Pocket GPS World :: View topic - Important Customer Security Announcement

Important Customer Security Announcement
253
Lifetime Member


Joined: Mar 05, 2007
Posts: 1058
Location: The green bit between the M40, M4 and M25.

Posted: Fri Nov 22, 2013 9:09 am

Paul, where have you been all these years?

You should have a regular spot discussing Internet security and the options available.
Having said that, you probably already have your hands full Smile
_________________
Triumph Tbird 1700. And now a Bonnie T100.
PaulMoore2013
Occasional Visitor


Joined: Nov 06, 2013
Posts: 12
Location: 1

Posted: Fri Nov 22, 2013 7:21 pm

Smile Thanks

The blog is my outlet for this type of discussion really... but I am starting interactive meetings soon. Cool
_________________
1
DennisN
Tired Old Man


Joined: Feb 27, 2006
Posts: 14901
Location: Keynsham

Posted: Fri Nov 22, 2013 8:57 pm

OK. I've reached Step 1. Bouncing I have a good password on my WI-FI router - a phrase 48 characters long, garbled by a mis-spelled word, a grammatical error and six uppercase letters. For 1password, I'd only use it with the misspelling and stick with all lowercase - I think 48 characters should be enough and I think I was rather over-enthusiastic with the other customisations! (and I can never remember which are the uppercase letters - guess what? I of course have it written down on a piece of paper tucked away in a drawer!!).

So, when I want to use 1password, do I have to type that in every time?

So, having arrived at step 2, do I buy a copy of 1password for every device (I'm going to abandon the Win laptop and the older MacBook Pro, leaving me with only desktop iMac, MacBook Pro, iPad and iPhone) do I buy 4 copies of 1password? Or just one to cover all 4 iOS devices?

When I've done step 2, I'll come back to ask about step 3, which is so far as clear as mud. Confused
_________________
Dennis

If it tastes good - it's fattening.

Two of them are obesiting!!
PaulMoore2013
Occasional Visitor


Joined: Nov 06, 2013
Posts: 12
Location: 1

Posted: Fri Nov 22, 2013 11:39 pm

Sorry Dennis, just realised you'd replied.

The fact you've used the password on another device is reason enough to change it completely, especially when the original is a WiFi router... which frequently stores them in plain text.

Don't get too caught up with length; concentrate on entropy (randomness) first. For example, a password of "ihatechoosingpasswords" is longer than "iH8Ch0os1ngP.w0rds" but considerably weaker.

You not only need a mixture of upper & lower case alphanumerics, special chars and numbers, but it must also be long enough (8-12 minimum) to sufficiently slow attempts to break it. Writing it down isn't ideal either Razz

How often you need to type your 1Password master password depends on your usage. I typically login twice a day... once when I arrive at work and once after lunch. While the machine is active, 1Password keeps you logged in unless you specifically logout (if you leave your desk for example). Logging in to sites throughout the day is simply a case of hitting the CTRL + \ shortcut.

1Password's licenses are on a per user, per platform basis. So if there's only you, and you only use Mac/iOS... you only need to buy 1 license.

Step 3...

1Password will work perfectly well on a single device (single silo). If you work from several devices, the chances are you're going to want to use your 1Password data elsewhere (multi silo). To do so, you can sync your data manually using a USB stick, or automatically using one of the many cloud storage services (Dropbox, Google Drive etc). If you intend to use Dropbox, install that first. During 1Password setup, it'll ask you if you want to use Dropbox to store your data. It takes care of the rest.

When you come to install Dropbox on your other devices, 1Password detects the existence of a 1Password keychain in Dropbox and uses it automatically.

Speak again at #6 ;)
_________________
1
M8TJT
The Other Tired Old Man


Joined: Apr 04, 2006
Posts: 10118
Location: Bexhill, South Sussex, UK

Posted: Fri Nov 22, 2013 11:51 pm

DennisN wrote:
So, when I want to use 1password, do I have to type that in every time?
Only if you use your ridiculously long password that you have on your router as your master password on your password manager.

I use RoboForm and on that you can choose whether to master password your passwords. For instance I can logon to PGPSW without entering my master password by the merest click of a button when the logon screen appears, but have to enter my master password when logging on to my bank etc. Once you have logged into RF, it stays logged in for a user definable time, so you don't have to keep entering the master password.

RoboForm does work on Android devices but not as transparently as on my Windows machines. If you go for RoboForm Anywhere, you can have as many copies of RF as you have devices, and sync them all to your master password repository held on the RF secure server that you need to enter your master password to access. All your passwords are kept and used locally on your device and synced to the master database as and when necessary.

@PaulMoore Any thoughts of the pros and cons of RF v 1Password?
PaulMoore2013
Occasional Visitor


Joined: Nov 06, 2013
Posts: 12
Location: 1

Posted: Sat Nov 23, 2013 12:24 am

That's a topic in itself M8TJT Smile

Long story short though...

RoboForm isn't bad, but it can't be compared with 1Password (AgileBits should really be paying me to promote them this much! Laughing )

1. They actively use the term "military grade encryption" - which makes me cringe. The military spend billions on encryption & enterprise-grade security. The suggestion that a cheap, consumer-grade app affords you similar protection is misleading... not to mention dangerous. The same applies to 1Password too, which is why they do not mention military grade in the marketing literature.

2. Both apps use PBKDF2, a key stretching process which bolsters security of even short & weak keys. Back in 2000 when PBKDF2 was released, the recommended MINIMUM was 1000 iterations (loops through the process). Moore's law (PCs double their computational power every 2 years) and countless other risks mean today, PBKDF2 now needs at least 8,000-10,000 iterations to offer a similar level of protection as 1000 iterations in year 2000. 1Password uses 10,000. Roboform still uses 1000.

3. Roboform (similar to LastPass in this respect) also claims not to be able to access your data under any circumstances, because they don't store your master password.

Whilst that's true, the authentication process is handled by the same domain where your data resides. That worries me. If they're hacked, or even have a rogue employee, a single snippet of JavaScript placed on the login page would very easily allow the master password to be intercepted. 1Password wins here too, as you control the storage silos... not a 3rd-party. Even if you decide to use Dropbox to store your 1Password keychain, the authentication process is handled offline... massively reducing the risk. Forget comparing 1Password to Roboform for a moment... encrypted data is at its safest when it's furthest away from the key required to decrypt it. Putting them both in the same location is simply asking for trouble.

4. The "secure" web site isn't as secure as you'd hope. I can't go into specifics, but I wouldn't trust it.

Not exactly a short answer, but it's a difficult topic ;)
_________________
1
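The iteration counts discussed in the post above (1000 versus 10,000) can be compared directly. This is an added example, not code from the thread or from either product; the salt, the candidate count of 10**8 and the guessing rate of 10**9 PRF calls per second are assumed figures chosen for illustration.

```python
import hashlib
import time

# Iteration counts quoted in the post above.
ITERATIONS_1000 = 1_000
ITERATIONS_10000 = 10_000


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


def seconds_per_derivation(iterations: int, rounds: int = 10) -> float:
    """Average wall-clock cost of one derivation on this machine."""
    salt = b"constructed-salt"  # constructed sample value
    start = time.perf_counter()
    for i in range(rounds):
        derive_key(f"candidate-{i}", salt, iterations)
    return (time.perf_counter() - start) / rounds


def seconds_to_exhaust(keyspace: int, prf_calls_per_sec: int, iterations: int) -> float:
    """Worst-case time to try every candidate in `keyspace`.

    Each guess costs `iterations` PRF calls, so the guess rate is the
    assumed raw PRF rate divided by the iteration count.
    """
    return keyspace * iterations / prf_calls_per_sec


if __name__ == "__main__":
    for n in (ITERATIONS_1000, ITERATIONS_10000):
        print(f"{n:>6} iterations: {seconds_per_derivation(n) * 1000:.2f} ms per derivation here")
    # Assumed figures: 10**8 candidate passwords, 10**9 PRF calls/s available for guessing.
    for n in (ITERATIONS_1000, ITERATIONS_10000):
        print(f"{n:>6} iterations: {seconds_to_exhaust(10**8, 10**9, n):.0f} s to exhaust")
```

The stretch multiplies the cost of every guess by the iteration count, so it adds a fixed factor on top of whatever entropy the master password already has.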
M8TJT
The Other Tired Old Man


Joined: Apr 04, 2006
Posts: 10118
Location: Bexhill, South Sussex, UK

Posted: Sun Nov 24, 2013 12:32 pm

Thanks for that Paul. Sorry about the delay in responding. Most interesting.
I am having a bit of a problem understanding this
Quote:
1. 1Password wins here too, as you control the storage silos... not a 3rd-party.

2. Even if you decide to use Dropbox to store your 1Password keychain, the authentication process is handled offline... massively reducing the risk. Forget comparing 1Password to Roboform for a moment... encrypted data is at its safest when it's furthest away from the key required to decrypt it. Putting them both in the same location is simply asking for trouble.
1. Presumably 'storage silo' means where your encrypted data is located. In the case of RF, it's on their server but in the case of 1P it's wherever you want it to be, possibly dropbox?

2. '1Password keychain'?
Once you have access to the data location, presumably via your master password, where is the actual decryption of the data done? How does that work?
Thanks for your time.
PaulMoore2013
Occasional Visitor


Joined: Nov 06, 2013
Posts: 12
Location: 1

Posted: Sun Nov 24, 2013 1:55 pm

Sorry, I haven't explained that very well.

1Password, regardless of where you choose to sync your data (storage silos), always handles decryption offline... ie the master key never leaves your PC in any format (plain, encrypted, hashed or otherwise).

It doesn't matter if you run a single silo on your own PC or choose to sync with Dropbox, the data resides on and is processed by your PC/device.

In theory, the encrypted keychain can be stored anywhere quite safely... as it can only be decrypted with the master key.

Reading Roboform's FAQs...

"your encrypted Passcard will be downloaded in encrypted form to your computer and decryption will be performed on your computer."

They, like LastPass, say that because the process is handled offline (it's actually done in the browser), not even RoboForm/LastPass can access your data. That's true for 1Password, as the entire application resides on your PC, and is therefore covered by local permissions, firewalls etc. Roboform Everywhere/LastPass on the other hand, it's not quite that simple.

Once you're in a browser environment, you're instantly at greater risk. As I mentioned earlier, RoboForm doesn't collect/store the master key because it was designed that way. If it can be designed not to collect it, it can just as easily be re-designed/re-written TO collect it. A single line of JavaScript injected by a careless developer, a rogue employee or a hacker means the next time you enter your master key, it can be collected and stored elsewhere.

As I mentioned in the article... the key, on its own, is useless. The encrypted data, on its own, is useless. Put the two together and it's as safe as plain text.
_________________
1
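The local-decryption model described in the post above, sketched as an added example that is not 1Password's or RoboForm's code or file format. The function names and the `sync_silo` dict are hypothetical, the sample values are constructed, and the HMAC-SHA256 counter keystream is a stand-in for a real cipher such as AES so the block runs on the standard library alone.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 10_000  # PBKDF2 count the thread quotes for 1Password


def _keys(master_password: str, salt: bytes):
    """Derive separate encryption and MAC keys on the local device."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, ITERATIONS)
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())


def _xor_keystream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher: XOR with an HMAC-SHA256 counter-mode keystream."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal(master_password: str, plaintext: bytes) -> dict:
    """Encrypt locally; the returned blob is all the sync silo ever holds."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(master_password, salt)
    ct = _xor_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ciphertext": ct.hex(), "tag": tag}


def unseal(master_password: str, blob: dict) -> bytes:
    """Decrypt locally after checking the tag; raises on a wrong key or tampering."""
    salt, nonce, ct = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ciphertext"))
    enc_key, mac_key = _keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, blob["tag"]):
        raise ValueError("wrong master password or modified blob")
    return _xor_keystream(enc_key, nonce, ct)


# Constructed sample: this dict plays the role of the Dropbox folder.
sync_silo = {"keychain": json.dumps(seal("constructed master phrase", b"bank: hunter2"))}
```

The silo holds only the salt, nonce, ciphertext and tag; the master password and the derived keys exist only inside `seal` and `unseal` on the device that runs them.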