InfoSec Favorites


Comments


Robert Yanus

I couldn't disagree more with this suggestion. With the sophistication of today's hackers and ID thieves this would be solved in no time at all. The idea of a password list alone is a bad idea, then to store it on the PC is just inviting trouble. As an information security trainer NEVER would I recommend this. My suggestion is just the opposite, no list on a PC and if you have a list, store it someplace very secure. Many people have minimal security protection on their PCs.

Diane Booth

Great advice! Now I won't dread changing my password as I will have a "plan". Thanks!

Jacob Harris

Robert

Thank you for your comment. You bring up a really good point - many people do not have the best security installed on their PCs. We have written about this on the blog before, and I think this is a good topic for us to revisit soon. Can you share your thoughts on how to have secure passwords without a list? I know many people who use the same password on every website so they can remember it, which isn't good either. I think your thoughts will be helpful to our readers.

Thanks again!

Risktical

Hi Jacob! Are you related to Jake Harris from “Deadliest Catch”? Ok, so much for humor – a few thoughts…

1. I think it is awesome that your employer is allowing your IT Security / Risk Management function to publicly blog.

2. Regarding your password list recommendation, what you have suggested could be practical for consumers depending on other security controls that prevent direct / indirect access to the password list.

a. We also have to keep in mind the capabilities of the “bad guys”. The approach you have outlined will probably stop an opportunistic script-kiddie or lesser skilled attacker (assuming they can get access to the file in the first place). This approach will not prevent higher skilled “bad guys” from being able to programmatically perform password guessing and just appending or pre-pending the values from the list to each guess.

b. To further build upon what you have suggested, I would submit that the “known” (not on the list) password needs to be complex as this would significantly strengthen resistance from password guessing attacks – should the list be compromised.

c. Ensure that OS patching and malware updates are regularly performed. These controls contribute to reducing the frequency of indirect access to the password list by bad guys or malware.

Of course – there are even additional steps we can take, but at the end of the day – and if we take a risk based approach to security – it comes down to layers of security that are hopefully low cost, practical, and address the majority of the bad scenarios.

Jon Bettinger

I would suggest an application created just for this problem. Stores all your passwords encrypted with a master password for access. http://keepass.info/ or http://agilewebsolutions.com/onepassword

Darrick

For those that use Outlook for e-mail, I have ended up saving all my log-in/password information in "notes" in Outlook. It keeps them in alphabetical order and is very convenient... But now I wonder if there are security concerns with this?
