diceware_presentation/slides.rst

Surviving phishing
------------------
Password reuse, password managers and strong passwords
======================================================
Why is Password Reuse a Problem?
--------------------------------
.. image:: password_reuse_1.png
   :height: 6.5cm

Consider the following hypothetical users that reuse a strong password in
most places:

+-------------------+--------------------------+
| User              | Password                 |
+===================+==========================+
| Sucker1@gmail.com | QUo5Qt+1Wa/Q1smDJRDbFg== |
+-------------------+--------------------------+
| Sucker2@gmail.com | +9Hz+/20rVkSkbcsmgdVFw== |
+-------------------+--------------------------+
| Sucker3@gmail.com | wnYkRcbi7Kkh7Fx2uR8EeA== |
+-------------------+--------------------------+

About password strength
-----------------------

How is strength measured?
=========================
'Entropy' `s` depends on the size of the alphabet `a` and the length `n` of the 
password:

.. math:: 
        s = log_2(a^n)

* 0889234877724602 -> 53 bits
* ZeZJieatdH -> 60 bits

Why are weak passwords problematic?
===================================
Weak passwords are trivial to crack in many situations. A password with 53 bits
may be cracked by a criminal organisation in less than an hour.


What about strong passwords?
============================
They are difficult to remember, a problem especially when you use a different 
strong password for every service.  You are also tempted to write them down, or 
reuse them.

It's surprisingly difficult for humans to generate good passwords!

A strong password, as of 2019, has at least 80 bits of entropy.

Password Managers to the Rescue!
--------------------------------
Password managers allow you to create a unique and strong password for every
service.

Additional benefits:

* Remembers passwords for you
* Generates passwords for you
* Automagically fills in passwords on websites for you, this is important!
* Makes passwords available on all your configured devices
* Can store additional related data, usernames, answers to security questions,
  pins for debit/credit cards

Any of the mainstream password manager is equivalent in the above respects.

Can you trust password managers?
--------------------------------
Yes*

How do they keep passwords secure?
----------------------------------
1. User supplies a password
2. The password is used to derive an encryption key.  This process is designed
   to be slow, even on modern hardware
3. The so generated encryption key is used to encrypt/decrypt your passwords

Note that the security of the encryption depends on the strengh of your
password.  With a poor password (50 bits), it would take the entire computing 
power of the world less than a month to crack the database. With a decent ish 
password (60 bits), it would take on the order of 50 years on average.  With a 
better password (70 bits), it would take on the order of 50,000 years.

Generating a Strong Password
----------------------------
Passphrases are better than passwords:

* Tr0ub4dor&3 -> 28 bits of entropy, hard to remember
* correct horse battery stable -> 44 bits of entropy, easy to remember

Use passphrases everywhere you have to remember.

Generate passphrases with Diceware
==================================
1. Roll 5, 6 sided, *physical* dice
2. Read the numbers left to right
3. Find the word with that number on a list 6^5 (7776) words
4. Repeat until desired length is reached.  For a password manager, use at 
   least 7.
5. Write down your passphrase on paper and keep it somewhere secure
6. If you are 100% confident that you will not forget the passphrase, destroy
   the paper by burning

What about phishing?
====================
A password manager worth it's salt will refuse to fill out a password on a 
different website, for instance faceb00k.com vs facebook.com

Using different passwords on every service limits your vulnerability even if 
phishing is successful

Other advice
------------
In no particular order:

* Only log in on webpages that you navigated to by typing in the url yourself,
  by searching on google, duckduckgo or some other reputable search engine or 
  from a bookmark
* Only log in to webpages that are
Start explaining dangers of password reuse 2019-05-31 10:07:51 +01:00			`Surviving phishing`
			`------------------`
			`Password reuse, password managers and strong passwords`
			`======================================================`
Add content for slides 2019-05-30 13:43:56 +01:00			`Why is Password Reuse a Problem?`
			`--------------------------------`
			`.. image:: password_reuse_1.png`
Start explaining dangers of password reuse 2019-05-31 10:07:51 +01:00			`:height: 6.5cm`

			`Consider the following hypothetical users that reuse a strong password in`
			`most places:`

			`+-------------------+--------------------------+`
			`\| User \| Password \|`
			`+===================+==========================+`
			`\| Sucker1@gmail.com \| QUo5Qt+1Wa/Q1smDJRDbFg== \|`
			`+-------------------+--------------------------+`
			`\| Sucker2@gmail.com \| +9Hz+/20rVkSkbcsmgdVFw== \|`
			`+-------------------+--------------------------+`
			`\| Sucker3@gmail.com \| wnYkRcbi7Kkh7Fx2uR8EeA== \|`
			`+-------------------+--------------------------+`
Add content for slides 2019-05-30 13:43:56 +01:00
			`About password strength`
			`-----------------------`
Start explaining dangers of password reuse 2019-05-31 10:07:51 +01:00
Add content for slides 2019-05-30 13:43:56 +01:00			`How is strength measured?`
			`=========================`
			'Entropy' `s` depends on the size of the alphabet `a` and the length `n` of the
			`password:`

			`.. math::`
			`s = log_2(a^n)`

			`* 0889234877724602 -> 53 bits`
			`* ZeZJieatdH -> 60 bits`

			`Why are weak passwords problematic?`
			`===================================`
			`Weak passwords are trivial to crack in many situations. A password with 53 bits`
			`may be cracked by a criminal organisation in less than an hour.`


			`What about strong passwords?`
			`============================`
			`They are difficult to remember, a problem especially when you use a different`
			`strong password for every service. You are also tempted to write them down, or`
			`reuse them.`

			`It's surprisingly difficult for humans to generate good passwords!`

Start explaining dangers of password reuse 2019-05-31 10:07:51 +01:00			`A strong password, as of 2019, has at least 80 bits of entropy.`

Add content for slides 2019-05-30 13:43:56 +01:00			`Password Managers to the Rescue!`
			`--------------------------------`
			`Password managers allow you to create a unique and strong password for every`
			`service.`

			`Additional benefits:`

			`* Remembers passwords for you`
			`* Generates passwords for you`
			`* Automagically fills in passwords on websites for you, this is important!`
			`* Makes passwords available on all your configured devices`
			`* Can store additional related data, usernames, answers to security questions,`
			`pins for debit/credit cards`

			`Any of the mainstream password manager is equivalent in the above respects.`

			`Can you trust password managers?`
			`--------------------------------`
			`Yes*`

			`How do they keep passwords secure?`
			`----------------------------------`
			`1. User supplies a password`
			`2. The password is used to derive an encryption key. This process is designed`
			`to be slow, even on modern hardware`
			`3. The so generated encryption key is used to encrypt/decrypt your passwords`

			`Note that the security of the encryption depends on the strengh of your`
			`password. With a poor password (50 bits), it would take the entire computing`
			`power of the world less than a month to crack the database. With a decent ish`
			`password (60 bits), it would take on the order of 50 years on average. With a`
			`better password (70 bits), it would take on the order of 50,000 years.`

			`Generating a Strong Password`
			`----------------------------`
			`Passphrases are better than passwords:`

			`* Tr0ub4dor&3 -> 28 bits of entropy, hard to remember`
			`* correct horse battery stable -> 44 bits of entropy, easy to remember`

			`Use passphrases everywhere you have to remember.`

			`Generate passphrases with Diceware`
			`==================================`
			`1. Roll 5, 6 sided, physical dice`
			`2. Read the numbers left to right`
			`3. Find the word with that number on a list 6^5 (7776) words`
			`4. Repeat until desired length is reached. For a password manager, use at`
			`least 7.`
			`5. Write down your passphrase on paper and keep it somewhere secure`
			`6. If you are 100% confident that you will not forget the passphrase, destroy`
			`the paper by burning`
Start explaining dangers of password reuse 2019-05-31 10:07:51 +01:00
			`What about phishing?`
			`====================`
			`A password manager worth it's salt will refuse to fill out a password on a`
			`different website, for instance faceb00k.com vs facebook.com`

			`Using different passwords on every service limits your vulnerability even if`
			`phishing is successful`

			`Other advice`
			`------------`
			`In no particular order:`

			`* Only log in on webpages that you navigated to by typing in the url yourself,`
			`by searching on google, duckduckgo or some other reputable search engine or`
			`from a bookmark`
			`* Only log in to webpages that are`