
[Closed] What's the best way to remember lots of different passwords ?

Posts: 0
Free Member
Topic starter
 
[#6097672]

There was a time when I had one password for everything.
I soon realised I ought to use something a bit more secure for internet banking and, as all my password resets get sent to my email account, that needed something more secure as well.

I then started wondering about all the various forums and shops I use, so I devised a system of multiple passwords.
That wasn't much better though. Supposing someone at STW found out that my forum password was "grahamstw1", then they could take a guess that my passwords elsewhere were "grahamcrc1" or "grahamwiggle1".

I increased the number and complexity of my passwords until I got to where I am now and can't possibly remember them all.
I've now got a password document with them all recorded as cryptic clues.

Without giving too much away, suppose my password was "orange5", I would record it as "filing cabinet", although they are actually clues based on personal puns and experiences that only I would know the answer to.

So what's the best way to remember them all ?
Having a notepad file in My Documents titled "Passwords" doesn't feel all that secure, but what's the alternative ?


 
Posted : 07/04/2014 10:29 am
Posts: 54
Free Member
 

I use a Keepass database stored on Google Drive. That way I can have a different password for every site. Plus I can access it anywhere.

http://keepass.info/


 
Posted : 07/04/2014 10:30 am
Posts: 0
Free Member
 

A password store, I've got far too many to remember myself
I use eWallet


 
Posted : 07/04/2014 10:31 am
 DezB
Posts: 54367
Free Member
 

I use PINs (http://www.mirekw.com/winfreeware/pins.html)
Simple and free (bit like yerself).


 
Posted : 07/04/2014 10:33 am
Posts: 5185
Full Member
 

Lastpass. $12 a year gives you complete flexibility, free is still OK if you don't need it on your phone.

Keepass if you don't like the idea of any cloud service and want to know what is happening to your encrypted password file.

Getting passwords out of your head and moving to random 16+ character passwords for all those websites is a very good thing indeed.


 
Posted : 07/04/2014 10:34 am
Posts: 0
Free Member
 

I think this was discussed on QI.

The consensus seemed to be to write them down on paper and keep them at home - no risks of account hacking and burglars more likely to be distracted by shiny things than a scrawled-on piece of paper.


 
Posted : 07/04/2014 10:36 am
Posts: 10962
Full Member
 

Write them down, maybe as clues rather than the passwords, then keep them in a safe place near your computer.


 
Posted : 07/04/2014 10:37 am
Posts: 91169
Free Member
 

Best thing for passwords is long strings that are memorable, like the first line of a song or a film quote or something. Impossible for a computer to crack due to length, but great for us to remember. A lot of password policies don't allow it though.

I have several grades of password. Important stuff has dedicated passwords, but everything unimportant has the same one.

When choosing one I base it on something related to the site, or what I'm feeling at the time. But the key is to log out and in again after about 5 minutes, then again after an hour.


 
Posted : 07/04/2014 10:39 am
 DezB
Posts: 54367
Free Member
 

Not sure why I'd need a protected database on my password protected phone..

Also, for online banking - First Direct's Internet Banking Plus is great. Downloads a secure file to your PC which stores all the login details you want.
Pretty sure you can use it as a non-FD customer too.
https://internetbankingplus2.firstdirect.com/ibplus/mainservlet


 
Posted : 07/04/2014 10:39 am
Posts: 78497
Full Member
 

[img] [/img]

The approach I take is to have a 'master' password and then tweak it based on domain name.

So for example, you could have a PW of "fishbanana", take the first three letters of the site - "sin", Caesar Cypher (http://en.wikipedia.org/wiki/Caesar_cipher) it to "tjo" and add it to get "fishtjobanana". Memorable password that's unique to every site.


 
Posted : 07/04/2014 10:40 am
Posts: 4507
Full Member
 

+1 for Keepass. Sync the database via dropbox and you can get at it from multiple devices so you don't have to worry about losing your only copy.


 
Posted : 07/04/2014 10:41 am
Posts: 36
Free Member
 

I use unique email addresses allocated to each organisation (which you can do if you have your own domain) which means I don't need to be so varied in my password because automated address/password thrashing will never have the same address and password as another.


 
Posted : 07/04/2014 10:44 am
Posts: 0
Free Member
 

Just write them down in a notebook. People who break into your house are not going to steal a notebook although they might well steal your laptop and people who are trying to steal from you via digital channels can't see your notebook.

If you want to be doubly security conscious then use a reference code that refers to a word from a favourite book, like this:

270-08-07-

is what you'd write down which would be a reference to page 270, line 8 word 7. But the actual password would be 270-08-07-Hautacam (using Mark Cavendish's Boy Racer as the reference book). This way you only need to remember the book.


 
Posted : 07/04/2014 10:45 am
Posts: 0
Free Member
 

Cougar, I thought the "words in the dictionary" technique was beatable. Surely that example falls into that category?

Personally, I use patterns I've visualised on my keyboard. It's not for everyone because I reckon you need to have an almost photographic memory, but it works for me and they all appear to be quite strong.

Having said that, some passwords from old, such as this forum account, are weak, so about time I changed, methinks...


 
Posted : 07/04/2014 10:49 am
 DezB
Posts: 54367
Free Member
 

I do what cougar's cartoon shows, top left. I use bike brands/parts whatever I've bought recently. It's definitely NOT hard to remember, as you have a standard set of numbers replacing letters.
(Not had a password cracked, ever!)

Ok using the common words thing but is a pain in the butt if you have to type it 10+ times a day.


 
Posted : 07/04/2014 10:50 am
 kcal
Posts: 5450
Full Member
 

Dashlane - is free. But my approach isn't as structured or organised as you lot..


 
Posted : 07/04/2014 10:51 am
Posts: 31206
Full Member
 

write them down on paper and keep them at home

Just write them down in a notebook. People who break into your house are not going to steal a notebook

Wouldn't work for me. Half the time I need passwords I'm not at home. I'm either at work or out and about using my phone.

Best thing for passwords is long strings that are memorable, like the first line of a song or a film quote or something. Impossible for a computer to crack due to length, but great for us to remember. A lot of password policies don't allow it though.

If you want a shorter, password-policy-friendly, non-dictionary version then try something like this:

1) Take your line from a favourite song:
"Mary had a little lamb, Its fleece was white as snow"

2) Take the first letter of each word (or some variation of that):
"Mhall,Ifwwas"

3) Do some standard letter/number substitution:
"Mh4ll,1fwwa$"

4) Profit.


 
Posted : 07/04/2014 11:01 am
Posts: 78497
Full Member
 

Cougar, I thought the "words in the dictionary" technique was beatable. Surely that example falls into that category?

Point was, it was an example of how you could construct memorable unique passwords from a root password; the construction of that root I didn't give a great deal of thought to. But, see the XKCD cartoon.


 
Posted : 07/04/2014 11:13 am
Posts: 0
Free Member
 

Wouldn't work for me. Half the time I need passwords I'm not at home.

It could still work if you carry a kindle or use a kindle (or similar) app? Or just a pdf of a technical manual on your computer or cloud store. Then stick the reference sheet on your phone.


 
Posted : 07/04/2014 11:18 am
 DrJ
Posts: 14010
Full Member
 

I guess the "words in a dictionary" thing is that *if* they are truly random (chosen with Diceware etc.) then even if the hacker knows they are words, it is still unfeasible to check every combination. There are just so many more words than there are letters or numbers, but it isn't harder to remember a word than it is a letter.


 
Posted : 07/04/2014 11:19 am
Posts: 3682
Free Member
 

A bigger brain. Or 'password' but with 5 instead of each S and a zero for the O, nobody will ever crack that.


 
Posted : 07/04/2014 11:20 am
Posts: 0
Free Member
 

I was actually referring to the cartoon example. I'm sure I read (or may have dreamed) that words that are identifiable as words are, as in the example of correcthorsebatterystaple, just a collection of words in the dictionary, whereas fh476fgvbhd62890di*$gb%! as an example, is a lot harder to crack, so to speak.

FYI - I don't claim to understand the password hacking process other than what I've found on the web. You can probably elaborate on how a hacking program works, yes...?


 
Posted : 07/04/2014 11:25 am
Posts: 0
Free Member
 

muppetWrangler - Member
Just write them down in a notebook. People who break into your house are not going to steal a notebook although they might well steal your laptop and people who are trying to steal from you via digital channels can't see your notebook.
Although if I was that way inclined, after reading this thread, I may add picking up notebooks to my thieving list.

Personally, I just have about 4 passwords, that I mix and match. Never had any bother with them being stolen, touch wood.


 
Posted : 07/04/2014 11:29 am
Posts: 0
Free Member
 

The only times I've had to change a password hasn't been down to it being hacked, it's been because the company that's supposed to be securely storing the password details has had their files stolen. I'm looking at you adobe and evernote! That is why I prefer lots of different passwords rather than one or two very complex ones.

edit

I may add picking up notebooks to my thieving list.

You'd need to steal the notebook and all the books in the house and then work your way through the books until you found the right combination, that's assuming I didn't use a pdf of a multi language 200 page manual for some household appliance.


 
Posted : 07/04/2014 11:31 am
Posts: 7100
Free Member
 

I used to use the registration from my first car.


 
Posted : 07/04/2014 11:38 am
 IHN
Posts: 20132
Full Member
 

I have one vaguely secure one for vaguely secure stuff, and one not that secure for other stuff. It's probably not the ideal approach


 
Posted : 07/04/2014 11:41 am
 DrJ
Posts: 14010
Full Member
 

I'm sure I read (or may have dreamed) that words that are identifiable as words are, as in the example of correcthorsebatterystaple, just a collection of words in the dictionary, whereas fh476fgvbhd62890di*$gb%! as an example, is a lot harder to crack, so to speak.

That's true, but correcthorsebatterystaple consists of 4 "units", each of which has thousands of possibilities (number of words in the dictionary), so the number of possible combinations is enormous. fh476fgvbhd62890di*$gb%! consists of a lot of "units", but each one has only about 50 possibilities (number of characters on the keyboard). The number of possible combinations may be more (or fewer) than a password with words, but it's impossible to remember.

Another point is that typing a password with odd characters on an iPhone is an absolute bugger.


 
Posted : 07/04/2014 11:42 am
 D0NK
Posts: 10677
Full Member
 

Teasel, afaik length is the most important thing, remembering a 30 character sentence is a shitload easier than 30 random alphanumeric

complexity helps too mind.


 
Posted : 07/04/2014 11:45 am
Posts: 78497
Full Member
 

Bear in mind that "words" are vulnerable due to dictionary attacks, but whilst individual words are in a dictionary strings of words are not. When cracking passwords, you cannot crack the first word and then go "great, we've got one!" and crack the second word outside of Hollywood(*).

A password attempt either matches or it doesn't, the scenario where the heroes are running around a huge display going "he's got another one, only six characters to go!" is pure science fiction. If it did work like that, you could crack a password the length of a novel in less than the time it took me to write this sentence.

(* - and NTLM)


 
Posted : 07/04/2014 11:57 am
Posts: 0
Free Member
 

Okay, I think I understand how it works a little better now. Cheers, guys.


 
Posted : 07/04/2014 12:02 pm
Posts: 78497
Full Member
 

Oh, and,

Substituting 0s and 1s for o's and i's isn't fooling anyone; in a dictionary attack it will just be handled like a third case (along with upper and lower). Eg, if you're trying a password of "fred" then it'd commonly try fred, FRED, Fred, fr3d, FR3D, Fr3d, and so on.


 
Posted : 07/04/2014 12:02 pm
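
The point in the post above, seen from the defending side, as an added example that is not part of any post: a password filter that undoes case changes and digit/symbol substitutions before checking a blocklist, and an estimate of how little those substitutions add. The blocklist, the substitution table and the function names are constructed for illustration.

```python
import math

# Constructed blocklist; a real filter would load a large wordlist.
BLOCKLIST = {"password", "fred", "letmein", "orange"}

# Assumed, non-exhaustive table: letter -> characters commonly typed in its place.
SUBS = {"o": "0", "i": "1", "e": "3", "a": "4@", "s": "5$", "t": "7"}

# Reverse table used to map substituted characters back to letters.
UNLEET = str.maketrans(
    {sub: letter for letter, subs in SUBS.items() for sub in subs}
)


def normalise(password):
    """Lower-case the password and map substituted characters back to letters."""
    return password.lower().translate(UNLEET)


def is_mangled_dictionary_word(password, blocklist=BLOCKLIST):
    """True if the password is a blocklisted word once case, substitutions
    and leading/trailing digits are undone."""
    candidates = {
        normalise(password),
        # Strip digits first so a trailing "1" is not read as a letter.
        normalise(password.strip("0123456789")),
    }
    return any(candidate in blocklist for candidate in candidates)


def mangling_bits(word):
    """Bits of guessing work added by mangling one known word.

    Simple model: three case forms (lower, UPPER, Capitalised) times the
    substitution choices available at each letter.
    """
    variants = 3
    for ch in word.lower():
        variants *= 1 + len(SUBS.get(ch, ""))
    return math.log2(variants)


if __name__ == "__main__":
    for pw in ["Fr3d", "pa55w0rd", "Letmein1", "orange5",
               "fh476fgvbhd62890di*$gb%!"]:
        print(f"{pw!r:30} rejected={is_mangled_dictionary_word(pw)}")
    print(f"mangling 'fred' adds about {mangling_bits('fred'):.1f} bits")
```

Under this model "fred" has six variants, about 2.6 bits, which is less than adding a single random lower-case letter (about 4.7 bits).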
Posts: 91169
Free Member
 

There are something like 3,000 words in common usage, so a film quote might have something like 8 words in it - that gives 6*10^27 combinations of words, which is a stupidly large combination. Of course limiting it to quotes cuts that down a fair bit because to be grammatically correct there are far fewer combos. But then you could choose every other word from a quote, or use Shakespeare. Or other languages for that matter!


 
Posted : 07/04/2014 12:14 pm
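
The counting argument from the posts above (number of units times choices per unit), worked through as an added example that is not part of any post. It uses the thread's own figures (3,000 common words, about 50 keyboard characters) plus the 7,776-word Diceware list size, and draws words with a CSPRNG because the estimate only holds for random selection; the sample word list and function names are constructed.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words: five dice rolls select one word

# Constructed eight-word list so the generator runs offline; far too small
# for real use, where a full Diceware-size list is needed.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "fish", "banana", "orange", "cabinet"]


def search_space_bits(pool_size, units):
    """log2 of pool_size ** units: the guessing work when every unit is
    chosen independently and uniformly at random from the pool."""
    return units * math.log2(pool_size)


def words_needed(target_bits, wordlist_size):
    """Smallest number of random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def generate_passphrase(wordlist, n_words, separator=" "):
    """Pick n_words uniformly with the OS CSPRNG. A song line or film quote
    is not a uniform pick, so the figures below do not apply to it."""
    if len(set(wordlist)) != len(wordlist):
        raise ValueError("duplicate words would make the estimate too high")
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    random_chars = search_space_bits(50, 24)   # 24 characters, ~50 choices each
    print(f"8 words from 3,000:       {search_space_bits(3000, 8):6.1f} bits "
          f"({3000 ** 8:.2e} combinations)")
    print(f"4 words from 7,776:       {search_space_bits(7776, 4):6.1f} bits")
    print(f"24 random characters:     {random_chars:6.1f} bits")
    print(f"Diceware words to match:  {words_needed(random_chars, 7776)}")
    print("sample:", generate_passphrase(SAMPLE_WORDS, 4))
```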
Posts: 2
Free Member
 

Get all your passwords tattooed on your bikini area. This way only the people you really trust will ever get to see them and for someone to hack you they'd have to steal your skin.

Plus, if you ever forget one of them, you need only pay a quick visit to the bathroom to remind yourself of the appropriate one.


 
Posted : 07/04/2014 12:17 pm
Posts: 0
Free Member
 

BTW...

the scenario where the heroes are running around a huge display going "he's got another one, only six characters to go!" is pure science fiction.

Gutted. I'm actually thinking about giving up computers completely...


 
Posted : 07/04/2014 12:19 pm
Posts: 91169
Free Member
 

Plus, if you ever forget one of them, you need only pay a quick visit to the bathroom to remind yourself of the appropriate one.

"Your password will expire in 3 days. Do you want to change it now?"


 
Posted : 07/04/2014 12:29 pm
Posts: 78497
Full Member
 

"Your password will expire in 3 days. Do you want to change it now?"

Suddenly, Memento makes sense.


 
Posted : 07/04/2014 12:30 pm
Posts: 2784
Full Member
 

I use 'password' for all of mine but change the font depending on the website. For example I may use comic sans for shonkytrackworld (I don't, it's obviously terminal)


 
Posted : 07/04/2014 12:41 pm
Posts: 1
Free Member
 

All written down on a sheet paper with a pen 🙄


 
Posted : 07/04/2014 12:42 pm
Posts: 31206
Full Member
 

Another point is that typing a password with odd characters on an iPhone is an absolute bugger.

Depends on the password. Something like ??ëtpå?š?ørd is easy to type on an iPhone but takes an age on Windows (if you can even figure out how).


 
Posted : 07/04/2014 12:51 pm
Posts: 0
Free Member
 

I found the simplest solution is to discreetly Letmein1 insert them in forum posts, so if I ever forget, I can just look through my posting history for clues.


 
Posted : 07/04/2014 1:55 pm
 DrJ
Posts: 14010
Full Member
 

Something like ??ëtpå?š?ørd is easy to type on an iPhone but takes an age on Windows (if you can even figure out how).

Simple - you use ALT- codes 🙂

Using special characters is a pitfall all of its own, as a keyboard may not be mapped the way you think it is, and you can't tell if the password is hidden 🙁


 
Posted : 07/04/2014 2:32 pm
Posts: 5185
Full Member
 

It's more important IMO to be using different passwords everywhere, rather than trying to keep a few more secure passwords in your head.

The big problem with passwords, especially on the web, is that lots of people use the same things everywhere. Some poorly run forum or web store that you last used 5 years ago gets breached, and they have either plain text passwords (if really badly run) or password hashes (pretty easy to turn back into passwords unless they're very long). Combine that with email addresses and it's easy to hop from there into accessing your email, from there your bank account and other juicier accounts.

Keep them different, keep them long, and set up 2 factor authentication on anything important like your email.


 
Posted : 07/04/2014 2:38 pm
Posts: 890
Full Member
 

I work for a large IT company and we have mandatory courses on password selection! Most of the above makes sense. The current best theory is to choose a phrase you know well and then replace characters with digits and punctuation.
This is good until you have hundreds of passwords! I cheat and use similar passwords for sites that I don't care about - but unique ones for important ones. I also have an online key safe for all passwords for when I forget them!


 
Posted : 07/04/2014 2:49 pm
Posts: 10337
Full Member
 

general rules and roboform as backup. The most important one is your main email and anything else that links to that. So lose your ipad without a PIN and it should be possible to reset lots of your passwords 🙂


 
Posted : 07/04/2014 2:54 pm
Posts: 92
Full Member
 

It's more important IMO to be using different passwords everywhere, rather than trying to keep a few more secure passwords in your head.
and
and set up 2 factor authentication on anything important like your email.

^^Yes. Don't get hung up on the password thing. The biggest threats are either outside your control (cf Adobe etc) or addressable by other means (so malware protection etc). For genuinely important stuff, multi-factor is the way to go (hence banks go this route now).

IMO


 
Posted : 07/04/2014 2:59 pm