
Warning: change your password please!

respice finem

Major Contributor
Joined
Feb 1, 2021
Messages
1,867
Likes
3,777
Never use password managers, especially ones hosted on someone else's computer
There is no cloud, just other people's computers...
My "policy": credentials stored in a rar file, encrypted with a really long and difficult password, located on an external USB stick (with multiple backups). Admittedly not very comfortable, but lets me at least feel a bit safer than cloud-based solutions.
That said, perfect online security doesn't exist anyway, a password stored in a browser can also be stolen, or I might catch a keylogger etc.
 

Digby

Major Contributor
Joined
Mar 12, 2021
Messages
1,632
Likes
1,559
My "policy": credentials stored in a rar file, encrypted with a really long and difficult password, located on an external USB stick (with multiple backups). Admittedly not very comfortable, but lets me at least feel a bit safer than cloud-based solutions.
Isn't that a bit OTT for sites where a breach would be relatively immaterial, presuming same password is not shared over multiple sites? I'm not saying to use bad passwords, but does it really need that level of concern on all websites. Wouldn't some kind of tiered system be better, depending on the importance of the website?
 

respice finem

Major Contributor
Joined
Feb 1, 2021
Messages
1,867
Likes
3,777
Isn't that a bit OTT for sites where a breach would be relatively immaterial, presuming same password is not shared over multiple sites? I'm not saying to use bad passwords, but does it really need that level of concern on all websites. Wouldn't some kind of tiered system be better, depending on the importance of the website?
The best / most comfortable would probably be some form of easy biometric system. But if someone were able to steal or copy your biometrics, big trouble ahead. Yes, there are different levels, but it's increasingly difficult to "keep your life offline".
 

Blumlein 88

Grand Contributor
Forum Donor
Joined
Feb 23, 2016
Messages
20,759
Likes
37,607
The best / most comfortable would probably be some form of easy biometric system. But if someone were able to steal or copy your biometrics, big trouble ahead. Yes, there are different levels, but it's increasingly difficult to "keep your life offline".
Well, passkeys are something like that. Look into it. Google, Apple and Microsoft already have it available. Best Buy and Target already let you use them in place of passwords. A few other places too.

 

martijn86

Active Member
Joined
Aug 30, 2019
Messages
277
Likes
985
Location
The Netherlands
If your password is password then it's not hard to crack, these attacks target the low hanging fruit.

Also, adding a year and/or an exclamation mark at the end isn't going to save you.

Normally (if you're not a specific target) they just run the 10K most popular passwords (available to the public on GitHub) and a script that tries all the variations on those with capitals, numbers and special characters added. That's automated guessing and pretty fast, it'll give you some positives from a large database.

If you are a specific target because your account has greater value, trying to crack a password becomes an option. They'll try to brute-force all possible combinations of characters. On top of not being easy to guess, the length of a password now becomes important. Every extra character increases the number of possibilities exponentially. If we only count for letters, 26*10⁴ combinations are a lot faster to crunch than 26*10⁸. That's why passphrases are pretty effective if you need a long password that you can remember.

[image: Passwords-chart-1384x727.jpg]


Control leaked e-mail. The easiest scam is just spamming a leaked e-mail address. No password involved. You can add a note to the e-mail address you use to make an account. For example [email protected] has +asr added. The e-mail is still being delivered to [email protected]. However, if you get spam, you can see where it is directed to. If it is directed to +asr, ASR has willingly or unwillingly leaked your e-mail address. You can simply block all mail that's directed at the +asr combo, notify the site's owner and register a new e-mail (+asr2 for example) at the website.
For non specific targets, if your password is compromised as well, they'll likely try to login to your PayPal with the +asr e-mail. Even if your password isn't unique, that'll fail. But please, use unique passwords!

If you're the type of audio enthusiast who has a NAS or home server to store their music, you can host your own Bitwarden server with Vaultwarden. This way your data is stored locally with open source software.

Safe browsing!
 
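The two attack tiers described in the post above (untargeted dictionary-plus-mangling guessing, then exhaustive brute force where length dominates), as an added example that is not part of the original post. The common-password list is a constructed ten-word stand-in for the public top-10K lists mentioned, the mangling rules are an assumed minimal set, and the guess rate is an assumed figure; the keyspace calculation treats the character classes present as the attacker's alphabet, which is an upper bound.

```python
import math
import re

# Constructed excerpt standing in for a "most common passwords" list.
# The public top-10K lists the post refers to are far longer; this is not a real list.
COMMON_PASSWORDS = [
    "password", "123456", "qwerty", "letmein", "dragon",
    "iloveyou", "monkey", "football", "welcome", "summer",
]

# Assumed mangling rules of the kind an automated guesser applies to every base
# word: capitalisation, leetspeak, and the "year and/or exclamation mark" suffix.
YEARS = [str(y) for y in range(1990, 2026)]
SUFFIXES = ["", "!", "1", "12", "123", "!!"] + YEARS + [y + "!" for y in YEARS]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def mangle(word):
    """Yield every variant of one base word that the guesser will try."""
    bases = {word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)}
    for base in bases:
        for suffix in SUFFIXES:
            yield base + suffix


def build_guess_set(common=COMMON_PASSWORDS):
    """All candidates for the untargeted 'low hanging fruit' attack."""
    return {guess for word in common for guess in mangle(word)}


def guessable(password, guesses):
    """True if the password falls to the dictionary-plus-mangling attack."""
    return password in guesses


# Targeted attack: exhaustive search. The keyspace is the size of the character
# classes actually present raised to the length, so every extra character
# multiplies the attacker's work by the alphabet size.
CHARSETS = [
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^a-zA-Z0-9]"), 33),  # printable ASCII punctuation, incl. space
]


def brute_force_keyspace(password):
    """Upper bound on the number of candidates an exhaustive search must cover."""
    alphabet = sum(size for pattern, size in CHARSETS if pattern.search(password))
    return alphabet ** len(password)


def keyspace_bits(password):
    """The same keyspace expressed in bits, handier for comparing two candidates."""
    return math.log2(brute_force_keyspace(password))


def seconds_to_exhaust(password, guesses_per_second):
    """Worst-case time at an assumed guess rate (offline cracking rates vary widely)."""
    return brute_force_keyspace(password) / guesses_per_second


if __name__ == "__main__":
    guesses = build_guess_set()
    print(f"{len(guesses)} guesses generated from {len(COMMON_PASSWORDS)} base words")
    for pw in ["Password2023!", "Dr@g0n1", "Summer2019!", "correct horse battery staple"]:
        verdict = "FALLS to dictionary attack" if guessable(pw, guesses) else "survives dictionary attack"
        print(f"{pw!r}: {verdict}, {keyspace_bits(pw):.0f} bits against brute force")
    # The passphrase point: 24 lowercase letters out-score 12 characters of mixed classes.
    print(f"24 lowercase: {keyspace_bits('a' * 24):.0f} bits; "
          f"12 mixed-class: {keyspace_bits('aB1!aB1!aB1!'):.0f} bits")
```

Note that `Password2023!` and `Dr@g0n1` satisfy typical "upper, lower, digit, symbol" site rules yet fall to the cheap first-tier attack, while a long lowercase passphrase survives it and also has the larger brute-force keyspace; the mangling rules here are a small subset of what real cracking rule sets apply, so a password surviving this list is not proof of strength.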

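The plus-addressing trick from the post above (tagging the registration address, attributing spam to the tag, blocking it and re-registering with +asr2), as an added example that is not part of the original post. It assumes a provider that delivers `local+tag@domain` to `local@domain`, which not every provider does; the mailbox, the messages and the spam flags are all constructed sample data.

```python
import re
from collections import Counter

# Assumed plus-addressing convention: local+tag@domain is delivered to local@domain.
# Check that your provider actually supports this before relying on it.
ADDRESS = re.compile(r"^(?P<local>[^@+\s]+)(?:\+(?P<tag>[^@\s]+))?@(?P<domain>[^@\s]+)$")


def split_address(addr):
    """Return (canonical mailbox, tag or None). Matching is case-insensitive."""
    match = ADDRESS.match(addr.strip().lower())
    if not match:
        raise ValueError(f"not an e-mail address: {addr!r}")
    return f"{match['local']}@{match['domain']}", match["tag"]


def same_mailbox(a, b):
    """True if two addresses land in the same inbox once the tag is stripped."""
    return split_address(a)[0] == split_address(b)[0]


def spam_by_tag(messages, mailbox):
    """Count spam per tag for mail delivered to one canonical mailbox."""
    counts = Counter()
    for msg in messages:
        canonical, tag = split_address(msg["to"])
        if canonical == mailbox and msg["spam"]:
            counts[tag] += 1
    return counts


def leaked_tags(messages, mailbox, threshold=1):
    """Tags whose spam count reaches the threshold. Untagged spam cannot be attributed."""
    return {tag for tag, n in spam_by_tag(messages, mailbox).items()
            if tag is not None and n >= threshold}


def next_tag(site, tags_in_use):
    """Fresh tag for re-registering at a site that leaked: asr -> asr2 -> asr3 ..."""
    if site not in tags_in_use:
        return site
    n = 2
    while f"{site}{n}" in tags_in_use:
        n += 1
    return f"{site}{n}"


# Constructed sample of one mailbox's incoming mail (not real messages).
# The "spam" flag is the user's own classification of each message.
SAMPLE_MAIL = [
    {"to": "alice+asr@example.com", "from": "noreply@forum.example", "spam": False},
    {"to": "alice+asr@example.com", "from": "deals@spammer.example", "spam": True},
    {"to": "Alice+ASR@Example.com", "from": "promo@spammer.example", "spam": True},
    {"to": "alice+shop@example.com", "from": "orders@shop.example", "spam": False},
    {"to": "alice@example.com", "from": "random@spammer.example", "spam": True},
]

if __name__ == "__main__":
    mailbox = "alice@example.com"
    print(dict(spam_by_tag(SAMPLE_MAIL, mailbox)))
    tags_in_use = {split_address(m["to"])[1] for m in SAMPLE_MAIL} - {None}
    for tag in sorted(leaked_tags(SAMPLE_MAIL, mailbox)):
        print(f"+{tag} leaked: block alice+{tag}@example.com, "
              f"re-register with +{next_tag(tag, tags_in_use)}")
```

The value of the tag is attribution, not defence: a spammer who understands plus-addressing can strip the `+asr` part and reach the base mailbox anyway, and spam arriving untagged (the last sample message) tells you nothing about which site leaked it.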
dualazmak

Major Contributor
Forum Donor
Joined
Feb 29, 2020
Messages
2,850
Likes
3,047
Location
Ichihara City, Chiba Prefecture, Japan
Thank you for the warning. Password was just changed into a more complex one (16 characters) including upper-case letters, numbers and symbols, and two-step verification was enabled.
 

respice finem

Major Contributor
Joined
Feb 1, 2021
Messages
1,867
Likes
3,777
Well, passkeys are something like that. Look into it. Google and Apple and I think Microsoft already have it available. Best Buy and Target already let you use them in place of passwords. A few other places too.
Thanks, I'll consider other options when I see my old ways don't work any more - so far, they do. Yes I'm getting old :)
 

Azathoth

Active Member
Joined
Oct 18, 2020
Messages
116
Likes
264
Thanks for the quick alert
 

Blumlein 88

Grand Contributor
Forum Donor
Joined
Feb 23, 2016
Messages
20,759
Likes
37,607
Thanks, I'll consider other options when I see my old ways don't work any more - so far, they do. Yes I'm getting old :)
Well, might be a case of fixing something before it breaks. Plus it is actually much easier, much more secure and takes out even the possibility of a breach for several common methods of breaching sites. I wouldn't think anything is perfect, but this is a big improvement in general security.
 

Blumlein 88

Grand Contributor
Forum Donor
Joined
Feb 23, 2016
Messages
20,759
Likes
37,607
I'm sure many know of such sites, but here is one where you can check how strong your password is. Unlike some that simply assume brute-force cracking, this one uses known tables and password info, so that some passwords deemed safe elsewhere are shown to not be so safe.

 


fpitas

Master Contributor
Forum Donor
Joined
Jul 7, 2022
Messages
9,885
Likes
14,211
Location
Northern Virginia, USA
1234hackmeplease isn't good anymore?
 

Blumlein 88

Grand Contributor
Forum Donor
Joined
Feb 23, 2016
Messages
20,759
Likes
37,607
One thing I'm not sure is a step forward are places that require upper and lowercase and special characters. For a time and sometimes still, I used pass phrases. I could easily remember several of those which were very long which makes them relatively secure. Not many sites let you simply use long pass phrases unless you check off those other requirements. Yet a 24 character pass phrase is better than a 12 character one with those different things in it.
 

GD Fan

Addicted to Fun and Learning
Forum Donor
Joined
Jan 7, 2020
Messages
967
Likes
1,744
Location
NY, NY USA
What do you suggest, writing them on a notepad and putting in a drawer?

Seriously, if you have a unique password for every site, then you aren't going to remember 10+ login passwords (presuming they are decent passwords).
My long-standing practice. It's a considerable improvement over my preferred method of a post-it note on the side of my monitor!
 