On Sat, April 12, 2014 20:02, Gilles Schipper wrote:
> And should we be using your same random-generated secure password for ALL of
> our sites - or a separate one for each.
>
> If the latter, presumably we'd need much thicker wallets.
>

Well, personally I have just five or so separate passwords for use on public
websites.  For banks and financial institutions I use the same high-security
randomly generated password.  Except for one bank that only permits letters
and digits, go figure.

For other places like eBay and Paypal, I have a different high-security
password and a different login ID.  For Credit Card accounts another different
high-security password and user ID.  These five or so I keep on a single slip
of paper in my wallet and a copy in an envelope in my safe at home.

For places that I need to have account access security but I do not trust (a
certain high-profile online ebook and merchandise retailer for example) I use
disposable passwords.  When I want to log on I ask for a password reset,
generate a high-security password, change the account to that, log in, do my
work, log out and forget it.

For those sites that do not use https and yet require a user login, a most
appalling case of appearance before substance, I use a satirical password. 
For sites that use https but are simply BBs or web forums or use poor ciphers,
I use a slightly less satirical password that is somewhat more robust.

But this hodge-podge of logins and passwords is why I feel that X.509
certificates on electronic memories such as so-called 'smart cards' or 'flash'
memory cards is the only presently available technology to handle the need for
secure authentication.  You then keep your private keys and public
certificates on a physical device separate from any computer system and
connect them physically to any single device only long enough to establish
secure communication between that device and another.  Once the two endpoints
are connected then you physically remove the memory device containing the
keys.

All of your private keys on that device are themselves encrypted using one
randomly generated high security pass-phrase of at least 25 characters and you
keep that pass-phrase only in hard copy format so that it simply cannot be
snooped. Unless of course you let a key-logger get onto your personal digital
device, in which case nothing will work to protect you.

In our case I made the decision to employ a single login for all of our
services so that our employees only have to know one user ID and one password.
 Said user ID and password are provided by us and not picked by the user.
However, besides using a password provided by us they also all must connect to
our business systems via ssh through a single gateway sshd server. This
applies to LAN and WAN access so the technique used is identical whether
working on-site or remotely.

Out-of-band confirmation, so-called two-factor authentication, is another
technique presently in use to increase reliability of challenge-response
authentication.  The problem being that the meta-data that this provides to
any potential attackers is extremely valuable in itself.  It can be very
interesting to some people to know when you login to certain sites and where
you are located when you do so.

As I write this via an https webform I am connected to our internal webmail
service through our sshd gateway system located at our premises via an ssh
tunnel.  Once you receive this message then the message routing appears to
begin at our webmail host and nowhere else.  Wherever I was when I composed
the message appears in the ssh login records on our sshd server which is where
the httpd logs on the webmail host show as the point of origin for the webmail
https session.  This makes it really hard to determine my originating traffic
patterns without actually obtaining root access to at least two separate hosts
simultaneously.  It does not help with traffic analysis where the the endpoint
is concerned but it does obscure to some extent where I am located at any
given moment.

When I am searching for things on the web I now use the Tor Browser and either
DuckDuckGo or StartPage.  If you have a Google account, log on to it, go to
tools and look at the complete record of all the Google searches you
performed, by date, while logged onto your Google account. All of them. Since
2006.  Anything there that you would feel, shall we say awkward, explaining to
your parents, kids, wife or employer?  They sell that stuff.  Or they are
compelled to cough it up on demand to whenever the authority-du-jour asks for
it.

Communication security on the Internet is, in my opinion, never anything more
than a illusion.  Traffic analysis is far more revealing than the contents of
many messages.  The details of the contents of ten or so messages between you
and a collections agency will reveal little more of interest to a snooper than
the fact of those ten message do by their very existence.   How would you feel
if the existence of those messages were revealed to your spouse, your
neighbour, your employer, or colleagues, or potential clients, or insurance
company, or religious community, or social club?

What would you do if someone threatened to reveal the existence of such
messages to some sensitive third party unless you complied with some request? 
What if it was an AIDS clinic? A mental health provider? An LGBT support
group?  How much is your privacy worth to you then?  And recall that those
conducting such surveillance do not have to read your email, although they
most certainly are. All that they need know is that it was sent by you, the
approximate number of communications, and the nature of the parties it was
sent to or received from.

Unless you can hide the protocols and the routing as well as the message then
a determined adversary is going to find a weakness and penetrate your system. 
It is just a question of how long and what form it will take.  Some passwords
just make it a little more difficult than others.  Just like locks on your
house.  None of them will keep out a professional but some of them make the
amateurs go somewhere else.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:[log in to unmask]
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *