Passwords

Free, open, general chat on any topic.

Moderator: Orlion

lorin
The Gap Into Spam
Posts: 3492
Joined: Tue Feb 10, 2009 2:28 am
Been thanked: 1 time

Passwords

Post by lorin »

Without giving away secrets, do any of you have a method to the madness with all these passwords? Everyone tells me don't have the same password for all these sites. So how do you remember them all, especially the ones that won't remember your password/pass phrase?
Iolanthe
The Gap Into Spam
Posts: 3359
Joined: Sun Feb 05, 2012 3:58 pm
Location: Lincolnshire, England

Post by Iolanthe »

I have exactly the same trouble Lorin. I have a folder in my email called "sign ins" where I put emails from sites acknowledging that I have joined, but many of them do not include the password! Also, I use a browser where I can click on a key and it signs in for me. I have a devil of a job if I accidentally delete the bookmark and the key doesn't work. I tend to use the same two or three passwords for many things - it's trying to remember which one I've used for which site that is difficult. We are told not to write them down, but I can't think of any other way of doing it. I have 3 different pin numbers for bank cards and I remember them as a tune - rather like the Close encounters tune would be 56441 (or I suppose it should be 23115).
I am playing all the right notes, but not necessarily in the right order!

"I must state plainly, Linden, that you have become wondrous in my sight."
lorin
The Gap Into Spam
Posts: 3492
Joined: Tue Feb 10, 2009 2:28 am
Been thanked: 1 time

Post by lorin »

Iolanthe wrote:I have exactly the same trouble Lorin. I have a folder in my email called "sign ins" where I put emails from sites acknowledging that I have joined, but many of them do not include the password! Also, I use a browser where I can click on a key and it signs in for me. I have a devil of a job if I accidentally delete the bookmark and the key doesn't work. I tend to use the same two or three passwords for many things - it's trying to remember which one I've used for which site that is difficult. We are told not to write them down, but I can't think of any other way of doing it. I have 3 different pin numbers for bank cards and I remember them as a tune - rather like the Close encounters tune would be 56441 (or I suppose it should be 23115).
But then putting them in an email folder is really risky isn't it? What if you get hacked? Someone has gotten into my email 2 times already. All my banking, retirement funds, IRAs, etc. have different passwords. But if you try 2x and don't get it right they block you until you call the help desk. I was reading an article about PayPal. According to PayPal, 60% of their calls are for resetting passwords. They say that eventually getting onto a site will be retinal, but not in our time.
ussusimiel
The Gap Into Spam
Posts: 5346
Joined: Tue May 31, 2011 12:34 am
Location: Waterford (milking cows), and sometimes still Dublin, Ireland

Post by ussusimiel »

lorin, Hashi would be a good person to ask about this, he's very interested in cryptography and may have some good suggestions.

I tend to use two methods for passwords. The first is to use a single password for all new important logins for a period of time; a year, two years or whatever suits. I keep a note of the new logins in a text file with a cryptic reference to the password that only I will know.

Sometimes, a new login will insist that you use capitals, numbers or symbols in your login. In such an instance I still use the same password but with certain of the letters replaced by numbers or symbols. Here's an example of what I'm talking about:
  • basic password: insistence
    with capital: Insistence
    with capital and number: Insistenc3
    with capital, number and symbol: In$istenc3
3 and 1 are good numbers to use to replace 'e' and 'i'. I would use $ for 's' because of the shape. You could also use @ for 'a'.

You would still need to keep a note of which one you use for which, but the advantage of this method is that you can use the same basic password for a number of years. Obviously it's best to change the basic password after a certain length of time because if someone were to find it out they could get access to all of your important accounts.

For less important and less frequent logins, I try to use a password that associates with the site itself. For KW I use a word that is from the Chrons so it's easy to remember eg 'analystic', 'unambergrised', 'clinquant'. If it was a Physics site I might use something like 'darkmatter' or 'higgsboson'.

Here are the Top Twenty most used passwords. Do not use any of these!
123456
12345
123456789
Password
iloveyou
princess
rockyou
1234567
12345678
abc123
Nicole
Daniel
babygirl
monkey
Jessica
Lovely
michael
Ashley
654321
Qwerty
u.
Tho' all the maps of blood and flesh
Are posted on the door,
There's no one who has told us yet
What Boogie Street is for.
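Added example, not part of any post in this thread: a signup-time screen that undoes the capital and symbol swaps described in the post above (3 for e, 1 for i, $ for s, @ for a) and compares the result with the Top Twenty list. The function names and the four-word sample dictionary are constructed for illustration.

```python
# The "Top Twenty" list quoted in the post above, lowercased.
TOP_TWENTY = {
    "123456", "12345", "123456789", "password", "iloveyou", "princess",
    "rockyou", "1234567", "12345678", "abc123", "nicole", "daniel",
    "babygirl", "monkey", "jessica", "lovely", "michael", "ashley",
    "654321", "qwerty",
}

# Constructed sample dictionary; a real check would load a full wordlist.
SAMPLE_WORDS = {"insistence", "darkmatter", "higgsboson", "clinquant"}

# The substitutions named in the post: 3 for e, 1 for i, $ for s, @ for a.
UNLEET = str.maketrans({"3": "e", "1": "i", "$": "s", "@": "a"})


def base_form(password: str) -> str:
    """Undo capitalisation and the post's symbol swaps."""
    return password.lower().translate(UNLEET)


def screen(password: str) -> str:
    """Classify a candidate password the way a signup check could."""
    if password.lower() in TOP_TWENTY:
        return "common"
    base = base_form(password)
    if base in TOP_TWENTY:
        return "common-variant"
    if base in SAMPLE_WORDS:
        return "dictionary-variant"
    return "not-listed"


def share_base(passwords) -> bool:
    """True when every password reduces to the same base word."""
    return len({base_form(p) for p in passwords}) == 1


if __name__ == "__main__":
    # The four variants from the post all reduce to one dictionary word.
    variants = ["insistence", "Insistence", "Insistenc3", "In$istenc3"]
    for candidate in variants + ["Qwerty", "P@ssword"]:
        print(f"{candidate:12} {base_form(candidate):12} {screen(candidate)}")
    print("variants share one base:", share_base(variants))
```

A result of not-listed only means the password is absent from these two small lists; it says nothing about its strength.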
Iolanthe
The Gap Into Spam
Posts: 3359
Joined: Sun Feb 05, 2012 3:58 pm
Location: Lincolnshire, England

Post by Iolanthe »

lorin wrote:But then putting them in an email folder is really risky isn't it? What if you get hacked? Someone has gotten into my email 2 times already. All my banking, retirement funds, IRAs, etc. have different passwords. But if you try 2x and don't get it right they block you until you call the help desk. I was reading an article about PayPal. According to PayPal, 60% of their calls are for resetting passwords. They say that eventually getting onto a site will be retinal, but not in our time.
Hadn't thought of that. My email has never been hacked, but someone got my bank details once. We got the money back, and haven't had any trouble since. I can actually remember my PayPal sign in!
Iolanthe
The Gap Into Spam
Posts: 3359
Joined: Sun Feb 05, 2012 3:58 pm
Location: Lincolnshire, England

Post by Iolanthe »

ussusimiel wrote: Here are the Top Twenty most used passwords. Do not use any of these!
123456
12345
123456789
Password
iloveyou
princess
rockyou
1234567
12345678
abc123
Nicole
Daniel
babygirl
monkey
Jessica
Lovely
michael
Ashley
654321
Qwerty
u.
I'm pleased to say I don't use any of those. Being a family historian I do tend to use certain surnames backwards as passwords, with some numbers as well.
shadowbinding shoe
The Gap Into Spam
Posts: 1477
Joined: Sat Mar 15, 2008 6:33 am

Post by shadowbinding shoe »

It's probably smart to write down your passwords somewhere. If you're worried about email hacking, what with news about PRISMs and such, you can save them in a computer file or if you're still worried, on a piece of paper which you may then hide in various unlikely places such as inside your wooden leg (strapped to a pack of c4. - never can be too safe ;) Of course it becomes vital that you remember the code for defusing your leg)
123456
12345
123456789
Password
iloveyou
princess
rockyou
1234567
12345678
abc123
Nicole
Daniel
babygirl
monkey
Jessica
Lovely
michael
Ashley
654321
Qwerty
I remember reading once that the most common passwords tended to contain God, swear-words and birthday dates and names of family & pets.
ussusimiel
The Gap Into Spam
Posts: 5346
Joined: Tue May 31, 2011 12:34 am
Location: Waterford (milking cows), and sometimes still Dublin, Ireland

Post by ussusimiel »

shadowbinding shoe wrote:
123456
12345
123456789
Password
iloveyou
princess
rockyou
1234567
12345678
abc123
Nicole
Daniel
babygirl
monkey
Jessica
Lovely
michael
Ashley
654321
Qwerty
I remember reading once that the most common passwords tended to contain God, swear-words and birthday dates and names of family & pets.
Welcome to the new generation, they know their keyboard and their baby-names, but are godless and clean-tongued! :lol:

u.
Iolanthe
The Gap Into Spam
Posts: 3359
Joined: Sun Feb 05, 2012 3:58 pm
Location: Lincolnshire, England

Post by Iolanthe »

shadowbinding shoe wrote:you can save them in a computer file or if you're still worried, on a piece of paper which you may then hide in various unlikely places such as inside your wooden leg (strapped to a pack of c4. - never can be too safe ;) Of course it becomes vital that you remember the code for defusing your leg)
There, I knew that one day I'd find another use for the box I put my teeth into at night!
Lefdmae Deemalr Effaeldm
The Gap Into Spam
Posts: 2943
Joined: Wed May 25, 2011 12:45 pm
Location: Deep in psychotic, warped and weird thoughts
Has thanked: 1 time

Post by Lefdmae Deemalr Effaeldm »

I'm amused to say that I use some like these, including "123456" - I even use "1" for a password at times :lol: But don't worry, that's where I have to put something for a password, but don't care about it getting known in the slightest. As for more serious things, I usually use a combination of a set part I just remember, a pattern and an association.

Additional bad ideas, apart from those most common passwords, are words, names, dates and any generally available personal data (like using your nickname as a password, while it's easy to see on your Facebook account). So, good passwords are easy for you to restore, but not for anyone else.

I tend to use associations with parts of songs. For example, for KW it can be
"children of the land
Love is still the answer take my hand"
Queen - The Prophet's Song. This will be (may be 1st or 2nd or 3rd letters, as you decide) - "cotllistatmh" or "hfhaosthnaya". Now let it be a PayPal account. I'll stick to Queen. Let Me Live
"All you do is take
And all I do is give"
The password is "ayditaaidig" (1st letters this time).

For additional safety and a bit more than letters, I take a piece I'm going to remember and base a pattern on, for example, lzJP1...@# - with the pattern above, this is "lzJP1cotllistatmhlzJP1@#" and "lzJP1ayditaaidig@#".

But for very important things it's healthier to make a full separate password though, and change it often. A few passwords are possible to just remember. Songs can be of use there as well, but with fresh symbols and numbers. The other part can be taken just from some other source, another song or not guessable association. For example, symbols based on just what you find looking good, numbers based on associations due to numerology - but that's a separate long story on its own :) and there are whole books on that, not much use to retell.
A role-player, beware
deer of the dawn
The Gap Into Spam
Posts: 6758
Joined: Mon Feb 11, 2008 12:48 pm
Location: Jos, Nigeria

Post by deer of the dawn »

I keep passwords in a password-protected Word document on my computer.

I have one, really strong password I use for most everything; it includes numbers, caps and lower case.

If I ever get to where I want to have individual passwords for different sites, maybe I would use the same but add, say, the name of the site, or 1-3 letters from it, at the end.

I've never had my stuff hacked, so far.
Be kind, for everyone you meet is fighting a great battle. -Philo of Alexandria

ahhhh... if only all our creativity in wickedness could be fixed by "Corrupt a Wish." - Linna Heartlistener
DoctorGamgee
Bloodguard
Posts: 750
Joined: Tue Jul 26, 2011 8:54 pm
Location: Laredo, TX

Post by DoctorGamgee »

You should make up a sentence which you won't forget and use its acrostic/combination as your password.

For example:

Folger's coffee, $2.29 a pound at A&P.

or

Eggo waffles, 1.19 at Walmarts.

these become:

Fc$2.29a#aA&P
Ew1.19@W

Easy to remember, completely random. Upper/Lower, specials...
Proud father of G-minor and the Bean
aliantha
blueberries on steroids
Posts: 17865
Joined: Tue Mar 05, 2002 7:50 pm
Location: NOT opening up a restaurant in Santa Fe

Post by aliantha »

I use a particular sequence (NOT my phone number or anything else that's easily guessable) as a base and change it up. Everything's written on a note in my phone (which is password-protected because I've got my work e-mail going to it and they're nuts about security).

I've also got most of my passwords written on post-its at home. Not the most secure system, I know....

EZ Board Survivor

"Dreaming isn't good for you unless you do the things it tells you to." -- Three Dog Night (via the GI)

https://www.hearth-myth.com/
Akasri
Haruchai
Posts: 736
Joined: Thu Jan 08, 2004 9:06 pm

Post by Akasri »

I have a program called KeePass (freeware, open source). It lets me store all the passwords in one file and then protect that file with a really superstrong password. Then I only have to remember that one password. I can store the password file on a thumbdrive that I carry around all the time for work.

The only problem is if I am on a machine that doesn't have KeePass installed.

I looked for a similar program that would use my smart phone but I'm just not that convinced of the phone security to trust using it.
Iolanthe
The Gap Into Spam
Posts: 3359
Joined: Sun Feb 05, 2012 3:58 pm
Location: Lincolnshire, England

Post by Iolanthe »

Hey Akasri, that looks good. I found it on the web and will download it. Thanks.
Vraith
The Gap Into Spam
Posts: 10623
Joined: Fri Nov 21, 2008 8:03 pm
Location: everywhere, all the time
Been thanked: 3 times

Post by Vraith »

Paranoid guy I know does much what Ak. says...all the passwords on a flash drive. But somehow [maybe there's software to do it???] even HE doesn't know what his passwords are...just what they go to.
And he drags/drops them [without seeing them??? don't ask me] to avoid keylogging stuff.
[spoiler]Sig-man, Libtard, Stupid piece of shit. change your text color to brown. Mr. Reliable, bullshit-slinging liarFucker-user.[/spoiler]
the difference between evidence and sources: whether they come from the horse's mouth or a horse's ass.
"Most people are other people. Their thoughts are someone else's opinions, their lives a mimicry, their passions a quotation."
the hyperbole is a beauty...for we are then allowed to say a little more than the truth...and language is more efficient when it goes beyond reality than when it stops short of it.
Lefdmae Deemalr Effaeldm
The Gap Into Spam
Posts: 2943
Joined: Wed May 25, 2011 12:45 pm
Location: Deep in psychotic, warped and weird thoughts
Has thanked: 1 time

Post by Lefdmae Deemalr Effaeldm »

That is, so that if his pocket is picked or the flash drive just falls out or gets forgotten somewhere, all his data is permanently lost? :) I do hope he has a backup at least.

And keylogging can be avoided more easily with a screen keyboard. Not like that's needed that much in most cases.

This all reminds me of the joke about the Uncatchable Joe. In case anyone doesn't know that one:
Several cowboys are drinking. Suddenly, a person riding a horse gallops past them and disappears in the distance.
- Who was that?
- The Uncatchable Joe
- Wow, is he called so because he is that fast, so that nobody in the whole Wild West can catch him?
- No, because nobody wants to
sgt.null
Jack of Odd Trades, Master of Fun
Posts: 48350
Joined: Tue Jul 19, 2005 7:53 am
Location: Brazoria, Texas
Has thanked: 8 times
Been thanked: 10 times

Post by sgt.null »

Julie has all the important stuff. I have fun stuff. I employ just two passwords.
Lenin, Marx
Marx, Lennon
Good Dog...
Hashi Lebwohl
The Gap Into Spam
Posts: 19576
Joined: Mon Jul 06, 2009 7:38 pm

Post by Hashi Lebwohl »

I missed this thread before. My boss uses KeePass (or something like that) but he also tends to leetspeak his passwords, l1k3 7h15.

I have always found that a two-step system works perfectly but starting last year I upgraded this to four steps. First, start off with a relatively obscure word such as "roynish" or "riparian" of at least 6 letters--ideally you will actually use a word not in your native language like "zavreno", which is Czech for "closed" (but I can't put the hacek marks in there without using alt+ characters) or "cazador", which is Spanish for "hunter". Next, you leave the first and last letters where they are but rearrange all the others; now "cazador" becomes "codzaar". The third step I use, which is new, is to slide either one letter to the left or right on the keyboard but don't forget to wrap around--going left from "a" brings you to "l". After this step, "cazador" is now "vpfxsst". Capitalize one of the letters but not the first one, making our password "vpfxSst". Finally, throw on a four- or five-digit number such as "the zip code of the city in which I was born" and you have a nearly-unbreakable password: vpfxSst77057. For added complexity throw in a symbol like $ or % in between the letters and numbers. vpfxSst^77057--it would take thousands of centuries for even the most powerful brute-force attacks to get through that. If you forget which order you randomized the letters then shift them the opposite way you shift for the keyboard, turning "cazador" into "czadoar". The key to this sort of password protection is that a simple system compounded by a simple system which is subsequently compounded by a simple system becomes very complex very quickly.

A somewhat simpler method is to know where your password is without knowing what it is. Pick a book at random from your bookshelf then turn to a random page. Choose a word of at least 7 letters then jot down the page number, line number, and which word in the sentence your word is located. This can give you "roynish87139" (which I just made up at random but you get the picture). A little less uncrackable because it is a dictionary word but still fairly secure.

Effaeldm mentioned keyloggers. If you are the unfortunate recipient of one of those most malicious of malwares then no system of password protection can save you. Always keep your computer protected at all times--I use both Malwarebytes and Spybot Search&Destroy, update them frequently, and never have any problems.
The Tank is gone and now so am I.
lorin
The Gap Into Spam
Posts: 3492
Joined: Tue Feb 10, 2009 2:28 am
Been thanked: 1 time

Post by lorin »

Hashi Lebwohl wrote:I have always found that a two-step system works perfectly but starting last year I upgraded this to four steps. First, start off with a relatively obscure word such as "roynish" or "riparian" of at least 6 letters--ideally you will actually use a word not in your native language like "zavreno", which is Czech for "closed" (but I can't put the hacek marks in there without using alt+ characters) or "cazador", which is Spanish for "hunter". Next, you leave the first and last letters where they are but rearrange all the others; now "cazador" becomes "codzaar". The third step I use, which is new, is to slide either one letter to the left or right on the keyboard but don't forget to wrap around--going left from "a" brings you to "l". After this step, "cazador" is now "vpfxsst". Capitalize one of the letters but not the first one, making our password "vpfxSst". Finally, throw on a four- or five-digit number such as "the zip code of the city in which I was born" and you have a nearly-unbreakable password: vpfxSst77057. For added complexity throw in a symbol like $ or % in between the letters and numbers. vpfxSst^77057--it would take thousands of centuries for even the most powerful brute-force attacks to get through that. If you forget which order you randomized the letters then shift them the opposite way you shift for the keyboard, turning "cazador" into "czadoar". The key to this sort of password protection is that a simple system compounded by a simple system which is subsequently compounded by a simple system becomes very complex very quickly.

A somewhat simpler method is to know where your password is without knowing what it is. Pick a book at random from your bookshelf then turn to a random page. Choose a word of at least 7 letters then jot down the page number, line number, and which word in the sentence your word is located. This can give you "roynish87139" (which I just made up at random but you get the picture). A little less uncrackable because it is a dictionary word but still fairly secure.
Do you do a separate one for each site?
Hashi Lebwohl wrote:Effaeldm mentioned keyloggers. If you are the unfortunate recipient of one of those most malicious of malwares then no system of password protection can save you. Always keep your computer protected at all times--I use both Malwarebytes and Spybot Search&Destroy, update them frequently, and never have any problems.
I always wondered about something. Why do Macs rarely get attacked by these kinds of things? Is it just that there are so many fewer Macs than Microsoft machines or are Macs less vulnerable? I have never put protection on my Mac and have never been 'invaded'.