🦓 <czyborra@gmail.com> wrote:

my mother is currently struggling to memorize all of my dead
stepfather's identities and passwords and that makes me wonder how
would you like an internet of hosts who store everything undeletably
and barrierlessly readably with no secrets whatsoever to humanity nor
any other natural or artificial or divine intelligence? i know this
sounds like a question for debian-devel or debian-policy but i m
dumping it onto debian-user as as of now i m not subscribed to any
other.

Why does your mother need to memorize all of your dead stepfather's
identities? Just let them die with him.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Hi,

On Mon, Dec 16, 2024 at 02:48:44AM -0500, Jeffrey Walton wrote:

On Mon, Dec 16, 2024 at 2:42 AM 🦓 <czyborra@gmail.com> wrote:

YubiKeys is a password manager in a dongle, thus the exact opposite of passwordless. Your dogs and your goats are passwordless, they reliably serve you but have a built in immune system with redundancies protecting them from abuses of their

passwordlessness.

You don't understand YubiKeys

I applaud your attempt to explain to a zebra on the Internet why
goat-based security may not be suitable for banking and other
similar applications, no matter their "built in immune system".

However, I am concerned that this particular raving lunatic may not be receptive to the reality-based community and its ways.

Thanks,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

debian-user@howorth.org.uk wrote:
...

Why does your mother need to memorize all of your dead stepfather's identities? Just let them die with him.

perhaps because the accounts are jointly owned and it
is much easier to just continue using the credentials as
they exist instead of having to set everything up all
over again for no real gain.


songbird

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

songbird writes:

perhaps because the accounts are jointly owned and it is much easier
to just continue using the credentials as they exist instead of having
to set everything up all over again for no real gain.

Then follow Bruce Schneier's advice and*write them down*.
--
John Hasler
john@sugarbit.com
Elmwood, WI USA

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Mon, Dec 16, 2024 at 10:22:43PM -0600, John Hasler wrote:

songbird writes:

perhaps because the accounts are jointly owned and it is much easier
to just continue using the credentials as they exist instead of having
to set everything up all over again for no real gain.

Then follow Bruce Schneier's advice and*write them down*.

Do you have a reference?

I ask because I'm in the middle of a discussion (and that was my advice,
too). Seeing what Schneier has to say on that would be very interesting.

Cheers
--
t

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZ2EP4QAKCRAFyCz1etHa RsTQAJ99GHdot6o08mhbgii6HirYkLbl+QCZAUPbxJA63iO6S+6qMArYIbGcV8Y=
=p8Vy
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, Dec 17, 2024 at 08:07:52AM +0100, Loris Bennett wrote:

<tomas@tuxteam.de> writes:

On Mon, Dec 16, 2024 at 10:22:43PM -0600, John Hasler wrote:

songbird writes:

perhaps because the accounts are jointly owned and it is much easier
to just continue using the credentials as they exist instead of having >> > to set everything up all over again for no real gain.

Then follow Bruce Schneier's advice and*write them down*.

Do you have a reference?

I ask because I'm in the middle of a discussion (and that was my advice, too). Seeing what Schneier has to say on that would be very interesting.

I have a German copy of "Secrets & Lies" from 2001 in which Schneier discusses writing passwords down on p. 138 (Chapter 9 "Identification
and Authentication, Section "Access Tokens"). He says that passwords
are no worse than other "simple tokens" (anything which can be stolen or copied) but if you write them down, keeping them in your wallet can be
safer than sticking them with a post-it to you monitor. His actual
advice is that you should only write half your password down and commit
the other half to memory.

Thanks :)

Cheers
--
t

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZ2EsQgAKCRAFyCz1etHa Rrc5AJ0Xr/GFXtpO21LUnJQvkuTGrryM1QCeMC99h+/rdcFAxv5EZF+c0fFtq+A=
=wLMa
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

<tomas@tuxteam.de> writes:

On Mon, Dec 16, 2024 at 10:22:43PM -0600, John Hasler wrote:

songbird writes:

perhaps because the accounts are jointly owned and it is much easier
to just continue using the credentials as they exist instead of having
to set everything up all over again for no real gain.

Then follow Bruce Schneier's advice and*write them down*.

Do you have a reference?

I ask because I'm in the middle of a discussion (and that was my advice, too). Seeing what Schneier has to say on that would be very interesting.

I have a German copy of "Secrets & Lies" from 2001 in which Schneier
discusses writing passwords down on p. 138 (Chapter 9 "Identification
and Authentication, Section "Access Tokens"). He says that passwords
are no worse than other "simple tokens" (anything which can be stolen or copied) but if you write them down, keeping them in your wallet can be
safer than sticking them with a post-it to you monitor. His actual
advice is that you should only write half your password down and commit
the other half to memory.

Cheers,

Loris

--
This signature is currently under constuction.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

songbird <songbird@anthive.com> wrote:

debian-user@howorth.org.uk wrote:
...

Why does your mother need to memorize all of your dead stepfather's identities? Just let them die with him.

perhaps because the accounts are jointly owned and it
is much easier to just continue using the credentials as
they exist instead of having to set everything up all
over again for no real gain.

(1) I assumed the OP was talking about more than 'accounts' (meaning
financial accounts which I assume to be fairly few in number) but
rather was talking about forums, web sites etc etc.

(2) My wife and I have a joint account. My credentials and hers for the
account are completely separate and different.

(3) I now think the OP was trolling, so ...

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, Dec 17, 2024 at 06:45:05AM +0100, tomas@tuxteam.de wrote:

Do you have a reference?

I ask because I'm in the middle of a discussion (and that was my advice, >too). Seeing what Schneier has to say on that would be very interesting.

All of this advice is overly simplistic. The right answer depends on understanding your threats and making a conscious decision what risks
you want to mitigate and which you want to accept. If your threats
include a coworker using your account to get a higher level of access
than permitted, or to avoid/shift accountability, then putting your
passwords on your monitor at work with a post-it is a tremendously
stupid idea. If your threats include a person in your home (e.g., health
aide, plumber's assistant, whatever) potentially accessing banking
information, then putting your passwords on your monitor at home is a tremendously stupid idea. If your main threat is forgetting a password,
and you don't have to worry at all about anyone else seeing your
post-it, then putting your password on your monitor may be a very good
idea. Putting your passwords in a notebook in a drawer may be a
reasonable mitigation in some environments, but not others. Locking the
drawer may or may not be an effective additional layer. People like to
throw out bombs like "passwords should be written down" for shock value,
but reality needs more effort and significantly more nuance. Schneier
would, I think, agree with this as he already has nuances like "put it
in your wallet". The problem of an elderly person with memory problems
that potentially does/will have people in their home is particularly
difficult as the wallet advice has minimal utility--there do exist
people who take advantage of the elderly and steal their money,
sometimes from their wallet and sometimes from their accounts, and if
both are vulnerable it is not effective to secure one with the other. I
don't think there is a good, general, simple answer to this without much
more knowledge of the particulars of the situation than is probably
appropriate for a mailing list.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

I make regular use of an OS that is completely passwordless.

It's called PC-DOS 2000.

(I might also add that I wish that my Meerkat desktop Linux box didn't
make it so easy to sign off by mistake when I'd intended to power down.)

--
James H. H. Lampert

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, Dec 17, 2024 at 10:59:40AM -0500, Michael Stone wrote:

On Tue, Dec 17, 2024 at 06:45:05AM +0100, tomas@tuxteam.de wrote:

Do you have a reference?

I ask because I'm in the middle of a discussion (and that was my advice, too). Seeing what Schneier has to say on that would be very interesting.

All of this advice is overly simplistic. The right answer depends on understanding your threats and making a conscious decision what risks you want to mitigate [...]

I know, I know. My introductory sentence is almost literally yours.

As times shift, threat models shift accordingly. Back then, when
computers and environments were more shared, post-its and shoulder
surfing were the main password leak threat, in-between it was the
(clear text) transport, these days it's probably phishing and
server-side breaches, which -- hopefully! -- yield a database of
salted hashes, in which case strong passwords are vital.

I'm still very interested in those references, not to follow them
blindly, but because they may contain insights I haven't had myself.
Especially in the case of Schneier, I'm doubly eager to listen.

Cheers
--
t

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZ2G05wAKCRAFyCz1etHa Rk9bAJsF3k10M+jbWxheDuJU7opFJxY5wgCfdbyUKgCD7uObmLNPDXI3prbb1i0=
=C5rt
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 17 Dec 2024 06:45 +0100, from tomas@tuxteam.de:

Then follow Bruce Schneier's advice and*write them down*.

Do you have a reference?

I ask because I'm in the middle of a discussion (and that was my advice, too). Seeing what Schneier has to say on that would be very interesting.

Not Schneier, but consider also the UK National Cyber Security
Centre's position on password managers: https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers

Under the heading "Should I use a password manager?" the opening is:
"Yes. Password managers are a good thing. They give you huge
advantages in a world where there's far too many passwords for anyone
to remember."

--
Michael Kjörling
🔗 https://michael.kjorling.se

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Tue, Dec 17, 2024 at 12:37:33PM -0500, Jeffrey Walton wrote:

On Tue, Dec 17, 2024 at 12:29 PM <tomas@tuxteam.de> wrote:

On Tue, Dec 17, 2024 at 10:59:40AM -0500, Michael Stone wrote:

On Tue, Dec 17, 2024 at 06:45:05AM +0100, tomas@tuxteam.de wrote:

Do you have a reference?

I ask because I'm in the middle of a discussion (and that was my advice,
too). Seeing what Schneier has to say on that would be very interesting.

All of this advice is overly simplistic. The right answer depends on understanding your threats and making a conscious decision what risks you want to mitigate [...]

I know, I know. My introductory sentence is almost literally yours.

As times shift, threat models shift accordingly. Back then, when
computers and environments were more shared, post-its and shoulder
surfing were the main password leak threat, in-between it was the
(clear text) transport, these days it's probably phishing and
server-side breaches, which -- hopefully! -- yield a database of
salted hashes, in which case strong passwords are vital.

I'm still very interested in those references, not to follow them
blindly, but because they may contain insights I haven't had myself. Especially in the case of Schneier, I'm doubly eager to listen.

Schneier is security on training wheels. (Not to impune his work). It
is a good introduction, but it is written for a different audience.

Perfect for my purposes. I'm trying to get people to understand that
security is relative (to everything else around it, i.e. the famous
"threat model"). If they end up digesting Schneier's "process, not
product", I'm happy.

If you really want to satisfy your security related hunger, then read Gutmann's Engineering Security[1] or Ross Anderson's Security
Engineering.[2] I prefer Gutmann because it is so well cited. I often
pull the cited papers and read them for myself.

Gutmann was mentioned in this thread. Anderson wrote in CACM's "Inside
Risks", right?

Cheers
--
t

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZ2HByQAKCRAFyCz1etHa RnY+AJ9++nCjDaESJJreVV94K4FLK1EhBACeJqVsX0t8nejrWeTuc8pccHme6sA=
=ih7e
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 17/12/2024 17:44, Michael Kjörling wrote:

On 17 Dec 2024 06:45 +0100, from tomas@tuxteam.de:

Then follow Bruce Schneier's advice and*write them down*.

Do you have a reference?

I ask because I'm in the middle of a discussion (and that was my advice,
too). Seeing what Schneier has to say on that would be very interesting.

Not Schneier, but consider also the UK National Cyber Security
Centre's position on password managers: https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers

Under the heading "Should I use a password manager?" the opening is:
"Yes. Password managers are a good thing. They give you huge
advantages in a world where there's far too many passwords for anyone
to remember."

I couldn't cope without PasswordSafe (thanks Mr. Schneier) and the
nonsense about about not changing them ignores the obvious. My bank
performs security checks by requesting a sub-set of my password. It
doesn't take a genius to work out that after several visits the complete password can be deduced.

Peter HB

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Michael Kjörling writes:

Under the heading "Should I use a password manager?" the opening is:
"Yes. Password managers are a good thing. They give you huge
advantages in a world where there's far too many passwords for anyone
to remember."

I use Firefox's built-in manager for "low threat" passwords such as that
for my Reddit account (I also write them down). Most of my passwords
fall in this class. Important passwords are recorded only in my "little
black book".

I also use a different user name for every Web account.

One reason for writing down all your passwords (even if only on a list
stored in your safe deposit box) is related to the item that started
this thread: not making things difficult for whoever has to deal with
your estate.
--
John Hasler
john@sugarbit.com
Elmwood, WI USA

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Peter Hillier-Brook writes:

the nonsense about about not changing them ignores the obvious.

What is that?

My bank performs security checks by requesting a sub-set of my
password.

Sounds like a reason to find a new bank, in the meantime changing your
password after every such request. Surely they can't be hashing the
passwords properly if that practice is of any use.
--
John Hasler
john@sugarbit.com
Elmwood, WI USA

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Michael Kjörling <c9bc136c6063@ewoof.net> wrote:

On 17 Dec 2024 06:45 +0100, from tomas@tuxteam.de:

Then follow Bruce Schneier's advice and*write them down*.

Do you have a reference?

I ask because I'm in the middle of a discussion (and that was my
advice, too). Seeing what Schneier has to say on that would be very interesting.

Not Schneier, but consider also the UK National Cyber Security
Centre's position on password managers: https://www.ncsc.gov.uk/blog-post/what-does-ncsc-think-password-managers

I tend to agree but I'll play Devil's Advocate here.

If I was NCSC would I prefer to break a few password managers or
millions of individual passwords?

Under the heading "Should I use a password manager?" the opening is:
"Yes. Password managers are a good thing. They give you huge
advantages in a world where there's far too many passwords for anyone
to remember."

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Simply sharing a password method I was taught years ago that works well. Granted I never allow anything to choose a password for me, not ever.
Instead I create a sentence with aspects of the characters forming the password.
As an example, I will create one, not in use of course, for the below sentence.
in 2012 I joined the Debian list.
Again everything above is likely untrue, still it becomes the following. ItlI#10t4l
I for the word in,
t is the twentieth letter of the alphabet,
l is the twelfth letter of the alphabet,
I for the word I
a # for the special character
10 for the letter j in joined
T for the word the
4 represents the letter d in Debian, and finally
l for the word list.
Its simply a method, but a fun one. create a sentence that makes you
smile to remember, finding creative representations for the letters
numbers and needful symbols.
Yes wise to write it down, but you can do that anywhere, with it
unlikely to seem like a password.
Hope that resonates,

Karen

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Dec 18, 2024 at 09:10:23AM +0000, Michael Kjörling wrote:

On 17 Dec 2024 21:41 -0600, from deblis@lionunicorn.co.uk (David Wright):

As you have to select the subset from some listboxes with a mouse,
I would guess that the step is designed to defeat key-logging.

If someone has maliciously installed a keylogger, there's also likely
some kind of screen recording software, so this seems like security
theater.

Nowadays, with browsers, you can even get better than just "screen
recording". Think, e.g. Selenium, which can record "clickstreams"
on a browser with reference to the DOM objects (is usually used for
testing, but hey).

When doing "security analysis", I tend to lump "compromised client"
into one category.

Cheers
--
t

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZ2KSxgAKCRAFyCz1etHa RiaqAJ0flo6HAi7jqDtjiGcUvvBJM86DWgCdHqOH2TNI9uWkjQ4gxEiSKWKyuE4=
=18wM
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 17 Dec 2024 21:41 -0600, from deblis@lionunicorn.co.uk (David Wright):

As you have to select the subset from some listboxes with a mouse,
I would guess that the step is designed to defeat key-logging.

If someone has maliciously installed a keylogger, there's also likely
some kind of screen recording software, so this seems like security
theater.

--
Michael Kjörling
🔗 https://michael.kjorling.se

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 18 Dec 2024 10:15 +0100, from tomas@tuxteam.de:

When doing "security analysis", I tend to lump "compromised client"
into one category.

Case in point: Microsoft Windows Recall.

Plug that into your favorite web search engine if you aren't familiar
with it, and read some of the tech media coverage of it.

--
Michael Kjörling
🔗 https://michael.kjorling.se

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 17 Dec 2024 23:42 -0500, from klewellen@shellworld.net (Karen Lewellen):

Simply sharing a password method I was taught years ago that works well. Granted I never allow anything to choose a password for me, not ever. Instead I create a sentence with aspects of the characters forming the password.
As an example, I will create one, not in use of course, for the below sentence.
in 2012 I joined the Debian list.
Again everything above is likely untrue, still it becomes the following. ItlI#10t4l
[/snip description/]

This method would seem to fail at generating randomness, because it's
based on an initial meaningful sentence (keeping in mind that natural
language has very low entropy; consider that in your example, "joined"
is much more likely in that position than, say, "aardvark", "vibrated"
or "swordsman") plus some relatively fixed, predetermined
transformations.

It also requires you to remember which sentence you used as the seed
for which service. That might work for a few services, but does it
scale into the hundreds or thousands?

Thus xkcd 936 essentially applies. https://xkcd.com/936/

As I note on https://michael.kjorling.se/password-tips/ (constructive
criticism most welcome!) "someone who has perfect knowledge of you
should not have any advantage in guessing the password".

The two main ways of meeting that criteria (which is not the only one,
but is the one which is pertinent here) is random out of a character
set, and Diceware with words selected at random. The former gives a
high degree of security for a given length, and the latter gives good memorability. The work factor of a password or passphrase generated
using either method can be objectively quantified.

And humans in general are terrible at randomness.

--
Michael Kjörling
🔗 https://michael.kjorling.se

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Michael Kjörling <c9bc136c6063@ewoof.net> wrote:

As I note on https://michael.kjorling.se/password-tips/ (constructive criticism most welcome!) "someone who has perfect knowledge of you
should not have any advantage in guessing the password".

Surely no one "has perfect knowledge of you"! :-) I'm not even sure I
have perfect knowledge of myself, in fact I'm pretty sure I don't!

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Dec 18, 2024 at 04:55:59PM +0000, Chris Green wrote:

Michael Kjörling <c9bc136c6063@ewoof.net> wrote:

On 17 Dec 2024 21:41 -0600, from deblis@lionunicorn.co.uk (David Wright):

As you have to select the subset from some listboxes with a mouse,
I would guess that the step is designed to defeat key-logging.

If someone has maliciously installed a keylogger, there's also likely
some kind of screen recording software, so this seems like security theater.

Yes, I think things like key loggers or even simple 'shoulder surfing'
are the commonest ways of passwords being 'broken'.

That's 1980s-1990s. These days it's service negligence and phishing.

Cheers
--
t

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZ2MMPwAKCRAFyCz1etHa RruLAJ0V1a/BjpA74cDSGrqx2S9QZJEU8wCfS82xIJRs4BgOgJc6k9lwslXyb5U=
=GPCs
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Chris Green writes:

Surely no one "has perfect knowledge of you"! :-) I'm not even sure I
have perfect knowledge of myself, in fact I'm pretty sure I don't!

But which things about you can you be sure no one else has knowledge of?
Most people seem to think that the name of the dog they had when they
were 12 is an unguessable secret.
--
John Hasler
john@sugarbit.com
Elmwood, WI USA

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

I *could* share my strategies for coming up with passwords. But then I'd
be legally obligated to irrecoverably crash the list server, kill every
member of the List, and kill everybody who might have seen my message in
the List archives, or might have talked to anybody who'd read it, and irrecoverably crash every computer that had ever contained a copy of the message.

And that would be rude.

So probably better for everybody if I kept it among the tiny handful of
secrets I'll take to my grave.

--
JHHL

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On 18 Dec 2024 11:57 -0600, from john@sugarbit.com (John Hasler):

Surely no one "has perfect knowledge of you"! :-) I'm not even sure I
have perfect knowledge of myself, in fact I'm pretty sure I don't!

But which things about you can you be sure no one else has knowledge of?
Most people seem to think that the name of the dog they had when they
were 12 is an unguessable secret.

Pretty much. Or the phone number you had at home as a child. Or your
favorite color. Or your mother's maiden name. Or that you have used
Debian since year Y. Or which year your great-grandmother died.

If I generate a Diceware passphrase - let's take one from that page as
an example, "dean unissued mystified comfort everyday chokehold" -
then I can tell you exactly how I generated it and what the inputs
were ("6 words selected at random out of the EFF English long Diceware
word list, separated by single U+0020 space characters") and this
won't really help you, because the search space is still (6^5)^6 or
about 2^77.

On the other hand, someone who knows Karen Lewellen's system for
generating a password has a fairly significant advantage over someone
who doesn't; for example, that the digit group in the middle is highly
likely to be in the range 1..26 (possibly padded to 01..26), the first
letter may or may not be capitalized, and letters other than "I" are
more likely to be lowercase than uppercase. Note that this is just
some of what can be learned from that one password and the description
of the process. And if they can guess or glean a seed sentence, or
even a part of one, then the attacker has a _huge_ advantage. On the
other hand, if someone were to learn that a Diceware passphrase begins
with "dean unissued mystified comfort", then other than perhaps that
this can help narrow down which word list was used, they have no
advantage in guessing the remainder.

--
Michael Kjörling
🔗 https://michael.kjorling.se

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

JHHL writes:

I *could* share my strategies for coming up with passwords.

Mine is pwgen -s 12
--
John Hasler
john@sugarbit.com
Elmwood, WI USA

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Michael Kjörling <c9bc136c6063@ewoof.net> wrote:

On 18 Dec 2024 11:57 -0600, from john@sugarbit.com (John Hasler):

Surely no one "has perfect knowledge of you"! :-) I'm not even sure I
have perfect knowledge of myself, in fact I'm pretty sure I don't!

But which things about you can you be sure no one else has knowledge of? Most people seem to think that the name of the dog they had when they
were 12 is an unguessable secret.

Pretty much. Or the phone number you had at home as a child. Or your
favorite color. Or your mother's maiden name. Or that you have used
Debian since year Y. Or which year your great-grandmother died.

If I generate a Diceware passphrase - let's take one from that page as
an example, "dean unissued mystified comfort everyday chokehold" -
then I can tell you exactly how I generated it and what the inputs
were ("6 words selected at random out of the EFF English long Diceware
word list, separated by single U+0020 space characters") and this
won't really help you, because the search space is still (6^5)^6 or
about 2^77.

But how do you remember it? It's no more memorable than a string of
numbers, in fact I find numbers easier to remember than words.

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

John Hasler <john@sugarbit.com> wrote:

Chris Green writes:

Surely no one "has perfect knowledge of you"! :-) I'm not even sure I
have perfect knowledge of myself, in fact I'm pretty sure I don't!

But which things about you can you be sure no one else has knowledge of?
Most people seem to think that the name of the dog they had when they
were 12 is an unguessable secret.

That depends rather on how long ago they were 12 surely. For me it's
over 60 years ago and there's very little data from back then that's accessible. How would you guess the name of a dog I had back in the
1950s? (If you do guess it you're wrong, I didn't have a dog)

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Sent: Wednesday, December 18, 2024 at 2:04 PM
From: "John Hasler" <john@sugarbit.com>
To: debian-user@lists.debian.org
Subject: Re: Writing passwords down

JHHL writes:

I *could* share my strategies for coming up with passwords.

Mine is pwgen -s 12

I have a better strategy for passwords
I use my wifes underwear size

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

I wrote:

But which things about you can you be sure no one else has knowledge of?
Most people seem to think that the name of the dog they had when they
were 12 is an unguessable secret.

Chris Green writes:

That depends rather on how long ago they were 12 surely.

Not when the dog's name was Rover.
--
John Hasler
john@sugarbit.com
Elmwood, WI USA

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.

Well, I do not use hundreds.
Still that little black book is, speaking personally, far safer to my mind then any digital solution.



On Wed, 18 Dec 2024, Michael Kjörling wrote:

On 17 Dec 2024 23:42 -0500, from klewellen@shellworld.net (Karen Lewellen):

Simply sharing a password method I was taught years ago that works well.
Granted I never allow anything to choose a password for me, not ever.
Instead I create a sentence with aspects of the characters forming the
password.
As an example, I will create one, not in use of course, for the below
sentence.
in 2012 I joined the Debian list.
Again everything above is likely untrue, still it becomes the following.
ItlI#10t4l
[/snip description/]

This method would seem to fail at generating randomness, because it's
based on an initial meaningful sentence (keeping in mind that natural language has very low entropy; consider that in your example, "joined"
is much more likely in that position than, say, "aardvark", "vibrated"
or "swordsman") plus some relatively fixed, predetermined
transformations.

It also requires you to remember which sentence you used as the seed
for which service. That might work for a few services, but does it
scale into the hundreds or thousands?

Thus xkcd 936 essentially applies. https://xkcd.com/936/

As I note on https://michael.kjorling.se/password-tips/ (constructive criticism most welcome!) "someone who has perfect knowledge of you
should not have any advantage in guessing the password".

The two main ways of meeting that criteria (which is not the only one,
but is the one which is pertinent here) is random out of a character
set, and Diceware with words selected at random. The former gives a
high degree of security for a given length, and the latter gives good memorability. The work factor of a password or passphrase generated
using either method can be objectively quantified.

And humans in general are terrible at randomness.

--
Michael Kjörling
🔗 https://michael.kjorling.se

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

because my little black book is accessible for me.
random passwords that I cannot recall are not for me personally.
Additionally, most password managers are unlikely to work with my setup.
But that is me.



On Wed, 18 Dec 2024, John Hasler wrote:

Karen writes:

Well, I do not use hundreds. Still that little black book is,
speaking personally, far safer to my mind then any digital solution.

If you are going to use a little black book why not just use random passwords? pwgen -s 10 and write it down.

And if they insist on a "password recovery secret" give them a random
string for that as well.
--
John Hasler
john@sugarbit.com
Elmwood, WI USA

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.

Have to agree.
Perfect knowledge of you seems hard to imagine in another person, let
alone yourself.



On Wed, 18 Dec 2024, Chris Green wrote:

Michael Kjörling <c9bc136c6063@ewoof.net> wrote:

As I note on https://michael.kjorling.se/password-tips/ (constructive
criticism most welcome!) "someone who has perfect knowledge of you
should not have any advantage in guessing the password".

Surely no one "has perfect knowledge of you"! :-) I'm not even sure I
have perfect knowledge of myself, in fact I'm pretty sure I don't!

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Karen writes:

Well, I do not use hundreds. Still that little black book is,
speaking personally, far safer to my mind then any digital solution.

If you are going to use a little black book why not just use random
passwords? pwgen -s 10 and write it down.

And if they insist on a "password recovery secret" give them a random
string for that as well.
--
John Hasler
john@sugarbit.com
Elmwood, WI USA

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Wed, Dec 18, 2024 at 07:13:23PM +0000, Chris Green wrote:

Michael Kjörling <c9bc136c6063@ewoof.net> wrote:

[...]

If I generate a Diceware passphrase - let's take one from that page as
an example, "dean unissued mystified comfort everyday chokehold" -

[...]

But how do you remember it? It's no more memorable than a string of
numbers, in fact I find numbers easier to remember than words.

But that's exactly the point. Passwords are a /personal/ thing, i.e.
something you, the person, can memorize when it becomes important.
This varies from person to person.

So use a well vetted method which works for you. If it's numbers, then
fine.

Me? I found out I can memorize well 16-places pwgen things. So my important passwords come from there. Mostly. But this won't work for someone else.

Cheers
--
t

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZ2OmqgAKCRAFyCz1etHa Rqk7AJ9GdWjvxc+EAM9dfPfc8pUkU5rqzQCdHgDkstIqV0lnn5nvfl3v6ciTNVw=
=lphL
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

John Hasler <john@sugarbit.com> wrote:

Karen writes:

Well, I do not use hundreds. Still that little black book is,
speaking personally, far safer to my mind then any digital solution.

If you are going to use a little black book why not just use random passwords? pwgen -s 10 and write it down.

Because a long series of random characters is incredibly difficult to
type accurately!

Horses for courses, I enter login passwords/passphrases quite frequently (lots of
different systems that I ssh to) long, unmemorable, passwords would be
useless.

For the odd password that needs to be **extra** secure I suppose I
could use a written down password.

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Thu, 19 Dec 2024 08:56:00 +0000
Chris Green <cl@isbd.net> wrote:

John Hasler <john@sugarbit.com> wrote:

Karen writes:

Well, I do not use hundreds. Still that little black book is,
speaking personally, far safer to my mind then any digital
solution.

If you are going to use a little black book why not just use random passwords? pwgen -s 10 and write it down.

Because a long series of random characters is incredibly difficult to
type accurately!

Horses for courses, I enter login passwords/passphrases quite
frequently (lots of different systems that I ssh to) long,
unmemorable, passwords would be useless.

For the odd password that needs to be **extra** secure I suppose I
could use a written down password.

Something nobody has mentioned in connection with remembering passwords
is how often they are used. Many passwords I use are created and then
not used for another year or more. There's no way to remember anything
of any complexity at all over that period with no refreshing, whereas
even quite a random and complicated one will start to stick if used
every day.

--
Joe

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Friday, 20-12-2024 at 14:22 Max Nikulin wrote:

On 19/12/2024 15:56, Chris Green wrote:

Horses for courses, I enter login passwords/passphrases quite frequently (lots of
different systems that I ssh to) long, unmemorable, passwords would be useless.

Generate a private key and add its public counterpart to ~/.ssh/authorized_keys on remote machines. Locally running ssh-agent
allows to authenticate on remote machines without typing the pass phrase
for the private key for each connection. It is more secure than
passwords against brute force attacks.

(You may have more than one private key and may configure ssh to use
some key for specific set of servers.)

Another method for remote server management can be provided by Ansible and Ansible vault.

https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_privilege_escalation.html

https://docs.ansible.com/ansible/latest/vault_guide/index.html


George.

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Fri, Dec 20, 2024 at 10:22:29AM +0700, Max Nikulin wrote:

On 19/12/2024 15:56, Chris Green wrote:

Horses for courses, I enter login passwords/passphrases quite frequently (lots of
different systems that I ssh to) long, unmemorable, passwords would be useless.

Generate a private key and add its public counterpart to ~/.ssh/authorized_keys on remote machines. Locally running ssh-agent allows to authenticate on remote machines without typing the pass phrase for the private key for each connection. It is more secure than passwords against brute force attacks.

Definitely. I was thinking specifically about passwords: what they are, how they work. But it's clear that (asymmetric) crypto keys are worlds ahead
of passwords in terms of security, convenience (agent forwarding, anyone?)
LDAP integration and all of that. Whenever I have the choice, a SSH key it
is.

Cheers
--
t

-----BEGIN PGP SIGNATURE-----

iF0EABECAB0WIQRp53liolZD6iXhAoIFyCz1etHaRgUCZ2T0NQAKCRAFyCz1etHa RtdXAJ9J65gby1UfCW5PlLKLjN9d8HonAQCggGvyoEAoMZTTsqmKnJ9lKE8ol5g=
=56iT
-----END PGP SIGNATURE-----

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

Max Nikulin <manikulin@gmail.com> wrote:

On 19/12/2024 15:56, Chris Green wrote:

Horses for courses, I enter login passwords/passphrases quite frequently (lots of
different systems that I ssh to) long, unmemorable, passwords would be useless.

Generate a private key and add its public counterpart to ~/.ssh/authorized_keys on remote machines. Locally running ssh-agent
allows to authenticate on remote machines without typing the pass phrase
for the private key for each connection. It is more secure than
passwords against brute force attacks.

Yes, but the passphrase for the private key then becomes your
"password that you have to remember". The security of the actual
connection is better as an intruder has to guess the key but IMHO I
don't think that's the issue.

I do in fact use ssh key based accessed for all my 'external' ssh
connections, as you say this is more secure against direct attacks on
the remote ssh server. However I did say in my post above "passwords/passphrases", I have to enter passphrases quite frequently
for these ssh connections (I have agent set so the passphrase expires
after a while), that's what I was talking about.


--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

tomas@tuxteam.de wrote:

[-- text/plain, encoding quoted-printable, charset: utf-8, 24 lines --]

On Fri, Dec 20, 2024 at 10:22:29AM +0700, Max Nikulin wrote:

On 19/12/2024 15:56, Chris Green wrote:

Horses for courses, I enter login passwords/passphrases quite frequently (lots of
different systems that I ssh to) long, unmemorable, passwords would be useless.

Generate a private key and add its public counterpart to ~/.ssh/authorized_keys on remote machines. Locally running ssh-agent allows to authenticate on remote machines without typing the pass phrase for the private key for each connection. It is more secure than passwords against brute force attacks.

Definitely. I was thinking specifically about passwords: what they are, how they work. But it's clear that (asymmetric) crypto keys are worlds ahead
of passwords in terms of security, convenience (agent forwarding, anyone?) LDAP integration and all of that. Whenever I have the choice, a SSH key it is.

WHY????

It depends very much on the way your connection might get attacked. A
key based ssh connection is (as you say) much more secure against
attacks directly on the remote server, but only if that remote server
has password login disabled. Your key based login is quite irrelevant
if there's actually a password that the intruder can guess.

At the local end using a passphrase protected ssh key is no better
than a password, both depend entirely on how easy the password or
passphrase can be guessed. In fact my feeling is that password is
slightly better because if you are using ssh-agent as you may well
leave your system for short periods without logging off and then an
intruder will be able to log in to all those remote systems for which
ssh-agent has saved your key(s). (Physical security again!) This last
is why I have my ssh-agent set to expire keys after a few minutes.

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)

On Friday, 20-12-2024 at 20:21 Chris Green wrote:

tomas@tuxteam.de wrote:

[-- text/plain, encoding quoted-printable, charset: utf-8, 24 lines --]

On Fri, Dec 20, 2024 at 10:22:29AM +0700, Max Nikulin wrote:

On 19/12/2024 15:56, Chris Green wrote:

Horses for courses, I enter login passwords/passphrases quite frequently (lots of
different systems that I ssh to) long, unmemorable, passwords would be useless.

Generate a private key and add its public counterpart to ~/.ssh/authorized_keys on remote machines. Locally running ssh-agent allows
to authenticate on remote machines without typing the pass phrase for the private key for each connection. It is more secure than passwords against brute force attacks.

Definitely. I was thinking specifically about passwords: what they are, how they work. But it's clear that (asymmetric) crypto keys are worlds ahead
of passwords in terms of security, convenience (agent forwarding, anyone?) LDAP integration and all of that. Whenever I have the choice, a SSH key it is.

WHY????

It depends very much on the way your connection might get attacked. A
key based ssh connection is (as you say) much more secure against
attacks directly on the remote server, but only if that remote server
has password login disabled. Your key based login is quite irrelevant
if there's actually a password that the intruder can guess.

At the local end using a passphrase protected ssh key is no better
than a password, both depend entirely on how easy the password or
passphrase can be guessed. In fact my feeling is that password is
slightly better because if you are using ssh-agent as you may well
leave your system for short periods without logging off and then an
intruder will be able to log in to all those remote systems for which ssh-agent has saved your key(s). (Physical security again!) This last
is why I have my ssh-agent set to expire keys after a few minutes.

"nothing is secure"

Security is an interesting topic.

People have attempted to make things secure for many years.

When security is mentioned, I first think of wax seals on envelopes and physical locks and keys. I wonder if the younger generations do?

1) When thinking about security, I like to remind myself that "nothing is secure", and all I can do is make it "more difficult for others to gain unapproved access". There is always a way to break through a security measure. Hence 'access attempt'
mitigation, monitoring and logging are useful in security plans.

2) I also like to remind myself and others, "If I can access it via the Internet, then so can anyone in the world who has access to the Internet". Staring questions: Does it really needed to be connected to the Internet? Is remote access truly required?

3) Applying Security makes access less convenient. The greater the security, usually the less convenient my access becomes. Hence weak passwords are less secure than complex, long passwords, ssh keys with passwords are less convenient than ssh keys
without passwords, stored passwords are convenient but give others another option to gain access to your password. How much inconvenience are you able to accept? (it is a good question)

4) Understanding what methods can be used to gain access to your system, and how to bypass whatever security systems you choose to implement, is important when choosing a security method.

5) Finding what methods, level, etc of security you are happy to accept and what level of risk you are willing to accept is the first step in making a security plan.

6) Keeping security patches up to date reduces ways people can inappropriate access your systems. But only reduces, never be lulled into thinking you are secure.

(please let me know if there is a simpler or more correct way to phrase this info, I like improving my knowledge. And there has to be more to security than the above).

Below is a link to an interesting list of suggestions. Somewhat inconvenient if one were to implement all suggestions.
https://tailscale.com/learn/ssh-security-best-practices-protecting-your-remote-access-infrastructure

George.

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)