
Change Your Linkedin Passwords


HeliX


Not tried on iPad myself, but afaik 1Password should work well (but of course isn't free for the trouble!). All my devices are Android so I use KeePassDroid + Dropbox.

 

With apps and things it's not always easy to switch out and copy and paste etc, and of course autofill stuff simply doesn't work. Part of what's ace about a tablet is the 'instant on', fire it up, touch an app and you're away. If you've got to enter a 15 word passcode on unlock and then the same for your app it can get a bit tedious.


Not tried on iPad myself, but afaik 1Password should work well (but of course isn't free for the trouble!). All my devices are Android so I use KeePassDroid + Dropbox.

 

With apps and things it's not always easy to switch out and copy and paste etc, and of course autofill stuff simply doesn't work. Part of what's ace about a tablet is the 'instant on', fire it up, touch an app and you're away. If you've got to enter a 15 word passcode on unlock and then the same for your app it can get a bit tedious.

 

Does the iPad not copy paste nicely? Not had a problem with my stuff. Though I know iOS can get a bit arsey about switching between stuff and the clipboard.

Passes save the first time I use them for apps, is it not the same in iOS world? Sorry for my ignorance, just never used an iPad for more than about 20 minutes!


If you enforce a long passcode (required to unlock your iOS device)

& have it set to erase all data after 10 failed attempts

& have it set to auto-lock after a minimal period

Then I cannot see any reason not to keep the passwords in an unencrypted Pages document for copying and pasting. i.e. no need for an additional password manager.

 

That's what I do. It's not as if these things can be trivially read from another device. And the apps are sandboxed. The iOS devices seem to be fairly secure which is why the highest prices are apparently offered for iOS exploits according to Forbes.


Helix, yeah the cut n paste works on and off, but not universally. It just makes things a bit of a faff vs the instant nature of tablets.

 

Then I cannot see any reason not to keep the passwords in an unencrypted Pages document for copying and pasting. i.e. no need for an additional password manager.

 

Crap idea. How do you know the pages data isn't synced to the cloud because you've enabled that feature globally and is sitting there unencrypted? You should never keep passwords in plain text.


 

Crap idea. How do you know the pages data isn't synced to the cloud because you've enabled that feature globally and is sitting there unencrypted?

 

How do I know? Because iCloud syncing for documents and data is switched off in the settings of all my iOS and OS X devices. I transferred the file from where I normally keep it in Truecrypt via iTunes (using a cable not wifi).

 

So give me another reason why it's a crap idea.

 

(incidentally iCloud doesn't have a global setting anyhow - it's per device).


The strongest passwords are those chosen at random and of a reasonable length - say 15 numbers/chars/symbols. The difficulty then is remembering them!

 

Not necessarily.

 

My strongest passwords are nonsense sentences that are relatively easy to remember. For example: "My dog and cat are both fond of my blue whale but neither likes my pet grandfather clock." No need for any kind of special characters or strange punctuation at all and it is quite easy to remember.

 

How do you know they are your strongest passwords?

 

I disagree with you. The examples you have quoted are not random at all. The words are all English and in zillions of available electronic dictionaries so the elements can be matched electronically. The strength of a random set of alphanumerics comes from the fact there is no point of reference, unlike English words.


How do I know? Because iCloud syncing for documents and data is switched off in the settings of all my iOS and OS X devices. I transferred the file from where I normally keep it in Truecrypt via iTunes (using a cable not wifi).

 

So give me another reason why it's a crap idea.

 

(incidentally iCloud doesn't have a global setting anyhow - it's per device).

 

I mean global across all apps on the device.

 

It's still a crap idea in case you enable something that syncs it in future. Why not just encrypt it, and save yourself the risk? Passwords shouldn't be in plain text. A password manager will allow you to copy it without seeing the password too.


It's still a crap idea in case you enable something that syncs it in future

 

Nothing else is going to enable syncing in Pages - Pages has its own setting for whether or not you want that specific app to use iCloud. I don't have Pages synced and I am not going to.

 

Why not just encrypt it, and save yourself the risk? Passwords shouldn't be in plain text. A password manager will allow you to copy it without seeing the password too.

 

The device itself is an encrypted volume. To further encrypt would be like keeping a Truecrypt volume inside a Truecrypt volume. The device is password protected using a long password. It cannot (trivially) be read externally. It erases itself (by deleting the file system encryption key) if the password is entered wrong 10 times.

 

Okay. Someone could read it over my shoulder Bourne style.


So does KeepAss work by doing a manual copy and paste each time you encounter a login form? Are there automated "single sign on" type solutions available for the non-corporate market?

 

You can open up KeePass and hit "Perform Auto-Type" and it'll fill in your username and pass for you.


Pongo: like I said, you don't know for sure that it'll never sync. There's also been bugs in the iOS lock screen, bugs in USB folder access that have bypassed encryption, etc. Or install an OS update that leaves cloudsync on by default, and you've lost all your passwords. I'd encrypt it personally, silly to leave passies in plain text. But you know best eh?

 

So does KeepAss work by doing a manual copy and paste each time you encounter a login form? Are there automated "single sign on" type solutions available for the non-corporate market?

 

Can do both as Helix says, but you can also add a Chrome plugin that automates further and retrieves the password from your KeePass store and fills it in automatically. I think there's a Firefox equiv but I've not used it.

 

It's a bit of a faff to set up though, and like I said, makes accessing those sites on iOS a right pain in the chuff.

 

This stuff should really be in the OS these days. Think Apple do a keychain thing that's similar?

 

Chrome will sync your passwords to your Google Drive on multiple devices, but there's no Chrome for iOS (yet?)


The strongest passwords are those chosen at random and of a reasonable length - say 15 numbers/chars/symbols. The difficulty then is remembering them!

 

Not necessarily.

 

My strongest passwords are nonsense sentences that are relatively easy to remember. For example: "My dog and cat are both fond of my blue whale but neither likes my pet grandfather clock." No need for any kind of special characters or strange punctuation at all and it is quite easy to remember.

 

How do you know they are your strongest passwords?

 

I disagree with you. The examples you have quoted are not random at all. The words are all English and in zillions of available electronic dictionaries so the elements can be matched electronically. The strength of a random set of alphanumerics comes from the fact there is no point of reference, unlike English words.

 

I didn't claim the examples were random.

 

The first example was "My dog and cat are both fond of my blue whale but neither likes my pet grandfather clock."

 

That's 18 words. If your dictionary is only 1,000 words, then you would have 1000 ^ 18 possibilities if chosen completely at random from that dictionary. That is 1,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 different random 18 word groups chosen from the 1,000 word dictionary.

 

But the sentence is not random -- there are clearly far fewer 18 word sentences that could be constructed with those words. To test all possible 18 word sentences constructed with that 1,000 word dictionary, it would not be sufficient to just go through the collected works from mankind and try every 18 word sentence you find. That particular sentence is unlikely to have ever been used in any of those works.

 

There are some possible attacks. One would be to sit down and start trying every 18 word nonsensical sentence you could think of. Welcome to it. Invite your closest billion friends to help out. The odds of finding it before you all die is going to be close to zero.

 

Another attack would be just brute force it. How long will it take the fastest computers to try 10^54 different passwords?

 

You could try writing a password cracking system that attempts to determine nonsense sentences and try them. Have at it.

 

Probably one of the best approaches if you absolutely had to break in within the next hundred years would be to write a program that first analyzes all known English works to create Markov chains that can be used to construct sentences. Basically, it would look at every set of three words in existence and store them using the first two as a non-unique key and the third as the data. For example, starting out with this sentence you would have "Probably one - of", "one of - the", "of the - best", .... So when you see the words "Probably one", you would look up in your database what words are known to have been used for the next word and choose one of them. You would then look up to see what you find with the second and third words to find a fourth. Through this process, it would be possible to build up an amazing collection of nonsense sentences.

 

There are suggestions to use something like this to generate automatic passwords. In their case, instead of words, they use the last two letters to find a third and then repeat. Take a look at http://ben.akrin.com/?p=779.

 

Bear in mind that if you are just attacking passwords from a password file, you probably aren't directing the attack at me at all. The odds are overwhelming that my password will survive those puny attempts.

 

Suppose that you are attacking my passwords by choice. There are a number of different attacks that would likely work far better that could be done in hours or days instead of centuries. You might, for example, try to break into other accounts on the computer, gain root access, change my password to one of your choosing, log in, get what you need, and then change the password back (just save it from the master.passwd file and restore it when done). Or you might break into the building where the computer is stored and get direct access to the computer.

 

Probably the fastest attack would be to take me hostage and threaten to torture and kill me if I don't give up the password.

 

On second thought, perhaps it might be better if I just change my password to "secret" so that nobody needs to take me hostage to get my password.

 

By the way, for connecting between computers, I usually use 4096 bit RSA keys with SSH. My primary use of four or five word nonsense phrases is to encrypt those keys. On occasion, I use one time passwords using skey, http://www.openbsd.o...=skey&sektion=1 instead. And normally only specific accounts are enabled ("AllowUsers=user1 user2" in /etc/ssh/sshd_config) for remote access and the root account is only enabled for use with RSA keys, ("PermitRootLogin=without-password" in /etc/ssh/sshd_config).

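An added example, not part of any post in this thread: a strength estimate that puts the two sides of the argument above into numbers. It computes the uniform-random figure (18 words from a 1,000-word dictionary, as in the last post) and compares it with an estimate from a word-trigram model of the kind that post describes, so a phrase the model has already seen scores far lower than its word count suggests. The 94-symbol alphabet, the guess rate, the interpolation weight and the two-sentence corpus are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

SECONDS_PER_YEAR = 365.25 * 24 * 3600

def uniform_bits(n_symbols, alphabet_size):
    """Bits of entropy when every symbol is drawn uniformly at random."""
    return n_symbols * math.log2(alphabet_size)

def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate in a 2**bits search space."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR

def train_trigrams(corpus):
    """Key: two consecutive words. Value: counts of the word that followed."""
    table = defaultdict(Counter)
    for sentence in corpus:
        w = sentence.lower().split()
        for a, b, c in zip(w, w[1:], w[2:]):
            table[(a, b)][c] += 1
    return table

def model_bits(phrase, table, vocab_size, lam=0.5):
    """Estimated bits for a phrase under the trigram model.

    The first two words are costed as uniform picks. Each later word is
    costed at -log2(p), where p mixes the trigram frequency with a uniform
    fallback (weight lam is an assumption) so unseen words are never free.
    """
    w = phrase.lower().split()
    bits = min(len(w), 2) * math.log2(vocab_size)
    for a, b, c in zip(w, w[1:], w[2:]):
        seen = table.get((a, b), Counter())
        total = sum(seen.values())
        p_ml = seen[c] / total if total else 0.0
        bits -= math.log2(lam * p_ml + (1 - lam) / vocab_size)
    return bits

# Constructed sample corpus standing in for "all known English works".
CORPUS = [
    "the quick brown fox jumps over the lazy dog",
    "my dog and cat are both asleep on the sofa",
]

if __name__ == "__main__":
    table = train_trigrams(CORPUS)
    print("18 random words / 1,000:", round(uniform_bits(18, 1000), 1), "bits")
    print("15 random chars / 94:   ", round(uniform_bits(15, 94), 1), "bits")
    print("years at 1e12 guesses/s:", years_to_exhaust(uniform_bits(18, 1000), 1e12))
    for phrase in (CORPUS[0], "my blue whale dislikes my pet grandfather clock today"):
        print(round(model_bits(phrase, table, 1000), 1), "bits:", phrase)
```

The uniform figure only applies when the words really are picked at random; the model estimate shows how much is lost when a phrase follows word sequences that already exist in text.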

Archived

This topic is now archived and is closed to further replies.
