
Take control of your passwords


20 replies to this topic

#1 Ohm

Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 23 August 2009 - 02:01 AM

I don't know how many accounts I have across the net. There are a lot, to say the least. But I do know one thing: how many passwords I had. Two. That's right, I had two passwords. One "low level" password I used everywhere, and one "high level" password I used only on a few select sites. They were strong passwords, random numbers and letters and 10 characters long. But there were only two of them.

And then a certain site got compromised. Though I'm not very worried that my password will be revealed as the hashing method they use both prevents rainbow tables and slows down brute force attacks, it's safer to assume they did compromise my password. That one compromise put most of my accounts at risk. It was a mad dash to discover them all and change the passwords. Not that it did me any good, I changed them all to a new password, but that password was the same across all the sites.

So how to fix this problem? Use a password manager. A password manager stores all your passwords in a strongly encrypted database. It lets you organize them, search for them, make notes about them, set password expiration dates, and helps you enter them into websites. It makes handling passwords a lot easier. Everything is encrypted with a single master password as well. There's no need to remember any more than one password.

The password manager I'm using is called KeePassX. It's free, it's cross-platform (written in Qt), and it works well. If you're only using Windows, there's a better version called KeePass. There are also many other password managers out there, but this one suits my needs. To handle keeping passwords in sync across multiple machines, I've stored my password database in my Dropbox. This is a bit risky, the file could be stolen from there. But, since the database is encrypted, I'm not too worried about that.

One useful feature is to set password expiration dates. This is just a reminder to change your password after it's expired. All important sites now have expiring passwords.

One dangerous feature of KeePass (but not KeePassX) is the Auto-Fill feature. Auto-fill will automatically fill out your username and password in the form and submit it. Really useful for logging into sites. However, it's not very smart. It's just a macro program. It does the equivalent of alt-tab, enter the username, tab, enter the password, enter. You can also configure this to enter different things for different passwords. For example, I had it configured to do the entire nickserv command for my IRC client. The problem here is that it's not that smart. It's not smart at all, actually. If you mess up your alt-tabbings, you could send that username and password to whoever you're talking to on Google Talk. It'll enter it into whatever window is next in the alt-tab cycle. This is quite dangerous; I don't think people should use this feature.

But this is only part of the problem. I'd had my browser store all my passwords. It was handy. I liked that feature. I turned it off. All my web browsers are now configured never to remember any passwords. Well, first I opened the database and had a look at it. It pointed me to a lot of accounts I forgot about. You can look at this database in the options of your web browser. Both Chrome and Firefox had a similar interface for this. Then delete all these passwords. This database shouldn't exist. I think Firefox allowed you to set a master password, but with all the browser attacks out there, there's still a chance it could be stolen. I don't trust a database within the web browser.

There is a big downside to using a password manager with random and unique passwords though. If I ever need to log into any site when I'm not at home or don't have my laptop, I just can't do that. I don't know the passwords for any of these sites. They're random and much too long. Though, for me, this isn't a big downside.

So what password managers are you guys using? What are your password habits?
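The argument in the post above (one reused password turns a single site breach into a mass compromise, a manager instead holds a random unique password per site under one master password, and expiry dates remind you to rotate) can be modelled in a few lines. The block below is an added illustration written for this page, not KeePass or KeePassX code; the vault layout, the PBKDF2 parameters, the sample sites and the two stand-in reused passwords are all constructed here.

```python
"""Toy model of the password-manager arguments from the first post.

Added example, not code from KeePass/KeePassX. Everything below (the Entry
layout, the PBKDF2 settings, the sample accounts) is constructed for
illustration.
"""
import hashlib
import hmac
import math
import secrets
import string
from dataclasses import dataclass
from datetime import date, timedelta

ALPHABET = string.ascii_letters + string.digits  # the "a-z A-Z 0-9" set used in the thread
TODAY = date(2009, 8, 23)  # the thread's date, used as the "current" day


@dataclass
class Entry:
    site: str
    username: str
    password: str
    expires: date  # the manager only reminds you; it cannot change the site's password


def generate_password(length=16, alphabet=ALPHABET):
    """Random password from the OS CSPRNG (secrets), not the `random` module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing work, in bits, for a uniformly random password of this shape."""
    return length * math.log2(len(alphabet))


def derive_master_key(master_password, salt, iterations=200_000):
    """Slow, salted derivation: an attacker who steals the vault file (e.g. from
    a sync folder) pays `iterations` hashes per master-password guess.
    Parameters are assumptions for this example, not KeePass's own."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def check_master_password(candidate, salt, iterations, expected_key):
    """Constant-time comparison so the check itself leaks no timing information."""
    return hmac.compare_digest(derive_master_key(candidate, salt, iterations), expected_key)


def exposed_by_breach(entries, breached_site):
    """Sites that share a password with the breached site: the 'mad dash' list."""
    leaked = {e.password for e in entries if e.site == breached_site}
    return sorted(e.site for e in entries if e.password in leaked and e.site != breached_site)


def expired(entries, today):
    """Entries whose expiry date has passed (the manager's reminder feature)."""
    return sorted(e.site for e in entries if e.expires <= today)


def rotate(entry, today, lifetime_days=180):
    """Fresh random password and a new expiry date for one entry."""
    return Entry(entry.site, entry.username, generate_password(),
                 today + timedelta(days=lifetime_days))


def unique_vault(entries, today):
    """Give every entry its own random password: one breach now costs one account."""
    return [rotate(e, today) for e in entries]


# Constructed sample of the "two passwords" habit: LOW reused on throwaway
# sites, HIGH reused on the important ones. Both values are made up here.
LOW, HIGH = "x7Qz9mT2ab", "Rk4pL8wN1v"
TWO_PASSWORD_SCHEME = [
    Entry("forum.example", "ohm", LOW, TODAY + timedelta(days=30)),
    Entry("shop.example", "ohm", LOW, TODAY),
    Entry("irc.example", "ohm", LOW, TODAY - timedelta(days=10)),
    Entry("bank.example", "ohm", HIGH, TODAY + timedelta(days=90)),
    Entry("paypal.example", "ohm", HIGH, TODAY + timedelta(days=90)),
]


def demo():
    print("forum.example breached, also exposed:", exposed_by_breach(TWO_PASSWORD_SCHEME, "forum.example"))
    vault = unique_vault(TWO_PASSWORD_SCHEME, TODAY)
    print("same breach with unique passwords:", exposed_by_breach(vault, "forum.example"))
    print("expired before rotation:", expired(TWO_PASSWORD_SCHEME, TODAY))
    print("bits of entropy, 10 vs 16 chars:", round(entropy_bits(10), 1), round(entropy_bits(16), 1))
    salt = secrets.token_bytes(16)
    key = derive_master_key("correct horse", salt)
    print("master password check:", check_master_password("correct horse", salt, 200_000, key))


if __name__ == "__main__":
    demo()
```

The point the numbers make: a 10-character random password from this alphabet is about 59.5 bits, so the weakness in the post's old habit was never the strength of the two passwords but their reuse; `exposed_by_breach` is empty once every entry has its own random value, while the PBKDF2 step models why a stolen encrypted database is still a slow target rather than a free one.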

#2 mangospork

mangospork

    0mg h4x

  • Members
  • 126 posts
  • Country:
  • Gender:Male
  • Location:~/

Posted 23 August 2009 - 02:18 AM

I just recently saw this on an episode from Hak5.org, good find. (KeePass, that is.) I've been using it for about 2 weeks, good stuff. :lol:

#3 mangospork

mangospork

    0mg h4x

  • Members
  • 126 posts
  • Country:
  • Gender:Male
  • Location:~/

Posted 23 August 2009 - 02:30 AM

> I just recently saw this on an episode from Hak5.org, good find. (KeePass, that is.) I've been using it for about 2 weeks, good stuff. :lol:


Oh, and not trying to double post, it wouldn't lemme edit my post. But, I was going to say. I also just use a-z A-Z 0-9 long passwords, for all the websites I'm on. And it's a pain when I'm anywhere else, for instance. I was at Wells Fargo setting up a bank account, and they said they'd make a money order for me, and all this stuff to purchase something off Newegg (My credit card wasn't working, but I had the money) Long story short, I look like an ass-hat because I don't know my Newegg password after all the work they did for me. :angry: (I just made another account at the bank, fyi. Lol)

#4 lattera

lattera

    Underground Shizzleness

  • Members
  • 511 posts
  • Gender:Male

Posted 23 August 2009 - 11:40 AM

I've been using PasswordSafe, written by Bruce Schneier. I think I'm gonna take a look at KeePass[X] and see if that fits me better.

#5 WaMu

WaMu

    HACK THE PLANET!

  • Members
  • 64 posts
  • Gender:Male

Posted 23 August 2009 - 12:15 PM

I never use the same password on any two sites (no matter how "low level" the site is). I also don't use a password manager.

What I do is use a common password pattern. For example, at binrev.com:

the first three characters will be the first part of the url: "bin"
the next bit will be one of my many significant numbers, let's say I used my year of birth, now I have: "bin1981"
then I come up with a phrase and use appropriate punctuation, leaving me with: "bin1981ILoveOhm!"

Or something similar.

Personally, I like to use short phrases as passwords, like: "ThisSiteFUCKINGsucks123". Or, think of a long phrase and use the first letter, "Tsfs123" It's a lot easier to remember a bunch of different passwords than most people think; and if you don't, recovering your password shouldn't be an issue. That being said, your e-mail should have the most secure password, because all of your accounts are linked to it.

#6 Phail_Saph

Phail_Saph

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 323 posts
  • Country:
  • Gender:Male
  • Location:Philly

Posted 23 August 2009 - 12:19 PM

Ohm...I follow the same habit that you did. I have two passwords, one easy and one difficult. The easy one I use for sites like this or sites that require you to generate an account before you do something like download a file, post, etc. and my difficult or 'real' password I use for my banking, stock trading account, etc.

Because I'm generally all over the place, I travel a lot, I need more portability than security. If my weak password is broken...so what? is my mentality. If someone wants to deface me on BinRev or AtariAge...OK...it doesn't somehow affect my rhythm or identity on the web. It just requires some clean-up time. Yes, an inconvenience but a one or rare time event whose wasted time is greatly made up by being able to log in very quickly wherever I'm at, whenever. Also, unless an attacker is a stalker or knows you fairly well they don't know what sites you visit. So even if they crack my BinRev account they don't know that I frequent site x let alone site y. In fact if all your weak password sites have been penetrated you KNOW it was your best friend!

It does seem like a lot of hackers here use a password manager. Maybe I'll check one out, but some people were mentioning portability as a problem. All hackers are carrying around their jump drive with a bootable copy of Linux and tools for penetration testing, right? Why not backup a copy onto your jump drive for when you do travel? Even if lost, it doesn't matter since the encryption on those guys is insanely high. If someone can break the encryption I don't think there is much you can do to stop a hacker like that who has it out for you.


#7 Zapperlink

Zapperlink

    "I Hack, therefore, I am"

  • Agents of the Revolution
  • 951 posts
  • Country:
  • Gender:Not Telling

Posted 23 August 2009 - 04:05 PM

> Ohm...I follow the same habit that you did. I have two passwords, one easy and one difficult. The easy one I use for sites like this or sites that require you to generate an account before you do something like download a file, post, etc. and my difficult or 'real' password I use for my banking, stock trading account, etc.
>
> Because I'm generally all over the place, I travel a lot, I need more portability than security. If my weak password is broken...so what? is my mentality. If someone wants to deface me on BinRev or AtariAge...OK...it doesn't somehow affect my rhythm or identity on the web. It just requires some clean-up time. Yes, an inconvenience but a one or rare time event whose wasted time is greatly made up by being able to log in very quickly wherever I'm at, whenever. Also, unless an attacker is a stalker or knows you fairly well they don't know what sites you visit. So even if they crack my BinRev account they don't know that I frequent site x let alone site y. In fact if all your weak password sites have been penetrated you KNOW it was your best friend!
>
> It does seem like a lot of hackers here use a password manager. Maybe I'll check one out, but some people were mentioning portability as a problem. All hackers are carrying around their jump drive with a bootable copy of Linux and tools for penetration testing, right? Why not backup a copy onto your jump drive for when you do travel? Even if lost, it doesn't matter since the encryption on those guys is insanely high. If someone can break the encryption I don't think there is much you can do to stop a hacker like that who has it out for you.


I haven't used password managers in a LONG time. I generally have an algorithm for how I create my passwords using a single identifier to start it off. Then I split that into two categories. My hardcore passwords (protecting secure accounts: Billing information, personal information) and your simple passwords (forums, fansites, blogs) I rotate these on a set length of time so that expiring it out will force someone who "guessed" my password one month and sat on it, will fail in the near future.

However in the end, what has been said is right, It's about the value of the access to the data they have gained. If someone broke into binrev and posted for me, no big, most people would be able to recognize the difference right away.

#8 chaostic

chaostic

    rekcah-rebÜ

  • Members
  • 724 posts

Posted 23 August 2009 - 05:08 PM

Wouldn't three passwords be better?

1- Low Level Throw Away Web passwords
2- High Level Web passwords (banking)
3- Local passwords (Computer logins)

Any network password can be found out, leaving your local computers at risk. Three passwords would prevent that.

A further step would include a high level password for local encrypted files/access.

#9 Ohm

Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 23 August 2009 - 05:12 PM

As for portability, you can put your password database and KeePass or KeePassX on the drive. KeePass is .net, so it should run on all Windows machines that have been updated regularly. KeePassX is written in C++ with Qt, so you'll need to carry around Linux, Windows and OSX builds, but that shouldn't be a problem. The question then becomes how much you trust the machines you're using the password manager on. If you think there's a keylogger, simply change your master password when you get home. Other than that, unless there's a very targeted attack against your specific password manager, it'll be quite difficult to steal passwords from the encrypted database. Even in memory, the passwords are only decrypted when necessary, and erased when they're finished. If you copy a password to the clipboard, it'll clear the clipboard in a few seconds. Overall, I think you might be OK taking the password database with you. I might make a second database for the really important stuff (banking, paypal, etc) that you don't take with you though.

Edit: Oh yeah, KeePass works with Mono. Barely.

#10 zandi

zandi

    SUP3R 31337 P1MP

  • Members
  • 263 posts
  • Location:michigan

Posted 24 August 2009 - 12:06 AM

Though I've heard of password managers, I haven't really bothered to use any. It might just be irrational paranoia, but I use the tiered password strength technique so I only have 3 or 4 passwords to remember.

#11 Zapperlink

Zapperlink

    "I Hack, therefore, I am"

  • Agents of the Revolution
  • 951 posts
  • Country:
  • Gender:Not Telling

Posted 24 August 2009 - 01:24 AM

So far just reviewing the KeePass it seems very interesting, however within the first hour I can tell it really doesn't like Windows 7 Ultimate 64bit, poor thing crashes at the first sign of hesitation. My question goes out though is why do you use password managers to begin with? Are you typically forgetting a password? Is it for ease of use? I am curious as to why people would use them in general. I personally have opted out of them in the past as I would rather remember my password over forgetting it and having some program do that for me.

#12 Ohm

Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 24 August 2009 - 02:00 AM

I'm running it on the same OS. The problem is certainly not KeePass, it's something on your machine.

As for the reasons... did you actually read the first post, or did you tl;dr? Because I thought I explained why you would want to use one quite well.

#13 Zapperlink

Zapperlink

    "I Hack, therefore, I am"

  • Agents of the Revolution
  • 951 posts
  • Country:
  • Gender:Not Telling

Posted 24 August 2009 - 02:21 AM

> I'm running it on the same OS. The problem is certainly not KeePass, it's something on your machine.
>
> As for the reasons... did you actually read the first post, or did you tl;dr? Because I thought I explained why you would want to use one quite well.


Yeah I read your reasons, which would be a fair enough reason for me, the question was an open one for others as to why they would.


As far as the software, I am still looking at it. It seems every time I reopen it, the original database goes missing. Works great on my Linux though :)

#14 Ohm

Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 24 August 2009 - 10:49 AM

KeePass is working great on Linux? Or KeePassX? I ran KeePass on Linux, but it was unusable. It couldn't access the clipboard, so you had to open up each password manually, unmask the password, copy it and paste it into Chromium. Quite cumbersome. I blame Mono though, because it's easy to blame :P

I had no problems with KeePassX though. The problem is KeePassX can't open KeePass' .kdbx files. I think I'm going to just keep 2 databases. A .kdbx for use with KeePass on Windows (I like the extra features), and every time I make changes, I'll export a .kdb for use with KeePass on Linux. Not ideal, but it works.

#15 Zapperlink

Zapperlink

    "I Hack, therefore, I am"

  • Agents of the Revolution
  • 951 posts
  • Country:
  • Gender:Not Telling

Posted 24 August 2009 - 12:58 PM

> KeePass is working great on Linux? Or KeePassX? I ran KeePass on Linux, but it was unusable. It couldn't access the clipboard, so you had to open up each password manually, unmask the password, copy it and paste it into Chromium. Quite cumbersome. I blame Mono though, because it's easy to blame :P
>
> I had no problems with KeePassX though. The problem is KeePassX can't open KeePass' .kdbx files. I think I'm going to just keep 2 databases. A .kdbx for use with KeePass on Windows (I like the extra features), and every time I make changes, I'll export a .kdb for use with KeePass on Linux. Not ideal, but it works.


Heh sorry my poor clarification has struck again. KeePassX works fine in Linux, however KeePass in Win7u 64bit still randomly crashes out. I am wondering if it's POSSIBLE it may be conflicting with some of my ajax apps as it seems to really happen right after I interact with one. Overall so far I see it a great tool to have crazy random passwords for each independent site and easily manage that randomness.

#16 Ohm

Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 24 August 2009 - 01:01 PM

That's strange. KeePass works fine for me on Windows. Try upgrading your .net runtime or something.

How well does KeePassX work on Linux? I think I mentioned before, I can't get it to copy passwords to the clipboard at all. It just won't work for me.

#17 StankDawg

StankDawg

    same old Dawg, no new tricks

  • Moderating Team
  • 8,073 posts
  • Country:
  • Gender:Male

Posted 24 August 2009 - 01:07 PM

> I just recently saw this on an episode from Hak5.org, good find. (KeePass, that is.) I've been using it for about 2 weeks, good stuff. :lol:


How recently...was it after this episode of HPR?

#18 lattera

lattera

    Underground Shizzleness

  • Members
  • 511 posts
  • Gender:Male

Posted 24 August 2009 - 01:17 PM

I'm gonna try getting KeePassX to run on OpenSolaris. If it works, I'll learn how to make an OpenSolaris .ipkg and submit it to SourceJuicer.

#19 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,102 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 24 August 2009 - 01:42 PM

I got something similar: a secure db app for my phone. It doesn't automatically enter credentials, but it's always with me at work etc....

#20 Ohm

Ohm

    I could have written a book with all of these posts

  • Members
  • 3,209 posts
  • Gender:Male
  • Location:Maine, USA

Posted 24 August 2009 - 03:10 PM

> I got something similar: a secure db app for my phone. It doesn't automatically enter credentials, but it's always with me at work etc....


That's a good advantage. But another of the advantages of a password manager is to have large, incomprehensible passwords that are utterly immune to dictionary and brute force attacks. These are... difficult to type.
