  #16  
Old 04-19-2024, 03:02 PM
MikeD MikeD is offline
Senior Member
 
Join Date: Jan 2015
Posts: 2,933
I use BitWarden. My experience with it is meh. Seems like I always find myself having to log into it because I'm on multiple systems. And what about the LastPass debacle? I'm unconvinced of the utility and security of a password manager. Having to manually key in one of those long cryptic passwords would be a colossal pain in the you know what. My important accounts are 2 factor protected anyway. I think there is a balance between ultimate security and convenience. I think you computer security types don't quite get that.
Reply With Quote
  #17  
Old 04-19-2024, 03:19 PM
slowpoke slowpoke is offline
Senior Member
 
Join Date: Jun 2010
Location: San Francisco, CA
Posts: 1,556
Quote:
Originally Posted by C40_guy View Post
Easy. Nine common letters plus four unique ones relevant to specific use...

i.e. Poopystuffebay# for ebay sign-on, Poopystuffamaz# for Amazon sign-on...
Except when one site leaks your unencrypted passwords, now people who want to target you know your general algorithm. E.g. Poopystuffpace# or Poopstuffpaceline#

Just use a password manager and generate unique passwords for each site. DIY spreadsheet or physical notebook can work, but you then need to sync it across multiple devices for backups et cetera.

Your three most likely mistakes you'll make online are probably:
- entering your credentials on a very believable phishing site
- having one of the many sites that you've reused your passwords leak that password
- buying stuff you don't need on Paceline
Reply With Quote
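Added example, not part of any post in this thread: a small audit of your own password list that flags the weaknesses debated above (a shared stem, the site name embedded in the password, exact reuse). The function names, the thresholds and every sample entry other than the two passwords quoted from the thread are assumptions constructed for illustration.

```python
from itertools import combinations
from os.path import commonprefix

MIN_STEM = 6  # assumed threshold: shared leading characters that count as a stem
MIN_TAG = 4   # assumed threshold: shortest site-name fragment worth flagging

# Constructed sample vault; only the first two passwords come from the thread.
SAMPLE_VAULT = {
    "ebay.com": "Poopystuffebay#",
    "amazon.com": "Poopystuffamaz#",
    "forum.example": "hunter2hunter2",      # constructed
    "shop.example": "hunter2hunter2",       # constructed: exact reuse
    "bank.example": "q7V!rT2m#Lx9Zp4&cW",   # constructed: random and unique
}


def site_label(site: str) -> str:
    """Return the main label of a host name, e.g. 'www.ebay.com' -> 'ebay'."""
    parts = site.lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def audit(vault: dict[str, str]) -> dict[str, set[str]]:
    """Map each site to the set of weaknesses found in its password."""
    findings = {site: set() for site in vault}
    for site, pw in vault.items():
        label = site_label(site)
        # Any MIN_TAG-long slice of the site label appearing in the password
        frags = (label[i:i + MIN_TAG] for i in range(len(label) - MIN_TAG + 1))
        if any(f in pw.lower() for f in frags):
            findings[site].add("embeds-site-name")
    for (s1, p1), (s2, p2) in combinations(vault.items(), 2):
        if p1 == p2:
            tag = "reused"
        elif len(commonprefix([p1, p2])) >= MIN_STEM:
            tag = "shared-stem"
        else:
            continue
        findings[s1].add(tag)
        findings[s2].add(tag)
    return findings


if __name__ == "__main__":
    for site, issues in audit(SAMPLE_VAULT).items():
        print(f"{site:15} {', '.join(sorted(issues)) or 'ok'}")
```

Any entry that reports a finding is a candidate for replacement with a generated, unrelated password.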
  #18  
Old 04-19-2024, 03:23 PM
slowpoke slowpoke is offline
Senior Member
 
Join Date: Jun 2010
Location: San Francisco, CA
Posts: 1,556
I love this forum and all, but if there's one place I worry about a leak, it would be here. We're running on super outdated software.

So make sure your Paceline password is different from any other site.
Reply With Quote
  #19  
Old 04-19-2024, 04:22 PM
kingpin75s kingpin75s is offline
Senior Member
 
Join Date: Mar 2013
Location: Mpls, MN
Posts: 1,570
Quote:
Originally Posted by NYCfixie View Post
I work in Cybersecurity as well and what I tell friends/family/co-workers is:
- Use a password manager
- Have it create and store the passwords for you (15 characters minimum but the more the better)
- DO NOT use the same password for multiple accounts/services
- Make sure ALL accounts/services are set up for multi-factor authentication
- Your email password should be the STRONGEST password
(because if hackers can get into your email they can often reset passwords for all other accounts/services since most people do not use multi-factor authentication)
- Your password manager should have your second strongest password
- Write your eMail and Password Manager passwords on an index card (yes, I mean paper) and store them safely some place in your home. DO NOT save them anywhere else.


Many commercial password managers can be (or have been) broken. Nothing is perfect. The safest method is to keep everything on paper, locked away at home, and never share with anyone.

Multi-factor authentication is not perfect. Hackers have found interesting ways to get around it (i.e. they can clone your mobile number to receive the multi-factor code you need to authorize yourself to a system after entering the password they have been able to figure out or steal from you).

The point is, most hackers are lazy so if you use a few different methods to protect yourself, hackers will move on and try to terrorize another person who may not have safeguards in place.

Be careful out there.
This all looks like pretty good stuff. Had to see what advice was being given here as NIST guidance was wrong up until about 6 years ago. I had to stonewall auditors for years until guidance finally matched real world experience. Frequent password change requirements of the past have always only led to bad behavior. Length is key and complexity is secondary. 14 or more chars in my book.
Reply With Quote
  #20  
Old 04-19-2024, 05:00 PM
jkbrwn jkbrwn is offline
Senior Member
 
Join Date: May 2020
Location: Kernville, CA
Posts: 2,287
Quote:
Originally Posted by MikeD View Post
I use BitWarden. My experience with it is meh. Seems like I always find myself having to log into it because I'm on multiple systems. And what about the LastPass debacle? I'm unconvinced of the utility and security of a password manager. Having to manually key in one of those long cryptic passwords would be a colossal pain in the you know what. My important accounts are 2 factor protected anyway. I think there is a balance between ultimate security and convenience. I think you computer security types don't quite get that.
I don't use BW, I use 1Password (and LP at work) and I honestly don't think it could be any easier to deal with passwords with 1Password. It auto creates passwords on sign up pages and auto saves them for you. It's child's play. And its iOS integration is fantastic from an iPhone user's perspective.
Reply With Quote
  #21  
Old 04-19-2024, 05:08 PM
Louis Louis is offline
Boeuf Chaîne
 
Join Date: Dec 2003
Location: St. Louis MO
Posts: 25,470
Quote:
Originally Posted by slowpoke View Post
So make sure your Paceline password is different from any other site.
What % of PL users (say, those who visit the forum at least once a week) do you think use the PL password elsewhere too?

I sure hope that's a low, low number, because doing so would be truly foolish, especially if that pw is used for anything remotely important.
Reply With Quote
  #22  
Old 04-19-2024, 05:21 PM
Ewiser Ewiser is offline
Senior Member
 
Join Date: Dec 2020
Posts: 382
I had a password manager for years. But have switched to Apple’s built-in password manager after seeing all the third-party managers getting hacked.
I always use long multi character passwords and the Apple password manager will show compromised passwords too.
I also use two factor when it is offered on a login also. I have been doing web dev since forever and learned not to trust any site.
Reply With Quote
  #23  
Old 04-20-2024, 05:50 AM
gravelreformist gravelreformist is offline
Senior Member
 
Join Date: Aug 2023
Posts: 184
Quote:
Originally Posted by MikeD View Post
Then what happens if that program fails or you don't have access to it? I've been unwilling thus far to put all my faith in a password manager.
I use Password Safe which is free and open-source. The encrypted file is stored locally, so there is no service to go down. Storing it on any cloud platform makes it available across devices, including mobile.

I have yet to hear a convincing argument as to how anyone's personal system is better or more secure than a password safe.
Reply With Quote
  #24  
Old 04-20-2024, 05:52 AM
gravelreformist gravelreformist is offline
Senior Member
 
Join Date: Aug 2023
Posts: 184
Quote:
Originally Posted by MikeD View Post
I use BitWarden. My experience with it is meh. Seems like I always find myself having to log into it because I'm on multiple systems. And what about the LastPass debacle? I'm unconvinced of the utility and security of a password manager. Having to manually key in one of those long cryptic passwords would be a colossal pain in the you know what. My important accounts are 2 factor protected anyway. I think there is a balance between ultimate security and convenience. I think you computer security types don't quite get that.
Having a fully populated safe that you know how to use improves both security and convenience. I don't ever have to think about passwords. My safe manages that for me. It's far more inconvenient to have to manage some personal system, which inevitably fails in some way so you are resetting a forgotten password, etc.

I've worked in IT for over two decades. I've seen every sort of personal system imaginable. The user always has some justification they've used to convince themselves that their system is better. It isn't.
Reply With Quote
  #25  
Old 04-20-2024, 06:07 AM
JMT3 JMT3 is offline
Senior Member
 
Join Date: Sep 2022
Location: Urbana, Illinois
Posts: 260
I’ve only had information hacked once and it was years ago when the IRS site was hacked and I was one of the lucky 600,000 persons that had my SSN stolen and a return filed under my social security number.

Rules I live by are never click on links emailed or texted to me from an unknown. Don’t click on links sent to me by a known if I’m not expecting it. I refuse to give my ssn number to anyone unless it’s a bank and I’m there or on the phone if I called the bank. Make all purchases with my watch or phone not a card. Carry all my cards in a scan-proof wallet. Save no credit card information on anyone’s site plus I tend to buy gift cards to make purchases. When in doubt don’t do it. A good chance if it’s too good to be true it just might not be. Verify!

Other than the IRS hack that is my one and only.
__________________
A bad day on the bike is better than a good day at work!
Reply With Quote
  #26  
Old 04-20-2024, 07:39 AM
C40_guy C40_guy is online now
Senior Member
 
Join Date: Aug 2008
Location: New England
Posts: 5,969
Quote:
Originally Posted by jkbrwn View Post
Insane when pw managers exist lol
So...let's say I need to log on to an airline site at a hotel using their computer...pw manager won't help me there...
__________________
Colnagi
Seven
Sampson
Hot Tubes
LiteSpeed
SpeshFatboy
Reply With Quote
  #27  
Old 04-20-2024, 07:41 AM
C40_guy C40_guy is online now
Senior Member
 
Join Date: Aug 2008
Location: New England
Posts: 5,969
Quote:
Originally Posted by slowpoke View Post
Except when one site leaks your unencrypted passwords, now people who want to target you know your general algorithm. E.g. Poopystuffpace# or Poopstuffpaceline#
Most criminals aren't that smart, and they'd probably need more than one to figure out the pattern.

If criminals start using big data and AI to figure this out, it's game over anyway. Might as well just leave my wallet on the driveway.
__________________
Colnagi
Seven
Sampson
Hot Tubes
LiteSpeed
SpeshFatboy
Reply With Quote
  #28  
Old 04-20-2024, 07:44 AM
oldpotatoe oldpotatoe is offline
Proud Grandpa
 
Join Date: Oct 2009
Location: Republic of Boulder, USA
Posts: 47,055
Quote:
Originally Posted by benb View Post
I long gave up on making them up myself. Use a program to generate a super secure one and then obviously you have to use a program to store them, it's impossible to remember them all when you have hundreds and they're totally random.
I make them up myself...various letters, caps and lower case, numbers and characters none of which really apply to me, not related like no WlBldrTdy123&&, etc.

Then I write them in a notebook I have and yes, I have 5-6 pages of them but I don't have to depend on any 'service' to store them.
__________________
Chisholm's Custom Wheels
Qui Si Parla Campagnolo
Reply With Quote
  #29  
Old 04-20-2024, 07:53 AM
gravelreformist gravelreformist is offline
Senior Member
 
Join Date: Aug 2023
Posts: 184
Quote:
Originally Posted by C40_guy View Post
So...let's say I need to log on to an airline site at a hotel using their computer...pw manager won't help me there...
First, the chance of me ever doing that is zero.

Second, it still helps because I'd just pull up my safe on my phone and type the password in manually (and then immediately change it!)
Reply With Quote
  #30  
Old 04-20-2024, 08:04 AM
C40_guy C40_guy is online now
Senior Member
 
Join Date: Aug 2008
Location: New England
Posts: 5,969
Quote:
Originally Posted by gravelreformist View Post

Second, it still helps because I'd just pull up my safe on my phone and type the password in manually (and then immediately change it!)
Ah, that makes sense.
__________________
Colnagi
Seven
Sampson
Hot Tubes
LiteSpeed
SpeshFatboy
Reply With Quote
All times are GMT -5.