How do you manage internet passwords?

56 posts in this topic

 

To make matters more fun, sites have contradictory security requirements on their passwords; some must be over six characters, others exactly five, containing punctuation characters, others only A-Z and numbers.

 

This drives me completely bonkers. The more complicated they require the password to be, the more likely people will have to take insecure measures to remember it. These companies are so self-important: do they not realise that their password is just one of many that we have to remember?

0


Something that increasingly annoys me about passwords is the fact that password fields on internet forms are obscured, i.e. you type and only see asterisks. Used to occasionally screw me temporarily if the caps lock key was on, but nowadays, the problem is that we access so many websites on our phones.

 

OK, on my phone at least, the character I typed is momentarily displayed before it changes to an asterisk, but frankly, I think obscured password fields have become completely shit on a usability level.

 

I personally cannot remember the last time I was typing a password, and thought, "ooh, glad it is obscured, somebody is looking over my shoulder." It simply never happens. I can however remember the countless times when I have got fucking irritated when faced with typing a password on my phone, for a site where you have to use at least one non-alphanumeric character, which you cannot bloody find on the phone keyboard, or have to hold a key down to access, then you fuck it up, press backspace, but miss the tiny key with your chunky fingers and press return instead, then it submits, fails, and you start all over again. AAAARRRRRGGGGGGHHH.

1


don_riina: if I had to write down my hard passwords I wouldn't be able to, I remember the action of my hands rather than the characters I'm typing, if I get distracted while typing it out or make a mistake I have to start again. Obscured fields are absolutely necessary, it only takes one shoulder surfer to know that password and possibly other accounts by association (we're all guilty of 'life passwords' to some degree).

 

p.s. you seriously use the caps lock key?! You probably shouldn't say that out loud ever again :lol:

0


 

To be honest the Ironkey doesn't do anything that Keepass won't do and for free. If you spend 5€ on a USB stick and keep the data physically on that, voila, an ironkey-style solution for 5€.

 

If you use a USB stick on a computer not belonging to you, all its contents including your KeePass database could be copied off in the background without your knowledge, because KeePass resides on the stick as a collection of files. This data could then be attacked at leisure. Your KeePass password might also have been copied as you entered it.

 

The IronKey Identity Manager (IDM), on the other hand, is built into a dedicated part of the IronKey memory that cannot be copied at all, because it's not in a file. The only way to access the IronKey passwords data is through the built-in app, a lightweight front-end to the IDM.

 

Overall IDM is more secure and very flexible. It monitors your manual logins and offers you the chance to create new accounts on the fly for future use. IDM can be backed up as an encrypted lump of data to IronKey's secure online server that can be reached or accessed only with your IronKey and your password. Similarly you can back up this data to (and restore it from) another IronKey if you wish. Other features of the IronKey are also unique, such as its "Secure Sessions" enabling encrypted, private browsing from any PC using the on-IronKey Firefox browser.

 

Furthermore, most USB sticks are pretty flimsy things. IronKeys will survive any number of other disasters, such as being submerged in water, frozen to -40°C, heated to 85°C, being run over by a truck, dropped from a great height onto concrete...

 

But at the end of the day it's as always a case of horses for courses - although I reckon IronKey is the best solution, if KeePass ticks all your boxes, then it's the best for you.

0


 

If you use a USB stick on a computer not belonging to you, all its contents including your KeePass database could be copied off in the background without your knowledge, because KeePass resides on the stick as a collection of files. This data could then be attacked at leisure.

 

You cracked a few AES-256 files in your time have you(?) <_<

 

Keepass is not weak because it's file-based (I don't even know what you mean by that, big deal if the data can be copied), its contents are weak if someone picks a shitty password/passphrase, but then again so would IronKey Identity Manager.

 

The bigger danger here is vendor lock-in, i.e., if IronKey suddenly went out of business would you be screwed?

0


 

But at the end of the day it's as always a case of horses for courses - although I reckon IronKey is the best solution, if KeePass ticks all your boxes, then it's the best for you.

 

If IronKey floats your boat, that's fine, I'm happy with Keepass. Personally, I reckon if anyone wanted a password from me THAT bad, they'd just come and hold a gun in my face or similar.

0


 

Furthermore, most USB sticks are pretty flimsy things. IronKeys will survive any number of other disasters, such as being submerged in water, frozen to -40°C, heated to 85°C, being run over by a truck, dropped from a great height onto concrete...

 

Jason Bourne?

 

Keepass is free and incredibly more flexible and easy to use (for beginners) than any other similar software. Just as TrueCrypt beats the sh!t out of most commercial competitors...

0


 

If IronKey floats your boat, that's fine, I'm happy with Keepass. Personally, I reckon if anyone wanted a password from me THAT bad, they'd just come and hold a gun in my face or similar.

 

Close enough, http://xkcd.com/538/ ;)

1


 

p.s. you seriously use the caps lock key?!

I have kids. They can reach the keyboard, particularly the caps lock key.

0


@don: to be honest most forms today are extremely outdated. A small JS snippet can detect and inform the user if the caps lock is on.

0
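
The caps-lock detection mentioned in the post above, combined with a toggle for the password masking debated earlier in the thread, as an added example that is not part of the original thread. The element ids (`password`, `caps-hint`, `show-password`), the function names and the hint wording are assumptions.

```javascript
// Added example: caps-lock hint and reveal toggle for a password field.
// Element ids, function names and the hint wording are assumptions.

// Returns true/false when the state is known, null when it cannot be determined.
function capsLockState(event) {
  if (typeof event.getModifierState === 'function') {
    return event.getModifierState('CapsLock');
  }
  // Fallback for event objects without getModifierState: infer from a typed letter.
  const key = event.key;
  if (typeof key !== 'string' || key.length !== 1) return null;
  const isLetter = key.toLowerCase() !== key.toUpperCase();
  if (!isLetter) return null;
  const upper = key === key.toUpperCase();
  return upper !== Boolean(event.shiftKey); // upper without Shift, or lower with Shift
}

// Wire the hint to a password input. `hint` is any element with textContent.
function attachCapsLockHint(input, hint) {
  const update = (event) => {
    const state = capsLockState(event);
    if (state === null) return; // unknown: leave the hint unchanged
    hint.textContent = state ? 'Caps Lock is on' : '';
  };
  input.addEventListener('keydown', update);
  input.addEventListener('keyup', update);
  input.addEventListener('blur', () => { hint.textContent = ''; });
}

// Let the user disable masking; returns true when the field is now readable.
function toggleReveal(input) {
  const revealed = input.type === 'password';
  input.type = revealed ? 'text' : 'password';
  return revealed;
}

// Browser-only wiring, skipped when no DOM is present (e.g. under Node).
if (typeof document !== 'undefined') {
  const input = document.getElementById('password');       // assumed id
  const hint = document.getElementById('caps-hint');       // assumed id
  const button = document.getElementById('show-password'); // assumed id
  if (input && hint && button) {
    attachCapsLockHint(input, hint);
    button.addEventListener('click', () => {
      button.textContent = toggleReveal(input) ? 'Hide' : 'Show';
    });
  }
}
```

The letter-case fallback is a heuristic only: on keyboards where Shift does not invert Caps Lock it can report the wrong state, which is why `getModifierState` is preferred whenever the event provides it.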


 

So I guess nobody uses sticky notes anymore?

 

I have an iMac in the cellar in the heating oil room with a sticky note on the bezel saying:

 

Password: password

0


 

Jason Bourne? Keepass is free and incredibly more flexible and easy to use (for beginners) than any other similar software. Just as TrueCrypt beats the sh!t out of most commercial competitors...

 

I used to use Truecrypt when I was Windows-based, I was pleasantly surprised with OSX's own "Disk Utility", it supports AES-128/256 and with sparsebundle image support (so Time Machine will only back up the sector changes, not the whole image every time like it would with a TC volume) it's great for storing sensitive client data.

 

 

I have an iMac in the cellar in the heating oil room with a sticky note on the bezel saying: Password: password

 

Great tactic for demoralising the wannabe Ferris Bueller hax0r...

Password: password

Invalid username/password, try again.

Password: password

Invalid username/password, try again.

Password: password

Invalid username/password, try again.

Password: password

Invalid username/password, try again.

Password: password

Invalid username/password, try again.

 

Arghhhhhh! *walks away in frustration*

 

Password: Password: password

Welcome back Sir Kreig! Would you like to play a nice game of chess?

0


To be honest, 10 minutes looking at somebody's Facebook account would probably equip you with enough information to answer most of their security questions. Mother's maiden name, name of pet, town of birth etc.

Obscured password fields should be made defunct, or at the very least, something you can disable.

1


 

To be honest, 10 minutes looking at somebody's Facebook account would probably equip you with enough information to answer most of their security questions. Mother's maiden name, name of pet, town of birth etc.

Obscured password fields should be made defunct, or at the very least, something you can disable.

 

Exactly. Was the latest trend in social engineering at Defcon as well.

 

 

Obscured password fields should be made defunct, or at the very least, something you can disable.

 

Unfortunately, it's a legal matter that makes any company who offers a web browser vulnerable to lawsuits a la "it's the browser's fault for not hiding my test123 password."

0


If you haven't read this one before it should give you a laugh 'hunter2'

2


I find car registration numbers do the job, as they are memorable but random. The various Austin Maxis that we had in the 70's keep me in passwords, as I memorised the numberplates as a kid.

0


 

To be perfectly serious about this, the IronKey Identity Manager is the way to store, manage and automate your passwords (and other data) as securely as it gets: see https://www.ironkey.com/demo-personal

Is it cross-platform? Keepass has Windows, Mac and Linux versions. As someone who works with Windows & Linux and has a Mac at home I find this very useful as I can store all my passwords in the same file on the same USB stick. It gets backed up regularly so it's reasonably secure.

 

 

The IronKey also enables secure, encrypted, private browsing from any PC.

There are various free solutions for doing the same including a PortableApp version of Firefox and the Xerosoft browser which uses Tor.

0
