Online passwords!!!

[W2R]

Quote:

Originally Posted by ERD50 Like a few others, I'm just not ready to use a password manager (fears may be unfounded, but that's how I feel). But I've been using a simple system for ~ 3 years that works for me. A) For sites where security is just not a concern, I have a fairly complex, but easy to remember PW that I use for all these. So far, only a few exceptions to my general rule works with all these sites (>8, an UP alpha, a LC alpha, a number, and a special char). B) For sites where I have a concern, I use use a common prefix and a common suffix for all. This makes it easy to remember, and adds plenty of complexity. For each site, I add a unique middle set of chars that are easy to remember. Example: Common prefix APPLE123 --- Common Suffix zebra789 So local bank might be: APPLE123lclb$zebra789 If my broker was Schwabb, it might be: APPLE123swbzebra789 etc. I can add any special char requirements to the word. Nice thing about this, I can keep a low tech piece of paper with my passwords on it, even in my wallet, and it is secure. It would look like this: mybank --- lclb$ --- stocks --- swb --- online bank --- olb$ Fidelity Credit Card --- fcc --- See, not enough info there to give it away. All I need to remember are my prefix and suffix 'keys'. I can even write those down somewhere where the connection would not be made. Works for me. -ERD50

That is SO COOL!!! I really, really like your prefix & suffix method and I am so impressed. I had never heard of that idea before. It seems ingenious to me, so much so that I might switch over to that method. I tried password software but do not like depending on it.

[Totoro]

I use the same method as ERD50

[W2R]

Quote:

Originally Posted by Totoro I use the same method as ERD50

Well then both of you have a cool method for remembering passwords!

[audreyh1]

I divide my passwords into three classes depending on the information they have on me - sensitive (anything with SS and DOB and account numbers), and minor exposure (CC info stored), and very low exposure (name and email address, maybe shipping address).

The sensitive passwords are in a password protected file on a password protected encrypted drive on a password protected computer (all different passwords). The minor I often allow Keychain to store the password.

For very low exposure sites that have little more than one of my throw away email addresses I tend to reuse a handful of simple passwords. Anything above that level has a unique password.

[Lsbcal]

Quote:

Originally Posted by ERD50 ... So local bank might be: APPLE123lclb$zebra789 If my broker was Schwabb, it might be: APPLE123swbzebra789 ...

I used to have a system somewhat like this. One should avoid dictionary words though. So I would replace "zebra" with maybe "zbr" removing vowels. It certainly is a workable system.

What I've done is to favor frequent checking of accounts as a security measure. This was after reading how some on this forum checked much more frequently then I use to. W2R was an inspiration on this as I recall and maybe Audrey too .

This means I want to login somewhat effortlessly and frequently. Remembering this stuff and typing it in is a hassle. Typing on a smartphone is a hassle but less so on a PC. Even on a PC I found I make too many typing errors which might lead me to back off of frequent checking of accounts. On vacations I found that it was a hassle to check accounts and my memory is a little rusty when dealing with all the other things associated with travel.

That is why I chose to use Lastpass plus a smartphone fingerprint reader. Also I use 2 factor authentication as mentioned by some above.

[Sunset]

Quote:

Originally Posted by Options After the massive attack of heartbleed bug a couple years ago, I started using the password manager Keepass. It has given me tremendous peace of mind, means I don't have to remember any passwords, and greatly reduces the time needed to access my protected sites. Keepass is locally stored (versus stored in the cloud like password manager lastpass). I don't store the password manager on my computer, but rather on four identical back-up thumb drives, two of which are protected behind an encrypted vault and kept at home, and two further back-up drives which are not encrypted are kept in my safe deposit box. Keepassgenerates all of my passwords of a length as long as any site will allow (all of my passwords are very long and complex) and Keepass is only accessible with one global password, which I do not have written down anywhere. I've tested this global master password and it would take almost a hundred thousand years for my password manager to be hacked. The only two people know in the world know the global password are myself and my executor. I would never use any password that is only eight words long, nor would I use one that doesn't contain numbers, special characters, and upper and lower case characters. Experts have advised strongly against using any password for more than one account, as this is one of the first things hackers look for. There has been considerable debate regarding password managers that are locally stored (as in on one's hard or thumb drive) versus stored in the cloud; however, I am personally extremely uncomfortable with cloud-based password managers and would never use them.

+1
Easy to use, works reliably for years. I have over 200 Unique passwords.

It also provides a notes section so you can store the crazy unrelated answers to the security questions:
Example - What is your first pets name: Answer: AlexanderTheGreatWasAWhipperSnapper

[gauss]

I finally broke down and setup lastpass along with OATH authentication for the lastpass account (ie Google Authentication 30 second 6 digits rolling codes provided by my smartphone).

I figured having all the passwords available in one place which would allow a quick change if necessary would outweigh the risk of storing them together.

In the past I have had problems logging into a site that I don't use all the time due forgetting about a special character that needed to be added to that particular password or something. This is a bad feeling to have when you fear that your account may have been hacked or otherwise during times of stress.

I don't tend to share passwords between accounts rather I have a site specific portion of the password combined with a common root portion which serves to add characters.

-gauss

[audreyh1]

If my sensitive accounts offer two pass verification, I enable it.

[dixonge]

I've used a system similar to ERD50's for many years now. I think I first saw it discussed on a LifeHacker article? However, my fear is that even that system is too easy to figure out. For example, if a site is hacked and someone scrutinizes my password, would the pattern stand out? I try to minimize the risk by using only the first letters of a phrase for the parts that go on more than one site. So if I was using the lyrics of "My Bonnie Lies Over The Ocean" for my phrase, a site password might look something like this:

Mblotoelogmblots*0

It is amazingly easy to remember while satisfying all of the complexity requirements that most sites set up. Upon initial inspection it seems to be rather random, which would hopefully dissuade a hacker from further scrutiny. It's not foolproof, but it might be tricky enough to keep me from being an easy target.

So pick a phrase from a favorite song, preferably not one that is too well-known, and go for it. Unique for each site, easy enough to remember so that you don't have to write anything down or use a manager.

You can also check online to see if your email or User ID has been part of a hack. I had several sites come up, but since my passwords are unique I worry less...

https://haveibeenpwned.com/

One of my emails shows up in TEN sites that were hacked!

[easysurfer]

Quote:

Originally Posted by ERD50 ... Common prefix APPLE123 --- Common Suffix zebra789 So local bank might be: APPLE123lclb$zebra789 If my broker was Schwabb, it might be: APPLE123swbzebra789 ... Works for me. -ERD50

Glad the system works for you. For me, I prefer to just create my passwords with a random generator without any specific pattern. Using something like your example, my memory isn't good enough without effort.

For example, for Schawbb, I'd be asking myself "Was that swb? or Sch? or Swbb?" You get the idea.

[kgtest]

Many ways to obtain passwords, a keylogger, malware/spyware, database hack, human intelligence. The first level of defense is always on the person. You need to be just as humanly intelligent, if not more intelligent then those trying to cause harm.


VP of bank security recommends two-factor authentication, and a password locker. They actually make us take our laptops home every night...this is not a security measure, rather a continuity measure. if the bank is bombed tomorrow, at least I have my laptop to work off...yay!

[Sunset]

[QUOTE=gauss;1742089....I don't tend to share passwords between accounts rather I have a site specific portion of the password combined with a common root portion which serves to add characters.
...[/QUOTE]

I did this a long time ago, but but realized if a hacker gets to see multiple of my passwords that it would be easy to figure out

cnnCOMMONROOT
yahooCOMMONROOT

Then they could just go to all the banks bofCOMMONROOT , etc...

[Sunset]

Quote:

Originally Posted by dixonge ... You can also check online to see if your email or User ID has been part of a hack. I had several sites come up, but since my passwords are unique I worry less... https://haveibeenpwned.com/ One of my emails shows up in TEN sites that were hacked!

Thanks for this.
I use a different email address for every one of my important sites, if you own a domain you can have an incredible number of emails.

So if I get an email pretending to be from a bank on my regular email account, I know it's fake as they don't have my "regular" email address.

[Cobra9777]

Quote:

Originally Posted by Options ...I've tested this global master password and it would take almost a hundred thousand years for my password manager to be hacked...

I've used Password Safe for 15 years. I wouldn't be able to function without it. All my user IDs, passwords, and answers to security questions are random, unintelligible strings that conform to the maximum strength allowed by the site.

However, your post inspired me to beef-up the master password. I tested my existing password and got an estimate of 3 hours to brute-force it with an average home PC. I changed it to something which I can easily remember (I hope) and got an estimate of 10,000 centuries. That should be sufficient.

For whatever reason (probably habit), I always kept the original master password from 15 years ago, which was essentially a 4 digit pin with 2 letters at the end. Really dumb. Thanks for the prod.

[Totoro]

Quote:

Originally Posted by Sunset cnnCOMMONROOT yahooCOMMONROOT Then they could just go to all the banks bofCOMMONROOT , etc...

You don't do bofCOMMONROOT but fruh9632!COMMONROOT (or similar). And then you write fruh9632! down.

Point is to be difficult enough to withstand most bulk attacks and not have a single point of failure (password managers or one password to unlock them all). Two-factor adds another layer for banking stuff (physical device + pin).

Perfect security doesn't exist, and if a competent person is out to get you, it's very unlikely one will withstand the attack.

Same reason you should use several e-mails and rotate every so often. Hacked and leaked files contain logins, which usually are e-mail or facebook handles. They get reused for attacking other sites. You'll drop out of the bulk attacks if you switch addresses every so often. That's why I frequently create a separate e-mail address for a new service I subscribe to (I have my own domain. so it's 5 seconds work).

I get alot of spam these days for example and phishing mails at one throwaway I used for my linkedin account. Not only do I know the source, I can also safely shut it down and switch.

[ExFlyBoy5]

I am in the process of setting up my Dashlane account and they have a test to see how good your master password is. I tested one that was very similar to the actual one and I guess I did pretty good...

[ExFlyBoy5]

OR...maybe not...guess I need to work on it since with a much larger password I came up with this

[Rustic23]

I use Lastpass. While my Lstpass password is OK, it is not really that strong. It is based on an 18 character phrase using capital letters and some special characters.

I have an idea for a even stronger one. Something like this.

%s#!jfN9RxY2AwhWfEShxk5y

Now, I would never be able to remember this much less type it. However, I have access to a website. I could also use a free google site. I have thought of putting the password on an html and putting it online with no reference as to what it was for. Bring up the site, and copy paste. I have multiple gmail accounts, so it would be one I seldom use.

Thoughts?

[Lsbcal]

Quote:

Originally Posted by Rustic23 I use Lastpass. While my Lstpass password is OK, it is not really that strong. It is based on an 18 character phrase using capital letters and some special characters. ...

18 characters is probably overkill unless one is using full dictionary words. Try running it through one of those password checkers. Naturally you don't want to use the exact same one you use but instead one that is close.

[Rustic23]

It uses dictionary words I reset it to 12 letters numbers and special chapters. Password checkers say similar password 100% secure. Another said 34,000,000 to brute force by computer.



Sent from my iPad using Early Retirement Forum