Also consider the "wrench" implication for biometrics. Given motivation, the unscrupulous would cut your hand (or whatever) off for it too (or kidnap your loved ones or what have you).
In the end I think that knowing when people access stuff with decent pattern analysis is going to be more reliable/scalable than anything else.

On 07/01/2013 10:00 AM, William J. Robbins wrote:
> The wrench never fails. :)
>
> For 99% of my passwords I use LastPass and the PW generator. It irks me no end to come across a site that doesn't accept complex passwords, or ones with stupid limitations of 12 or less characters. I had (past tense is key) a bank site that limited to 16 and didn't allow special characters. Discover actually requires a complex *username*...but I digress.
>
> At the end of the day if someone knows enough to bother encrypting their system in the first place they know to use a decent passphrase...and they also know about the wrench. As another tangent, the wrench is why I like TrueCrypt's "Duress password" ability. But that also doesn't work on whole disk. :(
>
> Which is why I typically don't do whole disk for my personal stuff. Darn wrench.
>
> - William
>
> On Mon, Jul 1, 2013 at 6:35 AM, Edward Harvey <[email protected]> wrote:
>
>> Yeah, I like that one. :-)
>>
>> Also this:
>> http://xkcd.com/538/
>>
>> Incidentally, this is mine, and it's what I use:
>> https://clevertrove.com/randcharsweb/
>>
>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* William J. Robbins
>> *Sent:* Sunday, June 30, 2013 11:07 PM
>> *To:* Edward Ned Harvey (lopser)
>> *Subject:* Re: [lopsa-tech] Bitlocker vs Truecrypt
>>
>> Reminds me almost exactly of this: http://xkcd.com/936/
>>
>> :D
>>
>> - William
>>
>> On Sun, Jun 30, 2013 at 8:29 PM, Edward Ned Harvey (lopser) <[email protected]> wrote:
>>
>>>> From: [email protected] [mailto:[email protected]]
>>>> On Behalf Of William J. Robbins
>>>>
>>>> (And that's based on this:
>>>> https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength
>>>> using the Alphanumeric character value of 5.954, Would be some higher using special characters as one should)
>>>> If I'm encrypting a drive I'd think a decent passphrase would meet/exceed 42 characters. Something like: Dammit Jim, I'm a doctor not a bricklayer!
>>>
>>> To attack your password in a situation such as you described above, an attacker only needs to learn (or guess) that you used some sort of phrase instead of random characters, and they won't need to attack random characters anymore. They'll attack patterns of words, which is a *far* smaller space to attack, considering you have only 8 words in there. 8 random words from the space including unusual words and proper nouns and stuff, gets you around 104 bits. Throw in some common substitutions such as "d0ctor" and you gain a little bit, but they're predictable, unless they're random. In fact, *all* the characters are predictable unless they're random.
>>>
>>> I emphasize, number of characters is only a measure of entropy, if they're randomly selected by a machine, and then you memorize them without any modification. The measure of entropy in your password is measured by the number of guesses an attacker would have to work through in order to guess your pass. As soon as you start making modifications such as "Gpu7mvrDZ is too hard to type, I'm going to make it GPU7mvrDZ" the attack space becomes smaller, based on predictions of human behavior.
>>>
>>>> But to get 256 bits of entropy is only around 42 characters isn't it?
>>>
>>> To answer this kind of stuff, I like wolframalpha. Alphanumeric, mixed case, means 26*26*10 possibilities for each character.
>>> log2((26*26*10)^21)
>>> If you randomly choose 21 characters = 267 bits. (20 chars is only 254 bits).
>>> Here's an example of what the 21 char password would look like:
>>> omEzmGpu7mvrDZbYYPM4Da
>>> Yes, you can memorize something like that, with some effort. But you certainly cannot expect it to be common practice.
>>>
>>> They have to be *random* characters. No acronyms, nothing that reflects the frequency of letters occurring in English, etc. If you're not selecting them randomly, you're reducing the space you select your password from.
>>>
>>> Also, in this: https://code.google.com/p/randchars/ There is a 2264-word list. log2(2264^23) = 256 bits. So 23 random words would give you 256 bits entropy...
>>>
>>> suggest-pot-live-complaint-flood-mouth-bless-and-sauce-anger-mineral-discussion-point-gallon-notebook-wreck-mercy-drop-cousin-absence-other-ocean-sacred
>>>
>>> You could use a randomly generated 256 bit password like that. It might be easier to memorize than the random characters.
>>>
>>>> And if you are doing a home PC not on a domain, the only storage of the recovery key is where you put it on completion. I've seen folks screen shot it, print it off, etc.
>>>
>>> Good point. Recovery key that was initially generated randomly is only as secure as the security around your backup copy of that key. The truecrypt recovery media is equally strong as the truecrypt volume itself - which is as strong as your password. With bitlocker, you have several options, so it's difficult to analyze the security of your backup keys. If stored in Active Directory ... Well, AD is itself very secure if well configured. But lots of people don't configure it well. And if you take a screen shot, or copy text, then it all depends on where you choose to save it...
>
> _______________________________________________
> Tech mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
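The entropy arithmetic in Edward's replies above, as an added worked example that is not part of the thread: it computes bits as length × log2(alphabet size), using the 62-symbol alphanumeric alphabet behind the 5.954 bits/char figure William cites and the 2264-word randchars list, and contrasts the character-count figure for a human-chosen phrase with what the same number of machine-picked words would give. The 8192-word "large vocabulary" size and the short sample word list are assumptions.

```python
import math
import secrets
import string

ALPHANUMERIC = string.ascii_letters + string.digits  # 62 symbols, ~5.954 bits/char
WORDLIST_SIZE = 2264        # size of the randchars word list cited in the thread
LARGE_VOCAB_SIZE = 8192     # assumed vocabulary incl. unusual words/proper nouns (2^13)


def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy of one uniformly random pick from alphabet_size choices."""
    return math.log2(alphabet_size)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` independent uniform picks: log2(alphabet_size ** length)."""
    return length * bits_per_symbol(alphabet_size)


def min_length_for(alphabet_size: int, target_bits: float) -> int:
    """Smallest number of random picks needed to reach target_bits of entropy."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))


def phrase_estimates(phrase: str, wordlist_size: int = WORDLIST_SIZE) -> dict:
    """Contrast the 'count the characters' figure for a human-chosen phrase with the
    entropy it would have if each word had been drawn at random from a word list.
    A memorable quote sits in a far smaller guess space still; both are upper bounds."""
    words = [w for w in phrase.split() if any(c.isalnum() for c in w)]
    return {
        "chars": len(phrase),
        "naive_char_bits": entropy_bits(len(ALPHANUMERIC), len(phrase)),
        "words": len(words),
        "random_word_bits": entropy_bits(wordlist_size, len(words)),
    }


def random_password(length: int, alphabet: str = ALPHANUMERIC) -> str:
    """Machine-chosen characters via the OS CSPRNG; each char is uniform over alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist, n_words: int, sep: str = "-") -> str:
    """n_words uniform picks from wordlist, joined like the randchars example."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    print(f"{entropy_bits(62, 21):.1f} bits for 21 random alphanumerics")
    print(f"{min_length_for(62, 256)} random alphanumerics needed for 256 bits")
    print(f"{entropy_bits(WORDLIST_SIZE, 23):.1f} bits for 23 words from {WORDLIST_SIZE}")
    print(phrase_estimates("Dammit Jim, I'm a doctor not a bricklayer!"))
```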
