Dear Users... (A thread for Sysadmin, Technical Support, and Help Desk people)

[KeePass is] not on the Approved Software List and is therefore not possible to install on Australian Government computers.

You could install it on your mobile phone. While you would have to manually type the password on your government computer, at least you wouldn't have to remember it.

I have about 120 entries in my KeePass database. Some of them take the form of, say, 15 characters, only seven of which are normal alphanumeric. There is no way I am going to remember them, especially for sites that require changing a password every three months.
 
I use Password Safe, https://pwsafe.org/, because it's recommended by our corporate security guru AND by Bruce Schneier. It only works locally and not with a cloud service, which is one more reason to trust it.
 
Ascendo DataVault is the one I use. It also can work locally, although you can have it keep an encrypted backup on your iCloud or Dropbox. You can synchronize between different devices (say, phone and desktop) via wireless or the aforementioned cloud storage as well. Very configurable, and by default it has Categories for business vs personal, and a lot of pre-made templates for things.


 
I use Password Safe, https://pwsafe.org/, because it's recommended by our corporate security guru AND by Bruce Schneier. It only works locally and not with a cloud service, which is one more reason to trust it.

There are also Linux, Android, and I believe iOS ports. The Android version has a companion app that will sync the password file to common cloud services like Google Drive (yes, that does introduce a cloud feature, but a] it's not dependent on it and b] since it's not the cloud service providing the password app, it should be safer).
 


Yes, yes and yes. I just keep my password file in Dropbox. I don't keep whole passwords in it, just 2-3 letters that indicate which misspelled obscure word is the base and then more chars indicating the individual permutation. And the key to the vault is yet another misspelled word that I heard a few times before I saw it written. That and the robustness of the PasswordSafe app is good enough for me.
 

I have all my passwords in my Bookmarks. Well, clues to them, actually. That helps when I find I've had an account for years that I haven't touched, and suddenly they send me an email with a new policy or something. Just happened with Shutterfly. Of course, it's a hassle to try to find out how to close your account.
 
Bruce Schneier released the first version of Password Safe in January 2002, but it was a Windows-only application for years.

In December 2002, due to a dearth of password managers for Linux, I wrote my own using a text file encrypted using GPG (Gnu Privacy Guard) and managed with a Bash shell script. I may have looked at Password Safe at the time, but if I did I would have passed it over because it was Windows-only.

KeePass was released 11 months later in November 2003, but again was a Windows-only program; KeePassX didn't happen for another 13 years, in October 2016.

From a security point of view, my password manager is, to put it politely, deficient. It decrypts the password file to plain text on a RAM drive and edits it using vim. Although the file's permissions don't allow other users to read the file, any program that can scan memory would likely be able to see the vim buffer. I use copy and paste to transfer passwords from the vim file to (typically) the web browser, which uses the X clipboard. Although I haven't investigated it, my understanding is the X clipboard is terribly insecure.

I haven't bothered migrating to KeePassX because what I'm using for now is good enough.
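The workflow described in the post above (a GPG-encrypted text file, decrypted to a RAM drive, edited in vim, re-encrypted) as an added bash example; this is not the poster's script. It assumes gpg 2.1 or later (for `--pinentry-mode loopback`), GNU `mktemp`, and that the caller passes a scratch directory on a tmpfs such as /dev/shm so the plaintext never touches disk. The passphrase is fed to gpg on stdin rather than on the command line so it does not show up in `ps`, the scratch file is created under `umask 077`, and an EXIT trap shreds it even if the editor is killed. The clipboard problem the post raises is deliberately not solved here: `pw_get` prints one entry to stdout instead, so the caller decides how it reaches the browser.

```shell
#!/usr/bin/env bash
# Added example, not the original poster's script. Vault format assumed:
# one entry per line, "site<TAB>username<TAB>password".
set -euo pipefail

# Symmetrically encrypt plaintext file $1 into $2 with passphrase $3 (AES-256).
# The passphrase goes in on stdin (fd 0) so it is not visible in the process list.
pw_encrypt() {  # args: plaintext_path ciphertext_path passphrase
  printf '%s\n' "$3" | gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase-fd 0 --symmetric --cipher-algo AES256 --output "$2" "$1"
}

# Decrypt $1 to stdout with passphrase $2. Fails (non-zero) on a wrong passphrase.
pw_decrypt() {  # args: ciphertext_path passphrase
  printf '%s\n' "$2" | gpg --batch --yes --quiet --pinentry-mode loopback \
      --passphrase-fd 0 --decrypt "$1"
}

# Print the password for site $3 without writing any plaintext to a file.
pw_get() {  # args: ciphertext_path passphrase site
  pw_decrypt "$1" "$2" | awk -F'\t' -v s="$3" '$1 == s { print $3 }'
}

# Edit the vault: decrypt into a scratch file under $3 (point this at a tmpfs),
# open it in $EDITOR (default vim), re-encrypt, and wipe the scratch copy.
# The body runs in a subshell so umask and the EXIT trap stay local to this call.
pw_edit() (  # args: ciphertext_path passphrase scratch_dir
  umask 077
  scratch="$(mktemp -p "$3" pw.XXXXXX)"
  # shred where available; fall back to rm (tmpfs contents die with the mount anyway)
  trap 'shred -u "$scratch" 2>/dev/null || rm -f "$scratch"' EXIT
  if [ -s "$1" ]; then
    pw_decrypt "$1" "$2" > "$scratch"
  fi
  ${EDITOR:-vim} "$scratch"
  pw_encrypt "$scratch" "$1" "$2"
)
```

Usage: `pw_edit ~/vault.gpg "$pass" /dev/shm` to add or change entries, then `pw_get ~/vault.gpg "$pass" example.com`. The remaining exposure the post mentions is unchanged: while the editor is open, the plaintext sits in the editor's memory and in the tmpfs file, readable by anything running as the same user.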
 
I'm not aware of the X clipboard specifics, other than - like the Windows clipboard - it's readable by any application. In the X Window System, in particular, any application that can connect to the display can get the clipboard, including remote applications if you've enabled network display connections. Most modern systems disable that, though, and even when enabled there is a security handshake. That said, I don't think the X communication protocol is encrypted in any way.

On Windows and Android, Pwsafe, and I believe most other password managers, will "type" your password for you (virtual keystrokes). I'm not sure if the Linux ones can do that; some applications reject generated keystrokes on Linux for security.
 
Note that KeePass doesn't need to be installed to run, it can be used in portable mode. Even with the entire thing on a thumb drive...

(And if you prefer, it can be run from an encrypted thumb drive like an 'iron key')
 


Sometimes you just reckon something's working well enough and move on. There was a rumour at a place I worked that the ops automation team could only implement the designated crap software by leaving all kinds of security holes* because IT security were largely arrogant knobheads. Worse than IBM corporate audit, who were IT-illiterate accountants.


*I am unaware of any such activity or loophole, nor would I be disposed to discuss such a loophole if it did in fact exist.
 

There used to be such a weakness in one of the old, now-retired Home Office systems that collated reports from the then state-of-the-art police database system, which logged users, time of login, what was queried and so on. Really good audit logs. However, the only way they could "share" data was to emulate a terminal and "type" in a query; this was done via a hardcoded telephone number (with a dialup modem.....), and one side of the emulated terminal was always logged in. If you knew the telephone number you could dial in from anywhere and run any query you wanted, and nothing was logged. We found this out when we were trying to test some queries but didn't have enough test data, and found that one of the original team had left instructions on how to log in, i.e. power up your modem, dial the number and, lo and behold, you had access.

Security by obscurity.

We assumed at the time that this would have been one of those cases when the proper solution, i.e. they couldn't connect, was unacceptable to those who wanted it.
 

//Total Hijack//

McLaren, the British supercar maker, still has to maintain an ancient, early-90s Compaq LTE 5280 laptop specifically for remote support on its legendary McLaren F1 supercar. When the car (which seriously is one of the most legendary cars ever made) was produced, McLaren knew they couldn't hope to have a McLaren mechanic physically available at a convenient location for all their buyers, so they installed (for the time) fairly advanced diagnostic software and a modem in the car so that owners could have issues remotely diagnosed and even fixed in some cases.

Jalopnik article: https://jalopnik.com/this-ancient-laptop-is-the-only-key-to-the-most-valuabl-1773662267

Doug DeMuro review of Jay Leno's F1 (modem is shown at the 7 minute mark if the timestamp doesn't work): https://youtu.be/EkYVXIWAPnc?t=419
 
We go through the discussion about password managers in this thread on a semi-regular basis. I think by now we all understand that pretty much everyone in the discussion uses a password manager. I use Lastpass myself. But password managers are not part of the standard operating environment for government computers, because the people who make security decisions in government do not understand security.
 
- I use Bitwarden myself

- My user base would sit in the corner crying and banging their head against the wall if I tried to introduce something as complex as a password manager. They don't do change. They don't do change on a level I honestly can't even exaggerate for comedic effect. They write down all their passwords in a little notebook they keep in their desk drawer and that's just the way it is. Telling them to stop doing it that way is like telling the tide to stop coming in and out.

Password manager software is across the board incredible if you choose to and want to use. Forcing it on users who don't want it is a massive security problem waiting to happen.
 
My octogenarian dad has all his passwords written down, but at least he recognised the need for them to be written down in code.
 

My septuagenarian mother writes all her passwords down in plain text...but on multiple notecards, notebooks, loose papers, post-it notes, etc. She'll have the same account listed with eight different passwords because she never crosses out an old one, or indicates when one has been changed. She actually got scammed two weeks ago, but the guy phishing her on the phone lost patience and gave up because she couldn't get into her own account to give him control of it. (She actually did have the correct password written down, but didn't realize it was case-sensitive because she'd never consider the need to write a note to that effect. And when I got her to add ! as the required "special character" to the end of passwords, she wrote it down dutifully but then ignored it because she thought her past self was just being emphatic about what the password was, not that the punctuation was part of it.)

She's following a family tradition of elderliness: her own father was so confused and so hard of hearing that scam artists calling him up would give up in frustration. He had a very thick accent that died out decades earlier so few people could understand him, and with his hearing he couldn't understand anybody else, so it was quite a wild ride to watch him answer a phone call. "What? What? What? The bank? No, this isn't the bank, you have the wrong number! What? What? What? Oh, you're the bank? What? Why didn't you give me that boat loan in 1939? What? Hello? Hello? They hung up!" *hanging up on someone literally screaming*
 