Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length.

[Tug Fanatic]

Hopefully I will get an answer from somebody who understands this in a language that I will understand!

Like most people I have literally hundreds of passwords some of which are much more important than others. I do not reuse passwords and most of my passwords are horribly complicated. I do not allow my computer to remember passwords, I have two level passwords on things like my email accounts, I close my browser after using financial passwords & I regularly run virus checker, Malware Bytes & CCleaner. I regularly, often automatically, update my software. I have been recommended to look at Password Managers to sort out the complicated mess and improve security.

But I am concerned. At the moment I have control of my passwords and they are not recorded anywhere that will help anybody else. If someone breaks one then I have a problem but it will not cause problems elsewhere.

If I have a password manager then surely that password manager has everything. I think of hacks like Yahoo and wonder if someone could steal all of my passwords to everywhere in one go. I am also told by my bank etc not to ever share my password with anybody. I have a nasty feeling that they might see a password manager as sharing and thus deny any liability.

How do password mangers cope with those sites that ask for the say the third, fifth & then seventh characters of the password rather than the whole thing?

I am sure that the providers of the password managers have thought of all this & that if it were a problem nobody would recommend their use but I don't understand. As a child I was told don't buy anything you don't understand & that is where I am now.

I have searched the internet & cannot find an understandable explanation of how this works.

Explanation please.

[C-3PO]

Not sure if this helps - may give a little detail of one product available  - this stores your passwords and more in a secure, cloud-based vault that only you can access (can I hear alarm bells ringing)

https://identitysafe.norton.com/

I think it's fair to say nothing is 100% robust in this context and if that's enough doubt for you don't do it!!

The thought of giving lots of access details to a third party to store for me for free gives me the heebeegeebees

Don't think there is an easy solution for this one - I have a crib sheet in my wallet padded out with lots of noise (random alphanumeric padding and sometimes just word association) - with no direct reference to web site of instituition works for me!

C-3PO

[derekwarner]

This is an interesting question....

However I do not understand why an individual would need....'literally hundreds of passwords' 

Having said this, I am not prepared to commit my 13  individual account numbers & respective passwords to any supposedly encrypted cloud

I have a copy on a ZIP drive, a copy on my portable Ultrabook, a copy on my Desktop.......the latter 2 of these are backed up to individual external drives .....& the ZIP drive to a mirrored another ZIP drive........and the most used...a paper copy committed to an Excel spread sheet which is about the size of a credit card  & double sided & in my wallet

I think it would take a crew from your Bletchley Park a few years to understand my encrypted symbols understand what was what 

Derek

[C-3PO]

Nice one Derek! - Looks like so far 2/2 people say use a crib sheet in your wallet - now I am worried - is this what we all do:)

C-3PO

[Tug Fanatic]

Nice one Derek! - Looks like so far 2/2 people say use a crib sheet in your wallet - now I am worried - is this what we all do:)

C-3PO

No it isn't! We all have coping strategies but carrying the info I my wallet is way down my list of desirable solutions however well I think that I have disguised it.


Reading the Norton Identisafe page I agree that it is extremely vague about what "only you can access" means & how they achieve that. Nat at all convincing.

Hundreds of passwords? yes really. I have over 50 passwords that I regard as important and then lots more that are everyday - sorry but my password here falls into that category. It all comes to over 100 passwords & a lot of those are ID (most others start with my email address) & then a password. Several are id + password + keycard or computer number generator. That equates to over 150 things to remember.


As no one who has replied trusts these password managers why do they keep getting recommended.


I am not sure that paying for the service makes it any safer!

[dougal99]

I keep all my passwords on a computer not connected to the internet and backed up elsewhere (again no internet connection).

[tigertiger]

I read some advice on password security. It was as follows.
Most of the things that require passwords are very low level security, these only need to be simple passwords. Save the few complex harder to remember passwords for access to data that really needs to be kept secure. Email accounts should be secured as they are targeted for identity theft.

With the exception of email. As an individual your home computers are unlikely to be targeted by hackers, as they generally go for commercial systems. Exceptions I have heard of is if people are using commercial network software for home use, as you can be mistaken for a commercial network/target. Home wifi routers are targeted a lot in China as some people think it is cool to freeload other peoples bandwidth (mostly to download/stream movies). I am not sure if this is a problem in other parts of the world.

Regards your original question, there is a lot of advice online from independent expert sources.

[dougal99]

My anti virus tells me that my computer is being maliciously probed several times a day. Keeping your passwords on your computer would seem not to be a good idea if this is true and not just scaremongering on the part of the anti virus provider.

[Bob K]

Any software company, even very "secure" good names, that offer to store ALL your passwords for is asking for trouble IMHO.  It may be less likely that a reputable company may be hacked, but if they do then the nasties have the lot on you - every single file and access point.  You also stand the risk of losing the lot if anything happens to that data file.

Keep your passwords on a sheet of paper, locked in a secure cabinet, or a unique text file on a memory stick (with backup of course) uniquely kept elsewhere.  Even if your PC goes feet up you still have that remotely stored USB stick.

Better still, remember them - same as your card PIN numbers.  Do not write them down at all.

[tigertiger]

A few years ago I had lots of messages saying my computer was being tracked. It was a pop up advert for anti malware. In itself a form of malware.

[Colin Bishop]

I use KeePass: https://keepass.info/

The encrypted files can be copied between my devices.

And yes, I have dozens of the things too, it's almost inevitable these days.

Colin

[Nordlys]

Could you honestly remember 20 different passwords even if they were vaguely similar?
You are not supposed to use the same password over and over  -  this is the problem n'est pas?
But -  a solution is needed - interesting discussion.
N.

[tigertiger]

Andromeda
Bismark
Cunard
Dreadnought
Enterprise
Frigate
Gunboat
Hermes
etc.

[Tug Fanatic]

TigerTiger
Yes there is a lot of information on the internet but none that I have found is very specific about how it works nor about how it might be compromised. I am not sure how a list of ship related names would help me remember which applied to which account nor that such a list isn't a hackers delight as it narrows down your choices so much.

Just imagine that Photobucket (policy changes) or Yahoo (security issues) were Password Manager organisations.

I don't want a solution where the only thing that knows my passwords is something that I don't understand or where it is all held in the cloud.

Keepass sounds interesting. Perhaps not to protect my life savings but to deal with the vast majority of my passwords which are lower priority.

I have been reviewing all this & I am not sure that I even know all the groups/organisations that I have accounts/passwords registered with. Everything that I have purchased online for years has required me to set up an instantly forgotten account that gets remembered when I next shop with them & am surprised that they know me & ask for my password. Some solution is necessary as the list of pass words grows daily.

[Nordlys]

I got locked out of my NSI account for 5 days until a new password was activated all  because I got something wrong with an ID question once,
N

[Tug Fanatic]

I got locked out of my NSI account for 5 days until a new password was activated all  because I got something wrong with an ID question once,
N

Half the world must know my mothers maiden name, the first line of my address, postcode, the name of my first pet, first school & date of birth + plus the other usual questions, by now yet many still think that they need to ask me to help prove who I am. I am sure that this information will have been stolen in one of the data breaches somewhere. Any organisation that uses them hasn't a clue & I suspect is getting a false sense of security by asking for them. I remember reading a suggestion that I should make them up but then that is another list of passwords to remember.

[tigertiger]

The ship related names thing was a bit light hearted, but systems like this are useful for all those accounts where security is not important. There are ways to connect passwords with the account, with a little thought.
You are right that there are a lot of companies that want you to register an account, when you purchase (or even before). The result is usually spam, but it can be useful to track your own history,  sometimes. But if they are instantly forgotten, well it was probably only important to the companies marketing manager.


Regarding info on line. You did say in your OP that you did not want to get technical. There are reviews/comparisons in online publications that dumb things down for us mere mortals, but do allow us to make a more informed decision; and will give more knowledgeable answers (on the specialist topic of IT security) than you could expect on Mayhem.
As for who will be targeted next, and where the weaknesses in these companies systems are... they won't be advertised and some of the weaknesses won't be exploited until the are discovered. As some of the biggest names in tech have seen recently.

[timgarrod]

I use lastpass and it good.

word of warning, they are only as good as the master password(my master password is over 100 characters long)
this is good to check the passwords you use,
https://howsecureismypassword.net/

[Colin Bishop]

There is a more sober aspect to all this. With many of us doing online banking, gas, electricity and water accounts and, managing assets and all sorts of other things just imagine what would happen if you were to fall under the proverbial bus! Very often it is the man who does most of this as he is likely to be more technically savvy (sorry girls) and  is also more likely to shuffle off this mortal coil first. Your nearest and dearest could have a dreadful job sorting out your affairs without easy access to all the important passwords. Been there and done that as an Executor.

My Keepass master password is not a long one but it is a family in joke word which my Wife and Daughters will not forget but which is meaningless to anyone else and not guessable. They know how to access it if needs be and I do trust them of course.

My Wife and I have separate bank accounts and ISAs but the accounts are joint accounts to which we both have access to should there be an emergency so money would not be frozen if one of us should fall off the perch.

It is these practicalities that so many people overlook and which can cause so much extra grief and hassle in the event of a bereavement. I know people who do not make wills because they cannot acknowledge that one day there will be a need for them. By not taking action they are making things really difficult for their loved ones at what is already an extremely stressful time. You can't just assume 'that everything will turn out OK regardless', it won't!

Colin

[Tug Fanatic]

Yes & dying makes it easy. Total disability such as a serious stoke can be much worse as the, extremely expensive & slow, Court of Protection will get involved with every penny for as long as you live unless you have Lasting Power of Attorney.


We have it set up - if you don't I seriously suggest you find out why you might consider it.

[inertia]

I use Lasspass like Tim, for the reasons given by Colin.
My network manager guru Huw recommended it, along with a method of setting a master password which isn't over 100 characters long (it's 15).
My bank's system declined my card and they rang me when I tried to buy a guitar case. Said it was an "untypical purchase from a risky trade group".
Bless 'em.
'Nuff said.
DM

[Colin Bishop]

Maybe it was the Kalashnikov they thought you were going to put in it Dave.

Colin

[Tug Fanatic]

I use Lasspass like Tim, for the reasons given by Colin.
My network manager guru Huw recommended it, along with a method of setting a master password which isn't over 100 characters long (it's 15).
My bank's system declined my card and they rang me when I tried to buy a guitar case. Said it was an "untypical purchase from a risky trade group".
Bless 'em.
'Nuff said.
DM

Is there a way back if Lastpass create problems like Photobucket has managed to do?

[Colin Bishop]

Not sure about Lastpass or where it is actually located.

I like Keepass as it is a separate program which sits on each of your devices and you can import and export the master password database between therm. No faffing around with the Cloud etc. when you son't know where the information is being held/sent.

It won't automatically fill in your passwords when you are accessing applications. You need to open it in a separate window and copy or cut and paste or reference the information across depending on the nature of the password. OK, a bit of manual effort but you are in control. Suits me as DM would say.

Colin

[kinmel]

I have 2 "core passwords" - one financial and another for everywhere else, anyone can remember 2 passwords.

Each core is 9 characters long and includes Capitals, lower case, numbers and symbols, in themselves there is no meaning.

To create a password for a particular site, I start with the appropriate core and and add 3 characters into the core from somewhere in it's web address, always using the same method of selection.

For example perhaps on Mayhem I always land on http://www.modelboatmayhem.co.uk/forum/index.php?action=unread  , so might use "first letter", "fifth character" and lst vowel on every site. So with a core of  " &Z4_-tT> p"  here it would be  m&Z4_l-tT>pe.   and for http://www.theregister.co.uk/ it would be t&Z4_e-tT>pr

After a while, you create a new password without thinking about it and inputting it is equally automatic, I occasionally visit over 100 sites and each has a unique password and I just remember two 9 character sequences.

Simplicity can be overwhelmingly complex.