
Kitty4670
Veteran

Joined: 18 Nov 2014
Gender: Female
Posts: 7,973
Location: California,USA

02 Oct 2020, 4:10 pm

I’m NOT good with passwords. I need to change 62 passwords 8O I’m not good with making up names; I used to be creative when I was a teenager. I need to change my Apple ID. I changed the password, the password wasn’t strong enough, I changed it again, and now they need my current ID, and stupid me forgot it already :roll: :cry:



AuroraBorealisGazer
Veteran

Joined: 12 May 2015
Gender: Female
Posts: 4,082
Location: Fluidic Space

02 Oct 2020, 4:23 pm

I just had to change a ton of my passwords too (my Google account said they were compromised). It's a hassle and it stresses me out. I try to maintain a list of my important passwords, but I rely on saved passwords for most things. They say that biometric encryption may soon replace passwords, so I hope that makes things easier.



kokopelli
Veteran

Joined: 27 Nov 2017
Gender: Male
Posts: 3,657
Location: amid the sunlight and the dust and the wind

02 Oct 2020, 5:47 pm

Whenever possible, I use nonsense pass phrases. They are relatively easy to remember but are hard to guess if done right.

Usually they are four to six words. My worst ever was something like "He went to the desert seeking fine woolen roses, but all he found was a goose and nine feet."

Let's consider four to six word pass phrases.

If you randomly choose them out of a dictionary of 1,000 words, then there would be:
4 words: 1000^4=10^12 possibilities.
5 words: 1000^5=10^15 possibilities
6 words: 1000^6=10^16 possibilities

If the dictionary size was 50,000 words (always try to use at least one unusual word) and you have
4 words: 50000^4=6.25*10^18 possibilities
5 words: 50000^5=3.125*10^23 possibilities
6 words: 50000^6=1.5625*10^28 possibilities

And that's all with a space between each word and all the same case. Mix up the cases and it gets better. And maybe add some punctuation.

Even better is to misspell one or more words.

Some time ago I set up a wifi router to loan to someone for a week or two. I wanted a really easy to remember password and so I used "i wish i were an oscar meir weiner" as the password. Nobody else was able to log on even knowing the password. It turned out that since I misspelled mayer and wiener, nobody was able to hit the right combination of misspellings.

Anyway, on my 4 to 6 word passphrases, I don't just use 4 to 6 random words. Instead, they do have to follow grammatical rules to make them sound reasonable, if unlikely. I often use a slightly different form of the word than you would find in a dictionary. For example:

lovely little red baedeker
seventeen xanthodermic binocular monastery walls

Or I include other punctuation to make something sound like a really strange cooking ingredient:
92 # zenzizenzizenzic gopher feet



kokopelli
Veteran

Joined: 27 Nov 2017
Gender: Male
Posts: 3,657
Location: amid the sunlight and the dust and the wind

03 Oct 2020, 12:00 am

Another suggestion might be to use a password manager. Let it create absurdly complex passwords and remember them for you. Then all you need is one password.

Then there is this which is due come out sooner or later: https://dicekeys.com/

It's a set of 25 special dice that are only rolled once. That one roll is used to create a password that would be very difficult to guess.

A video https://dicekeys.com/videos/DemoScanOnS20.mp4

They not only use numbers on the dice, but also letters and the orientation of the dice, and each die is different from the other 24 dice.

For those who are interested, here are a couple of little math problems:

1) Given 25 unique dice that may appear in any order, and taking the orientations into account as well as the number and letter on each die, calculate how many combinations there are. Note that if there were 25 of a single die, it would be 24^25=32,009,658,644,406,818,986,777,955,348,250,624 combinations. With 25 unique dice, it will be far more.

2) Given 100 unique dice, as above, from which 25 dice are randomly chosen, how many combinations would there be?

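As an added worked example (not code from either of the two posts above), the passphrase arithmetic from the earlier post and the two dice puzzles from this one, in Python. The word list is a constructed stand-in for a real dictionary. The dice count assumes what the post's own 24^25 figure implies: 6 faces times 4 orientations, so 24 states per die, and that a different ordering of distinguishable dice is a different outcome.

```python
import math
import secrets

# Constructed mini word list standing in for a dictionary (assumption: a real
# run would load a large list; the entropy figures below use dictionary_size,
# not the length of this toy list).
SAMPLE_WORDS = [
    "desert", "woolen", "roses", "goose", "feet", "lovely", "little",
    "red", "baedeker", "seventeen", "binocular", "monastery", "walls",
    "gopher", "zenzizenzizenzic", "xanthodermic",
]

def search_space(dictionary_size: int, word_count: int) -> int:
    """Number of distinct passphrases: N**k for k words from N candidates."""
    return dictionary_size ** word_count

def passphrase_bits(dictionary_size: int, word_count: int) -> float:
    """Entropy in bits when every word is chosen uniformly at random
    (with replacement): log2(N**k) = k * log2(N).  Words chosen by a human
    to 'sound reasonable' are not uniform, so this is an upper bound."""
    return word_count * math.log2(dictionary_size)

def random_passphrase(words, word_count: int) -> str:
    """Draw with the CSPRNG (secrets), never random.choice, which is seeded
    from a predictable state."""
    return " ".join(secrets.choice(words) for _ in range(word_count))

def dicekey_states(distinct_dice: int = 25, chosen: int = 25,
                   faces: int = 6, orientations: int = 4) -> int:
    """Puzzle 1 is dicekey_states(25, 25): choose and order `chosen` of the
    `distinct_dice` dice (math.perm(n, k) = n! / (n-k)!), then each shows
    one of faces*orientations states.  Puzzle 2 is dicekey_states(100, 25)."""
    return math.perm(distinct_dice, chosen) * (faces * orientations) ** chosen

if __name__ == "__main__":
    for n in (1000, 50000):
        for k in (4, 5, 6):
            print(f"{k} words from {n}: {search_space(n, k):.3e}, "
                  f"{passphrase_bits(n, k):.1f} bits")
    print("25 unique dice:", dicekey_states(25, 25))
    print("25 of 100 unique dice:", dicekey_states(100, 25))
    print(random_passphrase(SAMPLE_WORDS, 5))
```

The bits column is the number a cracker cares about: 1000^6 is about 60 bits, 50000^6 about 94 bits, and the dice roll dwarfs both.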


Soliloquist
Velociraptor

Joined: 13 Oct 2011
Age: 55
Gender: Male
Posts: 467

03 Oct 2020, 2:57 am

Try KeePassX or the community driven fork KeePassXC to create and store unique passwords.

Quote:
KeePassX is an application for people with extremely high demands on secure personal data management. It has a light interface, is cross platform and published under the terms of the GNU General Public License.

KeePassX saves many different kinds of information, e.g. user names, passwords, URLs, attachments and comments, in one single database. For better management, user-defined titles and icons can be specified for each single entry. Furthermore, the entries are sorted into groups, which are customizable as well. The integrated search function allows searching in a single group or the complete database.
KeePassX offers a little utility for secure password generation. The password generator is very customizable, fast and easy to use. Especially someone who generates passwords frequently will appreciate this feature.

The complete database is always encrypted either with AES (alias Rijndael) or Twofish encryption algorithm using a 256 bit key. Therefore the saved information can be considered as quite safe. KeePassX uses a database format that is compatible with KeePass Password Safe. This makes the use of that application even more favourable.


Why use KeePassX over one of the other password managers?
Quote:
I believe that any component or application (including password manager) which deals with security or crypto should be open source. As such, my main problem with 1Password and LastPass is that those programs are not open source.

On top of that, LastPass is a service which means your data is stored on 3rd party servers by default and the main interface for accessing data is a browser extension which has all kinds of security implications.

The LastPass website claims that all of the encryption and decryption is handled locally and passwords are never sent to their servers in plain text. The Chrome extension does include a native (NPAPI) component which is supposed to safely handle crypto, but I still trust a native open source application way more than I trust closed-source binary browser plugins.

1Password does have relatively good documentation which describes which cryptographic algorithms are used and how, but this doesn’t make a difference and change the fact that the application is not open source.


Synchronize the KeePassX database with your Android devices



GGPViper
Veteran

Joined: 23 Sep 2009
Gender: Male
Posts: 5,880

04 Oct 2020, 12:12 pm

I recommend "password", "123456" or "God".

Those are all very strong, hard-to-crack passwords...



Double Retired
Veteran

Joined: 31 Jul 2020
Age: 69
Gender: Male
Posts: 5,221
Location: U.S.A.         (Mid-Atlantic)

04 Oct 2020, 12:48 pm

Further information: Choosing and Protecting Passwords

Choosing a good password and remembering the good password are two separate problems. Make sure you do both. And that you do it differently for every place you need a password.

(Since you need to change so many passwords I'm guessing you already use different passwords for different places, but for the benefit of anyone who doesn't: Don't use the same password in different places!! Bad guys break into the less important systems with weak security, see what your password is there, and then go to the really important systems and see if you have the same password there...if you do, they smile!)

I tend to use one of two methods for choosing passwords:

(1) A pass phrase--but I don't use the words, I just use their first letters. And I mix in special characters and digits in a way that makes sense to me in that phrase. For instance, "The people on Wrong Planet are neurodiverse like me!" could get you "TpoWPanlm!"

(2) Random! 26 upper case + 26 lower case + 10 digits + 10 special characters I pick however = something I can use two dice and a coin to select from. I can randomly choose one position in the password for which I will only use an upper case, one where only a lower case will do, ditto with digits and special characters...all of the other positions get whatever is randomly drawn for them. These passwords can be as long as you want. And you'll need to be a savant or you'll need a password manager.


_________________
When diagnosed I bought champagne!
I finally knew why people were strange.
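An added example, not code from the post above, implementing both of its methods in Python. The arithmetic behind method (2) is the post's own: 26 + 26 + 10 + 10 = 72 = 6 × 6 × 2, so two dice and a coin address every symbol exactly once; here the dice and coin are simulated with the `secrets` CSPRNG. The ten special characters are an assumption (the post says "I pick however"), and the first-letters function for method (1) implements only the plain rule plus trailing punctuation, not the personal digit and symbol tweaks the post mentions.

```python
import math
import secrets
import string

SPECIALS = "!@#$%^&*-_"          # assumption: any ten symbols the site allows
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": SPECIALS,
}
ALPHABET = "".join(CLASSES.values())
assert len(ALPHABET) == 72       # 6 * 6 * 2: two dice and a coin

def roll_symbol(alphabet: str = ALPHABET) -> str:
    """One throw of two dice and a coin.  (d1-1)*12 + (d2-1)*2 + coin is a
    bijection from the 72 outcomes onto the 72 symbols, so every symbol is
    equally likely; no outcome is wasted or double-counted."""
    d1, d2 = secrets.randbelow(6), secrets.randbelow(6)
    coin = secrets.randbelow(2)
    return alphabet[d1 * 12 + d2 * 2 + coin]

def dice_password(length: int) -> str:
    """Method (2): reserve one randomly chosen position per character class
    (so 'must contain upper/lower/digit/special' rules are always met), and
    fill every other position with an unconstrained throw."""
    if length < len(CLASSES):
        raise ValueError("need at least one position per character class")
    rng = secrets.SystemRandom()
    positions = rng.sample(range(length), k=len(CLASSES))
    reserved = dict(zip(positions, CLASSES.values()))
    return "".join(
        secrets.choice(reserved[i]) if i in reserved else roll_symbol()
        for i in range(length)
    )

def has_all_classes(password: str) -> bool:
    return all(any(c in pool for c in password) for pool in CLASSES.values())

def password_bits(length: int, alphabet_size: int = 72) -> float:
    """Upper bound on entropy; the four reserved positions draw from smaller
    pools, so the true figure is slightly lower."""
    return length * math.log2(alphabet_size)

def phrase_acronym(phrase: str) -> str:
    """Method (1): first letter of each word, keeping trailing punctuation."""
    letters = "".join(word[0] for word in phrase.split())
    tail = phrase.rstrip()[-1]
    return letters + tail if not tail.isalnum() else letters

if __name__ == "__main__":
    pw = dice_password(16)
    print(pw, has_all_classes(pw), f"{password_bits(16):.1f} bits")
    print(phrase_acronym("The people on Wrong Planet are neurodiverse like me!"))
```

Sixteen throws give roughly 16 × log2(72) ≈ 99 bits, which is why the post ends with "you'll need a password manager": nobody memorizes sixty of these.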


kokopelli
Veteran

Joined: 27 Nov 2017
Gender: Male
Posts: 3,657
Location: amid the sunlight and the dust and the wind

05 Oct 2020, 3:42 pm

Double Retired wrote:
Further information: Choosing and Protecting Passwords

Choosing a good password and remembering the good password are two separate problems. Make sure you do both. And that you do it differently for every place you need a password.

(Since you need to change so many passwords I'm guessing you already use different passwords for different places, but for the benefit of anyone who doesn't: Don't use the same password in different places!! Bad guys break into the less important systems with weak security, see what your password is there, and then go to the really important systems and see if you have the same password there...if you do, they smile!)

I tend to use one of two methods for choosing passwords:

(1) A pass phrase--but I don't use the words, I just use their first letters. And I mix in special characters and digits in a way that makes sense to me in that phrase. For instance, "The people on Wrong Planet are neurodiverse like me!" could get you "TpoWPanlm!"

(2) Random! 26 upper case + 26 lower case + 10 digits + 10 special characters I pick however = something I can use two dice and a coin to select from. I can randomly choose one position in the password for which I will only use an upper case, one where only a lower case will do, ditto with digits and special characters...all of the other positions get whatever is randomly drawn for them. These passwords can be as long as you want. And you'll need to be a savant or you'll need a password manager.


I have one password that I use on at least 500 devices at work. I initially tried having a separate password on each, but that became untenable -- I often ended up having to reset devices and reconfigure them again because I couldn't figure out what the password was for that device.

The only way that a password manager would work with those is if it kept all the passwords stored on all my computers and laptops and if it worked by the MAC address of the device I need to connect to. Fortunately, I have a really strong firewall to protect them, and direct incoming traffic to the devices is blocked.



Fnord
Veteran

Joined: 6 May 2008
Age: 67
Gender: Male
Posts: 59,831
Location: Stendec

05 Oct 2020, 4:13 pm

I learned a procedure like this back in the 1990s:

1) Select 50 words of 7 to 9 letters each at random from a dictionary
(Link to Random Word Generator.)

2) Arrange them into 2 columns of 25 words each.

3) Capitalize each word.

4) Append a randomly-generated 6-digit number to the end of each word pair.

5) Delete the spaces.  This results in 25 twenty-two character passwords.

6) Use the first one as the first password and note where used. Examples follow

• ElectionScenario281119
• OfficialWorkshop076438
• ComplainSuppress861149
• RecklessDefinite338642
• MidnightGovernor764371
• AdvocateMemorial316504
• SeasonalApproval524364
• DomesticSecurity469570
• CoincideComplete535004
• PracticeDaughter565199
• BehaviorFreshman919189
• DisgraceNotebook480676
• FootballAddicted411141
• ProfoundEngineer034091
• ContrastDominate443124
• MinistryMarathon688988
• BusinessResponse153968
• FragrantAccurate239199
• EmphasisChampion548995
• DialogueCucumber963988
• MomentumSpectrum979044
• DivisionApproach389575
• StrengthFountain880593
• MutationPriority184108
• MinorityTropical694365

Some people will replace a few characters here and there with other characters for added security:

• "MinorityTropical694365" becomes "M1nori7yTr0pic4l694E6S".


_________________
 
No love for Hamas, Hezbollah, Iranian Leadership, Islamic Jihad, other Islamic terrorist groups, OR their supporters and sympathizers.


kokopelli
Veteran

Joined: 27 Nov 2017
Gender: Male
Posts: 3,657
Location: amid the sunlight and the dust and the wind

05 Oct 2020, 11:28 pm

Fnord wrote:
I learned a procedure like this back in the 1990s:

1) Select 50 words of 7 to 9 letters each at random from a dictionary
(Link to Random Word Generator.)

2) Arrange them into 2 columns of 25 words each.

3) Capitalize each word.

4) Append a randomly-generated 6-digit number to the end of each word pair.

5) Delete the spaces.  This results in 25 twenty-two character passwords.

6) Use the first one as the first password and note where used. Examples follow

• ElectionScenario281119
• OfficialWorkshop076438
• ComplainSuppress861149
• RecklessDefinite338642
• MidnightGovernor764371
• AdvocateMemorial316504
• SeasonalApproval524364
• DomesticSecurity469570
• CoincideComplete535004
• PracticeDaughter565199
• BehaviorFreshman919189
• DisgraceNotebook480676
• FootballAddicted411141
• ProfoundEngineer034091
• ContrastDominate443124
• MinistryMarathon688988
• BusinessResponse153968
• FragrantAccurate239199
• EmphasisChampion548995
• DialogueCucumber963988
• MomentumSpectrum979044
• DivisionApproach389575
• StrengthFountain880593
• MutationPriority184108
• MinorityTropical694365

Some people will replace a few characters here and there with other characters for added security:

• "MinorityTropical694365" becomes "M1nori7yTr0pic4l694E6S".


From what I've read, programs written to try to guess passwords will often try the combinations of simple letter to number replacements as well.

So if they try MinorityTropical694365, most will supposedly try M1nori7yTr0pic41694E6S as well.

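An added example in Python, not code from either post, that does two things: it runs Fnord's six-step procedure (with a constructed list of 8-letter words standing in for the random word generator the post links), and it puts a number on kokopelli's point about letter-to-digit substitutions by enumerating every variant a substitution rule set would generate for "MinorityTropical694365". The substitution table is an assumption chosen to cover the post's own example (including 3→E and 5→S); real cracking rule sets are larger, which only strengthens the point.

```python
import itertools
import math
import secrets

# Constructed stand-in for a dictionary of 7-9 letter words (assumption).
EIGHT_LETTER_WORDS = [
    "Election", "Scenario", "Official", "Workshop", "Complain", "Suppress",
    "Reckless", "Definite", "Midnight", "Governor", "Advocate", "Memorial",
    "Minority", "Tropical", "Strength", "Fountain", "Mutation", "Priority",
]

def fnord_passwords(words, count: int = 25) -> list:
    """Steps 1-5: draw 2*count words, lay them out as two columns, capitalize
    each, append a random 6-digit number (zero-padded, as in 034091), and
    drop the spaces.  Uses the CSPRNG for both the words and the digits."""
    rng = secrets.SystemRandom()
    drawn = [rng.choice(words).capitalize() for _ in range(2 * count)]
    col1, col2 = drawn[:count], drawn[count:]
    return [f"{a}{b}{secrets.randbelow(10**6):06d}" for a, b in zip(col1, col2)]

def fnord_bits(dictionary_size: int) -> float:
    """Entropy of one such password: two uniform words plus six uniform digits."""
    return 2 * math.log2(dictionary_size) + math.log2(10**6)

# Substitutions a cracker's rule file would try (assumed table; letters are
# matched case-insensitively, digits 3 and 5 map back to letters as in the
# post's example).
LEET = {"a": "4", "e": "3", "i": "1", "l": "1", "o": "0",
        "s": "5", "t": "7", "3": "E", "5": "S"}

def leet_variants(password: str) -> list:
    """Every way of applying LEET to any subset of eligible positions.
    With k eligible characters that is exactly 2**k candidates, so the
    'added security' is at most k bits on top of the unmodified password."""
    options = [(c, LEET[c.lower()]) if c.lower() in LEET else (c,) for c in password]
    return ["".join(p) for p in itertools.product(*options)]

def leet_extra_bits(password: str) -> int:
    return sum(1 for c in password if c.lower() in LEET)

if __name__ == "__main__":
    for pw in fnord_passwords(EIGHT_LETTER_WORDS, 5):
        print(pw)
    print(f"{fnord_bits(50000):.1f} bits with a 50,000-word dictionary")
    base = "MinorityTropical694365"
    variants = leet_variants(base)
    print(len(variants), "variants, i.e.", leet_extra_bits(base), "extra bits")
    print("M1nori7yTr0pic4l694E6S" in variants)
```

With a 50,000-word dictionary the two words and six digits are worth about 51 bits; the 2048 substitution variants of the example add 11 bits at most, and a rule-based cracker spends them on every candidate it was going to try anyway.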


Double Retired
Veteran

Joined: 31 Jul 2020
Age: 69
Gender: Male
Posts: 5,221
Location: U.S.A.         (Mid-Atlantic)

06 Oct 2020, 9:22 am

This December 2014 Time magazine article might be of interest.

There are techniques servers can use to protect password information. For instance, they should not store your actual password; they should store a "hash" of your password which has been generated by running your password through some difficult to reverse mathematical transformations--and when you logon they use the same transformation on the password you enter to see if it matches the stored hash.

But if the bad guys can get a copy of the server's file of hashed passwords, they can try brute-force cracking techniques to recover at least some of the passwords (perhaps yours!). Wikipedia has an entry on password cracking that reports "ordinary desktop computers can test over a hundred million passwords per second using password cracking tools running on a general purpose CPU".

As the FBI notes, the bad guys do not necessarily have to crack your password, they can use other techniques to get it. The U.S. CISA has interesting information, too.

If the bad guys can breach a poorly-protected system and crack your password there, they can then try the same password on other systems to see if it works.

No matter what you do, you are vulnerable. But be careful and you will be less vulnerable.


_________________
When diagnosed I bought champagne!
I finally knew why people were strange.


Fnord
Veteran

Joined: 6 May 2008
Age: 67
Gender: Male
Posts: 59,831
Location: Stendec

06 Oct 2020, 10:01 am

Double-Retired implies a valid point: No password-protection scheme is absolutely secure.

The best you can do is make it difficult for the casual Internet-user to guess your password.

• Make your password as long as possible.
• Use a random combination of upper-case letters, lower-case letters, numbers, and other characters as permitted.
• Do not share your passwords with anyone or keep them in their written form where they can easily be found.

If your password is difficult for you to remember ("ae2q31547vbtqetybSW$Y" instead of "SusieLovesBroccoliSoup") then it will be difficult for an attacker to guess.  However, any readable password is just as vulnerable as an unreadable password of the same length to an attacker using the "Brute Force" method.


_________________
 
No love for Hamas, Hezbollah, Iranian Leadership, Islamic Jihad, other Islamic terrorist groups, OR their supporters and sympathizers.


kokopelli
Veteran

Joined: 27 Nov 2017
Gender: Male
Posts: 3,657
Location: amid the sunlight and the dust and the wind

06 Oct 2020, 10:12 pm

Double Retired wrote:
This December 2014 Time magazine article might be of interest.

There are techniques servers can use to protect password information. For instance, they should not store your actual password; they should store a "hash" of your password which has been generated by running your password through some difficult to reverse mathematical transformations--and when you logon they use the same transformation on the password you enter to see if it matches the stored hash.

But if the bad guys can get a copy of the server's file of hashed passwords, they can try brute-force cracking techniques to recover at least some of the passwords (perhaps yours!). Wikipedia has an entry on password cracking that reports "ordinary desktop computers can test over a hundred million passwords per second using password cracking tools running on a general purpose CPU".

As the FBI notes, the bad guys do not necessarily have to crack your password, they can use other techniques to get it. The U.S. CISA has interesting information, too.

If the bad guys can breach a poorly-protected system and crack your password there, they can then try the same password on other systems to see if it works.

No matter what you do, you are vulnerable. But be careful and you will be less vulnerable.


Hashes, if done correctly, are quite secure. It's the passwords that are encrypted that may not be secure.

When you do the hashes, you don't just do one round of hashing. The firewall I'm setting up is currently configured to go through 2^12 rounds of hashing for each password. The more rounds of hashing, the longer it would take an attacker who has a copy of the password file to try the passwords. The most rounds I've ever used required about 10 seconds to verify a single password.

The way I look at it is that you choose your passwords long enough that it would take thousands of years for the fastest attacker to figure out your password. Long before that, they've got the easy pickings and yours is safe.

Of course, when you are connecting to someone else's server, you don't know how they did it. They may even still store the passwords in plain text. So you definitely don't want to repeat passwords.

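An added example in Python, not code from either of the two posts, showing both sides of what Double Retired and kokopelli describe: a server storing a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library, at the 2^12 rounds mentioned above) and verifying a login against it, beside a cracker working through a leaked file of unsalted single-round SHA-256 hashes with a word list. The "leaked" hashes and users are constructed for the example, using the three passwords from GGPViper's joke. The round count is only the post's figure; current guidance puts it much higher, which is exactly the cost knob the post is talking about.

```python
import hashlib
import hmac
import os
import time

def hash_password(password: str, rounds: int = 2**12, salt: bytes = b"") -> tuple:
    """Store (salt, digest, rounds), never the password.  A fresh random salt
    per user means equal passwords get different hashes, so one guess can't
    be checked against every user at once.  The rounds are the cost factor."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return salt, digest, rounds

def verify_password(password: str, salt: bytes, digest: bytes, rounds: int) -> bool:
    """Login check: rerun the same transformation and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return hmac.compare_digest(candidate, digest)

def seconds_per_verify(rounds: int) -> float:
    """How long one verification (and therefore one attacker guess) costs."""
    start = time.perf_counter()
    hash_password("benchmark-only", rounds=rounds, salt=b"\x00" * 16)
    return time.perf_counter() - start

# Constructed "leaked" file: unsalted, single-round SHA-256, one entry per user.
LEAKED = {
    hashlib.sha256(p.encode()).hexdigest(): f"user{i}"
    for i, p in enumerate(["password", "123456", "God"])
}

def crack_unsalted(leaked: dict, wordlist) -> dict:
    """Without salt, one hash per guess is compared against every user, and
    with a single fast round the attacker gets the hundred-million-per-second
    rate quoted above.  Returns {username: recovered_password}."""
    found = {}
    for guess in wordlist:
        h = hashlib.sha256(guess.encode()).hexdigest()
        if h in leaked:
            found[leaked[h]] = guess
    return found

if __name__ == "__main__":
    salt, digest, rounds = hash_password("nine feet of woolen roses")
    print(verify_password("nine feet of woolen roses", salt, digest, rounds))
    print(verify_password("nine feet of woollen roses", salt, digest, rounds))
    for r in (2**8, 2**12, 2**16):
        print(f"{r:6d} rounds: {seconds_per_verify(r) * 1000:.1f} ms per guess")
    print(crack_unsalted(LEAKED, ["letmein", "password", "qwerty", "123456", "God"]))
```

The same word list that recovers all three unsalted hashes in microseconds would have to be rerun per user, at the full PBKDF2 cost per guess, against the salted store; that gap, not the hash function's name, is what "done correctly" means in the post above.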


delius
Emu Egg

Joined: 30 Oct 2020
Gender: Male
Posts: 2
Location: UK

30 Oct 2020, 5:38 pm

Just registered and this is my first post.

I've been using Roboform password manager for a while. It means you only have to remember one master password to access all of them.

You can also use it to randomly generate unique long passwords for each website.

Roboform is currently free if you choose not to store your passwords in the cloud. You just need to make sure your passwords file is backed up.



KT67
Veteran

Joined: 6 May 2019
Gender: Female
Posts: 3,807

06 Nov 2020, 10:32 am

My stepdad told us what our password was 'supposed to be' when I was growing up...

Now we all have similar ones...

If I didn't know him better I'd consider that very controlling behaviour. He did it to mum too.

He isn't like that though. He still asks permission to use things. He just has this idea of an 'ideal password' based on a historical figure.


_________________
Not actually a girl
He/him


Double Retired
Veteran

Joined: 31 Jul 2020
Age: 69
Gender: Male
Posts: 5,221
Location: U.S.A.         (Mid-Atlantic)

06 May 2022, 11:17 am

From Sophos: "How to pick a proper password"


_________________
When diagnosed I bought champagne!
I finally knew why people were strange.