Changing Passwords

[frayne]

How often do you change passwords on your financial accounts ? I've been using the same passwords for my accounts for years and never had a problem but was just thinking might be a good idea to change them.
Do you and if you do, change, how often ?

Thanks in advance.

[CoolChange]

I probably do not change mine often enough: Every 2-3 years or when forced to by a specific institution. But, I do use strong passwords (the longest combination of random characters, numbers and symbols allowed) which are unique to each institution.

Yes, I am in a world of hurt if I ever lose my password manager or forget the master pass phrase; but, I do keep multiple backups in multiple locations. And, if I get a conk on the head bad enough to make me forget that pass phrase, I will likely have bigger worries to deal with.

[ERD50]

I can't see any logic to changing a password just to change it. If it isn't a reasonably complex one, then change it to a better one. If you think you've been hacked, obviously change it.

The only scenario I can imagine is where you were hacked w/o your knowledge, and the crook decided to wait 6 months to do anything. Then changing the PW in the interim would thwart their attempt. But I can't imagine that happening in real life. So what's the point?

If someone is trying to brute-force their way in by guessing your PW, what is the chance that your new PW would be one they already tried so they won't retry it? Near 0.000000000%.

To a degree, changing PWs is a bad thing. Since it makes it harder to remember, there is a tendency to make them simpler. That is a bigger weakness.

I've finally come up with a system that works well for me, been using it 100% for about a year, and longer in a more limited way. I just have a couple complex terms that are uncommon, but easy for me to remember. I stick a shorter, unique term in the middle, that I can write down with a clue as to which site it belongs to. So even though it is written down, the key terms are not, so that is safe. For any site where I'm not concerned about security, I use the same PW which has enough chars, a number and UC and LC letters so it works for most every site.

-ERD50

[walkinwood]

Quote:

Originally Posted by ERD50 I can't see any logic to changing a password just to change it. If it isn't a reasonably complex one, then change it to a better one. If you think you've been hacked, obviously change it. ... -ERD50

+1
I think it is more important to have long passwords with a big character set (alphanumeric & special characters) than it is to change them. Also, have different usernames and passwords at each institution. Use two-step authentication if available & a password manager to keep track.

[BOBOT]

Lastpass.

[MBAustin]

If you want more information about passwords than you knew existed, this is a great $10 e-book
Take Control of Your Passwords

The latest advice is not to worry about changing passwords frequently, but to make sure to use long & strong & unique (never use the same one on two sites) passwords. Which requires a system (as ERD50 recommends) and/or a password manager such as BOBOT suggested.

[racy]

I'm more worried about shopping at Target.
Target data stolen in hack showing up on black market | Security & Privacy - CNET News

[veremchuka]

I set up KeePass in the summer of 2012 and started to use very complex meaningless userids, passwords and my security questions make no sense at all. It'll be 2 years this summer and I will change everything at that point just because. The more articles I read about passwords and cracking the more paranoid I become. I now store the KP database on 2 flash drive not the c drive.

[tulak]

I'm about to try Lastpass. I've been using KeePass on a Mac, but that's been a pain. Lastpass looks solid and is cross platform, which is a must for me.

I like the option of having one master password and then a different password for each site I visit. I don't have to worry about any of the individual passwords, only the master password. I expect that Lastpass will make using unique passwords even easier, since it's integrated into each web browser and available on tablets and smartphones. Plus, it looks like there's an option to backup your database to a local file.

For those that are more interested in how Lastpass works, there's a transcript of a podcast where they go into more detail: https://www.grc.com/sn/sn-256.htm

[savory]

Quote:

Originally Posted by veremchuka I set up KeePass in the summer of 2012 and started to use very complex meaningless userids, passwords and my security questions make no sense at all. It'll be 2 years this summer and I will change everything at that point just because. The more articles I read about passwords and cracking the more paranoid I become. I now store the KP database on 2 flash drive not the c drive.

Last night coincidentally we had a long family conversation about security. SIL works in an area of computer security. We ended up with virtually the same recommendation as veremchuka.

One of the reasons for the meaningless/complex words (not English or other language words), is they take longer to figure out. So, if you are ever hacked, it buys some time to change the password before it is learned. We ended up with Keepass vs. Lastpass because LP is stored online. We also ended up with a flash drive since it is not stored on the computer. 2 level verification was the preferred method if/when it can be accomplished.

SIL rule of thumb was the more convenient the password storage, the less safe it is.

[easysurfer]

My passwords are randomly generated and encrypted.

[Chuckanut]

Lastpass, two factor authentication when possible, and an encrypted hard drive.

[martyp]

This past couple of days I've changed all my passwords. I had not done it in years. Some of my not so important sites had weak passwords. My financial site passwords were strong but I decided it was time to change it up. There is a lot of good advice about creating strong passwords on the internet including some calculators to evaluate the strength of your password choice.

I just bought 1Password for my Mac. So far it seems OK. I am going to keep my financial passwords off of 1Password and anyplace on my computer for now. I'll keep a handwritten list somewhere in the house and safe deposit box.

[tulak]

I spent a good part of today migrating my passwords to Lastpass. So far I like it. I went ahead and paid the $12/year for premium. One nice feature is that I can share passwords with my wife. We share a bunch of accounts, so this is a nice extra for us.

I still need to setup two-factor authentication. I'll work on that tomorrow, along with a local backup of the database. I'm still 50/50 if I want to include my more sensitive accounts. I wish those sites had two-factor authentication. That would make using Lastpass with them much safer.

Either way, I'm glad I've finally cleaned up my passwords. One more item to check off my todo list.

[Chuckanut]

Anybody who was having problems with LastPass remembering trusted computers (started about June 12) should know that they claim to have fixed the problem. Delete and reinstall LastPass on your browser.

[dallas27]

Randomly generated, 16 characters or more. 20 i think

[LoneAspen]

I finally decided to start using a password manager, and change all of my passwords to be something different and unique across sites. After much Googling, I went with LastPass and so far it's working great.

I always use the maximum number of characters a site permits, and if they don't list a maximum, I use 32 characters.

I'm also going to order a YubiKey and upgrade to LastPass Premium so I can have the two-factor authentication with a dedicated hardware device. Well worth the cost of the YubiKey and $12 a year for LastPass. They deserve at least that much from me for making such a great product.

Also, for those of you with brokerage accounts... If you really want to secure your brokerage account login, check to see if they offer their own dedicated two-factor authentication. For example, Schwab offers their own authentication token you can tie to your account.

[tulak]

I've been using LastPass premium for six months now and love it. It's made my life much simpler.

I ended up using Google Authenticator for two-factor authentication. It's worked well for me and was easy to setup.

[wqo3wt76]

+1 for lastpass

Also extremely important is to use 2-factor authentication for your email (easy with gmail). Since every account you have is probably tied to that email address it makes it really hard for a hacker to change your password.

2-factor with google sends a text to your cell phone for "out of band" authentication. Only happens on "untrusted" computers so nearly no hassle.