
Password Management


  • #16
    First off, let me state that I believe this thread to be a fishing trip used to discover the password storage techniques of other forum members.

    However....

    I have 2 suggestions:

    Passphrase priority roll-down

    1. Assign priority to all sites, devices, systems, personal usage..

    Ex. Online Banking (1), Root(2), yahoo mail (3), etc...

    For all priority 1s use the same passphrase; after 30 days roll that phrase down to priority level 2, after 30 days roll it to 3, etc....

    2. Obtain two secure, covert USB devices (Ex. DiskGO and istick). Store your PGP encrypted password list on one device, and the keys on the other.
    Keep both devices in different locations on your person. (ex. Pen in your pocket, and the istick tucked neatly into a personal orifice)



    • #17
      Originally posted by pezz
      First off, let me state that I believe this thread to be a fishing trip used to discover the password storage techniques of other forum members.

      However....

      I have 2 suggestions:

      Passphrase priority roll-down

      1. Assign priority to all sites, devices, systems, personal usage..

      Ex. Online Banking (1), Root(2), yahoo mail (3), etc...

      For all priority 1s use the same passphrase; after 30 days roll that phrase down to priority level 2, after 30 days roll it to 3, etc....

      2. Obtain two secure, covert USB devices (Ex. DiskGO and istick). Store your PGP encrypted password list on one device, and the keys on the other.
      Keep both devices in different locations on your person. (ex. Pen in your pocket, and the istick tucked neatly into a personal orifice)
      I like this idea too; it's kind of like adding on to the previously stated passphrases to make it more secure. I might have to look into this too.
      before asking a retarded question, google it. google knows all.



      • #18
        Originally posted by KeLviN
        it keeps all your passwords off your computer, does some minor encryption just for shitz-n-giggles, and a good password management program comes with most new ones.
        As someone else pointed out, your computer generally copies the passwords over during the synchronization. However, tools like Keyring and Strip use Triple-DES and AES. It breaks down into a single source of attack (i.e., it is susceptible to offline attacks), but it is going to be extremely difficult.

        Originally posted by pezz
        First off, let me state that I believe this thread to be a fishing trip used to discover the password storage techniques of other forum members.
        Perhaps, but if you are careful with your passwords, then such information should be the least of an attacker's worries.



        • #19
          Hmm, here's an idea for those who know how to play the piano (just a little).
          You can assign a music-note key scheme on your keyboard (which you will keep in your mind). As an example, on a QWERTY keyboard you can use "y", "u", "i", "o", "p", "[", "]" for the first scale of music notes, then use "shift" + "y", "u", "i", "o", "p", "[", "]" for the second scale, etc., and then you just play the basic melody of some song (almost) as you would on the piano. This can easily be composed of 60+ characters, and obviously the password would appear to be nonsense. ;)

          The good thing is it works: with a little exercise you can enter very large passwords quickly and with no fear of forgetting them.
          The bad thing is that you usually don't remember what keys you enter, which could cause you problems on a keyboard with a different scheme.
          Last edited by nske; February 23, 2005, 10:50. Reason: corrected some mistakes



          • #20
            heh, that's awesome. But I'm not learning piano just to randomize my passwords... but I like the idea........ keep 'em coming
            the fresh prince of 1337

            To learn how to hack; submit your request



            • #21
              Friend,
              http://www.menopause-online.com/ginko.htm

              I'm against the storage of passwords. I've gotta remember maybe... 10 or so... and manage fine with complex and secure passwords.

              Buuut... maybe http://passwordmanager.sourceforge.net/ if you are forced at loaded gunpoint.

              Questions.. on Firefox 1.0:
              "Privacy is also improved with the addition of a master password for protecting all saved passwords." You have to enter this each time you use a saved password, I understand.. and
              I know it's all about your whole 'profile'... I searched a little but to no avail... sooo

              Anyone know what encryption method Firefox uses, or of any tests of Firefox password storage security? Or where the data (hashes?) is stored? (in .mozilla/firefox/...)
              The only constant in the universe is change itself



              • #22
                I didn't know where they were stored, so I asked my brother and he looked around and said that they might be stored at Mozilla Firefox\defaults\profile\localstore.rdf, but he isn't sure.
                before asking a retarded question, google it. google knows all.



                • #23
                  Originally posted by dYn4mic
                  Anyone know what encryption method Firefox uses, or of any tests of Firefox password storage security? Or where the data (hashes?) is stored? (in .mozilla/firefox/...)
                  Mozilla/Netscape used to (probably still does) Base64 encode the username and passwords if you didn't set up a master password.

                  These are all stored under your Profile directory: key3.db and signons.txt for Firefox.

                  As for encryption type, I believe they are using AES.
                  We own everything so you don't have to!



                  • #24
                    Cool. Thanks gzzah. AES is nice. heh.

                    And dementeddemon, defaults\profile\localstore.rdf is what I implied when I said: (are they in .mozilla/firefox/..).... but... nice try.

                    ps. Your slashes are backwards, this isn't Windows... and it's not a rule that you've gotta post a reply on every thread. I asked my brother and he said you should cut back on posts per day. Just an idea....
                    The only constant in the universe is change itself



                    • #25
                      Originally posted by dYn4mic
                      Im against the storage of passwords. I've gotta remember maybe... 10 or so... and manage fine with complex and secure passwords.
                      Do you really believe this is more secure, though? Thoughts:
                      • Any reasonable level of encryption is going to be just as secure as you storing them in your head.
                      • By the pigeon-hole principle, you are reusing passwords with sites such that a compromise of one server potentially means the compromise of many of your accounts.
                      • When you accidentally use the incorrect password while accessing an account, you run the risk of revealing that password (although most sane shared-secret schemes avoid this problem).
                      • You are likely to memorize the passwords for the accounts that you use the most, anyway.

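Added example, not from any of the posts: a small Python model of the "priority roll-down" scheme proposed in #16, used to make the shared-passphrase objection raised in #25 concrete. The tiers follow the example given in #16; the second tier-1 site "brokerage" and the day numbers are constructed assumptions.

```python
# Added example (not from the thread): models the #16 roll-down scheme so the
# cross-account exposure argued in #25 can be read off directly.

ROLL_DAYS = 30  # the 30-day roll period given in #16

# Tier 1 is the most sensitive. A fresh passphrase enters at tier 1 and moves
# down one tier every ROLL_DAYS days. "brokerage" is a constructed second
# tier-1 site, added to show sharing within a tier.
TIERS = {1: ["online banking", "brokerage"], 2: ["root"], 3: ["yahoo mail"]}
SITE_TIER = {site: tier for tier, sites in TIERS.items() for site in sites}


def phrase_index(site, day):
    """Number of the passphrase a site uses on `day` (phrases are numbered by
    the period in which they were created), or None before the scheme has
    rolled any phrase down as far as that site's tier."""
    period = day // ROLL_DAYS
    idx = period - (SITE_TIER[site] - 1)
    return idx if idx >= 0 else None


def sites_sharing(site, day):
    """Every other account that uses the same passphrase as `site` does on
    `day`, with the day window in which it does and whether that window is
    past, current, or still to come. A passphrase captured from `site` on
    `day` covers all of them."""
    idx = phrase_index(site, day)
    if idx is None:
        return []
    shared = []
    for tier, sites in TIERS.items():
        period = idx + tier - 1  # the period in which this tier holds phrase idx
        start, end = period * ROLL_DAYS, (period + 1) * ROLL_DAYS - 1
        if end < day:
            when = "past"
        elif start > day:
            when = "future"
        else:
            when = "now"
        for other in sites:
            if other != site:
                shared.append((other, start, end, when))
    return shared


if __name__ == "__main__":
    for victim in ("online banking", "yahoo mail"):
        print(f"passphrase captured from {victim!r} on day 70 also covers:")
        for other, start, end, when in sites_sharing(victim, 70):
            print(f"  {other:15s} days {start:3d}-{end:3d} ({when})")
```

Run as-is, the banking capture shows root's and yahoo mail's next two passphrases known in advance, while the yahoo mail capture hands over the passphrase banking used two periods earlier.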


                      • #26
                        Good points....
                        But my head is the most secure place that I feel they can be 'stored'. Hopefully that same head will prevent many methods of password interception.

                        I don't use the same password for all my accounts (notice "passwords" in my post) and it's plenty complex for almost any rainbow table out there. Plus each is 'rated' by level of importance.
                        By that same token, I use a variation of a similar set of complex chars and spaces, so it's only a matter of time before I know the correct sequence (if I haven't logged into something in a long time..). Capturing even 3 of my passwords would not give you access to any of the others. Plus I have a good memory. I think I've said enough about my password scheme.

                        This made me laugh for hours:
                        http://it.slashdot.org/comments.pl?s...6&cid=11459507

                        People might find this interesting if they didn't read it already:
                        http://ask.slashdot.org/article.pl?s...&tid=172&tid=4
                        The only constant in the universe is change itself



                        • #27
                          Originally posted by ck3k
                          Twinvega, you could just tell me...that would work

                          you could store them in a jpg ala Steganography
                          This coming from the guy that entrusted his laptop to us with NO PASSWORD locking the poor windows box down?

                          the jpg idea is a good one..

                          The only flaw with AST's suggestion is for many different applications you would probably tend to start using the same passphrase for different apps, unless you associated a song with each app.

                          A trick I have used (other than steganography) is to keep the passwords in a file that is gpg encrypted (both private key and password required). The private key is in a different location (think removable media), and the password file is on an encrypted partition.

                          Another technique that Bruce Schneier suggested is to have the password be in 2 parts.. one is something you can write down (or use the above "Che being paranoid" technique), and memorize the other part.
                          Happiness is a belt-fed weapon.



                          • #28
                            We used Keepass to both generate and store all the ShmooCon attendee registration badge pickup hashes.

                            http://keepass.sourceforge.net/

                            The database of passwords is encrypted itself with a master password and can be stored on a USB dongle or similar. Temp copy to clipboard features, and plenty of export mechanisms--we exported to CSV at the last minute and created a quick DB web front-end for actual registration.

                            Something lightweight and similar would just be a gpg-encrypted file with server, username, and password fields on USB drive.

                            Just don't lose that puppy. heh.

                            Sincerely,

                            Beetle



                            • #29
                              Password Management Programs

                              2 recommendations:
                              1. Password Safe - written by Bruce Schneier; uses Blowfish
                              2. Password Agent - uses AES; lots of nice features: auto fill, password generation,
                              designed to work from a flash drive, and many more.

                              Google for them; both are free.
                              "It's much more fun to be sand, than oil, in the machinery of life." - unknown

