Password Security

Status
Not open for further replies.

Penguin (Suave), Aug 3, 2006, Minnesota, USA
So yesterday I went through all my ad networks and affiliate programs and with the help of KeePass (http://keepass.sourceforge.net/) I was able to generate extremely secure and unique passwords for each different program so it'd be extremely difficult for a hacker to gain access to my accounts.

Before, I had one very secure password for all of them, which was entirely stupid because if someone got ahold of it I would have been screwed.

With this program you type randomly and move around your mouse on this image, and with that data it generates an unlimited number of highly secure passwords based on your chosen options. In addition, your passwords are stored in an extremely secure encrypted database file. You simply need to remember one master password to gain access to all your other passwords.

Now I feel much safer than I did before with all my accounts. Do many other people here do such a thing?
 


Good info. However, to be honest, what does it matter if your passwords are kept in an "extremely encrypted database file"? The fact of the matter is another place keeps a hold of your passwords as well. This place is very easy to gain access to. This place I speak of is the computer you are typing on right now.

Windows logs all types of things that you wouldn't think it does. It is very easy for hackers to gain a hold of these log files kept on your comp. I am not going to say where they are so some people don't get any bright ideas. Google the things if you want, but anyways.

I used to do information hacking and things of the sort. Just make sure you have some numerics thrown in there, as well as a non-dictionary word, and that is about the best you can do with password security.
 
I'm not saying it's impossible, it's just a lot more challenging to hack into. Obviously if they're really out to get me they still can, but it's definitely a deterrent.

dxearner: What do you do then to keep your accounts safe?

What really creeps me out is that if you don't set a master password in Firefox, anyone that goes on your computer can easily find every single password you ever typed into Firefox!
 
They would have to get the password for the password software, either by brute-forcing or finding it in a log or so. The latter I don't think is possible, or the software would be kinda crappy.
 
If it's one-way encryption (SHA or MD5) then it should be impossible to break into that database, but I doubt it's one way.

I remember a while back I was coding a login system for a web host, and got to play around with encryption. I had a 32-bit string converted into MD5 and passed as a hash through a PHP session; on the server side it combined the hash with the password, MD5'd both of them, then compared that MD5 to the stored MD5 in the database. Fun stuff.
 
Highly encrypted databases
  • KeePass supports the Advanced Encryption Standard (AES) and the Twofish algorithms to encrypt its password databases.
  • Both ciphers are regarded as very secure by the cryptography community. Banks are using these algorithms, too.
  • Even if you would use all computers in the world to attack one database, decrypting it would take longer than the age of the universe.
  • Even quantum computers won't help that much. The algorithms are symmetric, so their complexity would be reduced a bit; anyway, the sun will go nova before you have decrypted the database.
  • The complete database is encrypted, not only the password fields. So your usernames, notes, etc. are hidden, too.
  • SHA-256 is used as password hash. SHA-256 is a 256-bit cryptographically secure one-way hash function. Your master password is hashed using this algorithm and its output is used as key for the encryption algorithms (AES and Twofish).
  • In contrast to many other hashing algorithms, no attacks are known yet against SHA-256.
  • In-memory password protection: your passwords are encrypted while KeePass is running, so even if Windows caches the KeePass process to disk, this wouldn't reveal your passwords anyway.
  • Security-enhanced password edit controls: KeePass is the first password safe that has security-enhanced password edit controls. None of the available password edit control spies work against the controls used in KeePass. The passwords entered in those controls aren't even visible in the process memory of KeePass.
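Two points in this thread fit together: a hash (SHA or MD5) is one-way, so a password safe cannot be "one-way encrypted" because it has to give the passwords back, and the quoted KeePass description says the SHA-256 digest of the master password is used as the AES key for the whole database. Worked through in Go as an added example, not KeePass's code or file format; the nonce-prefixed layout and the tab-separated entry format are assumptions made here:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// deriveKey follows the quoted KeePass description: the SHA-256 digest of the
// master password is used directly as the AES-256 key (no salt or iterations).
func deriveKey(master string) []byte {
	sum := sha256.Sum256([]byte(master))
	return sum[:]
}

func newGCM(master string) (cipher.AEAD, error) {
	block, err := aes.NewCipher(deriveKey(master))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealDatabase encrypts the whole serialized database (usernames and notes too); the random nonce is prepended (assumed layout).
func sealDatabase(master string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(master)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// openDatabase reverses sealDatabase; GCM's tag check rejects a wrong master password or a tampered file.
func openDatabase(master string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(master)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed database too short")
	}
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}
```

Because the key is one SHA-256 call away from the master password, the AES-256 key is exactly as guessable as that password; the "age of the universe" figure in the description applies to a random 256-bit key, not to a weak master password.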
 
Juicify said:
I use http://sourceforge.net/project/screenshots.php?group_id=41019
But I have some passwords I use all over the place.

If you use Firefox I doubt that the passwords for websites are stored anywhere if you haven't chosen to save them in Firefox, which I do :S

Wow, that is the kind of attitude that gets people thinking their shit can't get hacked, and then you boot up and you say, "What happened?"

I am not saying that your stuff is going to get hacked; the fact of the matter is, if someone is bored/determined enough, they will get your info. It really isn't that hard, boxes checked or not. There are things you cannot control about your machine for IT and Windows built-in features. The only real way to be closer to absolute security is to run Linux. Even then there are some ways to get into the box, but it is highly unlikely. Few personal Linux boxes are hacked because most legit hackers run Linux. It is like stealing from your own neighborhood. Linux is much safer because the architecture of the OS is much different and it doesn't use the same file types and portage that Windows does. Anyways, enough of that. Just do the best you can and use common sense on the internet. Don't go to shady places and you will be fine. Don't be ignorant and think that Norton Antivirus and Firefox have your back 100% and you are safe from anybody.
 
Penguin said:
Highly encrypted databases
  • KeePass supports the Advanced Encryption Standard (AES) and the Twofish algorithms to encrypt its password databases.
  • Both ciphers are regarded as very secure by the cryptography community. Banks are using these algorithms, too.
  • Even if you would use all computers in the world to attack one database, decrypting it would take longer than the age of the universe.
  • Even quantum computers won't help that much. The algorithms are symmetric, so their complexity would be reduced a bit; anyway, the sun will go nova before you have decrypted the database.
  • The complete database is encrypted, not only the password fields. So your usernames, notes, etc. are hidden, too.
  • SHA-256 is used as password hash. SHA-256 is a 256-bit cryptographically secure one-way hash function. Your master password is hashed using this algorithm and its output is used as key for the encryption algorithms (AES and Twofish).
  • In contrast to many other hashing algorithms, no attacks are known yet against SHA-256.
  • In-memory password protection: your passwords are encrypted while KeePass is running, so even if Windows caches the KeePass process to disk, this wouldn't reveal your passwords anyway.
  • Security-enhanced password edit controls: KeePass is the first password safe that has security-enhanced password edit controls. None of the available password edit control spies work against the controls used in KeePass. The passwords entered in those controls aren't even visible in the process memory of KeePass.

Again you are missing the point of my post. It doesn't matter how safely your passwords are kept; there are two other variables to think about. The website where your password is valid, first off, and what happens if you enter the password on a different computer? Regardless, I am sure this is a good safeguard, but don't make the mistake of thinking, "Man, my shit is Fort Knox."
 
All I'm saying is that it's much closer to Fort Knox than it was before I did this.

Just don't enter your password on a different computer; you won't be able to anyway because there's no way you could remember any of these passwords I've made, too fucking long.

If it's the web site's problem then all their accounts are gonna get hacked, not just mine, so the problem wouldn't be as severe.

But I'm still curious dxearner, how do you safeguard your important info?
 
Maybe I am misunderstanding what you are talking about but......

If you have an account on a website where they have a password they have to validate, then first off A) they have a record of your account. B) If their website is compromised then so will be the facts of all their customers/clients etc.... which, correct me if I am wrong, would be you. Also, length has really little to do in the grand scheme of things; we are talking about a time difference in most cases of 10 minutes between 6-20 character passwords with most brute force programs. I gave this stuff up a while ago so this stuff might be faster now.

In your reference to all the banks using this stuff, you are correct, they all do. In addition, if you listen to the news, most of these big banks also suffer a big security breach and the account info of 50000 members gets "lost". I am an advocate of using as much protection as you want; just have the education to go with it and don't just listen to some bs product description.

As for what precautions I take: I just make sure I throw in some non-dictionary word on things that really matter, with some numerics. Sure, I might gain some extra protection using a "random" generator, but there is always a pattern with those as well; there is always a pattern in computing (something else to think about). I also for the most part worked behind a Linux box. My distro, Gentoo, does not log things like Windows, and the architecture of the OS is completely custom (stage one install). I am currently on Windows till I get a second hard drive so I can go back to Linux, and I still have some financial programs I use on my Windows box. The fact of the matter is education is the best defense. Just applying an account password on your Windows machine will distract a great number of serious attacks. The fact of the matter is you are very unlikely to come under attack if you are wise in your internet journeys. That is all I am going to speak on this matter because it really does no more benefit. Be sure and educate yourself and the internet will profit you.
 
DanNicol said:
I just use password1234 for everything, is that wrong????

Yea I am curious about this also. I just use 12345.

"So the combination is one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!"
 
I am not trying to be an asshole, I would like to state for the record, just trying to offer up some information. I don't mean to piss anyone off, just want you guys to be informed. That is all.
 
I'm by no means pissed off.

So essentially, keep your shit as secure as possible, make as few enemies as possible, and be smart about your internet journeys.
 
dxearner said:
Wow, that is the kind of attitude that gets people thinking their shit can't get hacked, and then you boot up and you say, "What happened?"

I am not saying that your stuff is going to get hacked; the fact of the matter is, if someone is bored/determined enough, they will get your info. It really isn't that hard, boxes checked or not. There are things you cannot control about your machine for IT and Windows built-in features. The only real way to be closer to absolute security is to run Linux. Even then there are some ways to get into the box, but it is highly unlikely. Few personal Linux boxes are hacked because most legit hackers run Linux. It is like stealing from your own neighborhood. Linux is much safer because the architecture of the OS is much different and it doesn't use the same file types and portage that Windows does. Anyways, enough of that. Just do the best you can and use common sense on the internet. Don't go to shady places and you will be fine. Don't be ignorant and think that Norton Antivirus and Firefox have your back 100% and you are safe from anybody.

Hell yeah, I know Firefox doesn't make me safe. I just meant that I doubt that passwords entered in Firefox when you log in on a website are stored in a log file on your computer, but it sure can be as you say, and of course network traffic can be sniffed etc.
 
I was an asshole in the previous posts and I would like to apologize, don't know what I was thinking. I don't understand the last post. I wish I could help on that one, but yeah, you have it right, penguin. Just treat the internet like a city. There are parts of town you don't want or need to go, so don't. Get a deadbolt and security system for your front door and that is about all you can do.
 