
[Closed] What's the best way to remember lots of different passwords ?

68 Posts
48 Users
0 Reactions
479 Views
Posts: 0
Free Member
Topic starter
 

There was a time when I had one password for everything.
I soon realised I ought to use something a bit more secure for internet banking and, as all my password resets get sent to my email account, that needed something more secure as well.

I then started wondering about all the various forums and shops I use, so I devised a system of multiple passwords.
That wasn't much better though. Supposing someone at STW found out that my forum password was "grahamstw1", then they could take a guess that my passwords elsewhere were "grahamcrc1" or "grahamwiggle1".

I increased the number and complexity of my passwords until I got to where I am now and can't possibly remember them all.
I've now got a password document with them all recorded as cryptic clues.

Without giving too much away, suppose my password was "orange5", I would record it as "filing cabinet", although they are actually clues based on personal puns and experiences that only I would know the answer to.

So what's the best way to remember them all ?
Having a notepad file in My Documents titled "Passwords" doesn't feel all that secure, but what's the alternative ?


 
Posted : 07/04/2014 9:29 am
Posts: 54
Free Member
 

I use a Keepass database stored on Google Drive. That way I can have a different password for every site. Plus I can access it anywhere.

http://keepass.info/


 
Posted : 07/04/2014 9:30 am
Posts: 0
Free Member
 

A password store, I've got far too many to remember myself
I use eWallet


 
Posted : 07/04/2014 9:31 am
 DezB
Posts: 54367
Free Member
 

I use [url= http://www.mirekw.com/winfreeware/pins.html ]PINs[/url]
Simple and free (bit like yerself).


 
Posted : 07/04/2014 9:33 am
Posts: 5182
Full Member
 

Lastpass. $12 a year gives you complete flexibility, free is still OK if you don't need it on your phone.

Keepass if you don't like the idea of any cloud service and want to know what is happening to your encrypted password file.

Getting passwords out of your head and moving to random 16+ character passwords for all those websites is a very good thing indeed.


 
Posted : 07/04/2014 9:34 am
Posts: 0
Free Member
 

I think this was discussed on QI.

The consensus seemed to be to write them down on paper and keep them at home - no risks of account hacking and burglars more likely to be distracted by shiny things than a scrawled-on piece of paper.


 
Posted : 07/04/2014 9:36 am
Posts: 10761
Full Member
 

Write them down, maybe as clues rather than the passwords, then keep them in a safe place near your computer.


 
Posted : 07/04/2014 9:37 am
Posts: 91000
Free Member
 

Best thing for passwords is long strings that are memorable, like the first line of a song or a film quote or something. Impossible for a computer to crack due to length, but great for us to remember. A lot of password policies don't allow it though.

I have several grades of password. Important stuff has dedicated passwords, but everything unimportant has the same one.

When choosing one I base it on something related to the site, or what I'm feeling at the time. But the key is to log out and in again after about 5 minutes, then again after an hour.


 
Posted : 07/04/2014 9:39 am
 DezB
Posts: 54367
Free Member
 

Not sure why I'd need a protected database on my password protected phone..

Also, for online banking - First Direct's Internet Banking Plus is great. Downloads a secure file to your PC which stores all the login details you want.
Pretty sure you can use it as a non-FD customer too.
https://internetbankingplus2.firstdirect.com/ibplus/mainservlet


 
Posted : 07/04/2014 9:39 am
Posts: 77347
Free Member
 

[Image: XKCD cartoon]

The approach I take is to have a 'master' password and then tweak it based on domain name.

So for example, you could have a PW of "fishbanana", take the first three letters of the site - "sin", [url= http://en.wikipedia.org/wiki/Caesar_cipher ]Caesar Cypher[/url] it to "tjo" and add it to get "fishtjobanana". Memorable password that's unique to every site.


 
Posted : 07/04/2014 9:40 am
Posts: 4397
Full Member
 

+1 for Keepass. Sync the database via dropbox and you can get at it from multiple devices so you don't have to worry about losing your only copy.


 
Posted : 07/04/2014 9:41 am
Posts: 36
Free Member
 

I use unique email addresses allocated to each organisation (which you can do if you have your own domain) which means I don't need to be so varied in my password because automated address/password thrashing will never have the same address and password as another.


 
Posted : 07/04/2014 9:44 am
Posts: 0
Free Member
 

Just write them down in a notebook. People who break into your house are not going to steal a notebook although they might well steal your laptop and people who are trying to steal from you via digital channels can't see your notebook.

If you want to be doubly security conscious then use a reference code that refers to a word from a favourite book, like this:

270-08-07-

is what you'd write down which would be a reference to page 270, line 8 word 7. But the actual password would be 270-08-07-Hautacam (using Mark Cavendish's Boy Racer as the reference book). This way you only need to remember the book.


 
Posted : 07/04/2014 9:45 am
Posts: 0
Free Member
 

Cougar, I thought the "words in the dictionary" technique was beatable. Surely that example falls into that category?

Personally, I use patterns I've visualised on my keyboard. It's not for everyone because I reckon you need to have an almost photographic memory, but it works for me and they all appear to be quite strong.

Having said that, some passwords from old, such as this forum account, are weak, so about time I changed, methinks...


 
Posted : 07/04/2014 9:49 am
 DezB
Posts: 54367
Free Member
 

I do what cougar's cartoon shows, top left. I use bike brands/parts whatever I've bought recently. It's definitely NOT hard to remember, as you have a standard set of numbers replacing letters.
(Not had a password cracked, ever!)

Ok using the common words thing but is a pain in the butt if you have to type it 10+ times a day.


 
Posted : 07/04/2014 9:50 am
 kcal
Posts: 5448
Full Member
 

Dashlane - is free. But my approach isn't as structured or organised as you lot..


 
Posted : 07/04/2014 9:51 am
Posts: 31206
Full Member
 

write them down on paper and keep them at home

Just write them down in a notebook. People who break into your house are not going to steal a notebook

Wouldn't work for me. Half the time I need passwords I'm not at home. I'm either at work or out and about using my phone.

Best thing for passwords is long strings that are memorable, like the first line of a song or a film quote or something. Impossible for a computer to crack due to length, but great for us to remember. A lot of password policies don't allow it though.

If you want a shorter, password-policy-friendly, non-dictionary version then try something like this:

1) Take your line from a favourite song:
"Mary had a little lamb, Its fleece was white as snow"

2) Take the first letter of each word (or some variation of that):
"Mhall,Ifwwas"

3) Do some standard letter/number substitution:
"Mh4ll,1fwwa$"

4) Profit.


 
Posted : 07/04/2014 10:01 am
Posts: 77347
Free Member
 

Cougar, I thought the "words in the dictionary" technique was beatable. Surely that example falls into that category?

Point was, it was an example of how you could construct memorable unique passwords from a root password; the construction of that root I didn't give a great deal of thought to. But, see the XKCD cartoon.


 
Posted : 07/04/2014 10:13 am
Posts: 0
Free Member
 

Wouldn't work for me. Half the time I need passwords I'm not at home.

It could still work if you carry a kindle or use a kindle (or similar) app? Or just a pdf of a technical manual on your computer or cloud store. Then stick the reference sheet on your phone.


 
Posted : 07/04/2014 10:18 am
 DrJ
Posts: 13416
Full Member
 

I guess the "words in a dictionary" thing is that *if* they are truly random (chosen with Diceware etc.) then even if the hacker knows they are words, it is still unfeasible to check every combination. There are just so many more words than there are letters or numbers, but it isn't harder to remember a word than it is a letter.


 
Posted : 07/04/2014 10:19 am
Posts: 3590
Free Member
 

A bigger brain. Or 'password' but with 5 instead of each S and a zero for the O, nobody will ever crack that.


 
Posted : 07/04/2014 10:20 am
Posts: 0
Free Member
 

I was actually referring to the cartoon example. I'm sure I read (or may have dreamed) that words that are identifiable as words are, as in the example of [i]correcthorsebatterystaple[/i], just a collection of words in the dictionary, whereas [i]fh476fgvbhd62890di*$gb%![/i] as an example, is a lot harder to crack, so to speak.

FYI - I don't claim to understand the password hacking process other than what I've found on the web. You can probably elaborate on how a hacking program works, yes...?


 
Posted : 07/04/2014 10:25 am
Posts: 0
Free Member
 

muppetWrangler - Member
Just write them down in a notebook. People who break into your house are not going to steal a notebook although they might well steal your laptop and people who are trying to steal from you via digital channels can't see your notebook.
Although if I was that way inclined, after reading this thread, I may add picking up notebooks to my thieving list.

Personally, I just have about 4 passwords, that I mix and match. never had any bother with them being stolen, touch wood.


 
Posted : 07/04/2014 10:29 am
Posts: 0
Free Member
 

The only times I've had to change a password hasn't been down to it being hacked, it's been because the company that's supposed to be securely storing the password details has had their files stolen. I'm looking at you adobe and evernote! That is why I prefer lots of different passwords rather than one or two very complex ones.

edit

I may add picking up notebooks to my thieving list.

You'd need to steal the notebook and all the books in the house and then work your way through the books until you found the right combination, that's assuming I didn't use a pdf of a multi language 200 page manual for some household appliance.


 
Posted : 07/04/2014 10:31 am
Posts: 7100
Free Member
 

I used to use the registration from my first car.


 
Posted : 07/04/2014 10:38 am
 IHN
Posts: 19694
Full Member
 

I have one vaguely secure one for vaguely secure stuff, and one not that secure for other stuff. It's probably not the ideal approach


 
Posted : 07/04/2014 10:41 am
 DrJ
Posts: 13416
Full Member
 

I'm sure I read (or may have dreamed) that words that are identifiable as words are, as in the example of correcthorsebatterystaple, just a collection of words in the dictionary, whereas fh476fgvbhd62890di*$gb%! as an example, is a lot harder to crack, so to speak.

That's true, but correcthorsebatterystaple consists of 4 "units", each of which has thousands of possibilities (number of words in the dictionary), so the number of possible combinations is enormous. fh476fgvbhd62890di*$gb%! consists of a lot of "units", but each one has only about 50 possibilities (number of characters on the keyboard). The number of possible combinations may be more (or fewer) than a password with words, but it's impossible to remember.

Another point is that typing a password with odd characters on an iPhone is an absolute bugger.


 
Posted : 07/04/2014 10:42 am
 D0NK
Posts: 592
Full Member
 

Teasel afaik length is the most important thing, remembering a 30 character sentence is a shitload easier than 30 random alphanumeric

complexity helps too mind.


 
Posted : 07/04/2014 10:45 am
Posts: 77347
Free Member
 

Bear in mind that "words" are vulnerable due to dictionary attacks, but whilst individual words are in a dictionary strings of words are not. When cracking passwords, you cannot crack the first word and then go "great, we've got one!" and crack the second word outside of Hollywood(*).

A password attempt either matches or it doesn't, the scenario where the heroes are running around a huge display going "he's got another one, only six characters to go!" is pure science fiction. If it did work like that, you could crack a password the length of a novel in less than the time it took me to write this sentence.

(* - and NTLM)


 
Posted : 07/04/2014 10:57 am
Posts: 0
Free Member
 

Okay, I think I understand how it works a little better now. Cheers, guys.


 
Posted : 07/04/2014 11:02 am
Posts: 77347
Free Member
 

Oh, and,

Substituting 0s and 1s for o's and i's isn't fooling anyone; in a dictionary attack it will just be handled like a third case (along with upper and lower). Eg, if you're trying a password of "fred" then it'd commonly try fred, FRED, Fred, fr3d, FR3D, Fr3d, and so on.


 
Posted : 07/04/2014 11:02 am
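
The substitution point in the post above, seen from the defending side: a check a site could run at password-change time that lower-cases the candidate and undoes common letter/number swaps before consulting a deny list. This is an added example, not code from any poster; the deny list and substitution table are small constructed samples.

```python
import string
from itertools import product

# Constructed sample deny list (assumption): a real deployment would load a
# large corpus of common and previously breached passwords instead.
DENY_LIST = {"fred", "password", "letmein", "orange"}

# Swaps to undo. Some symbols are ambiguous, e.g. "1" may stand for "i" or "l".
LEET = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
    "7": "t", "$": "s", "@": "a", "!": "i",
}


def base_forms(password, limit=4096):
    """Return the lower-cased readings of a password with swaps undone.

    Each substituted symbol may be read literally or as any letter it
    commonly replaces, so one input can have several readings. `limit`
    caps the work done on long inputs full of symbols.
    """
    choices = [c + LEET[c] if c in LEET else c for c in password.lower()]
    forms = set()
    for combo in product(*choices):
        forms.add("".join(combo))
        if len(forms) >= limit:
            break
    return forms


def matched_base_word(password):
    """Return the deny-listed word hiding behind the password, or None.

    Also checks the password with trailing digits and punctuation removed,
    which covers the "word plus a number on the end" habit.
    """
    tail = string.digits + string.punctuation
    for candidate in (password, password.rstrip(tail)):
        hits = base_forms(candidate) & DENY_LIST
        if hits:
            return sorted(hits)[0]
    return None


if __name__ == "__main__":
    for pw in ["Fr3d", "FR3D", "pa55w0rd", "Letmein1", "orange5", "Mh4ll,1fwwa$"]:
        word = matched_base_word(pw)
        verdict = f"rejected (reduces to '{word}')" if word else "not on deny list"
        print(f"{pw!r:16} {verdict}")
```

Passing this check only means the password is not a disguised entry on the list; it says nothing about how much randomness went into choosing it.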
Posts: 91000
Free Member
 

There are something like 3,000 words in common usage, so a film quote might have something like 8 words in it - that gives 6*10^27 combinations of words, which is a stupidly large combination. Of course limiting it to quotes cuts that down a fair bit because to be grammatically correct there are far fewer combos. But then you could choose every other word from a quote, or use Shakespeare. Or other languages for that matter!


 
Posted : 07/04/2014 11:14 am
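
The "units times possibilities" comparison made earlier in the thread and the 3,000-word estimate in the post above, worked through as an added example (not code from any poster). It assumes every unit is picked uniformly at random, which a song line or film quote is not; the 7776-word figure is the size of a standard Diceware list, and the 16-word list here is a constructed stand-in so the block runs offline.

```python
import math
import secrets

# Constructed 16-word sample (assumption). A real Diceware list has 7776
# words; with only 16 words each word contributes just 4 bits.
SAMPLE_WORDS = [
    "anchor", "basket", "copper", "dragon", "ember", "falcon", "glacier",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pebble",
]


def search_space_bits(units, choices_per_unit):
    """Size of the search space, in bits, for `units` independent random
    picks from `choices_per_unit` equally likely options."""
    return units * math.log2(choices_per_unit)


def units_needed(target_bits, choices_per_unit):
    """Smallest number of random picks that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(choices_per_unit))


def random_passphrase(n_words, wordlist=SAMPLE_WORDS, sep=" "):
    """Pick words with the OS CSPRNG; `random.choice` is not suitable here."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def comparison_table():
    """Return (label, bits) rows for the schemes discussed in the thread."""
    return [
        ("4 random words, 7776-word list", search_space_bits(4, 7776)),
        ("8 random words, 3000-word vocabulary", search_space_bits(8, 3000)),
        ("24 random characters, 50-symbol keyboard", search_space_bits(24, 50)),
    ]


if __name__ == "__main__":
    for label, bits in comparison_table():
        print(f"{label:42} {bits:6.1f} bits")

    # How the two styles trade off against each other.
    four_words = search_space_bits(4, 7776)
    print("random keyboard characters equal to 4 words:",
          units_needed(four_words, 50))
    print("random words equal to 24 keyboard characters:",
          units_needed(search_space_bits(24, 50), 7776))

    print("sample passphrase from the toy list:", random_passphrase(4))
```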
Posts: 2
Free Member
 

Get all your passwords tattooed on your bikini area. This way only the people you really trust will ever get to see them and for someone to hack you they'd have to steal your skin.

Plus, if you ever forget one of them, you need only pay a quick visit to the bathroom to remind yourself of the appropriate one.


 
Posted : 07/04/2014 11:17 am
Posts: 0
Free Member
 

BTW...

the scenario where the heroes are running around a huge display going "he's got another one, only six characters to go!" is pure science fiction.

Gutted. I'm actually thinking about giving up computers completely...


 
Posted : 07/04/2014 11:19 am
Posts: 91000
Free Member
 

Plus, if you ever forget one of them, you need only pay a quick visit to the bathroom to remind yourself of the appropriate one.

"Your password will expire in 3 days. Do you want to change it now?"


 
Posted : 07/04/2014 11:29 am
Posts: 77347
Free Member
 

"Your password will expire in 3 days. Do you want to change it now?"

Suddenly, Memento makes sense.


 
Posted : 07/04/2014 11:30 am
Posts: 2755
Full Member
 

I use 'password' for all of mine but change the font depending on the website. for example i may use comic sans for shonkytrackworld (i don't, it's obviously terminal)


 
Posted : 07/04/2014 11:41 am
Posts: 1
Free Member
 

All written down on a sheet of paper with a pen 🙄


 
Posted : 07/04/2014 11:42 am
Posts: 31206
Full Member
 

Another point is that typing a password with odd characters on an iPhone is an absolute bugger.

Depends on the password. Something like [b]??ëtpå?š?ørd[/b] is [i]easy[/i] to type on an iPhone but takes an age on Windows (if you can even figure out how).


 
Posted : 07/04/2014 11:51 am
Posts: 0
Free Member
 

I found the simplest solution is to discreetly Letmein1 insert them in forum posts, so if I ever forget, I can just look through my posting history for clues.


 
Posted : 07/04/2014 12:55 pm
 DrJ
Posts: 13416
Full Member
 

Something like ??ëtpå?š?ørd is easy to type on an iPhone but takes an age on Windows (if you can even figure out how).

Simple - you use ALT- codes 🙂

Using special characters is a pitfall all of its own, as a keyboard may not be mapped the way you think it is, and you can't tell if the password is hidden 🙁


 
Posted : 07/04/2014 1:32 pm
Posts: 5182
Full Member
 

It's more important IMO to be using different passwords everywhere, rather than trying to keep a few more secure passwords in your head.

The big problem with passwords, especially on the web, is that lots of people use the same things everywhere. Some poorly run forum or web store that you last used 5 years ago gets breached, and they have either plain text passwords (if really badly run) or password hashes (pretty easy to turn back into passwords unless they're very long). Combine that with email addresses and it's easy to hop from there into accessing your email, from there your bank account and other juicier accounts.

Keep them different, keep them long, and set up 2 factor authentication on anything important like your email.


 
Posted : 07/04/2014 1:38 pm
Posts: 890
Full Member
 

I work for a large IT company and we have mandatory courses on password selection! Most of the above makes sense. The current best theory is to choose a phrase you know well and then replace characters with digits and punctuation.
This is good until you have hundreds of passwords! I cheat and use similar passwords for sites that I don't care about - but unique ones for important ones. I also have an online key safe for all passwords for when I forget them!


 
Posted : 07/04/2014 1:49 pm
Posts: 10315
Full Member
 

general rules and roboform as backup. The most important one is your main email and anything else that links to that. So lose your ipad without a PIN and it should be possible to reset lots of your passwords 🙂


 
Posted : 07/04/2014 1:54 pm
Posts: 92
Full Member
 

It's more important IMO to be using different passwords everywhere, rather than trying to keep a few more secure passwords in your head.
and
and set up 2 factor authentication on anything important like your email.

^^Yes. Don't get hung up on the password thing. The biggest threats are either outside your control (cf Adobe etc) or addressable by other means (so malware protection etc). For genuinely important stuff, multi-factor is the way to go (hence banks go this route now).

IMO


 
Posted : 07/04/2014 1:59 pm
Posts: 91000
Free Member
 

Keep them different

For important stuff. If you crack my STW password you could probably impersonate me on a handful of other forums, that's about it.


 
Posted : 07/04/2014 2:13 pm
Posts: 0
Free Member
 

Latin names

it's easier to allocate something memorable to an organisation or group of organisations

Usefully, Latin names start with a capital letter too

you can then throw in an order (like 01,02,03) or year at the end for when you forget and need to renew, or you can turn a symbol in the word to a number

So, for example Singletrackworld password gets remembered as 'dog' and typed in as

Canisfamiliaris13 or
Canisfamiliar1s

But it's nice and easy to remember "dog"


 
Posted : 07/04/2014 2:54 pm
Posts: 0
Free Member
 

set up 2 factor authentication on anything [b]that offers it[/b]

Tend to use it on everything that happens to offer it, almost silly not to.

This sums it up nicely, imo:

Don't get hung up on the password thing. The biggest threats are either outside your control (cf Adobe etc) or addressable by other means (so malware protection etc). For genuinely important stuff, multi-factor is the way to go (hence banks go this route now).


 
Posted : 07/04/2014 3:18 pm
Posts: 0
Free Member
 

One of my pet hates is the current culture which suggests passwords make things safer. At work I need a variety of codes for doors and passwords to use various programmes...

Front door code
Changing room door code
Air tube system door code
Office code
Boss's office door code
Drug room code
IV store code
Computer password
My email password
Electronic prescribing password
Patient management password
Blood test label password
Blood results password
Regional bed status password
Blood glucose machine password
X-ray viewer password

Some of them last for a year, some last for a month, none of the passwords can be re-used.

Every new system that we use involves some kind of password, and everyone involved in training us thinks password security is great...

We just write them all down.


 
Posted : 07/04/2014 3:30 pm
Posts: 0
Free Member
 

That's the beauty of NHS IT. One previous trust I worked for demanded a password change every three months - so everyone's password was "spring14" (or the next relevant season)...


 
Posted : 07/04/2014 5:29 pm
Posts: 0
Free Member
 

Just write them down. Password security is more about password hacking and cyber threats, than someone coming in James Bond style and stealing a scrap of paper hidden in some random drawer or place in your house.


 
Posted : 07/04/2014 5:39 pm
Posts: 1555
Full Member
 

One basic core password for everything with a unique symbol and jan14 feb14 mar14 as the months go by. All you have to do is remember the symbol for each account.


 
Posted : 07/04/2014 5:59 pm
Posts: 4736
Free Member
 

I keep myself logged in to as much as I can, and when that fails click where it says 'Forgot password'


 
Posted : 07/04/2014 9:28 pm
Posts: 2
Free Member
 

[i]"Your password will expire in 3 days. Do you want to change it now?" [/i]

bring me solutions, not problems.


 
Posted : 08/04/2014 6:22 am
 pdw
Posts: 2206
Free Member
 

Not sure why I'd need a protected database on my password protected phone.

The database is likely to be encrypted, whereas the phone is not. I suspect that it's relatively easy to get data off a password-protected phone.


 
Posted : 08/04/2014 8:04 am
Posts: 30656
Free Member
 

I started using 1Password, in conjunction with iCloud Keychain on the phone, seems a decent compromise. This means I just have to remember one 'strong' password, which I have written down, split into 2, in case I forget it.

Probably would not have bothered, if I hadn't got 1Password for £12 in the sale.


 
Posted : 08/04/2014 8:12 am
Posts: 0
Free Member
 

Bear in mind that "words" are vulnerable due to dictionary attacks, but whilst individual words are in a dictionary strings of words are not. When cracking passwords, you cannot crack the first word and then go "great, we've got one!" and crack the second word outside of Hollywood(*).

A password attempt either matches or it doesn't, the scenario where the heroes are running around a huge display going "he's got another one, only six characters to go!" is pure science fiction. If it did work like that, you could crack a password the length of a novel in less than the time it took me to write this sentence.

(* - and NTLM)

think you are confusing NTLM and LM there


 
Posted : 08/04/2014 8:39 am
Posts: 0
Free Member
 

One basic core password for everything with a unique symbol and jan14 feb14 mar14 as the months go by. All you have to do is remember the symbol for each account.

loved that approach when i was in school, managed to get a password hash from an admin and then had their password policy until we left.


 
Posted : 08/04/2014 8:42 am
Posts: 2616
Full Member
 

+1 for keepass, with the DB on dropbox, google drive or whatever

There is an android & possibly an iphone app, so your passwords are available all the time via whatever device.


 
Posted : 08/04/2014 10:43 am
Posts: 77347
Free Member
 

think you are confusing NTLM and LM there

Well spotted, yes. Been a while.


 
Posted : 08/04/2014 10:48 am
 Drac
Posts: 50352
 

Thanks to Apple I've changed my password to something stupidly complicated that automatically securely shares across my Apple devices.


 
Posted : 09/04/2014 6:42 pm
Posts: 5787
Full Member
 

keepass

But what about the social stigma of a program on your phone, PC etc called KeepAss??


 
Posted : 09/04/2014 7:09 pm
 Olly
Posts: 5169
Free Member
 

Quick password question, and i remember seeing this thread a few weeks ago, so thought i would keep things tidy and recycle/reuse.

Just bought a NAS cloud drive thing for the house, and i think today is as good a day as any to change the password i use for everything, which i was issued with in year 7 at school. (age 10... ish)

Question is, what are my limits for these passwords?

Minimum 8 letters
often must contain numbers so they might as well all contain numbers.
Is there a standard maximum letter limit?


 
Posted : 25/04/2014 6:20 pm
Posts: 1646
Full Member
 

+1 Keepass with encrypted database on Dropbox but then for added security you can setup Keepass so that as well as the main password it needs a keyfile to decrypt the DB. I manually add the keyfile to the devices/PC's I use Keepass on.

Keepass can then be setup to use on each individual login whatever password rules are in place for that particular site/system, length of password, characters used and so on and then generate a random password.


 
Posted : 25/04/2014 7:40 pm
Posts: 0
Free Member
 

Pictures work better than numbers. For instance if you have a number sequence - 5837 you make the numbers pictures in your head like instead of five you think of a "bee hive" instead of eight you think of a "gate" instead of three you think of a "tree" and seven would be "heaven".
So your number is beehive, gate, tree, heaven. You have to picture it and it becomes easy to remember 🙂


 
Posted : 25/04/2014 8:31 pm
Posts: 0
Free Member
 

I use a famous rapper's real name, capitals in the right place. I use it for most things. Never had a problem until I had to explain to my girlfriend what it was!


 
Posted : 25/04/2014 8:38 pm
Posts: 42
Free Member
 

I use the same, alphanum salt for all passwords followed by the site (full length or acronym). I got fed up of forgetting passwords, master passwords and losing notes.

i.e.

z123aBc0stw
z123aBc0google

However, as soon as one is compromised it won't take a rocket scientist to work out the others. Oh well.


 
Posted : 26/04/2014 12:41 am
Posts: 6603
Free Member
 

Just use a phrase with the correct use of an apostrophe in it - that rules out most people getting it.


 
Posted : 26/04/2014 7:54 am
Posts: 17209
Full Member
 

Use the same phrase for all sites with extra pre/suffix taken from each site to personalise in the event of an attack.

A bit like PIN numbers: Cards 1...n, and choose a 3 digit PIN, say 123, so full PINs would be 1123, 2123, 3123... Just remember the order of your cards. Simples.


 
Posted : 26/04/2014 1:26 pm
