What´s your Password Policy?

Hi,

If you think about it, protecting your online accounts (online banking, email etc.) with just a username and password is not really a solid security measure, but of course, we have no choice most of the time. I have a couple of questions.

http://passwordmaker.org/
https://addons.mozilla.org/nl/firefox/addon/3282
http://www.amustsoft.com/1-login/
https://www.paypal.com/us/cgi-bin/webscr?cmd=xpt/cps/securitycenter/general/PPSecurityKey-outside
http://www.rsa.com/node.aspx?id=1159
http://www.passgo.com/news/DesktopToken.shtml

TIA

 

OK, I´m a bit surprised that most people don´t seem to care about this subject, or is there perhaps some other reason why no one has replied?

 

Passwords are quite boring I guess And if one uses tools like roboform you never have to think about them. Passwords becomes a non-issue
I hesitated to answer because I knew my post would be a ad for roboform. But since you asked for it

I have 15 digits passwords like: &zE8U@sv3oTgse^ and I let Roboform manage them. I probably will buy Roborform2go the day I need the passwords anywhere else than in my home computer.

Me neither, never used them. Roboform does the job.

I some times check my bank with my work computer. At home I use a card reader where I put my credit card with a chip (and a certificate from my bank installed) so I just have to enter my credit card pin code.

 

I looked into roboform it doesn't work with Opera (more on password managers later). I use letters uppercase and lowercase and numbers and whatever the website specifies or application specifies. I use passwords Between 15 to 64 characters long depending on what they protect. I use Opera Browser, it has it's own password manager. uses a master password to lockup the rest of the passwords and uses a wand to transfur the passwords to the webpage form Opera has 256 bit AES encryption on the password manager. I recently switched over to Keepass password safe waw.keepass.info/

I think it is much more secure

 

My answers:
1) No, no
2) Don't use them
3) Doesn't matter to me since the vendor controls that
4) Yes, I have done that many times

So far the fraud that I have come across are from non-online sources.

 

The type of password I use depends on how important what I'm protecting is. For forums, webmail accounts, etc, I use one or more uncommon words and let Sea Monkey store them encrypted. The master password is much longer.

Passwords I use for encrypted partitions and containers are much longer, 80-120 characters, with upper and lower case, numbers, punctuation, and symbols. They are not stored on the PC and I take all possible precautions to prevent their capture.

For sensitive sites and my primary e-mail, I copy and paste from one of several text files which were created with PGP by encrypting fairly large documents. The text files are all at least 300 lines long. These are lines from one of them.

Code:

qANQR1DBwU4DtYA9uTfuIakQB/9w54fY4UZlR1THoeim/U8lKNvXb3ol8iwQhsk3
SxT3zp61oqYgLOYxKE0pmmsNEfMFYqBvaBGA/WibVzBHJFYZQXYA8PD04fD8qLpp
OZMPZe+VQpc1HfeMM5aWHyrXaOa+nL1D0fCORs+7m8/kdjf1s5CY+3gfT3V/x0Jj
8MCZCk26vhil3N76i0ise9Ouzj9YBOJcUBjuHMmZ8v9MluOBP9EX+7jv04CyoGMC
FsnL8sxTudep8h1jN4QQoXu/mhFoFkHeSS7VA6j74bzTmo+thFuWeSXqZ1PtrV+S
B6fdOJIIiy1yy+QDu2TIEosqlduaevLE041a//B78Or4uKBbB/42ygrO9SNxRo4W
/fSTHZiJZZEXvm8bgvju4lfItKda5G/54h+itSwcJKs9PHb7SUC+oQkymwRTdZUP
eM0Ow+GPDoIjT2QswtX4gsGAeBJQ8y+7ZUS3Lp4MvbGwKu56VhQgpTGlGaQMLhVQ
xFrGw2aEEbTzMurC4KSoQRlojkRGMg+BAFmh15UnNDVfC6jls9KqPpgD+GarB+Pn
5EUKiOGFMdK06DCgZgD+zNcu2dnilm7OLpUmn5Ooz9dTWF7JYhUeM8ibn3j19slT
2Gax8zmbdBqqkhHbgwg39ppfEI7nC6HCu6xNdZah2I7v3YpOfcKjJn7i6bG1R1/T
zGoPgxqlyewacMyf1a0UxsnoKW99oYx2XVSPnLSaw3fYo0ctTzf1PuKTrxZ1lep+
uoZZzz9HO14d3aObb94U7Wc1ko9RlHZVFJXykRxKuzL+bnOyTV/6GCG4cRNYy61Z
9tjtYskabva0SlmgkrbAzWoxAeVpqDxeMmw7Evx0nw8xRXoMof8NFwC5qdJrkbad
6jHS31JD42MsEEE+O4KLN0lvNSXkQDEOUAadSVffU0C+a+jQOoBPEeqN4AL95+ni
m33gyZ8PKsQ/UBRst0EBpRPpHCDgJePLFgaIHfdnd2epI002FBv4UdmVS29GzYjb
eYa3vDiMMdukrBV7A/okbqylEkdQhbuLP7S4at3Gls15oYzDgV4c+GgNcN71X29M
aTH64LcJ4ssCD+sum7WIKoUlUuRuBOxWORkOytpdutK6NC7n1mBMIoeNPdZ0VTEP
3vSF5mhVtcBdFSqTB706Pc8kyvv/UObQFW1Bmpg3JHM8gU3ixNMmYSVD2XS0izr6
362bGimLkTWY9phwdAvp3m4YiC/NHcMK2cLCue/a1XlDUOBXTGeWSD0wM5ptm2CA

I use close to as many characters as the site/app will accept, copied from a randomly chosen location(s) in one of the text files. I have a little system to keep tract of where I started and ended the copying, which I won't describe. With several such files for source material, the number of possible combinations is huge and appears to be quite random. I don't have to worry about a flaw or vulnerability in a password program since there is no program to crack.
Rick

 

Hello,

- Do you use hard to guess passwords, and if so, how do you manage them, via the browser (or plugin) or some standalone passwordmanager?

I make my own passwords, are they hard to guess, yes.

- What do you think about password hashing tools like Password Hasher, PasswordMaker and AMUST 1-Login? I still don´t really understand what´s so special about them?

I don't find them intriguing.

- Do you think that sites should use hardware or software based tokens? For example PayPal is now offering "two-factor authentication", and most banks do too.

Why not.

- Would you login to your email or bankaccount on a PC not owned by you, so a friend´s computer, public computer.

No.

That's about it.

Mrk

 

IMO all online banking/shopping and webmail accounts should be protected by a "two-factor authentication" system. Of course this will make it difficult to login from any PC, but that´s not a good idea anyway. And about tools like Password Hasher, if I understood it correctly, the cool part about them is that you can login to any site with the same password, while your real passwords will never be visible.