Re: [cryptography] Hi all, would like your feedback on something

2015-12-21 Thread Jeffrey Walton
On Mon, Dec 21, 2015 at 10:39 AM, Brian Hankey  wrote:
>
>> From: Givon Zirkind 
>>
>> On 12/20/2015 2:14 AM, Jeffrey Goldberg wrote:
>>> The problem you address is certainly real. And a lot of people have
>>> looked at various approaches over the decades. None, so far, is fully
>>> satisfactory. (I obviously believe that a well designed password
>>> manager is the best solution for most people available today, but I do
>>> not see them as the long term solution.) One common mistake
>> IMHO, the basic problem [on a meta level] is, that if you put all your
>> passwords [eggs] into one basket, all you have to do is steal the
>> basket.  crack the master password to the password file and you have all
>> the passwords.
>>
>> old school, manually, ppl used to keep a rolodex of which files to look
>> in for the passwords to certain items.  and, passwords would be hidden
>> in those files.  ostensibly, the CIA does this with files that need to
>> "disappear".  e.g. keeping a record in the Atomic Energy Commission's
>> files of some covert op.  with a cross reference that tells someone
>> where to find it.  who's going to look through a warehouse of files to
>> find a record?  it's like a needle in a haystack.  if you could
>> implement that electronically, that would probably be the best way to
>> go.  imho.
>
> This particular needle got lost in the haystack of my inbox… very interesting 
> idea.  Do you have any preliminary ideas on how to implement that 
> electronically? I am not sure where to begin.
>

Yeah, it's a good idea for many users under a number of threat models and
use cases. It's also the reason that, say, Gmail recovery codes that
are printed and sit in a desk drawer are usually OK. The primary
threat is the network attacker, and he/she does not have access to
your desk drawer.

As Gutmann wrote in his book (p. 528):


This 1960s perspective of computing is the type of threat model that
some of the password-security guidelines that are in use today were
designed to counter! What’s worse is that even today, decades after
these archaic threat models were employed as the basis for
password-usage guidelines, we’re still fairly consistently giving
users the wrong advice about password security such as “Passwords are
like underwear, change them often” (solving no identifiable problem
but creating several new ones, see “Password Lifetimes” on page 537)
and “Firewalls are useless if passwords are stuck to the monitor with
a Post-it” [9] (phishers are pretty creative but the one thing they
haven’t managed to do yet is reach out of the monitor to read your
Post-it notes, see “Passwords on the Client” on page 577). As Bob
Blakley puts it, “despite the fact that both attacks and losses have
approximately doubled every year since 1992, we continue to rely on
old models that are demonstrably ill-suited to the current reality and
don’t inhibit the ongoing march of failure” [10].


Jeff
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Hi all, would like your feedback on something

2015-12-21 Thread Brian Hankey

>> 
>> This, and things like 
>> 
>> 
>> @inproceedings{BonneauSchechter2014:USENIX,
>>  Address = {San Diego, CA},
>>  Author = {Bonneau, Joseph and Schechter, Stuart},
>>  Booktitle = {23rd USENIX Security Symposium (USENIX Security 14)},
>>  Month = Aug,
>>  Pages = {607--623},
>>  Publisher = {USENIX Association},
>>  Title = {Towards Reliable Storage of 56-bit Secrets in Human Memory},
>>  Year = {2014}}
>> 
>> https://www.usenix.org/conference/usenixsecurity14/technical-sessions/presentation/bonneau
>>  
>> 
>> 
>> are great. But the problem is that there is so far no testing (or reason to 
>> believe) that people will be able to do that for dozens of independent 
>> passwords. So those training schemes are good for something like a Master 
>> Password for some password management system, but they are not useful for 
>> the scores of passwords that people need to use.
> 

There is an in-depth reply to the rest stuck in the moderation queue for being 
too long but now that I watched this I will respond.  Very cool.  Interesting 
research.

I also thought this was great:

https://telepathwords.research.microsoft.com 


The funny thing is, it doesn’t seem to like hashes very much. If I really thought 
hard about how to “beat the system” I was able to get to perhaps character 20 
or something before I got a red X for typing a “u”.

Thanks for this.