Compare commits
10 commits
6f9e717481
...
43b2b1f813
| Author | SHA1 | Date | |
|---|---|---|---|
| 43b2b1f813 | |||
| 3e42d4118d | |||
| 4b392c68a9 | |||
| f26aceb439 | |||
| a3d2a9ad14 | |||
| 609ddda2b0 | |||
| d37458b97c | |||
| a40b700601 | |||
| 7d3423f860 | |||
| 9d72f9f066 |
6 changed files with 3941 additions and 137 deletions
|
|
@ -1,6 +1,6 @@
|
|||
pageSetup:
|
||||
size: null
|
||||
width: 16cm
|
||||
width: 12cm
|
||||
height: 9cm
|
||||
margin-top: 0cm
|
||||
margin-bottom: 0cm
|
||||
|
|
@ -44,7 +44,7 @@ styles:
|
|||
|
||||
table-heading:
|
||||
parent: heading
|
||||
backColor: black
|
||||
backColor: #666666
|
||||
alignment : TA_LEFT
|
||||
|
||||
code:
|
||||
|
|
|
|||
BIN
password_reuse_1.png
Normal file
BIN
password_reuse_1.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 80 KiB |
BIN
password_reuse_2.png
Normal file
BIN
password_reuse_2.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 65 KiB |
BIN
password_reuse_3.png
Normal file
BIN
password_reuse_3.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 36 KiB |
3787
slides.pdf
Normal file
3787
slides.pdf
Normal file
File diff suppressed because one or more lines are too long
287
slides.rst
287
slides.rst
|
|
@ -1,158 +1,175 @@
|
|||
Plotting with Matplotlib
|
||||
------------------------
|
||||
Surviving phishing
|
||||
------------------
|
||||
Password reuse, password managers and strong passwords
|
||||
======================================================
|
||||
.. contents:: :depth: 1
|
||||
|
||||
Also creating a presentation with rst2pdf
|
||||
=========================================
|
||||
Why is Password Reuse a Problem?
|
||||
--------------------------------
|
||||
.. image:: password_reuse_1.png
|
||||
:height: 6.5cm
|
||||
|
||||
Data Structures
|
||||
---------------
|
||||
Favour simpler data structures if they do what you need. In order:
|
||||
Consider the following hypothetical users that reuse a strong password in
|
||||
most places and the following common scenario:
|
||||
|
||||
#. Built-in Lists
|
||||
- 2xN data or simpler
|
||||
- Can't install system dependencies
|
||||
#. Numpy arrays
|
||||
- 2 (or higher) dimensional data
|
||||
- Lots of numerical calculations
|
||||
#. Pandas series/dataframes
|
||||
- 'Data Wrangling', reshaping, merging, sorting, querying
|
||||
- Importing from complex formats
|
||||
+------------------+--------------------------+
|
||||
| User | Password |
|
||||
+==================+==========================+
|
||||
| mark1@gmail.com | QUo5Qt+1Wa/Q1smDJRDbFg== |
|
||||
+------------------+--------------------------+
|
||||
| mark2@gmail.com | +9Hz+/20rVkSkbcsmgdVFw== |
|
||||
+------------------+--------------------------+
|
||||
| mark3@gmail.com | wnYkRcbi7Kkh7Fx2uR8EeA== |
|
||||
+------------------+--------------------------+
|
||||
|
||||
Shamelessly stolen from https://stackoverflow.com/a/45288000
|
||||
|
||||
Loading Data from Disk
|
||||
----------------------
|
||||
Natively
|
||||
========
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
>>> import csv
|
||||
>>> with open('eggs.csv', newline='') as csvfile:
|
||||
... spam = csv.reader(csvfile,
|
||||
... delimiter=' ',
|
||||
... quotechar='|')
|
||||
... for row in spam:
|
||||
... # Do things
|
||||
... pass
|
||||
|
||||
Loading Data from Disk
|
||||
----------------------
|
||||
Numpy
|
||||
=====
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
>>> import numpy
|
||||
>>> spam = numpy.genfromtxt('eggs.csv',
|
||||
... delimiter=' ',
|
||||
... dtype=None) # No error handling!
|
||||
>>> for row in spam:
|
||||
... # Do things
|
||||
... pass
|
||||
|
||||
``numpy.genfromtxt`` will try to infer the datatype of each column if
|
||||
``dtype=None`` is set.
|
||||
|
||||
``numpy.loadtxt`` is generally faster at runtime if your data is well formated
|
||||
(no missing values, only numerical data or constant length strings)
|
||||
|
||||
Loading Data from Disk
|
||||
----------------------
|
||||
Numpy NB.
|
||||
=========
|
||||
**Remind me to look at some actual numpy usage at the end**
|
||||
|
||||
- I think numpy does some type coercion when creating arrays.
|
||||
- Arrays created by ``numpy.genfromtxt`` can not in general be indexed like
|
||||
``data[xstart:xend, ystart:yend]``.
|
||||
- Data of unequal types are problematic! Pandas *may* be a better choice in
|
||||
that case.
|
||||
- Specifying some value for ``dtype`` is probably necessary in most cases in
|
||||
practice: https://docs.scipy.org/doc/numpy/reference/arrays.dtypes.html
|
||||
|
||||
Loading Data from Disk
|
||||
----------------------
|
||||
Pandas
|
||||
======
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
>>> import pandas
|
||||
>>> # dtype=None is def
|
||||
>>> spam = pandas.read_csv('eggs.csv',
|
||||
... delimiter=' ',
|
||||
... header=None)
|
||||
>>> for row in spam:
|
||||
... # Do things
|
||||
... pass
|
||||
|
||||
``header=None`` is required if the flie does not have a header.
|
||||
#. User registers an account with a careless service, eg Facebook, Yahoo,
|
||||
Google, Equifax etc. etc.
|
||||
#. The service is hacked and the password and email is leaked
|
||||
#. The hacker logs in to the email account
|
||||
#. The hacker resets passwords on all important accounts tied to that email
|
||||
address
|
||||
|
||||
|
||||
About password strength
|
||||
-----------------------
|
||||
|
||||
Generating Data for Testing
|
||||
---------------------------
|
||||
How is strength measured?
|
||||
=========================
|
||||
'Entropy' `s` depends on the size of the alphabet `a` and the length `n` of the
|
||||
password:
|
||||
|
||||
Generating the data on the fly with numpy is convenient.
|
||||
.. math::
|
||||
s = log_2(a^n)
|
||||
|
||||
.. code-block:: python
|
||||
* 0889234877724602 -> 53 bits
|
||||
* ZeZJieatdH -> 60 bits
|
||||
|
||||
>>> import numpy.random as ran
|
||||
>>> # For repeatability
|
||||
>>> ran.seed(7890234)
|
||||
>>> # Uniform [0, 1) floats
|
||||
>>> data = ran.rand(100, 2)
|
||||
>>> # Uniform [0, 1) floats
|
||||
>>> data = ran.rand(100, 100, 100)
|
||||
>>> # Std. normal floats
|
||||
>>> data = ran.randn(100)
|
||||
>>> # 3x14x15 array of binomial ints with n = 100, p = 0.1
|
||||
>>> data = ran.binomial(100, 0.1, (3, 14, 15))
|
||||
|
||||
Plotting Time Series
|
||||
--------------------
|
||||
|
||||
Plot data of the form:
|
||||
|
||||
.. math:: y=f(t)
|
||||
Why are weak passwords problematic?
|
||||
===================================
|
||||
Weak passwords are trivial to crack in many situations. A password with 53 bits
|
||||
may be cracked by a criminal organisation in less than an hour.
|
||||
|
||||
|
||||
Subplots
|
||||
--------
|
||||
What about strong passwords?
|
||||
============================
|
||||
They are difficult to remember, a problem especially when you use a different
|
||||
strong password for every service. You are also tempted to write them down, or
|
||||
reuse them.
|
||||
|
||||
It's surprisingly difficult for humans to generate good passwords!
|
||||
|
||||
A strong password, as of 2019, has at least 80 bits of entropy.
|
||||
|
||||
Password Managers to the Rescue!
|
||||
--------------------------------
|
||||
Password managers allow you to create a unique and strong password for every
|
||||
service.
|
||||
|
||||
Additional benefits:
|
||||
|
||||
* Remembers passwords for you
|
||||
* Generates passwords for you
|
||||
* Automagically fills in passwords on websites for you, this is important!
|
||||
* Makes passwords available on all your configured devices
|
||||
* Can store additional related data, usernames, answers to security questions,
|
||||
pins for debit/credit cards
|
||||
|
||||
Any of the mainstream password manager is equivalent in the above respects.
|
||||
|
||||
Can you trust password managers?
|
||||
--------------------------------
|
||||
Yes*
|
||||
|
||||
How do they keep passwords secure?
|
||||
----------------------------------
|
||||
1. User supplies a password
|
||||
2. A slow function derives an encryption key
|
||||
3. The encryption key is used to encrypt/decrypt your passwords
|
||||
|
||||
Security of the encryption depends on the strengh of your
|
||||
password:
|
||||
|
||||
+---------+------------------------+
|
||||
| Entropy | Time to crack, |
|
||||
| | assuming 1 second per |
|
||||
| | attempt per typical |
|
||||
| | CPU |
|
||||
+=========+========================+
|
||||
| 50b | < 1 Month |
|
||||
+---------+------------------------+
|
||||
| 60b | ~ 50 Years |
|
||||
+---------+------------------------+
|
||||
| 70b | ~ 50,000 yers |
|
||||
+---------+------------------------+
|
||||
|
||||
Generating a Strong Password
|
||||
----------------------------
|
||||
Passphrases are better than passwords:
|
||||
|
||||
* Tr0ub4dor&3 -> 28 bits of entropy, hard to remember
|
||||
* correct horse battery stable -> 44 bits of entropy, easy to remember
|
||||
|
||||
If you have to remember it, use a passphrase.
|
||||
|
||||
Generate passphrases with Diceware_
|
||||
===================================
|
||||
1. Roll 5, 6 sided, *physical* dice
|
||||
2. Read the numbers left to right
|
||||
3. Find the word with that number on a list 6^5 (7776) words
|
||||
4. Repeat until desired length is reached. For a password manager, use at
|
||||
least 7.
|
||||
5. Write down your passphrase on paper and keep it somewhere secure
|
||||
6. If you are 100% confident that you will not forget the passphrase, destroy
|
||||
the paper by burning
|
||||
|
||||
What about phishing?
|
||||
====================
|
||||
* A password manager will refuse to fill out a password on a spoofed website,
|
||||
for instance faceb00k.com vs facebook.com
|
||||
* Using different passwords on every service protects all other services even
|
||||
if phishing is successful on one of them
|
||||
* Good password managers will navigate to the login page for you, reducing the
|
||||
risk of spoofed websites
|
||||
|
||||
|
||||
Saving Plots
|
||||
Other advice
|
||||
------------
|
||||
In no particular order:
|
||||
|
||||
So far I've just displayed plots with ``plt.show()``. You can actually save
|
||||
the plots from that interface manually, but when scripting, it's convenient
|
||||
to do so automatically:
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
>>> # Some plotting has previously occured
|
||||
>>> plt.savefig('eggs.pdf', dpi=300, transparent=False)
|
||||
|
||||
The output format is interpreted from the file extension.
|
||||
The keyword arguments are optional here. Other options exist.
|
||||
|
||||
Error Bars
|
||||
----------
|
||||
|
||||
|
||||
Stacked Bar Graph
|
||||
-----------------
|
||||
|
||||
* Only log in on webpages that you navigated to by typing in the url yourself,
|
||||
by searching on google, duckduckgo or some other reputable search engine or
|
||||
from a bookmark. If after clicking a link in an email you are directed to a
|
||||
log in page, it's probably a phishing attempt
|
||||
* Only log in to webpages that are protected by SSL/TLS (HTTPS). Look for a
|
||||
green address bar, or a green lock icon or similar in your browser
|
||||
* Use two factor or two step authentication everywhere if possible
|
||||
* Turn of automatic image rendering. Better still, disable HTML rendering and
|
||||
authoring entirely in your email client
|
||||
* Be suspicious of *all* emails. Risky things: HTML email, images, unknown
|
||||
sender, poor spelling/grammer, 'Your email client can't display this email,
|
||||
click here to view in your browser' or similar attempts to coerce you to click
|
||||
on things
|
||||
|
||||
Resources
|
||||
---------
|
||||
NumPy User Guide: https://docs.scipy.org/doc/numpy/user/index.html
|
||||
|
||||
NumPy Reference: https://docs.scipy.org/doc/numpy/reference/index.html#reference
|
||||
`EFF notes on Diceware`_ They generally have good advice for these kinds of
|
||||
topics.
|
||||
|
||||
Matplotlib example gallery: https://matplotlib.org/gallery/index.html
|
||||
`This Presentation`_
|
||||
|
||||
Pandas: It probably exists. Good luck.
|
||||
`Keepass`_, an offline password manager
|
||||
|
||||
This presentation: https://git.friedersdorff.com/max/plotting_with_matplotlib.git
|
||||
`1Password`_, a pay to use password manager with some nice features
|
||||
|
||||
`LastPass`_, an online password manager with a gratis tier
|
||||
|
||||
.. _Diceware: http://world.std.com/~reinhold/diceware.html
|
||||
.. _EFF notes on Diceware: https://www.eff.org/dice
|
||||
.. _This Presentation: https://git.friedersdorff.com/max/intro_dice_and_pmgmnt
|
||||
.. _Keepass: https://keepass.info/
|
||||
.. _1Password: https://1password.com/
|
||||
.. _LastPass: https://www.lastpass.com/
|
||||
|
||||
|
||||
.. target-notes::
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue