Re: [gentoo-user] Re: Coming up with a password that is very strong.
Mick wrote:
> On Monday, 4 February 2019 22:12:16 GMT Dale wrote:
>> Neil Bothwick wrote:
>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>>>> One reason I use LastPass, it is mobile. I can go to someone else's computer, use LastPass to say make use of Paypal, Newegg, Ebay etc, logoff and it is like I was never there.
>>>>
>>>> As much as I like Lastpass I would never do that. It isn't magic - it is javascript. If there is a compromise on your computer, then your password database will be compromised. This is true of other solutions like KeePassX and so on - if something roots your box then it will be compromised.
>>>
>>> I don't see what root has to do with it. If someone gains access to your box, they can copy the database file and then take their time trying to crack the password, but you don't need to be root to do that.
>>
>> I might point out, LastPass encrypts the password before sticking it in a file. It isn't visible or plain text. Even getting the file would still require some tools and cracking to get the password itself. Cracking the master password would likely be much easier and doesn't even require access to the box itself, Linux or windoze. Also, LastPass only stores the encrypted password on its servers. Even if LastPass is hacked, the passwords are still encrypted. It's one reason LastPass shouldn't have to worry about getting court orders to turn over passwords. It doesn't really have them. I would suspect that cracking an encrypted password is as difficult as is just poking at a password until it is guessed.
>>
>> Even if a person is using a perfect tool, cracking a password is always going to be possible. The tougher the password, the harder it will be and the longer it will take. Still, it can be done. Using these tools just makes it harder. I'm not aware of a perfect password tool. I doubt one exists or ever will either. ;-) It's still good to pick one, use it and try to be as secure as one can.
>>
>> Dale
>>
>> :-) :-)
>
> A solution like LastPass et al., using a browser's javascript to access it, under a single master passwd, theoretically would have so many side-channel attacks no one would be wasting time to brute force anything.
>
> https://en.wikipedia.org/wiki/LastPass#Security_issues
>
> You could use gpg/openssl to encrypt a number of files, which would contain your different website/application passwds. For paranoid use cases you can use asymmetric keys and store your private key out-of-band. Sure, it won't be as convenient as LastPass, but I expect it would be more secure and unlikely to be compromised by XSS vulnerabilities.

From what I read, no users had their passwords compromised in those. As I pointed out earlier, the passwords are already encrypted when they are sent to LastPass. If I called LastPass, could prove I am who I claim to be and asked them for a password to a site, they couldn't give it to me because it is encrypted when it leaves my machine. The only breach I recall is when they said that users' email addresses were taken. There was once where they asked everyone to change their master password as a precaution several years ago. They had no info that showed anything was hacked but they wanted users to change them anyway. Since I get emails as a user, I've never received an email that said their service was hacked and that passwords were known to be taken decrypted. I do get emails when something needs to be changed or I changed something.

As I pointed out to Rich, I don't expect these tools to be 100%. There is no perfect password tool or a perfect way to manage them either. No matter what you do, someone can come along and poke a hole in it. If you use a tool, the tool is hackable. If you use the same password that is 40 characters long for several dozen sites, then the site can be hacked and they have the password for those other sites as well. The list could go on for ages but it doesn't really change anything.

We do the best we can and then hope it is enough. Using tools is in my opinion better than not using a tool at all. At the least, they will have a hard time breaking into a site directly without my password. It beats the alternative which is cutting off the computer and unplugging it. :-(

Still can't get cracklib to work right. < scratches head >

Dale

:-) :-)
Re: [gentoo-user] Re: Coming up with a password that is very strong.
Rich Freeman wrote:
> On Mon, Feb 4, 2019 at 5:12 PM Dale wrote:
>> Neil Bothwick wrote:
>>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>>>> One reason I use LastPass, it is mobile. I can go to someone else's computer, use LastPass to say make use of Paypal, Newegg, Ebay etc, logoff and it is like I was never there.
>>>>
>>>> As much as I like Lastpass I would never do that. It isn't magic - it is javascript. If there is a compromise on your computer, then your password database will be compromised. This is true of other solutions like KeePassX and so on - if something roots your box then it will be compromised.
>>>
>>> I don't see what root has to do with it. If someone gains access to your box, they can copy the database file and then take their time trying to crack the password, but you don't need to be root to do that.
>
> Correct, it just needs access to the user's data or browser process, which could mean running as root, or that user.
>
>> I might point out, LastPass encrypts the password before sticking it in a file. It isn't visible or plain text. Even getting the file would still require some tools and cracking to get the password itself.
>
> That assumes you're attacking the password file directly.
>
> If you're using lastpass on a compromised system then there are many ways that can be used to bypass the encryptions. They could sniff your master password when you key it in, or read it directly from the browser's memory. These things are protected from sandboxed code in your browser, but not from processes running outside the browser (unless again you're using a non-conventional privilege system like selinux/android/etc).

One could argue the same thing with any password tool out there tho, right? After all, at some point, all password tools have to decrypt the password even if it is only in memory. At that point, it can be 'sniffed' out.

Thing is, if my system or any system I use is compromised, I'll have the same issue no matter what I do or what tool I use. Even if I use the password tool included in Firefox or any other browser, wouldn't I run into the same problem? Wouldn't I run into some other security problem if I used no password tool at all and just typed in the same password for say 20 or 30 different sites? The solution is, be reasonably secure. Nothing is 100% secure unless it is turned off completely, maybe not even then. I'm sure even selinux has its security issues as well. It is after all an OS that runs a lot of code and only needs one flaw in it.

As I've pointed out before on different topics, if a person gets physical access or control of a machine and is able to install things on it, it doesn't really matter what one does unless they can detect it somehow before ever using anything. Given I only install things from trusted sources, the odds of that happening are likely very small. Even my neighbors don't install much of anything because they mostly use it to access financial sites and to check their email. They are an older pair so they don't use it like even someone my age does. Still, if I did have to use it in a situation, such as ordering computer parts to rebuild, I'd likely change my more important passwords just to be sure ASAP. I already do that regularly anyway especially for my financial sites. That's another thing LastPass tracks, how long a password has been in use for a site. It reminds me of that sort of thing.

While I'm trying to come up with a good password, I don't expect it to cover every possible case. While I use LastPass, I don't expect it to be a perfect solution. I wouldn't expect it of any other tool either. Thing is, LastPass does what I need and is likely as secure as other tools that can do the same things. I get that one can be hacked as you describe but once a person is able to do what you describe, it really doesn't matter what tool I use. Even a simple keylogger can do the job if I use no password tool at all.

I'm just trying to be reasonably secure. If everyone or even most everyone would do the same, those little script kiddies would have to work much harder. That's one thing I read about while googling for ways to come up with passwords. Over half the people using passwords use some really awful ones. Some use the same one for a lot of sites as well. Something we both know is bad. If everyone would put in even a tenth of the effort I am, the internet would be a much safer place.

Dale

:-) :-)
Re: [gentoo-user] Re: Coming up with a password that is very strong.
On Monday, 4 February 2019 22:12:16 GMT Dale wrote:
> Neil Bothwick wrote:
>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>>> One reason I use LastPass, it is mobile. I can go to someone else's computer, use LastPass to say make use of Paypal, Newegg, Ebay etc, logoff and it is like I was never there.
>>>
>>> As much as I like Lastpass I would never do that. It isn't magic - it is javascript. If there is a compromise on your computer, then your password database will be compromised. This is true of other solutions like KeePassX and so on - if something roots your box then it will be compromised.
>>
>> I don't see what root has to do with it. If someone gains access to your box, they can copy the database file and then take their time trying to crack the password, but you don't need to be root to do that.
>
> I might point out, LastPass encrypts the password before sticking it in a file. It isn't visible or plain text. Even getting the file would still require some tools and cracking to get the password itself. Cracking the master password would likely be much easier and doesn't even require access to the box itself, Linux or windoze. Also, LastPass only stores the encrypted password on its servers. Even if LastPass is hacked, the passwords are still encrypted. It's one reason LastPass shouldn't have to worry about getting court orders to turn over passwords. It doesn't really have them. I would suspect that cracking an encrypted password is as difficult as is just poking at a password until it is guessed.
>
> Even if a person is using a perfect tool, cracking a password is always going to be possible. The tougher the password, the harder it will be and the longer it will take. Still, it can be done. Using these tools just makes it harder. I'm not aware of a perfect password tool. I doubt one exists or ever will either. ;-) It's still good to pick one, use it and try to be as secure as one can.
>
> Dale
>
> :-) :-)

A solution like LastPass et al., using a browser's javascript to access it, under a single master passwd, theoretically would have so many side-channel attacks no one would be wasting time to brute force anything.

https://en.wikipedia.org/wiki/LastPass#Security_issues

You could use gpg/openssl to encrypt a number of files, which would contain your different website/application passwds. For paranoid use cases you can use asymmetric keys and store your private key out-of-band. Sure, it won't be as convenient as LastPass, but I expect it would be more secure and unlikely to be compromised by XSS vulnerabilities.

--
Regards,
Mick
Re: [gentoo-user] Re: Coming up with a password that is very strong.
On Mon, Feb 4, 2019 at 5:12 PM Dale wrote:
>
> Neil Bothwick wrote:
>> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>>> One reason I use LastPass, it is mobile. I can go to someone else's computer, use LastPass to say make use of Paypal, Newegg, Ebay etc, logoff and it is like I was never there.
>>>
>>> As much as I like Lastpass I would never do that. It isn't magic - it is javascript. If there is a compromise on your computer, then your password database will be compromised. This is true of other solutions like KeePassX and so on - if something roots your box then it will be compromised.
>>
>> I don't see what root has to do with it. If someone gains access to your box, they can copy the database file and then take their time trying to crack the password, but you don't need to be root to do that.

Correct, it just needs access to the user's data or browser process, which could mean running as root, or that user.

> I might point out, LastPass encrypts the password before sticking it in a file. It isn't visible or plain text. Even getting the file would still require some tools and cracking to get the password itself.

That assumes you're attacking the password file directly.

If you're using lastpass on a compromised system then there are many ways that can be used to bypass the encryptions. They could sniff your master password when you key it in, or read it directly from the browser's memory. These things are protected from sandboxed code in your browser, but not from processes running outside the browser (unless again you're using a non-conventional privilege system like selinux/android/etc).

--
Rich
Re: [gentoo-user] Coming up with a password that is very strong.
Neil Bothwick wrote:
> On Mon, 04 Feb 2019 11:17:13 +, Mick wrote:
>>> https://xkcd.com/936/
>>
>> Not strictly true ... the crackers would probably use rainbow tables attacks first. Also, it isn't fair to compare an 11 character passwd against a 25 character passwd. For the *same* number of characters used in any given passwd, a random lower/upper/numerical/symbol passwd will provide an exponentially higher degree of difficulty in cracking it with brute force, than one which uses only lower case dictionary words. Anyway, these days many attacks are focused on OS or hardware vulnerabilities which have been baked in by design, rather than brute force attacks.
>
> I'm not sure xkcd is meant to be taken that seriously...

Sort of picking a random message to reply to here.

Someone sent a reply off list about checking passwords on my system with tools available. They also mentioned not trusting strength meters which I can get since they pass some obvious passwords. I used three meters and some sort of common sense as well. I found cracklib-check after some digging. I used that to try to check my password and get this weird response.

-su: me-supper-secret-password-here;): event not found

I'm going to try to emulate my password without actually posting it, for obvious reasons. You all are smart enough to understand why. ROFL It has some of the following 'stuff' in it.

!sdER*ark4567#

As you can tell, I use some of those things on the tops of the number keys. It seems that confuses cracklib just a bit. BTW, I was running that as root just to be sure it wasn't a permissions issue. I tried a few different things but it seems the "!" is triggering that at least, maybe others too. The command works fine with just normal stuff.

That leads me to this question. Is there a tool I can use/install that will test a password, try to crack it if you will, that will work regardless of the characters used? In other words, it doesn't mind the things on top of the number keys.

BTW, I've also whittled it down to something a little easier to type too. Feel sorry for any poor fool trying to just guess it. lol May have better luck with P vs NP. ;-)

Thanks.

Dale

:-) :-)
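A note on the "event not found" error above, with an added example that is not part of the thread: the message comes from bash, not from cracklib. In an interactive shell, `!s` (unquoted or inside double quotes) is a history-expansion request, and bash rejects the whole command line before cracklib-check ever runs. Single quotes or `set +H` stop that, but the better fix is to never put a password on a command line at all, since argv ends up in shell history and in `ps` output. The wrapper below feeds candidates to cracklib-check on stdin. It assumes cracklib-check is installed (sys-libs/cracklib on Gentoo); the `CHECKER` variable, the function names and the sample candidate are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: check passwords with cracklib-check
# without placing them on a command line.

# If this file is sourced into an interactive bash, turn off history
# expansion so a pasted '!' cannot trigger "event not found" first.
if [ -n "$BASH_VERSION" ]; then set +H; fi

# Assumption: cracklib-check is on PATH; override CHECKER to test something else.
CHECKER="${CHECKER:-cracklib-check}"

# pw_verdict PASSWORD
#   Feeds the candidate on stdin, prints cracklib's verdict only (never the
#   password) and returns 0 exactly when the verdict is "OK".
pw_verdict() {
    # printf '%s\n' passes the string byte-for-byte: no echo -e, no expansion.
    out=$(printf '%s\n' "$1" | "$CHECKER" 2>&1)
    # cracklib echoes "<password>: <verdict>"; strip exactly our own prefix.
    verdict=${out#"$1: "}
    printf '%s\n' "$verdict"
    [ "$verdict" = "OK" ]
}

# pw_check_lines < FILE
#   One candidate per line; reports a verdict per line number and returns 0
#   only when every candidate passed.
pw_check_lines() {
    rc=0
    n=0
    while IFS= read -r cand; do
        n=$(( n + 1 ))
        v=$(pw_verdict "$cand") || rc=1
        printf 'line %d: %s\n' "$n" "$v"
    done
    return "$rc"
}

# pw_prompt
#   Reads one candidate from the terminal with echo off and checks it.
pw_prompt() {
    printf 'Candidate password: ' >&2
    stty -echo
    IFS= read -r cand
    stty echo
    printf '\n' >&2
    pw_verdict "$cand"
}

# Constructed sample in the spirit of the thread's stand-in password; in a
# script file the '!' is never history-expanded, and single quotes protect it
# if this line is pasted into an interactive shell.
demo() {
    pw_verdict '!sdER*ark4567#'
}
```

Usage: `. ./pwcheck.sh; pw_prompt` for one interactive check, or `pw_check_lines < candidates.txt` for a batch, after which the candidates file should be shredded. Nothing here changes cracklib's own dictionary and rule checks; it only fixes how the string reaches it.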
Re: [gentoo-user] Coming up with a password that is very strong.
Tanstaafl wrote:
> On 2/4/2019, 12:47:35 AM, Dale wrote:
>> Thing is, with today's computing power, it really isn't anymore. While no one could just guess it, it could be cracked/hacked I'm sure. I need to come up with a new one that meets the requirements I just mentioned. Strong, easy to remember, easy to type but won't forget. I've read that using maiden names, years of birth or whole dates of birth, actual names, pet's name, words in a dictionary and a whole list of other things makes it easier, especially if you post a lot on social media, for hackers to use against you. I'm trying to avoid that sort of thing obviously and have a couple ideas but am curious as to what method others use, without exposing too much detail since this is public.
>
> I've been using a little Firefox Addon called Passwordmaker for many, many years, and despite all of its warts, I've been loath to give it up, even though it will never be upgraded to work as a WebExtension.
>
> 2 things I loved about it -
>
> a) it doesn't save the password locally, only info about the site/account, and
> b) you can use an unlimited number of Master Passwords
>
> I'm looking at migrating to KeePassXC, and even though I really hate the idea of saving the actual password - Passwordmaker simply generates the password on the fly each time based on certain specified criteria (ie, the site URL, username, password length, etc for each account - one technique I adopted shortly after assisting in updating the Passwordmaker website eases my mind about it...
>
> This is a simple technique I strongly recommend that everyone employ, especially if you use a Password manager (like LastPass or KeePass)...
>
> It is uncrackable (well, as long as it isn't the CIA or NSA that wants to crack it and they are willing to kidnap/torture you to do so).
>
> You sit down and come up with a ... call it a 'password modification protocol' ... whereby, you always modify your generated/stored password in a specific way before pressing enter.
>
> For example, you delete characters 3, 5 and 7, then add 2 characters to the beginning and 2 to the end.
>
> It is very simple, and negates worrying about someone stealing your password vault.

I tried to find it just to see how it works but it isn't listed. From what you wrote, you may want to at least check into LastPass. Link below. It may do what you currently use and some. I only use the free version and it does more than I need already. I think if I get a smart phone, I'd have to pay a small monthly fee. Still, I'm sure there is a tool that will suit your needs. There are a lot of them out there. Typing password in the add-on search box produces a LOT of results. Just find a good one and let it work for you.

https://www.lastpass.com/

I'm not sure I understand what you mean by password modification protocol. It sounds like you change your master password each time you use it. If I did that, I'd never know which one to use because that would confuse me. I don't write passwords down, period. I went to the local nursing home the other day, to drop off some puzzle books and a bunch of bananas, and they have a coded entry thing on the door. I entered the code a couple times and it didn't work. One of the nurses that was coming on shift came up and entered the code. When she told me the code, I realized I was using the code they had before the current one. I shifted back in time a bit I guess. I may not have a flux capacitor but I did it anyway. lol

I admit, some of the new things they use, I have no idea how they work since I've never used most of them. I've read about a few of them but don't really get how they work. If I used them, I'd get it. What I hate most, when my bank changes something about their login process and a little research shows it accomplishes nothing. My credit card site has this picture and phrase thing. I found where it was researched and it does little to actually help because most people don't pay it any attention. My biggest cheat, I adblock stuff on the bank website, like their great big logo thing. If I do go to a website and that logo shows up, it didn't match my adblock setting. At that point, that gets a little extra attention until I know for sure and for certain I'm on the correct site. Also, LastPass will pick up it's on the wrong site too. It won't fill in the password info if it doesn't match up. They've had the same logo on the site for years.

It's amazing what we have to do with our computers to keep ourselves safe because of . . . computers. :/ I guess this is one reason I like Linux. It at least tries to be secure.

Dale

:-) :-)
Re: [gentoo-user] Coming up with a password that is very strong.
Hi Dale,

On Sun, Feb 03, 2019 at 11:47:35PM -0600 , Dale wrote:
> How do you, especially those who admin systems that are always being hacked at, generate strong passwords that meet the above?

I have a script for generating passwords the way I like (basically diceware on bash). Something like:

# each word owns a slice of 2^32/N of the 32-bit random value
FACTOR=$(( 2**32 / $(wc -l < "$WORDLIST") ))
# +1 keeps the line number in 1..N ("head -n 0" prints nothing when the random value is below FACTOR)
head -n "$(( $(od -vAn -N4 -tu4 < /dev/random) / FACTOR + 1 ))" "$WORDLIST" | tail -1

I use this in conjunction with https://github.com/dwyl/english-words/blob/master/words.txt

As far as I understand, if you have about 96 bits of entropy you are golden. 256 bits is unbruteforceable (at least within the realms of physics apparently).

5 words = 94 bits (which is good enough for me)
14 words = 256 bits (which seems like a lot of typing)

I also have a messy spreadsheet for checking passwords. https://github.com/rjhwelsh/gpg-tutorial/blob/master/password_checker.ods

I provide no warranty for my working. ;)

--
Roger Welsh
fpr: 2FCB 9E31 EA77 CDEC A3AE 5DD7 D54C C777 553A 180D
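An added example, not Roger's script: the same diceware idea carried a step further. Dividing a 32-bit value into N equal slices is only uniform when N divides 2^32; the leftover range otherwise favours the last word, so the index here is rejection-sampled instead. The generator takes any wordlist and word count, and `entropy_bits` computes the figure the post quotes from the list size: a standard 7776-word diceware list gives 12.9 bits per word, a list of about 466,000 words about 18.8, which is where "5 words = 94 bits" comes from. Assumes only POSIX sh with od, awk, sed and grep; the wordlist path, the separator and the constructed five-word list used for testing are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: diceware-style passphrases with an
# unbiased word index, plus the entropy arithmetic for a given list size.

# entropy_bits WORDS_IN_LIST WORDS_CHOSEN -> k * log2(N), one decimal
entropy_bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%.1f\n", k * log(n) / log(2) }'
}

# rand_index N -> uniform integer in [0, N)
#   Draws 32 bits from /dev/urandom and re-draws when the value falls into
#   the top partial slice, so every index is equally likely (no modulo bias).
rand_index() {
    n=$1
    limit=$(( 4294967296 - 4294967296 % n ))   # largest multiple of n <= 2^32
    while :; do
        r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
        [ "$r" -lt "$limit" ] && { echo $(( r % n )); return 0; }
    done
}

# passphrase WORDLIST COUNT [SEPARATOR]
#   COUNT words joined by SEPARATOR (default "-"); blank lines in the list
#   are ignored so the index matches what entropy_bits is told.
passphrase() {
    list=$1
    k=$2
    sep=${3:--}
    n=$(grep -c . "$list")
    [ "$n" -gt 1 ] || { echo "wordlist too small" >&2; return 1; }
    out=""
    i=0
    while [ "$i" -lt "$k" ]; do
        w=$(grep . "$list" | sed -n "$(( $(rand_index "$n") + 1 ))p")
        out="${out}${out:+$sep}${w}"
        i=$(( i + 1 ))
    done
    printf '%s\n' "$out"
}

# Example run (path is an assumption): a 6-word phrase and its strength.
# passphrase /usr/share/dict/words 6
# entropy_bits "$(grep -c . /usr/share/dict/words)" 6
```

The strength figure only holds if the attacker is assumed to know the list and the word count, which is the honest assumption; it says nothing about a phrase the user afterwards shortens or "improves" by hand, and nothing about a wordlist full of near-duplicates or inflected forms, which a cracker's rules will fold together. Note also that `/dev/urandom` is used; on any kernel of the last several years it is the same generator as `/dev/random` once seeded, and it never blocks at boot the way the latter historically did.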
Re: [gentoo-user] VRFs / Jails / Containers
On 02/04/2019 02:58 PM, Rich Freeman wrote:
> So, I think we're miscommunicating a bit here...

It happens.

> I'm saying that an init.d script shouldn't try to do anything other than initialize a service, which should be implemented outside the init.d script.

It sounds like you are saying that an init script shouldn't do anything other than (re)start/stop a service and that there should be a separate script (binary / command) that is the service. (I'm going to assume that's accurate unless / until you say otherwise.)

Does this apply if the "service" is something as simple as enabling or disabling IP forwarding? Should the init script call a separate script to write the proper value to the requisite proc entry?

> So, if you have a shell script that launches a container, then you should call it from the init.d script. You shouldn't merge them into a single init.d script that has 30 lines of container setup logic or whatever.

I think the issue that I'm having, and part of what you're calling out is that the script for a "container" (network namespace) is more than it should be.

Consider the following commands to start the "container":

ip netns add myContainer
ip link add myContainer type veth peer name myHost netns myContainer
ip link set myContainer up
ip addr add 192.0.2.1/24 dev myContainer
ip netns exec myContainer ip link set myHost up
ip netns exec myContainer ip addr add 192.0.2.2/24 dev myHost

Consider the following command to stop the "container":

ip netns del myContainer

I feel like those two sections could easily fit within an OpenRC init script:

start() {
    ip netns add myContainer
    ip link add myContainer type veth peer name myHost netns myContainer
    ip link set myContainer up
    ip addr add 192.0.2.1/24 dev myContainer
    ip netns exec myContainer ip link set myHost up
    ip netns exec myContainer ip addr add 192.0.2.2/24 dev myHost
}

stop() {
    ip netns del myContainer
}

So, I'm not sure why those commands need to or should live inside something other than the init script. Please help me understand what I'm missing or not understanding.

> Of course. That shell script that launches a container could very well just launch sysvinit which runs openrc which runs another set of init.d scripts INSIDE the container to initialize it.

Now I'm starting to think that you are under the impression that the "container(s)" that I'm working with are more complicated and have many things running in them, more akin to a full OS. That's not the case for me or my use case. About the only other added complication might be launching BIRD and / or an additional network interface.

> Yup - though I would think the scripts inside the container would be fairly different, as they are doing different things. The scripts inside the container aren't starting containers, for a start...

The contents of the "container(s)" that I'm using are identical to the host. They actually /are/ the host. I'm not using mount namespaces. So the "container" ~> network namespace sees the exact same files as the host. The only reason that I (sometimes) use the UTS namespace is so that uname (et al) return a different name when run inside the NetNS.

> OpenRC/Netifrc are run by sysvinit in Gentoo, as I mention later on. These two are not mutually exclusive.

Okay.

> Not sure how much of it would be re-use. The scripts inside/outside the container would likely have different roles.

I would think that I could (re)start / stop BIRD inside the NetNS the exact same way I do on the host. I would expect that I could use the same "rc-service bird …" command inside and outside.

> Honestly, I wouldn't go sticking container init.d scripts inside the host init.d. I mean, I guess you could, but again, separation of concerns and all that. You're going to have to use a separate /etc/runlevels, so why not just a whole separate /etc?

Why do I need to use a separate /etc/runlevels? Why can't I have a single /etc/runlevels/myContainer that is never used outside of the container and only used inside the container? Remember that the host and container share the same file system.

--
Grant. . . .
unix || die
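As an added example (not code from the thread), the start/stop pair above carried through into a complete OpenRC service with the checks a practitioner would add: the namespace name is taken from the service name so one file can be symlinked per namespace, start and stop are idempotent, `lo` is brought up inside the namespace (a new netns has it down), a failed veth creation rolls the namespace back, and processes still inside are dealt with before deletion, since `ip netns del` only unlinks the name and the namespace, veth pair included, lives on until its last process exits. It assumes iproute2 and the thread's names and addresses; `HOST_IF`, `NS_IF`, `HOST_ADDR` and `NS_ADDR` are this example's own knobs, meant to be overridden from `/etc/conf.d/netns.myContainer`. Installed under `/etc/init.d/` the first line would be `#!/sbin/openrc-run`; it is `#!/bin/sh` here so the file can be sourced and exercised outside OpenRC.

```shell
#!/bin/sh
# Added example, not from the thread: an OpenRC service owning one network
# namespace and its veth link to the host. Install as
# /etc/init.d/netns.myContainer (with a #!/sbin/openrc-run shebang); the
# suffix of RC_SVCNAME becomes the namespace name.

NS="${RC_SVCNAME#netns.}"
NS="${NS:-myContainer}"                 # fallback when sourced by hand
HOST_IF="${HOST_IF:-$NS}"               # host-side veth end (thread's naming)
NS_IF="${NS_IF:-myHost}"                # namespace-side veth end
HOST_ADDR="${HOST_ADDR:-192.0.2.1/24}"  # documentation prefix, as in the thread
NS_ADDR="${NS_ADDR:-192.0.2.2/24}"

description="network namespace $NS with a veth link to the host"
extra_started_commands="show"

depend() {
    need localmount
    after net
}

# "ip netns list" prints e.g. "myContainer (id: 0)"; match the name exactly.
ns_exists() {
    ip netns list 2>/dev/null | awk '{ print $1 }' | grep -qx -- "$NS"
}

start() {
    ns_exists && return 0
    ip netns add "$NS" || return 1
    # Create the peer end directly inside the namespace so the host never
    # sees a transient, unconfigured interface; undo the namespace on failure.
    if ! ip link add "$HOST_IF" type veth peer name "$NS_IF" netns "$NS"; then
        ip netns del "$NS"
        return 1
    fi
    ip link set "$HOST_IF" up &&
    ip addr add "$HOST_ADDR" dev "$HOST_IF" &&
    ip netns exec "$NS" ip link set lo up &&
    ip netns exec "$NS" ip link set "$NS_IF" up &&
    ip netns exec "$NS" ip addr add "$NS_ADDR" dev "$NS_IF"
}

stop() {
    ns_exists || return 0
    # Deleting the name does not kill anything; a process left inside keeps
    # the namespace (and the veth pair) alive with the host end still up.
    for pid in $(ip netns pids "$NS" 2>/dev/null); do
        kill "$pid" 2>/dev/null
    done
    ip netns del "$NS"
}

# rc-service netns.myContainer show
show() {
    ns_exists && ip netns exec "$NS" ip -brief addr
}
```

One caveat the thread's own observation implies: without a mount namespace, anything run through `ip netns exec` sees the host's entire filesystem, so this isolates network identity, not data. A daemon started inside should therefore still drop to an unprivileged user (`ip netns exec "$NS" su -s /bin/sh - bird -c ...` or the daemon's own `-u` flag), and the `kill` in `stop` is a blunt instrument; a service that owns a process should be stopped by its own service script first.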
Re: [gentoo-user] VRFs / Jails / Containers
On 2/4/19 5:10 PM, Grant Taylor wrote:
> Consider the following commands to start the "container":
>
> ip netns add myContainer
> ip link add myContainer type veth peer name myHost netns myContainer
> ip link set myContainer up
> ip addr add 192.0.2.1/24 dev myContainer
> ip netns exec myContainer ip link set myHost up
> ip netns exec myContainer ip addr add 192.0.2.2/24 dev myHost
>
> Consider the following command to stop the "container":
>
> ip netns del myContainer

This is the other method that I'm starting containers.

unshare --mount=/run/mountns/$container --net=/run/netns/$container --uts=/run/utsns/$container /bin/true

nsenter --mount=/run/mountns/$container --net=/run/netns/$container --uts=/run/utsns/$container /bin/hostname $container

I can use nsenter to execute similar ip link & addr commands to bring the links up.

--
Grant. . . .
unix || die
Re: [gentoo-user] Coming up with a password that is very strong.
On 2/4/2019, 12:47:35 AM, Dale wrote:
> Thing is, with today's computing power, it really isn't anymore. While no one could just guess it, it could be cracked/hacked I'm sure. I need to come up with a new one that meets the requirements I just mentioned. Strong, easy to remember, easy to type but won't forget. I've read that using maiden names, years of birth or whole dates of birth, actual names, pet's name, words in a dictionary and a whole list of other things makes it easier, especially if you post a lot on social media, for hackers to use against you. I'm trying to avoid that sort of thing obviously and have a couple ideas but am curious as to what method others use, without exposing too much detail since this is public.

I've been using a little Firefox Addon called Passwordmaker for many, many years, and despite all of its warts, I've been loath to give it up, even though it will never be upgraded to work as a WebExtension.

2 things I loved about it -

a) it doesn't save the password locally, only info about the site/account, and
b) you can use an unlimited number of Master Passwords

I'm looking at migrating to KeePassXC, and even though I really hate the idea of saving the actual password - Passwordmaker simply generates the password on the fly each time based on certain specified criteria (ie, the site URL, username, password length, etc for each account - one technique I adopted shortly after assisting in updating the Passwordmaker website eases my mind about it...

This is a simple technique I strongly recommend that everyone employ, especially if you use a Password manager (like LastPass or KeePass)...

It is uncrackable (well, as long as it isn't the CIA or NSA that wants to crack it and they are willing to kidnap/torture you to do so).

You sit down and come up with a ... call it a 'password modification protocol' ... whereby, you always modify your generated/stored password in a specific way before pressing enter.

For example, you delete characters 3, 5 and 7, then add 2 characters to the beginning and 2 to the end.

It is very simple, and negates worrying about someone stealing your password vault.
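As an added example (not code from the thread, and not Passwordmaker's own algorithm), one way a stateless "derive, don't store" manager of the kind described above works, followed by the post's modification step. Each site password is recomputed from the master password plus the account identity, so there is no vault to steal; the flip side is that the master is now the only secret, every site password follows from it, and a single leaked site password becomes an offline guessing target for the master. A real implementation would therefore use a slow KDF (PBKDF2, scrypt or argon2) where a single SHA-256 is used here to keep the example short, and the master is passed on stdin rather than as an `-hmac` argument so it never shows up in `ps`. The `site|user|counter` layout, the counter (bump it to rotate one site without touching the master), the URL-safe base64 alphabet and the test values are this example's own; openssl is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal stateless password derivation
# plus the post's "modification protocol" applied on top.

# derive_site_password MASTER SITE USER COUNTER LENGTH
#   Hash of (master, site, user, counter), newline-separated so no field can
#   run into the next, encoded as URL-safe base64 and cut to LENGTH.
#   32 hash bytes give 43 padding-free characters; LENGTH should stay <= 43.
#   Single SHA-256 is a placeholder for a slow KDF (see lead-in).
derive_site_password() {
    master=$1 site=$2 user=$3 counter=$4 length=$5
    printf '%s\n%s\n%s\n%s\n' "$master" "$site" "$user" "$counter" \
        | openssl dgst -sha256 -binary \
        | openssl base64 -A \
        | tr '+/' '-_' \
        | cut -c1-"$length"
}

# apply_protocol PASSWORD PREFIX SUFFIX
#   The post's example protocol: drop characters 3, 5 and 7, then add two
#   fixed characters at the front and two at the end before submitting.
apply_protocol() {
    core=$(printf '%s' "$1" | cut -c1-2,4,6,8-)
    printf '%s%s%s\n' "$2" "$core" "$3"
}

# Worked run with constructed inputs (not real credentials):
# pw=$(derive_site_password 'correct horse battery' example.com dale 1 20)
# apply_protocol "$pw" Xy 9!
```

Two practical notes. First, the protocol's secret is small (a few positions and four characters), so its value rests entirely on it never being observed; the keylogger and browser-memory readers discussed earlier in the thread see the final string, not the vault, so against that attacker it adds nothing. Second, derivation has no memory of per-site rules: a site that bans `-` or `_`, or caps length at 16, needs that fact recorded somewhere, which is exactly the "info about the site/account" the post says Passwordmaker keeps.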
Re: [gentoo-user] Re: Coming up with a password that is very strong.
Neil Bothwick wrote:
> On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote:
>>> One reason I use LastPass, it is mobile. I can go to someone else's computer, use LastPass to say make use of Paypal, Newegg, Ebay etc, logoff and it is like I was never there.
>>
>> As much as I like Lastpass I would never do that. It isn't magic - it is javascript. If there is a compromise on your computer, then your password database will be compromised. This is true of other solutions like KeePassX and so on - if something roots your box then it will be compromised.
>
> I don't see what root has to do with it. If someone gains access to your box, they can copy the database file and then take their time trying to crack the password, but you don't need to be root to do that.

I might point out, LastPass encrypts the password before sticking it in a file. It isn't visible or plain text. Even getting the file would still require some tools and cracking to get the password itself. Cracking the master password would likely be much easier and doesn't even require access to the box itself, Linux or windoze. Also, LastPass only stores the encrypted password on its servers. Even if LastPass is hacked, the passwords are still encrypted. It's one reason LastPass shouldn't have to worry about getting court orders to turn over passwords. It doesn't really have them. I would suspect that cracking an encrypted password is as difficult as is just poking at a password until it is guessed.

Even if a person is using a perfect tool, cracking a password is always going to be possible. The tougher the password, the harder it will be and the longer it will take. Still, it can be done. Using these tools just makes it harder. I'm not aware of a perfect password tool. I doubt one exists or ever will either. ;-) It's still good to pick one, use it and try to be as secure as one can.

Dale

:-) :-)
Re: [gentoo-user] VRFs / Jails / Containers
So, I think we're miscommunicating a bit here...

On Mon, Feb 4, 2019 at 4:10 PM Grant Taylor wrote:
>
> On 02/04/2019 11:55 AM, Rich Freeman wrote:
>> IMO I would separate your container logic from your service manager logic.
>
> I'm not exactly sure what you mean by "container logic" vs "service manager logic" and how they differ. I'm assuming that the former creates / destroys the container and that the latter manages (re)starting/stopping services wherever they are at.

I'm saying that an init.d script shouldn't try to do anything other than initialize a service, which should be implemented outside the init.d script.

So, if you have a shell script that launches a container, then you should call it from the init.d script. You shouldn't merge them into a single init.d script that has 30 lines of container setup logic or whatever.

> I'd like to see a way that I can have standard service init scripts and use them wherever I want them, either inside a container or outside on the host.

Of course. That shell script that launches a container could very well just launch sysvinit which runs openrc which runs another set of init.d scripts INSIDE the container to initialize it.

> I'm wanting to avoid having an init script that creates the container and starts services therein. I'd rather start the container and then start the services therein using the same type of init scripts, just called within different contexts.

Yup - though I would think the scripts inside the container would be fairly different, as they are doing different things. The scripts inside the container aren't starting containers, for a start...

>> As a result, I'd suggest considering using sysvinit inside your containers to do the work.
>
> That is a possibility. But I feel like that's tantamount to saying "Gentoo doesn't have an answer for what you're wanting to do, so just use Sys V init scripts." I don't like it.
>
> I like the idea of re-using standard OpenRC / NetifRC scripts inside the containers too. Especially if the services don't conflict anywhere. To me, this re-uses the existing Gentoo methodology in different contexts.

OpenRC/Netifrc are run by sysvinit in Gentoo, as I mention later on. These two are not mutually exclusive.

> The more that I think about it, largely in response to emails in this thread, I believe that I want the same overall thing to create the network between the default / main / unnamed NetNS and the container, as well as likely re-using the OpenRC / NetifRC scripts to configure things inside the container.

Not sure how much of it would be re-use. The scripts inside/outside the container would likely have different roles.

> I think, and would be curious to have someone confirm or refute, that I could add configuration information to /etc/conf.d/net for the xyz123 interface inside the container and use an /etc/init.d/net.xyz123 init script sym-linked to /etc/init.d/net.lo script.
>
> My host would not have net.xyz123 in any runlevel. Certainly not boot or default.

Honestly, I wouldn't go sticking container init.d scripts inside the host init.d. I mean, I guess you could, but again, separation of concerns and all that. You're going to have to use a separate /etc/runlevels, so why not just a whole separate /etc?

--
Rich
Re: [gentoo-user] Re: Coming up with a password that is very strong.
Rich Freeman wrote:
> On Mon, Feb 4, 2019 at 3:09 PM Dale wrote:
>> I'm not sure if one can convert that to NSA time or not. o_O The password contains upper/lower case letters, couple symbols from up top of the number keys and several numbers. None of which anyone would be able to guess in any way. They have nothing to do with that list of things not to use, birthdays etc. If a person was trying to just guess it, even a best friend who knows me extremely well, they would not be able to guess it much less the order of it. The only bad thing, it isn't too easy to type. Of course, a really good password usually isn't so . . .
>
> And do you use that password on only a single site?
>
> If you use it on more than one, then as soon as one of those sites is compromised it will sniff your password and then your password can be used on all the others without any cpu cycles wasted on brute-forcing it at all.
>
> That is the weakness of random passwords. Unless you use some kind of password manager you won't actually use a unique password on each site due to difficulty with memorization...

Right now, I'm coming up with a master password for LastPass and maybe a new set of keys. I may use something different for my keys to your point. My encryption thingy broke on Seamonkey, the keys are broken somehow. I googled, tried some stuff but can't figure out how to fix them so I revoked the things and am going to start fresh. Heck, only one person ever uses them anyway. lol

Once I get logged into LastPass, I generate unique passwords with it for each site. Depending on the site, I try to generate as long and use as many characters as the site will allow. If it allows the symbols on top of the number keys, I enable them. If it doesn't, I cut that off. If it allows 20 characters, I set it to generate 20. It's not like I have to remember it or even type it in either. I may as well be as secure and random as possible.

The master password is the current project tho. Way back, I used to have three passwords. One fairly secure one for financial type sites, one somewhat decent one for stuff like social sites and one I could care less about. None of them would be easy to guess but the complexity changed. Nowadays, I wouldn't even dream of doing like that. Far too many script kiddies out there trying to steal stuff. That doesn't even mention the pros and what they do. You are right tho, reusing passwords is a really bad idea. It makes it dead simple to hack everything else.

Dale :-) :-)
Re: [gentoo-user] VRFs / Jails / Containers
On 02/04/2019 11:55 AM, Rich Freeman wrote:
> IMO I would separate your container logic from your service manager logic.

I'm not exactly sure what you mean by "container logic" vs "service manager logic" and how they differ. I'm assuming that the former creates / destroys the container and that the latter manages (re)starting/stopping services wherever they are at.

> If you have a script that launches a container, then all you need is a generic init.d script that runs it.

I guess that's one way to do it. But that doesn't seem very Gentoo to me. I'd like to see a way that I can have standard service init scripts and use them wherever I want them, either inside a container or outside on the host. As long as I don't want to run the same service in multiple places, I don't see a problem with doing that. Multiple instances start to get more tricky, but it is still possible, and should be location agnostic.

> I launch nspawn containers from systemd units all the time. The only logic in the units is running the command line to start nspawn. IMO if you start mixing the two it will just make it harder to maintain. Sure, an init.d script CAN do anything, but that doesn't mean that you should do it this way.

I'm wanting to avoid having an init script that creates the container and starts services therein. I'd rather start the container and then start the services therein using the same type of init scripts, just called within different contexts.

> Without creating a separate reply I wanted to react to your other email detailing your config. It strikes me that you might not even need containers to set up all those interfaces and the routing between them. However, the container probably still makes sense so that random processes trying to listen on 0.0.0.0 on the host don't end up attaching to all those virtual interfaces.

Yes, I could have all the interfaces on the host. But I'm doing a number of different things and don't want to spoil the host.

The nice containers that I mentioned are long standing containers. I routinely stand up 10 ~ 100 more for various tests. I'm also using network namespaces as an isolation so that I can easily do various things with networking without the added complexity of isolating things from each other via command line or policy based routing. Each network namespace can easily have its view of 0.0.0.0 (as a good example) and its own routing table. I don't need to bother with PBR / ip rules / iptables complexities. Each NetNS just knows about its local interfaces.

> Really all you need is some initialization inside each container and then the kernel is doing all the work. You don't really need any userspace process running in the container except for the fact that kernel namespaces are attached to processes.

I mostly agree. I am running BIRD inside the container, but that's more of a would be nice to have and I can work around not having it. There are also the occasional commands that I want to run to do troubleshooting (ping, traceroute, etc) as well as dynamically modifying the containers which is usually done via "nsenter …" or "ip netns exec $NetNSname …" commands.

> As a result, I'd suggest considering using sysvinit inside your containers to do the work.

That is a possibility. But I feel like that's tantamount to saying "Gentoo doesn't have an answer for what you're wanting to do, so just use Sys V init scripts." I don't like it.

I like the idea of re-using standard OpenRC / NetifRC scripts inside the containers too. Especially if the services don't conflict anywhere. To me, this re-uses the existing Gentoo methodology in different contexts.

> You might run openrc/netifrc to do the network setup inside each container, or just have sysvinit run a shell script that initializes and then terminates, leaving init running childless indefinitely (I assume it supports this).
>
> If you want a process to noop indefinitely at minimal cost that is basically the definition of what sysvinit does...

The more that I think about it, largely in response to emails in this thread, I believe that I want the same overall thing to create the network between the default / main / unnamed NetNS and the container, as well as likely re-using the OpenRC / NetifRC scripts to configure things inside the container.

I think, and would be curious to have someone confirm or refute, that I could add configuration information to /etc/conf.d/net for the xyz123 interface inside the container and use an /etc/init.d/net.xyz123 init script sym-linked to /etc/init.d/net.lo script.

My host would not have net.xyz123 in any runlevel. Certainly not boot or default.

I think that would mean that I could run rc-service net.xyz123 start inside the container and re-use existing Gentoo methodology.

Now I wonder if I could use custom runlevels for each container and rely on standard init system. }:-) But that's a different
Re: [gentoo-user] Re: Coming up with a password that is very strong.
On Mon, 4 Feb 2019 15:59:02 -0500, Rich Freeman wrote: > > One reason I use LastPass, it is mobile. I can go to someone else's > > computer, use LastPass to say make use of Paypal, Newegg, Ebay etc, > > logoff and it is like I was never there. > > As much as I like Lastpass I would never do that. It isn't magic - it > is javascript. If there is a compromise on your computer, then your > password database will be compromised. This is true of other > solutions like KeePassX and so on - if something roots your box then > it will be compromised. I don't see what root has to do with it. If someone gains access to your box, they can copy the database file and then take their time trying to crack the password, but you don't need to be root to do that. -- Neil Bothwick ... "I'm simply not a nice girl", she whispered tartly. pgp1mQVWkPX2n.pgp Description: OpenPGP digital signature
Re: [gentoo-user] Re: Coming up with a password that is very strong.
On Mon, Feb 4, 2019 at 3:49 PM Dale wrote: > > One reason I use LastPass, it is mobile. I can go to someone else's > computer, use LastPass to say make use of Paypal, Newegg, Ebay etc, > logoff and it is like I was never there. As much as I like Lastpass I would never do that. It isn't magic - it is javascript. If there is a compromise on your computer, then your password database will be compromised. This is true of other solutions like KeePassX and so on - if something roots your box then it will be compromised. If you were talking about something like a Chromebook that is still locked down and you're using guest mode or logging in under a separate user account from anybody else, then you're probably fairly safe against that. However, if you're just looking into a generic windows box or a shared linux account then there isn't going to be much protection if something has compromised the system. At that point you're vulnerable to all kinds of attacks, from theft of the password manager database, to just skimming the accounts you're using. This won't stop sniffing of individual passwords, but you could at least protect your overall database by looking up the password on a secure device (your phone or whatever) and rekeying it on the untrusted device. Then while that password is still vulnerable your password database never touches that box. -- Rich
Re: [gentoo-user] Re: Coming up with a password that is very strong.
On Mon, 04 Feb 2019 14:38:38 -0500, Jack wrote:
> The problem I have with many of these suggestions is that I have multiple devices (two desktops, two laptops, tablet, android phone) I use sufficiently often that I either need to be able to remember the passwords or have some way of easily accessing them when I'm not sitting at my main desktop. Other than using a password manager (which I do not currently have) how do others deal with this?

If you don't want to use an online password manager like LastPass, you could use a local solution. I use KeePassX, which is available for Linux and Android (and some minority OSes). It stores the passwords in an encrypted database file, protected by a master password. As it's a single file it is easy enough to keep this synchronised between devices. I initially did this with DropBox but soon switched to Syncthing. It's just another file to keep synchronised between devices, so use whatever method you already use for that purpose.

-- Neil Bothwick
You are about to give someone a piece of your mind, something you can ill afford...

pgp1GLfKnCDax.pgp Description: OpenPGP digital signature
Re: [gentoo-user] VRFs / Jails / Containers
On 02/03/2019 11:23 AM, Michael Orlitzky wrote:
> Ultimately netifrc is just a shell script that parses another shell script to construct a third shell script. I don't think doing it with only two shell scripts is that much less elegant =)

The elegance, or lack thereof, is not in the number of shell scripts. Rather the fact that tc (QoS) parameters are stuffed into a command line versus having things split out and parsed is what I dislike. Take VLANs for example, there is a netifrc parameter for specifying the VLAN IDs that belong on an interface. Netifrc will then construct the commands. People don't need to know how to construct the commands themselves to utilize VLANs. tc (QoS) is not anywhere nearly as nice. Bridging and bonding is similarly more graceful than tc (QoS).

> You could go all the way and write your own OpenRC service as /etc/init.d/whatever.

That's sort of where I'm gravitating at the moment. Something I can (re)start/stop via standard init commands.

> You can make it depend on the network being up, and then just write everything that you want it to do into the start function with the corresponding "undo" steps in the stop function.

Maybe it will need to depend on the lowest level of networking. Maybe. Seeing as how it would provide networking between the host and the namespaces (containers), I think it would functionally be parallel to the networking services. I think namespaces could be up even if the main network was not.

> If the series of commands is long and complicated and if you sometimes want to do/undo this subset of the configuration independently, then that's how I'd do it.

The number of commands is really dependent on what I'm doing at a higher level. I can see having relatively similar commands for different namespaces broken out into separate files such that it's easy to (re)start/stop individual namespaces. I might see if there's a way to re-use the same file much like net. is a sym-link to net.lo.

-- Grant. . . . unix || die
Re: [gentoo-user] Re: Coming up with a password that is very strong.
Nikos Chantziaras wrote: > On 04/02/2019 07:47, Dale wrote: >> How do you, especially those who admin systems that are always being >> hacked at, generate strong passwords that meet the above? I've googled >> and found some ideas but if I use the same method, well, how many others >> are using that same method, if you know what I mean. ;-) Just looking >> for ideas. > > I don't use a password manager. For website logins, I just use the > password manager in the browser (Firefox), which does not use a master > password :-P I just assume my own system is not going to be compromised. > > For the websites I use, I generate a unique password per site using > this command: > > $ pwmake 128 > > This generates a password using 128 bits of entropy from /dev/urandom. > You need dev-libs/libpwquality being installed (it's a dep of > something important, I think, so should be installed on most systems > already.) > > For remote systems I administer through SSH, I don't use passwords. I > use a public/private key pair to log in (4096 bits.) My private key is > protected with a strong password though, but it's easy to remember > since it doesn't need to change. Something like: > > ilp@4*r > > Which is short for: > > I like pizza and macaroni for dinner at four star restaurants. > > > One reason I use LastPass, it is mobile. I can go to someone else's computer, use LastPass to say make use of Paypal, Newegg, Ebay etc, logoff and it is like I was never there. Also, if my computer were to die a sudden death, power supply goes bonkers and burns everything in it up including hard drives, my passwords are still safe but available. When I get a new rig built, I can install LastPass, put in my email and password then go on like nothing ever happened. I can also use a neighbors computer to order the parts for a new rig as well. I just use LastPass on their computer. I could do that even if my backups were out of date as well. 
I also like that it generates passwords that are dang near impossible to crack. It also doesn't have to be anything I can remember either. This is a few examples of what it generates. *k0Dx^RiNPHOocIg 5wfy^HHgwZ3 NnWM9DwCrVYyVryS3Aa9 Now I admit, I sometimes see one that pops up that I don't like the looks of and I click for a new one. Just like the last one in the list. It has two of the same letter at the beginning. One upper and one lower but still the same. I'd skip that one. Still, good luck guessing it easily. Cracking it is always possible but it makes it difficult. Also, I sometimes have to leave off the other characters since some websites don't allow those. My bank for example doesn't allow a couple of them. I think "*" and "$" is a no go. It does reject it when you try to enter it tho. If I were to ever get me a smart phone, LastPass works on those too. I still like my Razr tho. It makes phone calls and allows me to text. It does what I need. It also takes the place of a watch as well. ;-) I get why some may just use Firefox or other browsers password tool but thing is, if you don't have a backup of it and something happens, you could be working a while to get those passwords going again. If I recall correctly, I have to go to the bank, present ID and such to do a complete reset of my bank password. I know it was that way several years ago because I had to do it once. Those keys do work for things that support it. I don't think any site I use has that ability tho. If it does, I don't know about it. Maybe one day tho. Dale :-) :-)
Re: [gentoo-user] Re: Coming up with a password that is very strong.
On Mon, Feb 4, 2019 at 3:09 PM Dale wrote:
>
> I'm not sure if one can convert that to NSA time or not. o_O The password contains upper/lower case letters, couple symbols from up top of the number keys and several numbers. None of which anyone would be able to guess in any way. They have nothing to do with that list of things not to use, birthdays etc. If a person was trying to just guess it, even a best friend who knows me extremely well, they would not be able to guess it much less the order of it. The only bad thing, it isn't too easy to type. Of course, a really good password usually isn't so . . .

And do you use that password on only a single site?

If you use it on more than one, then as soon as one of those sites is compromised it will sniff your password and then your password can be used on all the others without any cpu cycles wasted on brute-forcing it at all.

That is the weakness of random passwords. Unless you use some kind of password manager you won't actually use a unique password on each site due to difficulty with memorization...

-- Rich
[gentoo-user] Re: Coming up with a password that is very strong.
Dale wrote:
> Howdy,
>
> <<< SNIP >>>
>
> How do you, especially those who admin systems that are always being hacked at, generate strong passwords that meet the above? I've googled and found some ideas but if I use the same method, well, how many others are using that same method, if you know what I mean. ;-) Just looking for ideas.
>
> Thanks much.
>
> Dale
>
> :-) :-)
>
> P. S. I haven't had time to deal with the video thing in previous thread. It's on my todo list still. :-(

I read the replies and got some ideas. I don't have any favorite songs or sayings so that wouldn't work with me. I'm weird, as some know but might not say it. ROFL I did come up with some things tho based on replies. I then googled for some password checker sites, found three or so, and checked to see what they think about my password. Here are some results:

It would take a computer about 34 thousand years to crack your password

Medium size botnet
About 143 billion years
or
Standard Desktop PC
About 143 quadrillion years

Time to crack your password: 17 centuries
or
Review: Fantastic, using that password makes you as secure as Fort Knox.

I'm not sure if one can convert that to NSA time or not. o_O The password contains upper/lower case letters, couple symbols from up top of the number keys and several numbers. None of which anyone would be able to guess in any way. They have nothing to do with that list of things not to use, birthdays etc. If a person was trying to just guess it, even a best friend who knows me extremely well, they would not be able to guess it much less the order of it. The only bad thing, it isn't too easy to type. Of course, a really good password usually isn't so . . .

I'm going to practice typing that thing in a bit to see if I get the hang of it. Maybe it will grow on me or I can come up with a change that makes it easier to type. Thanks to all for the suggestions. It did help. Some were sort of funny but they would make a good password easy to remember.

Dale :-) :-)
Re: [gentoo-user] Re: Coming up with a password that is very strong.
On 2019.02.04 06:10, Nikos Chantziaras wrote:
> On 04/02/2019 07:47, Dale wrote:
>> How do you, especially those who admin systems that are always being hacked at, generate strong passwords that meet the above? I've googled and found some ideas but if I use the same method, well, how many others are using that same method, if you know what I mean. ;-) Just looking for ideas.
>
> I don't use a password manager. For website logins, I just use the password manager in the browser (Firefox), which does not use a master password :-P I just assume my own system is not going to be compromised.
>
> For the websites I use, I generate a unique password per site using this command:
>
> $ pwmake 128
>
> This generates a password using 128 bits of entropy from /dev/urandom. You need dev-libs/libpwquality being installed (it's a dep of something important, I think, so should be installed on most systems already.)
>
> For remote systems I administer through SSH, I don't use passwords. I use a public/private key pair to log in (4096 bits.) My private key is protected with a strong password though, but it's easy to remember since it doesn't need to change. Something like:
>
> ilp@4*r
>
> Which is short for:
>
> I like pizza and macaroni for dinner at four star restaurants.

The problem I have with many of these suggestions is that I have multiple devices (two desktops, two laptops, tablet, android phone) I use sufficiently often that I either need to be able to remember the passwords or have some way of easily accessing them when I'm not sitting at my main desktop. Other than using a password manager (which I do not currently have) how do others deal with this?

Jack
Re: [gentoo-user] VRFs / Jails / Containers
On Mon, Feb 4, 2019 at 1:44 PM Grant Taylor wrote: > > I'm starting to wonder if I'm going to be better off writing new scripts > that will match existing init scripts and their methodology to > (re)start/stop namespaces / containers / jails. Perhaps firejail will > give me what I want or provide insight. > IMO I would separate your container logic from your service manager logic. If you have a script that launches a container, then all you need is a generic init.d script that runs it. I launch nspawn containers from systemd units all the time. The only logic in the units is running the command line to start nspawn. IMO if you start mixing the two it will just make it harder to maintain. Sure, an init.d script CAN do anything, but that doesn't mean that you should do it this way. Without creating a separate reply I wanted to react to your other email detailing your config. It strikes me that you might not even need containers to set up all those interfaces and the routing between them. However, the container probably still makes sense so that random processes trying to listen on 0.0.0.0 on the host don't end up attaching to all those virtual interfaces. Really all you need is some initialization inside each container and then the kernel is doing all the work. You don't really need any userspace process running in the container except for the fact that kernel namespaces are attached to processes. As a result, I'd suggest considering using sysvinit inside your containers to do the work. You might run openrc/netifrc to do the network setup inside each container, or just have sysvinit run a shell script that initializes and then terminates, leaving init running childless indefinitely (I assume it supports this). If you want a process to noop indefinitely at minimal cost that is basically the definition of what sysvinit does... -- Rich
Re: [gentoo-user] Coming up with a password that is very strong.
On Sun, 3 Feb 2019 23:47:35 -0600 Dale wrote: > Howdy, > [...snip...] > > How do you, especially those who admin systems that are always being > hacked at, generate strong passwords that meet the above? I've > googled and found some ideas but if I use the same method, well, how > many others are using that same method, if you know what I > mean. ;-) Just looking for ideas. Search for diceware. Memorizing 7-10 word passwords is possible and fairly strong. Lee
Re: [gentoo-user] VRFs / Jails / Containers
On 02/04/2019 09:23 AM, Laurence Perkins wrote:
> Have you tried firejail? It gives you convenient ways to set up the container parameters consistently and is in the repo.

No, I have not. Thank you for the pointer.

> Its invocation is also simple enough to not clutter up your startup scripts.

I don't think I mind adding things to start up scripts. I'm more looking for the most Gentoo way to do what I'm wanting to do without relying on something on top of Gentoo. So if that involves adding things to start up scripts, I'm cool with it. I just don't want to add an entire subsystem, like Docker (et al), if I don't actually have to.

I'm starting to wonder if I'm going to be better off writing new scripts that will match existing init scripts and their methodology to (re)start/stop namespaces / containers / jails. Perhaps firejail will give me what I want or provide insight.

-- Grant. . . . unix || die
Re: [gentoo-user] Coming up with a password that is very strong.
On Sun, 2019-02-03 at 23:47 -0600, Dale wrote: > > > How do you, especially those who admin systems that are always being > hacked at, generate strong passwords that meet the above? I've > googled > and found some ideas but if I use the same method, well, how many > others > are using that same method, if you know what I mean. ;-) Just > looking > for ideas. > > Thanks much. > > Dale > > :-) :-) > > P. S. I haven't had time to deal with the video thing in previous > thread. It's on my todo list still. :-( > Take 80 to 100 characters of something you already have memorized. Poetry, bible verses, RFCs, pages of the phone book, digits of pi out of the middle, whatever. Run it through a transposition, substitution, or combination cipher that you can calculate in your head on-the-fly. (Do avoid the substitutions that everyone uses since those will be tried first.) Now you only need to remember a pointer to the memorized section, the length, and the cipher specification. There are enough possible combinations that an attacker won't be able to make a meaningful reduction in entropy by examining your social media. As an example: The second paragraph of Hamlet's soliloquy and invert the case based on whether the corresponding digit of e is odd or even. LMP
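The transform LMP describes above (memorized text, case inverted wherever the matching digit of e is odd), written out as a small Python script. This is an added example, not LMP's code. It assumes the digits after e's decimal point are the key, that an odd digit flips and an even digit leaves the case alone, that every character including spaces and punctuation consumes one digit so positions stay aligned, and it uses the opening line of the soliloquy as a constructed sample rather than the paragraph LMP has in mind. What the script cannot show is how much entropy the attacker has to search: that rests entirely on the pointer, the length and the cipher spec staying secret, which is LMP's argument, not something the code measures.

```python
"""Case inversion keyed by the digits of e, as a password-from-memory transform."""

# First 100 digits of e after the decimal point (checked against a reference value).
E_DIGITS = ("7182818284590452353602874713526624977572470936999595749669676277"
            "240766303535475945713821785251664274")


def case_flip(text, digits=E_DIGITS, flip_on_odd=True):
    """Swap the case of text[i] when digits[i] is odd (or even, if flip_on_odd is False).

    Non-letters pass through unchanged but still consume a digit, so the key
    stays aligned with the text.  Applying the function twice restores the input.
    """
    if len(text) > len(digits):
        raise ValueError(f"only {len(digits)} key digits available for {len(text)} characters")
    out = []
    for ch, d in zip(text, digits):
        is_odd = int(d) % 2 == 1
        out.append(ch.swapcase() if ch.isalpha() and is_odd == flip_on_odd else ch)
    return "".join(out)


def password_from_memory(text, start, length, **kw):
    """LMP's 'pointer + length + cipher spec': slice the memorized text, then transform.

    `start` and `length` are the pointer and length the user remembers; the
    keyword arguments select the cipher variant.
    """
    return case_flip(text[start:start + length], **kw)


# Constructed sample (public domain); LMP refers to a different paragraph.
SAMPLE = "To be, or not to be, that is the question"

if __name__ == "__main__":
    print(case_flip(SAMPLE))
    print(password_from_memory(SAMPLE, 7, 20))
```

Because the transform is its own inverse, you can check any candidate by flipping it back and comparing with the memorized text; the cost of getting a digit wrong is a different password, not a corrupted one.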
Re: [gentoo-user] VRFs / Jails / Containers
On Sat, 2019-02-02 at 19:32 -0700, Grant Taylor wrote: > Does Gentoo have any support for VRFs or (chroot) Jails or > Containers > without going down the Docker (et al) path? > > I'm wanting to do some things with a Gentoo router that is trivial to > do > with network namespaces via manual commands ~> scripts. But that's > far > from standard Gentoo init script based system. And I'd like > something > more Gentoo standards based. > > Does Gentoo have or support anything like this natively? Or am I > getting into territory where I'm rolling my own? > Have you tried firejail? It gives you convenient ways to set up the container parameters consistently and is in the repo. Its invocation is also simple enough to not clutter up your startup scripts. LMP
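The namespace plumbing this thread keeps circling around ("trivial to do with network namespaces via manual commands ~> scripts", the "ip netns exec ..." commands, and Michael's suggestion of a start function with matching "undo" steps in stop), as a small Python helper that an init.d script can call with `up` or `down`. That keeps Rich's separation between container logic and service-manager logic: the init script holds no container setup at all. This is an added example, not Gentoo's, netifrc's or any poster's code. The `xyz123` interface name follows the net.xyz123 interface Grant mentions; `veth-xyz123` for the host end and the 10.99.0.0/30 link addresses are assumptions. It needs root and iproute2 (the `ip -n NS` form) to do anything real; `--dry-run` only prints the commands.

```python
"""Bring a network namespace up or down, wired to the host over a veth pair."""
import subprocess
import sys


def plan_up(ns, host_if, ns_if, host_addr, ns_addr):
    """The `ip` commands, in order, that create the namespace and connect it to the host.

    A daemon inside the namespace that binds 0.0.0.0 only sees lo and ns_if,
    which is the isolation from the host's other interfaces the thread is after.
    """
    gateway = host_addr.split("/")[0]
    return [
        ["ip", "netns", "add", ns],
        ["ip", "link", "add", host_if, "type", "veth", "peer", "name", ns_if],
        ["ip", "link", "set", ns_if, "netns", ns],
        ["ip", "addr", "add", host_addr, "dev", host_if],
        ["ip", "link", "set", host_if, "up"],
        # `ip -n NS ...` runs the command inside the namespace, like `ip netns exec NS ip ...`.
        ["ip", "-n", ns, "addr", "add", ns_addr, "dev", ns_if],
        ["ip", "-n", ns, "link", "set", "lo", "up"],
        ["ip", "-n", ns, "link", "set", ns_if, "up"],
        ["ip", "-n", ns, "route", "add", "default", "via", gateway],
    ]


def plan_down(ns):
    """Deleting the namespace destroys its veth end; the kernel removes the host peer with it."""
    return [["ip", "netns", "delete", ns]]


def run(plan, dry_run=False):
    """Execute each command in order, stopping at the first failure (like `set -e`).

    Returns the number of commands executed so callers can report progress.
    """
    for cmd in plan:
        if dry_run:
            print(" ".join(cmd))
        else:
            subprocess.run(cmd, check=True)
    return len(plan)


# Assumed names and addresses for this example.
CONFIG = dict(ns="xyz123", host_if="veth-xyz123", ns_if="xyz123",
              host_addr="10.99.0.1/30", ns_addr="10.99.0.2/30")

if __name__ == "__main__":
    action = sys.argv[1] if len(sys.argv) > 1 else "up"
    dry = "--dry-run" in sys.argv
    if action == "up":
        run(plan_up(**CONFIG), dry_run=dry)
    elif action == "down":
        run(plan_down(CONFIG["ns"]), dry_run=dry)
    else:
        sys.exit(f"usage: {sys.argv[0]} up|down [--dry-run]")
```

With this in place, a hypothetical /etc/init.d/netns.xyz123 only needs to call the helper with `up` in start() and `down` in stop(); anything that should run inside the namespace (a net.xyz123 script, BIRD, a shell for troubleshooting) is then a matter of `ip netns exec xyz123 ...` or `nsenter`, exactly as the thread already does by hand.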
Re: [gentoo-user] Coming up with a password that is very strong.
On Mon, Feb 4, 2019 at 8:21 AM Neil Bothwick wrote: > > On Mon, 04 Feb 2019 11:17:13 +, Mick wrote: > > > > https://xkcd.com/936/ > > > > Not strictly true ... the crackers would probably use rainbow tables > > attacks first. Also, it isn't fair to compare an 11 character passwd > > against a 25 character passwd. For the *same* number of characters > > used in any given passwd, a random lower/upper/numerical/symbol passwd > > will provide an exponentially higher degree of difficulty in cracking > > it with brute force, than one which uses only lower case dictionary > > words. Anyway, these days many attacks are focused on OS or hardware > > vulnerabilities which have been baked in by design, rather than brute > > force attacks. > > I'm not sure xkcd is meant to be taken that seriously... > IMO xkcd has treated the situation more seriously than some of the replies here... Obviously words from a dictionary have less entropy per character than random characters do, but the xkcd cartoon already takes this into account. For the same number of bits of ENTROPY a random password provides the exact same level of security as one based on words. To obtain that entropy through words requires more characters of course. However, the whole point of the cartoon is that our brains are much better at remembering words than random characters, since we have a big chunk of grey matter evolved to do exactly that which is more sophisticated than any computer on the planet so far. Now, if you have some brain-dead software which only accepts 8 character passwords then you would obviously do better to use random characters (truly random - not picking the most pleasing-looking random password out of a list) than to try to cram one or two words in there. Likewise, if you're using a password manager and want to maximize entropy per bit of storage/transmission then random passwords are better since words provide no utility. 
However, if you want to obtain the highest number of bits of entropy for a password that is memorized, xkcd makes a compelling argument that you're better off with a longer password composed of words, because they let you cram more entropy into your brain. Two bits from a dictionary might be the same as two bits from 1/3rd of a random character to a brute force cracking engine, but they aren't the same to your brain. Xkcd isn't doing a like-for-like comparison, because the two categories aren't alike. -- Rich
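The arithmetic behind Rich's point above, and behind Nikos's `pwmake 128`, Lee's "7-10 word" diceware suggestion and the time-to-crack figures Dale pasted from checker sites earlier in the thread, worked through in Python. This is an added example and not code from pwmake, apg, LastPass, xkcd or anyone in the thread. The symbol alphabet (letters, digits and the symbols on the number keys), the 7776-word diceware list and 2048-word xkcd list sizes, the rough five characters per diceware word, and the two guess rates used for crack-time estimates are all assumptions chosen for illustration.

```python
"""Password entropy: random characters vs word lists, and what it means for cracking time."""
import math
import secrets
import string

# Assumption: the "upper/lower case, numbers and symbols on the number keys" alphabet.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()"   # 72 symbols
DICEWARE_WORDS = 6 ** 5          # standard diceware list: five dice, 7776 words
XKCD_WORDS = 2048                # list size xkcd 936 assumes: 11 bits per word
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(choices, count):
    """Entropy of `count` independent, uniform picks from `choices` equally likely items."""
    return count * math.log2(choices)


def picks_for_bits(bits, choices):
    """How many picks from `choices` items are needed to reach at least `bits` of entropy."""
    return math.ceil(bits / math.log2(choices))


def random_password(length, alphabet=ALPHABET):
    """pwmake/apg-style password: `secrets`, not `random`, so the entropy figure is honest."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words, wordlist):
    """Diceware-style passphrase from an arbitrary word list."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def expected_crack_seconds(bits, guesses_per_second):
    """Average brute-force time: the attacker finds the password after half the space."""
    return 2 ** (bits - 1) / guesses_per_second


def compare(bits):
    """Characters vs words needed for the same strength (Rich's like-for-like comparison)."""
    words = picks_for_bits(bits, DICEWARE_WORDS)
    return {
        "bits": bits,
        "random_chars": picks_for_bits(bits, len(ALPHABET)),
        "diceware_words": words,
        "diceware_chars_approx": words * 5,   # assumption: ~4 letters plus a space per word
    }


if __name__ == "__main__":
    for bits in (44, 90, 128):
        print(compare(bits))
    # Assumed rates: 1e3/s for a throttled online login, 1e10/s for an offline attack on a fast hash.
    for label, rate in (("online 1e3/s", 1e3), ("offline 1e10/s", 1e10)):
        for bits in (44, 90, 128):
            years = expected_crack_seconds(bits, rate) / SECONDS_PER_YEAR
            print(f"{bits:3d} bits, {label}: {years:.3g} years")
    sample_words = ["correct", "horse", "battery", "staple", "cloud", "pencil"]  # constructed
    print(random_password(picks_for_bits(128, len(ALPHABET))))
    print(passphrase(4, sample_words))
```

Run it and the numbers line up with the thread: 128 bits is 21 random characters from this alphabet or 10 diceware words, 90 bits is 7 words, and xkcd's four words from a 2048-word list are 44 bits whichever way they are spelled. The crack-time lines also show why the checker-site figures are only as good as the guess rate they assume: the same 44-bit password is centuries against a rate-limited login and seconds against an offline attack on an unsalted fast hash.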
Re: [gentoo-user] Coming up with a password that is very strong.
On Mon, 04 Feb 2019 11:17:13 +, Mick wrote: > > https://xkcd.com/936/ > > Not strictly true ... the crackers would probably use rainbow tables > attacks first. Also, it isn't fair to compare an 11 character passwd > against a 25 character passwd. For the *same* number of characters > used in any given passwd, a random lower/upper/numerical/symbol passwd > will provide an exponentially higher degree of difficulty in cracking > it with brute force, than one which uses only lower case dictionary > words. Anyway, these days many attacks are focused on OS or hardware > vulnerabilities which have been baked in by design, rather than brute > force attacks. I'm not sure xkcd is meant to be taken that seriously... -- Neil Bothwick Help a man when he is in trouble and he will remember you when he is in trouble again pgpbzypu3SaUv.pgp Description: OpenPGP digital signature
Re: [gentoo-user] Is my NVME too slow?
Hello, Helmut.

On Mon, Feb 04, 2019 at 12:01:33 +0100, Helmut Jarausch wrote:
> I have a very fast Samsung NVME drive hosting my root file system.
> During backup 'atop' often shows 100% usage of my NVME drive while
> reading only a few MB/s and
> several thousands 'Read' ops (during 10 seconds).
> Is this normal or a measuring bug of 'atop'?
> Stand alone timing tests have shown that this drive can read some GB
> per second.
> What's happening?

I don't understand this well myself, but please make sure you've got CONFIG_PCI_MSI ("message signalled interrupts") enabled in your kernel. This was a tip from Adam Carter to me in 2017-04, when my new Samsung NVMe drive wasn't performing to expectations, and it helped greatly.

> Many thanks for a hint,
> Helmut

--
Alan Mackenzie (Nuremberg, Germany).
[gentoo-user] Re: Coming up with a password that is very strong.
On 04/02/2019 13:17, Mick wrote:
> You will be surprised how many people are still using passwds like:
>
> password
> password1
> arsenal
> manchesterunited2018
> fido
>
> on websites which store their credit card details. O_O

A friend of mine used "" as a password because it matched what was being shown on the screen while typing it, and thus no one would ever be able to figure that one out. He thought he was being very smart.
Re: [gentoo-user] Coming up with a password that is very strong.
On Monday, 4 February 2019 10:37:03 GMT Neil Bothwick wrote:
> On Mon, 04 Feb 2019 10:24:27 +, Peter Humphrey wrote:
> > > How do you, especially those who admin systems that are always being
> > > hacked at, generate strong passwords that meet the above? I've
> > > googled and found some ideas but if I use the same method, well, how
> > > many others are using that same method, if you know what I
> > > mean. ;-) Just looking for ideas.
> >
> > You could use a password generator to keep creating random passwords
> > until it comes up with something you like the look of, then learn it by
> > rote. I did that some time ago - it must be about time I did it again
> > to make another one.
>
> https://xkcd.com/936/

Not strictly true ... the crackers would probably use rainbow tables attacks first. Also, it isn't fair to compare an 11 character passwd against a 25 character passwd. For the *same* number of characters used in any given passwd, a random lower/upper/numerical/symbol passwd will provide an exponentially higher degree of difficulty in cracking it with brute force, than one which uses only lower case dictionary words. Anyway, these days many attacks are focused on OS or hardware vulnerabilities which have been baked in by design, rather than brute force attacks.

Any financial company worth its salt is employing 2-factor authentication and account lockups to stop brute forcing of users' credentials. So, guarding against your own OS compromise is more important than individual website credentials.

You will be surprised how many people are still using passwds like:

password
password1
arsenal
manchesterunited2018
fido

on websites which store their credit card details. O_O

You may want to take a look at app-admin/apg and, to mitigate against your CPU's lack of randomness, use sys-apps/haveged. Combining multiple outputs of apg should arrive at a passwd which is more secure than not.

--
Regards,
Mick
[gentoo-user] Re: Coming up with a password that is very strong.
On 04/02/2019 07:47, Dale wrote:
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above? I've googled
> and found some ideas but if I use the same method, well, how many others
> are using that same method, if you know what I mean. ;-) Just looking
> for ideas.

I don't use a password manager. For website logins, I just use the password manager in the browser (Firefox), which does not use a master password :-P I just assume my own system is not going to be compromised.

For the websites I use, I generate a unique password per site using this command:

  $ pwmake 128

This generates a password using 128 bits of entropy from /dev/urandom. You need dev-libs/libpwquality to be installed (it's a dep of something important, I think, so it should be installed on most systems already.)

For remote systems I administer through SSH, I don't use passwords. I use a public/private key pair to log in (4096 bits.) My private key is protected with a strong password though, but it's easy to remember since it doesn't need to change. Something like:

  ilp@4*r

Which is short for: I like pizza and macaroni for dinner at four star restaurants.
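The post above generates per-site passwords with `pwmake 128`, i.e. an entropy budget of 128 bits drawn from /dev/urandom. As an added example (not the poster's code and not libpwquality's), the following shows the same budget rule in Python: pick the length as the smallest symbol count whose uniform entropy reaches the target, and draw every symbol from the OS CSPRNG via the `secrets` module. The printable-ASCII alphabet, the 128-bit default and the tiny word list for the passphrase variant are all constructed here for illustration.

```python
import math
import secrets
import string

# Non-whitespace printable ASCII: 94 symbols, about 6.55 bits each when
# every symbol is chosen uniformly at random.
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed word list for the passphrase variant. Eight words give only
# 3 bits per word; a real list (e.g. 2048 words, 11 bits each) is needed
# for a usable passphrase. It is kept tiny so the example is self-contained.
SAMPLE_WORDS = ("correct", "horse", "battery", "staple",
                "pizza", "macaroni", "dinner", "restaurant")


def symbols_for_entropy(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of uniformly chosen symbols that reaches target_bits."""
    if alphabet_size < 2:
        raise ValueError("need at least two symbols to choose from")
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(target_bits: float = 128, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Random password carrying at least target_bits of entropy.

    secrets.choice() is backed by os.urandom(), the same kernel CSPRNG that
    /dev/urandom exposes. The random module's choice() must not be used for
    this: its Mersenne Twister state can be recovered from observed outputs.
    """
    n = symbols_for_entropy(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


def random_passphrase(target_bits: float, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """The same budget rule applied to words instead of characters."""
    n = symbols_for_entropy(target_bits, len(words))
    return sep.join(secrets.choice(words) for _ in range(n))


def achieved_entropy(value: str, alphabet_size: int, sep: str = "") -> float:
    """Entropy actually delivered by a generated value, assuming uniform choice.

    Pass the separator for passphrases so that words, not characters, are counted.
    """
    count = len(value.split(sep)) if sep else len(value)
    return count * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = random_password(128)
    print(pw, f"({len(pw)} chars, {achieved_entropy(pw, len(DEFAULT_ALPHABET)):.1f} bits)")
    pp = random_passphrase(24)
    print(pp, f"({achieved_entropy(pp, len(SAMPLE_WORDS), ' '):.1f} bits)")
```

Twenty characters from a 94-symbol alphabet is what 128 bits costs; the passphrase call shows why the word list must be large, since eight words need eight picks to reach even 24 bits.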
[gentoo-user] Is my NVME too slow?
I have a very fast Samsung NVME drive hosting my root file system.
During backup 'atop' often shows 100% usage of my NVME drive while reading only a few MB/s and several thousands 'Read' ops (during 10 seconds).
Is this normal or a measuring bug of 'atop'?
Stand alone timing tests have shown that this drive can read some GB per second.
What's happening?

Many thanks for a hint,
Helmut
Re: [gentoo-user] Coming up with a password that is very strong.
On Mon, 04 Feb 2019 10:24:27 +, Peter Humphrey wrote:
> > How do you, especially those who admin systems that are always being
> > hacked at, generate strong passwords that meet the above? I've
> > googled and found some ideas but if I use the same method, well, how
> > many others are using that same method, if you know what I
> > mean. ;-) Just looking for ideas.
>
> You could use a password generator to keep creating random passwords
> until it comes up with something you like the look of, then learn it by
> rote. I did that some time ago - it must be about time I did it again
> to make another one.

https://xkcd.com/936/

--
Neil Bothwick

There's too much blood in my caffeine system.
Re: [gentoo-user] Coming up with a password that is very strong.
On Monday, 4 February 2019 05:47:35 GMT Dale wrote:
> How do you, especially those who admin systems that are always being
> hacked at, generate strong passwords that meet the above? I've googled
> and found some ideas but if I use the same method, well, how many others
> are using that same method, if you know what I mean. ;-) Just looking
> for ideas.

You could use a password generator to keep creating random passwords until it comes up with something you like the look of, then learn it by rote. I did that some time ago - it must be about time I did it again to make another one.

--
Regards,
Peter.