Posted on February 18, 2008, 8:46 am
(Two posts answered in one reply post)
Kristian Gjøsteen wrote:
>
>
>>My purpose is to have hard-to-guess and unique passwords on
>>all of the different systems in life that ask for passwords.
>
>For each site, choose a random password (your system has a random
>number generator, use it). Save these in an encrypted file. Done.
>
>>Here is my plan: I propose going to these webpages to get
>>somewhat randomish data:
>
>> https://www.fourmilab.ch/hotbits/secure_generate.html
>> https://www.random.org/integers/
>> https://www.grc.com/passwords.htm
>
>This "randomish data" is more predictable for an attacker than
>the output of your system's random number generator.
I am really unskilled at computers. Is this something that I could
hire a service tech from the Geek Squad to do for me? I run WinXP
and I don't see anything resembling a "random number generator"
on the menu.
If there is a program that I can download I can usually figure
out how to run it by reading the manual, but I am a bit paranoid
and only download well-known commercial programs or Open Source
programs that I get from a link on Source Forge.
MisterE wrote:
>> https://www.fourmilab.ch/hotbits/secure_generate.html
>> https://www.random.org/integers/
>> https://www.grc.com/passwords.htm
>
>> Am I right in thinking that this is the most secure way of
>> dealing with multiple passwords?
>I don't know if you know how to program or not, but it's quite
>simple to do a lot of these things yourself if you want to be
>that much more secure.
WAY beyond my ability. I envy you folks who can do that, but
I am just a clueless noob. You might as well ask me to fly.
>The two problems with what you are doing.
>
>Firstly, grc.com or the other sites know what they have given out. Some of
>these sites only dish out a few thousand strings per day. If someone gets
>their IV's and base counters, and they know you have a password from them,
>they will only need to try a few thousand/million keys and they will have
>you.
That makes sense. How about if I make up my randomish data by getting
characters 1,4,7,10... from one site, 2,5,8,11... from another, and
3,5,8,12... from the third? I can do that with a column mode text
editor. It's not like I am hiding from the FBI or CIA; I just want
to make it so that some hacker going after a website will have a hard
time guessing my password, and I want to make it so that if he does get
it some other way, it will tell him nothing about the passwords I use
on other web sites. And, of course, I don't plan on telling anyone
who I am, so an attacker would have to guess that I did the above.
I am not trying to be difficult; I am just trying to follow your
advice within the limitations of my skills.
>Personally I implemented the grc.com/password things myself with my own
>program. I can give you a copy if you want. It uses AES cipher to generate
>random numbers based on a base key and initialisation vector and start
>counter value. This is the exact same cipher setup as the grc.com one.
Please don't be insulted by this, and I appreciate the offer, but I
only download well-known commercial programs or Open Source programs
that I get from a link on Source Forge. I have had a couple of
computer wizards tell me that programs that come in emails, are
posted to newsgroups, or are on websites I never heard of can really
hurt Windows XP bad.
>The other much bigger problem is the program you use to encode your password
>file. If at any point the unencoded file is written to a disk, you are
>completely broken. AFAIK axecrypt just encodes and decodes files, this is
>very bad. You don't want an unencoded password file to exist at any time on
>magnetic media. Just because you encode a file doesn't mean it was
>overwritten. Especially when files are fragmented the operating system and
>disk can move a file even when its size does not change. Meaning when it's
>written back, an old copy exists on the magnetic media.
>
>You need a program that reads encrypted files, displays them unencrypted on
>screen in memory only and allows you to edit/update and writes back
>encrypted data. Again I ended up writing my own because I couldn't find that
>one that allowed the editing I wanted. You can download the source code of
>common text editors and put encryption on the load and save file parts.
Axecrypt ( sourceforge.net/projects/axcrypt/
& http://www.axantum.com/AxCrypt/ ) claims to open and display
encrypted documents with "Secure memory handling - no keys or
data in the paging file" and "Shredding of all temporary and
encrypted plaintext files" (don't know exactly what all that
means, but it sounds cool) and also says this:
Do you have many PIN's for your credit and ATM cards to
remember? Dozens of web-sites with different passwords?
There are many special purpose password managers out there,
some really good, but why bother? Use a regular text file
with notepad. Encrypt the file with AxCrypt.
You can then store your passwords conveniently and safely.
Notepad does not create any temporary files and AxCrypt
will properly wipe its traces, so this is every bit as
secure as most password managers. Some managers will
attempt to lock memory, or encrypt the data in memory,
to keep it out of the paging file, which is even better
of course. If this is a concern or not depends on your
level of paranoia.
From my perspective, my problem is that there are many, many
programs that claim to be able to hide my password text file,
and I am more likely to be Obama's VP than I am to figure out
who is telling the truth. So I tried the ten most promising
and then picked Axecrypt because it is really easy to use.
BTW, I really appreciate you folks taking time to give me
advice. Thanks!
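An added example, not code from this thread or from any program mentioned in it, showing the first reply's advice in practice: draw each site's password from the operating system's random number generator (which Python exposes through the `secrets` module), and compare the guessing cost with a password taken from a website that hands out only a few thousand strings per day, assuming the attacker knows which site and which day. The site names and the 5000-per-day figure are constructed for the demonstration.

```python
import math
import secrets
import string

# Characters to draw from: letters, digits and a few symbols most sites accept.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

def random_password(length=16, alphabet=ALPHABET):
    """Build a password from the OS CSPRNG (secrets reads os.urandom).

    secrets.choice picks each character uniformly, so no position is
    biased toward any part of the alphabet.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))

def entropy_bits(length, alphabet_size):
    """Bits of entropy in a uniformly chosen password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)

def expected_guesses(bits):
    """Average number of guesses an attacker needs: half the keyspace."""
    return 2 ** (bits - 1)

def site_issued_entropy(strings_per_day):
    """Entropy when the password is one of N strings a website issued that day
    and the attacker knows the site and the day: only log2(N) bits remain."""
    return math.log2(strings_per_day)

def generate_site_passwords(sites, length=16):
    """One independent password per site: learning one reveals nothing about the rest."""
    return {site: random_password(length) for site in sites}

if __name__ == "__main__":
    # Constructed sample site list, not taken from the thread.
    passwords = generate_site_passwords(["bank", "email", "forum"])
    for site, pw in passwords.items():
        print(f"{site:6s} {pw}")
    print("local  :", round(entropy_bits(16, len(ALPHABET)), 1), "bits")
    web_bits = site_issued_entropy(5000)
    print("website:", round(web_bits, 1), "bits, about",
          int(expected_guesses(web_bits)), "guesses on average")
```

Saving the generated passwords still needs the encrypted-file step from the thread; this block only covers the generation.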