Passwords In A Paperless World

[Jim Cate]

Warning: Heresy follows...

For us who live aboard at anchor 95% of the time, and generally in low crime areas, what is really wrong with writing down passwords on a bit of paper which is kept separate from the computer? There's a small chance of a breakin and theft of the laptop, but not so much of a chance that the thief will search the boat, looking for that bit of paper, one that he does not even know exists?

So far, I've not done this, but after reading all the above posts, I think it a reasonable solution to a vexing problem.

Jim

[a64pilot]

God, I guess I’m a cave man, I have about three passwords that I use for everything, I have one or two sites like my Military pay site that requires a new one ever so often, and I have not really figured out how to handle that.
I had never really given it much thought to be truthful, I never knew there were programs for it.

[Dsanduril]

Jim,

nothing wrong if you only have a few - my personal database has well over 100 and my work database about five times as many. One suggestion, do as suggested above and write down hints rather than passwords:

Hint:Where my daughter lives
Password:Sydney lives in Fremantle near Perth

A64,

As long as you don't care about anything being stolen, no worries. All depends on whether or not you're talking about any sites that have your personal information, credit card info, etc. None of those should ever have a shared password. But the crap websites that force you to have an account - share away, just be certain your shared password has no relation with your more secure passwords, and make certain the sites really don't have any information you want kept safe. (I know some security mavens will get on me about that stance, but the reality is we have a lot of passwords these days that lock up things that don't need to be locked).

[GILow]

Quote:

Originally Posted by Suijin

I have two algorithms for all of my passwords. One is for passwords I don't change often or at all, the other for those I change monthly (finances, email, identity stuff). It's easier for me than storing them somewhere with cryptic hints.

Exactly what I do. 25 years of IT Management and I have never seen a better system.

[fernandosmooth]

Listen to my method !

Store the passwords anywhere, on a paper, in plain sight on the coffee table or in digital format.

The thing is, the initial part of the password is the same for all passwords and only you know.

For example:

Passwords

Bank 1: pumpkin9
Bank2: radio4

Those are the passwords for those banks. Those are written down in paper, anyone could see them but the real password for bank1 is Televisionpumpkin9 and the password for Bank2 is Televisionradio4. You see? The word Television only is known to you, that you never write it down, that is the only thing common in all passwords but that you never write it down.

[GordMay]

Re: Locks, Passwords, etc.
Unfortunately, if anyone (you) can get in, so can someone else.
The only ultimate security is when nobody can get in.
Do the best you can (some good ideas here), then worry (if you’re trying to secure very important stuff).

[Suijin]

The most secure password is the one that you change regularly. Keeping the same password for an extended period of time is a recipe for disaster.

It's like brushing your teeth. It's just good security hygiene. Yes it's a pain, but look at it this way; changing your financial passwords once a month for a year still takes less time than one trip to a physical bank. Convenience has a price, but it's often less than the benefit.

[dwedeking2]

If they want my financial account information it's easier for them to steal that from Equifax than trying to figure out my password.

[CaptTom]

Quote:

Originally Posted by Suijin

The most secure password is the one that you change regularly. Keeping the same password for an extended period of time is a recipe for disaster.

How so?

If you follow all the other advice; don't use the same password in multiple places, use a secure password, and don't share it with anyone, what's the difference?

If your password is stolen, the damage is already done. Changing the password 90 days later, or even 30, still gives the bad guys plenty of time to take what they want.

If your password is not stolen, then it's just as secure as the day you set it up.

I see too many systems where the password requirements go beyond common sense, to the point of pure silliness. Forcing people to write passwords down doesn't improve security, it weakens it.

Most of the "big" hacks we've heard about were accomplished via authorized users who are tricked into divulging their passwords. No amount of password complexity will prevent this.

One last thought: Most hacks are against a system, not an individual. The bad guys don't go to every bank in the world to see if your personal password works there, too. They go after all accounts at the bank they hacked. The only way using the same password in multiple places is bad is if someone is personally targeting YOU, and has some idea where all your accounts are.

[maxingout]

We were forced to change the passwords every 90 days on government accounts, and I don't think it increased security doing that.

While I was employed with the Indian Health Service, the only account compromised during my tenure was the Health and Human Services database that had all of the HHS employees information. It seems to me that hackers are going after the big fish.

On a more personal level, most of the time individuals get hacked, it seems to be the result of a low level phishing expedition.

I don't know much about computer security, but it seems to me that if there is malware on your computer that does key stroke logging, they will get your passwords anyway when you type them in. I have the feeling that a person needs to have a computer/tablet/smart phone that is totally clean and never cruises the internet or opens email so you are sure there is no key stroke logging software sending your passwords into cyberspace.

I have one I-pad that I don't use to cruise the world wide web or use to check emails, and hopefully it will never get any malware on board. I use that one to log in to things that are really important like financial accounts.

[ZULU40]

I put most on notepad text file on a USB
It doesn't look like a USB and is easily hidden

[Captain Bucknut]

Quote:

Originally Posted by Dsanduril

One other thing, passwords really shouldn't be pass words - they should be pass phrases. Length is your friend. No less than the person who wrote the NIST standards on passwords and complexity recently apologized publicly and said that complexity (special characters, numbers, etc.) in a short password was not the right way to go, length was the key.

Think "The qu!ck br0wn Fox jumped over the lazy dog"

Heard this on NPR a couple weeks ago and it has prompted me to rethink how I approach passwords and usernames.

I have tried to move away from using an email or my name or anything obvious as a username. I suggest using something such as your first boats name or a nickname for your kid..... but nothing that would be found in any of your social or electronic history.

Passwords....i like the consistent algorithm method (it's also approved by the Catholic Church) and then change it up for financials....

[ZULU40]

Quote:

Originally Posted by maxingout

We were forced to change the passwords every 90 days on government accounts, and I don't think it increased security doing that.

It was discovered recently that an Australian defence supplier had been hacked over a period of 4 months. Turns out they hadnt changed passwords in over a year. Passwords like admin for admin and guest for guest. Data on among other things F35 was compromised.

Defence Force hacked: Top secret technical information stolen

Quote:

Originally Posted by maxingout

While I was employed with the Indian Health Service, the only account compromised during my tenure was the Health and Human Services database that had all of the HHS employees information. It seems to me that hackers are going after the big fish.

On a more personal level, most of the time individuals get hacked, it seems to be the result of a low level phishing expedition.

thats true, usually email exploits, more worrying stolen laptops and browser based password saves.

Only online bank with what you are prepared to lose

[anacapaisland42]

I have a standard password that is easy to remember
e.g.
MyNameisFred

THEN
an easy to remember number such as your house/apt number converted to symbols.....e.g. 123 becomes !@#....789 becomes &*(

THEN
an easy to remember i.d. for the site e.g. your office site could be WORK

THEN.....and this is the big THEN.....add the all together and you get

MyNameisFred!@#WORK

OR e.g. your bank could be

MyNameisFred!@#BANK ,,,,,,etc etc

Every site has a different password but is easy to remember..and really hard to crack

Bill

Quote:

Originally Posted by maxingout

How are people storing passwords who are out cruising?

I don't think storing passwords on digital devices is a great idea because if the device is somehow hacked, all the passwords could be stolen.

I am uncomfortable with writing them down on paper and leaving them on the yacht.

The best thing I have been able to come up with is to have one book with the account log ins, and a separate book that has the passwords for those accounts set up in a way that nobody would think that the two books are related in any way.

Maybe I am overlooking a simpler and more secure way of storing passwords.

What are people doing to keep their passwords secure while out cruising? Where do they store those passwords?

[meirriba]

I have a file on my PC that contains all passwords. This file is encrypted and needs access rights (mine). All I remember is the procedure to open this one particular file.