Passwords, mashwords..........

[Snowman]

I've used keepass for years, but have now switched to lastpass.com for most of my password needs. Its well worth investigating.

I never store banking or cc passwords though - neither on my pc nor online.

snowman

[Penforhire]

I'd tell you about my passwords... but then I'd have to kill you.

I carry them about in two encrypted forms. First is an encrypted HanDBase file on my iPhone. Second is on my USB drive (Sony Microvault on keychain) using the password manager function of Encrypt Stick. Encrypt Stick software is not perfect but has a few benefits over free TrueCrypt - no need to have Admin rights for mobile use, on-screen randomized keyboard with blanking on mouse-down events (defeats key loggers and most other snoops from getting your master password), and a semi-integrated browser that leaves no local history and fills in user names and passwords with right clicks (again defeating key loggers).

[cromag]

I use a couple relatively weak passwords for simple forums -- no financial connections or deep personal info at stake.

I use long, strong passwords for banking and a couple shopping sites, but I don't bank online often and for most shopping I don't establish an account unless I have to. I keep them in an encrypted database (flat file manager) with a misleading name.

[bwaldron]

Quote:

Originally Posted by carpetmojo

Does anyone out there use a totally different password for each use ?

Yes, I do. (I use LastPass to manage them.)

[DuskyRose]

I have a small Rolodex filer with all the passwords sorted by site name. Makes it very easy to change out old password to new ones, and I don't have to worry about it being wiped out in a computer crash. Plus I can scribble all kinds of notes on it with the password.

Then when we're gone for a few days, it gets thrown into the Media Safe. If the house get broken into, they'll have fun trying to get into that thing. If the house burns down, then my media backups are in there as well.

I just make sure to shred any old cards from it.

[russellmz00]

it's just better to use a simple algorithm for your passwords: take an old phone number, add the last three or four letters of the site's domain name, or the first three or part of it reversed, and have the last letter in caps. add a special character at the end.

so:
2175559876eaD+

there: you have an easy to remember, secure password, and no postit notes to steal. the only problem is when a site doesn't like certain special characters.

[Hellmark]

I don't have a different password for every account I have, because then I would have a couple hundred to remember. I always just had a few different passwords at any given time, making sure that important stuff like banking and credit cards didn't use the same as another.
what pissed me off about the Sony hack was that they were so slow about everything. They were hacked on the 17th, they shut down their servers without warning on the 20th, they didn't admit to being hacked until the 22nd, and they did not announce they lost info until the 26th. Here it is, the 29th, and info is leaking out that it credit card info may be floating around the 'net now (despite Sony saying it wasn't taken).

When my info is being held in their servers, and it all hits the fan, I want to know right away.

[FatDog]

I have nightmares about my 40+ accounts I try to keep track of. My last job was Sox compliant so I had 8 different databases all forcing me to change my password every 45 days - non of them would talk to the other so I could have 1 account. (They used all the reset my password requests to spam the auditors every two years.)


Our security manager at work uses a password manager on his cell phone. It's always with him and it generates a HUGE password using a seed value he gets by shaking the phone.

Personally - I think thats very un-secure but he uses a backup service to backup the file in-case the phone dies or gets lost.

I use a password manager on a flash drive so I can use it on any of the 4+ windows box's. I keep the same password manager on my main PC and every so often I print it out and shove the printout in a file folder.

And - for the web based accounts I use the browsers password manager to make it easy so I dont have to remember them. But these are always different from my Amazon, PayPal and baking passwords.

[rogue_librarian]

Quote:

Originally Posted by FatDog

I have nightmares about my 40+ accounts I try to keep track of. My last job was Sox compliant so I had 8 different databases all forcing me to change my password every 45 days - non of them would talk to the other so I could have 1 account.

Sounds like you could really profit from the device I mentioned earlier...

[Andrew H.]

Quote:

Originally Posted by russellmz00

it's just better to use a simple algorithm for your passwords: take an old phone number, add the last three or four letters of the site's domain name, or the first three or part of it reversed, and have the last letter in caps. add a special character at the end.

so:
2175559876eaD+

there: you have an easy to remember, secure password, and no postit notes to steal. the only problem is when a site doesn't like certain special characters.

I use a system like this for some of my passwords - the only problem is that one of my banks used to keep prompting me to change my password, which interfered with my system. (And I don't think that requiring people to change their password every month makes things more secure...it just causes people to have passwords like "PasswordA," replaced next month by "PasswordB".

[Penforhire]

The biggest problem with the system approach, integrating fixed strings with some portion of the URL, is many programs/sites have different password requirements (fixed # of chars, upper case, lower case, numbers/upper/lower required). Oh, and don't forget the security-conscious programs, like SAP at work, that require us to change our password every few weeks and don't allow a small rotation of passwords.

Otherwise it still has a weakness in that if someone steals your password for a given site they can usually figure out your naming algorithm and apply it elsewhere, making a simple system not significantly different than using a fixed password to start with.

[Andrew H.]

I also kind of think that requiring complicated passwords (like "2ef2QEd2ucRUGeya5uTa") with rotations is counterproductive. In the first place, most of the breaches involving passwords that I seem to hear about involve stolen password files, like the playstation case. I may have missed it, but I can't remember hearing about a brute force password attack in real life in...well, never. I'm not even sure if it's really possible, since most modern systems will lock you out if you get the password wrong too many times - I think my work adds a 10 minute delay if you get the password wrong three times (plus some sort of alert); I don't know what happens if you keep getting it wrong. Of course smartphones can usually be set to wipe the phone if you get the password wrong 10 times.

And requiring more complex passwords will just lead to people writing them down.

[Ripplinger]

Like many others here, I have a base of common passwords I use. Forums have the least secure and are often the same, but they too have alpha and numeral characters. Any financial site or where I purchase from often gets a very secure unique password. And I keep track of them all in a simple text file that I encrypt with a free program, AxCrypt. I've never really trusted programs that want to store all your passwords in their own database, I've have a few databases get corrupt for one reason or another (Sony Reader Library anyone?) and prefer my simple system.

[cromag]

Quote:

Originally Posted by Andrew H.

I also kind of think that requiring complicated passwords (like "2ef2QEd2ucRUGeya5uTa") with rotations is counterproductive. In the first place, most of the breaches involving passwords that I seem to hear about involve stolen password files, like the playstation case. I may have missed it, but I can't remember hearing about a brute force password attack in real life in...well, never. I'm not even sure if it's really possible, since most modern systems will lock you out if you get the password wrong too many times - I think my work adds a 10 minute delay if you get the password wrong three times (plus some sort of alert); I don't know what happens if you keep getting it wrong. Of course smartphones can usually be set to wipe the phone if you get the password wrong 10 times.

And requiring more complex passwords will just lead to people writing them down.

Actually, passwords are stored in encrypted form in all modern systems. Now that the encrypted passwords are in files on third-party machines they can be subjected to "brute force" type decryption (comparing them against entries in an encrypted dictionary, for instance) without worrying about being locked out for excessive trials and errors.

Its an arms race.

[Penforhire]

If Sony didn't store passwords properly encrypted (the Reuters news claim is passwords are part of the 2nd theft) then it would seem our trust in encryption policy is misplaced.