Old 12-10-2017, 09:35   #46
Registered User
 
spsexton's Avatar

Join Date: Jan 2017
Location: Eagan, MN
Boat: Com-Pac 16
Posts: 8
Re: Passwords In A Paperless World

Here's advice on this from one of the most well respected security experts.
https://www.schneier.com/blog/archiv..._secure_1.html
spsexton is offline   Reply With Quote
Old 12-10-2017, 10:05   #47
Registered User
 
Broadside's Avatar

Join Date: May 2017
Location: Florida
Boat: Aquarius Pilot Cutter
Posts: 7
Re: Passwords In A Paperless World

I use DataVault Password Manager for Mac and iOS devices. All devices are synced through Dropbox, (other cloud storage works also). All data files are encrypted on both the device and the cloud. If your phone is hacked, the data file is useless to the hacker. And before the peanut gallery jumps in, yes the encryption could POSSIBLY be broken, but not at all likely. All you really have to remember is a good strong password to get into the DataVault and the rest of your stuff becomes available. On any of these password managers, make sure it encrypts all data files.
This approach also helps out if something happens to you, your family can get access to accounts and such.
Hope that helps
Eric
Broadside is offline   Reply With Quote
Old 12-10-2017, 10:09   #48
Registered User
 
maxingout's Avatar

Join Date: Dec 2006
Location: Cruising
Boat: Privilege 39 Catamaran, Exit Only
Posts: 2,723
Re: Passwords In A Paperless World

Sometimes I use the names of cruising yachts that I have seen around the world as passwords, and I always use at least the names of two different yachts making the password longer and more difficult.

At other times, I choose the names of remote cruising destinations around the world as passwords.

Thumb drives are now so small that they are easy to hide, so that may be another way for me to store encrypted passwords.
__________________
Dave -Sailing Vessel Exit Only
https://RealOceanCruiser.com
https://PositiveThinkingSailor.com
maxingout is offline   Reply With Quote
Old 12-10-2017, 10:50   #49
Registered User
 
MV Wanderlust's Avatar

Join Date: May 2016
Location: Palmetto, FL
Boat: "Wanderlust" -- 1999 Jefferson Rivanna 52'
Posts: 874
Images: 28
Re: Passwords In A Paperless World

As others have said, nothing is entirely bulletproof. If someone really wants in and has adequate skills, they'll get in. That said...

There are some really good password schemes that have already been shared. I've taken an approach similar to what others are doing with a minor modification. I chose a random word... not something from my past or a child or pet's name or has any significance so social engineering probably wouldn't figure it out... and then appended the date it was set.

For example:
Let's say the random word was something like Escalade.
And let's say the password is being used for Dropbox (I don't have a Dropbox account) and it was set on 9-17-2017.
The Dropbox password would become Escalade9172017$. The dollar sign is used as an example of an extended character but it could be any of them.
To remember the password for any site, I save a shortcut to it and edit the name of the shortcut to include the date it was set and the number 4, to represent the extended character used, if it was a dollar sign.
The password on any site can be changed as often as you like by just changing the date and then modifying the name of the shortcut with the new date.
This approach has been working for nearly twenty years and has never been hacked. It would be tough to hack without knowing the random word and yet the hint for each site is readily available.
MV Wanderlust is offline   Reply With Quote
Old 12-10-2017, 10:52   #50
Registered User

Join Date: Mar 2016
Location: Jersey City, NJ
Boat: longing for a trimaran
Posts: 78
Re: Passwords In A Paperless World

I use a PASSPHRASE and a PIN. NO PAPER. NO FILE.
Most sites can support a 12 character password and require both upper and lower case, numbers and special characters. I meet this requirement by creating an 8 character passphrase. For example, I convert "JEANNEAU" to "J34Nn=^u". Then tack on a four number PIN, say 1234.

Now here is how it works.
When I am logging in to:
cruisersforum.com, my password will be "J34Nn=^ucrui"
yahoo.com, my password will be "J34Nn=^uyaho"
ebay.com, my password will be "J34Nn=^uebay"
6pm.com, my password will be "J34Nn=^u6pm4"

The system provides for a UNIQUE password per website, but you only have to remember your special PASSPHRASE and PIN.

For those that have not picked it up yet, I use the PIN to figure out which letters of the website's name I will be using. For the same sites above, if my PIN were 6835 the passwords would be:
"J34Nn=^uesus" for cruisersforum.com
"J34Nn=^u68ho" for yahoo.com
"J34Nn=^u68a5" for ebay.com
"J34Nn=^u68m5" for 6pm.com

Nothing to get hacked, not much to remember, just be careful you don't bump your head.

One more thing, I actually have 2 PASSPHRASEs and PINs. I use a different one for sites where I have financial info and sites where I don't.
tatomaceda is offline   Reply With Quote
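
The site-name rule from post #50, written out as an added example (not part of any poster's message): it reproduces the eight passwords listed in that post and measures how many leading characters two sites' passwords have in common, next to a keyed derivation whose per-site outputs share nothing. The PBKDF2 alternative, the function names, the handling of a PIN digit 0 and the master secret are assumptions made for this illustration.

```python
import base64
import hashlib


def site_suffix(domain: str, pin: str) -> str:
    """Each PIN digit picks that letter (1-based) of the site name.
    If the name is too short, the digit itself is used, as in the post's
    "6pm4" and "68ho" results. Digit 0 is treated the same way (assumption)."""
    name = domain.split(".")[0].lower()
    picked = []
    for digit in pin:
        pos = int(digit)
        picked.append(name[pos - 1] if 1 <= pos <= len(name) else digit)
    return "".join(picked)


def scheme_password(passphrase: str, domain: str, pin: str) -> str:
    """Fixed passphrase followed by the four site-derived characters."""
    return passphrase + site_suffix(domain, pin)


def derived_password(master: str, domain: str, length: int = 16) -> str:
    """Alternative not described in the thread: PBKDF2-HMAC-SHA256 over a
    master secret with the site name as salt, so no characters carry over
    from one site's password to another's."""
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(),
                              domain.lower().encode(), 100_000, dklen=32)
    return base64.urlsafe_b64encode(raw).decode()[:length]


def shared_prefix(a: str, b: str) -> int:
    """Number of leading characters two passwords have in common."""
    count = 0
    for x, y in zip(a, b):
        if x != y:
            break
        count += 1
    return count


if __name__ == "__main__":
    master = "constructed example master secret"  # constructed sample value
    for site in ("cruisersforum.com", "yahoo.com", "ebay.com", "6pm.com"):
        print(site, scheme_password("J34Nn=^u", site, "1234"),
              derived_password(master, site))
    print("scheme, shared characters:",
          shared_prefix(scheme_password("J34Nn=^u", "yahoo.com", "1234"),
                        scheme_password("J34Nn=^u", "ebay.com", "1234")))
```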
Old 12-10-2017, 11:20   #51
Registered User

Join Date: May 2008
Posts: 3,662
Re: Passwords In A Paperless World

Security has gotten much easier in the last year mostly due to the spread of two factor authorization where a code is sent to your phone. With two factor enabled, it's almost impossible for a guy in Russia to get into your account even if your password is "1234". Here's what I do:

All my passwords go into standard Apple Notes - it has encryption based on Apple security. It copies to both my iPhone and iPad by SSL. Apple has never had a successful direct breach of iCloud (people get in by guessing passwords - not Apple's fault). I worry more about being hit by a meteor. I also encrypt the individual Apple note of passwords a 2nd time with a different password (although this really isn't necessary because you can't get past the lockscreen in the first place).

My Apple password is 16 characters long and only used for Apple. The passcode is six numbers. Fingerprint is also turned on. Two factor security is enabled so a code is sent to the phone for any change (two factor is also enabled on any account that allows it). The iPhone and iPad are both set to erase themselves if someone gets the phone passcode on the lock screen wrong 10 times.

I only need a few passwords because I use the same password on any unimportant site - like this site. I'm not worried about someone posting here using my name - it might be an improvement

If an important site doesn't have two factor but uses "questions", my answers are not real so they can't be guessed (What city were you born in? "Ice Cream"). The answers are all put in the Apple Notes file.

I assume that any link in an email or text that later asks for my password or personal information is phishing. I back out and go to the site without using the link.

Here's a fun site to test your password:

https://howsecureismypassword.net
CarlF is offline   Reply With Quote
Old 12-10-2017, 11:21   #52
Registered User
 
CaptTom's Avatar

Join Date: Apr 2004
Location: Southern Maine
Boat: Prairie 36 Coastal Cruiser
Posts: 3,258
Re: Passwords In A Paperless World

Quote:
Originally Posted by Captain Bucknut View Post
Passwords....i like the consistent algorithm method (it's also approved by the Catholic Church)...
I see what you did there. Good one!

Quote:
Originally Posted by ZULU40 View Post
It was discovered recently that an Australian defence supplier had been hacked over a period of 4 months. Turns out they hadn't changed passwords in over a year. Passwords like admin for admin and guest for guest.
Good example. They weren't hacked because some USER didn't change their 12-character, alpha-numeric, with numerals and special characters (but not the first or last character) and no more than two repeating characters and none containing any part of the last 12 you used, password.

They were hacked because (1) their IT shop was lazy, and (2) the hackers wanted to get into the whole system, not just some poor schmuck's individual account.
CaptTom is offline   Reply With Quote
Old 12-10-2017, 12:46   #53
Moderator Emeritus
 
David M's Avatar

Cruisers Forum Supporter

Join Date: Sep 2007
Location: Eastern Tennessee
Boat: Research vessel for a university, retired now.
Posts: 10,406
Re: Passwords In A Paperless World

I use the name of the entity plus a series of letters and numbers after that which only my wife and I know. Never been hacked and each password is unique. No paper or recording it electronically necessary.
__________________
David

Life begins where land ends.
David M is offline   Reply With Quote
Old 12-10-2017, 12:48   #54
Registered User
 
GILow's Avatar

Join Date: Sep 2008
Location: On the boat, somewhere in Australia.
Boat: Swanson 42 & Kelly Peterson 44
Posts: 9,351
Re: Passwords In A Paperless World

Regarding the frequently changed passwords thing...

The main reason for this is actually to manage the "social" weakness of passwords. That is, people in corporate offices will, no matter how hard you try to stop them, end up sharing passwords. There's always a "good" reason in their eyes, usually it is something to do with needing urgent access to something while they are on the road without technology to gain that access.

So they share their current password with a fellow worker.

Now, if you force regular changes two things happen. 1. That shared password expires pretty soon, and 2. there is less temptation for the other person to write down the shared password and subsequently have it found, or 3, and this one is the real bugger, the tendency of the recipient of the shared password to share it with another coworker is also managed by the regular change. (It is an interesting and understandable behaviour that "shared" passwords are subsequently treated with much less respect than a person's own password.)

So the whole regularly-rotating password thing, I believe, is a bit of a furphy in the "normal" world. As noted, most hackers are going to act very quickly on a discovered password, so the typical 60 - 90 day rotation scheme is unlikely to be much good unless the expiry date happens to be tomorrow or the next day.

Matt
__________________
Refitting… again.
GILow is offline   Reply With Quote
Old 12-10-2017, 14:31   #55
Registered User

Join Date: Dec 2016
Location: Houston, TX
Posts: 13
Re: Passwords In A Paperless World

This is a good discussion and contains some really useful information for those of us with lots of passwords. Like some of the others have mentioned, I have several hundred passwords in my IT world - both personal and work.

I'm highly resistant to changing passwords on a regular basis and recent (within the last five years) studies have pretty conclusively determined that regularly changing passwords is actually often harmful to security in that users tire of thinking up complex passwords and end up using easily guessed passwords rather than long, complex passwords.

In my mind, best practice is to use a LONG password that is also complex; how you come up with this password is up to you. You can use an algorithm as has been mentioned above or create a common root and derive passwords from that. The key characteristics of good passwords are that they are long and complex.

As for how to remember them, if you use an algorithm as outlined above, you could "remember" the password for any given site using the tricks mentioned. That doesn't really work for me due to the large numbers of passwords I have to keep track of, so I use (and recommend) a password manager. In my case, I use Dashlane and find it to be a large contributor to my peace of mind and my ease of use of passwords.

If you choose to use a password manager, it's key that you use one that encrypts the password database locally, even if it's then stored in the cloud. Basically, you're creating a copy of your password database that the application, by itself, can't open, and that requires your password and the correct copy of the database for use. Even if this is stored in the cloud (I highly recommend that approach for ease of use) the password database should be at least as secure as any website for which you may have a password and, ideally, should be much more secure because you can use a lllooonnnggg password for the database.

Ultimately, the responsibility for securing your online access rests with you, so it behooves you to use long, complex passwords wherever possible and to secure those passwords in some manner as discussed in this thread. Certainly, two-factor authentication is a must when available and I truly wish that more sites would leverage something like Google Authenticator to enable that two-factor capability.
mickeyelam is offline   Reply With Quote
Old 12-10-2017, 14:35   #56
Registered User
 
Reefmagnet's Avatar

Join Date: May 2008
Location: puɐןsuǝǝnb 'ʎɐʞɔɐɯ
Boat: Nantucket Island 33
Posts: 4,868
Re: Passwords In A Paperless World

Simple rule to having a secure password. Use a password of at least 7 characters containing a mix of numbers, non alpha-numeric characters, lower case alpha and upper-case alpha. Avoid dictionary words preceded or proceeded by just numbers. For example, "WindSong20!7" makes a very effective password that is easy enough to remember but is hard to crack by brute force and dictionary attacks. You can test the strength of a proposed password by using one of the many password testing sites on the internet like https://howsecureismypassword.net/.

I'd also advocate using a password vault like LastPass. Whilst it may have potential vulnerabilities, it is used commercially and is about as secure as you can get, especially when used with multi factor authentication. Personally, I just use around a total of 5 passwords that I don't forget for everything and for those wackjob sites with stupid password rules where I can't use one of my faves, I just click the "forgot my password" link should I need to login.
Reefmagnet is offline   Reply With Quote
Old 12-10-2017, 15:14   #57
Registered User

Join Date: Jul 2014
Location: Massachusetts, USA
Posts: 55
Re: Passwords In A Paperless World

I use common phrases, and mispelll some off the wordds. I also throw in the numbers from my gym padlock that I have told to nobody. So "what a great day" becomes something like "whhatagraetday#172108".
Captain-Avenger is offline   Reply With Quote
Old 12-10-2017, 17:13   #58
cruiser

Join Date: Jan 2017
Boat: Retired from CF
Posts: 13,317
Re: Passwords In A Paperless World

Password tips
Url:https://www.wired.com/2016/05/password-tips-experts/

Title:Passphrases That You Can Memorize — But That Even the NSA Can’t Guess | MetaFilter
Url:http://www.metafilter.com/155558/Pas...NSA-Cant-Guess

Title:Don't Kill the Password. Change the Password | WIRED
Url:http://www.wired.com/2015/09/dont-ki...ange-password/
john61ct is offline   Reply With Quote
Old 12-10-2017, 18:09   #59
Registered User
 
dwedeking2's Avatar

Join Date: May 2014
Location: Key West, FL
Boat: Morgan Out Island 415
Posts: 911
Images: 1
Re: Passwords In A Paperless World

Quote:
But That Even the NSA Can’t Guess
They're not guessing
__________________
S/V Pomaika'i Blog
dwedeking2 is offline   Reply With Quote
Old 12-10-2017, 21:06   #60
Registered User

Join Date: Feb 2015
Boat: Land bound, previously Morgan 462
Posts: 1,993
Re: Passwords In A Paperless World

Thanks for this idea. Best simplest thing I have seen yet.
waterman46 is offline   Reply With Quote