[Hidden-tech] Safari question

Chris Hoogendyk hoogendyk at bio.umass.edu
Fri Feb 15 15:18:23 EST 2008



Joe Edelman wrote:
> Surely you're aware of the myriad settings in 'Keychain Access' and the
> Security Control Panel that make password remembering on Macs more
> secure.
>   

I don't recall if it was Mac OS X 10.3.9 or 10.4, but somewhere along 
there my keychain became corrupted. It caused no end of trouble with my 
Mac, and the only solution turned out to be trashing some cryptic files 
and reinitializing keychain. All the passwords that had been stored in 
it were gone. That happened more than once, and the reason I was able to 
solve it was because there were posts on the Mac forums describing the 
situation and explaining how to repair it.

They may have fixed all that, but there is more than one angle of 
fallout from it. It brought home the risk of trusting something that is 
essentially invisible (it's encrypted on the computer and you have to 
trust the software on the computer to work flawlessly). Well, computers 
just are not flawless. Disk drives can fail as well. So, backups. But in 
this kind of a situation, the best backup is, in my opinion, paper.

When the security forums start moving toward a consensus to trust 
keychain, I might re-evaluate. It's certainly better than trusting a PC. 
But a lot of the risk warnings are still applicable.


> For instance, I have my "login" keychain (with all my web passwords) set
> to lock whenever I put the machine to sleep, or after 5 minutes of
> inactivity.  I know that my passwords are stored encrypted by my
> passphrase, which needs to be entered to unlock it.  It is unlikely that
> someone could steal my laptop without it having been put to sleep (by
> closing the lid) or having five minutes of inactivity.
>
> The most important advantage is that my web passwords are all different,
> and I don't have to use the mental space (or a text file) to remember
> them.  This, I believe, is more secure than what most people do, reusing
> passwords across sites, and giving their password thusly to every
> sysadmin and every dba at each of those sites.  Are your passwords all
> different?  How do you remember them without help?

I use mnemonics among other things. For example, I might make up a 
password based on the phrase "even Bill Gates indicated that vista was 
not ready for release." So, I start with eBGivNrr (capitalizing somewhat 
irregularly and dropping minor words to leave 8 characters). Then, 
keeping the typing easy, I might shift up to the numeric row for some 
keystrokes and add a non-alphanumeric at the end (or in the middle if 
appropriate). So I might end up with a password of eBG8vN44! -- which is 
a pretty secure password and relatively easy for me to remember. After 
typing it a few times, the mnemonic memory and tactile memory reinforce 
one another.

Now, unfortunately, I have dozens of such passwords. If I use them 
regularly, I remember them without too much trouble. If I have one that 
I don't use very often, I may have some trouble. And there are some 
credit card companies that lock your online login after 3 failed 
attempts to log in. Therefore, even if you have a pretty good idea what 
the password is, you can't risk trial and error. So I do have a piece of 
paper with all my passwords written on it. There is no indication of 
what the passwords apply to. I have to remember at least that much. I 
keep it in a physically secure place. If you don't have a safe, then 
dream up something weird, not just sticking it in your sock drawer, and 
especially not on the underside of your keyboard.

For stuff that doesn't have to be that secure (online forums and such 
where you're only saying "hey, it's me" and no money changes hands), 
then, yes, I do have a few simple passwords that I re-use for many of 
them. This is because they don't merit the effort. There are way too 
many of them, and some of them I don't visit very often.


---------------

Chris Hoogendyk

-
   O__  ---- Systems Administrator
  c/ /'_ --- Biology & Geology Departments
 (*) \(*) -- 140 Morrill Science Center
~~~~~~~~~~ - University of Massachusetts, Amherst 

<hoogendyk at bio.umass.edu>

--------------- 

Erdös 4




>> Color me paranoid, but one of my responsibilities is systems, network & 
>> internet security. I do use my home computer for online banking, bill 
>> paying, credit card management, online purchasing, etc. However, there are a 
>> couple of ground rules that I always follow.
>>
>> (1) I never, ever let my browser save personal information, usernames or 
>> passwords. I always type them in myself. If your machine is ever 
>> compromised, or stolen, or just left alone so that someone can access it 
>> (say they broke into your house), it is just too easy to look at the 
>> bookmarks, see a bank or credit card link, go to it, and (oh joy, the magic) 
>> it remembers your login and password, and suddenly someone else is in your 
>> account shuffling stuff around.
>>
>> (2) I never, ever put any paper that has such private information in the 
>> trash without passing it through a good shredder. Identity theft has become 
>> all too common.
>>
>> (3) I never, ever click on a link from an email to do anything that involves 
>> personal data or that I expect to be secure. I always go to my bank, credit 
>> card, etc. from my own bookmark links or by typing in the URL directly. 
>> Spammers are very very good at making emails that look like the real thing, 
>> that have forged from addresses that look good, but that one critical link 
>> you have to click on to do whatever it is they want you to do has a hidden 
>> IP address underneath and goes to a fake website. That fake web site siphons 
>> off your personal information, account login, etc. and/or downloads a trojan 
>> to your computer.
>>
>> (4) I never, ever do anything online involving money that I expect to be 
>> secure on a Windows PC. There are just far too many compromises, viruses, 
>> trojans, keyloggers, etc. out there that hit PCs. I'm sure there are those 
>> who will be up in arms to defend PCs, but I don't really care. If you want 
>> to know why you get so much spam in your email (it now constitutes the 
>> majority of the mail on the internet), it's in significant part because 
>> there are huge armies of botnet PCs controlled by spammers, and the owners 
>> of those PCs have no clue they are owned. Even on a private network here at 
>> work, where PCs are not addressable or scannable from the internet, we 
>> periodically have to clean up compromised PCs.
>>
>> (5) My home computer is the latest Mac OS X, with the latest updates and 
>> patches, with all the security settings intact; but, nevertheless, it is on 
>> a private network behind a firewall and cannot be directly addressed from 
>> the internet.
>>
>> (6) If I had a laptop, I would never do any kind of online banking or 
>> financial transactions that I expected to be secure from any public wireless 
>> network. Even if you are using a secure connection, there is just too much 
>> hostile activity and probing going on on public wireless networks. If I had 
>> a laptop, I might even choose not to ever use that laptop for online banking 
>> even when I had returned it to home base and was on a private network behind 
>> a firewall. It's sort of like when you're giving blood and they ask all 
>> those questions -- have you ever . . . , in the last year have you . . . , 
>> etc. It doesn't mean you're infected. It just means there is a significant 
>> risk involved.
>>
>> OK, maybe all that was a bit overboard. But saving usernames and passwords 
>> for autofill for online banking just set me off like a blow torch to the 
>> fuel tank. Major, major security breach.
>>
>>
>>
>> ---------------
>>
>> Chris Hoogendyk
>>
>> -
>>   O__  ---- Systems Administrator
>>  c/ /'_ --- Biology & Geology Departments
>> (*) \(*) -- 140 Morrill Science Center
>> ~~~~~~~~~~ - University of Massachusetts, Amherst 
>> <hoogendyk at bio.umass.edu>
>>
>> --------------- 
>> Erdös 4
>>
>>
>>
>>
>> Annamarie Pluhar wrote:
>>     
>>> Hi Jeff, 
>>> I'm not sure if this is your answer but I don't have that problem. There is 
>>> a setting Safari/Preferences/Autofill  select User names and passwords.  I 
>>> think that should let you save it. 
>>> Related question: How does one "get" Keychain to save a password if you 
>>> changed your mind after you've told it never to save? 
>>>
>>>
>>> Annamarie Pluhar
>>>
>>> *Pluhar Consulting*
>>> Helping organizations live their values
>>> http://www.pluharconsulting.com/
>>> strategic solutions
>>> facilitation
>>> training
>>> instructional design
>>>
>>> 802.451.1941
>>> 802.579.5975 (cell)
>>>
>>>
>>> On Feb 13, 2008, at 4:52 PM, Jeff Rutherford wrote:
>>>
>>>       
>>>> I have a Safari/Apple question that hopefully someone can answer. I do a 
>>>> lot of online banking and checking various credit card balances online, 
>>>> and I repeatedly get prompted with "This is a personal computer, please 
>>>> remember my info."
>>>>
>>>> However, no matter how many times, I choose that option, every time I 
>>>> revisit a site, I'm prompted yet again as if I've never visited the site 
>>>> before. When I used a PC, I never had this issue.
>>>>
>>>> Is there some Safari or Apple setting that I can change, so that my info 
>>>> for these various sites is remembered?
>>>>
>>>> Jeff
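
The mnemonic scheme Chris describes above (word initials with minor words dropped, irregular capitalization, some letters shifted up onto the QWERTY number row, a punctuation character appended), written out as a general function. This is an added example, not code from anyone in the thread; the stopword list and the `capitalize`/`shift_up` position parameters are assumptions introduced to make the author's ad-hoc choices explicit and repeatable.

```python
"""Passphrase-based password mnemonic, as a generic function.

Added example; not code from the post's author.  It implements the scheme the
post describes: take word initials (dropping minor words), capitalise some of
them, shift some letters one row up onto the QWERTY number row, and append a
punctuation character.  Which positions are capitalised or shifted is the
user's choice, so they are parameters here.  The stopword list is an assumption.
"""

# "Minor words" dropped from the phrase; assumed list, extend as needed.
STOPWORDS = {"a", "an", "the", "that", "was", "for", "of", "to", "is", "and"}

# Letters on the QWERTY top row map to the digit directly above them
# (i -> 8, r -> 4, as in the post's example).
QWERTY_SHIFT_UP = dict(zip("qwertyuiop", "1234567890"))


def initials(phrase, stopwords=STOPWORDS):
    """First letter of every non-minor word, surrounding punctuation stripped."""
    words = (w.strip(".,;:!?\"'()") for w in phrase.split())
    return "".join(w[0] for w in words if w and w.lower() not in stopwords)


def mnemonic_password(phrase, capitalize=(), shift_up=(), suffix="!"):
    """Build the password from the phrase.

    capitalize: indices (into the initials) to upper-case; all others are
                lowered, so the result does not depend on the phrase's casing.
    shift_up:   indices to replace with the digit above that key.  Raises if
                the letter is not on the top row, since no digit sits above it.
    """
    chars = list(initials(phrase).lower())
    for i in capitalize:
        chars[i] = chars[i].upper()
    for i in shift_up:
        key = chars[i].lower()
        if key not in QWERTY_SHIFT_UP:
            raise ValueError(f"position {i} ({chars[i]!r}) is not on the top letter row")
        chars[i] = QWERTY_SHIFT_UP[key]
    return "".join(chars) + suffix


def char_classes(password):
    """Number of character classes present (lower, upper, digit, other)."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(t(c) for c in password) for t in tests)


if __name__ == "__main__":
    # The phrase from the post; positions chosen to reproduce its worked example.
    phrase = "even Bill Gates indicated that vista was not ready for release."
    pw = mnemonic_password(phrase, capitalize=(1, 2, 5), shift_up=(3, 6, 7))
    print(initials(phrase), pw, char_classes(pw))   # eBGivnrr eBG8vN44! 4
```

The `shift_up` check matters in practice: only the top letter row has a digit above it, so a letter such as `s` or `n` has nothing to shift to, and silently leaving it unchanged would produce a different password than the one you memorised.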


