Thread Rating:
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
[split] TerranovaTeam's password storage
#1
(07-22-2015, 08:15 PM)krzys_h Wrote: I still don't know the password to our Twitter

About the passwords, we should put them someplace safe, where every administrator of TerranovaTeam will have access.

For example:
@RaptorParkowsky now is the only person, who have password to the Twitter TerranovaTeam's account.

Then @RaptorParkowsky has been kidnapped by UFO, eaten by dinosaur, bitten by cobra or simply died.

...then...

...there's no password to official TerranovaTeam's Twitter account. Nobody else know it. What TerranovaTeam will do with that?
Reply
#2
(07-22-2015, 10:13 PM)RaptorParkowsky Wrote: ...there's no password to official TerranovaTeam's Twitter account. Nobody else know it. What TerranovaTeam will do with that?
... Use the password recovery form? Dodgy
Reply
#3
(07-22-2015, 10:17 PM)krzys_h Wrote:
(07-22-2015, 10:13 PM)RaptorParkowsky Wrote: ...there's no password to official TerranovaTeam's Twitter account. Nobody else know it. What TerranovaTeam will do with that?
... Use the password recovery form? Dodgy

Another scenario:
@RaptorParkowsky now is the only person, who have password to the Twitter TerranovaTeam's account.

@RaptorParkowsky is going on the looong vacation to Caribbean, there's no contact with him, because he is in the jungle, hunting on wild dinosaurs.

Meantime there was 1000 commits on TerranovaTeam's repo. Colobot: Gold Edition finally have multiplayer. TerranovaTeam want to announce that in the whole world, but... you really must do a password recovery for this thing? You can also wait for @RaptorParkowsky, but there's no time to waste!

I mean, that will be more comfortable, if there will be safe place for that kind of things like passwords for social accounts. We are very distracted community, so I think that would be helpful, if the most important admins would have access to that.
Reply
#4
I suggest to encrypt it with double XOR cipher.

[Image: Problem.jpg]
[Image: XvN5CTW.png] [Image: UYXyyMS.png]
Reply
#5
Very funny, although one-time pad using XOR is a proven unbreakable cipher under certain conditions.

We could use secret sharing algorithm such as Shamir's scheme. k out of n people would be needed to decrypt a secret. Say 2 out of 3 people in our case.
"After three days without programming, life becomes meaningless."
~The Tao of Programming
Reply
#6
Here's how I would do it.

I would create a text file on some good, well-known, safe hosting, which lets for private documents. My first thought: Google Docs. Google document can be private, that is it can be available for view only for specific people. We store our passwords in there, give access to admins and problem solved.

Now, my arguments:
  • A separate database would require us to remember one, master password. Imagine the chaos happening, when one day everybody loses this password, which is not that far from real scenario considering how well we "remember" our actual passwords.
  • I don't like encrypting. It would require us to store keys for decrypting anyway, which are much more easier to be lost and generally, at least for me, it would be an unnecessary pain in the ***. There's much greater chance of a human mistake resulting in leaking a password than an appearance of an imaginary hacker who would get into our private document on Google Docs.
  • It's hard to find anyone who does not have a Google account already, nowadays. Everybody will use their normal, private, easier to remember passwords to log in on their accounts to gain access to the file, so there won't be any "hey, what was the password again?" messages.
However, there is one flaw with this solution. Accounts of the admins might be vulnerable. Level of security of the passwords will be measured in the level of security of the most vulnerable account (this may be a weak password, carelessness of the admin and so on...). But, we already work like that on forum, Facebook, etc., so it doesn't make any difference.

I'd be glad if you wrote what you think, so we can solve the problem of storing shared passwords as soon as possible.
[Image: XvN5CTW.png] [Image: UYXyyMS.png]
Reply
#7
I'm against storing the passwords without encryption. The Google Docs scenario would work for e.g. 2 people, but we have so many admins that this is too much risk. We were already hacked once and we still don't know why, remember? I'd at least use some basic GPG encryption.

My solution (Warning: NOT a good one):
Use the same password everywhere so we don't have to remember them all
Reply
#8
How about we store them in some KeePass database [http://keepass.info/] and still upload it to, e.g. Google Docs, but lock it with a master password? That way we only have to remember one (like @krzys_h wanted), to open the file and the rest can be as complicated and secure as we want them to be.

Edit: I've missed @Simbax's post up there, sorry. :/ It doesn't invalidate my point though, I still consider one master password to be quite reasonable. Definitely better than having different password for everything, like we do right now and in case someone actually forgets then, well, I guess that person would just do what everybody's been doing already and ask one of the admins for it.
And let's not forget the social engineering skills of desperate people.
[Image: 76561198011930439.png]
"But there's no sense crying over every mistake, you just keep on trying 'till you ran out of cake" - GLaDOS
Reply
#9
Well, it seems I wanted the most comfortable solution with a little cost of lower security, but Keepass seems to be the golden mean.
[Image: XvN5CTW.png] [Image: UYXyyMS.png]
Reply
#10
Small announcement:

Until the problem with passwords storing isn't resolved, I changed the password for @ColobotGame Twitter account into the same like on colobotppc at Gmail.

So don't broke anything and tweet carefully, as I really tied and loved this account. Wink
Reply


Forum Jump:


Users browsing this thread: 5 Guest(s)