Don't Share Passwords Across Sites
Posted Saturday, July 28, 2012 2:03 PM
SSC-Dedicated
Group: Administrators
Comments posted to this topic are about the item Don't Share Passwords Across Sites
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1336946
Posted Sunday, July 29, 2012 1:25 AM
Grasshopper
Group: General Forum Members
Totally agree.

My own strategy rather than using a password safe is that I have a fixed random-looking collection of capitals, numbers and symbols (which is actually memorable to me) into which I then incorporate parts of the name of the site I'm logging in to (should that be "in to which I'm logging?").

Again, it may not be perfect, but it would be very difficult for a human to get from one of my passwords to the next, and even harder for a machine.
Post #1336969
Posted Sunday, July 29, 2012 6:12 AM
Grasshopper
Group: General Forum Members
Using a product to store passwords for various sites is all well and good, but many of us have multiple devices (laptop, desktop, smart phone, tablet). Our smart phone might be Android or iOS based, our desktops and laptops could be Windows, Linux (or both). There is no one tool that serves them all, unfortunately---except for writing them down (bad!!) or memory. This is why most of us use the same (or very similar) passwords on all of our sites; both secured and unsecured. It just really isn't practical for most of us to use the one-site/one-password rule. Until there is cross-platform 'password storage' (which will probably require encrypted secure cloud storage--with a password to access), re-using passwords will, unfortunately, be the rule, rather than the exception.
Post #1336988
Posted Sunday, July 29, 2012 10:09 AM
Forum Newbie
Group: General Forum Members
Everyone knows username and password is not enough. Stop blaming users for your flawed security implementations.

How about we stop reinventing the wheel and come up with a SAFE, SECURE, REUSABLE online identity. Something tied to more than just a password. Oh wait, it's already done: http://openid.net/. Seriously, I am tired of hearing about every site needing a unique 12+ character mixed case letters, numbers, symbols password, that's ridiculous and works against rational user friendliness and usability design constraints.
Post #1336998
Posted Sunday, July 29, 2012 10:19 AM
SSC-Dedicated
Group: Administrators
ldsudduth1 (7/29/2012)
Using a product to store passwords for various sites is all well and good, but many of us have multiple devices (laptop, desktop, smart phone, tablet). Our smart phone might be Android or iOS based, our desktops and laptops could be Windows, Linux (or both). There is no one tool that serves them all, unfortunately...


Not true,

I used Password Safe, with my safes synced by Dropbox. I have a Windows 7 desktop, an iOS phone, and an OS X MacBook, keeping my passwords synced across all of them. There are Android and *nix ports as well. I believe KeePass works the same way.
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1337000
Posted Sunday, July 29, 2012 10:20 AM
SSC-Dedicated
Group: Administrators
eric.rini (7/29/2012)
Everyone knows username and password is not enough. Stop blaming users for your flawed security implementations.

How about we stop reinventing the wheel and come up with a SAFE, SECURE, REUSABLE online identity. Something tied to more than just a password. Oh wait, it's already done: http://openid.net/. Seriously, I am tired of hearing about every site needing a unique 12+ character mixed case letters, numbers, symbols password, that's ridiculous and works against rational user friendliness and usability design constraints.


Yes and no. This isn't necessarily a bad solution, and may be the best one. But if someone cracks into your OpenID site, then they access all your information. There is some value to having different identities. I'm not sure I want my OpenID linked to my bank account.
Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1337001
Posted Sunday, July 29, 2012 10:41 AM
Forum Newbie
Group: General Forum Members
We all know username + password doesn't meet the basic requirement of "something you have and something you know"... it's more "something you know and something you know". If more developers were using centralized identities, it becomes cost effective to secure these centralized accounts with physical security measures rather than passwords.

For example a physical authentication like linking an account to a mobile phone (it sends you a text with a unique key to login) or using a token like this - http://us.battle.net/support/en/article/battle-net-authenticator-faq simply cannot be cracked, no matter how irresponsible or uneducated the user is about security.

If you had a single online presence it could be linked to a physical form of authentication and the web becomes a much more secure place. You can't have this though until people stop doing two things.

- Stop blaming your users as if it is a solution to the problem.
- Stop re-inventing the wheel when designing login portals, it's too complicated and the risk is too high.
Post #1337004
Posted Sunday, July 29, 2012 1:10 PM
Grasshopper
Group: General Forum Members
And if Dropbox and other sites like that are blocked by policy.....then what?
Post #1337023
Posted Monday, July 30, 2012 3:38 AM
Old Hand
Group: General Forum Members
Actually it is the site's fault for not storing passwords as one-way encrypted hashes. On my site I store all user passwords as twofish encrypted a hundred times by itself and the user name. No way you can get back the original password text from the hash even if I publish the user/password file. With the password file in hand you can't even log in to my site let alone other sites. I can't believe Yahoo stored passwords in clear text.
Post #1337133
Posted Monday, July 30, 2012 7:01 AM
Right there with Babe
Group: General Forum Members
eric.rini (7/29/2012)
Everyone knows username and password is not enough. Stop blaming users for your flawed security implementations.

How about we stop reinventing the wheel and come up with a SAFE, SECURE, REUSABLE online identity. Something tied to more than just a password. Oh wait, it's already done: http://openid.net/. Seriously, I am tired of hearing about every site needing a unique 12+ character mixed case letters, numbers, symbols password, that's ridiculous and works against rational user friendliness and usability design constraints.


I disagree. Having a single ID (this includes things like Facebook, Google+ etc) is essentially the same thing as having a single password. If that ID is compromised, everything is compromised, there is no 'firewall' between identities. Actually it's WORSE because there is a single dashboard with record of EVERY place you use it. The potential thief/snoop doesn't even have to go looking for where you were using your account... it's right there.

If you use that ID for posting on a lot of sites where your screen name is visible, it enables a lot of information to be extracted about you through a web search (this is especially true if it's your real name) by potential employers, nosy or pissed off neighbors, stalkers etc.

The sad thing is, many websites are getting lazy and moving to this model, giving you a 'choice' of Facebook, Google, OpenID etc without even the option of establishing an unrelated account.

One more thing: if you look at the OpenID website, one of their 'advantages' is this little gem: Many OpenID providers collect and share a wide range of demographic information, including name, date of birth, location, gender and an email address. This data allows you to optimize your marketing efforts and tailor your website to better target the needs of your core audience.


...

-- FORTRAN manual for Xerox Computers --
Post #1337216