How secure does my password need to be, really?

A password manager lowers the cost of password security. I don’t have to have one for the bank, one for e-mail, one for Facebook, and one for everything else; it’s just as easy to have a unique password for each account. I don’t have to have security tiers; it’s just as easy to use an eight-letter dictionary word as it is to use 25 characters of entropy complete with mixed-case letters and numbers and symbols and Z̩̯̖͖͙̪̀a̩̜̙͍l͖g͍o̢͈̹ ̛̬͔͔͍̜t̩͖̼͡ḙ̸̝̲̯͔ͅx̠̣̠̩͙t̲̜̙* and whatever else.

But why am I bothering? How secure do my passwords really need to be?

I don’t see a gopnik crowing about getting into two forum accounts, a recipe collection, and a bank account that had nearly $2,500 once. I’m nobody, so there’s no reason to track my movements or my purchases, or gather blackmail material (not that there is any). I have no reputation worth ruining, nor any influence worth impersonating me to take advantage of. I certainly don’t need outrunning-the-bear security. Is there any real reason I, personally, shouldn’t use the same easy password for pretty much everything?

*I don’t know if this would actually be possible. Sure would be secure, though.

As so often, the question in the subject line doesn’t match the question in the post. As for the subject line, that’s a technical question and it depends on how many tries an attacker gets. Your four-digit PIN is good enough to protect thousands in your bank account because you only get a few tries. But many passwords can fall into the wrong hands in encrypted form, and then people can try as long as they feel like at millions of tries per second, so then anything less than 10 characters or based on dictionary words isn’t good enough.

But the question in the post is whether you need more than a token password because nobody is going to try to get at your stuff anyway. Then I certainly hope you don’t do any online banking, or even buy stuff online.

Remember the story of Icarus? He thought he had it all figured out.

eh…

Not really offering how important it is as much as how to do it…

Most of us all have a few favorite songs or two. And a favorite line in the song. Pull the first letter off of each word of the line in a song and add a !$%& and number to it or whatever. The song makes it easy to remember, but pretty hard to break.

Add a number or two. Cap some.

Chestnuts roasting on an open fire - !CroaoF9

I also have a password manager on my cell phone (do we still say cell phone?)

Anywho, the main password is also based on a song. It’s gibberish (no, that’s not my pw, but also based on a song). And if that was broken into somehow, nothing is direct. No web site info, nothing to say what it goes to. Just a single letter that will clue me into where this goes.

Another option, say for your work password, if you only use it at work… You have books in your office. Pick a page and use the first letter of every word in the last sentence of that page. Now all you have to remember is “Page 121” and what book it is. Very simple, and if you can remember 121, and the book, well, you will never forget your password. Beats the hell out of a sticky note.

The bad guys are getting rich stealing $500 each from millions of people. Not from draining Bill Gates’s checking account.

More precisely, they’re stealing $500 each from millions of people’s credit cards and the law provides that most of the cost is *directly* borne by the merchants, banks, and card issuers. Of course indirectly we the people actually bear 100% of the cost in the form of increased consumer prices and bank fees & interest rates.

At any rate, the real issue for you is that IF the bad guys get ahold of your info, you get to spend the next few years trying to un-fuxxor your credit ratings and accounts. It may not cost you a dime in hard costs, but avoiding that hassle is worth many thousand dollars in head- and heart-ache.

So your passwords need to be not common compared to most people’s, and most importantly, not common between any two online accounts you have. That is what will protect you from being a random victim of bad guys trawling for accounts.

Of the two, the latter (unique passwords per account) is actually the more important, and the one almost everyone screws up. Luckily it’s also the one a password manager really shines at solving.

As said by others above, password length is the best defense against a concerted offline attack on a stolen password database that includes your PW. Password managers are also the enabling technology for 15-20 character passwords for each of your accounts.

How much do you value your name? Reputation? Having a job? Keeping your job? Not being falsely arrested? Having insurance?

Why would it matter if your password is a “dictionary” word? Aren’t hackers using computers to steal your password? Can these computers recognize a dictionary word as opposed to a random group of letters?

There are different attack methodologies - ‘Dictionary’ in this context just means a list of strings that are common, likely or obvious enough to be worth trying - this will include the classic ‘obvious’ passwords such as ‘LetMeIn’ ‘Superman’ and ‘Password123’ etc.

(Strictly) in theory, any logic or methodology you apply to the task of constructing a password to make it more memorable (such as using real words, mnemonics, etc), also makes it more vulnerable to attack.

One of the easiest password formulas I’ve ever heard:

Pick a three letter group that you won’t forget. Capitalize one letter anywhere in the group. For example, my name might be John Henry Jones, so I’ll use jhJ.

Pick a special character. I’ll use @ for this example.

Pick three more letters that identify the website and capitalize one letter anywhere in the group.

Pick a 4 digit number that you will easily remember. I’ll pick my best friend’s birthday: 0207.

Now put those together in an order that you will always follow. If you want, you can split the 4 digit string into two groups of two, as long as you are consistent about how you do the split.

Let’s assume that I am going to create a login for Republic Bank. I’ll use reP for the website letter group. My password could be jhJ@reP0207 or jhJ02@reP07. According to a variety of password strength checkers, it will take about three years to brute force crack that password structure.

And since three of the letters change depending on the website, I have a unique, high-strength password for any secure site I choose.

That may well be difficult to brute force, but it’s weak in the sense that it follows a predictable formula, and once one of your passwords is leaked for one site, it becomes very much easier to divine the others.
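A quick estimate of how the jhJ@reP0207 recipe fares under the two attack models described earlier in the thread (a throttled login form versus offline guessing at millions of tries per second), added here as an illustration and not taken from any of the posts. The guess rates, the 32-symbol alphabet and the ten-attempts-per-day online throttle are assumptions.

```python
import string

# Assumed guess rates: the thread's "millions of tries per second" for an
# offline attack on a stolen hash database, and a throttled login form.
OFFLINE_RATE = 1_000_000            # guesses per second
ONLINE_RATE = 10 / (24 * 3600)      # assumption: ~10 attempts per day

SYMBOLS = len(string.punctuation)   # 32 printable ASCII symbols
LETTERS = 26
DIGITS = 10


def blind_keyspace(length: int, alphabet: int = 95) -> int:
    """Guesses needed when the structure is unknown (full printable ASCII)."""
    return alphabet ** length


def formula_keyspace(one_password_leaked: bool = False) -> int:
    """Guesses needed for the recipe: 3 letters (one capitalised) + symbol +
    3 site letters (one capitalised) + 4 digits, digits together or split (2 layouts).
    Once one password has leaked, the personal trigram, symbol, digits and layout
    are known, so only the site trigram varies. Even that is an upper bound: the
    site letters are derived from the site name, so a person guesses them in a few tries."""
    site_group = LETTERS ** 3 * 3          # three letters, capital in one of three positions
    if one_password_leaked:
        return site_group
    personal_group = LETTERS ** 3 * 3
    return personal_group * SYMBOLS * site_group * DIGITS ** 4 * 2


def expected_seconds(keyspace: int, rate: float) -> float:
    """Average time to hit the password: half the keyspace at the given rate."""
    return keyspace / 2 / rate


def summarize() -> dict:
    """Worked numbers for the thread's example password structure."""
    year = 365 * 24 * 3600
    return {
        "blind_11_chars_offline_years": expected_seconds(blind_keyspace(11), OFFLINE_RATE) / year,
        "formula_offline_years": expected_seconds(formula_keyspace(), OFFLINE_RATE) / year,
        "formula_after_leak_offline_seconds": expected_seconds(formula_keyspace(True), OFFLINE_RATE),
        "formula_after_leak_online_days": expected_seconds(formula_keyspace(True), ONLINE_RATE) / 86400,
    }


if __name__ == "__main__":
    for name, value in summarize().items():
        print(f"{name}: {value:,.2f}")
```

The numbers show why the thread's two points sit together: the full recipe is expensive to guess blind, but after a single leak the offline search collapses to a fraction of a second, and only a throttled login form keeps it slow.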

What a gopnik wants: