Blog: password

I was helping out with a customer’s Active Directory migration and a different IT support group used a profile migration tool to help “ease” the transition between domains. But soon after the users started complaining that IE was not allowing them to save passwords. They would get prompted to store the credentials for a website and click yes, but as soon as they closed and reopened IE their stored credentials would disappear. Our suspicion was that the profile migration tool had corrupted the credential store in the registry.

I started a remote session with one of the users, checked the IE password store in the registry (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2), and saw several of the user’s old entries. In order to allow the user to store passwords again, I had to delete this registry key, reopen IE, and save credentials for a website. Once I clicked “yes” to the prompt to save credentials, the registry key was automatically recreated and the credentials got stored.

A review of more than 200,000 4-digit PINs used on mobile phones revealed the following as the most common (in order):

1. 1234 (used by more than 4% of the sample group)<
2. 0000
3. 2580 (straight down the middle of the keypad)<
4. 1111
5. 5555
6. 5683 (spells LOVE)
7. 0852 (straight up the middle of the keypad)
8. 2222
9. 1212
10. 1998

The 10 most frequently used PINs represent more than 14% of the total sampled.  Thus, with this distribution of PINs, you have a 1 in 7 chance of guessing the correct one in 10 tries. [more]

Years are always popular when coming up with a 4-digit PIN (see number 10 above).  So, birth year, graduation year, etc. would also be a good guess if these are known

Regardless, it's a very good idea to recommend people NOT use these particular PINs (at least the first 9 plus predictable years).

We probably all have many accounts set up on many web sites.  Since it is a very bad practice to use the same password on more that one site,  I have used Password Safe for years for keeping up with accounts and passwords.  I have recently switched to using Lastpass.  Lastpass has a very long list of features.  Here are a few of the features:

• Automatic form filling, like Roboform
• One click login - click on the site, it brings it up and logs on for you
• Synchronizes everywhere - Windows, Mac, Linux, IE, Firefox, Chrome, Safari, iPhone, iPad, Android, Blackberry, Windows Mobile, even Symbian and Palm
• Generates strong, secure passwords
• Stores miscellaneous notes

Another great feature is a program called pocket.  This stand alone program will download your entire database and save it locally.  It will also decrypt it and export it to a CSV file.  This means if Lastpass ever goes away, you still have all your data which can be accessed or imported into another password manager.

The best feature is how it stores your data.  Everything is encrypted and decrypted locally and the Lastpass servers never have your key or unencrypted data.  The encryption part of the software is very simple.  It just uses a SHA256 hash of your email address (account) and master password for the encryption key. [more]

This is all free, except the mobile versions require a premium account which costs $12 per year.  There is a 14 day free trial of the mobile versions.

In an attempt to be fair, here are some other password managers.  You may prefer one of these over LastPass, which is what I use and recommend.  I used Password Safe for many years, but it is not multi-platform and there is no synchronization between machines.  KeePass is another nice one, but I have never used it.  Both of these are open source on sourceforge.

Here is a list of some online password managers, with some brief comments about why I did not choose each one (except for the AGPL license).  My "online only" comment means you must access the web site in order to use the passwords stored there.

• www.agatra.com (no longer supported)
• www.needmypassword.com (web site out of date, misspellings and grammatical errors, online only)
• www.passlet.com (cert expired, beta software, online only)
• www.passpack.com (designed for sharing passwords, subscription priced on number of passwords and shared users, online only)
• www.spyshakers.com (mainly designed for privacy, requires more setup, online only)
• www.shibbo.com (either online only or purchase a portable app, does not seem to be maintained - web site from May 2007 said software on usb pendrive "soon available!" and it still says that today, based in Spain, web site not tls encrypted)
• www.clipperz.com (online only, seems to beta, main web site not tls encrypted, most of the source is AGPL v3)

We've had issues with cached credentials not updating when a user’s password expires while he or she is away from the office. The only connection into the network is through terminal services (non-VPN) and the password is changed on the terminal server.  The problem is that the cached credentials on the user’s laptop are not updated, even after the user connects via VPN for a while.  Here is the easiest way I've found to force cached credentials to update to the new password.  While connected via VPN, have the user lock their laptop (Win+L) and then unlock the laptop using the new password. This procedure forces the laptop to check in with the domain controller and authenticate using the new password.

Thousands of Windows Live accounts have been compromised with their passwords posted online.  This information was posted on the Windows Live blog at http://windowslivewire.spaces.live.com/blog/cns!2F7EB29B42641D59!41528.entry.  This is unfortunate, but is another example of why one should not use the same password in more than one place.

The blog post states that these were compromised by phishing attempts.  Microsoft has taken measures to block access to all of the accounts that were exposed. However, if you have an account, I would suggest you change the password and secret answer right away just to be safe.

Cisco devices will ignore leading spaces when entering passwords, but spaces after the first text character are considered valid.  This includes trailing spaces, so if you have a device that will no longer accept your login after changing the password, try adding a space at the end.