Get A Password Manager

After reading this, everyone should be getting a password manager.

I am convinced that the best way to get someone's password is to break into crappy sites like hobbyist bulletin boards.  I am on 10 or 12.  "So what", you say?  What can someone to do to you on a bulletin board?  Not much, but since you likely have scores of passwords, and you likely don't use different passwords for every site, then that user name and password on that crappy bulletin board may also work at Citibank.  Then you are in trouble.

I got a password manager last year (lastpass) and changed every password but one to 12 digit randomized passwords that the program then remembers.  That database is protected by a complicated password I have never used anywhere else and is not a real word, and protected by two-step log in (via Google authenticator).  The only other password that is not random is my email password I have to use so often from so many mobile devices that I have a long phrase I use for it that I can remember.

This is undeniably a hassle, particularly for mobile devices where lastpass and other password managers are behind and harder to use (in part because there are not as many browser plug in abilities).

I won't say this is bullet proof, but it is much better (I hope) than where I was before.

Is it safe enough?   Here is my theory, which requires a brief joke first.  Two men are camping in the woods when an angry bear shows up, clearly ready to devour them.  One man quickly starts putting on his tennis shoes.  The other says, "You don't think you can actually outrun that bear, do you."  His friend said, "No, but I don't have to outrun the bear, I just have to outrun you."  You can never be safe, but maybe you can make yourself a comparatively less inviting target.

Update:  The biggest hassle of all is changing your password on a hundred sites.  There is NO standard for where to locate the password-change links.  You will think at first smugly that surely it is all in the "my account" section of each web site.  OK, don't believe me.  You will find out.  It is a mess.   And Whitehouse.gov was one of the worst, by the way.

  • mesocyclone

    Do you really have 100 sites where the password protects anything worthwhile? Why not just change it on important sites, like ones where you can spend money by logging in?

  • Maria

    Annnd, I just now saw a news story where some of the password mgrs had hack attempts of late. I don't trust anything that sits "in the cloud" to be protected.

    I just come up with a sentence about the site and then use letters/symbols from that or on sites I change the password often - it's letters/symbols from a to-do list item/habit I want to change.

  • herdgadfly

    Hmmm ... I just signed in to comment on Coyote Blog using Discus which is the discussion software for most blogs now-a-days - except for Blogger blogs. One password , baby, and it is so simple it is rated "weak." So what if someone gets on this blog and pretends to be me?

    About the time that I used a password manager, I would lose or forget my p-word and then I would be locked out of everything forever. Old minds cannot take the risk of a password manager.

  • http://EasyOpinions.blogspot.com/ Andrew_M_Garland

    ( https://www.schneier.com/blog/archives/2014/03/choosing_secure_1.html )
    Choosing Secure Passwords
    === ===
    A typical password consists of a root plus an appendage. The root isn't necessarily a dictionary word, but it's usually something pronounceable. An appendage is either a suffix (90% of the time) or a prefix (10% of the time). One cracking program I saw started with a dictionary of about 1,000 common passwords, things like "letmein," "temp," "123456," and so on. Then it tested them each with about 100 common suffix appendages: "1," "4u," "69," "abc," "!," and so on. It recovered about a quarter of all passwords with just these 100,000 combinations.
    === ===

    Important sites need randomized passwords which can't usually be remembered. I like the free program PasswordSafe that Schneier wrote and distributes. It can operate from a memory stick.

    What do you do about the long master-password which you do have to remember? Use a personal phrase or just write it down and carry it in your wallet. You will memorize it after a while.

  • Halcyon

    I'm with Coyote here.I use Keepass for saving all my passwords and have over 100 sites with the passwords saved. Many of these are "junk" sites that I use the same password for, but for the important sites I let Keepass throw up an impossible to remember password that I then 'drag and drop' over to the site I'm using. Drag and drop negates any spyware that keylogs, screenshots or copies the clipboard.

  • LoneSnark

    Security is expensive. Therefore I spend my security wisely. Because 98% of my passwords don't protect anything of value, I use the same easy to remember password for 98% of my passwords. The other 2% of passwords are completely unique to each other and absolutely not stored in the cloud. I use an android app to store them and then I back up locally.

  • sailor116

    A password manager is great but has a high cost of use (good luck logging on from a friend's computer, etc.)

    A reasonable compromise solution is a password ALGORITHM which is both secure and easy to remember.

    For example:

    1) Start by remembering a "base password." For illustration purposes I will use "1234" but you should choose about 6-8 strange digits in real life, i.e. "2Gzi3w". Make sure it has a number, uppercase letter, and lowercase letter. I recommend against using special characters: yes they are somewhat more secure, but too many sites won't allow them which makes this fail to work. (The number of sites which REQUIRE a special character is far fewer than the number of sites which FORBID them)

    2) Make up an algorithm. Again, you'll only have to remember this once. Like, say:
    first letter of website/description, then third letter of website capitalized, then base password, then fourth and subsequent letters in lower case.

    3) You now have individual secure passwords for every website you visit.
    coyoteblog.com turns into "yC1234oteblog"
    hotmail.com turns into tH1234mail
    gmail.com turns into aG1234il
    capitalone.com turns into Pc1234italone

    And so on. Of course, it would be your base code instead of "1234."

    Of course, you can make things longer if you want. But no matter what you do, it's simple and relatively effective. And when you want to change passwords, you can just change your base code.

  • ofek5

    Just for the record lastpass has some security problems http://devd.me/papers/pwdmgr-usenix14.pdf

    Anyway the Hackers that are threat probably know your passwords already

    Hackers Probably Know Your Passwords http://www.motherjones.com/kevin-drum/2014/08/russian-hackers-probably-know-your-passwords

  • aczarnowski

    Yes, you should use a password manager. Yes, it is a minor PITA. You should still do it.

    I do not trust the cloud for personal data, especially passwords. So I'm also using KeePass 1.X on Windows, Linux and my Android phone. It works just like it says on the box. I have to copy the password database around by hand but it's fine. And this way I have backups.

  • Zoran Lazarevic

    I use an algorithm password.
    What do you do if your password manager database gets corrupted? Or lost?
    I guess you have to keep a good backup.

  • bigmaq1980

    Applying 80/20 is a good start. But there are a list of conditions that would have to be on the "unimportant" sites such that they never lead back to one of your important ones (e.g. unique user names, email ids, address, phone numbers, credit card, other identifying info) and should never have a password that is partially like one of the important sites.

    Why? As hackers get more sophisticated and eventually grab several of these "unimportant" ids (hopefully the administrators don't think security is any less necessary on those sites) and passwords, they will use other software to find possible matches - there are a variety of ways to do this.

    When some organization(s) is(are) capable of stealing 1.2 billion ids and passwords, you can bet they or their buyers are sophisticated enough to analyze the data. On that scale, there is gold to mine.

    http://www.s-consult.com/2014/06/16/evernote-forum-data-breach-drives-home-need-for-unique-password-on-every-site/

    The point is to give them as minimal a vulnerable profile as possible, and not be "easy pickings".

    .

    On another note, when using a password manager, I just learned we need to watch out when using autofill...

    http://forum.stanford.edu/events/2014slides/security/Suman%20pwdmgr.pdf

    The technology is not perfect, but folks who use it will be a few steps ahead of the other bear runner.

  • obloodyhell

    }}} then that user name and password on that crappy bulletin board may also work at Citibank.

    Then you're an idiot and deserve whatever happens to you.

    I have only 3 or 4 actual passwords, but they are of varying levels of security. The one I use for my wordpress login is much simpler and FAR more commonly used than the one I use for banking, which ... I DON'T EVEN ENTRUST TO THE PASSWORD MANAGER I **do** USE. I type that one in-full every time i access my online bank account.

    I use a different one for my mail accounts, which is fairly complex and IS stored in my password manager. And yes, the password manager itself has a unique password unused anywhere else.

    If someone manages (somehow) to guess my password and logon as "OBloodyHell", then Big Ephin' Deal. It's not going to give them A-1 CLUE about my password to my mail account, the pswd manager, or the bank account.

  • obloodyhell

    If I may suggest, the best way to derive a "random" text string for this purpose is to pick a song whose lyrics you know so well you can probably say them backwords with relative ease. Use the first character of each word as the string -- you only have to know which lyric line you used, and how many letters you chose. Sing the song in your head and you'll know the string.

    Example: Everyone knows the lyrics to "Yesterday": "Yesterday, All my troubles seemed so far away...". So yamtssfa -- it's not a word, so no dictionary attack is going to help. And even if someone thinks you used this technique, they still have to guess not only WHICH song you chose, but ALSO which LINE of the song you used, too. Good luck with that, fucker...

  • obloodyhell

    See my above comment about songs for this.

  • obloodyhell

    See my above comment about the use of songs for this purpose.

  • sailor116

    Actually, not.

    First of all, that doesn't have digits, which it should have.

    More to the point, it doesn't need to be all that simple because only have to remember it once. ONCE. it's not that much harder to remember "yamtssfa" than "YAmtsff8"

  • marque2

    Someone broke into my Disquis account and wrote this on my behalf
    :O

  • marque2

    You can convert some of the letters to digits - eg make Y 25 and digits don't really help much. Upper and lower case do much more to make a word secure. In fact it can make the password less secure. Instead of having 52 choices in 1 position you only have 10 making the choice at least 5 times less secure. It is only more secure if the numbers are put in randomly from a choice of 62 - rather than forced in (you must have 1 digit) which makes that digit a mere choice of 10.

  • obloodyhell

    }}} First of all, that doesn't have digits, which it should have.

    Actually, YES, first off, because it doesn't PRECLUDE this, genius. Second off, you are far, far better off with a password string of "fiuroeiuriueiuwuwhrhiakkthtoeooajkjeoor" than "wokr2310"

    The number of bits of entropy is far more critical to a password than the complexity of the character set, and length matters much more to this than the size of the selected character set. You're far better off with a long password that you can remember readily than a short one you can't.

    25 characters of 52 options is much more entropic than 8 characters of 62 options. So either way, you're wrong.

  • obloodyhell

    By the way... Lastpass allows you to save a local copy of your passwords and sites. It's probably not a bad idea to make one of these once in a while, as long as you keep it in a secure place.

  • bigmaq1980

    Many of the posted suggestions above are helpful, as even the password managers need a password (though alternatives exist).

    "You can convert some of the letters to digits" - a very good idea.

    I would add characters into that mix to expand the number of possibilities a hacker would have to overcome.

    Of course, for similar reasons, the longer the password string, the better. Most sites don't even tell you their maximum up front. For many it is 12, but I go with 30 and work my way down, based on whether the site gives an error message (often not specifying what the problem is, btw - also, some don't like characters).
    .

    As for logging on from a friend's computer...a rather unsafe practice as one does not really know how secure their pc is...if one is inclined to do that, then why not be safe about it and use a password manager from a USB drive (e.g. portable browser and Lastpass Pocket combo):
    https://lastpass.com/support.php?cmd=showfaq&id=866

  • bigmaq1980

    Good suggestion.

    If keeping it as an electronic file on a computer, one could compress it (e.g. zip) with a password.

    A paper copy in some place like a safety deposit box, with your last will is probably a good place too. An unecrypted file on a USB would be fine too vs paper (or encrypted with your named executor knowing the password).

  • bigmaq1980

    Couple of points:

    Interesting discussion about that study here:
    http://arstechnica.com/security/2014/07/severe-password-manager-attacks-steal-digital-keys-and-data-en-masse/

    Their conclusion is..."On the whole, readers are likely better off using a password manager than they are using the same password for multiple sites. For that reason, Ars still recommends that people use a password manager." Worth reading the whole article and the comments too.

    KeePass and similar products might be an alternative (not part of the study you cite, so don't know which, if any of those vulnerabilities it is subject to), but there are challenges with them from a practicality perspective:
    http://lifehacker.com/5944969/which-password-manager-is-the-most-secure

    The Mother Jones article is the same one Coyote used.

  • ofek5

    Point being that pass managers can by themselves serve as additional attack vector.
    breaking your pass managers gives the attacker the same benefit as discovering the same password for multiple sites will security wise.

  • bigmaq1980

    True...it is a risk that the Arstechnica article points out, but still recommends folks are better off using a password manager.

    Short of the alternatives mentioned (with their drawbacks), if a person has the basic knowledge, discipline and time, they can avoid password managers. Not really an option for many people.

  • Peter Modrák

    Well it could be good but only if you reusing some passwords only for unimportant sites (and I think this is the right way of dealing with passwords). If you reuse some password from important site there is a problem. If you want to read something more about reusing passwords, this can be a good start: http://blogen.stickypassword.com/to-re-use-or-not-to-re-use-that-is-the-password-question/ .

  • ofek5

    I dont advocate avoiding passwords i advocate understanding that its mostly useful against non professional or amaturish attempts to steal your information or invading your privacy,