Passwords

OP - I have used keepass for years.
- You can set up groups; in each group you put your information for each site.
- For example I have groups: Bank, Stocks, Email, Shopping, Bills to Pay, etc
- In my Bank group I put the entries for each bank.
- There is a notes section for each entry, so as you enter the Username, password, URL of the website, you can in the notes section below enter the security questions and answers.

- You will be able to copy and paste from your spreadsheet as you create each entry, keeping the passwords you currently have.

Here is the keepass website, and I took it from clicking help on my keepass application: KeePass Password Safe

I have a different password for each of my 100's of websites I visit, and different answers for the security questions even if the questions are repeated across sites, as my answers are simply made up and written down in keepass.

I copy the keepass file (it's an encrypted file) to a couple of flash drives to keep it as backup. And I can take it with me traveling so I have access to all my websites even when on the road.
http://keepass.info/screenshots.html
 
I don't use a password manager since I don't trust any program with my whole digital life.
One option is to set up a Veracrypt container and keep your passwords in it.

Of course you realize you are trusting the Veracrypt container, so you are trusting a program with your whole digital life. :blush:

For my traveling computer I have a truecrypt container, and I put all my information, including my encrypted keepass within it.
 
Of course you realize you are trusting the Veracrypt container, so you are trusting a program with your whole digital life. :blush:

For my traveling computer I have a truecrypt container, and I put all my information, including my encrypted keepass within it.

I use Veracrypt containers too for sensitive information like copies of my taxes. A part of me (the paranoid self) wants to encrypt the PDF versions of my tax returns and then store in Veracrypt. Different password than the Veracrypt container, of course. But that's kind of overkill....I think :(.

Back on topic, I suggest that if the OP decides on a local password manager, to download a few and try out with a few passwords just to find one with a comfortable look and feel. As, one thing to avoid is populating several entries then not liking the interface. Once deciding on a password manager, go with that.
 
It's one thing to roll your own storage for passwords, but how do you create a different, strong password for each site? And what happens if you lose access to that storage? Most people use a "system" that is easily cracked by popular password cracking tools. Good password managers also include random password generators and make it easy to populate and save a different password for each site. 12 or more characters are recommended nowadays.
 
OP - I have used keepass for years.
- You can set up groups; in each group you put your information for each site.
- For example I have groups: Bank, Stocks, Email, Shopping, Bills to Pay, etc
- In my Bank group I put the entries for each bank.
- There is a notes section for each entry, so as you enter the Username, password, URL of the website, you can in the notes section below enter the security questions and answers.

- You will be able to copy and paste from your spreadsheet as you create each entry, keeping the passwords you currently have.

Here is the keepass website, and I took it from clicking help on my keepass application: KeePass Password Safe

I have a different password for each of my 100's of websites I visit, and different answers for the security questions even if the questions are repeated across sites, as my answers are simply made up and written down in keepass.

I copy the keepass file (it's an encrypted file) to a couple of flash drives to keep it as backup. And I can take it with me traveling so I have access to all my websites even when on the road.
http://keepass.info/screenshots.html

I follow nearly the same approach. For sites I am not as concerned about hacks, I use a sophisticated password generated by Keepass but I will allow Google to save on my computer for convenience.

As for financial and related sites, they stay on my thumb drive which has a 'locker'. I use the Kingston brand.

Many people like the convenience of having financial information available on their various devices. This makes me uncomfortable and I do not use my phone except to be prepared to check expected fraud while traveling.

Finally, I use a VPN anytime I am on a wireless outside of our home.

Additional thought - My son and SIL have been amazingly helpful to me. If your son is willing to take the time, I think his initial guidance is good.
 
LastPass when initially being set up will cycle through all of your browser cookies to sniff out any passwords it finds there--which shows you how insecure it is to allow your browsers to save that stuff.

I've used LastPass since 2012 and can't live without it. I also use its "Secure Notes" feature to save my driver's license and passport #s, DH's info (SSN, etc), my freeze pins at the credit bureaus, etc. etc.

There's tons of features which you can read up on.

Also, and maybe more important, is to enable two-factor authentication wherever you can. And not by using SMS as the second layer, but something like Google Authenticator, which generates a random six-digit code that you then enter when prompted.
 
LastPass when initially being set up will cycle through all of your browser cookies to sniff out any passwords it finds there--which shows you how insecure it is to allow your browsers to save that stuff.

Safari doesn't store passwords in cookies. It encrypts them in your iCloud Keychain. Not insecure at all.
 
No browser stores passwords in cookies. But all of them, even Safari, store them in a way that is discoverable by code running in the browser.
 
No browser stores passwords in cookies. But all of them, even Safari, store them in a way that is discoverable by code running in the browser.

Obviously once the password is entered in a text field Javascript can access it.

Are there actual exploits that go beyond the obvious? Any reference would be helpful.
 
The major advantage of an independent password manager is the support for multiple platforms and browsers, along with the usual (though not universal) tools for generating random passwords. Browser password managers don't do this. If you use a single platform and browser, and the browser provides a protected password manager (Safari, Chrome and Firefox do), then that's ok, as long as you generate a unique, strong password for each site.
 
While on the topic of passwords, how do folks here prefer going about creating their passwords? From your mind? Built-in password generator of password manager? Password generator website? Password generator software or app?

For me, the built in password generator in the password manager I use isn't flexible enough in that there's no way to exclude difficult to read special characters.

I've been using a combination of a website that produces readable passwords (alphanumeric) then adding in a # or % myself. Been using this along with an old password generating program to generate random numbers (for my user ids).
 
I used a password manager for a few years but I am back to using a paper notebook to track all of my passwords.
 
For me, the built in password generator in the password manager I use isn't flexible enough in that there's no way to exclude difficult to read special characters.

Actually, that's one of the things I like best about 1Password. When I activate the password generator it brings up a window that lets me customize it on the fly. Here's a sample:
generator.png
 
I used a password manager for a few years but I am back to using a paper notebook to track all of my passwords.

How's the paper notebook method working for you?

I confess that in my early days, I was one of those folks who would use passwords like name of pet, or mother's maiden name. Then eventually to add a number like password of "spot1". Then "$pot1". Also, confess to the bad practice of using the same id and password across accounts.

With a password manager, randomization is your friend.

Been digging around trying out different password generators. Found one where, "Boom!" a good password is just a couple mouse clicks away :).
 
Actually, that's one of the things I like best about 1Password. When I activate the password generator it brings up a window that lets me customize it on the fly. Here's a sample:
View attachment 26867

With 1Password, are your customization settings saved? My trusty old (circa 2002 or 2003) password generator program I was using didn't save the customization. So, I had to click and set each time.

Too many mouse clicks (or taps on a phone) becomes cumbersome in password creation.
 
How's the paper notebook method working for you?

I confess that in my early days, I was one of those folks who would use passwords like name of pet, or mother's maiden name. Then eventually to add a number like password of "spot1". Then "$pot1". Also, confess to the bad practice of using the same id and password across accounts.

With a password manager, randomization is your friend.

Been digging around trying out different password generators. Found one where, "Boom!" a good password is just a couple mouse clicks away :).

The paper notebook works just fine for me. I have pretty good memory and I usually remember even complex passwords after using them just a couple times, so I do not need to refer to the notebook all that often. But I do not visit hundreds of different websites as some do here (I have virtually no social media presence).

Password randomization is no issue. You can either use a password generator or create your own password. I have a letter sheet full of random letters (some in caps), numbers, and special characters or symbols. I close my eyes, point somewhere on the sheet with my finger and generate my new random password that way...
 
With 1Password, are your customization settings saved?

Yes, until I change them again, which I do often. Some sites won't let you use special characters, or only certain characters, so I check every time I create one. It's also easy to just click in the newly generated password and edit individual characters before activating it. A very flexible system.
 
When I was a kid I often found myself alone to amuse myself on my grandfather's farm. I would run around making up nonsense songs and often would keep a phrase or two for use everyday. Many of my passwords use the second character of the words in one of these phrases (first if only one character word) with a recipe of numbers and special characters that I can remember embedded in the character strings. My passwords are typically 15 or more characters long. It was a fun way of doing passwords no one could just guess but, sigh, it now looks like it wasn't so good a method after all (not long enough).
 
These days the experts are starting to warn people away from shorter passwords even with special symbols. Much longer passwords--which can be phrases that are far more easily remembered--are considered far more secure.

This is a great visual explanation:

password_strength.png
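
The generator behaviour discussed in this thread (leaving out hard-to-read characters, dropping symbols for sites that reject them) and the length argument above, as an added example that is not part of the thread. The symbol set, the ambiguous-character list and the tiny word list are assumptions made for illustration; entropy figures are upper bounds for uniformly random choices.

```python
import math
import secrets
import string

# Characters that are easy to misread when copying a password by eye.
AMBIGUOUS = set("O0oIl1|`'\"")
DEFAULT_SYMBOLS = "#%!@$^&*-_+="   # assumed set; narrow it per site

def char_classes(symbols=DEFAULT_SYMBOLS, exclude=AMBIGUOUS):
    """Usable character classes after removing excluded characters."""
    raw = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, symbols]
    kept = ["".join(c for c in cls if c not in exclude) for cls in raw]
    return [cls for cls in kept if cls]

def generate(length=16, symbols=DEFAULT_SYMBOLS, exclude=AMBIGUOUS):
    """Random password from the OS CSPRNG with every class present."""
    classes = char_classes(symbols, exclude)
    if length < len(classes):
        raise ValueError("length too short to include every class")
    pool = "".join(classes)
    while True:
        # Rejection sampling: redraw the whole password rather than
        # patching characters in, so all valid passwords stay equally likely.
        pw = "".join(secrets.choice(pool) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in classes):
            return pw

def passphrase(wordlist, words=6, sep="-"):
    """Random words; strength comes from list size and word count."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))

def entropy_bits(choices, picks):
    """Bits of entropy for `picks` uniform draws from `choices` options."""
    return picks * math.log2(choices)

if __name__ == "__main__":
    pool = sum(len(c) for c in char_classes())
    print(generate(), f"~{entropy_bits(pool, 16):.0f} bits")
    print(generate(symbols=""), "(site that rejects special characters)")
    # Constructed sample list, far too small for real use.
    sample = ["spot", "farm", "song", "sheet", "locker", "thumb", "drive"]
    print(passphrase(sample),
          f"{entropy_bits(7776, 6):.1f} bits if drawn from 7776 words")
```
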
 
An example with my "Go to" password generator I found in the middle of the night.

I have the program in the quick launch bar on my Windows PC. As soon as the program launches a password is created and copied to the clipboard. If I like the password, all I have to do is copy and paste to my password manager :cool:. Otherwise, refresh until I like the one generated.

The settings are saved, which is important, as most of the time I'll be creating passwords that are 16 characters long with the other set attributes.
 

Yes, until I change them again, which I do often. Some sites won't let you use special characters, or only certain characters, so I check every time I create one. It's also easy to just click in the newly generated password and edit individual characters before activating it. A very flexible system.


Yes, I've used the strategy of editing individual characters too when I have to.
 
After trying a number of password managers, I've grown accustomed to LastPass and have been quite happy with it. Its cross platform capability is great and I have it set up on my phone with fingerprint ID. With its prompt whenever entering login info on a website, it makes it easy to build its database pretty much automatically when you first start using it and anytime you add a website. It has the random password generator with customization for sites that exclude certain characters. It has autofill that works well and on a number of websites, it works without you having to click any buttons at all although that behavior can also be controlled.
 
The paper notebook works just fine for me...
What happens if you want to visit a website while not at home, say on a mobile device, or someone's computer? Just curious as I'm struggling with developing a system myself.
 
An example with my "Go to" password generator I found in the middle of the night.

Is this a web-based generator? I have read that web-based ones aren't very safe as they can store/transmit data about the PWs they generate.
 
Is this a web-based generator? I have read that web-based ones aren't very safe as they can store/transmit data about the PWs they generate.

No, not web generated. It is a free Windows program called "Awesome Password Generator".
 