You should use a password manager

IaHawk

Great post. Just switched from Free LastPass to paid 1Password, happy with it so far. I know I looked at Bitwarden as well, not sure why I passed on it. But like @FestiveKnight has said, pick one and use it.
 

Nex

You have to separate my recommendation of not using any kind of cloud services to store or transfer your confidential data from the question of whether to use a password manager or not. I do recommend password managers since they make it easy to use a different random password for every site.

Syncing the password database without "cloud", by the way, becomes much less of a hassle once you have keyed in all the account data you currently have. I mean, how often do you sign up for a new service... not that often. And you really can ignore recommendations to change your password for a site every X time units when you use a long, completely random and individual password for each site anyway, so there are no regular changes to existing data either. Making it a habit to only change the password database on one device (then copying and overwriting the DB on your other devices) also makes it easier.
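The single-master habit described in that post works until someone edits the copy on a second device, at which point "copy and overwrite" silently discards those entries. The script below is an added example (it is not from the thread and not from KeePass or any other product) of a one-way push that records the hash of what it last wrote and refuses to clobber a copy that has changed since. File names, the `.lastsync` sidecar and the in-memory stand-in for the database are constructed for the demo.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed example: one "master" device edits the database, every other
# device only receives it. A sidecar file next to each copy records the hash of
# what was last pushed, so a copy edited on the receiving side is detected
# instead of being silently overwritten. File names are made up for the demo.


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def push_db(master: Path, target: Path, force: bool = False) -> str:
    """Push `master` over `target`; returns 'unchanged', 'copied' or 'conflict'."""
    record = target.with_name(target.name + ".lastsync")   # hash of the last copy we wrote
    src_hash = sha256_of(master)
    if target.exists():
        dst_hash = sha256_of(target)
        if dst_hash == src_hash:
            return "unchanged"
        # Any difference between the target and what we last wrote there means the
        # target was edited on that device; refuse unless the caller forces it.
        last_written = record.read_text().strip() if record.exists() else None
        if dst_hash != last_written and not force:
            return "conflict"
        shutil.copy2(target, target.with_name(target.name + ".bak"))   # keep the old copy
    shutil.copy2(master, target)
    record.write_text(src_hash)
    if sha256_of(target) != src_hash:                       # verify the write landed intact
        raise OSError(f"verification failed after copying to {target}")
    return "copied"


def demo() -> list:
    """Walk through the normal case, a second edit, a conflict and a forced push."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        master = root / "vault.kdbx"                 # the only copy that gets edited
        target = root / "usb-stick" / "vault.kdbx"   # a receiving device
        target.parent.mkdir()
        master.write_bytes(b"database v1")           # stand-in for a real KeePass file
        results = [push_db(master, target), push_db(master, target)]
        master.write_bytes(b"database v2")
        results.append(push_db(master, target))
        target.write_bytes(b"database v2, edited on the wrong device")
        results.append(push_db(master, target))
        results.append(push_db(master, target, force=True))
        return results


if __name__ == "__main__":
    print(demo())   # ['copied', 'unchanged', 'copied', 'conflict', 'copied']
```

The conservative rule is that any target content not matching the last recorded push counts as a conflict, including a pre-existing file on the first run; a forced push still keeps a `.bak` of what it overwrote, so the entries added on the wrong device can be merged by hand.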
 

dkersey

Thanks for writing this up. This is the kick in the pants I need to do this!
 

k9dr

Can someone comment on which is better/stronger for a master password - either a random password of letters, numbers, and symbols like this: 4Z!YFYQ4kT+ or a string of random words like this: heliport-seafarer-youthful-wrinkle-engine
 

Pinesol13

Can someone comment on which is better/stronger for a master password - either a random password of letters, numbers, and symbols like this: 4Z!YFYQ4kT+ or a string of random words like this: heliport-seafarer-youthful-wrinkle-engine

I've read all different articles that contradict one another on this. Some say random letters, numbers and symbols are best, some say a passphrase of 3-4 random words is best. Who really knows.

Personally, I like the random combo of letters numbers and symbols. I like to use a long sentence that I can remember, and use the first letter of each word, some words can become numbers or symbols. So I end up with a 20+ character password that seems like it's random, but is still easy for me to remember.
 

Nex

Random will always be stronger.
https://xkcd.com/936/

password_strength.png
 

Nex

Hypothetically, if someone knew how you generated your password (random characters or random words) then they can optimize the bruteforcing towards random words, they merely need a dictionary. So I'd mix at least one word in there that definitely does not appear in a dictionary.
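To put numbers on the question k9dr asked, and on the point just above that the attacker may know how the password was generated, here is an added example (my own code, not from the thread) that computes the entropy of the two candidate styles and of the "mix in one made-up word" variant. Alphabet size, word-list size and the two guess rates are assumptions stated in the code; the entropy figures already assume the attacker knows the scheme, which is the only safe assumption.

```python
import math

# Constructed assumptions, not figures from the thread.
PRINTABLE_ASCII = 94        # symbols a random-character generator draws from
DICEWARE_LIST = 7776        # words in a standard Diceware list (6**5)
LOWERCASE = 26
FAST_HASH_RATE = 1e10       # guesses/s against an unsalted fast hash on a GPU (assumed)
SLOW_KDF_RATE = 1e4         # guesses/s against an iterated or memory-hard KDF (assumed)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def bits_random_chars(length, alphabet=PRINTABLE_ASCII):
    """Entropy of `length` symbols drawn uniformly from an alphabet."""
    return length * math.log2(alphabet)


def bits_wordlist_phrase(n_words, list_size=DICEWARE_LIST):
    """Entropy of `n_words` drawn uniformly from a public word list.
    This already assumes the attacker has the list (Kerckhoffs's principle)."""
    return n_words * math.log2(list_size)


def bits_mixed_phrase(n_dict_words, made_up_len, list_size=DICEWARE_LIST):
    """Replace one list word with a non-dictionary word, modelled as
    `made_up_len` uniformly random lowercase letters. The attacker is assumed
    to know the structure; a real coined word is usually less random than this."""
    return n_dict_words * math.log2(list_size) + made_up_len * math.log2(LOWERCASE)


def years_to_exhaust(bits, guesses_per_second):
    """Full keyspace search; the expected time to a hit is half of this."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare():
    """The two candidates from the thread side by side, plus two variants."""
    random11 = bits_random_chars(len("4Z!YFYQ4kT+"))
    words5 = bits_wordlist_phrase(len("heliport-seafarer-youthful-wrinkle-engine".split("-")))
    words6 = bits_wordlist_phrase(6)
    mixed = bits_mixed_phrase(4, 8)   # four list words plus an 8-letter made-up word
    return {
        "random_11_chars": round(random11, 1),
        "diceware_5_words": round(words5, 1),
        "diceware_6_words": round(words6, 1),
        "4_words_plus_made_up": round(mixed, 1),
        "years_5_words_fast_hash": years_to_exhaust(words5, FAST_HASH_RATE),
        "years_5_words_slow_kdf": years_to_exhaust(words5, SLOW_KDF_RATE),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:26} {value:,.1f}")
```

For the thread's own examples this gives about 72 bits for the 11 random printable characters and about 65 bits for the five word-list words, so the random string is stronger per character, while a sixth word (about 78 bits) overtakes it. The bigger lever is the guess rate: the same 65-bit phrase that falls in decades against a fast hash takes millions of years against a slow KDF, which is why the key-derivation settings of the vault matter as much as the master password itself.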
 

LeGold

Size matters. Then complexity. And, as xkcd says, it should be possible to remember.
 

IaHawk

My master password is a 6 word sentence (28 characters long with spaces). For those of you that have 20+ random characters, do you write them down?

I've never had a problem remembering my master password (sentence) but one thing I've done as a backup is send my wife a 3-4 sentence email and include my passphrase in there. So I have that in my sent items and she has it in her "Family" folder in her account. And no, it's not some normal email and then "Correct Horse Battery Staple!" for the last sentence! :LOL: :laugh:
 

FestiveKnight

As others have said, my understanding has always been that size + randomly mixing in some numbers and symbols is best and from there it doesn't really matter if it's only numbers and symbols or also some words. I default to passcode but use passphrase when I know it's something that I may need to manually enter or read out to someone (like my fiancée). The latter is rare.
 

Nex

What I commonly stumbled over was that many websites (particularly finance) would have a fairly low hard limit on the length of the password you could set that made it impossible to use multi-word passwords.

So my strategy ended up being generating completely random passwords with the max length allowed for those sites, and a sensible number of characters for other sites. Throw all those into a password manager, encrypt the password manager database with an easy-to-remember multi-word password into which some other crap is mixed in so that a dictionary won't help much at bruteforcing it. Even one or two of the words likely aren't found in any dictionary.
 

buzzmonkey

You're trying to increase your password's entropy. More characters helps, as does length. But for the master password you need to be able to remember it.

So it's completely ok to select a few random words and then strategically sprinkle in some characters.

ex) pAul$0nb@nAnastUmp

That's a really strong password that you should be able to memorize in a few minutes.
 

Jeff

I went to a cybersecurity seminar in my industry and one of the speakers was an ex-FBI agent who made the same point about the time that it takes to brute force a password. His point also was about the encryption on the password app.

He recommended 1Password.

When you get a password wallet, beware becoming dependent on face recognition or other crutches. I actually forgot the one password to open the password wallet...long story, but needless to say there's not a password recovery for the one password you need to open your password wallet.
 

bezerkus

Good write up! Worked in financial institution cybersecurity for years and free KeePass works great. After 20 years of effort we've successfully made passwords harder to remember but easy for computers to guess. (That makes me laugh from the cartoon above.) :) Using a long passphrase will be better than complexity; even if relying on simpler words and no special characters, it will take longer to crack and require more computational resources than a shorter one with special characters and numbers. Even if hackers steal your encrypted password from a hacked company, they won't have the computing power and time needed to crack the password.
Image 14.jpg


Better:
Image 15.jpg


Did I just guess anyone's password? ;)
 


Geremie

Is there a limit on number of characters? Could someone use a paragraph from one of their favorite books with 500+ characters?
 

bezerkus

Is there a limit on number of characters? Could someone use a paragraph from one of their favorite books with 500+ characters?
Usually 64 or even 128 characters would take trillions of years...500+, now that's flexing it. Usually max is set in forum settings so that is a question for the admin for sure. Longer than that and there are concerns over a long password DoS, Denial of Service Attack.
 

Nex

Good write up! Worked in financial institution cybersecurity for years and free Keepass works great. After 20 years of effort we've successfully made passwords harder to remember but easy for computers to guess. (that makes me laugh from the cartoon above). :) Using a long pass phrase will be better than complexity, even if relying on simpler words and no special characters, it will take longer to crack and require more computational resources than a shorter one with special characters and numbers. Even if hackers steal your encrypted password from a hacked company, they won't have the computing power and time needed to crack the password.
Image 14.jpg

Better:
Image 15.jpg

Did I just guess anyone's password? ;)

Pretty sure this "password strength tester" doesn't take dictionary attacks into account.

Also, while "Paulson" probably doesn't appear in a regular dictionary, if you know that the person's password is from a chip head site, you can add a custom dictionary using milieu terms.
 

Nex

Usually 64 or even 128 characters would take trillions of years...500+, now that's flexing it. Usually max is set in forum settings so that is a question for the admin for sure. Longer than that and there are concerns over a long password DoS, Denial of Service Attack.
Rate limiting can be implemented, or already is.

Also for all hashing algorithms I know, it barely makes a difference if you hash 64 or 128 characters in terms of compute time. Hashing megabytes of data versus merely a long password, sure, that takes noticeably longer, but everything in the range of what's plausible one would manually type into a text box...
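The two claims in this exchange, that hashing 64 versus 128 characters costs about the same and that a length cap is the usual answer to long-password denial of service, can be checked directly. The example below is added (it is not the forum software's code) and uses PBKDF2-HMAC-SHA256 from the standard library; the iteration count and the 12-to-256-byte policy are assumptions. Whether a long input costs noticeably more depends on the implementation: one that re-keys the HMAC on every iteration scales with length, while CPython's `hashlib` keys it once, so the timing loop at the bottom should show essentially flat cost up to 100 kB. The cap is cheap insurance either way, as long as it is set well above any realistic passphrase.

```python
import hashlib
import hmac
import os
import time

# Policy values below are assumptions for this example, not the forum's settings.
MIN_LENGTH = 12
MAX_LENGTH = 256        # well above any sane passphrase, but bounds what reaches the KDF
ITERATIONS = 600_000    # PBKDF2-HMAC-SHA256 work factor (assumed)


def validate_length(password: str) -> None:
    """Reject over-long input before it reaches the KDF; a cap is the usual
    mitigation for long-password denial of service. It should be generous,
    not the 16 or 20 characters some sites still impose."""
    n = len(password.encode("utf-8"))
    if n < MIN_LENGTH:
        raise ValueError(f"password shorter than {MIN_LENGTH} bytes")
    if n > MAX_LENGTH:
        raise ValueError(f"password longer than {MAX_LENGTH} bytes")


def length_ok(password: str) -> bool:
    try:
        validate_length(password)
        return True
    except ValueError:
        return False


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted, iterated hash for storage; returns (salt, digest)."""
    validate_length(password)
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    if not length_ok(password):          # same cap on the login path
        return False
    got = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(got, expected)


def kdf_seconds(length: int, iterations: int = ITERATIONS) -> float:
    """Wall-clock cost of PBKDF2 for a password of `length` bytes, bypassing the
    cap so the effect of length alone is visible."""
    pw = b"a" * length
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", pw, b"fixed-salt-for-timing-only", iterations)
    return time.perf_counter() - t0


if __name__ == "__main__":
    # Iterations dominate: the 100 kB input costs one extra SHA-256 pass over the
    # key, which is lost in the noise next to 600k iterations.
    for n in (16, 64, 128, 1024, 100_000):
        print(f"{n:>7} bytes: {kdf_seconds(n):.3f} s")
```

Note that the cap is enforced on the login path too, and with a plain `False` rather than an exception, so an attacker cannot tell a rejected-for-length attempt from a wrong password.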
 

bezerkus

Pretty sure this "password strength tester" doesn't take dictionary attacks into account.

Also, while "Paulson" probably doesn't appear in a regular dictionary, if you know that the person's password is from a chip head site, you can add a custom dictionary using milieu terms.
Sow, Peepel hoo spel badlee hav gud parsswerdz? ;) Good point on dictionaries (some testers do that too). I'm no mathematician, but it would still take nation-state resources to crack even a long enough, correctly spelled sentence (5 words or more) as long as it wasn't a common phrase or quote (the more random the better). Not advocating against misspelling or special characters, as that is just another layer, but the point is length should be most important (5 words should be sufficient). Most 'dictionary' attacks are just with lists of the most commonly used/breached passwords (phrases and special characters all included, along with special ch@racter $ubstitutions). If you want to know if your password has been breached, check out https://haveibeenpwned.com/Passwords which is the same site other password checkers check against, and which others (along with the FBI) feed hundreds of millions of common passwords to.
 

JWC

It’s better than nothing but leaves a lot to be desired. One big difference is that Google password manager doesn’t encrypt your passwords unless you change some settings but doing so breaks all the sync features. Because of this, Google could (if they wanted) go read any of your passwords right now. No one at Bitwarden could. (Somewhat a personal risk appetite question, how far do you trust Google?)

Similarly, BW is open source and Google PM is well, owned by Google, there are tons of benefits of open source software (as @Nex mentions above) but this is a big benefit to me of BW or KeePass over other options.

Lastly, BW also has a bunch of great QOL features not present in Google PM:

-customizable password generation
-notes and attachments
-storing items not tied to a website

I went back and added a few key accounts to Bitwarden, and added two factor authentication to these accounts as well.
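The distinction in that post is about where the key lives. In a zero-knowledge design the sync server only ever receives a login hash and ciphertext, both derived on the client from the master password, so "could the vendor read my passwords" has a structural answer rather than a policy one. The example below is added (loosely modelled on Bitwarden's published key-derivation scheme, but simplified and not its code) and uses only the standard library, so it substitutes an HMAC-SHA256 counter-mode stream with encrypt-then-MAC for the AES-plus-HMAC the real clients use. The iteration count, the key labels and the vault contents are assumptions constructed for the demo.

```python
import hashlib
import hmac
import json
import os

# Assumed parameters. The key schedule is loosely modelled on Bitwarden's
# published design but simplified; this is illustrative code, not theirs.
KDF_ITERATIONS = 600_000
NONCE_LEN, TAG_LEN = 16, 32


def master_key(password: str, email: str) -> bytes:
    """Derived on the client from the master password; never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), KDF_ITERATIONS)


def auth_hash(mkey: bytes, password: str) -> bytes:
    """The login credential the client sends. One more PBKDF2 round keyed the
    other way round, so it is a one-way function of the master key; the server
    should hash it again with its own salt before storing it."""
    return hashlib.pbkdf2_hmac("sha256", mkey, password.encode(), 1)


def subkeys(mkey: bytes):
    """Expand the master key into separate encryption and MAC keys (HKDF-style)."""
    enc = hmac.new(mkey, b"vault-encryption", hashlib.sha256).digest()
    mac = hmac.new(mkey, b"vault-authentication", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (stdlib has no AES)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def encrypt_vault(mkey: bytes, vault: dict) -> bytes:
    """Returns nonce || ciphertext || tag, encrypt-then-MAC."""
    enc_key, mac_key = subkeys(mkey)
    nonce = os.urandom(NONCE_LEN)
    plaintext = json.dumps(vault).encode()
    ciphertext = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(mkey: bytes, blob: bytes) -> dict:
    enc_key, mac_key = subkeys(mkey)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):          # check the MAC before touching data
        raise ValueError("wrong master password or tampered vault")
    return json.loads(_xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def try_open(password: str, email: str, blob: bytes):
    """What a client does after sync: derive the key locally and attempt to open."""
    try:
        return decrypt_vault(master_key(password, email), blob)
    except ValueError:
        return None


def what_the_server_stores(password: str, email: str, vault: dict) -> dict:
    """Everything the sync server receives for this account: no key, no plaintext."""
    mkey = master_key(password, email)
    return {"auth_hash": auth_hash(mkey, password), "vault_blob": encrypt_vault(mkey, vault)}


if __name__ == "__main__":
    sample = {"example.com": {"user": "alice", "password": "hunter2"}}   # constructed
    stored = what_the_server_stores("correct horse battery staple", "alice@example.com", sample)
    print(try_open("correct horse battery staple", "alice@example.com", stored["vault_blob"]))
    print(try_open("wrong password entirely", "alice@example.com", stored["vault_blob"]))
```

The property to notice is that `what_the_server_stores` returns nothing from which `master_key` can be recovered without running the same slow KDF over guesses, which is also why the earlier post's warning stands: there is no recovery path for a forgotten master password in this design, because the server never had what it would need to offer one.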
 

dkersey

I downloaded Bitwarden a couple of months ago but couldn't bring myself to set it all up. I finally got around to it, and now feel a lot better about managing passwords.

My previous method was only working about 80% of the time, which was to forward an email to myself and move it to a special folder. Sometimes it would be there...sometimes not.

I believe I run a relatively simple life but it turns out I put about 80 entries in it!!!

Overall I'm thinking we are better off now.
 

buffalojim

I downloaded Bitwarden a couple of months ago but couldn't bring myself to set it all up. I finally got around to it, and now feel a lot better about managing passwords.

My previous method was only working about 80% of the time, which was to forward an email to myself and move it to a special folder. Sometimes it would be there...sometimes not.

I believe I run a relatively simple life but it turns out I put about 80 entries in it!!!

Overall I'm thinking we are better off now.
Nice :tup:
:tup::tup:
 