Thread: Educate me about online passwords ..

  1. #1

    Educate me about online passwords ..

    Like many, I have numerous online accounts across a range of websites such as forums, retail and other personal profile applications.

    It's increasingly difficult to remember the associated passwords for login to these sites and I routinely find myself having to reset at login or use the same password across multiple sites.

    What I'm interested in are my options for better managing this. As I see it, two of those might be;

    i) Use a password manager app to store those passwords, accessible by one single password that I only need to remember,
    ii) An auto password generator that produces a random password for single use at point of access.

    I'm not keen on the former for the reason of having this information stored in one single location, which needs to be accessed each and every time to retrieve log-in details whenever I need them.

    I have no idea how applicable the latter might be in use for the majority of sites I might wish to utilise it, for example here.

    Are there any infosec or cybersec oriented members here who could give me in layman's terms a rundown of what I need to know, or what options I might have?

    Ideally in application it would cross platforms and service providers, e.g. Safari on an iPhone, Explorer on a PC, using Google or another search engine, and be of use across applications, say for example Amazon, PayPal, TZ-UK!

    Much obliged.

  2. #2
    Master
    Join Date
    Jun 2008
    Location
    Herts
    Posts
    2,166
    I use a password manager now. It also generates random passwords based on rules you can tweak. They get stored offline and online so sync across devices. On my iPhone the app secures using Touch ID so is easy to use. It also has a browser plugin. If all your passwords are currently stored in your web browser then generally they can be extracted automatically into the password manager, and it also checks for dupes and advises which to change. I imagine most will recommend 1Password or LastPass, with KeePass as the open source solution.

    Your other option is to work out some scheme based on website name that allows you to mentally calculate what the password will be.

    Note I keep any banking stuff completely separate in other encrypted means.
    Last edited by reecie; 17th January 2018 at 14:45.

  3. #3
    Hello, thanks for the reply.

    Interesting you mention touchID as I was using it on the iPhone to unlock it until I read a Schneier on Security article on fingerprint recognition which put me off. So it's back to the 6 digit passcode to unlock the phone now, at least that I can remember.

    Thing with storing (encrypted?) passwords in the browser though is a) wouldn't that be restricted to that particular browser installation, and b) what happens when I reset/clear the browser.

    I'll have a look at those two you mentioned. I'm not averse to paying for an app though provided it's effective and cross-functional.

  4. #4
    Master
    Join Date
    Jun 2008
    Location
    Herts
    Posts
    2,166
    The browser add ons log into the cloud or local copy to get the passwords. They are not part of the browser cache. Browsers themselves like FF can also store passwords completely separately if you let them to allow auto login.

  5. #5
    Master
    Join Date
    Apr 2016
    Location
    Yorkshireman at heart
    Posts
    3,133
    Blog Entries
    2
    I write them down on a piece of paper but often lose the piece of paper

  6. #6
    Craftsman
    Join Date
    Sep 2014
    Location
    Glasgow
    Posts
    358
    I use Password Safe to store all my online passwords: https://pwsafe.org/. I have installed this into a folder within Dropbox; this way I have access to it wherever I am and have an internet connection. I use the native application on Windows and have an app that works on my Android devices.

    I use a unique password for all my accounts; it is 12 characters long and contains uppercase, lowercase, numbers and symbols. I use the application to autogenerate each password. Within the application I configure the web URL, username and password and then, when I need to access a site, use this. It allows you to drag and drop or copy to the clipboard, so it is really easy to get this information out without re-typing.

    Just make sure you protect this with a decent password and this becomes the only password you need to actually remember.

    One last thing, make sure you set up your browser to NEVER save passwords as these are very insecure.

  7. #7
    I use Dashlane password manager which installs an extension to the browser(s) which autofills the password (on booting PC, Dashlane password is entered to enable this). The password itself is always stored in the password manager, not the browser so clearing the browser cache will have no effect.

    Not so slick on iPhone, autofill doesn't work.

  8. #8
    I use mSecure on Mac, Windows and Android. Stores password database in the cloud (Dropbox, etc) and syncs to various device apps.

  9. #9
    Thanks all for the further comments (notwithstanding paper based remark - I am not a great deal further along that myself .. .. )

    Ok so it looks like a password manager / browser add-on is the way to go. Shall trial one out I think.

  10. #10
    I was told a good way to do this: pick a word, change a few letters for numbers, add a punctuation note, then add a reference to the site.

    Example. TZUK. P1ll0wtz@

    American Express. P1ll0wae@

    RAC. P1ll0wra

  11. #11
    Journeyman
    Join Date
    Jan 2018
    Location
    HERTS
    Posts
    113
    Paper notepad, your passwords will be secure from online hacking.

  12. #12
    Master
    Join Date
    Feb 2017
    Location
    Wales
    Posts
    1,088
    Quote Originally Posted by PaulM View Post
    Paper notepad, your passwords will be secure from online hacking.
    This^. The old ways are sometimes still the best. Doesn't help if you need a password away from the notepad's location though.

  13. #13
    Master Templogin's Avatar
    Join Date
    Oct 2015
    Location
    Shetland
    Posts
    2,724
    1Password integrates nicely between Apple devices.

  14. #14
    Quote Originally Posted by justin44 View Post
    I was told a good way to do this: pick a word, change a few letters for numbers, add a punctuation note, then add a reference to the site.

    Example. TZUK. P1ll0wtz@

    American Express. P1ll0wae@

    RAC. P1ll0wra
    Some sites that I log in to now insist on an alphanumeric with punctuation key (one of the reasons that I keep forgetting my passwords!!)

    I suppose a possible weakness in encrypting a password in the fashion above is that if it's common knowledge, then someone determined to hack the account already has part of the password. Exchanging the letters E, I or O for 3, 1 or 0 is probably not strong enough, which leaves you having to choose a pretty random word not readily guessed!

  15. #15
    Master
    Join Date
    Jan 2011
    Location
    Maidenhead-ish UK
    Posts
    1,515
    Quote Originally Posted by howie77 View Post
    Ok so it looks like a password manager / browser add-on is the way to go. Shall trial one out I think.
    In general Password Managers fall into two groups: those that store the encrypted database on the vendor's servers (which enables you to access it from any device via the internet) & those that only store it locally, usually on something like a USB key. If you are paranoid about security then you'll look for the latter; if you want a more flexible system you'll choose the former. Personally I use LastPass, which has extensions for most browsers and iOS/Android apps.
    https://www.lastpass.com/

    There are other features you may, or may not, consider advantageous:
    1) Two Factor Authentication: as well as a master password to access the database you can require an external device such as a Yubikey which you plug into a USB port & touch when prompted. This one works via NFC as well if your phone supports it:

    https://www.amazon.co.uk/Yubico-Y-07.../dp/B00LX8KZZ8

    2) You can set up an Emergency Access feature whereby if you die or become incapacitated your designated contact can get access to your passwords.

    3) You can store other documents in the database so that they can be accessed from any device. I travel a lot so I have pdf copies of insurances, passport, optician prescriptions & numerous other documents stored so I can access them if needed.

    Don't be tempted to use the browser password managers as they may not be secure.

  16. #16
    Banned
    Join Date
    Mar 2011
    Location
    Peterborough
    Posts
    2,841
    Blog Entries
    1
    Quote Originally Posted by justin44 View Post
    I was told a good way to do this: pick a word, change a few letters for numbers, add a punctuation note, then add a reference to the site.

    Example. TZUK. P1ll0wtz@

    American Express. P1ll0wae@

    RAC. P1ll0wra

    Actually that is NOT a particularly secure way of generating a password, and it is frustrating that password managers think that it is.

    A much more secure way is to use a phrase from a book or a film that you can remember along with a consistent way of making a brute force attack more complex.

    It's all about levels of entropy (Google it)

    eg. TheDarkSideOfTheMoon is significantly more secure than P45sw0rD* in terms of a brute force attack, and also easier to remember.

    Daniel.
    Last edited by amnesia; 17th January 2018 at 17:40.

  17. #17
    Master blackal's Avatar
    Join Date
    Mar 2012
    Location
    Scottish Borders
    Posts
    9,538
    Quote Originally Posted by PaulM View Post
    Paper notepad, your passwords will be secure from online hacking.

    You could adapt my method for remembering PINs for Credit Cards:

    What appears to be random numbers in a square - but only I know the table assigned to which card, and the grouping for the numbers. There are so many combinations, and tables - that it would be impossible for a thief to work it out.

    I print it out, laminate it - and keep it in my wallet with my credit cards. When you have to check the card PIN - the person at the counter doesn't know which table you are looking at, or what possible grouping/line of numbers.

    Should be able to increase the tables to 6x6 and include letters and symbols.

  18. #18
    Craftsman T1ckT0ck's Avatar
    Join Date
    Jan 2017
    Location
    Norwich, Norfolk
    Posts
    825
    Lastpass is superb, used it for a few years and it does the job seamlessly across devices e.g. phone, tablet and laptop.

  19. #19
    Master
    Join Date
    Jan 2011
    Location
    Maidenhead-ish UK
    Posts
    1,515
    Quote Originally Posted by amnesia View Post
    Actually that is NOT a particularly secure way of generating a password, and it is frustrating that password managers think that it is.

    A much more secure way is to use a phrase from a book or a film that you can remember along with a consistent way of making a brute force attack more complex.

    It's all about levels of entropy (Google it)

    eg. TheDarkSideOfTheMoon is significantly more secure than P45sw0rD* in terms of a brute force attack, and also easier to remember.
    Unfortunately chbs & any similar password is useless as it doesn't satisfy the requirements for many sites in that it's too long/no numbers/no capitals/no special characters. It's also only one password so unless you use it everywhere (the absolute worst thing you can do) you're back into remembering different sequences.

    It is however a good way to generate a Master Password for a password manager.

  20. #20
    Master robcuk's Avatar
    Join Date
    May 2008
    Location
    Haarlem, NL
    Posts
    2,648
    I use Keeper on all mobile devices; it also has a Chrome extension which allows me to run it on my locked down work PC.

    It has a security audit feature which checks the 'trickiness' of your different passwords.

    You can set it up to use Touch ID or Face ID to unlock, but it still has a 2 factor check too, so, at least once a month you have to feed it your Google Authenticator generated 6 digits too.

    Oh, and it can be set to send an access code to someone else after a set period of inactivity, and you can choose which passwords they can get.

    Worth the small fee, and the reason I now have 180 unique passwords in it, plus backup codes and scans of important docs.

  21. #21
    Passwords are the bane of life, too easy most of the time or use the same one everywhere.

    Find a formula that works for you but remember you could need to change every 90 days; best to be unique for every website to avoid scrapers getting your password and trying all obvious sites.

  22. #22
    Master
    Join Date
    Dec 2012
    Location
    Scotland!
    Posts
    1,063
    Quote Originally Posted by howie77 View Post
    What I'm interested in are my options for better managing this. As I see it, two of those might be;

    i) Use a password manager app to store those password, accessible by one single password that I only need to remember,
    ii) An auto password generator that produces a random password for single use at point of access.

    I'm not keen on the former for the reason of having this information stored in one single location, which needs to be accessed each and every time to retrieve log-in details whenever I need them.
    A combination of the two is good. Use a password manager to generate unique password for each site, then store those in the password manager protected by one very good password.
    You can make a password that is time-consuming to brute force but easy to remember by using a rule. For example you choose "Mary had a little lamb" as your password. Short words capitalised, long words use first letter only, and append a fixed number of characters front and/or back. So your password could become
    ;;;mHADAll;;;
    You can make it longer by writing in full different words or such like, which in turn will make it harder to brute force.

    Checked in GRC, it reckons 38.9 centuries for a cracking array to churn through that:
    https://www.grc.com/haystack.htm
    That page is an interesting read in itself.

  23. #23
    Quote Originally Posted by justin44 View Post
    I was told a good way to do this: pick a word, change a few letters for numbers, add a punctuation note, then add a reference to the site.

    Example. TZUK. P1ll0wtz@

    American Express. P1ll0wae@

    RAC. P1ll0wra
    These are now considered weaker passwords because there are a limited number of symbols used to exchange for letters. Once you swap the symbols to letters you can do a straight up dictionary search. A more secure password would be a series of 4 random words separated by hyphens. An even more secure password would be 20 random characters.

    To the OP, I use 1Password and enable 2 factor authentication on any account I can.

  24. #24
    Quote Originally Posted by Phil Lee View Post
    These are now considered weaker passwords because there are a limited number of symbols used to exchange for letters. Once you swap the symbols to letters you can do a straight up dictionary search. A more secure password would be a series of 4 random words separated by hyphens. An even more secure password would be 20 random characters.

    To the OP, I use 1Password and enable 2 factor authentication on any account I can.
    Surely the hacker would have to know the format of the password, otherwise you're just choosing 1 from 36 (say) characters instead of 1 from 26?
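    The posts above argue about "entropy" and search space: #16 compares TheDarkSideOfTheMoon with P45sw0rD*, #22 reports a GRC haystack figure of 38.9 centuries for ;;;mHADAll;;;, #23 says leet substitutions collapse under a dictionary search, and #24 asks whether the alphabet is really 36 versus 26. The following Python is an added worked example, not code from the thread or from GRC: it sizes the alphabet from the character classes present, sums every candidate up to the password's length (the haystack method), converts that to bits and to years at an assumed 1e14 guesses per second (chosen to match the scale of the haystack page's largest scenario), and then shows why that number is only an upper bound by undoing the common digit-for-letter swaps and checking a constructed toy word list. The 33-symbol class size, the guess rate, the leet table and the word list are all assumptions made for the example.

```python
import math
import string

# Character classes used to size the search alphabet. The 33-symbol count
# (32 ASCII punctuation marks plus space) is an assumption chosen to match
# the class sizes the GRC haystack page uses; other estimators differ.
LOWER, UPPER, DIGITS = 26, 26, 10
SYMBOLS = string.punctuation + " "
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed toy dictionary for the substitution check below; a real
# strength checker ships tens of thousands of words and phrases.
WORDLIST = {"password", "pillow", "dark", "side", "moon", "mary", "lamb"}

# Undo the common letter-for-digit swaps from post #10 so the core of the
# password can be compared against the word list (assumed mapping).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s", "!": "i"})


def charset_size(password: str) -> int:
    """Alphabet size an exhaustive search must cover for this password."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def search_space(password: str) -> int:
    """Every candidate up to this length: sum of n^L for L = 1..len (haystack style)."""
    n = charset_size(password)
    return sum(n ** length for length in range(1, len(password) + 1))


def bits(password: str) -> float:
    """Search space expressed in bits (log2)."""
    return math.log2(search_space(password))


def crack_time_years(password: str, guesses_per_second: float = 1e14) -> float:
    """Worst-case time to exhaust the whole space at the assumed guess rate."""
    return search_space(password) / guesses_per_second / SECONDS_PER_YEAR


def dictionary_hit(password: str, wordlist=WORDLIST):
    """Longest word-list entry found inside the de-substituted letters, or None."""
    core = "".join(c for c in password.lower().translate(LEET) if c.isalpha())
    for word in sorted(wordlist, key=len, reverse=True):
        if len(word) >= 4 and word in core:
            return word
    return None


def report(password: str) -> dict:
    """Exhaustive-search figures next to the dictionary caveat from post #23."""
    hit = dictionary_hit(password)
    return {
        "password": password,
        "alphabet": charset_size(password),
        "bits": round(bits(password), 1),
        "centuries_at_1e14_per_s": round(crack_time_years(password) / 100, 1),
        "dictionary_hit": hit,
        "note": ("exhaustive-search bound only; a word list finds '%s' far sooner" % hit)
                if hit else "no match in the toy word list",
    }


if __name__ == "__main__":
    for pw in ["P1ll0wtz@", "P45sw0rD*", "TheDarkSideOfTheMoon", ";;;mHADAll;;;"]:
        print(report(pw))
```

    The answer to #24 falls out of the numbers: the alphabet only grows from 52 to 95 for P45sw0rD*, but the 20-character phrase still has roughly twice the bits because length multiplies exponents. The dictionary check is the other half of the story: P45sw0rD* and P1ll0wtz@ both reduce to a word in even this tiny list, so their real resistance is far below the exhaustive-search figure, which is exactly the weakness #14 and #23 describe.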

  25. #25
    Master Templogin's Avatar
    Join Date
    Oct 2015
    Location
    Shetland
    Posts
    2,724
    The best password is the one that you can't remember, which is where random password generators come in. Make them nice and complex, 20 or more letters if the site will allow it. To really improve things we need 2 factor authentication. One of the best systems that I have come across is a proximity card, which you carry and is read by your device as the 2FA.

    Of course there are several forms of decryption. Brute force is often mentioned, rubber pipe decryption less so.
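    Posts #23 and #25 recommend what a manager's generator produces: four random words with a separator, or 20 or more random characters, while #2 notes generators work from rules you can tweak and #19 complains that many sites reject a plain passphrase. The Python below is an added example, not the code of any product named in the thread: it draws from the operating system's CSPRNG via the secrets module (never random.random), reports the bits an attacker faces when the list and scheme are known, and uses rejection sampling so a generated password satisfies a site's class rules without skewing the distribution. The 32-word list is constructed for the example; the 7776 figure in the bit calculation is the size of a standard diceware-style list, which is what a real generator would load.

```python
import math
import secrets
import string

# Constructed stand-in word list (32 entries). A real passphrase generator
# loads a published list of several thousand words; the number of words,
# not their length, is what sets the strength.
WORDLIST = [
    "anchor", "bezel", "crown", "dial", "escapement", "fossil", "gasket",
    "hairspring", "index", "jewel", "keyless", "lume", "mainspring",
    "numeral", "oscillator", "pallet", "quartz", "rotor", "sapphire",
    "tourbillon", "unidirectional", "verge", "winding", "yoke", "zero",
    "balance", "barrel", "caliber", "chronograph", "click", "crystal", "date",
]
# 94 printable ASCII characters: letters, digits and punctuation (no space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def random_words(count: int = 4, wordlist=WORDLIST, sep: str = "-") -> str:
    """Diceware-style passphrase; secrets.choice uses the OS CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


def random_chars(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniform random string over the given alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_bits_words(count: int, wordlist_size: int) -> float:
    """Bits of search space when the attacker knows the list and the scheme."""
    return count * math.log2(wordlist_size)


def guess_bits_chars(length: int, alphabet_size: int) -> float:
    """Bits of search space for a uniformly random character string."""
    return length * math.log2(alphabet_size)


def meets_policy(password: str, min_len: int = 12, max_len: int = 64,
                 need_upper: bool = True, need_digit: bool = True,
                 need_symbol: bool = True) -> bool:
    """Typical site rules (the complaint in #19): a length window plus class requirements."""
    if not (min_len <= len(password) <= max_len):
        return False
    if need_upper and not any(c.isupper() for c in password):
        return False
    if need_digit and not any(c.isdigit() for c in password):
        return False
    if need_symbol and not any(c in string.punctuation for c in password):
        return False
    return True


def generate_for_policy(length: int = 20, attempts: int = 1000, **policy) -> str:
    """Draw uniformly, then reject until the site's rules are satisfied.

    Rejection keeps every accepted password equally likely; patching a
    candidate (e.g. forcing a digit into position 1) would not.
    """
    for _ in range(attempts):
        candidate = random_chars(length)
        if meets_policy(candidate, **policy):
            return candidate
    raise RuntimeError("policy could not be satisfied at this length")


if __name__ == "__main__":
    phrase = random_words(4)
    print(phrase, "->", round(guess_bits_words(4, 7776), 1), "bits on a 7776-word list")
    print("passes a no-upper/no-digit policy:",
          meets_policy(phrase, need_upper=False, need_digit=False))
    pw = generate_for_policy(20)
    print(pw, "->", round(guess_bits_chars(20, len(ALPHABET)), 1), "bits")
```

    With a 7776-word list, four words give about 51.7 bits and 20 random printable characters about 131 bits, which is the ordering #23 gives. The passphrase passes a policy only if the site does not insist on uppercase and digits, which is why #19 suggests keeping the phrase for the master password and letting the generator produce the per-site ones.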

  26. #26
    Grand Master Glamdring's Avatar
    Join Date
    Oct 2007
    Location
    Doncaster, UK
    Posts
    16,651
    I use an Excel file to store my passwords. Email, username, password. None is repeated from site to site, though my username might be. I keep the Excel file on the cloud with a paid-for account, and on a hard drive. I have collected so many over the years. The only one not written down is my bank password and PIN. That's in my feeble brain but so far it's worked.

  27. #27
    Master Templogin's Avatar
    Join Date
    Oct 2015
    Location
    Shetland
    Posts
    2,724
    How is your Excel file protected? If it is by using the password system built into Excel that can easily be cracked with online tools readily available.

  28. #28
    Grand Master Glamdring's Avatar
    Join Date
    Oct 2007
    Location
    Doncaster, UK
    Posts
    16,651
    Quote Originally Posted by Templogin View Post
    How is your Excel file protected? If it is by using the password system built into Excel that can easily be cracked with online tools readily available.
    It isn't. I just live in hope that malware won't find it. There are limits. Now, I suppose, those are famous last words and I've just jinxed myself.

  29. #29
    Master Templogin's Avatar
    Join Date
    Oct 2015
    Location
    Shetland
    Posts
    2,724
    I would strongly recommend that you remove the file, there may be backups in the cloud though, encrypt* the file and put it back, the latter only if you must. If it was me I would be changing all those passwords.

    * Not with Excel's encryption

  30. #30
    Grand Master Glamdring's Avatar
    Join Date
    Oct 2007
    Location
    Doncaster, UK
    Posts
    16,651
    Quote Originally Posted by Templogin View Post
    I would strongly recommend that you remove the file, there may be backups in the cloud though, encrypt* the file and put it back, the latter only if you must. If it was me I would be changing all those passwords.

    * Not with Excel's encryption
    I have 278 sites collected over fifteen years plus, and each with their own username and password. I won't live long enough to change all of those.

  31. #31
    Master
    Join Date
    Jun 2008
    Location
    Herts
    Posts
    2,166
    I know LastPass has an auto password change feature. Then again if you have been fine for 15 years I dare say you will be ok for a few more.

  32. #32
    Master pacifichrono's Avatar
    Join Date
    Apr 2008
    Location
    San Diego
    Posts
    7,939
    Quote Originally Posted by Glamdring View Post
    I use an Excel file to store my passwords. Email, username, password. None is repeated from site to sight though my username might be. I keep the Excel file on the cloud with a paid-for account, and on a hard drive. I have collected so many over the years. The only one not written down is my bank password and PIN. That's in my feeble brain but so far it's worked.
    I do pretty much the same, except my Excel file is only on my hard drive. The file name is very obscure, among hundreds of others, and even if you open it with the PW, the file looks like something completely unrelated.

  33. #33
    Quote Originally Posted by Templogin View Post
    1Password integrates nicely between Apple devices.
    ^^ This with passwords set to use x amount of random words with a special character as a separator and 2FA when I can.

  34. #34
    Grand Master dkpw's Avatar
    Join Date
    Sep 2009
    Location
    Edinburgh
    Posts
    10,802
    I've used LastPass for several years now, and it's a great product. The key (pardon the pun) is to select a really secure password for it that you will not forget, you are putting all of your eggs in one basket after all AND to use a two stage authentication process, such as Google Authenticator.

    It also has an option to run a security analysis on your saved passwords and accounts, which will check when you last changed a password, whether any of your sites have been compromised and whether a password is used on more than one site. Should you find any which do require updating or changing, it can very often do it for you and it will choose a very secure password indeed.


  35. #35
    Master
    Join Date
    May 2010
    Location
    UK
    Posts
    9,823
    So... LastPass or 1Password?

    I am all Apple, except for work which is a fairly locked down PC.

    My only concern would be that if I were without my phone / iPad, I’d be stuck? How do you get around that? As it is now I just memorise all my passwords but it’s becoming difficult...

  36. #36
    With 1Password you can access your passwords through a secure website. You just have to remember your master password.

  37. #37
    Master
    Join Date
    May 2010
    Location
    UK
    Posts
    9,823
    Quote Originally Posted by Phil Lee View Post
    With 1Password you can access your passwords through a secure website. You just have to remember your master password.
    Cheers Phil.

    Would you suggest 1Password is the best app? I don’t mind paying for the service if there’s a better app?

  38. #38
    I prefer 1Password to LastPass but that's probably because I'm a long time user. I now pay for their family subscription which gives me and my wife access to apps on iOS, Mac and Windows.

    I like that you can share vaults between people in a family and have private ones too. You can also have a travel vault. When you switch to travel mode through the website all non travel passwords are deleted from all apps. They only exist in the master online vault until you get home.
    Last edited by Phil Lee; 31st March 2018 at 13:44.

  39. #39
    Master Templogin's Avatar
    Join Date
    Oct 2015
    Location
    Shetland
    Posts
    2,724
    Quote Originally Posted by Phil Lee View Post
    I prefer 1Password to LastPass but that's probably because I'm a long time user. I now pay for their family subscription which gives me access to apps on iOS, Mac and Windows as well as my wife.

    I like that you can share vaults between people in a family and have private ones too. You can also have a travel vault. When you switch to travel mode through the website all non travel passwords are deleted from all apps. They only exist in the master online vault until you get home.
    I have the 1Password family subscription too, but seem to get little access to my wife.

  40. #40
    Quote Originally Posted by Templogin View Post
    I have the 1Password family subscription too, but seem to get little access to my wife.
    That was an interesting typo from me.

  41. #41
    Master
    Join Date
    Jan 2011
    Location
    Maidenhead-ish UK
    Posts
    1,515
    I think either LastPass or 1Password are worth investigating & which one you end up with depends on how you want to use it. I'm a LastPass user & find it good. Both are free to try so you can see which you prefer. LastPass lets you add 2FA via a dongle such as a Yubikey but it's not essential if your paranoia level isn't that high.

  42. #42
    Master
    Join Date
    May 2010
    Location
    UK
    Posts
    9,823
    Ok thanks guys - I’ll give 1Password a go first as I like the user interface from the App Store info... and I trust Phil when it comes to all things IT (ps hope you’re well Phil).

    Thanks again

  43. #43
    Master
    Join Date
    May 2010
    Location
    UK
    Posts
    9,823
    I’ve got the 1Password app on my iPhone now, with a 1 month free trial... but how do I import all my passwords (all currently stored in safari)?

    Can’t find the option anywhere.

  44. #44
    Craftsman Robti's Avatar
    Join Date
    Apr 2017
    Location
    Hamilton Scotland
    Posts
    511
    So reading through this thread, even when using Apple suggested passwords are we saying that’s not enough and to go for one of the recommendations posted here ?
    Thanks

  45. #45
    Craftsman Robti's Avatar
    Join Date
    Apr 2017
    Location
    Hamilton Scotland
    Posts
    511
    Quote Originally Posted by ach5 View Post
    I’ve got the 1Password app on my iPhone now, with a 1 month free trial... but how do I import all my passwords (all currently stored in safari)?

    Can’t find the option anywhere.
    I had that trial a while back and I don’t know if different now but you had to change every password when you visited a site, I really was looking at that time for something automated

  46. #46
    Master
    Join Date
    May 2010
    Location
    UK
    Posts
    9,823
    Quote Originally Posted by Robti View Post
    So reading through this thread, even when using Apple suggested passwords are we saying that’s not enough and to go for one of the recommendations posted here ?
    Thanks
    That's what I have inferred from this.

    I've got 1Password but I'll be damned if I can figure out how to import the dozens and dozens of passwords I have got.

    Maybe I have to do that on the desktop version, so am downloading that now.

  47. #47
    Have a look at this support post:

    https://support.1password.com/import/

  48. #48
    Master
    Join Date
    May 2010
    Location
    UK
    Posts
    9,823
    Quote Originally Posted by Phil Lee View Post
    Have a look at this support post:

    https://support.1password.com/import/
    Cheers Phil. I assumed there'd be an option within the iOS app to just "link" and transfer all the data.

    I'll do it this way.

    But I might just create all new passwords to be ultra-secure.

  49. #49
    Master
    Join Date
    May 2010
    Location
    UK
    Posts
    9,823
    ^ wow, that procedure for importing passwords is way, way above my IT abilities (and patience).

    I just can't get 1Password to integrate and work properly - it certainly doesn't just pop up like Safari / KeyChain does to suggest passwords / auto-fill.

    Spent 10 mins trying to get it to work with TZUK and have given up!

    I assume it's me and not the app, otherwise people wouldn't speak so highly of it, but I'm giving up for now!

  50. #50
    Master
    Join Date
    Jan 2011
    Location
    Maidenhead-ish UK
    Posts
    1,515
    That's a nuisance. I don't use Apple/Safari so I can't help much but there is a "passive" option that LastPass suggest:

    https://helpdesk.lastpass.com/import...word-managers/

    This seems as if it should copy the username & password that Safari autofills when you visit a site - you should get a dialogue box that asks you if you want to save the information into LastPass. It does mean doing this for every site but it may be worth a try. Once you have the information in LastPass then it can be exported & imported into 1Password.
