[ale] OT - New encryption technology using a piece of paper

Ron Frazier atllinuxenthinfo at c3energy.com
Tue Sep 6 09:53:02 EDT 2011


Hi David,

I posted the original message on this topic.  Actually, the party never 
got started very well.  The discussion drifted into whether pass phrases 
are better (sometimes they are) or whether password cards are better 
(sometimes they are).  However, the merits of the OTG system for its 
intended purpose were never discussed in any depth.  The intended 
purpose is to allow average users to easily create moderate length 
cryptographically strong passwords that are unique for each site they 
visit.  The sites in question, many times, will not accept long complex 
passwords.  Furthermore, the system allows the user to create said 
passwords without using anything other than the piece of paper with the 
grid on it.  All they need to traverse the grid is the domain name of 
interest.  They don't have to remember any key code to get them to their 
password (as in pass cards), and they can use the password in places 
where a pass phrase will not be accepted, unless it's a very short pass 
phrase.

As I mentioned in one of the posts, I deal with two sites which 
will only accept 8 character passwords, so even the default method of 
the OTG system, which generates a 12 character upper / lower case 
password, won't work.  If desired, entropy of the final password can be 
increased by adding length, symbols, or numbers.

I am currently evaluating all these methods to go to a system of having 
one password for every website.  Not sure what I'm going to do yet.  I 
may end up using something like OTG to generate some passwords and 
something like LastPass to enter them into websites automatically.  Then 
I can save the grid for later reference.  At sites where pass phrases of 
decent length will work, I'll probably use those.  As I see it, the pros 
and cons for each method are:

* Pass Phrases - easiest to remember, if you have a dozen - probably 
still have to write down, long ones or ones with symbols won't work for 
many sites, good entropy if they're long, if attacker knows you're using 
words separated by spaces, his search for your pass phrase becomes much 
easier

* Password Cards - somewhat easy to remember a key code, if you have a 
dozen - probably still have to write key codes down, shorter ones should 
work for most sites, longer ones won't

* OTG - nothing to remember - use the domain name, if you have a dozen - 
generate as needed, somewhat tedious, shorter ones should work for most 
sites, longer ones won't

Sincerely,

Ron


On 9/5/2011 10:14 PM, David Hillman wrote:
> I guess I came too late to the party.  I read "Off The Grid" and 
> wondered how long it would be before really well-informed people poked 
> holes in the whole idea.  To me, it looks like it'll do a better job 
> of creating passwords than most of the user population (who might find 
> it to be too complicated).  The rest will have to be handled by the 
> system administrator with a defense strategy that consists of a 
> mile-wide moat filled with alligators, rocks and burning faeces. 
>  Intruders tend to shy away from that level of stinkiness.  Now that I 
> have contributed, I can go back to reading about Single Packet 
> Authorization (SPA).
>
>
> On Sun, Sep 4, 2011 at 8:56 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
>
>     On Sun, 2011-09-04 at 19:49 -0500, Pat Regan wrote:
>     > On Sat, 03 Sep 2011 20:06:56 -0400
>     > "Michael H. Warfield" <mhw at wittsend.com> wrote:
>     >
>     > > The forced changes provide no benefit and yet add that little tiny
>     > > extra opportunity of additional threat.  And, yes, there are password
>     > > sniffers that will fire on password changes so they follow your
>     > > changes as you make them.  Factor it in how you will.
>
>     > A company I used to work for about a decade ago had a 60 or 90 day
>     > schedule on their forced password changes.  The requirements for the
>     > passwords weren't very strict, either.
>
>     > Most of the customer service people ended up teaching each other the
>     > same password scheme of current month+year (jan99, for example).
>     > Since those passwords were good for 60 or 90 days, you could walk out
>     > on that call center floor and guess almost anyone's password in 2 or 3
>     > tries.
>
>     In my talks on this, I try to dance around it a little bit without
>     being as blatant as that, but you are absolutely correct.  Forced
>     expiration and password changes invariably force most users into
>     predictable patterns which are of no benefit and often just the opposite.
>
>     The other effect, when password strength/complexity checkers are not
>     enforced, is the "jumping in front of the bus effect".  Small but real,
>     it's the case where a user is forced to change his password and he
>     changes it to one that the attackers are using to guess...  Powned...
>
>     > Pat
>
>     Regards,
>     Mike
>     --
>     Michael H. Warfield (AI4NB) | (770) 985-6132
>     <tel:%28770%29%20985-6132> |  mhw at WittsEnd.com
>       /\/\|=mhw=|\/\/          | (678) 463-0932
>     <tel:%28678%29%20463-0932> | http://www.wittsend.com/mhw/
>       NIC whois: MHW9          | An optimist believes we live in the
>     best of all
>      PGP Key: 0x674627FF        | possible worlds.  A pessimist is
>     sure of it!
>
>     _______________________________________________
>     Ale mailing list
>     Ale at ale.org
>     http://mail.ale.org/mailman/listinfo/ale
>     See JOBS, ANNOUNCE and SCHOOLS lists at
>     http://mail.ale.org/mailman/listinfo
>
>

-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new messages very quickly.)

Ron Frazier

770-205-9422 (O)   Leave a message.
linuxdude AT c3energy.com
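The pros and cons above hinge on two numbers: how much entropy each scheme actually delivers once the attacker knows which scheme is in use (the "words separated by spaces" remark), and whether the result fits a site's length cap (the two 8-character sites). The following Python is an added worked example, written for this page and not code from the thread, from the Off The Grid project, or from any password-card product. It assumes character-class sizes (26+26 letters, 10 digits, 32 symbols), a 7776-word Diceware-style list, two constructed sample phrases whose only role is to supply a character count, and an assumed offline guess rate of 1e9/s; password cards are not modelled because their key-code layout is not described here.

```python
import math

# Constructed alphabet sizes used for the comparison (assumptions, not values
# from the thread): 26 lower, 26 upper, 10 digits, 32 printable ASCII symbols.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
DICEWARE_LIST = 7776  # size of a Diceware-style word list (6**5), assumed

# Constructed sample passphrases; only their character counts matter here.
FOUR_WORDS = "correct horse battery staple"
SIX_WORDS = "correct horse battery staple candle whistle"


def char_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string of `length` symbols over an
    alphabet of `alphabet_size`, i.e. log2(alphabet_size ** length).
    This is what an 8- or 12-character grid-derived password gives when
    every position is effectively random."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words, dictionary_size):
    """Entropy of `words` words picked uniformly from a `dictionary_size`-word
    list, as seen by an attacker who knows the phrase is dictionary words
    separated by spaces and therefore guesses whole words, not characters."""
    if words <= 0 or dictionary_size <= 1:
        return 0.0
    return words * math.log2(dictionary_size)


def naive_passphrase_entropy_bits(phrase):
    """Apparent entropy of the same phrase to a character-level brute forcer
    who does NOT know the scheme (lowercase letters plus space). The gap
    between this and passphrase_entropy_bits() is the point of the mail."""
    return char_entropy_bits(len(phrase), LOWER + 1)


def crack_time_years(bits, guesses_per_second=1e9):
    """Years to exhaust the whole keyspace at a constant guess rate. The
    default 1e9/s is an assumed offline rate against a fast unsalted hash;
    a slow salted hash or an online rate limit lowers it by orders of
    magnitude, so treat it as a relative yardstick only."""
    return 2.0 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def candidate_options():
    """(label, characters typed, entropy bits) for the options in the mail."""
    return [
        ("OTG default: 12 mixed-case letters", 12,
         char_entropy_bits(12, LOWER + UPPER)),
        ("OTG cut to 8 mixed-case letters", 8,
         char_entropy_bits(8, LOWER + UPPER)),
        ("8 chars, letters + digits + symbols", 8,
         char_entropy_bits(8, LOWER + UPPER + DIGITS + SYMBOLS)),
        ("4-word passphrase (7776-word list)", len(FOUR_WORDS),
         passphrase_entropy_bits(4, DICEWARE_LIST)),
        ("6-word passphrase (7776-word list)", len(SIX_WORDS),
         passphrase_entropy_bits(6, DICEWARE_LIST)),
    ]


def strongest_accepted(site_max_length, options=None):
    """Strongest option whose length the site will accept, as (label, bits),
    or None if the cap rules them all out. Models the '8 characters only'
    sites from the mail: the length cap, not the scheme, decides the choice."""
    options = candidate_options() if options is None else options
    accepted = [(label, bits) for label, length, bits in options
                if length <= site_max_length]
    return max(accepted, key=lambda item: item[1], default=None)


if __name__ == "__main__":
    for label, length, bits in candidate_options():
        print(f"{label:38s} {length:3d} chars {bits:6.1f} bits "
              f"~{crack_time_years(bits):.2g} years at 1e9 guesses/s")
    print("4-word phrase, attacker knows the scheme:",
          round(passphrase_entropy_bits(4, DICEWARE_LIST), 1), "bits; naive:",
          round(naive_passphrase_entropy_bits(FOUR_WORDS), 1), "bits")
    for cap in (8, 64):
        print(f"best option under a {cap}-char limit:", strongest_accepted(cap))
```

Two things fall out of running it: the 28-character sample phrase looks like about 133 bits to a character-level cracker but is worth about 52 bits once the attacker searches word by word, roughly the same as 8 random characters drawn from the full printable set; and at an 8-character cap no passphrase and no 12-character grid password is even admissible, so widening the character set is the only lever left, exactly as the mail says.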


