Posted by Unruh on October 20, 2007, 2:51 pm
>Andy Fish wrote:
>> I just got a nice email from fasthosts - a UK ISP - saying that
>> they have had a security breach and have lost security details
>> including my password IN PLAIN TEXT !!
>>
>> because I use the same password for different online systems, this
>> means someone who found out my email address (the real one - not
>> the one I'm using to post this) and fasthosts password could
>> potentially log on as me to many different sites.
>>
>> fortunately I use several different passwords including a separate
>> one for sites who I think might store it in plain text.
>> unfortunately I didn't think for a minute that an ISP would do
>> this, so I used a relatively secure password for them.
You can always tell if they told you to put in a phrase only you know or
something like that, or say they can recover your password for you.
They cannot do that if they do not have your cleartext password on file.
>>
>> if I can't trust anyone to encrypt my password, it seems that the
>> only way to be secure is to use a different password for every
>> system and then write them all down somewhere.
>>
>> I am an IT professional and I get the impression that most people
>> currently take a similar approach to me. If not, what's the best
>> way to manage so many passwords?
>Shenan Stanley wrote:
>> Search using Google!
>> http://www.google.com/
>> (How-to: http://www.google.com/intl/en/help/basics.html )
>>
>> Normal blurb from me:
>>
>> Understanding what a good password might be is vital to your
>> personal and system security. You may think you do not need to
>> password your home computer, as you may have it in a locked area
>> (your home) where no one else has access to it. Remember, however,
>> you aren't always "in that locked area" when using your computer
>> online - meaning you likely have usernames and passwords associated
>> with web sites and the likes that you would prefer other people do
>> not discover/use. This is why you should understand and utilize
>> good passwords.
>>
>> Good passwords are those that meet these general rules
>> (mileage may vary):
>>
>> Passwords should contain at least six characters, and the character
>> string should contain at least three of these four character types:
>> - uppercase letters
>> - lowercase letters
>> - numerals
>> - nonalphanumeric characters (e.g., *, %, &, !, :)
>>
>> Passwords should not contain your name/username.
>> Passwords should be unique to you and easy to remember.
>>
>> One method many people are using today is to make up a phrase that
>> describes a point in their life and then turn that phrase into
>> their password by using only certain letters out of each word in
>> that phrase. It's much better than using your birthday month/year
>> or your anniversary in a pure sense. For example, let's say my
>> phrase is: 'Great new job in November 2006'
>> I could come up with this password from that:
>> 'Gr8n3wj0bNOV2006'
>>
>> I highly recommend you periodically change your passwords.
>> The suggested time varies, but I will throw out a 'once in
>> every 3 to 6 months for every account you have.'
>>
>> Also - many people complain that they just cannot remember the
>> passwords for all the sites they have - so they choose one password
>> and use it for everything. Not a good idea. A much better method
>> would be to use a Password Management tool - so you only have to
>> remember one password, but it opens an application that stores
>> your username/passwords for everything else - plus other valuable
>> information. One that I can recommend:
>>
>> KeePass Password Safe
>> http://keepass.sourceforge.net/
>>
>> It can even generate passwords for you.
><inline below here...>
>Todd H. wrote:
>> Advising someone to trust whatever comes up in google to manage all
>> his passwords without asking other humans for opinions? Are you
>> nuggin futs?
>Cutting off the meat of the post, who's 'nuggin futs'?
>No worries - I put it back.
>You should also know your audience when giving advice...
>From the original posting:
>'I am an IT professional ...'
>You'd think they might be able to figure out the false from the true when it
>comes to software - or at least know how to test that safely...
>> The issue is that you can't swing a dead cat on google without
>> receiving adwords or "legit" results that may include spyware
>> including keyloggers.
>Yes - common sense is required for using Google...
>For example - you have to learn to use Google (thus my link) and I would not
>search for "Password Manager" and expect much, but, if you simply add a few
>things...
>"Password Manager" freeware review rank
>http://www.google.com/search?q=%22Password+Manager%22+freeware+review+rank
>You get some decent hits, like...
>http://www.snapfiles.com/get/keepass.html
>Which can lead you to more ranked Password Managers:
>http://www.snapfiles.com/Freeware/security/fwpass.html
>And more...
>Yes - you have to sift and test - but once you lock onto a single product
>you like the looks of - research it... Use Google to search for reviews on
>the product..
>http://www.download.com/KeePass-Password-Safe/3640-2092_4-10615419.html?sb=1&v=0
>http://www.snapfiles.com/opinions/KeePass_Password_Safe/KeePass_Password_Safe.html
>So, yeah - in order to do the first part - and only the first part - of my
>response - you have to have a bit of common sense.
>> Password Safe http://passwordsafe.sourceforge.net/ however is an
>> open source, free, peer reviewed and rather trusted solution to this
>> problem of managing a bashitload of passwords.
>One of many - just like the one I gave...
>I used it once - switched to KeePass.
>Giving the OP more options is what this is all about.
>Having a ranking system would be good too.
>http://fileforum.betanews.com/browse/Security/PasswordManagers?start=0&sortby=rating
>*note - I don't recommend necessarily using the BETAS and ALPHA versions of
>software - but you can get an idea here of what they are doing in their next
>version and how well they are doing it and then visit the main site and get
>their full release product.
>> Your situation points out the problem with using a single password
>> at different sites and never changing it--because there are so few
>> sites out there that are actually rather secure and who've never
>> ever had a data breach.
>...
>--
>Shenan Stanley
> MS-MVP
>--
>How To Ask Questions The Smart Way
>http://www.catb.org/~esr/faqs/smart-questions.html
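Two points from the thread, worked as an added example (my code, not anything from the posters or from KeePass/Password Safe): Shenan's "six characters, three of four character types, not your username" rule as a checker, and Unruh's observation that a site which can only verify a password (salted one-way digest) has nothing to recover or leak in cleartext. The function names and the PBKDF2 parameters are my own choices.

```python
# Added example, not code from the thread.
# 1. check_policy(): the password rules quoted from Shenan Stanley's post.
# 2. store_password()/verify_password(): a salted one-way store. The site can
#    re-derive and compare, but cannot hand the password back, which is why a
#    "we can recover your password" service implies cleartext on file.
import hashlib
import hmac
import os
import string


def check_policy(password: str, username: str = "") -> list[str]:
    """Return the list of rule violations (an empty list means it passes)."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    classes = [
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("fewer than three of the four character types")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def store_password(password: str, iterations: int = 600_000) -> dict:
    """What a site should keep: a random per-user salt and a slow digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}


def verify_password(record: dict, candidate: str) -> bool:
    """Re-derive from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return hmac.compare_digest(digest.hex(), record["digest"])


if __name__ == "__main__":
    # Shenan's own sample password passes the rules; a breach of this record
    # yields a salt and a digest, not the password Andy reused elsewhere.
    print(check_policy("Gr8n3wj0bNOV2006", "andy"))
    rec = store_password("Gr8n3wj0bNOV2006")
    print(rec)
    print(verify_password(rec, "Gr8n3wj0bNOV2006"), verify_password(rec, "wrong"))
```

The slow digest only limits offline guessing after a breach; it does nothing for a password reused on a site that never hashed it, which is the situation the original post describes.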