Passwords In A Paperless World

[Mycroft]

We use Dashlane.

[Paul Casey]

i have been using a device called a RecZone Password safe and findn it easy to load info,add info, easy to search and delets, edit info.

[CarlF]

A lot of the password suggestions are fighting the last war - not this one. Any 8 character password can be broken in a few minutes with a specially configured $1000 computer. Try this tester from Dashlane:

https://howsecureismypassword.net

Two factor security (where a code is sent to your phone when a new computer tries to login) is the biggest step forward in years. If a site offers it, ALWAYS use it. It makes it just about impossible for a guy to sit in Russia and break into your account if your phone is in your pocket in Ft. Lauderdale - even if your password is 1234.

Most hacks in the last few years are not by cracking passwords but tricking you into giving the hacker a password - called Phishing. A complicated password won't help if you hand it over. Never enter any information after clicking on an email link. Go to the site a different way (like a Google search).

[Jman]

Quote:

Originally Posted by CarlF

A lot of the password suggestions are fighting the last war - not this one. Any 8 character password can be broken in a few minutes with a specially configured $1000 computer. Try this tester from Dashlane:

That only works if you are trying to guess a known password. If you only have three guesses at it before a time out occurs, game over, even a 60 second time out will take the few minutes to years or 100 of years. That is what the complicated passwords are about.

Two phase is way better, agreed, but why do I have to go through this every month with my bank that has not even had one missed guess?

Answer: it makes the company look better when they get hacked from within... once a hacker is in, he reverses the encryption algorithm and now knows everyone’s password. Or worse it was never encrypted in the first place so he just discovers the password. Now he has a list of passwords and emails to try at other establishments, no guessing to worry about. So he now takes his list that he got barnaclejoescheapboatparts.com and sees if they will work at Wells Fargo or Citibank. Fortunately barnacle joe did not force you to use eight characters and special letters and numbers like it did at Wells Fargo, so you just used a simple password. It fails when trying to get into your bank account. But a few people who were trying to make their lives easy, used their special password at joes, and then they are breached.

[maxingout]

Thank you to the people contributing to this thread. I am just converting to the paperless world, and all the suggestions are a great help. Lots of options.

I need to investigate iPhone and iPad apps that are used for encryption of data. To my knowledge, nothing on my phone is encrypted, or if it is, I did not realize that it was encrypted.

So the next phase is to figure out how to encrypt things on my iPhone and iPad.

[CarlF]

JMan - absolutely agree about missed password counters. Even better, my iphone and ipad erase themselves if the screen unlock code is missed 10 times.

This erase feature combined with two factor is very secure. Even if someone steals my phone they can't unlock it to read the two-factor code. And if they have a website password, they can't get into the phone to use it. If they try a different computer, then the two factor code is needed.

Also agree that any important site (email accounts, banks, etc.) should always use a password that is not used anywhere else.

Also agree that some two factor systems are poorly designed or inconvenient. Almost all the new ones just send an SMS code. The code is only required if a new computer is used to login or an account change is requested - like trying to change the password. Except for these rare situations, no two factor code is required. I'd get after your bank to update their system.

[CaptTom]

Quote:

Originally Posted by Jman

...Now he has a list of passwords and emails to try at other establishments, no guessing to worry about. So he now takes his list that he got barnaclejoescheapboatparts.com and sees if they will work at Wells Fargo or Citibank...

Any indication this has ever really happened?

My gut says the bad guys are really looking to hack into the system that already contains what they want (financially or politically). Not the individual account of Joe Boater who may or may not have an account at any one of millions of banks worldwide. Seems it would be a LOT of work, repeated for each individual user, to scan the world for rare related account with the same password AND user ID.

[MamaKube]

I suggest generating a common stem that you like and meets all requirements such as "good4us!" and add the capital initial of the company at the beginning. Now you have a capital letter, a number, and a character. Then technically all your passwords are different, and you only need to remember the stem and if you need the ! at the end or not.

[krafthaus]

We use Lastpass with a very secure password to get in that database.
The layout of the app is very good to use and keeps things well organized.

[Rock-Head]

For those using threes for "E's" and such, there is a library of common substitutions that hackers/crackers use consistently. The password that is difficult or even impossible for a human to guess, much less remember, is one that is simple for a computer to guess. IMO in this day & age, 8-12 character passwords of mumbojumbo makes for poor security.

Key components to a good, secure passphrase is randomness, length & ability to recall.

Food for thought:

[john61ct]

https://www.theverge.com/2017/8/7/16...-cybersecurity

[maxingout]

More research on the password puzzle.

https://youtu.be/Q0GeMSFGIgI

[foggysail]

Quote:

Originally Posted by Dsanduril

One other thing, passwords really shouldn't be pass words - they should be pass phrases. Length is your friend. No less than the person who wrote the NIST standards on passwords and complexity recently apologized publicly and said that complexity (special characters, numbers, etc.) in a short password was not the right way to go, length was the key.

Think "The qu!ck br0wn Fox jumped over the lazy dog"

Yes indeed! The bank where I have a CC (only own one CC) recently required new passwords with both lower and upper case letters, number and a special character symbol.

So I called the bank to complain about their requirement. I was very politely told that was necessary and if I didn't like it to go elsewhere. AHOLES!

[foggysail]

I thought things were getting out of control when I finally had to use an accountant for taxes. Now people are telling me they need a service for passwords?????

ENOUGH

[Simi 60]

Quote:

Originally Posted by Dsanduril

One other thing, passwords really shouldn't be pass words - they should be pass phrases. Length is your friend. No less than the person who wrote the NIST standards on passwords and complexity recently apologized publicly and said that complexity (special characters, numbers, etc.) in a short password was not the right way to go, length was the key.

Think "The qu!ck br0wn Fox jumped over the lazy dog"

And do you keep the same pass phrase for everything or do you have to remember a book?