OT: Password hell advice



Using 1 password seems very very dangerous. Because if hackers figure out your Amazon login, for example, then they can get to your PayPal login, your credit card login. And you bet your ass they try all the major websites.

 

Personally, I use a password book...pen and paper.

I think you misunderstand how 1Password works; as did I before I joined it. It works like this:

 

You have a secure, highly encrypted vault. Only you can access it. Not even the makers of the program can access it. So you go in when you need to remember a password and there they all are. You can insert the relevant password into whichever website you are trying to login to without any keystrokes - just a mouse click.

 

If you need a new password for a website you have just joined, you access 1Password and it gives you a unique, crazily complicated password. You insert it with a single click and 1Password forevermore remembers it for you. They can be as long as you wish. Mine are all long.

 

So, if your Amazon account was hacked, apart from the mega online shopping session that the thieves would indulge in, that password would be useless to them because every single one of your other passwords is different. The master 1Password password is never written down anywhere so cannot be hacked.

"Turn your fingers into a dust rag and keep them keys clean!" ;) Bluzeyone



I don't understand how brute force cracking, trying millions of potential combinations of words/letters, works. If there's a limit of 5 tries, for example, brute force cracking wouldn't work.

 

Pros don't brute force; they crack passwords in bulk with small supercomputers, with multiple password crackers running multiple crack dictionaries. Feed in thousands of accounts and encrypted passwords, then use the accounts they cracked. My last job before retiring was for a company whose name made many hackers think it was a financial institution. Every morning I'd start my day with a big cup of coffee and then read through the security logs on my servers. The logs were filled with various levels of people trying to break in. If I saw a lot of IPs from a range, I'd check to see who owned them and see what country, sometimes what region. Other times it would look like some kid in another country trying to learn to hack, judging by all the attempts from one IP. Being in other countries, there was not much you could do, and none actually got in; they just tried. I'd see some IPs from the US but less often, because in the US even just pinging a server the law could come down on you if they wanted to. A lot of the attempts came in spurts from a particular country and we were like, okay, hacking 101 class is in session again, we'll get a lot of log entries from them for the next month.

 

Bottom line is anything can be broken into IF they want something bad enough and are willing to spend the time it takes. The average person is only a target for the low-hanging fruit, so use good passwords to keep from being that low-hanging fruit.


I don't understand how brute force cracking, trying millions of potential combinations of words/letters, works. If there's a limit of 5 tries, for example, brute force cracking wouldn't work.
You're assuming that they're coming in through the front door. If they gain access to the underlying password file, they can brute force crack as fast as their computing hardware will run.

Our company uses LastPass, but in general these password applications freak me out a bit. They are supposed to protect you, but intuitively they seem to group all your crown jewels into one location? So in the sad event someone gets in, they get it ALL instead of one piece?
They would have to get your master password, which is not stored anywhere, though two-factor authentication should protect against this event.

 

I have at least a dozen user names and over two hundred long, random-looking passwords. If I didn't have a PW manager I might store them in an encrypted spreadsheet and decrypt, copy and paste every time I want to log in somewhere (I guess that is a PW manager of a sort). I suppose at some point it boils down to a level of trust, and I acknowledge that most people are not comfortable with a centralized anything WRT their passwords. I've looked at the encryption model for the manager I use and am okay with it. If it didn't auto-fill user names and passwords for sites I frequent (even this one!), I would probably hunt for something else.


I don't understand how brute force cracking, trying millions of potential combinations of words/letters, works. If there's a limit of 5 tries, for example, brute force cracking wouldn't work.
You're assuming that they're coming in through the front door. If they gain access to the underlying password file, they can brute force crack as fast as their computing hardware will run.
Every algorithm can be cracked but depending on the algorithm, it might take a really long time, like millions of years using a supercomputer for AES-256. However, as computing power increases... :ohmy:

I don't understand how brute force cracking, trying millions of potential combinations of words/letters, works. If there's a limit of 5 tries, for example, brute force cracking wouldn't work.
You're assuming that they're coming in through the front door. If they gain access to the underlying password file, they can brute force crack as fast as their computing hardware will run.

 

 

Bottom line if someone can physically get to your computer you're screwed period.


I don't understand how brute force cracking, trying millions of potential combinations of words/letters, works. If there's a limit of 5 tries, for example, brute force cracking wouldn't work.
You're assuming that they're coming in through the front door. If they gain access to the underlying password file, they can brute force crack as fast as their computing hardware will run.
Every algorithm can be cracked but depending on the algorithm, it might take a really long time, like millions of years using a supercomputer for AES-256. However, as computing power increases... :ohmy:

 

The new quantum computers coming down the road will probably run circles around current super computers. It may not take millions of years at that point.

 

OT: I was tripping on that as an analogy to people being smart, like the latest i9 intel chips, and the jump to being a genius, the equivalent of a super computer, is hard to beat. But then you put quantum computing on the table and that becomes the equivalent of once in a generation brilliance that is beyond the scope of even a genius.

 

Yes, I admit sci-fi has rotted my brain!

Numa Piano X73 /// Kawai ES920 /// Casio CT-X5000 /// Yamaha EW425

Yamaha Melodica and Alto Recorder

QSC K8.2 // JBL Eon One Compact // Soundcore Motion Boom Plus 

Win10 laptop i7 8GB // iPad Pro 9.7" 32GB


Part of what makes anything potentially hackable is any assumption that a certain first step will not ever happen.

The German Enigma code was broken during WWII partly due to a carelessly consistent repetition in part of the messages sent,

and partly because no one could ever imagine that some type of electronic computer could be used to do a brute force attack against that part of the message.

For the case of the Enigma code, the ROI to the British was incredibly large, so breaking the Enigma code was worthy of an incredibly large investment by the British.

 

It helps greatly if you make it less economically feasible for an attacker to succeed.

But one should also believe that a codebreaking or decryption task which currently seems unattainable will someday become achievable,

and after the initial success using very expensive methods, that method will become more easily in reach by those attempting more mundane tasks like stealing money from someone's online banking account.


I really wish I knew the best answer. I've LastPass and a number of others, but TBH I just got sick of making sure my local DB was backed up, and I wouldn't do it in the cloud.

 

Much like it sounds like OP did, I just decided eff it and keep a long list on pencil and paper.

 

But, there's some problems there. You spill a beverage on your desk, or whatever.

 

I think the real problem is the ridiculous ever-changing requirements for passwords etc. I think that's known to be a non-optimal security procedure.

 

So, I just go all Rain Man and come up with ridiculous schemes and basically keep it in my head, with paper backup.


Hi,

 

I like a combination of 2 things mentioned before:

 

- Put them on a piece of paper, not in the computer.

- But do not write down the whole password. Have a common part known to you in some part of the password (beginning, end, middle, after 5 characters, whatever) and just write down the other part. That common part is the only thing you need to memorize. That way, even if your piece of paper ends up in the hands of somebody, that person can't really enter anywhere because they don't know that common part.

 

For example:

 

Your memorized part is "SecretlyInLoveWithKennyG"

 

And then you write down in your piece of paper:

 

Amazon: B.E.Z.O.S.I.S.

MusicPlayer: bryceis

 

 

And your full passwords will be:

 

Amazon: B.E.Z.O.S.I.S.SecretlyInLoveWithKennyG

MusicPlayer: bryceisSecretlyInLoveWithKennyG

 

My 2 cents,

 

Regards,

Fran


Having recently been the subject of an intense attack on our servers in my day job that did some damage but not fatal, because it cracked an old and long-forgotten admin user account, we moved from pass Words to pass PHRASES. And while we have common attack ports closed, on occasion we open them to see what is going on and the deluge starts all over.

 

These can be easily remembered. According to a Kaspersky testing site (if you use it to test, use a similar pattern, not your real passphrase), something like "key board forum is great" (include spaces) is easy to remember, and you can have a different one for each site. According to Kaspersky, something like this at current computer power would take a billion years to crack.

A misguided plumber attempting to entertain | MainStage 3 | Axiom 61 2nd Gen | Pianoteq | B5 | XK3c | EV ZLX 12P


I would rather use "K3y b0@rd f0Rum !$ Gr&@7". :) Still fairly easy to remember.

 

OK, I exaggerated a little in the substitutions, but I do replace letters with symbols and numbers at some points of my passwords. The use of space is a good idea BTW, I will incorporate it. :)


I was a huge fan of 1Password, but then they moved the Mac version to subscription and I have not upgraded to that. That seems to have caused me to lose Safari integration as the Extension no longer works, causing me to have to copy the username/email and password separately (I use different disposable email addresses on most sites, which has saved me from quite a bit of spam over the years). It's not critical but kind of tedious. I just found their pricing for the subscription a bit more than I'd like for it.

 

Between that and Keychain, which finally works on apps in iOS, I'm covered. It's a funny thing, I don't even remotely know most of my passwords anymore. They're gibberish to me, so at least they can't be guessed by anyone.

 

A little OT -- has anyone gotten those threatening emails where they apparently used one of those breaches to get your email and password from some site ages ago? They say your password was pa$$w0rd or whatever, they used your camera to record you watching porn, ha ha, you have some interesting kinks, and if you don't give them some amount of bitcoin they'll release this video to embarrass you. What I found especially funny was that they sent a second, more threatening email. I was like, as if. Go ahead. I almost wanted to write them back and tell them to go ahead but I knew that would just get more crap from them.

 

But, they did have one of my old passwords that I used to use on non-critical sites, so change your passwords if you have any like that.

"I'm so crazy, I don't know this is impossible! Hoo hoo!" - Daffy Duck

 

"The good news is that once you start piano you never have to worry about getting laid again. More time to practice!" - MOI


One problem with really long passwords is that many if not most sites DO NOT give you the option of seeing what you're typing in, so not only does the password take a bit of time to enter, it takes twice as long because you can't see what you've typed to spell check it, so you have to go slow enough to make sure you enter it correctly in the first place.

 

This comes up for me as I try a half dozen passwords to see which of my stock passwords I used.

Numa Piano X73 /// Kawai ES920 /// Casio CT-X5000 /// Yamaha EW425

Yamaha Melodica and Alto Recorder

QSC K8.2 // JBL Eon One Compact // Soundcore Motion Boom Plus 

Win10 laptop i7 8GB // iPad Pro 9.7" 32GB


One problem with really long passwords is that many if not most sites DO NOT give you the option of seeing what you're typing in, so not only does the password take a bit of time to enter, it takes twice as long because you can't see what you've typed to spell check it, so you have to go slow enough to make sure you enter it correctly in the first place.

 

This comes up for me as I try a half dozen passwords to see which of my stock passwords I used.

 

 

For stuff like that, long passwords or situations where, if I make a typo (which I do a lot), it's hard or impossible to go back and correct, what I will do is open a text editor and type it in there, then cut and paste the long password or text in. Then just exit the text editor without saving. To me it's worth it for the security or for avoiding typos in chats, etc.


I use Ascendo DataVault. I first started using it when I had a BlackBerry Storm!!, and it would sync with Windows. Now, I use a later version, which is available for Windows, Mac, and iOS (I think Android also). It has the usual AES encryption, bolstered with a feature that erases the database if the password is put in wrong ten times. Note that I DO keep a copy of the database in another location on my primary computer, just in case it gets erased, because I store the database in iCloud for the iPhone and iPads.

It is fully customizable, so I have not just passwords, but other useful information (such as serial numbers on equipment, software keys for different programs, and so on). I have hundreds of passwords, don't use the same one for multiple sites, computers, whatever. The database is over 1,000 items now (there was a problem years ago when the version wouldn't take over about 950 or so, but that has been fixed).

Reason for using this one is primarily that I don't know where I will be or what computer/device will be at hand when I need to know something from it. My commercial client logins/passwords are also stored in it.

The program can be used to insert passwords in browsers, but I don't use that feature. I also never store passwords in browsers themselves, turn off that feature right from the beginning.

 

Finally, I printed out a complete list a year or so ago, a big stack of paper (and will update it at some point). That printout is stored in the locked gun safe in the home.

 

When I worked on the military project of NMCI, the master administrator account was renamed to something that gave no clue what it was. When it had to be used (there were lower administrative accounts with lesser powers), the rules required that a new password be set immediately after logging off with it. The password was 24 characters. One person would input the first twelve, and write on a sheet of paper. Another person would input the last twelve, also writing it. Then the two pieces of paper would be locked in a safe in the Network Operations Center. This was also done for the root account for the Solaris Unix servers.

Howard Grand|Hamm SK1-73|Kurz PC2|PC2X|PC3|PC3X|PC361; QSC K10's

HP DAW|Epi Les Paul & LP 5-str bass|iPad mini2

"Now faith is the substance of things hoped for, the evidence of things not seen."

Jim


I was a huge fan of 1Password, but then they moved the Mac version to subscription and I have not upgraded to that. That seems to have caused me to lose Safari integration as the Extension no longer works, causing me to have to copy the username/email and password separately (I use different disposable email addresses on most sites, which has saved me from quite a bit of spam over the years). It's not critical but kind of tedious. I just found their pricing for the subscription a bit more than I'd like for it.

 

I totally agree with you about subscriptions. I got 1Password before subscriptions came in and have stuck to it like a limpet ever since, fighting off all of their attempts to make me 'upgrade'....

 

I wonder how many people ever take the time to add up how much money they are forking out every year on all of these subscriptions... Some of them are so inane... subscriptions for silly little apps that are worth virtually nothing...

I find the whole trend extremely sinister (not to mention CRAZILY expensive!) and I refuse point blank to go near them. Join me in my crusade!!!! If we all say 'NO' they will start selling things normally again. As they should.

 


"Turn your fingers into a dust rag and keep them keys clean!" ;) Bluzeyone

I wonder how many people ever take the time to add up how much money they are forking out every year on all of these subscriptions... Some of them are so inane... subscriptions for silly little apps that are worth virtually nothing...

I find the whole trend extremely sinister (not to mention CRAZILY expensive!) and I refuse point blank to go near them. Join me in my crusade!!!! If we all say 'NO' they will start selling things normally again. As they should.

I'm not 100% against subscriptions, but the math has to make sense for me. If I would have spent that much for upgrades each year or every other year, then I'm usually okay with it. Or, if I use it all the time and the price makes sense, sure. I get the model from the developer's perspective too. A steady flow of money is great. But again, it has to make sense to me in a number of ways.

 

I've thought the 1Password price is a bit high. There's another music practice app that I like (Modacity) that's a bit much for what I use it for. I want to support him, but the subscription is too much IMNSHO. If I start using or needing the features that aren't accessible without paying, I'll reconsider.

"I'm so crazy, I don't know this is impossible! Hoo hoo!" - Daffy Duck

 

"The good news is that once you start piano you never have to worry about getting laid again. More time to practice!" - MOI


  • 2 years later...

From the I Told You So Department:

 

LastPass has been hacked and is in a mad PR scramble to reassure everyone that everything is just peachy.

 

Spoiler alert--things are not peachy.

 

Don't say you weren't warned. Don't say, "Oh, I'm safe because I use [competing service]." Don't say that it won't happen to you because you're so sweet and adorable and pure of heart.

 

I told you so.

 

Grey

I'm not interested in someone's ability to program. I'm interested in their ability to compose and play.


1 hour ago, GRollins said:

From the I Told You So Department:

 

LastPass has been hacked and is in a mad PR scramble to reassure everyone that everything is just peachy.

 

Spoiler alert--things are not peachy.

 

Don't say you weren't warned. Don't say, "Oh, I'm safe because I use [competing service]." Don't say that it won't happen to you because you're so sweet and adorable and pure of heart.

 

I told you so.

 

Grey

Do you know I never used a password manager because I was concerned about this sort of thing? I've got to say LastPass have handled the PR side of things spectacularly badly here. 

 

Cheers, Mike.


On 5/4/2020 at 9:38 AM, ZioGuido said:

 

Managing passwords has always been my biggest struggle since the day I created my first email account back in 1997. And the funny thing is that the very first app I have made for a mobile device is a virtual keychain. I released it only recently and only for Android devices; it's called GSi SafeBox and it's free and ad-free, even though the first release is only in Italian. I have just posted a new version in English that's currently in beta test. If you have an Android device and you wish to test it, here's the link to get into the beta program: https://play.google.com/apps/testing/com.genuinesoundware.gsisafebox.

 

I know there were already many similar apps for holding passwords on a mobile device, but most of them are cloud-based, which means that all your sensitive information is instantaneously sent over the internet to someone else's computer (that's what a cloud is). And most free apps show annoying ads. I wanted to make my own implementation, something simple that keeps the data in the device's memory with no need to send the data elsewhere. Everything is stored in an encrypted XML file that can optionally be exported / imported to / from local memory or shared with other apps (e.g. sent via email for backup purposes).

 

If you give it a try, let me know what you think.

I've been using GSI Safebox for a couple of years, it's local on the device so no 3rd party storage is involved.  Backup files of the device are encrypted .xml files and can be stored anywhere and, it's free.

 

https://play.google.com/store/apps/details?id=com.genuinesoundware.gsisafebox&hl=en_ZA&gl=US&referrer=utm_source%3Dgoogle%26utm_medium%3Dorganic%26utm_term%3Dgsi+safebox

57 Hammond B3; 69 Hammond L100P; 68 Leslie 122; Kurzweil Forte7 & PC3; M-Audio Code 61; Voce V5+; Neo Vent; EV ELX112P; GSI Gemini & Burn

Delaware Dave

Exit93band

 


A few things to remember...

 

You don't need a password that would take a super computer 2 years to solve. You need a password that is harder to crack than 50% of the people who have an account at the same site. In fact, when a site is attacked the target is not usually the user accounts, it is the system account.

 

If a hacker does manage to find your password they will quickly try that email-password combination on lots of other sites to see where else they can get access. That is why you never use the same password at multiple sites.

 

Pencil and paper are good. Deceptive use of pencil and paper is better. I used to keep a list of phone numbers in my wallet from before cell phones were common. Mixed in with actual phone numbers were fake people and numbers. Example: Amos Hibbard - 226-1754. Amos = Amazon. Hibbard = hyphen. 1754 is the numerical part of the password. So the password for Amazon would be my standard word or phrase plus a hyphen plus 1754. Same with PIN numbers. Whenever the bank would give me a new PIN number it would go on the list as part of a phone number.

 

Accept the fact that your information is going to be compromised some day, no matter how careful you are. Medical visits alone will put your information in a bad place. SAMHSA requires that any medical facility that bills Medicare or Medicaid collect a lot of personal information: name, birthdate, SSN, address, income, all the things that a hacker would love to have to open a new credit card under your name. They even require things like sexual preference. They have the biggest data collection in the government, surpassing the census bureau. SAMHSA has learned over the years that the more data they have, the better they can negotiate with each individual congress person and tell them they need more money to serve specific groups. That is why hospitals are such a huge target now for hackers. The hospital chain that serves my small town was compromised a few months ago, being hacked and blackmailed. They didn't pay at first and their electronic records system was suddenly unavailable. They also violated federal regulations by not notifying the public and sending notices to clients that their data may be compromised. Word got out when doctors and nurses began telling patients why they were having to do services without their electronic records. It was a major mess and they finally paid the ransom. Who knows how many records the hacker may have taken. Those records are very complete. Some of my family members signed up for LifeLine monitoring, paid for by the hospital. Activity monitoring is very important.

 

My experience: 15 years ago I started getting statements on my insurance for a hospital stay in the D.C. area. My insurance company was no help in resolving the matter. They had paid for a week-long stay and no one at the insurance company seemed to care that they had paid it by mistake. Even the fraud department was no help. I talked to several people at the hospital and the billing agency. Finally I talked to a person who remembered my case. It seems a person with the same name and birthdate had lapsed coverage. A "helpful" insurance company employee gave them corrected information: updated insurance account number, address, etc... MY insurance account number and personal information. Still, the insurance company did not want to bother with fixing this. It was not until our agency went through the renewal process for health insurance that I was able to do something. When the insurance agent presented her pitch to renew our insurance contract for another year I was sitting at the table. When I told my story to the agent, the insurance company finally decided to do something.

This post edited for speling.

My Sweetwater Gear Exchange Page


I can't speak to how secure (or not) it really is, but boy life became easier once I started using Bitwarden.   One really long password to remember and then I don't need to generate or remember all the other ones.

Sucks to think about the pw managers getting hacked though!

For anything really dangerous, like paypal, I now use 2-factor auth so that I have to respond to a texted code before I can pay for anything.

My impression was that it makes little difference to use weird characters/numbers, that length matters more?  And so it's better to use pass phrases (?)  I haven't looked into this for a few years, caveat.

 


I'm surprised so many have divulged their password strategies in a forum open to public scrutiny (not posting)....I have mine but I share that with no-one :thu:


There is no luck - luck is simply the confluence of circumstance and co-incidence...

 

Time is the final arbiter for all things


Not sure what's so funny DE - don't see you laughing at any other posts? Hackers are serious criminals who are always on the lookout for a "way in".

 

Wouldn't be surprised if you throw your bills out in the bin (assuming you still use paper ones).

There is no luck - luck is simply the confluence of circumstance and co-incidence...

 

Time is the final arbiter for all things


10 hours ago, miden said:

I'm surprised so many have divulged their password strategies in a forum open to public scrutiny (not posting)....I have mine but I share that with no-one :thu:

Divulging a strategy is pretty useless to a crook when you talk in generalities as people are here. Pretty sure no one's given out an actual password. Like it would matter even then probably because it's not like anyone is using their real name here. (Spoiler alert: my name isn't really bill). 


Like Rabid said, hackers these days want quantities, not just a few people. The risk for just hacking a few people isn't worth the reward. Most hacking is coming from a couple of countries by organized crime. In these places unemployment is high and getting into hacking is an easy job to get. At my last job, when I went back to computers, the company had a name that sounded like a finance company. Every morning I'd check the security logs and they'd vary in how full they were with amateur hackers knocking on doors to see if they could find a potential target. If I saw lots of activity I'd check where it was coming from, and 90% of the time it was from outside the US. Sometimes we could tell that hacking school was back in session in a particular country by the quantity of computers sniffing our servers. But all this is outside the US so no one is going to do anything about it.

 

Hacking and online scams are just part of life and like all life there is crime around us so you just have to use your Street Smarts to watch out and take precautions. 


On 12/30/2022 at 1:46 AM, GRollins said:

From the I Told You So Department:

 

LastPass has been hacked and is in a mad PR scramble to reassure everyone that everything is just peachy.

 

Spoiler alert--things are not peachy.

 

Don't say you weren't warned. Don't say, "Oh, I'm safe because I use [competing service]." Don't say that it won't happen to you because you're so sweet and adorable and pure of heart.

 

I told you so.

 

Grey

No...  I told YOU so! 😂

Some music I've recorded and played over the years with a few different bands

Tommy Rude Soundcloud
