121 lines
4.1 KiB
ReStructuredText
121 lines
4.1 KiB
ReStructuredText
Surviving phishing
|
|
------------------
|
|
Password reuse, password managers and strong passwords
|
|
======================================================
|
|
Why is Password Reuse a Problem?
|
|
--------------------------------
|
|
.. image:: password_reuse_1.png
|
|
:height: 6.5cm
|
|
|
|
Consider the following hypothetical users that reuse a strong password in
|
|
most places:
|
|
|
|
+-------------------+--------------------------+
|
|
| User | Password |
|
|
+===================+==========================+
|
|
| Sucker1@gmail.com | QUo5Qt+1Wa/Q1smDJRDbFg== |
|
|
+-------------------+--------------------------+
|
|
| Sucker2@gmail.com | +9Hz+/20rVkSkbcsmgdVFw== |
|
|
+-------------------+--------------------------+
|
|
| Sucker3@gmail.com | wnYkRcbi7Kkh7Fx2uR8EeA== |
|
|
+-------------------+--------------------------+
|
|
|
|
About password strength
|
|
-----------------------
|
|
|
|
How is strength measured?
|
|
=========================
|
|
'Entropy' `s` depends on the size of the alphabet `a` and the length `n` of the
|
|
password:
|
|
|
|
.. math::
|
|
s = log_2(a^n)
|
|
|
|
* 0889234877724602 -> 53 bits
|
|
* ZeZJieatdH -> 60 bits
|
|
|
|
Why are weak passwords problematic?
|
|
===================================
|
|
Weak passwords are trivial to crack in many situations. A password with 53 bits
|
|
may be cracked by a criminal organisation in less than an hour.
|
|
|
|
|
|
What about strong passwords?
|
|
============================
|
|
They are difficult to remember, a problem especially when you use a different
|
|
strong password for every service. You are also tempted to write them down, or
|
|
reuse them.
|
|
|
|
It's surprisingly difficult for humans to generate good passwords!
|
|
|
|
A strong password, as of 2019, has at least 80 bits of entropy.
|
|
|
|
Password Managers to the Rescue!
|
|
--------------------------------
|
|
Password managers allow you to create a unique and strong password for every
|
|
service.
|
|
|
|
Additional benefits:
|
|
|
|
* Remembers passwords for you
|
|
* Generates passwords for you
|
|
* Automagically fills in passwords on websites for you, this is important!
|
|
* Makes passwords available on all your configured devices
|
|
* Can store additional related data, usernames, answers to security questions,
|
|
pins for debit/credit cards
|
|
|
|
Any of the mainstream password manager is equivalent in the above respects.
|
|
|
|
Can you trust password managers?
|
|
--------------------------------
|
|
Yes*
|
|
|
|
How do they keep passwords secure?
|
|
----------------------------------
|
|
1. User supplies a password
|
|
2. The password is used to derive an encryption key. This process is designed
|
|
to be slow, even on modern hardware
|
|
3. The so generated encryption key is used to encrypt/decrypt your passwords
|
|
|
|
Note that the security of the encryption depends on the strengh of your
|
|
password. With a poor password (50 bits), it would take the entire computing
|
|
power of the world less than a month to crack the database. With a decent ish
|
|
password (60 bits), it would take on the order of 50 years on average. With a
|
|
better password (70 bits), it would take on the order of 50,000 years.
|
|
|
|
Generating a Strong Password
|
|
----------------------------
|
|
Passphrases are better than passwords:
|
|
|
|
* Tr0ub4dor&3 -> 28 bits of entropy, hard to remember
|
|
* correct horse battery stable -> 44 bits of entropy, easy to remember
|
|
|
|
Use passphrases everywhere you have to remember.
|
|
|
|
Generate passphrases with Diceware
|
|
==================================
|
|
1. Roll 5, 6 sided, *physical* dice
|
|
2. Read the numbers left to right
|
|
3. Find the word with that number on a list 6^5 (7776) words
|
|
4. Repeat until desired length is reached. For a password manager, use at
|
|
least 7.
|
|
5. Write down your passphrase on paper and keep it somewhere secure
|
|
6. If you are 100% confident that you will not forget the passphrase, destroy
|
|
the paper by burning
|
|
|
|
What about phishing?
|
|
====================
|
|
A password manager worth it's salt will refuse to fill out a password on a
|
|
different website, for instance faceb00k.com vs facebook.com
|
|
|
|
Using different passwords on every service limits your vulnerability even if
|
|
phishing is successful
|
|
|
|
Other advice
|
|
------------
|
|
In no particular order:
|
|
|
|
* Only log in on webpages that you navigated to by typing in the url yourself,
|
|
by searching on google, duckduckgo or some other reputable search engine or
|
|
from a bookmark
|
|
* Only log in to webpages that are
|