Don't Share Passwords Across Sites
Steve Jones | SSC-Dedicated (36K reputation) | Group: Administrators | Points: 36316 | Visits: 18752
Comments posted to this topic are about the item Don't Share Passwords Across Sites

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
jmiller 72604 | Grasshopper (11 reputation) | Group: General Forum Members | Points: 11 | Visits: 80
Totally agree.

My own strategy rather than using a password safe is that I have a fixed random-looking collection of capitals, numbers and symbols (which is actually memorable to me) into which I then incorporate parts of the name of the site I'm logging in to (should that be "in to which I'm logging?").

Again, it may not be perfect, but it would be very difficult for a human to get from one of my passwords to the next, and even harder for a machine.
ldsudduth1 | Grasshopper (15 reputation) | Group: General Forum Members | Points: 15 | Visits: 15
Using a product to store passwords for various sites is all well and good, but many of us have multiple devices (laptop, desktop, smart phone, tablet). Our smart phone might be Android or iOS based; our desktops and laptops could be Windows, Linux (or both). There is no one tool that serves them all, unfortunately---except for writing them down (bad!!) or memory. This is why most of us use the same (or very similar) passwords on all of our sites, both secured and unsecured. It just really isn't practical for most of us to use the one-site/one-password rule. Until there is cross-platform 'password storage' (which will probably require encrypted secure cloud storage--with a password to access), re-using passwords will, unfortunately, be the rule rather than the exception.
eric.rini | Forum Newbie (6 reputation) | Group: General Forum Members | Points: 6 | Visits: 51
Everyone knows username and password is not enough. Stop blaming users for your flawed security implementations.

How about we stop reinventing the wheel and come up with a SAFE, SECURE, REUSABLE online identity. Something tied to more than just a password. Oh wait, it's already done: http://openid.net/. Seriously, I am tired of hearing about every site needing a unique 12+ character mixed-case letters, numbers, symbols password; that's ridiculous and works against rational user-friendliness and usability design constraints.
Steve Jones | SSC-Dedicated (36K reputation) | Group: Administrators | Points: 36316 | Visits: 18752
ldsudduth1 (7/29/2012)
Using a product to store passwords for various sites is all well and good, but many of us have multiple devices (laptop, desktop, smart phone, tablet). Our smart phone might be Android or iOS based; our desktops and laptops could be Windows, Linux (or both). There is no one tool that serves them all, unfortunately...


Not true.

I use Password Safe, with my safes synced by Dropbox. I have a Windows 7 desktop, an iOS phone, and an OS X MacBook, keeping my passwords synced across all of them. There are Android and *nix ports as well. I believe KeePass works the same way.
Steve Jones | SSC-Dedicated (36K reputation) | Group: Administrators | Points: 36316 | Visits: 36316
eric.rini (7/29/2012)
Everyone knows username and password is not enough. Stop blaming users for your flawed security implementations.

How about we stop reinventing the wheel and come up with a SAFE, SECURE, REUSABLE online identity. Something tied to more than just a password. Oh wait, it's already done: http://openid.net/. Seriously, I am tired of hearing about every site needing a unique 12+ character mixed-case letters, numbers, symbols password; that's ridiculous and works against rational user-friendliness and usability design constraints.


Yes and no. This isn't necessarily a bad solution, and may be the best one. But if someone cracks into your OpenID site, then they access all your information. There is some value to having different identities. I'm not sure I want my OpenID linked to my bank account.
eric.rini | Forum Newbie (6 reputation) | Group: General Forum Members | Points: 6 | Visits: 51
We all know username + password doesn't meet the basic requirement of "something you have and something you know"... it's more "something you know and something you know". If more developers were using centralized identities, it becomes cost effective to secure these centralized accounts with physical security measures rather than passwords.

For example, a physical authentication like linking an account to a mobile phone (it sends you a text with a unique key to log in) or using a token like this - http://us.battle.net/support/en/article/battle-net-authenticator-faq simply cannot be cracked, no matter how irresponsible or uneducated the user is about security.

If you had a single online presence it could be linked to a physical form of authentication and the web becomes a much more secure place. You can't have this though until people stop doing two things.

- Stop blaming your users as if it is a solution to the problem.
- Stop re-inventing the wheel when designing login portals; it's too complicated and the risk is too high.
ldsudduth1 | Grasshopper (15 reputation) | Group: General Forum Members | Points: 15 | Visits: 15
And if Dropbox and other sites like that are blocked by policy.....then what?
umailedit | SSC-Addicted (411 reputation) | Group: General Forum Members | Points: 411 | Visits: 245
Actually it is the site's fault for not storing passwords as one-way encrypted hashes. On my site I store all user passwords as Twofish encrypted a hundred times by itself and the user name. No way you can get back the original password text from the hash even if I publish the user/password file. With the password file in hand you can't even log in to my site, let alone other sites. I can't believe Yahoo stored passwords in clear text.
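The thread's point about one-way storage, and about the same password being reused on many sites, can be illustrated with a salted, iterated password hash. This is an added example, not the poster's scheme: it uses PBKDF2-HMAC-SHA256 from Python's standard library with a random per-user salt, so the same password stored by two sites (or two users) produces unrelated records, and a leaked file from one site is useless as credentials anywhere else. The iteration count is an illustrative assumption and should be tuned to the server's hardware.

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters (assumption for this example, not a recommendation).
ITERATIONS = 200_000
SALT_BYTES = 16

def hash_password(password: str, username: str, salt: Optional[bytes] = None) -> dict:
    """Produce a storable record. A fresh random salt is drawn per record, and
    the user name is mixed into the salt so identical passwords never collide."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt + username.encode("utf-8"), ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": ITERATIONS, "salt": salt, "hash": key}

def verify_password(record: dict, password: str, username: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so the check does not leak how many leading bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"] + username.encode("utf-8"),
                                    record["iter"])
    return hmac.compare_digest(candidate, record["hash"])

def same_password_two_sites(password: str, username: str) -> bool:
    """Constructed scenario: one user reuses a password on two sites. Returns
    True when the two stored hashes differ, i.e. one leak does not expose the other."""
    site_a = hash_password(password, username)
    site_b = hash_password(password, username)
    return site_a["hash"] != site_b["hash"]

if __name__ == "__main__":
    rec = hash_password("correct horse battery", "alice")   # constructed credentials
    print(verify_password(rec, "correct horse battery", "alice"))  # True
    print(same_password_two_sites("correct horse battery", "alice"))  # True
```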
jay-h | SSC Eights! (933 reputation) | Group: General Forum Members | Points: 933 | Visits: 2222
eric.rini (7/29/2012)
Everyone knows username and password is not enough. Stop blaming users for your flawed security implementations.

How about we stop reinventing the wheel and come up with a SAFE, SECURE, REUSABLE online identity. Something tied to more than just a password. Oh wait, it's already done: http://openid.net/. Seriously, I am tired of hearing about every site needing a unique 12+ character mixed-case letters, numbers, symbols password; that's ridiculous and works against rational user-friendliness and usability design constraints.


I disagree. Having a single ID (this includes things like Facebook, Google+ etc.) is essentially the same thing as having a single password. If that ID is compromised, everything is compromised; there is no 'firewall' between identities. Actually it's WORSE because there is a single dashboard with a record of EVERY place you use it. The potential thief/snoop doesn't even have to go looking for where you were using your account... it's right there.

If you use that ID for posting on a lot of sites where your screen name is visible, it enables a lot of information to be extracted about you through a web search (this is especially true if it's your real name) by potential employers, nosy or pissed off neighbors, stalkers etc.

The sad thing is, many websites are getting lazy and moving to this model, giving you a 'choice' of Facebook, Google, OpenID etc without even the option of establishing an unrelated account.

One more thing: if you look at the OpenID website, one of their 'advantages' is this little gem: Many OpenID providers collect and share a wide range of demographic information, including name, date of birth, location, gender and an email address. This data allows you to optimize your marketing efforts and tailor your website to better target the needs of your core audience.

...

-- FORTRAN manual for Xerox Computers --