From a40b700601744e7f83856df4e8a1d28159ea4951 Mon Sep 17 00:00:00 2001 From: Maximilian Friedersdorff Date: Fri, 31 May 2019 10:07:51 +0100 Subject: [PATCH] Start explaining dangers of password reuse --- slides.rst | 40 ++++++++++++++++++++++++++++++++++++++-- 1 file changed, 38 insertions(+), 2 deletions(-) diff --git a/slides.rst b/slides.rst index 5e7d6ce..f419ab7 100644 --- a/slides.rst +++ b/slides.rst @@ -1,11 +1,28 @@ +Surviving phishing +------------------ +Password reuse, password managers and strong passwords +====================================================== Why is Password Reuse a Problem? -------------------------------- .. image:: password_reuse_1.png -.. image:: password_reuse_2.png -.. image:: password_reuse_3.png + :height: 6.5cm + +Consider the following hypothetical users that reuse a strong password in +most places: + ++-------------------+--------------------------+ +| User | Password | ++===================+==========================+ +| Sucker1@gmail.com | QUo5Qt+1Wa/Q1smDJRDbFg== | ++-------------------+--------------------------+ +| Sucker2@gmail.com | +9Hz+/20rVkSkbcsmgdVFw== | ++-------------------+--------------------------+ +| Sucker3@gmail.com | wnYkRcbi7Kkh7Fx2uR8EeA== | ++-------------------+--------------------------+ About password strength ----------------------- + How is strength measured? ========================= 'Entropy' `s` depends on the size of the alphabet `a` and the length `n` of the @@ -31,6 +48,8 @@ reuse them. It's surprisingly difficult for humans to generate good passwords! +A strong password, as of 2019, has at least 80 bits of entropy. + Password Managers to the Rescue! -------------------------------- Password managers allow you to create a unique and strong password for every 
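Review bot: The three sample addresses in the new table (`Sucker1@gmail.com`, `Sucker2@gmail.com`, `Sucker3@gmail.com`) sit at a real mail provider; for hypothetical users use the reserved documentation domain instead, e.g. `Sucker1@example.com`, so the slides never name mailboxes someone could actually own. Two smaller points in the same hunk: "hypothetical users that reuse" reads better as "who reuse", and since the `.. image:: password_reuse_2.png` and `.. image:: password_reuse_3.png` directives are dropped, check whether those PNG files should leave the repository in the same commit (or whether `password_reuse_1.png` is now a single combined figure). The added line "A strong password, as of 2019, has at least 80 bits of entropy" would land better with one clause on what the figure is sized against, since the surrounding text explains how entropy is computed from alphabet size and length but not why 80 bits is the threshold.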
@@ -83,3 +102,20 @@ Generate passphrases with Diceware 5. Write down your passphrase on paper and keep it somewhere secure 6. If you are 100% confident that you will not forget the passphrase, destroy the paper by burning + +What about phishing? +==================== +A password manager worth it's salt will refuse to fill out a password on a +different website, for instance faceb00k.com vs facebook.com + +Using different passwords on every service limits your vulnerability even if +phishing is successful + +Other advice +------------ +In no particular order: + +* Only log in on webpages that you navigated to by typing in the url yourself, + by searching on google, duckduckgo or some other reputable search engine or + from a bookmark +* Only log in to webpages that are -- 2.47.1
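Review bot: Typo in the new "What about phishing?" section: "worth it's salt" should be "worth its salt". The final bullet under "Other advice", "Only log in to webpages that are", stops mid-sentence; finish it or hold it back from this commit so the slide does not render a dangling item. The password-manager paragraph also deserves one explicit caveat: the manager declining to fill a login on `faceb00k.com` only protects the reader who treats that refusal as a signal to stop and check the address, not as a prompt to paste the password in by hand, so say that the refusal itself is the warning. Minor style in the bullets: "url" should be "URL", and "google, duckduckgo" should be "Google, DuckDuckGo".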