[NBLUG/talk] How do you handle physical device passwords?

Robert Thille rthille at gmail.com
Mon May 8 13:23:47 PDT 2017


That article relies on the cracker having the hash of the password.  On a
normal desktop system today, there's one way to get that: be root on the
system.  Or, if you don't have the hash, having very high bandwidth to
confirm guesses.

On Mon, May 8, 2017 at 12:12 PM, Allan Cecil <allan at nblug.org> wrote:

> I'd really, *really* love to agree with you about the chances being
> small.  Unfortunately,
> arstechnica.com/security/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking
> is from 2013 and using modest resources of the day they were able to snag
> the password "Am i ever gonna see your face again?" and several others of
> equal complexity.  (The above article is a fantastic primer to tomorrow's
> talk despite its age, but I digress.)
>
> What I'm currently struggling with is that, at least for me, I have to
> type the device access password many many times a day.  I can't seem to
> find that perfect balance of complexity and ability to enter said password
> quickly, or rather, at a certain point the security comes at a measurable
> cost in amount of minutes per day lost to it.
>
> Is anyone using non-password methods for device security?  If so, I'd love
> to know how it is working out for you and if you feel less or more secure
> going that path.
>
> Thanks for the discussion,
>
> A.C.
> ******
> President, North Bay Linux Users' Group
>
> On 05/08/2017 11:51 AM, Christopher Wagner wrote:
> > Generally speaking, passwords that are long, but also relatively easy to
> > type tend to be the best compromise.  Something like "Walking to the 7/11
> > today." or "EatingGreenBananasSucks!" are both easier to type, but also
> > very difficult for a password cracker to get without substantial
> > resources.  There are obviously a lot of dictionary words, but with
> > multiple words, a long length, mixed case, and the special characters, the
> > chance of them being cracked without substantial resources is vanishingly
> > small.
> >
> >
> > On 05/07/2017 03:25 PM, Allan Cecil wrote:
> >> In advance of Kyle's talk on Tuesday I was curious what practices other
> >> NBLUG folks follow with physical access passwords, i.e. passwords that
> >> you have to type frequently to gain access to a local PC or other
> >> personal device.  Since it's a password that you'll be typing often you
> >> generally want a password that is easy to type but that is often at odds
> >> with good security practices.  I'm seriously doubting my own methods
> >> after attending the Thotcon security conference this past week.
> >> Obviously, don't give up anything secret or sensitive here, but how do
> >> you handle passwords that by their nature can't be in a password manager
> >> and have to be typed frequently?
> >>
> >> This is probably a discussion for after Kyle's talk but it's been on my
> >> mind and I didn't want to wait.  Thanks for your thoughts!
> >>
> >> A.C.
> >> ******
> >> President, North Bay Linux Users' Group
> >>
> >> On 04/18/2017 03:05 PM, Allan Cecil wrote:
> >>> Topic: Sex, Secret and God: A Brief History of Bad Passwords
> >>> When: Tuesday May 9th, 7:30 PM to 9:00 PM
> >>> Speaker: Kyle Rankin
> >>>
> >>> Location: O'Reilly Media, Sebastopol CA in the Tarsier conference room
> >>> past the metal statue and to the right ( http://nblug.org/locations )
> >>>
> >>> Description:
> >>> Most of what we've been told over the years about what makes a good
> >>> password has been wrong, so it's no surprise most people pick bad
> >>> passwords. This talk will cover the history of password policy and
> >>> password cracking starting from the days when Richard Stallman hacked
> >>> the passwords forced on his MIT computer lab because he considered
> >>> passwords an authoritarian method of control. Next I'll discuss the
> >>> golden days of password guessing featured prominently in movies like
> >>> Hackers and WarGames.
> >>>
> >>> Then I'll move to the tech boom and the introduction of draconian IT
> >>> policies like password rotation and password complexity and the dirty
> >>> little leet-speak password secrets they led to. As we get closer to the
> >>> modern day I'll discuss the "correct horse battery staple" password
> >>> renaissance and more modern approaches to password cracking spawned by
> >>> tools like oclhashcat and giant password database dumps like the
> >>> RockYou hack.
> >>>
> >>> I'll finish up with modern attempts to fix the password auth problem
> >>> such as new approaches to secure password generation in password
> >>> managers or schemes such as diceware as well as cover password auth
> >>> reinforcements like the different forms of 2FA (including U2F) and
> >>> Facebook's new approach to "I forgot my password" workflows. By the end
> >>> everyone should have plenty of ammunition to take back to their IT
> >>> department and get rid of those horrible password policies.
> >>> _______________________________________________
> >>> announce mailing list
> >>> announce at nblug.org
> >>> http://nblug.org/cgi-bin/mailman/listinfo/announce
> >>>
> >> _______________________________________________
> >> talk mailing list
> >> talk at nblug.org
> >> http://nblug.org/cgi-bin/mailman/listinfo/talk
> >
>
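The thread's disagreement comes down to two numbers: how many guesses the attacker has to make, and how fast the attacker can make them.  The following Python is an added example, not code from any of the posters or from the Ars article, that models both sides.  It runs a small phrase list with mangling rules (the kind of attack the article describes) against a salted hash the attacker already holds, and puts the result next to the search space of a six-word diceware passphrase and next to the offline-versus-online guess rates that Robert's reply distinguishes.  The phrase corpus, suffix rules, salt, the 15-million-line corpus size, the two guess rates and the target passphrase are all constructed assumptions, and salted SHA-256 stands in for the real system hash.

```python
import hashlib
import math

# Constructed stand-in for the song-lyric / scripture / YouTube-comment phrase
# lists the Ars article describes.  Real lists run to tens of millions of lines.
PHRASE_CORPUS = [
    "am i ever gonna see your face again",
    "in the beginning god created the heaven and the earth",
    "walking to the 7/11 today",
    "eating green bananas sucks",
    "correct horse battery staple",
    "the quick brown fox jumps over the lazy dog",
]

# Mangling rules of the kind crackers layer on top of a phrase list (assumed set).
SUFFIXES = ["", ".", "!", "?", "1", "!1", "2017"]


def case_variants(phrase):
    """Yield the common capitalisation patterns of one phrase."""
    yield phrase                                # as it appears in the corpus
    yield phrase.capitalize()                   # "Am i ever gonna ..."
    yield phrase.title()                        # "Am I Ever Gonna ..."
    yield phrase.upper()
    yield phrase.title().replace(" ", "")       # "AmIEverGonna..." (no spaces)


def phrase_candidates(corpus=PHRASE_CORPUS, suffixes=SUFFIXES):
    """Enumerate every phrase x case x suffix combination, as a cracker would."""
    for phrase in corpus:
        for variant in case_variants(phrase):
            for suffix in suffixes:
                yield variant + suffix


def hash_password(password, salt):
    """Salted SHA-256 stands in for the system hash (assumption).  Real
    /etc/shadow entries use deliberately slow KDFs (sha512crypt, bcrypt,
    yescrypt); that lowers the guesses-per-second figure, not the search space."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def crack(target_hash, salt, candidates):
    """Offline attack: test candidates against a hash the attacker already
    holds.  Returns (candidate, guesses_tried) or (None, guesses_tried)."""
    tried = 0
    for cand in candidates:
        tried += 1
        if hash_password(cand, salt) == target_hash:
            return cand, tried
    return None, tried


def diceware_guesses(word_count, wordlist_size=7776):
    """Search space for a passphrase of words drawn at random from a wordlist."""
    return wordlist_size ** word_count


def phrase_space(corpus_lines, suffixes=SUFFIXES):
    """Search space for a phrase-list attack over a corpus of the given size."""
    variants = len(list(case_variants("a b")))
    return corpus_lines * variants * len(suffixes)


def bits(search_space):
    return math.log2(search_space)


# Constructed attacker models (assumptions, not measured figures).
OFFLINE_RATE = 1e9    # attacker holds the hash (got root, or the disk): GPU rig, fast hash
ONLINE_RATE = 10.0    # attacker only has a login prompt that throttles attempts


def years_to_exhaust(search_space, guesses_per_second):
    return search_space / guesses_per_second / (365.25 * 24 * 3600)


def compare(target="Am i ever gonna see your face again?", corpus_lines=15_000_000):
    """Worked comparison: a lyric-derived passphrase against six diceware words."""
    salt = b"constructed-salt"
    found, tried = crack(hash_password(target, salt), salt, phrase_candidates())
    return {
        "found": found,
        "guesses_to_find": tried,
        "phrase_bits": bits(phrase_space(corpus_lines)),            # ~29 bits
        "phrase_offline_years": years_to_exhaust(phrase_space(corpus_lines), OFFLINE_RATE),
        "phrase_online_years": years_to_exhaust(phrase_space(corpus_lines), ONLINE_RATE),
        "diceware_bits": bits(diceware_guesses(6)),                 # ~77.5 bits
        "diceware_offline_years": years_to_exhaust(diceware_guesses(6), OFFLINE_RATE),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(f"{key:>24}: {value}")
```

The lyric-derived passphrase falls on the eleventh guess because it is a corpus line plus one capitalisation rule plus one suffix; with the assumed 15-million-line corpus the whole mangled space is about 29 bits, which the offline model exhausts in well under a second and the throttled online model in a couple of years.  Six random diceware words are about 77 bits, which the same offline rig would take millions of years to exhaust.  Length and punctuation only help when the words were not chosen by something that has already been written down.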

