
How often do you change your password and do you have multiple passwords in use

  • 05-09-2014 8:08pm
    #1
    Registered Users, Registered Users 2 Posts: 2,827 ✭✭✭


    How often do you change your password and do you have multiple passwords in use

    Edit: online passwords are what we're talking about. Also, when I say 1 password, this includes variations on a password like adding 123.

    How often do you change your password and do you have multiple passwords in use 22 votes

    Every 1-2 weeks - yes multiple
    0% 0 votes
    Every 1-2 weeks - 1 password
    0% 0 votes
    2-4 weeks - yes multiple
    0% 0 votes
    2-4 weeks - 1 password
    4% 1 vote
    1-3 months - yes multiple
    0% 0 votes
    1-3 months - 1 password
    4% 1 vote
    3-6 months - yes multiple
    0% 0 votes
    3-6 months - 1 password
    4% 1 vote
    6 months + or after attack - yes multiple
    0% 0 votes
    6 months + or after attack - 1 password
    86% 19 votes


Comments

  • Closed Accounts Posts: 5,361 ✭✭✭Boskowski


    What password are we talking about?

    My laptop? Work laptop? Internet banking? Ebay? Boards?


  • Registered Users, Registered Users 2 Posts: 2,827 ✭✭✭bpb101


    Boskowski wrote: »
    What password are we talking about?

    My laptop? Work laptop? Internet banking? Ebay? Boards?
    Online passwords. Sorry, should have said that.


  • Closed Accounts Posts: 5,361 ✭✭✭Boskowski


    bpb101 wrote: »
    online passwords . Sorry should have said that

    No worries didn't mean to be pedantic but it obviously makes a difference.

    Internet banking maybe every 6 months or so but there is more security than just the password.

    Ebay and anything linked to potential money loss (paypal etc) the same. 6 months but not religiously, more like on a 'oh I haven't changed that for ages' basis.

    Boards and other stuff probably never really.

    Edit I do use strong passwords which I trust my laptops password keeper app (Mac Keychain) with. I make exceptions, Internet banking and Paypal etc are not in Keychain. And I forgot the second part of your question, yes I use different passwords. Unless for stupid stuff like fantasy football etc, all the same password for those.


  • Registered Users, Registered Users 2 Posts: 2,827 ✭✭✭bpb101


    Boskowski wrote: »
    Unless for stupid stuff like fantasy football etc, all the same password for those.
    What I'm trying to do now is have a password for sites like FF and others like that, or sites I don't really care if people get into. I'm trying to have different passwords for sites like email, Facebook, PayPal and other high-value sites (not that I'm worried if I get frapped, but the spam and access to the address book in email).


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    I have a core string which is the basis for many of my passwords. I then add a context to the string so for example if my core string was mylittlepony, then my facebook password would be facebookmylittlepony, then if a website requires a number and a symbol, I add the number and symbol to the end. I don't think they add much security wise to be honest.

    My core string is 16 characters, the application name is usually 6-8 so the password length is 22-24 characters in length.

    I change the core string regularly, and I have a few throw away passwords for one off accounts.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    syklops wrote: »
    I have a core string which is the basis for many of my passwords. I then add a context to the string so for example if my core string was mylittlepony, then my facebook password would be facebookmylittlepony, then if a website requires a number and a symbol, I add the number and symbol to the end. I don't think they add much security wise to be honest.
    I used to do the same, but if someone copped you do it then they're all gone, and it's not that far out there that someone could.

    Also, do you like mylittlepony?


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard


    Rucking_Fetard wrote: »
    I used to do the same, but if someone copped you do it then they're all gone, and it's not that far out there that someone could.

    Also, do you like mylittlepony?
    Speak of the devil
    1. Don’t Reuse Passwords

    If they get you, this is how you’ll get got. Password reuse is a huge problem. That’s because when one service has a breach (say, LinkedIn or Adobe), people rush to try the exposed passwords on other sites—especially email, social media, and banking. If you use the same password multiple places, it makes you only as secure as the most vulnerable target. The same thing goes for your clever password schemes, too. If a human being can’t figure out the slight variations you’ve set up to track your Gmail, Facebook, and Wells Fargo passwords, a machine will.

    http://www.wired.com/2014/09/dont-get-hacked/#disqus_thread


    I'm not fond of password managers either.



    https://www.grc.com/sqrl/sqrl.htm
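The Wired excerpt above makes the point that a "clever scheme" of per-site variations on one core string is no better than reuse once the pattern is spotted. The following is an added example, not code from the thread or from any password manager, of the kind of hygiene check a vault or an auditor can run over a user's own stored credentials: it flags passwords that are identical across sites and pairs of passwords that share a long common core. The vault entries, the 8-character core threshold and the function names are all constructed for the illustration.

```python
"""Audit a password list for exact reuse and for 'scheme' variants that share a
long common core (the facebookmylittlepony / gmailmylittlepony pattern).

Added illustration, not code from the thread or any product. The vault
entries below are constructed sample data."""
from collections import defaultdict
from difflib import SequenceMatcher
from itertools import combinations

# Constructed sample vault: (site, password). The passwords are deliberately weak
# examples of the patterns discussed in the thread, not anyone's real credentials.
SAMPLE_VAULT = [
    ("facebook", "facebookmylittlepony"),
    ("gmail", "gmailmylittlepony1!"),
    ("bank", "Xq9#vL2$pR8@wZ"),
    ("forum", "fantasyfootball"),
    ("fantasy-football", "fantasyfootball"),
    ("shop", "mylittlepony123"),
]

MIN_SHARED_CORE = 8  # constructed threshold: a shared run this long looks like a scheme


def longest_common_substring(a: str, b: str) -> str:
    """Longest run of characters that appears in both strings."""
    m = SequenceMatcher(None, a, b).find_longest_match(0, len(a), 0, len(b))
    return a[m.a:m.a + m.size]


def find_exact_reuse(vault):
    """Group sites by identical password; return the groups with more than one site."""
    by_password = defaultdict(list)
    for site, pw in vault:
        by_password[pw].append(site)
    return [sorted(sites) for sites in by_password.values() if len(sites) > 1]


def find_variant_pairs(vault, min_core=MIN_SHARED_CORE):
    """Pairs of distinct passwords sharing a common substring of >= min_core chars.
    Comparison is case-insensitive so Facebook/facebook variants are still caught."""
    hits = []
    for (site_a, pw_a), (site_b, pw_b) in combinations(vault, 2):
        if pw_a == pw_b:
            continue  # exact reuse is reported separately
        core = longest_common_substring(pw_a.lower(), pw_b.lower())
        if len(core) >= min_core:
            hits.append((site_a, site_b, core))
    return hits


def audit(vault):
    """Full report: exact reuse groups plus scheme-variant pairs."""
    return {"reused": find_exact_reuse(vault), "variants": find_variant_pairs(vault)}


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    for sites in report["reused"]:
        print("identical password on:", ", ".join(sites))
    for site_a, site_b, core in report["variants"]:
        print(f"{site_a} and {site_b} share the core {core!r}")
```

The shared-core check is deliberately simple (longest common substring); real vault "security challenge" features use similar heuristics, and the point is that once one password in a family leaks, every entry the audit pairs with it should be treated as leaked too.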


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49



    RF,

    Thank you for bringing this up as I've been wondering about this myself. After getting my shiny new Yubikey I did see that it's possible upon payment of a small fee to subscribe to Lastpass, which as I understand it is an online password manager.

    You log in with two factor authentication, i.e. a one time code generated by the Yubikey which is validated by their server, and a password of your choosing.

    What makes me nervous about this is that although your data is probably secure against online attacks, what would happen if Lastpass were subpoenaed? Worse still what if it happened secretly, so that every time you added a new password, whichever government agency could then do the same thing?

    How do you feel though about offline password managers like Keepass? I am still reluctant as of course all it would take then is to compromise one password and that's your lot.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    Incidentally I am more than happy to share the system I use, which I think is fairly robust although of late I have been working on ways to improve this.

    Firstly, I like to use a system similar to that already described by syklops and have a 'core' pass phrase of around 16 characters:

    e.g. I love Boston Legal!


    This is fairly robust in itself (it'd take a desktop PC around 3 sextillion years to crack this according to howsecureismypassword.net), however as you all know this would be fairly easy to crack with a dictionary attack and also if someone were familiar with your interests. (Incidentally Boston Legal is hilarious, I strongly recommend it!)

    Next I use a line from a book. My favourite types are old directories and almanacs as it would be difficult for anyone else to get hold of a copy, but they're also laid out in such a way that it's easy to navigate lists.

    By way of example I'll demonstrate with a book I used from July-August last year, the 1965 edition of Whitaker's Almanack, which I picked up for all of 2 Euro in a second hand book shop. A bit of judicious googling will show that this particular book is available on Amazon, eBay and Abe Books but there aren't many copies. This is all to the good if you ever need to leave in a hurry and can't take your books with you ; you can buy another copy at your leisure.

    Next I'll simply flick through the book at random and choose a line of text. My favourites are names and addresses as they're likely to contain words that aren't in the dictionary. In June of last year, I was using the 9th line on page 534, which happens to be a section listing Theological colleges of the time, this read:

    KELHAM (House of the Sacred Mission) (80).- Warden, Rev. P. S. Mein


    As passwords go, this is excellent. It does have some dictionary words like 'sacred mission' but it also has words that wouldn't appear there, e.g. 'kelham'. There's also plenty of symbols and mixed case.

    Placing a space after this and combining this with my 'stock' passphrase, we have a password that would take 10,000+ Centuries for the Conficker Botnet to crack according to the Kaspersky Password Checker.

    This is not an ideal system as you of course do need to have the book to hand to enter your password each time, so I tend to reserve it for the actual password to decrypt my drive and the 'master password' I have for Mozilla Firefox which protects the more usual website passwords.

    In order to maintain strong security you need to vary both the line you use and the book on a regular basis. The part I like about it though is that you don't need to remember the entire contents of the line, just the number, in this case 5349. In other words if you can remember the PIN to your ATM card, you can use this system.

    The usual warnings that the key strength of your password is no defence against evil maid attacks, hardware keyloggers, van eck phreaking, rubber hose and black box cryptography and so on...

    It also helps enormously if you have a large book collection - I'm fortunate enough to have a book shelf sufficiently stocked with exotic tomes that it would take the government grunts some time to work out which one I had been using but you might give the game away if you a) don't have many books to begin with or b) have a single volume on a subject which you know little or nothing about - I got rid of a Bird Watching Annual a few years back for that very reason!


  • Closed Accounts Posts: 18,966 ✭✭✭✭syklops


    Rucking_Fetard wrote: »
    I used to do the same, but if someone copped you do it then they're all gone, and it's not that far out there that someone could.

    Also, do you like mylittlepony?

    Aside from shoulder surfing and / or a keylogger how could someone cop that? With a keylogger, everything is gone anyway, which is why I love SSH keys for logging into critical systems, but there is no perfect system. Yubikeys are great but what happens if/when I lose it?


  • Registered Users, Registered Users 2 Posts: 2,827 ✭✭✭bpb101


    Recondite49 wrote: »
    Incidentally I am more than happy to share the system I use, which I think is fairly robust although of late I have been working on ways to improve this.

    Firstly, I like to use a system similar to that already described by syklops and have a 'core' pass phrase of around 16 characters:

    e.g. I love Boston Legal!


    This is fairly robust in itself (it'd take a desktop PC around 3 sextillion years to crack this according to howsecureismypassword.net), however as you all know this would be fairly easy to crack with a dictionary attack and also if someone were familiar with your interests. (Incidentally Boston Legal is hilarious, I strongly recommend it!)

    Next I use a line from a book. My favourite types are old directories and almanacs as it would be difficult for anyone else to get hold of a copy, but they're also laid out in such a way that it's easy to navigate lists.

    By way of example I'll demonstrate with a book I used from July-August last year, the 1965 edition of Whitaker's Almanack, which I picked up for all of 2 Euro in a second hand book shop. A bit of judicious googling will show that this particular book is available on Amazon, eBay and Abe Books but there aren't many copies. This is all to the good if you ever need to leave in a hurry and can't take your books with you ; you can buy another copy at your leisure.

    Next I'll simply flick through the book at random and choose a line of text. My favourites are names and addresses as they're likely to contain words that aren't in the dictionary. In June of last year, I was using the 9th line on page 534, which happens to be a section listing Theological colleges of the time, this read:

    KELHAM (House of the Sacred Mission) (80).- Warden, Rev. P. S. Mein


    As passwords go, this is excellent. It does have some dictionary words like 'sacred mission' but it also has words that wouldn't appear there, e.g. 'kelham'. There's also plenty of symbols and mixed case.

    Placing a space after this and combining this with my 'stock' passphrase, we have a password that would take 10,000+ Centuries for the Conficker Botnet to crack according to the Kaspersky Password Checker.

    This is not an ideal system as you of course do need to have the book to hand to enter your password each time, so I tend to reserve it for the actual password to decrypt my drive and the 'master password' I have for Mozilla Firefox which protects the more usual website passwords.

    In order to maintain strong security you need to vary both the line you use and the book on a regular basis. The part I like about it though is that you don't need to remember the entire contents of the line, just the number, in this case 5349. In other words if you can remember the PIN to your ATM card, you can use this system.

    The usual warnings that the key strength of your password is no defence against evil maid attacks, hardware keyloggers, van eck phreaking, rubber hose and black box cryptography and so on...

    It also helps enormously if you have a large book collection - I'm fortunate enough to have a book shelf sufficiently stocked with exotic tomes that it would take the government grunts some time to work out which one I had been using but you might give the game away if you a) don't have many books to begin with or b) have a single volume on a subject which you know little or nothing about - I got rid of a Bird Watching Annual a few years back for that very reason!
    I might get a chance to check out Boston Legal. Thanks. But with the base pass phrase, if it is compromised not because of brute force but because of a system hack, then you would be compromised. By having several passwords completely different and on different topics, e.g. mylittlepony and maybe 123fakestreet, there is no relation, therefore unguessable if you already know one.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    syklops wrote: »
    Aside from shoulder surfing and / or a keylogger how could someone cop that? With a keylogger, everything is gone anyway, which is why I love SSH keys for logging into critical systems, but there is no perfect system. Yubikeys are great but what happens if/when I lose it?

    Hi Syklops,

    That's an excellent question, and one I want to raise when I post a mini review of the Yubikey later today.

    The short answer is that at least when you're generating a static password with a Yubikey, it is possible to write down a short string of Hex symbols by way of a backup.

    Alternatively you can set up the same password on another key and give it to a trusted friend or relative (this is the system I want to use).

    It is possible to use your Yubikey to secure your SSH sessions (excellent guide to this here). When you set this up initially you are given a few one time use codes in case the key is lost.

    While we're on the subject, for SSH I am currently using google-authenticator along with the Android app FreeOTP which as I'm sure you already know allows you to generate time based one time passwords to log in to your server over SSH.

    There's no requirement for your Android phone to be connected to the internet and if you ever lose it, you can use one of your 'emergency' codes to log in to the server and set up the two factor authentication again.

    I think you're right in saying that a password on its own won't be enough these days, two factor seems to be the way forward be it a keyfile or hardware token.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    bpb101 wrote: »
    I might get a chance to check out Boston Legal. Thanks. But with the base pass phrase, if it is compromised not because of brute force but because of a system hack, then you would be compromised. By having several passwords completely different and on different topics, e.g. mylittlepony and maybe 123fakestreet, there is no relation, therefore unguessable if you already know one.

    Hi bpb101,

    Many thanks for your reply and please accept my apologies for not making myself clearer. The basic password I use only exists in two places at a time - in the password used to decrypt the actual hard drive and within Mozilla Firefox as a master password to protect passwords used to access individual websites.

    Each time I change the line from the book I use, I change the basic password. It's also worth bearing in mind that you can only get to the point where it's possible to enter the Firefox password once you've actually broken into the system itself, so I feel reasonably safe.

    Of course there's no requirement for anyone to do as I did, you could have I love Boston Legal! as the first part of the password for unlocking your HDD and Do you hate Marmite? as part of the password for Mozilla Firefox.

    I should also make it clear I don't use the same line from the same book more than once, so even if the first part of the password is the same, the second part most definitely isn't.

    I would encourage anyone who reads what I've done though to by all means take it a step further - you could for example choose to use alternating letters from two different lines of text, or every third character on an entire page.

    What's important is that you have a password with a high degree of entropy, that's also easy for you to remember.


  • Technology & Internet Moderators Posts: 28,820 Mod ✭✭✭✭oscarBravo


    Recondite49 wrote: »
    ...what would happen if Lastpass were subpoenaed?

    According to them, all they store server-side is the encrypted password data, which they have no way of decrypting.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    oscarBravo wrote: »
    According to them, all they store server-side is the encrypted password data, which they have no way of decrypting.

    We can only hope that's true! :)


  • Registered Users, Registered Users 2 Posts: 570 ✭✭✭hooplah


    I use Keepass. It generates random passwords set to different criteria, at the moment strings like V2bc78u9\O&,mKYsOJ0t but you can change the settings for sites which have maximum lengths, don't allow certain characters.

    My KeePass db is stored on Dropbox so it's accessible via different computers, my phone etc. and is unlocked with a 12 character password.


  • Technology & Internet Moderators Posts: 28,820 Mod ✭✭✭✭oscarBravo


    hooplah wrote: »
    My KeePass db is stored on Dropbox so it's accessible via different computers, my phone etc. and is unlocked with a 12 character password.

    Only 12? :)


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    hooplah wrote: »
    I use Keepass. It generates random passwords set to different criteria, at the moment strings like V2bc78u9\O&,mKYsOJ0t but you can change the settings for sites which have maximum lengths, don't allow certain characters.

    My KeePass db is stored on Dropbox so it's accessible via different computers, my phone etc. and is unlocked with a 12 character password.

    Hi hooplah,

    Thanks for telling us about this. I had a gander at the Keepass website as I used to use it myself and see the database is encrypted with either 256 Bit AES or Twofish.

    I like the idea of you storing it in the cloud. Provided the password is long enough it should be reasonably safe - can you tell us anything about how you go about choosing a strong password for the database?

    I used to keep my database in a folder synced using SpiderOak which operates like DropBox except files are encrypted before uploading (or so they claim!).

    I tried to mitigate the risk a little by also using a keyfile to protect the database which worked in tandem with the password. Do you do this too?


  • Registered Users, Registered Users 2 Posts: 570 ✭✭✭hooplah


    Recondite49 wrote: »
    I like the idea of you storing it in the cloud. Provided the password is long enough it should be reasonably safe - can you tell us anything about how you go about choosing a strong password for the database?

    I tried to mitigate the risk a little by also using a keyfile to protect the database which worked in tandem with the password. Do you do this too?

    The password is a combination of letters and numbers which is easy for me to remember but which I don't think would be easy to predict or come up with via dictionary type automated attacks.

    No I don't use a keyfile.


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    hooplah wrote: »
    The password is a combination of letters and numbers which is easy for me to remember but which I don't think would be easy to predict or come up with via dictionary type automated attacks.

    No I don't use a keyfile.

    Good man, I'm pleased you're doing things the sensible way. I store mine inside Firefox encrypted with a master password but am not sure it's very secure storing them inside a browser!


  • Registered Users, Registered Users 2 Posts: 489 ✭✭the world wonders


    oscarBravo wrote: »
    Only 12? :)
    Keepass lets you set the number of key encryption rounds so that it takes longer to verify the passphrase, therefore making it more resistant to dictionary attacks. (The default is only 6000 though and my elderly laptop can do ~11 million rounds per second, so it's probably a good idea to increase this)


    http://keepass.info/help/base/security.html#secdictprotect
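The post above gives the two numbers that matter for sizing KeePass's key transformation: the 6,000-round default and a laptop that manages about 11 million rounds per second. The block below is an added example, not KeePass's code, that turns those figures into a decision: measure rounds per second, pick a round count that makes one unlock take a tolerable delay, and see what that does to an attacker's guess rate. KeePass's AES-KDF transforms the key with AES-256 under a random seed; the standard library has no AES, so the stand-in here iterates SHA-256, which is an assumption made only so the block runs anywhere. The function names and the 1-million-word dictionary are constructed for the illustration.

```python
"""Why raising KeePass's key transformation rounds slows a dictionary attack.

Added illustration, not KeePass's own code. KeePass's AES-KDF transforms the
composite key with AES-256 under a random seed for N rounds; the standard
library has no AES, so this stand-in iterates SHA-256 instead (an assumption
made for portability). The cost model is the thread's: the defender picks N so
one unlock takes a tolerable delay, and every guess then costs the attacker the
same N rounds."""
import hashlib
import time


def stretch_key(master_password: bytes, rounds: int,
                seed: bytes = b"constructed-seed") -> bytes:
    """Stand-in key transformation: hash the password with the seed, then re-hash
    `rounds` times. Same password and rounds always give the same 32-byte key."""
    key = hashlib.sha256(seed + master_password).digest()
    for _ in range(rounds):
        key = hashlib.sha256(key).digest()
    return key


def benchmark_rounds_per_second(sample_seconds: float = 0.2) -> float:
    """Measure how many stand-in rounds this machine completes per second,
    in the spirit of KeePass's '1 second delay' button; hardware dependent."""
    batch, done = 20_000, 0
    start = time.perf_counter()
    while time.perf_counter() - start < sample_seconds:
        stretch_key(b"benchmark", batch)
        done += batch
    return done / (time.perf_counter() - start)


def rounds_for_delay(target_seconds: float, rounds_per_second: float) -> int:
    """Round count that makes one unlock take about `target_seconds`."""
    return int(target_seconds * rounds_per_second)


def guesses_per_second(rounds: int, attacker_rounds_per_second: float) -> float:
    """Candidate passwords an attacker can test per second at `rounds` each."""
    return attacker_rounds_per_second / rounds


def dictionary_attack_seconds(dictionary_size: int, rounds: int,
                              attacker_rounds_per_second: float) -> float:
    """Worst-case time to try every entry of a wordlist against the database."""
    return dictionary_size / guesses_per_second(rounds, attacker_rounds_per_second)


if __name__ == "__main__":
    # Figures quoted in the thread: default 6,000 rounds; ~11 million rounds/s.
    laptop_rps = 11_000_000
    for rounds in (6_000, rounds_for_delay(1.0, laptop_rps)):
        hours = dictionary_attack_seconds(1_000_000, rounds, laptop_rps) / 3600
        print(f"{rounds:>10} rounds: {guesses_per_second(rounds, laptop_rps):>8.1f} "
              f"guesses/s, 1M-word list in {hours:.1f} h")
    print(f"this machine: ~{benchmark_rounds_per_second():,.0f} stand-in rounds/s")
```

At the default, the laptop in the post tests roughly 1,833 guesses per second; set for a one-second unlock it tests one, so a million-word list goes from about nine minutes to about eleven and a half days on that same hardware. The round count only multiplies the attacker's cost, so it complements rather than replaces a long master password, and an attacker with more hardware than the defender's laptop scales the numbers back down.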


  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49


    the world wonders wrote: »
    Keepass lets you set the number of key encryption rounds so that it takes longer to verify the passphrase, therefore making it more resistant to dictionary attacks. (The default is only 6000 though and my elderly laptop can do ~11 million rounds per second, so it's probably a good idea to increase this)


    http://keepass.info/help/base/security.html#secdictprotect

    Sounds very promising! It also reassures me as I am a bit leery about the idea of trusting every single one of my passwords to a single one.

    Shame the Linux version doesn't support this feature though.


  • Closed Accounts Posts: 1,260 ✭✭✭Rucking_Fetard




  • Closed Accounts Posts: 1,004 ✭✭✭Recondite49



    Very much enjoyed the second article, thanks RF.

    Diffie and Hellman's meeting and the slow and erratic development of public key cryptography is detailed in Simon Singh's The Code Book as is the unsung mathematician Clifford Cocks who developed the idea at GCHQ but sadly long before computers were fast enough to be able to encrypt/decrypt at an acceptable speed.

