• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

What is 'best practice' for password management?


ship69

Member
Member
UK

Posts
108
#1
Hi

What is the 'best practice' for managing one's passwords?

A) HOW SHOULD I STORE PASSWORDS?
Problems:
1. I need to manage a fairly large number (i.e. 50+). So there are too many to remember.

2. Obviously I don't want to keep them inside a simple unencrypted text file, in case my data gets hacked.

3. If I download dedicated password application how can I trust it?(!)

4. I don't trust 'The Cloud' nor any of the big data owners: google, apple, amazon, drop-box et al.

5. I don't want to be tied to anything that I cant migrate with me onto my next hardware, when I come to upgrade my PC(s).

Either way I dont really want to pay anything (certainly not more than a few dollars) for this security.

I was thinking of using something like TrueCrypt to create a virtual drive (that I encrypt robustly) and then storing my passwords in an ordinary text file.
That way I would have a single master password (for TrueCrypt) which would give access to all the other passwords.
[Aside: Obviously if I forget my master password I'm screwed!]


B) PASSWORD CONVENTIONS
As you know many sites require passwords that meet specific rules e.g.
- At least one upper AND one lower case letter
- At least one digit
- No tripplets (three characters the same next to each other) (iTunes!)
- No more than 16 characters

Double-click problems
Some sites allow extended ASCII characters (e.g. £$%^&*) , which give VASTLY better security of course. BUT they are a mighty pain to use regularly because if you double-click using Windows (XP /7 /8), windows doesn't accept extended as being part of 'a word' and ignores the extended ASCII characters in your password. And if you TRIPLE-click, it then selects the entire line! This is a nightmare if you are in and out of passwords all day.

SUMMARY
a) I want passwords that are pretty much secure.
e.g. say 1 trillion years from my desktop to crack according to this site:
https://howsecureismypassword.net
(Not that I trust it not to harvest whatever I put in and use against me!)
This is extremely hard (perhaps impossible) to achieve within 16 characters unless one uses extended ASCII.

b) For day-to-day convenience, I want to absolutely minimize the number of clicks and keystrokes.

c) For low security sites that I dont give a damn about, I just want something easy to type in.


- Any suggestions?

With thanks

J


P.S. Btw, for reasons of security I clear out cookies on a regular basis (for convenience using a utility - CCleaner)
 

My Computer

System One

  • OS
    Windows 8.1 Pro (x64)
    Computer type
    Laptop
    System Manufacturer/Model
    Samsung NP740U3E-S04UK (Series 7 Ultra Notebook)
    CPU
    Intel Core i5 - 3337U
    Motherboard
    Intel HM76 (?)
    Memory
    6GB DDR3 System Memory at 1600MHz
    Graphics Card(s)
    AMD Radeon™ HD 8570M graphics card with 1GB gDDR3 Graphic Memory (PowerExpress)
    Monitor(s) Displays
    13.3" SuperBright+ 350nit FHD LED Display with Touch Screeen Panel
    Screen Resolution
    (1920 x 1080)
    Hard Drives
    512GB mSATA Samsung (PM841 Series MZMTD512HAGL-00000 mSATA 512GB SATA III MLC Internal SSD)
    Keyboard
    Logitech MK700
    Mouse
    Logitech M705
    Internet Speed
    4 to 15Mbps
    Browser
    Firefox, MSIE, Chrome, Opera etc
    Antivirus
    AVG Cloudcare

caperjack

Just the Janitor
VIP Member
Guru
Posts
2,627
#2
Remember ,i just keep trying till i get it right ,
 

My Computer

System One

  • OS
    win8.1.1 enterprise
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Hinze57
    CPU
    AMD FX 6100 6core 3.30gHz
    Motherboard
    gigibyte ga-78lmy-s2p
    Memory
    4gig ddr3
    Graphics Card(s)
    Radon hd5000 Series
    Sound Card
    onboard realtek hd
    Monitor(s) Displays
    19" viewsonic/ 22"Samsung
    Screen Resolution
    1680x1050
    Hard Drives
    128gig ssd Kingston
    80gig WD 10000 rpm spinner
    Case
    micro
    Keyboard
    microsoft curve 200
    Mouse
    Logitech wireless M215
    Internet Speed
    high speed 20
    Browser
    ie 11
    Antivirus
    windows defender
    Other Info
    updated enterprise apr 2/14

ship69

Member
Member
UK

Posts
108
#3
I have a notebook (paper !) & I write them all down. :)
I keep a copy on Gmail in txt files.
I keep a copy on USB drive.
I keep a copy on DVD as txt files.
I keep a folder on the Desktop with serial #s & passwords & usernames.
I use Macrium Reflect to image my entire computer, on USB.

I think I'm covered on password recovery & user names, etc. .
Blimey. And dont tell me - you use "1234" and "password" wherever you can? ;)

Now, back to Best Practice... anyone?
 

My Computer

System One

  • OS
    Windows 8.1 Pro (x64)
    Computer type
    Laptop
    System Manufacturer/Model
    Samsung NP740U3E-S04UK (Series 7 Ultra Notebook)
    CPU
    Intel Core i5 - 3337U
    Motherboard
    Intel HM76 (?)
    Memory
    6GB DDR3 System Memory at 1600MHz
    Graphics Card(s)
    AMD Radeon™ HD 8570M graphics card with 1GB gDDR3 Graphic Memory (PowerExpress)
    Monitor(s) Displays
    13.3" SuperBright+ 350nit FHD LED Display with Touch Screeen Panel
    Screen Resolution
    (1920 x 1080)
    Hard Drives
    512GB mSATA Samsung (PM841 Series MZMTD512HAGL-00000 mSATA 512GB SATA III MLC Internal SSD)
    Keyboard
    Logitech MK700
    Mouse
    Logitech M705
    Internet Speed
    4 to 15Mbps
    Browser
    Firefox, MSIE, Chrome, Opera etc
    Antivirus
    AVG Cloudcare

arachnaut

New Member
Power User
Sunnyvale, CA USA

Posts
282
#4
I use KeePass and have passwords different for everything. I have a copy of the database on a thumb drive along with KeePass portable. KeePass has selectable algorithms including pronounceable passwords.

I also have a copy of the KeePass export plain-text in an password-protected ZIP file.

Another thing I do is format a thumb drive NTFS and make an encrypted folder using my encryption key. Anyone can get one for NTFS usage. I put lots of sensitive stuff there as only my account should be able to decipher the files.

And finally, I keep a portable copy of TrueCrypt and an encrypted folder on those same thumb drives.

But more generally:

These thumb drives are special. Some are NTFS and use my encryption key, the others are designed for boot purposes and are formatted using YUMI (see the pendrivelinux.com site). Using YUMI, I load a copy of Linux Mint, Acronis Rescue Media, F-Secure Rescue CD, and one of the rescue boot utilities disk. These will all fit rather easily on a small drive.

In the remaining space I put the Portable Apps launcher and several portable apps (see portableapps.com): 7-zip, System Explorer, KeePass, Chrome, LibreOffice, Notepad++, Irfanview, FileZilla, Audacity, VLC, the Sysinternal suite, Nirsoft tools, etc.

You should be able to fit these on an 8 or 16 GB flash drive with no trouble. I carry one around with me always.

I am not in the habit of routinely changing passwords. If the password is good now, how will changing it help? Since I never repeat them, one hacked account won't hurt me too much.

I don't think I would ever use a cloud-based storage for my passwords. I wouldn't put them on Google Drive or SkyDrive for example.
 

My Computer

System One

  • OS
    Windows 8.1 Pro with Media Center (64-bit)
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Custom-build
    CPU
    Intel Core i7-2600K @ 4.3 GHz
    Motherboard
    ASUS P8P67 PRO Rev 3.0
    Memory
    16 GB G.SKILL Ripjaws X DDR3 SDRAM DDR3 1600 (4 banks 4GB DIMM DDR3 8-8-8-24 5-32-12-7 1T 1.5V)
    Graphics Card(s)
    NVIDIA GeForce GT 440
    Sound Card
    Firewire Focusrite Saffire Pro 14
    Monitor(s) Displays
    LG W2353V
    Screen Resolution
    1920x1080
    Hard Drives
    2 of Seagate Barracuda XT ST32000641AS (2TB ea.);
    1 of Seagate Barracuda Green ST2000DL003 (2TB);
    1 of Hitachi Deskstar HDS722020ALA330 (2TB);
    2 of Seagate Desktop ST4000DM000-1F2168 (4TB)
    PSU
    Corsair AX850 Gold
    Case
    Cooler Master HAF 932 Advanced
    Cooling
    ThermalTake Silent 1156
    Keyboard
    Logitech K520
    Mouse
    Logitech M310
    Internet Speed
    7Mbps
    Browser
    Chrome
    Antivirus
    Kaspersky
    Other Info
    Event Studio Precision 6 powered audio monitors;
    Boston Acoustics CS Sub 10 Powered Subwoofer;
    NI Kore controller;
    NI Maschine controller;
    M-Audio Axiom 61 keyboard controller; expression pedal; sustain pedal;

    ... and tons of audio software ...

    I also keep two USB 3 thumb drives (A: and B:) attached with boot recovery and security stuff that I can boot into from BIOS in case of emergency

XweAponX

New Member
VIP Member
Pro User
#5
I use the same password or variations of it in most places, I keep them in a protected TXT file hidden deep in my system.
 

My Computer

System One

  • OS
    Windows 8 Pro with Media Center/Windows 7
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Asus M2N-MX SE Plus § DualCore AMD Athlon 64 X2, 2300 MHz (11.5 x 200) 4400+ § Corsair Value Select
    CPU
    AMD 4400+/4200+
    Motherboard
    Asus M2N-MX SE Plus/Asus A8M2N-LA (NodusM)
    Memory
    2 GB/3GB
    Graphics Card(s)
    GeForce 8400 GS/GeForce 210
    Sound Card
    nVIDIA GT218 - High Definition Audio Controller
    Monitor(s) Displays
    Hitachi 40" LCD HDTV
    Screen Resolution
    "1842 x 1036"
    Hard Drives
    WDC WD50 00AAKS-007AA SCSI Disk Device
    ST1000DL 002-9TT153 SCSI Disk Device
    WDC WD3200AAJB-00J3A0 ATA Device
    WDC WD32 WD-WCAPZ2942630 USB Device
    WD My Book 1140 USB Device
    PSU
    Works 550w
    Case
    MSI "M-Box"
    Cooling
    Water Cooled
    Keyboard
    Dell Keyboard
    Mouse
    Microsoft Intellimouse
    Internet Speed
    Cable Medium Speed
    Browser
    Chrome/IE 10
    Antivirus
    Eset NOD32 6.x/Win Defend
    Other Info
    Recently lost my Windows 8 on my main PC, had to go back to Windows 7.

crawfish

Member
Power User
Posts
454
#6
I was thinking of using something like TrueCrypt to create a virtual drive (that I encrypt robustly) and then storing my passwords in an ordinary text file.
That way I would have a single master password (for TrueCrypt) which would give access to all the other passwords.
[Aside: Obviously if I forget my master password I'm screwed!]
Good idea on Truecrypt, but unless you encrypt all your drives, you are subject to data leakage. Granted, you may not care about that risk, but TC makes it pretty easy to encrypt everything yet achieve a seamless experience. I have over a dozen drives, internal, external, thumb, SSD, etc, all of them single partition and TC'd, and the only time I have to enter a passphrase is when I boot my system. This is true even for the external drives I use in docks on two different systems. I keep one small thumb drive unencrypted for things like BIOS updates.

As for password management, I've used Keepass for years, and I currently have over 700 entries in it. You can set up profiles for password creation and specify length, characters used, etc. It also supports automated entry of usernames and passwords into web forms, but I've never used that feature. I just double-click on the user name to copy to clipboard, paste, repeat and rinse for password. I configure it to lock automatically when the system sleeps or I lock the workspace (Win+L), which provides some extra security for a live system.

Out of 700+ passwords, I have four committed to memory: My Truecrypt passphrase, my Keepass password, my Windows login, and my Apple ID. They are all different, strong, and used only for one purpose.
 

My Computer

System One

  • OS
    Windows 8.1 Pro with Media Center

DavidY

Active Member
VIP Member
Pro User
Posts
955
#7
My only worry about TrueCrypt would be that it doesn't claim to support Windows 8 yet. I'd be reasonably comfortable with encrypted containers, but I won't be using it for full-disk encryption on Windows 8 until it at least claims to be supported.
 

My Computer

System One

  • OS
    Windows 8.1, 10

crawfish

Member
Power User
Posts
454
#8
Oh, good point about TC and Windows 8. I keep forgetting this is a Windows 8 forum when the discussion isn't specifically about Windows 8. It doesn't really exist for me anywhere else.
 

My Computer

System One

  • OS
    Windows 8.1 Pro with Media Center

Mystere

Power User
VIP Member
Power User
Posts
1,925
#9
The point of failure is much more likely to be either on the website itself, or via malware such as a keylogger. However, things to remember:

If you encrypt a volume and store an unencrypted password on it, then when the volume is mounted it's vulnerable to any attack that may occur while your computer is on. For instance, a hacker gains remote access, they can see your unencrypted data on your encrypted drives because you have them mounted. The same goes for EFS.

You could store them in an encrypted zip file, but remember that many times data is stored silently in temp files and written to disk in the form of page file tables (from memory). So this data can ultimate be found if someone has full access to your computer.

I like LastPass. They provide the source code to their clients, so you can validate it if you like. And the key is stored locally on your computer so the service has no access to the unencrypted data. You may not like "the cloud" but if they can't unencrypt it, then it's perfectly safe. Your only concern is if someone develops a massive way to defeat modern encryption.

NOTE: LastPass is only secure if you do not use their Web based access, because that requires that THEY store a copy of the key so they can generate the web pages. You have to use the local client in order to keep things secure.
 

My Computer

System One

  • OS
    Windows 8.1 Pro
    CPU
    Intel i7 3770K
    Motherboard
    Gigabyte Z77X-UD4 TH
    Memory
    16GB DDR3 1600
    Graphics Card(s)
    nVidia GTX 650
    Sound Card
    Onboard Audio
    Monitor(s) Displays
    Auria 27" IPS + 2x Samsung 23"
    Screen Resolution
    2560x1440 + 2x 2048x1152
    Hard Drives
    Corsair m4 256GB, 2 WD 2TB drives
    Case
    Antec SOLO II
    Keyboard
    Microsoft Natural Ergonomic Keyboard 4000
    Mouse
    Logitech MX

ship69

Member
Member
UK

Posts
108
#10
For instance, a hacker gains remote access, they can see your unencrypted data on your encrypted drives because you have them mounted. The same goes for EFS.
Yikes, I am at the limits of my knowledge.
Ok, so mounting if a disk is a software process that enables the operating system to read and write data to the disk, yes?
So when you provide the password to TrueCrypt it can then "mount" the disk, and whilst you have it in that open state, any hacker of virus etc can also read your disk, yes?

Hmm... OK the main thing I'm concerned about is getting my entire computer stolen and in that situation the disk could not be mounted by any unless they had the password. Which with a reasonable passwords would be effectively impossible. But I get your central point.

LastPass sounds interesting if it is encrypting and decrypting locally that sounds good. But how does it manage to share the passwords across all your devices at once? Again I'm at the limits of my knowledge but surely each of your devices would need to store a copy of the key, and that doesn't sound so safe to me.
Likewise I wouldn't completely trust the plugins to not reveal what they are up to.

Regarding "the cloud" e.g. DropBox my main cry is that everything always seems to have holes in it! And I simply dont trust the dropbox software itself. i.e. The data on their server may appear to be massively encrypted. But
a) we've only get their word for it -maybe it's elaborately designed to LOOK like it's encrypted but actually there are very cleverly concealed holes.
b) they are installing software on my computer and don't completely trust that either.
Either way I thought that too much encryption was actually *illegal*, mainly because the state needs to be able to hack things if they really need to, albeit rather slowly and with a super-computer or two.
c) furthermore I have yet to forgive Apple iTunes for destroying my entire library of music for because I was trying to use my iPhone on two computers and it did like that, and eventually I clicked the wrong "choose which library you want" button.
d) there are always things you havent thought of, like they kick you out of your account without warning for breaking some petty rule of their (like what happened to me on Facebook).
e) things may well go wrong more often than we all think, big companies get hacked regularly, banks get hacked but they make damned sure we almost never hear about them.

Maybe in 5 years if nobody has ever hacked Dropbox, I'll consider it (or something similar), but until then, no. Any yes, in 10-15 years time, no doubt all this chat will seem dynosaur-like, as everything will be fully backed up, securely archived, spam and virus filtered for us and with massively faster networks, nobody in their right minds would do anything else. But until then, nope. Not I.
 

My Computer

System One

  • OS
    Windows 8.1 Pro (x64)
    Computer type
    Laptop
    System Manufacturer/Model
    Samsung NP740U3E-S04UK (Series 7 Ultra Notebook)
    CPU
    Intel Core i5 - 3337U
    Motherboard
    Intel HM76 (?)
    Memory
    6GB DDR3 System Memory at 1600MHz
    Graphics Card(s)
    AMD Radeon™ HD 8570M graphics card with 1GB gDDR3 Graphic Memory (PowerExpress)
    Monitor(s) Displays
    13.3" SuperBright+ 350nit FHD LED Display with Touch Screeen Panel
    Screen Resolution
    (1920 x 1080)
    Hard Drives
    512GB mSATA Samsung (PM841 Series MZMTD512HAGL-00000 mSATA 512GB SATA III MLC Internal SSD)
    Keyboard
    Logitech MK700
    Mouse
    Logitech M705
    Internet Speed
    4 to 15Mbps
    Browser
    Firefox, MSIE, Chrome, Opera etc
    Antivirus
    AVG Cloudcare

Wullail

Active Member
Pro User
Posts
467
#11
Lastpass , I know there is a small point of weakness because the data is transmitted , but if you make sure you don't have any trojans , keyloggers etc , then it should be secure, The master key doesn't have to be stored , I type it in manually every time I need to log in and access the list.

You have one single master password that decrypts all of them and it'll generate any length password for you using any combination of caps , special characters , letters / numbers etc without you needed to know them , but you can still look them up if needed.

it's has to be a balance between how time consuming it is to store and then retrieve your data and how secure you want it to be and for my money , lastpass does a pretty good job of doing it.
 

My Computer

System One

  • OS
    Windows 8 Pro
    Computer type
    PC/Desktop
    Memory
    6 GB
    Screen Resolution
    1280 x 1024
    Hard Drives
    12 TB in 6 disks
    PSU
    TX650
    Keyboard
    G15
    Mouse
    Intellimouse 3.0
    Internet Speed
    100 Mbits
    Browser
    Chrome
    Antivirus
    Trend Micro

crawfish

Member
Power User
Posts
454
#12
Yikes, I am at the limits of my knowledge.
Ok, so mounting if a disk is a software process that enables the operating system to read and write data to the disk, yes?
So when you provide the password to TrueCrypt it can then "mount" the disk, and whilst you have it in that open state, any hacker of virus etc can also read your disk, yes?
Well, of course. If it's accessible to you, it's accessible to anyone who can get into your computer.

Hmm... OK the main thing I'm concerned about is getting my entire computer stolen and in that situation the disk could not be mounted by any unless they had the password. Which with a reasonable passwords would be effectively impossible.
And TrueCrypt will guard against that provided you encrypt all your drives, particularly your system drive, which contains the pagefile and hibernation file. The TC web site goes into quite a bit of detail on the subject of data leakage, which I mentioned in my earlier post. I also mentioned configuring Keepass to lock itself whenever the workspace is locked, either with Win+L, sleep, shutdown, or whatever. I normally leave my system in sleep mode. If someone were to break in, unplug it, and steal it, they'd be out of luck due to my TrueCrypt usage which I described; they'd have to crack TrueCrypt, which no one has ever done as far as the world knows. However, if the crackhead thief sat down, resumed from sleep, and hacked my Windows login (yeah, right), he'd also have to crack my Keepass password to get to my 700 passwords. He'd have to do all this without ever powering down the computer, like George trying to preserve his Frogger high score. I'm not too worried about that, but if I were to be gone overnight, I'd power down completely, and then he'd have to crack TrueCrypt.
 

My Computer

System One

  • OS
    Windows 8.1 Pro with Media Center

DrJNAB

New Member
Posts
3
#13
Ascendo Datavault, highly recommend, syncs with mobile devices also. Try it. DrJ.
 

My Computer

System One

  • OS
    Windows 8.1
    Computer type
    PC/Desktop
    System Manufacturer/Model
    HP700-050
    CPU
    Intel Core i7 3.4 GHz
    Memory
    8GB DDR3 SDRAM
    Hard Drives
    1024GB

JOD

Member
Member
Posts
21
#14
As far as I know, the database is transfered to Last Pass in encrypted form and no masterkey is sent/stored, besides the encryption also uses e-mail address and several other hashing procedures, so Last Pass does not know anything (I am not technician, so excuse my bad wording). Entering the usernames and passwords using Last Pass (from local client) should be just as dangerous as typing them yourself, I suppose.

Lastpass , I know there is a small point of weakness because the data is transmitted , but if you make sure you don't have any trojans , keyloggers etc , then it should be secure, The master key doesn't have to be stored , I type it in manually every time I need to log in and access the list.
 

My Computer

System One

  • OS
    Windows 8 Pro 64bit
    Computer type
    PC/Desktop
    CPU
    Intel Core 2 Duo E8400
    Motherboard
    GIGABYTE G31M-ES2L
    Memory
    4 GB DDR2
    Graphics Card(s)
    NVIDIA GeForce GTX550 Ti 1 GB
    Screen Resolution
    1980 x 1080
Posts
5
#15
Hi all,
I use a simple system to store passwords. I have a few words & numbers that I will always remember & use the first letter or number to represent a group thus;
1 = 123
7 = 789
a = apple
b=bap
@ = @
for example 7-=>..-B#£[email protected]:[email protected] = [email protected]@123

Upper case means upper case for that character only and the other symbols are just there to confuse. The actual password is never shown anywhere in full only the tokenised version. I keep all passwords in .txt files + any other useful info - for example Amazon will be stored in amazon.txt. I have numerous backups and for regular use passwords I have them on hard copy & my phone.
 

My Computer

System One

  • OS
    Windows 8 Pro
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Self-build
    CPU
    Intel i5 3570
    Motherboard
    Gigabyte GA-Z77-DS3H rev. 1.0
    Memory
    8GB - Corsair PC3-12800 2 x 4GB 1600Mhz CL9 DDR3
    Graphics Card(s)
    Gigabyte 1GB R7790 OC
    Monitor(s) Displays
    Samsung Syncmaster S24B300
    Screen Resolution
    1920 x 1080
    PSU
    Corsair CMPSU-650TXV2UK
    Case
    Antec One Midi Tower Case
    Antivirus
    Microsoft

ARC1020

New Member
Power User
Posts
446
#16
As others have mentioned, it seems like Keepass is what you're looking for if you're looking for a locally stored password manager, and being open source the code is available for anyone to scrutinise.

On the subject of passwords, I think it's also worth reading some of the ArsTechnica articles about what off-line password cracking actually entails, as it's quite an eye opener for most people. They're not short articles, so read them when you have a bit of spare time. If you don't have enough time to read them all, then maybe just read the second article down.

Why passwords have never been weaker?and crackers have never been stronger | Ars Technica

How I became a password cracker | Ars Technica

Anatomy of a hack: How crackers ransack passwords like ?qeadzcwrsfxv1331? | Ars Technica

The secret to online safety: Lies, random characters, and a password manager | Ars Technica

It's also worth keeping in mind that your email account should be treated with the highest level of security as well, because if someone gains control of your email account, it's possible for them to request password resets from websites and intercept the password reset email. So if you're using an Outlook.com account, I'd strongly recommend turning on two-factor authentication.
 

My Computer

System One

  • OS
    Win 8 64-bit

Jcwisgod

New Member
Member
USA

Posts
265
#17

My Computer

System One

  • OS
    Windows 8
    Computer type
    Laptop
    System Manufacturer/Model
    HP Ultrabook
    CPU
    2.6 GHz Core i5-3317U
    Memory
    8 gb DDR3 Ram
    Screen Resolution
    1366 x 768
    Hard Drives
    320gb HDD, 120gb SSD
    Keyboard
    Backlight Island Style Keyboard
    Mouse
    Trackpad
    Internet Speed
    18 MB/S DL Speed
    Browser
    Opera
    Antivirus
    Avast/Malwarebytes

Coram Daes

.i hate fanbois.
Member
#18
I am currently using Lastpass, after having used Keepass. I found Keepass to be very good, but tedious. Lastpass gives me web integration and the ability to securely stor none web related password in text based notes. I do not know if this is VERY secure, but I need to use something. There are settings in Lastpass that will detect duplicate passwords, telling you to change them, you can enhance the encryption used for the server communication, and it is a better alternative to local encryption and alike.

I am a bit puzzled as to why none of you guys in the US did not link to www.grc.com? That has been a very good readup regarding passwords and their protection for me during many years. In particular the stuff about character repetitiveness on his page https://www.grc.com/haystack.htm .

W!8.............................l is theoretically a safer password than ZLLzrkFR6r6lQOQzOeRoPhVpLqf7Ri

You are still in the stone age, some of you.... :cool:
 

My Computer

System One

  • OS
    W7x64P
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Main WKS/Gaming Sloth
    CPU
    Phenom II X6 1075T, 3000 Mhz
    Motherboard
    Asus Sabretooth 990FX
    Memory
    16 GB PC3-10700
    Graphics Card(s)
    2 x ATI 6750
    Sound Card
    Asus Xonar DX
    Monitor(s) Displays
    2 x LG Flatron L2000C (3:4)
    Screen Resolution
    2 x 1600x1200
    Hard Drives
    WDC WD740ADFD (10k rpm)|
    WDC WD5000AAKS |
    WDC WD10EARS
    PSU
    750 W
    Case
    Cooler Master CM 690
    Cooling
    Cooler Master Hyper 612S
    Keyboard
    Logitech G110
    Mouse
    Logitech G700
    Internet Speed
    ADSL 30 MBit
    Antivirus
    ESET Endpoint Protection

Mystere

Power User
VIP Member
Power User
Posts
1,925
#19
While Steve Gibson has some good basic information on his site, he also has a lot of bad information.. so i'd be a bit careful about using his site. There was once an entire site devoted to how bad his information is, called grcsucks.com. Thankfully, it's been kept by the internet wayback machine.

GRC Sucks dot com | Debunking Steve Gibson, Syncookies, Nanomites, Pathlock

Regarding Mr. Gibson's claims on password strength, one must understand how passwords are cracked. Gibson is *ONLY* talking about brute force password only, something nobody does. Most password cracking is done using something called Rainbow tables, and dictionary lookups. These cracking techniques rely on the fact that people tend to use easy to remember patterns, and as such can greatly reduce the amount of time to crack a password. so using his example of D0g............................... D0g would be a very common pattern and likely exist in the tables, and thus much easier to crack. In fact, there are probably password cracking tools that specifically use combinations of common patterns with repetitions just like this, because it's a known password technique.

My guess is that someone could brute force any "haystack" password in under a couple of days, unless that haystack password also included some randomness to it.

And of course, I just found this article which basically says what I just said after a 5 second perusal of his "article"

keyliner.blogspot.com: GRC's Password Haystack
 

My Computer

System One

  • OS
    Windows 8.1 Pro
    CPU
    Intel i7 3770K
    Motherboard
    Gigabyte Z77X-UD4 TH
    Memory
    16GB DDR3 1600
    Graphics Card(s)
    nVidia GTX 650
    Sound Card
    Onboard Audio
    Monitor(s) Displays
    Auria 27" IPS + 2x Samsung 23"
    Screen Resolution
    2560x1440 + 2x 2048x1152
    Hard Drives
    Corsair m4 256GB, 2 WD 2TB drives
    Case
    Antec SOLO II
    Keyboard
    Microsoft Natural Ergonomic Keyboard 4000
    Mouse
    Logitech MX

XweAponX

New Member
VIP Member
Pro User
#20
Well, a lot of the services I use always block the account if logged in from any location other than the ones I use on my system, especially Facepyuke. I get "Password Reset" emails because someone had done this, or, when I try to log in, it makes me go through my security questions.

(Edit) I have a harder time remembering my security questions.
 

My Computer

System One

  • OS
    Windows 8 Pro with Media Center/Windows 7
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Asus M2N-MX SE Plus § DualCore AMD Athlon 64 X2, 2300 MHz (11.5 x 200) 4400+ § Corsair Value Select
    CPU
    AMD 4400+/4200+
    Motherboard
    Asus M2N-MX SE Plus/Asus A8M2N-LA (NodusM)
    Memory
    2 GB/3GB
    Graphics Card(s)
    GeForce 8400 GS/GeForce 210
    Sound Card
    nVIDIA GT218 - High Definition Audio Controller
    Monitor(s) Displays
    Hitachi 40" LCD HDTV
    Screen Resolution
    "1842 x 1036"
    Hard Drives
    WDC WD50 00AAKS-007AA SCSI Disk Device
    ST1000DL 002-9TT153 SCSI Disk Device
    WDC WD3200AAJB-00J3A0 ATA Device
    WDC WD32 WD-WCAPZ2942630 USB Device
    WD My Book 1140 USB Device
    PSU
    Works 550w
    Case
    MSI "M-Box"
    Cooling
    Water Cooled
    Keyboard
    Dell Keyboard
    Mouse
    Microsoft Intellimouse
    Internet Speed
    Cable Medium Speed
    Browser
    Chrome/IE 10
    Antivirus
    Eset NOD32 6.x/Win Defend
    Other Info
    Recently lost my Windows 8 on my main PC, had to go back to Windows 7.

Users Who Are Viewing This Thread (Users: 0, Guests: 1)