Public Service Announcement On Password Security

[Coriolis]

You mean hand written or that you type it in and store it on a computer somewhere?

Mine is handwritten, and goes everywhere with me. My old boss uses a password-protected excel spreadsheet file.

 

[highlander]

Mine is handwritten, and goes everywhere with me. My old boss uses a password-protected excel spreadsheet file.

But when you change them, you cross the old ones off then?

I could never do this. I think I'm on over 80 sites. Everything from professional membership sites to social networking sites etc. etc.

 

[Coriolis]

But when you change them, you cross the old ones off then?

I could never do this. I think I'm on over 80 sites. Everything from professional membership sites to social networking sites etc. etc.

I tend to change them in batches. I remember, or am reminded to change one, and then change a bunch that are around the same age. I probably have only 25 or 30. There are some passwords I use only at work, which are on a separate list.

 

[highlander]

I tend to change them in batches. I remember, or am reminded to change one, and then change a bunch that are around the same age. I probably have only 25 or 30. There are some passwords I use only at work, which are on a separate list.

I wonder how many people do this.

 

[Coriolis]

I wonder how many people do this.

No idea. Anything that involves pencil and paper is considered too old school by most computer literate folks. I have been tempted to try the password-protected file method. That just turns your file into a password manager, but at least someone would have to know what to look for on your system to even get started with it. Still, paper in my wallet seems more secure, and I always have it, regardless of which computer I am using.

 

[highlander]

No idea. Anything that involves pencil and paper is considered too old school by most computer literate folks. I have been tempted to try the password-protected file method. That just turns your file into a password manager, but at least someone would have to know what to look for on your system to even get started with it. Still, paper in my wallet seems more secure, and I always have it, regardless of which computer I am using.

One way to hack into systems is to crack those password protected Microsoft Excel files so I'm not a fan. The paper is more secure I guess unless you lose your wallet or bag or something.

Edit: In which case could be bad because they might also have your credit cards, drivers license, etc. Unless of course you keep it in a money belt or your shoe. I have left belts in airline security scanners though...

 

[Cellmold]

I used to have a external hard drive that I would store information on like that in a notepad file.

I would only connect it for the brief time needed to enter more information (with internet off because dumb and paranoid) then every month I would print out the file onto a4 with the site names all mixed up as [MENTION=7]Totenkindly[/MENTION] mentioned.

Then I clear the text out and start again.

I stopped doing it because A) There are less management intense ways of doing this and B) No one gives a shit about my stuff.

 

[Totenkindly]

I stopped doing it because A) There are less management intense ways of doing this and B) No one gives a shit about my stuff.

Yeah, I think procedure might change if I was actually anyone of importance.

There's probably more chance of me getting my computer hard-hacked via the Internet than someone mugging me for a slip of paper in my purse with coded passwords that they might not even find let alone recognize (hence sticking to tangibles). No one is gonna Watergate my apartment looking for my passwords.

TBH, my internet activity has slowed tremendously anyway. I'm not active on very many sites that need accounts, and I only have a few banking and/or credit card sites.

 

[EcK]

This is a pretty nice demo and explanation.

http://www.typologycentral.com/forums/rules.php
Code of Conduct

2. Advertising
No advertising is allowed on the forum, whether for profit or not for profit. This includes advertising or soliciting participants for other internet forums or online communities.

 

[highlander]

http://www.typologycentral.com/forums/rules.php
Code of Conduct

2. Advertising
No advertising is allowed on the forum, whether for profit or not for profit. This includes advertising or soliciting participants for other internet forums or online communities.

That's not advertising. I'm not soliciting anything. It's an independent review of the software. I'm recommending something that I know and use that I think is good. The purpose for posting it is to educate the members on how this kind of software works. [MENTION=5999]PeaceBaby[/MENTION] recommended another product. It doesn't matter which one you use. Just use one of them.

If I had two recommendations that I could make, I would suggest that you
- Implement password management software and pick different passwords for every site you go to
- Don't run as a local administrator on your computer (by default). Set up two accounts - one which is a regular user and one which is an administrator. Only run as administrator when you need to install software or something similar.

The first thing reduces the potential that your compromised passwords on one system will lead to compromised passwords on another one. The second recommendation is important because it reduces the chance that you will get malware on your computer.

 

[EcK]

That's not advertising. I'm not soliciting anything. It's an independent review of the software. I'm recommending something that I know and use that I think is good. The purpose for posting it is to educate the members on how this kind of software works. [MENTION=5999]PeaceBaby[/MENTION] recommended another product. It doesn't matter which one you use. Just use one of them.

If I had two recommendations that I could make, I would suggest that you
- Implement password management software and pick different passwords for every site you go to
- Don't run as a local administrator on your computer (by default). Set up two accounts - one which is a regular user and one which is an administrator. Only run as administrator when you need to install software or something similar.

The first thing reduces the potential that your compromised passwords on one system will lead to compromised passwords on another one. The second recommendation is important because it reduces the chance that you will get malware on your computer.

Jokes aside (so 80% of what I say ) I've been considering adopting such a method.
I, and I suspect most net security conscious people, am constantly plagued by password amnesia due to regular password changes and different passwords everywhere.
At the same time centralizing it on one platform could make it more vulnerable - no code is 100% hack proof after all. But yeah overall I think it could result in a security net gain.

In general most sites have nonsensical password protections systems.
You can retrieve someone's password by knowing BASIC FACTS that anyone in their surrounding would be likely to know.
name of your pet
school name
birthdate ...
Have these people ever heard about social engineering? I could get that info in 3 phone calls to their relatives.

So I always have to makeup stuff and I eventually forget exactly what fib I gave for an old email account 8 years ago.

There's also this strange belief that weird passwords no human brain can easily memorize are somehow more secure - I don't think that's the case.


ie: yeah sure from a purely mathematical perspective assuming same password length it's often true - but as they're hard to remember people make them shorter and rely on crappy password recovery methods and use these impossible-to-remember-passwords on multiple platforms - ending up in a net loss in overall security


let's play a game, according to How Secure Is My Password? here's the time needed to crack these passwords

human-friendly password:
1mwithpeetreed1sh 227 MILLION YEARS to crack - easy to remember

classic 'recommended' password (more complicated so people will make them shorter)
13P72!Lisa : 6 years

So my pass is rougly 38,000,000 times more secure and takes about 1 second to memorize - furthermore i won't need to write it down everywhere to remember it etc.

 

[EcK]

xkcd: Password Strength - Creative Commons Attribution-NonCommercial License = content is free to share in full

 

[highlander]

Have these people ever heard about social engineering? I could get that info in 3 phone calls to their relatives.

There's also this strange belief that weird passwords no human brain can easily memorize are somehow more secure - I don't think that's the case.

So my pass is rougly 38,000,000 times more secure and takes about 1 second to memorize - furthermore i won't need to write it down everywhere to remember it etc.

You got it.

 

[Tilt]

Jokes aside (so 80% of what I say ) I've been considering adopting such a method.
I, and I suspect most net security conscious people, am constantly plagued by password amnesia due to regular password changes and different passwords everywhere.
At the same time centralizing it on one platform could make it more vulnerable - no code is 100% hack proof after all. But yeah overall I think it could result in a security net gain.

In general most sites have nonsensical password protections systems.
You can retrieve someone's password by knowing BASIC FACTS that anyone in their surrounding would be likely to know.
name of your pet
school name
birthdate ...
Have these people ever heard about social engineering? I could get that info in 3 phone calls to their relatives.

So I always have to makeup stuff and I eventually forget exactly what fib I gave for an old email account 8 years ago.

There's also this strange belief that weird passwords no human brain can easily memorize are somehow more secure - I don't think that's the case.


ie: yeah sure from a purely mathematical perspective assuming same password length it's often true - but as they're hard to remember people make them shorter and rely on crappy password recovery methods and use these impossible-to-remember-passwords on multiple platforms - ending up in a net loss in overall security


let's play a game, according to How Secure Is My Password? here's the time needed to crack these passwords

human-friendly password:
1mwithpeetreed1sh 227 MILLION YEARS to crack - easy to remember

classic 'recommended' password (more complicated so people will make them shorter)
13P72!Lisa : 6 years

So my pass is rougly 38,000,000 times more secure and takes about 1 second to memorize - furthermore i won't need to write it down everywhere to remember it etc.

Ha. I always pick obscure facts or details based on my life from many years years ago or add together a bunch of numbers which I consider significant..which no one in my personal life would be able to guess.. hope that's secure enough.

 

[EcK]

Ha. I always pick obscure facts or details based on my life from many years years ago or add together a bunch of numbers which I consider significant..which no one in my personal life would be able to guess.. hope that's secure enough.

Yeah and how do you remember it 8 years later. Knowing that for it to be secure you d have to give at least partially different answers to what are usually the same stupid questions..?

So you remember every bogus answer to everything years later? Also - if your answer is at least partially guessable then that can still be a security issue.

 

[Tilt]

I answer honestly but give the least obvious answer from what people know of me. I am not typically one to tell people much about my personal life or back history. The ones I am closest to know not to tell others much about me. I am quite guarded.

 

[EcK]

Ha. I always pick obscure facts or details based on my life from many years years ago or add together a bunch of numbers which I consider significant..which no one in my personal life would be able to guess.. hope that's secure enough.

Yeah and how do you remember it 8 years later. Knowing that for it to be secure you d have to give at least partially different answers to what are usually the same stupid questions..?

Also- it doesn't matter what patchwork strategy you have - that still doesn't make this security measure secure.

You can have a 70 character email of random characters but it wouldn't matter much if someone can get access by inputting your first school (listed on your fb or ome phone call away) etc.

If you have a complex "non human friendly password" you re going to store it on very accessible devices (mobile, on paper, computer...) so still not secure.

 

[Tilt]

Yeah and how do you remember it 8 years later. Knowing that for it to be secure you d have to give at least partially different answers to what are usually the same stupid questions..?

Also- it doesn't matter what patchwork strategy you have - that still doesn't make this security measure secure.

You can have a 70 character email of random characters but it wouldn't matter much if someone can get access by inputting your first school (listed on your fb or ome phone call away) etc.

If you have a complex "non human friendly password" you re going to store it on very accessible devices (mobile, on paper, computer...) so still not secure.

I typically don't tell people much about my past, family, personal info... and my Facebook doesn't reveal much of anything.

For better or worse, I don't write down my passwords, and I have a separate passwords for both my computer and mobile.

 

[EcK]

I typically don't tell people much about my past, family, personal info... and my Facebook doesn't reveal much of anything.

For better or worse, I don't write down my passwords, and I have a separate passwords for both my computer and mobile.

so you mean I can't figure out your old school's name, pet name etc. by calling your great aunty or something like that and giving her a boggus reason to give away the information ?

Dude, get real. This is not secure, giving me your personal story won't change how unsecure these ineffective and ubiquitous easy-to-hack security measures are.
I'm not attacking you personally. I'm happy for you if you make your passes a bit more secure - that still doesn't make the policy a good one. That's akin to saying that cars are perfectly safe because you've never died in one - not a good argument.

As to the passwords - the classic "ad at least one number and one symbol like !" well first off people will generally use the same symbols (! ? & ) and capitalize only the first letter of their password so it's not like it adds that much complexity to the password. You just set up your password breaking software to start with the most likely combination and it d probably cut down the time needed by a factor of thousands whether you use special symbols and numbers or not.

Secondly it's obvious the people who set it up are kind of low-level in terms of theory of mind / psychology. It's beyond obvious that you'll choose a shorter password if the site's asking you to setup a non-human-friendly password.+ you'll have to store it somewhere else than just in your brain because who the hell can remember :

a1rRbo4t& as easily as peachfetchingpricemarket.

So these passwords are not only in practice less secure by huge factors (generally millions time less secure ) but they're not user-friendly in any way.

in short - these policies suck and their wide adoption rate is just a testament to how short-sighted and frankly dull when it comes to any other type of intelligence than mathematical many developers are. Theories about what makes people and data safe are entirely irrelevant to what people actually do. Theory is always superseded by fact. .


Any questions ?

 

[prplchknz]

i tend to use the same 3 passwords for everything. and every semester when we have to change our email password i can never remember what it is because you only have to put in twice a year and i usually end up yelling at the computer.