[conspire] storing passwords

Rick Moen rick at linuxmafia.com
Fri Mar 31 17:30:45 PDT 2017


Quoting Paul Zander (paulz at ieee.org):

> Well the pattern I use you could probably break with N=1 samples.  My
> thought is that when passwords are "stolen", they probably go into a
> database where a simple computer software can give a lot of "benefit"
> to the thief by just using the passwords as is, combined with a lot of
> people using same login and password in many places.  Why go to the
> bother of even attempting to "derive a pattern"?  

I can only say:  Adjust your approach to suit your personal level of
paranoia -- and don't assume you're not worth (the bad guys) bothering
with unless you're rather sure.

Most attacks on user credentials can be expected to be the automated
kind, which implies not very adaptable, but don't underestimate them.
For example, malware able to gain user-level authority on your computing
device (and this includes JavaScript snippets you shouldn't have run) can
be expected (if able) to mine your device activity history for outgoing
access activity, usernames employed, and (if preserved) security token
use -- and then convey that information to the bad guys.

The classic old-school example of this was:  You sshed into a shared
server that, unbeknownst to you, has had a trojaned /usr/bin/ssh client
program (or called library) installed.  You then, unknowing, conduct
outbound ssh or scp activity to a variety of other hosts.  All tokens,
credentials, and remote-host identities you expose to the trojaned SSH
client will get logged and delivered to the bad guys.  (That much is
certain to be totally automated, these days.  The further abuse of your
exposed information might not be.)

Please note that this form of information exposure is not defeated by
using differing usernames and unpredictable passwords, nor by eschewing
passwords and sticking to ssh keypairs -- but nonetheless sticking to
passwords (or other credentials) unique to each system and never reused
across systems will at least help limit the damage to _just_ those lost
credentials.

As to personal level of paranoia, I tend to err on the side of 'Make
security compromise effectively impossible everywhere you can', as
having fewer things to worry about simplifies my life.
