club_cafe
Strong Passwords

Hi All,

The spam message that came through this morning probably came from the email account of a member of the list whose account had been hacked.

It is a good opportunity to remind you of the importance of using strong passwords on all of your accounts, using a separate password for each account, and changing them regularly.

Here are some guidelines for choosing and protecting passwords:

Choosing and Protecting Passwords

Laurie Frederiksen
Invest with your friends!
www.bivio.com


I'm not sure changing passwords on a regular basis is all
that helpful. Monitoring users has shown that requesting
them to change passwords on a regular basis leads to
predictable sequences like: duck01, duck02, ... The Federal
Trade Commission site has a page about changing passwords:
Time to rethink mandatory password changes
(https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes).
There are more than 800 different passwords in my password
manager database; changing them periodically would be very
time consuming.

Password managers that work across platforms can be found
for free. The one I use is KeePass and runs on my Windows,
Linux, and Android devices. There are also versions of
KeePass for Apple products but I don't have any of those
products. A review from PC Magazine of free password
managers, updated June 27, 2019, may be viewed at:
https://www.pcmag.com/picks/the-best-free-password-managers.

A sample of passwords that I let it generate looks like:
  Tgqt_8EH+{JFK;9zS]X}
  ;Q^_)Hm!*?RPCNLwy.]a
  Rzf9#(E4P+,wck=KYNd:

Sites that allow me to pick my own user name instead of my
email address seem more secure to me. When I have the
opportunity, I will pick a user name that looks like the
passwords above. The downside of this practice is that if I
ever have to type one of these passwords by hand, it takes me
a couple of tries to get it right. I hope that made someone
chuckle.

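
An example added here to illustrate two points in Scott's message (it is not code from any message in this thread, nor from KeePass): how much guessing entropy a 20-character generated password carries compared with a duck01-style one, and a check a password-change handler could apply to refuse the predictable increments that forced rotation tends to produce. The 94-symbol alphabet and the function names are assumptions.

```python
import math
import re
import secrets
import string

# Assumed character set: the 94 printable ASCII symbols (letters, digits,
# punctuation), similar to the KeePass-generated samples quoted above.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_secret(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random credential drawn with the OS CSPRNG.

    The secrets module is used instead of random: the Mersenne Twister
    behind random is predictable from a few observed outputs.
    """
    if length < 1 or not alphabet:
        raise ValueError("length must be positive and alphabet non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing entropy, in bits, of a uniformly random string.

    This is an upper bound: it only holds when every symbol is chosen
    independently and uniformly, which a human-picked word is not.
    """
    return length * math.log2(alphabet_size)


_TRAILING_NUMBER = re.compile(r"\d+$")


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when the new password is the old one with only the trailing
    number or the letter case changed (duck01 -> duck02, Duck03, ...).

    A password-change handler receives both values in plaintext, so it
    can apply this check and reject the predictable sequence.
    """
    old_base = _TRAILING_NUMBER.sub("", old).casefold()
    new_base = _TRAILING_NUMBER.sub("", new).casefold()
    return bool(old_base) and old_base == new_base


if __name__ == "__main__":
    print("generated:", generate_secret())
    print("20 random symbols from 94: %.1f bits" % entropy_bits(20, len(ALPHABET)))
    print("duck01 style (6 from 36, at best): %.1f bits" % entropy_bits(6, 36))
    print("duck01 -> duck02 trivial rotation:", is_trivial_rotation("duck01", "duck02"))
```
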
I hear more and more of my friends talk about password management apps. Perhaps my fears are misplaced, but I keep thinking about what would happen if the password manager was hacked. Any thoughts?

Peter Dunkelberger

On Mon, May 18, 2020 at 4:32 PM Scott Freeman via bivio.com <user*1595500001@bivio.com> wrote:
I'm not sure changing passwords on a regular basis is all
that helpful. Monitoring users has shown that requesting
them to change passwords on a regular basis leads to
predictable sequences like: duck01, duck02, ... The Federal
Trade Commission site has a page about changing passwords:
Time to rethink mandatory password changes
(https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes).
There are more than 800 different passwords in my password
manager database; changing them periodically would be very
time consuming.

Password managers that work across platforms can be found
for free. The one I use is KeePass and runs on my Windows,
Linux, and Android devices. There are also versions of
KeePass for Apple products but I don't have any of those
products. A review from PC Magazine of free password
managers, updated June 27, 2019, may be viewed at:
https://www.pcmag.com/picks/the-best-free-password-managers.

A sample of passwords that I let it generate looks like:
Tgqt_8EH+{JFK;9zS]X}
;Q^_)Hm!*?RPCNLwy.]a
Rzf9#(E4P+,wck=KYNd:

Sites that allow me to pick my own user name instead of my
email address seem more secure to me. When I have the
opportunity, I will pick a user name that looks like the
passwords above. The downside of this practice is that if I
ever have to type one of these passwords by hand, it takes me
a couple of tries to get it right. I hope that made someone
chuckle.

I've been using KeePass for a number of years. It allows you to create a master password to get into the file. My assumption is that by using a very strong master password, I should be safe from hackers. Hope I'm not wrong.
 
The downside of this program, which by the way is a free download, is that it doesn't have a version for smart phones.
 
Dick Lewis
GMIC
 
Peter Dunkelberger wrote:
> I hear more and more of my friends talk about password management apps. Perhaps my fears are misplaced, but I keep thinking about what would happen if the password manager was hacked. Any thoughts?

We have been using password managers at Bivio for many years. In fact I wrote an article about how to set up LastPass properly in 2016: https://www.robnagler.com/2016/07/27/Password-Management.html In particular, it's important to use a different and unique email address for the password manager. Today, I use 1Password, which I find easier to use and more reliable.

Why trust a password manager? Because it's their business to keep your information secure whereas site-selling-masks.com is primarily focused on getting you to buy something. The difference is critical: if a password manager has a security flaw, it will be fixed right away. If an arbitrary e-commerce site is relying on a software package with a security flaw, it probably won't be fixed right away. Likely, they don't have the expertise to make sure the site is secure. By using a password manager, you will limit your risk exposure to the more likely event: the e-commerce site will get cracked. As far as I know, no major password manager has been cracked. Many e-commerce sites including multi-billion dollar sites like LinkedIn, Yahoo, and Google have been cracked.

Scott Freeman wrote:
> The downside of this practice is that if I ever have to type one of these passwords by hand, it take me a couple tries to get it right. I hope that made someone chuckle.

Yes, I've had to do this with an Xbox controller. :)

Also, as Scott said, the advantage is that every site can have its own username and password. I would add: give unique answers to "secret questions". This last point is less obvious, but a secret-question answer is just another password so it shouldn't be reused from site to site. I generate random answers in the password manager's notes section for each site.

Cheers,
Rob

To Rob's last point, NEVER answer security questions with valid answers as that just provides more information if someone wishes to steal your identity.  The questions are meant to make it easy for you to remember the answer but the answer should be a random set of characters that are stored (written down) somewhere.

Bob
 
I would have to know more about what you mean by the
password manager being hacked.

The worst case, or doomsday hack, would be that the author of
the software wrote code to send the usernames and passwords
out of the system. This applies to many types of software.
Let's say for example that the author of your browser
(Safari, Edge, Chrome) has coded it to capture and report
10,000 characters following the receipt or transmission of
the phrase "TDAmeritrade". Maybe the only way to protect
against this is to use Free and open-source software
(https://en.wikipedia.org/wiki/Free_and_open-source_software)
where the code may be examined by anyone.

If you mean by being hacked that access to your computer is
available to a bad actor then this is a more common problem.
Malware can take many forms that are described here:
https://en.wikipedia.org/wiki/Malware

What one can hope to thwart by using a password manager and
a different password at every site is making it easy for
someone to capture your user name and password from a
retailer or site you view as unimportant and then try that
combination at BOA, Fidelity and other places that might be
important to you. As we slide further towards digital
currency, personal online habits become more important in
avoiding being 'hacked'.

Agreed. Real answers to Security Questions are just giving
away data that is personal and can be used for identity
theft. Storing them without encryption or writing them down
creates a vulnerability.
Good thoughts.

Peter Dunkelberger

On Tue, May 19, 2020 at 7:12 AM Scott Freeman via bivio.com <user*1595500001@bivio.com> wrote:
I would have to know more about what you mean by the
password manager being hacked.

The worst case, or doomsday hack, would be that the author of
the software wrote code to send the usernames and passwords
out of the system. This applies to many types of software.
Let's say for example that the author of your browser
(Safari, Edge, Chrome) has coded it to capture and report
10,000 characters following the receipt or transmission of
the phrase "TDAmeritrade". Maybe the only way to protect
against this is to use Free and open-source software
(https://en.wikipedia.org/wiki/Free_and_open-source_software)
where the code may be examined by anyone.

If you mean by being hacked that access to your computer is
available to a bad actor then this is a more common problem.
Malware can take many forms that are described here:
https://en.wikipedia.org/wiki/Malware

What one can hope to thwart by using a password manager and
a different password at every site is making it easy for
someone to capture your user name and password from a
retailer or site you view as unimportant and then try that
combination at BOA, Fidelity and other places that might be
important to you. As we slide further towards digital
currency, personal online habits become more important in
avoiding being 'hacked'.

That's why I haven't used one.

Linda





The task of using a different password at every site and keeping them encrypted is very difficult without software designed to take care of those tasks. Not doing so creates a greater risk than those posed by using a password management tool. The link, to the Dept. of Homeland Security site, provided by Ms. Laurie Frederiksen of bivio, Inc., describing how to create and protect passwords recommends using a password manager.

As guidance, if one's passwords are in a file that can be read by a word processor or written down on paper then they are more vulnerable than those kept by a password management system.

How secure is Apple's keychain?

On May 19, 2020, at 12:47 PM, SB via bivio.com <user*1595500001@bivio.com> wrote:

The task of using a different password at every site and keeping them encrypted is very difficult without software designed to take care of those tasks. Not doing so creates a greater risk than those posed by using a password management tool. The link, to the Dept. of Homeland Security site, provided by Ms. Laurie Frederiksen of bivio, Inc., describing how to create and protect passwords recommends using a password manager.

As guidance, if one's passwords are in a file that can be read by a word processor or written down on paper then they are more vulnerable than those kept by a password management system.


I wish I could speak about Apple products from experience. I am primarily a Linux user and the Keyrings are very secure. There are some similarities between iOS and Linux.

On Wed, May 20, 2020 at 8:11 PM Pam Kirk via bivio.com <user*25861200001@bivio.com> wrote:
How secure is Apple's keychain?


Hi Pam,

> How secure is Apple's keychain?

When I want to understand "how secure" a product is, I ask some questions:

* Do they have a bug bounty program?
* How do they respond to public breaches?
* How is their record on reporting vulnerabilities?
* Is it open source? And, if so, is there an active community?
* How old is it?

You can search on these things. For example, there's a database of vulnerabilities that can be searched for apple keychain. There are a lot of vulnerabilities. The most recent vulnerability was reported in 2018. The technical details are not important, but you can see that "It allows local users to bypass intended restrictions on Keychain state modifications." That's not good. However, Apple responded quickly and publicly. That's a good thing.

Apple has an active bug bounty program. They have made significant payments. Another good thing.

Keychain is closed source so nobody can inspect the code to see if it has security flaws. All security research has to be done without inside knowledge.

Keychain has been around several decades. That means many of the bugs have been shaken out.

Comparing with KeePass. A search for KeePass has only a handful of vulnerabilities. The most recent "bypass" vulnerability was in 2016. The author responded quickly.

There is no bug bounty program. For open source software, that's not unusual.

It's open source, and they have an active community.

KeePass was initially released in 2003 so it is old enough.

To be fair to Keychain, it's a much more visible tool, because it is installed on every Mac and iPhone. Therefore, it's much more likely to be the subject of security research and attacks by black hats.

It's not much of an answer, I realize. Keychain is probably just fine for the general user who only has Apple devices.

One concern I have with Keychain is that it doesn't make it easy to generate unique passwords. It's not as integrated as independent password managers like KeePass and 1Password.

I hope this helps.

Cheers,
Rob

Whoops, KeePass does have a bug bounty program.

Cheers,
Rob