GeekNights Monday - Passwords

Tonight on GeekNights, in light of updated NIST guidelines for password best practices, we talk about the current state of passwords in 2017. Sure, 2-factor is important and so forth, but what about the passwords themselves? Are you using passphrases instead?

In the news, big names are backing the royalty-free AV1 codec, Pokemon GO Fest was a technological disaster (just as much as it was an event planning disaster), MS Paint is dead, Snopes might be in trouble, but it's not clear what that trouble is, an evil VC-funded firm is undermining open source projects, and the next GeekNights Book Club book after Dune is The Fifth Season!

Scott's Youtube
Rym's Youtube

GeekNights on Patreon

Things of the Day

Episode Links

Microsoft already backtracked and un-killed Paint.

http://www.cnbc.com/2017/07/25/microsoft-paint-not-dead.html

They claim it was never going to go away in the first place: it was just moving to the Windows App Store as a free app.

Interlaced passphrase

CHOCOLATE THREE CRYSTAL

type first word, return to start, type second word skipping each character, repeat for third word

CTHHORCEOELATE

CTCHHRORYCESOETLAATEL

Sucks to do on a phone or tablet. Chocolate three crystal is already a pretty good password.

1 Like

http://www.classicshell.net/

You’re welcome.

https://pwsafe.org/

It’s not lastpass but it was originally written and designed by Bruce Schneier and maintained by someone he trusts (I know trust isn’t transitive but still) I use it because when I’m not just using SSO, I use like 18 digit completely random passwords that no person needs to remember and maintain the safe.

Is it a single point of failure? Yes. But, but unlike lastpass or keypass there’s no online component. It’s just an encrypted volume that I control. It’s what I use anyway.

A thing that comes up in my work pretty regularly is people dying with their passwords and it becoming a giant complicated mess to try to recover data. Sometimes this is for court, sometimes it’s just trying to give as much data as possible to the family.

As a result I do generally suggest people either don’t use full disk encryption or have one time passwords / password stores in a safe deposit box or something if they ever want their family to have access to anything. Things are starting to get better, but most tech is still designed with some expectation that the user will survive the life of the service / device.

It’s really frustrating when we can’t get into an encrypted device, particularly in these kind of cases. On a slightly related note, when you’re dead, you don’t have any expectation of privacy. So if you die in an accident or at a crime scene going through your phone is not unlike performing an autopsy.

On the other hand, default heavy encryption protects your privacy forever, and nuts to anyone who’s still alive. :wink:

3 Likes

RE: passwords turn to stars. Yeah you can get a surprising amount of suckers doing that. Not that I would ever have done such a thing.

When people walk away from their workstations without locking them, and you can’t goatse them for harassment reasons, there is another solution.

GIS a picture of the most disgusting poop-filled overflowing nasty toilet bowl you can find, and set THAT as their desktop image. Juvenile, yes, but it gets the point across while being reasonably HR-friendly.

My work place still has that stupid periodic password change policy.

Tried to convince them using the NIST guidelines, head of IT got super pissed and reported me to the CTO and manager. I was apparently correct but they’re not changing because of reasons not provided.

Lastpass might be having financial trouble.

Even if their tech is legit, you can’t necessarily trust a company to exist forever.

Oh damn, they doubled the price? My subscription’s about to expire.

Yeah… Use two factor, and don’t use bad passwords.

Sites like this have been around forever, and that’s awesome but this one is different in a way I’ve not seen before. It’ll happily let you download some millions of real compromised password hashes. Hashes out of respect for people still using those passwords. Still profoundly useful for personal opsec.

What is the current recommendation of password manager across multiple devices (desktop & mobile)?

I have been using 1Password for years and it has worked quite well but largely because I have refused to go in with their ongoing subscription service and thus have run an increasingly outdated version of their app which allows me to store my password vault in Dropbox which I backup to my home NAS regularly. It looks like LastPass also wants to charge an ongoing fee to store your vault for you so switching there doesn’t seem to change much.

I’d rather not rely on my password manager for my vault storage but I also want integration with browsers and desktop & mobile OS’s.