Author Topic: Frequency of changing master password ?  (Read 8615 times)

Kim

  • Timelord
    • Fediverse
Re: Frequency of changing master password ?
« Reply #50 on: 09 March, 2023, 01:36:30 pm »
finger prints can't do duress codes...

Shirley you could use a different finger...

Kim

  • Timelord
    • Fediverse
Re: Frequency of changing master password ?
« Reply #51 on: 09 March, 2023, 01:43:34 pm »
Ah, passwords.  A slight pain in my life.

An elderly relative sets them up and then forgets them.  He knows not to keep a record but his random approach ends up restricting him from access to his own accounts.  And then, on a whim, he will know one and he'll decide to change it forgetting what he changed it to.

I have managed to sort his passwords for now ...

See, this is where threat models come in.  I'd generally suggest that old people who are bad at computers *should* keep a record of their passwords.  On paper.  Away from the computer.  Preferably obfuscated a bit.

Their main risk is clicking on some thing that pertains to, I dunno, stop the adverts or whatever, and backdoors their computer.  Paper records are secure against that.

Of course you could argue that never knowing their password provides useful protection against giving it out to random phone scammers who pretend to be calling from Windows about their slow computer...

Of course, there's a circle of hell where you have to reset passwords for your dyslexic relative, where they've enabled two-factor auth by SMS, so you've got to phone them up and get them to read out the code correctly before the timeout...

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #52 on: 09 March, 2023, 01:53:43 pm »
finger prints can't do duress codes...

Shirley you could use a different finger...

Not if someone is literally holding your hand to the scanner. No.

Ah, passwords.  A slight pain in my life.

An elderly relative sets them up and then forgets them.  He knows not to keep a record but his random approach ends up restricting him from access to his own accounts.  And then, on a whim, he will know one and he'll decide to change it forgetting what he changed it to.

I have managed to sort his passwords for now ...

See, this is where threat models come in.  I'd generally suggest that old people who are bad at computers *should* keep a record of their passwords.  On paper.  Away from the computer.  Preferably obfuscated a bit.

Their main risk is clicking on some thing that pertains to, I dunno, stop the adverts or whatever, and backdoors their computer.  Paper records are secure against that.

Of course you could argue that never knowing their password provides useful protection against giving it out to random phone scammers who pretend to be calling from Windows about their slow computer...

Of course, there's a circle of hell where you have to reset passwords for your dyslexic relative, where they've enabled two-factor auth by SMS, so you've got to phone them up and get them to read out the code correctly before the timeout...

Exactly. Writing a password down isn't always a bad thing.

Sticking it to the computer is...

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Re: Frequency of changing master password ?
« Reply #53 on: 11 March, 2023, 06:12:41 pm »
I read somewhere that a character can be '.'

So a 20 character password can be

e5.................T

And this is just as hard to crack as

e5KryuHTeBp4CA9si7uT

Yes. But it's harder to type cos did you type 20 . Or 19? Or 21? Whereas "this is a really long password made up of words" is a lot easier to type accurately, and harder to crack.

J

But a lot easier when someone on the phone asks for the 13th, 17th and 19th character
Quote from: tiermat
that's not science, it's semantics.

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #54 on: 11 March, 2023, 06:46:14 pm »
But a lot easier when someone on the phone asks for the 13th, 17th and 19th character

Which do you do more: tell the password over the phone, or type it?

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Re: Frequency of changing master password ?
« Reply #55 on: 11 March, 2023, 09:36:27 pm »
If somewhere is asking for password characters that means the password is stored unhashed. Such a password should never be used for anything else, and ideally you would never type it.

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #56 on: 11 March, 2023, 09:45:53 pm »
If somewhere is asking for password characters that means the password is stored unhashed. Such a password should never be used for anything else, and ideally you would never type it.

Very true.

It's worth noting everything I've been saying about passwords and authentication in this thread has been based around passwords you type into computer systems.

For challenge-response systems, that needs to be taken into account, and it should not be the same as the main password used to unlock your password mangler.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

tonycollinet

  • No Longer a western province of Númenor
Re: Frequency of changing master password ?
« Reply #57 on: 12 March, 2023, 09:19:29 am »
I read somewhere that a character can be '.'

So a 20 character password can be

e5.................T

And this is just as hard to crack as

e5KryuHTeBp4CA9si7uT

Not according to the password checker here:
https://bitwarden.com/password-strength/

3 hours vs centuries.

Password hacking scripts will check for repeated characters.
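A small strength estimator, added here as an example (not code from anyone in the thread), for the disagreement between Replies #53 and #57: it scores a password under the cheapest of three attack models (plain brute force, a prefix + repeated-run + suffix search, and a wordlist search), so the dotted string, the random string and the word-based phrase can be compared. The 95-character alphabet, 20,000-word vocabulary and 1e10 guesses/s rate are assumptions.

```python
import math
import re

# Assumptions (constructed for this example, not taken from the thread):
PRINTABLE = 95          # printable ASCII alphabet a brute-force attack covers
VOCAB = 20_000          # size of the wordlist a passphrase attack would use
GUESSES_PER_SEC = 1e10  # assumed offline cracking rate


def brute_force_bits(pw: str) -> float:
    """Guess work (log2) if the attacker must try every string of this length."""
    return len(pw) * math.log2(PRINTABLE)


def repeat_run_bits(pw: str):
    """Guess work if the attacker enumerates prefix + one repeated char + suffix.

    This is the 'scripts check for repeated characters' case: the run collapses
    to (which char, how long) and only the leftover characters are brute-forced.
    """
    m = re.search(r"(.)\1{2,}", pw)  # a run of three or more identical chars
    if m is None:
        return None
    leftover = len(pw) - len(m.group(0))
    return (leftover * math.log2(PRINTABLE)  # the non-run characters
            + math.log2(PRINTABLE)           # which character is repeated
            + math.log2(len(pw)))            # how long the run is


def wordlist_bits(pw: str):
    """Guess work if the attacker tries sequences of dictionary words."""
    words = pw.split()
    if len(words) < 2 or not all(w.isalpha() for w in words):
        return None
    return len(words) * math.log2(VOCAB)


def effective_bits(pw: str) -> float:
    """An attacker runs the cheapest applicable model, so take the minimum."""
    candidates = [brute_force_bits(pw), repeat_run_bits(pw), wordlist_bits(pw)]
    return min(b for b in candidates if b is not None)


def crack_seconds(pw: str) -> float:
    """Expected time to search half the space at the assumed rate."""
    return 2 ** (effective_bits(pw) - 1) / GUESSES_PER_SEC


if __name__ == "__main__":
    for pw in ("e5.................T", "e5KryuHTeBp4CA9si7uT",
               "this is a really long password made up of words"):
        print(f"{pw!r}: {effective_bits(pw):.1f} bits, ~{crack_seconds(pw):.3g} s")
```

The dotted string scores around 30 bits under the repeated-run model while the random string and the word phrase both score well over 100 bits, which is the gap the Bitwarden checker is reporting.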

Re: Frequency of changing master password ?
« Reply #58 on: 12 March, 2023, 09:56:50 am »
But a lot easier when someone on the phone asks for the 13th, 17th and 19th character

Which do you do more: tell the password over the phone, or type it?

J

Other than at work, I never type a password. Fingerprint or face scan then password entered automatically from the keychain.

If somewhere is asking for password characters that means the password is stored unhashed. Such a password should never be used for anything else, and ideally you would never type it.

Very true.

It's worth noting everything I've been saying about passwords and authentication in this thread has been based around passwords you type into computer systems.

For challenge-response systems, that needs to be taken into account, and it should not be the same as the main password used to unlock your password mangler.

J

Yes I completely agree and my post above was not exactly serious. This is why banks, etc ask you to set up a "memorable word" rather than a password for the challenge-response and it's combined with other info. It's a "better than nothing" approach but doesn't allow actual passwords to be stored unencrypted (or two-way encrypted).

So it caught me by surprise yesterday when Plusnet asked for characters from my password. Initially I didn't remember setting up a password for this purpose, but then it turned out that it was my actual password, used for both the router and the website. This is incredibly poor practice, especially from a technical supplier. Luckily I am leaving them very soon.
Quote from: tiermat
that's not science, it's semantics.

Kim

  • Timelord
    • Fediverse
Re: Frequency of changing master password ?
« Reply #59 on: 12 March, 2023, 12:25:36 pm »
I don't think Plusnet's reputation as 'technical' survived the various email loss incidents.  To say nothing of them being borged by our-favourite-telco...

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #60 on: 12 March, 2023, 12:35:20 pm »

Other than at work, I never type a password. Fingerprint or face scan then password entered automatically from the keychain.

Somewhere up there ^^^^ I explained why I avoid fingerprint and face scans. Obviously my threat model is not your threat model, so you may not have the same worry as me. But I will not recommend biometrics.


J
--
Beer, bikes, and backpacking
http://b.42q.eu/

tonycollinet

  • No Longer a western province of Númenor
Re: Frequency of changing master password ?
« Reply #61 on: 12 March, 2023, 04:02:21 pm »
B) it's a lot easier to hold someone's thumb over the finger print reader than it is to beat a password out of them. Or even just hold their face in front of the scanner. Also finger prints can't do duress codes...

If someone is in the vicinity and mood to beat a password out of me.... I'm going to give it to them. Nothing sitting behind my passwords is life or death.

Re: Frequency of changing master password ?
« Reply #62 on: 12 March, 2023, 08:45:57 pm »

Other than at work, I never type a password. Fingerprint or face scan then password entered automatically from the keychain.

Somewhere up there ^^^^ I explained why I avoid fingerprint and face scans. Obviously my threat model is not your threat model, so you may not have the same worry as me. But I will not recommend biometrics.


J

Oh, yes, I missed that post. As usual you speak a lot of sense, but you are right about my risk assessment being different. I regard A and B as (for me) being several orders of magnitude lower than eg getting my wallet or bike stolen, with or without menaces. If I lived in N Korea or Putin's Russia I would think very differently. And for C, my work has back up procedures for biometric failure with fast response times.
Quote from: tiermat
that's not science, it's semantics.

Re: Frequency of changing master password ?
« Reply #63 on: 12 March, 2023, 09:28:22 pm »
You'll get nothing out of me..  Passwords? What does that mean?
Move Faster and Bake Things

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #64 on: 13 March, 2023, 12:23:53 am »

If someone is in the vicinity and mood to beat a password out of me.... I'm going to give it to them. Nothing sitting behind my passwords is life or death.

My bigger concern is a police officer deciding to try and unlock my device with my finger print against my will. The password at least requires a court order.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

quixoticgeek

  • Mostly Harmless
Re: Frequency of changing master password ?
« Reply #65 on: 13 March, 2023, 12:27:44 am »
Oh, yes, I missed that post. As usual you speak a lot of sense, but you are right about my risk assessment being different. I regard A and B as (for me) being several orders of magnitude lower than eg getting my wallet or bike stolen, with or without menaces. If I lived in N Korea or Putin's Russia I would think very differently. And for C, my work has back up procedures for biometric failure with fast response times.

If you think it's only N Korea or Russia where such things happen, then you have *really* failed to pay attention to the policies being passed by the current Tory government.

As it is if you don't give up encryption keys upon a court order it's 2 years in prison. But it doesn't take much for a cop to hold the phone to your cuffed hands.

Choose the threat model that suits you, but I am not going to rely on hoping that if I get stopped by the police, that they are nice. I've had enough armed police pointing things at me enough times to not want to trust them very far.

J
--
Beer, bikes, and backpacking
http://b.42q.eu/

Afasoas

Re: Frequency of changing master password ?
« Reply #66 on: 14 March, 2023, 09:46:01 pm »
Bemused to learn that mothership used LastPass until about three years ago (long before I started).
This latest breach has had me somewhat busy today.

I suppose the moral of this story is, if switching cloudy password managers, it's probably a good time to go through and change the most critical passwords. I've disabled a lot of accounts today (because I think they are probably not used). No doubt be dealing with the fallout tomorrow.


I have mixed feelings about MFA. For a lot of (low risk) things, I'd much rather just get a notification when I've signed in. For high risk things, I want to at least have N+1 second factors so I'm not hosed if I've forgotten my phone. Some services do support this. Some are even better (HOTP FTW). Sadly, many don't.


I'm really not a fan of using biometrics for authentication. Sadly it seems to be a necessity to enter some data centres so no doubt the hashed values for my thumbprints and irises are in a world readable S3 bucket somewhere..

Re: Frequency of changing master password ?
« Reply #67 on: 18 March, 2023, 06:31:17 pm »
This (annoying) video popped up in my feed https://www.youtube.com/watch?v=0NdZrrzp7UE

To save you some minutes of your life, actually the hackers do not breach the Google 2FA. What they did is use a spear phishing attack to get browser cookies and then from a persistent session switch off 2FA. Bizarrely, Google do NOT need 2FA to switch 2FA off. I assume this is because otherwise there will be legions of numpties who lose their prime 2FA and hadn't first set up secondary and tertiary 2FA, but it is a surprising fail.

I do think you need to enter the password, though, so I don't think he provided all the story, and it may be he kept his Google password in his Google password manager which is VERY not secure.

Re: Frequency of changing master password ?
« Reply #68 on: 18 March, 2023, 07:58:34 pm »
Oh, yes, I missed that post. As usual you speak a lot of sense, but you are right about my risk assessment being different. I regard A and B as (for me) being several orders of magnitude lower than eg getting my wallet or bike stolen, with or without menaces. If I lived in N Korea or Putin's Russia I would think very differently. And for C, my work has back up procedures for biometric failure with fast response times.

If you think it's only N Korea or Russia where such things happen, then you have *really* failed to pay attention to the policies being passed by the current Tory government.

Not at all. I was talking about risk. And risk = likelihood multiplied by consequences. I'm pretty sure that nothing on my phone or via my passwords will actually get me banged up. There are things that would do so if I were a citizen of Russia.
Quote
As it is if you don't give up encryption keys upon a court order it's 2 years in prison. But it doesn't take much for a cop to hold the phone to your cuffed hands.
Again, the likelihood is very low compared to the other bad things that can happen on a day to day basis. But if a cop wants to sift through the half terabyte of data on my phone or whatever eleventy TB on my other devices, then good luck to him, the consequences for anything on there are tiny to nil.
Quote
Choose the threat model that suits you, but I am not going to rely on hoping that if I get stopped by the police, that they are nice. I've had enough armed police pointing things at me enough times to not want to trust them very far.
I am the last person to expect niceness from agents of the state, and yes, I've had loaded things pointed at me with threats too, and spent nights in cells on some cop's whim. My response is not to expect to be able to keep anything behind any kind of encryption (which as you say can be beaten out of you with the threat of imprisonment) but rather to make sure it's not stored there in the first place.

To put it in terms of the risk equation: getting my bike nicked would ruin my day, but is not unlikely. Losing all my passwords by someone compromising biometrics would ruin my month, but is very unlikely. Anything that would ruin my year or life is not behind a simple password or biometric.
Quote from: tiermat
that's not science, it's semantics.