[Tutorial] - How to Create a Secure Password

Mongrel
SF Mod


Joined: 30 May 2002
Posts: 8



Posted: Fri Oct 22, 2004 4:25 pm

A little balance here. We have been discussing the bits and bytes,
difficulty in cracking, etc. - in gory detail.

Let's get down to brass tacks - we who manage networks and user
accounts need to give our users tools to pick a secure AND easily
rememberable password. One that does not need to be written down. One
that we do not need to reset weekly for the poor slob who makes things
too difficult on themselves.

Sooooo - that in mind - let me share my tricks - that I teach people - that
make passwords that are pretty damn strong and that they will never
forget.

The best part of it is that:

It CAN be a date
It CAN be a name
It CAN be something everyone knows about you

And STILL be difficult to crack.

Mind you this example isn't the greatest but certainly gets the idea across.
And I did LC4 this one once and it took a very long time to crack.

My present passwords, using this technique, have been run against LC5
for three days and not been detected. I got bored with waiting for it to
finish.

I'll take you through one I made for myself and show you how it works.
I'll be interested in the experts replies both in mathematical/scientific and
practical aspects.

Sooo - anyone who knows me well knows I like beer. If you REALLY know
me you know I used to drink Schlitz Malt Liquor (back in the '70s B4 it
was a racial thing). And everyone who knows me knows the year I
graduated High School.

Soo - onward and upward

Rule #1 - No words in any dictionary, names, places, things, brands.
(Baaaah Humbug on this one)

Simple solution - misspell a word, name, place, thing, or brand sufficiently
that it is not a real word but not so much that you forget it

Rule # 2 - Use lower case, caps

Simple solution - use both in your misspelled word(s)

Rule #3 - Mix numbers and special characters

Take that date and shift a couple characters.

19ShlitsMault&#

This is a password I will NEVER forget and passes all the rules of length
and complexity for any corporate environment, probably military
applications, and even if you know me you will be hard pressed to guess
that one in a million years.

Try it once - you'll like it - and teach your people
data
Forum Fanatic


Joined: 08 May 2004
Posts: 16777211
Location: India


Posted: Sat Oct 23, 2004 11:08 am

NeonWizard wrote:
mightB wrote:
Isn't it more secure to have a password that is a word from another language, so that it won't be prone to an [English] dictionary attack?


A word from another language is good only if someone is trying to find out the password using an English-based dictionary. But in countries such as Germany and Russia, they most likely have their own dictionary based on that language for finding passwords, as most people who live there won't use English as part of their password.


Actually, every language has its own set of frequencies over alphabets, as English does. It would mean that someone who has done a statistical analysis on a given language would be able to correctly decrypt the language (based on a frequency analysis for simple ciphers). He needn't learn to speak or write the language to 'crack' it.

Data.
JustinT
Trusted SF Member


Joined: 17 Apr 2003
Posts: 16777215
Location: Asheville, NC, US / Uberlândia, MG, Brazil


Posted: Mon Oct 25, 2004 6:31 am    Post subject: Even more thoughts.

Indeed. Frequency analysis is a rather general way to statistically look at occurrence probability, so if you know what to expect, you can often exploit that quite well. One decent example of foreign language statistical analysis, for a dictionary attack, is as follows, quoting:

JustinT wrote:

Consider an extension of a dictionary attack, where foreign languages were considered. This particular statistical test involved the Pinyin Romanization of syllables in the Chinese language, in regards to Chinese users. Basically, syllables were combined to form one-syllable, two-syllable, and three-syllable words. Because the aim of this approach was exhaustion, whether or not these words were legible made no difference. As such, the statistics of the Pinyin Romanization system are this: 298 Chinese syllables form the system, indicating that there are a total of 158,404 two-syllable formations, and over 16,000,000 three-syllable formations. I won't go into the semantics of this attack, but I mention it because of the relevance to similar methodology that can be mounted against the English language. As you can see, knowing the environment aids in narrowing the field down, quite significantly.


Statistically, using a foreign language doesn't buy you as much as you might think; there are clever attackers out there and if they want to divulge a secret, they'll flex their capabilities. Practically, depending on the reality of your threat model and environment conditions, it may actually thwart an attack, assuming your attacker is average, dull, and lacks ingenuity (i.e., using a canned utility to search very general, limited dictionary listings, for legible English only). This goes as well for deliberately misspelling words or phrases, or using nonsensical formations. However, this is making a risky assumption, especially since dictionary attacks are so extensive and successful in practice. This risk is akin to saying, "I can get by with 40-bit keys", because your threat model is lenient enough; this makes the assumption that an attacker won't ever exhaust such a key space, which is possible, trivial, and a threat, even if improbable. The idea is to be conservative. Since bits are inexpensive, and being responsible is actually an easy habit once you've gotten the hang of it, there's no excuse not to be. So, despite what "should get by", I think it's best to approach it from a "just in case" angle.

Mongrel wrote:

It CAN be a date
It CAN be a name
It CAN be something everyone knows about you


While the methodologies you mentioned below the above quote might suffice for many situations, it's my opinion that one should refrain from the above generalizations, especially if it will be taken literally, without any additional considerations. First, dates are limited to a small space, complexity-wise (at least considering past and present dates, but still predictable); names are often abused and predictable, statistically, as well. Information known to additional parties can often be detrimental; it's usually wise to limit this, and retain as much uncertainty as possible.

Since dictionary attacks have become so incredibly extensive, the above tactics may fall far short, because of their predictability. So, if they are to be used, it would be best to follow the extra "obfuscating" steps mentioned further in that post. It adds complexity; it may add just enough to thwart an attack. I'm positive Mongrel knew this, and for those reading - please read the entire post, as taking it out of context may mean the difference between glad, or you've been had! I've mentioned about all of my thoughts on this, here, here, and here, so that about concludes everything. There are very clever ways of being innovative and effective with personal information used for access control and cryptography; if you can integrate random, unpredictable values within that - all the better.

Say, close friends know that I'm a huge fan of the Cincinnati Reds. If an attacker knows this, and knows my policy for selecting passwords or passphrases, this may provide information in regards to the probability of likely values, assuming my policy allows me to use information known to others (which it doesn't, but we'll just assume it does). This may be exceptionally risky, considering that sports teams, players, and memorable figures and dates are common choices. Some diehard fans of certain bands are prone to using track names, or obvious variations. If the attacker knows the range of what a particular password is limited to, this may reduce the uncertainty of possible values, in regards to which are more probable than others.

One tactic that may be cumbersome, and is likened to how we view cryptographic keys, is the idea of making any value equally likely. Try to make any value equally likely for a given password, as well as any password for any other account or system that requires such. Never fall into a trend or predictable method for choosing values; this is information that can be used against you. If an attacker happens to divulge one or two passwords, and knows this, he may apply this to others as well. Social engineering works quite well. This may be an extreme, but if you're going to bother with security at all, assume that worst case scenarios are part of your threat model.

The problem isn't only the user; it is equally the fact that systems still using password or passphrase protection often do not demand enough or allow the flexibility to apply secure, yet efficient, techniques. So, until this is addressed systematically, the most secure measures are going to be much too cumbersome for the average Joe, thus limiting the options. Albeit decent, in some cases, an often overlooked fact is that humans not only use systems - they design them. So, responsibility is a two-way street.
Mongrel
SF Mod


Joined: 30 May 2002
Posts: 8



Posted: Mon Oct 25, 2004 11:08 am

Good points JustinT - re: reading the entire post and making sure
to read, practice, and test the obfuscating references yourself. And mind
you this is for joe average in a simple corp environment. It may well be
written in policies that one may not under any circumstances use
any personal information thus rendering my techniques useless.

And I'll take time to read your previous references on this topic.
Thanks for putting them nicely in one place here.
stevensfo
Just Arrived


Joined: 25 Oct 2004
Posts: 0
Location: Italy


Posted: Tue Oct 26, 2004 8:56 am    Post subject: Hiding a long random password

Hi,

I've just found this forum, and I'm really indebted to you all for the excellent advice.
Like the previous poster, I use foreign words and phrases as passwords and never thought there was a problem.

A while ago I downloaded Axcrypt which also produces a 44 character random password if you want one. Is this a bit of overkill?
However, it got me thinking about how I would store such passwords if I used one.

I came up with 2 ideas:

1. Save a webpage (I tried with bbc.co.uk) and right-click on it. Select 'View code' to open the html code in Notepad. Simply insert your password between <!-- and --> and then Save changes. Who would ever think of looking there?

2. Most people nowadays have a digital camera and thus thousands of boring holiday snaps on their PC. Simply use a free steganography program to hide the password inside a jpeg.

Overkill perhaps... but all good fun!


Steve
moner
Just Arrived


Joined: 28 Sep 2004
Posts: 0



Posted: Fri Oct 29, 2004 10:06 pm    Post subject: Re: Hiding a long random password

stevensfo wrote:
Hi,

I've just found this forum, and I'm really indebted to you all for the excellent advice.
Like the previous poster, I use foreign words and phrases as passwords and never thought there was a problem.

A while ago I downloaded Axcrypt which also produces a 44 character random password if you want one. Is this a bit of overkill?
However, it got me thinking about how I would store such passwords if I used one.

I came up with 2 ideas:

1. Save a webpage (I tried with bbc.co.uk) and right-click on it. Select 'View code' to open the html code in Notepad. Simply insert your password between <!-- and --> and then Save changes. Who would ever think of looking there?

2. Most people nowadays have a digital camera and thus thousands of boring holiday snaps on their PC. Simply use a free steganography program to hide the password inside a jpeg.

Overkill perhaps... but all good fun!


Steve


Would you like to recommend any steganography software? I can't seem to find any that is worthwhile. Anyone's comments, suggestions, or recommendations will be welcome.
stevensfo
Just Arrived


Joined: 25 Oct 2004
Posts: 0
Location: Italy


Posted: Fri Oct 29, 2004 11:51 pm

Moner,

There are plenty of programs out there. Just do a search.

However the best free program I found is GRLhidden. This hides files in almost anything and is the only 'free' program that I know which can hide files in jpegs.

I use it for hiding my password.

I've also tried S-tools and Securengine, but they are not as versatile.

Have fun!

Steve
capi
SF Senior Mod


Joined: 21 Sep 2003
Posts: 16777097
Location: Portugal


Posted: Sat Oct 30, 2004 4:52 am

stevensfo wrote:
However the best free program I found is GRLhidden. This hides files in almost anything and is the only 'free' program that I know which can hide files in jpegs.

I'd be very wary of using that program if I were you. In fact, I would not recommend it at all. Its method of hiding is anything but "hidden"; in fact, under some circumstances, the supposedly "hidden" information is right there in plain sight!

Do the following to test for yourself:

  1. Make some example text file, just something like "blabla this is a test, my super hidden password is xxx"
  2. Use GRL to hide that sample file inside some other file. Put in whatever 5 letter code you want. Do not select "compress" at the end. This is only so that it will be easier to see the huge flaw in the design of this program (that it just takes your data and appends it to the target file); if you compress it, the data will be slightly harder to identify of course, but nothing a determined attacker can't get past (in fact, the 5 digit password is never compressed, so all the attacker would need to do is just use GRL himself and un-hide the whole thing).
  3. Ok, now that it's done its "thing", open the output file with any hex editor. Go to the end of the file, and voilà, the entire contents of the supposed "secret", in plain text!!

All this program does is take the data and append it to the end of the file, without altering it in any way. The only way it'll change the data in any (very minor) way is if you choose to compress it. Even then, the 5 digit password is right there in plain text, so it's a trivial matter for anyone to un-hide it using the very same GRL program again.

So, first of all, this isn't stenography at all - all this program does is put the data at the end of the file and nothing more. And even with the "compress" thing, it's still not stenography, it's just data "compressed" (with the password readily available in plain text just before the data). And even disregarding the plaintext password issue, this is still not stenography; at best it would be a poor form of cryptography (cryptography = scramble the meaning of data, stenography = hide the very existence of data). Anyone can look at the file and readily see the difference.
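The appended-data design capi describes is also easy to check for from the defender's side. The script below is an added example (not from the thread and not part of GRLhidden): it walks the JPEG marker segments to find the real End-Of-Image marker and reports whatever follows it. The sample "image" is a constructed minimal JPEG container, not a real photograph.

```python
"""Find data appended after a JPEG's End-Of-Image (EOI) marker.

Added example. Walking the segment structure, rather than checking that the
file ends in FF D9, is what makes a payload tacked onto the end show up as
trailing bytes.
"""
import struct

SOI = b"\xff\xd8"
EOI = b"\xff\xd9"


def _skip_scan_data(data: bytes, pos: int) -> int:
    """Advance past entropy-coded scan bytes. Inside a scan, 0xFF is followed by
    0x00 (byte stuffing) or by a restart marker D0..D7; any other marker ends it."""
    while True:
        nxt = data.find(b"\xff", pos)
        if nxt == -1 or nxt + 1 >= len(data):
            raise ValueError("scan data runs past end of file")
        following = data[nxt + 1]
        if following == 0x00 or 0xD0 <= following <= 0xD7:
            pos = nxt + 2
            continue
        return nxt


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker; raise ValueError if the
    container is malformed."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                        # fill byte before a marker
            pos += 1
            continue
        if marker == 0xD9:                        # EOI
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                              # standalone markers, no length field
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        (seg_len,) = struct.unpack(">H", data[pos + 2:pos + 4])
        pos += 2 + seg_len                        # length field counts itself
        if marker == 0xDA:                        # SOS: entropy-coded data follows
            pos = _skip_scan_data(data, pos)
    raise ValueError("no EOI marker found")


def trailing_bytes(data: bytes) -> bytes:
    """Everything after the real EOI. An intact JPEG yields b''."""
    return data[jpeg_end_offset(data):]


# Constructed minimal JPEG container: SOI, APP0 (JFIF header), SOS header,
# a few scan bytes including a stuffed FF 00, then EOI. Not a decodable picture.
CLEAN_JPEG = (
    SOI
    + b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56"
    + EOI
)
# The same container with a payload simply appended, as capi describes.
APPENDED = CLEAN_JPEG + b"my super hidden password is xxx"

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN_JPEG), ("appended", APPENDED)):
        extra = trailing_bytes(blob)
        print(f"{name}: {len(extra)} trailing byte(s) {extra[:40]!r}")
```

Some legitimate files do carry bytes after EOI (writers that pad, or embed extra data), so a non-zero result is a prompt to inspect the tail, not proof of concealment on its own.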
stevensfo
Just Arrived


Joined: 25 Oct 2004
Posts: 0
Location: Italy


Posted: Sat Oct 30, 2004 9:26 am

Capi,
Thanks for that piece of information. I had no idea!

So, which is the best free program at the moment? I liked GRL because it used jpegs. The others require gifs, bmps and wav sound files.

Recommendations?

Steve
JustinT
Trusted SF Member


Joined: 17 Apr 2003
Posts: 16777215
Location: Asheville, NC, US / Uberlândia, MG, Brazil


Posted: Sat Oct 30, 2004 11:21 pm    Post subject: Precedence.

Perhaps you mean "steganography", instead of "stenography?" Either way, simply hiding plaintext in a predictable manner is dangerous. It's like hiding your cash in the back of your top drawer, instead of just out in plain view on top. It's not going to buy you much. I wouldn't say the definition of steganography explicitly requires that you hide encrypted information, but it would be foolish to not ensure that the existence you're concealing is that of data protected confidentially and with integrity. Otherwise, it serves very little purpose. So, perhaps this satisfies the act of "hiding" it, but it doesn't do it very well, and to think it provides any sense of security is a misguided notion. For it to be effective for its purpose, it must be meticulously deployed and with realistic expectations.

In a sense, using steganography to conceal cryptographically-protected information gives you the opportunity to apply cryptography that adheres to Kerckhoffs's principles, while concealing the act with entirely opposite strategies. "Obscuring the existence of security" rather than security through obscurity, in other words. However, you should never rely on steganography to protect your information; the object is to delay what information is known to an attacker, but we don't design cryptography to rely on this because we know it buys us very little. As we've discussed in the past, steganography probably has more of a political stance than a role in most conventional systems, in regards to a required design criterion. So, you're either using it because cryptography is abhorred and you must conceal it, or because you just fancy the idea of delaying an attacker's ability to divulge ciphertext he may use to perform cryptanalysis. Either way, it shouldn't be an integral part that one relies on, semantically; rely on cryptography, and devote your faith and precedence to getting that right, first and foremost.
bknows
Just Arrived


Joined: 11 Jul 2003
Posts: 5



Posted: Tue Nov 02, 2004 7:47 am

I mostly agree, but the only advantage that I see that steg has over crypto is that crypto screams out that you have something to hide. Steg just says, "Isn't my doggie adorable?"

So to resolve this crisis, hide all your encrypted stuff in stegged files!

Seriously, if you encrypt files, make sure you have some junk files that are encrypted too. Some good ole encrypted white noise. Or encrypt lots of junk files and just steg the real stuff. Your attacker will spend their time focusing on the crypto... kinda like the story about the guy at the construction site who at the end of every day left with a wheelbarrow full of sawdust. The guard searched and searched the dust every day wondering what he was stealing and found nothing. Finally, after 2 weeks, the guard figured it out! He's stealing wheelbarrows! (and another one's gone... and another one bites the dust, heh heh!)
JustinT
Trusted SF Member


Joined: 17 Apr 2003
Posts: 16777215
Location: Asheville, NC, US / Uberlândia, MG, Brazil


Posted: Wed Nov 03, 2004 4:57 am    Post subject: Understanding the limitations.

bknows wrote:
I mostly agree, but the only advantage that I see that steg has over crypto is that crypto screams out that you have something to hide. Steg just says, "Isn't my doggie adorable?"


This is valid, just because it's only fair to cite contrasting "advantages", even if out of context. However, the condition on which this is valid is a very weak condition, at that, because you're forced to assume that steganography satisfies the same application, which it doesn't. In other words, if we assume that either cryptography or steganography are suitable for protecting data, then we assume that steganography has the advantage of concealing existence, over cryptography, which doesn't; this is the dangerous assumption, since steganography doesn't protect data, but rather, just doesn't wave the idea around that there is data being protected, or assumed to be.

It's a contrast, but not a supporting factor in choosing either. Refer to Kerckhoffs's principles; it's easy to draw the analogy that cryptography is founded on those principles, while steganography defies them. Good cryptography is that of open nature, built with resilience to known information in the hands of an attacker; steganography is a clever way to reasonably conceal that information, in an attempt to delay what is known and the complexity of making it known. So, at best, steganography is a complement to cryptography, and an optional complement, at that. In hindsight, due to how we must assume conditions to be in practical security, the alleged advantage isn't really an advantage at all.

It's akin to arguing that some modes of confidentiality are more tolerant to integrity failure than others; this is true, if you assume integrity to be a function of a mode of confidentiality, but such an assumption is dangerous, as modes that are only confidentiality-aware provide only that, and do not satisfy the issue, or even mitigate the problem. Because of that, authentication is integral, just as much as encryption. So, these so-called advantages are left with no bearing at all. They aren't significant enough to fulfil the criteria imposed by proper assurance of data integrity, nor is steganography a satisfying solution to the proper assurance of data confidentiality or integrity.

Quote:

So to resolve this crisis, hide all your encrypted stuff in stegged files!


My above comments were just opinionated "caveats" for the general audience to consider. I say this because I understand your comments were more general, and not so rigorous in the detail of conditional assumptions, but I'm sure you're aware of the limitations. So, I agree, if you're going to use steganography, apply it to data protected by cryptography. Unless there is some militaristic requirement, or political crisis that renders cryptography a "bad science" in your particular nook of the globe, and because cryptography, as a whole, should be built to cater to the needs of information confidentiality and integrity, conventional systems shouldn't require steganography at all. Many can't, given their tight constraints.

If it's to be used, it should be understood that cryptography is still a necessity, and the limitations of steganography are far too monumental to substitute the former with the latter. Besides, a clever attacker will exploit user irresponsibility in non-cryptographic areas, or the handling of cryptographic parameters; implementation has a better track record, in regards to failing, as opposed to the actual science being implemented. So, information security is a pipe-dream, at its practical climax; it's going to take much more than rigorous cryptography to protect information. Adversaries take advantage of this shortcoming and are often left with open doors not related to the cryptography at all. It's like leaving your windows up, but confiding in the doors constructed from tungsten and protected by the most sophisticated of locking mechanisms. Almost a laughing matter.
bknows
Just Arrived


Joined: 11 Jul 2003
Posts: 5



Posted: Wed Nov 03, 2004 7:26 am

You didn't comment on the junk crypted files. You missed an opportunity!

Yes, Mr. K's complaint was too many secrets, and that's bad for security. We want security to be tested! My comments were mostly tobacco-in-cheek with some serious drool dribbling out.

Of course, most good forensic tools will easily find stegged files, files with extensions that were changed (.xls to .jpeg), and any crypted files. However, most folks we're battling against don't run around with forensic tools in their back pocket. Wouldn't you agree that most of those we want to keep out of our files are those who take a quick peek and don't have the time or the skill to "practice cryptanalysis" (as you might phrase it), nor know anything about stego?

The bottom line is that we only need to apply the security protections that most closely match the risk, and not an XOR'd bit more. Of course, you could say we need to protect ourselves from ninja assassins, but who's seen one of those lately in the civilized world (which is getting smaller, by the way)?

If you just want to keep the stuff from your Mom's eyes, fine. But if it's critical stuff that you carry around on a mobile device, then perhaps some heavier soup would be appropriate.
moner
Just Arrived


Joined: 28 Sep 2004
Posts: 0



Posted: Thu Nov 04, 2004 10:32 pm

Can someone help me understand how password cracking or brute force works? How does a program know that a particular password that has been found is the correct one? E.g. say my password was "pass"; how would the computer program know that it has hit the bull's eye, for e.g. a PGP disk or something else? I know it might be basics for most of you, but I don't know.
data
Forum Fanatic


Joined: 08 May 2004
Posts: 16777211
Location: India


Posted: Fri Nov 05, 2004 10:51 am

moner wrote:
Can someone help me understand how password cracking or brute force works? How does a program know that a particular password that has been found is the correct one? E.g. say my password was "pass"; how would the computer program know that it has hit the bull's eye, for e.g. a PGP disk or something else? I know it might be basics for most of you, but I don't know.


The computer internally may use a comparator circuit.
Otherwise, for example, we could use an XOR scheme.

If A=B, A XOR B = 0. So, if we do an XOR operation and the result in the stored register is zero, we know A=B. If the register value is non-zero, we know the comparison strings are unequal.

Data.
AdamV
SF Mod


Joined: 06 Oct 2004
Posts: 24
Location: Leeds, UK


Posted: Fri Nov 05, 2004 12:15 pm

moner wrote:
Can someone help me understand how password cracking or brute force works? How does a program know that a particular password that has been found is the correct one? E.g. say my password was "pass"; how would the computer program know that it has hit the bull's eye, for e.g. a PGP disk or something else? I know it might be basics for most of you, but I don't know.


When the encryption scheme is known (although a decryption method may not be known or may not even exist) then the password cracker does what the normal system would do.

For example, on a Windows network, when you change your password, it is encrypted and only the encrypted version is stored, never the plaintext. When you log in, your password attempt is encrypted and this is compared with the stored encrypted copy.

So, the cracking tool does the same thing - it makes up a word to try (or a set of random characters) and then encrypts this and compares with the encrypted hash, which has either been taken off a server or possibly sniffed from the network.

Does that make sense?
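The store-only-a-hash scheme AdamV describes, written out as an added example (not code from the thread or from any cracking tool): the same `verify()` routine serves the login path and an administrator's weak-password audit of the kind Mongrel ran LC4/LC5 for, which is also why a copied hash file is enough for a guessing attack. PBKDF2-HMAC-SHA256 with a random salt is an assumption standing in for the unnamed Windows scheme; the accounts and the banned word list are constructed inline.

```python
"""Hash-and-compare password verification and a defender's audit built on it.

Added example. The system keeps salt + cost + hash, never the plaintext; a login
attempt is run through the same one-way function and the results are compared.
"""
import hashlib
import hmac
import os


def derive(password: str, salt: bytes, iterations: int) -> bytes:
    """One-way transform used both when the password is set and when it is checked.
    Iterations are the defender's lever: each guess must pay this cost too."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str, iterations: int = 100_000) -> dict:
    """What is stored at password-change time. A fresh random salt per account
    means two users with the same password do not share a stored hash."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": derive(password, salt, iterations)}


def verify(record: dict, attempt: str) -> bool:
    """Login path. compare_digest is the constant-time form of the "XOR and test
    for zero" comparator data describes: it does not stop at the first differing byte."""
    candidate = derive(attempt, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["hash"])


def audit_weak_passwords(records: dict, banned: list) -> dict:
    """Administrator's check: flag accounts whose stored hash matches a banned word.
    It needs nothing beyond verify() and the stored records, which is exactly
    why a stolen hash file gives an attacker the same capability offline."""
    flagged = {}
    for user, rec in records.items():
        for word in banned:
            if verify(rec, word):
                flagged[user] = word
                break
    return flagged


BANNED = ["password", "pass", "letmein", "qwerty"]   # constructed sample list


def demo() -> dict:
    # Constructed accounts; low iteration count only so the example runs quickly.
    records = {
        "alice": make_record("pass", iterations=1000),            # in the banned list
        "bob": make_record("19ShlitsMault&#", iterations=1000),   # Mongrel's example, not in it
    }
    return audit_weak_passwords(records, BANNED)


if __name__ == "__main__":
    print(demo())   # {'alice': 'pass'}
```

Note what the audit does not do: it cannot recover bob's password from the hash; it can only confirm or reject candidates, which is the whole reason a high per-guess cost and an unpredictable password matter.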