My quest to eliminate passwords

In some cases, in some countries, this may not be the developer’s choice, i.e. a government forcing web sites to use better auth for important things (not random forums), important things like telecommunications and banking and maybe health.

There are tried and true defences against that. For example, as stated in the article:

Apple’s iOS, for instance, makes the user wait increasing lengths of time after each incorrect PIN guess.

It is arguable that the Librem 5 should offer the same (but that’s really an upstream problem).

I usually work to the theory that it should not be possible to online brute force in under 4 days i.e. the length of a long weekend (from someone who lives in the so-called “Land of the Long Weekend”) after which someone should detect the problem and raise the alarm etc. :wink:

So let’s say: your first 30 PIN attempts have the standard 3 second delay, after which there is a mandatory 120 second delay between attempts. A 4 digit PIN is on average broken in 7 days (worst case 14 days).

Of course there are also other tried and true defences that are more aggressive e.g. after X failed attempts, the password is “locked” in /etc/shadow so that password login to that account is not possible at all and you will be forced to do something else to gain access.

The article says

“There’s nothing to stop someone from guessing all the possible PINs,” says Engler, a security engineer at San Francisco-based security consultancy iSec Partners. “We often hear ‘no one would ever do that.’”

Whether it is true or not that ‘no one would ever do that’, no legitimate user would ever do that. You would try a dozen times and then realise that you are “stuffed” and seek some other approach.

Note though that if you don’t use LUKS then your 4 digit PIN can be broken in a fraction of a second (offline) and no amount of defence within the system itself will make any difference.

1 Like
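The arithmetic behind the "7 days on average, 14 days worst case" figure, as an added example (not code from the post or from Purism): the function below charges a per-guess delay according to a policy and sums it over the whole PIN space. The post's policy (30 guesses at 3 s, then 120 s each) is modelled exactly; the escalating back-off schedule is my own assumed illustration of the iOS-style behaviour, not Apple's documented timings. It also shows that the "expected attempts = half the space" rule of thumb only holds when every guess costs the same; with throttling, the expected time has to be averaged over the cumulative delays.

```python
"""Time to brute-force a numeric PIN online under a login throttling policy.

Added example. Models the throttle described in the post (first 30 guesses
carry a 3 s delay, every later guess a 120 s delay) and, for comparison, an
iOS-style escalating back-off whose figures are assumed for illustration.
"""
from typing import Callable, Dict

SECONDS_PER_DAY = 86_400


def post_policy(attempt: int, free_attempts: int = 30,
                base_delay: float = 3.0, throttle_delay: float = 120.0) -> float:
    """Delay (seconds) charged for the n-th guess (1-based) under the post's policy."""
    return base_delay if attempt <= free_attempts else throttle_delay


def constant_delay(attempt: int, delay: float = 3.0) -> float:
    """No throttling at all: every guess costs the same (the 'standard 3 second delay')."""
    return delay


def escalating_backoff(attempt: int) -> float:
    """Assumed iOS-style schedule: 5 free guesses, then 1, 5, 15, 60 minutes,
    then one hour for every further guess. Illustrative figures only."""
    schedule = [60.0, 300.0, 900.0, 3600.0]
    if attempt <= 5:
        return 0.0
    idx = attempt - 6
    return schedule[idx] if idx < len(schedule) else 3600.0


def time_to_break(digits: int, delay_for: Callable[[int], float]) -> Dict[str, float]:
    """Worst-case and expected time (days) to guess a uniformly chosen PIN.

    Worst case: the PIN is the last one tried, so every delay is paid.
    Expected: average, over every possible stopping point n, of the cumulative
    delay up to guess n. This equals half the worst case only when the
    per-guess delay is constant.
    """
    space = 10 ** digits
    cumulative = 0.0
    total_stopping_cost = 0.0
    for n in range(1, space + 1):
        cumulative += delay_for(n)
        total_stopping_cost += cumulative
    worst = cumulative
    expected = total_stopping_cost / space
    return {
        "guesses": float(space),
        "worst_days": worst / SECONDS_PER_DAY,
        "expected_days": expected / SECONDS_PER_DAY,
    }


if __name__ == "__main__":
    for digits in (4, 6):
        for name, policy in (("constant 3 s", constant_delay),
                             ("post's policy", post_policy),
                             ("escalating (assumed)", escalating_backoff)):
            r = time_to_break(digits, policy)
            print(f"{digits}-digit PIN, {name:22s}: worst {r['worst_days']:9.2f} d, "
                  f"expected {r['expected_days']:9.2f} d")
```

For a 4 digit PIN the post's policy gives roughly 13.8 days worst case and 6.9 days expected, matching the post. The same policy against a 6 digit PIN runs to years, which is the "6 vs 4 might still be worthwhile" point: the throttle multiplies whatever the key space already gives you, it does not replace it.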

I really think we should get some options to choose from. We have different needs and could create our own solutions based on options in the Mobile Settings app.

Some want no password. Some want no LUKS, so an increasing delay would be nice. I personally want to shut down the device after a few attempts to protect the L5 via a stronger encryption password (to make sure even lost devices are protected from professional hacking).

For even more advantages in the future, things like guest PINs would be cool. Giving family the ability to get access, without rights to access everything on the device (no sudo, no read and/or write access to specific folders if wanted, etc.).
Or alternative forms of login (graphical, etc.).

In the end, login is something every phone user has to do a lot while using those devices. So it’s something that definitely should give the best user experience according to each personal preference. Not everything in the current stage of PureOS/Phosh, but some day in the future when all the more important things have been implemented.

1 Like

This would be great. How can we monitor via a script for failed attempts to enter the pin code?

Yes, PAM should provide that option in Linux. Most Linux devices don’t have this problem, since their passwords use a full character set and are a variable length, so the number of combinations becomes almost infinite, so this is a case where mobile Linux devices that use PINs are introducing a new problem for Linux.

In contrast, Linux has long had to worry about brute force login attempts through ssh, which is why it is configured by default to allow a maximum of 6 failed login attempts before it blocks further attempts from a particular IP address. On my servers, I can see the botnets trying to do brute force logins. I am getting about 3000 login attempts per day on one of my servers, so I do my best to use as tight of security as possible there.

The issue for me is that the probability of locking myself out of my device is higher than the probability that my device will be stolen. For example, I just screwed up the L5 trying to figure out how to boot with Phosh unlocked. I was able to fix the problem, by booting with jump drive and fixing the file, which I wouldn’t have been able to do with an encrypted drive. I have lost files on my PC, because my drive was encrypted and I wasn’t able to boot my PC. For a normal person, who never plays around with the configuration files, it may not be a problem, but I’m far from normal. :wink:

1 Like

As long as you can type in the LUKS passphrase, you can repair it from another PC. I also screwed up the login screen (had a black screen) and could fix this. But even if the issue is worse: creating backups on an SD card before playing with such configurations can save the day. In the worst case you would reinstall the OS and load all backups back onto the system.

1 Like

sudo lastb will show you a list of the failed login attempts (that are stored in the /var/log/btmp file) and sudo last will show you a list of the successful logins (that are stored in the /var/log/wtmp file). You can also do something like this:

sudo grep -i -E "(authentication failure|FAILED SU|Failed password)" /var/log/auth.log | grep -v "grep"
1 Like
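The grep above finds the lines; to actually "monitor via a script" you also want them counted per account and per source so a threshold can trigger an alert. The following is an added example (not the poster's code and not part of PureOS) that runs the same three patterns over a constructed auth.log excerpt. The `phosh` PAM service name for the lock screen and the sample IP addresses are assumptions for illustration.

```python
"""Count failed authentication attempts in auth.log and flag sources over a threshold.

Added example. Matches the same three message families as the forum grep
('Failed password', 'authentication failure', 'FAILED SU') and keys them by
(service, user, source). Sample lines are constructed, not real log data.
"""
import re
from collections import Counter
from typing import Iterable, List, Optional, Tuple

# Constructed sample in syslog/auth.log format. 'phosh' as the lock-screen PAM
# service name and the addresses (RFC 5737 documentation ranges) are assumptions.
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 pureos sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Mar  3 09:12:03 pureos sshd[812]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Mar  3 09:12:05 pureos sshd[815]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=root
Mar  3 09:12:05 pureos sshd[815]: Failed password for root from 203.0.113.5 port 51240 ssh2
Mar  3 09:12:09 pureos sshd[815]: Accepted publickey for purism from 192.0.2.10 port 40022 ssh2
Mar  3 09:20:44 pureos phosh[601]: pam_unix(phosh:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=purism
Mar  3 09:20:49 pureos phosh[601]: pam_unix(phosh:auth): authentication failure; logname= uid=1000 euid=1000 tty=:0 ruser= rhost=  user=purism
Mar  3 09:21:02 pureos su[933]: FAILED SU (to root) purism on pts/0
"""

Key = Tuple[str, str, str]  # (service, target user, source)

SSH_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<rhost>\S+) port \d+")
PAM_FAIL = re.compile(
    r"pam_unix\((?P<service>[^:]+):auth\): authentication failure;.*?rhost=(?P<rhost>\S*)\s.*?user=(?P<user>\S+)")
SU_FAIL = re.compile(r"FAILED SU \(to (?P<user>\S+)\) (?P<caller>\S+) on (?P<tty>\S+)")


def classify(line: str) -> Optional[Key]:
    """Return (service, user, source) for a failed-auth line, or None for anything else."""
    m = SSH_FAIL.search(line)
    if m:
        return ("sshd", m["user"], m["rhost"])
    m = PAM_FAIL.search(line)
    if m:
        # sshd logs both a pam_unix line and its own 'Failed password' line for
        # one attempt; count only the latter so a single guess is not counted twice.
        if m["service"] == "sshd":
            return None
        return (m["service"], m["user"], m["rhost"] or "local")
    m = SU_FAIL.search(line)
    if m:
        return ("su", m["user"], f"{m['caller']}@{m['tty']}")
    return None


def count_failures(lines: Iterable[str]) -> Counter:
    """Tally failed attempts per (service, user, source)."""
    counts: Counter = Counter()
    for line in lines:
        key = classify(line)
        if key is not None:
            counts[key] += 1
    return counts


def failures_by_source(counts: Counter) -> Counter:
    """Collapse to per-source totals, the view a ban/alert rule usually keys on."""
    by_source: Counter = Counter()
    for (_service, _user, source), n in counts.items():
        by_source[source] += n
    return by_source


def over_threshold(counts: Counter, threshold: int) -> List[Key]:
    """Keys that have reached the alert threshold, sorted for stable output."""
    return sorted(k for k, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    c = count_failures(SAMPLE_AUTH_LOG.splitlines())
    for key, n in sorted(c.items()):
        print(f"{n:3d}  {key}")
    print("alert:", over_threshold(c, 2))
```

On a live system feed it `/var/log/auth.log` (or `journalctl -u ssh -o short-iso`) and run it from a timer; the two lock-screen failures for `purism` from `local` are what a PIN-guessing attempt on the phone itself would look like, as distinct from the remote ssh noise.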

Just noting that statistically the expected number of attempts required to crack is half the number of possibilities (under possibly oversimplified assumptions).

And a mere 100 fractions of a second for 6 digits, but for some attacks, 6 vs 4 might still be worthwhile.

As @Ick already has, I would question that statement. LUKS is standard Linux and there is no inherent reason why you can’t unlock an encrypted partition on a desktop/laptop where the partition was set up on your Librem 5 - or any other combination.

I’m not saying you are certainly wrong - maybe there is some esoteric or niche aspect to your environment - just that in principle you can successfully move LUKS encrypted partitions from one Linux computer to another.

Of course if you forget your unlock passphrase (and you didn’t back up the master encryption key, or take other similar contingency actions) then you will be stuffed everywhere.

I will also endorse the idea of imaging the eMMC drive. It doesn’t matter how badly you stuff up the contents, if you create an image (which you can easily do with Jumpdrive) then you can restore an image (again using Jumpdrive). Because that operates below the level of encryption, there isn’t even any need for these operations to know that the contents are encrypted or to be able to decrypt the contents.

Yes, that is a relatively slow way to fix things up if you just buggered up one text file (config file, shell script, …) but if you are not even sure what you broke, it’s a good way to fix things.

If you are determined not to encrypt your partition then it is possible that “cipher null” used with LUKS is a better option, as compared with using an unencrypted partition. That way you should be able to change your mind (in either direction) without having to reflash and set up your computer from scratch.

Of course in that case you are still trusting that a LUKS partition from your phone can be opened on your desktop/laptop and you know what they say: trust, but verify (доверяй, но проверяй).

PS In the early days before Purism had the automatic re-encrypt in the LUKS variant of the flash image, the recommended procedure was to

  • download the LUKS variant of the flash image to your desktop/laptop
  • re-encrypt on the desktop/laptop
  • then flash the image onto your phone.

This by itself illustrates a high degree of compatibility between LUKS on desktop/laptop and LUKS on the Librem 5. This just wouldn’t work at all if they were not compatible.

1 Like

Are you using the default ssh port? I use a non-default port, not because it improves security (it is just security through obscurity) but because it cuts down on the noise and helps to make it more likely that a potential intrusion can be noticed and responded to.

I use -F with last and lastb. That is because my records do and can stretch back over several years. Perhaps with thousands of attempts each day that won’t make much difference in your situation. :wink:

I am not worried about what a hacker may find on my devices, I worry about them using my device for their illegal purposes. I am safe behind my many passworded accessories and devices. I’ve been very fortunate so far and I owe it all to my tinfoil hat.

There had been remote attempts in the past, and some were successful. Ergo my move to Linux. Like the “The Girl” in Anon said “It’s not that I have something to hide. I have nothing I want you to see.”
I’m one that would welcome a better system that protects access to my devices. This IS about me - right?

I will be using your very well written chronological approach of ‘How To’ take Shields off-line. I will use the pwr button and not have to enter pword part.

Thanks
~s

My servers settings/configs:

  • PasswordAuthentication no
  • PermitRootLogin no
  • ChallengeResponseAuthentication no
  • PubkeyAuthentication yes

Additionally I am using fail2ban to ban IP after 2 failed attempts.

2 Likes
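A small audit of the four settings listed above, as an added example (my code, not the poster's configuration tooling): it parses an `sshd_config` the way sshd does, where the first occurrence of a keyword wins and anything under a `Match` block is conditional, then compares the effective global values against the list in the post. Both config excerpts are constructed for illustration. The authoritative check on a real host is `sshd -T`, which prints the effective configuration after sshd itself has parsed it.

```python
"""Audit an sshd_config against the hardening settings listed in the post.

Added example. sshd_config semantics modelled here: keywords are
case-insensitive, written 'Key value' or 'Key=value', the FIRST occurrence
of a keyword is the one that takes effect, and everything after the first
'Match' line applies only conditionally, so it is excluded from the global view.
"""
import re
from typing import Dict, List

# Constructed excerpt: distro-style defaults plus risky overrides. Not a real file.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
ChallengeResponseAuthentication yes
PubkeyAuthentication yes
MaxAuthTries 6
# This later duplicate does NOT take effect: sshd keeps the first value it read.
PasswordAuthentication no

Match User backup
    PasswordAuthentication yes
"""

# Constructed excerpt matching the settings listed in the post.
HARDENED_CONFIG = """\
Port 2222
PasswordAuthentication no
PermitRootLogin no
ChallengeResponseAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# Compiled-in defaults used when a keyword is absent (OpenSSH 7.0 or later).
DEFAULTS = {
    "passwordauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
    "maxauthtries": "6",
}

# Values the post recommends.
WANTED = {
    "passwordauthentication": "no",
    "permitrootlogin": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
}

KEYVAL = re.compile(r"(\S+?)(?:\s*=\s*|\s+)(.*)$")


def parse_global(text: str) -> Dict[str, str]:
    """Effective global settings: first occurrence wins, stop at the first Match block."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYVAL.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            break
        # Newer OpenSSH spells this KbdInteractiveAuthentication; treat it as the same knob.
        if key == "kbdinteractiveauthentication":
            key = "challengeresponseauthentication"
        settings.setdefault(key, value)  # first value wins
    return settings


def audit(settings: Dict[str, str]) -> List[str]:
    """Findings for every setting that differs from the post's recommendations."""
    findings = []
    for key, wanted in WANTED.items():
        actual = settings.get(key, DEFAULTS[key]).lower()
        if actual != wanted:
            origin = "set" if key in settings else "default"
            findings.append(f"{key}: {actual} ({origin}), want {wanted}")
    tries = int(settings.get("maxauthtries", DEFAULTS["maxauthtries"]))
    if tries > 3:
        findings.append(f"maxauthtries: {tries}, want 3 or fewer")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(parse_global(cfg)) or ["ok"])
```

Note that an empty file is not safe either: with nothing set, the compiled-in defaults leave password authentication on, which is why the audit reports against defaults and not only against lines that are present.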

I gave my new L5 very gentle 8 weeks to convince me as a daily driver… that being said, it’s now used as a weight to keep letters flying off my desk…

Your “I hate being forced to enter passwords all the time” in my case nailed the coffin for my L5. Compared with my other phones it was “really demanding” to use.

First of all, it was a real brick in my trouser pockets. Often also a pretty hot one.

Secondly, I always had to manually send it to suspend. Otherwise the battery would not have lasted long enough, with everything except the phone being deactivated. Being able to at least suspend it was a very good compromise.

But to suspend it again after, say, a received phone call (by the way, I was usually told that I was hard to understand, my voice not clearly my own), you had to enter all the aforementioned passwords. If I remember right, first the disk decryption (sometimes the process did not move forward after that). Or was it the phone password and the SIM password (by the way, the contacts on my SIM were not recognized by the phone)?

There were several other small bugs and annoyances. But I always told myself to be kind, tolerant, move on and wait to let things become better (btw the L5 might really be the only phone where that dream’s true…).

Around 8 weeks after first use I gave up having it with me all the time. The time wasted for every bloody simple phone call, no matter if calling or receiving, was a nightmare. Always having to enter all those passwords (a process that quite often did not move on). The need to enter all those passwords again to send the phone to suspend. People (not always) telling me I’m hard to understand. Entering passwords again…

I’m able to see the point of the L5. I understand and try to tolerate the shortcomings. But it was just unbearable in my special case, no matter how pro I tried to be (I’ll keep it). I bought an S20+ with a display error for some bucks, set up firewalls and the like and, unfortunately, life became easier after switching phones.


That story being told, @amosbatto I’m really with you on your first sentences. And I can really understand why you came up with your solution. Thanks a lot for sharing it, mate.

I am a little confused - it’s not normal to be getting asked for passwords when answering the phone or putting the phone into suspend manually.

Phone calls can be answered without unlocking the phone.
The phone can be suspended from the top swipe-down menu > Power button.

There is an option in Settings > Privacy > Screen Lock too that will let you extend the time until the phone locks, if you don’t want to unlock it so often.

2 Likes

Ok - thanks for that info. That might become handy as follows:

1.) Calling somebody
You first need to unlock the phone to be able to dial. After finishing the call you’ve got to send the phone into suspend (might already be automatic through updates; I still had to do it manually).

2.) Receiving a call
You accept the call. You finish it. Phone locks again. Now you’ve got to unlock it again to manually send it to suspend.

Those things might already be outdated as Purism updates features on a regular basis. As mentioned, the L5 might be one of only a few, or even the only, phone becoming better over time…

You can set the automatic suspend in the phone settings >> Power.
But it’s still a work in progress; for example, the phone will go automatically into full suspend even if you are listening to music.

Like any other “smartphone”, no? And it seems to me it’s a good thing.
I think something is in the pipe (if not already available) to be able to make emergency calls without unlocking the phone.

That’s the part where I might say to someone …‘but your lack of security puts my device at risk - it’s a two way highway’. And it’s the reason I hope to set up a whitelisted phone # gets past the recycle bin.
~s