X-Git-Url: https://git.friedersdorff.com/?a=blobdiff_plain;f=slides.rst;h=2d143b7f59b1f6ab2cac67cf8293fa7432f42e97;hb=HEAD;hp=f419ab7a93809b5a6295429583eba14e6f500347;hpb=a40b700601744e7f83856df4e8a1d28159ea4951;p=max%2Fintro_dice_and_pmgmnt.git diff --git a/slides.rst b/slides.rst index f419ab7..2d143b7 100644 --- a/slides.rst +++ b/slides.rst @@ -2,23 +2,33 @@ Surviving phishing ------------------ Password reuse, password managers and strong passwords ====================================================== +.. contents:: :depth: 1 + Why is Password Reuse a Problem? -------------------------------- .. image:: password_reuse_1.png :height: 6.5cm Consider the following hypothetical users that reuse a strong password in -most places: - -+-------------------+--------------------------+ -| User | Password | -+===================+==========================+ -| Sucker1@gmail.com | QUo5Qt+1Wa/Q1smDJRDbFg== | -+-------------------+--------------------------+ -| Sucker2@gmail.com | +9Hz+/20rVkSkbcsmgdVFw== | -+-------------------+--------------------------+ -| Sucker3@gmail.com | wnYkRcbi7Kkh7Fx2uR8EeA== | -+-------------------+--------------------------+ +most places and the following common scenario: + ++------------------+--------------------------+ +| User | Password | ++==================+==========================+ +| mark1@gmail.com | QUo5Qt+1Wa/Q1smDJRDbFg== | ++------------------+--------------------------+ +| mark2@gmail.com | +9Hz+/20rVkSkbcsmgdVFw== | ++------------------+--------------------------+ +| mark3@gmail.com | wnYkRcbi7Kkh7Fx2uR8EeA== | ++------------------+--------------------------+ + +#. User registers an account with a careless service, eg Facebook, Yahoo, + Google, Equifax etc. etc. +#. The service is hacked and the password and email is leaked +#. The hacker logs in to the email account +#. The hacker resets passwords on all important accounts tied to that email + address + About password strength ----------------------- 
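Review bot: step 3 of the new numbered scenario ("The hacker logs in to the email account") only follows from step 2 if the leaked password is also the password of the email account itself; that is the whole point of the reuse example, but the list never says it. Suggest making it explicit, e.g. "The password is the same one the user chose for mark1@gmail.com, so the hacker logs in to the email account", so that the reset-everything step 4 is clearly a consequence of reusing one password on the mailbox rather than of the breach alone. Two smaller points in the same hunk: a breached service normally leaks a password hash rather than the plaintext, so the attacker has to crack it first, which is where the strength discussion in the next section comes in and is worth a half sentence here; and "eg" should be "e.g." (the list item also repeats "etc. etc.").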
@@ -73,15 +83,24 @@ Yes* How do they keep passwords secure? ---------------------------------- 1. User supplies a password -2. The password is used to derive an encryption key. This process is designed - to be slow, even on modern hardware -3. The so generated encryption key is used to encrypt/decrypt your passwords - -Note that the security of the encryption depends on the strengh of your -password. With a poor password (50 bits), it would take the entire computing -power of the world less than a month to crack the database. With a decent ish -password (60 bits), it would take on the order of 50 years on average. With a -better password (70 bits), it would take on the order of 50,000 years. +2. A slow function derives an encryption key +3. The encryption key is used to encrypt/decrypt your passwords + +Security of the encryption depends on the strengh of your +password: + ++---------+------------------------+ +| Entropy | Time to crack, | +| | assuming 1 second per | +| | attempt per typical | +| | CPU | ++=========+========================+ +| 50b | < 1 Month | ++---------+------------------------+ +| 60b | ~ 50 Years | ++---------+------------------------+ +| 70b | ~ 50,000 yers | ++---------+------------------------+ Generating a Strong Password ---------------------------- @@ -90,10 +109,10 @@ Passphrases are better than passwords: * Tr0ub4dor&3 -> 28 bits of entropy, hard to remember * correct horse battery stable -> 44 bits of entropy, easy to remember -Use passphrases everywhere you have to remember. +If you have to remember it, use a passphrase. -Generate passphrases with Diceware -================================== +Generate passphrases with Diceware_ +=================================== 1. Roll 5, 6 sided, *physical* dice 2. Read the numbers left to right 3. Find the word with that number on a list 6^5 (7776) words 
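Review bot: the new crack-time table drops the assumption that made the old prose numbers work, and the header it replaces it with does not reproduce them. At "1 second per attempt per typical CPU" a single CPU needs 2^50 seconds for 50 bits, which is roughly 36 million years, not "< 1 Month"; the old text's "< 1 Month", "~ 50 Years" and "~ 50,000 years" only come out if, as the removed sentence said, "the entire computing power of the world" is attacking, i.e. something on the order of a billion such CPUs in parallel. Suggest putting that parallelism back into the header (e.g. "Time to crack, 1 s per attempt per CPU, ~10^9 CPUs in parallel") and stating whether the figures are worst case or average (average is half the keyspace), otherwise the table teaches the wrong intuition about how slow a KDF needs to be. Also two typos in added lines: "strengh" in "Security of the encryption depends on the strengh of your" and "yers" in "| 70b | ~ 50,000 yers |".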
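Review bot: the Diceware steps in the last hunk on this page never say how many words to roll, yet the table earlier in the same diff frames 60 to 70 bits as the target. With a 6^5 (7776) word list each word contributes log2(7776), about 12.9 bits, so 5 words give about 64.6 bits and 6 words about 77.5 bits; suggest adding a step 4 ("Repeat for 5 or 6 words") so the reader can connect the procedure to the entropy figures, and note that the strength claim only holds if the dice really are rolled, not if words are hand picked from the list. Minor: the xkcd passphrase quoted in the unchanged context is "correct horse battery staple", not "stable".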
@@ -105,11 +124,13 @@ Generate passphrases with Diceware What about phishing? ==================== -A password manager worth it's salt will refuse to fill out a password on a -different website, for instance faceb00k.com vs facebook.com +* A password manager will refuse to fill out a password on a spoofed website, + for instance faceb00k.com vs facebook.com +* Using different passwords on every service protects all other services even + if phishing is successful on one of them +* Good password managers will navigate to the login page for you, reducing the + risk of spoofed websites -Using different passwords on every service limits your vulnerability even if -phishing is successful Other advice ------------ 
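Review bot: the first new bullet turns the old qualified claim ("A password manager worth it's salt will refuse ...") into an unconditional one ("A password manager will refuse to fill out a password on a spoofed website"), which is too strong. The protection comes from the manager matching the stored entry's origin against the page's origin before autofilling; a manager without that check, a browser's own autofill, or a user who copies and pastes the password by hand gets no protection against faceb00k.com. Suggest keeping the qualifier and naming the mechanism, e.g. "A good password manager fills a password only on the site it was saved for, so it stays silent on faceb00k.com", and folding the third bullet into it, since "navigate to the login page for you" is the same origin-matching feature seen from the other side. The second bullet is the strongest point in the hunk and could lead: a phished password is still lost, but with unique passwords only that one service is.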
@@ -117,5 +138,38 @@ In no particular order: * Only log in on webpages that you navigated to by typing in the url yourself, by searching on google, duckduckgo or some other reputable search engine or - from a bookmark -* Only log in to webpages that are + from a bookmark. If after clicking a link in an email you are directed to a + log in page, it's probably a phishing attempt +* Only log in to webpages that are protected by SSL/TLS (HTTPS). Look for a + green address bar, or a green lock icon or similar in your browser +* Use two factor or two step authentication everywhere if possible +* Turn of automatic image rendering. Better still, disable HTML rendering and + authoring entirely in your email client +* Be suspicious of *all* emails. Risky things: HTML email, images, unknown + sender, poor spelling/grammer, 'Your email client can't display this email, + click here to view in your browser' or similar attempts to coerce you to click + on things + +Resources +--------- + +`EFF notes on Diceware`_ They generally have good advice for these kinds of +topics. + +`This Presentation`_ + +`Keepass`_, an offline password manager + +`1Password`_, a pay to use password manager with some nice features + +`LastPass`_, an online password manager with a gratis tier + +.. _Diceware: http://world.std.com/~reinhold/diceware.html +.. _EFF notes on Diceware: https://www.eff.org/dice +.. _This Presentation: https://git.friedersdorff.com/max/intro_dice_and_pmgmnt +.. _Keepass: https://keepass.info/ +.. _1Password: https://1password.com/ +.. _LastPass: https://www.lastpass.com/ + + +.. target-notes::
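Review bot: the completed bullet "Only log in to webpages that are protected by SSL/TLS (HTTPS). Look for a green address bar, or a green lock icon" gives the wrong signal for a phishing talk: HTTPS and a padlock show that the connection is encrypted to the domain in the address bar, not that the domain is the one the user thinks it is, and a spoofed faceb00k.com can present a perfectly valid certificate. The green colouring is also specific to particular browser versions and is not something to teach as a check. Suggest rewording to "Expect HTTPS, but read the domain in the address bar; the lock says who you are encrypted to, not whether that is the real site", which also ties back to the earlier bullet about only logging in on pages reached by typing the URL or from a bookmark. Typos in added lines: "Turn of automatic image rendering" should be "Turn off", "poor spelling/grammer" should be "grammar", and "log in page" should be "login page" when used as a noun.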