[Macworld]

Post your comments for When password security questions aren't secure here

[lkrndu]

These recent articles about account security and passwords have all be informative and thought-provoking.

So there is one thought that seems missing, although a version of this did appear in one or more of the same articles. That is, to store long, strong passwords in an encrypted file on an (encrypted) USB drive you carry with you . . . like one more house or vehicle key.

The password for THAT encrypted file might be written down and carried with the same care as house keys and credit cards, or might not.

The thought comes to mind, suppose that encryption key were something odd, brief, and readily memorable for you. Not un-hackable but enough to at least slow down a malefactor who found your lost USB key; you'd have time to change the passwords on your affected accounts. Might even keep a spare set of keys -- USB drives -- somewhere safe, too.

So there's an idea I haven't seen brought up as much as it might merit.

And one question, what's the take on keeping a copy of the password file, strongly encrypted, in cloud storage where you could retrieve it in case of need?

[spanky]

A program like 1password really makes answering these questions secure. You can have it generate passwords like n$F^O>=g|07-62q^#X as the answer to your mother's maiden name. When people put the real answers in, it detracts from the ability to keep information secure.

[TeaEarleGreyHot]

Something I'd like to see addressed more thoroughly is the frequency with which some institutions require you to change your password. My bank used to require it quarterly, and I guess I wasn't the only customer who threatened to close their account because of that nonsense. My employer requires me to change the password every eight weeks--even more foolish--and won't let me use a password that has been used in the last 18 changes.

[bastion]

TeaEarleGreyHot, on 29 November 2012 - 08:15 AM, said:

Something I'd like to see addressed more thoroughly is the frequency with which some institutions require you to change your password. My bank used to require it quarterly, and I guess I wasn't the only customer who threatened to close their account because of that nonsense. My employer requires me to change the password every eight weeks--even more foolish--and won't let me use a password that has been used in the last 18 changes.

Security and convenience are almost necessarily at odds.

[macsrwe]

Quote

Security and convenience are almost necessarily at odds.

Any security that rejects the true owner more often than the potential burglar is over-engineered. The "lost password dance" is an inherently insecure interlude, and forcing a true owner to perform it several times a year not only reduces his account security, but helps mask attempts by potential burglars by allowing them to hide in the noise. I don't know anybody who changes their physical door locks even annually.

[PwdRsch]

Quote

My employer requires me to change the password every eight weeks--even more foolish--and won't let me use a password that has been used in the last 18 changes.

How often to change passwords is certainly debatable, but why are you complaining that you can't use one of your previous 18 passwords? Maybe you weren't happy about the forced password change, but surely you can see the danger in using a password over again?

[PwdRsch]

Quote

Security and convenience are almost necessarily at odds. Any security that rejects the true owner more often than the potential burglar is over-engineered.

As a general rule that sounds nice, but in practice it isn't true at all. A legitimate user might experience authentication problems (password typos) several times a week. We don't throw in the towel and say we're getting rid of passwords because an attacker can make educated guesses and impersonate that user with fewer failures.

Quote

The "lost password dance" is an inherently insecure interlude, and forcing a true owner to perform it several times a year not only reduces his account security, but helps mask attempts by potential burglars by allowing them to hide in the noise. I don't know anybody who changes their physical door locks even annually.

This analogy would make sense if everyone around the globe had access to your door and could attempt to pick the lock while drawing little attention to themselves.

How do you see user-triggered password recovery as an 'inherently insecure interlude'? If the password recovery function is insecure then that is true whether the user makes use of it or not. Most of the time an attacker will attack it directly rather than waiting for a user to forget their password.

[alanskyone]

Personally, I think that I am more likely to be hit by a falling asteroid than to have my personal accounts hacked. Why would anyone with the necessary skills bother to hack a single user account when they can hack databases containing longin info for millions of accounts? It seems to me that the latter scenario is much more likely. If BofA's database is hacked and I have a BofA online account, my BofA login is compromised no matter what else I might have done to make it secure. If I have used the same password for other online accounts, then all of those accounts are also compromised.

[Deandre012]

I personally use SplashData's SplashID Safe to generate strong passwords. In this case, I don't need to devise any scheme to remember my passwords. The application's unlock password or pattern is the only thing to remember. Try it. Highly recommended.

[TeaEarleGreyHot]

Deandre012, on 29 November 2012 - 02:41 PM, said:

I personally use SplashData's SplashID Safe to generate strong passwords. In this case, I don't need to devise any scheme to remember my passwords. The application's unlock password or pattern is the only thing to remember. Try it. Highly recommended.

That's great if you're always using your own laptop for passwords. But I have to use multiple computers, multiple devices. I can't even update the OS X on my work Mac without having an AppleID, password, and my personal credit card registered! It seems to me that power is being taken out of the user's hands and being put back into the "IT Support" hands, very clearly. My employer might give a credit card number to the IT guy, but certainly not to the thousands of employees. Apple has made everything much more difficult in the past 2 years... for me at least.

But some of us travel, use public computers or friend's computers or have multiple work locations. We can't keep all our passwords on one machine. It just doesn't work.

This post has been edited by TeaEarleGreyHot: 29 November 2012 - 03:30 PM

[GeorgeBridges]

The only problem with all this advice is that those of us who are getting older are having significant memory problems and we don't always have helpful friends or family members who can help. Sometimes simplicity is our only option.

[compudude]

Quote

Deandre012 said
I personally use SplashData's SplashID Safe to generate strong passwords. In this case, I don't need to devise any scheme to remember my passwords. The application's unlock password or pattern is the only thing to remember. Try it. Highly recommended. That's great if you're always using your own laptop for passwords. But I have to use multiple computers, multiple devices. I can't even update the OS X on my work Mac without having an AppleID, password, and my personal credit card registered! It seems to me that power is being taken out of the user's hands and being put back into the "IT Support" hands, very clearly. My employer might give a credit card number to the IT guy, but certainly not to the thousands of employees. Apple has made everything much more difficult in the past 2 years... for me at least. But some of us travel, use public computers or friend's computers or have multiple work locations. We can't keep all our passwords on one machine. It just doesn't work.

You don't need to, with a product like 1password. It has versions that run on Mac, Windows, iPhones, iPads, and Android... and it stores it's super-encrypted password database on DropBox, so all of those devices are kept in sync. It's not the cheapest solution out there, but it's the most flexible and most powerful I've seen by far.

[jimcintosh]

Rather than go through the bother of inventing a fake past history or saying that your mother's maiden name was E27jrdU!8, just use the real answer and append a digit or number to the end of it. If you append a "5" or "X" to every answer, you'll remember it and no hacker will guess it. Smithz is just as secure as the unmemorizable E27jrdU!8.