raddevus wrote: Use a password manager
I find it interesting that there are lots of people here on CP that are against using the cloud for security reasons but have no problem handing over every single password they have to a single source.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
011111100010 wrote: against using the cloud for security reasons but have no problem handing over every single password they have to a single source
On a related thread, one of the professors I had a programming security course with in college advocated 25+ character passwords with the standard suggestions, unique for every site/system, change regularly, etc., plus didn't contain any complete or commonly used slang words*. This was over 10 years ago, so it should have been reasonably strong against systems of the time.
The final part of his advice was to write the password with the site, date created/changed, etc. in a spiral notebook, and NOT save it to a file on your PC. Then stick that notebook in a locked desk drawer.
His reasoning behind that was if someone had physical access to your PC, it was as good as compromised anyway. They could copy your hard drive and brute force it or any number of other attack types. It sounded** like good advice at the time, but it certainly didn't travel well.
* He never mentioned checking for non-English slang, I wonder if that would matter...
** Not saying it WAS good advice, just that it sounded that way to someone who was still learning security theories. Yes, keyloggers were still a weak point against this method.
I'll repeat what I said to OP about saving pwds in cloud:
raddevus: That's why my password manager (http://cyapass.com) does not save your passwords anywhere.
That is not hyperbole. With C'YaPass your password is generated every time from:
1. your site key
2. the pattern you draw
The final output is a SHA-256 hash which you use as your password (64 characters long).
And...the site keys you create to remember which site you use the password at are stored only on your machine and you can manage them yourself. Never stored in the cloud. You (the user) own everything and it is open source too.
011111100010 wrote: lots of people here on CP that are against using the cloud for security reasons but have no problem handing over every single password they have to a single source.
I do too.
That's why my password manager (http://cyapass.com) does not save your passwords anywhere.
That is not hyperbole. With C'YaPass your password is generated every time from:
1. your site key
2. the pattern you draw
The final output is a SHA-256 hash which you use as your password (64 characters long).
And...the site keys you create to remember which site you use the password at are stored only on your machine and you can manage them yourself. Never stored in the cloud. You (the user) own everything and it is open source too.
You are the perfect foil for my marketing message. Thanks!
raddevus wrote: it is open source too.
Which makes it easy to figure out how to hack, so once someone has access to your computer, whoops.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
I think you've missed the point.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
011111100010 wrote: I think you've missed the point.
I often do.
But, it's just because I'm oblivious.
However, I am also obsequious, purple and clairvoyant.
modified 28-Sep-18 14:43pm.
I had written something similar several years ago and it worked great until one day:
My account was flagged for an insecure password due to only having a HEX character set, never mind the length. This led me to deduce that the email server software we used encrypted the passwords as opposed to hashing them. The SysAdmin laughed when he saw my kilometer-long password being flagged due to a lack of special characters.
Director of Transmogrification Services
Shinobi of Query Language
Master of Yoda Conditional
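The generation scheme raddevus describes above (site key plus drawn pattern in, SHA-256 hex out) and the failure Donathan ran into (a hex-only password rejected by a complexity policy) can both be shown in a few lines. The following is an added example written for this thread, not C'YaPass's own code: the separator, the way the drawn pattern is serialized as an ordered list of dot indices, the sample site key and pattern, and the policy rules are all assumptions. The last function is this example's own alternative encoding of the same digest that always satisfies a per-class policy and a length cap; it is not what C'YaPass does.

```python
import hashlib
import re
import string

# Constructed sample inputs (not taken from the thread): a site key and the
# ordered indices of the dots a user touched while drawing the pattern.
SITE_KEY = "example.com"
PATTERN = [0, 4, 8, 5, 2]

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "!@#$%^&*()-_=+[]{}:;,.?"


def derive_digest(site_key, pattern):
    """Re-create the 32-byte secret from the site key and the drawn pattern.
    Nothing is stored; the same inputs always give the same bytes.
    The '|' separator and ',' joining are assumptions of this example."""
    material = (site_key + "|" + ",".join(str(p) for p in pattern)).encode("utf-8")
    return hashlib.sha256(material).digest()


def hex_password(site_key, pattern):
    """The scheme described in the thread: the SHA-256 hex digest (64 chars)
    is used directly as the password."""
    return derive_digest(site_key, pattern).hex()


def policy_violations(pw, min_len=8, max_len=None):
    """Evaluate a password against a typical site policy (length bounds plus one
    character from each class) and return the names of the rules it breaks.
    An empty list means the password would be accepted."""
    failures = []
    if len(pw) < min_len:
        failures.append("too_short")
    if max_len is not None and len(pw) > max_len:
        failures.append("too_long")
    if not re.search(r"[a-z]", pw):
        failures.append("no_lowercase")
    if not re.search(r"[A-Z]", pw):
        failures.append("no_uppercase")
    if not re.search(r"[0-9]", pw):
        failures.append("no_digit")
    if not any(c in SPECIAL for c in pw):
        failures.append("no_special")
    return failures


def policy_password(site_key, pattern, length=20):
    """Deterministic alternative encoding of the same digest that always contains
    one character from each class and fits under a length cap. This is the
    example's own construction, not C'YaPass's. Digest bytes 0-3 each select a
    guaranteed member of one class; the remaining bytes fill the rest of the
    password from the combined alphabet. Indexing with 'byte % len' introduces a
    small modulo bias, acceptable for a demonstration but worth noting."""
    digest = derive_digest(site_key, pattern)
    if length < 4 or length > len(digest):
        raise ValueError("length must be between 4 and 32")
    classes = (LOWER, UPPER, DIGITS, SPECIAL)
    full = "".join(classes)
    chars = [cls[b % len(cls)] for cls, b in zip(classes, digest)]
    chars += [full[b % len(full)] for b in digest[4:length]]
    return "".join(chars)


if __name__ == "__main__":
    hex_pw = hex_password(SITE_KEY, PATTERN)
    print("hex password :", hex_pw, policy_violations(hex_pw))
    print("with 12 cap  :", policy_violations(hex_pw, max_len=12))
    fitted = policy_password(SITE_KEY, PATTERN)
    print("policy-shaped:", fitted, policy_violations(fitted, max_len=20))
```

Running it shows the point of the story: a lowercase hex digest can never satisfy "needs an uppercase letter" or "needs a special character", and a 64-character output is also rejected by any site that caps length, no matter how much entropy it carries. Re-encoding the same digest, as in the last function, keeps the derivation stateless while fitting the policy.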
Great story!
I always find it funny / frustrating too when they enforce special chars but then only allow 12 char length. The devs at the other end have no idea what they're doing.
raddevus wrote: Use a password manager (like cyapass.com)
That site isn't https!!! How can I trust a password manager that doesn't even secure its own site!?
The only way to trust a password manager is to write it yourself. I've gotten to the point of paranoia when it comes to cyber security. Even using a VM to browse the internet, leaving my main development computer on Windows 7 not connected to the internet. Who needs security updates when it's not ever online.
When you are dead, you won't even know that you are dead. It's a pain only felt by others.
Same thing when you are stupid.
modified 19-Nov-21 21:01pm.
If it's the one with the unique connecting the dots for the password, I have and do. It's really good. That's why I made the point of writing it yourself. Using open source is a great way to make your own modifications and you know the source code.
When you are dead, you won't even know that you are dead. It's a pain only felt by others.
Same thing when you are stupid.
modified 19-Nov-21 21:01pm.
Donathan.Hutchings wrote: I have and do. It's really good
Thanks very much. Glad there are some people out there using it.
I use it numerous times every day and it works well for me.
RJOberg wrote: That site isn't https!!! How can I trust a password manager that doesn't even secure its own site!
That's funny and relevant.
However, you can download the apps (android), winform etc and run them from your machine.
Also, nothing (your site keys, passwords, etc.) is ever sent over HTTP.
However, again, you do make a great point.
I was just too lazy / cheap to make the site HTTPS, but I probably will soon, because I did it for my other site (https://newlibre.com -- still in development.)
Thanks for raising the issue.
BTW,
Here's a complete tech explanation of my project with all source etc.
Users Hate Passwords (We're All Users): Never Memorize a Password Again
Was merely poking a bit of fun, hence the joke icon. I didn't see a place to sign up and have you store the resulting values, so I wasn't too concerned.
On a more serious note, I loved the idea! Going to give it a go and see if I can integrate it with a hobby side project I'm working on.
It does get you thinking though... just how predictable are humans with pattern generation? Are we as predictable in the patterns we draw as we are in the words we choose, like that Ars article linked on the page mentioned?
The new IoT security bill covers a number of important areas. For example, for manufacturers, IoT devices will need to contain certain safety and security features. That should solve all our problems.
Reads like an invitation for money-strapped municipalities to make a buck.
Quote: The preset password must be unique to each device that is manufactured.
The device must ask the user to generate a new authentication method before being able to use it for the first time.
Yeah, those are requirements which are very very hard to meet. I remember SCADA and Iran...
Then I understand why there are people opposing that law.
Oh sanctissimi Wilhelmus, Theodorus, et Fredericus!
"Around 2030 we expect to begin developing propellant and sending it to spacecraft."
Just be careful of putting explosives on the far side of the moon.
Didn't that already happen in 1999?
Freedom is the freedom to say that two plus two make four. If that is granted, all else follows.
-- 6079 Smith W.
It was a horrid event, yes. I miss the Moon.
(And I miss that show)
TTFN - Kent
So they're going to convert the attic into a spare bedroom and put a jerry-built conservatory on the back and stick a granny flat to the side?
That really is so 1999, it hurts.
Whenever you find yourself on the side of the majority, it is time to pause and reflect. - Mark Twain
It is a highly scalable and fault-tolerant distributed data store for sequential data. LogDevice comes with features such as high write availability, consistency guarantees, non-deterministic record placement, and a local log store. "The log driver's waltz pleases girls completely"