Keeping Passwords Safe

[DGShaffer]

Years back I started an excel spread sheet for a bunch of personal information including passwords, login, web address links, security question answers, etc. It's also password protected

What I have learned is that I only use one simple 6 digit login for any site that's non sensitive. I use a password generator for any site requiring sensitive or financial information and change it fairly often. I also check my credit report often

[Pepper2]

Quote:

Originally Posted by Playtime III

We keep a phone/address book (the thing you parents used to keep all of their phone numbers and addresses of friends). The book is a great back up should my Norton cards and log-ins fail.

Same here. The log does not stand out in appearance,just another binder among other manuals and road atlases etc.

[NukeRef]

I use RoboForm2Go. It's on a flash drive, and loads a green program on your machine when you plug it in.

[bruceisla]

Quote:

Originally Posted by DGShaffer

What I have learned is that I only use one simple 6 digit login for any site that's non sensitive. I use a password generator for any site requiring sensitive or financial information and change it fairly often. I also check my credit report often

Pretty much the same for me ... if it's not connected to "my money", who cares ...

[pcurt23]

I use 1password it is not free, but easy to use.

[SeeTheUSA]

Quote:

Originally Posted by pcurt23

I use 1password it is not free, but easy to use.

X2 on 1password. Have used it for several years and like it.

[sirpurrcival]

As a computer engineer, I go old school. Firstly, I try to simplify the password issue by using the same one for non sensitive sites. Even if it does get hacked on a particular site, that doesn't really matter unless they they know your other sites and to follow up on that theme, the words "non sensitive" take on a lot of meaning here. There aren't many who would really have much to gain by posing as me on this site for example. Crooks are in it for money and where there is none to be had, they generally aren't to be found.

2nd. I always am a little leery of all the password management programs out there. I used to manage passwords for a company network system and all I really needed for a series of users (in the 100's) was an excel spreadsheet. It can be password protected and a small excel file can be named any number of innocuous things.

3rd. Ask yourself exactly "what do you know about the company that makes that freeware password manager". Who wrote it, what kind of features might they have built into it? Free is just that, free. Any programmer from anywhere can put software up on the net.

Some other alternatives

You can use the notepad functions on your smartphones. Make sure your phones are password protected (no pun intended). Your phone is almost always with most folks these days. It can be a big benefit to have that information at your disposal especially if you are using your phone to surf the web. However, phones can be stolen too so you may want to consider phone apps that wipe your phone after entering 3 wrong passwords. Some of these are built in, others may be 3rd party.

Lastly, I really don't like it when programs put your passwords in for you. Think about it. If your computer falls into the wrong hands or is compromised, they don't even need the passwords to get at your stuff. There really is no substitute for manual entry. I am constantly stunned when working on computers that I can access banking and other financial information by simply going to a website. Nothing like that shortcut on the desktop that says "BANKING" to invite ne'er do wells. Don't take any solace in the idea that your computer is protected. Any computer guy worth his salt can usually bypass these things in a matter of minutes. Especially when end users very often circumvent some of the security features themselves by failing to enable them (fingerprint scanners for example).

The best security and safety is 1 part common sense, 1 part guile, 1 part paranoia. Play the "what if" game. What if my computer or phone is stolen, what if I have to unexpectedly change a password. What if I have to recover all that information. In some ways, a good old paper list in a safe is not a bad idea. I frequently encourage my customers to create a "tech bible" with passwords for things like wireless internet connections. The ones who take the advice often find that it saves them a lot of hassle and money when it comes to having someone fix some problem they are having. Paper has the benefit of being "unhackable" as well.

Everybody has their own system that they are comfortable with. The truth is that for most "recreational" users, simple, straightforward solutions will answer 90% of the needs most users have.

[smiller]

Quote:

Originally Posted by sirpurrcival

Lastly, I really don't like it when programs put your passwords in for you. Think about it. If your computer falls into the wrong hands or is compromised, they don't even need the passwords to get at your stuff. There really is no substitute for manual entry.

Many good thoughts in your post, but I disagree with the above for two reasons. One, a good password program (I'm referring to LastPass here, but I assume other quality programs are similar) manages the risk in a number of ways. First, a master password must first be input for any auto-fill function to work so someone gaining control of your computer by theft would not have access since they would have to unlock/reboot the computer which would clear the master password. There is a chance that someone could attempt to use your active computer while you are away grabbing a doughnut, but you can set the password to expire based on screen lock or a timer to minimize this possibility. And someone can look at your Excel file just as easily (easier in fact, unless you are perfect) while you are grabbing that doughnut, or maybe even copy the file.

One must always remember the inevitable human factors involved in password management. Yes, you can keep the passwords in a notepad/Excel file but will you necessarily be any better in protecting that than an automated system would? Will you always close it when you walk away? And if trust yourself to that extent, why is closing/locking an auto-fill program any different? And in fact an automated system is actually safer because it isn't subject to you forgetting. And that doesn't include issues with using passwords on multiple machines, etc. In the real world a properly implemented password program is in the vast majority of cases safer than a manual system. The operator has to do their part to make either system safe, but doing your part is a lot easier with automation. And in the human realm, 'easier' means it actually gets done.

[Wayne M]

Quote:

Originally Posted by DGShaffer

Years back I started an excel spread sheet for a bunch of personal information including passwords, login, web address links, security question answers, etc. It's also password protected

What I have learned is that I only use one simple 6 digit login for any site that's non sensitive. I use a password generator for any site requiring sensitive or financial information and change it fairly often. I also check my credit report often

First, let me start with this: Crack Excel Password and if you believe that people in the business of stealing computers for financial gain don't have these program...well, they do. As for the link, it is just an example and there are many others out there that will cost a little money, but do the job well.

Second, my forte was computer forensic analysis. That is, obtaining computers and analyzing the information that was on them for policy violations, or users breaking the law. Programs are available and relatively real cheap that will let you change the administrator password on a computer in less than 5 minute run time. Just put in the DVD and it will run on boot-up. Once that is done you have free range of the computer. Protecting any of the "office" type programs with passwords is a no brainer and so easily cracked. Any password that is a multiple of 7 numbers, letters, upper/lower case and special characters are the easiest to crack and 8-13 of the same are more difficult if all the combinations are used.

The real problem is when you don't suspect that your system has been compromised, or your password file stolen. That gives the perpetrators much more time to use brute force on passwords.

However, unless you are a banker or a financial guru, I don't think you have to worry. Any of the methods of using files will work for you, even the written and stored safely list.

The point is - nothing is safe. A question was once asked what a secure connection is. The answer was something like a system that is in a secure vault with no outside connections and a guard at the door. But then how well do you trust the guard?