
OT: Password hell advice



Lately, I've seemed to have lost control of my list of passwords. Even though I've attempted to consolidate them lately, there are some from over a year ago that I've forgotten and/or can't find my notes on what they actually were. Can anyone recommend an app that would assist me in organizing my passwords?

Thx in advance!

"Ah, music," he said, wiping his eyes. "A magic beyond all we do here!"

J.K. Rowling, Harry Potter and the Sorcerer's Stone

 

Link to comment
Share on other sites



We use LastPass and love it.

Hardware:
Yamaha: MODX7 | Korg: Kronos 88, Wavestate | ASM: Hydrasynth Deluxe | Roland: Jupiter-Xm, Cloud Pro, TD-9K V-Drums | Alesis: StrikePad Pro|
Behringer: Crave, Poly D, XR-18, RX1602 | CPS: SpaceStation SSv2 | 
Controllers: ROLI RISE 49 | Arturia KeyLab Essentials 88, KeyLab 61, MiniLab | M-Audio KeyStation 88 & 49 | Akai EWI USB |
Novation LaunchPad Mini, |
Guitars & Such: Line 6 Variax, Helix LT, POD X3 Live, Martin Acoustic, DG Strat Copy, LP Sunburst Copy, Natural Tele Copy|
Squier Precision 5-String Bass | Mandolin | Banjo | Ukulele

Software:
Recording: MacBook Pro | Mac Mini | Logic Pro X | Mainstage | Cubase Pro 12 | Ableton Live 11 | Monitors: M-Audio BX8 | Presonus Eris 3.5BT Monitors | Slate Digital VSX Headphones & ML-1 Mic | Behringer XR-18 & RX1602 Mixers | Beyerdynamics DT-770 & DT-240
Arturia: V-Collection 9 | Native Instruments: Komplete 1 Standard | Spectrasonics: Omnisphere 2, Keyscape, Trilian | Korg: Legacy Collection 4 | Roland: Cloud Pro | GForce: Most all of their plugins | u-he: Diva, Hive 2, Repro, Zebra Legacy | AAS: Most of their VSTs |
IK Multimedia: SampleTank 4 Max, Sonik Synth, MODO Drums & Bass | Cherry Audio: Most of their VSTs |

Link to comment
Share on other sites

I used to work in a mainframe computer center. We also had network stuff. Everything had passwords. Everything. I counted one time and there were something like four or five dozen userid/password combinations that I had to remember. Clearly impossible, especially when you consider that I had all my personal stuff as well; the better part of another hundred accounts' worth.

 

My solution?

 

A Word doc file (nowadays I use Libre Office) where I could keep all that plus associated notes for each site. High tech? Nope. By design. The problem with password programs is that you're one hack away from losing absolutely everything. NEVER EVER, EVER fall for the "Oh, we use best industry practices..." or "We use one million bit encryption!" or "We're the most security conscious people on the planet." Ever.

 

So what do I do for security? I'm a pack rat. I've got my last four PCs. I keep sensitive stuff like that on an old, air-gapped PC with double backups. Yes, I sometimes have to prise my lazy butt up out of my chair if I don't remember something.

 

Tough toenails.

 

1) I need the exercise to maintain my youthful, slender charm. (ahem)

2) I sleep better at night, knowing that I have control of my info.

 

Grey

 

Addendum #1: I repeat, NEVER assume that you're safe just because someone tells you how good a job they're doing. EVER. Gawd, the tales I could tell you from work about nitwits doing the dumbest things, then solemnly assuring everyone that everything was tight. Don't buy it.

Addendum #2: Last fall my personal email password was hacked. 14 characters. "Strong," by any metric. Pass phrase that verged on totally random to anyone but me...and yet someone broke it. Why anyone would expend the effort on po', little ol' me, I dasn't know, but they did. If I, as an official nobody, am worth that much effort then imagine the bounty that would result from going through the backdoor (and there's ALWAYS a backdoor) to one of the password programs.

Addendum #3: Don't say I didn't warn you...

I'm not interested in someone's ability to program. I'm interested in their ability to compose and play.

Link to comment
Share on other sites

I use 1 password. I can't recommend it highly enough. It gives you crazily strong, different passwords for everything but all you ever have to remember is one password (which is never written down anywhere). It is so good that I have taken to using it to store other things also: important notes etc. With each password you can also store other info if you wish, like your username, their web address, what the thing is actually for.....etc.

 

My life was a total, disastrous mess before I got it. Now I have this beautiful, calm, hummingbird filled epicentre of well organised sanity (....but regrettably surrounded by endless vortexes of shambolic confusion....)...

"Turn your fingers into a dust rag and keep them keys clean!" ;) Bluzeyone
Link to comment
Share on other sites

Safari on the Mac offers to make up passwords that seem pretty strong to me, then stores them. I never think about it. There have been times I've needed to access my stored passwords and they're not that hard to get to. You don't specify what platform you're on, but surely any Windows browser has the same feature?
Link to comment
Share on other sites

Oh, and another point...do not assume for a moment that because you haven't found yourself to be hacked today that you're safe. The people who truly mean harm crack the safeguards ahead of time, then sit patiently...waiting...waiting...for the right moment...

 

Don't say you weren't warned.

 

Grey

I'm not interested in someone's ability to program. I'm interested in their ability to compose and play.

Link to comment
Share on other sites

Yep Keychain is great - I just create a new note in Keychain for specific passwords etc. I also use the functionality in Safari as Reezekeys mentioned, it works well :thu:
Link to comment
Share on other sites

I have a Mac and use Keychain Access for many things that I don't really care much about being hacked.

 

And...

 

For more access to sites that I do NOT want anybody to have, ever...

 

I keep my passwords on separate text documents that are stored on a USB drive and/or SD card (yes, I have backups!!).

 

ALWAYS EXTERNAL and only plugged in if I need a password. To protect against slimeware that tracks your keyboard strokes, I will drag the password file that I need (these have devious names too, all of them - something that reminds me what it is for and all kept in a folder with a ridiculous name) on to the desktop and remove the USB drive. That keeps the time that all of the passwords are on the computer very short.

 

I open the needed password file, select the password with the mouse - click and drag - and then use Command C to copy it. At that point I toss that copy of the file in the trash and empty it. Then I use Command V to paste the password into place and click the button to log on.

 

If somebody is tracking my keystrokes all they can see is that I've copied and pasted something. So far, so good.

Again, that is just for websites that I feel need to be kept secure.

For example, I have Keychain Access to MPN, I wouldn't worry too much if somebody hacked it and came on here spouting a bunch of crap. I do it all the time anyway!!! Cheers, Kuru

It took a chunk of my life to get here and I am still not sure where "here" is.
Link to comment
Share on other sites

Yeah, I use Safari as a tool. I have +50 p/w's. All these sites have their quirky character requirements.

 

But I believe it's key to be organized. I have a word doc with my stuff.

 

I am also of the opinion that our personal info is all over the f'g place.

 

I am not worked up about elaborate p/w protection on music sites.

That's my opinion.

Why fit in, when you were born to stand out ?

My Soundcloud with many originals:

[70's Songwriter]

Link to comment
Share on other sites

I probably shouldn't give away my strategy but all of my passwords use 4 numbers.

 

It's easy then to have a cheat sheet on a piece of paper for every company:

 

Amazon: 7753

VISA: 4452

Facebook: 4390

 

The key is to have a fixed random prefix and postfix to the number:

 

Amazon: Tgbn3?7753Onv!Sz

VISA: Tgbn3?4452Onv!Sz

Facebook: Tgbn3?4390Onv!Sz

 

Hash table attacks could beat it, but I don't think anyone is using that these days outside of academic institutions.

J  a  z  z  P i a n o 8 8

--

Yamaha C7D

Montage M8x | CP300 | CP4 | SK1-73 | OB6 | Seven

K8.2 | 3300 | CPSv.3

Link to comment
Share on other sites
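The scheme in the post above, looked at from the owner's side, as an added example that is not part of the original post: it finds what the passwords share and compares how strong each one looks with what is left once any single one of them turns up in a breach. The function names are hypothetical, the account passwords are the ones written in the post, and the bit counts assume a uniform search over the character classes used.

```python
import math
import os
import string

# Passwords exactly as written in the post above.
SAMPLE = {
    "Amazon": "Tgbn3?7753Onv!Sz",
    "VISA": "Tgbn3?4452Onv!Sz",
    "Facebook": "Tgbn3?4390Onv!Sz",
}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def shared_affixes(passwords):
    """Return the (prefix, suffix) that every password has in common."""
    passwords = list(passwords)
    prefix = os.path.commonprefix(passwords)
    # Remove the prefix first so prefix and suffix can never overlap.
    rests = [p[len(prefix):] for p in passwords]
    suffix = os.path.commonprefix([r[::-1] for r in rests])[::-1]
    return prefix, suffix

def keyspace_bits(text):
    """Bits of a uniform search over the character classes used in text."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in text))
    return len(text) * math.log2(alphabet) if alphabet else 0.0

def audit(accounts):
    """Per account: the unique part, and strength before/after one leak."""
    prefix, suffix = shared_affixes(accounts.values())
    report = {}
    for site, pw in accounts.items():
        unique = pw[len(prefix):len(pw) - len(suffix)]
        report[site] = {
            "unique": unique,
            "apparent_bits": round(keyspace_bits(pw), 1),
            # Once any one password leaks, prefix and suffix are known.
            "bits_after_one_leak": round(keyspace_bits(unique), 1),
        }
    return report

if __name__ == "__main__":
    for site, row in audit(SAMPLE).items():
        print(site, row)
```

Run on your own list, a large gap between the two figures means the accounts are protected by the shared part staying secret everywhere at once, not by the per-site part.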

I don't trust password managers: how well do you know them, how safe is their own site? The first thing I do is create passwords that I can make simple acronyms to help me remember them or I can write down and mean nothing. I was a programmer for one of the big universities and just to do my daily work needed to use five passwords that had to be changed monthly and no password could be reused for six months. So I came up with using acronyms that I could write down and no one was the wiser.

 

Since being involved with computer security and this woman I knew who was the chief security nerd for one of the credit reporting agency's internal security. She put together a six node supercomputer she would test how quickly she could crack employee passwords with. It was fast and computer speeds are so much faster today. So then I realized LONG passwords are the key to being safe and they don't even have to be that crazy; the length is the key. People who crack passwords in general go for bulk cracking so passwords that take too much time tend to get ignored, unless you are their specific target. So a long password might take an extra second to type but the return in security is worth it.

Link to comment
Share on other sites

I have two passwords for my bank account - that is the only account that could lose me money - and they are in my head. The rest are in a text file on an external backup drive that is not normally connected to any machine. So the only account that matters is in my head and I have taken reasonable precautions with everyone else's. If you can't accept that, don't give me access to your site!
Link to comment
Share on other sites

I use a separate, standalone, electronic device, not connected to the internet or any other device. It's called Password Safe. I used to keep them on paper but it got cumbersome.
I would like to apologize to anyone I have not yet offended. Please be patient and I will get to you shortly.
Link to comment
Share on other sites

Lately, I've seemed to have lost control of my list of passwords. Even though I've attempted to consolidate them lately, there are some from over a year ago that I've forgotten and/or can't find my notes on what they actually were. Can anyone recommend an app that would assist me in organizing my passwords?

Thx in advance!

 

Managing passwords has always been my bigger struggle since the day I created my first email account back in 1997. And the funny thing is that the very first App I have made for a mobile device is a virtual keychain. I released it only recently and only for the Android devices, it's called GSi SafeBox and it's free and ad-free, even though the first release is only in Italian. I have just posted a new version in English that's currently in beta test. If you have an Android device and you wish to test it, here's the link to get into the beta program: https://play.google.com/apps/testing/com.genuinesoundware.gsisafebox.

 

I know there were already many similar apps for holding passwords in the mobile device, but most of them are cloud-based, that means that all your sensible informations are instantaneously sent over the internet to someone else's computer (that's what a cloud is). And most free apps show annoying ads. I wanted to make my own implementation, something simple that keeps the data into the device's memory with no need to send the data elsewhere. Everything is stored into an encrypted XML file that can optionally be exported / imported to / from local memory or shared with other apps (e.g. sent via email for backup purpose).

 

If you give it a try, let me know what you think.

Link to comment
Share on other sites

Using 1 password seems very very dangerous. Because if hackers figure out your Amazon login, for example, then they can get to your PayPal login, your credit card login. And you bet your ass they try all the major websites.

 

Personally, I use a password book...pen and paper.

Link to comment
Share on other sites

Don't understand how brute force cracking trying millions of potential combinations of words/letters works. If there's a limit of 5 tries for example, brute force cracking wouldn't work.

Numa Piano X73 /// Kawai ES920 /// Casio CT-X5000 /// Yamaha EW425

Yamaha Melodica and Alto Recorder

QSC K8.2 // JBL Eon One Compact // Soundcore Motion Boom Plus 

Win10 laptop i7 8GB // iPad Pro 9.7" 32GB

Link to comment
Share on other sites

Somewhat related to the topic here, maybe a side issue but I thought others might like to know about this. It's an interesting site that appears legit. Some of my email addresses were found to have been involved in data breaches. You can also search by entering a password which the guy who did this site says is safe (I read this in his FAQ) - I haven't done that yet though.

 

https://haveibeenpwned.com

 

PS - the guy likes & recommends 1Password but lays out his reasons why - he doesn't seem to be connected to the company in any way other than a user.

Link to comment
Share on other sites
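How a password search of that kind can avoid sending the password, as an added example that is not from the post or from the site's own code: the Pwned Passwords range lookup at https://api.pwnedpasswords.com/range/ takes only the first five hex characters of the password's SHA-1 hash, and the match against the returned suffixes is made locally. The function names are hypothetical and the response body is constructed so the block runs offline.

```python
import hashlib

RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"

def split_sha1(password):
    """Return (prefix, suffix): 5 hex chars that are sent, 35 that stay local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def range_url(password):
    """URL a client would request; it carries the 5-char prefix only."""
    return RANGE_ENDPOINT + split_sha1(password)[0]

def breach_count(password, range_body):
    """Match our suffix against a range response of 'SUFFIX:COUNT' lines."""
    _, suffix = split_sha1(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            # A count of 0 is a padding entry, i.e. not actually breached.
            return int(count)
    return 0

def constructed_range_body(entries):
    """Build a stand-in response. Constructed data, not real breach counts;
    a real response holds only suffixes that share the requested prefix."""
    return "\r\n".join(f"{split_sha1(pw)[1]}:{n}" for pw, n in entries)

# Constructed sample: one "breached" password, one decoy, one padding row.
SAMPLE_BODY = constructed_range_body([
    ("example-password-1", 3),
    ("decoy-one", 17),
    ("padding-entry", 0),
])

if __name__ == "__main__":
    for pw in ("example-password-1", "never-seen-example"):
        print(range_url(pw), "->", breach_count(pw, SAMPLE_BODY))
```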

... I know there were already many similar apps for holding passwords in the mobile device, but most of them are cloud-based, that means that all your sensible informations are instantaneously sent over the internet to someone else's computer (that's what a cloud is)...
Rather, an AES-256 encrypted bundle of your sensible informations is sent over the internet...

 

Edit: (am a LastPass user) In the case of LastPass it is AES-256. Don't know about the others.

Link to comment
Share on other sites

I use KeePass. No extremely sensitive passwords in my safes (one personal and one for company related passwords). And the master password is long (25+ characters), with numbers, symbols, lower/upper case letters. I keep the database in my Google Drive.

 

I wonder if it is worth saving the data base(s) in a VeraCrypt container (AES(Twofish(Serpent)) encrypted).

Link to comment
Share on other sites

Rather, an AES-256 encrypted bundle of your sensible informations is sent over the internet...

How can you be sure? You just trust the system.

 

I too store almost all my passwords into Chrome, at least the low-risk ones, not those of the bank accounts or important things. Anyway, I wanted something that doesn't send the passwords anywhere, so I made my own app, and I'm sure that the passwords stay into the phone.

Link to comment
Share on other sites

However, keeping the feet on the ground, in a real situation I think that the level of protection should be proportional to the importance of the thing to protect. If you're the president of the USA and know the passwords to launch nuclear missiles, or if you're some very rich person with billions of dollars on offshore bank accounts, probably you need something like (AES(Twofish(Serpent)) encrypted)... but for common mortals a 6~8 characters password encrypted with Blowfish is more than enough.
Link to comment
Share on other sites

Our company uses LastPass, but in general these password applications freak me out a bit. They are supposed to protect you, but intuitively they seem to group all your crown jewels into one location? So in the sad event someone gets in, they get it ALL instead of one piece?

 

So maybe something to think about is which passwords are you trying to manage? Only group up the low risk accounts into a manager, and make it much harder for hackers to get to your super-sensitive, high risk accounts, i.e. bank accounts, brokerage accounts, et al. Segregate those out in a safe place, like on a post-it behind your refrigerator :)

Some music I've recorded and played over the years with a few different bands

Tommy Rude Soundcloud

Link to comment
Share on other sites
