Password Security Part II

Topic Author
CountryBoy
Posts: 1777
Joined: Wed Feb 28, 2007 9:21 am
Location: NY

Password Security Part II

Post by CountryBoy »

This thread is an attempt to build on the informed and generous advice provided by LadyGeek and others in another thread, "Another reason why you should never reuse passwords..."

I have compiled a list of what individuals can do to increase the security of their passwords. It is not meant as the final word in psw security but rather a helpful first-step compilation of what a novice should do to protect their password.

If I am wrong with what is on the list or omitted an item just let me know and I will try to correct it.

Thanks for your opinion and of course to those who posted so very generously in the original thread. Having just recently had my Yahoo psw hacked, I sense this is a topic one needs to act on.
1. Don’t confuse strategy with outcome, ie, just because you haven’t been hacked does not mean you will not be hacked at some point in the future with your current psw strategy.
2. Your psw should be at least 10-12 characters long; longer is definitely better. Vanguard will only allow 10 characters.
3. Have at least 2 upper case letters
4. Have at least 2 lower case letters
5. Have at least 2 numbers
6. Have at least 2 characters such as * and #
7. Do not try to have the psw be an easy to remember series of characters and numbers.
8. Change it at least every 3 months
9. Updating your anti-virus program regularly is obviously necessary.
10. Never reuse passwords
11. The length of the password matters more than the randomness, within reason.
12. Use multiple techniques, such as TrueCrypt (which can use a key file instead of a memorized password) and Keyfile to protect your data files.
13. As for keeping your data local, put your browser profile, email data, and all other sensitive information inside a TrueCrypt volume. Instead of memorizing a long password, TrueCrypt allows you to use a Keyfile. What's that mean? A file is used for the password. So, choose from any number of vacation pictures, programs, music, as your password. As long as you don't tell anyone where those files are, it's very secure. In fact, you can put the file on a USB stick and store it somewhere. Don't store the vacation pictures with this USB stick.
14. Don't use the same password for everything
15. If your email is through Yahoo or Microsoft look into setting up two step authentication for your security. If you don't know what this means, find out.
16. If you are going to store passwords, put them on a removable drive which is encrypted. Don't give them to other people.

URLs to check out further on this topic:

Get an idea of your psw strength by going here:
https://www.microsoft.com/en-gb/securit ... ecker.aspx
https://www.grc.com/haystack.htm

Study more here:
https://www.grc.com/passwords.htm
https://lastpass.com/

On the internet there is no such thing as absolute security, rather only an increased statistical possibility that you won’t be hacked based on a prudent and informed strategy.

Yes, if they really want your info they will get you, or me, or anyone. After all, many major institutions have been hacked, among them

Pentagon
http://www.npr.org/blogs/thetwo-way/201 ... s-networks
and
NASA
http://abcnews.go.com/Technology/story?id=119423&page=1

I take no responsibility as to the implementation of the suggested strategies above, but if this gets you thinking about your security, then the purpose of the list will be served. Sometimes thought can be a useful prelude to action.

Good luck.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Password Security Part II

Post by Epsilon Delta »

0. Before taking advice on passwords, ask the potential advisor to define "entropy" and to explain why it is relevant. If they can't do this ignore the rest of their advice.
ogd
Posts: 4876
Joined: Thu Jun 14, 2012 11:43 pm

Re: Password Security Part II

Post by ogd »

CountryBoy: thanks for putting this together, I'm a fan of summary posts. This is a good list, but some emphasis is misplaced in my opinion. Some comments:
CountryBoy wrote:9. Updating your anti-virus program regularly is obviously necessary.
This, and in general "keep your computer secure" or even "keep a secure computer that you use for nothing else", should be #1. No password or password file will protect you from a compromised computer. This is by far the most frequent avenue of attack in practice; in contrast, brute force password attacks are relatively rare. It's quite possible that this is how they got into your Yahoo account.

The related item for online accounts is: always look for the security lock icon before entering your password.
CountryBoy wrote:14. Don't use the same password for everything
This should be #2, changed to "anything else". However strong the password, it doesn't help if you tell Yahoo your Vanguard password via the Yahoo password field. And it's one of the main reasons to even have a stronger password for online accounts, see below. If you have a choice between remembering a single strong password or two weaker ones, you should choose the latter. This is why emphasis matters; someone might be going down your list and decide they can only have one password that is that strong.
CountryBoy wrote:2. Your psw should be at least 10-12 characters long; longer is definitely better. Vanguard will only allow 10 characters.
Since you mention Vanguard: password length matters quite a bit less for online providers, as mentioned (perhaps too controversially) in the original thread. Vanguard will only allow an attacker to try three or so passwords before locking up the account, if they even pass the security questions. The attack that a strong password does protect against is if someone gets internal access to Vanguard's password verification data and proceeds to try every password offline, like in the LinkedIn case. Even then: it's hard to imagine that this person doesn't also get access to other Vanguard stuff. If they can access the accounts directly, they don't need to find the password. Same deal if they can change the password verification data without being noticed. If, however, the password is being reused elsewhere, then there is more value to getting the password than accessing Vanguard accounts, which is the other big reason why you shouldn't reuse passwords.

Most of the numbers you see posted on speed of cracking passwords assume that the server data was obtained first. And, oftentimes, that the password verification data (aka "hash") is computed with outdated, simplistic methods. While it's not safe to assume this, a bank or Vanguard can make password cracking very expensive (e.g. a second of CPU use per attempt, keeping up with modern CPUs) with no intervention on your part.

The password length rules are much more applicable to passwords protecting local data on your computer, for example TrueCrypt passwords, because if your computer gets stolen it's the only thing standing between the thief and your data.
CountryBoy wrote:8. Change it at least every 3 months
I would call this excessive. Perhaps a year is better.
CountryBoy wrote:11. The length of the password matters more than the randomness, within reason.
This one is rather odd. The password strength is proportional to r to the power of l, randomness and length respectively, so they both come into play and you're left with exploring the mathematical properties of the power function (how much length is better than how much randomness?). E.g. a 20-character password composed of three common words is rather weak.
CountryBoy wrote:12. Use multiple techniques, such as TrueCrypt (which can use a key file instead of a memorized password) and Keyfile to protect your data files.
You might want to remove this point and the next from the password discussion. Not only is it complicated and it has to do more with local data storage than password strength, but the key file stuff is actually dangerous. Sure, it can produce long random-looking passwords, but the entropy in those passwords is limited by the number of files to try (1000? 5000? still very low) -- some of which might get accidentally posted online.

Hope this helps.
Topic Author
CountryBoy
Posts: 1777
Joined: Wed Feb 28, 2007 9:21 am
Location: NY

Re: Password Security Part II

Post by CountryBoy »

ogd

Many thanks for your comments. Most of them are too technical for me to respond to and that I will have to leave to others to debate, however, one of your comments implies that my list is a prioritized list with the most important item needing to be at the top. I never intended to convey that impression and am reluctant to get into a lengthy debate as to where on a prioritized list a specific item should be placed. While some items are clearly more important than others, I tend to subscribe to the theory that when it comes to security, the chain is only as strong as the weakest link.

Again, thanks.
ogd
Posts: 4876
Joined: Thu Jun 14, 2012 11:43 pm

Re: Password Security Part II

Post by ogd »

CountryBoy: You're welcome. Whether you meant it or not, one certainly gets the impression that the order matters. Even if you remove the numbers and put a disclaimer "in no particular order", there's still going to be a cognitive bias associated with seeing an item at the top of the list. So it's worth putting a little bit of thought into the order, although certainly not "endless discussions" on the topic. I wouldn't argue much between a #2 and #3, but #1 vs #10 is different.
Gleevec
Posts: 346
Joined: Sun Mar 03, 2013 10:25 am

Re: Password Security Part II

Post by Gleevec »

Would like to reference this famous webcomic:

https://xkcd.com/936/
Topic Author
CountryBoy
Posts: 1777
Joined: Wed Feb 28, 2007 9:21 am
Location: NY

Re: Password Security Part II

Post by CountryBoy »

ogd

Good point re the numbering and ordering on the list; I had not thought of that.
Topic Author
CountryBoy
Posts: 1777
Joined: Wed Feb 28, 2007 9:21 am
Location: NY

Re: Password Security Part II

Post by CountryBoy »

Gleevec

Is that comic correct? If it is, then one can ignore all concerns re: upper case, lower case, numeric, and using such characters as !@#$%&* ?

It also sounds to me, who is a novice in this subject matter, that it is an invitingly simplistic answer to a very difficult and important question.

Since others are so much more knowledgeable on this topic, I would appreciate their feedback on this.

I realize as a Boglehead it is important to keep my portfolio simple, but I am not sure if that can be applied to psws and security.

And finally, the relevance of the word entropy here is what? Possibly that smaller words are a greater vacuum so to speak and that the longer the word = greater strength....
Last edited by CountryBoy on Mon Jul 22, 2013 1:26 pm, edited 1 time in total.
zeep
Posts: 146
Joined: Sat Oct 04, 2008 3:03 pm

Facebook connect/google sign-in/ open id

Post by zeep »

I recently started using a password manager in large part based on the advice on this site (thanks) not just for security but also for practical convenience. I got tired of doing password resets when trying to go back to a website I hadn't used for awhile and couldn't remember the password.

A lot of garden-variety websites provide an option to sign up using Facebook connect/google sign-in/ open id instead of creating a site specific account. While I'd never do this for a financial or high risk account, what are the pros and cons of using this type of third-party login service? I could simply have my password manager create unique credentials for each account, but I doubt that I need that level of security for media sites, greeting cards, blogs, etc. and was thinking of using one of these services to reduce complexity by limiting the number of credentials stored in the password manager.
Batousai
Posts: 47
Joined: Mon Jul 30, 2012 11:21 am

Re: Password Security Part II

Post by Batousai »

Forgive me, but passwords to online accounts are not being hacked because of weak passwords and large numbers of tries. They are hacked (most often) because of stolen credentials. That means if your password is a 100-character string of letters, numbers and special characters, it is no stronger than a 4 digit pin of only numbers as nothing is being brute forced.

Moving to passwords that are so complex they are impossible to remember does nothing to solve this. If anything, quite the opposite. It prompts people to write them down which is another mess. Password managers can help, however if the password manager is compromised, then every password you have is compromised.
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: Password Security Part II

Post by telemark »

CountryBoy wrote:Gleevec

Is that comic correct? If it is, then one can ignore all concerns re: upper case, lower case, numeric, and using such characters as !@#$%&* ?
Probably not. Password cracking programs are becoming steadily more sophisticated, and random combinations of dictionary words are one of the things routinely checked for. There's a long, good discussion of cracking techniques at

http://arstechnica.com/security/2013/05 ... passwords/
Topic Author
CountryBoy
Posts: 1777
Joined: Wed Feb 28, 2007 9:21 am
Location: NY

Re: Password Security Part II

Post by CountryBoy »

Batousai » Mon Jul 22, 2013 1:27 pm
Forgive me, but passwords to online accounts are not being hacked because of weak passwords and large numbers of tries. They are hacked (most often) because of stolen credentials.
I would greatly appreciate your explaining your basis for saying this statement. Is it anecdotal, scientific,...?

And what do you mean by 'stolen credentials?' That someone wrote it on a piece of paper and that paper was stolen?

Many thanks.
Last edited by CountryBoy on Mon Jul 22, 2013 2:57 pm, edited 1 time in total.
ted123
Posts: 416
Joined: Thu Feb 21, 2008 12:47 pm

Re: Password Security Part II

Post by ted123 »

telemark wrote:
CountryBoy wrote:Gleevec

Is that comic correct? If it is, then one can ignore all concerns re: upper case, lower case, numeric, and using such characters as !@#$%&* ?
Probably not. Password cracking programs are becoming steadily more sophisticated, and random combinations of dictionary words are one of the things routinely checked for. There's a long, good discussion of cracking techniques at

http://arstechnica.com/security/2013/05 ... passwords/
I'm not an expert, but I read that article when it came out, and I reached the opposite conclusion you did. My understanding is that a four-word passphrase would be significantly stronger than a single memorable password with common substitutions. Even with the advanced cracking techniques, it seems passphrases of 3 or more truly random words are going to be difficult to crack.

(That article is part of a great series at Ars Technica and it's worth reading the comments as well.)

That said, I don't think it's right to say that you can ignore case and substitutions. No one should think that substituting "$" for "S" or capitalizing random letters provides significant additional protection to their own specific password -- it would still be susceptible to a dictionary attack. But I think the practice, on the whole, increases the number of combinations required for a dictionary attack, which helps the password-using public on the whole.

Personally, I can't really remember too many good passwords. I have a handful of good, unique passphrases for sites I must remember, and a password manager for everything else (which get strings of randomly generated characters). Two-factor authentication is on my to-do list.
ogd
Posts: 4876
Joined: Thu Jun 14, 2012 11:43 pm

Re: Password Security Part II

Post by ogd »

telemark wrote:
CountryBoy wrote:Gleevec

Is that comic correct? If it is, then one can ignore all concerns re: upper case, lower case, numeric, and using such characters as !@#$%&* ?
Probably not. Password cracking programs are becoming steadily more sophisticated, and random combinations of dictionary words are one of the things routinely checked for. There's a long, good discussion of cracking techniques at

http://arstechnica.com/security/2013/05 ... passwords/
telemark: the comic is indeed correct (xkcd is pretty thorough when it comes to math / computer science). The strength of the "phrase" password does not depend on keeping secret the fact that it's composed of dictionary words. If the word choice has that much entropy, it's that hard to brute force it.

What the comic does leave out is that this doesn't matter as much for online websites because of account locking after N attempts; what matters a lot more is using a secure computer. And what the arstechnica article leaves out from its computation-porn is that password hashes can be made much stronger on the server (Vanguard) side. For example, applying the hash a million times instead of once (actual details are a little more complicated).
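The "apply the hash a million times" idea in the post above (and the "a second of CPU per attempt" remark earlier in the thread) is key stretching. The block below is an added example, not code from the thread or from any provider mentioned in it: it stores a password with PBKDF2-HMAC-SHA256 and measures how much each offline guess costs at different iteration counts. The salt, iteration counts and sample passwords are assumptions chosen for illustration.

```python
"""Key stretching: make each offline password guess cost the attacker
as much CPU as it costs the server to verify one login.

Added example, not code from the original thread. Iteration counts,
salt and sample passwords are illustrative assumptions.
"""
import hashlib
import hmac
import os
import time

HASH = "sha256"


def fast_hash(password: str) -> bytes:
    """One plain SHA-256 call: the 'outdated, simplistic' method the thread
    warns about. A stolen table of these can be tested at millions of
    guesses per second on a GPU."""
    return hashlib.sha256(password.encode()).digest()


def stretched_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the hash is iterated `iterations` times, so each
    guess costs the attacker the same work the server chose to spend."""
    return hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)


def make_record(password: str, iterations: int) -> dict:
    """What a server would store: a per-user random salt, the iteration
    count, and the stretched hash. The salt defeats precomputed tables."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": iterations,
            "hash": stretched_hash(password, salt, iterations)}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and count; compare in constant time."""
    got = stretched_hash(candidate, record["salt"], record["iterations"])
    return hmac.compare_digest(got, record["hash"])


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Measure how long one guess takes at this iteration count here."""
    salt = b"\x00" * 16
    start = time.perf_counter()
    for _ in range(samples):
        stretched_hash("guess", salt, iterations)
    return (time.perf_counter() - start) / samples


def years_to_exhaust(bits: float, sec_per_guess: float) -> float:
    """Worst case: try every password in a 2**bits space at one guess
    per sec_per_guess seconds."""
    return (2 ** bits) * sec_per_guess / (365.25 * 24 * 3600)


if __name__ == "__main__":
    rec = make_record("correct horse battery staple", iterations=600_000)
    assert verify(rec, "correct horse battery staple")
    assert not verify(rec, "Tr0ub4dor&3")
    for n in (1, 10_000, 600_000):
        t = seconds_per_guess(n)
        print(f"{n:>8} iterations: {t * 1e3:8.2f} ms/guess, "
              f"44-bit passphrase exhausted in "
              f"{years_to_exhaust(44, t):.0f} years")
```

The user never sees any of this: the iteration count lives in the stored record, so a provider can raise it over time as hardware gets faster, which is the "no intervention on your part" point made earlier in the thread. Note that stretching only helps against offline attacks on stolen hashes; it does nothing for a password reused on a site that stores plain SHA-1.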
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: Password Security Part II

Post by telemark »

Using dictionary words greatly reduces the effective entropy. The comic would be correct if crackers restricted themselves to brute-force attacks, but they aren't that stupid. Rather than ask everyone to read the entire article cited, I will extract the relevant bit here:
The specific type of hybrid attack that cracked that password is known as a combinator attack. It combines each word in a dictionary with every other word in the dictionary. Because these attacks are capable of generating a huge number of guesses--the square of the number of words in the dict--crackers often work with smaller word lists or simply terminate a run in progress once things start slowing down. Other times, they combine words from one big dictionary with words from a smaller one. Steube was able to crack "momof3g8kids" because he had "momof3g" in his 111 million dict and "8kids" in a smaller dict.

"The combinator attack got it! It's cool," he said. Then referring to the oft-cited xkcd comic, he added: "This is an answer to the batteryhorsestaple thing."
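To make the quoted combinator attack concrete, here is an added example (not code from the Ars Technica article or from anyone in this thread) that cracks an unsalted SHA-1 hash by joining every word of one list with every word of another, and then counts how big the search space gets as the lists, the number of words, and the set of possible separators grow. Both word lists are constructed for the demonstration; a real run uses lists of millions of entries on a GPU, not Python.

```python
"""Combinator attack against an unsalted, unstretched hash.

Added example, not the article's or the thread's code. BIG_LIST and
SMALL_LIST are constructed stand-ins for the 111M-word and small
dictionaries mentioned in the quoted text.
"""
import hashlib
import itertools
from typing import Optional

BIG_LIST = ["password", "momof3g", "dadof2", "iloveyou", "monkey", "dragon",
            "sunshine", "princess", "football", "letmein"]
SMALL_LIST = ["123", "8kids", "2kids", "!", "2013", "4ever"]


def sha1_hex(s: str) -> str:
    """Unsalted SHA-1, the kind of leaked hash the article's cracks ran on."""
    return hashlib.sha1(s.encode()).hexdigest()


def combinator_attack(target: str, left: list, right: list,
                      separators=("",)) -> Optional[str]:
    """Try every left + sep + right candidate; return the plaintext on a hit.
    With separators=("",) this is exactly the two-word attack quoted above."""
    for a, sep, b in itertools.product(left, separators, right):
        cand = a + sep + b
        if sha1_hex(cand) == target:
            return cand
    return None


def candidate_count(list_sizes: list, separators: int = 1) -> int:
    """Search-space size for an n-word combinator: product of the list sizes
    times the separator choices between each pair of words."""
    n = 1
    for size in list_sizes:
        n *= size
    return n * separators ** (len(list_sizes) - 1)


if __name__ == "__main__":
    leaked = sha1_hex("momof3g8kids")
    print(combinator_attack(leaked, BIG_LIST, SMALL_LIST))
    # Two words from a 111M list and a 1M list vs four words from 2000:
    print(f"2 words, big lists:   {candidate_count([111_000_000, 1_000_000]):.2e}")
    print(f"4 words from 2000:    {candidate_count([2000] * 4):.2e}")
    # If the attacker must also guess one of 32 separators between words:
    print(f"4 words + separators: {candidate_count([2000] * 4, 32):.2e}")
```

Two points the numbers make: a two-list combinator over enormous lists is already in the 10^14 range, which is why the quoted cracker had to trim lists or stop early, and a four-word phrase from even a 2000-word list is 1.6 x 10^13 candidates before separators are considered, with each unknown separator position multiplying that again. The attack succeeds on "momof3g8kids" only because both halves were already in the lists.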
Topic Author
CountryBoy
Posts: 1777
Joined: Wed Feb 28, 2007 9:21 am
Location: NY

Re: Password Security Part II

Post by CountryBoy »

And what chance does the man on the street have of not being hacked if the following are true:

Pentagon
http://www.npr.org/blogs/thetwo-way/201 ... s-networks

and

NASA
http://abcnews.go.com/Technology/story?id=119423&page=1
ted123
Posts: 416
Joined: Thu Feb 21, 2008 12:47 pm

Re: Password Security Part II

Post by ted123 »

telemark wrote:Using dictionary words greatly reduces the effective entropy. The comic would be correct if crackers restricted themselves to brute-force attacks, but they aren't that stupid. Rather than ask everyone to read the entire article cited, I will extract the relevant bit here:
The specific type of hybrid attack that cracked that password is known as a combinator attack. It combines each word in a dictionary with every other word in the dictionary. Because these attacks are capable of generating a huge number of guesses--the square of the number of words in the dict--crackers often work with smaller word lists or simply terminate a run in progress once things start slowing down. Other times, they combine words from one big dictionary with words from a smaller one. Steube was able to crack "momof3g8kids" because he had "momof3g" in his 111 million dict and "8kids" in a smaller dict.

"The combinator attack got it! It's cool," he said. Then referring to the oft-cited xkcd comic, he added: "This is an answer to the batteryhorsestaple thing."
Two points:

1) In the comic, the alternative to "battery_horse_staple_whatever" was, in fact, a dictionary word, just with some common substitutions. Are you arguing there is more entropy in one dictionary word than in four?

2) Reading the paragraph you quoted carefully, it doesn't fully support its own conclusion. They never would have gotten "battery_horse_staple_whatever" because their combination attack was combining only two words. In theory, they could combine more, except even at two words, they need to use smaller word lists or terminate progress "once things start slowing down." And that's leaving aside that they don't even try to guess whether there's a space (as in the comic) or some other special character separating the words.
FNK
Posts: 1360
Joined: Tue May 17, 2011 7:01 pm

Re: Password Security Part II

Post by FNK »

xkcd has the entropy computation with little grey boxes right there. Assuming you're getting 4 words out of a 2000 word vocabulary, you get 44 bits of entropy. That's better than a slightly mangled word. However, that's worse than 8 fully random characters.

NOW: LastPass works with a few two-factor authentication systems. Use that with a good enough password to protect your LastPass account and have LastPass generate fully random 16 character passwords for actual sites.
ogd
Posts: 4876
Joined: Thu Jun 14, 2012 11:43 pm

Re: Password Security Part II

Post by ogd »

telemark wrote:Using dictionary words greatly reduces the effective entropy. The comic would be correct if crackers restricted themselves to brute-force attacks, but they aren't that stupid. Rather than ask everyone to read the entire article cited, I will extract the relevant bit here.
telemark: the comic does not misrepresent the entropy of the phrase. Knowing that it's composed of four dictionary words, the remaining entropy is roughly log2(3000 ^ 4) which is 46 bits. Author states 44, probably counting fewer common words.

It would be wrong to count it as 28 random letters, which is 133 bits even if one allows only lowercase and spaces.

Edit: please also read the hover text of the image...
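The entropy figures traded in the last few posts (44 bits for four words from about 2000, 46 for 3000, 133 bits if the 28 letters were random, 8 random characters beating the phrase, and the earlier remark that a key file is only worth the number of files it could be) all come from two formulas. The block below is an added example, not anyone's code from the thread, that computes them side by side; the list sizes, the 95-character printable set, the comic's 28-bit estimate for the mangled word and the 1000 guesses/second rate are the numbers the posts and the comic use, and the 5000-file figure is the one mentioned earlier in the thread.

```python
"""Password entropy in bits for the schemes argued over in this thread.

Added example, not code from the thread. Figures used: the comic's 28 bits
for a mangled word, 2048/3000-word lists, 95 printable ASCII characters,
1000 guesses per second, 5000 candidate key files.
"""
import math

PRINTABLE = 95   # 26 + 26 + 10 letters/digits + 33 symbols
LOWER = 26


def random_string_bits(alphabet_size: int, length: int) -> float:
    """Uniformly random characters: length * log2(alphabet_size).
    This is 'r to the power of l' from earlier in the thread, in bits."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Uniformly chosen words from a list the attacker is assumed to know:
    only the choice of words counts, not the letters in them."""
    return words * math.log2(wordlist_size)


def keyfile_bits(candidate_files: int) -> float:
    """A key file picked from N files is worth log2(N) bits, however large
    the file itself is, once the attacker knows to try files."""
    return math.log2(candidate_files)


def years_at_rate(bits: float, guesses_per_second: float) -> float:
    """Worst case: the whole 2**bits space at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare(guesses_per_second: float = 1000) -> dict:
    """Bits and worst-case years for each scheme, keyed by a label."""
    schemes = {
        "Tr0ub4dor&3 (comic estimate)": 28.0,
        "4 words from 2048": passphrase_bits(2048, 4),
        "4 words from 3000": passphrase_bits(3000, 4),
        "8 random printable chars": random_string_bits(PRINTABLE, 8),
        "28 random lowercase+space": random_string_bits(LOWER + 1, 28),
        "key file from 5000 files": keyfile_bits(5000),
    }
    return {name: (round(bits, 1), years_at_rate(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:30} {bits:6.1f} bits  {years:16.1f} years at 1000/s")
```

At 1000 guesses per second the 44-bit phrase takes about 557 years to exhaust, which is the comic's "550 years"; the 28-bit word takes a few days. The same table at a million guesses per second, the regime for stolen fast hashes, is what the "hashes stolen" objection above is about: every row shrinks by a factor of 1000 and only the random-character rows stay comfortable.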
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: Password Security Part II

Post by telemark »

ogd wrote:Edit: please also read the hover text of the image...
If you feel that you are trapped in an infuriating argument, please accept my own sincere apologies. The comic is not wrong in a narrow technical sense, but I think it relies on a poor assumption (no stolen hashes) and leads people to draw an incorrect conclusion (short passwords are always weaker than long ones). Will try to expand on this when I have more time.

And a 2000-word dictionary is rather small: the actual entropy of that phrase is probably much larger.
ogd
Posts: 4876
Joined: Thu Jun 14, 2012 11:43 pm

Re: Password Security Part II

Post by ogd »

telemark: apology accepted.

FNK: I like LastPass a lot and I'm a subscriber. That said, I still don't trust them with my 3-4 most sensitive passwords, so I can't in good conscience recommend that anyone use it for Vanguard, for example.
covertfantom
Posts: 228
Joined: Thu Feb 02, 2012 6:42 pm

Re: Password Security Part II

Post by covertfantom »

I use KeePass as my key ring and generator of random passwords. It integrates well with all browsers on the Windows platform, Windows, and Android. Wouldn't recommend it for the average Joe though - for some reason open source always seems to mean "hard to use".
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Password Security Part II

Post by Epsilon Delta »

A more formal version of horse_correct_staple approach in the xkcd comic is known as diceware.

http://world.std.com/~reinhold/diceware.html

This is an approach backed by actual logic and actual math giving actual security*. It also takes account of human characteristics** to allow remembering strong passwords with minimum effort.

* security against password guessing or stolen hashes, it won't do anything about armed men breaking your door down.
** at least the characteristics of some people; if you can't remember words then use something else.
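The following is an added example of the Diceware approach just described, not Diceware's own tooling or anything from the page it links. Real Diceware indexes a 7776-word list with five rolls of a six-sided die; the word list here is a short constructed stand-in so the block runs offline, the passphrase is drawn with Python's `secrets` module (a CSPRNG) rather than `random`, and `dice_to_index` shows how a physical five-dice roll maps onto a list position. The entropy figures assume the full 7776-word list.

```python
"""Diceware-style passphrase generation with a CSPRNG, plus the arithmetic
behind its strength.

Added example; not Diceware's own code. WORDLIST is a constructed stand-in
for the real 7776-word list.
"""
import math
import secrets

WORDLIST = ["correct", "horse", "battery", "staple", "cloud", "anvil", "river",
            "candle", "lemon", "copper", "wicket", "marble", "orbit", "fjord",
            "tundra", "quartz"]
DICEWARE_LIST_SIZE = 6 ** 5   # 7776 words, one per five-dice outcome


def dice_to_index(roll: str) -> int:
    """Five dice digits '1'..'6' (e.g. '31562') -> 0-based list index.
    Reading the roll as a base-6 number is what the paper list does by
    sorting entries from 11111 to 66666."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError("need exactly five digits in 1-6")
    idx = 0
    for c in roll:
        idx = idx * 6 + (int(c) - 1)
    return idx


def passphrase(words: int, wordlist=WORDLIST, sep: str = " ") -> str:
    """Pick words uniformly with secrets.choice. random.choice is the wrong
    tool: its Mersenne Twister state can be recovered from observed output,
    which would let an attacker reproduce every phrase it generated."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Each word contributes log2(list_size) bits; the attacker is assumed
    to know the list and the word count."""
    return words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words reaching a target strength."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(passphrase(5))
    print(f"5 Diceware words: {entropy_bits(5):.1f} bits")
    print(f"words needed for 80 bits: {words_needed(80)}")
    print(dice_to_index("11111"), dice_to_index("66666"))
```

Five words from the real list give about 64.6 bits and seven give about 90, which is why the stolen-hash case discussed above calls for more words than the comic's four. The strength comes entirely from the dice or the CSPRNG: a phrase you pick yourself from the same list has far less entropy than the formula reports.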
Topic Author
CountryBoy
Posts: 1777
Joined: Wed Feb 28, 2007 9:21 am
Location: NY

Re: Password Security Part II

Post by CountryBoy »

In the previous thread on this topic the statement was made that Vanguard allowed ten spaces in length for a password.

I just changed my Vanguard psw to one 12 spaces in length.

Does anyone have a fact based opinion on this topic? Please cite your source.

Thanks.
mnaspbh
Posts: 204
Joined: Fri Sep 09, 2011 12:26 pm

Re: Password Security Part II

Post by mnaspbh »

How about adding "never, ever, ever, ever, ever type your password into some site that claims to analyze the strength of your password" ?
GTF
Posts: 53
Joined: Thu Jun 20, 2013 8:13 pm

Re: Password Security Part II

Post by GTF »

covertfantom wrote:I use KeePass as my key ring and generator of random passwords. It integrates well with all browsers on the Windows platform, Windows, and Android. Wouldn't recommend it for the average Joe though - for some reason open source always seems to mean "hard to use".
+1 KeePassX excellent free product built on Linux OS, but works fine in Windoze environment.

Now if I were a hacker (Linux User) I would not attack your personal passwords or your computer. I would go after the server that housed your forum; then I would probably have all the user names and passwords on that forum. Fortunately most of the password lists are not plain text but hashed. As a Linux user/tester, I know this to be true as the Ubuntu Forums are closed now due to hackers gaining access. Food for thought.
frequency
Posts: 6
Joined: Mon Jul 22, 2013 7:12 pm

Re: Password Security Part II

Post by frequency »

Greetings. I've been lurking around for some time, and thought that perhaps I may be able to contribute some of my own experience with password security.

First and foremost, it is important to use a separate unique password for all your accounts, and to occasionally update them with newer passwords. Try to add at least one symbol and number to the mix, as it will make brute forcing a password take considerably more time.

For those with more password anxiety, my setup is as follows:

I use KeePass for my password database. KeePassX or the newer KeePass2 are both cross-platform compatible (Windows, Mac, *NIX). To obscure things some, I set the preferences to not remember where my last opened password database file is. In addition, I do not use the kbx extension type so as to not advertise what type of file it is in the event the password database was somehow intercepted.

KeePass requires a master password and optionally an additional keyfile to open the password database (don't use a keyfile unless you know how to write protect it and have a backup somewhere, otherwise you may lock yourself out!!!). KeePass lets you conveniently categorize entries for different accounts with a title, password, and additional notes. It has a password generator that enables one to randomly generate a password by collecting additional entropy from mouse movements and random keystrokes.

When utilizing a password database, it is very important to assure that the passwords remain secure and not lost. Personally, I back up -- through synchronization -- to several 2.5" portable hard drives I rotate through as one may do with tapes on a server. The hard drives are full disk encrypted with the Linux Unified Key Setup (LUKS), which I find to be the only sane balance between security and ease of use. Unfortunately the average computer user may find this hard to set up as it is incompatible with Windows. A less secure alternative I recall is that one could use a program in Microsoft Windows called TrueCrypt to set up a full disk encrypted external hard drive or flash drive.

Using KeePass to manage an encrypted password database, and developing a habit of rotating encrypted backups, may not be adequate depending on your level of password paranoia. The last element that needs to be seriously considered is the security of your base operating system. For most users, Microsoft Windows has a really weak immune system and there may be no band-aid big enough to stop the threat of software keyloggers, remote backdoors, etc. Personally, I use Debian on a full disk encrypted partition with no swap file. When I do use Windows programs they are usually loaded up in a virtual machine through Debian Linux.

I think my point may be that real password security is not easy for the average user, but for those who want to take the time to learn it can be done reasonably well. Some of the mistakes I've seen in my work regarding data compromises/breaches involve the end user storing passwords in plain text files on infected machines, phishing scams, recycling computers without adequately wiping data, or using the same password for multiple accounts so that when one website is compromised many additional accounts follow suit.
Topic Author
CountryBoy
Posts: 1777
Joined: Wed Feb 28, 2007 9:21 am
Location: NY

Re: Password Security Part II

Post by CountryBoy »

Ok folks since I am the guy who put up the OP, I have a major request: let's keep this discussion on the level of " the average user."

There are many people here who are very knowledgeable on this topic and are well above " the average user" level. For those people who are advanced and wish to post advanced info, please start a separate thread for your discussions.

And thanks,

country boy
'just your average joe' trying to make do........
patrick
Posts: 2594
Joined: Fri Sep 04, 2009 3:39 am
Location: Mega-City One

Re: Password Security Part II

Post by patrick »

CountryBoy wrote:Is that comic correct? If it is, then one can ignore all concerns re: upper case, lower case, numeric, and using such characters as !@#$%&* ?
The comic doesn't quite say that those things are useless. Rather, it says that the advantage of using four words instead of just one is much greater than the advantage of adding a couple of symbols to the end. It is certainly correct about that.

The time estimates and the stuff in parenthesis on the second box are more questionable, however. It assumes the attacker could continuously attempt to login over and over, at the rate of 1000 logins per second, for 3 whole days! Most systems would slow down or completely block the login attempts long before that. I suspect that, in practice, someone who didn't steal the hashes is more likely to break into your account either by (1) using a keylogger on your computer or (2) abusing the password reset feature.

If the attacker did steal the hashes, using 4 randomly selected common words (from a list of the 2000 most common words) might not be enough, but using 8 randomly selected common words should be more than enough.
zeep
Posts: 146
Joined: Sat Oct 04, 2008 3:03 pm

Re: Facebook connect/google sign-in/ open id

Post by zeep »

As an average non-techie, I'd like to bump my question:
zeep wrote:I recently started using a password manager in large part based on the advice on this site (thanks) not just for security but also for practical convenience. I got tired of doing password resets when trying to go back to a website I hadn't used for awhile and couldn't remember the password.

A lot of garden-variety websites provide an option to sign up using Facebook connect/google sign-in/ open id instead of creating a site specific account. While I'd never do this for a financial or high risk account, what are the pros and cons of using this type of third-party login service? I could simply have my password manager create unique credentials for each account, but I doubt that I need that level of security for media sites, greeting cards, blogs, etc. and was thinking of using one of these services to reduce complexity by limiting the number of credentials stored in the password manager.
patrick
Posts: 2594
Joined: Fri Sep 04, 2009 3:39 am
Location: Mega-City One

Re: Password Security Part II

Post by patrick »

Nitpick: the comic does seem to be a little off on the punctuation though -- it indicates 4 bits of entropy implying 16 possible symbols, but I can easily find about twice as many on my quite ordinary keyboard:

`-=[]\;',./~~!@#$%^&*()_+{}|:"<>?

This doesn't much change the overall conclusion that four words is better than one decorated word.
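Putting numbers on the two points above (the earlier post's "4 words from a 2000-word list" versus 8 words, the comic's 1000 guesses/second, and patrick's count of keyboard symbols): the following is an added worked example, not code from any poster. The only input it takes from the thread is patrick's symbol string; everything else is plain arithmetic on bits of entropy.

```python
import math
import string


def entropy_bits(choices: int, count: int = 1) -> float:
    """Entropy of `count` independent, uniformly random picks from `choices` options."""
    return count * math.log2(choices)


def bits_covered(guesses: float) -> float:
    """How many bits of keyspace a given number of guesses can exhaust."""
    return math.log2(guesses)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a fixed guess rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


# patrick's symbol list, copied from his post (the '~' appears twice).
PATRICK_SYMBOLS = r'''`-=[]\;',./~~!@#$%^&*()_+{}|:"<>?'''


def distinct_symbols(s: str) -> int:
    return len(set(s))


def report() -> dict:
    """Numbers for the scenarios discussed in the thread, all in bits or years."""
    online_guesses = 3 * 24 * 3600 * 1000          # 3 days at 1000 logins/second
    return {
        "four_words_2000": entropy_bits(2000, 4),   # ~43.9 bits
        "eight_words_2000": entropy_bits(2000, 8),  # ~87.7 bits
        "ten_printable_chars": entropy_bits(94, 10),  # ~65.5 bits, random 10-char password
        "symbol_bits_patrick": entropy_bits(distinct_symbols(PATRICK_SYMBOLS)),  # 5, not 4
        "symbol_bits_ascii": entropy_bits(len(string.punctuation)),              # also 5
        "bits_reachable_online_3_days": bits_covered(online_guesses),            # ~28 bits
        "years_44_bits_at_1000_per_s": years_to_exhaust(44, 1000),               # ~550 years
        "years_44_bits_at_1e9_per_s": years_to_exhaust(44, 1e9),  # offline hash cracking: hours
    }


if __name__ == "__main__":
    for k, v in report().items():
        print(f"{k:32s} {v:12.2f}")
```

The last two lines of the report are the practical point: 44 bits is a lot against an online login form, and very little against an attacker who stole the hashes and can guess at a billion per second.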
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: Password Security Part II

Post by Mudpuppy »

I have become a fan of recommending a modified diceware/dicewords approach combined with a password locker to the average person. The modification I suggest is using short, random "joiners" to the individual word, such as "correct#3horse%HbatteryE4staple" (to use the famous xkcd comic passphrase) and/or to use made-up words (such as those produced by pronounceable password generators) instead of dictionary words.

Is this as good as a totally random password of the same length? Of course not. A random password of the same length will have a larger search space. However, it is much better than the typical 6-9 character password most people use. Combination attacks are nowhere near as feasible as the quote said. A dictionary with 111 million words run in combination mode on a GPU cracker chews through enormous resources, which slows down the attempt rate. Sure, given enough time and a big enough dictionary, they could stumble across the password. But the same could be said given enough time and a long enough pattern generator as well. Abandon perfection. Seek "good enough" and "better than what you're currently doing".

Is it easier for the average person to remember? Most certainly. Behavioral and cognitive science has shown that people have difficulty remembering more than about a half dozen "items". That's why the most common password lengths are 6-9 characters, because each character in a random password is an item to the brain. A word on the other hand is one item. Four words would be four items, the order of the words would be another item, and the separators another item. It will be harder to remember than an English phrase, but nowhere near as difficult to remember as random passwords of the same length.

So use some variation on this method to make a stupendously long passphrase for a password locker program. Then let the program handle everything else. Make sure you backup the data in the program. And it's okay to print the passwords out periodically, as long as you protect the paper (e.g. print it out and put it in your safe deposit box). Same thing goes for writing down your master passphrase in case you get bonked on the head, have a stroke, or otherwise have cause to forget it. It's not the act of writing down a password that's insecure; it's writing down passwords and not securing the paper that's the problem. So a paper in your safe deposit box is fine, but a post-it by your monitor is not.
Gleevec
Posts: 346
Joined: Sun Mar 03, 2013 10:25 am

Re: Password Security Part II

Post by Gleevec »

Its all about entropy.

Soon though, with iOS 7, I will have built-in password syncing across all my devices so I won't have to even worry about that. Just got to make sure my master password is hard to crack =)

Or maybe Apple will get smart and use fingerprinting plus voice as your password to your iDevice and then get access to your LastPass-like iOS service
ogd
Posts: 4876
Joined: Thu Jun 14, 2012 11:43 pm

Re: Password Security Part II

Post by ogd »

CountryBoy wrote:Ok folks since I am the guy who put up the OP, I have a major request: let's keep this discussion on the level of " the average user."

There are many people here who are very knowledgeable on this topic and are well above " the average user" level. For those people who are advanced and wish to post advanced info, please start a separate thread for your discussions.

And thanks,

country boy
'just your average joe' trying to make do........
CountryBoy: Fair enough! I think that a couple of new things can be discerned from all the entropy noise (pun intended) that can be put in simple words.

1) Long "phrase" passwords, made of English words, are an alternative to short, random-looking ones like you propose. However, I'm not sure this can be heartily recommended to common folk (and I use the term very respectfully), because it's fraught with peril. For example, choosing a verse from a favorite song or Shakespeare. One has to choose truly random words. If you think http://world.std.com/~reinhold/diceware.html is understandable and usable by the public at large, then you might choose to include it as a recommendation. Proposed wording: "if you are having trouble remembering passwords like above, consider using a different approach: long phrases composed of random English words. To choose words at random, consider Diceware (link). Do not use a verse or a sentence that makes sense!"

2) Password managers. "Consider using a reputable password manager program for non-essential passwords, such as websites or secondary email accounts. This will keep you from reusing passwords and let you focus on having a few strong passwords for the crucial accounts and for the password manager itself". The part about "non-essential" is my opinion, but like I said I can't recommend using them for one's big money accounts, since you are very much dependent on their authors getting it right.

This in addition to the reordering of priorities that I proposed earlier.
jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: Facebook connect/google sign-in/ open id

Post by jchef »

zeep wrote:A lot of garden variety websites provide an option to sign up using Facebook connect/google sign-in/ open id instead of creating a site specific account. While I'd never do this for a financial or high risk account, what are the pros and cons of using this type of third-party login service? I could simply have my password manager create unique credentials for each account, but I doubt that I need that level of security for media sites, greeting cards, blogs, etc and was thinking of using one of these services to reduce complexity by limiting the number of credentials stored in the password manager.
This is known as OAuth.

Off the top of my head, here are the cons:
  • The main con for this is if your Facebook or Google or OpenId, etc., accounts are hacked into, it is possible for the hacker to gain access to the websites where you are using OAuth to log in.
  • And you are also relying on the OAuth provider correctly implementing OAuth. This apparently is not trivial.
And the pros:
  • The pros include simplicity. There are fewer passwords you need to memorize or store (or even worse, reuse). The site you are logging into does not get access to your Facebook or Google password.
  • Many small sites don't do password security very well, so there is a very good chance that Facebook's or Google's implementation of OAuth is stronger than if you directly create a username and password on the small site.

I'm honestly not certain what the tracking issues are with OAuth. So, if you use Google to log into another website I'm not sure how much info, if any, Google will be adding to their profile of you. This may be of concern to some people.

Since accounts such as Google and Facebook offer two factor authentication, I would suggest you use it. Even if you aren't using OAuth, I would still suggest you use it. But with OAuth you have additional reasons to start using two factor.
jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: Password Security Part II

Post by jchef »

ogd wrote: 2) Password managers. "Consider using a reputable password manager program for non-essential passwords, such as websites or secondary email accounts. This will keep you from reusing passwords and let you focus on having a few strong passwords for the crucial accounts and for the password manager itself". The part about "non-essential" is my opinion, but like I said I can't recommend using them for one's big money accounts, since you are very much dependent on their authors getting it right.
I'm actually willing to store all of my essential passwords in KeePass.

Perfect security doesn't exist, instead you can just try to maximize security. I'll try to simply explain why I feel I have better security by storing everything in KeePass.
KeePass was started in 2003, it's a mature product. While properly implemented encryption is not simple, it's also not exceptionally complex, you just need to ensure you are avoiding stupid mistakes. They've had time to hopefully work out any bugs and seeing as it is a well known open source project, it presumably has been examined by experts (although I have no proof of this point).

Because KeePass has a large number of users, if someone does manage to crack it, it likely won't remain a secret for too long.

And even if KeePass is secretly cracked, there is still no easy way for someone to get access to my database. They would have to get access to my desktop, laptop, phone or Dropbox account. All of these devices have decent security protection. Not perfect, but decent.

So for someone to both have access to my KeePass database and know how to crack KeePass (or know my password and have my key file) is a low probability event. Certainly not impossible, but not very likely.
The second main point is that I have two financial passwords which are a maximum of 8 characters and one which is a maximum of 6 numbers. The one with 6 numbers has other protections, such as if I log in from a different computer it asks me security questions, but still its password length is incredibly stupid. (It's ING Direct Canada if anyone cares).

Because of these limitations, I like to change these passwords frequently. And I also like the 8 character password to contain special characters, in addition to letters and numbers.

Without using a password manager, it really wouldn't be practical to keep on changing passwords and keep the passwords as complex as possible. I just don't have the ability to properly memorize stuff like this if it's frequently changing.

(In case anyone is wondering, by frequently I mean 3 or 4 times a year. Not every time I log in or anything silly like that)
So while I fully agree there is some risk in storing my essential passwords in a password database, I consider it a smaller risk than not doing it. Others may disagree.
Topic Author
CountryBoy
Posts: 1777
Joined: Wed Feb 28, 2007 9:21 am
Location: NY

Re: Password Security Part II

Post by CountryBoy »

As I put in my original post:
Yes, if they really want your info they will get you, or me, or anyone. After all, many major institutions have been hacked, among them

Pentagon
http://www.npr.org/blogs/thetwo-way/201 ... s-networks
and
NASA
http://abcnews.go.com/Technology/story?id=119423&page=1
Do people care to comment on the above?
Sidney
Posts: 6784
Joined: Thu Mar 08, 2007 5:06 pm

Re: Password Security Part II

Post by Sidney »

Link to NPR seems to be broken. But looking at the other one, my reaction is that these are two high profile targets. In assessing your risk, you need to ask yourself if you are a likely target.
I always wanted to be a procrastinator.
Sunny Sarkar
Posts: 2443
Joined: Fri Mar 02, 2007 12:02 am
Location: Flower Mound, TX

Re: Password Security Part II

Post by Sunny Sarkar »

Epsilon Delta wrote:0. Before taking advice on passwords, ask the potential advisor to define "entropy" and to explain why it is relevant. If they can't do this ignore the rest of their advice.
All anyone needs to understand entropy is to look at the mess in my study :oops:
"Buy-and-hold, long-term, all-market-index strategies, implemented at rock-bottom cost, are the surest of all routes to the accumulation of wealth" - John C. Bogle
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: Password Security Part II

Post by telemark »

The thing to understand about the cartoon is that the entropy calculations only apply when the words are randomly chosen. Four words you pick yourself will not be as secure. (For a strong password you should use six or seven words, as the Diceware people recommend). Even a short password can be stronger than a decorated word, if it is randomly generated. Bottom line: don't make up your own passwords, use some kind of generator.

Combine that with "don't reuse passwords", which I heartily recommend, and any hope of remembering them all yourself is pretty much gone.
Epsilon Delta
Posts: 8090
Joined: Thu Apr 28, 2011 7:00 pm

Re: Password Security Part II

Post by Epsilon Delta »

One thing to note is that not all accounts are the same so you don't need the same security on all accounts. You can use weaker and shorter passwords for, say, bogleheads.org, than for vanguard.com. Things that require strong passwords include financial accounts, any email you use for password recovery and any password manager. It is a personal decision whether it is easier to use strong passwords everywhere or to triage your accounts.
ogd wrote: 1) Long "phrase" passwords, made of English words, are an alternative to short, random-looking ones like you propose. However, I'm not sure this can be heartily recommended to common folk (and I use the term very respectfully), because it's fraught with peril. For example, choosing a verse from a favorite song or Shakespeare. One has to choose truly random words. If you think http://world.std.com/~reinhold/diceware.html is understandable and usable by the public at large, then you might choose to include it as a recommendation. Proposed wording: "if you are having trouble remembering passwords like above, consider using a different approach: long phrases composed of random English words. To choose words at random, consider Diceware (link). Do not use a verse or a sentence that makes sense!"
The key to any strong password is random. People are not good at random. They are just as bad at random when picking a 10 character phrase with 2 upper case, 2 lower case, 2 digits and 2 special characters as they are picking a five word pass phrase. A lot of people think keyboard patterns and the like are random, but they are not. So if you want a strong password use a real random generator. Ideally you'd throw dice, flip coins, draw cards or similar. A decent second choice for most purposes is to let the computer choose a random password. Many of the password managers can do this.
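Three posts above converge on the same advice: Mudpuppy's diceware-with-joiners, telemark's "use some kind of generator", and Epsilon Delta's "throw dice, or let the computer choose". The following is an added example of what that generator looks like, written for this thread and not taken from Diceware or any password manager. It assumes a constructed 36-word list indexed by two dice so it runs stand-alone; the real Diceware list has 7776 words indexed by five dice, and only the list size changes. Randomness comes from the operating system's cryptographic generator via `secrets`, which is what "let the computer choose" should mean.

```python
import math
import secrets
import string

# Constructed demonstration word list: 36 short words keyed by two dice ("11".."66").
# Diceware proper uses five dice and 7776 words; the lookup code is identical.
_DEMO = ("able acid aged also area army away baby back ball band bank "
         "base bath bear beat been bell belt best bird blue boat body "
         "bone book born both bowl bulk burn bush busy call calm came").split()
DEMO_WORDS = {f"{a}{b}": w for (a, b), w in
              zip(((a, b) for a in range(1, 7) for b in range(1, 7)), _DEMO)}


def roll_die(faces: int = 6) -> int:
    """One fair die roll from the OS CSPRNG; never use random.random() for this."""
    return secrets.randbelow(faces) + 1


def roll_key(n_dice: int, roll=roll_die) -> str:
    """Concatenate n_dice rolls into a lookup key such as '3415'."""
    return "".join(str(roll()) for _ in range(n_dice))


def random_joiner(pick=secrets.randbelow) -> str:
    """Mudpuppy's 'joiner': one punctuation mark plus one letter or digit."""
    alnum = string.ascii_letters + string.digits
    return (string.punctuation[pick(len(string.punctuation))]
            + alnum[pick(len(alnum))])


def passphrase(n_words: int = 6, wordlist=DEMO_WORDS, joiners: bool = False,
               roll=roll_die, pick=secrets.randbelow) -> str:
    """Pick n_words words by dice roll; optionally glue them with random joiners."""
    n_dice = round(math.log(len(wordlist), 6))   # 2 for the demo list, 5 for Diceware
    words = [wordlist[roll_key(n_dice, roll)] for _ in range(n_words)]
    if not joiners:
        return " ".join(words)
    out = words[0]
    for w in words[1:]:
        out += random_joiner(pick) + w
    return out


def passphrase_bits(n_words: int, wordlist_size: int, joiners: bool = False) -> float:
    """Entropy of the generated phrase, assuming every pick was truly random."""
    bits = n_words * math.log2(wordlist_size)
    if joiners:
        bits += (n_words - 1) * math.log2(len(string.punctuation) * 62)
    return bits


if __name__ == "__main__":
    print(passphrase(6))                       # six demo words, space separated
    print(passphrase(4, joiners=True))         # four words with Mudpuppy-style joiners
    print(round(passphrase_bits(6, 7776), 1))  # what six real Diceware words give
```

The `roll` and `pick` parameters exist so the generator can be checked with fixed dice; in normal use leave them at their defaults. Note that `passphrase_bits` is only honest when the words really were rolled: a phrase you composed yourself, as telemark says, does not get those bits.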
ogd
Posts: 4876
Joined: Thu Jun 14, 2012 11:43 pm

Re: Password Security Part II

Post by ogd »

Epsilon Delta wrote:One thing to note is that not all accounts are the same so you don't need the same security on all accounts. You can use weaker and shorter passwords for, say, bogleheads.org, than for vanguard.com. Things that require strong passwords include financial accounts, any email you use for password recovery and any password manager. It is a personal decision whether it is easier to use strong passwords everywhere or to triage your accounts.
What you wrote is true, but the point remains that the need for super-strong passwords for online accounts is often over-estimated. You will note that diceware itself, otherwise paranoid, says that it's reasonable to use shorter passwords for those, with some disclaimers (search in page "If all you need right now is a login password", read that paragraph and the link). Diceware concerns itself more with passwords for encrypted files or disks, which an attacker can get a hold of and go to work on in the comfort of their own home.
Epsilon Delta wrote:A decent second choice for most purposes is to let the computer choose a random password. Many of the password managers can do this.
Agreed, modulo the above. I have in the past generated a password with a password manager, without allowing it to store it because I considered it too sensitive.
Topic Author
CountryBoy
Posts: 1777
Joined: Wed Feb 28, 2007 9:21 am
Location: NY

Re: Password Security Part II

Post by CountryBoy »

It is beginning to sound to me as if the average Joe on the street wants to Really protect himself with psw security, that he has to go out and learn a lot of geeky software. Since I am not a geek, but greatly respect those that are, I guess I need to resign myself to a few of the basics suggested in the OP and hope for the best.

I was hoping it would turn out better, but it is what it is.
craigr
Posts: 2696
Joined: Tue Mar 13, 2007 6:54 pm

Re: Password Security Part II

Post by craigr »

Many account compromises are not people cracking passwords directly. The perpetrators are stealing passwords with malware on target machines, bogus sites to phish, capturing passwords in unencrypted network traffic, etc. Cracking passwords on most sites won't work due to lock-out procedures plus it always raises huge red flags which the thieves do not want. If they aren't doing the above, then they are directly compromising the servers of the company to get to user access credentials, etc. None of which the user's password can prevent!

For PC users the best thing they can do is to pick a reasonably good password for critical sites like banking, etc. Then they must run anti-malware software religiously to keep problems off their machine.

Some of the malware today is quite sophisticated. Going to the point of pulling over critical system files to a fake virtual environment to mimic your home computer appearance to online security checks. It's too complicated to explain here. But the main thing is you don't want to get your machine infected.

So given the above if you are very paranoid you may want to keep a beater machine around that you only use for doing financial transactions and you don't use for any other reason. Nor do you let your kids use it. Even better as well, get your kids their own computer to screw up and don't let them use yours because they'll probably get it infected doing whatever it is they are doing. Also, stay off pirate sites, torrents, adult sites, etc. These are all good places to get malware.

Outside of this, there isn't much the average person can do. Use a good password. Change it every now and then. Log onto your account every week or so to make sure there isn't anything weird going on. Etc.

One issue for Vanguard is that they are not using two-factor authentication. So stealing a password along with answers to some simple questions is enough to be an issue. And if malware steals your local environment and security cookies, then they could bypass these extra checks and just use the password. Even then, Vanguard is not going to let anyone add on a new account to wire money out to Romania so there is still some protection. Maybe someone could log in and execute trades maliciously though. So that is an issue.

If you use things like Gmail, consider setting it up for two-factor authentication. There is a Google Authenticator app you can download for free. Once your account is setup you have to enter a password and an authenticator code that rotates every 60 seconds. You can also keep a list of codes printed out in your wallet to use for backups. Without the authenticator codes it is significantly harder for malware to compromise your account at Google.

Ideally, Vanguard should do something similar. But there are technical and support issues involved and I'm sure they looked into all of these options and probably decided it isn't worth it to them. Perhaps internally losses have not become a big enough problem to justify the costs to make additional security improvements. Or there could be technical barriers. However, financial companies get burned all the time with hacks but they don't publicize it. It's just a cost of doing business and they weigh that cost against convenience for their customers.

P.S. Been involved in the computer security field now for a long time...
Last edited by craigr on Tue Jul 23, 2013 6:31 pm, edited 2 times in total.
IMPORTANT NOTE: My old website crawlingroad{dot}com is no longer available or run by me.
LadyGeek
Site Admin
Posts: 95686
Joined: Sat Dec 20, 2008 4:34 pm
Location: Philadelphia

Re: Password Security Part II

Post by LadyGeek »

CountryBoy wrote:Since I am not a geek, but greatly respect those that are, I guess I need to resign myself to a few of the basics suggested in the OP and hope for the best.
The whole point is to use good passwords. If you can't figure out the password software, then take a look at what the experts can do without software: GRC's | Password Haystacks: How Well Hidden is Your Needle?

To start, watch the ABC News interview highlighted at the top of the page: How safe are your computer passwords? - it's a good tutorial.

Search that page and you'll find that this website was recommended in Consumer Reports: How to create a strong password (and remember it)

(I had previously posted this link here: Re: Another reason why you should never reuse passwords...)
To some, the glass is half full. To others, the glass is half empty. To an engineer, it's twice the size it needs to be.
jchef
Posts: 263
Joined: Wed Aug 29, 2012 7:04 am

Re: Password Security Part II

Post by jchef »

CountryBoy wrote:It is beginning to sound to me as if the average Joe on the street wants to Really protect himself with psw security, that he has to go out and learn a lot of geeky software.
I don't think it's that bad.

Security is a matter of degrees. There are always ways to make yourself a bit more secure, but with a few steps you can make yourself fairly highly secure and greatly reduce your chances of being a target.

  • Use a password manager. KeePass is freely available and not too difficult to learn the basics. And you don't need to learn any of the more complex features if you don't want to.
  • Create a reasonably complex master passphrase. The chances are no one will ever steal your password database and try to break into it. And even if someone does, they are likely to give up after a while.
  • So even a semi-sensical master passphrase such as "My favorite color 36 are BALLbasket" is unlikely to be cracked. You could try to use tools to help with a master password, but the truth is as long as it is sufficiently long and not too obvious, you're likely to be fine.
  • Use the password manager to create and store long random passwords for all of your logins.
  • Make backups of the password manager database. And if you want, print out a copy on paper and keep it somewhere safe.

If you follow these not-too-complex steps you won't be the most secure, but you'll be more secure than most. And for most people that's probably enough.
mnaspbh
Posts: 204
Joined: Fri Sep 09, 2011 12:26 pm

Re: Password Security Part II

Post by mnaspbh »

It's all about the threat models. What kinds of adversaries do you want to be protected against?

The most common causes of compromised "valuable" accounts, based on talking with many friends and co-workers in the security industry, are:

(1) Reused passwords. This accounts for the vast majority of account compromises. "Reuse" includes using the same password at multiple sites, and using (simple) site-specific password variants per site. An attacker compromises any of the passwords, and will systematically try them on a very large number of other sites, and will often find a match.

(2) Flaws in third-party systems. These can render passwords moot--it doesn't matter what the passwords are if an attacker just grabs them all from an unencrypted database or can intercept them as they come in.

(3) Malware. Like (2), but on the user's machine--it doesn't matter how strong the passwords are if a keylogger or other malware can just grab them when they're typed.

(4) Phishing. A user clicks on a link in an email, or instant message chat, etc., and is redirected to a real-looking login page for a site. When they log in to "fix their account" or "check if that's really you/your spouse/etc in the arrest records", their username and password are captured. Again, it doesn't matter how strong the passwords are.

(5) Bulk password-cracking attacks. These are really the only place where weak passwords come into play.

Criminals often use these attacks together. If they get any passwords one way, they'll try them on many other sites (password reuse). They'll use them to craft phishing messages that further attack you, or are used in social-engineering attacks on your friends/contacts (the infamous "Help, I got robbed in [some foreign city] and need money" attack). When a third-party system's databases are compromised, bulk cracking attacks will be used to find weak passwords, and those will be used in further attacks.

Most of these attacks can be partially or completely automated, and the payoff for a successful attack can be big--anywhere from a few dollars per set of account credentials to thousands (or more) for a well-executed bank-draining malware/phishing attack.

The take-away is that password security is a very small part of staying safe online. Google has a set of material aimed at the lay-person about staying safe online that is fairly good, and there are many other sources for similar information.
Topic Author
CountryBoy
Posts: 1777
Joined: Wed Feb 28, 2007 9:21 am
Location: NY

Re: Password Security Part II

Post by CountryBoy »

Lots to digest here. I am going to study what people have written and get back to you folks.

Thanks to all.

cb
Topic Author
CountryBoy
Posts: 1777
Joined: Wed Feb 28, 2007 9:21 am
Location: NY

Re: Password Security Part II

Post by CountryBoy »

Everyone answering to this thread has been wonderful and informative. In a token gesture of thanks I have put your comments together in one long list that the Bogleheads may wish to add to and post somewhere.

Please note that I have come to see password security as not so much an absolute science as it is a subject that can have different answers for different people. By that I mean different people have greatly differing views as to what constitutes good password security.

The list:*

The following are steps you may wish to take to prevent your own passwords from being hacked:
• Don’t confuse strategy with outcome, ie, just because you haven’t been hacked does not mean you will not be hacked at some point in the future with your current psw strategy.
• Your psw should be at least 12 characters long; longer is definitely better.
• Avoid passwords based on repetition, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links (current or past), or biographical information (e.g., ID numbers, ancestors' names or dates).
• Have at least 2 upper case letters
• Have at least 2 lower case letters
• Have at least 2 numbers
• Have at least 2 characters, such as an * and @
• Do not try to have the psw be an easy to remember series of characters and numbers.
• Change it at least every 6 months
• Updating your anti-virus programs regularly is definitely necessary.
• Never reuse passwords or use the same one for everything.
• The length of the password matters more than the randomness, within reason.
• If your email is through Yahoo or Microsoft consider learning about and setting up two step authentication for your security.
• If you are going to store passwords, put them on a removable drive which is encrypted. Don't give them to other people.
If you follow these not-too-complex steps you won't be the most secure, but you'll be more secure than most. And for most people that's probably enough.
Other strategies to consider:
• Use multiple techniques, such as TrueCrypt (which can use a key file instead of a memorized password) and Keyfile to protect your data files.
• As for keeping your data local, people may wish to put browser profile, email data, and all other sensitive information inside a TrueCrypt volume. Instead of memorizing a long password, TrueCrypt allows you to use a Keyfile. What's that mean? A file is used for the password. So, choose from any number of vacation pictures, programs, music, as your password. As long as you don't tell anyone where those files are, it's very secure. In fact, you can put the file on a USB stick and store it somewhere. Don't store the vacation pictures with this USB stick.

Study more here:

http://arstechnica.com/security/2013/05 ... passwords/
https://www.grc.com/passwords.htm
https://lastpass.com/

Note - On the internet there is no such thing as absolute security, rather only an increased statistical possibility that you won’t be hacked based on a prudent and informed strategy.

Yes, if they really want your info they will get you, or me, or anyone. After all, the Pentagon and NASA have been hacked.

Pentagon
http://www.npr.org/blogs/thetwo-way/201 ... s-networks
and

NASA
http://abcnews.go.com/Technology/story?id=119423&page=1

*Note: I have not included 2 different websites where an individual can test the strength of their psw. One member noted that one should "never, never, ever, ever, ever, ever" use a website to check their password. So to enter one's psw into:

https://www.microsoft.com/en-gb/securit ... ecker.aspx
or
https://www.grc.com/haystack.htm

is possibly not a good idea. Members may wish to discuss this issue.

My thanks to everyone for their sharing of expertise on this topic. My only wish is that more people across the internet could benefit from the guidance you have given here.

country boy
zaplunken
Posts: 1368
Joined: Tue Jul 01, 2008 9:07 am

Re: Password Security Part II

Post by zaplunken »

CountryBoy wrote:It is beginning to sound to me as if the average Joe on the street wants to Really protect himself with psw security, that he has to go out and learn a lot of geeky software. Since I am not a geek, but greatly respect those that are, I guess I need to resign myself to a few of the basics suggested in the OP and hope for the best.

I was hoping it would turn out better, but it is what it is.
Not so. I loved that other thread and this one too. :D The other thread convinced me to stop using the same passwords at multiple sites, they were not as good as I thought anyway! It convinced me to use KeePass. A lot of the stuff in these 2 threads I can understand and a lot is over my head. I read many of the articles about password security that were links and learned a lot.

So here's my how to do it.

KeePass is easy to use, I use it at a low level of complexity. My master password is 24 positions in length. It is comprised of upper and lower case letters, numbers and special characters. It is a convoluted phrase that means something to me, no one would think of it, I use the 1st letter of each word and if you saw it well it is gibberish so it is pretty random. I keep my KeePass database on 2 flash drives not my c-drive so you have to have them to even try to access KeePass. I have 2 because one is a backup just in case. I did print out the userids and passwords in the database but that list is in my safe deposit box.

I have used the How well is your needle hidden site to test my password's strength but I don't use the real passwords. I like to make up my own passwords vs letting KeePass do it. So for example say my password for a site was 9kU#)ab7V"Mkz8&Wb: (don't laugh that is a perfect example of my passwords tho Vanguard's would be just 10 characters in length). So at the How well is your needle hidden site I'd use the following substitute password and note it corresponds character type by character type in each position 3gE[^pn2K;Dir1\Lz! and it tells me it is really good! So you can use that site just don't use your actual passwords.

I store my security questions in KeePass. What is your grandmother's first name? The answer is cat4& be4 pizza73 or what is your mother's maiden name the answer is truck22 55vampire clue$ (of course those are not the real answers !) and when I read that to them no one says huh as it is the correct answer!

So KeePass is excellent for storing and retrieving complex random passwords and security questions. I have not changed any yet tho they are 1 year old. :sharebeer