[ale] OT - New encryption technology using a piece of paper

Ron Frazier atllinuxenthinfo at c3energy.com
Sat Sep 3 22:40:24 EDT 2011


Comments inline.

On 9/3/2011 7:25 PM, Michael Trausch wrote:
> On 09/03/2011 06:01 PM, Ron Frazier wrote:
>
>> Hi Mike,
>>

snip

> Incorrect.  I'm guessing you couldn't find it within yourself to google
> for "password card".  Here is the site, which is also the first result
> at Google:  http://www.passwordcard.org/en
>
> If you check the box that includes symbols, you have a card that fits in
> your wallet from which you can generate pseudorandom passwords.  You can
> have memorable patterns based on the symbols along the top, the row
> numbers on the left, the colors, or anything else that you find that you
> can remember.  This system _works_ even with people who hate trying to
> remember passwords.  Using the password card, you don't have to remember
> the password; you only have to remember how to derive it.
>
> I have been using the password card system for some time now.  I use as
> many characters in my passwords as I can get away with when I am unable
> to use pass phrases.  (I prefer pass phrases, because they are longer,
> more memorable, more effective, and if you pick them nonsensically
> enough, are virtually impossible to guess.)  Passphrases are really good
> for protecting private keys.  For Web sites, I mostly use my password
> card.  Good luck cracking the passwords at any of the sites that I have
> an account on (unless they are in plaintext, but even so, you can't get
> to any of my other accounts that way).
>
>    

Why would I have any inclination to Google the phrase password card?  
Nothing I've ever encountered would lead me to believe it means anything 
other than a card with passwords on it.  However, since you cited the 
link, it looks pretty cool.  I might even use it.  I'll be sure to 
suggest to Steve that he mention it to his listeners during his 
podcast.  I'll also suggest that he talk about pass phrases if he hasn't 
already.  I think he covered a lot of that ground in podcast 303, so I 
might have to re-listen to that.  Thanks also to Michael W for the info 
on pass phrases he posted.

> I use passphrases for wireless networks; they cannot be guessed, but if
> I have given you my passphrase one time, you'll likely never forget it.
>   I also do not have to go digging through files to find where I put the
> stupid thing when I have to tie something else to my network.  I am a
> member of the school of thought of working smart, not working hard.
>    

I have a pass phrase on one of my routers for the guest password, and on 
my Dad's for the guest password.  I'm also using one for my online 
backup.  However, they're complex enough that I still have to store them 
somewhere and look them up.  There just get to be too many things to 
remember at some point.  They are much easier to tell others however.

> Password cards are simpler, with higher available entropy, and have no
> requirements on algorithm or process.  Therefore, they are more robust
> systems which can be employed by more people for less time investment,
> and thus they can actually increase security because people will
> actually _use_ them.
>
>    

I'm sure some people will find password cards easier and others may find 
Latin Squares easier.  Plenty to go around for everyone.

>>   I am
>> sorry to say that both my bank (which shall remain nameless)
>>      
> Please, tell.  I want to know who NOT to go to for an account should I
> have to hunt in the future.  (Unless it's Chase, which I am already
> aware of.)
>
>    

I have no intention of enticing you all to hack my bank.  Those 
interested should call customer service of a prospective bank, ask for 
help with online banking, then ask what the password criteria are.

>> as well as
>> the job posting website of a major national defense lab (which shall
>> also remain nameless) both limit me to 8 characters.
>>      
> Then clearly they are not a worthwhile place of employment because they
> either do not know what they are talking about, or they feel that they
> (like many other alleged security companies) are somehow above the way
> the world works.
>
>    

I don't think I'd say that a premier Federal National lab with some of 
the most brilliant scientists in the country is not worth working for 
just because their job board has 1990s-vintage security systems.  
However, I do find it exceedingly frustrating.

> It follows his usual pattern, unfortunately.  Instead of working to help
> improve things, he is working to solidify things the way they are.  What
> makes *me* curious is what sort of motivation does he have for doing so?
>
>    

He's always slamming corporations for storing non-hashed passwords, not 
salting, putting length restrictions on them, etc.  However, he also 
tries to help users deal with the real world conditions they face.  I'm 
sure that if the bank or the lab had asked Steve how to set up their 
systems, I wouldn't have to be dealing with the limits that I do.

> His system creates low entropy passwords, end of story.  Unless you're
> using 50 characters, it is really not worthwhile to attempt to use a
> password where the characters come from a pool of only 52 possibilities.
>
>    

Not universally true.  His DEFAULT procedure, which he shares, has 12 
upper/lower-case characters.  However, it is trivial to add more 
length, or symbols, or numbers, or all three.  He has a web page that 
explains how to do that.

> The page requires you to put the password INTO THE SITE?  And people
> ACTUALLY DO IT?  Please, stop.  You're hurting me.
>
>    

Wrong.  Everything is done by JavaScript on the page.  Nothing is 
transmitted.  I'm sure that could be confirmed by examining the source 
code or placing a sniffer on the net.

>> Count of all possible passwords with this alphabet: 99,246,114,928,149,462
>> Time to crack it - Online attack - 1000 guesses / second: 31.56 thousand
>> centuries
>>      
> So he's off by about 38,000 quadrillion.  But that's okay, because it's
> not like the site knew that the pool was as limited as it was.
>
>    

I would imagine his numbers are right.  However, I don't have the 
knowledge of number theory that I'd need to verify either his or your 
numbers.

> Gibson seems to be in the business of making people feel safer than they
> have any business feeling.  He seems to be in the business of making
> people like me out to be "paranoids".
>
>    

Steve is all about being paranoid.  I don't think he's ever criticized 
anyone, including people like yourself, for being too paranoid.  I 
certainly have never criticized that either.

> I'm no longer interested.  I've evaluated his grid enough to see that it
> is worthy of his reputation, and that's really all I need to know.  I
> will continue going about my business and using strong passwords and
> passphrases because honestly, I have a system that works better and
> requires less time and know-how, meaning that I can focus on my work and
> not on useless bull like password management.
>
> 	--- Mike
>
>    

You really seem eager to trash someone you barely know.  Regardless, if 
you have a system that works for you, that's great.  I may use all or 
parts of it myself.  If Steve passes it along to listeners, they may use 
it too.  He likes to give users various options so they can use what 
works for them.

Sincerely,

Ron

-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com
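The "count of all possible passwords" figure quoted in the thread (99,246,114,928,149,462) is reproduced below as an added worked example, not code from the original message: it is the sum of a^k for k = 1..12 with a = 26, i.e. every candidate of up to 12 lowercase letters, and the "1000 guesses / second" time follows from dividing that count by the guess rate. The 52-symbol (upper + lower case) and 8-character printable-ASCII rows are assumptions added for comparison with the 12-character default and the 8-character site limits discussed above.

```python
import math

# Seconds in a century, assuming 365.25-day years (assumption; the quoted
# "31.56 thousand centuries" may have used a slightly different year length).
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def search_space(alphabet_size: int, max_length: int) -> int:
    """Number of passwords of length 1..max_length over the given alphabet.

    Closed form of the geometric series a + a^2 + ... + a^n, which is the
    "haystack"-style count that includes every shorter candidate.
    """
    a, n = alphabet_size, max_length
    return (a ** (n + 1) - a) // (a - 1)


def entropy_bits(count: int) -> float:
    """Bits of entropy for a password chosen uniformly from `count` candidates."""
    return math.log2(count)


def centuries_to_exhaust(count: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate, in centuries."""
    return count / guesses_per_second / SECONDS_PER_CENTURY


def compare(rows, guesses_per_second=1000):
    """Return (label, count, bits, centuries) for each (label, alphabet, length) row."""
    out = []
    for label, a, n in rows:
        c = search_space(a, n)
        out.append((label, c, entropy_bits(c),
                    centuries_to_exhaust(c, guesses_per_second)))
    return out


if __name__ == "__main__":
    # Constructed comparison rows: the first reproduces the thread's count;
    # the other two are assumptions (52 = upper+lower case, 95 = printable ASCII).
    rows = [
        ("lowercase, up to 12 chars", 26, 12),
        ("upper+lower, up to 12 chars", 52, 12),
        ("printable ASCII, up to 8 chars", 95, 8),
    ]
    for label, c, bits, cent in compare(rows):
        print(f"{label:32s} {c:>26,d}  {bits:5.1f} bits  "
              f"{cent:14,.0f} centuries @ 1000 guesses/s")
```

The 8-character printable-ASCII row lands at roughly 52.6 bits, below the 12-lowercase-letter row, which is the practical cost of the length limits complained about in the thread.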
