Online passwords!!!

After the massive attack of heartbleed bug a couple years ago, I started using the password manager Keepass. It has given me tremendous peace of mind, means I don't have to remember any passwords, and greatly reduces the time needed to access my protected sites. Keepass is locally stored (versus stored in the cloud like password manager lastpass). I don't store the password manager on my computer, but rather on four identical back-up thumb drives, two of which are protected behind an encrypted vault and kept at home, and two further back-up drives which are not encrypted are kept in my safe deposit box.

Keepass generates all of my passwords of a length as long as any site will allow (all of my passwords are very long and complex) and Keepass is only accessible with one global password, which I do not have written down anywhere. I've tested this global master password and it would take almost a hundred thousand years for my password manager to be hacked. The only two people in the world who know the global password are myself and my executor.

I would never use any password that is only eight words long, nor would I use one that doesn't contain numbers, special characters, and upper and lower case characters. Experts have advised strongly against using any password for more than one account, as this is one of the first things hackers look for. There has been considerable debate regarding password managers that are locally stored (as in on one's hard or thumb drive) versus stored in the cloud; however, I am personally extremely uncomfortable with cloud-based password managers and would never use them.

+1
Easy to use, works reliably for years. I have over 200 Unique passwords.

It also provides a notes section so you can store the crazy unrelated answers to the security questions:
Example - What is your first pet's name? Answer: AlexanderTheGreatWasAWhipperSnapper
 
I finally broke down and set up lastpass along with OATH authentication for the lastpass account (i.e. Google Authenticator 30 second 6 digit rolling codes provided by my smartphone).

I figured having all the passwords available in one place which would allow a quick change if necessary would outweigh the risk of storing them together.

In the past I have had problems logging into a site that I don't use all the time due to forgetting about a special character that needed to be added to that particular password or something. This is a bad feeling to have when you fear that your account may have been hacked or otherwise during times of stress.

I don't tend to share passwords between accounts; rather, I have a site specific portion of the password combined with a common root portion which serves to add characters.

-gauss
 
I've used a system similar to ERD50's for many years now. I think I first saw it discussed on a LifeHacker article? However, my fear is that even that system is too easy to figure out. For example, if a site is hacked and someone scrutinizes my password, would the pattern stand out? I try to minimize the risk by using only the first letters of a phrase for the parts that go on more than one site. So if I was using the lyrics of "My Bonnie Lies Over The Ocean" for my phrase, a site password might look something like this:

Mblotoelogmblots*0

It is amazingly easy to remember while satisfying all of the complexity requirements that most sites set up. Upon initial inspection it seems to be rather random, which would hopefully dissuade a hacker from further scrutiny. It's not foolproof, but it might be tricky enough to keep me from being an easy target.

So pick a phrase from a favorite song, preferably not one that is too well-known, and go for it. Unique for each site, easy enough to remember so that you don't have to write anything down or use a manager.

You can also check online to see if your email or User ID has been part of a hack. I had several sites come up, but since my passwords are unique I worry less...

https://haveibeenpwned.com/

One of my emails shows up in TEN sites that were hacked!
 
...

Common prefix APPLE123 --- Common Suffix zebra789

So local bank might be:

APPLE123lclb$zebra789

If my broker was Schwab, it might be:

APPLE123swbzebra789


...

Works for me.

-ERD50

Glad the system works for you. For me, I prefer to just create my passwords with a random generator without any specific pattern. Using something like your example, my memory isn't good enough without effort.

For example, for Schwab, I'd be asking myself "Was that swb? or Sch? or Swbb?" You get the idea.
 
There are many ways to obtain passwords: a keylogger, malware/spyware, a database hack, human intelligence. The first level of defense is always on the person. You need to be just as humanly intelligent, if not more intelligent than those trying to cause harm.


VP of bank security recommends two-factor authentication, and a password locker. They actually make us take our laptops home every night... this is not a security measure, rather a continuity measure. If the bank is bombed tomorrow, at least I have my laptop to work off... yay!
 
gauss said:
...I don't tend to share passwords between accounts; rather, I have a site specific portion of the password combined with a common root portion which serves to add characters. ...

I did this a long time ago, but realized if a hacker gets to see multiple of my passwords that it would be easy to figure out

cnnCOMMONROOT
yahooCOMMONROOT

Then they could just go to all the banks bofCOMMONROOT, etc...
 
...

You can also check online to see if your email or User ID has been part of a hack. I had several sites come up, but since my passwords are unique I worry less...

https://haveibeenpwned.com/

One of my emails shows up in TEN sites that were hacked!

Thanks for this.
I use a different email address for every one of my important sites; if you own a domain, you can have an incredible number of emails.

So if I get an email pretending to be from a bank on my regular email account, I know it's fake as they don't have my "regular" email address.
 
...I've tested this global master password and it would take almost a hundred thousand years for my password manager to be hacked...

I've used Password Safe for 15 years. I wouldn't be able to function without it. All my user IDs, passwords, and answers to security questions are random, unintelligible strings that conform to the maximum strength allowed by the site.

However, your post inspired me to beef up the master password. I tested my existing password and got an estimate of 3 hours to brute-force it with an average home PC. I changed it to something which I can easily remember (I hope) and got an estimate of 10,000 centuries. That should be sufficient.

For whatever reason (probably habit), I always kept the original master password from 15 years ago, which was essentially a 4 digit pin with 2 letters at the end. Really dumb. Thanks for the prod.
 
cnnCOMMONROOT
yahooCOMMONROOT

Then they could just go to all the banks bofCOMMONROOT, etc...

You don't do bofCOMMONROOT but fruh9632!COMMONROOT (or similar). And then you write fruh9632! down.

Point is to be difficult enough to withstand most bulk attacks and not have a single point of failure (password managers or one password to unlock them all). Two-factor adds another layer for banking stuff (physical device + pin).

Perfect security doesn't exist, and if a competent person is out to get you, it's very unlikely one will withstand the attack.

Same reason you should use several e-mails and rotate every so often. Hacked and leaked files contain logins, which usually are e-mail or facebook handles. They get reused for attacking other sites. You'll drop out of the bulk attacks if you switch addresses every so often. That's why I frequently create a separate e-mail address for a new service I subscribe to (I have my own domain, so it's 5 seconds work).

I get a lot of spam these days, for example, and phishing mails at one throwaway I used for my LinkedIn account. Not only do I know the source, I can also safely shut it down and switch.
 
I am in the process of setting up my Dashlane account and they have a test to see how good your master password is. I tested one that was very similar to the actual one and I guess I did pretty good... :D
 
OR...maybe not...guess I need to work on it since with a much larger password I came up with this :LOL:
 
I use Lastpass. While my Lastpass password is OK, it is not really that strong. It is based on an 18 character phrase using capital letters and some special characters.

I have an idea for an even stronger one. Something like this.

%s#!jfN9RxY2AwhWfEShxk5y

Now, I would never be able to remember this much less type it. However, I have access to a website. I could also use a free google site. I have thought of putting the password on an html and putting it online with no reference as to what it was for. Bring up the site, and copy paste. I have multiple gmail accounts, so it would be one I seldom use.

Thoughts?
 
I use Lastpass. While my Lastpass password is OK, it is not really that strong. It is based on an 18 character phrase using capital letters and some special characters.
...
18 characters is probably overkill unless one is using full dictionary words. Try running it through one of those password checkers. Naturally you don't want to use the exact same one you use but instead one that is close.
 
It uses dictionary words. I reset it to 12 letters, numbers and special characters. Password checkers say a similar password is 100% secure. Another said 34,000,000 to brute force by computer.



Sent from my iPad using Early Retirement Forum
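Added illustration (not from any poster or tool in this thread) of the arithmetic behind the "time to brute force" figures such checkers report, and of why the figure is optimistic for the prefix/suffix scheme discussed earlier once one leaked password reveals the shared parts. The guess rate and the sample passwords are constructed assumptions.

```python
import math
import string

# Character classes an entropy-style checker credits once any member appears.
CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
)


def charset_size(password: str) -> int:
    """Alphabet size an attacker must cover: the union of every class present."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in password))


def search_space(password: str) -> int:
    """Candidates of this length over the inferred alphabet (the checker's worst case)."""
    return charset_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    return math.log2(search_space(password))


def seconds_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Time to try every candidate at a given rate (the expected time is half of this)."""
    return search_space(password) / guesses_per_second


def residual_search_space(password: str, known_prefix: str, known_suffix: str) -> int:
    """Search space left once the shared prefix/suffix of a prefix-suffix scheme is
    known (e.g. read off a different site's leaked password): only the site-specific
    middle still has to be guessed, so the checker's full-length estimate no longer applies."""
    if not (password.startswith(known_prefix) and password.endswith(known_suffix)):
        raise ValueError("password does not follow the assumed prefix/suffix scheme")
    middle = password[len(known_prefix):len(password) - len(known_suffix)]
    return search_space(middle)


if __name__ == "__main__":
    RATE = 1e9  # assumed offline guess rate against a fast hash; illustrative only
    # Constructed samples modelled on the thread: a 4-digit PIN plus two letters,
    # and the APPLE123 ... zebra789 prefix/suffix example.
    for pw in ("1234ab", "APPLE123lclb$zebra789"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"{seconds_to_exhaust(pw, RATE):.3g} s to exhaust at {RATE:.0e}/s")
    leftover = residual_search_space("APPLE123lclb$zebra789", "APPLE123", "zebra789")
    print(f"with prefix/suffix known: {math.log2(leftover):.1f} bits, "
          f"{leftover / RATE:.3g} s")
```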
 
Glad the system works for you. For me, I prefer to just create my passwords with a random generator without any specific pattern. Using something like your example, my memory isn't good enough without effort.

For example, for Schwab, I'd be asking myself "Was that swb? or Sch? or Swbb?" You get the idea.


I use something similar to ERD. I solve your example by always using the 1st, 3rd and 6th letter of the url. E.g., schwab.com would be shb etc. You could make it more complex by adding a number as a prefix which might be the position of the first letter of the name in the alphabet, or something like that. Then it would be 19shb. Then of course you could be really geeky and convert the number 19 to hexadecimal and then it would be 13shb. ;)

As long as it's rule based, then you won't forget... as long as you don't forget the rule :)


Sent from my iPad using Early Retirement Forum
 
I use something similar to ERD. I solve your example by always using the 1st, 3rd and 6th letter of the url. E.g., schwab.com would be shb etc. You could make it more complex by adding a number as a prefix which might be the position of the first letter of the name in the alphabet, or something like that. Then it would be 19shb. Then of course you could be really geeky and convert the number 19 to hexadecimal and then it would be 13shb. ;)

As long as it's rule based, then you won't forget... as long as you don't forget the rule :)


Sent from my iPad using Early Retirement Forum

I guess that would work as even if you happen to have a site with the 1st, 3rd, and 6th letter the same, that's probably a rare exception of having the same password for different sites. Do you commit the passwords to memory? Hmm...what happens when a site changes url? Do you update to use the new 1st, 3rd and 6th letters? Seems like a lot of effort to me.

But, I'm glad the system works for you. Knowing me, definitely I'd forget the rule :(.
 
I guess that would work as even if you happen to have a site with the 1st, 3rd, and 6th letter the same, that's probably a rare exception of having the same password for different sites. Do you commit the passwords to memory? Hmm...what happens when a site changes url? Do you update to use the new 1st, 3rd and 6th letters? Seems like a lot of effort to me.

But, I'm glad the system works for you. Knowing me, definitely I'd forget the rule :(.


I don't think I've ever used a site that has changed urls... ever :)

No. I commit the rule to memory, that's the idea, one rule for a million sites.


Sent from my iPad using Early Retirement Forum
 
I don't think I've ever used a site that has changed urls... ever :)

No. I commit the rule to memory, that's the idea, one rule for a million sites.


Sent from my iPad using Early Retirement Forum

Didn't HSA Administrators change urls with all their turnover of new custodians over the past few years? That's a site that came to mind. Anyhow, glad you like your password system.
 
After the massive attack of heartbleed bug a couple years ago, I started using the password manager Keepass. It has given me tremendous peace of mind, means I don't have to remember any passwords, and greatly reduces the time needed to access my protected sites. Keepass is locally stored (versus stored in the cloud like password manager lastpass). I don't store the password manager on my computer, but rather on four identical back-up thumb drives, two of which are protected behind an encrypted vault and kept at home, and two further back-up drives which are not encrypted are kept in my safe deposit box.

Keepass generates all of my passwords of a length as long as any site will allow (all of my passwords are very long and complex) and Keepass is only accessible with one global password, which I do not have written down anywhere. I've tested this global master password and it would take almost a hundred thousand years for my password manager to be hacked. The only two people in the world who know the global password are myself and my executor.

I would never use any password that is only eight words long, nor would I use one that doesn't contain numbers, special characters, and upper and lower case characters. Experts have advised strongly against using any password for more than one account, as this is one of the first things hackers look for. There has been considerable debate regarding password managers that are locally stored (as in on one's hard or thumb drive) versus stored in the cloud; however, I am personally extremely uncomfortable with cloud-based password managers and would never use them.

This is exactly what I do! My only addition is I use two factor as well on many accounts.

I have been convinced by people who know more than I do about this, that breaking passwords will work for the thief since they use sophisticated computers that can try infinite combinations. I am also convinced that some passwords, yours and mine, have been stolen already. Thieves have so many passwords that they may not have gotten to the ones in their inventory. Complicated passwords just take more time to break. Changing passwords means thieves need to start fresh. I think this is the key reason to change passwords frequently and to make major changes vs a character here and there.
 
Another tip, don't have a simple answer to those password challenge questions.

For example, don't have a 16 character complex password and then answer "Spot" to "What's your dog's name?". Your dog Spot won't get offended :).

Another question issue, if your mother has passed on, her obituary will contain her maiden name and your name since the survivors are often listed.
 
I don't think I've ever used a site that has changed urls... ever :)

No. I commit the rule to memory, that's the idea, one rule for a million sites.


Sent from my iPad using Early Retirement Forum

I'm sure I've seen some of mine change the url. Their 'home' may be the same, but the page I want to get to directly to log in to the account changes. And sometimes not always easy to find from the home page, or takes a few extra clicks.

But I'll start looking, maybe mine are all a very basic start page now, it would help to have it rule based, But, whooops - just thought of something...

I put any required 'special chars' in the unique part of my 'prefix-suffix' system. I do that, because it seems that it isn't always the same set that are allowed/required, so they can't go in the common part. So that could mess up the 'rule'?

-ERD50
 
I have run into sites that force a password update. Or they force a new password criteria. Then I had to change my PW rules or create an exception. Too much memory work for me.

My lastpass vault has 94 sites in it. Some are ancient.
 
Another question issue, if your mother has passed on, her obituary will contain her maiden name and your name since the survivors are often listed.

My answers have nothing to do with the questions and contain randomly generated numbers. Just because the challenge questions ask certain particular questions doesn't mean you have to answer them accordingly :D.
 
I'm sure I've seen some of mine change the url. Their 'home' may be the same, but the page I want to get to directly to log in to the account changes. And sometimes not always easy to find from the home page, or takes a few extra clicks.

But I'll start looking, maybe mine are all a very basic start page now, it would help to have it rule based, But, whooops - just thought of something...

I put any required 'special chars' in the unique part of my 'prefix-suffix' system. I do that, because it seems that it isn't always the same set that are allowed/required, so they can't go in the common part. So that could mess up the 'rule'?

-ERD50


Yes. I go only to the home page, and navigate from there. Otherwise they're always changing :)

It would mess up the rule I guess. Personally I haven't come across a site that causes me issues....yet.


Sent from my iPad using Early Retirement Forum
 