How Strong is your Password?

Discussion in 'Amateur Radio News' started by AA7BQ, Apr 22, 2023.

  1. K8NY

    K8NY Ham Member QRZ Page

    Hey Fred,
    Thanks for the great food for thought and for your suggestion on creating a dynamic PW based on the name of the site you're trying to access. That way the PW is long and somewhat unique. Gonna try some of that although I have about 100-200 sites to go through.
     
  2. K8NY

    K8NY Ham Member QRZ Page

    "It is absolutely essential that you have a different password for every website you frequent."

    Excellent and thank you
     
    AK5B likes this.
  3. KU4GW/SK2023

    KU4GW/SK2023 Ham Member QRZ Page

    I've gotten so I use two-factor authentication on all the websites I use. They send a 6-8 digit code via text message to my cellphone I have to type in to log in. Much more secure that way! I've also started using a search engine at https://duckduckgo.com/ because they don't track my internet searches and they've provided me an alias @duck.com email address that removes all trackers from emails before they make it to my inbox.

    "Very 73 de Cliff, KU4GW"
     
  4. KQ4AFY

    KQ4AFY Platinum Subscriber Platinum Subscriber QRZ Page

    That method is suitable if there is no other option, but it is vulnerable to cloning attacks, and they receive your MFA code. Yes, it's convenient, but it gives a false sense of security.
     
  5. KE0KOY

    KE0KOY Ham Member QRZ Page

    See how much you like two-factor authentication when you lose your phone.
     
    AK5B likes this.
  6. VK3LOL

    VK3LOL Ham Member QRZ Page

    2 mins for 8 mixed characters and letters..... under what circumstances? in what scenario?

    Well, the answer is in the link...
    Essentially the times listed are for GPU hardware against an MD5 hash.
    This is in no way realistic unless a leak has happened and your hash gets out.
    If that were an issue then yes, that service and possibly other services where you use the same password might be easily compromised.

    But if I set up a Gmail account and let someone see if they can instantly crack its 4-letter password... won't happen, Gmail will limit the number of attempts.

    So really you need a poor password AND you also need to fall victim of a breach before these figures become relevant.

    Best defence is don't use the same password all over the place.

    GOOD information on password security is good to have, but without qualification or context this is not good information.
     
    NA6O likes this.
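
Added example, not part of VK3LOL's post or the thread: it measures how many guesses per second this machine makes against a fast unsalted MD5 hash and against PBKDF2, then compares exhausting an 8-character password offline with guessing it through a throttled login form. The 62-character alphabet, the PBKDF2 salt and iteration count, the 10-attempts-per-hour limit and the single-CPU-core measurement are assumptions made for illustration.

```python
import hashlib
import time

ALPHABET = 62        # assumed: a-z, A-Z, 0-9
LENGTH = 8           # the 8-character case discussed in the post

def keyspace(alphabet_size, length):
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length

def fast_md5(pw):
    return hashlib.md5(pw).digest()

def slow_pbkdf2(pw, salt=b"constructed-salt", iterations=100_000):
    # Salt and iteration count are constructed values for this example.
    return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)

def measure_rate(hash_fn, seconds=0.2):
    """Guesses per second achieved locally with hash_fn (one CPU core)."""
    n = 0
    start = time.perf_counter()
    while time.perf_counter() - start < seconds:
        hash_fn(b"candidate%d" % n)
        n += 1
    return n / (time.perf_counter() - start)

def offline_seconds(space, guesses_per_second):
    """Worst case when the hash has leaked: limited only by hash speed."""
    return space / guesses_per_second

def online_seconds(space, attempts_per_window, window_seconds):
    """Worst case through a login form that throttles attempts."""
    return space / attempts_per_window * window_seconds

def humanize(seconds):
    for unit, size in (("years", 31_557_600), ("days", 86_400),
                       ("hours", 3_600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"

def report():
    space = keyspace(ALPHABET, LENGTH)
    return {
        "offline, unsalted MD5": humanize(offline_seconds(space, measure_rate(fast_md5))),
        "offline, PBKDF2 x100k": humanize(offline_seconds(space, measure_rate(slow_pbkdf2))),
        "online, 10 tries/hour": humanize(online_seconds(space, 10, 3600)),
    }

if __name__ == "__main__":
    for scenario, worst_case in report().items():
        print(f"{scenario:24s} {worst_case}")
```

The absolute figures depend on the hardware running it; the point is the gap between the three rows for the same password.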
  7. HB9DDS

    HB9DDS XML Subscriber QRZ Page

    Nobody can remember long passwords for all different websites, logins etc with 16+ characters, numbers and special characters. Nobody.

    And how do you solve that? Password manager? Well, how do you log in to such a password manager?

    To make matters worse, you also need to know which password goes with what.

    Questions about questions.

    Daniel
    HB9DDS
     
    Last edited: Apr 23, 2023
  8. M0RVB

    M0RVB QRZ Lifetime Member #378 Platinum Subscriber Life Member QRZ Page

    I've always used strong passwords and MFA when available, passwords stored in an app that encrypts the password store and self-destructs if the master password is entered wrong x times. Of course the master password is the weak link there so is necessarily complex. However, the password store only relates passwords to URLs and usernames in a way that I can remember but would be hard for anyone else - so you break in and get 100 different complex passwords but no clue as to where to use any of them.

    On the other hand the wife hates passwords so has very few that are easy to remember and used all over the place. I am working on that slowly, but at least she has a main one which is multiple words plus symbols and numbers that are easy for her to remember but is apparently the strongest in the table that Fred sent in post 1.
     
  9. KA7RRA

    KA7RRA Platinum Subscriber Platinum Subscriber QRZ Page

    I use totootwo
     
    GM4JPZ and AK5B like this.
  10. KU4GW/SK2023

    KU4GW/SK2023 Ham Member QRZ Page

    No idea. I keep up with my stuff, especially my phone!
     
  11. WW5F

    WW5F Ham Member QRZ Page

    Right before I left the military (15 years ago...), I had about 6 typewritten pages of very strong passwords. I was thinking, "This is crazy!" Immediately after I left the military, it dropped to 2 pages of typewritten passwords. Whew! What a relief!

    Now, I'm up to 10 typewritten pages of very strong passwords.

    We're all being sucked deeper and deeper into a hole we all won't be able to get out of.
     
    AK5B likes this.
  12. K1GC

    K1GC Premium Subscriber QRZ Page

    I manage my passwords with PWSafe, which is a free and open source application available for iOS, Android and Windows (not sure about Mac). A single password (mine exceeds 26TN years to crack) protects an encrypted file you keep on a free server like Dropbox. The app works flawlessly across all of my devices and at last check I had close to 300 unique passwords all in the 100’s of billions of years range to crack. Has worked well for me since before 2010.

    https://pwsafe.org/

    Pro’s: Free and about as secure as it gets. Will do two factor if desired with Yubikey

    Con’s: Takes a little more time to setup across multiple devices than a packaged service (though once set up it is almost zero maintenance)
     
  13. KQ4GUI

    KQ4GUI Ham Member QRZ Page

    I'll use to be or not to be tis the question. hihi
     
  14. K1GC

    K1GC Premium Subscriber QRZ Page

    Most have alternatives like email. I have needed it when I did have my phone and it was a non issue.
     
  15. N1EN

    N1EN Premium Subscriber QRZ Page

    Thing is -- if you want to follow the good-password practices of having strong passwords and having different passwords for each device/website, a password manager is about the only viable option for folks with non-eidetic memories.

    I'm still using LastPass, despite their security breaches, trusting that the long phrase I use as a password is sufficiently robust to provide protection for a few more years, since it's "included" with my antivirus tool.

    I have been considering alternatives, however...and still haven't found anything that has all the features I want:
    • Runs on Windows, MacOS, and Android; and can integrate with a common browser on all those platforms (ideally autofilling login and password information on demand)
    • Easy access to secure random password generation
    • Capability to sync among devices via some cloud service that I control (as opposed to a common repository)
    The "via some cloud service that I control" is the critical bit. It's only a matter of time before some other tools see the cloud database where users' password vaults are stored compromised.

    In an ideal world, this tool would also work as a 2FA authenticator tool that also syncs "secrets" (the damned QR codes, etc) among Windows / MacOS / Android devices via "cloud service that I control".... or I would find a standalone syncable 2FA device that could be paired with my new password manager. I'd use 2FA authenticators more if I didn't have to re-set-up the tools every time I change computers/phones.
     
