[arch-general] How long do you make the passphrase for the private key?
Hello,

I want to publish a package repository with some packages that I need and only want to build once for all my systems.

I want to make the packages available for general use. I have server space for that so I only have to rsync my final repo to my server after compiling my packages.

I have my autobuild set up and signing seems to work, too.

For convenience, I decided to make the passphrase not too long.

I have 10 characters with both alphanumeric and "special characters".

I think if the passphrase is meant to be uncrackable alone, then we wouldn't need the big private key file, right?

Is my passphrase long enough? What do the trusted users think about this topic?

Thanks in advance

Manuel
The last standard the United States Navy used before it migrated to smartcards was 16 characters with at least two digits, at least two upper-case, at least two lower-case, and at least two special characters. A slight improvement on that would have been to ensure the pass phrase started and ended with a letter.

On Mon, 24 Jun 2019, Manuel Reimer wrote:

> Date: Mon, 24 Jun 2019 11:02:57
> From: Manuel Reimer <mail+archgeneral@m-reimer.de>
> Reply-To: General Discussion about Arch Linux <arch-general@archlinux.org>
> To: arch-general@archlinux.org
> Subject: [arch-general] How long do you make the passphrase for the private key?
>
> Hello,
>
> I want to publish a package repository with some packages that I need and only want to build once for all my systems.
>
> I want to make the packages available for general use. I have server space for that so I only have to rsync my final repo to my server after compiling my packages.
>
> I have my autobuild set up and signing seems to work, too.
>
> For convenience, I decided to make the passphrase not too long.
>
> I have 10 characters with both alphanumeric and "special characters".
>
> I think if the passphrase is meant to be uncrackable alone, then we wouldn't need the big private key file, right?
>
> Is my passphrase long enough? What do the trusted users think about this topic?
>
> Thanks in advance
>
> Manuel
--
On 6/24/19 5:45 PM, Jude DaShiell wrote:
> The last standard the United States Navy used before it migrated to smartcards was 16 characters with at least two digits, at least two upper-case, at least two lower-case, and at least two special characters. A slight improvement on that would have been to ensure the pass phrase started and ended with a letter.

Unrelated to the topic at hand, these password recommendations have been outdated for about a decade. Additionally, that 'slight improvement' you're mentioning actually *decreases* the search-space required for bruteforcing...

--
Rob (coderobe)
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
tl;dr: follow standard practices — there is nothing special about passwords for private keys.
> I want to publish a package repository with some packages that I need and only want to build once for all my systems.
> I want to make the packages available for general use. I have server space for that so I only have to rsync my final repo to my server after compiling my packages.
> I have my autobuild set up and signing seems to work, too.
> For convenience, I decided to make the passphrase not too long.

This alone makes me raise an eyebrow and wonder if the security is already compromised.

> I have 10 characters with both alphanumeric and "special characters".

Is it coming from a proper CSPRNG or an unbiased random source? If not — in particular if it was your brain that generated it, you have applied any changes to “make it easier to remember” or chosen one from a set of random passwords — you are close to having no password at all. But if it is properly generated, it is meeting the often repeated password criteria: 8 characters in the past, becoming 10 nowadays.

But that doesn’t mean it is fine. Random, compact passwords are hard to remember. Unless you’re using a password manager, you’re going to either make mistakes (like writing down the password) or you’ll undertake an unnecessary effort for little gain (remembering it). There are better ways. See diceware and friends: it lets you generate a password with very good entropy, but being easy to remember.

If you’re using a password manager, you should not care about the password being “too long”. After all it’s not you who type it. Go for 16 or 20 random chars.

> I think if the passphrase is meant to be uncrackable alone, then we wouldn't need the big private key file, right?

Those topics are unrelated. The password is only used to protect the key in case of a leak and plays no role in security based on that key. If the key is breakable, whether it is protected by a strong or weak password, or not protected at all, is insignificant. The attack will not even consider the password.
On 24.06.19 18:00, mpan wrote:
> If you’re using a password manager, you should not care about the password being “too long”. After all it’s not you who type it. Go for 16 or 20 random chars.

If the key is too complicated to remember or to type in manually, then I have to use a password manager which now saves my password to local disk again. Maybe encrypted with a master password.

Then we are back at the starting problem.

If someone can take my private key file, then he can also take my password manager database.

How strong would you make this master password and where to save this one? A second password manager?

I think if really someone takes over control over my PC, then I have to expect the password to be gone, too. If someone is really able to take my private key file, then I think he should also be able to install some kind of key logger.

And I really think that finally someone *has* to come up with some replacement for this password nightmare. Some kind of hardware key maybe.

I could protect the private signing key with a UUID (just call uuidgen on console). This should be pretty hard to crack but is impossible to remember so I would have to keep this written down somewhere and need this piece of paper every time I unlock the key for signing.

Manuel
On 6/24/19 4:31 PM, Manuel Reimer wrote:
> On 24.06.19 18:00, mpan wrote:
> > If you’re using a password manager, you should not care about the password being “too long”. After all it’s not you who type it. Go for 16 or 20 random chars.
>
> If the key is too complicated to remember or to type in manually, then I have to use a password manager which now saves my password to local disk again. Maybe encrypted with a master password.
>
> Then we are back at the starting problem.
>
> If someone can take my private key file, then he can also take my password manager database.
>
> How strong would you make this master password and where to save this one? A second password manager?
>
> I think if really someone takes over control over my PC, then I have to expect the password to be gone, too. If someone is really able to take my private key file, then I think he should also be able to install some kind of key logger.
>
> And I really think that finally someone *has* to come up with some replacement for this password nightmare. Some kind of hardware key maybe.
>
> I could protect the private signing key with a UUID (just call uuidgen on console). This should be pretty hard to crack but is impossible to remember so I would have to keep this written down somewhere and need this piece of paper every time I unlock the key for signing.

I'm not sure where you're going with any of this.

The purpose of a PGP signing key is that it does interesting crypto things that prove your identity in a way that passwords don't (passwords can be guessed).

The purpose of password-protecting your PGP private key is to prevent someone who gains access to the filesystem from gaining access to the key.

Password managers, like PGP keys, are things that "should be encrypted with a password to prevent an attacker with disk access from gaining your secret material".

How you protect the master password for a password manager has nothing to do with whether it's intelligent to use a password in the first place. Personally, I find it very easy to remember *one* master password (or even, to be honest, two or three), which exists only in my own head and unlocks the secrets that are stored on disk -- like PGP keys and password databases.

...

As for hardware keys, there is no need to come up with a replacement for the password nightmare. Hardware keys have existed for some time now, and they were already intended as a replacement for the password "nightmare", something they do an excellent job at. Did you try getting one?

--
Eli Schwartz
Bug Wrangler and Trusted User
Some ballpark numbers, rounded to one significant figure:

10 characters chosen truly randomly from an alphabet of 70 characters (e.g., [a-zA-Z0-9#$&_() =+/%]) is ~61 bits of entropy and will take just about 90 years to brute-force at 1e9 guesses per second, or 30 days at 1e12/s. The Bitcoin swarm is currently estimated to perform 60e18 hash guesses per second [1], so the 10-character password would be safe from the swarm for about 50 milliseconds, give or take a few orders of magnitude (depending on algorithm differences; mostly irrelevant for this discussion). 14 characters (85 bits) would be safe from the (current) swarm for about 10 days, 16 characters (98 bits) for about 200 years.

6 words chosen randomly (not a grammatically valid sentence!) from a list of 1000 words (59 bits) would take about 30 years to break at 1e9/s, and 10 days at 1e12/s. 9 words (89 bits) gives you half a year against the swarm, and 10 words (99 bits) gives you 500 years.

So, somewhere between 10 and 16 random characters should probably be good enough, depending on how defensive you want to be.

[1]: https://digiconomist.net/bitcoin-energy-consumption

I personally use `pass` for password management and keep my PGP key on a YubiKey (full disclosure: I work for Yubico) with a 6-digit PIN, so my private key is not stored on disk and is protected against brute force attacks by blocking the key (effectively destroying the key) after too many incorrect PIN attempts (I also have an airgapped backup of the key, of course).

/Emil

On Mon, 24 Jun 2019, 22:37 Eli Schwartz via arch-general, <arch-general@archlinux.org> wrote:

> On 6/24/19 4:31 PM, Manuel Reimer wrote:
> > On 24.06.19 18:00, mpan wrote:
> > > If you’re using a password manager, you should not care about the password being “too long”. After all it’s not you who type it. Go for 16 or 20 random chars.
> >
> > If the key is too complicated to remember or to type in manually, then I have to use a password manager which now saves my password to local disk again. Maybe encrypted with a master password.
> >
> > Then we are back at the starting problem.
> >
> > If someone can take my private key file, then he can also take my password manager database.
> >
> > How strong would you make this master password and where to save this one? A second password manager?
> >
> > I think if really someone takes over control over my PC, then I have to expect the password to be gone, too. If someone is really able to take my private key file, then I think he should also be able to install some kind of key logger.
> >
> > And I really think that finally someone *has* to come up with some replacement for this password nightmare. Some kind of hardware key maybe.
> >
> > I could protect the private signing key with a UUID (just call uuidgen on console). This should be pretty hard to crack but is impossible to remember so I would have to keep this written down somewhere and need this piece of paper every time I unlock the key for signing.
>
> I'm not sure where you're going with any of this.
>
> The purpose of a PGP signing key is that it does interesting crypto things that prove your identity in a way that passwords don't (passwords can be guessed).
>
> The purpose of password-protecting your PGP private key is to prevent someone who gains access to the filesystem from gaining access to the key.
>
> Password managers, like PGP keys, are things that "should be encrypted with a password to prevent an attacker with disk access from gaining your secret material".
>
> How you protect the master password for a password manager has nothing to do with whether it's intelligent to use a password in the first place. Personally, I find it very easy to remember *one* master password (or even, to be honest, two or three), which exists only in my own head and unlocks the secrets that are stored on disk -- like PGP keys and password databases.
>
> ...
>
> As for hardware keys, there is no need to come up with a replacement for the password nightmare. Hardware keys have existed for some time now, and they were already intended as a replacement for the password "nightmare", something they do an excellent job at. Did you try getting one?
>
> --
> Eli Schwartz
> Bug Wrangler and Trusted User
You want to make the packages available for general use. Does general use require behavioral biometric verification and spring guns?

Black hats are able to hack Google and Facebook; whatever you will do, you never ever will be able to reach the level of security those and the other most successful computer related companies are able to accomplish.

IMO an average "strong" but still memorizable passphrase, even when following obsolete rules, is ok.
I think the fact that it's not possible to be perfectly safe is not a good reason to not earnestly consider what you _can_ do to try to protect yourself. Of course you won't stand a chance if a nation-state is determined to get you, but that doesn't mean you should just give up and wing it, because the most relevant threats are probably much less capable in most cases. It's still a good idea to try to quantify one's threat model and what it would take to protect yourself, and then make a (somewhat) educated decision on how much effort one is willing to spend on it.

/Emil

On Tue, 25 Jun 2019, 01:14 Ralf Mardorf via arch-general, <arch-general@archlinux.org> wrote:

> You want to make the packages available for general use. Does general use require behavioral biometric verification and spring guns?
>
> Black hats are able to hack Google and Facebook; whatever you will do, you never ever will be able to reach the level of security those and the other most successful computer related companies are able to accomplish.
>
> IMO an average "strong" but still memorizable passphrase, even when following obsolete rules, is ok.
On Tue, 2019-06-25 at 03:00 +0200, Emil Lundberg wrote:
> On Tue, 25 Jun 2019, 01:14 Ralf Mardorf via arch-general, <arch-general@archlinux.org> wrote:
> > You want to make the packages available for general use. Does general use require behavioral biometric verification and spring guns?
> >
> > Black hats are able to hack Google and Facebook; whatever you will do, you never ever will be able to reach the level of security those and the other most successful computer related companies are able to accomplish.
> >
> > IMO an average "strong" but still memorizable passphrase, even when following obsolete rules, is ok.
>
> I think the fact that it's not possible to be perfectly safe is not a good reason to not earnestly consider what you _can_ do to try to protect yourself. Of course you won't stand a chance if a nation-state is determined to get you, but that doesn't mean you should just give up and wing it, because the most relevant threats are probably much less capable in most cases. It's still a good idea to try to quantify one's threat model and what it would take to protect yourself, and then make a (somewhat) educated decision on how much effort one is willing to spend on it.

If I leave my home, I don't leave the apartment door wide open. I lock up the door. The door is locked by a pin tumbler. Everybody knows that professional thieves are able to open the door without any great effort, while average people need a lockout service to open the door if they have lost the key. There could be reasons to lock the door in a more secure way, but a pin tumbler, for good reasons, is still the most used way to lock apartment doors.

Just my experiences: I remember 2 passphrases of around 10 random chars. However, I had written down the passphrases and kept the paper for a long time and now I'm using those passphrases on a regular basis. I do not rotate those passphrases. For things that are unimportant to me, I'm using very weak passphrases and if I don't use them often enough, I even forget some of the weak passphrases. A word and 4 random chars already could be too hard to remember, when seldom used. Passphrase rotation for a single passphrase containing 16 to 20 random chars would be too much effort for me. That's just me. Or isn't it just me?

Actually biometric verification is much used nowadays, but there are different levels of biometric verification; some biometric verification methods are not as safe as people guess.

Actually my bank offers me to choose a 4-number PIN, because average people often forget even 4 random numbers. I'm from the analog landline generation; we were able to remember several 6-number-long telephone numbers of our friends, because we were used to doing it. For people who aren't used to doing it, because it's not needed anymore to remember even a single telephone number, it's getting harder to remember contextless random chars. They do not develop this skill, but they develop other skills instead.

In a nutshell: I guess for most people it's possible to remember one 16 to 20 chars random passphrase, if it is often used. I doubt that a lot of people remember 16 to 20 chars, if they rotate the passphrase as often as recommended.

Humans get older, humans get a cold etc. pp., they need to remember that passphrase even if they should be temporarily in a bad state. Some computer freaks are out of touch with reality. Even if we learn passphrases that fulfil today's security recommendations: in how many years do we need to learn passphrases that are 2 times, 3 times or 4 times that long? In 5 years? It's not realistic to assume that the majority of people are able to follow. All of us have got a limit to remember a lot of context-free random chars. There is an easy to learn mnemonic to remember random words of objects. By painting a picture in one's mind's eye containing all the objects, almost all people will remember those words. However, "painting" such a picture is time consuming and not as easy as it sounds. There is already a learning-curve to learn how to use this mnemonic.
> Black hats are able to hack Google and Facebook; whatever you will do, you never ever will be able to reach the level of security those and the other most successful computer related companies are able to accomplish.

In 2015 four men have stolen the equivalent of 200M GBP from Hatton Garden Safe Deposit. Does that mean you are not locking your door, because “thieves can get in anyway”?

The argument would make sense, if the better solution would be considerably more expensive. But in the 21st century it is not. Everyone can get good security without effort. There is no need to artificially decrease it. The topic is also about signing packages, that will be available to others. There is much more at stake here than just Manuel Reimer’s security and aiming for the best should be encouraged. Happily for us, nowadays he can achieve that easily.
On Tue, 25 Jun 2019 10:57:55 +0200, mpan wrote:
> In 2015 four men have stolen the equivalent of 200M GBP from Hatton Garden Safe Deposit. Does that mean you are not locking your door, because “thieves can get in anyway”?

You ignore the context of my email. I've also written: "IMO an average "strong" but still memorizable passphrase, even when following obsolete rules, is ok." In a follow-up email unfortunately sent after your reply, I exactly describe the apartment door scenario.

> "IMO an average "strong" but still memorizable passphrase, even when following obsolete rules, is ok."

But we do not need to follow any obsolete rules anymore.

> In a follow-up email unfortunately sent after your reply, I exactly describe the apartment door scenario.

Which I have indirectly answered before you have sent it, with the second paragraph of my message. The comparison to the apartment door can’t be extended further, because an important difference appears. Better physical security costs a lot more and even now we’re sitting at the edge of the diminishing returns abyss. That’s exactly the reason why Yale decided to stop the lock wars in the 19th century and promoted pin tumbler locks as good enough. But the analogy to the lock doesn’t extend well, when it comes to information security. The costs have a different nature and, as it happens, right now everyone can employ good security at approximately the same cost as the “not too horrible” solutions.

You are trying to argue that it is OK to use pin tumbler locks in wooden doors, while everyone can — at nearly the same price — acquire 10-inch steel gates with scifi eye scanners and a private army to defend the gate.⁽ᵗⁱⁿʸ ᵉˣᵃᵍᵍᵉʳᵃᵗⁱᵒⁿ⁾ ;)

With Diceware, as an example, you randomly choose 5 words and have a 60-bit password. Why even bother with obsolete rules?
On Tue, 25 Jun 2019 11:53:11 +0200, mpan wrote:
> You are trying to argue that it is OK to use pin tumbler locks in wooden doors, while everyone can — at nearly the same price — acquire 10-inch steel gates with scifi eye scanners and a private army to defend the gate.⁽ᵗⁱⁿʸ ᵉˣᵃᵍᵍᵉʳᵃᵗⁱᵒⁿ⁾ ;)

:D

> With Diceware, as an example, you randomly choose 5 words and have a 60-bit password. Why even bother with obsolete rules?

I agree that Diceware seems to be the best way to go. OTOH if I should talk in my sleep, it would be easier for my fraudulent girlfriend Mata Hari to catch words, than the (not enough, to modern security standards) random chars I'm using at the moment.
Hi Manuel,
> How strong would you make this master password and where to save this one?

Are you familiar with https://xkcd.com/936/ ?

> And I really think that finally someone *has* to come up with some replacement for this password nightmare. Some kind of hardware key maybe.

Yes, they exist. https://www.imperialviolet.org/2018/03/27/webauthn.html is a comprehensive introduction that will give you terms to feed Google, and his https://www.imperialviolet.org/2017/08/13/securitykeys.html compares some of the keys then on the market. Yubico do well, IIRC.

--
Cheers, Ralph.
On 2019-06-25 09:35:53, Ralph Corderoy wrote:
> Yes, they exist. https://www.imperialviolet.org/2018/03/27/webauthn.html is a comprehensive introduction that will give you terms to feed Google, and his https://www.imperialviolet.org/2017/08/13/securitykeys.html compares some of the keys then on the market. Yubico do well, IIRC.
FWIW I can also vouch for the NitroKey Pro. It's not U2F, but then barely anything I use supports U2F. You can store TOTPs on it for 2 Factor (but it's limited to 15, which is not enough for me, so I'm still using andOTP on my phone...). The main use I have for it is as a GPG smartcard. It lets you carry your GPG key around with you everywhere, or a subkey if you wish. This unlocks loads of possibilities, like being able to decrypt my password store, signing and encrypting emails, files etc etc. I also use it for SSH authentication. It's allowed me to use GPG a lot more than I otherwise would have.
On Tue, 25 Jun 2019 09:35:53 +0100, Ralph Corderoy wrote:
> Are you familiar with https://xkcd.com/936/ ?
Too funny, that is the method I described and while I was writing my email, you posted that cartoon. However, even this suffers from the pitfall, that it is not that easy to use this mnemonic as described by the cartoon.
On 2019-06-25 11:09, Ralf Mardorf via arch-general wrote:
> On Tue, 25 Jun 2019 09:35:53 +0100, Ralph Corderoy wrote:
> > Are you familiar with https://xkcd.com/936/ ?
>
> Too funny, that is the method I described and while I was writing my email, you posted that cartoon. However, even this suffers from the pitfall, that it is not that easy to use this mnemonic as described by the cartoon.
I use diceware passphrases for my master passwords (login, hardware encryption, GPG, password manager) and they are much easier to remember than normal (safe) passwords.
On Tue, 2019-06-25 at 11:29 +0200, Bennett Piater wrote:
> On 2019-06-25 11:09, Ralf Mardorf via arch-general wrote:
> > On Tue, 25 Jun 2019 09:35:53 +0100, Ralph Corderoy wrote:
> > > Are you familiar with https://xkcd.com/936/ ?
> >
> > Too funny, that is the method I described and while I was writing my email, you posted that cartoon. However, even this suffers from the pitfall, that it is not that easy to use this mnemonic as described by the cartoon.
>
> I use diceware passphrases for my master passwords (login, hardware encryption, GPG, password manager) and they are much easier to remember than normal (safe) passwords.

Randomly opening a dictionary and then randomly pointing at a word, repeating this a few times, is one way for an artist to get inspiration. I wonder how safe it is to use such a method to generate a passphrase.

To remember words, they must be from the languages the user is able to understand and to write, and the amount of the vocabulary must be within the range of the educational background. Six words are just six words out of an assessable vocabulary.

"This level of unpredictability assumes that a potential attacker knows that Diceware has been used to generate the passphrase, knows the particular word list used, and knows exactly how many words make up the passphrase." - https://en.wikipedia.org/wiki/Diceware

Google already "guesses" that women are pregnant, before the women have got the slightest idea that they are pregnant. To guess that somebody does use Diceware or something similar is not hard to do. You already mentioned this on this mailing list. Probably you are not doing it by exactly the method mentioned by the Wiki, but likely by a similar method. Humans tend to follow patterns, a savant syndrome computer expert probably more than an average user ;).

13 rAnd0.m_C?arS are probably less secure than 13 random words, because even an illiterate human knows more words than we have got keys on a keyboard. This is indeed speaking pro Diceware :).
On 2019-06-25 12:11, Ralf Mardorf via arch-general wrote:
> Six words are just six words out of an assessable vocabulary.
>
> "This level of unpredictability assumes that a potential attacker knows that Diceware has been used to generate the passphrase, knows the particular word list used, and knows exactly how many words make up the passphrase." - https://en.wikipedia.org/wiki/Diceware
You seem to be misunderstanding that statement. The minimum entropy is calculated _assuming_ that the attacker knows that you are using diceware *and* which word list you used. That is part of the threat model. Think of it this way: In a normal password, you have an alphabet of ~80 chars and use 10-15 of them. In diceware, you have an alphabet of >= 8K words and use at least 6 of them. So a diceware passphrase of appropriate (word) length has the same entropy as a password with equivalent (char) length, but the diceware passphrase is much easier to remember.
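Emil's ballpark figures earlier in the thread and Bennett's character-versus-word comparison above both come from the same arithmetic: entropy is the symbol count times log2 of the alphabet size, whether a symbol is one character or one word. The following Python is an added worked example, not code from the thread or from any project mentioned in it; the guess rates (1e9/s, 1e12/s, 60e18/s) are the thread's own constructed ballpark assumptions, and the function names are mine.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Guess rates used in the thread. Constructed ballpark figures, not
# measurements: a single fast box, a large GPU farm, and the Bitcoin
# network hash rate Emil quoted for 2019.
GUESS_RATES = {
    "1e9/s": 1e9,
    "1e12/s": 1e12,
    "bitcoin swarm": 60e18,
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret built from `length` symbols, each drawn uniformly
    and independently from `alphabet_size` possibilities.

    The formula is the same whether a symbol is a character (70-symbol
    alphabet, 10 characters) or a Diceware word (7776-word list, 6 words);
    only the uniform, independent choice matters, not how long a word is.
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of >= 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at the given rate. The expected time to
    hit the right one is half of this; the factor is noise next to 2**bits,
    which is why one significant figure is all these numbers deserve."""
    return 2.0 ** bits / guesses_per_second


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    return seconds_to_exhaust(bits, guesses_per_second) / SECONDS_PER_YEAR


def words_for_bits(list_size: int, target_bits: float) -> int:
    """Smallest number of words from a list of `list_size` entries that
    reaches `target_bits`, e.g. how many Diceware words match 16 chars."""
    return math.ceil(target_bits / math.log2(list_size))


def compare(candidates: dict, rates: dict = GUESS_RATES) -> dict:
    """Tabulate entropy and exhaustive-search years for each candidate.
    `candidates` maps a label to (alphabet_size, length)."""
    table = {}
    for label, (alphabet, length) in candidates.items():
        bits = entropy_bits(alphabet, length)
        table[label] = {
            "bits": round(bits, 1),
            **{name: years_to_exhaust(bits, rate) for name, rate in rates.items()},
        }
    return table


if __name__ == "__main__":
    # Emil's character passwords and word passphrases, plus Bennett's
    # comparison of an ~80-char alphabet against an 8192-word list.
    rows = compare({
        "10 chars / 70 symbols": (70, 10),
        "16 chars / 70 symbols": (70, 16),
        "6 words / 1000-word list": (1000, 6),
        "10 words / 1000-word list": (1000, 10),
        "12 chars / 80 symbols": (80, 12),
        "6 words / 8192-word list": (8192, 6),
    })
    for label, row in rows.items():
        years = ", ".join(f"{k}: {v:.3g} y" for k, v in row.items() if k != "bits")
        print(f"{label:28s} {row['bits']:5.1f} bits  {years}")
    print("Diceware words (7776-word list) needed to match 16 random chars:",
          words_for_bits(7776, entropy_bits(70, 16)))
```

The table reproduces Emil's rounded figures (about 90 years for 10 characters at 1e9/s, about 50 ms against the swarm) and shows that 8 words from a 7776-word list is the word-count equivalent of 16 random characters from a 70-symbol alphabet.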
On Tue, 2019-06-25 at 12:41 +0200, Bennett Piater wrote:
> On 2019-06-25 12:11, Ralf Mardorf via arch-general wrote:
> > Six words are just six words out of an assessable vocabulary.
> >
> > "This level of unpredictability assumes that a potential attacker knows that Diceware has been used to generate the passphrase, knows the particular word list used, and knows exactly how many words make up the passphrase." - https://en.wikipedia.org/wiki/Diceware
>
> You seem to be misunderstanding that statement.

I'm not; from the same email you are quoting incompletely: "13 rAnd0.m_C?arS are probably less secure than 13 random words, because even an illiterate human knows more words than we have got keys on a keyboard. This is indeed speaking pro Diceware :)." So I agree that Diceware seems to be the best method without using special hardware. The comment of my follow-up email is just a joke: "OTOH if I should talk in my sleep, it would be easier for my fraudulent girlfriend Mata Hari to catch words, than the (not enough, to modern security standards) random chars I'm using at the moment."
> Randomly opening a dictionary and then randomly pointing at a word, repeating this a few times, is one way for an artist to get inspiration.
> I wonder how safe it is to use such a method to generate a passphrase.

An old Chinese proverb says: do not invent your own crypto.

Diceware is much better crafted than you may imagine. It’s not just some random idea someone had while contemplating life in a loo. It solves some real problems and avoids pitfalls.

What are the problems with the proposed method? First of all: what is your RNG or CSPRNG? Is it your brain? Your hand? Then you have already lost. If you’re just grabbing a book and opening it at a “random page”, your generator is already biased. You have much greater chances of picking a page closer to the middle than on the ends of the book. It may be even worse when it comes to the selection of the word on a page. Are you, instead, using an actual RNG or CSPRNG? Is it not biased? How are you dealing with that issue? Are the values from it mutually independent?

Even if you have a good [pseudo]randomness source, how do you map its output to the page number and word number? It isn’t a trivial task and if you do it wrong, you skew your distribution.

A dictionary may contain long words. While you may imagine that is good, because “longer is better”, it is giving you only a tiny advantage, because the space a word takes is not really used. In English it’s less than 3 bits per letter and it tends to be worse for longer words. Still, no loss, yes? Wrong. Unfortunately many services limit the length of the password you may use. It is also harder to get muscle memory for typing long words.

I believe a cryptographer could point out a few other mistakes as well. The reason I explained this is not to inspire anyone to “fix” the proposed algorithm. My goal is the opposite: to discourage people from undertaking such tasks. There are many gotchas, it is easy to introduce a vulnerability and you don’t even get any testing/review for your method. Better trust people who spent half of their lives studying cryptography.

How does Diceware deal with the above problems? It eliminates the human factor. It uses a randomness source that for all practical purposes is an actual RNG. An RNG that is even better than what is typically used for private key generation! The tiny bias it has is acceptable, considering the great advantage of using dice. The set of possible values is chosen in a way which ensures no bias being introduced while mapping from the output of the RNG to those values (yes, it avoids the issue altogether). It is clear, transparent and obvious at each stage — nothing up my sleeve. It can be used by anyone. Finally, words are short, so the output is compact. After some time entering such a passphrase is just a series of 4–5 taps on the keyboard. APPRECIATE WHAT ARNOLD REINHOLD DID, because he did a truly good job. :)
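mpan's two points, that the random source must be unbiased and that the mapping from its output onto the word list must not skew the distribution, can be made concrete in code. The Python below is an added example, not part of mpan's message or of the Diceware project; the 36-word list is a constructed placeholder standing in for the real 7776-word list (6**5 entries keyed by five dice), and `roll_die`, `dice_index` and the other names are my own. It shows the skew a naive `byte % 6` introduces, the rejection-sampling fix, and the base-6 index mapping that lets a list sized as an exact power of 6 be addressed without bias.

```python
import math
import os

FACES = 6

# Constructed placeholder list of 6**2 = 36 words, indexed by two dice.
# A real Diceware list has 6**5 = 7776 words indexed by five dice; the
# functions below only require that the list size is an exact power of 6.
WORDS = [
    "apple", "bread", "candle", "dog", "east", "flute",
    "grape", "hill", "iron", "jam", "kite", "lamp",
    "moon", "nest", "oak", "pear", "quilt", "rain",
    "salt", "tree", "urn", "vine", "wolf", "yarn",
    "zinc", "ant", "bell", "cloud", "dune", "echo",
    "fern", "gate", "hook", "ink", "jet", "key",
]


def modulo_bias(source_values: int = 256, faces: int = FACES) -> list:
    """Probability of each face when a uniform value in [0, source_values)
    is reduced with `% faces`. 256 is not a multiple of 6, so a naive
    `byte % 6` lands on faces 0..3 with 43/256 and on 4..5 with 42/256:
    the kind of skew that careless mapping of a random source onto page
    and word numbers introduces."""
    counts = [0] * faces
    for value in range(source_values):
        counts[value % faces] += 1
    return [c / source_values for c in counts]


def roll_die(faces: int = FACES) -> int:
    """Unbiased roll in 1..faces from the OS CSPRNG via rejection sampling:
    a byte is accepted only if it is below the largest multiple of `faces`
    that fits in 256, so every face owns the same number of accepted
    values. (secrets.randbelow does the same job; the step is spelled out
    here because the mapping is the point of the discussion.)"""
    limit = 256 - (256 % faces)   # 252 for six faces
    while True:
        b = os.urandom(1)[0]
        if b < limit:
            return b % faces + 1


def dice_index(rolls) -> int:
    """Map dice rolls (each 1..6) to a 0-based list index in base 6,
    exactly as a Diceware list keyed '11111'..'66666' is laid out."""
    index = 0
    for r in rolls:
        if not 1 <= r <= FACES:
            raise ValueError(f"bad die value {r}")
        index = index * FACES + (r - 1)
    return index


def dice_per_word(words) -> int:
    """Dice needed per word. The list must hold exactly 6**n words, or
    some indices would be unreachable or over-represented."""
    n = 0
    while FACES ** n < len(words):
        n += 1
    if FACES ** n != len(words):
        raise ValueError(f"list size {len(words)} is not a power of {FACES}")
    return n


def passphrase(words, n_words: int, roll=roll_die) -> list:
    """Pick n_words words by rolling dice; `roll` is injectable so the
    procedure can be exercised with scripted rolls."""
    n_dice = dice_per_word(words)
    return [words[dice_index([roll() for _ in range(n_dice)])]
            for _ in range(n_words)]


def passphrase_bits(list_size: int, n_words: int) -> float:
    """Entropy assuming the attacker knows the list and the word count,
    which is exactly the assumption the Wikipedia sentence describes."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print("naive byte % 6 probabilities:", modulo_bias())
    print(" ".join(passphrase(WORDS, 5)),
          f"({passphrase_bits(len(WORDS), 5):.1f} bits with this toy list;"
          f" {passphrase_bits(7776, 5):.1f} bits with a real 7776-word list)")
```

With the toy list five words give only about 26 bits, which is why the real list is 7776 entries long: the same five words then give mpan's roughly 60 bits (64.6 to be exact), and the attacker knowing the list and the word count is already priced into that figure.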
Doesn't the actual key get derived using pbkdf2 with many iterations making brute force of even fairly weak passphrases time consuming? I am not sure it is as critical as one would think. There are more secure options too such as smart cards / hsm or ssh-ca. Maybe look into those options as well? And maybe look for some guidance in securing your ssh agent as well On Tue, Jun 25, 2019, 2:16 PM mpan <archml-y1vf3axu@mpan.pl> wrote:
Randomly open a dictionary and then randomly pointing on a word, repeating this a few times, is one way for an artist to get an inspiration.
I wonder how safe it is to use such a method to generate a passphrase. An old Chinese proverb says: do not invent your own crypto.
Diceware is much better crafted than you may imagine. It’s not just some random idea someone had while contemplating life in a loo. It solves some real problems and avoids pitfalls.
What are the problems with the proposed method? First of all: what is your RNG or CSPRNG? Is it your brain? Your hand? Then you have already lost. If you’re just grabbing a book and opening it at a “random page”, your generator is already biased. You have much greater chances of picking a page closer to the middle than on the ends of the book. It may be even worse when it comes to the selection of the word on a page. Are you, instead, using an actual RNG or CSPRNG? Is it not biased? How are you dealing with that issue? Are the values from it mutually independent?
Even if you have a good [pseudo]randomness source, how do you map its output to the page number and word number? It isn’t a trivial task and if you do it wrong, you skew your distribution.
A dictionary may contain long words. While you may imagine that is good, because “longer is better”, it is giving you only a tiny advantage, because the space a word takes is not really used. In English it’s less than 3 bits per letter and it tends to be worse for longer words. Still, no loss, yes? Wrong. Unfortunately many services limit the length of the password you may use. It is also harder to get muscle memory for typing long words.
I believe a cryptographer could point out a few other mistakes as well. The reason I explained this is not to inspire anyone to “fix” the proposed algorithm. My goal is the opposite: to discourage people from undertaking such tasks. There are many gotchas, it is easy to introduce a vulnerability and you don’t even get any testing/review for your method. Better trust people who spent half of their lives studying cryptography.
How does Diceware deal with the above problems? It eliminates the human factor. It uses a randomness source that for all practical purposes is an actual RNG. A RNG that is even better than what is typically used for private key generation! The tiny bias it has is acceptable, considering the great advantage of using dice. The set of possible values is chosen in a way which ensures no bias is introduced while mapping from the output of the RNG to those values (yes, it avoids the issue altogether). It is clear, transparent and obvious at each stage — nothing up my sleeve. It can be used by anyone. Finally, words are short, so the output is compact. After some time entering such a passphrase is just a series of 4–5 taps on the keyboard. APPRECIATE WHAT ARNOLD REINHOLD DID, because he did a truly good job. :)
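The two points made above, that a bad mapping from the randomness source to the word list skews the distribution and that Diceware's base-6 lookup avoids this, as an added example (not code from the thread or from Reinhold's Diceware). It uses a raw byte as the randomness source and counts exactly how a naive `byte % 6` die is biased versus a rejection-sampled one; the word list itself is only represented by its size.

```python
import math
import secrets
from collections import Counter

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, one per five-dice roll 11111..66666

def naive_die(byte):
    """Biased: 256 is not a multiple of 6, so faces 1..4 are produced by
    43 byte values each and faces 5..6 by only 42."""
    return byte % 6 + 1

def rejection_die(byte):
    """Unbiased: accept only bytes below the largest multiple of 6 (252);
    anything above is rejected (None) and the caller draws again."""
    limit = 256 - 256 % 6
    return byte % 6 + 1 if byte < limit else None

def face_distribution(mapper):
    """Exact count of each face over all 256 byte values, rejections dropped."""
    counts = Counter()
    for b in range(256):
        face = mapper(b)
        if face is not None:
            counts[face] += 1
    return dict(sorted(counts.items()))

def roll_word_index(n_dice=5, rng=secrets.token_bytes):
    """Roll n_dice dice with rejection sampling and return the Diceware
    index as a base-6 number: '11111' -> 0, '66666' -> 7775."""
    idx, rolled = 0, 0
    while rolled < n_dice:
        face = rejection_die(rng(1)[0])
        if face is None:
            continue  # rejected byte: draw another, no skew introduced
        idx = idx * 6 + (face - 1)
        rolled += 1
    return idx

def dice_key(idx, n_dice=5):
    """Index back to the dice string printed beside each word in the list."""
    digits = []
    for _ in range(n_dice):
        digits.append(str(idx % 6 + 1))
        idx //= 6
    return "".join(reversed(digits))

def passphrase_bits(n_words, list_size=DICEWARE_LIST_SIZE):
    """Entropy of n independently chosen words: log2(7776) ~ 12.9 bits each."""
    return n_words * math.log2(list_size)
```

`face_distribution(naive_die)` shows the 43/42 split the modulo mapping introduces, while the rejection-sampled die is exactly uniform; a six-word passphrase from the full list carries about 77.5 bits.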
Doesn't the actual key get derived using pbkdf2 with many iterations, making brute force of even fairly weak passphrases time consuming?
Arguing that weak passphrases are okay because the hash is strong is making the assumption that a password cracker will perform a naive iterative search over the space of all possible passphrases. In practice, I believe any decent password cracker would start with a dictionary of the most common words and passphrases, based on databases of leaked passwords. See [1] for examples of what might be tried first. If your passphrase is "123456" then you can expect it to be cracked instantly, regardless of how strong the hash is. [1] https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
On Wed, 2019-06-26 at 10:41 +1000, asymptosis via arch-general wrote:
https://en.wikipedia.org/wiki/List_of_the_most_common_passwords
That's interesting. The most common passwords don't even contain simple patterns such as reversed words, e.g. "drowssap". It's funny that "aleatoric" is a very important element of art and it already was before computers existed. A culture of using patterns to avoid patterns already exists on an intuitive basis, used by artists all over the planet. Btw. a musical phrase, for example, is made of notes, their level, their length, their relation to each other. Hand-made music by gifted musicians has nothing to do with quantised sequencer patterns, and rules such as the circle of fifths, scales etc. are not necessarily an element of music. IOW a musician could use an easy-to-remember pattern that, even while it is a pattern, can't be produced by using hacker software to generate patterns. It requires either a human musician or a recording played by a human musician.

It's too funny that the very important things, such as online banking, don't even allow using any wanted char pattern; they limit it by enforcing a pattern, such as use chars + numbers + special chars out of a very limited group of special chars. It's not even possible to use Diceware to generate some passphrases, because just words are not accepted.

Btw. if I do not want to use a password at all, but the password can't be disabled, I'm using 1234 whenever possible or stay with a 0000 default passphrase. It's insane that settings for a television set or a tablet used only at home and only for artwork are password protected. It would be way better if passwords were only used where passwords make sense.

It's also insane that security experts made modern car keys less secure than conventional car keys. Today a thief doesn't even need to spend a few seconds hot-wiring a car, and the thief doesn't need to have any skills, such as how to hot-wire a car. There's no need to have the muscles to break the steering lock. Nowadays just pushing a button is all a thief needs to do.
Be careful with academical theories regarding security and don't trust experts too much. A little bit of horse sense should be used in addition to hints from experts.
On Wed, 26 Jun 2019 10:41:03 +1000, asymptosis via arch-general wrote:
In practice, I believe any decent password cracker would start with a dictionary of the most common word
There are some common human patterns. In music, for example, it's unusual to play a b c d; it's more common to play patterns such as a c b d. So instead of using a word, even a stupid human would more likely e.g. turn syllables by a pattern. Such a pattern isn't hard to crack, but it is a starting point for contemplation.
I did a quick search and noticed by default pbkdf2 is not used... Check this out, https://security.stackexchange.com/questions/84482/do-gpg-and-openssh-use-ke... Seems worth it, but hardware solutions still seem preferable and have anti-hammering. On Tue, Jun 25, 2019, 7:43 PM Ralf Mardorf via arch-general <arch-general@archlinux.org> wrote:
On Wed, 26 Jun 2019 10:41:03 +1000, asymptosis via arch-general wrote:
In practice, I believe any decent password cracker would start with a dictionary of the most common word
There are some common human patterns. In music, for example, it's unusual to play a b c d; it's more common to play patterns such as a c b d. So instead of using a word, even a stupid human would more likely e.g. turn syllables by a pattern. Such a pattern isn't hard to crack, but it is a starting point for contemplation.
On Tue, 25 Jun 2019 20:07:00 -0700, Justin Capella wrote:
I did a quick search and noticed by default pbkdf2 is not used...
IIRC (I don't want to re-read the thread and might be mistaken) the intention is to use something like this for a master passphrase, to unlock a password manager.
On Tue, 25 Jun 2019 23:16:04 +0200, mpan wrote:
Randomly opening a dictionary and then randomly pointing at a word, repeating this a few times, is one way for an artist to get inspiration.
I wonder how safe it is to use such a method to generate a passphrase. An old Chinese proverb says: do not invent your own crypto.
I wouldn't do it exactly as described by my ironic inspiration example, I just wanted to point out that there are always pitfalls. Security experts are sometimes the reason for security flaws. "Heartbleed" for example was introduced as part of the groundwork for a dissertation. Sometimes questions and their answers are purely academic. Keep in mind that if you dice, random could generate a result absolutely equal to a biased pattern of even an obsessional neurotic, and the obsessional neurotic wouldn't notice it. The likelihood of randomly generating 1234-alike passphrases could only be ruled out by biasing the random generation with a pattern to avoid patterns. Nobody can rule out this dilemma.
participants (12): asymptosis, Ben Oliver, Bennett Piater, Eli Schwartz, Emil Lundberg, Jude DaShiell, Justin Capella, Manuel Reimer, mpan, Ralf Mardorf, Ralph Corderoy, Robin Broda