passwords

Andy Fish

Hi,

I just got a nice email from fasthosts - a UK ISP - saying that they have
had a security breach and have lost security details including my password
IN PLAIN TEXT !!

Because I use the same password for different online systems, this means
someone who found out my email address (the real one - not the one I'm using
to post this) and fasthosts password could potentially log on as me to many
different sites.

Fortunately I use several different passwords, including a separate one for
sites that I think might store it in plain text. Unfortunately I didn't think
for a minute that an ISP would do this, so I used a relatively secure
password for them.

If I can't trust anyone to encrypt my password, it seems that the only way
to be secure is to use a different password for every system and then write
them all down somewhere.

I am an IT professional and I get the impression that most people currently
take a similar approach to me. If not, what's the best way to manage so many
passwords?

Andy
 
Sebastian G.

Andy Fish wrote:


> I am an IT professional and I get the impression that most people currently
> take a similar approach to me. If not, what's the best way to manage so many
> passwords?


Very simple thing: Use a password manager. It allows you to use and create a
lot of long and strong passwords that you don't even need to remember, and
encrypts them with one master password. Even further, such a tool allows you
to enter a password via copy'n'paste or auto-typing, thus also deflecting
over-the-shoulder looking.
 
Shenan Stanley

Andy Fish wrote:
> I just got a nice email from fasthosts - a UK ISP - saying that
> they have had a security breach and have lost security details
> including my password IN PLAIN TEXT !!
>
> because I use the same password for different online systems, this
> means someone who found out my email address (the real one - not
> the one I'm using to post this) and fasthosts password could
> potentially log on as me to many different sites.
>
> fortunately I use several different passwords including a separate
> one for sites who I think might store it in plain text.
> unfortunately I didn't think for a minute that an ISP would do
> this, so I used a relatively secure password for them.
>
> if I can't trust anyone to encrypt my password, it seems that the
> only way to be secure is to use a different password for every
> system and then write them all down somewhere.
>
> I am an IT professional and I get the impression that most people
> currently take a similar approach to me. If not, what's the best
> way to manage so many passwords?


Search using Google!
http://www.google.com/
(How-to: http://www.google.com/intl/en/help/basics.html )

Normal blurb from me:

Understanding what a good password might be is vital to your
personal and system security. You may think you do not need to password
your home computer, as you may have it in a locked area (your home) where
no one else has access to it. Remember, however, you aren't always
"in that locked area" when using your computer online - meaning you likely
have usernames and passwords associated with web sites and the likes that
you would prefer other people do not discover/use. This is why you should
understand and utilize good passwords.

Good passwords are those that meet these general rules
(mileage may vary):

Passwords should contain at least six characters, and the character
string should contain at least three of these four character types:
- uppercase letters
- lowercase letters
- numerals
- nonalphanumeric characters (e.g., *, %, &, !, :)

Passwords should not contain your name/username.
Passwords should be unique to you and easy to remember.

One method many people are using today is to make up a phrase that
describes a point in their life and then turn that phrase into their
password by using only certain letters out of each word in that phrase.
It's much better than using your birthday month/year or your anniversary
in a pure sense. For example, let's say my phrase is:
'Great new job in November 2006'
I could come up with this password from that:
'Gr8n3wj0bNOV2006'

I highly recommend you periodically change your passwords.
The suggested time varies, but I will throw out a 'once in
every 3 to 6 months for every account you have.'

Also - many people complain that they just cannot remember the passwords
for all the sites they have - so they choose one password and use it for
everything. Not a good idea. A much better method would be to use a
Password Management tool - so you only have to remember one password,
but it opens an application that stores your username/passwords for
everything else - plus other valuable information. One that I can
recommend:

KeePass Password Safe
http://keepass.sourceforge.net/

It can even generate passwords for you.

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
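Shenan's rules above, coded as a small policy checker so they can be applied to the post's own sample password 'Gr8n3wj0bNOV2006'. This is an added example, not code from the thread; treating each word of the user's name separately in the "must not contain your name/username" rule is an assumption about how that rule is meant.

```python
# Added example: Shenan Stanley's password rules from the post as a checker.
# Rules as stated: at least six characters, at least three of the four
# character classes (upper, lower, digit, non-alphanumeric), and the password
# must not contain the user's name or username.
MIN_LENGTH = 6
MIN_CLASSES = 3


def character_classes(password: str) -> set:
    """Return the set of character classes present in the password."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif ch.isdigit():
            classes.add("digit")
        else:
            # Anything else counts as the post's "nonalphanumeric" class.
            classes.add("symbol")
    return classes


def policy_violations(password: str, username: str = "", name: str = "") -> list:
    """Return the list of rules the password breaks; empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) < MIN_CLASSES:
        violations.append(f"fewer than {MIN_CLASSES} character classes")
    lowered = password.lower()
    # Assumption: the name rule is checked per word, case-insensitively, so
    # "Andy Fish" forbids both "andy" and "fish" anywhere in the password.
    for label, value in (("username", username), ("name", name)):
        for part in value.lower().split():
            if part and part in lowered:
                violations.append(f"contains {label} '{part}'")
    return violations


if __name__ == "__main__":
    # The post's worked example passes; a name-based password does not.
    print(policy_violations("Gr8n3wj0bNOV2006"))                     # []
    print(policy_violations("Andy2007!", "afish", "Andy Fish"))       # name hit
```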
 
Mark Trimble

Quoting Andy Fish on Fri, 19 Oct 2007 15:42:01 +0000:

> Hi,
>
> I just got a nice email from fasthosts - a UK ISP - saying that they
> have had a security breach and have lost security details including my
> password IN PLAIN TEXT !!...
>
> Andy


Never heard of a notice like that coming by e-mail. Looks to me like
someone's bucking for their advanced credentials in social engineering
(read: phishing). Proceed with caution.
 
Todd H.

"Shenan Stanley" <newshelper@gmail.com> writes:

> Andy Fish wrote:
> > I just got a nice email from fasthosts - a UK ISP - saying that
> > they have had a security breach and have lost security details
> > including my password IN PLAIN TEXT !!
> >
> > because I use the same password for different online systems, this
> > means someone who found out my email address (the real one - not
> > the one I'm using to post this) and fasthosts password could
> > potentially log on as me to many different sites.
> >
> > fortunately I use several different passwords including a separate
> > one for sites who I think might store it in plain text.
> > unfortunately I didn't think for a minute that an ISP would do
> > this, so I used a relatively secure password for them.
> >
> > if I can't trust anyone to encrypt my password, it seems that the
> > only way to be secure is to use a different password for every
> > system and then write them all down somewhere.
> >
> > I am an IT professional and I get the impression that most people
> > currently take a similar approach to me. If not, what's the best
> > way to manage so many passwords?

>
> Search using Google!
> http://www.google.com/
> (How-to: http://www.google.com/intl/en/help/basics.html )


Advising someone to trust whatever comes up in google to manage all
his passwords without asking other humans for opinions? Are you
nuggin futs?

The issue is that you can't swing a dead cat on google without
receiving adwords or "legit" results that may include spyware
including keyloggers.


Password Safe http://passwordsafe.sourceforge.net/ however is an
open source, free, peer reviewed and rather trusted solution to this
problem of managing a bashitload of passwords.

Your situation points out the problem with using a single password at
different sites and never changing it--because there are so few sites
out there that are actually rather secure and who've never ever had a
data breach.

Best Regards,
--
Todd H.
http://www.toddh.net/
 
Shenan Stanley

Andy Fish wrote:
> I just got a nice email from fasthosts - a UK ISP - saying that
> they have had a security breach and have lost security details
> including my password IN PLAIN TEXT !!
>
> because I use the same password for different online systems, this
> means someone who found out my email address (the real one - not
> the one I'm using to post this) and fasthosts password could
> potentially log on as me to many different sites.
>
> fortunately I use several different passwords including a separate
> one for sites who I think might store it in plain text.
> unfortunately I didn't think for a minute that an ISP would do
> this, so I used a relatively secure password for them.
>
> if I can't trust anyone to encrypt my password, it seems that the
> only way to be secure is to use a different password for every
> system and then write them all down somewhere.
>
> I am an IT professional and I get the impression that most people
> currently take a similar approach to me. If not, what's the best
> way to manage so many passwords?


Shenan Stanley wrote:
> Search using Google!
> http://www.google.com/
> (How-to: http://www.google.com/intl/en/help/basics.html )
>
> Normal blurb from me:
>
> Understanding what a good password might be is vital to your
> personal and system security. You may think you do not need to
> password your home computer, as you may have it in a locked area
> (your home) where no one else has access to it. Remember, however,
> you aren't always "in that locked area" when using your computer
> online - meaning you likely have usernames and passwords associated
> with web sites and the likes that you would prefer other people do
> not discover/use. This is why you should understand and utilize
> good passwords.
>
> Good passwords are those that meet these general rules
> (mileage may vary):
>
> Passwords should contain at least six characters, and the character
> string should contain at least three of these four character types:
> - uppercase letters
> - lowercase letters
> - numerals
> - nonalphanumeric characters (e.g., *, %, &, !, :)
>
> Passwords should not contain your name/username.
> Passwords should be unique to you and easy to remember.
>
> One method many people are using today is to make up a phrase that
> describes a point in their life and then turn that phrase into
> their password by using only certain letters out of each word in
> that phrase. It's much better than using your birthday month/year
> or your anniversary in a pure sense. For example, let's say my
> phrase is: 'Great new job in November 2006'
> I could come up with this password from that:
> 'Gr8n3wj0bNOV2006'
>
> I highly recommend you periodically change your passwords.
> The suggested time varies, but I will throw out a 'once in
> every 3 to 6 months for every account you have.'
>
> Also - many people complain that they just cannot remember the
> passwords for all the sites they have - so they choose one password
> and use it for everything. Not a good idea. A much better method
> would be to use a Password Management tool - so you only have to
> remember one password, but it opens an application that stores
> your username/passwords for everything else - plus other valuable
> information. One that I can recommend:
>
> KeePass Password Safe
> http://keepass.sourceforge.net/
>
> It can even generate passwords for you.


<inline below here...>

Todd H. wrote:
> Advising someone to trust whatever comes up in google to manage all
> his passwords without asking other humans for opinions? Are you
> nuggin futs?


Cutting off the meat of the post, who's 'nuggin futs'?
No worries - I put it back.

You should also know your audience when giving advice...
From the original posting:
'I am an IT professional ...'

You'd think they might be able to figure out the false from the true when it
comes to software - or at least know how to test that safely...

> The issue is that you can't swing a dead cat on google without
> receiving adwords or "legit" results that may include spyware
> including keyloggers.


Yes - common sense is required for using Google...

For example - you have to learn to use Google (thus my link) and I would not
search for "Password Manager" and expect much, but, if you simply add a few
things...

"Password Manager" freeware review rank
http://www.google.com/search?q="Password+Manager"+freeware+review+rank

You get some decent hits, like...
http://www.snapfiles.com/get/keepass.html
Which can lead you to more ranked Password Managers:
http://www.snapfiles.com/Freeware/security/fwpass.html

And more...

Yes - you have to sift and test - but once you lock onto a single product
you like the looks of - research it... Use Google to search for reviews on
the product..

http://www.download.com/KeePass-Password-Safe/3640-2092_4-10615419.html?sb=1&v=0
http://www.snapfiles.com/opinions/KeePass_Password_Safe/KeePass_Password_Safe.html

So, yeah - in order to do the first part - and only the first part - of my
response - you have to have a bit of common sense.

> Password Safe http://passwordsafe.sourceforge.net/ however is an
> open source, free, peer reviewed and rather trusted solution to this
> problem of managing a bashitload of passwords.


One of many - just like the one I gave...
I used it once - switched to KeePass.

Giving the OP more options is what this is all about.
Having a ranking system would be good too.

http://fileforum.betanews.com/browse/Security/PasswordManagers?start=0&sortby=rating
*note - I don't recommend necessarily using the BETAS and ALPHA versions of
software - but you can get an idea here of what they are doing in their next
version and how well they are doing it and then visit the main site and get
their full release product.

> Your situation points out the problem with using a single password
> at different sites and never changing it--because there are so few
> sites out there that are actually rather secure and who've never
> ever had a data breach.


....

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
 
Todd H.

"Shenan Stanley" <newshelper@gmail.com> writes:

> Cutting off the meat of the post, who's 'nuggin futs'?
> No worries - I put it back.


Oh goody! I have a live one it seems.

> You should also know your audience when giving advice...
> From the original posting:
> 'I am an IT professional ...'


Likewise, consider that your audience for this post (me) is literate
and read that line too.

> You'd think they might be able to figure out the false from the true
> when it comes to software - or at least know how to test that
> safely...


You came out of the gate with the eye rolling "Search using Google!"
line of advice that's so condescending to begin with, and furthermore,
is rather ill advised when searching for things where strong trust is
involved it makes me want to puke. Call it a pet peeve.

Now, you eventually got around to some specific advice that he
wouldn't get of google, so kudos on eventually getting that right.

If you think every IT professional is capable of, has the knowledge of
the virtualization tools to, and has the time to reverse engineer
binaries or audit source code to make a judgement of "safety" of the
things that often come from a google search, then you know a
different subset of the folks who call themselves "IT professionals"
than I have experienced. I'd say it's a far safer bet that every IT
professional knows how to enter search terms in Google and generally
will before asking a question of their peers in a forum like this. So
do you know your audience?

It's just highly annoying when someone opens with the "Search using
Google!" advice quite condescendingly when someone is asking a
question that is best answered from the experience and interactive
advice from fleshy humans, and not just text matches from a
programmatic search engine. You might reconsider that opening--that's
all I'm sayin.


Best Regards,
--
Todd H.
http://www.toddh.net/
 
Shenan Stanley

Todd H. wrote:
> "Shenan Stanley" <newshelper@gmail.com> writes:
>
>> Cutting off the meat of the post, who's 'nuggin futs'?
>> No worries - I put it back.

>
> Oh goody! I have a live one it seems.
>
>> You should also know your audience when giving advice...
>> From the original posting:
>> 'I am an IT professional ...'

>
> Likewise, consider that your audience for this post (me) is
> literate and read that line too.
>
>> You'd think they might be able to figure out the false from the
>> true when it comes to software - or at least know how to test that
>> safely...

>
> You came out of the gate with the eye rolling "Search using Google!"
> line of advice that's so condescending to begin with, and
> furthermore, is rather ill advised when searching for things where
> strong trust is involved it makes me want to puke. Call it a pet
> peeve.
>
> Now, you eventually got around to some specific advice that he
> wouldn't get of google, so kudos on eventually getting that right.
>
> If you think every IT professional is capable of, has the knowledge
> of the virtualization tools to, and has the time to reverse engineer
> binaries or audit source code to make a judgement of "safety" of the
> things that often come from a google search, then you know a
> different subset of the folks who call themselves "IT professionals"
> than I have experienced. I'd say it's a far safer bet that every IT
> professional knows how to enter search terms in Google and generally
> will before asking a question of their peers in a forum like this.
> So do you know your audience?
>
> It's just highly annoying when someone opens with the "Search using
> Google!" advice quite condescendingly when someone is asking a
> question that is best answered from the experience and interactive
> advice from fleshy humans, and not just text matches from a
> programmatic search engine. You might reconsider that
> opening--that's all I'm sayin.


You're welcomed to your opinion...
Perhaps you should take your own advice. -)

--
Shenan Stanley
MS-MVP
--
How To Ask Questions The Smart Way
http://www.catb.org/~esr/faqs/smart-questions.html
 
Andy Fish

http://www.theregister.co.uk/2007/10/18/fasthost_police_hack_investigation/

this is a very well regarded tech news site in the UK

BTW I have decided to go with RoboForm which seems to be well reviewed.

One interesting point that occurred to me though. Say my fasthosts password
was the same as my paypal password, and someone who had got the password
from fasthosts made a fraudulent paypal payment.

would I have a claim against ukreg for not protecting my private details, or
would paypal claim that I was negligent for using the same password for 2
online services?


"Mark Trimble" <user@127.0.0.1> wrote in message
news:pan.2007.10.20.01.13.19@127.0.0.1...
> Quoting Andy Fish on Fri, 19 Oct 2007 15:42:01 +0000:
>
>> Hi,
>>
>> I just got a nice email from fasthosts - a UK ISP - saying that they
>> have had a security breach and have lost security details including my
>> password IN PLAIN TEXT !!...
>>
>> Andy

>
> Never heard of a notice like that coming by e-mail. Looks to me like
> someone's bucking for their advanced credentials in social engineering
> (read: phishing). Proceed with caution.
 
Unruh

"Shenan Stanley" <newshelper@gmail.com> writes:

>Andy Fish wrote:
>> I just got a nice email from fasthosts - a UK ISP - saying that
>> they have had a security breach and have lost security details
>> including my password IN PLAIN TEXT !!
>>
>> because I use the same password for different online systems, this
>> means someone who found out my email address (the real one - not
>> the one I'm using to post this) and fasthosts password could
>> potentially log on as me to many different sites.
>>
>> fortunately I use several different passwords including a separate
>> one for sites who I think might store it in plain text.
>> unfortunately I didn't think for a minute that an ISP would do
>> this, so I used a relatively secure password for them.


You can always tell if they told you to put in a phrase only you know or
something like that, or say they can recover your password for you.
They cannot do that if they do not have your cleartext password on file.



>>
>> if I can't trust anyone to encrypt my password, it seems that the
>> only way to be secure is to use a different password for every
>> system and then write them all down somewhere.
>>
>> I am an IT professional and I get the impression that most people
>> currently take a similar approach to me. If not, what's the best
>> way to manage so many passwords?


>Shenan Stanley wrote:
>> Search using Google!
>> http://www.google.com/
>> (How-to: http://www.google.com/intl/en/help/basics.html )
>>
>> Normal blurb from me:
>>
>> Understanding what a good password might be is vital to your
>> personal and system security. You may think you do not need to
>> password your home computer, as you may have it in a locked area
>> (your home) where no one else has access to it. Remember, however,
>> you aren't always "in that locked area" when using your computer
>> online - meaning you likely have usernames and passwords associated
>> with web sites and the likes that you would prefer other people do
>> not discover/use. This is why you should understand and utilize
>> good passwords.
>>
>> Good passwords are those that meet these general rules
>> (mileage may vary):
>>
>> Passwords should contain at least six characters, and the character
>> string should contain at least three of these four character types:
>> - uppercase letters
>> - lowercase letters
>> - numerals
>> - nonalphanumeric characters (e.g., *, %, &, !, :)
>>
>> Passwords should not contain your name/username.
>> Passwords should be unique to you and easy to remember.
>>
>> One method many people are using today is to make up a phrase that
>> describes a point in their life and then turn that phrase into
>> their password by using only certain letters out of each word in
>> that phrase. It's much better than using your birthday month/year
>> or your anniversary in a pure sense. For example, let's say my
>> phrase is: 'Great new job in November 2006'
>> I could come up with this password from that:
>> 'Gr8n3wj0bNOV2006'
>>
>> I highly recommend you periodically change your passwords.
>> The suggested time varies, but I will throw out a 'once in
>> every 3 to 6 months for every account you have.'
>>
>> Also - many people complain that they just cannot remember the
>> passwords for all the sites they have - so they choose one password
>> and use it for everything. Not a good idea. A much better method
>> would be to use a Password Management tool - so you only have to
>> remember one password, but it opens an application that stores
>> your username/passwords for everything else - plus other valuable
>> information. One that I can recommend:
>>
>> KeePass Password Safe
>> http://keepass.sourceforge.net/
>>
>> It can even generate passwords for you.


><inline below here...>


>Todd H. wrote:
>> Advising someone to trust whatever comes up in google to manage all
>> his passwords without asking other humans for opinions? Are you
>> nuggin futs?


>Cutting off the meat of the post, who's 'nuggin futs'?
>No worries - I put it back.


>You should also know your audience when giving advice...
>From the original posting:
>'I am an IT professional ...'


>You'd think they might be able to figure out the false from the true when it
>comes to software - or at least know how to test that safely...


>> The issue is that you can't swing a dead cat on google without
>> receiving adwords or "legit" results that may include spyware
>> including keyloggers.


>Yes - common sense is required for using Google...


>For example - you have to learn to use Google (thus my link) and I would not
>search for "Password Manager" and expect much, but, if you simply add a few
>things...


>"Password Manager" freeware review rank
>http://www.google.com/search?q="Password+Manager"+freeware+review+rank


>You get some decent hits, like...
>http://www.snapfiles.com/get/keepass.html
>Which can lead you to more ranked Password Managers:
>http://www.snapfiles.com/Freeware/security/fwpass.html


>And more...


>Yes - you have to sift and test - but once you lock onto a single product
>you like the looks of - research it... Use Google to search for reviews on
>the product..


>http://www.download.com/KeePass-Password-Safe/3640-2092_4-10615419.html?sb=1&v=0
>http://www.snapfiles.com/opinions/KeePass_Password_Safe/KeePass_Password_Safe.html


>So, yeah - in order to do the first part - and only the first part - of my
>response - you have to have a bit of common sense.


>> Password Safe http://passwordsafe.sourceforge.net/ however is an
>> open source, free, peer reviewed and rather trusted solution to this
>> problem of managing a bashitload of passwords.


>One of many - just like the one I gave...
>I used it once - switched to KeePass.


>Giving the OP more options is what this is all about.
>Having a ranking system would be good too.


>http://fileforum.betanews.com/browse/Security/PasswordManagers?start=0&sortby=rating
>*note - I don't recommend necessarily using the BETAS and ALPHA versions of
>software - but you can get an idea here of what they are doing in their next
>version and how well they are doing it and then visit the main site and get
>their full release product.


>> Your situation points out the problem with using a single password
>> at different sites and never changing it--because there are so few
>> sites out there that are actually rather secure and who've never
>> ever had a data breach.


>...


>--
>Shenan Stanley
> MS-MVP
>--
>How To Ask Questions The Smart Way
>http://www.catb.org/~esr/faqs/smart-questions.html
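Unruh's tell, that a site able to "recover" your password must hold it in cleartext, contrasted in code. This is an added example, not code from the thread: a plaintext user store like the one Andy's ISP evidently had, beside a salted-hash store; the choice of PBKDF2-HMAC-SHA256 from Python's standard library as the hash is an assumption. The hashed store can check a login but has nothing to hand back, so only a reset is possible.

```python
import hashlib
import hmac
import os

# Added example (not code from the thread): the two ways a site can hold a
# user's password. KDF choice (PBKDF2-HMAC-SHA256, standard library) is an
# assumption; the point is what each stored record lets a holder of it do.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


class PlaintextStore:
    """What the ISP evidently did: the stored record *is* the password."""

    def __init__(self):
        self.users = {}

    def register(self, username, password):
        self.users[username] = password

    def verify(self, username, password):
        return self.users.get(username) == password

    def recover_password(self, username):
        # Works only because the cleartext is on file: the tell Unruh describes.
        return self.users.get(username)


class HashedStore:
    """Stored record is (salt, hash): logins can be checked, passwords not returned."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS)

    def register(self, username, password):
        salt = os.urandom(SALT_BYTES)  # fresh random salt per user
        self.users[username] = (salt, self._derive(password, salt))

    def verify(self, username, password):
        record = self.users.get(username)
        if record is None:
            return False
        salt, stored = record
        # Constant-time comparison of the recomputed hash against the stored one.
        return hmac.compare_digest(stored, self._derive(password, salt))

    def recover_password(self, username):
        # Nothing to hand back: from this record only a reset is possible.
        return None


def record_contains_cleartext(store, username, password):
    """Breach view: does a copy of the stored record expose the password itself?"""
    return store.users[username] == password


if __name__ == "__main__":
    for store in (PlaintextStore(), HashedStore()):
        store.register("andy", "Gr8n3wj0bNOV2006")
        print(type(store).__name__, store.verify("andy", "Gr8n3wj0bNOV2006"),
              store.recover_password("andy"))
```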
 
Mark Randall

"Andy Fish" <ajfish@blueyonder.co.uk> wrote:
> would I have a claim against ukreg for not protecting my private details,
> or would paypal claim that I was negligent for using the same password for
> 2 online services?


You'd have a claim for them allowing personally identifiable material and
passwords to be revealed.

I and many others have been considering it also who are in the same
situation.

Regards,

Mark Randall
 
Ari

On Fri, 19 Oct 2007 15:42:01 GMT, Andy Fish wrote:

> if I can't trust anyone to encrypt my password, it seems that the only way
> to be secure is to use a different password for every system and then write
> them all down somewhere.
>
> I am an IT professional and I get the impression that most people currently
> take a similar approach to me. If not, what's the best way to manage so many
> passwords?
>
> Andy


KeePass
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/
 
AnthonyM

On Oct 24, 12:42 pm, Ari <arisilverst...@yahoo.com> wrote:
> On Fri, 19 Oct 2007 15:42:01 GMT, Andy Fish wrote:
> > if I can't trust anyone to encrypt my password, it seems that the only way
> > to be secure is to use a different password for every system and then write
> > them all down somewhere.

>
> > I am an IT professional and I get the impression that most people currently
> > take a similar approach to me. If not, what's the best way to manage so many
> > passwords?

>
> > Andy

>
> KeePass
> --
> "You can't trust code that you did not totally create yourself"
> Ken Thompson "Reflections on Trusting Trust"http://www.acm.org/classics/sep95/


I use a modified approach to all the solutions mentioned above. Truly
it doesn't matter if you keep them in an excel file. If they are
stored somewhere, there is a potential vulnerability. So I use
different passwords for every site, and I do store 1/2 of the password
in a system (I won't endorse a particular one, but I've used several
methods, Excel, RoboForm, Keepass, UltraSafe). So I put 1/2 of the
password in the system. I usually do a random generated 8-10
character key. Then, I memorize a 2nd 1/2 that is a keyphrase. This
helps me feel secure that even if my method of storing passwords is
compromised, they still have to come up with the 2nd half of the
password that is memorized.

Just a thought.

Anthony Maughan
Systems Engineer, MCSE + Security
Positive Networks
http://www.phonefactor.net - Strong Authentication
 
Sebastian G.

AnthonyM wrote:


> I use a modified approach to all the solutions mentioned above. Truly
> it doesn't matter if you keep them in an excel file. If they are
> stored somewhere, there is a potential vulnerability. So I use
> different passwords for every site, and I do store 1/2 of the password
> in a system (I won't endorse a particular one, but I've used several
> methods, Excel, RoboForm, Keepass, UltraSafe). So I put 1/2 of the
> password in the system. I usually do a random generated 8-10
> character key. Then, I memorize a 2nd 1/2 that is a keyphrase. This
> helps me feel secure that even if my method of storing passwords is
> compromised, they still have to come up with the 2nd half of the
> password that is memorized.



Or written in another way: If one of your passwords gets compromised
externally, half of each of your other passwords is also compromised.
Very very very stupid idea!

> Systems Engineer, MCSE + Security


~~~~

Oh well, you're a Minesweeper Consultant and Solitaire Expert?

> http://www.phonefactor.net - Strong Authentication



Nah... that's too easy...
 
Ari

On Wed, 24 Oct 2007 18:54:08 -0000, AnthonyM wrote:

>>> I am an IT professional and I get the impression that most people currently
>>> take a similar approach to me. If not, what's the best way to manage so many
>>> passwords?

>>
>>> Andy

>>
>> KeePass
>> --
>> "You can't trust code that you did not totally create yourself"
>> Ken Thompson "Reflections on Trusting Trust"http://www.acm.org/classics/sep95/

>
> I use a modified approach to all the solutions mentioned above. Truly
> it doesn't matter if you keep them in an excel file. If they are
> stored somewhere, there is a potential vulnerability.


The level of vulnerability is the question. If you placed KeePass in a
truecrypted container, then placed fake passwords in an "open" Excel
file, you may have the best of the best.

> So I use
> different passwords for every site, and I do store 1/2 of the password
> in a system (I won't endorse a particular one, but I've used several
> methods, Excel, RoboForm, Keepass, UltraSafe). So I put 1/2 of the
> password in the system. I usually do a random generated 8-10
> character key. Then, I memorize a 2nd 1/2 that is a keyphrase. This
> helps me feel secure that even if my method of storing passwords is
> compromised, they still have to come up with the 2nd half of the
> password that is memorized.
>
> Just a thought.
>
> Anthony Maughan


Depending on the password, that isn't hard to do.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/
 
Steve Riley [MSFT]

Contrary to what a lot of others claim, it's even ok to write your passwords
down. Now, you just need to protect the piece of paper.

Your choice of password management tools is less important than your method
of protecting the storage.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Andy Fish" <ajfish@blueyonder.co.uk> wrote in message
news:df4Si.204905$BW4.136223@fe1.news.blueyonder.co.uk...
> Hi,
>
> I just got a nice email from fasthosts - a UK ISP - saying that they have
> had a security breach and have lost security details including my password
> IN PLAIN TEXT !!
>
> because I use the same password for different online systems, this means
> someone who found out my email address (the real one - not the one I'm
> using to post this) and fasthosts password could potentially log on as me
> to many different sites.
>
> fortunately I use several different passwords including a separate one for
> sites who I think might store it in plain text. unfortunately I didn't
> think for a minute that an ISP would do this, so I used a relatively
> secure password for them.
>
> if I can't trust anyone to encrypt my password, it seems that the only way
> to be secure is to use a different password for every system and then
> write them all down somewhere.
>
> I am an IT professional and I get the impression that most people
> currently take a similar approach to me. If not, what's the best way to
> manage so many passwords?
>
> Andy
>
>
>

Ari

On Wed, 24 Oct 2007 19:27:16 -0700, Steve Riley [MSFT] wrote:

> Contrary to what a lot of others claim, it's even ok to write your passwords
> down. Now, you just need to protect the piece of paper.
>
> Your choice of password management tools is less important than your method
> of protecting the storage.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com


Accessibility, functional use come into play. A piece of paper that you
have to hide in your butthole and pull out several times a day isn't
what I would call practical.

Keepass is.
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

Steve Riley [MSFT]

LOL. There would be moisture problems with that approach, as well.

Nevertheless, my point was the second paragraph. Personally, I prefer to
keep the passwords off the computer. For some folks, paper works fine. I use
a password-protected list application on my smart phone.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Ari" <arisilverstein@yahoo.com> wrote in message
news:s8a5gokzxxsu.v46tqbdpgycy.dlg@40tude.net...
> On Wed, 24 Oct 2007 19:27:16 -0700, Steve Riley [MSFT] wrote:
>
>> Contrary to what a lot of others claim, it's even ok to write your
>> passwords
>> down. Now, you just need to protect the piece of paper.
>>
>> Your choice of password management tools is less important than your
>> method
>> of protecting the storage.
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com

>
> Accessibility, functional use come into play. A piece of paper that you
> have to hide in your butthole and pull out several times a day isn't
> what I would call practical.
>
> Keepass is.
> --
> "You can't trust code that you did not totally create yourself"
> Ken Thompson "Reflections on Trusting Trust"
> http://www.acm.org/classics/sep95/

Ari

On Thu, 25 Oct 2007 00:06:20 -0700, Steve Riley [MSFT] wrote:

> Nevertheless, my point was the second paragraph. Personally, I prefer to
> keep the passwords off the computer. For some folks, paper works fine. I use
> a password-protected list application on my smart phone.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com


Steve, I'll take your word for it but I have never had one person who
used paper to be able to develop any scheme that was sufficiently safe.
The smart phone idea seems unnecessarily impractical in view of the
number of ways you can encrypt and launch URLs, etc from a program like
KeePass. Or a Cryptainer LE where you could keep a spreadsheet.

What is it, I'm curious, that keeps you distant from the use of these
alternatives?
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/

Steve Riley [MSFT]

Several colleagues use their wallets to protect their pieces of paper.

I use my smart phone because I'm often having to use many different
computers. My choice to use my smart phone is purely out of convenience. I'm
not opposed to the category of products that KeePass represents.

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Ari" <arisilverstein@yahoo.com> wrote in message
news:emrt6nz7cya7$.3o30xlxbsial.dlg@40tude.net...
> On Thu, 25 Oct 2007 00:06:20 -0700, Steve Riley [MSFT] wrote:
>
>> Nevertheless, my point was the second paragraph. Personally, I prefer to
>> keep the passwords off the computer. For some folks, paper works fine. I
>> use
>> a password-protected list application on my smart phone.
>>
>> --
>> Steve Riley
>> steve.riley@microsoft.com
>> http://blogs.technet.com/steriley
>> http://www.protectyourwindowsnetwork.com

>
> Steve, I'll take your word for it but I have never had one person who
> used paper to be able to develop any scheme that was sufficiently safe.
> The smart phone idea seems unnecessarily impractical in view of the
> number of ways you can encrypt and launch URLs, etc from a program like
> KeePass. Or a Cryptainer LE where you could keep a spreadsheet.
>
> What is it, I'm curious, that keeps you distant from the use of these
> alternatives?
> --
> "You can't trust code that you did not totally create yourself"
> Ken Thompson "Reflections on Trusting Trust"
> http://www.acm.org/classics/sep95/