Password Managers
slofox
8th September 2012, 12:31
It has got to the stage that I have forty gazillion bits of paper stuck round the monitor with little mnemonics all over them to help me remember all the different passwords I have to use these days to access all those different websites.
It was mentioned to me recently that this person had downloaded some kind of password management program. I thought such a thing might be useful. But I have questions.
1. Are they secure enough to be trusted over one's own (albeit failing) memory?
2. If the answer to 1, above, is "yes", then which such program is a good one to use?
Ta.
FJRider
8th September 2012, 12:39
The program I use is the pocket notebook purchased from the red shed. Cheap and doesn't crash. (until you lose the bloody thing)
Scuba_Steve
8th September 2012, 12:46
security, simple answer I'll say yes
I used to use KeePass (http://keepass.info/), and to keep it secure you can choose a password, keyfile (which can be kept on USB stick or the likes) or combination of both
Subike
8th September 2012, 12:48
I have an old school telephone index note book which I keep passwords and other relevant data in. Do you remember the things? They had a
slide on the front with the letters , you slid the indicator to the letter, pushed the button, it would pop up and there's the info. When I'm not
around it just sits there looking like an old bit of 80's technology. Very handy as the pages can be replaced too.
george formby
8th September 2012, 12:51
I use the same password for all my low risk sites, even email. Anything that does not have financial or personal info. I have another for the Bank, credit card etc.
Admittedly it's getting harder, sites require bigger passwords & if somebody does access your email or facepoop you still have to come up with another password. I'm still at the bit of paper stage.
Browse Downloads.com & check the user ratings & reviews for password managers.
Akzle
8th September 2012, 14:43
i'm some kind of genius. i use random alpha-numerical passwords and remember them all. things like h94gfn or ffi5x172.
as far as "programs" for it... i would suggest a browser upgrade to opera or google or firefox. (google is the new umbrella corp :yeah:). all of which have built in "password managers"
opera tops my list, of those choices, cos it incorporates email and other useful things.
(newsreaders, script debugger, aquarium app, address book...)
Usarka
8th September 2012, 15:25
I'll manage you passwords for you. PM me your login and password details (especially internet banking).
Chur.
bogan
8th September 2012, 15:39
I use the same password for all my low risk sites, even email. Anything that does not have financial or personal info. I have another for the Bank, credit card etc.
Admittedly it's getting harder, sites require bigger passwords & if somebody does access your email or facepoop you still have to come up with another password. I'm still at the bit of paper stage.
Browse Downloads.com & check the user ratings & reviews for password managers.
I have my browser (Opera) remember the non-important ones, often don't bother changing them from the one they give me to begin with. And like you, the same password for the medium importance ones (also remembered by Opera in most cases, and then different ones for bank accounts etc.
But yeh, those fuckers which require 8 character with one capital, one numeric and one letter piss me off. Either write it in a password file, or get the browser to remember them. Now I'm no cryptographist, but surely a 6 digit alphanumeric stored only in one's head, is less likely to be broken than an uberhard to crack one, which is written down everywhere :facepalm:
mashman
8th September 2012, 15:41
I'm still at the bit of paper stage.
Still by far the best option, imho, as you don't have to remember the password to your password store... just need a safe spot in the hoose, and need to remember not to keep the paper in your trousers in case the missus does a surprise clothes wash.
Akzle
8th September 2012, 16:11
Now I'm no cryptographist, but surely a 6 digit alphanumeric stored only in ones head, is less likely to be broken than an uberhard to crack one,
not really.
nowadays people "hack" people.
having "wifesname21" or "dogsname,phonenumber" is incredibly common. so you chuck all the info you know about someone into a brute force program (or get it to scan their facebook) then let it loose at their password file.
the phrase "purple monkey dishwasher 1" is a more secure password than 27Qwx1P, simply for its length, and the presence of spaces. and it's easy to remember, fucking horse shit, aunt tommys handbag etc etc.
things with fixed length passwords (ICQ, WEP encryption etc) narrow down the odds, but basically you exponentially add ^36 for every other letter/number in your password.
any passwords stored on your PC are quite vulnerable to "hacking" any stored server-side are less so, because they're stored encrypted. (you can encrypt your HDD etc, but really. you're not that fucking important, and the FBI already know all your shit.)
Gremlin
8th September 2012, 16:18
Browsers like Firefox have built in management, but, anyone with access to your PC can show the passwords.
I tend to keep a password excel file for about 50 sites. I used to remember the lot, but I used a combination of usernames and passwords and it became a bit hard :pinch:
bogan
8th September 2012, 16:21
not really.
[snip]
any passwords stored on your PC are quite vulnerable to "hacking" any stored server-side are less so, because they're stored encrypted. (you can encrypt your HDD etc, but really. you're not that fucking important, and the FBI already know all your shit.)
Reading comprehension not your strong suit then?
as you said people hack people, a 6 digit alphanumeric isn't going to get hacked, sure a 12 digit one is exponentially harder, but it's irrelevant as nobody is going to brute force that shit so they can change my facebook sexual orientation or like Nickelback for me.
onearmedbandit
8th September 2012, 21:04
or like Nickelback for me.
Ahh that old chestnut, 'oh no of course I don't like them, whatever, someone must've hacked my FB account'.
pete376403
8th September 2012, 21:39
I use password safe - just one password to remember to open the safe.
About Password Safe
Password Safe and the Twofish encryption algorithm it uses were originally developed and released to the public by Bruce Schneier and Counterpane Labs.
Password Safe is now an open source project hosted at sourceforge.net. The latest program updates, documentation, and news can be located at http://pwsafe.org.
Password Safe is freely available and distributable under the restrictions set forth in the standard Open Source Initiative (OSI) "Artistic License 2.0." A copy of this license is included with the Password Safe installation package in the file named LICENSE.
Twofish is a fast, free alternative to the AES, DES and IDEA encryption algorithms. Details on the Twofish algorithm, including speed comparisons and an extensive list of products that use Twofish, are available at http://www.schneier.com/twofish.html.
Winston001
8th September 2012, 22:56
Firefox has a built-in password manager but I also use Securelogin and used to have XMarks but it became a pain.
Essentially I use one password for internet forums cos I really don't care if somebody steals that. A more complex one for email and same for internet banking.
Mental Trousers
8th September 2012, 23:29
Use a method for generating your passwords and save the means to generate it to a place you can get to from anywhere and you'll never go wrong.
NOTE these are examples of methods that I just pulled out of the air in 2 minutes, come up with your own variations/methods
Method 1.
Take one photo
[photo: http://online-celebrity.com/webvideo_bestanden/nicky-whelan02.jpg]
Save it as the username you will use, eg psycho-panties.jpg.
Save it to a web site you can access from anywhere, eg your photo albums on KB
Pass it through a cryptographic hash function of some sort (sha1sum, sha256sum, sha512sum, sha224sum, sha384sum ....)
Use the first 5 digits of the hash, a symbol, the initials of the chick in the photo and the year she was born
8edbe=NW1981
Method 2.
Pick a pornstar
[photo: http://greenobles.com/data_images/tera-patrick/tera-patrick-02.jpg]
Edit the photo and embed the username on her right boob so that you can only read it if you zoom right in
Save the image to a place you can access it from anywhere, eg your photo albums on KB
Use her details as a password (according to Wikipedia Tera Patrick was born Linda Ann Hopkins)
LAH_36-24-38
Akzle
8th September 2012, 23:33
Reading comprehension not your strong suit then?
i believe the quantifier LESS was used in the original point i responded to.
if one is going to brute force your pwd, it doesn't matter how random or if/where it's written/remembered, as it's simply an algorithm that matches little bits of 01101 type shit.
Brian d marge
9th September 2012, 00:00
I use the password "b", seems to work for everything... so far
Stephen
jonbuoy
9th September 2012, 00:07
KeePass is excellent, you can get a USB keyring fob/credit card to save it on and run it directly from there - only need one master password to open it plus your unlock code if you're running it from your iPhone/iPad. Will automatically generate passwords as strong as you want - just copy and paste them if you've chosen super long passwords. Don't ever use any "real" words - makes it easier for dictionary attacks - ie change dog to d09.
Gremlin
9th September 2012, 01:08
Don't ever use any "real" words - makes it easier for dictionary attacks - ie change dog to d09.
Misconception... number substitution is now often included in hacks...
jonbuoy
9th September 2012, 08:45
Misconception... number substitution is now often included in hacks...
So you think it would take the same time to hack a substituted combination of numbers of letters or a plain english/foreign language word?
Akzle
9th September 2012, 12:29
So you think it would take the same time to hack a substituted combination of numbers of letters or a plain english/foreign language word?
yes.
. .
bogan
9th September 2012, 13:11
i believe the quantifier LESS was used in the original point i responded to.
if one is going to brute force your pwd, it doesn't matter how random or if/where it's written/remembered, as it's simply an algorithm that matches little bits of 01101 type shit.
Funny thing is, when you cut off the end of the sentence, it makes it difficult to comprehend what you are reading. Probably why you disagreed with my point, then proceeded to make the same point.
Only problem is, a brute force attempt processing 500,000 passwords per second might raise some alarms on the server, especially since at that rate you'll be going for up to 32 hours (with a known 6 digit password). Much higher chances of somebody finding that uberhard to crack one that you have to write down imo. Brute force isn't as practical in the real world, as it is infallible in textbook land.
Probably the main downside with using the same simple password, is if one thing you use it for gets hacked (yes they use better encryption, but a much more attractive target) people can use your details and the known password to get into your other websites etc.
jonbuoy
9th September 2012, 13:17
yes.
. .
Well you're wrong, try it. Marian will take less time than M@r1@n
FJRider
9th September 2012, 13:31
So you think it would take the same time to hack a substituted combination of numbers of letters or a plain english/foreign language word?
If in an attempt to hack a password ... machine vs machine. Logical sequence has no place.
In a 6 figure password ... the changing of one digit can change a word. Even the simple changing a B to a 3 (or similar) can make it appear more difficult to hack in a human mind. But to a machine ... just a different combination to check.
The key to hacking ... is time/chances available to try the possible combinations.
bogan
9th September 2012, 13:36
If in an attempt to hack a password ... machine vs machine. Logical sequence has no place.
In a 6 figure password ... the changing of one digit can change a word. Even the simple changing a B to a 3 (or similar) can make it appear more difficult to hack in a human mind. But to a machine ... just a different combination to check.
Unless the password hacking algorithm is designed to run the more common combinations (words) first; which seems an extremely simple time-saving measure I'd be surprised if any decent hacker didn't make sure that was the case. In fact it wouldn't surprise me if words were run with numerical letter replacements straight after the correct spelling.
FJRider
9th September 2012, 13:45
Unless the password hacking algorithm is designed to run the more common combinations (words) first; which seems an extremely simple time-saving measure I'd be surprised if any decent hacker didn't make sure that was the case. In fact it wouldn't surprise me if words were run with numerical letter replacements straight after the correct spelling.
The effort made by hackers is in direct proportion to their expected gain from any resulting success.
The key is regular change to passwords as a matter of course. Depending how much you have to lose ... or how much you value your privacy ...
bogan
9th September 2012, 13:49
The key is regular change to passwords as a matter of course. Depending how much you have to lose ... or how much you value your privacy ...
I don't buy into that, I figure if somebody cracks your password you'll know about it, and if they haven't, getting a new one doesn't make it any more difficult.
jonbuoy
9th September 2012, 13:59
I don't buy into that, I figure if somebody cracks your password you'll know about it, and if they haven't, getting a new one doesn't make it any more difficult.
Depends, if they've intercepted something and are trying to break an encryption that takes say 4 weeks to crack and you change your encryption every 3 weeks it makes things a lot harder. Extreme example.
FJRider
9th September 2012, 14:03
I don't buy into that, I figure if somebody cracks your password you'll know about it, and if they haven't, getting a new one doesn't make it any more difficult.
They wouldn't expect a common bogan to have much of value. And depending on the length of time spent looking/checking combinations ... if they thought you might have ... keeping the same password just makes it a matter of time before they get it. You may have changed it to one they have already checked.
Money gain may be less important than information gained to a hacker. One piece of information you have, may be the key to another greater prize. You won't even know it's been taken.
jonbuoy
9th September 2012, 14:05
Plenty of online password checkers, try examples yourselves.
bogan
9th September 2012, 14:07
They wouldn't expect a common bogan to have much of value.
And that, is why stealth is better than security!
... and poverty trumps both :facepalm:
Akzle
9th September 2012, 18:42
Well your wrong, try it. Marian will take less time than M@r1@n
no.
assuming the pwd allows the @...
a hex cracker will go something like:
abscdefhijklM
Mabcde....z12345...@
M@abcdef...r
etc.
Only problem is, a brute force attempt processing 500,000 passwords per second might raise some alarms on the server, especially since at that rate you'll be going for up to 32 hours (with a known 6 digit password). Much higher chances of somebody finding that uberhard to crack one that you have to write down imo. Brute force isn't as practical in the real world, as it is infallible in textbook land...
that's why they don't hack like that. (most servers won't allow more than 3/minute then lock you out for X amount of time)
you lift their pwd files and run them through teh h4cKzor5 program.
but we agree. brute force is almost null now. especially with the rollout of 128 bit. that shit is nasty.
Unless the password hacking algorithm is designed to run the more common combinations (words) first; which seems an extremely simple time-saving measure I'd be surprised if any decent hacker didn't make sure that was the case. In fact it wouldn't surprise me if words were run with numerical letter replacements straight after the correct spelling.
yuhuh.
Depends, if they've intercepted something and are trying to break an encryption that takes say 4 weeks to crack and you change your encryption every 3 weeks it makes things a lot harder. Extreme example.
perfect example. everyone should.
jonbuoy
9th September 2012, 19:24
no.
assuming the pwd allows the @...
a hex cracker will go something like:
abscdefhijklM
Mabcde....z12345...@
M@abcdef...r
etc.
that's why they don't hack like that. (most servers won't allow more than 3/minute then lock you out for X amount of time)
you lift their pwd files and run them through teh h4cKzor5 program.
but we agree. brute force is almost null now. especially with the rollout of 128 bit. that shit is nasty.
yuhuh.
perfect example. everyone should.
Really? Might want to check that, put Marina and M@r1n@ into http://howsecureismypassword.net/
bogan
9th September 2012, 19:41
no.
assuming the pwd allows the @...
a hex cracker will go something like:
abscdefhijklM
Mabcde....z12345...@
M@abcdef...r
etc.
even a hex cracker will try a before @, and i before 1; as you have listed, not sure why your third line gets to M@... before Ma...
Really? Might want to check that, put Marina and M@r1n@ into http://howsecureismypassword.net/
That site is scaremongering just a little bit, 4 billion goes per second is a little unlikely!
jonbuoy
9th September 2012, 20:24
even a hex cracker will try a before @, and i before 1; as you have listed, not sure why your third line gets to M@... before Ma...
That site is scaremongering just a little bit, 4 billion goes per second is a little unlikely!
Maybe but it gives you an idea of how to turn seconds of working into years by just substituting a few characters without making it that much harder to remember.
Akzle
9th September 2012, 20:33
even a hex cracker will try a before @, and i before 1; as you have listed, not sure why your third line gets to M@... before Ma...
because it checked for Ma, which was incorrect.. so it kept going till it found M@...
that is one very basic example. as some won't tell you letter by letter, and you need to put in a whole password, then encrypt it and check the hashes against what the poached file gives up...
doesn't really matter, because if you have a hack tool, you may decide to re-script it, if you happen to know that your hackee is likely to use substitution...
jonbuoy
9th September 2012, 20:34
To take Akzle's recommendation in a previous post of just 8 characters lower case and numbers would take 66 days at 500,000 attempts per second, fine for Joe Public's email, but just adding upper case characters extends that to 15 years, adding some commas or full stops - 58 years.
Marian would take 11 hours, M@r1@n would take 4 days.
http://lastbit.com/pswcalc.asp
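The arithmetic behind the figures traded in the last few posts (the "^36 per character" remark, the 500,000 guesses per second and 32-hour estimate, the 4 billion per second of the online checker, and the Marian versus M@r1@n comparison), written out as an added Python example. This is not code from any poster or from the calculator sites linked above. It compares an exhaustive search of a password's alphabet with the much smaller candidate set a word list plus letter-for-symbol substitutions produces; the alphabet sizes (33 printable symbols), the substitution table, the 100,000-word list and the two guess rates used as labels are assumptions chosen for illustration.

```python
"""Search-space arithmetic for the brute-force figures quoted in this thread.

Added illustration, not from any poster or from the online calculators linked
above. Alphabet sizes, the substitution table and the word-list size are
assumptions picked for the example; the guess rates are the two figures that
appear in the thread.
"""
import string
from typing import Optional

# Conventional alphabet classes. A guesser that knows the site's password
# policy would pick its own keyspace; these sizes are an assumption.
CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation + " "),   # 33 characters
}

# Letter-for-symbol swaps a rule-based guesser would try (assumed table).
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}

WORDLIST_SIZE = 100_000          # assumed size of an English word list
RATES = {"online, 500,000/s": 500_000, "offline, 4 billion/s": 4_000_000_000}


def charset_size(password: str) -> int:
    """Size of the smallest conventional alphabet that covers the password."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))


def keyspace(password: str) -> int:
    """Candidates an exhaustive search of that alphabet at that length covers.
    Each extra character multiplies the count by the alphabet size, which is
    the exponential effect mentioned upthread."""
    return charset_size(password) ** len(password)


def leet_variants(word: str) -> int:
    """How many spellings the substitution table can produce from one word.
    Every letter with substitutes multiplies the count by (1 + #substitutes)."""
    n = 1
    for c in word.lower():
        n *= 1 + len(LEET.get(c, ""))
    return n


def dictionary_candidates(word: str) -> int:
    """Candidates a word-list guesser needs to reach any substituted and
    optionally capitalised spelling: list size x substitutions x 2 cases."""
    return WORDLIST_SIZE * leet_variants(word) * 2


def seconds_to_exhaust(candidates: int, rate: int) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return candidates / rate


def human(seconds: float) -> str:
    """Round a duration to the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


def report(password: str, base_word: Optional[str] = None) -> dict:
    """Exhaustive-search and word-list estimates for one password. base_word
    is the dictionary word the password was derived from, if any."""
    out = {"charset": charset_size(password), "keyspace": keyspace(password)}
    for label, rate in RATES.items():
        out[f"brute force, {label}"] = human(
            seconds_to_exhaust(out["keyspace"], rate))
        if base_word is not None:
            cands = dictionary_candidates(base_word)
            out[f"word list, {label}"] = human(seconds_to_exhaust(cands, rate))
    return out


if __name__ == "__main__":
    # The thread's own specimens: Marian, its substituted form, and the
    # long passphrase suggested earlier.
    for pw, base in (("Marian", "marian"), ("M@r1@n", "marian"),
                     ("purple monkey dishwasher 1", None)):
        print(pw)
        for key, value in report(pw, base).items():
            print(f"  {key}: {value}")
```

Run as is, it shows the two views side by side: exhaustively, "M@r1@n" (alphabet of 95) takes about 17 days at 500,000 guesses per second against 11 hours for "Marian", but a word list with substitution rules reaches either spelling in about 11 seconds at that rate, because it only has to cover 100,000 words times 27 spellings times 2 cases. The passphrase is out of reach on both views, which is the length argument made earlier in the thread.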
Akzle
9th September 2012, 20:49
http://lastbit.com/pswcalc.asp: "IMPORTANT NOTE: Password Calculator estimates recovery time for Brute-force attack only. Brute-force attack is the worst case, sometimes other more effective recovery methods are available. For example any password-protected Word or Excel document could be recovered using our unique Guaranteed Recovery or Express Recovery within a reasonable time frame"
. .
bogan
9th September 2012, 21:01
Maybe but it gives you an idea of how to turn seconds of working into years by just substituting a few characters without making it that much harder to remember.
Yeh, guess if it is easy to remember then no reason not to. But I'm not seeing any motivation to change mine, more difficult is well and good, but as long as it is difficult enough...
I don't encrypt files locally, all my passwords are for websites (which I think is pretty common), rate of trying passwords for site is so slow I would think instead of seconds turned to years, it would be years turned to millennia! Actually maybe that's why they recommend the change every 3 months, so any fucker that's started hacking has to start all over again :laugh:
because it checked for Ma, which was incorrect.. so it kept going 'till it found M@...
that is one very basic example. as some won't tell you letter by letter, and you need to put in a whole password, then encrypt it and check the hashes against what the poached file gives up...
doesn't really matter, because if you have a hack tool, you may decide to re-script it, if you happen to know that your hackee is likely to use substitution...
True, but I only thought by character matching worked in the movies. I guess if they start off looking through the full set it will be more or less just as hard, but if they start off with the basic char set, or a dictionary set, its a much different story. I've tried getting into a few rar/zips, downloaded without realising they were passworded, only cracked one, and it was a dictionary attempt starting with a!
jonbuoy
9th September 2012, 21:36
Yeah there are some smart people out there, if they can get past government/heavy corporate security I don't think our email accounts are safe no matter how long our passwords are. Only reason "we" haven't been "hacked" is because a pro hasn't tried. Just as the only reason your house hasn't been broken into is because a pro hasn't tried.
Leaving your password as your wife's/dog's/cat's name in plain case text is a bit like leaving a ground floor window open in your house, a burglar can always get in but they are inherently lazy and will always look for an easy target unless you have something they really want.
sinned
9th September 2012, 22:09
Google "password manager review" or similar and spend 30 minutes or so to school up. BTW I purchased Roboform -does everything and more.
SMOKEU
9th September 2012, 22:49
Just wait till the BFL ASICs start shipping. They will completely revolutionize brute force cracking compared to AMD GPU cracking, and prices are low enough for most script kiddies to afford ($US149 for the Jalapeno).
Hoon
10th September 2012, 13:01
Password managers have a few constraints namely:
Only works on the machine it's loaded on. Want to log on from a mates PC/internet kiosk?? - Hard luck!
You lose the password file/app/PC without backup, you lose all your passwords.
Who the hell wants to open a spreadsheet/app every time they want to log into anything?
If none of the above apply to you then go for it. If not then here is my alternative.
For me I have multiple devices in multiple locations I use to access various areas. I have developed my own system where I only have 4 passwords I need to remember for my 4 levels of security.
Level 1 - "Don't care, share with anyone" password for untrusted internet forums, non financial/non personal website logins, most online buying websites, guest PC logins, etc. Password is very simple and more for speed and simplicity rather than security (i.e. "123qwe" type passwords)
Level 2 - "Trusted shared password" for more personal stuff but willing to share this password with trusted others (wife, best mate etc) say Home PC, trademe, itunes, wireless access key etc.
Level 3 - Real password. The one I use for personal email accounts, windows accounts.
Level 4 - High security. Strong password used for all financial stuff where my money can be transferred or spent without further authentication.
A few points:
Web/Server administrators of the site you have joined can extract your password at will. This is why all untrusted web sites go under the Lvl 1 "untrusted" password.
I have a few environments where my password needs to be changed every 60 days. For these I just tack a number on the end and increment it each cycle and then update all other environments I use this lvl password next time I attempt to log in.
Once I had to give my wife temp access to my bank account. Instead of giving her my lvl 4 password, I changed my bank password to my lvl 2 and gave her that one instead.
For level 3 and 4 passwords be sure to use strong passwords that will not be rejected by sites for not being complex enough.
Keep in mind that your personal email account should also be treated as highish level as anyone that gains access to this can also "forgot my password" on any site you are registered to and reset the password thereby gaining control of that also.
And of course the biggest vulnerability is that if one site is hacked/compromised then all sites using that level password are also compromised so will need to be changed. I'm willing to accept this but others may not.
wysper
10th September 2012, 16:12
I notice Mr Fox hasn't posted here.
Maybe he used one of the password programs, lost the main password and can't log into Kiwibiker anymore!
Akzle
10th September 2012, 16:30
solid but:
Web/Server administrators of the site you have joined can extract your password at will.
not true. most passwords stored server side are encrypted and cannot be "recovered" and that's why:
...anyone that gains access to this can also "forgot my password" on any site you are registered to and reset the password
Gremlin
10th September 2012, 16:50
For level 3 and 4 passwords be sure to use strong passwords that will not be rejected by sites for not being complex enough.
Interesting and annoying thing here... two banks (went from National to ASB) wouldn't let me use characters such as #, &, % etc in my password... rather annoying that a password is too complex!
Hoon
10th September 2012, 17:18
not true. most passwords stored server side are encrypted and cannot be "recovered" and that's why:
This is dependent on the user management web software that the web/server admin chooses to use. Some may use industry standard and compliant methods while others can create their own storing passwords in a text file if they choose.
Aside from that there's a multitude of ways an unscrupulous web/server admin can access your password. The most obvious ones are:
On non-https sites your password is sent in clear text and can be read by a packet sniffer/logger running on the web server... there's a funny story at our work (large IT company) where a colleague sniffed out another colleague's NZDating credentials, created a false profile and resulted in him being stood up at the airport arrivals gate holding a bunch of flowers :).
Web admins can easily recode the login page to do whatever they want with your password.
If the admins really want access and aren't concerned that you'll find out then they can just reset your password (and explain it as a corrupted user database if they needed to)
Most people don't realise that their data belongs to the web admins. They have full control over the website and everything in it. Only law and company policy prevent them from abusing this, but it only takes one pissed off IT worker to go postal or give in to temptation and compromise your security. This happens more often than you'd think.
jonbuoy
10th September 2012, 20:25
This is dependent on the user management web software that the web/server admin chooses to use. Some may use industry standard and compliant methods while others can create their own storing passwords in a text file if they choose.
Aside from that there's a multitude of ways an unscrupulous web/server admin can access your password. The most obvious ones are:
On non-https sites your password is sent in clear text and can be read by a packet sniffer/logger running on the web server... there's a funny story at our work (large IT company) where a colleague sniffed out another colleague's NZDating credentials, created a false profile and resulted in him being stood up at the airport arrivals gate holding a bunch of flowers :).
Web admins can easily recode the login page to do whatever they want with your password.
If the admins really want access and aren't concerned that you'll find out then they can just reset your password (and explain it as a corrupted user database if they needed to)
Most people don't realise that their data belongs to the web admins. They have full control over the website and everything in it. Only law and company policy prevent them from abusing this, but it only takes one pissed off IT worker to go postal or give in to temptation and compromise your security. This happens more often than you'd think.
Not to mention just because it might be stored in an encrypted format doesn't mean it can't be un-encrypted either by the website owner or someone who manages to gain access to the database.
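The disagreement above (Hoon: admins can extract your password; Akzle: server-side passwords are stored so they cannot be recovered, which is why reset links exist; jonbuoy: "encrypted" can still be decrypted by whoever holds the key) turns on whether the site stores something reversible or a one-way derivation. As an added example, not code from any poster, product or site in the thread, this Python uses only the standard library to store passwords the way Akzle describes: a random per-user salt and PBKDF2-HMAC-SHA256, so the record holds nothing an admin or a thief of the database can turn back into the password, and the only thing an admin can do is overwrite it. The iteration count, salt length and the hypothetical UserTable class are assumptions made for the example.

```python
"""Server-side password storage that leaves nothing to 'extract'.

Added example (not from any poster or product in the thread). Only the
standard library is used; the work factor and record layout are assumptions.
"""
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGORITHM = "pbkdf2-sha256"
ITERATIONS = 600_000     # assumed work factor; raise it as hardware speeds up
SALT_BYTES = 16
KEY_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return the record to store: algorithm$iterations$salt$key.
    The salt is random per call, so two users with the same password get
    different records and a copied table cannot be attacked in bulk."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt, iterations, KEY_BYTES)
    return "$".join((ALGORITHM, str(iterations), _b64(salt), _b64(key)))


def verify_password(password: str, record: str) -> bool:
    """Re-derive from the stored salt and iteration count; compare in
    constant time so the comparison itself leaks nothing."""
    try:
        algorithm, iterations, salt_b64, key_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(key_b64, validate=True)
        iters = int(iterations)
    except (ValueError, TypeError):      # malformed or tampered record
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iters, len(expected))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when the record predates the current work factor or format."""
    parts = record.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < ITERATIONS
    except ValueError:
        return True


class UserTable:
    """Hypothetical in-memory user store. The only per-user secret it keeps
    is the derived record; the password itself is never written anywhere."""

    def __init__(self) -> None:
        self._rows: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self._rows[user] = hash_password(password)

    def login(self, user: str, password: str) -> bool:
        record = self._rows.get(user)
        if record is None:
            # Spend the same effort for unknown users so response time does
            # not reveal which usernames exist.
            hash_password(password, salt=bytes(SALT_BYTES))
            return False
        ok = verify_password(password, record)
        if ok and needs_rehash(record):
            # Transparent upgrade: the plaintext is available only at login.
            self._rows[user] = hash_password(password)
        return ok

    def reset_password(self, user: str, new_password: str) -> None:
        """The admin's only route: overwrite, never read back."""
        self._rows[user] = hash_password(new_password)

    def dump(self) -> Dict[str, str]:
        """What a database thief or a curious admin gets to see."""
        return dict(self._rows)


if __name__ == "__main__":
    table = UserTable()
    table.register("bogan", "purple monkey dishwasher 1")
    print("stored record:", table.dump()["bogan"])
    print("correct password:", table.login("bogan", "purple monkey dishwasher 1"))
    print("wrong password:", table.login("bogan", "Marian"))
```

The record exposes the salt and iteration count on purpose: both are needed to verify, and neither helps an attacker beyond letting them start the same slow derivation one guess at a time. What Hoon and jonbuoy describe remains possible only where the site skipped this and kept the password itself, or an encrypted copy of it with the key on the same server.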