Re: [gentoo-user] Resetting the root passwd

2012-01-16 Thread Walter Dnes
On Mon, Jan 16, 2012 at 08:23:33AM +0700, Pandu Poluan wrote

 That depends on who are authorized to access the boxen via SSH. In my case,
 only the IT Division is authorized to access them via SSH, so the real
 sysadmin in me (g) decides it is much easier to shift the port rather than
 implementing esoteric hardening stuffs ;-)
 
 Plus, I get the benefit of ridiculing any IT guy/gal who managed to get
 him-/herself locked out (thanks to the auto-blacklist) B-)

  The opposite of auto-blacklisting is port-knocking.  Think of it as
auto-unblacklisting, where the world is blacklisted by default.  See...

http://www.hostsvault.com/blog/howto-protect-services-like-ssh-against-brute-force-using-only-iptables-port-knocking/

  The idea is that your external service is blocked to everybody by
default.  When an external IP address knocks in sequence on the right
3 ports (specified in iptables), it is then allowed a few seconds to
establish a connection (ssh/ftp/whatever).

-- 
Walter Dnes waltd...@waltdnes.org
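The knock gate described above, as an added Python model of the mechanism (not the iptables rule set from the linked howto): each source address must hit a constructed 3-port sequence in order, each knock within a few seconds of the last, and only then is the service port reachable from that address for a short window. Port numbers and timings are sample values, not anything from the thread.

```python
"""Model of a 3-port knock gate (added illustration, not the linked howto's
iptables rules). Ports and windows below are constructed sample values; the
real thing is usually expressed with iptables' recent module."""
from dataclasses import dataclass

KNOCK_SEQUENCE = (7000, 8000, 9000)  # constructed sample knock sequence
SERVICE_PORT = 22                    # the gated service (ssh here)
KNOCK_WINDOW = 5.0                   # max seconds between successive knocks
OPEN_WINDOW = 10.0                   # seconds the service stays open after the last knock


@dataclass
class _Progress:
    stage: int = 0          # correct knocks seen so far from this source
    last_seen: float = 0.0  # time of the most recent correct knock


class KnockGate:
    """Per-source state: everyone is blacklisted by default; a correct and
    timely knock sequence whitelists one source address for OPEN_WINDOW."""

    def __init__(self) -> None:
        self._progress: dict[str, _Progress] = {}
        self._open_until: dict[str, float] = {}
        self.log: list[str] = []

    def is_open(self, src: str, now: float) -> bool:
        return self._open_until.get(src, -1.0) >= now

    def packet(self, src: str, dport: int, now: float) -> str:
        """Verdict for one inbound connection attempt: "ACCEPT" or "DROP"."""
        if dport == SERVICE_PORT:
            if self.is_open(src, now):
                return "ACCEPT"
            self.log.append(f"{now:.1f} DROP {src}->{dport} (no valid knock)")
            return "DROP"

        # Knock ports are never accepted themselves; they only move the state.
        p = self._progress.get(src, _Progress())
        if p.stage > 0 and now - p.last_seen > KNOCK_WINDOW:
            p = _Progress()  # too slow: start over
        if dport == KNOCK_SEQUENCE[p.stage]:
            p = _Progress(p.stage + 1, now)
            if p.stage == len(KNOCK_SEQUENCE):
                self._open_until[src] = now + OPEN_WINDOW
                self.log.append(f"{now:.1f} OPEN {src} for {OPEN_WINDOW:.0f}s")
                p = _Progress()
        else:
            # Any other port, including a right port out of order, resets the
            # sequence; this is what defeats a sequential port scan.
            p = _Progress()
        self._progress[src] = p
        return "DROP"


def scan_in_order(gate: KnockGate, src: str, first: int, last: int,
                  start: float = 0.0, step: float = 0.01) -> bool:
    """Simulate a scanner walking ports first..last in order and report
    whether the service port ended up open for that source."""
    now = start
    for port in range(first, last + 1):
        gate.packet(src, port, now)
        now += step
    return gate.is_open(src, now)


if __name__ == "__main__":
    g = KnockGate()
    for i, port in enumerate(KNOCK_SEQUENCE):          # correct sequence
        g.packet("198.51.100.7", port, 100.0 + i)
    print(g.packet("198.51.100.7", SERVICE_PORT, 103.0))  # ACCEPT
    print(g.packet("203.0.113.9", SERVICE_PORT, 103.0))   # DROP
    print(scan_in_order(KnockGate(), "203.0.113.9", 1, 10000))  # False
    print(*g.log, sep="\n")
```

The gate adds a small shared secret in front of the service; it does not change the strength of the login behind it, which is why the thread's later point about key-based authentication still applies.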



Re: [gentoo-user] Resetting the root passwd

2012-01-16 Thread Mick
On Monday 16 Jan 2012 01:35:04 Pandu Poluan wrote:
 On Jan 16, 2012 12:58 AM, Walter Dnes waltd...@waltdnes.org wrote:
  On Thu, Jan 12, 2012 at 06:30:03AM -0500, Tanstaafl wrote
  
   This is nothing like changing the port for SSH - a port scanner can
   figure that one out in seconds...
   
   A real BOFH would set up a dummy instance of sshd on the regular port,
  
  as well as a real sshd instance on another port.  The dummy instance
  could be set up to always fail the login attempt, and with special
  iptable rules to not clutter up your logfile.
 
 And don't forget to put the false sshd through a tc rule that chokes the
 return traffic to 1 cps B-)
 
 Of course, being the real sysadmin a.k.a lazy slob that I am, that's way
 too much work for not enough bastardly pleasure... I can't gleefully see
 the face of people trapped in the tc hell :-P


Can you set up tc by port?  I thought it is only applicable to an interface.  
I need to brush up on this one day.
-- 
Regards,
Mick




Re: [gentoo-user] Resetting the root passwd

2012-01-16 Thread Pandu Poluan
On Jan 17, 2012 6:11 AM, Mick michaelkintz...@gmail.com wrote:

 On Monday 16 Jan 2012 01:35:04 Pandu Poluan wrote:
  On Jan 16, 2012 12:58 AM, Walter Dnes waltd...@waltdnes.org wrote:
   On Thu, Jan 12, 2012 at 06:30:03AM -0500, Tanstaafl wrote
  
This is nothing like changing the port for SSH - a port scanner can
figure that one out in seconds...
  
A real BOFH would set up a dummy instance of sshd on the regular port,
  
   as well as a real sshd instance on another port.  The dummy instance
   could be set up to always fail the login attempt, and with special
   iptable rules to not clutter up your logfile.
 
  And don't forget to put the false sshd through a tc rule that chokes the
  return traffic to 1 cps B-)
 
  Of course, being the real sysadmin a.k.a lazy slob that I am, that's way
  too much work for not enough bastardly pleasure... I can't gleefully see
  the face of people trapped in the tc hell :-P


 Can you set up tc by port?  I thought it is only applicable to an interface.
 I need to brush up on this one day.

Actually, yes, by using u32 match.

But I prefer to just MARK the packet in iptables and match against that.

Rgds,


Re: [gentoo-user] Resetting the root passwd

2012-01-15 Thread Pandu Poluan
On Jan 12, 2012 8:07 PM, Alan McKinnon alan.mckin...@gmail.com wrote:


[snip]


 Changing the ssh port (and even crypto keys on DVDs) is just a
 brain-dead approach, we agree on that. We rightfully rip a new one to
 people advocating doing this.


Well, I *always* change my sshd ports, not for added security, but because
I'm tired of seeing failed login attempts from China. The daily log became
*much* shorter after I moved the port somewhere else.

Plus, thanks to the wonders of iptables and ipset, anyone attempting to
connect to port 22 will now get blocked completely.

Rgds,


Re: [gentoo-user] Resetting the root passwd

2012-01-15 Thread Tanstaafl

On 2012-01-15 3:50 AM, Pandu Poluan pa...@poluan.info wrote:

Well, I *always* change my sshd ports, not for added security, but
because I'm tired of seeing failed login attempts from China. The daily
log became *much* shorter after I moved the port somewhere else.


That is the *only* legitimate reason (I can think of) to change the 
port... but it always irks me when someone thinks they are truly gaining 
any extra *security* through doing so...




Re: [gentoo-user] Resetting the root passwd

2012-01-15 Thread Mick
On Sunday 15 Jan 2012 14:19:07 Tanstaafl wrote:
 On 2012-01-15 3:50 AM, Pandu Poluan pa...@poluan.info wrote:
  Well, I *always* change my sshd ports, not for added security, but
  because I'm tired of seeing failed login attempts from China. The daily
  log became *much* shorter after I moved the port somewhere else.
 
 That is the *only* legitimate reason (I can think of) to change the
 port... but it always irks me when someone thinks they are truly gaining
 any extra *security* through doing so...

They are ... not at all in terms of complexity (the difficulty of cracking the 
ssh password remains exactly the same), but yes in terms of probability (fewer 
attempts to crack the password).

Of course, using public keys instead of passwords improves difficulty by orders 
of magnitude, but for the sake of reducing bandwidth alone, I think that 
changing the sshd port makes sense.
-- 
Regards,
Mick




Re: [gentoo-user] Resetting the root passwd

2012-01-15 Thread Walter Dnes
On Thu, Jan 12, 2012 at 06:30:03AM -0500, Tanstaafl wrote

 This is nothing like changing the port for SSH - a port scanner can 
 figure that one out in seconds...

  A real BOFH would set up a dummy instance of sshd on the regular port, 
as well as a real sshd instance on another port.  The dummy instance
could be set up to always fail the login attempt, and with special
iptable rules to not clutter up your logfile.

-- 
Walter Dnes waltd...@waltdnes.org



Re: [gentoo-user] Resetting the root passwd

2012-01-15 Thread Tanstaafl

On 2012-01-15 12:54 PM, Walter Dnes waltd...@waltdnes.org wrote:

On Thu, Jan 12, 2012 at 06:30:03AM -0500, Tanstaafl wrote

This is nothing like changing the port for SSH - a port scanner can
figure that one out in seconds...



A real BOFH would set up a dummy instance of sshd on the regular port,
as well as a real sshd instance on another port.  The dummy instance
could be set up to always fail the login attempt, and with special
iptable rules to not clutter up your logfile.


Interesting, thanks for the idea... :)



Re: [gentoo-user] Resetting the root passwd

2012-01-15 Thread Alan McKinnon
On Sun, 15 Jan 2012 12:54:51 -0500
Walter Dnes waltd...@waltdnes.org wrote:

 On Thu, Jan 12, 2012 at 06:30:03AM -0500, Tanstaafl wrote
 
  This is nothing like changing the port for SSH - a port scanner can 
  figure that one out in seconds...
 
   A real BOFH would set up a dummy instance of sshd on the regular
 port, as well as a real sshd instance on another port.  The dummy
 instance could be set up to always fail the login attempt, and with
 special iptable rules to not clutter up your logfile.
 

Actually a real sysadmin[1] would run ssh standardly plus OSSEC with
active rules and dynamically block our Chinese friends 

[1] real sysadmin being defined as the quintessentially lazy dude who
is really not into causing himself pain or doing anything that would
increase support tickets in his inbox


-- 
Alan McKinnnon
alan.mckin...@gmail.com




Re: [gentoo-user] Resetting the root passwd

2012-01-15 Thread Pandu Poluan
On Jan 16, 2012 3:56 AM, Alan McKinnon alan.mckin...@gmail.com wrote:

 On Sun, 15 Jan 2012 12:54:51 -0500
 Walter Dnes waltd...@waltdnes.org wrote:

  On Thu, Jan 12, 2012 at 06:30:03AM -0500, Tanstaafl wrote
 
   This is nothing like changing the port for SSH - a port scanner can
   figure that one out in seconds...
 
A real BOFH would set up a dummy instance of sshd on the regular
  port, as well as a real sshd instance on another port.  The dummy
  instance could be set up to always fail the login attempt, and with
  special iptable rules to not clutter up your logfile.
 

 Actually a real sysadmin[1] would run ssh standardly plus OSSEC with
 active rules and dynamically block our Chinese friends

 [1] real sysadmin being defined as the quintessentially lazy dude who
 is really not into causing himself pain or doing anything that would
 increase support tickets in his inbox


That depends on who are authorized to access the boxen via SSH. In my case,
only the IT Division is authorized to access them via SSH, so the real
sysadmin in me (g) decides it is much easier to shift the port rather than
implementing esoteric hardening stuffs ;-)

Plus, I get the benefit of ridiculing any IT guy/gal who managed to get
him-/herself locked out (thanks to the auto-blacklist) B-)

Rgds,


Re: [gentoo-user] Resetting the root passwd

2012-01-15 Thread Pandu Poluan
On Jan 16, 2012 12:58 AM, Walter Dnes waltd...@waltdnes.org wrote:

 On Thu, Jan 12, 2012 at 06:30:03AM -0500, Tanstaafl wrote

  This is nothing like changing the port for SSH - a port scanner can
  figure that one out in seconds...

  A real BOFH would set up a dummy instance of sshd on the regular port,
 as well as a real sshd instance on another port.  The dummy instance
 could be set up to always fail the login attempt, and with special
 iptable rules to not clutter up your logfile.


And don't forget to put the false sshd through a tc rule that chokes the
return traffic to 1 cps B-)

Of course, being the real sysadmin a.k.a lazy slob that I am, that's way
too much work for not enough bastardly pleasure... I can't gleefully see
the face of people trapped in the tc hell :-P

Rgds,


Re: [gentoo-user] Resetting the root passwd

2012-01-14 Thread Mick
On Thursday 12 Jan 2012 14:06:26 Alan McKinnon wrote:
 On Thu, 12 Jan 2012 08:58:02 -0500
 
 Tanstaafl tansta...@libertytrek.org wrote:

  But I still disagree. Would you also classify 'changing the locks on
  your house' as security through obscurity? Because changing the
  character set in PWM is just like changing the lock on a door...

Changing locks (with the same number and quality of locks) is as good as not 
changing locks at all - unless some burglar happens to be half way through 
unpicking the current door lock mechanism.

Changing locks with a higher quality lock (i.e. one with more levers in it) is 
like increasing the number of characters in your password.  If the new levers 
are from a different 'character set' (different design class/pattern of lock 
levers) then it would be more difficult for the burglar to guess what these 
levers might look like (sort of adding more entropy - the levers would appear 
to be more random) and he'll have to try all combinations of levers.  The 
addition of levers (or locks of the same design) is called protection through 
redundancy.  If one falls in the hands of a skilled cracker the second should 
present the *same* level of protection.  So we are essentially increasing the 
time it will take to crack the locks and thankfully the burglar's time is a 
limited resource.

If on the other hand we add an entirely different *means* of protection - e.g. 
a guard dog, then we are increasing the level of protection not through 
redundancy, but through diversity.  This means that systemic weaknesses of 
door lock lever design can be compensated for in our door protection system.  
Systemic weaknesses are important because they can be guessed (like which side 
of the qwerty keyboard the uber-geek typed his password) and so give the 
burglar a smaller set of solutions to try.  There's no point in a burglar 
trying to guess how many or what type of levers a guard dog has.  Indeed, his 
skills and resources at picking locks are now irrelevant - he's got to be a 
skilled dog whisperer too!

We could think of the change of the port of sshd like adding redundancy 
protection, but we don't really.  In reality we are adding (a very low degree 
of) diversity.  This is because we're hiding the door of our hypothetical 
house.  However, in doing so we're giving away the wrong signal to a non-
opportunistic burglar.  Since every other house door in the street is not 
hidden we are subliminally telling the burglars:  Hey!  We have something 
worth hiding in this house.  Then they'll set off picking the locks of our 
door, instead of the doors down the road.  From a probability perspective 
though we are better off changing the sshd port, because all the opportunistic 
(botnet) burglars who just check port 22 will miss our door and never bother 
us.

A strong security system will have both redundancy and diversity in its 
design.  As an example an IPSec VPN set up which uses both SSL Certificates and 
XAuth with a long and random passphrase does just that.
-- 
Regards,
Mick




Re: [gentoo-user] Resetting the root passwd

2012-01-12 Thread Tanstaafl

On 2012-01-11 5:51 PM, Alan McKinnon alan.mckin...@gmail.com wrote:

2. Change the character set used (I always do this)

I like this one :-)

yes, I know it's really just security by obscurity in disguise but I
still like it.


Actually, I disagree vehemently that it is 'security through obscurity'...

It would be next to impossible to 'guess' what changes to any given 
character set any one person randomly chose to make (ie, adding one 
additional '!' character in the middle of the character set in between 
'r' and 's') totally changes the resulting passwords that use that 
character set.


This is nothing like changing the port for SSH - a port scanner can 
figure that one out in seconds...


The fact is, there is *no* 'perfect' security measure, but Passwordmaker 
is as close to one that I have found for managing password (both online, 
and not)...




Re: [gentoo-user] Resetting the root passwd

2012-01-12 Thread Tanstaafl

On 2012-01-11 6:48 PM, Dale rdalek1...@gmail.com wrote:

That's why I like Lastpass.  It fills them in for me so that I can have
a really nice strong password but I don't have to type it in each time.


Like I said, I like Lastpass too, but I simply do not like *storing* the 
passwords somewhere, encrypted or no...




Re: [gentoo-user] Resetting the root passwd

2012-01-12 Thread Tanstaafl

On 2012-01-11 7:31 PM, Alan McKinnon alan.mckin...@gmail.com wrote:

Personally, I advocate using smart password generators like apg. The
password truly is a random distribution of junk, but one that can be
pronounced (a key factor in remembering it).


But that is the whole point... once you get beyond 3, 4 or 10+ 
passwords, 'remembering' them is the problem.


That, again, is why I like pwm... I only have to remember my 3 or 4 
Master Passwords (and which category an account is in, but I have a 
system and that is not a problem).


The passwords it generates *are* as close to random as you can get, 
while still capable of being 'generated' each time by PWM...


Even if I were to lose my settings file (which is kept on a Truecrypt 
container) which contains all of the accounts and settings, I could 
recreate the changes/modifications I have made to it... it would take a 
little while, but I could do it...


I've been using it for many years, and it has never failed me...



Re: [gentoo-user] Resetting the root passwd

2012-01-12 Thread Tanstaafl

On 2012-01-12 6:39 AM, Tanstaafl tansta...@libertytrek.org wrote:

That, again, is why I like pwm... I only have to remember my 3 or 4
Master Passwords (and which category an account is in, but I have a
system and that is not a problem).


Oh... I have about 100 accounts in my passwordmaker settings... so I 
would have to remember 100+ passwords (+ = the ones I use the 'Default' 
settings with, which may be 10 or 15)...




Re: [gentoo-user] Resetting the root passwd

2012-01-12 Thread Alan McKinnon
On Thu, 12 Jan 2012 06:30:03 -0500
Tanstaafl tansta...@libertytrek.org wrote:

 On 2012-01-11 5:51 PM, Alan McKinnon alan.mckin...@gmail.com wrote:
  2. Change the character set used (I always do this)
  I like this one:-)
 
  yes, I know it's really just security by obscurity in disguise but I
  still like it.
 
 Actually, I disagree vehemently that it is 'security through
 obscurity'...

I'd disagree with your disagreement.

There's two usages of the phrase, the first is very disparaging and the
second is simply descriptive. I'm using the second meaning.

Changing the ssh port (and even crypto keys on DVDs) is just a
brain-dead approach, we agree on that. We rightfully rip a new one to
people advocating doing this.

Changing the character set; well that's quite clever actually. You have
a decent security strength underneath it and add an extra layer to
increase the entropy even more (sort of like salting a hash). If an
attacker figures out you're doing it, it won't be hard to undo it, then
only to be faced with a *much* harder problem.

So it's just a description, not an insult. Don't read it as such



 
 It would be next to impossible to 'guess' what changes to any given 
 character set any one person randomly chose to make (ie, adding one 
 additional '!' character in the middle of the character set in
 between 'r' and 's') totally changes the resulting passwords that use
 that character set.
 
 This is nothing like changing the port for SSH - a port scanner can 
 figure that one out in seconds...
 
 The fact is, there is *no* 'perfect' security measure, but
 Passwordmaker is as close to one that I have found for managing
 password (both online, and not)...
 



-- 
Alan McKinnnon
alan.mckin...@gmail.com




Re: [gentoo-user] Resetting the root passwd

2012-01-12 Thread Tanstaafl

On 2012-01-12 8:03 AM, Alan McKinnon alan.mckin...@gmail.com wrote:

On Thu, 12 Jan 2012 06:30:03 -0500 Tanstaafl wrote:

On 2012-01-11 5:51 PM, Alan McKinnon alan.mckin...@gmail.com wrote:

yes, I know it's really just security by obscurity in disguise but I
still like it.



Actually, I disagree vehemently that it is 'security through
obscurity'...



I'd disagree with your disagreement.

There's two usages of the phrase, the first is very disparaging and the
second is simply descriptive. I'm using the second meaning.

Changing the ssh port (and even crypto keys on DVDs) is just a
brain-dead approach, we agree on that. We rightfully rip a new one to
people advocating doing this.

Changing the character set; well that's quite clever actually. You have
a decent security strength underneath it and add an extra layer to
increase the entropy even more (sort of like salting a hash). If an
attacker figures out you're doing it, it won't be hard to undo it, then
only to be faced with a *much* harder problem.

So it's just a description, not an insult. Don't read it as such


Oh, I didn't, I did catch the 'but I still like it', sorry if my reply 
made it sound like I was insulted ;)


But I still disagree. Would you also classify 'changing the locks on 
your house' as security through obscurity? Because changing the 
character set in PWM is just like changing the lock on a door...




Re: [gentoo-user] Resetting the root passwd

2012-01-12 Thread Alan McKinnon
On Thu, 12 Jan 2012 08:58:02 -0500
Tanstaafl tansta...@libertytrek.org wrote:

  So it's just a description, not an insult. Don't read it as such  
 
 Oh, I didn't, I did catch the 'but I still like it', sorry if my
 reply made it sound like I was insulted ;)
 
 But I still disagree. Would you also classify 'changing the locks on 
 your house' as security through obscurity? Because changing the 
 character set in PWM is just like changing the lock on a door...

I don't see it that way. But it all comes down to semantics really and
it's quite a pointless debate as we DO agree that it's overall a good
thing.

And that's what's really important here.
The words we classify it with are not anywhere near as important.

-- 
Alan McKinnnon
alan.mckin...@gmail.com




RE: [gentoo-user] Resetting the root passwd

2012-01-12 Thread Mike Edenfield
 From: Alan McKinnon [mailto:alan.mckin...@gmail.com]
 Sent: Wednesday, January 11, 2012 7:31 PM
 To: gentoo-user@lists.gentoo.org
 Subject: Re: [gentoo-user] Resetting the root passwd
 
 On Wed, 11 Jan 2012 18:09:40 -0500
 Mike Edenfield kut...@kutulu.org wrote:
 
   I agree. Longer pass{words,phrases} only increases the difficulty of
   the problem, but not significantly so.
 
  After I read the aforementioned xkcd comic, my main question was how
  he defined the various bits of entropy for each thing done to a
  password. That seemed to be a crucial determining factor in why the
  common words password appeared so much harder than the goofy
  gibberish one. Some seemed more obvious to me than others.
 
  I'm also curious, using the latest modern password-cracking
  techniques, if his assessment really is accurate. As in, which of the
  following two passwords would take longer to crack:
 
  #purpl3.R$!n#
 
  dovesymbolcarprince
 
 I noticed something about your first sample password, and it reveals a
 lot, I hinted at it in my reply to Dale. Look at the pattern one must type
 to enter that password (assuming a qwerty keyboard):
 
 A symbol, a partial word, then 7 nonsense symbols. The pattern of those
 symbols is highly significant - composed entirely of keystrokes in the
 upper left area and lower right area of the keyboard with a few Shifts
 thrown in for good measure. Almost as if you dropped both hands on the
 keyboard and wiggled your fingers without moving the entire hand much.

Actually, it's just the words purple RAIN with e/a/I replaced with 3/4/1;
I chose l33t-sp33k since I figured it was so over-used for password
generation that everyone would recognize it immediately :) But yes, I think
Randall's point is much the same as yours: once the cracker tools figure
out this pattern of character replacements it becomes significantly less
secure. I'm just curious if there are any real metrics as to how much less
secure that is...

(Clearly my pop culture reference was too obscure, or you'd also have picked
up on the connection between the four random words. :) )

--K




Re: [gentoo-user] Resetting the root passwd

2012-01-12 Thread Frank Steinmetzger
On Thu, Jan 12, 2012 at 11:41:28AM -0500, Mike Edenfield wrote:

 Actually, it's just the words purple RAIN with e/a/I replaced with 3/4/1;
 I chose l33t-sp33k since I figured it was so over-used for password
 generation that everyone would recognize it immediately :) But yes, I think
 Randall's point is much the same as yours: once the cracker tools figure
 out this pattern of character replacements it becomes significantly less
 secure. I'm just curious if there are any real metrics as to how much less
 secure that is...

I'm mixing both -- having long phrases (like whole, but normal, sentences), or
randomly joined words, and those words are in turn leetified. Example:
r3dc7053tch41r (red, closet and chair combined in such a fashion).
-- 
Gruß | Greetings | Qapla'
I forbid any use of my email addresses with Facebook services.

Düsseldorf is only half as big as the graveyard of New York, but twice as dead.




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Tanstaafl
On 2012-01-10 2:12 PM, Hinnerk van Bruinehsen 
h.v.bruineh...@fu-berlin.de wrote:

The simplest solution should be to copy the password-hash of a user
whose password is known to you.
Afterwards you can log in and change the password again.


Thanks, I like that better and it worked like a charm, this way the root 
account is never unprotected (even for a minute)... although remote root 
login is disabled anyway...



And for the future:http://xkcd.com/936/  ;)


I couldn't live without Passwordmaker (Firefox Addon), with it, I can 
have as strong and random passwords as I want on every site, it auto 
fills the username/password for me (if it is a web login page), but 
doesn't store any password anywhere...


http://passwordmaker.org/



Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Nilesh Govindarajan
On Jan 11, 2012 5:57 PM, Tanstaafl tansta...@libertytrek.org wrote:

 On 2012-01-10 2:12 PM, Hinnerk van Bruinehsen h.v.bruineh...@fu-berlin.de
wrote:

 The simplest solution should be to copy the password-hash of a user
 whose password is known to you.
 Afterwards you can log in and change the password again.


 Thanks, I like that better and it worked like a charm, this way the root
account is never unprotected (even for a minute)... although remote root
login is disabled anyway...

 And for the future:http://xkcd.com/936/  ;)


 I couldn't live without Passwordmaker (Firefox Addon), with it, I can
have as strong and random passwords as I want on every site, it auto fills
the username/password for me (if it is a web login page), but doesn't store
any password anywhere...

 http://passwordmaker.org/


While booting, pass init=/bin/bash in the kernel command line


Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Tanstaafl

On 2012-01-11 7:35 AM, Nilesh Govindarajan cont...@nileshgr.com wrote:

While booting, pass init=/bin/bash in the kernel command line


I did... otherwise, it still requires you to know the password... ;)
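The recovery step this exchange settles on (boot with init=/bin/bash, copy the hash of a user whose password you know onto root, log in, change the password), as an added Python illustration that is not a tool from the thread. It works on shadow(5)-format text so it can be tried on a constructed sample; the sample hashes are placeholders.

```python
"""Copy one account's password hash onto another in shadow(5) format.

Added illustration of the recovery step suggested in the thread, not a tool
from it. On a real box you would apply the result to /etc/shadow from the
init=/bin/bash shell (after remounting / read-write) and change the password
immediately after logging in, since both accounts share it until then."""

SHADOW_FIELDS = 9  # name:hash:lastchg:min:max:warn:inactive:expire:reserved


def copy_shadow_hash(shadow_text: str, src_user: str, dst_user: str) -> str:
    """Return shadow_text with dst_user's hash replaced by src_user's.

    Refuses empty or locked source hashes ('', '*', '!...'): copying those
    would leave the destination account without a usable password."""
    rows = []
    for line in shadow_text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != SHADOW_FIELDS:
            raise ValueError(f"malformed shadow line for {fields[0]!r}")
        rows.append(fields)
    by_name = {f[0]: f for f in rows}
    for user in (src_user, dst_user):
        if user not in by_name:
            raise KeyError(f"no such user: {user}")
    src_hash = by_name[src_user][1]
    if src_hash in ("", "*") or src_hash.startswith("!"):
        raise ValueError(f"{src_user} has no usable password hash")
    by_name[dst_user][1] = src_hash          # aging fields stay as they were
    return "".join(":".join(f) + "\n" for f in rows)


# Constructed sample; the hash fields are placeholders, not real hashes.
SAMPLE_SHADOW = (
    "root:$6$OLDSALT$FORGOTTENHASH:15000:0:99999:7:::\n"
    "daemon:*:15000:0:99999:7:::\n"
    "alice:$6$SALTSALT$KNOWNHASH:15300:0:99999:7:::\n"
)

if __name__ == "__main__":
    print(copy_shadow_hash(SAMPLE_SHADOW, "alice", "root"), end="")
```

That this works from any init=/bin/bash shell is also why a bootloader password and disk encryption matter on physically reachable machines.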



Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Alan McKinnon
On Wed, 11 Jan 2012 07:26:07 -0500
Tanstaafl tansta...@libertytrek.org wrote:

 On 2012-01-10 2:12 PM, Hinnerk van Bruinehsen 
 h.v.bruineh...@fu-berlin.de wrote:
  The simplest solution should be to copy the password-hash of a user
  whose password is known to you.
  Afterwards you can log in and change the password again.
 
 Thanks, I like that better and it worked like a charm, this way the
 root account is never unprotected (even for a minute)... although
 remote root login is disabled anyway...
 
  And for the future:http://xkcd.com/936/  ;)
 
 I couldn't live without Passwordmaker (Firefox Addon), with it, I can 
 have as strong and random passwords as I want on every site, it auto 
 fills the username/password for me (if it is a web login page), but 
 doesn't store any password anywhere...



Of course it stores the password somewhere. How else could it log you
in next time? It isn't magic, it retrieves the password from somewhere.



 
 http://passwordmaker.org/
 



-- 
Alan McKinnnon
alan.mckin...@gmail.com




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Tanstaafl

On 2012-01-11 9:16 AM, Alan McKinnon alan.mckin...@gmail.com wrote:

On Wed, 11 Jan 2012 07:26:07 -0500
Tanstaafl tansta...@libertytrek.org wrote:

I couldn't live without Passwordmaker (Firefox Addon), with it, I can
have as strong and random passwords as I want on every site, it auto
fills the username/password for me (if it is a web login page), but
doesn't store any password anywhere...



Of course it stores the password somewhere. How else could it log you
in next time? It isn't magic, it retrieves the password from somewhere.


Nope, it generates it on the fly every time. It uses the current URL (or 
if you create a custom account for that URL, whatever you tell it to 
use), the username (if supplied), and a few other URL unique attributes 
to compute it, and if you create a custom account, it offers many other 
options...


I highly recommend it... it does have a small learning curve, but the 
website will teach you most of what you need to know (I even authored a 
lot of the wiki)...


http://passwordmaker.org/



Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Neil Bothwick
On Wed, 11 Jan 2012 11:04:01 -0500, Tanstaafl wrote:

  I couldn't live without Passwordmaker (Firefox Addon), with it, I can
  have as strong and random passwords as I want on every site, it auto
  fills the username/password for me (if it is a web login page), but
  doesn't store any password anywhere...  
 
  Of course it stores the password somewhere. How else could it log you
  in next time? It isn't magic, it retrieves the password from
  somewhere.  
 
 Nope, it generates it on the fly every time. It uses the current URL
 (or if you create a custom account for that URL, whatever you tell it
 to use), the username (if supplied), and a few other URL unique
 attributes to compute it,

So it stores the data and method needed to recreate the password, same
thing. Or does it not store the username, in which case you have to use
the same username everywhere?


-- 
Neil Bothwick

If Satan ever loses his hair, there'll be hell toupee.




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Tanstaafl

On 2012-01-11 11:27 AM, Neil Bothwick n...@digimed.co.uk wrote:

On Wed, 11 Jan 2012 11:04:01 -0500, Tanstaafl wrote:

I couldn't live without Passwordmaker (Firefox Addon), with it, I can
have as strong and random passwords as I want on every site, it auto
fills the username/password for me (if it is a web login page), but
doesn't store any password anywhere...



Of course it stores the password somewhere. How else could it log you
in next time? It isn't magic, it retrieves the password from
somewhere.



Nope, it generates it on the fly every time. It uses the current URL
(or if you create a custom account for that URL, whatever you tell it
to use), the username (if supplied), and a few other URL unique
attributes to compute it,



So it stores the data and method needed to recreate the password, same
thing. Or does it not store the username, in which case you have to use
the same username everywhere?


It would be easier for you to understand how it works if you would 
simply go read about it.


The one piece that is not stored anywhere (but inside your head) is the 
Master Password.


You can also use more than one Master Password, which I do (three to be 
exact, one for critical stuff (server root passwords, online banking, 
etc), one for less critical stuff, and one for incidental stuff...


Like I said, there is a small learning curve involved with using it, but 
once you figure it out, you'll wonder how you ever got along without it.
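The stateless scheme described in this message and in the earlier reply (password recomputed from the current URL, the username and a few settings, with only the Master Password kept in your head), plus the character-set change discussed further up the thread, as an added Python illustration. This is not PasswordMaker's own algorithm or settings format; the character set, the host-only site key and the PBKDF2 parameters are assumptions made for the example.

```python
"""Stateless site-password derivation of the kind the thread describes.

Added illustration, not PasswordMaker's own algorithm or settings format.
The only secret is the master password; URL, username, length and character
set are public settings, and the password is recomputed from them every time
instead of being stored anywhere."""
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed default character set. Its order matters: inserting a single
# '!' between 'r' and 's', as in the thread, changes every generated password.
DEFAULT_CHARSET = ("abcdefghijklmnopqrstuvwxyz"
                   "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")


def with_inserted(charset: str, new_char: str, after: str) -> str:
    """Return charset with new_char inserted right after the character `after`."""
    i = charset.index(after) + 1
    return charset[:i] + new_char + charset[i:]


def site_key(url: str) -> str:
    """Key on the host only (an assumption of this example). Keying on the
    full absolute URL breaks when a site changes its URL layout, the failure
    mode Michael Mol mentions in the thread."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    return (parts.hostname or "").lower()


def derive_password(master: str, url: str, username: str = "", length: int = 16,
                    charset: str = DEFAULT_CHARSET, iterations: int = 100_000) -> str:
    """Derive a site password from the master secret and public settings.

    PBKDF2-HMAC-SHA256 makes recovering the master from one leaked site
    password slow; the site key and username form the salt, so two sites
    (or two accounts on one site) never share a password."""
    salt = f"{site_key(url)}\x00{username}".encode()
    seed = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations)
    n = len(charset)
    limit = 256 - (256 % n)   # rejection sampling keeps the output unbiased
    out, counter = [], 0
    while len(out) < length:
        # Expand the seed with an HMAC counter until enough accepted bytes exist.
        block = hmac.new(seed, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
        for b in block:
            if b < limit and len(out) < length:
                out.append(charset[b % n])
    return "".join(out)


if __name__ == "__main__":
    pw = derive_password("correct horse battery", "https://example.org/login", "alice")
    pw_alt = derive_password("correct horse battery", "https://example.org/login", "alice",
                             charset=with_inserted(DEFAULT_CHARSET, "!", after="r"))
    print(pw)      # recomputed on demand, never stored
    print(pw_alt)  # same inputs, shifted character set: an unrelated password
```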




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Michael Mol
Neil Bothwick wrote:
 On Wed, 11 Jan 2012 11:04:01 -0500, Tanstaafl wrote:
 
 I couldn't live without Passwordmaker (Firefox Addon), with 
 it, I can have as strong and random passwords as I want on 
 every site, it auto fills the username/password for me (if
 it is a web login page), but doesn't store any password 
 anywhere...
 
 Of course it stores the password somewhere. How else could it 
 log you in next time? It isn't magic, it retrieves the
 password from somewhere.
 
 Nope, it generates it on the fly every time. It uses the current 
 URL (or if you create a custom account for that URL, whatever
 you tell it to use), the username (if supplied), and a few other
 URL unique attributes to compute it,
 
 So it stores the data and method needed to recreate the password, 
 same thing. Or does it not store the username, in which case you 
 have to use the same username everywhere?

Most of my passwords are some hash[1] of a common passcode[2] and some
site-specific or service-specific mnemonic. I imagine this would work
similarly, using the absolute URL in place of a mnemonic.

The downside would be if the server changed its URL rewriting scheme.
- From their perspective, they didn't break anything as long as things
301 redirect to where they should. But it does break things that make
assumptions about absolute URLs. (I've seen that break StumbleUpon
thumbs-up counts, for example.)

[1] The hash algorithm is something I can easily do in my head, not
some massive, crypto-secure, heavily-mathematical thing.

[2] I change the passcode I use for new passwords every several
months, but I can usually guess which one I used for any given site
within three tries. It works out, and is a nice in-head way to have a
different password for every site.



Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Neil Bothwick
On Wed, 11 Jan 2012 11:35:57 -0500, Tanstaafl wrote:

  So it stores the data and method needed to recreate the password, same
  thing. Or does it not store the username, in which case you have to
  use the same username everywhere?  
 
 It would be easier for you to understand how it works if you would 
 simply go read about it.
 
 The one piece that is not stored anywhere (but inside your head) is the 
 Master Password.

Ah, you didn't mention that part. Now it makes some sense.


-- 
Neil Bothwick

If at first you don't succeed you'll get lots of advice.




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Dale

Tanstaafl wrote:

On 2012-01-11 11:27 AM, Neil Bothwick n...@digimed.co.uk wrote:

On Wed, 11 Jan 2012 11:04:01 -0500, Tanstaafl wrote:

I couldn't live without Passwordmaker (Firefox Addon), with it, I can
have as strong and random passwords as I want on every site, it auto
fills the username/password for me (if it is a web login page), but
doesn't store any password anywhere...



Of course it stores the password somewhere. How else could it log you
in next time? It isn't magic, it retrieves the password from
somewhere.



Nope, it generates it on the fly every time. It uses the current URL
(or if you create a custom account for that URL, whatever you tell it
to use), the username (if supplied), and a few other URL unique
attributes to compute it,



So it stores the data and method needed to recreate the password, same
thing. Or does it not store the username, in which case you have to use
the same username everywhere?


It would be easier for you to understand how it works if you would 
simply go read about it.


The one piece that is not stored anywhere (but inside your head) is 
the Master Password.


You can also use more than one Master Password, which I do (three to 
be exact, one for critical stuff (server root passwords, online 
banking, etc), one for less critical stuff, and one for incidental 
stuff...


Like I said, there is a small learning curve involved with using it, 
but once you figure it out, you'll wonder how you ever got along 
without it.





I use Lastpass for my stuff.  It is encrypted locally but available 
anywhere.  It works pretty well.


These things sure beat trying to remember a really strong password.  My 
bank and credit card passwords are off the chart.


Dale

:-)  :-)

--
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!

Miss the compile output?  Hint:
EMERGE_DEFAULT_OPTS=--quiet-build=n




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Tanstaafl

On 2012-01-11 11:36 AM, Michael Mol mike...@gmail.com wrote:

Most of my passwords are some hash[1] of a common passcode[2] and some
site-specific or service-specific mnemonic. I imagine this would work
similarly, using the absolute URL in place of a mnemonic.

The downside would be if the server changed its URL rewriting scheme.
- From their perspective, they didn't break anything as long as things
301 redirect to where they should. But it does break things that make
assumptions about absolute URLs. (I've seen that break StumbleUpon
thumbs-up counts, for example.)


This is not a problem with Passwordmaker as long as you use a custom 
account, because all you have to do if the URL changes is add/edit the 
URL pattern (used to detect the account/page). The 'text' used for 
*calculating* the password wouldn't change then.



[1] The hash algorithm is something I can easily do in my head, not
some massive, crypto-secure, heavily-mathematical thing.


I do something similar with Passwordmaker... I have a specific way I 
'modify' the password (add a few specific characters at certain places 
in the password) before logging in, but I only do this with critical 
sites/passwords.



[2] I change the passcode I use for new passwords every several
months, but I can usually guess which one I used for any given site
within three tries. It works out, and is a nice in-head way to have a
different password for every site.


I almost never change my passwords, unless there is a good reason to. 
With a strong password, it simply isn't necessary. But if you need to, 
it is dead easy in Passwordmaker - just add a '1' to the modifier field 
for that account, then start incrementing it whenever you change it.




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Tanstaafl

On 2012-01-11 11:51 AM, Dale rdalek1...@gmail.com wrote:

I use Lastpass for my stuff. It is encrypted locally but available
anywhere. It works pretty well.


Heard good things about it, but I prefer something that doesn't store 
the passwords anywhere, ever...



These things sure beat trying to remember a really strong password. My
bank and credit card passwords are off the chart.


Yeah, but what about those moron banks that only allow you to use 
lowercase letters - and only a max of 6 - for the password? I'm not sure 
if it is as big a problem as it was, but I have changed banks over things 
like that, and told them why in the process.




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Michael Mol
Tanstaafl wrote:
 On 2012-01-11 11:36 AM, Michael Mol mike...@gmail.com wrote:
 Most of my passwords are some hash[1] of a common passcode[2] and some
 site-specific or service-specific mnemonic. I imagine this would work
 similarly, using the absolute URL in place of a mnemonic.

 The downside would be if the server changed its URL rewriting scheme.
 - From their perspective, they didn't break anything as long as things
 301 redirect to where they should. But it does break things that make
 assumptions about absolute URLs. (I've seen that break StumbleUpon
 thumbs-up counts, for example.)
 
 This is not a problem with Passwordmaker as long as you use a custom
 account, because all you have to do if the URL changes is add/edit the
 URL pattern (used to detect the account/page). The 'text' used for
 *calculating* the password wouldn't change then.
 
 [1] The hash algorithm is something I can easily do in my head, not
 some massive, crypto-secure, heavily-mathematical thing.
 
 I do something similar with Passwordmaker... I have a specific way I
 'modify' the password (add a few specific characters at certain places
 in the password) before logging in, but I only do this with critical
 sites/passwords.
 
 [2] I change the passcode I use for new passwords every several
 months, but I can usually guess which one I used for any given site
 within three tries. It works out, and is a nice in-head way to have a
 different password for every site.
 
 I almost never change my passwords, unless there is a good reason to.
 With a strong password, it simply isn't necessary. But if you need to,
 it is dead easy in Passwordmaker - just add a '1' to the modifier field
 for that account, then start incrementing it whenever you change it.

Pretty sure I understand the thing.

The biggest driver for me to change my passcode are leaks...whether it's
something like Sony's Play Station Network leak, or whether I typed
something into the wrong terminal, or whether something stole focus at
the wrong moment. Critical sites get their password changed first, on
the off chance someone knows enough about me to guess my username,
mnemonic and hash. Less critical sites follow.

Actually happened Sunday morning. Typed a password into the wrong
window, and now I've got a new passcode.



Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Dale

Tanstaafl wrote:

On 2012-01-11 11:51 AM, Dale rdalek1...@gmail.com wrote:

I use Lastpass for my stuff. It is encrypted locally but available
anywhere. It works pretty well.


Heard good things about it, but I prefer something that doesn't store 
the passwords anywhere, ever...


I have too many places to remember all the passwords tho.  Having just 
one or two passwords isn't a good idea either.





These things sure beat trying to remember a really strong password. My
bank and credit card passwords are off the chart.


Yeah, but what about those moron banks that only allow you to use 
lowercase letters - and only a max of 6 - for the password? I'm not 
sure if it is as big a problem as it was, but I have changed banks over 
things like that, and told them why in the process.





I agree with that.  My bank made some changes that I didn't agree with 
too.  I sent them information about how their process was tested by MIT 
and some University in California and it failed the test badly.  I then 
figured out a way to work around that and still have my really good 
password.  If they won't let me have a good password, I won't be doing 
anything online.  I'll just pick up the phone and call them to check on 
balances and such until they fix it.  My bank does allow customers to 
disable online access.


Dale

:-)  :-)

--
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!

Miss the compile output?  Hint:
EMERGE_DEFAULT_OPTS=--quiet-build=n




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Tanstaafl

On 2012-01-11 1:47 PM, Dale rdalek1...@gmail.com wrote:

Tanstaafl wrote:

On 2012-01-11 11:51 AM, Dale rdalek1...@gmail.com wrote:

I use Lastpass for my stuff. It is encrypted locally but available
anywhere. It works pretty well.



Heard good things about it, but I prefer something that doesn't store
the passwords anywhere, ever...



I have too many places to remember all the passwords tho. Having just one
or two passwords isn't a good idea either.


That is precisely *why* I love passwordmaker... each and every site has 
a unique 15 or 20 character strong password that I don't *have* to 
remember, all I have to remember is my Master Password for that category 
of account...



If they won't let me have a good password, I won't be doing
anything online. I'll just pick up the phone and call them to check on
balances and such until they fix it. My bank does allow customers to
disable online access.


Which won't help if/when they get hacked.

If you don't care enough to change banks, they'll probably never change 
their policy. If they lose enough accounts because of it, someone is 
gonna take notice, and some moron admin will get canned for being so stupid.




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Alex Schuster
Tanstaafl writes:

 On 2012-01-11 11:51 AM, Dale rdalek1...@gmail.com wrote:

 These things sure beat trying to remember a really strong password. My
 bank and credit card passwords are off the chart.
 
 Yeah, but what about those moron banks that only allow you to use 
 lowercase letters - and only a max of 6 - for the password? I'm not sure 
 if it is as big a problem as it was, but I have changed banks over things 
 like that, and told them why in the process.

My banking PIN also has only six characters, but I don't worry too much
about this. An attacker only has a few tries before online access is
disabled. And even if he did succeed, all he gains is to see my
account balance and my past transactions. In order to actually do
something, he would also need the correct TAN. In the past I had a list
of those, but nowadays this is no longer possible, instead I get the TAN
via SMS when I make a transaction.

Wonko



Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Dale

Tanstaafl wrote:

On 2012-01-11 1:47 PM, Dale rdalek1...@gmail.com wrote:

Tanstaafl wrote:

On 2012-01-11 11:51 AM, Dale rdalek1...@gmail.com wrote:

I use Lastpass for my stuff. It is encrypted locally but available
anywhere. It works pretty well.



Heard good things about it, but I prefer something that doesn't store
the passwords anywhere, ever...



I have too many places to remember all the passwords tho. Having just one
or two passwords isn't a good idea either.


That is precisely *why* I love passwordmaker... each and every site 
has a unique 15 or 20 character strong password that I don't *have* to 
remember, all I have to remember is my Master Password for that 
category of account...


Well, Lastpass does the same thing.  I do make up my own tho.  I at 
least have a chance at guessing it.  ;-)





If they won't let me have a good password, I won't be doing
anything online. I'll just pick up the phone and call them to check on
balances and such until they fix it. My bank does allow customers to
disable online access.


Which won't help if/when they get hacked.

If you don't care enough to change banks, they'll probably never 
change their policy. If they lose enough accounts because of it, 
someone is gonna take notice, and some moron admin will get canned for 
being so stupid.





If I call the bank and tell them to disable online access, even I can't 
access my account online.  If a hacker can hack in and get my info, then 
that has nothing to do with passwords.  The hacker has gained access to 
the server as a whole at that point.


The biggest thing I don't like, my bank runs windoze.  A really old 
version at that.  I hope they update that thing.  o_O


Dale

:-)  :-)

--
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!

Miss the compile output?  Hint:
EMERGE_DEFAULT_OPTS=--quiet-build=n




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Alan McKinnon
On Wed, 11 Jan 2012 11:04:01 -0500
Tanstaafl tansta...@libertytrek.org wrote:

 On 2012-01-11 9:16 AM, Alan McKinnon alan.mckin...@gmail.com wrote:
  On Wed, 11 Jan 2012 07:26:07 -0500
  Tanstaafltansta...@libertytrek.org  wrote:
  I couldn't live without Passwordmaker (Firefox Addon), with it, I
  can have as strong and random passwords as I want on every site,
  it auto fills the username/password for me (if it is a web login
  page), but doesn't store any password anywhere...
 
  Of course it stores the password somewhere. How else could it log
  you in next time? It isn't magic, it retrieves the password from
  somewhere.
 
 Nope, it generates it on the fly every time. It uses the current URL
 (or if you create a custom account for that URL, whatever you tell it
 to use), the username (if supplied), and a few other URL unique
 attributes to compute it, and if you create a custom account, it
 offers many other options...
 
 I highly recommend it... it does have a small learning curve, but the 
 website will teach you most of what you need to know (I even authored
 a lot of the wiki)...
 
 http://passwordmaker.org/
 

I haven't read the site yet, but just on the basis of your description,
all I'm seeing is a teeny-weeny amount of entropy leading to
passwords that are very easy for computers to compute.

The algorithm is probably known and there can't be that many unique
attributes to a URL, leading to a very small pool of random data.

In fact, I see this as a distinct possibility:
http://xkcd.com/936/

Feel free to correct me if I'm wrong.



-- 
Alan McKinnnon
alan.mckin...@gmail.com




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Tanstaafl

On 2012-01-11 3:56 PM, Alan McKinnon alan.mckin...@gmail.com wrote:

On Wed, 11 Jan 2012 11:04:01 -0500
Tanstaafltansta...@libertytrek.org  wrote:

http://passwordmaker.org/



I haven't read the site yet, but just on the basis of your description,
all I'm seeing is a teeny-weeny amount of entropy leading to
passwords that are very easy for computers to compute.

The algorithm is probably known and there can't be that many unique
attributes to a URL, leading to a very small pool of random data.

In fact, I see this as a distinct possibility:
http://xkcd.com/936/

Feel free to correct me if I'm wrong.


You are wrong, but you'll need to read the site to learn why...



Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Alan McKinnon
On Wed, 11 Jan 2012 16:07:41 -0500
Tanstaafl tansta...@libertytrek.org wrote:

 On 2012-01-11 3:56 PM, Alan McKinnon alan.mckin...@gmail.com wrote:
  On Wed, 11 Jan 2012 11:04:01 -0500
  Tanstaafltansta...@libertytrek.org  wrote:
  http://passwordmaker.org/
 
 
  I haven't read the site yet, but just on the basis of your
  description, all I'm seeing is a teeny-weeny amount of entropy
  leading to passwords that are very easy for computers to compute.
 
  The algorithm is probably known and there can't be that many unique
  attributes to a URL, leading to a very small pool of random data.
 
  In fact, I see this as a distinct possibility:
  http://xkcd.com/936/
 
  Feel free to correct me if I'm wrong.
 
 You are wrong, but you'll need to read the site to learn why...

The site doesn't say much. It has one page, no internal links (quite a
few external ones) and a single link to an image.

But still, one can infer some of the methods of operation. There's a
master password and a few bits of easily guessable[1] entropy in the
additional data the user can configure.

It has one weakness that reduces it back to the same password being
re-used. And that is that there is a single master password. An
attacker would simply need to acquire that using various nefarious
means (shoulder surfing, social engineering, hosepipe decryption) and
suddenly you are wide open[2].

I don't see that it increases cryptographic security by very much (it
does by a little) but it will increase real-life effective security by
a lot. It removes most of the threat from shoulder-surfing and
StickyNoteSyndrome (much like ssh agents do too). In a corporate
environment[3], that is the major threat we face, the one that keeps
me awake at night, the one ignored by all security auditors and the one
understood by a mere three people in the company... :-(

[1] Easily guessable by a computer
[2] I have my paranoia hat on currently
[3] for example, mine

-- 
Alan McKinnnon
alan.mckin...@gmail.com
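As an added example, not code from Passwordmaker or from anyone in this thread, the following Python sketches a derivation scheme in the same spirit as what Tanstaafl describes (master password plus URL pattern, username and a modifier that is bumped to rotate a password) and then plays out Alan's objection above: an attacker who obtains one derived password from a breached site can test master-password guesses offline, because everything except the master is public. The KDF (PBKDF2-HMAC-SHA256), the character-set mapping, the site names and the word list are assumptions for illustration, not Passwordmaker's real algorithm.

```python
"""Passwordmaker-style per-site password derivation, and what one leaked
derived password lets an attacker do.

Added illustration for this thread: NOT Passwordmaker's real algorithm.
The KDF, charset mapping, sample sites and word list are assumptions.
"""
import hashlib
import hmac
from typing import Iterable, Optional

ALNUM_CHARSET = ("abcdefghijklmnopqrstuvwxyz"
                 "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789")
SYMBOL_CHARSET = ALNUM_CHARSET + "!@#$%^&*()-_=+"


def derive_password(master: str, site: str, username: str = "",
                    modifier: str = "", length: int = 20,
                    charset: str = ALNUM_CHARSET,
                    iterations: int = 100_000) -> str:
    """Derive a fixed-length password from the master password plus the
    per-account inputs (site/URL pattern, username, modifier).

    Only `master` is secret; the other inputs form the salt. Bumping
    `modifier` ("1", "2", ...) gives a fresh password for the same site,
    and changing `charset` changes every output character.
    """
    salt = "\x00".join([site, username, modifier]).encode("utf-8")
    # A slow KDF so that each master-password guess costs the attacker
    # `iterations` HMAC calls; a bare MD5/SHA would make guessing far cheaper.
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                              iterations, dklen=2 * length)
    # Two key bytes per output character: 65536 mod len(charset) leaves a
    # negligible bias, unlike one byte per character.
    return "".join(
        charset[int.from_bytes(key[2 * i:2 * i + 2], "big") % len(charset)]
        for i in range(length)
    )


def recover_master(leaked: str, site: str, username: str,
                   candidates: Iterable[str], **kw) -> Optional[str]:
    """Offline guessing attack against the master password.

    Input: one derived password recovered from a site breach plus the
    public per-account inputs. Each candidate master is run through the
    same derivation; a match proves the guess. This is the 'single master
    password' weakness: a weak master, leaked anywhere, opens every site.
    """
    for guess in candidates:
        if hmac.compare_digest(derive_password(guess, site, username, **kw),
                               leaked):
            return guess
    return None


if __name__ == "__main__":
    # Constructed demo data (assumed site, user and word list).
    kdf = dict(iterations=20_000)
    site, user = "https://shop.example.test/login", "bob"
    p0 = derive_password("hunter2", site, user, **kdf)
    p1 = derive_password("hunter2", site, user, modifier="1", **kdf)
    print("site password         :", p0)
    print("after bumping modifier:", p1)
    wordlist = ["123456", "password", "hunter2", "letmein"]
    print("attacker recovers master:",
          recover_master(p0, site, user, wordlist, **kdf))
    strong = derive_password("correct horse battery staple", site, user, **kdf)
    print("strong master, same list:",
          recover_master(strong, site, user, wordlist, **kdf))
```

Michael's later point that a man-in-the-middle only learns one password holds for this construction, since PBKDF2 is one-way; but that guarantee is only as strong as the master password's entropy and the KDF's cost, which is exactly the residual risk Alan describes.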




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Tamer Higazi
I'll tell you the right way to do it. Make it as easy as possible, not so
difficult like the others in the thread!

Download SystemRescueCd (which is a nice gentoo system with lots of
beautiful tools running out of the box):

http://www.sysresccd.org/Download


download, burn and boot from the cd. This is a gentoo live cd, with
maintenance tools!


After you started from the cd, create a directory, let us say: /mnt/gentooX

and mount your partition inside, where the entire tree lives in it.

if /dev/sda5 or whatever has the entire tree:

mount /dev/sda5 /mnt/gentooX

optionally mount the other partitions from your hard disk, e.g. if /opt is
its own partition; to find out, look in your hard disk's fstab, in this
case:

/mnt/gentooX/etc/fstab

which shows you the partition table!

chroot the new environment:

mount -t proc none /mnt/gentooX/proc

if you need networking, otherwise leave this step away.
cp -L /etc/resolv.conf /mnt/gentooX/etc/resolv.conf


chroot /mnt/gentooX /bin/bash
env-update
source /etc/profile


after you did this, you are in your hard disk's environment as root, and
you easily can issue this command:

passwd root


Tamer

Am 10.01.2012 19:46, schrieb Tanstaafl:
 Ok, I did something really dumb...
 
 I changed the root passwd for a system I manage last week, but neglected
 to write it down, and now what I *thought* I had changed it to isn't
 working... I know, I know, really *really* dumb, but that's where I am...
 
 I know I can boot into Single User mode, remount the root partition
 read/write, and edit /etc/shadow (removing the encrypted passwd), then
 reset it using passwd, but...
 
 Some of the accounts in /etc/shadow have a '*' where the encrypted
 passwd would be, and some have a '!'... (ie, one is sshd:!:... and
 another is halt:*:...)
 
 Does it matter what I change it to? Should I use a *, !, or nothing at
 all (so that there is *nothing* between the two :: that would normally
 contain the encrypted passwd)?
 
 Thanks...
 

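To make the '*' versus '!' question in the quoted original concrete, here is an added Python example (not from any post in the thread) that parses shadow-format entries, classifies the password field, and applies the lock/unlock convention that passwd -l and passwd -u use. The entries are constructed with made-up hashes; it never reads or writes the real /etc/shadow.

```python
"""Classify and edit the password field of /etc/shadow entries.

Added illustration for this thread, not from the original posts. Works on
constructed sample lines with made-up hashes; it never reads or writes the
real /etc/shadow.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample: the hashes are placeholders, not real crypt output.
SAMPLE_SHADOW = [
    "root:$6$madeupsalt$MADEUPHASHMADEUPHASHMADEUPHASH:15345:0:99999:7:::",
    "halt:*:15345:0:99999:7:::",
    "sshd:!:15345:0:99999:7:::",
    "alice:!$6$madeupsalt$MADEUPHASHMADEUPHASHMADEUPHASH:15345:0:99999:7:::",
    "guest::15345:0:99999:7:::",
]


@dataclass
class ShadowEntry:
    name: str
    password: str
    aging: List[str]  # lastchg, min, max, warn, inactive, expire, reserved

    @classmethod
    def parse(cls, line: str) -> "ShadowEntry":
        fields = line.rstrip("\n").split(":")
        if len(fields) != 9:
            raise ValueError(f"expected 9 colon-separated fields: {line!r}")
        return cls(fields[0], fields[1], fields[2:])

    def format(self) -> str:
        return ":".join([self.name, self.password, *self.aging])


def password_state(field: str) -> str:
    """Meaning of the shadow password field.

    Anything that is not crypt(3) output makes password authentication
    fail; '*' and '!' are just two conventions for saying so.
    """
    if field == "":
        return "empty"        # no password; pam_unix permits login only with nullok
    if field.startswith("$"):
        return "hashed"       # normal account with a usable hash
    if field.startswith("!"):
        behind = field.lstrip("!")
        if behind.startswith("$"):
            return "locked"   # hash kept, '!' prefixed by passwd -l / usermod -L
        return "locked-no-password"  # '!' or '!!': locked, nothing to restore
    if field.startswith("*"):
        return "no-password"  # system account that never had a password
    return "invalid"


def lock(entry: ShadowEntry) -> ShadowEntry:
    """Disable password login while keeping the hash (what passwd -l does)."""
    if not entry.password.startswith("!"):
        entry.password = "!" + entry.password
    return entry


def unlock(entry: ShadowEntry) -> ShadowEntry:
    """Reverse lock(); refuse when unlocking would leave an empty field,
    as passwd -u also refuses to create a passwordless account."""
    behind = entry.password.lstrip("!")
    if behind == "":
        raise ValueError(f"{entry.name}: no password to restore; set one instead")
    entry.password = behind
    return entry


def clear_password(entry: ShadowEntry) -> ShadowEntry:
    """The recovery trick from the original question: blank the field so
    `passwd root` can set a new one. Run passwd immediately afterwards;
    an empty field is the 'empty' state above, not a locked one."""
    entry.password = ""
    return entry


if __name__ == "__main__":
    for line in SAMPLE_SHADOW:
        e = ShadowEntry.parse(line)
        print(f"{e.name:6s} {password_state(e.password):20s} {e.format()}")
```

For the reset itself any of the three values answers the question, because none of them is a hash a login can match against; the reason to prefer blanking the field over '*' or '!' is only that passwd will then let you set a new password without further ceremony, which is why it should be done and finished in one sitting.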



Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Tanstaafl

On 2012-01-11 4:51 PM, Alan McKinnon alan.mckin...@gmail.com wrote:

The site doesn't say much. It has one page, no internal links (quite a
few external ones) and a single link to an image.


Weird... the wiki tree is gone... there are a *ton* of pages there, I'll 
have to poke the maintainers... maybe they were updating mediawiki and 
broke something...



But still, one can infer some of the methods of operation. There's a
master password and a few bits of easily guessable[1] entropy in the
additional data the user can configure.

It has one weakness that reduces it back to the same password being
re-used. And that is that there is a single master password.


Like I said, you can use more than one. The trick is remembering which 
one you used with which accounts. I use different Master Passwords for 
different Account Groups.



An attacker would simply need to acquire that using various
nefarious means (shoulder surfing, social engineering, hosepipe
decryption) and suddenly you are wide open[2].


That is true for *any* password scheme... but there are simple ways to 
mitigate the risks...


1. Use multiple Master Passwords...
2. Change the character set used (I always do this)
3. Add additional character modifications to each password (figure out
   one way that you can easily remember and do it the same for each
   password)
4.


I don't see that it increases cryptographic security by very much (it
does by a little)


Actually, it does, and once the site is back up I'll post here and you 
can go read all about it...




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Michael Mol
Alan McKinnon wrote:
 On Wed, 11 Jan 2012 16:07:41 -0500
 Tanstaafl tansta...@libertytrek.org wrote:
 
 On 2012-01-11 3:56 PM, Alan McKinnon alan.mckin...@gmail.com wrote:
 On Wed, 11 Jan 2012 11:04:01 -0500
 Tanstaafltansta...@libertytrek.org  wrote:
 http://passwordmaker.org/


 I haven't read the site yet, but just on the basis of your
 description, all I'm seeing is a teeny-weeny amount of entropy
 leading to passwords that are very easy for computers to compute.

 The algorithm is probably known and there can't be that many unique
 attributes to a URL, leading to a very small pool of random data.

 In fact, I see this as a distinct possibility:
 http://xkcd.com/936/

 Feel free to correct me if I'm wrong.

 You are wrong, but you'll need to read the site to learn why...
 
 The site doesn't say much. It has one page, no internal links (quite a
 few external ones) and a single link to an image.
 
 But still, one can infer some of the methods of operation. There's a
 master password and a few bits of easily guessable[1] entropy in the
 additional data the user can configure.
 
 It has one weakness that reduces it back to the same password being
 re-used. And that is that there is a single master password. An
 attacker would simply need to acquire that using various nefarious
 means (shoulder surfing, social engineering, hosepipe decryption) and
 suddenly you are wide open[2].

I would expect it to use a strong forward-only hash. I can't do that in
my head, but that's what I'd expect this software to do. A MITM between
the computer and the remote host should only result in a single password
lost.

 
 I don't see that it increases cryptographic security by very much (it
 does by a little) but it will increase real-life effective security by
 a lot. It removes most of the threat from shoulder-surfing and
 StickyNoteSyndrome (much like ssh agents do too). In a corporate
 environment[3], that is the major threat we face, the one that keeps
 me awake at night, the one ignored by all security auditors and the one
 understood by a mere three people in the company... :-(

I was convinced you completely missed the point, but I think you found
it here.

 
 [1] Easily guessable by a computer
 [2] I have my paranoia hat on currently
 [3] for example, mine
 

I'm seriously unconvinced that concatenating words significantly
increases the difficulty of the problem. Just as a mentalist will
presume you're thinking about '7', your average demographic would
probably draw from a small pool of source words, even latching on to
catchphrases and other memes. You're likely to see steamingmonkeypile,
nyanyanyan, dontsaycandleja- and hasturhasturhast- used more than
once, for example. I'd give a better list of likely results, but I don't
want to run too far afoul of good taste in public posting. :)



Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Tanstaafl

On 2012-01-11 5:05 PM, Tanstaafl tansta...@libertytrek.org wrote:

Actually, it does, and once the site is back up I'll post here and you
can go read all about it...


Even weirder...

The menu tree is actually still there, but it is displayed way down the 
page, so something definitely is broken. I've already emailed the 
maintainer...


But, you can peruse the site from the menu tree, you'll just have to 
scroll way down to get to it...


www.passwordmaker.org



Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Alan McKinnon
On Wed, 11 Jan 2012 17:08:04 -0500
Michael Mol mike...@gmail.com wrote:

 I'm seriously unconvinced that concatenating words significantly
 increases the difficulty of the problem. Just as a mentalist will
 presume you're thinking about '7', your average demographic would
 probably draw from a small pool of source words, even latching on to
 catchphrases and other memes. You're likely to see
 steamingmonkeypile, nyanyanyan, dontsaycandleja- and
 hasturhasturhast- used more than once, for example. I'd give a
 better list of likely results, but I don't want to run too far afoul
 of good taste in public posting. :)

I agree. Longer pass{words,phrases} only increases the difficulty of
the problem, but not significantly so.



-- 
Alan McKinnnon
alan.mckin...@gmail.com




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Alan McKinnon
On Wed, 11 Jan 2012 17:05:28 -0500
Tanstaafl tansta...@libertytrek.org wrote:

 On 2012-01-11 4:51 PM, Alan McKinnon alan.mckin...@gmail.com wrote:
  The site doesn't say much. It has one page, no internal links
  (quite a few external ones) and a single link to an image.
 
 Weird... the wiki tree is gone... there are a *ton* of pages there,
 I'll have to poke the maintainers... maybe they were updating
 mediawiki and broke something...
 
  But still, one can infer some of the methods of operation. There's a
  master password and a few bits of easily guessable[1] entropy in the
  additional data the user can configure.
 
  It has one weakness that reduces it back to the same password being
  re-used. And that is that there is a single master password.
 
 Like I said, you can use more than one. The trick is remembering
 which one you used with which accounts. I use different Master
 Passwords for different Account Groups.
 
  An attacker would simply need to acquire that using various
  nefarious means (shoulder surfing, social engineering, hosepipe
  decryption) and suddenly you are wide open[2].
 
 That is true for *any* password scheme... but there are simple ways
 to mitigate the risks...
 
 1. Use multiple Master Passwords...
 2. Change the character set used (I always do this)

I like this one :-)

yes, I know it's really just security by obscurity in disguise but I
still like it. 

It's like anti-spam measures - effective at first till the spammers
catch on then you go find another method. But in the interim you did
have something workable to use


 3. Add additional character modifications to each password (figure out
 one way that you can easily remember and do it the same for each
 password)
 4.
 
  I don't see that it increases cryptographic security by very much
  (it does by a little)
 
 Actually, it does, and once the site is back up I'll post here and
 you can go read all about it...
 



-- 
Alan McKinnnon
alan.mckin...@gmail.com




RE: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Mike Edenfield
 From: Alan McKinnon [mailto:alan.mckin...@gmail.com]
 Sent: Wednesday, January 11, 2012 5:48 PM

 On Wed, 11 Jan 2012 17:08:04 -0500
 Michael Mol mike...@gmail.com wrote:
 
  I'm seriously unconvinced that concatenating words significantly
  increases the difficulty of the problem. Just as a mentalist will
  presume you're thinking about '7', your average demographic would
  probably draw from a small pool of source words, even latching on to
  catchphrases and other memes. You're likely to see
  steamingmonkeypile, nyanyanyan, dontsaycandleja- and
  hasturhasturhast- used more than once, for example. I'd give a
  better list of likely results, but I don't want to run too far afoul
  of good taste in public posting. :)
 
 I agree. Longer pass{words,phrases} only increases the difficulty of the
 problem, but not significantly so.

After I read the aforementioned xkcd comic, my main question was how he
defined the various bits of entropy for each thing done to a password.
That seemed to be a crucial determining factor in why the common words
password appeared so much harder than the goofy gibberish one. Some seemed
more obvious to me than others.

I'm also curious, using the latest modern password-cracking techniques, if
his assessment really is accurate. As in, which of the following two
passwords would take longer to crack:

#purpl3.R$!n#

dovesymbolcarprince

--K




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Hinnerk van Bruinehsen

On 12.01.2012 00:09, Mike Edenfield wrote:
 From: Alan McKinnon [mailto:alan.mckin...@gmail.com] Sent:
 Wednesday, January 11, 2012 5:48 PM
 
 On Wed, 11 Jan 2012 17:08:04 -0500 Michael Mol
 mike...@gmail.com wrote:
 
 I'm seriously unconvinced that concatenating words
 significantly increases the difficulty of the problem. Just as
 a mentalist will presume you're thinking about '7', your
 average demographic would probably draw from a small pool of
 source words, even latching on to catchphrases and other memes.
 You're likely to see steamingmonkeypile, nyanyanyan,
 dontsaycandleja- and hasturhasturhast- used more than once,
 for example. I'd give a better list of likely results, but I
 don't want to run too far afoul of good taste in public
 posting. :)
 
 I agree. Longer pass{words,phrases} only increases the difficulty
 of the problem, but not significantly so.
 
 After I read the aforementioned xkcd comic, my main question was
 how he defined the various bits of entropy for each thing done to
 a password. That seemed to be a crucial determining factor in why
 the common words password appeared so much harder than the goofy
 gibberish one. Some seemed more obvious to me than others.
 
 I'm also curious, using the latest modern password-cracking
 techniques, if his assessment really is accurate. As in, which of
 the following two passwords would take longer to crack:
 
 #purpl3.R$!n#
 
 dovesymbolcarprince
 
 --K
 
 

Since both passwords are of nearly same length, the argument from the
comic is not fulfilled: if you would use
armageddonholycowencryptionworkshop you would have a relatively easy
to remember, long password.

Password length is far more important than using special characters... [1]


[1]
http://www.infoworld.com/d/security-central/password-size-does-matter-531
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPDh7sAAoJEJwwOFaNFkYcV8MIAK9VekY88JElF9n9dEOSFOq1
g/RajBSrAaVbR/WV84DQ8xGGOLSIFMUFRWXTRcVEufCw0fXu6OBvKIsXhgZbWK1v
DEYsQInIk73YGIeyCImd95nXZbswD7cbpGA7g9h/0u2d8+tbvqSIP/fNAKAUU0Yi
uj3YiBz3ZXF+PZhvN5H0ZbKo1h7FOspzrd8UeSAzCBYJJeFEnpihWsfDiYdMYZrz
AnAN6tk/llWfYsJkVaVpsjwHjzsDCCgUhmqL30kV2l24ngg5WeEXDcuuEoFdQGIK
eV6CP6NSxSIPfQ4qEi2FTKzPLhHR6YhT/EVfYwis/OyYMSXatW+s7oNaqdjGAbg=
=aKCH
-END PGP SIGNATURE-



Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Dale

Alan McKinnon wrote:

On Wed, 11 Jan 2012 17:08:04 -0500
Michael Mol mike...@gmail.com  wrote:


I'm seriously unconvinced that concatenating words significantly
increases the difficulty of the problem. Just as a mentalist will
presume you're thinking about '7', your average demographic would
probably draw from a small pool of source words, even latching on to
catchphrases and other memes. You're likely to see
steamingmonkeypile, nyanyanyan, dontsaycandleja- and
hasturhasturhast- used more than once, for example. I'd give a
better list of likely results, but I don't want to run too far afoul
of good taste in public posting. :)

I agree. Longer pass{words,phrases} only increases the difficulty of
the problem, but not significantly so.





I use those online password strength testers.  I don't use the exact 
characters tho.  I replace a character with a similar one.  I may 
replace the letter A with the letter Z.  I leave cases the same tho 
since they make a difference.  I at least try to get them to 100% and 
for sites like my bank, I add a few more weird characters for good measure.


The password I use for my banks has both upper and lower case, a few 
numbers and some of the thingys above the numbers on the top row.  You 
know, !@#$%^*().  Mine is reasonably long but it is not based on 
anything related to me.  It's just sort of a random thing that I can 
remember pretty well but HATE to type in.  That's why I like Lastpass.  
It fills them in for me so that I can have a really nice strong password 
but I don't have to type it in each time.


On a security related question.  Why do so many people have their 
facebook accounts and other similar sites hacked?  Do hackers just guess 
their passwords or do they break into the websites?  I have facebook, 
myspace, google+ and a couple others and have had them for years.  I 
have never had mine hacked into, at least not yet.  I'm just curious.  
Is it a windoze thing?  lol


Dale

:-)  :-)

--
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!

Miss the compile output?  Hint:
EMERGE_DEFAULT_OPTS=--quiet-build=n




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Alan McKinnon
On Wed, 11 Jan 2012 17:48:50 -0600
Dale rdalek1...@gmail.com wrote:

 On a security related question.  Why do so many people have their 
 facebook accounts and other similar sites hacked?  Do hackers just
 guess their passwords or do they break into the websites?  I have
 facebook, myspace, google+ and a couple others and have had them for
 years.  I have never had mine hacked into, at least not yet.  I'm
 just curious. Is it a windoze thing?  lol

Nothing like that. Most people think they are very clever about
passwords but they are actually rather dumb about it.

Easiest way to break into many people's FaceBook page is to scrape
their FaceBook page and throw a lexical analyser at it (that being the
same class of software that search engines use - it looks for patterns
in text. The software does not have the human bias we all have, so it
can find relations that our minds are wired to ignore). The more public
the person's FaceBook page is and the more activity it has on it, the
greater the odds that they will leak enough information about
themselves so that software can make a reasonable prediction about what
sort of passwords they use.

When you approach this problem with an understanding of human
psychology you almost always find that the range of possible passwords
for people is far far smaller than we think. I'll even tell you who are
the WORST offenders:

Geeks.

Geeks are their own worst enemies, and their accounts are very valuable
targets to crackers. Geeks are a niche class of humans and are prone to
think the same way (not all the time of course, they just share much
more in common with each other than the big group called humanity).

Too many geeks think they are being cute with their clever password
schemes. Here's a common one: something from Lord of The Rings
translated to l337-speak sigh. And the geek who does it is blind to
the fact that he's doing it - simple observer bias about self.

That's not true for all geeks of course - some really do have well-nigh
uncrackable passwords. But I find that when a geek is a victim of his
own bias and does something dumbish, it's usually a spectacular level
of dumbishness.


-- 
Alan McKinnnon
alan.mckin...@gmail.com




Re: [gentoo-user] Resetting the root passwd

2012-01-11 Thread Alan McKinnon
On Wed, 11 Jan 2012 18:09:40 -0500
Mike Edenfield kut...@kutulu.org wrote:

  I agree. Longer pass{words,phrases} only increases the difficulty
  of the problem, but not significantly so.  
 
 After I read the aforementioned xkcd comic, my main question was how
 he defined the various bits of entropy for each thing done to a
 password. That seemed to be a crucial determining factor in why the
 common words password appeared so much harder than the goofy
 gibberish one. Some seemed more obvious to me than others.
 
 I'm also curious, using the latest modern password-cracking
 techniques, if his assessment really is accurate. As in, which of the
 following two passwords would take longer to crack:
 
 #purpl3.R$!n#
 
 dovesymbolcarprince

Interesting questions. Randall doesn't provide answers though. I
suppose he knows his audience and assumes we'll understand the gist of
what he's getting at and not demand full proof from him - it's his
comic, not his PhD thesis :-)

I noticed something about your first sample password, and it reveals a
lot, I hinted at it in my reply to Dale. Look at the pattern one must
type to enter that password (assuming a qwerty keyboard):

A symbol, a partial word, then 7 nonsense symbols. The pattern of those
symbols is highly significant - composed entirely of keystrokes in the
upper left area and lower right area of the keyboard with a few Shifts
thrown in for good measure. Almost as if you dropped both hands on the
keyboard and wiggled your fingers without moving the entire hand much.

How much entropy? A truck load less than you think!

And how often do you think people will do that (or something similar)
when creating passwords? How easy will it be for a dev with a clue to
write cracker software that takes such biases into account?

The second example looks better - four words that have no obvious
connection with each other and will not usually be found together.
Hence not much in the way of predictable pattern that I can see.

Personally, I advocate using smart password generators like apg. The
password truly is a random distribution of junk, but one that can be
pronounced (a key factor in remembering it). It's not too hard to
expand that to also use whole words, then you'd get a passphrase
without your own inherent bias in it. Just be careful that you don't
end up with a password containing the *developer's* own inherent
bias :-)


-- 
Alan McKinnnon
alan.mckin...@gmail.com
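
The two sample passwords under different guessing models, as an added example that is not part of the thread (Python written for this page, not anyone's posted code; the guess rates and the US QWERTY shift map are assumptions, and the 2048-word dictionary is the size xkcd 936 uses):

```python
"""Added example, not from the thread: estimate how much work an attacker
faces for the two sample passwords under different guessing models."""
import math
import string

# US QWERTY: which unshifted key produces each shifted symbol (assumed
# layout, used only for the keyboard-pattern check).
SHIFTED = dict(zip("!@#$%^&*()_+{}|:\"<>?~", "1234567890-=[]\\;',./`"))

# Assumed guess rates, in guesses per second.
GUESS_RATES = {
    "online, throttled": 1e3,
    "offline, fast unsalted hash on GPUs": 1e10,
}


def charclass_bits(pw: str) -> float:
    """Naive model: attacker tries every string of len(pw) over the
    character classes that appear in pw (what most strength meters do)."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)  # the 32 printable ASCII symbols
    return len(pw) * math.log2(alphabet)


def wordlist_bits(n_words: int, dict_size: int) -> float:
    """Passphrase model: attacker knows it is n_words lowercase words
    drawn from a dictionary of dict_size entries (xkcd 936 assumes 2048)."""
    return n_words * math.log2(dict_size)


def distinct_keys(pw: str) -> int:
    """Fold shift and case so '#'/'3' and 'R'/'r' count as one physical key.
    Few distinct keys for the length is the 'hands dropped on the
    keyboard' pattern Alan describes."""
    return len({SHIFTED.get(c, c).lower() for c in pw})


def years_to_crack(bits: float, rate: float) -> float:
    """Expected time to hit the password: half the keyspace at rate guesses/s."""
    return 2.0 ** bits / 2 / rate / (365 * 24 * 3600)


def report(label: str, bits: float) -> str:
    times = ", ".join(f"{name}: {years_to_crack(bits, r):.2e} y"
                      for name, r in GUESS_RATES.items())
    return f"{label:<48} {bits:5.1f} bits  ({times})"


if __name__ == "__main__":
    for pw in ("#purpl3.R$!n#", "dovesymbolcarprince"):
        print(report(f"{pw!r} as random characters", charclass_bits(pw)),
              f"[{distinct_keys(pw)} distinct keys / {len(pw)} chars]")
    # The same passphrase seen as words rather than characters:
    print(report("'dovesymbolcarprince' as 4 of 2048 words", wordlist_bits(4, 2048)))
    print(report("'dovesymbolcarprince' as 4 of 50000 words", wordlist_bits(4, 50_000)))
    print(report("'armageddonholycowencryptionworkshop' as 5 of 50000 words",
                 wordlist_bits(5, 50_000)))
```

The per-character model rates the two about the same (roughly 85 versus 89 bits), which is what a strength meter sees. Once the attacker treats the second one as four dictionary words it is 44 bits against a 2048-word list and about 62 against a 50,000-word list, and the symbol-heavy one turns out to use only 9 physical keys for its 13 characters, which is exactly the bias a mask or rule-based cracker can exploit. All of these are upper bounds on attacker effort, not measurements.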




Re: [gentoo-user] Resetting the root passwd

2012-01-10 Thread Hinnerk van Bruinehsen
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

On 10.01.2012 19:46, Tanstaafl wrote:
 Ok, I did something really dumb...
 
 I changed the root passwd for a system I manage last week, but
 neglected to write it down, and now what I *thought* I had changed
 it to isn't working... I know, I know, really *really* dumb, but
 that's where I am...
 
 I know I can boot into Single User mode, remount the root
 partition read/write, and edit /etc/shadow (removing the encrypted
 passwd), then reset it using passwd, but...
 
 Some of the accounts in /etc/shadow have a '*' where the encrypted 
 passwd would be, and some have a '!'... (ie, one is sshd:!:... and 
 another is halt:*:...)
 
 Does it matter what I change it to? Should I use a *, !, or nothing
 at all (so that there is *nothing* between the two :: that would
 normally contain the encrypted passwd)?
 
 Thanks...
 

The simplest solution should be to copy the password hash of a user
whose password is known to you.
Afterwards you can log in and change the password again. And for the
future: http://xkcd.com/936/ ;)
-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.18 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQEcBAEBAgAGBQJPDI20AAoJEJwwOFaNFkYceuMH/0DJgaQ+6HH0zUkKl8y5wTW6
Kn2grThJwhrbAhzpQxRV2UOvwnVIc93LIfZXdtqISzyhYCtUo1BaYMCVNIn6Rcmj
wbgk1sI3ql49SvH+Tfai/DyW0WzHbFmSsYu36xzGl02xZpuUeKSpk/cTmINz1wq4
HUA/Ej9x0jEAcNNby5t5neiTt4B3ILaFyAMQbVKVIyZy/8beoR/Rn+7bET0DoFJU
QneX+fa98IYjLUFlAjENQnyNly/koEt/+RIrffbBAPUOYc3wcX+e/q9vIVrKad3H
Ah+BpQOwAkceog33Y2HqNrKMMOfp3R2Nm1GgbqQpFe7N2A329OqLBPfMPs8Ejts=
=EHqa
-END PGP SIGNATURE-



Re: [gentoo-user] Resetting the root passwd

2012-01-10 Thread Alan McKinnon
On Tue, 10 Jan 2012 13:46:59 -0500
Tanstaafl tansta...@libertytrek.org wrote:

 Ok, I did something really dumb...
 
 I changed the root passwd for a system I manage last week, but
 neglected to write it down, and now what I *thought* I had changed it
 to isn't working... I know, I know, really *really* dumb, but that's
 where I am...
 
 I know I can boot into Single User mode, remount the root partition 
 read/write, and edit /etc/shadow (removing the encrypted passwd),
 then reset it using passwd, but...
 
 Some of the accounts in /etc/shadow have a '*' where the encrypted 
 passwd would be, and some have a '!'... (ie, one is sshd:!:... and 
 another is halt:*:...)
 
 Does it matter what I change it to? Should I use a *, !, or nothing
 at all (so that there is *nothing* between the two :: that would
 normally contain the encrypted passwd)?

The password field in shadow contains one of three types of values:

- a valid hash
- nothing (meaning the account has no password at all)
- an invalid hash (meaning the account cannot be logged into as no
  password will ever hash to that value)

The third type has some standard values set by convention over the
years to indicate why the password is not valid. Because they are just
loose conventions there's not much consistency but usually it goes like
this:

* means the account is definitely a system account, should never have a
  valid shell and no-one must ever log into that account. Accounts like
  bin are like this, and Gentoo gives these /bin/false as a shell

! means it is a valid account that probably should not have a login
shell but might run with a proper environment. The man account is like
this and Gentoo usually gives these nologin as a shell.

So what's the difference? Not much really, it's all a fine case of
semantics and to you they ought to be treated the same. I might even
have the explanation the wrong way round or be completely wrong, that's
how poorly documented this all is :-)

To reset root's password, set the field to blank (nothing between
the ::) 

-- 
Alan McKinnnon
alan.mckin...@gmail.com
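
Doing the edit programmatically, as an added example that is not part of the thread (Python written for this page, not anyone's posted code; the shadow contents below are constructed and the hashes are placeholders, not real crypt output). It classifies each password field along the lines Alan lists and rewrites root's entry either blank, as Alan suggests, or with a known user's hash, as Hinnerk suggested:

```python
"""Added example, not from the thread: audit the password field of
/etc/shadow entries and rewrite root's entry to reset the password.
Operate on a copy of the file; the sample here is constructed."""
from __future__ import annotations

import re

# Constructed sample; the hashes are placeholders, not real crypt output.
SAMPLE_SHADOW = """\
root:$6$fakesalt$FORGOTTENxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:15348:0:99999:7:::
bin:*:15348:0:99999:7:::
halt:*:15348:0:99999:7:::
sshd:!:15348:0:99999:7:::
man:!:15348:0:99999:7:::
alice:$6$fakesalt$KNOWNyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy:15348:0:99999:7:::
bob:!$6$fakesalt$LOCKEDzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz:15348:0:99999:7:::
"""

NFIELDS = 9  # name, hash, lastchg, min, max, warn, inactive, expire, reserved
LEGACY_DES = re.compile(r"[./0-9A-Za-z]{13}")


def classify(field: str) -> str:
    """Map the second shadow field onto the cases discussed in the thread."""
    if field == "":
        return "empty"          # no password at all: login accepts anything
    if field.startswith("$") or LEGACY_DES.fullmatch(field):
        return "hash"           # $id$salt$hash, or a 13-char legacy DES hash
    if field.startswith("!") and len(field) > 2:
        return "locked-hash"    # passwd -l / usermod -L keep the hash behind '!'
    return "locked"             # '*', '!', '!!' or other junk: nothing hashes to it


def parse(text: str) -> list[list[str]]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != NFIELDS:
            raise ValueError(f"malformed shadow line: {line!r}")
        rows.append(fields)
    return rows


def audit(text: str) -> dict[str, str]:
    """Username -> classification of its password field."""
    return {row[0]: classify(row[1]) for row in parse(text)}


def reset_password(text: str, user: str = "root",
                   copy_from: str | None = None) -> str:
    """Return new shadow contents with user's password field blanked
    (Alan's method) or replaced by copy_from's hash (Hinnerk's method).
    Every other entry is written back unchanged."""
    rows = parse(text)
    by_name = {row[0]: row for row in rows}   # rows share list objects
    if user not in by_name:
        raise KeyError(user)
    if copy_from is None:
        new_field = ""
    else:
        donor = by_name[copy_from][1]
        if classify(donor) != "hash":
            raise ValueError(f"{copy_from} has no usable hash ({classify(donor)})")
        new_field = donor
    by_name[user][1] = new_field
    return "".join(":".join(row) + "\n" for row in rows)


if __name__ == "__main__":
    for name, kind in audit(SAMPLE_SHADOW).items():
        print(f"{name:<8} {kind}")
    print(reset_password(SAMPLE_SHADOW, "root", copy_from="alice").splitlines()[0])
```

Run it against a copy of /etc/shadow and read the result before putting it in place; on the live system `vipw -s` edits the file under a lock and `pwck -r` checks the format. A blank field means anyone at the console logs in as root with no password at all, so only do that in single-user mode and run `passwd` straight away; sshd refuses empty passwords by default (`PermitEmptyPasswords no`), so that first login has to be local. Setting the password with `passwd` from a Live CD chroot avoids hand-editing the file entirely.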




Re: [gentoo-user] Resetting the root passwd

2012-01-10 Thread Aljosha Papsch
On Tue, Jan 10, 2012 at 08:12:53PM +0100, Hinnerk van Bruinehsen wrote:
 On 10.01.2012 19:46, Tanstaafl wrote:
  Ok, I did something really dumb...
  
  I changed the root passwd for a system I manage last week, but
  neglected to write it down, and now what I *thought* I had changed
  it to isn't working... I know, I know, really *really* dumb, but
  that's where I am...
  
  I know I can boot into Single User mode, remount the root
  partition read/write, and edit /etc/shadow (removing the encrypted
  passwd), then reset it using passwd, but...
  
  Some of the accounts in /etc/shadow have a '*' where the encrypted 
  passwd would be, and some have a '!'... (ie, one is sshd:!:... and 
  another is halt:*:...)
  
  Does it matter what I change it to? Should I use a *, !, or nothing
  at all (so that there is *nothing* between the two :: that would
  normally contain the encrypted passwd)?
  
  Thanks...
  
 
 The simplest solution should be to copy the password hash of a user
 whose password is known to you.
 Afterwards you can log in and change the password again. And for the
 future: http://xkcd.com/936/ ;)

Or boot from a Live CD, chroot and set the password from there.



Re: [gentoo-user] Resetting the root passwd

2012-01-10 Thread Tanstaafl

Perfect answer Alan, many thanks...

On 2012-01-10 3:38 PM, Alan McKinnon alan.mckin...@gmail.com wrote:

On Tue, 10 Jan 2012 13:46:59 -0500
Tanstaafl tansta...@libertytrek.org  wrote:


Ok, I did something really dumb...

I changed the root passwd for a system I manage last week, but
neglected to write it down, and now what I *thought* I had changed it
to isn't working... I know, I know, really *really* dumb, but that's
where I am...

I know I can boot into Single User mode, remount the root partition
read/write, and edit /etc/shadow (removing the encrypted passwd),
then reset it using passwd, but...

Some of the accounts in /etc/shadow have a '*' where the encrypted
passwd would be, and some have a '!'... (ie, one is sshd:!:... and
another is halt:*:...)

Does it matter what I change it to? Should I use a *, !, or nothing
at all (so that there is *nothing* between the two :: that would
normally contain the encrypted passwd)?


The password field in shadow contains one of three types of values:

- a valid hash
- nothing (meaning the account has no password at all)
- an invalid hash (meaning the account cannot be logged into as no
   password will ever hash to that value)

The third type has some standard values set by convention over the
years to indicate why the password is not valid. Because they are just
loose conventions there's not much consistency but usually it goes like
this:

* means the account is definitely a system account, should never have a
   valid shell and no-one must ever log into that account. Accounts like
   bin are like this, and Gentoo gives these /bin/false as a shell

! means it is a valid account that probably should not have a login
shell but might run with a proper environment. The man account is like
this and Gentoo usually gives these nologin as a shell.

So what's the difference? Not much really, it's all a fine case of
semantics and to you they ought to be treated the same. I might even
have the explanation the wrong way round or be completely wrong, that's
how poorly documented this all is :-)

To reset root's password, set the field to blank (nothing between
the ::)