Improve Porteus security
- francois
- Contributor
- Posts: 6335
- Joined: 28 Dec 2010, 14:25
- Distribution: xfce plank porteus nemesis
- Location: Spring, spring, spring... ... winter is running out of breath.
Re: Improve Porteus security
The best thing to do, would be for you to read about it in the above thread under the subtitle Generating passwords manually:
https://help.ubuntu.com/community/Stron ... ling%20APG
A tentative synthesis is:
. generate a general password with a simple sentence that you write without spaces: she is so pretty becomes sheissopretty
. replace some letters with numbers, capital letters or symbols: sh3!sS0pr3tty
. use prefixes or suffixes for your different accounts: bank (b4Nk), chrome (chr0M3)
. put the prefix together with the general password with the use of a specific character: b4Nk$sh3!sS0pr3tty and chr0M3$sh3!sS0pr3tty, respectively
. as the author writes:
... keep your passwords written somewhere private. It can take weeks or months to remember a strong password...
Personally, I do not know how many characters are needed for a strong password. The author says that you need at least 15 characters.
This seems quite a job!
I wonder how many of us have this as a custom practice. I imagine that it depends on what you want to protect.
Take your time, enjoy the time that passes.
-
- Full of knowledge
- Posts: 2006
- Joined: 17 Jun 2013, 13:17
- Distribution: Porteus 3.2.2 XFCE 32bit
- Location: Germany
Re: Improve Porteus security
A simple way to create a password:
In CLI do
date | md5sum | head -c16;echo
maybe better:
< /dev/urandom tr -dc '0-9a-zA-Z!§#+&' | head -c16;echo
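An added example, not part of the post above: the two generators side by side, with an upper bound on the entropy each can carry. The function names are made up for this example, and the alphabet leaves out '§' because GNU tr works on bytes and would split that multi-byte character.

```shell
#!/bin/sh
# Added example with constructed inputs; function names are hypothetical.

# Password from the kernel CSPRNG. LC_ALL=C makes tr filter byte by byte, and
# the alphabet is ASCII only: GNU tr is not multi-byte aware, so a symbol such
# as '§' (two bytes in UTF-8) could leave stray half-characters in the output.
gen_password() {
    len=${1:-16}
    LC_ALL=C tr -dc 'A-Za-z0-9!#+&' < /dev/urandom | head -c "$len"
}

# Same pipeline as `date | md5sum | head -c16`, with the clock reading passed
# in as an argument: the result is a pure function of that string, so its
# strength is limited by how well the time of creation can be narrowed down.
date_password() {
    printf '%s\n' "$1" | md5sum | head -c16
}

# Upper bound on entropy in bits for $1 independent picks from $2 values.
entropy_bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%.1f", n * log(k) / log(2) }'
}

demo() {
    echo "urandom, 16 of 66 symbols : $(entropy_bits 16 66) bits  e.g. $(gen_password 16)"
    echo "16 hex chars, best case   : $(entropy_bits 16 16) bits"
    echo "clock second within a day : $(entropy_bits 1 86400) bits  e.g. $(date_password "$(date)")"
}

demo
```

The last figure is the one that matters for the date-based command: the MD5 step changes how the value looks, not how many different values there can be.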
- brokenman
- Site Admin
- Posts: 6104
- Joined: 27 Dec 2010, 03:50
- Distribution: Porteus v4 all desktops
- Location: Brazil
- Contact:
Re: Improve Porteus security
Substituting letters for numbers or vice versa (sh3!sS0pr3tty) in hacker speak is not going to help you much anymore. This example would take around 4 hours to break.
"A good password should be hard to guess and easy to remember."
Dan Wheeler - dropbox tech forums
#!horsehoreth <----- centuries to break.
https://www.elca.ch/en/password-strengt ... nd-reality
test a pass at this address: https://dl.dropboxusercontent.com/u/209 ... index.html
How do i become super user?
Wear your underpants on the outside and put on a cape.
- francois
- Contributor
- Posts: 6335
- Joined: 28 Dec 2010, 14:25
- Distribution: xfce plank porteus nemesis
- Location: Spring, spring, spring... ... winter is running out of breath.
Re: Improve Porteus security
The moral of this story is that you have to generate passwords in more than one language, and better if one of these is not English, and that you use symbols not repeatedly:
elle est si belle (in French) = she is so pretty = sh3!sS0pr3tty (bad password) => 3lleest4s!pretty (strong one: French, English, no repetitive symbols)
testing pass at this address: https://dl.dropboxusercontent.com/u/209 ... index.html
The cracking time moves up to centuries.
Or am I wrong?
Re: Improve Porteus security
Hi, in the history of live file systems, everyone can read the files of a USB key, with a strong password or not; only an encrypted file system can be strong enough against a bad user.
-
- Black ninja
- Posts: 60
- Joined: 18 Aug 2013, 10:23
- Distribution: Based on Debian and Slackware
- Location: Italy
Re: Improve Porteus security
The problem is that I can't store the password in clear text to protect the bootloader. It needs to be encrypted...
https://www.dropbox.com/s/6j5bbfsmxmjv3 ... x.png?dl=0
Can you see the difference between a password created with md5sum and md5pass? It's different. In fact, if I put the password created with md5sum in syslinux and type its equivalent in the password field at boot up, it won't work...
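An added example, not part of the post above, showing why the two outputs differ in form: md5sum prints a bare hex digest, while an MD5-crypt string carries a `$1$` marker and a salt. It assumes md5pass emits that `$1$` format and uses `openssl passwd -1` as a stand-in; the password, the salts and the function names are constructed.

```shell
#!/bin/sh
# Added example; the password and salts below are constructed values.

# What md5sum gives: one unsalted MD5 pass, printed as 32 hex characters.
plain_md5() {
    printf '%s' "$1" | md5sum | cut -d' ' -f1
}

# MD5-crypt: salted and iterated, printed as $1$<salt>$<22 characters>.
# openssl is used here as a stand-in for md5pass (assumption: md5pass emits
# this same $1$ format). A password given on the command line is visible in
# the process list, so only do this with a throwaway value.
md5_crypt() {
    openssl passwd -1 -salt "$2" "$1"
}

# Tell the two formats apart, e.g. before pasting a value into a boot config.
hash_kind() {
    if printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'; then
        echo md5-hex
    elif printf '%s' "$1" | grep -Eq '^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$'; then
        echo md5-crypt
    else
        echo unknown
    fi
}

demo() {
    pw='example-pass'
    for value in "$(plain_md5 "$pw")" "$(md5_crypt "$pw" Ab3dEf9h)" "$(md5_crypt "$pw" Zx8cVb2n)"; do
        printf '%-10s %s\n' "$(hash_kind "$value")" "$value"
    done
}

demo
```

The same password yields a different MD5-crypt string for each salt, so the stored value has to be produced by the tool whose format the verifier expects; a digest from a different tool will not match.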
- francois
- Contributor
- Posts: 6335
- Joined: 28 Dec 2010, 14:25
- Distribution: xfce plank porteus nemesis
- Location: Spring, spring, spring... ... winter is running out of breath.
Re: Improve Porteus security
beny wrote: Hi, in the history of live file systems, everyone can read the files of a USB key, with a strong password or not; only an encrypted file system can be strong enough against a bad user.
So a Porteus HDD install is vulnerable!!
Re: Improve Porteus security
Hi francois, if you have hardware that allows you to block the USB ports, yes, it is a better choice for security; the live CD can do the same too, so the BIOS password that does not allow changing the boot devices. Well, this is a paranoid word. A backup of the sensitive data files on other media. BTW, this is only for a real user that can take action on your devices; the net.......
- francois
- Contributor
- Posts: 6335
- Joined: 28 Dec 2010, 14:25
- Distribution: xfce plank porteus nemesis
- Location: Spring, spring, spring... ... winter is running out of breath.
Re: Improve Porteus security
The manual approach (adapted, cited and tested experimentally) does not seem too good:
https://help.ubuntu.com/community/Stron ... ling%20APG
A. This does not seem a very good option according to the following results:
1) choose a phrase which you can easily remember, but is at least 8 words long... ... For this example, we'll choose "To be or not to be, that is the question".
2) ... convert your phrase to a single word. Exactly how you do so is not important, as long as you remember how you did it! We'll take the first letter of each word, which gives us "tbontbtitq"...
3) then get numbers or symbol but do not repeat them. The end result is "tb0^l7Bt!Tq"
Trying this password in the password tester:
https://dl.dropboxusercontent.com/u/209 ... index.html
password: tb0^l7Bt!Tq
guesses_log10: 11
score: 4 / 4
function runtime (ms): 4
guess times:
100 / hour: centuries (throttled online attack)
10 / second: 31 years (unthrottled online attack)
10k / second: 4 months (offline attack, slow hash, many cores)
10B / second: 10 seconds (offline attack, fast hash, many cores)
match sequence:
'tb0^l7Bt!Tq' pattern: bruteforce guesses_log10: 11
Very bad!
B. Simply a long password (but a long password is long to enter and maybe prone to errors) from a long sentence seems to be better:
tobeornottobethatisthequestion
password: tobeornottobethatisthequestion
guesses_log10: 22.69592
score: 4 / 4
function runtime (ms): 7
guess times:
100 / hour: centuries (throttled online attack)
10 / second: centuries (unthrottled online attack)
10k / second: centuries (offline attack, slow hash, many cores)
10B / second: centuries (offline attack, fast hash, many cores)
C. A 20-letter sentence in English "tobeornottobethatist" seems to do a very good job (computed hereafter) and you get as good results with French. So Swahili must be a very good language for passwords.
password: tobeornottobethatist
guesses_log10: 18.79518
score: 4 / 4
function runtime (ms): 5
guess times:
100 / hour: centuries (throttled online attack)
10 / second: centuries (unthrottled online attack)
10k / second: centuries (offline attack, slow hash, many cores)
10B / second: 19 years (offline attack, fast hash, many cores)
- francois
- Contributor
- Posts: 6335
- Joined: 28 Dec 2010, 14:25
- Distribution: xfce plank porteus nemesis
- Location: Spring, spring, spring... ... winter is running out of breath.
Re: Improve Porteus security
Every one of you should try your actual or similar passwords on the algorithm. You would be surprised by the results:
https://dl.dropboxusercontent.com/u/209 ... index.html
I feel naked.
Improve Porteus security
A local password for Porteus means nothing without encryption - so you may even leave it empty and encrypt only your data - in a container - or in other ways.
Porteus isn't a server and was never planned to be - it is a desktop - so security has to be managed as for a desktop appliance - that is a big difference.