Reminds me of *Demolition Man* where Wesley Snipes' character pulled out the warden's eye. :)
- William

On Mon, Jul 1, 2013 at 9:19 AM, Jeremy Page <[email protected]> wrote:

> Also consider the "wrench" implication for biometrics. Given motivation
> the unscrupulous would cut your hand (or whatever) off for it too (or
> kidnap your loved ones or what have you).
>
> In the end I think that knowing when people access stuff with decent
> pattern analysis is going to be more reliable/scalable than anything else.
>
> On 07/01/2013 10:00 AM, William J. Robbins wrote:
>
>> The wrench never fails. :)
>>
>> For 99% of my passwords I use LastPass and the PW generator. It irks me
>> no end to come across a site that doesn't accept complex passwords, or ones
>> with stupid limitations of 12 or fewer characters. I had (past tense is
>> key) a bank site that limited to 16 and didn't allow special characters.
>> Discover actually requires a complex *username*...but I digress.
>>
>> At the end of the day, if someone knows enough to bother encrypting their
>> system in the first place they know to use a decent passphrase...and they
>> also know about the wrench. As another tangent, the wrench is why I like
>> TrueCrypt's "duress password" ability. But that also doesn't work on whole
>> disk. :(
>>
>> Which is why I typically don't do whole disk for my personal stuff.
>> Darn wrench.
>>
>> - William
>>
>> On Mon, Jul 1, 2013 at 6:35 AM, Edward Harvey <[email protected]> wrote:
>>
>>> Yeah, I like that one. :-)
>>>
>>> Also this:
>>> http://xkcd.com/538/
>>>
>>> Incidentally, this is mine, and it's what I use:
>>> https://clevertrove.com/randcharsweb/
>>>
>>> *From:* [email protected] [mailto:[email protected]] *On Behalf Of* William J. Robbins
>>> *Sent:* Sunday, June 30, 2013 11:07 PM
>>> *To:* Edward Ned Harvey (lopser)
>>> *Subject:* Re: [lopsa-tech] Bitlocker vs Truecrypt
>>>
>>> Reminds me almost exactly of this: http://xkcd.com/936/
>>> :D
>>>
>>> - William
>>>
>>> On Sun, Jun 30, 2013 at 8:29 PM, Edward Ned Harvey (lopser) <[email protected]> wrote:
>>>
>>>>> From: [email protected] [mailto:[email protected]]
>>>>> On Behalf Of William J. Robbins
>>>>>
>>>>> (And that's based on this:
>>>>> https://en.wikipedia.org/wiki/Password_strength#Entropy_as_a_measure_of_password_strength
>>>>> using the Alphanumeric character value of 5.954. Would be some higher using
>>>>> special characters, as one should.)
>>>>> If I'm encrypting a drive I'd think a decent passphrase would meet/exceed 42
>>>>> characters. Something like: Dammit Jim, I'm a doctor not a bricklayer!
>>>>
>>>> To attack your password in a situation such as you described above, an
>>>> attacker only needs to learn (or guess) that you used some sort of phrase
>>>> instead of random characters, and they won't need to attack random
>>>> characters anymore. They'll attack patterns of words, which is a *far*
>>>> smaller space to attack, considering you have only 8 words in there. 8
>>>> random words from the space including unusual words and proper nouns and
>>>> stuff gets you around 104 bits. Throw in some common substitutions such
>>>> as "d0ctor" and you gain a little bit, but they're predictable, unless
>>>> they're random. In fact, *all* the characters are predictable unless
>>>> they're random.
>>>>
>>>> I emphasize, number of characters is only a measure of entropy if
>>>> they're randomly selected by a machine, and then you memorize them without
>>>> any modification. The measure of entropy in your password is measured by
>>>> the number of guesses an attacker would have to work through in order to
>>>> guess your pass. As soon as you start making modifications such as
>>>> "Gpu7mvrDZ is too hard to type, I'm going to make it GPU7mvrDZ" the attack
>>>> space becomes smaller, based on predictions of human behavior.
>>>>
>>>>> But to get 256 bits of entropy is only around 42 characters isn't it?
>>>>
>>>> To answer this kind of stuff, I like wolframalpha.
>>>> Alphanumeric, mixed case, means 26*26*10 possibilities for each character.
>>>> log2((26*26*10)^21)
>>>> If you randomly choose 21 characters = 267 bits. (20 chars is only 254
>>>> bits). Here's an example of what the 21 char password would look like:
>>>> omEzmGpu7mvrDZbYYPM4Da
>>>> Yes, you can memorize something like that, with some effort. But you
>>>> certainly cannot expect it to be common practice.
>>>>
>>>> They have to be *random* characters. No acronyms, nothing that reflects
>>>> the frequency of letters occurring in English, etc. If you're not
>>>> selecting them randomly, you're reducing the space you select your password
>>>> from.
>>>>
>>>> Also, in this: https://code.google.com/p/randchars/ there is a 2264-word
>>>> list. log2(2264^23) = 256 bits. So 23 random words would give you 256
>>>> bits entropy...
>>>>
>>>> suggest-pot-live-complaint-flood-mouth-bless-and-sauce-anger-mineral-discussion-point-gallon-notebook-wreck-mercy-drop-cousin-absence-other-ocean-sacred
>>>>
>>>> You could use a randomly generated 256 bit password like that. It might
>>>> be easier to memorize than the random characters.
>>>>
>>>>> And if you are doing a home PC not on a domain, the only
>>>>> storage of the recovery key is where you put it on completion. I've seen
>>>>> folks screen shot it, print it off, etc.
>>>>
>>>> Good point. A recovery key that was initially generated randomly is only
>>>> as secure as the security around your backup copy of that key. The
>>>> truecrypt recovery media is equally strong as the truecrypt volume itself -
>>>> which is as strong as your password. With bitlocker, you have several
>>>> options, so it's difficult to analyze the security of your backup keys. If
>>>> stored in Active Directory ... Well, AD is itself very secure if well
>>>> configured. But lots of people don't configure it well. And if you take a
>>>> screen shot, or copy text, then it all depends on where you choose to save
>>>> it...
>
> _______________________________________________
> Tech mailing list
> [email protected]
> https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech
> This list provided by the League of Professional System Administrators
> http://lopsa.org/
_______________________________________________ Tech mailing list [email protected] https://lists.lopsa.org/cgi-bin/mailman/listinfo/tech This list provided by the League of Professional System Administrators http://lopsa.org/
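The entropy arithmetic from the quoted exchange, carried out in code. This is an added example, not code from the thread, from the randchars project or from the randcharsweb page; it uses only Python's `math`, `secrets` and `string` modules. It assumes a mixed-case alphanumeric alphabet of 26 + 26 + 10 = 62 symbols and a word list of 2264 entries, the size quoted above. One caveat for the reader: the `26*26*10` in the quoted message multiplies where the alphabet sizes should be added; with 62 symbols each uniformly random character contributes log2(62) ≈ 5.954 bits, the per-character figure cited earlier in the thread, so 256 bits takes 43 random characters rather than 21. The embedded word list is the 23 words of the quoted passphrase, a constructed stand-in for the real list; the passphrase generator reports entropy from the list it actually draws from, so with the stand-in it is far below 256 bits.

```python
"""Password and passphrase entropy, using the figures quoted in the thread.

Added example; not code from the thread or from the randchars project.
Assumptions: a mixed-case alphanumeric alphabet of 26 + 26 + 10 = 62 symbols,
and a word list of 2264 entries (the size quoted in the thread). SAMPLE_WORDS
is a constructed stand-in for the real list.
"""
import math
import secrets
import string
from typing import Sequence, Tuple

ALNUM = string.ascii_letters + string.digits  # 62 symbols (added, not 26*26*10)
RANDCHARS_LIST_SIZE = 2264                     # word-list size quoted in the thread

# Constructed stand-in word list: the 23 words of the passphrase quoted above.
SAMPLE_WORDS = (
    "suggest pot live complaint flood mouth bless and sauce anger mineral "
    "discussion point gallon notebook wreck mercy drop cousin absence other "
    "ocean sacred"
).split()


def entropy_bits(n_choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks among n_choices: log2(n^length)."""
    if n_choices < 2 or length < 1:
        raise ValueError("need at least two choices and one pick")
    return length * math.log2(n_choices)


def length_for(target_bits: float, n_choices: int) -> int:
    """Fewest uniform picks among n_choices that reach target_bits of entropy."""
    return math.ceil(target_bits / math.log2(n_choices))


def random_password(length: int, alphabet: str = ALNUM) -> str:
    """Uniform random characters from the OS CSPRNG (secrets, never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int, words: Sequence[str] = SAMPLE_WORDS,
                      sep: str = "-") -> Tuple[str, float]:
    """Words chosen uniformly with replacement, plus the entropy of that choice.

    Entropy is computed from the list actually used: the 23-word stand-in gives
    23 * log2(23) ~ 104 bits, not the 256 bits a 2264-word list would give.
    """
    phrase = sep.join(secrets.choice(words) for _ in range(n_words))
    return phrase, entropy_bits(len(words), n_words)


def apparent_vs_actual_bits(passphrase: str, list_size: int,
                            sep: str = "-") -> Tuple[float, float]:
    """The thread's point about phrases: counting characters overstates entropy.

    `apparent` treats the phrase as uniformly random characters from a 27-symbol
    alphabet (lowercase plus the separator); `actual` is what the attacker faces
    once they know it is n words drawn uniformly from a list of list_size words.
    """
    n_words = len(passphrase.split(sep))
    apparent = entropy_bits(len(string.ascii_lowercase) + 1, len(passphrase))
    actual = entropy_bits(list_size, n_words)
    return apparent, actual


if __name__ == "__main__":
    print(f"bits per random alphanumeric character: {entropy_bits(len(ALNUM), 1):.3f}")
    print(f"characters for 256 bits: {length_for(256, len(ALNUM))}")
    print(f"words for 256 bits from a {RANDCHARS_LIST_SIZE}-word list: "
          f"{length_for(256, RANDCHARS_LIST_SIZE)}")
    print("random password:", random_password(length_for(256, len(ALNUM))))
    phrase, bits = random_passphrase(23)
    print(f"random passphrase from the stand-in list ({bits:.1f} bits):", phrase)
    quoted = "-".join(SAMPLE_WORDS)
    apparent, actual = apparent_vs_actual_bits(quoted, RANDCHARS_LIST_SIZE)
    print(f"quoted passphrase: {apparent:.0f} bits if counted as characters, "
          f"{actual:.0f} bits once the attacker knows it is 23 list words")
```

Run it as a script to see the per-character figure, the 43-character and 23-word lengths, and the gap between the character-count estimate and the real entropy of the quoted passphrase. `random_passphrase` deliberately samples with replacement, matching the log2(n^k) formula; sampling without replacement would be marginally smaller and the formula would have to change with it.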
