Greetings,
It appears that the more sites I join, the harder it is for me to remember passwords. It is not so much a big deal if I am regularly using the site. But come back a year or more later? Yeah, that method I had for remembering a password on a particular site is forgotten.
How can someone manage all these sites and passwords? I did read through this discussion on password security; though having a system is great, I think I need a bit more help or else I will be writing passwords down everywhere/in my computer.
I have heard about software that can do it for you, so may people list some good ones they use? My big concern, of course, with using something like this is whether the software (and the company that makes it) is trustworthy. Any good articles on these types of tools?
If you do use a particular software, do you use it for all your passwords? In what cases would you not use the app to store a password?
I found this earlier post, so for a start what are people's opinions now on KeePass? I see others mention LastPass. How do they compare? Any others?
I don't mind paying for the app, if it is worth it.
Ideas?
You are comfortable using their auto-fill form option?
I've been using keepass for a while now and it's pretty solid. I use it to generate passwords for me at every site I register for now. KeePass is open source and it gets updated on a fairly regular basis.
I am trying out 1Password at the moment. I ran into a problem with it (user error; I was confused by their UI); however, I was able to recover, so I was happy they had a back-up plan for when one does something dumb.
word + identifier + number + punctuation.
In any combination you want:
word = Something you make up that is common across all sites/services. For example, "pinto".
identifier = Some kind of code that is site/service-based. The identifier for the Penny Arcade forum might be PA. I try to keep this in capitals to satisfy sites where that's a requirement.
number = just a number. Two or three digits. Let's use '58' for this example.
punctuation = a combination of punctuation to satisfy sites where that's a requirement. Let's say '!#'
So my passwords would be:
Penny Arcade forum: pintoPA58!#
Facebook: pintoFB58!#
G-mail: pintoGM58!#
It has worked for me for over a decade. Some sites require a bit of a modification, which can be annoying a year later when you don't remember the exception, but I'd rather have my passwords in my head in some way alone.
Further, keeping all your passwords in your head means that if something were ever to happen to you, it'd be very difficult dealing with your digital legacy.
When my Xbox account got hacked and I had $100 or so stolen from me, I went through and started using KeePass. The password I have to remember is 37 characters long, and a phrase I'll never forget, with a slight bit in there to throw off the easy word associations. Takes me about 2-3 seconds to type. All my other passwords, including my 40-50 character long Steam password, are 100% randomly generated, and unique per site. I actually need to go through and reset them all, thanks to Heartbleed, but the most vital sites like Google all have 2-factor authentication on them anyways.
Also it's actually safer to keep passwords on sticky notes than your PC. Your PC can be compromised from anywhere in the world. A password on a sticky note needs physical access - and you likely have bigger shit to worry about in that case. Just don't keep it someplace obvious.
If nothing else, keep XKCD's comic on passwords in mind when making up your scheme:
Edit: according to KeePass, my master KeePass PW is about 137 bits in strength. If I were to chop it off a few letters earlier I could get that up to 151, but eh. "correcthorsebatterystaple" is 81 bits by the same metric, and should obviously never be used.
Edit2: Steam PW is 188 bits. Steam allows a lot wider range of ASCII to be used, however, so I've got brackets and spaces and all sorts of other things in there too.
Writing things down isn't an awful solution for personal passwords either, assuming your note doesn't leave your desk or wherever. It's verboten in enterprise environments because lots of folks go through there, but if you just want to write passwords down in a notebook you keep in your desk, that's fine.
that's why we call it the struggle, you're supposed to sweat
I'm also in favor of KeePass, but putting the data in a cloud seems like a bad idea. If that is compromised, potentially someone could get at your list, so for that reason I prefer to keep it local (knowing full well that potentially my PC could also be compromised).
KeePass can be installed "portable", which means that not only the data but also the program itself can be put anywhere, so I have put it on a USB stick; thus, if needed, I can get at my passwords anywhere there is a trustworthy PC. There is no need for that PC to have KeePass; one just runs the program right off the USB stick.
Still, I do the USB portable version thing too. I just put a lot of trust into Dropbox.
Anyway, I also use a formula system. Most of my passwords start with a single word (actually an obscure word in a foreign language), followed by a two-digit number, followed by two letters taken from the name of whatever the password is for, usually the beginning or ending of its name. So my password for reddit, for example (as if I would ever use reddit), could end in "re" or "it."
If I ever have to change a password, I add 1 to the number used, or switch to the other end of the site/app name for the final two-letter piece.
This means that I cannot use the same formula for every site and if it is a site I stop going to for a while, I simply forget what their rules are/were.
Same goes with only using two characters like the reddit example. I would have to use the first two letters or something consistent, or I would simply forget which one I chose. Again, it is not a problem if I frequent the site regularly. It is more if I return to it after a few months.
I will say though that my first attempts at using 1Password have kind of freaked me out a bit. I tried it out on a new site, and I used the program to generate a password for me. It all worked (other than the screw-up I mentioned earlier, which I fortunately resolved), but now I have no idea what the password is. If I ever lose the program, the save file gets corrupted, and I lose the backups, I could not even make a guess at the password.
I guess it's a different kind of system that I need to come up with but I will keep trying it with secondary sites for now.
Anyway, thanks all for your opinions.
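The two formula schemes described above (word + site code + number + punctuation, and word + number + two letters of the site name) share the property that one leaked password reveals the template for every other site. The following added example, which is not code from this thread or from any poster, shows how cheaply an attacker turns a single (site, password) pair into a short candidate list for another site. The site-code heuristics (initials, first two or three letters, last two letters), the "+/- 1 on the number" rotation, and the sample credential "pintoPA58!#" are all assumptions made for illustration; a real cracking rule set would carry many more abbreviation forms.

```python
import re
from itertools import product

# Tokenise a password into runs of lowercase letters, uppercase letters,
# digits and punctuation; each run is a candidate "slot" in the scheme.
TOKEN = re.compile(r"[a-z]+|[A-Z]+|\d+|[^A-Za-z0-9]+")


def site_codes(site):
    """Short identifiers a person might derive from a site name: initials,
    the first two or three letters, or the last two letters (assumed heuristic)."""
    parts = [p for p in re.split(r"[\s\-_.]+", site.strip()) if p]
    joined = "".join(parts).lower()
    codes = {joined[:2], joined[:3], joined[-2:]}
    if len(parts) > 1:
        codes.add("".join(p[0] for p in parts).lower())
    return sorted(codes)


def infer_scheme(site, password):
    """Find the token of a leaked password that encodes the leaking site.
    Returns the token list and the index of that slot, or None if no token
    looks site-derived (i.e. the password is not obviously templated)."""
    tokens = TOKEN.findall(password)
    if "".join(tokens) != password:
        return None
    codes = set(site_codes(site))
    for i, tok in enumerate(tokens):
        if tok.lower() in codes:
            return {"tokens": tokens, "slot": i}
    return None


def candidates(site, password, target, drift=1):
    """Candidate passwords for `target` given one leaked (site, password) pair:
    the site slot is swapped for the target's codes (case preserved) and every
    numeric run is varied by +/- `drift` to catch the "add 1 when rotating" habit."""
    scheme = infer_scheme(site, password)
    if scheme is None:
        return []
    tokens, slot = scheme["tokens"], scheme["slot"]
    upper = tokens[slot].isupper()
    choices = []
    for i, tok in enumerate(tokens):
        if i == slot:
            choices.append([c.upper() if upper else c for c in site_codes(target)])
        elif tok.isdigit():
            base, width = int(tok), len(tok)
            choices.append([str(base + d).zfill(width)
                            for d in range(-drift, drift + 1) if base + d >= 0])
        else:
            choices.append([tok])
    return ["".join(combo) for combo in product(*choices)]


if __name__ == "__main__":
    # Constructed sample credential matching the first scheme in the thread.
    leaked_site, leaked_pw = "Penny Arcade", "pintoPA58!#"
    for target in ("G-mail", "Facebook", "reddit"):
        guesses = candidates(leaked_site, leaked_pw, target)
        print(f"{target}: {len(guesses)} guesses, e.g. {guesses[:3]}")
```

Each target site costs a handful of guesses rather than the billions a random password would need, and online login forms normally allow that many attempts before locking out. A password that does not tokenise into a site-derived slot (a generated one) yields no candidates at all, which is the point of the "different random password per site" advice later in the thread.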
I was concerned about using it across multiple devices, but so far the sync has been flawless and browser integration is great. Also the people at AgileBits are legit amazing and the customer service is great.
But they then need my PGP key, that's only on my computer and personal smartphone, as well as my master password. With the key they need to have the actual device in hand, and with the password my brain would need to be hacked. I believe that if you forget your password that the file itself does bad things so you can't brute force it, though I'm not 100% sure.
I'm fairly confident no one will get all the pieces to my password file and get access.
The people who are trying to get your password will not have access to your house, and the people who might break into your house do not have any interest in your passwords.
No question you're fairly safe and I agree someone getting all the pieces is unlikely. Maybe it is just me that's paranoid :-)
As always, practical safety needs to be a compromise between convenience and security, and just using individual passwords rather than reusing one password everywhere is much safer than what many people are doing.
I'm kinda on this level. At this point most passwords are stolen online.
I'd say buy a small notebook and put stuff down. Maybe in shorthand, so even if someone else reads it, unless they know your shorthand the important stuff won't make sense. Then go to an office supply store and get a lockbox to keep it in. Hide it somewhere you can find it and either have the code be something you'd know or hide the key in another place altogether.
1Password for iOS can cut'n'paste passwords via the clipboard. But you'll still have to type your master password to unlock 1PW to get at them.
I might use 1password for important passwords that I change, and keep the trash passwords for most sites.
2) Cut card to size required.
3) Put in wallet/store in a safe place
And, not to pimp any particular solution too hard (any of these is probably better than nothing), LastPass works across Windows, Android, and Apple products. In addition, it also supports several types of multi-factor identification, including Google Authenticator, Yubikey, and even a simple grid card that you can print out and carry around with you (think password Battleship).
Now we will never know if it's really CelestialBadger or some dirty hacker.
CelestialBadger is a sucknoob!!!!!!111111
I'm not a fan of password manager apps that require a master password to do password replay to sites, and I'm hugely not a fan of browser-based password managers.
But I'm also crazy ... not 9/11 was an inside job crazy ... but still.
We use it at work as well, it's invaluable here, because it has a fair bit of information in there should any member of the current IT team get run over or stabbed at the nearby subway and expire. The company accountant has the password to it just in case we both go to Subway and get stabbed to death.
And the reason butt simple passwords are dangerous is because of rainbow tables. Read up on rainbow tables and quiver in fear at your 8 character password that's your dog's name plus a year.
In short, use a password manager of some sort that generates passwords for you.
If you ever need to talk to someone, feel free to message me. Yes, that includes you.
No offense, but this is just objectively bad advice. From a user perspective, there is functionally no difference between what you are proposing and using a password manager with multi-factor authentication, except in your case you're making the email address (where you send your "password resets") the primary point of weakness. Guess which of these is the more secure option?
Also, this is just plain not feasible. Are you seriously recommending that people make up passwords and force themselves to memorize them, when they may be using dozens of different websites/logins on a regular basis? You said yourself that you end up having to reset your passwords because you can't remember them. What if you only have access to your smartphone and you need to access a particular account? Should people have to go through the entire password reset process just to get into the account? At that point you might as well make the passwords to all of your websites complete gibberish and do a one-time pad reset every time you need access. And I strongly doubt that any normal human being can make up enough passwords that are suitably complex on their own without resorting to heuristics and algorithms that then cause those passwords to become easily cracked.
The main issue with password protection today is not one of "internet security". There is no such thing as a perfectly secure system, especially if you are going to include human beings in the mix. The real problem is that people are re-using the same passwords over and over again, or are re-using common patterns that can be easily guessed. This causes a systemic issue, because if you use the same password for everything, or the same pattern for everything, a single breakdown in one account can cause every single one of your accounts to become vulnerable. Seriously, do you think you're the only genius out there who has considered using the same 10-character string followed by "bankofamerica" or "google" or "facebook" to access their accounts? Do you have any idea how easy it is to write an algorithm that can parse these kinds of patterns and include them in attacks? Especially if you are using the same email address as the ID for all of these accounts?
There is ultimately no system which is random enough to avoid cracking and yet user-friendly enough to remember that will save you once a major breach has occurred. Tons of people use LinkedIn as a professional matter of course, and that service was hacked not so long ago. Instagram was hacked at around the same time. At one point Google was the focal point of a major attack, and it spooked them so much they reported it publicly and told people to change their passwords even though they didn't "believe" that anything was stolen. And now, depending upon who you believe, anywhere from 5% to 95% of internet encryption was made vulnerable to this Heartbleed issue. Even 5% (a.k.a. 1 in 20) is more than enough information for a suitably-motivated hacker to break into your accounts and make your life miserable.
The storage part is fine from that description, but how do you create your passwords? Here's an excerpt from another Ars article describing just one built in set of options from a cracking program:
Again, that's not anything fancy. That comes built into a cracking program.
One of the primary benefits of a password manager is that it allows you to use a completely different random password for any given account. This prevents any single breach from causing you to lose your entire internet identity.
Hacking a website does not yield actual passwords, unless they're being stored in plain text, in which case that website has given up on security. So generally what hackers get is the encrypted or hashed passwords. Theoretically I guess you could use password123 everywhere and just be sure and change it the second any place you use gets hacked, but realistically there will be some delay before the news that a site was hacked reaches you, assuming it ever gets released. If you have a strong enough password it becomes unrealistic to crack even if you have the encrypted hash stolen from a website.
For the randomized passwords generated by password managers you are probably pretty safe assuming it will never be cracked. But in the unlikely event that a password database gets stolen, enough years pass to make the computation of the hashes really easy, and there exists someone that hates you enough to still spend the massive (but no longer insurmountable) amount of time it takes to crack your 26 character randomized password, it's probably a good idea to rotate out your passwords every so often.
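To put numbers on the last two posts (a strong enough password is unrealistic to crack even from a stolen hash; a templated one is not; and hardware keeps getting faster), here is an added worked example that is not from the thread. It estimates the search space in bits for a formula password versus a uniformly random one, and the worst-case time to exhaust it at an assumed guess rate. The guess rates (1e11/s for a fast unsalted hash on a GPU rig, 1e4/s for a slow hash such as bcrypt at a high cost), the two-year throughput doubling, and the per-slot choice counts for the formula (100,000 dictionary words, 8 site codes, 100 numbers, 32 x 32 punctuation pairs) are order-of-magnitude assumptions for illustration, not measurements.

```python
import math

# Assumed guess rates (orders of magnitude for illustration, not measurements).
GUESS_RATES = {
    "fast unsalted hash on a GPU rig": 1e11,
    "slow hash (bcrypt/scrypt, high cost)": 1e4,
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_password_bits(length, alphabet_size):
    """Entropy of a uniformly random password: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def scheme_bits(components):
    """Entropy of a templated password is the sum over its slots, each slot
    counted by the number of choices a cracker must try for it."""
    return sum(math.log2(choices) for _, choices in components)


def years_to_exhaust(bits, guesses_per_second, years_from_now=0.0, doubling_years=2.0):
    """Worst-case time to try every guess, optionally assuming throughput
    doubles every `doubling_years` until the attack starts."""
    rate = guesses_per_second * 2 ** (years_from_now / doubling_years)
    return 2 ** bits / rate / SECONDS_PER_YEAR


# Constructed assumptions for the "word + site code + number + punctuation" scheme.
FORMULA = [
    ("dictionary word", 100_000),
    ("site code", 8),
    ("two-digit number", 100),
    ("two punctuation marks", 32 * 32),
]

if __name__ == "__main__":
    rows = [
        ("formula password (pintoPA58!#-style)", scheme_bits(FORMULA)),
        ("8 random chars, 94 printable ASCII", random_password_bits(8, 94)),
        ("26 random chars, 94 printable ASCII", random_password_bits(26, 94)),
    ]
    for label, bits in rows:
        for hash_name, rate in GUESS_RATES.items():
            years = years_to_exhaust(bits, rate)
            print(f"{label:40s} {bits:6.1f} bits  {hash_name:38s} {years:.3g} years")
    # The thread's worry: a stolen database plus a decade of faster hardware.
    print("26 random chars, fast hash, attack starting in 10 years:",
          f"{years_to_exhaust(random_password_bits(26, 94), 1e11, years_from_now=10):.3g} years")
```

The formula password falls in well under a second against a fast hash and in hours against a slow one, while the 26-character random password stays out of reach by many orders of magnitude even after a decade of hardware growth; the slow hash buys the 8-character random password time, but only the site's choice of hash controls that, which is why the thread's advice is to make the password itself strong and unique.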