password management


Russ Crawford

Apr 26, 2011, 10:29:25 AM4/26/11
to nlug...@googlegroups.com
What standards do you have for strong passwords?

What have you considered as a password management process/program?

What password manager do you use?
--
Russ Crawford
615/506-4070

Raymond Beaudoin

Apr 26, 2011, 10:31:39 AM4/26/11
to nlug...@googlegroups.com
This may be of interest to some: http://makemeapassword.com/

Even if you don't use the specific phrases they list, you can use their template and come up with memorable, but secure, passwords. 

-- 
Raymond Beaudoin



--
You received this message because you are subscribed to the Google Groups "NLUG" group.
To post to this group, send email to nlug...@googlegroups.com
To unsubscribe from this group, send email to nlug-talk+...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/nlug-talk?hl=en




Sabuj Pattanayek

Apr 26, 2011, 10:49:57 AM4/26/11
to nlug...@googlegroups.com
On Tue, Apr 26, 2011 at 9:29 AM, Russ Crawford
<russ.m....@gmail.com> wrote:
> What standards do you have for strong passwords?


* 8 - 16 chars
* The password must contain characters from ALL of the following character sets:

1. abcdefghijklmnopqrstuvwxyz
2. ABCDEFGHIJKLMNOPQRSTUVWXYZ
3. 0123456789
4. ~!@#$%^&*()_+-=;./[]{}><,./?

* must change the password every 365 days
* If you already have a password, when you go to change it, it cannot
match any of your 10 previous passwords
* password cannot contain 3 consecutive letters from your login
* password cannot contain your login in reverse

>
> What have you considered as a password management process/program?

gpg symmetrically encrypted file with a really long passphrase >= 20 chars.

Alex Smith (K4RNT)

Apr 26, 2011, 10:51:20 AM4/26/11
to nlug...@googlegroups.com
Yikes! I'd forget three days after I made the password if I made it to
those criteria! :(


--
" ' With the first link, the chain is forged. The first speech
censured, the first thought forbidden, the first freedom denied,
chains us all irrevocably.' Those words were uttered by Judge Aaron
Satie as wisdom and warning... The first time any man's freedom is
trodden on we’re all damaged." - Jean-Luc Picard, quoting Judge Aaron
Satie, Star Trek: TNG episode "The Drumhead"
- Alex Smith (K4RNT)
- Sterling, Virginia USA

Kent Perrier

Apr 26, 2011, 10:55:54 AM4/26/11
to nlug...@googlegroups.com
On Tue, Apr 26, 2011 at 9:29 AM, Russ Crawford <russ.m....@gmail.com> wrote:
> What password manager do you use?

I use lastpass https://lastpass.com/

Kent

Jack Coats

Apr 26, 2011, 11:04:28 AM4/26/11
to nlug...@googlegroups.com
Back in the dark days when Sun was our preferred option, we set up
profiles for users with a questionnaire and wrote a filter that didn't
allow use of any name (including pets, and nicknames), phrase,
hometown, birthplace, that was on the questionnaire.

We required 10 to 20 character names with at least one upper case, and
lower case, one number, and one special symbol. We also used the
online system spell check dictionary to make sure no direct dictionary
attack would work.

We also didn't allow 'keyboard strings' like asdf or poiu and
recognized them as 'words'.

But we also had LOTS of complaints from customers. =;0) [yes, we had
to loosen up once management made it a requirement and we made our
point about them not wanting security... some of us never stop tilting
at windmills...]

For reasonable passwords, I normally suggest as minimums, one upper,
one lower, one number and at least 7 characters long, and allow non-space
special characters.

The password checker we used was effectively a Bourne shell script using
grep, where we checked the passwords before sending them to crypt to
turn them into passwords.
I am sure that is NOT how things are done today, but then again
dinosaurs roamed the halls of data centers 'back when'.

><> ... Jack
Whatever you do, work at it with all your heart... Colossians 3:23



Jack Coats

Apr 26, 2011, 11:09:22 AM4/26/11
to nlug...@googlegroups.com
On one set of mainframes, we had system wide passwords for reading,
writing, and 'multi-write' to disks. (IBM's VM).

Our systems group had 3 people in it, so we used our license tags.
After a few years none of us had those car tags anymore, but we kept
the passwords. Only 6 characters of 3 numbers and 3 upper case
characters each. But we never had a breach. :)

Mine was 182AWQ (read), others were SGN905 (write)

Curt Lundgren

Apr 26, 2011, 5:42:47 PM4/26/11
to nlug...@googlegroups.com
Our password security requirements, since we're dealing with students, faculty and administration folks:

Must contain at least one upper case, lower case and number
Must be at least 6 characters in length.

It doesn't sound all that impressive, but I can recount the tale of a former highly placed administrative person who, until the imposition of new password security measures, used the password "blouse".  Jack the Ripper would simply yawn.

Our passwords must be changed approximately twice a year, and the change system automatically rejects unacceptable passwords, including checking for similarity to first name, last name, user name and the most recent password.  Passwords may not be reused for at least a year.

Curt



Nathanael Ries

Apr 26, 2011, 6:25:15 PM4/26/11
to nlug...@googlegroups.com

I always use password safe.

http://passwordsafe.sourceforge.net

I have used it for 5 years now and have even put the encrypted password file in my dropbox so I can use it with the passwdsafe android app on my phone as well, being able to access it no matter where I go has been very useful.  There are also compatible ports for many Linux distros too.


Paul Boniol

Apr 26, 2011, 6:58:17 PM4/26/11
to nlug...@googlegroups.com
On Tue, Apr 26, 2011 at 4:42 PM, Curt Lundgren <veri...@gmail.com> wrote:
> Our password security requirements, since we're dealing with students, faculty and administration folks:
>
> Must contain at least one upper case, lower case and number
> Must be at least 6 characters in length.
>
> It doesn't sound all that impressive, but I can recount the tale of a former highly placed administrative person who, until the imposition of new password security measures, used the password "blouse".  Jack the Ripper would simply yawn.
>
> Our passwords must be changed approximately twice a year, and the change system automatically rejects unacceptable passwords, including checking for similarity to first name, last name, user name and the most recent password.  Passwords may not be reused for at least a year.
>
> Curt

Vanderbilt e-password (used by many services):
8-16 characters
Must contain characters from at least three:
1. lowercase letters
2. uppercase letters
3. numbers
4. ~!@#$%^&*()_+-=;./[]{}><,./? 
Different from current
Cannot match 10 previous
Cannot match any other current network password you may have (whatever that means?)
Cannot contain 3 characters from login name
Cannot contain login name in reverse


Now personal home boxes, and boxes I administer (with no password access via network) are a different matter.

Paul Boniol

Sabuj Pattanayek

Apr 26, 2011, 7:11:25 PM4/26/11
to nlug...@googlegroups.com
> Vanderbilt e-password (used by many services):
> 8-16 characters
> Must contain characters from at least three:
> 1. lowercase letters
> 2. uppercase letters
> 3. numbers
> 4. ~!@#$%^&*()_+-=;./[]{}><,./?
> Different from current
> Cannot match 10 previous
> Cannot match any other current network password you may have (whatever that
> means?)
> Cannot contain 3 characters from login name
> Cannot contain login name in reverse

That's the one I posted earlier; the difference I added, and that I would
use, is to require all 4 classes of characters rather than three.
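The policy quoted in the two posts above, as a runnable checker added here for illustration; it is not code from any poster or from Vanderbilt. With min_classes=3 it reproduces the quoted rules, with min_classes=4 the all-four-classes variant. The SHA-256 history format and the reading of "3 characters from login name" as three consecutive login characters are assumptions.

```python
"""Checker for the account-password policy quoted in this thread.
Example code written for the thread, not any poster's or Vanderbilt's implementation."""
import hashlib
import string

# The special-character set exactly as quoted in the thread.
SPECIALS = "~!@#$%^&*()_+-=;./[]{}><,./?"

CLASSES = {
    "lowercase": set(string.ascii_lowercase),
    "uppercase": set(string.ascii_uppercase),
    "digits": set(string.digits),
    "special": set(SPECIALS),
}
ALLOWED = set().union(*CLASSES.values())


def password_hash(password: str) -> str:
    """Constructed history format: plain SHA-256 hex. A real system keeps old
    passwords under the same salted, slow hash (bcrypt, scrypt, ...) it uses for login."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(candidate, login, current_hash=None, previous_hashes=(),
                   min_classes=3, history_size=10):
    """Return the list of rules the candidate violates (empty list = acceptable).

    min_classes=3 is the quoted policy; min_classes=4 is the stricter variant.
    Comparisons against the login name are case-insensitive (assumption)."""
    problems = []
    if not 8 <= len(candidate) <= 16:
        problems.append("length must be 8-16 characters")
    if set(candidate) - ALLOWED:
        problems.append("contains characters outside the permitted sets")
    present = sum(1 for chars in CLASSES.values() if chars & set(candidate))
    if present < min_classes:
        problems.append(f"needs characters from at least {min_classes} classes, has {present}")
    digest = password_hash(candidate)
    if current_hash is not None and digest == current_hash:
        problems.append("must differ from the current password")
    if digest in list(previous_hashes)[-history_size:]:
        problems.append(f"matches one of the previous {history_size} passwords")
    lowered, lower_login = candidate.lower(), login.lower()
    # "3 characters from login name" read as any run of 3 consecutive login characters.
    if any(lower_login[i:i + 3] in lowered for i in range(len(lower_login) - 2)):
        problems.append("contains 3 consecutive characters of the login name")
    if lower_login and lower_login[::-1] in lowered:
        problems.append("contains the login name reversed")
    return problems


if __name__ == "__main__":
    # Constructed sample: user 'rcrawford' changing away from 'Summer2010!'.
    old = password_hash("Summer2010!")
    for pw in ("Summer2010!", "Drofwarcr9!", "Tr0ub4dor&3x", "Password1"):
        result = check_password(pw, "rcrawford", current_hash=old, min_classes=4)
        print(pw, "->", result or "OK")
```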

Russ Crawford

Apr 26, 2011, 7:42:54 PM4/26/11
to nlug...@googlegroups.com
OK, I was not clear.

Like pretty much all of you, I have a scadgillion
accounts/usernames/passwords. Well, maybe not quite that many.

NOTE: scadgillion is greater than the US national debt times the number
of stars in the Milky Way. Yes, I made that up.

I should have asked what software to use to track and maintain accounts
and their associated usernames and passwords.

Or is a web-based solution your preferred approach?

Obviously I want an open-source solution that can be used on a Linux
computer. Cross-platform would be real nice.

I hope that is a better specification of what I seek.
--
Russ Crawford
615/506-4070

Chris McQuistion

Apr 26, 2011, 8:36:36 PM4/26/11
to nlug...@googlegroups.com
For what you're asking for, I highly recommend (and use) LastPass.

Chris


--
Chris

James Sizemore

Apr 27, 2011, 2:20:15 AM4/27/11
to nlug...@googlegroups.com
These rules would almost definitely cause more break-ins than "Must contain characters from at least two". The reason being, most break-ins are inside jobs, and these rules are complex enough that I bet more than half of the students write down their passwords, making the inside job much more likely.

Password rules are a balance in trying to be complex enough to challenge automated password breakers, but not so complex as to require the end user to write it down, simply to remember it.

But hey, to each their own.

Russ Crawford

Apr 27, 2011, 1:40:39 PM4/27/11
to nlug...@googlegroups.com
I kept searching and found this:

http://www.webupd8.org/2010/07/best-linux-password-manager.html

Comments, analyses or critiques?
--
Russ Crawford
615/506-4070

Chris McQuistion

Apr 27, 2011, 1:44:41 PM4/27/11
to nlug...@googlegroups.com
I prefer LastPass because they work everywhere and have clients for
almost everything (smartphones, etc).

Chris

Sent from my iPhone

Richard Thomas

Apr 27, 2011, 1:54:22 PM4/27/11
to nlug...@googlegroups.com
It's about time we ended having strong passwords be a requirement for
access to stuff. Two-part token/password authentication is the way to
go. I'm also fed up with all the passwords required for websites,
needing to sign up just to make a one-shot comment on something that is
only to the benefit of others means I often don't bother. I would have
thought Google or Yahoo (or some consortium) would have been able to get
openid moving but it looks like Facebook is the one managing to make
inroads into shared authentication and that's a trifle worrying.

Rich

Michael Chaney

Apr 27, 2011, 1:56:12 PM4/27/11
to nlug...@googlegroups.com
On Wed, Apr 27, 2011 at 1:20 AM, James Sizemore <yam...@gmail.com> wrote:
> These rules would almost definitely cause more break-ins than "Must contain characters from at least two". The reason being, most break-ins are inside jobs, and these rules are complex enough that I bet more than half of the students write down their passwords, making the inside job much more likely.
>
> Password rules are a balance in trying to be complex enough to challenge automated password breakers, but not so complex as to require the end user to write it down, simply to remember it.

I second this. Actual security will rise along with password
complexity to a certain point, after which security drops off
precipitously as complexity rises. That drop off point corresponds to
the place where people start leaving the password on a sticky note
attached to their monitor.

People who use the very complex password schemes mistakenly think that
their only enemy is someone with a password cracking program, when in
fact the vast majority of intrusions are social in nature.

Michael
--
Michael Darrin Chaney, Sr.
mdch...@michaelchaney.com
http://www.michaelchaney.com/

Tilghman Lesher

Apr 27, 2011, 2:05:20 PM4/27/11
to nlug...@googlegroups.com
On Tuesday 26 April 2011 16:42:47 Curt Lundgren wrote:
> Our passwords must be changed approximately twice a year, and the change
> system automatically rejects unacceptable passwords, including checking
> for similarity to first name, last name, user name and the most recent
> password. Passwords may not be reused for at least a year.

This part doesn't make sense any more. Time limits were originally
instituted at a time when password hashing was not nearly as advanced,
and the time limit was half of the time that it would take to brute force a
password. Now that a brute force attack will require decades for MD5-based
hashes, and millennia for SHA-based hashes, a password time limit simply
isn't an effective means to security. The only time when you should force a
change to a password is when you suspect it may have been compromised.

--
Tilghman

Timothy Ball

Apr 27, 2011, 2:08:58 PM4/27/11
to nlug...@googlegroups.com
i use http://keepass.info/

there's an osx version too:

http://www.keepassx.org/

features : never talks on the network . there's even a mobile version .
and you can aes encrypt the db file on disk . builtin passwd generator .

--timball

--
GPG key available on pgpkeys.mit.edu
pub 1024D/511FBD54 2001-07-23 Timothy Lu Hu Ball <tim...@tux.org>
Key fingerprint = B579 29B0 F6C8 C7AA 3840 E053 FE02 BB97 511F BD54

Richard Thomas

Apr 27, 2011, 2:24:24 PM4/27/11
to nlug...@googlegroups.com
But if ever there was a URL that was at risk of being blocked by web
filters... :)

Nathanael Ries

Apr 27, 2011, 2:55:11 PM4/27/11
to nlug...@googlegroups.com

I think this is why the OP asked about encrypted password managers such as keepass and password safe.  These programs allow you to use very complex passwords by maintaining an encrypted database that only you have access to.  In all truthfulness, even writing down passwords on paper is far more secure than using a "secure" password like "*Koobface01" on your Facebook account, what with the GPU password cracking techniques out there... IF you can keep the paper physically secure.

Chris McQuistion

Apr 27, 2011, 3:21:03 PM4/27/11
to nlug...@googlegroups.com
I agree that time limits don't help with brute force password cracking but I think implementing time limits actually helps mitigate two other problems.  

First, people sometimes tell other people their passwords.  They don't think anything about sharing their password with their co-worker, but six months later when that co-worker is fired, they can use the password that their co-worker told them to access the company's network.  By implementing time limits on passwords, people's bad behavior is at least constrained to a particular window of time.

Secondly, people use the same passwords for multiple services.  They shouldn't.  We tell them not to, but they do it anyway.  That means that when their online store or social network of choice is compromised and their password is compromised, that may be the same password that they use for their company email account and VPN access!  By making them change their company password occasionally, there is a good likelihood that their company password will end up being different from the password they use for other services, if not immediately, at least eventually.

I've had this bite me, personally.  I had an online store that I shopped at and their authentication system was compromised.  I didn't use that same password for very much but I did use it for my iTunes account.  $90+ of iTunes charges later, I learned my lesson (which ironically, was to practice what I preach.)  Make a different password for every service!  Many of the password manager systems (like LastPass) will help you do this and some can even generate very-random passwords for you and store them so you don't have to remember them.

Chris 



df9

Apr 27, 2011, 8:18:35 PM4/27/11
to NLUG

I use my Mac, so with OSX there is Address Book.
I export the vCards and keep them in a password protected DMG.
After they are stored I delete them from Address Book and the desktop.
I started doing this years ago.
Dan

Michael Chaney

Apr 27, 2011, 9:21:18 PM4/27/11
to nlug...@googlegroups.com
On Wed, Apr 27, 2011 at 7:18 PM, df9 <df9...@gmail.com> wrote:
> I use my Mac so with OSX there is address book.
> I export the V cards and keep them in a password protected DMG.
> After they are stored I delete them from address book and the desktop.
> I started doing this years ago.

If you're using Mac OS X, you can use the keychain to do this well
(Keychain Access in Utilities).

Jack Coats

Apr 28, 2011, 9:58:16 AM4/28/11
to nlug...@googlegroups.com
http://www.howtogeek.com/60921/ask-the-readers-how-do-you-keep-track-of-your-passwords/?utm_source=newsletter&utm_medium=email&utm_campaign=280411

howtogeek posted an article today that is basically the same question! ...

And they came up with basically the same answers. ... Imagine that.

><> ... Jack
Whatever you do, work at it with all your heart... Colossians 3:23

"You don't manage people; you manage things. You lead people."
"It’s easier to ask forgiveness than it is to get permission" — Grace
Hopper, US Navy Admiral

Andrew Farnsworth

Apr 28, 2011, 10:22:48 AM4/28/11
to nlug...@googlegroups.com
Today's Dilbert is right on topic...

http://www.dilbert.com/

Andy

df9

Apr 28, 2011, 7:51:46 PM4/28/11
to NLUG
No, if it is in the keychain it is not as secure.

On Apr 27, 9:21 pm, Michael Chaney <mdcha...@michaelchaney.com> wrote:
> On Wed, Apr 27, 2011 at 7:18 PM, df9 <df9...@gmail.com> wrote:
> > I use my Mac so with OSX there is address book.
> > I export the V cards and keep them in a password protected DMG.
> > After they are stored I delete them from address book and the desktop.
> > I started doing this years ago.
>
> If you're using Mac OS X, you can use the keychain to do this well
> (Keychain Access in Utilities).
>
> Michael
> --
> Michael Darrin Chaney, Sr.
> mdcha...@michaelchaney.com
> http://www.michaelchaney.com/

JMJ

Apr 28, 2011, 7:55:43 PM4/28/11
to nlug...@googlegroups.com
On 04/28/2011 06:51 PM, df9 wrote:
> No if it is in the keychain it is not as secure.

... because.... ???

:-)


JMJ

Curt Lundgren

Apr 28, 2011, 8:00:16 PM4/28/11
to nlug...@googlegroups.com
Don't know about how anyone else feels, but kudos to Russ for starting this thread.  IMHO it's been a treasure of great information from everyone, and miraculously, hasn't been hijacked.

From my perspective, I've learned a lot.  Thanks, everyone for every well-thought-out post.

Curt

Tilghman Lesher

Apr 28, 2011, 9:26:52 PM4/28/11
to nlug...@googlegroups.com

Well, the default setup for Keychain Access doesn't force you to reenter
the keychain password on a regular basis, but that default can be modified.
Another possible problem is that Keychain Access uses 3DES as its
encryption algorithm, which, at 112-bit strength, isn't as secure as other
algorithms available today. Of course, if your passphrase protecting the
keychain is less than 16 characters long, it's likely that it's even less
secure.

Of course, the other side of security is how willing you are to give up
your password to a big guy with a cigar cutter threatening to cut off your
fingers (or worse). All the strength of an algorithm doesn't amount to a
hill of beans if you can be convinced to give up your password.

--
Tilghman

df9

Apr 30, 2011, 12:34:47 AM4/30/11
to NLUG
We are talking about a lot of passwords.
Also they need to be changed on a regular basis.
Add to that the fact that I am not always at home
when I need to use them. What makes you think the keychain is secure?

Michael Chaney

Apr 30, 2011, 1:35:25 AM4/30/11
to nlug...@googlegroups.com
On Fri, Apr 29, 2011 at 11:34 PM, df9 <df9...@gmail.com> wrote:
> We are talking about a lot of passwords.
> Also they need to be changed on a regular basis.
> Add to that the fact that I am not always at home
> When I need to use them. What makes you think the keychain is secure?

The fact that it's encrypted with fairly strong encryption. But,
frankly, you're the one who made the simple unsubstantiated claim that
it's "insecure", so the burden of proof is on you to show us why it's
insecure. Good luck.

Michael
--
Michael Darrin Chaney, Sr.

mdch...@michaelchaney.com
http://www.michaelchaney.com/

JMJ

Apr 30, 2011, 1:54:52 AM4/30/11
to nlug...@googlegroups.com
On 04/29/2011 11:34 PM, df9 wrote:
> What makes you think the keychain is secure?

I have no experience with the keychain on ANY OS. I was neither
agreeing nor disagreeing with you. My intention was to provide you with
an opportunity to explain why you feel that it is insecure.

JMJ

df9

Apr 30, 2011, 8:08:12 PM4/30/11
to NLUG
OK

Kent Perrier

May 5, 2011, 4:04:13 PM5/5/11
to nlug...@googlegroups.com
In case anyone made the jump to lastpass, you will want to read this blog.

http://blog.lastpass.com/2011/05/lastpass-security-notification.html

I have not been able to log in to change my password yet, due to the load on their servers. The good news, imo, is that they are upfront about this and making everyone change their master password.

Kent

Timothy Ball

May 5, 2011, 5:53:57 PM5/5/11
to nlug...@googlegroups.com

hahahahaha

yeah keepassx FTW !!!

xor

May 5, 2011, 9:35:34 PM5/5/11
to NLUG
IMHO, if you have a Mac, 1Password is the best. It's not free, but
sometimes they offer it at a discount on MacUpdate. I think there is
a Windows version too. I like the fact that it can be sync'd with an
iPhone/iPod Touch/Android.

http://agilebits.com/products/1Password

http://www.mupromo.com/

John

xor

May 5, 2011, 9:37:44 PM5/5/11
to NLUG

Nathanael Ries

May 5, 2011, 9:38:49 PM5/5/11
to nlug...@googlegroups.com

Lol this is why I will stick with dropbox and passwordsafe!
