Berkeley CSUA MOTD:Entry 43377
2006/6/13-15 [Computer/SW/Security] UID:43377 Activity:nil
6/13    ok, memorizing all these passwords is driving me insane. I
        know this has been asked before but I can't find it: what's the
        best way to keep a password-protected file of very sensitive
        information? in this case, all my other passwords. thanks
        \_ I use http://www.bugmenot.com
        \_ Whatever happened to this single login thing called the
           MS Passport or something?
        \_ I just use a yellow sticky note on my monitor.  Works like a charm.
        \_ I use a Palm Pilot that is password protected. I then have a
           Crypto program on it (also requires a password).
            \_ the second part is very important, because even if you password
               protect the file using Palm's native password protection, the
               document is downloaded in unencrypted format when you sync to
               your computer.  I use Keyring for encryption:
               http://gnukeyring.sourceforge.net
        \_ I PGP encrypt this password Excel file. You should have
           some password levels as well:
           - password to this Excel file
           - password for financial sites
           - password for secure e-commerce sites
           - password for other non-secure sites
           A secure password can be the initials of your favorite
           phrase. I consider sites that email back your password in
           plaintext as non-secure sites. Good sites should reset your
           password to a random one in the worst case.
        \_ For passwords I don't get to choose, I use this:
           http://www.schneier.com/passsafe.html on PocketPC
           For passwords tied to domains, I use a command line version of this:
           http://bushong.net/dave/webpasswd
           (generates a reproducible hex hash)  --dbushong
        \_ http://keepass.sourceforge.net
           Also, in the same vein as generating passwords from hashes,
           here's a Firefox extension to make it more convenient:
           http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer
           \_ Ooh.  Great minds think alike.  This one looks more secure than
              mine (uses a Base64 variant encoding rather than Hex).  Alas,
              I can't switch now or I'd have to check 2 of them :-) --dbushong
        \_ this program is really old but it's simple and works (for windows
           users): http://www.passkeeper.com
Cache (2929 bytes)
gnukeyring.sourceforge.net
We know that someone has to write software to defend privacy, and since we can't get privacy unless we all do, we're going to write it. We publish our code so that our fellow Cypherpunks may practice and play with it. We don't much care if you don't approve of the software we write. We know that software can't be destroyed and that a widely dispersed system can't be shut down. (The Cypherpunk Manifesto)

Introduction: Keyring for PalmOS lets you securely store secret information on your PalmOS (PalmPilot, Visor, WorkPad) handheld computer. PalmOS, though a fine technical achievement, is not free. As a result, this application has changed its name to Keyring for PalmOS to make this clearer.

Security information: Keyring for PalmOS encrypts all data except when it is actually being edited. It uses 3-DES for encryption; the key is generated from an MD5 hash of your master password. The master password itself is not stored; instead, an MD5 hash of the password and a random 32-bit salt is stored and checked against entered values. A strong random number generator gathering event entropy is used to generate random passwords.

Known weaknesses: If it is possible for an attacker to get the encrypted database, he can try a brute-force attack to find the correct password. Keyring for PalmOS provides 112-bit encryption, but that doesn't help if you have a weak master password. An attacker may try all passwords from a dictionary or short letter/digit combinations. With a 1.2 GHz PC he can check roughly 15 million passwords per second. A good password uses at least 8 random letters, digits and punctuation characters. Keyring for PalmOS supports passwords of up to 40 characters. I use a 10-character random password including letters, digits, punctuation and accented characters. Key names are not encrypted; this makes it possible to browse the key database without entering the password. You should be careful not to put sensitive information in the key name.

PalmOS does not have memory protection between applications: a hostile application or PC-based conduit could read information from inside the Keyring for PalmOS database. Keeping records encrypted provides some protection, but a trojan Palm application may, for example, record all Graffiti strokes to steal your password. Keyring for PalmOS uses ECB, so every 8-byte block is encrypted the same way. This way an attacker can see from the encrypted database which blocks have the same contents. He cannot, however, guess the encryption key from a known plaintext/ciphertext pair. There was a serious bug in version 1.0: Keyring never removed the cached database key, even when the timeout was long over. It even stored it in a database, so it is possible that it was backed up to your PC. It is also a good idea to change your password if you have used it under Keyring 1.0 before. It would be possible to (for example) put a program on the PC that grabbed the handheld's memory image, or that installed a trojan onto the handheld.
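The cached Keyring notes above describe two things an attacker holding a copy of the database can exploit without the key: ECB mode reveals which 8-byte blocks are identical, and the salted-MD5 check value can be guessed at millions of candidates per second. The following is an added Python example, not Keyring's own code. Because the standard library has no DES, it uses a small HMAC-based Feistel network as a stand-in 64-bit block cipher (the ECB versus CBC contrast holds for any deterministic block cipher); the concatenation order inside the check value, the zero padding, the fixed IV and the sample records are assumptions made for the demo.

```python
import hashlib
import hmac
from collections import Counter

BLOCK = 8  # 3-DES works on 64-bit blocks; the ECB leak is a property of the mode, not the cipher


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in 64-bit block cipher: a 4-round Feistel network whose round
    function is HMAC-MD5.  It is NOT 3-DES (assumption of this demo); any
    deterministic block cipher behaves the same way under ECB."""
    assert len(block) == BLOCK
    left, right = block[:4], block[4:]
    for rnd in range(4):
        f = hmac.new(key, bytes([rnd]) + right, hashlib.md5).digest()[:4]
        left, right = right, _xor(left, f)
    return left + right


def _pad(data: bytes) -> bytes:
    # Zero-pad to a whole number of blocks (padding scheme is an assumption of this demo).
    return data + b"\x00" * (-len(data) % BLOCK)


def ecb_encrypt(key: bytes, data: bytes) -> bytes:
    """ECB: every block is encrypted independently, so equal plaintext blocks
    give equal ciphertext blocks, which is what Keyring's notes warn about."""
    data = _pad(data)
    return b"".join(block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))


def cbc_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """CBC: each block is XORed with the previous ciphertext block first, hiding repeats."""
    data = _pad(data)
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def repeated_blocks(ciphertext: bytes) -> int:
    """Count ciphertext blocks that occur more than once: visible to anyone
    holding the database, no key needed."""
    counts = Counter(ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK))
    return sum(c for c in counts.values() if c > 1)


def keyring_key(master: str) -> bytes:
    """Key derived from an MD5 of the master password: 16 bytes, i.e. a 2-key 3-DES key (112 bits)."""
    return hashlib.md5(master.encode("utf-8")).digest()


def keyring_check_value(master: str, salt: bytes) -> bytes:
    """Stored in place of the password: MD5 over the password and a 32-bit salt
    (the concatenation order is an assumption)."""
    assert len(salt) == 4
    return hashlib.md5(master.encode("utf-8") + salt).digest()


def crack_check_value(salt: bytes, check: bytes, candidates):
    """Offline dictionary attack against a copied database: one fast MD5 per
    guess, which is why the notes insist on a strong master password."""
    for guess in candidates:
        if keyring_check_value(guess, salt) == check:
            return guess
    return None


# Constructed sample database: three 16-byte records (8-byte site name,
# 8-byte password), two of which reuse the same password.
SAMPLE_RECORDS = [
    (b"amazon  ", b"hunter2 "),
    (b"ebay    ", b"hunter2 "),
    (b"bank    ", b"Tr0ub4d0"),
]
SAMPLE_DB = b"".join(site + pw for site, pw in SAMPLE_RECORDS)
SAMPLE_SALT = bytes.fromhex("deadbeef")
SAMPLE_IV = bytes(8)  # fixed for reproducibility only; real CBC use needs a random IV


def demo(master: str = "letmein") -> dict:
    key = keyring_key(master)
    check = keyring_check_value(master, SAMPLE_SALT)
    return {
        "ecb_repeats": repeated_blocks(ecb_encrypt(key, SAMPLE_DB)),
        "cbc_repeats": repeated_blocks(cbc_encrypt(key, SAMPLE_IV, SAMPLE_DB)),
        "cracked": crack_check_value(SAMPLE_SALT, check, ["password", "123456", "qwerty", "letmein"]),
    }


if __name__ == "__main__":
    print(demo())  # {'ecb_repeats': 2, 'cbc_repeats': 0, 'cracked': 'letmein'}
```

Under ECB the two records that share a password produce two identical ciphertext blocks, so the reuse is visible to anyone who copies the database; under CBC no block repeats. The dictionary loop recovers the master password from the check value alone without touching the encrypted records, and at one MD5 per guess it runs at the rate the notes quote; an iterated, deliberately slow KDF in place of a single MD5 is what would make that loop expensive.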
Cache (1392 bytes)
www.schneier.com/passsafe.html
Password Safe is now an open source project. A beta version 3.0 was recently released, while the most recent full release is 2.16. Many computer users today have to keep track of dozens of passwords: for network accounts, online services, premium web sites. Some write their passwords on a piece of paper, leaving their accounts vulnerable to thieves or in-house snoops. Others choose the same password for different applications, which makes life easy for intruders of all kinds. With Password Safe, a free Windows utility designed by Bruce Schneier, users can keep their passwords securely encrypted on their computers. A single Safe Combination (just one thing to remember) unlocks them all. Password Safe protects passwords with the Blowfish encryption algorithm, a fast, free alternative to DES. The program's security has been thoroughly verified by Counterpane Labs under the supervision of Bruce Schneier, author of Applied Cryptography and creator of the Blowfish algorithm. Password Safe features a simple, intuitive interface that lets users set up their password database in minutes. You can copy a password just by double-clicking, and paste it directly into your application. Best of all, Password Safe is completely free: no license requirements, shareware fees, or other strings attached.
Cache (14 bytes)
bushong.net/dave/webpasswd -> bushong.net/dave/webpasswd/
JavaScript on.
Cache (1625 bytes)
keepass.sourceforge.net
You need a password for the Windows network logon, your e-mail account, your homepage's FTP password, online passwords (like a CodeProject member account), etc. Also, you should use different passwords for each account, because if you use only one password everywhere and someone gets this password you have a problem: the thief would have access to your e-mail account, homepage, etc. KeePass is a free/open-source password manager or safe which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key-disk. So you only have to remember one single master password or insert the key-disk to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). Yes, KeePass is really free, and more than that: it is open-source (OSI certified). You can have a look at its full source and, for example, check if the encryption algorithms are implemented correctly. Perhaps you wonder why I decided to make it open-source. The answer is relatively simple: in my opinion all software that has something to do with security should be open-source. Here's a quote of Bruce Schneier that sums it up pretty well: "As a cryptography and computer security expert, I have never understood the current fuss about the open source software movement. In the cryptography world, we consider open source necessary for good security. Public security is always more secure than proprietary security. It's true for cryptographic algorithms, security protocols, and security source code."
Cache (3049 bytes)
www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer -> www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/
Password Composer. Summary: Generate a different, safe password for every site you register with. You only need to invent and remember one strong Master Password. (A static web form version is available if you can't use the bookmarklet, Greasemonkey script or Firefox extension.)

Introduction - the problem: Every once in a while you encounter a website which has interesting stuff available to registered users only. No big deal, you just create an account and there you go. However, over time, the many, many user accounts with their passwords become hard to remember. You'll just forget the cleverly crafted variation eventually, to find yourself struggling again with yet another "forgot password" service variation. A common solution is to have just one password for all of those sites which are considered of low to medium risk if broken into. The problem with this is that a rogue site owner might go out and impersonate you, once they find out about other sites where you hang out with the same account. A little "social engineering", and you can be in big trouble.

The solution: Now there is nothing wrong with a single, strong password, as long as it is not used literally. Enter the concept of a Master Password that generates a strong password, unique for every web site where it is used. It follows Generate Password by Nic Wolff, a bookmarklet that generates a unique password per site: the password is based on an MD5 hash of your single master password and the site's host name. The advantage of this version (apart from the nifty panel rather than a bland JavaScript popup) is that your master password is not exposed in clear text. Picture this: you are in a seedy Internet cafe somewhere downtown, and that suspicious guy is looking over your shoulder while you happen to need to log in to your account... See also Simple Single Sign On to get the idea.

How it works: The password generator bookmarklet displays a little panel with an empty password field for your Master Password and an "OK" button. Just before the password field is an icon which lets you change the password fields on the original form into plain text. Just below the password field, the effective domain name for generating a password is displayed. When you click the OK button, the current page is searched for input fields that look like a password field, and these fields are pre-filled with the customized password for the current website. Just fill out your user name where needed and log in; there you are, no need to remember more than one "semi-secure" password. Still, a rogue site owner is not able to log in to any of your other accounts, because the generated password will always be different for different web sites (well, the host name part of the URL to be precise; you can tweak this manually).
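Both dbushong's webpasswd remark in the thread (a reproducible hex hash per domain, with a Base64 variant packing more bits into each character) and the Password Composer description above come down to the same construction: a per-site password derived from a hash of the master password and the host name. The Python below is an added example, not code from either tool. The concatenation order, the 8-character truncation and the wordlist are assumptions; the PBKDF2 function is a contrast added here, not something either tool offers.

```python
import base64
import hashlib
import math
from urllib.parse import urlparse


def site_key(url: str) -> str:
    """The per-site input: the host name of the login page, lower-cased.
    www.example.com and login.example.com are different keys (the page says
    this part can be tweaked by hand)."""
    host = urlparse(url).hostname
    if not host:
        raise ValueError("no host name in %r" % url)
    return host.lower()


def legacy_site_password(master: str, host: str, encoding: str = "hex", length: int = 8) -> str:
    """md5(master + host), truncated: the construction the page describes.
    Concatenation order and the 8-character truncation are assumptions."""
    digest = hashlib.md5((master + host).encode("utf-8")).digest()
    if encoding == "hex":       # 4 bits per output character
        return digest.hex()[:length]
    if encoding == "base64":    # 6 bits per output character (the "more secure" variant)
        return base64.b64encode(digest).decode("ascii").rstrip("=")[:length]
    raise ValueError("unknown encoding %r" % encoding)


def output_entropy_bits(length: int, alphabet_size: int) -> float:
    """Upper bound on the bits a truncated output carries:
    8 hex characters = 32 bits, 8 base64 characters = 48 bits."""
    return length * math.log2(alphabet_size)


def hardened_site_password(master: str, host: str, iterations: int = 200_000, length: int = 16) -> str:
    """Same idea with a slow, salted KDF (PBKDF2-HMAC-SHA256, host name as salt).
    Added here as a contrast; neither tool on the page does this."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), host.encode("utf-8"), iterations)
    return base64.b64encode(raw).decode("ascii").rstrip("=")[:length]


def rogue_site_recovers_master(seen_password: str, host: str, candidates,
                               encoding: str = "hex", length: int = 8):
    """The attack the scheme was meant to prevent: a site that received one
    derived password guesses the master offline, one fast MD5 per candidate,
    and can then derive your password for every other host.  Returns the
    master or None."""
    for guess in candidates:
        if legacy_site_password(guess, host, encoding, length) == seen_password:
            return guess
    return None


# Constructed inputs for the demo (not real accounts and not a real wordlist).
MASTER = "correct horse"
WORDLIST = ["password", "123456", "qwerty", "correct horse", "letmein"]


def demo() -> dict:
    shady = site_key("http://shady.example/signup")
    bank = site_key("https://www.bank.example/login")
    leaked = legacy_site_password(MASTER, shady)        # what the rogue site stored
    recovered = rogue_site_recovers_master(leaked, shady, WORDLIST)
    return {
        "hex_bits": output_entropy_bits(8, 16),
        "base64_bits": output_entropy_bits(8, 64),
        "recovered_master": recovered,
        "bank_password_now_known": recovered is not None
            and legacy_site_password(recovered, bank) == legacy_site_password(MASTER, bank),
    }


if __name__ == "__main__":
    print(demo())
```

The rogue-site function is the caveat to take from this: the per-site password stops a site from reusing what it received, but not from brute-forcing the master offline, since each guess costs one MD5, and once the master is recovered every other site's password follows. The scheme is therefore exactly as strong as the master password's resistance to a dictionary attack; the PBKDF2 version makes each guess roughly `iterations` times more expensive, and the entropy figures show why eight Base64 characters beat eight hex ones.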
Cache (550 bytes)
www.passkeeper.com
I developed PassKeeper in order to keep track of the many different "accounts" I have across the Net. Many services on the Web, for example, require you to register and give out a username and password, which you are often allowed to pick out yourself, but not always. You can now only enter account names that begin with an alphanumeric character. This is to avoid a strange bug that appears if you enter an account name that starts with certain non-alphanumeric characters. It now checks for duplicate account names when you add or edit an account.
Cache (190 bytes)
www.bugmenot.com
BugMeNot.com: Bypass Compulsory Web Registration. Enter the URL of a site (e.g. http://www.nytimes.com) to show shared logins. Also offered: FAQ, bookmarklet, Firefox extension; 3604 sites liberated.