password management

Hey all. I've been pretty lax about password management. I recently got a new desktop and there's still a bunch of websites I only visit on my laptop because I can't recall the passwords to some of the websites. I was even locked out of one of my financial websites from wrong guesses (gotta iron that out today). I've just started a search for a new mode of using passwords. What do folks here do? I like the look of LastPass and only needing to remember one password. I could make it ridiculously complicated if it were only one. Looking forward to hearing opinions from some experts and random forum n00bs like me.

I hung out on cypherpunks with the world's best for 6 months, and I have my own program that offers $15k for a successful crack, even allowing unlimited chosen plaintext attacks. I mention that only for background credibility.

What the world's best would tell you if they trusted you is that crypto programs currently in use by major websites are old and vulnerable, and despite the bogus claims of "128 bit" or higher security, they are easily cracked at the password level. Strong encryption is possible in limited cases, but requires a "passphrase" not a "password". Many more characters are needed.

Managing passwords, let alone the much lengthier passphrases, is a fatally flawed task. You either write them down (bad) or you put them into a file where *all* of the passwords are now secured by a single password to that file. Does anyone see the obvious problem here?

Edit: Then it gets worse - many sites, and even my employer, *require* mixed case passwords. I give you bonus points here if you see what the big security weakness is in requiring mixed case (i.e. limiting a person's selection from a full character set such as a to z, A to Z, and 0 to 9, thus making the passwords non-random). It's what killed the Germans' Enigma security in WW2, and the idiots making these requirements today haven't learned a thing.
 
So should I hide my money under my mattress and not go online, then? Should I learn to be a mechanic and work on my own car? I'll only grow and cook my own food and learn everything I can about medicine and be my own doctor as well.

It's always good to be informed, but it's also true that most people's paranoia drives them to prefer ignorance of many real-world dangers. I live in a city with a metro population of 500 thousand or so, where people routinely walk across streets right in front of cars, against traffic lights at intersections where cars are waiting to go with their green light, and they do so with young children in tow, and worst of all they don't even look around. So, they feel comfortable I guess, but I'd prefer to know, and to look...
 
How one assesses risk potential is highly driven by context; and an individual's personal risk-averseness is also dependent upon their personality and preferences.
Thus you might well be personally very risk-averse, but it's as well to remember that that doesn't necessarily translate into absolutes ...

So, "writing passwords down is bad" may be very accurate in a corporate context (for instance in an open-plan office where there is easy access from non-employees, and especially if the written-down passwords are on a post-it note stuck to a vdu) ... in an individual's secure dwelling, where the password is disguised and not near the computer, clearly not so accurate.

It is worth having a sense of proportion about these things. The likely target of "hackers" is not an individual home PC but a larger organisation (viz. the recent case of a gang arrested for attempting to compromise a high-street bank in the UK); but picking up a keylogger when surfing for porn or pirate torrents is a much greater risk for the home user, in which case it won't matter a bit whether you have your passwords as 128-character random streams, or have them tattooed on your buttocks in mirror-writing ...

The problem in your assessments is that you would likely accept a user's description of their needs without doing a professional and responsible assessment of same.

Let's look at a common scenario: I'm talking to some senior staff at the corp. over the lunch table - strictly informal. We're talking about the "government spying" etc. and a most senior and intelligent staffer says "I don't care if the govt. reads my mail etc.", and I respond "Which govt. is that, Bob? The faceless nameless far away in Washington, or the govt. employee who lives in your neighborhood and knows everyone, and belongs to all of the very influential clubs you belong to?"

And I haven't even scratched the surface of how mindless and stupid the forced mixed-case password requirement is. Nobody cares - even those who are trusted to care about these things.

Yeah, it puts people in a tough position of trying to minimize the risk. What are your preferred best practices for password management?

I'd suggest people put their passwords into a plaintext file and encrypt it with a trusted private key program that doesn't have a back door. I make such a thing that's free and has no links to anything, and comes with full easy-to-read and fully commented source code.

I don't say all of that because I expect the average user to read or validate that code. I say it only so people know that such a thing exists, so they can demand the same from their preferred supplier.

The next thing besides using that text file and encrypting it is a few security measures. Don't encrypt or decrypt that file, or use passwords at all if someone is looking. That may include people with long zoom cameras who aren't obvious. Make certain you don't have any keyloggers or trojans on your computer. And never decrypt or encrypt your password file where it resides permanently - copy it somewhere and do your stuff, then if you have a modified and encrypted file you need to save, copy it from the temp location to the permanent folder location and erase the temp copy. If you're really paranoid you could use a good erase utility for that file.

Thanks for that. I've been using KeePass and have no complaints so far, seems to work well. It wouldn't be a big workflow change to use a plain text file (a bit less convenient) combined with TrueCrypt (my drive encryption software of choice).

Thanks - I don't think any of us will ever know all of the weak points in our day-to-day security, but it's good to just give each thing we do some thought, and question any advice that says "This is good enough, don't worry."