
Passwords, Backups and a false sense of security - eliaskg
http://blog.julieng.me/post/28699002154/passwords-backups-and-a-false-sense-of-security
======
peterwwillis
Generating hard passwords is actually kind of pointless.

Yes, a hard password means it's difficult to brute force the authentication or
crack a password hash you've stolen. But if you just use unique passwords for
each service you use, it multiplies the work required to crack all the
accounts.

The biggest risk to your accounts and your data is simply having everything in
one basket. The other biggest risk is saving passwords, but nobody wants to
memorize a bunch of difficult passwords. So it's actually easier to have a
whole bunch of kinda similar easy-to-remember passwords, so you don't have to
save them.

See, if you use Windows, chances are you've had some malware before. And if
you've had malware, everything you type, everything you've seen or stored,
including live browsing sessions, is controlled by somebody else. So it doesn't
really matter what your password is or how many you have if somebody's on your
PC extracting your password database.

But nobody wants to think about that. So they craft themselves a false sense
of security, using password generators and copying files to the ends of the
earth. Truth is, if someone wanted to, they could probably ruin your day. The
only safe backup is an offline backup, and the only safe password is one
that's never saved anywhere.

~~~
wrekkuh
Just to chime in: The only safe back-up is actually more than one physical
back-up, in more than one location.

~~~
larrys
"more than one physical back-up, in more than one location"

And to take that even one step further, one of the onsite versions that we do
is to a fireproof drive. (Other versions are physically offsite as you
mentioned).

Anyway, on the onsite version the fireproof drive is physically disconnected
(USB) from the computer after the backup is complete. (It could be powered off,
but that would spin it up and down; it seems less detrimental not to do
that.)

But it gets even better. There is also a hidden safe that contains hard drives
only (which are encrypted). The safe is left unlocked (it's not physically
attached and could be hauled away). In the unlocked safe, in addition to the
hard drives, is some money (cash). The theory being that if someone breaks in
and easily opens the safe (if they find it) they will take the money and leave
the drives alone.

(This dates back to the same practice with cash registers: you leave a little
money so the thief doesn't trash your place. I know this will raise questions
as far as having a tempting cash stash, but it is known by only a select group
of people, and there are pros and cons to any approach, obviously.)

~~~
peterwwillis
_(It could be powered off but that would spin up and spin down it seems less
detrimental to not do that..)_

Uh, actually, you want to do that. First of all, spinning down does not do
anything bad - it actually saves the life of the drive. Secondly, the whole
point of backup tape robots is to constantly re-check tapes to see if they're
readable, and report bad tapes to be replaced. You should really be turning
off the drive, turning it back on, and doing a full disk block check to see if
there's any corruption. Welcome to the nightmare that is backing up petabytes
of enterprise data.

_An unlocked safe?_ The whole point of a dummy safe is to make it seem like
the real safe, so you _keep it locked._ And there's no reason they wouldn't
take the extra two seconds to pick up some valuable intellectual property with
their cash. What kind of crack are you people smoking, and what is your
business so I can avoid it in the future?
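As an added illustration of the "check that the backup is still readable" point above (this is example code, not part of either poster's comment): a Python script that records a SHA-256 manifest of a backup tree at backup time and later re-hashes the copy, reporting files that are missing or no longer match their recorded digest. The sample tree, the flipped byte and the deleted file are all constructed inline so the script runs offline.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-256 in 1 MiB chunks (works for large backups)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative POSIX path -> sha256 hex digest for every regular file under root.
    Store the JSON of this alongside (or separately from) the backup itself."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(root, manifest):
    """Re-hash each manifest entry and classify it as ok, corrupted or missing."""
    root = Path(root)
    result = {"ok": [], "corrupted": [], "missing": []}
    for rel, expected in manifest.items():
        p = root / rel
        if not p.is_file():
            result["missing"].append(rel)
        elif sha256_file(p) != expected:
            result["corrupted"].append(rel)
        else:
            result["ok"].append(rel)
    return result


def demo():
    """Constructed sample: three files are backed up and a manifest is taken;
    afterwards one file suffers a single flipped bit and one file disappears."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "docs" / "notes.txt").write_bytes(b"quarterly notes\n")
        (root / "photo.jpg").write_bytes(bytes(range(256)))
        (root / "keys.db").write_bytes(b"encrypted blob")

        # What you would write to the offline copy at backup time.
        manifest_json = json.dumps(build_manifest(root), indent=2, sort_keys=True)

        # Simulate silent bit rot in one file and loss of another.
        data = bytearray((root / "photo.jpg").read_bytes())
        data[10] ^= 0x01
        (root / "photo.jpg").write_bytes(data)
        (root / "keys.db").unlink()

        return verify_manifest(root, json.loads(manifest_json))


if __name__ == "__main__":
    for status, files in demo().items():
        print(f"{status:>9}: {files}")
```

Running the check after powering the drive back on is the point: a copy that merely exists is not the same as a copy whose every block still hashes to what it did on the day it was written.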

~~~
larrys
"First of all, spinning down does not do anything bad - it actually saves the
life of the drive."

That's your opinion; I disagree. And it's not the spin down anyway. It's the
spin up. You've also got the cycle on the on/off switch, for that matter, as
well as the power surge. Trivial, but it's there. All in all, the solution is to
cut the cord. You also don't know if we are doing this procedure 1 time per
month or 7 times per hour. Do you? So you make an assumption on what you think
we are doing.

"Secondly, the whole point of backup tape robots is to constantly re-check
tapes to see if they're readable, and report bad tapes to be replaced."

What in the world are you talking about? We don't have "backup tape robots"; we
have hard drives that we back up our data to. You have no idea of how much
data we are talking about, nor do you know what the purpose of the backup is.
Thanks for your concern and assumptions.

"nightmare that is backing up petabytes of enterprise data"

You are solving a different problem than we are working on. We don't have
petabytes of data.

"And there's no reason they wouldn't take the extra two seconds to pick up
some valuable intellectual property with their cash."

Once again you are making assumptions as far as the thief we are protecting
against. You don't know where we are located and you don't know anything
about, once again, what we are protecting.

"What kind of crack are you people smoking, and what is your business so I can
avoid it in the future?"

Seriously, who writes stuff like that?

Your comment illustrates what happens when people try to learn something from
what they read online (as PG says, "don't believe what you read in online
forums"). I've illustrated what we do, which fits a particular purpose. You do
something else. Neither of us provides (either time- or space-wise) enough
detail for anyone to decide for themselves; it only gives information so they
can think further about this.

------
larrys
Instead of the program suggested in the OP, on the command line you can also
do this to generate random passwords:

perl -le'print map { (a..z,a..z,0..9,"\$","!","-")[rand 65] } 1..pop' 7

Note this particular one only generates 7 digits with no UC. You can alter it
to your taste or needs.

You can also wrap it in a shell script to generate a bunch in a row (in this
case 10), like this:

for i in {1..10}
do
perl -le'print map { (a..z,a..z,0..9,"\$","!","-")[rand 65] } 1..pop' 20
done

As an aside I don't like any web based site that generates passwords (nor do
you need that as just shown) since there is no way to know if the passwords
generated are being logged along with some identifying information.

~~~
DavidSJ
_rand() is not cryptographically secure. You should not rely on it in
security-sensitive situations._

<http://perldoc.perl.org/functions/rand.html>

~~~
rane
Can you give a practical example how this can become a problem if I use rand()
to generate a password to be used on a website?

~~~
barrkel
Many PRNGs only have 32 bits of state. If someone knows your settings
(alphabet chosen and length) the max number of passwords to check is 4
billion.
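An added example in Python (not from the thread or any of its posters) that puts numbers on the rand() objection and on barrkel's 32-bit point, using the 39 distinct symbols of larrys's alphabet: the nominal entropy of a password of a given length, the cap that a PRNG with 32 bits of state imposes regardless of length, and a generator that draws from the OS CSPRNG via the standard `secrets` module instead. The `seeded_password` helper is a constructed illustration only; it shows that output from a seeded non-cryptographic PRNG is a pure function of the seed, which is why the state size, not the password length, bounds the space an attacker has to search.

```python
import math
import random
import secrets

# Alphabet of the perl one-liner in the thread: a-z (listed twice), 0-9, "$", "!", "-".
# Listing a..z twice makes letters twice as likely as the other symbols, so we
# keep only the 39 distinct symbols and draw from them uniformly.
ALPHABET = sorted(set("abcdefghijklmnopqrstuvwxyz" + "0123456789" + "$!-"))


def generate_password(length, alphabet=ALPHABET):
    """Draw each character independently from the OS CSPRNG (secrets.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def nominal_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def effective_entropy_bits(length, alphabet_size, prng_state_bits):
    """A PRNG with N bits of state can emit at most 2**N distinct output streams,
    so however long the password, the search space is capped at N bits."""
    return min(nominal_entropy_bits(length, alphabet_size), prng_state_bits)


def seeded_password(seed, length, alphabet=ALPHABET):
    """Constructed illustration: the same seed always yields the same password,
    so enumerating seeds enumerates every password such a generator can produce."""
    rng = random.Random(seed)
    return "".join(rng.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    size = len(ALPHABET)
    for n in (8, 20):
        print(f"{n} chars from {size} symbols: "
              f"{nominal_entropy_bits(n, size):.1f} bits nominal, "
              f"{effective_entropy_bits(n, size, 32):.1f} bits with a 32-bit PRNG")
    print("CSPRNG password:", generate_password(20))
```

For 20 characters the nominal figure is about 105.7 bits, but with a 32-bit-state PRNG the effective figure is 32 bits, exactly barrkel's "4 billion" regardless of how long you make the output; `secrets` has no such cap because it reads fresh entropy from the operating system for every draw.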

------
Tichy
What about the password manager of Firefox? It seems to be better at
remembering passwords from signup, so the only missing ingredient seems to be
generating a random password upon signup.

~~~
rkudeshi
Last time I checked, Firefox saved passwords in plain text. Has that changed?

~~~
apawloski
Firefox is perfectly capable of encrypting the passwords you save -- you
simply have to set a master password for your keyring.

------
larrys
You might also want to try "Super Duper" which allows you to clone an entire
Mac disk very easily. You can then test the backup by booting from the disk.
It's also helpful when installing a new OS. Clone your existing disk, install
the new OS on the clone (or on the original knowing you have an exact clone if
anything goes wrong).

------
mapgrep
I'm a little disappointed by how this article and many of the comments here
ignore the specifics of what actually happened.

Yes "use different passwords" and "use a password manager" are good general
advice. But this blog post expressly uses a specific case - the Honan hack -
as a case study, without highlighting the one major lesson from that case.

The _actual problem_ most strongly highlighted by the Honan case is that _your
Gmail account is only as strong as the "backup email address" it is tied to_.
Honan's problem has nothing to do with using the same password -- he /had/
different passwords which you know if you read his post carefully. Problem is,
his iCloud email was his Gmail backup email, and Gmail apparently allows
arbitrary persons to instantly take over an account as long as they control
the backup email. No waiting period, no warning email to the Gmail account, no
SMS notification. Yes this can be fixed with two-factor auth (apparently) but
by default that is off and by default Google badgers you about setting up a
backup email address until you do so. By default Google does not badger you
about two-factor auth.

The other big issue highlighted by the Honan case is that _it is way too easy
for bad guys to wipe your Apple devices._ In retrospect, it really seems like
there should be more between having your laptop, phone, and tablet wiped than
a single password. At the very least, a security question, but ideally
something like a credit card number (compared against a stored hash),
confirmation SMS to a pre-registered backup phone (spouse's phone, friend's
phone, relative's phone, etc) or a confirmation robo-call to a work phone
number.

If you think about it, it's a little insane that you can protect your Gmail
with two-factor auth but you can't protect your laptop the same way.

Maybe a password manager would have encouraged Honan to use a stronger iCloud
password, and maybe a stronger iCloud password would have prevented this
attack, but that's not established because we don't know how the attack was
pulled off. It was a seven char alphanumeric password and the attacker
specifically told Honan it was not a brute force attack.

~~~
bigiain
"The other big issue highlighted by the Honan case is that it is way too easy
for bad guys to wipe your Apple devices. In retrospect, it really seems like
there should be more between having your laptop, phone, and tablet wiped than
a single password. At the very least, a security question, but ideally
something like a credit card number (compared against a stored hash),
confirmation SMS to a pre-registered backup phone (spouse's phone, friend's
phone, relative's phone, etc) or a confirmation robo-call to a work phone
number."

That depends a lot on what kind of threats you're trying to protect yourself
against. I suspect there's a lot of people for whom the correct response to a
misplaced phone/laptop is "remote wipe immediately - if it turns up in the
back seat of my car I'll just restore from backup - if it was left in a
plane/taxi/competitors-office/deacon I want everything on it wiped _right
now_!"

I bet if pg lost a laptop with emails/documents about current and prospective
YC deals or exits, he'd rather not have to wait till an office-hours robo-call
gave him a remote-wipe PIN.

It didn't work out for @mat, but I think "good backups and easy remote wipe"
is a better default than "making remote wipe harder just in case your backups
don't exist."

------
sdizdar
I don't think generating more complex passwords will completely solve the
problem.

The problem is using only one cloud service for your data.

Basically, don't put all your eggs in one basket. I always recommend
replicating all your data and files to another cloud service which has
different security characteristics. For example, if you use Google Docs and
Evernote, replicate everything to a separate Dropbox or Google Drive account
(using cloudHQ or some other system). Doing offline backup manually is also a
solution, but it is easier just to replicate everything to a separate Dropbox
account, and Dropbox will put everything on your PC - you can map that Dropbox
account to an external drive.

------
sxcurry
A second on Super Duper - I do this at least once a month to have a completely
cloned system on an external USB Drive. Equally important - take the USB drive
off site! I plan to buy a 1TB drive every six months so that I can take a
complete clone to my cabin, just in case of a disastrous fire at my house.
That's in addition to Time Machine, Dropbox, etc.

