<?xml version='1.0' encoding='UTF-8'?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/"><channel><title>SQLServerCentral / Editorials / SQLServerCentral.com  / Serious Security / Latest Posts</title><generator>InstantForum.NET v2.9.0</generator><description>SQLServerCentral</description><link>http://www.sqlservercentral.com/Forums/</link><webMaster>notifications@sqlservercentral.com</webMaster><lastBuildDate>Tue, 18 Jun 2013 15:10:38 GMT</lastBuildDate><ttl>20</ttl><item><title>RE: Serious Security</title><link>http://www.sqlservercentral.com/Forums/Topic1408176-263-1.aspx</link><description>[quote][b]john.moreno (1/17/2013)[/b][hr]Except that for a site that you visit once a week, let alone once a month or once a year, you haven't memorized it, you've forgotten all about it.  It may have taken you an hour of looking around to even FIND the site, you aren't going to remember the password, unless of course it's the password you use everywhere else.[/quote]I use XMarks for most of the web. My problem is when you get into some of these sites -- you have to have a capital, a number and a character. Then they advertise you can access them from a phone app. But you are restricted from saving the password, or even the strange login name that you have to use that is totally separated from your e-mail account or your typical user id. I have over five credit cards, a mortgage, a car loan, my work's website, more than seven SQL and other forums that I participate in. I also have my own website. I'm smart enough to group my passwords from financial, to e-mail to forums, etc. But I still have locked myself out so hard that a fin site had to send me a snail-mail to unlock my account.</description><pubDate>Thu, 17 Jan 2013 22:59:30 GMT</pubDate><dc:creator>Jim P.</dc:creator></item><item><title>RE: Serious Security</title><link>http://www.sqlservercentral.com/Forums/Topic1408176-263-1.aspx</link><description>[quote][b]Jim P. 
(1/17/2013)[/b][hr]Any time someone brings up password security I always think of this [url=http://xkcd.com/936/]XKCD commentary[/url][/quote]Except that for a site that you visit once a week, let alone once a month or once a year, you haven't memorized it, you've forgotten all about it.  It may have taken you an hour of looking around to even FIND the site, you aren't going to remember the password, unless of course it's the password you use everywhere else. Which is the advantage of OpenID -- you don't have to remember the password, you just have to be using the same OpenID provider as you were a year ago. Password safes are fine, but they may not be trusted -- or used frequently enough to be considered worthwhile.</description><pubDate>Thu, 17 Jan 2013 19:48:57 GMT</pubDate><dc:creator>john.moreno</dc:creator></item><item><title>RE: Serious Security</title><link>http://www.sqlservercentral.com/Forums/Topic1408176-263-1.aspx</link><description>Any time someone brings up password security I always think of this [url=http://xkcd.com/936/]XKCD commentary[/url][img]http://imgs.xkcd.com/comics/password_strength.png[/img]</description><pubDate>Thu, 17 Jan 2013 18:59:55 GMT</pubDate><dc:creator>Jim P.</dc:creator></item><item><title>RE: Serious Security</title><link>http://www.sqlservercentral.com/Forums/Topic1408176-263-1.aspx</link><description>[quote][b]Barry Wright-268269 (1/17/2013)[/b][hr]It seems to me that a big factor in this is just password fatigue.  We have so many password "protecting" things from the very important like bank accounts and company data to trivial things like this forum, frankly, and other such stuff.[/quote]Frankly just about the only reason to have a unique password at a site like this one, is so that it's not reused elsewhere where the password is important.   
That way if this site has bad practices or a disgruntled employee, nothing important is compromised. I wish this site used OpenID so that there'd be one less site to remember.</description><pubDate>Thu, 17 Jan 2013 11:46:09 GMT</pubDate><dc:creator>john.moreno</dc:creator></item><item><title>RE: Serious Security</title><link>http://www.sqlservercentral.com/Forums/Topic1408176-263-1.aspx</link><description>[quote][b]D.Oc (1/17/2013)[/b][hr]I use Keepass for storing my passwords, it is only way to remember them all. For example, password for my Gmail acc. is 56 characters long and I'm changing it every 2 months. I use shorter passwords for forums, it's all about priorities.[/quote]Same here, and you can't beat the price either. :-D</description><pubDate>Thu, 17 Jan 2013 10:25:15 GMT</pubDate><dc:creator>TravisDBA</dc:creator></item><item><title>RE: Serious Security</title><link>http://www.sqlservercentral.com/Forums/Topic1408176-263-1.aspx</link><description>1password from [url=https://agilebits.com/onepassword]https://agilebits.com/onepassword[/url].  I have it on my work computer, home PC and desktop, android phone.   And it is updated between all three computer automatically. It will give you randomly generated password and is used directly in the browser (Firefox, Chrome and IE).  I've used it for the past three years.  Supports PC, Mac, Android and IOS.</description><pubDate>Thu, 17 Jan 2013 08:52:16 GMT</pubDate><dc:creator>cksid</dc:creator></item><item><title>RE: Serious Security</title><link>http://www.sqlservercentral.com/Forums/Topic1408176-263-1.aspx</link><description>Awesome! I will check it out! Thanks!</description><pubDate>Thu, 17 Jan 2013 08:14:31 GMT</pubDate><dc:creator>bj_fentress</dc:creator></item><item><title>RE: Serious Security</title><link>http://www.sqlservercentral.com/Forums/Topic1408176-263-1.aspx</link><description>[quote][b]bj_fentress (1/17/2013)[/b][hr]Hey Steve, Great post on security! 
I do use password safe here at work religiously, but I was curious if there was something out there that does the same thing on a mobile device (ie. idevice, droid, etc.)? Does anyone know the good ones from the crapware out there? Thanks! B.J. Fentress @bjfentress[/quote]I use pwsafe on iOS. Syncs with my Password Safe syncs on laptop/desktop with Dropbox. There's a few here: [url]http://pwsafe.org/relatedprojects.shtml[/url]</description><pubDate>Thu, 17 Jan 2013 08:12:04 GMT</pubDate><dc:creator>Steve Jones - SSC Editor</dc:creator></item><item><title>RE: Serious Security</title><link>http://www.sqlservercentral.com/Forums/Topic1408176-263-1.aspx</link><description>It seems to me that a big factor in this is just password fatigue.  We have so many password "protecting" things from the very important like bank accounts and company data to trivial things like this forum, frankly, and other such stuff.  Of course, some passwords are to protect the user and some are to protect the data provider.  Personally, I am far less conscious about passwords when it is to protect the provider for knowledge bases, etc.</description><pubDate>Thu, 17 Jan 2013 07:46:24 GMT</pubDate><dc:creator>Barry Wright-268269</dc:creator></item><item><title>RE: Serious Security</title><link>http://www.sqlservercentral.com/Forums/Topic1408176-263-1.aspx</link><description>We have a credit card application that requires password complexity and that it be changed every 90 days and I imagine all of them are required to do this because of regulations deep in the bowels of the PCI compliance documentation.  If I can find a software that doesn't require this, I'll switch.  In the meantime, a post-it note is nearby (though not stuck to the monitor).  
Ditto for our banking software (that only allows deposits...no check writing allowed). The human factor will always override the digital factor.</description><pubDate>Thu, 17 Jan 2013 06:30:47 GMT</pubDate><dc:creator>thisisfutile</dc:creator></item><item><title>RE: Serious Security</title><link>http://www.sqlservercentral.com/Forums/Topic1408176-263-1.aspx</link><description>Hey Steve, Great post on security! I do use password safe here at work religiously, but I was curious if there was something out there that does the same thing on a mobile device (ie. idevice, droid, etc.)? Does anyone know the good ones from the crapware out there? Thanks! B.J. Fentress @bjfentress</description><pubDate>Thu, 17 Jan 2013 05:55:15 GMT</pubDate><dc:creator>bj_fentress</dc:creator></item><item><title>RE: Serious Security</title><link>http://www.sqlservercentral.com/Forums/Topic1408176-263-1.aspx</link><description>I use Keepass for storing my passwords, it is only way to remember them all. For example, password for my Gmail acc. is 56 characters long and I'm changing it every 2 months. I use shorter passwords for forums, it's all about priorities.</description><pubDate>Thu, 17 Jan 2013 05:44:51 GMT</pubDate><dc:creator>D.Oc</dc:creator></item><item><title>RE: Serious Security</title><link>http://www.sqlservercentral.com/Forums/Topic1408176-263-1.aspx</link><description>I work with one client which has so many layers of security and training to access their network, it has taken me 2 days on occasion to even gain access to what I need. There's education and online training, dire warning of consequences of misuse etc etc. Unfortunately the effect is that people tend to quietly share account details simply to get the job done. I guess it's a tricky balance. 
I'm pretty disciplined but probably even then, I know, not as rigorous as I might be.</description><pubDate>Thu, 17 Jan 2013 02:43:54 GMT</pubDate><dc:creator>call.copse</dc:creator></item><item><title>RE: Serious Security</title><link>http://www.sqlservercentral.com/Forums/Topic1408176-263-1.aspx</link><description>I think that security is the duty of all involved from end-user to developer.  However, one thing to consider in the economics of security is the annoyance and cost of too much security.  There is a balance and going overboard will likely drive a bunch of users away.</description><pubDate>Thu, 17 Jan 2013 00:24:37 GMT</pubDate><dc:creator>SQLRNNR</dc:creator></item><item><title>Serious Security</title><link>http://www.sqlservercentral.com/Forums/Topic1408176-263-1.aspx</link><description>Comments posted to this topic are about the item [B]&lt;A HREF="/articles/Editorial/95959/"&gt;Serious Security&lt;/A&gt;[/B]</description><pubDate>Thu, 17 Jan 2013 00:12:36 GMT</pubDate><dc:creator>Steve Jones - SSC Editor</dc:creator></item></channel></rss>