Comments on Jeremiah Grossman: Password Managers, is this the best option user's have?
Comment feed (15 comments), last updated 2024-02-08.

Terri (http://webinsecurity.net), 2010-03-12 12:23:
One thing you didn't mention is that there are some severe usability issues in password managers. Sonia Chiasson did a very interesting study on a couple of the (supposed) best-of-breed password managers a couple of years ago:

http://www.ccsl.carleton.ca/paper-archive/chiasson-usenix-06.pdf

The short version is that the usability of these programs was so terrible that users wound up accidentally exposing themselves to more risk, and often totally missed that they had done so.

After hearing her talk about this work, I'm not sure I could ever recommend a password manager with a clear conscience... and that's before hearing about today's clever little exploit to gain access to the passwords!

Brad Greenlee, 2010-03-12 13:49:
How about hash-generating extensions like PwdHash (http://crypto.stanford.edu/PwdHash/)?

Collin Jackson (http://www.collinjackson.com/), 2010-03-12 15:44:
There's another threat you might want to consider, which is that someone has local access to your machine after you've used it, either temporarily (a visitor who probably won't install malware) or permanently (a thief). By avoiding a password manager you can make it harder for these local attackers to get your passwords.

Claudiu Francu, 2010-03-13 04:54:
I did a follow-up on your story here:
http://claudiufrancu.blogspot.com/2010/03/usability-versus-security-or-how.html
Tell me what you think!

Anonymous, 2010-03-13 11:39:
I change my recommendations depending on who I'm talking to (and how much they know/care), but I now advocate a simple three-password approach:
1) Email password - this should be the hardest password to guess and should ONLY be used for email. My reason is that all your other passwords could be gleaned from your email ("forgot my password" links, etc.)
2) Financial password - hard to guess and used only for banks and other uber-important things
3) Everything password - mid-hard to guess, used for everything else.

This isn't the /best/ system but is very usable.

Anonymous, 2010-03-13 23:34:
As the last guy said, splitting up accounts into two or more groups is a good suggestion to users.

I also suggest they come up with a password scheme, based on a single common password but with a 4-or-more-character variation formula based on the site/account they're logging into. That way they can remember one or two passwords and one or two formulas, depending on their abilities.

יונתן עמיר, 2010-03-13 23:47:
Having to move across many different computers, some of which are shared, I have replaced KeePass with LastPass for several reasons:
- I don't have to store the password in the clipboard or type it into the browser.
- I can use one-time passwords, so my master password is relatively safe when using shared computers.
- It is very easy to replace passwords, in case I fear one or more of my stored passwords has been compromised.

Jeremiah Grossman, 2010-03-14 11:47:
@Terri, usability is hugely important. Thanks for the link to the paper. Still, in theory, the concept of local password managers appears better and safer than the alternatives.

@Brad, nice link! Forgot about that one. Another version of a local password manager. Again, it would be nice if something like this was on by default in the major browsers. Otherwise, it'll remain obscure and largely unused.

@Collin, I operate under the assumption that local access = root. And I could be wrong, but local access isn't a major source of password loss like the others I outlined. Still, a screen saver password would be very helpful in these cases.

@Claudiu, as you left it at the end, it would be nice to move away from passwords. But the solutions available so far just aren't that attractive, leaving passwords as the best option for the moment.

Anonymous, 2010-03-15 12:52:
"By enlarge"? Don't you mean "by and large"? Try a Google search - it seems to be an old sailing term.

lava (http://www.andlabs.org), 2010-03-17 12:58:
Nice article. Brad's suggestion looks the strongest and has the added advantage of protecting against phishing attacks as well. Though not perfect, it does have a nice combination of usability and security for common non-security folks.

I would like to point out one additional attack vector that would be of interest: browser phishing. It's been a part of karmetasploit since 2008. I have implemented the same as one of the attacks in Imposter (http://www.andlabs.org/tools.html#imposter), a browser phishing attack framework. Video available here: http://www.youtube.com/watch?v=HzxWYv69_Tw

Anonymous, 2010-03-18 08:28:
Try Sticky Password

http://www.stickypassword.com

Wayne, 2010-03-26 11:27:
My organization forbids both writing passwords down and using password managers (without approval, which you can't get).

Two-factor authentication using smart card PKI certificates (where it's available) solves a lot of these issues.

Passter.com, 2010-08-31 10:43:
Hey guys,

I think that the best option is indeed to use a password manager, since it is most important to change passwords frequently.

If you really want to use a highly secured manager, try Passter:
www.passter.com

Anonymous, 2014-06-06 05:06:
The details about the best password management software (http://www.ilantusexpress.com/passwordexpress.html) can be understood clearly on reading this post. Keep updating the blog regularly.