Thanks forcing us to get new and better passwords!
Thread poster: Vito Smolej

Vito Smolej
Germany
Local time: 01:50
Member (2004)
English to Slovenian
+ ...
Jul 24, 2009

I saw this coming for some time and can just say thank you - it is a normal procedure in any environment, concerned about security of its members.

I would suggest actually, that members be required to change their pwds on a regular basis. That would keep it all desinfected and clean and out of reach for all kinds of jerks looking for fast and easy kills (let me just say "No pasaran!").

Regards and, dear staff, thanks for taking care of us

Vito


Direct link Reply with quote
 

Samuel Murray  Identity Verified
Netherlands
Local time: 01:50
Member (2006)
English to Afrikaans
+ ...
How to deal with passwords Jul 24, 2009

Vito Smolej wrote:
I would suggest actually, that members be required to change their pwds on a regular basis.


I find it counter productive to meddle with people's password habits. If you force password habits onto people, you often only force them to save it in text files on their desktops. So there's actually less security in the end. I'd rather have a system that respects my password habit than one that forces me to deal with passwords in a way that I can't remember and have to write down.


Direct link Reply with quote
 
Aniello Scognamiglio  Identity Verified
Germany
Local time: 01:50
English to German
+ ...
Ten Password Myths Jul 24, 2009

Myth #1: My Password Hashes Are Safe When Using NTLMv2
Myth #2. Dj#wP3M$c is a Great Password
Myth #3. 14 Characters is the Optimal Password Length
Myth #4. J0hn99 is a Good Password
Myth #5. Eventually Any Password Can Be Cracked
Myth #6. Passwords Should be Changed Every 30 Days
Myth #7. You Should Never Write Down Your Password
Myth #8: Passwords Cannot Include Spaces
Myth #9: Always Use Passfilt.dll
Myth #10: Use ALT+255 for the Strongest Possible Password

http://www.securityfocus.com/infocus/1554


Direct link Reply with quote
 

Katalin Horváth McClure  Identity Verified
United States
Local time: 19:50
Member (2002)
English to Hungarian
+ ...
Writing down passwords - not a major problem Jul 24, 2009

It seems that there is a general belief that writing down passwords are dangerous for some reason and are a no-no.
(EDIT: I wrote this before Aniello posted his Myth List.)
I agree, there are situations, such as if you are the systems admin in a company, then it may not be smart to write your main password on a piece of paper and leave it on your desk, but for us, most of the time there is nothing wrong with writing down passwords.
(You can lock your desk drawer if you want, that keeps nosy kids away.)
I am not talking about writing your on-line banking password on your ATM/credit card, that would be stupid. Equally stupid is to store your passwords in a Word document on your computer - and of course, call it "Passwords.doc".

The risk of passwords being stolen is not posed by people coming to my office and search for that piece of paper, but rather hackers on-line trying to capture or guess my password. So, I, for one, would rather have a strong password and several layers of security, even if it means more complicated passwords that are hard to remember (meaning: I have to make a note of them somewhere).

Two of my banks now require two different ways of authentication for login - one of them is using a password then an image key, the other uses two different passwords, one must be typed on the PC keyboard, the other is entered using the mouse on a virtual keyboard. My husband has an account with yet another financial institution where they use a similar login procedure, except that the virtual keyboard is random (the order of the keys). That may be taking it a little too far, but I guess you get the point.

I am not saying ProZ should apply security measures like the banks, but it would be good to take it up a notch. Login and registration procedures could be updated, more effective spam monitoring, etc. I am sure most of these things are on the "to do list", and I hope they will be implemented.

Thank you for requiring better passwords.
Katalin

[Edited at 2009-07-24 20:11 GMT]


Direct link Reply with quote
 

Tina Vonhof  Identity Verified
Canada
Local time: 17:50
Member (2006)
Dutch to English
+ ...
Mercy Jul 24, 2009

Have mercy on us golden oldies - I can only remember one password at a time! The only way I can handle more is by translating into another language.

Direct link Reply with quote
 

Neil Coffey  Identity Verified
United Kingdom
Local time: 00:50
French to English
+ ...
Store passwords in an *encrypted* file Jul 24, 2009

In general, if you can easily remember your password, it's probably not secure enough.

A good compromise is to:
(a) save your user names/passwords in a text file
(b) put that text file inside an "encrypted volume", encrypted with one single fairly secure password that you DO remember.

What's an "encrypted volume"? There are various programs (Google for something called "TrueCrypt", for example) that essentially allow you to create an ecnrypted file that can then act as a mini "disk drive": you can save files to it, edit files on it, copy them to/from it etc.

I've just said that if you can remember your password it's not secure enough, and then said you need one single, memorable password. Well, one solution to this is to make your one memorable password a fairly long pass PHRASE. For example, make up some sentence of English (or whatever language) that is reasonably easy to remember because it sounds ridiculous. The more unusual sequences of letters the password has, the better. Throwing in unusual symbols can help, but to some extent can be compensated for with a longer pass phrase (rough guide: 1 unusual symbol = 3 letters).

If your pass phrase consists literally of words of a natural language, then it should ideally be as close to 50 characters long as possible (I won't bore people with the maths, but with current technology, that is reckoned to protect your data for about 30 years). If you make your pass phrase 25 characters long, it is currently "just out of reach" of somebody prepared to spend a modest amount of money to crack your password. A pass phrase 10 characters long would typically be crackable in a few seconds/minutes on any modern laptop.


Direct link Reply with quote
 

Claudia Alvis  Identity Verified
Peru
Local time: 19:50
Member
Spanish
+ ...
Myths that I believed! Jul 24, 2009

Aniello Scognamiglio wrote:

Myth #1: My Password Hashes Are Safe When Using NTLMv2
Myth #2. Dj#wP3M$c is a Great Password
Myth #3. 14 Characters is the Optimal Password Length
Myth #4. J0hn99 is a Good Password
Myth #5. Eventually Any Password Can Be Cracked
Myth #6. Passwords Should be Changed Every 30 Days
Myth #7. You Should Never Write Down Your Password
Myth #8: Passwords Cannot Include Spaces
Myth #9: Always Use Passfilt.dll
Myth #10: Use ALT+255 for the Strongest Possible Password

http://www.securityfocus.com/infocus/1554


Thank you for the link Aniello, I firmly believed in many of those myths and the ones I didn't believed in I just don't understand (what is NTLMv2 anyway?).


Direct link Reply with quote
 

Samuel Murray  Identity Verified
Netherlands
Local time: 01:50
Member (2006)
English to Afrikaans
+ ...
Not a myth anymore Jul 25, 2009

Aniello Scognamiglio wrote:
Myth #7. You Should Never Write Down Your Password


I think this rule applies to offices with chained down computers. Laptops are more popular among thieves and you're also more likely to lose it.


Direct link Reply with quote
 

Heinrich Pesch  Identity Verified
Finland
Local time: 02:50
Member (2003)
Finnish to German
+ ...
Why password security? Jul 25, 2009

On most locations I use one and only password since ages. I really don't mind if someone would crack it and start writing on my behalf in these fora or somewhere else. It has never happened so far.
Where money is involved, I use the identification system of my bank.
So why passwords are so important?

Regards
Heinrich


Direct link Reply with quote
 

Vito Smolej
Germany
Local time: 01:50
Member (2004)
English to Slovenian
+ ...
TOPIC STARTER
that's what I have been doing for some time now Jul 25, 2009


(a) save your user names/passwords in a text file
(b) put that text file inside an "encrypted volume", encrypted with one single fairly secure password that you DO remember.

What's an "encrypted volume"? There are various programs (Google for something called "TrueCrypt", for example) that essentially allow you to create an ecnrypted file that can then act as a mini "disk drive": you can save files to it, edit files on it, copy them


A trueCrypt drive plus Keypass (instead of a) residing in the truecrypt drive.

I have been feeling reasonably safe(r) since and on top of it, if anything happens, I can prove due-dilligence (same as ProZ due to the action I have applauded).

[Edited at 2009-07-25 11:20 GMT]


Direct link Reply with quote
 

Neil Coffey  Identity Verified
United Kingdom
Local time: 00:50
French to English
+ ...
You have to find the balance Jul 25, 2009

Heinrich --

In general every security measure makes it more difficult for you to do your job. Using the password "football" for every single web site you register with would make your life much much much easier on a day to day basis, and it's quite possible that you are lucky and nobody ever targets any of your accounts and guesses this password. And even if they did, it may be that the criminal has a look through your e-mails, sees no credit card numbers or other interesting information to them, and simply goes away without doing any tangible damage.

So you need to assess what degree of risk you're prepared to tolerate in exchange for making your day-to-day life easier. If you're informed of the dangers and still, on reflection, decide to just keep a single, simple password for all your accounts, then you're free to make that choice. Only you can decide where the risk/usability tradeoff lies for you.

There are also some security risks that you simply can't fix. For example, if you have an e-mail account with a public provider such as gmail, hotmail etc, you accept the risk that there are employees at those organisations who, if they so wished, could read any e-mail of any user at any time. If you have your medical records stored in a centralised computers system, you accept the risk that there are people who could read any person's medical records at any time they wished. If you have a bank account, you accept that there are bank employees who could read the details of any customer's bank account at any time they wished. Overall, we accept this risk because the convenience of having a gmail account or bank account, or the possibility of a doctor saving your life one day, outweighs the risks associated with access to your data by the occasional rogue employee.

Neil


Direct link Reply with quote
 

Jack Doughty  Identity Verified
United Kingdom
Local time: 00:50
Member (2000)
Russian to English
+ ...
Forcing us to use new passwords? Jul 25, 2009

How does this manifest itself? No-one has tried to make me change my password yet.
Generally speaking, I would never thank anyone for forcing me to do anything.


Direct link Reply with quote
 

Ralf Lemster  Identity Verified
Germany
Local time: 01:50
English to German
+ ...
Process not working properly Jul 26, 2009

As far as I can see, you're forced to set up a new password if you were logged out in between. Trouble is, the system fails to recognise whether you changed your password recently - as a result, all those who heeded Henry's advice to change their password are now forced to do it again (thanks, folkZ!).

Adding a further twist, the system then sends a confirmation e-mail with a link requesting to confirm the password - which then triggers an error message ("There is no record of a New Password Request with that ID.").

Sounds like another development that wasn't properly tested, I'm afraid. I'm not impressed.

Ralf


Direct link Reply with quote
 


To report site rules violations or get help, contact a site moderator:


You can also contact site staff by submitting a support request »

Thanks forcing us to get new and better passwords!

Advanced search






TM-Town
Manage your TMs and Terms ... and boost your translation business

Are you ready for something fresh in the industry? TM-Town is a unique new site for you -- the freelance translator -- to store, manage and share translation memories (TMs) and glossaries...and potentially meet new clients on the basis of your prior work.

More info »
SDL Trados Studio 2017 Freelance
The leading translation software used by over 250,000 translators.

SDL Trados Studio 2017 helps translators increase translation productivity whilst ensuring quality. Combining translation memory, terminology management and machine translation in one simple and easy-to-use environment.

More info »



Forums
  • All of ProZ.com
  • Term search
  • Jobs
  • Forums
  • Multiple search