I reject 99% of web sites requiring me to log in for obtaining information, in particular web shops that won't reveal their prices until I tell them my spambox address. Some go as far as to demand that I set up an order, tell them my phone number and street address, to give me a quotation; then I can cancel the order, but they know how to bug me later. Some even demand that I establish an account to show me their inventory!
If they don't want me as a customer (that is how I read it!), then they won't have me as a customer.
My phone number for sites that don't need it is 911-555-1212.
911 is the emergency number in North America (similar to 999 or 112)
and 555-1212 is Directory Assistance
Director of Transmogrification Services
Shinobi of Query Language
Master of Yoda Conditional
Kent Sharkey wrote: Two-thirds of people recycle the same password or use variations on the same basic one How is using a different password everywhere really that much better? You'll never remember them all if you use that approach so then you have to use a password manager and if you do, then ALL of your passwords are behind ONE SINGLE password. I don't see how that is better.
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
I certainly do not trust password managers never to be compromised. Especially Internet based ones.
So I use a three-part scheme: where - who - security.
'Where' is how I think of the service: The (short) name of the web site, the kind of service etc. Usually masked, like for access to the postal service, I use 'præ' rather than 'post'. 'Who' is my nick or login name, either at the service or locally. 'Security' has one of three values, one for services where a break-in doesn't hurt me (e.g. if they read the local newspaper using my account), one where I would like people not to steal my identity, and the last one is 'secure', e.g. for banking.
Some services require password change every x weeks. Then I append a serial number to the 'who' part.
So I end up with a long (typically 12-15 char) password not suitable for brute-forcing. The merging of three words into one long one prevents dictionary lookups - after my masking (with a strong preference for using our Norwegian vowels, æøå, wherever allowed) it looks like line noise that cannot easily be broken into separate words. I could for example use 'kPnørwaya1tø' for Code [=key] Project, the Norwegian guy, a1tø (a masking of 'alto'; I was singing in a mixed chorus for many years, so I use vocal terms as tags). I doubt that you would be able to find 'kPnørwaya1tø' by a dictionary lookup. 12 chars is at least 96 bits; that is a little too heavy for brute force lookup. It is also so long that people looking over my shoulder will lose track.
I easily remember not to use 'Code' but 'Key' for CodeProject. I use only a handful of nicks, and usually only three different tags. The only part that gives me trouble is the serial number required for sites who insist on frequent change: For one of them, I recently had a wraparound from 9 to 0 ... but it wasn't accepted, "You have used that password before"! So I extended it to hexadecimal. But I guess that at the next update I will go to a two-digit serial no.
If someone picks up my CP password in cleartext (if you consider 'kPnørwaya1tø' cleartext), they will see my 'private level' tag - assuming that they know the 3-level structure of it - and could use that to try to break in on other accounts of mine. But they would have to know my masking rules and what I consider my identity at the other site, and it would only work for sites at the same security level.
I have been in the habit of using such passwords for years. Even if I have forgotten the password, I rarely have to make more than two or three guesses to hit the right one - when 'CPnørwaya1tø' fails, I easily remember that I had masked 'Code' as 'key'.
The only thing I fear is keyloggers. A couple of years ago, the Norwegian Department of Justice proposed a law change that would give the police the right to infect any PC connected to the Internet (in Norway) with a keylogger, for eavesdropping on every single word written by the PC's owner. (I am dead serious now!) Officially, they would not make use of this facility except in criminal investigations, but history shows that they do not always stay within such restrictions. (For phones, they already have the right to eavesdrop on not only suspects, but any phone that the suspects have been in contact with. They cannot, legally, go one step further, bugging all phones that have been in contact with phones that have been in contact with a suspect - they wanted to, but it was rejected.) Fortunately, the parliament rejected the proposed law change.
Nevertheless: Police investigators do not always respect the law. Nor do criminals. Either could have put a keylogger into my PC. So when I open and edit confidential documents, I disconnect from the internet. When I write high-security passwords, I do not type them in one stretch, but take a brief visit to another window where I can type something else - the keylogger won't know which characters go into which window. I know that I am paranoid, but they still may be after me.
It's down to your threat model.
You seem to be worried about someone hacking your local PC and getting access to your password manager's database. But if that happens, you've got bigger problems to worry about. And any decent password manager will have encrypted the database using your master password, which shouldn't be stored anywhere on your computer.
Similarly with password managers which store or back up the database to an online site: any decent tool will have encrypted the database, and the encryption key won't be stored on the server. If the server is breached, there wouldn't be any trivial way to retrieve your passwords.
Whereas if you reuse the same password across multiple sites, you're relying on the developers behind all of those sites to protect your data properly. You just need to spend five minutes in QA to see how unlikely that is! If even one site stores your password insecurely and suffers a data breach, your accounts on all of the other sites you've used the same password for are at risk.
Troy Hunt: The only secure password is the one you can't remember
Troy Hunt: Password managers don't have to be perfect, they just have to be better than not having one
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Richard Deeming wrote: You seem to be worried about someone hacking your local PC No, LastPass, for example, is online.
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
And, as I said, the database will be encrypted with a key which isn't stored on their server. If their server was breached, the attacker would still be a long way from having all of your passwords.
Whereas if you're reusing a single password across multiple sites, you only need one of those sites to be written by someone who doesn't know what they're doing to have your password stolen.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Richard Deeming wrote: the database will be encrypted with a key which isn't stored on their server. An assumption.
You seem to be assuming that something like LastPass will never be hacked but other websites could be hacked.
In your scenario you're hoping that one single point of failure never fails. Those very words should stand out. It also makes those single points of failures huge targets.
I'm not saying one way is better than the other, I just find it interesting that a bunch of developers would think trusting a single site is the only way to do it.
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
ZurdoDev wrote: An assumption.
No, a statement direct from the horse's mouth:
Security | LastPass
What Happens if LastPass Gets Hacked | Our Security Model
Also backed up by other sources - for example:
Is LastPass secure enough? | NordVPN
Back in 2017, one user discovered that the URL of the site wasn't being encrypted, whilst everything else was:
PSA: LastPass Does Not Encrypt Everything In Your Vault | Hacker Noon
It's up to you to decide whether that concerns you enough to avoid the product.
ZurdoDev wrote: You seem to be assuming that something like LastPass will never be hacked but other websites could be hacked.
Read my message again. I explicitly mentioned the possibility of their site being hacked.
The difference is that if it happened, the hackers would get a database containing encrypted data, and would have no access to the encryption key. They would not have your passwords.
Compare that to the level of code often seen in QA - passwords stored in plain text, or at best using unsalted MD5 hashes; SQL Injection vulnerabilities everywhere; I've even seen people trying to store your password in an unsecured cookie to implement a "remember me" feature!
ZurdoDev wrote: I just find it interesting that a bunch of developers would think trusting a single site is the only way to do it.
As I said, if you don't trust LastPass, use a different password manager. Use one that stores your passwords off-line if you prefer.
Unless you're in a shared workspace with people you don't trust, even a notebook with your passwords written in it would be better than remembering a single password and using it everywhere!
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
Richard Deeming wrote: No, a statement direct from the horse's mouth: Well that settles that.
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
The very idea of "You can tell us all your secrets - we promise not to tell them to anyone!" is, to me, outright repulsive! Disgusting!
I see way too many people showing an approach of "Well, if those guys know all the details of my private life, it is OK - they are nice guys! They would never abuse that information!" 'Those guys' may be the police, social services, in the USA it might include FBI/CIA. Even today I do not trust any of those to always set my interests before their own. A future power slide over to less sympathetic forces could change that for the worse.
There is no reason to trust commercial service providers more than the authorities. They may be under legal pressure to reveal information to "law enforcement", and they are by definition under commercial pressure. Sending my passwords to them is way outside my trust zone.
Similarly with encryption certificates for email: Those providing such certificates will by default provide you with a public key and a private key. So they know my private key - they provided it! I made a request about who would allow me to generate a key pair myself, revealing the public key to them but keeping the private one to myself, sending me a certificate encrypted with the public key. Those who didn't accept that but insisted on generating/knowing my private key were rejected.
Be careful with who you trust!
Once again for those in the back:
For LastPass, as for any decent password manager, the database is encrypted locally before being uploaded. The encryption key is never uploaded. They do not have your passwords.
Unless you believe that they have some previously unknown means to crack AES-256, they literally cannot give your passwords to "the authorities", no matter how much pressure is applied.
If you don't trust them, and think that they might be coerced into inserting a back-door into the encryption to allow them to access your passwords, then use an off-line password manager. If you're completely paranoid and think that all off-line password managers are secretly uploading your passwords to their servers, then use pen and paper.
Whatever you do, just don't resort to reusing the same password on every site.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
There are other aspects to it as well, e.g. your dependency on an internet connection to the keystore. You may have keys for resources that do not necessarily have the same accessibility as your keystore, or rather the other way around: Your keystore access may be more limited. Say that you are running a lot of servers within a local network, requiring login. Then an excavator rips the fiber cable connecting you to the external internet. You can no longer authenticate yourself to local services.
If all your passwords can be accessed by specifying a single password - that to the keystore - then it really doesn't make much difference that after the keystore is opened you can select any key to get in anywhere. Only one key is needed for arbitrary access: That to the keystore. You get an illusion of security much higher than reality.
The fundamental problem is that we pass keys around for login. For thirty years we have had solutions like Kerberos, where no passwords need to be sent across the network. For some reason, it never caught on, as it really could deserve.
(Every time I mention Kerberos to someone who actually recognizes the name, I get an explanation of its failure to be accepted based on some nitty-gritty little detail that keeps it from being 100% perfect. So instead of getting something that would be 99% perfect, we use something that is extremely far from any perfection, and we have to remedy the most serious problems with such tools as keystores. From a system architecture point of view, I find it disgusting.)
Member 7989122 wrote: You can no longer authenticate yourself to local services.
With LastPass, if you've logged in at least once with an internet connection, you'll have a cached local copy of the encrypted keystore. So long as you don't clear the local cache, that copy will be used if your internet connection is unavailable.
There's also a separate app you can install for offline access.
Other password managers will probably offer something similar.
Member 7989122 wrote: Only one key is needed for arbitrary access: That to the keystore. You get an illusion of security much higher than reality.
At the very least that's no worse than reusing the same password across multiple sites.
The big difference is that you're not sharing your master key with lots of random sites thrown together by people who don't know what they're doing. You can be reasonably confident that it's not stored in plain text behind an application full of SQLi vulnerabilities.
Password managers don't have to be perfect; they just have to be better than not using a password manager.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
In any case, I consider password managers a clumsy and ugly workaround. We have got far better solutions, e.g. in Kerberos. No matter how many times I hear "But we have a fix for that", it remains a messy way of doing it.
In my opinion, that is. Your Meanings May Vary.
I implement social distancing with my passwords. They used to be "password1", then "password2", then "password3". Now they are "password6", "password8", "password10"
You should use prime numbers, silly.
Social Media - A platform that makes it easier for the crazies to find each other.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
I only use perfect numbers.
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
The Inkscape project's version 1.0 of the free and open-source vector graphics editor is packed with new features. And it only took 16 years to get there!
I don't often need a vector graphics tool, but it's handier than Illustrator (cheaper as well)
Slower too, most notably on zooming, but a great tool.
"If you don't fail at least 90 percent of the time, you're not aiming high enough."
Alan Kay.
NASA is indeed working with actor Tom Cruise on a film to be shot in space — aboard the International Space Station (ISS), it turns out. Topmost Gun? Mission Astronomical?
The budget is going to be astronomical...
Cyril Diagne, a designer and programmer currently in residence at the Google Arts and Culture Lab in Paris, showed that as mundane an operation as cut-and-paste can be turbocharged in the era of augmented reality. "I reject your reality and substitute my own!"
Well, "Copy and Paste", but still kind of neat
Engineers at Stanford have demonstrated a new method of transmitting electricity wirelessly to multiple devices. Does it involve rubbing a lot of balloons against peoples' heads?
GoDaddy on Tuesday reported [PDF] an October data breach to Californian authorities, stating that an unauthorised individual was able to access SSH accounts used in its hosting environment. No, Daddy!