Password Strength

I too use a password manager (KeePass if anyone is interested).

I use another technique as well (for instance to get my master password or to mount an encrypted disk volume). I use a really cheap, truly “hardware” password generator.
I carry with me (in my wallet) a small piece of paper that has a substitution table similar to the one you can generate here:
Password Chart
Only my table has, for each letter/digit, a sequence of three randomly generated letters/symbols/numbers. Example (do not use it; generate one yourself if you like - you can use this to generate trigrams from a character set of your choice):

A: 4pH B: $&b C: D6} D: ,<7
E: vfY F: bJj G: \8: H: :,s
I: W!j J: G#a K: T@4 L: f}r
M: AD: N: X4C O: Li( P: zKO
Q: d?B R: G,s S: mS> T: zOK
U: OL> V: bqu W: >|G X: (T\
Y: z=A Z: _\= 0: 5?P 1: c%]
2: bx& 3: ^Ty 4: 0UV 5: -KY
6: UMu 7: <E> 8: OM> 9: Q3F

Now, using that chart, the simple password simplething becomes mS>W!jAD:zKOf}rvfYzOK:,sW!jX4C\8:
Of course you can create such a table for all the characters found on the keyboard, not just letters and digits, but for me this is enough.
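The trigram chart scheme above, as an added example that is not the poster's code: it builds a fresh chart from a CSPRNG, reads a printed chart back in, and expands a memorable password. The chart, the word simplething and the expected result are the ones from the post; the character set for new charts is a constructed choice.

```python
import re
import secrets
import string

# Constructed choices: the post says to use a character set of your choice.
TRIGRAM_ALPHABET = string.ascii_letters + string.digits + string.punctuation
KEYS = string.ascii_uppercase + string.digits  # the row labels of the chart

def generate_chart(keys=KEYS, alphabet=TRIGRAM_ALPHABET, width=3):
    """Build a fresh chart: each key gets `width` characters drawn with a CSPRNG."""
    return {k: "".join(secrets.choice(alphabet) for _ in range(width)) for k in keys}

def format_chart(chart, per_line=4):
    """Render a chart in the post's printed layout ('A: 4pH B: $&b ...')."""
    cells = [f"{k}: {v}" for k, v in chart.items()]
    return "\n".join(" ".join(cells[i:i + per_line]) for i in range(0, len(cells), per_line))

def parse_chart(text):
    """Read a printed chart back into a dict (trigrams never contain spaces)."""
    return dict(re.findall(r"(\S): (\S{3})", text))

def expand(simple, chart):
    """Replace each character of the memorable password with its trigram.
    Letters are looked up case-insensitively because the chart has uppercase keys."""
    try:
        return "".join(chart[ch.upper()] for ch in simple)
    except KeyError as exc:
        raise ValueError(f"chart has no entry for {exc.args[0]!r}") from None

# The chart printed in the post above (its author says not to use it).
POST_CHART = parse_chart(r"""
A: 4pH B: $&b C: D6} D: ,<7
E: vfY F: bJj G: \8: H: :,s
I: W!j J: G#a K: T@4 L: f}r
M: AD: N: X4C O: Li( P: zKO
Q: d?B R: G,s S: mS> T: zOK
U: OL> V: bqu W: >|G X: (T\
Y: z=A Z: _\= 0: 5?P 1: c%]
2: bx& 3: ^Ty 4: 0UV 5: -KY
6: UMu 7: <E> 8: OM> 9: Q3F
""")

if __name__ == "__main__":
    print(expand("simplething", POST_CHART))  # the password shown in the post
    print(format_chart(generate_chart()))     # a fresh chart to print and carry
```

The expanded password is only as strong as the chart stays secret, since the paper plus the memorable word reproduces it; treat the chart with the same care as the master password it protects.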

GPass here, but the disadvantage of it (unless they’ve changed this) is that it’s stuck on my machine. I can’t keep an encrypted copy on a USB stick or anything.

Which means I have a piece of paper somewhere for when catastrophe hits this machine. Meaning I need to find another Linux password manager :frowning:

I really think some pressure needs to come down on banks and similar groups about the “security questions”. They really bother me. Apparently that’s how Sarah Palin’s AOL (gosh, didn’t know that still existed!) email was broken into. They asked for her high school. Public record (and nowadays everyone blabs it on their spacebook). Stupid question.

Given any decent system should lock out the account after 3 guesses, yeah.

I’m against lockout after three. I like what SitePoint does: after 5 tries you have to wait 15 minutes. You can do any kind of mix of wait-times and add a lockout at the end if you need to.

I’ve also been a fan of the idea that the input type="password" should only show stars if the user chooses that. Especially when people are filling in new passwords. It is in fact extremely possible to mistype a new password twice: I’ve done it several times actually. I’ve had to resort to opening a text file, typing what I want (so, in plain view of anyone looking over my shoulder anyway) and then pasting twice. Since that defeats the purpose, it should be something users can turn off.

Also just as secure, and I memorise it. Easy to memorise one set of characters.

I like the idea of it, but it should be something browsers build in as part of the password control.

There was an article here on SitePoint last year about implementing that with JS:

Better Passwords #2: “Show Password” » SitePoint

I also started my own thread on improving it at about the same time:

But yeah, it would be great if it was something browsers implemented all on their own – it should be something even the site coder shouldn’t have to think about, as that really should be user agent behaviour.

and they expire monthly

One of our systems at work changes every 3 months and you cannot use the same password twice.
Do not tell our IT department this, but I got so pissed off with it after a while that my password started off at qqqqqqqq and I am slowly working along my keyboard :shifty:

It is irritating that all passwords are different, in that some need a minimum of 8 characters and others do not. Some insist on having numbers and punctuation but others will not allow numbers and punctuation, etc.

I worked at a bank. To log into our Windows NT computers, we used passwords that:

  1. minimum of 10 characters
  2. at least one capital letter
  3. at least one lowercase letter
  4. at least one number
  5. at least one punctuation mark
  6. changed every month
  7. may not be the same or even similar to passwords used within the last 12 months

Nice.

Even nicer, when we implemented our online banking and brokerage service, which used a full-blown PKI solution for signing transactions, we had a ‘key ceremony’ (it’s the official term :slight_smile: ) during which we generated the CA certificate for the bank (which is sort of the root certificate, the core of the entire security setup, one of those things stored on a tamper-proof hardware module which destroys itself violently if it’s moved or tilted more than 5 degrees or so).

During this ceremony I had to make up passwords and PIN codes for about 20 different systems, subsystems, keypads etc. I wrote them all down (as dictated in the key ceremony’s plan), popped them into an envelope which was then stored in the bank’s vault. These passwords were all very difficult and impossible to remember, as we’d never need them anyway (according to the vendor of the PKI stuff).

Of course, within a month it turned out we’d need those passwords almost every day to restart the system and whatnot, so we ended up carrying a piece of paper around with all the passwords on it :o

How’s that for ultra-secure! :expressionless:

A system I set up has a 30 second lock each time an incorrect password is entered - the system rejects any attempt to log in during the 30 seconds after an invalid attempt. Since it unlocks again automatically when no invalid passwords have been entered in the last 30 seconds, it effectively locks any automated attempt to break in after the first attempt and stays locked until they stop trying, while not providing any lockout on the account for the account owner, provided that they wait a short while after having mistyped their password before they try again. Even if someone realised the delay was there and set up an automated process to wait that long between tries, they can now only try one password every 30 seconds and not thousands every second, so you will easily detect that someone is trying to break into your account due to the fact that your correct password doesn’t work even though it did a thousand years earlier, the last time you used the account, and definitely hasn’t been changed since.

As for those password managers where you need to remember the master password - the main benefit of those is that most of the passwords you store in them will be used on the web, so you want complicated, hard to remember passwords for security there. The password manager itself sits on your computer, so the master password never gets sent anywhere - to steal your master password someone would need to break into your computer and not just visit a web site where you have an account.

so we ended up carrying a piece of paper around with all the passwords on it

I think complicated passwords are actually making it happen more and more.

someone is trying to break into your account

The only problem is you cannot log into your own system as somebody is effectively blocking you out :lol:

Why is carrying a piece of paper around with your password on it considered so bad? I’m sure there was some security expert recently who was encouraging it, because it’s a lot better than the alternative (a weak password so you can remember it), and your wallet is a pretty secure place!

Yeah, it effectively allows a denial of service attack to happen!

I remember my college years; lecturers used to recommend that we remember our passwords, but unless you have the same password for everything you’re unlikely to remember it. Without giving too much away, I don’t really change my password. I find that the main cause of password stealing is down to us not having the proper security on our machines; otherwise, unless my mother or younger brother was interested, nobody would really come to my desk and scour it for passwords.

Can’t stand banks’ security. In fact I want to be part of online banking, but being given an 11+ digit subscriber number, along with a changing secret PIN derived from some calculator-like gizmo which requires my actual PIN to work, followed naturally by some silly questions, just puts me off the whole idea. My solution is to get in the car and drive to the bank, where half of the time they don’t even ask for ID, knowing me or otherwise. :stuck_out_tongue: It just illustrates how fearful banks are. I don’t know why they can’t just operate like PayPal.

But only at the account level, so the person gets their account moved to a different username and they are back in business, while the attacker wastes time continuing to attack a permanently locked account.

Perhaps, but anything that inconveniences the user that much has something wrong with it. Why should I have to change my username on a system just because someone is trying to hack it? Even something as simple as only allowing login attempts once every 5 seconds can work well - the user is unlikely to ever notice, but it stops loads of login attempts on the same account, making brute forcing ineffective/impractical.

Following the link earlier in this thread, my password’s search space would take 14.1 billion trillion years at a thousand guesses a second - already impractical, but imagine only being able to try at 1/5000th of that speed as well?
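The three per-account throttling schemes discussed in this thread (the 30 second lock after any failure, SitePoint's wait-15-minutes-after-5-tries, and the one-attempt-per-5-seconds limit), simulated over a fake clock as an added example that is not any poster's code. The attacker's guess spacing and the owner's login time are constructed, and the account name "alice" is a placeholder.

```python
from dataclasses import dataclass

@dataclass
class AccountState:
    failures: int = 0          # consecutive failed guesses (count policy)
    locked_until: float = 0.0  # simulated time until which attempts are refused
    last_attempt: float = -1e9 # time of the last attempt that was actually checked

class LoginThrottle:
    """Per-account throttle over a simulated clock (seconds), with three policies:
    'window' = refuse everything for 30 s after any failure (the 30 s scheme above);
    'count'  = after 5 failures wait 15 min (the SitePoint scheme above);
    'gap'    = at most one checked attempt per 5 s per account."""

    def __init__(self, policy, window=30.0, max_failures=5, wait=15 * 60, gap=5.0):
        self.policy, self.window, self.max_failures = policy, window, max_failures
        self.wait, self.gap, self.accounts = wait, gap, {}

    def attempt(self, user, password_ok, now):
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            if self.policy == "window":   # stays locked while they keep trying
                st.locked_until = now + self.window
            return "locked"
        if self.policy == "gap" and now - st.last_attempt < self.gap:
            return "too_fast"
        st.last_attempt = now
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if self.policy == "window":
            st.locked_until = now + self.window
        elif self.policy == "count" and st.failures >= self.max_failures:
            st.locked_until, st.failures = now + self.wait, 0
        return "bad_password"

def simulate(policy):
    """Constructed timeline: an attacker guesses every 31 s (just outside the 30 s
    window) and the real owner logs in with the correct password at t=45."""
    throttle = LoginThrottle(policy)
    events = sorted([(t, False) for t in range(0, 100, 31)] + [(45, True)])
    return {t: throttle.attempt("alice", ok, t) for t, ok in events}

if __name__ == "__main__":
    for policy in ("window", "count", "gap"):
        print(policy, simulate(policy))
```

Under the 30 second scheme the owner's correct login at t=45 is refused, which is the denial of service objection raised above; the other two policies let it through on this timeline.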

I had three sites hacked, one via FTP, two I don’t know. All had so-called strong passwords, known only to me. I only access them from one, malware-free Linux machine, to which nobody else has access, so I’m pretty confident the problem was not at this end. Anyway, I cleaned up the sites, changed the passwords, etc. Unfortunately, I forgot to update the stored password for one site, so next time I logged in, it used the old password and (obviously) failed. I realised my mistake at once, entered the correct password and was met by a message that my account had been temporarily locked because of multiple unsuccessful log-in attempts and I should try again “in a short while”. I couldn’t decide whether to laugh or cry.

On a related point, we’ve all been told not to use the same password for every site, so am I alone in being dubious about Windows Live ID, which uses the same log-in for everything from Hotmail to Bing Webmaster Tools? Seems like a security nightmare to me.

Except Bing and Hotmail do not see your password. Only login.live.com gets your password. These services, like Windows Live ID, Google ID, OpenID, etc., are in fact more secure than having a username and password for every single site. First, the sites in question never get your password, only a token. And the sites that do take your password are secured at every level.

In other words, you should not be dubious about it.

Troy Hunt has written a nice blog article on the subject:
I’m sorry, but were you actually trying to remember your comical passwords?

I think password length should be a minimum of 10 characters or digits (text).

When I am faced with a situation where I choose to ‘write down’ a password (and I try to avoid doing so) I always purposely mangle the password.

For example: if my password is “G698DDf” I will write down “G698DfD”.
Only I know the transposition and that is much easier to remember than the entire password!

Indeed. Even without that though, I’d say it’s still more secure to use a strong password and keep it in your wallet than use a weak password and memorise it.

A password manager is still the best solution of all, I reckon.