[ale] OT - New encryption technology using a piece of paper

Michael H. Warfield mhw at WittsEnd.com
Tue Sep 6 11:05:34 EDT 2011 

On Tue, 2011-09-06 at 09:53 -0400, Ron Frazier wrote: 
> Hi David,
> 
> I posted the original message on this topic.  Actually, the party never 
> got started very well.  The discussion drifted into whether pass phrases 
> are better (sometimes they are) or whether password cards are better 
> (sometimes they are).  However, the merits of the OTG system for it's 
> intended purpose were never discussed in any depth.  The intended 
> purpose is to allow average users to easily create moderate length 
> cryptographically strong passwords that are unique for each site they 
> visit.  The sites in question, many times, will not accept long complex 
> passwords.  Furthermore, the system allows the user to create said 
> passwords without using anything other than the piece of paper with the 
> grid on it.  All they need to traverse the grid is the domain name of 
> interest.  They don't have to remember any key code to get them to their 
> password (as in pass cards), and they can use the password in places 
> where a pass phrase will not be accepted, unless it's a very short pass 
> phrase.  As I mentioned in one of the posts, I deal with two sites which 
> will only accept 8 character passwords, so even the default method of 
> the OTG system which generates a 12 character upper / lower case 
> password won't work.  If desired, entropy of the final password can be 
> increased by adding length, symbols, or numbers.  I am currently 
> evaluating all these methods to go to a system of having one password 
> for every website.  Not sure what I'm going to do yet.  I may end up 
> using something like OTG to generate some passwords and something like 
> LastPass to enter them into websites automatically.  Then I can save the 
> grid for later reference.  At sites where pass phrases of decent length 
> will work, I'll probably use those.  As I see it, the pros and cons for 
> each method are:
> 
> * Pass Phrases - easiest to remember, if you have a dozen - probably 
> still have to write down, long ones or ones with symbols won't work for 
> many sites, good entropy if they're long, if attacker knows you're using 
> words separated by spaces, his search for your pass phrase becomes much 
> easier

No it doesn't.  If he knows that you are using 6 words all in lower case
separated by a single space coming from 2048 words (assuming he even
knows your entire lexicon - change it how you want), the chances of him
guessing your password are one chance in 73786976294838206464 (2^66) per
guess.  That might just give him reason to shake his head an walk off.

The xkcd example of 4 words from a similar lexicon gives you one chance
in 17592186044416 (2^44) per guess.  He's still not going to brute force
that.

> * Password Cards - somewhat easy to remember a key code, if you have a 
> dozen - probably still have to write key codes down, shorter ones should 
> work for most sites, longer ones won't
> 
> * OTG - nothing to remember - use the domain name, if you have a dozen - 
> generate as needed, somewhat tedious, shorter ones should work for most 
> sites, longer ones won't
> 
> Sincerely,
> 
> Ron
> 
> 
> On 9/5/2011 10:14 PM, David Hillman wrote:
> > I guess I came too late to the party.  I read "Off The Grid" and 
> > wondered how long it would be before really well-informed people poked 
> > holes in the whole idea.  To me, it looks like it'll do a better job 
> > of creating passwords than most of the user population (who might find 
> > it to be too complicated).  The rest will have to be handled by the 
> > system administrator with a defense strategy that consists of a 
> > mile-wide moat filled with alligators, rocks and burning faeces. 
> >  Intruders tend to shy away from that level of stinkiness.  Now that I 
> > have contributed, I can go back to reading about Single Packet 
> > Authorization (SPA).
> >
> >
> > On Sun, Sep 4, 2011 at 8:56 PM, Michael H. Warfield <mhw at wittsend.com 
> > <mailto:mhw at wittsend.com>> wrote:
> >
> >     On Sun, 2011-09-04 at 19:49 -0500, Pat Regan wrote:
> >     > On Sat, 03 Sep 2011 20:06:56 -0400
> >     > "Michael H. Warfield" <mhw at wittsend.com
> >     <mailto:mhw at wittsend.com>> wrote:
> >     >
> >     > > The forced changes provide no benefit and yet add that little tiny
> >     > > extra opportunity of additional threat.  And, yes, there are
> >     password
> >     > > sniffers that will fire on password changes so they follow your
> >     > > changes as you make them.  Factor it in how you will.
> >
> >     > A company I used to work for about a decade ago had a 60 or 90 day
> >     > schedule on their forced password changes.  The requirements for the
> >     > passwords weren't very strict, either.
> >
> >     > Most of the customer service people ended up teaching each other the
> >     > same password scheme of current month+year (jan99, for example).
> >      Since
> >     > those passwords were good for 60 or 90 days, you could walk out
> >     on that
> >     > call center floor and guess almost anyone's password in 2 or 3
> >     tries.
> >
> >     In my talks on this, I try to dance around it a little bit without
> >     being
> >     as blatant as that, but you are absolutely correct.  Forced expiration
> >     and password changes invariably force most users into predictable
> >     patterns which are of no benefit and often just the opposite.
> >
> >     The other effect, when password strength/complexity checkers are not
> >     enforced, is the "jumping in front of the bus effect".  Small but
> >     real,
> >     it's the case where a user is forced to change his password and he
> >     changes it to one that the attackers are using to guess...  Powned...
> >
> >     > Pat
> >
> >     Regards,
> >     Mike
> >     --
> >     Michael H. Warfield (AI4NB) | (770) 985-6132
> >     <tel:%28770%29%20985-6132> |  mhw at WittsEnd.com
> >       /\/\|=mhw=|\/\/          | (678) 463-0932
> >     <tel:%28678%29%20463-0932> | http://www.wittsend.com/mhw/
> >       NIC whois: MHW9          | An optimist believes we live in the
> >     best of all
> >      PGP Key: 0x674627FF        | possible worlds.  A pessimist is
> >     sure of it!
> >
> >     _______________________________________________
> >     Ale mailing list
> >     Ale at ale.org <mailto:Ale at ale.org>
> >     http://mail.ale.org/mailman/listinfo/ale
> >     See JOBS, ANNOUNCE and SCHOOLS lists at
> >     http://mail.ale.org/mailman/listinfo
> >
> >
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> >    
> 
> -- 
> 
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone.  I get about 300 emails per day from alternate energy
> mailing lists and such.  I don't always see new messages very quickly.)
> 
> Ron Frazier
> 
> 770-205-9422 (O)   Leave a message.
> linuxdude AT c3energy.com
> 
> 
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 482 bytes
Desc: This is a digitally signed message part
Url : http://mail.ale.org/pipermail/ale/attachments/20110906/4f712874/attachment-0001.bin

More information about the Ale mailing list