Improve Porteus security

Talk here about security in general. Posting illegal software is prohibited. All material in this forum must be considered as "for educational purposes only".
francois
Contributor
Posts: 6433
Joined: 28 Dec 2010, 14:25
Distribution: xfce plank porteus nemesis
Location: Spring, spring, spring... ... winter is running out of breath.

Re: Improve Porteus security

Post#16 by francois » 08 Feb 2015, 14:30

The best thing to do would be for you to read about it in the thread above, under the subtitle Generating passwords manually:
https://help.ubuntu.com/community/Stron ... ling%20APG
A tentative synthesis is:
. generate a general password from a simple sentence that you write without spaces: she is so pretty becomes sheissopretty
. replace some letters with numbers, capital letters or symbols: sh3!sS0pr3tty
. use prefixes or suffixes for your different accounts: bank (b4Nk), chrome (chr0M3)
. join the prefix to the general password with a specific character: b4Nk$sh3!sS0pr3tty and chr0M3$sh3!sS0pr3tty, respectively
. as the author writes:
... keep your passwords written somewhere private. It can take weeks or months to remember a strong password...

Personally, I do not know how many characters are needed for a strong password. The author says that you need at least 15 characters.

This seems quite a job!

I wonder how many of us have this as a customary practice. I imagine that it depends on what you want to protect.
Take your time, enjoy the time that goes by.

donald
Full of knowledge
Posts: 2061
Joined: 17 Jun 2013, 13:17
Distribution: Porteus 3.2.2 XFCE 32bit
Location: Germany

Re: Improve Porteus security

Post#17 by donald » 08 Feb 2015, 14:52

A simple way to create a password:
In the CLI do
date | md5sum | head -c16;echo      # the only secret here is the second it was run; MD5 adds no entropy

maybe better:
< /dev/urandom tr -dc '0-9a-zA-Z!§#+&' | head -c16;echo      # note: GNU tr works on bytes, so the two-byte UTF-8 '§' is emitted as stray single bytes; keep the set ASCII
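The two one-liners above, as an added example that is not part of donald's post: a Python equivalent of the urandom generator with an entropy count, and a search that recovers a `date | md5sum | head -c16` password from the only secret it has, the second the command ran. The `date` output format (C locale, UTC clock, trailing newline) and the demo timestamp are assumptions made for the example.

```python
# Added example: the two generators compared; not code from the forum post.
import hashlib
import math
import secrets
import string
from datetime import datetime, timedelta

# ASCII-only symbol set, 66 characters. GNU tr works on bytes, so a multibyte
# character such as '§' in a tr set would be emitted as two stray bytes.
ALPHABET = string.digits + string.ascii_letters + "!#+&"


def entropy_bits(choices: int, length: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` symbols."""
    return length * math.log2(choices)


def random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """CSPRNG equivalent of `< /dev/urandom tr -dc SET | head -c LENGTH`."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


# --- The weak generator: date | md5sum | head -c16 --------------------------
# Assumed: `date` prints in the C locale on a UTC clock, e.g.
# "Sun Feb  8 14:52:00 UTC 2015\n"; md5sum hashes that line, newline included.
def date_line(t: datetime) -> bytes:
    return f"{t:%a %b} {t.day:2d} {t:%H:%M:%S} UTC {t.year}\n".encode()


def date_md5_password(t: datetime) -> str:
    """What `date | md5sum | head -c16` prints when the clock reads `t`."""
    return hashlib.md5(date_line(t)).hexdigest()[:16]


def recover_date_md5_password(target: str, start: datetime, window_seconds: int):
    """Enumerate the seconds in [start, start + window) until one reproduces
    `target`. Returns that datetime, or None if it lies outside the window.
    One MD5 per candidate: a whole year is ~3.2e7 hashes, under 25 bits."""
    for i in range(window_seconds):
        t = start + timedelta(seconds=i)
        if date_md5_password(t) == target:
            return t
    return None


# Constructed scenario for the demo: a password made at this (assumed) time.
DEMO_TIME = datetime(2015, 2, 8, 14, 52, 0)


def demo_recovery():
    """Recover DEMO_TIME from its 16-hex-char password, searching +/- 1 hour."""
    target = date_md5_password(DEMO_TIME)
    return recover_date_md5_password(target, DEMO_TIME - timedelta(hours=1), 7200)


if __name__ == "__main__":
    print(f"urandom, 16 of {len(ALPHABET)} symbols: {random_password(16)} "
          f"({entropy_bits(len(ALPHABET), 16):.1f} bits)")
    print(f"date|md5sum, creation year known: {math.log2(365 * 86400):.1f} bits")
    print("recovered:", demo_recovery())
```

The urandom version gives about 96.7 bits for 16 characters; the date version gives at most about 25 bits if the attacker knows the year, because hashing a predictable input does not add entropy, it only hides the input from a casual glance.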

brokenman
Site Admin
Posts: 6105
Joined: 27 Dec 2010, 03:50
Distribution: Porteus v4 all desktops
Location: Brazil

Re: Improve Porteus security

Post#18 by brokenman » 08 Feb 2015, 20:57

Substituting letters for numbers or vice versa (sh3!sS0pr3tty) in hacker speak is not going to help you much anymore. This example would take around 4 hours to break.

"A good password should be hard to guess and easy to remember."
Dan Wheeler - dropbox tech forums

#!horsehoreth <----- centuries to break.

https://www.elca.ch/en/password-strengt ... nd-reality

test a pass at this address: https://dl.dropboxusercontent.com/u/209 ... index.html
How do i become super user?
Wear your underpants on the outside and put on a cape.


Re: Improve Porteus security

Post#19 by francois » 11 Feb 2015, 00:36

The moral of this story is that you have to generate passwords in more than one language, better if one of these is not English, and that you use symbols without repeating them:
elle est si belle (in French) = she is so pretty = sh3!sS0pr3tty (bad password) => 3lleest4s!pretty (strong one: French and English, no repeated symbols)

testing the password at this address: https://dl.dropboxusercontent.com/u/209 ... index.html

The cracking time moves up to centuries. :)

Or am I wrong?

beny
Full of knowledge
Posts: 2083
Joined: 02 Jan 2011, 11:33
Location: italy

Re: Improve Porteus security

Post#20 by beny » 11 Feb 2015, 18:58

Hi, in the history of live file systems, everyone can read the files of a USB key, with a strong password or not; only an encrypted file system can be strong enough against a bad user.

Michele13
Black ninja
Posts: 60
Joined: 18 Aug 2013, 10:23
Distribution: Based on Debian and Slackware
Location: Italy

Re: Improve Porteus security

Post#21 by Michele13 » 14 Feb 2015, 10:43

The problem is that I can't store the password in clear text to protect the bootloader; it needs to be encrypted...

https://www.dropbox.com/s/6j5bbfsmxmjv3 ... x.png?dl=0

Can you see the difference between a password created with md5sum and md5pass? It's different. In fact, if I put the password created with md5sum in syslinux and type its equivalent in the password field at boot up, it won't work...
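On the md5sum versus md5pass difference, as an added example that is neither Michele13's code nor SYSLINUX's: a pure-Python md5crypt, the `$1$salt$hash` format that md5pass emits and that the SYSLINUX menu compares a typed MENU PASSWD against, with a verifier, beside the bare digest md5sum prints. The algorithm follows the md5crypt reference (FreeBSD's crypt-md5.c); the fixed test vector is the one in the PHP crypt() documentation; the `md5pass` function here is a re-implementation of what that helper does, and the demo password is constructed.

```python
# Added example, not Michele13's code and not SYSLINUX's: md5crypt ($1$) as
# md5pass produces it, beside the plain digest md5sum produces.
import hashlib
import secrets

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value: int, count: int) -> str:
    """crypt's base-64 variant: `count` 6-bit groups, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password: bytes, salt: bytes) -> str:
    """Poul-Henning Kamp's md5crypt, following FreeBSD's crypt-md5.c.
    `salt` may be given bare or as a full '$1$salt$...' string."""
    if salt.startswith(MAGIC):
        salt = salt[len(MAGIC):]
    salt = salt.split(b"$", 1)[0][:8]          # at most 8 chars, stops at '$'
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    n = len(password)
    while n > 0:                               # len(password) bytes of alt
        ctx.update(alt[:min(n, 16)])
        n -= 16
    n = len(password)
    while n:                                   # one byte per bit of the length
        ctx.update(b"\0" if n & 1 else password[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                      # stretching: 1000 more rounds
        c = hashlib.md5()
        c.update(password if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(password)
        c.update(final if i & 1 else password)
        final = c.digest()
    out = ""
    for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        out += _to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
    out += _to64(final[11], 2)
    return (MAGIC + salt + b"$").decode() + out


def md5pass(password: bytes) -> str:
    """What the md5pass helper does: random 8-char salt, then md5crypt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8)).encode()
    return md5crypt(password, salt)


def md5sum(data: bytes) -> str:
    """What `printf %s pw | md5sum` prints: an unsalted digest, no '$1$' framing."""
    return hashlib.md5(data).hexdigest()


def verify(password: bytes, stored: str) -> bool:
    """Check a candidate against a stored '$1$salt$hash' string (constant time)."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "1":
        return False                           # e.g. a bare md5sum digest
    return secrets.compare_digest(md5crypt(password, parts[2].encode()), stored)


if __name__ == "__main__":
    pw = b"rasmuslerdorf"                      # constructed demo password
    print("md5sum :", md5sum(pw))
    print("md5pass:", md5pass(pw))
    print("fixed salt:", md5crypt(pw, b"rasmusle"))
    print("verify :", verify(pw, md5pass(pw)), verify(b"wrong", md5pass(pw)))
```

The md5sum output is a 32-hex-character digest of exactly what was piped in (a trailing newline included, if `echo` was used without `-n`), with no salt and no `$1$` framing, so the menu code can never match it against a typed password. Newer SYSLINUX releases also accept SHA-256 and SHA-512 crypt strings (`$5$`, `$6$`); check the menu documentation of the version you run. The hash in syslinux.cfg protects only the menu: anyone holding the USB key can still read the cfg and every other file on it, which is beny's point about encryption.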


Re: Improve Porteus security

Post#22 by francois » 15 Feb 2015, 18:49

beny wrote: Hi, in the history of live file systems, everyone can read the files of a USB key, with a strong password or not; only an encrypted file system can be strong enough against a bad user.
So a Porteus HDD install is vulnerable!! :shock:


Re: Improve Porteus security

Post#23 by beny » 16 Feb 2015, 11:23

Hi francois, if you have hardware that allows you to block the USB ports, yes, it is a better choice for security; the live CD can do the same, as can a BIOS password that does not allow changing the boot devices. Well, this is a paranoid world: keep a backup of the sensitive data files on other media. BTW, this is only for real users who can act on your devices; the net.......


Re: Improve Porteus security

Post#24 by francois » 29 Jan 2016, 14:28

The manual approach (adapted, cited and tested experimentally) does not seem too good:
https://help.ubuntu.com/community/Stron ... ling%20APG
A. This does not seem a very good option according to the following results:
1) choose a phrase which you can easily remember, but is at least 8 words long... ... For this example, we'll choose "To be or not to be, that is the question".
2) ... convert your phrase to a single word. Exactly how you do so is not important, as long as you remember how you did it! We'll take the first letter of each word, which gives us "tbontbtitq"...
3) then add numbers or symbols, but do not repeat them. The end result is "tb0^l7Bt!Tq"

Trying this password in the password tester:
https://dl.dropboxusercontent.com/u/209 ... index.html
password: tb0^l7Bt!Tq
guesses_log10: 11
score: 4 / 4
function runtime (ms): 4
guess times:
100 / hour: centuries (throttled online attack)
10 / second: 31 years (unthrottled online attack)
10k / second: 4 months (offline attack, slow hash, many cores)
10B / second: 10 seconds (offline attack, fast hash, many cores)
match sequence:
'tb0^l7Bt!Tq' pattern: bruteforce guesses_log10: 11

Very bad!

B. Simply a long password (but a long password takes long to enter and may be prone to errors) from a long sentence seems to be better:
tobeornottobethatisthequestion

password: tobeornottobethatisthequestion
guesses_log10: 22.69592
score: 4 / 4
function runtime (ms): 7
guess times:
100 / hour: centuries (throttled online attack)
10 / second: centuries (unthrottled online attack)
10k / second: centuries (offline attack, slow hash, many cores)
10B / second: centuries (offline attack, fast hash, many cores)

C. A 20-letter sentence in English, "tobeornottobethatist", seems to do a very good job (computed hereafter) and you get as good results with French. So Swahili must be a very good language for passwords.

password: tobeornottobethatist
guesses_log10: 18.79518
score: 4 / 4
function runtime (ms): 5
guess times:
100 / hour: centuries (throttled online attack)
10 / second: centuries (unthrottled online attack)
10k / second: centuries (offline attack, slow hash, many cores)
10B / second: 19 years (offline attack, fast hash, many cores)
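The strength figures quoted in Posts #18 to #24 all come from the linked tester, which by its output fields (guesses_log10, match sequence) and the Dan Wheeler quote is the zxcvbn demo page. As an added example, not zxcvbn's code and not from any of the posts, here is a deliberately small estimator in the same spirit: it undoes leet substitutions, segments what is left into ranked dictionary words, charges at most a factor of two for each substituted or capitalised character, and takes the smaller of that and raw brute force. The word list, its ranks and the substitution table are constructed for the demo; a real estimator has tens of thousands of ranked words per language, and a French list feeds the same segmentation.

```python
# Added example: a toy estimator in the spirit of zxcvbn, not zxcvbn itself.
import math
import string

# Constructed word list: index + 1 is the word's rank (1 = most common).
# A real estimator uses lists of tens of thousands of ranked words.
WORDS = [
    "the", "be", "to", "of", "and", "a", "in", "that", "have", "i", "it",
    "for", "not", "on", "with", "he", "as", "you", "do", "at", "this", "but",
    "his", "by", "from", "they", "we", "say", "her", "she", "or", "an", "will",
    "my", "one", "all", "would", "there", "their", "what", "so", "up", "out",
    "if", "about", "who", "get", "which", "go", "me", "is", "are", "pretty",
    "question", "belle", "elle", "est", "si",
]
RANK = {w: i + 1 for i, w in enumerate(WORDS)}
MAXWORD = max(len(w) for w in WORDS)

# Common "hacker speak" substitutions, undone before dictionary lookup.
LEET = {"3": "e", "!": "i", "1": "i", "0": "o", "@": "a", "4": "a",
        "$": "s", "5": "s", "7": "t", "+": "t"}


def unleet(pw: str):
    """Lowercase and undo LEET; returns (plain text, number of substitutions)."""
    out, subs = [], 0
    for c in pw.lower():
        if c in LEET:
            out.append(LEET[c])
            subs += 1
        else:
            out.append(c)
    return "".join(out), subs


def segment(text: str):
    """Split text into dictionary words minimising the product of ranks.
    Returns (guesses, words) or None if the text is not fully covered."""
    best = [None] * (len(text) + 1)
    best[0] = (1, [])
    for i in range(1, len(text) + 1):
        for j in range(max(0, i - MAXWORD), i):
            w = text[j:i]
            if best[j] is not None and w in RANK:
                g = best[j][0] * RANK[w]
                if best[i] is None or g < best[i][0]:
                    best[i] = (g, best[j][1] + [w])
    return best[len(text)]


def charset_size(pw: str) -> int:
    """Alphabet a brute-force attacker must cover for this password."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return max(size, 1)


def estimate(pw: str) -> dict:
    """Guesses needed by an attacker who tries dictionary words with leet and
    case variants first and raw brute force otherwise (the smaller wins)."""
    bruteforce = charset_size(pw) ** len(pw)
    plain, subs = unleet(pw)
    seg = segment(plain)
    if seg is None:
        guesses, match = bruteforce, "bruteforce"
    else:
        upper = sum(c.isupper() for c in pw)
        # each substituted or upper-cased character at most doubles the work
        by_words = seg[0] * 2 ** subs * 2 ** upper
        guesses = min(bruteforce, by_words)
        match = "|".join(seg[1]) + f" x 2^{subs} leet x 2^{upper} case"
    return {"password": pw, "guesses": guesses,
            "log10": round(math.log10(guesses), 2),
            "bruteforce_log10": round(math.log10(bruteforce), 2),
            "match": match,
            "seconds_at_10B_per_s": guesses / 1e10}


if __name__ == "__main__":
    for pw in ("sheissopretty", "sh3!sS0pr3tty", "3lleest4s!pretty",
               "#!horsehoreth", "tobeornottobethatisthequestion"):
        r = estimate(pw)
        print(f"{pw:32} log10 {r['log10']:5} (brute force {r['bruteforce_log10']}) "
              f"{r['match']}")
```

Against this model the leet version sh3!sS0pr3tty costs an attacker about 32 times more than sheissopretty (four substitutions and one capital), around 1e8 guesses, nowhere near the 1e25 that brute force over 13 mixed characters suggests; the mixed-language 3lleest4s!pretty lands in the same range once the attacker's list has French in it. The numbers are a lower bound for an attacker who holds the word lists; zxcvbn also charges for how many pieces a password has and how they are ordered, which this toy does not, so its figures for the 30-character quote are far higher.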


Re: Improve Porteus security

Post#25 by francois » 29 Jan 2016, 14:58

Every one of you should try your actual or similar passwords on the algorithm. You would be surprised by the results:
https://dl.dropboxusercontent.com/u/209 ... index.html

I feel naked. :oops:

Falcony
Full of knowledge
Posts: 237
Joined: 01 Jan 2011, 12:44
Location: Russia

Improve Porteus security

Post#26 by Falcony » 18 Sep 2017, 08:20

A local password for Porteus means nothing without encryption, so you may even leave it empty and encrypt only your data, in a container or in other ways.
Porteus isn't a server and was never planned to be one; so, as a desktop, security has to be managed as for a desktop appliance, which is a big difference.
