How best to manage strong passwords?
-
- Lemon Quarter
- Posts: 3268
- Joined: November 4th, 2016, 12:17 am
- Has thanked: 3077 times
- Been thanked: 1557 times
How best to manage strong passwords?
I have received a spam email which actually shows a password that I have used in the past in the subject line (one of those ones that demands bitcoin payments otherwise it will show all your dodgy websites to your pals etc.). The website https://haveibeenpwned.com/ confirms that the userid has been compromised on the Android forums. More worryingly my main email account also appears as having been compromised. That concerns me more, so I will change passwords and I want to take a look at how best to manage passwords in the future.
Is a password manager a good idea? My worry has always been that if someone hacks the password manager site then they have access to everything.
Any recommendations on how to handle websites, passwords, security etc, gratefully received. The more I read the more I see recommendations to use a password manager such as 1password
Thanks
C
-
- Lemon Quarter
- Posts: 1321
- Joined: March 27th, 2017, 11:41 am
- Has thanked: 595 times
- Been thanked: 582 times
Re: How best to manage strong passwords?
These days I think you need some kind of generator/manager
heres a comparison:
https://ss64.com/docs/security.html
-
- Lemon Half
- Posts: 7812
- Joined: November 4th, 2016, 11:24 am
- Has thanked: 7 times
- Been thanked: 3017 times
Re: How best to manage strong passwords?
KeePass. https://keepass.info/
It's a local database, not an online one, so make sure you have a good backup system.
I use it along with the Firefox add-on Kee (not necessary but useful). https://www.kee.pm/
-
- Lemon Quarter
- Posts: 4092
- Joined: November 4th, 2016, 9:24 am
- Has thanked: 3234 times
- Been thanked: 2827 times
Re: How best to manage strong passwords?
Another vote for Keepass.
Works on Windows, Linux and Android.
Just make sure you keep one or more backup copies of the file containing all of your passwords
--kiloran
-
- Lemon Quarter
- Posts: 4179
- Joined: November 4th, 2016, 9:42 pm
- Has thanked: 1000 times
- Been thanked: 1855 times
Re: How best to manage strong passwords?
https://xkcd.com/936/
-
- Lemon Half
- Posts: 7812
- Joined: November 4th, 2016, 11:24 am
- Has thanked: 7 times
- Been thanked: 3017 times
Re: How best to manage strong passwords?
Breelander wrote:...
Easy to remember hard to guess is very good advice for your master password.
For the other several dozen/score/hundred a password manager is a good idea.
-
- Lemon Half
- Posts: 9129
- Joined: November 4th, 2016, 1:16 pm
- Has thanked: 4140 times
- Been thanked: 10023 times
Re: How best to manage strong passwords?
kiloran wrote:
Another vote for Keepass.
And another vote for Keepass from me too (https://keepass.info/)
I've used it for years, and would highly recommend it, although I use mine in a way that I think adds a significant additional security layer to the application, and adds other potential security benefits too, if required -
I use the last 'known good' version of Truecrypt (https://www.grc.com/misc/truecrypt/truecrypt.htm) to install a hidden, encrypted volume on my PC. When this hidden, encrypted volume is mounted using a simple dos-script, it asks for a password before then mounting the Truecrypt partition as what then looks like a quite normal drive-partition on my computer.
Once that's done (and it's important to again recognise the password-enabled security layer that's needed to do this), I then install Keepass 'inside' that hidden, encrypted Truecrypt partition. The Keepass password-database is of course encrypted itself, and the application will only open when a second password is entered to gain full access to the utility.
When I've finished using Keepass, I simply close the utility and then un-mount the Truecrypt volume from my PC, leaving the encrypted Keepass password database then living inside a hidden, encrypted Truecrypt volume on my PC....
I really do like the above process, as it gives me a lot of good benefits -
1. Two quite distinct security layers (Truecrypt / Keepass) between anyone using my PC and my important password information. Having no 'single-point-of-failure' by using these two distinct security layers is a really good benefit of the above process.
2. A hidden Truecrypt volume that can be mounted and un-mounted, and used to store any types of security-sensitive information and files, so not just the Keepass utility and password-database used in the above example - any files can be copied into the hidden Truecrypt volume, and then when the volume is un-mounted, a good layer of security then stops anyone else accessing those files.
3. The ability to keep copies of the Truecrypt volume (just a simple PC file) in safe locations away from the main PC. If anyone got their hands on the file, there are two really secure layers of password-protected security that anyone needs to get through (Truecrypt, and then Keepass) for them to be able to access my important password information.
4. Back-ups of the Truecrypt file are completely portable, and can be used on any other Truecrypt-enabled machine, and I have access to a number of these, so my sensitive data can always be accessed using a number of methods, all of which are quite safe due to the requirement of the two distinct passwords required to mount the drive, and then access the Keepass password information.
5. I now only ever need to remember just two relatively strong passwords to gain access to the important information that I need. One password to mount the Truecrypt drive, and then a second password to open the Keepass utility. Everything else is inside the Keepass tool, and I can make those passwords as strong as I like, with no need to ever feel the need to remember them. They are stored and accessed by the Keepass utility, and are copied to where they need to go as and when I need them.
6. No more little-black-book in a drawer somewhere......
Cheers,
Itsallaguess
-
- The full Lemon
- Posts: 10691
- Joined: November 4th, 2016, 8:17 pm
- Has thanked: 1459 times
- Been thanked: 2965 times
Re: How best to manage strong passwords?
mc2fool wrote:KeePass. https://keepass.info/
It's a local database, not an online one, so make sure you have a good backup system.
I use it along with the Firefox add-on Kee (not necessary but useful). https://www.kee.pm/
A local database has a similar risk to an online one. A burglar gets it; an online attack while you're online might get it; a person getting an opportunistic moment at your laptop might copy it. An online database is likely to be inherently more secure on account of being professionally managed, but also vulnerable on account of being a high-value target and thus something an attacker might put serious effort into.
In both cases, your primary defence is to ensure anything that matters is encrypted. That's what a password manager does for you. Whether it's local or online, it doesn't matter if someone gets the data, so long as you don't tell them your passphrase to unlock it. This is not like a credit card, where you can circumvent chip-and-pin by just reading the numbers to use it online or over the 'phone, or use the magnetic stripe locally.
-
- The full Lemon
- Posts: 10691
- Joined: November 4th, 2016, 8:17 pm
- Has thanked: 1459 times
- Been thanked: 2965 times
Re: How best to manage strong passwords?
Breelander wrote:https://xkcd.com/936/
... and through ingenious cartoons, we've addressed a different (but deceptively similar) problem to that of managing actual passwords. xkcd's solution doesn't help with the real problem, which is dealing with lots of different passwords.
-
- The full Lemon
- Posts: 16629
- Joined: October 10th, 2017, 11:33 am
- Has thanked: 4343 times
- Been thanked: 7534 times
Re: How best to manage strong passwords?
I feel slightly better now because recently I had a very similar email to the OP and it is a horrible feeling, as if I have been personally compromised. I guess I have not been specially picked out! On reflection my password was very simple as I now realise and of course I immediately changed it (probably to something just as easily guessed)
Fundamentally though I have often wondered why just because you want to buy say printer ink or something you need a password. There are loads of sites where unless they are holding my credit card details (which they should not be doing) there seems to me to be no need for a password.
On the subject of keepass do we choose a password along the lines of Bree's example?
Dod
-
- 2 Lemon pips
- Posts: 190
- Joined: January 17th, 2018, 1:10 pm
- Has thanked: 10 times
- Been thanked: 50 times
Re: How best to manage strong passwords?
Dod101 wrote:I feel slightly better now because recently I had a very similar email to the OP and it is a horrible feeling, as if I have been personally compromised. I guess I have not been specially picked out! On reflection my password was very simple as I now realise and of course I immediately changed it (probably to something just as easily guessed)
Your password will have been obtained from a general website data breach, not from someone targeting you personally, or guessing your password.
eg.
https://www.actionfraudalert.co.uk/imag ... isaV_2.png
For each website where you have an account, you should have a lengthy, unique, randomly generated password, none of which need be remembered because they'll be stored within a secure password tool of some sort, protected by a complex master password. That master password, which itself needs to be a secure machine-unguessable one, is the only one you need to remember, and you can follow techniques like the one suggested above perhaps. By having unique passwords for each and every account, a data breach of any individual site (something which will inevitably occur from time to time) doesn't provide access to any of your other accounts.
Additionally, enable Two Factor Authentication on every website where it's offered, including and in particular any online email accounts you have.
Most people don't do any of this, and instead have one or two passwords or variations they use for the dozens or even hundreds of websites they're registered with, and as such are sitting ducks. By following the suggestions above, you'll immediately be in a better position than 99% of online users.
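Added example, not from any poster in this thread: the breach-list check behind the haveibeenpwned Pwned Passwords service works by SHA-1 hashing the password locally, sending only the first five hex characters of the hash, and matching the remaining suffix against the returned range at home, so the password itself never leaves the machine. The API response below is constructed offline (the counts are made up); `fetch_live` shows the real endpoint but is not called here.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords k-anonymity endpoint


def split_hash(password: str) -> tuple[str, str]:
    """SHA-1 the password and split into the 5-char prefix that is sent
    to the API and the 35-char suffix that stays on this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF or LF separated) into a dict.
    Padded responses include count-0 filler entries; they are dropped."""
    seen = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        try:
            n = int(count)
        except ValueError:
            continue  # ignore a malformed line rather than crash
        if n > 0:
            seen[suffix.upper()] = n
    return seen


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not seen).
    fetch_range(prefix) must return the response body for that 5-char prefix."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_live(prefix: str) -> str:
    """Real fetcher: requests only the prefix range (network required)."""
    req = urllib.request.Request(RANGE_URL + prefix, headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def build_fake_fetcher(breached: dict[str, int]):
    """Constructed offline stand-in for the API: builds range responses from
    a small dict of 'breached' passwords plus one padding entry per range."""
    table = {}
    for pw, count in breached.items():
        prefix, suffix = split_hash(pw)
        table.setdefault(prefix, []).append(f"{suffix}:{count}")

    def fetch(prefix: str) -> str:
        lines = table.get(prefix, []) + ["0" * 35 + ":0"]  # padding entry
        return "\r\n".join(lines)
    return fetch


# Constructed sample corpus; the counts are invented for the demonstration.
FAKE_FETCH = build_fake_fetcher({"password": 3730471, "letmein": 10})

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(pw, "->", breach_count(pw, FAKE_FETCH))
```

To check a real password, pass `fetch_live` instead of `FAKE_FETCH`; a non-zero count means the password has appeared in a public breach and should not be reused anywhere.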
-
- Lemon Quarter
- Posts: 3268
- Joined: November 4th, 2016, 12:17 am
- Has thanked: 3077 times
- Been thanked: 1557 times
Re: How best to manage strong passwords?
Thanks everyone. That is really helpful. Roughly speaking, how long does it take to setup something like keepass on laptop, tablet and phone? By "setup" I mean install and recreate passwords to all the existing sites that I use (obviously dependent on the number). Just looking for an order of magnitude e.g. do I need to set aside an hour, half a day or a day to set it all up.
Thanks
C
-
- The full Lemon
- Posts: 10691
- Joined: November 4th, 2016, 8:17 pm
- Has thanked: 1459 times
- Been thanked: 2965 times
Re: How best to manage strong passwords?
Dod101 wrote:I feel slightly better now because recently I had a very similar email to the OP and it is a horrible feeling,
Recommended reading: https://www.theregister.co.uk/2018/10/2 ... ail_video/
You could read the comments too, from a bunch of cynical techies.
-
- Lemon Half
- Posts: 7812
- Joined: November 4th, 2016, 11:24 am
- Has thanked: 7 times
- Been thanked: 3017 times
Re: How best to manage strong passwords?
Clariman wrote:Thanks everyone. That is really helpful. Roughly speaking, how long does it take to setup something like keepass on laptop, tablet and phone? By "setup" I mean install and recreate passwords to all the existing sites that I use (obviously dependent on the number). Just looking for an order of magnitude e.g. do I need to set aside an hour, half a day or a day to set it all up.
That's an entirely how-long-is-a-bit-of-string question. The first thing to do is to find out how many logins you've got -- which will almost certainly be quite a few more than you think!
If you let us know which browser(s) you're using then folks can advise on how to export the stored logins (which you'll need to import into KeePass). Then you can look through those and figure out which ones you don't want anymore (and log in to those sites and delete the account).
Then you're going to have to go through each site's change-my-password mechanism, which could be anything from a couple of clicks and pasting in your new (generated) password (twice), to having to give three "memorable" answers and entering a code they send to your mobile phone, etc, etc.
Setting up KeePass itself and importing your existing logins can be simple, but if you want to make more than just the most basic use of it then you'll need to spend some time reading up and setting up, although it can mostly be done incrementally, an entry at a time.
E.g. some things you might want to do are organise your login entries into folders (e.g. Banks, Forums, News Sites, etc), set up the site's icon (favicon) for entries, or set up "auto-type" to handle the "please enter characters 2,5 and 9 from your memorable place/name/date" type of passwords, etc.
-
- Lemon Quarter
- Posts: 4092
- Joined: November 4th, 2016, 9:24 am
- Has thanked: 3234 times
- Been thanked: 2827 times
Re: How best to manage strong passwords?
Clariman wrote:Thanks everyone. That is really helpful. Roughly speaking, how long does it take to setup something like keepass on laptop, tablet and phone? By "setup" I mean install and recreate passwords to all the existing sites that I use (obviously dependent on the number). Just looking for an order of magnitude e.g. do I need to set aside an hour, half a day or a day to set it all up.
Thanks
C
Installing Keepass is simple, but entering or importing passwords will take time, especially if you also want to include things like the email address associated with each account, your answers to security questions, etc in addition to the main userid and password. For Windows, you might want to consider the portable version of Keepass (that's what I use) https://portableapps.com/apps/utilities ... s_portable
You must also understand that all of the data is in a single file (I think the default is database.kdb) and the PC, phone and tablet versions are independent of each other.
So if you update a password on your PC, it will NOT be automatically updated on the phone or tablet. I make all of my changes on the PC, and every now and again, I send the database.kdb file to the phone and tablet so that they all have the same info.
--kiloran
-
- 2 Lemon pips
- Posts: 190
- Joined: January 17th, 2018, 1:10 pm
- Has thanked: 10 times
- Been thanked: 50 times
Re: How best to manage strong passwords?
There are various options for password managers, with keepass being one of them, and one that often appeals to the more tech-savvy and/or those focused more on single (eg. PC) than cross-platforms.
The various password manager options out there have different pros and cons, different strengths and weaknesses, different features, so it'd seem reasonable for someone considering using a password manager for the first time to consider all the options available to them and pick the one that seems best suited to their needs, rather than assuming that what other posters here have plumped for is automatically the best option for them also. It might be the best option, but you'd only be able to determine that after reviewing the range of options. NB there is no perfect option, all involve trade-offs.
As with investments, do some research first rather than just piling in. There's plenty of info available out there.
-
- Lemon Slice
- Posts: 440
- Joined: March 9th, 2017, 8:28 am
- Has thanked: 77 times
- Been thanked: 169 times
Re: How best to manage strong passwords?
Secret Space Encryptor. Password generator and vault, and keep all the details of your bank accounts and logins for everything. Used it for years. Great encryption tools for text, files and directories too. Easy to share across tablet phone and PC. Soooo simple to use. Beats keepass, been there done that…
-
- Lemon Half
- Posts: 7812
- Joined: November 4th, 2016, 11:24 am
- Has thanked: 7 times
- Been thanked: 3017 times
Re: How best to manage strong passwords?
kiloran wrote:You must also understand that all of the data is in a single file (I think the default is database.kdb) and the PC, phone and tablet versions are independent of each other.
So if you update a password on your PC, it will NOT be automatically updated on the phone or tablet. I make all of my changes on the PC, and every now and again, I send the database.kdb file to the phone and tablet so that they all have the same info.
There's a number of ways to handle that, of which mine is, admittedly, not the simplest, but works for me
I have a desktop and a laptop, both of which I can and often do create new or change existing KeePass entries on, and I have an Android phone which uses the KeePass database as effectively read only.
KeePass has a Synchronization feature which will synchronise the changes in two databases, and I use that to synchronise the database on each of the desktop and laptop with a "central" one on a USB flash drive served by my router. This is all done automatically by triggers and scripts, which also copy the db to end-to-end encrypted online storage which is available from my phone. And they also automatically take backups...
-
- Lemon Half
- Posts: 7812
- Joined: November 4th, 2016, 11:24 am
- Has thanked: 7 times
- Been thanked: 3017 times
Re: How best to manage strong passwords?
RececaDron wrote:There are various options for password managers, with keepass being one of them, and one that often appeals to the more tech-savvy and/or those focused more on single (eg. PC) than cross-platforms.
I'm not sure why you think that second part. I use it on Windows and Android and I know other Lemons use it on those and Linux too.
-
- Lemon Half
- Posts: 7962
- Joined: November 4th, 2016, 6:11 pm
- Has thanked: 984 times
- Been thanked: 3643 times
Re: How best to manage strong passwords?
Breelander wrote:https://xkcd.com/936/
The problem is that a lot of sites won't accept a password like that. Rules like - must have punctuation (also can't have punctuation), must have a number, must have capitals, limits on length, etc. etc., so you end up with a difficult to remember one anyway.
Scott.