Viewing 40 posts - 1 through 40 (of 41 total)
  • New Year's Resolution: Sort out my flipping passwords
  • deadlydarcy
    Free Member

    I read some useful suggestions on this subject in threads last year but didn’t bookmark them.

    Just talking about stuff for all the various sites: Facebook, Twitter, STW, online car/pet/house insurance. What useful, easy to remember systems are people using these days to keep passwords unique but memorable? With a lot of these sites I’m now having to reset the passwords each time I log in. 😕

    The only one I keep truly unique and etched in stone in my brain is my online banking one which I won’t duplicate for any other ones.

    Are password “wallet” type apps for smartphones useful or quite insecure?

    nick1962
    Free Member

    cynic-al
    Free Member

    I use the same one for every site I won’t lose money on or am not too bothered about getting hacked, then “special” ones for the important stuff.

    I doubt this is unique and no doubt someone will tell me it’s not secure!

    lunge
    Full Member

    The system I use is to pick a word, bats for instance, complicate it by adding numbers and symbols, so bats becomes B@t5, then add some letters to that word that correspond to the website you are logging in to. For here B@t5 may become StWB@t5. This means I only need to remember one word and the name of the website does the rest for me. I’m sure it’s not perfect but it works for me.

    footflaps
    Full Member

    I use the same one for every site I won’t lose money on or am not too bothered about getting hacked, then “special” ones for the important stuff.

    +1

    grizedaleforest
    Full Member

    I use LastPass – and it’s also mandated for use by my company (which is involved in software security). It works well for me now I’m used to it and is available through a browser or an app. All I need to remember now is a single ‘hard’ master password. I also keep scans of things like passports and driving licenses in it.

    Some people won’t like storing their passwords in ‘the cloud’ but I’m fine with it and if you want this sort of solution can recommend it.

    stox
    Free Member

    I use the same password then add something relevant (initials, for example) on the end depending on what site it is.
    You still need to remember the unique part but you are half way there at least!

    leffeboy
    Full Member

    I use a similar solution to Al where most are the same if they aren’t important. Remember to keep your main email one separate as that is used to reset the rest :). For the important stuff I use RoboForm on a USB stick.

    Cougar
    Full Member

    Correct horse battery staple.

    https://xkcd.com/936/

    Cougar
    Full Member

    You need to protect against two things; having your password cracked, and having it harvested. Some sites still hold passwords in reversible encryption or, worse, plain text readable by anyone, so if that system is compromised then the crackers have a complete password list for everyone.

    The system of having a ‘base’ password and then modifying it per-site based on some algorithm you choose (eg, Caesar-ciphering part of the domain name and appending it) isn’t a bad one at all. It’ll go a long way to preventing situations where passwords get harvested from insecure systems and then injected into a script attack on a more secure one; given a list of a thousand passwords, a hack attempt is going to go “does this work, yes / no” and then move on to the next.

    What’s important to prevent a direct breach of your personal password is the password length. This is what xkcd is getting at; turning words into l33t-speak isn’t inherently more secure (crackers are aware of that little game), if it’s only a few characters long then it’ll still be brute-forced fairly readily. The more characters, the longer it takes.

    Anecdotally; I had cause to break in to a system for work reasons recently. The last password to fall was one set by a systems administrator no longer in employ (as opposed to the regular user accounts); cracking every password on the box took me three minutes. Haxx0r style passwords wouldn’t have made a difference, but longer passwords and a more securely encrypted database could’ve rendered it impossible for all practical purposes.
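
The two halves of that post, as an added example that is not part of the thread: a plain-text dump harvested from one site replayed against another (“does this work, yes / no, next”), and the base-password-plus-Caesar-shifted-domain derivation sketched above. Every account, password and domain here is constructed for illustration.

```python
"""Added example (not from the thread): replaying a harvested plain-text
list against a second site, and the per-site derivation Cougar sketches
(Caesar-shift part of the domain name and append it to a base password).
All accounts, passwords and domains below are constructed."""
from __future__ import annotations
from typing import Callable


def caesar(text: str, shift: int) -> str:
    """Shift a-z / A-Z by `shift` positions; everything else passes through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def derive_site_password(base: str, domain: str, shift: int = 3) -> str:
    """base + Caesar(first label of the domain).  Deterministic, so nothing
    needs to be stored, and different on every site."""
    label = domain.split(".")[0]
    return base + caesar(label, shift)


# Site A kept passwords in plain text and has been breached (constructed dump).
# Alice used her base password as-is; Bob used the per-site derivation.
HARVESTED_FROM_SITE_A = {
    "alice@example.com": "Tr0ub4dor&3",
    "bob@example.com": derive_site_password("Tr0ub4dor&3", "site-a.example"),
}

# Site B's accounts.  Alice reused the same password; Bob derived a new one.
SITE_B_ACCOUNTS = {
    "alice@example.com": "Tr0ub4dor&3",
    "bob@example.com": derive_site_password("Tr0ub4dor&3", "site-b.example"),
}


def make_login(accounts: dict[str, str]) -> Callable[[str, str], bool]:
    """Stand-in for a site's login endpoint: True if the pair is accepted."""
    def login(user: str, password: str) -> bool:
        return accounts.get(user) == password
    return login


def credential_stuffing(harvested: dict[str, str],
                        login: Callable[[str, str], bool]) -> list[str]:
    """Try every harvested pair exactly once against another site's login
    and return the accounts that fall.  No cracking is involved: the
    passwords were already in plain text."""
    return [user for user, pw in harvested.items() if login(user, pw)]


if __name__ == "__main__":
    fallen = credential_stuffing(HARVESTED_FROM_SITE_A, make_login(SITE_B_ACCOUNTS))
    print("accounts that fell on site B:", fallen)   # only alice
    print("bob on site-a:", HARVESTED_FROM_SITE_A["bob@example.com"])
    print("bob on site-b:", SITE_B_ACCOUNTS["bob@example.com"])
```

The replay only hits the account whose password was identical on both sites. The caveat a practitioner would add: the derivation is only as secret as the rule, and an attacker holding two of Bob’s plain-text passwords from two dumps can read the pattern straight off them, which is why a manager generating unrelated random passwords per site has no such weakness.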

    deadlydarcy
    Free Member

    Thanks Cougar!

    It’ll take me ages to decide on a phrase though. 🙂 But, I agree, and can see why that works best.

    Cougar
    Full Member

    Song lyrics, movie quotes? (Though the danger there is that “I’ll be back” makes its way onto a dictionary list so you still need to try to be obscure.)

    Cougar
    Full Member
    theflatboy
    Free Member

    Quite a lot of sites have a maximum limit on characters though, don’t they? So even if you have an unusually long unique base which is then slightly modified for each site, this will start to get confusing pretty fast to allow for length restrictions, no?

    chvck
    Free Member

    This is what I use also. You’re relying on them to not have a security breach but I’m fairly comfortable with it (I know some people aren’t). I just let it generate unique 12 character passwords for me. Bar a few sites that I really don’t care about and then I just use the same one for those.

    I also don’t store my email password in lastpass.

    footflaps
    Full Member

    “Correct horse battery staple.”

    The maths is completely flawed in the cartoon above.

    Most systems don’t store the raw password, they use a fixed-length hash of the password similar to an md5sum. This means that no matter what length the raw password, the hash is always the same length. Hence cracking by brute force is the same regardless of the length of the original. NB You don’t even need to get the right password to crack it, just find an equivalent string which creates the same hash.

    Cougar
    Full Member

    You should email Randall and point that out.

    Drac
    Full Member

    Apart from that it’s bollocks anyway trying to remember a phrase instead of a single word with some numbers in. We all have numbers that we use daily, phone numbers, work ID numbers, car reg or dates of birth for example that can be linked to single words.

    grizedaleforest
    Full Member

    Hence cracking by brute force is the same regardless of the length of the original

    What’s important is randomness – a longer password gives more scope for randomness.

    treaclesponge
    Free Member

    Try password safe, you store all your website passwords in it and then have a master password to ‘open’ the safe and copy paste into the web page. Then you dont have to remember them individually.

    deadlydarcy
    Free Member

    So much for a new year’s resolution. I still haven’t done anything about it. 😐

    zilog6128
    Full Member

    Similar to “password safe” idea above, Apple’s iCloud Keychain has a very neat feature in that it will automatically generate a random password when you need one which it will then store on your Mac/iPhone/iPad, so every one is unique and you don’t have to memorise (or even think about) them.

    Most systems don’t store the raw password, they use a fixed-length hash of the password similar to an md5sum. This means that no matter what length the raw password, the hash is always the same length.

    I did not know this. Good info!

    wwaswas
    Full Member

    I use song lyrics and pick the first letters of the first few lines and then add numbers etc.

    Still end up with the actual passwords in a secure place but at least the brute force hack is less likely to work.

    footflaps
    Full Member

    What’s important is randomness – a longer password gives more scope for randomness.

    Depends on the type of attack.

    If the Hash is a fixed length then the advantage of a longer password is lost to a brute force attack.

    If they use a common dictionary attack then common words will fail very quickly such as “P@55w0rd” etc.

    footflaps
    Full Member

    I did not know this. Good info!

    This is because if you compromise the system, all you get are the hashes which are completely useless as you can’t reverse them back to the original password just as you can’t re-create a video from the md5sum for the file.

    Every time you enter your password, to verify yourself, the OS runs the hash, then deletes all trace of the original string. It then compares the hash against the hash in its stored table and if they match, you’re in.

    Knowledge of the correct hash is of no use to a hacker, making the system very secure.
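
The store-a-hash-and-compare flow described in that post, as an added example that is not from the thread, written the way a current system should do it: a random per-user salt (the point NZCol raises later in the thread), a deliberately slow key-derivation function rather than a bare md5sum-style hash, and a constant-time comparison. The record format, iteration count and user table are my own choices for illustration; PBKDF2-HMAC-SHA256 from the Python standard library is used because it needs no third-party package.

```python
"""Added example (not from the thread): hash-and-compare login with a
per-user salt and a slow KDF.  Record layout, iteration count and the
sample user table are illustrative choices, not any real system's."""
from __future__ import annotations
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000       # raise over time as hardware gets faster
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, *, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'alg$iterations$salt_hex$key_hex'.
    The plain-text password is never stored; only this record is."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per user
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                              salt, iterations, dklen=KEY_BYTES)
    return f"{ALGORITHM}${iterations}${salt.hex()}${key.hex()}"


def verify_password(record: str, candidate: str) -> bool:
    """Login check: re-derive with the stored salt and parameters, then
    compare in constant time so a mismatch cannot be timed byte by byte."""
    algorithm, iterations, salt_hex, key_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record type {algorithm!r}")
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                  bytes.fromhex(salt_hex), int(iterations),
                                  dklen=KEY_BYTES)
    return hmac.compare_digest(derived, bytes.fromhex(key_hex))


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a record was made with a lower cost than current policy;
    call after a successful login and replace it with hash_password()."""
    return int(record.split("$")[1]) < iterations


# A record for a password nobody uses, verified against when the user does
# not exist, so unknown and known usernames take the same time to reject.
DUMMY_RECORD = hash_password("not-a-real-account")

# Constructed users table: username -> record, and nothing else.
USERS = {
    "deadlydarcy": hash_password("correct horse battery staple"),
}


def login(users: dict[str, str], user: str, candidate: str) -> bool:
    """Accept only a known user whose candidate re-derives to the stored key."""
    record = users.get(user, DUMMY_RECORD)
    ok = verify_password(record, candidate)
    return ok and user in users


if __name__ == "__main__":
    print(USERS["deadlydarcy"])
    print(login(USERS, "deadlydarcy", "correct horse battery staple"))   # True
    print(login(USERS, "deadlydarcy", "Correct horse battery staple"))   # False
    print(login(USERS, "nobody", "correct horse battery staple"))        # False
```

Two things worth noticing when running it: the same password hashed twice produces two different records because the salt differs, so a precomputed table of hashes is useless against this store; and the iteration count is carried in the record, so the cost can be raised later without a mass reset.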

    hilldodger
    Free Member

    At work I need 5 passwords for various systems, all must be different and each one must have at least one number, one non alphanumeric and no repeats.
    You have to change passwords every 20 uses and cannot recycle them, I have yet to find a system that helps 🙁

    Russell96
    Full Member

    I use KeePass to generate and hold the logins and passwords. The encrypted file holding it all is on Dropbox so I can use KeePass on my PC’s, Phone and Tablet keeping it all in sync.

    swedishmatt
    Free Member

    Hilldodger: that sounds ridiculous. What area of work is that if you don’t mind me asking?

    beaker2135
    Full Member

    +1 for LastPass
    Although why I bother when Mrs B uses same password for everything is beyond me
    Apparently it’s too complicated

    footflaps
    Full Member

    I have yet to find a system that helps

    I use postit notes on my screen with all the various passwords on them….

    scaredypants
    Full Member

    hilldodger – how about something like twenty1*, then 2twenty*, twenty3*, 4twenty* etc

    next system can start at thirty, so they’ll all progress (can’t believe your master system will remember back ten changes will it ? – or else use a different wildcard character for each group)

    err, 😳

    (I used to use a version of the postcode of online shops (typed using uppercase so that the numbers were !”£$% etc) but stopped – I reckon it’s fairly safe, as long as they don’t move the shop)

    beaker2135
    Full Member

    footflaps – Member

    I have yet to find a system that helps

    I use postit notes on my screen with all the various passwords on them….

    You been looking over my shoulder?

    sam_underhill
    Full Member

    Roboform. Encrypts passwords, syncs across devices and auto fills forms in your browser (although not on a mobile). Generates random passwords as well so they can be different for each site / app.
    There’s a small annual fee, but it’s made my life much easier.

    engineeringcowboy
    Free Member

    I use the first letter or number of each word from one of my previous addresses then use the postcode to fill the password to its maximum length. The shortest allowable one I’ve found is 10 digits.

    For example

    9 hawthorn Close
    Bromley
    London
    Br20rx

    Would turn in to 9hcblbr20r

    Which looks completely random but is very easy to remember, and if it needs a symbol then I just use @9hc……

    mikewsmith
    Free Member

    as said back at the top, work out which ones matter and which don’t. Any that don’t involve money or privacy get a single password.
    The rest get something more complex, things like 2 step verification on google help a bit too.

    NZCol
    Full Member

    footflaps is mostly right, although there is also salting which makes deriving ‘same’ hashes significantly harder unless you can derive the salt values. I’m an ex cryptographer so sadly have spent far too long trying to make things harder to break! Fwiw I use LastPass for simplicity and also use the site plus password combo. Depending on specific platforms I also use longer lengths as that can help. If anyone is bored they can ask more about crypto – it’s been a wee while but I did peer review a paper recently which was quite interesting.

    DrJ
    Full Member

    There were some interesting articles about this subject on Ars Technica in the recent past. What I understood was that the logic behind horse mackerel etc is essentially false as crackers don’t brute force passwords they use dictionary searches and that these are much more powerful than you might imagine, hence only a long random password is truly secure.

    Having said that, I mostly use a simple password for sites that don’t matter, and 1Password to generate and manage longer passwords for important stuff.

    hilldodger
    Free Member

    swedishmatt – Member
    Hilldodger: that sounds ridiculous. What area of work is that if you don’t mind me asking?

    Civil Service science, and yes it is ridiculous, we have
    Network login for desktops
    Wifi login for laptops
    E-procurement (purchasing) login
    Result reporting login
    Quality system login

    Apart from the first 2 which I use all the time, I find it easier just to do a password reset request whenever I need to use any other system

    In addition many of the lab areas need a 4-6 digit code to access, different for each – and this isn’t even a scary black helicopter type of facility, just public health/food science kind of stuff

    Cougar
    Full Member

    Holy thread resurrection, batman!

    “Correct horse battery staple.”

    The maths is completely flawed in the cartoon above.

    Most systems don’t store the raw password, they use a fixed-length hash of the password similar to an md5sum. This means that no matter what length the raw password, the hash is always the same length. Hence cracking by brute force is the same regardless of the length of the original. NB You don’t even need to get the right password to crack it, just find an equivalent string which creates the same hash.

    This didn’t sit right with me, but I couldn’t put my finger on exactly why. So I phoned a friend. He knows a bit about passwords and cryptography, given that he wrote PuTTY. This is what he replied:

    Consider the following thought experiment. I roll a die, and based on the answer, I set my password to either “one”, “two”, “three”, “four”, “five” or “six”. Now that password gets hashed into a 256-bit checksum. I think it’s pretty clear that although iterating over 2^256 possible strings I never considered using would eventually work, iterating over just the six things I actually considered would also work, and be faster!

    (A high-profile real case of this was the Debian OpenSSL key generation disaster, in which everyone’s RSA keys were generated using only 16 bits of entropy. Suddenly there’s no need to run full-strength factoring algorithms, because it’s easier to just generate all the 2^16 possible keys and then you know all their factorisations.)

    But it’s certainly true that if the hash size is smaller than the password entropy, it provides an upper bound on the amount of work a cracker needs to do. And if the password hash isn’t cryptographically secure either, then yes, it may be possible to directly invert it to find a password which wasn’t the same one the user actually thought of but which hashes to the same thing so it’s “good enough” to use at the login prompt. Back in the 8-bit era, for example, the SJ Research Econet file server used a linear 24-bit hash with exactly that property – and you could network-sniff the hash value too. Completely pointless security theatre.
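
The thought experiment in that reply, carried through in code as an added example (not from the thread or from the PuTTY author): the attacker’s work is bounded by the size of the set the password was actually drawn from, and separately by the hash width, and the smaller bound wins. It also covers the earlier point about l33t-speak not buying much, by running a small mangling rule set of the kind a cracker applies. SHA-256 stands in as the hash, and the wordlists and substitution table are constructed for illustration; the 2048-word, four-word passphrase figure is the one the xkcd strip uses.

```python
"""Added example (not from the thread): guessing work is min(candidate-set
size, hash output space).  SHA-256, the wordlists and the l33t table are
illustrative choices."""
from __future__ import annotations
import hashlib
import itertools
import math
from typing import Iterable, Iterator, Optional

# Common substitutions a cracker's rule set already knows about.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "t": "7"}


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


def crack(target_hex: str, candidates: Iterable[str]) -> tuple[Optional[str], int]:
    """Hash candidates in order until one matches; return (match, attempts).
    The hash width never enters into it: only the candidate list does."""
    attempts = 0
    for cand in candidates:
        attempts += 1
        if sha256_hex(cand) == target_hex:
            return cand, attempts
    return None, attempts


def mangle(word: str) -> Iterator[str]:
    """Every combination of the LEET substitutions for a word, each with and
    without an initial capital: 'bats' expands to 36 candidates."""
    choices = [[ch] + list(LEET.get(ch.lower(), "")) for ch in word]
    for combo in itertools.product(*choices):
        base = "".join(combo)
        yield base
        yield base[:1].upper() + base[1:]


def mangled_wordlist(words: Iterable[str]) -> Iterator[str]:
    for w in words:
        yield from mangle(w)


def passphrase_bits(wordlist_size: int, n_words: int) -> float:
    """Entropy of n words drawn uniformly from a list (xkcd: 2048 words x 4 = 44)."""
    return n_words * math.log2(wordlist_size)


def attacker_work_bits(password_bits: float, hash_bits: int) -> float:
    """Upper bound on the search: the smaller of the candidate space and the
    hash output space (a preimage search can never need more than 2^hash_bits)."""
    return min(password_bits, hash_bits)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    return 2.0 ** bits / guesses_per_second


DICE_CHOICES = ["one", "two", "three", "four", "five", "six"]

if __name__ == "__main__":
    # 1. Die-roll password behind a 256-bit hash: at most six guesses.
    print(crack(sha256_hex("four"), DICE_CHOICES))
    # 2. A l33t word falls to a handful of mangling rules over a tiny list.
    print(crack(sha256_hex("B@t5"), mangled_wordlist(["password", "bats"])))
    # 3. The passphrase is stronger only because it is drawn from a bigger set.
    print(passphrase_bits(2048, 4), attacker_work_bits(passphrase_bits(2048, 4), 256))
    # 4. A 24-bit hash caps the work whatever the password looked like.
    print(attacker_work_bits(passphrase_bits(2048, 8), 24))
    # 5. 16 bits of key entropy (the Debian case) at a modest guess rate.
    print(seconds_to_exhaust(16, 1000.0), "seconds")
```

Run as written, the dice password is recovered on the fourth hash, the l33t word on well under two hundred, and the 24-bit hash bounds an 88-bit passphrase at 24 bits of work; the passphrase’s 44 bits stand only because nothing narrower sits in front of them.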

    deadlydarcy
    Free Member

    I still haven’t done anything about them. 🙁


The topic ‘New Year's Resolution: Sort out my flipping passwords’ is closed to new replies.