Sanding our assholes with 150 grit.

Unprotected passwords in databases

I wonder how many companies keep users' passwords in an unencrypted state in their databases. MarkTAW said in another post that Trillian does. Earthlink does also. I called their tech support, and a friendly guy in India told me what my password is.

I guess that proves you should never reuse a password on any important system. I sure hope no one ever looks under my keyboard...
Permalink XYZZY 
January 17th, 2006
Heh, reminds me ... we had mandatory log-in to all machines at one time (you had to know the password at the machine you were using there weren't any user dialogues ... still do but it's changed because of this), we all hated it. Everyone had a mouse pad from one tech company or another and the rule of thumb was the log-in password was whatever was on the mouse pad. Admin went ballistic when they found out ... everybody else knew :)
Permalink PNII 
January 18th, 2006
I use random passwords for everything now. Heck, I use random usernames and email addresses too.
Permalink MarkTAW 
January 18th, 2006
MarkTAW, what are you using to keep track of them ... seems to me I've seen a recommendation for something on your site ... maybe not.
Permalink PNII 
January 18th, 2006
Tranglos Keynote.
Permalink MarkTAW 
January 18th, 2006
I have four passwords...

A 4 digit password for voice mail and PIN on debit cards.

A low-security password used for Slashdot and all other websites.

A medium-security password used for my email, server logins (except root), etc.

A high-security password used for banking.
Permalink Almost H. Anonymous 
January 18th, 2006
And I generate them here:

http://www.winguides.com/security/password.php

Depending on whether or not I actually care about the future of what I'm registering, I'll create a random email address and stick @dodgeit.com after the random string.
Permalink MarkTAW 
January 18th, 2006
For really throw away stuff, I just use bug-me-not.
Permalink Almost H. Anonymous 
January 18th, 2006
I couldn't tell you what any of my passwords are.
Permalink MarkTAW 
January 18th, 2006
Tranglos Keynote
News: 20 Oct 2005: All projects are closed down
http://www.tranglos.com/free/keynote.html
Permalink PNII 
January 18th, 2006
"couldn't tell you what any of my passwords are."

Then... ummm.. how do you use them?
Permalink Almost H. Anonymous 
January 18th, 2006
I've been doing this for years:

http://www.schneier.com/blog/archives/2005/06/write_down_your.html

And since Schneier agrees with me, it must be the right thing to do...

I generate pseudo-random letter and number passwords for critical things, have another less random but obscure one for web sites and I mostly memorize them, but carry around a small printout of them.
Permalink Ward Bush 
January 18th, 2006
They're kept in an encrypted database, I copy/paste where necessary, and let FireFox remember the rest. The file is kept in 3 locations - on my hard drive, on a USB thumb drive, and in a hidden/password protected directory on my server, so I can access it from anywhere I need to.
Permalink MarkTAW 
January 18th, 2006
Ugh. My MS password is 17 characters - mixed case letters and numbers. Not as bad as the last one - a record at [counting] heh, cool - 42!

Philo
Permalink Philo 
January 18th, 2006
Citibank made us change our password every 60 days, and it checked to make sure there were no two consecutive identical letters, and it wasn't just a variation on the last password.

Just about everyone called the information security department for a reset once or twice a year.
Permalink MarkTAW 
January 18th, 2006
MS' Speech Server is one of those things that drives the "If you want your account balance, say 'balance'" things.

The folks that sell it have multiple TCO studies that show that if a company sets it up for automated password resets it pays for itself in months.

Philo
Permalink Philo 
January 18th, 2006
Philo:

You had 42! characters in your password? That's way paranoid :)
Permalink Not Waving But Drowning 
January 18th, 2006
It's probably a passphrase of some sort.
Permalink MarkTAW 
January 18th, 2006
It was a maths joke Mark. 42! is 42 factorial :)
Permalink Andy 
January 18th, 2006
The last company I worked for was just starting to migrate to encrypted passwords. Each site had its own salt, and the encryption was SHA, done in JavaScript at the client, so a clear-text pwd never crossed the wire. As sites were converted to new technology (ok, asp-classic to asp.net 1.1), they'd also get converted to the new login/pwd scheme. Since that made the passwords one-way, the "help I fell off my barstool and forgot my password" page would send an email with a guid, and that link would be usable for a short period (hour?)

In the early years of evercrack, many people were wondering why so many accounts were getting "hacked." What transpired was that many players used the same login/pwd for their game account that they used for accessing forums/websites. Hack some of the forums, or set up your own honeypot, and you would be able to harvest a surprisingly large number of EQ accounts (to me, more than zero is a surprise, and numbers I heard were something like 5% of a forum's users would be using the same login/pwd). I'd like to pretend that folks who are this kind of naive have long since quit the game, but I think there are going to be more where they came from.

Alas, when McKinstry's wet dream of webcams everywhere and 24/7/365 surveillance becomes the norm, snooping bastards will be watching your webcam when you turn the keyboard over to "recover" your passwords. Of course, then we'll really discover that the internet was invented for porn judging by the number of wankings.

http://video.google.com/videoplay?docid=-4446981554735098778
Permalink Peter 
January 18th, 2006
Oh, that link *is* safe for work, it is just the laughter that will get you in trouble.
Permalink Peter 
January 18th, 2006

This topic was originally posted to the off-topic forum of the
Joel on Software discussion board.
