Password Management

  • oz0ne
    replied
    Password Management Programs

    2 recommendations:
    1. Password Safe - written by Bruce Schneier; uses Blowfish
    2. Password Agent - uses AES; lots of nice features; auto fill; password generation;
    designed to work from a flash drive; and many more.

    Google for them; both are free.

  • beetle
    replied
    We used Keepass to both generate and store all the ShmooCon attendee registration badge pickup hashes.

    http://keepass.sourceforge.net/

    The database of passwords is encrypted itself with a master password and can be stored on a USB dongle or similar. Temp copy to clipboard features, and plenty of export mechanisms--we exported to CSV at the last minute and created a quick DB web front-end for actual registration.

    Something lightweight and similar would just be a gpg-encrypted file with server, username, and password fields on a USB drive.

    Just don't lose that puppy. heh.

    Sincerely,

    Beetle

  • Gadsden
    replied
    Originally posted by ck3k
    Twinvega, you could just tell me...that would work

    you could store them in a jpg ala Steganography
    This coming from the guy that entrusted his laptop to us with NO PASSWORD locking the poor windows box down?

    the jpg idea is a good one..

    The only flaw with AST's suggestion is for many different applications you would probably tend to start using the same passphrase for different apps, unless you associated a song with each app.

    A trick I have used (other than steganography) is to keep the passwords in a file that is gpg encrypted (both private key and password required). Private key is in a different location (think removable media), and the password file is on an encrypted partition.

    Another technique that Bruce Schneier suggested is to have the password be in 2 parts.. one is something you can write down (or use the above "Che being paranoid" technique), and memorize the other part.

  • dYn4mic
    replied
    Good points....
    But my head is the most secure place that I feel they can be 'stored'. Hopefully that same head will prevent many methods of password interception.

    I don't use the same password for all my accounts (notice "passwords" in my post) and it's plenty complex for almost any rainbow table out there. Plus each is 'rated' by level of importance.
    By that same token, I use a variation of a similar set of complex chars and spaces, so it's only a matter of time before I know the correct sequence (if I haven't logged into something in a long time..). Capturing even 3 of my passwords would not give you access to any of the others. Plus I have a good memory. I think I've said enough about my password scheme.

    This made me laugh for hours:
    http://it.slashdot.org/comments.pl?s...6&cid=11459507

    People might find this interesting if they didn't read it already:
    http://ask.slashdot.org/article.pl?s...&tid=172&tid=4

  • Voltage Spike
    replied
    Originally posted by dYn4mic
    I'm against the storage of passwords. I've gotta remember maybe... 10 or so... and manage fine with complex and secure passwords.
    Do you really believe this is more secure, though? Thoughts:
    • Any reasonable level of encryption is going to be just as secure as you storing them in your head.
    • By the pigeon-hole principle, you are reusing passwords with sites such that a compromise of one server potentially means the compromise of many of your accounts.
    • When you accidentally use the incorrect password while accessing an account, you run the risk of revealing that password (although most sane shared-secret schemes avoid this problem).
    • You are likely to memorize the passwords for the accounts that you use the most, anyway.

  • dYn4mic
    replied
    Cool. Thanks gzzah. AES is nice. heh.

    And dementeddemon, defaults\profile\localstore.rdf that's what I implied with saying: (are they in .mozilla/firefox/..).... but... nice try.

    ps. Your slashes are backwards, this isn't windows...and it's not a rule you've gotta post a reply on every thread. I asked my brother and he said you should cut back on Posts per day. Just an idea....

  • gzzah
    replied
    Originally posted by dYn4mic
    Anyone know what encryption method Firefox uses, or any tests of Firefox password storage security? Or where the data (hashes?) is stored? (in .mozilla/firefox/...)
    Mozilla/Netscape used to (probably still does) Base64 encode the username and passwords if you didn't set up a master password.

    These are all stored under your Profile directory: key3.db and signons.txt for Firefox.

    As for encryption type, I believe they are using AES.

  • dementeddemon
    replied
    I didn't know where they were stored so I asked my brother and he looked around and said that they might be stored at Mozilla Firefox\defaults\profile\localstore.rdf but he isn't sure.

  • dYn4mic
    replied
    Friend,
    http://www.menopause-online.com/ginko.htm

    I'm against the storage of passwords. I've gotta remember maybe... 10 or so... and manage fine with complex and secure passwords.

    Buuut... maybe http://passwordmanager.sourceforge.net/ if you are forced at loaded gunpoint.

    Questions.. on Firefox 1.0-
    "Privacy is also improved with the addition of a master password for protecting all saved passwords." You have to enter this each time you use a saved password, I understand... and
    I know it's all about your whole 'profile'... I searched a little but to no avail... sooo

    Anyone know what encryption method Firefox uses, or any tests of Firefox password storage security? Or where the data (hashes?) is stored? (in .mozilla/firefox/...)

  • KeLviN
    replied
    heh, that's awesome. but I'm not learning piano just to randomize my passwords... but I like the idea........ keep 'em coming

  • nske
    replied
    hmm here's an idea for those who know how to play the piano (just a little).
    You can assign a music-note key scheme on your keyboard (which you will keep in your mind). As an example, on a qwerty keyboard you can use "y","u","i","o","p","[","]" for the first scale of music notes, then use "shift" + "y","u","i","o","p","[","]" for the second scale, etc, and then you just play the basic melody of some song (almost) as you would on the piano. This can easily be composed from 60+ characters, and obviously the password would appear to be nonsense. ;)

    The good thing is it works; with a little exercise you can enter very large passwords quickly and with no fear of forgetting them.
    The bad thing is that you usually don't remember what keys you enter, which could cause you problems on a keyboard with a different scheme.
    Last edited by nske; February 23, 2005, 10:50. Reason: corrected some mistakes
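As an added example (not nske's code, and not part of the original thread), the Python below types a melody out under the key mapping described in the post, on US QWERTY and on a constructed German QWERTZ row, so the "different keyboard scheme" problem is visible as a different password for the same tune. It also counts the scheme's symbol alphabet (7 keys x 2 scales = 14 characters), which bounds how much entropy a long-looking password of this kind can hold even before the predictability of melodies is considered; the QWERTZ table and the sample tune are assumptions made for the example.

```python
import math
from typing import Dict, Iterable, List, Tuple

# Note names of one scale, in the order the post assigns them to the keys.
NOTES: List[str] = ["C", "D", "E", "F", "G", "A", "B"]

# Per-layout table: note -> (unshifted, shifted) character for the seven physical
# keys y u i o p [ ] on a US QWERTY board, as in the post. The German QWERTZ row is a
# constructed second layout (same key positions, different legends) used only to
# show why the same melody types differently on another keyboard.
LAYOUTS: Dict[str, Dict[str, Tuple[str, str]]] = {
    "us_qwerty": dict(zip(NOTES, [("y", "Y"), ("u", "U"), ("i", "I"), ("o", "O"),
                                  ("p", "P"), ("[", "{"), ("]", "}")])),
    "de_qwertz": dict(zip(NOTES, [("z", "Z"), ("u", "U"), ("i", "I"), ("o", "O"),
                                  ("p", "P"), ("ü", "Ü"), ("+", "*")])),
}

Melody = Iterable[Tuple[str, int]]  # (note name, scale): scale 1 = plain, 2 = Shift


def melody_to_password(melody: Melody, layout: str = "us_qwerty") -> str:
    """Type a melody out as keystrokes under the given layout."""
    table = LAYOUTS[layout]
    out = []
    for note, scale in melody:
        if note not in table:
            raise ValueError(f"unknown note {note!r}")
        if scale not in (1, 2):
            raise ValueError("the post's scheme covers two scales: 1 (plain) and 2 (Shift)")
        out.append(table[note][scale - 1])
    return "".join(out)


def alphabet_size(layout: str = "us_qwerty") -> int:
    """Distinct characters the scheme can ever produce: 7 keys x 2 scales = 14."""
    return len({ch for pair in LAYOUTS[layout].values() for ch in pair})


def max_entropy_bits(length: int, layout: str = "us_qwerty") -> float:
    """Upper bound on the entropy of a `length`-note password if every note were
    chosen uniformly; real melodies are far from uniform, so this is generous."""
    return length * math.log2(alphabet_size(layout))


# Constructed sample tune: the opening of "Twinkle Twinkle" in the first scale, then
# the same phrase in the second scale (Shift) so both halves of the table are used.
TWINKLE: List[Tuple[str, int]] = [("C", 1), ("C", 1), ("G", 1), ("G", 1), ("A", 1), ("A", 1), ("G", 1)]
TWINKLE_UP: List[Tuple[str, int]] = [(n, 2) for n, _ in TWINKLE]

if __name__ == "__main__":
    for name in LAYOUTS:
        print(f"{name}: {melody_to_password(TWINKLE + TWINKLE_UP, name)}")
    print(f"alphabet: {alphabet_size()} symbols, "
          f"<= {max_entropy_bits(60):.0f} bits for a 60-note password")
```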

  • Voltage Spike
    replied
    Originally posted by KeLviN
    it keeps all your passwords off your computer, does some minor encryption just for shitz-n-giggles, and a good password management program comes with most new ones.
    As someone else pointed out, your computer generally copies the passwords over during the synchronization. However, tools like Keyring and Strip use Triple-DES and AES. It breaks down into a single source of attack (i.e., it is susceptible to offline attacks), but it is going to be extremely difficult.

    Originally posted by pezz
    First off, let me state that I believe this thread to be a fishing trip used to discover the password storage techniques of other forum members.
    Perhaps, but if you are careful with your passwords, then such information should be the least of an attacker's worries.

  • dementeddemon
    replied
    Originally posted by pezz
    First off, let me state that I believe this thread to be a fishing trip used to discover the password storage techniques of other forum members.

    However....

    I have 2 suggestions:

    Passphrase priority roll-down

    1. Assign priority to all sites, devices, systems, personal usage..

    Ex. Online Banking (1), Root(2), yahoo mail (3), etc...

    For all priority 1's use the same pass phrase, after 30 days roll that phrase down to priority level 2, after 30 days roll to 3, etc....

    2. Obtain two secure, covert USB devices (Ex. DiskGO and istick). Store your PGP encrypted password list on one device, and the keys on the other.
    Keep both devices in different locations on your person. (ex. Pen in your pocket, and the istick tucked neatly into a personal orifice)
    I like this idea too, it's kind of like adding on to the previously stated pass phrases to make it more secure, I might have to look into this too.

  • pezz
    replied
    First off, let me state that I believe this thread to be a fishing trip used to discover the password storage techniques of other forum members.

    However....

    I have 2 suggestions:

    Passphrase priority roll-down

    1. Assign priority to all sites, devices, systems, personal usage..

    Ex. Online Banking (1), Root(2), yahoo mail (3), etc...

    For all priority 1's use the same pass phrase, after 30 days roll that phrase down to priority level 2, after 30 days roll to 3, etc....

    2. Obtain two secure, covert USB devices (Ex. DiskGO and istick). Store your PGP encrypted password list on one device, and the keys on the other.
    Keep both devices in different locations on your person. (ex. Pen in your pocket, and the istick tucked neatly into a personal orifice)

  • gzzah
    replied
    Originally posted by KeLviN
    time for a palm pilot.
    it keeps all your passwords off your computer, does some minor encryption just for shitz-n-giggles, and a good password management program comes with most new ones.
    c:\Palm\[userdir]\memopad\memopad.pdb

    Unless you use one of the many programs specifically written for storing and encrypting your password lists. :)

    Leave a comment:
