
Password security

I just got this advice from one of my banks

…. security details for your online accounts. Do not write them down or save them on your computer…..
Also
Make sure you change your password regularly and make it difficult to guess by using a mix of letters and numbers.
Sounds like good advice but.

I regularly log in to several accounts, even more shopping sites, and have hundreds (it seems like) of sites I am registered to, including this one, where I require a password.

Now how am I supposed to follow the above advice when I can hardly remember what I did last week without writing it down, never mind 40 or so passwords changed say once every 3 months, that’s 160 passwords a year.

So what is the best way to remember it all? I don’t want to use the same password all over the place. I don’t want to spend money on encryption software, not that I know anything about it. I kind of fight shy of things like "let us remember your passwords for you" and autofill etc.

At the moment I have a database file that I keep on a CDRW and that requires a password to open it. On this I keep all my passwords. As far as I’m concerned if the wrong person saw that it would be total disaster so I keep it in a safe place. But there is always a short period when I am logged onto the net and have that file open? (I do have Anti Virus, Firewall and Anti spyware from Talk Talk)

Am I completely stupid in doing what I do or am I reasonably safe, and if not safe then what is a convenient way to keep passwords available for someone who can only hold one or two passwords in their head?

Thanks

Comments

  • superscaper
    superscaper Posts: 13,369 Forumite
    Part of the Furniture 10,000 Posts Combo Breaker
    "She is quite the oddball. Did you notice how she didn't even get excited when she saw this original ZX-81?"
    Moss
  • A:I
    A:I Posts: 500 Forumite
    Yes, you should be fine. Just keep that CD in a safe place, maybe even write something random on the label. That's better than having them on your local system.
    I recommend a password at least 8/9 characters long, consisting of letters/numbers and higher/lower case. No password should be a real word, or anything related to yourself (family member, pet's name, house number etc).

    You can only do so much to help yourself, the rest is down to the security of the websites you log into. The general idea is that if somebody is determined enough, they will crack the site/passwords etc.
    GL. ;)
  • planemad
    planemad Posts: 569 Forumite
    Part of the Furniture Combo Breaker
    I have a password book with all usernames and passwords written in (a bit like a telephone book).
    I write the passwords in code by leaving certain letters missing and only I know what they mean.
    I also keep the book very safe inside a mini safe.

    Also when typing any password I ALWAYS use the on-screen keyboard instead of the one in front of me.
  • BritBrat
    BritBrat Posts: 3,764 Forumite
    The main point is, if your bank asks you, you have never done anything against the advice/T&C.

    Having said that, normally there is more than one part to get into online banking, and making a note of one part is not going to let them in if you can remember the rest of it.
  • isofa
    isofa Posts: 6,091 Forumite
    If you have a Mac you can use the built-in Keychain system; on a PC, why not try KeePass, part of the open source Portable Apps suite, it's at: http://portableapps.com/apps/utilities/keepass_portable

    It is essentially a password manager, which encrypts all your passwords using powerful techniques with one master password. It can run on a USB key, leaving absolutely nothing behind on the host PC.

    I use the technique described in the link posted by superscaper for many sites: I have a base password, then linked to a set of codes relating to the website.
  • nickj_2
    nickj_2 Posts: 7,052 Forumite
    You could have a look at RoboForm, https://www.roboform.com
    It manages all your passwords and encrypts them.
  • isofa wrote: »
    ...why not try KeePass part of the open source Portable Apps suite, it's at: http://portableapps.com/apps/utilities/keepass_portable

    Second this. I work in IT Security and KeePass is one of the best ways to manage passwords securely. By using it, you can safely set a unique 16 character (or more if you want), complex password for each account you want to protect. Storing it on a portable drive means that you can have access to your passwords wherever you go, and the encryption over the database files should mean that you're not afraid of losing it.

    Three tips though:

    1/. Use a pronounceable simple password (i.e. all alphabet characters but not a dictionary word) for sites that don't hold sensitive information about you (e.g. MSE forums). This should be the one password you do remember, and will make your life easier because you don't need to load up KeePass every time you come to a login screen.

    2/. Protect your KeePass database file using a strong password which is based on a phrase which you can remember (e.g. the lyric 'The long and winding road' generates the password 'Tl&wr'). Aim for 8 characters or more on this one.

    3/. Keep a backup of the KeePass database file on your home PC (which will be secured with another password of course!). That way, if you lose your pen drive you can quickly change the passwords for all of your sensitive accounts in less time than it will take an attacker to break the encryption on the database file.


    Stay safe kids. :cool:
  • wolfman
    wolfman Posts: 3,225 Forumite
    Try using Password Composer:
    http://www.xs4all.nl/~jlpoutre/BoT/Javascript/PasswordComposer/

    You basically come up with a "base" password, and it gets combined with the domain of the site you're logging in to, and hashed into a random alphanumeric password.

    That way every site has a different password, but you only have to remember one base password.

    I then set up levels of base password depending upon the site.

    For things like email and bank details I use a rule based system like above. Good ideas for example are using songs to create the characters of the password.
    "Boonowa tweepi, ha, ha."
  • GoofyGAT
    GoofyGAT Posts: 1,835 Forumite
    Part of the Furniture 1,000 Posts Combo Breaker
    Another option is to store your 'database' file in a password-protected TrueCrypt volume (TrueCrypt is free encryption software that can be used to safeguard other sensitive files & folders).

    Last free version of RoboForm that did 30 passwords - get v5.7.6 (filename AiRoboForm-5-7-6.exe) from here. G
  • isofa wrote: »
    If why not try KeePass part of the open source Portable Apps suite

    I'm going to give this a try. I'm not a computer expert so it still leaves me with the thought that when I want to use a password I log on to my bank's web site then I open the KeePass database. At this point is it possible for a hacker to see what I can see on my computer or is this just science fiction?
    I mean I hear of computers sending out spam at the behest of a hacker without the owner knowing about it and things like that, and also all I can see is asterisks if I were to type the passwords from memory (what's the reason for that?) so it makes me a bit paranoid.
This discussion has been closed.