Re: gnome-password-generator replacement?
gnome-password-generator was just unretired and is now in F26 updates-testing ( https://bodhi.fedoraproject.org/updates/FEDORA-2017-58751e422c ) so should be in stable soon.

___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Re: gnome-password-generator replacement?
Allegedly, on or about 19 June 2017, Greg Woods sent:
> I'm surprised no one has posted this yet:
>
> https://xkcd.com/936/

Virtually the same thing as I said, minus the illustrations.

--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
(always current details of the computer that I'm writing this email on)

Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list.

Next time your service provider asks you to reboot your equipment, ask them to reboot theirs, first.
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 21:27:51 +0100 Patrick O'Callaghan wrote:
> Because modern CPUs already have hardware RNGs built-in, without
> requiring an additional chip?

But, but, but, they aren't quantum :-).
Re: gnome-password-generator replacement?
On 06/18/2017 01:55 PM, Andre Robatino wrote:
> Thanks. I had actually installed pwgen a few months ago, but it looked like the passwords weren't strong enough. gnome-password-generator has a Character set option "All printable (excluding space)". It appears that "pwgen -sy 30 1", for example, does just that, and "pwgen -s 30 1" is the same as "Alphanumeric (a-z, A-Z, 0-9)". I use a password manager, so only care about maximum entropy. It would be really nice if there was something where you could specify an exact set of characters to either include or exclude, to cope with certain websites that allow only some special characters.

I use "apg". It lets you choose the character classes you want included in the password and you can also exclude specific characters if necessary.
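An added example (not code from the thread, pwgen, apg or gnome-password-generator) of the "exact set of characters to include or exclude" idea from the message above, together with the entropy arithmetic behind the 16-character and 30-character limits discussed elsewhere in the thread. The class names and the site rule in the usage are constructed; the generator draws from the OS CSPRNG via Python's secrets module.

```python
import math
import secrets
import string

# Character classes named after the options discussed above (constructed here;
# the names are assumptions, not gnome-password-generator's or pwgen's own).
CLASSES = {
    "alnum": string.ascii_letters + string.digits,                              # 62
    "printable": "".join(c for c in string.printable if c not in string.whitespace),  # 94
}


def build_charset(base: str, include: str = "", exclude: str = "") -> str:
    """Return the exact, de-duplicated set of characters a password may use."""
    chars = dict.fromkeys(base + include)  # keeps order, drops duplicates
    for c in exclude:
        chars.pop(c, None)
    if not chars:
        raise ValueError("character set is empty after exclusions")
    return "".join(chars)


def generate(length: int, charset: str) -> str:
    """Draw each character uniformly from charset using the OS CSPRNG.

    Unlike 'head /dev/random | tr -dc CLASS | head -c N', this cannot come up
    short when the class is tiny, and secrets.choice rejects out-of-range draws
    instead of taking a byte modulo the class size, so no character is favoured.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(charset) for _ in range(length))


def entropy_bits(length: int, charset_size: int) -> float:
    """Guessing entropy of a uniformly random password: length * log2(|charset|)."""
    return length * math.log2(charset_size)


def compare_policies() -> dict:
    """What a 16-character cap costs, and how much the biggest class buys back."""
    alnum = len(CLASSES["alnum"])
    printable = len(CLASSES["printable"])
    return {
        "16 alnum": round(entropy_bits(16, alnum), 1),
        "16 printable": round(entropy_bits(16, printable), 1),
        "30 alnum": round(entropy_bits(30, alnum), 1),
    }


if __name__ == "__main__":
    # Constructed site rule: alphanumerics plus a few allowed symbols, and drop
    # the look-alike characters that are painful when read back over the phone.
    cs = build_charset(CLASSES["alnum"], include="!@#-_", exclude="lI1O0")
    pw = generate(16, cs)
    print(pw, f"({entropy_bits(len(pw), len(cs)):.1f} bits)")
    for policy, bits in compare_policies().items():
        print(f"{policy}: {bits} bits")
```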
Re: gnome-password-generator replacement?
On Mon, 2017-06-19 at 15:54 -0400, Tom Horsley wrote:
> I just want to know when we'll all have one of these built into
> our computers?
>
> http://www.physicscentral.com/buzz/blog/index.cfm?postid=4422261597116577682
>
> (Doesn't look like it has been turned into a commercial product
> yet which kind of surprises me - probably the researchers and the
> university arguing about rights :-).

Because modern CPUs already have hardware RNGs built-in, without requiring an additional chip?

poc
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 15:54:25 -0400 Tom Horsley wrote:
> http://www.physicscentral.com/buzz/blog/index.cfm?postid=4422261597116577682
>
> (Doesn't look like it has been turned into a commercial product
> yet which kind of surprises me - probably the researchers and the
> university arguing about rights :-).

It might be that they are arguing about patent rights, but it could also be that the prototype is not robust enough to deal with everyday life. There is a huge junkyard between the bench and the shelf. It could also be that a government agency bought all the rights to the device, and is sitting on it because it is too secure. What would speculation be without conspiracy theories? :-)
Re: gnome-password-generator replacement?
I just want to know when we'll all have one of these built into our computers?

http://www.physicscentral.com/buzz/blog/index.cfm?postid=4422261597116577682

(Doesn't look like it has been turned into a commercial product yet which kind of surprises me - probably the researchers and the university arguing about rights :-).
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 17:35:10 - "Andre Robatino" wrote:
> It seemed
> to be a fairly sophisticated attack. When my PayPal account was
> accessed, my email account was DoS'd by sending thousands of garbage
> emails to it every hour, to prevent me from reading PayPal's email
> notifications associated with account activity. It wasn't until later
> in the day that I discovered independently what had happened, and
> realized why my email was being DoS'd.

Yes, that certainly seems sophisticated. Systems level thinking.
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 07:37:35 +0200 Heinz Diehl wrote:
> Pwgen uses /dev/urandom, so the statement that those passwords are
> less secure than "fully" random passwords (define "fully random"..) is
> merely of academical nature.
>
> In case of any doubt, you can always do something like
>
> head /dev/random | tr -dc A-Za-z0-9 | head -c X
>
> where X is your password length. Tr also lets you tailor the
> characterset used.

Here's my shell hack to generate passwords using the above. It saves the passwords in the file devurandom_password.txt in the home directory.

#! /bin/bash
# generate a password using a character set, /dev/urandom,
# and tr to select the characters included.
# The three arguments are
# the character class to use to generate the password (default alnum)
# and
# the length of the password (default 20)
# and
# the number of passwords to generate (default 10)
DPW=/home/$USER/devurandom_password.txt
if [ "$#" = 0 ]; then
    set an 20 10
elif [ "$#" = 1 ]; then
    set "$1" 20 10
elif [ "$#" = 2 ]; then
    set "$1" "$2" 10
fi
# map the two-letter class argument onto a tr character class;
# anything unrecognised falls back to alnum
case "$1" in
    an) CLASS='[:alnum:]' ;;
    al) CLASS='[:alpha:]' ;;
    cn) CLASS='[:cntrl:]' ;;
    di) CLASS='[:digit:]' ;;
    gr) CLASS='[:graph:]' ;;
    lo) CLASS='[:lower:]' ;;
    pr) CLASS='[:print:]' ;;
    pu) CLASS='[:punct:]' ;;
    sp) CLASS='[:space:]' ;;
    up) CLASS='[:upper:]' ;;
    xd) CLASS='[:xdigit:]' ;;
    *)  CLASS='[:alnum:]' ;;
esac
echo "Passwords from /dev/urandom with $1" > "$DPW"
echo '' >> "$DPW"
for ((x = 0 ; x < $3 ; x = x + 1)) ; do
    # the class is quoted so the shell does not treat it as a glob, and the
    # generated password is quoted so that spaces and characters such as *
    # from the print/punct classes reach the file unchanged
    echo "$(head /dev/random | tr -dc "$CLASS" | head -c "$2")" >> "$DPW"
    echo '' >> "$DPW"
done
exit 0
Re: gnome-password-generator replacement?
> How? Don't the attackers have to know the password hashing algorithm to
> do that? If they have enough penetration into the system to know that,
> couldn't they just capture the passwords when they were unhashed?
> i.e. could it have been that they let paypal know they had been
> compromised, so that a program they left on paypal's systems could
> report the unhashed passwords when paypal told their users to reset
> their passwords?

I don't know how it was done, but I'm pretty sure they grabbed the password hashes, not the plaintext passwords. If the hashes weren't salted, they could have just used a standard lookup table. It seemed to be a fairly sophisticated attack. When my PayPal account was accessed, my email account was DoS'd by sending thousands of garbage emails to it every hour, to prevent me from reading PayPal's email notifications associated with account activity. It wasn't until later in the day that I discovered independently what had happened, and realized why my email was being DoS'd.
Re: gnome-password-generator replacement?
On 06/18/2017 08:49 PM, Andre Robatino wrote:
> Many websites don't allow even 30 chars. One of the important ones I use allows only 16 characters (and no 2FA option), but happens to allow special characters. Using the largest possible character set is the only way to shore that up.

A credit card that I recall, allows 56 character passwords.
Re: gnome-password-generator replacement?
On Mon, Jun 19, 2017 at 8:42 AM, stan wrote:
> The man page says they are modified to be more memorable, by
> some definition, and so are less than completely random.
>
> ...generates passwords which are designed to be easily memorized by
> humans, while being as secure as possible.
>

I'm surprised no one has posted this yet:

https://xkcd.com/936/

--Greg
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 11:12:20 -0400 Matthew Miller wrote:
> There are only a handful of commonly-used cryptographically-secure
> hashes which are likely to be used, and they're relatively easy to
> narrow down simply by looking at length. Or, if they're stored like
> they are in /etc/shadow, the entire string actually includes an
> identifier for the hash.
>
> If the passwords are hashed in a non-standard way or with some made-up
> thing... there's probably something wrong that a skilled attacker can
> exploit. (Rule one of crypto: don't write your own crypto.)

Why not use RSA? Create a set of RSA keys, and don't publish them. Encrypt each password with one of the keys, and store it in a database. When needed, decrypt it with the other RSA key. Or encrypt with the original key to compare with the database contents. If an attacker gets the database without the RSA keys, they are trying to decrypt the encrypted message without knowing the composite number that generated the keys. That is, they are trying to break RSA for all composite numbers the product of two large primes. Horrendous. And because these RSA keys aren't published, they can be nonstandard sizes. 4023? 3084? 6173? Good luck with that if you are the cracker. :-)

This is private key RSA instead of public key RSA, more secure. Not roll your own crypto, extensively attacked and tested crypto.

Sure, if your system gets compromised, and someone gains the keys, they break the encryption easily, but that isn't a crypto problem.
Re: gnome-password-generator replacement?
On Mon, 2017-06-19 at 12:07 -0400, Tom Horsley wrote:
> On Mon, 19 Jun 2017 16:44:25 +0100
> Patrick O'Callaghan wrote:
>
> > Exactly. It also makes me question the competence of whoever programmed
> > the website. Can it be that they only know how to read alphanumeric
> > input?
>
> I always suspect someone's nephew built the web site and
> didn't know how to properly quote and unquote special
> characters in HTTP messages :-).

Indeed. It's often the same kind of site that breaks when I input my surname ...

poc
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 16:44:25 +0100 Patrick O'Callaghan wrote:
> Exactly. It also makes me question the competence of whoever programmed
> the website. Can it be that they only know how to read alphanumeric
> input?

I always suspect someone's nephew built the web site and didn't know how to properly quote and unquote special characters in HTTP messages :-).
Re: gnome-password-generator replacement?
Tim:
>> Really, what ought to get tightened up is the software accepting
>> logons. There should be a limited number of attempts (3 goes and you're
>> out for a significant time limit). Any system that lets a cracker
>> hammer away with repeated attempts is the thing that is broken.

stan:
> I don't think it has to be as low as 3. It could be 100 or 1000, a
> restriction that a human will never hit, but a cracking program will
> hit almost immediately.

Three seems to be a common threshold, but I agree that it could be set higher for those reasons. I know that I've mistyped things three times in a row, and when you can't see what you're typing, it's easy to not notice you've made a mistake. Like you, I imagine a cracking attempt is going to try more than a person would.

> This makes it easy to separate attackers from legitimate users, and
> take appropriate action against the attackers. Ban their IP address?
> Notify their ISP? Track their botnet and disable it? I'm not sure
> there are effective defenses.
>
> An alternative is to look for frequency of login attempts. More than 1
> every second implies a bot, not a human.

Again, I agree. It's not too hard for a person to make that kind of judgement call about what's a cracking attempt versus a human trying to deal with a poor interface, so it ought to be a programmable solution, too.

I think you'd first want to block the source from further attempts. If multiple sources are trying, you know it's a crack attempt. No real user could be doing that. You could try banning all cracking sources, but if they're a zombied army of bots, you could be banning genuine users of your service who've no idea they're using a compromised computer. So the idea of notifying their ISP has merit, on a number of fronts (ISP can tell the user they need to fix up their PC, ISP can take action to check if their users are indulging in organised hacking, etc).

Though there's still the problem of reporting things to ISPs that are a problem, in themselves. In my early days of using the net, I'd occasionally make a report to an ISP about spam from one of their users, only to get a bucketload more spam straight away. It was obvious that the ISP itself, or one of their staff, was involved in spamming; or they stupidly inform their user about the complaint, naming where the complaint came from. Either way, making a complaint was actually worse than useless.

--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
(always current details of the computer that I'm writing this email on)

Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list.

Next time your service provider asks you to reboot your equipment, ask them to reboot theirs, first.
Re: gnome-password-generator replacement?
On Mon, 2017-06-19 at 08:36 -0400, Tom Horsley wrote:
> On Mon, 19 Jun 2017 12:55:28 +0100
> Patrick O'Callaghan wrote:
>
> > One
> > of them even disallows cut-and-paste, which tempts the user to have a
> > password simple enough to remember and type by hand.
>
> One of the keepassx features is the ability to simulate
> typing to teach the annoying web designers who is boss :-).

I just use the X buffer copy-and-paste, which they don't seem to be aware of.

> The sites that crack me up are the ones which have rules
> like "you can only use letters and numbers" in your password.
> Why? That just means anyone trying to guess passwords has
> a much simpler job.

Exactly. It also makes me question the competence of whoever programmed the website. Can it be that they only know how to read alphanumeric input?

poc
Re: gnome-password-generator replacement?
On Mon, Jun 19, 2017 at 08:02:28AM -0700, stan wrote:
> > That works as long as the website isn't hacked. If it is, even if the
> > passwords are hashed (which they often aren't), the hash can be
> > cracked if the password is weak.
> How? Don't the attackers have to know the password hashing algorithm to
> do that? If they have enough penetration into the system to know that,

There are only a handful of commonly-used cryptographically-secure hashes which are likely to be used, and they're relatively easy to narrow down simply by looking at length. Or, if they're stored like they are in /etc/shadow, the entire string actually includes an identifier for the hash.

If the passwords are hashed in a non-standard way or with some made-up thing... there's probably something wrong that a skilled attacker can exploit. (Rule one of crypto: don't write your own crypto.)

--
Matthew Miller
Fedora Project Leader
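An added example (not from the thread) of the two identification routes Matthew describes, written as a defender's audit of a credential store: read the crypt(3) "$id$" prefix where there is one, fall back to the hex length for raw digests, and flag accounts whose unsalted verifiers are byte-identical, which is exactly what lets a lookup table work. The "$demo$" salted format and every stored value are constructed for the example; only the "$id$" table reflects real crypt conventions.

```python
import hashlib
import re

# crypt(3) identifiers as they appear in /etc/shadow ("$6$salt$hash" and so on).
CRYPT_IDS = {"1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
             "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt"}
# Hex output lengths of the common raw digests, which is all a bare hex string reveals.
HEX_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def identify(stored: str) -> dict:
    """Classify one stored verifier: which scheme, and whether it carries a salt.

    'salted' is True for a known crypt id, False for a bare raw digest, and None
    for a '$something$' prefix this table does not know (assume nothing about it).
    """
    m = re.match(r"^\$([^$]+)\$", stored)
    if m:
        ident = m.group(1)
        if ident in CRYPT_IDS:
            return {"scheme": CRYPT_IDS[ident], "salted": True}
        return {"scheme": f"unknown ${ident}$", "salted": None}
    if re.fullmatch(r"[0-9a-fA-F]+", stored) and len(stored) in HEX_LENGTHS:
        return {"scheme": HEX_LENGTHS[len(stored)] + " (raw)", "salted": False}
    return {"scheme": "unrecognised", "salted": None}


def duplicate_clusters(verifiers: dict) -> list:
    """Accounts whose stored verifier is byte-identical, sorted for stable output.

    With no salt, two users sharing a password share a hash, so any cluster of
    size > 1 in a raw-digest store is an audit finding on its own.
    """
    by_value = {}
    for user, value in verifiers.items():
        by_value.setdefault(value, []).append(user)
    return sorted(users for users in by_value.values() if len(users) > 1)


def audit(verifiers: dict) -> dict:
    """Per-account scheme, the accounts stored unsalted, and duplicate clusters."""
    schemes = {u: identify(v)["scheme"] for u, v in verifiers.items()}
    unsalted = [u for u, v in verifiers.items() if identify(v)["salted"] is False]
    return {"schemes": schemes, "unsalted": unsalted,
            "clusters": duplicate_clusters(verifiers)}


# Helpers that build the constructed sample store below (demo formats only).
def raw_sha256(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def demo_salted(pw: str, salt: bytes) -> str:
    """Constructed '$demo$' format: hex salt, then SHA-256(salt || password)."""
    return "$demo$" + salt.hex() + "$" + hashlib.sha256(salt + pw.encode()).hexdigest()


# Constructed sample: no real credentials; every account uses the same password.
SAMPLE_STORE = {
    "alice": raw_sha256("correct horse"),
    "bob": raw_sha256("correct horse"),                      # identical to alice
    "carol": hashlib.md5(b"correct horse").hexdigest(),      # raw, 32 hex chars
    "dave": demo_salted("correct horse", bytes.fromhex("00112233445566778899aabbccddeeff")),
    "erin": demo_salted("correct horse", bytes.fromhex("ffeeddccbbaa99887766554433221100")),
    "frank": "$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH",           # placeholder sha512crypt shape
}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_STORE).items():
        print(f"{key}: {value}")
```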
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 02:49:30 - "Andre Robatino" wrote:
> Many websites don't allow even 30 chars. One of the important ones I
> use allows only 16 characters (and no 2FA option), but happens to
> allow special characters. Using the largest possible character set is
> the only way to shore that up.

Good point.
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 04:48:16 - "Andre Robatino" wrote:
> That works as long as the website isn't hacked. If it is, even if the
> passwords are hashed (which they often aren't), the hash can be
> cracked if the password is weak.

How? Don't the attackers have to know the password hashing algorithm to do that? If they have enough penetration into the system to know that, couldn't they just capture the passwords when they were unhashed? i.e. could it have been that they let paypal know they had been compromised, so that a program they left on paypal's systems could report the unhashed passwords when paypal told their users to reset their passwords?
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 12:51:30 +0930 Tim wrote:
> Really, what ought to get tightened up is the software accepting
> logons. There should be a limited number of attempts (3 goes and you're
> out for a significant time limit). Any system that lets a cracker
> hammer away with repeated attempts is the thing that is broken.

I don't think it has to be as low as 3. It could be 100 or 1000, a restriction that a human will never hit, but a cracking program will hit almost immediately. This makes it easy to separate attackers from legitimate users, and take appropriate action against the attackers. Ban their IP address? Notify their ISP? Track their botnet and disable it? I'm not sure there are effective defenses.

An alternative is to look for frequency of login attempts. More than 1 every second implies a bot, not a human.
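An added example (not from the thread) that turns the three heuristics raised in this exchange into detection logic over an authentication log: a per-source failure count a human never reaches, a per-source rate above one attempt per second, and one account being hit from several sources. The thresholds are the posters' suggested numbers, the log line format is an assumption, and every line (addresses from the RFC 5737 documentation ranges) is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds as suggested in the discussion; tune them for a real service.
MAX_FAILURES = 100         # failed attempts from one source before it is throttled
MAX_RATE = 1.0             # failed attempts per second from one source
MIN_SOURCES_PER_USER = 3   # distinct sources failing on one account


def parse_line(line: str):
    """Parse one constructed line: '<iso-time> FAIL|OK user=<name> src=<addr>'."""
    ts, result, user, src = line.split()
    return datetime.fromisoformat(ts), result, user.split("=", 1)[1], src.split("=", 1)[1]


def burst(src: str, user: str, count: int, start: str, step_seconds: float) -> list:
    """Constructed lines: one source failing on one account at a fixed cadence."""
    t0 = datetime.fromisoformat(start)
    return [f"{(t0 + timedelta(seconds=i * step_seconds)).isoformat()} FAIL user={user} src={src}"
            for i in range(count)]


# Constructed sample log: a fast guesser, a slow-but-persistent guesser, a human
# who mistypes twice then succeeds, and one account probed from three addresses.
SAMPLE_LOG = (
    burst("203.0.113.5", "alice", 6, "2017-06-19T12:00:00", 0.5)
    + burst("203.0.113.6", "alice", 120, "2017-06-19T12:10:00", 2)
    + ["2017-06-19T12:00:10 FAIL user=bob src=198.51.100.7",
       "2017-06-19T12:00:25 FAIL user=bob src=198.51.100.7",
       "2017-06-19T12:00:41 OK user=bob src=198.51.100.7"]
    + [f"2017-06-19T12:01:{i:02d} FAIL user=carol src=203.0.113.{20 + i}" for i in range(3)]
)


def classify(lines, max_failures=MAX_FAILURES, max_rate=MAX_RATE,
             min_sources=MIN_SOURCES_PER_USER):
    """Return ({source: reason} to throttle, {user: n_sources} under distributed guessing).

    Only failures count: a successful login after two typos is what a human looks like.
    The count rule fires first so a slow but exhaustive source is still caught.
    """
    fail_times = defaultdict(list)       # src -> timestamps of failures
    sources_per_user = defaultdict(set)  # user -> sources that failed against it
    for line in lines:
        ts, result, user, src = parse_line(line)
        if result != "FAIL":
            continue
        fail_times[src].append(ts)
        sources_per_user[user].add(src)

    throttle = {}
    for src, times in fail_times.items():
        n = len(times)
        span = (max(times) - min(times)).total_seconds()
        if n < 2:
            rate = 0.0
        elif span == 0:
            rate = float("inf")      # several failures in the same second
        else:
            rate = n / span
        if n > max_failures:
            throttle[src] = f"count {n} > {max_failures}"
        elif rate > max_rate:
            throttle[src] = f"rate {rate:.2f}/s > {max_rate}"

    targeted = {u: len(s) for u, s in sources_per_user.items() if len(s) >= min_sources}
    return throttle, targeted


if __name__ == "__main__":
    throttle, targeted = classify(SAMPLE_LOG)
    for src, reason in throttle.items():
        print(f"throttle {src}: {reason}")
    for user, n in targeted.items():
        print(f"account {user} probed from {n} sources")
```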
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 07:37:35 +0200 Heinz Diehl wrote:
> Pwgen uses /dev/urandom, so the statement that those passwords are
> less secure than "fully" random passwords (define "fully random"..) is
> merely of academical nature.

The man page says they are modified to be more memorable, by some definition, and so are less than completely random.

...generates passwords which are designed to be easily memorized by humans, while being as secure as possible. Human-memorable passwords are never going to be as secure as completely random passwords. ...

I suppose if someone knew I had used pwgen, and incorporated that pattern knowledge into their attack, that might be true. But to an ignorant attacker, these are effectively random passwords. Or more importantly, cryptographically secure passwords, since 'password' is a perfectly legitimate random 8 character string, but not a cryptographically secure 8 character string.

I'm glad to learn that pwgen uses /dev/urandom. That is probably the best solution on a linux system, especially if a hardware random number generator is feeding entropy into /dev/random, as excess entropy will be fed into /dev/urandom, enhancing its unpredictability.

> In case of any doubt, you can always do something like
>
> head /dev/random | tr -dc A-Za-z0-9 | head -c X
>
> where X is your password length. Tr also lets you tailor the
> characterset used.

Neat solution. I like all the predefined character classes for tr. And it lends itself nicely to a script.
Re: gnome-password-generator replacement?
On Mon, Jun 19, 2017 at 11:33:00AM +0930, Tim wrote:
> Matthew Miller:
> > This seems... unnecessary.
> Though, I'd say it's accurate.

Maybe, but *entirely* unrelated to the situation here. So I don't see the value.

--
Matthew Miller
Fedora Project Leader
Re: gnome-password-generator replacement?
Allegedly, on or about 19 June 2017, Patrick O'Callaghan sent:
> I have a number of bank accounts in several countries (for perfectly
> legitimate reasons, I hasten to add) and in my experience each bank
> has its own rules which as often as not mitigate *against* good
> security practice, e.g. forcing you to change the password every 3
> months (which invites password1, password2, password3 ...) or having
> their own peculiar Javascript which blocks you from using a password
> manager. One of them even disallows cut-and-paste, which tempts the
> user to have a password simple enough to remember and type by hand.

Yes, I'm tired of hosts with special rules, and they often are the opposite of security. Such as your password has to be 6 to 8 characters long. My long passphrase is far more secure than a 6 to 8 character sequence, and far easier to type than mixed case and symbols. I wish these dunderheads would get it through their thick skulls that hard-to-type passwords does not equal hard-to-crack.

Long ago, I set a password on something, but must have mistyped it in, the first time around. It took me ages to try out all the possible typing errors that might have occurred. I loathe password entry boxes that don't let you see what you're typing in.

After one site gave me the runaround with their stupid rules, I set a passphrase that was my low opinion of the service. Later on, I had to say the password to one of their phone help people to resolve a problem.

--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
(always current details of the computer that I'm writing this email on)

Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list.

I reserve the right to treat other people in exactly the same way that they treat me.
Re: gnome-password-generator replacement?
Allegedly, on or about 19 June 2017, Tom Horsley sent:
> The sites that crack me up are the ones which have rules
> like "you can only use letters and numbers" in your password.
> Why? That just means anyone trying to guess passwords has
> a much simpler job.

I can guess two reasons:

Some special characters might get interpreted by their software, rather than accepted as-is.

Some special characters can't by typed on all computers, or their users can't type them properly. e.g. How many times do you see the Brits mis-use the backtick as an apostrophe?

--
[tim@localhost ~]$ uname -rsvp
Linux 3.9.10-100.fc17.x86_64 #1 SMP Sun Jul 14 01:31:27 UTC 2013 x86_64
(always current details of the computer that I'm writing this email on)

Boilerplate: All mail to my mailbox is automatically deleted, there is no point trying to privately email me, I only get to see the messages posted to the mailing list.

Just because nobody complains, it doesn't mean that all parachutes are perfect.
Re: gnome-password-generator replacement?
On Mon, Jun 19, 2017 at 08:36:35AM -0400, Tom Horsley wrote:
> On Mon, 19 Jun 2017 12:55:28 +0100
> Patrick O'Callaghan wrote:
>
> > One
> > of them even disallows cut-and-paste, which tempts the user to have a
> > password simple enough to remember and type by hand.
>
> One of the keepassx features is the ability to simulate
> typing to teach the annoying web designers who is boss :-).
>
> The sites that crack me up are the ones which have rules
> like "you can only use letters and numbers" in your password.
> Why? That just means anyone trying to guess passwords has
> a much simpler job.

possibly of brain-dead underlying systems that will accept only those characters.

--
Fred Smith -- fre...@fcshome.stoneham.ma.us
Show me your ways, O LORD, teach me your paths; Guide me in your truth and teach me, for you are God my Savior, And my hope is in you all day long.
-- Psalm 25:4-5 (NIV)
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 12:55:28 +0100 Patrick O'Callaghan wrote:
> One
> of them even disallows cut-and-paste, which tempts the user to have a
> password simple enough to remember and type by hand.

One of the keepassx features is the ability to simulate typing to teach the annoying web designers who is boss :-).

The sites that crack me up are the ones which have rules like "you can only use letters and numbers" in your password. Why? That just means anyone trying to guess passwords has a much simpler job.
Re: gnome-password-generator replacement?
On Mon, 2017-06-19 at 00:17 -0700, Joe Zeff wrote:
> On 06/18/2017 08:21 PM, Tim wrote:
> > I completely agree, it's just as impossible to guess that a password is
> > "$#DfSGxS" than "sickturtlepyjamas", and I know which one is easier to
> > remember and type. With the peculiar password rules, I have no choice
> > to but to do the insecure and write down passwords somewhere (whether
> > that's on paper or on file). You're not supposed to write passwords
> > down anywhere.
>
> I may have mentioned this before, but I have a friend who uses (roughly)
> ThisIsAVeryVeryLongPassword for his WiFi, on the grounds that it's just
> as hard to guess as the type of gibberish that most security "experts"
> recommend, and a lot easier to remember.

The problem with many of these "rules" is that they don't apply universally. A password suitable for a banking site is one thing, and a password for your home Wifi network is another. Never write down the first one (use a password manager), but feel free to write down the second one and keep it in a drawer. And where possible, use your router to configure a guest network with a different password and more restricted access for those times when you have visitors.

I have a number of bank accounts in several countries (for perfectly legitimate reasons, I hasten to add) and in my experience each bank has its own rules which as often as not mitigate *against* good security practice, e.g. forcing you to change the password every 3 months (which invites password1, password2, password3 ...) or having their own peculiar Javascript which blocks you from using a password manager. One of them even disallows cut-and-paste, which tempts the user to have a password simple enough to remember and type by hand.

poc
Re: gnome-password-generator replacement?
On Mon, 19 Jun 2017 06:03:08 -0400 Tom Horsley wrote:
> I use keepassx to not only generate, but also store passwords.

I was using the same, but now find (qt)pass more pleasant to use.

Sincerely,
Gour

--
As the ignorant perform their duties with attachment to results, the learned may similarly act, but without attachment, for the sake of leading people on the right path.
Re: gnome-password-generator replacement?
I use keepassx to not only generate, but also store passwords. It has lots of rules you can select about how to generate passwords, which is useful, because lots of web sites have idiotic requirements for passwords, and you can plug those idiot requirements into the password generator.
Re: gnome-password-generator replacement?
On 06/18/2017 08:21 PM, Tim wrote:
> I completely agree, it's just as impossible to guess that a password is "$#DfSGxS" than "sickturtlepyjamas", and I know which one is easier to remember and type. With the peculiar password rules, I have no choice to but to do the insecure and write down passwords somewhere (whether that's on paper or on file). You're not supposed to write passwords down anywhere.

I may have mentioned this before, but I have a friend who uses (roughly) ThisIsAVeryVeryLongPassword for his WiFi, on the grounds that it's just as hard to guess as the type of gibberish that most security "experts" recommend, and a lot easier to remember.
Re: gnome-password-generator replacement?
On 18.06.2017, stan wrote:
> It doesn't have a gui that I know of, but I use pwgen from the Fedora
> repositories. It warns that the passwords are less secure than fully
> random passwords

Pwgen uses /dev/urandom, so the statement that those passwords are less secure than "fully" random passwords (define "fully random"..) is merely of academical nature.

In case of any doubt, you can always do something like

head /dev/random | tr -dc A-Za-z0-9 | head -c X

where X is your password length. Tr also lets you tailor the characterset used.
Re: gnome-password-generator replacement?
Andre Robatino:
> If you use a password manager, you can use a different strong random
> password for each site, and copy and paste it. Fifty characters is
> just as easy as 8, and means you don't have to worry about changing
> the password again (unless a website like Socialsecurity.gov forces
> you to, and they should eventually stop doing that).

That's all very well as long as you only use one device. When you have several computers, devices, using other people's equipment, etc., password managers soon become their own pain. So people use an on-line password manager, and create a single-point of failure for multiple accounts.

Tim:
>> Really, what ought to get tightened up is the software accepting logons.
>> There should be a limited number of attempts (3 goes and you're out for a
>> significant time limit). Any system that lets a cracker hammer away
>> with repeated attempts is the thing that is broken.

> That works as long as the website isn't hacked.

A different problem. Though perhaps related, it depends on how the site was hacked. If they let someone peck away at it, it's down to the same problem.

Sites really need to stop storing your passwords, then need to keep something that can only be used to confirm correct authentication, and not be reverse engineerable to discover the password.
Re: gnome-password-generator replacement?
> On Sun, 2017-06-18 at 19:13 -0700, stan wrote:
>
> I completely agree, it's just as impossible to guess that a password is
> "$#DfSGxS" than "sickturtlepyjamas", and I know which one is easier to
> remember and type. With the peculiar password rules, I have no choice
> but to do the insecure and write down passwords somewhere (whether
> that's on paper or on file). You're not supposed to write passwords
> down anywhere.

If you use a password manager, you can use a different strong random password for each site, and copy and paste it. Fifty characters is just as easy as 8, and means you don't have to worry about changing the password again (unless a website like Socialsecurity.gov forces you to, and they should eventually stop doing that).

> Really, what ought to get tightened up is the software accepting logons.
> There should be a limited number of attempts (3 goes and you're out for a
> significant time limit). Any system that lets a cracker hammer away
> with repeated attempts is the thing that is broken.

That works as long as the website isn't hacked. If it is, even if the passwords are hashed (which they often aren't), the hash can be cracked if the password is weak. This actually happened to my PayPal account in 2002. At the time, I was using a weak password vulnerable to a dictionary attack (but not to only several login attempts). PayPal sent me an email asking me to change my password, claiming it was just a random request and had nothing to do with a specific attack. Since I knew my password was secure against a handful of login attempts, I just changed the password and then immediately changed it back to the original one. Shortly after, my account was hacked and money was withdrawn from my bank account. PayPal admitted in a later email that there actually had been an attack where the password hashes were stolen (implying that they were lying the first time). PayPal did eventually reimburse me for the money.

The point is that it's good if a website limits login attempts, but you can't rely on that. I always assume that the hash could become public, and choose my password accordingly. (Of course, many websites store passwords in plain text, in which case the only thing that helps is not using the same or similar password anywhere else.)
Re: gnome-password-generator replacement?
On Sun, 2017-06-18 at 19:13 -0700, stan wrote:
> I think it isn't necessary to have all those special characters in
> order to have strong passwords.

I completely agree, it's just as impossible to guess that a password is "$#DfSGxS" than "sickturtlepyjamas", and I know which one is easier to remember and type. With the peculiar password rules, I have no choice but to do the insecure and write down passwords somewhere (whether that's on paper or on file). You're not supposed to write passwords down anywhere.

About the only benefit of stupid character rules is to try and stop people putting in guessable things, like their child's birthday. But the usual rules won't stop people using "John1983$". What these rulemakers forget is that password cracking is an all or nothing venture. You have to get it exactly right to crack it, you don't get hints that you're almost correct.

Really, what ought to get tightened up is the software accepting logons. There should be a limited number of attempts (3 goes and you're out for a significant time limit). Any system that lets a cracker hammer away with repeated attempts is the thing that is broken.

> I think the real danger with passwords is that people use the same one
> (usually weak) on multiple sites, so if a site gets cracked, they are
> endangered in other places.

I quite agree. Along with other stupidities, such as a website telling users to login with their email address and password. Instead, it ought to ask people to login with their account name and *this* site's password. People stupidly give their credentials away to all and sundry with prompts like that. The account creation process should specifically say not to use the same password as they use anywhere else.
Re: gnome-password-generator replacement?
Many websites don't allow even 30 chars. One of the important ones I use allows only 16 characters (and no 2FA option), but happens to allow special characters. Using the largest possible character set is the only way to shore that up.
Re: gnome-password-generator replacement?
On 06/18/2017 07:03 PM, Tim wrote:
> 1. Used to be able to customise GDM, can't anymore without serious hacking.
> 2. Used to be able to have screensavers, now you have to bodge in something else.
> 3. Used to have decent control of the audio mixer, now there's none.

4. Used to be able to customize your desktop without installing third party add-ons that might break without warning at the next update.
Re: gnome-password-generator replacement?
On Sun, 18 Jun 2017 20:55:08 - "Andre Robatino" wrote:
> Thanks. I had actually installed pwgen a few months ago, but it
> looked like the passwords weren't strong enough.
> gnome-password-generator has a Character set option "All printable
> (excluding space)". It appears that "pwgen -sy 30 1", for example,
> does just that, and "pwgen -s 30 1" is the same as "Alphanumeric
> (a-z, A-Z, 0-9)". I use a password manager, so only care about
> maximum entropy. It would be really nice if there was something where
> you could specify an exact set of characters to either include or
> exclude, to cope with certain websites that allow only some special
> characters.

I think it isn't necessary to have all those special characters in order to have strong passwords. Open an xterm, and start python by typing python. Then paste the following into the command line and hit enter.

    (62**30) // (10**6 * 86400 * 366)

There are 62 unique possibilities with upper and lower case letters and numerals. This is the number of years that a million brute force attempts per second would take to crack that 30 character password with only letters and numbers. With 9 alphanumerics instead of 30, it's about 400 years, which seems more than adequate. The special characters add another 30 possibilities, so the passwords can be shorter for the same strength, but a 33 character alphanumeric password is ~ the same as a 92 possibility 30 character password. People cracking strong passwords don't know that you haven't used 92 characters instead of 62, so they have to check all 92. :-) Control-D exits the python interpreter.

When I hit pwgen -y, it generates columns of 8 character passwords with a number, a capital, and a special character. If you need specific special characters, just grab a few of those with the special characters you need and concatenate them (4 would be 32 characters), or change the special character(s) to the one(s) you need.

I think the real danger with passwords is that people use the same one (usually weak) on multiple sites, so if a site gets cracked, they are endangered in other places. You've already finessed that by using a password manager, so you can easily have unique, strong passwords at every site. But these are just my opinions, you have to do what makes you feel comfortable with your security.
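The arithmetic stan walks through, as an added Python example that is not code from the thread: it keeps his million guesses per second and 366-day year, but generalises to any alphabet size and length so the 62-symbol versus 92-symbol comparison (and the length needed for a chosen entropy target) can be checked directly.

```python
import math

GUESSES_PER_SECOND = 10**6       # stan's assumed brute-force rate
SECONDS_PER_YEAR = 86400 * 366   # stan's year: 366 days of 86400 seconds


def keyspace(alphabet_size, length):
    """Number of distinct passwords of this length over this alphabet."""
    return alphabet_size ** length


def brute_force_years(alphabet_size, length, rate=GUESSES_PER_SECOND):
    """Years to try every password (worst case; the expected time is half this)."""
    return keyspace(alphabet_size, length) / (rate * SECONDS_PER_YEAR)


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


def equivalent_length(alphabet_size, target_bits):
    """Shortest length over this alphabet that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


if __name__ == "__main__":
    # The cases discussed in the thread: alphanumeric (62) vs. 92 printable symbols.
    for size, length in [(62, 9), (62, 30), (62, 33), (92, 30)]:
        print(f"{size:>2} symbols x {length:>2} chars: "
              f"{entropy_bits(size, length):6.1f} bits, "
              f"{brute_force_years(size, length):.3g} years at 1e6 guesses/s")
    # 128 bits is a common target; how long must the password be per alphabet?
    for size in (10, 26, 62, 94):
        print(f"{size:>2} symbols need {equivalent_length(size, 128)} chars for 128 bits")
```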
Re: gnome-password-generator replacement?
JD wrote:
>> gnome project keeps doing things that disable the user.

Matthew Miller:
> This seems... unnecessary.

Though, I'd say it's accurate. You could build up a list of things that keep getting removed from your control in Gnome. I'm not going to attempt to build up an extensive one, but as someone who's used Gnome on Fedora since Fedora began, and Red Hat Linux beforehand, I have definitely noticed things being removed from user control. Here's just a few, and I'm sure others could add quite a few more, if they wanted:

1. Used to be able to customise GDM, can't anymore without serious hacking.
2. Used to be able to have screensavers, now you have to bodge in something else.
3. Used to have decent control of the audio mixer, now there's none.

Others have commented that if they try to bring up user-configuration of Gnome in the Gnome arena, it always gets howled down. The evidence is against your assertion.

-- 
I reserve the right to be as hypocritical as the next person.
Re: gnome-password-generator replacement?
makepasswd also looks useful. It's clumsier to use, but more flexible. You use the -c option followed by a string to specify the exact set of allowed characters. The following prints all of the 94 non-space printable characters:

    for (( c=33; c<=126; c++ )); do printf "\x$(printf %x $c)"; done

which you can use to construct a makepasswd command using all of those characters (putting all the special chars at the end, and backquoting each of them)

    makepasswd -c 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz\!\"\#\$\%\&\'\(\)\*\+\,\-\.\/\:\;\<\=\>\?\@\[\\\]\^\_\`\{\|\}\~ -l 30

(for a 30-character password) and you can remove special chars depending on what a particular website allows.
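The include/exclude behaviour asked for earlier in the thread, as an added Python example rather than a makepasswd invocation (not code from the thread or from any of the tools named): it builds the same 94-character set as the shell loop above, drops whatever a site forbids, draws from the OS CSPRNG through the secrets module, and can insist on the classes pwgen -y guarantees. The class names and the example exclusion list are my own choices.

```python
import math
import secrets
import string

# Same 94 characters the shell loop prints: ASCII 33..126, i.e. printable minus space.
PRINTABLE_NO_SPACE = "".join(chr(c) for c in range(33, 127))
SPECIALS = "".join(c for c in PRINTABLE_NO_SPACE if c not in string.ascii_letters + string.digits)


def build_alphabet(include=PRINTABLE_NO_SPACE, exclude=""):
    """Allowed characters: 'include' minus anything in 'exclude', duplicates removed."""
    allowed = "".join(c for c in dict.fromkeys(include) if c not in exclude)
    if not allowed:
        raise ValueError("every character was excluded")
    return allowed


def generate(length, alphabet, require=()):
    """Uniform random password over 'alphabet' from the OS CSPRNG.

    'require' is a tuple of character classes (strings) that must each appear
    at least once; rejection sampling keeps the result uniform over the
    passwords that satisfy it, and for length >= 12 the entropy lost is tiny.
    """
    if length < len(require):
        raise ValueError("length too short to contain every required class")
    for cls in require:
        if not set(cls) & set(alphabet):
            raise ValueError("a required class has no member in the alphabet")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in require):
            return pw


def entropy_bits(length, alphabet):
    """Entropy in bits of a uniform password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    # Constructed case: a site allowing 16 characters that forbids quotes, backslash
    # and angle brackets, but wants an upper-case letter, a digit and a special.
    alphabet = build_alphabet(exclude="\"'`\\<>")
    pw = generate(16, alphabet, require=(string.ascii_uppercase, string.digits, SPECIALS))
    print(pw, f"({entropy_bits(16, alphabet):.1f} bits)")
```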
Re: gnome-password-generator replacement?
BTW, just noticed a bug. pwgen doesn't have an option to use numbers only (for creating PINs) so I tried to use "pwgen -n 1" to generate a sequence of random digits. But all of the 1-character passwords are lower-case letters, no digits. Filed https://bugzilla.redhat.com/show_bug.cgi?id=1462557 .
Re: gnome-password-generator replacement?
Thanks. I had actually installed pwgen a few months ago, but it looked like the passwords weren't strong enough. gnome-password-generator has a Character set option "All printable (excluding space)". It appears that "pwgen -sy 30 1", for example, does just that, and "pwgen -s 30 1" is the same as "Alphanumeric (a-z, A-Z, 0-9)". I use a password manager, so only care about maximum entropy. It would be really nice if there was something where you could specify an exact set of characters to either include or exclude, to cope with certain websites that allow only some special characters.
Re: gnome-password-generator replacement?
On Sun, Jun 18, 2017 at 12:19:46PM -0600, JD wrote:
> gnome project keeps doing things that disable the user.

This seems... unnecessary. No one in GNOME is "disabling the user". Remember that Fedora — like GNOME, for that matter — is maintained by volunteers. For whatever reason, this package is marked as an "orphan". This means that there is not currently anyone volunteering to take care of it. If you'd like to help, see the process for claiming an orphaned package: https://fedoraproject.org/wiki/Orphaned_package_that_need_new_maintainers#Claiming_Ownership_of_an_Orphaned_Package_Procedure

-- 
Matthew Miller
Fedora Project Leader
Re: gnome-password-generator replacement?
On Sun, 18 Jun 2017 17:25:41 - "Andre Robatino" wrote:
> gnome-password-generator will not be available in the Fedora repos
> for F26 and later. Do the repos contain a good replacement?

It doesn't have a gui that I know of, but I use pwgen from the Fedora repositories. It warns that the passwords are less secure than fully random passwords, but it allows passwords to be required to have a capital, a number, and a special character. When I put a 16 or 18 character password into a strength checker, it always comes out as highly secure. Of course, I don't remember those, I keep them in an encrypted file and cut and paste them where needed. Not sure how secure using the paste buffer would be on a shared system.
Re: gnome-password-generator replacement?
On 06/18/2017 11:25 AM, Andre Robatino wrote:
> gnome-password-generator will not be available in the Fedora repos for F26 and later. Do the repos contain a good replacement?

gnome project keeps doing things that disable the user. That is why I do not use it anymore.