• This topic has 68 replies, 47 voices, and was last updated 9 years ago by TiRed.
Viewing 29 posts - 41 through 69 (of 69 total)
  • What's the best way to remember lots of different passwords ?
  • DrJ
    Full Member

    Something like ??ëtpå?š?ørd is easy to type on an iPhone but takes an age on Windows (if you can even figure out how).

    Simple – you use ALT- codes 🙂

    Using special characters is a pitfall all of its own, as a keyboard may not be mapped the way you think it is, and you can’t tell if the password is hidden 🙁

    simon_g
    Full Member

    It’s more important IMO to be using different passwords everywhere, rather than trying to keep a few more secure passwords in your head.

    The big problem with passwords, especially on the web, is that lots of people use the same things everywhere. Some poorly run forum or web store that you last used 5 years ago gets breached, and they have either plain text passwords (if really badly run) or password hashes (pretty easy to turn back into passwords unless they’re very long). Combine that with email addresses and it’s easy to hop from there into accessing your email, from there your bank account and other juicier accounts.

    Keep them different, keep them long, and set up 2 factor authentication on anything important like your email.

    sadmadalan
    Full Member

    I work for a large IT company and we have mandatory courses on password selection! Most of the above makes sense. The current best theory is to choose a phrase you know well and then replace characters with digits and punctuation.
    This is good until you have hundreds of passwords! I cheat and use similar passwords for sites that I don’t care about – but unique ones for important ones. I also have an online key safe for all passwords for when I forget them!

    leffeboy
    Full Member

    general rules and roboform as backup. The most important one is your main email and anything else that links to that. So lose your ipad without a PIN and it should be possible to reset lots of your passwords 🙂

    grizedaleforest
    Full Member

    It’s more important IMO to be using different passwords everywhere, rather than trying to keep a few more secure passwords in your head.

    and

    and set up 2 factor authentication on anything important like your email.

    ^^Yes. Don’t get hung up on the password thing. The biggest threats are either outside your control (cf Adobe etc) or addressable by other means (so malware protection etc). For genuinely important stuff, multi-factor is the way to go (hence banks go this route now).

    IMO

    molgrips
    Free Member

    Keep them different

    For important stuff. If you crack my STW password you could probably impersonate me on a handful of other forums, that’s about it.

    ninfan
    Free Member

    Latin names

    it's easier to allocate something memorable to an organisation or group of organisations

    Usefully, Latin names start with a capital letter too

    you can then throw in an order (like 01,02,03) or year at the end for when you forget and need to renew, or you can turn a symbol in the word to a number

    So, for example Singletrackworld password gets remembered as ‘dog’ and typed in as

    Canisfamiliaris13 or
    Canisfamiliar1s

    But it's nice and easy to remember “dog”

    officialtob
    Free Member

    set up 2 factor authentication on anything that offers it

    Tend to use it on everything that happens to offer it, almost silly not to.

    This sums it up nicely, imo:

    Don’t get hung up on the password thing. The biggest threats are either outside your control (cf Adobe etc) or addressable by other means (so malware protection etc). For genuinely important stuff, multi-factor is the way to go (hence banks go this route now).

    crikey
    Free Member

    One of my pet hates is the current culture which suggests passwords make things safer. At work I need a variety of codes for doors and passwords to use various programmes…

    Front door code
    Changing room door code
    Air tube system door code
    Office code
    Boss’s office door code
    Drug room code
    IV store code
    Computer password
    My email password
    Electronic prescribing password
    Patient management password
    Blood test label password
    Blood results password
    Regional bed status password
    Blood glucose machine password
    X-ray viewer password

    Some of them last for a year, some last for a month, none of the passwords can be re-used.

    Every new system that we use involves some kind of password, and everyone involved in training us thinks password security is great…

    We just write them all down.

    legolam
    Free Member

    That’s the beauty of NHS IT. One previous trust I worked for demanded a password change every three months – so everyone’s password was “spring14” (or the next relevant season)…

    geologist
    Free Member

    Just write them down. Password security is more about password hacking and cyber threats than someone coming in James Bond style and stealing a scrap of paper hidden in some random drawer or place in your house.

    downshep
    Full Member

    One basic core password for everything with a unique symbol and jan14 feb14 mar14 as the months go by. All you have to do is remember the symbol for each account.

    sweepy
    Free Member

    I keep myself logged in to as much as I can, and when that fails click where it says ‘Forgot password’

    samuri
    Free Member

    “Your password will expire in 3 days. Do you want to change it now?”

    bring me solutions, not problems.

    pdw
    Free Member

    Not sure why I’d need a protected database on my password protected phone.

    The database is likely to be encrypted, whereas the phone is not. I suspect that it’s relatively easy to get data off a password-protected phone.

    Jamie
    Free Member

    I started using 1Password, in conjunction with iCloud Keychain on the phone, seems a decent compromise. This means I just have to remember one ‘strong’ password, which I have written down, split into 2, in case I forget it.

    Probably would not have bothered, if I hadn’t got 1Password for £12 in the sale.

    purpleyeti
    Free Member

    Bear in mind that “words” are vulnerable due to dictionary attacks, but whilst individual words are in a dictionary strings of words are not. When cracking passwords, you cannot crack the first word and then go “great, we’ve got one!” and crack the second word outside of Hollywood(*).

    A password attempt either matches or it doesn’t, the scenario where the heroes are running around a huge display going “he’s got another one, only six characters to go!” is pure science fiction. If it did work like that, you could crack a password the length of a novel in less than the time it took me to write this sentence.

    (* – and NTLM)

    think you are confusing NTLM and LM there

    purpleyeti
    Free Member

    One basic core password for everything with a unique symbol and jan14 feb14 mar14 as the months go by. All you have to do is remember the symbol for each account.

    loved that approach when I was in school, managed to get a password hash from an admin and then had their password policy until we left.

    MadBillMcMad
    Full Member

    +1 for keepass, with the DB on dropbox, google drive or whatever

    There is an android & possibly an iphone app, so your passwords are available all the time via whatever device.

    Cougar
    Full Member

    think you are confusing NTLM and LM there

    Well spotted, yes. Been a while.

    Drac
    Full Member

    Thanks to Apple I’ve changed my password to something stupidly complicated that automatically securely shares across my Apple devices.

    nicko74
    Full Member

    keepass

    But what about the social stigma of a program on your phone, PC etc called KeepAss??

    Olly
    Free Member

    Quick password question, and I remember seeing this thread a few weeks ago, so thought I would keep things tidy and recycle/reuse.

    Just bought a NAS cloud drive thing for the house, and I think today is as good a day as any to change the password I use for everything, which I was issued with in year 7 at school. (age 10… ish)

    Question is, what are my limits for these passwords?

    Minimum 8 letters
    often must contain numbers so they might as well all contain numbers.
    Is there a standard maximum letter limit?

    Russell96
    Full Member

    +1 Keepass with encrypted database on Dropbox but then for added security you can set up Keepass so that as well as the main password it needs a keyfile to decrypt the DB. I manually add the keyfile to the devices/PCs I use Keepass on.

    Keepass can then be set up to use on each individual login whatever password rules are in place for that particular site/system, length of password, characters used and so on and then generate a random password.

    joepose
    Free Member

    Pictures work better than numbers. For instance if you have a number sequence – 5837 you make the numbers pictures in your head like instead of five you think of a “bee hive” instead of eight you think of a “gate” instead of three you think of a “tree” and seven would be “heaven”.
    So your number is beehive, gate, tree, heaven. You have to picture it and it becomes easy to remember 🙂

    number18
    Free Member

    I use a famous rapper’s real name, capitals in the right place. I use it for most things. Never had a problem until I had to explain to my girlfriend what it was!

    jonnouk
    Free Member

    I use the same alphanum salt for all passwords followed by the site (full length or acronym). I got fed up of forgetting passwords, master passwords and losing notes.

    i.e.

    z123aBc0stw
    z123aBc0google

    However, as soon as one is compromised it won’t take a rocket scientist to work out the others. Oh well.

    jonba
    Free Member

    Just use a phrase with the correct use of an apostrophe in it – that rules out most people getting it.

    TiRed
    Full Member

    Use the same phrase for all sites with extra pre/suffix taken from each site to personalise in the event of an attack.

    A bit like PIN numbers: Cards 1…n, and choose a 3 digit PIN, say 123, so full PINs would be 1123, 2123, 3123… Just remember the order of your cards. Simples.
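
An added example, not part of any post above: a self-audit over your own password list that flags the patterns several posters describe (a shared core plus the site name, as in jonnouk's and TiRed's schemes, and month, season or counter suffixes, as in downshep's and legolam's). The function names, the `vault` layout and the sample entries are constructed for illustration, and the checks are heuristics rather than a complete policy.

```python
import re
from itertools import combinations

# Heuristic: trailing month/season + year ("jan14", "spring14") or a
# trailing two-digit counter/year ("...13").
ROTATION = re.compile(
    r"((jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"
    r"|spring|summer|autumn|winter)\d{2,4}|\d{2})$", re.IGNORECASE)

def longest_common_substring(a, b):
    """Longest run of characters that appears in both strings."""
    best, end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best:
                    best, end = cur[j], i
        prev = cur
    return a[end - best:end]

def audit(vault, min_core=6):
    """vault maps a site label to its password; returns sorted findings.
    Findings name the sites involved but never echo password material."""
    findings = set()
    for site, pw in vault.items():
        if site.lower() in pw.lower():
            findings.add((site, "contains site name"))
        if ROTATION.search(pw):
            findings.add((site, "predictable rotation suffix"))
    # One leaked entry exposes every other entry built on the same core.
    for (s1, p1), (s2, p2) in combinations(vault.items(), 2):
        if len(longest_common_substring(p1, p2)) >= min_core:
            findings.add((s1, f"shares core with {s2}"))
            findings.add((s2, f"shares core with {s1}"))
    return sorted(findings)

# Constructed sample: the thread's own example passwords plus one
# randomly generated entry that should pass every check.
SAMPLE = {
    "stw": "z123aBc0stw",
    "google": "z123aBc0google",
    "work": "spring14",
    "forum": "Canisfamiliaris13",
    "bank": "vT9#qLm2!xRw8&Ke",
}

if __name__ == "__main__":
    for site, finding in audit(SAMPLE):
        print(f"{site}: {finding}")
```

Only the generated `bank` entry comes back clean; every scheme-derived entry is flagged by at least one check.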


The topic ‘What's the best way to remember lots of different passwords ?’ is closed to new replies.