comp.security.misc

#1
10-19-2007, 03:42 PM
Andy Fish
passwords

Hi,

I just got a nice email from fasthosts - a UK ISP - saying that they have
had a security breach and have lost security details including my password
IN PLAIN TEXT !!

because I use the same password for different online systems, this means
someone who found out my email address (the real one - not the one I'm using
to post this) and fasthosts password could potentially log on as me to many
different sites.

fortunately I use several different passwords including a separate one for
sites who I think might store it in plain text. unfortunately I didn't think
for a minute that an ISP would do this, so I used a relatively secure
password for them.

if I can't trust anyone to encrypt my password, it seems that the only way
to be secure is to use a different password for every system and then write
them all down somewhere.

I am an IT professional and I get the impression that most people currently
take a similar approach to me. If not, what's the best way to manage so many
passwords?

Andy




#2
10-19-2007, 04:00 PM
Sebastian G.
Re: passwords

Andy Fish wrote:


> I am an IT professional and I get the impression that most people currently
> take a similar approach to me. If not, what's the best way to manage so many
> passwords?


Very simple thing: Use a password manager. It allows you to use and create a
lot of long and strong passwords that you don't even need to remember, and
encrypt them with one master password. Even further, such a tool allows you
to enter a password via copy'n'paste or auto-typing, and thus also deflects
over-the-shoulder-looking.

#3
10-19-2007, 05:54 PM
Shenan Stanley
Re: passwords

Andy Fish wrote:
> I just got a nice email from fasthosts - a UK ISP - saying that
> they have had a security breach and have lost security details
> including my password IN PLAIN TEXT !!
>
> because I use the same password for different online systems, this
> means someone who found out my email address (the real one - not
> the one I'm using to post this) and fasthosts password could
> potentially log on as me to many different sites.
>
> fortunately I use several different passwords including a separate
> one for sites who I think might store it in plain text.
> unfortunately I didn't think for a minute that an ISP would do
> this, so I used a relatively secure password for them.
>
> if I can't trust anyone to encrypt my password, it seems that the
> only way to be secure is to use a different password for every
> system and then write them all down somewhere.
>
> I am an IT professional and I get the impression that most people
> currently take a similar approach to me. If not, what's the best
> way to manage so many passwords?


Search using Google!
http://www.google.com/
(How-to: http://www.google.com/intl/en/help/basics.html )

Normal blurb from me:

Understanding what a good password might be is vital to your
personal and system security. You may think you do not need to password
your home computer, as you may have it in a locked area (your home) where
no one else has access to it. Remember, however, you aren't always
"in that locked area" when using your computer online - meaning you likely
have usernames and passwords associated with web sites and the likes that
you would prefer other people do not discover/use. This is why you should
understand and utilize good passwords.

Good passwords are those that meet these general rules
(mileage may vary):

Passwords should contain at least six characters, and the character
string should contain at least three of these four character types:
- uppercase letters
- lowercase letters
- numerals
- nonalphanumeric characters (e.g., *, %, &, !, :)

Passwords should not contain your name/username.
Passwords should be unique to you and easy to remember.

One method many people are using today is to make up a phrase that
describes a point in their life and then turning that phrase into their
password by using only certain letters out of each word in that phrase.
It's much better than using your birthday month/year or your anniversary
in a pure sense. For example, let's say my phrase is:
'Great new job in November 2006'
I could come up with this password from that:
'Gr8n3wj0bNOV2006'

I highly recommend you periodically change your passwords.
The suggested time varies, but I will throw out a 'once in
every 3 to 6 months for every account you have.'

Also - many people complain that they just cannot remember the passwords
for all the sites they have - so they choose one password and use it for
everything. Not a good idea. A much better method would be to use a
Password Management tool - so you only have to remember one password,
but it opens an application that stores your username/passwords for
everything else - plus other valuable information. One that I can
recommend:

KeePass Password Safe
http://keepass.sourceforge.net/

It can even generate passwords for you.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
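The rule set above (at least six characters, three of the four character classes, nothing that contains your name or username), written out as a checker. This is an added example, not code from the post or from KeePass; the case-insensitive comparison and the three-character minimum for the username check are my assumptions.

```python
import string

# Shenan Stanley's rules, kept as data so they can be tuned.
MIN_LENGTH = 6
MIN_CLASSES = 3

CHARACTER_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "numerals": set(string.digits),
    "nonalphanumeric": set(string.punctuation),  # covers *, %, &, !, : and friends
}


def character_classes_present(password: str) -> set:
    """Return the names of the character classes that occur in `password`."""
    chars = set(password)
    return {name for name, members in CHARACTER_CLASSES.items() if chars & members}


def check_password(password: str, username: str = "", name: str = "") -> list:
    """Check `password` against the rules and return a list of human-readable
    violations; an empty list means the password passes.

    `username` and `name` are the account holder's identifiers. The post says the
    password must not contain them; the comparison here is case-insensitive
    (assumption), since 'Andy' inside a password is no better than 'andy'.
    """
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    present = character_classes_present(password)
    if len(present) < MIN_CLASSES:
        missing = sorted(set(CHARACTER_CLASSES) - present)
        problems.append(
            f"only {len(present)} of {len(CHARACTER_CLASSES)} character classes "
            f"(missing: {', '.join(missing)})"
        )

    lowered = password.lower()
    for label, value in (("username", username), ("name", name)):
        # Skip empty or very short identifiers (assumption): a two-letter name
        # would match almost any password and make the rule useless.
        if value and len(value) >= 3 and value.lower() in lowered:
            problems.append(f"contains the account holder's {label} '{value}'")

    return problems


if __name__ == "__main__":
    # Constructed candidates: the post's own example plus a few weak ones.
    for candidate in ("Gr8n3wj0bNOV2006", "password", "andy1", "Andy2007!"):
        verdict = check_password(candidate, username="andy", name="Andy Fish")
        print(f"{candidate!r}: {'ok' if not verdict else '; '.join(verdict)}")
```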



#4
10-20-2007, 01:13 AM
Mark Trimble
Re: passwords

Quoting Andy Fish on Fri, 19 Oct 2007 15:42:01 +0000:

> Hi,
>
> I just got a nice email from fasthosts - a UK ISP - saying that they
> have had a security breach and have lost security details including my
> password IN PLAIN TEXT !!...
>
> Andy


Never heard of a notice like that coming by e-mail. Looks to me like
someone's bucking for their advanced credentials in social engineering
(read: phishing). Proceed with caution.

#5
10-20-2007, 04:08 AM
Todd H.
Re: passwords

"Shenan Stanley" <newshelper@gmail.com> writes:

> Andy Fish wrote:
> > I just got a nice email from fasthosts - a UK ISP - saying that
> > they have had a security breach and have lost security details
> > including my password IN PLAIN TEXT !!
> >
> > because I use the same password for different online systems, this
> > means someone who found out my email address (the real one - not
> > the one I'm using to post this) and fasthosts password could
> > potentially log on as me to many different sites.
> >
> > fortunately I use several different passwords including a separate
> > one for sites who I think might store it in plain text.
> > unfortunately I didn't think for a minute that an ISP would do
> > this, so I used a relatively secure password for them.
> >
> > if I can't trust anyone to encrypt my password, it seems that the
> > only way to be secure is to use a different password for every
> > system and then write them all down somewhere.
> >
> > I am an IT professional and I get the impression that most people
> > currently take a similar approach to me. If not, what's the best
> > way to manage so many passwords?

>
> Search using Google!
> http://www.google.com/
> (How-to: http://www.google.com/intl/en/help/basics.html )


Advising someone to trust whatever comes up in google to manage all
his passwords without asking other humans for opinions? Are you
nuggin futs?

The issue is that you can't swing a dead cat on google without
receiving adwords or "legit" results that may include spyware
including keyloggers.


Password Safe http://passwordsafe.sourceforge.net/ however is an
open source, free, peer reviewed and rather trusted solution to this
problem of managing a bashitload of passwords.

Your situation points out the problem with using a single password at
different sites and never changing it--because there are so few sites
out there that are actually rather secure and who've never ever had a
data breach.

Best Regards,
--
Todd H.
http://www.toddh.net/

#6
10-20-2007, 04:45 AM
Shenan Stanley
Re: passwords

Andy Fish wrote:
> I just got a nice email from fasthosts - a UK ISP - saying that
> they have had a security breach and have lost security details
> including my password IN PLAIN TEXT !!
>
> because I use the same password for different online systems, this
> means someone who found out my email address (the real one - not
> the one I'm using to post this) and fasthosts password could
> potentially log on as me to many different sites.
>
> fortunately I use several different passwords including a separate
> one for sites who I think might store it in plain text.
> unfortunately I didn't think for a minute that an ISP would do
> this, so I used a relatively secure password for them.
>
> if I can't trust anyone to encrypt my password, it seems that the
> only way to be secure is to use a different password for every
> system and then write them all down somewhere.
>
> I am an IT professional and I get the impression that most people
> currently take a similar approach to me. If not, what's the best
> way to manage so many passwords?


Shenan Stanley wrote:
> Search using Google!
> http://www.google.com/
> (How-to: http://www.google.com/intl/en/help/basics.html )
>
> Normal blurb from me:
>
> Understanding what a good password might be is vital to your
> personal and system security. You may think you do not need to
> password your home computer, as you may have it in a locked area
> (your home) where no one else has access to it. Remember, however,
> you aren't always "in that locked area" when using your computer
> online - meaning you likely have usernames and passwords associated
> with web sites and the likes that you would prefer other people do
> not discover/use. This is why you should understand and utilize
> good passwords.
>
> Good passwords are those that meet these general rules
> (mileage may vary):
>
> Passwords should contain at least six characters, and the character
> string should contain at least three of these four character types:
> - uppercase letters
> - lowercase letters
> - numerals
> - nonalphanumeric characters (e.g., *, %, &, !, :)
>
> Passwords should not contain your name/username.
> Passwords should be unique to you and easy to remember.
>
> One method many people are using today is to make up a phrase that
> describes a point in their life and then turning that phrase into
> their password by using only certain letters out of each word in
> that phrase. It's much better than using your birthday month/year
> or your anniversary in a pure sense. For example, let's say my
> phrase is: 'Great new job in November 2006'
> I could come up with this password from that:
> 'Gr8n3wj0bNOV2006'
>
> I highly recommend you periodically change your passwords.
> The suggested time varies, but I will throw out a 'once in
> every 3 to 6 months for every account you have.'
>
> Also - many people complain that they just cannot remember the
> passwords for all the sites they have - so they choose one password
> and use it for everything. Not a good idea. A much better method
> would be to use a Password Management tool - so you only have to
> remember one password, but it opens an application that stores
> your username/passwords for everything else - plus other valuable
> information. One that I can recommend:
>
> KeePass Password Safe
> http://keepass.sourceforge.net/
>
> It can even generate passwords for you.


<inline below here...>

Todd H. wrote:
> Advising someone to trust whatever comes up in google to manage all
> his passwords without asking other humans for opinions? Are you
> nuggin futs?


Cutting off the meat of the post, who's 'nuggin futs'?
No worries - I put it back.

You should also know your audience when giving advice...
From the original posting:
'I am an IT professional ...'

You'd think they might be able to figure out the false from the true when it
comes to software - or at least know how to test that safely...

> The issue is that you can't swing a dead cat on google without
> receiving adwords or "legit" results that may include spyware
> including keyloggers.


Yes - common sense is required for using Google...

For example - you have to learn to use Google (thus my link) and I would not
search for "Password Manager" and expect much, but, if you simply add a few
things...

"Password Manager" freeware review rank
http://www.google.com/search?q=%22Pa...re+review+rank

You get some decent hits, like...
http://www.snapfiles.com/get/keepass.html
Which can lead you to more ranked Password Managers:
http://www.snapfiles.com/Freeware/security/fwpass.html

And more...

Yes - you have to sift and test - but once you lock onto a single product
you like the looks of - research it... Use Google to search for reviews on
the product..

http://www.download.com/KeePass-Pass....html?sb=1&v=0
http://www.snapfiles.com/opinions/Ke...word_Safe.html

So, yeah - in order to do the first part - and only the first part - of my
response - you have to have a bit of common sense.

> Password Safe http://passwordsafe.sourceforge.net/ however is an
> open source, free, peer reviewed and rather trusted solution to this
> problem of managing a bashitload of passwords.


One of many - just like the one I gave...
I used it once - switched to KeePass.

Giving the OP more options is what this is all about.
Having a ranking system would be good too.

http://fileforum.betanews.com/browse...&sortby=rating
*note - I don't recommend necessarily using the BETAS and ALPHA versions of
software - but you can get an idea here of what they are doing in their next
version and how well they are doing it and then visit the main site and get
their full release product.

> Your situation points out the problem with using a single password
> at different sites and never changing it--because there are so few
> sites out there that are actually rather secure and who've never
> ever had a data breach.


....

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html



#7
10-20-2007, 06:18 AM
Todd H.
Re: passwords

"Shenan Stanley" <newshelper@gmail.com> writes:

> Cutting off the meat of the post, who's 'nuggin futs'?
> No worries - I put it back.


Oh goody! I have a live one it seems.

> You should also know your audience when giving advice...
> From the original posting:
> 'I am an IT professional ...'


Likewise, consider that your audience for this post (me) is literate
and read that line too.

> You'd think they might be able to figure out the false from the true
> when it comes to software - or at least know how to test that
> safely...


You came out of the gate with the eye rolling "Search using Google!"
line of advice that's so condescending to begin with, and furthermore,
is rather ill advised when searching for things where strong trust is
involved it makes me want to puke. Call it a pet peeve.

Now, you eventually got around to some specific advice that he
wouldn't get of google, so kudos on eventually getting that right.

If you think every IT professional is capable of, has the knowledge of
the virtualization tools to, and has the time to reverse engineer
binaries or audit source code to make a judgement of "safety" of the
things that often come from a google search, then you know a
different subset of the folks who call themselves "IT professionals"
than I have experienced. I'd say it's a far safer bet that every IT
professional knows how to enter search terms in Google and generally
will before asking a question of their peers in a forum like this. So
do you know your audience?

It's just highly annoying when someone opens with the "Search using
Google!" advice quite condescendingly when someone is asking a
question that is best answered from the experience and interactive
advice from fleshy humans, and not just text matches from a
programmatic search engine. You might reconsider that opening--that's
all I'm sayin.


Best Regards,
--
Todd H.
http://www.toddh.net/

#8
10-20-2007, 06:48 AM
Shenan Stanley
Re: passwords

Todd H. wrote:
> "Shenan Stanley" <newshelper@gmail.com> writes:
>
>> Cutting off the meat of the post, who's 'nuggin futs'?
>> No worries - I put it back.

>
> Oh goody! I have a live one it seems.
>
>> You should also know your audience when giving advice...
>> From the original posting:
>> 'I am an IT professional ...'

>
> Likewise, consider that your audience for this post (me) is
> literate and read that line too.
>
>> You'd think they might be able to figure out the false from the
>> true when it comes to software - or at least know how to test that
>> safely...

>
> You came out of the gate with the eye rolling "Search using Google!"
> line of advice that's so condescending to begin with, and
> furthermore, is rather ill advised when searching for things where
> strong trust is involved it makes me want to puke. Call it a pet
> peeve.
>
> Now, you eventually got around to some specific advice that he
> wouldn't get of google, so kudos on eventually getting that right.
>
> If you think every IT professional is capable of, has the knowledge
> of the virtualization tools to, and has the time to reverse engineer
> binaries or audit source code to make a judgement of "safety" of the
> things that often come from a google search, then you know a
> different subset of the folks who call themselves "IT professionals"
> than I have experienced. I'd say it's a far safer bet that every IT
> professional knows how to enter search terms in Google and generally
> will before asking a question of their peers in a forum like this.
> So do you know your audience?
>
> It's just highly annoying when someone opens with the "Search using
> Google!" advice quite condescendingly when someone is asking a
> question that is best answered from the experience and interactive
> advice from fleshy humans, and not just text matches from a
> programmatic search engine. You might reconsider that
> opening--that's all I'm sayin.


You're welcome to your opinion...
Perhaps you should take your own advice. ;-)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html



#9
10-20-2007, 10:31 AM
Andy Fish
Re: passwords

http://www.theregister.co.uk/2007/10...investigation/

this is a very well regarded tech news site in the UK

BTW I have decided to go with RoboForm which seems to be well reviewed.

One interesting point that occurred to me though: say my fasthosts password
was the same as my paypal password, then someone who had got the password
from fasthosts made a fraudulent paypal payment.

would I have a claim against ukreg for not protecting my private details, or
would paypal claim that I was negligent for using the same password for 2
online services?


"Mark Trimble" <user@127.0.0.1> wrote in message
news:pan.2007.10.20.01.13.19@127.0.0.1...
> Quoting Andy Fish on Fri, 19 Oct 2007 15:42:01 +0000:
>
>> Hi,
>>
>> I just got a nice email from fasthosts - a UK ISP - saying that they
>> have had a security breach and have lost security details including my
>> password IN PLAIN TEXT !!...
>>
>> Andy

>
> Never heard of a notice like that coming by e-mail. Looks to me like
> someone's bucking for their advanced credentials in social engineering
> (read: phishing). Proceed with caution.




#10
10-20-2007, 06:51 PM
Unruh
Re: passwords

"Shenan Stanley" <newshelper@gmail.com> writes:

>Andy Fish wrote:
>> I just got a nice email from fasthosts - a UK ISP - saying that
>> they have had a security breach and have lost security details
>> including my password IN PLAIN TEXT !!
>>
>> because I use the same password for different online systems, this
>> means someone who found out my email address (the real one - not
>> the one I'm using to post this) and fasthosts password could
>> potentially log on as me to many different sites.
>>
>> fortunately I use several different passwords including a separate
>> one for sites who I think might store it in plain text.
>> unfortunately I didn't think for a minute that an ISP would do
>> this, so I used a relatively secure password for them.


You can always tell if they told you to put in a phrase only you know or
something like that, or say they can recover your password for you.
They cannot do that if they do not have your cleartext password on file.



>>
>> if I can't trust anyone to encrypt my password, it seems that the
>> only way to be secure is to use a different password for every
>> system and then write them all down somewhere.
>>
>> I am an IT professional and I get the impression that most people
>> currently take a similar approach to me. If not, what's the best
>> way to manage so many passwords?


>Shenan Stanley wrote:
>> Search using Google!
>> http://www.google.com/
>> (How-to: http://www.google.com/intl/en/help/basics.html )
>>
>> Normal blurb from me:
>>
>> Understanding what a good password might be is vital to your
>> personal and system security. You may think you do not need to
>> password your home computer, as you may have it in a locked area
>> (your home) where no one else has access to it. Remember, however,
>> you aren't always "in that locked area" when using your computer
>> online - meaning you likely have usernames and passwords associated
>> with web sites and the likes that you would prefer other people do
>> not discover/use. This is why you should understand and utilize
>> good passwords.
>>
>> Good passwords are those that meet these general rules
>> (mileage may vary):
>>
>> Passwords should contain at least six characters, and the character
>> string should contain at least three of these four character types:
>> - uppercase letters
>> - lowercase letters
>> - numerals
>> - nonalphanumeric characters (e.g., *, %, &, !, :)
>>
>> Passwords should not contain your name/username.
>> Passwords should be unique to you and easy to remember.
>>
>> One method many people are using today is to make up a phrase that
>> describes a point in their life and then turning that phrase into
>> their password by using only certain letters out of each word in
>> that phrase. It's much better than using your birthday month/year
>> or your anniversary in a pure sense. For example, let's say my
>> phrase is: 'Great new job in November 2006'
>> I could come up with this password from that:
>> 'Gr8n3wj0bNOV2006'
>>
>> I highly recommend you periodically change your passwords.
>> The suggested time varies, but I will throw out a 'once in
>> every 3 to 6 months for every account you have.'
>>
>> Also - many people complain that they just cannot remember the
>> passwords for all the sites they have - so they choose one password
>> and use it for everything. Not a good idea. A much better method
>> would be to use a Password Management tool - so you only have to
>> remember one password, but it opens an application that stores
>> your username/passwords for everything else - plus other valuable
>> information. One that I can recommend:
>>
>> KeePass Password Safe
>> http://keepass.sourceforge.net/
>>
>> It can even generate passwords for you.


><inline below here...>


>Todd H. wrote:
>> Advising someone to trust whatever comes up in google to manage all
>> his passwords without asking other humans for opinions? Are you
>> nuggin futs?


>Cutting off the meat of the post, who's 'nuggin futs'?
>No worries - I put it back.


>You should also know your audience when giving advice...
>From the original posting:
>'I am an IT professional ...'


>You'd think they might be able to figure out the false from the true when it
>comes to software - or at least know how to test that safely...


>> The issue is that you can't swing a dead cat on google without
>> receiving adwords or "legit" results that may include spyware
>> including keyloggers.


>Yes - common sense is required for using Google...


>For example - you have to learn to use Google (thus my link) and I would not
>search for "Password Manager" and expect much, but, if you simply add a few
>things...


>"Password Manager" freeware review rank
>http://www.google.com/search?q=%22Pa...re+review+rank


>You get some decent hits, like...
>http://www.snapfiles.com/get/keepass.html
>Which can lead you to more ranked Password Managers:
>http://www.snapfiles.com/Freeware/security/fwpass.html


>And more...


>Yes - you have to sift and test - but once you lock onto a single product
>you like the looks of - research it... Use Google to search for reviews on
>the product..


>http://www.download.com/KeePass-Pass....html?sb=1&v=0
>http://www.snapfiles.com/opinions/Ke...word_Safe.html


>So, yeah - in order to do the first part - and only the first part - of my
>response - you have to have a bit of common sense.


>> Password Safe http://passwordsafe.sourceforge.net/ however is an
>> open source, free, peer reviewed and rather trusted solution to this
>> problem of managing a bashitload of passwords.


>One of many - just like the one I gave...
>I used it once - switched to KeePass.


>Giving the OP more options is what this is all about.
>Having a ranking system would be good too.


>http://fileforum.betanews.com/browse...&sortby=rating
>*note - I don't recommend necessarily using the BETAS and ALPHA versions of
>software - but you can get an idea here of what they are doing in their next
>version and how well they are doing it and then visit the main site and get
>their full release product.


>> Your situation points out the problem with using a single password
>> at different sites and never changing it--because there are so few
>> sites out there that are actually rather secure and who've never
>> ever had a data breach.


>...


>--
>Shenan Stanley
> MS-MVP
>--
>How To Ask Questions The Smart Way
>http://www.catb.org/~esr/faqs/smart-questions.html
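Unruh's tell, as an added example that is not part of any post in this thread: a service that can hand your password back must keep it in cleartext, so a breach like the one Andy describes leaks every password ready to use, while a service that keeps only a per-user salt and a slow hash can verify a login but cannot recover anything. PBKDF2-HMAC-SHA256 and the iteration count are my choices for the illustration, not anything fasthosts or KeePass does.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional

# Work factor for PBKDF2-HMAC-SHA256 (assumption for this example; a real
# deployment tunes it to the slowest login it can tolerate on its own hardware).
PBKDF2_ITERATIONS = 200_000


class PlaintextStore:
    """Models a site that keeps the password itself on file.

    Anything that can "recover your password for you" has to work like this;
    a copy of this table is immediately usable against every other site where
    the same password was reused.
    """

    def __init__(self) -> None:
        self._passwords: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self._passwords[user] = password

    def verify(self, user: str, password: str) -> bool:
        return self._passwords.get(user) == password

    def recover(self, user: str) -> Optional[str]:
        # Only possible because the cleartext is on file.
        return self._passwords.get(user)

    def dump(self) -> Dict[str, str]:
        # What a breach of this table hands over.
        return dict(self._passwords)


@dataclass
class HashedRecord:
    salt: bytes
    digest: bytes
    iterations: int


class HashedStore:
    """Keeps a random per-user salt and a slow salted hash, never the password.

    The service can answer "is this the right password?" but not "what is the
    password?", so a leaked table does not contain reusable credentials.
    """

    def __init__(self) -> None:
        self._records: Dict[str, HashedRecord] = {}

    @staticmethod
    def _derive(password: str, salt: bytes, iterations: int) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)  # unique per user: equal passwords get different digests
        digest = self._derive(password, salt, PBKDF2_ITERATIONS)
        self._records[user] = HashedRecord(salt=salt, digest=digest,
                                           iterations=PBKDF2_ITERATIONS)

    def verify(self, user: str, password: str) -> bool:
        rec = self._records.get(user)
        if rec is None:
            return False
        candidate = self._derive(password, rec.salt, rec.iterations)
        # Constant-time comparison so timing does not reveal how much matched.
        return hmac.compare_digest(candidate, rec.digest)

    def recover(self, user: str) -> None:
        # Nothing to return: only the hash is stored. The honest offer is a reset.
        return None

    def dump(self) -> Dict[str, HashedRecord]:
        return dict(self._records)


def same_password_hashes_differently(store: HashedStore, user_a: str, user_b: str) -> bool:
    """True when two users who chose the same password have different digests."""
    records = store.dump()
    return records[user_a].digest != records[user_b].digest


if __name__ == "__main__":
    # Constructed demo: two users, one shared password, both kinds of store.
    plain, hashed = PlaintextStore(), HashedStore()
    for user in ("andy", "mark"):
        plain.register(user, "Gr8n3wj0bNOV2006")
        hashed.register(user, "Gr8n3wj0bNOV2006")
    print("plaintext breach yields:", plain.dump())
    print("hashed breach yields:", {u: r.digest.hex()[:16] + "..." for u, r in hashed.dump().items()})
    print("recover from hashed store:", hashed.recover("andy"))
```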




#11
10-20-2007, 06:56 PM
Mark Randall
Re: passwords


"Andy Fish" <ajfish@blueyonder.co.uk> wrote:
> would I have a claim against ukreg for not protecting my private details,
> or would paypal claim that I was negligent for using the same password for
> 2 online services?


You'd have a claim for them allowing personally identifiable material and
passwords to be revealed.

I and many others have been considering it also who are in the same
situation.

Regards,

Mark Randall


#12
10-24-2007, 05:42 PM
Ari
Re: passwords

On Fri, 19 Oct 2007 15:42:01 GMT, Andy Fish wrote:

> if I can't trust anyone to encrypt my password, it seems that the only way
> to be secure is to use a different password for every system and then write
> them all down somewhere.
>
> I am an IT professional and I get the impression that most people currently
> take a similar approach to me. If not, what's the best way to manage so many
> passwords?
>
> Andy


KeePass
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

#13
10-24-2007, 06:54 PM
AnthonyM
Re: passwords

On Oct 24, 12:42 pm, Ari <arisilverst...@yahoo.com> wrote:
> On Fri, 19 Oct 2007 15:42:01 GMT, Andy Fish wrote:
> > if I can't trust anyone to encrypt my password, it seems that the only way
> > to be secure is to use a different password for every system and then write
> > them all down somewhere.

>
> > I am an IT professional and I get the impression that most people currently
> > take a similar approach to me. If not, what's the best way to manage so many
> > passwords?

>
> > Andy

>
> KeePass
> --
> "You can't trust code that you did not totally create yourself"
> Ken Thompson "Reflections on Trusting Trust" http://www.acm.org/classics/sep95/


I use a modified approach to all the solutions mentioned above. Truly
it doesn't matter if you keep them in an excel file. If they are
stored somewhere, there is a potential vulnerability. So I use
different passwords for every site, and I do store 1/2 of the password
in a system (I won't endorse a particular one, but I've used several
methods, Excel, RoboForm, Keepass, UltraSafe). So I put 1/2 of the
password in the system. I usually do a random generated 8-10
character key. Then, I memorize a 2nd 1/2 that is a keyphrase. This
helps me feel secure that even if my method of storing passwords is
compromised, they still have to come up with the 2nd half of the
password that is memorized.

Just a thought.

Anthony Maughan
Systems Engineer, MCSE + Security
Positive Networks
http://www.phonefactor.net - Strong Authentication


#14
10-24-2007, 09:11 PM
Sebastian G.
Re: passwords

AnthonyM wrote:


> I use a modified approach to all the solutions mentioned above. Truly
> it doesn't matter if you keep them in an excel file. If they are
> stored somewhere, there is a potential vulnerability. So I use
> different passwords for every site, and I do store 1/2 of the password
> in a system (I won't endorse a particular one, but I've used several
> methods, Excel, RoboForm, Keepass, UltraSafe). So I put 1/2 of the
> password in the system. I usually do a random generated 8-10
> character key. Then, I memorize a 2nd 1/2 that is a keyphrase. This
> helps me feel secure that even if my method of storing passwords is
> compromised, they still have to come up with the 2nd half of the
> password that is memorized.



Or written in another way: If one of your passwords gets compromised
externally, half of each of your other passwords is also compromised.
Very very very stupid idea!

> Systems Engineer, MCSE + Security


~~~~

Oh well, you're a Minesweeper Consultant and Solitaire Expert?

> http://www.phonefactor.net - Strong Authentication



Nah... that's too easy...

#15
10-24-2007, 10:09 PM
Ari
Re: passwords

On Wed, 24 Oct 2007 18:54:08 -0000, AnthonyM wrote:

>>> I am an IT professional and I get the impression that most people currently
>>> take a similar approach to me. If not, what's the best way to manage so many
>>> passwords?

>>
>>> Andy

>>
>> KeePass
>> --
>> "You can't trust code that you did not totally create yourself"
>> Ken Thompson "Reflections on Trusting Trust" http://www.acm.org/classics/sep95/

>
> I use a modified approach to all the solutions mentioned above. Truly
> it doesn't matter if you keep them in an excel file. If they are
> stored somewhere, there is a potential vulnerability.


The level of vulnerability is the question. If you placed KeePass in a
truecrypted container, then placed fake passwords in an "open" Excel
file, you may have the best of the best.

> So I use
> different passwords for every site, and I do store 1/2 of the password
> in a system (I won't endorse a particular one, but I've used several
> methods, Excel, RoboForm, Keepass, UltraSafe). So I put 1/2 of the
> password in the system. I usually do a random generated 8-10
> character key. Then, I memorize a 2nd 1/2 that is a keyphrase. This
> helps me feel secure that even if my method of storing passwords is
> compromised, they still have to come up with the 2nd half of the
> password that is memorized.
>
> Just a thought.
>
> Anthony Maughan


Depending on the password, that isn't hard to do.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

  #16
Old 10-25-2007, 02:27 AM
Steve Riley [MSFT]
Re: passwords

Contrary to what a lot of others claim, it's even ok to write your passwords
down. Now, you just need to protect the piece of paper.

Your choice of password management tools is less important than your method
of protecting the storage.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

  #17
Old 10-25-2007, 06:30 AM
Ari
Re: passwords

On Wed, 24 Oct 2007 19:27:16 -0700, Steve Riley [MSFT] wrote:

> Contrary to what a lot of others claim, it's even ok to write your passwords
> down. Now, you just need to protect the piece of paper.
>
> Your choice of password management tools is less important than your method
> of protecting the storage.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com


Accessibility, functional use come into play. A piece of paper that you
have to hide in your butthole and pull out several times a day isn't
what I would call practical.

Keepass is.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

  #18
Old 10-25-2007, 07:06 AM
Steve Riley [MSFT]
Re: passwords

LOL. There would be moisture problems with that approach, as well.

Nevertheless, my point was the second paragraph. Personally, I prefer to
keep the passwords off the computer. For some folks, paper works fine. I use
a password-protected list application on my smart phone.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

  #19
Old 10-25-2007, 03:29 PM
Ari
Re: passwords

On Thu, 25 Oct 2007 00:06:20 -0700, Steve Riley [MSFT] wrote:

> Nevertheless, my point was the second paragraph. Personally, I prefer to
> keep the passwords off the computer. For some folks, paper works fine. I use
> a password-protected list application on my smart phone.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com


Steve, I'll take your word for it but I have never had one person who
used paper to be able to develop any scheme that was sufficiently safe.
The smart phone idea seems unnecessarily impractical in view of the
number of ways you can encrypt and launch URLs, etc from a program like
KeePass. Or a Cryptainer LE where you could keep a spreadsheet.

What is it, I'm curious, that keeps you distant from the use of these
alternatives?
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

  #20
Old 10-26-2007, 09:45 AM
Steve Riley [MSFT]
Re: passwords

Several colleagues use their wallets to protect their pieces of paper.

I use my smart phone because I'm often having to use many different
computers. My choice to use my smart phone is purely out of convenience. I'm
not opposed to the category of products that KeePass represents.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com

  #21
Old 10-26-2007, 05:11 PM
Ari
Re: passwords

On Fri, 26 Oct 2007 02:45:45 -0700, Steve Riley [MSFT] wrote:

> Several colleagues use their wallets to protect their pieces of paper.
>
> I use my smart phone because I'm often having to use many different
> computers. My choice to use my smart phone is purely out of convenience. I'm
> not opposed to the category of products that KeePass represents.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com


Thx, appreciate the response.

Wallets? lol
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

  #22
Old 10-31-2007, 06:54 PM
AnthonyM
Re: passwords

On Oct 24, 4:11 pm, "Sebastian G." <se...@seppig.de> wrote:
> AnthonyM wrote:
> > I use a modified approach to all the solutions mentioned above. Truly
> > it doesn't matter if you keep them in an excel file. If they are
> > stored somewhere, there is a potential vulnerability. So I use
> > different passwords for every site, and I do store 1/2 of the password
> > in a system (I won't endorse a particular one, but I've used several
> > methods, Excel, RoboForm, Keepass, UltraSafe). So I put 1/2 of the
> > password in the system. I usually do a random generated 8-10
> > character key. Then, I memorize a 2nd 1/2 that is a keyphrase. This
> > helps me feel secure that even if my method of storing passwords is
> > compromised, they still have to come up with the 2nd half of the
> > password that is memorized.

>
> Or written in another way: If one of your passwords gets compromised
> externally, half of each of your other passwords is also compromised.
> Very very very stupid idea!
>
> > Systems Engineer, MCSE + Security

>
> ~~~~
>
> Oh well, you're a Minesweeper Consultant and Solitaire Expert?
>
> >http://www.phonefactor.net- Strong Authentication

>
> Nah... that's too easy...


I will happily respond to an intelligent, even sort-of-thought-through
opinion. What I can't respond to is an infantile attack on my
credentials and my idea without any supporting information. Do you
really think that having half of a 25-character password of an
unknown number of passwords to an unknown number of sources is
meaningful in any way other than being proud of it? What about if
someone releases the source code to KeePass or RoboForm etc.? Perhaps
you can easily memorize 40 25-character passwords every 30 days, but I
can't. So rather than recording all 40 passwords in some hopefully
secure manner, I store half of them. I read several of your other
posts, it seems you are intelligent. Couldn't you be more helpful
rather than sarcastic and condescending? Thanks Sebastian, for making
one of my first attempts at responding in a newsgroup so pleasant.


  #23
Old 10-31-2007, 11:42 PM
Sebastian G.
Re: passwords

AnthonyM wrote:

> Do you really think that having half of a 25-character password of an
> unknown number of passwords to an unknown number of sources is
> meaningful in any way other than being proud of it?



Yes. Not just that you assume the number of passwords and the corresponding
sources to the attackers to be known, you should also understand what
entropy means and how it turns the remaining 12 characters into a feasible
dictionary attack.

> What about if someone releases the source code to KeePass or RoboForm etc.?



Aside from the fact that KeePass already is open source, why should this be
any problem at all? Quite the contrary holds: RoboForm is unacceptable
because it's not open source.
Even if you trust the vendor not to send out your passwords over a covert
channel, you cannot trust them about the crypto implementation. How sure are
you that the entropy collection does a proper job and doesn't just take some
well-guessable or even highly choosable input? How sure are you that they
properly protect the memory region where the cryptographic key is stored
from being paged out to disk? Without the source code, you can assure that
their programmers didn't fall into at least one of the common pitfalls,
which is very likely.

> Perhaps you can easily memorize 40 25 character passwords every 30 days,


> but I can't.


Sure you can, it's very easy: It's called a "pass phrase" for a reason.
BTW, exactly this sentence gives you an easily memorizable, quickly
typeable pass phrase with sufficient entropy.

And with using a password manager, you need to memorize only exactly *one*
pass phrase.

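Sebastian's two objections to the split-password scheme, the one in #14 (one compromised password exposes half of every other one) and the one just above in #23 (with the stored half known, the memorized half is a dictionary attack), can be made concrete. The Python model below is an added example, not code posted by anyone in this thread. It assumes a site that stores an unsalted SHA-256 of the password, a memorized half of the kind people really pick, and a tiny constructed wordlist standing in for a real cracking dictionary; the stored halves, the site names other than fasthosts, and the keyphrase are all constructed. It goes one step beyond the thread by running both leak scenarios against the same set of passwords.

```python
"""Model of the split-password scheme argued over in this thread (added example).

Scheme: site password = stored_half (random 8-10 chars kept in a manager or
spreadsheet) + memorized_half (one keyphrase reused for every site).
Two leak scenarios are attacked:
  1. two sites leak plaintext (the fasthosts case): no guessing at all;
  2. the manager file leaks the stored half and a site leaks a hash:
     only the memorized half is unknown, and it is a mangled dictionary word.
All names, halves and the wordlist are constructed for illustration.
"""
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits

# Constructed stored halves, as a password manager or spreadsheet would hold them.
STORED_HALVES = {"fasthosts": "kq3Xp9Lm", "webmail": "A7zR0wQe", "bank": "Zt4mN1vC"}
# Constructed memorized half: a "keyphrase" of the kind people actually choose.
MEMORIZED_HALF = "Sunshine7"
# Constructed mini wordlist standing in for a real cracking dictionary.
WORDLIST = ["password", "letmein", "dragon", "football", "monkey", "shadow",
            "sunshine", "princess", "welcome", "master", "qwerty", "summer",
            "freedom", "whatever", "trustno", "ninja", "mustang", "ashley"]


def random_half(length=8):
    """What the stored half is supposed to be: uniformly random over ALPHABET."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def site_password(site, memorized=MEMORIZED_HALF):
    """Assemble a site password exactly as the scheme prescribes."""
    return STORED_HALVES[site] + memorized


def site_hash(site):
    """Assumption: the site stores an unsalted SHA-256 of the password."""
    return hashlib.sha256(site_password(site).encode()).hexdigest()


def common_suffix(a, b):
    """Longest common suffix of two strings."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:]


def recover_memorized_half(*plaintexts):
    """Scenario 1: two or more plaintext leaks expose the shared memorized
    half as their common suffix.  No guessing is needed."""
    result = plaintexts[0]
    for p in plaintexts[1:]:
        result = common_suffix(result, p)
    return result


def mangled(word):
    """Crude rule set: three capitalisations x (no digits | 0-9 | 00-99)."""
    suffixes = [""] + [str(d) for d in range(10)] + [f"{d:02d}" for d in range(100)]
    for cap in (word, word.capitalize(), word.upper()):
        for digits in suffixes:
            yield cap + digits


def dictionary_attack(known_half, target_hash, wordlist=WORDLIST):
    """Scenario 2: the manager file leaked known_half and a site leaked its
    hash.  Enumerate mangled dictionary words for the memorized half.
    Returns (recovered_half_or_None, number_of_hashes_computed)."""
    guesses = 0
    for word in wordlist:
        for cand in mangled(word):
            guesses += 1
            if hashlib.sha256((known_half + cand).encode()).hexdigest() == target_hash:
                return cand, guesses
    return None, guesses


def keyspace_bits(length, alphabet=ALPHABET):
    """Entropy in bits of a uniformly random string of `length` over `alphabet`."""
    return length * math.log2(len(alphabet))


def dictionary_bits(wordlist=WORDLIST):
    """Upper bound on the entropy of a mangled dictionary word under `mangled`."""
    per_word = sum(1 for _ in mangled(wordlist[0]))
    return math.log2(len(wordlist) * per_word)


if __name__ == "__main__":
    leaked = [site_password("fasthosts"), site_password("webmail")]
    print("memorized half from two plaintext leaks:", recover_memorized_half(*leaked))
    half, n = dictionary_attack(STORED_HALVES["bank"], site_hash("bank"))
    print(f"memorized half {half!r} recovered after {n} hashes")
    print(f"random 9-char tail: {keyspace_bits(9):.1f} bits; "
          f"mangled dictionary word: {dictionary_bits():.1f} bits")
```

Run as a script, it shows the memorized half falling out of two plaintext leaks with no work at all, and, once the stored half is known, being recovered after a couple of thousand SHA-256 evaluations from an 18-word list: the "remaining" characters are worth about 12.5 bits here against roughly 53.6 bits for a random 9-character tail over the same alphabet. Only the stored halves carry real entropy, which is the opposite of what the scheme intends.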
  #24
Old 11-02-2007, 04:31 PM
Alun Jones
Re: passwords

"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
news:eFKW9U7FIHA.4808@TK2MSFTNGP05.phx.gbl...
> Several colleagues use their wallets to protect their pieces of paper.


What a strange idea, using a device whose very purpose is to collect small
pieces of paper and prevent them from falling into other people's hands!

Alun.
~~~~



  #25
Old 11-04-2007, 09:20 PM
Steve Riley [MSFT]
Re: passwords

Yeah, the utility of the idea is shocking, indeed. :)

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com