dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
11987
share rss forum feed


angussf
Premium
join:2002-01-11
Tucson, AZ
kudos:4
reply to caffeinator

Re: Stupid User Tricks: Password Selection - "WORD1"

said by caffeinator:

I have a textfile for the really long ones like banking and Paypal.
IIWY I would get some sort of encrypted password store instead of a text file. I use a Palm device, so I use YAPS with the YAPSviewer program on my desktop that allows me to cut-and-paste from the datastore. There are other packages, including OSS ones like KeePass Password Safe
»keepass.info/ so cost shouldn't be a concern here. That way you memorize ONE long complex password (to the password database) and look up all the rest, yet if someone steals your computer / laptop / PIM device, you haven't lost anything.


technick
Premium
join:2000-12-16
Wheat Ridge, CO
kudos:1
reply to Doctor Four

said by Doctor Four:

The MySpace crowd aren't really all that security savvy
to begin with. So encountering this is not surprising
in the least.
Well yea, you didn't get the memo? Facebook is where the smart people hang out at...
--
"Our greatest glory consists not in never falling, but in rising everytime we fall." - Confucius

Bellsouth Free Since 10/05 - To Hell With Bellsouth
Advocatus Diaboli


Streamfire.net


technick
Premium
join:2000-12-16
Wheat Ridge, CO
kudos:1
reply to David

said by David:

Well if I may offer this little diblet this is the best password generator I have seen and seems to work rather well.

»www.pctools.com/guides/password/

Now there is no excuse as to why the myspace croud can't create a more complex password.
I use this on the fly for my users, works well and most of them are easy enough to remember.

At one point a few years ago before I found the above website, I used a program called pwgen, I believe it was in the debian apt repos.
--
"Our greatest glory consists not in never falling, but in rising everytime we fall." - Confucius

Bellsouth Free Since 10/05 - To Hell With Bellsouth
Advocatus Diaboli


Streamfire.net


technick
Premium
join:2000-12-16
Wheat Ridge, CO
kudos:1
reply to NetWatchMan

said by NetWatchMan:

*I* was not running a phishing site...the malware, the botnet, and the miscreant were...I only allowed it to be active for a short period of time....the only reason I let it run for 12 hours was I thought it wasn't doing anything.

My goals are not "research" oriented...unfortunately, I can't elaborate on that point.

I agree that these tactics push the envelope but believe they are essential to countering cybercrime.
I couldn't agree more, the only way to be secure is to know all the possible angles of attack and how to counter them efficiently while moving forward.
--
"Our greatest glory consists not in never falling, but in rising everytime we fall." - Confucius

Bellsouth Free Since 10/05 - To Hell With Bellsouth
Advocatus Diaboli


Streamfire.net


caffeinator
Coming soon to a cup near you..
Premium
join:2005-01-16
WA, USA
kudos:4
reply to angussf

said by angussf:

IIWY I would get some sort of encrypted password store instead of a text file. I use a Palm device, so I use YAPS with the YAPSviewer program on my desktop that allows me to cut-and-paste from the datastore. There are other packages, including OSS ones like KeePass Password Safe
»keepass.info/ so cost shouldn't be a concern here. That way you memorize ONE long complex password (to the password database) and look up all the rest, yet if someone steals your computer / laptop / PIM device, you haven't lost anything.
Yeah, that's true..I should try that at some time.

In my situation, it's not much of a risk, as nobody else is ever here, and it's only a couple passwords. Also, they're not easily identified as such, just a couple lines amongst 100's of lines of other text.

I know what line it is, but others wouldn't.

Most all of my website passwords are kept in Opera's Wand.

(yeah, I know it's only MD5 hashed and can be recovered easy enough, but the chance of anyone getting to my computer three flights up in a locked security building is slim.)

Could my system be penetrated?
Maybe, but it hasn't happened yet in 15 years.

Besides, I have no money in the bank to take, no CC's, no credit, Nada. GL with stealing my identity..it'd be of no use to anyone. The only time I ever worried was when I got my wallet stolen awhile ago...much more bothersome than worrying over computer passwords IMO.

Simply put, I don't live like "normal" folks, so a lot of those rules aren't needed for me.

Thanks for mentioning it though.

-CaFF
--
"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former." - A. Einstein

Need an Avatar? Check out Wafen's Avatar Pages


ZOverLord
Premium
join:2003-10-20
Minneapolis, MN
reply to NetWatchMan

If everyone ran a bot for research, would there be any hackers?

Be careful, there are laws that say what your did was illegal, depending on where you were located, and a "Paris Hilton" defense these days, won't help much, and you did get real logons and passwords
--
Black, Grey and White Hats Unite here -> »testing.OnlyTheRightAnswers.com



Drunkula
Premium
join:2000-06-12
Denton, TX
Reviews:
·Verizon FiOS
reply to EGeezer

ROT-13? ROT-26? Not very secure at all! Actually I never heard of ROT-26 but wouldn't that be the same as not encoding it at all? If there are 26 characters in the English alphabet and you 'rotate' to the character 26 ahead don't you end back right where you started from (it is a rotate and not a shift)?
--
Go away or I will replace you with a very small shell script.



caffeinator
Coming soon to a cup near you..
Premium
join:2005-01-16
WA, USA
kudos:4

1 edit

said by EGeezer:

I'm thinking about using dictionary passwords, but encrypted in ROT-26. Twice as secure as ROT-13 ...
Oh, JFYI, here's an online tool to encrypt/decrypt a piece of text according to the algorithms ROT5, ROT13, ROT18 or ROT47

»netzreport.googlepages.com/onlin···_47.html

-CaFF


Krispy1
Premium
join:2001-12-11
the stix
kudos:1
reply to ZOverLord

said by ZOverLord:

If everyone ran a bot for research, would there be any hackers?

Be careful, there are laws that say what your did was illegal, depending on where you were located, and a "Paris Hilton" defense these days, won't help much, and you did get real logons and passwords
I wouldn't worry about NetWatchMan, he knows what he's doing and what legalities are involved.
--
you can lead a horse to the water but you cannot make him drink...you can put a man through school but you cannot make him think --ben harper


av8r7
I'd Rather Be Flying
Premium
join:2002-06-14
Boca Raton, FL
reply to Drunkula

said by Drunkula:

Actually I never heard of ROT-26 but wouldn't that be the same as not encoding it at all?
Sorry - neglected the [sarcasm] tags
--
If I am not for myself, Who will be for me? If I am only for myself, What am I? If not now, When? -- Hillel


exocet_cm
Free at last, free at last
Premium
join:2003-03-23
New Orleans, LA
kudos:3
reply to Doctor Four

said by Doctor Four:

The MySpace crowd aren't really all that security savvy
to begin with.
I concur
--
"I have measured out my life with coffee spoons..." - T.S Eliot
Ma Blog »www.johndball.com


Mr Anon

@k12.il.us
reply to NetWatchMan

Myspace has a password policy, it only specifies that you must use unmbers and letters for a password, therefore if you have an all alphabetic passwrod you'll have to add at least one number.

This is just a case of people having bad passwords but being forced to include something else on it. I'm not down playing its badness, just putting in my info.



AB
Premium
join:2006-04-04
Leesburg, VA
kudos:3
reply to Mele20

said by Mele20:

The problem with long passwords, and especially all those numbers, is that you can't see what you are typing. Way too easy to transpose numbers. I'd probably type that a dozen times and never get it right and some sites only allow three attempts. I only use complex passwords for banking sites and didn't do it for them until recently.

There is no reason to x out passwords on the screen if the user isn't somewhere that others look over his shoulder or take photos from a distance. I always have wondered why that is done. That should be something that a user turns on if they need it otherwise what you are typing should show up on the screen. I'm always mistyping a password, even one that is not complicated and that I have typed many times, and it irritates me that I can't tell what I am typing.
Sounds like a PEBKAC issue.


Lanik
Lab-nik
Premium,ExMod 2002-03
join:2001-06-25
San Francisco, CA
reply to NetWatchMan

A place I used to work at had Passw0rd as their admin password on all the Windows machines that was always fun and to make things more secure it also matched everyones' initial password when they joined the company. I often wondered who thought that one up.
--
"If it ain't broke don't fix it."


Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5
reply to AB

What's "PBEKAC"?



AB
Premium
join:2006-04-04
Leesburg, VA
kudos:3

1 recommendation

said by Mele20:

What's "PBEKAC"?
Is that what I said? I thought I said "PEBKAC".

Google is your friend (well, my friend anyway.)

»en.wikipedia.org/wiki/PEBKAC

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

I transposed the letters as quite a few folks do all the time..I don't do it often thank goodness. I do it with numbers a great deal though.

If you are into playing games instead of answering my question...obviously it is irrelevant what it is. If I had wanted to use Scroogle to figure it out, I would have done so instead of politely asking you what you meant when the correct thing would have been for you to state what you meant in the first place. I asked for a fix for the stupid xxxx that one sees when typing a password. You gave me an acronym instead of a fix. Telling folks here who ask for help to use Google ...gee, why do we have these forums then? Everyone should just use a search engine if they need help.
--
"The same ferocity that our founders devoted to protect the freedom and independence of the press is now appropriate for our defense of the freedom of the internet. The stakes are the same: the survival of our Republic". Al Gore, The Assault on Reason

Expand your moderator at work


Grail Knight

Premium
join:2003-05-31
Valhalla
kudos:6
Reviews:
·Verizon Online DSL
·Time Warner Cable

1 edit
reply to Mele20

Re: Stupid User Tricks: Password Selection - "WORD1"

Searching for an answer before asking a question is the norm as many times the question has already been asked and answered.

PEBKAC: »/nsearch?q=PEBKAC&cat=

Here is one tool that will reveal passwords which I found through a search engine. There are many others if you look for them. This one is freeware and no I have not used it as the asterisks are a security measure no matter where you are inputting the password. Just because a person is inside their home does not mean that someone is not peaking over your shoulder.

AsterWin
--

Edit* Corrected last sentence.



Portmonkey
My watch stopped
Premium
join:2004-04-09
Southern IL
reply to NetWatchMan

For those who don't like to memorize long passwords, the use of a device like a fingerprint scanner could be beneficial. Create long complex passwords for each site that requires a login and enter them into the scanner. Now each site the user visits has its own strong password, and there's no longer a need to have them all memorized or written down on a piece of paper for viewing each time the user needs to login. You'd want to change the passwords every so often and have them written down and tucked away in a safe place where they won't be lost. Some if not all fingerprint scanners allow you to make a backup password in case the device fails, but this reduces the level of security. I would guess that fingerprint scanners introduce their own set of security risks, but for the average user who is dead set in creating simple passwords such as Rover1, then a fingerprint scanner is likely a step up in security.

I hope that with future improvements in such technology and price drops, we'll see an increase in these devices and practicality for the lazy password creators.
--
Eating a steady diet of government cheese and livin in a van down by the river.



youveshutmedown

@sbcglobal.net
reply to NetWatchMan

said by NetWatchMan:

said by C DM:

So is it considered OK to run phishing sites and/or use botnets (even if they are for "research" purposes)?
*I* was not running a phishing site...the malware, the botnet, and the miscreant were...I only allowed it to be active for a short period of time....the only reason I let it run for 12 hours was I thought it wasn't doing anything.

My goals are not "research" oriented...unfortunately, I can't elaborate on that point.

I agree that these tactics push the envelope but believe they are essential to countering cybercrime.
Let me guess...related to this story?

»blog.washingtonpost.com/securityfix/

Nicely done. This appears to be ramping up to be an interesting summer, and year.


Thug21
Just Chillin'
Premium
join:2005-08-21
kudos:1

3 edits
reply to alanhdsl

For medium security, I come up with a long phrase that is easy to remember and then use the first letter of each word. It might not be totally random but it's better than a lot of things.



pog4
Premium
join:2004-06-03
Kihei, HI

1 edit

I often just use old street names and dead phone numbers from my relatives' pasts.

For eg, sesame18085551212 ...long, no trouble remembering, very easy to type into a masked field. I can also write these down in part (ie, just the person's name) without risking much if someone "bad" finds the list...

My bank password is similarly structured using my grandmother's info from 1972.
--
My Site