Password protection

[immortality]

Hi guys,

What are people using for password protection etc?

Recommendations?

[vlad01]

ummm? a password?

I don't get the question really as a password is password protection.

[immortality]

password protection/management.

I don't know how many passwords I have but certainly can't remember then all. I only remember the critical ones. Some websites I use I employ a one time password system. Simply put, I enter a totally random password and don't bother to remember it and if I re-visit the website just have to go through the forgotten password protocol.

[vlad01]

No idea. I just make random sentences for passwords which are very long and for critical sites I remember them, for shit sites that don't matter I just get the browser to remember them. Else I store them on file on a one of the random drives I have laying around in cupboard which last I checked was over 5 years ago.

[The1]

it's a hard track to manage, for most people i recommend having one good complex password that you will remember, not written down or stored and is harder to crack than having many passwords that people could easily crack or guess, i personally dont like password managers, if the site gets hacked or your master password gets leaked or found then all your passwords are no good. Where as if you remember your password even if it gets found out whoever knows it still needs to know more about you to find out what they can use it on. Personally i have many complex passwords and have gotten to remembering them, most i use on a daily basis though.

[immortality]

Yep, that's my thinking too. I'm not keen on trusting my info to a 3rd party who are likely to be the target of hackers.

[psyolent]

ha. once a security guy, always a .... you get the idea.
password managers :
1password
keepass
run locally not in the cloud.
DO NOT PUT PASSWORDS in the cloud anywhere. ever. unless its an .exe or .dmg that installs locally, forget it.

now. password types.
sentences. sayings. obscure letters with digits and alpha numerics, numbers, 16 characters.
run two password types.
remember anything with HTTP --> is wide open. keep these complex and different from other sites which are HTTPS. don't share - they will be hacked and on pastebin, posties etc.
HTTPS is better but not infallable. but better. hence one of the reasons i asked this get changed to HTTPS. greater good.

up to you if you change often. alot of work though.

[MAGP]

Password managers are not a great idea.

A list of Don'ts.
Don't ever use a password on more than 1 site, or login (e.g. PC).
Don't be obvious, i.e. post a picture of your dog called Boris and then use 80r1$ for a password.
Don't write them down.
Don't save them in a file.
Don't keep screen shots of them.
Don't use birthdays, names, anniversaries etc etc etc.
Don't every tell anyone else what they are.

The greatest personal security risk is the information people post about themselves. If you use Facebook or any other such social media site don't let every tom dick or harriet see it cause they'll will figure you out eventually.

Do use your noggin. Pass phrases are a good idea, the longer, more complex, less obvious, totally random they are the better. I'm starting to think the idea of a pgp key is the safest bet but even then you would need to follow the list of don'ts to have maximum security.

The NSW DEC requires passwords get changed every 8-10 weeks but I have seen teachers share them so security is out the window when that happens.

[antus]

Keepass is good for a local password manager. My employer uses keepassx which works on windows, mac, linux, and probably phones though I havnt checked. You have 1 strong password to remember which encrypts all your passwords in a file you can copy around. Ive heard some dodgy things about keepass2, but im not sure if thats still current. I'd suggest googling that subject before using it.

SSL/TLS security depends on many factors. SSL is deprecated but TLS is still strong, when configured to not use weak or null encryption, not to allow cypher downgrade after the initial handshake and to use Diffie–Hellman key exchange. There is more to it than that, there are some descriptions of how to get it right if you google the subject. You can test the strength of a sites https with qualys ssllabs.com https://www.ssllabs.com/ssltest/analyze ... net&latest This is useful tool, especially the browser compatibility section. Now that the bad old days are mostly gone with no expectation the most broken and incompatible browsers will still be used we can turn the crypto up a level.