Internet Security Thread

10 posts


I have had in my mind for a while now the idea of writing up a simple "best practices" guide for people to protect themselves on the Internet from the turds who have nothing better to do but to try to pry into other people's forum accounts, email accounts, and the like. Towards this end, please contribute any ideas and suggestions that you think might be helpful to others.

Password Safes

To start with, people should learn how to use a password safe. There are several choices, but I recommend this application for generating and storing passwords:

Generate strong unique passwords like this easily:

This one is 20 characters, but in general passwords can be and increasingly should be longer, up to 40 or even 60 characters. You needn't memorize every password. Instead you open the password safe application (which has a single master password that you must memorize) and then use cut & paste to paste it easily into the password field. The application automatically clears the clipboard after ten seconds.

Two things to keep in mind:
  1. There is an encrypted database file in which your passwords are stored. If you lose the file then you lose your passwords (you should keep a copy in more than one secure place).
  2. There is a master password to open the database file. If you forget the master password then you lose your passwords.

How well does this method work against, say, keyloggers and other similar programs?

Stored passwords bypass keyloggers when the user enters them using cut-&-paste. The master password can be entered securely on Windows:

The master password can be strengthened by requiring a key file to open the database. You can check out the documentation for more information on security.
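The two ideas in this thread so far, a generator for random per-site passwords and a database key built from the master password plus an optional key file, as an added illustration that is not the recommended application's own code or file format (the PBKDF2 stretch, the check value and the sample key-file bytes are my own constructions):

```python
import hashlib
import hmac
import secrets
import string

def generate_password(length=20, symbols=True):
    """Random password of `length` characters containing at least one
    lowercase letter, one uppercase letter and one digit."""
    alphabet = string.ascii_letters + string.digits
    if symbols:
        alphabet += string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw

def composite_secret(master_password, key_file=None):
    """Hash each factor separately and concatenate them: if a key file was
    used when the database was created, its exact bytes are needed again."""
    secret = hashlib.sha256(master_password.encode("utf-8")).digest()
    if key_file is not None:
        secret += hashlib.sha256(key_file).digest()
    return secret          # 32 bytes (password only) or 64 bytes (with key file)

def derive_db_key(master_password, salt, key_file=None):
    """Slow stretch of the composite secret into the 32-byte key that would
    encrypt the password database (PBKDF2-HMAC-SHA256, 600k iterations)."""
    return hashlib.pbkdf2_hmac("sha256", composite_secret(master_password, key_file),
                               salt, 600_000, dklen=32)

def key_check_value(db_key):
    """Stored beside the database so a wrong password or key file is rejected
    before any decryption is attempted."""
    return hmac.new(db_key, b"password-safe-check", hashlib.sha256).digest()

def can_open(master_password, salt, stored_check, key_file=None):
    candidate = key_check_value(derive_db_key(master_password, salt, key_file))
    return hmac.compare_digest(candidate, stored_check)   # constant-time compare

if __name__ == "__main__":
    salt = secrets.token_bytes(16)
    key_file = secrets.token_bytes(64)      # constructed stand-in for a key file on disk
    check = key_check_value(derive_db_key("correct horse", salt, key_file))
    print(generate_password())
    print(can_open("correct horse", salt, check, key_file))   # True
    print(can_open("correct horse", salt, check))             # False: key file missing
```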

Thanks for this thread. I've been wary of Keepass but it does seem that longer passwords are needed

Creating Strong Master Passwords

In the original post I recommended storing all your passwords in a password safe. Trouble is, you have to be logged into your computer's operating system (OS) user account before you can access your password safe. Thus you will need to memorize one or two "master" passwords for manual entry: First, the password to log on to your OS user account, and second the master password to the password safe.

I thought up a trick that I use in order to create long, hard-to-crack yet memorizable passwords. The basic idea is to memorize the "real estate" of the keyboard, not to memorize all the characters of the password. To illustrate, start with random diagonal sequences of keys on the keyboard like this:

2wsx bhu8 0p;/

I added spaces to show the three, four-key sequences. Notice that each four-character sequence is continuous diagonally on the keyboard. As sequences of physical keys, I find them much easier to memorize than randomly generated strings, yet the result seems to be practically just as strong. At the very least, it is much stronger than a simple word or word/digit combo.

Next, add one or more shift-key strokes somewhere to the sequence. For example, you could press the shift key for every first and third keys like this:

@wSx BhU8 )p:/

Or maybe just the last key in each row:

2wsX bhu* 0p;?

Naturally, there are limitless ways to vary the idea. You choose what keys to start from (they might signify something, but don't make it anything as obvious as your initials); you can vary the number of sequences; the sequences can run up or down; the sequences can lean left or right. You are not limited to rows; you can create sequences that make a V shape or other shape. The sequences should, however, include both letters and number keys. Don't forget to add at least one shift-key stroke to your password!
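A way to check how large the search space of the keyboard-walk scheme above actually is, as an added calculation that is not part of the original post: it enumerates every diagonal 4-key path on a US QWERTY grid (one key per row, running up or down, column fixed or drifting one place per row; V shapes and other variations are not modelled) and compares the resulting bits of entropy for three such sequences with at least one shifted key against a randomly generated password of printable characters.

```python
import math

# Unshifted rows of a US QWERTY keyboard, constructed for this estimate.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]

def diagonal_sequences():
    """Every 4-key path with one key per row, running down or up, with the
    column index fixed (leans right on a real keyboard) or moving by one per
    row (leans the other way). Returns the sequences as typed, unshifted."""
    found = set()
    for row_order in (range(4), range(3, -1, -1)):        # top-down or bottom-up
        rows = [ROWS[r] for r in row_order]
        for step in (-1, 0, 1):                             # column drift per row
            for start in range(len(rows[0])):
                cols = [start + i * step for i in range(4)]
                if all(0 <= c < len(r) for r, c in zip(rows, cols)):
                    found.add("".join(r[c] for r, c in zip(rows, cols)))
    return sorted(found)

def walk_entropy_bits(num_sequences, keys_per_seq=4, seqs=3):
    """Entropy of a password made of `seqs` sequences where any subset of the
    keys may be shifted, but the all-unshifted password is not allowed."""
    per_seq = num_sequences * 2 ** keys_per_seq
    total = per_seq ** seqs - num_sequences ** seqs
    return math.log2(total)

def random_entropy_bits(length, alphabet_size=94):
    """Entropy of `length` characters drawn uniformly from the printable set."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    seqs = diagonal_sequences()
    print(len(seqs), "diagonal 4-key sequences, e.g.", seqs[:6])
    print(f"three walks with shifts: {walk_entropy_bits(len(seqs)):.1f} bits")
    print(f"12 random printable chars: {random_entropy_bits(12):.1f} bits")
```

The three sequences from the post ("2wsx", "bhu8", "0p;/") are all in the enumerated set, so the figure printed is the size of the space an attacker who knows the pattern would have to cover, not the strength of an arbitrary 12-character string.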

for fuck's sake, just write your passwords onto a piece of paper and put it into the drawer.

There, you are done.

This is not a good suggestion.

I disagree. The only "unhackable" solution is to:

1) come up with unique combinations of letters and numbers for every forum
2) not to store them in your email box or on your pc, store them offline in a safe or in a drawer

Passing your passwords to someone else's database to be stored is, I don't know, strange.

This solution put out by me makes it virtually impossible to get access to more than 1 account through a board hack

What exactly are you disagreeing with? The password safe application that I recommended features a utility that will generate a random password to your specifications for every forum, bank account, etc. You can specify character length, whether to include numbers, letters, punctuation marks, etc. These passwords are very hard to crack, which is helpful when some little shit acquires your MD5 hash code from a stolen database.


Writing down passwords is clumsy and error prone.

You're not going to want to go to your safe every time you log into some online account. If you put it in a drawer, you are vulnerable to losing it or getting it stolen by a burglar or juvenile-delinquent second-cousin-once-removed. You will then not have your passwords, but maybe someone else will. Good luck remembering and changing every password you use online when this happens.

Because of these inconveniences, and the fact no one except an idiot savant can memorize all the hard, unique passwords that are needed, your system makes it tempting to go back to simpler passwords, like "whatever1234".

Your scrap-of-paper solution requires the user to type in passwords which makes you vulnerable to key loggers and even people looking over your shoulder and to loss and theft of one valuable scrap of paper. It's an inadvisable stopgap for luddites.

OK, you could have a point there, mate. Didn't think about key loggers.

But anyway, something tells me it's easier to protect yourself from keyloggers than from a meltdown/hack of some third party database with passwords.

PS: I followed your link - you still have to have a password you'll need to remember to log in to the DB, so in essence if you have keylogger spyware you are screwed one way or another.

Having an automatic program to store and generate passwords adds to simplicity but doesn't add an extra layer of security vs. my scrap-of-paper luddite solution heh heh