507 private links
Feb. 1 is Change Your Password Day, and you may think that good cyber hygiene means creating new, robust passwords every few months. Not so fast.
There was a time that whenever I wrote something related to security passwords, I'd use these words: "Use password managers, as they make it very easy to change passwords, which you should do frequently." Because that's the advice everyone gives about passwords, along with making them strong and unique to every service and account you create.
I haven't done that in years, though, because one of our resident security experts, Neil. J. Rubenking, pointed out that the "should do frequently" part is now outdated advice.
When the National Institute of Standards and Technology (NIST) issued Digital Identity Guidelines in 2017, they used a lot of science-talk to discuss information security standards and "memorized secrets"—its term for passwords, passphrases, and personal identification numbers (PINs). Its conclusion: "Do not require that [passwords] be changed arbitrarily (e.g., periodically) unless there is a user request or evidence of authenticator compromise."
The NIST report also included an appendix about the Strength of Memorized Secrets, which discusses how it's almost impossible for people to memorize passwords if they have forced "composition rules," such as including a symbol, an uppercase letter, a numeral, etc.
"The benefit of such rules is not nearly as significant as initially thought, although the impact on usability and memorability is severe," NIST said.
The length of a memorized secret is more important than complexity. Yet so many services reject extra-long passphrases. (NIST says people should be allowed up to 64 characters.)
Nothing beats memorization for security, but after a couple of years online, you could have hundreds of passwords to keep in your brain. That way lies madness. Ultimately, the best advice for anyone dealing with password security is to use a password manager so you only have to remember one master password/phrase.
Vaultwarden is an unofficial Bitwarden server implementation written in Rust. It is compatible with the official Bitwarden clients, and is ideal for self-hosted deployments where running the official resource-heavy service is undesirable.
Vaultwarden is targeted towards individuals, families, and smaller organizations. Development of features that are mainly useful to larger organizations (e.g., single sign-on, directory syncing, etc.) is not a priority, though high-quality PRs that implement such features would be welcome.
There have been several audits done on Vaultwarden of which some are publicly available, read more about it on our Vaultwarden Audits wiki page.
Supported features
End-to-end encryption for things that matter.
Keybase is secure messaging and file-sharing.
Backing up data
By default, vaultwarden stores all of its data under a directory called data (in the same directory as the vaultwarden executable). This location can be changed by setting the DATA_FOLDER environment variable. If you run vaultwarden with SQLite (this is the most common setup), then the SQL database is just a file in the data folder. If you run with MySQL or PostgreSQL, you will have to dump that data separately --
Ente Auth
Open source 2FA authenticator, with end-to-end encrypted backups
Secure Backups
Auth provides end-to-end encrypted cloud backups so you don't have to worry about losing your tokens. Our cryptography has been externally audited.
Cross platform sync
Auth has an app for every platform. Mobile, desktop and web. Your codes sync across all your devices, end-to-end encrypted.
Aegis Authenticator is a free, secure and open source app for Android to manage your 2-step verification tokens for your online services.
Secure, simple and actively developed.
Note: You can easily create a random password with the command:
cat /dev/urandom | tr -dc 'A-Za-z0-9' | fold -w 32 | head -n 1On Tuesday, the US Federal Bureau of Investigation advised Americans to share a secret word or phrase with their family members to protect against AI-powered voice-cloning scams, as criminals increasingly use voice synthesis to impersonate loved ones in crisis.
"Create a secret word or phrase with your family to verify their identity," wrote the FBI in an official public service announcement (I-120324-PSA).
For example, you could tell your parents, children, or spouse to ask for a word or phrase to verify your identity if something seems suspicious, such as "The sparrow flies at midnight," "Greg is the king of burritos," or simply "flibbertigibbet." (As fun as these sound, your password should be secret and not the same as these.)
The bureau also recommends that people listen carefully to the tone and word choices in unexpected calls claiming to be from family members. The FBI reports that criminals use AI-generated audio to create convincing voice clips of relatives pleading for emergency financial help or ransom payments. //
Of course, passwords have been used since ancient times to verify someone's identity, and it seems likely some science fiction story has dealt with the issue of passwords and robot clones in the past. It's interesting that, in this new age of high-tech AI identity fraud, this ancient invention—a special word or phrase known to few—can still prove so useful.
Open source tool chooses to become more open than ever
The move comes just weeks after we reported that it wasn't strictly FOSS any more. At the time, the company claimed that this was just a mistake in how it packaged up its software, saying on Twitter:
It seems like a packaging bug was misunderstood as something more, and the team plans to resolve it. Bitwarden remains committed to the open source licensing model in place for years, along with retaining a fully featured free version for individual users.
Steven P
October 30, 2024
I worked as a general IT guy for a behavioral health/addiction clinic. I started as a consultant but finally moved to part-time on call worker so I could be protected by their liability insurance rather than having to cover myself. Plus I was worried if there was a breach I would be inside the corporate wall rather than outside.
I had big problems with vendors. The first EMR company we had, I broke down and yelled at them for the first time in my career. I saw a note asking the receptionist to gather up everyone’s password so the vendor could update their client software. When I told them that was a violation of basic network security nevermind HIPAA regulations, they said “well it’s just easier that way”. I told my boss and I finally decided to quit when I realized the clinic needed that software more than they needed me. I wasn’t around enough to keep tabs on them and I didn’t want to deal with any fallout from their shoddy security practices. Other vendors were either asking to install software on our network or open ports in the firewall so they could remotely access their devices.
That was a small practice without even a full time IT person, these big companies that can afford good cybersecurity teams and equipment have no excuse.
NIST Recommends Some Common-Sense Password Rules
NIST’s second draft of its “SP 800-63-4“—its digital identify guidelines—finally contains some really good rules about passwords:
The following requirements apply to passwords:
- lVerifiers and CSPs SHALL require passwords to be a minimum of eight characters in length and SHOULD require passwords to be a minimum of 15 characters in length.
- Verifiers and CSPs SHOULD permit a maximum password length of at least 64 characters.
- Verifiers and CSPs SHOULD accept all printing ASCII [RFC20] characters and the space character in passwords.
- Verifiers and CSPs SHOULD accept Unicode [ISO/ISC 10646] characters in passwords. Each Unicode code point SHALL be counted as a signgle character when evaluating password length.
- Verifiers and CSPs SHALL NOT impose other composition rules (e.g., requiring mixtures of different character types) for passwords.
- Verifiers and CSPs SHALL NOT require users to change passwords periodically. However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
- Verifiers and CSPs SHALL NOT permit the subscriber to store a hint that is accessible to an unauthenticated claimant.
- Verifiers and CSPs SHALL NOT prompt subscribers to use knowledge-based authentication (KBA) (e.g., “What was the name of your first pet?”) or security questions when choosing passwords.
Verifiers SHALL verify the entire submitted password (i.e., not truncate it).
Hooray.
Password security and a comparison of Password Managers
There are two general approaches to password generation and management:
Password Managers which store passwords and have the flexibility to apply different complexity rules to each password or to store a pre-existing password - often required when a password needs to be shared between a team of people. The downside of the storage approach is that the password storage (file/database) needs to be managed carefully - secured, backed up and synchronised to all the devices where you will need to use the passwords. If the password store is lost or corrupted you will lose all the passwords! Destructive viruses such as CryptoLocker can also make a password store unreadable.
Password Generators which use a hash function, like the SS64 password generator, are easy to use and will repeatedly regenerate the same password when given the same inputs but they do have some limitations, the only way to change a password is to enter a different main password or a different salt value. All the generated passwords are the same length. //
NIST recommend 80 bits for the most secure passwords to resist a brute force attack. There is no definitive answer to the question of the minimum password strength required to avoid all types of attack; it is a moving target; over time we all need to use longer passwords.
Entropy Maximum Time to crack at 350 billion guesses/Sec
59 bits 457.50 Hours
65 bits 3.342 Years
71 bits 213.92 Years
77 bits 13,690 Years
80 bits 109,527.95 Years
89 bits 56078315.93 Years.
GPU computer clusters can cycle through as many as 350 billion guesses per second. [offline guesses against a stolen password database/file]
Kerckhoffs’s principle - A cryptosystem should be secure even if everything about the system, except the key, is public knowledge
A 2FA Mule is a mobile phone configured to forward SMS 2FA codes via email.
This divorces 2FA from the mobile phone you carry with you and makes it possible to perform 2FA without your phone, after having your phone lost or stolen, while on an airplane, or while roaming in a foreign place with an alternate SIM card.
In my case, the 2FA mule sits in my office lab connected to mains power.
It is an unlocked Google Pixel phone with no google account and no apps installed except for "SMS Forwarder".
It is configured to forward all SMS to an email address via encrypted SMTP.
jhollinger said:
Sounds like this may explain the large number of password reset requests I'm suddenly getting...
My sisters instagram account was taken over before, interesting strategy they use.
Basically they start chit chatting with you about your posts to look friendly, then they message you saying that someone is trying to hack their account and send you pics of the reset text that instagram sends out and ask if you received anything similar.
In the background they try to reset your account and then you receive the text from instagram to recover it, then you obviously tell them yes i'm receiving the same texts, they ask for a screenshot of it to compare with their own which has a link to recover the account. Then they simply type in the link, make a new password and have access to the account.
My sister didn't have 2fa on because she used some other app to see who follows/unfollows her and it didn't work with 2fa, she eventually got her account back and learned her lesson... i hope lol
Passkeys are an asymmetric key pair
Each passkey is a pair of two related asymmetric cryptographic keys, which are very long, random strings of characters. While they differ from each other, they do have a special relationship - one can decrypt messages that have been encrypted by the other. This feature can be used to verify a user and authenticate them.
The key pair is made up of a private key that’s kept securely on your device, inside a password manager supporting passkeys (also called a passkey provider), and a public key that’s stored on the website you are logging into. Your private key is secure and never leaves your device, and the password manager keeps it locked by biometrics, PIN, or a password. The public key, on the other hand, could be shared with the world, such as in the case of a website data breach, and your security wouldn't be compromised so long as the private key stays safe.
In November 2022, the password manager service LastPass disclosed a breach in which hackers stole password vaults containing both encrypted and plaintext data for more than 25 million users. Since then, a steady trickle of six-figure cryptocurrency heists targeting security-conscious people throughout the tech industry has led some security experts to conclude that crooks likely have succeeded at cracking open some of the stolen LastPass vaults. //
How hard would it be for well-resourced criminals to crack the master passwords securing LastPass user vaults? Perhaps the best answer to this question comes from Wladimir Palant, a security researcher and the original developer behind the Adblock Plus browser plugin.
In a December 2022 blog post, Palant explained that the crackability of a LastPass master password depends largely on two things: The complexity of the master password, and the default settings for LastPass users, which appear to have varied quite a bit based on when those users began patronizing the service.
LastPass says that since 2018 it has required a twelve-character minimum for master passwords, which the company said “greatly minimizes the ability for successful brute force password guessing.”
But Palant said while LastPass indeed improved its master password defaults in 2018, it did not force all existing customers who had master passwords of lesser lengths to pick new credentials that would satisfy the 12-character minimum.
“If you are a LastPass customer, chances are that you are completely unaware of this requirement,” Palant wrote. “That’s because LastPass didn’t ask existing customers to change their master password. I had my test account since 2018, and even today I can log in with my eight-character password without any warnings or prompts to change it.”
Palant believes LastPass also failed to upgrade many older, original customers to more secure encryption protections that were offered to newer customers over the years. One important setting in LastPass is the number of “iterations,” or how many times your master password is run through the company’s encryption routines. The more iterations, the longer it takes an offline attacker to crack your master password.
Palant noted last year that for many older LastPass users, the initial default setting for iterations was anywhere from “1” to “500.” By 2013, new LastPass customers were given 5,000 iterations by default. In February 2018, LastPass changed the default to 100,100 iterations. And very recently, it upped that again to 600,000.
Palant said the 2018 change was in response to a security bug report he filed about some users having dangerously low iterations in their LastPass settings.
“Worse yet, for reasons that are beyond me, LastPass didn’t complete this migration,” Palant wrote. “My test account is still at 5,000 iterations, as are the accounts of many other users who checked their LastPass settings. LastPass would know how many users are affected, but they aren’t telling that. In fact, it’s painfully obvious that LastPass never bothered updating users’ security settings. Not when they changed the default from 1 to 500 iterations. Not when they changed it from 500 to 5,000. Only my persistence made them consider it for their latest change. And they still failed implementing it consistently.”
FusionAuth is the customer authentication and authorization platform that makes developers' lives awesome. You'll get all the features your app needs plus a customizable, scalable solution you can run on any computer, anywhere in the world.
If a transgression by a single employee breaches your network, you're doing it wrong. //
Accessing personal accounts at a company like Okta has long been known to be a huge no-no. And if that prohibition wasn’t clear to some before, it should be now. The employee almost surely violated company policy, and it wouldn’t be surprising if the offense led to the employee’s firing.
However, it would be wrong for anyone to conclude that employee misconduct was the cause of the breach. It wasn’t. The fault, instead, lies with the security people who designed the support system that was breached, specifically the way the breached service account was configured. //
First, Okta should have put access controls in place besides a simple password to limit who or what could log into the service account. One way of doing this is to put a handful of company-controlled IP addresses on an allow list and to block all others unless additional credentials are supplied. Another is to regularly rotate access tokens used to authenticate to service accounts. And, of course, it should have been impossible for employees to be logged in to personal accounts on a work machine. These and other precautions are the responsibility of senior people inside Okta.
all the tags from https://b.plas.ml
1st-amendment 2nd-amendment 4th-amendment 5th-amendment 9/11 a8 abortion acl adhd afghanistan africa a/i air-conditioning amateur-radio amazon america american android animals anti-americanism antifa anti-semitism antiv antivirus aoip apollo apple appliances archaeology architecture archive art astronomy audio automation avatar aviation backup bash batteries belleville bible biden bill-of-rights biology bookmarks books borg bush business calibre camping capitalism cellphone censorship chemistry children china christianity church cia clinton cloud coldwar communication communist composed computers congress conservatives constitution construction cooking copyleft copyright corruption cosmology counseling creation crime cron crypto culture culture-of-death cummins data database ddt dd-wrt defense democrats depression desantis development diagrams diamonds disinformation diy dns documentation dokuwiki domains dprk drm drm-tpm drugs dvd dysautonomia earth ebay ebola ebook economics education efficiency electricity electronics elements elwa email energy engineering english environment environmentalism epa ethernet ethics europe euthanasia evolution faa facebook family fbi fcc feminism finance firewall flightsim flowers fonts français france fraud freebsd free-speech fun games gardening genealogy generation generators geography geology gifts git global-warming google gop government gpl gps graphics green-energy grounding hdd-test healthcare help history hollywood homeschool hormones hosting houses hp html humor hunting hvac hymns hyper-v imap immigration india infosec infotech insects instruments interesting internet investing ip-addressing iran iraq irs islam israel itec j6 journalism jumpcloud justice kindle kodi language ldap leadership leftist leftists legal lego lgbt liberia liberty linguistics linux literature locks make malaria malware management maps markdown marriage mars math media medical meshcentral metatek metric microbit microsoft mikrotik military minecraft minidisc missions moon morality mothers motorola movies mp3 museum music mythtv names nasa nature navigation navy network news nextcloud ntp nuclear obama ocean omega opensource organizing ortlip osmc oxygen paint palemoon paper parents passwords patents patriotism pdf petroleum pets pews photography photo-mgmt physics piano picasa plesk podcast poetry police politics pollution pornography pots prayer pregnancy presentations press printers privacy programming progressive progressives prolife psychology purchasing python quotes rabbits rabies racism radiation radio railroad reagan recipes recording recycling reference regulations religion renewables republicans resume riots rockets r-pi russia russiagate safety samba satellites sbe science sci-fi scotus secularism security servers shipping ships shooting shortwave signal sjw slavery sleep snakes socialism social-media software solar space spacex spam spf spideroak sports ssh statistics steampowered streaming supplement surveillance sync tarsnap taxes tck tds technology telephones television terrorism tesla theology thorium thumbnail thunderbird time tls tools toyota trains transformers travel trump tsa twitter typography ukraine unions united.nations unix ups usa vaccinations vangelis vehicles veracrypt video virtualbox virus vitamin vivaldi vlc voting vpn w3w war water weather web whatsapp who wifi wikipedia windows wordpress wuflu ww2 xigmanas xkcd youtube zfs