techhub.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A hub primarily for passionate technologists, but everyone is welcome


#passphrases

Replied in thread

@gabe_sky
Great idea, thanks! Bookmarked.

As chance would have it, I also built another useful thing, way back in 2015:

batterystaple.pw/ - generates secure #Passphrases entirely in your browser

Like you, I built it because I was not happy with the existing alternatives. Since then, I have been using it quite regularly, but I have no idea if anybody else uses it (nor a way to find out).

In any case, I will gladly continue to pay for the domain name!

batterystaple.pw · battery staple
Continued thread

So what kind of policy framework do I have at my org? Goal is AAL2 per NIST 800-63B. Keep in mind, at least for the next decade or so still, passwords are not going anywhere - they are the last line of authentication while the world transitions to #passwordless

:finger_point: Encrypt everything, everywhere, all the time
:finger_point: VPN tunnels everywhere
:finger_point: PW policy that enforces a minimum of 13 complex characters for passwords (passphrases are evangelized heavily) + mandatory MFA via an Authenticator app + 365-day rotation policy (unless someone phishes their credential or it comes up on a #darkweb monitor) + 30-day token expiration - we do have filtering to prevent anyone reusing old passwords or common passwords (no, I don't pay for it, you can integrate with AD directly with some clever #powershell, #jfgi).
:finger_point: For our admin accounts, we require #passphrases of at least 4 words (7 are recommended), using the diceware method (physical, not a website). PW rotation occurs every 180 days. Tokens expire every 24 hours.
:finger_point: Service accounts (where we cannot use auto-cycling API tokens) require a minimum 24-character very complex password or 4-word passphrase, as MFA is required to be disabled. PW rotation occurs every 180 days.
:finger_point: Awareness trainings every quarter for high-risk/high-exposure employees, annually for the rest of the company. I update my presentation facts, data, and reported metrics frequently based on OSINT, SIGINT, HUMINT, research, and constant education.

"The challenge in storing encrypted backup data is that strong encryption requires strong (or “high entropy”) cryptographic keys and passwords. Since most of us are terrible at selecting, let alone remembering strong passwords, this poses a challenging problem."

#MatthewGreen, 2020

blog.cryptographyengineering.c

This isn't as hard as people seem to think;

xkcd.com/936/

What's missing is education, including replacing "password" with "passphrase".

A Few Thoughts on Cryptographic Engineering · Why is Signal asking users to set a PIN, or “A few thoughts on Secure Value Recovery”: Over the past several months, Signal has been rolling out a raft of new features to make its app more usable. One of those features has recently been raising a bit of controversy with users. This i…

No, NCSC¹, passphrases of only three (or even four) random words are not sufficient - unless the user knows that the password hashing method is a "slow" one (bad for the attacker). Which is rarely guaranteed.

10²⁵ combinations -- six words from a pool of 20K words, or five words from a pool of 100K words -- should be considered the minimum.

¹ncsc.gov.uk/collection/top-tip

#Passphrases
#PasswordCracking

Strong passphrases can be the only barrier between adversaries and your valuable information. As we have increased our reliance on passwords, adversaries have developed increasingly sophisticated ways to crack them.
Ensure your passphrases are long, unpredictable and unique. Follow as many of our principles as you can to create the most secure passphrase possible.

Read more about creating strong passphrases 👉cyber.gov.au/protect-yourself/

New webpassgen release 20231024.

Two new password generators:

- Obscure passphrases
- Pure random whitespace

Other features include:

- Colored mouse selection to match the requested security level.
- "Every Word List" size now surpasses 2^16 unique words.
- Noto Sans Mono replacing the system font for more consistency.
- Passwords are aligned vertically.
- Base4 now uses the digits 0-3 instead of DNA nucleic acid sequences.

#passwords #passphrases #opensource

github.com/atoponce/webpassgen

On LLM and passphrases ...

The thought has occurred that given that large language models are trained on texts, which one presumes includes not only Internet sources but scanned-in copies of published books and articles ...

... there's a strong probability that any given published word sequence appears within such a corpus ...

... and that given even a small sampling of a passphrase which is itself drawn from a similar corpus ... LLMs should be really good at guessing a given passphrase.

(How might it get a small sampling? Oh, say, shoulder-surfing, or acoustic signatures of typed characters, or leaks from inadvertently-entered phrases in the wrong dialogue, or other cues from context.)

Upshot: if you're relying on a single phrase from any published set of works ... as a long secret key ... you might want to reassess your threat model.

(I don't know that combining phrases from multiple sources might be an improvement ... though there are reasons to suspect that might also be at increased risk.)

(Oh, and by "you", I also mean "all the systems you're relying on, directly or indirectly". That would include, say, corporate, institutional, or governmental systems to which someone's previously relied on what they'd thought would be a long and hence difficult-to-crack phrase.)

(I also suspect that state-level actors will have first capabilities in this manner, but that that threshold will rapidly fall to far less-capable entities.)

(Many moons ago discussing security issues with a corporate user, I suggested that phrases from, oh, say, Alice in Wonderland would not be especially secure. Their passphrase was based on, of course, Jabberwocky.)

Edit: Markup.

#Passwords are a popular topic today - which is good! Far too many people make up easy/simple passwords, reuse them, and complain that it's too hard to figure out #strong passwords AND remember them. I get it! But just adding more symbols or numbers just makes it harder for you to remember, but not a machine to guess. Computers can quickly go through the iterations of 'i', '1', '!', '|' that you used to change up the letter 'i' you have in your password. So why not make it easier on yourself and harder for the machine? Great question! Use #diceware! I've been using it myself for decades now, and enforce its use for #Sysadmins at my company. Use it to create super secure, random #passphrases of 4-6 words that are easy for you, and extremely difficult for a machine. Aside from the manual way of doing it (like I do) a #netizen made a site where it does the dice rolling for you and spits out words from the list that is likely better than whatever you do lol. Give it a try, be #CyberSecure diceware.rempe.us/#eff

diceware.rempe.us · Diceware Secure Passphrase and Password Generator: An easy way to generate a Diceware passphrase or password.

Hello Fellow Mastolorians!

In the 1830s, Americans thought tomatoes were poisonous, and many people refused to have anything to do with them. But within the space of just 10 years — without TV, radio or the Internet — consumer perception and behavior completely changed. This bodes really well for infosec pros concerned about how to improve consumer security behaviors.

#ICYMI — I joined Carey Parker, host of the consumer security and privacy podcast Firewalls Don't Stop Dragons for a light-hearted discussion on a serious topic: password security. Listen in to find out what the history of tomatoes in the U.S. can teach infosec professionals about educating consumers on good password hygiene.

More than 9,700 people have read this blogpost so far!

Grab a few tomatoes 🍅🍅🍅​, have a listen (or read the transcript), and let me know what you think!

loistavainfosecurity.com/blog/

@FirewallDragons
#OneTimePads
#CaliforniaGoldRush
#Passwords
#Passphrases