topic Re: Identity Safe logins in Norton Internet Security / Norton AntiVirus

Identity Safe logins

CyberBlaster — Wed, 21 May 2008 17:44:47 GMT

I like the Identity Safe feature in NIS 2008 but I have a question. You give us the option to ask for our password before entering a specific login information, (which is a great option) and the rest just automatic get entered. The only thing is, since there is no lock or password needed to manage the logins and that option, someone can just turn it off or review my password for it anyway. You could just say just logout of the service but that defeats the purpose of the option I am talking about.

Re: Identity Safe logins

Rasputin — Wed, 21 May 2008 21:47:35 GMT

Go to Control Panel and create a password protected sign on with your self as the admistrator.

You can create different user profiles for others who use your computer, if any.

While you are there if you'r using XP Pro or Vista Pro turn off file sharing and turn on your file encryption.

Each time you leave your computer sign off.

Re: Identity Safe logins

CyberBlaster — Wed, 21 May 2008 23:30:12 GMT

Thats great now everyone knows how to make a new user on windows xp but that isn't the issue.

If you have used the Identity safe login manger before you know there is an option to prompt for your password (this can be set for each site). Thats what I am talking about. I'm just saying symantec there is a hole in your setup here, because I can turn that option off without the password.

Re: Identity Safe logins

Phil — Thu, 22 May 2008 13:09:29 GMT

Simply log out of ID safe when you are done using it. It is not automatic, and I don't think that option is available yet.

Re: Identity Safe logins

CyberBlaster — Thu, 22 May 2008 23:43:45 GMT

Yeah there is an option to ask for the password after 15 mins of inactivity but, take a look in the Manage Login menu. They give the option to prompt for your Identity safe password (there is a little check box for EACH login infomation that says: Require Identity Safe password before filling). So for example the login infomation for, lets say a forum you could have it setup so it just logs in as soon as you go to the site, no questions asked. However lets say you go to your online banking, you can have it ask for your Identity Safe password just to make sure, before it logs you in. This is what I like about it, the only thing is and what I am trying to get across is, that little check box can be unchecked without the password. So you can just uncheck it then go to the online banking then magicly it logs you in. I'm just saying we need a option to put the password on the manage Logins menu so that can't happen.

Re: Identity Safe logins

huwyngr — Fri, 23 May 2008 01:46:24 GMT

CyberBlaster wrote:
[ .... ] This is what I like about it, the only thing is and what I am trying to get across is, that little check box can be unchecked without the password. So you can just uncheck it then go to the online banking then magicly it logs you in. I'm just saying we need a option to put the password on the manage Logins menu so that can't happen.

Seems to me that this is a valid and important point -- that that check box should be inside the controlled area.

Let's see what Norton say about this?

Re: Identity Safe logins

Rasputin — Sat, 24 May 2008 00:08:46 GMT

CyberBlaster, I regret that you were disappointed in my post which you apparently thought was off topic. You pointed out that you think that Symantec should correct a defect in the pass word interface which you believe is a security hazard.

I agree with you on this.

My experience in dealing with large corporation is that getting a problem corrected like this is a little like waiting for some one turn the Titanic around using a paddle.

Until the problem is corrected the end users are left with the idea that we are not defenseless if we can come up with an effective work around that will protect the pass word.

In addition to the above there usually are a number of pass words and other sensitive information that needs to be protected.

If no one else uses your pc then using a start up password for start up access, turning off file sharing and the using of AES 256 encrytpion is likely to protect not only the potentially exposed vault pass word but all off the pass words and sensitive information including financial, medical and other information.

Beyond this if a person is really concerned about pass word protection then if the computer can be made to boot from a UPC drive then the windows start up keys can be moved off of drive C to a UPC drive. With out the presence of the windows start up keys an attacker would encounter the Blue Screen of Death and possibly a little note from BIOS saying “No Operating System Found”.

Safety would dictate that one makes sure that the system will boot from the UPC before any one tries this and backing up the Windows Start up Keys is really a good idea.

In Addition to the above, if the entire PC is backed up to an external HD or an off premise server then the user should be aware that the back ups should be backed up to AES 256 or other high grade ciphers.

Re: Identity Safe logins

CyberBlaster — Sat, 24 May 2008 22:25:32 GMT

Yeah, sorry I posted the response kinda harshly I wasn't it the greatest mood at the time :smileytongue:

The problem isn't a big deal for me since I have a computer to myself and no one else uses it (except in rare cases). I was just hopeing to point it out and have Norton work on fixing it. I agree sometimes you can point these thing out and they go unanswered from companies. But, since Norton has just started these forums and trying out the whole user interaction thing, I was hopeing to see someone from Norton say something about it by now. Even if its the standard one liner message that they will work on it lol :smileywink:

Re: Identity Safe logins

MelodicWynd — Sun, 25 May 2008 07:37:59 GMT

hi CyberBlaster - i know SYMC folks are watching and i've seen posts from their folks about changes that coincide with what users are posting about, so i think you have a good idea. i'd recommend a more straightforward strategy - list the steps, confirm whether it is as designed or a defect and make your case. i don't see much value doing it otherwise...

"enhancement request" - recommend SYMC password protect ID Safe login options to protect secure information. sound about right?

mel

Re: Identity Safe logins

Rasputin — Sun, 25 May 2008 22:08:43 GMT

“We are aware of the problem and our engineers are working on a solution”.

I saw this so many times on America Off Line that I thought it was their company logo.

Cheers

Re: Identity Safe logins

CyberBlaster — Tue, 27 May 2008 15:39:56 GMT

The problem is how it is designed, they just need to password protect the manage login part. They just forgot to check that hole, I don't think it would be that hard to fix.

Re: Identity Safe logins

Tony_Weiss — Wed, 28 May 2008 23:48:10 GMT

Thanks, CyberBlaster. I've communicated this information to our product teams to review this suggestion. Great job!

Re: Identity Safe logins

BillR — Wed, 04 Jun 2008 23:20:20 GMT

Thank you for your question about Identity Safe. We are planning to change the way this feature works in our NIS 2009 release. We will require the Identity Safe password to change this setting. If your subscription to NIS 2008 is up-to-date, you will be able to download and install NIS 2009 once it becomes available.

Re: Identity Safe logins

CyberBlaster — Sun, 08 Jun 2008 17:20:22 GMT

Nice, thanks for letting me know.