![In The Real World
Public/Private Key Pair Encryption
Each Estonian citizen is
provided with a crypto
keypair instead of an
SSN.
The public key is printed
on their government ID.
"EST2011IDcard" by [1]. Licensed under Fair use via Wikipedia -
https://en.wikipedia.org/wiki/File:EST2011IDcard.png](https://image.slidesharecdn.com/jimsalter-2015-trends-passwords-in-the-internet-age-151102171642-lva1-app6892/85/Passwords-in-the-Internet-Age-Jim-Salter-18-320.jpg)
Passwords in the Internet Age - Jim Salter
- 1. Passwords In The Internet Age what, how, and why - a practical guide This presentation is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 3.0 Unported License. (C) 2015 jim@openoid.net Jim Salter Mercenary Sysadmin, Small Business Owner Today's slides can be found at: http://openoid.net/presentations/
- 2. Passwords are much, much older than the internet.
- 3. The password was originally only a layer of security!
- 4. … and there were severe consequences for attackers.
- 5. We use passwords very differently these days.
- 6. There's little or no penalty for trying to “game” the password.
- 7. There's not even much risk of exposure for the attacker.
- 8. The dialog we all dread
- 9. Let's talk about entropy.
- 10. Consider all the approaches
- 11. So let's get back to entropy. www.zdnet.com/article/25-gpus-devour-password -hashes-at-up-to-348-billion-per-second/ 3.65615844×10¹ possible four-word Diceware⁵ passphrases ~~ same entropy as 8 random chars using FULL typeable set Offline brute force (SHA1) succeeds in 16 hours Online brute force succeeds in 115,936 years … at 1,000 tries/sec!
- 12. There's no WAY I can remember so many different passwords! Diceware makes it easier than you'd think, but yes, you're going to need some backup. Browser-integrated password manager? NO. Oldschool little black book? OK, actually :) Offline, mobile-capable manager: YES! KeePass
- 13. But I LIKE my browser-integrated password manager! What happens when you don't have it available? What if the company goes out of business? What if a malicious site tricks it into divulging passwords? Keep it offline, keep it away from the web. KeePass
- 14. Securing your secure DB What if you forget your KeePass passphrase? Option 1: it's just one passphrase… so, you know, don't forget it. Option 2: paper backup, preferably in an extremely safe place Keep it offline, keep it away from the web. KeePass
- 15. Thinking in “rings” Ring 4: “one time” signups Ring 3: “hobby/social” sites / services Ring 2: “professional” sites/services Ring 1: “money” sites/services Ring 0: primary email account
- 16. Adding Extra Layers Two-factor authentication
- 17. Beyond Passwords Public/Private Key Pair Encryption Encrypt with public key Decrypt with private key Public key is PUBLIC! Private key is PRIVATE! Safely use same private key everywhere
- 18. In The Real World Public/Private Key Pair Encryption Each Estonian citizen is provided with a crypto keypair instead of an SSN. The public key is printed on their government ID. "EST2011IDcard" by [1]. Licensed under Fair use via Wikipedia - https://en.wikipedia.org/wiki/File:EST2011IDcard.png