Re: [FRIAM] Password Change Requests

2014-04-19 Thread Robert Holmes
On Fri, Apr 18, 2014 at 8:34 PM, Barry MacKichan barry.mackic...@mackichan.com wrote:

> Since I use a password manager (1Password) there is very little cost in
> keeping a 20-character password (which I never type anyway) even for those
> sites with 2-factor authentication.


Doesn't this make those accounts highly insecure with respect to actual
physical theft of your laptop (which I'm guessing is more common than
identity theft)? If someone steals your computer do they then have access
to all the sites whose credentials you have stored in 1Password?

I must admit, this is the one issue that has kept me from adopting
1Password, LastPass etc. I'm lazy and I just know that at some point I
would hit the Save this password? button when prompted by my browser and
bang, there goes my security.

—Robert

FRIAM Applied Complexity Group listserv
Meets Fridays 9a-11:30 at cafe at St. John's College
to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

Re: [FRIAM] Password Change Requests

2014-04-19 Thread Gary Schiltz
I was always worried about that before I started LastPass, so I had already 
turned off the feature of saving passwords in my browsers, and cleared out 
already saved ones. That left me with having to remember passwords or writing 
them down somewhere, or equally bad, storing them in a file somewhere on the 
computer, or using the same password for many accounts.

What I like about LastPass (and I assume the same applies to 1Password, 
DashLane, etc.) is that I only have to remember one pass phrase, and I make 
sure my setup does not store the pass phrase (it’s only in my head). Even 
LastPass doesn’t have it, as all the encryption/decryption is done locally. 
What is stored on their servers is my encrypted blob, which gets automatically 
synchronized to any browser that I have installed, even across machines. 
Perhaps it’s naive on my part, but I do trust that even if someone gets a hold 
of my encrypted blob, it is for all practical purposes just an impenetrable 
blob of random bits as long as nobody gets a hold of my pass phrase, which is 
stored nowhere but in my head.

I went with LastPass mainly because they were the only company that I found 
that provided the “sync your encrypted blob to all your devices” for free. 
There was a way of doing so with 1Password to manually sync using DropBox, but 
I got lazy and went with the one that provided that feature for free. Of 
course, in all this, I’m talking about free as in beer, not free as in freedom.

Gary

On Apr 19, 2014, at 4:15 AM, Robert Holmes rob...@robertholmes.org wrote:

> On Fri, Apr 18, 2014 at 8:34 PM, Barry MacKichan barry.mackic...@mackichan.com wrote:
>
> > Since I use a password manager (1Password) there is very little cost in
> > keeping a 20-character password (which I never type anyway) even for those
> > sites with 2-factor authentication.
>
> Doesn't this make those accounts highly insecure with respect to actual
> physical theft of your laptop (which I'm guessing is more common than
> identity theft)? If someone steals your computer do they then have access to
> all the sites whose credentials you have stored in 1Password?
>
> I must admit, this is the one issue that has kept me from adopting 1Password,
> LastPass etc. I'm lazy and I just know that at some point I would hit the
> Save this password? button when prompted by my browser and bang, there goes
> my security.
>
> —Robert
 


Re: [FRIAM] Password Change Requests

2014-04-19 Thread Owen Densmore
On Sat, Apr 19, 2014 at 3:15 AM, Robert Holmes rob...@robertholmes.org wrote:

> snip
> I must admit, this is the one issue that has kept me from adopting
> 1Password, LastPass etc. I'm lazy and I just know that at some point I
> would hit the Save this password? button when prompted by my browser and
> bang, there goes my security.

It doesn't work that way: the pw managers are extensions, thus the browser
does not ask to save the super password, the one for 1P, LastPass etc.
There's no way for it to be automatic.

   -- Owen


Re: [FRIAM] Password Change Requests

2014-04-19 Thread Robert Holmes
I'm not grokking something then... I thought Barry's setup was automatic,
which is why he never had to enter his 20 character password?
On Apr 19, 2014 4:26 PM, Owen Densmore o...@backspaces.net wrote:

> On Sat, Apr 19, 2014 at 3:15 AM, Robert Holmes rob...@robertholmes.org wrote:
>
> > snip
> > I must admit, this is the one issue that has kept me from adopting
> > 1Password, LastPass etc. I'm lazy and I just know that at some point I
> > would hit the Save this password? button when prompted by my browser and
> > bang, there goes my security.
>
> It doesn't work that way: the pw managers are extensions, thus the
> browser does not ask to save the super password, the one for 1P, LastPass
> etc.  There's no way for it to be automatic.
>
> -- Owen

 

Re: [FRIAM] Password Change Requests

2014-04-19 Thread Owen Densmore
The pw manager extensions (1password, lastpass etc) require a master
password to open them, the one password that rules them all.

Once open, the pw manager has a list of sites.  You click on the one you
want.  It goes to the appropriate URL and fills in the required fields to
log you into that particular site.

   -- Owen


On Sat, Apr 19, 2014 at 12:53 PM, Robert Holmes rob...@robertholmes.org wrote:

> I'm not grokking something then... I thought Barry's setup was automatic,
> which is why he never had to enter his 20 character password?
> On Apr 19, 2014 4:26 PM, Owen Densmore o...@backspaces.net wrote:
>
> > On Sat, Apr 19, 2014 at 3:15 AM, Robert Holmes rob...@robertholmes.org wrote:
> >
> > > snip
> > > I must admit, this is the one issue that has kept me from adopting
> > > 1Password, LastPass etc. I'm lazy and I just know that at some point I
> > > would hit the Save this password? button when prompted by my browser and
> > > bang, there goes my security.
> >
> > It doesn't work that way: the pw managers are extensions, thus the
> > browser does not ask to save the super password, the one for 1P, LastPass
> > etc.  There's no way for it to be automatic.
> >
> > -- Owen

 

Re: [FRIAM] Password Change Requests

2014-04-19 Thread Barry MacKichan
I *do* have to enter the master password for 1Password. From then on, 
for all my accounts, it is automatic or, at the worst, copy and paste.


—Barry



On 19 Apr 2014, at 14:20, Owen Densmore wrote:

> The pw manager extensions (1password, lastpass etc) require a master
> password to open them, the one password that rules them all.
>
> Once open, the pw manager has a list of sites.  You click on the one you
> want.  It goes to the appropriate URL and fills in the required fields to
> log you into that particular site.
>
> -- Owen
>
>
> On Sat, Apr 19, 2014 at 12:53 PM, Robert Holmes rob...@robertholmes.org wrote:
>
> > I'm not grokking something then... I thought Barry's setup was automatic,
> > which is why he never had to enter his 20 character password?
> > On Apr 19, 2014 4:26 PM, Owen Densmore o...@backspaces.net wrote:
> >
> > > On Sat, Apr 19, 2014 at 3:15 AM, Robert Holmes rob...@robertholmes.org wrote:
> > >
> > > > snip
> > > > I must admit, this is the one issue that has kept me from adopting
> > > > 1Password, LastPass etc. I'm lazy and I just know that at some point I
> > > > would hit the Save this password? button when prompted by my browser and
> > > > bang, there goes my security.
> > >
> > > It doesn't work that way: the pw managers are extensions, thus the
> > > browser does not ask to save the super password, the one for 1P, LastPass
> > > etc.  There's no way for it to be automatic.
> > >
> > > -- Owen



Re: [FRIAM] Password Change Requests

2014-04-19 Thread Brent Auble
At least with LastPass (and presumably with 1Password as well), there's an 
option to save the master password in the browser extension so you don't have 
to type it in when you open the browser.  That obviously reduces the security 
of it tremendously, but is a risk largely determined by the likelihood of that 
computer being taken and used by someone nefarious who can also get past the 
password on the computer.

If you don't save the master password, then you do have about as secure a 
password system as possible, given that the computer is still connected to the 
Internet.

Brent



From: Owen Densmore o...@backspaces.net
To: The Friday Morning Applied Complexity Coffee Group friam@redfish.com
Sent: Saturday, April 19, 2014 4:20 PM
Subject: Re: [FRIAM] Password Change Requests

> The pw manager extensions (1password, lastpass etc) require a master password
> to open them, the one password that rules them all.
>
> Once open, the pw manager has a list of sites.  You click on the one you want.
> It goes to the appropriate URL and fills in the required fields to log you into
> that particular site.
>
>    -- Owen
>
>
> On Sat, Apr 19, 2014 at 12:53 PM, Robert Holmes rob...@robertholmes.org wrote:
>
> > I'm not grokking something then... I thought Barry's setup was automatic,
> > which is why he never had to enter his 20 character password?
> > On Apr 19, 2014 4:26 PM, Owen Densmore o...@backspaces.net wrote:
> >
> > > On Sat, Apr 19, 2014 at 3:15 AM, Robert Holmes rob...@robertholmes.org wrote:
> > >
> > > > snip
> > > > I must admit, this is the one issue that has kept me from adopting
> > > > 1Password, LastPass etc. I'm lazy and I just know that at some point I would
> > > > hit the Save this password? button when prompted by my browser and bang,
> > > > there goes my security.
> > >
> > > It doesn't work that way: the pw managers are extensions, thus the browser
> > > does not ask to save the super password, the one for 1P, LastPass etc.
> > > There's no way for it to be automatic.
> > >
> > >    -- Owen


Re: [FRIAM] Password Change Requests

2014-04-18 Thread glen

On 04/18/2014 10:12 AM, Owen Densmore wrote:

> In addition, lots of sites let you login with Google, Facebook, Twitter and
> others.  So if we have a small number of 2-factor providers, the hassle
> would be minimized.

I reject the argument for centralization.  It seems to me a
decentralized approach will be more robust.

> Why would this be useful?  You could use a small set of passwords for
> various 2-factor providers and attach your several hundred logins to them.
> You could also use much simpler passwords, because password vulnerability
> would no longer completely expose you to the bad guys, unless they steal
> your mobile devices (phone, tablet, etc)

On the one hand, you're arguing for convenience and, on the other,
security.  This is akin to Franklin's accusation: “Those who would give
up essential Liberty, to purchase a little temporary Safety, deserve
neither Liberty nor Safety”.  You're optimizing 2 conflicting
constraints.  That's OK.  But it would be better to be excruciatingly
clear what the two objectives really are.  What are they?

> Google has the notion of trusted devices which reduces the
> PIN annoyance on your own devices: laptop, phone, tablet etc.  It also has
> backup passwords for apps/devices which cannot manage the 2-factor login.
> It's been fine for me for over a year.
>
> Is it time to migrate to 2-factor as much as one can?

My answer to this is absolutely!  But not if it's going to encourage
more sloppiness on the part of most people.  If it encourages people to
put all their faith in Google or Facebook, to centralize on them as a
convenient service, then I'd argue it degrades security.  It would
defeat the very purpose.

I'd rather argue that everyone implement and use their own 2-factor auth.

Personally, I don't see what the problem is.  Yeah, 100s of long
non-mnemonic passwords is inconvenient... but so is driving, brushing
your teeth, digging holes in your garden, etc.  Unless your objective is
to become a brain-in-a-vat, you either have to learn to love what you do
or stop doing the things you don't love.  Convenience is the _enemy_.


--
⇒⇐ glen



Re: [FRIAM] Password Change Requests

2014-04-18 Thread Marcus G. Daniels
On Fri, 2014-04-18 at 10:45 -0700, glen wrote:

> Convenience is the _enemy_.

Convenience has a cost.  Pay it.  If there is to be centralization, use
economies of scale to detect and adapt to fraud rather than try to prevent
it.  I agree these schemes to find a trustworthy agent are doomed to
failure.  It just changes the target and the nature of the attack.  As
we have seen, the NSA certainly has the means to correlate a few
devices.

Marcus






Re: [FRIAM] Password Change Requests

2014-04-18 Thread Steve Smith



> > Convenience is the _enemy_.
>
> Convenience has a cost.  Pay it.

Integrity has a cost, pay it.

> If there is to be centralization, use
> economies of scale to detect and adapt to fraud rather than try to prevent
> it.

Very well stated.   Evolved systems do precisely this (adapt and exploit
economies of scale and other features).

As individuals with enlightened self interest it would seem to be in
our interest to understand how these things work and work *with* them
rather than continue to try to brute-force *engineer* these things.

Engineer in the small things (local), evolve in the larger things (global)?

> I agree these schemes to find a trustworthy agent are doomed to
> failure.  It just changes the target and the nature of the attack.  As
> we have seen, the NSA certainly has the means to correlate a few
> devices.

Yes, like that.

- Steve





Re: [FRIAM] Password Change Requests

2014-04-18 Thread Barry MacKichan
I use 2-factor authentication on those sites that implement it, but I 
will not use a login from Google, for example, for anything besides 
logging into Google (which I never do anyway). I don't want Google to 
know every site I log into. I think it's creepy.


Since I use a password manager (1Password) there is very little cost in 
keeping a 20-character password (which I never type anyway) even for 
those sites with 2-factor authentication.


—Barry



On 18 Apr 2014, at 11:12, Owen Densmore wrote:

> I've been getting a trickle of "time to change your password" emails due
> to Heartbleed.
>
> So once again, the issue of a good password strategy comes up.
>
> In the perfect world, I'd love the 2-factor approach: password + generated
> PIN.  Especially if a single PIN generator could be used, like Google
> Authenticator.
>
> In addition, lots of sites let you login with Google, Facebook, Twitter and
> others.  So if we have a small number of 2-factor providers, the hassle
> would be minimized.
>
> Why would this be useful?  You could use a small set of passwords for
> various 2-factor providers and attach your several hundred logins to them.
> You could also use much simpler passwords, because password vulnerability
> would no longer completely expose you to the bad guys, unless they steal
> your mobile devices (phone, tablet, etc)
>
> Google has the notion of trusted devices which reduces the
> PIN annoyance on your own devices: laptop, phone, tablet etc.  It also has
> backup passwords for apps/devices which cannot manage the 2-factor login.
>
> It's been fine for me for over a year.
>
> Is it time to migrate to 2-factor as much as one can?
>
>  -- Owen

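The "password + generated PIN" scheme Owen proposes above, with Google Authenticator as the PIN generator, is RFC 6238 TOTP. The following Python is an added illustration, not code from the thread or from any of the products named in it; it assumes the parameters Google Authenticator uses by default (HMAC-SHA1, 30-second steps, 6 digits), and the enrolment secret it generates is constructed for the demo.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# Defaults that Google Authenticator uses: RFC 6238 TOTP over RFC 4226 HOTP.
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP where the counter is the number of whole time steps since the epoch."""
    return hotp(secret, at // step, digits)


def new_secret_b32() -> str:
    """Fresh 160-bit shared secret, base32-encoded the way authenticator apps import it."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def verify(secret_b32: str, submitted: str, at: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side
    to absorb clock drift, comparing in constant time so timing leaks nothing."""
    secret = base64.b32decode(secret_b32)
    counter = at // STEP_SECONDS
    ok = False
    for delta in range(-window, window + 1):
        # Evaluate every candidate (no early exit) so loop cost is data-independent.
        ok |= hmac.compare_digest(hotp(secret, counter + delta), submitted)
    return ok


if __name__ == "__main__":
    secret_b32 = new_secret_b32()  # constructed enrolment secret for this demo
    now = int(time.time())
    code = totp(base64.b32decode(secret_b32), now)
    print("secret (base32, what the enrolment QR code carries):", secret_b32)
    print("current code:", code, "verifies:", verify(secret_b32, code, now))
```

The PIN changes every 30 seconds and is bound to the shared secret, so a leaked password alone is not enough; the secret lives on the phone, which is exactly the "unless they steal your mobile devices" caveat in the quoted message.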

Re: [FRIAM] Password Change Requests

2014-04-18 Thread Marcus G. Daniels
On Fri, 2014-04-18 at 13:08 -0600, Steve Smith wrote:

> As individuals with enlightened self interest it would seem to be in
> our interest to understand how these things work and work *with* them
> rather than continue to try to brute-force *engineer* these things.

In the social context, it is not about engineering the systems.  It's
about perturbing them in big enough ways so that us humans can say,
"Yes, we have turned that knob, and these were the consequences
which we now incorporated in this somewhat more general mathematical
model."

In contrast to "We imagine that the world involves these important
features, and have built a mathematical model that predicts things about
our imaginary world."

The engineering is not to Make It Right, it is to pose a hypothesis and
test it on ourselves using the force of government(s) to do the
experiment. 

Turns out there are a lot of us and more coming all the time.  No real
danger of running out.

Marcus





Re: [FRIAM] Password Change Requests

2014-04-18 Thread glen

On 04/18/2014 12:34 PM, Barry MacKichan wrote:

> Since I use a password manager (1Password) there is very little cost in
> keeping a 20-character password (which I never type anyway) even for
> those sites with 2-factor authentication.


Speaking of which, does anyone here have any opinions about Keepass vs 
KeepassX?


http://sourceforge.net/p/keepass/code/HEAD/tree/
https://github.com/keepassx/keepassx

Mono is a hefty commitment.  But I usually end up having to keep it 
around for other packages anyway.


--
⇒⇐ glen



Re: [FRIAM] Password Change Requests

2014-04-18 Thread Owen Densmore
On Fri, Apr 18, 2014 at 1:34 PM, Barry MacKichan barry.mackic...@mackichan.com wrote:

> ...
>
> Since I use a password manager (1Password) there is very little cost in
> keeping a 20-character password (which I never type anyway) even for those
> sites with 2-factor authentication.
>
> —Barry

I too use 1P but haven't taken the plunge for random, unknown to me,
passwords.  Has it caused you any problems?  Or do you flinch at times,
finding yourself w/o 1P and needing to login?

Phone, Tablet, etc apps don't work with 1P .. you have to use cut/paste.
In fact, neither Chrome nor Safari are allowed plugins, making 1P treat web
logins like app logins.

One of the best uses 1P provides me is recalling how many sites I have
logins with!  I found the number alarmingly huge, well over 200.  Most are
forums and stores, but also include banks etc.


Re: [FRIAM] Password Change Requests

2014-04-18 Thread Russell Standish
On Fri, Apr 18, 2014 at 05:34:43PM -0600, Owen Densmore wrote:
> On Fri, Apr 18, 2014 at 1:34 PM, Barry MacKichan barry.mackic...@mackichan.com wrote:
>
> > ...
> >
> > Since I use a password manager (1Password) there is very little cost in
> > keeping a 20-character password (which I never type anyway) even for those
> > sites with 2-factor authentication.
> >
> > —Barry
>
> I too use 1P but haven't taken the plunge for random, unknown to me,
> passwords.  Has it caused you any problems?  Or do you flinch at times,
> finding yourself w/o 1P and needing to login?

Not a problem if the websites in question allow password recovery via
email, which most do.

I was also in a position of having forgotten my lastpass login (or
rather my browser forgetting, since I never usually have to enter the
lastPass). I had a rather cryptic "twice the usual" as my
mnemonic. About 24 hours elapsed before it occurred to me what that
meant. Fortunately, "the usual" had not changed since I had set it :).


-- 


Prof Russell Standish  Phone 0425 253119 (mobile)
Principal, High Performance Coders
Visiting Professor of Mathematics  hpco...@hpcoders.com.au
University of New South Wales  http://www.hpcoders.com.au

 Latest project: The Amoeba's Secret 
 (http://www.hpcoders.com.au/AmoebasSecret.html)


