[opensuse] using KGpg to encrypt a LibreOffice text document in .ODT format
Hello List,
- in case of interest:
i tried using KGpg Version 2.12.1 to encrypt a LibreOffice Version: 4.1.6.2 Build ID: 410m0(Build:2) text document in .odt format
..................
- after decrypting the file, LibreOffice found the text document to be corrupted, and LibreOffice failed in its attempt to repair that corruption
..............
regards
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 8/11/2014 12:21 PM, ellanios82 wrote:
Hello List,
- in case of interest:
i tried using
KGpg Version 2.12.1
to encrypt a LibreOffice Version: 4.1.6.2 Build ID: 410m0(Build:2) text document in .odt format
..................
- after decrypting the file, LibreOffice found the text document to be corrupted, and LibreOffice failed in its attempt to repair that corruption
..............
regards
I just did a test using all the same versions you did. I verified that the document worked fine in LO before starting. I saved under a different name when Encrypting with KGpg. I saved under a different name when DEcrypting with Kgpg. I diff'ed the input and output files and saw no difference. LO opened the encrypted-then-decrypted file perfectly.
It's not LO's job to repair damage done by KGpg. Are you sure of your steps?
On 08/11/2014 10:41 PM, John Andersen wrote:
I just did a test using all the same versions you did. I verified that the document worked fine in LO before starting. I saved under a different name when Encrypting with KGpg. I saved under a different name when DEcrypting with Kgpg. I diff'ed the input and output files and saw no difference. LO opened the encrypted-then-decrypted file perfectly.
It's not LO's job to repair damage done by KGpg. Are you sure of your steps?
- thank you : no i am not too sure : i did not do as you did :
"I saved under a different name when Encrypting with KGpg." "I saved under a different name when DEcrypting with Kgpg."
in my case, I used same names and overwrote.
......................
regards
On 8/11/2014 12:54 PM, ellanios82 wrote:
in my case, I used same names and overwrote.
Living on the edge my friend..... ;-)
On 11/08/14 20:54, ellanios82 wrote:
- thank you : no i am not too sure : i did not do as you did :
"I saved under a different name when Encrypting with KGpg." "I saved under a different name when DEcrypting with Kgpg."
in my case, I used same names and overwrote.
Never a good idea when processing files like that...
On 08/11/2014 11:06 PM, Dylan wrote:
Never a good idea when processing files like that...
- Can one conclude that best practice would suggest ? :
1. Upon encryption Save to New Name
2. Delete original un-encrypted file
................
regards
On 8/11/2014 1:57 PM, ellanios82 wrote:
Never a good idea when processing files like that...
- Can one conclude that best practice would suggest ? :
1. Upon encryption Save to New Name
2. Delete original un-encrypted file
Being a belt and suspenders sort of guy.....
1 encrypt to new name (not REALLY necessary because it will get an additional extension.)
2 decrypt to new name
diff original.odt new-decrypted.odt
if no differences, you would be free to delete original and newly-decrypted copy of original.
However, that last bit about deleting still gives me the willies.
Well try it and post back. Then try your old method and see if it still fails or if it was a fluke.
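The encrypt, decrypt, compare, then delete sequence from the message above, as an added example that is not code from the thread. The function names and the gpg command lines are assumptions (KGpg is a front end to GnuPG); the encrypt and decrypt steps are passed in as callables so the check does not depend on the tool.

```python
import hashlib
import subprocess
import sys
import tempfile
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large documents are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def gpg_encrypt_for(recipient):
    """Return an encrypt(src, dst) step that calls gpg for one recipient key."""
    def run(src, dst):
        subprocess.run(["gpg", "--output", str(dst), "--recipient", recipient,
                        "--encrypt", str(src)], check=True)
    return run


def gpg_decrypt(src, dst):
    """decrypt(src, dst) step; gpg asks for the passphrase itself."""
    subprocess.run(["gpg", "--output", str(dst), "--decrypt", str(src)], check=True)


def encrypt_verified(original, encrypt, decrypt, delete_original=False):
    """Encrypt to a new name, decrypt to a scratch copy, compare, then optionally delete.

    The input file is never written to. The original is removed only after the
    decrypted copy has been shown to be byte-identical to it.
    """
    original = Path(original)
    encrypted = original.with_name(original.name + ".gpg")  # new name, extra extension
    if encrypted.exists():
        raise FileExistsError(f"refusing to overwrite {encrypted}")
    try:
        encrypt(original, encrypted)
        # The scratch copy is cleartext; it is unlinked on exit, not securely wiped.
        with tempfile.TemporaryDirectory() as scratch:
            roundtrip = Path(scratch) / original.name
            decrypt(encrypted, roundtrip)
            if sha256_file(roundtrip) != sha256_file(original):
                raise ValueError("decrypted copy differs from original; original kept")
    except Exception:
        # Do not leave a partial or unverifiable ciphertext behind.
        encrypted.unlink(missing_ok=True)
        raise
    if delete_original:
        original.unlink()
    return encrypted


if __name__ == "__main__":
    # usage: python encrypt_verified.py document.odt recipient-key-id
    doc, key = sys.argv[1], sys.argv[2]
    print("verified:", encrypt_verified(doc, gpg_encrypt_for(key), gpg_decrypt))
```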
On 08/11/2014 04:57 PM, ellanios82 wrote:
- Can one conclude that best practice would suggest ? :
1. Upon encryption Save to New Name
2. Delete original un-encrypted file
????? If you are encrypting, think about the purpose. What is the point of keeping the cleartext around?
What? Oh right. The crypttext is for transmission and will be deleted after a copy has been sent, but keep the cleartext around.
There is no such thing as a *BEST* practice. That is a term invented by the Big Four to make out that They Know What's Best.
There is no best, there is only what's good for you in your circumstances, for your application.
I keep saying Context is Everything and that applies here too.
Like, hey, Zimmermann came up with PGP for secure communication, not for crypto archiving. https://www.philzimmermann.com/EN/essays/WhyIWrotePGP.html
On 08/12/2014 07:17 AM, Anton Aylward wrote:
On 08/11/2014 04:57 PM, ellanios82 wrote:
- Can one conclude that best practice would suggest ? :
1. Upon encryption Save to New Name
2. Delete original un-encrypted file
????? If you are encrypting, think about the purpose. What is the point of keeping the cleartext around?
What? Oh right. The crypttext is for transmission and will be deleted after a copy has been sent, but keep the cleartext around.
There is no such thing as a *BEST* practice. That is a term invented by the Big Four to make out that They Know What's Best.
There is no best, there is only what's good for you in your circumstances, for your application.
I keep saying Context is Everything and that applies here too.
- Thank you,
Because, one needs so many user-names and passwords : My.Yahoo, Google, Bank, etc., etc. : until now it had seemed reasonable to keep in text-file
. . . but one reads frightening stuff like hackers scooping millions of passwords
: thus, it seemed not excessive to think about using PGP to encrypt that text-file
: this text-file might have to be decrypted and again re-encrypted several times a day
- but, perhaps this is not a good way : maybe a Linux specialized password-wallet is a better way to consider ?
............
regards
Password wallets get my vote. There are dozens to choose from. Just make sure the one you choose can sync with your phone, your tablet, your old phone that you just keep on your desk, your computer, and maybe Dropbox (as long as it encrypts it before sending it to Dropbox. Because Dropbox can't be trusted).
I haven't found one that syncs with Linux yet, but I use mSecure on Android and Windows and iPad.
On August 12, 2014 12:14:28 AM PDT, ellanios82 <ellanios82@gmail.com> wrote:
On 08/12/2014 07:17 AM, Anton Aylward wrote:
On 08/11/2014 04:57 PM, ellanios82 wrote:
- Can one conclude that best practice would suggest ? :
1. Upon encryption Save to New Name
2. Delete original un-encrypted file
????? If you are encrypting, think about the purpose. What is the point of keeping the cleartext around?
What? Oh right. The crypttext is for transmission and will be deleted after a copy has been sent, but keep the cleartext around.
There is no such thing as a *BEST* practice. That is a term invented by the Big Four to make out that They Know What's Best.
There is no best, there is only what's good for you in your circumstances, for your application.
I keep saying Context is Everything and that applies here too.
- Thank you,
Because, one needs so many user-names and passwords : My.Yahoo, Google, Bank, etc., etc. : until now it had seemed reasonable to keep in text-file
. . . but one reads frightening stuff like hackers scooping millions of passwords
: thus, it seemed not excessive to think about using PGP to encrypt that text-file
: this text-file might have to be decrypted and again re-encrypted several times a day
- but, perhaps this is not a good way : maybe a Linux specialized password-wallet is a better way to consider ? ............
regards
On 08/12/2014 03:14 AM, ellanios82 wrote:
I keep saying Context is Everything and that applies here too.
_______________________
- Thank you,
Because, one needs so many user-names and passwords : My.Yahoo, Google, Bank, etc., etc. : until now it had seemed reasonable to keep in text-file
Eh? Sorry, no, I don't think that it does. If you use a modern browser it has the ability to remember login. There are a number of plugins for Firefox to do this. In addition there are specific password managers for Linux in a variety of flavours.
. . . but one reads frightening stuff like hackers scooping millions of passwords
Which journalists play into headlines. Someone drilled down on that and found many of those "millions" were actually garbage.
Why? Do you have reason to think that *your* passwords have been stolen, are among them?
To my mind, protecting the password store on *your* machine is of little use if the sites you visit are vulnerable. Perhaps they have you enter your password over a plain http connection, not https. Perhaps they store your password in cleartext in their database. Heck it makes more sense for hackers to attack some sites that have those millions of passwords, many by people who use the same password on all accounts, than to target users individually.
Really, it's about Risk management and some *sites* are the risk. Consider the ones, for example, that only allow 8 character passwords and ignore case. Yes there are still many of those around.
: thus, it seemed not excessive to think about using PGP to encrypt that text-file
: this text-file might have to be decrypted and again re-encrypted several times a day
Seems very wrong headed to me.
- but, perhaps this is not a good way
Damn right! Lots of limits on how to 'automatically' create, store, import etc. Lots of manual intervention needed, as you point out. Very much the old 1980's "Classic UNIX" way of doing it. Sad to say but MS-Windows and its emphasis on GUI-ness has shown this to be antiquated.
: maybe a Linux specialized password-wallet is a better way to consider ?
Like Kwallet if you are using KDE? Keyring if you are using Gnome?
But the example you gave above makes me think that a store integrated with your browser makes more sense.
http://www.techradar.com/news/software/applications/8-of-the-best-linux-pass...
Probably the most popular is http://www.keepassx.org/
What's interesting about this http://sourceforge.net/projects/passwordsafe/ is
<quote> PasswordSafe lets you create different groups such as blogs, forums, wikis and the like. You can then assign entries to any of these groups. You can define the settings for the password generator in the last tab – things like the number of characters, or what combination of lower-case/uppercase letters and numbers to use. </quote>
On 08/12/2014 03:42 PM, Anton Aylward wrote:
Like Kwallet if you are using KDE? Keyring if you are using Gnome?
Thank you
......................
btw. : seems * pwgen * is a great password generator :
- the command : pwgen 32 10
- produces a list of ten 32 character passwords . . . Brill. :)
................
regards
On 08/12/2014 09:42 AM, ellanios82 wrote:
On 08/12/2014 03:42 PM, Anton Aylward wrote:
Like Kwallet if you are using KDE? Keyring if you are using Gnome?
Thank you
......................
btw. : seems * pwgen * is a great password generator :
- the command : pwgen 32 10
- produces a list of ten 32 character passwords . . . Brill. :)
IIR there was a tool which produced 'pronounceable' passwords like 'Xpektor8' :-) Seriously. You seem hung up on text-mode, as I said, '1980s UNIX mode'. The various tools I referred to integrated with browsers and the like. I gathered from your previous email that you were using passwords to log in to various sites
My.Yahoo, Google, Bank, etc., etc.
and I presume that you use a web browser to do that. Unless you are talking dedicated application on Android or iOS.
So a password manager which integrates with the browsers such as 'Password Exporter' in Firefox or any of the generic tools I mentioned in my previous post (which took only a few seconds googling) has more relevance. Some of them also have password generators that are more controllable than 'pwgen'.
For example Figaro has a password generator that can choose passwords for you. In addition to how long the password should be, and what types of characters (lower case, upper case, numbers and symbols) should be used. You can even have it avoid ambiguous characters such as a capital O or the number zero, lower case 'L' and the number '1'.
More to the point, many of these tools don't simply store the password, they also store the other login characteristics that go with a specific site and take care of autofill.
That's what I mean by the text-file approach being '1980s UNIX mode'. It doesn't integrate with the GUI and doesn't integrate with the browser and doesn't expedite your work flow.
On Tue, Aug 12, 2014 at 8:42 AM, Anton Aylward <opensuse@antonaylward.com> wrote:
. . . but one reads frightening stuff like hackers scooping millions of passwords
Which journalists play into headlines. Someone drilled down on that and found many of those "millions" were actually garbage.
From what I understand there are nefarious sites where I can get millions of actual passwords that people have used. Then I can get the hashed equivalent of all those passwords.
Thus a bad actor can pull down the million or more most common passwords and their linux equivalent hash. If he can then get access to the hashed passwords maintained in /etc, with a relatively quick reverse lookup he can determine what the password was for each account.
I do more of this in Windows world than in Linux, but in Windows the first thing an attacker goes for after they breach a PC is the SAM files. Those have the windows encrypted passwords. With that, they run reverse lookups to figure out what the various user passwords are. I've watched a white-hat cracker break the administrator password on a windows box in under 10 minutes after he got the SAM file.
Thus the secret is to have long unusual passwords if you want them to be secure even if someone is able to get the hashed version of your password.
I assume open office docs have the hashed password embedded in them somewhere, so for them it is especially important the password be long and unusual.
Greg
On 08/12/2014 11:06 AM, Greg Freemyer wrote:
On Tue, Aug 12, 2014 at 8:42 AM, Anton Aylward <opensuse@antonaylward.com> wrote:
. . . but one reads frightening stuff like hackers scooping millions of passwords
Which journalists play into headlines. Someone drilled down on that and found many of those "millions" were actually garbage.
From what I understand there are nefarious sites where I can get millions of actual passwords that people have used. Then I can get the hashed equivalent of all those passwords.
Thus a bad actor can pull down the million or more most common passwords and their linux equivalent hash. If he can then get access to the hashed passwords maintained in /etc, with a relatively quick reverse lookup he can determine what the password was for each account.
I'm not arguing with what you are saying but I think you are missing my point.
So there are sites which have gathered together millions of passwords. But they haven't got those by visiting machines like ellanios's step-and-repeat one by one and seeing that she and others have a text file wherein they keep their passwords and Lo! It's not encrypted. Rather they visit the sites that people like ellanios, you and me have accounts at but are run by admins who are less savvy and have allowed their systems to be hacked and either don't have one-way encryption of their passwords, keep them in cleartext or whatever, AND have allowed the hackers to break in and take whatever they want.
Now I admit that given enough computing power even one-way salted encryption might not be enough. Encryption has always been a catch-up game, but SHA-2 or SHA3 in 512 bit mode should hold against all except the NSA (and overseas equivalents) and botnets-of-GPUs.
But the real issue is that most of this is outside your control. It is the weaknesses in the sites you visit that are the issue, and sites like Yahoo, Google and Amazon are tempting because they have tens of millions of accounts. And these are real accounts, not the spamgrabbers like "junk@....".
Finally that hacker is not interested in what's in your /etc/password. He, she or increasingly 'it' - since this is getting to be a business and not a lone geek - but what's in your bank account, your paypal account (since that's all integrated with ebay). Look at what's integrated with Google these days under a 'single sign-in'. Look what can be federated to your LinkedIn sign-in.
Yes, I, and ellanios, may have lists of other accounts on our machines, but why would the hacker bother when he has the rich trove from breaking in to some service provider?
Plain text. Heck, I can even keep my password in an old moleskin that I keep behind the books on the shelf by my computer in case I ever lose my disk and all my backups, and SO FREAKING WHAT!!!
Someone would have to break in to the house, pass up on many more valuable things in display cabinets, rip down all my nooks and recognise that the tatty old moleskin is the key to accessing my ..... G+ account
Like I said, it's about risk management. Your greatest risk is in the web sites out there you access.
On 12/08/2014 19:07, Anton Aylward wrote:
Your greatest risk is in the web sites out there you access.
so why it's better to have more than one passwd (by the way I have nearly a hundred ones :-)
I don't really care if someone breaks my FB account :-)
jdd
On 08/12/2014 01:16 PM, jdd wrote:
On 12/08/2014 19:07, Anton Aylward wrote:
Your greatest risk is in the web sites out there you access.
so why it's better to have more than one passwd (by the way I have nearly a hundred ones :-)
I don't really care if someone breaks my FB account :-)
And so it comes to pass that someone breaks in to jdd's FB pages and uses it to defame and slander a presidential candidate.
Not being a frequent user of FB, jdd doesn't notice, but someone else does and it goes viral. It makes ABC news that evening, and the 'Net is divided, as is the way with politics, between those who hate that candidate and think jdd is a great hero for speaking out like that, and those who think that hanging, shooting and having jdd torn apart by ravenous wolves is too good for him.
Of course jdd knows nothing of this .... Until he gets a lawyer's letter from the legal team of the politician in question charging him with slander and demanding $5Million in reparation.
When the fuss dies down jdd decided to change his FB password. Sadly, due to all the publicity, there are over 1,000 hackers who have, one way or another, tapped into his machine, his feed, or his FB account.
On 12/08/2014 19:46, Anton Aylward wrote:
And so it comes to pass that someone breaks in to jdd's FB pages and
there is nothing I can do to protect my FB passwd, but if this pass is broken, my bank account is not. My internet reputation does not depend on my FB :-), I'm not a teenager :-). By the way I know of at least one person sharing exactly the same name and first name I have and do not endorse what he does :-)
jdd
On Tue, Aug 12, 2014 at 1:07 PM, Anton Aylward <opensuse@antonaylward.com> wrote:
Now I admit that given enough computing power even one-way salted encryption might not be enough. Encryption has always been a catch-up game, but SHA-2 or SHA3 in 512 bit mode should hold against all except the NSA (and overseas equivalents) and botnets-of-GPUs.
My ignorance is showing. Even with the best one-way salted encryption how long does it take to crack a password if it is only 5 chars long?
My belief/assumption is it doesn't take long to brute-force a short password regardless of the encryption used.
I use 4 chars for throw-away sites - 8 chars for sites I care about, but not that much (facebook / linked-in). 18 chars for things I really care about.
With a 18 char password, even the weakest encryption scheme should be relatively secure unless your password is in a rainbow table. Therefore, my 18 char passwords are also passwords I'm guessing no one else in the world is using.
The counter example is windows XP / windows 2000 server / windows 2003 server with the LM hash feature in use. The algorithm for LM hash truncates the password to 16-chars then hashes the first 8 chars and the second 8 chars separately. The end result is effectively just 2 8-char passwords. It also doesn't use a salt, so it allows for extremely quick password cracking even if the user used what seemed like a very secure password.
Greg
On 12/08/2014 19:47, Greg Freemyer wrote:
With a 18 char password, even the weakest encryption scheme should be relatively secure
an 18 char passwd has to be written down, too long to be remembered. How do you do if you need it on travel?
keying it needs often several tries, because chances are you make typos. If somebody is videotaping you, how long will it take to recover it? any keylogger will anyway do the job (let alone the sound of your keyboard...).
brute force is very difficult to use on most systems where login is trial limited. My bank needs me to go to office in person if I fail three times.
the problem there is that anybody can try and break your account (I mean make it unusable), for example typing a wrong log number (yours in place of theirs)
there is no real solution to the problem.
protection has to be as good as necessary, no more
jdd
On 08/12/2014 02:11 PM, jdd wrote:
an 18 char passwd has to be written down, too long to be remembered. How do you do if you need it on travel?
I have some >30 character pass PHRASES, such as the one to unlock my ssh.
At school I was forced to learn various poems and stand out and recite them, in English Lit same with some books and plays. Later in life I wrote soppy poetry for a girl I fancied. She forgot it but I remember it. So all that, together with nursery rhymes, advertising jingles and more, I have a good stock of 'phrases'. And it's easy to do the haxor speek transliteration along the way.
So actually they are easier to remember than the shorter 4-16 awkward sequence passwords, the ones I write down in that tatty old moleskin. All the really important ones never get written down or stored anywhere.
On Tue, Aug 12, 2014 at 2:11 PM, jdd <jdd@dodin.org> wrote:
On 12/08/2014 19:47, Greg Freemyer wrote:
With a 18 char password, even the weakest encryption scheme should be relatively secure
an 18 char passwd has to be written down, too long to be remembered. How do you do if you need it on travel?
DogKilledByApe,News@11
21 chars and easy to remember. Long passwords don't necessarily have to be complex, just long and relatively obscure.
I would write down a hint for that like, "Ape loose in the city". That should be enough for me to remember it.
fyi: I just made that one up, so feel free to use it!
keying it needs often several tries, because chances are you make typos. If somebody is videotaping you, how long will it take to recover it? any keylogger will anyway do the job (let alone the sound of your keyboard...).
brute force is very difficult to use on most systems where login is trial limited. My bank needs me to go to office in person if I fail three times.
The first goal of most hackers is the password repository. They then have a copy of all the encrypted passwords.
They then start cracking those passwords. Let's say they manage to steal 1,000,000 encrypted passwords.
They will set up a list of "all short passwords" and a list of all common passwords. Let's say that is 100,000,000 passwords.
For their big 100 million password list they run all of them through the encryption algorithm and now have a 100 million hash / password pairs.
They match the stolen 1 million password hashes against the 100 million pre-calculated pairs and out pops 80 or 90% of the passwords.
That process is called using rainbow tables to crack a password.
If you are using either short or common passwords, you will be part of the victim list.
Proper use of salt makes this much more complicated and I admit to not recalling the details of how salt plays into this.
Greg
On 08/12/2014 02:45 PM, Greg Freemyer wrote:
On Tue, Aug 12, 2014 at 2:11 PM, jdd <jdd@dodin.org> wrote:
On 12/08/2014 19:47, Greg Freemyer wrote:
With a 18 char password, even the weakest encryption scheme should be relatively secure
an 18 char passwd has to be written down, too long to be remembered. How do you do if you need it on travel?
DogKilledByApe,News@11
21 chars and easy to remember. Long passwords don't necessarily have to be complex, just long and relatively obscure.
Love it! Now, what's the LAST line of the speech that begins "To be or not to be"? 83 @Ll my 5In5 R3m3m83r3D. Or, perhaps, even more obscure, the next to the last line :-)
That process is called using rainbow tables to crack a password.
If you are using either short or common passwords, you will be part of the victim list.
Proper use of salt makes this much more complicated and I admit to not recalling the details of how salt plays into this.
http://en.wikipedia.org/wiki/Salt_%28cryptography%29#Benefits
Of course you have to do it right and the evidence, as per analysts looking at libraries of code, is that many sites don't.
On Tuesday, 2014-08-12 at 14:45 -0400, Greg Freemyer wrote:
They match the stolen 1 million password hashes against the 100 million pre-calculated pairs and out pops 80 or 90% of the passwords.
That process is called using rainbow tables to crack a password.
...
Proper use of salt makes this much more complicated and I admit to not recalling the details of how salt plays into this.
The basic idea is like encoding your locally encrypted password list with another password, different on each machine (it is random). This way, they can not simply compare the hashed list of millions of more or less common passwords with your short list, because even if you use common passwords that are in that rainbow list, the hashes will not match.
So it protects against rainbow table attacks :-)
-- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
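The precomputed hash/password table from Greg Freemyer's message and the per-record random salt from the message above, side by side, as an added example that is not code from the thread. The function names, the constructed account list, and the choice of unsalted SHA-256 versus salted PBKDF2-HMAC-SHA256 are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny "common passwords" list and three accounts.
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty", "dragon"]
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "DogKilledByApe,News@11"}


def unsalted_hash(password):
    """Weak storage scheme: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup(candidates):
    """Precompute hash -> password once; reusable against every unsalted store."""
    return {unsalted_hash(p): p for p in candidates}


def salted_record(password, iterations=200_000):
    """Corrected storage scheme: random 16-byte salt per record plus a slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(password, record):
    """Login check: recompute with the stored salt, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def recovered_by_lookup(stored_hashes, lookup):
    """Which accounts fall to a plain table match, with no per-account work."""
    return {user: lookup[h] for user, h in stored_hashes.items() if h in lookup}


def compare_stores():
    lookup = build_lookup(COMMON_PASSWORDS)
    unsalted = {u: unsalted_hash(p) for u, p in ACCOUNTS.items()}
    salted = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    salted_hex = {u: r["hash"].hex() for u, r in salted.items()}
    return {
        # Common passwords pop straight out of the unsalted store.
        "unsalted_recovered": recovered_by_lookup(unsalted, lookup),
        # The same table matches nothing once each record has its own salt.
        "salted_recovered": recovered_by_lookup(salted_hex, lookup),
        # Unsalted: identical passwords are visible as identical hashes.
        "same_hash_unsalted": unsalted["alice"] == unsalted["bob"],
        "same_hash_salted": salted["alice"]["hash"] == salted["bob"]["hash"],
        # The legitimate user is unaffected.
        "login_still_works": verify("letmein", salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in compare_stores().items():
        print(f"{key}: {value}")
```

The salt removes the shared precomputation only; a short or common password can still be guessed one account at a time, which is why password length and the iteration count still matter.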
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Tuesday, 2014-08-12 at 20:11 +0200, jdd wrote:
brute force is very difficult to use on most system where login is trial limited. My bank needs me to go to office in person if I fail three time.
Mine too. But... they force that password to be 8 numbers. And forcing you to go in person if you make a mistake is a nuisance when you are not on your home town, or worse, abroad. A relative of mine found, when on a trip abroad, that his credit card was suddenly rejected at sites. Then he also got a phone call or an email from home, because the bank had called there, asking for him to call back. This message took some time to be relayed back to him, who then had to place an expensive very long distance phone call to his bank... who then said that they had deactivated the card because of "unusual activity", and that they were sorry. Heck, he was a trip abroad! Of course the activity was unusual, but perfectly legitimate! I don't remember if they managed to reactivate the card without getting a new one - which on a trip abroad it is very difficult to do, or if he had to borrow money from his fellow travelers. Banks have very funny security policies. Yesterday gmail asked me to verify my identity by SMS code, because of something suspicious. Maybe because I was using a different ISP, or because I was using "midori" as browser, the one that comes with the openSUSE XFCE rescue image, instead of the common firefox.
protection have to be as good as necessary, no more
Yes... On the other hand (back to the OP question), I would like a small text editor, capable of using strong encription (say, PGP), for editing in memory relatively small files, like one used to keep my passwords. I would not like somebody stealing my laptop, and getting the list of my passwords, extra. - -- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iEUEARECAAYFAlPqt7cACgkQtTMYHG2NR9UshQCYjgb0gneiz2aU1a2PcsA8ofC3 BQCfTz1HqqWOTsDuW+Jv4l3T7p2FOvU= =FER4 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 13/08/14 01:56, Carlos E. R. wrote:
I would not like somebody stealing my laptop, and getting the list of my passwords, extra.
Encrypt the hard drive, or at least /home. -- Bob Williams System: Linux 3.11.10-21-desktop Distro: openSUSE 13.1 (x86_64) with KDE Development Platform: 4.13.3 Uptime: 06:00am up 17:05, 3 users, load average: 0.05, 0.07, 0.06
On 2014-08-14 at 11:45 +0100, Bob Williams wrote:
On 13/08/14 01:56, Carlos E. R. wrote:
I would not like somebody stealing my laptop, and getting the list of my passwords, extra.
Encrypt the hard drive, or at least /home.
That I do already. But I want more, a single file, password protected. Why? Well, some paranoia. But also because the lappy is often hibernated, meaning the encryption is open at that moment. An editor capable of editing, in memory, PGP protected, plain text files, would be just wonderful. -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On Thursday, August 14, 2014 04:08:51 PM Carlos E. R. wrote:
On 2014-08-14 at 11:45 +0100, Bob Williams wrote:
On 13/08/14 01:56, Carlos E. R. wrote:
I would not like somebody stealing my laptop, and getting the list of my passwords, extra.
Encrypt the hard drive, or at least /home.
That I do already.
But I want more, a single file, password protected.
Why? Well, some paranoia. But also because the lappy is often hibernated, meaning the encryption is open at that moment.
You could get some benefits by using EncFS (userspace encryption) based on FUSE libraries. http://www.arg0.net/encfs It is available for openSUSE.
An editor capable of editing, in memory, PGP protected, plain text files, would be just wonderful.
-- Cheers Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
Regards, R.Chung
On Thursday, 2014-08-14 at 16:08 +0200, Carlos E. R. wrote:
An editor capable of editing, in memory, PGP protected, plain text files, would be just wonderful.
MyNotex It is a note taking application, made in Lazarus (object pascal), which supports photos and PGP encryption. I have not tested this feature, but it is there... <http://en.wikipedia.org/wiki/MyNotex> -- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 08/12/2014 01:47 PM, Greg Freemyer wrote:
Even with the best one-way salted encryption how long does it take to crack a password if it is only 5 chars long?
That depends on how much computing resources are devoted to the task. The classic DES-cracker of the EFF back in 1998 http://en.wikipedia.org/wiki/EFF_DES_cracker took only 56 hours. That's about 1 hour per bit of the key. That used 29x64 ASIC chips. Today's technology - well apply Moore's Law. Wet finger in the air estimate, at least 1000 times faster. And now we have dedicated chips for doing this in mass production. And microcode in CPUs. That machine cost the EFF $250,000 back then. The number of dedicated GPUs or custom ASIC you could get for that today, for one tenth of that cost. https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_d... No wonder we believe the NSA is reading all our phone calls. Who needs back doors? Of course for $99 ... http://www.parallella.org/ 4096 cores on a single chip http://www.adapteva.com/ Well, almost ... http://en.wikipedia.org/wiki/Adapteva http://www.zdnet.com/build-your-own-supercomputer-first-99-parallella-boards... -- /"\ \ / ASCII Ribbon Campaign X Against HTML Mail / \
On Tue, Aug 12, 2014 at 2:19 PM, Anton Aylward <opensuse@antonaylward.com> wrote:
On 08/12/2014 01:47 PM, Greg Freemyer wrote:
Even with the best one-way salted encryption how long does it take to crack a password if it is only 5 chars long?
That depends on how much computing resources are devoted to the task.
The classic DES-cracker of the EFF back in 1998 http://en.wikipedia.org/wiki/EFF_DES_cracker took only 56 hours. That's about 1 hour per bit of the key. That used 29x64 ASIC chips.
Today's technology - well apply Moore's Law. Wet finger in the air estimate, at least 1000 times faster. And now we have dedicated chips for doing this in mass production. And microcode in CPUs.
That machine cost the EFF $250,000 back then. The number of dedicated GPUs or custom ASIC you could get for that today, for one tenth of that cost.
https://w2.eff.org/Privacy/Crypto/Crypto_misc/DESCracker/HTML/19980716_eff_d...
No wonder we believe the NSA is reading all our phone calls. Who needs back doors?
Of course for $99 ... http://www.parallella.org/
4096 cores on a single chip http://www.adapteva.com/
Well, almost ... http://en.wikipedia.org/wiki/Adapteva http://www.zdnet.com/build-your-own-supercomputer-first-99-parallella-boards...
Custom cracking chips are great, but the modern way is to use a GPU (or collection of GPUs). This one does 348 billion password guesses a second: http://www.techspot.com/news/51044-25-gpu-cluster-can-brute-force-windows-pa... It can create the rainbow table of every possible Windows Server 2003 password and encrypted password in 5.5 hours. The hard part is having a disk big enough to hold all the possible password / hash pairs and bandwidth enough to write all that data to disk. That's why most people consider maintaining a table of all possible 16-char passwords unfeasible. It is the difficulty of generating the information, it's the storage capacity required to maintain it. That's why, as I said, the bad guys like stealing passwords by the millions. They use those lists of actual passwords as the starting point for making their own rainbow tables. Also, as I've implied, Windows did not use a Salt value in their 2000 server / XP / 2003 server password algorithm. That is a huge part of what makes these brute force attacks so doable. Greg
On 08/12/2014 03:03 PM, Greg Freemyer wrote:
Custom cracking chips are great, but the modern way is to use a GPU (or collection of GPUs).
I believe I had previously mentioned that. However one might, say as a graduate student project, legitimately get this multicore and 're-purpose' it at evenings and weekends.
That's why most people consider maintaining a table of all possible 16-char passwords unfeasible. It is the difficulty of generating the information, it's the storage capacity required to maintain it.
See my other note about bean counters and truncation. I've no doubt that a black budget organization could afford all that disk space :-) -- /"\ \ / ASCII Ribbon Campaign X Against HTML Mail / \
On 08/12/2014 01:47 PM, Greg Freemyer wrote:
My belief/assumption is it doesn't take long to brute-force a short password regardless of the encryption used. I use 4 chars for throw-away sites - 8 chars for sites I care about, but not that much (facebook / linked-in). 18 chars for things I really care about.
With a 18 char password, even the weakest encryption scheme should be relatively secure unless your password is in a rainbow table. Therefore, my 18 char passwords are also passwords I'm guessing no one else in the world is using.
I'm sorry, Greg but I'm going to burst your pretty balloon again. Your logic is impeccable. Until it meets the real world. In the real world there are sites that store your password in clear text. Perhaps it's so they can send it back to you when you click in the "I forgot my password" button. Perhaps they think that sending it to your registered email address is secure enough. Even if they do send it in clear text. Just like some mailing list managers send a monthly reminder of your password. In clear text. By email. In the real world there are sites that will truncate your 18 character password to perhaps 8 characters. Anyway, they aren't storing all 18. Their bean counters figure that the amount of disk space they save by having fixed short fields for passwords .... Oh, and they don't tell you they've truncated it. Just like those sites that map all your lower case to upper case, and don't tell you. Or won't let you use punctuation characters in the set [';()<>] See http://xkcd.com/327/ as to why. The real problem is not your password, it's the sites out there. -- /"\ \ / ASCII Ribbon Campaign X Against HTML Mail / \
On Tue, Aug 12, 2014 at 2:28 PM, Anton Aylward <opensuse@antonaylward.com> wrote:
On 08/12/2014 01:47 PM, Greg Freemyer wrote:
My belief/assumption is it doesn't take long to brute-force a short password regardless of the encryption used. I use 4 chars for throw-away sites - 8 chars for sites I care about, but not that much (facebook / linked-in). 18 chars for things I really care about.
With a 18 char password, even the weakest encryption scheme should be relatively secure unless your password is in a rainbow table. Therefore, my 18 char passwords are also passwords I'm guessing no one else in the world is using.
I'm sorry, Greg but I'm going to burst your pretty balloon again.
Your logic is impeccable. Until it meets the real world.
In the real world there are sites that store your password in clear text. Perhaps it's so they can send it back to you when you click in the "I forgot my password" button.
Perhaps they think that sending it to your registered email address is secure enough. Even if they do send it in clear text.
Just like some mailing list managers send a monthly reminder of your password. In clear text. By email.
In the real world there are sites that will truncate your 18 character password to perhaps 8 characters. Anyway, they aren't storing all 18. Their bean counters figure that the amount of disk space they save by having fixed short fields for passwords ....
Oh, and they don't tell you they've truncated it. Just like those sites that map all your lower case to upper case, and don't tell you.
Or won't let you use punctuation characters in the set [';()<>] See http://xkcd.com/327/ as to why.
The real problem is not your password, it's the sites out there.
I agree with your real world, but I'm arguing you need a password algorithm that at a minimum can and does use at least 18 chars of password info and you need to actually have an obscure 18-char (or longer) password. With those 2 minimum features, the use of salt or highly sophisticated encryption algorithms seems much less important. Greg
On 08/12/2014 03:06 PM, Greg Freemyer wrote:
The real problem is not your password, it's the sites out there.
I agree with your real world, but I'm arguing you need a password algorithm that at a minimum can and does use at least 18 chars of password info and you need to actually have an obscure 18-char (or longer) password.
As I said earlier in this thread, I have no problem with long pass-Phrases. I just think that most sites out there will mangle or truncate them, so rendering them irrelevant.
With those 2 minimum features, the use of salt or highly sophisticated encryption algorithms seems much less important.
OTS software to apply salting and modern/strong irreversible hashes are cheap and easy. That they are also easy to misapply if you have people grabbing them as FOSS without understanding how to set up web services, databases and FOSS experience is something we have little to no control over. *sigh* -- A distracted figure with a huge bushy beard blunders in just as you speak the word of ancient magic. The man wears loose clothing, and an expression of intense concentration. He is clutching his frizzy hair with one hand; his other hand grips an intricate grid - the object of his attention. His eyes brighten the word you've spoken reaches his ears. "Yes! Yes! That's it!" he exclaims as he draws out a pen and fills in a row of squares. "Now my hyperconstrained, double-acrostic, cryptic crossword is complete, and ready to puzzle others. That was all I needed - just a simple five-letter word, composed only of the letters 'X' 'Y' and 'Z,' that would fit here!" He grips your hand and shakes it fervently. "Thank you! Now that I've finished with that, I can get on to those other things I've been meaning to do, such as monkey-wrenching the demolition and saving recreational linguistics for future generations." He turns away and mutters, just before he departs, "I hope none of that will involve lying in front of a bulldozer..."
On Tuesday, 2014-08-12 at 14:28 -0400, Anton Aylward wrote:
Just like some mailing list managers send a monthly reminder of your password. In clear text. By email.
All the home routers I have used need a password - which you enter via plain http.
Oh, and they don't tell you they've truncated it. Just like those sites that map all your lower case to upper case, and don't tell you.
Or won't let you use punctuation characters in the set [';()<>]
I hit one that did accept them, then broke down. I think I saw some database error on my browser. I had to contact their support, and they were baffled. I commented in passing that I was using those chars for my password - and they said something like "Doh! You can not use those". They had /forgotten/ to check for valid chars on the registration form. So they reset my account.
See http://xkcd.com/327/ as to why.
LOL! :-)
The real problem is not your password, it's the sites out there.
I know some people that use the exact same 4 digit "password" on all the places, from credit card pin to google. -- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On 08/12/2014 09:23 PM, Carlos E. R. wrote:
I know some people that use the exact same 4 digit "password" on all the places, from credit card pin to google.
In one sense I can't say I blame them. You've recounted a good example of the ISP/database people being idiots. I too have encountered a site just recently that allowed ':' but not ';' and didn't say anything when I entered a password with a ';'. Not until I pressed 'submit', and then it said 'passwords don't match'. Which wasn't the error. So I installed that plugin for Firefox that makes password fields visible and verified that both fields had the same, EXACTLY the same, and it still said that. The support people did not understand why it wasn't working. They did not know about this quirk. As it turned out neither did the web site admin nor the database people, because this was a commercial package they had bought. No-one had actually RTFM. While they pressured me into using some other password I did so only on condition they sent up a bug report to the vendor. The original developers had long since left the vendor's employ and this baffled them for about a week. I happened across that cartoon and wondered, so I sent a copy to the ISP support and they sent it to vendor support. At first vendor support, so I'm told, dismissed it as "That can't possibly be what's wrong". Then someone did test it and LO! All this time that site, every site using that vendor's software, had been vulnerable to SANS' #1 vulnerability: SQL injection. http://cwe.mitre.org/top25/index.html#Listing That and buffer overflow have been at the top for a couple of decades now. http://www.infosecurity-magazine.com/news/sql-injection-most-dangerous-threa... http://www.infosecurity-magazine.com/news/more-than-8-in-10-software-applica... <quote> The latest State of Software Security Report captures data collected over the past 18 months from the analysis of 9,910 applications (compared to 4,835 applications in Volume 3) that were submitted to Veracode’s cloud-based application security testing platform.
For web applications, the report found a high concentration of cross-site scripting and SQL injection vulnerabilities, with cross-site scripting present in 68% of all web applications and SQL injection present in 32% of all web applications. Those vulnerabilities were found to affect a higher percentage of U.S. government web applications than private industry. The survey found that 75% of government applications had cross-site scripting issues compared to 67% for the finance sector and 55% for the software sector; 40% of government applications had SQL injection issues, compared to 29% for finance and 30% for software. </quote> Given figures like that it's no wonder hackers steal millions of account entries. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
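The punctuation failure recounted in this thread (a password containing characters from the set [';()<>] breaking the site's database layer), as an added example that is not part of the original posts: the same registration written with string concatenation and with a parameterized query. The table layout, function names and sample password are assumptions made for the illustration.

```python
import sqlite3

# Constructed sample input: a password using the punctuation set quoted in the thread.
PASSWORD = "o'brien;(x)<>"


def make_db():
    """In-memory database with a hypothetical accounts table."""
    db = sqlite3.connect(":memory:")
    # A real site would store a salted hash; the raw secret is kept here only
    # so that the quoting failure is visible.
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, secret TEXT)")
    return db


def register_concat(db, username, secret):
    """The 'before': user input is pasted into the SQL text.

    A single quote in the input ends the string literal early, so the rest of
    the password is parsed as SQL. Here that is only a syntax error; the same
    flaw is what makes the statement injectable.
    """
    sql = "INSERT INTO accounts (username, secret) VALUES ('%s', '%s')" % (
        username,
        secret,
    )
    db.execute(sql)


def register_param(db, username, secret):
    """The fix: placeholders keep data out of the SQL text entirely."""
    db.execute(
        "INSERT INTO accounts (username, secret) VALUES (?, ?)",
        (username, secret),
    )


def try_register(fn, db, username, secret):
    """Return True if the registration statement ran, False if the DB rejected it."""
    try:
        fn(db, username, secret)
        return True
    except (sqlite3.Error, sqlite3.Warning):
        return False


def demo():
    db = make_db()
    concat_ok = try_register(register_concat, db, "user_a", PASSWORD)
    param_ok = try_register(register_param, db, "user_b", PASSWORD)
    row = db.execute(
        "SELECT secret FROM accounts WHERE username = ?", ("user_b",)
    ).fetchone()
    return {
        "concat_ok": concat_ok,
        "param_ok": param_ok,
        "stored": row[0] if row else None,
    }


if __name__ == "__main__":
    print(demo())
```

With placeholders there is no need to forbid punctuation in passwords at all; a character blacklist on the form only hides the underlying query-building flaw.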
On 2014-08-12 at 22:05 -0400, Anton Aylward wrote:
On 08/12/2014 09:23 PM, Carlos E. R. wrote:
I know some people that use the exact same 4 digit "password" on all the places, from credit card pin to google.
In one sense I can't say I blame them.
I would at least use a different password for important sites, and another for non-important, non-money-involved sites. The danger here is that if some bad guy gets the password list of a site with low security, he immediately will try those same passwords and matching users lists on other sites, important sites like say, banks, and get access on a percent of users, because they know of this "one password for all" practice. And they hit gold, of course.
You've recounted a good example of the ISP/database people being idiots. I too have encountered a site just recently that allowed ':' but not ';' and didn't say anything when I entered a password with a ';'. Not until I pressed 'submit', and then it said 'passwords don't match'. Which wasn't the error.
Yes, about the same thing that happened to me.
they had bought. No-one had actually RTFM.
Provided the FM does say about this...
While they pressured me into using some other password I did so only on condition they sent up a bug report to the vendor. The original developers had long since left the vendor's employ and this baffled them for about a week.
That's another issue. They hire someone to do the developing, but then don't keep at least some of the same people to do the maintenance. And often they pay ridiculously low wages, so they get what they paid for.
I happened across that cartoon and wondered, so I sent a copy to the ISP support and they sent it to vendor support. At first vendor support, so I'm told, dismissed it as "That can't possibly be what's wrong". Then someone did test it and LO!
LOL :-) I must do that sometime. I would need a translated cartoon, though ;-)
Given figures like that it's no wonder hackers steal millions of account entries.
Sigh. -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 08/14/2014 04:40 AM, Carlos E. R. wrote:
On 2014-08-12 at 22:05 -0400, Anton Aylward wrote:
On 08/12/2014 09:23 PM, Carlos E. R. wrote:
I know some people that use the exact same 4 digit "password" on all the places, from credit card pin to google.
In one sense I can't say I blame them. I would at least use a different password for important sites, and another for non-important, non-money-involved sites.
The danger here is that if some bad guy gets the password list of a site with low security, he immediately will try those same passwords and matching users lists on other sites, important sites like say, banks, and get access on a percent of users, because they know of this "one password for all" practice. And they hit gold, of course.
You know the risk. I know the risk. Quite probably the people I speak of know the risk. But it is RISK. They trade the "It won't happen to me" off against the frustration of the poor service and support they get and their technological ignorance. While the likes of Thee and Mee might not actually *be* techno-geeks, we can play one in emulation mode, so we know about password stores and tricks for remembering long pass<strike>words</strike>phrases. We may not be malicious hackers either but that is also something we can play in emulation mode, as you illustrate above, and say to ourselves "Ah, right, I better not do that" because for the likes of Thee and Mee using a password manager and longer passwords is a reflex action. http://www.cnet.com/news/to-stop-security-breaches-kill-the-username-and-password/?tag=nl.e404&s_cid=e404&ttag=e404&ftag=CAD1acfa04 Earlier in this thread IIR someone mentioned a colleague who believed that shorter passwords were more secure. *Our* reaction was 'how wrong headed'. But some people have the strangest beliefs. I won't say more lest someone complains to Henne again, but there's plenty of evidence to that end. The trouble is that all too often our efforts to educate these people who indulge in what we consider to be high risk activities and practices seem to react as if we are criticizing their core being rather than something they do, and passionately defend their stance. It may be their choice of cell phone, tablet or computer, their clothing and body decoration, the music they listen to, the car they drive, how they educate their kids, the nation they live in or their justification for carrying more weapons than some serving militiamen. Or that other matter I better not speak of if I want Henne to allow me to continue posting. That some people *do* survive such high-risk activities just makes them more obdurate. At that point it's not about risk any more, it's about ego.
When I'm actively engaged as a consultant I feel that I am duty bound to give my client his/her money's worth by making the risk and the cost of remediation or alternate practice quite clear. In many cases, and this thread is illustration one, the differential cost in behaviour is close to zero. Which is the point we are trying to make. And the threat is increasing as more business and social activities move to the 'Net. That includes even trivial things like reserving books at the library. But I'm not going to get in a lather if, while attending the library in physical presence to collect a dead-leaves book I encounter someone defending short passwords or using the same password for all the sites that are, in his judgement, "non-critical"; like the library. I'd rather spend that time reading the book. YMMV. -- /"\ \ / ASCII Ribbon Campaign X Against HTML Mail / \
On Tue, Aug 12, 2014 at 1:47 PM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
On Tue, Aug 12, 2014 at 1:07 PM, Anton Aylward <opensuse@antonaylward.com> wrote:
Now I admit that given enough computing power even one-way salted encryption might not be enough. Encryption has always been a catch-up game, but SHA-2 or SHA3 in 512 bit mode should hold against all except the NSA (and overseas equivalents) and botnets-of-GPUs.
My ignorance is showing.
Even with the best one-way salted encryption how long does it take to crack a password if it is only 5 chars long?
My belief/assumption is it doesn't take long to brute-force a short password regardless of the encryption used. I use 4 chars for throw-away sites - 8 chars for sites I care about, but not that much (facebook / linked-in). 18 chars for things I really care about.
Anton pointed me at: http://en.wikipedia.org/wiki/Salt_%28cryptography%29#Benefits It implies the salt is basically an open secret, but unique to each user. Thus a brute force attack takes exactly the same amount of time for a salted or un-salted password system. The difference is that a rainbow table attack is defeated by a good, long, random salt. On the other-hand, the system I linked to before (http://www.techspot.com/news/51044-25-gpu-cluster-can-brute-force-windows-pa...) can brute force the full 16-char password space of Windows 2003 in 5.5 hours. So even if you took the windows NTLM algorithm and added a proper salt feature, any single 16-char or shorter password could be cracked in 5 1/2 hours or less. That may be fine for most things we secure, but if you have a secret you truly want to secure from targeted bad actors, a 16-char password is simply not long enough anymore. My personal recommendation of 18-chars is even sounding too short. Greg
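The two salt properties discussed in this thread (a precomputed table stops matching once each user has a random salt, and a known salt does nothing to slow a per-hash brute force of a short password), as an added example that is not part of the original posts. A plain hash-to-password dictionary stands in for a rainbow table, single-round SHA-256 stands in for the site's hash, and the user names, passwords and word list are constructed.

```python
import hashlib
import hmac
import itertools
import os
import string

# Constructed sample data: a tiny "common passwords" list and three accounts.
COMMON = ["123456", "password", "letmein", "qwerty", "dragon"]
USERS = {"alice": "letmein", "bob": "letmein", "carol": "zq7"}


def unsalted(pw):
    # Single-round SHA-256 is used only to keep the demo fast; real password
    # storage uses a deliberately slow KDF (bcrypt, scrypt, PBKDF2, Argon2).
    return hashlib.sha256(pw.encode()).hexdigest()


def salted(pw, salt):
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def build_lookup(words):
    """Precompute hash -> password once; reusable against any unsalted dump."""
    return {unsalted(w): w for w in words}


def crack_with_lookup(dump, lookup):
    """Match stolen hashes against the precomputed table."""
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


def brute_force_salted(target, salt, alphabet, max_len):
    """Exhaustive search of one hash; the salt is stored beside it, so known."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            candidate = "".join(combo)
            if hmac.compare_digest(salted(candidate, salt), target):
                return candidate
    return None


def demo():
    lookup = build_lookup(COMMON)
    plain_dump = {u: unsalted(p) for u, p in USERS.items()}
    salts = {u: os.urandom(16) for u in USERS}  # one random salt per user
    salted_dump = {u: salted(p, salts[u]) for u, p in USERS.items()}
    return {
        # Unsalted: identical passwords share a hash and the table hits both.
        "unsalted_hits": crack_with_lookup(plain_dump, lookup),
        "same_hash_unsalted": plain_dump["alice"] == plain_dump["bob"],
        # Salted: the same table finds nothing, and equal passwords differ.
        "salted_hits": crack_with_lookup(salted_dump, lookup),
        "same_hash_salted": salted_dump["alice"] == salted_dump["bob"],
        # A 3-character password still falls to per-hash search (47,988 tries).
        "short_pw_recovered": brute_force_salted(
            salted_dump["carol"],
            salts["carol"],
            string.ascii_lowercase + string.digits,
            3,
        ),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Salt forces the work to be redone per account; resistance to the per-hash search comes from password length and a slow hash function.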
On 08/12/2014 03:30 PM, Greg Freemyer wrote:
So even if you took the windows NTLM algorithm and added a proper salt feature, any single 16-char or shorter password could be cracked in 5 1/2 hours or less.
The important thing you are saying here is "windows NTLM". I've mentioned web sites with poor security. If the hacker can grab the site's database giving him both the hashed password AND the individual salt AND the algorithm then ... FINIS! But if the whole code is mucked up and inadequate, broken by design, as you described this earlier, then salt is .... Lipstick on a Pig. Five hours or less ... Maybe not even that.
That may be fine for most things we secure, but if you have a secret you truly want to secure from targeted bad actors, a 16-char password is simply not long enough anymore. My personal recommendation of 18-chars is even sounding too short.
Poetry man. Engineers may think that their high school English Lit classes were a waste, but LO! We now have an application for all that poetry! -- /"\ \ / ASCII Ribbon Campaign X Against HTML Mail / \
On Tue, Aug 12, 2014 at 3:30 PM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
So even if you took the windows NTLM algorithm and added a proper salt feature, any single 16-char or shorter password could be cracked in 5 1/2 hours or less.
That may be fine for most things we secure, but if you have a secret you truly want to secure from targeted bad actors, a 16-char password is simply not long enough anymore. My personal recommendation of 18-chars is even sounding too short.
Greg
This is interesting, and worrying, as far as it goes. One of the guys I work with insists that passwords must have easy to remember patterns, and be no more than 7 characters. He says shorter is better. I have told him repeatedly that using such passwords makes his systems vulnerable; but then he starts ranting about idiots forgetting the reasonably secure passwords and the soaring costs of customer support. I wonder how the situation changes if you add client side certificates. Leaving aside the logistics of securely distributing the client side certificate (and the sometimes vain hope that the CA will sign them with a decent algorithm, like sha512, instead of the compromised MD5), can one be secure if one uses a client side certificate in addition to a strong password? Can a client side certificate be passphrase protected? And, if so, I assume the browser would ask for that passphrase before sending the certificate to the server requesting it: right? But this would presuppose the operator of the website in question cares enough about security to configure his server to insist on receiving a client side certificate before providing access to anything like a login page. Then, I suppose there isn't much one can do if the website operator doesn't do much to ensure security is handled well. Cheers Ted -- R.E.(Ted) Byers, Ph.D.,Ed.D.
On Tue, Aug 12, 2014 at 3:53 PM, Ted Byers <r.ted.byers@gmail.com> wrote:
On Tue, Aug 12, 2014 at 3:30 PM, Greg Freemyer <greg.freemyer@gmail.com> wrote:
So even if you took the windows NTLM algorithm and added a proper salt feature, any single 16-char or shorter password could be cracked in 5 1/2 hours or less.
That may be fine for most things we secure, but if you have a secret you truly want to secure from targeted bad actors, a 16-char password is simply not long enough anymore. My personal recommendation of 18-chars is even sounding too short.
Greg
This is interesting, and worrying, as far as it goes. One of the guys I work with insists that passwords must have easy to remember patterns, and be no more than 7 characters. He says shorter is better. I have told him repeatedly that using such passwords makes his systems vulnerable; but then he starts ranting about idiots forgetting the reasonably secure passwords and the soaring costs of customer support.
Show him this website: http://www.onlinehashcrack.com/ I've never used it, but it claims to crack 7 char and shorter passwords for free for various password algorithms. It doesn't discuss using a salt, so I'm guessing it can't handle situations that use a salt. As I've said, for windows, LM doesn't use a salt and it was enabled by default all the way up to MS Server 2003. It has a $5 charge for longer passwords. You should at least put a few password hashes in there and see if it can pop out the real password. The next step up was NTLM. It is claimed to be fully breached even without getting access to the hash database: http://markgamache.blogspot.com/2013/01/ntlm-challenge-response-is-100-broke... As I understand it, lots of Samba setups still use NTLM as the password protocol. I repeat, per that blog post you can breach NTLMv1 without having root/administrator access. They are just sniffing the cat5 connection to get the data they need. NTLMv2 is more secure, but if a bad guy can get the SAM (where the hashes are kept), I believe individual passwords can be cracked in 5 1/2 hours by the box I linked to.
I wonder how the situation changes if you add client side certificates. Leaving aside the logistics of securely distributing the client side certificate (and the sometimes vain hope that the CA will sign them with a decent algorithm, like sha512, instead of the compromised MD5), can one be secure if one uses a client side certificate in addition to a strong password? Can a client side certificate be passphrase protected? And, if so, I assume the browser would ask for that passphrase before sending the certificate to the server requesting it: right? But this would presuppose the operator of the website in question cares enough about security to configure his server to insist on receiving a client side certificate before providing access to anything like a login page.
Then, I suppose there isn't much one can do if the website operator doesn't do much to ensure security is handled well.
Cheers
Ted
Sorry, beyond my knowledge base, but I would hope certificates put you into a much better security posture. I'm sure it matters which class of certificates you are talking about. Greg
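The salt point raised in the message above, as an added example that is not part of the original thread: one precomputed table recovers every unsalted digest of a listed password, while per-user salted records of the same password do not match the table or each other. The account names, candidate list, the use of SHA-256 as a stand-in for an unsalted fast hash, and the PBKDF2 iteration count are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: two accounts share one weak password.
ACCOUNTS = {"alice": "summer7", "bob": "summer7", "carol": "correct horse battery"}
# Constructed candidate list standing in for a precomputed lookup table.
CANDIDATES = ["123456", "password", "summer7", "letmein"]
PBKDF2_ITERATIONS = 200_000  # assumption: tune to your own hardware budget


def unsalted_digest(password):
    """Fast unsalted hash; SHA-256 is a stand-in for LM/NTLM-style storage."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, key = record
    guess = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(guess, key)


def table_lookup(stored_hex):
    """Build the table once, then reuse it against every stored digest."""
    table = {unsalted_digest(p): p for p in CANDIDATES}
    return {user: table[d] for user, d in stored_hex.items() if d in table}


def audit():
    unsalted = {u: unsalted_digest(p) for u, p in ACCOUNTS.items()}
    salted = {u: salted_record(p) for u, p in ACCOUNTS.items()}
    salted_hex = {u: key.hex() for u, (_, key) in salted.items()}
    return {
        "table_hits_unsalted": table_lookup(unsalted),
        "same_digest_unsalted": unsalted["alice"] == unsalted["bob"],
        "table_hits_salted": table_lookup(salted_hex),
        "same_key_salted": salted["alice"][1] == salted["bob"][1],
    }


if __name__ == "__main__":
    for name, value in audit().items():
        print(name, value)
```

A salt removes the reuse of precomputed work across accounts; it does not rescue a short password, since guesses can still be run against one record's own salt, which is where the slow KDF's per-guess cost matters.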
On 8/12/2014 12:30 PM, Greg Freemyer wrote:
On the other-hand, the system I linked to before (http://www.techspot.com/news/51044-25-gpu-cluster-can-brute-force-windows-pa...) can brute force the full 16-char password space of Windows 2003 in 5.5 hours.
You should have read all the way to the bottom of that article where it points out:
It's worth pointing out that this method typically only applies to offline attacks due to the fact that most websites limit the number of incorrect password guesses before either locking the account down or enforcing a waiting period.
When each possible decryption MUST BE TESTED, it really doesn't matter how fast your hardware is. UNLESS of course the decryption yields mountains of gibberish except for the ONE decryption that stands out clearly: DogKilledByApe,News@11 -- _________________________________ ---This space for rent---
On Tue, Aug 12, 2014 at 4:14 PM, John Andersen <jsamyth@gmail.com> wrote:
On 8/12/2014 12:30 PM, Greg Freemyer wrote:
On the other-hand, the system I linked to before (http://www.techspot.com/news/51044-25-gpu-cluster-can-brute-force-windows-pa...) can brute force the full 16-char password space of Windows 2003 in 5.5 hours.
You should have read all the way to the bottom of that article where it points out:
It's worth pointing out that this method typically only applies to offline attacks due to the fact that most websites limit the number of incorrect password guesses before either locking the account down or enforcing a waiting period.
I read that part. I've been talking about offline attacks the entire time. They are easy to do. Take a look at John from the openSUSE distro: http://software.opensuse.org/package/john It is an offline cracker that you provide a hash and it gives back the password. Offline cracking is the norm. The hard part is getting the hashed password database, but breaches that give access to the hashed password databases happen all the time. FYI: from http://www.openwall.com/john/doc/ === Out of the box, John supports (and autodetects) the following Unix crypt(3) hash types: traditional DES-based, "bigcrypt", BSDI extended DES-based, FreeBSD MD5-based (also used on Linux and in Cisco IOS), and OpenBSD Blowfish-based (now also used on some Linux distributions and supported by recent versions of Solaris). Also supported out of the box are Kerberos/AFS and Windows LM (DES-based) hashes, as well as DES-based tripcodes. When running on Linux distributions with glibc 2.7+, John 1.7.6+ additionally supports (and autodetects) SHA-crypt hashes (which are actually used by recent versions of Fedora and Ubuntu), with optional OpenMP parallelization (requires GCC 4.2+, needs to be explicitly enabled at compile-time by uncommenting the proper OMPFLAGS line near the beginning of the Makefile). Similarly, when running on recent versions of Solaris, John 1.7.6+ supports and autodetects SHA-crypt and SunMD5 hashes, also with optional OpenMP parallelization (requires GCC 4.2+ or recent Sun Studio, needs to be explicitly enabled at compile-time by uncommenting the proper OMPFLAGS line near the beginning of the Makefile and at runtime by setting the OMP_NUM_THREADS environment variable to the desired number of threads). John the Ripper Pro adds support for Windows NTLM (MD4-based) and Mac OS X 10.4+ salted SHA-1 hashes.
"Community enhanced" -jumbo versions add support for many more password hash types, including Windows NTLM (MD4-based), Mac OS X 10.4-10.6 salted SHA-1 hashes, Mac OS X 10.7 salted SHA-512 hashes, raw MD5 and SHA-1, arbitrary MD5-based "web application" password hash types, hashes used by SQL database servers (MySQL, MS SQL, Oracle) and by some LDAP servers, several hash types used on OpenVMS, password hashes of the Eggdrop IRC bot, and lots of other hash types, as well as many non-hashes such as OpenSSH private keys, S/Key skeykeys files, Kerberos TGTs, PDF files, ZIP (classic PKZIP and WinZip/AES) and RAR archives. Unlike older crackers, John normally does not use a crypt(3)-style routine. Instead, it has its own highly optimized modules for different hash types and processor architectures. Some of the algorithms used, such as bitslice DES, couldn't have been implemented within the crypt(3) API; they require a more powerful interface such as the one used in John. Additionally, there are assembly language routines for several processor architectures, most importantly for x86-64 and x86 with SSE2. ===
When each possible decryption MUST BE TESTED, it really doesn't matter how fast your hardware is. UNLESS of course the decryption yields mountains of gibberish except for the ONE decryption that stands out clearly: DogKilledByApe,News@11
I don't think you understand the process. If 50 strange passwords and 1 human readable password (DogKilledByApe,News@11) all hash to the same thing, then they are _all_ valid passwords. All the algorithm cares about is that the password you entered hashes to the right value. It doesn't actually know what the original password was. Thus, there is no "testing" required. You just get the first one the off-line crack pops out and you use it. Greg
On August 12, 2014 5:42:09 AM PDT, Anton Aylward <opensuse@antonaylward.com> wrote:
On 08/12/2014 03:14 AM, ellanios82 wrote:
I keep saying Context is Everything and that applies here too.
_______________________
- Thank you,
Because, one needs so many user-names and passwords : My.Yahoo, Google, Bank, etc., etc. : until now it had seemed reasonable to keep in text-file
Eh?
Sorry, no, I don't think that it does.
If you use a modern browser it has the ability to remember login. There are a number of plugins for Firefox to do this.
In addition there are specific password managers for Linux in a variety of flavours.
. . . but one reads frightening stuff like hackers scooping millions of passwords
Which journalists play into headlines. Someone drilled down on that and found many of those "millions" were actually garbage.
Why? Do you have reason to think that *your* passwords have been stolen, are among them?
To my mind, protecting the password store on *your* machine is of little use if the sites you visit are vulnerable. Perhaps they have you enter your password over a plain http connection, not https. Perhaps they store your password in cleartext in their database. Heck it makes more sense for hackers to attack some sites that have those millions of passwords, many by people who use the same password on all accounts, than to target users individually.
Really, it's about Risk management and some *sites* are the risk.
Consider the ones, for example that only allow 8 character passwords and ignore case. Yes there are still many of those around.
: thus, it seemed not excessive to think about using PGP to encrypt that text-file
: this text-file might have to be decrypted and again re-encrypted several times a day
Seems very wrong headed to me.
- but, perhaps this is not a good way
Damn right! Lots of limits on how to 'automatically' create, store, import etc. Lots of manual intervention needed, as you point out. Very much the old 1980's "Classic UNIX" way of doing it. Sad to say but MS-Windows and its emphasis on GUI-ness has shown this to be antiquated.
: maybe an Linux specialized password-wallet is a better way to consider ?
Like Kwallet if you are using KDE? Keyring if you are using Gnome?
But the example you gave above makes me think that a store integrated with your browser makes more sense.
http://www.techradar.com/news/software/applications/8-of-the-best-linux-pass...
Probably the most popular is http://www.keepassx.org/
What's interesting about this http://sourceforge.net/projects/passwordsafe/ is <quote> PasswordSafe lets you create different groups such as blogs, forums, wikis and the like. You can then assign entries to any of these groups. You can define the settings for the password generator in the last tab – things like the number of characters, or what combination of lower-case/uppercase letters and numbers to use. </quote>
-- "...there is no reason anyone would want a computer in their home." Ken Olson, President, Chairman, and Founder of DEC, 1977
Browser plugins? OS based password vaults.? Are ye daft man? It's not 1998 any more. Not everyone does everything at their computer any more. Your passwords have to travel with you. With the pace that Linux adopts and then abandons packages, it's crazy to suggest putting anything of value into kde or gnome's password managers. If the hard drive failure doesn't get you the next release surely will. And your next trip through customs can get your laptop seized and held for months, holding your only copy of your passwords to say nothing of thieves. I reach for my phone or my tablet 5 times a day for password lookup. You need a password vault that syncs. Across several platforms. And one which does that even when you forget to do it. -- Sent from my Android phone with K-9 Mail. Please excuse my brevity.
On 08/12/2014 12:45 PM, John Andersen wrote:
Browser plugins? OS based password vaults.?
Are ye daft man?
No, John, I'm trying to lead ellanios along gently. I'm trying to respect that *she* does work at her desktop and that those DM or Browser integrated tools are the next step. Then I'd point out to her that there are browser integrated tools that 'sync' so that she can access them from Windows and other machines... And when she's comfortable with that I'll talk to her about what you propose. And maybe later on, when you USA-ans have finally universally adopted chip-and-pin at your store checkouts, I'll discuss using NFC for authentication and authorization. Heck, I'm not some geeky futurist. I'm not trying to induce systemic shock. I've had enough problems recently trying to drag a couple of government project managers out of the 1960s... -- /"\ \ / ASCII Ribbon Campaign X Against HTML Mail / \
On 8/12/2014 10:14 AM, Anton Aylward wrote:
On 08/12/2014 12:45 PM, John Andersen wrote:
Browser plugins? OS based password vaults.?
Are ye daft man?
No, John, I'm trying to lead ellanios along gently. I'm trying to respect that *she* does work at her desktop and that those DM or Browser integrated tools are the next step.
Then I'd point out to her that there are browser integrated tools that 'sync' so that she can access them from Windows and other machines...
And when she's comfortable with that I'll talk to her about what you propose.
And maybe later on, when you USA-ans have finally universally adopted chip-and-pin at your store checkouts, I'll discuss using NFC for authentication and authorization.
Heck, I'm not some geeky futurist. I'm not trying to induce systemic shock. I've had enough problems recently trying to drag a couple of government project managers out of the 1960s...
Well I must admire your mentoring spirit. It never occurred to me to assume I was dealing with a specific gender, email-addresses being unreliable indicators in the modern era, nor did I assume there was any reason to "lead her/him along gently". After all, figuring out kgpg and tool use suggested more than a novice was at work here. OT: As for Chip and Pin, rushing to that obsolete standard isn't a wise idea. You have to understand that the reason it was adopted in Europe was because their telecom networks at the time (early 2000s) were so inadequate that just getting through on a dialup verification station could take half an hour. Further, chip and pin has not been a panacea to knock down credit card fraud in the countries that have adopted it. EU fraud rate always was about .14% of transactions vs US fraud rate of .05%. 20 years of chip and pin and large parts of the EU still have not done better than the then, and current, US credit card fraud rate of around .052%. See
http://www.theguardian.com/news/datablog/2014/aug/06/european-card-reached-n...
http://www.cardhub.com/edu/credit-debit-card-fraud-statistics/
Ars had an article about this:
http://arstechnica.com/business/2014/08/chip-based-credit-cards-are-a-decade...
The US will probably adopt chip and pin, not because it is a good idea, simply because it is being pushed by the EU, and we are taught to believe everything from the EU is superior and more advanced these days. -- _____________________________________ ---This space for rent---
On 08/12/2014 11:02 PM, John Andersen wrote:
Well I must admire your mentoring spirit. It never occurred to me to assume I was dealing with a specific gender
- my wife does not have a mustache & beard [ i do ] ................. - anyways : thanks for the help : appreciated ................. regards
participants (11)
- Anton Aylward
- Bob Williams
- Carlos E. R.
- Carlos E. R.
- Dylan
- ellanios82
- Greg Freemyer
- jdd
- John Andersen
- Ricardo Chung
- Ted Byers