Pages:
Author

Topic: Is anyone still not using a Password Manager? (Read 2184 times)

full member
Activity: 210
Merit: 100
There seems no easy solution.

Strong passwords are forgotten easily if you don't often use them.

Password managers have a single source of failure. Crack the database password and you're in. Your life is fucked.


I sometimes use obscurity. For example, leave a complex password somewhere but without a username or the site concerned. Someone who might find it knows its a password but has use for it, it could be the password to absolutely anything.
newbie
Activity: 22
Merit: 0
My password for mtgox is something like this:
Yh&*(&$#hihJE83#*91@()$#G
and still when mtgox got hacked, just some hours before it got shutdown, I couldn't log in anymore, someone changed it and deleted my email from my account  Huh
How do you know your email got deleted ? It is possible logging in was disabled/difficult at that time no?
My password was very similar to the one displayed above and I hope it will be fine in a few days too- if trades are rolled back, at worst, is a bitcoin withdraw worth 1KUSD which cannot be more than 200BTC (and I expect these to be compensated for...) however, if someone has my password, I am counting on using the same IP to authenticate myself and will not be travelling to Latvia soon- I was wanting to withdraw my coins last week but was slow on that.


I know because everytime I try to recover my password, it says that there's no email for my account Sad. Hope it's just temporary disable of my account  Huh.
legendary
Activity: 1615
Merit: 1000
For passwords I need to remember on a daily basis, I will usually generate passes I can remember phonetically. One way I tend to do this is to look around wherever I am when I'm making the password, see what words come up in my mind at the moment, apply some free association until I come up with something you won't find in any dictionary, nor could even associate with the words I used. Then add capitalizations and special characters, typing out the password to see what kind of combination seems haptically natural to me.

So for example I'm looking at a plastic model of a space invader now. Invader > Vader >walsdorf>wassroed>W8SsR?3D

After a while of using this pass, I wouldn't need to remember the sequence I used to "derive" it, but before I get that accustomed to it, it can be useful to have a kind of memory trace I can refer to if I forget what it was.

For more important things I'll use longer passwords stored in a text file in an encrypted container secured with a long passphrase.
hero member
Activity: 609
Merit: 501
peace
My password for mtgox is something like this:
Yh&*(&$#hihJE83#*91@()$#G
and still when mtgox got hacked, just some hours before it got shutdown, I couldn't log in anymore, someone changed it and deleted my email from my account  Huh
How do you know your email got deleted ? It is possible logging in was disabled/difficult at that time no?
My password was very similar to the one displayed above and I hope it will be fine in a few days too- if trades are rolled back, at worst, is a bitcoin withdraw worth 1KUSD which cannot be more than 200BTC (and I expect these to be compensated for...) however, if someone has my password, I am counting on using the same IP to authenticate myself and will not be travelling to Latvia soon- I was wanting to withdraw my coins last week but was slow on that.
member
Activity: 112
Merit: 10
My password for mtgox is something like this:
Yh&*(&$#hihJE83#*91@()$#G
and still when mtgox got hacked, just some hours before it got shutdown, I couldn't log in anymore, someone changed it and deleted my email from my account  Huh
that's scary, I changed my password a couple of hours before mtgox went down.
newbie
Activity: 22
Merit: 0
My password for mtgox is something like this:
Yh&*(&$#hihJE83#*91@()$#G
and still when mtgox got hacked, just some hours before it got shutdown, I couldn't log in anymore, someone changed it and deleted my email from my account  Huh
legendary
Activity: 1022
Merit: 1001
Yup, never really liked the idea of 1 central location for all my passwords, having only 1 password to 'crack' to access them all, and keeping them all up to date etc but tried a free one last night and its works superbly. Picked up a stack of passwords on install and saved them to a central website. The 'auto-fill' is quite nice too (even better than chrome auto-fill). Quite like the software. Smiley
hero member
Activity: 721
Merit: 503
My "Password Manager" is in my brain, where nobody else can see them.


I keep about 50 passwords, each one with 12-16 random chars... my brain is just not up to that...

You can re-arrange the letters of a website to make passwords. For example, bitcoin.org could turn into n41iR32Rr22141R32Rr221.

The n is from the last letter of the domain.
The i is from the 2nd letter of the domain.
41R32Rr221 is what you memorize, and repeat it twice (with the i inserted into it). This is similarly done for every password. You could also have a number at the end for whether it's an even or odd number of characters in the domain.

A password I no longer use was once made up of the following (and this was years ago, so it's of no use to any potential attackers now):
6 random digits generated by a 386 (see, years ago)
another 6 letters+digits from the combination to the door lock for a hotel room somewhere in london

I mixed the 2 together to get a 12-digit password

But a website? That's silly

Another thing people commonly do is to take a dictionary word and add 2-3 digits, such as Flower29 - that's downright dumb, it only multiplies the number of words to try by 100 and that's not a lot.
You should try to avoid reducing the search space for a potential attacker - anything which has a yes/no answer you should consider as 1 bit of the key, if you answer yes or no, you've given away 1 bit of the key to the attacker on average.

People also do silly things like make their password a swearword when they're known for not swearing on the theory people won't try it - the common 4 letter swears are amongst the first tried (fuck, shit, cunt etc).

Generate random numbers, do whatever you must to memorise them, and if you really can't then store them on a completely disconnected device OR in paper form with something that stays on your person even while sleeping.

The purpose of my suggestion was to have a unique and effective password for every site that you can remember.

And that's good advice, but you should use true entropy and THEN add associations to help remember it, doing the reverse makes an attacker's job easier.
Here's a random password i've just generated (not used on any accounts of course):
77adc009ea6d
Totally random entropy, but I can find patterns to help me remember it.

adc? the band AC/DC with a bit missing
77 - 2 digits, easy to remember as it's duplicated
009 - 900 backwards, or 9/11 backwards -11

and so on


Basically, you use the same techniques schizophrenics use to find messages in the bible, but to find messages in your random password - it then sticks in your head better.
legendary
Activity: 1222
Merit: 1016
Live and Let Live
https://www.grc.com/%5Chaystack.htm

useful!  From this I should be secure!
full member
Activity: 196
Merit: 101
My "Password Manager" is in my brain, where nobody else can see them.


I keep about 50 passwords, each one with 12-16 random chars... my brain is just not up to that...

You can re-arrange the letters of a website to make passwords. For example, bitcoin.org could turn into n41iR32Rr22141R32Rr221.

The n is from the last letter of the domain.
The i is from the 2nd letter of the domain.
41R32Rr221 is what you memorize, and repeat it twice (with the i inserted into it). This is similarly done for every password. You could also have a number at the end for whether it's an even or odd number of characters in the domain.

A password I no longer use was once made up of the following (and this was years ago, so it's of no use to any potential attackers now):
6 random digits generated by a 386 (see, years ago)
another 6 letters+digits from the combination to the door lock for a hotel room somewhere in london

I mixed the 2 together to get a 12-digit password

But a website? That's silly

Another thing people commonly do is to take a dictionary word and add 2-3 digits, such as Flower29 - that's downright dumb, it only multiplies the number of words to try by 100 and that's not a lot.
You should try to avoid reducing the search space for a potential attacker - anything which has a yes/no answer you should consider as 1 bit of the key, if you answer yes or no, you've given away 1 bit of the key to the attacker on average.

People also do silly things like make their password a swearword when they're known for not swearing on the theory people won't try it - the common 4 letter swears are amongst the first tried (fuck, shit, cunt etc).

Generate random numbers, do whatever you must to memorise them, and if you really can't then store them on a completely disconnected device OR in paper form with something that stays on your person even while sleeping.

The purpose of my suggestion was to have a unique and effective password for every site that you can remember.

If you are using the same password for multiple websites, then you've already lost.
full member
Activity: 196
Merit: 101
Passwords are very important to remember. I disagree with handing them off to another authority.
hero member
Activity: 721
Merit: 503
My "Password Manager" is in my brain, where nobody else can see them.


I keep about 50 passwords, each one with 12-16 random chars... my brain is just not up to that...

You can re-arrange the letters of a website to make passwords. For example, bitcoin.org could turn into n41iR32Rr22141R32Rr221.

The n is from the last letter of the domain.
The i is from the 2nd letter of the domain.
41R32Rr221 is what you memorize, and repeat it twice (with the i inserted into it). This is similarly done for every password. You could also have a number at the end for whether it's an even or odd number of characters in the domain.

A password I no longer use was once made up of the following (and this was years ago, so it's of no use to any potential attackers now):
6 random digits generated by a 386 (see, years ago)
another 6 letters+digits from the combination to the door lock for a hotel room somewhere in london

I mixed the 2 together to get a 12-digit password

But a website? That's silly

Another thing people commonly do is to take a dictionary word and add 2-3 digits, such as Flower29 - that's downright dumb, it only multiplies the number of words to try by 100 and that's not a lot.
You should try to avoid reducing the search space for a potential attacker - anything which has a yes/no answer you should consider as 1 bit of the key, if you answer yes or no, you've given away 1 bit of the key to the attacker on average.

People also do silly things like make their password a swearword when they're known for not swearing on the theory people won't try it - the common 4 letter swears are amongst the first tried (fuck, shit, cunt etc).

Generate random numbers, do whatever you must to memorise them, and if you really can't then store them on a completely disconnected device OR in paper form with something that stays on your person even while sleeping.
newbie
Activity: 22
Merit: 0
keepassx.org has simplified my life immensely Smiley

Personally, i prefer to have my codes with me on my stick in an encrypted database rather than through an online interface-

PassPack encrypts your passwords using a key set by you, it has an online interface and an offline one (desktop application), and you can save a dump of the encrypted passwords. But KeePassX looks great as well, I checked it out before making my decision, but in my case I preferred an online interface...
newbie
Activity: 56
Merit: 0
Hi All,


Considering all the recent cases where people's usage of passwords turned out to be less than optimal (and sometimes just negligent), allow me to recommend a free, user friendly, secure password manager: passpack.com.

It can create random passwords for you at many lengths, so you can have very secure passwords, and most important - a different one for each service you use, for each encrypted wallet file you create, for exchanges and whatever...

I am not related to passpack in any way, I just wanted to take this opportunity and help in case a few of you feel overwhelmed by the need to manage many secure passwords at once.

If anyone else has a different tool they prefer please share it as well.


Lets take security up a notch, for everyone's sake...



Open Source Password Safe has the same features and more.
hero member
Activity: 609
Merit: 501
peace
keepassx.org has simplified my life immensely Smiley

Personally, i prefer to have my codes with me on my stick in an encrypted database rather than through an online interface-
full member
Activity: 196
Merit: 101
My "Password Manager" is in my brain, where nobody else can see them.


I keep about 50 passwords, each one with 12-16 random chars... my brain is just not up to that...

You can re-arrange the letters of a website to make passwords. For example, bitcoin.org could turn into n41iR32Rr22141R32Rr221.

The n is from the last letter of the domain.
The i is from the 2nd letter of the domain.
41R32Rr221 is what you memorize, and repeat it twice (with the i inserted into it). This is similarly done for every password. You could also have a number at the end for whether it's an even or odd number of characters in the domain.
hero member
Activity: 721
Merit: 503
My "Password Manager" is in my brain, where nobody else can see them.


I keep about 50 passwords, each one with 12-16 random chars... my brain is just not up to that...

Go to relentlessimprovement.com, order ortho-mind, alpha-GPC and piracetam. Next, get some pregnolone from healthmonthly.co.uk.
Take the above daily and avoid alcohol and bumps to the head while practicing neurofeedback and meditation.

Long term memory is EASY to enhance.
hero member
Activity: 721
Merit: 503
Hi All,


Considering all the recent cases where people's usage of passwords turned out to be less than optimal (and sometimes just negligent), allow me to recommend a free, user friendly, secure password manager: passpack.com.

It can create random passwords for you at many lengths, so you can have very secure passwords, and most important - a different one for each service you use, for each encrypted wallet file you create, for exchanges and whatever...

I am not related to passpack in any way, I just wanted to take this opportunity and help in case a few of you feel overwhelmed by the need to manage many secure passwords at once.

If anyone else has a different tool they prefer please share it as well.


Lets take security up a notch, for everyone's sake...




Or, you can generate them yourself on your own trusted hardware.
Take a linux netbook with no internet connection and run uuidgen a few times, memorise some of the results and store them in your brain.
If you MUST store passwords outside your brain, make sure that whatever you use to store the passwords remains on your person 24/7 even while sleeping.

DO NOT use a third-party website to generate passwords - it'd be trivial for that site to log all passwords it generates, and considering how easy it is to generate passwords yourself that stinks of a scam.
newbie
Activity: 22
Merit: 0
My "Password Manager" is in my brain, where nobody else can see them.


I keep about 50 passwords, each one with 12-16 random chars... my brain is just not up to that...
full member
Activity: 196
Merit: 101
My "Password Manager" is in my brain, where nobody else can see them.
Pages:
Jump to: