[ale] OT - making really strong pass phrases - was New encryption technology using a piece of paper

Scott Castaline skotchman at gmail.com
Wed Sep 7 15:04:00 EDT 2011


Hey JD, you forgot a possible 4th time.
If you use LUKS/dmcrypt on all but /boot fs you need to remember the 
pass phrase for that so that you can boot, login and then open your 
password manager. So that's 3 just to get started.

On 09/07/2011 10:24 AM, JD wrote:
> On 09/06/2011 11:15 PM, Tim Watts wrote:
>> Interesting stuff. Unless I'm misunderstanding this, these times only
>> apply under the assumed conditions (multiple 1-4 char words etc.). If
>> the off-line attackers only have say a 256-bit hash of your
>> password/phrase then they have no rational basis to make these
>> assumptions. Depending on the attacker's degree of motivation and
> Yes, this is all interesting, but there seems to be a really simple
> answer that has been used for years.
>
> Please find a realistic flaw in my method.
>
> Use a password manager that supports long, random, generated passwords.
>
> Certainly my 55 character, computer generated, passwords with large
> alphabets are more secure than anything shorter made up of words.  Every
> login/password is different (within reason). Inside the network, ssh
> keys are used, so those passwords don't get in the way. Using this
> technique for all but 3 of your passwords seems the best case answer to me.
>
> All but 3 passwords?  Huh?
>
> There will always be a few passwords / passphrases that we need to
> memorize. These are for systems you need access to **before** you can
> access the password manager program and encrypted database.
>
> 1) Login to your work desktop.
> 2) Password Manager passphrase
> 3) Login to your home desktop, cell phone, or other portable devices.
>
> Those 3 passwords need to be secure enough, which depends on your data
> and access sensitivity. If your laptop has access to all your servers
> without any challenges, then it needs to be highly secure.
>
> KeePassX http://www.keepassx.org/ is cross platform, F/LOSS, and
> supports the KeePass v1.x database. There are versions for Linux,
> Windows, OSX, Android, Nokia Maemo and probably others. Between KeePass
> and KeePassX, you are probably covered. The password database is
> encrypted. I use the "autotype" facility, which probably breaks all
> sorts of security rules, but it is the only way I can type some of these
> passphrases.  It is the only realistic way I can access my GPG keys for
> encrypted email.
>
> Every online account has a long, complex, unrecallable, untypeable,
> password. To me, it doesn't matter if the password is 15, 55 or 100
> characters.  I'm not gonna type or remember them, so I use the longest,
> most complex supported by the system or 55 characters by default.  There
> is no substitute for length, assuming the alphabet is the same.
>
> I'm nervous about using anything labeled as "new encryption technology"
> on my systems. Time will tell if these "new" ideas really are secure at
> all. Let me know how that works out in 2-3 years.  Being an "early
> adopter" for encryption seems like a really bad idea to me.
>
>
>
> Are you using strong encryption for all your portable devices? Without
> it (and maybe with it), your password doesn't matter. Physical access is
> everything.
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo


