  1. #21
    Kelron (Secondary Hivemind Nexus), joined Jun 2011, 2,025 posts
    I prefer to keep my passwords in my head, although I have a single physical reminder for the most important ones (that shouldn't be decipherable for anyone who stumbled across it somehow). For low-security stuff I have 3 passwords that I cycle through; sometimes I throw in a different number or capital letters if I want a bit of extra security.

    For my email and bank accounts, I find a good way to remember multiple complex passwords is to think of a phrase or a rhyme and use bits of that (with some extra characters, not just the words of course). That way I can have long and different passwords for each account, but not struggle to remember them.

  2. #22
    DigitalSignalX (Lesser Hivemind Node), USA, Missouri, joined Jun 2011, 934 posts
    Some nice options out now for physical authentication - LastPass Sesame and YubiKey come to mind.
    All times I have enjoyed greatly, have suffered greatly, both with those that loved me, and alone.

  3. #23
    Network Hub, joined Jun 2011, 128 posts
    Quote Originally Posted by Cooper:
    I've been meaning to overhaul my password system ever since the spate of attacks earlier in the year. And considered a manager -BUT- don't like the idea of having my passwords stuck 'in the cloud' like LastPass.

    Thinking of using KeePass
    http://keepass.info/
    And putting it on a portable (tough) USB.

    Any experience for anyone using something like KeePass which encrypts and stores the passwords locally?
    I've used keepass before, but haven't extensively used the browser integration (which is usable, but not great). You can combine any of the encrypted "local" solutions with something like Dropbox to get something more highly-available.

    At the moment, I just use Firefox's built-in password manager (with a master password) and their Sync utility to keep it across multiple devices.

  4. #24
    Juan Carlo (Lesser Hivemind Node), joined Sep 2011, 665 posts
    It's really not worth it to bother with password security on forums and stuff. I just use one simple password for all the forums I use. I just make sure that they all tie back to a dummy e-mail account that I just use for forums and which has no information about me. It's way simpler doing that than remembering 1,000 passwords as forum security gets hacked all the time--so why waste the effort?

    As for my bank and Steam and other stores I use a lot, I do have more complex passwords that I memorize. I have an easy system to remember them, but it'd kind of defeat the purpose if I told you it.

  5. #25
    Vexing Vision (Secondary Hivemind Nexus), Düsseldorf, joined Jun 2011, 1,778 posts
    My gaming-related email address is a pure forwarding address to my "real" address. It is completely inaccessible from the outside for anyone without the forwarding address. The emails are not even remotely connected and cannot be guessed.

    I'm a follower of the XKCD password strength method. I generate a few random words and line them up. They mostly have to do something with the game or forum they're related to.


    It did take me around 20 minutes until I figured out how to change my Steam password without installing the Steam-client. What a fucked up, useless website...
    NETWORKING 101 SIGNATURE INCOMING
    Playing games with each other makes for the best business contacts, so feel free to add me on LinkedIn.
    You should also follow me on Twitter.

  6. #26
    amusingthebrood (as quoted in #27)
    Quote Originally Posted by Vexing Vision:
    It did take me around 20 minutes until I figured out how to change my Steam password without installing the Steam-client. What a fucked up, useless website...
    You are a better person than me. I had a look this morning, failed to work out how and assumed that I couldn't and would have to wait until this evening when I got home.

  7. #27
    Vexing Vision (Secondary Hivemind Nexus), Düsseldorf, joined Jun 2011, 1,778 posts
    Quote Originally Posted by amusingthebrood:
    You are a better person than me. I had a look this morning, failed to work out how and assumed that I couldn't and would have to wait until this evening when I got home.
    It's well hidden.

    Click on "Support", select "Billing, Account, etc" issues (after logging in), then click on the tiny hidden "edit account" link on the top right above the "search for topic" field.

    There MUST be an easier way to do that, but that's the only thing I could find.
    NETWORKING 101 SIGNATURE INCOMING
    Playing games with each other makes for the best business contacts, so feel free to add me on LinkedIn.
    You should also follow me on Twitter.

  8. #28
    Megagun (Network Hub), joined Jun 2011, 254 posts
    Quote Originally Posted by Vexing Vision:
    It's well hidden.

    Click on "Support", select "Billing, Account, etc" issues (after logging in), then click on the tiny hidden "edit account" link on the top right above the "search for topic" field.

    There MUST be an easier way to do that, but that's the only thing I could find.
    That's for the Steam Support Account, which is different (or so I gather) from your regular Steam Account. I don't see the "edit account" link there; I see a "create Steam Support account" link there, instead...


    As far as the topic goes: KeePass. I prefer to manage my passwords myself, rather than letting some third-party web-based tool do it for me. I also keep all my game and software CD/License keys in there, which is great for those MSDNAA-supplied license keys that like to disappear on the MSDNAA 'store'...

  9. #29
    gundrea (Network Hub), Ireland, joined Aug 2011, 137 posts
    Quote Originally Posted by Vexing Vision:
    I'm a follower of the XKCD password strength method. I generate a few random words and line them up. They mostly have to do something with the game or forum they're related to.
    While Randall Munroe may or may not be an excellent programmer, an excellent cryptographer he is not.
    His approach does increase brute force complexity by suggesting lengthening the password but reduces complexity by saying you should limit your range of characters to letters.

    Much more worryingly, his approach is open to a dictionary attack. There are maybe 250,000 words in the English language and if you are using four straight this will require less time to compute than a string of 11 ASCII characters. Also because you are using full words their length will not increase the complexity so words like loquacious will be as easy to crack as dog.
    "A victory so bitter it would be better we had not won," --General Transh

    The Devpit: For all your literature, gaming, IT and defenestration needs.

  10. #30
    Lesser Hivemind Node, joined Jul 2011, 958 posts
    I'm also a bit stuck on this.

    Like many here I use 3 levels of passwords - Banks& Stuff, Secure Stuff (inc steam), and general rubbish (like forums).

    But the problem is that over the years the number of sites has increased a lot... so the Steam password/email is in use in a number of places (sometimes with different Gmail dot-hack addresses, and with different site-specific prefixes, but those are easy to guess, I now realise).

    I've kind of decided to move over to Keepass. I keep looking longingly at LastPass, but I can't bring myself to trust it. They may only store hashed info, but that's all most sites do... doesn't mean it can't be un-hashed. It would be the most user-friendly option.

    KeePass works pretty well on ONE PC. I've set it up to open minimised and locked, and then when I need to enter details I just CTRL-ALT-A and it usually inserts them correctly. But it's still a hassle... if I change a password on a site it doesn't automatically update in KeePass, for example.

    The problem is that, for some sites, I need to be able to remember the passwords... I use them on my cellphone and need to be able to type them in without it taking 6 hours (Ie: short and basic). I also need access at work sites on non-windows pcs, and I just got an android phone... keepassdroid is hardly quick and user-friendly.
    Also, syncing involves dropbox, and you have to remember to keep a copy of keepass online, because if you lose your local copy you'd be screwed.

    What I'm saying is I haven't worked out a great solution.... and the fact I have lots of legacy simple passwords from old sites and safer times doesn't help the matter.

  11. #31
    QuantaCat (Moderator), Vienna, Austria, joined Jun 2011, 6,481 posts
    www.ccc.de

    You probably only "know" the "bad" hackers.

    Also, yesterday, AnonAustria got the Wolo prize for anti-internet behaviour, because they released a bunch of private phone numbers and addresses of police officers in Austria. Which is in direct "violation" of hacker rule #8, as set out by the CCC.

    So basically, all of "antisec" is bad hackery.
    Last edited by QuantaCat; 11-11-2011 at 03:59 PM.
    - Tom De Roeck.

    verse publications

    "Quantacat's name is still recognised even if he watches on with detached eyes like Peter Molyneux over a cube in 3D space, staring at it with tears in his eyes, softly whispering... Someday they'll get it."

    "It's frankly embarrassing. The mods on here are woeful."

    "I wrinkled my nose at QC being a mod."

    "At least he has some personality."

  12. #32
    Activated Node, "Don't even ask...", joined Jun 2011, 78 posts
    Quote Originally Posted by gundrea:
    While Randall Munroe may or may not be an excellent programmer, an excellent cryptographer he is not.
    His approach does increase brute force complexity by suggesting lengthening the password but reduces complexity by saying you should limit your range of characters to letters.

    Much more worryingly, his approach is open to a dictionary attack. There are maybe 250,000 words in the English language and if you are using four straight this will require less time to compute than a string of 11 ASCII characters. Also because you are using full words their length will not increase the complexity so words like loquacious will be as easy to crack as dog.
    I've found a good way to circumvent this (that unfortunately will require a lot of effort for you English-only types). You see, my keyboard has letters in another language on each key in addition to English, so I just input proper words in that language while having the typing language set to English, resulting in a string of random characters that is nonetheless easily remembered. Presto!

  13. #33
    Batolemaeus (Network Hub), joined Jun 2011, 267 posts
    Quote Originally Posted by gundrea:
    Much more worryingly, his approach is open to a dictionary attack. There are maybe 250,000 words in the English language and if you are using four straight this will require less time to compute than a string of 11 ASCII characters. Also because you are using full words their length will not increase the complexity so words like loquacious will be as easy to crack as dog.
    250,000^4 = 3906250000000000000000 (that's 3.9 * 10^21)
    11 ascii chars including non-printing: 128^11 ~ 1.5 * 10^23
    11 ascii chars including only those in regular use: 94^11 ~ 5*10^21

    So four words in a small dictionary ignoring other languages or different spelling is about as good as 11 ascii chars including punctuation.
    Even pretending you have a small cluster, you won't generate enough hashes to crack that easily, especially not with properly salted hashes going through 1k or more rounds of hashing the resulting hash with itself, creating a huge amount of overhead to sift through.
    Dictionary attacks are incredibly unhelpful with such a high entropy. It's probably easier to find a hash collision...
    And that's assuming the hash is exposed. Usually, it isn't.
    Last edited by Batolemaeus; 11-11-2011 at 04:39 PM.
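The search-space arithmetic argued over in #29 and #33, as an added example that is not part of the thread: it turns the posters' figures into bits of entropy, then shows what the salted, iterated hashing mentioned in #33 does to expected crack time. The hash rate (1e10 hashes per second) and the 1,000-round stretching are assumptions chosen for illustration; the word list is a constructed stand-in, since only the size of the dictionary enters the maths.

```python
# Added example (not from the original thread): entropy and crack-time
# arithmetic for random passwords versus random-word passphrases.
# Hash rates and iteration counts are assumptions for illustration.
import math
import secrets

# Constructed sample list; only the size of a word list matters below.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "dog", "loquacious"]


def search_space_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from
    `alphabet_size` choices, i.e. log2(alphabet_size ** length).
    A word drawn from a dictionary counts as one symbol however long it is,
    which is why 'loquacious' and 'dog' cost an attacker the same."""
    return length * math.log2(alphabet_size)


def compare_schemes() -> dict[str, float]:
    """The three cases from the thread plus two diceware-style lists
    (7,776 = 6**5 words, the size of a five-dice list)."""
    return {
        "4 words from a 250,000-word dictionary": search_space_bits(250_000, 4),
        "11 chars from all 128 ASCII codes": search_space_bits(128, 11),
        "11 chars from the 94 printable ASCII": search_space_bits(94, 11),
        "4 words from a 7,776-word diceware list": search_space_bits(7_776, 4),
        "6 words from a 7,776-word diceware list": search_space_bits(7_776, 6),
    }


def expected_crack_seconds(bits: float, hashes_per_second: float,
                           iterations: int = 1) -> float:
    """Expected time to find one password: half the keyspace on average,
    each guess costing `iterations` hash computations (PBKDF2-style
    stretching). A per-user salt stops this work being amortised across
    many stolen hashes with one precomputed table."""
    guesses = 2 ** bits / 2
    return guesses * iterations / hashes_per_second


def crack_time_years(hashes_per_second: float = 1e10,
                     iterations: int = 1_000) -> dict[str, float]:
    """Assumed attacker: 1e10 raw hashes/s against a 1,000-round hash."""
    seconds_per_year = 365.25 * 24 * 3600
    return {
        name: expected_crack_seconds(bits, hashes_per_second, iterations)
        / seconds_per_year
        for name, bits in compare_schemes().items()
    }


def random_passphrase(words: list[str], count: int) -> str:
    """Pick words with the `secrets` CSPRNG. The figures above assume
    uniform random choice; words picked by association with the site come
    from a much smaller effective dictionary than the full list."""
    return " ".join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for name, bits in compare_schemes().items():
        print(f"{bits:6.1f} bits   {name}")
    for name, years in crack_time_years().items():
        print(f"{years:12.3g} years  {name}")
    print(random_passphrase(SAMPLE_WORDS, 4))
```

The 128^11 case comes out at exactly 77 bits, 94^11 at about 72.1 and 250,000^4 at about 71.7, which is the near-equivalence #33 describes; the stretching factor multiplies every expected crack time by the iteration count without changing the ordering of the schemes.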
