Comments on: Protecting Your Passwords and Confidential Information

By: Emmanuel Carabott

Emmanuel Carabott — Wed, 16 Dec 2009 09:37:09 +0000

Ah I was missing that detail didn’t know PPP is a two factor authentication system. Yes in that case it’s pretty robust and quite an elegant solution too!

Glad you’re finding this useful, this is exactly was I hoping for too; that the articles generate discussion and ideas

By: Leandro Amore

Leandro Amore — Tue, 15 Dec 2009 16:02:16 +0000

The PPP is a two factor authentication, so you need something you know (your everyday password) and something you have (the paper with the second password). So in case that the users lost list list the attacker still needs the password for the account.

It’s great to interact with you guys, it always make me think about new ideas for my every day job

By: Emmanuel Carabott

Emmanuel Carabott — Fri, 11 Dec 2009 09:22:32 +0000

Virtual Keyboard is actually a brilliant idea, Thanks Leandro. Two Factor authentication using tokens is also a good option against key loggers, provided that whatever you do after logging in will not be confidential since a key logger will log anything that one types and not just the password.

Correct me if I am wrong but the perfect paper passwords is an implementation of the One Time Password (OTP) concept right? Where you have a number of passwords printed out and you use them sequentially? While it’s great against key loggers it might be a small security risk if someone gets access to that list. Maybe a more secure way to do it could be by simply phoning the administrator for a One Time Password whenever one needs to log on from an Internet cafe or other unsecured terminals. Still I guess if the user takes adequate precautions such as ensuring that no one is shoulder surfing him/her or that s/he is not being watched by some camera, it should be safe enough.

Again thanks for the Virtual Keyboard option, it’s actually a great idea!

By: Leandro Amore

Leandro Amore — Thu, 10 Dec 2009 22:47:42 +0000

I totally agree with you guys, some ideas to sum up to your thoughts. It’s always best to use secure connections as HTTPS and virtual keyboards when the application allows them (to prevent key logging).
If you can choose the auth method for your application there is always a good idea to use a 2 factor authentication like RSA or Tokens. There is an excellent method by Steve Wibson called PPP (Perfect Paper Passwords) which is completely free and as secure as many of the commercial solutions.

Best regards

Leandro

By: Emmanuel Carabott

Emmanuel Carabott — Thu, 10 Dec 2009 10:40:58 +0000

I completely agree with John, VPN Tunnel is a great way to mitigate the risks when connecting through a wireless connection from your own laptop while at the airport or at a hotel or any other place really. However you still need to ensure that there are no key loggers, although using your own hardware, if it’s adequately protected, the risk should be minimal.

By: John Mello

John Mello — Mon, 07 Dec 2009 15:57:18 +0000

Users concerned with security away from the home and office might want to consider using a VPN service to protect their information, including their passwords. These services offer a secure Internet connection from wherever they’re used. Encryption in VPN tunnel can vary from as low as 128 bits to as high as 2048 bits. Users should understand, though, that the higher the bit rate, the slower the connection will behave. Since these services open up the entire Internet to its clients, network administrators should carefully review any service chosen to insure that employees won’t use it to circumvent corporate policies governing Internet usage. For example, blocked sites will no longer be blocked using these services. In addition, some services offer USB thumb drive versions of their wares, which may allow some travelers to leave their laptops at home where they may be less likely to be stolen. Pricing for the services varies from $100 a year to $15 a month to $4 or $5 for shorter periods of time. Of course, if a computer is infected with keyboard logger or other such pest, not even a VPN is going to keep a user’s passwords safe.