best tips for passwords?

Topic Author
schmitz
Posts: 343
Joined: Thu Sep 01, 2011 5:21 pm

best tips for passwords?

Post by schmitz »

anyone have any good tips for creating safe passwords? what is most important?

1) length? 2) using non-letter characters? 3) changing them often? 4) does every website need a different password?

my guess is all of the above. however, is there a way to create passwords that don't need to be changed monthly and so I don't need to memorize 10+ passwords that are each 20+ characters long?

also are those password programs (like 1password) recommended/safe?
Beezthree
Posts: 183
Joined: Wed May 07, 2008 11:16 pm

Re: best tips for passwords?

Post by Beezthree »

length.
jupiter_man
Posts: 69
Joined: Fri May 03, 2013 8:02 pm

Re: best tips for passwords?

Post by jupiter_man »

Length.
Use a long phrase at the end. e.g. BASE+SITE+Common-Phrase

BASE is same for all sites - this could be your fav complex key
SITE - this changes based on site - fidelity , vanguard etc
Common-Phrase - a long line e.g. ilikegoingtothegym or myfirstcarwasanissan
Lacrocious
Posts: 378
Joined: Thu Mar 22, 2007 9:45 pm
Location: Wisconsin

Re: best tips for passwords?

Post by Lacrocious »

To be as safe as possible, go with random character passwords that are hard to remember and hard to type - as long as the site allows with as many different character types as you can (Upper case, lower case letters; numbers; symbols). Some sites restrict length or don't allow symbols, etc. I wouldn't recommend simple symbol substitution - hackers know people substitute a zero for the letter O, or a 3 for an E. Each site should have its own password - don't share them. Lately - I have been using a two word pattern with numbers and symbols interjected. It makes it easier to remember and type them - but the unrelated words with the symbols and numbers make it hard to hack. Password managers usually can generate random passwords - so I use that on occasion as well for even stronger sites.

For password management, I use LastPass - it works well. I have used Roboform in the past - it works fine. There are others that I have not tried - just do your homework to understand what you are using and what protections it has. Don't lose your master password if you use a manager.

- L
Topic Author
schmitz
Posts: 343
Joined: Thu Sep 01, 2011 5:21 pm

Re: best tips for passwords?

Post by schmitz »

thanks for all the help everyone!
Lacrocious wrote:To be as safe as possible, go with random character passwords that are hard to remember and hard to type - as long as the site allows with as many different character types as you can (Upper case, lower case letters; numbers; symbols). Some sites restrict length or don't allow symbols, etc. I wouldn't recommend simple symbol substitution - hackers know people substitute a zero for the letter O, or a 3 for an E. Each site should have its own password - don't share them. Lately - I have been using a two word pattern with numbers and symbols interjected. It makes it easier to remember and type them - but the unrelated words with the symbols and numbers make it hard to hack. Password managers usually can generate random passwords - so I use that on occasion as well for even stronger sites.

For password management, I use LastPass - it works well. I have used Roboform in the past - it works fine. There are others that I have not tried - just do your homework to understand what you are using and what protections it has. Don't lose your master password if you use a manager.

- L
if you have a different password for every site AND they are long/complicated, how do you remember them all? or is that why you use lastpass? without it, it seems almost impossible to remember many different complicated passwords.
Ice-9
Posts: 1579
Joined: Wed Oct 15, 2008 12:40 pm
Location: MD

Re: best tips for passwords?

Post by Ice-9 »

I recently started using LastPass after years of using just about the exact method jupiter_man outlined so well above. While that previous method successfully generated complex passwords that I could actually remember, I realized that someone who hacked, say, Adobe's list of customer passwords might make guesses that my Yahoo password might be similar. For example, if jupiter_man's "BASE" and "Common-Phrase" were identical for the two sites, with just the "SITE" part of the formula different, it might not be too hard to guess.

Now, with LastPass, I generate a complex, unique, and too difficult to remember password for most sites. There are a couple sites for which I wanted to retain my ability to login outside of LastPass, and for those very rare sites I did think up genuinely unique, complex passwords. But other than those few sites, I rely on LastPass and a CSV file I exported from LastPass and keep in a TrueCrypt-encrypted container, just in case LastPass ever starts yielding errors.
winglessangel31
Posts: 211
Joined: Tue Feb 12, 2013 3:53 pm

Re: best tips for passwords?

Post by winglessangel31 »

I don't use Lastpass as a create-complex-password-then-forget tool because I like to know my passwords and know that I can use any device out there to get to my accounts. But this comic summarizes everything:
Image
Except don't use "correcthorsebatterystaple" because that's probably easy-to-guess now. :P
Starting From Scratch
Posts: 42
Joined: Sun Jul 26, 2009 7:03 am

Re: best tips for passwords?

Post by Starting From Scratch »

+1 for LastPass and TrueCrypt!
My investing "factors" formula: (1) Save More (2) Work Longer (3) Spend Less (4) Reduce Investment Cost
yatesd
Posts: 1040
Joined: Sun Nov 03, 2013 7:19 am
Location: MD

Re: best tips for passwords?

Post by yatesd »

winglessangel31 wrote:I don't use Lastpass as a create-complex-password-then-forget tool because I like to know my passwords and know that I can use any device out there to get to my accounts. But this comic summarizes everything:
Image
Except don't use "correcthorsebatterystaple" because that's probably easy-to-guess now. :P
This works great, except if:

- Use this for all of your sites and one of them gets hacked
- Use this for all of your sites and one of them requires changing passwords every 90 days
- Use this for all of your sites, but one requires numbers, letters & special characters; Another requires numbers and letters, but doesn't work with special characters
- One of your sites doesn't allow repeating letters (example rr in correct)

Unfortunately, this is me. My work tries to be extra secure at their detriment. In fact, even my phone can't be accessed via bluetooth prior to entering a 6-digit random number with no repeating, ascending, or descending characters. By the time I enter my password to use hands free calling I have hit a guard rail. :D

I don't like using a password aggregator because IMHO it can even be more dangerous (and you personally don't know any of your passwords). It just seems like IT is transferring responsibility to the end user. It is getting to the point where most people now need to write or store their passwords somewhere...essentially taking on the liability themselves.
Sunny Sarkar
Posts: 2443
Joined: Fri Mar 02, 2007 12:02 am
Location: Flower Mound, TX

Re: best tips for passwords?

Post by Sunny Sarkar »

winglessangel31 wrote:I don't use Lastpass as a create-complex-password-then-forget tool because I like to know my passwords and know that I can use any device out there to get to my accounts.
The "use Lastpass as a create-complex-password-then-forget tool" strategy accomplishes 2 very important things:
  1. separate passwords for every account
  2. passwords can't be guessed by social engineering
I find trying to remember all the different passwords humanly impossible - there are just too many online accounts - and trying to remember them introduces the risk of compromising the above two in one way or another.

Once I gave up the control of my passwords to LastPass, I also found another use for it...
  3. separate usernames for every account - why not?
I also enjoy the laziness of not having to type my usernames/passwords and not having to click the login button :-)
"Buy-and-hold, long-term, all-market-index strategies, implemented at rock-bottom cost, are the surest of all routes to the accumulation of wealth" - John C. Bogle
Dave55
Posts: 2017
Joined: Tue Sep 03, 2013 2:51 pm

Re: best tips for passwords?

Post by Dave55 »

M Secure is a password vault (manager) that uses 256 blowfish encryption and has never been cracked. If someone attempts to open it it will destroy all the data in it after 5 attempts or however you preset it. You can input your made up passwords in the vault lock it and then open the vault to get a password when you need it. I have been using it for 2 years and love it. Here is their website: (M Seven Software):
https://msevensoftware.com/home
"Reality always wins, your only job is to get in touch with it." Wilfred Bion
buckstar
Posts: 231
Joined: Wed Jul 06, 2011 9:38 am

Re: best tips for passwords?

Post by buckstar »

Length of password is the single most important determinant of security. Ideally you would pick twenty random characters, but that's unrealistic to remember unless you use 1Password, LastPass, etc... I use Diceware to generate my passwords, simple, transparent, easy to remember and free (unless you have to buy the dice). See this for a discussion and instructions: http://world.std.com/~reinhold/diceware.html
User avatar
Toons
Posts: 14467
Joined: Fri Nov 21, 2008 9:20 am
Location: Hills of Tennessee

Re: best tips for passwords?

Post by Toons »

schmitz wrote:anyone have any good tips for creating safe passwords? what is most important?

1) length? 2) using non-letter characters? 3) changing them often? 4) does every website need a different password?

my guess is all of the above. however, is there a way to create passwords that don't need to be changed monthly and so I don't need to memorize 10+ passwords that are each 20+ characters long?

also are those password programs (like 1password) recommended/safe?
Use lastpass and let their software create passwords :happy

https://lastpass.com
"One does not accumulate but eliminate. It is not daily increase but daily decrease. The height of cultivation always runs to simplicity" –Bruce Lee
RNJ
Posts: 863
Joined: Mon Apr 08, 2013 9:06 am

Re: best tips for passwords?

Post by RNJ »

schmitz wrote:thanks for all the help everyone!
Lacrocious wrote:To be as safe as possible, go with random character passwords that are hard to remember and hard to type - as long as the site allows with as many different character types as you can (Upper case, lower case letters; numbers; symbols). Some sites restrict length or don't allow symbols, etc. I wouldn't recommend simple symbol substitution - hackers know people substitute a zero for the letter O, or a 3 for an E. Each site should have its own password - don't share them. Lately - I have been using a two word pattern with numbers and symbols interjected. It makes it easier to remember and type them - but the unrelated words with the symbols and numbers make it hard to hack. Password managers usually can generate random passwords - so I use that on occasion as well for even stronger sites.

For password management, I use LastPass - it works well. I have used Roboform in the past - it works fine. There are others that I have not tried - just do your homework to understand what you are using and what protections it has. Don't lose your master password if you use a manager.

- L
if you have a different password for every site AND they are long/complicated, how do you remember them all? or is that why you use lastpass? without it, it seems almost impossible to remember many different complicated passwords.
The only piece of the password that would change from site to site is the name of the site used in the password. The rest of the password is the same.
JonnyDVM
Posts: 2999
Joined: Wed Feb 12, 2014 5:51 pm
Location: Atlanta, GA

Re: best tips for passwords?

Post by JonnyDVM »

I have password keeper on my iPhone. I have roughly a dozen different passwords for work and of course all the personal passwords. Many are similar, I don't know anyone that actually has a completely random different password for everything. I would spend all day looking up pass codes. :oops:

Yesterday I was on the phone with a hotel/casino resetting a password for a rewards card. It required an upper case, lower case, number and special character. I commented that I thought that was ridiculous for something tied to a casino rewards card to have such a complicated password. It's really annoying that we now have to have not just a password for everything we do, but a complicated password.

Oh no! Someone hacked into my hard rock account and made room reservations ! What if they pretend to be me and get a two for one buffet!!! It could be the end of the world as we know it.
I’d trade it all for a little more | -C Montgomery Burns
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: best tips for passwords?

Post by tadamsmar »

Sharing your password with your spouse or anyone else violates our responsibilities under Vanguard's fraud reimbursement guarantee. If you need shared account access use Agent Authorization.
Ged
Posts: 3945
Joined: Mon May 13, 2013 1:48 pm
Location: Roke

Re: best tips for passwords?

Post by Ged »

schmitz wrote:anyone have any good tips for creating safe passwords? what is most important?

1) length? 2) using non-letter characters? 3) changing them often? 4) does every website need a different password?

my guess is all of the above. however, is there a way to create passwords that don't need to be changed monthly and so I don't need to memorize 10+ passwords that are each 20+ characters long?

also are those password programs (like 1password) recommended/safe?
1. Not length, entropy.
2. The larger the character set the shorter the password needed for the same entropy.
3. Changing them often probably a waste of time unless the account contains data aggregated from multiple users where ongoing access would be useful.
4. YES!!!

Password keeper software is really the best way to implement this.
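
An added example, not part of any post in this thread: it works through the entropy arithmetic Ged refers to and the dice-to-word lookup that buckstar's Diceware link relies on. The function names and the 36-word list are made up for illustration (the real Diceware list has 6^5 = 7776 words), and the figures only hold when every character or word is picked uniformly at random.

```python
import math
import secrets

# Constructed 36-word demo list (6^2 entries, so two dice rolls select one word).
# It is NOT the real Diceware list, which has 6^5 = 7776 words and uses five rolls.
DEMO_WORDS = (
    "anvil bacon cedar delta ember fjord gravel hazel igloo jumbo kayak lemon "
    "mango nickel otter pebble quilt raven salsa tulip umber velvet walnut xenon "
    "yacht zebra acorn bison comet dingo eagle fable gecko heron ivory jelly"
).split()

# Number of equally likely choices per position for some common schemes.
ALPHABETS = {
    "digits": 10,
    "lowercase letters": 26,
    "letters and digits": 62,
    "printable ASCII": 94,
    "Diceware words": 7776,
}


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy when `picks` items are each drawn uniformly from `choices`."""
    return picks * math.log2(choices)


def min_picks(choices: int, target_bits: float) -> int:
    """Fewest uniform picks from `choices` options that reach `target_bits`."""
    return math.ceil(target_bits / math.log2(choices))


def length_table(target_bits: float) -> dict:
    """Length needed per scheme for the same entropy: bigger set, shorter secret."""
    return {name: min_picks(size, target_bits) for name, size in ALPHABETS.items()}


def dice_per_word(wordlist) -> int:
    """Dice rolls needed to address every word; the list size must be a power of 6."""
    size, dice = len(wordlist), 1
    while 6 ** dice < size:
        dice += 1
    if 6 ** dice != size:
        raise ValueError("word list size must be 6, 36, 216, 1296, 7776, ...")
    return dice


def rolls_to_index(rolls) -> int:
    """Read die faces (1-6) as base-6 digits, so 1,1 maps to 0 and 6,6 to 35."""
    index = 0
    for face in rolls:
        if not 1 <= face <= 6:
            raise ValueError("a die face must be between 1 and 6")
        index = index * 6 + (face - 1)
    return index


def generate_passphrase(wordlist, n_words: int) -> str:
    """Pick n_words by simulated dice rolls drawn from the OS random source."""
    dice = dice_per_word(wordlist)
    words = []
    for _ in range(n_words):
        rolls = [secrets.randbelow(6) + 1 for _ in range(dice)]
        words.append(wordlist[rolls_to_index(rolls)])
    return " ".join(words)


if __name__ == "__main__":
    for name, length in length_table(64).items():
        print(f"{name:20s} needs {length:2d} picks for 64 bits")
    phrase = generate_passphrase(DEMO_WORDS, 5)
    bits = entropy_bits(len(DEMO_WORDS), 5)
    print(f"demo passphrase: {phrase}  ({bits:.1f} bits with this tiny list)")
    print(f"5 words from a 7776-word list: {entropy_bits(7776, 5):.1f} bits")
```

Swapping in a full 7776-word list changes nothing in the code; `dice_per_word` then returns 5 and each word contributes about 12.9 bits.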
INDUBITABLY
Posts: 312
Joined: Fri Oct 26, 2007 12:01 pm

Re: best tips for passwords?

Post by INDUBITABLY »

I had a long post on the subject typed out only to have my login session time out and lose it (oh, the irony).

In summary:
  • Use a password manager (KeePass is good) to store both your passwords and "security" questions/answers
  • Use a password generator for both your passwords and "security" answers
  • Protect your primary email account (using 2 factor authentication when available)
  • BACKUP YOUR DATA! Or at least your encrypted password database, 'cause it's really important now.
  • Generate a password that you can remember for your master password (good password generators have a variety of schemes to do this well)
  • Write down your master password and keep it somewhere safe with your other important documents (losing your master password is the same thing as losing all copies of your password database, i.e., BAD NEWS)
  • Changing your passwords is somewhat important, mainly when changing your master password and stored account passwords together (limits the time an attacker would have to guess your master password). Good password managers will let you set a password change interval and remind you when it's time to change them.
"Ah ha! Once again, the conservative, sandwich-heavy portfolio pays off for the hungry investor!" - Dr. Zoidberg
winglessangel31
Posts: 211
Joined: Tue Feb 12, 2013 3:53 pm

Re: best tips for passwords?

Post by winglessangel31 »

yatesd wrote:
winglessangel31 wrote:I don't use Lastpass as a create-complex-password-then-forget tool because I like to know my passwords and know that I can use any device out there to get to my accounts. But this comic summarizes everything:
Image
Except don't use "correcthorsebatterystaple" because that's probably easy-to-guess now. :P
This works great, except if:

- Use this for all of your sites and one of them gets hacked
- Use this for all of your sites and one of them requires changing passwords every 90 days
- Use this for all of your sites, but one requires numbers, letters & special characters; Another requires numbers and letters, but doesn't work with special characters
- One of your sites doesn't allow repeating letters (example rr in correct)

Unfortunately, this is me. My work tries to be extra secure at their detriment. In fact, even my phone can't be accessed via bluetooth prior to entering a 6-digit random number with no repeating, ascending, or descending characters. By the time I enter my password to use hands free calling I have hit a guard rail. :D

I don't like using a password aggregator because IMHO it can even be more dangerous (and you personally don't know any of your passwords). It just seems like IT is transferring responsibility to the end user. It is getting to the point where most people now need to write or store their passwords somewhere...essentially taking on the liability themselves.
I never suggested using the same password everywhere. :)
wilpat
Posts: 534
Joined: Sun Jan 20, 2008 6:30 pm

Re: best tips for passwords?

Post by wilpat »

I have several ways to do passwords.
1. My Marine Corps ID (from 58 years ago) in reverse order preceded by ! with Sir added to the end.
2. 2 or 3 of my grandkids middle names (girls UPPER CASE/boys lower case) in reverse order with the oldest preceded by ! the second oldest preceded by @ the third oldest preceded by # etc.
3. My maternal great grandmothers maiden name translated into French and reversed. Vowels lower case -- consonants UPPER CASE. Any 2 consecutive letters preceded by *
4. same as 2 but with different grandkids.
5. Something I haven't created yet.
Contrary to the belief of many, profit is not a four letter word!
winglessangel31
Posts: 211
Joined: Tue Feb 12, 2013 3:53 pm

Re: best tips for passwords?

Post by winglessangel31 »

Before this escalates and more people do it, it's always a risk that in a thread asking for password tips people start posting real examples of what they do. Your online identities are not that hard to reconcile. :oops: :!: :!: :shock:
sscritic
Posts: 21853
Joined: Thu Sep 06, 2007 8:36 am

Re: best tips for passwords?

Post by sscritic »

wilpat wrote: 2. 2 or 3 of my grandkids middle names (girls UPPER CASE/boys lower case) in reverse order with the oldest preceded by ! the second oldest preceded by @ the third oldest preceded by # etc.
I use nicknames, not real names. I also use birthdays of people outside my immediate family, if adult siblings count as outside my immediate family. I used to use my old girlfriend's birthday, but my wife didn't like it.
Lacrocious
Posts: 378
Joined: Thu Mar 22, 2007 9:45 pm
Location: Wisconsin

Re: best tips for passwords?

Post by Lacrocious »

schmitz wrote:thanks for all the help everyone!
...if you have a different password for every site AND they are long/complicated, how do you remember them all? or is that why you use lastpass? without it, it seems almost impossible to remember many different complicated passwords....
Yes - that is why I use a password manager. I first used Roboform, then switched to LastPass.

I love the xkcd comic that was posted. It is basically what I do. Using the "password" from the comic - I might change it to be something like "17Horse!Staple83" - adding mixed case, numbers and symbols rather than just the 4 random words from the comic "correcthorsebatterystaple". Note - none of these are anything like my passwords.

As others have said - make sure you remember your master password. LastPass has some methods to generate one-time-use master passwords that can be recovery passwords - generate one, save just the pwd in a secure location - printed in a safe or safe deposit box? or hidden somewhere secure. Maybe split it into multiple pieces and hide separately. You can also save a csv file- but be sure to encrypt it and store it securely.

- L
yatesd
Posts: 1040
Joined: Sun Nov 03, 2013 7:19 am
Location: MD

Re: best tips for passwords?

Post by yatesd »

I never suggested using the same password everywhere. :)
winglessangel31,

I think you missed my point. I really like your comic and suggested technique. Actually thought about implementing it until I considered other challenges that I still need to face. Such as...

- changing passwords every 90 days
- Some sites having very challenging requirements while others don't allow passwords with the same complexity
- memory challenged

I'm not just looking for more challenging passwords...I also need to remember them.
Last edited by yatesd on Sun Feb 16, 2014 6:53 pm, edited 1 time in total.
tennisplyr
Posts: 3703
Joined: Tue Jan 28, 2014 12:53 pm
Location: Sarasota, FL

Re: best tips for passwords?

Post by tennisplyr »

There are password protection programs that many use, see:

http://www.bogleheads.org/forum/viewtop ... d#p1880011

If you want to keep it simple, maybe the first four letters of the site and the year you graduated college, eg,

For Chase it would be: chas1982
“Those who move forward with a happy spirit will find that things always work out.” -Retired 13 years 😀
telemark
Posts: 3389
Joined: Sat Aug 11, 2012 6:35 am

Re: best tips for passwords?

Post by telemark »

I recommend completely random passwords. Modern cracking programs have become very sophisticated, so if you can remember a password it almost certainly follows one of the patterns that a cracking program will try. And when you have dozens of accounts with varying degrees of security, there's an excellent chance that at least one of them will be hacked, so you should use a different password for each account. And once you've reached this point, there's really no choice but to use some kind of password manager to keep track of them all. Fortunately there are lots of good ones to choose from.

On the other hand, changing passwords regularly buys you very little in the way of security and makes an annoying business even more annoying.
Jeff Albertson
Posts: 904
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: best tips for passwords?

Post by Jeff Albertson »

This weekend Google bought an Israeli developer of security technology, SlickLogin.

"A site enabled with SlickLogin’s technology can use your computer’s speakers to generate a high-frequency sound that’s silent to human ears but which can be picked up by the microphone on a smartphone. The phone has to be close to the computer. Each audio signal is unique, and based on a unique numerical key that’s generated on the back end. The service can also be used to sign into banks, corporate VPNs and pretty much any other kind of service."

No one knows what internet security will look like in a few years, but it could be much more secure.

FT: http://www.ft.com/intl/cms/s/0/ab00362c ... ab7de.html
recode: http://recode.net/2014/02/16/google-acq ... licklogin/
g$$
Posts: 468
Joined: Tue Dec 20, 2011 11:17 pm
Location: San Francisco

Re: best tips for passwords?

Post by g$$ »

As others have suggested, try a password manager.

I use keepass and would recommend it. I've heard lastpass is great, though I've never tried it.

Because of keepass, I honestly don't even know most of my passwords. They're almost all 25 characters (or more), alphanumeric, contain special characters, and so garbled I just can't be bothered to know any of them.

Another benefit of this approach.... if one website gets hacked i can just change that one password and not worry about changing all of my passwords. They're all different after all.

-g$$
Beezthree
Posts: 183
Joined: Wed May 07, 2008 11:16 pm

Re: best tips for passwords?

Post by Beezthree »

i wish lastpass and the like were practical for me.

i do much of my internetting at work, behind a massive company firewall/filter that won't let me download or use any outside software. makes using lastpass or other similar password generating software impossible.

anyone have any ideas to circumvent this scenario? i'd love to be able to use this technology.
jebmke
Posts: 25474
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: best tips for passwords?

Post by jebmke »

Beezthree wrote:i wish lastpass and the like were practical for me.

i do much of my internetting at work, behind a massive company firewall/filter that won't let me download or use any outside software. makes using lastpass or other similar password generating software impossible.

anyone have any ideas to circumvent this scenario? i'd love to be able to use this technology.
Keepass has a smartphone app. I use Keepass on my laptops with the db file stored in Dropbox. With Dropbox and Keepass on my phone I can access the password database anywhere -- even without an internet connection.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
winglessangel31
Posts: 211
Joined: Tue Feb 12, 2013 3:53 pm

Re: best tips for passwords?

Post by winglessangel31 »

Beezthree wrote:i wish lastpass and the like were practical for me.

i do much of my internetting at work, behind a massive company firewall/filter that won't let me download or use any outside software. makes using lastpass or other similar password generating software impossible.

anyone have any ideas to circumvent this scenario? i'd love to be able to use this technology.
Don't. :) No matter how frustrating, you want to stay on your company's and their IT's good side.
Just create memorable passwords that are hard to crack. libertyGoofballAteMunchkins.
winglessangel31
Posts: 211
Joined: Tue Feb 12, 2013 3:53 pm

Re: best tips for passwords?

Post by winglessangel31 »

yatesd wrote:
I never suggested using the same password everywhere. :)
winglessangel31,

I think you missed my point. I really like your comic and suggested technique. Actually thought about implementing it until I considered other challenges that I still need to face. Such as...

- changing passwords every 90 days
- Some sites having very challenging requirements while others don't allow passwords with the same complexity
- memory challenged

I'm not just looking for more challenging passwords...I also need to remember them.
Ah :) if memory is a huge challenge, then really nothing can help... :P but having to change password every 90 days and complexity requirements aren't really arguments I'd buy :) For example, since someone else brought up Chase, and because it's convenient, here are seeds:
  • ChaseGirlScoutBearCookieMonsters
  • ChaseScoutBearQ3Mawnstahzzz
  • CsbQ3MzzzOm&nom
Perhaps in 90 days you make it:
  • ChaseRobberRobertRobinHoodTightsRightyLoosey
  • ChaseberertintTightyWhiteyRLucy
  • CheererTint80WhiteyRLC
:sharebeer
g$$
Posts: 468
Joined: Tue Dec 20, 2011 11:17 pm
Location: San Francisco

Re: best tips for passwords?

Post by g$$ »

keepass can run from a thumbdrive. this would circumvent your issue with the employer. Just google search "keepass portable app"
rad597
Posts: 54
Joined: Fri Feb 27, 2009 10:57 am

Re: best tips for passwords?

Post by rad597 »

https://passfault.appspot.com/password_strength.html

Found this on USA today awhile back. Interesting to play with. I use 1password on our apple devices.
tbradnc
Posts: 1532
Joined: Wed Apr 02, 2008 8:30 am

Re: best tips for passwords?

Post by tbradnc »

I've never understood why password changes are forced and I'm glad Vanguard and Fidelity don't play that way.

My local regional bank forces a password change every 90 days and I really dislike it. Is the assumption someone is close to cracking your already very good password and you're going to foil them at the last moment and make them start all over?
yatesd
Posts: 1040
Joined: Sun Nov 03, 2013 7:19 am
Location: MD

Re: best tips for passwords?

Post by yatesd »

Well, I am weak. I finally gave in and signed up for fast pass premium ($12) a year. Ironically, a little bit of a hassle for the two vendors I was most concerned about (VG and bank). However, it does seem to be working so far.

I prefer to pay for stuff that becomes critical for me so there is a reasonable level of obligation from the vendor. Same reason I use smugmug for photos/videos rather than a free provider that might just delete them on a whim. IMHO it is important to understand the business model, versus a free vendor that is data mining for advertisers, etc.
tbradnc
Posts: 1532
Joined: Wed Apr 02, 2008 8:30 am

Re: best tips for passwords?

Post by tbradnc »

I use Keeper (https://keepersecurity.com/). It's a pay subscription service as well.

What I like about it is that it doesn't try to do everything like remember my identity and credit cards and it doesn't botch a lot of my logins by crapping out during an automatic login process. It doesn't try to autofill forms which I like. To me, the failure of most of this type program is the kitchen sink approach - I just want to manage passwords.

I have to click a little lock icon to enter my username, then click another time to enter my password - so it works, 100% of the time.

It also has web access so I can access a password over an SSL connection if necessary and works perfectly on my iphone and ipad.
stan1
Posts: 14246
Joined: Mon Oct 08, 2007 4:35 pm

Re: best tips for passwords?

Post by stan1 »

Work around for work (where I can't install software OR use USB devices): I bring the username/password up in LastPass on my phone and type it in.
Warning: I am about 80% satisficer (accepting of good enough) and 20% maximizer
furwut
Posts: 2123
Joined: Tue Jun 05, 2012 8:54 pm

Re: best tips for passwords?

Post by furwut »

Another reason to store all your passwords using password manager software is to enable quick access to your accounts for your loved ones should you become indisposed.

A paper list is too easily lost, incomplete, or out of date. With a password manager all someone needs is your master password.
lightheir
Posts: 2684
Joined: Mon Oct 03, 2011 11:43 pm

Re: best tips for passwords?

Post by lightheir »

I use Keepass for all financials. Open source, reliable for years.

I actually prefer that Keepass isn't so easy to keep open on multiple browsers/phones. (As compared to Lastpass.) For financial pwds I want it to force me to really have to put in extra effort if I'm going to open financial software anywhere other than my home computer where it's safe. I do have the iphone keepass app as well, but it's only for emergencies - I've verified it works but otherwise never use it.
Jeff Albertson
Posts: 904
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: best tips for passwords?

Post by Jeff Albertson »

Beezthree wrote:i wish lastpass and the like were practical for me.

i do much of my internetting at work, behind a massive company firewall/filter that won't let me download or use any outside software. makes using lastpass or other similar password generating software impossible.

anyone have any ideas to circumvent this scenario? i'd love to be able to use this technology.
Lastpass has smartphone apps that sync with your other devices. They also have a portable app that works off a USB thumbdrive, Lastpass Pocket.
https://helpdesk.lastpass.com/lastpass- ... ss-pocket/
tadamsmar
Posts: 9972
Joined: Mon May 07, 2007 12:33 pm

Re: best tips for passwords?

Post by tadamsmar »

furwut wrote:Another reason to store all your passwords using password manager software is to enable quick access to your accounts for your loved ones should you become indisposed.

A paper list is too easily lost, incomplete, or out of date. With a password manager all someone needs is your master password.
If you do that then you are not living up to your responsibilities under Vanguard's fraud reimbursement guarantee:
Never share your user name, password, or other account-related information with anyone.
https://personal.vanguard.com/us/help/S ... ontent.jsp

Instead, you should use an agent authorization or the appropriate form to grant others access to your account:

https://personal.vanguard.com/us/litful ... C&subCat2=

In the case of a deceased person, the account should not be accessed. The executor and beneficiaries should contact Vanguard. You should provide them with instructions on how to do that.
rixer
Posts: 758
Joined: Tue Sep 11, 2012 4:18 pm

Re: best tips for passwords?

Post by rixer »

You can probably just use a random car license plate number you are following on the way home from work. that would be hard to hack, I would think.
pa7VQbb1kTkj1eLn3spK
Posts: 51
Joined: Sun Jan 26, 2014 1:05 pm

Re: best tips for passwords?

Post by pa7VQbb1kTkj1eLn3spK »

schmitz wrote:anyone have any good tips for creating safe passwords? what is most important?

1) length? 2) using non-letter characters? 3) changing them often? 4) does every website need a different password?

my guess is all of the above. however, is there a way to create passwords that dont need to be changed monthly and so I dont need to memorize 10+ passwords that are each 20+ characters long?

also are those password programs (like 1password) recommended/safe?
I use KeePass as a password manager. I randomly generate a password for every account and the only password I know from memory is my Gmail account as I use it to access mail from work and I use the two-step authentication method. I have no idea what my passwords are to the other 300 accounts I have (financial, shopping, message boards, etc.). With KeePass, I simply type in my master passphrase to open KeePass, and copy+paste the specific password into the site. There are cloud-based solutions, but I don't feel comfortable having my passwords kept outside my control. I keep the KeePass database file on an IronKey USB flash drive.

The following is based on me using KeePass:

1) Make the length as long as the site will support. It'll generally tell you how many max characters can be used.

2) Absolutely use non-alphabet characters. Some of the better sites will tell you what special symbols are allowed like spaces.

3) Because I randomly generate my passwords with special characters I don't change my passwords for all accounts. While it is good practice to change your password every couple of months, it's not feasible when you have over 300 accounts like I do. So, I focus on the financial type accounts and change those every six months or when I get bored. Accounts for message boards I don't change (just too many of them!) as I'm not as paranoid about them.

4) Yes, it is best practice that every password be different for each website. In fact, if the site allows, I randomly generate the username so it's different for each site, hence why my Boglehead's username is all gibberish.
Random Musings
Posts: 6770
Joined: Thu Feb 22, 2007 3:24 pm
Location: Pennsylvania

Re: best tips for passwords?

Post by Random Musings »

rixer wrote:You can probably just use a random car license plate number you are following on the way home from work. that would be hard to hack, I would think.
Not enough length.

RM
I figure the odds be fifty-fifty I just might have something to say. FZ
Nowa Osoba
Posts: 6
Joined: Tue Sep 17, 2013 9:01 pm

Re: best tips for passwords?

Post by Nowa Osoba »

A few more tips:
--Security challenge questions should not be truthfully answered. A nonsensical passphrase is better, or even a long random string of characters if you don't have to give your answer to a human being over the phone
--A username of random characters may be good too
--Close all unnecessary accounts, and avoid opening new accounts for onetime transactions (e.g. online retailers). Fewer passwords to manage, and fewer accounts susceptible to data breaches
--Avoid storing bank and credit card information with online retailers unless completely necessary

I echo the recommendations for maximal entropy randomly generated passwords, password managers (keepass is my favorite), and multi-factor authentication.
richard
Posts: 7961
Joined: Tue Feb 20, 2007 2:38 pm

Re: best tips for passwords?

Post by richard »

Nowa Osoba wrote:A few more tips:
--Security challenge questions should not be truthfully answered. A nonsensical passphrase is better, or even a long random string of characters if you don't have to give your answer to a human being over the phone<snip>
Security challenge questions are a major security hole. The typical questions are things that can be relatively easily discovered. There are numerous reports of crackers gaining access to accounts by figuring out the answers to security questions.
zaplunken
Posts: 1368
Joined: Tue Jul 01, 2008 9:07 am

Re: best tips for passwords?

Post by zaplunken »

I am not directing this at anyone. I hope to show you that no matter what you think you are not really safe unless...

So any words and phrases in dictionaries whether English or foreign are useless. Cracking software using GPUs (forget what they are just know they are powerfully fast!) can run through billions of combinations a second.

So here's what you do:

1. use some form of password manager. By doing this you don't have to remember anything except the master password and that should be really long and complex but something you can remember. Ex - use names, dates, old addresses, old phone numbers, anything that you can remember so for example here's your master password:
kYlE!82312@12/24/65#jAcKsOn$06/25/82%that'sallfolks
alternate lower and upper case in words with every other or every 3rd character
kYle is your kid, friend, dog, spouse, whatever
! 1st separator and 1st special character on keyboard
82312 someone's zip code
@ 2nd separator and 2nd special character on keyboard
12/24/65 someone's birth date
# 3rd separator and 3rd special character on keyboard
jAcKsOn last name or first name of someone
$ 4th separator and 4th special character on keyboard
06/25/82 another birth date or anniversary whatever you want
% 5th separator and 5th special character on keyboard
that'sallfolks how you end it

so that is such a crazy master password once you get the naming convention you want and you can remember and the length with upper, lower characters, numbers, special characters it is a good one!

now I use unique userids and passwords for everything and I use the max length and all the characters each site allows. For example here's what I might use for say a bank -
userid is Ym(4",ag2QLn8^]Pzn7b
password is 0(MpO-1QXt5${Ky7@hVz9*\cR.i

I make these up and it is easy to do this. Storing them in your password safe means you don't have to remember any of them, just the master password. I put the password safe on a flash drive not the c drive so it isn't online unless you plug it in. I keep 2 flash drives in case one fails. I print a copy of the password manager's contents and put it into my safe deposit box at the bank.

This is as safe as you can get. Forget your "tricky" ideas cuz crackers use all sorts of software to try all different combinations. Could they guess my stuff? Maybe but the length, complexity and randomness of these userids and passwords makes them pretty safe.
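
Added example (editorial, not part of any post in this thread): a Python sketch of the "random password as long as the site allows, using the symbols it allows" approach described in the posts above, with an entropy estimate that shows why a license-plate-length string is "not enough length". The default symbol set, the 7-character plate, and the one-billion-guesses-per-second rate are assumptions chosen for illustration; the entropy figure only holds for characters picked uniformly at random.

```python
import math
import secrets
import string

def generate_password(length, symbols="!@#$%^&*()-_=+[]{}"):
    """Random password from the OS CSPRNG, shaped to a site's stated policy.

    `length` is the site's maximum; `symbols` is the set the site allows
    (pass "" for sites that reject symbols). Both are values you fill in.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        classes.append(symbols)
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Retry until every class appears, since many sites enforce that rule.
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate

def entropy_bits(alphabet_size, length):
    """Bits of entropy when each character is chosen uniformly at random."""
    return length * math.log2(alphabet_size)

def seconds_to_exhaust(bits, guesses_per_second=1e9):
    """Time to try every possibility at an assumed guessing rate."""
    return 2 ** bits / guesses_per_second

if __name__ == "__main__":
    plate = entropy_bits(36, 7)     # constructed case: 7 letters/digits
    strong = entropy_bits(80, 20)   # 20 chars from the 80-character default alphabet
    print(generate_password(20))
    print(f"plate-style: {plate:.1f} bits, {seconds_to_exhaust(plate):.0f} s")
    print(f"20 random:   {strong:.1f} bits, "
          f"{seconds_to_exhaust(strong) / 3.15e7:.2e} years")
```
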
bertcooper
Posts: 4
Joined: Sun Jan 05, 2014 7:38 pm

Re: best tips for passwords?

Post by bertcooper »

Install Lastpass in your browser. Pick a nice, long, difficult password for it.

Now, you can use Lastpass to generate appropriately secure passwords for each unique account that you have. The best part is, Lastpass will remember them all, because there is no way you will. No more Post-Its in your drawer, no more secret notebook, no more secret spreadsheet...
winglessangel31
Posts: 211
Joined: Tue Feb 12, 2013 3:53 pm

Re: best tips for passwords?

Post by winglessangel31 »

I find it really intriguing that people are so comfortable with password managers that they'd trust the password manager to do all the memory work.
I find it also really intriguing that people are so comfortable with putting all eggs in one basket. Lose the master password/account, lose everything. That's exactly the argument for having unique passwords across sites---if you have one username/password compromised, the rest are still largely safe.
It is far too easy to accidentally the whole password manager account; you could forget, you could lose the encrypted files, you could have something hacked, and so on. The way people leave their hard drives unencrypted (e.g., not using Bitlocker or similar), the way lots of people leave machines unlocked when they leave the room... I don't know. :oops: