  • What password manager?
  • miketually
    Free Member

    What exactly are folk doing that they need 100+ passwords?

    Using lots of websites.

    Thanks for the suggestions/discussion everyone.

    MrSalmon
    Free Member

    So all of your numerous passwords are protected by……a password?
    Is it just me or is this a bit ummmmmm?

    Not sure I see the problem, as long as your password is a good, strong, unique one that you can actually remember. It’s basically the same as saying that your PayPal (say) account is only protected by a password isn’t it? There’s nothing wrong with passwords in themselves.

    I suppose there might be an argument that you’ve put all your eggs in one basket with things like LastPass, should they ever get hacked. That said I’ve never really checked them out so I’m not sure exactly how they work.

    Alex
    Full Member

    LastPass for me. Two factor enabled for non approved devices. Runs on my Mac, PC and phone. 100+ here too – some for work, most for other stuff. Also I have multiple email-ids so trying to remember that is beyond this bear of little brain 😉

    deadkenny
    Free Member

    Drac – Moderator
    What use is the bit of paper at home if you’re sat 100 miles away?

    Common sites you’re likely to access – memory.

    Write stuff down for all those complex ones you’re rarely likely to access. If you get stuck, “forgot my password”, so long as you have access to your email. Then repeat when you get home if you can’t remember what you just changed it to 😀

    Though another option is to keep an obfuscated list in a password protected cloud document store. I use OneNote for things like this. The traffic is encrypted and stored encrypted, although Microsoft internally do have the keys to decrypt their cloud storage, although not sure they can get to password protected sections in OneNote.

    Still, obscure document that would make little sense to most people. It would take a targeted attack looking specifically for password looking things and working out what sites they refer to. Vast majority of hacks go for places where passwords are obviously stored such as web sites, or password managers which could potentially be hacked via malware or a flaw in a browser that gives them access. They get them en masse and sell them on.

    In the case of web site hacks though, if people like Talk Talk hashed the bloody passwords properly then it’s much harder to get them. Sounds like they used plain encryption and that’s two way. If it can be decrypted then there’s always a chance of it being cracked. First rule of web site design where passwords are involved – hash, never encrypt (sadly I keep coming across companies that break this and argue “oh we encrypt the passwords so it’s fine”). Better still, use delegated authentication so you are never storing any password related information anyway. Though the delegate is then a single point of attack.
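
The hash-versus-encrypt distinction deadkenny draws, as an added illustration that is not code from any poster: a toy reversible scheme next to a salted, slow, one-way hash. The XOR "encryption" and the server key are constructed stand-ins for whatever a site like the one described might really use; the PBKDF2 part is what a site should do instead.

```python
import hashlib
import hmac
import os

# Constructed server-side key for the toy reversible scheme; it exists only to
# show why "we encrypt the passwords" is not the same as hashing them.
SERVER_KEY = b"constructed-key-not-for-real-use"

def encrypt_password(password: str) -> bytes:
    # Reversible: whoever obtains SERVER_KEY recovers every stored password.
    return bytes(b ^ SERVER_KEY[i % len(SERVER_KEY)]
                 for i, b in enumerate(password.encode()))

def decrypt_password(blob: bytes) -> str:
    return bytes(b ^ SERVER_KEY[i % len(SERVER_KEY)]
                 for i, b in enumerate(blob)).decode()

# One-way alternative: PBKDF2-HMAC-SHA256 with a random per-user salt and a
# deliberately high iteration count, so a leaked table has to be cracked guess by guess.
ITERATIONS = 200_000

def hash_password(password: str, salt: bytes = b"") -> tuple:
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest  # store both; nothing here can give the password back

def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_digest)  # constant-time comparison
```

Two users with the same password get different digests because of the salt, so a leaked table cannot be cracked once for everyone.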

    pnik
    Full Member

    Keepass for me, mainly use it from an Android phone and copied to Dropbox. All this discussion is making me think it’s probably time to change some passwords. Mine tend to be thematically linked but unique, however not completely unmemorable, so I’m not dipping in every day. For me the challenge is often remembering the ID as much as the password: is it email or not, and if email, which one? It has the benefit that any compromise isn’t exploitable everywhere else.
    I also try not to register with every damned website that I might have bought a hinge from once; use PayPal where possible.

    thetallpaul
    Free Member

    Been using 1Password for years on all Apple devices at home.
    Works really well. Main file can be stored in Dropbox or iCloud, or locally.

    May buy a Windows license for it too so I can use it at work too, when I’m not surfing STW 😀

    trickydisco
    Free Member

    Lastpass is pretty damn secure

    1. All encryption and decryption happens on your computer.
    2. The sensitive data that is harbored on their servers is always encrypted before it’s sent so all they receive is gibberish.
    3. Lastpass never receive the key to decrypt that data.

    Furthermore, like any other service, you should be using two-factor authentication with LastPass. If you do, someone with your master password still will not be able to access your account, even in the event of a breach.

    LastPass Gets the Green Light from Security Now!’s Steve Gibson

    Also using an online password manager you are less likely to fall foul of phishing attacks

    A browser-integrated password manager will only fill in a site-specific password if you’re actually visiting the correct site. So you won’t accidentally type in your Paypal.com password into http://www.paypal.com.us.cgi-bin.webscr.xzy.ru.
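
The autofill decision described above, written out as an added example (not code from any password manager or from this thread). The vault contents and the stored credential are constructed; the rule demonstrated is that a saved password is offered only when the page’s scheme and hostname match the entry exactly.

```python
from urllib.parse import urlsplit

# Constructed vault: entries are keyed by the exact scheme and hostname they were saved on.
VAULT = {
    ("https", "www.paypal.com"): "Purple-PPL+Cr0c0dile$",  # constructed sample credential
}

def page_origin(url: str):
    """Scheme and hostname a manager would compare, or None for anything it cannot parse."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # .hostname already drops any user@ prefix and port; normalise case and trailing dot.
    return parts.scheme, parts.hostname.lower().rstrip(".")

def credential_for(url: str):
    """Autofill decision: a password is offered only on an exact scheme+host match."""
    origin = page_origin(url)
    return None if origin is None else VAULT.get(origin)
```

Real managers usually match on the registrable domain rather than the full host; exact matching is shown here because it is the strictest reading and keeps the example short.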

    poly
    Free Member

    I really can’t imagine having a memory that allows me to remember 40+ passwords that are all unique and complex. Typically they’d be something like ‘y62htX$6jF%Ku*’ and I’ll be jiggered if I could remember one or two like that let alone dozens. If you can remember 40+ ‘complex’ passwords, I’d suggest you either need to take up card counting, a one man memory show or your passwords aren’t really that complex at all.

    I think your password is not as complex as you think it is. A system for remembering passwords and making them unique is a good thing:

    e.g. make a base password, something long, but relatively easy to remember. Let’s say “purple-crocodiles”; if you increase the complexity of this by adding some symbol/number/caps replacement then:

    Purple-Cr0c0dile$ is still quite easy to remember.

    Now you don’t want to use the same password on multiple sites – simple, you add some site specific letters at the end (or start – or middle) of the password according to a system you define and remember. So your singletrack and facebook passwords might be:

    Purple-STW+Cr0c0dile$ and
    Purple-FBK+Cr0c0dile$

    You don’t tell anyone your system or base password then even if one is compromised it takes a concerted effort with a degree of intelligence to guess what the others would be. You can make the base and combination harder to “read” as well (e.g. PSTWCr0c$) – or some people like to use the first letter of words from a song – say Ittw1wbSTWLamws2c.

    I use essentially this approach but with a couple of base password & structure variants depending on my perception of the risk.

    I have considered taking it one step further and hashing these passwords so they are gibberish and all I have to do is remember the password and hash method (and have access to a computer or website that will let me run and copy/paste the result).

    e.g. those two passwords would become:

    A9CD471148BED6CEE644B5D8B8C2E582
    and
    CB9EE944B518137E7CAF165F896DABC1

    But since most sites are keen to have $ymbol$ Numb3r5 and Caps I’d probably need to add another short base to them; which added to the need to hash them and the pain of cut-n-pasting on a mobile device is enough to put me off. However my point is you really don’t need to write them down anywhere to remember large numbers of unique passwords. I have a general mistrust of all “vault” type systems as it is like saying I’ll keep the keys to all our vehicles in the safe. This is great unless (a) the safe gets compromised or (b) you lose the safe key.

    deadkenny
    Free Member

    Numbers and symbols instead of letters can still appear in password cracking dictionaries.

    e.g. obvious ones, so using ! instead of i, 0 instead of o, $ instead of s.

    People know these are typical substitutes, so a common word with those substituted may still be easy to crack.
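
One way to check your own candidate passwords against the point deadkenny makes, as an added example that is not code from the thread: undo the usual substitutions and see whether a dictionary word falls out. The reverse-substitution table and the tiny wordlist are constructed; a real check would load a full dictionary.

```python
import itertools
import re

# Constructed reverse map of the substitutions deadkenny lists, plus a few common ones.
# A two-letter value means the character is tried both ways.
UNLEET = {"!": "i", "1": "il", "0": "o", "$": "s", "5": "s", "3": "e", "4": "a", "@": "a", "7": "t"}
# Constructed mini wordlist standing in for a real dictionary.
WORDLIST = {"purple", "crocodile", "crocodiles", "password", "jennifer", "staple"}

def unleet_variants(token: str):
    """Every plain-letter reading of a token once the substitutions are undone."""
    options = [tuple(UNLEET[c]) if c in UNLEET else (c.lower(),) for c in token]
    for combo in itertools.product(*options):
        yield "".join(combo)

def dictionary_hits(password: str):
    """Split on the separators a scheme like poly's uses and report tokens that
    decode to a dictionary word; an empty list means nothing obvious was found."""
    hits = []
    for token in re.split(r"[-_+ ]+", password):
        for variant in sorted(set(unleet_variants(token))):
            if variant in WORDLIST:
                hits.append((token, variant))
                break
    return hits
```

A hit does not mean the password is crackable outright, only that its bulk is dictionary material and the substitutions add far less than they appear to.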

    brassneck
    Full Member

    People know these are typical substitutes, so a common word with those substituted may still be easy to crack.

    If it is a worry, don’t sub it every time, maybe just change the second vowel in your phrase, or 1st in the first word second in the second word. Random caps is probably as good as subbing in terms of this type of attack, as is appending phone number or DOB – if they aren’t specifically targeting you that is.

    Poly’s base examples are plenty secure enough for common usage. If they aren’t you should generate + store one or use 2FA.

    Drac
    Full Member

    If anyone with half a brain got hold of one of Poly’s passwords it wouldn’t take much to work out the pattern. No pattern means it’s very much harder to crack.

    poly
    Free Member

    Numbers and symbols instead of letters can still appear in password cracking dictionaries.

    e.g. obvious ones, so using ! instead of i, 0 instead of o, $ instead of s.

    People know these are typical substitutes, so a common word with those substituted may still be easy to crack.

    Completely agree – I’m sure you are familiar with the XKCD on battery-horse-staple (and if you find that stuff interesting you will probably be interested in this: https://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd?language=en)

    Personally I wouldn’t bother with symbols etc because the brute force attacker has no way of knowing if you use them or not and so probably wants to test them anyway. However if you are trying to define a “standard” base password it is easier to include them (and a mixture of upper, lower, number, symbol) as some sites insist on one or more.

    drac –

    If anyone with half a brain got hold of one of Poly’s passwords it wouldn’t take much to work out the pattern. No pattern means it’s very much harder to crack.

    Indeed – the pattern I use in real life is a little less obvious than that (but it was easier to illustrate my point with a very simple case) – but if you had two passwords you would certainly be able to work it out (which is why I use two different systems for sites where security is critical and stuff like STW where the consequences of a breach are less serious but I have less faith in how the recipient of the password protects it). Of course that relies on someone actually being bothered to get into MY account, rather than just having a list of email addresses and passwords and hoping as 90% of people do that the same password works on a wide variety of accounts with the same email address. Whilst the majority of people are completely useless at password variation I think my approach will ensure working out my system is low priority. I don’t believe that normal hacks are caused by people applying common sense to look at lists of passwords – they are simply bots which munge through lists looking for exact matches. If I was writing a bot to get smarter than that it would take all the “somepassword1” and try “somepassword2” etc before I was trying to spot patterns*.

    However as I said, if that worries you then you can use the Hash. Each password is unique with no pattern. But you don’t need to write down the hash – because you can recreate it at any time if you know which algorithm and the right (easily memorable) input.

    IMO – as soon as people write down passwords (or probably worse use an excel / word document) their security is compromised, however the biggest threat is people using *exactly* the same password on multiple sites. I bet I could create a site in an afternoon that would let me easily collect passwords and matching email addresses (I’ve always been tempted just to see how bad the problem is). If I get you mail account password then with most password resets being mail based confirmation I can get into almost any account you have that doesn’t require two factor authentication.

    * For this reason I believe that forcing regular password changes is a design flaw which encourages people to use poor systems or write them down (probably on post it notes stuck to the screen).

    Drac
    Full Member

    Common sites you’re likely to access – memory.

    I have no idea what any of my passwords are.

    centralscrutinizer
    Free Member

    That’s the best way drac, it means they can’t be tortured out of you 😀

    Drac
    Full Member

    Exactly.

    squirrelking
    Free Member

    Whoever said using a book: dictionary attack.

    https://howsecureismypassword.net

    Hashes are best as said however do I use them? No. Too easy to forget, still too many variables to remember and ultimately I don’t give a shit if someone gets my STW or Facebook passwords as they won’t learn anything that they can’t easily find out anyway. For online shopping I don’t store card details anywhere so in reality I only need to worry about banking passwords and Paypal. I only bank at home so it comes back to making a secure pass and sticking to it.

    DrJ
    Full Member

    OT-ish, but do you use PayPal 2 factor authentication? I see a screen to set it up with SMS but NO details about how it works, how to turn it off, what to do if you lose your phone etc so I’m reluctant to proceed without an exit strategy!

    Cougar
    Full Member

    I bet I could create a site in an afternoon that would let me easily collect passwords and matching email addresses (I’ve always been tempted just to see how bad the problem is).

    Far and away the best way of getting someone’s password is to ask them. If I had a pound for every time I’ve had a conversation along the lines of “do you need my password?” – “no, I don’t want to know it” – “ok, it’s jennifer7” I could retire.

    For this reason I believe that forcing regular password changes is a design flaw which encourages people to use poor systems or write them down (probably on post it notes stuck to the screen).

    You’re not wrong. Hard to encourage sensible password usage in users when the administrators don’t even really get it.

    mtbtom
    Free Member

    I use Iliumsoft Ewallet. Apps for iPhone, iPad, Mac and PC and syncing over wifi between them.

    Seems fine. It’s the syncing and apps I like, but aware other tools do this too.

    http://www.iliumsoft.com/

    deadkenny
    Free Member

    Don’t worry anyway. It won’t be long until the government requires us to hand over all passwords to everything anyway so if you forget you can just get it off the list that will have been leaked within a month of the system going live 😀

    surfer
    Free Member

    If the document is a docx all that you need to do is rename the file to .zip, delete the settings.xml from within the file and rename it back to .docx

    I tried this with a Word 2013 file with Winrar/Winzip and 7zip. None worked. It is a legitimate work file that a colleague forgot the password for. I am now using a brute force program.

    FuzzyWuzzy
    Full Member

    The best ones are like http://kestas.kuliukas.com/MultiPass/: you only need to remember one password, and it doesn’t need to be stored in a crackable safe file; you just use the app to generate the password on the fly.
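
The stateless generate-on-the-fly idea FuzzyWuzzy describes, and the hash-the-base-password variant poly sketched earlier (including the symbols/numbers/caps problem that put poly off), as one added example. This is not MultiPass’s code or poly’s method, just a worked instance: the KDF choice, the character alphabet and the counter are assumptions made here.

```python
import hashlib
import string

SYMBOLS = "!$%*+-"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)

def derive_site_password(master: str, site: str, counter: int = 1, length: int = 16) -> str:
    """Stateless per-site password: the same master, site and counter always give the
    same output, so nothing is written down. Bump `counter` when a site forces a change,
    but that number then has to be remembered for that site."""
    # A slow KDF means one leaked site password does not cheaply give up the master.
    key = hashlib.pbkdf2_hmac("sha256", master.encode(),
                              f"{site.lower()}:{counter}".encode(), 100_000, dklen=length)
    chars = [ALPHABET[b % len(ALPHABET)] for b in key]  # small modulo bias, accepted here
    # Force one character of each class into the first four slots so the result passes
    # the "symbols, numbers and caps" rules that a raw hex hash fails.
    for i, cls in enumerate(CLASSES):
        chars[i] = cls[key[i] % len(cls)]
    return "".join(chars)

def meets_policy(password: str) -> bool:
    """True if the password has at least one lower, upper, digit and symbol character."""
    return all(any(c in cls for c in password) for cls in CLASSES)
```

The trade-off squirrelking raised still applies: sites with odd length or symbol rules need per-site exceptions, and changing the master changes every derived password at once.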
