Passwords make me cry

Catchfire

 

Google Chrome’s Insanely Open Password Security Strategy

See that “show” button? It does what you think it does.

There’s no master password, no security, not even a prompt that “these passwords are visible”. Visit chrome://settings/passwords in Chrome if you don’t believe me....

In a world where Google promotes its browser on YouTube, in cinema pre-rolls, and on billboards, the clear audience is not developers. It’s the mass market - the users. The overwhelming majority. They don’t know it works like this. They don’t expect it to be this easy to see their passwords. Every day, millions of normal, every-day users are saving their passwords in Chrome. This is not okay.

 

And the customary word from xkcd:

Unionist

Never use your browser to save your passwords. Turn that thingy off right now.

If you must use anything, use Lastpass (http://www.lastpass.com).

And I love xkcd.

Catchfire

Yes, I meant to add a plug for Lastpass (or 1Pass) -- although apparently that only adds a thin veneer of "security" (sic) to the whole "passwords-authenticating-identity" fetish of late capitalism.

Unionist

Thin veneers are good. Easier to remove with varsol.

The new spelling is sicurity.

And the moral of the story: Given the state of NSA technology, never have a thought you wouldn't want made public.

 

Sineed

An IT-savvy friend suggested to me years ago that the safest way to remember your passwords is by writing them on a piece of paper and putting it in your desk. Unless they physically break into your house, they won't find them.

Thoughts? Suggestions?

Catchfire

I had a response written down to that but I forgot where I put it.

Sineed

Catchfire wrote:

I had a response written down to that but I forgot where I put it.

Laughing

To be clear, I don't do that, instead changing and remembering passwords with a system I keep in my brain. 

jas

Sineed wrote:

An IT-savvy friend suggested to me years ago that the safest way to remember your passwords is by writing them on a piece of paper and putting it in your desk. Unless they physically break into your house, they won't find them.

Thoughts? Suggestions?

And hopefully no one will ever physically break into your house.

Maysie

Unionist wrote:

never have a thought you wouldn't want made public.

 

I love you, Unionist!!

Oops.

RevolutionPlease

Why think it if you wouldn't share it?

Unionist

Maysie wrote:
I love you, Unionist!!

Oh great, just great, now that true confession will inhabit social media forever.

Anyway, I hope that's the last pass (http://lastpass.com) you make at me in this thread!

Catchfire

I alternate my passwords between "Maysierulez" and "Unionistsux" on odd and even days. So far it's never been hacked.

Maysie

Eye L0v3 uu [email protected]

Hee hee nobody will know what that means.

DaveW

I use the same password everywhere: * * * * * * * *

Catchfire

lulz at Maysie and DaveW

Francesca Allan

Besides the danger that, if it is discovered, then access to all your data is available, is there any downside to using the same password for every site you access? I'm concerned about the post above (somewhere) saying it's dangerous to have your browser save your passwords. I do note that some of my sites (banking, school and a few others) don't let you save your password; you have to enter it every time. I wouldn't mind doing that for all of them if I could use the same password.

Unionist

Francesca, it's a really bad idea to use the same password for all your sites. The simple solution is (to repeat myself) a service like Lastpass. It will allow you to pick one single master password to access all your sites - including banking, school, etc. which are now not saveable for you - but each individual site will have its own unique password which you don't need to remember.

 

Noops

Unionist wrote:

... The simple solution is (to repeat myself) a service like Lastpass. It will allow you to pick one single master password to access all your sites - including banking, school, etc. which are now not saveable for you - but each individual site will have its own unique password which you don't need to remember.

 

I had never heard of Lastpass before reading this thread now.
So I hopped over to their site and watched a few videos on what it is and does.

I won't be using Lastpass anytime soon and I DON'T recommend anyone here to use it either.

What Unionist hasn't said is that Lastpass stores all of your passwords (and presumably millions of other people's passwords) on their website.

Now if you feel safe with this scenario, then by all means go ahead and use the software.

I would rather have all of my passwords stored on my computer rather than on a company's website.
I trust myself over the company's employees and potential cyber hackers.

If you were a cyber hacker and had a choice of targets to hack, would you concentrate your efforts to hack into:

A) an individual's personal computer
B) a company that does nothing but store millions and millions of passwords?

Unionist

Noops - everyone should use passwords in a way that makes them feel comfortable. I kinda figured that with millions and millions of passwords on their site, the chances of a Lastpass hacker emptying my (already empty) bank account would be - well, you do the math. On the other hand, the chances of me forgetting my passwords (or, to avoid that, using stupidly repetitive and simple ones) are, shall we say, good. But that's just me.

By the way, I used credit cards to order stuff on the internet back in 1996 or so. I know people who wouldn't do so for years after that, for reasons I never fathomed. Today, I don't know anyone like that. Probably because they don't call me any more...

 

lombar

Keepass2 stores your passwords in an encrypted file on your computer. Lastpass sends your passwords to their server but not in the open, they encrypt on your computer first. I prefer this Keepass2 but I only store my bank card number in there without the password, I just remember that. (and it's written down) Everything else I keep in there, email, websites.

http://keepass.info/

"KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page. "

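The idea lombar describes above (the vault is encrypted on your own computer with a key derived from the master password, so a file on disk or a sync server only ever holds ciphertext), as an added Python sketch that is not part of the original thread and is not KeePass's or Lastpass's code. It uses an HMAC-SHA256 keystream as a standard-library stand-in for AES; the function names, iteration count and sample entry are assumptions.

```python
import hashlib, hmac, json, secrets

PBKDF2_ITERATIONS = 200_000  # assumed work factor for this sketch
SAMPLE_ENTRIES = {"example.org": "constructed-sample-pw"}  # constructed sample data

def _derive_keys(master_password, salt):
    # Stretch the master password into 64 bytes: 32 for encryption, 32 for the MAC.
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]

def _keystream(enc_key, nonce, length):
    # HMAC-SHA256 in counter mode: stand-in for AES-CTR (assumption, stdlib only).
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal_vault(master_password, entries):
    """Encrypt locally; the returned blob is all a disk or server would hold."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    stream = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Encrypt-then-MAC: the tag covers salt, nonce and ciphertext.
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + tag + ct

def open_vault(master_password, blob):
    """Return the entries; ValueError on a wrong password or a modified blob."""
    salt, nonce, tag, ct = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered vault")
    stream = _keystream(enc_key, nonce, len(ct))
    return json.loads(bytes(c ^ k for c, k in zip(ct, stream)))

if __name__ == "__main__":
    blob = seal_vault("correct horse battery staple", SAMPLE_ENTRIES)
    print(len(blob), "bytes stored;", open_vault("correct horse battery staple", blob))
```
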
kropotkin1951

I doubt if it matters to either NSA or CSIS which one you use.

Cool

Noops

Unionist wrote:

Noops - everyone should use passwords in a way that makes them feel comfortable....

By the way, I used credit cards to order stuff on the internet back in 1996 or so. I know people who wouldn't do so for years after that, for reasons I never fathomed. Today, I don't know anyone like that. Probably because they don't call me any more...

 

I agree that everyone should be comfortable with the way they use passwords. I just thought I would point out to those who read your posts above that your passwords would be stored on a company's server.

I too was a pioneer with credit card payments. I started making mine in the 90's as well.  :)

Noops

lombar wrote:

http://keepass.info/

"KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page. "

Thanks lombar.

I've been using Password Safe to manage my passwords for more than 15 years.

http://passwordsafe.sourceforge.net/

Noops

kropotkin1951 wrote:

I doubt if it matters to either NSA or CSIS which one you use.

Cool

 

I can't argue with that. Wink