Page 1 of 3
Results 1 to 15 of 31
  1. #1
    5 Star Lounger
    Join Date
    Jan 2011
    Location
    Seattle, WA
    Posts
    1,070
    Thanks
    42
    Thanked 132 Times in 86 Posts

    Lessons learned from the Stratfor files

    IN THE WILD

    By Robert Vamosi

    Creating truly secure passwords can be difficult, at least for some security professionals, it seems.

    A recent data breach at the private intelligence firm Stratfor revealed some all-too-common password weaknesses. Here's how to strengthen your own.

    The full text of this column is posted at WindowsSecrets.com/in-the-wild/lessons-learned-from-the-Stratfor-files (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

  2. #2
    New Lounger
    Join Date
    Aug 2010
    Location
    Georgia, USA
    Posts
    4
    Thanks
    0
    Thanked 0 Times in 0 Posts
    You should include LastPass in your list of password managers. It's a great product and is free.

  3. #3
    Lounger
    Join Date
    Dec 2009
    Location
    North Eastern Arizona, USA
    Posts
    35
    Thanks
    4
    Thanked 2 Times in 2 Posts

    How Safe Is the Password

    Typically, we enter a password and it's then converted. But then the password itself and the converted value are in memory. Can't a clever hacker pick that out of memory?

    If we have a password manager open and presumably in memory, what keeps a hacker from picking all your passwords out of memory?

    And is a password manager pretty easy for the programmers/analysts/managers who wrote the password manager to break into? Disgruntled ex-employees from a password manager would seem to be a threat also?

  4. #4
    New Lounger
    Join Date
    Jan 2012
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    Gee, how can you mention password managers and not have RoboForm there at the top? It's secure, inexpensive, multi-platform, and WORKS!

  5. #5
    Lounge VIP bobprimak
    Join Date
    Feb 2009
    Location
    Hinsdale, IL, USA
    Posts
    2,483
    Thanks
    176
    Thanked 152 Times in 129 Posts
    Quote Originally Posted by partner
    Typically, we enter a password and it's then converted. But then the password it's self and the converted are in memory. Can't a clever hacker pick that out of memory?

    If we have a password manager open and presumably in memory, what keeps a hacker from picking all your passwords out of memory?

    And a password manager is pretty easy for the programmers/analysts/managers who wrote the password manager to break into? Disgruntled ex employes from a password manager would seem to be a threat also?
    Technically, that would be incredibly difficult. The hacker would have to be sitting right there at the computer, and even then, it would not be easy. And transmission over the network or the Internet is encrypted end to end, so that is a minimal risk as well.

    Update: I was wrong about Internet transmissions of passwords. By default, they are NOT encrypted nor hashed. This should be remembered by all Internet users. The only exceptions are the secure logins at bank sites and financial web sites, among a very few others. Something to remember whenever we go to web sites which do not use secure logins.
    Last edited by bobprimak; 2012-02-08 at 12:28. Reason: New information (to me).
    -- Bob Primak --
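A way to check the point Bob corrects in his update (whether a login form will actually submit the password over HTTPS), as an added example that is not part of the column or of any post in this thread: the script parses a page's HTML, finds every form that carries a password field, resolves the form's action against the page URL and flags any whose resolved scheme is not https. The sample HTML, hostnames and the function names are constructed for illustration.

```python
"""Flag HTML login forms whose submission would send the password in the clear.

Added example, not from the column or the forum posts. The HTML and host names
below are constructed for illustration; no real site is involved.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormScanner(HTMLParser):
    """Collect each <form> together with whether it contains a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []          # list of (action, has_password)
        self._current = None     # [action, has_password] of the open form, or None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)          # HTMLParser lowercases tag and attribute names
        if tag == "form":
            self._current = [a.get("action") or "", False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def insecure_login_forms(html, page_url):
    """Return the resolved submit URLs of password forms that post over plain http.

    A relative or empty action inherits the page's own scheme, so a login form on
    an http:// page is insecure even when the action looks harmless.
    """
    scanner = _FormScanner()
    scanner.feed(html)
    scanner.close()
    insecure = []
    for action, has_password in scanner.forms:
        if not has_password:
            continue
        target = urljoin(page_url, action)   # empty action -> the page URL itself
        if urlsplit(target).scheme != "https":
            insecure.append(target)
    return insecure


# Constructed sample page: a forum login posting over http, a bank login over
# https, and a plain search box that carries no password at all.
SAMPLE_PAGE_URL = "http://lounge.example.test/index.php"
SAMPLE_HTML = """
<html><body>
<form action="login.php" method="post">
  <input type="text" name="user"><input type="password" name="pass">
</form>
<form action="https://bank.example.test/auth" method="post">
  <input type="text" name="user"><input type="PASSWORD" name="pw">
</form>
<form action="/search"><input type="text" name="q"></form>
</body></html>
"""

if __name__ == "__main__":
    for url in insecure_login_forms(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("password would be sent in the clear to", url)
```

The check only covers transport: TLS on the submit URL protects the password between the browser and the server, and says nothing about how the site stores it afterwards, which a client-side check cannot see.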

  6. #6
    New Lounger tvalley
    Join Date
    Jan 2012
    Location
    Temecula, CA
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I would be interested to know the author's opinion of Roboform. I've been using it for years and really like it, and now have the newer "Roboform Everywhere" version. But are there any issues to be aware of?
    Thanks in advance,
    Alan Salls
    Temecula, CA

  7. #7
    New Lounger
    Join Date
    Dec 2009
    Location
    California, USA
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I have a couple of passwords for important sites with readme files that give the password, albeit in a form that only my wife might know. It uses information that only we remember. For example, the readme file might say, "Harry's youngest child+Joe's birthday+Anne's middle name+address number in Chicago."

    This would give the password to me, which might be "charles072391sally40811". So there is no need to remember the password itself.

    John Porter
    Newark, CA

  8. #8
    New Lounger
    Join Date
    Dec 2009
    Location
    Toronto, ON, Canada
    Posts
    8
    Thanks
    0
    Thanked 0 Times in 0 Posts
    I know this is just a comic,
    http://xkcd.com/936/
    but the guy who drew it apparently knows what he's talking about --
    http://www.zdnet.com/blog/networking...y-experts/1340
    He also clarifies a few things in a reply to many posters, about 1/2 way down this forum,
    http://ask.metafilter.com/193052/Oh-...confound-me-so

    st00b!ed00d

  10. #10
    New Lounger
    Join Date
    Dec 2009
    Location
    Pineville, LA
    Posts
    16
    Thanks
    0
    Thanked 0 Times in 0 Posts
    First of all, let me state that I do believe in good passwords, with different ones for different logins. What has always bothered me, though, is how password crackers work, since most systems that I have used lock you out after 3 to 5 wrong tries, and you don't need that secure a password to be safe for only 5 tries. What am I missing?
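What the question above is missing is that lockouts only apply to online guessing. Once a site's password database has been taken, as in the Stratfor breach the column discusses, the attacker guesses against the stolen hashes on his own hardware with no lockout at all. The following added example (not from the column or any post here) runs the same small dictionary-plus-rules attack against two constructed databases: one storing unsalted MD5, one storing per-user-salted PBKDF2. The user names, passwords, word list and iteration count are constructed; treating the leaked site as an unsalted-MD5 shop is a hypothetical worst case for illustration, not a statement about Stratfor's systems.

```python
"""Offline cracking of a leaked password database, and why a per-user salt plus
a slow hash matters.  Added example, not part of the column or of any post above.
The "leaked" records are constructed; the unsalted-MD5 scheme is a hypothetical
worst case, not a claim about any real site.
"""
import hashlib
import hmac
import os

# Deliberately tiny so the demo runs in seconds; real deployments use far more.
DEMO_ITERATIONS = 1000

WORDLIST = ["password", "letmein", "intelligence", "analyst", "dragon"]


def candidates(wordlist):
    """Yield guesses the way a cracker's rule engine would: each word as typed and
    capitalised, bare and with a 0-99 or zero-padded 00-09 suffix appended."""
    suffixes = [""] + [str(n) for n in range(100)] + [f"0{n}" for n in range(10)]
    for word in wordlist:
        for base in (word, word.capitalize()):
            for suffix in suffixes:
                yield base + suffix


def make_unsalted_db(passwords):
    """{user: md5hex} - the weak storage scheme being attacked."""
    return {u: hashlib.md5(p.encode()).hexdigest() for u, p in passwords.items()}


def make_salted_db(passwords, iterations=DEMO_ITERATIONS):
    """{user: (salt, pbkdf2hex)} - random per-user salt, deliberately slow KDF."""
    db = {}
    for u, p in passwords.items():
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", p.encode(), salt, iterations)
        db[u] = (salt, dk.hex())
    return db


def crack_unsalted_md5(leaked, wordlist):
    """Return ({user: password}, hash_evaluations).

    With no salt, one MD5 per guess is looked up against every user's hash at
    once, so cracking the whole database costs the same as cracking one account.
    No lockout applies: the attacker holds the hashes and guesses at local speed.
    """
    by_hash = {}
    for user, h in leaked.items():
        by_hash.setdefault(h, []).append(user)
    recovered, evaluations = {}, 0
    for guess in candidates(wordlist):
        evaluations += 1
        for user in by_hash.get(hashlib.md5(guess.encode()).hexdigest(), ()):
            recovered[user] = guess
    return recovered, evaluations


def crack_salted_pbkdf2(records, wordlist, iterations=DEMO_ITERATIONS):
    """Same attack against salted PBKDF2: every guess must be re-derived for every
    user, and each derivation costs `iterations` HMAC calls instead of one hash."""
    recovered, evaluations = {}, 0
    for user, (salt, dk_hex) in records.items():
        for guess in candidates(wordlist):
            evaluations += 1
            dk = hashlib.pbkdf2_hmac("sha256", guess.encode(), salt, iterations)
            if hmac.compare_digest(dk.hex(), dk_hex):
                recovered[user] = guess
                break
    return recovered, evaluations


# Constructed user database: three word-list-derived passwords and one that is
# random and therefore outside anything candidates() can produce.
PASSWORDS = {
    "alice": "password1",
    "bob": "Letmein",
    "carol": "Analyst07",
    "dave": "vY7$kQ2!pLw9#rTz",
}
LEAKED_MD5 = make_unsalted_db(PASSWORDS)
LEAKED_PBKDF2 = make_salted_db(PASSWORDS)

if __name__ == "__main__":
    got, n = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    print(f"unsalted MD5:  recovered {got} after {n} hashes")
    got, n = crack_salted_pbkdf2(LEAKED_PBKDF2, WORDLIST)
    print(f"salted PBKDF2: recovered {got} after {n} derivations of "
          f"{DEMO_ITERATIONS} rounds each")
```

Both runs recover the same three accounts, which is the first lesson: the hash scheme does not rescue a guessable password. The difference is cost. The MD5 run spends one cheap hash per guess for all users together; the PBKDF2 run has to redo every guess per user and pay the full iteration count each time, so a weak choice such as "Analyst07" is still found, but the random one is not, and the attacker's budget per account shrinks by orders of magnitude.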

  11. #11
    New Lounger
    Join Date
    Jan 2012
    Posts
    15
    Thanks
    4
    Thanked 0 Times in 0 Posts

    Comparison of password tools

    I've become convinced that I need unique passwords at each important site, and that means I need a tool to track them for me -- my memory is not good enough to deal with five complex passwords, never mind the fifty or so I actually need. Two questions:

    1. There seem to be at least three tools for remembering passwords and filling in other form information: Roboform, 1Password, and Lastpass. I'd be very interested in a comparison between them, both for convenience and for security. What risks am I exposed to if *they* have a security breach? What platforms do they support well? (For example, I'm currently a RoboHelp user -- reasonably satisfied, but unsure as to the actual security it provides -- but it is really pretty useless on an iPad, since it can't integrate with the browser.)

    2. A related question: What is good practice with password-recovery questions, "Name of 1st school", etc. It seems to me that going without them means a significant risk of losing control of a login if you forget the password, but aren't these questions, in effect, extra passwords that are particularly easily guessed?

  12. #12
    Super Moderator
    Join Date
    Jun 2011
    Location
    New England
    Posts
    4,756
    Thanks
    171
    Thanked 653 Times in 576 Posts
    Quote Originally Posted by bobprimak
    And transmission over the network or the Internet is encrypted end to end, so that is a minimal risk as well.
    Are you referring here only to banking/credit sites with secure login pages using https? Not sites like this one which do not have end to end encryption for passwords?

    Bruce

  13. #13
    New Lounger
    Join Date
    Dec 2009
    Location
    Salem, NH
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts
    So the first element listed by Microsoft for passwords was length, but then that wasn't really explained. In research I've done before, supposedly ALL of the "known" password cracking software programs that are out there will crash when the password exceeds around 14-15 characters. So if I use a pass phrase with, say, 20-25 characters (or 26 in the case of my Windows password), it should then be uncrackable? This seems to be true when trying that length of password on one of several password strength testing sites, therefore can those sites really be trusted as a true test of password strength?
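The xkcd comic linked in post #8 and the length question just above are two sides of the same calculation, so one added example (not from the column or any post here) covers both: it computes the bits of entropy behind a password chosen uniformly from a character set, behind a passphrase of random words, and behind a human-style pattern expressed as a cracking mask (the ?l ?u ?d ?s ?a tokens used by tools such as hashcat), and converts each into worst-case exhaust time at an assumed guess rate. The word list, the guess rate and the row labels are constructed assumptions.

```python
"""Entropy and keyspace estimates for passwords and passphrases.  Added example,
not part of the column or the posts above.  The guess rate and the small embedded
word list are constructed assumptions; the mask tokens follow the ?l ?u ?d ?s ?a
convention used by cracking tools such as hashcat.
"""
import math
import secrets

# Character-class sizes behind the common mask tokens.
MASK_CLASSES = {"?l": 26, "?u": 26, "?d": 10, "?s": 33, "?a": 95}


def charset_entropy_bits(length, alphabet_size):
    """Bits of entropy for a password chosen uniformly at random from an alphabet."""
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(words, wordlist_size):
    """Bits of entropy for `words` words chosen uniformly from `wordlist_size` words."""
    return words * math.log2(wordlist_size)


def mask_keyspace(mask):
    """Number of candidates for a structural pattern such as '?u?l?l?l?l?l?d?d'
    (one capital, five lowercase, two digits).  A human-chosen 'Summer12'-style
    password lives in this space, not in the full 95**8 space, and a long
    password built the same way is attacked the same way, not by brute force."""
    if len(mask) % 2:
        raise ValueError("mask must be a sequence of ?x tokens")
    total = 1
    for i in range(0, len(mask), 2):
        total *= MASK_CLASSES[mask[i:i + 2]]
    return total


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate of a `bits`-bit space at a given rate."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(words, wordlist, sep=" "):
    """Pick words with a CSPRNG.  The entropy is log2(len(wordlist)) per word and
    comes from the random choice, not from how long the phrase ends up."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


# Constructed 16-word list: log2(16) = 4 bits per word, far below the ~12.9 bits
# per word of a 7776-word diceware list, so it is for demonstration only.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "anchor", "meadow",
              "copper", "violet", "harbor", "lantern", "orbit", "pencil",
              "quartz", "river", "saddle", "timber"]


def compare(guesses_per_second=1e10):
    """Return {label: (bits, seconds_to_exhaust)} for several strategies.  The rate
    is a constructed assumption standing in for offline cracking of a fast hash."""
    rows = {
        "8 random printable chars": charset_entropy_bits(8, 95),
        "8 chars, Ulllllldd pattern": math.log2(mask_keyspace("?u?l?l?l?l?l?d?d")),
        "14 random printable chars": charset_entropy_bits(14, 95),
        "14 chars, Ullllllllllldd pattern": math.log2(mask_keyspace("?u" + "?l" * 11 + "?d?d")),
        "4 words from 7776-word list": passphrase_entropy_bits(4, 7776),
        "26 random lowercase chars": charset_entropy_bits(26, 26),
    }
    return {k: (round(v, 1), seconds_to_exhaust(v, guesses_per_second))
            for k, v in rows.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:34s} {bits:6.1f} bits  {secs / 86400:18.1f} days")
    print("sample passphrase:", generate_passphrase(4, DEMO_WORDS))
```

Two things fall out of the numbers. A 14-character password built on a familiar capital-letters-digits pattern has roughly 63 bits of keyspace, not the 92 bits that 14 random printable characters would have, because a cracker attacks the pattern, not the length. And an online strength meter can only score the one string it is shown; it has no way to know whether the characters were chosen at random or follow a pattern, so it measures appearance, not the process that produced the password.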

  14. #14
    New Lounger
    Join Date
    Dec 2009
    Location
    Scotland
    Posts
    1
    Thanks
    0
    Thanked 0 Times in 0 Posts

    How safe are the password managers?

    I've always wondered how you know if your password managing software is, or is not, sending all the info you enter into it off to destinations unknown!

  15. #15
    New Lounger
    Join Date
    Apr 2010
    Location
    Ottawa, Canada
    Posts
    2
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Even banks allow crappy passwords

    I wrote a blog post about how poor the password requirements were for banking and e-commerce sites in March 2010. http://neil.eton.ca/blog/?p=187 As far as I can tell, nothing has changed since then. It is no wonder that users feel that weak passwords are adequate.

