Hi Everyone,
So Sony PSN joins the ranks of Gizmodo, Play.com, Facebook, Sky, Apple, AOL [there are many more] as leakers of our information.
What are people's thoughts on this?
It seems that more often than not our passwords and details are not safe with companies anymore, but how can we protect against this?
Although it is best practice to use different passwords for every site and to use secure passwords (i.e. a mix of numbers and letters), surely this is not practical since our heads are only capable of remembering so much. I also try to avoid trying out multiple passwords when logins fail; after all, what happens if that is logged!
What solutions exist to combat this issue? Are there any alternatives?
I think it is safe to say that if at least one of your passwords has not been leaked by now, then it is simply a matter of time. I just don't think passwords are good enough now, we need something better.
Do you mean the latest PSN Network problem? If you're talking about that:
Sony will have to repay people for stolen account info such as credit card info! It's because Sony's security was so weak that this happened!!
Now I agree that passwords are not always the best protection for us. And never use public computers to check email and stuff since most have keyloggers!
For passwords I use a really strong password using all sorts of symbols, and its meaning is not related to me nor my family... Makes it hard for people to guess.
xploz1on said:
Do you mean the latest PSN Network problem? If you're talking about that:
Sony will have to repay people for stolen account info such as credit card info! It's because Sony's security was so weak that this happened!!
Now I agree that passwords are not always the best protection for us. And never use public computers to check email and stuff since most have keyloggers!
For passwords I use a really strong password using all sorts of symbols, and its meaning is not related to me nor my family... Makes it hard for people to guess.
The problem is that no matter how strong the password is, once it is stolen it doesn't matter anymore, unless you have strong passwords for each and every site and a Rain Man brain to recall them all.
I agree about public computers; you can add to that open Wi-Fi connections and those people who think it is a great idea to keep their Wi-Fi unsecured!
I think as people have become aware of password security, they do use better passwords, but they still use them everywhere.
I know some people use apps to store their passwords, but not only is that inconvenient, what happens if your battery is flat?
For such a big problem, there must be some kind of answer.
Sony are a bit of a joke these days. To be fair, it's not definite that CC info was taken as they don't actually know, and to the best of my knowledge nobody has reported actually having been defrauded yet. Credit cards are covered by fraud protection anyway, so it would only be the inconvenience that it causes people rather than a loss of money.
PSN passwords and account info are another matter though. That should all be encrypted, and if it's not they have a lot to answer for! Also, why did it take them a week to report this problem to the account holders?
Just read this: http://www.fudzilla.com/games/item/22562-sony-now-saying-there-was-no-leak
Hi! When I read about this Sony issue I was shocked! I mean, if that happens to Sony... I think I'm not buying anything else without a virtual credit card.
Regarding passwords... I found this article in a blog the other day that recommended using long passwords with different elements, one common and one specific for every site. For example:
p4ssw0rd_fBk for Facebook, or p4ss_gM41L for Gmail... I think that's an interesting idea!
neival said:
Hi! When I read about this Sony issue I was shocked! I mean, if that happens to Sony... I think I'm not buying anything else without a virtual credit card.
Regarding passwords... I found this article in a blog the other day that recommended using long passwords with different elements, one common and one specific for every site. For example:
p4ssw0rd_fBk for Facebook, or p4ss_gM41L for Gmail... I think that's an interesting idea!
Yeah, I was thinking of something along similar lines.
I guess you have to make it slightly more than a simple combo though, or there is still a chance it could be used. It would stop most automated attacks though, which would be far better than using the same password.
A different take on using a combo of random letters/numbers is suggested here: http://www.baekdal.com/tips/password-security-usability. Interesting that "It is 10 times more secure to use "this is fun" as your password, than "J4fS<2"" even though you are using common words and you are much more likely to remember it... makes sense I suppose; there are only 128 ASCII chars but far more possible common words, so even three is enough. It goes against most password advice of using mixed case etc., but in fact it is right. Note that WPA2 talks about a pass-phrase rather than a password; you can see why now. Obviously unrelated words would be better, i.e. not using famous quotes etc., and you still have the problem of putting a unique bit in for the site itself which can't be used to access your other accounts if they get your password from somewhere else.
I think if I did use such a system it would be worth keeping note of the codes you've used (somewhere nice and safe of course) or you could end up locking yourself out of a lot of places (or at least keep track of which places you've adopted the system on).
You could also have a system so you can change your passwords periodically but still remember them, i.e. a year code or something, the first letter of your car reg perhaps.
Another thing you could do to protect your email address (since that is a prime target once your details have been lost, i.e. they now have a password (or variations to try) and a related email account to try it on) is to use email aliases (like Hotmail allows), so that the signed-up email address does not even relate to an actual real account (Hotmail just says the password is incorrect, even if you are using the correct one for the linked account!).
The only other issue is down to security questions and password reminders on sites; a password is useless if they just reset it due to a simple security question. (Does Sony have that info as part of sign-up, or is it just your email address they use for reminders? I can't remember now.)
After all, if they just need you to supply your D.O.B. or mother's maiden name and it was stored on a site which has lost its data, it is not something you can change (unless you lie of course from now on). What info would they use to verify you if you told them you've lost access to your email address? Would that info also have been included in the "lost" data from these companies?
I'm thinking of buying Password Safe from the Play Store. But I wanna make sure it's secure since I'll be entering my financial info in it. Is it worth getting?
By the looks of the permissions the app needs, it does not pose a big threat.
WRITE_EXTERNAL_STORAGE: For database storage.
BILLING: For In-App-Purchase of PasswordSafe Pro.
KILL_BACKGROUND_PROCESSES: It's needed to kill the app after restoring the database in order to apply the security patch from Google correctly.
SYSTEM_ALERT_WINDOW: This is needed to show floating window.
Thanks for the heads up.
I don't trust password apps...
KeePassDroid is great, and multi-platform
... and it's open source...
Sent from my ME173X using xda app-developers app
Agree with KeePass being the top choice. It's one of those must-have apps for me, and it's free and open source. I store more than 50 accounts on it, and haven't had a single problem so far.
Usually the app itself seems to be safe enough. But I'm much more worried about whether the database of such an app may be stolen or accidentally leaked.
I got used to password keepers on PC because I understand (more or less) what is possible and what is not in a PC OS. But I cannot imagine the Android OS internal mechanisms of encrypting, sharing etc., so I can't even think where the threat may come from... But, for example, I'm always scared when Google suggests I synchronize passwords with my account, because I'm not sure one day my account will not be hacked (perhaps just for someone's fun).
The experience of Android experts would be highly appreciated here to understand how to protect your passwords when they are kept in one basket: what to worry about and what is not a reason for panic.
Well, KeePass offers a way to include a 'passfile'. That means the actual place that stores your passwords won't open without the corresponding passfile.
Single point of failure
Perhaps the biggest problem with password keeper apps is that, if someone discovers your master password, it compromises all your accounts, even accounts that might have been unknown previously to an attacker.
Many websites now have two-factor authentication, which provides an additional layer of security, but some additional inconvenience.
KeeDroid does have the advantage that it is open source, so that it can be independently audited.
BTW, Lifehacker has a number of articles on password security, reviews of password keepers and useful links, like how to enable two-factor authentication.
I always try to opt for open source software where I can, especially when it comes to security. You get more of a trust factor that there won't be anything malicious in their software. Even with all the NSA hype, they still contributed to SELinux back in the day, which is open source and trusted. I think most anti-virus products are just closed source because they rely on that income to support the manpower and resources to keep track of all the latest threats. I know there's ClamAV, but it just sadly can't compete with Kaspersky or the like.
Keepass is my favorite password software anyway.
Tenterhook said:
Perhaps the biggest problem with password keeper apps is that, if someone discovers your master password, it compromises all your accounts, even accounts that might have been unknown previously to an attacker.
Yep, I'm at home here! I've been making that argument for years. For example, the desktop version of KeePass stores all the passwords in a nice little .kdbx file. If someone were to get infected with a thing that looks for that file extension and then uploads it back to them... All they'd have to do is run a brute force on it, a dictionary attack or the like, and all you could do is pray the password you set as your KeePass master password would hold up. It's an odd thing too. You have KeePass to make managing very complex and long passwords (stuff like zlw'W6b`qhyu"l3,U\b?UvsB!vqS3Qhh ) easier and sane. Yet I bet most people wouldn't want to type something like that for their KeePass master password each and every time they want to access their other passwords. BUT if your system is compromised to that extent, you have bigger problems anyway!
Online sites like LastPass have been compromised too at certain points in the past, so I'd rather just take the chance of having all my passwords on me.
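The keyfile mentioned earlier and the stolen-.kdbx scenario above come down to one design: the vault key is derived from the master password plus an optional keyfile through a deliberately slow KDF, so every offline guess costs a full KDF run and no guess can succeed without the keyfile. The following is an added illustration written for this thread, loosely modelled on that idea; it is not KeePass code and does not implement the KDBX format, and the scrypt parameters are constructed and set low so it runs quickly.

```python
import hashlib
import hmac
import os
import secrets
import time
from typing import Optional

# Constructed KDF parameters (assumption): kept small so the example runs in well
# under a second. A real vault uses far larger settings, or Argon2, so that one
# guess costs a noticeable fraction of a second on the attacker's hardware too.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
CHECK_LABEL = b"vault-unlock-check"   # fixed value the derived key must authenticate


def composite_key(master_password: str, keyfile: Optional[bytes]) -> bytes:
    """Fold the master password and the optional keyfile into one 32-byte secret.

    Hashing each part separately before combining means the keyfile contributes
    its full entropy regardless of how weak the typed password is.
    """
    parts = hashlib.sha256(master_password.encode("utf-8")).digest()
    if keyfile is not None:
        parts += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(parts).digest()


def derive_vault_key(composite: bytes, salt: bytes) -> bytes:
    """Slow, memory-hard stretching: this is the per-guess cost an attacker pays."""
    return hashlib.scrypt(composite, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=32)


def create_vault_header(master_password: str, keyfile: Optional[bytes] = None) -> dict:
    """What a stolen database reveals: a random salt and a check tag.

    The tag lets the app distinguish a wrong password from corrupted data, but it
    cannot be inverted; it only confirms a guess after the full KDF run.
    """
    salt = os.urandom(16)
    key = derive_vault_key(composite_key(master_password, keyfile), salt)
    tag = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return {"salt": salt, "tag": tag}


def unlock(header: dict, master_password: str, keyfile: Optional[bytes] = None) -> bool:
    """Recompute the tag from the supplied secrets and compare in constant time."""
    key = derive_vault_key(composite_key(master_password, keyfile), header["salt"])
    tag = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
    return hmac.compare_digest(tag, header["tag"])


def generate_keyfile() -> bytes:
    """A keyfile is just 256 random bits kept somewhere the database is not."""
    return secrets.token_bytes(32)


def seconds_per_guess(header: dict) -> float:
    """Time one unlock attempt: the floor on an attacker's per-guess cost."""
    start = time.perf_counter()
    unlock(header, "not-the-password")
    return time.perf_counter() - start


if __name__ == "__main__":
    keyfile = generate_keyfile()
    header = create_vault_header("correct horse battery", keyfile)
    print("right password + keyfile:", unlock(header, "correct horse battery", keyfile))
    print("right password, no keyfile:", unlock(header, "correct horse battery"))
    print("seconds per guess:", round(seconds_per_guess(header), 4))
```

The keyfile defends against exactly the "someone uploads my .kdbx" case, but only if it is stored apart from the database and its backups; a keyfile sitting next to the file in the same cloud folder adds nothing.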
Veeshush said:
I always try to opt for open source software where I can, especially when it comes to security. You get more of a trust factor that there won't be anything malicious in their software. Even with all the NSA hype, they still contributed to SELinux back in the day, which is open source and trusted. I think most anti-virus products are just closed source because they rely on that income to support the manpower and resources to keep track of all the latest threats. I know there's ClamAV, but it just sadly can't compete with Kaspersky or the like.
Keepass is my favorite password software anyway.
Yep, I'm at home here! I've been making that argument for years. For example, the desktop version of KeePass stores all the passwords in a nice little .kdbx file. If someone were to get infected with a thing that looks for that file extension and then uploads it back to them... All they'd have to do is run a brute force on it, a dictionary attack or the like, and all you could do is pray the password you set as your KeePass master password would hold up. It's an odd thing too. You have KeePass to make managing very complex and long passwords (stuff like zlw'W6b`qhyu"l3,U\b?UvsB!vqS3Qhh ) easier and sane. Yet I bet most people wouldn't want to type something like that for their KeePass master password each and every time they want to access their other passwords. BUT if your system is compromised to that extent, you have bigger problems anyway!
Online sites like LastPass have been compromised too at certain points in the past, so I'd rather just take the chance of having all my passwords on me.
I agree with you
tyler0707 said:
I agree with you
Thanks. It's kind of a relief to come across other security interested people, though I'm only just a security hobbyist at best. Some sites I've been on the user base barely keep up with the security related updates.
One cannot maintain software security as long as their hardware security can be violated. There are ways to code your data, but in the right hands there's always a way to decode your data.
Hey guys, so I live in Australia where they have just passed insane metadata laws so that all data is being recorded for two years... needless to say I'm not OK with this...
So what are my best options to get around this? When it comes to my phone's metadata, calls and texts, where should I be looking to find out how to properly obscure/mask my "digital footprint" as much as possible? There's a phone, "crackberry", which is supposed to be the benchmark for mobile anonymity, but how have they achieved this? I have a rooted S5 and am running
Alliance ROM atm. Is there a ROM more tweaked towards anonymity? If anyone could shed some light or point me in the right direction I'd appreciate it a lot. Not up to anything too sinister haha, I just find the laws disgusting and, as they say, "If a law is unjust, a man is not only right to disobey it, he is obligated to do so."
Also, I have Tor and Orbot on my phone to spoof my data and I'm going to get a VPN so the data is relatively covered, unless someone knows of a better way. The calls and texts I could use some advice on though.
Thanks heaps
It doesn't work like that...
When texting or calling someone, data is passing through telecom servers. They can capture it even if it is encrypted locally.
The best way to avoid this is to use end-to-end encryption. This means that you are sending an unreadable message that, when it arrives, the person you sent it to can decrypt and read. I know an app that does this: Telegram.
I can't confirm how secure it is, but they claim it uses AES 256-bit encryption, and to put that into perspective, if a computer can check 50 billion billion (yes, two times) passwords per second it would take it about 36122309325124079509781952686314812514160097941930872097731852458341261780105924117378890514373779296875 years to crack.
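Two numerical claims in this thread, the passphrase-versus-random-string comparison from the baekdal link earlier and the AES-256 brute-force figure just quoted, can be checked with a short calculation. This is an added example, not from any post here; the guess rate is the one quoted, while the dictionary size and character-set sizes are my assumptions. It also separates two attacker models for the passphrase, which the quoted article does not.

```python
import math

# Constructed assumptions (not from the thread).
PRINTABLE_ASCII = 95         # printable ASCII symbols a random password can draw from
LOWER_AND_SPACE = 27         # a-z plus space: the symbols "this is fun" is built from
COMMON_WORDS = 10_000        # size of the word list an attacker would try first
GUESSES_PER_SECOND = 50e18   # "50 billion billion" per second, as quoted in the thread
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(symbol_count: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from `symbol_count` choices."""
    return length * math.log2(symbol_count)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every key or password of the given entropy at `rate` guesses/s."""
    return 2.0 ** bits / rate / SECONDS_PER_YEAR


def passphrase_entropy(words: int, chars: int) -> dict:
    """Entropy of a word-based passphrase under two attacker models.

    char_bruteforce: attacker does not know it is words and tries lowercase+space strings
    dictionary:      attacker knows the scheme and combines common words
    The passphrase is only as strong as the cheaper of the two.
    """
    brute = entropy_bits(LOWER_AND_SPACE, chars)
    dictionary = entropy_bits(COMMON_WORDS, words)
    return {"char_bruteforce": brute, "dictionary": dictionary,
            "effective": min(brute, dictionary)}


def compare_thread_examples() -> dict:
    """Work the thread's two comparisons with the assumptions above."""
    random_short = entropy_bits(PRINTABLE_ASCII, len("J4fS<2"))
    phrase = passphrase_entropy(words=3, chars=len("this is fun"))
    return {
        "J4fS<2_bits": random_short,
        "this_is_fun": phrase,
        "aes256_years_at_quoted_rate": years_to_exhaust(256),
    }


if __name__ == "__main__":
    for name, value in compare_thread_examples().items():
        print(name, value)
```

Against an attacker who tries character strings the passphrase leads by about 13 bits, but against one who knows it is built from common words the two are roughly even, which is why a fourth unrelated word buys more than extra symbols. The 256-bit search comes out near 7e49 years at the quoted rate, a different number from the post's but equally out of reach.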
I believe Telegram encrypts everything EXCEPT phone calls - the arena Apple and the Feds are fighting in.
Unfortunately, Apple's iOS built-in encryption is a light-year ahead of Android encryption. This is primarily because it is a completely closed system and Apple only has to improve encryption in iOS and all new iPhones get it intact. With Android, Google has to build encryption into its new Android update. Then it sends it out to all of the myriad Android phone builders, who modify it for their specific phones, many designed to run on only a single provider's network. Then each phone builder has to send their new Android updates to every service provider. They, in turn, add their own service provider changes (like Verizon and AT&T, who add bootloader locking in a futile attempt to prevent their users from rooting their phones and putting in custom ROMs; search SafeStrap on this site for an app that provides a work-around for Verizon, AT&T, and even Amazon Fire). We need to pressure Google or one of the custom ROM developers to create voice encryption that is as unbreakable as Apple's and can be applied by anybody who roots his or her phone. C'mon developers. Here's a challenge. It's not even that hard to create an encryption routine that is, for all intents and purposes, unbreakable.
I created one years ago, designed for text only, that takes up a page and a half of either C or Java code. It can take anything from a blank password to the entire ASCII text of War and Peace. And, since it uses the password to advance a state machine before encryption begins and doesn't apply it to the cleartext, it can't be backed out of an encrypted message. Add a 64-bit configuration number and a 16-bit salt number (which increments on each character, but can be set to vary by a user-specified value every n characters) and then encrypt your cleartext using one set of pwd/numbers and re-encrypt the encrypted text using different parameters, and, with all the computers on earth working on it, it will still take far beyond the end of the universe to break by brute force. In fact, once I had used this in a client bank's system, I was required to give the NSA the source code to the algorithm (which, fortunately, will not give them ANY help on decryption {grin} ). The NSA will have to try more passes on the encrypted text than there are atoms in the universe.
You can store all of your passwords easily and safely.
Important note: All the passwords entered are recorded in the database after being coded with the most widely known 256-bit AES algorithm by a main password you are going to determine. Hence, nobody can access your data unless he knows this password, not even the person who coded the application.
- - - - - - - - -
End of password forgetting. You can store all of your passwords easily and safely in the high-security database. The PassMax Pro price is much cheaper than the other similar applications in the world. It uses a modified 256-bit AES algorithm and cracking is almost impossible.
Properties:
No subscription or registration fee. There are two versions of PassMax. Demo version is totally free but there is advertising and you can add maximum 7 records in the demo version. You can have lifetime Pro version for a very cheap price.
A high-security master password that you set at the initial start of the application; the database is created just for you.
Your master password not only opens the application but is also used to encrypt all data in your database with a powerful algorithm. That way, even if someone reaches the database on your phone, your entries absolutely cannot be read.
There are some options for a forgotten main password. These are: password reminder, and security question and answer. You can also change your main password, security question and answer afterwards.
Decoding encrypted information is almost impossible.
You can store all kinds of confidential data in a secure manner. In the private database created by PassMax there are categories: website membership, credit cards, bank accounts. You can also create your own categories and store all kinds of confidential data in a secure manner.
In the other password / data category, you can create a completely free-form record yourself and specify the data header.
When you add records, the record date and update date are automatically assigned and stored in the database. Thus, you can notice someone else's intervention as soon as possible.
PassMax is designed to run automatically in your device's language. Otherwise, language selection is available only in English and Turkish at the moment.
PassMax does not send any data to the cloud, to avoid vulnerability.
PassMax runs very fast with an optimized algorithm implementation; its 7,600-line source code is presented for your use for any test.
Uses a smart code structure to minimize user faults.
If the main password is entered incorrectly three times in a row, the "forgot my password" option and security questions come in. If the user does not give the right security answer, the application closes itself. A similar process is in place in the password change section.
A one-touch locking option, instead of turning off when not in use, is available.
And where, app?
glkty said:
And where, app?
play.google.com/store/apps/details?id=xmaxsoft.passmax
xmaxsoft,
so better:
https://play.google.com/store/apps/details?id=xmaxsoft.passmax
Please add a promo video to the store page.
No download link, thread closed.
The proposed software program would root, wipe, and install upon an older-version Android phone to create a
Bitcoin Hand-Held Portable Crypto Currency Address Generator and Offline Cold Wallet Storage Device
(Screenshot goes here, but new members under 10 posts can't post links)
The Crypto Currency Address Generator
The proposed "Open Source" software project would root, wipe, and install its software on an older Android phone, making a hand-held, portable, simple offline device and crippling the previous device's hardware so it is no longer capable of transmitting data except through the screen display.
The user, with this newly created device and programming, now generates offline BTC wallet addresses complete with private keys. The user with previously acquired BTC can then transfer their funds from an online exchange, website, ATM, personal one-on-one transaction, etc. into cold storage through the device onto small, secure, encrypted backup SD cards. The user can also quickly perform transfers to online exchanges from said SD card backups using said portable device as well. This device has been designed entirely with the end user's security, privacy and ease of use in mind.
The Open Source Software Description: the user first generates random addresses with the new, totally offline cold storage device
(Screenshot goes here, but new members under 10 posts can't post links)
Created addresses are then stored in a hierarchical file system on an SD card. The Cold Storage Device on the left shows a list of generated Bitcoin addresses; the Generator on the right shows the filing system of folders they are stored in.
(Screenshot goes here, but new members under 10 posts can't post links)
Addresses, after being created offline, can then be converted to paper wallet format later to be printed on an offline printer, if the user so wishes, via an SD card file.
(Screenshot goes here, but new members under 10 posts can't post links)
Also, the user can take pictures with the pre-existing device's offline camera for paper wallet image and background creation; software for paper wallets could also include templates and themes.
Previous Personal Use and Further Description
In my Bitcoin adventures using this device, I have never needed to use a PC or laptop to create or share any of my BTC or ETH addresses.
I have never used a PC or laptop to place Bitcoin in total offline cold storage. In my entire blockchain experience I have never had to find or use a PC or laptop. This new device is totally hand-held, portable and stand-alone when used in tandem with the user's cell phone.
Concerning security: in order to stop prior hardware data transmission of the original device, the software program proposed would be a simple first Linux-based root access of the older Android phone to erase its programming, then a following basic install in which the final new software program has no awareness of the existing hardware's data transmitting capabilities. Open source is needed to protect this device's security in this manner.
Further description:
A simple, very basic Linux GUI would also be necessary to help the user for the best ease of use while the program manages the file system and background processes such as spreadsheets for bookkeeping, tax records and ledger books on the SD card, if the user so desired. If the user does not need these applications they can opt out.
This GUI would be very simple and basic when compared to a full-blown Linux PC distro, and designed solely for crypto currency storage, printing and online transfer from the proposed device.
A product model has been built, used, and beta tested for over a month and a half now. Its progress has been recorded on the BTC and ETH blockchains themselves. It can securely generate and store BTC and ETH addresses offline flawlessly and securely so far to date without any need of a PC.
After generating and storing addresses, the device can easily access multiple online exchanges to transfer funds to and from cold storage SD cards via the device's "airgapped" camera/scanner and QR screen display. It works cross-platform with most exchanges in this manner without the need for proprietary online software integration.
If anyone in the open source community would like to take this project on and would like input from a beta-user level, I would love to help out in a small way on this proposed project. I can see some details that would be nice which I haven't mentioned, and some ideas that would help the user with security and ease of use. I do not code, but have been solely using Linux as a PC laptop operating system since 1998, and have somehow put this device together using Android apps and open source software, and then used it extensively.
Why Linux
I'm not sure, but I heard Android phones have a Linux kernel and you can gain root access to its software. This is a great help in security, as Linux itself is known for user security.
Why open source
Because of the user confidence in knowing what's inside it for their personal security and privacy, and also so the individual user can modify its entire programming through innovation to suit their own personal needs for private, portable, offline storage.
(Screenshot goes here, but new members under 10 posts can't post links)
Brent L. McNealy. I am looking for a team of programmers and developers to help this become a reality, thank you.
Thread Closed.
13. Advertising and Income Generation
Commercial advertising, advertising referral links, pay-per-click links, all forms of crypto-mining and other income generating methods are forbidden. Do not use XDA-Developers as a means to make money.
Thanks
SacredDeviL666
Forum Moderator.