:height: 6.5cm
Consider the following hypothetical users that reuse a strong password in
-most places:
-
-+-------------------+--------------------------+
-| User | Password |
-+===================+==========================+
-| Sucker1@gmail.com | QUo5Qt+1Wa/Q1smDJRDbFg== |
-+-------------------+--------------------------+
-| Sucker2@gmail.com | +9Hz+/20rVkSkbcsmgdVFw== |
-+-------------------+--------------------------+
-| Sucker3@gmail.com | wnYkRcbi7Kkh7Fx2uR8EeA== |
-+-------------------+--------------------------+
+most places and the following common scenario:
+
++------------------+--------------------------+
+| User | Password |
++==================+==========================+
+| mark1@gmail.com | QUo5Qt+1Wa/Q1smDJRDbFg== |
++------------------+--------------------------+
+| mark2@gmail.com | +9Hz+/20rVkSkbcsmgdVFw== |
++------------------+--------------------------+
+| mark3@gmail.com | wnYkRcbi7Kkh7Fx2uR8EeA== |
++------------------+--------------------------+
+
+#. User registers an account with a careless service, eg Facebook, Yahoo,
+ Google, Equifax etc. etc.
+#. The service is hacked and the password database is leaked
+#. The hacker logs in to the email accounts
+#. The hacker resets passwords on all important accounts tied to that email
+ address
+
About password strength
-----------------------
How do they keep passwords secure?
----------------------------------
1. User supplies a password
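Review bot: the added scenario list leaves out the link that makes step 3 work: the reused password in the table is also the password for the @gmail.com address in the User column, which is why a leak from some other service hands the attacker the mailbox. Say it in step 2, e.g. "#. The service is hacked and the password database is leaked; because the password was reused, it is also the user's email password". Step 2 also glosses over how the service stored the passwords (plaintext or a fast hash is what makes a leak immediately usable), which is exactly what the "slow function" in the next section is contrasting against, so one clause there would tie the two sections together. Listing Google as a service whose password database leaked is not supported by anything on the page, unlike Yahoo or Equifax; drop it or keep only examples with a documented breach. Minor: "eg" should be "e.g." and "etc. etc." reads as filler.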
-2. The password is used to derive an encryption key. This process is designed
- to be slow, even on modern hardware
-3. The so generated encryption key is used to encrypt/decrypt your passwords
-
-Note that the security of the encryption depends on the strengh of your
-password. With a poor password (50 bits), it would take the entire computing
-power of the world less than a month to crack the database. With a decent ish
-password (60 bits), it would take on the order of 50 years on average. With a
-better password (70 bits), it would take on the order of 50,000 years.
+2. A slow function derives an encryption key
+3. The encryption key is used to encrypt/decrypt your passwords
+
+Security of the encryption depends on the strengh of your
+password:
+
++---------+------------------------+
+| Entropy | Time to crack, |
+| | assuming 1 second per |
+| | attempt per typical |
+| | CPU |
++=========+========================+
+| 50b | < 1 Month |
++---------+------------------------+
+| 60b | ~ 50 Years |
++---------+------------------------+
+| 70b | ~ 50,000 yers |
++---------+------------------------+
Generating a Strong Password
----------------------------
What about phishing?
====================
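Review bot: the new table header "assuming 1 second per attempt per typical CPU" contradicts the numbers in the rows. At one attempt per second on one CPU, 2^50 attempts take about 36 million years, not under a month; the rows only hold under the model the removed text had, the combined computing power of the world, and all three rows back-solve to roughly the same rate (2^50 in a month, 2^60 in 50 years and 2^70 in 50,000 years each come out near 7 x 10^8 attempts per second). Either restore the attacker model in the header, e.g. "Time to crack, assuming every CPU in the world, 1 second per attempt each", or recompute the rows for a single CPU. Also: "strengh" survives from the old text and should be "strength", "50,000 yers" should be "years", the Entropy column should spell out "bits" rather than "b", and the sentence should say "master password", since the table is about the input to the key derivation, not the passwords stored in the vault.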
-A password manager worth it's salt will refuse to fill out a password on a
-different website, for instance faceb00k.com vs facebook.com
+* A password manager will refuse to fill out a password on a spoofed website,
+ for instance faceb00k.com vs facebook.com
+* Using different passwords on every service protects all other services even
+ if phishing is successful on one of them
+* Good password managers will navigate to the login page for you, reducing the
+ risk of spoofed websites
-Using different passwords on every service limits your vulnerability even if
-phishing is successful
Other advice
------------
* Only log in on webpages that you navigated to by typing in the url yourself,
by searching on google, duckduckgo or some other reputable search engine or
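Review bot: the first new bullet turns the removed line's conditional ("a password manager worth its salt") into an unconditional claim. Only a browser-integrated manager that matches the stored entry against the page's domain refuses to fill faceb00k.com; a user who copies the password out of a standalone vault and pastes it gets no such protection. Qualify it, e.g. "* A password manager that autofills by matching the site's domain will refuse to fill out a password on a spoofed website, for instance faceb00k.com vs facebook.com". The third bullet (the manager navigates to the login page for you) relies on the same domain matching and reads better as a continuation of the first than as a separate point.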
- from a bookmark
-* Only log in to webpages that are
+ from a bookmark. If after clicking a link in an email you are directed to a
+ log in page, it's probably a phishing attempt
+* Only log in to webpages that are protected by SSL/TLS (HTTPS). Look for a
+ green address bar, or a green lock icon or similar in your browser
+* Use two factor or two step authentication everywhere if possible
+* Turn of automatic image rendering. Better still, disable HTML rendering and
+ authoring entirely
+* Be suspicious of *all* emails. Risky things: HTML email, images, unknown
+ sender, poor spelling/grammer, 'Your email client can't display this email,
+ click here to view in your browser' or similar attempts to coerce you to click
+ on things
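Review bot: the HTTPS bullet needs the caveat that the lock only proves an encrypted connection to the domain shown in the address bar, not that the domain is the genuine one; the faceb00k.com example in the previous section can serve perfectly valid HTTPS, so the check is "HTTPS and the right domain", not HTTPS alone. The "green address bar, or a green lock icon" wording is also browser- and version-specific; "a lock icon in the address bar" is the part a reader can rely on. The two-factor bullet is the control that breaks steps 3 and 4 of the scenario in the first table (mailbox takeover followed by password resets), worth stating so the advice connects to the threat. Typos: "Turn of" should be "Turn off", "grammer" should be "grammar", and "log in page" should be "login page".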