How and Where Do You Store All Your Passwords?

I know there are a number of apps to store passwords in etc., but for me most of them seem over the top. Any decent apps someone can recommend, or any lockable note-keeping apps anyone can recommend, etc.?

Any PW making hints anyone can suggest. Ideally, I'd like it to be something on my phone, because usually I keep my phone with me everywhere I go.

I tried Google Keep, but couldn't find a way to lock a particular note.

Thanks

Poll Options

  • 159
    Lastpass
  • 81
    Keepass
  • 41
    1Password
  • 16
    Google SmartLock
  • 8
    Bikies
  • 7
    Roboform
  • 2
    Password Gorilla

Comments

      • +1

        That's too complex. Just password. Capitals, characters and numbers make it difficult for me to remember.

        • And I guess your username is username

        • @xoom: I would've guessed edwardcr as his username

    • No - my username and passwords are a bit more complex than those! Upper/lower case plus numerals.

      With a couple of minor variations if the site in question requires something stronger.

      There are other ways to be careful - I have a separate bank account for online use, and only transfer funds to Paypal as required.

      As for my other stuff, the hackers are welcome if they can be bothered!

  • +1

    LastPass

  • +2

    Google Chrome, syncs across my phone and laptop.

  • +1

    I keep mine under my tin-foil hat

  • 1Password on Mac
    Roboform on PC

  • +1

    Just a few months ago I started an A5 book where I list passwords. Makes life easier to have it written down in a book at my desk. There are so many websites, I have 7 pages of passwords written.

    • Ditto. Keep my very long and slowly growing list as a Word file on a USB stick and print out as required. Keep the printout hidden near my home PC. Commonly used passwords, e.g. email, bank, eBay, etc. are memorised so I can access accounts on my phone, iPad and other people's PCs when not at home.

      • +1

        You two must be at least 100

        • Almost. And the contents of my mattress are out of bounds to all but me.

    • This is what I do sometimes. I asked my parents to do the same since they always forget their passwords or emails haha

  • +4

    In a biscuit tin with my stocks and bonds hidden down the back in the chook house, ones I use more often are written on my dog with a sharpie.

  • I use Lastpass. It just works.

    For low level sites (eg forums) which do not contain any personal information, I just use the same basic password. If a site requires personal information other than email, I let LastPass generate a 15-digit password.

    For top level passwords (eg LastPass, bank accounts, email) an easy to remember nonsense phrase of at least 15 characters is as good as any, like (273YellowHoldens). I don't always use my own devices to log into banks and email, so it is more convenient to log in directly than use LastPass.
    If I have one criticism it is that the form fill does not always work. I read somewhere last week that the US Government is now recommending financial institutions provide better support for password managers.

    • Why not have every website, including the forums, generate the >15 digit passwords, since LastPass will store it regardless?

      the only thing I do is to vary the length of the passwords, 20 characters for most sites, 60-70 characters for emails/banks etc.

      I only tick the easy to read option.

  • I worked in retail for a while many years ago. They used 'word conversions' for numbers to put cost prices on item tags. I have about 100 passwords now, and have them all 'encrypted' using a letter sequence. This means my passwords must have some numbers in them. You must keep this or any list constantly up-to-date.

    I use some common words for the letters, then slightly alter them in my Word document to something close (eg 'patrice' would become 'patricia', any letter underlined if I need to use a capital letter) with say 2 capital letters that convert to the numbers. You could use 'special characters' too, though boring (maybe as a diversion?).

    If you use a ten-letter word with no repeat letters, then the first letter is say zero, the second is one etc. Use a word that you remember, but not too obvious. A fair example would be 'BANKOPHILE' where B is one, E is 9 etc.

    It's all on a simple Word document, about 6 or 8 font size, and it fits easily on 1 page, which I re-phone-photo after every change, and print (carried with me) about every 3 months, having noted important changes by hand on it in the meantime (also, put a 'date last changed' on the top). The company the password is for is abbreviated in front of it, in alphabetical order (eg ozbgn: patr#iciaPK where hash is a fake). I also keep lots of other stuff like passport number coded here too.

    It's worked well for about 20 years. Be sure to absolutely destroy old printed copies. If you prefer 'cloud' or whatever, you can still use all or part of this system to add another security layer. It's not hackproof but, the more you make the passwords 'mnemonic', the safer they'll be. eg if you use your dog's name as part of a password (don't do this!), fido say, put 'dog' in instead - but remember all your tricks! And NEVER EVER tell anyone what the 'code' word is, or even that you use a code.
    I use a couple of other tricks but I'd have to hit 'delete all' with your memory if I told you ALL of them!

    • Pretty much what I was trying to say below. Can remember many many many combinations of passwords very easily.

      • +1

        Can remember many many many combinations of passwords very easily.

        Until dementia sets in.

        • +1

          I'll have them in long term memory. I just won't know where I was going.

  • +3

    Lastpass for me - you should do a poll thing

    • +1

      good idea - done
      thanks

  • PasswordState

  • +3

    As a primarily Apple user, 1Password is a great option for OSX / iOS. Their Windows version is… adequate, but not as good as the versions on other OSes. Honestly, most of the options you have listed are perfectly good solutions to the problem, and simply using a password manager and generated passwords makes you more secure than 95% of the population. If you do sync the passwords using a provider like Dropbox, make sure to utilise their 2 factor authentication feature.

  • +4

    "password" is too obvious.
    My password is "username"

  • +1

    I use a strong password mixed with different prompts from the website it is for. That way I have a myriad of passwords I can easily remember. Just a complex pattern. Depending on the level of security needed I up the complexity. Bank ones are quite unique. Ozbargain is a lower level of security and uniqueness.

  • +1

    Username: admin
    Password: password

  • I use Identity Safe that comes with Norton Internet Security. It also has a configurable password generator.

    Like others, it stores encrypted passwords on their server and can be accessed via mobile through the app. Been working well for about a year now.

  • +2

    I store all my passwords in an Arnott's cookie tin

  • +2

    Bitwarden. As good as LastPass but free and Open source.

  • LastPass with a Yubikey for 2FA

  • +2

    Photographic memory

  • In head

  • +1

    1Password with Dropbox Sync
    2FA enabled on Dropbox
    => I have all my passwords synchronised across all my devices at all times - computer, tablet, phone, watch, smart fridge, etc.

  • +3

    My password is "incorrect". In this way, I don't have to remember anything. Every time I type in the wrong password, the computer prompts me with:

    "Your password is incorrect."

    :)

    • +2

      Video Ezy used to ask for a password to borrow videos. Mine used to be "forgot". :)

  • +1

    Lastpass

  • +1

    Dashlane for about the last three years or so.

  • Blur = basic passwords
    Brain = important passwords

  • I store some of my account details in my iPhone's iOS Notes app.
    Can lock the note with fingerprint or password. Readily available for me whenever I need it.

    Other data that I seldom use: I put them in MS Excel and lock it with password.

    Somehow I don't prefer using third party apps (or cloud) to store my passwords.

    • +2

      Fairly sure iOS Notes is backed up in iCloud, likely in plaintext as it's not designed to hold confidential data.

      Excel certainly communicates online with Microsoft unless you go through and stop it - depending on version, 2016 is near-impossible to lock down for example - and it would be as simple as opening up your temporary files cache to find the document.

    • +1

      Can lock the note with fingerprint or password. Readily available for me whenever I need it.

      Potential exposure:
      1. Lock screen bypass will make this easily available to all and sundry with physical access to the phone.
      2. In certain situations (e.g. traversing borders) you may be mandated to unlock your phone and hand it over to Border Security.
      3. A trusted computer with malware on it can be (and has been) used to retrieve this sort of data from phones.
      4. The Notes app is not meant to be a secure storage app, therefore the iOS features that provide native code functions for protected elements (think stuff like keychain management, run-time encryption/decryption etc) may not be leveraged.

      Other data that I seldom use: I put them in MS Excel and lock it with password.

      Trivial to crack if the password is not enormous. Heaps of commercial tools that allow you to run dictionary/incremental brute force attacks. Also, if the Excel file is opened on a compromised host, the password and content of the file would be in memory. Lastly, older versions of MS Office "protection" are very easy to crack.

      Somehow I don't prefer using third party apps (or cloud) to store my passwords.

      IMHO, it is most likely better than what you're doing. Admittedly, nothing is 100% hack-proof, but a proper password manager makes stuff a ton harder. Remember, you're not trying to out-run the bear, you're just trying to out-run the other guy. ;)

      Edit: I messed up the formatting.

      • I always lock the important note after reading it, so how can anyone open it, even if the phone is unlocked? The note can be locked with fingerprint or password, whichever one feels comfortable with.

        I lock the MS Excel spreadsheet with a combination of characters, for my peace of mind :-)

        I know that nothing is foolproof, but I'm comfortable with the tools I use and the passwords I set.

  • i just use password for all my accounts. but i dont like pizza

    • +2

      WHAT?? You're crazy!! Pizza is great!

  • +1
  • -2

    Protip:

    If you want a different password for each site and still remember each one of them:

    Use the first 5 letters of the website and then follow with say 3 sets of digits meaningful to you. Can add a capital at the first letter. If the website has fewer than 5 characters, repeat the sequence.

    ie:

    Ozbar007 for ozbargain
    Nbanb007 for NBA
    Youpo007 for youporn

    • +3

      This is terrible advice. This kind of "construction" is towards the very top of all decent password cracking masks. If even one of your passwords gets cracked (which it almost definitely will), the passwords to all your other sites are now easy to discern. Use long, randomly generated passwords and a password manager.

      • -1

        Tell me the probability you can guess which one is capital and how many numbers and character combinations to crack that. If you do a sweep it will take the same time as your "random" chosen password.

        If you're worried about the hacker being able to work out the pattern, just do it backwards from the website, or remove 1 char. Be creative a bit. There are so many easy ways to obscure patterns.

        • +3

          This is completely incorrect.

          Most cracking does not happen against a live account where you can only try one password at a time. It is done offline against a list of encrypted passwords called "hashes". Depending on the encryption used, a standard gaming machine can potentially attempt hundreds of thousands, if not millions of passwords PER SECOND. Before they start just brute forcing random characters, they run through all their "masks". A mask is a blueprint for constructing a password, which very quickly reduces the search space .. eg

          [Capital Letter][5 x lower case letters][3 x digits][Special character]

          You may have thousands of mask combinations that you run through, generated based on the experience you've gained with every previous password you've cracked. If you crack a password with a unique construction, you add the mask to the list so it's quick to identify next time.

          As for the password space size being similar.. They aren't. If you don't take into account the masks (which reduce yours, but not mine):

          Your password: 221,919,451,578,090 max attempts needed.
          20 character random password: 3,622,996,024,341,650,240,846,169,344,922,329,517,120 max attempts needed.

        • @Praeto:

          So whats the difference in time to crack say between:

          Johnny1973
          with
          Onziba1973
          or
          Niaozg1973

          ?

          If you are just concerned about the number of characters, you can repeat the sequence to add the characters. My post was about making your password easier to remember.

        • @djmm:

          No real difference at all. If you're making hundreds of thousands (or millions) of guesses per second, those two guesses would be moments apart.

        • @Praeto:

          Sorry, I edited after your post. Agree that longer chars mean harder to crack, but my advice was about having something easier to remember. The number of chars can be added themselves.

          ie. site name sequence + some unique word and number you use same to other sites ie. combo + Broden_1292

        • @djmm:

          Johnny1973 will get cracked way sooner than the other 2 if a dictionary attack is used with a year mutator.

          [dictionary]+[word]

          Based on a decent English language dictionary with hybrid mode (i.e. dictionary attack + incremental attack).

        • +1

          @djmm:

          I understand your original intention, but any "rules" that you follow to make the password memorable for a human are exactly what makes it easy to crack. It also means that if even one of your passwords is cracked, ALL your other passwords instantly become vulnerable. If one of my passwords gets cracked, they only have access to one site.

          Just as an example, I ran a search against the passwords that have so far been cracked from the LinkedIn breach, and found almost 900,000 passwords that match your original "formula" (out of 61m). Those 900,000 people probably thought they had unique, difficult to guess passwords… but they were some of the first cracked. The users with those 900,000 passwords using the same formula as you are now at risk on every other site out there, because they're following an easily discernible process. It's worth noting that my password in LinkedIn was a long random string, and it is one of the 3% of LinkedIn passwords not yet cracked.
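
Worked example, added here and not part of any commenter's post, of the two points made in the replies above: a hashcat-style mask such as `?u?l?l?l?l?d?d?d` covers a tiny keyspace next to a uniformly random 20-character password, and once a couple of one user's "first five letters of the site + digits" passwords are recovered from a single breach, the same user's password on every other site can be predicted outright. The formula implemented is the one described in the thread (first five letters of the site name, capitalised, repeated if the name is short, then a fixed digit suffix); the guess rate, the two-entry "breach" sample and the helper names are constructed assumptions for illustration.

```python
import re
import string

# Character-class sizes for hashcat-style mask tokens: ?l lower, ?u upper,
# ?d digit, ?s the 33 printable ASCII symbols, ?a all 95 printable ASCII.
MASK_CHARSETS = {"l": 26, "u": 26, "d": 10, "s": 33, "a": 95}


def mask_keyspace(mask: str) -> int:
    """Number of candidates a mask covers, e.g. '?u?l?l?l?l?d?d?d' -> 26^5 * 10^3.

    A literal (non-token) character in the mask contributes exactly one choice."""
    size = 1
    i = 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in MASK_CHARSETS:
            size *= MASK_CHARSETS[mask[i + 1]]
            i += 2
        else:
            i += 1  # literal character
    return size


def random_keyspace(length: int, alphabet: str = string.printable[:95]) -> int:
    """Candidates for a uniformly random password of `length` over `alphabet`."""
    return len(alphabet) ** length


def seconds_to_exhaust(keyspace: int, guesses_per_second: int) -> float:
    """Worst-case time to try every candidate at an assumed fixed guess rate."""
    return keyspace / guesses_per_second


# --- the thread's "first five letters of the site + digits" formula ----------

FORMULA = re.compile(r"^([A-Z][a-z]{4})(\d+)$")


def site_stem(site: str) -> str:
    """First five letters of the site name, capitalised; repeat the name if shorter."""
    s = site.lower()
    while len(s) < 5:
        s += site.lower()
    return s[:5].capitalize()


def infer_digit_suffix(cracked):
    """Given (site, password) pairs recovered from one breach, return the shared
    digit suffix if every password fits the formula for its site, else None."""
    suffixes = set()
    for site, password in cracked:
        m = FORMULA.match(password)
        if m is None or m.group(1) != site_stem(site):
            return None
        suffixes.add(m.group(2))
    return suffixes.pop() if len(suffixes) == 1 else None


def predict_password(site: str, suffix: str) -> str:
    """The user's password on an unrelated site, once the suffix is known."""
    return site_stem(site) + suffix


if __name__ == "__main__":
    rate = 1_000_000  # assumed: about a million guesses/s against a fast hash
    for label, ks in [
        ("mask ?u?l?l?l?l?d?d?d", mask_keyspace("?u?l?l?l?l?d?d?d")),
        ("mask ?u?l?l?l?l?l?d?d?d?s (from the post)", mask_keyspace("?u?l?l?l?l?l?d?d?d?s")),
        ("random 20 chars over 95 symbols", random_keyspace(20)),
    ]:
        days = seconds_to_exhaust(ks, rate) / 86400
        print(f"{label:44s} {ks:>46,d}  ~{days:.3g} days to exhaust")

    # Constructed breach sample: two of the thread's own example passwords "cracked".
    breach = [("ozbargain", "Ozbar007"), ("youporn", "Youpo007")]
    suffix = infer_digit_suffix(breach)
    print("inferred suffix:", suffix, "-> predicted NBA password:", predict_password("nba", suffix))
```

The mask function only multiplies class sizes, it never enumerates candidates, so it is safe to call on a 100-character mask. `infer_digit_suffix` returns None as soon as one password does not fit, which is what a cracker would see for a user whose passwords are independent random strings.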

        • @Praeto: Yeah if they are really after you, it will be easy to crack. Luckily most of hackers are just after quick, bulk search to find low hanging fruit.

          I only use formula for sites that I don't really care if it got compromised (ie. public discussion forum). For personal email or things like that I have different passwords.

        • @djmm:
          Johnny1973, being a name and a date (ie birthdate), will DEFINITELY be in a password cracking dictionary.
          As a result, the difference will be milliseconds to crack Johnny1973 versus a few seconds to crack the other short, non-complex passwords.
          None of the examples you provide are good examples of passwords, but the fact that Johnny1973 contains a name instantly makes it far worse than the others.

          Check out my linked arstechnica article (elsewhere in this thread) on password cracking.

  • Am a sys admin, use Lastpass.

  • Does lastpass work with Apple and pc? I mean can they easily sync?

    • Yes, as far as I'm aware LastPass is the most cross platform of all the Password Manager options.
      Having said that, the vast majority support both Mac and Windows.

      • +1

        I use 1Password, which I don't think is very good, and after reading some of the comments here it sounds like there are way better options.

        • If you're primarily using Apple gear and infrastructure, 1Password is an excellent choice. If you're primarily a windows user, there are better options.

        • @Praeto: I use iPhone but computer is all windows.
          I don't really like 1Password anyway.
          I feel it lacks quality of life features.

  • +7

    Going through this thread, it was a real eye-opener. As my circle largely revolves around tech-heads (largely in cyber security) and family members who've had proper 'cyber-hygiene' drilled into them over the years, I haven't seen folks without proper password management strategies in a while.

    My post is intended to be educational and is not an attack on folk in here. If I can convince even a single person to tighten up their password management, that's mission accomplished for me. :)

    There are a few key reasons as to why a password manager trumps the "I remember all my passwords":

    1. Use of highly complex passwords, that can be rotated on a periodic basis. This protects from undisclosed breaches, spot password compromises etc.
    2. The ability to manage a large set of credentials securely. My manager size is ~400 passwords, ~20ish private key files, ~60 secure notes (containing misc info that is sensitive).
    3. Makes it easier to prevent password reuse, as you can safely set different passwords for every single service.
    4. The ability to share your master password+2FA with next of kin/spouse "in case of emergencies" or as part of a "if I get rekt" dossier is invaluable. I have my master password in a secure physical vault that my SO has access to, along with backup 2FA.
    5. Password syncing and sanity checks are some of the features that ensure you are using appropriate complexity and there are no inadvertent instances of password reuse.
    6. If you don't "actively" remember your passwords, over time you'll forget them. This is especially true if you have complex passwords.

    Some additional thoughts based on some of the posts in the thread:

    1. If you're remembering your passwords, be mindful that over the course of a few years you will forget your password. Have you planned for that? If you're reusing your passwords across services, then a single breach can open up multiple avenues for compromise.
    2. Physically writing down your password with some funky mnemonic device may seem smart, but it is trivially defeated with a few smart word mangling rules. If your mnemonic is very complex, you may end up forgetting how the system works over time (or if there are ad hoc rules made up, you'll forget those).
    3. Storing on a USB stick is not smart. USB sticks get damaged easily, or can be lost/stolen.
    4. Online/Cloud based password managers that do client side decryption, only store encrypted data on their cloud servers; they cannot be accessed by the organisation themselves. This is still miles ahead when compared to printed out password sheets with mnemonics, A5 notebooks with passwords in them, usb stick with word doc etc.

    So please do yourselves a favour and get a password manager and don't be penny-wise pound-foolish.

    • +3

      Great post!

      "Physically writing down your password with some funky mnemonic device may seem smart, but it is trivially defeated with a few smart word mangling rules."

      ^^^ Very important. Almost every mnemonic system listed in this thread is accounted for in the first 50 lines of the mask file being used by password crackers (masks outline the "blueprint" of a password). Those passwords you think are really clever.. aren't. You should be using a password that is completely random, and uses as many characters as the site allows.

      If you look at sites where hashes are shared and cracked (like hashes.org), you'll see that some of the big hashes like LinkedIn are now 97% cracked. If you use the same mnemonic rules for constructing all your passwords, and one is cracked (such as LinkedIn), everyone now knows exactly how to break all your other passwords.

    • +1

      This is a great post, all the upvotes for you! A good password manager (and I note favourably you go out of your way to not endorse a specific one here) is the only solution that scales. I've used one for 9 years and have 1,900 items therein - if nothing else (and there's a lot else, as you note) no mnemonic will help if you don't remember the site you signed up for six years ago…

    • Thanks for sharing. I can't decide between Enpass, Dashlane, KeePass and LastPass. I would only use it on iPhone and Mac. What would you suggest?

  • Are there any users for Dashlane?
    I got the recommendation for dashlane recently. How good is it?

    • Been using it for 2 years now. Really good and available on multiple platforms. I like the auto sign in feature on Android as well, protected by my fingerprint.

    • I recently switched to Dashlane from Lastpass, does the tasks I want better than LP without the bloat.

  • +2

    1Password. I've been using it for nearly 10 years combined with Dropbox sync and it's never failed me, although their Windows apps are a little buggy and really really ugly compared to their Mac equivalents.

    I recently got work onboard with 1Password for Teams. That's how invested I am.

  • I pretty much remember all my passwords, same password but different last keywords depending on the account / service / site .

  • Mooltipass. No online service dependency, needs physical interaction to send through credential information, credentials stored on an encrypted smart card with 256-bit AES; enter a false master PIN 3 times and it destroys the card. Can make backups of the smart card and have multiple users. The device's case is tamper proof.

    https://www.themooltipass.com/

    • Is the name a 5th Element Reference?

      • most definitely :)

  • +2

    I use iCloud Keychain, which stores passwords across all my Apple devices. I also have started using this in combination with the iCloud suggested passwords that come up (usually a super complicated password over a dozen characters long). Can anyone comment on if these are good choices?

  • -4

    An option is missing:

    Brain

    • +1

      That option is only missing for those who don’t own an actual brain.

    • When you have not much going in your life you do not need much. I am sure your little brain will do you.

  • +1

    I'm in the cyber security industry. Although it is argued there are better products I utilise lastpass.

    On my phone it has fingerprint authority, as well as a very complex password.

    Most of my passwords (still migrating) are 100 characters long where permitted

    • Why on earth would you need 100 character passwords?

      • A typical password is a very poor form of security; by having it 100 characters long it means it wouldn't be possible to crack using any dictionary or hybrid attack. And trying to brute force a randomly generated 100 character password would result in you being dead before it's cracked.

        • having it 100 characters long it means it wouldn't be possible to crack using any dictionary or hybrid attack.

          A 12 character password with symbols would take decades to crack, 100 is overkill and pointless.

        • @Scab:
          Today maybe…
          I'd also consider 100 overkill, but who cares if your password manager is entering it for you anyway?

        • @scubacoles:

          Then why settle for 100, make it 500.

          Regardless of whether the process is automated, it's pointless.

        • @Scab: I could crack that in a couple of hours. In reply to your other comment, most websites won't accept more than 100

    • Thanks for the advice. Sounds like you have gone for the pro version.

      Do you happen to know roughly how many passwords you could store with the free 50mb version?

      • I'm actually using the free version…I can't tell you the answer but I've never had an issue

        • +1

          Oh no kidding. Sounds like the free version will do the job for me then, cheers!!

  • Keepass and sync to PC/notebook/phone with Google Drive.

    I don't know any of my passwords and don't need to. They are all 16+ characters long randomly generated. You can just copy/paste right out of Keepass without revealing.

    Also 2FA wherever possible too.

  • +1

    I recently started doing customer support for AgileBits (makers of 1Password), but have been using their apps (and more recently their membership subscription) for almost a decade before joining them. I'm a firm believer that any (reputable) dedicated password management software used to store long, unique passwords for each service is better than almost any of the alternatives – mnemonics, substitutions, plain ol' memory. Of course I have my preference, but I'd take most any over a lot of the alternatives mentioned here.

    As far as password generation goes, the real test is how easy/hard it is to crack a password with full knowledge of the method used to create said password. Every algorithm/system in this thread I've read fails this test – I like Diceware for this, though the trick is to let the generative process be truly random (dice are good at random; computers so-so, humans not so much).

    As the (sole!) Australian rep of the AgileBits team (ninety-odd folk worldwide, with head office based in Toronto), if any OzBargainer cares to kick the tires of a 1Password membership with our 30-day free trial, feel free to PM me for any assistance (or for as much of a bargain as I can swing… 😜🔐🐨).
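
Added example (not AgileBits code and not from the post above) of the "full knowledge of the method" test the commenter describes, applied to Diceware-style generation. The attacker is assumed to know the word list and the number of words; the only unknown is the dice rolls, so the keyspace is list_size ** words and nothing about the method leaks. The word list below is a constructed 36-word stand-in for a real Diceware list (which has 6**5 = 7776 entries indexed by five dice rolls), `secrets` stands in for the dice because it is a CSPRNG with no modulo bias, and the final helper applies the same test to the thread's "site prefix + digits" scheme, where knowing the method leaves only the digits unknown.

```python
import math
import secrets

# Constructed stand-in for a Diceware list; a real list has 7776 words.
SAMPLE_WORDS = [
    "anchor", "basket", "copper", "dragon", "ember", "fossil", "garlic", "harbor",
    "island", "jigsaw", "kettle", "lantern", "marble", "nectar", "orbit", "pebble",
    "quartz", "ribbon", "saddle", "tundra", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zephyr", "acorn", "bonfire", "cactus", "dolphin", "eagle", "falcon",
    "glacier", "hammock", "iguana", "jungle",
]
DICEWARE_LIST_SIZE = 6 ** 5  # five six-sided dice index a real Diceware list


def roll_index(list_size: int) -> int:
    """One uniformly random index in [0, list_size): the dice roll.

    secrets.randbelow is a CSPRNG; random.randrange is seeded from the clock
    and is not suitable for generating secrets."""
    return secrets.randbelow(list_size)


def diceware_passphrase(words: int, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Join `words` independently rolled words from `wordlist`."""
    return sep.join(wordlist[roll_index(len(wordlist))] for _ in range(words))


def entropy_bits(list_size: int, words: int) -> float:
    """Entropy when the attacker knows the list and the word count: log2(N^k)."""
    return words * math.log2(list_size)


def guesses_to_exhaust(list_size: int, words: int) -> int:
    """Candidates an attacker with full knowledge of the method must try."""
    return list_size ** words


def formula_keyspace_with_knowledge(digit_count: int) -> int:
    """The thread's 'site prefix + N digits' scheme under the same test: with the
    method and the site name known, only the N digits are unknown."""
    return 10 ** digit_count


if __name__ == "__main__":
    print(diceware_passphrase(6))
    print(f"sample list, 6 words:       {entropy_bits(len(SAMPLE_WORDS), 6):.1f} bits")
    print(f"real Diceware list, 6 words: {entropy_bits(DICEWARE_LIST_SIZE, 6):.1f} bits")
    print(f"site prefix + 3 digits, method known: {formula_keyspace_with_knowledge(3)} guesses")
```

The strength figure is honest only because every roll is independent and uniform; picking words "at random" by hand, or choosing the one roll you like best, breaks the assumption and the entropy estimate with it.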

    • +1

      So can I sign up for a free trial on the Mac and then download all my data? Reason being I've decided to move to Lastpass as I can have applications on iPhone and Mac for free. TBH I don't want to pay for the subscription on the Mac as I would hardly ever use it, it would just be a nice to have. I do like the 1Password iPhone application but after reading a lot of the comments on this post I've decided to move to Lastpass. The fact that I can have it on the iPhone and the Mac on a free account is a bonus.

  • +2

    I've struggled with this question and as such, I have tried:

    • LastPass
    • Dashlane
    • Keepass
    • 1Password

    I would highly recommend ENPASS https://www.enpass.io/ for the following reasons:

    1. database sits on your computer
    2. if you want cloud, you can sync it on iCloud, Dropbox, OwnCloud, GoogleDrive, One Drive, Box, etc
    3. The database itself is small and you don't need a paid account for the above cloud. My 470KB database has 346 passwords, driver's licences, 2 credit cards and various notes.
    4. Password audit really easy.
    5. FREE for Desktop and no ongoing payments if you decide to go for mobile as well.

    I've been using it for more than 18 months now.

    Give it a go, it's free and easy to use. Don't forget to install the browser extension so it will be simpler to use.

    • That one does look interesting.

  • Is it just me or does Kee-Pass look like Keep-Ass?
    Just me? Alrighty then

  • Samsung Notes under a locked note requiring fingerprint to open. Quick and easy.

  • +3

    These days if you use Apple, they will store your password in the keychain and it is portable across devices. Also does auto sign in from the browser and is free. Furthermore the keychain can be protected by fingerprint if you have an iPhone. Hope this helps. Not really a Windows user but there are many apps out there. Some cheaper than others.

    • +1

      Yeah same, because I use a Mac I'm automatically using Keychain and because I use Chrome to web browse I'm also automatically using Google Smart Lock.

      Don't even have to think about it :)

  • Dashlane Premium, https://www.dashlane.com/

    • Not being able to sync across devices on the free version kinda sucks.
