[Homeroast] Email security ideas

Joseph Robertson theotherjo at gmail.com
Tue Mar 23 17:32:32 CDT 2010


Thanks Jim,
It's tempting to get way too far off homeroasting. So I will do my best to
keep these kinds of side tracks off list.
Best regards,
Joe

On Tue, Mar 23, 2010 at 2:37 PM, Jim Carter <jcarter at ambersystems.com> wrote:

> Joe,
>
> As this is a homeroast list, I don't know the appetite of list members for
> a deep dive on the topic of password security. So I'll take a quick stab at
> your question and offer to continue this discussion with you offlist.
>
> Password security is not just about the string of characters that you call
> a password. It is also about the encryption methodology used for that
> password.  To illustrate, consider Microsoft Word. Versions prior to Word
> 2007 (i.e. Word 2003 and earlier) have password encryption that is relatively
> easy to crack. We're talking minutes, hours, or in worst case, maybe days.
> With Microsoft Office 2007, one change they made was to implement an
> industrial-strength AES encryption algorithm. This is 128-bit encryption
> that makes password testing very slow (e.g. <100 passwords per second on an
> average PC). This makes the task of password cracking much more onerous.
> Brute force methods can take years to bust a password like the one you
> generated.
>
> Perhaps we should discuss it further offlist. If you are interested, drop
> me a direct email. The email address I use here is for another technology
> company I own. I do the computer forensics through a newer one that I
> established a couple of years ago.
>
> - Jim
>
>
> On Tue, 23 Mar 2010 16:02:05 -0400, Joseph Robertson <theotherjo at gmail.com>
> wrote:
>
>> Jim,
>> Very nice to hear from a pro whose job it is to manage security on systems.
>> As to how much work am I willing to spend on thwarting efforts? I have been
>> the victim of ID theft more than once. As you probably know there are free
>> and very inexpensive password tools out there to generate and auto fill for
>> you so not really much effort for personal system security.
>> I am curious. I just generated this password "H&vhAtL27^5E$x at 5CL9
>> %XUt#cYC!"
>> How long would it take your best team with the best tools out there to crack
>> this 168 bit password?
>> Joe
>>
>>
>>
>> On Tue, Mar 23, 2010 at 12:16 PM, Jim Carter <jcarter at ambersystems.com> wrote:
>>
>>> The ideas discussed in this thread are sound.  You CAN do things to improve
>>> the security of your passwords. Password length (longer is better), mixed
>>> case throughout, combination of numbers and letters, etc. Match the
>>> complexity to the importance of avoiding a security breach.
>>>
>>> I do computer forensics. We have password crackers for getting into
>>> password-protected files. I've got one running right now on a Microsoft
>>> Excel 2007 file. Because Microsoft Office uses 128-bit AES encryption this
>>> is a brute-force attack. It will try billions of passwords. This may take
>>> weeks, but we'll likely bust through.
>>>
>>> The point of my example is this: A true brute-force attack of a long
>>> password comprised of a random mix of characters (upper and lower case) and
>>> numbers could literally take years on a machine (or machines) with lots of
>>> horsepower and hardware accelerators. However, we can considerably shorten
>>> the duration if we can make some reasonable guesses at patterns the user may
>>> have followed.
>>>
>>> I guess it comes down to a question of whether or not the juice is worth
>>> the squeeze. How hard will somebody try to guess/crack your password? How
>>> much effort are you willing to expend to thwart their efforts?
>>>
>>> - Jim
>>>
>>>
>>> On Tue, 23 Mar 2010 14:34:43 -0400, Christopher Navarro <
>>> cnavarro2 at gmail.com> wrote:
>>>
>>>> As for completely random passwords, that's not possible either.  Nor is
>>>> gibberish impossible to guess.  :)   Security by obscurity just doesn't
>>>> work, no matter how obscure.
>>>>
>>>> -Chris
>>>>
>>>> On Tue, Mar 23, 2010 at 11:49 AM, Allon Stern <allon at radioactive.org>
>>>> wrote:
>>>>
>>>>
>>>>> On Mar 23, 2010, at 11:35 AM, Christopher Navarro wrote:
>>>>>
>>>>> > Another issue is passwords that can be easily guessed so you might want to
>>>>> > use a password manager such as:  http://keepass.info/ for windows or
>>>>> > http://www.keepassx.org/ for other desktop platforms, both are free.
>>>>> >
>>>>> > You can read more, also at lifehacker, here:
>>>>> > http://lifehacker.com/5042616/five-best-password-managers
>>>>> >
>>>>> > You can use password managers to generate difficult to guess passwords and
>>>>> > store hard to guess password security questions, as suggested by Ryan.
>>>>>
>>>>> I really like Password Wallet. I've been using it for many years - I have
>>>>> unique completely random passwords for just about every site. I use
>>>>> primarily the Macintosh version.
>>>>> http://www.selznick.com/products/passwordwallet/index.htm
>>>>>
>>>>> And as for password security questions, hard to guess is not unguessable. I
>>>>> usually make 'em gibberish. Most security questions are much weaker than my
>>>>> passwords.
>>>>> -
>>>>> allon
>>>>> -
>>>>> allon
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> Homeroast mailing list
>>>>> Homeroast at host.sweetmariascoffee.com
>>>>>
>>>>>
>>>>>
>>>>> http://host.sweetmariascoffee.com/mailman/listinfo/homeroast_lists.sweetmariascoffee.com
>>>>> Homeroast community pictures -upload yours!) :
>>>>> http://www.sweetmariascoffee.com/gallery/main.php?g2_itemId=7820
>>>>>
>>>>
>>>>
>>>
>>> --
>>> James B. Carter
>>> Amber Systems, Incorporated
>>> 248-652-3140
>>>
>>>
>>>
>>>
>>
>>
>>
>
> --
> James B. Carter
> Amber Systems, Incorporated
> 248-652-3140
>
>



-- 
Ambassador for Specialty Coffee and palate reform.
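
Added example, not part of the original thread or any poster's code: the two points Jim makes above (the per-guess test rate sets the pace, and a guessed pattern shrinks the search) worked through in Python. The sample password `Roaster42`, the 100,000-word list size and the word-plus-digits pattern are constructed assumptions; the 100 guesses per second figure is the upper bound quoted in the thread for Office 2007.

```python
import math
import string

SECONDS_PER_DAY = 86_400
# Rate quoted in the thread for Office 2007 files: under 100 passwords per second.
OFFICE_2007_RATE = 100

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def alphabet_size(password):
    """Size of the character pool implied by the classes the password uses."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    # Characters outside the four classes (a space, say) each add one symbol.
    extra = {c for c in password if not any(c in cls for cls in CLASSES)}
    return pool + len(extra)

def random_keyspace(password):
    """Candidates an exhaustive search must cover if every character is random."""
    return alphabet_size(password) ** len(password)

def pattern_keyspace(wordlist_size, suffix_digits):
    """Candidates when the password is 'capitalised word + N digits'."""
    return wordlist_size * 10 ** suffix_digits

def days_to_exhaust(keyspace, guesses_per_second=OFFICE_2007_RATE):
    """Worst-case days to try every candidate; the average case is half this."""
    return keyspace / guesses_per_second / SECONDS_PER_DAY

def compare(password, wordlist_size, suffix_digits):
    """Return (bits if random, days if random, days if the pattern is guessed)."""
    brute = random_keyspace(password)
    patterned = pattern_keyspace(wordlist_size, suffix_digits)
    return (math.log2(brute), days_to_exhaust(brute), days_to_exhaust(patterned))

if __name__ == "__main__":
    # Constructed sample: looks mixed-case alphanumeric, but follows a
    # word-plus-two-digits pattern. The word list size is an assumption.
    bits, brute_days, pattern_days = compare("Roaster42", 100_000, 2)
    print(f"treated as random : {bits:.1f} bits, {brute_days:.3g} days")
    print(f"pattern guessed   : {pattern_days:.2f} days")
```

The same nine characters cost about 1.6 billion days to exhaust when treated as random and a little over one day once the pattern is assumed, which is why a generated password beats a memorable one of the same length.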

