Re: Correct horse battery staple

1

In deference to the post author I will merely allude rather than link to the xkcd on this exact topic.


Posted by: teofilo | 08-13-12 9:01 PM
2

I tried using a passphrase recently and promptly forgot both the phrase and for which site I used it.
Has anyone tried this password aggregator site I heard about, Lastpa/ss?
Government sites are the worst; they make you change ~ every 30 days and your new one can't be too similar to your old one (no going from password1 to password2 to password3 each month). They're just begging for you to write down your password on a piece of paper you leave on your desk.


Posted by: SP | 08-13-12 9:05 PM
3

In deference to the post author I will merely allude rather than link to the xkcd on this exact topic.

Don't remember it very well, do you?


Posted by: nosflow | 08-13-12 9:06 PM
4

Kaiser's website is fascinatingly terrible.


Posted by: nosflow | 08-13-12 9:09 PM
5

I believe I remember it well enough.


Posted by: teofilo | 08-13-12 9:09 PM
6

You can never know Kaiser's website well enough.


Posted by: Moby Hick | 08-13-12 9:11 PM
7

I believe I remember it well enough.

Well enough to recall that the post author already alluded to it, in the post title?


Posted by: nosflow | 08-13-12 9:11 PM
8

The powerball FAQ site is pretty funny.


Posted by: SP | 08-13-12 9:12 PM
9

Government sites are the worst; they make you change ~ every 30 days and your new one can't be too similar to your old one (no going from password1 to password2 to password3 each month). They're just begging for you to write down your password on a piece of paper you leave on your desk.

God, this is so true, and annoying. As a government employee every one of the several different internal systems for which you need a username and password has different requirements for password composition and a different schedule for how often you need to reset it.


Posted by: teofilo | 08-13-12 9:12 PM
10

2: And every system has its own account and password.


Posted by: Moby Hick | 08-13-12 9:12 PM
11

Well enough to recall that the post author already alluded to it, in the post title?

Apparently not. Well played.


Posted by: teofilo | 08-13-12 9:13 PM
12

Or what Teo said.


Posted by: Moby Hick | 08-13-12 9:13 PM
13

Anyway, if you* have a system I need to use twice a year and you require a new password every three months, you better just figure I'm going to not even pretend to try to remember my password. I just have some guy reset it every time I log in.

*As a US citizen, you do.


Posted by: Moby Hick | 08-13-12 9:20 PM
14

I just have some guy reset it every time I log in.

Yeah, that's one of two options realistically available for systems like that, the other being writing down the password.


Posted by: teofilo | 08-13-12 9:22 PM
15

Writing down the password is against the rules unless you have a locked storage place. I have one, but I lost the key.


Posted by: Moby Hick | 08-13-12 9:23 PM
16

You should have had a combination lock on it instead.


Posted by: SP | 08-13-12 9:25 PM
17

Those aren't allowed. Nor are desktop decorative fountains, lest you think I don't admire some of the rules.


Posted by: Moby Hick | 08-13-12 9:27 PM
18

Moby's workplace sounds significantly more totalitarian than mine.


Posted by: teofilo | 08-13-12 9:45 PM
19

Cracking passwords of the form used in their 'better' example is trivial with JtR. IIRC, someone blogged about running JtR on the leaked linkedin password hashes, and it cracked something like half the passwords after a pass or two, and almost all of them after five or six passes.

Please don't use any word you can find in a dictionary or any simple permutation of such a word with special character substitutions. Concatenations of only two or three such terms are still not good. xkcd!


Posted by: sral | 08-13-12 9:48 PM
20

Kinda nitpicking, but "I went to San Francisco last summer!" has "one number or special character (!, @, #, etc.)." It has an exclamation point.

So it's perfectly valid under those rules.


Posted by: Trickster Paean | 08-13-12 10:00 PM
21

Using randomly generated 8 character strings for most passwords, with iw2SFlS!-type passphrases for those I actually need to use frequently and remember, and keeping all of them in a KeePass database that's in my Dropbox account, itself secured by a long passphrase--reasonably good practices, or am I doing something wrong?


Posted by: x.trapnel | 08-13-12 10:25 PM
22

I do something similar, except with SpiderOak instead of Dropbox. I guess since KeePass is encrypted, you don't have to worry so much about that database being on Dropbox. I generally try to keep anything I want secure away from Dropbox.


Posted by: fake accent | 08-13-12 10:32 PM
23

Oh, and speaking of vaguely computery-related stuff, I just discovered that apparently one has to have resided in CA for two years, not one, to have residency for the purposes of in-state City College of SF tuition--although only one year for SF State, oddly enough. So much for that idea, grr. I guess I'll go back to my plan of not being motivated enough to finish free online CS classes.


Posted by: x.trapnel | 08-13-12 10:34 PM
24

So much for that idea, grr. I guess I'll go back to my plan of not being motivated enough to finish free online CS classes.

SF State doesn't have CS classes?


Posted by: teofilo | 08-13-12 10:37 PM
25

It does, although even the in-state non-degree fees there ($320/unit) are still more than the out-of-state CCSF fees ($233/u), which is much more than in-state ($46/u). SFSU also doesn't seem to have much in the way of evening classes. Something to consider, though. SFSU semester begins in two weeks, whereas CCSF registration deadline was today, with classes starting on Wednesday.


Posted by: x.trapnel | 08-13-12 10:47 PM
26

On reflection, I suppose it's not that surprising that different public schools in a state would have different residency standards, although I don't think I've heard of it before. But then, most states don't have as many different public institutions of higher education as California.


Posted by: teofilo | 08-13-12 10:52 PM
27

Eh, I should have just read more closely. I saw that you needed to have been here a year before the residency date, but somehow missed that the residency date itself was a year and a day before the start of classes.

Things will seem less bleak in the morning, most likely.


Posted by: x.trapnel | 08-13-12 10:56 PM
28

Most likely.


Posted by: teofilo | 08-13-12 11:08 PM
29

They mostly come at night ... mostly.


Posted by: x.trapnel | 08-13-12 11:18 PM
30

my plan of not being motivated enough to finish free online CS classes

Hey, do you want to form some kind of non-study group? ["IYKWIM" omitted]. That is, not really a study group, but a peer-pressure-to-finish-classes kind of thing? I've finished a couple of basic free online programming classes, but I'm taking more and I'm not moving as quickly through them as I should be.


Posted by: fake accent | 08-13-12 11:23 PM
31

"I went to San Francisco last summer!" has seven numbers or special characters: one shriek and six spaces. Spaces are special characters for purposes of password nerdery.


Posted by: chris y | 08-14-12 1:51 AM
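The three checks being argued over in 19, 20 and 31, written out as an added example that is not part of the thread: a small Python policy checker that counts digits and special characters (a space counts, as chris y says), undoes the usual "l33t" substitutions before looking a candidate up in a wordlist (the permutations sral says a cracker's rules walk through), and flags the password1, password2, password3 rotation SP complains about in 2. The wordlist here is a constructed stand-in for a real cracking dictionary, and the substitution table is my own assumption, not any cracker's rule set.

```python
import re
from typing import Dict, List, Optional

# Constructed stand-in for a cracking wordlist (a real checker would load a
# large dictionary file; these entries are only enough for the demo).
DICTIONARY = {
    "password", "sesame", "summer", "francisco", "horse", "battery",
    "staple", "correct", "welcome", "dragon", "monkey", "letmein",
}

# Assumed substitution table, mapped back from symbol to letter, so that
# "p@ssw0rd" normalises to "password" and is caught as a dictionary word.
UNLEET = {
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t", "+": "t",
}


def unleet(text: str) -> str:
    """Undo single-character substitutions, e.g. 'P@ssw0rd' -> 'password'."""
    return "".join(UNLEET.get(ch, ch) for ch in text.lower())


def count_specials(candidate: str) -> int:
    """Count characters that are neither letters nor digits. A space counts,
    so 'I went to San Francisco last summer!' scores 7 (six spaces, one '!')."""
    return sum(1 for ch in candidate if not ch.isalnum())


def count_digits(candidate: str) -> int:
    return sum(1 for ch in candidate if ch.isdigit())


def dictionary_hits(candidate: str) -> List[str]:
    """Dictionary words found in the candidate, checked three ways: as typed,
    after undoing substitutions, and after first stripping a trailing run of
    digits or symbols (so 'P@ssw0rd1' is still recognised as 'password')."""
    lowered = candidate.lower()
    stripped = re.sub(r"[^a-z]+$", "", lowered)
    hits: List[str] = []
    for form in (lowered, unleet(lowered), unleet(stripped)):
        for token in re.split(r"[^a-z]+", form):
            if len(token) >= 4 and token in DICTIONARY and token not in hits:
                hits.append(token)
    return hits


def is_rotation(previous: str, candidate: str) -> bool:
    """True when the new password is the old one with only a trailing number
    changed or added (password1 -> password2, password -> password1), which is
    the cycle that forced 30-day changes push people into."""
    def core(p: str) -> str:
        return re.sub(r"\d+$", "", p.lower())
    return core(previous) != "" and core(previous) == core(candidate)


def strength_report(candidate: str, previous: Optional[str] = None) -> Dict[str, object]:
    """Summarise the findings a password policy would act on."""
    digits, specials = count_digits(candidate), count_specials(candidate)
    return {
        "length": len(candidate),
        "digits": digits,
        "specials": specials,
        # the rule quoted in 20: at least one number or special character
        "has_digit_or_special": digits + specials >= 1,
        "dictionary_hits": dictionary_hits(candidate),
        "rotation_of_previous": previous is not None and is_rotation(previous, candidate),
    }


if __name__ == "__main__":
    for candidate, previous in [
        ("I went to San Francisco last summer!", None),
        ("P@ssw0rd1", None),
        ("password2", "password1"),
    ]:
        print(repr(candidate), strength_report(candidate, previous))
```

The phrase from the post passes the "one number or special character" rule on either reading, but the dictionary check still reports "francisco" and "summer", which is sral's point: satisfying the composition rule says nothing about how far down a cracker's wordlist the password sits.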
32

Programming is one of the few things that lends itself to learning online, because the actual practice of programming -- sitting at a computer typing stuff plus endless procrastination -- so closely resembles the act of doing an online class.


Posted by: Walt Someguy | 08-14-12 3:06 AM
33

x: that sounds as good a security plan as anyone who isn't Bruce Schneier is likely to have and to actually put in effect.

Cambridge Computer Lab's security group recently did a big literature review of alternative password schemes and their conclusion was that the best solution was to generate long random passwords and stick them in the Mozilla password manager, with Mozilla Sync if you wanted cross-device support, although that was partly because their methodology preferred open-source where available.

It's a pity W3C never standardised a password manager API so web sites could automate the process of creating a pwd and storing it in the browser vault. If you look at some of their WGs, it's astonishing the nonsense they've gone after before tackling pwds.


Posted by: Alex | 08-14-12 3:53 AM
34

I use the first letters of lines from German lit, which has the advantage of the nouns being capitalized. So knowing the first lines of Werther gets me Wfbi,diwb!BF,widHdM! If the password requires a number, I can tack on the year of publication to the end.


Posted by: Blume | 08-14-12 4:05 AM
35

I tend to use phrases, of the 'I went to San Francisco last summer!' variety, although I usually use quotes from texts that are then modified with in-jokes or words translated into other languages. More to make them memorable to me than to prevent cracking. I use a password manager for work passwords, as they are generally of the impossible to memorise lengthy random string of numbers and characters variety. There was one my predecessor set [a woman] for one of our servers [prior to random assignment] which, once I'd worked out her own personal 'l33t' encoding scheme, was absolutely filthy.


Posted by: nattarGcM ttaM | 08-14-12 4:20 AM
36

I have a copy of the password file for my own personal password manager sitting on a dropbox, as per x.trapnel, with a difficult pass phrase.


Posted by: nattarGcM ttaM | 08-14-12 4:21 AM
37

I've used modified Diceware http://world.std.com/~reinhold/diceware.html pass phrases in the past.

There was one my predecessor set [a woman] for one of our servers [prior to random assignment] which, once I'd worked out her own personal 'l33t' encoding scheme was absolutely filthy.

Do tell.


Posted by: Barry Freed | 08-14-12 4:32 AM
38

re Diceware, the title of this post is exactly the kind of pass phrase generated by that method. It's a simple matter to modify the words using 1337 type substitutions.


Posted by: Barry Freed | 08-14-12 4:35 AM
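The Diceware method Barry Freed refers to in 37 and 38, as an added example that is neither the thread's nor the Diceware page's own code: the five-dice key lookup and the entropy arithmetic behind it, with the OS random source standing in for physical dice. The short word list is a constructed stand-in for the real 7776-word list, and the scheme comparison uses the alphabet sizes the thread mentions (8 random alphanumerics in 21) rather than anything measured.

```python
import math
import secrets
from typing import Dict, List, Sequence

DICE_PER_WORD = 5                         # a Diceware key is five d6 rolls, e.g. "43146"
DICEWARE_LIST_SIZE = 6 ** DICE_PER_WORD   # 7776 words in the real list

# Constructed stand-in for the Diceware list: the real list maps every
# five-roll key to a word; this short list only lets the demo run offline.
SAMPLE_WORDS: List[str] = [
    "correct", "horse", "battery", "staple", "cloud", "pencil", "river",
    "anchor", "velvet", "copper", "tundra", "lantern", "orbit", "maple",
    "cinder", "harbor", "quartz", "walnut", "meadow", "falcon", "ember",
    "glacier", "saddle", "pebble",
]


def roll_dice(count: int = DICE_PER_WORD) -> str:
    """Roll `count` dice with the OS CSPRNG; returns a key such as '43146'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def key_to_index(key: str) -> int:
    """Map a five-digit dice key to a 0-based list index by reading the rolls
    as a base-6 number ('11111' -> 0, '66666' -> 7775)."""
    if len(key) != DICE_PER_WORD or any(ch not in "123456" for ch in key):
        raise ValueError("key must be five digits in 1..6")
    index = 0
    for ch in key:
        index = index * 6 + (int(ch) - 1)
    return index


def passphrase(wordlist: Sequence[str], n_words: int = 5) -> List[str]:
    """Pick n_words uniformly from the list. With the real 7776-word list this
    is the same as rolling five dice per word and looking the key up."""
    return [wordlist[secrets.randbelow(len(wordlist))] for _ in range(n_words)]


def entropy_bits(n_symbols: int, alphabet_size: int) -> float:
    """Entropy of n_symbols chosen uniformly and independently from
    alphabet_size options: n * log2(alphabet_size)."""
    return n_symbols * math.log2(alphabet_size)


def compare_schemes() -> Dict[str, float]:
    """Entropy, in bits, of the schemes the thread discusses."""
    return {
        "4 Diceware words": entropy_bits(4, DICEWARE_LIST_SIZE),
        "5 Diceware words": entropy_bits(5, DICEWARE_LIST_SIZE),
        "8 random alphanumerics (as in 21)": entropy_bits(8, 62),
        "8 random printable ASCII": entropy_bits(8, 95),
    }


if __name__ == "__main__":
    key = roll_dice()
    print("dice key", key, "-> index", key_to_index(key), "in the real list")
    words = passphrase(SAMPLE_WORDS, 4)
    print(" ".join(words),
          f"(only {entropy_bits(4, len(SAMPLE_WORDS)):.1f} bits from a "
          f"{len(SAMPLE_WORDS)}-word list; the real list gives 51.7)")
    for scheme, bits in compare_schemes().items():
        print(f"{scheme}: {bits:.1f} bits")
```

Four words from the full list come to about 51.7 bits, slightly more than the 8-character random alphanumeric strings in 21 (47.6 bits), and every extra word adds 12.9. The 1337 substitutions suggested in 38 are worth far less than that: a fixed substitution scheme is one of a handful of rules a cracker's wordlist run already tries, so the budget should come from the word count, not the spelling.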
39

re: 37

I can't actually remember what the exact password was, but it was a reference to certain pornographic practices associated with Japan.


Posted by: nattarGcM ttaM | 08-14-12 4:42 AM
40

I mostly use opera arias that I then meddle with in various ways. Sometimes lines from Greek tragedy.


Posted by: oudemia | 08-14-12 4:50 AM
41

I really should find out how to change my office computer password. I have had the same password since 1991, when there was no network and nothing worth securing. It is my wife's first name.

Maybe next week.


Posted by: George hw bush | 08-14-12 5:00 AM
42

Speaking of computer security this article was kind of scary. Having a good password doesn't help much if someone can call Apple technical support and get them to reset it.


Posted by: James B. Shearer | 08-14-12 5:04 AM
43

I had two artists that I used because of their family connections, so then I started using the names of other artists. I should smush them together somehow, because that sounds like a really easily cracked password.


Posted by: Bostoniangirl | 08-14-12 5:08 AM
44

The relevant SMBC:

http://www.smbc-comics.com/index.php?db=comics&id=2526#comic

A human is not a secure system.


Posted by: Benquo | 08-14-12 5:12 AM
45

Lastpass is pretty good; I use it with a Diceware-style master password, and I like the auto-fill and random password generation.

And if you have a mobile phone and can reasonably afford some text messages (or have a smartphone that can run authenticator apps), for the love of God set up two-factor authentication on anything that supports it - gmail and facebook, for starters.


Posted by: Nathan Williams | 08-14-12 5:23 AM
46

45: I do the text message thing for my bank, but I don't log in to that account as often as I log in to my e-mail.


Posted by: Bostoniangirl | 08-14-12 5:30 AM
47

21 and similar plans are just fine. They're what I do and they're light years beyond what most users do. Tools such as KeePass can also be used to generate complex passwords and have browser plugins to auto-populate login pages if you want to make it really easy on yourself.

I'm of the slightly aberrant opinion (given that I work in the security industry) that the best one can hope for is that one's own account is not the one used to compromise the whole site and thus users should only be bothered to be meaningfully better than the lowest-hanging fruit and no more. The sort of attack prevented by a strong password is often an attack of opportunity; defensive success is simply being not the easiest site to attack. If a given attacker is just looking for somewhere s/he can take a few machines for a joyride, they'll go elsewhere. If s/he is targeting that company or institution or user in specific the password policy is not all that's needed to defend against that targeted attack or clean up after its eventual success.

There's been some recent research showing that frequent password changes push users into cycles of passwords based on obvious permutations (password1, password2, etc.), which we all already know, and further that this makes it demonstrably easier to discover and predict the simplest passwords that are otherwise acceptable under a given set of requirements. As a result, the university where I work is building towards going from a 90-day password cycle to a 365-day password cycle with extremely stringent requirements. Our users already don't have their accounts compromised by someone trying a million different passwords against their username anyway. We see them stolen via phishing, as that's much easier and faster.

On the accounts I consider most "me" in that they've got the most personal history accumulated in their directory structures I've used only two or three passwords and changed them only every few years for nearly two decades. Could they be cracked? Gods yes; every account can be. Mine haven't been because they haven't been the easiest and apparently I'm insufficiently special to be hated that much.

In a setting where there are thirty different applications and thirty different logins, that's a failure of management to listen to IT. In a setting with ~80,000 active users at any given time we have centralized identities that give us one account useful across all applications and environments. We don't do it to be fancy; we do it to make it possible for the IT folks to go about their lives rather than spending all day resetting thirty passwords for one user.


Posted by: Robust McManlyPants | 08-14-12 5:33 AM
48

There is no way that any normal person is doing anything like 19, 21, or 45 without a gun to their heads, so computer security people need to come up with some better idea than "make people remember impossible-to-remember and constantly resetting strings of characters and numbers for personally important tasks" to avoid a relatively low risk (not technological, but practical -- most people don't care about you) of having your password hacked.


Posted by: Robert Halford | 08-14-12 5:38 AM
49

Another vote for two-factor auth as suggested by Nathan. Sysadmins are required to use it at my workplace and it's tied into the same identity management regime as everything else. We support hardware tokens as well as a vendor-supplied smartphone software token app and folks just have to remember when they connect to certain systems or use certain applications that they log in with their normal username and the token code rather than their password. Easy-peasy.


Posted by: Robust McManlyPants | 08-14-12 5:38 AM
50

apparently I'm insufficiently special to be hated that much.

Yeah, everyone offered advice after the Wired guy got hacked, but I thought the takeaway from his story was "don't present an attractive target to hackers."


Posted by: politicalfootball | 08-14-12 5:42 AM
51

a relatively low risk (not technological, but practical -- most people don't care about you)

This is based on a misconception, I think. It is certainly true that anybody who would crack your password isn't likely to care about you, personally. What a cracked password file gets you is login credentials that get you inside the firewall (or whatever) on a system. From there you can run things on the network or look for privilege elevation attacks or whatever, and after that you can do basically anything you want. If you're trying to own systems outright regular-user credentials are an important first step. And of course bank and email logins have (small, often, but real) value to honest-to-god profit-motivated criminal types.


Posted by: Sifu Tweety | 08-14-12 5:45 AM
52

Oh, pwned by the pants, it turns out.


Posted by: Sifu Tweety | 08-14-12 5:46 AM
53

I've been using the same six-digit no-numbers-or-special-characters ordinary-dictionary-word password for my online password at any website that will let me* since roughly 1996. This includes sites like amazon, ebay, yahoo, etc. Never bothered to change it; never had a problem.

* There are a number of websites these days that require 8 digits or special characters (or both!), or other nonsense. For those, I either email the password to myself and then search my email every time I need to log in, or I use Moby's approach in 13 of just having it reset every time. Either way is annoying.

I do use the two-factor authentication on gmail. That's pretty painless, because it doesn't require me to remember anything, and I only have to mess with it once a month. I'd be willing to use that on any other sites that offered it.


Posted by: urple | 08-14-12 6:00 AM
54

51 makes sense. I mostly just meant that easy passwords are super common, and devastating attacks do not seem to be particularly common, so based on perceived risk an ordinary user doesn't have much of an incentive to come up with a difficult password scheme that imposes a real life burden. I would shoot someone if I had to wait for a text message with a special log in before logging on to my work network every morning.


Posted by: Robert Halford | 08-14-12 6:01 AM
55

This reminds me of the time I phoned up the support desk of *******, the major ******** security provider, trying to trace an important ******, that had got stuck in the ****, and got them to grep a queue containing the ***************'s ******, and only afterwards realised I'd committed a crime.

*s because I'm still leery of posting too much about the story on the www.


Posted by: Alex | 08-14-12 6:01 AM
56

urple's password!


Posted by: Sifu Tweety | 08-14-12 6:04 AM
57

I've been using Lastpass for about a month now, and don't have any complaints.


Posted by: apostropher | 08-14-12 6:05 AM
58

I was going to write that this topic depresses me, but then Sifu would know that my computers are not very secure and hack my stuff.


Posted by: will | 08-14-12 6:06 AM
59

56 did, in fact, guess correctly. What happens now?


Posted by: urple | 08-14-12 6:08 AM
60

urple's password!

"sesame"


Posted by: essear | 08-14-12 6:08 AM
61

Now you're making me worried I should change my password.


Posted by: urple | 08-14-12 6:09 AM
62

55: Oooh! I haven't played Mad Libs in forever!

1. Academi*
2. government contractor
3. mercenary
4. Iraqi desert
5. Barack Obama's
6. nuclear football password

Am I close?

*I didn't realize that Blackwater had changed its name yet again.


Posted by: politicalfootball | 08-14-12 6:12 AM
63

I should point out that I haven't counted the *s. But you're closer than you may think.


Posted by: Alex | 08-14-12 6:21 AM
64

I use 2-factor auth for google accts -- after my gmail account was hacked by spammers a few years ago, I also got very aggressive about deleting all but about 30 contacts from my "contacts" file. (Go do it now!) There was one day when I was working in the university library basement and needed to access a spreadsheet on google docs to do a mildly time-sensitive thing, but my login had expired. I ended up running up and down the stairs and from one end of the library to another, laptop in one hand and phone in the other, trying to get a strong enough signal to get the SMS message. It took twenty minutes and made me comically livid with rage. (I never received the original message, in fact; it turned out that I had to log in again and get a new one sent. I don't know if delivery attempts time out immediately if the phone is out of range, or if they try it three times, or what.) I think it's worth the hassle, but I'm not sure how I could have avoided that particular irritation except by never working in the library.


Posted by: lurid keyaki | 08-14-12 6:29 AM
65

I don't think we can reject the hypothesis that this thread is neb doing some social engineering.


Posted by: Moby Hick | 08-14-12 6:31 AM
66

30: Which classes are you taking? I'm currently stalled on a couple from Udacity (Programming Languages and Design of Computer Programs). I did the intro course just fine but then they switched to letting people do it at their own pace and it turns out mine is snail-like. Job search stress isn't exactly helping.


Posted by: togolosh | 08-14-12 6:34 AM
67

50

Yeah, everyone offered advice after the Wired guy got hacked, but I thought the takeaway from his story was "don't present an attractive target to hackers."

Not sure what you think Honan did wrong other than having weak security. If his hackers are to be believed they didn't have anything against him personally, they just wanted to hack his twitter account because they thought he had a neat user name. Everything else was just collateral damage.


Posted by: James B. Shearer | 08-14-12 6:39 AM
68

Hey, do you want to form some kind of non-study group?

If you're interested in doing this for this database class, let me know:

http://www.db-class.org/course/auth/welcome


Posted by: Criminally Bulgur | 08-14-12 6:46 AM
69

I tried Lastpass and promptly forgot my master password. Luckily I hadn't yet changed any of my other passwords to random strings. Fundamentally, though, even ignoring my stupidity, it's not a solution, as no Lastpass-esque solution is going to work across all devices and be accessible in all situations. So, since everybody in the whole world requires you to provide a username and password these days, there are always going to be weak links.

There's been some recent research showing that frequent password changes push users into cycles of passwords based on obvious permutations (password1, password2, etc.), which we all already know, and further that this makes it demonstrably easier to discover and predict the simplest passwords that are otherwise acceptable under a given set of requirements.

I'm kind of amazed this is "recent" research, given how mindblowingly obvious it is. Guess what, sysadmins, when you force people to change their password constantly and prevent them from re-using old ones, they're going to make them as easy as possible to remember, and consequently as easy as possible to predict.


Posted by: Ginger Yellow | 08-14-12 6:53 AM
70

I want to push back against Halford in 48. The Diceware part of my master password is probably overkill, but aside from that, I think Lastpass and its kin make things easier, not harder. It really does cut down on the amount you have to remember and remember to write down, and there's no complicated password policy on the thing itself (though really, if you haven't tried the diceware/xkcd passphrase style, it's much easier to have a good and memorable password than you might think). Was this website the one that required a number and a letter, or two numbers and a symbol, or a capital and a lowercase letter? I don't have to keep track of that, or try to remember which permutation of my "usual" password I should use any more, and the browser plugin for auto-fill means that the online world is quite a bit closer to "I'm signed in everywhere at once".

(When I change something important like my email login password or the LastPass master password, I write it down and keep it in my wallet until I've used it a lot and am sure I remember it - a few weeks or so. As has been mentioned, the usual threat isn't being targeted directly, and most of the compromises happen electronically rather than in person. Frankly, very few organizations would be harmed by allowing people to keep passwords on sticky notes in their desk drawers.)


Posted by: Nathan Williams | 08-14-12 7:16 AM
71

I hadn't heard of Lastpass before. Maybe it's OK.


Posted by: Robert Halford | 08-14-12 7:23 AM
72

I'm with 70 - using LastPass or something similar and having to remember "Janet Smith was the hottest girl in 11th grade." as your master password is vastly simpler than remembering a good password for every site that deserves one, and only marginally harder than just using "gocowboys1" universally for Gmail, your bank, etc.


Posted by: snarkout | 08-14-12 7:27 AM
73

I'm just not big on remembering lots of random numbers/phrases. I've also had people tell me I shouldn't write my pin # on my bank atm card with a sharpie, but the extra security is just not worth it to me. Maybe something like that Lastpass thing would be worthwhile. Doesn't Apple have something similar built into iOS?


Posted by: urple | 08-14-12 7:37 AM
74

When does retina scanning go mainstream? That seems like a much simpler/better solution to this whole problem.


Posted by: urple | 08-14-12 7:38 AM
75

You should just use 1234 as a PIN.


Posted by: Moby Hick | 08-14-12 7:39 AM
76

How does LastPass work if you've got eight different devices that you might be using to log into your bank account? What about when my phone and work computer get hopelessly out of date? I'm wary of systems that aren't completely under my control.


Posted by: heebie-geebie | 08-14-12 7:41 AM
77

I've also had people tell me I shouldn't write my pin # on my bank atm card with a sharpie

There are degrees and degrees of extra security. This is one degree above withdrawing your worldly wealth in used $5 bills and standing on the corner giving handfuls to passers by. And I speak as one who is extremely poor at online security by the standards exemplified here.


Posted by: chris y | 08-14-12 7:42 AM
78

75. This would actually be better, yes.


Posted by: chris y | 08-14-12 7:43 AM
79

How does LastPass work if you've got eight different devices that you might be using to log into your bank account?

This. LastPass is great when you can use it, but there are loads of use-cases where it's impossible (eg phone PIN) or inconvenient enough that I'll just use a weaker password (eg Playstation network). Great, I can use it on my home PC and, if I pay, on my phone, but what if work doesn't let me install it? What about my eighteen other devices?


Posted by: Ginger Yellow | 08-14-12 7:50 AM
80

38: uberpwned by OP. I'd completely forgotten about that xkcd cartoon.


Posted by: Barry Freed | 08-14-12 7:52 AM
81

urple!

How did the visit with the rural counsel go?


Posted by: Bostoniangirl | 08-14-12 7:53 AM
82

81 No doubt it was all a ruse to get urple to divulge his master password.


Posted by: Barry Freed | 08-14-12 7:55 AM
83

LastPass syncs its little database of passwords to their server storage, with a copy on each of your machines that you install it on (all encrypted with your password, so fairly safe). That part's been pleasantly seamless. At this point I also use it as the place where I write down the few passwords I need to remember occasionally but can't use it for directly. If you can't install it... well, then I guess it's back to the sticky notes.

Passwords I deliberately don't keep in LastPass:
- work password, by policy
- personal email password
- personal computer login password


Posted by: Nathan Williams | 08-14-12 7:58 AM
84

73, if true, is truly frightening.


Posted by: Bostoniangirl | 08-14-12 8:01 AM
85

This is the right thread to pose some questions that have arisen: I have a domain name for my business, and an email address that will receive not only correctly addressed mail, but anything with the correct domain (and it gets something important about twice a month this way -- people leave out, or add, a letter to the name part). Anyway, this account's spam folder is filling with system undeliverable messages -- showing that someone or some thing is sending out emails using as a return address what seem to be random strings of letters/numbers, at my domain, and for some reason, wherever they send it can't accept it.

What is going on, should I care, how much should I care, what should I do about it?


Posted by: CharleyCarp | 08-14-12 8:09 AM
86

How does LastPass work if you've got eight different devices that you might be using to log into your bank account? What about when my phone and work computer get hopelessly out of date? I'm wary of systems that aren't completely under my control?

Pwned a bit on preview by 83, but KeePass is also good on this (and open-source, so you needn't worry so much about obsolescence). If you have the program on your smartphone, and you have your encrypted database on Dropbox, you should be fine. And you can always redownload the "portable" (doesn't need installing) version of KeePass from the web & your database from Dropbox's web interface, should you be at a strange computer without your smartphone.


Posted by: x.trapnel | Link to this comment | 08-14-12 8:14 AM
horizontal rule
87

after my gmail account was hacked by spammers a few years ago, I also got very aggressive about deleting all but about 30 contacts from my "contacts" file. (Go do it now!)

Wait, what, why? Just to save my contacts--or rather, all but the 30 folks I actually care most about--from being spammed, on the off-chance my most important cloud account, on which there's doubtless enough sensitive data to really and truly fuck me over, gets hacked? But I like never having to remember contact info. And it's useful with Android, too (directions to X person's house, rather than remembering address). Is there something I'm missing?


Posted by: x.trapnel | Link to this comment | 08-14-12 8:17 AM
horizontal rule
88

73 is true, although I don't actually do it anymore, but I only stopped because my atm pin, which is unchanged in 20 years, is now permanently etched into my brain.

My thought was always just that if I ever lost my wallet I was fucked anyway, so what difference did it make? I have cards in my wallet with my bank account numbers written on them, and obviously all my credit cards and my driver's license are in there. I think I also have my SSN in there. What additional harm would an ATM pin cause? You can only withdraw a few hundred dollars from the ATM per day. You could do a lot more damage than that at the mall with my VISA.


Posted by: urple | Link to this comment | 08-14-12 8:18 AM
horizontal rule
89

88 to 84.


Posted by: urple | Link to this comment | 08-14-12 8:19 AM
horizontal rule
90

Hey, do you want to form some kind of non-study group? ... Which classes are you taking? ... If you're interested in doing this for this database class, let me know:

Yeah, I stalled out on the first unit of cs212, design of computer programs. But sure! I'd be up for the database thing, too, why not.


Posted by: x.trapnel | Link to this comment | 08-14-12 8:22 AM
horizontal rule
91

85 - Someone is using your domain as a return address and spamming people. If your email server isn't actually being used to deliver the spam, there's very little you can do about it other than be irritated and get yelled at by people who think you spammed them, but it might be worth checking to make sure you don't e.g. have a hackable "contact me" form.

88 - Your credit card company is obligated to make up the money in case of fraud, but your ATM card carries no such obligation.


Posted by: snarkout | Link to this comment | 08-14-12 8:29 AM
horizontal rule
92

I got through a whole machine-learning online course, and started one on cryptography, but got distracted by real work and fell hopelessly behind. One nice thing about these courses is they keep you moving at a slow, but nonzero, pace. But then they have absolute deadlines on the assignments, so once you fall behind a bit, they sort of make you feel like you've failed and should quit. I think it's purely psychological, since the grade doesn't matter and you could always come back to it later, but once derailed I never went back.


Posted by: essear | Link to this comment | 08-14-12 8:47 AM
horizontal rule
93

I just noticed coursera has a quantum computing course taught by Umesh Vazirani, which started last month. I might try to catch up on that, since quantum computation is something I always want to know more about but never get around to learning.


Posted by: essear | Link to this comment | 08-14-12 8:49 AM
horizontal rule
94

Why on earth is your SSN (at first I thought you meant your Social Security card; now that would be nuts) in your wallet?


Posted by: nosflow | Link to this comment | 08-14-12 9:04 AM
horizontal rule
95

Thanks. No one has yelled yet.


Posted by: CharleyCarp | Link to this comment | 08-14-12 9:17 AM
horizontal rule
96

87: at the time of the hack, it wasn't possible to disable "auto-save to contacts," but now it is. Because I archive most significant messages from individuals, I can always search the inbox for addresses, and I think most other contact info tends to appear in the body of a message somewhere too. I figured that, if I ever got hacked again, at least only 30 people I know reasonably well would get spammed, rather than everyone I'd emailed over the course of two years or so. I had to send a ton of apologies, and got a lot of "hey, how have you been?" in reply. It was mortifying. And yes, it's a low-probability event, but I'm neurotic.


Posted by: lurid keyaki | Link to this comment | 08-14-12 10:00 AM
horizontal rule
97

I can imagine that I might be mortified if spam emails came from my account, but as a recipient I don't think twice about it. I usually send a short 'hey, your email's been hacked, change your password' message and then don't think of it again.

A mild-mannered librarian I'm friends with had her FB hacked recently. Her account posted a link as a comment to one of my old photos and wrote that I should check it out because "It's totally loco!" She was embarrassed, but I was cracking up imagining that sentence ever coming out of her mouth.


Posted by: Blume | Link to this comment | 08-14-12 10:10 AM
horizontal rule
98

90: I have done exactly the same. I am trying to push forward on CS262 but can't manage to get my ass in gear.


Posted by: togolosh | Link to this comment | 08-14-12 10:33 AM
horizontal rule
99

I can imagine that I might be mortified if spam emails came from my account

When this happened to me last month, that's exactly how I felt, both because I'm pretty security-conscious and because I had/have several people in my contacts I don't ever want to talk to again (and who feel the same way about me).

I'm also still mystified as to how my account was compromised; my best guess is that it had nothing to do with the actual security of my password, which is simultaneously reassuring and intensely frustrating.


Posted by: Josh | Link to this comment | 08-14-12 10:42 AM
horizontal rule
100

I am not mortified if a spam email appears to come from 'Wolfsonsmotherwearsarmyboots@charleysdomain.com' where there is no such address. The reasoning behind doing such a thing isn't obvious to me either.


Posted by: CharleyCarp | Link to this comment | 08-14-12 11:00 AM
horizontal rule
101

|| I don't usually read the NYT, but Stockman's takedown of Ryan is quite something. |>


Posted by: CharleyCarp | Link to this comment | 08-14-12 11:02 AM
horizontal rule
102

Link?


Posted by: Blume | Link to this comment | 08-14-12 11:08 AM
horizontal rule
103

100: To get past spam filters and/or induce a reader to open/read the email.


Posted by: JP Stormcrow | Link to this comment | 08-14-12 11:08 AM
horizontal rule
104

99.2: I'm assuming you verified that they actually came from your account rather than merely being spoofed through some open SMTP relay or similar to appear as if they came from it.


Posted by: JP Stormcrow | Link to this comment | 08-14-12 11:11 AM
horizontal rule
105

102: Here.


Posted by: Josh | Link to this comment | 08-14-12 11:12 AM
horizontal rule
106

I haven't done it, but I think you can make KeePass a portable app and then it would be possible to carry your passwords on a USB drive. It doesn't seem all that convenient, though, and you'd still need to have access to a computer that lets you read the USB drive, which might mean you'd already need the password you're trying not to have to remember just to be able to use your password manager.


Posted by: fake accent | Link to this comment | 08-14-12 11:18 AM
horizontal rule
107

104: Yeah. The weird thing is that while the messages originated from foreign IPs, and the connections were via HTTP not SMTP, Yahoo! didn't show any logins from anywhere other than my home state. (And the messages were sent to the contacts in my online address book.) Which suggests to me either that Yahoo!'s servers had a vulnerability, or that someone managed to get a hold of one of my cookies and used that.


Posted by: Josh | Link to this comment | 08-14-12 11:19 AM
horizontal rule
108

106: yes, there's no way around memorizing at least one password, the one that unlocks the password database. And really, you should probably memorize three: that one, your email account, and your dropbox account (or whatever syncing solution you use). Maybe four or five--logins for your computer, or for a work computer. But if you use passphrases, that's not really so bad.


Posted by: x.trapnel | Link to this comment | 08-14-12 11:24 AM
horizontal rule
109

101: Yes, pretty unsparing. It is tangential to his main thrust, but this was aptly said: By contrast, the Romney-Ryan version of shrinking Big Government is to increase our already outlandish warfare-state budget and risk even more spending by saber-rattling at a benighted but irrelevant Iran.

But no one has really cared what David Stockman has had to say since his "education".


Posted by: JP Stormcrow | Link to this comment | 08-14-12 11:29 AM
horizontal rule
110

You know what's really crazy? Here in MN, your login to the state unemployment system MUST be your SSN. And they only allow 6 characters, alphanumeric only, for your password. Unbelievable. We practically fucking invented the internet here, ferchrissakes!


Posted by: Natilo Paennim | Link to this comment | 08-14-12 11:30 AM
horizontal rule
111

Why on earth is your SSN (at first I thought you meant your Social Security card; now that would be nuts) in your wallet?

Yes, my social security card is in my wallet. I've been asked to show it as identification on more than one occasion. It's not that often, granted, so I could probably do without it, now that I think about it.


Posted by: urple | Link to this comment | 08-14-12 11:36 AM
horizontal rule
112

109.2 -- It may well work on the Saletans. If the biggest danger from Ryan is that the Village gets too enamored, this is exactly the sort of thing that has to appear, repeatedly, and has to appear from the ever shrinking population of Republicans (a) with at least two brain cells to rub together, and (b) for whom winning is not the only thing.


Posted by: CharleyCarp | Link to this comment | 08-14-12 11:39 AM
horizontal rule
113

I'm going to run rob you now. Too profitable not to.


Posted by: Moby Hick | Link to this comment | 08-14-12 11:40 AM
horizontal rule
114

113 to 111.


Posted by: Moby Hick | Link to this comment | 08-14-12 11:41 AM
horizontal rule
115

110: Here in your fellow invented-the-internet state Massachusetts, the state unemployment site login has those exact same parameters. It also only allows you to do your weekly certification that you're still unemployed and have looked for a job that week during regular business hours. That wasn't a problem, but the idiocy made me insane. It's the internet! It doesn't close!


Posted by: Blume | Link to this comment | 08-14-12 11:42 AM
horizontal rule
116

When I went to get a passport, the lady yelled at me for having my SS card in my wallet. I only had it because I'd needed it for some other ID situation. Also, they yell at you if you get it laminated.


Posted by: Natilo Paennim | Link to this comment | 08-14-12 11:43 AM
horizontal rule
117

- run


Posted by: Moby Hick | Link to this comment | 08-14-12 11:43 AM
horizontal rule
118

DMC


Posted by: Natilo Paennim | Link to this comment | 08-14-12 11:43 AM
horizontal rule
119

When my NYS ID was stolen while I was in Atlanta, I was glad I had my SS card in my wallet. Got me through security.


Posted by: AWB | Link to this comment | 08-14-12 11:49 AM
horizontal rule
120

112: OK yeah, that makes sense. I was thinking how his being viewed as having ratted out Ronnie*, has limited his appeal among his former brethren.

*Ratting Out Ronnie--not good enough for a band name, but maybe OK for a side project.


Posted by: JP Stormcrow | Link to this comment | 08-14-12 11:54 AM
horizontal rule
121

That wasn't a problem, but the idiocy made me insane. It's the internet! It doesn't close!

The hamsters have to sleep some time.


Posted by: Ginger Yellow | Link to this comment | 08-14-12 11:56 AM
horizontal rule
122

I had a comment about online courses, but I guess it never posted (my tablet has wifi problems).

Anyway, I'm actually partway through the database course mentioned above - it seems good, but pretty dry - and I'm also in Udacity's web application engineering (253?). I'd be farther along on that one but the lack of teaching stuff that really seems like it should be taught is driving me crazy. It's really annoying to see solutions that depend on stuff that has not been mentioned until the solution.

I'm "in" a bunch of coursera courses but I have the same problem as essear. I fall behind and then get put off by the prospect of automatically downgraded homeworks. Also, there are hard deadlines eventually so if you don't make it to the end by then, I don't think you can still do the homework. But I've given up before then, so I don't know. I download all the coursera course materials, but I suppose I'm as likely to go through some of that as I am to read every book on my bookshelves.


Posted by: fake accent | Link to this comment | 08-14-12 12:10 PM
horizontal rule
123

The U.S. education loan website is just a 4 digit pin, SSN, and a couple letters from your last name. Maybe a birthdate too. But I don't know why anyone would want to steal my debt, so I guess the 4 digit pin is ok.


Posted by: fake accent | Link to this comment | 08-14-12 12:13 PM
horizontal rule
124

The reasoning behind doing such a thing isn't obvious to me either.

If they spoof a bunch of real-ish email addresses from random other domains then they don't have to pay the bandwidth on all the bounce-backs from bogus recipient addresses; their lists are often inaccurate or entirely randomly generated. Yahoo did have a recent major credential leak but spammers are not in the business of having finely refined lists of recipients. They use water cannons, not lasers. Sometimes - and I'm not saying this is true in your case, but it's what we sometimes see in our tiny slice of the Internet - all of one's friends receive a copy because the spammers have taken common logins {X, Y, Z} and spoofed emails from each of them @majoremailprovider.com then used those to send spam to all of those same accounts on the theory that enough of them will be valid to be worth the effort and the provider's spam filter will more readily trust emails from its own domain than from another. Thus, X@yahoo will get to Y@yahoo when X@randomdomain.countrycode would not.

I think the main reasons they spoof emails are so that they don't have to pay for the bandwidth on all the bounce-backs and they don't lower the reputations of their own domains.

Another reason is that often they are using compromised home computers - grandma and grandpa's XP machine that has never been updated and is always on - to send their mail and they're harvesting from address books in local clients while they're at it.

There are a lot of ways, basically, that it can happen and just seeing some bounce-backs show back up in your inbox doesn't necessarily indicate your account has been compromised but it certainly doesn't hurt to change your password when it happens in a large and noticeable way.

None of this is what I actually do in security, but it's a set of impressions I've picked up in the course of handing various things to other people on my team when I realize something is not what I in fact do.


Posted by: Robust McManlyPants | Link to this comment | 08-14-12 12:32 PM
horizontal rule
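Comments 85, 91 and 124 describe bounce-backs for mail a spammer sent with a random address at your domain as the return address. The check below is an added example, not code from any commenter: it parses such a bounce (a multipart/report DSN), pulls out the embedded copy of the original message, and reads its Received chain to tell backscatter from spoofing (your server never saw the message) apart from a bounce for mail that really went through your own host (worth investigating, as 91 suggests). The domain, the host name and the sample bounce are constructed for the example.

```python
"""Classify a bounce (DSN) that landed in your inbox: did the original message
really pass through your mail server, or did a spammer only spoof a random
address at your domain as its return address (backscatter)?

Added example; the domain, host name and bounce text are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr

OUR_DOMAIN = "charleysdomain.example"           # assumed: domain receiving the bounces
OUR_MAIL_HOST = "mail.charleysdomain.example"   # assumed: the only host that sends for it

# Constructed sample bounce: a remote MX rejected a message whose From was a
# random string at our domain, but whose Received chain never touches our host.
SAMPLE_BOUNCE = """\
From: MAILER-DAEMON@mx.example.net
To: xq7k2p@charleysdomain.example
Subject: Undelivered Mail Returned to Sender
MIME-Version: 1.0
Content-Type: multipart/report; report-type=delivery-status; boundary="BOUND"

--BOUND
Content-Type: text/plain; charset=us-ascii

The mail system at mx.example.net could not deliver your message.

--BOUND
Content-Type: message/delivery-status

Reporting-MTA: dns; mx.example.net

Final-Recipient: rfc822; nobody@example.net
Action: failed
Status: 5.1.1

--BOUND
Content-Type: message/rfc822

Received: from [203.0.113.45] (unknown [203.0.113.45])
        by mx.example.net with SMTP id 1A2B3C
        for <nobody@example.net>; Tue, 14 Aug 2012 08:01:02 +0000
From: xq7k2p@charleysdomain.example
To: nobody@example.net
Subject: you have won

click here
--BOUND--
"""

# "by <host>" names the MTA that wrote the Received line.
RECEIVED_BY = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)


def extract_original(bounce_text):
    """Return the original message embedded in a multipart/report bounce,
    or None if the bounce carries no copy of it."""
    bounce = email.message_from_string(bounce_text, policy=policy.default)
    if not bounce.is_multipart():
        return None
    for part in bounce.walk():
        if part.get_content_type() == "message/rfc822":
            return part.get_payload(0)   # the parsed embedded message
    return None


def hops(original):
    """Host names that handled the message, earliest hop first. Each MTA prepends
    its Received line, so the last header listed is the first hop."""
    received = original.get_all("Received") or []
    chain = []
    for value in reversed(received):
        match = RECEIVED_BY.search(str(value))
        chain.append(match.group(1).lower() if match else "?")
    return chain


def classify_bounce(bounce_text):
    """Decide whether a bounce is backscatter from a spoofed return address or
    evidence that our own server relayed the message. Returns the evidence used."""
    original = extract_original(bounce_text)
    if original is None:
        return {"verdict": "no-original", "from": "", "hops": []}
    sender = parseaddr(str(original.get("From", "")))[1].lower()
    chain = hops(original)
    if OUR_MAIL_HOST in chain:
        verdict = "relayed-by-us"      # investigate: compromised account, open relay, web form
    elif sender.endswith("@" + OUR_DOMAIN):
        verdict = "backscatter"        # spoofed return address; our server never saw it
    else:
        verdict = "unrelated"
    return {"verdict": verdict, "from": sender, "hops": chain}


if __name__ == "__main__":
    print(classify_bounce(SAMPLE_BOUNCE))
```

Run over a mailbox of bounces, a steady stream of "backscatter" verdicts is the situation described in 85: an annoyance, not a compromise. A single "relayed-by-us" verdict is the case 91 warns about and is worth chasing down.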
125

They use water cannons, not lasers.

Or sometimes they combine them into laser-powered water cannons, or WASERS.


Posted by: Sifu Tweety | Link to this comment | 08-14-12 12:34 PM
horizontal rule
126

I use two different phrases with numbers in place of vowels, or special characters if required, but the numbers and vowels change from site to site. (So, my e-mail's password would be "commonphr4se," my bank's password would be "0therphras3," and so on.) It would be impossible to remember which combination went with which Web site, so I keep a document on my computer with the master key to them all. The recent news about computer insecurity has me thinking twice about how dumb that is, so I've started changing the computer file from the passwords themselves to descriptions of them (so the computer file now reads something like "e-mail: the first phrase, with a four in the last position," or something). I had thought about one of those password aggregator sites, but considering how much I do at work, I'd still need to write some of them down.

Re: spoofing someone's e-mail, I think I've seen a lot of it happening to people in family lately. E-mails with my dad's name and no text except for a suspect link caught by my junk mail folder. An e-mail from my aunt asking me about an e-mail apparently from me. Either it's a fad among spammers or someone in my family is compromised.


Posted by: Cyrus | Link to this comment | 08-14-12 2:24 PM
horizontal rule
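Comments 110 and 115 describe 6-character alphanumeric logins, and 126 describes a memorable phrase with digits swapped in for vowels. The block below is an added example written for this thread, not code from any commenter: it estimates the work a guesser who knows each scheme faces, and shows how a policy check can undo the substitutions so that "commonphr4se" is judged as the dictionary phrase it really is. The phrase list, the substitution table and the one-replacement-per-letter attacker model are constructed assumptions; the wordlist size 7776 is the usual diceware list size.

```python
"""Rough work-factor comparison for the password schemes discussed in the thread.
Added example; the phrase list and attacker model are assumptions, not measurements."""
import math

# Assumed reverse substitution table: the inverse of what the scheme in 126 applies.
UNLEET = {"4": "a", "3": "e", "1": "i", "0": "o", "@": "a", "$": "s", "5": "s", "7": "t"}

# Constructed list of base phrases a policy checker (or a guesser) would try first.
KNOWN_PHRASES = {"commonphrase", "otherphrase", "correcthorsebatterystaple", "letmein"}


def normalize(password):
    """Undo the substitutions: 'commonphr4se' -> 'commonphrase', '0therphras3' -> 'otherphrase'."""
    return "".join(UNLEET.get(c, c) for c in password.lower())


def scheme_bits(password, phrases=KNOWN_PHRASES):
    """Work in bits for a guesser who knows the scheme: pick the base phrase from the
    list, then decide for each substitutable letter whether it was replaced (assumed
    one possible replacement per letter). None if the scheme does not explain the password."""
    base = normalize(password)
    if base not in phrases:
        return None
    substitutable = sum(1 for c in base if c in "aeios")
    return math.log2(len(phrases)) + substitutable


def random_bits(alphabet_size, length):
    """Bits of a value chosen uniformly at random: characters of a login, or words of a passphrase."""
    return length * math.log2(alphabet_size)


def is_acceptable(password, min_bits=40):
    """Policy check for the substitution scheme only: reject passwords it explains with
    too little work. Combine with length and other checks; it passes anything it cannot explain."""
    bits = scheme_bits(password)
    return bits is None or bits >= min_bits


def report():
    """Compare the schemes side by side; returns the table it prints."""
    rows = {
        "6-char alphanumeric login (110/115)": random_bits(36, 6),
        "commonphr4se, scheme known (126)": scheme_bits("commonphr4se"),
        "0therphras3, scheme known (126)": scheme_bits("0therphras3"),
        "4 random words, 7776-word list": random_bits(7776, 4),
    }
    for name, bits in rows.items():
        print(f"{name:38s} {bits:6.1f} bits")
    return rows


if __name__ == "__main__":
    report()
```

The point 133 makes shows up in the numbers: once the base phrase is known to be a dictionary phrase, the digit swaps add only a handful of bits, while a few random words from a list give far more, and a random password stored in a manager is not limited by memorability at all.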
127

I keep a "keys to the kingdom" paper copy of all of my bank account & credit card numbers, passwords, etc. in the event I'm incapacitated/dead. It's locked and hidden and only my partner knows the location & location of the key. I write it up on a computer for printing but never save the file itself, and when I update it I burn the old copy in the sink.
I guess if there were a keystroke logger on my computer when I'm writing it up I'd be fucked.


Posted by: Abraham Lincoln | Link to this comment | 08-14-12 2:40 PM
horizontal rule
128

I hope your kingdom doesn't have drapes by the sink.


Posted by: Moby Hick | Link to this comment | 08-14-12 2:46 PM
horizontal rule
129

Does anyone have an opinion on Password Safe vs. KeePass? I started using pwsf when it was the only game in town (I believe it was 1999). Nowadays, I never hear about it, so I assume that it's been superseded, but the only comparisons I've seen are at least half a decade old.


Posted by: sral | Link to this comment | 08-14-12 2:55 PM
horizontal rule
130

128: sic semper velis tryannus


Posted by: Sifu Tweety | Link to this comment | 08-14-12 3:01 PM
horizontal rule
131

velo?


Posted by: Sifu Tweety | Link to this comment | 08-14-12 3:02 PM
horizontal rule
132

Daylight come and Tweety want to ride home.


Posted by: JP Stormcrow | Link to this comment | 08-14-12 3:10 PM
horizontal rule
133

126: I'm sure others have told you this, but you should really check out lastpass/keepass/&c., which seems to be basically the same as what you're doing, except better in every way--more secure and more user-friendly. It's not just that then the master list is encrypted; the browser/copy-paste integration mean you *don't* actually have to type the stupid things in each time, which is very helpful if, as you seem to be saying, you have a lot of them and have to type them in quite often.


Posted by: x.trapnel | Link to this comment | 08-14-12 4:03 PM
horizontal rule
134

127: If you really want to pursue paranoia, write it out by hand rather than typing and printing. I say this not in fear of keyloggers but due to the temporary files every word processor leaves hanging around. You stand good odds of having a copy on your hard disk even if you think you don't.

It's not a totally crazy approach. I've worked in places where various disaster recovery plans included a safe containing the information needed to get into our resources in the event of catastrophe. I've always thought it slightly silly but I bet that would change the day after a catastrophe.

For the record, I make backups of everything, use a password vault, all that good stuff, and if I get hit by a bus tomorrow then everyone will just have to figure that shit out for themselves, or not.


Posted by: Robust McManlyPants | Link to this comment | 08-14-12 9:39 PM
horizontal rule
135

re: 134

We [the small department I work in] have a secured paper copy of all of our key passwords, along with shorter versions of any documentation needed to get any key services up and running in the event of a serious problem. We've had to use it at least once, so it's not completely redundant, either. I'd guess that's a common 'backup' measure.


Posted by: nattarGcM ttaM | Link to this comment | 08-14-12 11:58 PM
horizontal rule
136

73 (including unstated apology for the implied mockery of 75): I wasn't looking for it, but I just found my ATM card's PIN on a small slip of paper in my wallet. Apparently, I just started worrying about security at some point in the past two years.


Posted by: Moby Hick | Link to this comment | 08-15-12 3:13 PM
horizontal rule