DrakeAnubis

Rolodex full of passwords

23 posts in this topic

I bought this rolodex at a thrift store (for 99 cents) and the previous owner wrote down all his login credentials inside. There's a bunch of shots on my blog (Drake Anubis' Blog) but these are a couple really good ones.

You know, I contacted the guy too, and he --rather his assistant-- completely shrugged me off.

P1195396.jpg

P1195394.jpg

P1195395.jpg

Edited by Drake Anubis

I bought this rolodex at a thrift store (for 99 cents) and the previous owner wrote down all his login credentials inside. There's a bunch of shots on my blog (Drake Anubis' Blog) but these are the really good cards.

You know, I contacted the guy too, and he --rather his assistant-- completely shrugged me off.

Try to talk to the person who that information belongs to (not just the secretary). I'm sure he will not shrug it off.

Edited by biosphear

Try to talk to the person who that information belongs to (not just the secretary). I'm sure he will not shrug it off.

Ehh, I lost interest. I'm only nice to a point. :P

By the way, you should follow me on twitter (I'm pimping twitter like crazy lately... idk why)

Edited by Drake Anubis

This is one of the reasons you're not supposed to write down your passwords. Everyone does it anyway, though.

I remember being in the data center of some random company that I won't name and the door to the telephone room had one of those 4-digit password doorknobs. One of my co-workers asked if I was told the code. I wasn't, but I guessed that the code was written down somewhere, probably near the door. So we went over there and looked around... sure enough I saw 4 numbers written in marker on the side of a shelf near the door. I punched it in and the door opened. My co-worker looked at me like I was a fucking magician.

Edited by decoder

People just don't care. Whenever I'm helping or fixing and I'm at the keyboard and get to a login screen, they'll just blurt out their password. I'm obviously not going to do anything evil with that, am I? And surely you don't use the same password everywhere, do you?! Of course you do, you probably just gave me your PayPal, bank account, email account, etc, but you just don't care! Don't even bother trying to contact them. If they're stupid enough to keep the passwords like this, and stupid enough not to shred them when they chucked the rolodex, they really just don't care.

Whenever I'm helping or fixing and I'm at the keyboard and get to a login screen, they'll just blurt out their password.

That happens to me all the time, and it always rubs me the wrong way.

This is one of the reasons you're not supposed to write down your passwords. Everyone does it anyway, though.

I remember being in the data center of some random company that I won't name and the door to the telephone room had one of those 4-digit password doorknobs. One of my co-workers asked if I was told the code. I wasn't, but I guessed that the code was written down somewhere, probably near the door. So we went over there and looked around... sure enough I saw 4 numbers written in marker on the side of a shelf near the door. I punched it in and the door opened. My co-worker looked at me like I was a fucking magician.

Speaking of door codes, you wouldn't believe the number of places where it's either 1234, the address of the place, or the buttons are so gunked up/worn down that it's obvious which numbers are in the code.

This whole thread also reminds me of the time I checked a book out from the library and found someone's passwords in there (I returned them). The guy had like seven logins, all written on Post-it notes, stashed in this book. :P

you wouldn't believe the number of places where it's either 1234

Most of this guy's passwords were 123NONE... I'd believe it

Speaking of door codes, you wouldn't believe the number of places where it's either 1234, the address of the place, or the buttons are so gunked up/worn down that it's obvious which numbers are in the code.

Not to derail the topic or anything, but are you talking about those mechanical punch locks with the metal buttons? I think the factory default for those is 2 and 4 at the same time, then three. I've found that a lot of places don't bother to change it.

Speaking of door codes, you wouldn't believe the number of places where it's either 1234, the address of the place, or the buttons are so gunked up/worn down that it's obvious which numbers are in the code.

Not to derail the topic or anything, but are you talking about those mechanical punch locks with the metal buttons? I think the factory default for those is 2 and 4 at the same time, then three. I've found that a lot of places don't bother to change it.

Yeah, thanks for the default! :D

This one wasn't default because it was a 4-digit code. Aren't there some with 4 buttons and some with 5?

Edited by decoder

I don't think writing down passwords is necessarily such a bad idea, as long as you keep them in a safe place and don't give them away to Goodwill.

I don't think writing down passwords is necessarily such a bad idea, as long as you keep them in a safe place and don't give them away to Goodwill.

Lots of people I know* have a set of "base passwords" on which all their other passwords are based. For example: someone who remembers hsw4e5 as a base password will then use things like HSW4E5, hsw4e5123, and hsw4e5!@# as passwords in other places. Sometimes they even string multiple base-passwords together!

I've devised my own way of obfuscating passwords that I save somewhere: I simply write only the first and last characters of the base password extension, followed by the first and last letters of the base password itself. The secret's out! Though these are always inside an encrypted file with a master password :P Steganos Locknote is awesome (and open source!).

* Don't ask me how I know so many people's passwords
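
An audit for the "base password" habit described in the post above, added here as an example and not part of the original thread. It flags entries in your own password list that share a common base; the function names, the 5-character threshold and the sample vault (built from the post's hsw4e5 variants) are assumptions.

```python
from itertools import combinations


def longest_common_substring(a: str, b: str) -> str:
    """Dynamic-programming search for the longest run of characters in both."""
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def shared_bases(vault: dict, min_len: int = 5) -> dict:
    """Map each shared base to the sorted site names whose passwords contain it.

    Passwords are case-folded first, so HSW4E5 and hsw4e5 count as the same base.
    """
    groups = {}
    for (site1, pw1), (site2, pw2) in combinations(vault.items(), 2):
        base = longest_common_substring(pw1.casefold(), pw2.casefold())
        if len(base) >= min_len:
            groups.setdefault(base, set()).update((site1, site2))
    return {base: sorted(sites) for base, sites in groups.items()}


# Constructed sample: the variants named in the post plus one unrelated phrase.
SAMPLE_VAULT = {
    "forum": "hsw4e5",
    "webmail": "HSW4E5",
    "bank": "hsw4e5123",
    "shop": "hsw4e5!@#",
    "router": "correct horse battery staple",
}

if __name__ == "__main__":
    for base, sites in shared_bases(SAMPLE_VAULT).items():
        print(f"base {base!r} reused on: {', '.join(sites)}")
```

Every site in a flagged group falls together once one of its passwords leaks, so those are the entries to replace first.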

Steganos Locknote is awesome (and open source!).

Sweet, I am checking that out!


Unfortunately for me it's either write them down or forget them. I only ever tend to log in to confidential stuff from home and I don't think I have to worry about my family stealing my notepad.

Unfortunately for me it's either write them down or forget them. I only ever tend to log in to confidential stuff from home and I don't think I have to worry about my family stealing my notepad.

Bruce "the closest thing the security industry has to a rock star" (and author of Password Safe) Schneier has actually made the recommendation of writing down passwords in his blog, at least partially for that reason.

Unfortunately for me it's either write them down or forget them. I only ever tend to log in to confidential stuff from home and I don't think I have to worry about my family stealing my notepad.

Bruce "the closest thing the security industry has to a rock star" Schneier

:lol:

Edit: Oh fantastic, now I'm gonna spend the next hour reading Bruce Schneier facts <_<

Bruce Schneier's anti-virus is so good he hasn't had a cold since he was 12.
Edited by phr34kc0der

Whenever I'm helping or fixing and I'm at the keyboard and get to a login screen, they'll just blurt out their password.

I ask them to enter their password before they have the chance to blurt it out.

Unfortunately for me it's either write them down or forget them. I only ever tend to log in to confidential stuff from home and I don't think I have to worry about my family stealing my notepad.

Bruce "the closest thing the security industry has to a rock star" (and author of Password Safe) Schneier has actually made the recommendation of writing down passwords in his blog, at least partially for that reason.

A strong password ought to be something you're never going to remember anyway, right? Well, I sometimes use the method of composing a string consisting of the first letter of each word of a song or poem that I've already memorized. For example:

Beware the Jabberwock, my son!

The jaws that bite, the claws that catch!

Beware the Jubjub bird, and shun

The frumious Bandersnatch

Would result in this password:

BtJmsTjtbtctcBtJbasTfB

If the login allows special characters, I toss in some "1337-speak" for uncapitalized nouns, like so:

BtJm$T]tbt(tcBtJbasTfB

The problem with this approach is, you still have to remember which poem you've selected for which password (and remember it verbatim), and then there's the problem of having to change passwords and remember which poem you've changed it to.

I think the best approach is to use a password keyring utility like KeePass (Windows) or KWallet (KDE), plus the password management features of applications like Firefox for storing all your online passwords. That way you only need to memorize one extremely secure password to gain instant access to all your passwords, which can also be extremely secure. Another option would be to store them on a USB key, in an encrypted text file keyed with a secure password.

Edit: Oh fantastic, now I'm gonna spend the next hour reading Bruce Schneier facts <_<

You've never seen those before? Those jokes have only been around for like 3 years.

That's like, 100 Internet-years!

Edited by Colonel Panic

A strong password ought to be something you're never going to remember anyway, right? Well, I sometimes use the method of composing a string consisting of the first letter of each word of a song or poem that I've already memorized. For example:

The problem with this approach is, you still have to remember which poem you've selected for which password (and remember it verbatim), and then there's the problem of having to change passwords and remember which poem you've changed it to.

I think the best approach is to use a password keyring utility like KeePass or KWallet in KDE, plus the password management features of applications like Firefox for storing all your online passwords. That way you only need to memorize one extremely secure password to gain instant access to all your passwords, which can also be extremely secure. Another option would be to store them on a USB key, in an encrypted text file keyed with a secure password.

Edit: Oh fantastic, now I'm gonna spend the next hour reading Bruce Schneier facts <_<

You've never seen those before? Those jokes have only been around for like 3 years.

That's like, 100 Internet-years!

I used to use the poem/sentence approach too but it was still too hard to remember. It worked fine with passwords I used often tho. Now I tend to use online password generators, but then the question becomes how secure are those passwords. They could be sniffed on the way to me or the site could log 'em, but then again I'm not that paranoid (always).

And yes, Colonel Panic. I've seen them before, just not in a long time. It's one of the perks of having a bad memory. Things always seem new to you.


I once worked at a convenience store that used the street address as the code. It is sad but true.

I once worked at a convenience store that used the street address as the code. It is sad but true.

Yeah, I forgot about this... it was posted above also.

Any code on a building is - more often than not - going to be the street address. I worked for a few places where this was the case. They always asked me who gave me the code. Then I point out it was the street address. They felt owned, and thus, they ph33red.


As for my passwords, I use a few, and they all have the base password in common. I figure the worst I should expect are brute-force attacks, so I make the passwords appropriately long. For example, my router's passphrase is over 26 characters long. My idea is that you can pick a phrase or saying as your password. If whatever you're logging into is designed properly in the first place, password length shouldn't be an issue since they're salting and hashing it anyways, and a phrase is a million times easier for us humans to memorize than even a short jumble of random characters. Easy to remember, and able to get veeeeeery long, I'd call that pretty secure.

I don't think writing down passwords is necessarily such a bad idea, as long as you keep them in a safe place and don't give them away to Goodwill.

Lots of people I know* have a set of "base passwords" on which all their other passwords are based. For example: someone who remembers hsw4e5 as a base password will then use things like HSW4E5, hsw4e5123, and hsw4e5!@# as passwords in other places. Sometimes they even string multiple base-passwords together!

I've devised my own way of obfuscating passwords that I save somewhere: I simply write only the first and last characters of the base password extension, followed by the first and last letters of the base password itself. The secret's out! Though these are always inside an encrypted file with a master password :P Steganos Locknote is awesome (and open source!).

* Don't ask me how I know so many people's passwords

Yeah, I admit to using base passwords. I will often combine a base password with part (or all) of the site name, then some very small site-specific secret. This is easy to remember, but immune to dictionary attacks and brute forcing. Only thing I worry about is keyloggers. Shoulder surfers wouldn't get much from watching my fingers fly over random letters, although I've devised other tricks for dealing with them.

Over the past year, though, I use a password generator approach. It's the human version of making strong passwords without aid of software. I start with a simple passphrase, no more than eight words long. Then, I use one or more "rules." Examples of rules: '%' replaces all spaces; first and last caps; reverse order of words; half-lower and half-caps. I usually do some kind of swapping and something with spaces, to say the least. The result is a very strong password, although it's not hard to remember. If I'm using this for encryption keys, I follow it up with SHA-256. That's how I generate TrueCrypt passwords: they are SHA-2 hashes of strong passwords generated on the spot like I've described.

I'm still concerned about keyloggers and such, though. So, I'm working on a key exchange system for TrueCrypt where it generates a random priv/pub key pair, I enter public key and volume password on a PDA/smartphone, type the result into truecrypt, and it decrypts it into the password. As far as I'm aware, malware would need access to the memory of the truecrypt process to defeat this approach, so long as key pairs are generated appropriately. Aside from falling to a kernel exploit, this technique should work for high security situations. A trusted path would rid us of the need for all of this, and some microkernels provide this: LynxSecure, Integrity PC, and to a degree OKL4 (esp. seL4). Until I can safely integrate that into a Windows or Linux box, I'm going to have to stick with the other stuff.
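
The rule-then-hash procedure from the post above, written out as an added example (not the poster's own code). The rule order, the reading of "first and last caps" as the first and last characters, and the sample passphrase are assumptions; the salted PBKDF2 derivation is included for comparison and goes beyond what the post describes.

```python
import hashlib
import os


def apply_rules(passphrase: str) -> str:
    """Apply three of the post's example rules in an assumed order:
    reverse the word order, replace spaces with '%', then capitalise
    the first and last characters."""
    words = passphrase.split()
    joined = "%".join(reversed(words))
    if len(joined) < 2:
        return joined.upper()
    return joined[0].upper() + joined[1:-1] + joined[-1].upper()


def sha256_key(password: str) -> str:
    """Bare SHA-256 as in the post: unsalted, one fast pass, so the same
    password always yields the same 64-hex-character string."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def pbkdf2_key(password: str, salt: bytes, iterations: int = 600_000) -> str:
    """Comparison, not in the post: salted, iterated PBKDF2-HMAC-SHA256.
    A fresh salt per volume gives a different key for the same password,
    and the iteration count raises the cost of every guess."""
    raw = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return raw.hex()


if __name__ == "__main__":
    phrase = "the quick brown fox"  # constructed sample passphrase
    strong = apply_rules(phrase)
    print("after rules :", strong)
    print("sha256      :", sha256_key(strong))
    print("pbkdf2+salt :", pbkdf2_key(strong, os.urandom(16)))
```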
