HomeRoast Digest


Topic: Email security ideas (17 msgs / 399 lines)
1) From: Ryan M. Ward
Hi everyone,
We have received two suspicious emails now from the email addresses of legitimate list members. I did a quick Google search and found this site; the suggestions here seem pretty good.
http://lifehacker.com/5051905/how-to-protect-your-email-from-hackers
--
Ryan M. Ward
*Note: This email was sent from a computer running Ubuntu Linux 9.10 (Karmic Koala) http://www.ubuntu.com
**Note: This signature was placed here by me and is not automatically-generated-annoying-end-of-email-spam placed here by anyone other than myself. I am a Linux nut and am doing my part to support open source software and the Linux and Ubuntu communities by getting the word out with each email I send, I encourage you to do the same.
Homeroast mailing list
Homeroast: http://host.sweetmariascoffee.com/mailman/listinfo/homeroast_lists.sweetmariascoffee.com
Homeroast community pictures (upload yours!): http://www.sweetmariascoffee.com/gallery/main.php?g2_itemId=7820

2) From: Christopher Navarro
Another issue is passwords that can be easily guessed so you might want to
use a password manager such as http://keepass.info/ for Windows or http://www.keepassx.org/ for other desktop platforms; both are free.
You can read more, also at Lifehacker, here: http://lifehacker.com/5042616/five-best-password-managers
You can use password managers to generate difficult-to-guess passwords and
store hard-to-guess password security questions, as suggested by Ryan.
-Chris
On Tue, Mar 23, 2010 at 10:00 AM, Ryan M. Ward 

3) From: Allon Stern
On Mar 23, 2010, at 11:35 AM, Christopher Navarro wrote:
<Snip>
I really like Password Wallet. I've been using it for many years - I have unique completely random passwords for just about every site. I use primarily the Macintosh version.
http://www.selznick.com/products/passwordwallet/index.htm
And as for password security questions, hard to guess is not unguessable. I usually make 'em gibberish. Most security questions are much weaker than my passwords.
-
allon

4) From: Christopher Navarro
As for completely random passwords, that's not possible either.  Nor is
gibberish impossible to guess.  :)   Security by obscurity just doesn't
work, no matter how obscure.
-Chris
On Tue, Mar 23, 2010 at 11:49 AM, Allon Stern  wrote:
<Snip>

5) From: Joseph Robertson
Allon,
I used to use Roboform but have since changed to
https://lastpass.com/
Very nice, my fav.
Joe
On Tue, Mar 23, 2010 at 9:49 AM, Allon Stern  wrote:
<Snip>
-- 
Ambassador for Specialty Coffee and palate reform.

6) From: David Martin
True to a certain extent, but not entirely. Passwords based on
dictionary words are significantly more likely to be cracked,
especially in this case, where the attackers are spammers who don't
care which account they break into.
-Dave
On Tue, Mar 23, 2010 at 11:34 AM, Christopher Navarro
 wrote:
<Snip>

7) From: Joseph Robertson
Christopher,
What kind of encryption do you feel is adequate for a password? 164bit?
military grade?
Joe
On Tue, Mar 23, 2010 at 11:34 AM, Christopher Navarro
wrote:
<Snip>
-- 
Ambassador for Specialty Coffee and palate reform.

8) From: Joseph Robertson
Christopher,
What kind of encryption do you feel is adequate for a password? 164bit?
military grade?
I'm resending this because I misspelled a couple of words and I hate it when
I send a message with misspelled words when spell check is right in front of
me.
Joe
-- 
Ambassador for Specialty Coffee and palate reform.
On Tue, Mar 23, 2010 at 11:34 AM, Christopher Navarro
wrote:
<Snip>
-- 
Ambassador for Specialty Coffee and palate reform.

9) From: Jim Carter
The ideas discussed in this thread are sound. You CAN do things to
improve the security of your passwords. Password length (longer is
better), mixed case throughout, combination of numbers and letters, etc.
Match the complexity to the importance of avoiding a security breach.
I do computer forensics. We have password crackers for getting into
password-protected files. I've got one running right now on a Microsoft
Excel 2007 file. Because Microsoft Office uses 128-bit AES encryption this
is a brute-force attack. It will try billions of passwords. This may take
weeks, but we'll likely bust through.
The point of my example is this: A true brute-force attack of a long
password comprised of a random mix of characters (upper and lower case) and
numbers could literally take years on a machine (or machines) with lots of
horsepower and hardware accelerators. However, we can considerably shorten
the duration if we can make some reasonable guesses at patterns the user
may have followed.
I guess it comes down to a question of whether or not the juice is worth
the squeeze. How hard will somebody try to guess/crack your password? How
much effort are you willing to expend to thwart their efforts?
- Jim
On Tue, 23 Mar 2010 14:34:43 -0400, Christopher Navarro  
 wrote:
<Snip>
-- 
James B. Carter
Amber Systems, Incorporated
248-652-3140

10) From: Joseph Robertson
Jim,
Very nice to hear from a pro whose job it is to manage security on systems.
As to how much work am I willing to spend on thwarting efforts? I have been
the victim of ID theft more than once. As you probably know there are free
and very inexpensive password tools out there to generate and auto fill for
you so not really much effort for personal system security.
I am curious I just generated this password "H&vhAtL27^5E$x%XUt#cYC!"
How long would it take your best team with the best tools out there to crack
this 168 bit password?
Joe
On Tue, Mar 23, 2010 at 12:16 PM, Jim Carter wrote:
<Snip>
-- 
Ambassador for Specialty Coffee and palate reform.

11) From: Jim Carter
Joe,
As this is a homeroast list, I don't know the appetite of list members for
a deep dive on the topic of password security. So I'll take a quick stab
at your question and offer to continue this discussion with you offlist.
Password security is not just about the string of characters that you call
a password. It is also about the encryption methodology used for that
password. To illustrate, consider Microsoft Word. Versions prior to Word
2007 (i.e. Word 2003 and earlier) have password encryption that is
relatively easy to crack. We're talking minutes, hours, or in the worst case,
maybe days. With Microsoft Office 2007, one change they made was to
implement an industrial-strength AES encryption algorithm. This is 128-bit
encryption that makes password testing very slow (e.g. <100 passwords per
second on an average PC). This makes the task of password cracking much
more onerous. Brute force methods can take years to bust a password like
the one you generated.
Perhaps we should discuss it further offlist. If you are interested, drop
me a direct email. The email address I use here is for another technology
company I own. I do the computer forensics through a newer one that I
established a couple of years ago.
- Jim
On Tue, 23 Mar 2010 16:02:05 -0400, Joseph Robertson  
 wrote:
<Snip>
-- 
James B. Carter
Amber Systems, Incorporated
248-652-3140
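To put numbers on the exchange above (Joe's question about how long his 23-character generated password would take to crack, Jim's brute-force figures, and the earlier point that dictionary-word passwords fall far faster), here is an added example that is not part of the thread. It computes a password's search space under two attacker models and the expected time to exhaust it at a given guess rate. Of the inputs, only the generated password and the ~100 guesses per second for Office 2007 files come from the thread; the other guess rate, the 100,000-word dictionary size and the example word are assumptions.

```python
import math
import string

# Added example, not code from the thread. Two models of a password's search space:
#   1. charset model: the attacker tries every string over the character classes
#      the password uses (what a true brute-force attack does);
#   2. dictionary model: the attacker tries entries from a word list, which is
#      the realistic case for passwords like "corvette" or "ilovelucy".
# The ~100 guesses/s figure for Office 2007 AES files is from the thread; the
# faster rate and the dictionary size below are assumptions for illustration.

SECONDS_PER_YEAR = 365.25 * 24 * 3600

CHARACTER_CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digits": string.digits,           # 10
    "symbols": string.punctuation,     # 32
}


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must assume, given the classes present."""
    size = 0
    for alphabet in CHARACTER_CLASSES.values():
        if any(ch in alphabet for ch in password):
            size += len(alphabet)
    if size == 0:
        raise ValueError("password contains no printable ASCII characters")
    return size


def charset_entropy_bits(password: str) -> float:
    """Bits of search space under the brute-force (charset) model."""
    return len(password) * math.log2(charset_size(password))


def dictionary_entropy_bits(words: int, dictionary_size: int) -> float:
    """Bits of search space for `words` entries drawn from a `dictionary_size` list."""
    return words * math.log2(dictionary_size)


def expected_years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the space is searched."""
    return (2.0 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    generated = "H&vhAtL27^5E$x%XUt#cYC!"   # the generated password quoted in the thread
    word = "corvette"                        # one of the weak examples named in the thread

    print(f"{generated!r}: {charset_size(generated)}-symbol alphabet, "
          f"{charset_entropy_bits(generated):.1f} bits")
    # The naive charset estimate for a lowercase word looks respectable ...
    print(f"{word!r}: charset model {charset_entropy_bits(word):.1f} bits")
    # ... but it is one entry in a ~100,000-word list, so the real space is tiny.
    print(f"{word!r}: dictionary model {dictionary_entropy_bits(1, 100_000):.1f} bits")

    for label, rate in [("Office 2007 AES file, one PC", 100),
                        ("fast offline hash, GPU rig (assumed)", 1e10)]:
        print(f"{label}: {rate:g} guesses/s")
        print(f"  generated password: "
              f"{expected_years_to_crack(charset_entropy_bits(generated), rate):.3g} years")
        print(f"  dictionary word:    "
              f"{expected_years_to_crack(dictionary_entropy_bits(1, 100_000), rate):.3g} years")
```

The charset model is the ceiling an attacker faces only when nothing about the password's construction is known; as Jim says, any guessable pattern (a word, a date, a keyboard walk) collapses the space toward the dictionary model, which is why the per-second rate of the encryption scheme matters far less for "corvette" than for a generated string.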

12) From: Steven Van Dyke
It's also pretty easy to come up with a very secure password that's 
easy to remember.
For example, if you wanted a very secure password for the Sweet 
Maria's Coffee Mailing list you could use:
42BeAVSPword4TSMCML
At 03:02 PM 3/23/2010, you wrote:
<Snip>

13) From: Ira
At 12:06 PM 3/23/2010, you wrote:
<Snip>
It's not encryption that's the problem, it's passwords like "qwerty", 
"ilovelucy", "george", "corvette" or "harley" that are the problem. 
Passwords like "jkk_^shdai5k" won't get guessed because it's not 
worth the effort. If you run the right 200 passwords against the set 
of gmail users you probably get a few thousand hits. Even small 
things like adding an extra character. sistermary is ever so much 
more likely to get cracked than sister,mary. People are lazy about 
passwords and backups until they get bit in the rear.
Ira

14) From: Joseph Robertson
Thanks Jim,
It's tempting to get way too far off homeroasting, so I will do my best to
keep these kinds of side tracks off list.
Best regards,
Joe
On Tue, Mar 23, 2010 at 2:37 PM, Jim Carter wrote:
<Snip>
-- 
Ambassador for Specialty Coffee and palate reform.

15) From: sci
Jim,
I've been using a convention like you mentioned for many years. You get a
different password for each site, but it is easy to remember. Of course
brute force cracking can crack it, but you only need a password that is
harder to crack than most people. It is like hunting. If a lion chases you,
you don't have to outrun the lion, just outrun your fellow hunters.
I'm holding out for Quantum Cryptology. No, it's not sci-fi, but is the holy
grail of cryptology that is unbreakable due to the Heisenberg principle of
uncertainty.
Ivan
+++++++++++++++++++++++++++++++++++++++++++++
Date: Tue, 23 Mar 2010 18:54:39 -0300
From: "Jim Carter" 
Subject: Re: [Homeroast] Email security ideas
Here's something else to consider that might be a good balance between
effective and easy-to-use.
Consider developing your own personal formula for a password. You could
fashion a password to use for websites as follows: a string of
alphanumerics + some portion of the domain name + another string of
alphanumerics. e.g. "1ststringsw2ndstrinG" for sweetmarias.com. Create a
different formula for other types of passwords.
This is better than using the same password, or a handful of them, for
everything. Get creative with your formula. Change case. Insert numbers.
Now, instead of somebody guessing your dog's name, or anniversary date,
they would have to guess your formula. Of course, the risk is that you are
establishing some sort of pattern. But, make it weird enough and it will
be effective for most things.
Back to my "juice being worth the squeeze" comment. Adjust the complexity
of your password scheme to the importance of the data you're protecting.
No need to shoot a fly with a cannon.
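As an added illustration of the formula approach quoted above (not code from the thread or from Jim), the block below implements a prefix + domain fragment + suffix scheme and then plays the attacker: given one leaked password, it reconstructs every formula consistent with that leak and predicts the password for a second site, which is the pattern risk the message itself points out. The specific prefix, suffix and "first two letters of the domain" rule are assumptions chosen to reproduce the quoted "1ststringsw2ndstrinG" example, the leaked-site scenario is constructed, and the HMAC-based alternative at the end is a practitioner's suggestion rather than something proposed in the thread.

```python
from __future__ import annotations

import base64
import hashlib
import hmac

# Added example, not from the thread. It implements the "personal formula"
# described above (fixed string + part of the domain + fixed string) and then
# shows why it "establishes some sort of pattern": one leaked password is
# enough to reconstruct the formula and predict passwords for other sites.
# Prefix/suffix values and the two-letter domain rule are assumptions matching
# the quoted example; the domain handling is deliberately simple.


def formula_password(domain: str, prefix: str, suffix: str, take: int = 2) -> str:
    """Formula from the thread: prefix + first `take` letters of the site name + suffix."""
    label = domain.lower().split(".")[0]   # "sweetmarias.com" -> "sweetmarias" (assumed rule)
    return f"{prefix}{label[:take]}{suffix}"


def infer_formulas(leaked_domain: str, leaked_password: str) -> list[tuple[str, str, int]]:
    """Attacker side: every (prefix, suffix, take) consistent with one leaked pair.

    The attacker assumes the fixed-string / domain-fragment / fixed-string shape
    and slides increasingly long fragments of the site name over the leaked
    password; each match splits the password into a candidate prefix and suffix.
    """
    label = leaked_domain.lower().split(".")[0]
    candidates: list[tuple[str, str, int]] = []
    for take in range(1, len(label) + 1):
        fragment = label[:take]
        start = 0
        while (pos := leaked_password.find(fragment, start)) != -1:
            candidates.append((leaked_password[:pos], leaked_password[pos + take:], take))
            start = pos + 1
    return candidates


def predict_passwords(target_domain: str, candidates) -> set[str]:
    """Passwords the attacker would try on `target_domain`, one per candidate formula."""
    return {formula_password(target_domain, p, s, t) for p, s, t in candidates}


def keyed_password(master_secret: bytes, domain: str, length: int = 20) -> str:
    """Alternative not raised in the thread: derive the site password with HMAC.

    The domain is still the only per-site input, but it is mixed with a secret
    key, so a leaked password no longer exposes a visible prefix/fragment/suffix
    structure that carries over to other sites.
    """
    digest = hmac.new(master_secret, domain.lower().encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


if __name__ == "__main__":
    # Constructed scenario: the user's real formula ...
    PREFIX, SUFFIX = "1ststring", "2ndstrinG"
    leaked = formula_password("sweetmarias.com", PREFIX, SUFFIX)
    print("sweetmarias.com ->", leaked)

    # ... leaks from one site. The attacker reconstructs candidate formulas and
    # gets a handful of guesses for a second site, one of which is right.
    guesses = predict_passwords("lifehacker.com", infer_formulas("sweetmarias.com", leaked))
    real = formula_password("lifehacker.com", PREFIX, SUFFIX)
    print("guesses for lifehacker.com:", sorted(guesses))
    print("real password among them:", real in guesses)

    # The keyed derivation gives unrelated-looking passwords per site.
    secret = b"example master secret, stored in a password manager"   # constructed
    print("keyed sweetmarias.com ->", keyed_password(secret, "sweetmarias.com"))
    print("keyed lifehacker.com  ->", keyed_password(secret, "lifehacker.com"))
```

With the two-letter rule, the leak yields five candidate formulas, so the attacker needs at most five tries on the second site. That is the practical meaning of "make it weird enough": the formula only helps while nobody has seen any of its outputs, and site breaches that dump passwords in the clear are exactly how one output gets seen.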

16) From: Allon Stern
On Mar 24, 2010, at 11:10 PM, sci wrote:
<Snip>
Quantum crypto is only good for point to point privacy, and detection of man-in-the-middle. That's about it.
Its best use is for establishing a secure connection that is then maintained by other means.
-
allon

17) From: Rich
The g-mail passwords are not being hacked.  This CNN story will shed a 
bit of light on the source of the leak.  Keep in mind that smart people 
tried to convince our government that back doors were fraught with 
problems. This will be the big one in the future.
http://www.cnn.com/2010/OPINION/01/23/schneier.google.hacking/index.html
Allon Stern wrote:
<Snip>
