Secure Storage

  • Keep in mind that there's another school of thought, that passwords are like underwear. You should have them, they shouldn't be visible nor hidden under your keyboard, definitely shouldn't be stuck to the side of your desk or cubicle or computer, they should be secure, and you should change them frequently.

    I disagree with it, as do many others, but it's an ongoing conflict, not a won war.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

  • GSquared: I appreciate your balanced cautionary post. Probably taking the analogy too far, your post sparked these thoughts in me (meant to be somewhat funny):

    But if there is an emergency, someone will need to be able to get under my underwear. My undergarments need to be breach-able by someone who doesn't have the key to my belt and pants. I'd rather have the rare, accidental peep show than have the underwear be an impediment in an emergency.

    And if I'm going to change my underwear often, the underwear needs to be easily accessible. If I have to go through too much effort to make the change, I may just elect to skip the underwear all together. Let's just not go there.

    And I'm on a budget. I can only afford so many pairs of underwear made of the strong cloth. You know, the ones that are uniquely made for each person and sold one at a time with all those insurance/administrative costs. The ugly ones that are so embarrassing that I'd hesitate to use them on a daily basis for my normal work-a-day.

    And let's face it, there's a whole lot more of me that needs protecting than what is covered by my underwear.

    Etc. (I know you weren't agreeing with the underwear analogy. I just wanted to have some fun with it.)

  • That's why I prefer tokens as a security measure over passwords.

    Another weakness of passwords is (to stretch the underwear till it's worn out), your doctor needs to be able to bypass them if you're unconscious.

    A real-life situation that I read about: A guy was an avid World of Warcraft player, very active in his guild, and was the admin of the guild web page (if I remember correctly). One day, there was a bit of an argument in the guild chat channel, right at the end of the day, and they never saw him sign on again. They couldn't get into their web page to administer it. His friends were, understandably, upset with him, and thought he was being childish about the minor argument.

    A few weeks later, his adult daughter was finally able to hack the account (I can't remember if Blizzard customer service helped with this or was unhelpful), and let them know that the guy had died in his sleep the night after the argument. Natural causes and all that, as apparently he was old or unhealthy or some such.

    The fact that he had a strong password, didn't write it down, didn't let family know what it was, etc., made the account "too secure" in some ways.

    If his daughter had been able to access a security token, instead of having to guess/find out a password, she'd have been able to log in and tell his friends, and some anguish would have been avoided. (Imagine how they felt about all their complaining after they found out what really happened.)

    Same sort of thing has caused problems with getting important information out of family e-mail accounts, in similar cases.

    With so many relationships online these days, the ability to hand account access down to a family lawyer, family member, or someone of a similar nature, matters.

    If you change passwords regularly, and that's your primary security measure, you can't just put that kind of data into a will and keep that locked in a bank box or secured with a law firm. By the time it's needed, it won't be valid (one can hope it's not needed immediately, anyway). An algorithm that's completely dependent on time could be recorded in a will, but would reduce the effectiveness of changing passwords regularly anyway.

    On the other hand, writing it down at all and letting other people have access to it, nearly eliminates its usefulness as a security measure in the first place.

    Perfect solution to that kind of situation? I don't know. But some sort of solution is definitely needful, and tokens would be better than passwords for all of these situations.

    - Gus "GSquared", RSVP, OODA, MAP, NMVP, FAQ, SAT, SQL, DNA, RNA, UOI, IOU, AM, PM, AD, BC, BCE, USA, UN, CF, ROFL, LOL, ETC
    Property of The Thread

    "Nobody knows the age of the human race, but everyone agrees it's old enough to know better." - Anon

  • What a story!

  • GSquared (4/29/2009)

    There is no perfect solution.

    (snipped some)

    ...routinely changing passwords causes a net reduction in security over time, because of the very factors you're dealing with here. The "change your password every X days" rules create the illusion of security while reducing its actuality.

    True. There are many metaphors that fit this analogy. Security keeps honest people honest. Weak link is usually at the data usage end when it is being flung around in CSV and Excel files and such.

    Some measure of security is in order, but 30 days is just overkill. Mandates be shunned.

  • I like the idea of keeping passwords, keys, etc. in an encrypted file or database. There are many variations of this, and some have been mentioned already.

    I already use the commercial software RoboForm to store web site passwords, and it includes a "SafeNotes" facility to store arbitrary text in the encrypted form. As long as there aren't too many of these bits of information, that seems a reasonable solution.

    Many other such software systems exist, including the open source KeePass. Of course Windows can encrypt the files in a designated folder also.
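What RoboForm's SafeNotes, KeePass and EFS all do underneath is wrap the secrets in a key derived from one master passphrase, plus an integrity check so a wrong passphrase or a tampered file is detected rather than silently yielding garbage. The block below is an added, self-contained sketch of that shape written for this page, not the code of any of those products; the `VAULT1` file layout (magic, salt, nonce, ciphertext, HMAC tag) is this example's own invention. To stay inside the Python standard library, which ships no block cipher, it uses HMAC-SHA256 in counter mode as the keystream and encrypt-then-MAC with separate derived keys; a shipping tool would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 from a crypto library instead.

```python
import hashlib
import hmac
import json
import os
import struct

MAGIC = b"VAULT1"        # constructed file-format tag for this example
SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32             # HMAC-SHA256 tag
PBKDF2_ROUNDS = 200_000  # slows down offline guessing of the master passphrase


def _derive_keys(passphrase: str, salt: bytes):
    """One passphrase -> two independent 32-byte keys (encryption, MAC)."""
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                             PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """PRF counter mode: block_i = HMAC(key, nonce || i); XOR as much as needed."""
    stream = bytearray()
    for block_no in range((len(data) + 31) // 32):
        stream += hmac.new(key, nonce + struct.pack(">Q", block_no), hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(passphrase: str, entries: dict) -> bytes:
    """Serialise `entries` as JSON, encrypt under a fresh salt/nonce, then MAC header+ciphertext."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(passphrase, salt)
    ciphertext = _keystream_xor(enc_key, nonce, json.dumps(entries).encode("utf-8"))
    header = MAGIC + salt + nonce
    tag = hmac.new(mac_key, header + ciphertext, hashlib.sha256).digest()
    return header + ciphertext + tag


def open_vault(passphrase: str, blob: bytes) -> dict:
    """Verify the tag first (constant time); only then decrypt. Raises ValueError otherwise."""
    hdr_len = len(MAGIC) + SALT_LEN + NONCE_LEN
    if len(blob) < hdr_len + TAG_LEN or not blob.startswith(MAGIC):
        raise ValueError("not a vault file")
    salt = blob[len(MAGIC):len(MAGIC) + SALT_LEN]
    nonce = blob[len(MAGIC) + SALT_LEN:hdr_len]
    ciphertext, tag = blob[hdr_len:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, blob[:-TAG_LEN], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong passphrase or vault tampered with")
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext).decode("utf-8"))


def rejects(passphrase: str, blob: bytes) -> bool:
    """True if the vault refuses to open (used to demonstrate the failure paths)."""
    try:
        open_vault(passphrase, blob)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample entries; nothing here is a real credential.
    entries = {"db-prod": "example-only-secret", "backup-key": "also-constructed"}
    blob = seal("correct horse battery staple", entries)
    with open("secrets.vault", "wb") as fh:
        fh.write(blob)
    with open("secrets.vault", "rb") as fh:
        print(open_vault("correct horse battery staple", fh.read()))
    print("wrong passphrase rejected:", rejects("guess", blob))
```

The point to take from it is the ordering: the tag is checked before any decryption, so a wrong passphrase and a corrupted or edited file fail the same way, and the file reveals nothing about which of the two happened.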
