#16
Those idiot password changes

VanguardLH on Tue, 12 Jun 2018 22:21:10 -0500 typed in alt.windows7.general the following:

> T wrote:
>
>> I have been bitching about this for ages. Time to rethink mandatory password changes
>> https://www.ftc.gov/news-events/blog...ssword-changes
>>
>> If you pick a good solid password that is not hacked by the bad guys' first attempt at running tables at you, why change your password just to give him a second chance to find you in his tables? Changing your passwords constantly is not a good security feature.
>>
>> Keep in mind though that picking an easy password is even worse. The best ones are run on phrases. Mine are up to 30 characters.
>
> Use a *different* password at every site (domain). Not some transformation of the same password but a completely different one.
>
> Use a *different* password at every host (unless it's a workstation on a domain and you want to reuse your user profile from the PDC).
>
> You could use software but then have to trust someone else with your passwords, unless they are locally encrypted using a passphrase you choose (but then you have to remember the passphrase). I prefer to use an algorithm that I can remember, so I don't need to install the software (not an option if a host is not your property) everywhere I go.
>
> Always use strong passwords. Not something stupid, like in the Comcast commercial where the parents tell their kid to set "YouMustStillVisitUs" as their password.
>
> Don't save passwords in software (e.g., web browsers) other than on the hosts to which only you have physical access.
>
> Use a different password for the system (BIOS) and OS login. When using a system password, lock the case.

Now all I need is a record of all the various passwords, with a strong password needed to access it.

-- 
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
#17
Those idiot password changes

wryutirjgkhmmfioertuyie on Tue, 12 Jun 2018 21:32:13 -0700 typed in alt.windows7.general the following:

> On 6/12/2018 7:01 PM, Paul wrote:
>
>> wryutirjgkhmmfioertuyie wrote:
>>
>>> W10 allows me to pick a ONE character password on this tablet. So I picked "p". Sure makes it quick to get into. And reasonably safe since whoever unlawfully comes into possession of this tablet would never think of trying anything that easy...
>>
>> "would never think of trying"
>
> My key words above are "reasonably safe".
>
>> Kali, rainbow tables, etc. This is what machines are for. They don't think. They just grind through the algorithmic possibilities.
>
> I'm not worried about the CIA or a hacker breaking my tablet's password. Since this tablet seldom leaves the house my greatest danger is losing it by burglary. And most burglars would not waste time trying to break my password. They would just reset and sell the tablet as quickly as possible.
>
>> The idea is, you'd boot the tablet with a Kali USB stick and collect some info. The pwdump command would dump a table of all the accounts present.
>
> And if my burglar did turn out to be a hacker he would need to be quick about it. I'd know the device was gone within a few hours and quickly change my app passwords. Further, since I use 2-factor authentication he'd need my phone to use or change any passwords obtained. So why make things difficult for me to open my tablet? Excessive security just wastes my time.
>
> Actually my greatest threat would probably be a grandkid blindly punching the keyboard one at a time and hitting "p"... 8-O

Bingo. I had to use an assembly language simulator for a programming class. Stepping through a loop, I just started "walking across the keyboard" - avoiding the keys I knew "caused things" (Q for example). Found all manner of useful things - m for map memory (dump the current state to output) was the most useful.

BTW one annoying feature I find about my new Chromebook is that it REQUIRES a 6 digit pin or my full Google password (13 characters). And the Google password is required at least once a day. And there is no automatic locking, so if I forget to push the lock key it stays unlocked. Now THAT IS a real security threat at my age...

-- 
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
#18
Those idiot password changes

On 6/13/2018 5:09 AM, Chris wrote:

> I'm surprised no-one has mentioned password managers. You only need to remember one (secure) password and all your passwords are available on all your devices. Safely, securely and under your own control.

Are you SURE?? Any chance they also can be hacked?

https://www.cbsnews.com/news/lastpas...anager-hacked/

And:

"Of course, for every expert who says he can't live without a password manager, there's another who says he'd gladly go the rest of his life without ever using one. That's the case for Terry Cutler, co-founder and chief technology officer of Montreal-based cybersecurity consultancy Digital Locksmiths.

"I'm not a fan of password-management tools at all," Cutler said in an email interview. "If the tool got hacked, then all of your codes would be taken."

Tyler Reguly, manager of security research at cybersecurity firm Tripwire in Portland, Oregon, agreed with Cutler. He argued that password managers may do more harm than good, especially for home users.

"Password managers are society's method of moving bad habits to the computer," Reguly said. "It's bad form to 'write down' passwords, so instead we 'store' them on our computer. 'Store' is simply the digital equivalent to 'write down.'"

Figuring out which tools are secure, and which ones aren't, isn't necessarily an easy task. As Ken Westin, a security researcher with Tripwire, pointed out, it's hard to know just how secure password managers really are.

"Personally, I don't trust online password managers," Westin said in an email message. "This isn't because I think they're insecure; it's because I don't know how secure they are, how they store my information and if my data is properly encrypted."

Because of this uncertainty, Westin said he wouldn't store his most sensitive information in Web-based password managers. For managing passwords to financial accounts and email accounts, Westin recommended using a tool that isn't connected to the Internet.

"For maximum safety, the passwords to these services [financial and email accounts] should be kept in an offline, encrypted password manager application, like KeePass, that requires authentication to open and is backed up regularly and securely," Westin said."

https://www.tomsguide.com/us/passwor...ews-19018.html
#19
Those idiot password changes

On 6/13/2018 5:46 AM, Keith Nuttle wrote:

> I have three computers, and none have passwords. One never leaves the upstairs studio

My neighbor's computers were never supposed to leave his house either, except that one day they did... in a burglary.

> While my laptop travels it is never left anywhere

And while you and your laptop are traveling, those burglars have access to your unsecured computers. You likely won't be aware of the theft until you return home days later.

Have a burglar alarm? These days they do smash and grabs. Kick in the door, and grab the electronics before the cops can get there, in my town sometimes an hour later. Have a dog? He's dead.

As an aside: My neighbor's wife had her car broken into at work. The perps took her garage door opener and car registration for her address. They drove to her house, opened the garage door, drove in, shut the door, and took their time removing all her electronics among other things. I walked by while it was happening and was unaware.

Moral to this story? Hide your garage door opener and/or remove your address from any documents in your car.
#20
Those idiot password changes

In article , pyotr filipivich wrote:

> Now all I need is a record of all the various passwords, with a strong password needed to access it.

that's called a password manager.
#21
Those idiot password changes

In article , wryutirjgkhmmfioertuyie wrote:

> On 6/13/2018 5:09 AM, Chris wrote:
>
>> I'm surprised no-one has mentioned password managers. You only need to remember one (secure) password and all your passwords are available on all your devices. Safely, securely and under your own control.
>
> Are you SURE?? Any chance they also can be hacked?

nothing is 100% secure. anything can be hacked given sufficient motivation and resources.

the point is that you're *much* better off with a password manager than without, if for no other reason than that it lets you use *much* *better* passwords than you otherwise would have.

nobody is going to remember dAEvv@wmJ*5T_!# or 'h9/LMtCTbz7,@R&, especially when each site is different, so they choose something easy to remember, such as password, qwerty, 12345, etc., and reuse it on multiple sites, or in the case of equifax, admin/admin (they really did that).

> https://www.cbsnews.com/news/lastpas...anager-hacked/

the master password was compromised, but not the individual passwords for each site.

there are also password managers that store locally, not in the cloud, completely eliminating that attack vector.
#22
Those idiot password changes

On 6/13/2018 8:36 AM, pyotr filipivich wrote:

> wryutirjgkhmmfioertuyie on Tue, 12 Jun 2018 21:32:13
>
>> Actually my greatest threat would probably be a grandkid blindly punching the keyboard one at a time and hitting "p"... 8-O
>
> Bingo. I had to use an assembly language simulator for a programming class. Stepping through a loop, I just started "walking across the keyboard" - avoiding the keys I knew "caused things" (Q for example). Found all manner of useful things - m for map memory (dump the current state to output) was the most useful.

Actually I was just trying to be funny. My grandkid would have to hit ONLY "p" (my password) and "Enter" - in that order - to open my tablet. Any extra keys would screw things up. So odds are pretty good this tablet is safe from grandkids too... that is, to break into, not to break up... 8-O
#23
Those idiot password changes

On 06/13/2018 08:36 AM, pyotr filipivich wrote:

> "J. P. Gilliver (John)" on Wed, 13 Jun 2018 01:45:16 +0100 typed in alt.windows7.general the following:
>
>>> Keep in mind though that picking an easy password is even worse. The best ones are run on phrases. Mine are up to 30 characters.
>>
>> Well, best as a combination of security and chance that you'll remember them. Best for security alone are as near totally random as you can get, but they're going to be impossible to remember.
>
> I've heard it suggested that you keep an encrypted file on a thumb drive, and all you do is cut and paste that random phrase to the password field.

LUKS encrypt the flash drive and Bob's Your Uncle. Doesn't work with Windows though.
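The trade-off argued over in this thread (a one-character password in #17, a 30-character phrase in #16, and the random strings a password manager can hold in #21) can be put in numbers. The script below is an added example, not code from any poster; the short word list and the 1e10 guesses/second offline cracking rate are constructed assumptions, and the 7776-word figure is the size of a standard diceware list.

```python
"""Entropy of the password styles debated in this thread: a single
character, a phrase built from dictionary words, and the random strings
a password manager can store.  Constructed example; not from the thread."""
import math
import secrets
import string

# Constructed stand-in for a real diceware list; a real one has 7776 words,
# so WORDS_IN_REAL_LIST is what the entropy figures below are based on.
WORDLIST = ["correct", "horse", "battery", "staple", "tablet", "panel", "graft", "uncle"]
WORDS_IN_REAL_LIST = 7776
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of entropy for `picks` independent uniform choices from `pool_size` options."""
    return picks * math.log2(pool_size)


def random_password(length: int = 15) -> str:
    """What a manager generates: uniform over 94 printable symbols, CSPRNG-backed."""
    return "".join(secrets.choice(PRINTABLE) for _ in range(length))


def random_passphrase(words: int = 6, wordlist=WORDLIST) -> str:
    """Memorable alternative. Its entropy is per word chosen, not per letter typed."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate; 1e10/s is an assumed offline rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare() -> dict:
    """Entropy (bits) of each style from the thread, under the stated assumptions."""
    return {
        # Post #17: a single lowercase letter "p".
        "one lowercase char": entropy_bits(26, 1),
        # Post #16: a ~30-character phrase.  At ~5 letters per word that is 6 words,
        # and an attacker trying word combinations faces 6 picks from the list,
        # not 30 independent letters.
        "6 words from 7776-word list": entropy_bits(WORDS_IN_REAL_LIST, 6),
        "same 30 chars if they were random letters": entropy_bits(26, 30),
        # Post #21: dAEvv@wmJ*5T_!# style, 15 random printable characters.
        "15 random printable chars": entropy_bits(94, 15),
    }


if __name__ == "__main__":
    for style, bits in compare().items():
        print(f"{style:45s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.2e} years")
    print("manager-style password:", random_password())
    print("passphrase (toy list):", random_passphrase())
```

The phrase row is the caveat for the "30 characters" argument: a phrase of common words is guessed word by word, so its strength is closer to 78 bits than to the 141 bits that 30 random letters would give, though still far beyond anything a single character offers.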
#24
Those idiot password changes

On 06/13/2018 08:41 AM, wryutirjgkhmmfioertuyie wrote:

> Have a burglar alarm? These days they do smash and grabs. Kick in the door, and grab the electronics before the cops can get there, in my town sometimes an hour later. Have a dog? He's dead.

Fortunately, I live in a place where most leave their doors (car and house) unlocked. Any a** h*** who breaks into my or my neighbors' better be able to run a lot faster than 800 feet per second. (It is open season on a** h***s out here and they know it.) It is a nice place to live.

That being said, my office computer is LUKS encrypted to protect both my and my customers' sensitive information.
#25
Those idiot password changes

On 06/13/2018 06:32 AM, SilverSlimer wrote:

>> Keep in mind though that picking an easy password is even worse. The best ones are run on phrases. Mine are up to 30 characters.
>
> Run-on sentences are an excellent idea, I'll have to try that.

Throw some spaces in too.

> "All Hail Todd!" is already taken.

What??? No, I don't use that password and I am not stupid enough to write it on the Internet.
#26
Those idiot password changes

wryutirjgkhmmfioertuyie wrote:

> On 6/13/2018 5:09 AM, Chris wrote:
>
>> I'm surprised no-one has mentioned password managers. You only need to remember one (secure) password and all your passwords are available on all your devices. Safely, securely and under your own control.
>
> Are you SURE?? Any chance they also can be hacked?
>
> https://www.cbsnews.com/news/lastpas...anager-hacked/

The two products I mentioned (Keepass and enpass) don't use an online server, so are immune to that type of hack. I tried to hack my own database file and despite even knowing my own password I wasn't able to get access to it. Nothing is perfectly secure, but I'm way down the list of easy targets.

> And:
>
> [Snip]
>
> "For maximum safety, the passwords to these services [financial and email accounts] should be kept in an offline, encrypted password manager application, like KeePass, that requires authentication to open and is backed up regularly and securely," Westin said."
>
> https://www.tomsguide.com/us/passwor...ews-19018.html

Which is exactly as I was recommending. The best password managers are ones with encrypted database files that are stored locally.
#27
Those idiot password changes

T wrote:

> On 06/13/2018 08:36 AM, pyotr filipivich wrote:
>
>> "J. P. Gilliver (John)" on Wed, 13 Jun 2018 01:45:16 +0100 typed in alt.windows7.general the following:
>>
>>>> Keep in mind though that picking an easy password is even worse. The best ones are run on phrases. Mine are up to 30 characters.
>>>
>>> Well, best as a combination of security and chance that you'll remember them. Best for security alone are as near totally random as you can get, but they're going to be impossible to remember.
>>
>> I've heard it suggested that you keep an encrypted file on a thumb drive, and all you do is cut and paste that random phrase to the password field.
>
> LUKS encrypt the flash drive and Bob's Your Uncle. Doesn't work with Windows though.

Best hope you don't lose it.
#28
Those idiot password changes

On Wed, 13 Jun 2018 11:21:42 -0700, T wrote:

> On 06/13/2018 06:32 AM, SilverSlimer wrote:
>
>>> Keep in mind though that picking an easy password is even worse. The best ones are run on phrases. Mine are up to 30 characters.
>>
>> Run-on sentences are an excellent idea, I'll have to try that.
>
> Throw some spaces in too.
>
>> "All Hail Todd!" is already taken.
>
> What??? No, I don't use that password and I am not stupid enough to write it on the Internet.

If they're allowed, that's a pretty good idea too.
#29
Those idiot password changes

On 6/13/2018 11:19 AM, T wrote:

> Any a** h*** who breaks into my or my neighbors' better be able to run a lot faster than 800 feet per second.

Problem is, burglars check to see if you're home before breaking in. Thus there's usually nobody there to shoot at when you get home and find your stuff missing.
#30
Those idiot password changes

On 6/13/2018 12:36 PM, Chris wrote:

> The two products I mentioned (Keepass and enpass) don't use an online server, so are immune to that type of hack... The best password managers are ones with encrypted database files that are stored locally.

But apparently they are not immune to local corruption either:

"KeePass has quite some features to avoid database file corruption"...

...."However, data corruption can still be caused by other programs, the system or broken storage devices"...

...."KeePass of course can't do anything when the data becomes corrupted/unreadable at a later point of time"

https://keepass.info/help/base/repair.html

Dunno. That sounds a bit scary to me. I can't imagine the problems I'd have if I lost all my passwords in one crash and couldn't log in anymore. Also I'd be nervous about putting all my passwords in some strange software's hands. Who knows for sure what it really does (paranoia on). YMMV.

I just use a simple formula that includes certain place number characters of the web site intermingled with employee numbers from past employment. I keep the formula in my head so I don't have to write the full passwords down. It's certainly not 30 character strong, but with two-factor authentication (on the sensitive sites) it's reasonably secure. YMMV.