Ask Slashdot: How To Keep Students' Passwords Secure?
First time accepted submitter bigal123 writes My son's school is moving more and more online and is even assigning Chromebooks or iPads to students (depending on the grade). In some cases they may have books, but the books stay home and they have user names and passwords to the various text book sites. They also have user names/passwords to several other school resources. Most all the sites are 3rd party. So each child may have many user names (various formats) and passwords. They emphasized how these elementary kids needed to keep their passwords safe and not share them with other kids. However when asked about the kids remembering all the user names and passwords the school said they are going to have the kids write them down in a notebook. This seemed like a very bad practice for a classroom and to/from home situation. Do others have good password management suggestions or suggestions for a single sign-on process (no/minimal cost) for kids in school accessing school provisioned resources?
They log on to one site, and use that login to log in to all other sites.
This scenario sounds like something a password manager can easily solve, especially something like LastPass Enterprise which has a Preloaded Password Vault and Policy configuration. While you can debate the security of having all your eggs in one basket (master password), the convenience from an administration perspective should outweigh whatever "sensitive" data is at stake to be compromised (homework, research resources), at least at the primary/secondary school level. Of course, if the roll-out has already begun then I would recommend your son install whatever password manager he prefers and choose a "secure" master password and lock his laptop/iPad when he isn't looking at it.
Yes! Use a password manager. But then also add 'a third password' to it, in the form of a finger print scan via a USB Yubi-Key for two-factor identification. Similarly you can also 'authorize' your specific mobile devices, (which can't accept a YubiKey). It's a hassle, but it is also an investment in security; which is how these things always work.
http://help.passpack.com/knowl...
You can't be ahead of the curve, if you're stuck in a loop.
passpack.com accounts can share passwords between user-accounts. This solves the 'what if Bob gets hit by a bus' problem, (because only Bob knew the passwords to the servers). It seems other services should be able to provide this also.
Set up a proxy system to access them. Use your dedicated password to access the proxy, then the device password can be in the open because it's behind a proxy.
Not idiot-proof, and if you can cross-access the devices it leaves holes in the solution unless you can segment the network they reside on.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
For children age 6 and up, and also for adults, the most important thing is to Keep It Simple.
Writing down passwords is actually a good thing for adults, as long as the passwords are written down in a secure place. A note in your wallet qualifies, as you know how to keep your wallet secure (right?). This is even more secure than a password safe on your smartphone: inputting a strong password is a pain (and easily observed), and with it your smartphone becomes a prime target for theft (if it isn't already).
For children of 6 years old and older (I'm assuming a US centric view here, triggered by the word 'elementary'), the situation is not that much different. The only problem is that children at this age usually do not have a wallet.
This is then the only problem to solve: creating a secure place to write down passwords.
However when asked about the kids remembering all the user names and passwords the school said they are going to have the kids write them down in a notebook. This seemed like a very bad practice for a classroom and to/from home situation.
Bruce Schneier says:
"Microsoft's Jesper Johansson urged people to write down their passwords.
This is good advice, and I've been saying it for years.
Simply, people can no longer remember passwords good enough to reliably defend against dictionary attacks, and are much more secure if they choose a password too complicated to remember and then write it down. We're all good at securing small pieces of paper. I recommend that people write their passwords down on a small piece of paper, and keep it with their other valuable small pieces of paper: in their wallet."
https://www.schneier.com/blog/...
Excellent password manager. Syncs an AES-encrypted file to all your devices. It also has plug-ins for most web browsers (Firefox, Chrome, Safari) that allow you to log in automatically on a web site. I personally don't use the plugins, but it's really good on both Android and Mac OS X.
The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
How about we do away with passwords and have the kids get mandatory, government issued, RFID chips imbedded under their skin. Problem solved!
Brave Sir Robin ran away. ("No!") Bravely ran away away. ("I didn't!")
Just make sure they understand to keep the notebook safe. Ideally, they would write them down in a diary or the like, that contains other private information, but at least here only girls usually have these.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
You still need to remember one password though; what I would with children is the following: ask them to say a poem/song they remember; pick a line of the lyrics that they are likely to recall clearly; tweak slightly the letters with *them* driving the process (e->3, o->0 etc); add a little salt in the beginning (one or two characters); use that for the password manager. Proposed solution is not of exotic entropy, yet will do the job with flying colours, for most children.
:-P
In fact, they would be in good enough shape to start teaching the adults around how to do the job
Tell them to put them in a notebook. Accept that they will get shared. If that bothers the school admins, too bad.
I have a feeling that this school is wasting a bunch of money on stuff "third party" salesmen have sold them, but that is another issue.
I think the question is completely wrong, it's not how they should remember their passwords. It's why do they have several usernames and passwords in the first place?
First the resources that are school controlled should of course be behind one username/password pair, preferably SSO for the web parts (e.g. a CAS variant is quite simple).
For external resources, is there a real reason they really need to log in? E.g. can IP based access control or something work for some cases. I understand you don't control everything, but as users(/customers) one can at least complain, and try to push it in the right direction. If there is a reason to log in, do they support something like Shibboleth/SAML or OpenID for login federation? If so, that should be used. It's not trivial, but making the lives of the students hard for something stupid like that is even worse.
I think that for an elementary school student, if the amount of username/password pairs they need is over 1, there's something wrong somewhere.
I second that. I have LastPass on my mobile, on various web browsers at home and work. Although the free version could be sufficient for your child. I paid for the premium version which gives me the mobile option, and it's cheap, at only around $12/year (last time I looked). So for all websites I have different passwords which all have high entropy (think 16 characters, uppercase, lower case, numbers and special characters).
I only need to remember a few passwords which I don't store in LastPass, e.g. bank, email, etc.
It's school; all the computers are locked down and limited in access only to approved sites (whitelist). No outside software may be installed, and all USB ports are frozen. No personal electronics are allowed to be brought in by kids.
Remind me again how LastPass, 1Password, and KeePass work in these environments?
Is it just my observation, or are there way too many stupid people in the world?
Why not go all the way and change it to 00000000? Was good enough for the US nukes....
LastPass, and make your master key be a sentence-like phrase. That's what I use, but then I run the sentence-phrase through a generator I wrote which outputs things like:
tsÃMÃ--Ã09kÃÃyW>Ã17gËoeÂâsÃzxéYÃwMã8w
Of course we are on slashdot, almost none of the high-ansi characters will display.
Notebooks are non-installable (no e-viruses), portable, inexpensive, and do not require access to a third party online service (school access whitelists work).
They are as secure as they need to be - students are to use their own notebooks and not share them, and as long as a notebook is closed it is secure from prying eyes. These aren't nuclear codes, they're access to textbook sites used by grade school kids. If you're so concerned, have your child get a small, pocket sized notebook and write them down there, and remind him or her that they should keep it with them at all times and bring it home every night and back to school each morning.
PS - The admonition not to share passwords is a good way to train kids that security information should not be shared, even though it's not really a critical safety concern at this point.
This, or just write them down in a notebook. Who cares about those passwords anyways? They are kids for christ's sake. Just give the teacher an admin password to reset and change everything. They WILL steal each other's passwords, they will share them, they will make up "funny" passwords if they get to choose. They are kids, let them be kids. Being impulsive, naive, and, well, juvenile, is an integral part of being a kid. Also, they already remember all the important passwords, such as their facebook, online games etc.
If you don't want to use a password manager, create each password with a base word that is not written down, then add characters to each password that are written down. For instance, the base word could be "boxcar". Then, actual passwords might be boxcar357a, just write down the 357a. Or some variation of this approach.
If they are using iPads with the latest version of iOS 8, they can just save the passwords using the keychain in safari with autofill (only works if a site is HTTPS, however)
Have you seen Memento?
It works. Creates secure passwords. Stores them.
Easy.
Tubby or not tubby. Fat is the question
That is so fucked up.
Oh, look, he's got a chromebook - he's a loser.
Watch this Heartland Institute video
They emphasized how these elementary kids needed to keep their passwords safe and not share them with other kids.
Yeah, it's still a crime, but at least the Software Protection Authority and Central Listening won't find out about it that way, right?
Ezekiel 23:20
Print out a password cheat sheet. Even in plain sight, if you don't know how to read it, it is meaningless. See reference at Lifehacker in an article called "How to Write Down and Encrypt Your Passwords with an Old-School Tabula Recta."
So long as the administrator agrees to whitelist it, and allow the browser add-on, it should work fine. It doesn't require any USB, or separate software to be installed. It doesn't save passwords anywhere locally. Everything is stored encrypted on their server, and unencrypted by the browser add-on. This is both very secure and very convenient.
I'd think this is something most administrators in such environments would allow if asked, since it's going to make their own lives a lot easier.
Just don't forget that - whatever Steve Gibson has to say on the matter - it does rely on the competence and integrity of the LastPass crew.
If LastPass rework their website so that your password is sent to them (rather than the encrypted hash generated by JavaScript), they can do decryption locally on their side (rather than in JavaScript in your browser), then they can read your passwords.
If they get man-in-the-middled somehow - by a malicious employee, say - your passwords are no longer yours.
They could engineer their site to be subpoena-friendly. (Whether they have, I don't know.)
Also, if someone hits you on the head after you've signed in to LastPass, they have all your passwords.
It is better to have a good password written down somewhere, than using the name of your dog and knowing it by heart.
Rhymes can stick nicely in the mind. Twist a rhyme to form a password. "Jack and Jill climbed up the Pill" would stick in most kids' minds. Or twist a popular phrase. "Jose can you see" instead of "Oh say can you see" might work.
Grille
He could have a folded one in his wallet or whatever. If he loses his notebook, it's just a random set of letters.
You don't deal with school systems much, I see. In most places this isn't a simple request. And have you ever used Lastpass on an original iOS device (original iPads cannot update past iOS 5.1.1)? Convenient isn't the word I would use.
Besides, what happens if the 7 year old forgets his or her master password? If he has it in his notebook, the teacher can help him. If not, she will spend the next hour setting up and approving all of his logins on all of the sites they use. And 7 year olds forget things like passwords. A lot.
Don't expect them to get it perfect the first time. And depending on their age, don't start them off with what you'd consider the best final approach. You're in a school, treat it like any other learning experience.
Just using passwords may be a new experience for some of them. Start with the basics. I wouldn't focus too much to start with on "strong passwords", they can work on that later. For now, work on selecting a password they can remember, NOT sharing their password, and changing their password as needed.
Once they've spent some time on that and feel more comfortable with it and don't feel like the world is going to explode if they forget their password, move on to password security. Using stronger, longer passwords, using different passwords in different places, password managers, avoiding and dealing with a password lockout, password resetting, etc.
This is just one of those "things they should have taught us in school", treat it as such. Like time/money management, basic cooking, resume writing / job hunting etc.
I work for the Department of Redundancy Department.
I mean that's the obvious question ... if all an attacker can do is read some textbooks then I don't give a crap about how secure the password is.
Most kids are required to have school IDs now. Write the information on a card of the same size as the ID, laminate it, and attach it to the lanyard that holds the ID.
The school imposes this burden; the school should shoulder the work of the solution. Set up a federated authentication IDP (using ForgeRock or some other OSS); store the passwords for each child in there, a central site maintained by the school district. Then the children need only one username/password for their time in the school district. Incidentally it will encourage the school district to streamline the process :-).
Issue the students smart cards or integrate them with their student ID. The costs of smartcards have come down so much now that my local laundromat uses them in place of coins. If a student loses their ID, an administrator simply deactivates the card.
"The dog chased 3 chickens around the house."=Tdc3cath. "I use Google to write emails to Grandma."=IuGtwetG.
If the school is going to have access to this notebook, assume from day 1 they are going to use it to log onto your child's account and monitor it, thus you should encourage your child to only use it for school activity and not for any personal activity. Schools have done worse.
I'd say keeping the list in the last page of a notebook or binder should be sufficient... and I feel like it's pretty reasonable for the teacher to have a copy of the students passwords in case they lose/forget the notebook.
I've not heard of LastPass. But when I was looking for a password generator I found KeePass & use that. I then have a cloud drive I keep the DB stored on & install the app on w/e device I need/want to access the accounts stored within on. And while I've not done this myself, I have seen KeePass auto enter username/password into a website. I just copy/paste them manually, and the apps erase the clipboard after 30 sec for the more security conscious.
Using a password manager of any sort allows you to have long random passwords and not have to actually remember any of them, unless you secure access to them with another password. Considering the issues that have been highlighted with having multiple significant accounts tied to the same username & password, I would highly recommend everybody use some sort of a password manager besides a web browser password storage.
Master password system of some kind is about the only reasonable solution. KeePass etc.
https://www.gnu.org/philosophy...
Thank you, I've been posting this to every password-related Slashdot article for years and never managed to get modded up. My scheme is a slight variation, where the "357a" part is derived from the name of the web site or application you are logging into. Maybe you use the vowels in the web site name and their count: so the password for homework.com might produce "boxcaroeoo4." With this approach, instead of writing down "357a" or "oeoo" you write down "vowels + count" or "standard derivation" or something like that. The benefit is that if you use the same algorithm most of the time you don't have to write anything down.
Or OTPIE on top of a less complicated password
See Spot.
See Spot3 run.
Run, Spot$# run!
Like this?
Faster! Faster! Faster would be better!
Also, if someone hits you on the head after you've signed in to LastPass, they have all your passwords.
I see this as a positive thing if you don't wish to get hit on the head multiple times.
What assets are you protecting? What is the risk?
1) If the account is compromised can you get access to it again via alternate means?
Be the parent. Have all of the accounts go to an email box you control, or have all of the accounts go to an email box that you know you can get access to beyond the password. In case of breach make sure you have a path to regain access and control.
2) What are the accounts for? Minimize the risk.
Don't allow the kids accounts to be an attack vector for *YOU*. Consider them like an untrusted source. Don't open unknown attachments. Bad scenario: Opening an attachment entitled "My homework" with an attached malware. Then go check on your bank account... Don't be that guy/gal!
3) What do you want their learning experience or take away to be?
Chances are if they get compromised it won't be a focused attack, it will be someone they know. Decide what you want the worst case scenario to be and minimize the risk... Whether that is removing photos or setting up rules on do's and don'ts. Don't post your journal on a school resource. Childhood is the chance to ramp up to adulthood.
"Don't fear death... fear not living..." -me
Our school district has an information system parents can log into for registration, to check grades, etc. My wife and I each have our own logins.
Our HS student went up to register in person this year and although we'd already filled out the necessary paper work, the registrar demanded she do it again. She said, "I can't. I can't login as my parents." No, problem the school replied: here's your Mom's id and password!
Fortunately my wife had recently changed her password so it didn't work. No worries though, when that didn't work they simply gave my daughter my id and password. (Which of course did work.) When I found out about this I went back and changed my pwd to something crude and socially unacceptable. Can't wait till next year!
The software our district is using is installed in hundreds of similar school districts across the country...
Use Dropbox (or any cloud service that sync local files) and Keepass 2 (open source) to keep them in an encrypted file that is shared among anyone. You can also do group file sharing in dropbox, though I don't do that with my passwords file.
The keepass file is encrypted.
I've done this for several years. It's awesome. It allows you to change your password for the same site without depending on some algorithm to lock you into only one possible password for that site.
You can add and edit the file and it synchronizes. I can even use mini-keepass on my iphone, also with dropbox, so if I'm ever needing info without my PC, I can grab the password.
I keep credit card info (easier to cut and paste when ordering online) and game and website login info.
> I have too many important passwords that could ruin my life. ... If I kept the passwords for my bank/retirement fund/etc.'s web site in my wallet they could put me in the poor house. I haven't figured out what to do about this yet.
First, don't use the same password for Slashdot and Facebook that you use for your retirement account. Using the same password, or a similar password for two important accounts is fine. So let's say the PIN you use for important stuff is "5918", and the base password for important stuff is "LipCamLAG". That's all you need to remember, a pin and a password stub. You then write down:
scottrade: pass + pin
schwab: pass + !?
wells fargo: pin + pass
A bad guy who gets the written information hasn't gained anything useful, and you only have to remember one password and one pin. Actually, two passwords: one for crap that doesn't matter, like Slashdot, and one for more critical stuff like your bank account.
Start with a core that involves a Capital letter, a lowercase letter, a number and a symbol. You want it be about 7 letters long, something like this:
Sp1tab$
ALL your passwords will start with that. Next decide if you are going to use the first, second, last, or second to last letter. Let's go with "first".
Add the "first" letter of the name of the device/software for which you are using a password. Then add the "first" letter of your username.
Conclusion: Using this system, my password for slashdot would be:
Sp1tab$sg
My password for my Dell Laptop, with a username of "Me" would be:
Sp1tab$dm
If something says 'no symbols', drop the $.
If something says "at least 10 characters" (haven't seen that yet), then add a 0.
You now have ONE not that hard to remember word, plus a few simple rules to figure out what the password is.
The only problem with this system is obnoxious requirements to change your password every X days, combined with rules that prevent reusing parts of old passwords. To solve that problem, try continuously raising the number you inserted in the core password.
excitingthingstodo.blogspot.com
I'm the Google site admin for my elementary school where I teach 4th grade. That makes me responsible for maintaining my class's passwords, as well as the passwords of five other classes - that's nearly 200 4th and 5th grade kids with a fairly transient population. The Google username scheme is non-negotiable because of security issues and committee decision making and consists of the first three letters (if there are three) of the first name, the first three (if there are three) letters of the last name, and the first three digits of their numerical student ID (which they do not know). The password scheme I came up with has the kids choosing two words from a table of common four-letter words. They put those words together with the last digit of their year of birth. They must use this username and password to even get into the Chromebook for most purposes (anything that involves document editing). The classroom app that Google unveiled this Fall is awesome. It's simple and perfect for what it does. I have the kids write their username and passwords down on a post-it. Secure enough. 90% of them have no problem remembering it, but some of them come with their shoes on the wrong feet, so I've been satisfied. I just set the other kids passwords manually after making them write it neatly on a post-it note and usually finding their error. The only third-party thing I use is Scratch, and I make my kids manage their own credentials (I offer a post-it). Scratch is amazing and my kids are motivated to manage it themselves. Scratch, by the way, could be the best thing to happen to math in 200 years of education if people would stop teaching math and start doing math. [Brag warning] Check these out, and tell me you wouldn't have died to build them in 4th grade: http://goo.gl/pHF6Hd We do one every week now.
Simpler for kids is use a pattern, and base the first key off a letter in the website.
So password for Slashdot might be sdsasd (right, left, right). For Google+, ghgfgh. For pornhub, p[pop[
These are just examples, nowadays many require a number/shifted number be part of it, so I'd include that before or after the pattern. That way it's easy, the same pattern everywhere, just a different start point, unique, relatively secure, doesn't teach the bad idea of writing a password down, and is much faster to enter.
(Note, these types of passwords are hard to enter on a mobile device without a qwerty keyboard.)
I've been using this scheme (base word + something connected to what the service does, usually in leetspeak) for about 15 years now to help me remember passwords for obscure/rarely used accounts.
The most important insight is: use it ONLY for unimportant/throwaway stuff and PLEASE stop recommending it as a general method to people.
I have more than three dozen accounts and passwords. At some point one of those WILL be breached, probably without you ever being aware of it, and without any blame on your side. It happens even to the likes of Amazon. And then what? Anybody who takes more than 5 seconds to look at your password, or even a malicious system maintainer who grabs passwords at login, will be in a position where your passwords are just 3-4 token variations (and we're all aware how quickly you can break 4 character passwords even by hand).
Sure, it's not very vulnerable to automation (unless somebody decides that enough people are using this and couples it to pattern matching with the service and identified base words as input, and a brute forcer), but once a human mind sets you as a target, your online world is SOL.
IMO the best password scheme is still 8+ tokens (letters like 'a', words like "house", numbers like 123) that have absolutely NO CONNECTION to the service that offers the account or to publicly available information about you.
A good pattern (among many others) is to draw from an unrelated memorable sentence at the time you are creating the account. For example if you joined Slashdot last month while listening to the news, you may have thought "Hopefully the Russian annexation of Crimea doesn't start a war" and take the first letter of every word: "HtRaoCdsaw".
Or for a shorter sentence ("Let's not have a war again") every second word: "notaagain", but note that these are only 3 tokens, i.e. as bad as a 3 character password, so you have to spice it up through punctuation and leetspeak, according to a personal scheme of yours. But the important part is that when someone discovers and understands your scheme by looking at a leaked password, they will still have no chance of cracking your other accounts because the base sentence is unrelated. And since you picked something memorable, the mnemonic hook will help you remember it for years.
Dictionary attacks are not the only attack vector nowadays. With all of the account server break-ins lately, a very big problem is people re-using the same password and login (often an email address) on different websites. So if your account at l33twarez.com gets compromised and you used the same account info as your email or bank, then those too are compromised. This has been a big problem with online gaming for years.
Or better yet, use things that you will remember, for me it's song lyrics, and then transpose numbers and symbols for characters using a pattern that you create and remember, e.g., "Row, Row, Row Your Boat!" becomes R0wR0wR0wY0urB0@t! I create secure, strong, easy to remember passwords that way and it's a process even a third grader can learn, probably even earlier. I do not advocate storing passwords nor writing them down unless they aren't used regularly. The ones I use often I keep in my head! It's just not that difficult to come up with a good scheme.
For additional security, the non-base part can be written down in a non-obvious way, for example a spiral. If my password was aBcDe123$, I would write down:
aBc
3$D
21e
Or a zig-zag with a bunch of unused symbols:
aoooeooo$
oBoDo1o3o
oocooo2oo
Support Right To Repair Legislation.
I agree, but as with above this is a problem with education. If you teach people to use different passwords, and provide them a method of generating different (yet similar) passwords the problems are greatly reduced.
When was the last time you heard your security team remind people not to re-use passwords? This is of course in addition to training people on strong memorable passwords. If you can't remember, something is wrong.
As much as security experts enjoy hacking and finding vulnerabilities, their job extends way beyond those two things. If they are not good teachers they should be hiring someone that is to assist.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
what you are securing as much as it's about the security.
Is it just access to textbooks? Then who cares. Are we worried one too many of the kids might learn?
Writing them down is fine for what we're trying to protect.
That said, it's a good time to teach them how to make easy to remember hard to crack passwords.
"Mary_Had_A_Little_Lamb_2004"
As an example.
The Dunning-Kruger effect explains most posts on
Give them hardware keys (RSA tokens or whatever they use these days).
The number of extremely viable suggestions to solve the OP's problem made here is significant, but in my experience another limiting factor will be the teachers' IT competence. The lack of basic understanding among some school instructors for anything IT related can be rather shocking. So I do hope they train their teaching staff well enough, so that they are indeed able to reset a student's account if the password is lost/stolen. Sounds simple, but you'd be surprised.
But seriously, why do primary school children (or 'elementary') need computers in class? I'm not saying that everything was better in the olden days (hey, I'm far too young to say anything like that), but some things of the modern day and age seem rather unnecessary. I get that not having to carry books is a good thing, but primary school books are usually pretty small and light anyway and there aren't that many of them, so it's not that much of an issue. And students forget them at home? Sure, then they'll get told off (and get penalty assignments, or whatever) and have to learn basic organisation skills.
Wouldn't Lastpass Enterprise's Shared Folders suffice for that?
Both of my kids are also being issued chromebooks this school year. The first thing that came to mind was, "what an effective way for someone to harvest wifi passwords, or even chrome remote desktop their way into someones home network". We've seen this type of activity before with schools spying via webcam. I figure I'll setup a secondary isolated wifi network just for those machines.
Writing down passwords isn't an automatic fail—it just means you need good physical security on whatever you write them down in. A notebook is bad advice, but writing them down on a wallet card or similar wouldn't be too bad.
Something like LastPass is probably your best bet, since it works everywhere (including Chromebook); though it isn't free if you want to use the mobile app, it is pretty inexpensive. Of course, if LastPass has an outage, you're gonna have a bad time.
As a security professional, I often recommend Password Cards (passwordcard.org) as a free, low-tech solution that hits a good balance among cost, security, and ease of use. The site generates a printable card (which is easy to make a backup of!) that has a row of symbols and then several rows of random text elements in color-coded rows. All you need to remember for each site is a symbol+color combo; then you simply start from that grid point and type the required number of characters. You could even safely note down the symbol+color for each site, because as long as you keep the card safe in your wallet, that information isn't useful.
It's not perfect, but it's quite good, free, and simple.
We may not imagine how our lives could be more frustrating and complex—but Congress can. – Cullen Hightower
Why make it that complicated?
- Use your password as a salt and the website, then cut it down to how many characters you use. Most websites allow for 8.
- md5("hunter2" + "slashdot.org")
- sha256(md5("hunter2" + "slashdot.org"))
For websites that insist on upper and lowercase or special characters I wrote my own "rot72" that will rotate the numbers and lowercase letters through specials and uppercase.
It's trivial to implement in about any language:
echo -n hunter2slashdot.org | md5sum | sha1sum
f096039fd8dc0ff71e3144526321639d5ecd4622 -
Then just clip off 6-10 characters and you have a very easy to find password (I honestly don't know any of my passwords) but very hard to go the other way.
For work where they insist on changing a password every quarter I add "Q1-4" to the beginning of that.
Why is this post modded down? A password manager is an excellent solution, and teaching people to use them while they're young would save them (and me) problems for the rest of their life. Aside from storing passwords, a good password manager can be used to generate solid, unique, (and memorable, for those few you need to memorize), passwords for each site. I don't know about you, but I'm sick of having to jump through extra hoops in order to accommodate the lazy and ignorant. Please teach these kids to use a password manager.
-- sudon't
Air-ride Equipped
Because otherwise it would leak passwords to insecure sites, in plain text.
Hmm, I strongly dislike the idea of sitting in a public place and typing my "salt password" visibly into a prompt (especially if it litters the bash history), and then also getting the resulting login password in clear text.
I guess you're not proposing to remember those pseudorandom login passwords, because that's a pain for dozens of accounts (and you could then simply use any input or even sites like http://www.passwordgenerator.e...)
I cannot vouch for it, but my next door office neighbor is using evernote for this specifically as well as other things.
All nice systems, but my password manager popped up these choices instantly:
howl#6crusher
vetch*402tweed
Aswan56]japans
shared-69.cocoA
scarfs488/fats
tank59)Madelyn
All solid enough passwords, (entropy ~80 as measured by Keychain, but you can move the slider if you want longer/stronger ones), and memorable if you need to memorize one. And whichever one you choose, it's saved forever, along with the rest of your login info in the password manager. There is a free password manager included with Mac OS since at least 2002, called Keychain, which is well integrated with other apps, and password managers are available for other OS's. I've never had an account compromised, and if one were, it would not affect any of the others.
Also, why am I getting double line breaks with the BR tag?
-- sudon't
Air-ride Equipped
You don't have to do it that way. It was a case in point on how you can easily remember a password but not your password.
I made a javascript that does it locally (no sending my passwords cleartext over the internet).
If SSH to my home computer is compromised a password to Slashdot is the least I have to worry about. SSH is also protected with Google Authenticator so I have to have my phone with me to log in with 2-factor.
I use LastPass to remember my passwords but in a pinch, (not on a machine with LastPass, Last Pass goes out of business, etc) I can always regenerate my passwords.
If the new password must vary by at least five characters, they must be keeping a copy of the password, so you know they have crap security anyway. Use a base and append the month name or something (except that they're likely to have a character limit). Don't sweat the security too badly, because it's more likely to leak on their end. (Don't neglect it completely, though, because this is doubtless your bank password. The worst password restrictions I've seen were for banks and other financial institutions. 6-8 alphanumeric characters beginning with a letter, and they expect me to trust them?)
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Crackers already know about substituting 0 for o and @ for a and the common trailing exclamation point. I don't think that's secure at all, since what you've got is trivial modifications on a four-word phrase in common use. Come up with some of your own substitutions and memorize them. For example, if you switch "a" and "i" and "e" with "o", you've got a variation that isn't likely in the cracker's software (RewRewYeurBeit).
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
What system forces you to change your password by at least 5 characters?
If the system stores the password as a hash, like all good systems do, how would they know that you changed your password by at least 5 characters?
If they are using iPads with the latest version of iOS 8, they can just save the passwords using the keychain in safari with autofill (only works if a site is HTTPS, however)
So long as it can be backed up, that is fine. But you need to have a backup for safety in case something happens to that particular iPad or Chromebook, which will in part depend on the web browser being used - whether it uses its own set or the system's, and if it is its own if that gets included in the backups.
But yes, I would highly recommend using a password manager and teaching the kid how to use it properly, possibly even having them set up a master password for it, that only you (and those you authorize) have access to, that the kid knows and is instructed not to provide to anyone without your permission, even their teacher.
Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
I made a javascript that does it locally (no sending my passwords cleartext over the internet).
It's usually not your choice whether or not to send the password in clear text over the internet, but I strongly recommend simply not using services that don't offer encryption.
But that has nothing to do with my previous comment... again: I don't want my password to be visible on screen (neither the "salt" one, nor the resulting hashed password). And if it gets saved anywhere on disk in clear text (like it does with your bash one-liner), even worse! You shouldn't present such a bad example as a viable method only to mention in a follow-up comment that you have something actually usable.
I assume your JavaScript (which presumably is geared to web logins?) shows a "password" dialog (the input characters starred) and then enters the result into the password entry field on your current web page? Is it a Greasemonkey script or a plugin?
If SSH to my home computer is compromised a password to Slashdot is the least I have to worry about. SSH is also protected with Google Authenticator so I have to have my phone with me to log in with 2-factor.
Good, but I'm not sure why you bring that up. The topic is how to teach people to remember passwords to arbitrary (website among others) logins efficiently.
LastPass, SeaHorse and all the other vaults are good options with only few drawbacks (for example that you have to have the software with you). A solid mental scheme as I presented further above is another option.
anybody who takes more than 5 seconds to look at your password, or even a malicious system maintainer who grabs passwords at login, will be in a position where your passwords are just 3-4 token variations... once a human mind sets you as a target, your online world is SOL.
This objection only applies to the really simplistic example I give, and only if they see 2 or more passwords. "His passwords are boxcar73 and boxcar98? Duh..." In reality, you can do something only slightly more mentally complex than tacking the service name onto the end that yields an essentially random string. Think ROT13, but not using a constant 13. :-) Since my employer requires me to rotate passwords every 90 days, I feel safe writing "dellbattery" on a post-it on my monitor knowing that nobody is going to get "xy4platypus2&Zp" from that, no matter how many of my passwords they look at.
The 2 benefits to using the service name are that you don't have to write anything down for those services, and your spouse can login to your account without needing to read the keyword list. But you still need some written list because sometimes you can't use the service name though: rotating passwords, changing passwords, or when the algorithm produces a password that the site doesn't accept (too long, too many special characters). One of the items in my list is exceptions like "standard hash but no special characters" which I hate doing.
I do like your scheme though too. I think the real takeaway is that everyone can come up with a scheme like this that is easy for them to remember, and now they can have secure passwords without having to write anything down. Don't write down the password. Write down a reminder of the password that requires special knowledge in order to use. It is far far more secure than what most people are recommending.
A checksum that you can do in your head would be better than something you must use an external tool on. You don't want to expose "hunter2" in your example by typing it in there.
It's usually not your choice whether or not to send the password in clear text over the internet, but I strongly recommend simply not using services that don't offer encryption.
Um. Yeah. It kind of is. If I made a *local* html script and run it on my local machine. I'm fairly certain it's not sending passwords out cleartext over the internet. You can make it so that it just copies a result to the clipboard, etc.
I'm not sure why it's such a terrible example. If you're in a situation where you're scared about screen readers there's really no safe way to enter your password anyway because you might as well assume the NSA is logging everything on that machine.
It's a standalone everything. There is no grease money. I don't try to inject my password into pages.
If I ever need to generate my password I can open a .html file on my desktop and generate one.
I could write a SHA1 method for my TI-89 and use that to generate passwords. I could have a different salt depending on what type of website it was (Social, health, banking).
Hmm, I strongly dislike the idea of sitting in a public place and typing my "salt password" visibly into a prompt (especially if it litters the bash history), and then also getting the resulting login password in clear text.
Not sure if the parent does the following, but your extra requirements are easy to get around.
* not in bash history? just put a space before the command (if you didn't know that already, you're welcome... it's so much easier than "rm .bash_history && ln -s /dev/null .bash_history" :-)
* result in the clear? Just use your clipboard: echo -n hunter2slashdot.org | md5sum | sha1sum | cut -c1-16 | xclip ... then just [SHIFT]+[INSERT] to paste it into the password field. You can also change the xclip selection by adding "-selection c" and then you can use [CTRL]+v to paste it.
* don't want to see yourself type it? enter "stty -echo" first, and be very careful typing the whole command. ... or make a small script to do it for you:
#!/bin/bash
# Optional first argument: how many characters of the digest to keep (default 16)
LENGTH=$1
if [ "x$LENGTH" = "x" ]; then LENGTH=16; fi
# Make sure terminal echo comes back even if the script is interrupted
trap 'stty echo' EXIT
echo -n "basepw: "
stty -echo            # hide the base password while it is typed
read -r PW
stty echo
echo
echo -n "site: "
read -r SITE
# Same pipeline as the one-liner above; the result goes only to the clipboard
echo "$PW:$SITE" | md5sum | sha1sum | cut -c1-"$LENGTH" | xclip
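The derivation scheme from this thread (md5, then sha1, then clip), implemented here as an added example rather than any poster's own code, in two forms: the formula as written, and what the coreutils pipeline in the one-liner and in the script above actually hash. It also makes the point raised later in the thread explicit: a clipped hex digest carries at most 4 bits per character, so the truncation length, not the base password, caps the strength. "hunter2" and "slashdot.org" are the thread's own placeholder values.

```python
"""Added example: the thread's per-site password scheme, three ways."""
import hashlib
import math

# Constructed sample inputs (the placeholders the thread itself uses).
MASTER = "hunter2"
SITE = "slashdot.org"


def derive_direct(master: str, site: str, length: int = 8) -> str:
    """sha1(md5(master + site)) as the formula is written in the thread:
    the outer hash runs over the 32-character hex digest only."""
    inner = hashlib.md5((master + site).encode()).hexdigest()
    outer = hashlib.sha1(inner.encode()).hexdigest()
    return outer[:length]


def derive_like_coreutils_pipe(master: str, site: str, length: int = 8) -> str:
    """What `echo -n master+site | md5sum | sha1sum` actually computes.
    GNU md5sum prints "<hex>  -\\n" (two spaces and a dash for stdin), and
    that whole line, newline included, is what sha1sum then hashes."""
    inner_line = hashlib.md5((master + site).encode()).hexdigest() + "  -\n"
    outer = hashlib.sha1(inner_line.encode()).hexdigest()
    return outer[:length]


def derive_like_thread_script(master: str, site: str, length: int = 16) -> str:
    """The read/echo script variant: echo "$PW:$SITE" adds a ':' separator
    and a trailing newline before md5sum, so it differs from both above.
    A JavaScript port that does not copy these bytes exactly will not
    regenerate the same passwords."""
    inner_line = hashlib.md5(f"{master}:{site}\n".encode()).hexdigest() + "  -\n"
    outer = hashlib.sha1(inner_line.encode()).hexdigest()
    return outer[:length]


def output_entropy_bits(length: int) -> float:
    """A clipped hex digest has 16 possible symbols per position, so the
    derived password can never carry more than 4 bits per character,
    however strong the base password is."""
    return 4.0 * length


def effective_entropy_bits(master_bits: float, length: int) -> float:
    """Strength of one derived password: the smaller of what went in
    (the base password's entropy) and what can come out (the clip)."""
    return min(master_bits, output_entropy_bits(length))


if __name__ == "__main__":
    for fn in (derive_direct, derive_like_coreutils_pipe, derive_like_thread_script):
        print(f"{fn.__name__:28s} {fn(MASTER, SITE)}")
    print("8 hex chars cap the result at", output_entropy_bits(8), "bits")
    # A 4-word passphrase from a 7776-word list is about 51.7 bits; clipping
    # to 8 hex characters discards most of that.
    print("effective bits:", effective_entropy_bits(4 * math.log2(7776), 8))
```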
I'm aware that you can write a password vault in bash script :)
But the ggp doesn't show this and instead proposes a highly questionable example as a "quick and simple" solution, which - my point - it's not.
Besides, I don't like the "space before command" because it doesn't default to omitting history entries on zsh (you can set it up of course). And due to being a tiny visual clue... it's almost as inelegant as shooting down the session. The best way to solve this problem is to not even pose the question: don't set up your workflow in a way where you have to work around entering sensitive information on screen while often sitting in different places.
You're either not understanding what I'm saying or need to try applying the Charity Principle more.
Um. Yeah. It kind of is. If I made a *local* html script and run it on my local machine. I'm fairly certain it's not sending passwords out cleartext over the internet. You can make it so that it just copies a result to the clipboard, etc.
Your local HTML script (a HTML file with JavaScript?) generally can't decide whether to send information to an arbitrary server encrypted or not. For example with a login web page, either the server offers TLS/SSL (the URL starts with https) to your browser, in which case you send your login credentials encrypted, or it doesn't, in which case you can't choose to send them encrypted. What you do locally is of no consequence.
As for the NSA argument, well that's several steps up from people looking at your screen in a crowded room or train. And it necessitates getting rid of the display as soon as possible. And again, throwing clear text passwords onto your drive (like you did in your bash example) is a very bad idea, I hope everyone can agree with that?
That's why it's a terrible example.
Its a standalone everything. There is no grease money. I don't try to inject my password into pages.
Hehe, not "grease money", you give off the impression as if you don't care about reading carefully what your discussion partners have to say ;)
For example, I'm assuming your script can help you remember a password to log into, say, your airline customer account you created two years ago in order to change some bookings. If it could inject it automatically into the field (say through the context menu as a Firefox or Chromium extension) from the clipboard, that'd be a nice bonus, no?
Your local HTML script (a HTML file with JavaScript?) generally can't decide whether to send information to an arbitrary server encrypted or not.
Yes it can. Because the local HTML script doesn't send anything. I think you're completely missing the point. My local HTML doesn't interact with the outside world. I don't use it to populate any forms. I use it to determine my password.
I'm assuming your script can help you remember a password to log into, say, your airline customer account you created two years ago in order to change some bookings.
MY SCRIPT REMEMBERS NOTHING. Do you people need a drawing to understand this?
My password is formulated out of a salt (my 'password') and the website I'm booking at.
Say I go back to delta.com to book tickets. I have no clue what my login or password is. But I have a guess: The e-mail is going to be "delta.com@example.com" (I have my own domain) and the password is going to be an 8 character substring from: sha1(md5(hunter2delta.com))
I have a Javascript implementation because it is the easiest. I have a little bookmarklet with the code in it. I have a bash implementation. I've written implementations in other stuff but use the Javascript the most because I use the password maker on the web the most.
Hehe, not "grease money"
I know it's not 'grease monkey'. I haven't used GreaseMonkey since I switched to Chrome years ago. It's not that funny. You see people write MAC or mbps. I haven't used GreaseMonkey in long enough to remember the proper camelcase.
I understand your position, but I think it has flaws in general applicability.
From a more structured approach: we ask where to draw the randomness (=strength) for your password from. If your generator (boxcar+ID -> f-a2#s:d__x1y) is extremely strong, "boxcar" simply salts the projection and you can keep the ID part very short.
Is having such a complex mental generator preferable to rote memorisation of pseudorandom strings? I guess it might as well be, as the ID part can be as few as 2 characters.
But that's conditional on the strength of the generator, so when recommending a password scheme to your kids and grandmother, how confident are you that they'll not mess up? Case in point: ID=sitename as proposed in the thread branch below, so you get simply boxcarfacebook.com as login password.
I fear with many users "boxcar" would be false security when applied to all their passwords.
This used to be my main password scheme, but I've gradually shifted it out for the other one over the years.
Instead of relying on generating pseudoentropy through a memorised algorithm, it's preferable to have a randomised and unconnected (but easily memorisable) seed in the first place!
In general, drawing additional entropy from a highly biased source (fixed string like "boxcar") makes me uneasy (as it should everyone with a CS background).
Just to add for clarity: of course salting is very important and highly useful, but it's only applicable when your generator has the strength of SHA-2. If you're "only" capable of doing MD5 in your head then salting has demonstrable weaknesses.
>> If the new password must vary by at least five characters, they must be keeping a copy of the password
Wrong. If the password updating page asks for your old and your new passwords, the difference can be policed in Javascript before you even hit the submit button.
Yes. Any further questions?
Google turned up this incident.
I still don't really get what happened. Their system is supposed to be architected such that stealing all the data on their servers shouldn't get you much - everything is encrypted.
sha256(md5("hunter2" + "slashdot.org"))
I don't think it is necessary to double encrypt your password or increase security; especially the way you do (using SHA256 and MD5). A good explanation about why double/triple/etc encryption may not be necessary can be found at http://security.stackexchange.... (look at the answer to the question).
Already being used by many educational institutes - specifically higher ed: https://shibboleth.net/
We are being told all the time about back problems in children, caused by the heavy school bags they need to take to and from school each day. The weight of the poor kids bags is well over the recommendations. Now young adults are complaining of back problems, and maybe this is, among other causes, related to the school bags they carried in their time. Tablet PCs are a very practical solution to the weight problem and also a very useful introduction into the future work environment, which will be more and more ruled by informatics. In my opinion it is both healthier and educational for today's children to use Tablet PCs or whatever, but PCs, for their school and home studies, and those who do will have a definite advantage in the search for a job, their education finished. Not to mention the obvious economies made in paper and the trees which are so vital for our atmosphere.
Sent from Puppy Linux, by an Ecig vaper