Conversation

Notices

  1. Ryan Castellucci (ryanc@infosec.exchange)'s status on Wednesday, 26-Jun-2024 00:25:25 JST

    Ryan's guide to determining whether your password is secure:

    1) Did you pick it yourself? If yes, it is not secure.

    2) Is it unique? If no, it is not secure.

    3) Is it part of a "password system"? If yes, it is not secure.

    4) Is it created using a deterministic password generator? If yes, it's part of a "password system" and therefore not secure.

    5) Did your password manager randomly generate it for you? If yes, it's probably fine.

    6) Did you generate it with dice? If yes, it's probably fine.

    7) Did you create your password in some other way? It's probably fucked.

    • Ryan Castellucci (ryanc@infosec.exchange)'s status on Wednesday, 26-Jun-2024 00:49:45 JST
      in reply to
      • Alexand

      @djg fucked

    • Alexand (djg@toad.social)'s status on Wednesday, 26-Jun-2024 00:49:46 JST
      in reply to

      @ryanc

      Please rate my method of creating passwords:
      I have a paperback book and use the first 12 characters of the first line at the top of the page including punctuation followed by the page number. I just use the next page every time I need a new password.

    • Ryan Castellucci (ryanc@infosec.exchange)'s status on Wednesday, 26-Jun-2024 00:50:31 JST
      in reply to
      • Rich Felker
      • Amber
      • Alexand

      @puppygirlhornypost @dalias @djg probably fucked

    • Amber (puppygirlhornypost@transfem.social)'s status on Wednesday, 26-Jun-2024 00:50:32 JST
      in reply to
      • Rich Felker
      • Alexand

      @dalias@hachyderm.io @djg@toad.social @ryanc@infosec.exchange Now we have to answer the question, is the library of babel deterministic and therefore not a secure password?

    • Amber (puppygirlhornypost@transfem.social)'s status on Wednesday, 26-Jun-2024 00:50:33 JST
      in reply to
      • Rich Felker
      • Alexand

      @dalias@hachyderm.io @djg@toad.social @ryanc@infosec.exchange consider: https://libraryofbabel.info/ i grab my book from this.

      Attachment: Library of Babel (libraryofbabel.info), from Jonathan Basile, Jorge Luis Borges: "A project towards a universal library. By this art you may contemplate the variation of the 23 letters."

    • Rich Felker (dalias@hachyderm.io)'s status on Wednesday, 26-Jun-2024 00:50:34 JST
      in reply to
      • Alexand

      @djg @ryanc See: 3, 4, 7

    • Martin Pilkington (pilky@mastodon.social)'s status on Wednesday, 26-Jun-2024 00:50:54 JST
      in reply to
      • Jan Lehnardt :couchdb:

      @ryanc @janl Website: “Create an account”

      Me: *rolls initiative*

    • Ron Bowes (iagox86@infosec.exchange)'s status on Wednesday, 26-Jun-2024 00:51:14 JST
      in reply to

      @ryanc Thank you! Every time a security awareness training class talks about how to choose a secure and memorable password, I die a little. It's missing the point. Humans can't remember more than like 3-4 passwords, so we shouldn't. Teach users how to use a password manager!!

    • Ryan Castellucci (ryanc@infosec.exchange)'s status on Wednesday, 26-Jun-2024 01:00:45 JST
      in reply to

      If you have to ask in response to this post, your method is bad, sorry. 🤷

    • J. R. DePriest (jrdepriest@infosec.exchange)'s status on Wednesday, 26-Jun-2024 01:08:36 JST
      in reply to

      @ryanc

      What if your password is:
      They said I had to use a passphrase now?

    • Ryan Castellucci (ryanc@infosec.exchange)'s status on Wednesday, 26-Jun-2024 01:09:44 JST
      in reply to
      • Alexand

      @djg I have written password crackers and cracked this kind of password with them.

    • Alexand (djg@toad.social)'s status on Wednesday, 26-Jun-2024 01:09:45 JST
      in reply to

      @ryanc

      I ran l0phtcrack against my SAM file a while back and these passwords were the last to be brute forced…nearly a string of random letters with only one or two common words embedded. Do you use a similar tool for testing?

    • Ryan Castellucci (ryanc@infosec.exchange)'s status on Wednesday, 26-Jun-2024 01:13:32 JST
      in reply to
      • dade

      @dade password manager with extra steps

    • dade (dade@crime.st)'s status on Wednesday, 26-Jun-2024 01:13:33 JST
      in reply to

      @ryanc Password Management system idea:

      1. Purchase a brick of playing cards.

      2. Shuffle each deck at least 7 times.

      3. Use the complete card order as your password (or as far as the shitty website will let you get into it)

      4. Subtly mark each deck's box to indicate which site it is for.

      5. Never lose or use your playing cards

    • Insecurity Princess 🌈💖🔥 (saraislet@infosec.exchange)'s status on Wednesday, 26-Jun-2024 01:14:31 JST
      in reply to

      @ryanc Does that apply equally to all passwords for all systems?

      Do all passwords need to be "secure"?

    • Adam Katz (adamhotep@infosec.exchange)'s status on Wednesday, 26-Jun-2024 01:20:37 JST
      in reply to

      @ryanc This is a good list. Humans are bad at random:
      https://infosec.exchange/@adamhotep/112440540150220075

      Attachment: Adam Katz (@adamhotep@infosec.exchange), 1 video:
      "Do not conflate these terms!
      Random: Completely up to chance
      Arbitrary: Unexpected; seemingly random
      Obscure: Generally unknown; topically arbitrary
      Humans can't come up with things at #random; we accidentally create patterns. Use a password manager to generate your passwords and passphrases."

    • Ryan Castellucci (ryanc@infosec.exchange)'s status on Wednesday, 26-Jun-2024 01:40:36 JST
      in reply to
      • Insecurity Princess 🌈💖🔥

      @saraislet Great point. This post was somewhat prompted by someone describing passwords as "kayfabe".

      Many passwords are vestigial, existing within systems that assume (rightly) that they are not secure. They're there because they're expected, the actual security lies elsewhere.

      The nuance seems difficult to explain to people, though.

    • Ryan Castellucci (ryanc@infosec.exchange)'s status on Wednesday, 26-Jun-2024 01:43:21 JST
      in reply to
      • Insecurity Princess 🌈💖🔥

      @saraislet My general opinion is that systems need to be designed to account for the fact that they're used by humans. We have very predictable failure modes that must be accounted for - trying to get us to change our behaviour to be "more secure" is like nailing jelly to a tree.

    • Ryan Castellucci (ryanc@infosec.exchange)'s status on Wednesday, 26-Jun-2024 01:45:31 JST
      in reply to
      • yetzt

      @yetzt I built a CTF challenge involving a password generator that had unicode replacement character problems.

      Something like generate N random bytes, base64 encode them, oops they were treated as utf8 before base64 happened.

    • yetzt (yetzt@vis.social)'s status on Wednesday, 26-Jun-2024 01:45:32 JST
      in reply to

      @ryanc 8) can the system understand or deal with the encoding your password uses? (yes, there are passwords that happen to consist entirely of unicode replacement characters because of issues like that)

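The encoding failure Ryan describes above, and the "can the system deal with your password's encoding" check yetzt's item 8 asks for, as an added example that is not code from either post or from the CTF challenge itself. The two generator functions are my reconstruction of the described bug (raw random bytes decoded as UTF-8 before base64), shown beside the correct form, with an exact entropy count for small inputs and a cheap audit for encoded U+FFFD in an existing base64 password; all function names are mine.

```python
import base64
import math
from collections import Counter

# Reconstructed from the thread's description ("generate N random bytes,
# base64 encode them, oops they were treated as utf8"); not the CTF code.


def buggy_generate(raw: bytes) -> str:
    """Random bytes decoded as UTF-8 (with replacement) before base64.
    Every invalid byte sequence collapses into U+FFFD, so many distinct
    inputs yield the same password and the real entropy is far lower."""
    text = raw.decode("utf-8", errors="replace")  # the mistake
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def correct_generate(raw: bytes) -> str:
    """Base64 maps bytes to text; hand it the raw bytes and never decode."""
    return base64.b64encode(raw).decode("ascii")


def distinct_outputs(generate, n: int) -> int:
    """How many different passwords all 256**n possible inputs produce."""
    return len({generate(i.to_bytes(n, "big")) for i in range(256 ** n)})


def output_entropy_bits(generate, n: int) -> float:
    """Exact Shannon entropy of generate(raw) for raw uniform over n bytes.
    Enumerates every input, so keep n at 1 or 2; that already shows it."""
    total = 256 ** n
    counts = Counter(generate(i.to_bytes(n, "big")) for i in range(total))
    return -sum(c / total * math.log2(c / total) for c in counts.values())


REPLACEMENT_UTF8 = "\ufffd".encode("utf-8")  # b'\xef\xbf\xbd'


def contains_replacement_char(password_b64: str) -> bool:
    """Audit an existing base64 password: decode it and look for the UTF-8
    bytes of U+FFFD. A generator fed raw bytes emits this 3-byte run only
    by chance; a generator with the bug emits it for most inputs."""
    return REPLACEMENT_UTF8 in base64.b64decode(password_b64)


if __name__ == "__main__":
    for name, gen in (("buggy", buggy_generate), ("correct", correct_generate)):
        print(f"{name:7s}: {distinct_outputs(gen, 1):3d} distinct outputs from "
              f"256 one-byte inputs, {output_entropy_bits(gen, 1):.2f} bits")
    print("buggy output for every byte 0x80..0xFF is", buggy_generate(b"\x80"))
```

For one input byte the buggy path keeps 4.5 bits of the intended 8 (all 128 high bytes become the same "77+9"), and the loss compounds across longer inputs.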
    • Wendy Nather (wendynather@infosec.exchange)'s status on Wednesday, 26-Jun-2024 02:10:18 JST
      in reply to
      • Dan Goodin

      @ryanc @dangoodin As a sysadmin, I used to generate them by hitting the keyboard with a rolled-up newspaper. And yes, I did switch hands. But this was a very long time ago, as evidenced by “keyboard” and “newspaper.”

    • Ryan Castellucci (ryanc@infosec.exchange)'s status on Wednesday, 26-Jun-2024 02:28:17 JST
      in reply to
      • John M. Gamble

      @jgamble I have a bunch of those dice!

    • John M. Gamble (jgamble@fosstodon.org)'s status on Wednesday, 26-Jun-2024 02:28:19 JST
      in reply to

      @ryanc

      Part 2 of my 3-part password making system.

      (Part 1 *is* deterministic, but it's useful to me so it stays. Part three isn't deterministic, but I'm also not revealing it.)

      Attachment: https://cdn.fosstodon.org/media_attachments/files/112/678/412/776/375/659/original/decbd8949e499212.jpg

    • Ryan Castellucci (ryanc@infosec.exchange)'s status on Wednesday, 26-Jun-2024 04:33:22 JST
      in reply to
      • migmit

      @migmit and yet you replied

    • migmit (migmit@mstdn.social)'s status on Wednesday, 26-Jun-2024 04:33:23 JST
      in reply to

      @ryanc 0) Do you care? If not, it's fine, stop reading.

    • Ryan Castellucci (ryanc@infosec.exchange)'s status on Wednesday, 26-Jun-2024 21:36:42 JST
      in reply to
      • Sashin

      @sashin 3 and 4 are password reuse with extra steps

    • Sashin (sashin@veganism.social)'s status on Wednesday, 26-Jun-2024 21:36:43 JST
      in reply to

      @ryanc Why is 5 different to 3 and 4?


GNU social JP is a social network, courtesy of GNU social JP管理人. It runs on GNU social, version 2.0.2-dev, available under the GNU Affero General Public License.

Creative Commons Attribution 3.0 All GNU social JP content and data are available under the Creative Commons Attribution 3.0 license.