password security [Archive] - Glock Talk

wallyglock
10-16-2008, 05:45
I am only an occasional computer user and am not at all big into computers.

A friend got me to thinking........he says it is possible to get anyone's password and tap into their mail. I have no idea if this is true or not, and I am not sure if he has ever done this.
He does know his way around a computer very well.

Maybe there IS a way to accomplish this, but I would think this should be protected somehow! :dunno:

Any opinions?

gdvan01
10-16-2008, 06:06
It is possible to get anyone's password...how long that would take is the question. Simple passwords are easier to crack with freely available programs. Complex passwords, especially those that are longer and don't use common words, will take longer.

Using passwords that contain upper and lower case letters, numbers and special characters is the better way to go. Don't make your passwords something that can be easily identifiable to you: your dog's name, type of car you drive, etc...

sdsnet
10-16-2008, 06:45
One way to add complexity to your passwords is to take a word you can remember and substitute zeros for O's, 3's for E's, ones for L's, etc. w1nt3r instead of winter, for example.

Sgt. Schultz
10-16-2008, 07:16
If your e-mail program is Windows based then it is so simple to get your password that it’s scary. There are several programs available that will display the actual password by moving your mouse pointer over the “hidden” password. Windows shows them as asterisks but the passwords are not really hidden and these fields can be queried for the text inside them.

Green_Manelishi
10-16-2008, 08:09
> I am only an occasional computer user and am not at all big into computers.
>
> A friend got me to thinking........he says it is possible to get anyone's password and tap into their mail. I have no idea if this is true or not, and I am not sure if he has ever done this.
> He does know his way around a computer very well.
>
> Maybe there IS a way to accomplish this, but I would think this should be protected somehow! :dunno:
>
> Any opinions?

"Getting" a password is one thing; guessing a password, or the answer to a security question, is completely different.

It's true there is software available for almost any purpose, nefarious or otherwise, but in most cases it's not necessary to get the p-word, only SWAG your way into the account. Too many people use their name, DOB, relative name, etc. for security. They also use the same password for every account they might need to access.

They do a similar thing with a security question such as "What's your mother's maiden name?" They supply the actual maiden name rather than make up a nonsense answer.

I once had a boss, the CIO/CTO no less, who sent an email to the entire company regarding passwords. This is almost verbatim what he stated:

> If you are like me you suffer from information overload. Going forward we will be requiring regularly scheduled password changes to all of the accounts you access, so I suggest you make it simple on yourself and use the same password for all accounts.

My suggestion is a password that includes mixed case, numbers as well as letters, and at least one special character. Do not use the same pword for all of your accounts unless you do not care if someone accesses the account. Finally, make up a "password" for all security questions.

E.g. "What's your mother's maiden name?"
Answer: ScREaming0YellowZonKer$

Rémy
10-16-2008, 08:45
Depends what mail connection you use.
If it's a secure connection it's pretty complex... if it's a normal connection then some experienced guys can read your mails.

But you know what?
Guys who can do this aren't interested in your or my mails :).

If you use a Mac then there's a built-in password generator and a special and secure place to store your passwords (complex is good for safety but bad to remember :) ).

ax157
10-17-2008, 04:02
> I am only an occasional computer user and am not at all big into computers.
>
> A friend got me to thinking........he says it is possible to get anyone's password and tap into their mail. I have no idea if this is true or not, and I am not sure if he has ever done this.
> He does know his way around a computer very well.
>
> Maybe there IS a way to accomplish this, but I would think this should be protected somehow! :dunno:
>
> Any opinions?

It is possible in the sense that if all that's protecting you is a password, it's always "possible" to get that password. He could point a gun at your head and try and force you to give up the password. So what we're really talking about is security from a technical side.

From a technical point of view, it is NOT true that you can break into anybody's account/get anybody's password. It is all a matter of circumstance and opportunity.

If the mail provider you have is secure, and your password cannot be easily guessed and is not simple in nature (for example, you may not guess the password "2342", but it's possible given the right situation for a computer to guess that password by random trial and error), and the line or contents of communication between your computer and your mail provider is secure, and your computer itself is secure, then it will be virtually impossible for someone to get access to your mail.

You seem to be asking that if it's possible to get anyone's or most people's password or e-mail then why isn't it more protected. The truth is that generally, it is protected. It's just that the vast majority of the time when someone gets their computer or e-mail "hacked", the problem was in their actions or choices.

Take the recent hacking of Sarah Palin's e-mail. That wasn't all that technical a feat; I believe someone just knew the answer to her password recovery question.

Hope that gives you a better understanding.

noway
10-17-2008, 09:28
My thoughts on this, coming from a unix background and admin for over 12 years:

1: Passwords should be changed regularly, like every month to each quarter. The reason why: if somebody did get your encrypted password and you changed it every month or sooner, for example, by the time they cracked it (if it was a strong password to begin with), the password would be of no good.

And just like mentioned above, don't use the same password for all accounts. I worked in security groups where you sniff out a person's "at work" password and then figure out their hotmail or ebay/paypal account, and after a few trial-and-errors with their login name, you now have access to these other accounts.

If I was internet god and master admin, your login wouldn't even be in any relationship to your name (i.e. msmith@yourcompany.com would now be m3456thyjk1l).

2: Passwords should be 8-10 characters with at least one special char (i.e. ^$#@), two is better, and at least one upper case and numbers, two is better.

3: Don't use anything that sends credentials in the clear (telnet, POP, imap); instead opt for services that support encryption (ssh, imap-ssl, etc...)

4: Any website that takes personal/privacy information needs to be https: vs. http:

5: remote access should be thru some type of vpn ( pptp/ipsec/open-vpn, ssl-vpn )

6: opt for security token/cards with rotating keys and a 4 digit PIN or one time use passwords.

fwiw:
You deploy that or use services like that and you would be 100% safe.

note:

As a Solaris and Linux admin, I used to grab password files off these systems, and even Windows, and run various cracking tools against users to see what passwords they were using or to see if they could be cracked with easy word-based attacks. You would be surprised to see what people use ;)
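
An added example, not part of any post in this thread: a small password audit of the kind a defender might run, combining the complexity rules from noway's point 2 with a check for the dictionary-word substitutions sdsnet describes. The wordlist, function names and sample passwords are constructed for illustration, and only the 8-character minimum of the length rule is enforced.

```python
import re

# Constructed sample data: a real audit would load a large wordlist.
COMMON_WORDS = {"winter", "summer", "password", "letmein", "glock"}
# Substitutions of the kind the thread mentions ("1" is handled separately).
LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def candidates(pw):
    """Undo common substitutions; "1" may stand for either "i" or "l"."""
    low = pw.lower().translate(LEET)
    return {re.sub(r"[^a-z]", "", low.replace("1", c)) for c in ("i", "l")}


def audit(pw, personal=()):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if len(pw) < 8:
        findings.append("shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        findings.append("no upper-case letter")
    if not re.search(r"[0-9]", pw):
        findings.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        findings.append("no special character")
    cands = candidates(pw)
    for word in sorted(COMMON_WORDS):
        if any(word in c for c in cands):
            findings.append(f"built on the common word '{word}'")
    for detail in personal:  # names or words tied to the user
        if any(detail.lower() in c for c in cands):
            findings.append(f"contains personal detail '{detail}'")
    return findings


if __name__ == "__main__":
    for pw, personal in [("w1nt3r", ()), ("W1nt3r!2008", ()),
                         ("Rex2008!!", ("Rex",)), ("q7#Vx2mPz!", ())]:
        print(f"{pw:14} {audit(pw, personal) or 'nothing flagged'}")
```

A password can satisfy every complexity rule and still be flagged, because it reduces to a dictionary word once the substitutions are undone.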

nursetim
10-17-2008, 10:30
Is there technology out there that fits this description? 1) external thumb drive 2) for every site that requires a password it automatically changes it every visit 3) randomly generates new password and remembers it for next visit then changes the password again?

IWUprof
10-17-2008, 12:22
Try using Password Safe. I have used it for a number of years and am very satisfied with it. You can change passwords easily and use the program to generate them on a random basis using your parameters; e.g. special characters, caps, number of characters, etc. You can also use the program on different computers using a jump drive. Address is http://passwordsafe.sourceforge.net

cnutco
10-17-2008, 13:06
Not my thread, but wanted to thank all for the info and the advice!

noway
10-17-2008, 18:45
> Is there technology out there that fits this description? 1) external thumb drive 2) for every site that requires a password it automatically changes it every visit 3) randomly generates new password and remembers it for next visit then changes the password again?

None that I'm aware of. It would then require you to "secure" the thumbdrive.

If you wanted to do all of that, you should have some type of integration with biometrics like a "fingerprint" reader, then when you access the site, it will authenticate once your print is scanned and verified.

nursetim
10-17-2008, 20:34
noway, Okay, sounds good, sign me up.
IWUprof, That looks like what I'm looking for, but I'm looking for a plug-in hardware-like device.

IWUprof
10-18-2008, 07:17
Check out the web site again. You can use the program on a jump drive that you plug into whichever computer you are using. I don't use it in that manner but the feature is listed as available.