[cryptome] Off-topic password tips

  • From: "Al Mac Wow" <macwheel99@xxxxxxxxxx>
  • To: <cryptome@xxxxxxxxxxxxx>
  • Date: Sat, 31 Aug 2013 18:04:03 -0500

In partial answer to BZ.


I work in the IT world … not PCs but OS (operating system) of IBM computers
which corporations use for back office stuff.

There have been times that I needed to keep track of over 100 passwords at
one time, for work & for personal use.  So I have developed, and refined,
SYSTEMS, to hopefully provide good security, while not relying on the system
which involves stuff falling out of my brain, when I don’t use certain
portions of my brain often enough.  At the same time, I do not have post-it
notes with passwords easy for other people to find.


At work, it used to be my job to issue passwords to the employees.

That meant I was like Ed Snowden, knowing how to get into anyone’s account.

The volume of stuff is so astronomical, that being able to get into anything
is of little value.


Using the keyboard, and number pad, I figured out how a person could have a
password such that while keying, their fingers would rapidly cover up what
they were doing, so it would be darn impossible for someone watching someone
else, to figure out their password.  Well that only works if someone is
typing like I type.  I quit doing that after I saw practically all
co-workers engaged in hunt and peck.


Back in the 1960’s when I was in college, I took a class in touch typing,
because I saw a future in keyboarding being part of my preferred profession
of computer programming.  I never got as fast as the professional
secretaries, but I can type without looking at the keyboard … I look at the
screen, occasionally fix typing errors.  The vast majority of co-workers are
hunt and peck.  In time, most offices will have you talk, it types, but we
are not there yet.  The technology for that is good, but corporate managers
do not yet see the productivity and profitability benefits of migrating from
hunt and peck generations.


I got permission from management to change the rules for passwords at the
office.

If someone forgets their password, I will force change their password to
some WORD that I tell them what it is, and at the same time force the
password to be EXPIRED.

So when they sign on with the WORD, the system will mandate that they change
the password to something only they know.  There are password rules.  If
their password does not match the rules, they will get a message with
details, and may retry.

I check back with them after a few days, to make sure THEY got in Ok to
THEIR account.


Now I only need to keep track of MY passwords at the office, for each of my
accounts, and the passwords associated with IBM OS functions, like SYSTEM
ADMINISTRATOR, MASTER SECURITY OFFICER, SYSTEM OPERATOR and about ½ a dozen
more like that.  There are about ½ a dozen co-workers who need access to
some of these, such as to do backups, hooking up new connections to the
network, etc.  From time to time we declare “it is about time we changed
these again” typically when one of our number is no longer with the firm.


I had the master list, on my person, in a place I had VERBALLY told my IT
co-workers, and my boss.  Then I said “let’s do a test, let’s assume I get
hit by a bus, and now you need into the system.  Can you figure it out?”  I
was told that if I was run over by a bus, then the paper hidden on my
person, would be too blood soaked to do the little puzzle I had provided, to
translate what was on the paper, to get the corresponding passwords.  The
reason for the puzzle was if the paper fell into the wrong hands, there
would not be enough info there to actually translate into the passwords.


So the new system is that when we change these passwords, I give the boss an
envelope, containing a list of what needs an IT password, and what it is.  I
ask that this envelope be placed in a safe place, where you can find it,
should I ever part company for whatever reason.


It still is part of my job to setup security access for new employees, but I
don’t have to remember their passwords any more.  Also there is a security
aid in IBM OS.  When we sign onto our account, there is a message line
telling us the last time we signed on, and how many failed password attempts
there have been on our account since then.  If that info does not jive with
what’s in our brain memory, that is a clue something is amiss.  Also I
periodically check a log of failed access attempts.


There are certain kinds of consumer devices where you can press some key
combination, and it will spout out account name and password.  Since we have
a lot of these devices, such as laptops, walking in and out of the office on
a regular basis, I have had conversations with the operators of them, and
with management.  “What if one of these devices gets stolen?  The crook can
then easily get into our systems, and we would not know it until the normal
user informs us about the problem.  Is that risk Ok with y'all?”  Well,
maybe because of my conversations, or maybe because of some other problems,
we are now using SONIC WALL for our VPN (VPN is an encrypted tunnel thru the
Internet, which lets different business systems talk to each other, with
decent security, and on the cheap).  It won’t let you pour in a pre-recorded
user-id and password.  It HAS to be keyed at time of opening the
communications session.


Al Mac = Alister William Macintyre

-----Original Message-----
From: cryptome-bounce@xxxxxxxxxxxxx [mailto:cryptome-bounce@xxxxxxxxxxxxx]
On Behalf Of bz
Sent: Saturday, August 31, 2013 1:35 PM
To: cryptome@xxxxxxxxxxxxx
Subject: [cryptome] Re: Exemplary Greenwald-Poitras Opsec Op-Ed


If you read this:

https://pressfreedomfoundation.org/encryption-works

carefully, it may explain what Miranda was doing in London. It wasn't
about sharing docs, but rather setting up Tails, I would think. Any docs
he had on him were rather there only to misguide.

I am rubbish with IT myself and only recently, due to the necessity, have
started learning all this & have been trying to change the ways I
communicate and although every day I feel I begin to understand it, I
still confuse things with keys, certificates and, if I am honest, am
not sure whether people are receiving my mail when I manage to encrypt it.

Also, I dunno why, but I assumed that it will be safer if I record all
passwords on a paper... There are too many passwords to be able to
remember all of them. How can you handle it?

Personally, I think I need proper help with all this as it starts to
really frustrate me, or simply stop using the internet as I am not sure
whether I protect myself the right way or whether it works like it
should, and weird things began to happen both with my laptop and in my life.
