I hate passwords, help me out.

I’ve used lastpass and passible, both encrypted password management programs you can have on your PC, tablet or phone (well, on my Apple phones anyway…no idea if there is an Android version). Either would work for you. I like passible as I can use biometrics to access the password, and it has features to let me take the password or username and autofill for websites and such. It’s also encrypted and is local, so not a problem with trusting a cloud based company.

Really, any of these or others would work. Just something that you are comfortable using but is encrypted and secure will be fine. Everyone hates passwords, but, frankly, it’s a huge security issue. Even having strong passwords isn’t enough unless they are also changed frequently. Really, the best thing is to use multi-factor authentication, maybe with a combination of tokens, passphrases and bio-metrics. If you have the chance to use two factor authentication at least you should (I do it with my Steam account as well as anything else that uses it).

I’m curious about those with 100+ passwords. Are these all sites where security is important? 4 or 5 financial sites; some merchants who have your credit card details; some important email accounts; do they really add up to 100+?

My facebook, sdmb accounts, etc. have trivial passwords. If someone wants to impersonate me on a message board, have at it! Could be fun.

This is what I do. (Though I’m surprised Amazon doesn’t retain your credit card info.)

(Bolding mine)
Care to explain?

Sure. Even if you use a strong password regiment (which is 8 or more characters using alpha numeric values as well as special characters and no easily identified words or phrases), the more you use that password the more likely it is to eventually be hacked. So, if you use your strong password here on the 'dope, say, the likelihood is that, eventually, someone, somewhere will get that password. If you use it for 10 years, it’s pretty likely that will happen, either because the 'dope gets hacked or because the system you are using is compromised in some way. If you use that same password (as people often do) for other sites, that likelihood goes up quite a bit.

So, changing often helps. But, if it’s the only authentication method used, even that can be hacked by a really determined hacker depending on if it’s worth their while. It’s why a single factor authentication isn’t felt to be enough today, even if that one factor is itself very difficult to brute force (say a long passphrase with strong password methodology, randomly generated and changed every month or so). For the purposes of this OP it’s really not a factor…the OP doesn’t even like to use passwords at all :p…but I think most organizations are going to two factor as a minimum, and multi-factor is really gaining steam, at least in many cyber circles.

The best password is 99991. If you brute force, it would take 99,991 guesses. If you start at 99999 and work backwards after several tries you will think “this will never work” and give up. :smiley:

I know this will sound coy, but (obviously) I don’t want to go into great detail.

I have three fairly simple rules* that I use to make a password from the name of the website, the name of the account, or the name of the program/service I need to access. The result is that I can generate a password for my Domino’s account that’s different from my Facebook account, but I can reproduce them at will. I’ll admit that I have to think for a moment sometimes, but I’m rarely stumped.

Are they the best possible passwords one could use? Probably not, but I prefer this to using a password program or maintaining a list. Been doing it for over 10 years and never really had a problem.

*Think along the lines of rules like: Take the first eight letters. If there are fewer than eight, repeat the first letter to make eight. Put a dollar sign and an ampersand after the first vowel that’s not at the beginning. Insert the numeric values of the last two letters exactly halfway through the password and capitalize them. So my password for Domino’s might be “Ddo$&1519minos”…

First of all, Amazon retains my credit card information. I’m not sure why it doesn’t do that for you. Second, I have over a hundred entries in Lastpass. At least a dozen are work-related sites, half a dozen are financial institutions, another six or so are airlines, hotels and the like, perhaps fifteen or so are retailers like Macy’s or The Gap, where I shop online, and so forth. Plus I use the app to store license keys for software, and other info. The nice thing is that once you entrust your passwords to such a scheme, the individual passwords can be ridiculously complex and unique.

Right.
But, if you never re-use the password (which is what password managers are for), then changing it frequently isn’t very useful.

In fact, I suspect that changing strong passwords frequently (especially when organizations force this process) makes it more likely that your password will be compromised, because it increases the number of times that a Man-in-the-middle attack or spoof can occur.

What about the famous xkcd comic password of “correct horse battery staple” ?

Thirty characters long, and of course, easy to remember. Is that safer than 8 characters with an ampersand and a slash?

I have nothing worth hacking. :frowning:

I used to use a strategy like this, but long ago switched to a password manager (KeePass, with the encrypted blob stored in the cloud where all of my devices can find it).

The problem is the leaking of one password causing everything in that tier to become vulnerable, and in the escalation from one tier to another. For example, if passwords leak from, say, Target, are all of your shopping sites now vulnerable, do you need to change all of those passwords?

The escalation one is potentially scarier. What if your password from some random message board leaks. But that is the same username and password you use for your email. Now somebody has access to your email, which they can easily use to change the passwords on your bank account.

Anyway, just use a password manager. All of these memorized systems and such are fine, but I don’t even worry about it anymore. For the majority of places, when I need to log in, I unlock my password manager, and then the username and password fields autofill with the necessary information. I’ve had sites I use leak the passwords. All I have to do is change my password for that site, and update it in my password manager. I don’t have to worry about did I use the password someplace else?

I also think a piece of paper or notebook is fine, if you only ever need to login from one physical location. That is actually true for many people. The main drawbacks I see with a notebook are more practical than security related. The difficulty of syncing across locations and the inability to make backups being the largest two I can think of. Not only is there a cached copy of my password database on all my devices, but I also have versioned backups in the event I need to ever go back in time. Spilled coffee might ruin my laptop, but it won’t lock me out of my bank account.

And this “all they have to do is break into your password manager” is definitely a concern, but hopefully it is the same as saying “all they have to do is break this incredibly strong encryption, that not even governments can break.”

Passwords are a funny thing. A lot of the rules we have now for creating passwords came from a man named Bill Burr; and it’s become ingrained into society even though he now admits he was wrong!

“For 20 years, the standard advice for creating a “strong” password that is hard to crack has been to use a mix of letters, numbers and symbols.”

“The result is that people create odd-looking passwords and then have to write them down, which is of course less secure than something you can memorize.”

“The NIST’s revised tips say users should pick a string of simple English words — and only be forced to change them if there’s been evidence of a security break-in.”

By the way, at work I use Password Safe.

Absolutely.
9 characters is only around 80^9 = 1.3x10^17 combinations.*

This cluster can manage 350x10^9 guesses/second, which means it could crack 9 characters in about 65 hours on average.

30 characters is around 80^30 = 1.2x10^57, or 40 orders of magnitude harder to brute-force.

Here is a website that summarizes it:

(I’m not vouching for their times).

* I assumed 80 as a reasonable number of characters that can be generated with a standard keyboard without resorting to too many gyrations - the actual number of possible characters is larger, but most people aren’t going to use accented characters in their password…
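The arithmetic in this post (80 symbols per position, 350x10^9 guesses per second, average search time is half the keyspace) is easy to get wrong by hand, so here is a small calculator that does it, added as an example and not part of the original thread. It generalizes the same formula to word-based passphrases of the "correct horse battery staple" kind, where each position is a dictionary word instead of a keyboard character; the 80-character alphabet and the 350x10^9 guesses/second rate are the thread's own figures, and the 400,000-word dictionary size is an assumption taken from the later "400,000 words" remark in this thread.

```python
import math

# Assumptions, taken from the thread's own figures (constructed, not measured):
KEYBOARD_CHARS = 80           # symbols reachable on a standard keyboard
GUESSES_PER_SECOND = 350e9    # rate quoted for the cracking cluster
ENGLISH_WORDS = 400_000       # dictionary size used for the passphrase case


def keyspace(symbols, length):
    """Candidates an exhaustive search must cover when each of `length`
    positions is drawn uniformly from `symbols` choices. `symbols` may be
    keyboard characters (random string) or dictionary words (passphrase).
    Exact integer arithmetic, since these numbers overflow a float's mantissa."""
    return symbols ** length


def bits_of_entropy(symbols, length):
    """Same quantity expressed as bits: length * log2(symbols)."""
    return length * math.log2(symbols)


def average_crack_hours(symbols, length, guesses_per_second=GUESSES_PER_SECOND):
    """Expected time to find a uniformly random secret by brute force:
    on average the attacker hits it halfway through the keyspace."""
    seconds = keyspace(symbols, length) / guesses_per_second / 2
    return seconds / 3600


def orders_of_magnitude_harder(symbols_a, length_a, symbols_b, length_b):
    """How many more decimal digits the second keyspace has than the first."""
    return math.log10(keyspace(symbols_b, length_b)) - math.log10(keyspace(symbols_a, length_a))


def equivalent_random_length(word_count, words=ENGLISH_WORDS, chars=KEYBOARD_CHARS):
    """Shortest random character string whose keyspace is at least as large
    as a passphrase of `word_count` words drawn at random from `words`."""
    return math.ceil(math.log(keyspace(words, word_count)) / math.log(chars))


if __name__ == "__main__":
    for symbols, length, label in [
        (KEYBOARD_CHARS, 9, "9 random keyboard chars"),
        (KEYBOARD_CHARS, 30, "30 random keyboard chars"),
        (ENGLISH_WORDS, 4, "4 random dictionary words"),
    ]:
        print(f"{label:26s} keyspace=10^{math.log10(keyspace(symbols, length)):5.1f} "
              f"bits={bits_of_entropy(symbols, length):6.1f} "
              f"avg crack={average_crack_hours(symbols, length):.3g} h")
    print("30 chars vs 9 chars: +%.0f orders of magnitude"
          % orders_of_magnitude_harder(KEYBOARD_CHARS, 9, KEYBOARD_CHARS, 30))
    print("4 random words ~ %d random chars" % equivalent_random_length(4))
```

Two caveats the formula hides: it only holds when the secret is chosen uniformly at random (a memorable sentence is not a random draw from the dictionary, and the original xkcd strip assumed a 2048-word list, about 44 bits for four words, not 400,000 words), and it assumes the attacker can guess at the quoted rate, which depends entirely on how the site hashes stored passwords.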

What concerns me is the online syncing. I’m considering looking into getting a yubikey or something else that will do OTP and use that in conjunction with a password manager. But then that’s something I could lose and potentially lock myself out of my account? I don’t know. It feels like it’s very hard to stay on top of security.

If done correctly (and that is a big IF) all that is ever stored remotely, or ever leaves a device, is encrypted. The decryption only takes place on the local device. The way mine works is my phone (for instance) downloads the encrypted blob, decrypts it with my password, and then maybe makes a change, encrypts the database, and uploads it as an encrypted blob. My laptop notices the file in the cloud has changed, and downloads the new encrypted blob.

I am very confident that if somebody had just the encrypted blob, and nothing else, they would not be able to open it. I think if there is a vulnerability it is much, much more likely to involve a rogue program accessing the decrypted information in memory, screen scraping the data when I look at it, or even tricking me into entering my password at a fake website. The password managers are written to prevent those things, but they certainly have bugs in them, and in some cases the attacks may be beyond the password manager’s ability to prevent, such as the fake website one. Don’t let perfect be the enemy of good. I have made the decision to trade a future possible bug in my password manager against the known vulnerability of using the same password at multiple places.

Yubikey and things like that are great, but none of the places I keep money have anything more sophisticated than SMS/call based two factor authentication.

Oh yeah, as far as locking yourself out of your account. Most places that use two factor will also give you some recovery codes, or some such. Then if you lose your OTP device, you enter one of the recovery codes (you did save them, right?) to access your account, and then can attach a new OTP device.
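The recovery-code flow described in this post (codes handed out at enrolment, one redeemed when the OTP device is lost, each usable once) is simple to model. The following is an added example, not code from the thread or from any particular service: it generates a batch of codes the way a site would, stores only salted PBKDF2 hashes server-side so a database leak does not expose usable codes, and burns each code on first use. The alphabet, code length and iteration count are assumptions chosen for the illustration.

```python
import hashlib
import hmac
import secrets

# Assumed format: 10 characters from an alphabet without look-alikes (no 0/O, 1/l/I)
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_LENGTH = 10
PBKDF2_ITERATIONS = 50_000   # assumed work factor; real deployments tune this


def generate_recovery_codes(count=8):
    """Codes shown to the user once, at enrolment, formatted xxxxx-xxxxx."""
    codes = []
    for _ in range(count):
        raw = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        codes.append(raw[:5] + "-" + raw[5:])
    return codes


def _normalize(code):
    """Accept the code however the user typed it back (case, hyphen, spaces)."""
    return code.strip().lower().replace("-", "").replace(" ", "")


def _hash_code(code, salt):
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, PBKDF2_ITERATIONS)


class RecoveryCodeStore:
    """Server-side record for one account: salted hashes only, never the codes."""

    def __init__(self, codes):
        self.salt = secrets.token_bytes(16)
        self.unused = {_hash_code(_normalize(c), self.salt) for c in codes}

    def redeem(self, code):
        """Return True and consume the code if it is a valid, unused code."""
        digest = _hash_code(_normalize(code), self.salt)
        for stored in self.unused:
            if hmac.compare_digest(stored, digest):
                self.unused.discard(stored)   # one-time use
                return True
        return False

    def remaining(self):
        return len(self.unused)


if __name__ == "__main__":
    # Constructed walk-through: enrol, lose the OTP device, recover once.
    codes = generate_recovery_codes()
    print("Save these somewhere safe:", *codes, sep="\n  ")
    store = RecoveryCodeStore(codes)
    print("first use :", store.redeem(codes[0]))   # True
    print("reuse     :", store.redeem(codes[0]))   # False, already burned
    print("remaining :", store.remaining())        # 7
```

The design point is that recovery codes are second-factor secrets in their own right: they get the same salted, slow hashing a password would, they are compared in constant time, and a used code is removed immediately so a copied screenshot of the original list loses value the moment the legitimate owner uses it.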

You make good points. Thanks for the rundown.

Thank you for the replies. I’m not yet convinced, however.

Is this not also an issue with using a password manager? OK, not “one password” perhaps, but the leaking of whatever the password manager requires for access. Or is this risk vastly reduced by the use of 2(+?) factor authentication?

[quote]
For example, if passwords leak from, say, Target, are all of your shopping sites now vulnerable, do you need to change all of those passwords?
[/quote]
I would say no, because I don’t care whatsoever if someone logs on to a shopping site as me. Provided my card information isn’t saved on there, what are they going to do? Even if my card info is saved, I check my statements regularly for anything I don’t recognise, which everyone should do anyway.

I agree this is a risk, which is why I would never use an important password for a message board/shopping site.

If, as George Carlin famously said, there are 400,000 words in the English language, there are 400,000^4 = 2.56*10^22 ways to do a four-word password, or about as strong as a 12-character string. But you’ll have an easier time remembering the words.

But here’s something that I wonder about: you know how your browser remembers usernames and passwords for you so you don’t have to type them in every time? That means Firefox or Chrome or whatever you use has them stored somewhere. A few months back, I was able to access my list of stored passwords in Chrome (I’ve already forgotten how), and copied them and saved them to a spreadsheet, which gives me access to them that isn’t dependent on Chrome.

And a lot of the passwords were to sites I hadn’t accessed from that (relatively recently acquired) laptop because I hadn’t been there for many years, so obviously Chrome consolidates my info across devices and has it stored somewhere in the proverbial ‘cloud.’

Makes me somewhat concerned that Chrome’s password reservoir could be hacked. Not concerned enough to do anything about it, but still concerned.

Yes, if you have it synced to a Google account, your autofill passwords can be accessed at passwords.google.com, but you need to be able to log into your Google account (so you need that “master password.”) Similarly, on your Chrome browser, on the local machine you can access your auto-fill passwords under chrome://settings/passwords, but you need the local account password to view the auto-saved passwords.