Online passwords!!!

Midpack (joined Jan 21, 2008; 21,321 messages; location NC)
With yet another flurry of celebrity personal account hacks, Goodell, Zuckerberg, etc., the experts are again providing recommendations. The two that struck me:
  • 8 characters is no longer enough, no matter how clever/random they are.
    It's a bother, but I can live with making this change.
  • Users need to have a unique password for each of their accounts.
    I do have unique "strong" passwords for all of our accounts with any financial aspect. But we use one of 3-4 common passwords for our other 40-50 online accounts. If I have to have 50+ unique, strong passwords - I'll be locked out a lot. My memory is nowhere near that good.
What's the trick I'm overlooking?

One day passwords will be obsolete, replaced by retinal scan, fingerprint, gene sequencing. In the meantime, yikes!
 
After the massive attack of the Heartbleed bug a couple years ago, I started using the password manager Keepass. It has given me tremendous peace of mind, means I don't have to remember any passwords, and greatly reduces the time needed to access my protected sites. Keepass is locally stored (versus stored in the cloud like the password manager LastPass). I don't store the password manager on my computer, but rather on four identical back-up thumb drives, two of which are protected behind an encrypted vault and kept at home, and two further back-up drives which are not encrypted are kept in my safe deposit box.

Keepass generates all of my passwords of a length as long as any site will allow (all of my passwords are very long and complex) and Keepass is only accessible with one global password, which I do not have written down anywhere. I've tested this global master password and it would take almost a hundred thousand years for my password manager to be hacked. The only two people in the world who know the global password are myself and my executor.

I would never use any password that is only eight words long, nor would I use one that doesn't contain numbers, special characters, and upper and lower case characters. Experts have advised strongly against using any password for more than one account, as this is one of the first things hackers look for. There has been considerable debate regarding password managers that are locally stored (as in on one's hard or thumb drive) versus stored in the cloud; however, I am personally extremely uncomfortable with cloud-based password managers and would never use them.
 
Many people use online password managers like 1Password or LastPass. I've been reluctant to go that route, since I'm not fully comfortable with all my passwords being managed by one entity that could be hacked, even though I know the two mentioned above use strong encryption that would be very difficult to crack.

My solution to password management, for now, is to use a locally-installed password manager (in my case, Password Agent) and to keep its data sync'ed between my desktop, laptop, and tablet. This allows me to have unique passwords for every site and also store things like security questions/answers, account numbers, and other info.
 
I have a unique and very complicated password for everything.

Happy user of 1Password since 2007 -- never a problem.
 
After the massive attack of the Heartbleed bug a couple years ago, I started using the password manager Keepass. It has given me tremendous peace of mind, means I don't have to remember any passwords, and greatly reduces the time needed to access my protected sites. Keepass is locally stored (versus stored in the cloud like the password manager LastPass). I don't store the password manager on my computer, but rather on four identical back-up thumb drives, two of which are protected behind an encrypted vault and kept at home, and two further back-up drives which are not encrypted are kept in my safe deposit box.

Keepass generates all of my passwords of a length as long as any site will allow (all of my passwords are very long and complex) and Keepass is only accessible with one global password, which I do not have written down anywhere. I've tested this global master password and it would take almost a hundred thousand years for my password manager to be hacked. The only two people in the world who know the global password are myself and my executor.

I would never use any password that is only eight words long, nor would I use one that doesn't contain numbers, special characters, and upper and lower case characters. Experts have advised strongly against using any password for more than one account, as this is one of the first things hackers look for. There has been considerable debate regarding password managers that are locally stored (as in on one's hard or thumb drive) versus stored in the cloud; however, I am personally extremely uncomfortable with cloud-based password managers and would never use them.

Seems like a good idea...but how does this work on a usability scale? I often use several devices at home and not. How does it integrate with mobile devices? I will look into it, but it seems like it *could* be a pain.

I try to use a "general" password of 10 characters long, special characters, upper/lowercase/numbers. They are all different in that the 3 digit number is different for all of my sites. I have a list that shows what number goes with what site (e.g. Google: 319; Vanguard 320; USAA 321; etc.). Of course, there are some that don't work as some websites won't take some special characters or have some other crazy rule that makes it difficult.
 
Many people use online password managers like 1Password or LastPass. I've been reluctant to go that route, since I'm not fully comfortable with all my passwords being managed by one entity that could be hacked, even though I know the two mentioned above use strong encryption that would be very difficult to crack.

My solution to password management, for now, is to use a locally-installed password manager (in my case, Password Agent) and to keep its data sync'ed between my desktop, laptop, and tablet. This allows me to have unique passwords for every site and also store things like security questions/answers, account numbers, and other info.

It would take a hacker a hundred thousand years using the most sophisticated methods available today to hack the global password to my password manager, keepass, which is not stored on my machine, and which is further hidden behind an encrypted vault on my thumb drives at home. Lastpass and other cloud-based pw's use encryption between one's computer and their site. It all comes down to one's comfort level.

Nothing is bulletproof, but all debates (and articles) I've seen on the subject strongly recommend the use of password managers as they are the safest of all.
 
I have a unique and very complicated password for everything.

Happy user of 1Password since 2007 -- never a problem.

I don't but I don't have much information stored on my devices that you can't already find on the internet without much trouble.

And our government and medical allies have the rest of it.
 
I'm more afraid of a keylogger program recording my keystrokes than someone or a program guessing my passwords. That said, no way could I try and remember my passwords with all the various requirements (some different) by the different websites. For example, one site may require special characters where another site doesn't allow special characters.

My system is to use a password manager with a master password or phrase and use randomly generated passwords paired with a good password generator that's flexible enough to create the different combinations of password requirements in length and acceptable characters.

Thus, if I'm under a truth serum and someone asks me what's my password, then I'll say "H*ll if I know." :LOL:

Oh, and I make backups of the encrypted password data just in case.
 
There are two common avenues of password hacking: decryption and brute force. In the first the hacker gains access to the master password list maintained by a site, then decodes it, in which case both simple and complex passwords are equally defeated.

The second, brute force, can easily be solved by better site design. In the brute force approach, hackers repeatedly try millions or billions of letter/number/symbol combinations until they happen upon the correct one. To thwart this the site can be designed to mark as incorrect any password entered within a few seconds of a prior attempt. After many (10? 100?) failed attempts the system should deny access. Implementation is neither difficult nor new. I used systems during the 1970s that employed such security.

No security is impregnable but the idea is to make a hacker's job too time consuming to be worth the effort.
 
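The throttle-and-lockout design the post above describes, written out as an added example (not code from the thread): an attempt made within MIN_INTERVAL seconds of the previous one counts as a failure whatever the password, and MAX_FAILURES consecutive failures lock the account. It goes one step beyond the post by also storing the sample password as a salted PBKDF2 hash, so a stolen password table (the post's first avenue) is not directly readable; the class name, the constants and the "alice" account are assumptions made for the illustration.

```python
"""Added example: per-account login throttle with lockout, as the post
describes. LoginThrottle, MIN_INTERVAL, MAX_FAILURES and the sample user
are constructed for illustration, not taken from any real system."""
import hashlib
import hmac
import os
import time

MIN_INTERVAL = 3.0   # seconds that must pass between attempts on one account
MAX_FAILURES = 10    # consecutive failures before the account is locked


def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2: a copied credential table still costs work per guess.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed sample account; a real service would keep this in a database.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, hash_password("correct horse battery", _SALT))}


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock        # injectable so tests can advance time
        self.last_attempt = {}    # username -> time of the last attempt
        self.failures = {}        # username -> consecutive failure count
        self.locked = set()       # usernames denied until an admin resets

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_password', 'too_fast' or 'locked'."""
        if username in self.locked:
            return "locked"
        now = self.clock()
        prev = self.last_attempt.get(username)
        self.last_attempt[username] = now
        if prev is not None and now - prev < MIN_INTERVAL:
            # Counted as a failure even when the password is right, so a
            # rapid guessing loop learns nothing from a lucky hit.
            return self._fail(username, "too_fast")
        record = USERS.get(username)
        if record is None:
            # Hash anyway so unknown and known usernames take equal time.
            hash_password(password, b"\0" * 16)
            return self._fail(username, "bad_password")
        salt, expected = record
        if hmac.compare_digest(hash_password(password, salt), expected):
            self.failures[username] = 0
            return "ok"
        return self._fail(username, "bad_password")

    def _fail(self, username: str, reason: str) -> str:
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked.add(username)
            return "locked"
        return reason
```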
Of the accounts hacked, I wonder how many of them had 2-step verification enabled.

I have unique, long passwords for the financial accounts and most, if not all, have 2-step verification.

However, I have lots of accounts, like this site, where I use a limited set of passwords. So, if I start doing lots of weird things here then my account has probably been hacked.
 
With yet another flurry of celebrity personal account hacks, Goodell, Zuckerberg, etc., the experts are again providing recommendations. The two that struck me:
  • 8 characters is no longer enough, no matter how clever/random they are.
    It's a bother, but I can live with making this change.
I think one should have at least 11-character passwords. Many sites also require one capital letter and a digit. Some special characters are banned at other sites. So my choice is to use LastPass for PC, tablet, and smartphone. Free for just the PC, $12/year for mobile.
  • Users need to have a unique password for each of their accounts.
    I do have unique "strong" passwords for all of our accounts with any financial aspect. But we use one of 3-4 common passwords for our other 40-50 online accounts. If I have to have 50+ unique, strong passwords - I'll be locked out a lot. My memory is nowhere near that good.
What's the trick I'm overlooking?
Again I prefer LastPass to solve this issue. Also, I would suggest for a smartphone one should have a fingerprint reader on it. This works really nicely with LastPass. When I want to go to my bank app, I just log in with my phone's fingerprint reader (Nexus 6P phone) using LastPass. Would work for an iPhone too.

Another thing LastPass offers is Secure Notes. This allows one to store something like a password template that is your rules for establishing certain key passwords. I do commit a few passwords to memory as well as having LastPass remember them. Another option LastPass offers is to lock the password view until one inputs the LastPass master password for that site. Easy to do with a fingerprint reader on a phone.
 
Another tip, don't have a simple answer to those password challenge questions.

For example, don't have a 16 character complex password and then answer "Spot" to "What's your dog's name?". Your dog Spot won't get offended :).
 
Seems like a good idea...but how does this work on a usability scale? I often use several devices at home and not. How does it integrate with mobile devices? I will look into it, but it seems like it *could* be a pain.

Again, there has been considerable debate regarding accessing financial sites on multiple devices, but I would never do it. For me, more devices = more vulnerability. I access protected sites from my computer only. Some people even go so far as to have only one dedicated computer to access financial sites only (I won't go that far). Actually, having a pw on one device is not at all a "pain". In fact, the use of a password manager reduced my time paying bills and accessing protected sites considerably. The PW stores not only pw's, but site links as well, so that any site can be accessed directly from a link in the pw without having to bring up the site separately. You can also store other information there such as security questions, PIN numbers, etc.

I try to use a "general" password of 10 characters long, special characters, upper/lowercase/numbers. They are all different in that the 3 digit number is different for all of my sites. I have a list that shows what number goes with what site (e.g. Google: 319; Vanguard 320; USAA 321; etc.). Of course, there are some that don't work as some websites won't take some special characters or have some other crazy rule that makes it difficult.

I can't believe I used to keep a list both on my computer and on paper, until I realized how vulnerable I was. What if someone breaks into your house and steals the list? This is what a password manager is for.

I'm more afraid of a keylogger program recording my keystrokes than someone or a program guessing my passwords. That said, no way could I try and remember my passwords with all the various requirements (some different) by the different websites. For example, one site may require special characters where another site doesn't allow special characters.

Keepass provides the capability to cut and paste pw's in order to defeat keyloggers, and to minimize the time in which the "cut" is stored in memory (as low as a few seconds).

My system is to use a password manager with a master password or phrase and use randomly generated passwords paired with a good password generator that's flexible enough to create the different combinations of password requirements in length and acceptable characters.

This is what Keepass does, and I think LP as well, although it's been a couple years since I looked at LP.

Thus, if I'm under a truth serum and someone asks me what's my password, then I'll say "H*ll if I know." :LOL:

Oh, and I make backups of the encrypted password data just in case.

There are two common avenues of password hacking: decryption and brute force. In the first the hacker gains access to the master password list maintained by a site, then decodes it, in which case both simple and complex passwords are equally defeated.

The second, brute force, can easily be solved by better site design. In the brute force approach, hackers repeatedly try millions or billions of letter/number/symbol combinations until they happen upon the correct one. To thwart this the site can be designed to mark as incorrect any password entered within a few seconds of a prior attempt. After many (10? 100?) failed attempts the system should deny access. Implementation is neither difficult nor new. I used systems during the 1970s that employed such security.

No security is impregnable but the idea is to make a hacker's job too time consuming to be worth the effort.

Emphasis added

Thank you for stating the concept much more eloquently than I did (I read this stuff but can never remember the technical terms). I tested my master global pw in order to deter the brute force approach, hence the hundred thousand years to hack. Your last line is the exact logic experts use in recommending password managers.
 
Seems like a good idea...but how does this work on a usability scale? I often use several devices at home and not. How does it integrate with mobile devices? I will look into it, but it seems like it *could* be a pain.

1Password instantly syncs my passwords across all my devices.
It does the sync in an encrypted way, of course, and offers you a choice of which sync flavor you want to use (iCloud, Dropbox, or just your own local wifi network). I have used all three at one time or another.

As I said, no problems since I started using it in 2007.
 
I can't believe I used to keep a list both on my computer and on paper, until I realized how vulnerable I was. What if someone breaks into your house and steals the list? This is what a password manager is for.
My most sensitive passwords are on a USB drive in our safe, and I keep a hardcopy in the house. I could give you all day, and I am sure you would never find it...it's never left lying out, no one could steal it.

My less sensitive passwords are on my HD, but only those that would only be a nuisance if hacked.

But as OP, obviously I am looking for a better solution...
 
I can't believe I used to keep a list both on my computer and on paper, until I realized how vulnerable I was. What if someone breaks into your house and steals the list? This is what a password manager is for. ...

Like a few others, I'm just not ready to use a password manager (fears may be unfounded, but that's how I feel).

But I've been using a simple system for ~ 3 years that works for me.

A) For sites where security is just not a concern, I have a fairly complex, but easy to remember PW that I use for all these. So far, with only a few exceptions, my general rule works with all these sites (>8, an upper-case alpha, a lower-case alpha, a number, and a special char).

B) For sites where I have a concern, I use a common prefix and a common suffix for all. This makes it easy to remember, and adds plenty of complexity. For each site, I add a unique middle set of chars that are easy to remember. Example:

Common prefix APPLE123 --- Common Suffix zebra789

So local bank might be:

APPLE123lclb$zebra789

If my broker was Schwab, it might be:

APPLE123swbzebra789

etc. I can add any special char requirements to the word. Nice thing about this, I can keep a low tech piece of paper with my passwords on it, even in my wallet, and it is secure. It would look like this:

mybank --- lclb$ ---
stocks --- swb ---
online bank --- olb$ ---
Fidelity Credit Card --- fcc ---

See, not enough info there to give it away. All I need to remember are my prefix and suffix 'keys'. I can even write those down somewhere where the connection would not be made.

Works for me.

-ERD50
 
1Password instantly syncs my passwords across all my devices.
It does the sync in an encrypted way, of course, and offers you a choice of which sync flavor you want to use (iCloud, Dropbox, or just your own local wifi network). I have used all three at one time or another.

As I said, no problems since I started using it in 2007.

Yep..I have been learning quite a bit about these today. I am strongly considering Dashlane as it has features that seem pretty good. I have often wondered about "legacy issues" if I die or become incapacitated and Dashlane has a sweet deal for that. You can have your legacy contact send a request to Dashlane for access, but you can set a period of time before it's effective. So, if I give legacy access to my executor then they request access...Dashlane will send me an email telling me that my legacy contact is attempting access and it will allow you to deny it. After the set time period (that you chose), it will then allow the legacy contact to gain access. You can also make it where it's only allowed to access SOME passwords. Pretty neat, I think.
 
Lastpass user for over 3 years. I pay $12/year for their premium service.

Unique passwords pretty much everywhere along with two-factor authentication. A nice option with Lastpass is that I can use TouchID on all of my iOS devices. Access to Lastpass is locked down as much as possible. Even if you knew my Lastpass password, it would be difficult to get to my other passwords.

It's important to have multiple layers of security.
 
Like a few others, I'm just not ready to use a password manager (fears may be unfounded, but that's how I feel).

But I've been using a simple system for ~ 3 years that works for me.

A) For sites where security is just not a concern, I have a fairly complex, but easy to remember PW that I use for all these. So far, with only a few exceptions, my general rule works with all these sites (>8, an upper-case alpha, a lower-case alpha, a number, and a special char).

B) For sites where I have a concern, I use a common prefix and a common suffix for all. This makes it easy to remember, and adds plenty of complexity. For each site, I add a unique middle set of chars that are easy to remember. Example:

Common prefix APPLE123 --- Common Suffix zebra789

So local bank might be:

APPLE123lclb$zebra789

If my broker was Schwab, it might be:

APPLE123swbzebra789

etc. I can add any special char requirements to the word. Nice thing about this, I can keep a low tech piece of paper with my passwords on it, even in my wallet, and it is secure. It would look like this:

mybank --- lclb$ ---
stocks --- swb ---
online bank --- olb$ ---
Fidelity Credit Card --- fcc ---

See, not enough info there to give it away. All I need to remember are my prefix and suffix 'keys'. I can even write those down somewhere where the connection would not be made.

Works for me.

-ERD50

That is SO COOL!!! I really, really like your prefix & suffix method and I am so impressed. I had never heard of that idea before. It seems ingenious to me, so much so that I might switch over to that method. I tried password software but do not like depending on it.
 
I divide my passwords into three classes depending on the information they have on me - sensitive (anything with SS and DOB and account numbers), and minor exposure (CC info stored), and very low exposure (name and email address, maybe shipping address).

The sensitive passwords are in a password protected file on a password protected encrypted drive on a password protected computer (all different passwords). For the minor ones I often allow Keychain to store the password.

For very low exposure sites that have little more than one of my throw away email addresses I tend to reuse a handful of simple passwords. Anything above that level has a unique password.
 
...
So local bank might be:

APPLE123lclb$zebra789

If my broker was Schwab, it might be:

APPLE123swbzebra789
...
I used to have a system somewhat like this. One should avoid dictionary words though. So I would replace "zebra" with maybe "zbr" removing vowels. It certainly is a workable system.

What I've done is to favor frequent checking of accounts as a security measure. This was after reading how some on this forum checked much more frequently than I used to. W2R was an inspiration on this as I recall and maybe Audrey too :greetings10:.

This means I want to login somewhat effortlessly and frequently. Remembering this stuff and typing it in is a hassle. Typing on a smartphone is a hassle but less so on a PC. Even on a PC I found I make too many typing errors which might lead me to back off of frequent checking of accounts. On vacations I found that it was a hassle to check accounts and my memory is a little rusty when dealing with all the other things associated with travel.

That is why I chose to use LastPass plus a smartphone fingerprint reader. Also I use two-factor authentication as mentioned by some above.
 