True Images Wiki

A collection of information Steve finds useful


security_presentation

This page last changed 2021.12.22 14:33

We all have bank accounts, credit cards, insurance policies, healthcare accounts, the list goes on. Many are online. There are so many of these to remember: the URL to go to for access, phone numbers, account numbers, and a login and password, preferably one that is complex and hard to guess.

The challenge is how do you keep track of all of this information in a way that is secure, yet easy to access, that's stored in multiple locations so it's unlikely to get lost, and that you can make available to your next-of-kin if necessary?

We will discuss a solution that your presenter uses to solve all of these challenges in an affordable (free) way.

Importance of Strong Hard-to-Guess Passwords

And, hard-to-remember passwords

How to Guess a Password

From Feb, 2017: https://sites.psu.edu/hacking/2017/02/17/how-to-guess-a-password/

  • Use common, easy-to-guess passwords (Password, P@$$w0rd, password123, etc.)
  • Sequences like 12345
  • Dictionary attack
  • Social Engineering – things the bad guys can find out about you
    • name of husband/wife/son/daughter/dog/cat
    • birthdays and anniversaries
  • Brute Force
  • Fake websites
  • Phishing email that you respond to
  • Password cracking software (ophcrack, Cain and Abel, THC-Hydra, Brutus)
  • Using the same or similar password for multiple sites
  • (Can you think of others?)

How long to crack (from Kim Komando):

^ Length ^ Numbers only ^ Lowercase letters ^ U/L letters ^ Numbers, U/L ^ Numbers, U/L, Symbols ^
| 10 | instantly | 58 min | 1 month | 7 months | 5 years |
| 11 | 2 secs | 1 day | 5 years | 41 years | 400 years |
| 12 | 25 seconds | 3 weeks | 300 years | 2000 years | 34k years |
| 13 | 4 mins | 1 year | 16k years | 100k years | 2m years |
| 14 | 41 mins | 51 years | 800k years | 9m years | 200m years |
| 15 | 6 hrs | 1k years | 43m years | 600m years | 15 bn years |

Of course technology will improve over time and shorten these brute force crack times.
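Komando's table gives the times without stating the guess rate behind them. The following Python is an added example (not from the original page or from Komando) that computes, for each of the table's character classes and lengths, the keyspace, the entropy in bits, and the average brute-force time at an assumed guess rate, so the same table can be regenerated for any attacker speed you care to assume. The pool sizes (10, 26, 52, 62, 95) and the default rate of 10^10 guesses per second are assumptions, not figures from the page.

```python
import math

# Character-pool sizes for the columns of the table above. The class names are
# the table's own; the sizes are the usual ASCII counts (33 printable symbols
# is an assumption; estimators differ on this).
CHARSETS = {
    "Numbers only": 10,
    "Lowercase letters": 26,
    "U/L letters": 52,
    "Numbers, U/L": 62,
    "Numbers, U/L, Symbols": 95,
}

# Assumed attacker speed: 10 billion guesses per second (offline attack on a
# fast hash). Online guessing against a rate-limited login is far slower.
DEFAULT_GUESSES_PER_SECOND = 1e10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password: log2 of the keyspace."""
    return length * math.log2(alphabet_size)


def seconds_to_crack(alphabet_size: int, length: int,
                     guesses_per_second: float = DEFAULT_GUESSES_PER_SECOND) -> float:
    """Average-case brute force: half the keyspace divided by the guess rate."""
    return keyspace(alphabet_size, length) / 2 / guesses_per_second


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits, as the table does."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return "instantly"


def crack_table(lengths, guesses_per_second: float = DEFAULT_GUESSES_PER_SECOND):
    """Rows of [length, time per character class], in the column order of CHARSETS."""
    rows = []
    for n in lengths:
        rows.append([str(n)] + [human_time(seconds_to_crack(size, n, guesses_per_second))
                                for size in CHARSETS.values()])
    return rows


if __name__ == "__main__":
    print("Length".ljust(8) + "".join(name.ljust(24) for name in CHARSETS))
    for row in crack_table(range(10, 16)):
        print(row[0].ljust(8) + "".join(cell.ljust(24) for cell in row[1:]))
    # Bits of entropy grow linearly with length, so each extra character
    # multiplies the attacker's work by the pool size.
    for n in (10, 14, 18):
        print(f"{n} chars, numbers+U/L: {entropy_bits(62, n):.1f} bits")
```

The absolute times will not match Komando's row for row, because her rate assumption is different and unstated; what the code makes visible is the shape of the table, namely that adding one character multiplies the work by the pool size while widening the pool only multiplies it by a constant, which is why length wins.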

You should assume that the attacker knows a lot about you (e.g., from Facebook). Guessable things like the following have no business being in your password (or as the answer to any of your recovery questions):

  • Your name, birthday, anniversary, Social Security number, etc.
  • Name, birthday, etc. of your parents, friends, spouse, dogs, etc.
  • Sequences like 12345
  • Any of the above combined – adding guessable things together does not make them un-guessable
  • Passwords you've used before; they've probably already been breached

How to Protect Yourself

  • Use a different password for each site you visit
  • Use strong passwords
  • Use randomly generated passwords
  • Treat “security questions” as passwords
  • Somehow, remember them all
  • Use two-factor authentication
  • Protect passwords from compromise
  • Provide for next of kin

Remembering Passwords and Associated Issues

^ Method ^ Plusses ^ Minuses ^
| Piece of paper | Free, flexible | Loss. Smudges/can't read writing. Processed by washing machine. Someone else can get it. You create passwords. |
| Sticky note attached to computer | Free | Can be seen or stolen by others. Falls off/loss. Smudges/can't read writing. Only available on the computer it's posted on. You create passwords. |
| Spreadsheet | Free, flexible | Where do you store it? Overwritable by accident. You create passwords. |
| Password Manager | Free, or paid. Can produce good passwords | Where are passwords stored? Possible breach if stored online. Loss or theft if stored on a thumb drive or your computer. |

or there's this option,
credit to John McPherson of Close to Home:

How to create hard-to-guess passwords

If a human is going to guess the password, then make it unhuman. Consider a password “safe”. Here are some free alternatives, from Tech Radar's The best free password manager 2019, with updates I took from the application sites on 20211129.
Also see PC Magazine's picks.
Do a DuckDuckGo (or Google, if you're still using Google) search for “Best Password Managers” and look for those with 2020 or 2021 information.

All of these offer login and text note storage in a secure vault protected by your master password, and can generate (and store) strong passwords.

^ Manager ^ Free version ^ Paid version ^ Cost ^ Platforms ^
| www.lastpass.com | Access on one device type | 1GB secure cloud storage; multi-factor authentication; contingency plan (loved one access in emergency) | Free for one device type; $3/month 1 user, $4/month 6 users (group and share items, family manager) | Win, Mac, Linux, Mobile |
| www.dashlane.com | Up to 50 passwords, one device | Unlimited passwords, unlimited devices, 1GB max | $4.99/mo billed annually, multiple accounts $7.49/mo billed annually | Win, Mac, iOS, Android |
| keepersecurity.com | Access on one device | Unlimited device access | $2.91/month, $34.99 annually | Mac, Windows, Linux, iOS, Android |
| www.roboform.com | Sync across devices, cloud backup, web access: all cost | | $23.88 $16.68/1yr, $71.64 $45.14/3yr, $119.40 $69.60/5yr | Windows, Mac, iOS, Android, Linux, Chrome OS |
| bitwarden.com | Passwords file kept online (but you can install it on your own server); one file, share with another | 1GB encrypted storage | $10/yr one user, $39.96/yr up to 6 users | Windows, Mac, Linux, iOS, Android |
| keepass.info | Can run from USB; many customizable options; a little intimidating? You judge. FOSS1): there is no paid version, all features are in the free version; many ports, with different features and UI | None | No cost. Does not provide a place to store the Password Safe; that's up to you | Windows, Android, iPhone/iPad, Mac, Chromebook, Blackberry, Linux, and more |
| Others? | | | | |

Caveat

From https://sites.psu.edu/hacking/2017/02/17/how-to-guess-a-password/
Lawrence Lee February 19, 2017 at 12:07 am
While I do definitely agree with using a password manager, you also should be careful of who you trust with your information. LastPass recently had a data breach where hackers got away with a significant amount of personal information – thankfully no encrypted passwords were taken, but the fact that they were able to get as much as they did is slightly concerning. You'd think that a company whose only goal is to increase your online security would be able to defend against intrusions by attackers.

What I do

These are my practices for your information. You should make a decision that's best for you.

  • KeePass on multiple devices
  • Store password file in iCloud
  • Copy password file to local Documents on each device
  • Copy password file to Dropbox, pCloud
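The four bullets above are a hand-run copy routine, and the history further down names its failure mode: copies drifting out of sync. The following Python is an added example, not the author's own script, that copies the primary .kdbx to each replica only when the content differs, verifies each copy by SHA-256, and refuses to overwrite a replica that is newer than the primary (a sign that the copy, not the master, was edited) unless told to force it. The PRIMARY and REPLICAS paths are assumed placeholders for the iCloud, Documents, Dropbox and pCloud locations; demo_in_tempdir() exercises the three cases on constructed files so it can be run without touching a real database.

```python
import hashlib
import os
import shutil
import tempfile
import time
from pathlib import Path

# Assumed locations (placeholders): the iCloud Drive copy is the master, the
# others are replicas. Adjust to your own layout.
PRIMARY = Path.home() / "Library/Mobile Documents/com~apple~CloudDocs/passwords.kdbx"
REPLICAS = [
    Path.home() / "Documents/passwords.kdbx",
    Path.home() / "Dropbox/passwords.kdbx",
    Path.home() / "pCloud Drive/passwords.kdbx",
]


def sha256_of(path: Path) -> str:
    """Content hash, read in chunks so a large database does not sit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def sync_replicas(primary: Path, replicas, force: bool = False) -> dict:
    """Copy `primary` to every replica whose content differs.

    Returns {replica_path: status} where status is "copied", "unchanged",
    "conflict" (replica is newer than primary and differs; left alone unless
    force=True) or "verify-failed" (copy did not hash-match the primary).
    """
    src_hash = sha256_of(primary)
    src_mtime = primary.stat().st_mtime
    report = {}
    for dst in replicas:
        if dst.exists():
            if sha256_of(dst) == src_hash:
                report[dst] = "unchanged"
                continue
            if dst.stat().st_mtime > src_mtime and not force:
                report[dst] = "conflict"   # someone edited the copy instead of the master
                continue
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(primary, dst)          # copy2 preserves the modification time
        report[dst] = "copied" if sha256_of(dst) == src_hash else "verify-failed"
    return report


def demo_in_tempdir() -> dict:
    """Runs the fresh-copy, unchanged, conflict and forced cases on constructed
    files in a temporary directory and returns the statuses observed."""
    d = Path(tempfile.mkdtemp())
    primary = d / "primary.kdbx"
    primary.write_bytes(b"constructed database v1")   # stands in for a real .kdbx
    reps = [d / "documents" / "db.kdbx", d / "dropbox" / "db.kdbx"]
    first = sync_replicas(primary, reps)
    second = sync_replicas(primary, reps)
    # Simulate editing a replica on another device after the master was written.
    reps[0].write_bytes(b"constructed database v2 edited elsewhere")
    later = time.time() + 100
    os.utime(reps[0], (later, later))
    third = sync_replicas(primary, reps[:1])
    forced = sync_replicas(primary, reps[:1], force=True)
    return {
        "first": first[reps[0]],
        "second": second[reps[1]],
        "conflict": third[reps[0]],
        "forced": forced[reps[0]],
        "bytes_match": reps[1].read_bytes() == primary.read_bytes(),
    }


if __name__ == "__main__":
    if PRIMARY.exists():
        for path, status in sync_replicas(PRIMARY, REPLICAS).items():
            print(f"{status:14s} {path}")
    else:
        print(demo_in_tempdir())
```

A "conflict" result is the case the manual routine cannot catch: the copy on another device was changed and the master was not, so blindly copying master over it would silently throw away an entry. Resolve it by opening both files in KeePass and merging, then rerun with force=True.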

Benefits:

  • Free
  • One password to remember
  • I can use long and complex passwords

Using a password manager:

  • you can create quite long and complex passwords
  • you can create secure passwords and not have to remember all of them
  • you only have to remember one password
  • you have all of your important access information in one spot, the encrypted file
    • (your next of kin would likely find this useful)

More About KeePass

Note that many of these features are also provided by other password manager software, free and paid.

  • A KeePass database can hold
    • Logins and password
    • Other information you feel useful, such as: Social Security numbers, Secret passwords (answer to “what was your first dog's name”), telephone numbers
    • Past passwords. Date you started to use a given password.
    • And all of the data in the database is encrypted.
  • There are many applications that can access a KeePass database, and the same database can be accessed from each of them. You choose one that is available and that you find works for you.
    • On my iPhone, I use: KeePass Touch (and I have used: KeePassium, MiniKeePass)
    • On Windows (a while ago) I was using KeePass2
    • On MacOS I'm using KeePassXC
    • These are all available to download from keepass.info

My history with passwords and password managers

  • At first, one password for all sites
    • Turns out, it was easy to guess!
  • Then
    • Password database on USB stick
    • Copy database to/from any computer I'd use
    • Not possible on smartphone (and I didn't have one)
    • Risk: loss of USB stick, loss of database sync
  • Then, use Dropbox to hold database
    • In the cloud, can access from many devices (as I now had a smartphone)
    • Two levels of security: need password to access Dropbox, need password to access Password DB
  • Then Dropbox restricted free access to max 3 devices
    • As I have more than 3 devices, I had to seek alternatives
    • So I switched to iCloud, as 5GB is free [note, my database is ~350KB]
    • Most recent version on iCloud
    • For redundancy, after I make a password DB change(s), I copy DB from iCloud to other places
      • local Documents directory
      • Clouds: Dropbox, pCloud
    • I share password DB with wife via pCloud
  • I use a DB entry to log changes
    • “Last changed 20211201.2007” (Dec 2, 2021, 8:07pm)
    • Enter change(s) made, eg: “1201: updated CCS entry, new password Kohls”
    • This I do manually
    • Helps me synchronize databases
  • I use KeePass application to create new entries and login passwords
    • Passwords typically 14+ characters (upper/lower case and numbers)
    • KeePass tells me if a password is/isn't secure

Here is a possible password I might use: cqLbq2NHcuNmgU – 14 characters, upper and lower case letters, and at least one number. This one has an entropy of 82.06, which KeePass deems “good”.

Another: M6dehfJRn7dz7lM82K, 18 characters with entropy 101.60, is deemed “excellent” by KeePass. By comparison:

^ Password ^ Entropy ^
| password | 1.00 |
| Password | 2.00 |
| P@$$w0rd | 3.58 (and P@$$w0 has entropy 16.80!) |
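The numbers in that comparison show that KeePass's quality figure is not the textbook log2(pool^length): a dictionary word stays near zero bits no matter how it is dressed up with capitals or symbol substitutions, while a random 14-character string gets roughly the full 14 × log2(62) ≈ 83 bits. The following Python is an added example, not KeePass's algorithm or code, that shows the gap between the naive figure and a simplified pattern-aware estimate (a constructed six-word dictionary, undoing of leet-speak substitutions, trailing-digit handling; the thresholds in rating() are assumed), and generates a password with the secrets module the way a manager's generator does.

```python
import math
import secrets
import string

# Constructed stand-in for the word list a real estimator ships; not KeePass's.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "admin", "monkey"}

# Leet-speak substitutions undone before the dictionary check.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})

SYMBOLS = 33  # assumed count of printable ASCII symbols


def charset_size(pw: str) -> int:
    """Size of the smallest standard pool that contains every character used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += SYMBOLS
    return size


def naive_bits(pw: str) -> float:
    """Entropy the password would have if every character were chosen at random."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def split_suffix_digits(pw: str):
    """'password123' -> ('password', '123'); digits appended to a word are a pattern."""
    stem = pw.rstrip(string.digits)
    return stem, pw[len(stem):]


def estimate_bits(pw: str) -> float:
    """Simplified pattern-aware estimate (assumption: not KeePass's method).

    A dictionary word, with case changes, leet substitutions or trailing digits,
    is scored as one pick from the list plus the few bits the dressing adds;
    anything else falls back to the naive figure.
    """
    if not pw:
        return 0.0
    stem, digits = split_suffix_digits(pw)
    base = stem.translate(LEET).lower()
    if base in COMMON_WORDS:
        dressing = sum(1 for a, b in zip(stem, base) if a != b)  # ~1 bit per altered char
        return math.log2(len(COMMON_WORDS)) + dressing + len(digits) * math.log2(10)
    return naive_bits(pw)


def rating(bits: float) -> str:
    """Assumed thresholds for this demo, not KeePass's labels."""
    if bits < 32:
        return "weak"
    if bits < 64:
        return "fair"
    if bits < 96:
        return "good"
    return "excellent"


def generate(length: int = 14, alphabet: str = string.ascii_letters + string.digits) -> str:
    """Cryptographically random password, retried until upper, lower and digit all appear."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


if __name__ == "__main__":
    for pw in ["password", "Password", "P@$$w0rd", "password123",
               "cqLbq2NHcuNmgU", generate(18)]:
        b = estimate_bits(pw)
        print(f"{pw:20s} naive {naive_bits(pw):6.2f}  estimate {b:6.2f}  {rating(b)}")
```

For the random 14-character string both figures agree at about 83 bits, close to the 82.06 KeePass reports; for the dictionary variants they differ by an order of magnitude, which is the whole point of letting the manager generate the password rather than inventing one. The simplification shows on truncated words: P@$$w0 normalizes to passwo, which is not in the tiny list, so it gets the naive score instead of the 16.80 KeePass gives; a real estimator matches substrings against a much larger list.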

There are other capabilities of a KeePass password manager, such as autofill (it'll copy and enter passwords for you) and URL entry (it'll type your site's URL into your browser), and more; but I do not have experience with these.

Next: Live demo of KeePass

Questions and Answers


References

1) FOSS = Free, Open-Source Software