[Cryptography] Recommendations in lieu of short AES passphrases

Kevin W. Wall kevin.w.wall at gmail.com
Sun Sep 18 19:51:57 EDT 2016


On Sun, Sep 18, 2016 at 4:26 PM, John Denker <jsd at av8n.com> wrote:
> On 09/18/2016 12:38 PM, Kent Borg opined:
>
>> - Password managers are a bad idea.
>
> Opinions differ on that.  I would argue that they are the
> worst imaginable idea, except for all the known alternatives.
>
> Some of the smartest, most security-conscious folks I know
> use password managers.

I won't claim to be one of those smartest, but I certainly advise
that use for most users who DO end up reusing passwords
across sites because they can't remember them all, which includes
most of us.

>
>> They become an all-eggs-in-one-basket, single-point-of-failure.
>
> Sometimes it is a good idea to put all your eggs someplace
> safe, and watch that place very carefully.  It decreases the
> number of places you have to watch.

Well, technically, you can still separate these passwords into separate
password "safes" and use a different passphrase for each safe. So you can
have one for social media, one for email accounts, one for financial,
one for health, etc. The end result is that you are still down to remembering
only a few passphrases rather than one for each site. You could even use
different password *managers* for each of these "safes" if you insist on
further spreading your risk.

>> Why should we trust them to be both competently written and honestly
>>  written?

A lot of them are open source. You could, if so inclined, review the code
I suppose. Or research them, see if any have had reported vulnerabilities,
etc. and then choose one accordingly. But you probably trust others for
more or less implementing many other more important parts (like your OS
or even the web sites themselves) and it's not practical to review all that
code yourself and much less implement it yourself. So, choose your poison.

> Why should we trust the users to remember a gazillion different
> passphrases, when every study ever done indicates they are not
> very good at that?
>
>> Even if they are perfect,
>
> Nothing is perfect.
>
>> what about some local malware that compromises the machine accessing
>>  them?
>
> Then you're screwed anyway, with or without a password manager.

John is absolutely right. If your laptop / desktop / mobile device is
compromised, it's already game over.

>> Was it Lastpass that was recently broken? Why will that be the last
>> vulnerability?
>
> Lastpass and four others were found vulnerable in 2014:
>   http://arstechnica.com/security/2014/07/severe-password-manager-attacks-steal-digital-keys-and-data-en-masse/
>

Keep in mind that all 5 of these compromised password managers were ones that
were WEB-based that backed up user passwords to the cloud. That type of password
manager is in some sense more convenient as you *can* (but not *should*) access
them from any device that has Internet access so your passwords become more
portable across your devices. But the major downside of these cloud-storage
password managers is that they create a target rich environment for hackers.
If you only use a password manager that keeps LOCAL copies of your password
or one where you can disable cloud backup, then if a site like lastpass.com,
etc. is compromised, then you won't be affected. And if you need the cloud
storage as a backup, you can always upload them somewhere yourself and even
add an additional layer of encryption using something like OpenPGP or whatever.

> OpenSSL was also found vulnerable in 2014:
>   http://heartbleed.com/
>
> I suggest that rather than giving up on SSL entirely, it makes
> sense to fix the implementation and keep using it.  Ditto for
> password managers.

True; and some password managers allow for stronger forms of authentication
before decrypting your password vault; e.g., PasswordSafe now supports
YubiKey.

>> My advice: Write down passwords on physical paper, obfuscate them
>> slightly, obfuscate what accounts they are for, keep that paper
>> safe!
>
> You've just made yourself -- and all your advisees -- targets for
> muggers, pickpockets, evil maids, shoulder surfers, et cetera.
>
> Also the inconvenience of paper creates pressure to keep passphrases
> short and/or cute, further reducing security.

Yes, I don't think that writing passwords down is a good LONG term or
scalable strategy, but it does work well if you have to unexpectedly
change your password or create a password for some new account and
you don't have access to your favorite password manager at the time.
That's much better than choosing a weak password that you are likely
to remember...because even if you remember it, you may forget to go
back and change it to replace it with a stronger password later.

>> - Don't give your password to anyone or anything other than the
>> account you are going to use it for.
>
> IMHO it is security malpractice to transmit passwords *even* to
> the account that is trying to authenticate you.  It would make
> more sense to perform a zero-knowledge proof that you know your
> master password.

Ideally, yes, but unfortunately, that's not how password authentication on
99.9% of the web works. Unless you are referring to web-based password managers.
Not entirely clear.

> Therefore a suggestion:  Don't give your master password to anyone
> or anything other than your password manager (aka ZK proof manager).

But what would be better is if password authentication on the web used
something like ZK or challenge/response, etc. Just don't hold your breath.

> For users who rely on present-generation password managers, the
> incremental burden of a ZK proof manager would be zero, if the
> infrastructure supported it properly.  This in itself is an
> argument in favor of password managers, since it gets people
> moving in the right general direction.

I don't think YubiKey qualifies as ZK, but it's definitely a step up.
And for PasswordSafe (passwordsafe.org), you can use both a passphrase
and YubiKey if you wish.

>> Don't type it on the computer in the hotel lobby.
>
> That's a corollary of the more general rule:
>   If you don't have physical security, you don't have security.

Also, falls under the category of don't be stupid. Checking your Gmail,
FB, Twitter, etc. can wait!

>> Yes, it requires some discipline to record all those passwords,
>
> Study after study has shown that most users don't exhibit that
> kind of discipline.
>
>> If you have easy-to-remember and easy-to-type passwords
>> (farmer-turtle-sardine)
>
> That's too short.

Not to mention that most sites now will require at least 3 out of 4 character
classes (uppercase alpha, lowercase alpha, digits, special characters).

>> you will quickly learn all the ones you frequently use,
>
> All evidence indicates that unaided users will either:
>   a) reuse passphrases,
Yes
>   b) write down passphrases in some insecure way, or
Also likely
>   c) forget passphrases
And even if they don't, most "Forgot password" password recovery mechanisms
are usually a major weak link in this chain anyway. So the hackers
will use that even if you do select a secure password.

>> -kb, the Kent who disagrees with a lot of people on these topics.

Well, how else can one strive to become a curmudgeon? :)

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.

