[Question regarding password security]

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
User avatar
Topic Author
steve321
Posts: 954
Joined: Sat Sep 09, 2017 9:16 am
Location: Southampton, UK

[Question regarding password security]

Post by steve321 »

i have several bank+brokerage accounts plus other accounts for which you need a password (like email, utility companies etc).
I am becoming more conscious of taking precautions to ensure these accounts are not hacked.
Is it ok to choose a pretty complicated password but the same for all accounts? It would be very hard for me to remember a password for each account (I tried that before and often had to ask for a new one since I forgot it).
I mean is there a bigger risk if all your passwords are the same? Or if for example all your financial accounts passwords are the same, but different from your email password, since you give your email address to your bank?
Please let me know what you think. Cheers.

[Post title modified for clarity by moderator oldcomputerguy]
Success does not bring happiness. In fact, happiness IS success. | 'There are only two tragedies in life: one is not getting what one wants, and the other is getting it.' Oscar Wilde
atikovi
Posts: 1020
Joined: Tue Sep 10, 2019 7:20 pm
Location: Suburban Washington DC

Re: Security question on one's passwords

Post by atikovi »

steve321 wrote: Sun Sep 13, 2020 9:12 am Is it ok to choose a pretty complicated password but the same for all accounts?
That's what I do or a slight variation there off. And they're not too complicated. No problem in 20+ years.
lazydavid
Posts: 5156
Joined: Wed Apr 06, 2016 1:37 pm

Re: Security question on one's passwords

Post by lazydavid »

You need a password manager. If a password is compromised at any site, every account where that same password is used will eventually be compromised as well. Since you won't always know when this occurs, the risk is too great, especially with financial accounts IMO.

I personally use LastPass, but there are several other great options in 1Password, Keepass, and others. A good password manager will automatically generate long, complex passwords that are unique for every site. You only need to create and remember one very secure passphrase to allow you to access your vault. It is VITALLY important that this passphrase be something you never have and never will use as a credential on any other site. Mine is over 30 characters long, but very easy for me to remember, and I can type it in about 2 seconds (8 or so on mobile).
jebmke
Posts: 25476
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Security question on one's passwords

Post by jebmke »

Password manager. Eliminates the need to remember. Some good "online" options as well as standalone (Keepass).
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
BogleTaxPro
Posts: 650
Joined: Sat Apr 04, 2020 6:08 pm

Re: Security question on one's passwords

Post by BogleTaxPro »

lazydavid wrote: Sun Sep 13, 2020 9:25 am You need a password manager. If a password is compromised at any site, every account where that same password is used will eventually be compromised as well. Since you won't always know when this occurs, the risk is too great, especially with financial accounts IMO.

I personally use LastPass, but there are several other great options in 1Password, Keepass, and others. A good password manager will automatically generate long, complex passwords that are unique for every site. You only need to create and remember one very secure passphrase to allow you to access your vault. It is VITALLY important that this passphrase be something you never have and never will use as a credential on any other site. Mine is over 30 characters long, but very easy for me to remember, and I can type it in about 2 seconds (8 or so on mobile).
+100!
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Security question on one's passwords

Post by mptfan »

steve321 wrote: Sun Sep 13, 2020 9:12 am Is it ok to choose a pretty complicated password but the same for all accounts?
No, that is definitely not ok. Use a password manager and make all of your passwords strong and unique, that is especially important for your financial accounts.
Broken Man 1999
Posts: 8626
Joined: Wed Apr 08, 2015 11:31 am
Location: West coast of Florida, near Champa Bay !

Re: Security question on one's passwords

Post by Broken Man 1999 »

BogleTaxPro wrote: Sun Sep 13, 2020 9:32 am
lazydavid wrote: Sun Sep 13, 2020 9:25 am You need a password manager. If a password is compromised at any site, every account where that same password is used will eventually be compromised as well. Since you won't always know when this occurs, the risk is too great, especially with financial accounts IMO.

I personally use LastPass, but there are several other great options in 1Password, Keepass, and others. A good password manager will automatically generate long, complex passwords that are unique for every site. You only need to create and remember one very secure passphrase to allow you to access your vault. It is VITALLY important that this passphrase be something you never have and never will use as a credential on any other site. Mine is over 30 characters long, but very easy for me to remember, and I can type it in about 2 seconds (8 or so on mobile).
+100!
I use LastPass, and my master password is a statement containing words relevant to only myself. If I showed my family members my statement they would have no reason to even associate any of the words to me, and they certainly know me best. Of course a written record of my master password is available to family members to use when I assume room temperature.

Broken Man 1999
“If I cannot drink Bourbon and smoke cigars in Heaven then I shall not go." - Mark Twain
donfairplay
Posts: 259
Joined: Mon Oct 06, 2008 8:16 pm

Re: Security question on one's passwords

Post by donfairplay »

atikovi wrote: Sun Sep 13, 2020 9:15 am
steve321 wrote: Sun Sep 13, 2020 9:12 am Is it ok to choose a pretty complicated password but the same for all accounts?
That's what I do or a slight variation there off. And they're not too complicated. No problem in 20+ years.
Using the same security question answer on all accounts? This is like using the same password as all accounts (possibly worse).

If your utility company,etc and its security question is breached, then all other accounts with the same security question answer are now breached. Very bad idea.
Last edited by donfairplay on Sun Sep 13, 2020 10:11 am, edited 2 times in total.
wander
Posts: 4424
Joined: Sat Oct 04, 2008 9:10 am

Re: Security question on one's passwords

Post by wander »

One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
jebmke
Posts: 25476
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Security question on one's passwords

Post by jebmke »

wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
I have never had to change my passwords at financial institutions. I can't remember the last time any online site of any kind required me to change my password. I've done it voluntarily for a couple of email accounts that I needed to strengthen.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
atikovi
Posts: 1020
Joined: Tue Sep 10, 2019 7:20 pm
Location: Suburban Washington DC

Re: Security question on one's passwords

Post by atikovi »

donfairplay wrote: Sun Sep 13, 2020 10:06 am
atikovi wrote: Sun Sep 13, 2020 9:15 am
steve321 wrote: Sun Sep 13, 2020 9:12 am Is it ok to choose a pretty complicated password but the same for all accounts?
That's what I do or a slight variation there off. And they're not too complicated. No problem in 20+ years.
Using the same security question answer on all accounts? This is as good of an idea as using the same password as all accounts (possibly worse).

If your utility company,etc and its security question is breached, then all other accounts with the same security question answer are now breached. Very bad idea.
What do you mean security question? This is about passwords.
wander
Posts: 4424
Joined: Sat Oct 04, 2008 9:10 am

Re: Security question on one's passwords

Post by wander »

jebmke wrote: Sun Sep 13, 2020 10:10 am
wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
I have never had to change my passwords at financial institutions. I can't remember the last time any online site of any kind required me to change my password. I've done it voluntarily for a couple of email accounts that I needed to strengthen.
That's good then. I don't think carry different passwords serve any benefits considering now you have 2-steps verification.
Jeff Albertson
Posts: 904
Joined: Sat Apr 06, 2013 7:11 pm
Location: Springfield

Re: Security question on one's passwords

Post by Jeff Albertson »

wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
worst advice you'll read this year!
donfairplay
Posts: 259
Joined: Mon Oct 06, 2008 8:16 pm

Re: Security question on one's passwords

Post by donfairplay »

atikovi wrote: Sun Sep 13, 2020 10:11 am
donfairplay wrote: Sun Sep 13, 2020 10:06 am
atikovi wrote: Sun Sep 13, 2020 9:15 am
steve321 wrote: Sun Sep 13, 2020 9:12 am Is it ok to choose a pretty complicated password but the same for all accounts?
That's what I do or a slight variation there off. And they're not too complicated. No problem in 20+ years.
Using the same security question answer on all accounts? This is as good of an idea as using the same password as all accounts (possibly worse).

If your utility company,etc and its security question is breached, then all other accounts with the same security question answer are now breached. Very bad idea.
What do you mean security question? This is about passwords.
I was going by the title of the post, assuming password meant the answer to the security question.

Either way, do people really just use the same password or security question answer for everything? The password/answer may be complicated, but it isn't secure.
User avatar
Topic Author
steve321
Posts: 954
Joined: Sat Sep 09, 2017 9:16 am
Location: Southampton, UK

Re: Security question on one's passwords

Post by steve321 »

lazydavid wrote: Sun Sep 13, 2020 9:25 am You need a password manager. If a password is compromised at any site, every account where that same password is used will eventually be compromised as well. Since you won't always know when this occurs, the risk is too great, especially with financial accounts IMO.

I personally use LastPass, but there are several other great options in 1Password, Keepass, and others. A good password manager will automatically generate long, complex passwords that are unique for every site. You only need to create and remember one very secure passphrase to allow you to access your vault. It is VITALLY important that this passphrase be something you never have and never will use as a credential on any other site. Mine is over 30 characters long, but very easy for me to remember, and I can type it in about 2 seconds (8 or so on mobile).
Thanks, just found the app (LastPass). Going to explore how it works.
So basically if I understood, with this the only risk would be if someone found out and guessed your password for LastPass, in which case if I understand correctly they could hack all your accounts, which is why you have to make that one password extra safe.
Last edited by steve321 on Sun Sep 13, 2020 10:33 am, edited 1 time in total.
Success does not bring happiness. In fact, happiness IS success. | 'There are only two tragedies in life: one is not getting what one wants, and the other is getting it.' Oscar Wilde
atikovi
Posts: 1020
Joined: Tue Sep 10, 2019 7:20 pm
Location: Suburban Washington DC

Re: Security question on one's passwords

Post by atikovi »

I'm annoyed when a site requires your password to have at least one upper or lowercase letter, one number, a special character, etc. You'd think you were creating a pw to access the site for NORAD, but its just some internet forum. If I can't use the pw I want, sometimes I just don't join.
lazydavid
Posts: 5156
Joined: Wed Apr 06, 2016 1:37 pm

Re: Security question on one's passwords

Post by lazydavid »

steve321 wrote: Sun Sep 13, 2020 10:19 am Thanks, just found the app (LastPass). Going to explore how it works.
So basically with this the only risk would be if someone found out and guessed your password for LastPass, in which case if I understand correctly they could hack all your accounts, which is why you have to make that one password extra safe, right?
I would be loath to say it's the only risk, but it is far and away the predominant risk. And yes, this is why that master password has to be very strong and never reused anywhere else.

Other risks and mitigations:

attacks against the client itself--these are exceedingly rare, but do happen, and are patched VERY quickly once found.
Tricking you into filling your passwords into the wrong site--password manager actually helps here, as it will refuse to fill your vanguard.com password on a spoof site like for example vangurd.com
Malware running on your machine, capturing passwords as they are submitted--if this happens, it's game over for every site you visit, password manager or no.

But yes, a strong master password is 99% of it. I have in the past posted my encrypted password for BogleHeads directly in a message thread, because without my master password, it's utterly useless
User avatar
JoMoney
Posts: 16260
Joined: Tue Jul 23, 2013 5:31 am

Re: Security question on one's passwords

Post by JoMoney »

Best practice is to use different, and complex passwords for each account.
For what it's worth, I tend to use similar patterns/word groupings but with slight variations for different accounts. It's just too cumbersome to be totally random.
What I do, is keep a numbered list of all my accounts/user-names (I do this in a spreadsheet file that I believe is relatively secure, but easy to access for me on my computer). Separately I keep a physical paper copy list of passwords (also numbered). That list is stored in a locked place that I have easy access to, and would be apparent to me if someone had broken in to it and passwords compromised. The password list is also padded with extra passwords that aren't actually being used, or not currently being used. If someone had gained access to either the user-name list or the password list alone, it would be more difficult to use them since they would still have to make multiple guesses, hopefully anyone that made multiple attempts to guess from the list would get the account flagged/locked-out before it was breached and I would have time to change the passwords if compromised.
I've contemplated adding some additional measures, like making up a PIN# that each password has in common but isn't written down, or sealing the password list in a signed envelope that would make it more apparent if someone else had accessed it, but there's rarely anyone else in my house that I would be concerned about accessing it, and it's already secured/locked well enough where I think I would know if someone had gotten to it.
"To achieve satisfactory investment results is easier than most people realize; to achieve superior results is harder than it looks." - Benjamin Graham
User avatar
tuningfork
Posts: 885
Joined: Wed Oct 30, 2013 8:30 pm

Re: Security question on one's passwords

Post by tuningfork »

wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
No no no no no no no no no no no no no no no no no no no no no no no no no no no no no

If you do this, your password is only as secure as the weakest site you use. You have no way of knowing how safely each site stores your password credentials. What if one of those sites stores passwords in plain text, or uses a trivially reversible encryption algorithm? Your one password will be exposed if that site is ever hacked. When passwords are exposed, hackers often try the same emails/passwords on many other sites, hoping to find the ones that are foolish enough to use the same password everywhere.

Facebook Stored Hundreds of Millions of User Passwords in Plain Text for Years

Google Stored G Suite Users' Passwords in Plain-Text for 14 Years
Robinhood Stored Passwords in Plaintext
Zynga 2019 Hack Update: 26M Plaintext Passwords Exposed

Even if it is complicated password, it is never a good idea to use it at more than one site.
atikovi
Posts: 1020
Joined: Tue Sep 10, 2019 7:20 pm
Location: Suburban Washington DC

Re: Security question on one's passwords

Post by atikovi »

On most websites aren't passwords stored so that even the owners couldn't retrieve them, which is why if you can't remember it, you have to reset it? They can't just email you the original password.
mptfan
Posts: 7218
Joined: Mon Mar 05, 2007 8:58 am

Re: Security question on one's passwords

Post by mptfan »

atikovi wrote: Sun Sep 13, 2020 11:07 am On most websites aren't passwords stored so that even the owners couldn't retrieve them, which is why if you can't remember it, you have to reset it? They can't just email you the original password.
Nobody knows how "most" websites store passwords.
atikovi
Posts: 1020
Joined: Tue Sep 10, 2019 7:20 pm
Location: Suburban Washington DC

Re: Security question on one's passwords

Post by atikovi »

OK wrong choice of words. How about, In general?
TallBoy29er
Posts: 1320
Joined: Thu Jul 18, 2013 9:06 pm

Re: Security question on one's passwords

Post by TallBoy29er »

wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
Just plain bad advice. As stated above, if any single site is breached, all sites that use that password are vulnerable. There are caches of breached passwords on the web.
TallBoy29er
Posts: 1320
Joined: Thu Jul 18, 2013 9:06 pm

Re: Security question on one's passwords

Post by TallBoy29er »

atikovi wrote: Sun Sep 13, 2020 11:13 am OK wrong choice of words. How about, In general?
Wrong again.
hayesfj
Posts: 54
Joined: Sat Dec 26, 2009 8:39 am

Re: Security question on one's passwords

Post by hayesfj »

1. Use LastPass or other Password manager. I have used the free version of LastPass for a couple of years and like it very much. LastPass will generate a very complicated password for each site if you like and keep track of it for you. Use a phrase with Upper and Lower Case letters, numbers, and special characters as your LastPass password. Example "Bogleis99Right$2"

2. Use Two-Factor authentication where possible. This means that the site sends a numerical code to your phone that you have to type into the site as part of the logon.

3. Use a separate email address for all financial institutions and only use that email for Vanguard, Fidelity, Bank, etc. That way if yor primary email gets compromised, they will not see any information about which financial institutions you use.

Be careful. Identity theft is real.
wander
Posts: 4424
Joined: Sat Oct 04, 2008 9:10 am

Re: Security question on one's passwords

Post by wander »

TallBoy29er wrote: Sun Sep 13, 2020 11:20 am
wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
Just plain bad advice. As stated above, if any single site is breached, all sites that use that password are vulnerable. There are caches of breached passwords on the web.
You have your choice. I have my choice.
Wrench
Posts: 1055
Joined: Sun Apr 28, 2019 10:21 am

Re: Security question on one's passwords

Post by Wrench »

steve321 wrote: Sun Sep 13, 2020 9:12 am i have several bank+brokerage accounts plus other accounts for which you need a password (like email, utility companies etc).
I am becoming more conscious of taking precautions to ensure these accounts are not hacked.
Is it ok to choose a pretty complicated password but the same for all accounts? It would be very hard for me to remember a password for each account (I tried that before and often had to ask for a new one since I forgot it).
I mean is there a bigger risk if all your passwords are the same? Or if for example all your financial accounts passwords are the same, but different from your email password, since you give your email address to your bank?
Please let me know what you think. Cheers.
As an independent IT support provider, I can't tell you how many users I have that have had one or more of their accounts breached, either through fishing attempts, or through no fault of their own at online accounts. Unique passwords for every site limits the potential losses. I personally don't care for LastPass or other online password managers precisely because they are online and themselves are subject to hacking. Risk is low, but still there. But, using LastPass or equivalent with a strong master password is way better than re-using the same passwords!

My approach? I use KeePass where the database is stored locally. I use both a (strong) master password AND and an encryption file for my KeePass database. EVERY account has a long, random password. Nothing is 100% secure, but this approach reduces the risk to a level I am comfortable with.

Bottom line: do something so you can use strong, unique passwords for every account where data is stored that you care about.

Wrench
User avatar
Kenkat
Posts: 9553
Joined: Thu Mar 01, 2007 10:18 am
Location: Cincinnati, OH

Re: Security question on one's passwords

Post by Kenkat »

mptfan wrote: Sun Sep 13, 2020 11:10 am
atikovi wrote: Sun Sep 13, 2020 11:07 am On most websites aren't passwords stored so that even the owners couldn't retrieve them, which is why if you can't remember it, you have to reset it? They can't just email you the original password.
Nobody knows how "most" websites store passwords.
While this is true, there are best practices that the vast majority of commercial financial sites will use. Password cryptography is very complex but can be thought of conceptually as “one way encryption”. Once encrypted, there is no straightforward or simple way* to turn it back into the original password. You can only run a candidate password through the same encryption and see if it matches the stored value; the other direction does not work.

* there are always ways, however, given a compromised source and enough time and computing power. Good password strategies will make time be equal to years or decades and computing power equal to “you ain’t got it“
Last edited by Kenkat on Sun Sep 13, 2020 11:34 am, edited 1 time in total.
Wrench
Posts: 1055
Joined: Sun Apr 28, 2019 10:21 am

Re: Security question on one's passwords

Post by Wrench »

wander wrote: Sun Sep 13, 2020 11:22 am
TallBoy29er wrote: Sun Sep 13, 2020 11:20 am
wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
Just plain bad advice. As stated above, if any single site is breached, all sites that use that password are vulnerable. There are caches of breached passwords on the web.
You have your choice. I have my choice.
Wander - Maybe you will be OK, but you are incurring a risk. If you understand the risk and are comfortable with it, you do you. Just like asset allocation we all have different risk tolerances. Perhaps you are more risk tolerant than many of the other posters (and me) when it comes to identity theft and/or information loss from hackers...
oldfort
Posts: 2781
Joined: Mon Mar 02, 2020 7:45 pm

Re: Security question on one's passwords

Post by oldfort »

Read this Microsoft article on why your password doesn't matter.
https://techcommunity.microsoft.com/t5/ ... a-p/731984
User avatar
Topic Author
steve321
Posts: 954
Joined: Sat Sep 09, 2017 9:16 am
Location: Southampton, UK

Re: Security question on one's passwords

Post by steve321 »

Wrench wrote: Sun Sep 13, 2020 11:25 am
steve321 wrote: Sun Sep 13, 2020 9:12 am i have several bank+brokerage accounts plus other accounts for which you need a password (like email, utility companies etc).
I am becoming more conscious of taking precautions to ensure these accounts are not hacked.
Is it ok to choose a pretty complicated password but the same for all accounts? It would be very hard for me to remember a password for each account (I tried that before and often had to ask for a new one since I forgot it).
I mean is there a bigger risk if all your passwords are the same? Or if for example all your financial accounts passwords are the same, but different from your email password, since you give your email address to your bank?
Please let me know what you think. Cheers.
As an independent IT support provider, I can't tell you how many users I have that have had one or more of their accounts breached, either through fishing attempts, or through no fault of their own at online accounts. Unique passwords for every site limits the potential losses. I personally don't care for LastPass or other online password managers precisely because they are online and themselves are subject to hacking. Risk is low, but still there. But, using LastPass or equivalent with a strong master password is way better than re-using the same passwords!

My approach? I use KeePass where the database is stored locally. I use both a (strong) master password AND and an encryption file for my KeePass database. EVERY account has a long, random password. Nothing is 100% secure, but this approach reduces the risk to a level I am comfortable with.

Bottom line: do something so you can use strong, unique passwords for every account where data is stored that you care about.

Wrench
Thank you I am going to explore this. As you must have realized I know nothing about computers so this question might sound stupid: when you say
KeePass where the database is stored locally
does it mean that you store the datebase yourself like on an external disk drive? Or is it still on the web?
Success does not bring happiness. In fact, happiness IS success. | 'There are only two tragedies in life: one is not getting what one wants, and the other is getting it.' Oscar Wilde
User avatar
Topic Author
steve321
Posts: 954
Joined: Sat Sep 09, 2017 9:16 am
Location: Southampton, UK

Re: Security question on one's passwords

Post by steve321 »

steve321 wrote: Sun Sep 13, 2020 11:40 am
Wrench wrote: Sun Sep 13, 2020 11:25 am
steve321 wrote: Sun Sep 13, 2020 9:12 am i have several bank+brokerage accounts plus other accounts for which you need a password (like email, utility companies etc).
I am becoming more conscious of taking precautions to ensure these accounts are not hacked.
Is it ok to choose a pretty complicated password but the same for all accounts? It would be very hard for me to remember a password for each account (I tried that before and often had to ask for a new one since I forgot it).
I mean is there a bigger risk if all your passwords are the same? Or if for example all your financial accounts passwords are the same, but different from your email password, since you give your email address to your bank?
Please let me know what you think. Cheers.
As an independent IT support provider, I can't tell you how many users I have that have had one or more of their accounts breached, either through fishing attempts, or through no fault of their own at online accounts. Unique passwords for every site limits the potential losses. I personally don't care for LastPass or other online password managers precisely because they are online and themselves are subject to hacking. Risk is low, but still there. But, using LastPass or equivalent with a strong master password is way better than re-using the same passwords!

My approach? I use KeePass where the database is stored locally. I use both a (strong) master password AND and an encryption file for my KeePass database. EVERY account has a long, random password. Nothing is 100% secure, but this approach reduces the risk to a level I am comfortable with.

Bottom line: do something so you can use strong, unique passwords for every account where data is stored that you care about.

Wrench
Thank you I am going to explore this. As you must have realized I know nothing about computers so this question might sound stupid: when you say
KeePass where the database is stored locally
does it mean that you store the database yourself like on an external disk drive? Or is it still on the web?
Success does not bring happiness. In fact, happiness IS success. | 'There are only two tragedies in life: one is not getting what one wants, and the other is getting it.' Oscar Wilde
User avatar
Topic Author
steve321
Posts: 954
Joined: Sat Sep 09, 2017 9:16 am
Location: Southampton, UK

Re: Security question on one's passwords

Post by steve321 »

Is there a way you can find out (besides the hard way...) if there's malware on your computer (PC or chromebook)?
Success does not bring happiness. In fact, happiness IS success. | 'There are only two tragedies in life: one is not getting what one wants, and the other is getting it.' Oscar Wilde
oldfort
Posts: 2781
Joined: Mon Mar 02, 2020 7:45 pm

Re: Security question on one's passwords

Post by oldfort »

steve321 wrote: Sun Sep 13, 2020 11:42 am Is there a way you can find out (besides the hard way...) if there's malware on your computer (PC or chromebook)?
Virus scan.
coachd50
Posts: 1778
Joined: Sun Oct 22, 2017 10:12 am

Re: Security question on one's passwords

Post by coachd50 »

wander wrote: Sun Sep 13, 2020 11:22 am
TallBoy29er wrote: Sun Sep 13, 2020 11:20 am
wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
Just plain bad advice. As stated above, if any single site is breached, all sites that use that password are vulnerable. There are caches of breached passwords on the web.
You have your choice. I have my choice.
I think the point is that your choice may seem "secure" from the perspective of someone randomly accessing one of your accounts/sites through a "brute force attack". However, that does not appear to consider the potential risk of someone hacking one of those sites themselves, and obtaining your password...and thus have access to MANY of your sites.
User avatar
ThereAreNoGurus
Posts: 970
Joined: Fri Jan 24, 2014 10:41 pm

Re: Security question on one's passwords

Post by ThereAreNoGurus »

Wrench wrote: Sun Sep 13, 2020 11:25 am
My approach? I use KeePass where the database is stored locally. I use both a (strong) master password AND and an encryption file for my KeePass database. EVERY account has a long, random password. Nothing is 100% secure, but this approach reduces the risk to a level I am comfortable with.

Bottom line: do something so you can use strong, unique passwords for every account where data is stored that you care about.
That's exactly what I use. (I use VeraCypt [free] for the encryption).
Trade the news and you will lose.
User avatar
JoeRetire
Posts: 15381
Joined: Tue Jan 16, 2018 1:44 pm

Re: Security question on one's passwords

Post by JoeRetire »

steve321 wrote: Sun Sep 13, 2020 9:12 amIs it ok to choose a pretty complicated password but the same for all accounts?
It's okay by me. It probably depends on how lucky you feel.

[quoteIt would be very hard for me to remember a password for each account (I tried that before and often had to ask for a new one since I forgot it).[/quote]
It's not that hard. You need to combine your base "pretty complicated password" with something unique to the account. At least that's what I do. Easy.
I mean is there a bigger risk if all your passwords are the same?
Of course. The risk is that once one password is compromised, they are all compromised. You get to decide how much riskier that is, and if you care or not.
This isn't just my wallet. It's an organizer, a memory and an old friend.
Wrench
Posts: 1055
Joined: Sun Apr 28, 2019 10:21 am

Re: Security question on one's passwords

Post by Wrench »

....
[/quote]
Thank you I am going to explore this. As you must have realized I know nothing about computers so this question might sound stupid: when you say
KeePass where the database is stored locally
does it mean that you store the datebase yourself like on an external disk drive? Or is it still on the web?
[/quote]

It can be stored on the hard drive of your computer, or on an external disk. Or, I have even set it up so the database is stored on google drive or dropbox (online "cloud" storage systems) but the encryption file is only stored locally. That way if your cloud storage is hacked your data cannot be read because the hacker does not have the encryption file even if somehow they guess (know) your master password. If you do it this way, the database can be accessed from multiple computers. I will say that I have found with my clients that KeePass is not nearly as easy to set up and use as LastPass. I usually end up having to help them initially (Most of my individual clients are not computer sophisticated). Also as open source freeware, there is no support like there is with LastPass. I'd try different approaches and see which one suits you best.

Good luck!

Wrench
User avatar
JoeRetire
Posts: 15381
Joined: Tue Jan 16, 2018 1:44 pm

Re: Security question on one's passwords

Post by JoeRetire »

atikovi wrote: Sun Sep 13, 2020 11:07 am On most websites aren't passwords stored so that even the owners couldn't retrieve them, which is why if you can't remember it, you have to reset it? They can't just email you the original password.
Most do. Some don't. How lucky do you feel?
This isn't just my wallet. It's an organizer, a memory and an old friend.
Case59
Posts: 225
Joined: Fri Dec 30, 2011 11:31 am

Re: Security question on one's passwords

Post by Case59 »

For important websites like banks and brokerages, I use an initials scheme. The password is comprised of the first letters of lines of a favorite song or poem, plus the year of the song or poem. So, if my favorite song is Stairway to Heaven (which of course it isn't or I wouldn't be using it here), for my bank, the password represents initials of the first two lines: Talwsatgig1971. It's complex, hard for any stranger to crack (I hope) but easy for me to remember and type.

I have variations for each important account, like second lines, last lines, different songs or poems, etc. For reminders, I keep a separate note for each account, but without the song or poem's names: "Vanguard: First two lines of favorite song."

I don't know if this makes a lot of sense , but it seems to have worked okay for me for years.
Last edited by Case59 on Sun Sep 13, 2020 12:08 pm, edited 3 times in total.
"Most quotations on the internet are incorrect."-Mark Twain
User avatar
warner25
Posts: 934
Joined: Wed Oct 29, 2014 4:38 pm

Re: Security question on one's passwords

Post by warner25 »

atikovi wrote: Sun Sep 13, 2020 9:15 amThat's what I do or a slight variation there off. And they're not too complicated. No problem in 20+ years.
As we say all the time in investing, don't confuse strategy with outcome...
atikovi wrote: Sun Sep 13, 2020 10:28 am I'm annoyed when a site requires your password to have at least one upper or lowercase letter, one number, a special character, etc.
This I agree with. And mathematically, a sufficiently long (but easier to remember and type) passphrase of all lower-case letters is stronger than a shorter (but harder to remember and type) password containing %&!#$. I think more administrators are starting to embrace this, but it will take a whole generation before nobody requires those crazy passwords anymore (along with password changes every 90 days, which NIST discouraged years ago).
User avatar
JoeRetire
Posts: 15381
Joined: Tue Jan 16, 2018 1:44 pm

Re: Security question on one's passwords

Post by JoeRetire »

Kenkat wrote: Sun Sep 13, 2020 11:34 amthere are best practices that the vast majority of commercial financial sites will use.
That is indeed true for the vast majority of commercial financial sites.
  • "vast majority" is not the same as "all". How lucky do you feel?
  • Nobody accesses only commercial financial sites. How lucky do you feel?
  • If you use the same password everywhere, your security is only as good as the weakest link. How lucky do you feel?
This isn't just my wallet. It's an organizer, a memory and an old friend.
egrets
Posts: 888
Joined: Sun Jul 05, 2020 2:56 pm
Location: Rhode Island

Re: Security question on one's passwords

Post by egrets »

jebmke wrote: Sun Sep 13, 2020 10:10 am
wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
I have never had to change my passwords at financial institutions. I can't remember the last time any online site of any kind required me to change my password. I've done it voluntarily for a couple of email accounts that I needed to strengthen.
Some of my credit unions require a periodic change. The Social Security website does also.

Not in 10,000 years would I use a password manager and keep all my passwords out on the web in one place.
jebmke
Posts: 25476
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: Security question on one's passwords

Post by jebmke »

egrets wrote: Sun Sep 13, 2020 11:59 am Not in 10,000 years would I use a password manager and keep all my passwords out on the web in one place.
Can't comment on the online ones because I don't use an online one. I use Keepass which is not online.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
User avatar
Kenkat
Posts: 9553
Joined: Thu Mar 01, 2007 10:18 am
Location: Cincinnati, OH

Re: Security question on one's passwords

Post by Kenkat »

JoeRetire wrote: Sun Sep 13, 2020 11:58 am
Kenkat wrote: Sun Sep 13, 2020 11:34 amthere are best practices that the vast majority of commercial financial sites will use.
That is indeed true for the vast majority of commercial financial sites.
  • "vast majority" is not the same as "all". How lucky do you feel?
  • Nobody accesses only commercial financial sites. How lucky do you feel?
  • If you use the same password everywhere, your security is only as good as the weakest link. How lucky do you feel?
Agree 100%; I’d never advocate using the same password for multiple sites (and didn’t above). I don’t even use the variation technique as a general rule - all passwords are pretty distinct from one another.
kbjeffrey
Posts: 66
Joined: Fri Aug 07, 2020 4:55 pm

Re: Security question on one's passwords

Post by kbjeffrey »

wander wrote: Sun Sep 13, 2020 10:07 am One complicated password for all is fine. But eventually, web sites require you to change passwords anyway.
Not such a good idea and especially risky if you use the same username. Some websites don't encrypt your passwords when they save them. When they are hacked or someone at the company behaves badly, they have have all your passwords.
User avatar
Kenkat
Posts: 9553
Joined: Thu Mar 01, 2007 10:18 am
Location: Cincinnati, OH

Re: Security question on one's passwords

Post by Kenkat »

oldfort wrote: Sun Sep 13, 2020 11:37 am Read this Microsoft article on why your password doesn't matter.
https://techcommunity.microsoft.com/t5/ ... a-p/731984
This is a very well written / well researched article on how accounts actually get compromised.
kbjeffrey
Posts: 66
Joined: Fri Aug 07, 2020 4:55 pm

Re: Security question on one's passwords

Post by kbjeffrey »

egrets wrote: Sun Sep 13, 2020 11:59 am
Not in 10,000 years would I use a password manager and keep all my passwords out on the web in one place.
You should take a look at Enpass. It is an open source password manager where you hold on to your own passwords. It is a favorite with the security researchers I've asked.
Nicolas
Posts: 4923
Joined: Wed Aug 22, 2012 7:41 am

Re: Security question on one's passwords

Post by Nicolas »

No, don’t do this, it’s not secure because if any site is compromised and your password is revealed then all of your accounts are immediately at risk. Use a password manager which will provide you with a unique uncrackable password for each of your sites (at least until quantum computers become a thing, anyway).

You need to remember only one master password. Then when logging in anywhere it’s just a copy and paste routine or, depending on the password manager and the site you’re applying it to, the username and password populate automatically.
Last edited by Nicolas on Sun Sep 13, 2020 6:59 pm, edited 2 times in total.
Katietsu
Posts: 7677
Joined: Sun Sep 22, 2013 1:48 am

Re: Security question on one's passwords

Post by Katietsu »

I separate how I handle passwords based on risk to me. I mean how much damage can someone do if they get my Netflix password? Is there some risk here that I am not considering? For that matter, I include credit card companies in the “not overly concerned” category. Don’t get me wrong, I still use a decent password on these sites, though may reuse the password based on category. Now when it comes to my bank and my money, I use a greater level of care.
Last edited by Katietsu on Sun Sep 13, 2020 12:18 pm, edited 1 time in total.
Post Reply