The "To Keep Up" Wiki

A collection of information we find useful

security_presentation
security_presentation [2021.11.29 09:12] – [How to create hard-to-guess passwords] Steve Isenberg
security_presentation [2022.10.11 15:31] (current) – [How to create hard-to-guess passwords] Steve Isenberg
Line 1: Line 1:
 +~~NOCACHE~~ <fc #a0a0a0><fs small>[This page last changed ~~LASTMOD~~;
 +visits {{counter|today| time| times}} today, {{counter|yesterday| time| times}} yesterday, and {{counter|total| time total| total times}}]</fs></fc>
 +
 We all have bank accounts, credit cards, insurance policies,  We all have bank accounts, credit cards, insurance policies, 
 healthcare accounts, the list goes on.  Many are online. There are so  healthcare accounts, the list goes on.  Many are online. There are so 
-many of these, each with its URL to go to for access, phone numbers,  +many of these to rememberthe URL to go to for access, phone numbers,  
-account numbers, and requiring a password to access--one that is  +account numbers, and an access login and password--preferably one that is  
-complex and hard to guess.  The challenge is how do you keep track of +complex and hard to guess.   
 + 
 +The challenge is how do you keep track of 
 all of this information in a way that is secure, yet easy to access,  all of this information in a way that is secure, yet easy to access, 
 that's stored in multiple locations so it's unlikely to get lost, and  that's stored in multiple locations so it's unlikely to get lost, and 
 that you can make available to your next-of-kin if necessary? that you can make available to your next-of-kin if necessary?
 +
 We will discuss a solution that your presenter uses to solve all of  We will discuss a solution that your presenter uses to solve all of 
 these challenges in a cost affordable--free--way. these challenges in a cost affordable--free--way.
  
 ====Importance of Strong Hard-to-Guess Passwords==== ====Importance of Strong Hard-to-Guess Passwords====
 +//And, hard to remember passwords//
 ===How to Guess a Password=== ===How to Guess a Password===
 From Feb, 2017: [[https://sites.psu.edu/hacking/2017/02/17/how-to-guess-a-password/]] From Feb, 2017: [[https://sites.psu.edu/hacking/2017/02/17/how-to-guess-a-password/]]
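Review bot: the rewritten opening sentence runs two words together, "many of these to rememberthe URL to go to for access"; it needs a break, e.g. "many of these to remember: the URL to go to for access, phone numbers, account numbers, and a login and password". The new italic subtitle "//And, hard to remember passwords//" should be hyphenated "hard-to-remember" to match "Hard-to-Guess" in the heading it sits under.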
Line 23: Line 30:
   * Phishing email that you respond to   * Phishing email that you respond to
   * Password cracking software (ophcrack, cain and able, THC-Hydra, Brutus)   * Password cracking software (ophcrack, cain and able, THC-Hydra, Brutus)
 +  * Using the same or similar password for multiple sites
 +  * (Can you think of others?)
  
-How long to crack: From [[https://www.komando.com/security-privacy/check-your-password-strength/783192/|Kim Komando]]+Recent from WikiHow: [[https://www.wikihow.com/Guess-a-Password]] 
 +Gives a set of steps to follow to guess someone's password. 
 +  - Figure out the password requirements for the site or app 
 +  - Ask for a hint or security questions (the "hint" may be easy to guess) 
 +  - Check the list of easy-to-remember passwords 
 +    - like: 123456, 123456789, Qwerty, Password, Pa$$w0rd, Qwerty123, Iloveyou, etc 
 +  - Phone screen passwords may be easy to guess (123456, 147258, etc) 
 +  - Names of family members and pets 
 +  - What you know about the target's interests (Golfpro, Mathwhiz, etc) 
 +  - Significant numbers and dates 
 +    - like: address, birth/marriage/etc dates, lucky numbers, graduation date 
 +  - Reverse or change the letters 
 +    - Adlihnurb, tsorfmada 
 +    - Substituting $ for s, 0 for o, 3 for e, 1 for i, etc  (P@$$w0rd, w1k1h0w) 
 +  - If you have access to their machine, check for saved passwords in Browsers 
 + 
 +How long to crack: From [[https://www.komando.com/security-privacy/check-your-password-strength/783192/|Kim Komando]] March 2021
 ^Length^numbers only^lowercase letters^U/L letters^Numbers, U/L^Numbers, U/L, Symbols^ ^Length^numbers only^lowercase letters^U/L letters^Numbers, U/L^Numbers, U/L, Symbols^
 |10|instantly|58 min|1 month|7 months|5 years| |10|instantly|58 min|1 month|7 months|5 years|
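Review bot: "cain and able" in the cracking-software line is the tool Cain & Abel; fix the name since the rest of the list is accurate. The added WikiHow steps are a good fit for the talk, but the list should state outright that the tricks it ends with (reversing the word, swapping $ for s, 0 for o, 3 for e, 1 for i) are exactly the variations password-cracking tools generate automatically from a dictionary word, so "P@$$w0rd" is no harder to crack than "password"; the entropy comparison further down the page (P@$$w0rd scoring 3.58) makes the same point and could be cross-referenced here. The new bullet "Using the same or similar password for multiple sites" is the most important addition in this hunk: a breach of one site exposes every account sharing that password, which is the strongest argument for the per-site generated passwords recommended later.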
Line 35: Line 60:
 //Of course technology will improve over time and shorten these brute force crack times.// //Of course technology will improve over time and shorten these brute force crack times.//
  
-You should assume that the attacker knows a lot about you: e.g., Facebook.  Guessable things like the following have no business being in your password (or as one the answer to any of your recovery questions:+You should assume that the attacker knows a lot about you: e.g., Facebook.  Guessable things like the following have no business being in your password (or as one the answer to any of your recovery questions):
   * Your: name, birthday, anniversary, social security number, etc   * Your: name, birthday, anniversary, social security number, etc
   * Name, birthday, etc of your parents, friends, spouse, dogs, etc   * Name, birthday, etc of your parents, friends, spouse, dogs, etc
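Review bot: the closing parenthesis added at the end of the sentence fixes the unbalanced bracket, but the phrase still reads "or as one the answer to any of your recovery questions"; drop the stray "one" (or make it "as the answer to any one of your recovery questions").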
Line 54: Line 79:
  
 ====Remembering Passwords and Associated Issues==== ====Remembering Passwords and Associated Issues====
-|Method|Plusses|Minuses| +^Method^Plusses^Minuses^ 
-|Piece of paper|Free, flexible|Loss. Smudges/can't read writing. Processed by washing machine. Someone else can get. You create passwords.| +|Piece of paper|Free, flexible|Loss. Smudges/can't read writing. Processed by washing machine. Someone else can get. You create the passwords.| 
-|Sticky note attached to computer|Free|Can be seen or stolen by others. Fall off/loss. Smudges/can't read writing. Only available on computer its posted. You create passwords.|+|Sticky note attached to computer|Free|Can be seen or stolen by others. Fall off/loss. Smudges/can't read writing. Only available on computer its posted. You create the passwords.|
 |Spreadsheet|Free, flexible|Where do you store it. Overwrittenable by accident. You create passwords.| |Spreadsheet|Free, flexible|Where do you store it. Overwrittenable by accident. You create passwords.|
-|Password Manager|Free, or paid. Can produce good passwords|Where are passwords stored. Breech if stored online|+|Password Manager|Free, or paid. Can produce good passwords in one spot. Backupable.|Where are passwords stored. Possible breech if stored online. Loss or theft if stored in thumb drive or your computer.| 
 +or there's this option,\\ credit to John McPherson of [[http://closetohome.com|Close to Home]]:\\  
 +{{:20211202solution.jpg?direct&500|}}
  
 ====How to create hard-to-guess passwords==== ====How to create hard-to-guess passwords====
-If a human is going to guess the password then make it unhuman.  Consider: a password "safe" Here are some free alternatives.  From [[https://www.techradar.com/news/software/applications/the-best-password-manager-1325845|Tech RadarThe best free password manager 2019]] with updates I took from the application sites 20211129\\  +If a human is going to guess the password then make it unhuman.  Consider: a password "safe" Here are some alternatives, many are free or have free options.\\   
-Also see [[https://www.pcmag.com/roundup/331555/the-best-free-password-managers|PC Magazine's picks]]\\  +You can also do a DuckDuckGo (or Google if you're still using Google) search for "Best Password Managers" and look for those with recent information.
-Do a DuckDuckGo (or Google if you're still using Google) search for "Best Password Managers" and look for those with 2020 or 2021 information.+
  
-All offer unlimited login and text note storage in a secure vault protected by your master password, and can generate (and store) strong passwords.+//All of these offer login and text note storage in a secure vault protected by your master password, and can generate (and store) strong passwords.//
  
 +//Following data updated 10/9/2022.  There are MANY other options, these are a few.  You should study all of the features and drawbacks of any option you consider or select.//
 ^Manager^Free version.  ^Paid version.  ^Cost.  ^platforms^ ^Manager^Free version.  ^Paid version.  ^Cost.  ^platforms^
-|[[https://www.lastpass.com/|www.lastpass.com]] |Access on one device type |1GB Secure cloud storage\\ Multi Factor Authentication\\ Contingency plan (loved one access in emergency) |Free for one device type; $3/month 1 user, $4/month 6 users (group and share items, family manager)|Win, Mac, Linux, Mobile| +|[[https://www.lastpass.com/|www.lastpass.com]] |Access on one device type (computer or mobile) |1GB encrypted cloud storage\\ Multifactor Authentication (MFA)\\ Contingency plan (loved one access in emergency) |Free for one device type; $36/yr 1 user, $48/yr 6 users (group and share items, family manager)|Browser based. Win, Mac, Linux, Mobile| 
-|[[https://www.dashlane.com/|www.dashlane.com]]|Up to 50 passwords, one device|unlimited passwords, unlimited devices, 1GB max| $4.99/mo billed annually, multiple accounts $7.49/mo billed annually|Win, Mac, iOS, Android| +|[[https://www.dashlane.com/|www.dashlane.com]]|One device, secure sharing|unlimited devices, 1GB max, VPNFree; $60/yr or $90/yr (10 accts)|Browser based.  Win, Mac, iOS, Android| 
-|[[https://keepersecurity.com|keepersecurity.com]]|access on one device|unlimited device access|$2.91/month, $34.99 annually|Mac, Windows, Linux, iOS, Android| +|[[https://keepersecurity.com|keepersecurity.com]]|no free option|(Personal) no limits on storage, devices, sharing; (family) 5 vaults, 10GB secure storage|Personal $35/yrFamily $75/yr|App: Mac, Windows, Linux, iOS, Android; Browser extension
-|[[https://www.roboform.com/lp?frm=everywhere-offer&rec=TechRadar&dc=TR30&affid=a6277|www.roboform.com]]| |sync across devices, cloud backup, web access, all cost|<del>$23.88</del>$16.68/1yr, <del>$71.64</del>$45.14/3yr, <del>$119.40</del>$69.60/5yr|Windows, Mac, iOS, Android, Linux, Chrome OS+|[[https://www.roboform.com/lp?frm=everywhere-offer&rec=TechRadar&dc=TR30&affid=a6277|www.roboform.com]]|one device |sync across devices, cloud backup, web access. Family plan is 5 users.|Personal: $16.68/1yr, $45.14/3yr, $69.60/5yr\\ Family: $33.40/1yr, $90.20/3yr, $139.30/5yr|Windows, Mac, iOS, Android, Linux, Chromebook, Browsers
-|[[https://bitwarden.com/|bitwarden.com]]|* passwords file kept online\\ *<fs small>(but you can install it on your own server)</fs>\\ *one file, share w/another | 1GB encrypted storage | $10/yr one user, $39.96/yr up to 6 users |Windows, Mac, Linux, iOS, Android| +|[[https://bitwarden.com/|bitwarden.com]]|Unlimited pw, devices | 2FA, emergency access, share w/1-6 people | $10/yr one user, $40/yr up to 6 users |Windows, Mac, Linux, iOS, Android, Browsers
-|[[https://keepass.info/|keepass.info]]|* Can run from USB\\ * Many customizable options\\ * A little intimidating? You judge.|FOSS((FOSS=Free, Open-Source Software)) - there is no paid version -- all features in free version\\ Many ports, with different features and UI|Note, no cost. Does not provide place to store the Password Safe, that's up to you|Windows, Android, iPhone/iPad, Mac, Chromebook, Blackberry, Linux, and more|+|[[https://1password.com/]]|no free version, only paid, 2wk free trial|unlimited pw & devices, 1GB storage, 2FA.|Individual: $36/yr, Families (5 family members): $60/yr|Mac, Win, Linux, iOS, Android, Browsers| 
 +|[[https://nordpass.com/]]|unlimited pw, notes also, credit cards|emergency access |Premium $24/yr, Family (6 accts) $60/yr|Win, Mac, Linux, Android, iOS, Browsers| 
 +|[[https://keepass.info/]]\\ [[https://keepassxc.org/download/|KeePassXC]]|* Can run from USB\\ * Many customizable options\\ * A little intimidating? You judge.|FOSS((FOSS=Free, Open-Source Software)) - there is no paid version -- all features in free version\\ Many ports, with different features and UI|Note, no cost. Does not provide place to store the Password Safe, that's up to you|Windows, Android, iPhone/iPad, Mac, Chromebook, Blackberry, Linux, and more| 
 +KeePassXC is a KeePass port, see Tech Radar's review: [[https://www.techradar.com/reviews/keepassxc]]. It's free but accepts donations. 
 + 
 +Refs:  
 +  * [[https://www.techradar.com/news/software/applications/the-best-password-manager-1325845|Tech Radar, The best free password manager 2019]] 
 +  * [[https://www.pcmag.com/roundup/331555/the-best-free-password-managers|PC Magazine's picks]] 
 +  * [[https://www.pcmag.com/picks/the-best-password-managers]] 
 +  * [[https://www.cnet.com/tech/services-and-software/best-password-manager/]] 
 +  * [[https://www.techradar.com/best/password-manager]] a good site for reviews of offerings 
 +  * [[https://www.techradar.com/reviews/keepassxc]] TechRadar's review of KeePassXC
  
 ====Caveat==== ====Caveat====
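Review bot: "breech" in the Password Manager row should be "breach". The same row's new "Loss or theft if stored in thumb drive or your computer" overstates what a thief gets: the vault file is encrypted, so what theft hands the attacker is unlimited offline guessing against the master password, and that is worth stating because it is the reason the one password you do remember has to be long. Two rows of the new manager table have lost a cell separator: the Dashlane row reads "1GB max, VPNFree; $60/yr" (a "|" is missing between "VPN" and "Free") and the Keeper row reads "Personal $35/yrFamily $75/yr" (needs "\\" or a comma between the two prices). Smaller style points in the context lines: "Overwrittenable by accident" should be "Can be overwritten by accident", "Only available on computer its posted" should be "Only available on the computer it's posted on", and the Tech Radar reference in Refs is still labelled 2019 although the table now says the data was updated 10/9/2022.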
Line 85: Line 123:
 ====What I do==== ====What I do====
 //These are my practices for your information. You should make a decision that's best for you.// //These are my practices for your information. You should make a decision that's best for you.//
-  * KeePass on multiple devices+  * Use KeePass application on multiple devices 
 +    * On MacBook: KeePassXC 
 +    * On iPhone and iPad: KeePass Touch 
 +    * On Android: 
 +    * On Windows:
   * Store password file in iCloud   * Store password file in iCloud
-  * Copy password file to local Documents on each device +  * Copy password file to local Document storage on each device (so it's available when there's no internet) 
-  * Copy password file to Dropbox, pCloud+  * Copy password file to Dropbox, pCloud (as backup) 
 + 
 +To note: 
 +  * KeePassXC updates the iCloud version whenever I make a change 
 +  * On iPhone and iPad I need to download a latest version of password file 
 +  * I added an entry in the password file that tracks latest changes (so I can tell if I have the latest on a given device)
  
 Benefits: Benefits:
   * Free   * Free
 +  * Available on all my devices
   * One password to remember   * One password to remember
   * I can use long and complex passwords   * I can use long and complex passwords
 +  * Can keep a history of past passwords
  
 Using a password manager: Using a password manager:
-    * you can create quite long and complex passwords+    * easy to create long and complex passwords 
 +    * you can use long and complex passwords
     * you can create secure passwords and not have to remember all of them     * you can create secure passwords and not have to remember all of them
     * you only have to remember One password     * you only have to remember One password
 +    * you can store your password file encrypted in multiple places including USB drives so it's unlikely to be lost
     * you have all of your important access information in one spot, the encrypted file     * you have all of your important access information in one spot, the encrypted file
-      * (your next of kin would likely find this useful)+      * //your next of kin would likely find this useful//
 ====More About KeePass==== ====More About KeePass====
 //Note that many of these features can be handled/provided by other password manager software, free and at cost// //Note that many of these features can be handled/provided by other password manager software, free and at cost//
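Review bot: the new "On Android:" and "On Windows:" sub-bullets are empty; either name the app used on each platform or drop the two lines so the list does not read as truncated. "download a latest version of password file" should be "download the latest version of the password file". The sync scheme described here (iCloud holds the master, manual copies go to local Documents, Dropbox and pCloud, and a change-log entry tells which copy is newest) has one failure mode the slide should state: editing the database on a device that holds a stale copy and then copying it back silently discards the newer changes. KeePass 2.x (File > Synchronize) and KeePassXC (Database > Merge From Database) merge two copies entry by entry instead of overwriting, which removes that risk and leaves the change-log entry as a sanity check only.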
Line 115: Line 166:
     * These are all available to download from keepass.info     * These are all available to download from keepass.info
  
-===My history with KeePass and password managers===+===My history with passwords and password managers===
  
-  * At first, password database on USB stick +  * At first, one password for all sites 
-    * Copy it to/from any computer I'd use+    * Turns out, it was easy to guess! 
 +  
 +  * Then 
 +    * Password database on USB stick 
 +    * Copy database to/from any computer I'd use
     * Not possible on smartphone (and I didn't have one)     * Not possible on smartphone (and I didn't have one)
     * Risk: loss of USB stick, loss of database synch     * Risk: loss of USB stick, loss of database synch
  
   * Then, use Dropbox to hold database   * Then, use Dropbox to hold database
-    * Password control to Dropbox 
     * In the cloud, can access from many devices (as I now had a smartphone)     * In the cloud, can access from many devices (as I now had a smartphone)
 +    * Two levels security: need password to access Dropbox, need password to access Password DB
  
   * Then Dropbox restricted free access to max 3 devices   * Then Dropbox restricted free access to max 3 devices
-    * So I switched to iCloud, as 5GB free [note, my database is 350KB] +    * As I have more than 3 devices, I had to seek alternatives 
-    * After a change(s), copy DB from iCloud to other places+    * So I switched to iCloud, as 5GB is free [note, my database is ~350KB] 
 +    * Most recent version on iCloud 
 +    * For redundancy, after I make password DB change(s), copy DB from iCloud to other places
       * local Documents directory       * local Documents directory
       * Clouds: Dropbox, pCloud       * Clouds: Dropbox, pCloud
 +    * I share password DB with wife via pCloud
    
   * I use a DB entry to log changes   * I use a DB entry to log changes
-    * Last changed 20211201.2007 (Dec 22021, 8:07pm) +    * "Last changed 20221009.1817" meaning October 92022 at 6:17pm 
-    * Enter change(s) made, eg: "1201: updated CCS entry, new password Kohls"+    * Enter change(s) made, eg: "0921: updated CCS entry, new password Kohls" 
 +    * This I do manually
     * Helps me synchronize databases     * Helps me synchronize databases
  
   * I use KeePass application to create new entries and login passwords   * I use KeePass application to create new entries and login passwords
     * Passwords typically 14+ characters (upper/lower case and numbers)     * Passwords typically 14+ characters (upper/lower case and numbers)
-    * KeePass tells me if a password is/isn't secure+    * KeePass tells me how secure given password is
  
 Here is a possible password I might use: ''cqLbq2NHcuNmgU'' -- 14 characters, upper and lower case letters, and at least one number.  This one has entropy 82.06 which is deemed "good".   Here is a possible password I might use: ''cqLbq2NHcuNmgU'' -- 14 characters, upper and lower case letters, and at least one number.  This one has entropy 82.06 which is deemed "good".  
  
 Another: ''M6dehfJRn7dz7lM82K'' 18 characters with entropy 101.60 and is deemed "excellent" by KeePass. Another: ''M6dehfJRn7dz7lM82K'' 18 characters with entropy 101.60 and is deemed "excellent" by KeePass.
 +By comparison
 +|password|entropy 1.00|
 +|Password|entrypy 2.00|
 +|P@$$w0rd|entropy 3.58 (and P@$$w0 has entropy 16.80 !)|
 +
  
  
 //There are other capabilities of a KeePass password manager, such as autofill (it'll copy and enter passwords for you) and URL entry (it'll type your site's URL into your browser), and more; but I do not have experience with these.// //There are other capabilities of a KeePass password manager, such as autofill (it'll copy and enter passwords for you) and URL entry (it'll type your site's URL into your browser), and more; but I do not have experience with these.//
 +
 +====Next: Live demo of KeePass====
 +on smi macbook
 +
 +  * open, select PasswordExample.kbdx pw=1234
 +  * Save as CSV and look
 +  * Save as HTML and look
 +  * Database>Reports
 +====Questions and Answers====
 +
 +----
 +
 +====References====
 +  * [[https://www.betterbuys.com/estimating-password-cracking-times/]]
 +  * [[https://digg.com/2020/password-difficulty-hacking]]
 +  * [[https://sites.psu.edu/hacking/2017/02/17/how-to-guess-a-password/]]
 +  * [[https://www.comparitech.com/privacy-security-tools/password-strength-test/]]
 +  * [[https://keithieopia.com/post/2017-12-13-passwd-crack-time/]]
 +  * [[https://www.komando.com/security-privacy/check-your-password-strength/783192/]]
 +  * [[https://www.komando.com/safety-security-reviews/creating-the-best-passwords/592778/]]
 +  * [[https://www.cnet.com/tech/services-and-software/dont-put-your-online-security-at-risk-get-a-password-manager-now/]]
 +
  
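Review bot: "PasswordExample.kbdx" in the demo steps should be ".kdbx", the KeePass 2.x database extension, or the file will not open in the demo. The "Save as CSV" and "Save as HTML" steps write every password in the vault to an unencrypted file; the notes should say where that export lands (not inside the iCloud, Dropbox or pCloud folders) and that it is deleted right after the demo. Typos in the new text: "October 92022" should be "October 9, 2022" so the tag "20221009.1817" decodes cleanly, "entrypy 2.00" should be "entropy 2.00", "Two levels security" should be "Two levels of security", "eg:" should be "e.g.", and "synch" in the context line should be "sync". The comparison table makes the right point: the drop from 16.80 for "P@$$w0" to 3.58 for "P@$$w0rd" is consistent with KeePass recognising the leet-substituted dictionary word, while the 14-character random string scores 82.06, so the WikiHow substitution tricks listed earlier buy almost nothing.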
security_presentation.1638205944.txt.gz · Last modified: 2021.12.22 14:33 (external edit)