Online passwords!!!

I use LastPass. While my LastPass password is OK, it is not really that strong. It is based on an 18-character phrase using capital letters and some special characters.

I have an idea for an even stronger one. Something like this.

%s#!jfN9RxY2AwhWfEShxk5y

Now, I would never be able to remember this, much less type it. However, I have access to a website. I could also use a free Google site. I have thought of putting the password on an HTML page and putting it online with no reference as to what it was for. Bring up the site, and copy/paste. I have multiple Gmail accounts, so it would be one I seldom use.

Thoughts?

You would not have access to it when that site, or even Gmail, went down.
How about making a couple of image files on your computer, with a special name.
Then you simply copy the image file name + another image file name + a simple phrase "MomLovesMeTheBest".

So it could be like:
IMG_20160119_164443.jpgStates_for_Retirement.jpgMomLovesMeTheBest
 
Like others, I use KeePass for any password with financial implications. I honestly don't even know what my passwords are, as I let KeePass auto-generate random strings and then just copy/paste them to those sites whenever I need to log in.

For everything else, I do keep an Excel document with non-important passwords. I probably have 200+ places I've set up accounts at. Most of them are different from each other, but having the Excel doc is certainly a risk.
 
That is SO COOL!!! I really, really like your prefix & suffix method and I am so impressed. I had never heard of that idea before. It seems ingenious to me, so much so that I might switch over to that method. I tried password software but do not like depending on it.

Thanks. And if you like that, maybe some day I'll share how I chose a new email address, one that I could reliably give over the phone with little chance of a mix up.

BTW, I was thinking that rather than prefix-(unique)-suffix, I could just use a longer prefix. But one of the sites limited the length of the password to something shorter than my prefix + suffix alone! But that was easily handled. On that site, my cheat sheet just says something like:

mybank --- lclb$ (nada)

instead of my usual:

mybank --- lclb$ ---

Where the "---" marks where the prefix or suffix is to be added.

I mentioned this has worked for me for about 3 years, as I often find that many systems I come up with (for anything, not just computers, passwords, etc.) seem great at first but fade away after a year. Something makes them not as great as first thought.

I need to start doing a similar thing for those pesky challenge questions. APPLE123Timbuktu would be a better answer than just Timbuktu, and again, I can just write it down as ---Timbuktu.

And as noted, it's best to sub in a more complex random string, but still one that is easily remembered and typed (try it! keep caps sequential, for example). An earlier suggestion was the first letters of the words to a song or phrase. But be careful! I found a list of 64,000 common passwords, and I was surprised to find fsa7ya in that list! Spoiler .... scan down, and highlight for the answer....






(Highlight for answer)
Four Score And 7 Years Ago
(/Highlight for answer)

-ERD50
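The cheat-sheet scheme above, written out as an added example (this is not ERD50's code, and the prefix, suffix, cheat-sheet lines and the stand-in common-password list are all made up for the illustration). It parses entries in the "site --- key ---" / "site --- key (nada)" form, composes the real password from the memorized parts plus the per-site key, checks a site's length limit before deciding to drop the suffix, and runs the same common-password check that caught fsa7ya:

```python
import re

# Assumed memorized parts; these are made up for the example.
PREFIX = "Fsa7ya"      # acronym of a phrase, like the one in the spoiler
SUFFIX = "!Nc"

# Constructed cheat sheet in the format used above: "---" marks where a
# memorized part is added, "(nada)" means nothing is added there.
SHEET = """
mybank --- lclb$ ---
broker --- qzr7 ---
shortsite --- kk9# (nada)
"""

# Constructed stand-in for the 64,000-entry common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "fsa7ya"}

ENTRY = re.compile(r"^(\S+)\s+(---|\(nada\))\s+(\S+)\s+(---|\(nada\))$")


def parse_sheet(text):
    """Return {site: (add_prefix, key, add_suffix)} from cheat-sheet lines."""
    entries = {}
    for line in text.strip().splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            raise ValueError(f"unparseable cheat-sheet line: {line!r}")
        site, pre, key, suf = m.groups()
        entries[site] = (pre == "---", key, suf == "---")
    return entries


def compose(site, sheet, prefix=PREFIX, suffix=SUFFIX):
    """Build the real password; the sheet alone never contains it."""
    add_prefix, key, add_suffix = sheet[site]
    return (prefix if add_prefix else "") + key + (suffix if add_suffix else "")


def fits(site, sheet, max_len, prefix=PREFIX, suffix=SUFFIX):
    """Check a site's length limit before deciding to drop the suffix."""
    return len(compose(site, sheet, prefix, suffix)) <= max_len


def memorable_part_is_common(part=PREFIX, wordlist=COMMON_PASSWORDS):
    """Case-insensitive, since crackers try case variants of every entry."""
    return part.lower() in {w.lower() for w in wordlist}
```

The point of the check is that the memorized part is the only piece an attacker could guess without the sheet, so it is the piece to test against a cracking list; the per-site key is random and is what keeps one site's password from revealing another's.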
 
This thread has resulted in me spending an inordinate amount of time trying to "secure" my passwords. I elected to download Dashlane since it has pretty darn good reviews but so far, it has been a huge pain in my arse. The "auto changer" doesn't work at all and I can't seem to figure out why. Even trying to change them manually is being a pain. It has divided Amazon into 3 different accounts (retail site, seller site and video site) and I have had to spend about 20 minutes just going in and making them all match. I know I am getting older which means I will become more and more technically challenged, but this is ridiculous.

So, I think I am going to use the password generator and just manually change the websites that REALLY matter (financial, etc.) and forget the rest of them since the automated process just doesn't work very well. If someone wants to hack into my forum account...more power to them.

I would say over the last two days, I have spent about 6 hours on this. Damn good thing I am retired! ;)
 
Thanks, ERD50. Great food for thought and honestly I think this is the most ingenious solution to the password issue that I have ever seen. I can keep the three letter "middle" part written down in my password protected Excel file, without worrying about how easy it would be for hackers to break into it. Even if they did, it wouldn't do them any good. :D
 
This thread has resulted in me spending an inordinate amount of time trying to "secure" my passwords. I elected to download Dashlane since it has pretty darn good reviews but so far, it has been a huge pain in my arse. ...

So, I think I am going to use the password generator and just manually change the websites that REALLY matter (financial, etc.) and forget the rest of them since the automated process just doesn't work very well. ...

Some password managers are a bit overkill which kind of defeats the purpose.

For saving passwords, I don't separate by groups as I think that's just extra wasted effort. I can see perhaps, a group for work, another for personal. But for me, I don't distinguish say "games" vs "finances" groups for passwords.

Too many features at the price of simplicity. I'm happy with Password Corral (Windows only, though I also have it working on my Linux laptop). Password Corral isn't as popular as some of the others, but I think it has a good interface, allows for copy/paste of user ID/passwords, has a freehand "comments" section for adding things like the Q & A of those darn challenge questions, and is stored locally as an encrypted file. Plus, it is free. I used to use Password Safe (among others), but IMO, found Password Corral easier to use.
 
Some password managers are a bit overkill which kind of defeats the purpose. Too many features at the price of simplicity.

I think that's the issue I *had* with it. Just logging onto a page required 2 or 3 separate clicks and it just complicated things. I have a list of passwords that haven't been changed in a while and I will deal with that in the next couple of days. I am going to my old way, just make them a bit longer and add in a couple extra special characters.
 
Because of the OPM hack, they offered free monitoring with MyIDCare, so I signed up. Got a notice last week that my email address and password had shown up on a list that the bad guys sell. No details were provided on what web site the email address and password were taken from; I rarely use my email address to log in to any accounts. They didn't even show the password, just a string of asterisks. I use LastPass to manage my passwords, so it was easy to go in and search for all my accounts with my email as a login, then go out and change all the passwords. I use the LastPass password generator to create the passwords, so they are all very secure and unique; I never use the same one on multiple sites.
 
I think that's the issue I *had* with it. Just logging onto a page required 2 or 3 separate clicks and it just complicated things. I have a list of passwords that haven't been changed in a while and I will deal with that in the next couple of days. I am going to my old way, just make them a bit longer and add in a couple extra special characters.

Feeling the complexity in the past, I thought about just creating a spreadsheet that I can encrypt and cut and paste. But then for security, I'd have to encrypt/decrypt back and forth. Plus, sorting too.

I like Password Corral because it kind of looks like a spreadsheet and my password list is sorted by descriptions I use (for example, Amazon ... to Yahoo). Just checked and I happen to have exactly 200 entries. I can easily scroll through my list. As mentioned earlier, I don't use groups as that would just complicate things as I prefer to go through my list A through Z, non-grouped.
 
Glad the system works for you. For me, I prefer to just create my passwords with a random generator without any specific pattern. Using something like your example, my memory isn't good enough without effort.

For example, for Schwab, I'd be asking myself "Was that swb? or Sch? or Swbb?" You get the idea.

Feeling the complexity in the past, I thought about just creating a spreadsheet that I can encrypt and cut and paste. But then for security, I'd have to encrypt/decrypt back and forth. Plus, sorting too.
...

But you see, because I don't keep the (easily remembered) prefix and suffix together with the unique 'key' for each site, I just keep the keys written down right by the computer.

There's really only about 5 or 6 sites that I regularly check with this more secure system (plus maybe a dozen more that I don't access regularly), so those got memorized really quickly, and I can glance at the sheet if I need. No clicks, no web site access, no digging up and sorting/scrolling from a spreadsheet.

I use a simpler, common one for sites where I don't really care about security that much.

-ERD50
 
The schemes that rely on remembering what goes where on a lengthy password and what gets abbreviated or not sound like a wonderful test for Alzheimer's :) The one security check I do subscribe to is to check my financial sites every day for unusual activity.

This brings me to a question. Every financial institution I deal with has a system whereby access is permanently denied if one types the wrong password three times. There is a lengthy reauthorization process involving an actual phone call etc. How does the brute force approach manage to try millions of passwords if I get shut down after three attempts?
 
Lastpass user for over 3 years. I pay $12/year for their premium service.

I also use LastPass, for example, my last password I used for a site was: 6C#wy!H1#VI1ZaR

I could not tell you what any of my passwords are.
 
Another issue with the challenge questions: if your mother has passed on, her obituary will contain her maiden name and your name, since the survivors are often listed.

I always use the same random string for those questions... mother maiden name "PumkinPie"; best friend in elementary school "PumkinPie"; street I grew up on, you guessed it, "PumkinPie"
 
... This brings me to a question. Every financial institution I deal with has a system whereby access is permanently denied if one types the wrong password three times. There is a lengthy reauthorization process involving an actual phone call etc. How does the brute force approach manage to try millions of passwords if I get shut down after three attempts?

I had wondered that too, but I think this is the answer. They aren't after your account, they are after any account, and as many as they can hack.

So they try once, maybe twice on yours, then move to the next one. They probably have millions that they can try. And then they come back a day or so later, and try again. Eventually, they get some open.

Makes no difference if they try your account a million times, or a million accounts one time. Odds are the same. Maybe someone who is/was in the security business can confirm/deny this?


I always use the same random string for those questions... mother maiden name "PumkinPie"; best friend in elementary school "PumkinPie"; street I grew up on, you guessed it, "PumkinPie"


I tried that once (I used ApplePie ;) ), and the darn thing kicked them out, chiding me for using the same answer for multiple questions. Heck, how is a bad guy going to know I did that?

-ERD50
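The question of how a three-strikes lockout and a "try every account once, come back tomorrow" attacker interact, as an added example that is not part of the thread (the account list, passwords, IP addresses and lockout policy are all constructed). It models a per-account lock that forgets failures after 24 hours, runs a spray of one guess per account per visit against it, runs a burst of guesses against a single account for contrast, and then applies the detection rule that actually catches spraying: counting distinct accounts failed per source address rather than failures per account.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3                  # strikes before the account is locked
LOCKOUT_WINDOW = timedelta(hours=24)   # assumed: older failures are forgotten


class AuthService:
    """Toy login endpoint with a three-strikes-per-account lock."""

    def __init__(self, creds):
        self.creds = dict(creds)             # user -> password (constructed)
        self.fail_times = defaultdict(list)  # user -> recent failure times
        self.locked = set()
        self.log = []                        # (ts, src_ip, user, result)

    def login(self, user, password, src_ip, ts):
        if user in self.locked:
            result = "LOCKED"
        elif self.creds.get(user) == password:
            result = "OK"
            self.fail_times[user].clear()
        else:
            result = "FAIL"
            recent = [t for t in self.fail_times[user] if ts - t < LOCKOUT_WINDOW]
            recent.append(ts)
            self.fail_times[user] = recent
            if len(recent) >= LOCKOUT_THRESHOLD:
                self.locked.add(user)
        self.log.append((ts, src_ip, user, result))
        return result


def spray(svc, users, guesses, src_ip, start, gap=timedelta(days=2)):
    """Password spraying: one guess against every account, then come back
    later with the next guess, so no account ever sees three recent strikes."""
    hits = []
    for i, guess in enumerate(guesses):
        for j, user in enumerate(users):
            ts = start + i * gap + timedelta(seconds=j)
            if svc.login(user, guess, src_ip, ts) == "OK":
                hits.append((user, guess))
    return hits


def detect_spraying(log, window=timedelta(hours=1), min_accounts=10):
    """Per-account lockout is blind to spraying; count distinct accounts
    failed per source address within a sliding window instead."""
    by_ip = defaultdict(list)
    for ts, ip, user, result in log:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - t0 <= window}
            if len(users) >= min_accounts:
                flagged[ip] = len(users)
                break
    return flagged


def demo():
    users = [f"user{n:03d}" for n in range(50)]
    creds = {u: f"Strong-{u}-x9" for u in users}   # constructed
    creds["user017"] = "Summer2016"                 # the one weak, common one
    svc = AuthService(creds)
    start = datetime(2016, 6, 6, 9, 0)
    hits = spray(svc, users, ["Password1", "Summer2016", "Welcome1"],
                 "203.0.113.7", start)
    # A brute-force burst against one account trips the lock immediately.
    burst = [svc.login("user001", g, "198.51.100.9",
                       start + timedelta(days=10, seconds=k))
             for k, g in enumerate(["aaa", "bbb", "ccc", "ddd"])]
    return hits, burst, sorted(svc.locked), detect_spraying(svc.log)
```

Running demo() shows the two attacks side by side: the spray takes over user017 without locking a single account, the burst is stopped on its fourth try, and only the per-source-address rule flags the spraying IP. The "million accounts once vs. one account a million times" intuition in the post holds for the attacker's odds per guess, but not for the defender's lockout, which only sees the second case.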
 
I always use the same random string for those questions... mother maiden name "PumkinPie"; best friend in elementary school "PumkinPie"; street I grew up on, you guessed it, "PumkinPie"

Will they let you use the same answer for multiple questions? I have not tried your approach but I think it wouldn't work in that case.
 
Some password managers are a bit overkill which kind of defeats the purpose.

.......
... I'm happy with Password Corral (Windows only, though I also have it working on my Linux laptop). Password Corral isn't as popular as some of the others, but I think it has a good interface, allows for copy/paste of user ID/passwords, has a freehand "comments" section for adding things like the Q & A of those darn challenge questions, and is stored locally as an encrypted file. Plus, it is free. I used to use Password Safe (among others), but IMO, found Password Corral easier to use.

You would probably like KeePass, since it runs on Linux and Windows and has everything you mentioned above, plus it wipes the clipboard automatically after a time you set.

One thing I like about password managers vs an encrypted excel spreadsheet is that if I turn off the computer the passwords are all gone, unlike a spreadsheet or text file I forgot to encrypt before shutting down.

KeePass Password Safe
 
You would probably like KeePass, since it runs on Linux and Windows and has everything you mentioned above, plus it wipes the clipboard automatically after a time you set.

One thing I like about password managers vs an encrypted excel spreadsheet is that if I turn off the computer the passwords are all gone, unlike a spreadsheet or text file I forgot to encrypt before shutting down.

KeePass Password Safe

I may have to do some playing around with KeePass just for grins. Always like to know what is out there.

Looking at the screenshots, I think there are similarities to Password Corral. But as you mentioned, Keepass is not Windows only.

Cygnus Productions [Password Corral - Freeware]
 
There is an interesting twist to consider in all this: how the law treats passwords versus biometrics. In the US, you can't be forced to divulge or supply a password. However, you can be forced to supply your fingerprint, among other biometric data. So if you are using only a thumb print to access your password DB, you could be legally forced to provide the "keys to your kingdom". Same with the newer iPhones with TouchID.

I think someone mentioned this already but IMO the biggest risk from hackers to most people is the following scenario:

1) Hackers penetrate a site that stores passwords in clear text. Storing passwords in clear text is a big no-no, but plenty of even large companies do it, sometimes in a secondary/test database.
2) Hackers download a huge number of username, email, password combinations.
3) Hackers then try username+password and email+password on dozens of other sites (e.g., Vanguard)

Even if only 1% of the combinations work, if #1 is a sufficiently large site, they have hit pay dirt. In this case, because there is no brute-force taking place, password complexity is irrelevant. This is obviously where schemes like ERD50's or password managers come in.
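The three steps above in runnable form, added here as an example rather than anything from the thread or from any real site (the two sites, their users and their passwords are constructed; the PBKDF2 iteration count is an assumed value). Site A stores passwords in clear text, site B stores a per-user salted PBKDF2 digest, and the stuffing step replays site A's dump against site B. Hashing keeps B's own dump from being a password list, but it does nothing for users who reused their A password at B:

```python
import hashlib
import hmac
import os


class ClearTextStore:
    """What the breached site in step 1 did: the dump is the password list."""

    def __init__(self):
        self.rows = {}

    def register(self, user, pw):
        self.rows[user] = pw

    def verify(self, user, pw):
        return self.rows.get(user) == pw

    def dump(self):
        return dict(self.rows)


class HashedStore:
    """Per-user random salt plus PBKDF2-HMAC-SHA256; a stolen dump holds
    salts and digests that must be cracked one user at a time."""

    ITERATIONS = 50_000   # assumed and lowered for the example; tune so one
                          # verify costs on the order of 100 ms in production

    def __init__(self):
        self.rows = {}

    def _digest(self, pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, self.ITERATIONS)

    def register(self, user, pw):
        salt = os.urandom(16)
        self.rows[user] = (salt, self._digest(pw, salt))

    def verify(self, user, pw):
        if user not in self.rows:
            return False
        salt, digest = self.rows[user]
        return hmac.compare_digest(digest, self._digest(pw, salt))

    def dump(self):
        return {u: (s.hex(), d.hex()) for u, (s, d) in self.rows.items()}


def stuff(leaked, target):
    """Step 3: replay every leaked (user, password) pair against another
    site; no guessing is involved, so complexity does not help here."""
    return [u for u, pw in leaked.items() if target.verify(u, pw)]


def demo():
    site_a = ClearTextStore()   # the careless site that gets breached
    site_b = HashedStore()      # a well-run site; hashing cannot fix reuse
    for n in range(20):         # constructed population
        site_a.register(f"user{n}", f"Pass{n}!")
        reused = n % 4 != 0     # three in four reuse the site A password
        site_b.register(f"user{n}",
                        f"Pass{n}!" if reused else f"unique-{os.urandom(8).hex()}")
    leaked = site_a.dump()
    return stuff(leaked, site_b), site_b.dump()
```

demo() returns the list of site B accounts taken over (every reuser) together with B's dump, which contains only hex salts and digests. The only thing that protects the remaining quarter of users is that their B password is unique, which is exactly what a generator or a per-site key gives you.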
 
I love the info here. I think I am a slacker so need to beef things up on some sites.

However, for most sites it's not that big of a deal if they hack in. My credit card, for example, has really good security. If you log in from a new computer, they make you get a code from your phone or email. OK, but what do I care if they hack into my credit card? Are they going to pay my bill for me? Ya, I get it that they can cause trouble, but aren't most hackers looking for ways to get money!?

Also, it seems to me, that email is the most important. If a person figures out your email they can reset just about any website.
 
...
Also, it seems to me, that email is the most important. If a person figures out your email they can reset just about any website.
+1

Today I wanted to update my password at a site that has my credit card to pay the small monthly bill. The only way I could do this was to request a password reset. So they just sent the reset to my email and I logged in using the link from my email. No verification it was me other than that it came from my email. No security questions. :facepalm:

That is why my email password is very strong.
 
From today's WSJ concerning the hacks of Twitter

The hacks primarily affect computer users who use the same password for multiple accounts and who don’t use additional security measures such as text-message notifications when someone tries to access an account from a new computer. On Sunday, hackers used a password from the 2012 LinkedIn breach to take over Mark Zuckerberg’s Twitter account. Monday, German software company TeamViewer GmbH said that criminals were using this data to take over the accounts of some of its customers.

I am even more convinced that passwords should not share any part with any other password. I understand it is easier to remember, but at least for important information, including finances, a long unique password, changed regularly, offers the best protection. And two-factor is an added layer that is worth the time to me.

Twitter: Passwords Leaked for Millions of Accounts - WSJ
 
I love the info here. I think I am a slacker so need to beef things up on some sites. ...

Also, it seems to me, that email is the most important. If a person figures out your email they can reset just about any website.
They have to break into your email account and shut you out of it.

We own our own domain names, so it's not so easy for someone to take over our email addresses.

You hear about yahoo account break-ins and others though. I've always been leery of "free" email accounts considering how important an email address is to many accounts.

Here is how hackers use stolen cards to make money: they buy tons of gift cards, which can then be passed along as cash. They also use stolen credit cards to buy popular items from big box stores that are easy to sell.
 
+1

Today I wanted to update my password at a site that has my credit card to pay the small monthly bill. The only way I could do this was to request a password reset. So they just sent the reset to my email and I logged in using the link from my email. No verification it was me other than that it came from my email. No security questions. :facepalm:

That is why my email password is very strong.

Sounds bad, but it sounds like you were logged in to request the password reset, so maybe that's how that worked?

This is another reason why having the login and the password on the same entry screen of the web page is important. If it fails, it should say that either login or password is incorrect, so no clue as to which. Otherwise, once they guess the login, they can request a password reset.

So yes, it is important to have a strong email password - in the case above, once they have your email, they can intercept password resets - especially dangerous if the login to the account is the email address!

From today's WSJ concerning the hacks of Twitter
....

I am even more convinced that passwords should not share any part with any other password. I understand it is easier to remember, but at least for important information, including finances, a long unique password, changed regularly, offers the best protection. And two-factor is an added layer that is worth the time to me.

But they wouldn't know which part was shared - I don't think it's adding any risk.

And what advantage is there to changing your password often? I think that has been exposed as a myth - it often leads to people using simpler passwords. It's not like a bad guy is going to sit on a hacked password for 6 months before using it.

-ERD50
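The "either login or password is incorrect" point above, as an added example that is not part of the thread (the user table, hashing parameters and message texts are constructed). Two login handlers and two reset handlers are shown: the leaky pair answers differently for an unknown account than for a wrong password, and the uniform pair gives one answer either way and also runs a dummy hash for unknown users so the response time does not give the account away instead. The probe at the end is what an attacker does with a list of candidate names and a junk password:

```python
import hashlib
import hmac
import os


def _digest(pw, salt, iterations=20_000):   # assumed parameters
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _digest("correct horse", _SALT))}   # constructed
_DUMMY = _digest("dummy-not-a-real-password", _SALT)
UNIFORM_MSG = "login or password is incorrect"


def login_leaky(user, pw):
    """Tells the caller which half was wrong: confirms account names."""
    if user not in USERS:
        return False, "no such user"
    salt, digest = USERS[user]
    if not hmac.compare_digest(digest, _digest(pw, salt)):
        return False, "wrong password"
    return True, "ok"


def login_uniform(user, pw):
    """Same message either way, and the same hashing cost either way."""
    salt, digest = USERS.get(user, (_SALT, _DUMMY))
    ok = hmac.compare_digest(digest, _digest(pw, salt)) and user in USERS
    return ok, "ok" if ok else UNIFORM_MSG


def reset_leaky(email):
    return "reset link sent" if email in USERS else "no account for that address"


def reset_uniform(email):
    # Always the same text; the link is only actually sent when the
    # account exists, so the response reveals nothing about the address.
    return "if an account exists for that address, a reset link was sent"


def enumerate_users(candidates, login):
    """Attacker's probe: learn the message for a name that cannot exist,
    then any candidate that answers differently is a real account."""
    baseline = login("zz-no-such-account-zz", "x")[1]
    return [c for c in candidates if login(c, "x")[1] != baseline]
```

Against login_leaky the probe comes back with the real account names, which is all an attacker needs before walking over to the password-reset form; against login_uniform it comes back empty. The dummy digest matters because a handler that only hashes for known users answers measurably faster for unknown ones, which is the same leak through a side channel.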
 
Sounds bad, but it sounds like you were logged in to request the password reset, so maybe that's how that worked?

This is another reason why having the login and the password on the same entry screen of the web page is important. If it fails, it should say that either login or password is incorrect, so no clue as to which. Otherwise, once they guess the login, they can request a password reset.
...
Good point and never really thought about it that way.

Maybe that is why Vanguard went to the login and password on the same screen. They did away with the unique picture, which was a shame as I kind of liked the chipmunk I chose. Anyway, they did add 2FA and beefed up the allowed number of characters in the password. It feels safer.
 
