+Surviving phishing
+------------------
+Password reuse, password managers and strong passwords
+======================================================
+.. contents:: :depth: 1
+
Why is Password Reuse a Problem?
--------------------------------
.. image:: password_reuse_1.png
-.. image:: password_reuse_2.png
-.. image:: password_reuse_3.png
+ :height: 6.5cm
+
+Consider the following hypothetical users that reuse a strong password in
+most places and the following common scenario:
+
++------------------+--------------------------+
+| User | Password |
++==================+==========================+
+| mark1@gmail.com | QUo5Qt+1Wa/Q1smDJRDbFg== |
++------------------+--------------------------+
+| mark2@gmail.com | +9Hz+/20rVkSkbcsmgdVFw== |
++------------------+--------------------------+
+| mark3@gmail.com | wnYkRcbi7Kkh7Fx2uR8EeA== |
++------------------+--------------------------+
+
+#. User registers an account with a careless service, eg Facebook, Yahoo,
+ Google, Equifax etc. etc.
+#. The service is hacked and the password and email is leaked
+#. The hacker logs in to the email account
+#. The hacker resets passwords on all important accounts tied to that email
+ address
+
About password strength
-----------------------
+
How is strength measured?
=========================
'Entropy' `s` depends on the size of the alphabet `a` and the length `n` of the
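Review bot: step 3 of the new scenario ("The hacker logs in to the email account") only follows if the email account uses the same password that leaked in step 2, which is exactly the reuse the table is meant to illustrate, so state it: "3. The hacker logs in to the email account with the same password". Grammar in step 2: "the password and email is leaked" should be "are leaked", and "eg" should be "e.g.".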
It's surprisingly difficult for humans to generate good passwords!
+A strong password, as of 2019, has at least 80 bits of entropy.
+
Password Managers to the Rescue!
--------------------------------
Password managers allow you to create a unique and strong password for every
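Review bot: the added sentence "A strong password, as of 2019, has at least 80 bits of entropy" gives a threshold without the model behind it, and the crack-time table later in the patch stops at 70 bits, so a reader cannot see why 80 is the bar. Either extend the table to an 80-bit row or say what attacker rate the figure assumes. It would also help to tie the number to the Diceware steps: with the 6^5 (7776) word list, log2(7776) is about 12.9 bits per word, so 80 bits means seven words.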
How do they keep passwords secure?
----------------------------------
1. User supplies a password
-2. The password is used to derive an encryption key. This process is designed
- to be slow, even on modern hardware
-3. The so generated encryption key is used to encrypt/decrypt your passwords
-
-Note that the security of the encryption depends on the strengh of your
-password. With a poor password (50 bits), it would take the entire computing
-power of the world less than a month to crack the database. With a decent ish
-password (60 bits), it would take on the order of 50 years on average. With a
-better password (70 bits), it would take on the order of 50,000 years.
+2. A slow function derives an encryption key
+3. The encryption key is used to encrypt/decrypt your passwords
+
+Security of the encryption depends on the strengh of your
+password:
+
++---------+------------------------+
+| Entropy | Time to crack, |
+| | assuming 1 second per |
+| | attempt per typical |
+| | CPU |
++=========+========================+
+| 50b | < 1 Month |
++---------+------------------------+
+| 60b | ~ 50 Years |
++---------+------------------------+
+| 70b | ~ 50,000 yers |
++---------+------------------------+
Generating a Strong Password
----------------------------
* Tr0ub4dor&3 -> 28 bits of entropy, hard to remember
* correct horse battery stable -> 44 bits of entropy, easy to remember
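Review bot: the replacement table's header "assuming 1 second per attempt per typical CPU" drops the assumption the removed paragraph carried ("the entire computing power of the world"), and without it the numbers do not hold: 2^50 attempts at one per second on a single CPU is roughly 35 million years, not "< 1 Month". Restore that assumption in the header (or state the number of CPUs assumed) and label the figures as averages, as the removed text did for 60 bits. Step 2 also lost the reason the derivation is slow ("designed to be slow, even on modern hardware", i.e. to make each attempt expensive); keep that clause, since the table depends on it. Typos: "strengh" -> "strength", "50,000 yers" -> "50,000 years".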
-Use passphrases everywhere you have to remember.
+If you have to remember it, use a passphrase.
-Generate passphrases with Diceware
-==================================
+Generate passphrases with Diceware_
+===================================
1. Roll 5, 6 sided, *physical* dice
2. Read the numbers left to right
3. Find the word with that number on a list 6^5 (7776) words
5. Write down your passphrase on paper and keep it somewhere secure
6. If you are 100% confident that you will not forget the passphrase, destroy
the paper by burning
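Review bot: "If you have to remember it, use a passphrase" has no antecedent for "it" now that "everywhere" is gone; the password this section has in mind is the one that cannot live in the manager, i.e. the manager's master password, so say "If you have to remember a password (for example your password manager's master password), use a passphrase". The Diceware_ reference in the heading resolves to the target added in the Resources block, and the trailing `.. target-notes::` will add a footnote reference after it in the title; if that is not wanted, keep the link out of the heading and put it in step 3 where the word list is mentioned.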
+
+What about phishing?
+====================
+* A password manager will refuse to fill out a password on a spoofed website,
+ for instance faceb00k.com vs facebook.com
+* Using different passwords on every service protects all other services even
+ if phishing is successful on one of them
+* Good password managers will navigate to the login page for you, reducing the
+ risk of spoofed websites
+
+
+Other advice
+------------
+In no particular order:
+
+* Only log in on webpages that you navigated to by typing in the url yourself,
+ by searching on google, duckduckgo or some other reputable search engine or
+ from a bookmark. If after clicking a link in an email you are directed to a
+ log in page, it's probably a phishing attempt
+* Only log in to webpages that are protected by SSL/TLS (HTTPS). Look for a
+ green address bar, or a green lock icon or similar in your browser
+* Use two factor or two step authentication everywhere if possible
+* Turn of automatic image rendering. Better still, disable HTML rendering and
+ authoring entirely
+* Be suspicious of *all* emails. Risky things: HTML email, images, unknown
+ sender, poor spelling/grammer, 'Your email client can't display this email,
+ click here to view in your browser' or similar attempts to coerce you to click
+ on things
+
+Resources
+---------
+
+`EFF notes on Diceware`_ They generally have good advice for these kinds of
+topics.
+
+`This Presentation`_
+
+`Keepass`_, an offline password manager
+
+`1Password`_, a pay to use password manager with some nice features
+
+`LastPass`_, an online password manager with a gratis tier
+
+.. _Diceware: http://world.std.com/~reinhold/diceware.html
+.. _EFF notes on Diceware: https://www.eff.org/dice
+.. _This Presentation: https://git.friedersdorff.com/max/intro_dice_and_pmgmnt
+.. _Keepass: https://keepass.info/
+.. _1Password: https://1password.com/
+.. _LastPass: https://www.lastpass.com/
+
+
+.. target-notes::
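Review bot: "Only log in to webpages that are protected by SSL/TLS (HTTPS). Look for a green address bar, or a green lock icon" overstates what the indicator proves: HTTPS only tells you the connection to the domain in the address bar is encrypted, and a phishing site can have it too, so the check that matters is the domain name, as the faceb00k.com example earlier in the patch says; the green colouring depends on the browser and says nothing about who runs the site, so "a lock icon" is the safer wording. Similarly "A password manager will refuse to fill out a password on a spoofed website" is too strong: it will not offer the entry because the domain does not match the stored one, which only protects you if you do not paste the password in by hand; phrase it as the warning signal it is. Typos in the same block: "Turn of" -> "Turn off", "grammer" -> "grammar", and "Keepass" -> "KeePass" in the Resources list.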