How Many Passwords?

  • Comments posted to this topic are about the item How Many Passwords?

  • I have a number of safeguards on my passwords.

    I think I am safe.

    I find the security services look good but I don't like the way they put a massive target on themselves. They must have so many people wanting to break their systems.

    I therefore go for obscurity.

    Own simple program held in a random obscure location.

    The only problem with that is that if I don't remember my key password it will wipe the whole thing. I have wiped the thing a few times.

    It is recoverable and I consider it the price to pay for good security.

    I am however in the lap of the companies with whom I am registered....

    .... fingers crossed they know what they are doing.

    Password count 144 at 17/3/14

  • I have around 75!

    ---------------------------------------------------
    "There are only 10 types of people in the world:
    Those who understand binary, and those who don't."

  • I'd really like a log created of every time a log in is attempted to any service that has a password. At least you would have a concrete place to start if any of your services were hacked.

  • The harder and more onerous the process is the more likely users will circumvent security through poor practices. There is much work to be done on this and we, as an industry, desperately need a solution that ANYONE can use from ANYWHERE that allows this.

    The biggest issue that I see is access to stored passwords from remote locations (considering that mobiles are not always allowed or often some websites cannot be accessed too). Not everyone works from the same office, home or even devices. Ideally, what we are looking for is the equivalent to Single Sign On for the web.

    I thought that the federation described (i.e. Microsoft Live accounts, Google accounts and OpenID) might resolve it but we are not quite there yet.

    BTW I am not documenting my security measures here 😉

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • http://xkcd.com/936/

  • Passwords are and will continue to be a nightmare.

    Worse yet, they are a bit of a catch-22. Steps you take towards making them more secure (different passwords for everything, passwords that are hard to guess) tend to also make them harder to remember. Which of course leads to password tools, passwords on sticky notes, etc etc, making the people the biggest security vulnerability.

    As for the open ID stuff, which could have helped significantly, there are problems. First, just like having one really good password and using it everywhere, it's a single point of vulnerability. Not quite as bad, as they have a bit more authentication, but still a risk.

    But even worse, with most of those companies you get a lot more than just authentication even if that's all you want. It's not just 'confirm I am who I say I am'. It's also pushing details about you to the site you registered and pulling usage data back.

  • I've got some hundreds of passwords total, mostly in http://keepass.info/ after going into File, Database Settings, Security, hitting the "1 second delay" option under "Number of key transformation rounds", and then multiplying that by a small number so it takes 2-12 seconds to process the password each time (more if using KeePassDroid or other mobile device ports), which adds quite a few bits of security. 40 million rounds is about 12 and a half bits more security than the default 6 thousand rounds, for example.

    Most of these are passwords with over 128 bits of entropy - 100% random passwords of length 20 to length 128 with as large a character set as the application allows. While it's probably overkill at length 128, since:

    01110101000010011000111101001110110110000010101111011000000111101101001111001100001010110111110011101001111110100101110110100101

    is a 128 bit password, and thus is more or less equivalent to 128 bit symmetric ciphers in terms of security, but if you use LastPass or KeePass or any other tool, creating a password generation profile or five is trivial. Any cryptographically random password with a keyspace of 2^128 (3.4E38) or greater is going to meet current security standards about as long as 128 bit symmetric encryption does.

    That's a cryptographically random

    128 character binary password

    39 character numeric only password

    28 character all lower case password

    25 character lower + numeric password

    23 character lower case + upper case

    22 character lower + upper + numeric password

    21 character lower + upper + numeric + symbols over numeric password

    20 character lower + upper + numeric + 32 symbols password

    18 character lower + upper + numeric + 32 symbols + 81 high ASCII character password

    Biometrics are interesting, but what do you do after someone steals them? Get new fingerprints/retinas? Passwords, at least, you can change.

    RSA and other TOTP tokens are a good idea, but they can be compromised at the root, so the onus is still on users to have solid passwords.

    The only answer I have right now is a password manager with a truly strong cryptographically random password (just start using it regularly; your fingers will remember after a few painful weeks).

    Be aware, if you ever type that password manager password in to some other site, then anyone who's ever taken a copy of it and gets that password can open it up.

    Note also that pieces of paper in your wallet/purse aren't that bad an idea - paper out of the open isn't subject to bulk collection/data breaches, and most of us are reasonably good at protecting our wallets/purses most of the time, assuming low level adversaries.

    P.S. If you want a less secure but still reasonable 96 bit (7.9E28) password:

    That's a cryptographically random

    96 character binary password

    29 character numeric only password

    21 character all lower case password

    19 character lower + numeric password

    17 character lower case + upper case

    17 character lower + upper + numeric password

    16 character lower + upper + numeric + symbols over numeric password

    15 character lower + upper + numeric + 32 symbols password

    13 character lower + upper + numeric + 32 symbols + 81 high ASCII character password

    P.P.S. If you want a borderline/not strong 80 bit (1.2E24) password:

    That's a cryptographically random

    80 character binary password

    25 character numeric only password

    17 character all lower case password

    16 character lower + numeric password

    14 character lower case + upper case

    14 character lower + upper + numeric password

    13 character lower + upper + numeric + symbols over numeric password

    13 character lower + upper + numeric + 32 symbols password

    11 character lower + upper + numeric + 32 symbols + 81 high ASCII character password
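The length tables in the post above all come from one formula: a uniformly random string of n characters drawn from an alphabet of size N carries n·log2(N) bits, so the length needed for a target strength is ceil(bits / log2(N)), and raising the key-transformation round count from R0 to R1 adds log2(R1/R0) bits of work per guess. The following script is an added example that is not the poster's code; the actual character sets are assumptions (the post gives only their sizes), and the 81 "high ASCII" characters are stood in for by an arbitrary run of 81 Latin-1 code points so the alphabet comes out at 175. The length function rounds up, so at the 80-bit target it reports 18 lower-case characters rather than 17 (17 gives 79.9 bits) and 15 mixed-case rather than 14; the 128-bit and 96-bit tables match the post exactly.

```python
"""Password keyspace arithmetic for the length tables above (constructed example)."""
import math
import secrets
import string

# Shifted digits on a US keyboard: the "symbols over numeric" set (10 chars). Assumed.
SYMBOLS_OVER_NUMERIC = ")!@#$%^&*("
# string.punctuation is exactly the 32 printable ASCII symbols.
SYMBOLS_32 = string.punctuation
# Assumed stand-in for the post's 81 high-ASCII characters: U+00A1..U+00F1.
HIGH_ASCII_81 = "".join(chr(c) for c in range(0xA1, 0xA1 + 81))

CHARSETS = {
    "binary": "01",
    "numeric": string.digits,
    "lower": string.ascii_lowercase,
    "lower+numeric": string.ascii_lowercase + string.digits,
    "lower+upper": string.ascii_letters,
    "lower+upper+numeric": string.ascii_letters + string.digits,
    "lower+upper+numeric+symbols over numeric":
        string.ascii_letters + string.digits + SYMBOLS_OVER_NUMERIC,
    "lower+upper+numeric+32 symbols":
        string.ascii_letters + string.digits + SYMBOLS_32,
    "lower+upper+numeric+32 symbols+81 high ASCII":
        string.ascii_letters + string.digits + SYMBOLS_32 + HIGH_ASCII_81,
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def length_for_bits(target_bits: float, alphabet_size: int) -> int:
    """Smallest length whose keyspace alphabet_size**length reaches 2**target_bits.

    Rounds up, so a length that lands a fraction of a bit short of the target
    (17 lower-case characters = 79.9 bits) is not accepted for an 80-bit target.
    """
    return math.ceil(target_bits / math.log2(alphabet_size))


def length_table(target_bits: float) -> dict[str, int]:
    """Reproduce the post's 'N character ... password' table for one strength."""
    return {name: length_for_bits(target_bits, len(cs)) for name, cs in CHARSETS.items()}


def kdf_bits_gained(new_rounds: int, old_rounds: int) -> float:
    """Work-factor gain from raising the key-transformation round count.

    Every guess costs new_rounds/old_rounds times more, which is equivalent to
    adding log2(new/old) bits to the password: 40,000,000 vs 6,000 is ~12.7 bits.
    """
    return math.log2(new_rounds / old_rounds)


def brute_force_years(bits: float, guesses_per_second: float) -> float:
    """Years to enumerate the whole keyspace at a fixed guess rate (no KDF slowdown)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def generate_password(alphabet: str, target_bits: float) -> str:
    """Uniformly random password from `alphabet`, just long enough for target_bits.

    secrets.choice draws from the OS CSPRNG without modulo bias, so each
    character really carries log2(len(alphabet)) bits. Duplicate characters in
    the alphabet would overstate the entropy, so they are rejected.
    """
    if len(set(alphabet)) != len(alphabet):
        raise ValueError("alphabet has duplicate characters; entropy would be overstated")
    n = length_for_bits(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(n))


if __name__ == "__main__":
    for bits in (128, 96, 80):
        print(f"--- {bits}-bit (keyspace {2 ** bits:.1E}) ---")
        for name, n in length_table(bits).items():
            print(f"{n:4d} character {name} password")
    print(f"40M vs 6k rounds: +{kdf_bits_gained(40_000_000, 6_000):.1f} bits")
    print(f"80-bit keyspace at 1e12 guesses/s: {brute_force_years(80, 1e12):,.0f} years")
    pw = generate_password(CHARSETS["lower+upper+numeric+32 symbols"], 128)
    print(f"example 128-bit password ({len(pw)} chars): {pw}")
```

Run it to print all three tables plus the round-count gain; `kdf_bits_gained` is the number to look at when deciding how many seconds of key transformation to tolerate, since doubling the rounds buys exactly one bit against an offline attacker holding a copy of the database.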

  • We don't drive around in tanks to protect ourselves from stray bullets. There is a cost tradeoff here that we are not looking at, or at least don't have the data to discuss intelligently.

  • I have lots of passwords. 🙂

    Pet peeve: when a website has password limitations. Password must be less than 10 characters, or must be alphanumeric only (no symbols) - that's a common one. Hrumpf.

    I usually avoid Google/Microsoft/Facebook/Twitter SSO in favour of creating unique usernames/passwords on each site. Also, I use Google services less simply because I don't like my username.

    Leonard
    Madison, WI

  • phonetictalk (3/17/2014)

    ...

    Pet peeve: when a website has password limitations. Password must be less than 10 characters, or must be alphanumeric only (no symbols) - that's a common one. Hrumpf.

    ...

    Definitely.

    I also avoid the old Facebook hooks into everything malarkey. Twitter too. To be honest, I can't stand Facebook. I use Twitter. I also dislike the way social media sites want to permeate through my whole digital existence. No thanks!!!

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Be aware, if you ever type that password manager password in to some other site, then anyone who's ever taken a copy of it and gets that password can open it up.

    Lol that's sort of a pet peeve of mine, folks at a few jobs of mine would go to a website that has NOTHING TO DO with our company, be presented with a login prompt, and proceed to type in their LOCAL credentials as if they were logging into windows first thing in the morning.
