My small company is providing a web service for another organisation. One single username/password combo will be used to access the system. Either -- how should we distribute this combo to the 5,000 tech-illiterate members of the other organisation? Or -- what's a better solution? [more inside]
(Keeping this anonymous because I'm worried my security's compromised and don't want to make it worse.) So for about the past six weeks, the log-in process on the Bank of America site has been behaving strangely for me. When I go to the BOA site I see my online userID in the normal way and click on it. That then takes me to the sitekey confirmation page where, weirdly, my password is now showing up in plaintext on the login page, above the sitekey image. The first time this happened it was displaying my then-current password, which I immediately logged in with and changed. Since then, every time I go to log in I see the old password in plaintext, above the sitekey. When I enter either my then-current or my actually-current password it's rejected and I need to go through the reset process before I can successfully log in. I'm not freaking out, because there's no strange activity in my accounts. But still, it's unnerving. So... what might be going on here, and what should I do about it? [more inside]
If one wanted to be paranoid about protecting access to critical accounts (bank accounts and the like), what are some steps that you can take short of building your own machine and never using it for any transactions at all other than those to the secure sites? I have used LastPass and 1Password for years, but frankly all of the recent revelations of security breaches and key loggers and the like make me wonder if I should consider other options for critical accounts (wondering out loud: is it not likely that the password app manufacturers were not NSA's first targets?). Some accounts do not allow two-step authentication.
My "throw-away" password is in the list of those compromised by the Adobe hack. It's a common dictionary word that I use for sites that I really don't care about security on: things that I don't even understand why they should be password protected, "test-driving" sites or products where I don't intend to keep using them, and an old email account that was for a blog that I haven't updated in about four years. (And I don't use the account any more). I'm pretty unconcerned about it being compromised. Is there any reason I should worry? And if I do want to change it, is there any way to find out what all the sites are that I have used it on in the past? [more inside]
Does anyone have a simple method of coming up with excellent new passwords for every website that you can nevertheless easily remember? I'm thinking some combination of a master password combined with the website URL or something like that, but the underlying rule should not be easily guessable by others even if they have a few examples in front of them. Any ideas?
Instead of the usual "username/password" challenge, some bank websites ask you for a username, and then for some letters from your password -- e.g. 'Type letters 1, 4 and 7 of your password'. I understand that the advantage of this is that you never enter your whole password, thereby making life difficult for keyloggers. But I don't see how it's possible to implement such a system without (effectively) storing the password in plain text on the server, which is surely not a good idea. What is this practice called? Do security experts consider it good practice? Can you point me to a paper that explains how it is implemented securely?
What's a better-security alternative to Spam Arrest for challenge-response email? I received a password reminder email from Spam Arrest today. It included my full password in cleartext, and when I went to change my password to a long semi-random string of hashed characters I discovered that they silently truncate entries to 20 characters, which would have locked me out if they didn't keep everything in the clear to remind me. Frightening. Is there anyone out there who offers C/R email and knows how to store passwords?
Please help me find the password management solution I'm hoping exists: the ability to automatically, dynamically sync a specific folder of passwords between accounts w/o involving Dropbox. [more inside]
Need some guidance on message-digest based password generation algorithms. [more inside]
What simple, secure, portable password and secure data management systems do you use? [more inside]
What damage control measures can I do for selling my PC on eBay which was only partially wiped? Yes, I know how stupid this was. [more inside]
Help me design a secure method of keeping my passwords both safe and available. [more inside]
Gmail security: Someone keeps trying to recover, or change, the password for my gmail account. I'd previously set my gmail recovery option to send me an SMS, and I'm getting a lot of SMSes saying, "Your Google Account recovery code is: ... If you did not request this code, you can safely ignore this message". I've already changed my secret question to be really obscure, but what else should I do to protect my account? Every couple of weeks, I get bombarded with SMSes because someone is trying to access my account. Can I temporarily disable the recovery option? I'm just worried that someone might guess the answer to my secret question by brute force or some other means.
SSHFilter: I'm trying to disable authentication by password for SSH users accessing a server from a remote location. By everything I've read it seems like I've done exactly that, but I can still log in from a remote machine using a password only. Help me get that to stop. [more inside]
What are the legal implications of subpoenaing or obtaining a warrant for digital papers (such as a Gmail or Google Apps account) and finding a password? Could the prosecutor use the password to obtain more information from another digital source, such as another email account or a Facebook account? [more inside]
Is there a way to make it look like the hard drive on my OS X MacBook Pro isn't working? [more inside]
I need a utility or small program to demonstrate password cracking. [more inside]
Online Security Filter: Welcome email contained plain text password. Specific examples of why this is bad needed. [more inside]
How can I keep PointSec from switching my screen saver preference? [more inside]
How does my online banking fob work? Does it get numbers over-the-air or does it generate them according to some math I don't understand? Background: to access my bank account on the web, I need to use the little electronic fob CitiBank sent me when I registered for online banking. The device generates a six-digit number every minute or so. But where does that number come from? Is the fob generating or receiving it?
Would I need an anti-keylogger for Vista? [more inside]
I have noticed that there seems to be a split between some banks/financial institutions who maintain complex security around their on-line account access and others who seem to have actively migrated towards a much simpler approach. Is there any evidence that the "simple" approach is either more or less secure than the "complex" one? [more inside]
I'm going to be doing some pretty extensive travelling next year, and I want to keep my family and friends up to date on my experiences. However, I want to do this in a way that doesn't inform general randoms about my movements... in other words, do password-protected blogs exist? [more inside]
I believe the mail server associated with my domain name is acting as an open relay. Hosting company claims everything's good. How can I double-check? [more inside]
I can't figure out how to password-protect my wireless internet connection. [more inside]
Why are many financial institutions moving to a two-step login process, where you enter your username on one page and then your password on the next? For instance, Vanguard and ING. Their rationale is just that it's "more secure", but that's not much of a reason.
I have a desktop that is located in a semi-public place. I have a BIOS password and a Windows password on it. Sometimes I leave it logged out of Windows so that I can leave in the middle of a project without restarting everything again. I was wondering how hard it would be to get my data? Short of stealing the actual hardware, is there a way to get past a BIOS password and access my data without me knowing? (From what I understand, resetting the CMOS would clear the password, so I would know if someone got in.) Also, is it possible to get in if I leave it logged out of Windows with a password? How safe is my data?
How do I password protect a specific app in OS X? [more inside]
Is there an "industry standard" for password expiration periods? [more inside]
How safe is it for me to store passwords in Firefox? [more inside]