TOT; Piggin passwords

On Wednesday, 10 February 2016 17:26:14 UTC, Blanco wrote:

yeah sure, what sort of arse hole would admit on-line to taking money from another's account? yes the sort that's clueless.
On 10/02/2016 11:45, whisky-dave wrote:

Paranoia all of it. The whole world can have access to anything of mine apart from bank stuff, .....and the pin-ups.

Only a fool would do that.

Useless when they don't have the master password which is only in your head.

You get the encrypted passwords from the backup.

Makes a lot more sense to use a proper password manager and have your passwords available on any device you use.

Doesn't work for passwords.

Makes a lot more sense to use a proper password manager and have your passwords available on any device you use. And to have it fill out any forms you ever need to fill out with your data you only ever enter into the form filler once.

Makes a lot more sense to use a proper password manager and have your passwords available on any device you use. And to have it fill out any forms you ever need to fill out with your data you only ever enter into the form filler once.
On Wednesday, 10 February 2016 17:01:42 UTC, Rod Speed wrote:

There's plenty out there, those that give passwords over the phone on buses or shops, they give all sorts of details out because they don't believe anyone is listening. Only those that aren't good at remembering and assigning passwords use password managers.

Most people that use password managers tend to write down their passwords and use managers because they can't remember passwords. Some are better at it than others.

and we all know how many have such backups don't we, but if the computer's been stolen what's stopping someone from using it?

Not to me it doesn't. I only do my banking on one device, I certainly would to it on internet cafe machines, I don't even do it on my work computer.

it does.

not for me.

and anyone can log on and use my forms, is that it?

But I don't need my password available on every computer in the country. My email is different, that's handy to check anywhere. But while I'm having a crap I don't feel the need to get to my bank account details.


None of those that do that with their password manager master password. They don't even know that password managers exist.

Even sillier than you usually manage. I've always been very good at doing both and use a password manager anyway, essentially because it makes sense to use a different password every time one is required so you don't even have to fart around at all if one does escape when some operation is so stupid that it keeps them in plain text on their system.

Wrong, as always.

No one can remember hundreds of passwords, particularly with the systems that force you to keep changing them so you can't even use some system that includes the site name etc.

Trivially easy to automate that to the net now with something that small.

The requirement to enter the master password to the password manager, stupid.

More fool you.

More fool you.

I do it on two, so I can do it when not at home.

Nope.

Yes, you are that stupid. It makes a lot more sense to use a well designed one where you click on a single entry in the list and have that go to the right part of the site, pull up the sign in part of the site, fill in what needs to be supplied, everything done with just one click.

Nope, no one can.

It isn't every computer in the country, just those you choose to use or need to use.

And handy to be able to sign in anywhere too.
On Thursday, 11 February 2016 19:53:55 UTC, Rod Speed wrote:

They don't need to, password managers can't AFAIK be used over the phone.

all you have to do is say you've forgotten your password, they won't ask if you use a password manager, they'll then ask you a list of questions that most give out over the phone such as mother's maiden name, address, and various other bits of info like account number.

why would you need to get something to manage your passwords? because you can't do it yourself obviously.

what do you mean by being good at using a password manager, is it really that difficult, do you need to practice or do a certain exercise or stand on one foot while drinking a beer?

I managed that without a password manager.

I'm better there are such people, those that can remember pi to X number of digits.

Depends on your methods. Suppose you have a password for IBM, it could be HAL, you know that connection surely don't you?

only to those that know how to, but there's plenty of apps available for keeping passwords.

?

Which gets repeatedly typed as it's the only password you use. It'll be 'secure' of course that you can remember it and type it in regularly and quickly.

Yep.
If I get an RS account. http://uk.rs-online.com/web/
RS = Rod Speed so my password might be sh33Pshagg3R where all e's are actually 3s and I only use upper case for the last character of every word.
So when I need to logon to RS for me it's easy, same initials as you and how I see you is a sheep shagger. So there you are, I've created a password that I'm unlikely to forget. Of course I already have two accounts with RS so don't need to use the above, but if I wanted a 3rd account......

on how many computers ?

You mean the one at home, or the one at work or when I'm on a friend's computer.
I know my amazon password too, so I can order from anywhere, I don't have to wait until I'm sitting at my home computer.

which I can because I can remember both my username and password. Which I can do anywhere in the world unlike someone that relies on their password manager to check emails.

Because you have enough of a clue to have a different one for each place that uses one, so if one site is compromised, that is a complete yawn, stupid.

Nothing to do with your original terminal stupidity about remembering.

<all your terminally silly shit flushed where it belongs>

Nowhere near as conveniently as when using the best of the password managers that not only manages your passwords, it also minimises what you need to do to get to the site that uses the password, does what is required to log on for you, and what you tell it to do after you have logged on, and fills in any form that ever needs to be filled in with your personal details, with just a click or two any time you need to use it.

Pity about the passwords that keep changing because the site requires a monthly change with no reuse, ever etc.

Nope.

Not even possible for most of the hundreds of sites most use.

Trivial to find that out.

Which are useless if the device dies or is stolen etc.

Trivial with just one password. And it doesn't have to be a password, it can be something trivially easy to use repeatedly like a fingerprint or other biodata that no one else can provide.

Not even possible with the absolute vast bulk of the sites most have a password for.
And a hell of a lot simpler to use a proper password manager that not only manages your passwords, it also minimises what you need to do to get to the site that uses the password, does what is required to log on for you, and what you tell it to do after you have logged on, and fills in any form that ever needs to be filled in with your personal details, with just a click or two any time you need to use it.

And you'd still have a problem working out which account that silly stuff is used for.

How ever many you use that ever uses a password.

Whatever you do. Most of us do all of those at some time or another.

Most of us who even have half of a clue find it handy to be able to do anything we normally do at home or at work on any system we happen to use, even if that is just because someone has asked us to fix a problem it's currently having and we need to use something to resolve the problem or to order a part for them that will fix the problem or will do what they want to do that they asked about etc.

Pity about the hundreds of others.
On Saturday, 13 February 2016 02:22:21 UTC, Rod Speed wrote:

Which is what I do anyway. I do NOT need someone to manage my keys either. I can manage myself. I do realise some people need to run their life by lists. Such as wake up, have a shit, have a shave, leave for office. Some even employ a secretary for such things.

I can remember most passwords that are important to me.

and which is the best password manager from your POV?

wow it's a short cut to a URL, how amazing. What will they think of next.
you know I've just done that for half a dozen sites so the students can link to them so they know where we order from, can see the delivery times etc. all I need to do is train them how to read them.

great for the person that has access to your computer.


the only one I know of is here at work, and do recycle passwords. Also I don't want my work and home passwords mixed up.

why is moving a character back one so impossible .... I becomes H B becomes A M becomes L just move one character back it even works in swedish !

exactly you've fallen in that trap.
How will you get access.... I can go to almost any device in the world and type my known password into that. As you say, without your working password manager you're well fucked. How do you access info without your password manager?

that's the problem just the same password.

that's what I use on my ipad, I don't need a separate password manager.

Which don't use password managers.

I've managed it for most I need day to day.

so another security risk.
http://www.cbsnews.com/news/in-wake-of-lastpass-hack-how-safe-are-password-managers/
Such a nightmare scenario was brought to mind recently when popular password manager LastPass was hacked last week. In the wake of suspicious activity on its servers, LastPass said that email addresses, password reminders and other security information was exposed.

I still manage that without a password manager.

I don't need 100s of others.

But don't have anything like as many as quite a few have.

And plenty have enough of a clue to use a well designed password manager/form filler that not only looks after all the passwords, makes the access to anything you have a password for just a click or two, and which fills out any form you ever need to fill out with just a single click too.

Makes a lot more sense to have a system go to where it needs to be entered, enter it, and do whatever else you always do just after you enter the password etc and do all that with just a couple of clicks at most instead of farting around entering the password and other stuff.

I prefer Roboform, because its not only one of the best password managers, it also fills out any form you tell it to with your details that you only ever enter into the system the once.

Doesn't do it for all the stuff they have to supply a password to.
And doesn't list the most frequently used ones separately either.
And doesn't automatically keep track of what site you are currently looking at so that the password for that site is available with a single click in the toolbar whenever that site asks for your passwords, etc etc etc.

They don't get to do any of that because they can't supply it with the master password.

Then you need to get out more.

More fool you lot.

Any decent password manager keeps them separate completely automatically.

Lot more farting around than using a decent password manager.

Nope, the password manager works on all the devices I have so it's a complete yawn if any device dies or is stolen, you just replace it and carry on regardless with complete certainty that the thief can never use it.

Go to any device you like, can borrow or use and use the password manager on that to do whatever you like.

Just as true of the password manager.

You are never without it.

You use the password manager which is available anywhere.

Nope.

Nope.

But you can't use your fingerprint for everything.

So is useless when you have to supply a password.

Only because you do fuck all day to day.

Nope, perfectly possible to avoid any security risk.

Perfectly possible to use a password manager that has no security risk whatever.

Not even possible with a password manager that has no central database.

Because it was always fucked by design.

More fool you. Plenty dinosaur along without the net too.

Yes, you're just another dinosaur.
On Monday, 15 February 2016 18:51:32 UTC, Rod Speed wrote:

I have a list of ~45 at home, password for various things including computer passwords some nothing to do with being on-line.
I have about a dozen at work but at least two of us need to know the password so might as well use one we both know and can remember.

That can be done anyway, not that I use that option. I can remember where I live, and I seem to be able to remember where I worked and even my parents' and friends' addresses without having to have a 'manager' do it for me.

Yes well that's what I have, I can check my bank statement from work or an internet cafe if I really wanted to, haven't felt the need yet though.

No problem for me. I've never found it a problem, if or when I do I'll change. As with keys, two sets are with other people, so if I lose my keys I don't need to break into my own home. I could pay for a safety deposit box, or bury a set in the garden but in the last 25 years I've only had to retrieve a key once. I could have paid for a box for the past 25 years but I haven't.

I'll stick to my version thanks
http://thehackernews.com/2014/07/critical-vulnerability-and-privacy.html
The vulnerability disclosed by Paul Moore in the security of RoboForm affects its Android and iOS app users, which could allow anyone to bypass RoboForm's PIN Protection in order to access users' sensitive data.
RoboForm mobile apps offer a PIN protection which only protects the app interface from unauthorized access, just like Android's popular 'AppLock' application.

I haven't found a need for that function.

My bank hasn't asked me to change passwords.

only for the system at work which requires a new password every month or so.

I too can do that.

and you can't use a password manager for everything.
When I wanted to transfer money to my solicitor I couldn't do it on-line I had to go into a branch with my passport and two other forms of ID which included my home address.

yeah sure, dream on.

that was the theory of bitcoin wasn't it.
On 09/02/2016 22:40, David Lang wrote:

The danger is, that should it be compromised through no fault of your own, then the attacker is now able to access *all* of your online accounts. Having a unique password per site limits the damage greatly.

By making passwords harder to guess by brute force, or by dictionary attack.
A brute force attack will typically have an attacker (aided by a computer doing the donkey work) attempting to guess passwords.
If you are limiting your password to lower case letters only, then there are 26 possible values per character. Allow upper case and there are 52, with digits 62, and so on. When you scale up the number of legal combinations, a few extra allowable characters makes the number of unique passwords possible a vast number of orders of magnitude more difficult to guess.
A dictionary attack works well when an attacker has managed to lift a copy of the password database from an insecure web server etc. That may give them a big list of encrypted passwords. They may not be able to decrypt them directly, but they can throw a whole dictionary through the same encryption process and see which of the encrypted passwords they have generated match the stolen ones.
Much depends on how clueless the writer of the software was:

https://www.youtube.com/watch?v=8ZtInClXe1Q


The problem is, that if you use a weak password, then it lets the bad guys into bits of web sites they might not otherwise get into - that in itself is not really much of a problem. More significantly though it may let them into several accounts you own on different sites. Being able to get at several sites creates weaknesses that can be exploited by trading one off against another. For example:
https://medium.com/@N/how-i-lost-my-50-000-twitter-username-24eb09e026dd#.5aijst8u6
--
Cheers,

John.
John Rumm wrote:

But we're not talking about making extra characters allowable. AFAIK in most cases it's "always" been possible for me to include digits, mixed case, and punctuation if I want.

What we're talking about is them disallowing some combinations of the same characters that have been available all along, and therefore *reducing* the number of legal combinations that have to be tested.
But actually things are rather more complicated than simply "guessing", with rainbow tables and the like.
--
Mike Barnes
Cheshire, England

Yes, but they are now forcing people to use the stuff that most of them wouldn’t bother using.

No they aren't. Most never allowed all the odd special characters.

Nope.

Sure, but it does make sense for the more stupid to use more than just the letters in a particular case.
On 10/02/2016 08:01, Blanco wrote:

I keep the more sensitive passwords in an obscure text file on an external hard drive, but I suppose it's possible to list the most frequently accessed files? An expert house breaker who's also a computer whizz is the stuff of nightmares :-)


Yep.

Not if you encrypt that file.
On 10/02/16 08:50, stuart noble wrote:

http://uk.pcmag.com/password-managers-products/39332/guide/the-best-free-password-managers-for-2015
Just use a password manager.
I remember the passwords I use a lot - but the ones to give a meter reading to the electricity company? No way.
When I set up accounts, I add the name and password to the password manager.
--
You can get much farther with a kind word and a gun than you can with a
kind word alone.
On 10/02/2016 07:40, Mike Barnes wrote:

That rather depends on the site...
By precluding use of say an all lower case password, you thwart any attack that will only search the (much smaller) "lower case only" search space.
(think about how tools like L0phtCrack etc work - they try all lower case before they try the larger search spaces, since in many cases that will crack a substantial number of accounts)

I don't think that statement can be supported with maths ;-)

Indeed, but that seems rather more information than the OP needs.
(and if password hashes are properly "salted", then you can mitigate the advantage of rainbow table attacks)
--
Cheers,

John.
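
The point about salting in the post above, and the dictionary comparison described earlier in the thread, shown from the storage side as an added example that is not part of any post. The user names, word list and iteration count are constructed for illustration; PBKDF2 is one standard choice of salted, stretched hash, not something the thread names.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this illustration


def unsalted_digest(password):
    """The weak scheme: identical passwords give identical stored values."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password, salt=None):
    """Salted, stretched record: (per-user random salt, derived key)."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


def table_matches(stored_values, precomputed):
    """How many stored values appear in a table computed ahead of time."""
    return sum(1 for value in stored_values if value in precomputed)


def demo():
    # Constructed sample data: two users who picked the same password.
    users = {"alice": "password", "bob": "password", "carol": "Xk4!vbn2Qz"}
    # Table built once from common words, with no knowledge of any salt.
    precomputed = {unsalted_digest(w) for w in ("password", "letmein", "qwerty")}

    unsalted = {u: unsalted_digest(p) for u, p in users.items()}
    salted = {u: make_record(p) for u, p in users.items()}

    return {
        "unsalted_hits": table_matches(unsalted.values(), precomputed),
        "salted_hits": table_matches(
            (key.hex() for _, key in salted.values()), precomputed
        ),
        "same_password_same_unsalted": unsalted["alice"] == unsalted["bob"],
        "same_password_same_salted": salted["alice"][1] == salted["bob"][1],
        "login_ok": verify("password", salted["alice"]),
        "wrong_rejected": not verify("Password", salted["alice"]),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Salting removes the benefit of a table computed in advance; a weak password can still be guessed one record at a time, which is why the record is also stretched.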
John Rumm wrote:

I think it can. If "password" is a legal password, the bad guy has to take the (admittedly small) time taken to test for it. If it's not legal, he doesn't have to test for it.
--
Mike Barnes
Cheshire, England
On 10/02/2016 16:51, Mike Barnes wrote:

Go on then ;-)
To be fair, I see what you are getting at, but the purpose of the exercise is to force users to use more of the available "combination space", even if that is at the cost of a small reduction in the total number of legal passwords available.
So without the policy, a very fast crack attempt with all the dictionary words in all lower case, would get you into a percentage of accounts. With the policy, it will fail every time.

but now he does have to test Password, pAssword, paSsword, pasSword, passWord, passwOrd, passwOrd, passwoRd, passworD,
and
PAssword, PaSsword.... PASSwORD.... PASSWORd
and so on.
--
Cheers,

John.
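
The arithmetic behind this exchange, as an added example that is not part of any post in the thread: it counts passwords over lower case, upper case and digits (the 26/52/62 figures given earlier), how many stay legal when a policy demands at least one character from each class, and how large the lower-case-only subspace is. The length of 8 and the three-class policy are assumptions chosen for illustration.

```python
from itertools import combinations

# Character-class sizes used in the thread: lower case, upper case, digits.
CLASSES = {"lower": 26, "upper": 26, "digit": 10}


def total_space(length, alphabet_size):
    """Every string of this length over an alphabet of this size."""
    return alphabet_size ** length


def legal_with_every_class(length, class_sizes):
    """Strings that contain at least one character from every class.

    Inclusion-exclusion: start from all strings, subtract those missing
    one class, add back those missing two, and so on.
    """
    sizes = list(class_sizes)
    alphabet = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            count += (-1) ** k * (alphabet - sum(missing)) ** length
    return count


def policy_summary(length=8):
    """Compare the full space, the policy-legal space and lower-case only."""
    sizes = list(CLASSES.values())
    everything = total_space(length, sum(sizes))
    legal = legal_with_every_class(length, sizes)
    lower_only = total_space(length, CLASSES["lower"])
    return {
        "all_strings": everything,
        "legal_under_policy": legal,
        "fraction_still_legal": legal / everything,
        "lower_case_only": lower_only,
        "lower_only_fraction": lower_only / everything,
    }


if __name__ == "__main__":
    for key, value in policy_summary(8).items():
        print(f"{key:>22}: {value}")
```

The policy does shrink the set of legal passwords, and the lower-case-only strings it excludes are a small fraction of the full space; what the counts cannot show is how many users would otherwise have chosen from that small fraction.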
John Rumm wrote:

He'd have to test those anyway.
But I take your point about altering user behaviour, I just don't think that brute force is a polite way to do it. There are plenty of password systems which rank your password strength but leave the final choice up to you. To my mind those are far preferable to systems which force people to use passwords that they wouldn't otherwise use, and therefore might feel compelled to write down.
--
Mike Barnes
Cheshire, England
