max/diceware_presentation
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: max:43b2b1f813274c09be56678a4e1eca29eed7c6cf
Branches Tags
max:master
..
compare: max:6f9e7174819f2e0387443abafaa8f27ff7ecdae4
Branches Tags
max:master

No commits in common. "43b2b1f813274c09be56678a4e1eca29eed7c6cf" and "6f9e7174819f2e0387443abafaa8f27ff7ecdae4" have entirely different histories.
43b2b1f813 ... 6f9e717481

6 changed files with 137 additions and 3941 deletions
Show stats Expand all files Collapse all files

4
dark.style
View file

@ -1,6 +1,6 @@
pageSetup: pageSetup:
size: null size: null
width: 12cm width: 16cm
height: 9cm height: 9cm
margin-top: 0cm margin-top: 0cm
margin-bottom: 0cm margin-bottom: 0cm
@ -44,7 +44,7 @@ styles:
table-heading: table-heading:
parent: heading parent: heading
backColor: #666666 backColor: black
alignment : TA_LEFT alignment : TA_LEFT
code: code:

BIN
password_reuse_1.png
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 80 KiB

BIN
password_reuse_2.png
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 65 KiB

BIN
password_reuse_3.png
View file

Binary file not shown.
Side by side

Before

Width:  |  Height:  |  Size: 36 KiB

3787
slides.pdf
View file

File diff suppressed because one or more lines are too long

287
slides.rst
View file

@ -1,175 +1,158 @@
Surviving phishing Plotting with Matplotlib
------------------ ------------------------
Password reuse, password managers and strong passwords
======================================================
.. contents:: :depth: 1
Why is Password Reuse a Problem? Also creating a presentation with rst2pdf
-------------------------------- =========================================
.. image:: password_reuse_1.png
:height: 6.5cm
Consider the following hypothetical users that reuse a strong password in Data Structures
most places and the following common scenario: ---------------
Favour simpler data structures if they do what you need. In order:
+------------------+--------------------------+ #. Built-in Lists
| User | Password | - 2xN data or simpler
+==================+==========================+ - Can't install system dependencies
| mark1@gmail.com | QUo5Qt+1Wa/Q1smDJRDbFg== | #. Numpy arrays
+------------------+--------------------------+ - 2 (or higher) dimensional data
| mark2@gmail.com | +9Hz+/20rVkSkbcsmgdVFw== | - Lots of numerical calculations
+------------------+--------------------------+ #. Pandas series/dataframes
| mark3@gmail.com | wnYkRcbi7Kkh7Fx2uR8EeA== | - 'Data Wrangling', reshaping, merging, sorting, querying
+------------------+--------------------------+ - Importing from complex formats
#. User registers an account with a careless service, eg Facebook, Yahoo, Shamelessly stolen from https://stackoverflow.com/a/45288000
Google, Equifax etc. etc.
#. The service is hacked and the password and email is leaked Loading Data from Disk
#. The hacker logs in to the email account ----------------------
#. The hacker resets passwords on all important accounts tied to that email Natively
address ========
.. code-block:: python
>>> import csv
>>> with open('eggs.csv', newline='') as csvfile:
... spam = csv.reader(csvfile,
... delimiter=' ',
... quotechar='|')
... for row in spam:
... # Do things
... pass
Loading Data from Disk
----------------------
Numpy
=====
.. code-block:: python
>>> import numpy
>>> spam = numpy.genfromtxt('eggs.csv',
... delimiter=' ',
... dtype=None) # No error handling!
>>> for row in spam:
... # Do things
... pass
``numpy.genfromtxt`` will try to infer the datatype of each column if
``dtype=None`` is set.
``numpy.loadtxt`` is generally faster at runtime if your data is well formated
(no missing values, only numerical data or constant length strings)
Loading Data from Disk
----------------------
Numpy NB.
=========
**Remind me to look at some actual numpy usage at the end**
- I think numpy does some type coercion when creating arrays.
- Arrays created by ``numpy.genfromtxt`` can not in general be indexed like
``data[xstart:xend, ystart:yend]``.
- Data of unequal types are problematic! Pandas *may* be a better choice in
that case.
- Specifying some value for ``dtype`` is probably necessary in most cases in
practice: https://docs.scipy.org/doc/numpy/reference/arrays.dtypes.html
Loading Data from Disk
----------------------
Pandas
======
.. code-block:: python
>>> import pandas
>>> # dtype=None is def
>>> spam = pandas.read_csv('eggs.csv',
... delimiter=' ',
... header=None)
>>> for row in spam:
... # Do things
... pass
``header=None`` is required if the flie does not have a header.
About password strength
-----------------------
How is strength measured? Generating Data for Testing
========================= ---------------------------
'Entropy' `s` depends on the size of the alphabet `a` and the length `n` of the
password:
.. math:: Generating the data on the fly with numpy is convenient.
s = log_2(a^n)
* 0889234877724602 -> 53 bits .. code-block:: python
* ZeZJieatdH -> 60 bits
Why are weak passwords problematic? >>> import numpy.random as ran
=================================== >>> # For repeatability
Weak passwords are trivial to crack in many situations. A password with 53 bits >>> ran.seed(7890234)
may be cracked by a criminal organisation in less than an hour. >>> # Uniform [0, 1) floats
>>> data = ran.rand(100, 2)
>>> # Uniform [0, 1) floats
>>> data = ran.rand(100, 100, 100)
>>> # Std. normal floats
>>> data = ran.randn(100)
>>> # 3x14x15 array of binomial ints with n = 100, p = 0.1
>>> data = ran.binomial(100, 0.1, (3, 14, 15))
Plotting Time Series
--------------------
Plot data of the form:
.. math:: y=f(t)
What about strong passwords? Subplots
============================ --------
They are difficult to remember, a problem especially when you use a different
strong password for every service. You are also tempted to write them down, or
reuse them.
It's surprisingly difficult for humans to generate good passwords!
A strong password, as of 2019, has at least 80 bits of entropy.
Password Managers to the Rescue!
--------------------------------
Password managers allow you to create a unique and strong password for every
service.
Additional benefits:
* Remembers passwords for you
* Generates passwords for you
* Automagically fills in passwords on websites for you, this is important!
* Makes passwords available on all your configured devices
* Can store additional related data, usernames, answers to security questions,
pins for debit/credit cards
Any of the mainstream password manager is equivalent in the above respects.
Can you trust password managers?
--------------------------------
Yes*
How do they keep passwords secure?
----------------------------------
1. User supplies a password
2. A slow function derives an encryption key
3. The encryption key is used to encrypt/decrypt your passwords
Security of the encryption depends on the strengh of your
password:
+---------+------------------------+
| Entropy | Time to crack, |
| | assuming 1 second per |
| | attempt per typical |
| | CPU |
+=========+========================+
| 50b | < 1 Month |
+---------+------------------------+
| 60b | ~ 50 Years |
+---------+------------------------+
| 70b | ~ 50,000 yers |
+---------+------------------------+
Generating a Strong Password
----------------------------
Passphrases are better than passwords:
* Tr0ub4dor&3 -> 28 bits of entropy, hard to remember
* correct horse battery stable -> 44 bits of entropy, easy to remember
If you have to remember it, use a passphrase.
Generate passphrases with Diceware_
===================================
1. Roll 5, 6 sided, *physical* dice
2. Read the numbers left to right
3. Find the word with that number on a list 6^5 (7776) words
4. Repeat until desired length is reached. For a password manager, use at
least 7.
5. Write down your passphrase on paper and keep it somewhere secure
6. If you are 100% confident that you will not forget the passphrase, destroy
the paper by burning
What about phishing?
====================
* A password manager will refuse to fill out a password on a spoofed website,
for instance faceb00k.com vs facebook.com
* Using different passwords on every service protects all other services even
if phishing is successful on one of them
* Good password managers will navigate to the login page for you, reducing the
risk of spoofed websites
Other advice Saving Plots
------------ ------------
In no particular order:
* Only log in on webpages that you navigated to by typing in the url yourself, So far I've just displayed plots with ``plt.show()``. You can actually save
by searching on google, duckduckgo or some other reputable search engine or the plots from that interface manually, but when scripting, it's convenient
from a bookmark. If after clicking a link in an email you are directed to a to do so automatically:
log in page, it's probably a phishing attempt
* Only log in to webpages that are protected by SSL/TLS (HTTPS). Look for a .. code-block:: python
green address bar, or a green lock icon or similar in your browser
* Use two factor or two step authentication everywhere if possible >>> # Some plotting has previously occured
* Turn of automatic image rendering. Better still, disable HTML rendering and >>> plt.savefig('eggs.pdf', dpi=300, transparent=False)
authoring entirely in your email client
* Be suspicious of *all* emails. Risky things: HTML email, images, unknown The output format is interpreted from the file extension.
sender, poor spelling/grammer, 'Your email client can't display this email, The keyword arguments are optional here. Other options exist.
click here to view in your browser' or similar attempts to coerce you to click
on things Error Bars
----------
Stacked Bar Graph
-----------------
Resources Resources
--------- ---------
NumPy User Guide: https://docs.scipy.org/doc/numpy/user/index.html
`EFF notes on Diceware`_ They generally have good advice for these kinds of NumPy Reference: https://docs.scipy.org/doc/numpy/reference/index.html#reference
topics.
`This Presentation`_ Matplotlib example gallery: https://matplotlib.org/gallery/index.html
`Keepass`_, an offline password manager Pandas: It probably exists. Good luck.
`1Password`_, a pay to use password manager with some nice features This presentation: https://git.friedersdorff.com/max/plotting_with_matplotlib.git
`LastPass`_, an online password manager with a gratis tier
.. _Diceware: http://world.std.com/~reinhold/diceware.html
.. _EFF notes on Diceware: https://www.eff.org/dice
.. _This Presentation: https://git.friedersdorff.com/max/intro_dice_and_pmgmnt
.. _Keepass: https://keepass.info/
.. _1Password: https://1password.com/
.. _LastPass: https://www.lastpass.com/
.. target-notes::