
Passwords..UGH!

Seek assistance with all types of tech. - computer, phone, TV, heating controls etc.
UncleEbenezer
The full Lemon
Posts: 10691
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1459 times
Been thanked: 2965 times

Re: Passwords..UGH!

#426094

Postby UncleEbenezer » July 9th, 2021, 10:22 am

simoan wrote:I keep my passwords in a notebook. It's simple and not resident on any of the computers I use them on. I then have a method for translating the written password into the real password using a non-trivial character replacement method known only to me, so even if someone steals the notebook they do not have my real passwords.

Works for me! Si

That sort of scenario is where your value as a target is critical!

Bletchley Park - or today GCHQ - could easily break that if you were a high-value target. Most of us aren't.

Infrasonic
Lemon Quarter
Posts: 4479
Joined: November 4th, 2016, 2:25 pm
Has thanked: 644 times
Been thanked: 1260 times

Re: Passwords..UGH!

#426097

Postby Infrasonic » July 9th, 2021, 10:24 am

Arborbridge wrote:
Infrasonic wrote:One of the reasons to keep secure boot enabled and things like TPM modules switched on if you have them is it can help prevent rootkit infections, key loggers etc.

You don't have to use passwords - hardware key solutions like USB/NFC U2F are available across many OS platforms now and the list of services that implement them is growing all the time.


Well, there's the rub. I (and no doubt others) haven't a clue what you are talking about :)


The world is complicated unfortunately - with security stuff it's an escalating arms race.

I remember when email was dead simple but because of spoofing, mass spamming, malware, ransomware et al it's now become ridiculously complicated just to consistently send and receive genuine email to an inbox rather than getting dumped in a spam/junk folder.

Arborbridge
The full Lemon
Posts: 10369
Joined: November 4th, 2016, 9:33 am
Has thanked: 3601 times
Been thanked: 5227 times

Re: Passwords..UGH!

#426099

Postby Arborbridge » July 9th, 2021, 10:30 am

XFool wrote:
Arborbridge wrote:It's been said that the chance of having a "codebook" stolen by a burglar is much less than the chance of having passwords stolen from your computer. Therefore, I have a number of passwords in cryptic form in a codebook. The passwords also have numbers or characters (not written in the codebook) which are changed regularly. Those elements are written down elsewhere.

For ultra secure things I've been experimenting with passwordcard https://www.passwordcard.org/en

It seems pretty clever, but not terribly convenient.

Ingenious. Rather reminds me of the older bank etc. log on security cards, all gone now. I used to like those, simple and straightforward. I suppose their theoretical weakness nowadays is the ubiquity of mobile phone cameras, allowing them to be 'stolen' without needing to remove them. (Same issue with the above?)

Arborbridge wrote:I am still not at the stage where I feel I can trust any third party system such as those discussed here in case there's a back door entry system. No passwords of any importance are stored on my computer or phone...

Same here, no third party involved, I just write them all down. I must have been using Internet banking for years now. Best security: a long enough password.


Interestingly, one can generate as many personal cards as you want, each with a reference number so you could regenerate them. As I say, it seems quite sound, but also quite inconvenient. There's no way you could remember how to log in to your email account when out and about.

XFool
The full Lemon
Posts: 12636
Joined: November 8th, 2016, 7:21 pm
Been thanked: 2608 times

Re: Passwords..UGH!

#426103

Postby XFool » July 9th, 2021, 10:42 am

Arborbridge wrote:Interestingly, one can generate as many personal cards as you want, each with a reference number so you could regenerate them. As I say, it seems quite sound, but also quite inconvenient. There's no way you could remember how to log in to your email account when out and about.

You could perhaps even design your own card! With a grid reference using all letters:

b A: Bank Account
e M: Email account
l F: Lemon Fool
s D: Share Dealing account
etc.

Along with some random, meaningless entries (including numeral indices) as noise. But, would have to be a big card these days. :lol:
Last edited by XFool on July 9th, 2021, 10:46 am, edited 3 times in total.

UncleEbenezer
The full Lemon
Posts: 10691
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1459 times
Been thanked: 2965 times

Re: Passwords..UGH!

#426105

Postby UncleEbenezer » July 9th, 2021, 10:43 am

GeoffF100 wrote:Passwords are only part of the problem. I find memorable answers even more of a problem. I have seen password managers, but I am yet to find a memorable answer manager. I write clues on a piece of paper that I hide. I also have the clues on a cloud account - a different cloud account to the one that stores my account numbers.


Those "memorable answers" are wrong on so many levels! What do you mean, you can't remember who you signed up with sometime last century, and what questions you gave them? Let alone know whether they were subsequently borged by the bigco when the billion-users leak hits the headlines!

simoan
Lemon Quarter
Posts: 2092
Joined: November 5th, 2016, 9:37 am
Has thanked: 463 times
Been thanked: 1457 times

Re: Passwords..UGH!

#426109

Postby simoan » July 9th, 2021, 10:56 am

UncleEbenezer wrote:
simoan wrote:I keep my passwords in a notebook. It's simple and not resident on any of the computers I use them on. I then have a method for translating the written password into the real password using a non-trivial character replacement method known only to me, so even if someone steals the notebook they do not have my real passwords.

Works for me! Si

That sort of scenario is where your value as a target is critical!

Bletchley Park - or today GCHQ - could easily break that if you were a high-value target. Most of us aren't.

How would they crack it though? Most websites and devices that need password credentials would only allow a very limited number of tries before you would need to use another form of authentication e.g. phone your bank.

And any attacker would assume that the "plaintext" written password and real password had the same number of characters, which my scheme does not. Although I admit they could intercept passcodes used for two-factor authentication it would be far easier just to get malware onto any target device undetected. BTW I've worked in data security for the past 25 years, including spooks as clients!

All the best, Si

88V8
Lemon Half
Posts: 5769
Joined: November 4th, 2016, 11:22 am
Has thanked: 4098 times
Been thanked: 2560 times

Re: Passwords..UGH!

#426110

Postby 88V8 » July 9th, 2021, 10:58 am

penym wrote:...changing ones used too many times.

I never reuse passwords.

They're written down in a somewhat tortuous form.

Lemons back up their computers of course and I suppose that some back up their phones but I bet many don't.... but those of us who write things, on paper, need to think what would happen if the house burned, in the same way they need to think about their backups being right there next to the computer.

Memorable answers.... a blast from the past... also written down.

V8

Infrasonic
Lemon Quarter
Posts: 4479
Joined: November 4th, 2016, 2:25 pm
Has thanked: 644 times
Been thanked: 1260 times

Re: Passwords..UGH!

#426119

Postby Infrasonic » July 9th, 2021, 11:19 am

simoan wrote:I keep my passwords in a notebook. It's simple and not resident on any of the computers I use them on. I then have a method for translating the written password into the real password using a non-trivial character replacement method known only to me, so even if someone steals the notebook they do not have my real passwords.

Works for me! Si


What do you do about redundancy then, if you have a fire say?

Could you not use E2EE zero knowledge fragmented cloud (like Internxt) via a zero logs fully audited WireGuard VPN as an offsite backup?

simoan
Lemon Quarter
Posts: 2092
Joined: November 5th, 2016, 9:37 am
Has thanked: 463 times
Been thanked: 1457 times

Re: Passwords..UGH!

#426122

Postby simoan » July 9th, 2021, 11:29 am

Infrasonic wrote:
simoan wrote:I keep my passwords in a notebook. It's simple and not resident on any of the computers I use them on. I then have a method for translating the written password into the real password using a non-trivial character replacement method known only to me, so even if someone steals the notebook they do not have my real passwords.

Works for me! Si


What do you do about redundancy then, if you have a fire say?

Could you not use E2EE zero knowledge fragmented cloud (like Internxt) via a zero logs fully audited WireGuard VPN as an offsite backup?

I would never store passwords anywhere accessible from the internet, even using XTS mode encryption. Why do you need redundancy in case of fire? Important financial passwords I can remember as I use them all the time. For others you just start again and set up a new password or if they're non-critical (like TLF) just let your browser store them. Is that too simple? When it comes to security, simple is good I find.

All the best, Si

Infrasonic
Lemon Quarter
Posts: 4479
Joined: November 4th, 2016, 2:25 pm
Has thanked: 644 times
Been thanked: 1260 times

Re: Passwords..UGH!

#426127

Postby Infrasonic » July 9th, 2021, 11:39 am

simoan wrote:
Infrasonic wrote:
simoan wrote:I keep my passwords in a notebook. It's simple and not resident on any of the computers I use them on. I then have a method for translating the written password into the real password using a non-trivial character replacement method known only to me, so even if someone steals the notebook they do not have my real passwords.

Works for me! Si


What do you do about redundancy then, if you have a fire say?

Could you not use E2EE zero knowledge fragmented cloud (like Internxt) via a zero logs fully audited WireGuard VPN as an offsite backup?

I would never store passwords anywhere accessible from the internet, even using XTS mode encryption. Why do you need redundancy in case of fire? Important financial passwords I can remember as I use them all the time. For others you just start again and set up a new password. Is that too simple? When it comes to security, simple is good I find.

All the best, Si


So if you are involved in a car crash, fall over, or get ill and lose your memory?

If a fire takes out all your passwords / ID paperwork how are you going to prove who you are to get new bank accounts or access to the old ones quickly?

I control my mum's estate through a power of attorney and even with all the relevant photo ID, third party authorisation paperwork etc it's a complete PITA to do anything new... :D

Arborbridge
The full Lemon
Posts: 10369
Joined: November 4th, 2016, 9:33 am
Has thanked: 3601 times
Been thanked: 5227 times

Re: Passwords..UGH!

#426138

Postby Arborbridge » July 9th, 2021, 11:54 am

simoan wrote:What do you do about redundancy then, if you have a fire say?

Could you not use E2EE zero knowledge fragmented cloud (like Internxt) via a zero logs fully audited WireGuard VPN as an offsite backup?

I would never store passwords anywhere accessible from the internet, even using XTS mode encryption. Why do you need redundancy in case of fire? Important financial passwords I can remember as I use them all the time. For others you just start again and set up a new password or if they're non-critical (like TLF) just let your browser store them. Is that too simple? When it comes to security, simple is good I find.

All the best, Si

Important passwords I can only remember part of, because the parts I change regularly. These are stored on paper somewhere, so vulnerable to a fire.

Everything has risks, but the risk of fire? - I won't tempt fate!

simoan
Lemon Quarter
Posts: 2092
Joined: November 5th, 2016, 9:37 am
Has thanked: 463 times
Been thanked: 1457 times

Re: Passwords..UGH!

#426140

Postby simoan » July 9th, 2021, 11:56 am

Infrasonic wrote:
simoan wrote:
Infrasonic wrote:
What do you do about redundancy then, if you have a fire say?

Could you not use E2EE zero knowledge fragmented cloud (like Internxt) via a zero logs fully audited WireGuard VPN as an offsite backup?

I would never store passwords anywhere accessible from the internet, even using XTS mode encryption. Why do you need redundancy in case of fire? Important financial passwords I can remember as I use them all the time. For others you just start again and set up a new password. Is that too simple? When it comes to security, simple is good I find.

All the best, Si


So if you are involved in a car crash, fall over, or get ill and lose your memory?

If a fire takes out all your passwords / ID paperwork how are you going to prove who you are to get new bank accounts or access to the old ones quickly?

I control my mum's estate through a power of attorney and even with all the relevant photo ID, third party authorisation paperwork etc it's a complete PITA to do anything new... :D

Yes, it will be a pain in the [expletive deleted], should that happen. But convenience is the enemy of good security - I call that the first Law of Security. If it's convenient for you, then it's convenient for a would be attacker. You'll be telling me you have keyless entry in your car next :) Complexity is also bad as it leaves holes that attackers can find and utilise.

All the best, Si
Last edited by simoan on July 9th, 2021, 11:56 am, edited 1 time in total.

AF62
Lemon Quarter
Posts: 3499
Joined: November 27th, 2016, 8:45 am
Has thanked: 131 times
Been thanked: 1277 times

Re: Passwords..UGH!

#426142

Postby AF62 » July 9th, 2021, 11:56 am

penym wrote:Being a bit non zealous in thinking of new passwords on so many sites I visit, I am sick of Apple chiding me and telling me to change passwords and have spent my morning changing ones used too many times. It may be time when I must invest in a decent keeper of Passwords! I expect I will have to pay for a decent one that is easy to use and manage but before I decide I would welcome the advice of experts here. Help!


Since you mention Apple then you obviously use Apple products, so why not simply use iCloud Keychain - https://support.apple.com/en-gb/HT204085

XFool
The full Lemon
Posts: 12636
Joined: November 8th, 2016, 7:21 pm
Been thanked: 2608 times

Re: Passwords..UGH!

#426144

Postby XFool » July 9th, 2021, 11:59 am

simoan wrote:I would never store passwords anywhere accessible from the internet, even using XTS mode encryption. Why do you need redundancy in case of fire? Important financial passwords I can remember as I use them all the time. For others you just start again and set up a new password or if they're non-critical (like TLF) just let your browser store them. Is that too simple? When it comes to security, simple is good I find.

I agree. Apart from the idea of "non-critical" passwords. I think it best to treat them all as equally critical, as critical information could still possibly be gleaned from a "non-critical" site.

simoan
Lemon Quarter
Posts: 2092
Joined: November 5th, 2016, 9:37 am
Has thanked: 463 times
Been thanked: 1457 times

Re: Passwords..UGH!

#426149

Postby simoan » July 9th, 2021, 12:09 pm

XFool wrote:
simoan wrote:I would never store passwords anywhere accessible from the internet, even using XTS mode encryption. Why do you need redundancy in case of fire? Important financial passwords I can remember as I use them all the time. For others you just start again and set up a new password or if they're non-critical (like TLF) just let your browser store them. Is that too simple? When it comes to security, simple is good I find.

I agree. Apart from the idea of "non-critical" passwords. I think it best to treat them all as equally critical, as critical information could still possibly be gleaned from a "non-critical" site.

I don't agree. What critical information do websites like TLF have about me, or you for that matter? The only useful information is in my posts and they are visible on the internet anyway. I don't even use my real name and address on most websites! So OK, they have my IP number, but so what?

All the best, Si

UncleEbenezer
The full Lemon
Posts: 10691
Joined: November 4th, 2016, 8:17 pm
Has thanked: 1459 times
Been thanked: 2965 times

Re: Passwords..UGH!

#426152

Postby UncleEbenezer » July 9th, 2021, 12:12 pm

XFool wrote:
simoan wrote:I would never store passwords anywhere accessible from the internet, even using XTS mode encryption. Why do you need redundancy in case of fire? Important financial passwords I can remember as I use them all the time. For others you just start again and set up a new password or if they're non-critical (like TLF) just let your browser store them. Is that too simple? When it comes to security, simple is good I find.

I agree. Apart from the idea of "non-critical" passwords. I think it best to treat them all as equally critical, as critical information could still possibly be gleaned from a "non-critical" site.

Sites that have access to my money are security-critical to me.

Sites where I merely discuss it aren't. The information anyone could glean about me from Lemonfool is absolutely not critical.

XFool
The full Lemon
Posts: 12636
Joined: November 8th, 2016, 7:21 pm
Been thanked: 2608 times

Re: Passwords..UGH!

#426153

Postby XFool » July 9th, 2021, 12:14 pm

simoan wrote:
XFool wrote:I agree. Apart from the idea of "non-critical" passwords. I think it best to treat them all as equally critical, as critical information could still possibly be gleaned from a "non-critical" site.

I don't agree. What critical information do websites like TLF have about me, or you for that matter? The only useful information is in my posts and they are visible on the internet anyway.

It likely varies, site to site: real name, DOB, address, phone number, email address?

xeny
Lemon Slice
Posts: 450
Joined: April 13th, 2017, 11:37 am
Has thanked: 233 times
Been thanked: 154 times

Re: Passwords..UGH!

#426165

Postby xeny » July 9th, 2021, 12:38 pm

Arborbridge wrote:True. Indeed with possible leakiness and the potential for hacking or spy software/data logging being placed on one's own computer, I sometimes wonder what the point is of changing passwords frequently or indeed having complex ones. Well, of course it cuts down risk, but if a hacker can see exactly what one is doing we're doomed.



There's precious little point to changing passwords frequently. Look about 2/3 of the way down https://www.ncsc.gov.uk/collection/pass ... r-approach .

Complex passwords are utterly worthwhile. Service providers don't store your password, they store an encrypted version of it.

It's not unknown for those encrypted passwords to be stolen, but unless the attacker can use them to work out what the original passwords were, they're essentially useless.

The longer/more complex (and for humans it is generally easier to add length than complexity) the original password was, the longer it will take to do that, until it becomes uneconomic as there are better things the attacker can do with their time.

onthemove
Lemon Slice
Posts: 540
Joined: June 24th, 2017, 4:03 pm
Has thanked: 722 times
Been thanked: 471 times

Re: Passwords..UGH!

#426469

Postby onthemove » July 10th, 2021, 3:12 pm

xeny wrote:Service providers don't store your password, they store an encrypted version of it.


Don't bank on it!

A few years ago I had need to ring VirginMedia, my ISP at the time, though definitely no more! Would not recommend them to anyone except my worst enemy.

I can't remember exactly how the exchange went, but while going through the security part, the call centre operator said something, I forget exactly what, that immediately rang alarm bells with me ... so much so, that I asked them directly right at the moment "can you see my password on your screen?"... to which the operator replied "yes" :shock: .

I was rather taken aback by that. I'd set up my password online, and had assumed, like you, that it would be hashed (standard practice with electronic passwords), and only the hash would be used to confirm if I've entered my password correctly. I thought it was for my email, etc, and I'd presumed it was an 'online' password .. I hadn't realised it would also be used for phone security checks.

And anyway, I had assumed that whatever I tell the operator, they would key it in, and the computer would just say "yes" or "no", rather than let the operator see my password... so I was rather taken aback that the operator said they could see my password on their screen before I'd given it to them.

The operator just asked for a subset of individual characters from my password, so that in itself confirmed to me that they weren't using a cryptographic hash, and indeed my clear text password must at least be in the system somewhere.

I still find it hard to believe that the operator genuinely had visibility of my clear text password on their screen (usually asking for a subset is so that the operator doesn't get to know your full password), but that is what they told me, and like I say, the initial exchange I had with the operator gave me enough cause for concern to directly put the question to them.

[I can't remember the details, but it was possibly something like me not expecting they were using my online password for their phone security check, so I didn't believe I had a phone security password, and possibly the operator confirmed to me that the password they were looking for looked like random characters, or something along those lines.. because I had indeed used a set of random characters for my online password.. or it was something along those lines, but whatever it was exactly, it definitely led me think ... "erm hang on.. you can see my password!?!?!?!?" ... with enough concern to ask them directly as much]
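As an added illustration of the two points made in xeny's and onthemove's posts above (this is example code written for this page, not code from the thread or from any provider mentioned in it): a service that stores only a salted, iterated hash can verify a full password but cannot answer "what are characters 2, 5 and 9?", because no individual characters survive in the record; a partial-character check of that kind implies a plaintext or reversibly encrypted copy exists somewhere. The second half shows why adding length beats adding character-set complexity. The iteration count and the 1e10 guesses/second rate are assumptions chosen for illustration, not measured figures.

```python
"""Salted, iterated password hashing as a service should store credentials,
plus a keyspace estimate showing why length beats character-set complexity.
Added example for this page; not code from the thread."""
import hashlib
import hmac
import math
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; an assumed default for this example.
DEFAULT_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = DEFAULT_ITERATIONS) -> str:
    """Derive a salted, iterated hash and return a self-describing record.

    Only this record is stored; the password itself is discarded, so a leaked
    database hands an attacker a guessing problem, not the password, and
    nothing in the record can reveal individual characters for a partial check.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored salt and work factor and compare
    in constant time. Malformed or unknown records never verify."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


def keyspace_bits(length: int, charset_size: int) -> float:
    """Bits of guessing work for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def expected_years_to_crack(length: int, charset_size: int,
                            guesses_per_second: float) -> float:
    """Expected offline cracking time (half the keyspace) at a given guess rate."""
    guesses = (charset_size ** length) / 2
    return guesses / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("Correct horse battery staple", rec))  # False
    # 8 printable-ASCII characters vs 16 lowercase letters, at an assumed
    # rate of 1e10 guesses per second (illustrative, not a measured figure).
    for length, charset in ((8, 95), (16, 26)):
        print(f"len={length} charset={charset}: "
              f"{keyspace_bits(length, charset):.1f} bits, "
              f"{expected_years_to_crack(length, charset, 1e10):.2e} years")
```

The 16-character lowercase password comes out at roughly 75 bits against about 53 bits for 8 characters drawn from all 95 printable ASCII characters, which is xeny's "easier to add length than complexity" point in numbers. If a helpdesk can ask for selected characters of your password, the record behind it cannot be a hash of this shape.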

