Author Topic: Password Managers ... vs. Not (Read 14890 times)

wraith808 · « **on:** June 02, 2017, 04:46 PM »

An Interesting Article for discussion.

Password managers don't have to be perfect, they just have to be better than not having one (via Troy Hunt)

I never could figure out how to argue why I have a password manager, and why I stay with Lastpass. He argues it very well, I think. The best password is one that you can't remember. And if you can't remember, there are several ways to augment your memory. And all of those ways are going to have security problems if attacked consistently.

So what do you do?

MilesAhead · « **Reply #1 on:** June 03, 2017, 07:53 AM »

It seems the entire premise of using unmemorable passwords is that if the password is easy to remember, then it is likely made up of common words. Therefore it is vulnerable to dictionary attack. I have a couple of questions

1) Why is the server allowing thousands of attempts on your account so that the entire dictionary is traversed until a successful hit is achieved?

2) What is to stop the dictionary attackers from just using permutations of numbers and letters just like the unmemorable password generators produce? If the server is going to allow thousands of logon attempts to the same account why not just brute force it?

Lately there seems to be a tendency to make using the internet and computers generally nearly more of a pain in the ass than it is worth. Especially with phone logon it is a real pita to have to fat finger passwords with mixed case letters plus numbers and funky symbols. It just seems like it is getting to the point where everyone can get into my account but me.

Anyone else have that feeling?

mouser · « **Reply #2 on:** June 03, 2017, 11:03 AM »

I can't imagine not using a password manager. It is essential. Just remember one long password and then use the app to create a unique password for every site.
People that don't use password managers seem to inevitably use the same password on different sites, which is a major risk.
I love not having to remember passwords.

cranioscopical · « **Reply #3 on:** June 03, 2017, 07:37 PM »

The thing that makes me shudder is that online password managers are such a juicy target. In just the past few days one succumbed to an attack and was plundered.

mouser · « **Reply #4 on:** June 03, 2017, 08:21 PM »

Yeah I don't use an online synchronizing password manager, though I understand their appeal for folks who travel around a lot and use multiple devices, etc.

wraith808 · « **Reply #5 on:** June 03, 2017, 09:46 PM »

The thing that makes me shudder is that online password managers are such a juicy target. In just the past few days one succumbed to an attack and was plundered.

-cranioscopical (June 03, 2017, 07:37 PM)

It happens. Just because it's not perfect doesn't mean that they are not better than the alternative.

Tuxman · « **Reply #6 on:** June 04, 2017, 08:48 AM »

Data you store on other people's computers can and will eventually be read by other people.

dr_andus · « **Reply #7 on:** June 04, 2017, 09:33 AM »

Data you store on other people's computers can and will eventually be read by other people.
-Tuxman (June 04, 2017, 08:48 AM)

But you got to balance that with the risk of catastrophic hardware or software failure at your end, at which point you'd lose access to everything (let's say fire or flooding that destroys both your main PC and your local backup harddrives). I'd rather risk the former than the latter.

f0dder · « **Reply #8 on:** June 04, 2017, 09:37 AM »

1) Why is the server allowing thousands of attempts on your account so that the entire dictionary is traversed until a successful hit is achieved?
-MilesAhead (June 03, 2017, 07:53 AM)

Rate-limiting the service doesn't help if hackers are able to exploit servers and snatch the entire (encrypted) database and do offline attacks.

2) What is to stop the dictionary attackers from just using permutations of numbers and letters just like the unmemorable password generators produce? If the server is going to allow thousands of logon attempts to the same account why not just brute force it?
-MilesAhead (June 03, 2017, 07:53 AM)

Plain bruteforcing has to search a much bigger keyspace than a smart dictionary-based attack.

Lately there seems to be a tendency to make using the internet and computers generally nearly more of a pain in the ass than it is worth. Especially with phone logon it is a real pita to have to fat finger passwords with mixed case letters plus numbers and funky symbols. It just seems like it is getting to the point where everyone can get into my account but me.
-MilesAhead (June 03, 2017, 07:53 AM)

Your definition of worth is probably different from other people's. Getting key email accounts breached could be enough to cause severe financial harm for some companies, or even death for individuals.

Proper 2-factor authentication is one of the most effective ways to stay safe even in the face of password breaches. I'm pretty happy about services that offer YubiKey (or other FIDO device) with Google Auth (or other TOTP app) as backup.

Tuxman · « **Reply #9 on:** June 04, 2017, 09:37 AM »

If you, for any valid or not-so-valid reason, insist on using passwords you can not remember without technical support (ref. xkcd) and you plan to store them on other people's computers, you are the one in charge to make sure that everything is safely encrypted. Nobody but you should have a key for the decryption - because if there is a key stored on somebody else's computer... well, see LastPass's numerous "incidents".

Dormouse · « **Reply #10 on:** June 04, 2017, 05:13 PM »

I'm gradually switching systems again.
I still use Lastpass; it is very convenient, but I have never stored passwords to my financial accounts on it. It has a very long password that isn't stored anywhere but I can derive fairly quickly.
I am switching back to browsers for passwords for sites that don't store any of my personal or sensitive information (just email addresses). I don't always want Lastpass enabled.
I have a password manager on my computer (with copy on my mobile) with a very secure password that isn't written anywhere. Both phone and computer are encrypted. I am switching more to this.
It's not complete security. But is my current balance between convenience and security - or it will be when I have completed the transition and checked everything out.

x16wda · « **Reply #11 on:** June 04, 2017, 07:22 PM »

I put what I can into Lastpass. But any sensitive passwords aren't saved there - I just use Secure Notes named as hints to the site to save hints that allow me to remember the correct password. In the end, one ~~ring~~ password to rule them all, on multiple devices, is just too darned convenient. Seductive. Especially for the permanently exhausted who might otherwise look at alternatives more closely.

MilesAhead · « **Reply #12 on:** June 05, 2017, 06:57 AM »

Plain bruteforcing has to search a much bigger keyspace than a smart dictionary-based attack.
-f0dder (June 04, 2017, 09:37 AM)

See your previous comment about off line attach modes.

f0dder · « **Reply #13 on:** June 05, 2017, 11:02 AM »

Plain bruteforcing has to search a much bigger keyspace than a smart dictionary-based attack.
-f0dder (June 04, 2017, 09:37 AM)
See your previous comment about off line attach modes.
-MilesAhead (June 05, 2017, 06:57 AM)

I'm not sure what you're trying to say here? I thought you were wondering why "unmemorable passwords" were any better?

MilesAhead · « **Reply #14 on:** June 05, 2017, 04:30 PM »

Plain bruteforcing has to search a much bigger keyspace than a smart dictionary-based attack.
-f0dder (June 04, 2017, 09:37 AM)
See your previous comment about off line attach modes.
-MilesAhead (June 05, 2017, 06:57 AM)
I'm not sure what you're trying to say here? I thought you were wondering why "unmemorable passwords" were any better?
-f0dder (June 05, 2017, 11:02 AM)

My point was that although passwords that are made of actual words were more vulnerable than those "secure" generated ones, if you do not limit the number of attempts at cracking them then nothing is secure. Also the same thing applies to hijacking the encrypted database. If the brute force method can be applied offline then just because the passwords have no vowels and some numbers and symbols sprinkled in that will not long delay the cracking. Especially with cheap computing power. Seems to me setting delays on IPs and domains generating invalid logon attempts would be more secure.

Then the main worry might be somebody flubbing logins to your account just to get it shut off for a time. Kind of a perverted denial of access. But even then there should be some indication where the attack is coming from.

To me it is similar to these fast food joints where you have to hop skip and jump to their "system" in order to place your order. When everything is owned by four holding companies there is less "competition" and customer service than when Mom and Pop have to worry you will go around saying their service sucks at their one variety store. This seems to be analogous to the online situation these days. You have to include uppercase letters, lower case letters, punctuation and numbers, plus pass gas twice, in order t log on. IOW, it stinks for a reason.

Tuxman · « **Reply #15 on:** June 05, 2017, 04:32 PM »

passwords that are made of actual words were more vulnerable than those "secure" generated ones
-MilesAhead (June 05, 2017, 04:30 PM)

They are not.

f0dder · « **Reply #16 on:** June 06, 2017, 02:44 AM »

My point was that although passwords that are made of actual words were more vulnerable than those "secure" generated ones, if you do not limit the number of attempts at cracking them then nothing is secure. Also the same thing applies to hijacking the encrypted database. If the brute force method can be applied offline then just because the passwords have no vowels and some numbers and symbols sprinkled in that will not long delay the cracking.
-MilesAhead (June 05, 2017, 04:30 PM)

That is wrong, though - and it all comes down to the number of guesses you have to make.

Assuming a dictionary of ~171k enlighs words and stringing five of them together (one more word than XKCD's Correct Horse Battery Staple) gives 171000^5 permutations. I don't know what the average word length is, but let's be (very) generous to the string-words-together method and compare to a 20-character random string of base64 alphabet - which gives 64^20 permutations. That's 9.091.152.181 times as many password attempts.

Of course the above is simplistic, and you can do things like uppercasing and other character manipulations - but an extended alphabet will always require (quiiiite a bit) more effort for a string of the same length.

Seems to me setting delays on IPs and domains generating invalid logon attempts would be more secure.
-MilesAhead (June 05, 2017, 04:30 PM)

False dilemma - using secure passphrases doesn't remove rate limiting. And while rate limiting definitely should be implemented, it only protects against remote bruteforcing of the lamest of lame passwords. Strong passwords guard against offline attacks.

Stoic Joker · « **Reply #17 on:** June 06, 2017, 06:34 AM »

@MilesAhead - I hear ya man ... Some of this stuff - necessary as it may be - is just a flat-out royal pain-in-the-ass.

MilesAhead · « **Reply #18 on:** June 06, 2017, 07:02 AM »

@MilesAhead - I hear ya man ... Some of this stuff - necessary as it may be - is just a flat-out royal pain-in-the-ass.
-Stoic Joker (June 06, 2017, 06:34 AM)

If you hear the phrase "for your protection" you know it's going to be shoved sideways.

MilesAhead · « **Reply #19 on:** June 06, 2017, 07:06 AM »

Of course the above is simplistic, and you can do things like uppercasing and other character manipulations - but an extended alphabet will always require (quiiiite a bit) more effort for a string of the same length.
-f0dder (June 06, 2017, 02:44 AM)

I'm sure that technically you have foundation for your argument(s). But people live day to day fine with getting home from work and using a house key to get into their house/condo/apartment. It does not stress them that a guy with a couple of battery powered drills can drill out the front door lock in about 30 seconds if he has practiced the procedure. But the owner/renter can get in his own place in the most likely event terrorists are not waiting inside. There's a balance point past which the customer exists to serve the service instead of the other way around. We have already tipped the scales in many areas.

f0dder · « **Reply #20 on:** June 06, 2017, 10:21 AM »

Of course the above is simplistic, and you can do things like uppercasing and other character manipulations - but an extended alphabet will always require (quiiiite a bit) more effort for a string of the same length.
-f0dder (June 06, 2017, 02:44 AM)
I'm sure that technically you have foundation for your argument(s). But people live day to day fine with getting home from work and using a house key to get into their house/condo/apartment. It does not stress them that a guy with a couple of battery powered drills can drill out the front door lock in about 30 seconds if he has practiced the procedure. But the owner/renter can get in his own place in the most likely event terrorists are not waiting inside.
-MilesAhead (June 06, 2017, 07:06 AM)

I'm sorry, but that is a silly attempt at an analogy.

Getting your credentials leaked is a very real risk - just look at the monster breaches various big sites have had over the last few years. You really should consider your password hashes to have been breached, and better hope you haven't used any sites negligent enough to use weak hashing (or no hashing at all, or reversible encryption instead of hashing).

So you need to pick your passphrases under the assumption that it will be suffering an offline attack.

There's a balance point past which the customer exists to serve the service instead of the other way around. We have already tipped the scales in many areas.
-MilesAhead (June 06, 2017, 07:06 AM)

Password hygiene has nothing to do with "customer serving the service", but you're right that there's a balance - that balance is between how much effort you put into securing credentials for Site X vs. how much it would hurt if that set of credentials are breached.

For most people, getting facebook or their primary email account taken over can lead to a lot of hurt.

Using a password manager to have unique, strong passwords per-site really isn't much of a hassle. Adding 2-factor authentication is a minor annoyance, but it's worth doing for "primary" accounts like mail, facebook, github and the likes.

cranioscopical · « **Reply #21 on:** June 06, 2017, 10:28 AM »

If you hear the phrase "for your protection" you know it's going to be shoved sideways.
-MilesAhead (June 06, 2017, 07:02 AM)

I use passwords wherever I go; it's the only password I can remember.

MilesAhead · « **Reply #22 on:** June 06, 2017, 11:39 AM »

Password hygiene has nothing to do with "customer serving the service", but you're right that there's a balance - that balance is between how much effort you put into securing credentials for Site X vs. how much it would hurt if that set of credentials are breached.

-f0dder (June 06, 2017, 10:21 AM)

I disagree. By insisting on funky characters that make you shift mode on touch keyboards they can always say you made a typo when entering. Even if they are the ones who changed what you typed. It amounts to asking the service provider for permission to use your own account. Just like you have to ask the bank for permission to access your own money. It is kind of like the rulers calling themselves "public servants." Talk about cynicism. Oh yeah, billionaires just shell out millions of their own $$ to "serve" others. Right!

wraith808 · « **Reply #23 on:** June 06, 2017, 11:54 AM »

Password hygiene has nothing to do with "customer serving the service", but you're right that there's a balance - that balance is between how much effort you put into securing credentials for Site X vs. how much it would hurt if that set of credentials are breached.

-f0dder (June 06, 2017, 10:21 AM)

I disagree. By insisting on funky characters that make you shift mode on touch keyboards they can always say you made a typo when entering. Even if they are the ones who changed what you typed. It amounts to asking the service provider for permission to use your own account. Just like you have to ask the bank for permission to access your own money. It is kind of like the rulers calling themselves "public servants." Talk about cynicism. Oh yeah, billionaires just shell out millions of their own $$ to "serve" others. Right!

-MilesAhead (June 06, 2017, 11:39 AM)

You do have to follow rules to access your own money at banks. And though it is inconvenient, one would find it more inconvenient if their credentials are breached, and want to hold the institution liable. This has been a slow progression as more and more sites are breached. And what is this changed what you typed bit? I've never had that happen.

f0dder · « **Reply #24 on:** June 06, 2017, 01:13 PM »

I disagree. By insisting on funky characters that make you shift mode on touch keyboards they can always say you made a typo when entering. Even if they are the ones who changed what you typed. It amounts to asking the service provider for permission to use your own account.
-MilesAhead (June 06, 2017, 11:39 AM)

What on earth are you on about?