Old 03-11-2025, 12:01 PM   #2626
ratinox
Guru
Posts: 767
Karma: 10000000
Join Date: Oct 2016
Location: Somewhere in Time
Device: Forma, iPad Mini
Quote:
Originally Posted by jbjb View Post
That's why I like my home-brew approach. I'm the only one who uses it, so it's not a high value target, is very unlikely to be vulnerable to any exploits of known commercial systems, and nothing is stored in the cloud.
You're hardly the only person who uses an encrypted file. And I wouldn't necessarily say it is harder to attack than something built into a browser, only that the attack vectors are different. For example, do you use a cloud backup solution like Backblaze, or a cloud sync solution like OneDrive or Dropbox?

It's things like these which are why I suggest and recommend paper.
Old 03-11-2025, 12:15 PM   #2627
jbjb
Somewhat clueless
Posts: 772
Karma: 9999999
Join Date: Nov 2008
Location: UK
Device: Kindle Oasis
Quote:
Originally Posted by ratinox View Post
You're hardly the only person who uses an encrypted file.
I didn't say I was. I am, however, the only person who uses a file encrypted in this particular way (that's home-brew as well), and uses this particular app to access it.

Not necessarily any more secure per se than the commercial vaults (but probably no less so), but its home-brew nature means that the miscreants won't be investing any time trying to crack it (if they even knew it existed).

It also means I don't have to trust the providers of the commercial vaults - what if one of their developers goes rogue and releases a dodgy update? Or even is just a bit sloppy.

Quote:
And I wouldn't necessarily say it is harder to attack than something built into a browser, only that the attack vectors are different. For example, do you use a cloud backup solution like Backblaze, or a cloud sync solution like OneDrive or Dropbox?
No - everything backed up locally (encrypted, of course), with backup disks kept in a fire safe.

Quote:
It's things like these which are why I suggest and recommend paper.
That wouldn't work for me - I'd just lose the paper! It would also mean I'd have to go find the paper whenever I needed a password.

I'd also worry about anyone who broke into my house and found it having access to my banking passwords etc.
Old 03-11-2025, 02:03 PM   #2628
ratinox
Guru
Posts: 767
Karma: 10000000
Join Date: Oct 2016
Location: Somewhere in Time
Device: Forma, iPad Mini
Quote:
Originally Posted by jbjb View Post
I didn't say I was. I am, however, the only person who uses a file encrypted in this particular way (that's home-brew as well), and uses this particular app to access it.
[...]
It also means I don't have to trust the providers of the commercial vaults - what if one of their developers goes rogue and releases a dodgy update? Or even is just a bit sloppy.
But you do need to trust yourself not to make mistakes.

Quote:
That wouldn't work for me - I'd just lose the paper! It would also mean I'd have to go find the paper whenever I needed a password.

I'd also worry about anyone who broke into my house and found it having access to my banking passwords etc.
We have these things called wallets and purses, in their infinite variations, in which we keep small, important or valuable pieces of paper like money, ID cards, credit cards, passports, etc. If you have a reasonably secure place to keep these things then you already have a reasonably secure place to keep a password "vault".
Old 03-11-2025, 02:07 PM   #2629
JSWolf
Resident Curmudgeon
Posts: 79,785
Karma: 146391129
Join Date: Nov 2006
Location: Roslindale, Massachusetts
Device: Kobo Libra 2, Kobo Aura H2O, PRS-650, PRS-T1, nook STR, PW3
Quote:
Originally Posted by ratinox View Post
Funny thing about this is... if you need to write down the answers then you already have a reliable place to keep your passwords. No, seriously. Anyone who says "don't write down your passwords" is wrong. Do write them down. The "don't write down passwords" advice is in the context of insecure storage. Don't write your passwords on sticky notes tacked to your monitor. Do write them down in for example a small notebook which you keep with things like your driving license or passport.
Why would you keep a small notebook in your wallet with your driver's license?

The notebook should be kept in a secure easily accessible location.
Old 03-11-2025, 02:13 PM   #2630
Karellen
Wizard
Posts: 1,613
Karma: 9500498
Join Date: Sep 2021
Location: Australia
Device: Kobo Libra 2
Quote:
Originally Posted by ratinox View Post
Do write them down in for example a small notebook which you keep with things like your driving license or passport.
That is some pretty bad advice.
I keep my driver's licence in my wallet. My wallet gets stolen, and the thief does not have to be a genius to quickly figure out what those URLs, site names and phrases mean. There goes all my security.
My passport is in a drawer in my office... ditto above.
Old 03-11-2025, 03:05 PM   #2631
ratinox
Guru
Posts: 767
Karma: 10000000
Join Date: Oct 2016
Location: Somewhere in Time
Device: Forma, iPad Mini
Quote:
Originally Posted by Karellen View Post
That is some pretty bad advice.
No, it actually isn't. It's all about risk management. While there is a risk of your wallet being lost or stolen, that risk is extremely small, far far smaller than say the risk of the account database here at mobileread being compromised.

Security experts have been advocating it for decades. Just a few choice articles but you can easily find plenty more.

https://www.schneier.com/blog/archiv...down_your.html
https://www.personneltoday.com/hr/le...ecurity-chief/
https://blog.1password.com/safe-writ...our-passwords/

Edit:
I'm not suggesting that paper is the best way to manage passwords. Just that it is a very good one for many people when done with care.

Last edited by ratinox; 03-11-2025 at 03:16 PM.
Old 03-11-2025, 03:16 PM   #2632
JSWolf
Resident Curmudgeon
Posts: 79,785
Karma: 146391129
Join Date: Nov 2006
Location: Roslindale, Massachusetts
Device: Kobo Libra 2, Kobo Aura H2O, PRS-650, PRS-T1, nook STR, PW3
Quote:
Originally Posted by ratinox View Post
No, it actually isn't. It's all about risk management. While there is a risk of your wallet being lost or stolen, that risk is extremely small, far far smaller than say the risk of the account database here at mobileread being compromised.

Security experts have been advocating it for decades. Just a few choice articles but you can easily find plenty more.

https://www.schneier.com/blog/archiv...down_your.html
https://www.personneltoday.com/hr/le...ecurity-chief/
https://blog.1password.com/safe-writ...our-passwords/
You misunderstood. What was said to be the bad advice is your advice to keep your written password with your driver's license. That would be your wallet. And that is bad advice. The writing down your passwords was not the bad advice.
Old 03-11-2025, 03:17 PM   #2633
Karellen
Wizard
Posts: 1,613
Karma: 9500498
Join Date: Sep 2021
Location: Australia
Device: Kobo Libra 2
Quote:
Originally Posted by ratinox View Post
No, it actually isn't. It's all about risk management. While there is a risk of your wallet being lost or stolen, that risk is extremely small, far far smaller than say the risk of the account database here at mobileread being compromised.

Security experts have been advocating it for decades. Just a few choice articles but you can easily find plenty more.

https://www.schneier.com/blog/archiv...down_your.html
https://www.personneltoday.com/hr/le...ecurity-chief/
https://blog.1password.com/safe-writ...our-passwords/
Thanks for the links, but I have to say the first two links were completely underwhelming. A paragraph of text saying "writing down passwords is good".
The third link seemed to be exactly against writing down passwords, as you would expect from a site selling password manager software.
Old 03-11-2025, 04:29 PM   #2634
BetterRed
null operator (he/him)
Posts: 21,737
Karma: 30237526
Join Date: Mar 2012
Location: Sydney Australia
Device: none
Quote:
Originally Posted by ratinox View Post
No, it actually isn't. It's all about risk management. While there is a risk of your wallet being lost or stolen, that risk is extremely small…
I've 'lost' my wallet on several occasions, I've always got it back untouched:

In a document case at Crewkerne railway station (took it out of my overnight bag and forgot to put it back). BritRail held the Exeter express at Salisbury and made an unscheduled stop at Crewkerne so I could get it.

In a shoulder bag at a beach cafe in Crete. Returned 20 minutes later, it was still hanging on the back of the chair.

At Railway Square in Sydney. It was returned untouched in the mail.

On the street close to home. It was handed in to the police, who called to tell me they had it, they dropped it off a couple of hours later.

I also leave a big enough to crawl through single hung window open 365*24*7, alongside one of them hangs a spare set of keys.

The only time I lost anything of this ilk, was when the NSA shut down the Lavabit mail service because Edward Snowden used it. How did they know he used it, I suspect they already knew… but when the HRW Moscow agent posted his Lavabit address on Facebook asking "Anyone know if this is the real Edward Snowden?" and the UK Daily Telegraph and others reported her post the next day, they (Obama) had to be seen to be doing something.

BR

Last edited by BetterRed; 03-11-2025 at 04:48 PM.
Old 03-11-2025, 05:14 PM   #2635
Graham44
Addict
Posts: 289
Karma: 6426774
Join Date: Sep 2024
Device: Kobo Clara BW
Pen and paper for passwords - that way if someone wants to steal your passwords, they have to A) Find out where you live B) Break in C) Find out where you keep the notepad you write your passwords on D) then figure out what your email address is in order to log into accounts using your passwords and bonus E) If you want to make it extra secure write down your passwords in a list labelled a,b,c etc no website info then in a separate book write a = Goodreads b= Mint etc

Sometimes old school works
Old 03-11-2025, 05:35 PM   #2636
ratinox
Guru
Posts: 767
Karma: 10000000
Join Date: Oct 2016
Location: Somewhere in Time
Device: Forma, iPad Mini
Quote:
Originally Posted by JSWolf View Post
You misunderstood. What was said to be the bad advice is your advice to keep your written password with your driver's license. That would be your wallet. And that is bad advice. The writing down your passwords was not the bad advice.
Then perhaps your wallet is bad advice for you. That does not make it bad advice for many others.

Quote:
Originally Posted by Karellen View Post
Thanks for the links, but I have to say the first two links were completely underwhelming. A paragraph of text saying "writing down passwords is good".
The third link seemed to be exactly against writing down passwords, as you would expect from a site selling password manager software.
Perhaps, but in the cases of the authors of the first two articles, their reputations precede them in security circles. They don't need lengthy articles to support their assertions when they have published books and best practices whitepapers on the subject.

As for the 1password link, they don't say writing down passwords is bad. Quite the contrary: it does agree with other security experts that writing down passwords is good. But their solution is better, obviously, because they're selling software and services instead of notebooks.

Quote:
Originally Posted by Graham44 View Post
Sometimes old school works
As does "rubber hose cryptanalysis". You have to choose your threats and mitigate your risks. For some people? A piece of paper with important passwords stored in their wallet next to their license or other ID is a good idea. For some like journalists operating in countries under repressive regimes? Maybe not.
Old 03-11-2025, 09:24 PM   #2637
Solitaire1
Samurai Lizard
Posts: 14,924
Karma: 69500000
Join Date: Nov 2009
Device: NookColor, Nook Glowlight 4
Quote:
Originally Posted by Graham44 View Post
Pen and paper for passwords - that way if someone wants to steal your passwords, they have to A) Find out where you live B) Break in C) Find out where you keep the notepad you write your passwords on D) then figure out what your email address is in order to log into accounts using your passwords and bonus E) If you want to make it extra secure write down your passwords in a list labelled a,b,c etc no website info then in a separate book write a = Goodreads b= Mint etc

Sometimes old school works
Although it may sound silly, that's why Robin (Tim Drake) keeps all of his important/sensitive information written on paper. IIRC, he mentioned that if you put it on a computer, it makes it easy for a smart guy like him to get it.
Old 03-12-2025, 02:20 AM   #2638
Renate
Onyx-maniac
Posts: 3,924
Karma: 17500001
Join Date: Feb 2012
Device: Nook NST, Glow2, 3, 4, '21, Kobo Aura2, Poke3, Poke5, Go6
The biggest deal is of course to use different passwords for everything, including crappy accounts that you don't care about. Some websites force you to make an account for a one-time purchase. Generate a new password.

Generating decent random passwords is not rocket science. But you certainly can't trust any password generator that someone posts online. Maybe it's reporting every password that it generates? Write your own that you can trust.

You could also use two six-sided dice for 36 possibilities, 26 letters and ten digits. And throw another die for upper/lower?

So keep your passwords long and random. That means you'll probably end up with a list of 200 or so untypeable passwords.
Old 03-12-2025, 03:21 AM   #2639
pdurrant
The Grand Mouse 高貴的老鼠
Posts: 73,979
Karma: 315160596
Join Date: Jul 2007
Location: Norfolk, England
Device: Kindle Oasis
Quote:
Originally Posted by Renate View Post
So keep your passwords long and random. That means you'll probably end up with a list of 200 or so untypeable passwords.
Or just pick four words. CorrectHorseBatteryStaple.
Old 03-12-2025, 03:42 AM   #2640
Renate
Onyx-maniac
Posts: 3,924
Karma: 17500001
Join Date: Feb 2012
Device: Nook NST, Glow2, 3, 4, '21, Kobo Aura2, Poke3, Poke5, Go6
Quote:
Originally Posted by pdurrant View Post
Or just pick four words. CorrectHorseBatteryStaple.
Mmm, with about 10^5 words that gives you about 66 bits of entropy.
You can do about as well as that with 14 lowercase letters or 11 letters/digits.

I guess that xkcd is thinking of a field of 2048 words when they say 44 bits.

Last edited by Renate; 03-12-2025 at 03:48 AM.
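
The entropy figures in #2640 and the dice scheme and "write your own" generator from #2638, worked through as an added example that is not part of any poster's message. The function names, the case-die convention (4-6 means upper case), the constructed sample word list, and the reading of "11 letters/digits" as mixed-case letters plus digits are assumptions.

```python
import math
import secrets
import string
from collections import Counter

# 36 symbols, one per ordered (die1, die2) pair: a-z then 0-9.
DICE_ALPHABET = string.ascii_lowercase + string.digits
# Constructed sample list; a real passphrase list needs thousands of words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "window", "notebook", "wallet", "passport"]


def entropy_bits(pool_size, count):
    """Entropy of `count` independent, uniform picks from `pool_size` options."""
    return count * math.log2(pool_size)


def dice_char(die1, die2, case_die=None):
    """Map two six-sided dice (plus an optional case die) to one character.

    Assumed convention: case_die 4-6 means upper case, 1-3 lower case.
    """
    rolls = [die1, die2] + ([] if case_die is None else [case_die])
    if any(r not in range(1, 7) for r in rolls):
        raise ValueError("each die must show 1..6")
    ch = DICE_ALPHABET[(die1 - 1) * 6 + (die2 - 1)]
    # Digits have no case, so the third die only matters for the 26 letters.
    return ch.upper() if case_die is not None and case_die >= 4 else ch


def dice_char_entropy(with_case_die):
    """Shannon entropy (bits) of one dice-generated character, by enumeration."""
    case_rolls = range(1, 7) if with_case_die else [None]
    counts = Counter(dice_char(a, b, c)
                     for a in range(1, 7)
                     for b in range(1, 7)
                     for c in case_rolls)
    total = sum(counts.values())
    return -sum(n / total * math.log2(n / total) for n in counts.values())


def random_password(length, alphabet=string.ascii_letters + string.digits):
    """Uniform random password drawn from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(wordlist, count, sep="-"):
    """Passphrase of `count` words; entropy holds only for uniform random picks."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words reduce the effective pool size")
    return sep.join(secrets.choice(wordlist) for _ in range(count))


if __name__ == "__main__":
    for label, pool, n in [("4 words from 10^5", 10**5, 4),
                           ("4 words from 2048", 2048, 4),
                           ("14 lowercase letters", 26, 14),
                           ("11 of a-z A-Z 0-9", 62, 11)]:
        print(f"{label:22} {entropy_bits(pool, n):5.1f} bits")
    print("dice, no case die:  ", round(dice_char_entropy(False), 2), "bits/char")
    print("dice, with case die:", round(dice_char_entropy(True), 2), "bits/char")
    print(random_password(14), random_passphrase(SAMPLE_WORDS, 4))
```

The per-word and per-character figures only hold when every pick is uniform and independent, which is what dice or `secrets` provide and what a person choosing words by hand does not.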