GlockTalk.com
Old 09-13-2012, 18:01   #1
RWBlue
CLM Number 120
Mr. CISSP, CISA
 
 
Join Date: Jan 2004
Posts: 28,585
multiple account and multiple passwords

Do you use the same password for multiple accounts inside the company and outside the company?

My guess is you are like most people and don't realize the security issues you have by doing such a thing. Or to put it a different way, if one account gets compromised all accounts are compromised.

But on the flip side you end up with 12 accounts and 12 passwords and you are always getting your password reset because you cannot remember which password is for which account.

So here is my question for the group, how can you securely keep track of 12 or more accounts inside and outside your corporation when they all have unique passwords?
__________________
One day, I shall come back. Yes, I shall come back. Until then, there must be no regrets, no tears, no anxieties. Just go forward in all your beliefs and prove to me that I am not mistaken in mine.
Old 09-13-2012, 18:54   #2
Bushflyr
ʇno uıƃuɐɥ ʇsnɾ
 
 
Join Date: Mar 1999
Location: Western WA
Posts: 4,465
12? LOL try adding a zero to that.

I'm slowly transitioning to KeePass. Very slowly. It's painful.
__________________
...the secret is to bang the rocks together, guys.

That which does not kill you has made a tactical error. --Tayler
Old 09-13-2012, 18:59   #3
fgutie35
Senior Member
 
 
Join Date: Jul 2007
Location: deep southeast Texas
Posts: 2,689
Easy, make a super secure password. You would never guess or hack mine, because it is in an ancient language and it is hexadecimal in nature, so in digital language, it could be seen as raw data and not a specific inscription.
__________________
A good firearm, is the one that puts food on the table.
Old 09-13-2012, 19:28   #4
UtahIrishman
BLR
 
 
Join Date: Nov 2001
Location: Utah
Posts: 6,446


I memorize my key passwords. The rest are kept in a paper notebook stored in an unknown location.

You can make up memorable passwords that are secure by using mnemonic devices or simple substitution. For example: Password becomes P@$$W0rd.

If you want to memorize a series of passwords, use this approach and then create a mnemonic series based on the first letter of the passwords, such as Every Good Boy Does Fine where EGBDF stands for E@ch, G0od0ne, B0xer, D0gm@, F1e$ty, etc. You get the idea.



I've known some to use patterns on the keyboard. Just don't make it too simple a pattern or it will be compromised in no time.
__________________
Quis custodiet ipsos custodes? - Juvenal

----
Old 09-13-2012, 19:45   #5
sappy13
Senior Member
 
 
Join Date: Sep 2007
Location: Bremen, GA
Posts: 2,744
My only suggestion would be to make very long and secure passwords, swapping out numbers for letters and symbols. Also don't use passwords that have any personal meaning to you. I have a ton of passwords, so I use KeePass to keep up with them. Just get it, put the db in your Dropbox, and you will always have access to them.
Old 09-13-2012, 19:57   #6
fx77
CLM Number 232
Charter Lifetime Member
 
Join Date: Nov 2008
Posts: 1,879
Gee
I have 5 typed pages of single spaced 12 point font of passwords..
Just shoot me!
Old 09-14-2012, 04:58   #7
gwalchmai
Lucky Member
 
 
Join Date: Jan 2002
Location: Outside the perimeter
Posts: 45,963


I use Password Safe.
Old 09-14-2012, 06:32   #8
FL Airedale
Dog Breath
 
 
Join Date: May 2011
Location: In the sticks
Posts: 1,986
I've got more than 100 passwords. I use EWallet. It installs on my phone and computer. Plug the phone into the computer and they synch. Of course if you forget the master password to EWallet, you are in big trouble!

www.iliumsoft.com/ewallet

__________________
Life Member - NRA, GOA,
I used to be a people person but people ruined that for me.
Old 09-14-2012, 07:58   #9
RWBlue
CLM Number 120
Mr. CISSP, CISA
 
 
Join Date: Jan 2004
Posts: 28,585
Quote:
Originally Posted by fgutie35
Easy, make a super secure password. You would never guess or hack mine, because it is in an ancient language and it is hexadecimal in nature, so in digital language, it could be seen as raw data and not a specific inscription.
Understand I am in IT Security.

No password is unbreakable (It just takes time and desire).

Many computer systems store end user passwords in clear text.

Worst case scenario, if the password database is encrypted and I can get it, I could use a rainbow table to break the hash and gain access. (This was part of the RSA attack.)

Having one password for everything is a VERY VERY BAD IDEA.
__________________
One day, I shall come back. Yes, I shall come back. Until then, there must be no regrets, no tears, no anxieties. Just go forward in all your beliefs and prove to me that I am not mistaken in mine.
Old 09-14-2012, 08:47   #10
Chesafreak
Senior Member
 
 
Join Date: Nov 2011
Location: Chesapeake, VA
Posts: 1,844
I have used KeePass on an IronKey USB thumb drive for a few years now.

I have worked in information security and I came up with a way to make complex passwords by using patterns on the keyboard. If you were to ask me my master password, I couldn't tell it to you without sitting down at a keyboard to type it out. It's very complex, no words involved, and I only memorize the pattern, not the characters, so it's easy to change my password when it expires without having to memorize another one. I simply move the pattern up/down/sideways when I change it. That also does make it difficult to enter when using a tablet or phone keypad while connecting with Citrix Receiver to work. I also use different passwords for each service. I keep those in KeePass on my encrypted IronKey which will wipe itself after too many failed password attempts.

Last edited by Chesafreak; 09-14-2012 at 08:49..
Old 09-14-2012, 12:02   #11
Pierre!
NRA Life Member
 
 
Join Date: Jun 2003
Location: Lovin Sparks Nv!
Posts: 4,191
LastPass *ROCKS*

I am a very happy LastPass user.

It's easy to let LastPass generate the *cryptic* passwords for you, but you have access to edit those passwords if you desire.

LastPass easily captures most changed passwords as well. Some membership sites are getting "clever" and adding odd login screens that are not part of the webpage, but it's easy to manually add passwords for tracking/reminder purposes.

LastPass is easy to use from their website and last time I checked it would not leave any password residue on Kiosks... which are still risky due to keystroke loggers... so use the mouse to activate the onscreen keyboard in these situations!

It's been a couple years now, and I don't see a reason to change.

Hope That Helps
Patrick
Old 09-14-2012, 12:42   #12
harrygunner
Senior Member
 
Join Date: Sep 2010
Posts: 470
Bruce Schneier's 'Password Safe' has been made open source. One can download a .exe or Linux binary files. Can also compile it from source. (I haven't used it yet. I made my own years ago.)

http://sourceforge.net/projects/passwordsafe/

Bruce Schneier is active in the security arena and has designed several algorithms that have been well received by the security community.

I use 'mkpasswd' on Linux to generate user IDs, passwords and answers to "forgot your password?" questions. All random and unrelated to all aspects of my life.

BTW, rainbow tables won't help with encrypted files. They provide some assistance with unsalted hashed passwords. And hashing a password does not encrypt the password.
__________________
People who've had to deal with their karma are more interesting to talk to.
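An added illustration of the point made in the post above about unsalted hashes (not code from any poster): a plain precomputed lookup table, standing in for a rainbow table, is checked against unsalted SHA-256 hashes and against salted PBKDF2 records. The account names, candidate list and function names are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed sample data: a small candidate list and two accounts that
# happen to share one password.
CANDIDATES = ["password", "P@$$W0rd", "letmein", "j13M43tB4tc"]
ACCOUNTS = {"alice": "P@$$W0rd", "bob": "P@$$W0rd"}
ROUNDS = 100_000


def unsalted(pw):
    """Bare hash: the same password always yields the same stored value."""
    return hashlib.sha256(pw.encode()).hexdigest()


def salted(pw, salt=None):
    """Per-record random salt plus key stretching (PBKDF2-HMAC-SHA256)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS)


def verify(pw, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    return hmac.compare_digest(salted(pw, salt)[1], digest)


# Built once, before any database is seen, and reusable against every
# unsalted store. This reuse is the advantage a salt takes away.
PRECOMPUTED = {unsalted(c): c for c in CANDIDATES}


def lookup_unsalted(db):
    return {user: PRECOMPUTED.get(h) for user, h in db.items()}


def lookup_salted(db):
    # The table is keyed on bare SHA-256, so salted digests never match it.
    return {user: PRECOMPUTED.get(d.hex()) for user, (_, d) in db.items()}


def demo():
    weak = {u: unsalted(p) for u, p in ACCOUNTS.items()}
    strong = {u: salted(p) for u, p in ACCOUNTS.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = demo()
    print("unsalted:", lookup_unsalted(weak))
    print("salted:  ", lookup_salted(strong))
```

A salt only removes the precomputation advantage; a guessable password can still be tried against each record one at a time, which is what the iteration count slows down.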
Old 09-14-2012, 14:30   #13
RWBlue
CLM Number 120
Mr. CISSP, CISA
 
 
Join Date: Jan 2004
Posts: 28,585
Quote:
Originally Posted by harrygunner
BTW, rainbow tables won't help with encrypted files. They provide some assistance with unsalted hashed passwords. And hashing a password does not encrypt the password.
There are several ways I could argue this point, but I have decided not to as it doesn't resolve my original query.
__________________
One day, I shall come back. Yes, I shall come back. Until then, there must be no regrets, no tears, no anxieties. Just go forward in all your beliefs and prove to me that I am not mistaken in mine.
Old 09-14-2012, 15:24   #14
RWBlue
CLM Number 120
Mr. CISSP, CISA
 
 
Join Date: Jan 2004
Posts: 28,585
At this point, I am thinking I want to have an Android enabled app. It is the only thing that is consistent between home, work, other environments. The idea of having my passwords in the cloud just doesn't thrill me.
__________________
One day, I shall come back. Yes, I shall come back. Until then, there must be no regrets, no tears, no anxieties. Just go forward in all your beliefs and prove to me that I am not mistaken in mine.
Old 09-14-2012, 15:26   #15
Chesafreak
Senior Member
 
 
Join Date: Nov 2011
Location: Chesapeake, VA
Posts: 1,844
Quote:
Originally Posted by RWBlue
At this point, I am thinking I want to have an Android enabled app. It is the only thing that is consistent between home, work, other environments. The idea of having my passwords in the cloud just doesn't thrill me.
Good point about the cloud, however Android apps and platform aren't really all that secure are they?
Old 09-14-2012, 15:46   #16
RWBlue
CLM Number 120
Mr. CISSP, CISA
 
 
Join Date: Jan 2004
Posts: 28,585
Quote:
Originally Posted by Chesafreak
Good point about the cloud, however Android apps and platform aren't really all that secure are they?
The problem I have with any Android app is you really don't know what it is doing unless you have access to the source code and even then there are always updates.

On the flip side, I could just have an Excel file on the phone. It is protected by a swipe code and then you would have to know what file to go after. As long as I didn't keep the file on the removable chip,....?

The problem is most of my passwords do not translate very well to the phone. They are not words. I am somewhat of a touch typist. On a regular keyboard I type my password and can retype my password, but typing it on a phone is hit or miss, I will actually have to memorize a password because letting the fingers type what they want will not work.
__________________
One day, I shall come back. Yes, I shall come back. Until then, there must be no regrets, no tears, no anxieties. Just go forward in all your beliefs and prove to me that I am not mistaken in mine.
Old 09-15-2012, 23:14   #17
c6601a
Senior Member
 
Join Date: Jan 2001
Location: The Most Beautiful Part Of The USA
Posts: 3,427
There is a very simple process.

Think of a person, a place or an event. Think of something you associate with that. For example, what you remember most about your ex Jen is: "Jen and I made out in the back of the car". The password becomes jaimoitbotc. You can embellish that by throwing in numbers and capitalization based on some formula. Maybe every 2nd, 4th, 8th and 16th letter is capitalized. Every vowel is replaced by a number, like a=1, e=2, i=3, o=4, u=5.

The password now becomes: j13M43tB4tc

The best part is that you can put a sticky on your monitor reminding you that the password is Jen and the password is still safe.
Old 09-15-2012, 23:15   #18
c6601a
Senior Member
 
Join Date: Jan 2001
Location: The Most Beautiful Part Of The USA
Posts: 3,427
Quote:
Originally Posted by FL Airedale
Of course if you forget the master password to EWallet, you are in big trouble!
Or when someone manages to crack your master password, they get all your passwords.
Old 09-16-2012, 17:38   #19
RWBlue
CLM Number 120
Mr. CISSP, CISA
 
 
Join Date: Jan 2004
Posts: 28,585
Quote:
Originally Posted by c6601a
There is a very simple process.

Think of a person, a place or an event. Think of something you associate with that. For example, what you remember most about your ex Jen is: "Jen and I made out in the back of the car". The password becomes jaimoitbotc. You can embellish that by throwing in numbers and capitalization based on some formula. Maybe every 2nd, 4th, 8th and 16th letter is capitalized. Every vowel is replaced by a number, like a=1, e=2, i=3, o=4, u=5.

The password now becomes: j13M43tB4tc

The best part is that you can put a sticky on your monitor reminding you that the password is Jen and the password is still safe.
Doesn't solve the problem of multiple passwords on multiple machines. Some will get changed every 60 days, others 90 days, others once a year.
__________________
One day, I shall come back. Yes, I shall come back. Until then, there must be no regrets, no tears, no anxieties. Just go forward in all your beliefs and prove to me that I am not mistaken in mine.
Old 09-16-2012, 17:41   #20
RWBlue
CLM Number 120
Mr. CISSP, CISA
 
 
Join Date: Jan 2004
Posts: 28,585
Quote:
Originally Posted by c6601a
Or when someone manages to crack your master password, they get all your passwords.
Make it good, change it often.
__________________
One day, I shall come back. Yes, I shall come back. Until then, there must be no regrets, no tears, no anxieties. Just go forward in all your beliefs and prove to me that I am not mistaken in mine.

 
  




All times are GMT -6.



