Too Many Passwords
LK3 writes "A survey of 1700 technology end users in the United States released today reveals some interesting findings about password management habits. 'The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques and creates a drain on productivity by taxing the resources of IT support centers.' Further, corporate requirements of frequent password replacement further exacerbate the toll on human memory. Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?"
I have a very very clever comment to add to that thread, but I forgot my password :(
Nothing for you to see here. Please move along.
Crap, what was the password to view /. stories?
Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:
a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr
I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw
Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard than to get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).
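The laminated-card scheme from the comment above, as an added example (not the commenter's Perl program): the card text is the one printed in the comment, and the card generator, the lookup and the inverse lookup are assumptions written here to show both how the derivation works and what someone who holds the card plus one captured password can recover.

```python
import secrets
import string

# The card printed in the comment above (copied from the page, not generated here).
CARD_TEXT = """\
a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr
"""

# Token alphabet for generated cards; '-' is excluded because it separates
# the letter from its token on the printed card.
TOKEN_ALPHABET = string.ascii_letters + string.digits + "!?$%&*+=@#"


def parse_card(text):
    """Turn the printed 'letter-token' cells into a substitution table."""
    card = {}
    for cell in text.split():
        letter, token = cell.split("-", 1)
        card[letter] = token
    if sorted(card) != list(string.ascii_lowercase):
        raise ValueError("card must map every letter a-z exactly once")
    return card


def format_card(card, per_row=3):
    """Render a table in the same layout as the laminated card."""
    cells = [f"{letter}-{card[letter]}" for letter in string.ascii_lowercase]
    rows = [" ".join(cells[i:i + per_row]) for i in range(0, len(cells), per_row)]
    return "\n".join(rows) + "\n"


def generate_card(token_len=2):
    """Build a fresh card with a distinct random token per letter (CSPRNG-backed).

    Distinct tokens keep the inverse lookup unambiguous, which matters for
    judging what leaks when the card itself is exposed."""
    tokens = set()
    while len(tokens) < 26:
        tokens.add("".join(secrets.choice(TOKEN_ALPHABET) for _ in range(token_len)))
    tokens = list(tokens)
    secrets.SystemRandom().shuffle(tokens)
    return dict(zip(string.ascii_lowercase, tokens))


def derive(card, word):
    """The scheme from the comment: substitute each letter of the memorised word."""
    return "".join(card[ch] for ch in word.lower())


def recover_word(card, password):
    """Inverse lookup: with the card in hand, a captured password yields the word,
    so the remaining secret is only the word itself. Returns None if the password
    does not decode cleanly against this card."""
    inverse = {token: letter for letter, token in card.items()}
    width = len(next(iter(card.values())))
    if len(password) % width:
        return None
    letters = []
    for i in range(0, len(password), width):
        letter = inverse.get(password[i:i + width])
        if letter is None:
            return None
        letters.append(letter)
    return "".join(letters)


if __name__ == "__main__":
    card = parse_card(CARD_TEXT)
    print(derive(card, "bank"))            # the password shown in the comment
    print(recover_word(card, "?pE94$vw"))  # what a lost card plus one password gives away
    print(format_card(generate_card()))
```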
I Am My Own Worst Enemy
This frustration is leading to behaviors that could jeopardize IT security, as well as compliance initiatives.
Any good sysadmin knows that if you make the password policy too strict you could actually be worsening your security situation. People will start sticking their passwords under their keyboards or on their monitors.
Bradley Holt
(BTW, this is basically a dupe from about four or five years ago...)
From the article (and the post):
First, I can't let this pass. I was on the IT team for a large company that had the described oodles of systems and oodles of passwords dilemma. And I'd been out on the floor where our users had to use these systems. The last thing in the world someone should be saying to them is, "You know how you are", as if these people are doing something wrong. Their job of dealing with the consumer public is hard enough without having to genuflect to the "security" (inconsistent, obfuscated, inane, ineffective, and myriad) measures of the systems from which they are supposed to serve the consumers. I never had to deal with as many passwords as they did, but had I had to, I'd have been tempted to do the same thing.
As for the dilemma of too many passwords... yeah, there are too many passwords. And the funny thing about that is, they (in my opinion) provide little to no security and may even subtract from the overall security of the network. Especially in a closed access building (which these users were), passwords were and are a hindrance, not an enabler. I'd submit the entire organization would function more effectively were they all allowed access to the various systems sans passwords once they'd entered the building. Most stolen and broken passwords are via social engineering, and half the social engineering is just gaining access.
In the personal computing arena, I'd be awfully surprised if even 10% of the problems occur because of too many passwords. More likely it's because of incorrectly configured access levels for general users.
I'm guessing the world of passwords will never go away, but in settings where users have to deal with many (in the case described above, literally hundreds) of systems and their various password paradigms, passwords SHOULD go away (NOTE: the use of the plural... I'd be okay with somehow consolidating total access down to ONE password). Somehow it must be comforting to PHB's to know their universe is multiply protected by multiple schema, whether or not it affords any protection.
I find that kwallet works well for this in KDE, but it's a feature sorely lacking in WinXP, though I am not sure I trust XP to store my passwords ;-)
I just use the same 4 passwords for everything, but trying to figure out which one of the four a certain one is can be a problem, since in some cases you only get 3 login attempts...
What could possibly hurt the security of the American people more than giving our own government the ability to hide its
Don't forget to add that programs use inconsistent rules for passwords. Some programs are case-sensitive, others aren't. Some programs don't allow special characters, some require them. What's worse are programs that require a numerical password. For example, I refuse to use Verizon's online system because instead of using a username/password combination, I have to use an account number and a randomly-generated PIN.
No, I will not work for your startup
I'd answer, but then it'll give insight into my password preferences, and then I'll get c00tz0rs from t3h l33t h4x0r2!!1!eleventyone etc.
You can hold down the "B" button for continuous firing.
I can definitely relate to what they're saying in the article. At the company where I work, we are required to change our Windows password every 8 weeks and the password to get into the financial software every 3 months. To make matters worse, we can't use a password we used in the past again. So, you have a bunch of folks here that aren't concerned at all about passwords creating anything they can think of every 2 months minimum, and forgetting it that same day. It's a huge drain on the IT department and it constantly happens. Also, after 3 unsuccessful attempts at getting in the financial software, you're locked out. You have to call a completely different person than the usual IT guys to get the specialist for PeopleSoft to fix the screw up. It really amazes me at how much time gets wasted in our IT department alone, just fixing passwords for people.
Something you have (physical key)
Something you know (password)
Something you are (biometrics)
One is good, two is better. Give your users an RFID card, smartcard, RSA SecurID (or similar) or fingerprint reader. Tie in your gift(s) to your authentication scheme.
You can't lose your finger NEARLY as easily as you can lose your physical token or forget your password.
Dare to Hope. Prepare to be Disappointed.
Then there's also the fact that Lloyds performed a survey that contradicts the findings - passwords are fine as long as there's proper education.
... nobody seems to be a big fan ...
-everphilski-
I use Password Safe on a USB pen drive. It has a master password that it uses to encrypt all my other passwords in a tidy MFC application. In x86 Linux I access it using Wine, which works fine. For my OS X machine, I use pwsafe, a console app that lets you access Password Safe databases, and dumps the password directly into the X clipboard buffer. (Use the CVS version, the latest regular build can't access the latest Password Safe database format.) I found other unix password safe compatible workalikes to be extremely poor.
This solution works well for me. Just make sure you back up your pen drive.
In the (California-based!) tech support center. You might be shocked at the number of people who have no idea how security works.
Prime example. When a customer wants to cancel their account, we direct them to an online form which asks for their registration # or domain name and their password to verify their identity. Invariably, the customer forgets their password and when we respond that we can't cancel their account without that information, they ALWAYS ask, "can you tell me my password?"
I am not joking. People call in all the time wanting their login information without being able to verify a thing. By the way, when this happens, there are two options - the "forgot password" form which mails the info to the admin address on record, or providing the billing CC# (you pay the bill, you get the key)
But I digress. Ultimately, the general public couldn't care less about passwords because they don't truly understand their function other than "it gets me where I need to be"
Sony ha
Just use your Social Security number... Good idea?
No.
That's about as secure as your mother's maiden name, or your dog's name.
Which is to say, it's the worst password imaginable.
Do you want your father/mother to have access to all your accounts?
Hell, for wellsfargo.com, your SSN is your username!
Not to mention there are under 10^9 possible SSNs, and the first 3 (5?) digits can be calculated based on your place and date of birth! That reduces your number space to 10^6 or less, which, at one request/second, could be cracked in 11 days -- And 1/second is a very slow rate!
..... Single Sign-On Manager by RSA. The IT manager then has the choice of using an RSA SecurID Authenticator, RSA Smart Card, RSA USB Authenticator, a biometric or (god forbid) a password.
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
This is why I use a free program called Password Safe (http://www.schneier.com/passsafe.html). You remember 1 password to login to your safe and then you can see all your entries from there..and as far as I know there is no limit on #1 the entries in each list, #2 the amount of lists you can have..you just have to remember that one password..a definitely good utility for Windows..all you Apple and Linux heads..don't know if it will work for you. It only takes a second to login and you are ready to go.. and the file that stores them auto-encrypts your data..as far as I know no one has broken it..From their front page
With Password Safe, a free Windows utility designed by Bruce Schneier, users can keep their passwords securely encrypted on their computers. A single Safe Combination--just one thing to remember--unlocks them all. Password Safe protects passwords with the Blowfish encryption algorithm, a fast, free alternative to DES. The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Blowfish algorithm. Password Safe features a simple, intuitive interface that lets users set up their password database in minutes. You can copy a password just by double-clicking, and paste it directly into your application. Best of all, Password Safe is completely free: no license requirements, shareware fees, or other strings attached.
~~"Of course, that's just my opinion. I could be wrong." ~~Dennis Miller
Too many passwords? Definitely, especially if you work in IT, I have dozens of them to remember... Even for home stuff I got dozens: different forums (web related, IT related, AV related, etc), news sites like /., dozens of online stores, email, etc... It's just too much for my memory, so instead of using the same password everywhere or writing them down or such, I resorted to using a decent password manager. I've picked KeyPass (worth every penny they ask IMHO), but there's lots of others - including some F/OSS ones like KeePass or Oubliette, you can even find a bunch on sourceforge, and they're usually quite simple programs to "tweak or enhance" if they're not exactly like you wish they were (add new cryptos, GUI changes, new features, etc). I've looked at the code of a couple and it was nicely done, good quality code, pretty secure stuff. It would be quite simple to make a basic one from scratch too (using some of the high level languages with very complete libraries and frameworks like we have nowadays), the DPAPI could be useful too.
Ideally it should run without being installed (and without too many dependencies), off a memory stick or PDA for portability. Some browsers have password managers, but it's a partial solution (only good for websites, and only works in this specific browser on this very PC), and I have problems trusting some of them (IE) to keep passwords secure at all.
Not sure what's out there for linux though...
I have two apps on my Palm: one generates passwords, another stores them in a "vault" with a master password. Works well especially the password generator. I just select upper/lower/mixed case, alpha characters and how long to make the password string. Copy-paste into the password vault. Done.
I made the argument, some time ago, that instead of forcing us to make new passwords every 45 days ( which is basically a solid way to guarantee weak, easily dictionary-attacked passwords stuck on the monitor ) they should allow us to keep our passwords longer the more complicated they are.
Say, I choose an easily dictionary attacked password with just 5 lowercase letters. Whammo -- I'm told I can use that password for 3 days. So I make a 20 character, non-dictionary password with a mix of letters, numbers, random symbols, etc and I'm told I can keep it for a year.
Seems to me that's a reasonable approach: reward people for better passwords.
Suffice to say, I was told: "No way, we like it as it is"
lorem ipsum, dolor sit amet
is there really a serious threat of people hax0ring other workers' accounts and taking their online sexual harassment training for them?
Funny you should ask... I found the web-based Sexual Harassment training a stupid waste of time and energy. I tried to get it stopped, but management wouldn't listen. So, I wrote a script that pulled everyone's username from LDAP and completed the training for them on the first day it was available. Everyone got a "thank you" email and nobody wasted any time (except me - but then I spend my day reading slashdot).
The previous comment is purposely vague and generalized, but all of the facts are completely true.
There's a way to exploit just about anything. It's guaranteed someone is going to invent a way to fake a fingerprint or a retina to gain access. At least a password can be changed once guessed. I'd like to see you try changing your fingerprints.
Did anyone bother to ask the customers what they want?
Revelation for linux/gnome.
Lots more you can find on http://tucows.com/ or your favourite software download site..
I have close to a hundred logins stored (encrypted) and gave up trying to remember them all a long time ago.. it's really not an issue with such a program. Just make sure to keep a backup somewhere or you are screwed when your pc dies.. ;)
I have three "good" passwords upon which I create variants. The three basic passwords all have a pseudo random combination of caps, lowercase, numbers, and punctuation. Then, when I have to change a password due to corporate policy, I simply change a single character so that my password gradually evolves... and stays very memorable. Admittedly, remembering the base passwords in the first place was a bit painful. But so far that I know of in over ten years of use, I have never had a password compromised, including passwords on servers that are publicly accessible. In my own experience, most tech users who are not technically inclined do indeed have very poor passwords: sometimes just their names even. I try to educate people on it but it is hard going. Most people just don't feel that it is worth the bother... and probably from their own perspective, a risk analysis would show they are correct.
Helping with organizational effectiveness is our job.
I have offloaded Internet security into Material security.
I use a separate password for every forum I care about. My passwords on my personal computers are changed regularly. I can do this, because of my password book. Without it, this would be implausible.
It is conceivable that someone will get my password by taking my book from me, and snapping pictures of the password pages with their cell phone. Very well then, let someone make the $500 airplane trip over here, come into the office, find my book, and then start snapping pictures. Or maybe find me on the streets if it's lunch time, and rip the book out of my backpack. Conceivable.
But I think this is prohibitively expensive for most people. It would be cheaper to hack a website, and get some other guy's password, and see where else the password might be usable.
I think it is less risky to keep a watchful eye on my password book, than to use only a finite number of passwords.
If someone thinks this is wrong, tell me what you do, and tell me why it is more secure. Not what you can imagine doing; Rather, tell me what you really do.
I saw on a web site somewhere (sorry can't remember where) a simple, elegant solution to this problem, at least when it concerns logging on to web sites.
You have a single password. This password is combined with the domain name and then processed with an appropriate mechanism (e.g. MD5) to produce a unique password for an individual site.
I think that's a great solution and think it should be incorporated into all open source web browsers. The user doesn't even have to know it is happening. Much more practical than biometric solutions.
If you try and force users to use stronger passwords than they can remember or change them too frequently you'll just get post-its and helpdesk. If their passwords aren't secure enough, get them to use etokens or something similar.
I am trolling
And I had some app running in the background (something FF related?) that kept trying to auto apply my original password (yes I cleared password from inside FF). After the 6th lock out of the day, I got my network techs to let me reset my password.
Total cost of the password change? Maybe a man-hour's worth of time (between myself and waiting on the techs, and the techs stopping their work to fix my account). So maybe a hundred dollars or so. But we have 800+ employees in 5 branches. That's a lot of password change headaches.
-Rick
"Most people in the U.S. wouldn't know they live in a tyrannical state if it walked up and grabbed their junk." - MyFirs
I wonder how long before we figure out that this very requirement frequently leads to sequencing of the password, which completely defeats the purpose of changing it every so often.
I do like your idea, though, for places where I don't have to change the password every so often.
No-one seemed to have mentioned that the pass-phrase to decrypt everything in the world in the movie "Sneakers" was "Too Many Secrets". I guess it could have been too obvious.
I just use an algorithm based on the web site, plus an additional few letters. For example if the site is Slashdot your password could be slashDOG8cAt, on Google it could be googDOG8cAt, etc. You can get a little more creative when financial or other stuff is valuable, e.g. a different user name and password algorithm for banks/credit card sites, etc. One important note - treat every computer not in your home as being infected with a virus/key logger - DON'T use public computers for your financial stuff.
Obviously - for many websites, security really doesn't matter, and so the same password can be used for most of them - just don't use the same one for the important stuff.
..........FULL STOP.
This is a problem, however at my work (and a few other gigs) I've seen password deficiency in the workplace. Too many projects headed up by non-technical people that don't understand the importance of passwords. Obviously a unified solution (NFS or the like) would help tremendously, but for things like servers, getting to a root account wouldn't be a good use, so I think it'd need to be a biometrics (fingerprints) solution, with a "sudo like" functionality on the server. i.e. the user with this fingerprint can do these things, etc.
fak3r.com
I use Another Password Generator for all my passwords. http://www.adel.nursat.kz/apg/
As a general security measure, I use different passwords for all the Internet services I use. I simply do not trust the random forum and service owners I use enough; not because I distrust any concrete service like say Slashdot, but because it only takes one dishonest service owner to look up my password in order to have them all if I were to use the same one everywhere. Instead, I have a very long, huge text-file with all my passwords, which is stored on my bestcrypt http://www.jetico.com/ partition. The system works great for me. Alright, I have to look up the service and password every time, but as I always have that file open in kate since I use it frequently it is not a big deal. This works fine for me and I recommend it. This way I only have to remember the actual sentence I use as a password for my bestcrypt drive, and nobody can use the password on one service to guess my password on another since they are all random garbage like we4kBoc3fis...
So I think that a "a master password" IS the solution. Every employee can easily have their own personal master password where they keep a record of all their passwords, and this allows every employee to have a random password that only works for them assigned for each service they use.
9/11: Never forget it was a false-flag operation
But I kept getting access to John Holmes account. And they say those e-mail enlargement ads never work! Ha!
(hopefully moderated for humor)
...OneBigTextFile?
Why don't sheep shrink when it rains?
I started using robotron, way too many passwords to type in daily. I have password safe with over 300 passwords, from sites, servers or applications. Crazy.
Then IT thinks it's good to change passwords every 30 days on some sites, password management alone takes 1-2 hours a week, not counting the times I have to change passwords for other people.
If anyone knows an open-source robotron replacement that works in both IE and Firefox, reply. As for password safe, been trying a new open-source one called Keepass that looks pretty nice, and ported to multiple platforms.
Don't even need to break the scheme really. Ever notice that some sites, when you forget your password, will email it to you? Email you YOUR password, plain text, through email. Which means they're storing it in a format that is readable to them, AND they think email is an acceptable medium for transporting passwords. Oy vey.
That kind of stuff makes me crazy. Any system I design has completely obfuscated passwords, the sort that can't be retrieved but have to be reset. To authenticate I mangle the password that they submit, and see if it matches the mangled one on file. Sure it's possible to de-mangle them, but it's a hell of a lot harder than cracking a piece of 2-way encryption, and you don't have to worry about people who are merely curious or unskilled.
I can't think of a situation where I would want someone to be able to find out my password. I don't want them to be able to email it to me. If I forget, just reset it and send me a temporary password. Anything else is begging to be broken.
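The "mangle on the way in, compare mangled values" storage the comment above describes, plus the reset-instead-of-retrieve flow it asks for, as an added example that is not the commenter's code: the PBKDF2 work factor and the 15-minute token lifetime are assumed values, and the record dict stands in for whatever the server would actually store.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000  # assumed work factor; tune to the server's hardware


def hash_password(password, iterations=ITERATIONS):
    """Keep only a salted, slow, one-way hash. Nothing stored here can be
    mailed back to the user, which is the point."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-hash the submitted password with the stored salt and parameters,
    then compare in constant time so timing does not leak prefix matches."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        iterations = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def issue_reset_token(now=None, ttl=900):
    """The 'just reset it' path: the user receives the token, the server keeps
    only its hash, an expiry and a used flag. Returns (token, record)."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    record = {
        "token_hash": hashlib.sha256(token.encode()).hexdigest(),
        "expires_at": now + ttl,
        "used": False,
    }
    return token, record


def redeem_reset_token(token, record, now=None):
    """Accept a token once, before expiry, with a constant-time comparison.
    On success the caller would let the user set a new password."""
    now = time.time() if now is None else now
    if record["used"] or now > record["expires_at"]:
        return False
    presented = hashlib.sha256(token.encode()).hexdigest()
    if not hmac.compare_digest(presented, record["token_hash"]):
        return False
    record["used"] = True
    return True


if __name__ == "__main__":
    stored = hash_password("correct-horse-battery")  # constructed sample password
    print(stored)
    print(verify_password("correct-horse-battery", stored), verify_password("wrong", stored))
    token, record = issue_reset_token()
    print(redeem_reset_token(token, record), redeem_reset_token(token, record))
```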
ad logicam Claiming a proposition is false because it was presented as the conclusion of a fallacious argument.
I use a mnemonic, usually a shape. As in, my yahoo mail password is shaped like a "Y", Amazon is an "A", etc. That is usually enough to trigger the rest from memory. Work is a "W". Since they do have a password expiration policy, I just walk the "W" around the keyboard since there are dozens of variations possible.
Good judgement comes from experience, and experience comes from bad judgement.
- W. Wriston, former Citibank CEO
I hope you don't start with 31415926...
After all, I am strangely colored.
Identity 2.0 it's nearly been blogged to death.
/. news for the lazy and ignorant
Take a look at this really cool presentation, even if you find the subject matter boring the presentation is sharp, http://www.identity20.com/media/OSCON2005/
Augh! You bastard!
the key problem here, is that people are lazy and stupid.
the best way to secure something without taxing the average person's feeble brain is to use a password and an ssh key on a swipe card or a usb drive.
that way even if someone gets one they are very very unlikely to get the other. it also means you can change the ssh key on them without them having to remember anything. hell in a system i'm implementing everyone gets a new key when they swipe in for the day and it expires after 24 hours.
If you mod me down, I will become more powerful than you can imagine....
Here's my solution: I keep one good password in my head. On a piece of paper (or two - no need to keep it private, you can write it in the sky if you want), I write a "hint" for each password I need to remember. For instance, my yahoo hint is "yahoo". My ebay hint is "ebay".
The actual password for each site is the first 8 chars of the SHA1 hash of my memorized password concatenated with the hint (sha1(passwordyahoo), sha1(passwordebay) etc).
I keep a gdesklet applet open on my desktop to generate passwords when needed. The SHA1 algorithm is freely available and already implemented as libraries in many languages, so moving to a new computer or rebuilding the password generator is simple.
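The derived-password idea appears twice in this thread: the "single password combined with the domain name and hashed" suggestion earlier, and the sha1(password + hint) prefix scheme just above. This added example (not either commenter's applet) implements the SHA1-prefix version as described, notes what an 8-hex-character output bounds the strength to, and alongside it a variant with a slow KDF, a per-site version counter and a longer output; the iteration count and output length are assumed values.

```python
import base64
import hashlib

PBKDF2_ITERATIONS = 600_000  # assumed cost parameter; raise it as hardware speeds up


def derive_sha1_prefix(master, hint):
    """The scheme in the comment above: first 8 hex chars of sha1(master + hint)."""
    return hashlib.sha1((master + hint).encode()).hexdigest()[:8]


def prefix_entropy_bits(n_hex_chars):
    """Each hex character carries 4 bits, so an 8-character prefix is at most
    32 bits of strength regardless of how strong the master password is."""
    return 4 * n_hex_chars


def derive_pbkdf2(master, site, version=1, length=18):
    """Same idea with the weak points addressed: a slow KDF instead of a single
    SHA-1, the site plus a version counter as salt (so one site's password can
    be rotated without touching the master), and a long URL-safe output instead
    of a truncated hex prefix. 18 bytes encode to 24 characters with no padding."""
    salt = f"{site}:{version}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                              PBKDF2_ITERATIONS, dklen=length)
    return base64.urlsafe_b64encode(key).decode()


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master password
    for hint in ("yahoo", "ebay"):
        print(hint, derive_sha1_prefix(master, hint), derive_pbkdf2(master, hint))
    print("bits in an 8-char hex prefix:", prefix_entropy_bits(8))
```

Note that either variant still carries the structural risk the thread discusses: the hints are public, so anyone holding one derived password has what they need to guess at the master offline, which is why the slow KDF matters.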
Take a look at apg.. Find it on freshmeat/google..
apg -m 12 -x 14 -t
IgcusbavZeb7 (Ig-cus-bav-Zeb-SEVEN)
koatDokwepht (koat-Dok-wepht)
AwUkTeduldAc (Aw-Uk-Ted-uld-Ac)
gizJogcypnot} (giz-Jog-cyp-not-RIGHT_BRACE)
NodwacIbVawl (Nod-wac-Ib-Vawl)
vekOypevpast5 (vek-Oyp-ev-past-FIVE)
It produces nicely random passwords that can be pronounced so that you can remember them.
Pronunciation is in brackets.
Jason
But now you've got bigger problems 'cause they're all running around playing grab-ass.
> koat-Dok-wepht
Sorry, I don't recognise that spell.
What next?
> Aw-Uk-Ted-uld-Ac
Sorry, I don't recognise that spell.
What next?
> Nod-wac-Ib-Vawl
You summon a grue.
The grue eats you.
Your score was 0.
You cast 1 spell.
Play again?
Windows (as would be any OS that attained broad use) and/or disk hardware are sufficiently unstable that I occasionally have to scrap my existing data and start over from scratch. Additionally, I use many different computers on different networks to access the same websites, etc. Backups are a pathetic workaround for this, and are themselves a vulnerability.
In fact, any scheme that relies on a password safe resident on one machine will always be susceptible to catastrophic lossage, and is a pain to use on other machines. And any scheme that relies on 3rd party storage of the passwords is vulnerable to attacks on that storage and is inherently harder to maintain.
Personally, I think the only thing that will eventually solve this problem is a single password plus a smartcard-like system (with automated backup to some other local storage). We're not going to get there easily, though. And it's not a panacea either, because smart cards can be lost, stolen or fried just as easily.
Ironically, this problem is essentially another variant of the fundamental issue surrounding identity theft: in an information society, it's absolutely crucial that we be able to reliably uniquely identify every person, but anything we use to do that will end up being abused just like SSNs.
Hook up your windoze computer to a network and have it owned in 12 minutes anyway. All good practices, when applied to insecure software, are just an inconvenience to the user. What good are passwords, expensive biometric scanners and all that when your users have Outlook, IE and your "server" runs junk that gets owned all the time? That's just good money after bad.
Friends don't help friends install M$ junk.
At the top, are your ultra secure passwords that you only use for your bank / brokerage / etc. At the next level down, is your password that you use on all your personal computers, encrypted volumes, shell account, etc. Below that, is your password that you use for stuff you login to over the internet and don't want other people logging into (e-commerce, etc). Below that, is the one you use for crap you couldn't care less if people use (nytimes.com, etc.).
If you follow that system, you'll end up with only half a dozen passwords or so, and you'll still be pretty secure, as the important passwords aren't used as often as the less important ones.
I have a password that will be easy for everyone to remember, foo.bar. Change it to that and everyone send me your id's and I'll make sure it's secure. That way everyone only ever has to have one password.
I worked for a company that had the most retarded rules for passwords. It had to have a number and a capital letter in it. The number had to between the first and last letters. We had multiple logins for various systems. We had a separate login for our computer, then a login to access our application suite, then a password for each application. And we had 7 or 8 of them. Needless to say, I kept the same password for as many of them as I could. My password was ih8Sprint. And then they made us change them every 60 days, so it became Ih8sprint, then iH8sprint, then Ih85print. You'd never guess who I worked for.
"You'll get nothing, and you'll like it!"
I don't work for sun, but I think that the mobile phone makes a pretty good store for passwords encrypted by a master password.
The PC is obviously out of the question if you use different operating systems... for instance, my home PC is primarily a KDE desktop, so its wallet app is used for storing all passwords. But I have no simple way to access that wallet from the Winblows machine I have to use at work.
Phones, however, usually have this "code memo" feature these days, which lets you wrap any information you want in crypto, and seems to be quite useful for password storage.
Of course, the same master password problems apply... if you lose that one password, you lose them all. And if someone steals that one password (and the phone) they steal all your passwords. But it's better than a simple text file on disk somewhere, and much better than the post-it notes.
Karma: It's all a bunch of tree-huggin' hippy crap!
Where I work (a university) we used to have a fairly fierce password regime. Change it every four weeks, no re-using of old passwords, minimum eight characters including mixed case, numerals and punctuation - that kind of thing.
Later on, we learned better, and adopted a much more relaxed regime, in which we specifically didn't force expiry or insist on passwords like tH1s#0n£3&@ for most of the users (we were stricter with people who could order goods or edit the payroll!).
The main reason was that we evaluated (for a range of typical users) the potential financial cost and likelihood of being prevented from working by our password regime, against the potential financial cost and likelihood of suffering a security breach. And in almost all cases, our security policy turned out to be much more damaging than any plausible security breach.
What I'm wondering, in connection with the requirement by many companies that passwords be changed regularly, is this: is there any empirical evidence as to how much password hacking actually occurs, and whether this policy has any real effect? By "password hacking" I mean anything other than theft of the actual password files housed by the authenticating system.
Because unless someone has stolen your password from another source (like the authenticating system itself, in which case changing the password regularly has no effect), changing passwords just provides another opportunity for your password to be written down and then lost/stolen. The fact that most people write the password down somewhere in the vicinity of their computer makes this even worse.
And changing passwords can't prevent brute force attacks, which rely on running through multiple combinations automatically.
(By the way, anyone want to guess how unlikely it is that bad guys will try to figure out your password by determining your dog's name and your birthday, or whatever silly mnemonic device you've converted into a password? Bruce Schneier calls some bad terrorism response plans "movie plot" scenarios because they are responding to things that only occur in movies, not real life. Although the movie scene with someone breaking into someone's computer by reasoning out what the person would use as a password is ubiquitous, does this really happen?)
Finally, the other justification for this policy of having ever-changing passwords is that if someone does get access to your password, it will either be outdated already or will become outdated. But how many situations does this really cover -- and how much of a help is it if you are not scheduled to change your password until 2 months later (now, a password that changed every day or every minute would be a different story -- oh, wait, isn't that encryption?)? And even if it helps somewhat, does that outweigh the risk of having employees post their passwords next to their computer?
Know what these policies may really represent, at least in some instances? Businesses trying to make it appear that they are putting security into place, when it's really just a fig leaf.
- Web Passwords
- Application Passwords
- Security Certificates
- Public/Private keypairs
- Secure Notes
It integrates with most apps on the system so, for instance, if I go to a passworded site in Safari (the Web browser), Safari can get the username and password from the keychain (by asking me for my keychain password) and then I can optionally allow Safari to always access this item without asking me first. You can have multiple keychains, have some unlocked automatically and have more secure ones that you have to unlock each time, or even go into the Keychain Access application and manually unlock...
One USB stick is not enough for your passwords.
I picked one of my PDAs fully dedicated for only password database, plus other technical details for my machines, net services or other accounts. Methodically not using it for anything else, no network, no usb plug to any machine, ever. Backups on flashcards. Second identical PDA in the drawer, without data but ready to accept backup flashcard at any moment, usually used for playing with NetBSD.
Today, the database has 726 records of active nick/identities, Maljin Jolt on Slashdot among others. What a pile of sticky labels could that be!
There you are, staring at me again.
I've written an online service called www.muyseguro.com (which stands for "very safe" in Spanish). Currently it is in Spanish only. It is a digital vault online for storing passwords, credit card info, and any other sensitive information that you may need to keep safe and ubiquitous. The info you store there is encrypted with powerful algorithms (128 bit encryption), so it can be kept safe. Please, review it and let me know your thoughts about it.
.....I hope you don't start with 31415926......
No, he starts at the other end of PI.
All theory is gray