The new password craze...

[Red Squirrel]

I don't know if I would trust cloud based password databases though...

 

[pyonir]

Y6OSe9y2W5T8JvKnlee&AuV8t5GD$gnH%eA%m*5gQkSn1cTheY*LibcLoVy22*ZGa@0t*0FR2@!i0ttWgKIxhDndEFLsw3vV5XD

God Dammit. Now I have to change my password....AGAIN.

THANKS.

 

[l0cke]

My school used to required password changes every 6 weeks, with the usual set of requirements for each password. Now they've made it changes every year but extended the required length.

Personally, I use Lastpass for everything. The problem with school computers is I have to type the password on some strange PC, which means it has to be simple enough for me to type quickly.

 

[BladeVenom]

lulz NSA was able to monitor communication of the whole country of France for a month. I doubt any password we use is safe.

Speaking of that, have you seen the White House propaganda version of what was said between Obama and French President Hollande?

The Obama version of what Hollande said, "The United States and France are allies and friends, and share a close working relationship on a wide range of issues, including security and intelligence."

The French version of what was said,"The Head of State shared his deep disapproval regarding these practices, which are unacceptable between allies and friends, because they violate the privacy of French citizens."

http://www.usatoday.com/story/theov...ited-states-national-security-agency/3151797/

 

[Doppel]

I'm sick of this shit to an extent. I can tell you with confidence that the vast majority of corporate users who are made to change their passwords regularly make the new one the same as the old but iterate up a single digit. I know this because I've asked people and they've told me. The thing is if you have my password you have it, it's not like it matters if I change it every 90 days.

I'm actually pretty confident my amazon password would not be allowed today. I made it many years ago and it's very very simple, but since Amazon doesn't store them in plain text it probably has no idea that it isn't compliant.

 

[lothar]

so many of these coming out. i just discovered 2 in this thread.

LastPass is the best I've encountered, but it's used @ the browser level. There is another that is used @ the OS level.... keepass I think. That could be interpreted differently.... :biggrin:

Safe In Cloud is the highest rated password manager there is on the Google Play store.
https://play.google.com/store/apps/details?id=com.safeincloud

It has a standalone Windows app, and you can use Firefox and Chrome browser extensions if you want.
And unlike LastPass, it's a one time $2 fee and doesn't require any subscription.

 

[OutHouse]

I agree with the op.
There are some iT people that are totally anal when it comes to password security.
I have one financial site that requires a password change weekly.
Now THAT is just anal.

Blame SOX and a retard admin for being a dick.

 

[cavemanmoron]

Waah.

I agree, but how about the Yahoo Mail crap that is happening now, they want everyone to go to AOL I think.

 

[Red Squirrel]

Safe In Cloud is the highest rated password manager there is on the Google Play store.
https://play.google.com/store/apps/details?id=com.safeincloud

It has a standalone Windows app, and you can use Firefox and Chrome browser extensions if you want.
And unlike LastPass, it's a one time $2 fee and doesn't require any subscription.

That sounds really smart, not only putting the password on the cloud but on google cloud. May as well just send an email to the NSA directly and skip the middle man. :awe:

 

[lothar]

That sounds really smart, not only putting the password on the cloud but on google cloud. May as well just send an email to the NSA directly and skip the middle man. :awe:

Well, that's better than writing your passwords down on a piece of paper and stuffing it in your wallet. It's also better than using "correct horse battery staple" and words in the dictionary that are subject to attack. It's also convenient if you have one of those accounts that require you to change your password every few weeks.

You don't have to use Google cloud.
Safe In Cloud also works with DropBox, Sky Drive, and Box.

 

[HeXen]

I feel the pain. However what many forget is that most pass's get taken because they hack the servers. No matter what you change your info too, if they get into the servers then they can get your stuff...don't depend on them to encrypt all your data but even that is hackable most of the time.

My gmail accounts kept getting taken but it was due to them getting into Googles servers. Millions of people all over the world get their data stolen from all sorts of servers everday....remember when Valve had to issue emails for everyone to change their passwords as a safeguard cause their servers were hacked?

 

[NikolaeVarius]

I feel the pain. However what many forget is that most pass's get taken because they hack the servers. No matter what you change your info too, if they get into the servers then they can get your stuff...don't depend on them to encrypt all your data but even that is hackable most of the time.

My gmail accounts kept getting taken but it was due to them getting into Googles servers. Millions of people all over the world get their data stolen from all sorts of servers everday....remember when Valve had to issue emails for everyone to change their passwords as a safeguard cause their servers were hacked?

If those passwords are properly hashed and slated, really shouldn't be an issue.

 

[HeXen]

If those passwords are properly hashed and slated, really shouldn't be an issue.

But stuff like this happens more often than the media leads on. This is an old, quick example but servers get hacked a lot around the world.
http://www.csmonitor.com/Innovation...teals-400-000-passwords.-Is-yours-on-the-list
http://hackersnewsbulletin.com/2013...many-servers-steals-data-2-million-users.html

 

[shortylickens]

Use fucking umlauts, the'll never get it.

 

[IEC]

oclHashcat-plus on multiple Radeon GPUs... mmmm

 

[l0cke]

Safe In Cloud is the highest rated password manager there is on the Google Play store.
https://play.google.com/store/apps/details?id=com.safeincloud

It has a standalone Windows app, and you can use Firefox and Chrome browser extensions if you want.
And unlike LastPass, it's a one time $2 fee and doesn't require any subscription.

Lastpass is free, the premium requires $12 a year. It's got things like phone support etc. The android app is pretty dated though, it still works.

 

[lothar]

Lastpass is free, the premium requires $12 a year. It's got things like phone support etc. The android app is pretty dated though, it still works.

Eeew....They still haven't adopted Holo yet. That Gingerbread UI design needs to die a horrible death.

Mobile version of the award-winning LastPass password manager. Fast, easy and simple; securely syncs your passwords across all your browsers and devices.
Key Features:
- Built-in browser that will automatically fill your login information for each of your saved LastPass sites.
- Automatically fill forms on all sites.
- Secure Password Generator.
- Add, update, and delete Secure Notes and Sites.
- Add images and audio recordings to Secure Notes as attachments. This requires us to request camera and audio permissions.
* 14-day free trial, requires $1/month LastPass Premium subscription afterwards.
Note: Due to the way Android implements input methods, if you would like to use LastPass for Android's input method to fill into apps, you must not move the app to the SD card. It will be disabled upon each reboot if you do so.

https://play.google.com/store/apps/details?id=com.lastpass.lpandroid
I don't see a "*" anywhere else in their description.
That tells me that the whole app itself is a subscription, disguised as a free app.

 

[lxskllr]

I use Keypass portable. It's libre software, and runs in Windows, and through Wine on GNU/Linux. KeypassDroid can use the same database on Android, so it covers every system I'd possibly use. I backup the whole folder to SpiderOak so I can use it out if I don't have one of my machines.

 

[l0cke]

Eeew....They still haven't adopted Holo yet. That Gingerbread UI design needs to die a horrible death.


https://play.google.com/store/apps/details?id=com.lastpass.lpandroid
I don't see a "*" anywhere else in their description.
That tells me that the whole app itself is a subscription, disguised as a free app.

Yeah, the app requires premium. Desktop is free though.

 

[Red Squirrel]

Is there any php/mysql web based systems out there? I coded my own a while back as I could not find any, but I'm wondering if I should consider polishing it up and releasing it to public.

 

[Train]

Is there any php/mysql web based systems out there? I coded my own a while back as I could not find any, but I'm wondering if I should consider polishing it up and releasing it to public.

Check Github, filter by PHP

 

[Jeff7]

http://arstechnica.com/security/201...eling-the-next-frontier-of-password-cracking/

passwords are quickly becoming damn near useless

Fun.

For his part, Chrysanthou said the biggest challenge is the work required to update and hone his phrase lists and rule sets to ensure that they can be processed quickly on his computer, which uses an Intel Dual Xeon CPU, a single AMD Radeon 5870 video card, and a traditional hard disk.

....huh.
And imagine what you could do with a supercomputer, built on a bloated military budget.

Well, that's mostly an MD5 problem, but worth noting nonetheless.

Hope so.

How many "secure" systems out there are still using MD5 though?


"But upgrading will cost an amount that is more than $0.00000. And it's just software anyway. Ok, here, cheap fix: Increase the password length requirement by 5 characters, and make them change it weekly. Also check each new password to make sure it's not already in our billion-passphrase dictionary."

Everyone should read this article. Correct battery horse staple will go down quite quickly under these methods. Sure, it will take a long time to brute force, but these attacks don't use brute force. Dictionaries with substitution rules, password lists, etc all cut down the time it takes dramatically.

To the poster who uses the 4-letter algorithm, I do something similar but it won't really help either. Basically, the article states that if the algorithm is simple enough for you to remember, then it exists as a rule in some password cracking algorithm somewhere, and a computer can run it faster than you can.

With security/recovery questions being the stupidly easy way to get passwords nowadays, I am basically resigned to the notion that my passwords exist just to keep out accidental logins and people trying 5 times to guess my password via birthday and name combinations.

The plain text password dumps are the scary ones. Now you have a big batch of real passwords to analyze, and find the patterns. Even if you can "only" crack 30% of the password hashes obtained from a break-in....that's not a secure system.

Another trend I hate is secret questions. those actually reduce security because someone can just find out the answer through social engineering. I would not considered my mother's maiden name or the school I went to to be a closely guarded secret. I usually put BS in there because they've always been used only if you forget your password (which is where the security issue is) but I see a lot of places that will randomly ask these questions after you put in your password. That forces you to put something you can remember, but that someone wont be able to find out in case someone tries to use the lost password feature. Oddly enough it seems to be banks that do this more than anything.

What is your place of birth?
A giant sack of potatoes.

What is your mother's maiden name?
I like turtles, but not tortoises.

What is your favorite food?
I already told you, I like turtles, but not tortoises.

What is your favorite TV star?
Grandma Potatohead.


I don't know that you're under any obligation to give good answers to those questions.

"I forgot my password. Could you please hire a private investigator to research the answers to the questions, so that you can verify that I really am who I said I am?"

 

[Ichinisan]

This is why secure and accurate biometric authentication is needed. Very hard to hack (provided the templates are secure), and is based on user friendly 1 factor authentication.

Note that I am not talking about the fiasco that is the fingerprint scanner on the iphone 5s, which was apparently hacked in just a few days.

Even the most secure biometric fingerprint locks were easily defeated. You watch that episode of Mythbusters? They used a photocopied fingerprint.

1-factor biometric isn't good enough for real security.

 

[Ichinisan]

You should not allow Chrome to store your passwords:
http://www.wired.com/threatlevel/2013/08/chrome-password-manager/

With a few keystrokes, I can make IE reveal your auto-completed password. The same thing works for Chrome, but it's not really necessary since Chrome allows you to view them anyway.

 

[KMFJD]

complex passwords lead to password files or hand written password

Don't believe me? Hack my Google Docs or my Outlook.

I have 50+ personal passwords to maintain every month at work, you're damn sure i have an excel file with them all because that is too many to remember.