|
Khablam posted:Right. We started off talking about storing the database on dropbox, right? There's a good chance a cloud storage company or my cloud storage account gets compromised without my desktop getting compromised. So while there's no need to separate the database and keyfile on my desktop, there's a good reason not to put the keyfile in dropbox. And I shouldn't use one of 20k photos sitting in my google photos backup either. (Side note, don't use something on google photos anyway because they recompress files and change metadata and do other things that will make it suddenly stop working as a key file.)
|
#
?
Mar 10, 2021 23:24
|
|
|
|
| # ? May 24, 2024 22:11 |
|
|
Storm One posted:Sure, but the point stands, unless you're confident that: Re: #2 that is quite the self-threat model.
|
|
#
?
Mar 11, 2021 00:01
|
|
|
Ynglaur posted:Re: #2 that is quite the self-threat model. It is more likely then you think. Having to google where the various symbols are on an us layout to login after you screwed up your keymaps in some update is seriously annoying. Especially if you have problems remembering your password without the muscle memory. Hasn't happened to me again since I stopped using gentoo, at least.
|
|
#
?
Mar 11, 2021 00:15
|
|
|
Storm One posted:Sure, but the point stands, unless you're confident that: I'm going to say that 2 applies to basically every password, unless you are advocating against the use of special characters. And point 1 is an argument against strong passwords of any type. "But what if your are a blind quadruple amputee, what then?  "
|
|
#
?
Mar 11, 2021 16:52
|
|
|
RFC2324 posted:unless you are advocating against the use of special characters. It's OK to use them in web logins that are kept in a password manager and never typed by a human but for a master password and any other really important ones, the ones that should be written down on paper and never updated, lowercase ASCII letters only is the way to go. Encryption is a fantastic way of locking oneself out of important data when it's most needed. RFC2324 posted:And point 1 is an argument against strong passwords of any type. If an entropy estimator has a ceiling for strictly alphabetic passwords, it's plainly broken. But enough bike-shedding from me.
|
|
#
?
Mar 11, 2021 22:35
|
|
|
VictualSquid posted:using gentoo This may be more of a contribution to your difficulties than anything you do to set up your password :P
|
|
#
?
Mar 11, 2021 22:38
|
|
|
If punctuation is required, then "." seems to be the safest choice. But they are to be avoided unless you can be sure you will never end up in unusual situation. Just this week my coworker was in trouble inside VMware console where he was unable to produce "=". At the same time my own hell was IPMI and IP-KVM consoles where it was impossible to type "$" using finnish keyboard layout. So I decided to fallback to US layout. Funny thing is, that IP-KVM also occasionally has a problem where key gets stuck and repeats dozen or couple times. So I type 'setkmap', press enter and it gets stuck. And setkmap selects the first choice. After the enter got unstuck I find out my keyboard is now producing completely random characters. After a lot of trial and error I figure out I can run the setkmap command again by typing "ödkvmar". Turns out I was using ANSI-dvorak.
|
|
#
?
Mar 12, 2021 02:14
|
|
|
I would never be typing my passphrase in that situation anyway. Passphrases are for opening the vault with the real passwords, and so will never be subject to console wonkyness. Consoles use passwords out of pwgen or similar that actually are random, in accordance with company policy. Also helps to be in america where only idiots fiddle with they keymaps, and if its wonky on your production server then you have a bit of a problem
|
|
#
?
Mar 12, 2021 03:06
|
|
|
RFC2324 posted:Also helps to be in america where only idiots fiddle with they keymaps, and if its wonky on your production server then you have a bit of a problem If you work in tech and you don't have at least one idiot coworker who insists in changing everything to dvorak at every available opportunity you haven't lived.
|
|
#
?
Mar 12, 2021 07:37
|
|
|
Why are you typing in your passwords on other people’s computers?
|
|
#
?
Mar 12, 2021 15:02
|
|
|
We're spiraling towards "Dicewear passwords would be more secure if you use ten d20 dice on word lists in a language you alone can speak. Literally a new fully functional language no other soul knows."
|
|
#
?
Mar 12, 2021 15:32
|
|
|
this thread is so off track it's currently halfway to the earth's mantle
|
|
#
?
Mar 12, 2021 18:57
|
|
|
alexandriao posted:this thread is so off track it's currently halfway to the earth's mantle Whee! We gonna ride this thing straight to hell, y'all!
|
|
#
?
Mar 12, 2021 19:26
|
|
|
What did people use for passwords for The Core?
|
|
#
?
Mar 12, 2021 21:11
|
|
|
Rooted Vegetable posted:We're spiraling towards "Dicewear passwords would be more secure if you use ten d20 dice on word lists in a language you alone can speak. Literally a new fully functional language no other soul knows." This has already happened Agee years ago. Some private server for Trek site (so probably child pornography) was compromised in a hack. The hacker got in and simply guessed the pwd because it was a relatively “common” phrase in Klingon. Used to wait to see a GoT site about E. Clarke’s boobs get hacked in High Valyrian. Much less chances to name/protect your stuff in Or’zet (the fictional ork/troll language in the fictional future in Shadowrun that has been alluded to but never fleshed out).
|
|
#
?
Mar 12, 2021 22:41
|
|
|
DerekSmartymans posted:This has already happened Agee years ago. Some private server for Trek site (so probably child pornography) was compromised in a hack. The hacker got in and simply guessed the pwd because it was a relatively “common” phrase in Klingon. Used to wait to see a GoT site about E. Clarke’s boobs get hacked in High Valyrian. Much less chances to name/protect your stuff in Or’zet (the fictional ork/troll language in the fictional future in Shadowrun that has been alluded to but never fleshed out). well, none of these examples actually took the step of "a completely new language no one else knows" so are obviously not strong enough also, maybe don't use klingon for your trek site password, thats just obvious. use loving Khuzdul
|
|
#
?
Mar 12, 2021 22:46
|
|
|
RFC2324 posted:well, none of these examples actually took the step of "a completely new language no one else knows" so are obviously not strong enough Agreed. Or’zet is only a “named” alt language right now, though. I’m sure someone could make up an alphabet for it and slowly build words and grammar rules based on that. Then share with Trolls and Orks—-like the Army did with Navajo.
|
|
#
?
Mar 12, 2021 23:30
|
|
|
Here's your runic password generator https://watabou.itch.io/rune-generator To use it, scratch your password into your skin with a fingernail, and hold it up to the webcam. Your unique skin texture and password will open your computer-thing. Please use the disposable sloughing pad to remove the password from your skin after use, for added security.
|
|
#
?
Mar 12, 2021 23:49
|
|
|
Rooted Vegetable posted:We're spiraling towards "Dicewear passwords would be more secure if you use ten d20 dice on word lists in a language you alone can speak. Literally a new fully functional language no other soul knows." Surprisingly this sort of has been done. "pwgen" that RFC mentioned creates random password, but you will notice patterns in them. The passwords sem to be based on words, but these are made up words designed so they are bit easier to remember and type. You would be amazed how easy it is to remember these completely nonsensical passwords.
|
|
#
?
Mar 13, 2021 01:11
|
|
|
I've been enjoying the debate about threat models and levels, and lots of discussions here about risk models, threat models, measuring cost/benefit and likliehood etc. but other than just a walk-through rule of thumb, is there an actual documented methodology one could use to actually properly threat model your stuff? also, is anyone familiar with Pushbullet? I've been using it after randomly searching for an easy way to Right Click -> Send to Phone dumb memes I want to share on my whatsapp, signal or instagram groups but I recently realized I was seeing my messages pop up and thought "Wait, isn't the point of signal/whatsapp for E2E encryption but this is sending it over clear?". It has apparently an E2E setting which I've setup with a password, but it just doesn't work (I only receive a "encrypted data received" pop up which is fine). Literally my only use is the dumb meme push thing (I don't care about monitoring my phone or replying using my computer, I can just use my phone). Is there a more secure option for this?
|
|
#
?
Apr 4, 2021 16:01
|
|
|
Oysters Autobio posted:I've been enjoying the debate about threat models and levels, and lots of discussions here about risk models, threat models, measuring cost/benefit and likliehood etc. but other than just a walk-through rule of thumb, is there an actual documented methodology one could use to actually properly threat model your stuff? I guess, uh, why do you need to protect this? I think this could be more secure but I’m not sure: People frequently use cloud folders for this, like a synced Dropbox folder on PC where you put the memes and the Dropbox app on your phone from which you share them.
|
|
#
?
Apr 4, 2021 16:12
|
|
|
I'm going to second the question of why you need your memes secured. Are you afraid of people stealing them?
|
|
#
?
Apr 4, 2021 16:31
|
|
|
RFC2324 posted:I'm going to second the question of why you need your memes secured. Are you afraid of people stealing them? tuyop posted:I guess, uh, why do you need to protect this? Sorry I didn't explain my use-case well here. I'm not worried about my memes security (though maybe I should consider that...  ), it's the fact that I only use pushbullet for sending memes or funny/interesting articles I find on my computer back to my phone or vice versa (and I like the integration because after I "push" something between devices it's one click away from the share button on my smartphone) but that Pushbullet also fully mirrors all of my conversations/SMS etc. onto my desktop which is a feature I don't need and I wonder if I'm unnecessarily exposing really basic security risks (doesn't it defeat the purposes of E2E on whatsapp/signal if my convos are being forwarded in the clear through Pushbullet's servers then to mine?).My question is (1) Is there a better/more secure method I should consider for my use-case (sending non-sensitive links/images between my computer and phone with an integrated app that doesn't fully mirror my messaging apps)). I feel like there must be an obvious app here that doesn't add unnecessary and potential harmful features.
|
|
#
?
Apr 4, 2021 17:51
|
|
|
Is there a PC app for the messenger? Signal has one, iirc
|
|
#
?
Apr 4, 2021 18:03
|
|
|
RFC2324 posted:Is there a PC app for the messenger? Signal has one, iirc I'd preferrably like one that can push it direct to my phone that I can then just share to my Google Pixel's share function (which then opens up all the other messenger apps) instead of needing multiple PC apps for multiple Android apps (I sort of have a number of different groups split between Signal, whatsapp and Instagram). I also do like the history function in Pushbullet so I can go back and see previously "pushed" links and images and re-share them. I've enabled the E2E Encryption option in Pushbullet but I'm not sure if it works because even after entering in the same password for both sides (PC and phone) if it works because when I've set it up it's not actually opening up my messages (it just shows me I have a new encrypted message on my phone and to enter my password, and when I click on it it opens up my settings where the password goes and even after entering it multiple times it keeps on doing the same thing).
|
|
#
?
Apr 4, 2021 18:10
|
|
|
RFC2324 posted:Is there a PC app for the messenger? Signal has one, iirc
|
|
#
?
Apr 4, 2021 18:29
|
|
|
Curious to know if this is actually dumb or I'm overinflating the existing security of e transfers to begin with, or I'm clutching pearls over nothing. My bank started doing 2FA for confirming etransfers (which is good, right?), but instead of just sending a code on SMS they send the entire details of the transfer in the message "Enter code XXXXX now to send $3333 via e-transfer to Jimmy BEANS". I mean, I guess they want to do this so you can confirm that its a legitimate 2FA SMS, but isnt sending the details of the whole transfer over SMS sort of problematic because its all in plain text? I know this is a sort of generic pearl clutching over privacy and without a real threat model or anything but I recall hearing lots of issues with SMS security these days.
|
|
#
?
May 7, 2021 13:21
|
|
|
The biggest thread around SMS is how easy it is for someone else to walk into Rogers or whatever, pretend they're you and walk out with a SIM so I don't think the details in the SMS are that bad.
|
|
#
?
May 7, 2021 14:00
|
|
|
Oysters Autobio posted:Curious to know if this is actually dumb or I'm overinflating the existing security of e transfers to begin with, or I'm clutching pearls over nothing. It's not great but if somebody has access to your phone number (usually via SIM swapping), you have bigger problems. In my country you can choose to use physical one-time pads supplied by the government for online transactions and transfers. Good in a scenario like this because it requires SIM swapping and stealing the one-time pad. Of course this is still regularly defeated by social engineering, lots of gullible folks end up sending pictures of their one-time pads to scammers.
|
|
#
?
May 7, 2021 14:19
|
|
|
You trust the government with access to your money? *GASP*
|
|
#
?
May 7, 2021 15:41
|
|
|
Oysters Autobio posted:Curious to know if this is actually dumb or I'm overinflating the existing security of e transfers to begin with, or I'm clutching pearls over nothing. This is trying to stop a specific threat where the scammer gets access to someone's login info and phone number, but isn't able to easily spoof SMS 2FA. They call the victim, say "I'm from the bank, we need to verify your account and I'm going to send you a code. Could you please read it to me?" and then kick off the drain-yo-funds transfer. Victim gets the code, reads it to the scammer, and now the scammer is able to provide the second factor. If the SMS says "this is going to authorize a transfer" instead of just "enter this code to authorize access" it helps mitigate that threat. There are still a bunch of potential avenues for attack, and SMS 2FA isn't great overall, but it at least shuts down that common one.
|
|
#
?
May 7, 2021 15:58
|
|
|
That's not a failure of SMS, that's just social engineering. You can replace SMS with signal, Google auth, etc in that scenario and it still works. The problem with SMS is it's not too difficult to call a cell company and convince them you're the account owner, and therefore you can intercept SMS. There's no mitigation really, beyond "don't use SMS" since you won't be a part of the attack. For the especially vulnerable and monitored, SMS also lets LEA intercept 2FA codes over the air.
|
|
#
?
May 7, 2021 16:33
|
|
|
RFC2324 posted:You trust the government with access to your money? *GASP* Marginally more than a bank, I can vote elected officials out, but not bank directors  I've had banks fight me over obvious credit fraud, they see it as a cost of doing business and would prefer to pass the risk on to the customer.
|
|
#
?
May 7, 2021 16:57
|
|
|
Fruits of the sea posted:Marginally more than a bank, I can vote elected officials out, but not bank directors I was making a joke about America, tbh. We would never trust an otp issued by the government
|
|
#
?
May 7, 2021 17:45
|
|
|
RFC2324 posted:I was making a joke about America, tbh. We would never trust an otp issued by the government Why would you? Even back in the Clipper Chip days, trusting the Gov to handle secret management was viewed as the dumb idea it is.
|
|
#
?
May 7, 2021 19:33
|
|
|
B-Nasty posted:Why would you? Even back in the Clipper Chip days, trusting the Gov to handle secret management was viewed as the dumb idea it is. I generally "trust" our government at the bureaucracy level, but by its very nature its going to be bad at that sort of thing. can you imagine getting locked out of your identity because some paper pusher spilled his coffee and didn't want to admit it?
|
|
#
?
May 7, 2021 20:06
|
|
|
Any banks use Yubikeys yet?RFC2324 posted:I was making a joke about America, tbh. We would never trust an otp issued by the government You know that Login.gov supports TOPT, SMS Auth and Hardware Authentication, right? (How does a resident of Canada know? Nexus Card application!)
|
|
#
?
May 7, 2021 20:13
|
|
|
RFC2324 posted:I generally "trust" our government at the bureaucracy level, but by its very nature its going to be bad at that sort of thing. can you imagine getting locked out of your identity because some paper pusher spilled his coffee and didn't want to admit it? https://www.theverge.com/2021/4/23/22399721/uk-post-office-software-bug-criminal-convictions-overturned worse things have happened. Imagine being so crude as to defend your bug as legitimate to the point people go to jail over it.
|
|
#
?
May 7, 2021 20:14
|
|
|
Rooted Vegetable posted:You know that Login.gov supports TOPT, SMS Auth and Hardware Authentication, right? I've never even heard of login.gov, lol TheParadigm posted:https://www.theverge.com/2021/4/23/22399721/uk-post-office-software-bug-criminal-convictions-overturned I don't understand a refusal to admit fault. just say 'oh, I know what happened' and fix it. presto, you managed to not even have to admit you are admitting it
|
|
#
?
May 7, 2021 20:31
|
|
|
|
| # ? May 24, 2024 22:11 |
|
|
RFC2324 posted:I generally "trust" our government at the bureaucracy level, but by its very nature its going to be bad at that sort of thing. can you imagine getting locked out of your identity because some paper pusher spilled his coffee and didn't want to admit it? My adult son didn’t get his first stimulus check because it fell out inside a truck and nobody cared enough to pick it up. He got it almost the same day of his $600 stimulus check was direct deposited. 🙄
|
|
#
?
May 7, 2021 20:55
|
|