Windows 8 and 8.1 Forums

What is 'best practice' for password management?

  1. #1

    Posts : 108
    Windows 8.1 Pro (x64)

    What is 'best practice' for password management?


    What is the 'best practice' for managing one's passwords?

    1. I need to manage a fairly large number (i.e. 50+). So there are too many to remember.

    2. Obviously I don't want to keep them inside a simple unencrypted text file, in case my data gets hacked.

    3. If I download dedicated password application how can I trust it?(!)

    4. I don't trust 'The Cloud' nor any of the big data owners: google, apple, amazon, drop-box et al.

    5. I don't want to be tied to anything that I can't migrate with me onto my next hardware, when I come to upgrade my PC(s).

    Either way I don't really want to pay anything (certainly not more than a few dollars) for this security.

    I was thinking of using something like TrueCrypt to create a virtual drive (that I encrypt robustly) and then storing my passwords in an ordinary text file.
    That way I would have a single master password (for TrueCrypt) which would give access to all the other passwords.
    [Aside: Obviously if I forget my master password I'm screwed!]

    As you know many sites require passwords that meet specific rules e.g.
    - At least one upper AND one lower case letter
    - At least one digit
    - No triplets (three characters the same next to each other) (iTunes!)
    - No more than 16 characters

    Double-click problems
    Some sites allow extended ASCII characters (e.g. £$%^&*), which give VASTLY better security of course. BUT they are a mighty pain to use regularly because if you double-click using Windows (XP /7 /8), Windows doesn't accept extended as being part of 'a word' and ignores the extended ASCII characters in your password. And if you TRIPLE-click, it then selects the entire line! This is a nightmare if you are in and out of passwords all day.

    a) I want passwords that are pretty much secure.
    e.g. say 1 trillion years from my desktop to crack according to this site:
    (Not that I trust it not to harvest whatever I put in and use against me!)
    This is extremely hard (perhaps impossible) to achieve within 16 characters unless one uses extended ASCII.

    b) For day-to-day convenience, I want to absolutely minimize the number of clicks and keystrokes.

    c) For low security sites that I don't give a damn about, I just want something easy to type in.

    - Any suggestions?

    With thanks


    P.S. Btw, for reasons of security I clear out cookies on a regular basis (for convenience using a utility - CCleaner)

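The site rules listed in the post (mixed case, at least one digit, no three identical characters in a row, at most 16 characters) are easy to check mechanically, and a password that satisfies them can be drawn from the operating system's CSPRNG rather than typed by hand. The following Python is an added example, not code from the thread or from any product mentioned in it; the symbol set, the minimum length of 8 and the alphabet sizes used for the entropy estimate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed policy, modelled on the rules the post lists: mixed case,
# at least one digit, no character three times in a row, at most 16 chars.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SYMBOLS = "£$%^&*"   # the post's own example set; optional because not every site accepts it


def has_triplet(pw: str) -> bool:
    """True if any character appears three times in a row (the iTunes rule)."""
    return any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2))


def meets_policy(pw: str, max_len: int = 16, min_len: int = 8) -> bool:
    """Check a candidate against the constructed policy above."""
    return (
        min_len <= len(pw) <= max_len
        and any(c in UPPER for c in pw)
        and any(c in LOWER for c in pw)
        and any(c in DIGITS for c in pw)
        and not has_triplet(pw)
    )


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).

    This is the quantity brute-force 'years to crack' calculators start from;
    a 16-character password over 62 symbols is about 95 bits.
    """
    return length * math.log2(alphabet_size)


def generate(length: int = 16, use_symbols: bool = True) -> str:
    """Generate a random password that satisfies meets_policy().

    Every character is drawn uniformly with the CSPRNG in `secrets`; candidates
    that fail the policy are rejected and redrawn, so the output stays uniform
    over the policy-compliant set rather than being patched up by hand.
    """
    alphabet = UPPER + LOWER + DIGITS + (SYMBOLS if use_symbols else "")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw, max_len=max(16, length)):
            return pw


if __name__ == "__main__":
    pw = generate()
    print(pw, meets_policy(pw), round(entropy_bits(len(pw), 62 + len(SYMBOLS)), 1), "bits")
```

Because `generate()` samples from the whole alphabet and rejects non-compliant draws, the entropy of the result is only marginally below `entropy_bits(length, alphabet_size)`; composing a password by hand from memorable fragments is what collapses that number, not the 16-character limit itself.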

  2. #2

    Posts : 2,627
    win8.1.1 enterprise

    Remember, I just keep trying till I get it right,

  3. #3

    Posts : 108
    Windows 8.1 Pro (x64)

    Quote Originally Posted by David Bailey View Post
    I have a notebook (paper !) & I write them all down.
    I keep a copy on Gmail in txt files.
    I keep a copy on USB drive.
    I keep a copy on DVD as txt files.
    I keep a folder on the Desktop with serial #s & passwords & usernames.
    I use Macrium Reflect to image my entire computer, on USB.

    I think I'm covered on password recovery & user names, etc.
    Blimey. And don't tell me - you use "1234" and "password" wherever you can?

    Now, back to Best Practice... anyone?

  4. #4

    Sunnyvale, CA USA
    Posts : 283
    Windows 8.1 Pro with Media Center (64-bit)

    I use KeePass and have passwords different for everything. I have a copy of the database on a thumb drive along with KeePass portable. KeePass has selectable algorithms including pronounceable passwords.

    I also have a copy of the KeePass export plain-text in a password-protected ZIP file.

    Another thing I do is format a thumb drive NTFS and make an encrypted folder using my encryption key. Anyone can get one for NTFS usage. I put lots of sensitive stuff there as only my account should be able to decipher the files.

    And finally, I keep a portable copy of TrueCrypt and an encrypted folder on those same thumb drives.

    But more generally:

    These thumb drives are special. Some are NTFS and use my encryption key, the others are designed for boot purposes and are formatted using YUMI (see the site). Using YUMI, I load a copy of Linux Mint, Acronis Rescue Media, F-Secure Rescue CD, and one of the rescue boot utilities disk. These will all fit rather easily on a small drive.

    In the remaining space I put the Portable Apps launcher and several portable apps (see 7-zip, System Explorer, KeePass, Chrome, LibreOffice, Notepad++, Irfanview, FileZilla, Audacity, VLC, the Sysinternal suite, Nirsoft tools, etc.)

    You should be able to fit these on an 8 or 16 GB flash drive with no trouble. I carry one around with me always.

    I am not in the habit of routinely changing passwords. If the password is good now, how will changing it help? Since I never repeat them, one hacked account won't hurt me too much.

    I don't think I would ever use a cloud-based storage for my passwords. I wouldn't put them on Google Drive or SkyDrive for example.

  5. #5

    Sloe Deth, Californicatia
    Posts : 3,908
    Windows 8 Pro with Media Center/Windows 7

    I use the same password or variations of it in most places, I keep them in a protected TXT file hidden deep in my system.

  6. #6

    Posts : 454
    Windows 8.1 Pro with Media Center

    Quote Originally Posted by ship69 View Post
    I was thinking of using something like TrueCrypt to create a virtual drive (that I encrypt robustly) and then storing my passwords in an ordinary text file.
    That way I would have a single master password (for TrueCrypt) which would give access to all the other passwords.
    [Aside: Obviously if I forget my master password I'm screwed!]
    Good idea on Truecrypt, but unless you encrypt all your drives, you are subject to data leakage. Granted, you may not care about that risk, but TC makes it pretty easy to encrypt everything yet achieve a seamless experience. I have over a dozen drives, internal, external, thumb, SSD, etc, all of them single partition and TC'd, and the only time I have to enter a passphrase is when I boot my system. This is true even for the external drives I use in docks on two different systems. I keep one small thumb drive unencrypted for things like BIOS updates.

    As for password management, I've used Keepass for years, and I currently have over 700 entries in it. You can set up profiles for password creation and specify length, characters used, etc. It also supports automated entry of usernames and passwords into web forms, but I've never used that feature. I just double-click on the user name to copy to clipboard, paste, repeat and rinse for password. I configure it to lock automatically when the system sleeps or I lock the workspace (Win+L), which provides some extra security for a live system.

    Out of 700+ passwords, I have four committed to memory: My Truecrypt passphrase, my Keepass password, my Windows login, and my Apple ID. They are all different, strong, and used only for one purpose.

  7. #7

    Posts : 959
    Windows 8.1, 10

    My only worry about TrueCrypt would be that it doesn't claim to support Windows 8 yet. I'd be reasonably comfortable with encrypted containers, but I won't be using it for full-disk encryption on Windows 8 until it at least claims to be supported.

  8. #8

    Posts : 454
    Windows 8.1 Pro with Media Center

    Oh, good point about TC and Windows 8. I keep forgetting this is a Windows 8 forum when the discussion isn't specifically about Windows 8. It doesn't really exist for me anywhere else.

  9. #9

    Posts : 1,925
    Windows 8.1 Pro

    The point of failure is much more likely to be either on the website itself, or via malware such as a keylogger. However, things to remember:

    If you encrypt a volume and store an unencrypted password on it, then when the volume is mounted it's vulnerable to any attack that may occur while your computer is on. For instance, a hacker gains remote access, they can see your unencrypted data on your encrypted drives because you have them mounted. The same goes for EFS.

    You could store them in an encrypted zip file, but remember that many times data is stored silently in temp files and written to disk in the form of page file tables (from memory). So this data can ultimately be found if someone has full access to your computer.

    I like LastPass. They provide the source code to their clients, so you can validate it if you like. And the key is stored locally on your computer so the service has no access to the unencrypted data. You may not like "the cloud" but if they can't unencrypt it, then it's perfectly safe. Your only concern is if someone develops a massive way to defeat modern encryption.

    NOTE: LastPass is only secure if you do not use their Web based access, because that requires that THEY store a copy of the key so they can generate the web pages. You have to use the local client in order to keep things secure.

  10. #10

    Posts : 108
    Windows 8.1 Pro (x64)

    Quote Originally Posted by Mystere View Post
    For instance, a hacker gains remote access, they can see your unencrypted data on your encrypted drives because you have them mounted. The same goes for EFS.
    Yikes, I am at the limits of my knowledge.
    Ok, so mounting of a disk is a software process that enables the operating system to read and write data to the disk, yes?
    So when you provide the password to TrueCrypt it can then "mount" the disk, and whilst you have it in that open state, any hacker or virus etc can also read your disk, yes?

    Hmm... OK the main thing I'm concerned about is getting my entire computer stolen and in that situation the disk could not be mounted by anyone unless they had the password. Which with a reasonable password would be effectively impossible. But I get your central point.

    LastPass sounds interesting if it is encrypting and decrypting locally that sounds good. But how does it manage to share the passwords across all your devices at once? Again I'm at the limits of my knowledge but surely each of your devices would need to store a copy of the key, and that doesn't sound so safe to me.
    Likewise I wouldn't completely trust the plugins to not reveal what they are up to.

    Regarding "the cloud" e.g. DropBox my main cry is that everything always seems to have holes in it! And I simply don't trust the dropbox software itself. i.e. The data on their server may appear to be massively encrypted. But
    a) we've only got their word for it - maybe it's elaborately designed to LOOK like it's encrypted but actually there are very cleverly concealed holes.
    b) they are installing software on my computer and I don't completely trust that either.
    Either way I thought that too much encryption was actually *illegal*, mainly because the state needs to be able to hack things if they really need to, albeit rather slowly and with a super-computer or two.
    c) furthermore I have yet to forgive Apple iTunes for destroying my entire library of music because I was trying to use my iPhone on two computers and it didn't like that, and eventually I clicked the wrong "choose which library you want" button.
    d) there are always things you haven't thought of, like they kick you out of your account without warning for breaking some petty rule of theirs (like what happened to me on Facebook).
    e) things may well go wrong more often than we all think, big companies get hacked regularly, banks get hacked but they make damned sure we almost never hear about them.

    Maybe in 5 years if nobody has ever hacked Dropbox, I'll consider it (or something similar), but until then, no. And yes, in 10-15 years time, no doubt all this chat will seem dinosaur-like, as everything will be fully backed up, securely archived, spam and virus filtered for us and with massively faster networks, nobody in their right minds would do anything else. But until then, nope. Not I.
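Post #9 describes a password manager whose key is derived locally so the service only ever holds ciphertext, and post #10 asks how that can work across several devices without each one storing a copy of the key. The answer is that the key is never stored or sent at all: every device re-derives it from the master password, and the server only receives a separate one-way login token plus the encrypted vault. The following Python is an added example written for this thread, not LastPass's code or parameters (the iteration count, the account id used as salt and the HMAC-based stand-in for AES are all assumptions for illustration; real managers use a vetted block cipher).

```python
import hashlib
import hmac
import os

# Illustrative parameters (assumptions for this example, not any product's).
KDF_ITERATIONS = 100_000
KEY_LEN = 32


def derive_vault_key(master_password: str, account_id: str) -> bytes:
    """Client side only. The key is a deterministic function of the master
    password and account id, so any device can re-derive it; nothing is stored."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               account_id.encode("utf-8"), KDF_ITERATIONS, KEY_LEN)


def derive_login_token(vault_key: bytes, master_password: str) -> bytes:
    """One further one-way step: this is what the client sends to log in.
    The server cannot invert it to recover the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1, KEY_LEN)


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a standard-library stand-in for AES."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(vault_key: bytes):
    # Separate encryption and MAC keys derived from the vault key by label.
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key or a modified blob fails."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(body, keystream(enc_key, nonce, len(body))))


# --- server side: never sees the master password or the vault key ----------
def server_enroll(login_token: bytes, blob: bytes) -> dict:
    salt = os.urandom(16)
    return {"salt": salt,
            "token_hash": hashlib.pbkdf2_hmac("sha256", login_token, salt, KDF_ITERATIONS, KEY_LEN),
            "vault_blob": blob}


def server_login(record: dict, login_token: bytes):
    """Return the encrypted vault if the token checks out, else None."""
    check = hashlib.pbkdf2_hmac("sha256", login_token, record["salt"], KDF_ITERATIONS, KEY_LEN)
    return record["vault_blob"] if hmac.compare_digest(check, record["token_hash"]) else None


def demo(master: str = "correct horse battery staple", account: str = "user@example.com") -> dict:
    """Device A enrols; device B logs in with the same master password and
    decrypts the vault, although no key was ever stored or transmitted."""
    vault_text = b"itunes: Xy7kq2Lm\nbank: Pq9vR3tZ"   # constructed sample vault
    key_a = derive_vault_key(master, account)
    record = server_enroll(derive_login_token(key_a, master), encrypt_vault(key_a, vault_text))
    key_b = derive_vault_key(master, account)
    blob = server_login(record, derive_login_token(key_b, master))
    wrong_key = derive_vault_key("wrong password", account)
    return {"same_key": key_a == key_b,
            "vault": decrypt_vault(key_b, blob),
            "wrong_rejected": server_login(record, derive_login_token(wrong_key, "wrong password")) is None,
            "server_has_key": key_a in record.values()}


if __name__ == "__main__":
    print(demo())
```

The point post #9 makes about web access follows directly from this layout: the decryption in `decrypt_vault` happens wherever the master password is typed, so a browser page served by the provider would have to receive either the password or the derived key to render the vault, whereas a local client keeps both on the device.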
