[Question regarding password security]

Posted: Sun Sep 13, 2020 9:12 am
by steve321
i have several bank+brokerage accounts plus other accounts for which you need a password (like email, utility companies etc).
I am becoming more conscious of taking precautions to ensure these accounts are not hacked.
Is it ok to choose a pretty complicated password but the same for all accounts? It would be very hard for me to remember a password for each account (I tried that before and often had to ask for a new one since I forgot it).
I mean is there a bigger risk if all your passwords are the same? Or if for example all your financial accounts passwords are the same, but different from your email password, since you give your email address to your bank?
Please let me know what you think. Cheers.

[Post title modified for clarity by moderator oldcomputerguy]

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 9:15 am
by atikovi
steve321 wrote: Sun Sep 13, 2020 9:12 am Is it ok to choose a pretty complicated password but the same for all accounts?
That's what I do or a slight variation thereof. And they're not too complicated. No problem in 20+ years.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 9:25 am
by lazydavid
You need a password manager. If a password is compromised at any site, every account where that same password is used will eventually be compromised as well. Since you won't always know when this occurs, the risk is too great, especially with financial accounts IMO.

I personally use LastPass, but there are several other great options in 1Password, Keepass, and others. A good password manager will automatically generate long, complex passwords that are unique for every site. You only need to create and remember one very secure passphrase to allow you to access your vault. It is VITALLY important that this passphrase be something you never have and never will use as a credential on any other site. Mine is over 30 characters long, but very easy for me to remember, and I can type it in about 2 seconds (8 or so on mobile).

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 9:27 am
by jebmke
Password manager. Eliminates the need to remember. Some good "online" options as well as standalone (Keepass).

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 9:32 am
by BogleTaxPro
lazydavid wrote: Sun Sep 13, 2020 9:25 am You need a password manager. If a password is compromised at any site, every account where that same password is used will eventually be compromised as well. Since you won't always know when this occurs, the risk is too great, especially with financial accounts IMO.

I personally use LastPass, but there are several other great options in 1Password, Keepass, and others. A good password manager will automatically generate long, complex passwords that are unique for every site. You only need to create and remember one very secure passphrase to allow you to access your vault. It is VITALLY important that this passphrase be something you never have and never will use as a credential on any other site. Mine is over 30 characters long, but very easy for me to remember, and I can type it in about 2 seconds (8 or so on mobile).
+100!

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 9:59 am
by mptfan
steve321 wrote: Sun Sep 13, 2020 9:12 am Is it ok to choose a pretty complicated password but the same for all accounts?
No, that is definitely not ok. Use a password manager and make all of your passwords strong and unique, that is especially important for your financial accounts.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 10:03 am
by Broken Man 1999
BogleTaxPro wrote: Sun Sep 13, 2020 9:32 am
lazydavid wrote: Sun Sep 13, 2020 9:25 am You need a password manager. If a password is compromised at any site, every account where that same password is used will eventually be compromised as well. Since you won't always know when this occurs, the risk is too great, especially with financial accounts IMO.

I personally use LastPass, but there are several other great options in 1Password, Keepass, and others. A good password manager will automatically generate long, complex passwords that are unique for every site. You only need to create and remember one very secure passphrase to allow you to access your vault. It is VITALLY important that this passphrase be something you never have and never will use as a credential on any other site. Mine is over 30 characters long, but very easy for me to remember, and I can type it in about 2 seconds (8 or so on mobile).
+100!
I use LastPass, and my master password is a statement containing words relevant to only myself. If I showed my family members my statement they would have no reason to even associate any of the words to me, and they certainly know me best. Of course a written record of my master password is available to family members to use when I assume room temperature.

Broken Man 1999

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 10:06 am
by donfairplay
atikovi wrote: Sun Sep 13, 2020 9:15 am
steve321 wrote: Sun Sep 13, 2020 9:12 am Is it ok to choose a pretty complicated password but the same for all accounts?
That's what I do or a slight variation thereof. And they're not too complicated. No problem in 20+ years.
Using the same security question answer on all accounts? This is like using the same password for all accounts (possibly worse).

If your utility company, etc. and its security question is breached, then all other accounts with the same security question answer are now breached. Very bad idea.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 10:07 am
by wander
One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 10:10 am
by jebmke
wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
I have never had to change my passwords at financial institutions. I can't remember the last time any online site of any kind required me to change my password. I've done it voluntarily for a couple of email accounts that I needed to strengthen.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 10:11 am
by atikovi
donfairplay wrote: Sun Sep 13, 2020 10:06 am
atikovi wrote: Sun Sep 13, 2020 9:15 am
steve321 wrote: Sun Sep 13, 2020 9:12 am Is it ok to choose a pretty complicated password but the same for all accounts?
That's what I do or a slight variation thereof. And they're not too complicated. No problem in 20+ years.
Using the same security question answer on all accounts? This is as good an idea as using the same password for all accounts (possibly worse).

If your utility company, etc. and its security question is breached, then all other accounts with the same security question answer are now breached. Very bad idea.
What do you mean security question? This is about passwords.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 10:13 am
by wander
jebmke wrote: Sun Sep 13, 2020 10:10 am
wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
I have never had to change my passwords at financial institutions. I can't remember the last time any online site of any kind required me to change my password. I've done it voluntarily for a couple of email accounts that I needed to strengthen.
That's good then. I don't think carrying different passwords serves any benefit considering you now have 2-step verification.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 10:15 am
by Jeff Albertson
wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
worst advice you'll read this year!

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 10:16 am
by donfairplay
atikovi wrote: Sun Sep 13, 2020 10:11 am
donfairplay wrote: Sun Sep 13, 2020 10:06 am
atikovi wrote: Sun Sep 13, 2020 9:15 am
steve321 wrote: Sun Sep 13, 2020 9:12 am Is it ok to choose a pretty complicated password but the same for all accounts?
That's what I do or a slight variation thereof. And they're not too complicated. No problem in 20+ years.
Using the same security question answer on all accounts? This is as good an idea as using the same password for all accounts (possibly worse).

If your utility company, etc. and its security question is breached, then all other accounts with the same security question answer are now breached. Very bad idea.
What do you mean security question? This is about passwords.
I was going by the title of the post, assuming password meant the answer to the security question.

Either way, do people really just use the same password or security question answer for everything? The password/answer may be complicated, but it isn't secure.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 10:19 am
by steve321
lazydavid wrote: Sun Sep 13, 2020 9:25 am You need a password manager. If a password is compromised at any site, every account where that same password is used will eventually be compromised as well. Since you won't always know when this occurs, the risk is too great, especially with financial accounts IMO.

I personally use LastPass, but there are several other great options in 1Password, Keepass, and others. A good password manager will automatically generate long, complex passwords that are unique for every site. You only need to create and remember one very secure passphrase to allow you to access your vault. It is VITALLY important that this passphrase be something you never have and never will use as a credential on any other site. Mine is over 30 characters long, but very easy for me to remember, and I can type it in about 2 seconds (8 or so on mobile).
Thanks, just found the app (LastPass). Going to explore how it works.
So basically if I understood, with this the only risk would be if someone found out and guessed your password for LastPass, in which case if I understand correctly they could hack all your accounts, which is why you have to make that one password extra safe.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 10:28 am
by atikovi
I'm annoyed when a site requires your password to have at least one upper or lowercase letter, one number, a special character, etc. You'd think you were creating a pw to access the site for NORAD, but it's just some internet forum. If I can't use the pw I want, sometimes I just don't join.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 10:34 am
by lazydavid
steve321 wrote: Sun Sep 13, 2020 10:19 am Thanks, just found the app (LastPass). Going to explore how it works.
So basically with this the only risk would be if someone found out and guessed your password for LastPass, in which case if I understand correctly they could hack all your accounts, which is why you have to make that one password extra safe, right?
I would be loath to say it's the only risk, but it is far and away the predominant risk. And yes, this is why that master password has to be very strong and never reused anywhere else.

Other risks and mitigations:

  • Attacks against the client itself--these are exceedingly rare, but do happen, and are patched VERY quickly once found.
  • Tricking you into filling your passwords into the wrong site--password manager actually helps here, as it will refuse to fill your vanguard.com password on a spoof site like for example vangurd.com.
  • Malware running on your machine, capturing passwords as they are submitted--if this happens, it's game over for every site you visit, password manager or no.

But yes, a strong master password is 99% of it. I have in the past posted my encrypted password for BogleHeads directly in a message thread, because without my master password, it's utterly useless.
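The second risk in lazydavid's list, a manager declining to fill vanguard.com credentials on vangurd.com, comes down to matching the saved entry's domain against the page you are actually on. The following is an added illustration written for this thread, not LastPass code or any vendor's matching logic. The rule it implements is an assumption: fill only when the page's registrable domain (eTLD+1) equals the saved entry's and the page is served over HTTPS. A tiny constructed suffix table stands in for the real Public Suffix List.

```python
"""Why a password manager refuses to fill a saved login on a look-alike site.

Added illustration for this thread; not LastPass code or any vendor's logic.
Matching rule (assumed): fill only when the page's registrable domain equals
the saved entry's and the page is served over HTTPS.
"""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (real managers ship the full list).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk", "example"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a host, e.g. 'investor.vanguard.com' -> 'vanguard.com'.

    Longest candidate suffix is tried first so 'co.uk' wins over 'uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    for n in range(len(labels) - 1, 0, -1):
        if ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ".".join(labels)  # unknown suffix: treat the whole host as the domain


def should_fill(saved_url: str, page_url: str) -> bool:
    """Decide whether the saved credential may be auto-filled on page_url."""
    saved = urlsplit(saved_url)
    page = urlsplit(page_url)
    if not saved.hostname or not page.hostname:
        return False
    if page.scheme != "https":  # never hand a password to a plaintext page
        return False
    return registrable_domain(saved.hostname) == registrable_domain(page.hostname)


if __name__ == "__main__":
    saved = "https://vanguard.com/login"
    candidates = [
        "https://investor.vanguard.com/signin",  # legitimate subdomain
        "https://vangurd.com/login",             # the typo-squat from the post
        "https://vanguard.com.evil.example/",    # real domain used as a subdomain
        "http://vanguard.com/login",             # right domain, no TLS
    ]
    for url in candidates:
        print(f"{url:42} fill={should_fill(saved, url)}")
```

The third candidate is the case a naive "does the hostname contain vanguard.com" check gets wrong; comparing registrable domains catches it. Real managers also honour per-entry URL-matching preferences (exact host, exact URL), which this stripped-down version omits.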

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 10:34 am
by JoMoney
Best practice is to use different, and complex passwords for each account.
For what it's worth, I tend to use similar patterns/word groupings but with slight variations for different accounts. It's just too cumbersome to be totally random.
What I do is keep a numbered list of all my accounts/user-names (I do this in a spreadsheet file that I believe is relatively secure, but easy to access for me on my computer). Separately I keep a physical paper copy list of passwords (also numbered). That list is stored in a locked place that I have easy access to, and it would be apparent to me if someone had broken into it and passwords were compromised. The password list is also padded with extra passwords that aren't actually being used, or not currently being used. If someone had gained access to either the user-name list or the password list alone, it would be more difficult to use them since they would still have to make multiple guesses; hopefully anyone that made multiple attempts to guess from the list would get the account flagged/locked-out before it was breached and I would have time to change the passwords if compromised.
I've contemplated adding some additional measures, like making up a PIN# that each password has in common but isn't written down, or sealing the password list in a signed envelope that would make it more apparent if someone else had accessed it, but there's rarely anyone else in my house that I would be concerned about accessing it, and it's already secured/locked well enough where I think I would know if someone had gotten to it.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 10:53 am
by tuningfork
wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
No no no no no no no no no no no no no no no no no no no no no no no no no no no no no

If you do this, your password is only as secure as the weakest site you use. You have no way of knowing how safely each site stores your password credentials. What if one of those sites stores passwords in plain text, or uses a trivially reversible encryption algorithm? Your one password will be exposed if that site is ever hacked. When passwords are exposed, hackers often try the same emails/passwords on many other sites, hoping to find the ones that are foolish enough to use the same password everywhere.

Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

Google Stored G Suite Users' Passwords in Plain-Text for 14 Years
Robinhood Stored Passwords in Plaintext
Zynga 2019 Hack Update: 26M Plaintext Passwords Exposed

Even if it is complicated password, it is never a good idea to use it at more than one site.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:07 am
by atikovi
On most websites aren't passwords stored so that even the owners couldn't retrieve them, which is why if you can't remember it, you have to reset it? They can't just email you the original password.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:10 am
by mptfan
atikovi wrote: Sun Sep 13, 2020 11:07 am On most websites aren't passwords stored so that even the owners couldn't retrieve them, which is why if you can't remember it, you have to reset it? They can't just email you the original password.
Nobody knows how "most" websites store passwords.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:13 am
by atikovi
OK, wrong choice of words. How about, in general?

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:20 am
by TallBoy29er
wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
Just plain bad advice. As stated above, if any single site is breached, all sites that use that password are vulnerable. There are caches of breached passwords on the web.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:21 am
by TallBoy29er
atikovi wrote: Sun Sep 13, 2020 11:13 am OK wrong choice of words. How about, In general?
Wrong again.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:21 am
by hayesfj
1. Use LastPass or other Password manager. I have used the free version of LastPass for a couple of years and like it very much. LastPass will generate a very complicated password for each site if you like and keep track of it for you. Use a phrase with Upper and Lower Case letters, numbers, and special characters as your LastPass password. Example "Bogleis99Right$2"

2. Use Two-Factor authentication where possible. This means that the site sends a numerical code to your phone that you have to type into the site as part of the logon.

3. Use a separate email address for all financial institutions and only use that email for Vanguard, Fidelity, Bank, etc. That way if your primary email gets compromised, they will not see any information about which financial institutions you use.

Be careful. Identity theft is real.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:22 am
by wander
TallBoy29er wrote: Sun Sep 13, 2020 11:20 am
wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
Just plain bad advice. As stated above, if any single site is breached, all sites that use that password are vulnerable. There are caches of breached passwords on the web.
You have your choice. I have my choice.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:25 am
by Wrench
steve321 wrote: Sun Sep 13, 2020 9:12 am i have several bank+brokerage accounts plus other accounts for which you need a password (like email, utility companies etc).
I am becoming more conscious of taking precautions to ensure these accounts are not hacked.
Is it ok to choose a pretty complicated password but the same for all accounts? It would be very hard for me to remember a password for each account (I tried that before and often had to ask for a new one since I forgot it).
I mean is there a bigger risk if all your passwords are the same? Or if for example all your financial accounts passwords are the same, but different from your email password, since you give your email address to your bank?
Please let me know what you think. Cheers.
As an independent IT support provider, I can't tell you how many users I have that have had one or more of their accounts breached, either through phishing attempts, or through no fault of their own at online accounts. Unique passwords for every site limits the potential losses. I personally don't care for LastPass or other online password managers precisely because they are online and themselves are subject to hacking. Risk is low, but still there. But, using LastPass or equivalent with a strong master password is way better than re-using the same passwords!

My approach? I use KeePass where the database is stored locally. I use both a (strong) master password AND an encryption file for my KeePass database. EVERY account has a long, random password. Nothing is 100% secure, but this approach reduces the risk to a level I am comfortable with.

Bottom line: do something so you can use strong, unique passwords for every account where data is stored that you care about.

Wrench

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:34 am
by Kenkat
mptfan wrote: Sun Sep 13, 2020 11:10 am
atikovi wrote: Sun Sep 13, 2020 11:07 am On most websites aren't passwords stored so that even the owners couldn't retrieve them, which is why if you can't remember it, you have to reset it? They can't just email you the original password.
Nobody knows how "most" websites store passwords.
While this is true, there are best practices that the vast majority of commercial financial sites will use. Password cryptography is very complex but can be thought of conceptually as “one way encryption”. Once encrypted, there is no straightforward or simple way* to turn it back into the original password. You can only run a candidate password through the same encryption and see if it matches the stored value; the other direction does not work.

* There are always ways, however, given a compromised source and enough time and computing power. Good password strategies will make time be equal to years or decades and computing power equal to "you ain't got it".
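Kenkat's "one way encryption" is, in implementation terms, a salted, deliberately slow password hash: the site keeps only the digest and checks a login by recomputing it, never by reversing it. The block below is an added example for this thread, not code from any poster or product. It uses PBKDF2-HMAC-SHA256 from Python's standard library; the iteration count (the "computing power" knob in Kenkat's footnote) and the record layout are assumptions chosen for the example.

```python
"""Salted, slow one-way password hashing as a site should store credentials.

Added example for this thread; not code from any poster or product. Uses
PBKDF2-HMAC-SHA256 from the standard library. Iteration count and record
format are assumptions for illustration.
"""
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # work factor (assumed); raise it as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    A fresh random salt per user means two users with the same password get
    different records, so a leaked table cannot be attacked with one
    precomputed lookup that covers every row at once.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(candidate: str, stored: str) -> bool:
    """Re-run the same computation on the candidate and compare digests.

    Malformed records and unknown algorithms fail closed. The comparison is
    constant-time so a timing side channel does not reveal how many bytes match.
    """
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iters = int(iterations)
    except ValueError:
        return False
    if algo != "pbkdf2_sha256" or iters < 1:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, iters)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed users; both happen to choose the same password.
    table = {user: hash_password("correct horse battery staple") for user in ("alice", "bob")}
    for user, record in table.items():
        print(user, record[:60] + "...")
    print("alice logs in:  ", verify_password("correct horse battery staple", table["alice"]))
    print("wrong password: ", verify_password("Correct horse battery staple", table["alice"]))
    print("records differ: ", table["alice"] != table["bob"])
```

Contrast this with the plaintext storage in the breaches tuningfork lists: with a record like the one above, an attacker who steals the table still has to run the full iteration count per guess per user, which is what turns "enough time" into years rather than seconds.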

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:34 am
by Wrench
wander wrote: Sun Sep 13, 2020 11:22 am
TallBoy29er wrote: Sun Sep 13, 2020 11:20 am
wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
Just plain bad advice. As stated above, if any single site is breached, all sites that use that password are vulnerable. There are caches of breached passwords on the web.
You have your choice. I have my choice.
Wander - Maybe you will be OK, but you are incurring a risk. If you understand the risk and are comfortable with it, you do you. Just like asset allocation we all have different risk tolerances. Perhaps you are more risk tolerant than many of the other posters (and me) when it comes to identity theft and/or information loss from hackers...

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:37 am
by oldfort
Read this Microsoft article on why your password doesn't matter.
https://techcommunity.microsoft.com/t5/ ... a-p/731984

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:40 am
by steve321
Wrench wrote: Sun Sep 13, 2020 11:25 am
steve321 wrote: Sun Sep 13, 2020 9:12 am i have several bank+brokerage accounts plus other accounts for which you need a password (like email, utility companies etc).
I am becoming more conscious of taking precautions to ensure these accounts are not hacked.
Is it ok to choose a pretty complicated password but the same for all accounts? It would be very hard for me to remember a password for each account (I tried that before and often had to ask for a new one since I forgot it).
I mean is there a bigger risk if all your passwords are the same? Or if for example all your financial accounts passwords are the same, but different from your email password, since you give your email address to your bank?
Please let me know what you think. Cheers.
As an independent IT support provider, I can't tell you how many users I have that have had one or more of their accounts breached, either through phishing attempts, or through no fault of their own at online accounts. Unique passwords for every site limits the potential losses. I personally don't care for LastPass or other online password managers precisely because they are online and themselves are subject to hacking. Risk is low, but still there. But, using LastPass or equivalent with a strong master password is way better than re-using the same passwords!

My approach? I use KeePass where the database is stored locally. I use both a (strong) master password AND an encryption file for my KeePass database. EVERY account has a long, random password. Nothing is 100% secure, but this approach reduces the risk to a level I am comfortable with.

Bottom line: do something so you can use strong, unique passwords for every account where data is stored that you care about.

Wrench
Thank you I am going to explore this. As you must have realized I know nothing about computers so this question might sound stupid: when you say
KeePass where the database is stored locally
does it mean that you store the database yourself like on an external disk drive? Or is it still on the web?

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:41 am
by steve321
steve321 wrote: Sun Sep 13, 2020 11:40 am
Wrench wrote: Sun Sep 13, 2020 11:25 am
steve321 wrote: Sun Sep 13, 2020 9:12 am i have several bank+brokerage accounts plus other accounts for which you need a password (like email, utility companies etc).
I am becoming more conscious of taking precautions to ensure these accounts are not hacked.
Is it ok to choose a pretty complicated password but the same for all accounts? It would be very hard for me to remember a password for each account (I tried that before and often had to ask for a new one since I forgot it).
I mean is there a bigger risk if all your passwords are the same? Or if for example all your financial accounts passwords are the same, but different from your email password, since you give your email address to your bank?
Please let me know what you think. Cheers.
As an independent IT support provider, I can't tell you how many users I have that have had one or more of their accounts breached, either through phishing attempts, or through no fault of their own at online accounts. Unique passwords for every site limits the potential losses. I personally don't care for LastPass or other online password managers precisely because they are online and themselves are subject to hacking. Risk is low, but still there. But, using LastPass or equivalent with a strong master password is way better than re-using the same passwords!

My approach? I use KeePass where the database is stored locally. I use both a (strong) master password AND an encryption file for my KeePass database. EVERY account has a long, random password. Nothing is 100% secure, but this approach reduces the risk to a level I am comfortable with.

Bottom line: do something so you can use strong, unique passwords for every account where data is stored that you care about.

Wrench
Thank you I am going to explore this. As you must have realized I know nothing about computers so this question might sound stupid: when you say
KeePass where the database is stored locally
does it mean that you store the database yourself like on an external disk drive? Or is it still on the web?

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:42 am
by steve321
Is there a way you can find out (besides the hard way...) if there's malware on your computer (PC or chromebook)?

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:44 am
by oldfort
steve321 wrote: Sun Sep 13, 2020 11:42 am Is there a way you can find out (besides the hard way...) if there's malware on your computer (PC or chromebook)?
Virus scan.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:45 am
by coachd50
wander wrote: Sun Sep 13, 2020 11:22 am
TallBoy29er wrote: Sun Sep 13, 2020 11:20 am
wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
Just plain bad advice. As stated above, if any single site is breached, all sites that use that password are vulnerable. There are caches of breached passwords on the web.
You have your choice. I have my choice.
I think the point is that your choice may seem "secure" from the perspective of someone randomly accessing one of your accounts/sites through a "brute force attack". However, that does not appear to consider the potential risk of someone hacking one of those sites themselves, and obtaining your password...and thus have access to MANY of your sites.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:46 am
by ThereAreNoGurus
Wrench wrote: Sun Sep 13, 2020 11:25 am
My approach? I use KeePass where the database is stored locally. I use both a (strong) master password AND an encryption file for my KeePass database. EVERY account has a long, random password. Nothing is 100% secure, but this approach reduces the risk to a level I am comfortable with.

Bottom line: do something so you can use strong, unique passwords for every account where data is stored that you care about.
That's exactly what I use. (I use VeraCrypt [free] for the encryption).

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:50 am
by JoeRetire
steve321 wrote: Sun Sep 13, 2020 9:12 am Is it ok to choose a pretty complicated password but the same for all accounts?
It's okay by me. It probably depends on how lucky you feel.

steve321 wrote: Sun Sep 13, 2020 9:12 am It would be very hard for me to remember a password for each account (I tried that before and often had to ask for a new one since I forgot it).
It's not that hard. You need to combine your base "pretty complicated password" with something unique to the account. At least that's what I do. Easy.

steve321 wrote: Sun Sep 13, 2020 9:12 am I mean is there a bigger risk if all your passwords are the same?
Of course. The risk is that once one password is compromised, they are all compromised. You get to decide how much riskier that is, and if you care or not.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:53 am
by Wrench
steve321 wrote: Sun Sep 13, 2020 11:40 am Thank you I am going to explore this. As you must have realized I know nothing about computers so this question might sound stupid: when you say
Wrench wrote: KeePass where the database is stored locally
does it mean that you store the database yourself like on an external disk drive? Or is it still on the web?

It can be stored on the hard drive of your computer, or on an external disk. Or, I have even set it up so the database is stored on google drive or dropbox (online "cloud" storage systems) but the encryption file is only stored locally. That way if your cloud storage is hacked your data cannot be read because the hacker does not have the encryption file even if somehow they guess (know) your master password. If you do it this way, the database can be accessed from multiple computers. I will say that I have found with my clients that KeePass is not nearly as easy to set up and use as LastPass. I usually end up having to help them initially (Most of my individual clients are not computer sophisticated). Also as open source freeware, there is no support like there is with LastPass. I'd try different approaches and see which one suits you best.

Good luck!

Wrench

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:53 am
by JoeRetire
atikovi wrote: Sun Sep 13, 2020 11:07 am On most websites aren't passwords stored so that even the owners couldn't retrieve them, which is why if you can't remember it, you have to reset it? They can't just email you the original password.
Most do. Some don't. How lucky do you feel?

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:56 am
by Case59
For important websites like banks and brokerages, I use an initials scheme. The password is comprised of the first letters of lines of a favorite song or poem, plus the year of the song or poem. So, if my favorite song is Stairway to Heaven (which of course it isn't or I wouldn't be using it here), for my bank, the password represents initials of the first two lines: Talwsatgig1971. It's complex, hard for any stranger to crack (I hope) but easy for me to remember and type.

I have variations for each important account, like second lines, last lines, different songs or poems, etc. For reminders, I keep a separate note for each account, but without the song or poem's names: "Vanguard: First two lines of favorite song."

I don't know if this makes a lot of sense, but it seems to have worked okay for me for years.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:57 am
by warner25
atikovi wrote: Sun Sep 13, 2020 9:15 am That's what I do or a slight variation thereof. And they're not too complicated. No problem in 20+ years.
As we say all the time in investing, don't confuse strategy with outcome...
atikovi wrote: Sun Sep 13, 2020 10:28 am I'm annoyed when a site requires your password to have at least one upper or lowercase letter, one number, a special character, etc.
This I agree with. And mathematically, a sufficiently long (but easier to remember and type) passphrase of all lower-case letters is stronger than a shorter (but harder to remember and type) password containing %&!#$. I think more administrators are starting to embrace this, but it will take a whole generation before nobody requires those crazy passwords anymore (along with password changes every 90 days, which NIST discouraged years ago).
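
To put numbers on warner25's "mathematically stronger" claim, here is an added worked calculation (not from the post) using the standard formula: a string of n symbols chosen uniformly at random from an alphabet of size k has n * log2(k) bits of entropy. The guess rate of 1e10 per second is an assumed round figure for an offline attack on a fast hash, not a number from this thread, and the formula only holds for random choice; hand-picked lyric initials or words carry less.

```python
import math
from typing import Dict, Tuple


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols chosen uniformly at random from an
    alphabet of `alphabet_size`: length * log2(alphabet_size).
    Assumes uniform random choice; human-chosen strings have less."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole key space at a constant guess rate."""
    return (2.0 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


# (alphabet size, length) for a few password policies
POLICIES: Dict[str, Tuple[int, int]] = {
    "10 chars, upper+lower+digits+symbols (95)": (95, 10),
    "16 lower-case letters (26)": (26, 16),
    "20 lower-case letters (26)": (26, 20),
    "6 random words from a 7776-word list": (7776, 6),
}


def compare(guesses_per_second: float = 1e10) -> Dict[str, Tuple[float, float]]:
    """Bits and years-to-exhaust per policy. 1e10 guesses/s is an assumed
    order of magnitude for GPU cracking of a fast, unsalted hash."""
    return {
        name: (round(entropy_bits(k, n), 1),
               years_to_exhaust(entropy_bits(k, n), guesses_per_second))
        for name, (k, n) in POLICIES.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:45s} {bits:6.1f} bits  ~{years:.3g} years")
```

The 16-letter all-lower-case passphrase comes out around 75 bits against roughly 66 bits for the 10-character "complex" password, which is the comparison the post is making.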

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:58 am
by JoeRetire
Kenkat wrote: Sun Sep 13, 2020 11:34 amthere are best practices that the vast majority of commercial financial sites will use.
That is indeed true for the vast majority of commercial financial sites.
  • "vast majority" is not the same as "all". How lucky do you feel?
  • Nobody accesses only commercial financial sites. How lucky do you feel?
  • If you use the same password everywhere, your security is only as good as the weakest link. How lucky do you feel?

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 11:59 am
by egrets
jebmke wrote: Sun Sep 13, 2020 10:10 am
wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
I have never had to change my passwords at financial institutions. I can't remember the last time any online site of any kind required me to change my password. I've done it voluntarily for a couple of email accounts that I needed to strengthen.
Some of my credit unions require a periodic change. The Social Security website does also.

Not in 10,000 years would I use a password manager and keep all my passwords out on the web in one place.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 12:03 pm
by jebmke
egrets wrote: Sun Sep 13, 2020 11:59 am Not in 10,000 years would I use a password manager and keep all my passwords out on the web in one place.
Can't comment on the online ones because I don't use an online one. I use Keepass which is not online.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 12:08 pm
by Kenkat
JoeRetire wrote: Sun Sep 13, 2020 11:58 am
Kenkat wrote: Sun Sep 13, 2020 11:34 amthere are best practices that the vast majority of commercial financial sites will use.
That is indeed true for the vast majority of commercial financial sites.
  • "vast majority" is not the same as "all". How lucky do you feel?
  • Nobody accesses only commercial financial sites. How lucky do you feel?
  • If you use the same password everywhere, your security is only as good as the weakest link. How lucky do you feel?
Agree 100%; I’d never advocate using the same password for multiple sites (and didn’t above). I don’t even use the variation technique as a general rule - all passwords are pretty distinct from one another.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 12:10 pm
by kbjeffrey
wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
Not such a good idea and especially risky if you use the same username. Some websites don't encrypt your passwords when they save them. When they are hacked or someone at the company behaves badly, they have all your passwords.
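
The failure mode kbjeffrey and JoeRetire describe (one badly run site leaks the password, and it then opens every account that reuses it) can be made concrete. The following is an added simulation written for this thread, not code from any site or product: one site stores passwords in plaintext, two store a per-user salt plus a PBKDF2 hash (which is also why a properly run site can only offer a reset, as atikovi asked), and the only variable is whether the user reused the password. Site names, the username and the passwords are constructed sample values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple, Union


class PlaintextSite:
    """A site that stores passwords as-is. A breach or a dishonest insider
    hands the attacker every user's actual password."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}

    def register(self, user: str, password: str) -> None:
        self.users[user] = password

    def login(self, user: str, password: str) -> bool:
        return self.users.get(user) == password

    def breach(self) -> Dict[str, str]:
        """What a database dump yields here: usernames and plaintext passwords."""
        return dict(self.users)


class HashedSite:
    """A site that stores only a per-user salt and a PBKDF2 hash. The operator
    cannot recover the password, which is why it can only offer a reset."""

    ITERATIONS = 100_000

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[bytes, bytes]] = {}

    def _digest(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, self.ITERATIONS)

    def register(self, user: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.users[user] = (salt, self._digest(password, salt))

    def login(self, user: str, password: str) -> bool:
        record = self.users.get(user)
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(stored, self._digest(password, salt))

    def breach(self) -> Dict[str, Tuple[str, str]]:
        """A dump gives salts and hashes only; nothing is directly replayable."""
        return {u: (salt.hex(), digest.hex()) for u, (salt, digest) in self.users.items()}


Site = Union[PlaintextSite, HashedSite]


def credential_stuffing(leaked: Dict[str, str], targets: Dict[str, Site]) -> List[Tuple[str, str]]:
    """Replay each leaked user/password pair against every target site and
    report where it logs in. This is the automated attack reuse enables."""
    hits: List[Tuple[str, str]] = []
    for site_name, site in targets.items():
        for user, password in leaked.items():
            if site.login(user, password):
                hits.append((site_name, user))
    return hits


def scenario(reuse_password: bool) -> List[Tuple[str, str]]:
    """Constructed scenario: a hobby forum stores plaintext and is breached;
    the bank and e-mail provider hash properly. Only the reuse decision varies."""
    forum, bank, email = PlaintextSite(), HashedSite(), HashedSite()
    forum_password = "Sunflower!2020"  # constructed sample value
    if reuse_password:
        bank_password = email_password = forum_password
    else:
        bank_password = secrets.token_urlsafe(24)   # what a manager would generate
        email_password = secrets.token_urlsafe(24)
    forum.register("steve321", forum_password)
    bank.register("steve321", bank_password)
    email.register("steve321", email_password)
    dump = forum.breach()  # the attacker's starting point
    return credential_stuffing(dump, {"bank": bank, "email": email})


if __name__ == "__main__":
    print("reused password, accounts opened by the forum leak:", scenario(True))
    print("unique passwords, accounts opened by the forum leak:", scenario(False))
```

Note that the bank and e-mail provider did everything right in this model; the reused password defeats their hashing because the attacker never needs to crack anything, only replay.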

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 12:10 pm
by Kenkat
oldfort wrote: Sun Sep 13, 2020 11:37 am Read this Microsoft article on why your password doesn't matter.
https://techcommunity.microsoft.com/t5/ ... a-p/731984
This is a very well written / well researched article on how accounts actually get compromised.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 12:13 pm
by kbjeffrey
egrets wrote: Sun Sep 13, 2020 11:59 am
Not in 10,000 years would I use a password manager and keep all my passwords out on the web in one place.
You should take a look at Enpass. It is an open source password manager where you hold on to your own passwords. It is a favorite with the security researchers I've asked.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 12:14 pm
by Nicolas
No, don’t do this, it’s not secure because if any site is compromised and your password is revealed then all of your accounts are immediately at risk. Use a password manager which will provide you with a unique uncrackable password for each of your sites (at least until quantum computers become a thing, anyway).

You need to remember only one master password. Then when logging in anywhere it’s just a copy and paste routine or, depending on the password manager and the site you’re applying it to, the username and password populate automatically.

Re: Security question on one's passwords

Posted: Sun Sep 13, 2020 12:17 pm
by Katietsu
I separate how I handle passwords based on risk to me. I mean how much damage can someone do if they get my Netflix password? Is there some risk here that I am not considering? For that matter, I include credit card companies in the “not overly concerned” category. Don’t get me wrong, I still use a decent password on these sites, though may reuse the password based on category. Now when it comes to my bank and my money, I use a greater level of care.