How Many Passwords?
Steve Jones (SSC Guru, Administrators)
Comments posted to this topic are about the item How Many Passwords?

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
Dalkeith (Mr or Mrs. 500, General Forum Members)
I have a number of safeguards on my passwords.

I think I am safe.

I find the security services look good but I don't like the way they put a massive target on themselves. They must have so many people wanting to break their systems.

I therefore go for obscurity.
Own simple program held in a random obscure location.

The only problem with that is that if I don't remember my key password it will wipe the whole thing. I have wiped the thing a few times.

It is recoverable and I consider it the price to pay for good security.
I am, however, in the lap of the companies with whom I am registered....
.... fingers crossed they know what they are doing.

Password count 144 at 17/3/14
free_mascot (SSCertifiable, General Forum Members)
I have around 75!

---------------------------------------------------
"There are only 10 types of people in the world:
Those who understand binary, and those who don't."
Robert Sterbal-482516 (Mr or Mrs. 500, General Forum Members)
I'd really like a log created of every time a login is attempted to any service that has a password. At least you would have a concrete place to start if any of your services were hacked.
Gary Varga (One Orange Chip, General Forum Members)
The harder and more onerous the process is the more likely users will circumvent security through poor practices. There is much work to be done on this and we, as an industry, desperately need a solution that ANYONE can use from ANYWHERE that allows this.

The biggest issue that I see is access to stored passwords from remote locations (considering that mobiles are not always allowed or often some websites cannot be accessed too). Not everyone works from the same office, home or even devices. Ideally, what we are looking for is the equivalent to Single Sign On for the web.

I thought that the federation described (i.e. Microsoft Live accounts, Google accounts and OpenID) might resolve it but we are not quite there yet.

BTW I am not documenting my security measures here ;-)

Gaz

-- Stop your grinnin' and drop your linen...they're everywhere!!!
Your Name Here (SSC-Addicted, General Forum Members)
http://xkcd.com/936/
Nevyn (Hall of Fame, General Forum Members)
Passwords are and will continue to be a nightmare.

Worse yet, they are a bit of a catch-22. Steps you take towards making them more secure (different passwords for everything, passwords that are hard to guess) tend to also make them harder to remember. Which of course leads to password tools, passwords on sticky notes, etc., etc., making the people the biggest security vulnerability.

As for the OpenID stuff, which could have helped significantly, there are problems. First, just like having one really good password and using it everywhere, it's a single point of vulnerability. Not quite as bad, as they have a bit more authentication, but still a risk.

But even worse, with most of those companies you get a lot more than just authentication even if that's all you want. It's not just 'confirm I am who I say I am'. It's also pushing details about you to the site you registered and pulling usage data back.
Nadrek (SSCarpal Tunnel, General Forum Members)
I've got some hundreds of passwords total, mostly in http://keepass.info/ after going into File, Database Settings, Security, hitting the "1 second delay" option under "Number of key transformation rounds", and then multiplying that by a small number so it takes 2-12 seconds to process the password each time (more if using KeePassDroid or other mobile device ports), which adds quite a few bits of security. 40 million rounds is about 12 and a half bits more security than the default 6 thousand rounds, for example.

Most of these are passwords with over 128 bits of entropy - 100% random passwords of length 20 to length 128 with as large a character set as the application allows. While it's probably overkill at length 128, since:

01110101000010011000111101001110110110000010101111011000000111101101001111001100001010110111110011101001111110100101110110100101

is a 128 bit password, and thus is more or less equivalent to 128 bit symmetric ciphers in terms of security, but if you use LastPass or KeePass or any other tool, creating a password generation profile or five is trivial. Any cryptographically random password with a keyspace of 2^128 (3.4E38) or greater is going to meet current security standards about as long as 128 bit symmetric encryption does.

That's a cryptographically random
128 character binary password
39 character numeric only password
28 character all lower case password
25 character lower + numeric password
23 character lower case + upper case
22 character lower + upper + numeric password
21 character lower + upper + numeric + symbols over numeric password
20 character lower + upper + numeric + 32 symbols password
18 character lower + upper + numeric + 32 symbols + 81 high ASCII character password

Biometrics are interesting, but what do you do after someone steals them? Get new fingerprints/retinas? Passwords, at least, you can change.

RSA and other TOTP tokens are a good idea, but they can be compromised at the root, so the onus is still on users to have solid passwords.

The only answer I have right now is a password manager with a truly strong cryptographically random password (just start using it regularly; your fingers will remember after a few painful weeks).

Be aware, if you ever type that password manager password in to some other site, then anyone who's ever taken a copy of it and gets that password can open it up.

Note also that pieces of paper in your wallet/purse aren't that bad an idea - paper out of the open isn't subject to bulk collection/data breaches, and most of us are reasonably good at protecting our wallets/purses most of the time, assuming low level adversaries.

P.S. If you want a less secure but still reasonable 96 bit (7.9E28) password:
That's a cryptographically random
96 character binary password
29 character numeric only password
21 character all lower case password
19 character lower + numeric password
17 character lower case + upper case
17 character lower + upper + numeric password
16 character lower + upper + numeric + symbols over numeric password
15 character lower + upper + numeric + 32 symbols password
13 character lower + upper + numeric + 32 symbols + 81 high ASCII character password

P.P.S. If you want a borderline/not strong 80 bit (1.2E24) password:
That's a cryptographically random
80 character binary password
25 character numeric only password
17 character all lower case password
16 character lower + numeric password
14 character lower case + upper case
14 character lower + upper + numeric password
13 character lower + upper + numeric + symbols over numeric password
13 character lower + upper + numeric + 32 symbols password
11 character lower + upper + numeric + 32 symbols + 81 high ASCII character password
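The three tables above come from one formula: a uniformly random password of length L over an alphabet of N characters has L * log2(N) bits of entropy, so the length needed for a target of B bits is ceil(B / log2(N)). The script below is an added example, not code from the post or from KeePass; it reproduces the tables, draws passwords from the OS CSPRNG at the computed length, and expresses the KeePass key-transformation round count as a work factor in bits. The alphabet sizes (10 shifted-digit symbols, the 32 ASCII punctuation characters, an assumed 81-character "high ASCII" set represented only by its size) are taken from the post. Because it always rounds up to a whole character, its 80-bit row for all-lower-case comes out at 18 rather than the 17 the post lists (26^17 is about 2^79.9); the 128-bit and 96-bit rows match the post exactly.

```python
import math
import secrets
import string

# Alphabets enumerated in the post. The "81 high ASCII" set is an assumed
# count; only its size matters for the length arithmetic, so no characters
# are listed for it.
SHIFT_DIGIT_SYMBOLS = "!@#$%^&*()"  # the 10 symbols "over" the digits on a US keyboard
ALPHABETS = {
    "binary": "01",
    "numeric": string.digits,
    "lower": string.ascii_lowercase,
    "lower+numeric": string.ascii_lowercase + string.digits,
    "lower+upper": string.ascii_letters,
    "lower+upper+numeric": string.ascii_letters + string.digits,
    "lower+upper+numeric+shift symbols": string.ascii_letters + string.digits + SHIFT_DIGIT_SYMBOLS,
    "lower+upper+numeric+32 symbols": string.ascii_letters + string.digits + string.punctuation,
}
HIGH_ASCII_ALPHABET_SIZE = 94 + 81  # 32 symbols + assumed 81 extra characters
KEEPASS_DEFAULT_ROUNDS = 6000       # KeePass 2.x default for AES-KDF, as the post says


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def min_length(target_bits: int, alphabet_size: int) -> int:
    """Smallest length whose keyspace is at least 2**target_bits (rounds up)."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def length_table(target_bits: int) -> dict:
    """Characters needed per alphabet for target_bits, like the post's tables."""
    table = {name: min_length(target_bits, len(chars)) for name, chars in ALPHABETS.items()}
    table["lower+upper+numeric+32 symbols+81 high ASCII"] = min_length(
        target_bits, HIGH_ASCII_ALPHABET_SIZE
    )
    return table


def generate(alphabet_name: str, target_bits: int) -> str:
    """Draw a password from the CSPRNG (secrets) with at least target_bits of entropy.

    secrets.choice is uniform over the alphabet, so each character contributes
    exactly log2(len(alphabet)) bits; random.choice would not be suitable here.
    """
    chars = ALPHABETS[alphabet_name]
    return "".join(secrets.choice(chars) for _ in range(min_length(target_bits, len(chars))))


def kdf_bits_gained(rounds: int, default_rounds: int = KEEPASS_DEFAULT_ROUNDS) -> float:
    """Extra work factor, in bits, from raising the key-transformation round count.

    Each doubling of rounds doubles the cost of every guess in an offline attack
    on the database file, which is equivalent to one more bit of password
    entropy against that attacker (and only that attacker). 40 million rounds
    versus the 6000 default is log2(40e6 / 6000), about 12.7 bits.
    """
    return math.log2(rounds / default_rounds)


if __name__ == "__main__":
    for bits in (128, 96, 80):
        print(f"--- {bits}-bit target ---")
        for name, n in length_table(bits).items():
            print(f"{n:4d} chars  {name}")
    pw = generate("lower+upper+numeric+32 symbols", 128)
    print("sample 128-bit password:", pw, f"({entropy_bits(len(pw), 94):.1f} bits)")
    print(f"40M rounds vs 6000: +{kdf_bits_gained(40_000_000):.2f} bits")
```

Run it as a script to print all three tables; the work-factor figure is about resisting an offline attack on a stolen database and does nothing for a password that is typed into a phishing page, which is the point the post's warning about reusing the manager password makes.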
Robert.Sterbal (SSChasing Mays, General Forum Members)
We don't drive around in tanks to protect ourselves from stray bullets. There is a cost tradeoff here that we are not looking at, or at least don't have the data to discuss intelligently.
phonetictalk (Ten Centuries, General Forum Members)
I have lots of passwords. :)

Pet peeve: when a website has password limitations. Password must be less than 10 characters, or must be alphanumeric only (no symbols) - that's a common one. Hrumpf.

I usually avoid Google/Microsoft/Facebook/Twitter SSO in favour of creating unique usernames/passwords on each site. Also, I use Google services less simply because I don't like my username.

Leonard
Madison, WI