Previously on "Remembering login names and passwords; is it dementia?"


  • RichardCranium
    replied
    Originally posted by Mich the Tester View Post
    Am I alone in this?
    No.

    I used to use a password-controlled PDA which was perfect for this use. Fast, cheap, light, 2 x AA batteries lasted months, proprietary encryption, no simple interface, could be backed up via a special cable to an encrypted file on a PC, and when that died asked for advice on here. For which I got abuse for not being able to remember passwords. <sigh>

    That PDA had 229 small text files, one for each web site / service / function. So one text file would look like this:

    BCS.txt
    Code:
    Richard Cranium  MBCS CITP
    British Computer Society
    Membership no. 990000666
    PIN: 1066
    Joined 01/04/2011
    Security question: Size of dick, answer: head
    Password: CumShot69
    Email account:
    - UserID: ab12
    - Password: piddlydiddly
    - Addresses: [email protected]  &  [email protected]
    - Forwards to: [email protected]
    Home email: [email protected]
    Work email: [email protected]
    Login: [email protected]
    So there are multiple entries per text file.

    One is called passwords.txt and that has details of all the little web sites that one logs in to such as Misco, Travelodge, Graze, Hornby, etc. That has another 2 x A4 pages of web site address, username, password.

    I must have thousands of discrete bits of information like that.

    My solution now?

    I don't have one because the cheap, usable, QWERTY-keyboard PDA market seems to have disappeared.

    Leave a comment:


  • Bunk
    replied
    Originally posted by KentPhilip View Post
    www.contractoruk .com
    (sockpuppet 3)
    zeitghost
    PA-sjf
    Zeity's password doesn't work

    Wait a minute, is he real?

    Leave a comment:


  • Sysman
    replied
    Originally posted by Paddy View Post
    I did the same and then the battery went flat, and the backup battery. Lost everything.
    I had an external disk which was safe. Of course I couldn't read it on the next Psion I got, because they'd changed the size of the things. So it was just as effectively lost. I think I threw it on the fire one night, out of disgust.

    Did you ever manage to find a mains adaptor for the thing? I had one on order for at least 6 months, but it never materialised. I never saw one in the shops either.

    Leave a comment:


  • Paddy
    replied
    Originally posted by Sysman View Post
    I used to do similar, but on a Psion, and I used a power on password as well. The advantage of that was that no other bugger could read the thing due to the (not cheap) flash disks which wouldn't fit on anything else.
    I did the same and then the battery went flat, and the backup battery. Lost everything.

    Leave a comment:


  • OwlHoot
    replied
    If an externally-visible HTTP web server runs on a PC you control exclusively, you could knock up a simple web app that regurgitates host-specific web app passwords.

    To use this scheme you would open a new browser tab or instance, and in this run your app via its URL such as https://www.myhost.co.uk:8090 (a non-standard port, for some slight extra obfuscation)

    This would initially serve a simple form, into which you would first paste the URL of the target site requesting the password, from which your app would extract the host name to identify the password to use for that site.

    Your app input form would also include a field(s) for a master password, or answers to a procedural question (anything ranging from clicking on the two of 20 columns containing the second letter of your pet's name to a Verified by VISA style array, whatever you feel comfortable with and are content is secure - It's your app remember).

    Once the input was submitted, and validated by your app, this would then serve and run some Javascript to run client-side ("onload") and copy the target web app's password into the Copy buffer, from where you could paste it into the target web app's password field.

    Leave a comment:
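The host-extraction step in the scheme described above decides which password gets released, so it has to refuse URLs that merely look like the target site. The following is an added example, not part of the original post: the vault contents, host names and function names are constructed for illustration, and the master-password check and clipboard step are left out.

```python
from urllib.parse import urlsplit

# Constructed vault: exact host name -> label of the stored entry (no real secrets).
VAULT = {"www.bank.example": "entry-bank", "shop.example": "entry-shop"}


def host_key(pasted_url):
    """Return the normalised host of an https URL, or None if it must be refused."""
    try:
        parts = urlsplit(pasted_url.strip())
        host = parts.hostname  # lowercased, without port or user@ prefix
    except ValueError:
        return None
    if parts.scheme != "https" or not host:
        return None  # never release a password for a cleartext or hostless URL
    if parts.username is not None or parts.password is not None:
        return None  # "https://real-site@other-host/" forms are refused outright
    try:
        # Internationalised names become their xn-- form, so a lookalike
        # character can never compare equal to the ASCII host in the vault.
        return host.rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return None


def lookup(pasted_url, vault=VAULT):
    """Exact host match only: no suffix, prefix or substring matching."""
    host = host_key(pasted_url)
    return vault.get(host) if host else None


if __name__ == "__main__":
    for url in (
        "https://WWW.Bank.Example:443/login?next=/",      # genuine, odd casing
        "https://www.bank.example@evil.example/login",    # user@host trick
        "https://www.bank.example.evil.example/login",    # subdomain trick
        "http://www.bank.example/login",                  # not https
    ):
        print(url, "->", lookup(url))
```

Matching on the exact parsed host, rather than searching the pasted string for a known name, is what keeps the second and third URLs from receiving the bank entry.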


  • Sysman
    replied
    Originally posted by xoggoth View Post
    Similar, but mine are in Excel and named after a cartoon character although it is also encrypted with a proper encrypty code thing and password protected.
    I used to do similar, but on a Psion, and I used a power on password as well. The advantage of that was that no other bugger could read the thing due to the (not cheap) flash disks which wouldn't fit on anything else.

    Leave a comment:


  • Paddy
    replied
    Originally posted by Mich the Tester View Post
    I have to remember an ever increasing number of login names, passwords, pin codes, etc etc for all the apps and networks at clientco, my bank cards, and 2 months ago my bank replaced my dial-in account with internet banking, and even though I've used the thing several times I can't remember the bloody login details; it's as if the part of my brain that stores login details has simply filled up and cannot store anything more. I've got paper lying around with all sorts of codes but can't find the one with the bloody details for the internet banking. Last week I stood in a shop trying to remember the pin code for a bank card I use every bloody day, and just couldn't remember it, so I used Lady Tester's card instead; then I got home and she told me my pin.

    Now the bloody Dutch government are changing the login details for all the government business departments, so even more bloody codes are coming my way.

    It's all too much. Am I alone in this?
    PIN numbers are easy if you convert them to words as per your phone keypad, e.g.: 7448 = S H I T

    Leave a comment:


  • Mr.Whippy
    replied
    Keepass all the way......... stores passwords securely, with AES & Twofish and they also do apps for iphone/android/blackberry/pocketPC and portableapps etc...

    So you can keep it handy at all times.

    Leave a comment:


  • Sysman
    replied
    Originally posted by meridian View Post
    Going slightly off tangent, what encryption scheme do these web sites use?

    How To Safely Store A Password

    A modern server can calculate the MD5 hash of about 330MB every second. If your users have passwords which are lowercase, alphanumeric, and 6 characters long, you can try every single possible password of that size in around 40 seconds.

    And that’s without investing anything.

    If you’re willing to spend about 2,000 USD and a week or two picking up CUDA, you can put together your own little supercomputer cluster which will let you try around 700,000,000 passwords a second. And that rate you’ll be cracking those passwords at the rate of more than one per second.

    Salts Will Not Help You

    It’s important to note that salts are useless for preventing dictionary attacks or brute force attacks. You can use huge salts or many salts or hand-harvested, shade-grown, organic Himalayan pink salt. It doesn’t affect how fast an attacker can try a candidate password, given the hash and the salt from your database.

    Salt or no, if you’re using a general-purpose hash function designed for speed you’re well and truly effed.
    I got this list in no more than 5 minutes Googling:

    Wordpress: MD5
    Drupal: MD5
    vBulletin: password_hash = md5(md5($password_text) . $user_salt);
    Joomla: MD5
    Serendipity: MD5

    Leave a comment:
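The point quoted in the post above, that a salt changes the stored value but not the cost of a guess, can be measured directly. The following is an added example, not part of the original post or of any of the listed projects: it reproduces the `md5(md5($password_text) . $user_salt)` construction from the list and compares it with PBKDF2-HMAC-SHA256, where the iteration count, sample passwords and function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time


def seconds_to_exhaust(guesses_per_second, alphabet=36, length=6):
    """Time to try every password of this shape at a given guess rate."""
    return alphabet ** length / guesses_per_second


def vbulletin_style(password, salt):
    """md5(md5($password_text) . $user_salt), the scheme listed in the post."""
    inner = hashlib.md5(password.encode()).hexdigest()
    return hashlib.md5((inner + salt).encode()).hexdigest()


def slow_hash(password, salt, iterations=200_000):
    """PBKDF2-HMAC-SHA256; the iteration count (an assumption) is the work factor."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_slow(password, salt, stored, iterations=200_000):
    """Constant-time comparison against the stored derived key."""
    return hmac.compare_digest(slow_hash(password, salt, iterations), stored)


def cost_ratio(rounds=2000):
    """Salted-MD5 guesses that cost the same as one PBKDF2 guess on this machine."""
    start = time.perf_counter()
    for i in range(rounds):
        vbulletin_style(f"guess{i}", "abc")
    fast = (time.perf_counter() - start) / rounds
    start = time.perf_counter()
    slow_hash("guess", b"abc")
    return (time.perf_counter() - start) / fast


if __name__ == "__main__":
    # A salt makes equal passwords store differently and defeats precomputed
    # tables, but each guess against one account still costs two MD5 calls.
    print(vbulletin_style("constructed-pw", "s1"), vbulletin_style("constructed-pw", "s2"))
    print("6 chars [a-z0-9] at 700M guesses/s:",
          round(seconds_to_exhaust(700_000_000), 1), "s")
    salt = os.urandom(16)
    stored = slow_hash("constructed-pw", salt)
    print("verify ok:", verify_slow("constructed-pw", salt, stored))
    print("one PBKDF2 guess costs about", round(cost_ratio()), "salted-MD5 guesses")
```

Raising `iterations` scales the cost of every guess by the same factor, which is the property the salted MD5 construction lacks.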


  • xoggoth
    replied
    have a word document on my desktop, with every single code on it, bank cards, game codes etc
    I have encrypted it by calling it shoppinglist.doc
    Similar, but mine are in Excel and named after a cartoon character although it is also encrypted with a proper encrypty code thing and password protected.

    Leave a comment:


  • Mich the Tester
    replied
    Originally posted by KentPhilip View Post
    What I've done is to write down the passwords into a single file using an alias in the form PA-xxx like:

    www.hsbc .co.uk
    phil1234
    PA-sba

    www.ebay .co.uk
    philip1234
    PA-sbb

    Server: Finance1
    (192.168.3.56 windows logon)
    admin
    PA-sbc

    Server: Finance5
    (192.168.3.56 ftp access)
    ftuser
    PA-sbd


    Then use Password Manager XP to encrypt and store these aliases and their corresponding passwords. $30 shareware.

    And I've added other data in the same way, with the data being the password, such as:

    Company number
    VAT number
    Lost credit card phone number
    Long credit card number
    wireless LAN security codes
    Mobile phone unlock code
    porn site accounts
    National Insurance number
    Passport number
    Driving licence number

    Allows you to keep both work and personal passwords in one place.
    Have got 192 items in total, so it does add up...


    www.contractoruk .com
    (sockpuppet 1)
    sasguru
    PA-sjd

    www.contractoruk .com
    (sockpuppet 2)
    dodgyagent
    PA-sje

    www.contractoruk .com
    (sockpuppet 3)
    zeitghost
    PA-sjf

    ...

    www.contractoruk .com
    (sockpuppet 100)
    kentphilip
    PA-slz
    Wow, nice idea, but I'm a tester and you're obviously a brainy person. I need quick and easy solutions for thickos.

    Leave a comment:


  • Mich the Tester
    replied
    Originally posted by Platypus View Post
    Yep. Same here.

    On ClientCo's laptop, which is forever forcing me to change passwords for intranet, email, etc, I have a file called Passwords.txt where I keep 'em all. And a Post-It stuck to the laptop with the Windows password on.

    If they make it too hard to remember and make you change it so often, what do they expect?
    Good idea; CUK always provides the answers!

    Leave a comment:


  • meridian
    replied
    Makes it easier for the crackers, I guess....

    Coding Horror: The Dirty Truth About Web Passwords


    Gawker Hack Release Notes - Coding Horror

    Leave a comment:


  • Pondlife
    replied
    This is just silly.

    Why doesn't everyone just email me their usernames and passwords. If you forget them you know you can get them from your reliable mate pondlife.

    I suggest we start with bank codes. Who wants to go first?

    Leave a comment:


  • SupremeSpod
    replied
    Originally posted by KentPhilip View Post
    What I've done is to write down the passwords into a single file using an alias in the form PA-xxx like:

    www.hsbc .co.uk
    phil1234
    PA-sba

    www.ebay .co.uk
    philip1234
    PA-sbb

    Server: Finance1
    (192.168.3.56 windows logon)
    admin
    PA-sbc

    Server: Finance5
    (192.168.3.56 ftp access)
    ftuser
    PA-sbd


    Then use Password Manager XP to encrypt and store these aliases and their corresponding passwords. $30 shareware.

    And I've added other data in the same way, with the data being the password, such as:

    Company number
    VAT number
    Lost credit card phone number
    Long credit card number
    wireless LAN security codes
    Mobile phone unlock code
    porn site accounts
    National Insurance number
    Passport number
    Driving licence number

    Allows you to keep both work and personal passwords in one place.
    Have got 192 items in total, so it does add up...


    www.contractoruk .com
    (sockpuppet 1)
    sasguru
    PA-sjd

    www.contractoruk .com
    (sockpuppet 2)
    dodgyagent
    PA-sje

    www.contractoruk .com
    (sockpuppet 3)
    zeitghost
    PA-sjf

    ...

    www.contractoruk .com
    (sockpuppet 100)
    kentphilip
    PA-slz

    You expect people who can't remember passwords and userids to use software like that?

    Leave a comment:
