Rubberhose Cryptanalysis
"No one can hack my mind", eh? We'll see about that...
https://xkcd.com/538/
PS. Applies equally well to password managers.
Antivirus software has copped another beating from security experts, who axed the tool from their list of top five security-enhancing recommendations. The findings are contained in the Google study No one can hack my mind: Comparing Expert and Non-Expert Security Practices which polled 231 security experts, and 294 normal …
Ignore rubber hoses, let's just think practical. Security experts may be able to remember a couple dozen different passwords, and claim that's a good security practice, but it is impractical for the average person. Maybe the average person could do that if it was their job/life (like it is for a security expert) but they won't. So how about the security experts give recommendations an average person can actually be expected to follow?
I'm glad at least "change your passwords every 90 days" wasn't on the list, that's the bane of good security once you are enforcing strong passwords - you basically force everyone to either 1) write down their passwords 2) use simple variation schemes on the same password or 3) use a password manager and hope it isn't compromised and they have more than a simple "Android squiggle pattern" or fingerprint unlock protecting it.
> So how about the security experts give recommendations an average person can actually be expected to follow?
Read it again?
The security experts are telling people to use password managers. What the article said is that some end-users, wary of technology they don't understand or control, are saying they prefer to remember passwords in their heads as they feel it is more secure that way.
Security experts may be able to remember a couple dozen different passwords, and claim that's a good security practice, but it is impractical for the average person.
Perhaps that's why password managers are on the list, too, which for personal use is not such a bad idea. I have yet to work anywhere that provided or approved of a password manager for professional use, though.
I would love to see an expanded list of "expert recommended tools," because the top five is certainly not enough. There's nothing on there about mobile apps, which are the de facto way most people interact with the internet these days rather than a browser on their home PC. Also, the recommendation I would make more than the use of any of these is customer/user education. The fact that there is such a big misalignment in professional and lay opinions indicates where efforts in the security community ought to be focused.
"No one can hack my mind" - YET!
Just wait until we get chips in our heads to improve memory and someone hacks our chip, or police obtain court orders to insert chips into our heads to find out our secrets, or the government makes it mandatory.... @_@
*wears tinfoil hat*
Mental note: do not sleep overnight in a room that has just been painted @_@
Non-expert participants reported being reluctant to promptly install software updates, perhaps due to lack of understanding of their effectiveness or bad past experiences caused by software updates.
Now which software company has made a habit of declaring their advertising nagware as "important security update" again?
For companies with a reasonable IT budget this is not such a big deal, as they can install patches in advance on test machines and see what happens, but home users don't have this chance and they get exactly the wrong message.
Just as well, as the patches will be stuffed down their throats in the future, if they like them or not...
Right. So that's one half. But what are they going to do about it?
I can easily remember complex passwords that I use regularly, and even with memory tricks I can remember a very few difficult ones even a year after last using them ... however... the average user is going to sign up for a site, the browser is going to offer to remember their password for them (don't they realise that this is a password manager!) and then later on when they change computers they're stuffed (because they can't remember said password) ... or they're doubly stuffed because when they want to change password, they can't remember what it was in the first place ... or signed up with an e-mail account from a previous ISP that they're no longer with and thus can't use the reminder service. That's the reality that I know.
The average user is scared to apply updates and doesn't trust password managers.
So ... what is going to come of this research? What is the industry going to do, to convince punters that password managers are a good idea, and are secure; and increase their faith in updates that are actually updates, and not either brick-wielding pieces of software ... or won't actually downgrade their system by turning off features that they use, but that the provider has decided to remove from their product.
Anybody?
I like the idea of associating pictures to other pictures instead of using text. E.g. 'monkey in blue hat' = sad so eats something sweet to cheer himself up. Sorry we are all out of banana splits but you can have a 'chocolate fudge sundae' - user is presented with 50 images to map to a choc fudge sundae, of which a fair % are very similar to the correct answer, however there is only 1 right answer. Sundae = like Sunday, which is really the first day of the week but we think of it as the last... days of the week have their own logic; we can count upwards from 1 or 0 so it could relate to 4 possible numbers; 0167 - this forms a pin code secondary password. Today is Friday... Friday is an "up" day, meaning the pin numbers are sorted lowest to highest. On a Monday they might be sorted high to low.
The MAC address of the device I'm using has not been associated with the service/application I'm trying to use so before I get any further I get an email and an SMS. Clicking the link in the email requests that a 4 digit code from the SMS be entered to register the device and gain entry.
I must have stolen this idea from somewhere/perhaps multiple different trains of thought - is anyone aware of any proper research?
Yes, this wouldn't work for the visually impaired however variants using noises/songs/text could be optional.
Password managers don't have to be run 'in the cloud' - they can be standalone applications running on your computer, and which should therefore continue running long after the developers have gone.
(I wouldn't touch a cloudy one with someone else's highly secured bargepole.)
"Password managers don't have to be run 'in the cloud' - they can be standalone applications running on your computer, and which should therefore continue running long after the developers have gone." -- VinceH
Here's mine:
echo -n 'mymainpassword myusernameforthewebsite thewebsitename' | sha256sum - | xxd -r -p | base64 | tr 'a-m' '!--' | cut -c -20 | xclip
When my browser can't remember a password, I just run that script in a terminal, then middle key click the password input field to paste a twenty character password, with 6 bits of entropy per character. If you used the literal values in the case above it would be: 3"'MnsKA-&t74GD&,GxE
For stupid accounts that insist on alphanumeric only, replace the 'tr' command (with something like sed "s/[+/=]//g"). The script works with very little modification on windows too. I also have a version that does a non-echoing prompt for the main password, but I tend not to bother with that now unless I'm aware I may be overlooked (but it's also good if you don't want it to end up in your shell history):
read -s -p "Password:" PASSWORD && echo -n "$PASSWORD myusernameforthewebsite thewebsitename" | sha256sum - | xxd -r -p | base64 | cut -c -20 | xclip
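As an added illustration (not the poster's script, and not from the study under discussion), here is the same derivation reimplemented in Python so it can be run without xclip or xxd and so the output alphabet can be inspected. It reproduces each stage of the pipeline: SHA-256 of the space-joined inputs, raw digest bytes, standard base64, the `tr 'a-m' '!--'` substitution, and the cut to 20 characters. The function and variable names are my own; the master password, username and site strings passed in are constructed sample values. It also exposes one detail of the `tr` step that is easy to miss: base64 already emits '+', and the letter 'k' is mapped onto '+' as well, so the translated output has 63 distinct symbols rather than 64.

```python
import base64
import hashlib
import math
import string

# Translation table equivalent to the thread's `tr 'a-m' '!--'`:
# the thirteen letters a..m become the thirteen punctuation characters
# from '!' (ASCII 33) up to '-' (ASCII 45).
_TR_TABLE = str.maketrans("abcdefghijklm", "!\"#$%&'()*+,-")

# Symbols the standard base64 encoder can emit (padding '=' aside).
_B64_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"


def derive(material: str, length: int = 20, translate: bool = True) -> str:
    """sha256 -> raw bytes -> base64 -> tr -> cut, as in the shell pipeline.

    A 32-byte digest encodes to 44 base64 characters ending in '=', so any
    length up to 43 never includes the padding character.
    """
    digest = hashlib.sha256(material.encode("utf-8")).digest()  # like `xxd -r -p`
    encoded = base64.b64encode(digest).decode("ascii")           # like `base64`
    if translate:
        encoded = encoded.translate(_TR_TABLE)                   # like `tr 'a-m' '!--'`
    return encoded[:length]                                      # like `cut -c -20`


def site_password(master: str, username: str, site: str) -> str:
    """Join the three inputs with single spaces, exactly as the `echo -n` line does."""
    return derive(f"{master} {username} {site}")


def output_alphabet(translate: bool = True) -> set:
    """Every symbol that can appear in the derived password."""
    alphabet = _B64_ALPHABET.translate(_TR_TABLE) if translate else _B64_ALPHABET
    return set(alphabet)


def bits_per_char(translate: bool = True) -> float:
    """Entropy per output character, assuming the digest bytes are uniform."""
    return math.log2(len(output_alphabet(translate)))


if __name__ == "__main__":
    # Constructed sample inputs; the derived value depends only on these three strings.
    print(site_password("examplemaster", "exampleuser", "example.org"))
    print(f"{len(output_alphabet())} symbols, {bits_per_char():.3f} bits per character")
```

The `derive("abc")` case in the test below uses the well-known SHA-256 test vector for "abc" (digest starting ba7816bf...), whose base64 form begins "ungWv48Bz+pBQUDeXa4i"; after the `tr` substitution that becomes "un'Wv48Bz+pBQUD%X!4)". Since the output alphabet is 63 symbols, each character carries log2(63), about 5.98 bits, rather than a full 6.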
For Windows, I find Keynote NF quite useful...it's a freebie tree-style note-taker with tabs; standalone; no installation (you have to create your own shortcut); and you can encrypt files with a couple of choices of encryption flavours. One executable and one data file.
If you keep the login URL with the passwords, you're pretty well proof against phishing attacks as well because you're only using your own URLs. Also you can keep notes, code snippets and other relevant bits in it.
It is a single point of failure; but you can mitigate that a bit by scattering a few copies of the data file around. Works for me, anyway. No syncing and only works on Windows; but I never log into stuff from anywhere but here, so works for me. Highly mobile people won't find a lot of use for it probably.
You don't need a cloud-based one. You need one that synchronises the password database between your devices (which does inevitably involve a cloud provider). That database is encrypted anyway, so the security of your passwords is relative to the number of devices you sync to, the security of the cloud provider, and the strength of your password on your database.
... at guarding pieces of paper - if they think they're valuable.
Those ones in your pocket with a drawing of Lizzie Windsor being one example.
The problem with people writing down passwords is not the writing down, it's where they leave them once they've done so.
We have a policy of periodically walking the building and checking for anything that looks like a password stuck to monitors, under keyboards or on the sides of filing cabinets. Those get "removed" and added to our crack dictionary. Accounts whose passwords fall out of cracking runs get locked.
Users have complained on more than one occasion that the system won't let them set a password of XYZ Arabic/Maori/Thai/Lao/Tibetan/Chinese words - on the basis that "they're not in the dictionary so how would a system guess them?" The response has always been "They're in our dictionary, the world isn't just English".
As for rubber hose cryptography - If things have gone that far then there's more to worry about than a password being breached - but even 35 years ago when I was working for a telco, all our physical access which was card controlled had a "duress" code - which allowed you in, but set off security alarms everywhere else. It's kind of surprising that such things aren't normal practice in computing.
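To show what the "duress code" idea from the comment above looks like in software, here is an added example (my own illustration, not code from any product or from the telco system described): a small access-control check where each holder has a normal code and a duress code. Both open the door, so the person under pressure behaves identically either way; the difference is an alarm flag that only the security side sees. Record layout, function names and the sample codes are constructed; both codes are stored salted and hashed so that a leaked controller database does not reveal them.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    open_door: bool     # what the card holder observes: did the door unlock?
    silent_alarm: bool  # what the security desk observes: raise an alert?
    reason: str         # tag for the audit log


def _hash_code(code: str, salt: bytes) -> bytes:
    # Deliberately slow hash: entry codes are short, so brute force of a
    # leaked record must be made expensive.
    return hashlib.pbkdf2_hmac("sha256", code.encode("utf-8"), salt, 50_000)


def enrol(normal_code: str, duress_code: str) -> dict:
    """Create a holder record; it never stores either code in plaintext."""
    if normal_code == duress_code:
        raise ValueError("duress code must differ from the normal code")
    salt = os.urandom(16)
    return {
        "salt": salt,
        "normal": _hash_code(normal_code, salt),
        "duress": _hash_code(duress_code, salt),
    }


def check_entry(record: dict, presented: str) -> Decision:
    """Decide whether to unlock and whether to alert security.

    Both comparisons always run, and compare_digest avoids early exit, so the
    time taken does not reveal which code (if any) matched.
    """
    candidate = _hash_code(presented, record["salt"])
    is_normal = hmac.compare_digest(candidate, record["normal"])
    is_duress = hmac.compare_digest(candidate, record["duress"])
    if is_normal:
        return Decision(open_door=True, silent_alarm=False, reason="normal")
    if is_duress:
        # Outwardly identical to a normal entry; only the alarm flag differs.
        return Decision(open_door=True, silent_alarm=True, reason="duress")
    return Decision(open_door=False, silent_alarm=False, reason="rejected")


if __name__ == "__main__":
    # Constructed sample holder with a normal code and a duress code.
    holder = enrol("2468", "2469")
    for attempt in ("2468", "2469", "0000"):
        print(attempt, check_entry(holder, attempt))
```

The design point is that the duress path must be indistinguishable from the holder's side: same door behaviour, same delay, same message. Anything that differs (a longer pause, a different light) tells the coercer the alarm has been raised and defeats the purpose.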