Passwords

Status
Not open for further replies.
The issue with password managers is that they don't work with a number of Australian bank sites, from what I have seen.

Mine works with all my banks except HSBC where I use a log in device.
Even works with St George and Bank SA where both require 3 separate fields to be filled in.
 
What do you use? LastPass struggles with St George.
 
I use Lastpass, log onto St George at least once a day Mon-Fri with no problem. I'll PM you what I do.
 
I did not think all the passwords on that list were simple.

I cannot remember all my passwords. I have 4 or 5 formats for my password that I use with the various website requirements. Most are in my head. Some I have in a notepad document with the format encrypted in such a way that I even struggle to decrypt it sometimes.

So far so good.
 
That I understand but my concern is how hard is it for someone to hack into it? Happy for an IT person to give their perspective.

A well designed password safe, designed by someone who truly understands encryption, and secured with a strong master password which is salted, hashed and then forms part of the encryption key, and properly using an IV - virtually impossible, provided there is no key logger installed on the machine.

A badly designed password safe, or a very weak master password - very easy to crack.

Don't assume that just because something "looks encrypted" it actually is encrypted. Some of the favourite "encryption" methods chosen by people are things like Base64 encoding. I can identify Base64 encoding and have run it through a Base64 decoder in about 10 seconds flat.
 
Is there a password program you recommend?
 
I use LastPass.
Even if I try to log in from a computer that it does not recognise I need to respond to an email sent to my registered email address for authentication.
Other users may have a different opinion re this program but I am very happy with it.
 
KeePass... So far so good. Open source, free, has a good android application. Master file stored in the cloud, accessible from anywhere.
 

I use Password Safe. It uses some pretty decent encryption (if anyone wants I can go into the technicals as to why it's strong), it's not cloud based and it's open source which means any code weakness (such as a dial home) would be visible to all.
 
Open source is considered superior.

More transparent, security flaws can be identified and fixed much more easily. harveyk seems to know a lot more about this than I do so I will defer to his expertise, but from my limited research KeePass was highly rated by a number of tech review sites. Once you have it synced via Dropbox / Google Drive etc. you can use it across multiple devices and not worry about backups.
 
+1 for strong encryption, non-cloud and pw generating option.
 
It makes you wonder if anyone has 1234 as their Qantas password
 
With open source doesn't it mean that everyone has access to the code. So easier to hack? Or it gets fixed quicker?


First of all, it's highly unlikely that you would ever get a true consensus on this question. Every week without fail I read an article on why open source is the greatest thing since sliced bread, followed (sometimes even in the same publication) by one on why open source is the devil's own work. So the following is my personal belief (as someone who uses and modifies open source software in my day job).

The first thing is that the terms "free software movement" and "open source" often get used interchangeably. Don't assume that because software is open source it is not also a commercial venture, or at least used by business and therefore maintained by business. Yes, at one extreme you have GNU GPL software which is free, and ideally no one makes any money off; at the other end you have open source software sold by large companies for profit.

So this means that problems and bugs in open source software are fixed at roughly the same rate as in the closed source world. Sometimes very quickly if it's well supported, sometimes never if it's effectively one step up from abandonware.

In terms of security, well firstly you can take comfort in knowing that a good amount of your personal data is being kept on open source systems. Banks, financial providers, government and other large companies all use some degree of open source software. Having the software as open source makes it easier to confirm a potential attack, but does not make them easier to find. Could you imagine looking through 500,000 lines of code to try and find the one line of code where a squiggly bracket {} was missing? The Apple iOS attack of a couple of years ago was because they forgot to put two lines of code inside two of these squiggly brackets, and this was code which had been reviewed by many talented developers. Typically if you are doing an attack, you have already used conventional attack methods to determine where a weakness might be; open source just makes it easier to confirm an attack as successful.

Furthermore, since all code merges typically have some sort of public review process, and placing overt dial-home code in is difficult, you can almost take more comfort in open source software not having malware embedded in it than in a piece of closed source software released by a relatively unknown developer.

Just my 2c
 
I've been using keychain. Not sure how good or secure it is, but I guess it's better than having the same password for all my web sites?
 
You probably don't want to read any of these then.

Attacks accessing Mac keychain without permission date back to 2011 | Ars Technica
Serious OS X and iOS flaws let hackers steal keychain, 1Password contents | Ars Technica
Sneaky adware caught accessing users’ Mac Keychain without permission | Ars Technica
0-day bug in fully patched OS X comes under active exploit to bypass password protection | Ars Technica


Just to follow on from that, the important thing here is that you need to keep your computers fully patched. Yes, it was a zero-day exploit, and Apple tend to follow a head-in-the-sand approach to security; however, if a security weakness does get exposure they do tend to fix it and release patches for it.

Also, Ars Technica tends to be my go-to resource for security related stuff. It does tend to get a bit technical (obviously, by the name), however they also tend to provide enough information about the exploit that you know it's more than a no-news scare.
 