Silk Road forums

Discussion => Security => Topic started by: psil0 on August 08, 2013, 06:44 am

Title: Password Tips
Post by: psil0 on August 08, 2013, 06:44 am
It's a good idea to use a different password for every service you use on Tor. This is because we don't know how different services store passwords in their database. If a Tor service is compromised, LE may be able to compare plaintext passwords or alike password hashes to make a positive match and to further their profile building efforts.

If your password is very unique and used across multiple services, it wouldn't be difficult to use previously acquired passwords from clearnet databases to discover a real identity.

Example:
Jill is clever and she has created a very unique strong password: 3829h1MyN4MeIsJ1ll929384. She signs up for a TorMail account using her strong password even though she's used it before on Facebook and GMail because she feels it's so secure, nobody will ever crack it.
Unfortunately, TorMail and Facebook both hash their user passwords with standard SHA-1 and the resulting hash (c2bba34ee795b9b161b104f5949ee1d0a117e782) is unique enough to identify Jill as the TorMail account owner. She is discovered without any passwords being cracked.

With the amount of government surveillance, this type of attack seems very possible.

- Your passwords should be the maximum allowed length with symbols if the service allows it. Clearnet and darknet passwords should remain isolated.
- Save your passwords in a heavily encrypted file. You don't need to remember all of your passwords and the ones you do remember should be extremely strong.
- Use a USB bootable hardened version of Linux. When you're on Tor, you need to make no connections whatsoever to your identity (including passwords).

I got tired of using web password generators so I'll share my little bash script random password generator anyone can use.

Code:
#!/bin/bash
# a simple (pseudo) random password generator
# syntax: ./passgen.sh charactercount -s
# charactercount = password length, -s = exclude symbols (optional)
# example: ./passgen.sh 32 -s

if [ $# -lt 1 ] ; then
    echo 'syntax: ./passgen.sh length -s'
    echo 'example: ./passgen.sh 32 -s'
    echo '-s removes symbols and is an optional parameter'
    exit 0
fi

# character set: alphanumerics, plus symbols unless -s was given
if [ "$2" = "-s" ] ; then
    charset='A-Za-z0-9'
else
    charset='A-Za-z0-9!@#$%^*'
fi

# print three candidate passwords; quoting the set keeps the shell from
# globbing the '*' or expanding the '$' before tr sees them
for i in 1 2 3 ; do
    < /dev/urandom tr -dc "$charset" | head -c "$1"
    echo ''
done
exit 0

$ ./passgen.sh 32
%muuBS1YhD*%2WzDYRxyt6L!S4Mb^o9V
g*aKKlSwpKPTj2bdsJjxG!BB*vA%y!iR
AsuCARPIn3l7J8ZIz1rfKutzcvpbPZ%n

$ ./passgen.sh 18 -s
zfqpLYzXRTwFfIBUXj
IS6smPNC1O91jwjtg0
71MORAcc5Hn7AscJzs

I'm sure it could be written better, but it works for me.

Remember: There's a difference between being knowledgeable and being paranoid.

psil0
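As an added example (not part of the post above), the following Python script reproduces the TorMail/Facebook scenario and shows what breaks it: identical unsalted SHA-1 values across two services are linkable without cracking anything, while a per-user salt or a unique password per service leaves nothing to match. The user names, password tables and salts are constructed for the demonstration; the hash value quoted in the post is not assumed.

```python
import hashlib
import os

JILL_PASSWORD = "3829h1MyN4MeIsJ1ll929384"  # the password from the post

def sha1_unsalted(password: str) -> str:
    """Plain SHA-1 hex digest: the same password yields the same stored value at every site."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def sha1_salted(password: str, salt: bytes) -> str:
    """SHA-1 over salt||password: a random per-user salt breaks cross-site equality."""
    return hashlib.sha1(salt + password.encode("utf-8")).hexdigest()

def linkable_accounts(table_a: dict, table_b: dict) -> list:
    """Return (user_a, user_b) pairs whose stored hashes are identical.
    That is the correlation the post describes: equal stored values mean the
    same password at both services, and nothing has to be cracked."""
    by_hash = {}
    for user, stored in table_a.items():
        by_hash.setdefault(stored, []).append(user)
    return [(user_a, user_b) for user_b, stored in table_b.items()
            for user_a in by_hash.get(stored, [])]

def unsalted_scenario() -> list:
    """Constructed tables: both services store plain SHA-1 and Jill reuses her password."""
    facebook = {"jill.smith": sha1_unsalted(JILL_PASSWORD), "bob": sha1_unsalted("bobs-pw-1")}
    tormail = {"anon4421": sha1_unsalted(JILL_PASSWORD), "vendor7": sha1_unsalted("other-pw")}
    return linkable_accounts(facebook, tormail)

def salted_scenario() -> list:
    """Same reused password, but each service salts per user: nothing matches."""
    facebook = {"jill.smith": sha1_salted(JILL_PASSWORD, os.urandom(16))}
    tormail = {"anon4421": sha1_salted(JILL_PASSWORD, os.urandom(16))}
    return linkable_accounts(facebook, tormail)

def unique_password_scenario() -> list:
    """Unsalted storage, but Jill uses a different password on TorMail: nothing matches."""
    facebook = {"jill.smith": sha1_unsalted(JILL_PASSWORD)}
    tormail = {"anon4421": sha1_unsalted("A1completelyUnrelatedTorMailPassw0rd")}
    return linkable_accounts(facebook, tormail)

if __name__ == "__main__":
    print("unsalted + reused  ->", unsalted_scenario())        # [('jill.smith', 'anon4421')]
    print("salted + reused    ->", salted_scenario())          # []
    print("unsalted + unique  ->", unique_password_scenario()) # []
```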