Join Early Retirement Today
Reply
 
Thread Tools Search this Thread Display Modes
Online passwords!!!
Old 06-08-2016, 09:19 AM   #1
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Midpack's Avatar
 
Join Date: Jan 2008
Location: Chicagoland
Posts: 11,971
Online passwords!!!

With yet another flurry of celebrity personal account hacks, Goodell, Zuckerburg, etc., the experts are again providing recommendations. The two that struck me:
  • 8 characters is no longer enough, no matter how clever/random they are.
  • It's a bother, but I can live with making this change.
  • Users need to have a unique password for each of their accounts.
  • I do have unique "strong" passwords for all of our accounts with any financial aspect. But we use one of 3-4 common passwords for our other 40-50 online accounts. If I have to have 50+ unique, strong passwords - I'll be locked out a lot. My memory is nowhere near that good.
What's the trick I'm overlooking?

One day passwords will be obsolete, replaced by retinal scan, fingerprint, gene sequencing. In the meantime, yikes!
__________________

__________________
No one agrees with other people's opinions; they merely agree with their own opinions -- expressed by somebody else. Sydney Tremayne
Retired Jun 2011 at age 57

Target AA: 60% equity funds / 35% bond funds / 5% cash
Target WR: Approx 2.5% Approx 20% SI (secure income, SS only)
Midpack is online now   Reply With Quote
Join the #1 Early Retirement and Financial Independence Forum Today - It's Totally Free!

Are you planning to be financially independent as early as possible so you can live life on your own terms? Discuss successful investing strategies, asset allocation models, tax strategies and other related topics in our online forum community. Our members range from young folks just starting their journey to financial independence, military retirees and even multimillionaires. No matter where you fit in you'll find that Early-Retirement.org is a great community to join. Best of all it's totally FREE!

You are currently viewing our boards as a guest so you have limited access to our community. Please take the time to register and you will gain a lot of great new features including; the ability to participate in discussions, network with our members, see fewer ads, upload photographs, create a retirement blog, send private messages and so much, much more!

Old 06-08-2016, 09:35 AM   #2
Thinks s/he gets paid by the post
 
Join Date: Jan 2008
Posts: 1,495
After the massive attack of heartbleed bug a couple years ago, I started using the password manager Keepass. It has given me tremendous peace of mind, means I don't have to remember any passwords, and greatly reduces the time needed to access my protected sites. Keepass is locally stored (versus stored in the cloud like password manager lastpass). I don't store the password manager on my computer, but rather on four identical back-up thumb drives, two of which are protected behind an encrypted vault and kept at home, and two further back-up drives which are not encrypted are kept in my safe deposit box.

Keepassgenerates all of my passwords of a length as long as any site will allow (all of my passwords are very long and complex) and Keepass is only accessible with one global password, which I do not have written down anywhere. I've tested this global master password and it would take almost a hundred thousand years for my password manager to be hacked. The only two people know in the world know the global password are myself and my executor.

I would never use any password that is only eight words long, nor would I use one that doesn't contain numbers, special characters, and upper and lower case characters. Experts have advised strongly against using any password for more than one account, as this is one of the first things hackers look for. There has been considerable debate regarding password managers that are locally stored (as in on one's hard or thumb drive) versus stored in the cloud; however, I am personally extremely uncomfortable with cloud-based password managers and would never use them.
__________________

__________________
Options is offline   Reply With Quote
Old 06-08-2016, 09:37 AM   #3
Full time employment: Posting here.
Sojourner's Avatar
 
Join Date: Jan 2012
Posts: 732
Many people use online password managers like 1Password or LastPass. I've been reluctant to go that route, since I'm not fully comfortable with all my passwords being managed by one entity that could be hacked, even though I know the two mentioned above use strong encryption that would be very difficult to crack.

My solution to password management, for now, is to use a locally-installed password manager (in my case, Password Agent) and to keep its data sync'ed between my desktop, laptop, and tablet. This allows me to have unique passwords for every site and also store things like security questions/answers, account numbers, and other info.
__________________
Sojourner is offline   Reply With Quote
Old 06-08-2016, 09:40 AM   #4
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
braumeister's Avatar
 
Join Date: Feb 2010
Location: Northern Kentucky
Posts: 8,592
I have a unique and very complicated password for everything.

Happy user of 1Password since 2007 -- never a problem.
__________________
braumeister is online now   Reply With Quote
Old 06-08-2016, 09:51 AM   #5
Thinks s/he gets paid by the post
ExFlyBoy5's Avatar
 
Join Date: May 2013
Posts: 1,977
Quote:
Originally Posted by Options View Post
After the massive attack of heartbleed bug a couple years ago, I started using the password manager Keepass. It has given me tremendous peace of mind, means I don't have to remember any passwords, and greatly reduces the time needed to access my protected sites. Keepass is locally stored (versus stored in the cloud like password manager lastpass). I don't store the password manager on my computer, but rather on four identical back-up thumb drives, two of which are protected behind an encrypted vault and kept at home, and two further back-up drives which are not encrypted are kept in my safe deposit box.

Keepassgenerates all of my passwords of a length as long as any site will allow (all of my passwords are very long and complex) and Keepass is only accessible with one global password, which I do not have written down anywhere. I've tested this global master password and it would take almost a hundred thousand years for my password manager to be hacked. The only two people know in the world know the global password are myself and my executor.

I would never use any password that is only eight words long, nor would I use one that doesn't contain numbers, special characters, and upper and lower case characters. Experts have advised strongly against using any password for more than one account, as this is one of the first things hackers look for. There has been considerable debate regarding password managers that are locally stored (as in on one's hard or thumb drive) versus stored in the cloud; however, I am personally extremely uncomfortable with cloud-based password managers and would never use them.
Seems like a good idea...but how does this work on a use-ability scale? I often use several devices at home and not. How does it integrate with mobile devices? I will look into it, but it seems like it *could* be a pain.

I try to use a "general" password of 10 characters long, special characters, upper/lowercase/numbers. They are all different in that the 3 digit number is different for all of my sites. I have a list that shows what number goes with what site (e.g. Google: 319; Vanguard 320; USAA 321; etc. Of course, there are some that don't work as some websites won't take some special characters or have some other crazy rule that makes it difficult.
__________________
Founder and Head Lounger @ The Life of Leisure Institute
Retired in 2014 at the Ripe Age of 40.
ExFlyBoy5 is offline   Reply With Quote
Old 06-08-2016, 09:53 AM   #6
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Chuckanut's Avatar
 
Join Date: Aug 2011
Location: West of the Mississippi
Posts: 6,328
From what I read at least on of the hacked celebrities had a password of dadada.
__________________
The worst decisions are usually made in times of anger and impatience.
Chuckanut is offline   Reply With Quote
Old 06-08-2016, 09:57 AM   #7
Thinks s/he gets paid by the post
 
Join Date: Jan 2008
Posts: 1,495
Quote:
Originally Posted by Sojourner View Post
Many people use online password managers like 1Password or LastPass. I've been reluctant to go that route, since I'm not fully comfortable with all my passwords being managed by one entity that could be hacked, even though I know the two mentioned above use strong encryption that would be very difficult to crack.

My solution to password management, for now, is to use a locally-installed password manager (in my case, Password Agent) and to keep its data sync'ed between my desktop, laptop, and tablet. This allows me to have unique passwords for every site and also store things like security questions/answers, account numbers, and other info.
It would take a hacker a hundred thousand years using the most sophisticated methods available today to hack the global password to my password manager, keepass, which is not stored on my machine, and which is further hidden behind an encrypted vault on my thumb drives at home. Lastpass and other cloud-based pw's use encryption between one's computer and their site. It all comes down to one's comfort level.

Nothing is bullet proof, but all debates (and articles) I've seen on the subject strongly recommend the use of password managers as they are the most safe of all.
__________________
Options is offline   Reply With Quote
Old 06-08-2016, 10:02 AM   #8
Moderator Emeritus
aja8888's Avatar
 
Join Date: Apr 2011
Location: The Woodlands, TX
Posts: 7,154
Quote:
Originally Posted by braumeister View Post
I have a unique and very complicated password for everything.

Happy user of 1Password since 2007 -- never a problem.
I don't but I don't have much information stored on my devices that you can't already find on the internet without much trouble.

And our government and medical allies have the rest of it.
__________________
......."Everybody has a plan until they get punched in the face." -- philosopher Mike Tyson.
aja8888 is offline   Reply With Quote
Old 06-08-2016, 10:07 AM   #9
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,885
I'm more afraid of a keylogger program recording my keystrokes than someone or a program guessing my passwords. That said, no way could I try and remember my passwords with all the various requirements (some different) by the different websites. For example, one site may require special characters where another site doesn't allow special characters.

My system is to use a password manager with a master password or phrase and use randomly generated passwords pairs with a good password generator that's flexible to create the different combination of password requirements in length and acceptable characters.

Thus, if I'm under a truth serum and someone asks me what's my password, then I'll say "H*ll if I know."

Oh, and I make backups of the encrypted password data just in case.
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is online now   Reply With Quote
Old 06-08-2016, 10:18 AM   #10
Thinks s/he gets paid by the post
 
Join Date: Nov 2011
Posts: 2,360
There are two common avenues of password hacking: decryption and brute force. In the first the hacker gains access to the master password list maintained by a site, then decodes it, in which case both simple and complex passwords are equally defeated.

The second, brute force, can easily be solved by better site design. In the brute force approach, hackers repeatedly try millions or billions of letter/number/symbol combinations until they happen upon the correct one. To thwart this the site can be designed to mark as incorrect any password entered within a few seconds of a prior attempt. After many (10? 100?) failed attempts the system should deny access. Implemention is neither difficult or new. I used systems during the 1970s that employed such security.

No security is impregnable but the idea is to make a hacker's job too time consuming to be worth the effort.
__________________
GrayHare is online now   Reply With Quote
Old 06-08-2016, 10:24 AM   #11
Moderator
Alan's Avatar
 
Join Date: Jul 2005
Location: Eee Bah Gum
Posts: 21,091
Of the accounts hacked, I wonder how many of them had 2-step verification enabled.

I have unique, long passwords for the financial accounts and most, if not all, have 2-step verification.

However, I have lots of accounts, like this site, where I use a limited set of passwords. So, if I start doing lots of weird things here then my account has probably been hacked.
__________________
Retired in Jan, 2010 at 55, moved to England in May 2016
Now it's adventure before dementia
Alan is offline   Reply With Quote
Old 06-08-2016, 10:37 AM   #12
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Lsbcal's Avatar
 
Join Date: May 2006
Location: west coast, hi there!
Posts: 5,676
Quote:
Originally Posted by Midpack View Post
With yet another flurry of celebrity personal account hacks, Goodell, Zuckerburg, etc., the experts are again providing recommendations. The two that struck me:
  • 8 characters is no longer enough, no matter how clever/random they are.
  • It's a bother, but I can live with making this change.
I think one should have at least 11 character passwords. Many sites also require one capital letter and a digit. Some special characters are banned at other sites. So my choice is to use Lastpass for PC, tablet, and smartphone. Free for just the PC, $12/year for mobile.
Quote:

  • Users need to have a unique password for each of their accounts.
  • I do have unique "strong" passwords for all of our accounts with any financial aspect. But we use one of 3-4 common passwords for our other 40-50 online accounts. If I have to have 50+ unique, strong passwords - I'll be locked out a lot. My memory is nowhere near that good.
What's the trick I'm overlooking?
Again I prefer Lastpass to solve this issue. Also, I would suggest for a smartphone one should have a fingerprint reader on it. This works really nicely with Lastpass. When I want to go to my bank app, I just login with my phone's fingerprint reader (Nexus 6P phone) using Lastpass. Would work for an Iphone too.

Another thing Lastpass offers is Secure Notes. This allows one to store something like a password template that is your rules for establishing certain key passwords. I do commit a few passwords to memory as well as having Lastpass remember them. Another option Lastpass offers is to lock the password view until one inputs the Lastpass master password for that site. Easy to do with a fingerprint reader on a phone.
__________________
Lsbcal is online now   Reply With Quote
Old 06-08-2016, 10:39 AM   #13
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,885
Another tip, don't have a simple answer to those password challenge questions.

For example, don't have a 16 character complex password and then answer "Spot" to "What's your dog's name?". Your dog Spot won't get offended .
__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is online now   Reply With Quote
Old 06-08-2016, 10:44 AM   #14
Thinks s/he gets paid by the post
 
Join Date: Jan 2008
Posts: 1,495
Quote:
Originally Posted by FlyBoy5 View Post
Seems like a good idea...but how does this work on a use-ability scale? I often use several devices at home and not. How does it integrate with mobile devices? I will look into it, but it seems like it *could* be a pain.

Again, there has been considerable debate regarding accessing financial sites on multiple devices, but I would never do it. For me, more devices = more vulnerability. I access protected sites from my computer only. Some people even go so far as to have only one dedicated computer to access financial sites only (I won't go that far). Actually, having a pw on one device is not at all a "pain". In fact, the use of password manager reduced my time paying bills and accessing protected sites considerably. The PW stores not only pw's, but site links as well so that any sites can be accessed directly from a link in the pw without having to bring up the site separately. You can also store other information there such as security questions, pin numbers, etc.

I try to use a "general" password of 10 characters long, special characters, upper/lowercase/numbers. They are all different in that the 3 digit number is different for all of my sites. I have a list that shows what number goes with what site (e.g. Google: 319; Vanguard 320; USAA 321; etc. Of course, there are some that don't work as some websites won't take some special characters or have some other crazy rule that makes it difficult.
I can't believe I used to keep a list both on my computer and on paper, until I realized how vulnerable I was. What if someone breaks into your house and steals the list? This is what a password manager is for.

Quote:
Originally Posted by easysurfer View Post
I'm more afraid of a keylogger program recording my keystrokes than someone or a program guessing my passwords. That said, no way could I try and remember my passwords with all the various requirements (some different) by the different websites. For example, one site may require special characters where another site doesn't allow special characters.

Keepass provides the capability to cut and paste pw's in order to defeat keyloggers, and to minimize the time in which the "cut" is stored in memory (as low as a few seconds).

My system is to use a password manager with a master password or phrase and use randomly generated passwords pairs with a good password generator that's flexible to create the different combination of password requirements in length and acceptable characters.

This is what keepass does, and I think LP as well, all though it's been a couple years since I looked at LP.

Thus, if I'm under a truth serum and someone asks me what's my password, then I'll say "H*ll if I know."

Oh, and I make backups of the encrypted password data just in case.
Quote:
Originally Posted by GrayHare View Post
There are two common avenues of password hacking: decryption and brute force. In the first the hacker gains access to the master password list maintained by a site, then decodes it, in which case both simple and complex passwords are equally defeated.

The second, brute force, can easily be solved by better site design. In the brute force approach, hackers repeatedly try millions or billions of letter/number/symbol combinations until they happen upon the correct one. To thwart this the site can be designed to mark as incorrect any password entered within a few seconds of a prior attempt. After many (10? 100?) failed attempts the system should deny access. Implemention is neither difficult or new. I used systems during the 1970s that employed such security.

No security is impregnable but the idea is to make a hacker's job too time consuming to be worth the effort.
Emphasis added

Thank you for stating the concept much more eloquently than I did (I read this stuff but can never remember the technical terms). I tested my master global pw in order to deter the brute force approach, hence the hundred thousand years to hack. Your last line is the exact logic experts use in recommending password managers.
__________________
Options is offline   Reply With Quote
Old 06-08-2016, 11:01 AM   #15
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
braumeister's Avatar
 
Join Date: Feb 2010
Location: Northern Kentucky
Posts: 8,592
Quote:
Originally Posted by FlyBoy5 View Post
Seems like a good idea...but how does this work on a use-ability scale? I often use several devices at home and not. How does it integrate with mobile devices? I will look into it, but it seems like it *could* be a pain.
1Password instantly syncs my passwords across all my devices.
It does the sync in an encrypted way, of course, and offers you a choice of which sync flavor you want to use (iCloud, Dropbox, or just your own local wifi network). I have used all three at one time or another.

As I said, no problems since I started using it in 2007.
__________________
braumeister is online now   Reply With Quote
Old 06-08-2016, 11:08 AM   #16
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
Midpack's Avatar
 
Join Date: Jan 2008
Location: Chicagoland
Posts: 11,971
Quote:
Originally Posted by Options View Post
I can't believe I used to keep a list both on my computer and on paper, until I realized how vulnerable I was. What if someone breaks into your house and steals the list? This is what a password manager is for.
My most sensitive passwords are on a USB drive in our safe, and I keep a hardcopy in the house. I could give you all day, and I am sure you would never find it...it's never left laying out, no one could steal it.

My less sensitive passwords are on my HD, but only those that would only be a nuisance if hacked.

But as OP, obviously I am looking for a better solution...
__________________
No one agrees with other people's opinions; they merely agree with their own opinions -- expressed by somebody else. Sydney Tremayne
Retired Jun 2011 at age 57

Target AA: 60% equity funds / 35% bond funds / 5% cash
Target WR: Approx 2.5% Approx 20% SI (secure income, SS only)
Midpack is online now   Reply With Quote
Old 06-08-2016, 11:09 AM   #17
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
 
Join Date: Sep 2005
Location: Northern IL
Posts: 18,274
Quote:
Originally Posted by Options View Post
I can't believe I used to keep a list both on my computer and on paper, until I realized how vulnerable I was. What if someone breaks into your house and steals the list? This is what a password manager is for. ...
Like a few others, I'm just not ready to use a password manager (fears may be unfounded, but that's how I feel).

But I've been using a simple system for ~ 3 years that works for me.

A) For sites where security is just not a concern, I have a fairly complex, but easy to remember PW that I use for all these. So far, only a few exceptions to my general rule works with all these sites (>8, an UP alpha, a LC alpha, a number, and a special char).

B) For sites where I have a concern, I use use a common prefix and a common suffix for all. This makes it easy to remember, and adds plenty of complexity. For each site, I add a unique middle set of chars that are easy to remember. Example:

Common prefix APPLE123 --- Common Suffix zebra789

So local bank might be:

APPLE123lclb$zebra789

If my broker was Schwabb, it might be:

APPLE123swbzebra789

etc. I can add any special char requirements to the word. Nice thing about this, I can keep a low tech piece of paper with my passwords on it, even in my wallet, and it is secure. It would look like this:

mybank --- lclb$ ---
stocks --- swb ---
online bank --- olb$
Fidelity Credit Card --- fcc ---

See, not enough info there to give it away. All I need to remember are my prefix and suffix 'keys'. I can even write those down somewhere where the connection would not be made.

Works for me.

-ERD50
__________________
ERD50 is online now   Reply With Quote
Old 06-08-2016, 11:15 AM   #18
Thinks s/he gets paid by the post
ExFlyBoy5's Avatar
 
Join Date: May 2013
Posts: 1,977
Quote:
Originally Posted by braumeister View Post
1Password instantly syncs my passwords across all my devices.
It does the sync in an encrypted way, of course, and offers you a choice of which sync flavor you want to use (iCloud, Dropbox, or just your own local wifi network). I have used all three at one time or another.

As I said, no problems since I started using it in 2007.
Yep..I have been learning quite a bit about these today. I am strongly considering Dashlane as it has features that seem pretty good. I have often wondered about "legacy issues" if I die or become incapacitated and Dashlane has a sweet deal for that. You can have your legacy contact send a request to Dashlane for access, but you can set a period of time before it's effective. So, if I give legacy access to my executor then they request access...Dashlane will send me an email telling me that my legacy contact is attempting access and it will allow you to deny it. After the set time period (that you chose), it will then allow the legacy contact to gain access. You can also make it where it's only allowed to access SOME passwords. Pretty neat, I think.
__________________
Founder and Head Lounger @ The Life of Leisure Institute
Retired in 2014 at the Ripe Age of 40.
ExFlyBoy5 is offline   Reply With Quote
Online passwords!!!
Old 06-08-2016, 11:17 AM   #19
Full time employment: Posting here.
 
Join Date: Aug 2007
Posts: 892
Online passwords!!!

Lastpass user for over 3 years. I pay $12/year for their premium service.

Unique passwords pretty much everywhere along with two-factor authentication. A nice option with Lastpass is that I can use TouchID on all of my iOS devices. Access to Lastpass is locked down as much as possible. Even if you knew my Lastpass password, it would be difficult to get to my other passwords.

It's important to have multiple layers of security.
__________________
Eat, Drink and Be Merry.
tulak is offline   Reply With Quote
Old 06-08-2016, 11:37 AM   #20
Give me a museum and I'll fill it. (Picasso)
Give me a forum ...
easysurfer's Avatar
 
Join Date: Jun 2008
Posts: 7,885
NFL's Twitter account got hacked by someone saying that Goodell had died. At least Goodell had a good comeback tweet:

Quote:
“Man, you leave the office for 1 day of golf [with Jim Kelly] & your own network kills you off,” Goodell said.
Roger Goodell pokes fun at Twitter hack | ProFootballTalk
__________________

__________________
Have you ever seen a headstone with these words
"If only I had spent more time at work" ... from "Busy Man" sung by Billy Ray Cyrus
easysurfer is online now   Reply With Quote
Reply


Currently Active Users Viewing This Thread: 1 (0 members and 1 guests)
 
Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are Off
Pingbacks are Off
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Yahoo Passwords Hacked easysurfer Other topics 8 07-12-2012 06:57 PM
Keeping passwords safe summer2007 FIRE and Money 46 03-21-2008 12:34 PM
Default passwords cute fuzzy bunny Other topics 0 02-22-2006 11:13 AM
Website to Borrow Passwords? haha Other topics 9 06-23-2005 12:09 PM

 

 
All times are GMT -6. The time now is 02:57 PM.
 
Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2017, vBulletin Solutions, Inc.