Passwords & Passphrases
Member of the Belgrade hackerspace (HKLBGD) Sunday crypto workshop.
Writing for the Libre online magazine (FLOSS)
Name: Simovi Petar
I study computer science at the Faculty of Mathematics, University of Belgrade
Agenda
Introduction to passwords and pass phrases
Measuring password/pass phrase strength
Service consumers handling secrets: why passwords might be dead
Password hacking: phishing, brute force, social engineering
Alternative methods of authentication
What's wrong with my P4$$w0rd?
Very weak & easy to remember. Replacing 's' and 'o' with '$' and '0' won't help you much.
Or hard to remember & secure
So users reuse them
And if not random -> social engineering guessing. People are not very good at creating truly random passwords; even more, they are a species of patterns. And it is hard to remember dozens of different nonsense passwords with numbers and special characters.
Password security blanket 1k
Lorrie Faith Cranor
Most used Pa$$s0rds
So, what is a pass phrase?
Short answer: it is just a phrase.
Long answer: it contains a few words, not necessarily from a dictionary; the words should be picked at random, not from a book or website.
What are good and secure pass phrases?
How to generate them?
Secure pass phrase?
pass-phrase1 pass-phrase2 pass-phrase3
My pass phrase is hard to guess
Correct horse battery staple
red cross healty pharmacy medicine
yeti permutes kilobyte visas skin
red green blue cyan magenta yellow
police gun cuffs undercover sherif
Pass phrase advantages
Easier to create (maybe not for humans)
Easier to remember
So no need for writing it down or using password managers
Harder to automate attacks against [verb adjective noun?]; if done right, only brute force is left
More secure?
...
Diceware
Method for manually generating pass phrases
Why? PRNG compromised, or just paranoid?
How? Diceware wordlist, dice, paper and pen http://goo.gl/swgFz
Entropy: Shannon entropy
log2(character set size ^ password length) = password length × log2(character set size), assuming every character is chosen uniformly at random
For example: an 8-character password drawn from all 94 possible characters: a-z (26), A-Z (26), 0-9 (10), and ~!@#$%^&*()_-+={[}]|\":;?/>
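The following script is an added example, not code from the talk or the Diceware project. It puts the two preceding slides together: the entropy formula above for both random character passwords and random word pass phrases, and the Diceware lookup (five dice read as a base-6 index into a 7776-word list). The dice are simulated with Python's `secrets` module, which is exactly the PRNG dependency the manual method avoids; the simulation is here to check the index arithmetic, not to replace physical dice. `TOY_WORDLIST` is a constructed 36-word list (two dice) so the script runs offline; the same code generalises to the real 6^5-word list. All function names are the example's own.

```python
import math
import secrets


def roll_dice(n_dice: int) -> str:
    """Simulate n fair six-sided dice with the OS CSPRNG; returns e.g. '31652'.

    Real Diceware rolls physical dice precisely so that no PRNG has to be trusted.
    """
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def roll_to_index(roll: str) -> int:
    """Read a dice string as a base-6 number: '11111' -> 0, '66666' -> 7775."""
    index = 0
    for digit in roll:
        face = int(digit)
        if not 1 <= face <= 6:
            raise ValueError(f"invalid die face {digit!r}")
        index = index * 6 + (face - 1)
    return index


def dice_per_word(wordlist_size: int) -> int:
    """Dice needed per word; the list must hold exactly 6**n words (7776 -> 5)."""
    n = round(math.log(wordlist_size, 6))
    if 6 ** n != wordlist_size:
        raise ValueError("wordlist size must be a power of 6 for unbiased dice lookup")
    return n


def generate_passphrase(wordlist: list[str], n_words: int = 5) -> str:
    """Pick n_words uniformly at random from wordlist via simulated dice rolls."""
    n_dice = dice_per_word(len(wordlist))
    return " ".join(wordlist[roll_to_index(roll_dice(n_dice))] for _ in range(n_words))


def password_entropy_bits(charset_size: int, length: int) -> float:
    """log2(charset_size ** length); valid only if every character is uniform random."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(wordlist_size: int, n_words: int) -> float:
    """Same formula with words as the symbols: log2(wordlist_size ** n_words)."""
    return n_words * math.log2(wordlist_size)


# Constructed toy list of 6**2 = 36 words (two dice per word), for offline runs only.
TOY_WORDLIST = [
    "apple", "banana", "cactus", "dragon", "eagle", "forest",
    "garden", "harbor", "island", "jungle", "kettle", "lemon",
    "meadow", "needle", "orange", "pepper", "quartz", "river",
    "saddle", "timber", "umbrella", "violet", "walnut", "yellow",
    "zebra", "anchor", "bridge", "candle", "desert", "ember",
    "falcon", "glacier", "hammer", "ivory", "jacket", "kernel",
]
DICEWARE_LIST_SIZE = 6 ** 5  # the standard Diceware list has 7776 words


if __name__ == "__main__":
    print("8 chars from 94-symbol set:", round(password_entropy_bits(94, 8), 2), "bits")
    for n in (4, 5, 6):
        bits = passphrase_entropy_bits(DICEWARE_LIST_SIZE, n)
        print(f"{n} Diceware words:", round(bits, 2), "bits")
    print("toy list, 4 words:", generate_passphrase(TOY_WORDLIST, 4),
          f"({passphrase_entropy_bits(len(TOY_WORDLIST), 4):.2f} bits)")
```

The numbers make the slide's claim concrete: five words from the 7776-word list give more entropy than an 8-character password over all 94 printable characters, and the toy 36-word list shows why list size matters (each word contributes only log2(36) bits). The entropy figures hold only when the choice is uniform; a phrase picked from a book or from memory gets no such guarantee.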