[PLUG] Password managers

Ben Koenig techkoenig at gmail.com
Sun May 31 06:33:27 UTC 2020


On Sat, May 30, 2020 at 5:52 AM Rich Shepard <rshepard at appl-ecosys.com>
wrote:

> On Fri, 29 May 2020, Mike C. wrote:
>
> > If you don't use a strong passPHRASE and change it regularly, where/how
> > you store your passwords is mostly a moot point.
>
> Mike,
>
> The passphrase need not be more than three or four words long, with spaces
> between each word; for example, 'Hog tied with bow'. The article said that
> the addition of spaces greatly increased the time it would take to guess or
> crack it.
>

That's a common misinterpretation of the concept. When dealing with brute
force attacks, where a bot tries to guess every possible variation, the
length of the password exponentially increases the amount of time a brute
force attack takes. This can be achieved by simply repeating characters, or
adding spaces. Since a brute force guess doesn't make assumptions about
what you put into your password, a small number of random unique characters
in a very long password can take thousands of years to guess.

However, that ONLY accounts for attacks where they guess every possible
password. The other attack vector is the AI-driven side, where you restrict
your guesses to obvious patterns that people are known to use. By simply
adding spaces between words, you actually make it EASIER to guess by
adhering to a pattern that exists in the English language.


> When I was in the Army and being taught how to pick locks and manipulate
> combination locks (skills I lost decades ago) I learned that all locks can
> be opened; the idea is to use one that would take more time to open than it
> would be left unattended. We used Sargent & Greenleaf combination padlocks
> (user-settable combination) and I kept and used one for years. It had a
> security time of about 10 hours, which the Army decided was as long as a
> locked file cabinet would be unattended.
>
> I think digital passwords and passphrases have the same characteristics:
> just use one that would take more time to crack than the cracker is willing
> to spend on the attempt.
>

Time and pattern recognition. Random passwords are hard to remember because
there is no mental hook in place to remember it. We pick passwords that are
linked to past experiences. By gathering enough information about someone
(age, gender, ethnicity, interests, hobbies, and careers) you can begin to
identify a pattern in the "randomness" of their passwords. Why waste time
on all 5 million combinations when you can limit yourself to the top 5000?

A strong password has to be long to resist a brute force attack, AND
obscure to avoid being guessed. A long password that uses words from the
dictionary is just as weak as a 4 digit PIN code.



>
> > I'm sure I'm not the only one who's guilty of using very similar
> > passwords with the same email address for multiple accounts for many
> > years. =(
>
> Web sites that have no personal information that could be monetized, such
> as pdxlinx.org and linuxquestions.org, are of no interest to those seeking
> to steal identities or money, so they need less secure passwords/phrases
> than do, for example, banks.
>
That's a very bad way to look at it. While your profiles for PLUG or LQ may
not contain information that can be used to identify you, they still exist
as channels through which you communicate. Identity theft can prove very
profitable, whether it's your SSN or an online profile. We saw a state-
sponsored example of this during the 2016 election. Russian spies
impersonated US citizens using online profiles. This gave them an increased
amount of perceived legitimacy to their viewpoints when discussing
political issues and allowed them to spread information. There were a lot
of opinions that appeared to originate from American citizens even though
Russians were in control of the profiles.

Your profile (name and reputation) could be used to send messages and spread
information to those who trust you. Maybe it's not about you? Maybe you are
simply the attack vector, and the people around you are the target. This
raises a bold new question for the era of digital communication: if a
criminal uses your account to commit a crime, should we hold you
accountable?


-Ben
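To put numbers on the two attacker models discussed in this message (a blind brute force over characters versus a pattern-aware attacker guessing word sequences), here is an added worked example. It is not part of the original post or the PLUG archive; the 95-character printable alphabet, the 7776-word Diceware-style list size, the 2000-word "common vocabulary" size and the 10^10 guesses/second offline cracking rate are assumptions chosen for illustration, and the `random_passphrase` helper is an example of generating a phrase whose only exploitable structure is the wordlist itself.

```python
"""Guess-count arithmetic for two attacker models (added example; not from
the original post). All sizes and rates below are illustrative assumptions."""
import math
import secrets

PRINTABLE_ASCII = 95      # assumed alphabet a blind brute force must cover
OFFLINE_RATE = 10 ** 10   # assumed guesses/second for an offline hash cracker


def brute_force_guesses(secret: str, alphabet_size: int = PRINTABLE_ASCII) -> int:
    """Worst case for an attacker with no model of the secret: every string
    over the alphabet up to len(secret). Length dominates, and a space is
    just one more character, so inserting spaces raises this cost."""
    n = len(secret)
    return sum(alphabet_size ** k for k in range(1, n + 1))


def dictionary_guesses(secret: str, vocab_size: int, per_word_variants: int = 1) -> int:
    """Worst case for an attacker who assumes the secret is a sequence of
    vocabulary words separated by whitespace. The separator is part of the
    assumed pattern, so it costs this attacker nothing. per_word_variants
    models cheap mangling rules (e.g. 2 for lowercase/capitalised)."""
    n_words = len(secret.split())
    return (vocab_size * per_word_variants) ** n_words


def bits(guesses: int) -> float:
    """Express a guess count as bits of security."""
    return math.log2(guesses)


def years_to_exhaust(guesses: int, rate: int = OFFLINE_RATE) -> float:
    """Wall-clock years to try every guess at the assumed rate."""
    return guesses / rate / (365 * 24 * 3600)


def random_passphrase(wordlist, n_words: int) -> str:
    """Choose words uniformly with a CSPRNG. The attacker's best model is
    then exactly the wordlist, so strength is dictionary_guesses(...,
    len(wordlist)) regardless of how memorable the result looks."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    phrase = "Hog tied with bow"  # the example phrase from the thread
    cases = [
        ("blind brute force, 95-char alphabet", brute_force_guesses(phrase)),
        ("attacker assumes 4 words from a 7776-word list", dictionary_guesses(phrase, 7776)),
        ("attacker assumes 4 of 2000 common words, 2 casings", dictionary_guesses(phrase, 2000, 2)),
        ("4-digit PIN", 10 ** 4),
    ]
    for label, g in cases:
        print(f"{label:52s} {bits(g):6.1f} bits  {years_to_exhaust(g):10.2e} years")
    # Constructed mini wordlist; a real list would have thousands of entries.
    print(random_passphrase(["correct", "horse", "battery", "staple", "hog", "bow"], 4))
```

The point the arithmetic makes is that the cost an attacker pays is set by the model they assume, not by the character count: the same phrase is worth roughly 112 bits against a blind brute force but only about 52 bits against an attacker who assumes four words from a 7776-word list, and less still if the vocabulary is smaller. Compare each case against the attacker you actually expect, and remember that the rate figure belongs to an offline attack on a leaked hash; an online login form with lockouts is orders of magnitude slower.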
