
Re: Welcome back to Stupid Guest Tricks!

Posted: Wed Nov 13, 2013 9:47 pm
by BRWombat
Big Wallaby wrote:
ktulu wrote: You going to write the code for that?
No.

Actually, let me rethink it.

No.

Another option for people who want a long, secure password, try out lastpass.com* or roboform*. I use LastPass for everything. I don't know most of my passwords, except for sites I may have to access quickly and away from my laptop (which is practically nailed to me), my iPad (for how often I have it with me, see my comments about my laptop) or iPhone (same, except that I have it at times when I don't have the other two with me). But I love LastPass.

* Those who know their way around security, let me know if this is a bad idea.
Now this is scary -- twice in one day we think alike. I've been using LastPass for ages and love it. I'm also curious what someone better versed in tech security (ktulu!) thinks of it.

Re: Welcome back to Stupid Guest Tricks!

Posted: Thu Nov 14, 2013 8:33 am
by ktulu
WEDFan wrote: The one I've seen that can actually decrease security is the requirement to change passwords monthly or quarterly. The studies I've seen on that basically indicate that frequently changing (and not allowing repeats) means more people write them down and tuck them somewhere around their workstation. As long as you have no reason to suspect a breach, and you vary your passwords by site, you are better off keeping the password you remember.
Quite a few of these policies started because strict password requirements were not enforced, and people were choosing poor passwords. Keep in mind that most of these policies are set because of the lowest common denominator in a company, such as Tammy from accounting, who can crunch numbers like there is no tomorrow, but will also open up every attachment sent to her, and visit every website that comes across her email. She also loves hockey, and decided that to fool hackers, her password would be hockey1. There is a bit of truth to this story: a friend asked me to look at something and gave me his password, which was hockey1...

Complex password requirements also come out of everyone's desire to have faster computers. Back in the "day", it could take days to crack a simple md5 hashed password. Now, those are cracked in seconds. Thus the need for more characters, and more randomness. The cracking programs start with dictionary words, and they even know about characters to replace letters! Which is why I said that p@55W0rd, which is 8 characters and adheres to the requirements, is still not a good password.

Yes, you are always going to have people not recall their passwords. That could be true even if hockey1 was allowed. That's why there are great programs out there that people should use if they need to keep a list of passwords. Lastpass, 1password, iCloud Keychain. I keep a PGP encrypted file (2048 to 4096 length key should be chosen) on a secure device that has passwords I seldom use, or other important data that I need to secure. It's said that 1024 length keys have been cracked, but no one has demonstrated it, but out of paranoia, 2048 should be the minimum you choose. You'd need to be well funded to crack PGP, and if a Government is going to try and get your passwords, you either have a really cool job, or you have much bigger things to worry about :)

I actually use GPG, http://www.gnupg.org. There are good resources out there for Windows, Mac, and linux (BSD, etc) that won't cost you a dime, and will increase your security over a post-it :)
TiggerHappy wrote: I'd be more open to creating a pass phrase (without symbol requirements) rather than a complex password. I don't like being unable to remember a password to the point I write them down somewhere (on the computer or on a Post-It). I understand you want to help us all keep our accounts secure, but when there are other websites (like banking and loan sites) that require the same kind of password, the average person simply isn't able to remember all those complex passwords without writing them down somewhere. I'm fine with having letters and numbers in my passwords, but when you require symbols on top of that, that's when I resort to writing down the passwords because I cannot remember those kinds of passwords for the life of me.
Nothing is stopping you from making a passphrase! The maximum number of characters in your password is 100. You'll just need to add a symbol in there, maybe like "Damn you ktulu for making us more secure and maybe changing how we approach passwords in the future!"

BTW, that is 100 characters (without the quotes), please don't use it, it's been put in public and compromised ;)

I prefer a passphrase, they are way more secure, but is everyone going to use one? Nope. Most people will do the bare minimum (back to hockey1). Security is a balance of making it harder, not impossible, but harder for a hacker, while still trying to make sure that Tammy in accounting can do her job without a bunch of hoops to jump through. Now there are times when you have to go for impossible, but hackers are like street criminals, they want quick and quiet. You make it really hard on them, and they will move on. Unless there is a huge payoff, then they will find a way to cover up their activities.
BRWombat wrote: Now this is scary -- twice in one day we think alike. I've been using LastPass for ages and love it. I'm also curious what someone better versed in tech security (ktulu!) thinks of it.
Any service like this is going to have risk. They want to sell you this service. They are going to take great care in making sure that it works as advertised. However, nothing makes up the most secure storage facility available to you, your brain.

This xkcd sums up the state of passwords quite well. If I thought that I could get all ~1700 users of SGT to do this, I would. But, we want users from the computer newb to the kernel hacker. Thus, a balance must be struck.

[image: xkcd comic on password strength]
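As an added illustration (not ktulu's code and not what the board actually runs) of the points in this post and the replies to it: cracking tools reverse leet substitutions and strip a trailing digit before trying a wordlist, so p@55W0rd and hockey1 both collapse to plain dictionary words, while a long passphrase with a single symbol passes the rules the thread states (symbol required, at most 100 characters, spaces counted). The wordlist is a tiny constructed stand-in, and the 2048-word vocabulary used to score a passphrase is an assumption.

```python
import math
import re
import string

# Constructed for this example: a tiny stand-in for the wordlist a cracking tool
# tries first. Real wordlists run to millions of entries; this only shows the mechanism.
SAMPLE_WORDLIST = {"hockey", "password", "letmein", "wombat", "mickey", "secure"}

# Character substitutions that cracking tools already know how to reverse.
LEET_MAP = {"@": "a", "4": "a", "3": "e", "1": "l", "!": "i", "0": "o",
            "$": "s", "5": "s", "7": "t"}

MAX_LENGTH = 100                    # the board's limit as stated in the thread
SYMBOLS = set(string.punctuation)   # 32 ASCII symbols; space is not a symbol here
VOCABULARY_SIZE = 2048              # assumption: about 11 bits per common word


def normalize(candidate):
    """Collapse a 'clever' password to its base word: lower-case it, drop a trailing
    run of digits, then reverse leet substitutions. 'p@55W0rd' -> 'password',
    'hockey1' -> 'hockey'."""
    lowered = candidate.lower()
    without_suffix = re.sub(r"\d+$", "", lowered)
    return "".join(LEET_MAP.get(ch, ch) for ch in without_suffix)


def is_wordlist_hit(candidate, wordlist=SAMPLE_WORDLIST):
    """True when the normalized form is a plain wordlist entry."""
    return normalize(candidate) in wordlist


def brute_force_bits(candidate):
    """Work for an attacker who only knows which character classes appear:
    log2(charset_size ** length). This overstates the strength of dictionary-derived
    choices, which is exactly the p@55W0rd trap."""
    charset = 0
    if re.search(r"[a-z]", candidate):
        charset += 26
    if re.search(r"[A-Z]", candidate):
        charset += 26
    if re.search(r"[0-9]", candidate):
        charset += 10
    if any(ch in SYMBOLS for ch in candidate):
        charset += len(SYMBOLS)
    if " " in candidate:
        charset += 1
    return len(candidate) * math.log2(charset) if charset else 0.0


def passphrase_bits(candidate, vocabulary_size=VOCABULARY_SIZE):
    """Work for an attacker who knows the phrase is made of common words:
    words * log2(vocabulary_size). Lower than the brute-force figure, and the
    honest number for a passphrase."""
    words = candidate.split()
    return len(words) * math.log2(vocabulary_size)


def check_password(candidate):
    """Apply the rules the thread states (symbol required, at most 100 characters,
    spaces counted) plus the wordlist check. Returns the reasons for rejection;
    an empty list means the candidate is accepted."""
    reasons = []
    if len(candidate) > MAX_LENGTH:          # len() counts spaces, as the thread says
        reasons.append(f"longer than {MAX_LENGTH} characters (spaces count)")
    if not any(ch in SYMBOLS for ch in candidate):
        reasons.append("no symbol")
    if is_wordlist_hit(candidate):
        reasons.append(f"wordlist hit after normalization: {normalize(candidate)!r}")
    return reasons


if __name__ == "__main__":
    phrase = ("Damn you ktulu for making us more secure and maybe changing "
              "how we approach passwords in the future!")
    for candidate in ("hockey1", "p@55W0rd", phrase):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate[:24]!r:28} len={len(candidate):3} "
              f"brute={brute_force_bits(candidate):6.1f} bits "
              f"phrase={passphrase_bits(candidate):6.1f} bits  {verdict}")
```

Running it shows the gap the post is describing: the brute-force estimate makes p@55W0rd look respectable, but it is rejected the moment the substitutions are undone, while the 100-character sentence clears every rule with room to spare and is long enough that even the word-based estimate is high.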

Re: Welcome back to Stupid Guest Tricks!

Posted: Thu Nov 14, 2013 7:02 pm
by EpcotFan
Great to see the site back! I just got back from my annual pilgrimage to WDW for the Food and Wine Festival, where I had the great pleasure to run into Zazu at not one but two events! I don't spend as much time on SGT as I used to, but I love dropping in from time to time to hear the fun stories of life at the parks.

Thanks to ktulu and all who helped make the new SGT a reality!

Cheers!
Barry

Re: Welcome back to Stupid Guest Tricks!

Posted: Thu Nov 14, 2013 7:28 pm
by hobie16
bookbabe wrote: Wow. Has his infamy really reached that far? :redface: :redface:
Jimmy Kimmel says Rob Ford is like a 400 pound Andy Dick.

Re: Welcome back to Stupid Guest Tricks!

Posted: Sat Nov 16, 2013 8:25 pm
by TiggerHappy
ktulu wrote: Nothing is stopping you from making a passphrase! The maximum number of characters in your password is 100. You'll just need to add a symbol in there, maybe like "Damn you ktulu for making us more secure and maybe changing how we approach passwords in the future!"

BTW, that is 100 characters (without the quotes), please don't use it, it's been put in public and compromised ;)

I prefer a passphrase, they are way more secure, but is everyone going to use one? Nope. Most people will do the bare minimum (back to hockey1). Security is a balance of making it harder, not impossible, but harder for a hacker, while still trying to make sure that Tammy in accounting can do her job without a bunch of hoops to jump through. Now there are times when you have to go for impossible, but hackers are like street criminals, they want quick and quiet. You make it really hard on them, and they will move on. Unless there is a huge payoff, then they will find a way to cover up their activities.
Fair enough. :) Guess I'll start trying to think of something witty and unique that no one else would say.

On that note, perhaps we should increase the character limit to 140 for better passphrases. (Totally not a reference to Twitter at all...) Do spaces factor in on the character limit or does it all have to be one long Mary-Poppins-ish word?

Re: Welcome back to Stupid Guest Tricks!

Posted: Sat Nov 16, 2013 9:26 pm
by ktulu
TiggerHappy wrote: On that note, perhaps we should increase the character limit to 140 for better passphrases. (Totally not a reference to Twitter at all...) Do spaces factor in on the character limit or does it all have to be one long Mary-Poppins-ish word?
Spaces count. I'll go 139 or 141 ;)