Online passwords

I’m about to do a complete refresh of all my online passwords, changing all of them to make sure that they are:

  • unique
  • strong
  • known only to me.

The problem with that is that I’ll have zero chance of ever remembering any of those unless I write them all down somewhere. Which means I have to go through the process of finding that each time I want to do anything.

So I was thinking, should I use one of those password manager things? I’ve always steered clear of them as they strike me as more of a security risk than an extra level of protection. Does anyone who knows what they are talking about have an opinion / recommendation on whether I should use one, and if so, which one?

Avoid anything free.
1Password seems decent.

That said I take a different approach.

  • Use one username (or as close to it as possible) for all accounts.
  • Use one strong password.

Strong is relative though. The password “dogs like steak dinners” is actually stronger than “Sc!v3neR#@%”. Compromise difficulty (both human and machine) increases at a near-exponential rate with length. If you are truly paranoid, mix the two ideas for something like Uth3I5xingETH!MeansN0thing.

Don’t forget to ask yourself one other important factor though: is there really anything to lose if you are compromised? If you answer “yes”, then you might want to take that stuff off the net. I don’t do ’net banking or HR activities on the net for this very reason.
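The claim above about length can be put in numbers. As an added example (not from the thread), this Go program estimates the search space of the three passwords mentioned under two attacker models: a brute-force attacker who knows only the length and the character classes used, and a wordlist attacker who knows a passphrase is built from dictionary words and guesses only such phrases. The 7776-word list size (the Diceware list) and the 1e10 guesses per second rate are assumptions for illustration.

```go
package main

import (
	"fmt"
	"math"
	"strings"
	"unicode"
	"unicode/utf8"
)

// alphabetSize returns the size of the printable-ASCII alphabet an attacker
// must brute-force to cover every character class present in pw: lowercase
// (26), uppercase (26), digits (10) and the remaining 33 printable symbols,
// space included.
func alphabetSize(pw string) int {
	var lower, upper, digit, symbol bool
	for _, r := range pw {
		switch {
		case unicode.IsLower(r):
			lower = true
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsDigit(r):
			digit = true
		default:
			symbol = true
		}
	}
	n := 0
	if lower {
		n += 26
	}
	if upper {
		n += 26
	}
	if digit {
		n += 10
	}
	if symbol {
		n += 33
	}
	return n
}

// bruteForceBits is log2 of the search space for an attacker who knows only
// the length and the character classes of pw. Each extra character adds a
// constant number of bits, i.e. multiplies the search space by a constant.
func bruteForceBits(pw string) float64 {
	return float64(utf8.RuneCountInString(pw)) * math.Log2(float64(alphabetSize(pw)))
}

// wordlistBits is log2 of the search space for an attacker who knows that
// pw is a space-separated phrase of words drawn from a list of dictSize
// words and guesses only such phrases.
func wordlistBits(pw string, dictSize int) float64 {
	return float64(len(strings.Fields(pw))) * math.Log2(float64(dictSize))
}

// crackYears is the expected time to find the password (half the search
// space on average) at guessesPerSec guesses per second.
func crackYears(bits, guessesPerSec float64) float64 {
	return math.Exp2(bits) / 2 / guessesPerSec / (365.25 * 24 * 3600)
}

func main() {
	// Assumed attacker rate for illustration: 1e10 guesses/s, roughly an
	// offline GPU rig against a fast hash. The 7776-word list size is the
	// Diceware list; both numbers are assumptions, not from the thread.
	const rate, dict = 1e10, 7776
	for _, pw := range []string{"Sc!v3neR#@%", "dogs like steak dinners", "Uth3I5xingETH!MeansN0thing"} {
		b := bruteForceBits(pw)
		fmt.Printf("%-28s brute-force: %5.1f bits (%.2g years)", pw, b, crackYears(b, rate))
		if len(strings.Fields(pw)) > 1 {
			w := wordlistBits(pw, dict)
			fmt.Printf("  wordlist: %5.1f bits (%.2g years)", w, crackYears(w, rate))
		}
		fmt.Println()
	}
}
```

The two models give very different answers for the passphrase (about 135 bits if the attacker has to brute-force every character, about 52 bits if the attacker guesses four-word phrases from a known list), which is why a passphrase should use words an attacker cannot predict, not a well-known quotation.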

Not a password manager/generator as such, but I use Yojimbo for all my personal data, with my passwords and other sensitive data encrypted. That way, I’ve just the one password to burn into my decaying grey matter. Maybe not as convenient as a dedicated password manager, but I’m happier knowing that I retain an element of control.

Edit: Damn. Having posted, I’ve now noticed you’re on Windows OS. Ignore the above: it’s of no use to you whatsoever.

Pigfender, I recommend 1Password 4.
It runs on Mac, Windows, Android, and iOS.
You may sync it to Dropbox and all files stay up to date.
Plus it works via Chrome, Safari, and other browsers.
I think Jaysen’s idea of one ID and one strong password is good.
It’s amazing how many logon files you can build up.

You could try Truecrypt, by creating an encrypted container, with however long or complex a password you need, which contains a single text file with all of your user names and passwords. This file would then only be on your computer, and not on the net, and you only need to remember the single password for the TC container.

Truecrypt IS free, but it is one of the rare free programs that is so good at what it does that you don’t need anything else. It’s completely secure and it’s damn-near impossible to crack in a human lifetime, assuming your password is long/complex enough.

I’ve been using 1password for windows/mac/ios for about a year. I’m pretty happy with it, though I do grumble at myself for choosing such a long master password to unlock it.

I’m a belt-and-braces type of person. I’ve been using Yojimbo for years in exactly the way Juddbert describes, but I’ve been migrating to using 1Password for the last couple of years. So now I get 1Password to create the passwords for me, but I also copy them into my password-protected Yojimbo folder.

My only problem with 1Password is that there is no extension for OmniWeb, which I prefer way above all other browsers. Now that OmniWeb 6 is in beta, 64-bit and using the System engine rather than a proprietary modified version of it, I hope AgileBits will create the extension … then I could get rid of excursions into Safari or Chrome, though I will have to continue to use Firefox for my bank.

In terms of software tools for this job, 1Password seems to be the gold standard. One day I’m going to transfer to 1Password from SplashID (a hangover from my Palm days - it works but is neither easy to use, nor elegant).

One day…

An approach I use is to take a series of numbers (e.g. 3 or 34 or 345 or your old address number) and then extend it out to ‘n’ digits (say 8: thus 34 becomes 34343434) and then take the hex value of that number which, in this case is 20C0A0A and use that, or a variant such as 20C0a0a or 20c0a0a or 20c0a0a20c0a0a (i.e. double it) as your password. Then, be consistent in the number of digits you extend your series out (i.e. always use 7 or 8 or whatever) and if you need a hint to remind yourself, just write the original ‘seed’ value: in this case 34. You know what it is. So you could have a list of your relevant signons or whatever, with a seed value for each.

Hex calculators are built into Macs and PCs, so they are reasonably readily available.

Don
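The seed scheme above, automated. As an added example that is not part of Don’s post, this Go program extends a seed to n digits, converts it to hex, produces the spelling variants he lists, and also counts how many distinct base passwords the scheme can generate from seeds of one to three digits. That count is the number of candidates an attacker who knows the scheme has to try, which is the check a practitioner would want before relying on it; the choice of variants is my reading of the post.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// extendSeed repeats the seed's digits cyclically out to n digits, as in
// the post: "34" -> "34343434", "345" -> "34534534".
func extendSeed(seed string, n int) string {
	if seed == "" || n <= 0 {
		return ""
	}
	var b strings.Builder
	for b.Len() < n {
		b.WriteString(seed)
	}
	return b.String()[:n]
}

// hexPassword applies the scheme: extend the seed, read the result as a
// decimal number and write it in upper-case hex ("34", 8 -> "20C0A0A").
func hexPassword(seed string, n int) (string, error) {
	v, err := strconv.ParseUint(extendSeed(seed, n), 10, 64)
	if err != nil {
		return "", fmt.Errorf("seed %q must be all digits: %w", seed, err)
	}
	return strings.ToUpper(strconv.FormatUint(v, 16)), nil
}

// variants returns the spellings the post suggests: as is, lower-case
// and doubled.
func variants(p string) []string {
	l := strings.ToLower(p)
	return []string{p, l, l + l}
}

// schemeKeyspace counts the distinct base passwords produced by every seed
// of 1..maxSeedDigits digits (written without leading zeros). Seeds such
// as "3", "33" and "333" all extend to the same digits, so the count is a
// little below the number of seeds.
func schemeKeyspace(maxSeedDigits, n int) int {
	limit := 1
	for i := 0; i < maxSeedDigits; i++ {
		limit *= 10
	}
	seen := make(map[string]struct{})
	for i := 0; i < limit; i++ {
		if p, err := hexPassword(strconv.Itoa(i), n); err == nil {
			seen[p] = struct{}{}
		}
	}
	return len(seen)
}

func main() {
	p, err := hexPassword("34", 8)
	if err != nil {
		panic(err)
	}
	fmt.Println("seed 34, 8 digits:", variants(p))
	ks := schemeKeyspace(3, 8)
	fmt.Printf("distinct base passwords for 1-3 digit seeds: %d (x%d variants = %d candidates)\n",
		ks, len(variants(p)), ks*len(variants(p)))
}
```

With three-digit seeds and three variants the whole scheme yields under 3,000 candidate passwords, so the secrecy of the scheme itself, not the hex conversion, is what protects the accounts.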

I’ve been using LastPass for a few years now. It syncs across all computers and browsers (and mobile).

Regarding security, I try to comfort myself thinking that if a password manager company is hacked or compromised by an inside job, they’ll be out of business in a wink. :unamused:

Anyway, in a world where Google knows where you are and who you chat/mail/talk to, I don’t care if they have my credit card number too. :wink:

Unless they pass it on to Obama, and he uses it to finance drone spying operations on the ner’-do-'ells in Portland, Oregon. :open_mouth:

Be Vigilant

Special Agent 006&abit Vic-k 8)

P.S. It could be even worse! He could then pass it on to Michele Obama and the kids, and let them loose in Bloomingdales and/or Tiffany’s :open_mouth: :confused: :frowning: :cry:

My CC companies would say “Yeah, that is fraud. Those stores won’t let that kind of redneck in the front door.”

Some top passwords here to try…

bbc.co.uk/news/technology-24821528

:smiley:

Coming to this late, but just in case someone else stumbles along…

First off, using one password for everything is just a Bad Idea. Look at the number of security breaches in the last few months; if any one of them included a password of yours, you’ve just exposed your entire online presence. Couple that with the same account name and you’ve not only lost the keys to the kingdom, you’ve sent people a map to use, too. You need to vary your passwords. Each and every one of them should be different, and using a password manager is one of the best ways to do that.

Personally, I use LastPass. Why?

It’s a password manager that integrates with your browser, making for as seamless an integration as is possible. It’s available on all major desktop OSes (Windows, Mac & Linux), all major browsers (Firefox, Chrome, Internet Explorer, Safari & Opera) and all major mobile OSes (iOS, Android, BlackBerry and Windows). The basic usage is to create and remember one long, complicated password that unlocks all of your other passwords. Yes, you are completely hosed if someone gets your main password, but that’s why you make it long and complicated. If you set things up well in LastPass, the chances of a breach are small, so it really is tens of orders of magnitude better than the low-tech alternatives. And, assuming it is somehow compromised, it’s no worse than using the same password everywhere, writing them down on a post-it note or in a poorly secured spreadsheet, but it will have taken the hacker a lot of trouble to get your data, so much so that they probably gave up and moved on instead of plugging away.

Here’s the main site:

Here’s the page on how their basic security technology works:

Besides being very good at what it does it also allows for the sharing of passwords (securely!) between two subscribers, which really helps when Will and I need to access the same account.

There are several options for multi-factor authentication, including Google Authenticator (which has a nice mobile app, and is what I use):

You want to use multi-factor authentication; it’s just safer and it’s very easy to set up. You also want to make sure that your settings log you out automatically if your computer is idle for some length of time (e.g. 5 minutes). Yes, it means that you will type in your long, complicated password several times a day sometimes; with practice, you’ll get good at typing it.

In the Spring of 2011 LastPass had a “security issue” (you can read about it here: blog.lastpass.com/2011_05_01_archive.html – start reading in the section just above “Update 1” and then read the updates up from there). In a nutshell, they saw some network data activity that they could not explain, and reacted with extreme paranoia. This impressed me because: 1) they monitor things to the level where they can see that this particular network traffic is not “normal”; 2) they reacted immediately; and 3) their reaction was very paranoid. Rather than make me uncomfortable with their service, it makes me feel much, much better. I want them to react that way to a potential security breach (which was, in and of itself, very unlikely).

Anyhow, I’ve been using them since the Winter of 2010. I have their premium service, which is $1/month and I’d be willing tomorrow to pay 10 times that.

Oh, and in case you need convincing that you should be using such a service, read these:

The first one was the article that convinced me that I needed to change my password habits.