
How best to manage strong passwords?

stevensfo
Lemon Slice
Posts: 440
Joined: November 5th, 2016, 8:43 am
Has thanked: 105 times
Been thanked: 72 times

Re: How best to manage strong passwords?

#178832

Postby stevensfo » November 7th, 2018, 5:54 pm

The problem is that a lot of sites won't accept a password like that. Rules like - must have punctuation (also can't have punctuation), must have a number, must have capitals, limits on length, etc. etc., so you end up with a difficult to remember one anyway.


I have an advantage in knowing a few languages and use them for passwords. But the real trick is having an imagination and a sense of humour. Just a silly example: say you loved the Asterix books when you were young. His best friend was Obelix and they had magic potion. So your password could be something like 'Obelix*potion!!!'. The * stands for Asterix. The !!! means you remember reading your favourite books three times....etc.

Basically, you use a combination that you know you'll never forget cos it's so silly and it means something to you.

Steve

Stompa
2 Lemon pips
Posts: 170
Joined: November 4th, 2016, 6:29 pm
Has thanked: 8 times
Been thanked: 21 times

Re: How best to manage strong passwords?

#178855

Postby Stompa » November 7th, 2018, 7:54 pm

formoverfunction wrote:If it's of interest I use a lot of the applications from Tails, without using Tails itself. Especially MAT if I'm posting pictures on a site that I'm not sure strips out metadata. You can also use GIMP to do the same thing, but with a much heavier footprint.

Thanks, I do sometimes use Tails, but only for Tor. I must take a look at what else is in there.

mc2fool
Lemon Quarter
Posts: 1054
Joined: November 4th, 2016, 11:24 am
Has thanked: 4 times
Been thanked: 192 times

Re: How best to manage strong passwords?

#178864

Postby mc2fool » November 7th, 2018, 8:59 pm

stevensfo wrote:But the real trick is having an imagination and a sense of humour.

And a truly prodigious memory or an extremely simple online life.

stevensfo wrote:Basically, you use a combination that you know you'll never forget cos it's so silly and it means something to you.

How many such online logins that you'll never forget do you have?

superFoolish
2 Lemon pips
Posts: 218
Joined: November 7th, 2016, 12:28 am
Been thanked: 50 times

Re: How best to manage strong passwords?

#178890

Postby superFoolish » November 8th, 2018, 12:25 am

Dod101 wrote:superFoolish and others. I realise now just how casual I am with passwords. I doubt that I will ever get to the stage of superFoolish but I will get myself sorted on this one. This is all very educational and I had no idea any of this existed.


I recommend getting started with the basics immediately...

1) Install your password vault of choice (e.g. Keepass)
2) Add your most important accounts (e.g. finance) and, using the password generator, change your passwords to be unique and secure.
3) Consistently use the password vault for those accounts until you are confident in using it.

Ensure that the password vault has a unique, strong password that you can remember.

In the first instance, forget all the fancy stuff that I (and others) have mentioned. The above is far more secure than doing nothing.

Once you are confident with using your password vault, start to add your other online accounts, and whenever you create a new online account, use your vault as a matter of habit.

As mentioned, for trivial accounts (e.g. help forums into which I do not enter my real name, etc), I use my browser's built-in password store with 'disposable' gmail address combinations.

Within a couple of months, it'll be second nature and then, perhaps, you could think about the 'clever' stuff if you need it.

Howard
2 Lemon pips
Posts: 215
Joined: November 4th, 2016, 8:26 pm
Has thanked: 79 times
Been thanked: 118 times

Re: How best to manage strong passwords?

#178895

Postby Howard » November 8th, 2018, 1:08 am

This may sound rather simple, but why not just write your passwords in a notebook?

I have done this for 20 years. There is no possibility of anyone ever finding them electronically from the notebook. The important ones are written in a code which only I can decipher, so if the notebook was stolen they would be virtually impossible to decode.

This has saved me a lot of hassle and complication. In practice I only have around 20 important passwords. Yes, I do use very long passwords for the most important sites, but they are very few. My main email password is probably the longest.

For most unimportant tasks, eg buying online, I use a fairly simple password, but don't add any real personal data.

I would be reluctant to store major passwords online, however they were supposed to be encrypted.

Maybe this is a bit old-fashioned?

regards

Howard

vrdiver
Lemon Quarter
Posts: 1506
Joined: November 5th, 2016, 2:22 am
Has thanked: 237 times
Been thanked: 449 times

Re: How best to manage strong passwords?

#178896

Postby vrdiver » November 8th, 2018, 2:23 am

superFoolish wrote:I recommend getting started with the basics immediately...

Seconded.

I use KeePass but still have to remember a few passwords:
a) main email - probably biggest security risk if it gets taken over
b) KeePass database - biggest pain if it's ever lost, forgotten or corrupted (so DB is backed up and password is seared into memory)
c) Google (or Microsoft account)
d) motherboard BIOS security (PC won't boot without it)
e) Bitlocker (Windows encryption on C and D drives)

The rest are all in KeePass. I use it for everything as it avoids having to remember which accounts are trivial and which are important, or somewhere in between.

Second level security (encrypting the encrypted database file, disguising it etc.) is good, but can be done at leisure during or after the basic data is transcribed into KeePass (or whichever vault you end up selecting).

I keep a copy of my database in the cloud (pick whichever service you trust, but I tend to go for Google or Microsoft, as they are supposed to be good at this sort of thing!) which I can then access via a Chrome extension in read-only mode (i.e. no need for KeePass software to be on the browsing machine) so is accessible on any device. I prefer this versus say, LastPass, as I want control of the database, not being wholly trusting of on-line service providers whose business model makes them stand out specifically as THE place to hack for important accounts data.

I originally had my security data in a password-protected MS Word document (yes, I know!) and it probably took me a month or two to move all the data across. Not that there was a month's worth of work, just that once I'd set up KeePass, read how to use it and started playing, I typically moved a handful of accounts at any one time, rather than making a proper task of it. As they entered KeePass, so they were deleted from the MS Word document. I made it a rule to not log in to a site unless its data had been transferred. It's also the perfect time to go and change weak re-used passwords to unique, strong ones.

KeePass will let you organise your entries into folders and sub-folders, so you can group financials, insurance, social, hobbies, loyalty sites etc. together, handy when showing your trusted other what they need to access in the event, or even for when your executor sees it for the first time, having received instructions and password via your will (a potential security breach if the will is stolen and the thief can get access to your computer or backup, but something to worry about later, rather than a reason for delaying getting set up).

I tend to be creative with answers to security questions; I wish there was a site I only logged in to on a Wednesday, 'cos then I could "identify as female on Wednesdays" and actually be telling the truth :) Just be careful to consider any consequences; e.g., if a site had reason to demand documentary proof of ID then having a different D-O-B, might cause delays etc. (think banks, insurance, government and bookies - tax and money basically).

Password managers can be used as simply as a secure document - so you go in and copy/paste relevant data whenever you need it, or they can automate security processes for you. One feature of KeePass that's worth its weight in gold is the "autotype" facility, which you can customise to meet specific sites login protocols.

E.g. Bank-of-VRDiver wants me to input 3 characters from my very long and very secure password, but the three characters are randomly selected (by the bank) each time. Rather than have to open the entry in edit mode to reveal the password (or copy and paste the password to plain text to read it somewhere) and then try to figure out if character 18 is a "I", "1" or "l" etc. you can configure KeePass to let you select which characters it will return: (In KeePass, if you open the Bank-of-VRDiver entry and select the Auto-Type tab, then put {PICKCHARS:Password:ID=1,C=1}{PICKCHARS:Password:ID=2,C=1}{PICKCHARS:Password:ID=3,C=1}{TAB} in the "Override default sequence" field will, when logging into the bank, present a selection screen where you just click on the numbered circles that correspond to the characters you've been asked for).

Not the most fun you can have on a computer, but it's more fun than having your finances etc. hacked.

VRD

Dod101
Lemon Quarter
Posts: 1953
Joined: October 10th, 2017, 11:33 am
Has thanked: 343 times
Been thanked: 659 times

Re: How best to manage strong passwords?

#178912

Postby Dod101 » November 8th, 2018, 7:13 am

Thanks again. I think the superFoolish simple guide for novices is the pattern I will use to start with anyway. That seems sensible and simple to familiarise myself with how things work.

Currently I have a mixture between holding the important (and probably not very secure) passwords in my head and writing down somewhere those for what I regard as trivial sites.

I have no idea what my password is for my email. Can I recover this or set it up anew in the usual way, ie forgotten password button and start again?

VRD Again I am grateful for your comments but one step at a time for a simple soul like me.

This thread is though surely an excellent reference for the future, and not just for me but for anyone who wants to improve their online security.

Dod

stevensfo
Lemon Slice
Posts: 440
Joined: November 5th, 2016, 8:43 am
Has thanked: 105 times
Been thanked: 72 times

Re: How best to manage strong passwords?

#178916

Postby stevensfo » November 8th, 2018, 7:57 am

How many such online logins that you'll never forget do you have?


Well, in my case I tend to keep them on an email that I send to myself and reply whenever I need to change something. That way, I can access them wherever I am in the world. I just leave a cryptic clue that helps me remember the password.

If I were using that password I mentioned for this site, I may write something like:

lemool fat french guy,friend,soup,really great.

Having been a great fan of the Asterix books, that's enough to jog my memory and remember 'Obelix*potion!!!'

There are others I use with mixtures of strong swearwords in English, French and Polish that I can never forget. The mixture of foreign words with other characters makes them almost impossible to guess.

Or, I can do what many people seem to do at work. Simply write them on a post-it and stick it to the PC or under the desk! :-)

Steve

Infrasonic
Lemon Quarter
Posts: 1086
Joined: November 4th, 2016, 2:25 pm
Has thanked: 106 times
Been thanked: 161 times

Re: How best to manage strong passwords?

#178925

Postby Infrasonic » November 8th, 2018, 8:36 am

https://www.theregister.co.uk/2018/11/0 ... ncryption/

Fundamental flaws in the encryption system used by popular solid-state drives (SSDs) can be exploited by miscreants to easily decrypt data, once they've got their hands on the equipment.

A paper [PDF] drawn up by researchers Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands, and made public today, describes these critical weaknesses. The bottom line is: the drives require a password to encrypt and decrypt their contents, however this password can be bypassed, allowing crooks and snoops to access ciphered data.
Cont.

mc2fool
Lemon Quarter
Posts: 1054
Joined: November 4th, 2016, 11:24 am
Has thanked: 4 times
Been thanked: 192 times

Re: How best to manage strong passwords?

#178937

Postby mc2fool » November 8th, 2018, 9:42 am

vrdiver wrote:...which I can then access via a Chrome extension in read-only mode (i.e. no need for KeePass software to be on the browsing machine)

Which Chrome extension do you use? There seem to be several....

Howard
2 Lemon pips
Posts: 215
Joined: November 4th, 2016, 8:26 pm
Has thanked: 79 times
Been thanked: 118 times

Re: How best to manage strong passwords?

#178939

Postby Howard » November 8th, 2018, 9:48 am

Dod101 wrote:Thanks again. I think the superFoolish simple guide for novices is the pattern I will use to start with anyway. That seems sensible and simple to familiarise myself with how things work.

Currently I have a mixture between holding the important (and probably not very secure) passwords in my head and writing down somewhere those for what I regard as trivial sites.

I have no idea what my password is for my email. Can I recover this or set it up anew in the usual way, ie forgotten password button and start again?

VRD Again I am grateful for your comments but one step at a time for a simple soul like me.

This thread is though surely an excellent reference for the future, and not just for me but for anyone who wants to improve their online security.

Dod


Dod,

Do let us know how you get on. I did try using an online tool but found it over-complicated. Most important financial sites now use two factor log-in processes, so you still have to remember a second password or phrase. Where do you keep that and how do you, for example, enter the second and fifth character with an online storage tool?

This possibly won't apply to you, but if a husband and wife have an account with the same organisation, using an online manager to handle two passwords for the same site but different accounts when using the same computer and two factor log-in is complex.

Also, if using a browser like Chrome, one finds that Google have remembered your passwords as well unless you take action to stop this.

I'll be very interested to hear if you find the online storage process straightforward. And for the non-technical user, there is the concern that you are actually giving your passwords to an international organisation which you know nothing about and might not invest in. What is their culture? Do you approve of it?

In the end, a notebook may be easier and has its security attractions. I should add that mine is kept at home and I keep a very short list of passwords in my wallet for travel purposes. These are written in my "code" and would give me access to bank account etc if my phone was lost.

Good luck with the technology. I look forward to hearing your progress.

Howard

mc2fool
Lemon Quarter
Posts: 1054
Joined: November 4th, 2016, 11:24 am
Has thanked: 4 times
Been thanked: 192 times

Re: How best to manage strong passwords?

#178940

Postby mc2fool » November 8th, 2018, 9:53 am

stevensfo wrote:
How many such online logins that you'll never forget do you have?

Well, in my case I tend to keep them on an email that I send to myself and reply whenever I need to change something. That way, I can access them wherever I am in the world. I just leave a cryptic clue that helps me remember the password.

Ok, so they're not actually passwords that "you'll never forget" then, and you use email as your password "database"!

And that all works well for the 100+ passwords you've got?

UncleEbenezer
Lemon Quarter
Posts: 2670
Joined: November 4th, 2016, 8:17 pm
Has thanked: 263 times
Been thanked: 359 times

Re: How best to manage strong passwords?

#178949

Postby UncleEbenezer » November 8th, 2018, 10:24 am

Infrasonic wrote:https://www.theregister.co.uk/2018/11/05/busted_ssd_encryption/

Fundamental flaws in the encryption system used by popular solid-state drives (SSDs) can be exploited by miscreants to easily decrypt data, once they've got their hands on the equipment.

A paper [PDF] drawn up by researchers Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands, and made public today, describes these critical weaknesses. The bottom line is: the drives require a password to encrypt and decrypt their contents, however this password can be bypassed, allowing crooks and snoops to access ciphered data.
Cont.

Yes, and?

Not everyone here is techie, so let's spell it out. Those defects in certain hardware encryption have absolutely no bearing on the software encryption used by password managers as discussed in this thread.

stevensfo
Lemon Slice
Posts: 440
Joined: November 5th, 2016, 8:43 am
Has thanked: 105 times
Been thanked: 72 times

Re: How best to manage strong passwords?

#178955

Postby stevensfo » November 8th, 2018, 10:51 am

Ok, so they're not actually passwords that "you'll never forget" then, and you use email as your password "database"!

And that all works well for the 100+ passwords you've got?


Well, loads of websites have changed over the years and there are lots of logins that I haven't used for ages and probably never will. I have about 25 passwords that I need and the cryptic clues I use seem to work perfectly well.

With 100+ passwords, I admit that the system I use could start to become difficult and I would probably use an open source encryption program like Axcrypt or Truecrypt.

Steve

PS The worst cases are those sites that change their security procedures and don't seem to get round to telling me. I hadn't logged onto Santander for a few years and last time I tried, discovered that everything had changed and my codes and passnumbers etc didn't work.

Infrasonic
Lemon Quarter
Posts: 1086
Joined: November 4th, 2016, 2:25 pm
Has thanked: 106 times
Been thanked: 161 times

Re: How best to manage strong passwords?

#178964

Postby Infrasonic » November 8th, 2018, 11:27 am

UncleEbenezer wrote:
Infrasonic wrote:https://www.theregister.co.uk/2018/11/05/busted_ssd_encryption/

Fundamental flaws in the encryption system used by popular solid-state drives (SSDs) can be exploited by miscreants to easily decrypt data, once they've got their hands on the equipment.

A paper [PDF] drawn up by researchers Carlo Meijer and Bernard van Gastel at Radboud University in the Netherlands, and made public today, describes these critical weaknesses. The bottom line is: the drives require a password to encrypt and decrypt their contents, however this password can be bypassed, allowing crooks and snoops to access ciphered data.
Cont.

Yes, and?

Not everyone here is techie, so let's spell it out. Those defects in certain hardware encryption have absolutely no bearing on the software encryption used by password managers as discussed in this thread.


Dedicated software password managers aren't the only thing under discussion in this thread...
It's relevant if people are relying on SSD hardware encryption to store their passwords thinking they are 'secure'.
The linked-to thread also mentions Bitlocker.

mc2fool
Lemon Quarter
Posts: 1054
Joined: November 4th, 2016, 11:24 am
Has thanked: 4 times
Been thanked: 192 times

Re: How best to manage strong passwords?

#178965

Postby mc2fool » November 8th, 2018, 11:31 am

stevensfo wrote:
Ok, so they're not actually passwords that "you'll never forget" then, and you use email as your password "database"!

And that all works well for the 100+ passwords you've got?

Well, loads of websites have changed over the years and there are lots of logins that I haven't used for ages and probably never will. I have about 25 passwords that I need and the cryptic clues I use seem to work perfectly well.

With 100+ passwords, I admit that the system I use could start to become difficult and I would probably use an open source encryption program like Axcrypt or Truecrypt.

Yes, that's the point I was getting at, there's lots of "works for me" type of solutions that are good enough for smallish numbers of passwords but as folks may be reading this looking for solutions for themselves it's worth pointing out the limitations of them.

BTW, it'd be helpful if you used the [quote="username"] facility (rather than just [quote]) so that those you are responding to get a notification of being quoted, rather than just discovering it incidentally....

vrdiver
Lemon Quarter
Posts: 1506
Joined: November 5th, 2016, 2:22 am
Has thanked: 237 times
Been thanked: 449 times

Re: How best to manage strong passwords?

#178971

Postby vrdiver » November 8th, 2018, 12:00 pm

mc2fool wrote:
vrdiver wrote:...which I can then access via a Chrome extension in read-only mode (i.e. no need for KeePass software to be on the browsing machine)

Which Chrome extension do you use? There seem to be several....

I use CKP. I tell it where my database is (PC or cloud location) and it will match the site url I am on with entries in the database. You unlock it with the KeePass master password, but can choose for CKP to forget the master password immediately or after a period of time (30 min - to 24 hours) or remember forever (if you feel lucky!).

You can do manual searches (so if you stored "Lemon Fool" in the DB but not the actual url, you could still use it online to login, whereas a hacker would have to identify the site of interest for themselves).

You can delete entries, but I've not tried to add any (and the online DB is not my master copy anyway).

Would be happy to hear if others have a different app that has any advantages.

VRD

Julian
Lemon Slice
Posts: 422
Joined: November 4th, 2016, 9:58 am
Has thanked: 75 times
Been thanked: 104 times

Re: How best to manage strong passwords?

#178993

Postby Julian » November 8th, 2018, 1:30 pm

mc2fool wrote:
stevensfo wrote:But the real trick is having an imagination and a sense of humour.

And a truly prodigious memory or an extremely simple online life.

stevensfo wrote:Basically, you use a combination that you know you'll never forget cos it's so silly and it means something to you.

How many such online logins that you'll never forget do you have?

I definitely agree with Steve that a somewhat whacky imagination helps (not exactly what he said, I'm putting my own spin on it).

On the memory thing I try to relate the phrases (in my case phrases, but could just as well be imagery to give the words to be concatenated) to the site I am creating a password for.

For instance, if I had a Tesla car which had some associated online account that I wanted to remember the password for, I would probably either go at it from the car angle, so maybe connect it somehow with my memories and experiences of buying my first ever car, or go the company angle and connect something to my impressions of Elon Musk. Or even go off on a more extreme tangent and, since it's fairly widely acknowledged that the Robert Downey Jr Iron Man films took a lot of inspiration for the main character from Elon Musk, I might even go with an Iron Man or a Robert Downey Junior angle.

What that means to me is that when I want to remember the password I can more easily retrace my thought processes I went through in coming up with it in the first place because the starting point is always connected in some obscure way to the site/product/service/organisation that I am trying to remember the password for.

Again, imagination is crucial here because it has to be a connection so wacky, obscure and/or personal that no one else would be able to guess it.

- Julian

mc2fool
Lemon Quarter
Posts: 1054
Joined: November 4th, 2016, 11:24 am
Has thanked: 4 times
Been thanked: 192 times

Re: How best to manage strong passwords?

#179011

Postby mc2fool » November 8th, 2018, 3:51 pm

Julian wrote:I definitely agree with Steve that a somewhat whacky imagination helps (not exactly what he said, I'm putting my own spin on it).

On the memory thing I try to relate the phrases (in my case phrases, but could just as well be imagery to give the words to be concatenated) to the site I am creating a password for.

For instance, if I had a Tesla car which had some associated online account that I wanted to remember the password for, I would probably either go at it from the car angle, so maybe connect it somehow with my memories and experiences of buying my first ever car, or go the company angle and connect something to my impressions of Elon Musk. Or even go off on a more extreme tangent and, since it's fairly widely acknowledged that the Robert Downey Jr Iron Man films took a lot of inspiration for the main character from Elon Musk, I might even go with an Iron Man or a Robert Downey Junior angle.

What that means to me is that when I want to remember the password I can more easily retrace my thought processes I went through in coming up with it in the first place because the starting point is always connected in some obscure way to the site/product/service/organisation that I am trying to remember the password for.

Again, imagination is crucial here because it has to be a connection so wacky, obscure and/or personal that no one else would be able to guess it.

Having passwords that are difficult to guess is the easy part. Here's one: eh8Uq:Ajd~~6tj5Tio,3

The mechanisms you and Steve have come up with are for remembering (not so easy for humans to guess) passwords, but as with Steve's system (and as he agrees), they don't scale well, and even if you are Mr Memory, once you get beyond, oh, say 39 or so*, the steps will become increasingly difficult and you'll need to write them down somewhere. So then comes the question of what do you use for password storage?

* ;)
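An added worked example (not code from this thread, from KeePass, or from any poster) tying together three points made above: stevensfo's complaint that sites impose rules (must have a digit, a capital, punctuation, a length cap), vrdiver's KeePass {PICKCHARS} trick for banks that ask for, say, the 2nd and 5th character, and mc2fool's point that generating a hard-to-guess password is the easy part. The site policy values are constructed for illustration; the generator draws from Python's `secrets` CSPRNG the way a vault's generator would, and `pick_chars` mirrors the PICKCHARS step by returning only the requested positions rather than revealing the whole secret.

```python
import math
import secrets
import string

# Constructed example policy, standing in for the "must have a number, must
# have capitals, limits on length" rules a site might impose. Not a real site's rules.
POLICY = {
    "min_length": 12,
    "max_length": 20,
    "require": ("upper", "lower", "digit", "punct"),
}

# Character classes a policy can demand; string.punctuation is 32 ASCII symbols.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "punct": string.punctuation,
}


def satisfies(policy, password):
    """True if the password meets the length bounds and contains at least one
    character from every required class."""
    if not policy["min_length"] <= len(password) <= policy["max_length"]:
        return False
    return all(any(c in CLASSES[k] for c in password) for k in policy["require"])


def generate(policy, length=None):
    """Vault-style generator: each character is drawn uniformly from the allowed
    alphabet with a cryptographic RNG; candidates that miss a required class
    are rejected and redrawn, so the result always passes the policy."""
    length = length or policy["max_length"]
    alphabet = "".join(CLASSES[k] for k in policy["require"])
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(policy, candidate):
            return candidate


def entropy_bits(alphabet_size, length):
    """Guessing resistance of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def pick_chars(password, positions):
    """Return only the characters at the 1-based positions a bank asks for
    (e.g. 2nd and 5th), the same job KeePass's {PICKCHARS} placeholder does,
    without putting the full password on screen or on the clipboard."""
    out = []
    for p in positions:
        if not 1 <= p <= len(password):
            raise ValueError(f"position {p} out of range for a {len(password)}-character password")
        out.append(password[p - 1])
    return "".join(out)


if __name__ == "__main__":
    # The Asterix-style password from earlier in the thread fails this policy
    # (no digit), which is exactly the frustration stevensfo describes.
    print("Obelix*potion!!!", satisfies(POLICY, "Obelix*potion!!!"))
    # mc2fool's sample password passes it.
    print("eh8Uq:Ajd~~6tj5Tio,3", satisfies(POLICY, "eh8Uq:Ajd~~6tj5Tio,3"))
    pw = generate(POLICY)
    print("generated:", pw, "bits:", round(entropy_bits(94, len(pw)), 1))
    print("chars 2 and 5 of the sample:", pick_chars("eh8Uq:Ajd~~6tj5Tio,3", [2, 5]))
```

The entropy figure is the useful check when a site's rules force you to shorten a password: a 20-character draw from the full 94-symbol set is about 131 bits, whereas trimming to 12 characters to satisfy a length cap drops it to about 79, still far beyond anything a memorable phrase gives, which is the point that a vault's generator, not human ingenuity, should be producing these.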

mc2fool
Lemon Quarter
Posts: 1054
Joined: November 4th, 2016, 11:24 am
Has thanked: 4 times
Been thanked: 192 times

Re: How best to manage strong passwords?

#179012

Postby mc2fool » November 8th, 2018, 3:54 pm

vrdiver wrote:I use CKP.

Thanks, I'll check it out. I mostly use Firefox, and with that KeeFox, but I do also use Chrome occasionally, esp. on my phone, so I'll take a look....

