Slashdot Mirror


Users feel Password Rage

Pcol writes "The Baltimore Sun is reporting on Password Rage, the frustration users have with the abundance of codes they are required to memorize. Some cope by remembering their passwords with the help of a tune or a phrase, some use three or four levels of passwords with the most complex protecting financial information, and others keep all their passwords in a database - protected by a password. Security experts say that with the increased use of biometrics, our reliance on passwords will lessen in the future. Until then, it's ok to cheat - but wisely."

8 of 388 comments

  1. Keychain by Macgoon · · Score: 3, Informative

    Built into every Mac is a utility called Keychain that remembers all your passwords for you. Of course you can get add-ons for Windows that give the same functionality for a price...

  2. But where do you draw the line? by reachinmark · · Score: 5, Informative

    Banks in Sweden are currently running a new BankID system. You can use this to access several government facilities, including submitting claims for sick leave and possibly (in the future) voting, over the internet. The password protection? Your certificate must be unlocked with a password that is at least 12 but at most 16 characters, of which at least 3 must be digits, and 4 alphabetical characters. Oh, and you can't simply repeat a word two or three times - they check for that. The end result? A password so annoyingly difficult to remember that of course everyone has it written on a post-it note by their keyboard.

    Now THAT gives me password-rage.

  3. Re:Password rage? Try password-phobia. by CommieOverlord · · Score: 4, Informative

    Because no password is uncrackable. One issue about cryptography is that things don't have to be uncrackable, so long as by the time they are cracked it is irrelevant.

    If it's possible to crack your password in 7 months but you change it every 6, then the cracked password is useless. If you never change your password it can always be cracked.

  4. Re:USB keys by curious.corn · · Score: 4, Informative

    Those are smartcards you are talking about. They contain a small general purpose microprocessor and special storage for OS and data. Once locked, data cannot be read out of the device but only used within the programs stored within. It appals me that those things aren't ubiquitous and/or used for POS C/C systems. Some cryptanalysts managed to weasel some data out of them only by physically interfering with the operating device to cause program execution failures (heating or EM interference). Still much safer than a crummy magnetic strip and a numeric code.

    --
    I wonder who is the instigator behind all the bullshit I do - Altan

  5. Re:Password rage? Try password-phobia. by Felinoid · · Score: 3, Informative

    From "Outside the inner circle"
    The book gets into details of the 'bad things' that could happen.

    Some quick answers:
    "Why would anyone want my account I just post pictures of my cat"
    "Because some people are jerks, some people hate cats, some people hate FTP and some people can "make better use" of your account by distributing illegal or immoral material such as pirated software, MP3s, child porn or plans for bombs.
    Then you take the blame."

    "It's just an FTP account, what could anyone possibly do with that?"
    "Besides distributing illegal material (child porn, bomb instructions) FTP is very powerful and contains a number of powerful features that could be used by people who know how FTP works to gain more access to the system."

    "They couldn't access your root/admin from my account could they?"
    "There is a whole book on the subject"

    --
    I don't actually exist.

  6. Keyring for PalmOS by arth33 · · Score: 5, Informative

    Just protects the passwords so you don't have to lock down your whole PDA all the time (I don't really care if someone nabs my schedule/phone list). It works really well, and seems to be written with security in mind (as opposed to ease of use). According to the website, it uses "secure triple-DES encryption using a 112-bit key derived from the password". And the best part: it's open source. Pick it up here: http://gnukeyring.sourceforge.net/

  7. Password Safe is free by mnemonic_ · · Score: 3, Informative

    I've never used Keychain so I'm not exactly sure what its functionality is like. Many months ago an article in 2600 magazine informed me of "password bag" applications, software that stores multiple passwords in a file which is only accessible through a master password. Perhaps this is somewhat like Keychain?

    One such application for Windows is Password Safe. It is free and open source. It stores all of a user's passwords in an encrypted database that is accessed with a "safe combination" (just another password). It then displays a table of all the stored accounts with accompanying usernames (it does not display the passwords by default). The user double clicks an entry and the corresponding password is copied to the clipboard. It can also generate passwords with some options to set their parameters (only uppercase letters, use symbols etc.).

    I've been using Password Safe for several months and have found it incredibly convenient and well designed. Since it never actually displays the passwords on the screen, I can use it in public environments, and the encrypted database file can be easily transferred using a floppy.

    P.S. I've found it unwise to use a different password for everything, relying on Password Safe for each one. I've now switched to using different passwords for things involving money, and for stuff like slashdot, gamespy and various messageboard accounts using a single password.

  8. Apple's Keychain by EelBait · · Score: 4, Informative

    Apple has a nice solution to the password problem in their Keychain. The Keychain was originally part of the Mac OS back in 1993 with System 7 Pro, part of the AOCE toolkit. Most of AOCE has been abandoned, but a few pieces survive.

    The keychain is basically a small, encrypted database with an accompanying API that software developers can use to store passwords. The keychain itself is locked with one's login password. Basically, when one logs in, the keychain is unlocked, and various applications can retrieve the credentials that were previously written into the keychain.

    Apple uses this for storing various passwords for email, file servers, as well as passwords for web sites accessed from Safari. The Camino web browser also uses it. The SSH Agent program stores my passphrase for unlocking my ssh private key.

    Using the Keychain application, users can use it to store secured notes. I use this feature for storing credit card PINs and other things that do not use the Keychain API.

    One thing that would be really nice would be if software developers would use the keychain to store their serial numbers. Since I make backups of my keychain, having all my software serial numbers stored in one place would make a system rebuild a lot easier since I would not need to track down and re-enter all my software serial numbers.