Password protection...

MontyB

All-Blacks Supporter
What do you guys do to secure your passwords?

Up until recently I have used the same password for everything but in recent months I have been upgrading and changing passwords currently I am using a mix of letters and numbers, capitals and lower case and at least 11 characters long and I am now storing them in a journal rather than online.

Does anyone do anything different?
Anyone using password generators or the password storage and encryption software that is available these days?

(It just seems weird to me to store passwords online and think they are safe).
 
I used to have a complicated but easily remembered system for remembering my passwords but it eventually ran out of viable choices so now my passwords are generated by Strong Password Generator http://strongpasswordgenerator.com/ and stored in a small ETronics Netbook (A$268). They are usually 15 characters or more, depending on the security level, or the requirements of some sites, e.g. I only use a smaller password for this site.

I originally bought my Netbook to use as my Music server and because I had no need for it to go online I removed the WiFi software, and now also use it to store my Passwords in a secure folder using FolderLock.

I also have a backup of the passwords on a printed sheet stored in my fireproof safe http://forum.jamestownevents.com/index.php/topic,112.0.html (second to last post on the page) where I also keep my 1TB backup drive,... and Yes, I have a backup of my Folderlock Locker on that too.

Paranoid.... me?... Nahhh, I had'm out with me tonsils as a little tacker.
 
Hehe I just tried that "Strong Password Generator" and it gave me this "H6V/"|M>}NB's,$" and happily told me to remember it like this "HOTEL 6 VICTOR / " | MIKE > } NOVEMBER BRAVO ' sierra , $" now I don't know about you but I have enough trouble remembering my name at 2am I am damn sure I will never remember that 10 minutes after I use it.

The question I have about storing passwords in locked folders or online is that anyone that has the ability to access your computer more than likely has the ability to access that folder as well so I have trouble in accepting they are secure beyond the first intrusion.

At this point all I have been doing is writing them down in a notebook and storing that notebook in my ammunition safe which is within arms reach of the computer desk.

But I have looked at my password list and they are all between 9 and 14 characters long with most of them being around 11 characters, I will probably try and increase them to 15-16 (16 seems to be the common maximum on most applications) and incorporate a few other character types.
 
Like yourself I have great difficulty remembering multiple passwords longer than about 7 characters, and can't see the sense in short ones. If I could remember the suggestion you were given, I'd certainly have no difficulty in remembering my passwords.

The alternative especially for frequently used passwords, is to put them in an unencrypted file on a memory stick with no indication as to what they are. This is OK for me as I only have about 6 passwords, the length of which tells me their security level. If you are really paranoid add a given number of symbols at a known location within every password, e.g. three dummy characters at positions 3,4 and 5 within the password, I couldn't imagine any person who found them bothering to try all the possible combinations. The memory stick is inserted while I copy a password and then removed and placed in the top drawer of the safe which is usually open while I'm about.

I change things like bank or Paypal access details, about every three to four months, some online sites like this one have never been changed.

Yeah, it's always been a bit of a "pet worry" of mine.

I know that the bloke who owns another site that I frequent uses the VIN of his BMW as his master password. He says if it's stolen he can always get his password from the insurance company, and I also have a copy of it. No, unfortunately not the Beemer,...:-D
 
I used to have an app for the iPhone that I would store my passwords on. I can't remember the name of the app but it had a 4 digit pin to get into the app and if the password was put in wrong 3 times it completely wiped all the info. This worked great for me because I had a million passwords I had to remember for work on numerous computers. The one thing I would always have on me was my cell.

You don't have to worry about somebody hacking your cell phone and if it gets lost and somebody tries to access the program it wipes everything after 3 failed login attempts. I no longer have the phone but I'm sure if you looked up "password" in the app store you would find it.
 
I have a short term memory problem at times, so I use passwords that I will never forget, my RAF or Army numbers. They are ingrained into my soul.
 
That is possibly OK if you have a really long Service number, however mine is only a letter and 5 numbers.

Yeah, in the RAN we all knew one another back in those days.;-)

There are really only two things that I am quite passionate about with my 'puta, they are, security and backing up my data.
 
My RAF number was a letter and 7 numbers, my army number was 8 numbers.

It took me quite a while to remember my RAF number. I had our Scottish D.I. shouting "WHAT'S YOUR NUMBER LADDIE?" To which I replied "erm, erm, erm I dunno Corporal." He went red in the face then shouted "TWICE ROUND THE SQUARE LADDIE, DOUBLE DOUBLE DOUBLE."

Ah, glorious days.
 
As a tech operator on various forums and pages and as a geek I am terribly paranoid as far as passwords and their use are concerned as I know that 90% of the people just go very sloppy about it (I usually crack the ones of my users within 24 hours when I attempt it), and I have developed a simple but effective system that enables me to:

- only have to remember one PW (and I would never write this down anywhere), something that even I with my age induced short memory problems can easily cope with

- have a different and secure PW for any access I need without having to remember more than just one

- make sure my PWs are - at least at the moment and for normal users (CIA or the NSA would be another angle that I probably have not covered fully, just delayed) - more than just reasonably secure against attacks, be they dictionary or brute force type.

The only problem I have right now displaying this system is that it is 0117 here and I just stumbled over this thread but need to turn 2m horizontal *now* without further discussions, so permit me to delay my response a day and post it (my GMT+2) tomorrow night. Stay tuned, might be worthwhile.

Rattler
 
Just to keep my promise (late again here, and again I should actually be in bed) here a quicky on PW creation and structuration, maybe not keeping up with all I promised above, but with the basics (and certainly secure enough for your everyday use), even if not really in depth:

Here a simple system for (almost) perfect but yet rememberable passwords:


1. Think of a sentence, a line of a poem, or a caption you can remember always, for explanation let's use e.g. “Passion is a positive obsession. Obsession is a negative passion.”

2. Form your password from the first letters of each word in the phrase, respecting Capital letters and including the punctuation, for the above case this would be:

"Piapo_Oianp."


3. Add with a connection key (I use "#") a numeric/symbol prefix THAT YOU NEVER CHANGE IN ANY PASSWORD (hence easy to remember), e.g. "3*2=7", your result will now be:

"3*2=7#Piapo_Oianp."

This now is your "Master password" that you can always remember (or at least re-construct, as it follows a system). DON'T EVER WRITE THIS MASTER PW down anywhere, if you need a reminder for your base line just write the base phrase (not the prefix) down somewhere, without comment.

(Write down a PW? Big No-No...

*Never* write a PW down, be it on paper or on your machine.

You won't believe it, but a recent study has shown that

- 36% of users write their PW on a piece of paper. Of those, 57% stick it to their monitor (or its back), and 33% stick it on the bottom of their keyboard. The rest keeps it either with his credit cards or in (or stuck to the bottom) of a drawer of their desk... Go figure how easy everybody is to crack, this not even taking into account that according to the same study, 12% of users use "password" as their password...

- 53% of users keep their PW somewhere on their computer, in clear text - Gosh!

An example on how unsecure you live, if you run FireFox on PC try the following:

One of Firefox's most convenient features is its ability to save the passwords you use to log on to web sites - like your webmail and online banking - so you don't have to type them in every time. Those saved passwords appear as asterisks in the password field.

In Firefox, from the Tools menu, choose Options, and in the Passwords tab hit the "View Saved Passwords" button. Then hit "Show Passwords."

Yup, there they are, all your high security passwords in plain text and full sight.

Try it. Right now. I'll wait.

Now consider how easy it would be for your Firefox-lovin' housemate to log onto your Gmail, or the computer-sharing apprentice at the office to get into your checking account or your other half to discover all your porn site logins (ok, just kidding about the porn. Maybe)

Not such a great feature anymore, eh?

Of course you can proof Firefox to secure your saved passwords without requiring you to give up the convenience of those autofilled login details, keep on reading.

- only 11% do not write their PW down ever - I am one of them)

4. As you want different passwords for different sites (e.g. for your Firefox Master-PW that would obscure your passwords in the above mentioned routine), you now decide (and MAY write down somewhere) a rule/system on how to denominate the programs, sites and registrations, I usually have 4 letters prefixes (you might need 5 if you have a large number of sites or functions on those sites), and in order to not forget them I have a list of those written down (they won't help a cracker if he found it as he does not even know what the list serves for), e.g. for "International Military Forums user" my prefix could be "imfu_". For "FireFox Master " my prefix could be "FiFo_", etc. As said, you *can write those down safely* in a document e.g. called "sites shortname list", you don't need to remember those (just your master PW that you never write down).

Hence, in the above example, your PW for FireFox would now be: "FiFo_3*2=7#Piapo_Oianp." For you as user here it would be "imfu_3*2=7#Piapo_Oianp."

Check it out in the password safety tester (offline, of course, else *they* would just have read it.... :) ), and you get the following results:

http://rumkin.com/tools/password/passchk.php : "Strength: Strong - This password is typically good enough to safely guard sensitive information like financial records."

http://www.passwordmeter.com/ : "Exceptional: Exceeds minimum standards."

Or, in detail (for PCs, not Crays!) http://unwrongest.com/projects/password-strength/ : "Your password is forceable in 6.950652247107411e+83 years"

Sometimes sites only accept e.g. 16 or 12 characters, no problem either, you just shorten it (from the RIGHT, of course), test out the results for yourself, e.g. with the 12 char version "imfu_3*2=7#P" :

http://rumkin.com/tools/password/passchk.php : "Strength: Reasonable - This password is fairly secure cryptographically and skilled hackers may need some good computing power to crack it. (Depends greatly on implementation!)"

http://www.passwordmeter.com/ : "Exceptional: Exceeds minimum standards."

http://unwrongest.com/projects/password-strength/ : "Your password is forceable in 5389762 years, 2 months"

Heavy loss in security, definitely, but still "reasonably" safe (for me 16 char is the minimum length, the result grows exponentially: "Your password is forceable in 420805123888006 years, 6 months")

Now, with this system, you have a strong password, at the same time a different one for every site or function or user, and you can always and easily remember or re-construct it.

Remember, though, that however strong you make your PW, it will be sent over the net when you send it, hence it can be captured and read during transfer (if you don't go through https), also, a key logger that someone installed on your comp directly or via virus/trojan will easily read it, etc.

Hence, I recommend to change the master PW for all sites regularly (I know this is hard, you have to change it in all your sites you registered, but if you are just a little paranoid probably a change every 4 weeks should keep you out of major trouble).

FWIW,

Rattler
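
The construction in the post above, worked through as an added example (not part of the original thread): it rebuilds the per-site passwords from the post's own values, then measures how much of the memorised phrase survives truncation and how much two site passwords have in common. The function names are illustrative, and `naive_bits` is the length-times-pool upper bound, which assumes every character was chosen at random.

```python
import math
import string

# Values taken from the post's worked example.
PREFIX = "3*2=7"
ACRONYM = "Piapo_Oianp."
MASTER = PREFIX + "#" + ACRONYM


def site_password(tag, max_len=None):
    """Step 4: site tag + master password, cut from the right if the site caps length."""
    pw = tag + MASTER
    return pw if max_len is None else pw[:max_len]


def acronym_chars_kept(tag, max_len):
    """How many characters of the memorised phrase survive truncation to max_len."""
    fixed = len(tag) + len(PREFIX) + 1  # site tag, numeric prefix, '#'
    total = min(max_len, len(tag) + len(MASTER))
    return max(0, total - fixed)


def naive_bits(pw):
    """Upper bound on brute-force cost: length * log2(size of the character pools used)."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    pool = sum(len(p) for p in pools if any(c in p for c in pw))
    return len(pw) * math.log2(pool)


def shared_suffix(a, b):
    """Longest common ending of two passwords."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:]


def report():
    forum, firefox = site_password("imfu_"), site_password("FiFo_")
    shared = shared_suffix(forum, firefox)
    return {
        "forum": forum,
        "forum_12": site_password("imfu_", 12),
        "kept_12": acronym_chars_kept("imfu_", 12),
        "kept_16": acronym_chars_kept("imfu_", 16),
        "bits_full": round(naive_bits(forum), 1),
        "bits_12": round(naive_bits(site_password("imfu_", 12)), 1),
        "shared": shared,
        "differing": len(forum) - len(shared),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:>10}: {value}")
```

With the post's values, the 12-character form keeps one character of the phrase, and the two site passwords differ only in the four letters of the site tag.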
 
Well,... I guess that's one thing I've got covered. Nothin',.... Nix, Nada, Zilch.


My major bother is changing passwords regularly, firstly because I've never compiled a list of all the sites etc., that I use, and secondly some sites have limitations, e.g. "must start with a letter" which means that one sized password is not always acceptable for all sites.
 