More warnings about phishing
parent
d37458b97c
commit
609ddda2b0
1 changed files with 52 additions and 24 deletions
slides.rst
@ -8,17 +8,25 @@ Why is Password Reuse a Problem?
:height: 6.5cm

Consider the following hypothetical users that reuse a strong password in
most places:
most places and the following common scenario:

+-------------------+--------------------------+
+------------------+--------------------------+
| User | Password |
+===================+==========================+
| Sucker1@gmail.com | QUo5Qt+1Wa/Q1smDJRDbFg== |
+-------------------+--------------------------+
| Sucker2@gmail.com | +9Hz+/20rVkSkbcsmgdVFw== |
+-------------------+--------------------------+
| Sucker3@gmail.com | wnYkRcbi7Kkh7Fx2uR8EeA== |
+-------------------+--------------------------+
+==================+==========================+
| mark1@gmail.com | QUo5Qt+1Wa/Q1smDJRDbFg== |
+------------------+--------------------------+
| mark2@gmail.com | +9Hz+/20rVkSkbcsmgdVFw== |
+------------------+--------------------------+
| mark3@gmail.com | wnYkRcbi7Kkh7Fx2uR8EeA== |
+------------------+--------------------------+

#. User registers an account with a careless service, eg Facebook, Yahoo,
Google, Equifax etc. etc.
#. The service is hacked and the password database is leaked
#. The hacker logs in to the email accounts
#. The hacker resets passwords on all important accounts tied to that email
address


About password strength
-----------------------
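Review bot: the `| User | Password |` header row is shown as unchanged context while both borders of the new table are one character narrower (`+------------------+` and `+==================+` against the old `+-------------------+` and `+===================+`); unless that header row was shortened as well, the first column no longer lines up and docutils will reject the grid table as malformed, so please check the column widths of that row. The scenario also skips the step that makes the reuse argument: it goes straight from "the password database is leaked" to "The hacker logs in to the email accounts" without saying that the leaked passwords are readable (stored in the clear or cracked from weak hashes) and that the email account uses the same password. Suggest a step between 2 and 3 along the lines of "#. The hacker cracks or reads the leaked passwords and tries each one against the matching email account". Minor: "eg" should be "e.g." and "etc. etc." can be a single "etc.".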
@ -73,15 +81,24 @@ Yes*
How do they keep passwords secure?
----------------------------------
1. User supplies a password
2. The password is used to derive an encryption key. This process is designed
to be slow, even on modern hardware
3. The so generated encryption key is used to encrypt/decrypt your passwords
2. A slow function derives an encryption key
3. The encryption key is used to encrypt/decrypt your passwords

Note that the security of the encryption depends on the strengh of your
password. With a poor password (50 bits), it would take the entire computing
power of the world less than a month to crack the database. With a decent ish
password (60 bits), it would take on the order of 50 years on average. With a
better password (70 bits), it would take on the order of 50,000 years.
Security of the encryption depends on the strengh of your
password:

+---------+------------------------+
| Entropy | Time to crack, |
| | assuming 1 second per |
| | attempt per typical |
| | CPU |
+=========+========================+
| 50b | < 1 Month |
+---------+------------------------+
| 60b | ~ 50 Years |
+---------+------------------------+
| 70b | ~ 50,000 yers |
+---------+------------------------+

Generating a Strong Password
----------------------------
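Review bot: the new table header changes the assumption but keeps the old numbers. The removed paragraph got "less than a month" for 50 bits by assuming "the entire computing power of the world"; the header now reads "assuming 1 second per attempt per typical CPU", and under that assumption 2^50 attempts is about 1.1e15 seconds, which is tens of millions of years on a single CPU, not under a month. Either restore the world-scale assumption in the header (the figures only hold if something like hundreds of millions of CPUs are attacking in parallel) or recompute the column for one CPU. The old text also said "on average", which should survive in the header as "Average time to crack", since the expected cost is half the keyspace. Typos: "strengh" in `Security of the encryption depends on the strengh of your` was carried over from the removed paragraph, and `| 70b | ~ 50,000 yers |` should read "years".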
@ -105,11 +122,13 @@ Generate passphrases with Diceware

What about phishing?
====================
A password manager worth it's salt will refuse to fill out a password on a
different website, for instance faceb00k.com vs facebook.com
* A password manager will refuse to fill out a password on a spoofed website,
for instance faceb00k.com vs facebook.com
* Using different passwords on every service protects all other services even
if phishing is successful on one of them
* Good password managers will navigate to the login page for you, reducing the
risk of spoofed websites

Using different passwords on every service limits your vulnerability even if
phishing is successful

Other advice
------------
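Review bot: "will refuse to fill out a password on a spoofed website" promises more than a password manager delivers. Autofill is matched on the domain (or origin) the browser is on, so faceb00k.com simply gets no suggestion for the facebook.com entry; nothing stops the user from opening that entry and pasting the password by hand, which is exactly what a convincing phishing page asks for, and a phishing form injected into a page on the genuine domain is matched like any other page there. Suggest "will not offer to fill a password on a lookalike domain such as faceb00k.com" plus a short warning that copying the password manually bypasses this protection. Wording: the removed sentence had "worth it's salt" (should be "its"); the replacement bullets are clean in that respect.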
@ -117,5 +136,14 @@ In no particular order:

* Only log in on webpages that you navigated to by typing in the url yourself,
by searching on google, duckduckgo or some other reputable search engine or
from a bookmark
* Only log in to webpages that are
from a bookmark. If after clicking a link in an email you are directed to a
log in page, it's probably a phishing attempt
* Only log in to webpages that are protected by SSL/TLS (HTTPS). Look for a
green address bar, or a green lock icon or similar in your browser
* Use two factor or two step authentication everywhere if possible
* Turn of automatic image rendering. Better still, disable HTML rendering and
authoring entirely
* Be suspicious of *all* emails. Risky things: HTML email, images, unknown
sender, poor spelling/grammer, 'Your email client can't display this email,
click here to view in your browser' or similar attempts to coerce you to click
on things
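Review bot: the HTTPS bullet reads as if the padlock vouches for the site. A certificate only proves the connection is encrypted to whoever controls the domain in the address bar, and phishing domains obtain valid certificates from public CAs at no cost, so faceb00k.com shows the same lock as facebook.com. Suggest rewording `* Only log in to webpages that are protected by SSL/TLS (HTTPS). Look for a` to say: check that the address bar shows the domain you expect, and treat the lock as necessary but not sufficient. Related, listing "searching on google, duckduckgo" alongside typing the URL or using a bookmark weakens the first bullet, since search results and ads can lead to impostor domains; lead with the bookmark and type-it-yourself advice. Typos: `* Turn of automatic image rendering.` should be "Turn off", and "grammer" should be "grammar". The rendered hunk also shows a line `* Only log in to webpages that are` with nothing after "are", so the source line around "from a bookmark. If after clicking a link in an email" is worth a look to make sure the edit did not leave a dangling fragment.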