How to increase the security!

For discussions about security.
Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

Passwords

#31 Post by Barkin »

shoutcrown wrote: ... Now I can test how to create automatic passwords. It's very useful, but I shouldn't use any known word, just some other character sequence, right?
My point was to use the MD5 calculator for computer passwords, e.g.

Barkin’s list of online account “passwords

Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

#32 Post by Barkin »

Attachments
md5 of string in file calculated via puppy command line (GTK hash confirms MD5 is correct).png
screengrab
Last edited by Barkin on Wed 02 May 2012, 05:35, edited 3 times in total.

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#33 Post by nooby »

Does this affect the vulnerability that I read about yesterday?
I tried to find the links: this one, and another that I can't find now

http://blogs.computerworld.com/19518/br ... vulnerable
this maybe
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup

only four pin security despite having 8 pin. They only need to brute force
the first 4 pin and then they know the rest? Too easy is it not?
I use Google Search on Puppy Forum
not an ideal solution though

Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

#34 Post by Barkin »

nooby wrote:Does this affect the vulnerability that I read about yesterday?

http://blogs.computerworld.com/19518/br ... vulnerable
this maybe
http://en.wikipedia.org/wiki/Wi-Fi_Protected_Setup
That's a new flaw, the eight digit pin is different from the Wi-Fi key.
My (old?) router doesn't have one of those PIN things: any device which connects to my router via wifi requires the WPA2 wi-fi key (16 character alphanumeric passphrase).

shoutcrown
Posts: 84
Joined: Sat 12 Mar 2011, 16:21

internet security

#35 Post by shoutcrown »

Hi barkin!

A long time ago I had to learn many long email passwords (what a waste of time!)

Thanks a lot!

puppy_apprentice
Posts: 299
Joined: Tue 07 Feb 2012, 20:32

#36 Post by puppy_apprentice »

we don't understand each other, but never mind

i didn't say that preparing passwords using MD5 or whatever is a bad method, i only gave u an example of my method to store passwords, again:

i understand that using for eg. facebook: facebook+salt (where salt is a secret word/char chain known only to u, stored in your head), is easy to remember (facebook describes the online service and salt is used to make a "variation" of the word facebook, so if a cracker uses a dictionary that has the word facebook and he makes a hash of this word he won't find your password because your hashed password is not facebook but facebook+salt)

and it is ok, but i use some forums, some other sites and i have a different nickname on every one (eg. here it is puppy_apprentice, on others i have other nicknames) so as i have a small head and can't remember all my logins and passwords i'm using programs called password managers

in every password manager u first have to create your password database, create a master password for this database, and add entries for all your passwords; the whole database will be stored on hd and encrypted with Blowfish or AES etc., to retrieve your passwords u only have to remember the main password for your password database

eg. for Password Dragon (it is a Java tool so it works everywhere where Java is installed):

every time u want to open your password database u have to type your master password (it will be stored inside your password database and encrypted with the Blowfish algorithm so it is safe)
Image

my database (it is only example):
Image

Password Dragon has password generator which i use to generate passwords for my accounts if i'm bored to invent my very own combination (you use MD5 for this, ok):
Image

shoutcrown
Posts: 84
Joined: Sat 12 Mar 2011, 16:21

wireless security

#37 Post by shoutcrown »

Hi puppy_apprentice!

OK!. Database seems to be very useful. Thanks

RetroTechGuy
Posts: 2947
Joined: Tue 15 Dec 2009, 17:20
Location: USA

Re: Passwords

#38 Post by RetroTechGuy »

Barkin wrote:
shoutcrown wrote: ... Now I can test how to create automatic passwords. It's very useful, but I shouldn't use any known word, just some other character sequence, right?
My point was to use the MD5 calculator for computer passwords, e.g.
I think that this is a clever idea. Good passwords, without the pain of generating and then remembering them.

Then a decent password safe can store a number of different passwords. I started using Password Safe, and under Puppy migrated to Password Gorilla (compatible with the Safe archive):

http://www.schneier.com/passsafe.html

http://www.schneier.com/blog/archives/2 ... asswo.html

http://passwordsafe.sourceforge.net/

https://github.com/zdia/gorilla/wiki/

I use the Tcl/Tk version under Puppy.
Add swapfile: http://murga-linux.com/puppy/viewtopic.php?t=58615
WellMinded Search: http://wellminded.net63.net/
PuppyLinux.US Search: http://puppylinux.us/psearch.html

shoutcrown
Posts: 84
Joined: Sat 12 Mar 2011, 16:21

wireless security

#39 Post by shoutcrown »

hi RetroTechGuy!

thanks!

Wognath
Posts: 423
Joined: Sun 19 Apr 2009, 17:23

Great information

#40 Post by Wognath »

Thanks to all of you. This topic was an interesting and entertaining read!!

I'd like to put in a plug here for truecrypt. http://www.truecrypt.org
I keep my tax files etc. in a truecrypt archive. [edit: it's a netbook and I travel with it. ]

My password list is also in there, but I'm definitely going to convert the more important passwords (bank, newegg, etc.) over to that elegant MD5 method.
Wognath

edit: Most of my sites of interest have max of 12-16 characters in password. Several require at least 1 character other than number or letter. :(

RetroTechGuy
Posts: 2947
Joined: Tue 15 Dec 2009, 17:20
Location: USA

Re: Great information

#41 Post by RetroTechGuy »

Wognath wrote:Thanks to all of you. This topic was an interesting and entertaining read!!

I'd like to put in a plug here for truecrypt. http://www.truecrypt.org
I keep my tax files etc. in a truecrypt archive. [edit: it's a netbook and I travel with it. ]

My password list is also in there, but I'm definitely going to convert the more important passwords (bank, newegg, etc.) over to that elegant MD5 method.
Wognath

edit: Most of my sites of interest have max of 12-16 characters in password. Several require at least 1 character other than number or letter. :(
Truecrypt under Puppy:
http://murga-linux.com/puppy/viewtopic.php?t=60062

shoutcrown
Posts: 84
Joined: Sat 12 Mar 2011, 16:21

how to increase the security!

#42 Post by shoutcrown »

hi!
thanks!
I appreciate more information about security...
bye!!!

Wognath
Posts: 423
Joined: Sun 19 Apr 2009, 17:23

Figaro's password manager

#43 Post by Wognath »

Hello again,
Is there a reason why people seem to recommend Keepass, Gorilla etc. but not FPM2 (included with recent puppies)? Is there something wrong with FPM2 that I should know about?? Thanks
Wognath

puppy_apprentice
Posts: 299
Joined: Tue 07 Feb 2012, 20:32

#44 Post by puppy_apprentice »

there is no problem with FPM2 i think, it uses a good encryption algorithm (AES), some could prefer eg. Gorilla or Keepass because those apps are multiplatform (or they were using them on Windows so it is easier to use something on Linux that they know)

Wognath
Posts: 423
Joined: Sun 19 Apr 2009, 17:23

#45 Post by Wognath »

Thanks, puppy_apprentice. I finally have FPM2 working the way I want, so you gave me the answer I wanted! And thanks for the grc link above (page 1)--interesting stuff.

01micko
Posts: 8741
Joined: Sat 11 Oct 2008, 13:39
Location: qld
Contact:

#46 Post by 01micko »

Barkin wrote:Just remembered Puppy can calculate MD5 via console (aka terminal) ... http://puppylinux.org/wikka/md5sum

http://www.puppylinuxfaq.org/how-to/20-linux-tips/44-copy-and-paste-to-terminal.html
Just two points I'd like to make here:

1. There is the chance of error when you put your text into a file and run md5sum. There can be no whitespace on the end of the string or carriage returns. If you produce it using "echo" you must use /bin/echo, that is, echo -n.

2. If you store that file then there isn't much point! An attacker could easily get hold of the file.
You can run md5sum from stdin like so:

Code:

# echo -n '5&kr&t'|md5sum
5622165cab4eb0217daa09f574bd3c3d  -
Puppy Linux Blog - contact me for access
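
Added example, not part of 01micko's post or of the thread: the trailing-newline pitfall from point 1 shown side by side, plus a derivation that reads the salt from the terminal so it is never saved to a file (point 2). The function names and the label `facebook` are illustrative assumptions; `5&kr&t` is the sample salt quoted in the thread.

```shell
#!/bin/sh
# Added example: MD5(label + salt) as discussed in the thread, hashed from
# stdin so the exact bytes are under your control.

# md5_of STRING: hash exactly the bytes of STRING, with no trailing newline.
# printf '%s' is used because `echo -n` is not portable across shells.
md5_of() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# md5_with_newline STRING: what plain `echo` or a file saved by an editor
# would feed to md5sum (STRING plus "\n"), giving a different hash.
md5_with_newline() {
    printf '%s\n' "$1" | md5sum | cut -d' ' -f1
}

# derive LABEL SALT: the thread's scheme, label followed by the secret salt.
derive() {
    md5_of "$1$2"
}

# prompt_and_derive LABEL: read the salt from stdin with terminal echo off,
# so it is not written to a file or typed into a command line.
prompt_and_derive() {
    printf 'Salt: ' >&2
    if [ -t 0 ]; then
        trap 'stty echo' INT TERM      # restore echo if interrupted
        stty -echo
    fi
    IFS= read -r salt
    if [ -t 0 ]; then
        stty echo
        trap - INT TERM
        printf '\n' >&2
    fi
    derive "$1" "$salt"
    unset salt
}

# Demo with constructed values: the two hashes differ by one input byte.
echo "exact bytes : $(derive facebook '5&kr&t')"
echo "with newline: $(md5_with_newline 'facebook5&kr&t')"
```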

Barkin
Posts: 803
Joined: Fri 12 Aug 2011, 04:55

#47 Post by Barkin »

01micko wrote:2. If you store that file then there isn't much point! An attacker could easily get hold of the file.
You can run md5sum from stdin like so:

Code:

# echo -n '5&kr&t'|md5sum
5622165cab4eb0217daa09f574bd3c3d  -
That was just to show the MD5 calculators were in agreement, I did say not to write down the salt 5&kr&t ...
Barkin wrote: ... the real passwords are MD5s of those words in quotes plus a secret string of characters I have committed to memory and never write down, e.g. 5&kr&t
It's the only thing you have to memorize to have an unlimited number of secure passwords.
BTW I use something longer than 5&kr&t as a salt: I use a 15 character string not in the dictionary.

So even if someone knows my list of dummy passwords and the method I've used they will still have to do a brute force attack on a 15 character unknown which could take some time ...
It would take a desktop PC about 157 billion years to crack your [15 character] password
http://howsecureismypassword.net/
Time Required to Exhaustively Search this [15 character] Password's Space:
Online Attack Scenario:
(Assuming one thousand guesses per second) 1.49 hundred thousand trillion centuries
Offline Fast Attack Scenario:
(Assuming one hundred billion guesses per second) 1.49 billion centuries
Massive Cracking Array Scenario:
(Assuming one hundred trillion guesses per second) 1.49 million centuries
Note that typical attacks will be online password guessing
limited to, at most, a few hundred guesses per second.
https://www.grc.com/haystack.htm

The above times do not include the additional time taken to calculate the MD5 for each guess: MD5 (DummyPassword+BruteForceGuess).
