[colug-432] password survey

Scott McCarty scott.mccarty at gmail.com
Sat May 24 14:51:10 EDT 2014


That's why I check all of the client certificates in a monthly checklist. Then I will know if another browser, or device has authenticated with a stolen yubikey. Also, I don't carry a yubikey with me AT ALL. I have them locked in a safe at home.


Sent from my Verizon Wireless 4G LTE smartphone

-------- Original message --------
From: Angelo McComis <angelo at mccomis.com>
Date: 05/24/2014 12:21 PM (GMT-05:00)
To: Central OH Linux User Group - 432xx <colug-432 at colug.net>
Cc: Central OH Linux User Group - 432xx <colug-432 at colug.net>
Subject: Re: [colug-432] password survey

> On May 24, 2014, at 11:46 AM, Rob Funk <rfunk at funknet.net> wrote:
> 
> The problem is that it doesn't solve the problem of existing protocols. SSH 
> is great, but that doesn't help with logging into Google or my bank or my 
> company's mail server, much less using my phone to do those things, nor 
> with getting random non-techies secure access to what they need.

Bingo. Unless said entity has their encrypted passwords ripped through some kind of internal-based exploit and those hashes can then be reverse engineered.  By internal, I am inferring an inside job or a bad guy that has worked his way into the inside. 

The best way on these is to change your password regularly and make them reasonably secure. For example, I use a combination of alpha numeric and symbols but originates from a purposely misspelled word. Thus that won't ever come up on a dictionary based 0/o, I/1, r/4, e/3 "leet substitution" combined attack. Also account lockout and other mitigating measures are smart to implement on the hosting side to slow down brute attempts.

Yubikey could be circumvented pretty easily. Borrow the device. Open vi, press the button. Watch it output the 44 chars, save that out or take a pic of it and now you have the secure string it uses. If it were to use a "very long" string, that might be say 4096 chars, it would still be possible to compromise in the same manner but a bit more difficult to manage carrying a string of that length around in a way you could easily input it to open your lastpass vault.

