[NBLUG/talk] How do you handle physical device passwords?

Chris Wagner chris at cwcomputing.net
Mon May 8 16:42:14 PDT 2017


As Robert points out, you'd need the hash or really high bandwidth (and a server that wouldn't lock out the account).

One of the aspects of the examples I gave is that they aren't used anywhere online in any normal sense, so wouldn't be likely to end up in the dictionary referred to in the post you link to.

On May 8, 2017 12:12:57 PM PDT, Allan Cecil <allan at nblug.org> wrote:
>I'd really, *really* love to agree with you about the chances being
>small.  Unfortunately,
>arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking
>is from 2013 and using modest resources of the day they were able to
>snag the password "Am i ever gonna see your face again?" and several
>others of equal complexity.  (The above article is a fantastic primer
>to tomorrow's talk despite its age, but I digress.)
>
>What I'm currently struggling with is that, at least for me, I have to
>type the device access password many many times a day.  I can't seem to
>find that perfect balance of complexity and ability to enter said
>password quickly, or rather, at a certain point the security comes at a
>measurable cost in amount of minutes per day lost to it.
>
>Is anyone using non-password methods for device security?  If so, I'd
>love to know how it is working out for you and if you feel less or more
>secure going that path.
>
>Thanks for the discussion,
>
>A.C.
>******
>President, North Bay Linux Users' Group
>
>On 05/08/2017 11:51 AM, Christopher Wagner wrote:
>> Generally speaking, passwords that are long, but also relatively easy
>> to type tend to be the best compromise.  Something like "Walking to the
>> 7/11 today." or "EatingGreenBananasSucks!" are both easier to type, but
>> also very difficult for a password cracker to get without substantial
>> resources.  There's obviously a lot of dictionary words, but with
>> multiple words, a long length, mixed case, and the special characters,
>> the chance of them being cracked without substantial resources is
>> vanishingly small.
>> 
>> 
>> On 05/07/2017 03:25 PM, Allan Cecil wrote:
>>> In advance of Kyle's talk on Tuesday I was curious what practices
>>> other NBLUG folks follow with physical access passwords, i.e. passwords
>>> that you have to type frequently to gain access to a local PC or other
>>> personal device.  Since it's a password that you'll be typing often you
>>> generally want a password that is easy to type but that is often at
>>> odds with good security practices.  I'm seriously doubting my own
>>> methods after attending the Thotcon security conference this past week.
>>> Obviously, don't give up anything secret or sensitive here, but how do
>>> you handle passwords that by their nature can't be in a password
>>> manager and have to be typed frequently?
>>>
>>> This is probably a discussion for after Kyle's talk but it's been on
>my mind and I didn't want to wait.  Thanks for your thoughts!
>>>
>>> A.C.
>>> ******
>>> President, North Bay Linux Users' Group
>>>
>>> On 04/18/2017 03:05 PM, Allan Cecil wrote:
>>>> Topic: Sex, Secret and God: A Brief History of Bad Passwords
>>>> When: Tuesday May 9th, 7:30 PM to 9:00 PM
>>>> Speaker: Kyle Rankin
>>>>
>>>> Location: O'Reilly Media, Sebastopol CA in the Tarsier conference room
>>>> past the metal statue and to the right ( http://nblug.org/locations )
>>>>
>>>> Description:
>>>> Most of what we've been told over the years about what makes a good
>>>> password has been wrong, so it's no surprise most people pick bad
>>>> passwords. This talk will cover the history of password policy and
>>>> password cracking starting from the days when Richard Stallman hacked
>>>> the passwords forced on his MIT computer lab because he considered
>>>> passwords an authoritarian method of control. Next I'll discuss the
>>>> golden days of password guessing featured prominently in movies like
>>>> Hackers and WarGames.
>>>>
>>>> Then I'll move to the tech boom and the introduction of draconian IT
>>>> policies like password rotation and password complexity and the dirty
>>>> little leet-speak password secrets they led to. As we get closer to the
>>>> modern day I'll discuss the "correct horse battery staple" password
>>>> renaissance and more modern approaches to password cracking spawned by
>>>> tools like oclhashcat and giant password database dumps like the
>>>> RockYou hack.
>>>>
>>>> I'll finish up with modern attempts to fix the password auth problem
>>>> such as new approaches to secure password generation in password
>>>> managers or schemes such as diceware as well as cover password auth
>>>> reinforcements like the different forms of 2FA (including U2F) and
>>>> Facebook's new approach to "I forgot my password" workflows. By the end
>>>> everyone should have plenty of ammunition to take back to their IT
>>>> department and get rid of those horrible password policies.
>>>> _______________________________________________
>>>> announce mailing list
>>>> announce at nblug.org
>>>> http://nblug.org/cgi-bin/mailman/listinfo/announce
>>>>
>>> _______________________________________________
>>> talk mailing list
>>> talk at nblug.org
>>> http://nblug.org/cgi-bin/mailman/listinfo/talk
>> 

--
Chris Wagner
CW Computing
707-992-5554
 
Sent from my Android device with K-9 Mail. Please excuse my brevity.
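The thread turns on two numbers nobody wrote down: how big the guess space of a "long but typeable" passphrase actually is, and how many guesses per second the attacker gets in each of the situations Chris names (online against a server that locks accounts, versus offline against a stolen hash). The script below is an added example for this list, not code from any of the posts. It computes entropy for Diceware-style phrases and random character strings, turns that into expected cracking time under assumed guess rates, and models the combinator attack from the Ars article as "every word is in the attacker's dictionary." The guess rates, the toy word list and the attacker dictionary are assumptions chosen for illustration, not benchmarks.

```python
"""Passphrase strength arithmetic for the device-password thread.

Added example, not code from any of the posts.  The guess rates, the toy
word list and the attacker dictionary are assumptions for illustration.
"""
import math
import secrets

# Constructed stand-in for a Diceware list.  A real Diceware list has
# 6**5 = 7776 entries; only the list *size* matters for the entropy maths,
# so the figures below use DICEWARE_SIZE rather than len(TOY_WORDLIST).
TOY_WORDLIST = ["banana", "walking", "green", "today", "sucks", "eating",
                "staple", "horse", "battery", "correct", "seven", "eleven"]
DICEWARE_SIZE = 6 ** 5

# Assumed guess rates (order-of-magnitude illustrations, not measurements).
RATES = {
    "online, rate-limited/lockout":      10.0,   # ~10 guesses/s before lockout
    "offline, slow KDF (bcrypt/scrypt)": 1e5,    # guesses/s on one GPU
    "offline, fast unsalted hash":       1e10,   # guesses/s on a GPU rig
}


def diceware_passphrase(words, n_words, rng=secrets):
    """n_words picked uniformly with a CSPRNG; any object with .choice() works."""
    return " ".join(rng.choice(words) for _ in range(n_words))


def entropy_bits(choices_per_element, n_elements):
    """Entropy of n_elements independent uniform picks from a set of that size."""
    return n_elements * math.log2(choices_per_element)


def expected_seconds_to_crack(bits, guesses_per_second):
    """Average time to hit a uniformly random secret: half the space on average."""
    return 2.0 ** bits / 2.0 / guesses_per_second


def combinator_bits(phrase, attacker_dictionary):
    """Search space (bits) of a combinator attack that knows the word count and
    has every word of `phrase` in its dictionary.  Returns None when a word is
    missing from the dictionary, i.e. this particular attack does not find it.
    Case and end-of-word punctuation are ignored, which favours the attacker."""
    words = [w.strip(".,!?;:'\"").lower() for w in phrase.split()]
    words = [w for w in words if w]
    if not all(w in attacker_dictionary for w in words):
        return None
    return entropy_bits(len(attacker_dictionary), len(words))


def human_time(seconds):
    """Seconds rendered in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


def crack_time_report(bits, rates=RATES):
    """Expected seconds to crack a secret of `bits` entropy under each rate."""
    return {name: expected_seconds_to_crack(bits, r) for name, r in rates.items()}


if __name__ == "__main__":
    scenarios = {
        "6 Diceware words (7776-word list)":  entropy_bits(DICEWARE_SIZE, 6),
        "4 words from a 20k attacker dict":   entropy_bits(20_000, 4),
        "8 random printable ASCII chars":     entropy_bits(95, 8),
        "4 random printable ASCII chars":     entropy_bits(95, 4),
    }
    for label, bits in scenarios.items():
        print(f"{label}: {bits:.1f} bits")
        for name, secs in crack_time_report(bits).items():
            print(f"    {name:36s} {human_time(secs)}")
    print("example passphrase:", diceware_passphrase(TOY_WORDLIST, 6))
    # Constructed attacker dictionary: a memorable sentence is only as strong
    # as that dictionary is incomplete.  If every word is in it, the space is
    # tiny even though the phrase is long.
    attacker = {"walking", "to", "the", "today", "7/11"}
    print("combinator bits:", combinator_bits("Walking to the 7/11 today.", attacker))
```

Running it shows the shape of the argument in the thread: against a server that locks the account after a handful of guesses, even four random printable characters (about 26 bits) take days, so typing cost can be traded for the lockout; against an offline fast hash, anything under roughly 50 bits is minutes, and only a phrase made of words the attacker's dictionary does not contain, or one assembled at random from a known list, survives. The combinator model here only splits on spaces, so a run-together phrase like "EatingGreenBananasSucks!" comes back as None; a real rule set would also try concatenation and capitalisation, so treat None as "this toy attack missed," not "uncrackable."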