[ale] OT - New encryption technology using a piece of paper

Michael Trausch mike at trausch.us
Sat Sep 3 23:37:06 EDT 2011


On 09/03/2011 10:40 PM, Ron Frazier wrote:
> On 9/3/2011 7:25 PM, Michael Trausch wrote:
>> On 09/03/2011 06:01 PM, Ron Frazier wrote:
> 
> Why would I have any inclination to Google the phrase password card? 
> Nothing I've ever encountered would lead me to believe it means anything
> other than a card with passwords on it.

Because there was a big buzz about it on several security sites
somewhere between six months and a year ago, as well as on a large
number of blogs?  Because I wouldn't be so stupid as to advocate that
someone actually put cards with actual passwords on them in their
wallets?  Because you're curious about what I might be talking about
that sounded like it was a better option when, as I obviously did the
first time around, I forget to put the link in the email?

I don't know.  I can think of a number of reasons.  I lean on Google a
lot to clear things up when I think something might be slightly off or
"smell funny".  I suppose I simply expect that others do, too.

> However, since you cited the
> link, it looks pretty cool.  I might even use it.  I'll be sure and
> suggest to Steve that he mention it to his listeners during his
> podcast.

I would expect him to know about them already and not have reinvented a
worse wheel.  Of course, nobody's perfect, but Gibson simply is not a
security expert.

The last time you sang his praises on the list I took some time to
listen to several episodes of his podcast.  There were several things he
discussed that were simply plain incorrect, several others that had
kernels of truth in them, a few that were almost correct, and only a
very few that were actually dead on.  As I've mentioned, even broken
clocks are right twice a day.  He can't get *everything* wrong, that
would surpass even my expectations of a human being.

> I'm sure some people will find password cards easier and others may find
> Latin Squares easier.  Plenty to go around for everyone.

I'm not sure how something that requires an algorithm to be correctly
used would be easier when compared to something that can be used freely
with little special effort.  The only thing that you need to do with a
password card is pick a pattern.  It really is much more versatile, and
you really don't have to even read the Web page to learn how to use it.

Simpler is almost universally better.

>>>   I am
>>> sorry to say that both my bank (which shall remain nameless)
>>>      
>> Please, tell.  I want to know who NOT to go to for an account should I
>> have to hunt in the future.  (Unless it's Chase, which I am already
>> aware of.)
>>
> 
> I have no intention of enticing you all to hack my bank.  Those
> interested should call customer service of a prospective bank, ask for
> help with online banking, then ask what the password criteria are.
> 

Yes, because that's what we at ALE do.  We wait for information about
things and break into their networks.  We don't have better things to do
like, I don't know, service our clients and spend time with our families.

It would be helpful to know what bank to avoid.  If someone was going to
(or is going to) attempt to crack into your bank, they will do it
regardless of what is posted on the list or not.  Oh, well.

>>> as well as
>>> the job posting website of a major national defense lab (which shall
>>> also remain nameless) both limit me to 8 characters.
>>>      
>> Then clearly they are not a worthwhile place of employment because they
>> either do not know what they are talking about, or they feel that they
>> (like many other alleged security companies) are somehow above the way
>> the world works.
>>
> I don't think I'd say that a premier Federal National lab with some of
> the most brilliant scientists in the country is not worth working for
> just because their job board has 1990's vintage security systems. 
> However, I do find it exceedingly frustrating.

If they are a "premier Federal National lab with some of the most
brilliant scientists in the country" and are also a defense contractor,
then they are expected to be in the business of knowing their stuff and
operating with relevant and current security practices.  If a
business---governmental entity or not---claims to know security (which
defense is a part of), but does such things as using systems that are
known insecure, especially when known to be insecure by design, then
they can't be taken seriously.

That's like HBGary, which claims to be an IT security firm, saying that
they know security.  However, both the firm and the CEO were affected by
directed attacks that, should the company's claims have been correct,
should not have been possible.  Will anyone take HBGary seriously again?
Only those who buy into marketing and don't do their homework, I suspect.

That's like LifeLock, which claims to be so safe and secure as to
prevent identity theft for all of its subscribers, being taken seriously
even though the owner (or CEO, I don't remember which) of the company
publishes his social security number widely---and has himself been the
victim of identity theft several times since the company was started.

>> It follows his usual pattern, unfortunately.  Instead of working to help
>> improve things, he is working to solidify things the way they are.  What
>> makes *me* curious is what sort of motivation does he have for doing so?
> 
> He's always slamming corporations for storing non hashed passwords, not
> salting, putting length restrictions on them, etc.  However, he also

He'd simply be unworthy of being called an IT professional if he didn't.

One cannot commend a self-proclaimed security expert for knowing
something that everyone in the various IT fields already knows.  Of
course, just because everyone knows it doesn't mean that everyone
follows it.  Everyone who doesn't seems to always have a (in their own
eyes) valid excuse.

> tries to help users deal with the real world conditions they face.  I'm
> sure that if the bank or the lab had asked Steve how to set up their
> systems, I wouldn't have to be dealing with the limits that I do.

Then why doesn't he encourage people to do things that have been
historically shown to work in the past?  Move away from companies that
are known to not care about their users' security, and so forth?  That
would be rather more useful than not doing so.

>> His system creates low entropy passwords, end of story.  Unless you're
>> using 50 characters, it is really not worthwhile to attempt to use a
>> password where the characters come from a pool of only 52 possibilities.
> 
> Not universally true.  His DEFAULT procedure which he shares has 12
> upper / lower case characters.  However, it is trivial to add more
> length, or symbols, or numbers, or all three.  He has a web page that
> explains how to do that.

Again, his system is far more complex than the password card.  That
makes it less secure because it is more likely to be used incorrectly.
The entropy is too low to trust that it can be used without some sort of
algorithm to ensure at least a minimum level of validity.

Any good system should work with randomness, anyway.  Using an algorithm
keyed on the name of a domain is actually lowering entropy.  My
calculations didn't take that into effect, namely because I don't know
just how to accommodate that.  Mike Warfield might, though.

>> The page requires you to put the password INTO THE SITE?  And people
>> ACTUALLY DO IT?  Please, stop.  You're hurting me.
> 
> Wrong.  Everything is done by JavaScript on the page.  Nothing is
> transmitted.  I'm sure that could be confirmed by examining the source
> code or placing a sniffer on the net.

Unless you have read the JavaScript and can vouch for that, I'll choose
to believe that putting a password into a Web site to check it before
using it on another Web site is a pretty stupid thing to do.
Universally so.  A real security expert would tell you the same thing, I
suspect.  Why would you want to potentially seed someone's database?
That'd be a most excellent way to do so, "please, enter your password
here.  I'll tell you if it's strong." "..." "Hey, good password! [quick,
save it in the database table and we'll sell it later!]".

There are a number of tools that are available, and are free software,
that can check the strength of a password without ever contacting a node
on the Internet or running over something like the Web.  If he didn't
have negative motivations, why wouldn't he simply recommend one of them?
Aside from the fact that he thinks he knows better than everyone else?
SpinRite, enough said.

>>> Count of all possible passwords with this alphabet:
>>> 99,246,114,928,149,462
>>> Time to crack it - Online attack - 1000 guesses / second: 31.56 thousand
>>> centuries
>>>      
>> So he's off by about 38,000 quadrillion.  But that's okay, because it's
>> not like the site knew that the pool was as limited as it was.
>>
> I would imagine his numbers are right.  However, I don't have the
> knowledge of number theory that I'd need to verify either his or your
> numbers.

Of course.  Well, that's fine.  I'm not here to dispute math.

>> I'm no longer interested.  I've evaluated his grid enough to see that it
>> is worthy of his reputation, and that's really all I need to know.  I
>> will continue going about my business and using strong passwords and
>> passphrases because honestly, I have a system that works better and
>> requires less time and know-how, meaning that I can focus on my work and
>> not on useless bull like password management.
> 
> You really seem eager to trash someone you barely know.  Regardless, if
> you have a system that works for you, that's great.  I may use all or
> parts of it myself.  If Steve passes it along to listeners, they may use
> it too.  He likes to give users various options so they can use what
> works for them.
> 

I've known about Gibson longer than I've lived in Georgia.  His "work"
speaks for itself, insofar as I can see.

Calling Gibson a knowledgeable expert in security would be like calling
Donald Knuth a veritable idiot in the fields of computer science or
mathematics.  Why?  Because Knuth's work _also_ speaks for itself.

	--- Mike

-- 
A man who reasons deliberately, manages it better after studying Logic
than he could before, if he is sincere about it and has common sense.
                                   --- Carveth Read, “Logic”
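The numbers argued over in this thread (a pool of 52 symbols, 12 characters, an online rate of 1,000 guesses per second, and the quoted count of 99,246,114,928,149,462) can be checked with a few lines of arithmetic. The Python below is an added example, not code from this message, from GRC, or from the ALE list. It assumes a century of 365.25 days; the 62-symbol alphabet and the 1e9 offline guess rate are illustrative values of my own, not figures from the thread. Given an alphabet of 26 and every length from 1 through 12, haystack_count returns exactly the count quoted above, which is how that figure can be reproduced.

```python
import math

# Assumed convention: a century of 365.25-day years, in seconds.
SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 60 * 60


def password_space(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` symbols from `alphabet_size` symbols."""
    return alphabet_size ** length


def haystack_count(alphabet_size: int, max_length: int) -> int:
    """Passwords of every length from 1 up to max_length.

    An exhaustive search that tries short candidates before long ones has to
    cover all of these, so this is the count a 'time to crack' figure should use.
    """
    return sum(alphabet_size ** n for n in range(1, max_length + 1))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet), in bits.

    This only holds when every symbol is chosen independently and uniformly;
    a password derived from a memorable rule or a domain name has less.
    """
    return length * math.log2(alphabet_size)


def centuries_to_exhaust(count: int, guesses_per_second: float) -> float:
    """Worst-case time to try every one of `count` candidates at a fixed rate."""
    return count / guesses_per_second / SECONDS_PER_CENTURY


def compare(length: int = 12,
            online_rate: float = 1_000,
            offline_rate: float = 1e9) -> dict:
    """Tabulate space size, entropy and search time for several alphabets.

    online_rate matches the thread's 1,000 guesses/second.  offline_rate is an
    assumed illustrative figure for an attacker holding a stolen hash list;
    the point is only that the two differ by orders of magnitude.
    """
    alphabets = {
        26: "single-case letters",
        52: "mixed-case letters",
        62: "mixed-case letters plus digits (assumed extension)",
    }
    table = {}
    for size, label in alphabets.items():
        count = haystack_count(size, length)
        table[size] = {
            "label": label,
            "exact_length_count": password_space(size, length),
            "all_lengths_count": count,
            "entropy_bits": entropy_bits(size, length),
            "online_centuries": centuries_to_exhaust(count, online_rate),
            "offline_centuries": centuries_to_exhaust(count, offline_rate),
        }
    return table


if __name__ == "__main__":
    for size, row in compare().items():
        print(f"{row['label']} ({size} symbols, 12 chars)")
        print(f"  candidates, lengths 1..12 : {row['all_lengths_count']:,}")
        print(f"  entropy                   : {row['entropy_bits']:.1f} bits")
        print(f"  online  @1e3/s            : {row['online_centuries']:,.0f} centuries")
        print(f"  offline @1e9/s (assumed)  : {row['offline_centuries']:,.3f} centuries")
```

Running it shows why the quoted figure and a 52-symbol calculation disagree: the 12-character, 26-letter haystack is roughly 10^17 candidates while 52^12 is roughly 4 x 10^20, a factor of about 4,000, and the "thousands of centuries" figure collapses to a fraction of a century once the guess rate is an offline one rather than a rate-limited login form.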

