Wednesday, January 30, 2008
Managing Passwords
Our discussion so far has focused specifically on Windows logon passwords. Indeed, a user's logon password is one of the most important to protect because with it comes access to all the user's certificates, network resources, and Internet passwords as well as access to a local computer and its resources. In other words, if your logon password is compromised, a malicious user instantly has access to virtually all the same resources that are normally yours alone.

However, passwords (sometimes in combination with a user name, sometimes not) are also used to control access to all kinds of information: network resources, Web sites, online accounts, subscription-based data. The list goes on and on.

The cardinal rules of effective passwords—use a strong password and change it frequently—make entering and keeping track of your password for each account hard enough. But another commonly espoused rule—use a different password for each account—exponentially compounds the difficulty of managing passwords. The reason for this rule, of course, is simple: If you use the same password for all your accounts and it is compromised, the person who has your password has access to all your protected information. Rather than advocating strict adherence to this rule, however, we suggest a more manageable three-level approach:

Use a secure password for your Windows logon and for any Web site or account that stores valuable financial or personal information. This would include bank and brokerage accounts, for example. These passwords should follow all the rules for strong passwords detailed earlier in this chapter. Use a separate secure password for each account.
Use a private password for accounts on sites where you shop or have a paid subscription. This password should be relatively strong, but because your personal financial well-being and privacy are not at risk if it's cracked, you don't need to go overboard. (The worst that can happen? Someone sees your shopping history or freeloads off your paid subscription.) You can reuse this password on any site that uses a secure server.
Use a throwaway password for any of the numerous sites that force you to register and log on but retain no personally identifiable or valuable information. Reuse this password for all such sites.
This approach still forces you to keep track of a whole collection of passwords. Avoid the temptation to write them all down and stick them to your monitor! You should also avoid keeping the passwords in an unencrypted file of any type. If someone manages to find the file on your computer (or finds the floppy disk with the file's backup copy), you're in trouble.

A no-cost solution is to keep a master list of all your passwords in a text file (or other document type if you prefer) and encrypt the file. Keep a copy of the file in a secure location away from your computer. (If you use the built-in Encrypting File System to encrypt the file, remember that the file is automatically decrypted when you—but not another user who finds the file on your hard drive—copy the file to a floppy disk. Therefore, if you use a floppy disk or other removable medium to store the backup copy, keep it under lock and key.) A better solution is to use one of the many free or low-cost password-management programs. For example, with Password Corral, a terrific free program from Cygnus Productions, you store a list of user name/password combinations along with descriptive notes, and it scrambles the list using 128-bit encryption. You unlock the list with a master password of your choosing. (You definitely want a strong one here.) As shown in Figure 3-12, this program optionally encrypts the on-screen display to prevent passersby from stealing your passwords.
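The encrypted master list described above, as an added example that is not Password Corral's code or file format: the master password is stretched with PBKDF2, the list is encrypted with an HMAC-SHA256 counter-mode keystream (standard library only, so no AES) and sealed with an integrity tag, so a wrong master password or an edited file is rejected instead of yielding garbage. The file layout and iteration count are choices made here.

```python
"""Password-protected master list: PBKDF2 key stretching, HMAC-CTR
encryption and an encrypt-then-MAC tag. Illustrative layout, not
Password Corral's format."""
import hashlib
import hmac
import secrets
import struct
from typing import Optional, Tuple

KDF_ITERATIONS = 600_000  # chosen here; tune so one unlock takes ~0.5 s


def _derive_keys(master: str, salt: bytes) -> Tuple[bytes, bytes]:
    # One slow PBKDF2 call, split into an encryption key and a MAC key.
    material = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                                   KDF_ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 used as a PRF over (nonce || counter) gives a keystream.
    blocks = [hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_list(master: str, plaintext: bytes) -> bytes:
    # File layout: salt(16) | nonce(16) | tag(32) | ciphertext
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(master, salt)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def decrypt_list(master: str, blob: bytes) -> Optional[bytes]:
    # Check the tag before decrypting: wrong master password or tampering -> None.
    salt, nonce, tag, ciphertext = blob[:16], blob[16:32], blob[32:64], blob[64:]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


# Constructed sample list (not real credentials).
SAMPLE = b"bank.example\tjdoe\tCorrect-Horse-Battery-7\nshop.example\tjdoe\tprivate-pw\n"

if __name__ == "__main__":
    blob = encrypt_list("my strong master passphrase", SAMPLE)
    print(decrypt_list("my strong master passphrase", blob) == SAMPLE)  # True
    print(decrypt_list("wrong guess", blob))  # None
```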

TIP
--------------------------------------------------------------------------------

Use Stored User Names And Passwords in Windows XP Professional

Windows XP has a feature called Stored User Names And Passwords that helps to manage logon credentials for various resources, such as a shared folder in an untrusted domain or a Web site that requires a password or certificate. When you attempt to connect to such a resource, Windows offers the logon credentials for that resource as saved in Stored User Names And Passwords. Only if that fails (either because the credentials are invalid or because you haven't previously saved credentials for the resource) does Windows prompt you to enter your user name and password. For this reason, users of computers running Windows XP face far fewer logon prompts than users of Windows 2000, which does not have a comparable credentials manager. By safely storing as part of a user profile the logon credentials for other domains, Web sites, and workgroup computers, Windows XP users approach the goal of a single sign-on experience.

Note that Stored User Names And Passwords offers logon credentials only to target computers that use an integrated authentication package, such as NTLM, Kerberos, or Secure Sockets Layer (SSL). Therefore, it works with Web sites that use SSL, but not with sites that require you to enter a credential through other means. Stored User Names And Passwords also works with Passport.

You can save credentials in Stored User Names And Passwords in either of two ways: Select the Remember My Password check box in the logon dialog box, or enter credentials manually into Stored User Names And Passwords.

To manage your stored credentials, open Stored User Names And Passwords, as follows: If your computer is not joined to a domain, in Control Panel open User Accounts, select your account, and then click Manage My Network Passwords (in the task pane). If your computer is joined to a domain, in Control Panel open User Accounts, click the Advanced tab, and click Manage Passwords. In the Stored User Names And Passwords dialog box, you can add, delete, or review credentials for various resources.

If you use Windows XP Home Edition, you can't add credentials (you can only delete or review credentials that Windows has added automatically) or store logon credentials for domain resources; the primary use of Stored User Names And Passwords in Home Edition is for Passport credentials.


Figure 3-12. Password Corral optionally encrypts the on-screen display of user names and passwords so they can't be gleaned by passersby.
A Web search for "password management" turns up a number of good programs. Here are two that we've tried and recommend:

Password Corral, from Cygnus Productions (http://www.cygnusproductions.com/freeware/pc.asp)
Passphrase Keeper, by Boris Zibrat (http://www.passphrasekeeper.com/)
