
Thread: Password managers

  1. #21
    Re: Password managers

    Quote Originally Posted by NYCfixie:
    Since nobody else has said I will:

    If you talk to any serious industry information security expert they will tell you that the most secure password storage is pen and paper and then keep that list in your wallet because these days you are more likely to have your electronic password storage system compromised than be mugged and your physical wallet stolen.


    This system assumes that you are already using strong passwords and/or passphrases.
    Yes, this is what my friend told me. His password system is an address book with passwords recorded like contacts. He photocopies all the pages in the address book and puts the copy in a safe place. Then when he changes a password, he recopies that page and replaces it in the copy. No one pays attention to address books any longer, he said, because everyone is focused on what's in the computer. He is the only person I know who changes all his passwords twice a year.

    Also - sites that require security questions do not check the truth of your answers. "What is your mother's maiden name?" can be answered by shakesp45re$s1monk3y or ilovetoanswerquestionslikethese and doesn't have to actually be your mother's maiden name. I've had a difficult time convincing several people of this.
    Jorn Ake
    poet

    Flickr
    Books

  2. #22
    Re: Password managers

    And whether or not someone uses a password manager (electronic or paper), your eMail password must be the strongest password you set because if someone hacks your email password/account they can go to any website, even most banks, and request a password reset/recovery be sent to your email account; then they can gain access to everything.



    Quote Originally Posted by j44ke:
    Yes, this is what my friend told me. His password system is an address book with passwords recorded like contacts. He photocopies all the pages in the address book and puts the copy in a safe place. Then when he changes a password, he recopies that page and replaces it in the copy. No one pays attention to address books any longer, he said, because everyone is focused on what's in the computer. He is the only person I know who changes all his passwords twice a year.

    Also - sites that require security questions do not check the truth of your answers. "What is your mother's maiden name?" can be answered by shakesp45re$s1monk3y or ilovetoanswerquestionslikethese and doesn't have to actually be your mother's maiden name. I've had a difficult time convincing several people of this.



    Quote Originally Posted by NYCfixie:
    Since nobody else has said I will:

    If you talk to any serious industry information security expert they will tell you that the most secure password storage is pen and paper and then keep that list in your wallet because these days you are more likely to have your electronic password storage system compromised than be mugged and your physical wallet stolen.


    This system assumes that you are already using strong passwords and/or passphrases.

  3. #23
    Re: Password managers

    Quote Originally Posted by NYCfixie:
    Since nobody else has said I will:

    If you talk to any serious industry information security expert they will tell you that the most secure password storage is pen and paper and then keep that list in your wallet
    I know my way around info sec and have a different opinion.

    I promote the use of a password stash; if you write down a password and have to type it in each time, the complexity and uniqueness will certainly diminish. It is just human nature.

    But whatever you choose to do, make sure it is a unique password per site.

    -Joe

  4. #24
    Re: Password managers

    I understand and appreciate your perspective. My background is also in technology and has been moving more towards info sec the last few years.

    The issue is end user adoption of password managers which is very low usually due to the complexity of using them and bad interface design. I am sure you know it is easier to get someone who asks you about "security" to use a password manager than it is to get the average user who has the same easy password set for everything; they should be the context for assessing how password managers are adopted.

    As I am sure you also know, most info sec is a balancing act between controls (policy, technical, physical, etc.) and the human factor (understanding issues, educating end users, adoption) who can derail, undo, and make less secure the best info sec systems/plans/controls.

    In a vacuum:
    - password managers ensure more complex passwords and uniqueness
    - pen and paper will always be more secure than anything electronic

    But as we all know, we do not live in a vacuum so we come back to the balancing act of "secure-ness" and "adoption".




    Quote Originally Posted by xjoex:
    I know my way around info sec and have a different opinion.

    I promote the use of a password stash; if you write down a password and have to type it in each time, the complexity and uniqueness will certainly diminish. It is just human nature.

    But whatever you choose to do, make sure it is a unique password per site.

    -Joe

  5. #25
    Re: Password managers

    Quote Originally Posted by Mabouya:
    Anyone have a password manager for password managers? ;)
    No, but let me know if you need an uninstaller remover - I've got a great one.

  6. #26
    Re: Password managers

    Quote Originally Posted by xjoex:
    we saw most malware came in two flavors: Stream fifa online for free or naked pics of asian celebrities.
    potd!

  7. #27
    Re: Password managers

    Quote Originally Posted by xjoex:
    Although interestingly we saw most malware came in two flavors: Stream FIFA online for free or Naked pics of asian celebrities.
    Streaming FIFA online is probably through more or less the same avenues that some folks use to watch bike races, no? Like the links from cyclingfans or Steephill or whatnot.

  8. #28
    Re: Password managers

    Quote Originally Posted by C.Dyer:
    Streaming FIFA online is probably through more or less the same avenues that some folks use to watch bike races, no? Like the links from cyclingfans or Steephill or whatnot.
    These were Android apps installed to watch FIFA or nudie pics specifically. They were available outside the official app stores.

    Back to the pros and cons of software or a piece of paper for password management. I think software will allow for more complex passwords. Given the choice most people will use the name of their favorite sports team, "broncos!", not something with significant randomness like "W*z(v7apowim=;v^Bh)3P=.&JQ[:Uf". They will also reuse passwords, as generating hundreds of additional passwords will not scale for the average user with pen and paper.



    Cheers,
    -Joe

  9. #29
    Re: Password managers

    I know this much:

    I'm not going to post my password management techniques on a publicly accessible website.

    Particularly one with a password login.

    I'm only here to discuss l33t framebuilders...

  10. #30
    Re: Password managers

    Quote Originally Posted by xjoex:
    I think software will allow for more complex passwords. Given the choice most people will use the name of their favorite sports team, "broncos!", not something with significant randomness like "W*z(v7apowim=;v^Bh)3P=.&JQ[:Uf". They will also reuse passwords, as generating hundreds of additional passwords will not scale for the average user with pen and paper.
    I bookmarked this a year or so ago when I first came across it. Haven't put it into practice, but it did give me pause:


  11. #31
    Re: Password managers

    Quote Originally Posted by Bob Ross:
    I bookmarked this a year or so ago when I first came across it. Haven't put it into practice, but it did give me pause:

    ss

    http://www.velocipedesalon.com/forum...tml#post837058

    One thing to note: any password manager stores the data in memory when you unlock it, which means that if your computer is compromised, all your passwords are compromised. NYCFixie was spot on to say that an "unplugged" password manager was safer than any software based one.

    There are a few printable password card generators available:
    Password generator
    https://www.labnol.org/software/writ...n-paper/12972/
    Custom Password Card - Flexible Password Card Generator

    I contemplated the idea of generating one but using words instead of random characters. Sadly some websites/services are using some stupid limits on the passwords so there will always be exceptions and you need some way to store them.

    Additionally, the biggest issue with passwords is there is no easy way to change them all on a regular basis.
    --
    T h o m a s

  12. #32
    Re: Password managers

    Thomas, FWIIW Lastpass can manage all that for you. Go ahead and commit to LP generating passwords for you and it has tools for refreshing stale passwords.

    Now all YOU have to do is write down the master password on a sticky pad and paste it to your staple horse.

  13. #33
    Re: Password managers

    Good stuff here from Thomas.

    Password managers/generators are better than using the same password for everything.
    Storing passwords on paper and pen is safer (assuming the same level of strong/unique password) than an electronic password manager.
    Longer passwords and/or passphrases are safer (most 10 character or less passwords can be cracked by a common computer in a few hours).
    Change all your passwords frequently.

    And, change your iPhone from 4 character pin to 6 character pin or use the fingerprint function.

    And for those really interested, read up on rainbow tables so you know how easy it is to crack short passwords and those kept by systems in simple hash or plain text.



    Quote Originally Posted by sk_tle:
    ss

    http://www.velocipedesalon.com/forum...tml#post837058

    One thing to note: any password manager stores the data in memory when you unlock it, which means that if your computer is compromised, all your passwords are compromised. NYCFixie was spot on to say that an "unplugged" password manager was safer than any software based one.

    There are a few printable password card generators available:
    Password generator
    https://www.labnol.org/software/writ...n-paper/12972/
    Custom Password Card - Flexible Password Card Generator

    I contemplated the idea of generating one but using words instead of random characters. Sadly some websites/services are using some stupid limits on the passwords so there will always be exceptions and you need some way to store them.

    Additionally, the biggest issue with passwords is there is no easy way to change them all on a regular basis.

  14. #34
    Re: Password managers

    Quote Originally Posted by Too Tall:
    Thomas, FWIIW Lastpass can manage all that for you. Go ahead and commit to LP generating passwords for you and it has tools for refreshing stale passwords.

    Now all YOU have to do is write down the master password on a sticky pad and paste it to your staple horse.
    The big issue is not generating passwords but updating the who-knows-how-many services/apps/accounts you already have.
    --
    T h o m a s

  15. #35
    Re: Password managers

    Quote Originally Posted by NYCfixie:
    Good stuff here from Thomas.

    Password managers/generators are better than using the same password for everything.
    Storing passwords on paper and pen is safer (assuming the same level of strong/unique password) than an electronic password manager.
    Longer passwords and/or passphrases are safer (most 10 character or less passwords can be cracked by a common computer in a few hours).
    Change all your passwords frequently.

    And, change your iPhone from 4 character pin to 6 character pin or use the fingerprint function.

    And for those really interested, read up on rainbow tables so you know how easy it is to crack short passwords and those kept by systems in simple hash or plain text.
    It might look paranoid, but to increase security we should delete any email and unsubscribe from any newsletter linked to an account, at the very least from the email/IMAP servers (it might be OK to keep them on your computer if your drive is encrypted).
    --
    T h o m a s

  16. #36
    Re: Password managers

    Memory acquisition is difficult and often unsuccessful, I have done it many times for incident response on behalf of federal LEO. Any password stash will autolock after a period of inactivity, making memory acquisition fruitless. I also can't imagine a password stash that does not use a salt.

    The human element of writing down and typing by hand hundreds of unique passwords is the weakness, not password stashes.

    As for rainbow tables, they only work if there is no salt, and once again I know of no password stash that does not use a salt.

    But for argument's sake let's say that a site or password stash uses a simple MD5 (one way hash) to store passwords and the database gets dumped. As humans you'll choose a weak password like "broncos!".

    So if the site just stores MD5s, let's see what happens.

    $ echo -n broncos! | md5
    c49728934b41c8f8ce932480d01a0ff0

    We google that, it's found. LMGTFY

    So if we use a password manager with a random password and it gets dumped, do we find it?
    $ echo -n 'W*z(v7apowim=;v^Bh)3P=.&JQ[:Uf"' | md5
    c20d5344fa641523b1bd4b1515b76c6f

    No it is not found in rainbow tables. LMGTFY

    So then let's play with using a password manager and a weak password. The password management will use a salt, so if the DB gets dumped can you find it?
    $ export SALT="velocipede salon"
    $ echo -n 'broncos!'$SALT | md5
    21e852b94de31c78b172b0361ed44acd

    No it is not found. LMGTFY

    I argue the human element of creating, storing and entering a unique password per site far outweighs the likelihood your PW stash will be compromised. I have been doing DFIR for 15 years now and never once have I been called in to help out when a password stash was compromised. I have been asked to help because of XSS, SQLi and phishing more than anything else. Unique passwords per site help more in all the cases I have seen.


    -Joe

  17. #37
    Re: Password managers

    Quote Originally Posted by xjoex:
    Memory acquisition is difficult and often unsuccessful, I have done it many times for incident response on behalf of federal LEO. Any password stash will autolock after a period of inactivity, making memory acquisition fruitless. I also can't imagine a password stash that does not use a salt.

    The human element of writing down and typing by hand hundreds of unique passwords is the weakness, not password stashes.

    As for rainbow tables, they only work if there is no salt, and once again I know of no password stash that does not use a salt.

    But for argument's sake let's say that a site or password stash uses a simple MD5 (one way hash) to store passwords and the database gets dumped. As humans you'll choose a weak password like "broncos!".

    So if the site just stores MD5s, let's see what happens.

    $ echo -n broncos! | md5
    c49728934b41c8f8ce932480d01a0ff0

    We google that, it's found. LMGTFY

    So if we use a password manager with a random password and it gets dumped, do we find it?
    $ echo -n 'W*z(v7apowim=;v^Bh)3P=.&JQ[:Uf"' | md5
    c20d5344fa641523b1bd4b1515b76c6f

    No it is not found in rainbow tables. LMGTFY

    So then let's play with using a password manager and a weak password. The password management will use a salt, so if the DB gets dumped can you find it?
    $ export SALT="velocipede salon"
    $ echo -n 'broncos!'$SALT | md5
    21e852b94de31c78b172b0361ed44acd

    No it is not found. LMGTFY

    I argue the human element of creating, storing and entering a unique password per site far outweighs the likelihood your PW stash will be compromised. I have been doing DFIR for 15 years now and never once have I been called in to help out when a password stash was compromised. I have been asked to help because of XSS, SQLi and phishing more than anything else. Unique passwords per site help more in all the cases I have seen.


    -Joe
    I really respect your expertise in this domain on top of your cycling, other outdoor adventure and photography skills! We're blessed to have so many cool people here.

    Now as to this post, I have mostly no idea about what you are speaking :) But keep educating us!

  18. #38
    Re: Password managers

    I really respect your expertise in this domain on top of your cycling, other outdoor adventure and photography skills! We're blessed to have so many cool people here.

    Now as to this post, I have mostly no idea about what you are speaking :) But keep educating us!
    100% agree. What are you recommending a non-IT joe schmoe do as far as a password solution? Thanks!

  19. #39
    Re: Password managers

    The weak point is always between the chair and the keyboard. And it may not be only you.
    --
    T h o m a s

  20. #40
    Re: Password managers

    Just happy that someone wants to listen to my security nonsense who isn't one of my grad students! They don't have a choice.

    KeePass or LastPass will be great easy to use password managers.

    -Joe
