Many many Passwords

I use Password Safe, a simple open-source password manager. I keep copies of the app on my PC, phone, and iPad. The encrypted safe file of passwords resides in the cloud and is accessed by the local clients. In addition to username, password, and URL it has a notes section where I can add relevant information about the account.


+1 I do not store it in the vendor's cloud, I store it in my own. I really like this software.
 
Norton PW Manager

I use Norton Password Manager, which comes with Norton AV. I don't know if it's the best, and I really don't like most Norton products, but this one works and gives me options that some of the simple PW managers may not have.
 
I've done a lot of thinking about this. We have so many passwords with so many convoluted rules that it becomes problematic.

We opted for a simple approach that renders a secure password with one hole/leak in the method which I'll discuss in the end of this.

Some passwords can be short (8-12 chars) and some need to be long.

We have two templates. What is a template in this context? It is basically a pattern of chars that only my wife and I know and we know it instinctively and without having to think. We have 2 templates, a long and a short, but they follow the same substitutions and the same remembrance criteria.

First we substitute chars (s is $, i is 1, L is 7, 5 is S, a is @, c for k, k for c, etc.). We also substitute our first initial of our first name with # as our names both start with the same letter, in this example m but that's not our first initial, BTW.

The variable is extracted from the domain so fidelity.com would take 2 chars, make them upper case and insert them into the template at the same place.

Example with fidelity.com we might take the 3rd and 4th chars DE and insert them into the center of our template.

Our template is something both of us would never forget. Making up an example, let's say our honeymoon was in San Marino (it was not). Our short template Fidelity password would be 5@n__#@r1n0 (first names start with m) with DE inserted in the middle, or 5@nDE#@r1n0. This may be a weak example but hopefully the method is clear. We never forget where our honeymoon was and through repetitive use we get used to the template and insertion of 2 chars. You might ask what about ba.com, which only has 2 chars? We just back up to ba, and there are no single-letter domain names that we log in to, so we don't have a key substitution problem.

Vanguard key is NG so pw would be 5@nNG#@r1n0, Schwab would be HW so pw is 5@nHW#@r1n0. See the problem? If these were stacked in a list it would be easy to guess our capitalone password. That said, we never write these down digitally where they can be stolen and listed. We have the templates and hints written on a document but even that document is a little cryptic. It is written down and stored securely in plain sight in case dementia or other mental issue happens as we age and we just forget or can't remember details.

We have another longer key (same unforgettable thing) that is only used when 12 or more characters are required.

I "invented" this method about 20 years ago and it has served us well during that time. I don't trust online sources because those get hacked (most of them have been hacked), they go out of business, they are in business to make profits and if they stop making profits they often just shutdown. I also don't trust electronic storage because it breaks or if in the cloud we have no control over it and it could go away at anytime without our control. Our brains are still the best method for long term storage of passwords (my strong opinion only).

One time my wife forgot the template due to disuse and I just told her, "remember where we honeymooned?" and she replied, "Oh yeah, I remember the template now" and boom, she was logged in and everything was restored in her brain. I told her to stop caching her passwords and to input them and showed her how to remove them from cache, too.

This method is not for everyone and anyone can make a variant of this approach, even a much simpler variant and it would be very secure as long as you stop writing passwords down or write them digitally to a password manager.
 
I've done a lot of thinking about this. We have so many passwords with so many convoluted rules that it becomes problematic.

We opted for a simple approach that renders a secure password with one hole/leak in the method which I'll discuss in the end of this.

Very interesting and very good.

However, what about sites that force you to change your password every X months? Seems like you are SOL...
 
OP - Interesting.
How do you store the 3->4 security question answers to the various sites that require them?

While you might not write down your passwords, they are written down at the sites that use them. A very remote issue could be that you have passwords at some poorly secured sites.
I have had sites when I clicked "forgot password" send me the actual password, which they should not be able to see, because if they can see it, so can a hacker when the hacker steals the database.

So if you use this template at a few weak sites, it's possible that hacker software uses the common email address they get to relate different passwords and sites to a user. People often use the same password across sites, or just slight variations like: 1567Fidelity and 1234BankOfA as examples. So maybe hackers would do pattern matching on the passwords and see the commonality quickly.

I prefer to use a password manager on my computer.
It allows me to store the security answers which are all random and unrelated to the question differently for each site.
Some of my passwords are ~55 random characters long, others are limited by the sites to 25 characters or whatever limit they have.
All passwords are random, not based on a common pattern.
My disks are encrypted. I back them up to multiple backups.

But I'm always interested in hearing ideas, as there is something to learn sometimes.
 
I "invented" this method about 20 years ago and it has served us well during that time. I don't trust online sources because those get hacked (most of them have been hacked), they go out of business, they are in business to make profits and if they stop making profits they often just shutdown. I also don't trust electronic storage because it breaks or if in the cloud we have no control over it and it could go away at anytime without our control. Our brains are still the best method for long term storage of passwords (my strong opinion only).

My wife and I also have been using a similar pattern for years. However, it has become increasingly more difficult to keep up the same pattern when sites force password resets and won't let you reuse previous passwords, or if a site doesn't take one of your special chars in your pattern. Then what do you do?

So, I recently started using a password manager (Bitwarden). I have the same doubts as you do so just starting using it for the non-critical and non-financial sites (e.g. like for this forum). I must admit it has been very easy to setup/use and makes signing on to sites effortless. It also allows you to create encrypted backups so you can import into other password managers if you decide to switch at some point. They also claim only encrypted data goes through/is stored in the cloud for the purposes of you being able to access on other devices, only your device(s) can decrypt it.
 
I use Passkeys where available.
Otherwise I use cloud based password managers.
 
My wife and I also have been using a similar pattern for years. However, it has become increasingly more difficult to keep up the same pattern when sites force password resets and won't let you reuse previous passwords, or if a site doesn't take one of your special chars in your pattern. Then what do you do? ....

I use a similar system (I wrote about it years ago), but I keep the standard pattern just upper/lower case and numerals, no special chars. I add the special char to the unique segment, so I can make it work with any site-specific restrictions or requirements.

My system is something like:

APPLE123<xxxxxx>zebra789

where <xxxxx> is unique to the site, and "APPLE123", "zebra789" are my memorized patterns (also written down in a place away from my password). But don't use common words or number patterns. And length is more important than complexity.

This allows me to write down the unique segment, it's no good w/o the patterns, and those become muscle memory after a while, so it's easy.

-ERD50
 
I found this info on hacking passwords. With computers hacking away at guessing passwords it's more about the time it takes to run through the iterations. In other words, the longer the password the more time it would take for a computer to find your password. Including alpha, numeric and special characters then helps with the complexity and therefore the time required. Based on this, any password shorter than 9 characters is ripe for a computer to hack regardless of what patterns you might choose.

 
We use Keeper that also allows you to import from Apple’s Keychain. I’m happy with it.
 
I’m about to embark on a redo of all our passwords. My main focus is to strengthen our financial passwords. I want them all to be long and random so I may use a password generator for them. I’m also going to make a different user name for each account that is also random. I would include my email in the “financial” or high security group. That way if one account is compromised, there’s no connection to the others.

The next step is shopping and various sites that store a credit card. I get notifications on my cards and they protect you against fraud on these so I’ll just go with something cryptic for the password and not worry about similar or duplicate user names - we’ll see on that one. Still, a high security situation.

Then there are forums like this one. I’ll probably just have a few user names and a couple passwords. I already tie all my social media accounts and forums to a junk email account if possible. And then I’ll have some junk passwords and user names for one off sites.

Anyway, I’ll be looking at tools to help with this, but I still think my password protected Excel file works fine.
 
I've been happy with 1Password for over 15 years now, and there is really nothing about it I don't like, and nowhere it doesn't work for me. Perhaps a slight learning curve if you're new to it, but there is good built-in help.
 
May I ask what you do for user names? I figure that my actual name as a customer of the bank is the first hack information on a list of saleable marks. So I have a different name for all my financial records.
(I see Jerry just posted a user name info point)
I have been messing up my logins lately. Sticky keys or bad memory. I have new passwords for all and I have to look them up. Can't make myself trust a master password generator. I would probably lose that too.
 
What this brings up is the concept of password aging, long the mantra of the information security (infosec) world.

Professionally, I am quite steeped in password and security management and for years I would have continuous debate with infosec people regarding password aging (expiration, etc.) with the belief that password aging in practice actually decreases security.

Recently, the infosec world has come to their senses and the conventional wisdom is slowly agreeing with my original contention that it is less safe than not. Typical article is here.

That said, for sites that do password aging we revert to the old fashioned way, we just write them down and try to keep them secret.

Very interesting and very good.

However, what about sites that force you to change your password every X months? Seems like you are SOL...

My wife and I also have been using a similar pattern for years. However, it has become increasingly more difficult to keep up the same pattern when sites force password resets and won't let you reuse previous passwords, or if a site doesn't take one of your special chars in your pattern. Then what do you do?

So, I recently started using a password manager (Bitwarden). I have the same doubts as you do so just starting using it for the non-critical and non-financial sites (e.g. like for this forum). I must admit it has been very easy to setup/use and makes signing on to sites effortless. It also allows you to create encrypted backups so you can import into other password managers if you decide to switch at some point. They also claim only encrypted data goes through/is stored in the cloud for the purposes of you being able to access on other devices, only your device(s) can decrypt it.
 
I found this info on hacking passwords. With computers hacking away at guessing passwords it's more about the time it takes to run through the iterations. In other words, the longer the password the more time it would take for a computer to find your password. Including alpha, numeric and special characters then helps with the complexity and therefore the time required. Based on this, any password shorter than 9 characters is ripe for a computer to hack regardless of what patterns you might choose.


I’m curious as to how the hackers get around the issue of accounts being locked after relatively few failed attempts.
 
I’m curious as to how the hackers get around the issue of accounts being locked after relatively few failed attempts.

Unless they are targeting an individual, the best way is to get a copy of the database that holds the login passwords.

This way there is no timeout, no limit on the running of a script, and they can try a huge number per second (thousands -> millions) against a password entry.

First script is a dictionary type to look for all the idiots with passwords: 12345, password123, secret123, etc.
Then it comes down to cracking the passwords.

The attempt on the bank/brokerage/etc is no attempt after that, it is a straight forward login.
 
A recent case in Canada reflects that investigators tried 175 million passcodes to break into a suspect's iPhones. It took them eight days to test 30 million passcodes from an existing passcode dictionary. Since the suspect uses alpha-numeric passcodes, that means 44 nonillion potential combinations on each of his three iPhones. https://cybernews.com/news/ottawa-police-phone-passcode-court/
 
We have pretty well given up and just use the Apple/Mac password auto generated thing.

It was easier for the 1st ~40 years of the Internet to use our initials, the old dead dog's name or our wedding date...but the sites required longer, more convoluted passwords!
 
I’m curious as to how the hackers get around the issue of accounts being locked after relatively few failed attempts.

Not all accounts are set up to lock after a few attempts. If it did I'd be locked out of my Microsoft account every couple of hours. The Microsoft Authenticator shows all the attempts to log in to my account, hundreds of attempts yesterday. I counted 65 in a 4 hour window. I wish I had visibility like that on all my other accounts.
 
Passwords occupy a certain level of hell. The future will be a theft-proof, non-transferable token that verifies each person online with certainty.
 
A recent case in Canada reflects that investigators tried 175 million passcodes to break into a suspect's iPhones. It took them eight days to test 30 million passcodes from an existing passcode dictionary. Since the suspect uses alpha-numeric passcodes, that means 44 nonillion potential combinations on each of his three iPhones. https://cybernews.com/news/ottawa-police-phone-passcode-court/

So for the 30 million tries, they were able to do ~43.4 attempts per second.
I suspect they were limited in speed due to interacting with the phone via computer.

They would have the computer send a password try to the phone and the computer would evaluate the response, then repeat. The problem is that in computer terms the communication takes time and the phone is slow compared to the computer.
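An added example, not from any post in this thread, that puts numbers on the two points made above: the ~43 guesses/second implied by the Canadian case, and how much the search space grows with length and character set when the guessing happens offline against a stolen database rather than through a login screen. The one-billion-guesses-per-second offline rate is an assumed round figure for illustration, not a number from the thread.

```python
SECONDS_PER_DAY = 24 * 60 * 60

# Figures quoted in the thread: 30 million passcodes tested in eight days.
CASE_GUESSES = 30_000_000
CASE_DAYS = 8

# Assumed illustrative rate for an attacker holding a stolen (offline) password
# database and therefore not throttled by lockouts. Not a figure from the thread.
ASSUMED_OFFLINE_RATE = 1_000_000_000  # guesses per second

CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,      # a-z, A-Z, 0-9
    "printable_ascii": 95,   # every printable ASCII character, punctuation included
}


def guesses_per_second(guesses: int, days: float) -> float:
    """Rate implied by a number of attempts spread over a number of days."""
    return guesses / (days * SECONDS_PER_DAY)


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from the charset."""
    return charset_size ** length


def expected_seconds(charset_size: int, length: int, rate: float) -> float:
    """Average time to hit a password by exhaustive search: half the keyspace."""
    return keyspace(charset_size, length) / 2 / rate


def min_length_for(charset_size: int, rate: float, years: float) -> int:
    """Smallest length whose expected search time at `rate` exceeds `years`."""
    target = years * 365 * SECONDS_PER_DAY
    length = 1
    while expected_seconds(charset_size, length, rate) < target:
        length += 1
    return length


if __name__ == "__main__":
    print(f"Rate in the Canadian case: {guesses_per_second(CASE_GUESSES, CASE_DAYS):.1f} guesses/s")
    print(f"16 printable ASCII chars: {keyspace(95, 16):.2e} combinations")
    for length in (8, 12, 16):
        for name, size in CHARSETS.items():
            days = expected_seconds(size, length, ASSUMED_OFFLINE_RATE) / SECONDS_PER_DAY
            print(f"{length:2d} x {name:15s}: {days:14.1f} days at {ASSUMED_OFFLINE_RATE:.0e}/s")
    print("lowercase length for a 100-year search at 1e9/s:", min_length_for(26, ASSUMED_OFFLINE_RATE, 100))
```

Running it shows why the thread's advice that length matters more than complexity holds: adding four lowercase characters multiplies the search time by 26^4, far more than swapping in a few symbols does.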
 
Unless they are targeting an individual, the best way is to get a copy of the database that holds the login passwords.

This way there is no timeout, no limit on the running of a script, and they can try a huge number per second (thousands -> millions) against a password entry.

First script is a dictionary type to look for all the idiots with passwords: 12345, password123, secret123, etc.
Then it comes down to cracking the passwords.

The attempt on the bank/brokerage/etc is no attempt after that, it is a straight forward login.

I guess that is why 2FA is so important. My banks, US and UK, use an authenticator rather than rely on passwords. The authenticators themselves also rely on biometrics (Face ID in my case) or another password to activate them.
 
That is correct. It produced a large influx of users to 1Password.

It also produced a lot of discussion on various forums about security models, why one app may be more hardened than another. https://support.1password.com/1password-security/

Too much to consume at that link in one sitting, but the devil is in the details (or lack of) in various password managers.
 