Passwords

I am registered at a LOT of sites - blogs, hosting accounts, stores, message boards, etc.  A few years ago I started using the Lastpass Chrome add-in to track and remember all these passwords.

One problem though: like most people I was using the same few passwords over and over.  I had fixed, mostly, the most egregious mistakes, such as using the same password for low-trust sites like bulletin boards as for critical sites like banks.  But Lastpass showed me was that I still had a lot of password duplication.

The Adobe security breach finally got me off my butt.  My user name and password were among those that Adobe lost (which was particularly irritating because Adobe was one of those software companies that demanded a registration even when one should not have been necessary).  There was nothing at Adobe of mine they could screw up -- the registration was obviously to try to sell me more stuff but I never bought anything.  But there were possibly other sites using the same password they could screw up.

So I began a mission to change my passwords to 12-digit randomly generated strings of letters and numbers.  Having Fastpass helped a ton, as I would never have remembered all the sites with which I had registrations.  There were hundreds.

This was a real slog, a task so boring it was equaled only by the month when I ripped all my CD's to my hard drive and surpassed only by the 3 months when I ripped all my DVD's to hard drives.  The problem was that every web site was essentially a little portal-like adventure puzzle, trying to figure out where the hell the options for password change could be found.  I challenge those of you who have registered at WhiteHouse.gov to sign a survey to find the place to change your password.  At JetBlue, there is no such option in the user accounts -- you have to log off and click "forgot my password" at the logon screen and then click on the option to reset the password, but the reset email never shows up.  At two or three sites I had to email the site web manager to send me a link to the password change page.

Anyway, it's finally done now.  There are a couple of sites I use from my iPad for which I had to create unique memorable passwords because iOS does not have very good support mechanisms for such services as Lastpass, though as Chrome for iOS gets better, I expect that to make the problem easier to manage.  I had forgotten how many of these passwords (Netflix, Hulu, Amazon, etc.) were plugged into things like my Roku.  It was irritating with the crappy remote to enter these random strings of characters as new passwords.

Of course security of the Lastpass account becomes a problem.  I guess I have to trust them.  My password for them is unique and never has been used anywhere else and contains no real English words.  I use 2-step verification at all times to log into it, so hopefully I am moderately well-protected.

  • nemome

    I take a line from a song, and then use first couple of letters or last couple of letters of each word in the line to create a password...easier to remember

  • John

    I use KeePass Password Safe for both Linux and Windows. I guess I preferred it to LastPass because all of its username and password data are stored on my hard drives and USB flash drives, not any type of third-party database. (That's how LastPass stores passwords, right?) My default is choosing 50-character passwords for any site that will let me, which is troublingly few. How is it possible that a national bank's website caps its passwords at 12 or 16 characters? And Microsoft? What do they care if I choose a longer password?

    Does anyone know how much extra storage space or bandwidth a website would need if every single user's password suddenly jumped to 50 characters? I'd love to know, even if it's just a rough estimate. Would that really put a strain on their computing resources? Why else do they set such low caps for password lengths?

  • Daublin

    An additional thing to take care of is to set up your backup access plan. Supply an email address you know you can get into. On your email site, supply a cell phone number where they can text you, and make sure it stays up to date.

    For anything you use for backup access, guard it very carefully. Anyone who gets access to that email address, or to that phone number, will be able to log into your accounts with it.

  • aczarnowski

    I went through this a while back myself. I'm another happy user of KeePass for the reason John mentioned. It also has an Android version. I'd rather manage moving the database file around myself than give the data to a third party.

    And, yes, the roku and Android app updates across multiple devices are a PITA.

    I've also come to realize that my long email address is a second helping of PITA in this space. I need to think of a shorter domain to register.

  • Arthur Felter

    This XKCD comic is relevant here.

    http://xkcd.com/936/

  • MingoV

    I started using LastPass early this year and went through the same hassle. I finally gave up on using special characters in passwords: too many sites wouldn't accept them. (Apparently their programmers don't know how to use higher ASCII.)

    I still use a single simple password for blog commenting, which means that I don't have to launch LastPass.

  • Shane

    My wife and I use Keepass. Works great. She has it on her Surface her Windows Phone and I have it on my computer. I know that there is an Android app. and I am pretty sure an Apple app.

  • Craig L

    I have a Word document.

  • bigmaq1980

    No, no, no. Not a good plan. What if your computer compromised by hackers, or is stolen, or was damaged in a fire...just as examples?
    LastPass, KeePass and apps like them are very easy to use and can store more than passwords - they also provide nice autofill for things like address, credit card numbers, etc.. Plus some provide their capability across platforms - e.g. smart phones, tablets, as well as computers.

    Highly recommended!

  • bigmaq1980

    Warren, have you checked out something like the Yubikey? Might be a way to address your security of LastPass account concern.

  • bigmaq1980

    Great suggestion.

  • Don

    Well played, Arthur! You can learn more about systems administration from reading XKCD than I learned in college :^).

    Personally I just use "P455w0rd" for everything. I add "!!" on the end for financial accounts :^).

    No one will EVER guess that!

  • ErikTheRed

    Since everyone else is adding their $.02... I use 1password.

    The downsides are:
    1) It's expensive - covering all of my devices cost around $100.
    2) It does so much that it requires more effort to learn.

    The upsides are:
    1) You can sync passwords between devices using most of the big cloud-based file sharing systems (iCloud, Dropbox, etc). The files stored in the cloud are encrypted with your main password.
    2) It supports Windows, OSX (Mac), and iOS (iPhone, iPad)
    3) It can handle multiple password lists, you you can share certain passwords with your spouse, business associates, etc.
    4) It's a reasonably secure design - all files are always encrypted against a master password. It would be nice if there was a way to restrict it to certain devices.

  • Chris

    Check out password-proxy.com or send me an email chrisg@pleasantsolutions.com. We have simple, and cost effective way to manage all your passwords.

  • jimcraq

    So, what is your Lastpass password, just out of curiosity?

  • MikeBruner

    Roku mobile app includes ability to type in stuff like passwords. That helps.

  • obloodyhell

    LOL, now you're going to really get screwed when some terrorists attack the location of the lastpass servers and shuts them down. :-D

  • obloodyhell

    I would point out that some password systems reject passwords that contain words in their dictionary, so this won't work as-is. Seriously.

    But it is true that longer passwords are worth more than just expanding the bit-space by enhancing the character set. I'd be concerned, though, that it's a lot easier to break Randall's scheme if you presume that's used -- because if you just take a dictionary with 20k random words in it, I suspect it would not take that long to run through 2,3,4,5 word combos from that dictionary at 1000 per second. Even more so if you tried a smaller set of 2k words first. Combinatoric expansion is pretty significant, but that's a pretty limited set of words there.

    Actually, the best system I've seen for passwords is to use a particular song you know well, e.g., "Yesterday": "Yesterday, All My Troubles Seemed So Far Away"... yamtssfa. Who the eph is going to figure that out? (no, you should use a DIFFERENT song than "Yesterday", but one you know well... "your song" with your first high school sweetheart, and probably pick a different lyric than the first one)

    If you know the song well, you can easily make a password as long as you want, then it's just a matter of remembering where to stop. Knowing what song you used, then what lyric you chose, is VERY personal info, not easy to research or find out socially.

  • obloodyhell

    BTW, those using LastPass -- you can export a local copy of all your current passwords onto your computer. I recommend doing this now, and then again later at regular intervals. You may find this to be A Real Good Thing to have. That's not info you want to lose access to at any point, if you can help it.

  • obloodyhell

    Try "FOAD". :o D

  • obloodyhell

    Dude, however smart you are, Randall is most likely smarter. If you pay any attention to his topics, the guy is not a lightweight. I'm sure the basis for this discussion came from interacting with high-level math types who specialize in this stuff. Because it's very clear he really pays attention to mathematics on a level well beyond what anyone not an actual math graduate student(or better) pays attention to... or not just a programmer but a computer security specialist, which is, essentially, the same as a math grad student.

    The biggest flaw in your comment is that you're attacking the source, not the argument, which Randall clearly elucidates in the toon. I imagine you ARE smart enough to recognize this is essentially "ad hominem".

    I don't care if it's a comic, he makes a good case for it. I can think of several improvements that make it immune to the most obvious form of attack (i.e., a dictionary-based one), yet keep it very "human memorable"... I'll leave that exercise to the reader :^D