Author Topic: Frequency of changing master password ?  (Read 8813 times)

Re: Frequency of changing master password ?
« Reply #25 on: 09 March, 2023, 12:10:29 am »
HaveIBeenPwned's list of the most common 100,000 cracked passwords https://www.ncsc.gov.uk/static-assets/documents/PwnedPasswordsTop100k.txt contains the password .......... so people are using it and crackers are guessing it.

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: Frequency of changing master password ?
« Reply #26 on: 09 March, 2023, 12:17:44 am »
HaveIBeenPwned's list of the most common 100,000 cracked passwords https://www.ncsc.gov.uk/static-assets/documents/PwnedPasswordsTop100k.txt contains the password .......... so people are using it and crackers are guessing it.

Yes, I suppose you could instruct your cracker to first try a run of .

Hence the characters before and after the run of .

I guess to answer QG, the point of having a password like the one I suggested (which I don't ;) ) is that you remember

GtY7 run of 12 . Tj

Which, for a password vault, is way better than trying to remember 18 random characters.
It is simpler than it looks.

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #27 on: 09 March, 2023, 12:19:38 am »
HaveIBeenPwned's list of the most common 100,000 cracked passwords https://www.ncsc.gov.uk/static-assets/documents/PwnedPasswordsTop100k.txt contains the password .......... so people are using it and crackers are guessing it.

This list is a common word list to use as input to a password cracker. Try these 100k first then move on to the more complicated stuff. You'd be amazed how often this list is enough.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Kim

  • Timelord
    • Fediverse
Re: Frequency of changing master password ?
« Reply #28 on: 09 March, 2023, 12:21:42 am »
I read somewhere that a character can be '.'

So a 20 character password can be

e5.................T

And this is just as hard to crack as

e5KryuHTeBp4CA9si7uT

Ostensibly yes, though it depends on how you're trying to crack it.

A naive brute-force attempt treats every character equally.  A more refined brute-force attempt would prioritise dictionary words and repetition and sequences of characters, obvious substitutions, and so on.  So you might start with "password12345" rather than "AAAAAAAAAAAAA".  Sequences of numbers that look like dates are probably a good bet.  That sort of thing.

Obviously if you have context, you can take more informed approaches.  The view from their desk.  Any post-it notes found under the keyboard.  Details of family members.  The specifics of the corporate mandatory password change policy[1].  Which numbers on the keypad are greasiest.  That sort of thing.

As always, security's about appropriateness.  What works for keeping your paypal login safe from opportunist h4xx0rs isn't the same as what you need to protect from a government agency who might break in and bug your computer's keyboard controller, which isn't the same as what you need to keep an opportunist thief from stealing your laptop, your stalker ex from reading your calendar, or your kids from using the WiFi after bedtime.


[1] Which is why these are an own goal.  If the last character(s) are a number that gets incremented every 30 days, it becomes much easier to guess.

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #29 on: 09 March, 2023, 12:34:27 am »

Yes, I suppose you could instruct your cracker to first try a run of .

Hence the characters before and after the run of .

I guess to answer QG, the point of having a password like the one I suggested (which I don't ;) ) is that you remember

GtY7 run of 12 . Tj

Which, for a password vault, is way better than trying to remember 18 random characters.

Thing is, people are crap at remembering such things. Yet words we're great at. I can remember a poem I learnt in high school, large tracts of The Hitchhiker's Guide to the Galaxy, lyrics to songs. Remembering such things is normal. If I give you the password "bike toilet coat soap paint carpet door", after you've typed it twice you'll remember it. And it's gonna take years for a computer to crack it. If you had a word list of 10000 words and you picked 6 of them randomly, the search space, even if the hacker knows you used that word list, is immense. If you're multilingual and can throw in a word or two from a second language, the search space gets even bigger. Meanwhile it's easier to type, easier to remember, and you're gonna have a more secure password.

It drives me nuts when I come across a system that is limited in what length I can use for a password [1]. It just makes things less secure.

J

[1] there's a special place in Hell for web designers who do not limit the password length field when you set the password, but only use the first X characters from what you submit, cos then unless you can work out exactly which of the characters it used, you can never actually log in. I've come across this a lot.
--
Beer, bikes, and backpacking
http://b.42q.eu/
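
As an added example (not code from any poster in this thread), here is a small Python scorer that puts numbers on two points made above: Kim's naive-versus-refined brute force, and the "6 words from a 10000-word list" arithmetic. It charges a run of one repeated character only for the character plus its length, and a passphrase only per list word; the 10,000-word list is a constructed stand-in, and the results are guess-count estimates in bits, not cracking times.

```python
import math
import re

# Constructed stand-in for the post's "word list of 10000 words": the scorer only
# needs the list size and a way to recognise list words, so a handful suffices.
WORDLIST_SIZE = 10_000
KNOWN_WORDS = {"bike", "toilet", "coat", "soap", "paint", "carpet", "door"}

# Character classes an attacker must cover; 33 = printable ASCII symbols incl. space.
CLASSES = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^a-zA-Z0-9]", 33)]


def charset_size(pw):
    """Size of the smallest standard alphabet that covers every character in pw."""
    return sum(n for pattern, n in CLASSES if re.search(pattern, pw))


def naive_bits(pw):
    """Naive brute force: every position is an independent draw from the charset."""
    return len(pw) * math.log2(charset_size(pw))


def segments(pw):
    """Split pw into runs of one repeated character (3 or more) and single chars."""
    out, i = [], 0
    while i < len(pw):
        j = i
        while j < len(pw) and pw[j] == pw[i]:
            j += 1
        if j - i >= 3:
            out.append(("run", pw[i:j]))
            i = j
        else:
            out.append(("char", pw[i]))
            i += 1
    return out


def refined_bits(pw):
    """Pattern-aware guessing, in the spirit of the 'more refined brute-force'.

    A passphrase made entirely of list words costs log2(list size) per word, so an
    attacker who knows the list still faces 10000**n guesses. Otherwise each literal
    character costs one charset draw, and a run of one repeated character costs only
    the character plus its length: an attacker who tries runs early does not pay per dot.
    """
    words = pw.split(" ")
    if len(words) > 1 and all(w in KNOWN_WORDS for w in words):
        return len(words) * math.log2(WORDLIST_SIZE)
    per_char = math.log2(charset_size(pw))
    bits = 0.0
    for kind, _text in segments(pw):
        bits += per_char                   # which character
        if kind == "run":
            bits += math.log2(len(pw))     # how long the run is
    return bits


def report(pw):
    """Both estimates, rounded to a tenth of a bit, for side-by-side comparison."""
    return round(naive_bits(pw), 1), round(refined_bits(pw), 1)


if __name__ == "__main__":
    for pw in ("e5" + "." * 17 + "T", "e5KryuHTeBp4CA9si7uT",
               "GtY7" + "." * 12 + "Tj", "bike toilet coat soap paint carpet door"):
        print(f"{pw!r:44} naive/refined bits = {report(pw)}")
```

The dotted 20-character string scores the same as the random one under the naive model but collapses to about 30 bits once runs are guessed as a unit, while the seven-word passphrase keeps roughly 93 bits against an attacker who knows the list.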

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: Frequency of changing master password ?
« Reply #30 on: 09 March, 2023, 12:37:56 am »
I read somewhere that a character can be '.'

So a 20 character password can be

e5.................T

And this is just as hard to crack as

e5KryuHTeBp4CA9si7uT

Ostensibly yes, though it depends on how you're trying to crack it.

A naive brute-force attempt treats every character equally.  A more refined brute-force attempt would prioritise dictionary words and repetition and sequences of characters, obvious substitutions, and so on.  So you might start with "password12345" rather than "AAAAAAAAAAAAA".  Sequences of numbers that look like dates are probably a good bet.  That sort of thing.

Obviously if you have context, you can take more informed approaches.  The view from their desk.  Any post-it notes found under the keyboard.  Details of family members.  The specifics of the corporate mandatory password change policy[1].  Which numbers on the keypad are greasiest.  That sort of thing.

As always, security's about appropriateness.  What works for keeping your paypal login safe from opportunist h4xx0rs isn't the same as what you need to protect from a government agency who might break in and bug your computer's keyboard controller, which isn't the same as what you need to keep an opportunist thief from stealing your laptop, your stalker ex from reading your calendar, or your kids from using the WiFi after bedtime.


[1] Which is why these are an own goal.  If the last character(s) are a number that gets incremented every 30 days, it becomes much easier to guess.

The crowbar and drugs  ;D
It is simpler than it looks.

Kim

  • Timelord
    • Fediverse
Re: Frequency of changing master password ?
« Reply #31 on: 09 March, 2023, 12:42:36 am »
Also: Password hints are a work of Stan.  I once guessed (on the first attempt) the password on a laptop I was attempting to repair a hardware fault on based entirely on the hint and the knowledge that the owner (a friend of a friend) was a white British woman of about my age.  If you're going to use "middle name" or "first school", at least have the sense to lie about it.

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #32 on: 09 March, 2023, 12:42:53 am »


Ostensibly yes, though it depends on how you're trying to crack it.

A naive brute-force attempt treats every character equally.  A more refined brute-force attempt would prioritise dictionary words and repetition and sequences of characters, obvious substitutions, and so on.  So you might start with "password12345" rather than "AAAAAAAAAAAAA".  Sequences of numbers that look like dates are probably a good bet.  That sort of thing.

Obviously if you have context, you can take more informed approaches.  The view from their desk.  Any post-it notes found under the keyboard.  Details of family members.  The specifics of the corporate mandatory password change policy[1].  Which numbers on the keypad are greasiest.  That sort of thing.

As always, security's about appropriateness.  What works for keeping your paypal login safe from opportunist h4xx0rs isn't the same as what you need to protect from a government agency who might break in and bug your computer's keyboard controller, which isn't the same as what you need to keep an opportunist thief from stealing your laptop, your stalker ex from reading your calendar, or your kids from using the WiFi after bedtime.


As I find myself saying a lot at work, "your threat model is not my threat model". Ultimately, if someone is at the point of targeting you so specifically that they are using cues from your desk to make guesses at what your password is, you've already lost. An attacker that determined is gonna succeed. Hell, if they have that much physical access, a keystroke logger in your keyboard, or a camera in the ceiling, are all going to be quicker and easier. Or, often as not, a good ole spear phishing attack. "What's the best way to find someone's password? Ask them."

Password policy needs to be proportionate and sensible. Something the OP's employer's policy most definitely isn't.

Long passphrases good. Regular changes, bad.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #33 on: 09 March, 2023, 12:46:57 am »
The crowbar and drugs  ;D

Didn't I suggest that already?

Also: Password hints are a work of Stan.  I once guessed the password on a laptop I was attempting to repair a hardware fault on based entirely on the hint and the knowledge that the owner (a friend of a friend) was a white British woman of about my age.

Yes and no. Having something that tells me that this site has a policy where my password needs two named female characters that talk to each other, and a number, and a capital city, and symbol, can greatly simplify life.

At work everyone's password hint is "ask Julia", cos if they can't remember it, I have to reset it. And this stops them putting something too obvious in there.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: Frequency of changing master password ?
« Reply #34 on: 09 March, 2023, 12:49:43 am »
The crowbar and drugs  ;D

Didn't I suggest that already?

J

Yes, you did, but then you moved on to something more technical.
It is simpler than it looks.

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #35 on: 09 March, 2023, 12:54:21 am »

Oh. And while I remember, and seeing as my insomnia is being a bitch tonight.

Single factor Auth bad. Multi factor Auth good. With MFA even if you have my password, unless you have my second factor you're not getting in.

SMS second factor sucks, it's too easy to take over someone's number. But tools like Google Authenticator are great. Even better is a YubiKey. I cannot recommend enough how much a physical token like a YubiKey can improve your security.

I have several[1], both for work and personal use. They aren't cheap. About €50 a pop, but the security improvement they provide is incredible.

Stop reading yacf, and go enable multi factor authentication everywhere you can. (Google, twitter, Microsoft, Instagram, etc... they all support some form of mfa).

J

[1] In fact it's a good idea to have a primary and a backup YubiKey, so even if you lose one, you can use the backup to reset everything and disable the one you lost. Keep it in your safe. You do have a safe, right?
--
Beer, bikes, and backpacking
http://b.42q.eu/

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #36 on: 09 March, 2023, 12:55:51 am »

Yes, you did, but then you moved on to something more technical.

At work we have a pair of 42"[1] bolt croppers for this purpose...


J

[1] I thought I had ordered some 42cm bolt croppers. Then they turned up in a very large box...
--
Beer, bikes, and backpacking
http://b.42q.eu/

Kim

  • Timelord
    • Fediverse
Re: Frequency of changing master password ?
« Reply #37 on: 09 March, 2023, 12:57:37 am »
As I find myself saying a lot at work "your threat model is not my threat model" ultimately if someone is at the point of targeting you so specifically that they are using cues from your desk to make guesses at what your password is, you've already lost. An attacker that determined is gonna succeed.

Physical access doesn't always imply highly determined and/or competent though.  It might just be someone with (semi) legitimate access to the physical space, with time to poke around.

In actual threat terms, "parents discover you've been reading queer stuff on the fidonets" is somewhat more existential than the financial fraud or data loss that people normally tend to worry about, but the threat model is quite different.

So yes, long passphrases good, but another good rule of thumb is don't do anything incriminating using a computer.

Kim

  • Timelord
    • Fediverse
Re: Frequency of changing master password ?
« Reply #38 on: 09 March, 2023, 01:02:00 am »
Single factor Auth bad. Multi factor Auth good. With MFA even if you have my password, unless you have my second factor you're not getting in.

SMS second factor sucks, it's too easy to take over someone's number. But tools like Google Authenticator are great. Even better is a YubiKey. I cannot recommend enough how much a physical token like a YubiKey can improve your security.

This is good advice.  The problem with SMS is worse than that: You might simply be (temporarily) unable to access the phone, rather than it being compromised.  Bonus points if the thing you're trying to two-factor authenticate with is your phone service provider in order to get them to send you a new SIM or whatever.

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #39 on: 09 March, 2023, 01:03:27 am »

Physical access doesn't always imply highly determined and/or competent though.  It might just be someone with (semi) legitimate access to the physical space, with time to poke around.

In actual threat terms, "parents discover you've been reading queer stuff on the fidonets" is somewhat more existential than the financial fraud or data loss that people normally tend to worry about, but the threat model is quite different.

So yes, long passphrases good, but another good rule of thumb is don't do anything incriminating using a computer.

Good point well made. And an excellent demonstration of "your threat model is not my threat model". One of the problems with working with people who are paid to break into buildings, and computer systems, is it gives a very skewed view of the world.

J

--
Beer, bikes, and backpacking
http://b.42q.eu/

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #40 on: 09 March, 2023, 01:05:03 am »
This is good advice.  The problem with SMS is worse than that: You might simply be unable to access the phone, rather than it being compromised.  Bonus points if the thing you're trying to two-factor authenticate with is your phone service provider in order to get them to send you a new SIM or whatever.

Oh yes. Or the code sent by SMS only has a 5 minute life, but because SMS has zero SLA, it takes ten minutes to come through... that's bitten me on the arse a few times.

A friend lost their phone, which is the second factor on credit card purchases here (log into online banking app and approve the transaction). Which meant he couldn't buy a new phone, as he didn't have the second factor to approve the purchase. Fortunately I could buy it for him, and he could pay me back 3 days later once he had a working phone again. Proper multi factor authentication requires that there be backup options...

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: Frequency of changing master password ?
« Reply #41 on: 09 March, 2023, 01:07:00 am »

So yes, long passphrases good, but another good rule of thumb is don't do anything incriminating using a computer.

or on or near any device that can be used for recording your ‘do’ things.
It is simpler than it looks.

Kim

  • Timelord
    • Fediverse
Re: Frequency of changing master password ?
« Reply #42 on: 09 March, 2023, 01:09:29 am »

Physical access doesn't always imply highly determined and/or competent though.  It might just be someone with (semi) legitimate access to the physical space, with time to poke around.

In actual threat terms, "parents discover you've been reading queer stuff on the fidonets" is somewhat more existential than the financial fraud or data loss that people normally tend to worry about, but the threat model is quite different.

So yes, long passphrases good, but another good rule of thumb is don't do anything incriminating using a computer.

Good point well made. And an excellent demonstration of "your threat model is not my threat model". One of the problems with working with people who are paid to break into buildings, and computer systems, is it gives a very skewed view of the world.

I'm also reminded of being bored waiting in $parent's office as a teenager, where people's confidential medical data (and assorted DOS games) were a mere post-it note away...

(To be fair, the computer wasn't connected to anything outside the building, and was at least as secure as the paper records - it all hinged on the sort of rigorous physical security that you'd need a modicum of knowledge, a cleaner's uniform and a mop to circumvent.)

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #43 on: 09 March, 2023, 01:13:20 am »

So yes, long passphrases good, but another good rule of thumb is don't do anything incriminating using a computer.

or on or near any device that can be used for recording your ‘do’ things.

You do all have a piece of tape over your laptop camera right? And you keep your phone in a drawer when you're doing things with your SO? Or turned off. And in a drawer?

I was pleasantly surprised to discover MacBooks have a hardware disconnect of the microphone when the lid is closed. A very nice feature.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Jaded

  • The Codfather
  • Formerly known as Jaded
Re: Frequency of changing master password ?
« Reply #44 on: 09 March, 2023, 01:23:55 am »

So yes, long passphrases good, but another good rule of thumb is don't do anything incriminating using a computer.

or on or near any device that can be used for recording your ‘do’ things.

You do all have a piece of tape over your laptop camera right? And you keep your phone in a drawer when you're doing things with your SO? Or turned off. And in a drawer?

I was pleasantly surprised to discover MacBooks have a hardware disconnect of the microphone when the lid is closed. A very nice feature.

J

Oh, I just use bargain second-hand PC laptops. Save loads of money, and no one is going to target a machine that cost £150.
It is simpler than it looks.

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #45 on: 09 March, 2023, 01:27:00 am »

Oh, I just use bargain second-hand PC laptops. Save loads of money and no one is going to target a machine that cost £150

Someone targeting indiscriminately to deploy malware isn't going to be checking the value of the device. But if they have remote access, they may well turn the camera on to see what you're doing.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Kim

  • Timelord
    • Fediverse
Re: Frequency of changing master password ?
« Reply #46 on: 09 March, 2023, 01:32:17 am »
Or you might have turned the mic on so that the Mega-Global Internet-of-Shit co can hear you ask to play music or set cookery reminders, and have overlooked that they've worked out how to use machine learning to identify sexual activity by sounds in order to target advertising of condoms and Barry White CDs, which can then be subpoenaed by the new authoritarian government in order to more effectively police people's uteruses...

(Ha ha only serious.)

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #47 on: 09 March, 2023, 01:38:08 am »
Or you might have turned the mic on so that the Mega-Global Internet-of-Shit co can hear you ask to play music or set cookery reminders, and have overlooked that they've worked out how to use machine learning to identify sexual activity by sounds in order to target advertising of condoms and Barry White CDs, which can then be subpoenaed by the new authoritarian government in order to more effectively police people's uteruses...

(Ha ha only serious.)

And people wonder why I don't even have the kernel driver for my laptop's mic loaded...

It's also worth noting that I advise people against using biometrics for access.

A) In many jurisdictions, whilst a court order is needed to compel you to give up a password, the same is not true of a fingerprint or face scan.

B) It's a lot easier to hold someone's thumb over the fingerprint reader than it is to beat a password out of them. Or even just hold their face in front of the scanner. Also fingerprints can't do duress codes...

C) Losing access to the datacentre at work cos you cut your finger at the weekend is a really annoying failure mode. DAMHIKT.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Re: Frequency of changing master password ?
« Reply #48 on: 09 March, 2023, 07:33:51 am »
Ah, passwords.  A slight pain in my life.

An elderly relative sets them up and then forgets them.  He knows not to keep a record but his random approach ends up restricting him from access to his own accounts.  And then, on a whim, he will know one and he'll decide to change it forgetting what he changed it to.

I have managed to sort his passwords for now ...

Re: Frequency of changing master password ?
« Reply #49 on: 09 March, 2023, 08:45:59 am »
… expensive … crack … unsalted hash …

Will my computer risk becoming a drug addict?

QG, thank you for the explanation; I now understand the topic better.