SQLServerCentral forum: Password Ninjas
Posted Friday, July 19, 2013 12:03 PM
Old Hand
How is this different than Password Safe? Just wondering if I'm missing something. I sync through dropbox, but the safe itself is encrypted on my machines/devices and decrypted there as well.


Hey Steve,

Sorry, I might have made that a little confusing. I didn't mean to compare PasswordSafe and LastPass directly - my description was really meant to distinguish LastPass's model from other online providers, for example Dropbox.

Dropbox manages your encryption keys, so they can decrypt your data. Contrast that with LastPass - or SpiderOak would be a great comparison. SpiderOak is an online storage / syncing provider just like Dropbox. LastPass and SpiderOak do not have your encryption keys - they can not decrypt your data.

Of course, you could put a PasswordSafe or TrueCrypt file in Dropbox and they couldn't read it, but that's you working around Dropbox's inherent insecurity by encrypting your data locally. I'm not suggesting there's anything wrong with this approach, I just think it is important folks distinguish between what Dropbox does versus what companies like LastPass and SpiderOak do.
Post #1475632
Posted Friday, July 19, 2013 12:16 PM
SSCommitted
Steve Jones - SSC Editor (7/19/2013)
djackson 22568 (7/18/2013)

Unmentioned in the article is an issue the industry needs to address, which is that a lot of vendors develop software that requires a specific password in order to function. Sometimes these are database accounts and passwords, sometimes they are internal application accounts, but I have seen vendors request network accounts that must have a particular name and password.



Thanks for the mention here, Dave. This is a huge problem, and one I worry about. I always try System and Manager on Oracle instances, just to see. Those defaults are bad, but the back doors or "support" logins are horrible.


For identifying weak SQL Server accounts, I use the following.
-- There are several frequently used password lists posted on the web. 
-- Here are a few, but perhaps 100 or more could be inserted here.
declare @pw table (pwtext varchar(180) not null primary key);
insert into @pw (pwtext)
values ('password'), ('123456'), ('12345678'), ('1234'), ('qwerty'), ('12345');
select name, type_desc, create_date, modify_date, password_hash
from sys.sql_logins l
join @pw pw on pwdcompare(pw.pwtext, l.password_hash) = 1;

-- Query accounts with empty password:
select name, type_desc, create_date, modify_date, password_hash
from sys.sql_logins
where pwdcompare('', password_hash) = 1;

-- Query accounts where password = account name:
select name, type_desc, create_date, modify_date, password_hash
from sys.sql_logins
where pwdcompare(name, password_hash) = 1;


As for third-party service accounts, we oftentimes have to live with the fact that it has to exist, but we can still control what role membership and permissions it has. They may recommend sysadmin, but you can grant them dbo membership on the application database, sqlagent, and perhaps view server state as needed.
Post #1475636
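The three checks in the post above can be folded into a single audit pass that also surfaces the login's policy flags, which tell you whether the password would have been caught at creation time at all. This is an added example, not code from the post; it assumes the same sys.sql_logins / pwdcompare approach, the candidate list is constructed for illustration, and reading password_hash needs CONTROL SERVER (for example sysadmin membership).

```sql
-- Added example, not code from the post above: the three checks folded into one
-- audit query, with the login's policy flags reported alongside each finding.
-- Reading password_hash from sys.sql_logins needs CONTROL SERVER (e.g. sysadmin).
-- The candidate list below is constructed for illustration; a real run would
-- load a much longer published list into @pw.
declare @pw table (pwtext nvarchar(128) not null primary key);
insert into @pw (pwtext)
values (N'password'), (N'123456'), (N'12345678'), (N'1234'),
       (N'qwerty'),   (N'12345'),  (N'Password1'), (N'welcome');

with findings as
(
    -- Rule 1: password appears on the common-password list
    select l.principal_id, reason = N'common password: ' + pw.pwtext
    from sys.sql_logins l
    join @pw pw on pwdcompare(pw.pwtext, l.password_hash) = 1

    union all

    -- Rule 2: empty password
    select l.principal_id, N'empty password'
    from sys.sql_logins l
    where pwdcompare(N'', l.password_hash) = 1

    union all

    -- Rule 3: password is the login name (pwdcompare is case-sensitive on the
    -- password, so the lower-cased name is tried as well)
    select l.principal_id, N'password equals login name'
    from sys.sql_logins l
    where pwdcompare(l.name, l.password_hash) = 1
       or pwdcompare(lower(l.name), l.password_hash) = 1
)
select l.name,
       l.type_desc,
       l.create_date,
       l.modify_date,
       f.reason,
       l.is_disabled,            -- a disabled login still counts: re-enabling it is one statement away
       l.is_policy_checked,      -- 0 = CHECK_POLICY OFF: Windows complexity/lockout policy not enforced
       l.is_expiration_checked   -- 0 = CHECK_EXPIRATION OFF: the password never expires
from findings f
join sys.sql_logins l on l.principal_id = f.principal_id
order by l.name, f.reason;
```

A login that appears here with is_policy_checked = 0 is the usual story: the vendor installer created it with CHECK_POLICY OFF, so no complexity rule ever applied. Fixing the password alone leaves that door open; ALTER LOGIN ... WITH CHECK_POLICY = ON closes it.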
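The closing paragraph's alternative to sysadmin, written out as a grant script. This is an added example, not code from the post or from any vendor; [VendorSvc] and [VendorAppDb] are placeholder names, "dbo membership" is implemented as the db_owner role, "sqlagent" as the SQLAgentUserRole in msdb, and the ALTER ROLE syntax assumes SQL Server 2012 or later.

```sql
-- Added example, not from the post above: a least-privilege grant for a vendor
-- service login, in place of the sysadmin membership the vendor asked for.
-- [VendorSvc] and [VendorAppDb] are placeholder names. Syntax is SQL Server 2012+;
-- on 2008 use sp_addsrvrolemember / sp_addrolemember instead.
use master;

-- What the vendor typically requests (kept only for contrast, commented out):
-- alter server role sysadmin add member [VendorSvc];

-- 1. Server level: only the DMV read permission the application needs
grant view server state to [VendorSvc];

-- 2. msdb: let the login own and run its own Agent jobs, nothing else
use msdb;
if not exists (select 1 from sys.database_principals where name = N'VendorSvc')
    create user [VendorSvc] for login [VendorSvc];
alter role SQLAgentUserRole add member [VendorSvc];

-- 3. Application database: full control inside that database only
use [VendorAppDb];
if not exists (select 1 from sys.database_principals where name = N'VendorSvc')
    create user [VendorSvc] for login [VendorSvc];
alter role db_owner add member [VendorSvc];

-- 4. Verify: the login must hold no fixed server role (expect zero rows)
select sp.name as login_name, r.name as server_role
from sys.server_role_members rm
join sys.server_principals r  on r.principal_id  = rm.role_principal_id
join sys.server_principals sp on sp.principal_id = rm.member_principal_id
where sp.name = N'VendorSvc';
```

If the application later fails with a permission error, the error text names the exact missing permission; grant that one rather than falling back to sysadmin, and keep the verification query in step 4 in your periodic audit so the membership cannot quietly creep back.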
Posted Friday, July 19, 2013 12:59 PM
SSC-Dedicated
Henry_Lee (7/19/2013)
How is this different than Password Safe? Just wondering if I'm missing something. I sync through dropbox, but the safe itself is encrypted on my machines/devices and decrypted there as well.


Hey Steve,

Sorry, I might have made that a little confusing. I didn't mean to compare PasswordSafe and LastPass directly - my description was really meant to distinguish LastPass's model from other online providers, for example Dropbox.

Dropbox manages your encryption keys, so they can decrypt your data. Contrast that with LastPass - or SpiderOak would be a great comparison. SpiderOak is an online storage / syncing provider just like Dropbox. LastPass and SpiderOak do not have your encryption keys - they can not decrypt your data.

Of course, you could put a PasswordSafe or TrueCrypt file in Dropbox and they couldn't read it, but that's you working around Dropbox's inherent insecurity by encrypting your data locally. I'm not suggesting there's anything wrong with this approach, I just think it is important folks distinguish between what Dropbox does versus what companies like LastPass and SpiderOak do.


That makes sense. For a minute you had me worried. :)

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1475646
Posted Monday, July 22, 2013 9:10 PM
Grasshopper
I've used PasswordSafe previously and I'm currently using the portable version of KeePass Password Safe.
However, for my work network login I have my password list printed out in 18 pt and stuck up alongside my monitor.

I have been harassed by security for this and point out that they can try to hack my password. I'll even tell them which one I'm using.

The password list contains the makes and models of the cars I've owned; the password is the registration number, possibly with a shifted number suffix to give enough characters.

And if anyone knows the registration number of the Vauxhall Victor I owned in 1972 then they can have my account.
Post #1476332
Posted Wednesday, July 24, 2013 2:20 AM
SSC Eights!
Rod at work (7/18/2013)
This topic brings to me an incident I saw at a state agency I used to work at, so please indulge me as I relate this war story. This is some years ago, but still the whole issue of passwords and maintaining secure passwords has been around for quite some time. While I was there, the state capital IT sent out a message to all state agencies warning everyone that no one should write their password on a sticky note and put it on the monitor or anywhere else near the computer. Failure to comply with this would result in severe discipline, up to and including termination. At this particular state agency where I worked, there were certain areas (labs and such) where many people shared a common PC. The edict from the state IT was something everyone took seriously, but I also witnessed how ingenious people can be in finding ways to comply with the letter of the law but still break the spirit of the law. This was back when Windows had a screensaver option to allow you to write a text message as the screen saver. So what they did was write the text "The password is " followed by what the password was.

I had to laugh.


If I used text speak, I'd write LOL, but I don't so I won't. Still, it did raise a chuckle.
Post #1476918
Posted Wednesday, July 24, 2013 2:30 AM
SSC Eights!
steve.alston (7/22/2013)
And if anyone knows the registration number of the Vauxhall Victor I owned in 1972 then they can have my account.


Well, if it was a 1972 model, I'd know it ends in K or L, that it's three letters, one, two or three numbers, then the K or L, none of the first three letters is a Z and there's an S, or there isn't an S, depending on whether the car came from Scotland or not. Even with the number/letter transformations, that's not that many combinations.
Post #1476923
Posted Wednesday, July 24, 2013 7:36 AM
SSChampion
marlon.seton (7/24/2013)
If I used text speak, I'd write LOL, but I don't so I won't.


But you did write it.


_______________________________________________________________

Need help? Help us help you.

Read the article at http://www.sqlservercentral.com/articles/Best+Practices/61537/ for best practices on asking questions.

Need to split a string? Try Jeff Moden's splitter.

Cross Tabs and Pivots, Part 1 – Converting Rows to Columns
Cross Tabs and Pivots, Part 2 - Dynamic Cross Tabs
Understanding and Using APPLY (Part 1)
Understanding and Using APPLY (Part 2)
Post #1477058
Posted Wednesday, July 24, 2013 8:55 AM
SSC Eights!
Sean Lange (7/24/2013)
marlon.seton (7/24/2013)
If I used text speak, I'd write LOL, but I don't so I won't.


But you did write it.

True, but I couldn't really write "If I used text speak, I'd write , but I don't so I won't", could I?
Post #1477112
Posted Thursday, July 25, 2013 7:15 PM
SSC-Insane
I have used PasswordSafe, Keepass and LastPass.

I prefer PasswordSafe of the three but all are just fine.
Jason AKA CirqueDeSQLeil
I have given a name to my pain...
MCM SQL Server


SQL RNNR

Posting Performance Based Questions - Gail Shaw
Posting Data Etiquette - Jeff Moden
Hidden RBAR - Jeff Moden
VLFs and the Tran Log - Kimberly Tripp
Post #1477823
Posted Friday, July 26, 2013 7:01 AM
SSCommitted
My Lenovo laptop came bundled with something called VeriFace, which can substitute facial recognition for the login password. It also appears to encrypt files and folders using facial recognition. However, I've never used it.
Post #1477982