
Remembering login names and passwords; is it dementia?


    #11
    This is just silly.

    Why doesn't everyone just email me their usernames and passwords. If you forget them you know you can get them from your reliable mate pondlife.

    I suggest we start with bank codes. Who wants to go first?



      #12
      Makes it easier for the crackers, I guess....

      Coding Horror: The Dirty Truth About Web Passwords


      Gawker Hack Release Notes - Coding Horror



        #13
        Originally posted by Platypus
        Yep. Same here.

        On ClientCo's laptop, which is forever forcing me to change passwords for intranet, email, etc, I have a file called Passwords.txt where I keep 'em all. And a Post-It stuck to the laptop with the Windows password on.

        If they make it too hard to remember and make you change it so often, what do they expect?
        Good idea; CUK always provides the answers!
        And what exactly is wrong with an "ad hominem" argument? Dodgy Agent, 16-5-2014



          #14
          Originally posted by KentPhilip
          What I've done is to write down the passwords into a single file using an alias in the form PA-xxx like:

          www.hsbc .co.uk
          phil1234
          PA-sba

          www.ebay .co.uk
          philip1234
          PA-sbb

          Server: Finance1
          (192.168.3.56 windows logon)
          admin
          PA-sbc

          Server: Finance5
          (192.168.3.56 ftp access)
          ftuser
          PA-sbd


          Then use Password Manager XP to encrypt and store these aliases and their corresponding passwords. $30 shareware.

          And I've added other data in the same way, with the data being the password, such as:

          Company number
          VAT number
          Lost credit card phone number
          Long credit card number
          wireless LAN security codes
          Mobile phone unlock code
          porn site accounts
          National Insurance number
          Passport number
          Driving licence number

          Allows you to keep both work and personal passwords in one place.
          Have got 192 items in total, so it does add up...


          www.contractoruk .com
          (sockpuppet 1)
          sasguru
          PA-sjd

          www.contractoruk .com
          (sockpuppet 2)
          dodgyagent
          PA-sje

          www.contractoruk .com
          (sockpuppet 3)
          zeitghost
          PA-sjf

          ...

          www.contractoruk .com
          (sockpuppet 100)
          kentphilip
          PA-slz
          Wow, nice idea, but I'm a tester and you're obviously a brainy person. I need quick and easy solutions for thickos.
          And what exactly is wrong with an "ad hominem" argument? Dodgy Agent, 16-5-2014



            #15
            have a word document on my desktop, with every single code on it, bank cards, game codes etc
            I have encrypted it by calling it shoppinglist.doc
            Similar, but mine are in Excel and named after a cartoon character although it is also encrypted with a proper encrypty code thing and password protected.
            bloggoth

            If everything isn't black and white, I say, 'Why the hell not?'
            John Wayne (My guru, not to be confused with my beloved prophet Jeremy Clarkson)



              #16
              Originally posted by meridian
              Going slightly off tangent, what encryption scheme do these web sites use?

              How To Safely Store A Password

              A modern server can calculate the MD5 hash of about 330MB every second. If your users have passwords which are lowercase, alphanumeric, and 6 characters long, you can try every single possible password of that size in around 40 seconds.

              And that’s without investing anything.

              If you’re willing to spend about 2,000 USD and a week or two picking up CUDA, you can put together your own little supercomputer cluster which will let you try around 700,000,000 passwords a second. At that rate you’ll be cracking those passwords at the rate of more than one per second.

              Salts Will Not Help You

              It’s important to note that salts are useless for preventing dictionary attacks or brute force attacks. You can use huge salts or many salts or hand-harvested, shade-grown, organic Himalayan pink salt. It doesn’t affect how fast an attacker can try a candidate password, given the hash and the salt from your database.

              Salt or no, if you’re using a general-purpose hash function designed for speed you’re well and truly effed.
              I got this list in no more than 5 minutes Googling:

              Wordpress: MD5
              Drupal: MD5
              vBulletin: password_hash = md5(md5($password_text) . $user_salt);
              Joomla: MD5
              Serendipity: MD5
              Behold the warranty -- the bold print giveth and the fine print taketh away.
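
The quoted article's point in post #16, as an added example (not code from the thread or from any of the projects listed): a salted fast hash like the vBulletin scheme costs two MD5 calls per guess, so the defensive fix is to move stored hashes to a deliberately slow function. The page names no replacement, so PBKDF2-HMAC-SHA256 at 600,000 iterations is an assumption here, as are the function names and the `record` row layout.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor, not from the thread; tune per hardware


def legacy_hash(password: str, salt: str) -> str:
    # The scheme quoted above: md5(md5($password_text) . $user_salt)
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def slow_hash(password: str) -> str:
    # Stored as "pbkdf2$<iterations>$<salt hex>$<digest hex>"
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_and_upgrade(password: str, record: dict) -> bool:
    # record is a hypothetical user row: {"hash": ..., "salt": ...}
    stored = record["hash"]
    if stored.startswith("pbkdf2$"):
        _, iters, salt_hex, digest_hex = stored.split("$")
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(candidate.hex(), digest_hex)
    # Legacy row: check the fast hash once, then replace it on success
    if not hmac.compare_digest(legacy_hash(password, record["salt"]), stored):
        return False
    record["hash"] = slow_hash(password)
    record.pop("salt", None)  # the new salt lives inside the hash string
    return True


def seconds_to_exhaust(alphabet: int, length: int, guesses_per_second: float) -> float:
    # Worst-case time to try every password of exactly this length
    return alphabet ** length / guesses_per_second


if __name__ == "__main__":
    row = {"salt": "x9Q", "hash": legacy_hash("tester1", "x9Q")}  # constructed sample
    print(verify_and_upgrade("tester1", row), row["hash"][:20])
    # 36 symbols, 6 characters, at the 700,000,000 guesses/s figure quoted above
    print(round(seconds_to_exhaust(36, 6, 700_000_000), 1), "seconds")
```

Upgrading on login means no password reset is needed, but rows for users who never log in again keep the fast hash until they are expired or force-reset.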



                #17
                Keepass all the way......... stores passwords securely, with AES & Twofish and they also do apps for iphone/android/blackberry/pocketPC and portableapps etc...

                So you can keep it handy at all times.



                  #18
                  Originally posted by Mich the Tester
                  I have to remember an ever increasing number of login names, passwords, pin codes, etc etc for all the apps and networks at clientco, my bank cards, and 2 months ago my bank replaced my dial-in account with internet banking, and even though I've used the thing several times I can't remember the bloody login details; it's as if the part of my brain that stores login details has simply filled up and cannot store anything more. I've got paper lying around with all sorts of codes but can't find the one with the bloody details for the internet banking. Last week I stood in a shop trying to remember the pin code for a bank card I use every bloody day, and just couldn't remember it, so I used Lady Tester's card instead; then I got home and she told me my pin.

                  Now the bloody Dutch government are changing the login details for all the government business departments, so even more bloody codes are coming my way.

                  It's all too much. Am I alone in this?
                  PIN numbers are easy if you convert them to words as per your phone keypad eg: 7448 = S H I T
                  "A people that elect corrupt politicians, imposters, thieves and traitors are not victims, but accomplices," George Orwell



                    #19
                    Originally posted by xoggoth
                    Similar, but mine are in Excel and named after a cartoon character although it is also encrypted with a proper encrypty code thing and password protected.
                    I used to do similar, but on a Psion, and I used a power on password as well. The advantage of that was that no other bugger could read the thing due to the (not cheap) flash disks which wouldn't fit on anything else.
                    Behold the warranty -- the bold print giveth and the fine print taketh away.



                      #20
                      If an externally-visible HTTP web server runs on a PC you control exclusively, you could knock up a simple web app that regurgitates host-specific web app passwords.

                      To use this scheme you would open a new browser tab or instance, and in this run your app via its URL such as https://www.myhost.co.uk:8090 (a non-standard port, for some slight extra obfuscation)

                      This would initially serve a simple form, into which you would first paste the URL of the target site requesting the password, from which your app would extract the host name to identify the password to use for that site.

                      Your app input form would also include a field(s) for a master password, or answers to a procedural question (anything ranging from clicking on the two of 20 columns containing the second letter of your pet's name to a Verified by VISA style array, whatever you feel comfortable with and are content is secure - It's your app remember).

                      Once the input was submitted, and validated by your app, this would then serve and run some JavaScript to run client-side ("onload") and copy the target web app's password into the Copy buffer, from where you could paste it into the target web app's password field.
                      Work in the public sector? Read the IR35 FAQ here
