Bay 12 Games Forum

Pages: 1 [2] 3 4

Author Topic: Heartbleed Exploit - Most servers patched, but assume ALL passwords compromised  (Read 3364 times)

Willfor

  • Bay Watcher
  • The great magmaman adventurer. I do it for hugs.
    • View Profile

In an alternate timeline, this is the post that Muz would have posted:

Ok fine. I caved. I hacked this guy's password three years ago because it was just "password". He PMed me the next day and told me that I earned this account because he didn't deserve it. You've been talking to a fake Muz all these years.
Logged
In the wells of livestock vans with shells and garden sands /
Iron mixed with oxygen as per the laws of chemistry and chance /
A shape was roughly human, it was only roughly human /
Apparition eyes / Apparition eyes / Knock, apparition, knock / Eyes, apparition eyes /

IcyTea31

  • Bay Watcher
  • Studying functions and fiction
    • View Profile

In all seriousness and honesty, it's a good idea to change your passwords every so often, even if there isn't a massive security breach.
Logged
There is a world yet only seen by physicists and magicians.

Vector

  • Bay Watcher
    • View Profile

Frankly, there's just too freaking many, though. . . I'm going to have to start keeping a piece of paper in my purse or something, because I definitely can't remember a different password for so many different places : /
Logged
"The question of the usefulness of poetry arises only in periods of its decline, while in periods of its flowering, no one doubts its total uselessness." - Boris Pasternak

nonbinary/genderfluid/genderqueer renegade mathematician and mafia subforum limpet. please avoid quoting me.

pronouns: prefer neutral ones, others are fine. height: 5'3".

MorleyDev

  • Bay Watcher
  • "It is not enough for it to just work."
    • View Profile
    • MorleyDev

There are secure password ring services like LastPass, and there are ways to build your own on a USB stick. Also LastPass has a security check that points out if you've been exposed to any known breaches, so you can change the password. And apparently the design of LastPass made it so no important information could be leaked by Heartbleed anyway. Also makes changing passwords easier when they're all in one place.
« Last Edit: April 10, 2014, 07:41:46 am by MorleyDev »
Logged

Frumple

  • Bay Watcher
  • The Prettiest Kyuuki
    • View Profile

... doesn't that, like, defeat the purpose of having a password? Since you're kinda' giving them to an unaffiliated third party? Or writing it down... on paper or digital doesn't really matter. Either way you're creating something physical you can misplace or have stolen that instantly cracks everything you've put down...
Logged
Ask not!
What your country can hump for you.
Ask!
What you can hump for your country.

MorleyDev

  • Bay Watcher
  • "It is not enough for it to just work."
    • View Profile
    • MorleyDev

LastPass is one of the better third parties, just by design. It's more like renting some encrypted data storage from them. They don't actually have the means to decrypt the data on their end (though cracking is always an option). It's the slightly less secure, more likely to get handed to the NSA option (though the NSA will still need to break the encryption on the data), but still a decent option and for the average joe it's probably enough.

For the more security/privacy minded, the USB stick is also an option. The idea with creating a USB key is that you encrypt it with a very secure password you can remember, and then that password is all you ever need to remember. It's like putting the combination to your safe inside another safe.

Not as secure as keeping 50 different 128-bit UUIDs in your head, true. But a lot easier.

http://keepass.info/ is a good place to start with the USB stick option.
« Last Edit: April 10, 2014, 07:51:53 am by MorleyDev »
Logged

Strife26

  • Bay Watcher
    • View Profile

I just put all my passwords through a cypher and keep them in plaintext in my notebook. Little bit of work if I need to get at one, but I doubt that anyone is going to go through my stuff, find my notebook, and go through the trouble of hand decoding stuff.
Logged
Even the avatars expire eventually.

ArchAIngel

  • Bay Watcher
  • Infested Pony
    • View Profile

Or just make a fuckhuge password. Mine is exactly 69 characters. My keyboard does 94 different symbols, so 94 power 69 is probably a safely large amount of stuff to crack.

MorleyDev

  • Bay Watcher
  • "It is not enough for it to just work."
    • View Profile
    • MorleyDev

A big password still doesn't solve the problem of password re-use, and password re-use is a much bigger security vulnerability than password leaks. It's a big, wide open single point of failure where any single failure can compromise the entire system.

Services like LastPass or programs like KeePass remove password re-use, and also if a keylogger or something does find its way onto your machine then it can't actually get at your other passwords, only your KeePass or LastPass password. For LastPass, still a problem. But for KeePass, not as much since they still need access to your KeePass data store. And if that's only stored on your PC or a USB stick (with regular, encrypted backups) then they still need physical access to your machine.

KeePass and LastPass still represent single points of failure, but it's a lot more difficult to get them to fail in comparison. It's not about having perfect security, that's impossible, it's about making as many hurdles as you can for them to jump through. I tend to keep the 'unimportant' things in LastPass, forum passwords and the like, and the 'important' things in KeePass and regularly backed up to encrypted storage. But that's probably a bit paranoid.
« Last Edit: April 10, 2014, 08:53:42 am by MorleyDev »
Logged

palsch

  • Bay Watcher
    • View Profile

Also worth noting that KeePass has very basic two-factor authorisation built in. You can generate a key file that needs to be present (or rather, accessible by the vault program) to unlock the vault. So if you have the vault stored on a computer you can require a second file saved to a USB key to access it, limiting even physical access attacks where they know your password.

LastPass offers some two-factor techniques but they all involve third party tools.


I'd also note that KeePass might be better for gamers who might not have a browser open when logging onto games, and so trend towards less secure or repeat passwords for MMOs and similar.
Logged
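To make concrete what MorleyDev describes above (an encrypted store whose provider holds nothing it can decrypt) and palsch's point about a key file as a second factor, here is an added Python sketch. It is not KeePass's or LastPass's code and does not follow the KDBX format: it derives a composite key from the master password plus an optional key file, seals a vault entry with encrypt-then-MAC, and shows that either factor alone fails to open it. The salt, key file and vault entry are constructed for the example.

```python
import hashlib, hmac, secrets
from typing import Optional

def derive_vault_key(password: str, key_file: Optional[bytes], salt: bytes) -> bytes:
    """Composite key: slow KDF of the master password, mixed with a hash of the
    optional key file, so neither factor on its own can open the vault."""
    pw_part = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    kf_part = hashlib.sha256(key_file).digest() if key_file is not None else b""
    return hashlib.sha256(pw_part + kf_part).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher (stdlib has no AES).
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _subkeys(key: bytes):
    # Separate encryption and MAC keys derived from the composite key.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def seal_vault(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only this blob leaves the machine."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def open_vault(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the blob was tampered with."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

def demo() -> dict:
    """Constructed scenario: one vault, opened with both factors, then with each alone."""
    salt = b"constructed-salt"             # a real vault stores a random per-vault salt
    key_file = secrets.token_bytes(32)     # stands in for the key file kept on a USB stick
    key = derive_vault_key("correct horse", key_file, salt)
    blob = seal_vault(key, b"forum password: hunter2")   # constructed vault entry
    return {
        "both_factors": open_vault(key, blob),
        "password_only": open_vault(derive_vault_key("correct horse", None, salt), blob),
        "key_file_only": open_vault(derive_vault_key("guessed", key_file, salt), blob),
    }
```

A stolen USB stick without the password, or a keylogged password without the key file, yields only a blob whose tag check fails.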

Levi

  • Bay Watcher
  • Is a fish.
    • View Profile

I've been (slowly) migrating to using KeePass lately as well. Seems to work pretty good, and you can sync it via FTP, which is convenient for me.
Logged
Avid Gamer | Goldfish Enthusiast | Canadian | Professional Layabout

Bauglir

  • Bay Watcher
  • Let us make Good
    • View Profile

Yeah, I guess this is as good a reason as any to start using KeePass's password generation feature instead of reusing the same passwords. Farewell, System Shock 2 references!
Logged
In the days when Sussman was a novice, Minsky once came to him as he sat hacking at the PDP-6.
“What are you doing?”, asked Minsky. “I am training a randomly wired neural net to play Tic-Tac-Toe” Sussman replied. “Why is the net wired randomly?”, asked Minsky. “I do not want it to have any preconceptions of how to play”, Sussman said.
Minsky then shut his eyes. “Why do you close your eyes?”, Sussman asked his teacher.
“So that the room will be empty.”
At that moment, Sussman was enlightened.

kaijyuu

  • Bay Watcher
  • Hrm...
    • View Profile

* kaijyuu still uses the same randomized password he got like, 13 years ago from an online game's default password generator.
Logged
Quote from: Chesterton
For, in order that men should resist injustice, something more is necessary than that they should think injustice unpleasant. They must think injustice absurd; above all, they must think it startling. They must retain the violence of a virgin astonishment. When the pessimist looks at any infamy, it is to him, after all, only a repetition of the infamy of existence. But the optimist sees injustice as something discordant and unexpected, and it stings him into action.

Culise

  • Bay Watcher
  • General Nuisance
    • View Profile

Quote from: kaijyuu
* kaijyuu still uses the same randomized password he got like, 13 years ago from an online game's default password generator.
Oh, thank heavens, I'm not the only one. Though mine was another online forum. ^_^
Logged

MorleyDev

  • Bay Watcher
  • "It is not enough for it to just work."
    • View Profile
    • MorleyDev

Quote from: Levi
You can sync it via FTP.
sync it via FTP
via FTP.
FTP.

I trust you mean SFTP? FTP is as insecure as a....really really insecure thing. You send all your credentials and the files completely naked and visible to anybody in-between you and the server.
« Last Edit: April 10, 2014, 01:12:13 pm by MorleyDev »
Logged