From 609ddda2b0f61e4ec0859b02d5e16ffb7bc1b401 Mon Sep 17 00:00:00 2001 From: Maximilian Friedersdorff Date: Fri, 31 May 2019 10:44:29 +0100 Subject: [PATCH] More warnings about phishing --- slides.rst | 80 ++++++++++++++++++++++++++++++++++++------------------ 1 file changed, 54 insertions(+), 26 deletions(-) diff --git a/slides.rst b/slides.rst index f419ab7..e9df0dd 100644 --- a/slides.rst +++ b/slides.rst @@ -8,17 +8,25 @@ Why is Password Reuse a Problem? :height: 6.5cm Consider the following hypothetical users that reuse a strong password in -most places: - -+-------------------+--------------------------+ -| User | Password | -+===================+==========================+ -| Sucker1@gmail.com | QUo5Qt+1Wa/Q1smDJRDbFg== | -+-------------------+--------------------------+ -| Sucker2@gmail.com | +9Hz+/20rVkSkbcsmgdVFw== | -+-------------------+--------------------------+ -| Sucker3@gmail.com | wnYkRcbi7Kkh7Fx2uR8EeA== | -+-------------------+--------------------------+ +most places and the following common scenario: + ++------------------+--------------------------+ +| User | Password | ++==================+==========================+ +| mark1@gmail.com | QUo5Qt+1Wa/Q1smDJRDbFg== | ++------------------+--------------------------+ +| mark2@gmail.com | +9Hz+/20rVkSkbcsmgdVFw== | ++------------------+--------------------------+ +| mark3@gmail.com | wnYkRcbi7Kkh7Fx2uR8EeA== | ++------------------+--------------------------+ + +#. User registers an account with a careless service, eg Facebook, Yahoo, + Google, Equifax etc. etc. +#. The service is hacked and the password database is leaked +#. The hacker logs in to the email accounts +#. The hacker resets passwords on all important accounts tied to that email + address + About password strength ----------------------- 
@@ -73,15 +81,24 @@ Yes* How do they keep passwords secure? ---------------------------------- 1. User supplies a password -2. The password is used to derive an encryption key. This process is designed - to be slow, even on modern hardware -3. The so generated encryption key is used to encrypt/decrypt your passwords - -Note that the security of the encryption depends on the strengh of your -password. With a poor password (50 bits), it would take the entire computing -power of the world less than a month to crack the database. With a decent ish -password (60 bits), it would take on the order of 50 years on average. With a -better password (70 bits), it would take on the order of 50,000 years. +2. A slow function derives an encryption key +3. The encryption key is used to encrypt/decrypt your passwords + +Security of the encryption depends on the strengh of your +password: + ++---------+------------------------+ +| Entropy | Time to crack, | +| | assuming 1 second per | +| | attempt per typical | +| | CPU | ++=========+========================+ +| 50b | < 1 Month | ++---------+------------------------+ +| 60b | ~ 50 Years | ++---------+------------------------+ +| 70b | ~ 50,000 yers | ++---------+------------------------+ Generating a Strong Password ---------------------------- 
@@ -105,11 +122,13 @@ Generate passphrases with Diceware What about phishing? ==================== -A password manager worth it's salt will refuse to fill out a password on a -different website, for instance faceb00k.com vs facebook.com +* A password manager will refuse to fill out a password on a spoofed website, + for instance faceb00k.com vs facebook.com +* Using different passwords on every service protects all other services even + if phishing is successful on one of them +* Good password managers will navigate to the login page for you, reducing the + risk of spoofed websites -Using different passwords on every service limits your vulnerability even if -phishing is successful Other advice ------------ @@ -117,5 +136,14 @@ In no particular order: * Only log in on webpages that you navigated to by typing in the url yourself, by searching on google, duckduckgo or some other reputable search engine or - from a bookmark -* Only log in to webpages that are + from a bookmark. If after clicking a link in an email you are directed to a + log in page, it's probably a phishing attempt +* Only log in to webpages that are protected by SSL/TLS (HTTPS). Look for a + green address bar, or a green lock icon or similar in your browser +* Use two factor or two step authentication everywhere if possible +* Turn of automatic image rendering. Better still, disable HTML rendering and + authoring entirely +* Be suspicious of *all* emails. Risky things: HTML email, images, unknown + sender, poor spelling/grammer, 'Your email client can't display this email, + click here to view in your browser' or similar attempts to coerce you to click + on things -- 2.47.1
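Review bot: In the first hunk (@@ -8,17 +8,25 @@), step 3 of the new numbered scenario ("The hacker logs in to the email accounts") skips the link that makes the slide's point: the leaked password only gets the attacker into the mailbox because it is the same password the user set on the email account. Suggest spelling that out, e.g. "The hacker tries each leaked email/password pair against the email provider; because the password was reused, it works". Minor: "eg" should be "e.g." and "etc. etc." reads as a typo; also consider whether naming specific companies as "a careless service" is the framing you want on a slide, versus "a service that is later breached".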
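Review bot: In the second hunk (@@ -73,15 +81,24 @@), the figures in the new table do not follow from the assumption stated in its header. At one attempt per second on a single CPU, 2^50 guesses take roughly 35 million years, not "< 1 Month"; the prose being removed justified these numbers with "the entire computing power of the world", and that qualifier needs to go back into the header (e.g. "assuming every CPU in the world makes one attempt per second") or the figures need recomputing. The old text also said "on average", which is worth keeping since the expected time is half the exhaustive search. Typos: "strengh" survives from the old text, and "yers" is new; both should be fixed.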
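Review bot: In the third hunk (@@ -105,11 +122,13 @@), the first bullet now states unconditionally that a password manager "will refuse to fill out a password on a spoofed website", but that only holds when the user relies on the manager's domain-matched auto-fill; someone who copies the password out of the manager and pastes it into faceb00k.com gets no such protection. The removed wording ("worth it's salt") at least hinted that behaviour varies between managers. Suggest qualifying the bullet, e.g. "... will refuse to auto-fill a password on a spoofed website, so let it fill rather than copying passwords by hand".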
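Review bot: In the last hunk (@@ -117,5 +136,14 @@), the SSL/TLS bullet reads as if the lock icon tells a legitimate site from a phishing site, but a phishing page can be served over HTTPS with a valid certificate; the lock only means the connection to the domain shown in the address bar is encrypted. Suggest adding that the reader must still check the domain name, and replacing "green address bar, or a green lock icon" with "a padlock icon and https:// in the address bar", since the colouring is browser-specific and changes between versions. Typos: "Turn of" should be "Turn off" and "grammer" should be "grammar"; "disable HTML rendering and authoring" is unclear, "composing" would be plainer if that is what is meant.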