
How best to manage strong passwords?

Seek assistance with all types of tech. - computer, phone, TV, heating controls etc.
Clariman

How best to manage strong passwords?

#177995

Postby Clariman » November 3rd, 2018, 10:18 pm

I have received a spam email which actually shows a password that I have used in the past in the subject line (one of those ones that demands bitcoin payments otherwise it will show all your dodgy websites to your pals etc.). The website https://haveibeenpwned.com/ confirms that the userid has been compromised on the Android forums. More worryingly my main email account also appears as having been compromised. That concerns me more, so I will change passwords and I want to take a look at how best to manage passwords in the future.

Is a password manager a good idea? My worry has always been that if someone hacks the password manager site then they have access to everything.

Any recommendations on how to handle websites, passwords, security etc., gratefully received. The more I read the more I see recommendations to use a password manager such as 1password.

Thanks
C

Lanark

Re: How best to manage strong passwords?

#178001

Postby Lanark » November 3rd, 2018, 11:30 pm

These days I think you need some kind of generator/manager.

Here's a comparison:
https://ss64.com/docs/security.html

mc2fool

Re: How best to manage strong passwords?

#178002

Postby mc2fool » November 3rd, 2018, 11:36 pm

KeePass. https://keepass.info/

It's a local database, not an online one, so make sure you have a good backup system.

I use it along with the Firefox add-on Kee (not necessary but useful). https://www.kee.pm/

kiloran

Re: How best to manage strong passwords?

#178003

Postby kiloran » November 3rd, 2018, 11:44 pm

Another vote for Keepass.
Works on Windows, Linux and Android.
Just make sure you keep one or more backup copies of the file containing all of your passwords.

--kiloran

Breelander

Re: How best to manage strong passwords?

#178005

Postby Breelander » November 3rd, 2018, 11:49 pm

https://xkcd.com/936/
This work is licensed under a Creative Commons Attribution-NonCommercial 2.5 License.

mc2fool

Re: How best to manage strong passwords?

#178006

Postby mc2fool » November 4th, 2018, 12:22 am

Breelander wrote:...

Easy to remember hard to guess is very good advice for your master password.

For the other several dozen/score/hundred a password manager is a good idea.

Itsallaguess

Re: How best to manage strong passwords?

#178008

Postby Itsallaguess » November 4th, 2018, 4:42 am

kiloran wrote:Another vote for Keepass.

And another vote for Keepass from me too (https://keepass.info/)

I've used it for years, and would highly recommend it, although I use mine in a way that I think adds a significant additional security layer to the application, and adds other potential security benefits too, if required:

I use the last 'known good' version of Truecrypt (https://www.grc.com/misc/truecrypt/truecrypt.htm) to install a hidden, encrypted volume on my PC. When this hidden, encrypted volume is mounted using a simple DOS script, it asks for a password before then mounting the Truecrypt partition as what then looks like a quite normal drive partition on my computer.

Once that's done (and it's important to again recognise the password-enabled security layer that's needed to do this), I then install Keepass 'inside' that hidden, encrypted Truecrypt partition. The Keepass password-database is of course encrypted itself, and the application will only open when a second password is entered to gain full access to the utility.

When I've finished using Keepass, I simply close the utility and then un-mount the Truecrypt volume from my PC, leaving the encrypted Keepass password database then living inside a hidden, encrypted Truecrypt volume on my PC.

I really do like the above process, as it gives me a lot of good benefits:

1. Two quite distinct security layers (Truecrypt / Keepass) between anyone using my PC and my important password information. Having no 'single-point-of-failure' by using these two distinct security layers is a really good benefit of the above process.

2. A hidden Truecrypt volume that can be mounted and un-mounted, and used to store any types of security-sensitive information and files, so not just the Keepass utility and password-database used in the above example - any files can be copied into the hidden Truecrypt volume, and then when the volume is un-mounted, a good layer of security then stops anyone else accessing those files.

3. The ability to keep copies of the Truecrypt volume (just a simple PC file) in safe locations away from the main PC. If anyone got their hands on the file, there are two really secure layers of password-protected security that anyone needs to get through (Truecrypt, and then Keepass) for them to be able to access my important password information.

4. Back-ups of the Truecrypt file are completely portable, and can be used on any other Truecrypt-enabled machine, and I have access to a number of these, so my sensitive data can always be accessed using a number of methods, all of which are quite safe due to the requirement of the two distinct passwords required to mount the drive, and then access the Keepass password information.

5. I now only ever need to remember just two relatively strong passwords to gain access to the important information that I need. One password to mount the Truecrypt drive, and then a second password to open the Keepass utility. Everything else is inside the Keepass tool, and I can make those passwords as strong as I like, with no need to ever feel the need to remember them. They are stored and accessed by the Keepass utility, and are copied to where they need to go as and when I need them.

6. No more little black book in a drawer somewhere...

Cheers,

Itsallaguess

UncleEbenezer

Re: How best to manage strong passwords?

#178011

Postby UncleEbenezer » November 4th, 2018, 5:51 am

mc2fool wrote:KeePass. https://keepass.info/

It's a local database, not an online one, so make sure you have a good backup system.

I use it along with the Firefox add-on Kee (not necessary but useful). https://www.kee.pm/

A local database has a similar risk to an online one. A burglar gets it; an online attack while you're online might get it; a person getting an opportunistic moment at your laptop might copy it. An online database is likely to be inherently more secure on account of being professionally managed, but also vulnerable on account of being a high-value target and thus something an attacker might put serious effort into.

In both cases, your primary defence is to ensure anything that matters is encrypted. That's what a password manager does for you. Whether it's local or online, it doesn't matter if someone gets the data, so long as you don't tell them your passphrase to unlock it. This is not like a credit card, where you can circumvent chip-and-pin by just reading the numbers to use it online or over the 'phone, or use the magnetic stripe locally.

UncleEbenezer

Re: How best to manage strong passwords?

#178012

Postby UncleEbenezer » November 4th, 2018, 5:59 am

Breelander wrote:https://xkcd.com/936/
This work is licensed under a Creative Commons Attribution-NonCommercial 2.5 License.

... and through ingenious cartoons, we've addressed a different (but deceptively similar) problem to that of managing actual passwords. xkcd's solution doesn't help with the real problem, which is dealing with lots of different passwords.

Dod101

Re: How best to manage strong passwords?

#178019

Postby Dod101 » November 4th, 2018, 8:10 am

I feel slightly better now because recently I had a very similar email to the OP and it is a horrible feeling, as if I have been personally compromised. I guess I have not been specially picked out! On reflection my password was very simple as I now realise and of course I immediately changed it (probably to something just as easily guessed).

Fundamentally though I have often wondered why just because you want to buy say printer ink or something you need a password. There are loads of sites where unless they are holding my credit card details (which they should not be doing) there seems to me to be no need for a password.

On the subject of keepass do we choose a password along the lines of Bree's example?

Dod

RececaDron

Re: How best to manage strong passwords?

#178025

Postby RececaDron » November 4th, 2018, 9:22 am

Dod101 wrote:I feel slightly better now because recently I had a very similar email to the OP and it is a horrible feeling, as if I have been personally compromised. I guess I have not been specially picked out! On reflection my password was very simple as I now realise and of course I immediately changed it (probably to something just as easily guessed).

Your password will have been obtained from a general website data breach, not from someone targeting you personally, or guessing your password.

e.g.
https://www.actionfraudalert.co.uk/imag ... isaV_2.png

For each website where you have an account, you should have a lengthy, unique, randomly generated password, none of which need be remembered because they'll be stored within a secure password tool of some sort, protected by a complex master password. That master password, which itself needs to be a secure machine-unguessable one, is the only one you need to remember, and you can follow techniques like the one suggested above perhaps. By having unique passwords for each and every account, a data breach of any individual site (something which will inevitably occur from time to time) doesn't provide access to any of your other accounts.

Additionally, enable Two Factor Authentication on every website where it's offered, including and in particular any online email accounts you have.

Most people don't do any of this, and instead have one or two passwords or variations they use for the dozens or even hundreds of websites they're registered with, and as such are sitting ducks. By following the suggestions above, you'll immediately be in a better position than 99% of online users.

Clariman

Re: How best to manage strong passwords?

#178029

Postby Clariman » November 4th, 2018, 9:36 am

Thanks everyone. That is really helpful. Roughly speaking, how long does it take to set up something like keepass on laptop, tablet and phone? By "setup" I mean install and recreate passwords to all the existing sites that I use (obviously dependent on the number). Just looking for an order of magnitude, e.g. do I need to set aside an hour, half a day or a day to set it all up.

Thanks
C

UncleEbenezer

Re: How best to manage strong passwords?

#178030

Postby UncleEbenezer » November 4th, 2018, 9:48 am

Dod101 wrote:I feel slightly better now because recently I had a very similar email to the OP and it is a horrible feeling,

Recommended reading: https://www.theregister.co.uk/2018/10/2 ... ail_video/

You could read the comments too, from a bunch of cynical techies.

mc2fool

Re: How best to manage strong passwords?

#178041

Postby mc2fool » November 4th, 2018, 10:59 am

Clariman wrote:Thanks everyone. That is really helpful. Roughly speaking, how long does it take to set up something like keepass on laptop, tablet and phone? By "setup" I mean install and recreate passwords to all the existing sites that I use (obviously dependent on the number). Just looking for an order of magnitude, e.g. do I need to set aside an hour, half a day or a day to set it all up.

That's an entirely how-long-is-a-bit-of-string question. :D The first thing to do is to find out how many logins you've got -- which will almost certainly be quite a few more than you think!

If you let us know which browser(s) you're using then folks can advise on how to export the stored logins (which you'll need to import into KeePass). Then you can look through those and figure out which ones you don't want anymore (and log in to those sites and delete the account).

Then you're going to have to go through each site's change-my-password mechanism, which could be anything from a couple of clicks and pasting in your new (generated) password (twice), to having to give three "memorable" answers and entering a code they send to your mobile phone, etc, etc.

Setting up KeePass itself and importing your existing logins can be simple, but if you want to make more than just the most basic use of it then you'll need to spend some time reading up and setting up, although it can mostly be done incrementally, an entry at a time.

E.g. some things you might want to do are organise your login entries into folders (e.g. Banks, Forums, News Sites, etc), set up the site's icon (favicon) for entries, or set up "auto-type" to handle the "please enter characters 2,5 and 9 from your memorable place/name/date" type of passwords, etc.

kiloran

Re: How best to manage strong passwords?

#178046

Postby kiloran » November 4th, 2018, 12:04 pm

Clariman wrote:Thanks everyone. That is really helpful. Roughly speaking, how long does it take to set up something like keepass on laptop, tablet and phone? By "setup" I mean install and recreate passwords to all the existing sites that I use (obviously dependent on the number). Just looking for an order of magnitude, e.g. do I need to set aside an hour, half a day or a day to set it all up.

Thanks
C

Installing Keepass is simple, but entering or importing passwords will take time, especially if you also want to include things like the email address associated with each account, your answers to security questions, etc in addition to the main userid and password. For Windows, you might want to consider the portable version of Keepass (that's what I use) https://portableapps.com/apps/utilities ... s_portable

You must also understand that all of the data is in a single file (I think the default is database.kdb) and the PC, phone and tablet versions are independent of each other.
So if you update a password on your PC, it will NOT be automatically updated on the phone or tablet. I make all of my changes on the PC, and every now and again, I send the database.kdb file to the phone and tablet so that they all have the same info.

--kiloran

RececaDron

Re: How best to manage strong passwords?

#178048

Postby RececaDron » November 4th, 2018, 12:19 pm

There are various options for password managers, with keepass being one of them, and one that often appeals to the more tech-savvy and/or those focused more on single (eg. PC) than cross-platforms.

The various password manager options out there have different pros and cons, different strengths and weaknesses, different features, so it'd seem reasonable for someone considering using a password manager for the first time to consider all the options available to them and pick the one that seems best suited to their needs, rather than assuming that what other posters here have plumped for is automatically the best option for them also. It might be the best option, but you'd only be able to determine that after reviewing the range of options. NB there is no perfect option, all involve trade-offs.

As with investments, do some research first rather than just piling in. There's plenty of info available out there.

tea42

Re: How best to manage strong passwords?

#178052

Postby tea42 » November 4th, 2018, 1:07 pm

Secret Space Encryptor. Password generator and vault, and keep all the details of your bank accounts and logins for everything. Used it for years. Great encryption tools for text, files and directories too. Easy to share across tablet phone and PC. Soooo simple to use. Beats keepass, been there done that…

mc2fool

Re: How best to manage strong passwords?

#178059

Postby mc2fool » November 4th, 2018, 1:45 pm

kiloran wrote:You must also understand that all of the data is in a single file (I think the default is database.kdb) and the PC, phone and tablet versions are independent of each other.
So if you update a password on your PC, it will NOT be automatically updated on the phone or tablet. I make all of my changes on the PC, and every now and again, I send the database.kdb file to the phone and tablet so that they all have the same info.

There's a number of ways to handle that, of which mine is, admittedly, not the simplest, but works for me :D

I have a desktop and a laptop, both of which I can and often do create new or change existing KeePass entries on, and I have an Android phone which uses the KeePass database as effectively read-only.

KeePass has a Synchronization feature which will synchronise the changes in two databases, and I use that to synchronise the database on each of the desktop and laptop with a "central" one on a USB flash drive served by my router. This is all done automatically by triggers and scripts, which also copy the db to end-to-end encrypted online storage which is available from my phone. And they also automatically take backups...

mc2fool

Re: How best to manage strong passwords?

#178061

Postby mc2fool » November 4th, 2018, 1:54 pm

RececaDron wrote:There are various options for password managers, with keepass being one of them, and one that often appeals to the more tech-savvy and/or those focused more on single (eg. PC) than cross-platforms.

I'm not sure why you think that second part. I use it on Windows and Android and I know other Lemons use it on those and Linux too.

swill453

Re: How best to manage strong passwords?

#178073

Postby swill453 » November 4th, 2018, 3:41 pm

Breelander wrote:https://xkcd.com/936/

The problem is that a lot of sites won't accept a password like that. Rules like - must have punctuation (also can't have punctuation), must have a number, must have capitals, limits on length, etc. etc., so you end up with a difficult to remember one anyway.

Scott.
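As an added illustration (not code from any poster in this thread), tying together Breelander's xkcd 936 passphrase, mc2fool's point that only the master password needs to be memorable, and swill453's complaint about site composition rules: a CSPRNG-based master passphrase and per-site password generator with the entropy arithmetic spelled out. The wordlist and the site policy are constructed placeholders; a real diceware-style list has thousands of words.

```python
import math
import secrets
import string

# Constructed stand-in for a diceware-style wordlist; a real list (the
# 2048-word list xkcd 936 assumes) gives 11 bits per word instead of 4 here.
WORDLIST = [
    "correct", "horse", "battery", "staple", "lemon", "quarter", "river",
    "planet", "copper", "window", "garden", "silver", "marble", "jacket",
    "candle", "meadow",
]

# A typical "must have upper, lower, digit and punctuation" site policy of
# the kind swill453 describes; constructed, not any real site's rules.
MIN_LEN = 12
SYMBOLS = "!#$%&*+-=?@_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def entropy_bits(choices_per_position: int, positions: int) -> float:
    """Entropy of `positions` independent uniform picks from `choices_per_position`."""
    return positions * math.log2(choices_per_position)


def master_passphrase(words: int = 4, wordlist=WORDLIST) -> str:
    """xkcd-936 style memorable master passphrase drawn with a CSPRNG."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def meets_policy(pw: str) -> bool:
    """True if pw satisfies the constructed composition policy above."""
    return (
        len(pw) >= MIN_LEN
        and any(c.islower() for c in pw)
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in SYMBOLS for c in pw)
    )


def site_password(length: int = 20) -> str:
    """Random per-site password that satisfies meets_policy().

    Rejection sampling keeps the result uniform over the compliant strings,
    so entropy is only marginally below length * log2(len(ALPHABET)).
    """
    if length < MIN_LEN:
        raise ValueError("length below policy minimum")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


if __name__ == "__main__":
    print(master_passphrase(), f"~{entropy_bits(len(WORDLIST), 4):.0f} bits here, "
          f"{entropy_bits(2048, 4):.0f} bits with a 2048-word list")
    print(site_password(), f"~{entropy_bits(len(ALPHABET), 20):.0f} bits")
```

The master passphrase is the only one a person has to remember; the site passwords go straight into the manager and are pasted when needed, as mc2fool describes.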

