Putting confidential data on web

Discussion in 'Computer Security' started by Piotr Makley, Apr 2, 2004.

  1. Piotr Makley

    Piotr Makley Guest

    I want to put my master password file (which is a Word document)
    onto my website.

    The idea is that I can pull this document down from any PC and then
    use the data.

    Of course I need this to be as secure as practicably possible.

    What is the best way of password protecting the files?

    I heard that the passwords used in some forms of Zip compression
    (eg. Winzip) can be extremely hard to crack if mixed case and
    special characters are used. Perhaps I could create a "password"
    using the opening sentence from a favorite novel or something like
    that?

    Thank you for any advice.
     
    Piotr Makley, Apr 2, 2004
    #1

  2. Samjack

    Samjack Guest

    Don't put it on there unless you use something more concrete like PGP
    encrypting the file with a nice long passphrase.

    "Piotr Makley" <> wrote in message
    news:94BF893EA742E31E75@130.133.1.4...
    > I want to put my master password file (which is a Word document)
    > onto my website.
    >
    > The idea is that I can pull this document down from any PC and then
    > use the data.
    >
    > Of course I need this to be as secure as practicably possible.
    >
    > What is the best way of password protecting the files?
    >
    > I heard that the passwords used in some forms of Zip compression
    > (eg. Winzip) can be extremely hard to crack if mixed case and
    > special characters are used. Perhaps I could create a "password"
    > using the opening sentence from a favorite novel or something like
    > that?
    >
    > Thank you for any advice.
     
    Samjack, Apr 2, 2004
    #2

  3. kulm_nd

    kulm_nd Guest

    I used to use a product that created a password-protected file with up to
    160-bit encryption (Blowfish?) but I would look for a product that uses
    256-bit encryption these days. Your password/phrase choice is the most
    important. Make sure you use at least the lowest password standard of 8
    characters with upper and lower case letters, at least 1 number and at
    least 1 symbol (and not a real word found in the dictionary).
    --

    ************************************************

    g-w


    "Piotr Makley" <> wrote in message
    news:94BF893EA742E31E75@130.133.1.4...
    > I want to put my master password file (which is a Word document)
    > onto my website.
    >
    > The idea is that I can pull this document down from any PC and then
    > use the data.
    >
    > Of course I need this to be as secure as practicably possible.
    >
    > What is the best way of password protecting the files?
    >
    > I heard that the passwords used in some forms of Zip compression
    > (eg. Winzip) can be extremely hard to crack if mixed case and
    > special characters are used. Perhaps I could create a "password"
    > using the opening sentence from a favorite novel or something like
    > that?
    >
    > Thank you for any advice.
     
    kulm_nd, Apr 2, 2004
    #3
  4. In article <94BF893EA742E31E75@130.133.1.4>,
    Piotr Makley <> wrote:
    >I want to put my master password file (which is a Word document)
    >onto my website.

    ...
    >I heard that the passwords used in some forms of Zip compression
    >(eg. Winzip) can be extremely hard to crack if mixed case and
    >special characters are used. Perhaps I could create a "password"

    ...

    You heard wrong.

    You should at least password-protect the web site itself: that way, if
    someone doesn't have the right password, they can't even get the bits
    of the document to play with.

    And yes, they can attempt to guess the web site password, but they
    will leave log entries behind and it's slow: check with your web site
    manager, but most systems put a time delay in to reduce the attempt
    rate to a few per second.

    If they can download the file and play with it themselves, they can
    guess millions per second.

    Craig
     
    Craig A. Finseth, Apr 2, 2004
    #4
  5. "Piotr Makley" <> wrote in message
    news:94BF893EA742E31E75@130.133.1.4...
    > I want to put my master password file (which is a Word document)
    > onto my website.
    >
    > The idea is that I can pull this document down from any PC and then
    > use the data.
    >
    > Of course I need this to be as secure as practicably possible.
    >
    > What is the best way of password protecting the files?


    Ideally, by storing them on some password-protected device and keeping it in
    your pocket!

    An old Palm Pilot would do the trick. Or a USB key if you can guarantee that
    a compatible machine will *always* be available. (Which you usually can't -
    everything will work just fine, until you *really* need that password ;o)

    Of course, I'm ignoring the whole argument as to why you should never, ever,
    have access to someone's password (except to blindly reset it).

    --

    Hairy One Kenobi

    Disclaimer: the opinions expressed in this opinion do not necessarily
    reflect the opinions of the highly-opinionated person expressing the opinion
    in the first place. So there!
     
    Hairy One Kenobi, Apr 2, 2004
    #5
  6. Voyager

    Voyager Guest

    On Fri, 02 Apr 2004 13:29:30 +0100, Piotr Makley wrote:

    > I heard that the passwords used in some forms of Zip compression
    > (eg. Winzip) can be extremely hard to crack if mixed case and
    > special characters are used. Perhaps I could create a "password"
    > using the opening sentence from a favorite novel or something like
    > that?


    WinZip 9 introduced the use of 128 and 256-bit key AES encryption. Unless
    there is a flaw in the WinZip implementation, this should make WinZip 9
    encrypted archives effectively unbreakable.

    However -- if it were me -- I would use PGP.

    --
    Voyager
    Webmaster: http://www.hackfaq.org
     
    Voyager, Apr 2, 2004
    #6
  7. johns

    johns Guest

    You've got to be kidding? If you are the type who
    can't remember passwds, or keep a physical copy
    with you, then you will simply not take care with
    any encryption program either. And rather than take
    a chance that the janitor might "find" your dropped
    card and throw it away, you'd rather let 10 million
    computer guys have a crack at it??? There is a web
    site where you can download a passwd cracker
    that tries several million combos a second. Average
    time to crack any passwd is about 3 minutes.

    johns
     
    johns, Apr 2, 2004
    #7
  8. Alan Connor

    Alan Connor Guest

    On Fri, 02 Apr 2004 18:46:27 GMT, Voyager <> wrote:
    >
    >
    > On Fri, 02 Apr 2004 13:29:30 +0100, Piotr Makley wrote:
    >
    >> I heard that the passwords used in some forms of Zip compression
    >> (eg. Winzip) can be extremely hard to crack if mixed case and
    >> special characters are used. Perhaps I could create a "password"
    >> using the opening sentence from a favorite novel or something like
    >> that?

    >
    > WinZip 9 introduced the use of 128 and 256-bit key AES encryption. Unless
    > there is a flaw in the WinZip implementation, this should make WinZip 9
    > encrypted archives effectively unbreakable.
    >
    > However -- if it were me -- I would use PGP.
    >


    If it were me, I'd send it by 'old-fashioned' mail. Anyone who doesn't assume
    that anything they send on the Internet (other than data encrypted with OTPs)
    can be read, is a fool.

    AC
     
    Alan Connor, Apr 2, 2004
    #8
  9. johns wrote:

    > There is a web
    > site where you can download a passwd cracker
    > that tries several million combos a second. Average
    > time to crack any passwd is about 3 minutes.


    OTOH, it took over 300 000 persons almost five years to crack RC5-64.

    Follow-ups narrowed.

    Thor

    --
    http://thorweb.anta.net/
     
    Thor Kottelin, Apr 2, 2004
    #9
  10. Jim Watt

    Jim Watt Guest

    On Fri, 2 Apr 2004 11:48:30 -0800, "johns" <>
    wrote:

    >There is a web
    >site where you can download a passwd cracker
    >that tries several million combos a second. Average
    >time to crack any passwd is about 3 minutes.


    That's a pretty meaningless statement.

    If the website only allows a limited number of
    attempts before locking out an IP for a time
    delay, it's not going to work. Nor is it going
    to get 'several million responses' per second
    anyway.

    In a real world test, I had a modem with a
    password. It had no time delay or lockout
    on entering password attempts. It took a
    week of sustained brute forcing to crack it
    and the password was only five characters.

    However, going back to the original question,
    confidential data and the Internet: maybe if
    you have a secure server in a secure environment
    with strong password protection.



    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Apr 2, 2004
    #10
  11. Arthur T.

    Arthur T. Guest

    In Message-ID:<94BF893EA742E31E75@130.133.1.4>,
    Piotr Makley <> wrote:

    >I want to put my master password file (which is a Word document)
    >onto my website.
    ><snip>
    >What is the best way of password protecting the files?


    I agree with those who say, "Don't do it." You're taking
    your most sensitive file and putting it where any defect in the
    encryption will let anyone have it.

    I'd suggest writing them down and carrying them with you.
    If you're sufficiently worried about the list getting lost, use a
    bit of steganography (e.g. make them look like names, addresses,
    and phone numbers, and keep them mixed in with your real address
    book.)

    One thing I haven't seen mentioned is cleanup. You're on a
    friend's computer and decrypt your web-based file. How do you
    get the decrypted file securely erased? How about the swap file?
    How do you know there are no key loggers? (Even if your friend
    wouldn't do that, maybe the FBI is investigating him.) If you're
    on a public access computer, cleanup is probably impossible, and
    key loggers might be more likely.

    If, despite all of these drawbacks, you do decide to put it
    out on the web, use something like PGP. For Win machines, you
    can create a self-decrypting archive - an executable which
    requires a passphrase. You don't need to depend on any
    particular software being on the machine you're working from.

    --
    Arthur T. - If address is munged, reply to: ar23hur "at" pobox "dot" com
     
    Arthur T., Apr 3, 2004
    #11
  12. Piotr Makley

    Piotr Makley Guest

    "johns" <> wrote:

    > You've got to be kidding ? If you are the type who
    > can't remember passwds,


    There is far too much data to remember (server names, etc).

    > or keep a physical copy
    > with you,


    I think it comes to about 20 pages.

    > then you will simply not take care with
    > any encryption program either. And rather than take
    > a chance that the janitor might "find" your dropped
    > card and throw it away, you'd rather let 10 million
    > computer guys have a crack at it ???


    That is why I posted to ask if there was a secure way of encrypting
    it.

    > There is a web
    > site where you can download a passwd cracker
    > that tries several million combos a second. Average
    > time to crack any passwd is about 3 minutes.


    ANY password? What about PGP or stuff like that? Surely they take
    longer than 3 minutes!
     
    Piotr Makley, Apr 3, 2004
    #12
  13. Piotr Makley

    Piotr Makley Guest

    Arthur T. <> wrote:

    > I agree with those who say, "Don't do it." You're taking
    > your most sensitive file and putting it where any defect in the
    > encryption will let anyone have it.
    >
    > I'd suggest writing them down and carrying them with you.
    > If you're sufficiently worried about the list getting lost, use a
    > bit of steganography (e.g. make them look like names, addresses,
    > and phone numbers, and keep them mixed in with your real address
    > book.)
    >
    > One thing I haven't seen mentioned is cleanup. You're on a
    > friend's computer and decrypt your web-based file. How do you
    > get the decrypted file securely erased? How about the swap file?
    > How do you know there are no key loggers? (Even if your friend
    > wouldn't do that, maybe the FBI is investigating him.) If you're
    > on a public access computer, cleanup is probably impossible, and
    > key loggers might be more likely.



    You make an important point about cleanup. I was hoping that some
    of the security applications took this into account.


    > If, despite all of these drawbacks, you do decide to put it
    > out on the web, use something like PGP. For Win machines, you
    > can create a self-decrypting archive - an executable which
    > requires a passphrase. You don't need to depend on any
    > particular software being on the machine you're working from.


    Following the warnings on this thread, I fear that that may not be
    secure enough. What do you think?
     
    Piotr Makley, Apr 3, 2004
    #13
  14. Guest

    Piotr Makley <> wrote:
    > I want to put my master password file (which is a Word document)
    > onto my website.


    > The idea is that I can pull this document down from any PC and then
    > use the data.


    > Of course I need this to be as secure as practicably possible.


    > What is the best way of password protecting the files?


    > I heard that the passwords used in some forms of Zip compression
    > (eg. Winzip) can be extremely hard to crack if mixed case and
    > special characters are used. Perhaps I could create a "password"
    > using the opening sentence from a favorite novel or something like
    > that?


    > Thank you for any advice.


    How about using a USB memory stick, containing a filesystem
    with the info.

    Could be plugged into most computers and fits in your pocket.


    --
    Peter Håkanson
    IPSec Sverige ( At Gothenburg Riverside )
    Sorry about my e-mail address, but I'm trying to keep spam out,
    remove "icke-reklam" if you feel for mailing me. Thanx.
     
    , Apr 3, 2004
    #14
  15. Piotr Makley

    Piotr Makley Guest

    wrote:

    > Piotr Makley <> wrote:
    >> I want to put my master password file (which is a Word
    >> document) onto my website.

    >
    >> The idea is that I can pull this document down from any PC
    >> and then use the data.

    >
    >> Of course I need this to be as secure as practicably
    >> possible.

    >
    >> What is the best way of password protecting the files?

    >
    >> I heard that the passwords used in some forms of Zip
    >> compression (eg. Winzip) can be extremely hard to crack if
    >> mixed case and special characters are used. Perhaps I could
    >> create a "password" using the opening sentence from a
    >> favorite novel or something like that?

    >
    >> Thank you for any advice.

    >
    > How about using an USB-memory stick, containing a filesystem
    > with the info.
    >
    > Could be plugged into most computers and fits in your pocket.
    >



    Unfortunately one PC I often visit does not have USB ports. So
    this won't work.

    Otherwise I like the idea.
     
    Piotr Makley, Apr 4, 2004
    #15
  16. Arthur T.

    Arthur T. Guest

    In Message-ID:<94C160CBA819231E75@130.133.1.4>,
    Piotr Makley <> wrote:

    > wrote:
    >
    >> Piotr Makley <> wrote:
    >>> I want to put my master password file (which is a Word
    >>> document) onto my website.

    >>

    <snip>
    >> How about using an USB-memory stick, containing a filesystem
    >> with the info.
    >>
    >> Could be plugged into most computers and fits in your pocket.
    >>

    >
    >
    >Unfortunately one PC I often visit does not have USB ports. So
    >this won't work.
    >
    >Otherwise I like the idea.


    Less compact but more universal (and much cheaper):
    How about floppy and/or CD (or CD-RW). I can't think of any
    Windows machine that couldn't read one or the other.

    In either case, you could keep it encrypted (SDA) and
    decrypt *to a floppy* whenever you needed it. That obviates half
    of the cleanup problem. To reduce the rest of the cleanup
    problem, use plain text instead of WORD format. The floppy would
    contain two programs: The SDA of your password file and a secure
    wiping program to get rid of the plaintext decryption when you're
    done with it.

    I still think paper is a better alternative, though. *No*
    cleanup on someone else's computer. *No* having to run an
    executable on someone else's computer (would you want someone
    executing a program on *your* computer?).
    --
    Arthur T. - If address is munged, reply to: ar23hur "at" pobox "dot" com
     
    Arthur T., Apr 4, 2004
    #16
  17. Jim Watt

    Jim Watt Guest

    On Sun, 04 Apr 2004 13:25:57 -0400, Arthur T. <>
    wrote:

    > Less compact but more universal (and much cheaper):
    >How about floppy and/or CD (or CD-RW). I can't think of any
    >Windows machine that couldn't read one or the other.


    I can, lots of them. And floppy drives do have a habit
    of eating disks.
    --
    Jim Watt
    http://www.gibnet.com
     
    Jim Watt, Apr 4, 2004
    #17
  18. Voyager wrote:
    > On Fri, 02 Apr 2004 13:29:30 +0100, Piotr Makley wrote:
    >>I heard that the passwords used in some forms of Zip compression
    >>(eg. Winzip) can be extremely hard to crack if mixed case and
    >>special characters are used. Perhaps I could create a "password"
    >>using the opening sentence from a favorite novel or something like
    >>that?

    >
    > WinZip 9 introduced the use of 128 and 256-bit key AES encryption. Unless
    > there is a flaw in the WinZip implementation, this should make WinZip 9
    > encrypted archives effectively unbreakable.
    >
    > However -- if it were me -- I would use PGP.


    The method used by WinZip 9 (<http://www.winzip.com/aes_info.htm>) to derive
    a key from the password is not computationally intensive. For PGP it is
    (RFC 2440 section 3.6.1.3 is the method used by most PGP implementations).
    So for any given way of choosing passwords, PGP should be more secure
    against a dictionary attack.

    The security of the OP's computer is likely to be a weaker link, though -
    especially since his newsreader is Outlook Express.

    David Hopwood <>
     
    David Hopwood, Apr 4, 2004
    #18
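As an added example (not code from the thread, and not taken from any PGP or WinZip product), here is the iterated and salted S2K of RFC 2440 section 3.6.1.3 that David Hopwood points to, with the simple S2K of section 3.6.1.1 beside it as the cheap baseline so the per-guess cost can be compared. The passphrases, salt and count octet used are constructed values.

```python
import hashlib


def s2k_decode_count(c: int) -> int:
    """Decode the one-octet coded count of RFC 2440 section 3.6.1.3 into the
    number of octets to hash: (16 + low nibble) << (high nibble + 6),
    which ranges from 1024 (c = 0x00) to 65011712 (c = 0xFF)."""
    return (16 + (c & 15)) << ((c >> 4) + 6)


def s2k_octets_hashed(passphrase: bytes, salt: bytes, c: int) -> int:
    """Octets fed to the hash per derived digest, i.e. the per-guess work:
    the decoded count, except that salt||passphrase is always hashed in
    full at least once even when it is longer than the count."""
    return max(s2k_decode_count(c), len(salt) + len(passphrase))


def _feed_repeated(h, block: bytes, count: int) -> None:
    # Feed block over and over until count octets have gone into h; the
    # last copy may be truncated. A block longer than count goes in whole.
    if count <= len(block):
        h.update(block)
        return
    full, rem = divmod(count, len(block))
    for _ in range(full):
        h.update(block)
    h.update(block[:rem])


def _expand(key_len: int, hash_name: str, fill) -> bytes:
    # Shared by both S2K forms: keys longer than one digest use extra hash
    # contexts, each preloaded with one more zero octet than the previous
    # one before the same input is hashed (RFC 2440 section 3.6.1.1).
    digest_size = hashlib.new(hash_name).digest_size
    key = b""
    for i in range((key_len + digest_size - 1) // digest_size):
        h = hashlib.new(hash_name)
        h.update(b"\x00" * i)
        fill(h)
        key += h.digest()
    return key[:key_len]


def s2k_simple(passphrase: bytes, key_len: int, hash_name: str = "sha1") -> bytes:
    """Simple S2K (RFC 2440 section 3.6.1.1): one unsalted hash of the
    passphrase. The cheap baseline: a guess costs a single short hash."""
    return _expand(key_len, hash_name, lambda h: h.update(passphrase))


def s2k_iterated_salted(passphrase: bytes, salt: bytes, c: int,
                        key_len: int, hash_name: str = "sha1") -> bytes:
    """Iterated and salted S2K (RFC 2440 section 3.6.1.3): hash the 8-octet
    salt followed by the passphrase, repeated until the decoded count of
    octets has been consumed. The salt defeats precomputed dictionaries;
    the count makes every offline guess cost that many hashed octets."""
    if len(salt) != 8:
        raise ValueError("S2K salt is exactly 8 octets")
    count = s2k_decode_count(c)
    block = salt + passphrase
    return _expand(key_len, hash_name, lambda h: _feed_repeated(h, block, count))


if __name__ == "__main__":
    # Constructed values: not a real passphrase, salt or key.
    salt, pw = bytes(range(8)), b"constructed passphrase"
    for c in (0x00, 0x60):
        print(hex(c), s2k_octets_hashed(pw, salt, c), "octets per guess,",
              s2k_iterated_salted(pw, salt, c, 16).hex())
```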
  19. zenner

    zenner Guest

    The outdated concept of having multiple backups comes to mind.
    "Jim Watt" <_way> wrote in message
    news:...
    > On Sun, 04 Apr 2004 13:25:57 -0400, Arthur T. <>
    > wrote:
    >
    > > Less compact but more universal (and much cheaper):
    > >How about floppy and/or CD (or CD-RW). I can't think of any
    > >Windows machine that couldn't read one or the other.

    >
    > I can, lots of them. And floppy drives do have a habit
    > of eating disks.
    > --
    > Jim Watt
    > http://www.gibnet.com



     
    zenner, Apr 5, 2004
    #19
  20. Ford Prefect

    Ford Prefect Guest

    Piotr Makley wrote:
    > I want to put my master password file (which is a Word document)
    > onto my website.


    One of the dumbest things I've ever heard anyone suggest...

    > The idea is that I can pull this document down from any PC and then
    > use the data.


    For what? If you need to get at the data from anywhere, burn it to a
    CD and carry it in your pocket...

    ...but why would you even need to carry a master password list around
    anyways?

    > Of course I need this to be as secure as practicably possible.
    >
    > What is the best way of password protecting the files?
    >
    > I heard that the passwords used in some forms of Zip compression
    > (eg. Winzip) can be extremely hard to crack if mixed case and
    > special characters are used.


    You mean are extremely EASY to crack....

    > Perhaps I could create a "password"
    > using the opening sentence from a favorite novel or something like
    > that?


    Regardless of what password or phrase you use, why are you even
    thinking of putting a master password list onto the web????

    > Thank you for any advice.
     
    Ford Prefect, Apr 5, 2004
    #20
