passwords

Ari

On Fri, 26 Oct 2007 02:45:45 -0700, Steve Riley [MSFT] wrote:

> Several colleagues use their wallets to protect their pieces of paper.
>
> I use my smart phone because I'm often having to use many different
> computers. My choice to use my smart phone is purely out of convenience. I'm
> not opposed to the category of products that KeePass represents.
>
> --
> Steve Riley
> steve.riley@microsoft.com
> http://blogs.technet.com/steriley
> http://www.protectyourwindowsnetwork.com


Thx, appreciate the response.

Wallets? lol
--
"You can't trust code that you did not totally create yourself"
Ken Thompson "Reflections on Trusting Trust"
http://www.acm.org/classics/sep95/
 
AnthonyM

On Oct 24, 4:11 pm, "Sebastian G." <se...@seppig.de> wrote:
> AnthonyM wrote:
> > I use a modified approach to all the solutions mentioned above. Truly
> > it doesn't matter if you keep them in an excel file. If they are
> > stored somewhere, there is a potential vulnerability. So I use
> > different passwords for every site, and I do store 1/2 of the password
> > in a system (I won't endorse a particular one, but I've used several
> > methods, Excel, RoboForm, Keepass, UltraSafe). So I put 1/2 of the
> > password in the system. I usually do a random generated 8-10
> > character key. Then, I memorize a 2nd 1/2 that is a keyphrase. This
> > helps me feel secure that even if my method of storing passwords is
> > compromised, they still have to come up with the 2nd half of the
> > password that is memorized.
>
> Or written in another way: If one of your passwords gets compromised
> externally, half of each of your other passwords is also compromised.
> Very very very stupid idea!
>
> > Systems Engineer, MCSE + Security
>
> ~~~~
>
> Oh well, you're a Minesweeper Consultant and Solitaire Expert?
>
> >http://www.phonefactor.net- Strong Authentication
>
> Nah... that's too easy...


I will happily respond to an intelligent, even sort of thought through
opinion. What I can't respond to is an infantile attack on my
credentials and my idea without any supporting information. Do you
really think that having half of a 25 character password of an
unknown number of passwords to an unknown number of sources is
meaningful in any way other than being proud of it? What about if
someone releases the sourcecode to keepass or roboform etc? Perhaps
you can easily memorize 40 25 character passwords every 30 days, but I
can't. So rather than recording all 40 passwords in some hopefully
secure manner, I store half of them. I read several of your other
posts, it seems you are intelligent. Couldn't you be more helpful
rather than sarcastic and condescending? Thanks Sebastian, for making
one of my first attempts at responding in a newsgroup so pleasant.
 
Sebastian G.

AnthonyM wrote:

> Do you really think that having half of a 25 character password of an
> unknown number of passwords to an unknown number of sources is
> meaningful in any way other than being proud of it?

Yes. Not just that you assume the number of passwords and the corresponding
sources to the attackers to be known, you should also understand what
entropy means and how it turns the remaining 12 characters into a feasible
dictionary attack.

> What about if someone releases the sourcecode to keepass or roboform etc?

Aside from the fact that keepass already is open source, why should this be
any problem at all? Quite the contrary holds: Roboform is unacceptable
because it's not open source.
Even if you trust the vendor to not send out your passwords in a covert
channel, you cannot trust them about the crypto implementation. How sure are
you that the entropy collection does a proper job and not just takes some
well guessable or even highly choosable input? How sure are you that they
properly protect the memory region where the cryptographic key is stored
from being paged out to disc? Without the source code, you can assure that
their programmers didn't fall into at least one of the common pitfalls,
which is very likely.

> Perhaps you can easily memorize 40 25 character passwords every 30 days,
> but I can't.

Sure you can, it's very easy: It's called a "pass phrase" for a reason.
BTW, just exactly this sentence gives you an easily memorizable, quickly
typeable pass phrase with sufficient entropy.

And with using a password manager, you need to memorize only exactly *one*
pass phrase.
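The entropy argument above, worked through as an added example (not code from anyone in this thread): it models the split scheme from earlier in the thread, where every site password is a random part kept in the manager plus one memorized keyphrase shared by all sites, and shows what search space is left under each compromise. The alphabet size, word-list size and guess rate are assumptions chosen for illustration.

```python
import math

# Constructed model of the split-password scheme discussed in the thread:
# site password = random part (stored in the manager) + memorized keyphrase,
# and the keyphrase is the same for every site.

PRINTABLE = 94      # assumed: printable ASCII symbols a random generator picks from
WORDLIST = 7776     # assumed: size of the word list a keyphrase is drawn from


def random_part_bits(length: int, alphabet: int = PRINTABLE) -> float:
    """Entropy in bits of a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet)


def keyphrase_bits(words: int, wordlist: int = WORDLIST) -> float:
    """Entropy in bits of a phrase of `words` words chosen uniformly from the list."""
    return words * math.log2(wordlist)


def remaining_bits(scenario: str, random_len: int = 8, words: int = 3) -> float:
    """Bits an attacker still has to search for one more site's password.

    'none'  - nothing leaked: both halves must be guessed
    'store' - the manager's store leaked: only the shared keyphrase is left
    'site'  - one site's full password leaked: the keyphrase is now known for
              every site, so each other site is protected only by its random part
    'both'  - store and one site leaked: nothing is left to guess
    """
    r, k = random_part_bits(random_len), keyphrase_bits(words)
    return {"none": r + k, "store": k, "site": r, "both": 0.0}[scenario]


def expected_guess_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to find the password (half the space) at an assumed offline rate."""
    return (2.0 ** bits / 2.0) / guesses_per_second


if __name__ == "__main__":
    for s in ("none", "store", "site", "both"):
        b = remaining_bits(s)
        print(f"{s:5s}: {b:6.1f} bits, ~{expected_guess_seconds(b):.3g} s")
    # a single, longer pass phrase guarding the manager, the alternative Sebastian describes
    print(f"6-word pass phrase: {keyphrase_bits(6):.1f} bits")
```

The point the numbers make is that the split only helps when exactly one of the two halves leaks, and a leak of any single site password removes the memorized half for every other site at once.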
 
Alun Jones

"Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
news:eFKW9U7FIHA.4808@TK2MSFTNGP05.phx.gbl...
> Several colleagues use their wallets to protect their pieces of paper.


What a strange idea, using a device whose very purpose is to collect small
pieces of paper and prevent them from falling into other people's hands!

Alun.
~~~~
 
Steve Riley [MSFT]

Yeah, the utility of the idea is shocking, indeed. :)

--
Steve Riley
steve.riley@microsoft.com
http://blogs.technet.com/steriley
http://www.protectyourwindowsnetwork.com


"Alun Jones" <alun@texis.invalid> wrote in message
news:OmW98FXHIHA.4880@TK2MSFTNGP03.phx.gbl...
> "Steve Riley [MSFT]" <steve.riley@microsoft.com> wrote in message
> news:eFKW9U7FIHA.4808@TK2MSFTNGP05.phx.gbl...
>> Several colleagues use their wallets to protect their pieces of paper.
>
> What a strange idea, using a device whose very purpose is to collect small
> pieces of paper and prevent them from falling into other people's hands!
>
> Alun.
> ~~~~
>