"Honey Encryption" - LastPass mentioned


"Honey Encryption" - LastPass mentioned

Postby jonat » Wed Jan 29, 2014 3:37 pm

“Honey Encryption” Will Bamboozle Attackers with Fake Secrets

A new approach to encryption beats attackers by presenting them with fake data.

http://www.technologyreview.com/news/52 ... e-secrets/
jonat
 
Posts: 2198
Joined: Thu Dec 09, 2010 8:42 pm

Re: "Honey Encryption" - LastPass mentioned

Postby Lars » Wed Jan 29, 2014 5:09 pm

Interesting read indeed. Just curious what it would do to the size of your encrypted data, since it now has to be encrypted with a massive amount of keys, not to mention what it would do to the usability of such an implementation (I'm thinking speed).
http://www.technologyreview.com/news/523746/honey-encryption-will-bamboozle-attackers-with-fake-secrets/ Wrote: Password managers are a tasty target for criminals, says Juels. He believes that many people use an insecure master password to protect their collection. “The way they’re constructed discourages the use of a strong password because you’re constantly having to type it in—also on a mobile device in many cases.”

So they're attacking the way it's used (used incorrectly I might add), and not the system itself.
You should always use as strong a password as possible (I use no less than 24 characters, CAPS/lower/num8ers/$pec1alChar$).
Lars
 
Posts: 2577
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal
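Lars's question about ciphertext size and "a massive amount of keys" is worth checking against the construction itself. The toy below is an added example, not code from this thread, from LastPass, or from the researchers; it sketches the honey encryption idea with a hand-built model of the message space, a 16-bit seed and 10,000 PBKDF2 rounds, all of which are assumptions chosen for illustration (real schemes use far larger seeds and far better models). The names `MESSAGE_SPACE`, `dte_encode`, `honey_encrypt` and `guess_results` are this example's own.

```python
import hashlib
import os
import secrets
from typing import List, Tuple

# Constructed toy model of the message space: the kind of secret an attacker
# expects to find, with assumed relative frequencies. A real deployment needs
# a far better model; that model is the hard part of the scheme.
MESSAGE_SPACE = {
    "123456": 40,
    "password": 30,
    "letmein": 20,
    "correct horse battery staple": 10,
}

SEED_BYTES = 2                       # toy size; real schemes use much larger seeds
SEED_RANGE = 1 << (8 * SEED_BYTES)   # 65536 possible seeds
PBKDF2_ROUNDS = 10_000               # assumed round count for the toy


def _build_slices() -> List[Tuple[str, int, int]]:
    """Give every message a contiguous slice of the seed range proportional to
    its weight. This is the distribution-transforming encoder (DTE)."""
    total = sum(MESSAGE_SPACE.values())
    slices, start = [], 0
    items = list(MESSAGE_SPACE.items())
    for i, (msg, weight) in enumerate(items):
        # the last slice absorbs rounding so the whole range is covered
        end = SEED_RANGE if i == len(items) - 1 else start + weight * SEED_RANGE // total
        slices.append((msg, start, end))
        start = end
    return slices


_SLICES = _build_slices()


def dte_encode(message: str) -> int:
    """Pick a uniformly random seed from the message's slice."""
    for msg, start, end in _SLICES:
        if msg == message:
            return start + secrets.randbelow(end - start)
    raise ValueError("message is outside the modelled message space")


def dte_decode(seed: int) -> str:
    """Every seed decodes to some message, so decryption can never 'fail'."""
    for msg, start, end in _SLICES:
        if start <= seed < end:
            return msg
    raise ValueError("seed out of range")


def _pad(password: str, salt: bytes) -> int:
    """Derive a pad the size of the seed from the password with PBKDF2."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS, SEED_BYTES)
    return int.from_bytes(key, "big")


def honey_encrypt(password: str, message: str) -> Tuple[bytes, int]:
    """Ciphertext is just seed + pad (mod SEED_RANGE): one key, no decoy copies."""
    salt = os.urandom(16)
    seed = dte_encode(message)
    return salt, (seed + _pad(password, salt)) % SEED_RANGE


def honey_decrypt(password: str, salt: bytes, ciphertext: int) -> str:
    seed = (ciphertext - _pad(password, salt)) % SEED_RANGE
    return dte_decode(seed)


def guess_results(salt: bytes, ciphertext: int, guesses: List[str]) -> List[Tuple[str, str]]:
    """What an offline guesser sees: every guess yields a plausible secret,
    so there is no 'wrong password' signal to tell the real one apart."""
    return [(g, honey_decrypt(g, salt, ciphertext)) for g in guesses]


if __name__ == "__main__":
    salt, ct = honey_encrypt("hunter2", "letmein")
    print("ciphertext bytes:", SEED_BYTES, "-> correct:", honey_decrypt("hunter2", salt, ct))
    for guess, result in guess_results(salt, ct, ["hunter1", "qwerty", "hunter2"]):
        print(f"{guess:>8} -> {result}")
```

Two things follow from the structure. The ciphertext is the size of the seed and there is a single key, so nothing is encrypted many times over; what the scheme pays for instead is an accurate model of what the plaintext looks like, and a decoy is only as convincing as that model. If the real secret falls outside the model, or the attacker has side information about it, the decoys become distinguishable and the protection collapses.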

Re: "Honey Encryption" - LastPass mentioned

Postby JoeSiegrist » Thu Jan 30, 2014 12:38 am

It's definitely an interesting idea -- we're interested in anything that changes the cat & mouse game of increasing processor speed versus more rounds of PBKDF2.
JoeSiegrist
 
Posts: 4185
Joined: Wed Aug 20, 2008 10:40 am

Re: "Honey Encryption" - LastPass mentioned

Postby jonat » Thu Jan 30, 2014 12:53 pm

Lars, I didn't read it as requiring "massive amount of keys". Rather, the decrypting software would return a false but valid-looking result. It's unclear to me how practical this is unless the decryption software is a "black box" that must be used, and it must have some notion of what the encrypted data might look like. I wish that the article had a link to the original paper so I could see more details. The researcher's web site doesn't have it either.

The "Honeywords Project" linked from the article seemed more practical - a way of detecting when someone had stolen and decrypted a database by inserting fake data in the database.
jonat
 
Posts: 2198
Joined: Thu Dec 09, 2010 8:42 pm
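The Honeywords idea jonat mentions is simple enough to show end to end. The example below is added here and is not code from this thread, from LastPass, or from the Honeywords Project: each user's record holds several hashed "sweetwords" (the real password plus decoys), and a separate, minimal honeychecker remembers only which slot is real, so a copied and cracked credential database gives a thief several candidates and a wrong pick raises an alarm. The class names, the decoys and the 10,000-round PBKDF2 are this example's own assumptions.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Tuple

PBKDF2_ROUNDS = 10_000   # assumed; only the structure matters here


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Honeychecker:
    """A second, minimal system that stores only *which* slot is real per user.
    A thief who copies the credential database never sees this table."""

    def __init__(self) -> None:
        self._real_index: Dict[str, int] = {}
        self.alerts: List[str] = []

    def set_real(self, user: str, index: int) -> None:
        self._real_index[user] = index

    def check(self, user: str, index: int) -> bool:
        if self._real_index.get(user) == index:
            return True
        # A hash match on a decoy means the hashes were stolen and cracked.
        self.alerts.append(f"honeyword used for {user!r} (slot {index})")
        return False


class CredentialStore:
    """The login server. Each user has k hashed sweetwords: the real password
    plus k-1 decoys, shuffled so slot order reveals nothing."""

    def __init__(self, checker: Honeychecker, k: int = 4) -> None:
        self.checker = checker
        self.k = k
        self._users: Dict[str, List[Tuple[bytes, bytes]]] = {}

    def register(self, user: str, password: str, decoys: List[str]) -> None:
        if len(decoys) != self.k - 1 or password in decoys:
            raise ValueError("need k-1 decoys, all different from the real password")
        sweetwords = decoys + [password]
        secrets.SystemRandom().shuffle(sweetwords)
        entries = []
        for sw in sweetwords:
            salt = os.urandom(16)
            entries.append((salt, _hash(sw, salt)))
        self._users[user] = entries
        # Only the honeychecker learns which slot holds the real password.
        self.checker.set_real(user, sweetwords.index(password))

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'honeyword' (alarm raised) or 'bad_password'."""
        entries = self._users.get(user)
        if entries is None:
            return "bad_password"
        for index, (salt, digest) in enumerate(entries):
            if hmac.compare_digest(_hash(password, salt), digest):
                return "ok" if self.checker.check(user, index) else "honeyword"
        return "bad_password"


if __name__ == "__main__":
    checker = Honeychecker()
    store = CredentialStore(checker, k=4)
    # Constructed sample account and decoys; real systems generate decoys
    # automatically so they look exactly as plausible as the real one.
    store.register("alice", "Tr0ub4dor&3", ["Tr0ub4dor&1", "Tr0ub4dor&5", "Troubador&3"])
    for attempt in ["Tr0ub4dor&3", "Tr0ub4dor&5", "guess"]:
        print(f"{attempt:>12} -> {store.login('alice', attempt)}")
    print("alerts:", checker.alerts)
```

The detection only works if the decoys are as plausible as the real password; decoys that are obviously different just tell the attacker which slot to use. Keeping the honeychecker separate is the other essential piece: if the slot index sits in the same database as the hashes, the scheme degrades to ordinary password hashing with extra rows.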

Re: "Honey Encryption" - LastPass mentioned

Postby Lars » Thu Jan 30, 2014 2:14 pm

I agree, more info would be nice.. :)
Lars
 
Posts: 2577
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: "Honey Encryption" - LastPass mentioned

Postby lusich » Fri Jan 31, 2014 4:18 pm

I would like to add to @Lars's first comment -- having a long, complex, random password is crucial. However, it is difficult in practice if you have to remember and type it in every time.

For the LP users, perhaps a good solution is to program the second slot of their Yubikeys (if they use them) to emit a static password. I believe that the Yubikey can hold a 64 character static password (containing numbers, small and large letters, and a special character). That's a pretty strong password all within itself. However, one can and should make it even stronger by simply adding a short phrase or keystroke sequence to the beginning or the end of the static-yubikey-password.
https://www.yubico.com/products/service ... -password/

This way you only need to remember a small portion of an extremely long and random password, which would be impossible to crack by brute force. Also, if you were to lose your yubikey, the attacker still wouldn't be able to immediately access your account because the static password stored on the yubikey is only a portion of your total password. You would (in most scenarios) have plenty of time to change the password yourself before any harm is done. If you also combine this with the OTP verification of the yubikey (in slot one), which is available for LP Premium users, you have a very strong way of securing your LP account.
lusich
 
Posts: 41
Joined: Tue Dec 31, 2013 11:23 am

Re: "Honey Encryption" - LastPass mentioned

Postby Lars » Fri Jan 31, 2014 5:18 pm

lusich Wrote: I would like to add to @Lars's first comment -- having a long, complex, random password is crucial. However, it is difficult in practice if you have to remember and type it in every time.

Until a better solution has presented itself, using a very strong password remains crucial. I also use a Yubikey, actually a couple - a NANO for home use and a NEO for my smartphone.

lusich Wrote: For the LP users, perhaps a good solution is to program the second slot of their Yubikeys (if they use them) to emit a static password. I believe that the Yubikey can hold a 64 character static password (containing numbers, small and large letters, and a special character). That's a pretty strong password all within itself. However, one can and should make it even stronger by simply adding a short phrase or keystroke sequence to the beginning or the end of the static-yubikey-password.
https://www.yubico.com/products/service ... -password/

I was about to pull the hair out of my head, until I read the "adding a short phrase" part. Yes, that is a very usable and secure way of going about it. Adding that phrase is paramount though, or you could be in serious trouble.
Lars
 
Posts: 2577
Joined: Wed Jul 14, 2010 10:48 pm
Location: So Cal

Re: "Honey Encryption" - LastPass mentioned

Postby lusich » Fri Jan 31, 2014 11:36 pm

@Lars Yes, I agree with you :) ... the short phrase is absolutely crucial to this method. Otherwise, in the event that you lose your yubikey, you would give someone complete and immediate access to your LP vault. The nice part about this yubikey method is that the phrase doesn't have to be too long or too hard to memorize (for an average person), but the overall password is still very very strong.
lusich
 
Posts: 41
Joined: Tue Dec 31, 2013 11:23 am
