
How best to manage strong passwords?

Seek assistance with all types of tech. - computer, phone, TV, heating controls etc.
scrumpyjack
Lemon Quarter
Posts: 4816
Joined: November 4th, 2016, 10:15 am
Has thanked: 606 times
Been thanked: 2675 times

Re: How best to manage strong passwords?

#178118

Postby scrumpyjack » November 4th, 2018, 7:45 pm

Of course you really don't know what coding the programmers of Keepass or Lastpass have put in their software. They say it's all only on your local drive and encrypted, but you cannot be certain that a programmer hasn't put code in it that sends the passwords somewhere else or whatever. It's a black box which you have no way of verifying what's in that box in terms of coding.

Maybe I'm just paranoid?

mc2fool
Lemon Half
Posts: 7812
Joined: November 4th, 2016, 11:24 am
Has thanked: 7 times
Been thanked: 3017 times

Re: How best to manage strong passwords?

#178122

Postby mc2fool » November 4th, 2018, 8:09 pm

scrumpyjack wrote:Of course you really don't know what coding the programmers of Keepass or Lastpass have put in their software. They say it's all only on your local drive and encrypted, but you cannot be certain that a programmer hasn't put code in it that sends the passwords somewhere else or whatever. It's a black box which you have no way of verifying what's in that box in terms of coding.

Maybe I'm just paranoid?

In the case of KeePass, yes, you are :D

KeePass isn't a black box, it's open source. You can download the source code from https://sourceforge.net/projects/keepas ... 02.x/2.40/ and examine it, change it if you like, and build it yourself, and while the vast majority of users won't do that, there's enough enthusiasts that will that any differences between the released binaries and the public source code would be loudly alarmed.

LastPass, OTOH, is proprietary, is an online database, and has suffered several security incidents. https://en.wikipedia.org/wiki/LastPass

uspaul666
2 Lemon pips
Posts: 232
Joined: November 4th, 2016, 6:35 am
Has thanked: 195 times
Been thanked: 111 times

Re: How best to manage strong passwords?

#178127

Postby uspaul666 » November 4th, 2018, 9:15 pm

Clariman wrote:I have received a spam email which actually shows a password that I have used in the past in the subject line (one of those ones that demands bitcoin payments otherwise it will show all your dodgy websites to your pals etc.). The website https://haveibeenpwned.com/ confirms that the userid has been compromised on the Android forums. More worryingly my main email account also appears as having been compromised. That concerns me more, so I will change passwords and I want to take a look at how best to manage passwords in the future.

Is a password manager a good idea? My worry has always been that if someone hacks the password manager site then they have access to everything.

Any recommendations on how to handle websites, passwords, security etc, gratefully received. The more I read the more I see recommendations to use a password manager such as 1password

Thanks
C

(My bold)
If you got the same email as I got a couple of days ago then I’m guessing you think your email account, in particular, has been hacked because the email itself appears to have been sent by (or come from) you. If this is the case then be aware that the “From:”, the “Reply-to:” and “Sent-by:” value can all be faked/hacked and should really be ignored or untrusted.
Just to add to the good advice so far, another vote for keepass and the easiest way to make a strong password is to use a long password.
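Added example (editor's note, not part of uspaul666's post or any other post in this thread): the point above is that From:, Reply-To: and similar headers are whatever the sender typed. What a receiving mail server actually stamps is an Authentication-Results header with the SPF, DKIM and DMARC outcome, and that is the header worth reading, which goes a little beyond the post. Both messages below are constructed; example.com, mx.example.com and the other names are made up stand-ins for your domain and your provider's inbound server.

```python
"""Decide whether a mail with your own address in From: was really sent
through your provider. Added example; the two messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: a sextortion mail whose From: is forged to the recipient's own
# address. The receiving server (mx.example.com) has stamped its own
# Authentication-Results header, which is the part worth reading.
SPOOFED = """\
Return-Path: <bounce-9912@mail-relay.example.net>
Received: from mail-relay.example.net (mail-relay.example.net [198.51.100.23])
    by mx.example.com with ESMTP id 1abc2def
Authentication-Results: mx.example.com;
    spf=fail smtp.mailfrom=mail-relay.example.net;
    dkim=none;
    dmarc=fail header.from=example.com
From: "Alice" <alice@example.com>
Reply-To: <payme@throwaway.example.org>
To: <alice@example.com>
Subject: Your password is hunter2

Pay 0.5 BTC or I send the recordings to your contacts.
"""

# Constructed: a genuine note-to-self that passed SPF, DKIM and DMARC.
GENUINE = """\
Return-Path: <alice@example.com>
Received: from smtp.example.com (smtp.example.com [203.0.113.5])
    by mx.example.com with ESMTPS id 9zyx8wvu
Authentication-Results: mx.example.com;
    spf=pass smtp.mailfrom=example.com;
    dkim=pass header.d=example.com;
    dmarc=pass header.from=example.com
From: "Alice" <alice@example.com>
To: <alice@example.com>
Subject: reminder

Renew the ISA before April.
"""

def _domain(header_value):
    """Domain part of the first address in a header, lower-cased ('' if none)."""
    addr = parseaddr(header_value or "")[1]
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def _auth_result(auth_header, mechanism):
    """Extract pass/fail/none for spf, dkim or dmarc from Authentication-Results."""
    m = re.search(rf"\b{mechanism}=(\w+)", auth_header, re.I)
    return m.group(1).lower() if m else "none"

def assess(raw_message, my_authserv_id):
    """Return what the visible headers actually prove about the sender.

    my_authserv_id is the identifier your own inbound server writes at the
    start of Authentication-Results. A sender can add a forged copy of that
    header too, so results are only trusted when the header names your server.
    """
    msg = message_from_string(raw_message)
    auth = msg.get("Authentication-Results", "")
    stamped_by_me = auth.strip().lower().startswith(my_authserv_id.lower())
    verdicts = {m: (_auth_result(auth, m) if stamped_by_me else "untrusted")
                for m in ("spf", "dkim", "dmarc")}

    from_domain = _domain(msg.get("From"))
    return_path_domain = _domain(msg.get("Return-Path"))
    reply_to_domain = _domain(msg.get("Reply-To"))

    red_flags = []
    if return_path_domain and return_path_domain != from_domain:
        red_flags.append("envelope_sender_mismatch")   # bounces go somewhere else
    if reply_to_domain and reply_to_domain != from_domain:
        red_flags.append("reply_to_mismatch")          # replies go somewhere else
    if verdicts["dmarc"] != "pass":
        red_flags.append("dmarc_not_pass")             # From: domain not proven

    return {
        "from_domain": from_domain,
        "return_path_domain": return_path_domain,
        "reply_to_domain": reply_to_domain,
        **verdicts,
        # Only a DMARC pass ties the From: domain to an authenticated sender.
        "from_authenticated": verdicts["dmarc"] == "pass",
        "red_flags": red_flags,
    }

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(label, assess(raw, "mx.example.com"))
```

In a real mailbox you get the raw headers via "show original" or equivalent; the header names and the `mechanism=result` syntax are standard, only the server identifier differs per provider.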

Dod101
The full Lemon
Posts: 16629
Joined: October 10th, 2017, 11:33 am
Has thanked: 4343 times
Been thanked: 7534 times

Re: How best to manage strong passwords?

#178227

Postby Dod101 » November 5th, 2018, 1:32 pm

I have been thinking about this again since I last contributed to this thread. I have a large number of passwords but in fact only less than half a dozen that to me really matter. Obviously my online banking is one but at least as important are the two giving access to my ISAs where the values are much higher than in my bank accounts.

After that there will be one or two such as Amazon (where they hold details of a debit visa card. Should I remove these details?) but I cannot think of any others that matter very much. In fact it is simply a nuisance and I do not know why online retailers require me to have a password anyway. It is me trying to buy from them not the other way round.

If my logic is correct then going to the trouble of keepass is the old sledgehammer to crack a nut and I might be better simply to change the passwords more regularly and make them longer.

Any thoughts?

Dod

tea42
Lemon Slice
Posts: 440
Joined: March 9th, 2017, 8:28 am
Has thanked: 77 times
Been thanked: 169 times

Re: How best to manage strong passwords?

#178279

Postby tea42 » November 5th, 2018, 4:10 pm

Secret Space Encryptor saves all your passwords in a password protected encrypted file on your device. You can copy that file to other devices or machines on which you can then put a copy of the program to access the passwords or documents elsewhere.

I would be wary of anything that kept your passwords online. We are always reading of password disasters by hackers gaining access to online stuff. If your sensitive information is well encrypted and in a place controlled only by you it's more secure.

XFool
The full Lemon
Posts: 12636
Joined: November 8th, 2016, 7:21 pm
Been thanked: 2608 times

Re: How best to manage strong passwords?

#178302

Postby XFool » November 5th, 2018, 6:17 pm

tea42 wrote:I would be wary of anything that kept your passwords online. We are always reading of password disasters by hackers gaining access to online stuff. If your sensitive information is well encrypted and in a place controlled only by you it's more secure.

Yep. That's why I use Post It notes.

Hack this! :)

Breelander
Lemon Quarter
Posts: 4179
Joined: November 4th, 2016, 9:42 pm
Has thanked: 1000 times
Been thanked: 1855 times

Re: How best to manage strong passwords?

#178304

Postby Breelander » November 5th, 2018, 6:23 pm

XFool wrote:Yep. That's why I use Post It notes.
Hack this! :)


That's so low-tech - I use a text file. ;)


No, seriously, I do - but what I write in the text file is a cryptic reminder of how I chose each password that only makes sense to me.

torata
Lemon Slice
Posts: 521
Joined: November 5th, 2016, 1:25 am
Has thanked: 203 times
Been thanked: 210 times

Re: How best to manage strong passwords?

#178343

Postby torata » November 5th, 2018, 10:32 pm

Dod101 wrote:If my logic is correct then going to the trouble of keepass is the old sledgehammer to crack a nut and I might be better simply to change the passwords more regularly and make them longer.

Any thoughts?

Dod


Dod

I think you'll find once you've started using one, you won't want to go back. You certainly won't want to remember passwords again apart from a couple of master passwords and maybe your cloud storage if that's were you keep backups.

I use LastPass (online, with an extension into all my browsers), with a long passphrase to activate it, for my less important passwords, like Lemon Fool. It fills in the passwords automatically when sites open, and updates automatically when the password is made or changed. Absolutely no effort at all.
(My understanding is that it only stores the encrypted passwords online; all encryption and decryption is done on the local PC)

Then KeePass to include the more important passwords like financials, again with a long passphrase. KeePass can be used in various sophisticated ways, or you can use it almost like a notepad and just copy and paste the passwords, etc. I keep my CC details in KeePass and enter them every time on Amazon et al.

torata

superFoolish
Lemon Slice
Posts: 253
Joined: November 7th, 2016, 12:28 am
Been thanked: 57 times

Re: How best to manage strong passwords?

#178368

Postby superFoolish » November 6th, 2018, 6:39 am

I have been using Keepass on my PC and iOS devices for a few years. The Keepass database is kept in the cloud - not Google or Dropbox, but one that is based on ownCloud, which is open source. The ownCloud server that I use is free for a small amount of storage; more than enough for my passwords. There are lots of these services about, so DYOR and ensure that you are happy with their security. Any changes to the Keepass file on my PC are automatically synchronised and become available to my portable devices. I think I may have paid $1.50 for the ownCloud iOS app (one of the few apps I have ever paid for)!

For really important information (i.e. finances) stored in my Keepass file, I further obfuscate information and do not automate entry of credentials. For example, I don't enter the name or URL of a bank, and I change some details. For example, I might switch certain digits in the account number, password and PIN. Even if someone accessed the Keepass file and somehow associated an entry with a specific bank, they would have to figure out which digits to swap. This sounds more inconvenient than it is in practice; copying and pasting, and making the changes when logging-in takes less than 5 seconds. Probably over-paranoid, but it makes me happy.

There is an inherent risk in storing the password file online, but there's always going to be a risk at some point. You can reduce your chances of being hacked, by using lesser-known online services and, for example, renaming the KeePass file to something that is not at all related to passwords and burying it in a folder with other boring-looking, similar-sized files. Along with a strong master password, I am satisfied that it is secure enough.

This has worked very well for me, for a few years now; I find it convenient enough to use it consistently for all my important passwords.

For trivial sites that contain no personal information and for which I use disposable email addresses, I tend to use Firefox's built-in password manager. I have an anonymous gmail account (e.g. madeup1234@gmail.com) and use email addresses such as madeup123+identifier@gmail.com for those websites. It aids in tracking where spam is coming from, and ensures there is no link with any of my 'real' email addresses. If I lost control of that gmail account, it would be of little consequence to me.

With regards to how long it takes to set it up, I probably spent an hour or two installing Keepass on my device and setting up the cloud synchronisation. I then entered my important financial accounts; maybe another half hour or so. I added the other accounts into Keepass 'organically', allowing Keepass to generate strong passwords.

One important thing to remember is to ensure that someone else (significant other?) knows how to access the information and, importantly, knows how to use it. My wife is very IT-competent, but we still sit down at least once a month, and she will log in and access various accounts, just to keep the processes (and master password) in her memory.

A related, but non-IT tip; we have details of all our financial arrangement stored in a location accessible to our trusted family-members. It's would be a nightmare for them to locate everything if both my wife and I popped our clogs simultaneously, especially as we have investments in multiple countries. My parents, now in their late 70s, have done this for us for many years now; whenever they leave the country, we receive an updated list of their financial affairs.

Whilst I am at it, here's one more tip (nothing to do with passwords): I photograph and email all significant purchase receipts to myself at receipts@mydomain.com, with a subject containing the store name and item description. This takes fewer than 30 seconds, and automatically goes into a receipts folder in a Gmail account. Fantastic for return of faulty items - I never have to think about where a receipt is any more, as Gmail has brilliant search facilities. This weekend, we bought some kitchen knives that have a 25 year warranty, so I did my usual photo-to-email thing, then pondered what kind of email system I might be using in my mid seventies! Whatever it is, I'll just need to type, or say, (or think!) 'kitchen knives receipt' (and hope that the manufacturer is still in business).

formoverfunction
Lemon Slice
Posts: 329
Joined: June 12th, 2018, 9:27 pm
Has thanked: 86 times
Been thanked: 115 times

Re: How best to manage strong passwords?

#178402

Postby formoverfunction » November 6th, 2018, 8:22 am

I use Keepass and a password generator, as I like to use at least 16 character passwords. I only ever use a password once.

If secondary approval is available I always switch that on.

When it's not in the form of a txt message, but a pin number, I keep the individual pin numbers in a Veracrypt file. The ones I use very often I just trust to memory.

I'll often create a specific "name, place of birth, mother's name" etc for each account and keep those in a safe place.

Does that slow me down? Yes, but it's nothing like the stress of dealing with changing all your passwords because some company has lost your details.

In my case, Linkedin AND 4 other companies, so far.

Dod101
The full Lemon
Posts: 16629
Joined: October 10th, 2017, 11:33 am
Has thanked: 4343 times
Been thanked: 7534 times

Re: How best to manage strong passwords?

#178423

Postby Dod101 » November 6th, 2018, 9:35 am

superFoolish and others. I realise now just how casual I am with passwords. I doubt that I will ever get to the stage of superFoolish but I will get myself sorted on this one. This is all very educational and I had no idea any of this existed.

Dod

seekingbalance
2 Lemon pips
Posts: 162
Joined: November 7th, 2016, 11:14 am
Has thanked: 16 times
Been thanked: 66 times

Re: How best to manage strong passwords?

#178480

Postby seekingbalance » November 6th, 2018, 11:44 am

I would echo formoverfunction’s point, and perhaps clarify it more - for at least the most important sites like banking, Amazon, shareholdings etc, a good suggestion is to make up fictitious answers to the common security questions, as otherwise a single hack could expose all your security answers, such as mother’s maiden name, first car, best friend, where you were born.

For all my key logins I use a long password and make up answers to the security questions, even my date of birth, so they are not common across many sites.

And they can be crazy answers!

Example:
First car - elephant
Mother’s maiden name - fizzzbomb
Place of birth - elbow

For regular sites with no financial information I simply use Safari password manager and generate the very long one off passwords and store them in Safari, which at its current iteration now has a great feature which tells you where your passwords are reused or insecure. Chrome and Firefox have similar functions.

I never hold credit card details within an online site, it is only a bit more work to add those in each time, and wherever possible I never register at all.
Last edited by seekingbalance on November 6th, 2018, 11:48 am, edited 1 time in total.
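Added example (editor's note, not from seekingbalance's post or any other post in this thread): the reuse check that Safari, Chrome and Firefox now do, written out by hand over a vault export, together with the Have I Been Pwned Pwned Passwords lookup mentioned earlier in the thread. The lookup uses the service's k-anonymity range API, where only the first five hex characters of the password's SHA-1 leave your machine and the 35-character remainder is compared locally. The vault contents and the "server" responses are constructed so that everything runs offline; the live `fetch_range` function is included for reference but is not called.

```python
"""Find passwords reused across sites and look each one up in the Pwned
Passwords corpus via the k-anonymity range API. Added example; the vault
and the range responses below are constructed."""
import hashlib
from collections import defaultdict
from urllib.request import Request, urlopen

# Constructed vault export (site -> password); all values are made up.
VAULT = {
    "bank.example":  "T9#kq2Lm!vR8xZ",
    "forum.example": "summer2018",
    "shop.example":  "summer2018",
    "mail.example":  "correct horse battery staple",
}

def find_reused(vault):
    """{password: [sites]} for every password that appears at more than one site."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    return {pw: sorted(s) for pw, s in sites_by_password.items() if len(s) > 1}

def hibp_prefix_and_suffix(password):
    """Upper-case hex SHA-1 split into the 5-char prefix that is sent and the
    35-char suffix that stays local and is compared against the response."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body):
    """The range endpoint returns one 'SUFFIX:COUNT' line per known hash."""
    counts = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep:
            counts[suffix.upper()] = int(count)
    return counts

def fetch_range(prefix):
    """Live lookup (not used in the offline run below). Add-Padding asks the
    service to pad responses so their size leaks nothing about the prefix."""
    req = Request(f"https://api.pwnedpasswords.com/range/{prefix}",
                  headers={"Add-Padding": "true", "User-Agent": "vault-audit-example"})
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

# Constructed stand-in for the server: only 'summer2018' is "known breached".
_CONSTRUCTED_CORPUS = {"summer2018": 4521}

def offline_range_lookup(prefix):
    """Builds the response the range endpoint would give for this prefix."""
    lines = ["0123456789ABCDEF0123456789ABCDEF012:3"]   # unrelated filler entry
    for pw, count in _CONSTRUCTED_CORPUS.items():
        p, s = hibp_prefix_and_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    return "\r\n".join(lines)

def audit(vault, range_lookup=offline_range_lookup):
    """Per site: is the password reused, and how often is its hash in the corpus?"""
    reused = find_reused(vault)
    report = {}
    for site, password in vault.items():
        prefix, suffix = hibp_prefix_and_suffix(password)
        counts = parse_range_response(range_lookup(prefix))
        report[site] = {"reused": password in reused,
                        "pwned_count": counts.get(suffix, 0)}
    return report

if __name__ == "__main__":
    for site, row in audit(VAULT).items():
        print(f"{site:15} reused={row['reused']!s:5} pwned_count={row['pwned_count']}")
```

To run it against the real corpus, pass `fetch_range` as `range_lookup`; the suffix comparison still happens locally, so the service never sees the full hash.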

seekingbalance
2 Lemon pips
Posts: 162
Joined: November 7th, 2016, 11:14 am
Has thanked: 16 times
Been thanked: 66 times

Re: How best to manage strong passwords?

#178481

Postby seekingbalance » November 6th, 2018, 11:46 am

And another point- make absolutely sure your email password is your most secure, and always enable two factor authentication so you get an alert if someone attempts to make a password change.

Having control of your email gives a hacker easy access to changing all your passwords.

Julian
Lemon Quarter
Posts: 1385
Joined: November 4th, 2016, 9:58 am
Has thanked: 532 times
Been thanked: 676 times

Re: How best to manage strong passwords?

#178714

Postby Julian » November 7th, 2018, 9:56 am

swill453 wrote:
Breelander wrote:https://xkcd.com/936/

The problem is that a lot of sites won't accept a password like that. Rules like - must have punctuation (also can't have punctuation), must have a number, must have capitals, limits on length, etc. etc., so you end up with a difficult to remember one anyway.

Scott.

That can be overcome by using your own personal transcription rules, e.g. any noun (doesn't have to be a proper noun) starts with a capital letter, any "s" is changed to a "5", any "i" to a "!" and any "a" to an "@" etc. so for instance "correcthorsebatterystaple" becomes "correctHor5eB@tterySt@ple". I also have fall-back rules to pad at the beginning and/or end if the transcriptions don't give me enough caps, specials or numbers to pass the format checks.

The issue is that one does need to remember which sites actually allow specials and not implement the transcriptions when typing the password into such a site. You might also notice with the example that sometimes one actually needs to make grammatical judgements! I capitalised both "battery" and "staple" because I took the decision that a battery-staple is a compound noun where both parts have similar weight and as such capitalised both parts. (I wonder whether the horse would agree with my decision.)

- Julian

Stompa
Lemon Slice
Posts: 825
Joined: November 4th, 2016, 6:29 pm
Has thanked: 152 times
Been thanked: 208 times

Re: How best to manage strong passwords?

#178722

Postby Stompa » November 7th, 2018, 10:32 am

formoverfunction wrote:I use Keepass and a password generator, as I like to use at least 16 character passwords.

Is that a different password generator to the one built in to Keepass (which seems to be capable of generating very long passwords of 1000+ characters)?

Dod101
The full Lemon
Posts: 16629
Joined: October 10th, 2017, 11:33 am
Has thanked: 4343 times
Been thanked: 7534 times

Re: How best to manage strong passwords?

#178738

Postby Dod101 » November 7th, 2018, 11:39 am

Julian wrote:That can be overcome by using your own personal transcription rules, e.g. any noun (doesn't have to be a proper noun) starts with a capital letter, any "s" is changed to a "5", any "i" to a "!" and any "a" to an "@" etc. so for instance "correcthorsebatterystaple" becomes "correctHor5eB@tterySt@ple". I also have fall-back rules to pad at the beginning and/or end if the transcriptions don't give me enough caps, specials or numbers to pass the format checks.


I read recently that your transcriptions are a waste of effort because they are altogether too well known. I saw advice somewhere that it would be better to take some phrase that you know well, say 'The Night They Drove Old Dixie Down' (but a bit longer ideally) and simply take the first letter of each word, or I suppose just to complicate it you could take the first letter of the first word, the second of the second and so on. Obviously my phrase is not much good using the first method as there are far too many Ds but you get the idea.

Dod

mc2fool
Lemon Half
Posts: 7812
Joined: November 4th, 2016, 11:24 am
Has thanked: 7 times
Been thanked: 3017 times

Re: How best to manage strong passwords?

#178750

Postby mc2fool » November 7th, 2018, 12:10 pm

Dod101 wrote:
Julian wrote:That can be overcome by using your own personal transcription rules, e.g. any noun (doesn't have to be a proper noun) starts with a capital letter, any "s" is changed to a "5", any "i" to a "!" and any "a" to an "@" etc. so for instance "correcthorsebatterystaple" becomes "correctHor5eB@tterySt@ple". I also have fall-back rules to pad at the beginning and/or end if the transcriptions don't give me enough caps, specials or numbers to pass the format checks.

I read recently that your transcriptions are a waste of effort because they are altogether too well known. I saw advice somewhere that it would be better to take some phrase that you know well, say 'The Night They Drove Old Dixie Down' (but a bit longer ideally) and simply take the first letter of each word

But that doesn't work when the site insists on your password including at least one number and at least one "special" character, which is what Julian's method was in answer to.

swill453
Lemon Half
Posts: 7962
Joined: November 4th, 2016, 6:11 pm
Has thanked: 984 times
Been thanked: 3643 times

Re: How best to manage strong passwords?

#178751

Postby swill453 » November 7th, 2018, 12:21 pm

mc2fool wrote:But that doesn't work when the site insists on your password including at least one number and at least one "special" character, which is what Julian's method was in answer to.

Quite. It's the sequence of words that makes the strong password, not the other characters.

Scott.

Julian
Lemon Quarter
Posts: 1385
Joined: November 4th, 2016, 9:58 am
Has thanked: 532 times
Been thanked: 676 times

Re: How best to manage strong passwords?

#178762

Postby Julian » November 7th, 2018, 12:46 pm

swill453 wrote:
mc2fool wrote:But that doesn't work when the site insists on your password including at least one number and at least one "special" character, which is what Julian's method was in answer to.

Quite. It's the sequence of words that makes the strong password, not the other characters.

Scott.

Indeed, or being pedantic not even "the sequence of words", simply the length of the sequence is what does it - the "words" bit is only so that the long sequences are memorable. In theory the fact that they are words actually weakens the password since it theoretically opens up the possibility of dictionary attacks but the increase in security from the sheer length of something like correcthorsebatterystaple massively outweighs the fact that the components are recognisable words. Doing even obvious transcriptions within those words does not reduce the length of the password hence has no detrimental effect on length or the strength.

Incidentally, re Dod's comment, I actually do use the first-letter-of-each-word-in-a-phrase technique rather than the correcthorse... technique but use transcriptions as mentioned in my previous post to insert caps, numbers and specials (but not the actual transcription rules that I posted - one can't be too careful). In fact I mostly use random long passwords stored in LastPass for things like forums and other sites that I am likely to only use from home, I only use phrase-based passwords for things I might want to log into when I am out and about and even there I embed the site-specific phrase into a standard much longer phrase-based string such that all those passwords are extremely long.

- Julian
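Added example (editor's note, not from Julian's posts or any other post in this thread): the transcription-plus-fallback idea from Julian's earlier post, a checker for the usual "upper, lower, digit, special, minimum length" site rules, and the entropy arithmetic behind the point just made, that the length of the word sequence does the work and a deterministic transcription adds nothing to it. The substitution rules are the illustrative ones Julian posted (real ones should stay private), the "capitalise every word after the first" rule stands in for his noun rule because that one needs a human, and the eight-word list is a constructed toy; a real list such as a 7,776-word Diceware list is assumed in practice.

```python
"""Passphrase choice, Julian-style transcription with fallback pad, a site
policy check, and the entropy sums. Added example; wordlist and rules are
illustrative."""
import math
import secrets
import string

WORDLIST = ["correct", "horse", "battery", "staple",
            "elephant", "fizzbomb", "elbow", "lemon"]  # toy list: 8 words -> 3 bits each

# Julian's posted substitutions; illustrative only.
RULES = str.maketrans({"s": "5", "i": "!", "a": "@"})
FALLBACK_PAD = "Z7!"   # one upper, one digit, one special, for when the rules miss a class

def pick_words(n_words, wordlist=WORDLIST):
    """n words chosen with a CSPRNG; this choice is where all the entropy comes from."""
    return [secrets.choice(wordlist) for _ in range(n_words)]

def transcribe(words, rules=RULES):
    """Capitalise every word after the first (stand-in for the 'nouns get a
    capital' rule), then apply the character substitutions."""
    joined = words[0] + "".join(w.capitalize() for w in words[1:])
    return joined.translate(rules)

def meets_policy(pw, min_len=12):
    """Typical site rule: minimum length plus one of each character class."""
    return (len(pw) >= min_len
            and any(c.islower() for c in pw) and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw))

def policy_password(words):
    """Transcribe, then pad only if a class is still missing (the fallback rule)."""
    pw = transcribe(words)
    return pw if meets_policy(pw) else pw + FALLBACK_PAD

def bits_from_words(n_words, list_size):
    """Entropy of n independent choices from a list: n * log2(size). Applying a
    fixed, known transcription afterwards does not change this number."""
    return n_words * math.log2(list_size)

def bits_from_chars(length, alphabet_size):
    """Entropy of a uniformly random string over an alphabet: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    words = ["correct", "horse", "battery", "staple"]
    print(transcribe(words), meets_policy(transcribe(words)))
    print(f"4 Diceware words:           {bits_from_words(4, 7776):.1f} bits")
    print(f"8 random printable chars:   {bits_from_chars(8, 95):.1f} bits")
    print(f"4 words from this toy list: {bits_from_words(4, len(WORDLIST)):.1f} bits")
```

Four words from a 7,776-word list come to about 51.7 bits, roughly the same as eight characters drawn uniformly from all 95 printable ASCII characters (52.6 bits), which is the sense in which the words are only there for memorability; the transcription changes which characters appear but not how many equally likely choices an attacker has to cover.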

formoverfunction
Lemon Slice
Posts: 329
Joined: June 12th, 2018, 9:27 pm
Has thanked: 86 times
Been thanked: 115 times

Re: How best to manage strong passwords?

#178814

Postby formoverfunction » November 7th, 2018, 4:25 pm

Stompa wrote:
formoverfunction wrote:I use Keepass and a password generator, as I like to use at least 16 character passwords.

Is that a different password generator to the one built in to Keepass (which seems to be capable of generating very long passwords of 1000+ characters)?


Yes, I use a terminal based generator as I most often use Linux or OSX.

It spits out a screen of multiple passwords to the size, hash etc that's been selected.

If I want 16 character I request 8 and then just combine 2 of the 8 number sequences.

That will also help eliminate any bias within the code.

I noticed once that OSX's password generator produced regular sequences with "qg". May be chance, hey, it's not like I produce new passwords every day.

Hope that helps.

If it's of interest I use a lot of the applications from Tails, without using Tails itself. Especially MAT if I'm posting pictures on a site that I'm not sure strips out meta data. You can also use GIMP to do the same thing, but with a much heavier footprint.

https://en.wikipedia.org/wiki/Tails_(operating_system)
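Added example (editor's note, not from formoverfunction's post or any other post in this thread): the check a practitioner would actually run when a generator's output looks off, such as the repeated "qg" pairs mentioned above. It is a chi-square test of symbol frequencies plus a bigram count, run on a sound generator (`secrets.choice`) and on a deliberately flawed one that has the classic "random byte modulo alphabet size" bug, and the 16-character samples are built the way the post describes, from two 8-character outputs. The alphabet, sample sizes and threshold are choices made here, not anything the post specifies.

```python
"""Frequency and bigram checks for a password generator. Added example; the
biased generator is deliberately flawed to show what the test catches."""
import secrets
import string
from collections import Counter

ALPHABET = string.ascii_letters + string.digits   # 62 symbols

def gen_sound(length, alphabet=ALPHABET):
    """secrets.choice rejects out-of-range draws internally, so every symbol is equally likely."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def gen_modulo_biased(length, alphabet=ALPHABET):
    """Deliberately flawed: 256 = 4*62 + 8, so after 'byte % 62' the first eight
    symbols ('a'..'h') come up 5 times in 256 and the other 54 only 4 times."""
    return "".join(alphabet[b % len(alphabet)] for b in secrets.token_bytes(length))

def combine_two(generator, half=8):
    """The 16-from-two-8s construction described in the post."""
    return generator(half) + generator(half)

def chi_square(passwords, alphabet=ALPHABET):
    """Pearson chi-square of observed symbol counts against a uniform expectation.
    With 62 symbols there are 61 degrees of freedom, so a sound generator
    produces a statistic of about 61 on average."""
    counts = Counter("".join(passwords))
    total = sum(counts.values())
    expected = total / len(alphabet)
    return sum((counts.get(c, 0) - expected) ** 2 / expected for c in alphabet)

# Chi-square with 61 degrees of freedom exceeds roughly 100.9 with probability
# 0.001; 120 is used here so false alarms from a sound generator are negligible.
CRITICAL = 120.0

def looks_biased(passwords, alphabet=ALPHABET, critical=CRITICAL):
    return chi_square(passwords, alphabet) > critical

def most_common_bigrams(passwords, n=5):
    """Adjacent pairs recurring far more often than 1/62^2 deserve a look."""
    pairs = Counter(p[i:i + 2] for p in passwords for i in range(len(p) - 1))
    return pairs.most_common(n)

if __name__ == "__main__":
    for name, gen in (("sound", gen_sound), ("modulo-biased", gen_modulo_biased)):
        sample = [combine_two(gen) for _ in range(4000)]   # 64,000 symbols
        print(f"{name:14} chi2={chi_square(sample):7.1f} biased={looks_biased(sample)}"
              f" top bigrams={most_common_bigrams(sample, 3)}")
```

With 64,000 symbols the modulo bias pushes the statistic into the hundreds while the sound generator stays near 61; a single run with a handful of passwords would not separate them, which is why the sample is this large.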

