Re: gnome-password-generator replacement?

2017-07-09 Thread Andre Robatino
gnome-password-generator was just unretired and is now in F26 updates-testing ( 
https://bodhi.fedoraproject.org/updates/FEDORA-2017-58751e422c ) so should be 
in stable soon.
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org


Re: gnome-password-generator replacement?

2017-06-19 Thread Tim
Allegedly, on or about 19 June 2017, Greg Woods sent:
> I'm surprised no one has posted this yet:
>
> https://xkcd.com/936/

Virtually the same thing as I said, minus the illustrations.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64 
(always current details of the computer that I'm writing this email on)

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

Next time your service provider asks you to reboot your equipment, ask
them to reboot theirs, first.




Re: gnome-password-generator replacement?

2017-06-19 Thread Tom Horsley
On Mon, 19 Jun 2017 21:27:51 +0100
Patrick O'Callaghan wrote:

> Because modern CPUs already have hardware RNGs built-in, without
> requiring an additional chip?

But, but, but, they aren't quantum :-).


Re: gnome-password-generator replacement?

2017-06-19 Thread Samuel Sieb

On 06/18/2017 01:55 PM, Andre Robatino wrote:

> Thanks. I had actually installed pwgen a few months ago, but it looked like the passwords weren't strong enough.
> gnome-password-generator has a Character set option "All printable (excluding space)". It appears that
> "pwgen -sy 30 1", for example, does just that, and "pwgen -s 30 1" is the same as
> "Alphanumeric (a-z, A-Z, 0-9)". I use a password manager, so only care about maximum entropy. It would be
> really nice if there was something where you could specify an exact set of characters to either include or exclude, to
> cope with certain websites that allow only some special characters.


I use "apg".  It lets you choose the character classes you want included 
in the password and you can also exclude specific characters if necessary.



Re: gnome-password-generator replacement?

2017-06-19 Thread Patrick O'Callaghan
On Mon, 2017-06-19 at 15:54 -0400, Tom Horsley wrote:
> I just want to know when we'll all have one of these built into
> our computers?
> 
> http://www.physicscentral.com/buzz/blog/index.cfm?postid=4422261597116577682
> 
> (Doesn't look like it has been turned into a commercial product
> yet which kind of surprises me - probably the researchers and the
> university arguing about rights :-).

Because modern CPUs already have hardware RNGs built-in, without
requiring an additional chip?

poc


Re: gnome-password-generator replacement?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 15:54:25 -0400
Tom Horsley wrote:

> http://www.physicscentral.com/buzz/blog/index.cfm?postid=4422261597116577682
> 
> (Doesn't look like it has been turned into a commercial product
> yet which kind of surprises me - probably the researchers and the
> university arguing about rights :-).

It might be that they are arguing about patent rights, but it could
also be that the prototype is not robust enough to deal with everyday
life.  There is a huge junkyard between the bench and the shelf.  It
could also be that a government agency bought all the rights to the
device, and is sitting on it because it is too secure.  What would
speculation be without conspiracy theories?  :-)


Re: gnome-password-generator replacement?

2017-06-19 Thread Tom Horsley
I just want to know when we'll all have one of these built into
our computers?

http://www.physicscentral.com/buzz/blog/index.cfm?postid=4422261597116577682

(Doesn't look like it has been turned into a commercial product
yet which kind of surprises me - probably the researchers and the
university arguing about rights :-).


Re: gnome-password-generator replacement?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 17:35:10 -
"Andre Robatino" wrote:

> It seemed
> to be a fairly sophisticated attack. When my PayPal account was
> accessed, my email account was DoS'd by sending thousands of garbage
> emails to it every hour, to prevent me from reading PayPal's email
> notifications associated with account activity. It wasn't until later
> in the day that I discovered independently what had happened, and
> realized why my email was being DoS'd.

Yes, that certainly seems sophisticated.  Systems level thinking.


Re: gnome-password-generator replacement?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 07:37:35 +0200
Heinz Diehl wrote:

> Pwgen uses /dev/urandom, so the statement that those passwords are
> less secure than "fully" random passwords (define "fully random"..) is
> merely of academical nature.
> 
> In case of any doubt, you can always do something like
> 
>  head /dev/random | tr -dc A-Za-z0-9 | head -c X
> 
> where X is your password length. Tr also lets you tailor the
> character set used.

Here's my shell hack to generate passwords using the above.  It saves
the passwords in the file devurandom_password.txt in the home directory.

#! /bin/bash

#  generate a password using a character set, /dev/urandom,
#  and tr to select the characters included.
#  The three arguments are
#  the character class to use to generate the password  (default an)
#  the length of the password (default 20)
#  the number of passwords to generate (default 10)
#
#  Class abbreviations (tr character class in brackets):
#  an [:alnum:]  al [:alpha:]  cn [:cntrl:]  di [:digit:]
#  gr [:graph:]  lo [:lower:]  pr [:print:]  pu [:punct:]
#  sp [:space:]  up [:upper:]  xd [:xdigit:]

DPW=/home/$USER/devurandom_password.txt

# Fill in defaults for any arguments that were not given.
CLASS=${1:-an}
LEN=${2:-20}
COUNT=${3:-10}

# Map the abbreviation to a tr class.  The class is kept quoted everywhere:
# unquoted, [:alnum:] is a shell glob and would match a file named a, l,
# n, u, m or : in the current directory.  Anything unrecognised falls
# back to alnum, as before.
case "$CLASS" in
  al) TRCLASS='[:alpha:]'  ;;
  cn) TRCLASS='[:cntrl:]'  ;;
  di) TRCLASS='[:digit:]'  ;;
  gr) TRCLASS='[:graph:]'  ;;
  lo) TRCLASS='[:lower:]'  ;;
  pr) TRCLASS='[:print:]'  ;;
  pu) TRCLASS='[:punct:]'  ;;
  sp) TRCLASS='[:space:]'  ;;
  up) TRCLASS='[:upper:]'  ;;
  xd) TRCLASS='[:xdigit:]' ;;
  *)  TRCLASS='[:alnum:]'  ;;
esac

# The output file holds passwords, so create it readable by the owner only.
umask 077
echo "Passwords from /dev/urandom with $CLASS" > "$DPW"
echo '' >> "$DPW"

for ((x = 0 ; x < COUNT ; x++)) ; do
  # Keep pulling bytes until enough survive "tr -dc".  A single head(1)
  # of the device reads about 2.5 KB, which is not always enough for a
  # sparse class such as [:digit:] (10 of 256 byte values) and would
  # silently produce a short password.
  PW=''
  while [ "${#PW}" -lt "$LEN" ]; do
    PW="$PW$(head -c 1024 /dev/urandom | tr -dc "$TRCLASS")"
  done
  # Quoted so that *, ? and [ in the password are never glob-expanded
  # by the shell before being written out.
  printf '%s\n\n' "${PW:0:$LEN}" >> "$DPW"
done

exit 0


Re: gnome-password-generator replacement?

2017-06-19 Thread Andre Robatino
> How?  Don't the attackers have to know the password hashing algorithm to
> do that? If they have enough penetration into the system to know that,
> couldn't they just capture the passwords when they were unhashed?
> i.e.  could it have been that they let paypal know they had been
> compromised, so that a program they left on paypal's systems could
> report the unhashed passwords when paypal told their users to reset
> their passwords?

I don't know how it was done, but I'm pretty sure they grabbed the password 
hashes, not the plaintext passwords. If the hashes weren't salted, they could 
have just used a standard lookup table. It seemed to be a fairly sophisticated 
attack. When my PayPal account was accessed, my email account was DoS'd by 
sending thousands of garbage emails to it every hour, to prevent me from 
reading PayPal's email notifications associated with account activity. It 
wasn't until later in the day that I discovered independently what had 
happened, and realized why my email was being DoS'd.


Re: gnome-password-generator replacement?

2017-06-19 Thread JD



On 06/18/2017 08:49 PM, Andre Robatino wrote:

> Many websites don't allow even 30 chars. One of the important ones I use allows
> only 16 characters (and no 2FA option), but happens to allow special
> characters. Using the largest possible character set is the only way to shore
> that up.

A credit card that I recall allows 56-character passwords.


Re: gnome-password-generator replacement?

2017-06-19 Thread Greg Woods
On Mon, Jun 19, 2017 at 8:42 AM, stan wrote:

> The man page says they are modified to be more memorable, by
> some definition, and so are less than completely random.
>
> ...generates passwords which are designed to be easily memorized by
> humans, while being as secure as possible.
>

I'm surprised no one has posted this yet:

https://xkcd.com/936/

--Greg


Re: gnome-password-generator replacement?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 11:12:20 -0400
Matthew Miller wrote:

> There are only a handful of commonly-used cryptographically-secure
> hashes which are likely to be used, and they're relatively easy to
> narrow down simply by looking at length. Or, if they're stored like
> they are in /etc/shadow, the entire string actually includes an
> identifier for the hash.
> 
> If the passwords are hashed in a non-standard way or with some made-up
> thing... there's probably something wrong that a skilled attacker can
> exploit. (Rule one of crypto: don't write your own crypto.)

Why not use RSA?  Create a set of RSA keys, and don't publish them.
Encrypt each password with one of the keys, and store it in a
database.  When needed, decrypt it with the other RSA key.  Or encrypt
with the original key to compare with the database contents.  If an
attacker gets the database without the RSA keys, they are trying to
decrypt the encrypted message without knowing the composite number that
generated the keys. That is, they are trying to break RSA for all
composite numbers the product of two large primes. Horrendous. And
because these RSA keys aren't published, they can be nonstandard
sizes.  4023? 3084? 6173? Good luck with that if you are the
cracker.  :-)

This is private key RSA instead of public key RSA, more secure.  Not
roll your own crypto, extensively attacked and tested crypto.  Sure, if
your system gets compromised, and someone gains the keys, they break
the encryption easily, but that isn't a crypto problem.


Re: gnome-password-generator replacement?

2017-06-19 Thread Patrick O'Callaghan
On Mon, 2017-06-19 at 12:07 -0400, Tom Horsley wrote:
> On Mon, 19 Jun 2017 16:44:25 +0100
> Patrick O'Callaghan wrote:
> 
> > Exactly. It also makes me question the competence of whoever programmed
> > the website. Can it be that they only know how to read alphanumeric
> > input?
> 
> I always suspect someone's nephew built the web site and
> didn't know how to properly quote and unquote special
> characters in HTTP messages :-).

Indeed. It's often the same kind of site that breaks when I input my
surname ...

poc


Re: gnome-password-generator replacement?

2017-06-19 Thread Tom Horsley
On Mon, 19 Jun 2017 16:44:25 +0100
Patrick O'Callaghan wrote:

> Exactly. It also makes me question the competence of whoever programmed
> the website. Can it be that they only know how to read alphanumeric
> input?

I always suspect someone's nephew built the web site and
didn't know how to properly quote and unquote special
characters in HTTP messages :-).


Re: gnome-password-generator replacement?

2017-06-19 Thread Tim
Tim:
>> Really, what ought to get tightened up is the software accepting
>> logons. There should be a limited number of attempts (3 goes and you're
>> out for a significant time limit).  Any system that lets a cracker
>> hammer away with repeated attempts is the thing that is broken.

stan:
> I don't think it has to be as low as 3.  It could be 100 or 1000, a
> restriction that a human will never hit, but a cracking program will
> hit almost immediately.

Three seems to be a common threshold, but I agree that it could be set
higher for those reasons.  I know that I've mistyped things three times
in a row, and when you can't see what you're typing, it's easy to not
notice you've made a mistake.  Like you, I imagine a cracking attempt is
going to try more than a person would.

> This makes it easy to separate attackers from legitimate users, and
> take appropriate action against the attackers. Ban their IP address?
> Notify their ISP?  Track their botnet and disable it?  I'm not sure
> there are effective defenses.
> 
> An alternative is to look for frequency of login attempts.  More than 1
> every second implies a bot, not a human.

Again, I agree.  It's not too hard for a person to make that kind of
judgement call about what's a cracking attempt versus a human trying to
deal with a poor interface, so it ought to be a programmable solution,
too.

I think you'd first want to block the source from further attempts.  If
multiple sources are trying, you know it's a crack attempt.  No real
user could be doing that.

You could try banning all cracking sources, but if they're a zombied
army of bots, you could be banning genuine users of your service who've
no idea they're using a compromised computer.  So the idea of notifying
their ISP has merit, on a number of fronts (ISP can tell the user they
need to fix up their PC, ISP can take action to check if their users are
indulging in organised hacking, etc).

Though there's still the problem of reporting things to ISPs that are a
problem, in themselves.  In my early days of using the net, I'd
occasionally make a report to an ISP about spam from one of their users,
only to get a bucketload more spam straight away.  It was obvious that
the ISP itself, or one of their staff, was involved in spamming; or they
stupidly inform their user about the complaint, naming where the
complaint came from.  Either way, making a complaint was actually worse
than useless.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64 
(always current details of the computer that I'm writing this email on)

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

Next time your service provider asks you to reboot your equipment, ask
them to reboot theirs, first.




Re: gnome-password-generator replacement?

2017-06-19 Thread Patrick O'Callaghan
On Mon, 2017-06-19 at 08:36 -0400, Tom Horsley wrote:
> On Mon, 19 Jun 2017 12:55:28 +0100
> Patrick O'Callaghan wrote:
> 
> > One
> > of them even disallows cut-and-paste, which tempts the user to have a
> > password simple enough to remember and type by hand.
> 
> One of the keepassx features is the ability to simulate
> typing to teach the annoying web designers who is boss :-).

I just use the X buffer copy-and-paste, which they don't seem to be
aware of.

> The sites that crack me up are the ones which have rules
> like "you can only use letters and numbers" in your password.
> Why? That just means anyone trying to guess passwords has
> a much simpler job.

Exactly. It also makes me question the competence of whoever programmed
the website. Can it be that they only know how to read alphanumeric
input?

poc


Re: gnome-password-generator replacement?

2017-06-19 Thread Matthew Miller
On Mon, Jun 19, 2017 at 08:02:28AM -0700, stan wrote:
> > That works as long as the website isn't hacked. If it is, even if the
> > passwords are hashed (which they often aren't), the hash can be
> > cracked if the password is weak.
> How?  Don't the attackers have to know the password hashing algorithm to
> do that? If they have enough penetration into the system to know that,

There are only a handful of commonly-used cryptographically-secure
hashes which are likely to be used, and they're relatively easy to
narrow down simply by looking at length. Or, if they're stored like
they are in /etc/shadow, the entire string actually includes an
identifier for the hash.

If the passwords are hashed in a non-standard way or with some made-up
thing... there's probably something wrong that a skilled attacker can
exploit. (Rule one of crypto: don't write your own crypto.)

-- 
Matthew Miller

Fedora Project Leader
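As an added example (my own, not code from the thread, from Fedora or from any real site), the following shows both halves of what Matthew and Andre describe above: a crypt(3)-style string of the kind found in /etc/shadow announces its algorithm in its prefix, a bare hex digest gives it away by length, and an unsalted store falls to a single precomputed table while a per-user salted, iterated store does not. The prefix table covers ids listed in crypt(5); the candidate list, user names and passwords are constructed for the example.

```python
import hashlib
import hmac
import os

# Modular Crypt Format ids as listed in crypt(5); the table itself is the
# example's own and is not exhaustive.
CRYPT_IDS = {
    "1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
    "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt", "y": "yescrypt",
}
# Hex-digest lengths of the unsalted hashes an application is most likely
# to have called directly.
HEX_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def identify(stored):
    """Return (algorithm, format).  "crypt" means the string carries its own
    id; "hex" means a bare digest whose algorithm is guessed from length."""
    if stored.startswith("$"):
        algo_id = stored.split("$")[1]
        return CRYPT_IDS.get(algo_id, "unknown $" + algo_id + "$"), "crypt"
    if len(stored) in HEX_LENGTHS and all(c in "0123456789abcdefABCDEF" for c in stored):
        return HEX_LENGTHS[len(stored)], "hex"
    return "unknown", "unknown"


def unsalted_store(password):
    """What a careless site does: one plain SHA-256 of the password."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_with_table(stored_hashes, candidates):
    """Hash each candidate once, then look every stored hash up.  The cost
    is one hash per candidate for the whole database, not per user."""
    table = {unsalted_store(c): c for c in candidates}
    return {h: table[h] for h in stored_hashes if h in table}


def salted_store(password, salt=None, iterations=100_000):
    """Per-user random salt plus an iterated hash (PBKDF2-HMAC-SHA256 here).
    Two users with the same password get different strings, so a table
    built for one is useless for the other, and each guess against each
    user costs `iterations` hash computations."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${dk.hex()}"


def salted_verify(password, stored):
    iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time compare


if __name__ == "__main__":
    # Constructed strings in the shapes seen in the wild (not real hashes).
    for s in ("$6$rounds=5000$saltsalt$" + "x" * 86, "$2b$12$" + "y" * 53, "0" * 32):
        print(s[:24].ljust(24), identify(s))
    users = {"ann": "password", "ben": "letmein", "cat": "rB7&kq!2Lm9#Vx4p"}
    hits = crack_with_table([unsalted_store(p) for p in users.values()],
                            ["123456", "password", "qwerty", "letmein"])
    print("unsalted, one table cracks:", sorted(hits.values()))
    a, b = salted_store("password"), salted_store("password")
    print("same password, salted, identical stored strings:", a == b)
```

Run as a script it prints the identification of the three constructed strings, the two weak passwords the single table recovers, and False for the salted comparison; the strong third password survives the table because it is not on the candidate list at all, which is the whole argument for random passwords.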


Re: gnome-password-generator replacement?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 02:49:30 -
"Andre Robatino" wrote:

> Many websites don't allow even 30 chars. One of the important ones I
> use allows only 16 characters (and no 2FA option), but happens to
> allow special characters. Using the largest possible character set is
> the only way to shore that up.

Good point.


Re: gnome-password-generator replacement?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 04:48:16 -
"Andre Robatino" wrote:

> That works as long as the website isn't hacked. If it is, even if the
> passwords are hashed (which they often aren't), the hash can be
> cracked if the password is weak.

How?  Don't the attackers have to know the password hashing algorithm to
do that? If they have enough penetration into the system to know that,
couldn't they just capture the passwords when they were unhashed?
i.e.  could it have been that they let paypal know they had been
compromised, so that a program they left on paypal's systems could
report the unhashed passwords when paypal told their users to reset
their passwords?


Re: gnome-password-generator replacement?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 12:51:30 +0930
Tim wrote:

> Really, what ought to get tightened up is the software accepting
> logons. There should be a limited number of attempts (3 goes and you're
> out for a significant time limit).  Any system that lets a cracker
> hammer away with repeated attempts is the thing that is broken.

I don't think it has to be as low as 3.  It could be 100 or 1000, a
restriction that a human will never hit, but a cracking program will
hit almost immediately.  This makes it easy to separate attackers from
legitimate users, and take appropriate action against the attackers.
Ban their IP address?  Notify their ISP?  Track their botnet and
disable it?  I'm not sure there are effective defenses.

An alternative is to look for frequency of login attempts.  More than 1
every second implies a bot, not a human.
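To show what the thresholds Tim and stan discuss above look like as detection logic, here is an added example (my own, not code from the thread or from any Fedora package) that runs three rules over constructed sshd-style log lines: a per-source rate rule for stan's "more than one attempt every second", a per-account failure count for the lockout Tim describes, and a distinct-source count for the botnet case that per-source blocking misses. The log format, the thresholds, the user names and the addresses (taken from the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges) are all the example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for the example (sshd-like, not a real log):
#   2017-06-19T10:00:00 Failed password for alice from 198.51.100.20
LINE_RE = re.compile(r"^(\S+) (Failed|Accepted) password for (\S+) from (\S+)$")


def sample_log():
    """Constructed sample: a human, a single-source bot and a botnet spray."""
    t0 = datetime(2017, 6, 19, 10, 0, 0)
    lines = []

    def add(offset_s, outcome, user, ip):
        ts = (t0 + timedelta(seconds=offset_s)).isoformat()
        lines.append(f"{ts} {outcome} password for {user} from {ip}")

    # alice: mistypes three times over two minutes, then gets in
    for s in (0, 45, 90):
        add(s, "Failed", "alice", "198.51.100.20")
    add(120, "Accepted", "alice", "198.51.100.20")
    # bob: one source trying once a second for twelve seconds
    for s in range(12):
        add(300 + s, "Failed", "bob", "203.0.113.7")
    # carol: eight different sources, one try each, spread over a minute
    for i in range(8):
        add(600 + 8 * i, "Failed", "carol", f"203.0.113.{100 + i}")
    return lines


def analyse(lines, rate_window=timedelta(seconds=5), rate_max=5,
            lockout_window=timedelta(minutes=15), lockout_max=10,
            spray_sources=5):
    """Return the sources and accounts each rule would act on.

    rate rule:    more than rate_max failures from one source inside any
                  rate_window -> that source is a bot, block it
    lockout rule: lockout_max failures against one account inside
                  lockout_window -> lock the account (or step up to 2FA)
    spray rule:   failures against one account from spray_sources or more
                  distinct sources inside lockout_window -> distributed
                  attack; blocking individual sources will not stop it
    """
    by_source = defaultdict(list)    # ip -> [timestamp, ...]
    by_account = defaultdict(list)   # user -> [(timestamp, ip), ...]
    bots, locked, sprayed = set(), set(), set()

    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # unrelated line; a real parser would count these
        ts = datetime.fromisoformat(m.group(1))
        outcome, user, ip = m.group(2), m.group(3), m.group(4)

        if outcome == "Accepted":
            by_account[user].clear()  # a successful login resets that account's count
            continue

        # sliding window of this source's recent failures, including this one
        recent = [t for t in by_source[ip] if ts - t <= rate_window] + [ts]
        by_source[ip] = recent
        if len(recent) > rate_max:
            bots.add(ip)

        hist = [(t, s) for t, s in by_account[user] if ts - t <= lockout_window] + [(ts, ip)]
        by_account[user] = hist
        if len(hist) >= lockout_max:
            locked.add(user)
        if len({s for _, s in hist}) >= spray_sources:
            sprayed.add(user)

    return {"bots": bots, "locked_accounts": locked, "sprayed_accounts": sprayed}


if __name__ == "__main__":
    for rule, hits in analyse(sample_log()).items():
        print(f"{rule}: {sorted(hits) or '-'}")
```

With the defaults, bob's source trips the rate rule and his account the lockout rule, carol's account trips only the spray rule (no single source of hers ever exceeds one attempt, which is why a per-source ban alone would miss it), and alice is left alone. Lowering `lockout_max` to 3 locks alice out after her third typo, which is stan's objection to a three-strike rule in a single knob.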


Re: gnome-password-generator replacement?

2017-06-19 Thread stan
On Mon, 19 Jun 2017 07:37:35 +0200
Heinz Diehl wrote:

> Pwgen uses /dev/urandom, so the statement that those passwords are
> less secure than "fully" random passwords (define "fully random"..) is
> merely of academical nature.

The man page says they are modified to be more memorable, by
some definition, and so are less than completely random.

...generates passwords which are designed to be easily memorized by
humans, while being as secure as possible.  Human-memorable passwords
are never going to be as secure as completely random passwords. ...

I suppose if someone knew I had used pwgen, and incorporated that
pattern knowledge into their attack, that might be true.  But to an
ignorant attacker, these are effectively random passwords.  Or more
importantly, cryptographically secure passwords, since 'password' is a
perfectly legitimate random 8 character string, but not a
cryptographically secure 8 character string.

I'm glad to learn that pwgen uses /dev/urandom.  That is probably the
best solution on a linux system, especially if a hardware random number
generator is feeding entropy into /dev/random, as excess entropy will
be fed into /dev/urandom, enhancing its unpredictability.

> In case of any doubt, you can always do something like
> 
>  head /dev/random | tr -dc A-Za-z0-9 | head -c X
> 
> where X is your password length. Tr also lets you tailor the
> character set used.

Neat solution.  I like all the predefined character classes for tr.
And it lends itself nicely to a script.


Re: gnome-password-generator replacement?

2017-06-19 Thread Matthew Miller
On Mon, Jun 19, 2017 at 11:33:00AM +0930, Tim wrote:
> Matthew Miller:
> > This seems... unnecessary.
> Though, I'd say it's accurate.

Maybe, but *entirely* unrelated to the situation here. So I don't see
the value. 

-- 
Matthew Miller

Fedora Project Leader


Re: gnome-password-generator replacement?

2017-06-19 Thread Tim
Allegedly, on or about 19 June 2017, Patrick O'Callaghan sent:
> I have a number of bank accounts in several countries (for perfectly
> legitimate reasons, I hasten to add) and in my experience each bank
> has its own rules which as often as not mitigate *against* good
> security practice, e.g. forcing you to change the password every 3
> months (which invites password1, password2, password3 ...) or having
> their own peculiar Javascript which blocks you from using a password
> manager. One of them even disallows cut-and-paste, which tempts the
> user to have a password simple enough to remember and type by hand. 

Yes, I'm tired of hosts with special rules, and they often are the
opposite of security.  Such as your password has to be 6 to 8 characters
long.  My long passphrase is far more secure than a 6 to 8 character
sequence, and far easier to type than mixed case and symbols.

I wish these dunderheads would get it through their thick skulls that
hard-to-type passwords does not equal hard-to-crack.

Long ago, I set a password on something, but must have mistyped it in,
the first time around.  It took me ages to try out all the possible
typing errors that might have occurred.  I loathe password entry boxes
that don't let you see what you're typing in.

After one site gave me the runaround with their stupid rules, I set a
passphrase that was my low opinion of the service.  Later on, I had to
say the password to one of their phone help people to resolve a problem.

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64 
(always current details of the computer that I'm writing this email on)

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

I reserve the right to treat other people in exactly the same way that
they treat me.




Re: gnome-password-generator replacement?

2017-06-19 Thread Tim
Allegedly, on or about 19 June 2017, Tom Horsley sent:
> The sites that crack me up are the ones which have rules
> like "you can only use letters and numbers" in your password.
> Why? That just means anyone trying to guess passwords has
> a much simpler job. 

I can guess two reasons:

Some special characters might get interpreted by their software, rather
than accepted as-is.

Some special characters can't be typed on all computers, or their users
can't type them properly.  e.g. How many times do you see the Brits
mis-use the backtick as an apostrophe?

-- 
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64 
(always current details of the computer that I'm writing this email on)

Boilerplate:  All mail to my mailbox is automatically deleted, there is
no point trying to privately email me, I only get to see the messages
posted to the mailing list.

Just because nobody complains, it doesn't mean that all parachutes are
perfect.




Re: gnome-password-generator replacement?

2017-06-19 Thread Fred Smith
On Mon, Jun 19, 2017 at 08:36:35AM -0400, Tom Horsley wrote:
> On Mon, 19 Jun 2017 12:55:28 +0100
> Patrick O'Callaghan wrote:
> 
> > One
> > of them even disallows cut-and-paste, which tempts the user to have a
> > password simple enough to remember and type by hand.
> 
> One of the keepassx features is the ability to simulate
> typing to teach the annoying web designers who is boss :-).
> 
> The sites that crack me up are the ones which have rules
> like "you can only use letters and numbers" in your password.
> Why? That just means anyone trying to guess passwords has
> a much simpler job.

possibly because of brain-dead underlying systems that will accept
only those characters.

-- 
 Fred Smith -- fre...@fcshome.stoneham.ma.us -
   Show me your ways, O LORD, teach me your paths;
 Guide me in your truth and teach me,
 for you are God my Savior,
And my hope is in you all day long.
-- Psalm 25:4-5 (NIV) 


Re: gnome-password-generator replacement?

2017-06-19 Thread Tom Horsley
On Mon, 19 Jun 2017 12:55:28 +0100
Patrick O'Callaghan wrote:

> One
> of them even disallows cut-and-paste, which tempts the user to have a
> password simple enough to remember and type by hand.

One of the keepassx features is the ability to simulate
typing to teach the annoying web designers who is boss :-).

The sites that crack me up are the ones which have rules
like "you can only use letters and numbers" in your password.
Why? That just means anyone trying to guess passwords has
a much simpler job.


Re: gnome-password-generator replacement?

2017-06-19 Thread Patrick O'Callaghan
On Mon, 2017-06-19 at 00:17 -0700, Joe Zeff wrote:
> On 06/18/2017 08:21 PM, Tim wrote:
> > I completely agree, it's just as impossible to guess that a password is
> > "$#DfSGxS" as "sickturtlepyjamas", and I know which one is easier to
> > remember and type.  With the peculiar password rules, I have no choice
> > but to do the insecure and write down passwords somewhere (whether
> > that's on paper or on file).  You're not supposed to write passwords
> > down anywhere.
> 
> I may have mentioned this before, but I have a friend who uses (roughly) 
> ThisIsAVeryVeryLongPassword for his WiFi, on the grounds that it's just 
> as hard to guess as the type of gibberish that most security "experts" 
> recommend, and a lot easier to remember.

The problem with many of these "rules" is that they don't apply
universally. A password suitable for a banking site is one thing, and a
password for your home Wifi network is another. Never write down the
first one (use a password manager), but feel free to write down the
second one and keep it in a drawer. And where possible, use your router
to configure a guest network with a different password and more
restricted access for those times when you have visitors.

I have a number of bank accounts in several countries (for perfectly
legitimate reasons, I hasten to add) and in my experience each bank has
its own rules which as often as not mitigate *against* good security
practice, e.g. forcing you to change the password every 3 months (which
invites password1, password2, password3 ...) or having their own
peculiar Javascript which blocks you from using a password manager. One
of them even disallows cut-and-paste, which tempts the user to have a
password simple enough to remember and type by hand.

poc


Re: gnome-password-generator replacement?

2017-06-19 Thread Gour
On Mon, 19 Jun 2017 06:03:08 -0400
Tom Horsley wrote:

> I use keepassx to not only generate, but also store passwords.

I was using the same, but now find (qt)pass more pleasant to use.


Sincerely,
Gour

-- 
As the ignorant perform their duties with attachment to results,
the learned may similarly act, but without attachment, for the
sake of leading people on the right path.



Re: gnome-password-generator replacement?

2017-06-19 Thread Tom Horsley
I use keepassx to not only generate, but also store passwords.
It has lots of rules you can select about how to generate
passwords, which is useful, because lots of web sites
have idiotic requirements for passwords, and you can plug
those idiot requirements into the password generator.


Re: gnome-password-generator replacement?

2017-06-19 Thread Joe Zeff

On 06/18/2017 08:21 PM, Tim wrote:

> I completely agree, it's just as impossible to guess that a password is
> "$#DfSGxS" as "sickturtlepyjamas", and I know which one is easier to
> remember and type.  With the peculiar password rules, I have no choice
> but to do the insecure and write down passwords somewhere (whether
> that's on paper or on file).  You're not supposed to write passwords
> down anywhere.


I may have mentioned this before, but I have a friend who uses (roughly) 
ThisIsAVeryVeryLongPassword for his WiFi, on the grounds that it's just 
as hard to guess as the type of gibberish that most security "experts" 
recommend, and a lot easier to remember.



Re: gnome-password-generator replacement?

2017-06-18 Thread Heinz Diehl
On 18.06.2017, stan wrote: 

> It doesn't have a gui that I know of, but I use pwgen from the Fedora
> repositories.  It warns that the passwords are less secure than fully
> random passwords

Pwgen uses /dev/urandom, so the statement that those passwords are
less secure than "fully" random passwords (define "fully random"..) is
merely of an academic nature.

In case of any doubt, you can always do something like

 head /dev/random | tr -dc A-Za-z0-9 | head -c X

where X is your password length. Tr also lets you tailor the
character set used.



Re: gnome-password-generator replacement?

2017-06-18 Thread Tim
Andre Robatino:
> If you use a password manager, you can use a different strong random
> password for each site, and copy and paste it. Fifty characters is
> just as easy as 8, and means you don't have to worry about changing
> the password again (unless a website like Socialsecurity.gov forces
> you to, and they should eventually stop doing that).

That's all very well as long as you only use one device.  When you have
several computers, devices, using other people's equipment, etc.,
password managers soon become their own pain.  So people use an on-line
password manager, and create a single-point of failure for multiple
accounts.

Tim:
>> Really, what ought to get tightened up is the software accepting logons.
>> There should be a limited number of attempts (3 goes and you're out for a
>> significant time limit).  Any system that lets a cracker hammer away
>> with repeated attempts is the thing that is broken.

> That works as long as the website isn't hacked.

A different problem.  Though perhaps related, it depends on how the site
was hacked.  If they let someone peck away at it, it's down to the same
problem.

Sites really need to stop storing your passwords, then need to keep
something that can only be used to confirm correct authentication, and
not be reverse engineerable to discover the password.




Re: gnome-password-generator replacement?

2017-06-18 Thread Andre Robatino
> On Sun, 2017-06-18 at 19:13 -0700, stan wrote:
> 
> I completely agree, it's just as impossible to guess that a password is
> "$#DfSGxS" as "sickturtlepyjamas", and I know which one is easier to
> remember and type.  With the peculiar password rules, I have no choice
> but to do the insecure thing and write down passwords somewhere (whether
> that's on paper or on file).  You're not supposed to write passwords
> down anywhere.

If you use a password manager, you can use a different strong random password 
for each site, and copy and paste it. Fifty characters is just as easy as 8, 
and means you don't have to worry about changing the password again (unless a 
website like Socialsecurity.gov forces you to, and they should eventually stop 
doing that).

> Really, what ought to get tightened up is the software accepting logons.
> There should be a limited number of attempts (3 goes and you're out for a
> significant time limit).  Any system that lets a cracker hammer away
> with repeated attempts is the thing that is broken.

That works as long as the website isn't hacked. If it is, even if the passwords 
are hashed (which they often aren't), the hash can be cracked if the password 
is weak. This actually happened to my PayPal account in 2002. At the time, I 
was using a weak password vulnerable to a dictionary attack (but not to only 
several login attempts). PayPal sent me an email asking me to change my 
password, claiming it was just a random request and had nothing to do with a 
specific attack. Since I knew my password was secure against a handful of login 
attempts, I just changed the password and then immediately changed it back to 
the original one. Shortly after, my account was hacked and money was withdrawn 
from my bank account. PayPal admitted in a later email that there actually had 
been an attack where the password hashes were stolen (implying that they were 
lying the first time). PayPal did eventually reimburse me for the money. The 
point is that it's good if a website limits login attempts, but you can't 
rely on that. I always assume that the hash could become public, and 
choose my password accordingly. (Of course, many websites store passwords in 
plain text, in which case the only thing that helps is not using the same or 
similar password anywhere else.)


Re: gnome-password-generator replacement?

2017-06-18 Thread Tim
On Sun, 2017-06-18 at 19:13 -0700, stan wrote:
> I think it isn't necessary to have all those special characters in
> order to have strong passwords.

I completely agree, it's just as impossible to guess that a password is
"$#DfSGxS" as "sickturtlepyjamas", and I know which one is easier to
remember and type.  With the peculiar password rules, I have no choice
but to do the insecure thing and write down passwords somewhere (whether
that's on paper or on file).  You're not supposed to write passwords
down anywhere.

About the only benefit of stupid character rules is to try and stop
people putting in guessable things, like their child's birthday.  But
the usual rules won't stop people using "John1983$".

What these rulemakers forget is that password cracking is an all or
nothing venture.  You have to get it exactly right to crack it, you
don't get hints that you're almost correct.

Really, what ought to get tightened up is the software accepting logons.
There should be a limited number of attempts (3 goes and you're out for a
significant time limit).  Any system that lets a cracker hammer away
with repeated attempts is the thing that is broken.

> I think the real danger with passwords is that people use the same one
> (usually weak) on multiple sites, so if a site gets cracked, they are
> endangered in other places.

I quite agree.  Along with other stupidities, such as a website telling
users to login with their email address and password.  Instead, it ought
to ask people to login with their account name and *this* site's
password.  People stupidly give their credentials away to all and
sundry with prompts like that.  The account creation process should
specifically say not to use the same password as they use anywhere else.



Re: gnome-password-generator replacement?

2017-06-18 Thread Andre Robatino
Many websites don't allow even 30 chars. One of the important ones I use allows 
only 16 characters (and no 2FA option), but happens to allow special 
characters. Using the largest possible character set is the only way to shore 
that up.


Re: gnome-password-generator replacement?

2017-06-18 Thread Joe Zeff

On 06/18/2017 07:03 PM, Tim wrote:

  1. Used to be able to customise GDM, can't anymore without serious
 hacking.
  2. Used to be able to have screensavers, now you have to bodge in
 something else.
  3. Used to have decent control of the audio mixer, now there's
 none.


4. Used to be able to customize your desktop without installing
   third party add-ons that might break without warning at the
   next update.


Re: gnome-password-generator replacement?

2017-06-18 Thread stan
On Sun, 18 Jun 2017 20:55:08 -
"Andre Robatino"  wrote:

> Thanks. I had actually installed pwgen a few months ago, but it
> looked like the passwords weren't strong enough.
> gnome-password-generator has a Character set option "All printable
> (excluding space)". It appears that "pwgen -sy 30 1", for example,
> does just that, and "pwgen -s 30 1" is the same as "Alphanumeric
> (a-z, A-Z, 0-9)". I use a password manager, so only care about
> maximum entropy. It would be really nice if there was something where
> you could specify an exact set of characters to either include or
> exclude, to cope with certain websites that allow only some special
> characters.

I think it isn't necessary to have all those special characters in order
to have strong passwords.

Open an xterm, and start python by typing python.  Then paste the
following into the command line and hit enter.

(62**30) // (10**6 * 86400 * 365)   # years at a million guesses per second

There are 62 unique possibilities with upper and lower case letters and
numerals.  This is the number of years that a million brute force
attempts per second would take to crack that 30 character password with
only letters and numbers.  With 9 alphanumerics instead of 30,
it's about 400 years, which seems more than adequate.  The special
characters add another 30 possibilities, so the passwords can be
shorter for the same strength, but a 33 character alphanumeric password
is ~ the same as a 92 possibility 30 character password. People
cracking strong passwords don't know that you haven't used 92
characters instead of 62, so they have to check all 92.  :-)  Control-D
exits the python interpreter.

When I hit pwgen -y, it generates columns of 8 character passwords with
a number, a capital, and a special character.  If you need specific
special characters, just grab a few of those with the special
characters you need and concatenate them (4 would be 32 characters), or
change the special character(s) to the one(s) you need.

I think the real danger with passwords is that people use the same one
(usually weak) on multiple sites, so if a site gets cracked, they are
endangered in other places.  You've already finessed that by using a
password manager, so you can easily have unique, strong passwords at
every site.

But these are just my opinions, you have to do what makes you feel
comfortable with your security.


Re: gnome-password-generator replacement?

2017-06-18 Thread Tim
JD wrote:
>> gnome project keeps doing things that disable the user.

Matthew Miller:
> This seems... unnecessary. 

Though, I'd say it's accurate.

You could build up a list of things that keep getting removed from your
control in Gnome.  I'm not going to attempt to build up an extensive
one, but as someone who's used Gnome on Fedora since Fedora began, and
Red Hat Linux beforehand, I have definitely noticed things being removed
from user control.  Here's just a few, and I'm sure others could add
quite a few more, if they wanted:

 1. Used to be able to customise GDM, can't anymore without serious
hacking.
 2. Used to be able to have screensavers, now you have to bodge in
something else.
 3. Used to have decent control of the audio mixer, now there's
none.

Others have commented that if they try to bring up user-configuration of
Gnome in the Gnome arena, it always gets howled down.  The evidence is
against your assertion.



Re: gnome-password-generator replacement?

2017-06-18 Thread Andre Robatino
makepasswd also looks useful. It's clumsier to use, but more flexible. You use 
the -c option followed by a string to specify the exact set of allowed 
characters. The following prints all of the 94 non-space printable characters:

for (( c=33; c<=126; c++ )); do printf "\x$(printf %x $c)"; done

which you can use to construct a makepasswd command using all of those 
characters (putting all the special chars at the end, and backquoting each of 
them)

makepasswd -c 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\!\"\#\$\%\&\'\(\)\*\+\,\-\.\/\:\;\<\=\>\?\@\[\\\]\^\_\`\{\|\}\~ -l 30

(for a 30-character password) and you can remove special chars depending on 
what a particular website allows.
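Putting stan's brute-force arithmetic together with Andre's wish for a generator that takes an exact include/exclude character set, here is an added example (not code from anyone in this thread, nor from pwgen or makepasswd). The function and parameter names are my own; the 94-character set is the same one the makepasswd command above spells out.

```python
import math
import secrets
import string

# All printable ASCII except space: the 94 characters from '!' (33) to '~' (126),
# i.e. the set "pwgen -sy" and the makepasswd -c command in this thread use.
PRINTABLE_NO_SPACE = "".join(chr(c) for c in range(33, 127))


def build_alphabet(include=PRINTABLE_NO_SPACE, exclude=""):
    """Exact character set: start from `include`, drop anything in `exclude`.

    Covers the case of a site that accepts only a few special characters.
    Duplicates are removed so the entropy figure below is honest.
    """
    alphabet = "".join(dict.fromkeys(ch for ch in include if ch not in exclude))
    if len(alphabet) < 2:
        raise ValueError("alphabet must contain at least two distinct characters")
    return alphabet


def generate_password(length, alphabet):
    """Uniform random choice from `alphabet` via the OS CSPRNG (secrets module)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(alphabet_size, length):
    """log2 of the number of equally likely passwords of this shape."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size, length, guesses_per_second=10**6):
    """Years to try every password at a fixed guess rate (the attacker's worst case).

    Integer arithmetic only, so 62**30 neither overflows nor loses precision.
    """
    seconds_per_year = 86400 * 365
    return alphabet_size**length // (guesses_per_second * seconds_per_year)


if __name__ == "__main__":
    # Constructed scenario: a site that allows only these eight specials.
    allowed_specials = "!@#$%^&*"
    disallowed = "".join(ch for ch in string.punctuation if ch not in allowed_specials)
    alphabet = build_alphabet(exclude=disallowed)
    pw = generate_password(16, alphabet)
    print(pw)
    print(f"{len(alphabet)} symbols, {entropy_bits(len(alphabet), 16):.1f} bits")
    print(years_to_exhaust(62, 9), "years for 9 alphanumerics at 1e6 guesses/s")
```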


Re: gnome-password-generator replacement?

2017-06-18 Thread Andre Robatino
BTW, just noticed a bug. pwgen doesn't have an option to use numbers only (for 
creating PINs) so I tried to use "pwgen -n 1" to generate a sequence of random 
digits. But all of the 1-character passwords are lower-case letters, no digits. 
Filed https://bugzilla.redhat.com/show_bug.cgi?id=1462557 .


Re: gnome-password-generator replacement?

2017-06-18 Thread Andre Robatino
Thanks. I had actually installed pwgen a few months ago, but it looked like the 
passwords weren't strong enough. gnome-password-generator has a Character set 
option "All printable (excluding space)". It appears that "pwgen -sy 30 1", for 
example, does just that, and "pwgen -s 30 1" is the same as "Alphanumeric (a-z, 
A-Z, 0-9)". I use a password manager, so only care about maximum entropy. It 
would be really nice if there was something where you could specify an exact 
set of characters to either include or exclude, to cope with certain websites 
that allow only some special characters.


Re: gnome-password-generator replacement?

2017-06-18 Thread Matthew Miller
On Sun, Jun 18, 2017 at 12:19:46PM -0600, JD wrote:
> gnome project keeps doing things that disable the user.

This seems... unnecessary. No one in GNOME is "disabling the user".
Remember that Fedora — like GNOME, for that matter — is maintained by
volunteers. For whatever reason, this package is marked as an "orphan".
This means that there is not currently anyone volunteering to take care
of it.

If you'd like to help, see the process for claiming an orphaned package:
https://fedoraproject.org/wiki/Orphaned_package_that_need_new_maintainers#Claiming_Ownership_of_an_Orphaned_Package_Procedure



-- 
Matthew Miller

Fedora Project Leader


Re: gnome-password-generator replacement?

2017-06-18 Thread stan
On Sun, 18 Jun 2017 17:25:41 -
"Andre Robatino"  wrote:

> gnome-password-generator will not be available in the Fedora repos
> for F26 and later. Do the repos contain a good replacement?

It doesn't have a gui that I know of, but I use pwgen from the Fedora
repositories.  It warns that the passwords are less secure than fully
random passwords, but it allows passwords to be required to have a
capital, a number, and a special character.  When I put a 16 or 18
character password into a strength checker, it always comes out as
highly secure.

Of course, I don't remember those, I keep them in an encrypted file and
cut and paste them where needed.  Not sure how secure using the
paste buffer would be on a shared system.


Re: gnome-password-generator replacement?

2017-06-18 Thread JD


On 06/18/2017 11:25 AM, Andre Robatino wrote:

gnome-password-generator will not be available in the Fedora repos for F26 and 
later. Do the repos contain a good replacement?

gnome project keeps doing things that disable the user.
That is why I do not use it anymore.


gnome-password-generator replacement?

2017-06-18 Thread Andre Robatino
gnome-password-generator will not be available in the Fedora repos for F26 and 
later. Do the repos contain a good replacement?