I have accounts on many different sites, whether it's banking, poker, forums, etc. I've read not to use the same password on every site, for obvious reasons. I have all my usernames/passwords on my computer in a Microsoft Office sheet and also on my USB as well. Obviously if I lose it, that's very bad because it has the site and the password in it. Also, they're passwords I made up, so obviously they aren't that secure.
I was recommended by others in a forum to use KeePass to store my passwords/documents. I had never heard of this, as I'm not very tech savvy. I downloaded KeePass 2 and it seems pretty nice. So basically I was told to just remember your master password and that's all. Then you could put things like Yahoo, Hotmail, etc., and thus your password would be stored.
First off, what passwords do most of you use? Is it passwords that you easily remember and it's something sorta simple, or do you put some 15- or 20-digit/letter thing that isn't even a word, etc., and that's your password? Or do you use KeePass or another program to generate a password for you? At the moment, I'm considering just having KeePass 2 generate a new password for every site I go on and changing every current password I have. Would you recommend that?
Also, when you make a password for each site, I assume none of you have exactly a 20-letter/number password for each site, right? I see KeePass offers 40 hex, 128 hex and 256 hex. I don't know what that means, but obviously from looking at it, the bigger the hex, the longer the password and the more secure it should be. So would you recommend some sites do 128 hex, others 256 hex and some 40 hex? Because from looking at KeePass, then I have to change the length of the generated password for each site I visit, and I can't imagine everyone doing this for, like, 30 sites, for instance.
I would also need to have access to my passwords on my iPhone 4S. Am I supposed to just download MiniKeePass? The thing that also confuses me is how would I be able to access the KeePass 2 program on my laptop that has my username/password for each site then? Do I have to manually type everything from KeePass 2 on the laptop into MiniKeePass on my iPhone 4S? I can't imagine I have to do this, but then again there's no username when logging into KeePass 2.
So how would one back up KeePass 2 on their current laptop if somehow I don't have access to the laptop anymore? I know I can't just use another computer, download KeePass 2 there, then type my master password in and then it would open my KeePass 2 from my laptop, unless there's something I'm missing here? Thus at the moment, if my computer doesn't work anymore and I don't have access to KeePass, then I wouldn't have access to any of my passwords.
Do all of you recommend writing passwords down on paper as well? I do have my passwords on paper as a backup, but these are the passwords that I created. But if it's passwords generated by KeePass 2… it's going to be 20 letters long each, and well, that would seem to be a lot of writing of passwords on a piece of paper. But I'm curious if anyone keeps passwords on paper as well.
I use JoeyP1980 for everything, what do you use?
Using KeePass to generate a complex, impossible-to-remember password for you is kind of the point. However, you should not use the hex built-ins as standard password generators; these are limited to characters matching [0-9a-f], which is kind of a pathetic character pool. Use the standard password generator and tune it for whatever idiotic password rules are in effect for the site you’re generating it for. If the site has no rules, or they only tell you what the rules are after you try to break them, I usually first try a 32-length password with all the boxes checked except “Space” and “High ANSI”.
Copy the .kdbx file from your PC to your phone.
Copy the .kdbx file from your PC to your [insert backup device of your choice].
Writing all one’s randomly generated passwords on paper seems awfully retrograde and error-prone to me, but hey, whatever accelerates your protons.
There is a great XKCD cartoon that addresses passwords that is explained here: 936: Password Strength - explain xkcd
I, personally, maintain three passwords (well…four really).
- A simple, short password for websites such as news sites. They do not have any info on me beyond the most basic. I really could not give a shit if someone hacks that account. There is nothing there.
- A semi-complex password for sites such as the SDMB. They do not have info such as my bank account but my persona here matters to me and I would be upset if someone assumed my persona here and posted as if they were me.
- A very complex password for bank accounts and shopping accounts (e.g. Amazon). These are places where people can rip me off. My passwords for these are very long but in line with the XKCD cartoon above so they are memorable.
- A stupidly long password for Keepass which keeps all my passwords (more than the three above such as work passwords for various access). It is also in line with the XKCD cartoon above so it is easy for me to remember but it is absurdly long. Something like: TheSDMBisAmongMyTop10FavoriteBoards
A password such as that is nearly unbreakable.
How secure you want your passwords to be depends on what you’re using them for. Your online banking obviously needs a very good password, but for an online gaming site where all that’s at stake is your standing on the high scores list or the like, it might be fine to use “12345” or whatever. Plus, different sites will have different requirements for passwords: I recently set up an account, for instance, where the site was apparently rejecting everything that did not consist of exactly 8 letters and 1 digit. Yes, that’s a terrible setup, but it wasn’t my decision.
For a truly important password like for your bank, you want to make it as secure as the site will allow. This means making it long, making it draw from the full set of characters available, and (most importantly) making it random. Unassisted humans suck at generating randomness. You can get good random passwords by doing something like rolling dice, or you can get a program like KeePass to do it for you.
My wifi password is something similar to: 11223344556677889900aabbccdd. People laugh when I give it to them and tell me how complicated it is. But then I remind them that it's actually really, really easy to remember but no one is going to guess it.
What’s funnier is when they call me because they don’t remember the password for their own wifi:
Did I set it up?
Yeah.
[deep breath] it’s 11,22,33 all the way to 99,00,aa, etc
Okay, got it, thanks.
Also, I always liked the other thing that I've heard some people say that they do for security questions. When it asks you for things like your mother's maiden name, first car, street you grew up on, they use made-up answers. Always the same and consistent so they can remember them, but totally made up, so someone that knows them would never be able to get past the part of a website that asked those questions.
That’s not in line with what the XKCD cartoon is recommending at all, as it’s not random. It might be long enough to work anyway, but it’s not nearly as good as a random password of the same length.
And sometimes they don’t even tell you the rules then. The site I mentioned in the previous post that had the terrible requirements, I tried to start with a good password, but it just kept telling me “The password provided does not meet length and/or complexity requirements”, or something like that. Well, I had all of the categories of characters in it, which is what’s usually meant by “complexity”, so I tried making it longer. Finally I realized that the site was complaining about the password being too secure, so I simplified it until I got to the 8 letters, 1 digit one.
Nonsense.
That would be a fantastic password in line with XKCD.
“SDMB” is not a word.
It has “is” after “SDMB”.
It has a number in the middle.
All that being in the middle will muddle any kind of dictionary attack and even if it was real words it is too long for a dictionary attack to work.
I submit the entropy on that is MORE than sufficient to foil any brute force attack.
What’s more I am willing to bet it does not appear on any Rainbow Tables.
It’s always fun playing the “Guess what’s wrong with my proposed password” game. Especially considering that each website seemingly has its own definition of the phrase “special character”, because we just can’t have you putting square brackets in your password. That simply will not do.
Also, the bizarre requirement that your password not exceed a certain length. So…you want less secure passwords, then?
Moderator Action
Since this is mostly an informal poll about how other users here manage their passwords, it is better suited to IMHO.
Moving thread from General Questions to In My Humble Opinion.
To be fair you are correct that a random string of words would be more difficult to guess.
The set of:
{{Words that Make Grammatical Sense}}
Is smaller than the set of:
{{Words in random order}}
That said I submit the password I suggested is still waaaay too long to be easily brute forced to the point that I suspect a “random” string of words would be no easier to guess.
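Putting numbers on the two arguments above (the hex-key profiles versus the full character pool, and random words versus a grammatical sentence) with an added example that is not from any poster in this thread. The 94-character pool for "all boxes except Space and High ANSI" and the guess rate are assumptions, and the XKCD 936 model of four words from a 2048-word list is used for the passphrase figures:

```python
import math

# Assumed guess rate for an offline attack on a fast hash: a constructed
# round number for illustration, not a measurement of any real hardware.
GUESSES_PER_SECOND = 1e10

# "All boxes checked except Space and High ANSI" is assumed here to be the
# 94 printable non-space ASCII characters; [0-9a-f] is the hex-key pool.
FULL_POOL = 94
HEX_POOL = 16


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols, each drawn uniformly and independently
    from a pool of `pool_size` symbols: length * log2(pool_size)."""
    return length * math.log2(pool_size)


def hex_key_chars(key_bits: int) -> int:
    """Characters produced by an N-bit hex key (one hex digit carries 4 bits),
    so the 40/128/256-bit keys are 10/32/64 characters long."""
    return key_bits // 4


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of `words` words picked at random from a list of `wordlist_size`
    words, the XKCD 936 model (4 words from 2048 gives 44 bits). A sentence
    that makes grammatical sense is not drawn this way, so this overstates it."""
    return entropy_bits(wordlist_size, words)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try every candidate at `rate` guesses per second."""
    return 2.0 ** bits / rate / (365.25 * 24 * 3600)


def compare_settings() -> dict[str, float]:
    """Entropy, in bits, of the generator settings and passphrases discussed above."""
    return {
        "40-bit hex key (10 chars)": entropy_bits(HEX_POOL, hex_key_chars(40)),
        "128-bit hex key (32 chars)": entropy_bits(HEX_POOL, hex_key_chars(128)),
        "256-bit hex key (64 chars)": entropy_bits(HEX_POOL, hex_key_chars(256)),
        "10 chars from the 94-char pool": entropy_bits(FULL_POOL, 10),
        "32 chars from the 94-char pool": entropy_bits(FULL_POOL, 32),
        "4 random words from 2048": passphrase_bits(4, 2048),
        "8 random words from 2048": passphrase_bits(8, 2048),
    }


if __name__ == "__main__":
    for name, bits in compare_settings().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.1e} years")
```

The table makes the point of the hex-key reply concrete: at the same length, a hex password carries 4 bits per character against about 6.55 for the full pool, so the 32-character hex key is a 128-bit secret while 32 characters from the full pool are closer to 210 bits.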
Steve Gibson’s Generate Perfect Passwords.
FWIW, I use Keepass for storing passwords.
LastPass is considered one of the best password managers available and it’s FREE. I’ve been using it for the last year or so with Firefox and I love it!
I use the random password generator and just use a random string of characters as my security answer. I just make sure I store them in the notes section of the keepass entry. The one time I had to repeat ‘my mother’s maiden name’ to a phone rep at a financial institution it didn’t faze the rep at all that her name was ‘JI81hcsdT534hKddgH’. Some sites have several (usually three) secret questions and some don’t allow the same answers for each question and some do. One site had a secret question that required a date format for the answer, and would reject non-date answers. Morons!
As for the OP, you can use dropbox to store your password database, but if you do make sure that the master password is good (IMHO 35-50 characters). Also enable two factor authentication on your dropbox account. But then you can access it from your laptop, tablet, or phone and it is always the current version.
Is she from one of those countries desperately in need of vowels?
So for each password on KeePass 2… are you guys suggesting every password be generated to be at least 30 letters/numbers? Also, are you saying every password for each site I should do exactly 32 letters/numbers? Isn't that not really a good idea, and probably some sites do 25, others 33, etc.?
I heard of LastPass, but someone suggested that isn't secure though…
The master password I'm a bit confused about. Am I supposed to use a very long password for this though? What if I forget it? Someone mentioned that if you don't remember your master password, then you are going to have a huge problem, because without it, you won't have access to KeePass anymore. Shouldn't the master password be not too long, where you should already know what it is though?
It’s been posted before…worth posting again: xkcd: Password Strength
You can make the master password a sentence or two that makes sense only to you (and I think you can use spaces in the master password). For instance, you could make it:
‘In 2008, I painted 425’ of window trim on the east side of my house 28 shades of purple. Bad idea? Yep.’
That's going to be something you can remember, especially if you access the database frequently, but is probably something that would never be hacked in your lifetime. You might have to write it down for the first week, but you won't need to look at it after that.
You could also take out all of the spaces, or run a few of the words together like ‘the east sideofmyhouse28 shade ofpurple’.
I use my first wife’s birthday followed by my second wife’s initials for most things.