|
There are isolated problems with current patches, but they are well-known and documented on this site. |
There are 3 ways to keep track of hundreds of unique passwords:
I blogged about using a formula here
https://michaelhorowitz.com/BestPasswordAdvice.php
I also cited 13 reasons why a formula is better than password manager software.
Opinions …
Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com
I agree that the paper and pencil solution is the safest. But I have my doubts about the “formula” approach. I prefer random-like passwords at least 12 characters long and changing them every two months, at least those I care enough about keeping safe, to do that.
If one uses a formula, as I understand what is proposed in the blog, could not any enterprising soul bent on partaking of one’s savings figure them out, once enough of one’s passwords have been looked up with some adequate tool (if my bank can do it, why not others as well?) showing the same n-characters, arranged in the same groups in all of them, although these may be placed in different positions, making the figuring of other whole passwords as easy as if no formula had been used? And what then?
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
Formula works for me to an extent (e.g. I have a formula for PC password) but when you have in excess of fifty passwords to manage, need to change them regularly and need to avoid reusing and doubling up…
A formula is great if you just want passwords, but I also need user IDs, secret questions, CC numbers etc and I want the credentials entered for me, including extra check boxes and those annoying second or third screens. A password manager is the only way to retain all that information in one secure place and enter it easily.
cheers, Paul
If you create a formula to create passwords, the formula itself effectively becomes the password… not just for one, but for every site you visit. If an attacker is able to figure out the formula from a few known passwords to other sites that may be compromised (by a security breach of any of the various sites you use), it gives that attacker the keys to the kingdom.
If I was an attacker and I saw a password that started with something like “BabeRuth,” I would assume that was exactly what it is. Making up a password that has only a bit of it that changes is not a new idea. Using one’s favorite baseball player or other such thing as the password is as old as passwords, and adding stuff on the end is not much different. Neither is obfuscating it by replacing the letter O with a zero or using nonstandard capitalization schemes.
If two passwords were compromised, any doubt over the schema is removed. If the total password length was 12 characters, generally regarded as a good length for a strong password (I prefer more, but YMMV), the password with “BabeRuth” already known becomes effectively four characters long, which is trivial to brute force even if those four are truly random. It’s not, though. Your proposal includes an example of “BabeRuthbook” for Barnes and Noble, though, and that’s far from random. If I look at that password, and I know it’s for Barnes and Noble, bookstore, I’ve got a really good idea of your entire password schema. It may take a few guesses to get “BabeRuthjungle” for Amazon, but it would probably be in the first five or so tries.
I use passwords that are randomly generated (as much as random generation is possible on a computer) and that are of substantial length. It’s extremely convenient, and requires no installation of anything, save for the bit that generates the passwords. To login, I just click the username field and select the user ID I wish to use from the dropdown box, hit enter, and it fills in the username and password field. In the rare cases where this does not work, I use an addon that acts in conjunction with the built-in Firefox password manager to force-fill the password in a location I specify. No site has ever been able to block that.
I never have to type or copy-paste passwords in on a per-site basis to log in. There are no keypresses that can be keylogged, no clipboard access that can be read by any program. Of course, if something has access to my keypresses or my clipboard, it means a nasty bit of code is already on my system (with admin rights in the case of the keylogger), so that’s pretty much game over in and of itself, but not having the password vulnerable to keyloggers or clipboard scrapers at least reduces the attack surface.
A process that can read the password from memory would be able to grab it in any case, but that’s a good deal more difficult (with ASLR and the like) than the other two methods.
As long as the encryption of the password store on the SSD is not broken, the odds of my passwords leaking is minimal. Not zero, of course… nothing is 100% secure, but I think I’m in pretty good shape. I’ve got the outer layer of self-encryption on my Swift laptop (even as compromised as it is, it costs nothing performance-wise, so I still have it set), then the layer of LUKS encryption, and under that, the Firefox/Waterfox master password (which encrypts the entire password store locally).
If some web-based method of compromising the Firefox password store were devised, it would probably be found and made public before it happened to me, just based on the law of averages, and the fix would be in the next release of Waterfox, which receives all of the Firefox security updates. It could hit me first, but it’s not very likely, and it would depend on there being an exploitable flaw in the first place (that can be exploited even though I have scripts heavily restricted with uMatrix).
As for the 13 reasons:
There is a learning curve with all software. Techies underestimate how much of a pain this can be for non-techies.
It doesn’t get easier than clicking in the username box and selecting one from the dropdown list. It’s a lot less painful than having to type passwords. The password store would have to be secured by some form of encryption, like any other sensitive data on the hard drive or SSD, which can be accomplished by selecting a master password in Firefox/Waterfox. Since it is only one password, there’s no need to make it memorable with regard to any one site. I actually just created a random string and made up a mnemonic to apply to it to make it memorable.
No software runs on every Operating System or supports every web browser,
I don’t use every operating system or every web browser. If I can find one thing that works for my browser and my OS, that’s good enough. Most people are looking for something that suits their needs, not everyone’s.
Firefox and Waterfox both run on anything that I would be using to browse password-protected sites, and several that I would not: there are versions of each for Windows, Mac, Linux, and Android. The iOS version of Firefox (like every other browser) is so hamstrung by Apple’s restrictions that I have no idea what its actual capabilities are. It may well have a password manager that is as good as what Firefox has to offer natively, in which case I would have no problem with it in that one way, if I wanted to use a mobile platform. In other ways… that’s another topic.
The most secure Operating System most people have access to is a Chromebook running in Guest Mode. A formula works there, a password manager does not.
I don’t use Chrome or anything else Google if I can avoid it, and if I did, it would not be in guest mode. Passwords as strong as mine are not feasible without persistent data storage. That’s a problem for people who use that platform to solve, not for me. There’s no use in limiting myself to a solution based on what would work for a platform I do not use and would not use.
All software has bugs, password managers included. Not only might you be vulnerable to a bug, but you certainly are on the hook for keeping the password manager software up to date.
It’s part of the browser. That needs to be kept updated regardless of whether you use its password manager. Even if it wasn’t, it would probably be available in an APT repo somewhere, so it would be updated just as easily as the browser itself, though I would certainly want to vet it first if/when I ever saw it available as an update to make sure it was the real deal if it was a PPA.
With a password manager you have to trust that it works correctly.
That’s the same with all software, and is particularly important with anything related to security. Still, the password manager is really super simple. The rest of the browser, not so much!
A formula lets you write down the variable part of the password – safely.
That’s not really what I would call safe. If it is evident what the book is for, as it would be, that effectively shortens the password to the same string for each site in the list… “BabeRuth” in your example.
When a password manager generates passwords for you, it may create a password that is too long for the target system, or, that contains characters the target system does not allow.
If you want “BabeRuthbook” to be your password for Barnes & Noble, but it demands you have at least one number and one special character, you’re in the same situation. If the password generator generated a password that is too long, hit backspace a time or two; if it doesn’t like some character, hit the button and generate another one. It’s only happened to me a handful of times, and it’s always been simple to fix it in a couple of seconds.
Some websites do not allow passwords to be pasted into the logon form.
That only matters the first time I enter a password for a site during the account creation phase (if it does this, generally it is in the ‘confirm password’ field, and even then I have never let that stop me from doing it anyway (though it simulates keypresses, and is therefore subject to the same keylogging risk as typing a password). Otherwise, there’s no copy/paste at all. It’s entered by the browser itself, and it ignores autocomplete=off.
A formula is free, some password managers are also free, but some are not.
Firefox is free. If someone out there finds that a paid one fits his needs better than anything for free, that’s great, but I only need a solution for me. I’m not trying to find one universal solution for everyone. There isn’t one.
The security of web browser extensions.
Not everyone that uses the Firefox password manager even uses addons, and the newer Webextensions addons are not, by design, able to access the unencrypted passwords or the file system at all. All they can access are the encrypted hashes.
Even so, web browser extensions are software. It always pays to be careful when using any software. If you run anything that turns out to be malicious on your machine, whether or not it is related to security, it could have a malicious payload that compromises your security.
Anyone who uses a malicious addon is potentially at risk of having the password stolen, even if they never use any password manager to store passwords. If it gets typed into a password field, it’s in the browser just as surely as if it was pulled from a password store somewhere.
When using someone else’s computer, the password manager software is not available
For me, that’s not a bug… that’s a feature. I don’t want to be able to enter my passwords into any PC that I personally do not know has been operated and maintained properly. I have no way of knowing if someone else has been clicking on every unsolicited email attachment or if they have been downloading and running “warez” that are probably full of malware.
My PCs are used by me and me alone… every thing that is done to them was done to them by me.
What if you want to switch away from a password manager you are currently using?
Then I will switch. At best, it’s a simple matter of importing the Firefox data. At worst, it’s no harder than if you wanted to switch from your method to mine (enter the passwords into each site by your existing means and save it in the new manager by whatever method it uses).
All your eggs in one basket? Really?
Typing each password into the same browser on the same computer is just as much “putting all your eggs in one basket” as having that browser store them for you. If there is malware on the system, whether it be a malicious addon, virus, worm, Trojan horse, or whatever else, your passwords are not safe even if you never have any password manager save anything.
Having one password schema that ties together every password you use is even worse. If I see a password “BabeRuthbook” for Barnes & Noble, a place to buy a book, I’ve already got your entire password scheme figured out. If one password is compromised, they are all compromised.
If you see “F9J&WZX”1FSf5m.” on my Barnes & Noble account (the quotation mark in the center is part of the password), that’s all you’ve got. You’re no closer to getting any of the other passwords than if you had no info at all about my Barnes & Noble account.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
If you create a formula to create passwords, the formula itself effectively becomes the password… not just for one, but for every site you visit.
This is a mis-understanding. My fault. See my above reply regarding hard vs. soft formulas.
If two passwords were compromised, any doubt over the schema is removed.
Two passwords for the same account name/email address. Varying email addresses is another whole topic. See http://www.DefensiveComputingChecklist.com for more on that.
Your proposal includes an example of “BabeRuthbook” for Barnes and Noble, though, and that’s far from random.
That was a brutally simplistic example to illustrate the concept. I clearly said that “MickeyMantlebook” was better, “MickeyMantle-book” better still and
“Mickey-book-Mantle” better still. That’s an 18 character long password with almost no thought behind it.
And, yes, a password formula is less than perfect, but it is still surely better than what many people use and thus would be a big improvement for many. So too would writing down passwords on paper, at least that avoids re-using a password.
When using someone else’s computer, the password manager software is not available
For me, that’s not a bug… that’s a feature.
Touche 
Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com
When you guys say I use a _____ to ______ Please fill in the blanks so others can try or research what you have experienced. Please and Thanks
My 1st, #1, AllStar advice? Have a valid backup image of your drives.
Macrium Free
Aomie Backupper
Acronis True Image (not free but very good)
Many of your arguments (OP) are factually incorrect especially when you consider KeePass as an option.
* KeePass is multiplatform and runs on everything, short of mobile devices. However, there are KeePass forks that are available on mobile devices.
* KeePass does not need a browser plugin to interact with web forms, that’s what its auto-type feature is for.
* KeePassXC being open source and hosted on GitHub means that it can be trusted because it is subject to code review and scrutiny.
I see a lot of your reasons against knee jerk reactions are themselves knee jerk in nature. A little more research would have gone a long way, here.
I use KeePassXC (just recently switched from KeePass since XC is a fork that is truly cross-platform) and store my KDBX DB file both locally and in Google Drive. The DB is encrypted, so Google cannot snoop it. My passwords are available anywhere I want.
Couldn’t live without KeePass. My eyes are getting old and I would have trouble looking at a printed sheet with my hundreds of passwords – many of which are 30+ characters. Many years ago I used the formula approach but realized if someone got hold of a couple they’d be able to figure out all of them.
We all have different needs so, no argument for or against different systems, just questions.
I used a formula approach many years ago at work for network logon and for restricted databases accessed. After an initial period, requirements changed and we were forced to update passwords monthly. I kept it working by inserting numbers in strategic positions that matched the month and an abbreviation of the month. Simplified example 01JanPassword; 02FebPassword (substitute ‘Password’ with complex password). Other rules changed. I updated my formula. Eventually we shifted to a one-password system and once logged on, the password in the environment set permissions for levels of access into different systems, other than when accessing external organisation databases. From that experience as security requirements evolved:
Group A (but Telemetry disabled Tasks and Registry)
1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)
My password manager is a password-protected Excel spreadsheet. A dictionary attack is useless on any of my passwords, as they are all combinations of upper and lower case letters, numbers, special characters, and no recognizable words.
It has been my experience that password fields that won’t allow right-click/paste seem to not understand Ctrl + V. Whenever I register at a new site, I create the password in my spreadsheet first, then paste it into the password field for the site; that way, I don’t forget to store it.
I let Firefox remember many of my passwords, such as for this site, which simplifies things a great deal.
Same here!
Though I promise myself i will start using keeppass, the excel spreadsheet has worked for 20 some years. I use GRC.com to generate a good password which usually needs to be truncated and is often chopped up and rearranged for kicks and giggles…
Security experts (rules me out) advise frequent change of password. Where do you go after BabeRuthjungle?
That’s changing. It turns out that forcing password changes just leads to people using simpler passwords with the least amount of change that the policy permits, increasing the use of bad passwords like “qwerty” or “1234” or whatever they can get it to accept, often appending or incrementing a number at the end, as you indicate. Now a lot of the supposed experts are coming around to the idea that a password should be changed when there is reasonable suspicion of it being compromised, but not based on the passage of a unit of time.
That, of course, means nothing if the site or organization in question insists on password changes anyway. These policies have the least impact on users of password managers… any password is as good as any other, so go ahead, generate a new one, it makes no difference. The only real annoyance about this for me is that I have to manually sync the password on my other PCs, since I’ve chosen not to use any sync features or service, but it doesn’t happen so often that the convenience of auto sync would outweigh the niggling worry that having my password database somewhere “out there” will lead to disaster, even with assurances that it is encrypted before transit.
Dell XPS 13/9310, i5-1135G7/16GB, KDE Neon 6.2
XPG Xenia 15, i7-9750H/32GB & GTX1660ti, Kubuntu 24.04
Acer Swift Go 14, i5-1335U/16GB, Kubuntu 24.04 (and Win 11)
I had a nice long secure p/w memorized for a .gov I worked at. They made mandatory periodic changes to ones password. I added a 1 or 2 to the end of a much shorter p/w for years after that b/s.
KeePass gets around that by “Auto-Typing” the characters for you – like using a very fast keyboard. Other managers inject the password directly into the field.
Perhaps I didn’t make that very clear. In my experience, when a password field rejects a right-click/paste, I just use Ctrl + V (my password is already copied to the clipboard) and my password gets pasted into the field and I’m logged in.
I’ve had very few experiences with web sites which reject right-click paste but also reject a keyboard ctrl-v. Still, this is good to know about. Maybe a similar extension exists for other browsers. I haven’t tried the available extensions for Chrome, and one of them has an unprintable (against the rules of this site) word in its title.
-- rc primak
Paul T ( #1927395 ) has made a very interesting comment here, including a link to an article (in the site of a company called “Enzoic”) about a new set of proposed password-management guidelines coming from the National Institute of Standards (NIST), that this is required to provide, whenever opportune, as advice to the government to be implemented across all government agencies, once approved. A proposal that, as the article explains, could turn upside-down existing best practices (and, in my opinion, even that is an understatement!)
I copy a relevant excerpt from the article here:
“NIST 800-63-3: Digital Identity Guidelines has made some long overdue changes when it comes to recommendations for user password management.
The new framework recommends, among other things:
But these items listed in the article are not all the changes most users would probably welcome (once the reasons for them are sufficiently explained and understood). For example, there is the proposal to allow people to see the actual characters they are entering in the password field and not just asterisks.
The full NIST proposal can be read here:
https://pages.nist.gov/800-63-3/sp800-63b.html
The relevant section is this:
5112-Memorized Secret Verifiers
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
From the local archives:
https://www.askwoody.com/forums/topic/worst-passwords-ever/
From the local archives: Worst Passwords Ever
My heroes. Hackers busy with low hanging fruit means less chance those of us who use complex passwords will become victims.
The worst I saw bearing in mind the person’s job is close to a tie.
One was a teacher who gave his password to students. He tried to give it to me. Far from green around the gills, I refused. When something goes wrong they are quick to whistle and point, dragging you into things you could have avoided with a refusal.
The other example was when I was in a role that managed a door security access system (as well as many other things). I configured access for about 600 staff, correctly allocating each to work areas required to complete their tasks (bulk database work, not manual. Staff below me edited manually. After initial bulk configuration, my role was audit). Our Regional Security Advisor turned up one day. This was the man regionally responsible for spreading the message about system security, including developing strong passwords and not sharing them. His role trumped mine so he was granted full administrator access. I left him alone with the system. MISTAKE! Among the changes that had staff screaming about non-access , he dropped my access to non-administrator. I phoned. He refused to come back. He gave me his password that I still remember almost 20 years later QWOPZXNM.
Group A (but Telemetry disabled Tasks and Registry)
1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)
Establishing policies and procedures is necessary and must come from top brass and have some teeth. If top brass does not endorse a “safe computer makes a safe company” there is no chance of enforcing a safe policy. There are several facets to enabling slack behavior.
As a technical person, you may advise safe practice to personnel, but unless top brass endorses and enforces safe practice, you will be told by Postit ABC 123 that any safety practices are unnecessary.
Under the scenario I have described, top brass will emerge unscathed; Postit ABC 123 will emerge unscathed; the company, however, will be at risk; and technical staff will clean up the ensuing mess.
3 ways to keep track of hundreds of unique passwords:
1. write them down on paper
2. use password manager software
3. use a formula to generate easy to remember passwords
1. That isn’t remotely practical for hundreds. You can’t sort on paper.
3. That isn’t remotely practical for hundreds. The formula is of course, but the itsy bitsies added to both ends—absolutely no way the average user will remember them.
writing down passwords on paper, at least that avoids re-using a password
How? You can’t sort on paper. Nobody is going to write down their new password and then carefully scan thru hundreds of others in multiple pages of this notebook they have to carry everywhere, which of course everyone quickly figures out is their password notebook.
I use an input manager [Roboform] because I often need to input far more than login info on websites, and I have a keyboard shortcut to add some gibberish after the auto-password. The prime consideration of this method is it’s convenient, and therefore not subject to the usage degradation over time which most techie ‘solutions’ have suffered.
The gibberish is merely a minor extra layer, since it’s also convenient. As such, it—or a password manager alone—is a better recommendation for the general public than other totally impractical ‘solutions’.
Lugh.
~
Alienware Aurora R6; Win10 Home x64 1803; Office 365 x32
i7-7700; GeForce GTX 1060; 16GB DDR4 2400; 1TB SSD, 256GB SSD, 4TB HD
Paul T ( #1927395 ) has made a very interesting comment here, including a link to an article (in the site of a company called “Enzoic”) about a new set of proposed password-management guidelines coming from the National Institute of Standards (NIST), that this is required to provide, whenever opportune, as advice to the government to be implemented across all government agencies, once approved. A proposal that, as the article explains, could turn upside-down existing best practices (and, in my opinion, even that is an understatement!)
Agreed. I read that as applying in government and large organisations (often closed systems) where many people are less than cautious with passwords and take the laziest method possible to comply with rules. They write passwords on desk blotters, sticky notes, deliberately share them… all sorts of bad practices. Forcing password changes and rules probably does increase the incidence of sloppy habits.
People access public networks are more likely to be exposed to hacking activity (in my case, logon details nabbed twice but not cracked).
Complex passwords and regular password changes increase security. In a high risk environment it makes sense to beef up personal security no matter what government guidelines recommend.
Group A (but Telemetry disabled Tasks and Registry)
1) Dell Inspiron with Win 11 64 Home permanently in dock due to "sorry spares no longer made".
2) Dell Inspiron with Win 11 64 Home (substantial discount with Pro version available only at full price)
Has anyone mentioned SQRL, aka “Squirrel” From Steve Gibson?
Secure Quick Reliable Login
https://www.grc.com/sqrl/sqrl.htm
nice but IIRC each web site must implement a SQRL server function.
I use KeePass for the passwords that have to be really strange or that I use only once or twice a year (e.g., for the state insurance exchange). Easy enough to copy and paste the passwords.
An important point, though, is that I store them only on my desktop at the office. The ones I use at home are based on an easy-to-remember formula that has many possible results, and I use the individual passwords often enough to know which one is for which site.
My biggest problem with passwords is sites that don’t allow strong ones! The Social Security Administration, for example, makes a big deal of creating a password and then tells you it must be exactly 8 characters, contain at least 1 letter and 1 numeral, and it’s case-insensitive! Does anyone have an example of a less-secure set of password requirements? Yeesh!
I did forget to mention that good password managers also have the ability to generate passwords based on rules you provide (minimum/maximum length, required/acceptable characters, etc.). If you happen to get one that doesn’t qualify, just generate another.
To take things in a different direction, let’s consider the recommendations from most security pros. They are recommending doing away with typed passwords altogether. Precisely for many of the reasons people have posted in this thread. People make lousy password managers, and software is always prone to hacking. Biometrics are not ideal, and can be fooled, but this is the direction most researchers have been recommending for years now.
Microsoft wants you to STOP using PASSWORDS (and here’s why you should listen to them)
https://www.express.co.uk/life-style/science-technology/793816/Microsoft-Update-Password-Forgot
Why Passwords Might (Finally) Go Away
https://www.pcmag.com/commentary/364693/why-passwords-might-finally-go-away
-- rc primak
.
.
.
.
.
.
.
.
.
Credentials are inconvenient and thus the primary attraction of password managers is to reduce that inconvenience. Therein lies the trap.
I have used the password manager SplashID for nearly 20 years. It was developed for Palm devices and came with a Windows app that allowed syncing of the database between a Windows PC and the Palm device. As Palm faded, apps for iOS, Android, Windows phones, and Mac evolved. SplashData also evolved to provide a browser-based solution ala LastPass and Dashlane. (This is wide support although not universal.)
I do not use the Web solutions. To this day, I manually sync between my primary desktop and my phone. The database never hits the Web. When away from my primary PC, I use my phone to lookup credentials and type them in on a foreign system. (My use of foreign systems is rare and I never use them to access my financial accounts.)
This is in no way convenient.
I do consider it very safe; the database has never been breached or compromised and it does not live anywhere on the Web.
As for passwords, I do use a formula but it is not one that can be guessed. Because I may have to enter credentials manually, I wanted passwords that were easy to type; random strings are tedious and prone to error. For convenience (I know), I adopted pairs of English words with punctuation and digits, such as Granitic-Woolskin-60, a design that satisfies the requirements for almost all systems. But while this password system is based on a formula, no part of the password reveals the formula.
For more examples, see https://www.fastie.com/help/passwords.php.
Web-based password managers are convenient. Inconvenience keeps the boogeyman away.
Steve Gibson is definitely the man.
I am an old “fuddy duddy” and do not trust my passwords to “password managers” – – they HAVE been hacked. And paper tends to fall into a black hole in my office.
I have used an encrypted file program (Secret! by Linkesoft) for over 20 years that resides on my computer and on my smart phone and I sync them weekly. Sync feature is not automatic, but works well. This also means I only have to give my children (estate executor) ONE password for them to have access to all of my online accounts. And at my age, that is a comfort.
Greetings from the Stone Age. I keep passwords on 3×5 index cards in an old-fashioned alphabetically indexed steel card file, which allows room for other login info for a given site- i.e., answers to secondary questions such as favorite ice cream flavor and suchlike. New cards easily added.
Said card file lives in the safe along with other valuables.
I, also, have been using Password Safe for at least 10 years. It’s available free across Windows, Mac, Linux. On Mac it’s called PwSafe as I recall. You can set complexity rules for passwords for each entry. It provides you with a hierarchical folder structure to organize your passwords and a place to write notes for each entry. It’s super handy and I use it to store other sensitive information such as family members SS numbers, etc. I try to look at each sites password rules and use the maximum length they allow.
I also use LastPass for convenience but avoid putting really important passwords there. My “master” generator of passwords is always Password Safe.
For websites that don’t allow you to paste passwords (as an idiotic “security” feature – NOT) in Firefox you can do this: about:config | set “dom.event.clipboardevents.enabled” to false are restart FF.
Hey, everyone. Since you are asking:
As far as remembering passwords, this technique works for me.
I keep all my passwords in a Word document. Each entry is in this format:
Name of web site: Ask Woody (new line)
URL: AskWoody.com (new line)
User ID: user name or e-mail (new line)
[Optional: e-mail address (new line)]
Password: (password) (new line)
Password Reset Date (new line)
Any other comments {Enter} (End ¶)
Save the document as Password.docx. The document is password protected. I only have to remember the password for the Password document. The passwords for each web site can be as unique or as long as I want them. New entries are added at the end of the document.
When I go to a web site where I need to log in, I simply open the password document, search for the web site, highlight the password, and press CTRL-C. Then I jump back to the web site and paste it into the password field. (A few web sites don’t allow this, so I may have to remember it or jot it down temporarily.)
If I want the passwords to use on another device, I just copy the entire document.
I sometimes use a web site called Secure Password generator to generate long random passwords. If I don’t like a password it suggests, I can modify it a bit before I use it.
I never forget a password, and it’s totally free.
If you want convenience, fine. But convenience is the enemy of security. Always has been. Always will be.
Every approach has its pros and cons. You make it sound like your approach is all upside which is never the case.
I’ll see your 40 years as a computer techie, and raise you one
Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com
I guess I’m the other user of Roboform. Got a few problems, but seems to satisfy most objections. I use long, complex passwords which work on most sires, but websites themselves seem to be hostile to automated password managers in many cases.
This pretty much follows my thinking after reading both the blog post from the OP and then this response. Some of the points in the blog have to do with having to be able to use something on essentially every OS out there, which most people do not do (although this community is likely the exception or that).
I have been using LastPass for a number of years and found it to be simple and easy to use, so much so that I have installed the free version on the computers of a number of non-tech people I wind up “supporting”. They only need to remember the one master password (I usually ask them to give that to me as well, which I store in an encrypted file with a pseudonym for when they forget it). LastPass and other similar applications include the ability to fine tune the generated password to meet site requirements (number, letters, caps, special characters either used or not used) which, as noted, the “formula” does not support and therefore the user would have to remember the special case for some sites where they had to use a symbol or number in the formula and where they did not. And for a relatively small fee, which the programmers are certainly entitled to, I use it on my phone and a second computer (desk and laptop) and everything is synced.
The listed “breaches” of LastPass are all older, have been resolved and pretty much everything gets attacked these days, including government systems on a regular basis. If that was a criteria for not trusting anything, then you need to stick to driving to the bank and talking with a teller (ATMs can be hacked, you know) and only paying cash for everything.
I save all of my passwords in an encrypted text file which is not stored in a location which is indexed by the Windows Search function. Instead, the encrypted file is saved on a separate partition for which I have disallowed indexing by the Windows Search function. I never save any sensitive stuff in My Documents since this folder by default is indexed by Windows. In fact (at least in Win7), not indexing Users and everything under Users (includes My Documents), breaks the Windows Search function in some search scenarios. This seems to apply to all special folders such as My Documents.
If you desire to further defeat malware from quickly finding a saved password file, even in non-indexed locations on your computer, you can use Shellbag Analyzer & Cleaner to blow out all folders on your computer which you have accessed. Moreover, Shellbags within the Windows Registry also records all other computers (and the computer name) which you access via your local network. Every folder or other computer or every other folder on another networked computer which you access does get stored under Shellbags within your computer’s Windows Registry. Shellbags within the Windows Registry is yet another area which malware may search. When using Shellbag Analyzer & Cleaner, do not ever blow out the default Control Panel Shellbags. Shellbag Analyzer & Cleaner does give you a warning about this. If Shellbag Analyzer & Cleaner gives you a warning that you need to reboot your computer before you make any changes in Windows Explorer, instead of rebooting you can simply log off and then log back into Windows. Get Shellbag Analyzer & Cleaner straight from the author from here:
https://privazer.com/en/download-shellbag-analyzer-shellbag-cleaner.php
If you want to further sanitize your computer, then you might consider using PrivaZer by the same author. Get PrivaZer straight from the author from here:
https://privazer.com/en/download.php
I have no affiliation with the author of the above software.
I never use the words “password” or “login” within the text file or in the file name. I also never use “.com” or “.net” within the text file. The reason for saving the file to a non-indexed location is that most password stealing malware will scan the Windows search index for files or file contents which contain “password” or “login” or “.COM” or “.NET”. Similarly, I avoid using the “@” character within the test file. My AV program is configured to block access to the partition if any new or unknown process tries to access the partition.
I always use CCleaner to clear all browsing history after I have closed my web browser. This is a really good thing to do, since sometimes poorly coded JavaScript can keep the web browser running in the background even though the web browser appears to have been closed. This occurs once in a blue moon. Sometimes the issue is caused by a web browser extension or add-on which must be tracked down and removed.
Some web sites set super cookies in IE which, even if you were using a different web browser, CCleaner will skip cleaning since CCleaner can’t handle the complex super cookie. In this scenario go to Control Panel >> Internet Options >> General and then delete all Browsing History. This issue can occur after visiting porn web sites.
I never delete previously used passwords in my text file. This allows me to easily search and verify that I am not about to reuse a previously used password. I never save my login names (which usually is one of my alternate email addresses) or passwords for online banking, online purchasing, or bill and card payments in my web browsers.
I periodically check my email addresses with HaveIBeenPowned to see if any of my email addresses are the subject of a recent data breach. If so, I generate a new alternate email address and then replace the the breached email address and password with the new email address on all other web sites for which I used the breached email address. For the breached web site, I generate a different new email address and a new password. This different yet new email address will never be used for any other web site since I figure, “Hacked once, probably will get hacked again.” The thing about changing all other web sites to the new alternate email address is to make those web sites throw errors when hackers try to use the breached email address or the new email address for the hacked web site. If the old breached email address is no longer valid on all other web sites, then the hacker can’t even begin to try either my old breached password or derivatives of my breached password.
All passwords contain random special characters. If a web site allows it, I make sure that passwords are at least 14 characters long.
I hope that this post is helpful to everyone in terms of reducing their risks after a given web site is reported as breached, and in terms of things to do if you store your passwords anywhere on your computer.
A lot of comments about Keypass, but what about Lastpass? No one like that?
I have used RoboForm for years and have been satisfied with it. Realistically it is the best for me since I do have many accounts and a very poor memory. Lost computers and data many times but always been able to obtain passwords and relevant data. Just my 2 cents worth.
I use and like Lastpass. In general, avoid using password managers for storing passwords for more secure accounts such as banking, financial, email, paypal, etc. Use an old fashioned address book/phone book, 2 factor authentication, and cyrptic password hints for my more secure accounts. On occasion when somewhat uncertain about whether I really want to store a password with a password manager, will edit the password to add or subtract some characters and leave myself a cryptic note in the Lastpass note section. LastPass has a security checkup which looks for easy and duplicate passwords. If you need a copy of your Lastpass accounts you can export your lastpass list (which includes passwords) and store a digital or paper copy in your safety deposit box. Delete this password list from my device immediately. These additional steps may be viewed by some as totally unnecessary, but in the end one has use whatever methods make them feel safest.
There are some really good recommendations here. But I still think that for those of us that use computers at a fixed and reasonably safe location, such as at home or in the office of a small business, creating and keeping passwords in an encrypted text (ASCII) file on a USB flash drive or some other external storage device — but a small USB flash one is probably the easiest to use — is a simple and convenient solution. When one needs to enter a password online, plug in the USB drive, copy and paste the needed password from the drive to the password field on screen, and is done. Of course: what happens when, now and then, one goes on a trip and needs to carry the computer along, if the USB drive is let behind or, even worse, disappears in transit or a hotel…
My best answer is to keep backups of the encrypted passwords’ file in some other device(s) at home or the small business’ office (but what if the shop is burglarized?), and, as usual, hope you’ll be lucky. Because I believe that there is nothing safer than this, even if this is not perfectly safe. Sadly, nothing is perfect in our sublunary world, there is always some risk in everything we do and only varying degrees of safety.
Ex-Windows user (Win. 98, XP, 7); since mid-2017 using also macOS. Presently on Monterey 12.15 & sometimes running also Linux (Mint).
MacBook Pro circa mid-2015, 15" display, with 16GB 1600 GHz DDR3 RAM, 1 TB SSD, a Haswell architecture Intel CPU with 4 Cores and 8 Threads model i7-4870HQ @ 2.50GHz.
Intel Iris Pro GPU with Built-in Bus, VRAM 1.5 GB, Display 2880 x 1800 Retina, 24-Bit color.
macOS Monterey; browsers: Waterfox "Current", Vivaldi and (now and then) Chrome; security apps. Intego AV
We each have our prefered way. Mine has been Keepass for many years. Between my wife and I, we’re running it on Windows 7, Windows 10, Linux and Android. Why I like it:
It does not store any passwords in the browser nor any browser extension – reducing the attack surface. I only have to remember one master password – which can be routinely changed in order to minimize risk. The password file is strongly encrypted. It can be set to lock its workspace after a predetermined number of seconds of inactivity.
I can select a url from within the database and Keepass will automatically start my default browser and open a tab at the sign-in page. A simple right-click on “auto-type” fills in the username and password and I’m signed in. It has a notes section in each entry that allows us to input phone numbers, security questions & answers, over-the-phone verbal “passwords” and any other info desired. It can create randomized passwords for new entries. It has good search capabilities. It can find weak, similar or duplicate passwords.
We synch all our devices by storing the encrypted password file on Dropbox and setting all our devices to point to that online location. (If I update an entry, it will automatically be reflected on all devices.)
I have installed an add-on for Keepass that will check all my passwords against the “Have I Been Pwnd” databreach listing. Since I don’t want this to be done by online checking, I download the HIBP database as it is updated and have the extension do all password checking locally on my computer. Plus it has lots of other “geeky” capabilities… 
It’s a good balance between security and convenience that works for us quite nicely. We have around 300 entries, by the way.
“The only truly secure computer is the one that’s had the heavy sledge hammer treatment.”
Win10 Pro x64 22H2, Win10 Home 22H2, Linux Mint + a cat with 'tortitude'.
Great subject! I use a pw manager and love it, except when I hate it. That’s life. My daughter has a different approach: she just hits “Forgot Password”, gets a new one and she’s in.
Discuss.
A lot of comments about Keypass, but what about Lastpass? No one like that?
I have been very happy with LastPass for at least 5 years. My wife prefers a paper notebook.
I’ve used roboform for many years and find it convenient. Am able to access it on iPhone and iPad when away from home.
I have just read this debate with interest.
Started using Password managers with RoboForm, (paid) but when thy changed it and wanted more monies I then tried over the years, a number of different managers, probably the best of lot was Last-pass, I used for a number of years until it became a bit of a problem.
I have a problem with buying software that is ‘Rental’, so am now using Bitwarden which I find is excellent.
Ray
Start with a gibberish phrase that would only mean something to you and that you can easily remember.
Then compose the actual password using a formula such as using the first letter of each word in the phrase, while adding caps, numbers, & special characters in a pattern that you can remember.
No need to write it down, or use a manager.
Windows 10 Pro 22H2
And another related thought, but more for obfuscating your username and password associations:
Use a different username (non-email if possible) for your most sensitive accounts. That way if a password for an email username gets compromised, there is less likelihood of that being matched up with a sensitive account’s username.
Windows 10 Pro 22H2
And reuse for how many accounts?
As many as you wish. But I would recommend making each account’s password unique in some way, using a pattern that only you know, and can remember.
And consider using 2-factor authentication for sensitive accounts, as an extra layer of protection.
Windows 10 Pro 22H2
using a pattern that only you know, and can remember.
My own personal pattern is to always include the serial # and acronym of a piece of equipment I regularly worked on 30 years ago as part of my passwords.
I’m positive that makes a dictionary attack impossible and, since all existing versions of that equipment were decommissioned and ground into scrap 15 years ago, I’m pretty sure no one but me will ever figure it out!
As many as you wish. But I would recommend making each account’s password unique in some way, using a pattern that only you know, and can remember.
But still “No need to write it down, or use a manager.” for all these unique passwords?
You could write down hints for the pattern, if necessary. But without the random keywords, nobody would be able to guess the password.
I tried a password manager for a year or so, but 2 things changed my mind about using a manager:
So yep, patterns are my thing now. Plus 2-factor authentication for the truly important stuff.
Windows 10 Pro 22H2
Or just use a free password manager to create and store the passwords.
cheers, Paul
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
Notifications
