5E Product Walkthrough Playlist
  1. #41
    ddavison
    We had a Security Officer coming down for a meeting one day, so I made sure to write a fake sticky note with a bunch of fake passwords all scratched out except the last one and stuck it on my monitor. Unfortunately, I don't think he even noticed even though he was in my office at one point to say "hello".

    The fake ones I chose were really good.


    Prior to this, I did software development and consulting and it wasn't uncommon to get access to some online store's website database to do a job, only to find that the previous developer had learned on the job and stored all the passwords in the database as plain text. Jesus and the local sports teams were very popular in the region, along with the names of children.

  2. #42
    The most amusing thing is that the whole "change your passwords every 30, 60, 90, or 120 days (or whatever) and make it at least 10 characters long", etc, is a MYTH - it's one of the great ICT Security Myths that even most ICT Security people don't know is a myth (like this picture), and just repeat it over and over as if it was the "TRUTH" (see the 5 Monkeys Experiment).

    Let me explain - back in the 1970s someone once asked one of the leading Computer Science researchers (I can't remember which one) about how long to crack a password using the technology of the time (IBM 330, DECs, etc). Using the back of an envelope (I'm not kidding) the Computer Scientist calculated that a password of 7 characters would be sufficient to withstand a brute-force attack using the technology of the time, and besides, the Unix crypt() function truncated passwords to 8 characters anyway, so that was all good.

    So, imagine how much more powerful today's computers are and consider if 8, 10 or even 16 characters might be strong enough (actually, 16 probably is in 2017 - maybe).

    No, if you want to be secure then the best couple of things you can do are:
    1. Make your passwords llllooooooooooooonnnnnggggg - "A sausage-roll at the corner shop costs $4.50 on Wednesdays." is a way better password (pass-phrase) than "P@55w0rd123", obeys all the common complexity rules (capital and lowercase, digit and punctuation/special characters), is 60 characters as opposed to 11 characters, and is easier to remember.
    2. Use a Password Manager - I use KeePass (free, multi-platform, etc)
    3. If you use a Password Manager, use a different random password for every website, etc, because a Password Manager makes it easy. I always use 64-character random passwords (unless the website, etc, doesn't allow passwords that long).


    I hope that all of this helps

    Cheers
    Last edited by dulux-oz; February 28th, 2017 at 02:43.
    Dulux-Oz

    √(-1) 2^3 Σ Π
    ...And it was Delicious!


    Alpha-Geek
    ICT Professional
    GMing Since 1982
    NSW, Australia, UTC +10
    LinkedIn Profile: www.linkedin.com/in/mjblack

    Watch our games on Twitch: www.twitch.tv/dulux_oz

    Support Me on Patreon: www.patreon.com/duluxoz

    Past Games, etc, on my YouTube Channel: www.youtube.com/c/duluxoz
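The length argument in the post above can be put in numbers. The following is an added example written for this page, not code from the thread or from any password manager; it compares "P@55w0rd123" with the sausage-roll pass-phrase under two models: the "complexity rules" view (every character random over the alphabet in use) and the more honest word-guessing view (an attacker who knows a pass-phrase is built from everyday words). The guessing rate of 1e10 candidates per second and the 20,000-word vocabulary are assumptions chosen for the illustration, and the alphabets are plain ASCII.

```python
import math
import string

# Constructed attacker model for the estimates below (assumptions, not
# measurements): an offline guessing rig trying 1e10 candidates per second
# against a fast hash, and a guesser who knows a passphrase is built from
# everyday words drawn from a 20,000-word vocabulary.
GUESSES_PER_SECOND = 1e10
VOCABULARY_SIZE = 20_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

SYMBOLS = string.punctuation + " "  # 32 ASCII punctuation marks plus space = 33


def charset_size(password: str) -> int:
    """Size of the smallest standard ASCII alphabet containing every character
    used: the 'complexity rules' view, where lower, upper, digits and symbols
    contribute 26, 26, 10 and 33 characters respectively."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += 33
    return size


def random_chars_bits(length: int, alphabet: int) -> float:
    """Entropy of a password whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet)


def charset_bits(password: str) -> float:
    """Upper bound on a human-chosen password: what it would be worth *if* its
    characters were random over its alphabet (P@55w0rd123 is not random, so
    its real strength is far below this figure)."""
    return random_chars_bits(len(password), charset_size(password))


def wordlist_bits(phrase: str, vocabulary: int = VOCABULARY_SIZE) -> float:
    """Conservative estimate for a passphrase: the attacker guesses whole
    words, so each word is worth log2(vocabulary) bits, not ~6.6 per letter."""
    return len(phrase.split()) * math.log2(vocabulary)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every one of the 2**bits candidates."""
    return 2.0 ** bits / rate / SECONDS_PER_YEAR


def random_password_years(length: int, alphabet: int = 95) -> float:
    """Years to exhaust a truly random password of `length` printable ASCII chars."""
    return years_to_exhaust(random_chars_bits(length, alphabet))


def compare(password: str, passphrase: str) -> dict:
    """Side-by-side figures for a short 'complex' password and a long phrase."""
    return {
        "password_bits_if_random": charset_bits(password),
        "passphrase_bits_if_random": charset_bits(passphrase),
        "passphrase_bits_word_model": wordlist_bits(passphrase),
    }


if __name__ == "__main__":
    short = "P@55w0rd123"
    phrase = "A sausage-roll at the corner shop costs $4.50 on Wednesdays."
    for label, bits in compare(short, phrase).items():
        print(f"{label:28s} {bits:7.1f} bits  ->  {years_to_exhaust(bits):.3g} years to exhaust")
    # The 1970s back-of-envelope figure (7-8 chars) versus today's guidance.
    for n in (7, 8, 16, 64):
        print(f"{n:2d} random printable chars: {random_password_years(n):.3g} years to exhaust")
```

Even the word-model figure for the pass-phrase (ten words from a 20,000-word list) comes out around 143 bits, roughly double what eleven genuinely random characters would give, and a 7- or 8-character random password falls in well under a year at the assumed rate, which is the post's point about the 1970s estimate no longer holding.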

  3. #43
    LordEntrails
    My take on password rotation/change is driven by two things, let me know what you think:

    1) Because if a website is hacked, it is unlikely you will be informed of the breach in a timely manner. If you change them regularly, it would be less likely you would be compromised as part of a secondary data user (i.e. someone who buys the breached data after the original user has done what they intend with it).

    2) If you don't use unique passwords (which is a bad habit, but one I suspect a vast majority of people do), then when #1 happens, you are exponentially exposed (and not in a good "kilt" kind of way!)

    Problems? See; How to Report Issues, Bugs & Problems
    On Licensing & Distributing Community Content
    Community Contributions: Gemstones, 5E Quick Ref Decal, Adventure Module Creation, Dungeon Trinkets, Balance Disturbed, Dungeon Room Descriptions
    Note, I am not a SmiteWorks employee or representative, I'm just a user like you.

  4. #44
    Quote Originally Posted by Andraax View Post
    Everyone should use a tool like LastPass. I have hundreds of passwords, all of them random strings, and forget none. :-)
    Yep, I use LastPass also. All of them at least 20 characters long and random and also never forget them either because I only have to remember one password.
    Patrick

    Ultimate License Holder
    Currently Running (rotating home campaigns): Hobgoblins, Orcs, and Kobolds, Oh My! (5E), The Enemy Within (WFRP)
    Currently Playing: Castle Zagyg (Labyrinth Lord), The Forgotten Temple of Tharizdun (AD&D)

  5. #45
    Quote Originally Posted by LordEntrails View Post
    My take on password rotation/change is driven by two things, let me know what you think:

    1) Because if a website is hacked, it is unlikely you will be informed of the breach in a timely manner. If you change them regularly, it would be less likely you would be compromised as part of a secondary data user (i.e. someone who buys the breached data after the original user has done what they intend with it).

    2) If you don't use unique passwords (which is a bad habit, but one I suspect a vast majority of people do), then when #1 happens, you are exponentially exposed (and not in a good "kilt" kind of way!)
    Rotating passwords on websites is not a bad idea - but a better one is to use unique, looonnnggg, random passwords on each website - the longer the password, the harder it is to brute-force, and if it's random, hackers can't dictionary attack it (i.e. guess) and if it's unique it won't matter (much) if it is compromised because you only use it in that one place. But in an office situation forcing the end-users to rotate their passwords is often counter-productive (as some of the posts here have shown) - it leads to things like "password1", "password2", "password3", etc with the number corresponding to the month of the year (for example).

    But quite frankly, I wouldn't bother with rotating passwords on a website - if it's hacked, then I'm way more worried about my other personal details (name, DOB, social security number, etc) being stolen than a one-site-use, loooonnnngggg, hard to guess/break password - I know which is more valuable (and which isn't normally stored securely/encrypted).

    Depressing, isn't it?
    Dulux-Oz

  6. #46
    As a manager at a pizza place, I had to change my password every two weeks and could never reuse a password, even years later. It was ridiculous. I also had to enter them every few minutes (approving discounts, sending drivers out, practically everything needed a manager password), so the goal was to make them fast and easy. The result was that I just used two or three keys so I could enter it in less than a second. poipoi changed to popopo, then oiuoiu, and so on. My favorite thing about transferring stores was that I could start the cycle over and use numbers again. Thankfully, I'm done dealing with that.

  7. #47
    LindseyFan
    Just curious, because I have never used a password manager, but couldn't someone just hack your password manager and get everything they need all in one handy place?
    I honestly would like to know...

  8. #48
    I use two-factor auth (pw + YubiKey) on my LastPass account. Anywhere you can possibly use two-factor auth, you should. Most email services have two-factor options, as do Dropbox, Facebook, etc.

  9. #49
    damned
    Quote Originally Posted by LindseyFan View Post
    Just curious, because I have never used a password manager, but couldn't someone just hack your password manager and get everything they need all in one handy place?
    I honestly would like to know...
    Yes. It could happen. Make a long unique password and maybe, for good measure, type it twice, making it twice as long. And use 2FA.

  10. #50
    Quote Originally Posted by LindseyFan View Post
    Just curious, because I have never used a password manager, but couldn't someone just hack your password manager and get everything they need all in one handy place?
    I honestly would like to know...
    As damned said, yes, it is possible. And what he suggests is also the best way to do things.

    But the idea behind a Password Manager is that the only place where you use the über-long Pass-Phrase needed to unlock the "password safe" is on a computer you "own" (i.e. you trust) and that it never gets sent "over the wire" - so for someone to break it they would have to access your PC (or mobile phone, or whatever) and then steal the password-safe, and then perform a brute-force attack on the über-long password and the encryption used to encrypt all the passwords stored within.

    This is the electronic-equivalent of raiding your house to steal the wall safe out of the wall and then breaking open the safe - and notwithstanding the movie Fast & Furious Five, that's not easy to do.

    It all comes down to "is it worth it" - is it worth it for a hacker to spend all that time and energy breaking into your "safe" for what's inside - and the answer is almost certainly "No".

    Oh sure, if the American NSA wanted in they might - that's might - be able to crack it - although looking at all the reports about the police not being able to get into an iPhone (and the encryption on a Password Manager is often more secure than the encryption on an iPhone) I'm not so sure - but what are the chances of the NSA wanting to steal your passwords from you when they can steal them from a website and get oh-so-many more.

    Most hackers (well over 90%) are little more than Script-Kiddies who don't really know what they're doing but who use a bunch of programs written by others to do their hacks. It's a bit like the difference between a punk gang-member, a trained soldier, and a special-ops member - all of them can use a gun but I know which order I'd put them in in terms of lethality.
    Dulux-Oz
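The "steal the safe, then break it open" picture in the post above rests on one mechanism: the master pass-phrase is turned into the vault key by a slow, salted key-derivation function, locally, and only a verifier ever sits on disk. The block below is an added, standard-library-only example written for this page; it is not the code of KeePass, LastPass or any other manager, which use their own formats and often a different KDF. It uses PBKDF2-HMAC-SHA256 with a work factor of 600,000 iterations (the figure in OWASP's password-storage guidance, assumed here), stores salt, iteration count and an HMAC verifier, unlocks in constant time, and shows how the iteration count divides an attacker's guessing rate against a stolen vault. Encrypting the entries themselves is left out, since Python's standard library has no AES; the raw HMAC rate of 1e10 per second in the demo is a constructed assumption.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256: the OWASP password-storage figure,
# assumed here for illustration. A real manager tunes this to the device
# and may use Argon2 or scrypt instead.
DEFAULT_ITERATIONS = 600_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Fixed message whose MAC under the derived key proves the key is right,
# without storing the key or the pass-phrase anywhere.
CHECK_MESSAGE = b"vault-key-check"


def derive_key(master: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch the master pass-phrase into a 256-bit key. Every guess an
    attacker makes against a stolen vault costs `iterations` HMAC
    computations, which is the whole point of the KDF."""
    return hashlib.pbkdf2_hmac("sha256", master, salt, iterations, dklen=32)


def create_vault_record(master: bytes, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """What ends up on disk: a random salt, the work factor and a verifier.
    No key and no pass-phrase. (A real manager would also use the key to
    encrypt the entries with authenticated encryption; omitted here.)"""
    salt = os.urandom(16)
    key = derive_key(master, salt, iterations)
    verifier = hmac.new(key, CHECK_MESSAGE, hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "verifier": verifier}


def unlock(record: dict, master: bytes):
    """Re-derive the key locally and compare verifiers in constant time.
    Returns the key on success and None otherwise; nothing about the
    pass-phrase leaves the machine."""
    key = derive_key(master, record["salt"], record["iterations"])
    candidate = hmac.new(key, CHECK_MESSAGE, hashlib.sha256).digest()
    if hmac.compare_digest(candidate, record["verifier"]):
        return key
    return None


def guesses_per_second(raw_hmac_rate: float, iterations: int) -> float:
    """Convert a rig's raw HMAC-SHA256 rate into master-pass-phrase guesses
    per second against a vault with this work factor."""
    return raw_hmac_rate / iterations


def years_to_exhaust(bits: float, raw_hmac_rate: float, iterations: int) -> float:
    """Worst-case time to try all 2**bits candidate master pass-phrases."""
    return 2.0 ** bits / guesses_per_second(raw_hmac_rate, iterations) / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Constructed demo values: a weak-ish 40-bit master pass-phrase and a
    # strong 80-bit one, against an assumed 1e10 raw HMAC/s rig.
    record = create_vault_record(b"A sausage-roll at the corner shop costs $4.50 on Wednesdays.")
    print("unlock with correct pass-phrase:", unlock(record, b"A sausage-roll at the corner shop costs $4.50 on Wednesdays.") is not None)
    print("unlock with wrong pass-phrase:  ", unlock(record, b"P@55w0rd123") is not None)
    for bits in (40, 80):
        fast = years_to_exhaust(bits, 1e10, 1)
        slow = years_to_exhaust(bits, 1e10, DEFAULT_ITERATIONS)
        print(f"{bits}-bit master phrase: {fast:.3g} years unstretched, {slow:.3g} years with PBKDF2")
```

Two things to notice: the verifier comparison uses `hmac.compare_digest` rather than `==`, so unlock timing does not leak how many bytes matched, and the work factor buys a constant multiplier (600,000 here) on top of whatever entropy the master pass-phrase has, which is why the length advice from earlier in the thread still matters most for the one password you have to remember.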
