How Many Passwords?
Posted Saturday, March 15, 2014 11:30 AM
Comments posted to this topic are about the item How Many Passwords?

Follow me on Twitter: @way0utwest

Forum Etiquette: How to post data/code on a forum to get the best help
Post #1551507
Posted Monday, March 17, 2014 3:43 AM
I have a number of safeguards on my passwords.

I think I am safe.

I find the security services look good but I don't like the way they put a massive target on themselves. They must have so many people wanting to break their systems.

I therefore go for obscurity.
Own simple program held in a random obscure location.

The only problem with that is that if I don't remember my key password it will wipe the whole thing. I have wiped the thing a few times.

It is recoverable, and I consider it the price to pay for good security.
I am, however, in the lap of the companies with whom I am registered....
.... fingers crossed they know what they are doing.

Password count 144 at 17/3/14
Post #1551671
Posted Monday, March 17, 2014 3:58 AM
I have around 75!

---------------------------------------------------
"There are only 10 types of people in the world:
Those who understand binary, and those who don't."
Post #1551674
Posted Monday, March 17, 2014 4:18 AM
I'd really like a log created of every time a log in is attempted to any service that has a password. At least you would have a concrete place to start if any of your services were hacked.
Post #1551679
Posted Monday, March 17, 2014 5:15 AM
The harder and more onerous the process is, the more likely users will circumvent security through poor practices. There is much work to be done on this and we, as an industry, desperately need a solution that ANYONE can use from ANYWHERE that allows this.

The biggest issue that I see is access to stored passwords from remote locations (considering that mobiles are not always allowed, and often some websites cannot be accessed either). Not everyone works from the same office, home or even devices. Ideally, what we are looking for is the equivalent of Single Sign On for the web.

I thought that the federation described (i.e. Microsoft Live accounts, Google accounts and OpenID) might resolve it but we are not quite there yet.

BTW, I am not documenting my security measures here.


Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Post #1551683
Posted Monday, March 17, 2014 6:33 AM
http://xkcd.com/936/
Post #1551703
Posted Monday, March 17, 2014 7:03 AM
Passwords are and will continue to be a nightmare.

Worse yet, they are a bit of a catch-22. Steps you take towards making them more secure (different passwords for everything, passwords that are hard to guess) tend to also make them harder to remember. Which of course leads to password tools, passwords on sticky notes, etc etc, making the people the biggest security vulnerability.

As for the OpenID stuff, which could have helped significantly, there are problems. First, just like having one really good password and using it everywhere, it's a single point of vulnerability. Not quite as bad, as they have a bit more authentication, but still a risk.

But even worse, with most of those companies you get a lot more than just authentication, even if that's all you want. It's not just 'confirm I am who I say I am'. It's also pushing details about you to the site you registered with and pulling usage data back.
Post #1551710
Posted Monday, March 17, 2014 9:12 AM
I've got some hundreds of passwords total, mostly in http://keepass.info/ after going into File, Database Settings, Security, hitting the "1 second delay" option under "Number of key transformation rounds", and then multiplying that by a small number so it takes 2-12 seconds to process the password each time (more if using KeePassDroid or other mobile device ports), which adds quite a few bits of security. 40 million rounds is about 12 and a half bits more security than the default of 6 thousand rounds, for example.

Most of these are passwords with over 128 bits of entropy - 100% random passwords of length 20 to length 128 with as large a character set as the application allows. Length 128 is probably overkill, since:

01110101000010011000111101001110110110000010101111011000000111101101001111001100001010110111110011101001111110100101110110100101

is a 128-bit password, and thus is more or less equivalent to 128-bit symmetric ciphers in terms of security; but if you use LastPass or KeePass or any other tool, creating a password generation profile or five is trivial. Any cryptographically random password with a keyspace of 2^128 (3.4E38) or greater is going to meet current security standards about as long as 128-bit symmetric encryption does.

That's a cryptographically random:
128 character binary password
39 character numeric only password
28 character all lower case password
25 character lower + numeric password
23 character lower case + upper case
22 character lower + upper + numeric password
21 character lower + upper + numeric + symbols over numeric password
20 character lower + upper + numeric + 32 symbols password
18 character lower + upper + numeric + 32 symbols + 81 high ASCII character password

Biometrics are interesting, but what do you do after someone steals them? Get new fingerprints/retinas? Passwords, at least, you can change.

RSA and other TOTP tokens are a good idea, but they can be compromised at the root, so the onus is still on users to have solid passwords.

The only answer I have right now is a password manager with a truly strong cryptographically random password (just start using it regularly; your fingers will remember after a few painful weeks).

Be aware, if you ever type that password manager password into some other site, then anyone who's ever taken a copy of it and gets that password can open it up.

Note also that pieces of paper in your wallet/purse aren't that bad an idea - paper out of the open isn't subject to bulk collection/data breaches, and most of us are reasonably good at protecting our wallets/purses most of the time, assuming low level adversaries.

P.S. If you want a less secure but still reasonable 96-bit (7.9E28) password, that's a cryptographically random:
96 character binary password
29 character numeric only password
21 character all lower case password
19 character lower + numeric password
17 character lower case + upper case
17 character lower + upper + numeric password
16 character lower + upper + numeric + symbols over numeric password
15 character lower + upper + numeric + 32 symbols password
13 character lower + upper + numeric + 32 symbols + 81 high ASCII character password

P.P.S. If you want a borderline/not strong 80-bit (1.2E24) password, that's a cryptographically random:
80 character binary password
25 character numeric only password
17 character all lower case password
16 character lower + numeric password
14 character lower case + upper case
14 character lower + upper + numeric password
13 character lower + upper + numeric + symbols over numeric password
13 character lower + upper + numeric + 32 symbols password
11 character lower + upper + numeric + 32 symbols + 81 high ASCII character password
Post #1551791
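The length tables and the "bits from key transformation rounds" figure in the post above are all the same two calculations: the smallest length L at which N^L reaches 2^bits for an alphabet of N symbols, and log2 of the ratio between two round counts. The script below is an added example written for this page; it is not code from the post, from KeePass or from LastPass. The alphabet sizes (10 digits, 26 letters, 32 printable ASCII symbols, 81 "high ASCII" characters) and the 40,000,000 vs 6,000 round counts are the post's own; the concrete high-ASCII range (0xA1-0xF1), the function names and the sample generator are this example's assumptions. The length function does exact integer comparison and always rounds up, which reproduces the post's 128- and 96-bit lists exactly; at 80 bits it gives 18 lowercase and 15 mixed-case characters, because 26^17 and 52^14 fall just short of 2^80, whereas the post's 80-bit list rounds those two down.

```python
"""Password-entropy arithmetic: length needed for a target keyspace,
entropy of a given password, and the work factor added by more KDF rounds.
Added example for this page; not code from the post, KeePass or LastPass.
"""
import math
import secrets
import string

# Alphabets as the post describes them. The exact high-ASCII range is an
# assumption: 81 consecutive Latin-1 code points, 0xA1..0xF1 inclusive.
LOWER = string.ascii_lowercase                      # 26
UPPER = string.ascii_uppercase                      # 26
DIGITS = string.digits                              # 10
SYMBOLS_OVER_DIGITS = "!@#$%^&*()"                  # 10: shift+0-9 on a US keyboard
SYMBOLS_32 = string.punctuation                     # 32 printable ASCII symbols
HIGH_ASCII = "".join(chr(c) for c in range(0xA1, 0xF2))  # 81 chars (assumed range)

CHARSETS = {
    "binary": "01",
    "numeric": DIGITS,
    "lower": LOWER,
    "lower+numeric": LOWER + DIGITS,
    "lower+upper": LOWER + UPPER,
    "lower+upper+numeric": LOWER + UPPER + DIGITS,
    "lower+upper+numeric+10 symbols": LOWER + UPPER + DIGITS + SYMBOLS_OVER_DIGITS,
    "lower+upper+numeric+32 symbols": LOWER + UPPER + DIGITS + SYMBOLS_32,
    "lower+upper+numeric+32 symbols+81 high ASCII":
        LOWER + UPPER + DIGITS + SYMBOLS_32 + HIGH_ASCII,
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols from an
    alphabet of `alphabet_size`: length * log2(N)."""
    return length * math.log2(alphabet_size)


def min_length_for_bits(alphabet_size: int, bits: int) -> int:
    """Smallest L such that alphabet_size**L >= 2**bits.

    Python integers are arbitrary precision, so the comparison is exact at
    the boundary; a float ceil(bits / log2(N)) can be off by one there.
    """
    length = 1
    while alphabet_size ** length < 2 ** bits:
        length += 1
    return length


def length_table(bits: int) -> dict:
    """Required length for every alphabet in CHARSETS at a given strength."""
    return {name: min_length_for_bits(len(cs), bits) for name, cs in CHARSETS.items()}


def bits_gained_from_rounds(rounds: int, baseline_rounds: int) -> float:
    """Extra work factor, in bits, from raising a KDF's iteration count.
    Every doubling of rounds costs an attacker one more bit per guess."""
    return math.log2(rounds / baseline_rounds)


def generate(charset: str, bits: int) -> str:
    """Password from `charset` with at least `bits` of entropy, drawn from
    the OS CSPRNG via `secrets`; never use random.random for this."""
    length = min_length_for_bits(len(charset), bits)
    return "".join(secrets.choice(charset) for _ in range(length))


if __name__ == "__main__":
    for target in (128, 96, 80):
        print(f"--- {target}-bit password ---")
        for name, length in length_table(target).items():
            print(f"{length:4d} chars  {name}")
    gained = bits_gained_from_rounds(40_000_000, 6_000)
    print(f"40,000,000 rounds vs 6,000: about +{gained:.1f} bits of work factor")
    cs = CHARSETS["lower+upper+numeric+32 symbols"]
    pw = generate(cs, 128)
    print(f"sample: {pw!r}  ({entropy_bits(len(cs), len(pw)):.1f} bits)")
```

Two points worth keeping straight when reusing this: the entropy figures only hold if every symbol really is chosen uniformly by a CSPRNG (a human "randomising" a 20-character string gets nowhere near 131 bits), and the rounds figure is a work factor on the master key, not extra entropy in it; it multiplies the cost of each guess but does nothing for a master password that is itself guessable.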
Posted Monday, March 17, 2014 9:49 AM
We don't drive around in tanks to protect ourselves from stray bullets. There is a cost tradeoff here that we are not looking at, or at least don't have the data to discuss intelligently.
Post #1551816
Posted Monday, March 17, 2014 9:54 AM
I have lots of passwords. :)

Pet peeve: when a website has password limitations. Password must be less than 10 characters, or must be alphanumeric only (no symbols) - that's a common one. Hrumpf.

I usually avoid Google/Microsoft/Facebook/Twitter SSO in favour of creating unique usernames/passwords on each site. Also, I use Google services less simply because I don't like my username.


Leonard
Madison, WI
Post #1551819