OK, in the other thread http://grassrootsmotorsports.com/forum/off-topic-discussion/facebook-issues-or-is-it-apple-issues-or-is-it-a-s/79056/page1/#post1443397 I had an issue with an e-mail address I didn’t know I had apparently being hacked and used to set up a Facebook account. I’ve now deleted that email address and changed the passwords, but that brings up a new issue, what to do about creating and remembering passwords.
Due to so many people being hacked, passwords have got harder and harder to remember; you now must have upper and lower case letters with numbers too. The problem is they are next to impossible to remember, and writing them down is counterproductive, so how do people remember them? I know there are sites out there that you can record them on, but surely they need a password, so if someone hacks that they have access to all your passwords, so you may as well only have one password to start with.
Anyone got any ideas or safe sites to use?
Thanks
Here's one idea:
https://xkcd.com/936/
If adding complexity is too hard, add length. Keeping your password out of the top few hundred most common passwords already puts you light years ahead of the crowd. Mix in words translated from languages with different alphabets, obscure model codes you know, leetspeak, anything your memory can handle.
You can go to password management using an encrypted store, don't get scared, it's easy.
Have a unique (and strong!) password for your email if nothing else. Your email is the keys to the kingdom of all online services.
At least use different passwords for different "security levels." For example forums would be low security, social networks medium, shopping high, and email is the king of them all (and I guess banking would be on the same level - but keep email unique!).
'Nother edit: DON'T use online password storage services, it's a downright terrible idea! Use offline software that uses an encrypted store. I'll post back with some soon.
Password storage software:
KeePass:
http://keepass.info/
If that's not multi-platform enough for you, use a TrueCrypt container with a text file in it. That's a little geekier but by no means difficult.
Edit: and keep your offline password store backed up! Flash drives tend to fail irrecoverably and without warning, don't trust any one of them too much.
Again don't use anything that doesn't use encrypted storage (this takes some research, do it) and don't put it in any online service where someone else is keeping your password in who-knows-what form...plaintext for all we know.
Powar
SuperDork
2/12/14 11:43 a.m.
I use KeePass and have for a couple of years now. It works well considering my job requires 75+ individual accounts on various systems.
I have a ton of passwords to remember, all are only in my head...the key for the main backup drives in my home server is over 40 characters long. I figured using a level of encryption that was illegal in France was the least I could do.
I've taken to using passwords which I remember more by the pattern I make on the keyboard than the characters themselves. Er, that's how I type them, anyway. Reasonable length, upper/lower/numeric/special characters, but usually not too bad to type, and not going to turn up in anybody's dictionary.
While I'm not a giant Google fan, I do contemplate moving my mail over there in part because they offer two-factor authentication; when using a new machine, you have to enter a code from a phone app to log in, in addition to your password. So if someone guesses/gets your password and tries to log in from another computer, it's a no-go.
Hey, I just found out my webhost offers multifactor authentication! Using the same Google Authenticator app, so I'm going to set that up, too.
Might be worth looking into whether Apple does for the .me/.icloud as well...
As an aside, you have the option to print out about a dozen prefab codes to tuck in your wallet so if you need to log into another machine and don't have your phone handy, you can still check mail.
Ransom wrote:
I've taken to using passwords which I remember more by the pattern I make on the keyboard than the characters themselves. Er, that's how I type them, anyway. Reasonable length, upper/lower/numeric/special characters, but usually not too bad to type, and not going to turn up in anybody's dictionary.
Careful with this. I once realized that the password I needed for a login I didn't use too often was being remembered by my fingers instead of my brain, when I couldn't log into the service through a phone.
I read an article on cracking passwords and one of the more important things that stood out was that a LONG password is far more important than a RANDOM one.
This is assuming someone is trying to brute force crack passwords after getting the hash table (which obviously requires hacking the website storing it).
For social engineering a password, randomness will tend to be a bit more effective.
I use a sentence of nonsense words together.
Eat.snacky.smores!
God_is_@_bullet
Rape.babies.R.delicious!
I always throw in some sort of punctuation and misspell words or mix case to a pattern I keep in my head. So... I remember the pattern and a sentence.
kylini
Reader
2/12/14 12:02 p.m.
I second the use of a password manager (in my case 1Password because I love spending too much money). All of my non-work passwords are complicated, throwaway, and stored on my home computer and my phone. My work passwords are stored in my head only.
I use the same password for everything. 1-2-3-4.
Wally wrote:
I use the same password for everything. 1-2-3-4.
That's the combination I have on my luggage!
Seriously, the "correct horse battery stapler" approach linked to above is a good one; I've been using similar "forget computerese, just make it freaking LONG" approach to new passwords a lot lately.
Another one for KeePass. I only have to remember one, and I make it a good one. And, if someone gets hold of any of my other passwords (which are all KeePass-generated and are as long as possible with upper-case, lower-case, numbers and symbols whenever allowed), they only have the one. I used to use one password for everything, but I knew I was playing with fire doing that, so I adopted KeePass and have been very happy with it. Only thing I don't like about it is the lack of a native Chrome app, so it doesn't work on my Chromebook.
"This is my password today!" is more secure than "V4?1@R1t6"
Computers can't quite handle the spaces and the length.
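A quick way to check the "long beats complex" claim in this post (and the brute-force point a few posts up) is to compare the search space a cracker faces. This is an added example, not code from the thread; it assumes the attacker knows which character classes are in use and, for the passphrase model, the word list and separator (the word list below is a constructed sample).

```python
import math
import secrets
import string

# Character classes a brute-force cracker widens its keyspace by, one at a time.
CLASSES = [
    ("lower", set(string.ascii_lowercase)),
    ("upper", set(string.ascii_uppercase)),
    ("digit", set(string.digits)),
    ("symbol", set(string.punctuation + " ")),
]

def charset_size(password: str) -> int:
    """Size of the smallest union of classes that covers every character."""
    return sum(len(chars) for _, chars in CLASSES
               if any(c in chars for c in password))

def brute_force_bits(password: str) -> float:
    """Bits of work for a cracker that tries every string over the charset.
    This is an upper bound: it ignores dictionary words and keyboard patterns."""
    size = charset_size(password)
    return len(password) * math.log2(size) if size else 0.0

def passphrase_bits(word_count: int, wordlist_size: int) -> float:
    """Bits of work when the cracker knows the word list and the words were
    drawn uniformly at random (the xkcd 936 model); use this, not the
    brute-force number, to rate a dictionary-word passphrase."""
    return word_count * math.log2(wordlist_size)

# Constructed sample word list; a real one (e.g. Diceware) has ~7,776 words.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "snacky", "smore",
                "camber", "toe", "sway", "bar", "helmet", "gasket"]

def make_passphrase(words, count=4, sep=".") -> str:
    """Pick words with the OS CSPRNG so the passphrase_bits estimate holds."""
    return sep.join(secrets.choice(words) for _ in range(count))

def compare(short_complex: str, long_simple: str) -> dict:
    """Brute-force bits for the two passwords quoted in the post, rounded."""
    return {
        short_complex: round(brute_force_bits(short_complex), 1),
        long_simple: round(brute_force_bits(long_simple), 1),
    }

if __name__ == "__main__":
    print(compare("V4?1@R1t6", "This is my password today!"))
    pp = make_passphrase(SAMPLE_WORDS)
    print(pp, round(passphrase_bits(4, len(SAMPLE_WORDS)), 1), "bits vs",
          round(brute_force_bits(pp), 1), "brute-force bits")
```

The short 9-character mix scores about 59 bits against a full 95-character alphabet, while the 26-character sentence scores about 167 bits even without digits; the gap between the two numbers printed for the sample passphrase is the caveat the post's "hash table" model hides, namely that a cracker who guesses you used a word list only has to search the smaller space.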
wbjones
PowerDork
2/12/14 1:17 p.m.
I don't use mobile devices (at least none that need any sort of password)... so for my home use I just write them down... who's going to get them?
Writing them down on a piece of paper isn't a terrible idea, some companies still put them on a piece of paper in a sealed envelope in a safe instead of using password management. The problem is that the piece of paper is easy to misplace or get accidentally destroyed and is then reliant on physical security to keep the password secret, unlike an encrypted password store.
Thanks all, I'll have to look into KeePass. The thing is it has to be simple, absolutely dead simple. My wife and I share everything; she’s actually more intelligent than me, but computers are just not her thing. She would have the same password for everything and still get confused. I mean I've told her 10,000,000 times that you can close programs with Command Q, or that you can tab between open programs, but it just won’t sink in. Every single time she just minimizes one program or tab and opens another, so you get to the computer and find dozens of programs or tabs open. Same on her iPhone, I'll pick it up and find she has 60 or 70 apps open with many duplicates so it's running super slow. No matter how many times I tell her, her brain just doesn't retain info on how to close them. She thinks I’m a freaking computer genius, where the truth is I’m really one step above an amoeba.
Check out RoboForm too. I've been using it for several years. Once installed and set up it's dead simple.
In reply to Adrian_Thompson:
As you mentioned Command-Q I assume you're on OS X?
I do use KeePass, however I haven't been impressed with the way it runs on Mac OS. It does work, but it acquires a few UI quirks I can do without. What I tend to do instead is run it via Parallels on OS X, which instantly improves the experience at the expense of running Windows in a Window.
BoxheadTim wrote:
In reply to Adrian_Thompson:
As you mentioned Command-Q I assume you're on OS X?
I do use KeePass, however I haven't been impressed with the way it runs on Mac OS. It does work, but it acquires a few UI quirks I can do without. What I tend to do instead is run it via Parallels on OS X, which instantly improves the experience at the expense of running Windows in a Window.
Yes, Mac at home, PC at work where there's a whole team of IT professionals to keep the world running, I told you I'm an amoeba on the computer scale.
Work: Windows 7
Home computer: OS X
Tablets: Android
Phone: iPhone (iOS)
And the problem is I want to access everything on all of them by both myself and my wife.
KeePass has both an Android and an iPhone client, so you should be good.
wbjones
PowerDork
2/12/14 3:24 p.m.
when I worked at a place that I used a computer (county land records) we had to change our passwords quarterly … I wrote mine down on a piece of tape and stuck it on the top edge of the display … LOL
nothing anyone could do EVEN IF they "got" into my computer … pissed off the IT folk to no end
Another good idea is to use a pattern on the keyboard. As long as you can remember the starting key the rest is easy, unless you have to give it to someone.
ihayes
New Reader
2/13/14 8:18 p.m.
Another way is to think of a sentence that has some numbers and names. Take the first letter off every word and use that as your password. Easy to remember and all nonsense to anyone else. "I read Grassroots Motorsports message board on my phone during work and it costs my company $16 per minute" becomes IrGMmbompdwaicmc$16m. Secure and nonsense. The more absurd the better, as you are more likely to remember it.