HP3000-L Archives

April 2014, Week 2

HP3000-L@RAVEN.UTC.EDU

Subject:
From: "Bahrs, Art" <[log in to unmask]>
Reply To: Bahrs, Art
Date: Mon, 14 Apr 2014 15:43:19 +0000

Hi Stan and All :)
    Stan is ABSOLUTELY correct on this one!

   Pick your "password vault" program/app of choice... but NEVER EVER NOT EVEN ONCE (did I mention never?) use a service that stores your password for you!!!

   These are services ... and they are run by humans... the same species as the ones who are stealing identities.... So, they may or may not be honest... they may or may not decide to take a look at what you store with them.... Google is under lawsuit for "data mining" student emails in an educational environment they were hosting... (see URL below)  Also, remember .... Security types like me at a lot of companies block password services from working!  LastPass is deliberately blocked at our sites.

   Some things to look for in selecting how to secure your passwords and such:
      - Solid encryption (at least AES-256)
      - Allows you to use a passphrase with special characters to secure the data (i.e., the password you enter to open the app)
      - Does NOT autocorrect your spelling on the password fields (some do :( )
      - Allows for some method of securely backing up your data (i.e., passwords)

   Some things that are niceties:
      - Allows for hard copy print out
         - You need to have a copy of all passwords in your safety deposit box for your estate to make use of after your end...
      - Allow for migration/porting to a new device
      - Multi-platform support
         - So when you switch from iPhone to Android to Windows to ?? you don't have to re-enter things...

   Also, remember to come up with a way to remember the password you set up for this password vault app!!! (forgetting it is a real bummer, hehehe)

   The only control of your data is when it is physically under your physical control.

   Please note that even paper in your home is not totally secure... Some identity thieves do burglary as well...

    http://www.theguardian.com/technology/2014/mar/19/google-lawsuit-email-scanning-student-data-apps-education

Art "maybe quill and ink wasn't so bad after all?" Bahrs

Art Bahrs, CISSP
Security Engineer (Oregon Region)
(971) 282-0927

-----Original Message-----
From: HP-3000 Systems Discussion [mailto:[log in to unmask]] On Behalf Of Stan Sieler
Sent: Sunday, April 13, 2014 12:40 PM
To: [log in to unmask]
Subject: Re: OT OpenSSL-1.0.1 Heartbeat exploit named heartbleed

Re:
> Lastpass.com
>
> You have one master password and it will generate high entropy passwords.
> They are encrypted locally and stored at lastpass.com.

I don't want *any* computer outside my control to have my passwords, encrypted or not!

That's why I was a happy SplashID user for years (Palm, iOS, Mac, Windows, Android, and others) ...
I could share my password locker (database) between my devices, and there was absolutely *NO* moving of my data to a server in the cloud (or anywhere else outside my control).

Then they went and screwed it up with their version 7, which unconditionally loads stuff to the cloud.  I'm on version 6.2, and have to constantly tell my iPhone and iPad "no, don't do an 'update all'", and manually update my other iOS apps.  At least on Android, I can install what I want *and* I can turn off auto-update for selected apps.

Other options:

   1password

      Although it allows for syncing via the cloud, it also supports local-only sync,
      so you can keep your data private.

   keepass

      No cloud, no worry.
      And, it's open source!

Both support iOS, Mac, Windows, and Android.  (keepass supports a few more)

Stan

* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *

