Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-21 Thread pwagland

On Wednesday, December 19, 2012 4:16:43 AM UTC+1, Ryan Schipper wrote:
>
> That said, I would advise against using Password Maker. 
>
> I've just had a quick browse of the source and the software uses your 
> master password as direct key material for their HMAC algorithms. This is a 
> direct violation of HMACs security assumptions (specifically, that the key 
> derivation function is a pseudo-random function). These sorts of errors 
> make me nervous regarding the general security posture of the application.  
>

Security software is rife with issues. Read this paper for more scary 
stuff: http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf

That is why I don't disagree with Fabrizio for being unduly cautious, 
despite the fact that I do store my passwords using 1Password.

As with all things, it is a tradeoff between security and convenience, and 
I think that 1Password gives me much better security than "one password", 
and most of the convenience of that.

Cheers,
Paul

-- 
You received this message because you are subscribed to the Google Groups "Java 
Posse" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/javaposse/-/CvwHje_JU50J.
To post to this group, send email to javaposse@googlegroups.com.
To unsubscribe from this group, send email to 
javaposse+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/javaposse?hl=en.



Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-19 Thread clay
It sounds like you are in favor of the general strategy of automatically 
hash-generating individual passwords based on a single master password.

IMO, this general strategy seems superior to the store-on-a-server 
strategy. Sure, you can change/tweak the hash algorithm and settings and 
even write your own implementation of these things.

If the URL changes: change your password, or manually remember the old URL.

If an individual password is compromised: no big deal. You have to use a 
modifier text string, such as an incremental number which is concatenated 
to the string that generates the final hash -> password. You have to do 
this for sites that require you to routinely change your password as well.

If your master password is compromised: you're screwed. Every system has to 
have an ultimate weak point.


On Tuesday, December 18, 2012 9:16:43 PM UTC-6, Ryan Schipper wrote:
>
> Password Maker supports both of those scenarios. Check out their FAQ.
>
> That said, I would advise against using Password Maker. 
>
> I've just had a quick browse of the source and the software uses your 
> master password as direct key material for their HMAC algorithms. This is a 
> direct violation of HMACs security assumptions (specifically, that the key 
> derivation function is a pseudo-random function). These sorts of errors 
> make me nervous regarding the general security posture of the application. 
>
> If you're still thinking about PasswordMaker (or already using it), the 
> default settings are quite weak (
> http://passwordmaker.sourceforge.net/help/account-settings.xhtml).
>
> I would advise altering these settings to the following:
>   - use the SHA256 algorithm
>   - increase the default generated password length to at least 12, if not 
> 16
>   - update the default character set to include symbols
>
> This will decrease the chance that a vulnerable service (e.g. Facebook) is 
> retaining a stored hash which can be trivially brute forced using 
> oclhashcat and 8 GPUs. 
>
> -- Ryan Schipper
>
> On 19 December 2012 10:22, Fabrizio Giudici wrote:
>
>> On Tue, 18 Dec 2012 23:30:30 +0100, clay wrote:
>>
>>> Every recommendation is a system based on some secure server storing
>>> passwords.
>>>
>>> How about hash systems? I use http://passwordmaker.org/
>>>
>>> You only need to remember one password, the hash system generates new
>>> passwords for every new site, and there is no server-storage involved.
>>> Nothing to hack, protect, or lose access to.
>>>
>>
>> I didn't know passwordmaker and I'll have a deeper look at it in the next 
>> days. In the past I've thought of a similar approach, but with some doubts:
>>
>> 1. In case one password is compromised (e.g. by eavesdropping) you have 
>> to change the password and give up with this approach, at least for the 
>> compromised site.
>> 2. Sometimes the URL might change. For instance, one of my banks 
>> introduced a redesigned website. The original URL was www.bank.it, for 
>> some time it redirected to new.bank.it (transitory period in which the 
>> original website was still available). This would have caused at least some 
>> annoyance (forced to change the password) at least temporarily.
>>
>> Still, it is of some interest.
>>
>>
>> -- 
>> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
>> "We make Java work. Everywhere."
>> http://tidalwave.it/fabrizio/blog - fabrizio...@tidalwave.it 
>>
>>
>>
>




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Ryan Schipper
Password Maker supports both of those scenarios. Check out their FAQ.

That said, I would advise against using Password Maker.

I've just had a quick browse of the source and the software uses your
master password as direct key material for their HMAC algorithms. This is a
direct violation of HMACs security assumptions (specifically, that the key
derivation function is a pseudo-random function). These sorts of errors
make me nervous regarding the general security posture of the application.

If you're still thinking about PasswordMaker (or already using it), the
default settings are quite weak (
http://passwordmaker.sourceforge.net/help/account-settings.xhtml).

I would advise altering these settings to the following:
  - use the SHA256 algorithm
  - increase the default generated password length to at least 12, if not 16
  - update the default character set to include symbols

This will decrease the chance that a vulnerable service (e.g. Facebook) is
retaining a stored hash which can be trivially brute forced using
oclhashcat and 8 GPUs.

-- Ryan Schipper

On 19 December 2012 10:22, Fabrizio Giudici wrote:

> On Tue, 18 Dec 2012 23:30:30 +0100, clay wrote:
>
>> Every recommendation is a system based on some secure server storing
>> passwords.
>>
>> How about hash systems? I use http://passwordmaker.org/
>>
>> You only need to remember one password, the hash system generates new
>> passwords for every new site, and there is no server-storage involved.
>> Nothing to hack, protect, or lose access to.
>>
>
> I didn't know passwordmaker and I'll have a deeper look at it in the next
> days. In the past I've thought of a similar approach, but with some doubts:
>
> 1. In case one password is compromised (e.g. by eavesdropping) you have to
> change the password and give up with this approach, at least for the
> compromised site.
> 2. Sometimes the URL might change. For instance, one of my banks
> introduced a redesigned website. The original URL was www.bank.it, for
> some time it redirected to new.bank.it (transitory period in which the
> original website was still available). This would have caused at least some
> annoyance (forced to change the password) at least temporarily.
>
> Still, it is of some interest.
>
>
> --
> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
> "We make Java work. Everywhere."
> http://tidalwave.it/fabrizio/blog - fabrizio.giud...@tidalwave.it
>
>
>
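The derivation Ryan's post calls for (a password-based KDF between the master password and the HMAC key, SHA256, length 16, a charset with symbols), combined with the per-site rotation counter clay describes, as an added example that is neither PasswordMaker's code nor code from anyone in this thread; the charset, iteration count, salt choice and all function names are assumptions.

```python
"""Deterministic per-site passwords from one master password, done carefully.

Weak pattern (the one criticised upthread): the raw master password is the
HMAC key.  Hardened pattern: stretch the master password with a password-based
KDF (PBKDF2-HMAC-SHA256 here) under a per-user salt, then use the derived key
for HMAC-SHA256 over a stable site label plus a rotation counter.
Everything below is constructed for illustration, not PasswordMaker's code.
"""
import hashlib
import hmac
import string

# Settings recommended upthread: symbols in the charset, 16 characters.
CHARSET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"
DEFAULT_LENGTH = 16
PBKDF2_ITERATIONS = 200_000  # assumed value; tune so derive_key() takes ~100 ms


def weak_key(master_password: str) -> bytes:
    """The pattern to avoid: the master password itself becomes the HMAC key.
    A leaked site password can then be attacked at raw HMAC-SHA256 speed."""
    return master_password.encode("utf-8")


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a pseudo-random 256-bit HMAC key.
    The salt need not be secret, only stable per user (a username works)."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=32
    )


def _keystream(key: bytes, label: bytes):
    """Yield an unbounded stream of HMAC-SHA256 output bytes for `label`,
    one 32-byte block per counter value."""
    block = 0
    while True:
        yield from hmac.new(key, label + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1


def site_password(key: bytes, site: str, counter: int = 0,
                  length: int = DEFAULT_LENGTH) -> str:
    """Map HMAC output onto CHARSET with rejection sampling (no modulo bias).

    `site` is a label you choose and keep stable (e.g. "bank.it"), not the
    current URL, so a redesign that moves the login page does not change the
    derived password.  `counter` is the modifier described upthread: bump it
    to rotate one site's password after a compromise or a forced change,
    leaving the master password and every other site untouched.
    """
    if length < 12:
        raise ValueError("generated passwords should be at least 12 characters")
    label = f"{site.lower()}\x00{counter}".encode("utf-8")
    limit = 256 - (256 % len(CHARSET))  # largest multiple of len(CHARSET) <= 256
    out = []
    for b in _keystream(key, label):
        if b < limit:  # reject the tail so every charset entry is equally likely
            out.append(CHARSET[b % len(CHARSET)])
            if len(out) == length:
                return "".join(out)


if __name__ == "__main__":
    # Constructed sample input; the salt is the account name, not a secret.
    k = derive_key("correct horse battery staple", b"alice@example.com")
    print(site_password(k, "bank.it"))             # first password for the site
    print(site_password(k, "bank.it", counter=1))  # rotated after a compromise
```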




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Fabrizio Giudici

On Tue, 18 Dec 2012 23:30:30 +0100, clay wrote:

> Every recommendation is a system based on some secure server storing
> passwords.
>
> How about hash systems? I use http://passwordmaker.org/
>
> You only need to remember one password, the hash system generates new
> passwords for every new site, and there is no server-storage involved.
> Nothing to hack, protect, or lose access to.


I didn't know passwordmaker and I'll have a deeper look at it in the next  
days. In the past I've thought of a similar approach, but with some doubts:


1. In case one password is compromised (e.g. by eavesdropping) you have to  
change the password and give up with this approach, at least for the  
compromised site.
2. Sometimes the URL might change. For instance, one of my banks  
introduced a redesigned website. The original URL was www.bank.it, for  
some time it redirected to new.bank.it (transitory period in which the  
original website was still available). This would have caused at least  
some annoyance (forced to change the password) at least temporarily.


Still, it is of some interest.

--
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - fabrizio.giud...@tidalwave.it




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Kirk Pepperdine

> 
> Your single point of failure is your email account, period. Once a hacker 
> gets access to your email, they can reset pretty much every single other 
> account that you own, regardless of how many different passwords you use for 
> those.

A link that I've broken for important accounts. It's still not 100% but if the 
email address you need to get to doesn't exist anymore

-- Kirk




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Dominic Mitchell
On Tue, Dec 18, 2012 at 4:40 PM, Cédric Beust ♔ wrote:

> On Tue, Dec 18, 2012 at 7:44 AM, Casper Bang wrote:
>
>> I should specify; "limiting the damage" means, among other things, not to
>> allow one compromised account to escalate by i.e. using unique passwords
>> (or password layers), unique email addresses (or aliases), two-factor auth
>> etc.
>
>
> This is another aspect of security that very few people realize: using
> different passwords on different sites doesn't make you as safe as you think.
>
> Your single point of failure is your email account, period. Once a hacker
> gets access to your email, they can reset pretty much every single other
> account that you own, regardless of how many different passwords you use
> for those.
>

If you're using gmail, you should enable two-factor auth, in order to help
prevent this.

http://support.google.com/accounts/bin/answer.py?hl=en&answer=180744

It's a significant step towards securing your account.

-Dom




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Casper Bang


> This is another aspect of security that very few people realize: using 
> different passwords on different sites doesn't make you as safe as you think.
>
> Your single point of failure is your email account, period. Once a hacker 
> gets access to your email, they can reset pretty much every single other 
> account that you own, regardless of how many different passwords you use 
> for those.
>
>  
Sure, which is why your email account would qualify as belonging to the 
maximum security tier - similar to root level. A good practice is to have 
an automatic forwarding rule, which sends everything you receive to a 
special "shadow slave account", so that you may always retrieve reset 
emails to your compromised master account. Google also offers nonce codes 
as a recovery mechanism.

All I am trying to say is that there is no silver bullet, but there are 
pragmatic damage control and recovery strategies.




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Fabrizio Giudici
On Tue, 18 Dec 2012 17:40:24 +0100, Cédric Beust ♔ wrote:

> This is another aspect of security that very few people realize: using
> different passwords on different sites doesn't make you as safe as you
> think.
>
> Your single point of failure is your email account, period. Once a hacker
> gets access to your email, they can reset pretty much every single other
> account that you own, regardless of how many different passwords you use
> for those.


True. But e.g. the procedures for resetting the passwords to my banks aren't  
as easy - they also require some other proof, such as other "secret  
information" that has been previously shared, and they involve some phone  
call. Still, this can be hacked. The thing that people should do (and I've  
only partially done, but I'll fill the gap ASAP) is to have a short  
security assessment of the accounts and their recovery procedures. Then  
you can try to compare it with e.g. the breach reported by Wired. BTW, if  
I remember well, Apple was doing something very stupid in the reset  
procedure, and that's why no major corporation will ever have my primary  
credit card numbers (for them I use a PayPal card with a very tight credit  
cap).


It isn't particularly hard, I think that you just need to classify two  
levels: one for the bank accounts and all the things that can cause serious  
damage, and the other for all the rest. Then use separate emails. I'm  
considering using, for the first class, the "certified email" that has  
become obligatory by law in many countries. Not only does the provider  
guarantee signing, timestamping and archival (which means it would be  
easy to reconstruct an incident, and even prove it), but it's used very  
seldom, just for some periodic communications with state agencies and such  
(at least in my case). For instance, this means that I haven't  
configured my smartphone to connect with it.


I was going to add that some well designed reset procedures make use of  
SMS notifications (e.g. banks), but in this case the smartphone can be  
again a single point of failure and some malicious app could hack them.


--
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - fabrizio.giud...@tidalwave.it




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Fabrizio Giudici
On Tue, 18 Dec 2012 16:44:18 +0100, Casper Bang wrote:

> Exactly. To invoke the insurance metaphor as a simple
> cost/benefit analysis; a determined thief WILL succeed in breaking into
> your house, regardless of how many locks and security cameras you have
> - so the best strategy is to limit the damage. There might be a
> cultural/social issue buried here though, as my bank is obliged to cover
> (non-social-engineered) fraud and in case of bankruptcy my
> government guarantees for whatever money I have in the bank.
>
> I should specify; "limiting the damage" means, among other things, not to
> allow one compromised account to escalate by i.e. using unique passwords
> (or password layers), unique email addresses (or aliases), two-factor
> auth etc. It's the escalation aspect that frightens me the most with the SSO
> login aggregation solutions discussed in this thread.
>
> Which reminds me, does any of these support security layers or rings?
> That is, one layer for non-important stuff (i.e. google groups), one for
> medium important stuff (say amazon) and one for very important stuff
> (email, banking) in order to minimize exposure?


Government guarantees. LOL. We all have it in Europe. This is specifically  
one of the things that makes me cautious. In fact, the problem is that in  
my country no such case has happened in recent times. You know "not tested? it  
doesn't work!". I think it applies not only to software. The theory is  
that a state agency will refund you (under a reasonable threshold that is  
about 100k€) in 45 days max (or such). Now, the past summer it happened  
for an Italian bank. Indeed, several months passed before the authorities  
approved the procedure, and the 45 days count started from there. In the  
end, people were stuck with their accounts locked for at least six months,  
more or less. This episode made me think a lot, and I don't feel  
guaranteed until I see a test case that was handled positively.


As a side note: the government guarantee won't work in many countries if  
multiple banks fail at the same time as a domino effect, because there  
won't be money for everybody.

But this is OT with respect to computer security.

Back to the topic, the escalation worries me too. That's why I have  
multiple bank accounts, as I said. But having all the passwords managed by  
the same device would jeopardize this strategy.
And yes, one of the banks relies on a dongle for one-time passwords. I'm  
still unsure whether I should move away from the other bank, which doesn't use  
it. Probably it's ok as is now. In this way I can adopt the policy of  
always keeping the dongle at home (more secure, even though losing it  
would be just an annoyance of getting another, in fact the bank requires  
the one-time password AND a fixed password plus the account name) even  
though this prevents me from operating when I'm not at home. But in case  
of urgent need, I have the other bank account.


--
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - fabrizio.giud...@tidalwave.it




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Cédric Beust ♔
On Tue, Dec 18, 2012 at 7:44 AM, Casper Bang wrote:

> I should specify; "limiting the damage" means, among other things, not to
> allow one compromised account to escalate by i.e. using unique passwords
> (or password layers), unique email addresses (or aliases), two-factor auth
> etc.


This is another aspect of security that very few people realize: using
different passwords on different sites doesn't make you as safe as you think.

Your single point of failure is your email account, period. Once a hacker
gets access to your email, they can reset pretty much every single other
account that you own, regardless of how many different passwords you use
for those.

-- 
Cédric




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread jon.kipar...@gmail.com
I have a day to day account, which I use for bills and expenses. That account 
never has more than a month's expenses in it, unless there's a major purchase 
to be made.
I have a separate staging account at an unrelated bank, where I keep an 
accessible reserve. That account has never been used for any electronic 
transaction, and in fact there is not even a bank card issued on it. 
It's possible that someone could do me some nuisance, but in order to do that 
they'd have to forge a check (there are good procedures for dealing with  
physical forgery, you can generally recover losses) or else they'd have to 
convince my bank to grant them electronic access, which would put the bank 
rather on the hook.

So I'm not too worried about my bank passwords, personally. I take reasonable 
care, but I'm tolerably well insulated against long-term harm.

Sent from my mobile. 
(Typos courtesy of swype)

- Reply message -
From: "Fabrizio Giudici" 
Date: Tue, Dec 18, 2012 10:06 am
Subject: [The Java Posse] Re: Keeping Track of Multiple Passwords
To: , "rakesh mailgroups" 


On Tue, 18 Dec 2012 15:33:29 +0100, rakesh mailgroups wrote:

> Hi Fabrizio,
>
> I think you are being unrealistic.
>
> I'm all for doing due diligence when choosing important software like
> this (I use 1Password + dropbox btw) but you need to realise there are NO 100%
> guarantees.
>
> Look what happened to Sony, hackers get hold of government data and post
> it.
>
> What I think you should be asking yourself is, will I be able to get any
> money back if I should be hacked? The answer is invariably yes as you are
> already part of the minority who understands technology and isn't stupid
> to use guessable passwords or the same one across multiple sites.

That's precisely my problem, and I think I wouldn't get the money back -
in the most optimistic case, I'd have to fight with lawyers spending lots
of time (thus money). Please note that we're not talking of a problem of
the bank, but of a problem of me, the customer. I bet the bank would say:
blame your password manager provider. I think we all learned in those
years how banks are able to blame others for *their own* errors, so figure
out when the error is not theirs. And then I suppose that in the fine
print 1Password, KeyPass etc. deny all relevant liability. Not counting
that they refer to courts abroad from my point of view, which would only
increase the troubles. And in any case it would require time, and in the
meantime? How do you live without money?

> LastPass, KeyPass, 1Password all have a lot to lose if their software is  
> not good enough.

True. Even Tepco had a lot to lose if their estimate about the maximum  
height of tsunami waves was wrong. In fact they lost a lot.

> As someone pointed out, you have to trust someone somewhere in order to
> do anything.

... and for my banking account I trust on me, myself and I :-) Should
something tragic happen without any possibility of recovery, at least I'd
blame myself. If I can't recover, I prefer to have troubles caused by me
than a third party who escapes its responsibility. This helps in keeping
my blood pressure low.

> Life's too short, move on.

Yep. If it's short and moneyless is even worse. :-)

-- 
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - fabrizio.giud...@tidalwave.it




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Casper Bang

>
>
> Exactly. To invoke the insurance metaphor as a simple 
> cost/benefit analysis; a determined thief WILL succeed in breaking into 
> your house, regardless of how many locks and security cameras you have - so 
> the best strategy is to limit the damage. There might be a cultural/social 
> issue buried here though, as my bank is obliged to cover 
> (non-social-engineered) fraud and in case of bankruptcy my 
> government guarantees for whatever money I have in the bank.
>

I should specify; "limiting the damage" means, among other things, not to 
allow one compromised account to escalate by i.e. using unique passwords 
(or password layers), unique email addresses (or aliases), two-factor auth 
etc. It's the escalation aspect that frightens me the most with the SSO 
login aggregation solutions discussed in this thread.

Which reminds me, does any of these support security layers or rings? That 
is, one layer for non-important stuff (i.e. google groups), one for medium 
important stuff (say amazon) and one for very important stuff (email, 
banking) in order to minimize exposure?




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Casper Bang

>
> Right, but I think the pendulum has swung far enough on the "secure 
> password storage" side while it has barely moved on the "social engineering 
> break in" aspect. If you're worried about the safety of your private 
> information, 
>

Exactly. To invoke the insurance metaphor as a simple 
cost/benefit analysis; a determined thief WILL succeed in breaking into 
your house, regardless of how many locks and security cameras you have - so 
the best strategy is to limit the damage. There might be a cultural/social 
issue buried here though, as my bank is obliged to cover 
(non-social-engineered) fraud and in case of bankruptcy my 
government guarantees for whatever money I have in the bank.




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Fabrizio Giudici
On Tue, 18 Dec 2012 16:13:43 +0100, Cédric Beust ♔ wrote:

> Wired published a very enlightening article on this very topic last
> month, I highly recommend it.


Absolutely correct and I do agree. I do know the case of the guy quoted by  
Wired, as I discussed in another community months ago.

Indeed, unfortunately, correctly dealing with security is a hard task.


--
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - fabrizio.giud...@tidalwave.it




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Cédric Beust ♔
On Tue, Dec 18, 2012 at 7:08 AM, Fabrizio Giudici <fabrizio.giud...@tidalwave.it> wrote:

>
> This is an additional risk that is not alternative to the other. Thus, we
> have to deal with both.


Right, but I think the pendulum has swung far enough on the "secure
password storage" side while it has barely moved on the "social engineering
break in" aspect. If you're worried about the safety of your private
information, I think your time will be better spent making sure that the
companies you entrust have safe "reset" procedures than asking to see the
source code of their encryption back end.

Wired published a very enlightening article on this very topic last
month, I highly recommend it.

-- 
Cedric




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Fabrizio Giudici
On Tue, 18 Dec 2012 15:46:07 +0100, Cédric Beust ♔ wrote:

> Agreed.
>
> Personally, I worry a lot more about someone being able to use social
> engineering to have one of my passwords reset than someone breaking one of
> my passwords.


This is an additional risk that is not alternative to the other. Thus, we  
have to deal with both.



--
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - fabrizio.giud...@tidalwave.it




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Fabrizio Giudici

On Tue, 18 Dec 2012 15:33:29 +0100, rakesh mailgroups wrote:

> Hi Fabrizio,
>
> I think you are being unrealistic.
>
> I'm all for doing due diligence when choosing important software like
> this (I use 1Password + dropbox btw) but you need to realise there are NO 100%
> guarantees.
>
> Look what happened to Sony, hackers get hold of government data and post
> it.
>
> What I think you should be asking yourself is, will I be able to get any
> money back if I should be hacked? The answer is invariably yes as you are
> already part of the minority who understands technology and isn't stupid
> to use guessable passwords or the same one across multiple sites.


That's precisely my problem, and I think I wouldn't get the money back -
in the most optimistic case, I'd have to fight with lawyers spending lots
of time (thus money). Please note that we're not talking of a problem of
the bank, but of a problem of me, the customer. I bet the bank would say:
blame your password manager provider. I think we all learned in those
years how banks are able to blame others for *their own* errors, so figure
out when the error is not theirs. And then I suppose that in the fine
prints 1Password, KeyPass etc deny all relevant liability. Not counting
that they refer to courts abroad from my point of view, which would only
increase the troubles. And in any case it would require time, and in the
meantime? How do you live without money?

LastPass, KeyPass, 1Password all have a lot to lose if their software is  
not good enough.


True. Even Tepco had a lot to lose if their estimate about the maximum  
height of tsunami waves was wrong. In fact they lost a lot.


As someone pointed out, you have to trust someone somewhere in order to  
do

anything.


... and for my banking account I trust on me, myself and I :-) Should
something tragic happen without any possibility of recovery, at least I'd
blame myself. If I can't recover, I prefer to have troubles caused by me
than a third party who escapes its responsibility. This helps in keeping
my blood pressure low.


Lifes too short, move on.


Yep. If it's short and moneyless is even worse. :-)

--
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - fabrizio.giud...@tidalwave.it




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Kevin Wright
+1

On 18 December 2012 14:46, Cédric Beust ♔  wrote:

> Agreed.
>
> Personally, I worry a lot more about someone being able to use social
> engineering to have one of my passwords reset than someone breaking one of
> my passwords.
>
> --
> Cedric
>
>
> --
> Cédric



-- 
Kevin Wright
mail: kevin.wri...@scalatechnology.com
gtalk / msn : kev.lee.wri...@gmail.com
quora: http://www.quora.com/Kevin-Wright
google+: http://gplus.to/thecoda

twitter: @thecoda
vibe / skype: kev.lee.wright
steam: kev_lee_wright

"My point today is that, if we wish to count lines of code, we should not
regard them as "lines produced" but as "lines spent": the current
conventional wisdom is so foolish as to book that count on the wrong side
of the ledger" ~ Dijkstra




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Cédric Beust ♔
Agreed.

Personally, I worry a lot more about someone being able to use social
engineering to have one of my passwords reset than someone breaking one of
my passwords.

-- 
Cedric


-- 
Cédric




On Tue, Dec 18, 2012 at 6:33 AM, rakesh mailgroups <
rakesh.mailgro...@gmail.com> wrote:

> Hi Fabrizio,
>
> I think you are being unrealistic.
>
> I'm all for doing due diligence when choosing important software like this
> (I use 1Password + Dropbox btw) but you need to realise there are NO 100%
> guarantees.
>
> Look what happened to Sony, hackers get hold of government data and post
> it.
>
> What I think you should be asking yourself is, will I be able to get any
> money back if I should be hacked? The answer is invariably yes as you are
> already part of the minority who understands technology and isn't stupid
> enough to use guessable passwords or the same one across multiple sites.
>
> As someone pointed out, you have to trust someone somewhere in order to do
> anything. LastPass, KeePass, 1Password all have a lot to lose if their
> software is not good enough. Personally, that's good enough for me. They
> should have the smart people staying on top of this situation for me.
>
> Life's too short, move on.
>
> Rakesh
>




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread rakesh mailgroups
Hi Fabrizio,

I think you are being unrealistic.

I'm all for doing due diligence when choosing important software like this
(I use 1Password + Dropbox btw) but you need to realise there are NO 100%
guarantees.

Look what happened to Sony, hackers get hold of government data and post it.

What I think you should be asking yourself is, will I be able to get any
money back if I should be hacked? The answer is invariably yes as you are
already part of the minority who understands technology and isn't stupid
enough to use guessable passwords or the same one across multiple sites.

As someone pointed out, you have to trust someone somewhere in order to do
anything. LastPass, KeePass, 1Password all have a lot to lose if their
software is not good enough. Personally, that's good enough for me. They
should have the smart people staying on top of this situation for me.

Life's too short, move on.

Rakesh


On Tue, Dec 18, 2012 at 12:42 PM, Fabrizio Giudici <
fabrizio.giud...@tidalwave.it> wrote:

> On Tue, 18 Dec 2012 11:27:20 +0100, Casper Bang 
> wrote:
>
>
>> However, taking the tin-foil hat off for a moment, it's probably safe
>> enough for most people to go with the big players like LastPass etc.
>
> I don't want to scare people, of course. But "it's probably safe enough"
> is what I often think, when I'm particularly annoyed by my manual
> procedure. Then I say: what does enough mean? It depends on what you're
> protecting. For many things, it's probably enough: you risk some major
> annoyance in some public forums if some joker spreads some spam, or you
> risk your websites being defaced. If you have the proper counter-measures
> (e.g. a backup to quickly restore a defaced site, etc...), it's ok. Perhaps
> I could actually use one of the proposed open source solutions for my
> passwords with a low criticality (but I don't see any advantage in just
> having them managed by Opera).
>
> For my banking accounts, not. Once the money has gone, it's gone.
>
>
>
>
> --
> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
> "We make Java work. Everywhere."
> http://tidalwave.it/fabrizio/blog -
> fabrizio.giud...@tidalwave.it




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Fabrizio Giudici
On Tue, 18 Dec 2012 11:27:20 +0100, Casper Bang wrote:

> However, taking the tin-foil hat off for a moment, it's probably safe
> enough for most people to go with the big players like LastPass etc.

I don't want to scare people, of course. But "it's probably safe enough"
is what I often think, when I'm particularly annoyed by my manual
procedure. Then I say: what does enough mean? It depends on what you're
protecting. For many things, it's probably enough: you risk some major
annoyance in some public forums if some joker spreads some spam, or you
risk your websites being defaced. If you have the proper counter-measures
(e.g. a backup to quickly restore a defaced site, etc...), it's ok.
Perhaps I could actually use one of the proposed open source solutions for
my passwords with a low criticality (but I don't see any advantage in just
having them managed by Opera).

For my banking accounts, not. Once the money has gone, it's gone.



--
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - fabrizio.giud...@tidalwave.it




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Casper Bang


> Bruce Schneier said more than ten years ago that in his view open source
> was not just a business model, but the only way to properly engineer a
> security system.
>

That's probably because Bruce has seen his share of security by
obscurity. You are right of course, a properly designed system would not
need to hide behind closed code.

However, taking the tin-foil hat off for a moment, it's probably safe
enough for most people to go with the big players like LastPass etc. As
with many things, there's some comfort and safety in hiding in a crowd
which has been under scrutiny from actual experts, and where an actual
business would be in jeopardy.




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Jan Goyvaerts
On Tue, Dec 18, 2012 at 11:05 AM, Vince O'Sullivan wrote:

> Thanks for all the responses.  Notwithstanding the hypothetical issues
> raised, I've decided to give LastPass a go.  The first immediate benefit
> was being able to open up our company intranet without having to log in to
> it first (previously only possible if using IE), which was nice.


It appears LastPass also works offline, when their servers are down: the
locally stored account data is still available. Never tried that though...

The account data can be exported & imported. So even the angle of
LastPass disappearing is covered. :-)

I particularly appreciate that it perceives you registering for a web site
- and proposes to generate a password for you.


>
>
> On Monday, 17 December 2012 07:39:04 UTC, vjosullivan wrote:
>>
>> Has anyone found a reasonably accessible (yet secure) way of keeping
>> track of multiple passwords across different systems, retrievable from
>> various locations (e.g. at home, work or on the road)?
>




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-18 Thread Fabrizio Giudici

On Mon, 17 Dec 2012 17:31:12 +0100, Marc wrote:

> Another +1 for LastPass. You can read more about it at
> https://lastpass.com/enterprise_technology.php but LastPass doesn't know
> anything about your password/passwords. It just stores your encrypted
> password vault.  For example, if you forget your LastPass master
> password, then you are out of luck, they can't possibly recover it for
> you.  All decryption happens locally.

Marc, the problem is that this is what LastPass declares to do. Did you
see the code? What guarantees you that in a couple of years LastPass won't
silently change the approach? What about bugs, that is the involuntary
leak of information? What about details: is LastPass careful in wiping
temporarily unencrypted passwords from memory as soon as they are no longer
needed? Yesterday I read of an Android bug in Samsung's implementation that
would allow some crafted apps to bypass the memory sandbox and access
the memory of other apps.

Bruce Schneier said more than ten years ago that in his view open source
was not just a business model, but the only way to properly engineer a
security system.




--
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - fabrizio.giud...@tidalwave.it




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-17 Thread Marc


On Monday, December 17, 2012 5:55:35 AM UTC-5, fabrizio.giudici wrote:
>
> On Mon, 17 Dec 2012 09:48:35 +0100, Jan Goyvaerts wrote:
>
> > I'm using Lastpass - it logs in for you, generates
> > impossible passwords, has a plugin for many browsers, seems to have
> > integration with Linux systems too. It has an iOS app, but never used
> > that.
> >
> > I don't even know the passwords of the sites any more. I just know it's
> > all different 20+ characters random crap. I only know the master password.
> > :-)
>
> It's what I'd like to do - but who guarantees that Lastpass is secure?
> That it stores passwords correctly encrypted? That it doesn't leak them in
> memory? That it doesn't send them to a server?
>

Another +1 for LastPass. You can read more about it at
https://lastpass.com/enterprise_technology.php but LastPass doesn't know
anything about your password/passwords. It just stores your encrypted
password vault.  For example, if you forget your LastPass master password,
then you are out of luck, they can't possibly recover it for you.  All
decryption happens locally.

I now have distinct passwords on most of my online accounts because
LastPass makes it so much easier. This severely limits my exposure should a
website get hacked that I have an account on.  To me that's the main
security benefit of LastPass.

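
Marc's description above (the server holds only an encrypted vault, all decryption is local, a forgotten master password is unrecoverable) and Fabrizio's questions about whether passwords are really stored encrypted and wiped from memory are easier to judge against a concrete design. The Go program below is an added example written for this page; it is not LastPass's code and makes no claim about how LastPass actually builds its vault. It assumes PBKDF2-HMAC-SHA256 for stretching the master password, AES-256-GCM for the vault, and a separate HMAC-derived login credential; the label `vault-login-v1`, the 16-byte salt and the iteration counts are choices made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
)

// pbkdf2SHA256 is PBKDF2 (RFC 8018) over HMAC-SHA256, limited to one output
// block (32 bytes, an AES-256 key) so the example stays inside the standard library.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	mac := hmac.New(sha256.New, password)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian block index
	u := mac.Sum(nil)              // U_1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...) // T_1 = U_1 xor U_2 xor ... xor U_c
	for j := 1; j < iterations; j++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil) // U_j = PRF(P, U_{j-1})
		for k := range t {
			t[k] ^= u[k]
		}
	}
	return t
}

// StoredVault is everything a sync server would hold. Neither the master
// password nor the vault key is in it; both exist only on the client.
type StoredVault struct {
	Salt       []byte // per-user random KDF salt
	Nonce      []byte // AES-GCM nonce, fresh for every encryption
	Ciphertext []byte // AES-GCM output, authentication tag included
	LoginHash  []byte // login credential the server can check but not invert
}

// deriveKeys stretches the master password into the vault key, then derives a
// separate login credential from it with a labelled HMAC, so what the server
// sees at login time cannot decrypt the vault.
func deriveKeys(master string, salt []byte, iterations int) (vaultKey, loginHash []byte) {
	vaultKey = pbkdf2SHA256([]byte(master), salt, iterations)
	mac := hmac.New(sha256.New, vaultKey)
	mac.Write([]byte("vault-login-v1")) // domain-separation label chosen for this example
	return vaultKey, mac.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the plaintext vault on the client; the salt goes in as
// additional authenticated data so a swapped salt is caught by Open.
func Seal(master string, plaintext []byte, iterations int) (StoredVault, error) {
	rnd := make([]byte, 28) // 16-byte KDF salt followed by the 12-byte GCM nonce
	if _, err := rand.Read(rnd); err != nil {
		return StoredVault{}, err
	}
	salt, nonce := rnd[:16], rnd[16:]
	key, login := deriveKeys(master, salt, iterations)
	defer wipe(key)
	gcm, err := newGCM(key)
	if err != nil {
		return StoredVault{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, salt)
	return StoredVault{Salt: salt, Nonce: nonce, Ciphertext: ct, LoginHash: login}, nil
}

// Open re-derives the key and decrypts; a wrong master password or a tampered
// blob fails the GCM tag check and yields an error instead of garbage.
func Open(master string, v StoredVault, iterations int) ([]byte, error) {
	key, _ := deriveKeys(master, v.Salt, iterations)
	defer wipe(key)
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, v.Nonce, v.Ciphertext, v.Salt) // error: wrong password or tampering
}

// ServerLoginOK is the only check the server side can make: a constant-time
// comparison of the presented login hash (a real server would hash it once more).
func ServerLoginOK(v StoredVault, presented []byte) bool {
	return hmac.Equal(v.LoginHash, presented)
}

// wipe overwrites a key once it is no longer needed. It narrows the time the
// key spends in memory but does not clear the AES key schedule inside the
// cipher object, and the runtime may hold copies: a detail only source review can settle.
func wipe(b []byte) {
	for i := range b {
		b[i] = 0
	}
}
```

Two properties are worth checking against any manager that makes Marc's claim: the server-side record contains nothing from which the master password or vault key can be recovered, and a wrong password is rejected by the authentication tag rather than decrypting to noise. The comment on wipe spells out why zeroing the derived key is only a partial answer to Fabrizio's memory question, which is exactly the kind of detail that cannot be verified without the code.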



Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-17 Thread Fabrizio Giudici
On Mon, 17 Dec 2012 12:17:24 +0100, Kevin Wright wrote:

> At this point, you're probably being over-paranoid in the wrong
> direction!
>
> So far as I'm aware, you're at higher risk of having your card cloned from
> a cardholder-not-present transaction over the phone, or from a day-0
> exploit that logs your keyboard/clipboard, or from a remote website being
> hacked, or from a cashpoint that's been exploited.

Each breach has its cost. If my card is cloned (it's difficult
nowadays, since they are all microchipped) I'd get in any case immediate
notification of transactions by means of SMS messaging and I'd block the
card. Usually the card company doesn't have problems in refunding the
transaction. For the most precious asset, my banking accounts, I have
three (in the past years, also to minimize financial risks of banks),
and I distribute money among them. If somebody steals one of the
passwords, it could drain one of my accounts. If all my passwords are at
LastPass and it's breached, the bad guy could access immediately all my
accounts (well, only two of them: the third also requires one-time
passwords generated by a dongle; this makes LastPass useless for this
account).

> Can you convince me that it's safer to type in your password each time,
> or to copy/paste than it is to allow a dedicated application to autofill
> web forms for you?

Having a keyboard sniffer on my Mac sounds pretty much like the same risk as
having LastPass breached. This means that LastPass doesn't add any further
security, still it's one more system to take care of...

So far, the most interesting solution was the one advised by Casper quite
some time ago (the topic was already debated), since I think he made some
analysis on the code... but I'm not convinced yet even of it.



--
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - fabrizio.giud...@tidalwave.it




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-17 Thread Paulo "JCranky" Siqueira
+1 for lastpass

[]s,

Paulo "JCranky" Siqueira
http://jcranky.com
http://lojinha.paulosiqueira.com.br
On 17/12/2012 09:29, "Casper Bang" wrote:

> I use Pocket (formerly SecureWallet, by Tim Clark) for Android, which uses
> Dropbox as backing store:
> https://play.google.com/store/search?q=pname:com.citc.wallet
>
> There likely are similar and better alternatives, but Wallet works as a
> mini-wiki too, and is the only one I've reverse-engineered to verify
> security aspects of (should other people be interested in seeing how Wallet
> works, I threw up some code on GitHub under a BSD license:
> https://github.com/casperbang/open-pocket)
>
> Interesting topic for sure.
> /Casper
>
> On Monday, December 17, 2012 8:39:04 AM UTC+1, vjosullivan wrote:
>>
>> Has anyone found a reasonably accessible (yet secure) way of keeping
>> track of multiple passwords across different systems, retrievable from
>> various locations (e.g. at home, work or on the road)?
>
>




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-17 Thread Fabrizio Giudici



> What backup plan do you have in case you lose the usb stick, erase it by
> accident, ... ? :-)

The stick is cloned onto another TrueCrypt disk (this time, it's stored in
a file) on my NAS.



--
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - fabrizio.giud...@tidalwave.it




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-17 Thread Kevin Wright
At this point, you're probably being over-paranoid in the wrong direction!

So far as I'm aware, you're at higher risk of having your card cloned from
a cardholder-not-present transaction over the phone, or from a day-0 exploit
that logs your keyboard/clipboard, or from a remote website being hacked,
or from a cashpoint that's been exploited.

Can you convince me that it's safer to type in your password each time, or
to copy/paste than it is to allow a dedicated application to autofill web
forms for you?


On 17 December 2012 10:55, Fabrizio Giudici wrote:

> On Mon, 17 Dec 2012 09:48:35 +0100, Jan Goyvaerts wrote:
>
>> I'm using Lastpass - it logs in for you, generates
>> impossible passwords, has a plugin for many browsers, seems to have
>> integration with Linux systems too. It has an iOS app, but never used
>> that.
>>
>> I don't even know the passwords of the sites any more. I just know it's
>> all different 20+ characters random crap. I only know the master password. :-)
>>
>
> It's what I'd like to do - but who guarantees that Lastpass is secure?
> That it stores passwords correctly encrypted? That it doesn't leak them in
> memory? That it doesn't send them to a server?
>
> Until somebody convinces me of the safety of these tools (*) I keep the
> non-critical passwords (e.g. forums) stored in my browser, and the critical
> ones (e.g. money-related, etc...) in a plain text file stored on a USB key
> encrypted with TrueCrypt, that I only mount when needed. This means that
> I don't do anything critical with my Android phone.
>
>
> (*) Honestly, I think it's very hard to do. It would involve at least:
> that the tool is open source, that it has been reviewed by some experts and
> that I can install the application from a build I do by myself.
>
>




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-17 Thread Jan Goyvaerts
On Mon, Dec 17, 2012 at 11:55 AM, Fabrizio Giudici <
fabrizio.giud...@tidalwave.it> wrote:

> On Mon, 17 Dec 2012 09:48:35 +0100, Jan Goyvaerts wrote:
>
>> I'm using Lastpass - it logs in for you, generates
>> impossible passwords, has a plugin for many browsers, seems to have
>> integration with Linux systems too. It has an iOS app, but never used
>> that.
>>
>> I don't even know the passwords of the sites any more. I just know it's
>> all different 20+ characters random crap. I only know the master password. :-)
>>
>
> It's what I'd like to do - but who guarantees that Lastpass is secure?
> That it stores passwords correctly encrypted? That it doesn't leak them in
> memory? That it doesn't send them to a server?
>

You have to take the word of the owners of Lastpass of course... And when
THEY get hacked you're in deep  As with everything in security, it's all
about who trusts who. Personally, I'd think LastPass is safe.

What I'd appreciate is if they would also know how to handle password
changes. That I can reset all my passwords in batch. :-)


>
> Until somebody convinces me of the safety of these tools (*) I keep the
> non-critical passwords (e.g. forums) stored in my browser, and the critical
> ones (e.g. money-related, etc...) in a plain text file stored on a USB key
> encrypted with TrueCrypt, that I only mount when needed. This means that
> I don't do anything critical with my Android phone.
>

What backup plan do you have in case you lose the usb stick, erase it by
accident, ... ? :-)


>
>
> (*) Honestly, I think it's very hard to do. It would involve at least:
> that the tool is open source, that it has been reviewed by some experts and
> that I can install the application from a build I do by myself.
>
> --
> Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
> "We make Java work. Everywhere."
> http://tidalwave.it/fabrizio/blog -
> fabrizio.giud...@tidalwave.it
>




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-17 Thread Fabrizio Giudici
On Mon, 17 Dec 2012 09:48:35 +0100, Jan Goyvaerts wrote:

> I'm using Lastpass - it logs in for you, generates
> impossible passwords, has a plugin for many browsers, seems to have
> integration with Linux systems too. It has an iOS app, but never used
> that.
>
> I don't even know the passwords of the sites any more. I just know it's
> all different 20+ characters random crap. I only know the master password.
> :-)

It's what I'd like to do - but who guarantees that Lastpass is secure?
That it stores passwords correctly encrypted? That it doesn't leak them in
memory? That it doesn't send them to a server?

Until somebody convinces me of the safety of these tools (*) I keep the
non-critical passwords (e.g. forums) stored in my browser, and the
critical ones (e.g. money-related, etc...) in a plain text file stored on
a USB key encrypted with TrueCrypt, that I only mount when needed. This
means that I don't do anything critical with my Android phone.

(*) Honestly, I think it's very hard to do. It would involve at least:
that the tool is open source, that it has been reviewed by some experts
and that I can install the application from a build I do by myself.


--
Fabrizio Giudici - Java Architect @ Tidalwave s.a.s.
"We make Java work. Everywhere."
http://tidalwave.it/fabrizio/blog - fabrizio.giud...@tidalwave.it




Re: [The Java Posse] Re: Keeping Track of Multiple Passwords

2012-12-17 Thread Jan Goyvaerts
I'm using Lastpass - it logs in for you, generates
impossible passwords, has a plugin for many browsers, seems to have
integration with Linux systems too. It has an iOS app, but never used that.

I don't even know the passwords of the sites any more. I just know it's all
different 20+ characters random crap. I only know the master password. :-)

On Mon, Dec 17, 2012 at 9:13 AM, Matthew Farwell
wrote:

> Personally, I use a combination of Password Safe and
> Dropbox. I store the password file in the dropbox folder and it gets synced
> automatically.
> I only use the windows version of password safe, I'm not sure about the
> linux version of it.
>
> Matthew Farwell.
>
>
> On Monday, 17 December 2012 08:39:04 UTC+1, vjosullivan wrote:
>>
>> Has anyone found a reasonably accessible (yet secure) way of keeping
>> track of multiple passwords across different systems, retrievable from
>> various locations (e.g. at home, work or on the road)?
>
