ad: UR5CDX-1

How Strong is your Password?

Discussion in 'Amateur Radio News' started by AA7BQ, Apr 22, 2023.

ad: L-HROutlet
ad: l-rl
ad: Left-2
ad: L-MFJ
ad: abrind-2
ad: Radclub22-2
ad: Left-3
  1. AE2DX

    AE2DX XML Subscriber QRZ Page

    I found this very informative and thank you for the research in this matter will be changing a few of my passwords today.
     
  2. K2CAJ

    K2CAJ XML Subscriber QRZ Page

    I've worked with one of my students on a similar approach to this, and we found that IBM developed something similar: you get a login page with a challenge URL, and then your phone or browser plugin or other device follows a response URL, using cryptographic signatures instead of a password. The server then recognizes your original browser's connection as authenticated.

    The trick is making the whole thing less painful than 2FA. At my work, people have to provide the 2FA with every login, which happens at least once a day. You might think the solution to that is changing the login to only require the authenticator occasionally, but our ITS is unable to do this. It doesn't help that this is a very complex ecosystem of external web applications with a central authentication service. So our main constraint is ease of use: if we replaced passwords+2FA with something like SQRL, it would have to be much more convenient.

    Along those lines, I developed a hotkey for MacOS that automagically makes the OS type my (work) 2FA authenticator at the keyboard. I haven't physically typed that 2FA in over a year. And one of my students built a USB dongle that imitates a USB keyboard, typing in the 2FA authenticator when you press a button. The challenging part turns out to be cheaply giving the dongle a reliable clock. In both cases they are one-button solutions.
     
    VK5OHR likes this.
  3. GM4BRB

    GM4BRB Ham Member QRZ Page

    Sounds like a ruddy nightmare. Driving a 16-lane superhighway directly through my own house to link N. Ireland's Belfast & Londonderry ('Stroke-City') directly to Penrith, might surely be far less painful.
     
    Last edited: Apr 29, 2023
    K2CAJ likes this.
  4. VK5OHR

    VK5OHR Ham Member QRZ Page

    Actually it is quite an eloquent solution however cryptographics can seem mind blowing to the uninitiated...

    [​IMG]
     
    Last edited: Apr 29, 2023
  5. K2CAJ

    K2CAJ XML Subscriber QRZ Page

    I think Graeme was referring to the situation at my workplace, where a 2FA code must be entered multiple times a day, which is frankly awful.

    This SQRL approach is clearly more secure and technologically superior IF you have to go to the trouble to use an app to login. As long as you're involving an app, you might as well make that app use proper cryptography under the hood instead of managing passwords (or 2FA keys, which can be stolen.) In other words, my workplace is forcing everyone into an inconvenience in exchange for quite meagre security.

    What my coworkers and students really want, however, is not an improvement in security but a halt to these work interruptions where they have to find their phone or switch to an app because their access to the courseware site has timed out. I would not be able to convince them to switch to SQRL because it still involves the phone/app. (I might be able to convince IT to switch to SQRL, but apparently they have little control over the central authentication service.)
     
    GM4BRB and VK5OHR like this.
  6. K4KYV

    K4KYV Premium Subscriber Volunteer Moderator QRZ Page

    It depends on the site. I don't really care if someone hacks my access to the account at Podunk Times I was forced to create a username and password for, in order to read one article that interested me. Same goes for other low-priority sites that are of limited value. I'm not going to waste my time keeping track of a long list or remembering junk passwords for junk sites, nor taking time to change them periodically; I use the same 8-digit p/w for many of those, and I'm sure by now it's well known all over the web and I couldn't care less.

    OTOH I try to create strong passwords for more valuable sites like web-based e-mail and accounts with firms I periodically do business with. For banking and other critical applications, I prefer the two-tier authentication system, where I submit a strong password, then click a button for the site to call me back on the phone to deliver a voice-message with a numerical access code that's good for a brief period of time.

    For added security, my anti-virus program includes VPN that encrypts ingoing and outgoing traffic, and supposedly makes my IP invisible. The only reason I don't use it all the time is that it sometimes slows down my browser.
     
    WB8NXR likes this.
  7. WB8NXR

    WB8NXR Ham Member QRZ Page

    A password brute forcer four years ago built from NVIDIA graphic cards right before I retired from cybersecurity and using multiple networked computers could try in excess of 6 billion passwords per second. Yes, billions with a "b". Yes, per second. They have to be exponentially faster nowadays.

    It matters little how you pick your password. What matters is what the thing using it, whether it's an app or a web site, does with it after you enter it. Do they store it in clear text? Bad. Do they encrypt it? Bad. Do they hash it? Better. Do they also "salt" the hash? Much better. Do they also use a real, really, really slow hash algorithm? Bingo. At least as of four years ago.

    Criminals often swipe the entire unsecured credential database. Once the database is stolen all of those little controls like "Lock after five attempts", "Wait one minute before retrying", and "Wipe the device after ten bad tries" become meaningless. Why? Because those are part of the programming and not part of the credential database you now stole. The criminal (or auditor) can let their brute forcer loose at warp speed. That's why a really slow hash algorithm is key. When one person logs in the slowness does not affect the speed they see. But when someone throws a password brute forcer against it the algorithm still runs at snail speed, taking that massive GPU-based cracker and putting it in molasses.

    The only way to make a password less crackable is to know the assumptions behind brute forcing tools. One assumption always is that the character set consists of things typed directly on a keyboard. But there is a thing called Extended ASCII that can be typed from a keyboard using the Alt key and the numeric keypad. The use of Extended ASCII characters increases the number of possibilities per character to 256, more than doubling the possible permutations per character.

    Active Directory allows the use of Extended ASCII in passwords so I always used at least one in my passwords. Some apps also allow it but others do not. During one penetration test the auditors recovered all but one password from the stolen AD credential database within a week. Mine was it.

    If you work for a company that uses AD it can be trivial to swipe the AD Security Accounts Manager database and do it so fast no one knows. The you run the password brute forcer against your copy at your leisure.

    Yes, Fred's explanation of using passphrases with unrelated words is good but with the tools nowadays no password can stand up as long as needed. How long is that? The password needs to be uncrackable for the usable life of the data. If that is a draft of the company quarterly financial results that's maybe a month so a password may last that long. But if it's your non-public info, well, that's until you're dead.
     
    Last edited: May 2, 2023
    KR3DX, N0NC and K2CAJ like this.
  8. WQ1C

    WQ1C Ham Member QRZ Page

    My password level is the same as yours, Dave. But your article has made the light bulb (or LED, your choice) come on and gives me an idea of how to strengthen my passwords even more. I'm figuring that "past the end of the universe" should become the strength of my passwords. :D:D But everyone's mileage may vary.

    73 de Warren, WQ1C
    Kempner, Texas / Grid EM11ab
     
  9. KJ7RBS

    KJ7RBS Ham Member QRZ Page

    What about adding a seed prefix to a then shorter site specific password?

    I get that it would weaken all your passwords if the seed was discovered but you would need a human to target you and apply the discovered seed against other websites
     
  10. KQ4GUI

    KQ4GUI Ham Member QRZ Page

    mine would be
    kiloquebecfourgolfuniformindiaKQ4GUI
    That will be strong :)
     
  11. ON3MDR

    ON3MDR Ham Member QRZ Page

    Sorry for my two cents...I NEVER store passwords on a computer, even if it's a password manager. I use an unbreakable system : the lil' black book...still using v 1.0, still needs to be hacked ;)
     
    K2CAJ likes this.
  12. K2CAJ

    K2CAJ XML Subscriber QRZ Page

    There are a lot of advantages to a literal password book. It lets you easily compose very complex and difficult passwords, it lets you easily make every password unique for every site, and depending on the form factor you can carry it with you as easily as you carry a wallet or key chain.

    As a physical book it can't be stolen by malware, you aren't locked in to any site or browser or service, and it's trivial to store or share a backup (photocopy) in a safe for your family.
     
    ON3MDR likes this.
  13. K4FXC

    K4FXC XML Subscriber QRZ Page

    Does anybody really still use plain MD5 to store password hashes? The whole basis of the "scare tactic" article is use of methods that are long obsolete. For fun, crack this password for me! PASS is only 6 characters long!! Very, VERY short! Based on the article, this should be "instantly" crackable!!! I'll even define that the alphabet used is: 0-9a-zA-Z (base62).

    echo $PASS | argon2 4hG0uLsY -id -t 70 -p 10 -m 14
    Type: Argon2id
    Iterations: 70
    Memory: 16384 KiB
    Parallelism: 10
    Hash: 8f32d89b310626d09b0e1626c5d417a31a2a84883b7bf400c36608acb2aeec09
    Encoded: $argon2id$v=19$m=16384,t=70,p=10$NGhHMHVMc1k$jzLYmzEGJtCbDhYmxdQXoxoqhIg7e/QAw2YIrLKu7Ak

    Any takers?

    73, David K4FXC
     
    Last edited: May 13, 2023
  14. PD0JBV

    PD0JBV Ham Member QRZ Page

    Like KeePassCX. Works platform independent with local database or stored in own cloud solution instead of supplier. Password managers independent of your operating system also ensure that not all your eggs are in one basket. When Google, Microsoft or Apple close your account for whatever reason, you can always access the data, ... for this you must have saved the password protected backup file in several places.
     
    Last edited: May 21, 2023
    ON3MDR likes this.

Share This Page

ad: M2Ant-1