• Welcome to Peterborough Linux User Group (Canada) Forum.
 

PLUG Meeting Notes: Passwords & Two-Factor Authentication

Started by Jason, May 07, 2019, 05:51:43 PM

Previous topic - Next topic

0 Members and 1 Guest are viewing this topic.

Jason

Attached is the slideshow in ODP format. If anybody wants to spellcheck this or even clarify some of the points. Feel free to do so and send it to me at webmaster AT plugintolinux.ca and I'll re-post it. I'm sure there are some typos in it.

Here are some links to Password Manager reviews that are within in the last year:

Best Free Password Managers for 2019 (PCMag)
9 Best Free Password Manager Software For 2019 (Fossbytes)
The Best Password Managers for 2019 (PCMag)
The Best Password Managers for 2019 (CNET)
The 6 best password managers (CSO Online)
Best Password Managers 2019: LastPass vs. Dashlane vs. 1Password (Tom's Guide)
The Best Password Managers (Wirecutter)
The best free password manager 2019 (Techradar)
Best password managers: Reviews of the top products (PCWorld)
Best Password Managers of 2019 (A Secure Life)

Diceware
Passmaker

Also wanted to address the questions about password entropy that came up in the xkcd comic. Most of the bits of entropy in the first password example come from it having using an uncommon base word, in this case, troubador, not from each letter in it. Also, password entropy considers that bruteforcing half of the possible uncommon words will result in 50% chance of getting the password so the actual number of combinations is half of the entire total.

If instead you had a password of the same length (11 characters) which was full of randomly selected letters, upper and lower case, you'd have (52^11)/2 combinations resulting in 31 bits of entropy, and then it'd be 42 if you added the other components (common subsitutions, a special character, a numeral and the order.

My confusion was that my talk was talking about using a password made up of random characters  vs. using a bunch of random words whereas the xkcd comic wasn't using a completely random password. It was talking about the technique that has been suggested for taking a word you could use as a password and making it stronger. It does make it stronger but at the cost of making it harder to remember. Instead by using just 4 common words separated by spaces, you have a much harder password to crack (~65,000x as harder, in fact).

There was a mention that you can't use spaces in most sites for passwords (though password managers will let you do, I believe, at least LastPass does). So this is what I do for my LastPass, I use diceware and a number of uncommon words although I think diceware also uses some not real words but suffixes by themselves so not too hard to remember. And I use my YubiKey as well.

So now back to you guys... what do you do for passwords? How do you remember your passwords? Do you think a Password Manager would be a good idea for you if you don't already use one?
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

cod3poet

Arch, Windows, Ubuntu, MacOS. In that order. (Definitely 08/2024)
i9-13900hx/32gb/2tbNVME/4090-Win11-WSL2
Ryzen9 5950x/128gb/2tbNVME/8TBhdd/8TBssd/3080ti-Win11
8gen and 10gen i7/32gb/1tbNVME-Arch(k8s) + m1Mac(work)
Azure Devops Expert / Hacker / Automation Engineer

Jason

* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13