Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-10 Thread Dale
Mark David Dumlao wrote:
> On Mon, Feb 11, 2019 at 1:00 AM Andrew Savchenko  wrote:
>> On Sun, 10 Feb 2019 10:27:32 -0600 Dale wrote:
>>> My password manager does that already.  The password I was trying to
>>> come up with was the master password which I must easily remember, be
>>> secure and be easy to type.  The other passwords I let the password
>>> manager generate and remember as well.  I don't type those so they can
>>> be anything.
>> The line above is approximately the same as how I got one of my master
>> passwords. It is not that hard to remember 30-40 random chars.
>> Just try typing them several hundred times. I'm serious.
> That's one of the problems of secure password generation: human
> memory is used backwards. Things become encoded permanently in our
> memory after the fact that we've repeated them several times, but most
> password generation utilities require you to have perfect memory
> first, THEN use repetition to enforce it.
>
> Both a managed password and an algorithmic approach get this more
> humanely. You need to first have a reliable way to generate the
> password, and if you type it enough times, your brain will commit it
> to memory.
>
>


My biggest thing was to find a way to come up with it.  Most use some
famous quote or song and then each first letter or something with a few
numbers and symbols thrown in.  Thing is, I don't really have any of
those.  So, what I did, I based it on model numbers of some things I
like.  I threw in a few symbols as well just to make it harder. 

I might add, I used three password strength sites to sort of give me an
idea on strength.  I tried different methods to shorten the thing and
make it easier to type as well.  I actually ended up with a slightly
shorter password but one that the meters said would be harder to crack. 
I might add, the difference was large.  The original was something along
the lines of thousands of years.  The end result that was easier to type
and slightly shorter was millions of years.  I was able to put in more
symbols.  Those things help toughen up a password pretty quick.

What I find so interesting about this, everyone seems to have a slightly
or even very different way of doing this.  Even if a person is reading
this list and taking notes, I wish them luck trying to guess our
passwords.  Given the variety of methods used, I don't see how any tool
could be built that would guess any of our passwords in a short time
frame either.  Now if everyone else would put some effort into this
instead of using "passw0rd" or something as silly as that, the internet
would be a much safer place. 

I also ran up on some sites that discussed passwords that people
commonly used and some are just laughable but so bad one should cry. 
Some people are just plain idiots.  I might add, some sites restrict
passwords in ways that keeps a person from generating a really good
password too.  Some need to get with the current threat models instead
of living in the past when security wasn't such an issue.

Interesting thread.

Dale

:-)  :-) 



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-10 Thread Mark David Dumlao
On Mon, Feb 11, 2019 at 1:00 AM Andrew Savchenko  wrote:
>
> On Sun, 10 Feb 2019 10:27:32 -0600 Dale wrote:
> > My password manager does that already.  The password I was trying to
> > come up with was the master password which I must easily remember, be
> > secure and be easy to type.  The other passwords I let the password
> > manager generate and remember as well.  I don't type those so they can
> > be anything.
>
> The line above is approximately the same as how I got one of my master
> passwords. It is not that hard to remember 30-40 random chars.
> Just try typing them several hundred times. I'm serious.

That's one of the problems of secure password generation: human
memory is used backwards. Things become encoded permanently in our
memory after the fact that we've repeated them several times, but most
password generation utilities require you to have perfect memory
first, THEN use repetition to enforce it.

Both a managed password and an algorithmic approach get this more
humanely. You need to first have a reliable way to generate the
password, and if you type it enough times, your brain will commit it
to memory.



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-10 Thread Andrew Savchenko
On Sun, 10 Feb 2019 10:27:32 -0600 Dale wrote:
> Andrew Savchenko wrote:
> > On Sun, 3 Feb 2019 23:47:35 -0600 Dale wrote:
> >> Howdy,
> >>
> >> Some may recall me mentioning using LastPass to manage my passwords. 
> >> Obviously, it can generate very strong passwords that are different for
> >> each site.  It can also remember them as well which makes things more
> >> secure than using just a few passwords for all sites.  One for things
> >> like financial sites, maybe a less secure one for some site you still
> >> want reasonably secure and an even weaker one for sites you don't care
> >> about hacking, and hackers likely won't either.  I know some people who
> >> do this even today.  Heck, ages ago, I was one of them.  Things change
> >> tho.  Some passwords can be hacked in seconds by a desktop computer,
> >> including my own if I had the software and knowledge to do it. 
> >>
> >> The one thing about most all password managers, they have a master
> >> password.  That one password unlocks the rest.  Trick is, having that
> >> one be a good one that is easy to remember, type on a keyboard and be
> >> secure, virtually unhackable but also unforgettable.  I've had what used
> >> to be a strong password for a while.  Thing is, with today's computing
> >> power, it really isn't anymore.  While no one could just guess it, it
> >> could be cracked/hacked I'm sure.  I need to come up with a new one that
> >> meets the requirements I just mentioned.  Strong, easy to remember, easy
> >> to type but won't forget.  I've read that using maiden names, years of
> >> birth or whole dates of birth, actual names, pet's name, words in a
> >> dictionary and a whole list of other things makes it easier, especially
> >> if you post a lot on social media, for hackers to use against you.  I'm
> >> trying to avoid that sort of thing obviously and have a couple ideas but
> >> am curious as to what method others use, without exposing too much detail
> >> since this is public. 
> >>
> >> How do you, especially those who admin systems that are always being
> >> hacked at, generate strong passwords that meet the above?  I've googled
> >> and found some ideas but if I use the same method, well, how many others
> >> are using that same method, if you know what I mean.  ;-)  Just looking
> >> for ideas. 
> > 1) Install app-admin/apg.
> > 2) apg -a1 -m40
> >
> > Best regards,
> > Andrew Savchenko
> 
> 
> My password manager does that already.  The password I was trying to
> come up with was the master password which I must easily remember, be
> secure and be easy to type.  The other passwords I let the password
> manager generate and remember as well.  I don't type those so they can
> be anything. 

The line above is approximately the same as how I got one of my master
passwords. It is not that hard to remember 30-40 random chars.
Just try typing them several hundred times. I'm serious.

> Goes to show tho, there is yet another tool to come up with passwords. 
> lol 
> 
> Dale
> 
> :-)  :-) 
> 
> 


Best regards,
Andrew Savchenko




Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-10 Thread Dale
Andrew Savchenko wrote:
> On Sun, 3 Feb 2019 23:47:35 -0600 Dale wrote:
>> Howdy,
>>
>> Some may recall me mentioning using LastPass to manage my passwords. 
>> Obviously, it can generate very strong passwords that are different for
>> each site.  It can also remember them as well which makes things more
>> secure than using just a few passwords for all sites.  One for things
>> like financial sites, maybe a less secure one for some site you still
>> want reasonably secure and an even weaker one for sites you don't care
>> about hacking, and hackers likely won't either.  I know some people who
>> do this even today.  Heck, ages ago, I was one of them.  Things change
>> tho.  Some passwords can be hacked in seconds by a desktop computer,
>> including my own if I had the software and knowledge to do it. 
>>
>> The one thing about most all password managers, they have a master
>> password.  That one password unlocks the rest.  Trick is, having that
>> one be a good one that is easy to remember, type on a keyboard and be
>> secure, virtually unhackable but also unforgettable.  I've had what used
>> to be a strong password for a while.  Thing is, with today's computing
>> power, it really isn't anymore.  While no one could just guess it, it
>> could be cracked/hacked I'm sure.  I need to come up with a new one that
>> meets the requirements I just mentioned.  Strong, easy to remember, easy
>> to type but won't forget.  I've read that using maiden names, years of
>> birth or whole dates of birth, actual names, pet's name, words in a
>> dictionary and a whole list of other things makes it easier, especially
>> if you post a lot on social media, for hackers to use against you.  I'm
>> trying to avoid that sort of thing obviously and have a couple ideas but
>> am curious as to what method others use, without exposing too much detail
>> since this is public. 
>>
>> How do you, especially those who admin systems that are always being
>> hacked at, generate strong passwords that meet the above?  I've googled
>> and found some ideas but if I use the same method, well, how many others
>> are using that same method, if you know what I mean.  ;-)  Just looking
>> for ideas. 
> 1) Install app-admin/apg.
> 2) apg -a1 -m40
>
> Best regards,
> Andrew Savchenko


My password manager does that already.  The password I was trying to
come up with was the master password which I must easily remember, be
secure and be easy to type.  The other passwords I let the password
manager generate and remember as well.  I don't type those so they can
be anything. 

Goes to show tho, there is yet another tool to come up with passwords. 
lol 

Dale

:-)  :-) 




Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-10 Thread Andrew Savchenko
On Sun, 3 Feb 2019 23:47:35 -0600 Dale wrote:
> Howdy,
> 
> Some may recall me mentioning using LastPass to manage my passwords. 
> Obviously, it can generate very strong passwords that are different for
> each site.  It can also remember them as well which makes things more
> secure than using just a few passwords for all sites.  One for things
> like financial sites, maybe a less secure one for some site you still
> want reasonably secure and an even weaker one for sites you don't care
> about hacking, and hackers likely won't either.  I know some people who
> do this even today.  Heck, ages ago, I was one of them.  Things change
> tho.  Some passwords can be hacked in seconds by a desktop computer,
> including my own if I had the software and knowledge to do it. 
> 
> The one thing about most all password managers, they have a master
> password.  That one password unlocks the rest.  Trick is, having that
> one be a good one that is easy to remember, type on a keyboard and be
> secure, virtually unhackable but also unforgettable.  I've had what used
> to be a strong password for a while.  Thing is, with today's computing
> power, it really isn't anymore.  While no one could just guess it, it
> could be cracked/hacked I'm sure.  I need to come up with a new one that
> meets the requirements I just mentioned.  Strong, easy to remember, easy
> to type but won't forget.  I've read that using maiden names, years of
> birth or whole dates of birth, actual names, pet's name, words in a
> dictionary and a whole list of other things makes it easier, especially
> if you post a lot on social media, for hackers to use against you.  I'm
> trying to avoid that sort of thing obviously and have a couple ideas but
> am curious as to what method others use, without exposing too much detail
> since this is public. 
> 
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above?  I've googled
> and found some ideas but if I use the same method, well, how many others
> are using that same method, if you know what I mean.  ;-)  Just looking
> for ideas. 

1) Install app-admin/apg.
2) apg -a1 -m40

Best regards,
Andrew Savchenko




Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Dale
Tanstaafl wrote:
> On 2/4/2019, 8:10:57 PM, Dale  wrote:
>> Tanstaafl wrote:
>>> I've been using a little Firefox Addon called Passwordmaker for many,
>>> many years, and despite all of its warts, I've been loathe to give it
>>> up, even though it will never be upgraded to work as a WebExtension.
>>>
>>> 2 things I loved about it -
>>>
>>>  a) it doesn't save the password locally, only info about the
>>> site/account, and
>>>  b) you can use an unlimited number of Master Passwords
>>>
>>> I'm looking at migrating to KeePassXC, and even though I really hate the
>>> idea of saving the actual password - Passwordmaker simply generates the
>>> password on the fly each time based on certain specified criteria (ie,
>>> the site URL, username, password length, etc for each account - one
>>> technique I adopted shortly after assisting in updating the
>>> Passwordmaker website eases my mind about it...
>>>
>>> This is a simple technique I strongly recommend that everyone employ,
>>> especially if you use a Password manager (like LastPass or KeePass)...
>>>
>>> It is uncrackable (well, as long as it isn't the CIA or NSA that wants
>>> to crack it and they are willing to kidnap/torture you to do so).
>>>
>>> You sit down and come up with a ... call it a 'password modification
>>> protocol' ... whereby, you always modify your generated/stored password
>>> in a specific way before pressing enter.
>>>
>>> For example, you delete characters 3, 5 and 7, then add 2 characters to
>>> the beginning and 2 to the end.
>>>
>>> It is very simple, and negates worrying about someone stealing your
>>> password vault.
>> I tried to find it just to see how it works but it isn't listed.
> What... Passwordmaker (the old one I still use and why I keep an old
> Firefox 56 portable version around)?


I'm on the newer version of Firefox so it doesn't show up in my search
since it isn't compatible.  I'm pretty sure that is why it doesn't show
up for me.  If I were on the older version of Firefox, then it would
show up.  I was wanting to look at it tho.  I did find a Pro version
which is likely the same thing but for the newer versions of Firefox. 
Did you see it?  It is here:

https://addons.mozilla.org/en-US/firefox/addon/firefox-passwordmaker-pro/?src=search

I see another version as well but with very few users.  Still, if the
above is just a version for the newer Firefox, you may not have to
switch or can use both somehow.  Some other add-ons I use did similar
things.  Since some required a complete rewrite, they also changed the
name a bit too.  Thing is, some of the new versions of add-ons don't
show up in older versions of Firefox.  If you didn't see this, I hope it
helps.


>> From what you wrote, you may want to at least check into LastPass.
> I did a massive amount of research (including LastPass), and settled on
> KeePassXC for a good reason.

I've read where people use that and like it.  It just depends on what
you are looking for and expect from the tool.  If it meets your needs,
then it is a good fit for you.  I picked LastPass since it did what I
need and then some plus is free.  I also had the privilege of emailing
back and forth with one of the original owners or creators way back
then.  His name is Joe Siegrist.  My bank and credit card sites wouldn't
work at first.  I gave him a link and he made some changes so that the
next version would fill those sites.  I may switch one day, may even
switch to what you are using, but at the moment, LastPass seems to be
doing well. 


>> Still, I'm sure there is a tool that will suit your needs.
> ? It's like you didn't really read my email. I already said, I'm
> migrating to KeePassXC. But my complaint is, nothing works like
> Passwordmaker (again, it doesn't store passwords, can only use one
> Master Password).
>
>> I'm not sure I understand what you mean password modification protocol. 
>> It sounds like you change your master password each time you use it.
> No, I'm talking about the saved (or in Passwordmaker's case, generated)
> password, not the Master Password.
>
> Doing this with the Master Password wouldn't make any sense.
>

If I understand you correctly, I think I have seen a site that allows
that sort of thing.  I think.  To be honest, this is why I like tools. 
I tend to let tools do the heavy lifting.  My biggest responsibility is
having a good master password.  That's what started this.  I want a good
one.  ;-)  Most of the sites I use are email or ID plus password.  A
couple have this picture and phrase thing between login and password
tho.  There are also a couple that use that secret question thing.  Some
of those are plain annoying tho.  lol

Given how things are nowadays, I suspect we will always be in a constant
race to try and stay ahead of hackers and such.  Every time we change to
try and beat them, they will find new tools, faster hardware etc to beat
us.  The biggest thing, our tools or us have to keep up.  I really need
to keep up with the newer stuff 

Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Tanstaafl
On 2/4/2019, 8:10:57 PM, Dale  wrote:
> Tanstaafl wrote:
>> I've been using a little Firefox Addon called Passwordmaker for many,
>> many years, and despite all of its warts, I've been loathe to give it
>> up, even though it will never be upgraded to work as a WebExtension.
>>
>> 2 things I loved about it -
>>
>>  a) it doesn't save the password locally, only info about the
>> site/account, and
>>  b) you can use an unlimited number of Master Passwords
>>
>> I'm looking at migrating to KeePassXC, and even though I really hate the
>> idea of saving the actual password - Passwordmaker simply generates the
>> password on the fly each time based on certain specified criteria (ie,
>> the site URL, username, password length, etc for each account - one
>> technique I adopted shortly after assisting in updating the
>> Passwordmaker website eases my mind about it...
>>
>> This is a simple technique I strongly recommend that everyone employ,
>> especially if you use a Password manager (like LastPass or KeePass)...
>>
>> It is uncrackable (well, as long as it isn't the CIA or NSA that wants
>> to crack it and they are willing to kidnap/torture you to do so).
>>
>> You sit down and come up with a ... call it a 'password modification
>> protocol' ... whereby, you always modify your generated/stored password
>> in a specific way before pressing enter.
>>
>> For example, you delete characters 3, 5 and 7, then add 2 characters to
>> the beginning and 2 to the end.
>>
>> It is very simple, and negates worrying about someone stealing your
>> password vault.

> I tried to find it just to see how it works but it isn't listed.

What... Passwordmaker (the old one I still use and why I keep an old
Firefox 56 portable version around)?

> From what you wrote, you may want to at least check into LastPass.

I did a massive amount of research (including LastPass), and settled on
KeePassXC for a good reason.

> Still, I'm sure there is a tool that will suit your needs.

? It's like you didn't really read my email. I already said, I'm
migrating to KeePassXC. But my complaint is, nothing works like
Passwordmaker (again, it doesn't store passwords, can only use one
Master Password).

> I'm not sure I understand what you mean password modification protocol. 
> It sounds like you change your master password each time you use it.

No, I'm talking about the saved (or in Passwordmaker's case, generated)
password, not the Master Password.

Doing this with the Master Password wouldn't make any sense.
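
The "password modification protocol" described above, as an added example that is not Tanstaafl's code: drop characters 3, 5 and 7 of the vault-stored password, then add two characters at each end, plus a helper that counts how many bits stay secret if the vault itself leaks. The sample passwords, the added characters and the 94-symbol alphabet are assumptions for the demo.

```python
"""Tanstaafl's password modification protocol, as a function.

Added example, not code from the gentoo-user thread. The rule (drop the
characters at positions 3, 5 and 7, counted from 1, then prepend two and
append two characters) is the one given in the post; everything else here
is a constructed demo value.
"""
import math

# Assumed: the added characters are drawn from printable ASCII (94 symbols).
ASSUMED_ALPHABET_SIZE = 94


def apply_protocol(stored: str, prefix: str, suffix: str,
                   drop_positions=(3, 5, 7)) -> str:
    """Turn the password as stored in the vault into the one actually typed.

    `stored` is what the manager generated and saved; the returned value is
    what the website ever sees. The two never coincide, so a copied vault
    alone does not log anyone in.
    """
    if len(stored) < max(drop_positions):
        raise ValueError("stored password is shorter than the highest drop position")
    kept = [ch for i, ch in enumerate(stored, start=1) if i not in drop_positions]
    return prefix + "".join(kept) + suffix


def secret_bits_beyond_vault(prefix: str, suffix: str,
                             alphabet_size: int = ASSUMED_ALPHABET_SIZE) -> float:
    """Bits an attacker holding the vault still has to guess.

    The deletion rule is fixed, so it contributes nothing once known; only the
    added characters carry secret material, assuming each is chosen uniformly
    from `alphabet_size` symbols (4 printable characters ~= 26 bits).
    """
    return len(prefix + suffix) * math.log2(alphabet_size)


def demo() -> dict:
    """Constructed walk-through: vault value, typed value, remaining secrecy."""
    stored = "abcdefghij"          # constructed vault-stored password
    prefix, suffix = "Q!", "9z"    # constructed memorised additions
    typed = apply_protocol(stored, prefix, suffix)
    return {
        "stored": stored,
        "typed": typed,                      # "Q!abdfhij9z"
        "bits_beyond_vault": round(secret_bits_beyond_vault(prefix, suffix), 1),
    }
```

Because only the added characters are secret once the rule is known, the protocol is best read as a small second secret on top of a strong vault password and a strong master password, not as a replacement for either.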



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Dale
Mick wrote:
> On Tuesday, 5 February 2019 10:13:44 GMT Dale wrote:
>
>> After seeing your reply, I realize I just type the command and it
>> prompts me for a password.  I ctrl c to exit.  Well, ain't that
>> something?  You can stop laughing now.  ;-) 
>>
>> It seems to think helloworld and reallysecurepassword are OK.  I have to
>> question just how good this tool is at this point.  
> Quite!
>
> I think the cracklib acceptance parameters are not as strict as they could 
> have been for modern computing, but I don't know how to tweak them.  With 
> johntheripper you have many options to tweak the characters tested, length, 
> etc. when checking a password.
>
> PS.  I wasn't laughing at you, I was laughing at the passwords cracklib 
> thought were OK.

I'm emerging john* or at least it's thinking on it. 

I was talking about you laughing at my comment about the idiot in the
chair who was using the command wrong.  I have to admit, I was laughing
at myself over here.  lol  I might add, I did try to get a man page or
-h to help but it didn't. 

I've got my password down to something I can remember and isn't too bad
to type.  The password strength meter thingys, while not perfect either,
do say it is a strong one.  My looking at it says it is strong too.  I
just can't imagine anyone guessing it.  It's so random and such that I
think it would be very difficult to crack.  Even if one could, it would
take a fairly long time even with some pretty fast puters.  It may not
be NSA proof either but I suspect it would take even them a while. 
Still, I'd like to test this thing really well if I can find a tool that
can really do it properly.  We already know the meter sites aren't
trustworthy.  It seems cracklib isn't quite there either.  Moving on. 

Thanks for the help.  By the time I get around to using this thing, it
may be easy to crack with some laser type puter or something. 

Dale

:-)  :-) 



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Mick
On Tuesday, 5 February 2019 10:13:44 GMT Dale wrote:

> After seeing your reply, I realize I just type the command and it
> prompts me for a password.  I ctrl c to exit.  Well, ain't that
> something?  You can stop laughing now.  ;-) 
> 
> It seems to think helloworld and reallysecurepassword are OK.  I have to
> question just how good this tool is at this point.  

Quite!

I think the cracklib acceptance parameters are not as strict as they could 
have been for modern computing, but I don't know how to tweak them.  With 
johntheripper you have many options to tweak the characters tested, length, 
etc. when checking a password.

PS.  I wasn't laughing at you, I was laughing at the passwords cracklib 
thought were OK.
-- 
Regards,
Mick



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Dale
Michael Schwartzkopff wrote:
> Am 05.02.19 um 10:55 schrieb Mick:
>> On Tuesday, 5 February 2019 06:48:53 GMT Dale wrote:
>>
>>> Sort of picking a random message to reply to here.  Someone sent a reply
>>> off list about checking passwords on my system with tools available.
>>> They also mentioned not trusting strength meters which I can get since
>>> they pass some obvious passwords.  I used three meters and some sort of
>>> common sense as well.  I found cracklib-check after some digging.  I
>>> used that to try to check my password and get this weird response. 
>>>
>>> -su: me-supper-secret-password-here;): event not found
>>>
>>> I'm going to try to emulate my password without actually posting it, for
>>> obvious reasons.  You all are smart enough to understand why.  ROFL  It
>>> has some of the following 'stuff' in it.  !sdER*ark4567#  As you can
>>> tell, I use some of those things on the tops of the number keys.  It
>>> seems that confuses cracklib just a bit.  BTW, I was running that as
>>> root just to be sure it wasn't a permissions issue.  I tried a few
>>> different things but it seems the "!" is triggering that at least, maybe
>>> others too.  The command works fine with just normal stuff.
>> Hmm ... I don't get such problem here, when I run cracklib as a plain user:
>>
>> $ cracklib-check
>> password
>> password: it is based on a dictionary word
>> p4ssw0rd
>> p4ssw0rd: it is based on a dictionary word
>> p477w0rd
>> p477w0rd: OK
>> !sdER*ark4567#
>> !sdER*ark4567#: OK
>> helloworld
>> helloworld: OK
>> reallysecurepassword
>> reallysecurepassword: OK
>>
>> LOL!
>>
>> Could it be something to do with your terminal/shell?  I've run the above with
>> bash in a urxvt terminal.
>>
>>
>>> That leads
>>> me to this question.  Is there a tool I can use/install that will test a
>>> password, try to crack it if you will, that will work regardless of the
>>> characters used?  In other words, it doesn't mind the things on top of
>>> the number keys. 
>>>
>>> BTW, I've also whittled it down to something a little easier to type
>>> too.  Feel sorry for any poor fool trying to just guess it.  lol  May
>>> have better luck with P vs NP.  ;-)
>>>
>>> Thanks.
>>>
>>> Dale
>>>
>>> :-)  :-) 
>> I've used app-crypt/johntheripper in the distant past, but you'll need a good
>> word list for it to be useful.  Some of the wordlists I had found at the time
>> were too big to download over dial-up!  :p
>>
> A good password also has to be memorizable. See:
>
> https://xkcd.com/936/
>
>
> Mit freundlichen Grüßen,
>


That's the problem.  I want one really good password that would be
virtually impossible even for someone who knows me to guess.  Doing that
and being able to remember it plus be relatively easy to remember
complicates things a lot.  While at it, I'd like it to be hard to crack
as well.  Even with these password test tools, that is proving to be
hard to know for sure.  I have one that I know would be hard to guess
and I think it would be hard to crack as well but I don't know that last
part for sure, yet anyway. 

Thanks.  It's a work in progress still. 

Dale

:-)  :-) 



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Dale
Mick wrote:
> On Tuesday, 5 February 2019 06:48:53 GMT Dale wrote:
>
>> Sort of picking a random message to reply to here.  Someone sent a reply
>> off list about checking passwords on my system with tools available.
>> They also mentioned not trusting strength meters which I can get since
>> they pass some obvious passwords.  I used three meters and some sort of
>> common sense as well.  I found cracklib-check after some digging.  I
>> used that to try to check my password and get this weird response. 
>>
>> -su: me-supper-secret-password-here;): event not found
>>
>> I'm going to try to emulate my password without actually posting it, for
>> obvious reasons.  You all are smart enough to understand why.  ROFL  It
>> has some of the following 'stuff' in it.  !sdER*ark4567#  As you can
>> tell, I use some of those things on the tops of the number keys.  It
>> seems that confuses cracklib just a bit.  BTW, I was running that as
>> root just to be sure it wasn't a permissions issue.  I tried a few
>> different things but it seems the "!" is triggering that at least, maybe
>> others too.  The command works fine with just normal stuff.
> Hmm ... I don't get such problem here, when I run cracklib as a plain user:
>
> $ cracklib-check
> password
> password: it is based on a dictionary word
> p4ssw0rd
> p4ssw0rd: it is based on a dictionary word
> p477w0rd
> p477w0rd: OK
> !sdER*ark4567#
> !sdER*ark4567#: OK
> helloworld
> helloworld: OK
> reallysecurepassword
> reallysecurepassword: OK
>
> LOL!
>
> Could it be something to do with your terminal/shell?  I've run the above with
> bash in a urxvt terminal.
>
>


He he he he.  It was the idiot in the chair.  The idiot in the chair
thought it was done this way, like I saw on a website that must be
outdated. 

root@fireball / # cracklib-check !sdER*ark4567#
-su: !sdER: event not found
root@fireball / #

After seeing your reply, I realize I just type the command and it
prompts me for a password.  I ctrl c to exit.  Well, ain't that
something?  You can stop laughing now.  ;-) 

It seems to think helloworld and reallysecurepassword are OK.  I have to
question just how good this tool is at this point.  Maybe I need to
install some more stuff here.  Pardon me while I go find some more of
this.  Something has to be missing.  :/

Dale

:-)  :-) 



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Michael Schwartzkopff
Am 05.02.19 um 10:55 schrieb Mick:
> On Tuesday, 5 February 2019 06:48:53 GMT Dale wrote:
>
>> Sort of picking a random message to reply to here.  Someone sent a reply
>> off list about checking passwords on my system with tools available.
>> They also mentioned not trusting strength meters which I can get since
>> they pass some obvious passwords.  I used three meters and some sort of
>> common sense as well.  I found cracklib-check after some digging.  I
>> used that to try to check my password and get this weird response. 
>>
>> -su: me-supper-secret-password-here;): event not found
>>
>> I'm going to try to emulate my password without actually posting it, for
>> obvious reasons.  You all are smart enough to understand why.  ROFL  It
>> has some of the following 'stuff' in it.  !sdER*ark4567#  As you can
>> tell, I use some of those things on the tops of the number keys.  It
>> seems that confuses cracklib just a bit.  BTW, I was running that as
>> root just to be sure it wasn't a permissions issue.  I tried a few
>> different things but it seems the "!" is triggering that at least, maybe
>> others too.  The command works fine with just normal stuff.
> Hmm ... I don't get such problem here, when I run cracklib as a plain user:
>
> $ cracklib-check
> password
> password: it is based on a dictionary word
> p4ssw0rd
> p4ssw0rd: it is based on a dictionary word
> p477w0rd
> p477w0rd: OK
> !sdER*ark4567#
> !sdER*ark4567#: OK
> helloworld
> helloworld: OK
> reallysecurepassword
> reallysecurepassword: OK
>
> LOL!
>
> Could it be something to do with your terminal/shell?  I've run the above with
> bash in a urxvt terminal.
>
>
>> That leads
>> me to this question.  Is there a tool I can use/install that will test a
>> password, try to crack it if you will, that will work regardless of the
>> characters used?  In other words, it doesn't mind the things on top of
>> the number keys. 
>>
>> BTW, I've also whittled it down to something a little easier to type
>> too.  Feel sorry for any poor fool trying to just guess it.  lol  May
>> have better luck with P vs NP.  ;-)
>>
>> Thanks.
>>
>> Dale
>>
>> :-)  :-) 
> I've used app-crypt/johntheripper in the distant past, but you'll need a good 
> word list for it to be useful.  Some of the wordlists I had found at the time 
> were too big to download over dial-up!  :p
>
A good password also has to be memorizable. See:

https://xkcd.com/936/


Mit freundlichen Grüßen,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263
Vorstand: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Aufsichtsratsvorsitzender: Florian Kirstein
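
An added example (not code from the thread or any of its posters) that puts numbers on the generation methods discussed in it: the `apg -a1 -m40` random string, the xkcd/936 word-list passphrase, and what the "thousands of years" style figures from strength meters actually depend on. Entropy is a property of the generation process, so a meter that only sees the finished string can only guess it. The demo word list, the 94-symbol printable alphabet, and the guess rate of 1e10 per second are assumptions.

```python
"""Entropy of a password generation method, as opposed to a finished string.

Added example, not code from the gentoo-user thread. Parameters taken from
the thread: apg -a1 -m40 (40 random characters) and xkcd/936 (four words
from a 2048-word list). The word list and guess rate are constructed.
"""
import math
import secrets
import string

# Constructed mini word list for the demo; a diceware-style list has 7776.
DEMO_WORDS = [
    "correct", "horse", "battery", "staple", "gentoo", "emerge", "portage",
    "kernel", "urxvt", "cracklib", "ripper", "keepass", "master", "vault",
    "symbol", "model",
]

# Assumed alphabet for apg -a1 style output: the 94 printable ASCII symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def generation_entropy_bits(alphabet_size: int, count: int) -> float:
    """Bits of entropy when `count` symbols are drawn uniformly and
    independently from `alphabet_size` possibilities."""
    return count * math.log2(alphabet_size)


def random_chars(length: int, alphabet: str = PRINTABLE) -> str:
    """apg -a1 style: uniformly random characters from a CSPRNG (secrets)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(n_words: int, words=DEMO_WORDS, sep: str = "-") -> str:
    """xkcd/936 style: n words chosen uniformly, with replacement, from a list.
    Entropy is n * log2(len(words)); with DEMO_WORDS that is only 4 bits/word."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate of a `bits`-bit space."""
    seconds = 2.0 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_methods(guesses_per_second: float = 1e10) -> dict:
    """Entropy and exhaustive-search time for the methods in the thread.

    The rate is an assumed offline figure against a fast hash; a password
    manager's vault uses a deliberately slow key derivation, which lowers it
    by orders of magnitude, but the ranking of the methods does not change.
    """
    methods = {
        "apg -a1 -m40 (40 printable ASCII chars)": generation_entropy_bits(94, 40),
        "xkcd/936 (4 words from 2048)": generation_entropy_bits(2048, 4),
        "6 words from a 7776-word diceware list": generation_entropy_bits(7776, 6),
        "8 random lowercase letters": generation_entropy_bits(26, 8),
    }
    return {
        name: {"bits": round(bits, 1),
               "years": years_to_exhaust(bits, guesses_per_second)}
        for name, bits in methods.items()
    }
```

A hand-built password such as "model numbers plus symbols" has no such number: its real strength is how unlikely an attacker's guessing strategy is to enumerate that construction, which is exactly what the meter sites cannot measure.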






Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Mick
On Tuesday, 5 February 2019 06:48:53 GMT Dale wrote:

> Sort of picking a random message to reply to here.  Someone sent a reply
> off list about checking passwords on my system with tools available.
> They also mentioned not trusting strength meters which I can get since
> they pass some obvious passwords.  I used three meters and some sort of
> common sense as well.  I found cracklib-check after some digging.  I
> used that to try to check my password and get this weird response. 
> 
> -su: me-supper-secret-password-here;): event not found
> 
> I'm going to try to emulate my password without actually posting it, for
> obvious reasons.  You all are smart enough to understand why.  ROFL  It
> has some of the following 'stuff' in it.  !sdER*ark4567#  As you can
> tell, I use some of those things on the tops of the number keys.  It
> seems that confuses cracklib just a bit.  BTW, I was running that as
> root just to be sure it wasn't a permissions issue.  I tried a few
> different things but it seems the "!" is triggering that at least, maybe
> others too.  The command works fine with just normal stuff.

Hmm ... I don't get such a problem here, when I run cracklib as a plain user:

$ cracklib-check
password
password: it is based on a dictionary word
p4ssw0rd
p4ssw0rd: it is based on a dictionary word
p477w0rd
p477w0rd: OK
!sdER*ark4567#
!sdER*ark4567#: OK
helloworld
helloworld: OK
reallysecurepassword
reallysecurepassword: OK

LOL!

Could it be something to do with your terminal/shell?  I've run the above with 
bash in a urxvt terminal.


> That leads
> me to this question.  Is there a tool I can use/install that will test a
> password, try to crack it if you will, that will work regardless of the
> characters used?  In other words, it doesn't mind the things on top of
> the number keys. 
> 
> BTW, I've also whittled it down to something a little easier to type
> too.  Feel sorry for any poor fool trying to just guess it.  lol  May
> have better luck with P vs NP.  ;-)
> 
> Thanks.
> 
> Dale
> 
> :-)  :-) 

I've used app-crypt/johntheripper in the distant past, but you'll need a good 
word list for it to be useful.  Some of the wordlists I had found at the time 
were too big to download over dial-up!  :p

-- 
Regards,
Mick



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-04 Thread Dale
Neil Bothwick wrote:
> On Mon, 04 Feb 2019 11:17:13 +, Mick wrote:
>
>>> https://xkcd.com/936/  
>> Not strictly true ... the crackers would probably use rainbow table
>> attacks first.  Also, it isn't fair to compare an 11 character passwd
>> against a 25 character passwd.  For the *same* number of characters
>> used in any given passwd, a random lower/upper/numerical/symbol passwd
>> will provide an exponentially higher degree of difficulty in cracking
>> it with brute force, than one which uses only lower case dictionary
>> words.  Anyway, these days many attacks are focused on OS or hardware
>> vulnerabilities which have been baked in by design, rather than brute
>> force attacks.
> I'm not sure xkcd is meant to be taken that seriously...
>
>


Sort of picking a random message to reply to here.  Someone sent a reply
off list about checking passwords on my system with tools available.
They also mentioned not trusting strength meters which I can get since
they pass some obvious passwords.  I used three meters and some sort of
common sense as well.  I found cracklib-check after some digging.  I
used that to try to check my password and get this weird response. 

-su: me-supper-secret-password-here;): event not found

I'm going to try to emulate my password without actually posting it, for
obvious reasons.  You all are smart enough to understand why.  ROFL  It
has some of the following 'stuff' in it.  !sdER*ark4567#  As you can
tell, I use some of those things on the tops of the number keys.  It
seems that confuses cracklib just a bit.  BTW, I was running that as
root just to be sure it wasn't a permissions issue.  I tried a few
different things but it seems the "!" is triggering that at least, maybe
others too.  The command works fine with just normal stuff.  That leads
me to this question.  Is there a tool I can use/install that will test a
password, try to crack it if you will, that will work regardless of the
characters used?  In other words, it doesn't mind the things on top of
the number keys. 

BTW, I've also whittled it down to something a little easier to type
too.  Feel sorry for any poor fool trying to just guess it.  lol  May
have better luck with P vs NP.  ;-)

Thanks.

Dale

:-)  :-) 



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-04 Thread Dale
Tanstaafl wrote:
> On 2/4/2019, 12:47:35 AM, Dale  wrote:
>> Thing is, with today's computing power, it really isn't anymore.
>> While no one could just guess it, it could be cracked/hacked I'm
>> sure.  I need to come up with a new one that meets the requirements I
>> just mentioned.  Strong, easy to remember, easy to type but won't
>> forget.  I've read that using maiden names, years of birth or whole
>> dates of birth, actual names, pet's name, words in a dictionary and a
>> whole list of other things makes it easier, especially if you post a
>> lot on social media, for hackers to use against you.  I'm trying to
>> avoid that sort of thing obviously and have a couple ideas but am
>> curious as to what method others use, without exposing too much
>> detail since this is public.
> I've been using a little Firefox Addon called Passwordmaker for many,
> many years, and despite all of its warts, I've been loath to give it
> up, even though it will never be upgraded to work as a WebExtension.
>
> 2 things I loved about it -
>
>  a) it doesn't save the password locally, only info about the
> site/account, and
>  b) you can use an unlimited number of Master Passwords
>
> I'm looking at migrating to KeePassXC, and even though I really hate the
> idea of saving the actual password - Passwordmaker simply generates the
> password on the fly each time based on certain specified criteria (i.e.,
> the site URL, username, password length, etc. for each account) - one
> technique I adopted shortly after assisting in updating the
> Passwordmaker website eases my mind about it...
>
> This is a simple technique I strongly recommend that everyone employ,
> especially if you use a Password manager (like LastPass or KeePass)...
>
> It is uncrackable (well, as long as it isn't the CIA or NSA that wants
> to crack it and they are willing to kidnap/torture you to do so).
>
> You sit down and come up with a ... call it a 'password modification
> protocol' ... whereby, you always modify your generated/stored password
> in a specific way before pressing enter.
>
> For example, you delete characters 3, 5 and 7, then add 2 characters to
> the beginning and 2 to the end.
>
> It is very simple, and negates worrying about someone stealing your
> password vault.
>
>


I tried to find it just to see how it works but it isn't listed.  From
what you wrote, you may want to at least check into LastPass.  Link
below.  It may do what you currently use and some.  I only use the free
version and it does more than I need already.  I think if I get a smart
phone, I'd have to pay a small monthly fee.  Still, I'm sure there is a
tool that will suit your needs.  There are a lot of them out there. 
Typing password in the add-on search box produces a LOT of results. 
Just find a good one and let it work for you. 

https://www.lastpass.com/

I'm not sure I understand what you mean by 'password modification protocol'. 
It sounds like you change your master password each time you use it.  If
I did that, I'd never know which one to use because that would confuse
me.  I don't write passwords down, period.  I went to the local nursing
home the other day, to drop off some puzzle books and a bunch of
bananas, and they have a coded entry thing on the door.  I entered the
code a couple times and it didn't work.  One of the nurses that was
coming on shift came up and entered the code.  When she told me the
code, I realized I was using the code they had before the current one. 
I shifted back in time a bit I guess.  I may not have a flux capacitor
but I did it anyway.  lol   I admit, some of the new things they use, I
have no idea how they work since I've never used most of them.  I've
read about a few of them but don't really get how they work.  If I used
them, I'd get it.

What I hate most is when my bank changes something about their login
process and a little research shows it accomplishes nothing.  My credit
card site has this picture and phrase thing.  I found where it was
researched and it does little to actually help because most people don't
pay it any attention.  My biggest cheat, I adblock stuff on the bank
website, like their great big logo thing.  If I do go to a website and
that logo shows up, it didn't match my adblock setting.  At that point,
that gets a little extra attention until I know for sure and for certain
I'm on the correct site.  Also, LastPass will pick up that it's on the wrong
site too.  It won't fill in the password info if it doesn't match up. 
They've had the same logo on the site for years. 

It's amazing what we have to do with our computers to keep ourselves
safe because of . . . computers.  :/  I guess this is one reason I like
Linux.  It at least tries to be secure. 

Dale

:-)  :-) 



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-04 Thread Roger J. H. Welsh
Hi Dale,

On  Sun, Feb 03, 2019 at 11:47:35PM -0600 , Dale wrote:
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above?

I have a script for generating passwords the way I like (basically diceware on 
bash).

Something like:
N=$(wc -l < "$WORDLIST")
# Scale 4 random bytes (32 bits) from the kernel down to a 1-based line
# number; the "+ 1" avoids "head -n 0", which would print no word at all.
FACTOR=$(( (2**32) / N ))
R=$(od -vAn -N4 -tu4 < /dev/random)
head -n "$(( R / FACTOR + 1 ))" "$WORDLIST" | tail -n 1

I use this in conjunction with
https://github.com/dwyl/english-words/blob/master/words.txt

As far as I understand, if you have about 96 bits of entropy you are
golden. 256 bits is unbruteforceable (at least within the realms of
physics apparently).
5 words = 94 bits (which is good enough for me)
14 words = 256 bits (which seems like a lot of typing)

I also have a messy spreadsheet for checking passwords.
https://github.com/rjhwelsh/gpg-tutorial/blob/master/password_checker.ods

I provide no warranty for my working. ;)

--

Roger Welsh
fpr: 2FCB 9E31 EA77 CDEC A3AE  5DD7 D54C C777 553A 180D
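The same diceware idea in Python, as an added example that is not Roger's script: an unbiased word draw from the OS CSPRNG plus the entropy accounting behind his 5-word and 14-word figures. The word list is constructed for the demo, and the line count assumed for the linked words.txt is an approximation, not a figure from the thread.

```python
"""Diceware-style passphrases with an entropy budget.

Added example; not Roger's bash script.  SAMPLE_WORDLIST is constructed
for the demo and DWYL_WORDS_TXT_LINES is an assumed, approximate line
count for the dwyl/english-words words.txt he links.
"""
import math
import secrets

# Constructed sample list; a real run would feed parse_wordlist() a file.
SAMPLE_WORDLIST = """
apple bridge candle dragon engine falcon garden harbor island jungle
kettle ladder marble needle orbit pepper quartz ribbon saddle tunnel
umpire velvet walnut yonder zephyr
"""

DWYL_WORDS_TXT_LINES = 466_550  # assumption, not taken from the thread


def parse_wordlist(text: str) -> list[str]:
    """Split a word list on whitespace, dropping blanks and duplicates.
    Duplicates matter: a word listed twice is twice as likely to be drawn,
    so entropy_bits() would overstate the real strength."""
    seen: set[str] = set()
    words: list[str] = []
    for token in text.split():
        if token not in seen:
            seen.add(token)
            words.append(token)
    return words


def entropy_bits(n_words: int, list_size: int) -> float:
    """Entropy of n_words drawn uniformly, with replacement, from list_size
    distinct words: n * log2(list_size)."""
    if n_words < 1 or list_size < 2:
        raise ValueError("need at least one word and a list of two or more")
    return n_words * math.log2(list_size)


def words_for_bits(target_bits: float, list_size: int) -> int:
    """Fewest words needed to reach target_bits of entropy."""
    if target_bits <= 0 or list_size < 2:
        raise ValueError("target must be positive; list needs two or more words")
    return math.ceil(target_bits / math.log2(list_size))


def passphrase(words: list[str], n_words: int, sep: str = " ") -> str:
    """Draw n_words with the OS CSPRNG.  secrets.choice rejects out-of-range
    draws instead of scaling a 32-bit number by a factor, so every word is
    equally likely and the index can never fall outside the list."""
    if n_words < 1 or len(words) < 2:
        raise ValueError("need at least one word and a list of two or more")
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    words = parse_wordlist(SAMPLE_WORDLIST)
    print(passphrase(words, 5))
    print(f"{len(words)}-word list: 5 words = {entropy_bits(5, len(words)):.1f} bits")
    n = DWYL_WORDS_TXT_LINES
    print(f"words.txt (~{n} lines): 5 words = {entropy_bits(5, n):.1f} bits, "
          f"256 bits needs {words_for_bits(256, n)} words")
```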



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-04 Thread Tanstaafl
On 2/4/2019, 12:47:35 AM, Dale  wrote:
> Thing is, with today's computing power, it really isn't anymore.
> While no one could just guess it, it could be cracked/hacked I'm
> sure.  I need to come up with a new one that meets the requirements I
> just mentioned.  Strong, easy to remember, easy to type but won't
> forget.  I've read that using maiden names, years of birth or whole
> dates of birth, actual names, pet's name, words in a dictionary and a
> whole list of other things makes it easier, especially if you post a
> lot on social media, for hackers to use against you.  I'm trying to
> avoid that sort of thing obviously and have a couple ideas but am
> curious as to what method others use, without exposing too much
> detail since this is public.
I've been using a little Firefox Addon called Passwordmaker for many,
many years, and despite all of its warts, I've been loath to give it
up, even though it will never be upgraded to work as a WebExtension.

2 things I loved about it -

 a) it doesn't save the password locally, only info about the
site/account, and
 b) you can use an unlimited number of Master Passwords

I'm looking at migrating to KeePassXC, and even though I really hate the
idea of saving the actual password - Passwordmaker simply generates the
password on the fly each time based on certain specified criteria (i.e.,
the site URL, username, password length, etc. for each account) - one
technique I adopted shortly after assisting in updating the
Passwordmaker website eases my mind about it...

This is a simple technique I strongly recommend that everyone employ,
especially if you use a Password manager (like LastPass or KeePass)...

It is uncrackable (well, as long as it isn't the CIA or NSA that wants
to crack it and they are willing to kidnap/torture you to do so).

You sit down and come up with a ... call it a 'password modification
protocol' ... whereby, you always modify your generated/stored password
in a specific way before pressing enter.

For example, you delete characters 3, 5 and 7, then add 2 characters to
the beginning and 2 to the end.

It is very simple, and negates worrying about someone stealing your
password vault.



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-04 Thread Lee Clagett
On Sun, 3 Feb 2019 23:47:35 -0600
Dale  wrote:

> Howdy,
> 
[...snip...]
> 
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above?  I've
> googled and found some ideas but if I use the same method, well, how
> many others are using that same method, if you know what I
> mean.  ;-)  Just looking for ideas. 

Search for diceware. Memorizing 7-10 word passwords is possible and
fairly strong.

Lee





Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-04 Thread Laurence Perkins



On Sun, 2019-02-03 at 23:47 -0600, Dale wrote:
> 
> 
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above?  I've
> googled
> and found some ideas but if I use the same method, well, how many
> others
> are using that same method, if you know what I mean.  ;-)  Just
> looking
> for ideas. 
> 
> Thanks much.
> 
> Dale
> 
> :-)  :-) 
> 
> P. S.  I haven't had time to deal with the video thing in previous
> thread.  It's on my todo list still.  :-( 
> 

Take 80 to 100 characters of something you already have memorized. 
Poetry, bible verses, RFCs, pages of the phone book, digits of pi out
of the middle, whatever.  Run it through a transposition, substitution,
or combination cipher that you can calculate in your head on-the-fly. 
(Do avoid the substitutions that everyone uses since those will be
tried first.)

Now you only need to remember a pointer to the memorized section, the
length, and the cipher specification.  There are enough possible
combinations that an attacker won't be able to make a meaningful
reduction in entropy by examining your social media.

As an example:  The second paragraph of Hamlet's soliloquy and invert
the case based on whether the corresponding digit of e is odd or even.

LMP
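Laurence's closing example carried through in code, as an added example that is not his own: a case-inversion cipher keyed by the digits of e, applied to a slice of memorized text selected by a pointer and a length. Assumed here: only letters consume a digit, other characters pass through, an odd digit means "invert the case", and the sample text is constructed rather than the soliloquy.

```python
"""Case-inversion cipher keyed by the digits of e (Laurence's example).

Added example, not Laurence's own code.  Assumptions: only letters consume
a digit, non-letters pass through unchanged, an odd digit flips the case,
and the text keyed at the bottom is constructed.
"""
# 2.718281828459045... without the decimal point; enough digits for a demo.
DIGITS_OF_E = "271828182845904523536028747135266249775724709369995"


def invert_case_by_digit_parity(text: str, digits: str = DIGITS_OF_E) -> str:
    """Flip the case of each letter whose corresponding digit is odd.
    Raises instead of reusing digits when the text has more letters than
    the key, because a repeating key pattern is easier to spot."""
    if not digits.isdigit():
        raise ValueError("key must be a string of decimal digits")
    key = iter(digits)
    out = []
    for ch in text:
        if not ch.isalpha():
            out.append(ch)  # spaces and punctuation are not keyed
            continue
        try:
            d = int(next(key))
        except StopIteration:
            raise ValueError("text has more letters than key digits") from None
        out.append(ch.swapcase() if d % 2 else ch)
    return "".join(out)


def password_from_pointer(memorized: str, start: int, length: int,
                          digits: str = DIGITS_OF_E) -> str:
    """Laurence's 'pointer, length and cipher spec': take `length`
    characters of the memorized text from `start` and key them."""
    if start < 0 or length < 1 or start + length > len(memorized):
        raise ValueError("pointer and length must lie within the memorized text")
    return invert_case_by_digit_parity(memorized[start:start + length], digits)


if __name__ == "__main__":
    sample = "the quick brown fox jumps over the lazy dog"  # constructed
    print(password_from_pointer(sample, 0, 19))  # prints "tHE quiCk broWN foX"
```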




Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-04 Thread Rich Freeman
On Mon, Feb 4, 2019 at 8:21 AM Neil Bothwick  wrote:
>
> On Mon, 04 Feb 2019 11:17:13 +, Mick wrote:
>
> > > https://xkcd.com/936/
> >
> > Not strictly true ... the crackers would probably use rainbow table
> > attacks first.  Also, it isn't fair to compare an 11 character passwd
> > against a 25 character passwd.  For the *same* number of characters
> > used in any given passwd, a random lower/upper/numerical/symbol passwd
> > will provide an exponentially higher degree of difficulty in cracking
> > it with brute force, than one which uses only lower case dictionary
> > words.  Anyway, these days many attacks are focused on OS or hardware
> > vulnerabilities which have been baked in by design, rather than brute
> > force attacks.
>
> I'm not sure xkcd is meant to be taken that seriously...
>

IMO xkcd has treated the situation more seriously than some of the
replies here...

Obviously words from a dictionary have less entropy per character than
random characters do, but the xkcd cartoon already takes this into
account.

For the same number of bits of ENTROPY a random password provides the
exact same level of security as one based on words.

To obtain that entropy through words requires more characters of
course.  However, the whole point of the cartoon is that our brains
are much better at remembering words than random characters, since we
have a big chunk of grey matter evolved to do exactly that which is
more sophisticated than any computer on the planet so far.

Now, if you have some brain-dead software which only accepts 8
character passwords then you would obviously do better to use random
characters (truly random - not picking the most pleasing-looking
random password out of a list) than to try to cram one or two words in
there.  Likewise, if you're using a password manager and want to
maximize entropy per bit of storage/transmission then random passwords
are better since words provide no utility.

However, if you want to obtain the highest number of bits of entropy
for a password that is memorized, xkcd makes a compelling argument
that you're better off with a longer password composed of words,
because they let you cram more entropy into your brain.  Two bits from
a dictionary might be the same as two bits from 1/3rd of a random
character to a brute force cracking engine, but they aren't the same
to your brain.  Xkcd isn't doing a like-for-like comparison, because
the two categories aren't alike.

-- 
Rich



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-04 Thread Neil Bothwick
On Mon, 04 Feb 2019 11:17:13 +, Mick wrote:

> > https://xkcd.com/936/  
> 
> Not strictly true ... the crackers would probably use rainbow table
> attacks first.  Also, it isn't fair to compare an 11 character passwd
> against a 25 character passwd.  For the *same* number of characters
> used in any given passwd, a random lower/upper/numerical/symbol passwd
> will provide an exponentially higher degree of difficulty in cracking
> it with brute force, than one which uses only lower case dictionary
> words.  Anyway, these days many attacks are focused on OS or hardware
> vulnerabilities which have been baked in by design, rather than brute
> force attacks.

I'm not sure xkcd is meant to be taken that seriously...


-- 
Neil Bothwick

Help a man when he is in trouble and he will remember you when he is in
trouble again




Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-04 Thread Mick
On Monday, 4 February 2019 10:37:03 GMT Neil Bothwick wrote:
> On Mon, 04 Feb 2019 10:24:27 +, Peter Humphrey wrote:
> > > How do you, especially those who admin systems that are always being
> > > hacked at, generate strong passwords that meet the above?  I've
> > > googled and found some ideas but if I use the same method, well, how
> > > many others are using that same method, if you know what I
> > > mean.  ;-)  Just looking for ideas.
> > 
> > You could use a password generator to keep creating random passwords
> > until it comes up with something you like the look of, then learn it by
> > rote. I did that some time ago - it must be about time I did it again
> > to make another one.
> 
> https://xkcd.com/936/

Not strictly true ... the crackers would probably use rainbow table attacks 
first.  Also, it isn't fair to compare an 11 character passwd against a 25 
character passwd.  For the *same* number of characters used in any given 
passwd, a random lower/upper/numerical/symbol passwd will provide an 
exponentially higher degree of difficulty in cracking it with brute force, 
than one which uses only lower case dictionary words.  Anyway, these days many 
attacks are focused on OS or hardware vulnerabilities which have been baked in 
by design, rather than brute force attacks.

Any financial company worth its salt is employing 2-factor authentication 
and account lockouts to stop brute forcing of users' credentials.  So, guarding 
against your own OS compromise is more important than individual website 
credentials.

You will be surprised how many people are still using passwds like:

password
password1
arsenal
manchesterunited2018
fido

on websites which store their credit card details.  O_O

You may want to take a look at app-admin/apg and to mitigate against your 
CPU's lack of randomness use sys-apps/haveged.  Combining multiple outputs of 
apg should arrive at a passwd which is more secure than not.

-- 
Regards,
Mick



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-04 Thread Neil Bothwick
On Mon, 04 Feb 2019 10:24:27 +, Peter Humphrey wrote:

> > How do you, especially those who admin systems that are always being
> > hacked at, generate strong passwords that meet the above?  I've
> > googled and found some ideas but if I use the same method, well, how
> > many others are using that same method, if you know what I
> > mean.  ;-)  Just looking for ideas.   
> 
> You could use a password generator to keep creating random passwords
> until it comes up with something you like the look of, then learn it by
> rote. I did that some time ago - it must be about time I did it again
> to make another one.

https://xkcd.com/936/


-- 
Neil Bothwick

There's too much blood in my caffeine system.




Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-04 Thread Peter Humphrey
On Monday, 4 February 2019 05:47:35 GMT Dale wrote:

> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above?  I've googled
> and found some ideas but if I use the same method, well, how many others
> are using that same method, if you know what I mean.  ;-)  Just looking
> for ideas. 

You could use a password generator to keep creating random passwords until it 
comes up with something you like the look of, then learn it by rote. I did 
that some time ago - it must be about time I did it again to make another one.

-- 
Regards,
Peter.