Password Help

  • Steve,

    I have not used KeePass, but I do use Password Safe. It is a fine product, and the ability to have all my passwords in one place is helpful. I even have a version for home now!

    The funny thing is seeing the look on someone's face when they complain about having too many passwords to remember (usually around 5 or so!) and I tell them that I have more than 500 passwords I have to use. Whether their mouth shuts, or opens fully, I have yet to hear another sound after telling them that.

    It can be quite fun!

    Dave

  • djackson 22568 (6/28/2012)


    I have not used KeePass, but I do use Password Safe. It is a fine product, and the ability to have all my passwords in one place is helpful. I even have a version for home now!

    I'd still be leery about that. What if someone gets into your password account? All eggs in one basket...

  • Steve,

    Excellent. I will be forwarding the link and a quote from the editorial to many in the management of the company I work with as my second job. Folks do not realize the fix they can get themselves into often until it is too late. A few words of simple wisdom can save our friends and colleagues a lot of heartache, and loss.

    Thank you! Very clear and concise.

    M.

    Not all gray hairs are Dinosaurs!

  • But...getting back to the root of the problem. What the hell was LinkedIn.com doing storing hashed passwords without a salt value!!!!!

    This isn't the first time Steve has brought this topic up. Here is my response from before:

    From the editorial "Should You Write Down Your Passwords?" http://www.sqlservercentral.com/Forums/FindPost1017344.aspx

  • I have a different password for everything I log into. When I give other people advice about how to have strong and easy to remember passwords, this is what I suggest.

    First, use some numbers instead of letters. 1 for I, 0 for O, 3 for E, 4 for A, 5 for S, 6 for b, 9 for G. Don't use all of them, just pick one or two and use those in your passwords. So a person might pick 4 for A and 9 for G.

    Second, pick two or three characters that have a meaning to you.

    Third, use the above two with the site name. You can put the two or three characters anywhere.

    For example: my password for SQLServerCentral.com, might be (it's not):

    P9hSQLServerCentr4l

    P9h = Pgh - abbreviation for the city I'm originally from.

    It's easy to remember but not easy to guess; and meets all the normal requirements. 8 characters or more, one Uppercase letter, one lowercase, one number.

    Following those three easy steps, you can make a different password for every site you use. And there's a very slim chance anyone else will come up with that. If the site's name is less than 8 characters (MSN.com), you can repeat the name. MSNP9hMSNP9h

    -SQLBill

  • djackson 22568 (6/28/2012)


    Steve,

    I have not used KeePass, but I do use Password Safe. It is a fine product, and the ability to have all my passwords in one place is helpful. I even have a version for home now!

    The funny thing is seeing the look on someone's face when they complain about having too many passwords to remember (usually around 5 or so!) and I tell them that I have more than 500 passwords I have to use. Whether their mouth shuts, or opens fully, I have yet to hear another sound after telling them that.

    It can be quite fun!

    Continuing in the vein seen previously...

    My password for Password Safe is "Ud*OekJchiahHudshjhDgydgcjhsdgnbfjhcbayksdfdndsgcykdsam c eyuy bewhbafjhyewbc uyewwiauh weoujfew 7fre1f 54ref1qwe6f6er46f51ew41c68er14f564qwer4f4erw54f156erd4f51ed56c165ds1c5ds1c5s0fv 5d1sf5fv1dsa51vc56ds1f56d1f561653fds" so it is unlikely anyone could break it.

    Seriously, one would have to know that I use it, and would have to know how I use it, and would have to hack into it, and would have to have access to the servers and systems I manage and use...

    Security works best by making others a target. An analogy is that when you and I are with a group in the woods and a bear attacks us, I don't have to be the fastest runner, just not the slowest. With security, just being a harder target can be helpful. We still have users who use the underside of their keyboard to store passwords.

    Dave

  • I prefer to use qwerty12345

    Jason...AKA CirqueDeSQLeil
    _______________________________________________
    I have given a name to my pain...MCM SQL Server, MVP
    SQL RNNR
    Posting Performance Based Questions - Gail Shaw
    Learn Extended Events

  • paul.knibbs (6/28/2012)


    The one problem with using KeePass is that it's fine if you're only ever using these passwords from the machine where your password database is stored. Becomes more of an issue if you're on a different machine and can't access that anymore!

    I use Password Safe, synced from Win7 to OSX to iOS through Dropbox. Keeps my passwords everywhere I am.

  • GA Programmer (6/28/2012)


    Having a unique password and/or login to every site is one of those eggheaded ideas that sounds great on paper but has no real practical application in the real world.

    Absolutely disagree. Similar passwords on different sites are bad. A disclosure from one site means that all sites are compromised. How many people crack an XBOX, or Sarah's Cooking Site password list and then immediately start trying those accounts on eBay, Wells Fargo, etc.

    Use a very strong password on your manager, rotate it periodically, and rotate passwords on various sites over time. In 3 years, I've changed my Facebook password 5 times, for different reasons.

  • GSquared (6/28/2012)


    lwheeler (6/28/2012)


    Use keepass with its stored database on a service such as Dropbox. That way it will be available from any pc.

    So long as you can access Dropbox (or whatever online storage you use) from any pc, that works. But, of course, you need to have your Dropbox password, and KeePass password, memorized, changed frequently (or with high enough entropy to not require that), and so on.

    Yep, change the DropBox password regularly.

  • Steve Jones - SSC Editor (6/28/2012)


    GA Programmer (6/28/2012)


    Having a unique password and/or login to every site is one of those eggheaded ideas that sounds great on paper but has no real practical application in the real world.

    Absolutely disagree. Similar passwords on different sites are bad. A disclosure from one site means that all sites are compromised. How many people crack an XBOX, or Sarah's Cooking Site password list and then immediately start trying those accounts on eBay, Wells Fargo, etc.

    Use a very strong password on your manager, rotate it periodically, and rotate passwords on various sites over time. In 3 years, I've changed my Facebook password 5 times, for different reasons.

    I'll add my disagreement. Most sites ask you for an email address and password. I wonder how many people provide the password to their email without thinking about it? Also, if you are using the same password everywhere...all it would take is using your email address along with the password in any site you might be a member of. I am a firm believer in separate passwords for different sites.

    -SQLBill

  • I use 1Password as my password program. The portability is there as the chain and the ability to use it from any computer is available in Dropbox. It also has Android and Apple apps, so I can have it on my phone, from which I can then access my passwords to type in at a computer that is not mine.

    I used the program when I had an iMac, then when I went back to a PC, I made sure the 1Password program went with me. I didn't want a password service that could be hacked by someone and then all my passwords would be compromised.

    I have the program installed on my work computers, but if I couldn't do that then I would use my phone app to access the passwords. It is compatible with Firefox/Chrome/Safari/IE with the extensions installed, so if I go to a website that I have a password set up on, I click a button in the toolbar, 1Password asks me for my master password which I enter, then based on the website, the user name and password are entered by the program and I get logged in.

    The program will generate strong passwords for you and you can tell the program the length, numbers/special characters for the password.

    Christy

  • kevin77 (6/28/2012)


    But...getting back to the root of the problem. What the hell was LinkedIn.com doing storing hashed passwords without a salt value!!!!!

    This isn't the first time Steve has brought this topic up. Here is my response from before:

    From the editorial "Should You Write Down Your Passwords?" http://www.sqlservercentral.com/Forums/FindPost1017344.aspx

    Speaking only for myself, I've never even heard of a salt value, until the LinkedIn hack had occurred. I was surprised to see, at the time, all of the press saying that using a salt value was common practice. That may be, but I still haven't heard of it. Nor, do I admit, am I a security expert.

    Rod
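    Since Rod asks what a salt value is, here is an added illustration (not from any poster in this thread, and not a description of what LinkedIn actually stored) of what a missing salt costs a defender auditing their own user table. The user names, passwords and the "known-weak" list are constructed for the example; SHA-256 stands in for whatever unsalted hash a site might use, and PBKDF2-HMAC-SHA256 with a random per-user salt is the corrected form.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample user table: alice and bob happen to have chosen the
# same password. Nothing here is real account data.
USERS = {
    "alice": "Summer2012",
    "bob": "Summer2012",
    "carol": "P9hSQLServerCentr4l",
}

# Constructed list of passwords an auditor already knows to be weak.
KNOWN_WEAK = ["password", "qwerty12345", "Summer2012", "letmein"]


def unsalted_hash(password: str) -> str:
    """No salt: the digest depends on the password alone, so identical
    passwords give identical digests in every account and every database."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def shared_digest_accounts(digests: List[bytes]) -> int:
    """How many accounts share their digest with at least one other account.
    For an unsalted store this number is visible to anyone holding the dump."""
    counts: Dict[bytes, int] = {}
    for d in digests:
        counts[d] = counts.get(d, 0) + 1
    return sum(c for c in counts.values() if c > 1)


def audit_unsalted(store: Dict[str, str], weak: List[str]) -> Dict[str, str]:
    """Defender-side audit of an unsalted store: hash each known-weak password
    ONCE and match it against every account. The same one-time precomputation
    is exactly what makes an unsalted leak cheap to reverse in bulk."""
    table = {unsalted_hash(w): w for w in weak}
    return {name: table[d] for name, d in store.items() if d in table}


# Corrected form: a random 16-byte salt per user, stretched with PBKDF2.
ITERATIONS = 100_000


def salted_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def store_salted(users: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    return {name: salted_record(pw) for name, pw in users.items()}


def verify_salted(record: Tuple[bytes, bytes], password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, expected = record
    _, actual = salted_record(password, salt)
    return hmac.compare_digest(expected, actual)


def audit_salted(store: Dict[str, Tuple[bytes, bytes]], weak: List[str]) -> Dict[str, str]:
    """With per-user salts there is no shared table: every (account, candidate)
    pair needs its own PBKDF2 run, so the audit costs len(store) * len(weak)
    stretched hashes instead of len(weak) cheap ones."""
    found = {}
    for name, record in store.items():
        for w in weak:
            if verify_salted(record, w):
                found[name] = w
                break
    return found


if __name__ == "__main__":
    plain = store_unsalted(USERS)
    print("unsalted: accounts sharing a digest =",
          shared_digest_accounts([d.encode() for d in plain.values()]))
    print("unsalted weak-password audit:", audit_unsalted(plain, KNOWN_WEAK))

    salted = store_salted(USERS)
    print("salted: accounts sharing a digest =",
          shared_digest_accounts([d for _, d in salted.values()]))
    print("salted weak-password audit:", audit_salted(salted, KNOWN_WEAK))
```

    The audit finds the same two weak accounts either way; the difference is the cost. Unsalted, one hash per candidate password covers the whole table (and every other unsalted table on the Internet). Salted, each account must be attacked separately and each guess pays the full PBKDF2 stretch, which is the property the press coverage Rod mentions was calling "common practice".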

  • Just a followup question. Steve mentioned, in this article, KeePass and Password Safe. Until I read his article I'd never heard of either. So I've done a web search, and am getting results to different websites to download them. That makes me very uncomfortable.

    Bottom line: what are the links to both of these products, please?

    Rod

  • For KeePass:

    http://keepass.info/download.html

Viewing 15 posts - 16 through 30 (of 38 total)