June 27, 2012 at 9:23 pm
Comments posted to this topic are about the item Password Help
June 28, 2012 at 1:47 am
It's so much easier to use long and intricate passwords if you can type.
June 28, 2012 at 4:17 am
I did try using passphrases myself at some point (http://xkcd.com/936/) however unfortunately when you get to that length it typically takes 3 tries on a good day to type the things out right. Guess I'll have to stick to using 'password' everywhere - no-one will guess anything that obvious.
June 28, 2012 at 6:14 am
The one problem with using KeePass is that it's fine if you're only ever using these passwords from the machine where your password database is stored. Becomes more of an issue if you're on a different machine and can't access that anymore!
June 28, 2012 at 6:30 am
Keepers are fine, if you care
For LinkedIn? My PW is password (or Passw0rd, if they are more pesky)
For my Bank login? password isn't gonna go there, that's where I use a keeper
90% of my passwords are Passw0rd or password, cause I just find it an annoyance, and really don't care
And yes, Facebook is one of them.... All the social "junk", pretty much all that don't hit my bank account (With financial impact, view only, back to password...)
I'd prefer something other than a password to authenticate, possibly a "Global Id" linked to the smart phone (And yes, there are downsides and privacy concerns, many could be worked around)
If I could just link up my computer with my phone, and just surf... Let them work out one time codes that identify me. No annoying "log in to whatever", just keep going
June 28, 2012 at 6:47 am
I have the self contained version of KeyPass installed on my flash drive I carry with me. That way I can run the program from the flash drive no matter what computer I happen to be using.
Bill Soranno
MCP, MCTS, MCITP DBA
Database Administrator
Winona State University
Maxwell 143
"Quality, like Success, is a Journey, not a Destination" - William Soranno '92
June 28, 2012 at 6:49 am
I'm not surprised.
I knew a couple of years ago that Linkin was going to have security issues considering their lack of response to several rounds of spam and other annoyances, I canceled my account. Like 90% of security problems, this is a management issue.
June 28, 2012 at 6:57 am
We are rolling out an intranet AD-auth password store after increasing numbers of us have started using keepass and one or two other password stores in work. This will really help educate users on the practice of having stronger, more varied passwords.
I have one password that I use variations of for most day to day things, but then I randomly generate passwords for sites where security is more important and these all go in keepass. My keepass has a passphrase and key to access it with the database file and the key stored in dropbox folders. I'm a bit paranoid about passwords so I often play coy about naming where the login is for so that even if someone cracked the database files (which I worry about with a program where the code is downloadable and interragatable) they still would have to work a fair bit to match the logins to the right site and all my banking sites have a further auth step which isn't ever stored on my keepass.
June 28, 2012 at 6:59 am
William Soranno (6/28/2012)
I have the self contained version of KeyPass installed on my flash drive I carry with me. That way I can run the program from the flash drive no matter what computer I happen to be using.
...and therein lies the crux of the matter. The solution cannot be based on something that people are not allowed to use in all circumstances. I am often on client sites where I would be immediately escorted offsite (after a serious grilling and an inspection of the machines used, if not me physically) if I tried to install software or plug in a USB key.
I thought that a federated security system would do it but no. Every site has to hand roll their own security.
To keep the theme going the password that I use is "1fY0uB3l13v3Th1sTh3nY0uAr3..." 😉
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
June 28, 2012 at 8:17 am
Not only do you need to be able to access the password manager, but if someone cracks your password manager password, they
a) have a list of every online account you have and
b) now have access to every one of them.
Having a unique password and/or login to every site is one of those eggheaded ideas that sounds great on paper but has no real practical application in the real world.
I know I easily have over 100 online accounts in one form or another - there is no way that I could possibly have 100 passwords that I could remember. I would rather they have access to a small subset of my passwords than all of them!
June 28, 2012 at 8:27 am
Good topic, Steve, and a tough one. I just don't see a clean, easy, solution, although I do appreciate your listing those 2 password managers (I've never heard of either). Each solution I see has problems. I could put all my accounts and passwords onto my phone; but what if my phone gets stolen. I could use one of these 2 password managers; but what if the program or its database gets corrupted, my hard drive fails, etc? My wife said that paper day planners have a section for this very purpose; but what if that gets stolen? I could write everything down in a small notebook; but what if I loose that? I'll be interested to see how this conversation plays out.
Rod
June 28, 2012 at 8:48 am
Use keepass with its stored database on a service such as Dropbox. That way it will be available from any pc.
June 28, 2012 at 8:52 am
lwheeler (6/28/2012)
Use keepass with its stored database on a service such as Dropbox. That way it will be available from any pc.
So long as you can access Dropbox (or whatever online storage you use) from any pc, that works. But, of course, you need to have your Dropbox password, and KeePass password, memorized, changed frequently (or with high enough entropy to not require that), and so on.
- Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
Property of The Thread
"Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon
June 28, 2012 at 9:26 am
I use KeePass and encourage it's use to anyone I help out who runs into password troubles.
In terms of portability, there are versions for almost every platform out there, including phones. So if you can't use a flash drive have it on your phone. Yes, it's definitely harder to transcribe it from your phone, but it's manageable.
If you are concerned about one file having all you passwords, then break it in to two files one for high security and one for low security. The other option is to just make this one of your handful of really secure passwords that you simply need to remember to get in to your "machines". Machine login(s) and then your password safe login.
I have two files one for work and one for home, both are relatively secure passwords. To mitigate the possibility of losing everything with one file, I have a self enforced process of syncing the password file from my computer to my flash drive every time I change my password. For work, this has bailed me out twice after changing my login password which IT requires relatively high complexity and way too frequent of changes. I didn't end up using it enough that day that I changed it and muscle memory was still on the previous password. I came in the next day and blanked. Fortunately it was easy enough to bring up KeePass on a different computer and check my password. That has helped cement my process to ensure I have it synced after a password change.
June 28, 2012 at 9:28 am
I use a system of passwords, generated according to a fixed set of rules, that are easy to remember but impossible to guess. It's easy enough to think up such a system and adhere to it. I use one password from the system for all junk accounts that require me to log in, but where I have no data of any real value, like this one. For all others, I use unique passwords from the system and have never had any trouble using or remembering, and have never had an account hacked.
The trick is to use stuff that means something to you, but even people who know you would not be able to guess. For instance, if you're a football freak, the name of the team, combined with the jersey number and name of the quarterback, separated by plus signs, second and next-to-last letter of the team name capitalized, first and third letter of the QB's name capitalized, e.g. cOwboYs+9+RoMo.
No password guesser will ever hit something like that, nor will it be in any list of commonly used passwords, and your memory cue, which you can even safely write down is simply 'Dallas'. You adhere to the rules, which you can make as complex as you like, and the simple cue will give you the jog needed to reconstruct the password any time you need it, without actually having to remember it. It needn't be football, and isn't for me - I have very little interest in the game, but if you use something that DOES interest you, and contains such things that you remember without trying, BECAUSE it interests you, you will have an extremely safe and extremely easy to use system for creating and using secure passwords.
Viewing 15 posts - 1 through 15 (of 38 total)
You must be logged in to reply to this topic. Login to reply