Well, I have a 50k ascii file with all my passwords and "security questions" in it. It's ~800 lines long, but that doesn't mean 800 accounts, since some accounts require lots of security questions. Plus, I keep track of some old passwords after I change them and such. I keep this file encrypted with GPG. I shred <http://www.gnu.org/software/coreutils/manual/html_node/shred-invocation.html#shred-invocation> the unencrypted file each time I edit it... but it's not clear to me whether an unencrypted copy hangs around for a while or not... plus, one of my machines uses SSD, which presents some issues <http://static.usenix.org/events/fast11/tech/full_papers/Wei.pdf> of its own.
But in the wake of this story <http://www.troyhunt.com/2013/12/introducing-have-i-been-pwned.html> and the Pony story <http://blog.spiderlabs.com/2013/12/look-what-i-found-moar-pony.html>, I decided to change a bunch of my passwords today. Does anyone have the data for the SSH credentials that were compromised? I can't imagine mine would be in there. But it did remind me that I don't have a practical policy for updating those.

On 12/05/2013 11:08 AM, Owen Densmore wrote:
> On Thu, Dec 5, 2013 at 11:20 AM, Steve Smith <[email protected]> wrote:
>
>> 150, 240, 900 !?
>>
>> ?!What!? are you guys addicted to? Including PINs for bank-cards (not
>> used online) I can't estimate over a dozen or two myself.
>>
>
> Exactly! But you do have > 100 and you know it! How many on-line gifts?
> How many forums, even for trivial use? How many mail lists? How many bank,
> credit card, paypal logins? Amazon? Google? Moocs? Travel related?
> Airlines? NetFlix/Hulu/iTunes? Gmail? Dropbox? GitHub? Clothing? Shopping
> in general? NYTimes and other news sources? LinkedIn, Facebook, Twitter,
> G+, ...
>
> I could go on but dozens. I seriously, Seriously doubt it.
>
>
>> OK maybe hundreds over decades, but ... current?
>>
>
> Not so fast, mister! They're still there and very hackable.
>
>
>> Admittedly, I have probably cranked through a similar number of
>> "throwaways" where I've signed up for something (because that is the only
>> way to sample/test) and then let the login die or go fallow (and my
>> hashword) with it. But hundreds? Really? I'm worried about you guys!
>> They have groups and 12 step programs for things like this!
>>
>
> Login die? You sure? And indeed, how many folks can "delete" an account?
> Most don't have an obvious way to do so.
>
>
>> As for mnemonics or mental-hash-generators (hashwords?)... my decades of
>> high security environments where writing my password down anywhere
>> (including or especially electronically) or sharing it with anyone (e.g.
>> speaking it aloud) was a felony or low treason or something, I just can't
>> stand to see a password in clear text... it makes me cringe... so a whole
>> spreadsheet of my family jewels... I just couldn't...
>>
>> I only wish there were a 2-factor system for the masses that isn't
>> spoofable (the ones that use your Mac address of your device are better
>> than nothing but not unspoofable by far).
>>
>> - Steve
>>
>
> I am so worried about you guys who don't know just how many logins you have!
> :)
>
> -- Owen
>
> ============================================================
> FRIAM Applied Complexity Group listserv
> Meets Fridays 9a-11:30 at cafe at St. John's College
> to unsubscribe http://redfish.com/mailman/listinfo/friam_redfish.com

--
glen ep ropella -- 971-255-2847
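Added example (not from the thread, not any poster's own script): one way to edit a GPG-encrypted notes file so the plaintext only ever lands on RAM-backed storage, sidestepping the question of whether shred works on an SSD. It assumes Linux with gpg installed, a tmpfs or ramfs mount such as /dev/shm or $XDG_RUNTIME_DIR, and a recipient key already in the keyring; the file and recipient names are placeholders.

```shell
#!/bin/sh
# Edit a GPG-encrypted file without writing plaintext to disk.
# Plaintext is decrypted into a RAM-backed scratch directory, edited, re-encrypted,
# and the scratch directory is removed on exit. Assumes Linux, gpg, tmpfs/ramfs.
set -eu

# Filesystem types whose contents live only in RAM (gone at power-off).
fs_is_volatile() {
    case "$1" in
        tmpfs|ramfs) return 0 ;;
        *) return 1 ;;
    esac
}

# Filesystem type backing a directory: GNU stat first, df -T as a fallback.
fs_type_of() {
    stat -f -c %T "$1" 2>/dev/null || df -T "$1" | awk 'NR==2 {print $2}'
}

# Pick a writable RAM-backed directory; fail rather than silently use the SSD.
pick_ram_dir() {
    for d in "${XDG_RUNTIME_DIR:-}" /dev/shm "/run/user/$(id -u)"; do
        [ -n "$d" ] && [ -d "$d" ] && [ -w "$d" ] || continue
        if fs_is_volatile "$(fs_type_of "$d")"; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    echo "no RAM-backed directory found; refusing to write plaintext to disk" >&2
    return 1
}

# Decrypt, edit, re-encrypt. Plaintext exists only under $scratch (mode 0700).
# Usage: edit_encrypted passwords.txt.gpg [email protected]   (placeholders)
edit_encrypted() {
    enc="$1"
    recipient="$2"
    scratch="$(mktemp -d "$(pick_ram_dir)/pwedit.XXXXXX")"
    chmod 700 "$scratch"
    trap 'rm -rf "$scratch"' EXIT INT TERM
    plain="$scratch/plain.txt"
    gpg --quiet --decrypt --output "$plain" "$enc"
    "${EDITOR:-vi}" "$plain"
    gpg --quiet --yes --recipient "$recipient" --encrypt --output "$enc" "$plain"
}
```

Editor swap and backup files land inside the scratch directory, but anything the editor writes elsewhere (shell or editor history, for instance) is outside this script's control.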
