Transfer of Knowledge Underground Wiki

A collection of information we find useful

security_presentation

This page last changed 2022.10.11 18:31

We all have bank accounts, credit cards, insurance policies, healthcare accounts, the list goes on. Many are online. There are so many of these to remember: the URL to go to for access, phone numbers, account numbers, and a login and password, preferably one that is complex and hard to guess.

The challenge is how do you keep track of all of this information in a way that is secure, yet easy to access, that's stored in multiple locations so it's unlikely to get lost, and that you can make available to your next-of-kin if necessary?

We will discuss a solution that your presenter uses to solve all of these challenges in a cost-affordable (free) way.

Importance of Strong Hard-to-Guess Passwords

And, hard-to-remember passwords

How to Guess a Password

From Feb, 2017: https://sites.psu.edu/hacking/2017/02/17/how-to-guess-a-password/

  • Use common, easy-to-guess passwords (Password, P@$$w0rd, password123, etc)
  • Sequences like 12345
  • Dictionary attack
  • Social Engineering – things the bad guys can find out about you
    • name of husband/wife/son/daughter/dog/cat
    • birthdays and anniversaries
  • Brute Force
  • Fake websites
  • Phishing email that you respond to
  • Password cracking software (ophcrack, Cain and Abel, THC-Hydra, Brutus)
  • Using the same or similar password for multiple sites
  • (Can you think of others?)

More recently, WikiHow (https://www.wikihow.com/Guess-a-Password) gives a set of steps to follow to guess someone's password:

  1. Figure out the password requirements for the site or app
  2. Ask for a hint or security questions (the “hint” may be easy to guess)
  3. Check the list of easy-to-remember passwords
    1. like: 123456, 123456789, Qwerty, Password, Pa$$w0rd, Qwerty123, Iloveyou, etc
  4. Phone screen passwords may be easy to guess (123456, 147258, etc)
  5. Names of family members and pets
  6. What you know about the target's interests (Golfpro, Mathwhiz, etc)
  7. Significant numbers and dates
    1. like: address, birth/marriage/etc dates, lucky numbers, graduation date
  8. Reverse or change the letters
    1. Adlihnurb, tsorfmada
    2. Substituting $ for s, 0 for o, 3 for e, 1 for i, etc (P@$$w0rd, w1k1h0w)
  9. If you have access to their machine, check for saved passwords in Browsers

How long to crack: From Kim Komando March 2021

Length | Numbers only | Lowercase letters | U/L letters | Numbers, U/L | Numbers, U/L, Symbols
10     | instantly    | 58 min            | 1 month     | 7 months     | 5 years
11     | 2 secs       | 1 day             | 5 years     | 41 years     | 400 years
12     | 25 seconds   | 3 weeks           | 300 years   | 2000 years   | 34k years
13     | 4 mins       | 1 year            | 16k years   | 100k years   | 2m years
14     | 41 mins      | 51 years          | 800k years  | 9m years     | 200m years
15     | 6 hrs        | 1k years          | 43m years   | 600m years   | 15 bn years

Of course technology will improve over time and shorten these brute force crack times.
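The table above is one instance of a simple calculation: the number of candidates an exhaustive search must try is (character-set size) to the power of (length), and the time is that count divided by the attacker's guessing rate. The following added example (not from Kim Komando's article or from this wiki's author) rebuilds the table for any lengths and any rate. Komando's table states neither its symbol count nor its guessing rate, so the 95-character set and the 4e10 guesses per second used here are assumptions; that rate is roughly what the "lowercase letters" column implies. Two caveats that the table itself does not carry: these times apply to an offline attack against a stolen, fast password hash (an online login form that locks out or rate-limits allows only a handful of guesses per minute), and a dictionary or pattern attack, like the ones listed under "How to Guess a Password", never needs to search the whole space, which is why a guessable 15-character password is not protected by the "15 bn years" cell.

```python
import math

# Character-set sizes behind the columns of the table above. The symbol count
# (33 printable ASCII symbols, 95 characters total) and the guessing rate are
# assumptions of this example; the original table states neither.
CHARSETS = {
    "Numbers only": 10,
    "Lowercase letters": 26,
    "U/L letters": 52,
    "Numbers, U/L": 62,
    "Numbers, U/L, Symbols": 95,
}
GUESSES_PER_SECOND = 4e10  # assumed offline cracking rate against a fast hash


def search_space(charset_size: int, length: int) -> int:
    """How many candidates an exhaustive (brute-force) search must cover."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """The same quantity on a log scale: bits of entropy of a uniformly random password."""
    return length * math.log2(charset_size)


def seconds_to_crack(charset_size: int, length: int,
                     rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the space at `rate` guesses per second.
    The expected time, with the password somewhere in the middle, is half this."""
    return search_space(charset_size, length) / rate


def human_time(seconds: float) -> str:
    """Render seconds the way the table does: instantly, secs, mins, ..., k/m/bn years."""
    if seconds < 1:
        return "instantly"
    if seconds < 60:
        return f"{seconds:.0f} secs"
    if seconds < 3600:
        return f"{seconds / 60:.0f} mins"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} hrs"
    if seconds < 30 * 86400:
        return f"{seconds / 86400:.0f} days"
    years = seconds / (365 * 86400)
    if years < 1:
        return f"{seconds / (30 * 86400):.0f} months"
    for suffix, scale in (("bn", 1e9), ("m", 1e6), ("k", 1e3)):
        if years >= scale:
            return f"{years / scale:.0f}{suffix} years"
    return f"{years:.0f} years"


def crack_table(lengths=range(10, 16), rate: float = GUESSES_PER_SECOND) -> dict:
    """Rebuild the table for any lengths and rate: {length: {column: human time}}."""
    return {n: {col: human_time(seconds_to_crack(size, n, rate))
                for col, size in CHARSETS.items()}
            for n in lengths}


if __name__ == "__main__":
    print("Length | " + " | ".join(CHARSETS))
    for n, row in crack_table().items():
        print(f"{n:<6} | " + " | ".join(row.values()))
    # Faster hardware is just a larger `rate`: try crack_table(rate=4e12).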

You should assume that the attacker knows a lot about you (e.g., from Facebook). Guessable things like the following have no business being in your password (or as the answer to any of your recovery questions):

  • Your: name, birthday, anniversary, social security number, etc
  • Name, birthday, etc of your parents, friends, spouse, dogs, etc
  • Sequences like 12345
  • Any of the above but combined – adding guessable things together does not make them un-guessable
  • Passwords you've used before, they've probably already been breached

How to Protect Yourself

  • Use a different password for each site you visit
  • Use strong passwords
  • Use randomly generated passwords
  • Treat “security questions” as passwords
  • Somehow, remember them all
  • Use two-factor authentication
  • Protect passwords from compromise
  • Provide for next of kin

Remembering Passwords and Associated Issues

  • Piece of paper
    • Plusses: Free, flexible
    • Minuses: Loss. Smudges/can't read writing. Processed by washing machine. Someone else can get it. You create the passwords.
  • Sticky note attached to computer
    • Plusses: Free
    • Minuses: Can be seen or stolen by others. Falls off/loss. Smudges/can't read writing. Only available on the computer it's posted on. You create the passwords.
  • Spreadsheet
    • Plusses: Free, flexible
    • Minuses: Where do you store it? Can be overwritten by accident. You create the passwords.
  • Password Manager
    • Plusses: Free, or paid. Can produce good passwords in one spot. Can be backed up.
    • Minuses: Where are the passwords stored? Possible breach if stored online. Loss or theft if stored on a thumb drive or your computer.

or there's this option,
credit to John McPherson of Close to Home:

How to create hard-to-guess passwords

If a human is going to guess the password, then make it non-human. Consider a password “safe” (a password manager). Here are some alternatives; many are free or have free options.
You can also do a DuckDuckGo (or Google, if you're still using Google) search for “Best Password Managers” and look for those with recent information.

All of these offer login and text note storage in a secure vault protected by your master password, and can generate (and store) strong passwords.

The following data was updated 10/9/2022. There are MANY other options; these are a few. You should study all of the features and drawbacks of any option you consider or select.

For each manager: free version, paid version, cost, platforms.

  • www.lastpass.com
    • Free version: Access on one device type (computer or mobile), 1GB encrypted cloud storage, Multifactor Authentication (MFA), Contingency plan (loved one access in emergency)
    • Cost: Free for one device type; $36/yr 1 user, $48/yr 6 users (group and share items, family manager)
    • Platforms: Browser based. Win, Mac, Linux, Mobile
  • www.dashlane.com
    • Free version: One device, secure sharing
    • Paid version: unlimited devices, 1GB max, VPN
    • Cost: Free; $60/yr or $90/yr (10 accts)
    • Platforms: Browser based. Win, Mac, iOS, Android
  • keepersecurity.com
    • Free version: no free option
    • Paid version: (Personal) no limits on storage, devices, sharing; (Family) 5 vaults, 10GB secure storage
    • Cost: Personal $35/yr, Family $75/yr
    • Platforms: App: Mac, Windows, Linux, iOS, Android; Browser extension
  • www.roboform.com
    • Free version: one device
    • Paid version: sync across devices, cloud backup, web access. Family plan is 5 users.
    • Cost: Personal: $16.68/1yr, $45.14/3yr, $69.60/5yr; Family: $33.40/1yr, $90.20/3yr, $139.30/5yr
    • Platforms: Windows, Mac, iOS, Android, Linux, Chromebook, Browsers
  • bitwarden.com
    • Free and paid versions: Unlimited pw, devices, 2FA, emergency access, share w/1-6 people
    • Cost: $10/yr one user, $40/yr up to 6 users
    • Platforms: Windows, Mac, Linux, iOS, Android, Browsers
  • https://1password.com/
    • Free version: no free version, only paid, 2wk free trial
    • Paid version: unlimited pw & devices, 1GB storage, 2FA
    • Cost: Individual: $36/yr, Families (5 family members): $60/yr
    • Platforms: Mac, Win, Linux, iOS, Android, Browsers
  • https://nordpass.com/
    • Free version: unlimited pw, notes also, credit cards
    • Paid version: emergency access
    • Cost: Premium $24/yr, Family (6 accts) $60/yr
    • Platforms: Win, Mac, Linux, Android, iOS, Browsers
  • https://keepass.info/ (KeePassXC)
    • Can run from USB
    • Many customizable options
    • A little intimidating? You judge.
    • Free version: FOSS 1) - there is no paid version; all features are in the free version. Many ports, with different features and UI.
    • Cost: none. Does not provide a place to store the Password Safe; that's up to you.
    • Platforms: Windows, Android, iPhone/iPad, Mac, Chromebook, Blackberry, Linux, and more

KeePassXC is a KeePass port, see Tech Radar's review: https://www.techradar.com/reviews/keepassxc. It's free but accepts donations.

Refs:

Caveat

From https://sites.psu.edu/hacking/2017/02/17/how-to-guess-a-password/
Lawrence Lee February 19, 2017 at 12:07 am
While I do definitely agree with using a password manager, you also should be careful of who you trust with your information. LastPass recently had a data breach where hackers got away with a significant amount of personal information – thankfully no encrypted passwords were taken, but the fact that they were able to get as much as they did is slightly concerning. You’d think that a company whose only goal is to increase your online security would be able to defend against intrusions by attackers.

What I do

These are my practices for your information. You should make a decision that's best for you.

  • Use KeePass application on multiple devices
    • On MacBook: KeePassXC
    • On iPhone and iPad: KeePass Touch
    • On Android:
    • On Windows:
  • Store password file in iCloud
  • Copy password file to local Document storage on each device (so it's available when there's no internet)
  • Copy password file to Dropbox, pCloud (as backup)

To note:

  • KeePassXC updates the iCloud version whenever I make a change
  • On iPhone and iPad I need to download the latest version of the password file
  • I added an entry in the password file that tracks latest changes (so I can tell if I have the latest on a given device)

Benefits:

  • Free
  • Available on all my devices
  • One password to remember
  • I can use long and complex passwords
  • Can keep a history of past passwords

Using a password manager:

  • easy to create long and complex passwords
  • you can use long and complex passwords
  • you can create secure passwords and not have to remember all of them
  • you only have to remember One password
  • you can store your password file encrypted in multiple places including USB drives so it's unlikely to be lost
  • you have all of your important access information in one spot, the encrypted file
    • your next of kin would likely find this useful

More About KeePass

Note that many of these features can be handled/provided by other password manager software, free and at cost.

  • A KeePass database can hold
    • Logins and password
    • Other information you feel useful, such as: Social Security numbers, Secret passwords (answer to “what was your first dog's name”), telephone numbers
    • Past passwords. Date you started to use a given password.
    • And all of the data in the database is encrypted.
  • There are many applications that can access a KeePass database, and the same database can be accessed from each of them. You choose one that is available and that you find works for you.
    • On my iPhone, I use: KeePass Touch (and I have used: KeePassium, MiniKeePass)
    • On Windows (a while ago) I was using KeePass2
    • On MacOS I'm using KeePassXC
    • These are all available to download from keepass.info

My history with passwords and password managers

  • At first, one password for all sites
    • Turns out, it was easy to guess!
  • Then
    • Password database on USB stick
    • Copy database to/from any computer I'd use
    • Not possible on smartphone (and I didn't have one)
    • Risk: loss of USB stick, loss of database synch
  • Then, use Dropbox to hold database
    • In the cloud, can access from many devices (as I now had a smartphone)
    • Two levels of security: need a password to access Dropbox, need a password to access the Password DB
  • Then Dropbox restricted free access to max 3 devices
    • As I have more than 3 devices, I had to seek alternatives
    • So I switched to iCloud, as 5GB is free [note, my database is ~350KB]
    • Most recent version on iCloud
    • For redundancy, after I make a password DB change(s), I copy DB from iCloud to other places
      • local Documents directory
      • Clouds: Dropbox, pCloud
    • I share password DB with wife via pCloud
  • I use a DB entry to log changes
    • “Last changed 20221009.1817” meaning October 9, 2022 at 6:17pm
    • Enter change(s) made, eg: “0921: updated CCS entry, new password Kohls”
    • This I do manually
    • Helps me synchronize databases
  • I use KeePass application to create new entries and login passwords
    • Passwords typically 14+ characters (upper/lower case and numbers)
    • KeePass tells me how secure a given password is
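The copying described under "What I do" and in the history above has one failure mode: a device ends up with a stale copy of the database, which is why the author keeps a manual "Last changed" entry inside it. The following added example (not the author's tooling, and not part of KeePass) automates the check: it hashes every copy of the .kdbx file, takes the most recently modified one as the reference, and lists the copies whose bytes differ. The .kdbx file is encrypted, so hashing reveals nothing about its contents. The iCloud/Documents/Dropbox/pCloud paths are hypothetical, and the demo writes constructed stand-in files in a temporary directory rather than touching a real database. One caveat: cloud clients can rewrite modification times when they sync, so the in-database "Last changed" entry remains the authoritative record; this script only tells you which copies disagree.

```python
import hashlib
import os
import tempfile
import time


def sha256_of(path: str) -> str:
    """Digest of the file's bytes. The .kdbx is encrypted, so this reveals nothing about its contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def check_copies(paths: list) -> tuple:
    """Compare every copy with the most recently modified one.
    Returns (newest_path, stale_paths); a stale copy differs byte-for-byte from the newest."""
    info = {p: (os.path.getmtime(p), sha256_of(p)) for p in paths}
    newest = max(info, key=lambda p: info[p][0])
    reference = info[newest][1]
    stale = sorted(p for p, (_, digest) in info.items() if digest != reference)
    return newest, stale


def demo() -> tuple:
    """Constructed scenario: four copies, and an edit that only reached the iCloud copy."""
    root = tempfile.mkdtemp()
    copies = {}
    for place in ("iCloud", "Documents", "Dropbox", "pCloud"):
        path = os.path.join(root, place, "Passwords.kdbx")  # hypothetical locations
        os.makedirs(os.path.dirname(path))
        with open(path, "wb") as f:
            f.write(b"constructed stand-in for the old database bytes")
        copies[place] = path
    # Simulate a KeePassXC save that updated only the iCloud copy.
    with open(copies["iCloud"], "wb") as f:
        f.write(b"constructed stand-in for the edited database bytes")
    now = time.time()
    os.utime(copies["iCloud"], (now, now))
    for place in ("Documents", "Dropbox", "pCloud"):
        os.utime(copies[place], (now - 3600, now - 3600))
    return check_copies(list(copies.values()))


if __name__ == "__main__":
    newest, stale = demo()
    print("newest copy:", newest)
    for p in stale:
        print("STALE, re-copy from newest:", p)
```

To use it on a real setup, replace `demo()` with a call to `check_copies([...])` on the actual paths of your copies.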

Here is a possible password I might use: cqLbq2NHcuNmgU – 14 characters, upper and lower case letters, and at least one number. This one has entropy 82.06 which is deemed “good”.

Another: M6dehfJRn7dz7lM82K, 18 characters with entropy 101.60, is deemed “excellent” by KeePass. By comparison:

Password | KeePass entropy
password | 1.00
Password | 2.00
P@$$w0rd | 3.58 (and P@$$w0 has entropy 16.80!)
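The comparison above shows why "entropy" cannot simply be length times log2(alphabet): by that naive formula "password" would score about 37 bits, yet KeePass gives it 1.00 because it is a dictionary word. The following added example (written for this page, not KeePass's code or algorithm) does two things the author's workflow relies on a password manager for: it generates passwords with the operating system's cryptographic random source, and it estimates strength. The naive estimate is the charset formula; the pattern-aware estimate is a deliberately small toy model, assumed here, that undoes case changes and the "$ for s, 0 for o" substitutions listed under "How to Guess a Password", and charges the attacker only log2(dictionary size) plus one bit per tweak when the result is a common word. The seven-word dictionary is constructed for the demo; real cracking wordlists hold millions of entries. The numbers will not match KeePass's exactly (KeePass rates cqLbq2NHcuNmgU at 82.06 where the naive formula gives 83.36), but the ordering does, including the author's observation that the truncated P@$$w0 scores higher than P@$$w0rd because it no longer matches a dictionary word.

```python
import math
import secrets
import string

# The author's generated passwords use upper/lower case letters and digits.
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 14, alphabet: str = ALPHABET) -> str:
    """Uniformly random password. `secrets` draws from the OS CSPRNG; never use `random` for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def charset_entropy_bits(password: str) -> float:
    """Naive estimate: length * log2(size of the character classes present).
    This is an upper bound: it treats 'password' as 8 random lowercase letters."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


# Undo the substitutions from the "How to Guess a Password" list: @->a, $->s, 0->o, 1->i, 3->e.
LEET = str.maketrans("@$013", "asoie")

# Constructed mini-dictionary for the demo; a real cracking wordlist has millions of entries.
COMMON_WORDS = {"password", "qwerty", "iloveyou", "letmein", "welcome", "123456", "123456789"}


def pattern_entropy_bits(password: str) -> float:
    """Toy pattern-aware estimate (an assumption of this example, not KeePass's algorithm).
    If the password is a common word once case and leet substitutions are undone, charge
    log2(dictionary size) for the word plus one bit per tweaked position; otherwise fall
    back to the naive charset estimate."""
    for normalized in (password.lower(), password.translate(LEET).lower()):
        if normalized in COMMON_WORDS:
            tweaks = sum(1 for a, b in zip(password, normalized) if a != b)
            return math.log2(len(COMMON_WORDS)) + tweaks
    return charset_entropy_bits(password)


if __name__ == "__main__":
    samples = [generate_password(14), generate_password(18),
               "password", "Password", "P@$$w0rd", "P@$$w0"]
    for pw in samples:
        print(f"{pw:<20} naive {charset_entropy_bits(pw):6.2f} bits"
              f"   pattern-aware {pattern_entropy_bits(pw):6.2f} bits")
```

The lesson is the one KeePass's numbers already carry: a generated 14-character password gets its full 83 bits because no pattern exists to shortcut the search, while a "clever" substitution on a dictionary word adds only a few bits over the plain word.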

There are other capabilities of a KeePass password manager, such as autofill (it'll copy and enter passwords for you) and URL entry (it'll type your site's URL into your browser), and more; but I do not have experience with these.

Next: Live demo of KeePass

on smi macbook

  • open, select PasswordExample.kbdx pw=1234
  • Save as CSV and look
  • Save as HTML and look
  • Database>Reports

Questions and Answers


References

1) FOSS = Free, Open-Source Software
security_presentation.txt · Last modified: 2022.10.11 18:31 by Steve Isenberg