
Password management, and the DOs and DONTs of internet security

uean Registered User regular
edited February 2011 in Debate and/or Discourse
I am thinking this might be better put in Moe's Stupid Technology Tavern, but since this is such a large topic and can conceivably branch out to cover almost anything we talk about in this forum in one way or another, it'll go here.

I was sitting here contemplating life, passwords, and what would happen to me and my terrible practices should a password be unearthed or discovered. The thought process started when I was sitting on the couch, no TV in sight, no Super Bowl party to attend, wondering what kinda lame project I might entertain myself with, when the thought came that it has been a while since I changed my passwords. And it dawned on me then and there that 'change my passwords' really just meant, change the one password I use for every conceivable site ever. And then the crushing weight of security bore down on my shoulders as I tried to think of a way to protect myself, my identity, my finances, my online presence and its connection to the real-world me. Pretty much one password would grant someone access to all sorts of sites under my name, get some money from my bank account, and allow copious unmentionables to be posted to all 293 friends on Facebook.

I think that there are many others like me. I used to think that I was 'better than the rest' because my password contained an upper case letter, two digits, and a special symbol. And it was *9* characters. But that means jacksh*t if someone were to have that one password just once, somehow socially engineered, and manage to link to all my online identities.

So I come here to ask these questions. What password creation convention do you hold to? What are some best practices for online security? How do you keep track of it all, and is there a way to secure yourself and all your instances without making the duality of online and offline living a tedious chore of password recollection to plough through with every new site?

Maybe it'll provoke some thought on what we're doing for security, or maybe it'll reveal that I am the only idiot out there. Or maybe you're all like me and we're doing it right. But it just feels wrong.

Guys? Hay guys?
PSN - sumowot
uean on

Posts

  • Bionic Monkey Registered User, ClubPA regular
    edited February 2011
    For a good number of years, I had just the single password I used everywhere. It was a fairly archaic slang term though, so I was (and still am) comfortable that it's pretty solid against everything except brute force. I usually didn't bother with security questions, since I used only the one password, so social engineering isn't much of a concern.

    Then I had a hotmail account hacked, and taken over by a spammer. So I tried using a unique password for everything on the web, but frankly that just became way too cumbersome, and I found it impossible to log into any sites when I wasn't at home with the list of passwords right in front of me.

    So I've struck a compromise. I still use the same password for basic sites that don't contain personal info on me, and where I won't be too bothered if I have to go to the trouble of fixing up the situation should it be hacked. For sites that still require numbers as part of the password, I just substitute them for the vowels. For sites where security is a concern, I still use a single password, but this one is a medical term, mixed with upper and lower case letters and numbers.

    It's not the perfect situation, I'm aware, but it's the best situation where I can still remember what the fuck the passwords are when I'm away from home.

    Bionic Monkey on
  • FyreWulff You Registered User, ClubPA regular
    edited February 2011
    It really depends on the level of laziness you want to have.

    Keychain with passwords is probably the 'best' as it compartmentalizes your accounts. If someone manages to brute force your password or get it from a site with weak protections (like Gawker), all they got was that one account.

    The single password for the keychain is technically a weak point, but you only enter it on the local machine. If your local machine is compromised, well no passwords will really protect you at that point, unless you're using Truecrypt to encrypt the entire machine. And all that will do is force them to format it after they steal your computer.

    FyreWulff on
  • uean Registered User regular
    edited February 2011
    Bionic Monkey wrote: »
    For a good number of years, I had just the single password I used everywhere. It was a fairly archaic slang term though, so I was (and still am) comfortable that it's pretty solid against everything except brute force. I usually didn't bother with security questions, since I used only the one password, so social engineering isn't much of a concern.

    Then I had a hotmail account hacked, and taken over by a spammer. So I tried using a unique password for everything on the web, but frankly that just became way too cumbersome, and I found it impossible to log into any sites when I wasn't at home with the list of passwords right in front of me.

    So I've struck a compromise. I still use the same password for basic sites that don't contain personal info on me, and where I won't be too bothered if I have to go to the trouble of fixing up the situation should it be hacked. For sites that still require numbers as part of the password, I just substitute them for the vowels. For sites where security is a concern, I still use a single password, but this one is a medical term, mixed with upper and lower case letters and numbers.

    It's not the perfect situation, I'm aware, but it's the best situation where I can still remember what the fuck the passwords are when I'm away from home.

    This is pretty much exactly my thinking right now, but I need to know a lot of passwords and have access to a lot of sites, and I can't come up with anything simple to remember. The thought of using a key management tool like keydb or something sounded cool until it fell to the 'one password grants access to everything' downside.

    uean on
    Guys? Hay guys?
    PSN - sumowot
  • Apothe0sis Have you ever questioned the nature of your reality? Registered User regular
    edited February 2011
    Generally a personal secure password store with large random passwords is the way to go, which is in turn protected by a strong password which you can A) recall and B) change regularly.

    This shifts the burden of security onto the password store however, so it can be a mixed blessing. If you can access a secure password server, then this is good, as you can conceivably isolate it from attack. On the other hand, if you're doing the road warrior thing, then this often leads to the need for a local password storage solution which A) has the problem that computers (and more specifically the applications, specifically browsers, email clients and the adobe internet suite) that you use interactively are the major attack surfaces of modern times. Which can be problematic.

    Apothe0sis on
  • Muse Among Men Suburban Bunny Princess? It's time for a new shtick Registered User regular
    edited February 2011
    I am hopeless because I share this computer with my family. A lost cause, absolutely.

    Most of my passwords are phrases, each individual to a particular website. A log-in password for a cosmetics review site was protected with the password 'theoctopuslives' because of a plush toy my sister had at the time, as an example.

    Muse Among Men on
  • Dehumanized Registered User regular
    edited February 2011
    I used to have around 4-7 different passwords that I used regularly for different things based on how much I cared about keeping them secure. Lately I've been working on moving most things over to randomly generated passwords which are then curated by LastPass. I'm not trying to move everything over there all at once, just a couple passwords at a time as the mood strikes me.

    Having a smartphone is kind of a blessing here. If I'm in unfamiliar territory I can get the password off the phone then type it into whatever site I need.

    Dehumanized on
  • Tox I kill threads they/them Registered User regular
    edited February 2011
    God, password security....I had to grapple with this beast to annoying degree when I was in the Army.

    I was IT, basically (S-6, for those curious and in the know), and we had just started implementing Active Directory stuff, Army-wide, and one of the big changes was password security. Passwords now had to contain at least ten characters, with at least two of each of the following:

    1) lower-case letters
    2) upper-case letters
    3) numbers
    4) non-alpha-numeric characters.

    No big deal, right? Wrong. My job was basically to teach a bunch of people twice my age and half my computer-literacy how to come up with a password that they could remember without writing it down (that's what we call InfoSec). I had to figure out a way to bridge the gap between myself (younger, more tech-savvy), and people who outranked me so hard they could probably order my death. So I went through some old notes, and stumbled across a lesson we'd been taught during job training (AIT), and did the simplest, easiest thing I could do.

    I taught them L33t speak.

    Basically what we were taught was that the easiest way to secure a password is to take an easy to remember word (the example used was "password") and use character substitution, alternating between the various required types of characters. "password" becomes, instead, "Pa$5_w0Rd" for instance.

    You cannot imagine how weird it was using something you consider so vile as a basis for data security. I felt like I was trolling them. Because of where and how I had to do it, I even had to make up a neat little Powerpoint presentation (because at the time, Powerpoint was the hip and with-it way to do anything in the Army).

    I still actually use it, though, with my passwords. I have one standard password that I use for everything, but in addition, I use another password, that I generate in L33t, based in some way on the website I'm signing up for (so it'd be "password-gaming" for PA, and "password-friends" for facebook, etc). I've found it's probably the most secure form of password generation I can be bothered with, and I just change the generic password every so often, just to be extra safe.

    Tox on
    Discord Lifeboat | Dilige, et quod vis fac
  • Musiqua Registered User regular
    edited February 2011
    I've recently transitioned over to LastPass (in part due to the Gawker incident) and it's been great so far. It imported all my saved passwords from Firefox without a hitch. The only tiresome thing is to go to each saved site and change its password to a randomly generated one.

    Musiqua on
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited February 2011
    Tox wrote: »
    God, password security....I had to grapple with this beast to annoying degree when I was in the Army.

    I was IT, basically (S-6, for those curious and in the know), and we had just started implementing Active Directory stuff, Army-wide, and one of the big changes was password security. Passwords now had to contain at least ten characters, with at least two of each of the following:

    1) lower-case letters
    2) upper-case letters
    3) numbers
    4) non-alpha-numeric characters.

    Yep, the password complexity requirements in AD 2008 and newer are the fucking pits. I hate supporting that shit.

    It's the "at least three of the following categories" bullshit that trips people up. There will always be a large minority of users who will not understand that system no matter how you explain it to them.
    Tox wrote: »
    So I went through some old notes, and stumbled across a lesson we'd been taught during job training (AIT), and did the simplest, easiest thing I could do.

    I taught them L33t speak.

    Basically what we were taught was that the easiest way to secure a password is to take an easy to remember word (the example used was "password") and use character substitution, alternating between the various required types of characters. "password" becomes, instead, "Pa$5_w0Rd" for instance.

    Guess what's super extra stupid about that!

    Brute force dictionary attacks like PRTK will do basic l33tspeak substitutions of dictionary words - subbing in 5 or $ for S, for instance.

    So going to l33tspeak isn't entirely useless, but it's not entirely helpful either. It's far better to enforce a password length requirement than a password complexity requirement and then encourage users to use a long but memorable phrase. "ilovemysontaylorheisthebestatsoccer" is an immeasurably better password than "Tayl0r12" where January 2 is Taylor's birthday. :P

    Feral on
    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Tox I kill threads they/them Registered User regular
    edited February 2011
    Wow, that's pretty hilarious, actually. Is it possible the fact that I was taught all of this back in 2004 would at all explain why my instructors overlooked such a glaring fact? Or is it just that whole "military intelligence" thing creeping back up? (fun fact: When I was S-6, it was for an MI unit. The NCO academy, actually, out in AZ. Fun times.)

    Tox on
    Discord Lifeboat | Dilige, et quod vis fac
  • JHunz Registered User regular
    edited February 2011
    I have several common passwords that I use that are of varying levels of complexity.

    One was the username out of a hacked username/password combination for some porn site that I found in college. I have no idea why it stuck in my head.
    One is part of a generations-removed ancestor's last name combined with some numbers.
    One was stolen from the common passwords at my first job out of college, because I liked it and because it can be typed with only one hand.
    One I appropriated from my wife.

    Both my email passwords are unique, although the hotmail one is easy. But what are they going to do with it, recover my profile and get me some achievements? Go right ahead.

    Of course, a lot of stuff ends up under my least secure password. So it's not ideal, but I really can't be bothered to worry too much about accounts on random small forums, or my NeoPets login that I haven't used in years.

    JHunz on
    Gamertag: JHunz. R.I.P. Mygamercard.net
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited February 2011
    Tox wrote: »
    Wow, that's pretty hilarious, actually. Is it possible the fact that I was taught all of this back in 2004 would at all explain why my instructors overlooked such a glaring fact? Or is it just that whole "military intelligence" thing creeping back up? (fun fact: When I was S-6, it was for an MI unit. The NCO academy, actually, out in AZ. Fun times.)

    Oh yeah probably. I'm not sure when brute force utilities started doing l33tspeak substitutions, but I first read about it sometime after 2007. (Based on where I was working when I first encountered that info..)

    A lot of them do basic numeric suffixes, too. So adding two numbers or a number and a common punctuation mark like a bang doesn't help that much.

    But yeah, just to reiterate for spectators, the key to a secure password is length. A long English phrase is usually the best you can possibly do without resorting to something completely random.

    Feral on
    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • rndmhero Registered User regular
    edited February 2011
    Man, good stuff here.

    As Feral mentioned, most brute force attacks use l33tspeak substitutions by default, so while that will help you satisfy password security requirements, it won't make you all that much safer.

    I've taken to using a "tiered" approach similar to what Bionic Monkey described. I have one password that I use for low level stuff like Facebook or forums, things that I wouldn't be heartbroken over if they were compromised. I have a second that I use for semi-valuable stuff like Steam or online games, things that have an actual monetary value attached to them. I then have a third for things like my banking or whatever. I feel like it's a pretty good compromise between variety and something I can realistically memorize, and it means that there's no link between the unsecured and secured stuff.

    For people trying to come up with long passwords that are easy to remember, one thing I've found is to use a phrase or sentence and then take the characters from that. So "I love the Penny Arcade forums since 2005" becomes "IltP_A4s'05" which is complex enough that it's not likely to be cracked while being tied to reality so that you can remember it.

    rndmhero on
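    An added example (editor's code, not from anyone in the thread) that turns Feral's and rndmhero's points into a check a site could run at signup: it strips a numeric/punctuation suffix, undoes the common l33t substitutions, and looks the result up in a wordlist before giving the password any credit for "complexity", then falls back to a length-based estimate. The six-word wordlist is a constructed stand-in for the multi-million-entry lists real cracking tools load, the 10^10 acceptance threshold is an assumed policy value, and the guess estimates are deliberately rough.

```javascript
'use strict';

// Constructed sample wordlist standing in for the large leaked-password lists
// real cracking tools load.
const WORDLIST = new Set(['password', 'taylor', 'hello', 'monkey', 'dragon', 'welcome']);

// Single-character substitutions that cracking rule sets try by default.
const LEET_MAP = {
  '0': 'o', '1': 'i', '3': 'e', '4': 'a', '5': 's', '7': 't',
  '$': 's', '@': 'a', '!': 'i', '|': 'l',
};

// Separate a trailing run of digits/punctuation: "Tayl0r12" -> core "Tayl0r", suffix "12".
function splitSuffix(pw) {
  const m = pw.match(/^(.*?)([^A-Za-z]*)$/);
  return { core: m[1], suffix: m[2] };
}

// Undo case and l33t so "Pa$5_w0Rd" and "P455w0rd" both map to "password".
function normalize(core) {
  let out = '';
  for (const ch of core.toLowerCase()) {
    out += Object.prototype.hasOwnProperty.call(LEET_MAP, ch) ? LEET_MAP[ch] : ch;
  }
  return out.replace(/[^a-z]/g, '');
}

// Rough log10 of the guesses an attacker needs. A wordlist hit is charged for the
// list plus the substitution/suffix variants a rule set enumerates; anything else
// is charged as brute force over the character classes present. For a plain
// English sentence that second figure is only an upper bound, because phrase-
// and Markov-based attacks do better than brute force.
function estimateLog10Guesses(pw) {
  if (pw.length === 0) return 0;
  const { core, suffix } = splitSuffix(pw);
  const base = normalize(core);
  if (WORDLIST.has(base)) {
    const variants = (core.match(/[^a-z]/g) || []).length; // each roughly doubles the search
    return Math.log10(WORDLIST.size) + variants * Math.log10(2) + suffix.length;
  }
  let charset = 0;
  if (/[a-z]/.test(pw)) charset += 26;
  if (/[A-Z]/.test(pw)) charset += 26;
  if (/[0-9]/.test(pw)) charset += 10;
  if (/[^A-Za-z0-9]/.test(pw)) charset += 33;
  return pw.length * Math.log10(charset);
}

// Policy verdict; the 10^10 acceptance threshold is an assumption for the demo.
function evaluate(pw) {
  const base = normalize(splitSuffix(pw).core);
  const log10 = estimateLog10Guesses(pw);
  return {
    password: pw,
    normalizedTo: base,
    dictionaryDerived: WORDLIST.has(base),
    log10Guesses: Number(log10.toFixed(1)),
    acceptable: log10 >= 10,
  };
}

// Passwords from the thread, run through the checker.
for (const pw of ['Pa$5_w0Rd', 'Tayl0r12', "IltP_A4s'05", 'ilovemysontaylorheisthebestatsoccer']) {
  console.log(evaluate(pw));
}
```

    Run with `node`, it reports "Pa$5_w0Rd" and "Tayl0r12" as dictionary-derived with only a few thousand guesses between them, while rndmhero's "IltP_A4s'05" and Feral's long phrase are scored off their length; the point is that the checker has to reason the way the cracker does, not count character classes.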
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited February 2011
    JHunz wrote: »
    Of course, a lot of stuff ends up under my least secure password. So it's not ideal, but I really can't be bothered to worry too much about accounts on random small forums, or my NeoPets login that I haven't used in years.

    Yeah, I do the same thing.

    BTW, a pox on blogs that require you to sign up for an account just to post a comment. A pox on software vendors that require you to sign up for routine patches as well.
    rndmhero wrote: »
    For people trying to come up with long passwords that are easy to remember, one thing I've found is to use a phrase or sentence and then take the characters from that. So "I love the Penny Arcade forums since 2005" becomes "IltP_A4s'05" which is complex enough that it's not likely to be cracked while being tied to reality so that you can remember it.

    Why halo thar Bruce Schneier ;)
    YhtharB.S.;)

    Feral on
    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Tox I kill threads they/them Registered User regular
    edited February 2011
    Would you say using character substitution with said long phrase does or does not drastically add further security?

    Tox on
    Discord Lifeboat | Dilige, et quod vis fac
  • Peter Ebel Copenhagen Registered User regular
    edited February 2011
    I have a twenty character password and a key-file to KeePass, which keeps track of all my usernames, passwords and the like. It's a little more effort with backing up, updating passwords and carrying a USB drive around with my KeePass on it, but I feel safer.

    Edit: If I forget that main password, I am fucked royally.

    Peter Ebel on
    Fuck off and die.
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited February 2011
    Tox wrote: »
    Would you say using character substitution with said long phrase does or does not drastically add further security?

    I dunno.

    It doesn't hurt, necessarily.

    There are markov chain based brute force attacks, where once the attacker has exhausted the dictionary (plus common substitutions and suffixes) they'll start generating pseudo-English strings from a markov algorithm. A long English password would be vulnerable to that, where a password generated using rndmhero's technique would not be.

    Now, whether an attacker would go to purely random string generation, or markov chain generation, or give up entirely and move to a different target after exhausting a dictionary list... well, I dunno. Depends on the attacker, I guess.

    Feral on
    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited February 2011
    I keep getting this weird feeling that one of these days a password vault application is going to get 'cracked' not by somebody cracking the 256-bit encrypted password database file, but by reading plain text out of the page file where the operating system wrote the passwords the last time the password vault app was run.

    That said, such an attack would be irrelevant for the vast majority of scenarios that end users care about (like random people trying to steal money from your bank account).

    Unless that laptop was stolen from, ohidunno, some dude who worked for Paypal's transaction processing department. :rotate:

    Feral on
    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • rndmhero Registered User regular
    edited February 2011
    Tox wrote: »
    Would you say using character substitution with said long phrase does or does not drastically add further security?

    The thing about password security is you really have to ask what kind of attack you're likely to encounter. The vast, vast majority of compromises come from idiots getting phished or installing keyloggers, and no amount of complexity is going to help you if you're dumb enough to do that. Conversely, your password might get compromised on the back end of some site, like what happened with Gawker, which is a good reason to have separate passwords for separate accounts. If someone really is trying a brute force attack with significant hardware and some of the more advanced algorithms in place, it doesn't matter if you have a 20 character long string of randomly-generated characters; they're going to crack it. If the NSA wants your hotmail account, they're not going to be defeated by your awesome password. Realistically, though, this isn't something any of us are likely to ever encounter.

    As to your question, it depends what kind of substitutions you're talking about. For something like I posted above (IltP_A4s'05), the _, 4, and ' improve the complexity substantially. Going from "hello" to "h3ll0" probably doesn't matter for any serious attempts, but it might make it harder for some jerk roommate to log onto your account.

    rndmhero on
  • Tox I kill threads they/them Registered User regular
    edited February 2011
    You know, this seems like as good a place as any to ask this.

    I recently started using Ubuntu. Ever since I installed it, I've been going back and forth between feeling like I'm indestructible vs. keyloggers and being absolutely terrified that there's now a bunch of even worse shit I'm potentially being exposed to.

    How much does having a particular OS contribute to security vs. phishing/keylogging/all that kind of crap?

    Tox on
    Discord Lifeboat | Dilige, et quod vis fac
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited February 2011
    Tox wrote: »
    You know, this seems like as good a place as any to ask this.

    I recently started using Ubuntu. Ever since I installed it, I've been going back and forth between feeling like I'm indestructible vs. keyloggers and being absolutely terrified that there's now a bunch of even worse shit I'm potentially being exposed to.

    How much does having a particular OS contribute to security vs. phishing/keylogging/all that kind of crap?

    Ooh, religious war.

    Honestly, one of the best things you can do is stop doing your day-to-day activities while logged in as an administrative/root account. Ubuntu is pretty good about that, so is Mac OS X. Windows... not so much. XP failed at that entirely, Vista and 7 out-of-the-box are a little better, but they still haven't quite gotten it right.

    Beyond that, the biggest vulnerabilities are going to come from cross-platform plugins. Adobe Flash has had some huge vulnerabilities in the last couple of years.

    Feral on
    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • Tox I kill threads they/them Registered User regular
    edited February 2011
    So I'm still completely vulnerable to keyloggers?

    Tox on
    Discord Lifeboat | Dilige, et quod vis fac
  • Feral MEMETICHARIZARD interior crocodile alligator ⇔ ǝɹʇɐǝɥʇ ǝᴉʌoɯ ʇǝloɹʌǝɥɔ ɐ ǝʌᴉɹp ᴉ Registered User regular
    edited February 2011
    Tox wrote: »
    So I'm still completely vulnerable to keyloggers?

    You're certainly less vulnerable.

    How much less... I dunno. It depends on whether somebody out there has written one for your flavor of Linux and taken the time to package it in a form that is easily delivered (via a trojan or a Flash vulnerability) and whether you manage to stumble across it.

    I don't know. I don't have a good answer for you.

    Feral on
    every person who doesn't like an acquired taste always seems to think everyone who likes it is faking it. it should be an official fallacy.

    the "no true scotch man" fallacy.
  • rndmhero Registered User regular
    edited February 2011
    Feral wrote: »
    Tox wrote: »
    You know, this seems like as good a place as any to ask this.

    I recently started using Ubuntu. Ever since I installed it, I've been going back and forth between feeling like I'm indestructible vs. keyloggers and being absolutely terrified that there's now a bunch of even worse shit I'm potentially being exposed to.

    How much does having a particular OS contribute to security vs. phishing/keylogging/all that kind of crap?

    Ooh, religious war.

    Honestly, one of the best things you can do is stop doing your day-to-day activities while logged in as an administrative/root account. Ubuntu is pretty good about that, so is Mac OS X. Windows... not so much. XP failed at that entirely, Vista and 7 out-of-the-box are a little better, but they still haven't quite gotten it right.

    Feral's spot on, as the administrative privileges we allow by default for convenience can allow quite a bit to run without your knowing.

    There was actually a really interesting article out there following one of the Pwn2Own hacker competitions. People were asking what OS/browser combinations were more "secure" against conventional hacking (meaning not the password security stuff we're talking about here), and the general consensus was that it didn't much matter. Most of the attacks commonly used exploit vulnerabilities in stuff like QuickTime or Flash, things that everyone uses regardless of OS or browser. That's why it's really important to constantly install updates even for stuff you don't use regularly, as many of them are security fixes that patch these things as they're discovered.

    rndmhero on
  • DasUberEdward Registered User regular
    edited February 2011
    For the majority of my passwords with important sites I make up unique patterns on the keyboard and numberpad that I can easily remember.

    Thanks Kanji!

    DasUberEdward on
  • Tox I kill threads they/them Registered User regular
    edited February 2011
    Some of the comments made so far in this thread actually reminded me of this Cracked.com article:

    5 things we all do that make hackers' lives incredibly easy

    Tox on
    Discord Lifeboat | Dilige, et quod vis fac
  • edited February 2011
    This content has been removed.

  • Donkey Kong Putting Nintendo out of business with AI nips Registered User regular
    edited February 2011
    Back when I worked IT, we had to migrate from NetWare to AD. I made a JavaScript page for Active Directory password changes. It had live updating complexity requirements with big red Xs and big green checkmarks. I singlehandedly slashed support requests in half with that. And the remaining calls were much easier to handle.

    Donkey Kong on
    Thousands of hot, local singles are waiting to play at bubbulon.com.
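    An added example (editor's code, not Donkey Kong's page) of the rule-checking logic behind that kind of live red-X / green-checkmark form. It encodes two rule sets: the Army one Tox describes (at least ten characters, at least two of each of four classes) and, from my own knowledge of the Windows default "password must meet complexity requirements" setting rather than from the thread, the AD default: at least six characters, at least three character classes, and no 3+ character chunk of the account name or display name. AD actually counts a fifth class (other Unicode letters), which is left out here; the account name and display name in the demo are constructed.

```javascript
'use strict';

// Character classes. A real AD check also counts a fifth class (Unicode letters
// that are neither upper nor lower case), omitted here for simplicity.
const CLASSES = {
  lower: /[a-z]/g,
  upper: /[A-Z]/g,
  digit: /[0-9]/g,
  symbol: /[^A-Za-z0-9]/g,
};

function countClasses(pw) {
  const counts = {};
  for (const name of Object.keys(CLASSES)) {
    counts[name] = (pw.match(CLASSES[name]) || []).length;
  }
  return counts;
}

// Tox's Army rule set: >= 10 characters and at least two characters of each class.
function checkArmyRule(pw) {
  const c = countClasses(pw);
  return [
    { rule: 'at least 10 characters', ok: pw.length >= 10 },
    { rule: 'at least 2 lower-case letters', ok: c.lower >= 2 },
    { rule: 'at least 2 upper-case letters', ok: c.upper >= 2 },
    { rule: 'at least 2 digits', ok: c.digit >= 2 },
    { rule: 'at least 2 non-alphanumeric characters', ok: c.symbol >= 2 },
  ];
}

// Windows default complexity policy (stated from general knowledge, not the thread):
// >= 6 characters, >= 3 classes, and the password must not contain the account name
// or any 3+ character token of the display name (split on space , . - _ #).
function checkAdDefault(pw, accountName, displayName) {
  const c = countClasses(pw);
  const classesUsed = Object.keys(c).filter((k) => c[k] > 0).length;
  const lower = pw.toLowerCase();
  const tokens = displayName.split(/[\s,.\-_#]+/).filter((t) => t.length >= 3);
  if (accountName.length >= 3) tokens.push(accountName);
  const leaksName = tokens.some((t) => lower.includes(t.toLowerCase()));
  return [
    { rule: 'at least 6 characters', ok: pw.length >= 6 },
    { rule: 'characters from at least 3 of 4 classes', ok: classesUsed >= 3 },
    { rule: 'does not contain account name or display name', ok: !leaksName },
  ];
}

// Render the rule list the way a live form would: one line per rule, marked
// [OK] or [X], plus the overall verdict the submit button would key off.
function render(results) {
  return {
    lines: results.map((r) => `${r.ok ? '[OK]' : '[X]'} ${r.rule}`),
    accepted: results.every((r) => r.ok),
  };
}

// Constructed demo account; the passwords are the ones discussed in the thread.
for (const pw of ['Pa$5_w0Rd', "IltP_A4s'05", 'Tayl0r12', 'TaylorJ0nes!']) {
  console.log(pw, 'Army rule:', render(checkArmyRule(pw)));
  console.log(pw, 'AD default:', render(checkAdDefault(pw, 'tjones', 'Taylor Jones')));
}
```

    Worth noticing in the output: "Pa$5_w0Rd" fails Tox's rule only on length, and "Tayl0r12" sails through the AD default, because "Tayl0r" is not literally "Taylor". The complexity policy is a format check, nothing more; it says nothing about whether the password is guessable, which is Feral's point about length versus complexity.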
  • Opty Registered User regular
    edited February 2011
    I use a tokening system. Basically I have multiple 3-letter long "tokens" I use. Then I can remember which site uses which password a lot easier by remembering which tokens I used.

    Example Tokens (not my actual ones): Drt, Kiz, Lqp, Npx, Z@0
    Example password: DrtkizNpxz@0
    Remembered password: DkNz

    This also lets me theoretically write them down since the written down passwords require knowledge of the tokens to understand.

    Opty on
  • edited February 2011
    This content has been removed.

  • Pi-r8 Registered User regular
    edited February 2011
    Tox wrote: »
    Basically what we were taught was that the easiest way to secure a password is to take an easy to remember word (the example used was "password") and use character substitution, alternating between the various required types of characters. "password" becomes, instead, "Pa$5_w0Rd" for instance.
    I love this. Does that mean there's a bunch of generals in the pentagon that use "Pa$5_w0Rd" as their password for everything?

    Pi-r8 on
  • Tox I kill threads they/them Registered User regular
    edited February 2011
    Pi-r8 wrote: »
    Tox wrote: »
    Basically what we were taught was that the easiest way to secure a password is to take an easy to remember word (the example used was "password") and use character substitution, alternating between the various required types of characters. "password" becomes, instead, "Pa$5_w0Rd" for instance.
    I love this. Does that mean there's a bunch of generals in the pentagon that use "Pa$5_w0Rd" as their password for everything?

    Not likely, it's more likely their wife's name, or their kids.

    ...or mistress...or [strike]secret[/strike] gay lover.

    Tox on
    Discord Lifeboat | Dilige, et quod vis fac
  • Echo ski-bap ba-dap Moderator, Administrator admin
    edited February 2011
    I'm pretty bad at maintaining unique passwords for stuff, and that's even worse with me being an IT guy.

    But at least I have a tiered system. Low-security stuff like random website signups and web shops tend to get the same low-security password.

    My email account password, on the other hand. That's triple-max security right there. My email account is essentially my entire internet life. Get access to that and you get access to all password reminder emails for every site I've used ever.

    Echo on
  • MKR Registered User regular
    edited February 2011
    All my passwords are double digit length and contain no dictionary words, but they're easy to remember.

    Your best bet is to come up with your own mental algorithm (something you can do in your head) for modifying something real in a consistent way (example: hamburger:lettuce->haembruger:letus). Also have an algorithm for high-security and low-security sites. And maybe a third for your e-mail.

    MKR on
  • bowen Sup? Registered User regular
    edited February 2011
    I use a 20 character password that is random numbers, letters, and symbols. I also have common variations for websites that have weird policies like "6-8 characters" "can't contain special characters" "cannot have mixed case"

    Not really sure why any of those are an issue anymore. I mean the special characters were removed back in like... 1995 because of SQL injection because everyone didn't know how to handle it and alphanumeric was a good counter.

    bowen on
    not a doctor, not a lawyer, examples I use may not be fully researched so don't take out of context plz, don't @ me
  • MKR Registered User regular
    edited February 2011
  • JHunz Registered User regular
    edited February 2011
    Also on the topic of password security, student network accounts at my high school were accessed with passwords that were randomly assigned 5-digit numbers. One day, me and another kid in the programming class decided to install RainbowCrack (or something similar, although I think that was it) on the computers in the lab just to see if it would work.

    The PIN number I use to this day is derived from Brian Grubagh's password. Hi, Brian!

    JHunz on
    Gamertag: JHunz. R.I.P. Mygamercard.net
  • uean Registered User regular
    edited February 2011
    I want to reply to this, as there is some great stuff, but off to work. At least have to say that on the issue of password length being more important: my Canadian bank does not allow passwords longer than 8 characters.

    Same with the government of Canada.

    .....

    uean on
    Guys? Hay guys?
    PSN - sumowot
  • MKR Registered User regular
    edited February 2011
    uean wrote: »
    I want to reply to this, as there is some great stuff, but off to work. At least have to say that on the issue of password length being more important: my Canadian bank does not allow passwords longer than 8 characters.

    Same with the government of Canada.

    .....

    It's out of consideration for people with bandwidth caps.

    Those extra characters add up!

    MKR on
  • Casually Hardcore Once an Asshole. Trying to be better. Registered User regular
    edited February 2011
    The only good thing about l337speak is its ability to create easy to remember passwords.

    What is your favorite fruit?

    Gr@|>3s

    Casually Hardcore on