Old 06-08-2016, 11:48 AM   #21
Administrator
W2R's Avatar
 
Join Date: Jan 2007
Location: New Orleans
Posts: 38,933
Quote:
Originally Posted by ERD50 View Post
Like a few others, I'm just not ready to use a password manager (fears may be unfounded, but that's how I feel).

But I've been using a simple system for ~ 3 years that works for me.

A) For sites where security is just not a concern, I have a fairly complex, but easy to remember PW that I use for all these. So far, only a few exceptions to my general rule works with all these sites (>8, an UP alpha, a LC alpha, a number, and a special char).

B) For sites where I have a concern, I use a common prefix and a common suffix for all. This makes it easy to remember, and adds plenty of complexity. For each site, I add a unique middle set of chars that are easy to remember. Example:

Common prefix APPLE123 --- Common Suffix zebra789

So local bank might be:

APPLE123lclb$zebra789

If my broker was Schwabb, it might be:

APPLE123swbzebra789

etc. I can add any special char requirements to the word. Nice thing about this, I can keep a low tech piece of paper with my passwords on it, even in my wallet, and it is secure. It would look like this:

mybank --- lclb$ ---
stocks --- swb ---
online bank --- olb$
Fidelity Credit Card --- fcc ---

See, not enough info there to give it away. All I need to remember are my prefix and suffix 'keys'. I can even write those down somewhere where the connection would not be made.

Works for me.

-ERD50
That is SO COOL!!! I really, really like your prefix & suffix method and I am so impressed. I had never heard of that idea before. It seems ingenious to me, so much so that I might switch over to that method. I tried password software but do not like depending on it.
__________________
Already we are boldly launched upon the deep; but soon we shall be lost in its unshored, harbourless immensities.

- - H. Melville, 1851
W2R is online now   Reply With Quote

Old 06-08-2016, 12:05 PM   #22
Thinks s/he gets paid by the post
 
Join Date: May 2014
Location: Utrecht
Posts: 2,213
I use the same method as ERD50
__________________
Totoro is offline   Reply With Quote
Old 06-08-2016, 12:09 PM   #23
Administrator
W2R's Avatar
 
Join Date: Jan 2007
Location: New Orleans
Posts: 38,933
Quote:
Originally Posted by Totoro View Post
I use the same method as ERD50
Well then both of you have a cool method for remembering passwords!
__________________
Already we are boldly launched upon the deep; but soon we shall be lost in its unshored, harbourless immensities.

- - H. Melville, 1851
W2R is online now   Reply With Quote
Old 06-08-2016, 12:17 PM   #24
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 16,514
I divide my passwords into three classes depending on the information they have on me - sensitive (anything with SS and DOB and account numbers), and minor exposure (CC info stored), and very low exposure (name and email address, maybe shipping address).

The sensitive passwords are in a password protected file on a password protected encrypted drive on a password protected computer (all different passwords). The minor I often allow Keychain to store the password.

For very low exposure sites that have little more than one of my throw away email addresses I tend to reuse a handful of simple passwords. Anything above that level has a unique password.
__________________
Well, I thought I was retired. But it seems that now I'm working as a travel agent instead!
audreyh1 is online now   Reply With Quote
Old 06-08-2016, 12:30 PM   #25
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Lsbcal's Avatar
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 5,695
Quote:
Originally Posted by ERD50 View Post
...
So local bank might be:

APPLE123lclb$zebra789

If my broker was Schwabb, it might be:

APPLE123swbzebra789
...
I used to have a system somewhat like this. One should avoid dictionary words though. So I would replace "zebra" with maybe "zbr" removing vowels. It certainly is a workable system.

What I've done is to favor frequent checking of accounts as a security measure. This was after reading how some on this forum checked much more frequently than I used to. W2R was an inspiration on this as I recall and maybe Audrey too.

This means I want to login somewhat effortlessly and frequently. Remembering this stuff and typing it in is a hassle. Typing on a smartphone is a hassle but less so on a PC. Even on a PC I found I make too many typing errors which might lead me to back off of frequent checking of accounts. On vacations I found that it was a hassle to check accounts and my memory is a little rusty when dealing with all the other things associated with travel.

That is why I chose to use Lastpass plus a smartphone fingerprint reader. Also I use 2 factor authentication as mentioned by some above.
__________________
Lsbcal is offline   Reply With Quote
Old 06-08-2016, 12:53 PM   #26
Thinks s/he gets paid by the post
Sunset's Avatar
 
Join Date: Jul 2014
Location: Chicago
Posts: 4,743
Quote:
Originally Posted by Options View Post
After the massive attack of heartbleed bug a couple years ago, I started using the password manager Keepass. It has given me tremendous peace of mind, means I don't have to remember any passwords, and greatly reduces the time needed to access my protected sites. Keepass is locally stored (versus stored in the cloud like password manager lastpass). I don't store the password manager on my computer, but rather on four identical back-up thumb drives, two of which are protected behind an encrypted vault and kept at home, and two further back-up drives which are not encrypted are kept in my safe deposit box.

Keepass generates all of my passwords of a length as long as any site will allow (all of my passwords are very long and complex) and Keepass is only accessible with one global password, which I do not have written down anywhere. I've tested this global master password and it would take almost a hundred thousand years for my password manager to be hacked. The only two people in the world who know the global password are myself and my executor.

I would never use any password that is only eight words long, nor would I use one that doesn't contain numbers, special characters, and upper and lower case characters. Experts have advised strongly against using any password for more than one account, as this is one of the first things hackers look for. There has been considerable debate regarding password managers that are locally stored (as in on one's hard or thumb drive) versus stored in the cloud; however, I am personally extremely uncomfortable with cloud-based password managers and would never use them.
+1
Easy to use, works reliably for years. I have over 200 Unique passwords.

It also provides a notes section so you can store the crazy unrelated answers to the security questions:
Example - What is your first pet's name: Answer: AlexanderTheGreatWasAWhipperSnapper
__________________
Sunset is offline   Reply With Quote
Old 06-08-2016, 02:15 PM   #27
Thinks s/he gets paid by the post
gauss's Avatar
 
Join Date: Aug 2011
Posts: 1,712
I finally broke down and set up lastpass along with OATH authentication for the lastpass account (i.e. Google Authentication 30 second 6 digits rolling codes provided by my smartphone).

I figured having all the passwords available in one place which would allow a quick change if necessary would outweigh the risk of storing them together.

In the past I have had problems logging into a site that I don't use all the time due to forgetting about a special character that needed to be added to that particular password or something. This is a bad feeling to have when you fear that your account may have been hacked or otherwise during times of stress.

I don't tend to share passwords between accounts rather I have a site specific portion of the password combined with a common root portion which serves to add characters.

-gauss
__________________
gauss is offline   Reply With Quote
Old 06-08-2016, 02:33 PM   #28
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
audreyh1's Avatar
 
Join Date: Jan 2006
Location: Rio Grande Valley
Posts: 16,514
If my sensitive accounts offer two pass verification, I enable it.
__________________
Well, I thought I was retired. But it seems that now I'm working as a travel agent instead!
audreyh1 is online now   Reply With Quote
Old 06-08-2016, 02:53 PM   #29
Full time employment: Posting here.
dixonge's Avatar
 
Join Date: Mar 2008
Location: Ajijic
Posts: 848
I've used a system similar to ERD50's for many years now. I think I first saw it discussed on a LifeHacker article? However, my fear is that even that system is too easy to figure out. For example, if a site is hacked and someone scrutinizes my password, would the pattern stand out? I try to minimize the risk by using only the first letters of a phrase for the parts that go on more than one site. So if I was using the lyrics of "My Bonnie Lies Over The Ocean" for my phrase, a site password might look something like this:

Mblotoelogmblots*0

It is amazingly easy to remember while satisfying all of the complexity requirements that most sites set up. Upon initial inspection it seems to be rather random, which would hopefully dissuade a hacker from further scrutiny. It's not foolproof, but it might be tricky enough to keep me from being an easy target.

So pick a phrase from a favorite song, preferably not one that is too well-known, and go for it. Unique for each site, easy enough to remember so that you don't have to write anything down or use a manager.

You can also check online to see if your email or User ID has been part of a hack. I had several sites come up, but since my passwords are unique I worry less...

https://haveibeenpwned.com/

One of my emails shows up in TEN sites that were hacked!
__________________
dixonge is online now   Reply With Quote
Old 06-08-2016, 03:07 PM   #30
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,896
Quote:
Originally Posted by ERD50 View Post
...

Common prefix APPLE123 --- Common Suffix zebra789

So local bank might be:

APPLE123lclb$zebra789

If my broker was Schwabb, it might be:

APPLE123swbzebra789


...

Works for me.

-ERD50
Glad the system works for you. For me, I prefer to just create my passwords with a random generator without any specific pattern. Using something like your example, my memory isn't good enough without effort.

For example, for Schawbb, I'd be asking myself "Was that swb? or Sch? or Swbb?" You get the idea.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is online now   Reply With Quote
Old 06-08-2016, 03:19 PM   #31
Full time employment: Posting here.
 
Join Date: Aug 2013
Location: North
Posts: 714
Many ways to obtain passwords, a keylogger, malware/spyware, database hack, human intelligence. The first level of defense is always on the person. You need to be just as humanly intelligent, if not more intelligent than those trying to cause harm.


VP of bank security recommends two-factor authentication, and a password locker. They actually make us take our laptops home every night...this is not a security measure, rather a continuity measure. If the bank is bombed tomorrow, at least I have my laptop to work off...yay!
__________________
AA (Stock/Bond/Cash ): 99/0/1% MIX (Small/Mid/Large): 50/25/25% BLEND(US/Foreign): 100/0%, (Value/Growth/Blend): X/X/X% REIT (Real Estate Equity): 50% of Assets

FIRE in 2031 @ 50yrs old (+/- 2yrs) w/ a hypothetical $2.5mil portfolio, 3 appreciated homes worth $1.0mil and rental income to fund my gap years until RMD. Assets will go to an inherited IRA where I plan on watching the investments grow until I die or the trust gets executed.
kgtest is offline   Reply With Quote
Old 06-08-2016, 03:19 PM   #32
Thinks s/he gets paid by the post
Sunset's Avatar
 
Join Date: Jul 2014
Location: Chicago
Posts: 4,743
Quote:
Originally Posted by gauss View Post
...I don't tend to share passwords between accounts rather I have a site specific portion of the password combined with a common root portion which serves to add characters.
...

I did this a long time ago, but realized if a hacker gets to see multiple of my passwords that it would be easy to figure out.

cnnCOMMONROOT
yahooCOMMONROOT

Then they could just go to all the banks bofCOMMONROOT , etc...
__________________
Sunset is offline   Reply With Quote
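Sunset's point about a visible common root, applied to ERD50's example passwords as a self-audit. This is an added example, not code from any poster: it finds the prefix and suffix that every password shares and estimates how much guessing work is left in the site-specific part once that template is known. The pool-size estimate is a naive upper bound of the kind password checkers use, and all function names are made up for this illustration.

```python
import os
import string

# Constructed sample: the two example passwords from ERD50's post.
SAMPLE = {
    "local bank": "APPLE123lclb$zebra789",
    "broker": "APPLE123swbzebra789",
}


def shared_affixes(passwords):
    """Return (prefix, suffix) common to every password, never overlapping."""
    pws = list(passwords)
    if len(pws) < 2:
        return "", ""  # nothing to compare against
    prefix = os.path.commonprefix(pws)
    # Strip the prefix first so the suffix cannot reuse the same characters
    # (matters when two entries are identical, i.e. plain password reuse).
    rests = [p[len(prefix):] for p in pws]
    suffix = os.path.commonprefix([r[::-1] for r in rests])[::-1]
    return prefix, suffix


def naive_keyspace(text):
    """Upper-bound guess count: (size of character classes used) ** length."""
    pool = 0
    for charset in (string.ascii_lowercase, string.ascii_uppercase,
                    string.digits, string.punctuation):
        if any(c in charset for c in text):
            pool += len(charset)
    return pool ** len(text) if text else 1


def audit(accounts):
    """Split each password into shared template and site-specific part."""
    prefix, suffix = shared_affixes(accounts.values())
    report = {}
    for name, pw in accounts.items():
        middle = pw[len(prefix):len(pw) - len(suffix)]
        report[name] = {
            "unique_part": middle,
            "shared_fraction": round(1 - len(middle) / len(pw), 2),
            "full_keyspace": naive_keyspace(pw),
            # What is left to guess if another site leaks the template:
            "remaining_keyspace": naive_keyspace(middle),
        }
    return prefix, suffix, report


if __name__ == "__main__":
    prefix, suffix, report = audit(SAMPLE)
    print("shared prefix:", prefix, "| shared suffix:", suffix)
    for name, row in report.items():
        print(name, row)
```

The gap between `full_keyspace` and `remaining_keyspace` is the strength that disappears as soon as two passwords from the scheme are seen side by side.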
Old 06-08-2016, 03:27 PM   #33
Thinks s/he gets paid by the post
Sunset's Avatar
 
Join Date: Jul 2014
Location: Chicago
Posts: 4,743
Quote:
Originally Posted by dixonge View Post
...

You can also check online to see if your email or User ID has been part of a hack. I had several sites come up, but since my passwords are unique I worry less...

https://haveibeenpwned.com/

One of my emails shows up in TEN sites that were hacked!
Thanks for this.
I use a different email address for every one of my important sites, if you own a domain you can have an incredible number of emails.

So if I get an email pretending to be from a bank on my regular email account, I know it's fake as they don't have my "regular" email address.
__________________
Sunset is offline   Reply With Quote
Old 06-08-2016, 03:53 PM   #34
Thinks s/he gets paid by the post
Cobra9777's Avatar
 
Join Date: Jul 2012
Location: Texas
Posts: 1,136
Quote:
Originally Posted by Options View Post
...I've tested this global master password and it would take almost a hundred thousand years for my password manager to be hacked...
I've used Password Safe for 15 years. I wouldn't be able to function without it. All my user IDs, passwords, and answers to security questions are random, unintelligible strings that conform to the maximum strength allowed by the site.

However, your post inspired me to beef-up the master password. I tested my existing password and got an estimate of 3 hours to brute-force it with an average home PC. I changed it to something which I can easily remember (I hope) and got an estimate of 10,000 centuries. That should be sufficient.

For whatever reason (probably habit), I always kept the original master password from 15 years ago, which was essentially a 4 digit pin with 2 letters at the end. Really dumb. Thanks for the prod.
__________________
Retired at 52 in July 2013. On to better things...
AA: 55% stock, 15% real estate, 27% bonds, 3% cash
WR: 2.0% SI: 2 pensions, some rental income, SS later
Cobra9777 is online now   Reply With Quote
Old 06-08-2016, 04:17 PM   #35
Thinks s/he gets paid by the post
 
Join Date: May 2014
Location: Utrecht
Posts: 2,213
Quote:
Originally Posted by Sunset View Post
cnnCOMMONROOT
yahooCOMMONROOT

Then they could just go to all the banks bofCOMMONROOT , etc...
You don't do bofCOMMONROOT but fruh9632!COMMONROOT (or similar). And then you write fruh9632! down.

Point is to be difficult enough to withstand most bulk attacks and not have a single point of failure (password managers or one password to unlock them all). Two-factor adds another layer for banking stuff (physical device + pin).

Perfect security doesn't exist, and if a competent person is out to get you, it's very unlikely one will withstand the attack.

Same reason you should use several e-mails and rotate every so often. Hacked and leaked files contain logins, which usually are e-mail or facebook handles. They get reused for attacking other sites. You'll drop out of the bulk attacks if you switch addresses every so often. That's why I frequently create a separate e-mail address for a new service I subscribe to (I have my own domain, so it's 5 seconds' work).

I get a lot of spam these days for example and phishing mails at one throwaway I used for my linkedin account. Not only do I know the source, I can also safely shut it down and switch.
__________________
Totoro is offline   Reply With Quote
Old 06-08-2016, 04:32 PM   #36
Thinks s/he gets paid by the post
ExFlyBoy5's Avatar
 
Join Date: May 2013
Posts: 1,977
I am in the process of setting up my Dashlane account and they have a test to see how good your master password is. I tested one that was very similar to the actual one and I guess I did pretty good...
Attached Images
File Type: jpg Untitled.jpg (72.4 KB, 15 views)
__________________
Founder and Head Lounger @ The Life of Leisure Institute
Retired in 2014 at the Ripe Age of 40.
ExFlyBoy5 is offline   Reply With Quote
Old 06-08-2016, 04:35 PM   #37
Thinks s/he gets paid by the post
ExFlyBoy5's Avatar
 
Join Date: May 2013
Posts: 1,977
OR...maybe not...guess I need to work on it since with a much larger password I came up with this
Attached Images
File Type: jpg Untitled.jpg (94.8 KB, 12 views)
__________________
Founder and Head Lounger @ The Life of Leisure Institute
Retired in 2014 at the Ripe Age of 40.
ExFlyBoy5 is offline   Reply With Quote
Old 06-08-2016, 06:22 PM   #38
Thinks s/he gets paid by the post
Rustic23's Avatar
 
Join Date: Dec 2005
Location: Lake Livingston, Tx
Posts: 3,624
I use Lastpass. While my Lastpass password is OK, it is not really that strong. It is based on an 18 character phrase using capital letters and some special characters.

I have an idea for an even stronger one. Something like this.

%s#!jfN9RxY2AwhWfEShxk5y

Now, I would never be able to remember this much less type it. However, I have access to a website. I could also use a free google site. I have thought of putting the password on an html and putting it online with no reference as to what it was for. Bring up the site, and copy paste. I have multiple gmail accounts, so it would be one I seldom use.

Thoughts?
__________________
If it is after 5:00 when I post I reserve the right to disavow anything I posted.
Rustic23 is offline   Reply With Quote
Old 06-08-2016, 06:48 PM   #39
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Lsbcal's Avatar
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 5,695
Quote:
Originally Posted by Rustic23 View Post
I use Lastpass. While my Lastpass password is OK, it is not really that strong. It is based on an 18 character phrase using capital letters and some special characters.
...
18 characters is probably overkill unless one is using full dictionary words. Try running it through one of those password checkers. Naturally you don't want to use the exact same one you use but instead one that is close.
__________________
Lsbcal is offline   Reply With Quote
Old 06-08-2016, 06:52 PM   #40
Thinks s/he gets paid by the post
Rustic23's Avatar
 
Join Date: Dec 2005
Location: Lake Livingston, Tx
Posts: 3,624
It uses dictionary words. I reset it to 12 letters, numbers and special characters. Password checkers say similar password 100% secure. Another said 34,000,000 to brute force by computer.



__________________
If it is after 5:00 when I post I reserve the right to disavow anything I posted.
Rustic23 is offline   Reply With Quote
All times are GMT -6.