[ale] help - how do I log into learnstreet without ...

Ron Frazier (ALE) atllinuxenthinfo at techstarship.com
Wed Mar 27 19:09:07 EDT 2013


Hi Jim,

I'm surprised that we even have to have this particular discussion.  Best in class user login security, as RECOMMENDED by security experts, IS precisely to have separate and distinct logins and passwords for EVERY website you use.  That is exactly what I'm doing, except some of my usernames are similar.  Two factor authentication is better, but not always available.

When the crackers obtain the password databases of a major web provider, like they did with LinkedIn last year, even if the passwords are hashed, the crackers use crack engines and rainbow tables, etc. to guess up to 4 billion hashes / second.  They can crack 6-character passwords in hours and 12-character ones in days.  They can easily crack 80% of the passwords from some site like LinkedIn in a very short time.

Of course I've heard of classes of passwords.  I used to have a high, a medium, and a low "care factor" password.  They were in the 12-14 character range.  After the LinkedIn database was compromised, I knew that there was a very real possibility that the crackers could have my complete login credentials to LinkedIn, and potentially publish them, within a few days.  So, I obviously had to change my LinkedIn password.  They probably required me to, but if the cracker got in and changed it first, I'd be toast.

The other problem was, about 30 other websites shared that particular "medium" level password.  I had no master password database.  So, it was a major pain in the rear to even figure out which sites had the password.  I had some of the passwords stored in Evernote, but not all.  Every website that shared the LinkedIn password had to be changed.

LastPass exists to solve this particular problem.  Since I knew I had to change those 30 website passwords anyway, I decided to invest the time into learning to use LastPass and installed it on my PCs.  This took a few days.  I changed not only the 30 or so sites that were using the "medium" password that LinkedIn used, I changed every site I was connected to and used a 15 character random password generated by LastPass.

More recently, when Evernote got hacked, we had a discussion on this topic here on ALE, and the consensus of people in the know in the security field is that anything less than 20 characters for a password is too small.  So, I took a couple of days AGAIN, to update every password in my LastPass database, all 53 or so of them.  Obviously, I started with Evernote.  Every site I log into now has its own distinct password which is 64 random characters if it will tolerate that, or whatever the maximum that it will tolerate is.  Unfortunately, some of my banks and government agency logins are 20 characters or less, but they will probably do for now.

So, yes, I have 53 distinct and unlinked long random passwords that I cannot possibly remember.  You're darned straight.  If crackers obtain the password database for any one of these sites, which they will, I want the odds to be exceedingly remote that they will crack my password before I learn about the issue and change it.  Furthermore, this way, I never again have to be concerned that a security breach at one site will compromise the other sites.

By the way, I've had my identity stolen once, probably due to an old security breach at the Driver's License Office.  Someone got enough data to forge some checks in my name and buy some appliances from Lowe's with checks that I had supposedly written.  I found out about it quickly, but it was still a time-consuming and royal mess to clean up.  There may still be scars on my credit record I don't know about.  That's not something I ever want to repeat, in any shape or form.  So, I maintain maximum security over the public things I have control over.

Here are some quotes from your message below:

">all so you can use lastpass and never remember any of the passwords"

I don't have 53 logins so I can use LastPass.  I use LastPass so I can have state of the art security on my 53 logins.

">Maybe a gmail account named ronlearnstreet"

I've already set up a fake GitHub account so I can log into learnstreet.  But, I shouldn't have to.  When I authorized it, I had to give learnstreet permission to modify public parts of my GitHub profile.  If I were using the GitHub account for any real purpose, I wouldn't like that.  If I do want to use GitHub for a real purpose, I'll set up a separate account.

">Unless you are using a windows machine...."

Irrelevant to this discussion.  I deal with login security the same way whether I'm running Linux or Windows.

Also, I have 4 PCs which dual boot Windows and Ubuntu 11.04.  Ubuntu 11.04 is out of support, and is soon to be fired and replaced with Mint 13.  I'm running Mint 13 in a VM.  And I'm typing this on an Android tablet.

So, there's plenty of Linux at this house.

And finally "I'm not trying to be mean or attacking"

That's good to know.  8-)

Sincerely,

Ron



Jim Kinney <jim.kinney at gmail.com> wrote:

>Ron, your level of paranoia is becoming disturbing. I'm not trying to be
>mean or attacking, but seriously, this is sounding a bit nutty to me.
>
>So you now have a zillion different web accounts that are TOTALLY unlinked
>except that you use them. They all have a different password.
>
>53
>
>_separate_
>
>logins
>
>all so you can use lastpass and never remember any of the passwords. Have
>you not heard of having classes of passwords? Some really strong ones for
>banking sites. Some moderate ones for stuff that matters but is not a
>crisis. And some "who gives a crap" logins and passwords for stuff that is
>not really relevant. like a crap twitter or gmail or faceplant account so
>you can access a programming tutorial site.
>
>So you can't use the learnstreet site. bummer
>
>Maybe a gmail account named ronlearnstreet is too easy as you clearly like
>to do it the hardest way possible. You never use it for email. It's only
>used to access learnstreet. Still only one password per account. It's just
>you have to login on gmail.
>
>learnstreet looks to be (mostly) free. So you give some tracking data for
>classes. With a bogus email account, so what?
>
>Unless you are using a windows machine, it's pretty easy to dump tracking
>crap.
>
>Unless you are using a windows machine....
>
>hmmm...
>
>windows user?
>
>on the Atlanta _Linux_ Enthusiasts mailing list...
>
>On Wed, Mar 27, 2013 at 4:02 PM, Ron Frazier (ALE) <
>atllinuxenthinfo at techstarship.com> wrote:
>
>> Hi James,
>>
>> Thanks for the link.  I looked over it briefly.  However, I specifically
>> DON'T want the logins from different sites interacting with each other.
>> That's why I spent 2 days putting 53 separate logins into lastpass.  I
>> want every site to have different credentials.  That way, if one is
>> compromised, it doesn't affect the others.
>>
>> Sincerely,
>>
>> Ron
>>
>>
>>
>> On 3/27/2013 2:24 PM, James Sumners wrote:
>>
>>> There's not really any reason to avoid using your Google account for
>>> such things -- http://openidexplained.com/
>>>
>>> On Wed, Mar 27, 2013 at 2:01 PM, Ron Frazier (ALE)
>>> <atllinuxenthinfo at techstarship.com> wrote:
>>>
>>>
>>>> Help!  How do I log into learnstreet without a login on google, twitter,
>>>> facebook, or github?  I can't figure out how to register / sign in.  I
>>>> don't use any of those services.
>>>>
>>>> (Yes I have a gmail account that I never use that I had to set up for my
>>>> Android tablet.  I don't like to give that login / email to anyone.)
>>>>
>>>> Sincerely,
>>>>
>>>> Ron
>>>>
>>>>
>>>
>>>
>>
>> --
>>
>> (PS - If you email me and don't get a quick response, you might want to
>> call on the phone.  I get about 300 emails per day from alternate energy
>> mailing lists and such.  I don't always see new email messages very
>> quickly.)
>>
>> Ron Frazier
>> 770-205-9422 (O)   Leave a message.
>> linuxdude AT techstarship.com
>>
>
>
>
>-- 
>James P. Kinney III
>
>Every time you stop a school, you will have to build a jail. What you gain
>at one end you lose at the other. It's like feeding a dog on his own tail.
>It won't fatten the dog.
>- Speech 11/23/1900 Mark Twain
>
>http://electjimkinney.org
>http://heretothereideas.blogspot.com/
>
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Ale mailing list
>Ale at ale.org
>http://mail.ale.org/mailman/listinfo/ale
>See JOBS, ANNOUNCE and SCHOOLS lists at
>http://mail.ale.org/mailman/listinfo


--

Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
Please excuse my potential brevity if I'm typing on the touch screen.

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com



