Managing Usernames & Pass-Phrases

This topic contains 21 replies, has 13 voices, and was last updated by Sergtalk 6 years, 6 months ago.

  • #8410
     TomTees 
    Participant

    How do you manage all of your Usernames and Pass-Phrases?

    In the past, I just had to worry about a not-so-great log-in credential (e.g. TomTees/MyFavoritePassword).

    But now that I am adding FDE, a Personal VPN, and a Hotspot things just got much more complicated!!

    Others have recommended using one of those “digital keychains”, but I believe they are stored in RAM, and so if someone ever attacked my laptop’s memory (e.g. when I go to the restroom at McDonalds) then I’d really be screwed!!!

    I am trying to be smarter about this topic, but it has been hard enough for me to remember one new “Pass-Phrase”, let alone new Usernames and Pass-Phrases for 4 or more accounts…

    Tom

  • #52815
     Jamie.R 
    Participant

    I sometimes use password safe.

  • #52816
     UKSecurityGuy 
    Participant

    Nice and simple answer:

    http://keepass.info/

  • #52817
     superkojiman 
    Participant

    I use 1Password for most of my accounts.

  • #52818
     cd1zz 
    Participant

    Keepass

  • #52819
     hayabusa 
    Participant

    Password Corral, for most of my day-to-day stuff… High security stuff, I have my own method for creating and remembering them…

  • #52820
     dynamik 
    Participant

    +1 for 1Password. It’s synchronized across all my systems and devices.

  • #52821
     m0wgli 
    Participant

    I’ve no experience of 1Password, so was interested to see what it offered. Whilst looking into it I came across this article: http://arstechnica.com/security/2013/04/yes-design-flaw-in-1password-is-a-problem-just-not-for-end-users/

    In summary, if you use 1Password with a strong master password you’ll be ok.

    Based on what I’ve read so far I’d still use it, just thought the article might be of interest to some others.

  • #52822
     Triban 
    Participant

    PW Safe, I like having the mobile version as well. 

  • #52823
     @ the Hun 
    Participant

    LastPass Firefox extension for my web accounts, and KeePass for everything else, including my LastPass master password.

  • #52824
     TomTees 
    Participant

    Thanks for the flurry of responses, but I don’t feel like you guys answered the fundamental questions that I had/have…

    1.) Where are you supposed to store the keychains or whatever they are called?

    2.) If you store them on your computer, like I said in my OP, I was under the impression that they were stored in RAM and thus were easily hackable?

    3.) I’m unclear what the “workflow” is for how you’d use any of the products mentioned above?

    4.) Should a person choose different and “strong” Usernames for every account along with Passwords? 

    Tom

  • #52825
     dynamik 
    Participant

    Keeping things out of RAM is not going to leave you with a very usable system 😉

    If someone has that kind of access to your system, you’re pretty much hosed anyway. Who cares about scraping RAM for the encryption key when they can just wait and key-log you?

    If you want to completely separate it, store it on something like your smartphone. There are tons of apps like 1Password. I sync for convenience, but you could leave it only on your mobile device, assuming you’re comfortable with the level of authentication for that device.

    For #3 you’re just going to have to get demos, experiment, and see what works for you.

    I use a few different usernames (i.e. financial institutions are different than forums), but I don’t do anything stupid like choose a username of d23aXalx. You need to find a balance between security and usability, and most people can’t keep up with passwords, let alone what would effectively be doubling that effort.

    You should go through a resource like this and develop a decent foundation; you really just seem to be cherry-picking random items to “secure” and not focusing on a comprehensive approach to security: http://www.amazon.com/Network-Security-Bible-Eric-Cole/dp/0470502495/ref=sr_1_1?ie=UTF8&qid=1366937898&sr=8-1&keywords=network+security+bible
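Tom’s question 2 (is the keychain “stored in RAM and thus easily hackable?”) and m0wgli’s point that a strong master password is what matters both come down to the same design: the vault on disk is ciphertext under a key stretched from the master pass-phrase, and entries are plaintext only in memory while unlocked. The toy vault below is an added example, not code from 1Password, KeePass or any product named in this thread; it uses PBKDF2 from Python’s standard library, an HMAC-SHA256 counter-mode keystream as a stand-in for a real cipher, and constructed sample entries.

```python
import hashlib, hmac, json, os
from typing import Optional

# Added illustration (not any product's code): a minimal encrypted "keychain" file.
# On disk there is only ciphertext; entries exist in plaintext only in RAM while unlocked.
KDF_ROUNDS = 200_000   # constructed value; real managers tune this upward over time

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF keystream (toy stand-in for AES-CTR)
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def lock_vault(master_passphrase: str, entries: dict) -> bytes:
    """Serialise entries and encrypt them under a key derived from the master pass-phrase."""
    salt, nonce = os.urandom(16), os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", master_passphrase.encode(), salt, KDF_ROUNDS, dklen=64)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + nonce + tag + ciphertext

def unlock_vault(master_passphrase: str, blob: bytes) -> Optional[dict]:
    """Return the entries, or None if the pass-phrase is wrong or the file was tampered with."""
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    key = hashlib.pbkdf2_hmac("sha256", master_passphrase.encode(), salt, KDF_ROUNDS, dklen=64)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)

def plaintext_on_disk(blob: bytes, secret: str) -> bool:
    """Check whether a stored secret is readable in the on-disk blob."""
    return secret.encode() in blob

if __name__ == "__main__":
    # Constructed sample entries using the account types Tom mentions
    vault = {"fde": ["tom", "correct horse battery staple"], "witopia": ["tom@example.com", "Tr0ub4dor&3"]}
    blob = lock_vault("a long master pass-phrase only in my head", vault)
    assert not plaintext_on_disk(blob, "Tr0ub4dor&3")
    assert unlock_vault("wrong", blob) is None
    print(unlock_vault("a long master pass-phrase only in my head", blob))
```

The KDF rounds are what make guessing a weak master pass-phrase slow; they do nothing against someone who already runs code on the unlocked machine, which is dynamik’s point about key-logging.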

  • #52826
     TomTees 
    Participant

    @ajohnson wrote:

    Keeping things out of RAM is not going to leave you with a very usable system 😉

    You think?! Ha ha.

    @ajohnson wrote:

    If someone has that kind of access to your system, you’re pretty much hosed anyway. Who cares about scraping RAM for the encryption key when they can just wait and key-log you?

    I suppose.

    @ajohnson wrote:

    If you want to completely separate it, store it on something like your smartphone. There are tons of apps like 1Password. I sync for convenience, but you could leave it only on your mobile device, assuming you’re comfortable with the level of authentication for that device.

    I guess my point was “committing things to human memory” vs. “relying on technology to help you remember things”

    @ajohnson wrote:

    I use a few different usernames (i.e. financial institutions are different than forums), but I don’t do anything stupid like choose a username of d23aXalx.

    You lost me there on d23aXalx…

    So it sounds like you have maybe two sets of Usernames: Important ones and Casual Ones?

    But is it a sin to re-use Usernames between Accounts?

    For example, could I have the same Username for my MacBook and WiTopia log-ins?

    (BTW, I assume using your E-mail or LastName-FirstInitial for a username isn’t such a good idea, right?)

    @ajohnson wrote:

    You need to find a balance between security and usability, and most people can’t keep up with passwords, let alone what would effectively be doubling that effort.

    True.

    @ajohnson wrote:

    You should go through a resource like this and develop a decent foundation; you really just seem to be cherry-picking random items to “secure” and not focusing on a comprehensive approach to security: http://www.amazon.com/Network-Security-Bible-Eric-Cole/dp/0470502495/ref=sr_1_1?ie=UTF8&qid=1366937898&sr=8-1&keywords=network+security+bible

    Hey, I know next to nothing about computer networking or security?!

    I’m just going on what I read and others say is important, and then coming to places like here, and asking experts how to do various things.

    I would love to learn about Security in a more structured way, but my #1 goal right now is *securing* the new laptop I hope to buy soon…

    Tom

  • #52827
     dynamik 
    Participant

    @tomtees wrote:

    Hey, I know next to nothing about computer networking or security?!

    I’m just going on what I read and others say is important, and then coming to places like here, and asking experts how to do various things.

    I would love to learn about Security in a more structured way, but my #1 goal right now is *securing* the new laptop I hope to buy soon…

    Please don’t take this the wrong way, but to be completely candid: if you really cared, you’d spend ~$30 on a book and at least skim it and/or use it as a reference for specific topics.

    My exact point is that you’re not going to properly secure anything, including your laptop, unless you take the time to learn what common threats are and how to mitigate them. I’m using arbitrary numbers here, but doing really well in three areas and neglecting twelve others isn’t going to do you much good overall. “Security” means different things to different people, and unless you take the time to figure out what it means to you, you’re not going to go about it in an efficient or effective manner.

  • #52828
     TomTees 
    Participant

    @ajohnson wrote:

    Please don’t take this the wrong way, but to be completely candid: if you really cared, you’d spend ~$30 on a book and at least skim it and/or use it as a reference for specific topics.

    Hey, I never said I wouldn’t do that.

    @ajohnson wrote:

    My exact point is that you’re not going to properly secure anything, including your laptop, unless you take the time to learn what common threats are and how to mitigate them. I’m using arbitrary numbers here, but doing really well in three areas and neglecting twelve others isn’t going to do you much good overall. “Security” means different things to different people, and unless you take the time to figure out what it means to you, you’re not going to go about it in an efficient or effective manner.

    I appreciate your candor, but let me counter…

    I will be getting a new laptop in the next week and will start using it.

    There is no way I can buy, read, and apply a 400 page+ book in that time.

    So I am trying to secure things which I know are needed and important up front (e.g. FDE and strong Pass-Phrases).

    I realize that in an ideal world I’d go off to the mountain top, study up on everything for a month or two, and then come back and apply everything. But like people in most situations, that isn’t an option.

    Like most things, my suspicion is that the 80/20 rule applies here…  80% of the security can likely be covered in 20% of the things.

    In the past few weeks I have learned about and will be applying…

    1.) Strong Pass-Phrases
    2.) Secure Hotspot
    3.) FDE
    4.) Private VPN
    5.) EFI Password
    6.) Stop using Free Wi-Fi

    Is that not a good start while I’m possibly reading the book you mentioned?

    And what would be the next things I’d want to do as far as “priorities”?

    I’m all for learning, but I can’t wait to get where you guys are at before I start using it…

    Tom

  • #52829
     Questionable 
    Participant

    @tomtees wrote:

    I’m all for learning, but I can’t wait to get where you guys are at before I start using it…

    It’s good that you’re all for learning. I don’t get what you mean by using “it”, but if you want to become a security expert you’re in for a long and frustrating journey. You should attempt to incorporate the things you learn in real practice, in labs, in your day job, and applications in general. Expect to spend your time reading books, blogs, watching videos and listening to fantastic podcasts.

    People have created tools to help you, but you should also know how these tools work. I’d recommend getting a book towards the basics of the things you want to learn, that book AJ has suggested looks like it’d set you up for an awesome read and some insightful information.

    When it comes to passwords I remember everything in my head, but you should try to not use the same password. Tools like 1Password are great, because you can have it with you on the go, but if the device you’re storing it on is compromised then you’re in for a world of hurt. On that note, I will start using 1Password because I have locked myself out a few times because I can’t remember which specific password I have used for things like twitter/work.

  • #52830
     TomTees 
    Participant

    @questionable wrote:

    I’m all for learning, but I can’t wait to get where you guys are at before I start using it…

    It’s good that you’re all for learning, I don’t get what you mean by using “it”

    Um, my new MacBook…

    @questionable wrote:

    but if you want to become a security expert you’re in for a long and frustrating journey. You should attempt to incorporate the things you learn in real practice, in labs, in your day job, and applications in general. Expect to spend your time reading books, blogs, watching videos and listening to fantastic podcasts.

    My goal is not to become a security expert for a living.

    My goal was (and still is) trying to have better security and privacy for my personal laptop and this new MacBook I am buying to manage my website. (There’s a difference between that and what you are saying…)

    @questionable wrote:

    People have created tools to help you, but you should also know how these tools work. I’d recommend getting a book towards the basics of the things you want to learn, that book AJ has suggested looks like it’d set you up for an awesome read and some insightful information.

    And I would like to read such a book, and maybe someday even become a seasoned security expert like many of you.

    But my immediate need is learn *enough* to have a reasonably secure setup for managing my website while I am traveling, and then to get my damn website finished!!! 

    (I won’t need ANY security if I never buy a new MacBook and never have a website up on the Internet to conduct business?!  That comes before the book…)

    Trust me, I’d love to go off and spend 6-12 months reading and testing, but I have limited resources, i.e. only one of me and way behind schedule, so I am trying to do the best I can.

    @questionable wrote:

    When it comes to passwords I remember everything in my head, but you should try to not use the same password. Tools like 1Password are great, because you can have it with you on the go, but if the device you’re storing it on is compromised then you’re in for a world of hurt. On that note, I will start using 1Password because I have locked myself out a few times because I can’t remember which specific password I have used for things like twitter/work.

    Is it a sin to use the same Username across accounts?

    For example, if I used the same username for my Mac’s FDE and say WiTopia, would that be a sin?

    And how “strong” must a Username be?

    Can it be as simple as “TomTees” and then I invest the effort in a long and complex Pass-Phrase?

    And how fancy do I have to get with my WiTopia account?

    They require an Account Username/Password, plus a WiTopia Client Username/Password, and I think they encourage people to just use their e-mail…

    Here is a good example of where I’m unsure of what to do?

    Do I just use my Email for both?

    Do I come up with something basic like “TomTees” for each?

    Must they be different?

    And to be blunt, how crazy do I have to get with WiTopia? (I mean, do I have to secure it as much as say my FDE?)

    I’m trying to create a *balance* on this topic, but not sure where that might be…

    Tom

  • #52831
     ziggy_567 
    Participant

    @tomtees wrote:

    (BTW, I assume using your E-mail or LastName-FirstInitial for a username isn’t such a good idea, right?)

    I find it ironic that you reply to ‘ajohnson’ about username choices and mention that it’s a bad idea to use initials and names in username creation. ;D ;D ;D

    @tomtees wrote:

    For example, could I have the same Username for my MacBook and WiTopia log-ins?

    Honestly, although the username is part of the authentication, they are usually publicly (or somewhat publicly) available. I’m not sure there’s such a thing as a “secure” username.

  • #52832
     UKSecurityGuy 
    Participant

    The main threat from a consistent username across multiple services is that a determined attacker can build up a profile on you and your habits.

    For example – if you used “TomTees” as your handle for everything I might be able to locate your facebook profile, this profile, etc.

    Now if you’ve set one or more of your passwords based on your hobby, pet name, likes, dislikes, etc, I have a reasonable chance of breaking into one of your many accounts from the information I’ve gathered from the profile I built up.

    So the solution is: choose a separate secure password for each of the locations you use your TomTees username in, and make sure none of them are based upon easily guessable things.

  • #52833
     Sergtalk 
    Participant

    I use random passwords with different symbols, and store those passwords in my phone. I think it is the most secure way.

  • #52834
     Questionable 
    Participant

    @sergtalk wrote:

    I use random passwords with different symbols, and store those passwords in my phone. I think it is the most secure way.

    Was the most secure way, now we all know 😉

  • #52835
     Sergtalk 
    Participant

    You all know, but you can’t get my phone.

Copyright ©2019 Caendra, Inc.