X-Git-Url: https://git.friedersdorff.com/?a=blobdiff_plain;f=slides.rst;h=b4bba61bb071ecd294f8e2910861e94acc54b640;hb=4b392c68a9af343e9e5312e709c2cde6b6f6828f;hp=5e7d6ce117463aee2c78acc0ed20fe63f767324e;hpb=7d3423f860c17e76554c34fbfbb21f7ce4c6d595;p=max%2Fintro_dice_and_pmgmnt.git diff --git a/slides.rst b/slides.rst index 5e7d6ce..b4bba61 100644 --- a/slides.rst +++ b/slides.rst @@ -1,11 +1,38 @@ +Surviving phishing +------------------ +Password reuse, password managers and strong passwords +====================================================== +.. contents:: :depth: 1 + Why is Password Reuse a Problem? -------------------------------- .. image:: password_reuse_1.png -.. image:: password_reuse_2.png -.. image:: password_reuse_3.png + :height: 6.5cm + +Consider the following hypothetical users that reuse a strong password in +most places and the following common scenario: + ++------------------+--------------------------+ +| User | Password | ++==================+==========================+ +| mark1@gmail.com | QUo5Qt+1Wa/Q1smDJRDbFg== | ++------------------+--------------------------+ +| mark2@gmail.com | +9Hz+/20rVkSkbcsmgdVFw== | ++------------------+--------------------------+ +| mark3@gmail.com | wnYkRcbi7Kkh7Fx2uR8EeA== | ++------------------+--------------------------+ + +#. User registers an account with a careless service, eg Facebook, Yahoo, + Google, Equifax etc. etc. +#. The service is hacked and the password and email is leaked +#. The hacker logs in to the email account +#. The hacker resets passwords on all important accounts tied to that email + address + About password strength ----------------------- + How is strength measured? ========================= 'Entropy' `s` depends on the size of the alphabet `a` and the length `n` of the 
@@ -31,6 +58,8 @@ reuse them. It's surprisingly difficult for humans to generate good passwords! +A strong password, as of 2019, has at least 80 bits of entropy. + Password Managers to the Rescue! -------------------------------- Password managers allow you to create a unique and strong password for every @@ -54,15 +83,24 @@ Yes* How do they keep passwords secure? ---------------------------------- 1. User supplies a password -2. The password is used to derive an encryption key. This process is designed - to be slow, even on modern hardware -3. The so generated encryption key is used to encrypt/decrypt your passwords - -Note that the security of the encryption depends on the strengh of your -password. With a poor password (50 bits), it would take the entire computing -power of the world less than a month to crack the database. With a decent ish -password (60 bits), it would take on the order of 50 years on average. With a -better password (70 bits), it would take on the order of 50,000 years. +2. A slow function derives an encryption key +3. The encryption key is used to encrypt/decrypt your passwords + +Security of the encryption depends on the strengh of your +password: + ++---------+------------------------+ +| Entropy | Time to crack, | +| | assuming 1 second per | +| | attempt per typical | +| | CPU | ++=========+========================+ +| 50b | < 1 Month | ++---------+------------------------+ +| 60b | ~ 50 Years | ++---------+------------------------+ +| 70b | ~ 50,000 yers | ++---------+------------------------+ Generating a Strong Password ---------------------------- 
@@ -71,10 +109,10 @@ Passphrases are better than passwords: * Tr0ub4dor&3 -> 28 bits of entropy, hard to remember * correct horse battery stable -> 44 bits of entropy, easy to remember -Use passphrases everywhere you have to remember. +If you have to remember it, use a passphrase. -Generate passphrases with Diceware -================================== +Generate passphrases with Diceware_ +=================================== 1. Roll 5, 6 sided, *physical* dice 2. Read the numbers left to right 3. Find the word with that number on a list 6^5 (7776) words 
@@ -83,3 +121,55 @@ Generate passphrases with Diceware 5. Write down your passphrase on paper and keep it somewhere secure 6. If you are 100% confident that you will not forget the passphrase, destroy the paper by burning + +What about phishing? +==================== +* A password manager will refuse to fill out a password on a spoofed website, + for instance faceb00k.com vs facebook.com +* Using different passwords on every service protects all other services even + if phishing is successful on one of them +* Good password managers will navigate to the login page for you, reducing the + risk of spoofed websites + + +Other advice +------------ +In no particular order: + +* Only log in on webpages that you navigated to by typing in the url yourself, + by searching on google, duckduckgo or some other reputable search engine or + from a bookmark. If after clicking a link in an email you are directed to a + log in page, it's probably a phishing attempt +* Only log in to webpages that are protected by SSL/TLS (HTTPS). Look for a + green address bar, or a green lock icon or similar in your browser +* Use two factor or two step authentication everywhere if possible +* Turn of automatic image rendering. Better still, disable HTML rendering and + authoring entirely +* Be suspicious of *all* emails. Risky things: HTML email, images, unknown + sender, poor spelling/grammer, 'Your email client can't display this email, + click here to view in your browser' or similar attempts to coerce you to click + on things + +Resources +--------- + +`EFF notes on Diceware`_ They generally have good advice for these kinds of +topics. + +`This Presentation`_ + +`Keepass`_, an offline password manager + +`1Password`_, a pay to use password manager with some nice features + +`LastPass`_, an online password manager with a gratis tier + +.. _Diceware: http://world.std.com/~reinhold/diceware.html +.. _EFF notes on Diceware: https://www.eff.org/dice +.. 
_This Presentation: https://git.friedersdorff.com/max/intro_dice_and_pmgmnt +.. _Keepass: https://keepass.info/ +.. _1Password: https://1password.com/ +.. _LastPass: https://www.lastpass.com/ + + +.. target-notes::
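Review bot: in the first hunk (@@ -1,11 +1,38 @@) the new table under "Consider the following hypothetical users that reuse a strong password in most places" does not actually show reuse: it lists three users with three different passwords, so a reader cannot see that any one password is used on more than one service. Either list one user's accounts across several services with the same password in each row, or state explicitly that each listed password is the one that user types into both the careless service and their email account. Relatedly, step 3 `The hacker logs in to the email account` only follows if the leaked password is also the email password; make the reuse link explicit, for example `The hacker tries the leaked password on the email account, and because it was reused, it works`. Minor: `the password and email is leaked` should read `are leaked`, and `eg` should be `e.g.`.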
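Review bot: in the second hunk (@@ -31,6 +58,8 @@) the added line `A strong password, as of 2019, has at least 80 bits of entropy.` is asserted without a source and without a link to the rest of the deck. Cite where the 80-bit figure comes from, and tie it to the Diceware procedure later in the file: with the `6^5 (7776)` word list each word contributes log2(7776), roughly 12.9 bits, so six words give about 77.5 bits and seven about 90, which is the number a reader needs in order to act on this line. As written, the deck's only passphrase example (`correct horse battery stable -> 44 bits of entropy`) falls well short of the stated target, and that gap should be acknowledged next to the example.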
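Review bot: in the third hunk (@@ -54,15 +83,24 @@) the replacement table drops the assumption that made the removed prose's numbers work. The deleted text said `it would take the entire computing power of the world less than a month to crack the database`; the new header says only `assuming 1 second per attempt per typical CPU`, and at one attempt per second on a single CPU a 50-bit search space takes 2^50 seconds, roughly 35 million years, not `< 1 Month`. Either put the assumed number of CPUs back into the header (the old "entire computing power of the world" wording, or a concrete count) or restate the rows for a single machine. Also fix the spellings `strengh` and `yers`, and write `50 bits` rather than `50b`, since the rest of the deck spells out `bits`.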
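Review bot: in the fourth hunk (@@ -83,3 +121,55 @@) the advice `Only log in to webpages that are protected by SSL/TLS (HTTPS). Look for a green address bar, or a green lock icon` needs a caveat: the lock only means the connection to the domain shown in the address bar is encrypted; it says nothing about whether that domain is the one you intended, and a spoofed site such as the `faceb00k.com` example in the same section can present a perfectly valid certificate. Rephrase so that the lock is a necessary check to be combined with reading the domain name, not a sign that the page is genuine. In the same section, `A password manager will refuse to fill out a password on a spoofed website` overstates the mechanism: the manager declines to autofill because the page origin does not match the saved entry, and it cannot stop a user pasting the password by hand, so `will not offer to autofill` is the accurate wording. Typos: `Turn of` should be `Turn off`, and `grammer` should be `grammar`.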