[colug-432] password survey

Angelo McComis angelo at mccomis.com
Sat May 24 12:21:29 EDT 2014



> On May 24, 2014, at 11:46 AM, Rob Funk <rfunk at funknet.net> wrote:
> 
> The problem is that it doesn't solve the problem of existing protocols. SSH 
> is great, but that doesn't help with logging into Google or my bank or my 
> company's mail server, much less using my phone to do those things, nor 
> with getting random non-techies secure access to what they need.

Bingo. Unless said entity has their encrypted passwords ripped through some kind of internal-based exploit and those hashes can then be reverse engineered. By internal, I am inferring an inside job or a bad guy that has worked his way into the inside.

The best way on these is to change your password regularly and make them reasonably secure. For example, I use a combination of alphanumeric and symbols but originating from a purposely misspelled word. Thus that won't ever come up on a dictionary-based 0/o, I/1, r/4, e/3 "leet substitution" combined attack. Also account lockout and other mitigating measures are smart to implement on the hosting side to slow down brute attempts.

Yubikey could be circumvented pretty easily. Borrow the device. Open vi, press the button. Watch it output the 44 chars, save that out or take a pic of it and now you have the secure string it uses. If it were to use a "very long" string, that might be say 4096 chars, it would still be possible to compromise in the same manner but a bit more difficult to manage carrying a string of that length around in a way you could easily input it to open your lastpass vault.
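The two hosting-side measures mentioned in this thread, rejecting passwords that are just a dictionary word with "leet" substitutions and locking an account after repeated failures, are small enough to show in code. The block below is an added example written for this page, not code from the poster or from any product named in the thread. The wordlist is a constructed sample, the substitution table is an assumed set of common swaps (the post's 0/o, 1/I, 3/e plus a few others), and the lockout thresholds are placeholder values.

```python
"""Defender-side password checks: leet-normalised dictionary lookup and a
per-account lockout counter. Added example; wordlist and thresholds are
constructed sample values, not from the original post."""
import re
import time
from itertools import product

# Assumed substitution table: each character maps to the letters it is
# commonly used to stand in for. The character itself is also kept as a
# candidate, because a digit may simply be a digit.
LEET_MAP = {
    "0": "o", "1": "il", "3": "e", "4": "ar", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l",
}

# Constructed sample; a real check loads a full dictionary file.
SAMPLE_WORDLIST = {"password", "letmein", "welcome", "dragon", "monkey", "summer"}

PADDING = "0123456789!@#$%^&*()_+-=[]{};:'\",.<>/?|\\"


def leet_candidates(password, max_expansions=512):
    """Return the set of plain-alphabet strings the password may have been
    built from by leet substitution. Falls back to a single best-guess
    expansion when the combinatorial blow-up exceeds max_expansions."""
    alts = [LEET_MAP.get(ch, "") + ch if ch in LEET_MAP else ch
            for ch in password.lower()]
    total = 1
    for a in alts:
        total *= len(a)
    if total > max_expansions:
        return {"".join(a[0] for a in alts)}
    return {"".join(combo) for combo in product(*alts)}


def is_dictionary_based(password, wordlist=SAMPLE_WORDLIST):
    """True if any de-leeted form of the password is a dictionary word,
    either after dropping all non-letters or after stripping digit/symbol
    padding from the ends."""
    for cand in leet_candidates(password):
        if re.sub(r"[^a-z]", "", cand) in wordlist:
            return True
        if cand.strip(PADDING) in wordlist:
            return True
    return False


class LockoutTracker:
    """Per-account failed-login counter with a time-based lockout window.
    The clock is injectable so the behaviour can be tested deterministically."""

    def __init__(self, max_failures=5, lockout_seconds=900, clock=time.time):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._failures = {}       # account -> consecutive failure count
        self._locked_until = {}   # account -> unix time when lock expires

    def is_locked(self, account):
        until = self._locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock expired: clear state so the next attempt starts fresh.
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account):
        """Record one failed attempt; returns True if the account is now locked."""
        if self.is_locked(account):
            return True
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = self.clock() + self.lockout_seconds
            return True
        return False

    def record_success(self, account):
        """A successful login resets the consecutive-failure counter."""
        self._failures.pop(account, None)


if __name__ == "__main__":
    for pw in ("P4ssw0rd!", "l3tm31n", "Dragon2014", "pazzwurd9!"):
        print(pw, "dictionary-based" if is_dictionary_based(pw) else "ok")
```

The deliberately misspelled word the post recommends ("pazzwurd9!" in the demo) passes the dictionary check because no substitution table maps it back to a real word, while "P4ssw0rd!" and "Dragon2014" are rejected. The lockout tracker counts consecutive failures per account rather than per source address, which is what slows an online guessing attempt against one user; pairing it with a short, expiring window keeps the lockout from becoming a trivial denial-of-service against that user.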
