<div dir="ltr">That article relies on the cracker having the hash of the password. On a normal desktop system today, there's one way to get that: be root on the system.<div>Or, if not having the hash, having a very high bandwidth to confirm guesses.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, May 8, 2017 at 12:12 PM, Allan Cecil <span dir="ltr"><<a href="mailto:allan@nblug.org" target="_blank">allan@nblug.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'd really, *really* love to agree with you about the chances being small. Unfortunately, <a href="http://arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking" rel="noreferrer" target="_blank">arstechnica.com/security/2013/<wbr>10/how-the-bible-and-youtube-<wbr>are-fueling-the-next-frontier-<wbr>of-password-cracking</a> is from 2013 and using modest resources of the day they were able to snag the password "Am i ever gonna see your face again?" and several others of equal complexity. (The above article is a fantastic primer to tomorrow's talk despite its age, but I digress.)<br>
<br>
What I'm currently struggling with is that, at least for me, I have to type the device access password many many times a day. I can't seem to find that perfect balance of complexity and ability to enter said password quickly, or rather, at a certain point the security comes at a measurable cost in amount of minutes per day lost to it.<br>
<br>
Is anyone using non-password methods for device security? If so, I'd love to know how it is working out for you and if you feel less or more secure going that path.<br>
<br>
Thanks for the discussion,<br>
<span class="im HOEnZb"><br>
A.C.<br>
******<br>
President, North Bay Linux Users' Group<br>
<br>
</span><div class="HOEnZb"><div class="h5">On 05/08/2017 11:51 AM, Christopher Wagner wrote:<br>
> Generally speaking, passwords that are long, but also relatively easy to type tend to be the best compromise. Something like "Walking to the 7/11 today." or "EatingGreenBananasSucks!" are both easier to type, but also very difficult for a password cracker to get without substantial resources. There's obviously a lot of dictionary words, but with multiple words, a long length, mixed case, and the special characters, the chance of them being cracked without substantial resources is vanishingly small.<br>
><br>
><br>
> On 05/07/2017 03:25 PM, Allan Cecil wrote:<br>
>> In advance of Kyle's talk on Tuesday I was curious what practices other NBLUG folks follow with physical access passwords, i.e. passwords that you have to type frequently to gain access to a local PC or other personal device. Since it's a password that you'll be typing often you generally want a password that is easy to type but that is often at odds with good security practices. I'm seriously doubting my own methods after attending the Thotcon security conference this past week. Obviously, don't give up anything secret or sensitive here, but how do you handle passwords that by their nature can't be in a password manager and have to by typed frequently?<br>
>><br>
>> This is probably a discussion for after Kyle's talk but it's been on my mind and I didn't want to wait. Thanks for your thoughts!<br>
>><br>
>> A.C.<br>
>> ******<br>
>> President, North Bay Linux Users' Group<br>
>><br>
>> On 04/18/2017 03:05 PM, Allan Cecil wrote:<br>
>>> Topic: Sex, Secret and God: A Brief History of Bad Passwords<br>
>>> When: Tuesday May 9th, 7:30 PM to 9:00 PM<br>
>>> Speaker: Kyle Rankin<br>
>>><br>
>>> Location: O'Reilly Media, Sebastopol CA in the Tarsier conference room<br>
>>> past the metal statue and to the right ( <a href="http://nblug.org/locations" rel="noreferrer" target="_blank">http://nblug.org/locations</a> )<br>
>>><br>
>>> Description:<br>
>>> Most of what we've been told over the years about what makes a good<br>
>>> password has been wrong, so it's no surprise most people pick bad<br>
>>> passwords. This talk will cover the history of password policy and password<br>
>>> cracking starting from the days when Richard Stallman hacked the passwords<br>
>>> forced on his MIT computer lab because he considered passwords an<br>
>>> authoritarian method of control. Next I'll discuss the golden days of<br>
>>> password guessing featured prominently in movies like Hackers and WarGames.<br>
>>><br>
>>> Then I'll move to the tech boom and the introduction of draconian IT<br>
>>> policies like password rotation and password complexity and the dirty<br>
>>> little leet-speak password secrets they led to. As we get closer to the<br>
>>> modern day I'll discuss the "correct horse battery staple" password<br>
>>> renaissance and more modern approaches to password cracking spawned by<br>
>>> tools like oclhashcat and giant password databases dumps like the RockYou<br>
>>> hack.<br>
>>><br>
>>> I'll finish up with modern attempts to fix the password auth problem such<br>
>>> as new approaches to secure password generation in password managers or<br>
>>> schemes such as diceware as well as cover password auth reinforcements like<br>
>>> the different forms of 2FA (including U2F) and Facebook's new approach to<br>
>>> "I forgot my password" workflows. By the end everyone should have plenty of<br>
>>> ammunition to take back to their IT department and get rid of those<br>
>>> horrible password policies.<br>
>>> ______________________________<wbr>_________________<br>
>>> announce mailing list<br>
>>> <a href="mailto:announce@nblug.org">announce@nblug.org</a><br>
>>> <a href="http://nblug.org/cgi-bin/mailman/listinfo/announce" rel="noreferrer" target="_blank">http://nblug.org/cgi-bin/<wbr>mailman/listinfo/announce</a><br>
>>><br>
>> ______________________________<wbr>_________________<br>
>> talk mailing list<br>
>> <a href="mailto:talk@nblug.org">talk@nblug.org</a><br>
>> <a href="http://nblug.org/cgi-bin/mailman/listinfo/talk" rel="noreferrer" target="_blank">http://nblug.org/cgi-bin/<wbr>mailman/listinfo/talk</a><br>
><br>
> ______________________________<wbr>_________________<br>
> talk mailing list<br>
> <a href="mailto:talk@nblug.org">talk@nblug.org</a><br>
> <a href="http://nblug.org/cgi-bin/mailman/listinfo/talk" rel="noreferrer" target="_blank">http://nblug.org/cgi-bin/<wbr>mailman/listinfo/talk</a><br>
><br>
______________________________<wbr>_________________<br>
talk mailing list<br>
<a href="mailto:talk@nblug.org">talk@nblug.org</a><br>
<a href="http://nblug.org/cgi-bin/mailman/listinfo/talk" rel="noreferrer" target="_blank">http://nblug.org/cgi-bin/<wbr>mailman/listinfo/talk</a><br>
</div></div></blockquote></div><br></div>