[ale] OT - New encryption technology using a piece of paper
Michael H. Warfield
mhw at WittsEnd.com
Tue Sep 6 11:05:34 EDT 2011
On Tue, 2011-09-06 at 09:53 -0400, Ron Frazier wrote:
> Hi David,
>
> I posted the original message on this topic. Actually, the party never
> got started very well. The discussion drifted into whether pass phrases
> are better (sometimes they are) or whether password cards are better
> (sometimes they are). However, the merits of the OTG system for its
> intended purpose were never discussed in any depth. The intended
> purpose is to allow average users to easily create moderate length
> cryptographically strong passwords that are unique for each site they
> visit. The sites in question, many times, will not accept long complex
> passwords. Furthermore, the system allows the user to create said
> passwords without using anything other than the piece of paper with the
> grid on it. All they need to traverse the grid is the domain name of
> interest. They don't have to remember any key code to get them to their
> password (as in pass cards), and they can use the password in places
> where a pass phrase will not be accepted, unless it's a very short pass
> phrase. As I mentioned in one of the posts, I deal with two sites which
> will only accept 8 character passwords, so even the default method of
> the OTG system which generates a 12 character upper / lower case
> password won't work. If desired, entropy of the final password can be
> increased by adding length, symbols, or numbers. I am currently
> evaluating all these methods to go to a system of having one password
> for every website. Not sure what I'm going to do yet. I may end up
> using something like OTG to generate some passwords and something like
> LastPass to enter them into websites automatically. Then I can save the
> grid for later reference. At sites where pass phrases of decent length
> will work, I'll probably use those. As I see it, the pros and cons for
> each method are:
>
> * Pass Phrases - easiest to remember, if you have a dozen - probably
> still have to write down, long ones or ones with symbols won't work for
> many sites, good entropy if they're long, if attacker knows you're using
> words separated by spaces, his search for your pass phrase becomes much
> easier
No it doesn't. If he knows that you are using 6 words all in lower case
separated by a single space coming from 2048 words (assuming he even
knows your entire lexicon - change it how you want), the chances of him
guessing your password are one chance in 73786976294838206464 (2^66) per
guess. That might just give him reason to shake his head and walk off.
The xkcd example of 4 words from a similar lexicon gives you one chance
in 17592186044416 (2^44) per guess. He's still not going to brute force
that.
> * Password Cards - somewhat easy to remember a key code, if you have a
> dozen - probably still have to write key codes down, shorter ones should
> work for most sites, longer ones won't
>
> * OTG - nothing to remember - use the domain name, if you have a dozen -
> generate as needed, somewhat tedious, shorter ones should work for most
> sites, longer ones won't
>
> Sincerely,
>
> Ron
>
>
> On 9/5/2011 10:14 PM, David Hillman wrote:
> > I guess I came too late to the party. I read "Off The Grid" and
> > wondered how long it would be before really well-informed people poked
> > holes in the whole idea. To me, it looks like it'll do a better job
> > of creating passwords than most of the user population (who might find
> > it to be too complicated). The rest will have to be handled by the
> > system administrator with a defense strategy that consists of a
> > mile-wide moat filled with alligators, rocks and burning faeces.
> > Intruders tend to shy away from that level of stinkiness. Now that I
> > have contributed, I can go back to reading about Single Packet
> > Authorization (SPA).
> >
> >
> > On Sun, Sep 4, 2011 at 8:56 PM, Michael H. Warfield <mhw at wittsend.com> wrote:
> >
> > On Sun, 2011-09-04 at 19:49 -0500, Pat Regan wrote:
> > > On Sat, 03 Sep 2011 20:06:56 -0400
> > > "Michael H. Warfield" <mhw at wittsend.com> wrote:
> > >
> > > > The forced changes provide no benefit and yet add that little tiny
> > > > extra opportunity of additional threat. And, yes, there are password
> > > > sniffers that will fire on password changes so they follow your
> > > > changes as you make them. Factor it in how you will.
> >
> > > A company I used to work for about a decade ago had a 60 or 90 day
> > > schedule on their forced password changes. The requirements for the
> > > passwords weren't very strict, either.
> >
> > > Most of the customer service people ended up teaching each other the
> > > same password scheme of current month+year (jan99, for example). Since
> > > those passwords were good for 60 or 90 days, you could walk out on that
> > > call center floor and guess almost anyone's password in 2 or 3 tries.
> >
> > In my talks on this, I try to dance around it a little bit without being
> > as blatant as that, but you are absolutely correct. Forced expiration
> > and password changes invariably force most users into predictable
> > patterns which are of no benefit and often just the opposite.
> >
> > The other effect, when password strength/complexity checkers are not
> > enforced, is the "jumping in front of the bus effect". Small but real,
> > it's the case where a user is forced to change his password and he
> > changes it to one that the attackers are using to guess... Powned...
> >
> > > Pat
> >
> > Regards,
> > Mike
> > --
> > Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
> > /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
> > NIC whois: MHW9 | An optimist believes we live in the best of all
> > PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
> >
> >
>
> --
>
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone. I get about 300 emails per day from alternate energy
> mailing lists and such. I don't always see new messages very quickly.)
>
> Ron Frazier
>
> 770-205-9422 (O) Leave a message.
> linuxdude AT c3energy.com
>
--
Michael H. Warfield (AI4NB) | (770) 985-6132 | mhw at WittsEnd.com
/\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/
NIC whois: MHW9 | An optimist believes we live in the best of all
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
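An added worked example, not code from this thread or from the Off The Grid system: it puts the figures in Mike's reply and in Ron's and Pat's messages (a 2048-word lexicon drawn 4 and 6 times, 12- and 8-character upper/lower-case passwords, the month+year pattern) on one footing by computing the keyspace each scheme leaves a guessing attacker, and it draws a passphrase the way those entropy figures assume, uniformly at random from the lexicon. The guess rates in main() and the toy lexicon are assumptions for illustration, not measurements or a real word list.

```python
"""Keyspace comparison for the password schemes discussed in the thread.

Added example; not code from the ALE thread or from the Off The Grid system.
The lexicon size (2048), the word counts (4 and 6), the 12- and 8-character
upper/lower-case lengths and the month+year pattern are taken from the
messages above. The guess rates in main() are assumptions for illustration.
"""
import math
import secrets
from typing import Dict, Sequence

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_size(alphabet_size: int, length: int) -> int:
    """Exact number of candidates: `length` independent uniform draws from
    `alphabet_size` symbols. A 'symbol' may be a character or a whole word.
    Separators fixed by the scheme (single spaces, all lower case) add nothing,
    but they also take nothing away: an attacker who knows the scheme still
    has to enumerate every one of these combinations."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return alphabet_size ** length


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """The same keyspace expressed in bits (log2 of the candidate count)."""
    return math.log2(keyspace_size(alphabet_size, length))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to enumerate the whole keyspace at a fixed guess rate."""
    if guesses_per_second <= 0:
        raise ValueError("guess rate must be positive")
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(lexicon: Sequence[str], words: int) -> str:
    """Draw `words` words with a CSPRNG and join them with single spaces.
    The bit counts above hold only when every word is an independent uniform
    draw; words a person picks for memorability carry far less."""
    if len(set(lexicon)) != len(lexicon):
        raise ValueError("lexicon must not contain duplicates")
    if any(not w or " " in w for w in lexicon):
        raise ValueError("words must be non-empty and contain no spaces")
    return " ".join(secrets.choice(lexicon) for _ in range(words))


def compare_schemes() -> Dict[str, float]:
    """Keyspace in bits for each scheme the thread mentions."""
    return {
        # Pat's call-center pattern: 12 month names x 100 two-digit years
        "month+year (jan99)": keyspace_bits(12 * 100, 1),
        "8 chars, upper/lower": keyspace_bits(52, 8),
        "12 chars, upper/lower (OTG default)": keyspace_bits(52, 12),
        "4 words from 2048 (xkcd)": keyspace_bits(2048, 4),
        "6 words from 2048": keyspace_bits(2048, 6),
    }


if __name__ == "__main__":
    # Assumed rates: a throttled web login versus an offline attack on a
    # leaked fast hash. Both figures are illustrative, not measurements.
    online, offline = 10.0, 1e9
    for name, bits in compare_schemes().items():
        print(f"{name:38s} {bits:6.1f} bits  "
              f"online {years_to_exhaust(bits, online):10.3g} y  "
              f"offline {years_to_exhaust(bits, offline):10.3g} y")
    # Constructed toy lexicon; a real one has about 2048 distinct words.
    print(generate_passphrase(["alpha", "bravo", "charlie", "delta"], 4))
```

keyspace_size makes the point in the reply explicit: structure the attacker knows is not entropy, but it does not subtract any either, because every combination of the random draws still has to be tried. Whether a given bit count is out of reach depends on the guess rate, which is why the table is printed for two rates: the throttled rate of an online login is many orders of magnitude below what an attacker gets against a leaked fast hash, so a scheme that holds up against one can be exhausted in hours against the other.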