Beware of these "Easy Password" apps


  1. Posts : 65
    W10 B10135
       #11

    Yeah I basically do the same with my gold bars. Don't put em in the safe or the next burglar will know that there is good stuff and also where it is...
    I just put them into my wardrobe in my bedroom under some old clothes I never wear.

    ...uhhmm... wait ... what?!


    But in all seriousness I have advice for people who are undecided about their "personal password police"
    The way I do it... and it works out for me pretty solid and without having to use a 3rd party master key style solution...is just to
    set up my passwords in the following scheme (it's not 100% according to what I do but I can tell you it is a very similar system)

    FOR EXAMPLE

    password for mail -> N5=i3yBz2paperK0F-4noL!

    password for windows at home -> N5=i3yBz2workK0F-4noL!

    password for amazon -> N5=i3yBz2stuffK0F-4noL!

    password for bank account -> N5=i3yBz2emptyK0F-4noL!
    (this is of course not a 1-way auth in most of the cases anyway)

    so as you can see in this example case the passwords consist of 3 parts
    2 parts that are identical in each password but that are using special characters, big letters, small letters and numbers
    which are wrapped around one middle part that is easy to remember but is different for each password.
    this way your password is not the same for every service and you still have an overall very high complexity for each password.
    at the same time you can remember the identical parts easily because they are burnt into your head already...you just learn them and never forget them.
    and the variable parts can be for example words that you can personally link with the service u are using them for and so they are pretty easy to remember as well.
    of course you can use another logic, like use birthdates instead of words as the variable part. or soccer players. or something totally different. also there are many more ways of putting in different logic in these passwords ... you just have to be imaginative.

    so yeah, basically this is kind of a master password (not variable part) solution for the poor

    i only use different passwords when i expect the system i use it on to be prone to administrator abuse
    to avoid admins checking for certain patterns. also on "unimportant" stuff like forums or (non-google-account-centralized) entertainment services. then i just use simple words or their modification. in the style and rather simple complexity of for example: n1ghtl1f3
    but never the same password for more than 1 service.
    Last edited by Fragment; 14 Jun 2015 at 17:05.
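
The split between fixed and service-specific characters in the scheme from post #11, worked through as an added example that is not part of the original post. The four passwords are the ones in the post; the function names are hypothetical.

```python
import os

# The four example passwords exactly as given in post #11.
SCHEME = {
    "mail": "N5=i3yBz2paperK0F-4noL!",
    "windows at home": "N5=i3yBz2workK0F-4noL!",
    "amazon": "N5=i3yBz2stuffK0F-4noL!",
    "bank account": "N5=i3yBz2emptyK0F-4noL!",
}

def split_scheme(passwords):
    """Return (shared_prefix, shared_suffix, {service: unique_middle})."""
    if len(passwords) < 2:
        raise ValueError("need at least two passwords to compare")
    values = list(passwords.values())
    prefix = os.path.commonprefix(values)
    # Strip the prefix first so prefix and suffix can never overlap.
    rests = [v[len(prefix):] for v in values]
    suffix = os.path.commonprefix([r[::-1] for r in rests])[::-1]
    middles = {svc: pw[len(prefix):len(pw) - len(suffix)]
               for svc, pw in passwords.items()}
    return prefix, suffix, middles

def exposure_report(passwords):
    """Per service: how much of the password is shared with every other one."""
    _, _, middles = split_scheme(passwords)
    report = {}
    for svc, pw in passwords.items():
        unique = len(middles[svc])
        report[svc] = {
            "length": len(pw),
            "unique_chars": unique,
            "shared_fraction": round(1 - unique / len(pw), 2),
        }
    return report

if __name__ == "__main__":
    prefix, suffix, middles = split_scheme(SCHEME)
    print("fixed prefix:", prefix, "| fixed suffix:", suffix)
    for svc, row in exposure_report(SCHEME).items():
        print(f"{svc:16} unique part {middles[svc]!r:8} {row}")
```

The fixed parts carry almost all of the length, so the only thing separating one account from the next is the short dictionary word in the middle.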


  2. Posts : 11,247
    Windows / Linux : Arch Linux
    Thread Starter
       #12

    Fragment said:
    Yeah I basically do the same with my gold bars. Don't put em in the safe or the next burglar will know that there is good stuff and also where it is...
    I just put them into my wardrobe in my bedroom under some old clothes I never wear.

    ...uhhmm... wait ... what?!


    But in all seriousness I have advice for people who are undecided about their "personal password police"
    The way I do it... and it works out for me pretty solid and without having to use a 3rd party master key style solution...is just to
    set up my passwords in the following scheme (it's not 100% according to what I do but I can tell you it is a very similar system)

    FOR EXAMPLE

    password for mail -> N5=i3yBz2paperK0F-4noL!

    password for windows at home -> N5=i3yBz2workK0F-4noL!

    password for amazon -> N5=i3yBz2stuffK0F-4noL!

    password for bank account -> N5=i3yBz2emptyK0F-4noL!
    (this is of course not a 1-way auth in most of the cases anyway)

    so as you can see in this example case the passwords consist of 3 parts
    2 parts that are identical in each password but that are using special characters, big letters, small letters and numbers
    which are wrapped around one middle part that is easy to remember but is different for each password.
    this way your password is not the same for every service and you still have an overall very high complexity for each password.
    at the same time you can remember the identical parts easily because they are burnt into your head already...you just learn them and never forget them.
    and the variable parts can be for example words that you can personally link with the service u are using them for and so they are pretty easy to remember as well.
    of course you can use another logic, like use birthdates instead of words as the variable part. or soccer players. or something totally different. also there are many more ways of putting in different logic in these passwords ... you just have to be imaginative.

    so yeah, basically this is kind of a master password (not variable part) solution for the poor

    i only use different passwords when i expect the system i use it on to be prone to administrator abuse
    to avoid admins checking for certain patterns. also on "unimportant" stuff like forums or (non-google-account-centralized) entertainment services. then i just use simple words or their modification. in the style and rather simple complexity of for example: n1ghtl1f3
    but never the same password for more than 1 service.

    Hi there

    The point of the post wasn't to devise a password strategy but simply to point out that whatever your passwords were keeping them stored on a remote server IMO is NOT a good idea for all sorts of reasons.

    However if you ARE considering password strategies a SIMPLE one which increases the Hacking complexity by a VERY considerable amount is always to insert a special character to the FRONT -- password cracking algorithms have to run for a lot longer to crack even SIMPLE passwords like PA55WORD if it's replaced by !PA55WORD. Unfortunately some logons won't allow special characters but when they do insert them in your password -- but remember if you use a different keyboard -- even a simple one like GB vs US the keys aren't the same for a lot of the special characters !!!! So accessing your site from say an airport terminal with their computers might cause a problem !!!

    Cheers
    jimbo


  3. Posts : 27,181
    Win11 Pro, Win10 Pro N, Win10 Home, Windows 8.1 Pro, Ubuntu
       #13

    I do like Jimbo
    I'm of the old school-- a black notebook hidden away in a reasonably inaccessible place seems the best (and "Lowest tech") solution of all.
    Except my book is green. Another advantage of that is, I live alone in a foreign country, so if something happens to me the Polizei will find it (hopefully) and contact my Contacts, accounts and forums...etc and close everything, or give it to my next of kin in the States to do so.


  4. Posts : 22,740
    Windows 10 Home x64
       #14

    Cliff S said:
    I do like Jimbo Except my book is green. Another advantage of that is, I live alone in a foreign country, so if something happens to me the Polizei will find it (hopefully) and contact my Contacts, accounts and forums...etc and close everything, or give it to my next of kin in the States to do so.

    I've used the same basic technique for many years. When I worked at The Travelers we had lots of various ways to protect files and they worked.


  5. Posts : 65
    W10 B10135
       #15

    jimbo45 said:
    Hi there

    The point of the post wasn't to devise a password strategy but simply to point out that whatever your passwords were keeping them stored on a remote server IMO is NOT a good idea for all sorts of reasons.

    However if you ARE considering password strategies a SIMPLE one which increases the Hacking complexity by a VERY considerable amount is always to insert a special character to the FRONT -- password cracking algorithms have to run for a lot longer to crack even SIMPLE passwords like PA55WORD if it's replaced by !PA55WORD. Unfortunately some logons won't allow special characters but when they do insert them in your password -- but remember if you use a different keyboard -- even a simple one like GB vs US the keys aren't the same for a lot of the special characters !!!! So accessing your site from say an airport terminal with their computers might cause a problem !!!

    Cheers
    jimbo

    Well, the reason people store passwords online or in a master key tool is that they don't want to remember like 10 passwords but only one.
    That's where my logic is aimed at. To have 10 different strong passwords that are not as hard to remember as those 10 for example:
    anHBC+gnvh-o
    UWtAaXn@li7J
    plKGHmdeud(O
    o8GE0+AfodIB
    wjÄBSSq9Op/k
    sY)u2;uhJf6S
    VXhlcodä91>6
    zU*wEVW;:nYX
    qOYvM]Nmp2)n
    Oc/pml0/opK5


    Your additional security hint of putting a special char at the beginning of a pw can of course be implemented in any password. Be it a master pw or w/e else...


  6. Posts : 1,524
    Windows 10 Pro (32-bit) 16299.15
       #16

    Jimbo, had you seen this when you created this thread?

    https://blog.lastpass.com/2015/06/la...y-notice.html/

    We want to notify our community that on Friday, our team discovered and blocked suspicious activity on our network. In our investigation, we have found no evidence that encrypted user vault data was taken, nor that LastPass user accounts were accessed. The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.

    We are confident that our encryption measures are sufficient to protect the vast majority of users. LastPass strengthens the authentication hash with a random salt and 100,000 rounds of server-side PBKDF2-SHA256, in addition to the rounds performed client-side. This additional strengthening makes it difficult to attack the stolen hashes with any significant speed.

    Nonetheless, we are taking additional measures to ensure that your data remains secure. We are requiring that all users who are logging in from a new device or IP address first verify their account by email, unless you have multifactor authentication enabled. As an added precaution, we will also be prompting users to update their master password.

    An email is also being sent to all users regarding this security incident.

    If you have a weak master password or if you have reused your master password on any other website, please update it immediately. Then replace the passwords on those other websites.
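
The two-stage strengthening the quoted notice describes (client-side rounds, then a random per-user salt and 100,000 server-side rounds of PBKDF2-SHA256), as an added sketch that is not LastPass code. The function names, the 5,000 client rounds, the use of the account e-mail as client-side salt, the 16-byte salt and the record layout are all assumptions; only the 100,000 figure and the algorithm come from the notice.

```python
import hashlib
import hmac
import os

SERVER_ROUNDS = 100_000  # figure quoted in the notice
CLIENT_ROUNDS = 5_000    # assumption: the notice gives no client-side count

def client_login_hash(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password before it leaves the device.
    Salting with the account e-mail is an assumption of this sketch."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ROUNDS)

def server_enroll(login_hash: bytes) -> dict:
    """Server side: random per-user salt plus 100,000 further rounds."""
    salt = os.urandom(16)
    auth = hashlib.pbkdf2_hmac("sha256", login_hash, salt, SERVER_ROUNDS)
    return {"salt": salt, "rounds": SERVER_ROUNDS, "auth_hash": auth}

def server_verify(record: dict, login_hash: bytes) -> bool:
    """Recompute with the stored salt and rounds; compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash,
                                    record["salt"], record["rounds"])
    return hmac.compare_digest(candidate, record["auth_hash"])

if __name__ == "__main__":
    # Constructed sample accounts: same master password, two enrolments.
    h = client_login_hash("correct horse battery staple", "user@example.com")
    first, second = server_enroll(h), server_enroll(h)
    # Different salts give different stored hashes for the same password,
    # so one precomputed table cannot cover more than one user.
    print("stored hashes differ:", first["auth_hash"] != second["auth_hash"])
    print("right password verifies:", server_verify(first, h))
    wrong = client_login_hash("Password1", "user@example.com")
    print("wrong password verifies:", server_verify(first, wrong))
```

The rounds raise the cost of every guess against a stolen hash but add nothing to the password itself, which is why the notice singles out weak and reused master passwords.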


  7. Posts : 11,247
    Windows / Linux : Arch Linux
    Thread Starter
       #17

    DavidY said:
    Jimbo, had you seen this when you created this thread?

    https://blog.lastpass.com/2015/06/la...y-notice.html/

    Hi there

    When people say "Taking additional methods" - that means the ORIGINAL ones were simply not good enough.

    It's like any Govt announcement saying "No reason to Panic".... or "There's plenty for everyone so no need to go out buying more..." etc.

    Nobody believes those sorts of announcements in a million years -- even Gorillas in a zoo would be suspicious.

    If a Server also goes down which DOES happen (anybody who has ever used any sort of ONLINE banking - even if it's only to get cash out of an ATM) will surely have experienced an outage --even the mighty GOOGLE has had an outage or two --also quite recently -- then any application requiring access to the server will fail.

    I still think the Black (or Green or colour of your choice) notebook is still the most secure.

    Cheers
    jimbo


  8. Posts : 65
    W10 B10135
       #18

    jimbo45 said:
    Hi there

    When people say "Taking additional methods" - that means the ORIGINAL ones were simply not good enough.

    It's like any Govt announcement saying "No reason to Panic".... or "There's plenty for everyone so no need to go out buying more..." etc.

    Nobody believes those sorts of announcements in a million years -- even Gorillas in a zoo would be suspicious.

    If a Server also goes down which DOES happen (anybody who has ever used any sort of ONLINE banking - even if it's only to get cash out of an ATM) will surely have experienced an outage --even the mighty GOOGLE has had an outage or two --also quite recently -- then any application requiring access to the server will fail.

    I still think the Black (or Green or colour of your choice) notebook is still the most secure.

    Cheers
    jimbo

    Technically, the most secure is your head only.
    Of course. If you don't trust your own memorization capabilities...then you have a problem or if you are not able to estimate them...


  9. Posts : 22,740
    Windows 10 Home x64
       #19

    Fragment said:
    Technically, the most secure is your head only.
    Of course. If you don't trust your own memorization capabilities...then you have a problem or if you are not able to estimate them...

    The best way is to change them monthly.. keep in your head or paper.. but changing them is the only way to be safe.


  10. Posts : 65
    W10 B10135
       #20

    BunnyJ said:
    The best way is to change them monthly.. keep in your head or paper.. but changing them is the only way to be safe.

    I was referring to the storing location because it was said earlier in the thread that keeping them on a separate laptop in a secure location would be the safest, which is not true.

    Keeping them only in your head doesn't exclude/prevent the ability to change your password(s) monthly/daily/hourly etc...


 
