Online passwords!!!

[Midpack]

With yet another flurry of celebrity personal account hacks, Goodell, Zuckerburg, etc., the experts are again providing recommendations. The two that struck me:

• 8 characters is no longer enough, no matter how clever/random they are.
• It's a bother, but I can live with making this change.

• Users need to have a unique password for each of their accounts.
• I do have unique "strong" passwords for all of our accounts with any financial aspect. But we use one of 3-4 common passwords for our other 40-50 online accounts. If I have to have 50+ unique, strong passwords - I'll be locked out a lot. My memory is nowhere near that good.

What's the trick I'm overlooking?

One day passwords will be obsolete, replaced by retinal scan, fingerprint, gene sequencing. In the meantime, yikes!

[Options]

After the massive attack of heartbleed bug a couple years ago, I started using the password manager Keepass. It has given me tremendous peace of mind, means I don't have to remember any passwords, and greatly reduces the time needed to access my protected sites. Keepass is locally stored (versus stored in the cloud like password manager lastpass). I don't store the password manager on my computer, but rather on four identical back-up thumb drives, two of which are protected behind an encrypted vault and kept at home, and two further back-up drives which are not encrypted are kept in my safe deposit box.

Keepassgenerates all of my passwords of a length as long as any site will allow (all of my passwords are very long and complex) and Keepass is only accessible with one global password, which I do not have written down anywhere. I've tested this global master password and it would take almost a hundred thousand years for my password manager to be hacked. The only two people know in the world know the global password are myself and my executor.

I would never use any password that is only eight words long, nor would I use one that doesn't contain numbers, special characters, and upper and lower case characters. Experts have advised strongly against using any password for more than one account, as this is one of the first things hackers look for. There has been considerable debate regarding password managers that are locally stored (as in on one's hard or thumb drive) versus stored in the cloud; however, I am personally extremely uncomfortable with cloud-based password managers and would never use them.

[Sojourner]

Many people use online password managers like 1Password or LastPass. I've been reluctant to go that route, since I'm not fully comfortable with all my passwords being managed by one entity that could be hacked, even though I know the two mentioned above use strong encryption that would be very difficult to crack.

My solution to password management, for now, is to use a locally-installed password manager (in my case, Password Agent) and to keep its data sync'ed between my desktop, laptop, and tablet. This allows me to have unique passwords for every site and also store things like security questions/answers, account numbers, and other info.

[braumeister]

I have a unique and very complicated password for everything.

Happy user of 1Password since 2007 -- never a problem.

[ExFlyBoy5]

Quote:

Originally Posted by Options After the massive attack of heartbleed bug a couple years ago, I started using the password manager Keepass. It has given me tremendous peace of mind, means I don't have to remember any passwords, and greatly reduces the time needed to access my protected sites. Keepass is locally stored (versus stored in the cloud like password manager lastpass). I don't store the password manager on my computer, but rather on four identical back-up thumb drives, two of which are protected behind an encrypted vault and kept at home, and two further back-up drives which are not encrypted are kept in my safe deposit box. Keepassgenerates all of my passwords of a length as long as any site will allow (all of my passwords are very long and complex) and Keepass is only accessible with one global password, which I do not have written down anywhere. I've tested this global master password and it would take almost a hundred thousand years for my password manager to be hacked. The only two people know in the world know the global password are myself and my executor. I would never use any password that is only eight words long, nor would I use one that doesn't contain numbers, special characters, and upper and lower case characters. Experts have advised strongly against using any password for more than one account, as this is one of the first things hackers look for. There has been considerable debate regarding password managers that are locally stored (as in on one's hard or thumb drive) versus stored in the cloud; however, I am personally extremely uncomfortable with cloud-based password managers and would never use them.

Seems like a good idea...but how does this work on a use-ability scale? I often use several devices at home and not. How does it integrate with mobile devices? I will look into it, but it seems like it *could* be a pain.

I try to use a "general" password of 10 characters long, special characters, upper/lowercase/numbers. They are all different in that the 3 digit number is different for all of my sites. I have a list that shows what number goes with what site (e.g. Google: 319; Vanguard 320; USAA 321; etc. Of course, there are some that don't work as some websites won't take some special characters or have some other crazy rule that makes it difficult.

[Chuckanut]

From what I read at least on of the hacked celebrities had a password of dadada.

[Options]

Quote:

Originally Posted by Sojourner Many people use online password managers like 1Password or LastPass. I've been reluctant to go that route, since I'm not fully comfortable with all my passwords being managed by one entity that could be hacked, even though I know the two mentioned above use strong encryption that would be very difficult to crack. My solution to password management, for now, is to use a locally-installed password manager (in my case, Password Agent) and to keep its data sync'ed between my desktop, laptop, and tablet. This allows me to have unique passwords for every site and also store things like security questions/answers, account numbers, and other info.

It would take a hacker a hundred thousand years using the most sophisticated methods available today to hack the global password to my password manager, keepass, which is not stored on my machine, and which is further hidden behind an encrypted vault on my thumb drives at home. Lastpass and other cloud-based pw's use encryption between one's computer and their site. It all comes down to one's comfort level.

Nothing is bullet proof, but all debates (and articles) I've seen on the subject strongly recommend the use of password managers as they are the most safe of all.

[aja8888]

Quote:

Originally Posted by braumeister I have a unique and very complicated password for everything. Happy user of 1Password since 2007 -- never a problem.

I don't but I don't have much information stored on my devices that you can't already find on the internet without much trouble.

And our government and medical allies have the rest of it.

[easysurfer]

I'm more afraid of a keylogger program recording my keystrokes than someone or a program guessing my passwords. That said, no way could I try and remember my passwords with all the various requirements (some different) by the different websites. For example, one site may require special characters where another site doesn't allow special characters.

My system is to use a password manager with a master password or phrase and use randomly generated passwords pairs with a good password generator that's flexible to create the different combination of password requirements in length and acceptable characters.

Thus, if I'm under a truth serum and someone asks me what's my password, then I'll say "H*ll if I know."

Oh, and I make backups of the encrypted password data just in case.

[GrayHare]

There are two common avenues of password hacking: decryption and brute force. In the first the hacker gains access to the master password list maintained by a site, then decodes it, in which case both simple and complex passwords are equally defeated.

The second, brute force, can easily be solved by better site design. In the brute force approach, hackers repeatedly try millions or billions of letter/number/symbol combinations until they happen upon the correct one. To thwart this the site can be designed to mark as incorrect any password entered within a few seconds of a prior attempt. After many (10? 100?) failed attempts the system should deny access. Implemention is neither difficult or new. I used systems during the 1970s that employed such security.

No security is impregnable but the idea is to make a hacker's job too time consuming to be worth the effort.

[Alan]

Of the accounts hacked, I wonder how many of them had 2-step verification enabled.

I have unique, long passwords for the financial accounts and most, if not all, have 2-step verification.

However, I have lots of accounts, like this site, where I use a limited set of passwords. So, if I start doing lots of weird things here then my account has probably been hacked.

[Lsbcal]

Quote:

Originally Posted by Midpack With yet another flurry of celebrity personal account hacks, Goodell, Zuckerburg, etc., the experts are again providing recommendations. The two that struck me: 8 characters is no longer enough, no matter how clever/random they are. It's a bother, but I can live with making this change.

I think one should have at least 11 character passwords. Many sites also require one capital letter and a digit. Some special characters are banned at other sites. So my choice is to use Lastpass for PC, tablet, and smartphone. Free for just the PC, $12/year for mobile.

Quote:

Users need to have a unique password for each of their accounts. I do have unique "strong" passwords for all of our accounts with any financial aspect. But we use one of 3-4 common passwords for our other 40-50 online accounts. If I have to have 50+ unique, strong passwords - I'll be locked out a lot. My memory is nowhere near that good. What's the trick I'm overlooking?

Again I prefer Lastpass to solve this issue. Also, I would suggest for a smartphone one should have a fingerprint reader on it. This works really nicely with Lastpass. When I want to go to my bank app, I just login with my phone's fingerprint reader (Nexus 6P phone) using Lastpass. Would work for an Iphone too.

Another thing Lastpass offers is Secure Notes. This allows one to store something like a password template that is your rules for establishing certain key passwords. I do commit a few passwords to memory as well as having Lastpass remember them. Another option Lastpass offers is to lock the password view until one inputs the Lastpass master password for that site. Easy to do with a fingerprint reader on a phone.

[easysurfer]

Another tip, don't have a simple answer to those password challenge questions.

For example, don't have a 16 character complex password and then answer "Spot" to "What's your dog's name?". Your dog Spot won't get offended .

[Options]

Quote:

Originally Posted by FlyBoy5 Seems like a good idea...but how does this work on a use-ability scale? I often use several devices at home and not. How does it integrate with mobile devices? I will look into it, but it seems like it *could* be a pain. Again, there has been considerable debate regarding accessing financial sites on multiple devices, but I would never do it. For me, more devices = more vulnerability. I access protected sites from my computer only. Some people even go so far as to have only one dedicated computer to access financial sites only (I won't go that far). Actually, having a pw on one device is not at all a "pain". In fact, the use of password manager reduced my time paying bills and accessing protected sites considerably. The PW stores not only pw's, but site links as well so that any sites can be accessed directly from a link in the pw without having to bring up the site separately. You can also store other information there such as security questions, pin numbers, etc. I try to use a "general" password of 10 characters long, special characters, upper/lowercase/numbers. They are all different in that the 3 digit number is different for all of my sites. I have a list that shows what number goes with what site (e.g. Google: 319; Vanguard 320; USAA 321; etc. Of course, there are some that don't work as some websites won't take some special characters or have some other crazy rule that makes it difficult.

I can't believe I used to keep a list both on my computer and on paper, until I realized how vulnerable I was. What if someone breaks into your house and steals the list? This is what a password manager is for.

Quote:

Originally Posted by easysurfer I'm more afraid of a keylogger program recording my keystrokes than someone or a program guessing my passwords. That said, no way could I try and remember my passwords with all the various requirements (some different) by the different websites. For example, one site may require special characters where another site doesn't allow special characters. Keepass provides the capability to cut and paste pw's in order to defeat keyloggers, and to minimize the time in which the "cut" is stored in memory (as low as a few seconds). My system is to use a password manager with a master password or phrase and use randomly generated passwords pairs with a good password generator that's flexible to create the different combination of password requirements in length and acceptable characters. This is what keepass does, and I think LP as well, all though it's been a couple years since I looked at LP. Thus, if I'm under a truth serum and someone asks me what's my password, then I'll say "H*ll if I know." Oh, and I make backups of the encrypted password data just in case.

Quote:

Originally Posted by GrayHare There are two common avenues of password hacking: decryption and brute force. In the first the hacker gains access to the master password list maintained by a site, then decodes it, in which case both simple and complex passwords are equally defeated. The second, brute force, can easily be solved by better site design. In the brute force approach, hackers repeatedly try millions or billions of letter/number/symbol combinations until they happen upon the correct one. To thwart this the site can be designed to mark as incorrect any password entered within a few seconds of a prior attempt. After many (10? 100?) failed attempts the system should deny access. Implemention is neither difficult or new. I used systems during the 1970s that employed such security. No security is impregnable but the idea is to make a hacker's job too time consuming to be worth the effort.

Emphasis added

Thank you for stating the concept much more eloquently than I did (I read this stuff but can never remember the technical terms). I tested my master global pw in order to deter the brute force approach, hence the hundred thousand years to hack. Your last line is the exact logic experts use in recommending password managers.

[braumeister]

Quote:

Originally Posted by FlyBoy5 Seems like a good idea...but how does this work on a use-ability scale? I often use several devices at home and not. How does it integrate with mobile devices? I will look into it, but it seems like it *could* be a pain.

1Password instantly syncs my passwords across all my devices.
It does the sync in an encrypted way, of course, and offers you a choice of which sync flavor you want to use (iCloud, Dropbox, or just your own local wifi network). I have used all three at one time or another.

As I said, no problems since I started using it in 2007.

[Midpack]

Quote:

Originally Posted by Options I can't believe I used to keep a list both on my computer and on paper, until I realized how vulnerable I was. What if someone breaks into your house and steals the list? This is what a password manager is for.

My most sensitive passwords are on a USB drive in our safe, and I keep a hardcopy in the house. I could give you all day, and I am sure you would never find it...it's never left laying out, no one could steal it.

My less sensitive passwords are on my HD, but only those that would only be a nuisance if hacked.

But as OP, obviously I am looking for a better solution...

[ERD50]

Quote:

Originally Posted by Options I can't believe I used to keep a list both on my computer and on paper, until I realized how vulnerable I was. What if someone breaks into your house and steals the list? This is what a password manager is for. ...

Like a few others, I'm just not ready to use a password manager (fears may be unfounded, but that's how I feel).

But I've been using a simple system for ~ 3 years that works for me.

A) For sites where security is just not a concern, I have a fairly complex, but easy to remember PW that I use for all these. So far, only a few exceptions to my general rule works with all these sites (>8, an UP alpha, a LC alpha, a number, and a special char).

B) For sites where I have a concern, I use use a common prefix and a common suffix for all. This makes it easy to remember, and adds plenty of complexity. For each site, I add a unique middle set of chars that are easy to remember. Example:

Common prefix APPLE123 --- Common Suffix zebra789

So local bank might be:

APPLE123lclb$zebra789

If my broker was Schwabb, it might be:

APPLE123swbzebra789

etc. I can add any special char requirements to the word. Nice thing about this, I can keep a low tech piece of paper with my passwords on it, even in my wallet, and it is secure. It would look like this:

mybank --- lclb$ ---
stocks --- swb ---
online bank --- olb$
Fidelity Credit Card --- fcc ---

See, not enough info there to give it away. All I need to remember are my prefix and suffix 'keys'. I can even write those down somewhere where the connection would not be made.

Works for me.

-ERD50

[ExFlyBoy5]

Quote:

Originally Posted by braumeister 1Password instantly syncs my passwords across all my devices. It does the sync in an encrypted way, of course, and offers you a choice of which sync flavor you want to use (iCloud, Dropbox, or just your own local wifi network). I have used all three at one time or another. As I said, no problems since I started using it in 2007.

Yep..I have been learning quite a bit about these today. I am strongly considering Dashlane as it has features that seem pretty good. I have often wondered about "legacy issues" if I die or become incapacitated and Dashlane has a sweet deal for that. You can have your legacy contact send a request to Dashlane for access, but you can set a period of time before it's effective. So, if I give legacy access to my executor then they request access...Dashlane will send me an email telling me that my legacy contact is attempting access and it will allow you to deny it. After the set time period (that you chose), it will then allow the legacy contact to gain access. You can also make it where it's only allowed to access SOME passwords. Pretty neat, I think.

[tulak]

Lastpass user for over 3 years. I pay $12/year for their premium service.

Unique passwords pretty much everywhere along with two-factor authentication. A nice option with Lastpass is that I can use TouchID on all of my iOS devices. Access to Lastpass is locked down as much as possible. Even if you knew my Lastpass password, it would be difficult to get to my other passwords.

It's important to have multiple layers of security.

[easysurfer]

NFL's Twitter account got hacked by someone saying that Goodell had died. At least Goodell had a good comeback tweet:

Quote:

“Man, you leave the office for 1 day of golf [with Jim Kelly] & your own network kills you off,” Goodell said.

Roger Goodell pokes fun at Twitter hack | ProFootballTalk