Password Protection

nsa122

Hi everyone, I wanted to get input on internet security. I have been reading recently that essentially all passwords are hackable given enough time and resources. What is the best solution for an individual investor? Is anyone using 1Password or another similar service? Are there any computer security experts on the board with advice, or willing to share how they manage their online finance security?

Thanks!


To be honest, I'd rather remember passwords myself than trust some service to do it for me. I remember between 5 and 10 different passwords for different accounts (not just financial; it includes email, forums, etc.). The best you can do is to not use plain dictionary words (e.g. 'llama'), dress it up if you want ('Llama7*'), or come up with something completely random. The longer the better.

Some interesting links:

http://xkcd.com/936/

http://people.scs.carleton.ca/~maheshwa/courses/4109/password.pdf


I use PasswordSafe. It's free for PCs and a $5 app for Macs. I don't know if it's the best, but it works well for me. I hope it's safe. On a PC the file is stored on your computer. On a Mac it will store either on your computer or in the cloud. I have one very long random password I remember for the safe.

I read an article once by a security expert who said he keeps his passwords on a scrap of paper in his wallet.


I personally have a different strong password for each and every account online. Each password is 15+ characters long, containing upper/lower case letters, numbers, symbols and spaces. Some of them, on accounts that I use often enough, I remember, but I keep all usernames and passwords in a file that I have encrypted into a TrueCrypt partition. I store that partition as a file in Google Docs. So if I'm at home or at work or anywhere else (you can carry TrueCrypt around with you on a USB stick or install it on a machine) I can download the file, decrypt it, open the partition and read the file containing my passwords. The downside is that there is no way to decrypt it and view it from an iOS or Android device. Maybe it isn't the best solution, but it is secure.

EDIT: I should also mention that with this method I need to remember both my Google Docs password and my TrueCrypt volume's password. Otherwise I would not be able to download and decrypt the file.



I used to do the same thing but have since moved to using the freeware program KeePass to store the passwords rather than simply keeping them in a text file. KeePass is available for every platform, it's free, it's lightweight and portable, and I find it a much nicer user experience than scrolling/searching through a text file.

It creates a database of your passwords (in its own internal format) and then encrypts this file with AES-256 using a master password of your choosing. Like you, I store that file on my Dropbox account, so it's available (and updated) everywhere I go.

I should also note that the main takeaway from the xkcd comic is that password length generally trumps complexity.



Interesting. I'll have to look into that. Can you store other info besides passwords? I store a bunch of info right now in my text files besides username/passwords, such as: account name, account number, customer service tel#, URL of login page, account unlock questions/answers, etc. I don't have just one big file to search through; because TrueCrypt creates an entire disk partition that is mounted to look like a disk to your OS, I have a directory with one file for each type of account: Bank Accounts, Credit Cards, Online Forums, Brokerage Accounts, Online Shopping, ... I find the right file, then it is easy to find the right account. It really is a fairly quick process. I'd say equal to keeping it on a scrap of paper in your wallet. If I'm on Windows 7 I can usually find what I'm looking for with just the text file preview in Explorer without even opening the file. On Linux it is just a few keystrokes:

> xe ba<TAB><ENTER>

The TAB key is autocomplete, only my bank_accounts.txt file begins with 'ba', and 'xe' is my alias for XEmacs.

But if KeePass works on iOS that might be reason enough to switch.

--Eric


I love that xkcd comic, but I've been in a few conversations where it's clear that it's not being properly interpreted. I'm sure this is obvious to most on here, but I'll say it anyway:

The xkcd comic just illustrates that, if your passwords follow a common pattern, then you don't gain strength by enlarging your alphabet using caps, numbers etc. The example they give is a password of length 11 over an alphabet consisting of upper/lowercase letters, numbers, and a handful of special symbols. A truly random such password will have entropy (i.e. "bit-strength") of at least 67 bits, but their example has only 28 bits because it follows a pattern.

They compare this with a password composed of 4 random common words strung together, with a higher bit-strength of 44. To many people the takeaway message is "longer passwords are better than complicated passwords". But you have to be careful here. In this case the password isn't very "long" at all; in effect, it is only of length 4. It is the alphabet that is very large, consisting of all common English words. Since there are roughly 2000 = 2^11 common words, the password has a bit-strength of 4*11 = 44.

Note that you would need 6 random common words (a total of maybe 30-40 characters) to match the bit-strength of a random 11-character password using caps, numbers and special symbols.

In the end, it comes down to the fact that there are two ways to make a power A^B large: one is to increase the base A (i.e. enlarge the alphabet) and the other is to increase the exponent B (i.e. lengthen the password). Since it's much easier for many to remember short random strings over a large familiar alphabet than long random strings over a strange alphabet, the brain appreciates enlarging the base. But, either way, true randomness and unpredictability is the key to security.

As an aside: a 44-bit password (such as the 4 random common words) is only secure if there is a forced time delay between guesses. It is very insecure otherwise and would be cracked very quickly by a dedicated password buster. Remember that DES had a 56-bit keyspace, and it was replaced by AES because specialty hardware could brute-force it with relative ease. I certainly wouldn't lose sleep over weak-ish passwords for most of the websites I visit, but for something like a "master password" one should be careful. In general, it seems wise to make important passwords inherently secure, rather than relying on a webserver (or whatever) to force timeouts on a potential guesser.

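The arithmetic in the post above, carried through in code: bit-strength as length times log2(alphabet), a uniform generator for each style, and the "forced delay between guesses" aside turned into expected crack times at a few guessing rates. This is an added example, not something from the thread. It assumes a 70-symbol character alphabet (52 letters, 10 digits, 8 symbols), a 2048-word list standing in for the post's "roughly 2000 = 2^11" common words, and constructed order-of-magnitude guess rates rather than benchmarks of any real system.

```python
"""Bit-strength of the two password styles discussed above, and what a
44-bit or 67-bit secret means against different guessing rates.

Added example; not part of the post. Sizes assumed: a 70-symbol character
alphabet and a 2048-word list. Guess rates are constructed figures.
"""
import math
import secrets
import string

# 52 letters + 10 digits + "a handful" of special symbols = 70 symbols
CHAR_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

# The entropy maths only needs the SIZE of the word list; this tiny
# constructed list stands in for a real 2048-word one in the generator.
COMMON_WORDLIST_SIZE = 2048
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "llama", "river", "stone", "cloud"]

# Constructed guess rates (guesses per second): from a login form that
# forces a delay between attempts, up to an offline attack on a fast hash.
GUESS_RATES = {
    "online, forced delay": 10,
    "online, no delay": 1e3,
    "offline, slow KDF": 1e5,
    "offline, fast hash on GPUs": 1e10,
}


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bit-strength of a uniformly random string: length * log2(alphabet).

    Only valid when every position is chosen uniformly at random; a
    password that follows a pattern has far less entropy than this.
    """
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, wordlist_size: int) -> int:
    """Smallest number of random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def random_password(length: int, alphabet: str = CHAR_ALPHABET) -> str:
    """Uniform random string; secrets (not random) so it is unpredictable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int, wordlist=SAMPLE_WORDS) -> str:
    """Uniform random words, space-separated (the xkcd style)."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password: half the keyspace on average."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def human_duration(seconds: float) -> str:
    """Coarse, readable duration for the report."""
    year = 365.25 * 24 * 3600
    if seconds >= year:
        return f"{seconds / year:,.0f} years"
    if seconds >= 3600:
        return f"{seconds / 3600:,.1f} hours"
    return f"{seconds:,.0f} seconds"


def crack_time_report(bits: float) -> dict:
    """Expected crack time (seconds) under each constructed guess rate."""
    return {label: expected_crack_seconds(bits, rate)
            for label, rate in GUESS_RATES.items()}


if __name__ == "__main__":
    char_bits = entropy_bits(len(CHAR_ALPHABET), 11)   # about 67.4
    word_bits = entropy_bits(COMMON_WORDLIST_SIZE, 4)  # exactly 44.0
    print(f"11 random chars over {len(CHAR_ALPHABET)} symbols: {char_bits:.1f} bits")
    print(f"4 random words from {COMMON_WORDLIST_SIZE}: {word_bits:.1f} bits")
    print("words needed to match the 11-char password:",
          words_needed(char_bits, COMMON_WORDLIST_SIZE))
    print("sample password:  ", random_password(11))
    print("sample passphrase:", random_passphrase(4))
    for bits in (word_bits, 56, char_bits):  # 56 = the DES keyspace from the post
        print(f"\n{bits:.0f}-bit secret:")
        for label, secs in crack_time_report(bits).items():
            print(f"  {label:28s} {human_duration(secs)}")
```

Running it shows the point of the aside: the 44-bit passphrase survives for tens of thousands of years behind a 10-guesses-per-second login form, but falls in minutes to an offline attacker running a fast hash on GPUs, which is why a master password protecting a file that can be copied should be sized like the 67-bit random string, not like a website login.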


Yes, you can store lots of additional info in KeePass, and I think you can even attach files to your passwords (if you so desire).

I'd suggest you take a few minutes to check it out. You are currently doing precisely what I used to do: keeping different files for different types of passwords. In KeePass, you simply create groups (and subgroups) of passwords. You then have tree-like navigation in a left-hand pane (think Windows Explorer), and information in the right-hand pane. Command keystrokes will copy your usernames and passwords to the clipboard so you don't even have to type them in.

You'll find that a number of programs take the cutting/pasting to clipboard one step further and enter your passwords to websites automatically. The version of KeePass that I use does NOT do this, and frankly I prefer that behaviour. However, I think KeePass 2 may have some of this functionality. I didn't move to KeePass 2 because I don't need the additional functionality and it wasn't readily available for one of my platforms (can't remember which; likely Linux?). KeePass 2 can read KeePass databases, but it doesn't work in reverse, so I think you have to stick with one or the other.



+1 for KeePass in combination with Dropbox. Although, I'd add a suggestion to use multilevel authentication with both a master password and a key file. Of course, you should never have your key file in any public cloud-type service.

Plus, be very careful about your email accounts (e.g., use the Gmail authenticator). A hacker won't need to guess or crack your passwords if they get control of your email account and can use it to request password changes to your other accounts. A unique password-change account in Gmail that you don't use for anything but password change requests is something worth considering (although I haven't gone that far yet).

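What "master password plus key file" buys you, as an added illustration that is not KeePass's own key-derivation code or file format: the vault key is derived from both secrets, so someone who obtains the synced database file (and with it the salt) and then guesses the master password correctly still cannot unlock it without the key file that stayed off the cloud. The iteration count, the verifier label and the random 64-byte key file are constructed for the demo; a real manager would tune the work factor and use its own format.

```python
"""A vault key that needs BOTH the master password and a key file.

Added illustration of the "password + key file" idea; it is not KeePass's
own key-derivation code or file format. Iteration count, labels and the
sample key file are constructed for the demo.
"""
import hashlib
import hmac
import os
import secrets
from typing import Optional

# Illustrative work factor. A real manager tunes this so one derivation
# takes a noticeable fraction of a second, which is what makes offline
# guessing against a copied database file expensive.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def keyfile_digest(keyfile_bytes: bytes) -> bytes:
    """Reduce an arbitrary key file to a fixed 32-byte secret."""
    return hashlib.sha256(keyfile_bytes).digest()


def composite_key(password: str, keyfile_bytes: Optional[bytes], salt: bytes) -> bytes:
    """Derive the vault key from the password and (optionally) a key file.

    The key-file digest is appended to the password hash before the KDF, so
    someone holding the synced database (and therefore the salt) who also
    guesses the password correctly still ends up with the wrong key unless
    they have the key file. That is why the key file stays off the cloud.
    """
    secret = hashlib.sha256(password.encode("utf-8")).digest()
    if keyfile_bytes is not None:
        secret += keyfile_digest(keyfile_bytes)
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)


def make_verifier(key: bytes, salt: bytes) -> bytes:
    """Key check value stored with the vault: HMAC of a fixed label.

    Lets the program say "wrong password or key file" without trying to
    decrypt anything, and reveals nothing usable about the key.
    """
    return hmac.new(key, b"vault-key-check:" + salt, hashlib.sha256).digest()


def unlock(password: str, keyfile_bytes: Optional[bytes], salt: bytes, verifier: bytes) -> bool:
    """True only if password AND key file reproduce the stored verifier."""
    key = composite_key(password, keyfile_bytes, salt)
    return hmac.compare_digest(make_verifier(key, salt), verifier)


def demo() -> dict:
    """Vault created with a password and a random 64-byte key file."""
    salt = os.urandom(16)               # stored in the vault header (synced)
    keyfile = secrets.token_bytes(64)   # kept on local disk / USB stick only
    password = "correct horse battery staple"
    verifier = make_verifier(composite_key(password, keyfile, salt), salt)
    return {
        "password and key file": unlock(password, keyfile, salt, verifier),
        "password only (vault + password leaked)": unlock(password, None, salt, verifier),
        "key file only, wrong password": unlock("Tr0ub4dor&3", keyfile, salt, verifier),
        "password with a different key file": unlock(password, secrets.token_bytes(64), salt, verifier),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{'unlocked' if ok else 'REFUSED '} {case}")
```

Only the first case unlocks. The same property is what makes syncing the key file next to the database pointless: once both sit in the same cloud folder, the attacker who copies the folder is back to guessing the password alone.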


Okay, sounds good. What about the plausible deniability that the TrueCrypt hidden volume provides? Say someone does steal your file and tries to decrypt it, or puts a gun to your head and tells you to decrypt it. If you have the non-hidden volume encrypted with a much-easier-to-break password and it contains nothing but a folder of porn pictures or something, you can give them that password and say "OK, you got me" and look all embarrassed, and no one will know the hidden volume exists with all your account info in it. Or if they are trying to crack your password without your knowledge they will get the non-hidden volume first and not know the hidden one exists. No, I haven't gone this far yet.



The TrueCrypt solution offers a higher degree of security, from plausible deniability (as you describe) to the choice of the encryption algorithms themselves. TrueCrypt allows you to select the protocols and the number of rounds etc., whereas I recall KeePass has much more limited options.

Ultimately you just have to decide for yourself what level of security makes you comfortable. From your other comments today (on the shooting) I take it that you're far more untrusting of government than I am. I'm happy to keep my passwords protected with the level of protection KeePass affords. I'm not keeping any secrets that are worth protecting once someone has pulled out the gun. Mostly I'd just be embarrassed for them to see my stock picking record from last year! :)

The biggest problem I see is that people are generally unaware of any security considerations and do silly things like choosing bad passwords, or reusing passwords etc.



I don't really think the government will bother pulling out the guns on me either. If they want my bank account or my brokerage account they will simply ask my bank or broker for it. Corporations do what they are told. And I'm not bury-gold-in-the-back-yard paranoid. If society ever degenerates to the point where we start wishing we had hoarded gold, food, and ammo, life is going to suck for everyone. I'd like to live on the assumption that that isn't going to happen. That said, I'd never feel very comfortable living in a city. I'm in a fairly rural area with enough land to feed my family off of it if I had to. I also have chickens and goats (and guns and ammo). So maybe I'm hedging my bets just a little, and you can't beat fresh eggs. Anyway, for passwords I'm more concerned about identity theft and hackers. With them I think making yourself a harder-than-average target is probably good enough. Unless you are someone that is going to be specifically targeted for some reason, just pulling yourself up so that you are not among the low-hanging fruit is going to be sufficient protection.

I set up KeePass this weekend and got it running on my computer, then my iPad, using Google Docs. It may be a small step down in security, but it is definitely a step up in convenience. There are always tradeoffs.

Thanks for the info.
