[cryptome] Re: Off-topic password tips

  • From: <militarywritersassociation@xxxxxxxxx>
  • To: <cryptome@xxxxxxxxxxxxx>
  • Date: Sat, 31 Aug 2013 20:48:58 -0400

Al, Thanks for the information, much appreciated.

Best regards,
Ed Schroeder


Military Intelligence Daily
http://militarywritersassociation.wordpress.com


From: Al Mac Wow 
Sent: Saturday, August 31, 2013 7:04 PM
To: cryptome@xxxxxxxxxxxxx 
Subject: [cryptome] Off-topic password tips

In partial answer to BZ.

I work in the IT world … not PCs but the OS (operating system) of IBM computers 
which corporations use for back office stuff.

There have been times that I needed to keep track of over 100 passwords at one 
time, for work & for personal use.  So I have developed, and refined, SYSTEMS, 
to hopefully provide good security, while not relying on the system which 
involves stuff falling out of my brain, when I don’t use certain portions of my 
brain often enough.  At the same time, I do not have post-it notes with 
passwords easy for other people to find.

At work, it used to be my job to issue passwords to the employees.

That meant I was like Ed Snowden, knowing how to get into anyone’s account.

The volume of stuff is so astronomical, that being able to get into anything is 
of little value.

Using the keyboard, and number pad, I figured out how a person could have a 
password such that while keying, their fingers would rapidly cover up what they 
were doing, so it would be darn impossible for someone watching someone else 
to figure out their password.  Well, that only works if someone is typing like I 
type.  I quit doing that after I saw practically all co-workers engaged in hunt 
and peck.

Back in the 1960s when I was in college, I took a class in touch typing, 
because I saw a future in keyboarding being part of my preferred profession of 
computer programming.  I never got as fast as the professional secretaries, but 
I can type without looking at the keyboard … I look at the screen, occasionally 
fix typing errors.  The vast majority of co-workers are hunt and peck.  In 
time, most offices will have you talk, it types, but we are not there yet.  The 
technology for that is good, but corporate managers do not yet see the 
productivity and profitability benefits of migrating from hunt and peck 
generations.

I got permission from management to change the rules for passwords at the 
office.

If someone forgets their password, I will force-change their password to some 
WORD, which I tell them, and at the same time force the password to be 
EXPIRED.

So when they sign on with the WORD, the system will mandate that they change 
the password to something only they know.  There are password rules.  If their 
password does not match the rules, they will get a message with details, and 
may retry.

I check back with them after a few days, to make sure THEY got in OK to THEIR 
account.

Now I only need to keep track of MY passwords at the office, for each of my 
accounts, and the passwords associated with IBM OS functions, like SYSTEM 
ADMINISTRATOR, MASTER SECURITY OFFICER, SYSTEM OPERATOR and about ½ a dozen 
more like that.  There are about ½ a dozen co-workers who need access to some 
of these, such as to do backups, hooking up new connections to the network, 
etc.  From time to time we declare “it is about time we changed these again”, 
typically when one of our number is no longer with the firm.

I had the master list, on my person, in a place I had VERBALLY told my IT 
co-workers and my boss about.  Then I said “let’s do a test, let’s assume I get 
hit by a bus, and now you need into the system.  Can you figure it out?”  I was 
told that if I was run over by a bus, then the paper hidden on my person would 
be too blood soaked to do the little puzzle I had provided, to translate what 
was on the paper, to get the corresponding passwords.  The reason for the 
puzzle was if the paper fell into the wrong hands, there would not be enough 
info there to actually translate into the passwords.

So the new system is that when we change these passwords, I give the boss an 
envelope, containing a list of what needs an IT password, and what it is.  I 
ask that this envelope be placed in a safe place, where you can find it, should 
I ever part company for whatever reason.

It still is part of my job to set up security access for new employees, but I 
don’t have to remember their passwords any more.  Also there is a security aid 
in IBM OS.  When we sign onto our account, there is a message line telling us 
the last time we signed on, and how many failed password attempts there have 
been on our account since then.  If that info does not jibe with what’s in our 
brain memory, that is a clue something is amiss.  Also I periodically check a 
log of failed access attempts.

There are certain kinds of consumer devices where you can press some key 
combination, and it will spout out account name and password.  Since we have a 
lot of these devices, such as laptops, walking in and out of the office on a 
regular basis, I have had conversations with the operators of them, and with 
management.  “What if one of these devices gets stolen?  The crook can then 
easily get into our systems, and we would not know it until the normal user 
informs us about the problem.  Is that risk OK with Y’all?”  Well, maybe 
because of my conversations, or maybe because of some other problems, we are 
now using SONIC WALL for our VPN (VPN is an encrypted tunnel thru the Internet, 
which lets different business systems talk to each other, with decent security, 
and on the cheap).  It won’t let you pour in a pre-recorded user-id and 
password.  It HAS to be keyed at time of opening the communications session.

Al Mac = Alister William Macintyre
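The two detective controls Al describes above (the sign-on message line showing the last sign-on and the failed attempts since it, and a periodic look at the failed-access log) can be reproduced from any sign-on audit trail. The script below is an added example, not code from the thread and not IBM's own feature; the one-line-per-attempt log format, the addresses and the account names (ALMAC, SECOFFICER, EDS) are constructed for illustration.

```python
"""Per-account sign-on summary built from a sign-on audit log.

Added example, not code from the thread or from any IBM product.  It
reproduces the two checks described in the message: the "last sign-on /
failed attempts since then" message line, and a periodic review of the
failed access log.  The log format and all account names are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample log: "<ISO timestamp> <account> <OK|FAIL> <source address>"
SAMPLE_LOG = """\
2013-08-30T08:02:11 ALMAC OK 10.1.2.15
2013-08-30T08:05:40 SECOFFICER FAIL 10.1.2.77
2013-08-30T08:05:52 SECOFFICER FAIL 10.1.2.77
2013-08-30T08:06:03 SECOFFICER FAIL 10.1.2.77
2013-08-30T17:30:00 ALMAC OK 10.1.2.15
2013-08-31T07:58:21 ALMAC FAIL 10.1.2.15
2013-08-31T07:58:35 ALMAC OK 10.1.2.15
2013-08-31T09:14:09 EDS OK 10.1.2.40
"""


@dataclass
class SignOnSummary:
    account: str
    last_success: Optional[datetime] = None
    # Failures between the previous good sign-on and last_success: the count
    # the user saw on the message line at their most recent sign-on.
    failed_before_last: int = 0
    # Failures after last_success: the count the next sign-on will report.
    failed_since_last: int = 0
    # Source addresses of the failures counted in failed_since_last.
    failed_sources: List[str] = field(default_factory=list)


def parse_line(line: str):
    """Split one audit line into (timestamp, account, succeeded, source)."""
    ts, account, outcome, source = line.split()
    if outcome not in ("OK", "FAIL"):
        raise ValueError(f"unknown outcome {outcome!r} in line {line!r}")
    return datetime.fromisoformat(ts), account, outcome == "OK", source


def summarize(log_text: str) -> Dict[str, SignOnSummary]:
    """Replay the log in timestamp order, keeping per-account counters."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])
    summaries: Dict[str, SignOnSummary] = {}
    for ts, account, ok, source in events:
        s = summaries.setdefault(account, SignOnSummary(account))
        if ok:
            # A good sign-on closes the window: "since last" becomes
            # "before last" and a fresh window starts.
            s.last_success = ts
            s.failed_before_last = s.failed_since_last
            s.failed_since_last = 0
            s.failed_sources = []
        else:
            s.failed_since_last += 1
            s.failed_sources.append(source)
    return summaries


def message_line(s: SignOnSummary) -> str:
    """The line a user would see at their next sign-on."""
    if s.last_success is None:
        return f"No previous sign-on; failed attempts so far: {s.failed_since_last}"
    return (f"Last sign-on: {s.last_success:%Y-%m-%d %H:%M:%S}; "
            f"failed attempts since then: {s.failed_since_last}")


def accounts_to_review(summaries: Dict[str, SignOnSummary],
                       threshold: int = 3) -> List[str]:
    """Accounts whose failures since the last good sign-on reach the
    threshold: the entries worth pulling out of the failed-access log."""
    return sorted(a for a, s in summaries.items()
                  if s.failed_since_last >= threshold)


if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for name, s in sorted(result.items()):
        print(f"{name:<12} {message_line(s)}")
    print("accounts to review:", accounts_to_review(result))
```

On the constructed log, ALMAC's own mistyped password at 07:58:21 shows up as one failure on the message line at the 07:58:35 sign-on (something the user can reconcile with memory), while the three failures against SECOFFICER, an account with no good sign-on in the window, are what the periodic log review should surface.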

-----Original Message-----
From: cryptome-bounce@xxxxxxxxxxxxx [mailto:cryptome-bounce@xxxxxxxxxxxxx] On 
Behalf Of bz
Sent: Saturday, August 31, 2013 1:35 PM
To: cryptome@xxxxxxxxxxxxx
Subject: [cryptome] Re: Exemplary Greenwald-Poitras Opsec Op-Ed

 

If you read this:

https://pressfreedomfoundation.org/encryption-works

carefully, it may explain what Miranda was doing in London. It wasn't
about sharing docs, but rather setting up Tails, I would think. Any docs
he had on him were rather there only to misguide.

I am rubbish with IT myself and only recently, due to the necessity, have
started learning all this & have been trying to change the ways I
communicate and although every day I feel I begin to understand it, I
still confuse things with keys, certificates and, if I am honest, am
not sure whether people are receiving my mail when I manage to encrypt it.

Also, I dunno why, but I assumed that it will be safer if I record all
passwords on a paper... There are too many passwords to be able to
remember all of them. How can you handle it?

Personally, I think I need proper help with all this as it starts to
really frustrate me, or simply stop using the internet as I am not sure
whether I protect myself the right way or whether it works like it
should, and weird things began to happen both with my laptop and in my life.
