How do you manage internet passwords?

56 posts in this topic

 

You cracked a few AES-256 files in your time have you(?)

 

No, but never underestimate how many flaws there are even in great security. A fairly simple key logging trojan installed on your PC, with a virus able to copy your password database off your USB key, would leave you well and truly screwed and especially so if your database contains your TAN list too. No, whatever is used to store the passwords must not be easily copyable or require some external physical key to unlock it.

 

I also thought about using my phone (Android based) to store passwords in some sort of secure thingy, but then I thought about it a bit longer and decided against it. In the end an Android phone is little more than a Linux based, network connected, device and we could open a book on how long it will be before these devices start getting hacked wholesale. At the moment these 'smart'phones seem secure but I bet that won't last all that long.

 

Perhaps I'm just a bit too paranoid...


 

Is it cross-platform? Keepass has Windows, Mac and Linux versions. As someone who works with Windows & Linux and has a Mac at home I find this very useful as I can store all my passwords in the same file on the same USB stick. It gets backed up regularly so it's reasonably secure...

Currently the IronKey Identity Manager is Windows only. Other IK features are Mac- & Linux-compatible.

 

 

... There are various free solutions for doing the same including a PortableApp version of Firefox and the Xerosoft browser which uses Tor.

 

Just FYI the IronKey comes with Firefox. I'm not familiar with the Xerosoft (Xerobank xB) browser but as I understand it, public Tor can be painfully slow and is subject to malicious attacks. The IronKey Secure Sessions browsing is pretty much as fast as your connection allows. It uses a 3-hop system with the 1st, 2nd & 3rd servers in various countries across the globe and with the traffic between each being encrypted. The servers are changed randomly each time you connect or with just a click of the mouse.


I use family catch phrase words that are easy to remember and long enough that I can use digits and punctuation marks as well as letters. The hint has something to do with the catch phrase, then the number of digits used. The clear passwords are in a sealed envelope on the pinboard next to the phone - I have to remember to send my brother a copy just in case something happens to both me and Lou.

 

For example "Pinkle Purr", a figure from A. A. Milne's poems might become p1nk!ePu4r, the hint would be (PP's mother) Tattoo, 2 digits, 1 mark, 1 cap.

 

But that's not one of my passwords, of course.


While all the comments are interesting, it would be more helpful for a true hacker to comment on the ease of cracking each method described. My guess is that if the U.S./Israel can enter Iran, a determined hacker can enter all the above methods. Always ask a burglar how to protect your house.

The Ironkey offering looks interesting, but what I don't like to see is 3k posts on their forum (apparently not so straightforward) and no access to see what is posted without registration.


Strong passwords only protect you from brute-force/guessing attacks. Most password cracking nowadays is based on getting access to your password by deceiving you in some way (i.e. phishing, trojans, data collection, etc.).


Indeed, but then if your PC has a trojan on it then all your attempts at securing anything could very easily be compromised, although you'd also be fairly well assured that picking passwords out of the mountain of data this thing could generate wouldn't be so easy.

 

British banks have an interesting solution - they ask you to submit some 'memorable information', a piece of text something like 'ILoveT0yt0wn', and on each login attempt they ask you for three characters from this. The characters are chosen by some pseudo-random algorithm that (it seems) maximises the number of attempts a key logger would have to observe before they have enough to log in. While it's annoying trying to count letters on your fingers, and it's yet another piece of information to remember somehow, it's an interesting solution.

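The partial-password scheme described in the post above, as an added example (not from the original post or any bank's software): it models the three-character challenge and a passive keylogger that only sees what is typed, so you can see how many logins the logger has to observe before it holds the whole string, and how likely it is to answer a fresh challenge with what it has so far. MEMORABLE is a constructed sample, not a real credential.

```python
import math
import random

# Constructed sample "memorable information" (not a real credential) and the
# three-character challenge size the post describes.
MEMORABLE = "ILoveT0yt0wn"
K = 3

def challenge(length, k, rng):
    """The login form's side: pick k distinct positions (0-based) to ask for."""
    return sorted(rng.sample(range(length), k))

def respond(secret, positions):
    """The user's side: type only the characters at the requested positions."""
    return "".join(secret[p] for p in positions)

def answer_probability(known, length, k):
    """Chance that a fresh k-position challenge falls entirely inside the
    positions a keylogger has already captured (so it could log in)."""
    if known < k:
        return 0.0
    return math.comb(known, k) / math.comb(length, k)

def observe_until_exposed(secret, k, rng=None, seed=0):
    """Passive keylogger model: each observed login leaks the k challenged
    positions and their characters. Returns (logins observed, recovered map)."""
    rng = rng or random.Random(seed)
    learned = {}
    logins = 0
    while len(learned) < len(secret):
        logins += 1
        positions = challenge(len(secret), k, rng)
        for p, ch in zip(positions, respond(secret, positions)):
            learned[p] = ch
    return logins, learned

def mean_logins_to_expose(secret, k, trials=1000, seed=1):
    """Average number of observed logins before the whole string is known."""
    rng = random.Random(seed)
    return sum(observe_until_exposed(secret, k, rng)[0] for _ in range(trials)) / trials

if __name__ == "__main__":
    rng = random.Random(7)
    pos = challenge(len(MEMORABLE), K, rng)
    print("asked for characters", [p + 1 for p in pos], "->", respond(MEMORABLE, pos))
    for known in (3, 6, 9, 12):
        p = answer_probability(known, len(MEMORABLE), K)
        print(f"logger holding {known} positions answers a fresh challenge with p={p:.3f}")
    print("mean logins observed before full exposure:", mean_logins_to_expose(MEMORABLE, K))
```

The scheme only slows a keylogger down: one observed login gives it a 1-in-220 chance on the next challenge for a 12-character string, and a few observed logins are enough to recover most of it.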

Apropos key-logging Trojans, I keep Word files with random unexplained info, so when it comes to passwords or bank/credit card details, I copy and paste the relevant info where needed.


If you type it in a trojan can see it, if you copy/paste it a trojan can see it, if you can look at it a trojan can see it. You get the idea.


Even if you drag and click with your mouse, there are some trojans I've heard of which screenshot the area of the screen for later analysis.

 

The point I think is a reasonable level of security (for what is involved):

* Pick reasonably hard, non-dictionary passwords, or if it's more sensitive, use a harder password

* Don't do anything sensitive (login to Internet banking/email etc.) on other computers which aren't your own

* Don't do anything sensitive on other networks which aren't your own

* Virus/malware check regularly

* Store sensitive information in encrypted volumes

 

I say 'reasonable' because some admins think they have to use the tightest security for even the most mundane of things and end up shooting themselves in the foot, e.g., giving some office worker with little or no-access to sensitive data a horribly complicated password & password policy that ends up forcing them through frustration to write the damn thing down.


I use a few letters plus hexadecimal (Web) colors saved in the form of RGB equivalents, usually as raster images rather than type: easy to store and retrieve, hard to decipher or to recognize as stored passwords.


I'm starting to think that using sticky notes protected by two vicious dogs isn't all that bad a security system. :ph34r:


If it is something that matters, you really should have some sort of 2-factor authentication - gizmo on your keyring, one-time password list on a card in your wallet, something like that. For stuff that doesn't matter so much, KeePassX or similar.


Not really the conspiracy theorist type, but how's this for one. A cover company develops a free program that promises a secure password protection system. It is offered on the internet. People download it and use it. There is a backdoor built into the program, or a tracker or whatever, that makes it possible for the program authors to enter/collect the passwords if they desire. Voilà! By purposely putting all your passwords in one program/area you are effectively advertising where to attack....


I keep a journal full of 'em. A lot of them are repeats and cross-outs. This gets complicated when changing countries and the keyboards correspond to different languages. Not fun. Then the keyboard just stares blankly.
