<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#ffffff">
Hi all,<br>
<br>
As a result of this fiasco, I decided to change some of my passwords
for sensitive sites to the max # of random alphanumeric characters that
they allow.<br>
<br>
I thought I'd pass along my hall of fame / hall of shame results for
the ones I tinkered with. I have many more sites in my password
database that I didn't bother. Most of the less sensitive ones have a
15 character random alphanumeric password. Some of the sites that
should have the best passwords are only mediocre or bad.<br>
<br>
In the case of Lastpass, it tries to recognize when you change a
website password. It doesn't always work. It saves a record in the
database under "generated password for ...". Make sure you don't
delete this until you've verified that you can still log into the
site. Sometimes you have to copy the generated password from the
"generated" entry in the database to the "site" entry.<br>
<br>
Hall of Fame:<br>
<br>
These sites allowed me to use 64 character passwords. I didn't try
anything larger.<br>
<br>
1and1 (ISP) - 64 char, no maximum specified<br>
Amazon - 64 char, no maximum specified<br>
Bank of the Ozarks - 64 character, no maximum specified<br>
Evernote - 64 char max<br>
<br>
Hall of OK but probably good enough:<br>
<br>
TurboTax - 32 char max<br>
Paypal - 20 char max plus 2nd factor authentication "football" token<br>
Suntrust Bank - 20 char max<br>
<br>
Hall of Shame:<br>
<br>
Home Depot - 12 char max<br>
Walmart - 11 char max<br>
web portal of a major government lab - 8 CHAR MAX !!!<br>
<br>
By the way, does anyone know of a 2nd factor authentication gadget that
will work for almost all sites, or do I have to have a separate
"factor" gadget for every one?<br>
<br>
Sincerely,<br>
<br>
Ron<br>
<br>
<br>
On 3/4/2013 1:33 PM, Richard Bronosky wrote:
<blockquote
cite="mid:CAAjbB_5Bzr0bQK2NBz81cBjshidKBmSbxRfb6pKQuggV6d47ug@mail.gmail.com"
type="cite">
<div dir="ltr">I use XKCD passwords <a moz-do-not-send="true"
href="http://xkcd.com/936/">http://xkcd.com/936/</a>
<div><br>
</div>
<div style="">I've been pleasantly surprised to find most of the
services I care about don't complain about my 30+ character passwords.
I really wish they would be smarter about entropy measurement rather
than just insisting on some stupid rules be satisfied.</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Mar 4, 2013 at 12:58 PM, Michael H.
Warfield <span dir="ltr"><<a moz-do-not-send="true"
href="mailto:mhw@wittsend.com" target="_blank">mhw@wittsend.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote"
style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div class="im">On Mon, 2013-03-04 at 12:38 -0500, Ron Frazier
(ALE) wrote:<br>
><br>
> "Michael H. Warfield" <a class="moz-txt-link-rfc2396E" href="mailto:mhw@WittsEnd.com"><mhw@WittsEnd.com></a> wrote:<br>
><br>
> >On Mon, 2013-03-04 at 09:35 -0500, Ron Frazier (ALE) wrote:<br>
> >> Hi all,<br>
> ><br>
> >> I first saw the link to this article on the dc404 mailing list. If<br>
> >> you're an evernote user, you need to know about this.<br>
> ><br>
> >> <a moz-do-not-send="true"
href="http://www.theverge.com/2013/3/2/4056704/evernote-password-reset"
target="_blank">http://www.theverge.com/2013/3/2/4056704/evernote-password-reset</a><br>
> ><br>
> >If you are an Evernote user, you need to change your password. The<br>
> >attackers had access to user-id's and password hashes. The passwords<br>
> >were hashed and salted but simple passwords are still subject to<br>
> >off-line brute force and rainbow table attacks. Change your password<br>
> >to a good, high complexity, password or passphrase.<br>
> ><br>
<br>
> Do you think a 15 character random alphanumeric generated by
Lastpass is good enough? Or, should you go longer if the site will let
you?<br>
<br>
</div>
That's probably reasonable although my personal preference is for pass<br>
phrases. I take several words (Jabberwocky style) and mix in some<br>
numbers and punctuation. Much easier to remember and type (especially<br>
on a smart phone) and very much easier to remember.<br>
<br>
I run into more dain-bramaged sites that don't allow punctuation than<br>
really limit the length but there are some still out there that haven't<br>
gotten the memo and restrict your length to negligently short lengths.<br>
<div class="HOEnZb">
<div class="h5"><br>
> >MOST IMPORTANT! This is NOT mentioned in the article quoted, but... If<br>
> >you used the same user id (E-Mail address) or similar and the same<br>
> >password on other sites, change all of them and use different passwords<br>
> >on each. It is not uncommon for someone to use the same password and id<br>
> >on different sites. It is equally not uncommon for attackers to KNOW<br>
> >THIS and, once they break your password on one site, to use a common,<br>
> >broken, password to attack other sites. That includes sites with other<br>
> >common variations on your user id.<br>
> ><br>
><br>
> I've known this for some time, but only recently went to the
trouble to do it, after LinkedIn had their break in. I'm now using
Lastpass, which is a good way to keep track of many different passwords
for different sites. (I know there are other solutions too.) It was a
major pain to go to every site I had and go through the password change
procedure, especially because, for the ones that were already
different, I had to look them up. However, every one is now different
and random. Every time I generate a new password for a new site, or
change one on an old site, I let Lastpass handle it. The password
vault is secured by a master password that you don't give out online.
If anyone is interested, I can post my recommended settings for
Lastpass preferences. You can use the service for free on PCs, but
have to pay a modest fee for Premium service to use on mobile devices.
I pay the fee, and am glad to support their continued development.<br>
><br>
> >> Sincerely,<br>
> ><br>
> >> Ron<br>
> ><br>
> >Regards,<br>
> >Mike<br>
> ><br>
> ><br>
> >--<br>
> >Michael H. Warfield (AI4NB) | <a moz-do-not-send="true"
href="tel:%28770%29%20985-6132" value="+17709856132">(770) 985-6132</a>
| <a class="moz-txt-link-abbreviated" href="mailto:mhw@WittsEnd.com">mhw@WittsEnd.com</a><br>
> >/\/\|=mhw=|\/\/ | <a moz-do-not-send="true"
href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a>
|<br>
> ><a moz-do-not-send="true" href="http://www.wittsend.com/mhw/"
target="_blank">http://www.wittsend.com/mhw/</a><br>
> >NIC whois: MHW9 | An optimist believes we live in the best of all<br>
> >PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
> ><br>
> ><br>
> ><br>
><br>
> --<br>
><br>
> Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.<br>
> Please excuse my potential brevity if I'm typing on the touch screen.<br>
><br>
> (PS - If you email me and don't get a quick response, you might want to<br>
> call on the phone. I get about 300 emails per day from alternate energy<br>
> mailing lists and such. I don't always see new email messages very quickly.)<br>
><br>
> Ron Frazier<br>
> <a moz-do-not-send="true" href="tel:770-205-9422"
value="+17702059422">770-205-9422</a> (O) Leave a message.<br>
> linuxdude AT <a moz-do-not-send="true"
href="http://techstarship.com" target="_blank">techstarship.com</a><br>
><br>
><br>
<br>
--<br>
Michael H. Warfield (AI4NB) | <a moz-do-not-send="true"
href="tel:%28770%29%20985-6132" value="+17709856132">(770) 985-6132</a>
| <a class="moz-txt-link-abbreviated" href="mailto:mhw@WittsEnd.com">mhw@WittsEnd.com</a><br>
/\/\|=mhw=|\/\/ | <a moz-do-not-send="true"
href="tel:%28678%29%20463-0932" value="+16784630932">(678) 463-0932</a>
| <a moz-do-not-send="true" href="http://www.wittsend.com/mhw/"
target="_blank">http://www.wittsend.com/mhw/</a><br>
NIC whois: MHW9 | An optimist believes we live in the best of all<br>
PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!<br>
</div>
</div>
<br>
_______________________________________________<br>
Ale mailing list<br>
<a moz-do-not-send="true" href="mailto:Ale@ale.org">Ale@ale.org</a><br>
<a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo/ale" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a moz-do-not-send="true"
href="http://mail.ale.org/mailman/listinfo" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
.!# RichardBronosky #!.
</div>
</blockquote>
<br>
<pre class="moz-signature" cols="72">--
(PS - If you email me and don't get a quick response, you might want to
call on the phone. I get about 300 emails per day from alternate energy
mailing lists and such. I don't always see new email messages very quickly.)
Ron Frazier
770-205-9422 (O) Leave a message.
linuxdude AT techstarship.com
</pre>
</body>
</html>