Silk Road forums

Discussion => Security => Topic started by: Banjo on May 16, 2012, 08:05 pm

Title: Simple way to make and remember secure passwords
Post by: Banjo on May 16, 2012, 08:05 pm
You need to make a very long, secure password for PGP, your truecrypt volume, your silk road login, etc... Unfortunately, very secure passwords are also hard to remember, and if you end up writing down your password, saving it on your computer, etc... then you've given up a lot of the security that password provided you.

So, here's a trick I use to make long, secure passwords that I can still easily remember.

First, take a phrase that you can remember, or better yet, 4-6 random words. Let's use a phrase for this example.

TheQuickBrownFoxJumpedOverTheLazyDogs

Next, to create your password, simply type the key above and to the left of the original letter on your keyboard.

You end up with:

%y3!78diG492hR9sU7j03e(f34%y3Oqa6E9tw

An exceptionally good password, but one that's still easy to type in. Also, you don't technically remember your password, so you can't accidentally say it in your sleep :)

If this is unclear:
a=q
b=g
c=d
d=e
e=3
f=r
g=t
etc...

By capitalizing the first letter of each word, you can introduce special characters and uppercase letters.
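The substitution Banjo describes, written out as code. This is an added example, not Banjo's own tool: it assumes a standard US ANSI QWERTY layout (other layouts give different output) and maps shifted characters to the shifted character of the target key, which is where the symbols in the example password come from. Note that it is a fixed substitution applied to the phrase, so the result has no more entropy than the phrase itself; anyone who knows the rule can apply it to a wordlist.

```python
# Added example: Banjo's "key above and to the left" substitution on a US
# QWERTY layout. Assumption: the standard US ANSI layout below; a different
# layout changes the output.

# Each physical row as (unshifted, shifted), top to bottom.
QWERTY_ROWS = [
    ("`1234567890-=", "~!@#$%^&*()_+"),
    ("qwertyuiop[]\\", "QWERTYUIOP{}|"),
    ("asdfghjkl;'", 'ASDFGHJKL:"'),
    ("zxcvbnm,./", "ZXCVBNM<>?"),
]

# Column offset of the key sitting above and to the left of column i.
# The number row is staggered half a key left of the QWERTY row, so q's
# upper-left neighbour is 1 (index 1) and e's is 3; for the lower rows the
# upper-left neighbour shares the same index (a -> q, z -> a).
UP_LEFT_OFFSET = {1: 1, 2: 0, 3: 0}


def build_table() -> dict:
    """Build the per-character substitution table from the layout."""
    table = {}
    for row in (1, 2, 3):
        for case in (0, 1):  # 0 = unshifted, 1 = shifted
            src, dst = QWERTY_ROWS[row][case], QWERTY_ROWS[row - 1][case]
            for i, ch in enumerate(src):
                j = i + UP_LEFT_OFFSET[row]
                if j < len(dst):
                    table[ch] = dst[j]
    return table


SHIFT_TABLE = build_table()


def shift_up_left(phrase: str) -> str:
    """Apply the substitution; characters with no key above-left (the number
    row, space, punctuation not on the lower three rows) pass through unchanged."""
    return "".join(SHIFT_TABLE.get(ch, ch) for ch in phrase)


if __name__ == "__main__":
    for phrase in ("TheQuickBrownFoxJumpedOverTheLazyDogs", "flipside"):
        print(f"{phrase} -> {shift_up_left(phrase)}")
```

Running it reproduces both strings used later in the thread: the example phrase becomes `%y3!78diG492hR9sU7j03e(f34%y3Oqa6E9tw` and "flipside" becomes `ro80w8e3`.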
Title: Re: Simple way to make and remember secure passwords
Post by: Raoul Duke on May 16, 2012, 08:15 pm
Very clever, I like it. have a +1 on me :)
Title: Re: Simple way to make and remember secure passwords
Post by: vlad1m1r on May 16, 2012, 08:24 pm
An excellent reworking of the classic Caesar Shift cipher, well done Banjo! A +1 from me too.

V.

Title: Re: Simple way to make and remember secure passwords
Post by: Banjo on May 16, 2012, 08:32 pm
Quote
An excellent re working of the classic Caesar Shift cipher

Have you read, "The Code Book" by Simon Singh? If not, I think you'd enjoy it, based on some of your other posts
Title: Re: Simple way to make and remember secure passwords
Post by: frank-butcher24 on May 16, 2012, 08:39 pm
I've got a lot of time for Simon Singh. Fermat's Last Theorem is a great read, and all that business with the Chiropractors. Seriously, fuck them for a bunch of pseudo-scientific, litigious fraudsters!
Title: Re: Simple way to make and remember secure passwords
Post by: Joeyjojojr on May 16, 2012, 08:45 pm
I just spell my user name backwards. But I like this method. I might change it now.
Title: Re: Simple way to make and remember secure passwords
Post by: vlad1m1r on May 16, 2012, 08:54 pm
It's my Bible my friend!

I have been trying to find a way to upload it on here to share it with the masses but no joy so far. I did write a small piece on Book Ciphers based on Singh's writings, it's a very important part of our general education :-D

V.

Title: Re: Simple way to make and remember secure passwords
Post by: Raoul Duke on May 17, 2012, 08:54 am
Quote
I just spell my user name backwards. But I like this method. I might change it now.

If that's what you do on this forum or SR I hope you changed it before posting that :o
Title: Re: Simple way to make and remember secure passwords
Post by: Joeyjojojr on May 17, 2012, 11:47 am
Quote
If that's what you do on this forum or SR I hope you changed it before posting that :o

Lol  8)
Title: Re: Simple way to make and remember secure passwords
Post by: 328502E on May 17, 2012, 06:11 pm
I like it.  Of course, now that it's out, they'll just add this cipher to the standard dictionary attack.  But honestly, 6 random words will never be cracked in the first place, so I feel pretty safe all the same.
Title: Re: Simple way to make and remember secure passwords
Post by: The_Divine on May 17, 2012, 06:26 pm
Nice method but personally I just remember one long complex password, I encrypt every password/link I need using PGP, store the encrypted content in a Tormail draft and decrypt it when I need it; that way I can just copy/paste everything I need as well, instead of typing it.
Title: Re: Simple way to make and remember secure passwords
Post by: flipside on May 18, 2012, 02:32 am
Please correct me if I am wrong, but isn't this kind of code-breaking already in their artillery? Seems pretty simple to me, considering the code breaking technology they had even back in WWII. No offense intended. It's a sincere question.

I like to pick a strange word that means absolutely nothing, fx, "gangleshplangle". Insert a few of your favorite numbers, fx, "12gangle34shplangle". Then insert some upper case/special characters making it, fx, "12g@NgLe34$hplAnGl3". Then MEMORIZE IT!!!!  ;)

Now you have a "base" password with no dictionary words, upper/lower case, special characters, and numbers.

Now when you go to sign up for, say, an SR account, you can add on to your (PERMANENT and pretty damn strong already) "base" password by adding something like "4getzin2DaSilkRoad". Then if you wanted a separate pass for the forums, just add "4getzin2DaSilkForums", etc. Add some uppers/SCs, etc. if you like. Then as long as you remember your base pass, you can always just "add on" to it for each app, site, etc. you need to access, making it an easily remembered password based on which app/site you are accessing, giving you a sweet password like: "12g@NgLe34$hplAnGl34g3tZin2DaFlip$id3"....or whatever.

Of course don't rely fully on replacing letters like "E" with numbers like "3". The feds may be stupid, but they're not $tUp!D.  ::)

Just a thought.  :)

Peace

TFC
Title: Re: Simple way to make and remember secure passwords
Post by: TalkingHead on May 18, 2012, 02:40 am
Flipside, your drug of choice here is obviously not weed because if you were a toker you would know that would never work! LOL! WAY too much to remember.
Title: Re: Simple way to make and remember secure passwords
Post by: flipside on May 18, 2012, 02:43 am
Not if you're cereal. Like Captain Crunch. ;)

[Edit: And just took another toke.]  8)

Peace

TFC
Title: Re: Simple way to make and remember secure passwords
Post by: Banjo on May 18, 2012, 04:38 pm
@flipside: you're sort of correct. If this were being used as an encryption scheme, it would indeed be very weak. Here's how passwords are used.

1.) You create a password. Let's say, "ro80w8e3" ("flipside", using the method I outlined earlier)

2.) When you create an account on a website, your password is then hashed, and ideally salted. A hash algorithm is a type of one-way encryption. It is possible to encrypt, but impossible to decrypt. Let's use the SHA-512 algorithm in this case. The SHA512 hash of "ro80w8e3" is:
8ecf56e37ff71b7ef7d0c1a4b309ef9aa114357565015cfa564ddffe8cdc1b736187dfd3e0125cf64fd9a4842f2a5b4cfdad721922dfa658a1b5c81e112ae37d

And that's what would actually get stored in the database. But since it can't be decrypted, how can the system check to see if the password you entered when logging in matches the password you created? In hash algorithms, input A will always produce output B. "ro80w8e3" will always produce the above hash. So, when you log in, the system will hash the password you tried to log in with, and compare it against the hash stored in the database. If the hashes match, it knows the original passwords were the same. If they don't match, you have the wrong password.

So, the way this is attacked is called brute forcing. If I wanted to figure out what your password is, I would write a program that tries every possible combination of characters, hashes them, and then compares them to your hash. When I get a match, I know I've found your password. With current computational power, it's infeasible to try every possible combination of characters once you get past eight characters in length or so. So the important part is to generate a lot of random characters that are longer than ten characters. It doesn't matter how you came up with them. Because of the way hashing (and hash cracking) works, having a password of "ksdk39dk57s5" (just random letters I pressed on my keyboard) is just as secure as "q55qdyj3h5" (attachment).

Someone else mentioned earlier that this is good, but won't they just add this to standard password cracking software? The answer is no, because even passwords like "AppleOrangeBanannaPearGrapefruitKiki" are very difficult for password crackers to crack. Using just those six words, there are thirty-six possible combinations. Assuming there are around 1,000,000 words in the English language, using just six randomly selected words gives you 1.0 × 10^36 possible combinations. Now, using my method, using six random words, and (maybe) capitalizing certain letters, you'd have to try 7.29 × 10^38 possible combinations.
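The store-the-hash, re-hash-on-login and brute-force steps Banjo walks through, as an added example (not Banjo's code). It uses a random per-user salt with SHA-512 as he suggests, compares digests in constant time, and runs the brute-force search over a deliberately tiny keyspace (three lowercase letters) so it finishes in a moment; the password, salt and guess rate are constructed for illustration. The keyspace helper at the end reproduces his "six random words" arithmetic next to an eight-character printable-ASCII password.

```python
import hashlib
import hmac
import itertools
import os
from typing import Iterable, Optional, Tuple

# Added example (not Banjo's code): salted SHA-512 storage, login check and
# the brute-force search described above. All values are constructed.


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Return (salt, hex digest) of SHA-512(salt || password)."""
    if salt is None:
        salt = os.urandom(16)  # random per-user salt, stored beside the hash
    digest = hashlib.sha512(salt + password.encode()).hexdigest()
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: str) -> bool:
    """Re-hash the candidate with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)


def brute_force(salt: bytes, stored_digest: str, alphabet: str,
                max_len: int) -> Tuple[Optional[str], int]:
    """Try every string over `alphabet` up to max_len characters, shortest
    first. Returns (recovered password or None, number of guesses made)."""
    guesses = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            if verify_password(candidate, salt, stored_digest):
                return candidate, guesses
    return None, guesses


def keyspace(symbols: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` drawn from `symbols`
    (characters, or words from a wordlist)."""
    return symbols ** length


def seconds_to_search(symbols: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to exhaust the keyspace at an assumed guess rate."""
    return keyspace(symbols, length) / guesses_per_second


if __name__ == "__main__":
    salt, digest = hash_password("qdy")  # constructed weak password
    print("stored:", salt.hex(), digest[:16] + "...")
    print("login ok: ", verify_password("qdy", salt, digest))
    print("login bad:", verify_password("qdz", salt, digest))
    found, n = brute_force(salt, digest, "abcdefghijklmnopqrstuvwxyz", 3)
    print(f"brute force recovered {found!r} after {n} guesses")

    rate = 1e9  # assumed guesses per second for a fast cracking rig
    print("six words from a million-word list: %.1e candidates, %.1e s"
          % (keyspace(10**6, 6), seconds_to_search(10**6, 6, rate)))
    print("eight printable ASCII characters:  %.1e candidates, %.1e s"
          % (keyspace(95, 8), seconds_to_search(95, 8, rate)))
```

The salt does not slow down a guess at a single account; it stops one hash computation from being checked against every account at once and defeats precomputed tables. Slowing each guess down is a separate measure, which the thread gets to later with iterated hashing.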
Title: Re: Simple way to make and remember secure passwords
Post by: kmfkewm on May 18, 2012, 05:18 pm
The output from a cryptographic hash algorithm has as many bits of entropy in it as the input does, up to the maximum size of the hashing algorithm. A good cryptographic hash aims to distill and evenly distribute entropy. Distilling means the output takes all of the entropy of the input and has it in the output, which is a fixed size, potentially much less size than the input. Evenly distributing means that if the input has 8 bits of entropy in the first character and no bits of entropy in the other characters, the output hash will have 8 bits of randomness equally distributed through out every character. So the hash of "a" is still much less secure than the hash of "uteyvw5i697895t45ytf495w6f4t6t9548t943t34t456iotui4ru5o3u54io9t586y843t654989kfwlejtiueh5i"
Title: Re: Simple way to make and remember secure passwords
Post by: flipside on May 19, 2012, 12:22 am
@ Banjo/kmf, ect...

Well now I'm just more confused than ever.  ::)

But from what I think I'm understanding, it is safe to say with my method that since my passwords are well over 10 characters long, with uppers, lowers, numbers, SCs etc. that it's pretty phreakin strong then?

That basically, anything over 10 characters with all random characters, etc. is the basis for a pretty strong password?

Sorry, it's just all the talk of Hash made we wanna smoke some.  ;)
Title: Re: Simple way to make and remember secure passwords
Post by: NeuroRelativizer on May 19, 2012, 12:43 am
Here's my basic process:

Say I'm making a password for a site that's all about physics. I'll pick a memorable phrase that relates to the subject.

entanglement is spooky action at a distance

Pick a capping scheme, say first and last letters of words

EntanglemenT IS SpookY ActioN AT A DistancE

Now pick, say, every third character, including spaces

Eale  oYcoAAiaE

Translate spaces into numbers (preferably have more spaces left)

Eale19oYcoAAiaE

Now make all prime numbers their corresponding symbol (or even numbers, or every not-3, etc)

Eale!9oYcoAAiaE

There you go. Memorize it and enjoy being able to re-derive if necessary, knowing that the derivation itself is randomized and is a form of password.
Title: Re: Simple way to make and remember secure passwords
Post by: Addy on May 19, 2012, 01:23 am
Great stuff, guys. I'll keep an eye on this thread.

Personally, I picked my SR password by mashing my keyboard, then writing on paper what came out. Whenever I type it in, I do it in a different order, then copy/paste a couple times in case I have a keylogger installed.
Title: Re: Simple way to make and remember secure passwords
Post by: flipside on May 19, 2012, 01:44 am
SR really should have a 'virtual keyboard' built in on the log-in screen to bypass keyloggers, just like vmail.me, or even, (ugg) safe-mail does.

Thoughts?  ???
Title: Re: Simple way to make and remember secure passwords
Post by: kmfkewm on May 19, 2012, 03:39 am
good keyloggers can see the screen too
Title: Re: Simple way to make and remember secure passwords
Post by: flipside on May 19, 2012, 09:05 am
Yeah, that's why I asked cuz I know they have screen capture software as well. More concerned about a few friends I know that use solely public comps, or any comp for that matter.

Is there 'any' way around both physical and digital key loggers? Like some way to use copy/paste, perhaps along with multiple desktops (like using "Spaces" on OSX)? Or even enable "remember passwords for websites", which I would NEVER want to do, but if you could ensure your comp was 100% secure from physical tampering, this might work, no?

Or maybe copy/paste your pass, turn off your wireless connection, then change your MAC addy, and turn your connection back on. That way at least they couldn't prove that pass came from that specific computer/MAC address. Yes? No?  Maybe?

Or maybe a script of some kind?

With "sneak n' peeks" ever since the Patriot Act, it is a serious concern. Either you can carry your comp with you at all times to avoid "physical" loggers, but most of us store all hardware, etc. off-site, but then you have the concern of being away from your secret location, and all it takes is accidentally forgetting to power off your cell ONE TIME, then your location could "potentially" be compromised. So it's kind of a Catch 22.  :(

Is there ANY way to beat all keyloggers, 100%?

Peace. And thanks for all the great  info. This is a great thread. :)

Title: Re: Simple way to make and remember secure passwords
Post by: randomOVDB#2 on May 19, 2012, 11:01 am
Quote
Is there ANY way to beat all keyloggers, 100%?

Hmm, my guess would be laser keyboard along with a security token.

http://en.wikipedia.org/wiki/Projection_keyboar
http://en.wikipedia.org/wiki/Security_token
Title: Re: Simple way to make and remember secure passwords
Post by: kmfkewm on May 19, 2012, 06:44 pm
edit: I should preface this by saying that there are two goals when it comes to countering keyloggers, the primary goal is to protect from the attacker being able to get any keystrokes at all, a lesser goal is to protect from the attacker stealing a password that can be used for authentication. Also, I am using keystroke information interchangeably with user input.

There are two types of keylogger, hardware and software. They come in various levels of sophistication. The shittiest hardware keyloggers are just a connection piece that you place between the keyboard's USB connector and the computer's USB connector. They record all of the keystrokes and then forward them on to the computer. You can spot these simply by looking for them. Virtual keyboards protect from this sort of keylogger because the input comes from the mouse. There are slightly more advanced hardware keyloggers that work in essentially the same way, but which can be hidden better, inside of the keyboard itself for example. These are harder to find but virtual keyboards protect from them as well.

The more sophisticated hardware keyloggers can not so easily be defeated. They use extremely tiny cameras and position them so they can view the keyboard as it is typed on. Or they analyze transient electromagnetic information and use it to pull the entire monitor's display from a substantial distance, or to determine keystrokes based on the sounds of typing, also from great distance. Maybe they plug into the power grid and gather keystroke information that leaks into it. Protecting from this sort of attack is much harder, and requires a combination of surveillance technology to detect physical intrusions (or keeping your laptop on you 24/7) and shielded equipment/rooms to prevent information leakage.

Software keyloggers also come in various forms. The least sophisticated of them will be defeated by a virtual keyboard because they monitor input from the keyboard and ignore the mouse. However most people use much more advanced software keyloggers that also monitor mouse position. Even the mouse/keyboard monitoring software keyloggers can be defeated by using a virtual keyboard that randomly rearranges the position of the keys every time one is clicked. However, even more advanced software keyloggers will take a screenshot every time a mouse button is clicked, and many of them just constantly record what is happening on the screen. You can even get around software keyloggers that monitor everything on the screen by using one time password systems: the password is good for authentication exactly one time and then a new one needs to be generated. The server and the client both have a piece of secret information that allows them to keep synched up with what the appropriate password should be, but the attacker can not guess future passwords from current passwords so they are still screwed. Banks use technology like this quite a bit, but it is possible to implement these systems without specialized hardware.

https://en.wikipedia.org/wiki/One-time_password

OTP pretty much defeats a keylogger's ability to steal a password that can be used for authentication at a later point in time.

In the grand scheme of things I think that virtual keyboards are a waste of time. Theoretically they can protect from some simple keyloggers, but in practice no significant attacker uses such primitive keyloggers. IMO virtual keyboards are largely just a marketing gimmick because they make people feel more secure. OTPs can be effective at preventing keyloggers from stealing a password that can be used for future authentication, but they won't protect you from the attacker spying on your keystrokes.
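The counter-synchronised one-time-password scheme kmfkewm describes, as an added example (not his code), implemented as HOTP from RFC 4226 with nothing beyond the standard library. Client and server share a secret and a counter; the server accepts each code once and then moves past it, so a code captured by a keylogger is useless for a later login. The secret is the RFC 4226 test-vector key, chosen so the codes can be checked against the RFC; the replay scenario is constructed.

```python
import hashlib
import hmac
import struct
from typing import Tuple

# Added example (not kmfkewm's code): RFC 4226 HOTP, both sides, plus the
# replay check that makes a keylogged code worthless after first use.

SECRET = b"12345678901234567890"  # RFC 4226 Appendix D test-vector key


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA1(K, C)) mod 10^digits, zero-padded."""
    msg = struct.pack(">Q", counter)  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of last byte
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10**digits).zfill(digits)


class OtpClient:
    """The token (hardware or software): emits the next code and advances."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class OtpServer:
    """The verifier: remembers the next expected counter and allows a small
    look-ahead window so a code the user generated but never typed does not
    lock them out. A used counter is never accepted again."""

    def __init__(self, secret: bytes, window: int = 3):
        self.secret = secret
        self.window = window
        self.counter = 0

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.counter = c + 1  # move past the used value: no replay
                return True
        return False


def replay_demo() -> Tuple[bool, bool, bool]:
    """Constructed scenario: the first code is keylogged and replayed."""
    client, server = OtpClient(SECRET), OtpServer(SECRET)
    captured = client.next_code()
    first = server.verify(captured)              # legitimate login
    replay = server.verify(captured)             # attacker replays it
    second = server.verify(client.next_code())   # next legitimate login
    return first, replay, second


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(SECRET, c))
    print("first / replay / second:", replay_demo())
```

As kmfkewm says, this protects the credential, not the session: an attacker who can read the screen or the keystrokes still sees everything typed, and a captured code is live until the legitimate user submits it, so it should be sent immediately over the protected channel.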
Title: Re: Simple way to make and remember secure passwords
Post by: NeuroRelativizer on May 19, 2012, 09:12 pm
Thanks for the awesome info, kmfkewm. That's a lot more than I ever knew on the subject. I'd toss a +1 your way but I'm sadly incapable at this point in time.
Title: Re: Simple way to make and remember secure passwords
Post by: flipside on May 20, 2012, 05:07 am
Well Neuro, I completely agree.

So I'll toss him one on your behalf! ;)

[Edit: Apparently I can't as it says I have given karma within the last 72 hours, but I haven't done so in well over a week. Yet another flaw in the somewhat ridiculous "karma" system I suppose. Or possibly just since I recently did a fresh install of TBB?]

Additionally, I was curious. If using an email client set up to access Tormail (following the instructions given on their website) you are essentially relying solely on Tor's encryption alone to safely send passwords to access accounts correct? Is there a safer way to transmit passwords? I would imagine relying on Tor alone to protect something as sensitive as a password sent to any account connected to SR (considering the known and (potentially) unknown vulnerabilities in Tor) is potentially unsafe, no? If a password were compromised for this reason, then all the GPG in the world would be meaningless, no? Well, obviously only if any private keys were compromised as well of course, but I'd still prefer not to give my passwords to the feds for Christmas.

In Thunderbird, etc. there is a "send password encrypted" option, but on the Tormail website it says not to use this, and to rely on Tor alone to protect your password. But isn't that a bit of a stretch in this business? Is there any way to encrypt passwords using GPG or otherwise (on top of the great advice 'randomOVDB#2' and 'kmf' gave above about avoiding keyloggers)?

I've never liked the fact of having to select no SSL/STARTTLS or 'password transmitted insecurely', etc. Tor or not.

And again, thanks for all the great advice guys! ;)

Peace

TFC
Title: Re: Simple way to make and remember secure passwords
Post by: flipside on May 27, 2012, 11:37 pm
kmf.. (or any others who may know as well)

I'm still looking into it, but perhaps someone could post it up clearer here in the mean time. According to your advice, one could then theoretically beat software keyloggers entirely using an OTP, but can OTPs be set up using an email client as well? And set to automatically do so each time? With each individual email account? That would at least somewhat alleviate the concerns I mentioned of passwords being transmitted insecurely and being 'Tor-protected' only when accessing SR, Tormail, etc.

Otherwise, assuming screen-capture software isn't being used, and although I keep ALL of my passwords in my head. Period! As MANY have tried to 'crack' and 'brute-force' my head, without success! (Which might also explain a few things...) ;)

BUT...for others...then simply copy/pasting a password from an (encrypted) text file from a flash drive into say, SR's log-in page should work as well, no? Against BOTH hardware and software loggers? Or is screen-capture software pretty much built in to most software-loggers these days? If so, wouldn't it be pretty easy to write a script or whatever to add some sort of "time-delay" to bypass the screen capture each time the mouse or keyboard is clicked? But since the password box is un-viewable to screen capture on SR, it should work regardless for passwords (on SR at least), no?

And if using a small, detachable USB keyboard (that you take with you everywhere or keep stored separate from your laptop) could also potentially eliminate concerns of hardware keyloggers as well? Perhaps even "new" ones we may not know about that might perhaps not be quite so 'noticeable' (like the micro cameras you mentioned)?

And finally, is there ANY way to encrypt information being sent between a wireless USB keyboard or mouse before it hits your screen? I'd imagine that would be a nifty option as well if possible. At least making it much harder to prove who may have typed anything, or used a mouse, on any specific comp. Similar to the concept of using text only on a disposable pre-paid phone.

Thanks for the great info all! :)

Slowly but surely, I am certain we can make ourselves a far too "time consuming" and "unreasonable" target they won't bother to even mess with, as catching real-life dealers, 'violent' street gangs, and the TONS of drugs constantly being intercepted at the border,  are all a far more 'high-value', as well as far more easily obtainable and financially reasonable targets. No matter how 'desirable' a target SR may be, if we can stay 10 steps ahead, it will only help to ensure the ongoing safety of our little yellow brick Road here in the land of drOgZ. ;)

"If" everyone heeds all the excellent and ever-expanding advice spread all over these forums. So just...do your part!

Please. :)

And thank you.

Peace
Title: Re: Simple way to make and remember secure passwords
Post by: RomanTotaleXVII on May 28, 2012, 12:06 am
This works  :)

http://imgs.xkcd.com/comics/password_strength.png
Title: Re: Simple way to make and remember secure passwords
Post by: q on May 28, 2012, 03:29 am
Quote
SR really should have a 'virtual keyboard' built in on the log-in screen to bypass keyloggers, just like vmail.me, or even, (ugg) safe-mail does.

Thoughts?  ???

If you worry about keyloggers and you run Windows, here is the solution: press the Windows key and R simultaneously, then type osk and press Enter.
Title: Re: Simple way to make and remember secure passwords
Post by: self on May 29, 2012, 05:10 am
Some things require passwords with a special character, some without; that is why over the past couple of years my passwd list has gotten so big.

Now I just learned some can use whitespace ...

For simplicity (cut and paste) and security (I do not need to write it down), a couple of ideas.

Have you downloaded your car insurance card? Is the VIN # on it? Copy and paste, maybe add a couple of *>!.

Or a lot of us are on Linux. Since I found out I can use whitespace with truecrypt--

remembering what line in what file is easier for me than actual 20-character randomness.

So open a random file, for example /usr/src/linux/ablkcipher.c. Pick something like

"if (likely(!(walk->flags & ABLKCIPHER_WALK_SLOW)))"

Lines starting with #, such as

#include <crypto/internal/skcipher.h>

are not operable in the script, so you can modify it to make it stronger and help you remember which line you chose. Example:

#include <crypto/internal/skcipher.h> <ThisOne>

Hidden in plain sight. Easier for me to remember file and line and copy and paste.
Title: Re: Simple way to make and remember secure passwords
Post by: kmfkewm on May 29, 2012, 07:36 am
forensics people would likely discover that password after an analysis of your machine shows the frequency and pattern with which you opened it, then they could just diff it and assume this one is a password. They try to make a time line of all of your actions, and it is going to look strange if they discover that you always open some random file with <thisone> in it prior to doing things that require a password to be input. 
Title: Re: Simple way to make and remember secure passwords
Post by: vlad1m1r on May 29, 2012, 10:49 am
I have had some differences with kmfkewm but he is 100% right here. Thanks for your thoughts self but no, no, a thousand times no - it would be very easy to see you'd accessed this file if your password's stored in plain text on the machine. You also might find that the so-called random file exists on every machine with the same Operating System and it might not be as unique as you thought!

Similarly your VIN, along with your Social Security number is right up there with the name of your dog and your kid's date of birth as passwords which are easy to guess by LEO.

Having said this, I do agree it is difficult to remember long strings of mixed characters indefinitely!

If you must store your password list anywhere besides your head then I would recommend protecting them with a book cipher - I've posted about this on a separate thread but in essence, it involves selecting a key text which can either be an actual book or something you've penned yourself and then choosing a sequence of characters as your password.

For instance if you had a copy of "War and Peace" on your book shelf you could decide that your password to your private key will be every second character on page 394. Obviously it will help if you select a text with a mixture of numbers and symbols as well as upper and lower case letters.

This system isn't perfect as it will be obvious to anyone who's able to observe you that you've a book in your hand while you're using the machine but provided you have a large enough amount of them and you don't write down the page number you're using, it's very little to go on - it also allows you to have extremely long passwords which is a good defence against brute force attacks.

Having said this as discussed in another thread, a cunning password will not protect you against keyloggers or a successful brute force attack, although there are ways to mitigate the risk.

Many thanks to everyone for their thoughts.

V.

Title: Re: Simple way to make and remember secure passwords
Post by: kmfkewm on May 30, 2012, 05:34 am
remembering passwords is easy.

an7d62k
lodi712s
oplakUU
9delma!

spend one week to memorize each of those strings. How many phone numbers do you have memorized? Now remember the order  that you memorized them in.

an7d62klodi712soplakUU9delma!

If you know any phone numbers it is pretty evident that you are capable of memorizing largely arbitrary sequences of several characters. It probably won't even take you a full week to memorize each of the substrings if you spend a bit of time on it, and make sure to practice typing it in also cuz muscle memory helps.
Title: Re: Simple way to make and remember secure passwords
Post by: kmfkewm on May 30, 2012, 05:41 am
It is probably a better technique to remember a random sentence though.

"The red dog jumps over things and then falls down because he sucks at jumping"

if you need a reminder:

TRDJOTATFDBHSAJ

that will not leak much information if it is discovered but could jog your memory. It would be better if your sentence doesn't follow grammatical rules though, if you want to write a reminder.

Tan while went worm ready fell fuck tap dance then on

TWWWRFFTDTO will leak even less
Title: Re: Simple way to make and remember secure passwords
Post by: vlad1m1r on May 30, 2012, 08:14 am

Yes, this would certainly be easier to remember than an arbitrary stream of characters and could well be more secure - I was discussing this via e-mail with one of my associates as I'd shown him the howsecureismypassword.net website and he found that a lot of the passwords he'd dreamed up were actually shockingly easy to crack e.g:

"uxehsk345" would take 4 days to crack on your average desktop PC,

whereas

"I love cookies!" would take around 13 Trillion years.

:-)

V.



Title: Re: Simple way to make and remember secure passwords
Post by: kmfkewm on May 30, 2012, 09:48 am
PKCS5 is nice where it can be implemented. Let's say your password is "a". Normally passwords are hashed before they are used, so "a" is really translated to "3f786850e387550fdab836ed7e6dc881de23001b". PKCS5 follows this logic out thousands of iterations,

a .... 3f786850e387550fdab836ed7e6dc881de23001b .... 782338a30a2f5c1eef41288a9dddbb22751dc65f .... 7feee70fbd24f8c460d034f0c5fcfeab12b8e77b .... etc

and uses the 5,000th (or whatever) hash value as the key. If you use plain old single iteration hashing to obtain the key, the attacker only needs to hash "a" once to see if a is your password, with PKCS5 systems they need to keep hashing 5,000 times before they can see if "a" was the password. Now a normal PC can quickly find the 5,000th hash that starts with "a" as the input, but when you are testing a and then b and then c ... aa ab ac .... etc....it really adds up and it greatly increases the time required for an attacker to brute force or dictionary attack a password, since by the time they find the 5000th hash that starts with "a" they would have been able to try 4,999 other passwords if you used just a single hash of the password. Nothing stops you from making them iteratively hash out your password hundreds of thousands of times, other than the fact that you may not want to wait hours for your password to work :P. But in theory it could take a year to bruteforce the password "a", it would just take you a year to be able to use it yourself as well ;). Of course if your password is b and they start at a it will take them two years to brute force it and you can use it once every year !! 

Title: Re: Simple way to make and remember secure passwords
Post by: randomOVDB#2 on May 30, 2012, 10:05 am
some things require passwords with a special character some without, that is why past couple years my passwd list has gotten so big.

now i just learned some can use whitespace ...

for simplicity (cut and paste) and security, (i do not need to write it down), a couple ideas.

have you downloaded your car insurance card? is the vin # on it ? copy and paste, maybe add couple *>!.

or a lot of us are on linux. since i found out i can use whitespace with truecrypt--

remembering what line in what file is easier for me than actual 20 character randomness.

so open a random file for example in /usr/src/linux/ablkcipher.c . pick something like

"if (likely(!(walk->flags & ABLKCIPHER_WALK_SLOW)))"

lines starting with #, such as

#include <crypto/internal/skcipher.h>   

are not operable in the script so you can modify to make it stronger and help you remember which line you chose. example

#include <crypto/internal/skcipher.h> <ThisOne>
hidden in plain sight. easier for me to remember file and line and copy and paste

forensics people would likely discover that password after an analysis of your machine shows the frequency and pattern with which you

I don't see this working. They have no idea about the password length. Add ".gz" (or any character basically) to the password that you've copied from the file and their routine data is useless.
Title: Re: Simple way to make and remember secure passwords
Post by: kmfkewm on May 30, 2012, 10:11 am
some things require passwords with a special character some without, that is why past couple years my passwd list has gotten so big.

now i just learned some can use whitespace ...

for simplicity (cut and paste) and security, (i do not need to write it down), a couple ideas.

have you downloaded your car insurance card? is the vin # on it ? copy and paste, maybe add couple *>!.

or a lot of us are on linux. since i found out i can use whitespace with truecrypt--

remembering what line in what file is easier for me than actual 20 character randomness.

so open a random file for example in /usr/src/linux/ablkcipher.c . pick something like

"if (likely(!(walk->flags & ABLKCIPHER_WALK_SLOW)))"

lines starting with #, such as

#include <crypto/internal/skcipher.h>   

are not operable in the script so you can modify to make it stronger and help you remember which line you chose. example

#include <crypto/internal/skcipher.h> <ThisOne>
hidden in plain sight. easier for me to remember file and line and copy and paste

forensics people would likely discover that password after an analysis of your machine shows the frequency and pattern with which you

I don't see this working. They have no idea about the password length. Add ".gz" (or any character basically) to the password that you've copied from the file and their routine data is useless.

If I know that your password contains ewiofiofj32iofiu42hf4u2ihr3ht1sk3r41it3r4ytthruthr4ugh43yhuy I don't care much if you add .gz after it
Title: Re: Simple way to make and remember secure passwords
Post by: vlad1m1r on May 30, 2012, 04:55 pm
PKCS5 is nice where it can be implemented. Let's say your password is "a". Normally passwords are hashed before they are used, so "a" is really translated to "3f786850e387550fdab836ed7e6dc881de23001b". PKCS5 follows this logic out thousands of iterations,

a .... 3f786850e387550fdab836ed7e6dc881de23001b .... 782338a30a2f5c1eef41288a9dddbb22751dc65f .... 7feee70fbd24f8c460d034f0c5fcfeab12b8e77b .... etc

and uses the 5,000th (or whatever) hash value as the key. If you use plain old single iteration hashing to obtain the key, the attacker only needs to hash "a" once to see if a is your password, with PKCS5 systems they need to keep hashing 5,000 times before they can see if "a" was the password. Now a normal PC can quickly find the 5,000th hash that starts with "a" as the input, but when you are testing a and then b and then c ... aa ab ac .... etc....it really adds up and it greatly increases the time required for an attacker to brute force or dictionary attack a password, since by the time they find the 5000th hash that starts with "a" they would have been able to try 4,999 other passwords if you used just a single hash of the password. Nothing stops you from making them iteratively hash out your password hundreds of thousands of times, other than the fact that you may not want to wait hours for your password to work :P. But in theory it could take a year to bruteforce the password "a", it would just take you a year to be able to use it yourself as well ;). Of course if your password is b and they start at a it will take them two years to brute force it and you can use it once every year !!

A little salt anyone? :-)

V.

Title: Re: Simple way to make and remember secure passwords
Post by: kmfkewm on May 30, 2012, 05:09 pm
salting is a different technique for protecting from rainbow table attacks. If the attacker has precomputed the hashes for a bazillion potential passwords, having the salt "salt" added to you password prior to its hash value being obtained will make their table worthless. Of course you would use some random string for the salt. But salting doesn't slow down the time it takes them to guess passwords like PKCS5 does, it just makes previously generated password => hash databases worthless. Both can be combined :).
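An added example, not from anyone in this thread, that puts both posts above into runnable code: the iterated hash chain kmfkewm describes (the first link is `echo a | sha1sum`, which is where the 3f786850... value comes from, so a newline is appended before hashing), a dictionary attack whose cost is counted in hash calls, a tiny precomputed-table stand-in that salting defeats, and the standardised combination of both, PBKDF2 from PKCS #5, via Python's `hashlib`. The candidate word list and salts are constructed for the demonstration.

```python
"""Iterated hashing, salting and PBKDF2 (the PKCS #5 KDF), standard library only."""
import hashlib
import os


def iterated_sha1(password: str, iterations: int, salt: str = "") -> tuple:
    """Hash chain as described in the post: hash the (salted) password, then keep
    hashing the previous hex digest and use the last one as the key.
    A trailing newline is appended to each input so the first link matches
    `echo a | sha1sum` (3f786850e387550fdab836ed7e6dc881de23001b).
    Returns (key, number_of_hash_calls)."""
    digest = hashlib.sha1((salt + password + "\n").encode()).hexdigest()
    calls = 1
    while calls < iterations:
        digest = hashlib.sha1((digest + "\n").encode()).hexdigest()
        calls += 1
    return digest, calls


def crack(target_key: str, candidates, iterations: int, salt: str = "") -> tuple:
    """Dictionary attack against a stored key, as a cost model for the defender.
    Returns (password_or_None, total_hash_calls): with N iterations every
    wrong guess costs N hashes, which is the whole point of key stretching."""
    total = 0
    for guess in candidates:
        key, calls = iterated_sha1(guess, iterations, salt)
        total += calls
        if key == target_key:
            return guess, total
    return None, total


def precomputed_table(candidates, iterations: int = 1) -> dict:
    """A (tiny) stand-in for a precomputed password => hash database:
    key -> password for unsalted hashes. A salt the table builder did not
    know makes every entry miss, exactly as the post says."""
    return {iterated_sha1(p, iterations)[0]: p for p in candidates}


def pbkdf2_key(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """The standardised form of 'salt it and iterate thousands of times':
    PBKDF2-HMAC-SHA256 from PKCS #5 v2. The salt should be random (os.urandom)
    and stored beside the key; 600,000 iterations is OWASP's current figure
    for SHA-256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


if __name__ == "__main__":
    words = ["a", "b", "c", "aa", "ab"]  # constructed candidate list
    for n in (1, 5000):
        stored, _ = iterated_sha1("b", n)
        print(n, "iterations:", crack(stored, words, n))  # ('b', 2) then ('b', 10000)
    table = precomputed_table(words)
    unsalted, _ = iterated_sha1("ab", 1)
    salted, _ = iterated_sha1("ab", 1, salt="x7Q!")  # constructed salt
    print("table lookup:", table.get(unsalted), table.get(salted))  # ab None
    print("pbkdf2:", pbkdf2_key("correct horse", os.urandom(16), 10_000).hex())
```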
Title: Re: Simple way to make and remember secure passwords
Post by: randomOVDB#2 on May 30, 2012, 06:11 pm
If I know that your password contains ewiofiofj32iofiu42hf4u2ihr3ht1sk3r41it3r4ytthruthr4ugh43yhuy I don't care much if you add .gz after it

You add .gz (.yournick or aaa43 or fu@f, ...) to the text that is in the file so your password isn't ewiofiofj32iofiu42hf4u2ihr3ht1sk3r41it3r4ytthruthr4ugh43yhuy but
ewiofiofj32iofiu42hf4u2ihr3ht1sk3r41it3r4ytthruthr4ugh43yhuy.gz and since .gz isn't there ... Addition of a few characters that are not in the file makes frequency useless.

Testing every combination from an average sized system txt file would take quite a bit of time wouldn't it ? File with 1000 lines, part (you add something that is not in the file) of the password being your 42nd line. It seems pretty safe to me ?
Title: Re: Simple way to make and remember secure passwords
Post by: vlad1m1r on May 31, 2012, 05:02 pm
If I know that your password contains ewiofiofj32iofiu42hf4u2ihr3ht1sk3r41it3r4ytthruthr4ugh43yhuy I don't care much if you add .gz after it

You add .gz (.yournick or aaa43 or fu@f, ...) to the text that is in the file so your password isn't ewiofiofj32iofiu42hf4u2ihr3ht1sk3r41it3r4ytthruthr4ugh43yhuy but
ewiofiofj32iofiu42hf4u2ihr3ht1sk3r41it3r4ytthruthr4ugh43yhuy.gz and since .gz isn't there ... Addition of a few characters that are not in the file makes frequency useless.

Testing every combination from an average sized system txt file would take quite a bit of time wouldn't it ? File with 1000 lines, part (you add something that is not in the file) of the password being your 42nd line. It seems pretty safe to me ?

I think it would depend on how easy it would be for LEO to monitor which files you were accessing from your machine.

An associate of mine used to use a similar technique to yours where he had a website generate a million random passwords and put them in a spreadsheet. He would then choose one at random to be his password for the month and add a few random characters in.

On the face of it, reducing your password possibilities down from infinity to a million is actually quite bad for your security. Although it would take considerable time and trouble to perform hash algorithms on a password list that long and see how similar they are to the one for the stored password, it would reduce the time to 'bruteforce' the password considerably.

Of course if there were one, universal method of having an easy to remember but incredibly robust password we would all do it. I don't claim to be an expert in Cryptography but can tell you that the best methods of encryption historically have been those whereby revealing the method behind the encryption process doesn't materially advantage any eavesdroppers - for instance owning a copy of the AES encryption algorithm wouldn't be much use without the corresponding password.

Conversely the "one time pad" method of encryption while theoretically secure was a disaster to implement in practice for Spies as recovery of what was obviously the code book by an enemy meant all subsequent messages would be decoded! (There are other practical concerns but we'll gloss over these..)

The general emphasis seems to be on "something you have" and "something you know" in order to secure your data e.g a password and a keyfile. As such if you're going to do something like this I'd suggest you go a little further than adding .gz to each file. For instance you could swap the first five digits around or otherwise skew a larger number of characters.

One method I used to use to protect against dictionary based attacks would be to choose several normal words as a pass phrase and cycle every second character two places forward. I actually got the idea from reading a book in the Star Wars series of all things (http://starwars.wikia.com/wiki/Cracken_Twist).

I'd like to hear more thoughts from the floor on this please but my general feeling is that writing your passwords down is not a good idea unless you alter them substantially.

V.

Title: Re: Simple way to make and remember secure passwords
Post by: kmfkewm on May 31, 2012, 08:11 pm
If I know that your password contains ewiofiofj32iofiu42hf4u2ihr3ht1sk3r41it3r4ytthruthr4ugh43yhuy I don't care much if you add .gz after it

You add .gz (.yournick or aaa43 or fu@f, ...) to the text that is in the file so your password isn't ewiofiofj32iofiu42hf4u2ihr3ht1sk3r41it3r4ytthruthr4ugh43yhuy but
ewiofiofj32iofiu42hf4u2ihr3ht1sk3r41it3r4ytthruthr4ugh43yhuy.gz and since .gz isn't there ... Addition of a few characters that are not in the file makes frequency useless.

Testing every combination from an average sized system txt file would take quite a bit of time wouldn't it ? File with 1000 lines, part (you add something that is not in the file) of the password being your 42nd line. It seems pretty safe to me ?

At that point you are pretty much just remembering your password anyway so why bother to store part of it in a text file with <=== THIS!!!! written next to it if you need to remember enough to keep it secure if someone finds the text file.
Title: Re: Simple way to make and remember secure passwords
Post by: randomOVDB#2 on May 31, 2012, 09:58 pm
On the face of it, reducing your password possibilities down from infinity to a million is actually quite bad for your security. Although it would take considerable time and trouble to perform hash algorithms on a password list that long and see how similar they are to the one for the stored password, it would reduce the time to 'bruteforce' the password considerably.

It seems the question here is, how much alteration is needed ? Or to go back a step with the help of a story.

Cops find a small piece of paper that was ripped in two. The first piece says "password for GPG: 123456". They never find the second piece of paper that has the other part of the password. Is the info on the first piece of any use ? Knowing part of the password but not knowing length ? My, limited, knowledge suggested that the info as such is useless and so I don't see why alterations are bad or less secure.

At that point you are pretty much just remembering your password anyway so why bother to store part of it in a text file with <=== THIS!!!! written next to it if you need to remember enough to keep it secure if someone finds the text file.

I disagree. Addition of "@vV" doesn't require much memory effort. There is also no need to highlight the password in such a visible way; a double dash can be used without any suspicion.
Title: Re: Simple way to make and remember secure passwords
Post by: ☀ℇɣểἠ℉℧ℜƮℍƺ℞☀ on June 11, 2012, 12:32 am
A nice little option OSX allows (and most likely Windows as well), is go to System Preferences-> Language & Text -> Text

Here you can customize any keyboard command you like. So if you are just lazy, or have concerns of possible key-loggers/screen-capture, etc., simply set a command (let's say Shift/F..K/TheDEA). Now let's assume you don't have 11 fingers to spare. So make the command whatever you choose. Something simple. And make this command produce any text/password in TextEdit like: hSD%#HQ5678j&3NY6&$%^@YBCZhdjf8Ljf988d5y....etc.

So now you have a (personally) designed keyboard command that will, with the click of a single button (if you choose) spew out the longest, most random password your application or website will allow. Now let's say you move your TextEdit box (just) below the screen if you are concerned about Screen-capture. Simply move your text box slightly below the screen before typing your command. Then: [Cmd-A] (highlights all text), [Cmd-C] (copies the text), [Cmd-V] will Paste it nicely into a SR password box.

This (should?) fool most key-loggers as well as screen-capture I'd imagine?

Of course feel free to always 'add on' to your password though to increase security. For example, you could type, say, "the exact number of different alkaloids in your system at that time" BEFORE the resulting password, then times that number by ∞ and you now have a unique number you could add to the END of your password as well. Or zipcodes, lottery numbers, whatever, anything that should ensure part of your password ALWAYS resides in your head if your System Prefs were ever to become compromised.

Also, someone mentioned that virtual keyboards may not be safe since some key-loggers send a screen capture each time a key or mouse button is pushed. The ability to set a delay on either is also an option under SP -> Universal Access. This (might?) perhaps throw off some mouse/key-loggers? Although I would not personally rely on Apples "built-in" delay algorithms alone, as that is likely your adversary's minimum standard. Although it certainly wouldn't hurt if you have reason to be concerned.

However, just as you can manually modify a Technics 1200 to pitch at 2x the default, I'd imagine you could do the same with delays on your mouse and keyboard as well. It might be something that could help? Particularly if the delay times were set to random intervals. It might be a pain in the ass, but it is also my understanding that prison can be as well. Just in a slightly more literal sense. ;)

Later!

☀ℇɣểἠ℉℧ℜƮℍƺ℞☀

Title: Re: Simple way to make and remember secure passwords
Post by: ☀ℇɣểἠ℉℧ℜƮℍƺ℞☀ on June 11, 2012, 01:04 am
Oh!

And of course don't forget to keep that OS with those configurations on a separate card (sold/stored separately), only be used to unlock your passwords on another drive.

Before you start inserting your 3rd, 4th, cards, etc. of course.

Manipulating passwords among user accounts to gain access to certain files on even a single OS is always fun as well of course. Particularly when your encrypted disk images are disguised deep in your system folder, and better yet 'invisible'.

You may not win in the long run (depending on your adversary), but at least you can waste their time. ;)

Later...

☀ℇɣểἠ℉℧ℜƮℍƺ℞☀

Title: Re: Simple way to make and remember secure passwords
Post by: goturprints on June 11, 2012, 02:03 am
WRITE THEM ON THE BACK OF YOUR MOUSEPAD WITH A SHARPIE!!
Title: Re: Simple way to make and remember secure passwords
Post by: sundhara on June 11, 2012, 02:42 am
I usually highlight a section in a book or some piece of paper. It is normally pretty easy to remember sentences -- and just use the first letter. Highlight more than one section if you fear you don't have enough security.

example:

Highlighted "" For more information about these services and how to bar or unbar, phone 1555 free from your mobile or visit www.vodafone.com.au/premiumsms. ""

Password "" Fmiatsahtbou,p1555ffymovw.v.c.a/p. ""

I used the entire "phone number" for more numbers. Passwords made like this take me about three days to remember based on the feel I get when typing it on the keyboard. Remembering it until then requires me to remember the entire sentence so essentially you can't forget it. This is more obscure than those really long passwords that make use of like six words, and for services that exclude special characters (eg. tormail), you have enough obscurity to keep it as it is.

Things that work exceptionally well are those that include addresses. "" MC,OMW,Rm,WA9-6,USA "" << That is just an address "" Microsoft Corporation, One Microsoft Way, Redmond, WA, 98052-6399, USA ""

Also, don't write them on the back of your mousepad... once you are able to remember the password, you need to dispose of all copies of it. Why the fuck would you ruin a mousepad?
Title: Re: Simple way to make and remember secure passwords
Post by: oscarzululondon on June 11, 2012, 02:55 am
I haven't read this whole thread. But what you're suggesting uses unicode characters which can be bruteforced with the correct hardware in minutes, no matter how long or complex. It also matters how the passwords are encrypted.

For example if SR uses MD5 then it doesn't matter how complex your password is, an SQL attack on the site would reveal all passwords in seconds.

I laughed when I saw the details of the recent Linkedin attack. Really, securing passwords using MD5 hashes? SERIOUSLY? Jesus. Tut tut Linkedin.
Title: Re: Simple way to make and remember secure passwords
Post by: ☀ℇɣểἠ℉℧ℜƮℍƺ℞☀ on June 11, 2012, 05:11 am
Even something like: ~#1❡₪ϕ☀⡟⅔➹☄✌↵→∞✺➏➒☞☜☠✌ = a bitc0in better...but only"IF" the website or application supports it.

Which is the very reason (as mentioned above) that Tormail still bugs me to this day. Why don't they allow even the very simplest of special characters in either names or passwords? It makes NO SENSE with the type of service they are attempting/claiming to provide. Even the (WONDERFUL) drug-addled SR coders figured that one out. ;)

Most members here using Tormail should be smart enough to be using GPG regardless, so passwords aren't quite the major concern. Yet most other providers of free, Opensource, online security/remail/privacy based tools and services tend to stand proudly behind their services.

Does anyone even know how they are funded? It's certainly not from ads.

And the recent .net incident kind of left me feeling like it was almost a ploy. An attempt to build user-confidence and perhaps lure some into a false sense of security. Perhaps even with an original overall intent of confusing new-comers to encryption with Tor and GPG? All while the growing, public (and now mainstream) online d...g-trade scene was, and is (FM aside) thriving. And all just (somewhat) around the same time as SR went online?

I'm not sure if "domainsbyproxy" are even still around, but I'm certain similar services are. In which case, I'm even more surprised they wouldn't register using such a service instead of the whole Russia/ICANN story. I know a little about domain law and have had threats over domains from lawyers in the past. And I knew my rights. I guess it just doesn't sit right with me personally. Though I still use Tormail at times, remember there are plenty of other Tor-accessible email providers.

"Hidden"-service or not (and exitnodes, etc. aside), traffic-analysis alone is reason enough to (at least) switch up your Tormail address periodically. It's not as if the concept of setting up domains to adapt to changing technological trends is something new to North American governments, DZF, etc.

Although in this case I'd imagine it could just as easily be the Chinese behind it, since they know their politically suppressed population know more about Tor and far less about GPG and would likely flock to a Tor-based email provider. But then again...

[Oh damn. All out of tin-foil. Oh well.]

Later...

☀ℇɣểἠ℉℧ℜƮℍƺ℞☀
Title: Re: Simple way to make and remember secure passwords
Post by: Kappacino on June 11, 2012, 09:09 am
I don't get this..

If you want to remember a password, why don't you just try.. REMEMBERING the password?

It really isn't that hard.
Title: Re: Simple way to make and remember secure passwords
Post by: randomOVDB#2 on June 11, 2012, 01:19 pm
I don't get this..

If you want to remember a password, why don't you just try.. REMEMBERING the password?

It really isn't that hard.

40+ characters can be hard to remember.
Title: Re: Simple way to make and remember secure passwords
Post by: sundhara on June 12, 2012, 01:39 am
I don't get this..

If you want to remember a password, why don't you just try.. REMEMBERING the password?

It really isn't that hard.

40+ characters can be hard to remember.

What is wrong with you that you need to use 40 characters? If you're using 40 characters, you've already made it obscure enough to just write something like "Myfullnameismikehuntandiliveat11southst."
Title: Re: Simple way to make and remember secure passwords
Post by: MojoMan on June 12, 2012, 01:52 am
I don't get this..

If you want to remember a password, why don't you just try.. REMEMBERING the password?

It really isn't that hard.

40+ characters can be hard to remember.

What is wrong with you that you need to use 40 characters? If you're using 40 characters, you've already made it obscure enough to just write something like "Myfullnameismikehuntandiliveat11southst."

That's a simple password, made up from real words which are easier to crack.
Title: Re: Simple way to make and remember secure passwords
Post by: Nunya on June 12, 2012, 02:15 am
What about http://lastpass.com?  Make a single, complex password (and a bit of trust in LastPass - but that's their job) and every password you have is very different and very complex.   8)
Title: Re: Simple way to make and remember secure passwords
Post by: MojoMan on June 12, 2012, 02:18 am
What about http://lastpass.com?  Make a single, complex password (and a bit of trust in LastPass - but that's their job) and every password you have is very different and very complex.   8)

It's only as secure as the lastpass servers.
Title: Re: Simple way to make and remember secure passwords
Post by: zingzong on June 12, 2012, 03:31 am
I laughed when I saw the details of the recent Linkedin attack. Really, securing passwords using MD5 hashes? SERIOUSLY? Jesus. Tut tut Linkedin.

sha-1, no salt

using utf-8 characters would help against attacks if it was supported by the database. it would take longer to crack but would still provide *better* protection than \w+