[conspire] Password permutations

paulz at ieee.org paulz at ieee.org
Sat Apr 18 11:29:08 PDT 2020


 Good point about writing down passwords.

I have a different background than many of you.  Currently I am only the sysadmin for my several personal computers, none is a server to the outside world.  If this lock down continued for a lot longer I might have time to try setting that up.  Oh wait, not long ago, Rick was having problems because the company providing his physical layer didn't want to offer static IP addresses and they also wanted to get rid of the 3rd party that offered static IP.

The last time I had responsibility for a sizable system with multiple users was back before /etc/passwd was encrypted.  That was not a problem because everyone who had access to the system worked on the same project.  Time of innocence on the Internet.

I deal with passwords for the many financial and shopping accounts.  They all have rules about character sets and so forth.  Many of those businesses restrict login attempts.  I'm getting tired of looking at pictures with traffic lights.

 Lately I am noticing more and more want to use my email for my login name.  IMO, having somewhat unique log in names creates an extra difficulty for bad guys.  

Just this morning Consumer Reports on TV gave the following advice about security.  Their scenario was at the coffee shop with free WiFi.  I think most of the following do not really apply, but I invite your comments.

1.  Go to places that use a password to access the free WiFi.  Duh, if someone goes to the effort to set up a bogus network with a confusingly similar name, why wouldn't they also use the password that is posted in the coffee shop?

2.  Look for https.  If the bogus network actually connects to my bank, wouldn't I get the same certs?  How good is the encryption on the TLS, given that the network has been able to monitor all of the traffic that set up the connection?  The encryption keys do need to be exchanged, yes?

3.  Use VPN.  Ah, I believe that VPN needs to be enabled at both ends.  I haven't seen any evidence of VPN at my bank or Amazon.



    On Saturday, April 18, 2020, 2:27:55 AM PDT, Nick Moffitt <nick at zork.net> wrote:  
 
 On 17Apr2020 09:49pm (-0700), Tony Godshall wrote:
> On Thu, Apr 16, 2020 at 2:04 AM Nick Moffitt <nick at zork.net> wrote:
> > PSA: Disable ssh password access, and keep a passphrase-locked private key
> > on portable media.  This will prevent a number of "joe account" problems,
> > and simplify your threat model considerably.
> ...
> 
> Someone with access to your keyfiles *would* be able to do a
> dictionary attack, since there's no rate-limiter on that.
> 
> So preventing access to your private key on portable media becomes paramount.

I would argue that this is a much simpler threat model in this day and age.  We used to advise strongly that people never write down passwords, and that made a LOT of sense in the era of workstations in an office, where shoulder-surfing is a constant threat.  But we then scolded our grandparents for writing down passwords in the privacy of their own homes, and I feel that that misunderstood the scope of the problem.

I am currently far more worried about distributed armies of uncoordinated attackers throwing spaghetti at the walls of my systems to see what sticks than I am about targeted known-to-me attackers (with a few exceptions).  So I keep my ssh keys in offline storage that is encrypted at rest, and load the keys into RAM by hand on boot.

Even the exceptions to the category of attackers do not include people who have the resources to track me down physically and rob me in a way that would prevent me from contacting trusted parties to revoke my stolen credentials.

If I were feeling like confounding pickpocket-hackers even more, I could employ Shamir sharing and shard my keys into multiple pieces for assembly at load time.  I'm not sure the threat warrants that right now, and I'd be surprised if the benefits of such an approach outweighed the costs even under a persistent targeted threat.

_______________________________________________
conspire mailing list
conspire at linuxmafia.com
http://linuxmafia.com/mailman/listinfo/conspire