Join Early Retirement Today
Reply
 
Thread Tools Search this Thread Display Modes
Please do not change your password
Old 04-15-2010, 08:09 AM   #1
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RonBoyd's Avatar
 
Join Date: Dec 2007
Location: Denver, Colorado
Posts: 5,280
Please do not change your password

Please do not change your password - The Boston Globe

Quote:
You were right: It’s a waste of your time. A study says much computer security advice is not worth following.
Quote:
Particularly dubious are the standard rules for creating and protecting website passwords, Herley found. For example, users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.
Quote:
So which security measures offer a reasonable return on time and effort? ... he is big on one-time measures that offer ongoing benefits, like installing the latest software to shield against viruses and spyware (set it to automatically update). ... The company also recommends activating a firewall, which “functions like a moat around a castle.” ... offer insulation from what is perhaps the biggest security menace of all: users.
__________________

__________________
"It's tough to make predictions, especially when it involves the future." ~Attributed to many
"In theory, there is no difference between theory and practice. But, in practice, there is." ~(perhaps by) Yogi Berra
"Those who have knowledge, don't predict. Those who predict, don't have knowledge."~ Lau tzu
RonBoyd is offline   Reply With Quote
Join the #1 Early Retirement and Financial Independence Forum Today - It's Totally Free!

Are you planning to be financially independent as early as possible so you can live life on your own terms? Discuss successful investing strategies, asset allocation models, tax strategies and other related topics in our online forum community. Our members range from young folks just starting their journey to financial independence, military retirees and even multimillionaires. No matter where you fit in you'll find that Early-Retirement.org is a great community to join. Best of all it's totally FREE!

You are currently viewing our boards as a guest so you have limited access to our community. Please take the time to register and you will gain a lot of great new features including; the ability to participate in discussions, network with our members, see fewer ads, upload photographs, create a retirement blog, send private messages and so much, much more!

Old 04-15-2010, 10:03 AM   #2
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Sep 2005
Location: Northern IL
Posts: 18,281
Quote:
Particularly dubious are the standard rules for creating and protecting website passwords, Herley found. For example, users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.
Thanks, now I feel much better about not changing my passwords. Procrastination often has rewards!

Seriously though, this has given me one more kick-in-the-butt that I need to get a real PW system set up. I don't want to do that if I have to change them too. I know you should have longer more complex PWs for the stuff you care about. I know there are many ways to do this and still make it easy to remember for the user. Like if you turn 60 today, maybe you include the string 'A15NtFt' which you recall as April 15, 1950, plus something unique to the site that you can remember. I just need a real system for this. Procrastination often has risks!

The mnemonic thing seems best. When I switched from TurboTax to TaxAct, after being aggravated with TT, but unsure that TA was better, my PW included something like (but not this of course) Gosh, I Sure Hope This Is Better Than Turbo Tax, so the mnemonic is GISHTIBTTT_A15NtFt

So even if you have that written down somewhere (like in your wallet, on your cell phone), a thief probably won't figure out the mnemonic (you could even throw in a word or two that you know you don't use to throw that off. Plus, don't write down the A15NtFt, just write _BD, and you know to add that. So they never have the whole thing. I'd even use some reminder for what web-site it is rather than write down "Vanguard, multi-billion dollar accounts'.

Maybe someday I'll actually do this, but it is 70F and sunny and will be 80F later, not today after our long winter.

-ERD50
__________________

__________________
ERD50 is offline   Reply With Quote
Old 04-15-2010, 10:17 AM   #3
Thinks s/he gets paid by the post
IndependentlyPoor's Avatar
 
Join Date: Jul 2009
Location: Austin
Posts: 1,142
Quote:
Originally Posted by ERD50 View Post
Maybe someday I'll actually do this, but it is 70F and sunny and will be 80F later, not today after our long winter.
I believe you have a Mac, so you might consider using the built-in Keychain Access application. The system uses it to manage security certificates, email passwords, and Safari might use it to remember passwords to websites. (I use Firefox, so not up on Safari).
Anyway, Keychain Access also has a Secure Note feature. I use it to store passwords, and other important stuff like credit card numbers. Keychain Access has spotlight feature, so it is easy to find what you want, even if you many stored notes.
When you try to open a note, it prompts you for your login password. Actually, several levels of security are possible, IIRC.
I've been using it for years, and am very pleased with it. However, paranoia prevents me from recording my bank or investment account passwords, in secure notes or otherwise.
__________________
Start by admitting
from cradle to tomb
it isn't that long a stay.
IndependentlyPoor is offline   Reply With Quote
Old 04-15-2010, 10:31 AM   #4
Thinks s/he gets paid by the post
Leonidas's Avatar
 
Join Date: May 2006
Location: Where the stars at night are big and bright
Posts: 2,847
Quote:
Originally Posted by ERD50 View Post
Like if you turn 60 today, maybe you include the string 'A15NtFt' which you recall as April 15, 1950, plus something unique to the site that you can remember.
The only problem with using passwords that have similarities like that is that once a bad dude hacks into one of the easy sites that have poor security, it's a lot easier to backwards engineer that to access the more secure sites. If you used A15NtFtFacebook, I could figure out A15NtFtFidelity, or A15NtFtUSBank, etc.

But, low hanging fruit is always easiest to pluck, and there are too many people who still use "Password", "Secret", or A15NtFt for everything.

The only place I ever sign on to anything is at home, so I feel okay about keeping my passwords written down. I let Firefox remember some of them, but anything financial is always entered manually. For a few sites I have allowed them to install cookies so they can recognize the computer as one I am associated with, I still log in using a password - it just doesn't ask me the security questions I set up. If I were ever to sign on using a different computer, it would ask me what was my first car, the name of my dog, etc., after I entered the pword.

I'm behind a NAT server with firewall, and my browser and Windows7 are set to automatically update. I feel pretty safe, as long as I'm careful and don't click on the wrong link or install some crapware.

For anything really sensitive, I use passwords that are at least 8-10 characters long, and have a mixture of upper and lower case letters in random order, interspersed with numbers and symbols. Brute force hacking to find "A8)p-3Lg*4Q" would take a zillion years to hack.
__________________
There is no pleasure in having nothing to do; the fun is having lots to do and not doing it. - Andrew Jackson
Leonidas is offline   Reply With Quote
Old 04-15-2010, 11:17 AM   #5
Moderator
ziggy29's Avatar
 
Join Date: Oct 2005
Location: Texas
Posts: 15,612
You don't change passwords to deter determined, expert hackers. You change passwords to eliminate "crimes of opportunity" by low-grade punks looking to pick the easy, low-hanging fruit.
__________________
"Hey, for every ten dollars, that's another hour that I have to be in the work place. That's an hour of my life. And my life is a very finite thing. I have only 'x' number of hours left before I'm dead. So how do I want to use these hours of my life? Do I want to use them just spending it on more crap and more stuff, or do I want to start getting a handle on it and using my life more intelligently?" -- Joe Dominguez (1938 - 1997)

RIP to Reemy, my avatar dog (2003 - 9/16/2017)
ziggy29 is offline   Reply With Quote
Old 04-15-2010, 12:15 PM   #6
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RonBoyd's Avatar
 
Join Date: Dec 2007
Location: Denver, Colorado
Posts: 5,280
Quote:
Originally Posted by ziggy29 View Post
You don't change passwords to deter determined, expert hackers. You change passwords to eliminate "crimes of opportunity" by low-grade punks looking to pick the easy, low-hanging fruit.
Out of curiosity, how, exactly, would the new password be "better" than the old one simply through change in 0's & 1's?... in detering non-determined, non-expert hackers?
__________________
"It's tough to make predictions, especially when it involves the future." ~Attributed to many
"In theory, there is no difference between theory and practice. But, in practice, there is." ~(perhaps by) Yogi Berra
"Those who have knowledge, don't predict. Those who predict, don't have knowledge."~ Lau tzu
RonBoyd is offline   Reply With Quote
Old 04-15-2010, 12:23 PM   #7
Moderator
ziggy29's Avatar
 
Join Date: Oct 2005
Location: Texas
Posts: 15,612
Quote:
Originally Posted by RonBoyd View Post
Out of curiosity, how, exactly, would the new password be "better" than the old one simply through change in 0's & 1's?... in detering non-determined, non-expert hackers?
They may not have sophisticated techniques to try a huge number of "easy" passwords in a short period of time.

When I was a Unix system administrator, we had a program called "crack" which tried millions of times to guess passwords of users by repeatedly trying common words phrases -- and close variants of common words and phrases. Some of these could be cracked in seconds, whereas some of the more "random" passwords with upper case, lower case, digits and special characters couldn't be cracked at all.

Now a high-level sophisticated user targeting an individual (or an individual server) might be able to take billions of "cracks" at a single login. This is why most consumer-grade "password security" is really only trying to stop the ability to crack "easy" or "intuitive" passwords. And it's why if someone with sufficient skill and determination *really* wants in, they'll get in unless they are caught before finishing the deed.

Also, a low-quality casual "hacker" may know enough about an individual that if they choose something that's identifiable to themselves, it doesn't take too many guesses to get in. (This is also why some applications lock out a user login for a period of time after X failed logins.)
__________________
"Hey, for every ten dollars, that's another hour that I have to be in the work place. That's an hour of my life. And my life is a very finite thing. I have only 'x' number of hours left before I'm dead. So how do I want to use these hours of my life? Do I want to use them just spending it on more crap and more stuff, or do I want to start getting a handle on it and using my life more intelligently?" -- Joe Dominguez (1938 - 1997)

RIP to Reemy, my avatar dog (2003 - 9/16/2017)
ziggy29 is offline   Reply With Quote
Old 04-15-2010, 12:39 PM   #8
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RonBoyd's Avatar
 
Join Date: Dec 2007
Location: Denver, Colorado
Posts: 5,280
Quote:
Originally Posted by ziggy29 View Post
They may not have sophisticated techniques to try a huge number of "easy" passwords in a short period of time.
Okay, that was my mistake. I was assuming that the old password was as "sophisticated" as the new one would be. So my question should have been: If you have a strong (secure as can be) password, what advantage is there to replacing it with another of equal value? Seems to me (and the point of the article) that is merely a waste of time.
__________________
"It's tough to make predictions, especially when it involves the future." ~Attributed to many
"In theory, there is no difference between theory and practice. But, in practice, there is." ~(perhaps by) Yogi Berra
"Those who have knowledge, don't predict. Those who predict, don't have knowledge."~ Lau tzu
RonBoyd is offline   Reply With Quote
Old 04-15-2010, 12:47 PM   #9
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Sep 2005
Location: Northern IL
Posts: 18,281
Quote:
Originally Posted by IndependentlyPoor View Post
I believe you have a Mac, so you might consider using the built-in Keychain Access application.
Thanks, maybe I should look into that, but I actually lean towards super-low-tech solutions for things like this. Kind of like using speed dial all the time, if I'm away from my phone, I can't remember the number. And I do spend time on my linux netbook, or occasionally log in from different places (generally unimportant sites). I also get concerned that these get broken during a system upgrade or something, so I need a backup plan anyhow (though that can be stored away from the computer).

My low tech paper back up for DW is three separate sheets of paper with url, login and PW on separate sheets. And they are offset, but there is one (obvious to us) phony one in there, and that is the key to line them up.

I use my ATM card so rarely, I have the PIN buried in the phone number of a fictitious Aunt in my phone list. Easy for me to find, no one else would know.



Quote:
Originally Posted by Leonidas View Post
The only problem with using passwords that have similarities like that is that once a bad dude hacks into one of the easy sites that have poor security, it's a lot easier to backwards engineer that to access the more secure sites. If you used A15NtFtFacebook, I could figure out A15NtFtFidelity, or A15NtFtUSBank, etc.

But, low hanging fruit is always easiest to pluck, and there are too many people who still use "Password", "Secret", or A15NtFt for everything.
Agreed, and my plan is to have a reasonably secure PW to start with (not 'Facebook', etc), and then append that A15NtFt just to add complexity to it. So even if a bad guy got that key, he'd have to figure out the other part. And like you say, there is lower hanging fruit in most cases.

-ERD50
__________________
ERD50 is offline   Reply With Quote
Old 04-15-2010, 01:14 PM   #10
Moderator
Alan's Avatar
 
Join Date: Jul 2005
Location: Eee Bah Gum
Posts: 21,100
The article didn't mention "social engineering" to get past the security questions such as when Sarah Palin's e-mail was hacked. User names are often easier to guess so you say you have lost your password and if you are lucky get a security question or two that you have researched such as mother's maiden name, or name of place you went to High School etc.

I'm not sure if banks and the like have tougher restrictions if you forget your password than relying just on the answers to security questions.

Two of the financial sites that I use have passwords that are a little out of the normal type. Treasury Direct uses a "virtual keyboard" to fool keyboard loggers, plus a variable code you enter from a card you were issued with.

With my HSBC UK bank I had to pick an 8 digit number and each time I log in I have to enter my date of birth (UK date style) and then I get asked for 3 of the 8 digits such as "Enter the 2nd, 4th and next to last numbers". In the early days of this I got it wrong 3 times and locked the account and had to speak with a security person who asked a bunch of questions, and then said my new, temporary password would be mailed to the physical address on record. A real PITA, as then I had to wait for overseas mail but I haven't accidentally locked the account since
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Now it's adventure before dementia
Alan is offline   Reply With Quote
Old 04-15-2010, 01:20 PM   #11
Moderator Emeritus
Bestwifeever's Avatar
 
Join Date: Sep 2007
Posts: 16,375
The most common password is 123456. Second most common is 12345. Some creative minds at work there!
__________________
“Would you like an adventure now, or would you like to have your tea first?” J.M. Barrie, Peter Pan
Bestwifeever is offline   Reply With Quote
Old 04-15-2010, 01:37 PM   #12
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
RonBoyd's Avatar
 
Join Date: Dec 2007
Location: Denver, Colorado
Posts: 5,280
Quote:
Originally Posted by Bestwifeever View Post
The most common password is 123456. Second most common is 12345. Some creative minds at work there!
So they must work (provide sufficient security)... otherwise the "Darwin" principle would have forced them down the list.
__________________
"It's tough to make predictions, especially when it involves the future." ~Attributed to many
"In theory, there is no difference between theory and practice. But, in practice, there is." ~(perhaps by) Yogi Berra
"Those who have knowledge, don't predict. Those who predict, don't have knowledge."~ Lau tzu
RonBoyd is offline   Reply With Quote
Old 04-15-2010, 02:33 PM   #13
Full time employment: Posting here.
 
Join Date: Sep 2004
Posts: 607
Quote:
Originally Posted by ERD50 View Post
Thanks, maybe I should look into that, but I actually lean towards super-low-tech solutions for things like this. Kind of like using speed dial all the time, if I'm away from my phone, I can't remember the number. And I do spend time on my linux netbook, or occasionally log in from different places (generally unimportant sites). I also get concerned that these get broken during a system upgrade or something, so I need a backup plan anyhow (though that can be stored away from the computer).
We switched to KeePass a year or so ago and it's been working great: KeePass Password Safe | Get KeePass Password Safe at SourceForge.net

The database is encrypted with a single password and when you want to login to a site, you can perform an 'auto-type' where it will type in the username and password into your browser window. You can also copy the username/pass into your clipboard which will then be cleared out after a certain period of time.

Keepass can also generate strong passwords which you don't have to worry about remembering since you can auto-type or cut and paste it.

Best of all, it's DW approved! DW would use 'the' as a password if she could.
__________________
WanderALot is offline   Reply With Quote
Old 04-15-2010, 04:47 PM   #14
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
donheff's Avatar
 
Join Date: Feb 2006
Location: Washington, DC
Posts: 8,643
Quote:
Originally Posted by Leonidas View Post
The only problem with using passwords that have similarities like that is that once a bad dude hacks into one of the easy sites that have poor security, it's a lot easier to backwards engineer that to access the more secure sites. If you used A15NtFtFacebook, I could figure out A15NtFtFidelity, or A15NtFtUSBank, etc.
I use an approach somewhat like what ERD mentions and I think it is fairly secure. When someone breaks into a site they don't get clear text passwords. They get an encrypted password file. They run cracker software against it and break the easy passwords though dictionary programs and brute force. It is unlikely that the complex password would get decrypted. I suppose some sites may use ridiculously weak encryption and pose a bigger risk. But sites that matter like banks, brokerage houses, etc are not in that category. Use a simple PW at routine websites and ERD type passwords at critical sites. For the most part I don't think of online shopping sites as falling in the critical category. Crackers tend to grab customer names and credit card numbers from them, not passwords. I just chalk up a CC compromise to the cost of living. It is a minor hassle but no cost to me. If you worry about CC numbers you can always use something like one time numbers.
__________________
Every man is, or hopes to be, an Idler. -- Samuel Johnson
donheff is offline   Reply With Quote
Old 04-15-2010, 04:56 PM   #15
Thinks s/he gets paid by the post
Rustic23's Avatar
 
Join Date: Dec 2005
Location: Lake Livingston, Tx
Posts: 3,624
When I create a password, I email it to myself at my gmail account, then put it in a folder that is labeled Keep. Ok, someone could hack my email account and get my password. If the figured out fireuhabales23$tpjdiel@3dk08 then they may be able to figure out how to log onto this site and leave some really nasty threads. So if you see any from me, remember someone hacked my gmail account.
__________________
If it is after 5:00 when I post I reserve the right to disavow anything I posted.
Rustic23 is offline   Reply With Quote
Old 04-15-2010, 05:06 PM   #16
Thinks s/he gets paid by the post
Leonidas's Avatar
 
Join Date: May 2006
Location: Where the stars at night are big and bright
Posts: 2,847
Quote:
Originally Posted by donheff View Post
When someone breaks into a site they don't get clear text passwords. They get an encrypted password file.
I always thought that was the case until I watched a documentary on cyber crime and they explained how there are some sites out there that have almost no security at all, and that hackers would steal names and passwords there, and then go try the same name and password on more secure sites. Some people just use the same info for every website.
__________________
There is no pleasure in having nothing to do; the fun is having lots to do and not doing it. - Andrew Jackson
Leonidas is offline   Reply With Quote
Old 04-15-2010, 05:16 PM   #17
Recycles dryer sheets
 
Join Date: Sep 2009
Posts: 353
While programs buy you convenience, I don't really want to trust them with most important passwords (imagine some virus hacking into them). I like the low-tech approach where I have a simple encoding / decoding scheme I can do in my head and use it to record passwords on a piece of paper. Another part of the password I memorize (or you can think of it as part of the encoding scheme). So, even if some super-hacker finds the piece of paper (how likely is that?!), it would be pretty meaningless to them since at least part of the password is in my head... and I have a good encoding scheme too

One remaining piece: some way to fight the keyloggers, rootkits, and any other spyware...
__________________
smjsl is offline   Reply With Quote
Old 04-15-2010, 06:51 PM   #18
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
donheff's Avatar
 
Join Date: Feb 2006
Location: Washington, DC
Posts: 8,643
Quote:
Originally Posted by Leonidas View Post
I always thought that was the case until I watched a documentary on cyber crime and they explained how there are some sites out there that have almost no security at all, and that hackers would steal names and passwords there, and then go try the same name and password on more secure sites. Some people just use the same info for every website.
Good point and a real danger. That's why I distinguish between what I described as "critical" sites that actually have control over my money or other things of importance to me and everything else. It is important to use strong passwords at critical sites and to protect those passwords. It is also important not to use those crtical passwords routinely.
__________________
Every man is, or hopes to be, an Idler. -- Samuel Johnson
donheff is offline   Reply With Quote
Old 04-15-2010, 07:11 PM   #19
Moderator
Alan's Avatar
 
Join Date: Jul 2005
Location: Eee Bah Gum
Posts: 21,100
Quote:
Originally Posted by Leonidas View Post
I always thought that was the case until I watched a documentary on cyber crime and they explained how there are some sites out there that have almost no security at all, and that hackers would steal names and passwords there, and then go try the same name and password on more secure sites. Some people just use the same info for every website.
Absolutely correct which is why I have different passwords on my financial sites. If a company can tell you what your password or PIN is then they have an unencrypted password file, or their administrators / helpdesk folk have the encryption key to the password file. A helpdesk should be able to set a new password on your account, not tell you what your current password is.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Now it's adventure before dementia
Alan is offline   Reply With Quote
Old 04-15-2010, 07:32 PM   #20
Thinks s/he gets paid by the post
Rustward's Avatar
 
Join Date: Apr 2006
Posts: 1,572
Quote:
Originally Posted by Alan View Post
A helpdesk should be able to set a new password on your account, not tell you what your current password is.
Absolutely right. If a helpdesk can tell you your password or PIN you should probably not be doing business with them.

Had to reset my (online bank) password yesterday. They require you to speak with an agent after you enter your new password to authenticate you. The first thing the agent told me is "do not tell me your old password or your new password.".

Then he proceeded to ask me 5 or 6 questions that only the account holder would know -- where did you open the account, how do you move money in and out, SSN, a couple of secret question/answer things I entered when opening the account.

Now, the phone call was setup by some kind of third party thingy that you click on in their web site. It called me and told me it was connecting me with an agent. Then it occurred to me that I could have been phished. I explained to the agent that I just gave out a lot of my account information to someone I was not absolutely certain was an (insert name of online bank) agent. So I asked him to tell me the account balance and the last two transactions. He passed my little authentication test.

Sorry for drifting a little.
__________________

__________________
Rustward is offline   Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Email/Password Change--Help! Orchidflower Forum Admin 3 04-10-2010 04:51 PM
Password Management Martha Other topics 31 02-08-2007 12:12 AM
Double entry of password theloneranger FIRECalc support 0 02-02-2007 11:29 AM
WEP Password TromboneAl Other topics 6 07-31-2006 12:31 PM

 

 
All times are GMT -6. The time now is 10:54 PM.
 
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.