Here's what a real security breach looks like
sidney
April 16th, 2010, 08:05 PM
I'll bet that davidh in particular will be interested in this.
I recently got an email that was sent out to everyone with a login on one of the Apache Software Foundation's bug tracking systems warning us to change our password on the system and anywhere else that we are using the same login name and password. Someone had compromised their system, collecting passwords from anyone who logged in to one of the systems over possibly three days, and grabbing a copy of the password hash files for a later offline attempt at finding the passwords.
The Apache Software Foundation is a non-profit foundation that develops Free software through open source projects with volunteer developers. ASF projects include the Apache Httpd (web server) software that powers most of the world's web servers, and include some of the enterprise scale Java application servers that run many of the world's large business systems. I happen to be a developer on the Project Management Committee of the Apache SpamAssassin project, which produces the world's most popular open source spam filtering software, used by millions of ISPs, organizations, and individuals.
Compromising the ASF infrastructure could potentially have huge impact. Imagine if someone managed to get an unnoticed backdoor into the software that powers most web servers. That's a nightmare scenario that already has to be addressed given that it is an open source project that can have code submitted by anyone. The ASF infrastructure group is very high power and their security setup is very sophisticated.
The philosophy of openness practiced by the ASF means that their report on the breach gives a more complete account than we would normally get from news media versions of exploits that involved closed-mouth proprietary organizations.
Apache.org incident report for 04/09/2010 (http://blogs.apache.org/infra/date/20100413)
Judy G. Russell
April 16th, 2010, 11:12 PM
Yikes. That's downright scary.
ndebord
April 17th, 2010, 12:09 AM
Sidney,
Tangentially:
So what does this mean for those of us who have been out there on the web since DOS days? I no longer even remember some of the passwords I've used over the years. Should I get something like KeePassx?
And run around and change everything I can get my hands on?
sidney
April 17th, 2010, 03:45 PM
Should I get something like KeePassx?
And run around and change everything I can get my hands on?
I hesitate to give advice that I don't follow, but this breach has pointed out to me that I need to think more carefully about how I choose what password I will reuse where. I have a few passwords I use based roughly on how important I think the use is, for example "high security" password for banks and credit card related things, low security for a forum membership where I have no admin rights and perhaps identified only in a pseudonym, etc.
But this has led me to think about what places I use a password also match up with an email address I use elsewhere with the same password, or lead to my real identity that leads to a known email address I use that leads to a place I use the same password. If one site is cracked and gives away my password, will the attacker know of other places to try the same password?
It also brings home the fact that any site, no matter how good its security, can get cracked some time and end up capturing passwords.
So, yes, it is a good idea to try to think of a way that is practical for you to have different passwords at some number of different sites. But I still have to think through what I am willing to actually do to accomplish that.
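As an added illustration of the reuse question Sidney raises above (this is not code from the thread or from any project named in it): a small audit over one's own password-manager CSV export, assuming a constructed three-column site/login/password layout, that shows which other sites a single site's breach opens up and whether the attacker would still need to learn the login name first.

```python
import csv
from collections import defaultdict

# Constructed sample password-manager CSV export (made-up sites and credentials).
SAMPLE_EXPORT = """site,login,password
bank.example,sidney,B4nk-pw!
cards.example,sidney,B4nk-pw!
forum.example,sid_pseudonym,forum-pw-1
tracker.example,sidney@example.com,forum-pw-1
mail.example,sidney@example.com,forum-pw-1
blog.example,sidney@example.com,forum-pw-1
wiki.example,other_handle,unique-pw-9
"""

def load_entries(csv_text):
    """Parse the export into (site, login, password) tuples."""
    reader = csv.DictReader(csv_text.splitlines())
    return [(r["site"], r["login"], r["password"]) for r in reader]

def reuse_report(entries):
    """For each site whose password is used elsewhere, list the other sites an attacker
    reaches after capturing that site's credentials: 'same_login' sites accept the captured
    pair as-is (credential stuffing), 'other_login' sites need the login name guessed too."""
    by_password = defaultdict(list)
    for site, login, password in entries:
        by_password[password].append((site, login))
    report = {}
    for uses in by_password.values():
        if len(uses) < 2:
            continue  # unique password: a breach there exposes only that one site
        for site, login in uses:
            same = sorted(s for s, l in uses if s != site and l == login)
            other = sorted(s for s, l in uses if s != site and l != login)
            report[site] = {"same_login": same, "other_login": other}
    return report

def summarize(entries):
    """Headline counts: distinct passwords, passwords shared across sites, and sites that
    fall to plain credential stuffing once any other site in their cluster leaks."""
    counts = defaultdict(int)
    for _, _, password in entries:
        counts[password] += 1
    report = reuse_report(entries)
    return {
        "distinct_passwords": len(counts),
        "reused_passwords": sum(1 for n in counts.values() if n > 1),
        "sites_sharing_a_password": len(report),
        "sites_open_to_credential_stuffing": sum(1 for r in report.values() if r["same_login"]),
    }
```

Run it against a real export and the `other_login` lists are the places where only an unrelated login name stands between a forum-tier leak and a higher-tier account.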
ndebord
April 18th, 2010, 10:31 AM
Sidney,
Well I took a modest first step that I probably should have implemented years ago. Using the Master Password feature of FireFox.
P.S. Took a second step, open to revision. I installed Password Safe v3.21, the portable version in my browser's folder (C:\program files\k-meleon\Password safe), with a hotkey and imported passwords from FireFox. This is open source stuff and looks promising. It's still early on.
Mike
April 19th, 2010, 01:20 AM
I installed Password Safe v3.21...
I've been using Password Safe for several years, and I've been very happy with it. I didn't realize it's been updated--off to download now!
I have a different password for every site, and even my login ID isn't especially consistent. I think that someone's obtaining my login to one site won't help.
ndebord
April 19th, 2010, 06:26 PM
Mike,
Good to know. After seeing Sidney's post, it jogged my memory that I needed to do something with my chaotic (at best) password handling. I've been trying and discarding lots of stuff since then and only arrived at Password Safe by accident and it was better than the other choices. Still don't have a real handle on using it, but that will come with time.
Thanks! :-)
Mike
April 20th, 2010, 03:29 AM
...arrived at Password Safe by accident and it was better than the other choices. Still don't have a real handle on using it, but that will come with time.
I found it invaluable within a matter of hours.
I love the ability to add a URL to the entry, so that I can key Ctrl+L to go to the site (rather than sifting through bookmarks to find the right place), and then press a key to autotype the entry into the login fields.
A hint: the default key in Password Safe to autotype the user ID/password is Ctrl+T. However, a bug^H^H^Hfeature introduced about six months ago, on older, but recent versions of Password Safe meant that the Ctrl+<key> combination quit working. Fortunately, Password Safe allows the user to change the key combination, and I changed it to '='.
That non-shifted key works just fine, and it's great to go to a web page that requires logging in, ensure the cursor is in the user ID field (fortunately, most sites' Javascript takes care of that), and key '=' to log in automatically, with a package that's portable.
ndebord
April 20th, 2010, 09:38 AM
Mike,
Thanks much. I'll play with it tomorrow when I have time. Meanwhile, I've loaded it up on a hotkey in K-Meleon so I can take it with me on a usb flash drive.
ndebord
April 21st, 2010, 09:16 AM
I found it invaluable within a matter of hours.
Mike,
I'm beginning to really like this thing. Got a couple more questions for you, if you don't mind.
I use FireFox as my backup browser and it has all my passwords. There is an extension called password exporter that I just loaded up there and it exports to either XML or CSV. However, when I try and import into Password Safe, it fails with an error message on XML and nothing seems to happen when I choose CSV (which is really just a text file with commas).
Have you tried to use import with it?
Tks.
XP PRO SP3, FF 3.5.9
ndebord
April 22nd, 2010, 05:08 PM
Mike,
Hmmm... Autotype, eh? I have been using the right click and pick an option routine. Beginner choices probably!
Non-shifted key. Haven't seen that option, will have to try it next.
So far my impression is very positive. This is better than KeePass and Password Manager (sp?) and for that matter RoboForm.
P.S. One of the KM guys put together a macro to use the Password Exporter Extension in FireFox with K-Meleon. As that exporter doesn't natively create a txt or csv file that PasswordSafe can handle, he made the macro modify the exported file to a format that it could read. So now I have 52 passwords safely imported into PasswordSafe and I'm pretty darn happy. More to learn, but it is working out very nicely, very nicely indeed.
Tks!
P.P.S. That non-shifted key thingee is really, really good!
Mike
April 26th, 2010, 03:41 AM
It looks to me like you did get all the passwords imported, Nick? Sorry I haven't been here for a few days. Life is getting so busy! It'll be like this for a couple more months... <sigh>
ndebord
April 26th, 2010, 08:35 PM
Mike,
It looks to me like you did get all the passwords imported, Nick?
Yes I did... as Password Exporter did not use a format that Password Safe recognized in CSV or XML, "disrupted" ported Password Exporter to K-Meleon from FireFox, then wrote a macro that edited Password Exporter's export CSV and changed it into a format that Password Safe could read. (Took more time to write this than it took to import all 52 of my user ids and passwords into Password Safe).
I really like this program. Slowly I'm learning to use your "hints" in my everyday use. The first major change in my routine is I deleted all my passwords from FireFox and K-Meleon and am using Password Safe instead. Of course I have exported everything there to CSV and XML.
Sorry I haven't been here for a few days. Life is getting so busy! It'll be like this for a couple more months... <sigh>
Better to be busy, than not. I just went through a fallow period myself (almost an entire year) and it ain't fun.
Very happy.