Re: [gentoo-user] VRFs / Jails / Containers

2019-02-05 Thread Grant Taylor

On 2/5/19 10:55 AM, Rich Freeman wrote:
> Yeah, I think you're over-reading into my posts.  I'm mostly reacting
> to your ideas and not trying to be prescriptive.

So we have a feedback loop.  I'm trying to understand why you're saying
what you're saying.

I'm still looking for possibilities and pros / cons of each.

> For example, you talked about running openrc inside the container, and
> then I talked about how you might do that, and then you asked why would
> you want to run openrc inside the container.  Well, since I don't know
> exactly what you're doing I don't know - if it doesn't make sense then
> don't do it...  :)

Seeing as how my container really is the same as the host, at least when
it comes to file system and files, OpenRC is what is there.  Hence my
interest in re-using what's already there.

That is /if/ doing such does not have too many cons.

> Essentially.  It isn't like it won't work if you do something else -
> it is just a design principle.

ACK

> Suppose you want to manually launch a container without using the init.d
> script, just as you might launch a non-forking server process to do some
> console debugging if you were having an issue.  And so on.

I see what you're saying by starting a typical daemon manually vs init
scripts.

Given that what I'm talking about doing doesn't leave a process running
(I'm ignoring BIRD for the moment) there's nothing to kill to stop it.

What I'm doing is really a series of commands that stand the service up
and a command that stops it.

I guess that I could have an independent script for this and then have
the init script do nothing more than call the script with a start
parameter.  But I feel like my independent script is functionally
identical to an init script.

> It is just a shell script, so it isn't like it won't work if you do it
> all in the script.

*nod*

> Interesting.  I didn't realize that linux even supported creating network
> namespaces without an associated process.  Maybe you don't need one
> after all.

I've been using network namespaces without a process for quite a while.
They are extremely handy.

> I guess since network interfaces can do their netfilter/etc logic
> without any processes actually listening on them it makes sense that
> these namespaces might have their own existence.

;-)

> They don't need to.

Which is why I was back to putting the (re)start / stop commands in the
init script.

> IMO they should, but that is like saying that your 5000 line C program
> should actually have 5000 lines and whitespace, and not look like the
> javascript source to gmail.  It is somewhat subjective, as gcc doesn't
> care if the whole thing is one big mass of punctuation...  :)

Yes, there is subjectivity to it.  But there are also Gentoo
methodologies and guidelines.

> Can you actually start openrc in a container using a parameter-driven
> runlevel that isn't a number?

I don't know.  I'll have to try and find out.

> I believe you can pass a numeric runlevel to init and it will start
> on that runlevel (though I'm not sure you can start openrc that way
> in non-trivial configs as that might skip the boot runlevel, assuming
> openrc doesn't override this sysvinit behavior).  You can't use the
> kernel command line since containers don't have a separate kernel.

I think I understand what you're saying.  I also doubt that I will need
a boot runlevel in a container the way that I'm doing them.

I can see needing a net. and maybe a BIRD init script in the
target runlevel.  But other than that, there's virtually nothing that
does not already exist from the host's file system / environment.

> You can of course change the default runlevel for openrc using config
> files in /etc, but those are shared with the host in your proposed design.

ACK

I /can/ use a mount namespace and have a different /etc.  But I'd rather
not do that unless there is a need to do so.

> Maybe you could hack something together here, but honestly I'm not sure
> what you're getting by not having a separate /etc or at least a bind
> mount for the openrc config.

I currently have no need for a separate /etc.  So why have something
that I don't currently need?

> Again, assuming you need openrc in the container at all.

Seeing as how the container has the same files as the host, that means
that OpenRC is already in the container.  So if I can make use of it
without causing problems, then why not?




Re: [gentoo-user] Re: Coming up with a password that is very strong.

2019-02-05 Thread Mark David Dumlao
On Wed, Feb 6, 2019 at 5:18 AM Neil Bothwick  wrote:
>
> On Wed, 6 Feb 2019 04:28:49 +0800, Mark David Dumlao wrote:
>
> > My own solution is actually very simple. I have a "secret algorithm"
> > that incorporates several secrets with a predictable way to generate a
> > site-specific secret. The end result is a 100% predictable way to
> > generate unique passwords for every site that are cryptographically
> > secure from each other (you cannot derive one from the other) which
> > can be generated by any device using the appropriate tools.
>
> There was a tool in portage that did this. I tried it but it did not work
> in the real world because you couldn't set a rule for generated passwords
> that matched the requirements of all sites, for example some require a
> non-alphanumeric character while other sites only allow alphanumerics.
>
> I can remember what the tool was called, although I'm pretty sure it
> was written in Python. I'd be interested to know how you get around the
> conflicting restrictions as this seems a good way to do things.
>
>

Well the original idea is to reduce dependency on specific tools, such
that the algorithm is the secret, and the passwords are just
byproducts of the secret. You will still need tools to do any hashing,
but those are generic tools you can acquire anywhere.

So for example, the "password123" equivalent secret algorithm might be:
1) global pepper: "password"
2) site-specific pepper: pepper plus number = vowels in domain name
3) site-specific ID: pepper dot domain name dot username
4) hashing algorithm: md5sum + base64, take first 8

Example application: madum...@gmail.com
1) site-specific pepper: pepper3 (3 vowels in domain name: google)
2) site-specific ID: pepper3.google.madumlao
3) site-specific hash: (2) -> md5sum -> base64 -> first8 -> NGI3MTQz
4) combined with global pepper: password.NGI3MTQz
5) hashed with global pepper: (4) -> md5sum -> base64 -> first8 -> MWJjZjg2
password: MWJjZjg2

Example application: madum...@yahoo.com
1) site-specific pepper: pepper3 (3 vowels in domain name: yahoo)
2) site-specific ID: pepper3.yahoo.madumlao
3) site-specific hash: (2) -> md5sum -> base64 -> first8 -> ZDQzZGM5
4) combined with global pepper: password.ZDQzZGM5
5) hashed with global pepper: (4) -> md5sum -> base64 -> first8 -> ZjUwMTI2
password: ZjUwMTI2

The procedure takes up a little more headspace than 1 password, but
definitely less headspace than a dozen cryptographically secure
passwords. You can change the hashing algorithm, peppering rule, ID
rule, number of characters, etc to your tastes. You can add iteration
rules for the nth password change anywhere in the procedure, and add
constraint rules for sites that have certain password limitations (the
caveat is that you have to remember which sites have password changes
and constraints). For me really all that matters is that the building
blocks are widely available and the end result incorporates data loss
that makes it impossible to recover the original secrets.

"Obviously" do not use this algorithm as-is. The algorithm, not the
password, is the secret, so using this algorithm as-is is the
equivalent of using any example of a crypto secure password (correct
horse battery stapler) as a password.
-- 
This email is:    [ ] actionable   [x] fyi        [ ] social
Response needed:  [ ] yes  [x] up to you  [ ] no
Time-sensitive:   [ ] immediate[ ] soon   [x] none
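The worked scheme from the post above, written out as shell functions over the same md5sum / base64 / first-8 pipeline so each intermediate step can be reproduced (an added example, not Mark's own tooling). HASH_CMD, TAKE and the function names are assumptions; the post does not say whether the string is hashed with or without a trailing newline, and these functions hash it without one, so they need not reproduce the post's NGI3MTQz literally.

```shell
#!/bin/sh
# pwderive: the "password123" example scheme from the post, as shell functions.
# HASH_CMD and TAKE are assumed knobs; the post's choices are md5sum and 8.
HASH_CMD="${HASH_CMD:-md5sum}"
TAKE="${TAKE:-8}"

# Site-specific pepper rule from the post: "pepper" plus the number of vowels
# in the domain name, so google -> pepper3 and yahoo -> pepper3.
count_vowels() {
    printf '%s' "$1" | tr -cd 'aeiouAEIOU' | wc -c | tr -d ' '
}

site_pepper() {
    printf 'pepper%s' "$(count_vowels "$1")"
}

# Site-specific ID: pepper dot domain name dot username.
site_id() {
    printf '%s.%s.%s' "$(site_pepper "$1")" "$1" "$2"
}

# The post's "md5sum -> base64 -> first 8" pipeline applied to one string.
# Assumption: the string is hashed without a trailing newline (printf, not
# echo). Using echo instead changes every output, so pick one and keep it.
hash_take() {
    printf '%s' "$1" | $HASH_CMD | base64 | head -c "$TAKE"
}

# derive_password GLOBAL_PEPPER DOMAIN USERNAME -> the site password.
# Steps 2-5 of the post: site ID, site hash, join with global pepper, hash again.
derive_password() {
    site_hash=$(hash_take "$(site_id "$2" "$3")")
    hash_take "$1.$site_hash"
}

# Print the intermediate values for one site, mirroring the post's worked example.
show_steps() {
    echo "site-specific pepper: $(site_pepper "$2")"
    echo "site-specific ID:     $(site_id "$2" "$3")"
    site_hash=$(hash_take "$(site_id "$2" "$3")")
    echo "site-specific hash:   $site_hash"
    echo "combined:             $1.$site_hash"
    echo "password:             $(hash_take "$1.$site_hash")"
}

# Usage: ./pwderive password google madumlao
if [ $# -eq 3 ]; then
    show_steps "$@"
fi
```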



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Dale
Tanstaafl wrote:
> On 2/4/2019, 8:10:57 PM, Dale  wrote:
>> Tanstaafl wrote:
>>> I've been using a little Firefox Addon called Passwordmaker for many,
>>> many years, and despite all of its warts, I've been loathe to give it
>>> up, even though it will never be upgraded to work as a WebExtension.
>>>
>>> 2 things I loved about it -
>>>
>>>  a) it doesn't save the password locally, only info about the
>>> site/account, and
>>>  b) you can use an unlimited number of Master Passwords
>>>
>>> I'm looking at migrating to KeePassXC, and even though I really hate the
>>> idea of saving the actual password - Passwordmaker simply generates the
>>> password on the fly each time based on certain specified criteria (ie,
>>> the site URL, username, password length, etc for each account - one
>>> technique I adopted shortly after assisting in updating the
>>> Passwordmaker website eases my mind about it...
>>>
>>> This is a simple technique I strongly recommend that everyone employ,
>>> especially if you use a Password manager (like LastPass or KeePass)...
>>>
>>> It is uncrackable (well, as long as it isn't the CIA or NSA that wants
>>> to crack it and they are willing to kidnap/torture you to do so).
>>>
>>> You sit down and come up with a ... call it a 'password modification
>>> protocol' ... whereby, you always modify your generated/stored password
>>> in a specific way before pressing enter.
>>>
>>> For example, you delete characters 3, 5 and 7, then add 2 characters to
>>> the beginning and 2 to the end.
>>>
>>> It is very simple, and negates worrying about someone stealing your
>>> password vault.
>> I tried to find it just to see how it works but it isn't listed.
> What... Passwordmaker (the old one I still use and why I keep an old
> Firefox 56 portable version around)?


I'm on the newer version of Firefox so it doesn't show up in my search
since it isn't compatible.  I'm pretty sure that is why it doesn't show
up for me.  If I were on the older version of Firefox, then it would
show up.  I was wanting to look at it tho.  I did find a Pro version
which is likely the same thing but for the newer versions of Firefox. 
Did you see it?  It is here:

https://addons.mozilla.org/en-US/firefox/addon/firefox-passwordmaker-pro/?src=search

I see another version as well but with very few users.  Still, if the
above is just a version for the newer Firefox, you may not have to
switch or can use both somehow.  Some other add-ons I use did similar
things.  Since some required a complete rewrite, they also changed the
name a bit too.  Thing is, some of the new versions of add-ons don't
show up in older versions of Firefox.  If you didn't see this, I hope it
helps.


>> From what you wrote, you may want to at least check into LastPass.
> I did a massive amount of research (including LastPass), and settled on
> KeePassXC for a good reason.

I've read where people use that and like it.  It just depends on what
you are looking for and expect from the tool.  If it meets your needs,
then it is a good fit for you.  I picked LastPass since it did what I
need and then some plus is free.  I also had the privilege of emailing
back and forth with one of the original owners or creators way back
then.  His name is Joe Siegrist.  My bank and credit card sites wouldn't
work at first.  I gave him a link and he made some changes so that the
next version would fill those sites.  I may switch one day, may even
switch to what you are using, but at the moment, LastPass seems to be
doing well. 


>> Still, I'm sure there is a tool that will suit your needs.
> ? It's like you didn't really read my email. I already said, I'm
> migrating to KeePassXC. But my complaint is, nothing works like
> Passwordmaker (again, it doesn't store passwords, can only use one
> Master Password).
>
>> I'm not sure I understand what you mean password modification protocol. 
>> It sounds like you change your master password each time you use it.
> No, I'm talking about the saved (or in Passwordmakers case, generated)
> password, not the Master Password.
>
> Doing this with the Master Password wouldn't make any sense.
>

If I understand you correctly, I think I have seen a site that allows
that sort of thing.  I think.  To be honest, this is why I like tools. 
I tend to let tools do the heavy lifting.  My biggest responsibility is
having a good master password.  That's what started this.  I want a good
one.  ;-)  Most of the sites I use are email or ID plus password.  A
couple have this picture and phrase thing between login and password
tho.  There are also a couple that use that secret question thing.  Some
of those are plain annoying tho.  lol

Given how things are nowadays, I suspect we will always be in a constant
race to try and stay ahead of hackers and such.  Every time we change to
try and beat them, they will find new tools, faster hardware etc to beat
us.  The biggest thing, our tools or us have to keep up.  I really need
to keep up with the newer stuff 

Re: [gentoo-user] Re: Coming up with a password that is very strong.

2019-02-05 Thread Neil Bothwick
On Wed, 6 Feb 2019 04:28:49 +0800, Mark David Dumlao wrote:

> My own solution is actually very simple. I have a "secret algorithm"
> that incorporates several secrets with a predictable way to generate a
> site-specific secret. The end result is a 100% predictable way to
> generate unique passwords for every site that are cryptographically
> secure from each other (you cannot derive one from the other) which
> can be generated by any device using the appropriate tools.

There was a tool in portage that did this. I tried it but it did not work
in the real world because you couldn't set a rule for generated passwords
that matched the requirements of all sites, for example some require a
non-alphanumeric character while other sites only allow alphanumerics.

I can remember what the tool was called, although I'm pretty sure it
was written in Python. I'd be interested to know how you get around the
conflicting restrictions as this seems a good way to do things.


-- 
Neil Bothwick

MIPS: Meaningless Indication of Processor Speed




Re: [gentoo-user] Re: Coming up with a password that is very strong.

2019-02-05 Thread Mark David Dumlao
On Tue, Feb 5, 2019 at 3:39 AM Jack  wrote:
> The problem I have with many of these suggestions is that I have
> multiple devices (two desktops, two laptops, tablet, android phone) I
> use sufficiently often that I either need to be able to remember the
> passwords or have some way of easily accessing them when I'm not
> sitting at my main desktop.  Other than using a password manager (which
> I do not currently have) how to others deal with this?
>
> Jack

Haven't posted here in a long while. I personally do not trust password managers
for (1) the same reason you gave above and (2) typically the way around it is
they store your passwords in the cloud which is all sorts of facepalm from a
security perspective.

My own solution is actually very simple. I have a "secret algorithm" that
incorporates several secrets with a predictable way to generate a site-specific
secret. The end result is a 100% predictable way to generate unique passwords
for every site that are cryptographically secure from each other (you cannot
derive one from the other) which can be generated by any device using the
appropriate tools. There is also a protocol for password shifting in case any
single password is revealed.

The long and short of it is that you can combine secure passwords with hashing
techniques, site-specific data, and truncation / peppering in a predetermined
way that is easy for you to remember but guarantees that the original secret
data is irrecoverable. Then all you need is the hashing program on, say, your
phone, and you will always be able to generate the site-specific password when
needed. In effect the algorithm is your secret, the site-specific password is
just a side effect of that secret.
-- 
This email is:    [ ] actionable   [x] fyi        [x] social
Response needed:  [ ] yes  [x] up to you  [ ] no
Time-sensitive:   [ ] immediate[ ] soon   [x] none



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Tanstaafl
On 2/4/2019, 8:10:57 PM, Dale  wrote:
> Tanstaafl wrote:
>> I've been using a little Firefox Addon called Passwordmaker for many,
>> many years, and despite all of its warts, I've been loathe to give it
>> up, even though it will never be upgraded to work as a WebExtension.
>>
>> 2 things I loved about it -
>>
>>  a) it doesn't save the password locally, only info about the
>> site/account, and
>>  b) you can use an unlimited number of Master Passwords
>>
>> I'm looking at migrating to KeePassXC, and even though I really hate the
>> idea of saving the actual password - Passwordmaker simply generates the
>> password on the fly each time based on certain specified criteria (ie,
>> the site URL, username, password length, etc for each account - one
>> technique I adopted shortly after assisting in updating the
>> Passwordmaker website eases my mind about it...
>>
>> This is a simple technique I strongly recommend that everyone employ,
>> especially if you use a Password manager (like LastPass or KeePass)...
>>
>> It is uncrackable (well, as long as it isn't the CIA or NSA that wants
>> to crack it and they are willing to kidnap/torture you to do so).
>>
>> You sit down and come up with a ... call it a 'password modification
>> protocol' ... whereby, you always modify your generated/stored password
>> in a specific way before pressing enter.
>>
>> For example, you delete characters 3, 5 and 7, then add 2 characters to
>> the beginning and 2 to the end.
>>
>> It is very simple, and negates worrying about someone stealing your
>> password vault.

> I tried to find it just to see how it works but it isn't listed.

What... Passwordmaker (the old one I still use and why I keep an old
Firefox 56 portable version around)?

> From what you wrote, you may want to at least check into LastPass.

I did a massive amount of research (including LastPass), and settled on
KeePassXC for a good reason.

> Still, I'm sure there is a tool that will suit your needs.

? It's like you didn't really read my email. I already said, I'm
migrating to KeePassXC. But my complaint is, nothing works like
Passwordmaker (again, it doesn't store passwords, can only use one
Master Password).

> I'm not sure I understand what you mean password modification protocol. 
> It sounds like you change your master password each time you use it.

No, I'm talking about the saved (or in Passwordmakers case, generated)
password, not the Master Password.

Doing this with the Master Password wouldn't make any sense.



Re: [gentoo-user] VRFs / Jails / Containers

2019-02-05 Thread Rich Freeman
On Mon, Feb 4, 2019 at 7:10 PM Grant Taylor wrote:
>
> On 02/04/2019 02:58 PM, Rich Freeman wrote:
> > So, I think we're miscommunicating a bit here...
>
> It happens.
>

Yeah, I think you're over-reading into my posts.  I'm mostly reacting
to your ideas and not trying to be prescriptive.

For example, you talked about running openrc inside the container, and
then I talked about how you might do that, and then you asked why
would you want to run openrc inside the container.  Well, since I
don't know exactly what you're doing I don't know - if it doesn't make
sense then don't do it...  :)

> > I'm saying that an init.d script shouldn't try to do anything other
> > than initialize a service, which should be implemented outside the
> > init.d script.
>
> It sounds like you are saying that an init script shouldn't do anything
> other than (re)start/stop a service and that there should be a separate
> script (binary / command) that is the service.

Essentially.  It isn't like it won't work if you do something else -
it is just a design principle.

Suppose you want to manually launch a container without using the
init.d script, just as you might launch a non-forking server process
to do some console debugging if you were having an issue.  And so on.

It is just a shell script, so it isn't like it won't work if you do it
all in the script.

>
> ip netns add myContainer
> ip link add myContainer type veth peer name myHost netns myContainer
> ip link set myContainer up
> ip addr add 192.0.2.1/24 dev myContainer
> ip netns exec myContainer ip link set myHost up
> ip netns exec myContainer ip addr add 192.0.2.2/24 dev myHost
>

Interesting.  I didn't realize that linux even supported creating
network namespaces without an associated process.  Maybe you don't
need one after all.

I guess since network interfaces can do their netfilter/etc logic
without any processes actually listening on them it makes sense that
these namespaces might have their own existence.

> So, I'm not sure why those commands need to or should live inside
> something other than the init script.

They don't need to.

IMO they should, but that is like saying that your 5000 line C program
should actually have 5000 lines and whitespace, and not look like the
javascript source to gmail.  It is somewhat subjective, as gcc doesn't
care if the whole thing is one big mass of punctuation...  :)

> Why can't I have a single /etc/runlevels/myContainer that is never used
> outside of the container and only used inside the container?  Remember
> that the host and container share the same file system.

Can you actually start openrc in a container using a parameter-driven
runlevel that isn't a number?  I believe you can pass a numeric
runlevel to init and it will start on that runlevel (though I'm not
sure you can start openrc that way in non-trivial configs as that
might skip the boot runlevel, assuming openrc doesn't override this
sysvinit behavior).  You can't use the kernel command line since
containers don't have a separate kernel.

You can of course change the default runlevel for openrc using config
files in /etc, but those are shared with the host in your proposed
design.

Maybe you could hack something together here, but honestly I'm not
sure what you're getting by not having a separate /etc or at least a
bind mount for the openrc config.

Again, assuming you need openrc in the container at all.

-- 
Rich



Re: [gentoo-user] VRFs / Jails / Containers

2019-02-05 Thread Michael Orlitzky
On 2/4/19 3:50 PM, Grant Taylor wrote:
> On 02/03/2019 11:23 AM, Michael Orlitzky wrote:
>> Ultimately netifrc is just a shell script that parses another shell 
>> script to construct a third shell script. I don't think doing it with 
>> only two shell scripts is that much less elegant =)
> 
> The elegance, or lack thereof, is not in the number of shell scripts.
> Rather the fact that tc (QoS) parameters are stuffed into a command line
> versus having things split out and parsed is what I dislike.  Take VLANs
> for example, there is a netifrc parameter for specifying the VLAN IDs 
> that belong on an interface.  Netifrc will then construct the commands. 
> People don't need to know how to construct the commands themselves to 
> utilize VLANs.  tc (QoS) is not anywhere nearly as nice.
> 

If you're willing to go all-out to do this right, you can implement that
parsing yourself.

You can create a package called netifrc-qos that consists of (only?) two
files: an OpenRC service script, and an associated conf.d file. Inside
the conf.d file you can use whatever variables you like, and then have
the init script parse them and run the resulting commands. Afterwards
you'd create an ebuild for it, install it from an overlay, and then edit
the conf.d file accordingly. It's a lot of work, but that's the most
Gentoo way to do it IMO.

You might also want to check with the OpenRC/netifrc projects to see if
they have anything like this in the works already. Either way they may
be willing to collaborate on a design.
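Pulling the two threads together as an added example (not code from Grant, Rich or Michael): the six ip commands Grant posted, wrapped in the separate start/stop script Rich argues for, with the namespace name, interface names and addresses read from variables the way Michael describes for a conf.d file, so an init script only has to call it with start or stop. The variable names, the DRYRUN switch and the interface-name check are assumptions added here, not anything the thread specifies.

```shell
#!/bin/sh
# netns-container: stand a process-less network namespace up or down.
# Settings normally come from a conf.d file that the init script sources;
# the defaults reproduce the commands from the thread. Names are hypothetical.
NS="${NS:-myContainer}"                 # namespace name
HOST_IF="${HOST_IF:-myContainer}"       # veth end that stays in the host
NS_IF="${NS_IF:-myHost}"                # veth end moved into the namespace
HOST_ADDR="${HOST_ADDR:-192.0.2.1/24}"  # address on the host end
NS_ADDR="${NS_ADDR:-192.0.2.2/24}"      # address inside the namespace
DRYRUN="${DRYRUN:-0}"                   # 1 = print commands instead of running

# Run a command, or print it when DRYRUN=1 (answers "what would start do?").
run() {
    if [ "$DRYRUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Kernel interface names are at most 15 bytes; keeping them to a plain
# charset also stops a stray value from being misparsed by the ip(8)
# command lines built below.
valid_name() {
    case "$1" in
        ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    esac
    [ "${#1}" -le 15 ]
}

check_config() {
    valid_name "$NS"      || { echo "bad namespace name: $NS" >&2; return 1; }
    valid_name "$HOST_IF" || { echo "bad host interface name: $HOST_IF" >&2; return 1; }
    valid_name "$NS_IF"   || { echo "bad namespace interface name: $NS_IF" >&2; return 1; }
}

ns_exists() {
    ip netns list 2>/dev/null | awk '{ print $1 }' | grep -qx -- "$NS"
}

# The six commands from the thread, parameterised.
ns_up() {
    check_config || return 1
    run ip netns add "$NS"
    run ip link add "$HOST_IF" type veth peer name "$NS_IF" netns "$NS"
    run ip link set "$HOST_IF" up
    run ip addr add "$HOST_ADDR" dev "$HOST_IF"
    run ip netns exec "$NS" ip link set "$NS_IF" up
    run ip netns exec "$NS" ip addr add "$NS_ADDR" dev "$NS_IF"
}

# Deleting the namespace destroys the veth pair with it, so stop is one command.
ns_down() {
    check_config || return 1
    run ip netns delete "$NS"
}

ns_status() {
    if ns_exists; then
        echo "$NS is up"
        ip netns exec "$NS" ip -brief addr
    else
        echo "$NS is down"
        return 3   # LSB status code for "not running"
    fi
}

# Command-line entry point; an init script calls e.g. "netns-container start".
# Nothing runs when the file is sourced without arguments.
dispatch() {
    case "$1" in
        start|up)    ns_up ;;
        stop|down)   ns_down ;;
        restart)     ns_down; ns_up ;;
        status)      ns_status ;;
        *) echo "usage: $0 {start|stop|restart|status}" >&2; return 2 ;;
    esac
}
[ $# -eq 0 ] || dispatch "$@"
```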



Re: [gentoo-user] Re: Coming up with a password that is very strong.

2019-02-05 Thread Dale
Rich Freeman wrote:
> On Tue, Feb 5, 2019 at 2:34 AM Dale  wrote:
>> Rich Freeman wrote:
>>> On Mon, Feb 4, 2019 at 5:12 PM Dale  wrote:
>>>>>> Neil Bothwick wrote:
>>>>>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>>>>>>
>>>>>> One reason I use LastPass, it is mobile.  I can go to someone else's
>>>>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
>>>>>> logoff and it is like I was never there.
>>>>> As much as I like Lastpass I would never do that.  It isn't magic - it
>>>>> is javascript.  If there is a compromise on your computer, then your
>>>>> password database will be compromised.  This is true of other
>>>>> solutions like KeePassX and so on - if something roots your box then
>>>>> it will be compromised.
>>>> I might point out, LastPass encrypts the password before sticking it in
>>>> a file.  It isn't visible or plain text.  Even getting the file would
>>>> still require some tools and cracking to get the password itself.
>>> That assumes you're attacking the password file directly.
>>>
>>> If you're using lastpass on a compromised system then there are many
>>> ways that can be used to bypass the encryptions.  They could sniff
>>> your master password when you key it in, or read it directly from the
>>> browser's memory.  These things are protected from sandboxed code in
>>> your browser, but not from processes running outside the browser
>>> (unless again you're using a non-conventional privilege system like
>>> selinux/android/etc).
>> One could argue the same thing with any password tool out there tho,
>> right?
> Of course.  This is by no means specific to Lastpass.  I wasn't
> reacting to your use of Lastpass (I use it myself).  I was reacting to
> your statement that you can go to someone else's computer and use
> lastpass on that computer and then log off and it is as if you were
> never there.

What I meant was, they couldn't use it without knowing my password. 
Sure, I may leave something, like LastPass installed but disabled, on
their computer but no one can use it without it being logged in.  Once I
logout and close the browser, that pretty much ends the session.  Most
sites I visit are not set to remember me anyway and some don't allow
it.  I also logout before leaving a site especially when I'm on a
computer other than mine.  So, once I logout, they can't login as me
without my password.  We sort of went in different directions. 

If I really wanted to, I could use some bootable media like Knoppix.  I
think it comes with Firefox already installed. I could boot that,
install LastPass, do my thing, reboot into the OS and not have to worry
about anything they have installed at all.  I do keep copies of those
around and try to update every once in a while.  I certainly keep
sysrescue up to date.  I don't think it has a browser tho.  It may but
I'm not sure. 


>> Given I only install things from
>> trusted sources, the odds of that happening are likely very small.
> Not if you go typing your Lastpass master password into computers
> owned by people who aren't as careful as you are...
>
> If you do want the benefits of a password manager on an untrusted
> computer then you might want to look into the hardware/USB-based
> solutions, or alternatives like U2F and so on.
>
> Now, you're still vulnerable to MITM attacks and so on against the
> sites you're actually logging into, but your credentials for other
> sites would not be at risk since they stay on the hardware device,
> which is going to be hardened against USB attacks (well, at least you
> hope it would be).  If you're using conventional passwords then of
> course something could still sniff that password since it has to pass
> through the untrusted computer.  If you're using OTPs or U2F/etc then
> you may still be vulnerable to some cookie-based attacks and MITM and
> so on, but if you log off at the end of your session that at least
> limits their duration.
>
> Personally I would like to switch to a hardware-based solution, but
> they have their own set of downsides:
>
> 1.  Less convenience - you have to physically have the device on you
> (I don't carry my keys around in the house/etc), and plug it in when
> you want to use it.
> 2.  Recovery options aren't always great.  Often these devices don't
> really have their own recovery solution, and you're stuck following
> the recovery options on each individual site.  Many of these are
> pretty lousy.
> 3.  Often no support for multiple hardware devices (and keeping them
> in sync).  Again you're stuck with what individual sites allow, and
> many sites don't let you have multiple hardware tokens registered.
> 4.  Lack of convenience features like auto-changing passwords.  Some
> software-based solutions have this.  Though, to be honest, I rarely
> trust these because if something goes wrong I could lose account
> access and this can be difficult or impossible to recover from in many
> situations.
>
> A big advantage (and disadvantage) of the 

Re: [gentoo-user] Re: Coming up with a password that is very strong.

2019-02-05 Thread Rich Freeman
On Tue, Feb 5, 2019 at 2:34 AM Dale  wrote:
>
> Rich Freeman wrote:
> > On Mon, Feb 4, 2019 at 5:12 PM Dale  wrote:
> >>>> Neil Bothwick wrote:
> >>>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
> >>>>>
> >>>> One reason I use LastPass, it is mobile.  I can go to someone else's
> >>>> computer, use LastPass to say make use of Paypal, Newegg, Ebay etc,
> >>>> logoff and it is like I was never there.
> >>> As much as I like Lastpass I would never do that.  It isn't magic - it
> >>> is javascript.  If there is a compromise on your computer, then your
> >>> password database will be compromised.  This is true of other
> >>> solutions like KeePassX and so on - if something roots your box then
> >>> it will be compromised.
> >> I might point out, LastPass encrypts the password before sticking it in
> >> a file.  It isn't visible or plain text.  Even getting the file would
> >> still require some tools and cracking to get the password itself.
> > That assumes you're attacking the password file directly.
> >
> > If you're using lastpass on a compromised system then there are many
> > ways that can be used to bypass the encryptions.  They could sniff
> > your master password when you key it in, or read it directly from the
> > browser's memory.  These things are protected from sandboxed code in
> > your browser, but not from processes running outside the browser
> > (unless again you're using a non-conventional privilege system like
> > selinux/android/etc).
>
> One could argue the same thing with any password tool out there tho,
> right?

Of course.  This is by no means specific to Lastpass.  I wasn't
reacting to your use of Lastpass (I use it myself).  I was reacting to
your statement that you can go to someone else's computer and use
lastpass on that computer and then log off and it is as if you were
never there.

> Given I only install things from
> trusted sources, the odds of that happening are likely very small.

Not if you go typing your Lastpass master password into computers
owned by people who aren't as careful as you are...

If you do want the benefits of a password manager on an untrusted
computer then you might want to look into the hardware/USB-based
solutions, or alternatives like U2F and so on.

Now, you're still vulnerable to MITM attacks and so on against the
sites you're actually logging into, but your credentials for other
sites would not be at risk since they stay on the hardware device,
which is going to be hardened against USB attacks (well, at least you
hope it would be).  If you're using conventional passwords then of
course something could still sniff that password since it has to pass
through the untrusted computer.  If you're using OTPs or U2F/etc then
you may still be vulnerable to some cookie-based attacks and MITM and
so on, but if you log off at the end of your session that at least
limits their duration.

Personally I would like to switch to a hardware-based solution, but
they have their own set of downsides:

1.  Less convenience - you have to physically have the device on you
(I don't carry my keys around in the house/etc), and plug it in when
you want to use it.
2.  Recovery options aren't always great.  Often these devices don't
really have their own recovery solution, and you're stuck following
the recovery options on each individual site.  Many of these are
pretty lousy.
3.  Often no support for multiple hardware devices (and keeping them
in sync).  Again you're stuck with what individual sites allow, and
many sites don't let you have multiple hardware tokens registered.
4.  Lack of convenience features like auto-changing passwords.  Some
software-based solutions have this.  Though, to be honest, I rarely
trust these because if something goes wrong I could lose account
access and this can be difficult or impossible to recover from in many
situations.

A big advantage (and disadvantage) of the software-based solutions is
that they're just data files and you can back them up trivially.

Really though a lot of this boils down to the fact that PKI is a hard
problem without a trusted and convenient mediator, and this largely
doesn't exist in the world of free online services.

-- 
Rich



Re: [gentoo-user] Re: Coming up with a password that is very strong.

2019-02-05 Thread Dale
Mick wrote:
> On Tuesday, 5 February 2019 07:55:41 GMT Dale wrote:
>> Mick wrote:
>>> https://en.wikipedia.org/wiki/LastPass#Security_issues
>>>
>> From what I read, no users had their passwords compromised in those.
> I read it differently.  LastPass didn't know if any passwds were compromised 
> (or wouldn't tell you).  As a precaution they asked users to change their 
> master passwd, while they changed their server's salt.  In addition, there 
> were XSS vulnerabilities later on, which is probably to be expected with 
> JavaScript and similar technologies.
>

I recall the email vaguely.  It said there was nothing that showed the
passwords were compromised.  I did change passwords for things like my
bank etc but left the others alone.  Of course, I change those passwords
on a fairly regular basis anyway.  Thing is, when it comes to financial
stuff, I don't leave as much to chance.  I found the email notice.  Here
is a bit of it:


"No encrypted user vault data was taken, however other data, including
email addresses and password reminders, was compromised." 

So, the encrypted stuff such as passwords was not compromised.  They
only got email addys and such which isn't a big deal.


>> As
>> I pointed out earlier, the passwords are already encrypted when they are
>> sent to LastPass.  If I called LastPass, could prove I am who I claim to
>> be and asked them for a password to a site, they couldn't give it to me
>> because it is encrypted when it leaves my machine. 
> I don't know exactly how the LastPass architecture is configured, other than 
> it relies on device based encryption activated with JavaScript, but anomalies 
> they observed in incoming and outgoing traffic on the 2011 incident indicate 
> someone was interfering with their data streams.  Given Diffie-Hellman could 
> be compromised (e.g. as per Logjam) by precomputing some of the most commonly 
> used primes in factoring large integers, it may be someone was undertaking 
> comparative analysis to deduce ciphers and what not.  If the server salt was 
> obtained, then one layer of encryption was compromised.
>
> All this is juxtaposition and my hypothesizing does not mean LastPass is not 
> useful, or not secure.  It just means its design is not as secure as locally 
> run simpler encryption mechanisms, which do not leave your PC and are not 
> stored somewhere else.
>
> The greater surface area a security system exposes, the higher likelihood 
> someone will take a punt at cracking it.  A browser, sandboxed or not, has far 
> too many moving parts and exposed flanks to keep crackers and state actors 
> busy.  I expect with advances in AI this effort will accelerate 
> logarithmically.

This is why I don't use the built in password manager in Firefox. 
Firefox most likely concentrates on the browser since its main job is
being a browser.  A password tool is a little lower on the list I would
think.  However, LastPass and other password tools, it is their main
function to be password tools that are secure but can still work with
the browser as well. 


>
>> As I pointed out to Rich, I don't expect these tools to be 100%.  There
>> is no perfect password tool or a perfect way to manage them either.  No
>> matter what you do, someone can come along and poke a hole in it.  If
>> you use a tool, the tool is hackable.  If you use the same password that
>> is 40 characters long for several dozen sites, then the site can be
>> hacked and they have the password for those other sites as well.  The
>> list could go on for ages but it doesn't really change anything.  We do
>> the best we can and then hope it is enough.  Using tools is in my
>> opinion better than not using a tool at all.  At the least, they will
>> have a hard time breaking into a site directly without my password.  It
>> beats the alternative which is cutting off the computer and unplugging
>> it.  :-( 
> Yes, well said.  A disconnected and switched off PC is probably quite secure, 
> but what use is this to anybody.  LOL!  The effectiveness of PC security is 
> challenged on a daily basis and you eventually have to arrive at a personal 
> trade-off between security and usability.
>

This is what I run into with this new password project.  I want one that
is easy for me to remember, easy to type and such but I also want it to
where some script kiddy can't crack it in like 10 seconds while laughing
his/her fool head off at me.  The decision to use a tool like LastPass,
or any other tool for that matter, also means a trade off.  Anything we
use will expose us to something.  That said, not using one exposes us to
something else, even if it is just bad ways to deal with passwords. 
Using one password on several sites is one thing that jumps to my mind. 
We just have to try to be reasonable about it.  One thing about this,
I'm putting more effort into one password than most do for every
password they have. 

Now to play with the strength meters some more. 

Dale

:-)  :-)



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Dale
Mick wrote:
> On Tuesday, 5 February 2019 10:13:44 GMT Dale wrote:
>
>> After seeing your reply, I realize I just type the command and it
>> prompts me for a password.  I ctrl c to exit.  Well, ain't that
>> something?  You can stop laughing now.  ;-) 
>>
>> It seems to think helloworld and reallysecurepassword is OK.  I have to
>> question just how good this tool is at this point.  
> Quite!
>
> I think the cracklib acceptance parameters are not as strict as they could 
> have been for modern computing, but I don't know how to tweak them.  With 
> johntheripper you have many options to tweak the characters tested, length, 
> etc. when checking a password.
>
> PS.  I wasn't laughing at you, I was laughing at the passwords cracklib 
> thought were OK.

I'm emerging john* or at least it's thinking on it. 

I was talking about you laughing at my comment about the idiot in the
chair who was using the command wrong.  I have to admit, I was laughing
at myself over here.  lol  I might add, I did try to get a man page or
-h to help but it didn't. 

I've got my password down to something I can remember and isn't too bad
to type.  The password strength meter thingys, while not perfect either,
do say it is a strong one.  My looking at it says it is strong too.  I
just can't imagine anyone guessing it.  It's so random and such that I
think it would be very difficult to crack.  Even if one could, it would
take a fairly long time even with some pretty fast puters.  It may not
be NSA proof either but I suspect it would take even them a while. 
Still, I'd like to test this thing really well if I can find a tool that
can really do it properly.  We already know the meter sites aren't
trustworthy.  It seems cracklib isn't quite there either.  Moving on. 

Thanks for the help.  By the time I get around to using this thing, it
may be easy to crack with some laser type puter or something. 

Dale

:-)  :-) 



[gentoo-user] Re: Coming up with a password that is very strong.

2019-02-05 Thread Nikos Chantziaras

On 04/02/2019 22:49, Dale wrote:

> Also, if my computer were to
> die a sudden death, power supply goes bonkers and burns everything in it
> up including hard drives, my passwords are still safe but available.


Firefox stores my login passwords encrypted on a server provided by 
Mozilla. It syncs them between my machines.





Re: [gentoo-user] Re: Coming up with a password that is very strong.

2019-02-05 Thread Mick
On Tuesday, 5 February 2019 07:55:41 GMT Dale wrote:
> Mick wrote:

> > https://en.wikipedia.org/wiki/LastPass#Security_issues
> > 

> From what I read, no users had their passwords compromised in those.

I read it differently.  LastPass didn't know if any passwds were compromised 
(or wouldn't tell you).  As a precaution they asked users to change their 
master passwd, while they changed their server's salt.  In addition, there 
were XSS vulnerabilities later on, which is probably to be expected with 
JavaScript and similar technologies.


> As
> I pointed out earlier, the passwords are already encrypted when they are
> sent to LastPass.  If I called LastPass, could prove I am who I claim to
> be and asked them for a password to a site, they couldn't give it to me
> because it is encrypted when it leaves my machine. 

I don't know exactly how the LastPass architecture is configured, other than 
it relies on device based encryption activated with JavaScript, but anomalies 
they observed in incoming and outgoing traffic on the 2011 incident indicate 
someone was interfering with their data streams.  Given Diffie-Hellman could 
be compromised (e.g. as per Logjam) by precomputing some of the most commonly 
used primes in factoring large integers, it may be someone was undertaking 
comparative analysis to deduce ciphers and what not.  If the server salt was 
obtained, then one layer of encryption was compromised.

All this is juxtaposition and my hypothesizing does not mean LastPass is not 
useful, or not secure.  It just means its design is not as secure as locally 
run simpler encryption mechanisms, which do not leave your PC and are not 
stored somewhere else.

The greater surface area a security system exposes, the higher likelihood 
someone will take a punt at cracking it.  A browser, sandboxed or not, has far 
too many moving parts and exposed flanks to keep crackers and state actors 
busy.  I expect with advances in AI this effort will accelerate 
logarithmically.


> As I pointed out to Rich, I don't expect these tools to be 100%.  There
> is no perfect password tool or a perfect way to manage them either.  No
> matter what you do, someone can come along and poke a hole in it.  If
> you use a tool, the tool is hackable.  If you use the same password that
> is 40 characters long for several dozen sites, then the site can be
> hacked and they have the password for those other sites as well.  The
> list could go on for ages but it doesn't really change anything.  We do
> the best we can and then hope it is enough.  Using tools is in my
> opinion better than not using a tool at all.  At the least, they will
> have a hard time breaking into a site directly without my password.  It
> beats the alternative which is cutting off the computer and unplugging
> it.  :-( 

Yes, well said.  A disconnected and switched off PC is probably quite secure, 
but what use is this to anybody.  LOL!  The effectiveness of PC security is 
challenged on a daily basis and you eventually have to arrive at a personal 
trade-off between security and usability.

-- 
Regards,
Mick



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Mick
On Tuesday, 5 February 2019 10:13:44 GMT Dale wrote:

> After seeing your reply, I realize I just type the command and it
> prompts me for a password.  I ctrl c to exit.  Well, ain't that
> something?  You can stop laughing now.  ;-) 
> 
> It seems to think helloworld and reallysecurepassword is OK.  I have to
> question just how good this tool is at this point.  

Quite!

I think the cracklib acceptance parameters are not as strict as they could 
have been for modern computing, but I don't know how to tweak them.  With 
johntheripper you have many options to tweak the characters tested, length, 
etc. when checking a password.

PS.  I wasn't laughing at you, I was laughing at the passwords cracklib 
thought were OK.
-- 
Regards,
Mick



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Dale
Michael Schwartzkopff wrote:
> On 05.02.19 at 10:55, Mick wrote:
>> On Tuesday, 5 February 2019 06:48:53 GMT Dale wrote:
>>
>>> Sort of picking a random message to reply to here.  Someone sent a reply
>>> off list about checking passwords on my system with tools available.
>>> They also mentioned not trusting strength meters which I can get since
>>> they pass some obvious passwords.  I used three meters and some sort of
>>> common sense as well.  I found cracklib-check after some digging.  I
>>> used that to try to check my password and get this weird response. 
>>>
>>> -su: me-supper-secret-password-here;): event not found
>>>
>>> I'm going to try to emulate my password without actually posting it, for
>>> obvious reasons.  You all are smart enough to understand why.  ROFL  It
>>> has some of the following 'stuff' in it.  !sdER*ark4567#  As you can
>>> tell, I use some of those things on the tops of the number keys.  It
>>> seems that confuses cracklib just a bit.  BTW, I was running that as
>>> root just to be sure it wasn't a permissions issue.  I tried a few
>>> different things but it seems the "!" is triggering that at least, maybe
>>> others too.  The command works fine with just normal stuff.
>> Hmm ... I don't get such a problem here, when I run cracklib as a plain user:
>>
>> $ cracklib-check
>> password
>> password: it is based on a dictionary word
>> p4ssw0rd
>> p4ssw0rd: it is based on a dictionary word
>> p477w0rd
>> p477w0rd: OK
>> !sdER*ark4567#
>> !sdER*ark4567#: OK
>> helloworld
>> helloworld: OK
>> reallysecurepassword
>> reallysecurepassword: OK
>>
>> LOL!
>>
>> Could it be something to do with your terminal/shell?  I've run the above 
>> with bash in a urxvt terminal.
>>
>>
>>> That leads
>>> me to this question.  Is there a tool I can use/install that will test a
>>> password, try to crack it if you will, that will work regardless of the
>>> characters used?  In other words, it doesn't mind the things on top of
>>> the number keys. 
>>>
>>> BTW, I've also whittled it down to something a little easier to type
>>> too.  Feel sorry for any poor fool trying to just guess it.  lol  May
>>> have better luck with P vs NP.  ;-)
>>>
>>> Thanks.
>>>
>>> Dale
>>>
>>> :-)  :-) 
>> I've used app-crypt/johntheripper in the distant past, but you'll need a 
>> good word list for it to be useful.  Some of the wordlists I had found at the 
>> time were too big to download over dial-up!  :p
>>
> A good password also has to be memorizable. See:
>
> https://xkcd.com/936/
>
>
> Kind regards,
>


That's the problem.  I want one really good password that would be
virtually impossible even for someone who knows me to guess.  Doing that
and being able to remember it plus be relatively easy to remember
complicates things a lot.  While at it, I'd like it to be hard to crack
as well.  Even with these password test tools, that is proving to be
hard to know for sure.  I have one that I know would be hard to guess
and I think it would be hard to crack as well but I don't know that last
part for sure, yet anyway. 

Thanks.  It's a work in progress still. 

Dale

:-)  :-) 



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Dale
Mick wrote:
> On Tuesday, 5 February 2019 06:48:53 GMT Dale wrote:
>
>> Sort of picking a random message to reply to here.  Someone sent a reply
>> off list about checking passwords on my system with tools available.
>> They also mentioned not trusting strength meters which I can get since
>> they pass some obvious passwords.  I used three meters and some sort of
>> common sense as well.  I found cracklib-check after some digging.  I
>> used that to try to check my password and get this weird response. 
>>
>> -su: me-supper-secret-password-here;): event not found
>>
>> I'm going to try to emulate my password without actually posting it, for
>> obvious reasons.  You all are smart enough to understand why.  ROFL  It
>> has some of the following 'stuff' in it.  !sdER*ark4567#  As you can
>> tell, I use some of those things on the tops of the number keys.  It
>> seems that confuses cracklib just a bit.  BTW, I was running that as
>> root just to be sure it wasn't a permissions issue.  I tried a few
>> different things but it seems the "!" is triggering that at least, maybe
>> others too.  The command works fine with just normal stuff.
> Hmm ... I don't get such a problem here, when I run cracklib as a plain user:
>
> $ cracklib-check
> password
> password: it is based on a dictionary word
> p4ssw0rd
> p4ssw0rd: it is based on a dictionary word
> p477w0rd
> p477w0rd: OK
> !sdER*ark4567#
> !sdER*ark4567#: OK
> helloworld
> helloworld: OK
> reallysecurepassword
> reallysecurepassword: OK
>
> LOL!
>
> Could it be something to do with your terminal/shell?  I've run the above 
> with bash in a urxvt terminal.
>
>


He he he he.  It was the idiot in the chair.  The idiot in the chair
thought it was done this way, like I saw on a website that must be
outdated. 

root@fireball / # cracklib-check !sdER*ark4567#
-su: !sdER: event not found
root@fireball / #

After seeing your reply, I realize I just type the command and it
prompts me for a password.  I ctrl c to exit.  Well, ain't that
something?  You can stop laughing now.  ;-) 

It seems to think helloworld and reallysecurepassword is OK.  I have to
question just how good this tool is at this point.  Maybe I need to
install some more stuff here.  Pardon me while I go find some more of
this.  Something has to be missing.  :/

Dale

:-)  :-) 



Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Michael Schwartzkopff
On 05.02.19 at 10:55, Mick wrote:
> On Tuesday, 5 February 2019 06:48:53 GMT Dale wrote:
>
>> Sort of picking a random message to reply to here.  Someone sent a reply
>> off list about checking passwords on my system with tools available.
>> They also mentioned not trusting strength meters which I can get since
>> they pass some obvious passwords.  I used three meters and some sort of
>> common sense as well.  I found cracklib-check after some digging.  I
>> used that to try to check my password and get this weird response. 
>>
>> -su: me-supper-secret-password-here;): event not found
>>
>> I'm going to try to emulate my password without actually posting it, for
>> obvious reasons.  You all are smart enough to understand why.  ROFL  It
>> has some of the following 'stuff' in it.  !sdER*ark4567#  As you can
>> tell, I use some of those things on the tops of the number keys.  It
>> seems that confuses cracklib just a bit.  BTW, I was running that as
>> root just to be sure it wasn't a permissions issue.  I tried a few
>> different things but it seems the "!" is triggering that at least, maybe
>> others too.  The command works fine with just normal stuff.
> Hmm ... I don't get such a problem here, when I run cracklib as a plain user:
>
> $ cracklib-check
> password
> password: it is based on a dictionary word
> p4ssw0rd
> p4ssw0rd: it is based on a dictionary word
> p477w0rd
> p477w0rd: OK
> !sdER*ark4567#
> !sdER*ark4567#: OK
> helloworld
> helloworld: OK
> reallysecurepassword
> reallysecurepassword: OK
>
> LOL!
>
> Could it be something to do with your terminal/shell?  I've run the above 
> with bash in a urxvt terminal.
>
>
>> That leads
>> me to this question.  Is there a tool I can use/install that will test a
>> password, try to crack it if you will, that will work regardless of the
>> characters used?  In other words, it doesn't mind the things on top of
>> the number keys. 
>>
>> BTW, I've also whittled it down to something a little easier to type
>> too.  Feel sorry for any poor fool trying to just guess it.  lol  May
>> have better luck with P vs NP.  ;-)
>>
>> Thanks.
>>
>> Dale
>>
>> :-)  :-) 
> I've used app-crypt/johntheripper in the distant past, but you'll need a good 
> word list for it to be useful.  Some of the wordlists I had found at the time 
> were too big to download over dial-up!  :p
>
A good password also has to be memorizable. See:

https://xkcd.com/936/


Kind regards,

-- 

[*] sys4 AG
 
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
 
Registered office: München, Amtsgericht München: HRB 199263
Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein




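The xkcd strip Michael links makes a quantitative point: a passphrase of words drawn uniformly at random from a known list gets its strength from the list size and the word count, not from the words being exotic. The following is an added example, not code from the poster or from any project named in the thread. It assumes the attacker knows the list, so the entropy is simply n * log2(list size); the 16-word SAMPLE_WORDS list is constructed only to keep the script self-contained, and the 7776-entry size used for the figures is an assumption standing in for a full published list such as the EFF long list.

```python
import math
import secrets

# Constructed sample list so the script runs offline. A real generator uses
# a published list (assumption: EFF long list, 7776 entries); the sample is
# far too small to produce strong passphrases on its own.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anchor", "orbit", "velvet",
    "kettle", "marble", "signal", "timber", "copper", "meadow", "pixel",
    "saddle", "lantern",
]
EFF_LONG_LIST_SIZE = 7776  # assumption: size of the list actually used


def passphrase_bits(n_words, list_size):
    """Entropy of n words chosen uniformly and independently from a list
    of list_size entries. The list is assumed public, so only the choice
    contributes; this is the figure the xkcd strip computes."""
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest word count that reaches target_bits from the given list."""
    return math.ceil(target_bits / math.log2(list_size))


def generate(n_words, wordlist=SAMPLE_WORDS, sep=" "):
    """Draw n words with the OS CSPRNG. secrets.choice is used rather than
    random.choice because the latter is a seeded Mersenne Twister whose
    output can be reconstructed from a few observed values."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def describe(n_words, list_size):
    """Human-readable summary used by the demo below."""
    bits = passphrase_bits(n_words, list_size)
    return f"{n_words} words from {list_size}: about {bits:.1f} bits"


if __name__ == "__main__":
    print(describe(4, 2048))               # the strip's figure: 44 bits
    print(describe(4, EFF_LONG_LIST_SIZE))
    print("words for 80 bits:", words_needed(80, EFF_LONG_LIST_SIZE))
    print("sample passphrase:", generate(5))
```

The point for a checker like the one cracklib offers is that `helloworld` scores as two picks from a wordlist, not as ten random characters; the generator side of the same arithmetic tells you how many words you need before a word-based guesser is no better off than a brute-force one.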


Re: [gentoo-user] Coming up with a password that is very strong.

2019-02-05 Thread Mick
On Tuesday, 5 February 2019 06:48:53 GMT Dale wrote:

> Sort of picking a random message to reply to here.  Someone sent a reply
> off list about checking passwords on my system with tools available.
> They also mentioned not trusting strength meters which I can get since
> they pass some obvious passwords.  I used three meters and some sort of
> common sense as well.  I found cracklib-check after some digging.  I
> used that to try to check my password and get this weird response. 
> 
> -su: me-supper-secret-password-here;): event not found
> 
> I'm going to try to emulate my password without actually posting it, for
> obvious reasons.  You all are smart enough to understand why.  ROFL  It
> has some of the following 'stuff' in it.  !sdER*ark4567#  As you can
> tell, I use some of those things on the tops of the number keys.  It
> seems that confuses cracklib just a bit.  BTW, I was running that as
> root just to be sure it wasn't a permissions issue.  I tried a few
> different things but it seems the "!" is triggering that at least, maybe
> others too.  The command works fine with just normal stuff.

Hmm ... I don't get such a problem here, when I run cracklib as a plain user:

$ cracklib-check
password
password: it is based on a dictionary word
p4ssw0rd
p4ssw0rd: it is based on a dictionary word
p477w0rd
p477w0rd: OK
!sdER*ark4567#
!sdER*ark4567#: OK
helloworld
helloworld: OK
reallysecurepassword
reallysecurepassword: OK

LOL!

Could it be something to do with your terminal/shell?  I've run the above with 
bash in a urxvt terminal.


> That leads
> me to this question.  Is there a tool I can use/install that will test a
> password, try to crack it if you will, that will work regardless of the
> characters used?  In other words, it doesn't mind the things on top of
> the number keys. 
> 
> BTW, I've also whittled it down to something a little easier to type
> too.  Feel sorry for any poor fool trying to just guess it.  lol  May
> have better luck with P vs NP.  ;-)
> 
> Thanks.
> 
> Dale
> 
> :-)  :-) 

I've used app-crypt/johntheripper in the distant past, but you'll need a good 
word list for it to be useful.  Some of the wordlists I had found at the time 
were too big to download over dial-up!  :p

-- 
Regards,
Mick

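Mick's transcript shows the limit of a single-word dictionary check: `helloworld` and `reallysecurepassword` pass because neither is one dictionary entry, yet both are cheap for a guesser that concatenates words. The following is an added example, not code from the thread or from cracklib. It assumes a toy WORDS set (constructed; a real checker would load a large list), an attacker wordlist of 100,000 entries as the per-word guessing cost, and a 60-bit policy threshold; all three are assumptions. It undoes common leet substitutions, segments the letters into dictionary words by dynamic programming, and compares the cheaper of word-based and brute-force guessing against the threshold.

```python
import math
import re

# Constructed mini wordlist for the demo. A real checker would load a large
# list (cracklib's dictionary or /usr/share/dict/words). The attacker is
# assumed to have a list of about 100k entries, which sets the cost per word.
WORDS = {
    "hello", "world", "really", "secure", "password", "pass", "word",
    "super", "secret", "correct", "horse", "battery", "staple", "ark",
}
ASSUMED_WORDLIST_SIZE = 100_000
MIN_BITS = 60.0  # policy threshold; an assumption, not a cracklib setting

# Common leet substitutions, undone before lookup so p4ssw0rd scores as
# "password" rather than as an unrelated string.
LEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def split_into_words(s, min_len=3):
    """Return dictionary words that exactly cover s (dynamic programming over
    prefixes), or None when no such segmentation exists."""
    best = [None] * (len(s) + 1)
    best[0] = []
    for i in range(1, len(s) + 1):
        for j in range(max(0, i - 20), i - min_len + 1):
            if best[j] is not None and s[j:i] in WORDS:
                best[i] = best[j] + [s[j:i]]
                break
    return best[len(s)]


def brute_force_bits(pw):
    """Work factor if the attacker must try every string over the character
    classes present in pw: len * log2(alphabet size)."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33
    return len(pw) * math.log2(size) if size else 0.0


def guess_bits(pw):
    """Estimate the attacker's cheapest strategy for pw.
    Returns (bits, explanation)."""
    letters = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    words = split_into_words(letters) if letters else None
    # Dictionary words plus at most two decorations are guessed by picking
    # words, not by brute force; each decoration gets one symbol of credit.
    if words and len(pw) - len(letters) <= 2:
        bits = len(words) * math.log2(ASSUMED_WORDLIST_SIZE)
        bits += (len(pw) - len(letters)) * math.log2(95)
        return bits, f"concatenation of dictionary words {words}"
    return brute_force_bits(pw), "no dictionary structure found; brute force"


def check(pw):
    """Return 'OK' or a cracklib-check style reason for rejection."""
    if len(pw) < 8:
        return "it is too short"
    bits, why = guess_bits(pw)
    if bits < MIN_BITS:
        return f"it is too easy to guess ({bits:.0f} bits: {why})"
    return "OK"


if __name__ == "__main__":
    # The same candidates Mick fed to cracklib-check, plus the xkcd passphrase.
    for cand in ["password", "p4ssw0rd", "p477w0rd", "!sdER*ark4567#",
                 "helloworld", "reallysecurepassword",
                 "correcthorsebatterystaple"]:
        print(f"{cand}: {check(cand)}")
```

Run it and the two strings cracklib waved through are rejected at roughly 33 and 50 bits, while `!sdER*ark4567#` passes on its character mix and a four-word passphrase passes on word count. The estimate is deliberately the attacker's cheaper strategy: a checker that only scores character classes would rate `helloworld` as ten lowercase letters (47 bits) and miss the point entirely.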


Re: [gentoo-user] Re: Coming up with a password that is very strong.

2019-02-05 Thread Mick
On Tuesday, 5 February 2019 08:41:28 GMT Neil Bothwick wrote:
> On Mon, 04 Feb 2019 23:26:52 +, Mick wrote:
> > You could use gpg/openssl to encrypt a number of files, which would
> > contain your different website/application passwds.
> 
> pass does exactly that
> 
> * app-admin/pass
>  Available versions:  1.7.3 ** {X dmenu emacs fish-completion +git
> importers zsh-completion ELIBC="Darwin"} Homepage:
> https://www.passwordstore.org/
>  Description: Stores, retrieves, generates, and synchronizes passwords
> securely

What do you know?!  Someone else thought of it too.  :-)

Thanks Neil, this looks interesting and seems way more advanced than my simple 
one-liner.

-- 
Regards,
Mick



Re: [gentoo-user] Re: Coming up with a password that is very strong.

2019-02-05 Thread Neil Bothwick
On Mon, 04 Feb 2019 23:26:52 +, Mick wrote:

> You could use gpg/openssl to encrypt a number of files, which would
> contain your different website/application passwds.

pass does exactly that

* app-admin/pass
 Available versions:  1.7.3 ** {X dmenu emacs fish-completion +git 
importers zsh-completion ELIBC="Darwin"}
 Homepage: https://www.passwordstore.org/
 Description: Stores, retrieves, generates, and synchronizes passwords 
securely


-- 
Neil Bothwick

"There are some ideas so idiotic that only an intellectual could believe
them" George Orwell

