Velocity Reviews > Newsgroups > Computing > Computer Security > Password / Encryption Scheme
Password / Encryption Scheme

 
 
Dave McAuliffe
 
      03-10-2006
What are the weaknesses in the below plan?

I'm addressing password/keyfile encryption file protection for work
and home purposes. I'm considering using an easy password in the
belief that complex ones need to be written down and therefore pose
their own risk for being breached, and easy ones are nowhere to be
found in writing. In addition, I'm considering the encryption key as
being a part of the password.

The keyfile will *not* be kept on the same computer that it was used
to encrypt. It will be put on floppy, thumbdrive, etc. and kept in
pocket or purse not in the computer case. Therefore you would need
the floppy in order to decrypt the PC file, and if the keyfile were
compromised, it would need to be hooked up to the PC and then the password
would need to be known. This separation of the encryption key
and the coming together of three elements, password - keyfile -
computer, is what I'm banking on for relative security.

All personnel (road people) would use the same password/encryption key
file. Any files sent to the office would be decrypted on that end. At
employee turnover, 100% re-encryption would be done with a new keyfile
based on a new password.


--
Dave
Central Mass. USA

To email: Replace
mailinator.com with email.com
 
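The password-plus-keyfile combination described in the post, as an added example that is not part of the original thread. The post names no tool or key derivation function, so a PBKDF2-HMAC-SHA256 construction is assumed here; the password, keyfile bytes, salt and wordlist are constructed for illustration. The second function models the case Dave raises himself, where the keyfile has been compromised: the only remaining secret is the easy password, and a short wordlist recovers it.

```python
# Added example (not from the original post): the password-plus-keyfile scheme
# as a key derivation, and what is left once the keyfile is copied.
import hashlib
import hmac

# Constructed sample inputs, not from the post. A real keyfile would be random
# bytes written once to the removable medium; the salt is stored in the clear
# next to the ciphertext.
KEYFILE = bytes(range(32))          # stand-in for the floppy/thumbdrive keyfile
SALT = b"constructed-salt-16B"      # per-file salt, public
WEAK_PASSWORD = "dave1"             # the kind of "easy" password the post proposes
ITERATIONS = 20_000                 # kept low so the example runs in a moment


def derive_file_key(password: str, keyfile: bytes, salt: bytes,
                    iterations: int = ITERATIONS) -> bytes:
    """Bind both secrets into one 32-byte file key.

    The keyfile is hashed first so its length does not matter, then the
    password and keyfile digest go through PBKDF2-HMAC-SHA256 together.
    Nothing here depends on the PC: whoever has both secrets can decrypt anywhere.
    """
    keyfile_digest = hashlib.sha256(keyfile).digest()
    material = password.encode("utf-8") + b"\x00" + keyfile_digest
    return hashlib.pbkdf2_hmac("sha256", material, salt, iterations, dklen=32)


def candidate_passwords():
    """Tiny constructed wordlist with the usual suffix mangling.
    Real wordlists run to millions of entries; the principle is the same."""
    for word in ("password", "dave", "letmein", "welcome", "central", "office"):
        yield word
        for suffix in ("1", "123", "2006", "!"):
            yield word + suffix


def recover_password(target_key: bytes, keyfile: bytes, salt: bytes, candidates):
    """Attacker model from the post: the keyfile has been compromised.

    With the keyfile in hand the only remaining secret is the password, so the
    attacker derives a key per candidate and compares. Returns
    (password, attempts) on success or (None, attempts) if the list is exhausted.
    """
    attempts = 0
    for cand in candidates:
        attempts += 1
        if hmac.compare_digest(derive_file_key(cand, keyfile, salt), target_key):
            return cand, attempts
    return None, attempts


if __name__ == "__main__":
    key = derive_file_key(WEAK_PASSWORD, KEYFILE, SALT)
    print("file key:", key.hex())
    print("missing keyfile gives same key?",
          derive_file_key(WEAK_PASSWORD, b"", SALT) == key)
    found, tries = recover_password(key, KEYFILE, SALT, candidate_passwords())
    print(f"with the keyfile, recovered password {found!r} in {tries} guesses")
```

Nothing in derive_file_key takes input from the PC itself, which is why the computer is not a third factor: the medium plus the password decrypts on any machine. The iteration count is deliberately low for the example; a real deployment would use a much higher count or a memory-hard KDF, and a keyfile per person rather than one shared by every road user, so that a departure does not force re-encrypting everything.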
 
 
 
 
Sebastian Gottschalk
 
      03-10-2006
Dave McAuliffe wrote:
> What are the weaknesses in the below plan?
>
> I'm addressing password/keyfile encryption file protection for work
> and home purposes. I'm considering using an easy password in the
> belief that complex ones need to be written down and therefore pose
> their own risk for being breached, and easy ones are nowhere to be
> found in writing.


If you still didn't notice how horribly wrong you're already getting
here, then good-bye.

> The keyfile will *not* be kept on the same computer that it was used
> to encrypt. It will be put on floppy, thumbdrive, etc. and kept in
> pocket or purse not in the computer case.


hint: USB keylock or, even better, smartcard

> This separation of the encryption key
> and the coming together of three elements, password - keyfile -
> computer, is what I'm banking on for relative security.


The computer doesn't count; you're doing two-factor authentication.

> All personnel (road people) would use the same password/encryption key
> file.


D'oh!
 
 
 
 
 
lgr_joly@yahoo.com
 
      03-10-2006

It's easy to build and remember strong passwords:
"Michelle, ma belle, sont des mots qui vont très bien ensemble"
->M$mb$sdmqvtbe

 
 
Keanaz
 
      03-10-2006
Most of the security you want would come from
security awareness training of your users,

along with management buy-in.

"Dave McAuliffe" wrote:
> What are the weaknesses in the below plan?
>
> I'm addressing password/keyfile encryption file protection for work
> and home purposes. I'm considering using an easy password in the
> belief that complex ones need to be written down and therefore pose
> their own risk for being breached, and easy ones are nowhere to be
> found in writing. In addition, I'm considering the encryption key as
> being a part of the password.
>
> The keyfile will *not* be kept on the same computer that it was used
> to encrypt. It will be put on floppy, thumbdrive, etc. and kept in
> pocket or purse not in the computer case. Therefore you would need
> the floppy in order to decrypt the PC file, and if the keyfile were
> compromised, it would need to be hooked up to the PC and then the password
> would need to be known. This separation of the encryption key
> and the coming together of three elements, password - keyfile -
> computer, is what I'm banking on for relative security.
>
> All personnel (road people) would use the same password/encryption key
> file. Any files sent to the office would be decrypted on that end. At
> employee turnover, 100% re-encryption would be done with a new keyfile
> based on a new password.
>
>
> --
> Dave
> Central Mass. USA
>
> To email: Replace
> mailinator.com with email.com



 
 
Sebastian Gottschalk
 
      03-10-2006
lgr_joly@yahoo.com wrote:
> It's easy to build and remember strong passwords:
> "Michelle, ma belle, sont des mots qui vont très bien ensemble"
> ->M$mb$sdmqvtbe


It's way easier:

"Michelle, ma belle, sont des mots qui vont très bien ensemble"

Now this is your password. Easier to remember, better to input and no
entropy stripped due to compression.
 
 
misbruik@gmail.com
 
      03-10-2006
I would recommend saying: M,$mb,$sdmqvtbe.

This gives you special characters and normal text, and the capital M gives
your password another dimension. This password is still easy to
remember, not too long (as quite a lot of systems don't support long
passwords), and I would like to see someone brute-forcing, or even
better guessing, this.

 
 
George Orwell
 
      03-11-2006
Sebastian Gottschalk wrote:

> lgr_joly@yahoo.com wrote:
>> It's easy to build and remember strong passwords: "Michelle, ma belle,
>> sont des mots qui vont très bien ensemble" ->M$mb$sdmqvtbe

>
> It's way easier:
>
> "Michelle, ma belle, sont des mots qui vont très bien ensemble"


Actually, the other poster's password is considerably more secure than
yours due to the "over the shoulder" principle. Someone who would
incidentally or purposefully happen to see even a portion of your pass
phrase being typed in might guess and/or remember it easily.

The other poster's offering, while shorter, at least contains symbols and
can't be recognized as a common and well known phrase. This is why random
pass phrases are more secure than even "nonsensical" pass phrase
generators like Diceware. They can't be so easily assembled from bits and
pieces.

 
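The abbreviation rule behind "M$mb$sdmqvtbe" from the three posts above, together with the entropy question Sebastian and George argue over, as an added example that is not code from any poster. The rule is inferred from the single example in the thread (first letter of each word, a trailing comma becomes "$"); the colliding English sentence and the corpus size of 10,000 candidate lyric lines are constructed assumptions.

```python
# Added example (not from any poster): the abbreviation rule behind
# "M$mb$sdmqvtbe" and a comparison of the search spaces an attacker faces.
import math

PRINTABLE_ASCII = 95  # alphabet size a blind brute-force attack would assume

# Constructed inputs: the phrase from the thread, and an invented English
# sentence chosen to produce the identical password.
MICHELLE = "Michelle, ma belle, sont des mots qui vont très bien ensemble"
COLLIDING = "Mary, my bride, said dinner must quickly vanish tonight before eight"


def abbreviate(phrase: str) -> str:
    """First letter of each word; a word's trailing comma becomes '$'.

    This is the rule inferred from the thread's single example; the variant
    M,$mb,$sdmqvtbe. keeps the comma too, but the analysis below is the same.
    """
    out = []
    for word in phrase.split():
        out.append(word[0])
        if word.endswith(","):
            out.append("$")
    return "".join(out)


def naive_bits(secret: str, alphabet_size: int = PRINTABLE_ASCII) -> float:
    """Search space a blind brute-force attacker faces: length * log2(alphabet)."""
    return len(secret) * math.log2(alphabet_size)


def source_bits(num_candidates: int) -> float:
    """Upper bound on the entropy of a secret drawn from a known set of
    num_candidates phrases, e.g. every line of a lyrics collection."""
    return math.log2(num_candidates)


def distinct_outputs(phrases) -> int:
    """abbreviate() is a deterministic function, so it can merge distinct
    phrases onto one password but never add entropy to the phrase it came from."""
    return len({abbreviate(p) for p in phrases})


def compare(phrase: str, corpus_size: int) -> dict:
    """Summarise the three views of one phrase: the short password's brute-force
    space, the full phrase's brute-force space, and the bound set by the corpus."""
    short = abbreviate(phrase)
    return {
        "password": short,
        "naive_bits_short": naive_bits(short),
        "naive_bits_full": naive_bits(phrase),
        "source_bits": source_bits(corpus_size),
    }


if __name__ == "__main__":
    for phrase in (MICHELLE, COLLIDING):
        print(phrase, "->", abbreviate(phrase))
    print(compare(MICHELLE, corpus_size=10_000))
```

A blind brute-force attacker sees 13 printable characters, roughly 85 bits, and the full phrase looks far larger still. But abbreviate() is a function of the phrase, so its output can never hold more entropy than the phrase did, and two unrelated sentences can map to the same password. When the phrase is a well-known lyric, the attacker's real work is log2 of the number of lines he is willing to try, which is the substance of the "common and well known phrase" objection; a fragment caught over the shoulder narrows that set further.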
 
Sebastian Gottschalk
 
      03-11-2006
George Orwell wrote:
> Sebastian Gottschalk wrote:
>
>> lgr_joly@yahoo.com wrote:
>>> It's easy to build and remember strong passwords: "Michelle, ma belle,
>>> sont des mots qui vont très bien ensemble" ->M$mb$sdmqvtbe

>> It's way easier:
>>
>> "Michelle, ma belle, sont des mots qui vont très bien ensemble"

>
> Actually, the other poster's password is considerably more secure than
> yours due to the "over the shoulder" principle. Someone who would
> incidentally or purposefully happen to see even a portion of your pass
> phrase being typed in might guess and/or remember it easily.


This is a common misbelief. The eye is always way faster than the hand.

> The other poster's offering, while shorter, at least contains symbols and
> can't be recognized as a common and well known phrase.


And the non-recognition as a common phrase isn't enough to compensate
for the speed of the eye. Besides that, a common phrase is much easier
and therefore faster to type, so actually it is harder to recognize. But
still not hard enough.
 
 
George Orwell
 
      03-11-2006
Sebastian Gottschalk wrote:

>>> "Michelle, ma belle, sont des mots qui vont très bien ensemble"

>>
>> Actually, the other poster's password is considerably more secure than
>> yours due to the "over the shoulder" principle. Someone who would
>> incidentally or purposefully happen to see even a portion of your pass
>> phrase being typed in might guess and/or remember it easily.

>
> This is a common misbelief. The eye is always way faster than the hand.


Uh... yeah. That's exactly WHY your pass phrase is less secure than the
other poster's. You can't type fast enough to keep someone in the right
place at the right time from seeing what you're typing, and if they see
even a portion of your suggested pass phrase they'll easily be able to guess
the rest and remember all of it.

>
>> The other poster's offering, while shorter, at least contains symbols
>> and can't be recognized as a common and well known phrase.

>
> And the non-recognition as a common phrase isn't enough to compensate for
> the speed of the eye. Besides that, a common phrase is much easier and
> therefore faster to type, so actually it is harder to recognize.


Baloney. After typing ANY password or phrase for a relatively short period
of time it becomes a matter of habit and thus faster, and most people can
type all things equally well, with the notable exception of often used
words and phrases, a group your pass phrase belongs to, or should. I type
my random pass phrases a lot faster than I type a lot of large words, for
instance, and almost anyone would type the other poster's suggestion a
lot faster than yours with a little practice.

 
 
Sebastian Gottschalk
 
      03-11-2006
George Orwell wrote:

>> This is a common misbelief. The eye is always way faster than the hand.

>
> Uh... yeah. That's exactly WHY your pass phrase is less secure than the
> other poster's. You can't type fast enough to keep someone in the right
> place at the right time from seeing what you're typing, and if they see
> even a portion of your suggested pass phrase they'll easily be able to guess
> the rest and remember all of it.


1. Usually we will be able to see the entire pass phrase.
2. The longer the pass phrase, the more likely he won't catch it entirely.
3. Your pass phrase should be such that it's not possible to guess
the entire phrase from a part of it. So don't cite anything!

>>> The other poster's offering, while shorter, at least contains symbols
>>> and can't be recognized as a common and well known phrase.

>> And the non-recognition as a common phrase isn't enough to compensate for
>> the speed of the eye. Besides that, a common phrase is much easier and
>> therefore faster to type, so actually it is harder to recognize.

>
> Baloney. After typing ANY password or phrase for a relatively short period
> of time it becomes a matter of habit and thus faster, and most people can
> type all things equally well with the notable exception of often used
> words and phrases.


Natural language is usually still much easier to type.
Even if it might take long to type it at all, you can type it much
faster and an adversary will most likely miss some part.
 
 
 
 