How Safe Is Your Password?

[Paladin]

It's getting easier to hack passwords:

How Safe Is Your Password?



Lots of characters plus uppercase, plus numbers, plus symbols is the way to go.

I'm using "Dashlane" for passwords which helps a lot

[Tex1961]

Interesting... Thanks for sharing... When I sign up for a new site my Mac will assign a strong password... It's like 30 characters long with upper, lower case, letters, numbers and symbols.....

[RoyGBiv]

I use LastPass and BitWarden. LastPass recently went from being free for personal use to only being free on one type of device (computer / portable). I'm finding BitWarden to be a good substitute, but, LastPassk was better integrated with applications I use. I may pony up and pay for the premium version of LastPass, but I'll give BW a bit more trial time.

Took me a while to go through all my passwords and update them to randomly generated 16 character strings. But, I feel much better having done it. The motivation for me was a data breach that exposed a user name / password combination that I used frequently for low-risk websites like this forum. Little of any real value is at risk if someone hacks my account here, and many similar places. After a reported data breach, I had to go through and update any website of any importance to a new user/password. I figured it was a good time to get started with a password manager/generator.

About the only passwords I still keep only in my head are for banking.

[03Lightningrocks]

Time for armature hour folks. How does someone go about "hacking" a password? Is this something they do by using your user name or do they have to get access to your computer?

[Rafe]

I use a unique password for every website and registration and email account I have...that's like a lot of passwords. I use the free Dashlane password generator (it's recently been tweaked with some improvements, BTW). The only passwords I set that are fewer than 30 characters are ones I know I'll have to type in on my cell phone for app access; those are still at least 15 mixed characters, and it takes me forever to get some of them typed correctly...I'm not good at tiny touch screens; they're made for people with pianist fingers.

I'm old-school and get the jeebies at the notion of a password management application taking care of that for me. If the application fails or the data gets corrupted, I'm in a world of hurt. I keep all my account information in MS Word documents that are 256-bit AES encrypted; separate documents for for clients' websites I manage. On the first of each month I copy the previous month's document and rename it to indicate the current month and year. Then I use an app called AxCrypt to encrypt the already encrypted prior month's document. Then I archive the double-encrypted file to local storage as well as the cloud: one year of files locally, 24 months in the cloud. Stupidly complex, I know. But the whole two is one, one is none thing. Several times I've needed to go back and see the state of things for a client in previous months and those encrypted archives are lifesavers.

For the majority of website registrations I also use unique email addresses. I really don't want a password compromised, but I also don't want an email address siphoned off. For that purpose I use 33mail.com. It isn't a disposable email service (technically I guess it's an email masking service), and to use it effectively you really need one of the tiers of paid accounts. You get an unlimited number of email addresses (at last count I was using over 140), and inbound email will forward to a single account that you specify. You choose a subdomain name that isn't in use--say, "acme" as a Wile E. Coyote example--and then on the fly you just use any name in front "@acme.33mail.com"; don't have to create the alias, just use it and it creates automatically. Works like a charm. Then if spammers get hold of that email from a website whose security is too lax, you can just turn off that particular alias name. Easy and painless. To stay anonymous, you can even reply to an email and it will be sent as if under whatever 33mail alias was used for the inbound message. I seldom use that, but it's a handy feature.

Yeah, the internet has become a more treacherous place over the last couple of decades. Be careful out there.

[Rafe]

Time for armature hour folks. How does someone go about "hacking" a password? Is this something they do by using your user name or do they have to get access to your computer?

Here's one of the better explanations I've seen. It's a couple of years old, though, and I'm sure there are more sophisticated options today.

[RoyGBiv]

Time for armature hour folks. How does someone go about "hacking" a password? Is this something they do by using your user name or do they have to get access to your computer?

There are many ways... Here's a couple...

1. "Hacking" generally refers to gaining access to a companies data... a data breach. Maybe they find a flaw in the operating system and "exploit" it. Maybe a careless worker gets "phished".... example.... You give your name, address, phone, and set up a login and password at.... Walgreens. Someone hacks into Walgreens data and gains access to your information. Now they know your login and password... If you use that same login/password combination to get into Amazon, then the hackers might try to log in to your Amazon account and send themselves things. (Amazon is not a great example because they have better security and will ask you to confirm log ins from new devices, but, just an example).

2. Phishing..... You receive and email, or text or phone call... The email warns you that your bank account or your eBay account has been locked and please click the link to reset your password. You click the link and it takes you to a site that looks very much like Bank of America, you enter your login, old password and new password. Now the thieves have your login and "old password", actually your current password, and can clean you out.

Lots and lots of creative criminals on the internet.

https://portswigger.net/daily-swig/data-breach

[Rafe]

Lots and lots of creative criminals on the internet.

Yep; and we didn't mention another local-computer favorite: Trojan key-loggers. The popular anti-virus anti-malware programs do a good job of catching these, but load-in-RAM Trojan apps exist that will record your every keystroke and then send the data over the internet to the hacker's repository. There are even ways, if your WiFi network isn't secured, for hackers to be able to mirror your screen to a device not too far away...say a nondescript white van parked near your house. They can watch what you do and simultaneously capture the data being sent, including usernames and passwords. Always use strong encryption on your WiFi router. For example, WEP 64 and WEP 128 are deprecated and really shouldn't be used any longer. WPA and WPA1 are also outdated and shouldn't be used if you can avoid it. WPA2 is the way to go right now, but there are two flavors: TKIP and AES. TKIP is an older encryption carryover and really should only be used if you have older devices that can't use AES. On newer routers, you'll often just see "WPA2" or "WPS2-PSK."

[rtschl]

I use KeePassXC https://keepassxc.org/ to maintain my passwords. It encrypts the database with a master password and runs on Windows, Mac, and Linux and has a portable version that does not need to be installed to run. Since it's open source, there are apps (at least in Android) that you can download and use on your mobile devices.

I like this program as it lets me generate and keep custody of my own passwords not kept online by a company. Though unlikely, if they got hit by ransomware, or some other catastrophic disaster, I'm not relying on a third party that has to be online for access to my passwords that I have no idea what they are. You can always go through the password reset process if needed. I do store the encrypted database in my personal cloud that my mobile devices have access to. So if you use this, make sure you have a very strong complex master password that you won't forget and a backup somewhere that you keep up to date.

I generally do not use the same password for anything - especially financial, health, government, work, etc. For ones I need to manually type in my phone or have to change often, I like using passphrases mixed with special numbers and special characters or what is sometimes referred to as a secure version of dictionary random words. You can read a good article about strong passwords here: https://cybernews.com/best-password-man ... -password/ Examples the article uses of passphrase type passwords. NOTE: Since we can't use tabs in comments, I separated with colors:


I first went to Disneyland when I was 4 years old and it made me happy PASSWORD: I1stw2DLwIw8yrs&immJ

Jigsaw, quest, trait, fork PASSWORD: Jigsaw%Quest7trait/fork48

“One for all and all for one”: The Three Musketeers PASSWORD: 14A&A413Mu$keteers!

[03Lightningrocks]

Thank You for the information. I have received many texts and emails over the years trying to get me to "log in" due to issues. I delete them all and label them junk. I figure Amazon is not going to send me an email telling me to confirm my password. LOL

[RoyGBiv]

Lots and lots of creative criminals on the internet.

Yep; and we didn't mention another local-computer favorite: Trojan key-loggers.

I had to answer a call... busy morning.
Thanks for the added info... Great reminder on WiFi encryption. I had to double check that "Low" risk uses WPA2 on my router.

[Keith B]

I set all my passwords as ‘incorrect’. That way when I can’t remember my password and type in the wrong one, it comes back and says ‘Your password is incorrect’

[Flightmare]

I set all my passwords as ‘incorrect’. That way when I can’t remember my password and type in the wrong one, it comes back and says ‘Your password is incorrect’

I tried to set mine to "snub nose", but it told me "not long enough".

[powerboatr]

Lots and lots of creative criminals on the internet.

Yep; and we didn't mention another local-computer favorite: Trojan key-loggers.

I had to answer a call... busy morning.
Thanks for the added info... Great reminder on WiFi encryption. I had to double check that "Low" risk uses WPA2 on my router.

me to and we did just did the change password drill. my government accounts are sticklers for length and odd characters.
but my wifi is blocked by all the metal in the house form getting past the door

[jmorris]

The guy that does the XKCD comic is a physicist and worked in robotics at NASA's Langley Research Center in Virginia. Knows his math.



IT for over three decades and the most violated rule was "don't write it down" because of the complexities. Best thing DoD did was move away from passwords.