Too Many Passwords
LK3 writes "A survey of 1700 technology end users in the United States released today reveals some interesting findings about password management habits. 'The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques and creates a drain on productivity by taxing the resources of IT support centers.' Further, corporate requirements of frequent password replacement further exacerbate the toll on human memory. Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?"
Something you have (physical key)
Something you know (password)
Something you are (biometrics)
One is good, two is better. Give your users an RFID card, smartcard, RSA SecurID (or similar) or fingerprint reader. Tie in your gift(s) to your authentication scheme.
You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.
Dare to Hope. Prepare to be Disappointed.
Then there's also the fact that Lloyds performed a survey that contradicts the findings - passwords are fine as long as there's proper education.
... nobody seems to be a big fan ...
-everphilski-
b-?p
a-E9
n-4$
k-vw
He actually did make it a bit easier to read, but he forgot to use the ecode tags. Try this version:
Javascript + Nintendo DSi = DSiCade
I use Password Safe on a USB pen drive. It has a master password that it uses to encrypt all my other passwords in a tidy MFC application. In x86 Linux I access it using Wine, which works fine. For my OS X machine, I use pwsafe, a console app that lets you access Password Safe databases, and dumps the password directly into the X clipboard buffer. (Use the CVS version, the latest regular build can't access the latest Password Safe database format.) I found other unix password safe compatible workalikes to be extremely poor.
This solution works well for me. Just make sure you back up your pen drive.
Just GPG one file full of passwords, and remember your GPG key.
That's more or less what he did. Look again. The table isn't a list of passwords; rather, it's a standard substitution cipher. For each of the letters, he simply looks up the value to produce the password. The scheme is reversible as well, so you can retrieve the keyword from the password.
Here's an article on substitution ciphers.
Just use your Social Security number... Good idea?
No.
That's about as secure as your mother's maiden name, or your dog's name.
Which is to say, it's the worst password imaginable.
Do you want your father/mother to have access to all your accounts?
Hell, for wellsfargo.com, your SSN is your username!
Not to mention there are under 10^9 possible SSNs, and the first 3 (5?) digits can be calculated based on your place and date of birth! That reduces your number space to 10^6 or less, which, at one request/second, could be cracked in 11 days -- And 1/second is a very slow rate!
This is why I use a free program called Password Safe (http://www.schneier.com/passsafe.html). You remember 1 password to login to your safe and then you can see all your entries from there.. and as far as I know there is no limit on #1 the entries in each list, #2 the amount of lists you can have.. you just have to remember that one password.. a definitely good utility for Windows.. all you Apple and Linux heads.. don't know if it will work for you. It only takes a second to login and you are ready to go.. and the file that stores them auto encrypts your data.. as far as I know no one has broken it.. From their front page
With Password Safe, a free Windows utility designed by Bruce Schneier, users can keep their passwords securely encrypted on their computers. A single Safe Combination--just one thing to remember--unlocks them all. Password Safe protects passwords with the Blowfish encryption algorithm, a fast, free alternative to DES. The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Blowfish algorithm. Password Safe features a simple, intuitive interface that lets users set up their password database in minutes. You can copy a password just by double-clicking, and paste it directly into your application. Best of all, Password Safe is completely free: no license requirements, shareware fees, or other strings attached.
~~"Of course, that's just my opinion. I could be wrong." ~~Dennis Miller
Too many passwords? Definitely, especially if you work in IT; I have dozens of them to remember... Even for home stuff I've got dozens: different forums (web related, IT related, AV related, etc), news sites like /., dozens of online stores, email, etc... It's just too much for my memory, so instead of using the same password everywhere or writing them down or such, I resorted to using a decent password manager. I've picked KeyPass (worth every penny they ask IMHO), but there are lots of others, including some F/OSS ones like KeePass or Oubliette; you can even find a bunch on sourceforge, and they're usually quite simple programs to "tweak or enhance" if they're not exactly like you wish they were (add new cryptos, GUI changes, new features, etc). I've looked at the code of a couple and it was nicely done, good quality code, pretty secure stuff. It would be quite simple to make a basic one from scratch too (using some of the high level languages with very complete libraries and frameworks like we have nowadays); the DPAPI could be useful too.
Ideally it should run without being installed (and without too many dependencies), off a memory stick or PDA for portability. Some browsers have password managers, but it's a partial solution (only good for websites, and only works in this specific browser on this very PC), and I have problems trusting some of them (IE) to keep passwords secure at all.
Not sure what's out there for linux though...
Revelation for linux/gnome.
Lots more you can find on http://tucows.com/ or your favourite software download site..
I have close to a hundred logins stored (encrypted) and gave up trying to remember them all a long time ago.. it's really not an issue with such a program. Just make sure to keep a backup somewhere or you are screwed when your PC dies.. ;)
The first 3 digits aren't related to where you were born. They're related to where you were living when you received your SSN. I didn't get a SSN until the 5th city I lived in; it has nothing to do with where I was born, and everything to do with where I was living when I was registered.
Sometimes I wish my parents would have just not gotten me an SSN, not like I get much use out of it.
Security through obfuscation is not security.
I have heard that 2 short unrelated words with a number in between them that is not 2 or 4 is pretty secure against dictionary attacks and much easier to remember than gibberish.
Avoid Missing Ball for High Score
That is also what Bruce Schneier does.
Test 1 2 3 4
Take a look at apg.. Find it on freshmeat/google..
apg -m 12 -x 14 -t
IgcusbavZeb7 (Ig-cus-bav-Zeb-SEVEN)
koatDokwepht (koat-Dok-wepht)
AwUkTeduldAc (Aw-Uk-Ted-uld-Ac)
gizJogcypnot} (giz-Jog-cyp-not-RIGHT_BRACE)
NodwacIbVawl (Nod-wac-Ib-Vawl)
vekOypevpast5 (vek-Oyp-ev-past-FIVE)
It produces nicely random passwords that can be pronounced so that you can remember them.
Pronunciation is in brackets.
Jason
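apg's own syllable rules are not reproduced on the page, so what follows is an added Python example (not apg's code and not the poster's) that builds passwords of the same shape: consonant-vowel-consonant syllables with a hyphenated pronunciation hint like the output above. It also carries the entropy arithmetic a practitioner would want next to such a tool: text constrained to be pronounceable has fewer bits per character than a uniformly random printable string of the same length, so pronounceable passwords need to be longer to reach the same strength. The syllable alphabet, the case-flip rule and the function names are my assumptions.

```python
import math
import random
import secrets

# Constructed syllable alphabet for this illustration; apg uses its own phoneme rules.
CONSONANTS = "bcdfghjklmnprstvwz"   # 18 letters
VOWELS = "aeiou"                    # 5 letters
SYLLABLES = len(CONSONANTS) * len(VOWELS) * len(CONSONANTS)  # 1620 distinct CVC syllables


def _rng(seed):
    # A seed is only for reproducible tests; without one the OS CSPRNG is used.
    return random.Random(seed) if seed is not None else secrets.SystemRandom()


def pronounceable(n_syllables, seed=None):
    """Return (password, pronunciation hint) built from CVC syllables.

    Mirrors the apg output shape, e.g. 'koatDokwepht (koat-Dok-wepht)': the hint
    is the password split at syllable boundaries. Each syllable is independently
    capitalised with probability 1/2, which adds exactly one bit per syllable.
    """
    rng = _rng(seed)
    parts = []
    for _ in range(n_syllables):
        syl = rng.choice(CONSONANTS) + rng.choice(VOWELS) + rng.choice(CONSONANTS)
        if rng.randrange(2) == 0:
            syl = syl.capitalize()
        parts.append(syl)
    return "".join(parts), "-".join(parts)


def pronounceable_bits(n_syllables):
    """Entropy of pronounceable(): log2 of the number of equally likely outputs."""
    return n_syllables * (math.log2(SYLLABLES) + 1)   # +1 bit for the case flip


def random_bits(n_chars, alphabet_size=94):
    """Entropy of a uniformly random string over printable ASCII (33..126)."""
    return n_chars * math.log2(alphabet_size)


if __name__ == "__main__":
    pw, hint = pronounceable(4)
    print(f"{pw} ({hint})")
    # Four CVC syllables are 12 characters: ~46.6 bits here versus ~78.7 bits
    # for 12 uniformly random printable characters.
    print(f"pronounceable: {pronounceable_bits(4):.1f} bits, "
          f"random 12 chars: {random_bits(12):.1f} bits")
```

The generator is uniform over its syllable space, so the entropy figure is exact rather than an estimate; the gap of roughly 32 bits at 12 characters is the price of memorability, and is the reason a policy that allows pronounceable passwords should require more characters than one that issues fully random ones.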
Oddly enough, I have been doing something very similar. This should generate a key for you:
perl -e 'foreach $x(A..Z) { print "$x: ".chr(int(rand 94)+33).chr(int(rand 94)+33)."\n"}'
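The substitution scheme from the table post earlier in the thread, together with the Perl key generator in this post, as an added Python example (not code from either poster): it builds a letter-to-pair table over the same printable range the one-liner samples, encodes a keyword by lookup, and reverses the lookup to recover the keyword. The four rows shown on the page (b, a, n, k) are reused as a constructed partial table; the function names and the uniqueness retry are my additions. The retry matters because the Perl version draws each pair independently, so two letters can receive the same pair, and a table with a collision cannot be inverted as the reply above claims.

```python
import random
import secrets
import string

# Same printable range the Perl one-liner samples: chr(int(rand 94) + 33) -> ASCII 33..126.
ALPHABET = "".join(chr(c) for c in range(33, 127))

# Partial table constructed from the four rows shown on the page (b, a, n, k).
PAGE_TABLE = {"B": "?p", "A": "E9", "N": "4$", "K": "vw"}


def make_table(seed=None):
    """Generate a letter -> two-character table like the Perl one-liner.

    Redraws until all 26 pairs are distinct so that decode() is well defined.
    A seed is only for reproducible tests; without one the OS CSPRNG is used.
    """
    rng = random.Random(seed) if seed is not None else secrets.SystemRandom()
    while True:
        table = {letter: rng.choice(ALPHABET) + rng.choice(ALPHABET)
                 for letter in string.ascii_uppercase}
        if len(set(table.values())) == len(table):
            return table


def encode(keyword, table):
    """Look up each letter of the keyword and concatenate the pairs.

    Note that once the table is known, the password carries no more entropy
    than the keyword itself; the table is the secret that must stay private.
    """
    keyword = keyword.upper()
    if not keyword.isalpha():
        raise ValueError("keyword must be letters only")
    return "".join(table[ch] for ch in keyword)


def decode(password, table):
    """Invert encode(): split into two-character chunks and reverse the lookup."""
    if len(password) % 2:
        raise ValueError("password length must be even")
    reverse = {pair: letter for letter, pair in table.items()}
    if len(reverse) != len(table):
        raise ValueError("table is not reversible: two letters share a pair")
    return "".join(reverse[password[i:i + 2]] for i in range(0, len(password), 2))


def format_table(table):
    """Same 'X: pair' layout the Perl one-liner prints."""
    return "\n".join(f"{letter}: {pair}" for letter, pair in sorted(table.items()))


if __name__ == "__main__":
    table = make_table()
    print(format_table(table))
    pw = encode("slashdot", table)
    print(pw, "->", decode(pw, table))
```

With the page's partial table, the keyword "bank" encodes to "?pE94$vw" and decodes back to "BANK"; with a generated table the round trip holds for any all-letter keyword precisely because of the distinctness check.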
One USB stick is not enough for your passwords.
I picked one of my PDAs fully dedicated for only the password database, plus other technical details for my machines, net services or other accounts. Methodically not using it for anything else, no network, no USB plug to any machine, ever. Backups on flashcards. Second identical PDA in the drawer, without data but ready to accept the backup flashcard at any moment, usually used for playing with NetBSD.
Today, the database has 726 records of active nick/identities, Maljin Jolt on Slashdot among others. What a pile of sticky labels could that be!
There you are, staring at me again.
I have heard that 2 short unrelated words with a number in between them that is not 2 or 4 is pretty secure against dictionary attacks and much easier to remember than gibberish.
No offense, but get better sources. Checking for two dictionary words with a number or special character between them is standard, and in fact limiting it to 8 possibilities instead of 10 makes it less secure, albeit imperceptibly so.
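The point of this reply, that a word-digit-word password is a small, structured space rather than random text, is easiest to see with numbers. The following is an added Python example (not the poster's code) of the policy-side check a defender would want: it recognises the pattern against a dictionary, and it sizes the space the pattern allows so it can be compared with a random string of the same length. It also reproduces the reply's observation that excluding 2 and 4 (8 digits instead of 10) shrinks the space further. The eight-word list is constructed for the demo; a real check would load a full dictionary, and the 50,000-word figure used for comparison is an assumption.

```python
import math
import re

# Constructed mini wordlist for the demo; a real policy check loads a full dictionary file.
WORDS = {"apple", "horse", "river", "stone", "cloud", "paper", "green", "table"}

# <letters><one digit><letters>, the shape the reply above describes.
WORD_DIGIT_WORD = re.compile(r"^([a-z]+)([0-9])([a-z]+)$")


def is_word_digit_word(password, words=WORDS):
    """True when the password is <dictionary word><single digit><dictionary word>.

    A password policy can reject such a value, or score it by the size of the
    pattern space below, instead of treating it as random text of that length.
    """
    m = WORD_DIGIT_WORD.match(password.lower())
    return bool(m) and m.group(1) in words and m.group(3) in words


def pattern_guesses(dict_size, digit_choices=10):
    """Number of distinct passwords the word-digit-word pattern allows."""
    return dict_size * dict_size * digit_choices


def bits(guesses):
    """Equivalent entropy in bits of a space with `guesses` equally likely values."""
    return math.log2(guesses)


def compare(dict_size, length):
    """Bits for the pattern (10 digits, then 8 digits) versus a uniformly random
    printable-ASCII string of `length` characters."""
    return {
        "pattern_10_digits": bits(pattern_guesses(dict_size, 10)),
        "pattern_8_digits": bits(pattern_guesses(dict_size, 8)),
        "random_printable": length * math.log2(94),
    }


if __name__ == "__main__":
    for pw in ("horse7apple", "Stone3River", "horse77apple", "h0rse7apple"):
        print(f"{pw:14s} matches pattern: {is_word_digit_word(pw)}")
    # Assumed 50,000-word dictionary, compared with an 11-character random string
    # (two 5-letter words plus a digit is 11 characters).
    for name, value in compare(50_000, 11).items():
        print(f"{name:18s} {value:5.1f} bits")
```

With a 50,000-word dictionary the pattern yields about 34.5 bits with ten digit choices and about 34.2 bits with eight, while eleven random printable characters carry about 72 bits; the small drop from banning two digits is the "imperceptibly less secure" of the reply, and the large gap to random text is why such patterns are worth detecting in a policy check rather than counted by length alone.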