A piece of paper works well also. If someone breaks into my home I have more things to worry about than if someone stole a piece of paper.
But I assume that a USB key will let you copy and paste. Actually having to type in a good password is annoying. You are typing in a way you normally don’t type (in that you aren’t making real words) and you can’t even see your mistakes as you type.
Having to actually type in a password I have written down decreases my typing speed at least by a factor of 10.
This is absolutely true except for one thing: passwords you write down are likely to be shorter because you have to transcribe them from paper to keyboard.
I’ve recently gotten interested in a concept that’s similar to a password manager, except it doesn’t require keeping them written down anywhere. It basically consists of a deterministic password generator that generates passwords based on the site or account name and a good passphrase. I’ve written my own, which I’ve actually been using for a while, and it works pretty well. I’m confident that my passwords are nice and strong and unguessable, and the only thing I need to remember in order to regenerate them is the site names (which are saved in a list) and my passphrase, which is saved in my head.
A working prototype is here:
http://sdmbexample.nfshost.com/pw/
That’s dummy data, not my actual list of accounts, but if you type the same thing in both of those boxes (try “a” in both for example), the password boxes should fill with bullets indicating that there’s a password there. If you check the checkbox at the bottom, it’ll show you the actual PW it generated. Type something slightly different (e.g. “b”) in the passphrase boxes and it’ll give you wildly different passwords, through the magic of SHA256.
It’s quite rudimentary at the moment (it doesn’t allow you to edit the site list, for example – I do that by hand-editing a text file), but you get the idea. It also has the notions of password “schemes”, meaning you can specify a less-secure scheme for sites which have stupid password requirements like no exclamation points (this feature dedicated to the web programmers at Seattle City Light). See the password generated for “lamesite.com” in my example. And it also has a “version” number for each site, as well, so when an account needs a password change (ahem), you can just bump the number and that one entry changes.
Caveat: this prototype has been tested on Chrome, Safari and Firefox, but it does some funky clipboard tricks for copying those bullet-obscured passwords, so I won’t be surprised to hear it doesn’t work everywhere. If you don’t see a list of sites when you load the page, that means it didn’t work for you.
For curious cryptonerds, the generator is basically running all the input parameters through SHA256 and using the resulting bytes to select password chars based on the rules in the password scheme.
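The generator described in this post, written out as an added example in Python. This is not the prototype's code: the post only says that SHA-256 runs over the input parameters and that the bytes select characters according to a scheme, so the field separator, the scheme names and contents, the 16-character default length, the site list and the rejection-sampling step are all assumptions made here.

```python
import hashlib
import string

# Password "schemes": the character set a site permits. Names and contents are
# constructed for this example; the post's "lamesite.com" is the no-punctuation case.
SCHEMES = {
    "full": string.ascii_letters + string.digits + "!@#$%^&*()-_=+",
    "alnum": string.ascii_letters + string.digits,
}

# Stand-in for the prototype's site list: site -> (scheme, version). Constructed data.
SITES = {
    "example.com": ("full", 1),
    "lamesite.com": ("alnum", 1),
}


def byte_stream(passphrase: str, site: str, version: int):
    """Yield an unbounded, deterministic byte stream from SHA-256 of the inputs.

    NUL separators keep ("ab", "c") and ("a", "bc") from hashing identically;
    the counter extends the stream past 32 bytes when rejection sampling needs it.
    """
    counter = 0
    while True:
        material = f"{passphrase}\x00{site}\x00{version}\x00{counter}".encode()
        yield from hashlib.sha256(material).digest()
        counter += 1


def generate_password(passphrase: str, site: str, version: int = 1,
                      scheme: str = "full", length: int = 16) -> str:
    """Pick `length` characters from the scheme's alphabet using the hash bytes."""
    alphabet = SCHEMES[scheme]
    # Largest multiple of len(alphabet) that fits in a byte; bytes at or above it
    # are discarded so every character is equally likely (no modulo bias).
    limit = 256 - (256 % len(alphabet))
    chars = []
    for b in byte_stream(passphrase, site, version):
        if b >= limit:
            continue
        chars.append(alphabet[b % len(alphabet)])
        if len(chars) == length:
            return "".join(chars)


def passwords_for(passphrase: str, sites=SITES) -> dict:
    """Regenerate every password from the (non-secret) site list and the passphrase."""
    return {site: generate_password(passphrase, site, version, scheme)
            for site, (scheme, version) in sites.items()}


if __name__ == "__main__":
    for site, pw in passwords_for("correct horse battery staple").items():
        print(f"{site:14} {pw}")
```

Two things worth knowing before running something like this for real. SHA-256 is fast by design, so if a single generated password ever leaks (a breached site storing it in plaintext, say), an attacker can test passphrase guesses offline at GPU speed; swapping the `hashlib.sha256(...)` call for a slow, salted derivation such as `hashlib.pbkdf2_hmac("sha256", material, site.encode(), 200_000)` keeps everything else unchanged and makes that attack far more expensive. And because every password is a pure function of the passphrase, changing the passphrase rotates all of them at once, which is exactly why the per-site version number matters.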
Thanks. I had the same problem - earlier today I received an email from Twitter which mentioned some feeds I had never heard of, in different languages. Turns out (after seeing this post) I have the same issue as you - I am now following 70-80 extra people on Twitter, mostly accounts in different languages. I reset the password; it was the same as SDMB’s and I used the same email for both. (For the record sensitive things like email and bank accounts and etc all have unique passwords.)
This fucking cracked me up. Everyone’s talking about mnemonics and password managers and what’s more secure and on and on. And you’re like “aww fuck it, I’ll just use the word password”.
That’s something I would do as well. I didn’t change my password. It’s only used here and at the Giraffe boards. If someone logs in and pretends to be me. Oh well.
Looks like it’s a pretty good idea to maintain multiple email addresses for security as well…I can actually thank my provider’s overzealous spam prevention software for making me obtain a new email address for use with this message board. (Apparently it misinterpreted the stream of thread notifications.)
Well I went ahead and altered my SDMB password. Which has always been unlike any other password I’ve ever used.
Fine and dandy. Except that I’ve been enjoying the use of Tapatalk®. Until now. Now, when I click on a notify in my email to a thread I subscribe to and pick Tapatalk® as the method to use, it automatically enters my password. My old password. It tries 5 times as quickly as it can, at which point SDMB locks out the software for 15 minutes because of the wrong password.
I’m guessing if I remove the software from my sometimes-smart-phone, and reinstall it, I can use the new password on the reinstall?
Sorry the Board got hacked.
I don’t know about Apple, but on Android under Manage Apps you can select Clear Data. That will remove the old password without having to uninstall/reinstall.
But I’m surprised Tapatalk doesn’t provide a way to change the password through the UI.
I would love to know how many people have since tried logging on as me using that.
Hell if I know.
Didn’t work for me.
You sure that’s what you used?
See, the Twitter logins don’t make sense. “I’ve just hacked someone’s password, how can I turn the most profit?” “I know! I’ll go subscribe to Twitter feeds!”
To me, the best steps are:
- Try email accounts, this both frustrates password reset attempts and allows you to get access to more accounts by resetting the password. Remember to change security questions and secondary emails so they can’t log in.
- Try shopping sites. Amazon, PayPal, iTunes, then smaller shopping sites.
- Banks. This isn’t likely to work as most banks have 2 factor authentication, but you could find out more information.
- Social networking. Find out more personal info (to answer questions), maybe get something from friends and family.
I know someone whose IM was hacked and what did the hackers do? Pose as her to “borrow” money from relatives. The hackers don’t even change passwords! Are they trying to be nice?
Yeah they do make sense actually. They are also revealing. The hacker has cracked the username/password combos. After checking the main banks and a couple of email providers, he sells the twitter stuff on the dark internet. Those playing with twitter accounts are third-party/third-world employees. That’s the small potatoes end of the business. But the fact that the merchandise was sold to them implies that this is a professional hack, and not one done on a lark. Pros slice these lists up into different exploit opportunities.
So, to reiterate: if your password is a variant of your financial account, change it. If your password is a variant of your email account, change that password. Because a captured email can be used to retrieve “lost” passwords from banks and brokers.
Oh, is that how Twitter followers are bought? That makes more sense. But why don’t they change the password, then?
Here’s a question.
Suppose you don’t use this username for anything other than the SDMB and an associated email account, what else could a hacker access and how? (The email account has a different password.)
If you’ve never used that password (or one related to it) for anything else, then the worst the attackers could do is log in under your name and say “Sex with sheep is fun”, or something. This is why it’s so important to not re-use passwords.
That depends on the method of generating keys. If your method of generating keys is “I take the name of the website and then append the same string to it for every site”, then you shouldn’t be saying that in public (and you shouldn’t be using that method at all). But if your method for generating keys is based on rolling dice, like I did for my bank account password, then you can reveal that with no harm.
Here, I’ll start. For my bank account, for each character, I rolled two 6-sided dice and flipped a coin. I used the dice as the digits of a base-6 number, to generate a random number from 0 to 35. Numbers from 0 to 9 I matched up to the corresponding digits, and numbers higher than that I matched up to the letters of the alphabet. The coin toss determined whether I pressed the shift key or not, so I could get lower-case letters, upper-case letters, digits, or any of the symbols above the digits. I then repeated that for a bunch of characters.
There, now you know the exact method I used to generate my bank password, and even with that information being public, my security has decreased not one iota.
How is that different to using a random password generator?
It is a random password generator. If you mean a computerized random password generator, I didn’t have one handy when I needed to set up my online banking, and didn’t feel like going through the research to find a good one right that moment, but I did have dice handy.
If we want to be overly pedantic, I now know your passwords don’t include special characters beyond shift-numerals, like [-+=<>] etc. So I could eliminate those from brute force rules I’m using to crack them, and your security is decreased.
Now in practical terms, it won’t really make a difference - either way, your password is effectively unbreakable by brute force methods given the computing power available today. And the insignificant bit you give up in your security provides benefits to others by demonstrating what a good password is and how to create one. But it’s still worth considering any time you reveal any part of your password security: is this information that someone can build into their cracking rule engine, and if they do, how much does it reduce my security? The answer to the first question is almost always going to be yes, no matter how tricky you think you are being. So make sure the answer to the second question is “not enough to matter.”
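The dice-and-coin procedure described a few posts up, together with the keyspace question raised just above, as an added example in Python (this is not the poster's own tooling; the post describes a manual method). Two assumptions not stated in the thread: a US keyboard layout, so that Shift plus the digits 0 to 9 gives `)!@#$%^&*(`, and `secrets.randbelow` standing in for the physical dice and coin. The `keyspace_penalty_bits` function quantifies the point made above about revealing which symbols a method can never produce.

```python
import math
import secrets
import string

# Shift+0 .. Shift+9 on a US keyboard. The post does not name the layout; assumption.
SHIFTED_DIGITS = ")!@#$%^&*("


def dice_to_char(die1: int, die2: int, shift: bool) -> str:
    """One character from two d6 and a coin flip, as the post describes."""
    if not (1 <= die1 <= 6 and 1 <= die2 <= 6):
        raise ValueError("die faces must be 1..6")
    n = (die1 - 1) * 6 + (die2 - 1)          # two base-6 digits: 0..35
    if n < 10:
        return SHIFTED_DIGITS[n] if shift else str(n)
    letter = chr(ord("a") + n - 10)           # 10..35 -> a..z
    return letter.upper() if shift else letter


def roll_password(length: int, randbelow=secrets.randbelow) -> str:
    """Same procedure with a CSPRNG standing in for the physical dice and coin."""
    return "".join(
        dice_to_char(randbelow(6) + 1, randbelow(6) + 1, bool(randbelow(2)))
        for _ in range(length)
    )


def dice_alphabet() -> set:
    """Every character the method can produce: 36 values x 2 shift states, all equally likely."""
    return {dice_to_char(a, b, s)
            for a in range(1, 7) for b in range(1, 7) for s in (False, True)}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of `length` independent, uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def keyspace_penalty_bits(length: int, extra_symbols: str) -> float:
    """What an attacker gains from knowing the method never emits `extra_symbols`:
    the entropy the password would have had with them, minus what it actually has."""
    have = len(dice_alphabet())
    return entropy_bits(length, have + len(extra_symbols)) - entropy_bits(length, have)


if __name__ == "__main__":
    pw = roll_password(16)
    print(pw, f"{entropy_bits(16, len(dice_alphabet())):.1f} bits")
    # Punctuation on a US keyboard that the dice method can never produce.
    missing = "".join(c for c in string.punctuation if c not in dice_alphabet())
    print(f"knowing {missing!r} is excluded saves the attacker "
          f"{keyspace_penalty_bits(16, missing):.1f} bits")
```

The method is uniform because all 72 (36 times 2) outcomes are equally likely, which gives about 6.17 bits per character. Knowing that the seven symbols `[-+=<>]` are excluded shrinks the attacker's search by roughly two bits for a 16-character password, which is the "not enough to matter" case from the post above.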
-
When you get that far down the food chain, the hackers aren’t especially savvy.
-
When you get that far down the food chain, the subcontractors are interchangeable. So you might not bother to change passwords.
-
If the user does NOT change his password, you know he’s inattentive. That implies you should focus more on his username/password combo and variants. For the same reason, a number of scammers claim explicitly (and sometimes accurately) that they hail from Nigeria. That way the 1/1,000,000 ignorant and cognitively challenged self-select themselves. In this case though, inattention doesn’t necessarily imply stupidity: much of their database presumably consists of one- or two-post wonders.