[#] Thu Jan 01 2015 13:57:41 EST from Sig

Has anyone experience or thoughts on various password manager schemes and/or hardware tokens? Specifically, I am looking into a Yubikey NEO, possibly in conjunction with LastPass premium (at $12/year). Password managers kind of give me the willies, but right now I have a disturbing amount of my life tied to two Google accounts and I'd like to diversify and further enable meaningful 2-factor authentication. I have it enabled now on web accounts that allow it (Google, Twitter, etc.), but I'd like to go farther. I've read enough tech docs and forum posts on the YubiKey device to believe that people are actually able to implement its use for things like PGP, SSH keys, and local system logins. (The advantage of the NEO over the cheaper models is the NFC capability, which would let me use it to secure my Android-based Nexus 7 tablet.)

[#] Thu Jan 01 2015 16:25:44 EST from Sig

Eh, I ordered one. I'll let you know.

[#] Fri Jan 02 2015 18:37:01 EST from IGnatius T Foobar

How do Google and Twitter tie into third party auth tokens?

[#] Sat Jan 03 2015 00:08:52 EST from ax25

I still kick it old school with Bruce Schneier and his Password Safe:

https://www.schneier.com/passsafe.html

Ports for non-Windows / Linux exist, but Bruce says about auditing other code-bases... "Ain't nobody got time for that."

[#] Sat Jan 03 2015 04:29:06 EST from zooer

I thought the standard was KeePass.

[#] Sun Jan 04 2015 15:30:00 EST from nristen

I have the original YubiKey, which I like a lot. It took some work to incorporate into my existing server logins though. A lot of public services don't work with YubiKey unless you take advantage of the static password option, which allows for a constant (long) password to be inputted (both static and OTP options can be used). My wife uses and likes LastPass a lot for her business. I agree the newer NFC model of YubiKey would add some flexibility, although I have been able to use the YubiKey with my Android phone by connecting the YubiKey to a USB to Go adapter which was connected to my phone (Galaxy 3).

[#] Sun Jan 04 2015 15:33:50 EST from nristen

I have tried KeePass a couple of times but had difficulty using it on multiple systems (synchronizing) - at the time, I read about using Dropbox but I don't really care for Dropbox. Currently, I have a gpg-encrypted file that I store on a git server which I can pull from for any of the computers that I need to access it from.

[#] Tue Jan 06 2015 23:56:00 EST from ax25

nristen,

I have a gpg file as well for my home stuff, but will probably switch to Password Safe for that as I use it at work and it will let you do safe imports from someone else's password file and merge changes.  It gets rid of all that who changed what and when stuff by letting you decide what to delete.  Kind of a pain to have to manually decide, but when dealing with others on shared account info, I think it will work out for the best :-)



[#] Sun Jan 11 2015 07:30:06 EST from IGnatius T Foobar

When are web sites going to start letting us authenticate with a public key?!

[#] Sun Jan 11 2015 16:21:27 EST from zooer

When the government figures out how to decrypt it.

[#] Sun Jan 11 2015 18:18:41 EST from nristen

I am really excited to see where SQRL (https://www.grc.com/sqrl/sqrl.htm) authentication ends up. I have listened to several of Steve Gibson's podcasts about SQRL with Leo Laporte and really hope that it turns into a good solution.

[#] Fri Feb 13 2015 11:01:42 EST from IGnatius T Foobar

Well, after all, We Must Protect Our Children From Terrorists.

So yeah, eavesdropping everywhere, but only for the well-connected.  Yeah.  That's it.



[#] Sat Apr 25 2015 21:39:41 EDT from Sig

I haven't actually done much with the YubiKey aside from use it to prove I'm me before I can access the LastPass on a given system. I am a pretty big fan of LastPass; my wife has also started using it. Paying the 12/year for the premium version lets me use it with my tablet also, and that's how I interact with the rest of the world a good deal of the time. Worthwhile for me.

[#] Fri May 15 2015 14:55:59 EDT from Animal

Electronic billboard in Atlanta hacked. Goatse displayed.

[#] Tue May 26 2015 09:14:38 EDT from IGnatius T Foobar

An electronic billboard has not lived up to its full potential until it displays Goatse.

[#] Mon Jun 01 2015 16:12:22 EDT from Sig

I was interested to learn that the (sadly now defunct) Orion Incident Response Live CD, geared at blue team collaboration in a compromised environment, used Citadel for team communication. A SANS white paper from 2010:
http://www.sans.org/reading-room/whitepapers/incident/orion-incident-response-live-cd-33368

[#] Tue Jun 02 2015 11:35:41 EDT from IGnatius T Foobar

That is huge! How did I not know about that!

[#] Tue Jun 02 2015 21:47:26 EDT from wizard of aahz

IG - Reading through that I'm like "DAYUMMM!!!!" Is very neat.

[#] Thu Jun 04 2015 11:23:17 EDT from Sig

I took an online training module in the Protected Critical Infrastructure Information (PCII) program a few weeks ago. It was mostly pretty common-sense stuff about protecting information in the program, but had some really stupidly bad advice sprinkled in here and there. For example, when talking about how to send PCII over e-mail, if that becomes necessary, the slides instructed you to do the following (copied from a screen shot):

-Ensure the PCII document password is NOT included in the e-mail you've attached the PCII to

-Send the email

-Send the password to the protected PCII document in a separate email that uses a different subject line