Online passwords

pigfender
Posts: 2810
Joined: Tue Oct 12, 2010 10:25 am
Platform: Mac, Win + iOS
Location: I share a head with a great many personalities

Fri Nov 01, 2013 4:03 pm Post

I'm about to do a complete refresh of all my online passwords, changing all of them to make sure that they are:
- unique
- strong
- known only to me.

The problem with that is that I'll have zero chance of ever remembering any of those unless I write them all down somewhere. Which means I have to go through the process of finding that each time I want to do *anything*.

So I was thinking, should I use one of those password manager things? I've always steered clear of them as they strike me as more of a security risk than an extra level of protection. Does anyone who knows what they are talking about have an opinion / recommendation on whether I should use one, and if so, which one?
http://www.pigfender.com | http://www.novelinaday.com
"Some dice only have sixes." nom, 19 Oct 2013

Jaysen
Posts: 6227
Joined: Mon Dec 17, 2007 4:00 am
Platform: Mac + Windows
Location: East-Be-Jesus-Nowhere SC, USA

Fri Nov 01, 2013 5:43 pm Post

Avoid anything free.
One password seems decent.

That said I take a different approach.
* Use one username (or as close to it as possible) for all accounts.
* Use one strong password.

Strong is relative though. The password dogs like steak dinners is actually stronger than Sc!v3neR#@%. Compromise difficulty (both human and machine) is increased at a near-exponential rate by length. If you are truly paranoid, mix the two ideas for something like Uth3I5xingETH!MeansN0thing.

Don't forget to ask yourself one other important factor though: Is there really anything to lose if you are compromised? If you answer "yes", then you might want to take that stuff off the net. I don't do 'net banking or HR activities on the net for this very reason.
Jaysen

I have a wife and 2 kids that I can only attribute to a wiggle, a giggle, and the realization that she was out of my league so I might as well be happy with her as a friend. 26 years marriage later, I can't imagine life without her. -Me 10/7/09


Juddbert
Posts: 1099
Joined: Sun May 13, 2007 2:08 pm
Platform: Mac
Location: Penzance, Cornwall, UK

Fri Nov 01, 2013 6:50 pm Post

Not a password manager/generator as such, but I use Yojimbo for all my personal data, with my passwords and other sensitive data encrypted. That way, I've just the one password to burn in to my decaying grey matter. Maybe not as convenient as a dedicated password manager, but I'm happier knowing that I retain an element of control.

Edit: Damn. Having posted, I've now noticed you're on Windows OS. Ignore the above: it's of no use to you whatsoever.
Can't write right. Don't care neither. Er...either.

Scrivener 3.1.1 on macOS 10.14.
Occasional player of the old Scappleodium...

druid
Posts: 1721
Joined: Fri Jun 22, 2007 2:29 pm
Platform: Mac, Win + Linux
Location: Princeton NJ, USA

Fri Nov 01, 2013 7:03 pm Post

Pigfender, I recommend 1Password 4.
It runs on Mac, Windows, Android, and iOS.
You may synch it to Dropbox and all files stay up to date.
Plus it works via Chrome, Safari, and other browsers.
I think Jaysen's idea of one ID and one strong password is good.
It's amazing how many logon files you can build up.

Sanguinius
Posts: 615
Joined: Sun Dec 04, 2011 4:16 pm
Platform: Windows

Fri Nov 01, 2013 7:07 pm Post

You could try Truecrypt, by creating an encrypted container with however long/complex of a password that you need which contains a single text file with all of your user names and passwords. This file would then only be on your computer, and not on the net, and you only need to remember the single password for the TC container.

Truecrypt IS free, but it is one of the rare free programs that is so good at what it does that you don't need anything else. It's completely secure and it's damn-near impossible to crack in a human lifetime, assuming your password is long/complex enough.

robertdguthrie
Posts: 3075
Joined: Mon Nov 09, 2009 10:06 pm
Platform: Mac
Location: St. Louis, MO, USA

Fri Nov 01, 2013 10:16 pm Post

I've been using 1password for windows/mac/ios for about a year. I'm pretty happy with it, though I do grumble at myself for choosing such a long master password to unlock it.
Often wrong, rarely in doubt.
Time for a change... I'm now rdale; same dog-avatar, same dog... channel?

xiamenese
Posts: 4320
Joined: Mon Jan 29, 2007 1:32 am
Platform: Mac
Location: London or Exeter, UK.

Fri Nov 01, 2013 11:50 pm Post

I’m a belt-and-braces type of person. I’ve been using Yojimbo for years in exactly the way Juddbert describes, but I’ve been migrating to using 1Password for the last couple of years. So now I get 1Password to create the passwords for me, but I also copy them into my password-protected Yojimbo folder.

My only problem with 1Password is that there is no extension for OmniWeb, which I prefer way above all other browsers. Now that OmniWeb 6 is in beta, 64-bit and using the System engine rather than a proprietary modified version of it, I hope AgileBits will create the extension … then I could get rid of excursions into Safari or Chrome, though I will have to continue to use Firefox for my bank.
The Scrivenato sometimes known as Mr X.
iMac 27" (late 2015) 10.15.4, 24GB RAM, 512GB SSID
MBP17" (late 2011) 10.13.6, 16GB RAM, 2TB SSID
2017 iPad, iPadOS 13.3, 128GB, Apple Pencil
Scrivener, Scapple, Nisus Writer Pro, Bookends …

nom
Posts: 1918
Joined: Sun Aug 31, 2008 12:02 am
Platform: Mac + iOS
Location: Melbourne, Australia

Sat Nov 02, 2013 3:38 am Post

In terms of software tools for this job, 1Password seems to be the gold standard. One day I'm going to transfer to 1Password from SplashID (a hangover from my Palm days - it works but is neither easy to use, nor elegant).

One day...
Complete and utter NOMsense.

dspady
Posts: 104
Joined: Thu Sep 16, 2010 12:29 pm

Sat Nov 02, 2013 2:19 pm Post

An approach I use is to take a series of numbers (e.g. 3 or 34 or 345 or your old address number) and then extend it out to 'n' digits (say 8: thus 34 becomes 34343434) and then take the hex value of that number which, in this case, is 20C0A0A and use that, or a variant such as 20C0a0a or 20c0a0a or 20c0a0a20c0a0a (i.e. double it) as your password. Then, be consistent in the number of digits you extend your series out (i.e. always use 7 or 8 or whatever) and if you need a hint to remind yourself, just write the original 'seed' value: in this case 34. You know what it is. So you could have a list of your relevant signons or whatever, with a seed value for each.

Hex calculators are built into Macs and PCs, so they are reasonably readily available.

Don
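
The derivation described in the post above, written out as an added example (not code from the thread), together with a count of how many distinct passwords it can produce. The seed range (1 to 4 digits), the lengths (6 to 10 digits) and the four case/doubling variants are assumptions made here; the mixed-case variant is left out.

```python
import math
from itertools import product


def derive(seed, n_digits=8):
    """Repeat the seed's digits out to n_digits, read the result as a
    decimal number and return its hex form (upper case, as in the post)."""
    if not seed.isdigit():
        raise ValueError("seed must consist of decimal digits")
    repeated = (seed * n_digits)[:n_digits]
    return format(int(repeated), "X")


def variants(password):
    """Case and doubling variants mentioned in the post (assumed set)."""
    low = password.lower()
    return {password, low, password * 2, low * 2}


def scheme_keyspace(max_seed_len=4, lengths=range(6, 11)):
    """Every distinct password the scheme yields over the assumed ranges."""
    found = set()
    for k in range(1, max_seed_len + 1):
        for digits in product("0123456789", repeat=k):
            seed = "".join(digits)
            for n in lengths:
                found |= variants(derive(seed, n))
    return found


def bits(count):
    """Size of a search space expressed in bits."""
    return math.log2(count)


if __name__ == "__main__":
    space = scheme_keyspace()
    print("seed 34 ->", derive("34"))
    print("scheme: %d passwords, %.1f bits" % (len(space), bits(len(space))))
    print("7 random hex digits: %.1f bits" % bits(16 ** 7))
```

Under these assumptions the scheme yields at most 222,200 candidates, which is under 18 bits, against 28 bits for seven hex digits chosen at random.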

r6d2
Posts: 735
Joined: Fri Aug 23, 2013 4:50 pm
Platform: Mac + Windows

Sun Nov 03, 2013 3:20 am Post

pigfender wrote: So I was thinking, should I use one of those password manager things? I've always steered clear of them as they strike me as more of a security risk than an extra level of protection.

I've been using LastPass for a few years now. It syncs across all computers and browsers (and mobile).

Regarding security, I try to comfort myself thinking that if a password manager company is hacked or compromised by an inside job, they'll be out of business in a wink. :roll:

Anyway, in a world where Google knows where you are and who you chat/mail/talk to, I don't care if they have my credit card number too. :wink:
r6d2

Beware of realism when writing. Avoid the usual zoo inhabitants. Summon the unicorns and the tritons, and give them reality!
--Julio Cortázar

vic-k
Posts: 7135
Joined: Fri Apr 27, 2007 8:23 am
Platform: Mac + Windows
Location: Protesting in the nude, outside ex Red Lion TESCO Store

Sun Nov 03, 2013 2:33 pm Post

r6d2 wrote: I don't care if they have my credit card number too.
Unless they pass it on to Obama, and he uses it to finance drone spying operations on the ner'-do-'ells in Portland, Oregon. :shock:

Be Vigilant

Special Agent 006&abit Vic-k 8)

P.S. It could be even worse! He could then pass it on to Michelle Obama and the kids, and let them loose in Bloomingdales and/or Tiffany's :shock: :? :( :cry:
As a professional, you, are your one and only asset. Without integrity you are worthless, but with it, you are priceless.

Jaysen
Posts: 6227
Joined: Mon Dec 17, 2007 4:00 am
Platform: Mac + Windows
Location: East-Be-Jesus-Nowhere SC, USA

Mon Nov 04, 2013 2:04 pm Post

vic-k wrote: P.S. It could be even worse! He could then pass it on to Michelle Obama and the kids, and let them loose in Bloomingdales and/or Tiffany's :shock: :? :( :cry:

My CC companies would say "Yeah, that is fraud. Those stores won't let that kind of redneck in the front door."
Jaysen


Briar Kit
Posts: 1787
Joined: Thu Apr 04, 2013 9:04 am
Platform: Mac

Tue Nov 05, 2013 7:59 pm Post

Some top passwords here to try...

http://www.bbc.co.uk/news/technology-24821528

:D
Account closed January 2017

NorthboundTrain
Posts: 77
Joined: Sun Oct 21, 2012 11:57 am
Platform: Mac

Sat Jan 25, 2014 4:47 pm Post

Coming to this late, but just in case someone else stumbles along...

First off, using one password for everything is just a Bad Idea. Look at the number of security breaches in the last few months; if any one of them included a password of yours, you've just exposed your entire online presence. Couple that with the same account name and you've not only lost the keys to the kingdom, you've sent people a map to use, too. You need to vary your passwords. Each and every one of them should be different, and using a password manager is one of the best ways to do that.

Personally, I use LastPass. Why?

It’s a password manager that integrates with your browser, making for as seamless an integration as is possible. It’s available on all major desktop OSes (Windows, Mac & Linux), all major browsers (Firefox, Chrome, Internet Explorer, Safari & Opera) and all major mobile OSes (iOS, Android, BlackBerry and Windows). The basic usage is to create and remember one long, complicated password that unlocks all of your other passwords. Yes, you are completely hosed if someone gets your main password, but that’s why you make it long and complicated. If you set things up well in LastPass, the chances of a breach are small, so it really is tens of orders of magnitude better than the low-tech alternatives. And, assuming it is somehow compromised, it’s no worse than using the same password everywhere, writing them down on a post-it note or in a poorly secured spreadsheet, but it will have taken the hacker a lot of trouble to get your data, so much so that they probably gave up and moved on instead of plugging away.

Here's the main site:


Here's the page on how their basic security technology works:


Besides being very good at what it does it also allows for the sharing of passwords (securely!) between two subscribers, which really helps when Will and I need to access the same account.

There are several options for multi-factor authentication, including Google Authenticator (which has a nice mobile app, and is what I use):


You want to use multi-factor authentication; it’s just safer and it’s very easy to set up. You also want to make sure that your settings log you out automatically if your computer is idle for some length of time (e.g. 5 minutes). Yes, it means that you will type in your long, complicated password several times a day sometimes; with practice, you’ll get good at typing it.

In the Spring of 2011 LastPass had a "security issue" (you can read about it here: http://blog.lastpass.com/2011_05_01_archive.html -- start reading in the section just above "Update 1" and then read the updates up from there). In a nutshell, they saw some network data activity that they could not explain, and reacted with extreme paranoia. This impressed me because: 1) they monitor things to the level where they can see that this particular network traffic is not "normal"; 2) they reacted immediately; and 3) their reaction was very paranoid. Rather than make me uncomfortable with their service, it makes me feel much, much better. I want them to react that way to a potential security breach (which was, in and of itself, very unlikely).

Anyhow, I've been using them since the Winter of 2010. I have their premium service, which is $1/month and I'd be willing tomorrow to pay 10 times that.

Oh, and in case you need convincing that you should be using such a service, read these:


The first one was the article that convinced me that I needed to change my password habits.
Regards,


joe