[Homeroast] Email security ideas

Jim Carter jcarter at ambersystems.com
Tue Mar 23 16:37:23 CDT 2010


Joe,

As this is a homeroast list, I don't know the appetite of list members for  
a deep dive on the topic of password security. So I'll take a quick stab  
at your question and offer to continue this discussion with you offlist.

Password security is not just about the string of characters that you call  
a password. It is also about the encryption methodology used for that  
password.  To illustrate, consider Microsoft Word. Versions prior to Word
2007 (i.e. Word 2003 and earlier) have password encryption that is
relatively easy to crack. We're talking minutes, hours, or in worst case,  
maybe days.  With Microsoft Office 2007, one change they made was to  
implement an industrial-strength AES encryption algorithm. This is 128-bit  
encryption that makes password testing very slow (e.g. <100 passwords per  
second on an average PC). This makes the task of password cracking much  
more onerous. Brute force methods can take years to bust a password like  
the one you generated.

Perhaps we should discuss it further offlist. If you are interested, drop  
me a direct email. The email address I use here is for another technology  
company I own. I do the computer forensics through a newer one that I  
established a couple of years ago.

- Jim

On Tue, 23 Mar 2010 16:02:05 -0400, Joseph Robertson  
<theotherjo at gmail.com> wrote:

> Jim,
> Very nice to hear from a pro whose job it is to manage security on
> systems.
> As to how much work am I willing to spend on thwarting efforts? I have been
> the victim of ID theft more than once. As you probably know there are free
> and very inexpensive password tools out there to generate and auto fill for
> you so not really much effort for personal system security.
> I am curious I just generated this password
> "H&vhAtL27^5E$x at 5CL9%XUt#cYC!"
> How long would it take your best team with the best tools out there to crack
> this 168 bit password?
> Joe
>
>
>
> On Tue, Mar 23, 2010 at 12:16 PM, Jim Carter
> <jcarter at ambersystems.com> wrote:
>
>> The ideas discussed in this thread are sound.  You CAN do things to improve
>> the security of your passwords. Password length (longer is better), mixed
>> case throughout, combination of numbers and letters, etc. Match the
>> complexity to the importance of avoiding a security breach.
>>
>> I do computer forensics. We have password crackers for getting into
>> password-protected files. I've got one running right now on a Microsoft
>> Excel 2007 file. Because Microsoft Office uses 128-bit AES encryption this
>> is a brute-force attack. It will try billions of passwords. This may take
>> weeks, but we'll likely bust through.
>>
>> The point of my example is this: A true brute-force attack of a long
>> password comprised of a random mix of characters (upper and lower case) and
>> numbers could literally take years on a machine (or machines) with lots of
>> horsepower and hardware accelerators. However, we can considerably shorten
>> the duration if we can make some reasonable guesses at patterns the user may
>> have followed.
>>
>> I guess it comes down to a question of whether or not the juice is worth
>> the squeeze. How hard will somebody try to guess/crack your password? How
>> much effort are you willing to expend to thwart their efforts?
>>
>> - Jim
>>
>>
>> On Tue, 23 Mar 2010 14:34:43 -0400, Christopher Navarro
>> <cnavarro2 at gmail.com> wrote:
>>
>>> As for completely random passwords, that's not possible either.  Nor is
>>> gibberish impossible to guess.  :)   Security by obscurity just doesn't
>>> work, no matter how obscure.
>>>
>>> -Chris
>>>
>>> On Tue, Mar 23, 2010 at 11:49 AM, Allon Stern <allon at radioactive.org>
>>> wrote:
>>>
>>>
>>>> On Mar 23, 2010, at 11:35 AM, Christopher Navarro wrote:
>>>>
>>>> > Another issue is passwords that can be easily guessed so you might want
>>>> > to use a password manager such as:  http://keepass.info/ for windows or
>>>> > http://www.keepassx.org/ for other desktop platforms, both are free.
>>>> >
>>>> > You can read more, also at lifehacker, here:
>>>> > http://lifehacker.com/5042616/five-best-password-managers
>>>> >
>>>> > You can use password managers to generate difficult to guess passwords
>>>> > and store hard to guess password security questions, as suggested by
>>>> > Ryan.
>>>>
>>>> I really like Password Wallet. I've been using it for many years - I have
>>>> unique completely random passwords for just about every site. I use
>>>> primarily the Macintosh version.
>>>> http://www.selznick.com/products/passwordwallet/index.htm
>>>>
>>>> And as for password security questions, hard to guess is not unguessable.
>>>> I usually make 'em gibberish. Most security questions are much weaker than
>>>> my passwords.
>>>> -
>>>> allon
>>>>
>>>>
>>>> _______________________________________________
>>>> Homeroast mailing list
>>>> Homeroast at host.sweetmariascoffee.com
>>>>
>>>>
>>>> http://host.sweetmariascoffee.com/mailman/listinfo/homeroast_lists.sweetmariascoffee.com
>>>> Homeroast community pictures -upload yours!) :
>>>> http://www.sweetmariascoffee.com/gallery/main.php?g2_itemId=7820
>>>>
>>>
>>
>>
>> --
>> James B. Carter
>> Amber Systems, Incorporated
>> 248-652-3140
>>
>>
>>
>
>
>


-- 
James B. Carter
Amber Systems, Incorporated
248-652-3140
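The brute-force arithmetic the thread keeps returning to (a random password over a large alphabet, tested at under 100 guesses per second against an Office 2007 file, versus patterns that let a cracker skip most of the keyspace) can be worked through with a small estimator. The Python below is an added example, not code from the thread or from any tool the posters mention. The sample passwords and guess rates in it are constructed; the character-class model (lowercase, uppercase, digits and the 32 ASCII symbols, each class counted in full once any member appears) and the rule of thumb that an exhaustive search on average covers half the keyspace are assumptions of the example, not figures from the thread.

```python
import math
import string

# Character classes assumed by this example: once a password uses any member
# of a class, the attacker is assumed to have to search the whole class.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,   # the 32 printable ASCII symbols
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker must search for a random password."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    # Anything outside the four classes (e.g. a space) is counted on its own.
    extra = {c for c in password if not any(c in chars for chars in CLASSES.values())}
    return size + len(extra)


def keyspace(password: str) -> int:
    """Number of candidates of the same length over the same alphabet."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Strength of a truly random password of this shape, in bits."""
    return math.log2(keyspace(password))


def expected_seconds(password: str, guesses_per_second: float) -> float:
    """Mean time to find the password by exhaustive search at the given rate.

    Assumption (see lead-in): on average half the keyspace is tried before
    the right candidate comes up, so the mean is keyspace / 2 / rate.
    """
    return keyspace(password) / 2 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    units = [("years", 365.25 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size or name == "seconds":
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:,.1f} seconds"   # unreachable, keeps the return type explicit


def report(password: str, rates) -> dict:
    """Alphabet, bits and mean crack time at each guess rate for one password."""
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "bits": round(entropy_bits(password), 1),
        "time": {rate: human_duration(expected_seconds(password, rate)) for rate in rates},
    }


if __name__ == "__main__":
    # Constructed sample passwords (not the one posted in the thread) and two
    # constructed guess rates: ~100/s, in line with the thread's Office 2007
    # figure, and 1e9/s, the kind of rate a fast unsalted hash permits.
    samples = ["coffee", "Coffee2010", "K7#pQz!mW2rLc&"]
    rates = [100, 1_000_000_000]
    for pw in samples:
        print(pw, report(pw, rates))
```

The figures this prints are an upper bound that holds only for genuinely random passwords: as Jim's message says, once a cracker can assume a pattern (a dictionary word plus a year, say), the candidate set is the size of the wordlist times the digit choices rather than the full alphabet raised to the length, and the "years" column collapses accordingly. That is the case for letting a password manager generate the string rather than composing it by hand.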


