Thank you abobader, I am working on the next security piece just hope I don't get shadow banned, for some reason You Tube hates us talking about securing our operating systems
I am using the encrypted file approach (pass). No big deal to maintain and synchronize. There is rsync for a reason (over ssh, of course and within the local network).
I used to use pass - password store - it is wrapper written in shell around GPG. Each password entry is separate GPG encrypted file stored in directory hierarchy. It also has a wrapper to push/pull/sync with git :-) There are also very nice phone clients and browser extensions that work just fine. The only hassle is GPG itself :-)
Thank for this topic. The problem of a so calling bus factor is not solved when the only key keeper is one person. So if password keeper was hit by a bus secrets pass away too forever.
So, as a someone who works more on the information secutiry side of things, there are several issues here either not covered or not covered fully that ends up mistating things. 1. The 7 character remembering, not, that is not how it really works at all, the study has a flaw. We remember things through association, if we can associate it with something we find important, we can with a little effort remember a lot longer things. I can remember 11 digit UK mobile phone numbers of certain important contacts for example, it does take a real effort to get them in there. Students regularly memorise their enrolment or examination ID numbers, there are those that have memorised their social security number... Of course I would recommend a phrase anyway, phrase made up by joining a 4-5 randomly generated words or similar can be much longer as a phrase is easier to associate. 2. Password expiration timer, I agree on this being good to hace, but one should not be regularly changing passwords, it leads to bad practices from just the anoyance of it. I would only use it if I have no choice and I would send a message to whatever administrator is making such a requirement about just how bad such requirements are. Passwords only need be changed when there is some evidence they have been exposed if properly managed, and if not properly managed expiration is the least of the issues. 3. Quantum computers, it depends, and this is why I would not recommend GPG for password manager. Quantum computers break current classical public key cryptography (there are new algorithms for more resistance that are being evaluated), this is because Schor's algorithm solves the prime factorization and discrete logarithm problems those encryption algorithms are based on. For symmetric key cryptography, it about equivilent to the time it takes to crack half the key size. so a 256bit key is still 128bits which is still more than enough. Obviously these are theorectical based on best quantum cracking algorithms we have.
Let's see first: Number 1, you can disagree all you like but the study called the seven number phenomena the "magical number seven" it was discovered in the 1950's as the maximum number working memory could hold and recall. If you still disagree you can take it up with them. I didn't discover it. 2. You might want to review the NIST standard under 800 for a list of best practices which are requirements for certification in the US for governmental sites, note DoD sites have much stricter standards which include mandatory password expiration times that vary depending on the security classification of the network. I am surprised that someone in information security isn't familiar with them, but perhaps you are not from the US. 3, Proposed for Quantum computings defeat of current methods of asymmetric encryption algorithms are known as Post Quantum Cryptographic (PQC) Algorithms, they are currently in draft status as of 2022, with plans to finalize them in 2024. Schor's algorithm fails above a factorization of 35 due to accumulated errors . This was demonstrated by IBM on IBM Q System ONE in 2019. There are other algorithms which work well above the 35 factor, but Schor's is not one of them. Note: My reply may differ from what was said in the video, but the video was created in 2021 and my time machine is currently under repair.
I (for fun) began working on a state-minimal password manager just like the author of Spectre too. But after considering the difference between a pw database with unique random passwords stored with encryption vs a master password + crypt functions to generate site unique passwords - I fugured that it is not safe. The reason is that a key logger can get your master password and then brute force (which is easy here) any site domain name and a counter etc to arrive at your password (as long as they have a username that matches your account too). I would argue that a pw db like KeepassXC is better for you than Spectre masterpassword + site domain crypto approach.
Thanks for the informative video, Currently I use Firefox account as a password manager, hope to shift to something professional soon. By the way, you mentioned that you want one that can run on your ARM machine, do you use raspberry?
is cloud storage really a problem if you use a strong password for your encrypted passwords? i have a really long password that I remember for the master, and everything inside is just random strings automatically generated. I sync it to google drive so I can get updates across my devices.
I may be incorrect, but essentially isn't spectre basically the same idea as a password manager? It seems to me with both you have one master password. The only benefit from spectre, it seems, is that it essentially automagically generates a unique password instead of having to do it yourself with the password manager app.
Very informative DJ thanks! I use Bitwarden extension in Firefox. Wich option should I use for vault timeout? What to do with the master password? Also at least 18 characters? And where to keep it? Write it down?
That is a problem I am working on at the moment too, Johan and will come back with a solution as soon as I can work out a decent solution to it, I can hardly wait for 36 char passwords, hopefully by then the whole password mess will be dead.
You should consider using AGC on your audio. Often your voice trails off to - inaudible and if I turn it up it's too loud. A compressor limiter may help, if you already have one perhaps make an adjustment. The more I listen the more your speech does trail off. I guess that's the way you roll, just a friendly comment DJ. Thanks for sharing your vast knowledge, experince and expertise.
Thanks Rick for the suggestion, I moved the mic so its in front of me which will help I am sure. I noticed the same thing, am trailing off a bit when looking away from the mic, the C7 has a pretty narrow width on its polar pattern I could switch in the C4, but that would be total overkill for a you tube video
Thanks a lot In depth analysis presented in an easy to understand way Also, one more question I had made another comment with a question/request and I came back to see your response I can't see it now Did you happen to delete it? If so, can you please tell me the reason. I didn't find anything objectionable to that.
for what it's worth, regarding quantum computers, passwords are symmetric cryptography (and the database should be encrypted with symmetric cryptography, derived from the master password) so its Grover rather than Shor. AES-256 is safe against quantum computers, but only with 128 bits of security rather than the full 256 with Grover's Algorithm. only public key cryptography (key exchange and signature schemes based on discreet log or factorisation like RSA, DH, DSA and their Elliptic Curve equivalents) are really in trouble. it shouldn't be a problem for data at rest.
additionally, sort of a concern for Spectre: all the passwords are derived from a single secret. if one password it generates leaked (e.g. a site you use is hacked and the raw password obtained by you logging in while it was compromised) then an attacker likely has your full name. they could then spend time bruteforcing to see what passphrase input in to spectre and derive your master secret. once they have this, they have all your passwords. with a traditional password database, the secrets are compartmentalised and this can't be done as each password is its own, unrelated, random value.
Two things I've been wondering about. If you using a password of only 6 characters then there would millions of possibilities. In order to crack it some site would have test millions of wrong passwords on your computer. Why isn't there some kind of monitor program that could block any source trying more than a few wrong passwords? I guess it isn't possible or somebody would have already done it. And then there's Intel Management Engine and reportedly something similar from AMD that have a backdoor into your system. Once someone is inside your system passwords don't protect anything. That's what I've heard anyway. I could be wrong.
Hi Bill, there is a couple of ways on Linux to handle this, you can configure the system to delay between password guesses, and you can configure login to lock out the account after a number of unsuccessful attempts. This block can automatically release after a certain amount of time has passed or you can leave the lock in place permanently and have the system admin remove it manually. The backdoor in the IME works as you have described, there other ways to do this like a shell out inside a system service running as root, once you get the shell prompt for root its game over.
yeah but what kind of passwords do you have? most of my passwords are small beer. Almost all. Example is my NETFLIX password. So who cares? Nobody is going to spend a lot of time to crack it.
I like the pass-git strategy too. I think the simplicity of it makes it very secure.
In keepassxc I do see a password generator and it can lock db computer is idle (not sure if it was meant that only db was idle)
I really enjoy this subject, well done DJ!
Thank you abobader, I am working on the next security piece just hope I don't get shadow banned, for some reason You Tube hates us talking about securing our operating systems
DJ ware I loved the in depth comparison and would like to see a follow up on Spectre. Thanks!
Hi Aris, I will be watching the progress on it and will do a follow up
Thanks DJ 👍
You bet Ernest
I am using the encrypted file approach (pass). No big deal to maintain and synchronize. There is rsync for a reason (over ssh, of course and within the local network).
Thank you for another brilliant overview.
I used to use pass - password store - it is wrapper written in shell around GPG. Each password entry is separate GPG encrypted file stored in directory hierarchy. It also has a wrapper to push/pull/sync with git :-)
There are also very nice phone clients and browser extensions that work just fine.
The only hassle is GPG itself :-)
This was Properly Considered, Thorough and, It made me THINK Security ! Many Thanks for waking me up.
I said Neiman Marcus had a 4.2 million user data spill, it was actually a little bit more at 4.6 million users
Good explanation. Thanks.
Glad it was helpful, Steven
Thank for this topic. The problem of a so calling bus factor is not solved when the only key keeper is one person. So if password keeper was hit by a bus secrets pass away too forever.
So, as a someone who works more on the information secutiry side of things, there are several issues here either not covered or not covered fully that ends up mistating things.
1. The 7 character remembering, not, that is not how it really works at all, the study has a flaw. We remember things through association, if we can associate it with something we find important, we can with a little effort remember a lot longer things. I can remember 11 digit UK mobile phone numbers of certain important contacts for example, it does take a real effort to get them in there. Students regularly memorise their enrolment or examination ID numbers, there are those that have memorised their social security number... Of course I would recommend a phrase anyway, phrase made up by joining a 4-5 randomly generated words or similar can be much longer as a phrase is easier to associate.
2. Password expiration timer, I agree on this being good to hace, but one should not be regularly changing passwords, it leads to bad practices from just the anoyance of it. I would only use it if I have no choice and I would send a message to whatever administrator is making such a requirement about just how bad such requirements are. Passwords only need be changed when there is some evidence they have been exposed if properly managed, and if not properly managed expiration is the least of the issues.
3. Quantum computers, it depends, and this is why I would not recommend GPG for password manager. Quantum computers break current classical public key cryptography (there are new algorithms for more resistance that are being evaluated), this is because Schor's algorithm solves the prime factorization and discrete logarithm problems those encryption algorithms are based on. For symmetric key cryptography, it about equivilent to the time it takes to crack half the key size. so a 256bit key is still 128bits which is still more than enough. Obviously these are theorectical based on best quantum cracking algorithms we have.
Let's see first: Number 1, you can disagree all you like but the study called the seven number phenomena the "magical number seven" it was discovered in the 1950's as the maximum number working memory could hold and recall. If you still disagree you can take it up with them. I didn't discover it.
2. You might want to review the NIST standard under 800 for a list of best practices which are requirements for certification in the US for governmental sites, note DoD sites have much stricter standards which include mandatory password expiration times that vary depending on the security classification of the network. I am surprised that someone in information security isn't familiar with them, but perhaps you are not from the US.
3, Proposed for Quantum computings defeat of current methods of asymmetric encryption algorithms are known as Post Quantum Cryptographic (PQC) Algorithms, they are currently in draft status as of 2022, with plans to finalize them in 2024. Schor's algorithm fails above a factorization of 35 due to accumulated errors . This was demonstrated by IBM on IBM Q System ONE in 2019. There are other algorithms which work well above the 35 factor, but Schor's is not one of them.
Note: My reply may differ from what was said in the video, but the video was created in 2021 and my time machine is currently under repair.
Any ideas on LessPass (which use alternative approach)?. Great vid as always!
Looks interesting, never heard of it until your message, will have a look and see. Thanks jujujuju
Bitwarden. 15:50 - 19:27
Comparison. 27:22 - 29:08
Final thoughts. 29:10 - 31:30
Spectra. 31:35
I (for fun) began working on a state-minimal password manager just like the author of Spectre too. But after considering the difference between a pw database with unique random passwords stored with encryption vs a master password + crypt functions to generate site unique passwords - I fugured that it is not safe. The reason is that a key logger can get your master password and then brute force (which is easy here) any site domain name and a counter etc to arrive at your password (as long as they have a username that matches your account too). I would argue that a pw db like KeepassXC is better for you than Spectre masterpassword + site domain crypto approach.
Thanks for the informative video,
Currently I use Firefox account as a password manager, hope to shift to something professional soon.
By the way, you mentioned that you want one that can run on your ARM machine, do you use raspberry?
I sure do have a Raspberry Pi, and some other ARM machines as well mostly Odroids. Thanks for the question, Sally
is cloud storage really a problem if you use a strong password for your encrypted passwords? i have a really long password that I remember for the master, and everything inside is just random strings automatically generated. I sync it to google drive so I can get updates across my devices.
for me it is, my experience with security has left me jaded "Trust no one" hehe
I use synching instead so it never sits on a drive somewhere. Encrypted transfer
I may be incorrect, but essentially isn't spectre basically the same idea as a password manager? It seems to me with both you have one master password. The only benefit from spectre, it seems, is that it essentially automagically generates a unique password instead of having to do it yourself with the password manager app.
Very informative DJ thanks! I use Bitwarden extension in Firefox. Wich option should I use for vault timeout? What to do with the master password? Also at least 18 characters? And where to keep it? Write it down?
That is a problem I am working on at the moment too, Johan and will come back with a solution as soon as I can work out a decent solution to it, I can hardly wait for 36 char passwords, hopefully by then the whole password mess will be dead.
You should consider using AGC on your audio. Often your voice trails off to - inaudible and if I turn it up it's too loud. A compressor limiter may help, if you already have one perhaps make an adjustment. The more I listen the more your speech does trail off. I guess that's the way you roll, just a friendly comment DJ. Thanks for sharing your vast knowledge, experince and expertise.
Thanks Rick for the suggestion, I moved the mic so its in front of me which will help I am sure. I noticed the same thing, am trailing off a bit when looking away from the mic, the C7 has a pretty narrow width on its polar pattern I could switch in the C4, but that would be total overkill for a you tube video
@@CyberGizmo I would describe C4 to be more explosive than overkill. Truly overkill under certain hands, but for regular Joe totally safe.
Thank you kind sir. Spectre seems to be a way to go, I hope to see a review in due course.
Hi Tony, yep will review it as soon as it reaches RC status
Thanks a lot
In depth analysis presented in an easy to understand way
Also, one more question
I had made another comment with a question/request and I came back to see your response
I can't see it now
Did you happen to delete it? If so, can you please tell me the reason. I didn't find anything objectionable to that.
for what it's worth, regarding quantum computers, passwords are symmetric cryptography (and the database should be encrypted with symmetric cryptography, derived from the master password) so its Grover rather than Shor. AES-256 is safe against quantum computers, but only with 128 bits of security rather than the full 256 with Grover's Algorithm.
only public key cryptography (key exchange and signature schemes based on discreet log or factorisation like RSA, DH, DSA and their Elliptic Curve equivalents) are really in trouble.
it shouldn't be a problem for data at rest.
additionally, sort of a concern for Spectre: all the passwords are derived from a single secret.
if one password it generates leaked (e.g. a site you use is hacked and the raw password obtained by you logging in while it was compromised) then an attacker likely has your full name.
they could then spend time bruteforcing to see what passphrase input in to spectre and derive your master secret.
once they have this, they have all your passwords.
with a traditional password database, the secrets are compartmentalised and this can't be done as each password is its own, unrelated, random value.
Keepass with a password+key file has always seemed robust to me
Hoping I'm correct to believe that
lesspass is another ROS and is pretty good
👍👍
Mr. DJ please more Truenas Scale videos. like install traefik, nextcloud etc...
I could do a short series on it, I spent way too much time playing with the VMs, thanks for the suggestion Ruperto
Dropped LastPass well over a year ago
Password expiration makes no sense. It the password is good keep it if not change it immediately.
Two things I've been wondering about. If you using a password of only 6 characters then there would millions of possibilities. In order to crack it some site would have test millions of wrong passwords on your computer. Why isn't there some kind of monitor program that could block any source trying more than a few wrong passwords? I guess it isn't possible or somebody would have already done it. And then there's Intel Management Engine and reportedly something similar from AMD that have a backdoor into your system. Once someone is inside your system passwords don't protect anything. That's what I've heard anyway. I could be wrong.
Hi Bill, there is a couple of ways on Linux to handle this, you can configure the system to delay between password guesses, and you can configure login to lock out the account after a number of unsuccessful attempts. This block can automatically release after a certain amount of time has passed or you can leave the lock in place permanently and have the system admin remove it manually. The backdoor in the IME works as you have described, there other ways to do this like a shell out inside a system service running as root, once you get the shell prompt for root its game over.
It's now known that cosmic rays can bugger up quantum computers.
yeah but what kind of passwords do you have? most of my passwords are small beer. Almost all. Example is my NETFLIX password. So who cares? Nobody is going to spend a lot of time to crack it.