Community Newsletter: Q&A: 2/24/06 Questions about storing and managing passwords

by Marc Bennett Moderator - 2/23/06 3:46 PM
Post 16 of 103

Passwords: Guess I'm not getting it

by katiebug57 - 2/24/06 6:19 AM In reply to: Honorable mentions by Marc Bennett Moderator

When I access my bank, the first window that pops up doesn't have the little padlock on the bottom. They require you to put your social security number in and then (the bank?) saves it somehow.

The spot where you put your SS# says "use saved online ID."

I'm assuming from the answers I've read so far, this is saved somewhere on my bank's site and NOT accessible to others?

The real problem I have is the possibility of identity theft.

The question is: when I first enter that social security number (and subsequently as well, I suppose), can someone else access it not just the first time, but other times as well, since it was entered on a non-secure web page?

Thanks,
Katiebug

Post 17 of 103

Guess I'm not getting it

by jevenew - 2/24/06 6:53 AM In reply to: Passwords: Guess I'm not getting it by katiebug57

I'm really having trouble with this one. Your bank should probably have a different way to log in other than your SSN.
I have been using Online banking from the beginning, and have never been asked for SSN online.
As for the padlock, I believe you have to enter sites into the Trusted Zone in Internet Options for that to show.

Post 18 of 103

Secure the website.

by jesusleon - 2/24/06 8:57 AM In reply to: Passwords: Guess I'm not getting it by katiebug57

What I do when I enter my info into my bank account: I add an "S" right after http and hit Go, and then I get the padlock, and then I enter my information. Try it, it works for me. I do this with I.E.

Post 19 of 103

It's a 2-part answer

by kschang - 2/24/06 10:25 AM In reply to: Passwords: Guess I'm not getting it by katiebug57

1) The padlock in the status bar means your browser is talking with the bank server in SSL, which encrypts the traffic in between, so even if somebody was able to intercept the traffic, they won't be able to understand it.

2) "Use saved ID", as I've explained, likely uses a special cookie with a number that is only assigned to you, and the bank will read that number back and figure out that it's you. Only the bank would know what that number/marker actually means. I seriously doubt they actually save your SSN as the marker. It's not that hard to check, actually.

If you use Internet Explorer on WinXP, the cookies are stored in

C:\Documents and Settings\(your username)\cookies

Substitute (your username) with your actual username.

See if you see your bank's cookie there, and open it in Notepad... You'll get some gobbledygook (basically a VERY long number).

Post 20 of 103

It is on the bank's system

by Themisive - 2/24/06 11:25 AM In reply to: Passwords: Guess I'm not getting it by katiebug57

But try to remember the numbers they give you, it's by far the best way of combatting identity theft.

Post 21 of 103

Stop the Madness

by Big_Owl55 - 2/24/06 3:17 PM In reply to: Passwords: Guess I'm not getting it by katiebug57

I have two concerns with the online banking that you have described. First, the lack of a padlock indicates that you are not secure. One respondent mentioned adding an s to http which would manually take you to an SSL secured site (if available), but that should not be required. Second, the use of a social security number as an identifier is an unacceptable risk, whether online, over the phone or in person.

I strongly recommend exchanging sensitive information only via SSL secured sites as indicated by the https instead of http and the padlock in the lower left. I also recommend questioning every request for your social security number. Many businesses are getting the message and providing an alternative to using your full social security number.

Regarding both concerns, you should not blindly trust the technology you use every day. The same people that you entrust with your sensitive information brought you Y2K.

Post 22 of 103

Even without the padlock the password may be sent encrypted

by rlively - 2/24/06 5:40 PM In reply to: Stop the Madness by Big_Owl55

There is one other thing to be aware of about the issue of not seeing the secure padlock icon on the login page. It is generally true that if you don't see the icon then it is an indication that the site is not secure and your userid and password are sent in cleartext across the internet.

However, it is also possible to make the target of the login form on the web page point to a secure page from an insecure page. In that case, the originating page was not secured, but when you click the "Login" button the form is submitted to "https://..." (notice the "s" for secure) which would make the browser first request a secured connection BEFORE submitting your userid and password.

The problem comes in not knowing if this is the case or not for any given site. Browsers do not currently have any indication that a form on an insecure page will be submitted to a secure page. The only way to tell that I know of is to look at the HTML source of the site and find the "Login" form. If the ACTION is set to "https://...", then the form will post to a secure site and your userid and password should be safe to submit. e.g. on Bank of America's website home page, which is http://www.bankofamerica.com - not secured, the form is:

<form name="frmSignIn" action="https://onlineid.bankofamerica.com/cgi-bin/sso.login.controller?noscript=true"

The action of the SignIn form points to a secured page, so even though the current page is not secure (meaning that the contents of the home page were sent without encryption - not a big deal since there's no personally identifying information on the home page), the form's contents will be sent encrypted back to the Bank's website.

Hope this helps clear it up.
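
The check described in the post above (read the login form's ACTION and see whether it starts with https), as an added example that is not part of the original post. The page URLs, HTML and verdict names are constructed for illustration; an https action found on an http page gets its own verdict because the page carrying the form arrived unencrypted.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect every <form> and record whether it holds a password field."""

    def __init__(self):
        super().__init__()
        self.forms = []    # forms seen so far
        self._open = None  # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._flush()
            self._open = {"name": a.get("name"), "action": a.get("action") or "",
                          "has_password": False}
        elif tag == "input" and self._open is not None:
            if (a.get("type") or "").lower() == "password":
                self._open["has_password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._flush()

    def close(self):
        super().close()
        self._flush()  # tolerate a <form> that is never closed

    def _flush(self):
        if self._open is not None:
            self.forms.append(self._open)
            self._open = None


def audit_login_forms(page_url, html):
    """Return (form name, resolved target URL, verdict) for each password form."""
    finder = LoginFormFinder()
    finder.feed(html)
    finder.close()
    page_scheme = urlsplit(page_url).scheme.lower()
    results = []
    for form in finder.forms:
        if not form["has_password"]:
            continue
        # A relative or empty ACTION inherits the scheme of the page itself.
        target = urljoin(page_url, form["action"].strip())
        if urlsplit(target).scheme.lower() != "https":
            verdict = "CLEARTEXT"  # credentials are submitted unencrypted
        elif page_scheme != "https":
            # Submission is encrypted, but the form came over plain http, so the
            # ACTION the browser received cannot be verified as the bank's own.
            verdict = "HTTPS_TARGET_HTTP_PAGE"
        else:
            verdict = "HTTPS_END_TO_END"
        results.append((form["name"], target, verdict))
    return results


# Constructed sample pages (not taken from any real site).
SAMPLE_HOME = """<html><body>
<form name="search" action="/search"><input type="text" name="q"></form>
<form name="frmSignIn" action="https://login.bank.example/signin" method="post">
  <input type="text" name="id"><input type="PASSWORD" name="pw">
</form></body></html>"""
SAMPLE_RELATIVE = ('<form name="login" action="/cgi-bin/login">'
                   '<input type="password" name="pw"></form>')

if __name__ == "__main__":
    for url, page in [("http://bank.example/", SAMPLE_HOME),
                      ("http://bank.example/", SAMPLE_RELATIVE),
                      ("https://bank.example/", SAMPLE_RELATIVE)]:
        print(url, audit_login_forms(url, page))
```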

Post 23 of 103

interesting problem

by tantitha - 2/24/06 5:37 PM In reply to: Passwords: Guess I'm not getting it by katiebug57

This must be a problem in the US. I live in Canada where it became illegal for any company to use an SIN (our equivalent to the SSN) as a record key. We are also advised strongly never to give out our SIN to anyone except a government request such as for tax or passport reasons.

Post 24 of 103

What I do

by BinaryLove - 2/28/06 6:24 AM In reply to: Honorable mentions by Marc Bennett Moderator

I found every single post here interesting. So I'll leave my suggestion too. Better than saving or storing a password is to consider how you create it. I share Dotan C's idea; in fact I usually use two words and 4 or 5 numbers to create my password. One more thing: I try to do so in a foreign but yet comprehensible language. I.e. I'm a Spanish speaker, but I can speak and understand English, too. So I always think about something in English, then add another object to that something and a number I can remember, so my password could be a "bird", then I think of "ice", and then the 4 last numbers of my mother's ID number; with that I create sort of a subject and an adjective: frozenbird1200. It's just an example, so hackers, don't think of it as a REAL password =p! Now that I have my password I save it in my mobile phone's wallet, far away from my computer. That way I can have a safe, easy to remember password, and I can carry it always with me =D. Of course, as Gary said, the risk is now of getting my phone lost or something. So I always back my passwords up in a little notepad back home. And that's what I do =D.

Post 25 of 103

Other suggestions from our members

by Marc Bennett Moderator - 2/23/06 1:23 PM In reply to: 2/24/06 Questions about storing and managing passwords by Marc Bennett Moderator

Answer:

Most web sites are using cookies to store your passwords on the system you are using. There are other ways, but cookies are typically used on a lot of web sites. To test this, just store a password someplace, go back to the web site and see if the password is stored. Next delete your cookies and go to the site again. Chances are you will be prompted for your username and password. Cookies are commonly used to store information about a user's preferences at a web site.

If you are curious as to what the information looks like, you can find most cookie files under \Documents and Settings\%username%\Cookies. You will find a number of text files that are cookies for the various web sites you have visited. If you open one of the files, you will more than likely find some readable information, such as espn.com, and a lot of series of numbers separated by some type of delimiter. It is conceivable that this information could be used to determine username and password for a site.

A way to store passwords that is very safe is to use a Smart Card and a Smart Card Reader. You can use a free program called SmartCache found at http://www.smartcache.net. With this software you can read and write username and password information on smart cards. You just need to find a supported smart card reader, which SmartCache has listed on their web site, and a blank smart card, which can be purchased on many web sites. You can easily find supported readers on eBay for under $10 and the Smart Cards themselves can cost as little as $2 if you know where to look.

If you ever had one of those credit cards with the smart card chips on them and the credit card company provided you with a reader, you now have a reason to use the reader again. If you still have the old credit card, you can use the SmartCache software to read and store your passwords on the credit card, even if it is expired.

When you need to get a password, you just open the software and place the card in the reader connected to your PC via USB, Serial, or PCMCIA connection. The software will prompt for a password to retrieve the card information. The card will be read and your username and passwords will be revealed. You can even store the associated web URL to which the username and password are related.

In addition, you can back up the usernames and passwords to an encrypted file that you can store on a floppy. You can place the floppy, or any removable media for that matter, in a safe place. So if the card is damaged or lost you can still get to your passwords using the backup file and the SmartCache software.

Now you never have to worry about your passwords being stored on your system. The only password you have to remember now is the one used to unlock your card.

Submitted by: Ralph D.

***********************************************************************

Answer:


Hey Gary,

When your computer system asks you to save your passwords in chat accounts and hotmail, it saves it to a temporary file known as TEMP. These passwords can be erased with a simple click. To erase them you open an Internet Explorer page and click on TOOLS, CONTENT tab and then click AUTO COMPLETE under Personal Information. Then you have to click on CLEAR PASSWORDS under Clear Autocomplete History. If you want to stop Windows from asking you to save your password, you click on the box next to USER NAMES AND PASSWORD FORMS so that the green tick is not visible.

Storing and saving a password are the same thing and I find it not needed to save passwords. It is not very secure to be saving passwords on a family computer/laptop as they can access it. But if it is your own laptop/computer you can save passwords as secure as possible. I agree, password managers actually send your passwords to other people as well so that is not good. The easiest way to save your passwords is to write them down on a piece of paper or in a diary/note pad.

I hope this helps.

Submitted by: Joshua W.

***********************************************************************

Answer:


Storing or Saving Passwords:

In my opinion, the only “safe” place to store passwords is in your head. Never write them down. Never share them with anyone. Never use one that a friend or colleague can guess.

Create a password or passwords that mean something to you personally. Like something from your childhood. Never use pet names, family member names, license plate numbers or anything that someone can figure out. Make it cryptic by alternating between upper and lower case, or add numbers after a personal phrase.

After that, remember it! Then change it frequently and remember it. This is the best password protection policy on the planet. I would have to be tortured before I would reveal my password. You can’t find it under my keyboard, in my desk, taped to my printer or anywhere in sight, and I won’t reveal it to anyone. Even my mother who is 1,500 miles away. It is as valuable as your bank PIN number. Create it then remember it!

Submitted by: Bennie C.

***********************************************************************

Answer:


Unfortunately in my "young" computering days, I used a password manager - Gator - which ended up dumping all sorts of unsavory stuff in my computer, which took forever to get rid of. I have found the best way to store my passwords is an Excel spreadsheet, password protected (with a password I won't forget). I use the internet for paying bills, personal and business, business taxes etc. I feel fairly secure using the spreadsheet because no one can get to it but those on my computer and then it's password protected. This works great for me.

Submitted by: Bea

***********************************************************************

Answer:


My name is Elie and I am from Israel. I am using a very simple technique to keep my passwords. I use an Excel file which you can open only if you know the password for it. In this file I manage columns according to the name of the application for which I need the password, the user name for this application and the date when I changed the password. In the cell where I put the date I add a note (By clicking shift+F2) and I write there the password. I like it because you can see the password only if you stay with the pointer of the mouse on the cell, and you choose the one with the latest date. I use one row for each application.

Submitted by: Elie F. of Israel

***********************************************************************

Answer:


If you never store passwords anywhere, then you are pretty safe. However, asking the question does suggest you would like to. I think you should not worry about the technology and should follow basic rules:

• Use different passwords for trivial, moderately interesting and important sites like financial accounts.
• Allow Windows, or the site, to store passwords to trivial sites which you really wouldn’t mind if someone else used your id. Lots of sites insist you register but really have no security implications.
• Only store access details to moderately interesting sites on a computer which is totally under your control and then only if you wouldn’t suffer serious loss by impersonation. (thefts do happen)
• Never store or record passwords to financial or any other sites where crooks could make off with your identity or your money.
• Even ‘trivial’ sites may contain name and address details and other clues to your identity in your ‘account details’ so be careful even with these.

Submitted by: Paul S.

***********************************************************************

Answer:


Gary,

I am a computer technician that goes to people's homes and small businesses. My advice is NEVER store passwords on your local machine. I have a little utility that will tell me all the passwords that are kept on your local machine in less than 30 seconds. Any hacker that gains access to your machine can do the same.

Antispyware and antivirus programs rely on "signature files" to detect malware. A lot of spyware made today is simply out to get passwords and user names to empty out bank accounts, and sell shares that don't belong to them, and is sponsored by criminal organizations.

Unfortunately when a new bit of nasty ware comes out the companies must get the nasty ware and analyze it, then figure out a signature for it, incorporate it in their definition files, and then the end user has to update those files. This can sometimes take a few weeks for this whole process to be completed; during that time the end user is vulnerable.
As for passwords stored on the web page's server, that is no less secure. All anyone needs to do is find your user name for that web page and they have access to whatever you have stored there. User names are usually not encrypted.

Submitted by: Jim F.

***********************************************************************

Answer:


Gary,

It has been said that the easiest way to hide something is to leave it in plain sight. I don’t trust password managers or “wallets” either. My method is to carry a small Excel file in my PDA called “Logs”. This file contains three columns, Site, Log-In, and Password. The Site is self explanatory. The Log-in uses code phrases like “home email” or “work email” etc. The password column also uses code phrases, and while it does require the ability to memorize, your actual passwords are never written down anywhere except in your memory.

I have five passwords, with the code phrases alpha, alpha-numeric, numeric, old phone, and first email. One of these passwords will fit the requirements of almost any site I have ever visited in terms of syntax. They are all completely random combinations of letters and/or numbers, therefore very difficult to guess, no family names, pet names, or birthdays, etc. Using my file I don’t have to guess what I used for the log in or password to that site I visited a year ago. Hope this helps.

Submitted by: Dave M.

***********************************************************************

Answer:


That, I believe, is the wisest way to go - I don't trust password managers either. I write down on paper all the passwords I use, and never use any other form of storage for this type of data. I also have Auto complete facilities disabled. As a user of internet banking services I never store banking login pages in the Bookmarks facility of the Browser - just use Google to locate these pages every time I need to login.

All the best.

Submitted by: Frank M.

***********************************************************************

Answer:


Re password option

I NEVER let the web site save my password. If you do, you give away whatever modicum of protection against a fraud that you have. They get your e-mail and your password at the same time if they snoop the web site.

Submitted by: Robert K.

***********************************************************************

Answer:


The way I understand it, passwords are stored by your browser in a special database. Are they safe? As safe as your browser!

For instance: I will not store any passwords on Internet Explorer. Rather, I use RoboForm on my PC, and store the data on a removable disk. At home however, I do store passwords on my iBook, running Safari. Somehow, I trust Apple more than I trust Microsoft.

When in doubt, keep your passwords elsewhere.

Submitted by: Hans W.

***********************************************************************

Answer:


Hi Gary,

I'm with you, I allow some sites to remember passwords, only those that have no further information about me usually. I know some web sites try to keep your info secure, but nothing is infallible.

You could keep a small book, or if you prefer, save them as an Archive on your mobile phone.

Hope that helps.

Submitted by: Deb of Australia

Post 26 of 103

Use Keychain

by marquesalan - 2/24/06 3:27 AM In reply to: Other suggestions from our members by Marc Bennett Moderator

I have used Keychain to store all of my passwords for about 15 years with no trouble from hackers. I back up the file to a remote server so I have them all if I need to reinstall any of them or I forget what my login info was.
For more info about how cool and easy this interface is:
http://www.apple.com/macosx/features/security/

Post 27 of 103

I use pass2go for PC's

by robertjvan - 2/24/06 6:31 AM In reply to: Use Keychain by marquesalan

A similar product by Siber Systems http://www.roboform.com/

Post 28 of 103

Passwords don't work

by johns123 - 2/24/06 10:44 AM In reply to: Other suggestions from our members by Marc Bennett Moderator

I have software that can crack or delete any passwd. I do it all the time for users who move to different computers, or users who have simply forgotten their passwds. The original intent of passwds was personal privacy. That is long gone in the workplace, or on the net. Every company is now snooping its employees, using excuses like, "We own these computers." Passwds are an old Unix hack, and suggesting that they provide any level of protection from a determined criminal .. or boss .. is just naive. There are much better ways, and they will gather "evidence" that will warn you .. and that is real protection. Here's a brief list:

• Disk Imaging .. keep that computer plain vanilla.
• Hibernate .. turn it off after 30 minutes.
• Levels of filtering and firewalls .. on everything.
• Proxy on Browser .. supported by remote company.
• Personal Laptop .. with data transfer USB cable .. that shares in and shuts down.
• Thumb drives, USB drives .. keep your personal stuff.
• Remote accounts .. have a valid remote account, and enable it locally. Run Postini on the remote account.
• Passwds .. will keep your mother off :-)

Post 29 of 103

I use a Winzip-encrypted text file

by charodon - 2/24/06 1:20 PM In reply to: Other suggestions from our members by Marc Bennett Moderator

I've tried dedicated password storage tools, but frankly I've found a simple solution to be the best: I keep my sensitive passwords in a plain vanilla text file, then I zip and encrypt it using Winzip. Whenever I can't remember a password I just open the file and look it up. Other password programs eat up memory, slow down startup, or interfere with browsing by popping up at annoying times.

Post 30 of 103

Smart...

by firerant - 2/25/06 8:16 AM In reply to: I use a Winzip-encrypted text file by charodon

I also use a zipped/passworded text file, it's about the easiest way. You already have the text editor in Notepad, and most people will have Winzip or some other archiving tool capable of creating a passworded archive (or should).

In the text file I sometimes group similar usernames & passwords, such as discussion forum logins, but I mostly just pile 'em in there. I format a line:
|domain/forum name|<tab>|user name|<tab>|password|<return>

That way they line up nicely. Since they aren't in any particular order I usually do a Find <ctrl-F> and search on the domain or forum name to find the right entry. Simple.

I also have a shortcut to the zipped file in my tooltray, this is the fastest way to access it. One click on the shortcut, doubleclick on the text file name in Winzip, enter archive password, and Notepad appears with the password file displayed. No headaches. And a paper copy is just a couple clicks away if I want one.

Of course if you have Excel or some other spreadsheet you could use that instead of a text file, but Notepad is about the fastest application with the smallest footprint you could use.
