This one, like last time, skip to the jam please #KDF #phish #jamdevilfalls

Guten Morgen,
🌡️22°C 🌤️
Auch schon mal den Kofferraum an der falschen Stelle gesucht?

Heute vor 20 Jahren lief der letzte #VW #Käfer in #Mexico vom Band.
Ursprünglich in der Nazizeit als #KdF Wagen von Ferdinand #Porsche geplant wurde durch die Briten nach Kriegsende die Produktion des VW Typ1 in Wolfsburg forciert.
Bereits 7 Jahre zuvor nannte die #nytimes den kleinen "beetle".
Populär wurde er hauptsaechlich durch seine sparsame Bauweise, weiss das #Kalenderblatt zu berichten.

【1897年7月27日】ボード・ラフェレンツ（Bodo Lafferentz）誕生。
NSDAP党員、歓喜力行団（KdF）代表。親衛隊上級大隊指導者。
リヒャルト・ワーグナーの孫娘フェレーナ（Verena）の夫。

#今日は何の日
#ボード・ラフェレンツ
#Bodo_Lafferentz
#NSDAP党員
#NSDAP
#歓喜力行団代表
#歓喜力行団
#Kraft_durch_Freude
#KdF
#ドイツ労働戦線
#Deutsche_Arbeitsfront
#DAF
#親衛隊
#Schutzstaffel
#1897年7月27日
#7月27日

Yup, this is gas. #KDF

Tails - Weak cryptographic parameters in LUKS1 https://tails.boum.org/security/argon2id/index.en.html #cryptsetup #parameter #dm-crypt #argon2id #weakness #crypto #pbkdf2 #tails #luks #kdf

High @sc00bz and @epixoip, I recently came across your recommendations not to (blindly) use #Argon2 as a #PHF (but it's a good #KDF) due to this requiring runtimes that make it (usually) inapplicable for password hashing. Or, phrased differently, would require lowering security parameters in order to stay performant, that the security of the hashing would be compromised.

The #Bcrypt article on Wikipedia put forth a similar claim but without any citations and phrased a bit misleading (IMO). I've adjusted the article and added two citations. If you have time, I'd be glad if you could give some feedback on this, as there are only few citable sources on this and I'm by far no expert on the matter:

https://en.wikipedia.org/w/index.php?title=Bcrypt&diff=prev&oldid=1157855165

Thank you!

adieu, christian! möge es Dir gutgehen, wo auch immer Du jetzt bist. 🖤 #KdF

@hib_Nachrichten #KdF

Little Man 1 is going on an Orchestra/Band trip to Chicago this weekend. So I told him he should take a Pegasus Pin for Derby spirit.

I unpeeled the envelope and saw a gold Pegasus Pin for the first time ever in the wild.

Winner = you can register for a special grand prize drawing. No more instant winners like the 20th century era.

#Louisville #KentuckyDerby #Kentucky #KDF

@Ihazchaos Hey Terri, zu dem Thema LUKS hat mein @ct_Magazin-Kollege Sylvester Tremmel (@syt) was auf @heiseonline geschrieben.

https://www.heise.de/news/Alte-LUKS-Container-unsicher-Ein-kleiner-Update-Ratgeber-8981054.html?wt_mc=sm.red.ho.mastodon.mastodon.md_beitraege.md_beitraege

#LUKS #KDF #PBKDF2 #Cryptsetup

O Bitwarden está a um passo de finalizar a implementação do KDF, Argon2.
Foram englobados no código os últimos dois Pull-requests.

#bitwarden #kdf #algorithm #security #argon2 #opensource

@epixoip btw. #Bitwarden uses the same #KDF but has the advantage of self-hosting. So a breach to Bitwardens infrastructure would not leak self-hosted instances.

Many of you have been asking for my thoughts on the #LastPass breach, and I apologize that I'm a couple days late delivering.

Apart from all of the other commentary out there, here's what you need to know from a #password cracker's perspective!

Your vault is encrypted with #AES256 using a key that is derived from your master password, which is hashed using a minimum of 100,100 rounds of PBKDF2-HMAC-SHA256 (can be configured to use more rounds, but most people don't). #PBKDF2 is the minimum acceptable standard in key derivation functions (KDFs); it is compute-hard only and fits entirely within registers, so it is highly amenable to acceleration. However, it is the only #KDF that is FIPS/NIST approved, so it's the best (or only) KDF available to many applications. So while there are LOTS of things wrong with LastPass, key derivation isn't necessarily one of them.

Using #Hashcat with the top-of-the-line RTX 4090, you can crack PBKDF2-HMAC-SHA256 with 100,100 rounds at about 88 KH/s. At this speed an attacker could test ~7.6 billion passwords per day, which may sound like a lot, but it really isn't. By comparison, the same GPU can test Windows NT hashes at a rate of 288.5 GH/s, or ~25 quadrillion passwords per day. So while LastPass's hashing is nearly two orders of magnitude faster than the < 10 KH/s that I recommend, it's still more than 3 million times slower than cracking Windows/Active Directory passwords. In practice, it would take you about 3.25 hours to run through rockyou.txt + best64.rule, and a little under two months to exhaust rockyou.txt + rockyou-30000.rule.

Keep in mind these are the speeds for cracking a single vault; for an attacker to achieve this speed, they would have to single out your vault and dedicate their resources to cracking only your vault. If they're trying 1,000 vaults simultaneously, the speed would drop to just 88 H/s. With 1 million vaults, the speed drops to an abysmal 0.088 H/s, or 11.4 seconds to test just one password. Practically speaking, what this means is the attackers will target four groups of users:

1. users for which they have previously-compromised passwords (password reuse, credential stuffing)
2. users with laughably weak master passwords (think top20k)
3. users they can phish
4. high value targets (celebs, .gov, .mil, fortune 100)

If you are not in this list / you don't get phished, then it is highly unlikely your vault will be targeted. And due to the fairly expensive KDF, even passwords of moderate complexity should be safe.

I've seen several people recommend changing your master password as a mitigation for this breach. While changing your master password will help mitigate future breaches should you continue to use LastPass (you shouldn't), it does literally nothing to mitigate this current breach. The attacker has your vault, which was encrypted using a key derived from your master password. That's done, that's in the past. Changing your password will re-encrypt your vault with the new password, but of course it won't re-encrypt the copy of the vault the attacker has with your new password. That would be impossible unless you somehow had access to the attacker's copy of the vault, which if you do, please let me know?

A proper mitigation would be to migrate to #Bitwarden or #1Password, change the passwords for each of your accounts as you migrate over, and also review the MFA status of each of your accounts as well. The perfect way to spend your holiday vacation! Start the new year fresh with proper password hygiene.

For more password insights like this, give me a follow!

【1933年11月27日】歓喜力行団（Kraft durch Freude、略称 KdF）が設立される。

#今日は何の日
#歓喜力行団
#Kraft_durch_Freude
#KdF
#1933年11月27日
#11月27日

RT @MatthiasMeisner@twitter.com

Der #mdr hält #Steimle für einen Kabarettisten und Satiriker. Für jeden erkennbar ist seine Sympathie mit Rechtsradikalen. Der Sender sieht nicht einmal Anlass für einen Tadel. #KdF https://twitter.com/mdrpresse/status/1138826316847996933