JP Vossen via plug on 4 May 2022 11:31:37 -0700



Re: [PLUG] Correct Horse Battery Staple


On 4/30/22 14:03, JP Vossen wrote:
> I may have talked about this before, but it came up at work Friday, so...
> 
> Go read https://xkcd.com/936/.
> 
> Then try:
> `alias randomwords="shuf -n102 /usr/share/dict/words | perl -ne 'print qq(\u\$_);' | column"`

I started reading all the comments on this one and thought, wow, I should have provided more context.  But maybe not, I think the discussion was quite useful and interesting.

Tl;dr: `randomwords` is intended as an additional tool in your password toolkit, not as The One Solution to anything.

Details:
In particular, the work use-case was creating special accounts for some folks, then transmitting the change-at-first-login passwords.  We don't use default passwords for obvious reasons.  And sometimes we need to transmit the password to someone over the phone, possibly when one or both ends are in a noisy data center.  Trying to spell out xQ5g3u-PDX8rz3=oP{$y is just NOT going to work.  But "Vanguard's	Propriety	Slinkier	Unimpaired	Docked		Informant" (yes spaces, no quotes) will work just fine.  (That's really the line from a run just now! :)

I would also argue that some kind of password manager is a requirement these days, especially for most if not all on this list.  After that, it gets tricky fast.  I use various KeePass* because it is NOT in the cloud [1] and it runs on everything; there are multiple versions of Linux, Android, Mac, iOS, Windows, and CLI clients.  The advantage is that I control my data, the disadvantage, and it's a really big one, is that I also have to manage sync, backup and recovery.  Walt, Rich & others made some really good points there.  OTOH, a KeePass file is just a blob you can put into Git or rsync or whatever easily enough.

FWIW, some smart folks seem to trust 1Password, e.g., https://www.troyhunt.com/a-password-manager-isnt-just-for-christmas-its-for-life-so-heres-50-percent-off/ (but also https://www.troyhunt.com/ive-joined-the-1password-board-of-advisers/).  Semi-OT but amusing: https://www.troyhunt.com/building-password-purgatory-with-cloudflare-pages-and-workers/.

I also manually copy&paste both the user name and password from KeePass to the web site or whatever for anything important.  I don't trust browsers or browser extensions for that because of things like https://www.bleepingcomputer.com/news/security/redline-malware-shows-why-passwords-shouldnt-be-saved-in-browsers/.  Sure I cache creds for trivial stuff, but not important stuff.  And note your Google password is "important stuff" if you use GMail (I don't) because that email address is your identity, like it or not, and whoever owns that owns you.

Better yet, as we all know, use 2FA/MFA (Two or Multi Factor Authentication) everywhere you can, which KeePass supports, though the support and methods vary between clients more than I like.

Walt, as for the typo you pointed out, I was escaping the Perl "$_" (as "\$_") to protect it from unwanted shell interpolation.  That may vary depending on where you use the `alias` command, at the CLI or in a config file or what.  I should probably know all that off the top of my head, but I confess I'd have to go experiment again, and I don't have the energy right now.  But thanks for spotting and calling it out.

Later,
JP

[1] There is no such thing as "the cloud."  First, the sales and marketing folks have rendered the term meaningless, like they do everything else.  Second, there is no cloud, there are only computers and software in someone else's data center.

--  -------------------------------------------------------------------
JP Vossen, CISSP | http://www.jpsdomain.org/ | http://bashcookbook.com/
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
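The following is an added example, not JP's alias or any PLUG member's code, showing the same idea as `randomwords` in Python with the entropy arithmetic behind xkcd 936 made explicit. It assumes the same `/usr/share/dict/words` file the alias reads and falls back to a small constructed list when that file is absent; the 94-symbol alphabet used for the random-character comparison and the 4-to-9-letter filter are assumptions, not something the post specifies.

```python
import math
import secrets
from pathlib import Path

# Constructed fallback list, used only when the system dictionary is missing.
# With only 16 entries it yields 4 bits per word: fine for a demo, useless for real passphrases.
FALLBACK_WORDS = [
    "docked", "informant", "propriety", "slinkier", "unimpaired", "battery",
    "staple", "horse", "correct", "lantern", "orbit", "quartz",
    "velvet", "walrus", "yonder", "zephyr",
]


def filter_words(lines, min_len=4, max_len=9):
    """Keep plain alphabetic words of a speakable length, lower-cased and de-duplicated.

    Possessives such as "Vanguard's" (which the post's column output contains) are dropped
    because the apostrophe is awkward both to say over the phone and to type.
    """
    seen = set()
    for line in lines:
        w = line.strip()
        if not w.isalpha() or not (min_len <= len(w) <= max_len):
            continue
        seen.add(w.lower())
    return sorted(seen)


def load_wordlist(path="/usr/share/dict/words", min_len=4, max_len=9):
    """Read the system dictionary the post's alias uses, or fall back to the constructed list."""
    p = Path(path)
    if not p.is_file():
        return list(FALLBACK_WORDS)
    with p.open(encoding="utf-8", errors="ignore") as fh:
        words = filter_words(fh, min_len, max_len)
    return words or list(FALLBACK_WORDS)


def entropy_bits(alphabet_size, length):
    """Entropy of `length` symbols drawn uniformly and independently from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def words_needed(dictionary_size, target_bits):
    """Smallest word count that reaches `target_bits` for a dictionary of the given size."""
    return math.ceil(target_bits / math.log2(dictionary_size))


def passphrase(words, n_words=6, sep=" "):
    """Pick n_words uniformly using the OS CSPRNG behind `secrets` (not `random`)."""
    # Capitalising each word mirrors the Perl \u in the alias; the capital is deterministic,
    # so it helps readability over the phone but adds no entropy.
    return sep.join(secrets.choice(words).capitalize() for _ in range(n_words))


if __name__ == "__main__":
    words = load_wordlist()
    n = 6
    print(passphrase(words, n))
    print(f"{len(words)} usable words -> {entropy_bits(len(words), n):.1f} bits for {n} words")
    # The 20-character string from the post, if drawn uniformly from all 94 printable ASCII symbols:
    print(f"20 printable-ASCII chars -> {entropy_bits(94, 20):.1f} bits")
    print(f"words needed for 128 bits: {words_needed(len(words), 128)}")
```

The entropy figures only hold when every word is chosen uniformly by the generator: six words from a 100,000-word dictionary is about 99.7 bits, and the 20-character string is about 131 bits. If a human instead picks words by eye from the 102 that `randomwords` prints, the choice is no longer uniform and the arithmetic overstates the strength, which is why the example does the selection itself.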