Passwords/Passphrases

I have not yet broken down and downloaded one of the popular password managers to use. It appears that if you don’t use a password manager, you should use a passphrase of several random words for a password. Even a required IT training class at work suggests this. But then the advice is a different passphrase for each website you access with a password. That’s not going to work. Who is going to remember 20 or more passphrases?

What about turning one passphrase into a password and then changing it to fit the website you are accessing? It will have a repeatable pattern but not be identical on each website and may look random to anyone who breaks one of them.

Here is an example:

Starting phrase - I hate working and I want to retire soon.

First iteration - iHwaiwtrs

Second iteration - iH8wai12rs, where hate becomes H8 and want to becomes 12

Third iteration - iH8wai12RETIREs to make it longer. H for hate and RETIRE are in all-caps since I could remember those two “phrases” are the most important to me.

Since I wouldn’t want to remember passphrases for every website, I could modify it for each website. The modification could add a character, which is often a requirement for passwords today.

Choices for Amazon:

iH8wai12RETIREs@am - first two letters of any company - may be too common
iH8wai12RETIREs@an - first and last letter of a company - may also be too common
iH8wai12RETIREs@aa - first and third letter of a company - harder but easy for me to remember
iH8wai12RETIREs@aan - first, third and last letter of a company - just to make it longer

No, I have not implemented it yet; this is just an example.

Thoughts on this method? Would using a repeated pattern for the first 10 or so characters and then changing several letters, characters, or numbers at the end to differentiate between websites be an okay way to approach it?

PSU

2 Likes

I have not yet broken down and downloaded one of the popular password managers to use.

I broke down a good while back. The first stage was allowing my browser, Firefox, to remember all my less important passwords. When they upgraded to generating strong passwords I graduated to using it to generate them. The net result is that my least important accounts have my most secure passwords.

My most important accounts… investing, banking, email and such, never get remembered* except by me; I have to type them in each time. So they are simpler, if not exactly simple.

In any case, Firefox takes care of the rest and keeps them in sync across multiple PCs and my phone. So much simpler!

*(Nor do they get written down, EXCEPT in a couple of sealed envelopes locked up in safes, just in case something bad happens to me.)

1 Like

I’ve used this method for a while now and it works well. Staying consistent in usage helps to rein in the number of outstanding passwords to remember. I would suggest using more than 2 letters for the suffix portion as some companies overlap (Disney & Discovery). I typically use four letters.

As far as password managers, I’ve used two of them: LastPass and 1Password.

Recently, LastPass changed ownership and will only allow free usage in a browser OR mobile. You have to pay to get access to both. This may work out well for you if you primarily use 1 type of device.

My workplace has an enterprise license of 1Password that allows me free usage of 1Password. I can personally say that I love their software. I have it installed on every computer (Windows 10, Ubuntu Linux, Red Hat Enterprise Linux, etc) and mobile device (Android phone and iPad) that I own. The password vault in my account is encrypted with a key that only I have. So, if they ever get breached, all that is compromised is the personally encrypted vault. A pretty clever setup if you ask me. I also enjoy their mobile functionality as it handles both passwords and 2FA/MFA one-time passwords simply once the registration is complete. If you don’t mind paying, 1Password now handles all of my passwords, both at work and home.

Phaz

1 Like
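An added illustration (not code from any poster) of the per-site suffix rules in the opening post and of Phaz’s point about overlapping company names: it derives the site-specific tail for a constructed list of accounts and reports which sites would end up sharing a password. The rule names and the company list are assumptions made here.

```python
"""Apply the opening post's per-site suffix rules to constructed company
names and report which accounts would receive identical passwords."""
from collections import defaultdict

BASE = "iH8wai12RETIREs"  # the third-iteration base from the opening post

# Constructed sample of account names; Disney/Discovery is the overlap
# Phaz mentions, the others are added here for illustration.
COMPANIES = ["Amazon", "Amex", "Apple", "Disney", "Discovery", "Netflix", "Nike"]


def letters(company: str) -> str:
    """Lower-case letters only, so 'Ally Bank' and 'ally-bank' agree."""
    return "".join(ch for ch in company.lower() if ch.isalpha())


def suffix(company: str, rule: str) -> str:
    """Site-specific tail under one of the rules the opening post lists.
    Rule names are labels chosen here, not the poster's terminology.
    Two letters give at most 26*26 = 676 distinct tails across all accounts."""
    c = letters(company)

    def pick(i: int) -> str:  # pad very short names instead of raising
        return c[i] if i < len(c) else "x"

    last = c[-1] if c else "x"
    rules = {
        "first2": c[:2],
        "first_last": pick(0) + last,
        "first_third": pick(0) + pick(2),
        "first_third_last": pick(0) + pick(2) + last,
        "first4": c[:4],  # Phaz's suggestion of four letters
    }
    return rules[rule]


def site_password(company: str, rule: str, base: str = BASE) -> str:
    return f"{base}@{suffix(company, rule)}"


def collisions(companies, rule: str) -> dict:
    """Map each suffix used by more than one company to those companies."""
    groups = defaultdict(list)
    for name in companies:
        groups[suffix(name, rule)].append(name)
    return {s: names for s, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for rule in ("first2", "first_last", "first_third", "first_third_last", "first4"):
        print(f"{rule:17} Amazon -> {site_password('Amazon', rule)}  "
              f"collisions: {collisions(COMPANIES, rule) or 'none'}")
```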

It appears that if you don’t use a password manager, you should use a passphrase of several random words for a password.

^^ This. All the special numbers and characters do not matter much; length, and spaces if allowed, are great. Use words that are unrelated, so don’t use “eye in the sky”; instead use “sky dog train”.

Want to have some fun? Go here or a ton of other sites like it to get an idea.
https://random-ize.com/how-long-to-hack-pass/

I rotate through passwords for certain things.

Sensitive stuff (bank, 401k, trading platform, etc.): the same pw with 2nd step authentication.
Email, utility company, cell company, Amazon: a second password in common, with 2nd step authentication.
Really unimportant stuff with no personal or banking info: a 3rd password, 2nd step optional but still good to have.

2-4 passphrases are easy to remember; group them by the kind of service and it works pretty well for me. The 2nd step authentication is golden, use it!

3 Likes

Canonian absolutely has the right idea. If your more sensitive services offer 2-Factor Authentication (especially via an app like Authy or Google Authenticator), SET IT UP TODAY. It’s a pain to get it set up, but it provides so much more security. It will essentially help to mitigate the risk of a password database (which are so commonly stored in plain text) breach from causing cascading breaches. Since so many passwords are used in multiple places, a password breach on one site/service could, when paired with your email, lead to compromise of very sensitive information (health records, banking and investments, etc). What 2FA/MFA will give you is a layer of protection, especially via an app. If you have the 2 Factor sent to a phone number or another email address, it’s much less secure.

Protip: When you register your 2-Factor authentication, scan the QR code with 2 different mobile devices running the same application (Google Authenticator, Authy, etc). You’ll then have a backup in case you drop your phone in a river. I believe Google Authenticator will now let you transfer the registrations, but someone using it would have to confirm.

Phaz

1 Like
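An added example (not any poster’s code) of the time-based one-time password scheme (RFC 6238 TOTP) that apps like Google Authenticator and Authy implement, showing why two phones that scanned the same enrolment QR code keep producing identical codes, and how a server tolerates a little clock drift. The otpauth:// URI and its secret are constructed placeholders.

```python
"""RFC 4226/6238 one-time passwords and a model of an enrolled phone."""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = Unix time // step (30 s by default)."""
    return hotp(secret, at // step, digits)


def verify(secret: bytes, candidate: str, at: int, window: int = 1) -> bool:
    """Server-side check that accepts +/- `window` steps of clock drift."""
    return any(hmac.compare_digest(totp(secret, at + d * 30), candidate)
               for d in range(-window, window + 1))


class AuthenticatorDevice:
    """Model of one phone that scanned an otpauth:// QR code (constructed)."""

    def __init__(self, otpauth_uri: str):
        query = parse_qs(urlparse(otpauth_uri).query)
        b32 = query["secret"][0]
        # QR payloads usually omit Base32 padding; restore it before decoding.
        self.secret = base64.b32decode(b32 + "=" * (-len(b32) % 8), casefold=True)

    def code(self, at=None) -> str:
        """Code shown on screen; every device with this secret shows the same."""
        return totp(self.secret, int(time.time()) if at is None else at)


# Constructed enrolment URI; the secret is a well-known sample, not a real account.
ENROL_URI = "otpauth://totp/ExampleBank:alice?secret=JBSWY3DPEHPK3PXP&issuer=ExampleBank"

if __name__ == "__main__":
    phone, backup = AuthenticatorDevice(ENROL_URI), AuthenticatorDevice(ENROL_URI)
    now = int(time.time())
    print(phone.code(now), backup.code(now))  # identical: same secret, same clock
```

The backup device works purely because it holds a copy of the same secret, which is also why the enrolment QR code itself should be treated as a credential.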

Do yourself a big favor, get a password manager. Then spend the time you save with your family or doing your favorite hobby.

I’ve tried 3 or 4 programs but prefer Lastpass. I used the free version for a couple years and when they started limiting the free version to only one device I bought the subscription/premium version. I generally only use it on my desktop computer and my Android phone. But I can access the vault from any device that has an Internet connection.

I now only have to remember one single passphrase. I have systematically switched all my passwords to ones that I’ve had Lastpass generate. The vault is encrypted and LastPass does not know the passphrase. I also use the extension in Chrome.

I just received an email yesterday letting me know that in March my account will automatically renew. So after a year I can say I am very happy with the software and service.

7 Likes

Password managers are a must going forward, at least until Microsoft/Google make them obsolete with whatever comes next. I’ve seen a number of intelligent ‘schemes’ to remember passphrases specific to the website. But there are two major fallacies in my mind:

  1. While they make sense today as you leisurely use the sites, things are great. Will they be great when you are in a hurry, stressed, ill, etc? Will they work in five years when the old memory gets a little foggy? Will your designated heirs/executor be able to use your scheme? My password manager has passwords set years ago (I know, time to update). In some cases, I haven’t visited the site in a couple of years, but I might have to in the future, who knows. I doubt any passphrase system could accommodate remembering that.

  2. As time goes by passphrases have to be more and more complicated. Most ‘important’ sites now require a combination of numbers, letters, capitals, symbols, etc plus a minimum length. I’ve even seen arcane rules like no sequential numbers. Working that into a memorable passphrase is difficult, period, let alone in a manner that you will remember.

Decent password managers all feature encrypted databases. Not even the company hosting the database can read it. Only you have the ‘key’ so let hackers do their thing. That’s not the source of worry about passwords obviously; it’s the Target, Walmart, etc database that gets hacked where all too often things are not encrypted. The fear that password managers have plain text databases is just that, fear. An oddly expressed danger is the company goes bankrupt and loses the database. In this day and age, not likely; someone is going to buy that database even in its encrypted form. Also, every password manager has a way to export the data to your computer (kinda defeats the purpose, but you can keep a copy locally).

Two-factor authentication is better as the next level. Texting a code is common, but experts say this is not all that secure due to being unencrypted in the SMS system. Dedicated authenticators are better. Two have been mentioned upstream. My company uses OKTA. A hardware key like YubiKey is the best, but pretty painful to use. Not sure how it works on mobile – does it plug into the phone?

I use Lastpass and pay for the subscription so my passwords are available everywhere. It’s the first program I came across and it serves the purpose. There are other managers that are as good, maybe better. I pay the annual fee. Can’t say what it is as it’s so trivial compared to the benefits I get. I get magazines (yeah, I’m that guy) that I don’t read that cost far more.

glh

5 Likes

Two-factor authentication is better as the next level. Texting a code is common, but experts say this is not all that secure due to being unencrypted in the SMS system. Dedicated authenticators are better. Two have been mentioned upstream. My company uses OKTA. A hardware key like YubiKey is the best, but pretty painful to use. Not sure how it works on mobile – does it plug into the phone?

On this note about the hardware key, keep in mind once you connect to work, if someone hacks into your home computer they have an authenticated step right into work :)

By the way, Lastpass was hacked
https://www.hackread.com/lastpass-hacked-this-time-for-good/…

Look at 1password or bitwarden if you decide to use a password manager.

https://www.passwordmanager.com/bitwarden-vs-1password/

2 Likes

As far as password managers, I’ve used two of them: LastPass and 1Password.

Is there any reason you picked 1Password since both cost about the same?

PSU

Look at 1password or bitwarden if you decide to use a password manager.

https://www.passwordmanager.com/bitwarden-vs-1password/

Thanks for the link. My OCD kicked in when in the writeup, they used LassPass in one place where they meant to write 1Password. Probably recycled a bitwarden vs lasspass writeup.

PSU

Good catch.

I know 1password & bitwarden are highly regarded since even if hacked the data is encrypted and quite hard to get any info from, they cannot lookup your password nor can they retrieve it.

https://cybernews.com/best-password-managers/bitwarden-revie…

Do yourself a big favor, get a password manager… I’ve tried 3 or 4 programs but prefer Lastpass… I have systematically switched all my passwords to ones that I’ve had Lastpass generate. The vault is encrypted and LastPass does not know the passphrase.

Canonian nailed it! It is still not safe because Lastpass was hacked! What other evidence do we need to stay away?

Lastpass was hacked https://www.hackread.com/lastpass-hacked-this-time-for-good/…

Mathias Karlsson, an IT security researcher recently breached the security of popular password managers LastPass…

This says to me to stay away from password managers.

-=Ajax=-

More info on the ups and downs of PW managers, love Tom’s site for years.

https://www.tomsguide.com/us/password-manager-pros-cons,news…

1 Like

I use lastpass also. Never had a problem with it. There’s been times when I visited a site I haven’t seen in years and lastpass has the password. I use simple passwords for non financial sites and complex ones for financials/ anything that I give a credit card to. Highly recommend you switch to one…doc

3 Likes

I use KeePass https://keepass.info/ and keep the database on the local drive. (I have a distrust of Internet-based password managers.)

Unfortunately, some of my earliest accounts have the simplest passwords. Fortunately, almost every site now has a different password and any time I had to go change my password (such as at my bank) it got a more secure password, so at least my financial sites and primary email provider have very secure passwords.

1 Like

I still use an old fashioned address book to keep my various passwords. Most of them are disguised to look like people with some non-important added notes. If someone gets a hold of the book, I’ve got more problems than someone knowing the passwords.

6 Likes

My wife and I also use KeePass for managing our passwords. We have about 450 active passwords in our encrypted DB. Our encrypted DB is stored locally and we both have access to it via a shared drive on our NAS. What’s nice about KeePass is that they have a nice easy to use scripting language that allows you to run a script to sync the local DB (on each of our PCs) to the main DB on the NAS. That way, we can share one DB file and it stays up-to-date with each of our data updates. We also use a free app on our mobile devices called KeePassium which will also read the KeePass DB for when we are on the go.

Works like a charm and we can keep very complex passwords that are not like anything else to drive potential hackers crazy ;)

'38Packard

3 Likes

I still use an old fashioned address book to keep my various passwords.

Can’t hack that, good job. Sometimes the obvious easy free choice is actually the best.

2 Likes

I still use an old fashioned address book to keep my various passwords.

Can’t hack that, good job. Sometimes the obvious easy free choice is actually the best.

As long as that obvious easy free choice isn’t lost or stolen.