NikonGear'23

The NikonGear Office => Site Issues => Topic started by: Andrea B. on August 10, 2019, 17:27:23

Title: Password Security Reminder
Post by: Andrea B. on August 10, 2019, 17:27:23
Letting your browser save passwords is not considered secure.

Look for an app called a password safe, manager or vault. Install it, learn how to use it and keep your login passwords there.

For general info about storing passwords, read this: Password Manager (https://en.wikipedia.org/wiki/Password_manager).

As a particular example, you might want to read about 1Password (https://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=23&ved=2ahUKEwiPiIr7zPjjAhUBW60KHRB9DmwQFjAWegQIAxAB&url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2F1Password&usg=AOvVaw1H2Jcmpoy6GCMhN_9wIERI), a free version of which I use on my MacBook.  [I have *no* affiliation with Agile Bits.]

There are lots more choices for this kind of app. List of Password Managers (https://en.wikipedia.org/wiki/List_of_password_managers). Use of a password manager also permits creation of complex, unhackable passwords.

I'll add these two bits, FWIW. It's probably best not to use a cloud-based password manager. Clouds have been known to disappear. There are hacks every day of online data banks. But on the matter of clouds, YMMV.  ;)

Should I mention backups here? Nah!
I'm sure everyone would know that their password manager requires a backup.

 8)
Title: Re: Password Security Reminder
Post by: Anthony on August 10, 2019, 19:57:54
I use Apple Keychain.  Are you aware of any issues with this?
Title: Re: Password Security Reminder
Post by: CS on August 10, 2019, 20:27:40
I use Apple Keychain.  Are you aware of any issues with this?

I've been using 1Password, the paid versions, for 12 years, and I highly recommend it over Apple Keychain.

https://www.macworld.com/article/3060630/why-not-pick-keychain-instead-of-1password-or-lastpass.html
Title: Re: Password Security Reminder
Post by: Andrea B. on August 10, 2019, 20:35:35
Anthony, password security is not my area! So I don't know what password manager apps might be considered vulnerable, or not, across the various platforms. I only know about the particular one I happen to use.  :)
Title: Re: Password Security Reminder
Post by: Hugh_3170 on August 11, 2019, 15:10:50
Anthea, a timely reminder.  Thanks.

Do you know off hand what the rules for the NG password are, including its minimum and maximum lengths, allowable characters, its  UC and LC alpha requirements, and the minimum numbers of each character type that are required etc?

TIA.

EDIT:

I see that the NG site says:


Choose password
For best security, you should use eight or more characters with a combination of letters, numbers, and symbols.


New Question:  is 8 characters on the short side and should there be rules about the minimum numbers of upper and lower case alphabetic characters and numbers of special characters??  Maybe also an enforced update period?

Title: Re: Password Security Reminder
Post by: Anthony on August 11, 2019, 19:23:15
I've been using 1Password, the paid versions, for 12 years, and I highly recommend it over Apple Keychain.

https://www.macworld.com/article/3060630/why-not-pick-keychain-instead-of-1password-or-lastpass.html

Thanks for the comment and link.  I seem to fit the profile for Keychain, so will continue to use it for the time being.
Title: Re: Password Security Reminder
Post by: Ann on August 11, 2019, 19:38:17
Keychain works well enough for me.

Actually I get fairly infuriated by the need for Passwords and ever-increasing "Security" requirements.

Luckily I live in a place where security doesn't seem to matter too much: I never lock my car; only lock my house if I am actually going to be away; and have friends in the area who tell me that they don't even know where their house key is!
Title: Re: Password Security Reminder
Post by: CS on August 11, 2019, 20:24:34
Keychain works well enough for me.

Actually I get fairly infuriated by the need for Passwords and ever-increasing "Security" requirements.

Luckily I live in a place where security doesn't seem to matter too much: I never lock my car; only lock my house if I am actually going to be away; and have friends in the area who tell me that they don't even know where their house key is!

It's not likely that you get more agitated with the ever increasing security requirements than I do. One that really draws my ire is "Two Factor Authentication", YUK!

One might never draw the interest of some hacker, but, woe be to them if that happens and their password(s) are not up to the hacker's abilities.  I'm not knocking Apple Keychain, I just prefer 1Password which also works across our iPhones and iPad. Of course it goes without saying,  YMMV.  ;)

It's great that you live in a safe area, but I'm not seeing the relevance of that WRT internet security, where your physical location is not a factor. Back when I was a kid, we lived in a safe area, now we live in a gated community, how times have changed.
Title: Re: Password Security Reminder
Post by: Ann on August 11, 2019, 21:01:56
I also do not look forward to being made to use two-stage authentication.

For that reason, I am deliberately one OS behind on my computers; and will only upgrade once the software which I use on a daily basis requires that I update my OS.

What becomes increasingly burdensome is maintaining parity of  OS, Site access and Passwords between several different computers and a number of other devices.
Title: Re: Password Security Reminder
Post by: Frank Fremerey on August 11, 2019, 21:08:03
The problem I have is 25 Billion accounts with 25 Billion Passwords all in my head. With a password manager I would create one single point of failure and give all of my head free with only one Username / Password combination opening my Password manager. A password Manager is in my opinion a security risk I am not ready to take. Much better seems to me the two channel auth per site with different mobile numbers, Apps and Email providers having to be combined for ONE login.
Title: Re: Password Security Reminder
Post by: CS on August 11, 2019, 21:50:14
I also do not look forward to being made to use two-stage authentication.

For that reason, I am deliberately one OS behind on my computers; and will only upgrade once the software which I use on a daily basis requires that I update my OS.

What becomes increasingly burdensome is maintaining parity of  OS, Site access and Passwords between several different computers and a number of other devices.

And if that's not enough, some sites will accept your login info. then periodically hit you with a few security questions to be answered before you get to where you want to go. I just love to spend more time accessing a site than I do using it once I get by their idea of security!
Title: Re: Password Security Reminder
Post by: Andrea B. on August 11, 2019, 21:55:16
New Question:  is 8 characters on the short side and should there be rules about the minimum numbers of upper and lower case alphabetic characters and numbers of special characters?? Maybe also an enforced update period?

If we have transmission protected between your browser and the server and between the server and your browser, then I'm thinking that is enough. I don't see the need to *force* password complexity upon the Membership. But it is easy enough to do should the Membership eventually decide that they would like to have such a feature.  :)

Title: Re: Password Security Reminder
Post by: Ann on August 11, 2019, 22:19:35
I am very happy with the way Passwords in NG work now Andrea — I don't need any further complexity in my life!
Title: Re: Password Security Reminder
Post by: CS on August 11, 2019, 22:54:06
2 birds with one stone approach. This is a PNG test, plus, showing a screenshot of the 1password password generator window to show its versatility for password creation. The green bar indicates the strength of the passwords as you generate them.

Title: Re: Password Security Reminder
Post by: pluton on August 15, 2019, 08:10:39
The complex, un-memorizable passwords created by password managers are useless if you are trying to access your account or website from someone else's computer....something that normally doesn't happen, but could very well happen in case of emergency---the house burns down, etc.  All the websites I visit that have money involved have unique passwords that I made up and that I remember....or that I can look up on my handy small stack of 4x6" index cards which I try to leave on my desk at all times.
Yeah, those gimmicks like the "security questions" and the 'I Am Not A Robot' captchas are annoying.  I'm confident that the various market research departments know that we all hate them.
Title: Re: Password Security Reminder
Post by: Seapy on August 15, 2019, 09:36:49
The complex, un-memorizable passwords created by password managers are useless if you are trying to access your account or website from someone else's computer....something that normally doesn't happen, but could very well happen in case of emergency---

And in the case of an emergency the last thing you need is to be locked out of your vital accounts.

My self generated passwords contain a code which is easy for me to memorise, yet individually remains reasonably complex which contains a unique pattern of upper and lower case characters, numbers and punctuation.  Given nothing of great value is at stake that's good enough in my book, with uppercase, lowercase, numbers and punctuation the number of combinations must be quite large, even with *only* 8 characters, it's not going to be guessed manually and brute force seems unlikely to be used to access an individual's forum account.  I use the Apple password management 'keychain' to store my passwords, which I believe involves automatically encrypting them while they are transmitted and stored, for convenience while accessing various websites and institutions.  I believe that's 'good enough'.

Websites limiting the number of attempts to access an account, then locking access for that account might be a simple way to prevent some casual attempts to make unauthorised access.

I do have them backed up in a little black book and to some degree they are memorable, although the way my memory is deteriorating not for much longer!!!  I think a card index wouldn't be ideal for me because individual cards might be lost or pilfered by small fingers, a small black book hidden away seems more secure.

I think we need to keep security below the level where it gets in the way of enjoying easy access, yet keep unintended, unwanted intruders at bay.  While this forum and others are a valuable asset for us, I can't see criminals devoting serious time trying to break passwords simply in order to post here.  They can after all read any item they wish for free and even make screenshots of as many images as they wish.
Title: Re: Password Security Reminder
Post by: Bruno Schroder on August 15, 2019, 13:40:18
Using a unique password for each web site is not too hard, with the right method. If you’re an average individual user, not an employee of a well known organisation or a very visible individual, the same advice I’ve been giving for 30 years still applies.

Never use any existing word as password.
Use a unique password of at least 12 mixed characters, preferably 15 or 4 words chosen at random.


Unique password generation method:
-   Choose a song whose lyrics are widely available on the web so that you can always easily retrieve them
-   Choose your own personal combination of 3 special characters
-   Choose your rule to identify each web site, usually the first or the last 2 or 3 letters of the name
-   Take the first letter of each word in a line of the lyrics
-   Add your 3 special characters combination always at the same place
-   Add the web site identifier always at the same place

Using the first line of this song https://genius.com/Bob-dylan-the-times-they-are-a-changin-lyrics,
Come gather 'round people, wherever you roam,
 :”{ in 5th position
2 capital letters web ID in the end

produces for NikonGear: Cg’rp:”{,wyrNI or for Ebay: Cg’rp:”{,wyrEB

Type it a few times, muscle memory kicks in and it becomes very easy.

To completely renew your passwords, take the next line in the lyrics.
To retrieve a forgotten password, you only need to remember which line of the lyrics, your unique 3 special characters and position, your rule for identifying the web site and position.

I’ve been using this for almost 30 years and can retrieve forgotten passwords with a few tries.
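
Added example, not part of the post above: the derivation steps implemented in Python, reproducing the two sample passwords (with ASCII quotes in place of the curly ones) and measuring how many characters change from site to site, next to a password drawn from `secrets`. The punctuation handling in `skeleton` and all function names are assumptions inferred from the sample output.

```python
import math
import secrets
import string

LYRIC = "Come gather 'round people, wherever you roam"  # line quoted in the post
SPECIALS = ':"{'   # the post's three special characters, ASCII quotes
SPECIALS_AT = 5    # inserted after the first five characters
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def skeleton(line):
    """First letter of each word; a leading apostrophe and interior commas are kept (assumed rule)."""
    out = []
    for word in line.split():
        i = 0
        while i < len(word) and not word[i].isalpha():
            i += 1
        out.append(word[:i + 1])      # "'round" -> "'r"
        if word.endswith(","):
            out.append(",")
    return "".join(out)


def derive(site, line=LYRIC):
    """Lyric skeleton + fixed specials + first two letters of the site name in capitals."""
    base = skeleton(line)
    return base[:SPECIALS_AT] + SPECIALS + base[SPECIALS_AT:] + site[:2].upper()


def shared_prefix(a, b):
    """Number of leading characters two passwords have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def random_password(length=15):
    """Independent per-site password from the OS CSPRNG, as a password manager would generate."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def bits(choices, length):
    """Entropy in bits of `length` symbols drawn uniformly from `choices` options."""
    return length * math.log2(choices)


def report(sites=("NikonGear", "Ebay")):
    a, b = (derive(s) for s in sites)
    same = shared_prefix(a, b)
    return {
        "passwords": (a, b),
        "shared_prefix": same,
        "varying_chars": len(a) - same,
        # Upper bound: the two letters follow from the site name once the rule is known.
        "per_site_bits": round(bits(26, 2), 1),
        "random_bits": round(bits(len(ALPHABET), 15), 1),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
    print("random example:", random_password())
```

The two derived passwords share their first 12 characters, so the only per-site difference is the two-letter suffix, whereas two outputs of `random_password` are unrelated to each other.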
Title: Re: Password Security Reminder
Post by: CS on August 15, 2019, 18:47:58
The complex, un-memorizable passwords created by password managers are useless if you are trying to access your account or website from someone else's computer....something that normally doesn't happen, but could very well happen in case of emergency---the house burns down, etc.  All the websites I visit that have money involved have unique passwords that I made up and that I remember....or that I can look up on my handy small stack of 4x6" index cards which I try to leave on my desk at all times.
Yeah, those gimmicks like the "security questions" and the 'I Am Not A Robot' captchas are annoying.  I'm confident that the various market research departments know that we all hate them.

Good points, Keith. However, the fact that 1Password (I have no experience with other 3rd party password managers, so I am not familiar with their capabilities) also  works from phone or tablet helps a great deal. Throw in a VPN and you're pretty safe. Then there's the part where you can access your computer remotely, from someone else's computer, unless your computer has become inaccessible, house burns down, etc, thereby accessing your destination of choice from your own machine. Not to say all of that makes things perfect, but they offer greater flexibility than one has without them, unless, they have a reliable alternative, such as you mention. OTOH, your index cards would not be useful from a remote location, someone else's computer, etc.

Using your own password creations is great, if you can recall each and every one, each and every time, as needed. Of course, the simpler you make them for yourself, the easier they become for hackers. Without doubt, the more secure passwords that one can use are not memorize-able, at least not by me. Having said all of that, not any particular solution works for everyone.

I find the "I am not a robot" images too small for my AMD affected eyesight to deal with. Moreover, I'm sure that my explicit comments concerning that feature would not be acceptable on this site.  ;)
Title: Re: Password Security Reminder
Post by: Andrea B. on August 15, 2019, 21:37:40
I can't see criminals devoting serious time trying to break passwords simply in order to post here.

Password snoopers are not looking for your password in order to post here.

Hackers are looking for ways into websites in order to use the website's platform to spew clickable, money-generating spam, often porn. (This spam spewing thing happened to UVP in its early days.)

Hackers are looking for password patterns, such as the generating scheme mentioned above, which you might use on your other sites such as your bank account. Hackers are looking for passwords in order to plant ransomware by kidnapping your photos or personal health information or your financial information. Need I go on? No, you get the drift.

All those patterns and schemes you use to generate rememberable passwords? Hackers know those methods too and use them to crack your passwords with high speed computing which can generate literally gazillions of password hack attempts per second. It is probably not a good idea to use any schema or pattern to generate passwords. Cryptology tells us that randomly generated passwords making use of upper/lower case letters, digits and keyboard symbols are the way to go. Then send the password via HTTPS and transmit it over a VPN.

...gimmicks like the "security questions" and the 'I Am Not A Robot' captchas are annoying.

Those are not gimmicks used for your security. Those are used by a website to try to prevent bots from setting up false accounts. We have to remove fake bot accounts regularly even with security questions. Hackers use bots to set up a false account in order to look for any way into a website or into your accounts that they can find.


The complex, un-memorizable passwords created by password managers are useless if you are trying to access your account or website from someone else's computer.

If you are trying to access a financial account (for example) and are not using your home computer, then you *should* be blocked from access until you go through a two-party authentication. Financial institutions (banks, credit cards, brokers, etc) now keep track of where and how you log in so that they can look for suspicious logins. If you do not have a bank which offers two-party authentication, then get another bank! If a bank or a website offers to "remember" your computer, say NO.

It is not important to the bank or to marketing researchers whether or not you "like" two-party authentication because they are attempting to defeat fraud which costs them hundreds of millions of dollars a year. And besides, if some hacker finds a way into your financial accounts, then the bank knows you are going to raise holy hell and call a lawyer to go after them.

It is pretty bad out there in the Inter-Webs and Security is *not* a YMMV kind of thing. Make use of all the security you can set up when online -- strong random passwords, two-party authentication, browsers which support privacy, security questions, CAPTCHAs, password vaults, VPNs.

BTW, never, never, NEVER ever use your mother's maiden name in a security question.
They are all listed on Ancestry.com which is accessible by anybody for a mere $59/year. :D :D :D

That's all the advice I have for now. I'll be back in 2 or 3 months to check how things are going for Birna and the Crew. Adios!

Title: Re: Password Security Reminder
Post by: Ann on August 15, 2019, 21:53:54
I have just noticed the huge (30-fold!) increase in on-line visitors to NG in recent days.

I can't believe that this is a mere co-incidence but am fairly confident that it is probably the direct result of Andrea's hard work to get SSL Certification and make NG "Secure".



Title: Re: Password Security Reminder
Post by: Seapy on August 15, 2019, 21:55:04
Thank you Andrea, for taking the time and trouble to correct my misconceptions and for the sage advice on passwords.
Title: Re: Password Security Reminder
Post by: Seapy on August 15, 2019, 22:00:45
I have just noticed the huge (30-fold!) increase in on-line visitors to NG in recent days.

I can't believe that this is a mere co-incidence but am fairly confident that it is probably the direct result of Andrea's hard work to get SSL Certification and make NG "Secure".

One possibility, in addition to your theory is the titles of the threads.  I have noticed on our modest DSLR site that certain thread titles attract disproportionately large viewing figures, way way greater than our membership, some of that was prior to upgrading to HTTPS.
Title: Re: Password Security Reminder
Post by: bobfriedman on August 16, 2019, 02:43:47
strong password generator

https://passwordsgenerator.net
Title: Re: Password Security Reminder
Post by: Andrea B. on August 16, 2019, 18:51:50
That password generator site also has a name generator.
My new name is Zyonna Hacksworth.