Password / Encryption Scheme

Discussion in 'Computer Security' started by Dave McAuliffe, Mar 10, 2006.

  1. What are the weaknesses in the below plan?

    I'm addressing password/keyfile encryption file protection for work
    and home purposes. I'm considering using an easy password in the
    belief that complex ones need to be written down and therefore pose
    their own risk for being breached, and easy ones are nowhere to be
    found in writing. In addition, I'm considering the encryption key as
    being a part of the password.

    The keyfile will *not* be kept on the same computer that it was used
    to encrypt. It will be put on floppy, thumbdrive, etc. and kept in
    pocket or purse not in the computer case. Therefore you would need
    the floppy in order to decrypt the PC file, and if the keyfile were
    compromised, it would need to hook up to the PC and then the password
    would then need to be known. This separation of the encryption key
    and the coming together of three elements, password - keyfile -
    computer, is what I'm banking on for relative security.

    All personnel (road people) would use the same password/encryption key
    file. Any files sent to the office would be decrypted on that end. At
    employee turnover, 100% re-encryption would be done with a new keyfile
    based on a new password.


    --
    Dave
    Central Mass. USA

    To email: Replace
    mailinator.com with email.com
     
    Dave McAuliffe, Mar 10, 2006
    #1
    1. Advertising

  2. Dave McAuliffe wrote:
    > What are the weaknesses in the below plan?
    >
    > I'm addressing password/keyfile encryption file protection for work
    > and home purposes. I'm considering using an easy password in the
    > belief that complex ones need to be written down and therefore pose
    > their own risk for being breached, and easy ones are nowhere to be
    > found in writing.


    If you still didn't notice how horribly wrong you're already getting
    here, then good-bye.

    > The keyfile will *not* be kept on the same computer that it was used
    > to encrypt. It will be put on floppy, thumbdrive, etc. and kept in
    > pocket or purse not in the computer case.


    hint: USB keylock or, even better, smartcard

    > This separation of the encryption key
    > and the coming together of three elements, password - keyfile -
    > computer, is what I'm banking on for relative security.


    The computer doesn't count in, you're doing 2-factor-authentication.

    > All personnel (road people) would use the same password/encryption key
    > file.


    D'oh!
     
    Sebastian Gottschalk, Mar 10, 2006
    #2
    1. Advertising

  3. Dave McAuliffe

    Guest

    It's easy to build and remember strong passwords:
    "Michelle, ma belle, sont des mots qui vont très bien ensemble"
    ->M$mb$sdmqvtbe
     
    , Mar 10, 2006
    #3
  4. Dave McAuliffe

    Keanaz Guest

    most of the security you want would come from
    security awareness training of your users

    along with management buy in

    "Dave McAuliffe" <> wrote in message
    news:...
    > What are the weaknesses in the below plan?
    >
    > I'm addressing password/keyfile encryption file protection for work
    > and home purposes. I'm considering using an easy password in the
    > belief that complex ones need to be written down and therefore pose
    > their own risk for being breached, and easy ones are nowhere to be
    > found in writing. In addition, I'm considering the encryption key as
    > being a part of the password.
    >
    > The keyfile will *not* be kept on the same computer that it was used
    > to encrypt. It will be put on floppy, thumbdrive, etc. and kept in
    > pocket or purse not in the computer case. Therefore you would need
    > the floppy in order to decrypt the PC file, and if the keyfile were
    > compromised, it would need to hook up to the PC and then the password
    > would then need to be known. This separation of the encryption key
    > and the coming together of three elements, password - keyfile -
    > computer, is what I'm banking on for relative security.
    >
    > All personnel (road people) would use the same password/encryption key
    > file. Any files sent to the office would be decrypted on that end. At
    > employee turnover, 100% re-encryption would be done with a new keyfile
    > based on a new password.
    >
    >
    > --
    > Dave
    > Central Mass. USA
    >
    > To email: Replace
    > mailinator.com with email.com
     
    Keanaz, Mar 10, 2006
    #4
  5. wrote:
    > It's easy to build and remember strong passwords:
    > "Michelle, ma belle, sont des mots qui vont très bien ensemble"
    > ->M$mb$sdmqvtbe


    It's way easier:

    "Michelle, ma belle, sont des mots qui vont très bien ensemble"

    Now this is your password. Easier to remember, better to input and no
    entropy stripped due to compression.
     
    Sebastian Gottschalk, Mar 10, 2006
    #5
  6. Dave McAuliffe

    Guest

    I would recomend saying: M,$mb,$sdmqvtbe.

    This gives you special characters, and normal text, the capital M gives
    your password another dimension. This password still is easy to
    remember, not to long (as quite a lot of systems don't support long
    passwords) and i would like to see someone brute-forceing or even
    better guessing this.
     
    , Mar 10, 2006
    #6
  7. Sebastian Gottschalk wrote:

    > wrote:
    >> It's easy to build and remember strong passwords: "Michelle, ma belle,
    >> sont des mots qui vont très bien ensemble" ->M$mb$sdmqvtbe

    >
    > It's way easier:
    >
    > "Michelle, ma belle, sont des mots qui vont très bien ensemble"


    Actually, the other poster's password is considerably more secure then
    yours due to the "over the shoulder" principal. Someone who would
    incidentally or purposefully happen to see even a portion of your pass
    phrase being typed in might guess and/or remember it easily.

    The other poster's offering, while shorter, at least contains symbols and
    can't be recognized as a common and well known phrase. This is why random
    pass phrases are more secure than even "nonsensical" pass phrase
    generators like Diceware. They can't be so easily assembled from bits and
    pieces. ;)
     
    George Orwell, Mar 11, 2006
    #7
  8. George Orwell wrote:
    > Sebastian Gottschalk wrote:
    >
    >> wrote:
    >>> It's easy to build and remember strong passwords: "Michelle, ma belle,
    >>> sont des mots qui vont très bien ensemble" ->M$mb$sdmqvtbe

    >> It's way easier:
    >>
    >> "Michelle, ma belle, sont des mots qui vont très bien ensemble"

    >
    > Actually, the other poster's password is considerably more secure then
    > yours due to the "over the shoulder" principal. Someone who would
    > incidentally or purposefully happen to see even a portion of your pass
    > phrase being typed in might guess and/or remember it easily.


    This is a common misbelieve. The eye is always way faster than the hand.

    > The other poster's offering, while shorter, at least contains symbols and
    > can't be recognized as a common and well known phrase.


    And the non-recognition as a common phrase isn't enough to compensate
    for the speed of the eye. Besides that, a common phrase is much easier
    and therefore faster to type so actually is is harder to recognize. But
    still not hard enough.
     
    Sebastian Gottschalk, Mar 11, 2006
    #8
  9. Sebastian Gottschalk wrote:

    >>> "Michelle, ma belle, sont des mots qui vont très bien ensemble"

    >>
    >> Actually, the other poster's password is considerably more secure then
    >> yours due to the "over the shoulder" principal. Someone who would
    >> incidentally or purposefully happen to see even a portion of your pass
    >> phrase being typed in might guess and/or remember it easily.

    >
    > This is a common misbelieve. The eye is always way faster than the hand.


    Uh... yeah. That's exactly WHY your pass phrase is less secure than the
    other poster's. You can't type fast enough to keep someone in the right
    place at the right time from seeing what you're typing, and if they see
    even a portion of your suggested pass phrase they'll easily be able guess
    the rest and remember all of it.

    >
    >> The other poster's offering, while shorter, at least contains symbols
    >> and can't be recognized as a common and well known phrase.

    >
    > And the non-recognition as a common phrase isn't enough to compensate for
    > the speed of the eye. Besides that, a common phrase is much easier and
    > therefore faster to type so actually is is harder to recognize.


    Baloney. After typing ANY password or phrase for a relatively short period
    of time it becomes a matter of habit and thus faster, and most people can
    type all things equally well with the notable exception of often used
    words and phrases. A group your pass phrase belongs to, or should. I type
    my random pass phrases a lot faster than I type a lot of large words for
    instance, and almost anyone would type the other poster's suggestion a
    lot faster than yours with a little practice.
     
    George Orwell, Mar 11, 2006
    #9
  10. George Orwell wrote:

    >> This is a common misbelieve. The eye is always way faster than the hand.

    >
    > Uh... yeah. That's exactly WHY your pass phrase is less secure than the
    > other poster's. You can't type fast enough to keep someone in the right
    > place at the right time from seeing what you're typing, and if they see
    > even a portion of your suggested pass phrase they'll easily be able guess
    > the rest and remember all of it.


    1. Usually we will be able to see the entire pass phrase.
    2. The longer the pass phrase the more likely he won't catch it entirely.
    3. You pass phrase should be that way that it's not possible to guess
    the entire phrase from a part of it. So don't cite anything!

    >>> The other poster's offering, while shorter, at least contains symbols
    >>> and can't be recognized as a common and well known phrase.

    >> And the non-recognition as a common phrase isn't enough to compensate for
    >> the speed of the eye. Besides that, a common phrase is much easier and
    >> therefore faster to type so actually is is harder to recognize.

    >
    > Baloney. After typing ANY password or phrase for a relatively short period
    > of time it becomes a matter of habit and thus faster, and most people can
    > type all things equally well with the notable exception of often used
    > words and phrases.


    Natural language usually is still much easier to type.
    Even if it might take long to type is at all, you can type it much
    faster and an advisary will most likely miss some part.
     
    Sebastian Gottschalk, Mar 11, 2006
    #10
  11. On Fri, 10 Mar 2006 15:01:55 +0000 (UTC), "Keanaz"
    <> wrote:

    >most of the security you want would come from
    >security awareness training of your users
    >
    >along with management buy in
    >


    I wholeheartedly agree. I also believe in the adage, "sh*t happens".
    --

    Dave
    Central Mass. USA

    To email: Replace
    mailinator.com with email.com
     
    Dave McAuliffe, Mar 11, 2006
    #11
  12. Sebastian Gottschalk wrote:

    > George Orwell wrote:
    >
    >>> This is a common misbelieve. The eye is always way faster than the
    >>> hand.

    >>
    >> Uh... yeah. That's exactly WHY your pass phrase is less secure than the
    >> other poster's. You can't type fast enough to keep someone in the right
    >> place at the right time from seeing what you're typing, and if they see
    >> even a portion of your suggested pass phrase they'll easily be able
    >> guess the rest and remember all of it.

    >
    > 1. Usually we will be able to see the entire pass phrase.


    Faulty logic, and irrelevant anyway. If the entire pass phrase is
    compromised then neither is any more secure than the other, with the
    notable exception that even a very long pass phrase comprised of
    recognizable words/phrases is far easier to remember than a shorter random
    pass phrase. Thus recognizable phrases are inherently less secure from
    this sort of compromise. That being fact, logic and common sense dictate
    there WILL be situations where someone will only get a "glimpse" of
    someone entering a pass phrase. When that is the case it's impossible to
    "reconstruct" a random pass phrase from a segment, but "easy" really
    doesn't do justice to the effort someone would have to invest in
    reconstructing a common, recognizable phrase.

    > 2. The longer
    > the pass phrase the more likely he won't catch it entirely.


    That's the point entirely... if it's a recognizable phrase, you don't have
    to. Just a tiny segment could be more than enough. That's just undeniable
    logic. If someone sees you typing the three characters of 'to be or not to
    be" you're pretty much toast. If the see the first three characters of a
    random text of the same length even, you are not automatically compromised.

    > 3. You pass
    > phrase should be that way that it's not possible to guess the entire
    > phrase from a part of it. So don't cite anything!


    You just completely contradicted your entire argument! The phrase you
    offered as "secure" was exactly the sort of pass phrase that could be
    EASILY reconstructed from a portion. You've been defending that bit in
    nonsense through several posts now, but here you've just done a complete
    180 and stated your original example wasn't an acceptable pass phrase.

    You could have saved some time and avoided a bit of embarrassment if you
    had just acknowledged your mistake from the beginning... :(

    >
    >>>> The other poster's offering, while shorter, at least contains symbols
    >>>> and can't be recognized as a common and well known phrase.
    >>> And the non-recognition as a common phrase isn't enough to compensate
    >>> for the speed of the eye. Besides that, a common phrase is much easier
    >>> and therefore faster to type so actually is is harder to recognize.

    >>
    >> Baloney. After typing ANY password or phrase for a relatively short
    >> period of time it becomes a matter of habit and thus faster, and most
    >> people can type all things equally well with the notable exception of
    >> often used words and phrases.

    >
    > Natural language usually is still much easier to type. Even if it might


    False. To be technically correct the ease with which someone types
    something has more to do with where the keys are on the keyboard and the
    specific sequence of characters than it does the with any sequence of
    characters being a "valid" word or phrase. Something like "decadence" is a
    lot harder to type than "asdfghjkl" because the former is a rather awkward
    sequence on a standard QWERTY keyboard, and the latter can be "typed" by
    dragging a single finger across a row of keys.

    That's just an extreme example of a well known principal, by the way,
    that's resulted in some success in the area of recognizing what someone
    types by analyzing only the sound of their typing.

    > take long to type is at all, you can type it much faster and an advisary
    > will most likely miss some part.


    And with "natural language" pass phrases that becomes mostly if not
    totally meaningless.

    Again, using recognizable phrases is NEVER a good idea. Implementations
    like Diceware get around using recognizable words by combining them in
    nonsensical ways, using sufficiently long lists and combinations. And even
    Diceware's security is open to debate in real life scenarios.
     
    George Orwell, Mar 12, 2006
    #12
  13. George Orwell wrote:

    >> 3. You pass
    >> phrase should be that way that it's not possible to guess the entire
    >> phrase from a part of it. So don't cite anything!

    >
    > You just completely contradicted your entire argument! The phrase you
    > offered as "secure" was exactly the sort of pass phrase that could be
    > EASILY reconstructed from a portion.


    But only for the owner of the password.

    > You've been defending that bit in
    > nonsense through several posts now, but here you've just done a complete
    > 180 and stated your original example wasn't an acceptable pass phrase.


    If it was cited from some known text, then I didn't catch it.
    I thought it would be a phrase that is only known to the owner.

    > That's just an extreme example of a well known principal, by the way,
    > that's resulted in some success in the area of recognizing what someone
    > types by analyzing only the sound of their typing.


    You know that this doesn't work with usual passwords. You need about
    5000+ words to get clear indication.
     
    Sebastian Gottschalk, Mar 12, 2006
    #13
  14. Sebastian Gottschalk wrote:

    > George Orwell wrote:
    >
    >>> 3. You pass
    >>> phrase should be that way that it's not possible to guess the entire
    >>> phrase from a part of it. So don't cite anything!

    >>
    >> You just completely contradicted your entire argument! The phrase you
    >> offered as "secure" was exactly the sort of pass phrase that could be
    >> EASILY reconstructed from a portion.

    >
    > But only for the owner of the password.


    Utter nonsense. Given that the example was a popular song lyric it's
    likely many if not most people could guess that particular line knowing
    only a portion of it. And even if no such lyric is used guessing
    meaningful, logical sentences is a lot easier than guessing first letter
    and symbol combinations derived from those sentences if those letters are
    all you have.

    >> That's just an extreme example of a well known principal, by the way,
    >> that's resulted in some success in the area of recognizing what someone
    >> types by analyzing only the sound of their typing.

    >
    > You know that this doesn't work with usual passwords. You need about 5000+
    > words to get clear indication.


    False. The subject was brought up here a couple months ago, with
    references and cites given. Google be thy savior....
     
    George Orwell, Mar 13, 2006
    #14
  15. George Orwell wrote:

    > Utter nonsense. Given that the example was a popular song lyric


    is something I didn't catch. Of course you should not cite any public works.

    > And even if no such lyric is used guessing
    > meaningful, logical sentences is a lot easier than guessing first letter
    > and symbol combinations derived from those sentences if those letters are
    > all you have.


    Usually you'll have only a contigous part of the phrase and not randomly
    picked symbols.
     
    Sebastian Gottschalk, Mar 13, 2006
    #15
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. Scotchy
    Replies:
    2
    Views:
    548
    Scotchy
    Oct 7, 2004
  2. Replies:
    2
    Views:
    1,110
    Barry Margolin
    Nov 18, 2005
  3. PSMB Graduate Training Scheme II

    PSMB Graduate Training Scheme II

    PSMB Graduate Training Scheme II, Aug 28, 2003, in forum: MCSD
    Replies:
    0
    Views:
    532
    PSMB Graduate Training Scheme II
    Aug 28, 2003
  4. PSMB Graduate Training Scheme II

    PSMB Graduate Training Scheme II

    PSMB Graduate Training Scheme II, Aug 28, 2003, in forum: MCSE
    Replies:
    1
    Views:
    854
    Consultant
    Aug 28, 2003
  5. =?iso-8859-1?Q?-=3D|__=28=BAL=BA=29__|=3D-____o=3D

    Which hard drive encryption program has the strongest tested encryption & security?

    =?iso-8859-1?Q?-=3D|__=28=BAL=BA=29__|=3D-____o=3D, Sep 24, 2004, in forum: Computer Security
    Replies:
    6
    Views:
    3,971
    Kornholio
    Feb 20, 2008
Loading...

Share This Page