Strong Passwords

Very random thought here, but I’m hoping great minds think alike and I’ve always gotten good help here :smiley:. Question: Is there a way to use a USB thumbdrive to autofill a password field in OS X? For example, I want to use a very strong (randomly generated 63 character rohos.com/products/rohos-logon-key-for-mac/) but this is different than what I’m asking; Rohos has the USB drive always connected and then when you remove it the computer goes into a password protected screensaver. Rohos can autofill the password field at the login screen, but I don’t want to have my USB drive sticking out like a sore thumb (pardon the pun). Plus Rohos is $30, cheap yes but I don’t think (correct me if I’m wrong) that I’m asking for much here, and Rohos is overfeatured for what I need. I just want to stick my drive in, have it fill in the password field, then pull the drive out and be done. Phew! Long winded argument! Hopefully someone might be able to help, and I’ll hear from you soon.

Sincerely,
Dan

That seems to be a lot of trouble to go through for something that can easily be defeated.

Given 2 minutes with your computer, a Tiger or Leopard disc. Start up using C and then choose CHANGE PASSWORD.

Also with a 63 letter password randomly generate what will you do if you do not have your disc handy (on a trip) and your thumb drive fails?

And every time you install something, make a change, or move something in certain locations of the OS you will need that password. Better to encrypt files or directories IMHO.

One simple method of making an easy remembered password is pick a word

I’ll pick Bob (case sensitive). Now Bob is easy to remember but not very strong, BUT if I use the OCT codes in an ASCII table for each letter (asciitable.com/) I can make the password much stronger yet still easy to remember, and then do a simple repeat.

In other words my password is BobBob. The first Bob is standard letters, then I repeat it again in ASCII:

B = 102
o = 157
b = 142

So my simple Bob password is now much stronger and looks like this

Bob102157142

This method makes passwords easy to at least remember the word “Bob”; then if you forget the ASCII you can either keep a chart handy or always look it up online or in a book.

As to your original question I myself do not know but you could probably check here

securemac.com/

Holy smokes. 63 char? Octal? You and vic-k should sit down and share fantasies.

Let’s think of a better and more convenient method. Security is not associated with length but complexity. If we consider jaysenodell and d13d as examples it is obvious that jaysenodell is longer. Yet d13d is more complex. d13d is easy to remember because it is the word “died” replacing vowels with relative numerical representation. Now d13d is not a good password as you do want some length and as much complexity as you can bear. So maybe something like K1ckTh3D0g! aka “kick the dog!” All you need to remember is vic-k and you can remember it.

Oh and it is considered secure by all standards short of high level NSA type junk.

Just a thought.

I recommend the diceware method for password generation. Use some dice (or another completely random generator—not computer dice!) and use a very long word list to create a phrase out of words you can recognise and remember. The diceware method also has rules for complicating the phrase slightly, but without sacrificing memorability.

You don’t need pure random at every character position to have a secure password.
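The three techniques traded above (the “Bob102157142” octal-suffix trick, the length-versus-complexity comparison of jaysenodell / d13d / K1ckTh3D0g!, and diceware) can all be put side by side in a few lines. The following is an added example, not code from any poster in this thread. `DEMO_WORDLIST` is a constructed 36-word list indexed by two dice so the block runs offline; a real Diceware list has 7776 words indexed by five dice, and the entropy numbers are computed for that size. The dice are rolled with Python’s `secrets` module, which is the operating system’s cryptographic RNG rather than the “computer dice” the post warns against.

```python
import itertools
import math
import secrets
import string

# Constructed demo word list: 36 words keyed by two dice ("11".."66").
# A genuine Diceware list has 7776 words keyed by five dice; this short
# list exists only so the example is self-contained.
_WORDS = [
    "apple", "bread", "cloud", "dance", "eagle", "flame",
    "grape", "house", "igloo", "jelly", "koala", "lemon",
    "mango", "night", "ocean", "piano", "queen", "river",
    "stone", "tiger", "umbra", "vivid", "whale", "xenon",
    "yacht", "zebra", "amber", "brick", "coral", "dusty",
    "ember", "frost", "glide", "honey", "ivory", "jumbo",
]
DEMO_WORDLIST = {
    f"{d1}{d2}": word
    for (d1, d2), word in zip(itertools.product(range(1, 7), repeat=2), _WORDS)
}
REAL_DICEWARE_SIZE = 7776  # 6**5 entries on the published list


def roll_dice(n):
    """Roll n six-sided dice with the OS CSPRNG; returns e.g. '3615'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def diceware_passphrase(n_words, wordlist=DEMO_WORDLIST, dice_per_word=2, sep=" "):
    """Pick n_words by dice roll and join them; each roll is independent."""
    return sep.join(wordlist[roll_dice(dice_per_word)] for _ in range(n_words))


def passphrase_bits(n_words, list_size):
    """Entropy of a diceware phrase: every word adds log2(list_size) bits."""
    return n_words * math.log2(list_size)


def octal_suffix(word):
    """The 'Bob' -> 'Bob102157142' scheme: append each character's ASCII code in octal."""
    return word + "".join(format(ord(c), "o") for c in word)


def charset_size(pw):
    """Alphabet an attacker must cover if they only know which classes appear."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable symbols
    return size


def bruteforce_bits(pw):
    """Naive search-space estimate: length * log2(alphabet size).

    This is an upper bound. Dictionary words and leet substitutions are
    tried early by cracking tools, so the real figure is lower.
    """
    return len(pw) * math.log2(charset_size(pw))


if __name__ == "__main__":
    for pw in ("jaysenodell", "d13d", "K1ckTh3D0g!", octal_suffix("Bob")):
        print(f"{pw:16} {len(pw):2} chars  alphabet {charset_size(pw):2}  ~{bruteforce_bits(pw):5.1f} bits")
    # The octal suffix is derived from the word, so a guesser who knows the
    # scheme only has to search the space of the base word:
    print(f"Bob alone: ~{bruteforce_bits('Bob'):.1f} bits")
    print(f"6-word diceware (7776-word list): ~{passphrase_bits(6, REAL_DICEWARE_SIZE):.1f} bits")
    print("demo phrase:", diceware_passphrase(4))
```

Running it prints the naive estimates next to each other: 4 alphanumerics come out near 21 bits, 11 lowercase letters near 52, the mixed-class 11-character string near 72, and six diceware words from the full list near 78, without anything to memorise but the words. The `bruteforce_bits` figure is deliberately generous; anything built from a dictionary word, including the octal-suffix variant, falls well below it once the scheme is known.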

This is a related point.
I have been told/read that many internet cafes have key loggers which can compromise your serious passwords and bank details.

To avoid having to key in letters and numbers, if you use a thumb drive to copy and paste, the content is not recorded. So far when I have travelled I have always had wifi and used cut and paste and not suffered any losses.

Obviously I do not have a file on the thumb drive saying secret passwords but a text file wherein the key words are located within a story.

Hope this helps someone.

Paul
Brevity is overrated if you get paid by the word

Software key loggers needn’t only track hardware input from the keyboard. It is absolutely trivial to track and record pasteboard information; I could write a little background script that does this in five minutes. Whenever the pasteboard gets updated, the background software could add the contents to its buffer and store that file in a hidden place inaccessible to the guest user accounts. No problem.

If you must use public spaces such as Internet cafes, or unencrypted WiFi, or you suspect a paranoid system admin at your office, the security problem is simple: Don’t do anything requiring important passwords! That is the only security device strong enough to get around a system monitoring tool.

My post was in the interest of need to inform.
In Thailand there are many internet cafes with many farangs (foreigners) using them.
As farangs are regarded as rich any attempt to defraud them is laudable.

I agree a copy/paste buffer is logical and obvious but the internet cafes use standard issue Windows products. I don’t think Gai reading the children’s magazine writes code. The thumbdrive method is just a means of reducing the risk.

With the growth of internet banking and payment systems I would like to see an improved standard, a standard for human beings to use. I had to memorise a 16 number code followed by a 5 letter code with one bank for example.

This area needs improvement. A thumbdrive is just a quick fix or sticking plaster but better than nothing.

Paul

My point was, if I can write a program that monitors pasteboard data flow, the people who program key loggers can do likewise. I would imagine most key logging software has the capability of doing this, or at least it should be assumed that they do, and for the manager of the shop, it would simply be a matter of selecting an option to do so.

Raising awareness of privacy issues like this is good, especially if invasions of privacy are common-place in a certain region. Likewise, I think raising awareness of the fact that copy-paste isn’t going to circumvent anything but the most basic key loggers or hardware based key loggers.

You are right, it is better than typing them in by hand, but I still would not use any passwords at all in a place where I suspected system monitoring was taking place.

I have no experience of key logging software.
I have experience of Thailand and it is sensible to assume your output is monitored for various reasons.
As I speak English whatever I write will be more accessible than say Finnish or Greek. I am a target.

But I still have to pay bills when I am out there as do many others, Sending a cheque by post takes three weeks. I use wifi but the internet cafes are busy with people using the same password to access Hotmail and Yahoo as their banks and finance companies.

The problem is noted but no one seems to have any answers. A thumbdrive that checks the security of the link. Easily screwed. Paying extra to use the secure machine in the corner. Even easier. Perhaps a virtual machine that exists only in cyberspace so key logging is random mouse clicks on a floating keyboard. Maybe, but all security gets compromised. It’s a fact of life.

As key logging is a strong rumour I use wifi. My only instance of credit card fraud was from buying a book over the internet. The fraudster set up a porn site with licensed images on my card. Thankfully I was in mid-flight when all this happened so no cost and little embarrassment. But if I was in a foreign country and stupid I could have been cleaned out with no defence.

This is a serious matter.

Paul

Maybe I missed something. Are you looking to use this thing on YOUR mac or a public system? If the former then you don’t need to worry about keyloggers, but sniffers. If the latter there is nothing you can really do other than frequent password changes. Think about it, they own the system, the number of ways to obtain your info is nearly limitless.

If we are talking about YOUR mac then all you need is to ensure that any sites you need to enter a password on use SSL encryption. Unless you install their software then they can’t log your keystrokes.

Again, I am likely missing something so feel free to call me an idiot. You wouldn’t be the first or last.

My Mac is safe till I get the screwdrivers out.
The problem is internet cafes could be corrupt. And they use Windows software. And the banks are not that bothered about fraud as ultimately we pay. Has your credit card interest gone down in the light of bank rates sinking?

It’s so easy to be bitter and twisted.
And it’s such fun.

Paul

There are options.

  1. USB based boot disks.
  2. USB based security distributions.
  3. Secure-id/grid card.

#1 is probably the best option for you. Think parallels on a stick. There is still some opportunity for logging, but it would need to be entirely hardware based and you can get around that with a portable USB keyboard and a second USB stick.

So the cafés don’t allow you to use your soon to be working g4 wifi?

The cafes charge for access to their machines,

The bars give you free access as long as you buy beer. Guess which one wins out.

If you Google Stickman Bangkok he has a list of Thai wifi nodes. With a Mac you can send live pictures of you drinking with young ladies whilst your contacts are getting up to go to work in the rain and cold. How cool is that?

Paul
Life is sweet as long as you have style, poise, panache and load of money. And your name is Paul

I reckon we’re better off here in Xiamen, as virtually every coffee-shop has free Wifi. Basically I only use three, all owned by the same person, who I trust … and the staff are mostly my students!

On the other hand, see my recent posting on Applejack

:frowning:

Mark

Edit: Oh, and I don’t do online banking!

Myself I use Little Snitch
obdev.at/products/littlesnitch/index.html
With Network Monitor active (a Little Snitch feature) I can tell when there is any activity either coming down or calling out. I can also detect most keyloggers if they try to call out, or any application for that matter that tries to call out, and I can block it (think of it like a firewall but in reverse).

Also I NEVER do any banking, shopping, or any secure activities on an unsecure network or any public network.

It’s not keyloggers I would worry about but, like Jaysen mentioned, packet sniffers can pick up on passwords or other information sent in the clear.

For passwords, like Jaysen pointed out, old school leet (l337) lite (number substitution) works wonders:
ih8windows98

but I don’t care what password you use, if I can get access to your actual computer and boot off a system disk I can change it to anything I like. :slight_smile:

The best security is just to use common sense and go from there.

Holy cow! I quake under the number of replies. Thanks for all the feedback, I can always trust that my voice will be heard on LaL forums :smiley:. My original idea that I poorly expressed was to use a USB drive to enter long and complicated keys and to be honest, I have my own memorization technique for 8-10 character passwords that use different letter cases, numbers and some other characters, but those techniques suggested by Wock, Jaysen and AmberV are very good and might make me change my habits. I was really looking for something to distract me but I can see the inevitable headache with using an old USB drive as an actual key to my computer (it will break and when it does so will I) and I just wanted to know if this script was floating around the internet so that I could have something to play with for an hour or so. I appreciate the prompt replies though and if I ever do find a script fitting this description I’ll be sure to post it here.

Dan

In a previous post I mentioned I had to memorise a 16 digit numerical password.

This was easy for me as being a tedious boring person I learnt mnemonics.

In Edwardian England: 1904
They ran a 3000 metres steeplechase: 839 (a common time for a steeplechase when I ran)
Which is odd as in 1492 they didn’t do foot races.

Obviously I have left stuff out but you get the message. Given a piece of paper, time and sobriety you could create a password that is easy to recall and a pisser to enter.

Story = pictures = easy to recall.

Paul

Then there are the “it must be a real word somewhere in some language” passwords.

uThei5ethIngXi
neMoth8QuenG
Goat9exDogies

Somewhere there are old Cisco routers circa 1998 that use those passwords for privilege. Coming up with the “words” is the fun part.

B4I4QURU18QTpie <—Naughty Numbers
OU812 <— Van Halen I think
MRDUCKSMRNOTCMWANGSYIBMRDUCKS <------ Easy to remember but clunky to enter.
UPDOWNUPDOWNLEFTRIGHTBASTART <---- Tribute to Nintendo
c00kied0ugh <------ Bakers Unite!
zer0theher0 <------ Black Sabbath tribute

:slight_smile:

Have you ever thought, instead of using a USB stick, of using your mobile phone and its Bluetooth function? (If it has one, that is.) As soon as you move away from your computer it locks itself; on your return it automatically unlocks ready for your input. No putting in any codes or USB sticks and, hopefully, you’re less likely to mislay your phone. :slight_smile: