-
February 27th, 2017, 20:12 #41
We had a Security Officer coming down for a meeting one day, so I made sure to write a fake sticky note with a bunch of fake passwords all scratched out except the last one and stuck it on my monitor. Unfortunately, I don't think he even noticed even though he was in my office at one point to say "hello".
The fake ones I chose were really good.
Prior to this, I did software development and consulting and it wasn't uncommon to get access to some online store's website database to do a job, only to find that the previous developer had learned on the job and stored all the passwords in the database as plain text. Jesus and the local sports teams were very popular in the region, along with the names of children.
-
February 28th, 2017, 02:20 #42
The most amusing thing is that the whole "change your passwords every 30, 60, 90, or 120 days (or whatever) and make it at least 10 characters long", etc, is a MYTH - it's one of the great ICT Security Myths that even most ICT Security people don't know is a myth (like this picture), and just repeat it over and over as if it was the "TRUTH" (see the 5 Monkeys Experiment).
Let me explain - back in the 1970s someone once asked one of the leading Computer Science researchers (I can't remember which one) about how long to crack a password using the technology of the time (IBM 330, DECs, etc). Using the back of an envelope (I'm not kidding) the Computer Scientist calculated that a password of 7 characters would be sufficient to withstand a brute-force attack using the technology of the time, and besides, the Unix crypt() function truncated passwords to 8 characters anyway, so that was all good.
So, imagine how much more powerful today's computers are and consider if 8, 10 or even 16 characters might be strong enough (actually, 16 probably is in 2017 - maybe).
No, if you want to be secure then the best couple of things you can do are:
- Make your passwords llllooooooooooooonnnnnggggg - "A sausage-roll at the corner shop costs $4.50 on Wednesdays." is a way better password (pass-phrase) than "P@55w0rd123", obeys all the common complexity rules (capital and lowercase, digit and punctuation/special characters), is 60 characters as opposed to 11 characters, and is easier to remember.
- Use a Password Manager - I use KeePass (free, multi-platform, etc)
- If you use a Password Manager, use a different random password for every website, etc, because a Password Manager makes it easy. I always use 64-character random passwords (unless the website, etc, doesn't allow passwords that long).
I hope that all of this helps.
Cheers
Last edited by dulux-oz; February 28th, 2017 at 02:43.
Dulux-Oz
√(-1) 2^3 Σ Π
...And it was Delicious!
Alpha-Geek
ICT Professional
GMing Since 1982
NSW, Australia, UTC +10
LinkedIn Profile: www.linkedin.com/in/mjblack
Watch our games on Twitch: www.twitch.tv/dulux_oz
Support Me on Patreon: www.patreon.com/duluxoz
Past Games, etc, on my YouTube Channel: www.youtube.com/c/duluxoz
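To put numbers on the length argument in the post above, here is an added Python estimator (my own illustration, not the poster's): it models the "P@55w0rd123" versus 60-character sentence comparison two ways, per character and per word, because a grammatical sentence is worth less than its raw length suggests. The 10 billion guesses per second and the 20,000-word vocabulary are constructed assumptions.

```python
import math

# Character classes an attacker would have to include in a brute-force charset.
# Printable ASCII is 26 + 26 + 10 + 33 = 95 symbols.
CLASSES = [
    (lambda c: c.isascii() and c.islower(), 26),
    (lambda c: c.isascii() and c.isupper(), 26),
    (lambda c: c.isascii() and c.isdigit(), 10),
    (lambda c: c.isascii() and c.isprintable() and not c.isalnum(), 33),
]

# The two candidates from the post (the sentence is 60 characters long).
SHORT = "P@55w0rd123"
PHRASE = "A sausage-roll at the corner shop costs $4.50 on Wednesdays."


def charset_size(password: str) -> int:
    """Smallest union of character classes that covers every character used."""
    return sum(size for test, size in CLASSES if any(test(c) for c in password))


def char_bits(password: str) -> float:
    """Naive strength: each character drawn uniformly from the detected charset."""
    return len(password) * math.log2(charset_size(password))


def word_bits(phrase: str, vocab: int = 20_000) -> float:
    """Sentence-aware model: the attacker guesses whole words from a `vocab`-word
    dictionary, so a 60-character sentence is worth far less than 60 random characters."""
    return len(phrase.split()) * math.log2(vocab)


def crack_years(bits: float, guesses_per_sec: float = 1e10) -> float:
    """Expected time to hit the secret (half the keyspace) at an assumed guess rate."""
    return (2 ** bits / 2) / guesses_per_sec / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for label, pw in (("complex", SHORT), ("passphrase", PHRASE)):
        cb = char_bits(pw)
        print(f"{label:10} len={len(pw):2} charset={charset_size(pw)} "
              f"char-model={cb:6.1f} bits -> {crack_years(cb):.3g} years")
    wb = word_bits(PHRASE)
    print(f"passphrase word-model={wb:6.1f} bits -> {crack_years(wb):.3g} years")
```

Even under the pessimistic word model the sentence comes out far ahead of the 11-character "complex" password, which is the point the post makes.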
-
February 28th, 2017, 02:29 #43
My take on password rotation/change is driven by two things, let me know what you think:
1) Because if a website is hacked, it is unlikely you will be informed of the breach in a timely manner. If you change them regularly, it would be less likely you would be compromised as part of a secondary data user (i.e. someone who buys the breached data after the original user has done what they intend with it).
2) If you don't use unique passwords (which is a bad habit, but one I suspect a vast majority of people do), then when #1 happens, you are exponentially exposed (and not in a good "kilt" kind of way!)
Problems? See; How to Report Issues, Bugs & Problems
On Licensing & Distributing Community Content
Community Contributions: Gemstones, 5E Quick Ref Decal, Adventure Module Creation, Dungeon Trinkets, Balance Disturbed, Dungeon Room Descriptions
Note, I am not a SmiteWorks employee or representative, I'm just a user like you.
-
February 28th, 2017, 02:43 #44
Patrick
Ultimate License Holder
Currently Running (rotating home campaigns): Hobgoblins, Orcs, and Kobolds, Oh My! (5E), The Enemy Within (WFRP)
Currently Playing: Castle Zagyg (Labyrinth Lord), The Forgotten Temple of Tharizdun (AD&D)
-
February 28th, 2017, 02:53 #45
Rotating passwords on websites is not a bad idea - but a better one is to use unique, looonnnggg, random passwords on each website - the longer the password, the harder it is to brute-force, and if it's random, hackers can't dictionary attack it (i.e. guess) and if it's unique it won't matter (much) if it is compromised because you only use it in that one place. But in an office situation forcing the end-users to rotate their passwords is often counter-productive (as some of the posts here have shown) - it leads to things like "password1", "password2", "password3", etc with the number corresponding to the month of the year (for example).
But quite frankly, I wouldn't bother with rotating passwords on a website - if it's hacked, then I'm way more worried about my other personal details (name, DOB, social security number, etc) being stolen than a one-site-use, loooonnnngggg, hard to guess/break password - I know which is more valuable (and which isn't normally stored securely/encrypted).
Depressing, isn't it?
-
February 28th, 2017, 05:09 #46
As a manager at a pizza place, I had to change my password every two weeks and could never reuse a password, even years later. It was ridiculous. I also had to enter them every few minutes (approving discounts, sending drivers out, practically everything needed a manager password), so the goal was to make them fast and easy. The result was that I just used two or three keys so I could enter it in less than a second. poipoi changed to popopo, then oiuoiu, and so on. My favorite thing about transferring stores was that I could start the cycle over and use numbers again. Thankfully, I'm done dealing with that.
-
February 28th, 2017, 06:45 #47
Just curious, because I have never used a password manager, but couldn't someone just hack your password manager and get everything they need all in one handy place?
I honestly would like to know...
-
February 28th, 2017, 07:01 #48
I use two-factor auth (pw + yubi key) on my LastPass account. Anywhere you can possibly use two-factor auth, you should. Most email services have two-factor options, as does DropBox, Facebook, etc.
-
February 28th, 2017, 07:23 #49
-
February 28th, 2017, 09:18 #50
As damned said, yes, it is possible. And what he suggests is also the best way to do things.
But the idea behind a Password Manager is that the only place where you use the über-long Pass-Phrase needed to unlock the "password safe" is on a computer you "own" (i.e. you trust) and that it never gets sent "over the wire" - so for someone to break it they would have to access your PC (or mobile phone, or whatever) and then steal the password-safe, and then perform a brute-force attack on the über-long password and the encryption used to encrypt all the passwords stored within.
This is the electronic-equivalent of raiding your house to steal the wall safe out of the wall and then breaking open the safe - and notwithstanding the movie Fast & Furious Five, that's not easy to do.
It all comes down to "is it worth it" - is it worth it for a hacker to spend all that time and energy breaking into your "safe" for what's inside - and the answer is almost certainly "No".
Oh sure, if the American NSA wanted in they might - that's might - be able to crack it - although looking at all the reports about the police not being able to get into an iPhone (and the encryption on a Password Manager is often more secure than the encryption on an iPhone) I'm not so sure - but what are the chances of the NSA wanting to steal your passwords from you when they can steal them from a website and get oh-so-many more.
Most hackers (well over 90%) are little more than Script-Kiddies who don't really know what they're doing but who use a bunch of programs written by others to do their hacks. It's a bit like the difference between a punk gang-member, a trained soldier, and a special-ops member - all of them can use a gun but I know which order I'd put them in in terms of lethality.
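The "wall safe" model described in the post above, as an added Python sketch (not KeePass's or any other manager's own code): the master passphrase is stretched locally through a slow KDF, only a random salt, a work factor and a keyed check value are stored alongside the vault, and the cost of brute-forcing a stolen vault file grows with that work factor. PBKDF2-HMAC-SHA256, the 600,000-iteration figure and the 10,000x attacker speed-up are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Work factor for the slow KDF. PBKDF2-HMAC-SHA256 is a stand-in here; KeePass itself
# uses AES-KDF or Argon2, but the principle (make every guess expensive) is the same.
ITERATIONS = 600_000
CHECK_LABEL = b"vault-check"


def derive_vault_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the master passphrase into a 256-bit key. This runs only on the user's
    own device; the passphrase itself is never transmitted or written to disk."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)


def create_vault_header(passphrase: str, iterations: int = ITERATIONS) -> dict:
    """Metadata stored next to the encrypted vault: random salt, iteration count and a
    keyed check value. None of it yields the passphrase without redoing the KDF work."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(passphrase, salt, iterations)
    check = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlock(passphrase: str, header: dict) -> Optional[bytes]:
    """Return the vault key if the passphrase is right, otherwise None (constant-time)."""
    key = derive_vault_key(passphrase, header["salt"], header["iterations"])
    expected = hmac.new(key, CHECK_LABEL, "sha256").digest()
    return key if hmac.compare_digest(expected, header["check"]) else None


def brute_force_years(header: dict, passphrase_bits: float, speedup: float = 1e4) -> float:
    """Offline guessing time for someone who stole the vault file: time one derivation
    here, assume the attacker is `speedup` x faster (GPUs, many machines), and scale by
    the expected number of guesses (half the passphrase keyspace)."""
    t0 = time.perf_counter()
    derive_vault_key("timing probe", header["salt"], header["iterations"])
    per_guess = (time.perf_counter() - t0) / speedup
    return (2 ** passphrase_bits / 2) * per_guess / (365.25 * 24 * 3600)


if __name__ == "__main__":
    hdr = create_vault_header("A sausage-roll at the corner shop costs $4.50 on Wednesdays.")
    print("wrong passphrase unlocks:", unlock("P@55w0rd123", hdr) is not None)
    # Even a weak 40-bit passphrase costs real attacker time behind a slow KDF.
    print(f"40-bit passphrase at {ITERATIONS} iterations: ~{brute_force_years(hdr, 40):.3g} years")
```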