Old 03-11-2013, 06:49 AM   #26
JoeD
Quote:
Originally Posted by sadievan
If you get an email or text telling you which code is used, isn't that password being transmitted? I'm confused.

Carol
If a code is used as a password to gain entry to a system, there should be no way the system could ever email out or text the code; it shouldn't have any idea what the code is. Although things may work differently for physical entry systems compared to computers, because with computers the username is the "code" and the password is a secret. In access systems the two are rolled into one.

For physical access systems that are just single-code based, there's no alternative but to provide lots of different codes to identify different people. The reduction in strength of the system due to many codes being valid is worth it in exchange for knowing who has accessed it and when.

What you would normally do for audit logs with a computer login though is have users log in with user/pass, generate a hash from their password, compare that hash+salt to the stored hash to see if they match. If they do, allow the user in and log success/failure (or rather a % of failures if there's a surge, to avoid DoS). In addition to that, successful attempts could trigger an email/SMS to say user X logged in.

X could be a real username or another identifier that IDs a user.

Either way, the system doesn't know (and shouldn't know) the real password so cannot nor should it be able to email it.

Regarding passwords stored electronically, written down, or in your head: well, that's the real problem that password safes were created to try to solve.

In order for people to use strong passwords and a unique one for each site they use, there's no way to remember them all unless you only use a single bank and a handful of sites. Just an average internet user will end up with banks, forums, shopping sites, kindles, computers, email... iow tons of passwords to remember.

The options are, either hope you're going to remember them, write them down or use a password safe.

The jury may be out, but in some ways writing them down may be more secure than a password safe, because the chance of your home being burgled may be less than the chance of your PC being hacked. Hacked PC + key logger that logs the master password and copies the DB gives access to every password you have ever made.

However, if your password safe is on an offline device such as an old mobile phone or PDA or laptop (none of which you use online/on a network), then you get the security level of a password safe if you are burgled but also remove the risk of hacking getting your DB or master pass.

Remembering passwords is the most secure (but also problematic for large numbers of secure passwords). Writing them down vs. a password safe really depends on the environment you use computers in and/or where your password safe is stored.

Any of those three though are better than compromising the strength of passwords hoping to remember them all. Brute force login attempts are much more likely to occur than someone hacking your PC.

As it happens, if you use a set of sites/devices frequently enough you'll eventually remember even a random password. But the safe remains a memory failsafe.
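The hash-and-compare login flow with audit logging described in the post above, as an added Python example (not JoeD's code). It assumes PBKDF2-HMAC-SHA256 as the hash, an in-memory user table, and a hypothetical failure-sampling parameter for the "surge of failures" case; the system never holds the plaintext, so the success notification can only ever carry the username.

```python
import hashlib
import hmac
import os
import random

# Constructed in-memory stores; a real system would persist these.
USERS = {}          # username -> (salt, pbkdf2 hash)
AUDIT_LOG = []      # (event, username) records written by the login path
NOTIFICATIONS = []  # messages a real system would email/SMS to the user

PBKDF2_ROUNDS = 200_000  # assumed work factor


def register(username, password):
    """Store only a random salt and the hash of the password.
    The plaintext is never kept, so there is nothing to email out."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[username] = (salt, digest)


def login(username, password, failure_sample_rate=1.0):
    """Re-hash with the stored salt, compare in constant time, log the outcome
    and notify on success. failure_sample_rate < 1.0 records only a fraction
    of failures so a flood of bad attempts cannot swamp the audit log."""
    record = USERS.get(username)
    if record is None:
        # Hash anyway so timing does not reveal whether the username exists.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * 16, PBKDF2_ROUNDS)
        ok = False
    else:
        salt, stored = record
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        ok = hmac.compare_digest(candidate, stored)

    if ok:
        AUDIT_LOG.append(("login_success", username))
        # The notification carries only the identifier, never the secret.
        NOTIFICATIONS.append(f"User {username} logged in")
    elif random.random() < failure_sample_rate:
        AUDIT_LOG.append(("login_failure", username))
    return ok
```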