A Windows XP help forum. PCbanter


Those idiot password changes



 
 
  #16  
Old June 13th 18, 04:36 PM posted to alt.comp.os.windows-10,alt.windows7.general
pyotr filipivich
external usenet poster
 
Posts: 752
Default Those idiot password changes

VanguardLH on Tue, 12 Jun 2018 22:21:10 -0500 typed in
alt.windows7.general the following:
T wrote:

I have been bitching about this for ages. Time to rethink mandatory
password changes

https://www.ftc.gov/news-events/blog...ssword-changes

If you pick a good solid password that is not hacked by the
bad guy's first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.

Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.


Use a *different* password at every site (domain). Not some
transformation of the same password but a completely different one.

Use a *different* password at every host (unless it's a workstation on a
domain and you want to reuse your user profile from the PDC).

You could use software but then have to trust someone else with your
passwords, unless they are locally encrypted using a passphrase you
choose (but then you have to remember the passphrase). I prefer to use
an algorithm that I can remember, so I don't need to install the
software (not an option if a host is not your property) everywhere I go.

Always use strong passwords. Not something stupid, like in the Comcast
commercial where the parents tell their kid to set "YouMustStillVisitUs"
as their password.

Don't save passwords in software (e.g., web browsers) other than on the
hosts to which only you have physical access.

Use a different password for the system (BIOS) and OS login. When using
a system password, lock the case.


Now all I need is a record of all the various passwords, with a
strong password needed to access it.
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
  #17  
Old June 13th 18, 04:36 PM posted to alt.comp.os.windows-10,alt.windows7.general
pyotr filipivich
external usenet poster
 
Posts: 752
Default Those idiot password changes

wryutirjgkhmmfioertuyie on Tue, 12 Jun 2018 21:32:13
-0700 typed in alt.windows7.general the following:
On 6/12/2018 7:01 PM, Paul wrote:
wryutirjgkhmmfioertuyie wrote:


W10 allows me to pick a ONE character password on this tablet. So I
picked "p". Sure makes it quick to get into. And reasonably safe
since whomever unlawfully comes into possession of this
tablet would never think of trying anything that easy...


"would never think of trying"


My key words above are "reasonably safe".

Kali, rainbow tables, etc. This is what machines are for. They don't
think. They just grind through the algorithmic possibilities.


I'm not worried about the CIA or a hacker breaking my tablet's password.
Since this tablet seldom leaves the house my greatest danger is losing
it by burglary. And most burglars would not waste time trying to break
my password. They would just reset and sell the tablet as quickly as
possible.

The idea is, you'd boot the tablet with a Kali USB stick and collect
some info. The pwdump command would dump a table of all the accounts
present.


And if my burglar did turn out to be a hacker he would need to be quick
about it. I'd know the device was gone within a few hours and quickly
change my app passwords. Further since I use 2-factor authentication
he'd need my phone to use or change any passwords obtained.

So why make things difficult for me to open my tablet? Excessive
security just wastes my time.

Actually my greatest threat would probably be a grandkid blindly
punching the keyboard one at a time and hitting "p"... 8-O


Bingo.

I had to use an assembly language simulator for a programming
class. Stepping through a loop, I just started "walking across the
keyboard" - avoiding the keys I knew "caused things" {Q for example}.
Found all manner of useful things - m for map memory {dump the current
state to output} was the most useful.


BTW one annoying feature I find about my new Chromebook is that it
REQUIRES a 6 digit pin or my full Google password (13 characters). And
the Google password is required at least once a day. And there is no
automatic locking so if I forget to push the lock key it stays unlocked.
Now THAT IS a real security threat at my age...

--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
  #18  
Old June 13th 18, 04:39 PM posted to alt.comp.os.windows-10,alt.windows7.general
wryutirjgkhmmfioertuyie
external usenet poster
 
Posts: 13
Default Those idiot password changes

On 6/13/2018 5:09 AM, Chris wrote:

I'm surprised no-one has mentioned password managers. You only need
to remember one (secure) password and all your passwords are
available on all your devices.


Safely, securely and under your own control.


Are you SURE?? Any chance they also can be hacked?

https://www.cbsnews.com/news/lastpas...anager-hacked/

And:

"Of course, for every expert who says he can't live without a password
manager, there's another who says he'd gladly go the rest of his life
without ever using one. That's the case for Terry Cutler, co-founder and
chief technology officer of Montreal-based cybersecurity consultancy
Digital Locksmiths.

"I'm not a fan of password-management tools at all," Cutler said in an
email interview. "If the tool got hacked, then all of your codes would
be taken."

Tyler Reguly, manager of security research at cybersecurity firm
Tripwire in Portland, Oregon, agreed with Cutler. He argued that
password managers may do more harm than good, especially for home users.

"Password managers are society's method of moving bad habits to the
computer," Reguly said. "It's bad form to 'write down' passwords, so
instead we 'store' them on our computer. 'Store' is simply the digital
equivalent to 'write down.'"

Figuring out which tools are secure, and which ones aren't, isn't
necessarily an easy task. As Ken Westin, a security researcher with
Tripwire, pointed out, it's hard to know just how secure password
managers really are.

"Personally, I don't trust online password managers," Westin said in an
email message. "This isn't because I think they're insecure; it's
because I don't know how secure they are, how they store my information
and if my data is properly encrypted."

Because of this uncertainty, Westin said he wouldn't store his most
sensitive information in Web-based password managers. For managing
passwords to financial accounts and email accounts, Westin recommended
using a tool that isn't connected to the Internet.

"For maximum safety, the passwords to these services [financial and
email accounts] should be kept in an offline, encrypted password manager
application, like KeePass, that requires authentication to open and is
backed up regularly and securely," Westin said."

https://www.tomsguide.com/us/passwor...ews-19018.html
  #19  
Old June 13th 18, 04:41 PM posted to alt.comp.os.windows-10,alt.windows7.general
wryutirjgkhmmfioertuyie
external usenet poster
 
Posts: 13
Default Those idiot password changes

On 6/13/2018 5:46 AM, Keith Nuttle wrote:

I have three computers, and none have passwords. One never leaves
the upstairs studio


My neighbor's computers were never supposed to leave his house either
except that one day they did... in a burglary.

While my laptop travels it is never left anywhere


And while you and your laptop are traveling those burglars have access
to your unsecured computers. You likely won't be aware of the theft
until you return home days later.

Have a burglar alarm? These days they do smash and grabs. Kick in the
door, and grab the electronics before the cops can get there, in my town
sometimes an hour later. Have a dog? He's dead.

As an aside: My neighbor's wife had her car broken into at work. The
perps took her garage door opener and car registration for her address.
They drove to her house opened the garage door, drove in, shut the door,
and took their time removing all her electronics among other things. I
walked by while it was happening and was unaware. Moral to this story?
Hide your garage door opener and/or remove your address from any
documents in your car.
  #20  
Old June 13th 18, 04:49 PM posted to alt.comp.os.windows-10,alt.windows7.general
nospam
external usenet poster
 
Posts: 4,718
Default Those idiot password changes

In article , pyotr
filipivich wrote:

Now all I need is a record of all the various passwords, with a
strong password needed to access it.


that's called a password manager.
  #21  
Old June 13th 18, 04:49 PM posted to alt.comp.os.windows-10,alt.windows7.general
nospam
external usenet poster
 
Posts: 4,718
Default Those idiot password changes

In article , wryutirjgkhmmfioertuyie
wrote:

On 6/13/2018 5:09 AM, Chris wrote:

I'm surprised no-one has mentioned password managers. You only need
to remember one (secure) password and all your passwords are
available on all your devices.


Safely, securely and under your own control.


Are you SURE?? Any chance they also can be hacked?


nothing is 100% secure. anything can be hacked given sufficient
motivation and resources.

the point is that you're *much* better off with a password manager than
without, if for no other reason than it lets you use *much* *better*
passwords than you otherwise would have.

nobody is going to remember dAEvv@wmJ*5T_!# or 'h9/LMtCTbz7,@R&,
especially when each site is different, so they choose something easy
to remember, such as password, qwerty, 12345, etc., and reuse it on
multiple sites, or in the case of equifax, admin/admin (they really did
that).

https://www.cbsnews.com/news/lastpas...anager-hacked/


the master password was compromised, but not the individual passwords
for each site.

there are also password managers that store locally, not in the cloud,
completely eliminating that attack vector.
  #22  
Old June 13th 18, 04:54 PM posted to alt.comp.os.windows-10,alt.windows7.general
wryutirjgkhmmfioertuyie
external usenet poster
 
Posts: 13
Default Those idiot password changes

On 6/13/2018 8:36 AM, pyotr filipivich wrote:
wryutirjgkhmmfioertuyie on Tue, 12 Jun 2018
21:32:13


Actually my greatest threat would probably be a grandkid blindly
punching the keyboard one at a time and hitting "p"... 8-O


Bingo.

I had to use an assembly language simulator for a programming class.
Stepping through a loop, I just started "walking across the keyboard"
- avoiding the keys I knew "caused things" {Q for example}. Found all
manner of useful things - m for map memory {dump the current state to
output} was the most useful.


Actually I was just trying to be funny. My grandkid would have to hit
ONLY "p" (my password) and "Enter"- in that order - to open my tablet.
Any extra keys would screw things up. So odds are pretty good this
tablet is safe from grandkids too... that is to break into, not to break
up... 8-O

  #23  
Old June 13th 18, 07:13 PM posted to alt.comp.os.windows-10,alt.windows7.general
T
external usenet poster
 
Posts: 4,600
Default Those idiot password changes

On 06/13/2018 08:36 AM, pyotr filipivich wrote:
"J. P. Gilliver (John)" on Wed, 13 Jun 2018
01:45:16 +0100 typed in alt.windows7.general the following:

Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.


Well, best as a combination of security and chance that you'll remember
them. Best for security alone are as near totally random as you can get,
but they're going to be impossible to remember.


I've heard it suggested that you keep an encrypted file on a thumb
drive, and all you do is cut and paste that random phrase to the
password field.


LUKS encrypt the flash drive and Bob's your uncle. Doesn't
work with Windows though.
  #24  
Old June 13th 18, 07:19 PM posted to alt.comp.os.windows-10,alt.windows7.general
T
external usenet poster
 
Posts: 4,600
Default Those idiot password changes

On 06/13/2018 08:41 AM, wryutirjgkhmmfioertuyie wrote:
Have a burglar alarm? These days they do smash and grabs. Kick in the
door, and grab the electronics before the cops can get there, in my town
sometimes an hour later. Have a dog? He's dead.


Fortunately, I live in a place where most leave their doors
(car and house) unlocked. Any a** h*** who breaks into my or my
neighbors better be able to run a lot faster than 800 feet per
second. (It is open season on a** h***s out here and they
know it.) It is a nice place to live.

That being said, my office computer is LUKS encrypted
to protect both my and my customers' sensitive information.


  #25  
Old June 13th 18, 07:21 PM posted to alt.comp.os.windows-10,alt.windows7.general
T
external usenet poster
 
Posts: 4,600
Default Those idiot password changes

On 06/13/2018 06:32 AM, SilverSlimer wrote:
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.


Run-on sentences are an excellent idea, I'll have to try that.


Throw some spaces in too.

"All Hail Todd!" is already taken. What??? No I don't use that
password and I am not stupid enough to write it on the Internet.
  #26  
Old June 13th 18, 08:36 PM posted to alt.comp.os.windows-10,alt.windows7.general
Chris
external usenet poster
 
Posts: 832
Default Those idiot password changes

wryutirjgkhmmfioertuyie wrote:
On 6/13/2018 5:09 AM, Chris wrote:

I'm surprised no-one has mentioned password managers. You only need
to remember one (secure) password and all your passwords are
available on all your devices.


Safely, securely and under your own control.


Are you SURE?? Any chance they also can be hacked?

https://www.cbsnews.com/news/lastpas...anager-hacked/


The two products I mentioned (KeePass and Enpass) don't use an online
server, so are immune to that type of hack.

I tried to hack my own database file and despite even knowing my own
password I wasn't able to get access to it.

Nothing is perfectly secure, but I'm way down the list of easy targets.

And:

[Snip]
"For maximum safety, the passwords to these services [financial and
email accounts] should be kept in an offline, encrypted password manager
application, like KeePass, that requires authentication to open and is
backed up regularly and securely," Westin said."

https://www.tomsguide.com/us/passwor...ews-19018.html


Which is exactly as I was recommending. The best password managers are ones
with encrypted database files that are stored locally.




  #27  
Old June 13th 18, 08:41 PM posted to alt.comp.os.windows-10,alt.windows7.general
Chris
external usenet poster
 
Posts: 832
Default Those idiot password changes

T wrote:
On 06/13/2018 08:36 AM, pyotr filipivich wrote:
"J. P. Gilliver (John)" on Wed, 13 Jun 2018
01:45:16 +0100 typed in alt.windows7.general the following:

Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.

Well, best as a combination of security and chance that you'll remember
them. Best for security alone are as near totally random as you can get,
but they're going to be impossible to remember.


I've heard it suggested that you keep an encrypted file on a thumb
drive, and all you do is cut and paste that random phrase to the
password field.


LUKS encrypt the flash drive and Bob's your uncle. Doesn't
work with Windows though.


Best hope you don't lose it

  #28  
Old June 13th 18, 09:17 PM posted to alt.comp.os.windows-10,alt.windows7.general
SilverSlimer
external usenet poster
 
Posts: 56
Default Those idiot password changes

On Wed, 13 Jun 2018 11:21:42 -0700, T wrote:

On 06/13/2018 06:32 AM, SilverSlimer wrote:
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.


Run-on sentences are an excellent idea, I'll have to try that.


Throw some spaces in too.

"All Hail Todd!" is already taken. What??? No I don't use that
password and I am not stupid enough to write it on the Internet.


If they're allowed, that's a pretty good idea too.
  #29  
Old June 13th 18, 11:39 PM posted to alt.comp.os.windows-10,alt.windows7.general
wryutirjgkhmmfioertuyie
external usenet poster
 
Posts: 13
Default Those idiot password changes

On 6/13/2018 11:19 AM, T wrote:

Any a** h*** who breaks into my or my neighbors better be able to run
a lot faster than 800 feet per second.


Problem is burglars check to see if you're home before breaking in. Thus
there's usually nobody there to shoot at when you get home and find your
stuff missing.

  #30  
Old June 13th 18, 11:39 PM posted to alt.comp.os.windows-10,alt.windows7.general
wryutirjgkhmmfioertuyie
external usenet poster
 
Posts: 13
Default Those idiot password changes

On 6/13/2018 12:36 PM, Chris wrote:

The two products I mentioned (KeePass and Enpass) don't use an
online server, so are immune to that type of hack...


The best password managers are ones with encrypted database files
that are stored locally.


But apparently they are not immune to local corruption either:

"KeePass has quite some features to avoid database file corruption"...

...."However, data corruption can still be caused by other programs, the
system or broken storage devices"...

...."KeePass of course can't do anything when the data becomes
corrupted/unreadable at a later point of time"

https://keepass.info/help/base/repair.html

Dunno. That sounds a bit scary to me. I can't imagine the problems I'd
have if I lost all my passwords in one crash and couldn't log in
anymore. Also I'd be nervous about putting all my passwords in some
strange software's hands. Who knows for sure what it really does
(paranoia on). YMMV.

I just use a simple formula that includes certain place number
characters of the web site intermingled with employee numbers from past
employment. I keep the formula in my head so don't have to write the
full passwords down. It's certainly not 30 character strong but with
two-factor authentication (on the sensitive sites) it's reasonably
secure. YMMV.
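
The thread raises the risk of losing every password when a locally stored database file is corrupted, and the quoted advice is to keep it "backed up regularly and securely". As an added example (not part of any post here and not KeePass's own code), this Python script keeps several hash-verified generations of a vault file; the file names, the `keep` count and the sample bytes are assumptions constructed for the demonstration.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file; password databases are small enough to read in one go."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def backup_vault(vault: Path, backup_dir: Path, keep: int = 5):
    """Store a new verified generation, then prune the oldest beyond `keep`.
    Returns the new backup's path, or None if the vault has not changed."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    current = sha256_file(vault)
    generations = sorted(backup_dir.glob("vault-*.bak"))
    number = 1
    if generations:
        newest = generations[-1]
        if newest.with_suffix(".sha256").read_text().strip() == current:
            return None  # nothing changed since the last backup
        number = int(newest.stem.split("-")[1]) + 1
    target = backup_dir / f"vault-{number:06d}.bak"
    shutil.copy2(vault, target)
    # Re-read the copy: a failing stick or full disk shows up now, not on restore day.
    if sha256_file(target) != current:
        target.unlink()
        raise OSError(f"copy of {vault} does not match the original")
    target.with_suffix(".sha256").write_text(current + "\n")
    for old in (generations + [target])[:-max(keep, 1)]:
        old.with_suffix(".sha256").unlink(missing_ok=True)
        old.unlink()
    return target


def damaged_backups(backup_dir: Path) -> list:
    """Return generations whose bytes no longer match their recorded hash."""
    return [b for b in sorted(backup_dir.glob("vault-*.bak"))
            if sha256_file(b) != b.with_suffix(".sha256").read_text().strip()]


def demo() -> dict:
    """Constructed run: throwaway bytes stand in for a real database file."""
    with tempfile.TemporaryDirectory() as tmp:
        vault, backups = Path(tmp, "passwords.kdbx"), Path(tmp, "backups")
        vault.write_bytes(b"constructed contents v1")
        first = backup_vault(vault, backups, keep=2)
        unchanged = backup_vault(vault, backups, keep=2)
        for version in (b"v2", b"v3"):
            vault.write_bytes(b"constructed contents " + version)
            backup_vault(vault, backups, keep=2)
        kept = sorted(p.name for p in backups.glob("vault-*.bak"))
        (backups / kept[0]).write_bytes(b"bit rot")  # simulate a damaged backup
        return {"first": first.name, "unchanged": unchanged, "kept": kept,
                "bad": [p.name for p in damaged_backups(backups)]}


if __name__ == "__main__":
    print(demo())
```

The hash only proves a backup still matches the file as it was when copied; if the live file was already damaged at that point, an older generation is the one to restore, which is why more than one is kept.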
 










All times are GMT +1. The time now is 07:43 PM.

