
Password management (not just here)

Clarity

Will Bryant
Staff member
2011 has been a hostile year here on the net. More so than any before it, as far as I'm concerned. Spammers and scammers started focusing on fora far more than they ever had before, and holes in common blogging software packages were regularly exploited. We suffered injection attacks from November through March here (it was a frustrating and demoralizing issue to deal with), and we saw sites like MGoBlog and ScoutingOhio get hit with malware and viral infestations as the result of attacks. Another site upstream of us is getting hit with a denial of service attack as I type this, resulting in some little hiccups for us. Sony was famously hacked. PBS and others as well. It seems every week brings a new email from a large company apologizing for unauthorized access to passwords, email addresses, and other personal information -- even OSU itself had to acknowledge as much recently.

While I don't want to get into a philosophical discussion about all of that, I do want to take a moment and reinforce how important and effective it is to have unique and complex passwords at every site you visit. This is even more important anywhere money is even tangentially involved. Wherever and whenever possible, your passwords should be at least 14 characters long, and a mix of uppercase letters, lowercase letters, numbers, and special characters (!@#$%^&*+'). Obviously that's far less convenient than just using the same thing over and over again (for years in the distant past I just used my Parris Island rifle number everywhere, for example), but it will make a huge difference if and when your information is exposed somewhere -- and that can happen anywhere. If 2011 has proven anything, it's that security and true privacy are a myth.

I use, personally, and *highly* recommend KeePass as a password management and generation solution. It is free, open-source, has a long and celebrated history, and has a number of branches that offer mobile solutions as well (can't speak to those, since I'm not particularly mobile). It's available at http://www.keepass.info

There are other (perhaps better) solutions, and I invite people to post their own suggestions here. It's well established that I am in no way a 'tech' type, and perhaps our tech/security-minded folk have some good ideas about how to really protect yourself and your information online.

Use strong passwords, change them periodically, and make them unique at each location. That's a definite start.
Clarity;1944016; said:

I've talked to other people in the security industry. Their suggestion... Pen and paper, split it down the middle and hide both halves in different places. Also might want to use this KeePass in conjunction with TrueCrypt (http://www.truecrypt.org/), free open source encryption.

Internet is a scary place and honestly at this point it's really about limiting the amount of information out on the net. Thinking you can keep everything on lockdown is a joke.
AuTX Buckeye;1944029; said:

Indeed, no such thing as being locked down. My suggestion speaks to limiting low hanging fruit. If your information at SiteA is the same as SiteB, and SiteA is compromised -- then you're in trouble both places. Unique passwords at each location will at least compartmentalize the potential damage.

KeePass has its own layered encryption and protection functionality, but putting it inside TrueCrypt certainly wouldn't hurt if portability isn't an issue (even if it were you could mount it all on a USB key, but we're outside of the scope of my intent and capacity here).
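Clarity's two points above (the 14-character, four-class rule and the SiteA/SiteB reuse problem) are the kind of thing a short script can check for you. What follows is an added example, not code from the thread and not KeePass's own tooling: it generates passwords that meet the rule using Python's CSPRNG, and audits a password-manager export for reused and weak entries. The CSV column names (Account, Login Name, Password, Web Site) and the three sample rows are constructed for this example; a real export from KeePass or another manager will have its own layout, so adjust the column names before running it on yours.

```python
"""Audit a password-manager export for reuse and weak entries, and generate
replacements that satisfy the rule from the thread (14+ chars, all four
character classes).

Added example, not code from the thread or from KeePass. The CSV layout
(Account, Login Name, Password, Web Site) is an ASSUMPTION modelled on a
simple password-manager export; adjust the column names for your own tool.
"""
import csv
import hashlib
import io
import secrets
import string
from collections import defaultdict

SPECIALS = "!@#$%^&*+'"          # the special characters the post lists
MIN_LENGTH = 14
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SPECIALS)


def meets_policy(password: str) -> bool:
    """True when the password is >= 14 chars and uses all four character classes."""
    return len(password) >= MIN_LENGTH and all(
        any(c in cls for c in password) for cls in CLASSES
    )


def generate_password(length: int = 20) -> str:
    """Generate a random password that satisfies meets_policy().

    Uses the CSPRNG in `secrets`, never the `random` module. One character
    from each class is drawn first so the policy always holds; the rest comes
    from the full alphabet, and the result is shuffled so the class positions
    are not predictable.
    """
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(CLASSES)
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by secrets.randbelow (random.shuffle is not CSPRNG-backed)
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def audit_export(csv_text: str) -> dict:
    """Return {'reused': [[accounts sharing a password], ...], 'weak': [accounts]}.

    Passwords are grouped by SHA-256 digest so the report can be printed or
    logged without ever containing a password; for this purpose equal digests
    mean equal passwords.
    """
    by_digest = defaultdict(list)
    weak = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        account, password = row["Account"], row["Password"]
        digest = hashlib.sha256(password.encode("utf-8")).hexdigest()
        by_digest[digest].append(account)
        if not meets_policy(password):
            weak.append(account)
    reused = sorted(accounts for accounts in by_digest.values() if len(accounts) > 1)
    return {"reused": reused, "weak": sorted(weak)}


# CONSTRUCTED sample export: the bank and the forum share a 13-character
# password, which is exactly the SiteA/SiteB exposure described in the thread.
SAMPLE_EXPORT = """Account,Login Name,Password,Web Site
Bank,clarity,Buckeyes2011!,https://bank.example
Forum,clarity,Buckeyes2011!,https://forum.example
Email,clarity,Tr3e$house-Lamp.Window9,https://mail.example
"""

if __name__ == "__main__":
    report = audit_export(SAMPLE_EXPORT)
    for group in report["reused"]:
        print("same password reused at:", ", ".join(group))
    for account in report["weak"]:
        print("fails the 14-char/4-class rule:", account, "-> suggested:", generate_password())
```

Run against the constructed export it reports Bank and Forum as sharing one password and as failing the length rule, and proposes a fresh replacement for each. The report deliberately carries only account names and digests, so it is safe to keep next to the paper copy or in a ticket; the passwords themselves stay in the manager.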
Clarity;1944051; said:

Agreed :) My intent was to offer an old-school alternative. :) Appreciate the info about KeePass, I'd never heard of it until now.
AuTX Buckeye;1944058; said:

We combine old and 'new' school ourselves, although only for the sake of redundancy and loss prevention. Every month or so we print out a hard copy of the current shared KeePass database and shred the one it's replacing. In case we ever lose, or lose access to, the actual data, we can still easily get at any/all of the access and account information.

In a perfect world I'd dedicate a single computer as the only point of access to sites with sensitive transactions, and allow it to do no other browsing, emailing, or really any other tasks no matter how benign. While KeePass is also designed to defeat the efforts of keyloggers, if you're sitting at an open access point (such as a coffee shop) and not working over https, there are simple and openly available Firefox extensions that can have people capturing your access data while you work.

Anyway, if you try KeePass, I hope you'll find it as invaluable as we have.
Clarity;1944069; said:

I'll definitely check it out.. thanks for the info.
I keep all of my passwords in one password-protected MS Word file. I store that in an encrypted disc image that is located in my Home folder. The home folder is protected using Filevault via 256 bit AES encryption. Can't be too thorough I guess.
I use 1Password, very similar to KeePass but with more functionality.

Beyond that, I use PGP full disk encryption on my laptop, so if I lose it odds are no one is getting any of my data, and I use TrueCrypt for my Dropbox, so that if Dropbox does something stupid, like, I don't know, leaves their network unlocked for a day, then I am less vulnerable. PGP is a slightly expensive product, but for all it does, mail, disk, file shredding, etc... it's well worth it, and as an added bonus, you can use it to encrypt your flash drives.

As Clarity pointed out, it's been the year where computer security has come to light, and the worst thing you can do is have the same password everywhere. For a simple admin of something like this, there are so many security concerns. From the board admins, to the software, to the add-ons, then the web server software and all its add-ons, then the operating system. Every day there are researchers working on every single aspect, finding exploits; some of them are good guys but most of them aren't.

I could lay out a ton of tips as part of what I do is penetration testing for my network, but I think I'll leave that for a better time.
OCBucksFan;1945500; said:
If you encrypt your full hard drive, do you run into issues running anything? Do you log in once and then it all runs as it normally would? I'd like to do everything rather than just bits and pieces, but have nightmares about programs going kablooie when they can't read their data. (NOOB alert, eh?)
Deety;1945684; said:

Your HD will operate as normal when you encrypt it (at least it will with the ones on my company laptops). The major issue is you need to keep it backed up, and possibly encrypted with something different. If your HD crashes... it's likely all data will be lost (again this is what has happened with our company laptops)
Deety;1945684; said:

When I boot up the system the first thing I see is the request for the PGP WDE password, once the system is booted everything operates as normal, with a little more memory usage, though not really enough for me to matter.

AuTX Buckeye;1945708; said:

Have not had this problem since the files copied off the system to the network are decrypted on the fly, about the only time I have seen issues with this are systems that use whole disk backups like ghost, but for file backups I have had no problems with any of my users nor on my work machine or the Mac I use at home.