
Managing Usernames & Pass-Phrases

<<

TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Wed Apr 24, 2013 11:32 pm

Managing Usernames & Pass-Phrases

How do you manage all of your Usernames and Pass-Phrases?

In the past, I just had to worry about a not so great log in credential (e.g. TomTees/MyFavoritePassword)

But now that I am adding FDE, a Personal VPN, and a Hotspot things just got much more complicated!!

Others have recommended using one of those "digital keychains", but I believe they are stored in RAM, and so if someone ever attacked my laptop's memory (e.g. when I go to the restroom at McDonalds) then I'd really be screwed!!!

I am trying to be smarter about this topic, but it has been hard enough for me to remember one new "Pass-Phrase", let alone new Usernames and Pass-Phrases for 4 or more accounts...


Tom
<<

Jamie.R

Sr. Member

Posts: 435

Joined: Mon Aug 06, 2012 9:57 am

Location: UK

Post Thu Apr 25, 2013 1:59 am

Re: Managing Usernames & Pass-Phrases

I sometimes use password safe.
| OSWP | eCPPT Silver and Gold | eWPT |

I'm an InterN0T'er
<<

UKSecurityGuy

Jr. Member

Posts: 88

Joined: Wed Mar 27, 2013 10:51 am

Post Thu Apr 25, 2013 6:13 am

Re: Managing Usernames & Pass-Phrases

Nice and simple answer:

http://keepass.info/
<<

superkojiman

Jr. Member

Posts: 81

Joined: Thu Sep 20, 2012 9:42 pm

Post Thu Apr 25, 2013 7:48 am

Re: Managing Usernames & Pass-Phrases

I use 1Password for most of my accounts.
OSCP + OSCE
<<

cd1zz

Recruiters

Posts: 566

Joined: Sun Oct 03, 2010 9:01 pm

Post Thu Apr 25, 2013 8:02 am

Re: Managing Usernames & Pass-Phrases

Keepass
<<

hayabusa

Hero Member

Posts: 1661

Joined: Mon Jan 29, 2007 2:59 pm

Post Thu Apr 25, 2013 9:38 am

Re: Managing Usernames & Pass-Phrases

Password Corral, for most of my day-to-day stuff...  High security stuff, I have my own method for creating and remembering them...
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP , GPEN, C|EH
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Apr 25, 2013 11:21 am

Re: Managing Usernames & Pass-Phrases

+1 for 1Password. It's synchronized across all my systems and devices.
The day you stop learning is the day you start becoming obsolete.
<<

m0wgli

Sr. Member

Posts: 308

Joined: Fri Jul 20, 2012 3:34 pm

Post Thu Apr 25, 2013 5:26 pm

Re: Managing Usernames & Pass-Phrases

I've no experience of 1Password, so was interested to see what it offered. Whilst looking into it I came across this article: http://arstechnica.com/security/2013/04 ... end-users/

In summary, if you use 1Password with a strong master password you'll be ok.

Based on what I've read so far I'd still use it, just thought the article might be of interest to some others.
Security + | OSWP | eCPPT (Silver & Gold) | CSTA
<<

Triban

Hero Member

Posts: 620

Joined: Fri Feb 19, 2010 4:17 pm

Post Thu Apr 25, 2013 5:31 pm

Re: Managing Usernames & Pass-Phrases

PW Safe, I like having the mobile version as well. 
Certs: GCWN
(@)Dewser
<<

@~ the Hun

Newbie

Posts: 3

Joined: Fri Oct 28, 2011 6:48 pm

Post Thu Apr 25, 2013 7:19 pm

Re: Managing Usernames & Pass-Phrases

LastPass Firefox extension for my web accounts, and KeePass for everything else, including my LastPass master password.
<<

TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Thu Apr 25, 2013 7:37 pm

Re: Managing Usernames & Pass-Phrases

Thanks for the flurry of responses, but I don't feel like you guys answered the fundamental questions that I had/have...

1.) Where are you supposed to store the keychains or whatever they are called?

2.) If you store them on your computer, like I said in my OP, I was under the impression that they were stored in RAM and thus were easily hackable?

3.) I'm unclear what the "workflow" is for how you'd use any of the products mentioned above?

4.) Should a person choose different and "strong" Usernames for every account along with Passwords? 


Tom
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Apr 25, 2013 8:05 pm

Re: Managing Usernames & Pass-Phrases

Keeping things out of RAM is not going to leave you with a very usable system ;)

If someone has that kind of access to your system, you're pretty much hosed anyway. Who cares about scraping RAM for the encryption key when they can just wait and key-log you?

If you want to completely separate it, store it on something like your smartphone. There are tons of apps like 1Password. I sync for convenience, but you could leave it only on your mobile device, assuming you're comfortable with the level of authentication for that device.

For #3 you're just going to have to get demos, experiment, and see what works for you.

I use a few different usernames (i.e. financial institutions are different than forums), but I don't do anything stupid like choose a username of d23aXalx. You need to find a balance between security and usability, and most people can't keep up with passwords, let alone what would effectively be doubling that effort.

You should go through a resource like this and develop a decent foundation; you really just seem to be cherry-picking random items to "secure" and not focusing on a comprehensive approach to security: http://www.amazon.com/Network-Security- ... rity+bible
The day you stop learning is the day you start becoming obsolete.
<<

TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Thu Apr 25, 2013 9:09 pm

Re: Managing Usernames & Pass-Phrases

ajohnson wrote: Keeping things out of RAM is not going to leave you with a very usable system ;)


You think?! Ha ha.


ajohnson wrote: If someone has that kind of access to your system, you're pretty much hosed anyway. Who cares about scraping RAM for the encryption key when they can just wait and key-log you?


I suppose.


ajohnson wrote: If you want to completely separate it, store it on something like your smartphone. There are tons of apps like 1Password. I sync for convenience, but you could leave it only on your mobile device, assuming you're comfortable with the level of authentication for that device.


I guess my point was "committing things to human memory" vs. "relying on technology to help you remember things"


ajohnson wrote: I use a few different usernames (i.e. financial institutions are different than forums), but I don't do anything stupid like choose a username of d23aXalx.


You lost me there on d23aXalx...

So it sounds like you have maybe two sets of Usernames: Important ones and Casual Ones?

But is it a sin to re-use Usernames between Accounts?

For example, could I have the same Username for my MacBook and WiTopia log-ins?

(BTW, I assume using your E-mail or LastName-FirstInitial for a username isn't such a good idea, right?)


ajohnson wrote: You need to find a balance between security and usability, and most people can't keep up with passwords, let alone what would effectively be doubling that effort.


True.


ajohnson wrote: You should go through a resource like this and develop a decent foundation; you really just seem to be cherry-picking random items to "secure" and not focusing on a comprehensive approach to security: http://www.amazon.com/Network-Security- ... rity+bible


Hey, I know next to nothing about computer networking or security?!

I'm just going on what I read and others say is important, and then coming to places like here, and asking experts how to do various things.

I would love to learn about Security in a more structured way, but my #1 goal right now is *securing* the new laptop I hope to buy soon...


Tom
<<

dynamik

Recruiters

Posts: 1119

Joined: Sun Nov 09, 2008 11:00 am

Location: Mile High City

Post Thu Apr 25, 2013 10:16 pm

Re: Managing Usernames & Pass-Phrases

TomTees wrote: Hey, I know next to nothing about computer networking or security?!

I'm just going on what I read and others say is important, and then coming to places like here, and asking experts how to do various things.

I would love to learn about Security in a more structured way, but my #1 goal right now is *securing* the new laptop I hope to buy soon...


Please don't take this the wrong way, but to be completely candid: if you really cared, you'd spend ~$30 on a book and at least skim it and/or use it as a reference for specific topics.

My exact point is that you're not going to properly secure anything, including your laptop, unless you take the time to learn what common threats are and how to mitigate them. I'm using arbitrary numbers here, but doing really well in three areas and neglecting twelve others isn't going to do you much good overall. "Security" means different things to different people, and unless you take the time to figure out what it means to you, you're not going to go about it in an efficient or effective manner.
The day you stop learning is the day you start becoming obsolete.
<<

TomTees

Newbie

Posts: 45

Joined: Mon Apr 01, 2013 1:32 pm

Post Thu Apr 25, 2013 11:08 pm

Re: Managing Usernames & Pass-Phrases

ajohnson wrote: Please don't take this the wrong way, but to be completely candid: if you really cared, you'd spend ~$30 on a book and at least skim it and/or use it as a reference for specific topics.


Hey, I never said I wouldn't do that.


My exact point is that you're not going to properly secure anything, including your laptop, unless you take the time to learn what common threats are and how to mitigate them. I'm using arbitrary numbers here, but doing really well in three areas and neglecting twelve others isn't going to do you much good overall. "Security" means different things to different people, and unless you take the time to figure out what it means to you, you're not going to go about it in an efficient or effective manner.


I appreciate your candor, but let me counter...

I will be getting a new laptop in the next week and will start using it.

There is no way I can buy, read, and apply a 400 page+ book in that time.

So I am trying to secure things which I know are needed and important up front (e.g. FDE and strong Pass-Phrases).

I realize that in an ideal world I'd go off to the mountain top, study up on everything for a month or two, and then come back and apply everything.  But like people in most situations, that isn't an option.

Like most things, my suspicion is that the 80/20 rule applies here...  80% of the security can likely be covered in 20% of the things.

In the past few weeks I have learned about and will be applying...

1.) Strong Pass-Phrases
2.) Secure Hotspot
3.) FDE
4.) Private VPN
5.) EFI Password
6.) Stop using Free Wi-Fi


Is that not a good start while I'm possibly reading the book you mentioned?


And what would be the next things I'd want to do as far as "priorities"?

I'm all for learning, but I can't wait to get where you guys are at before I start using it...


Tom