Password Manager

Neil_Jones

dbrookf said:

Neil_Jones said:

dbrookf said:

Were_Doomed said:

The idea is for you to be able to remember ONE very strong password ... the key for Lastpass (or similar). Then for every website that you require a password, make each one very, very strong and let Lastpass remember those passwords for you. (You want strong passwords for the websites, and each one should be different. Doing that can make them all hard to remember ... which is why you use a password manager).

Ahhhhh thank you!

Of course if you could remember your password for somewebsite is !*63H9{cn801^z, then you wouldn't need a password manager in the first place. 

You can check how secure your passwords are at websites like https://www.security.org/how-secure-is-my-password/ - the above example says it would take a computer 4 billion years to crack.  And if I stick a number one on the end of it - 4 hundred billion years.  Secure enough?  Maybe so, especially if you change it regularly.

So would you suggest i used really obscure ones like this?

As a general rule the more obscure, the more longer and the more "non standard" characters it uses, the better.    Long passwords are good; long passwords that include random words and phrases are better. If your letter combinations are not in the dictionary, your phrases are not in published literature, and none of it is grammatically correct, they will be harder to crack.

This might be worth reading:

https://www.mentalfloss.com/article/504786/8-tips-make-your-passwords-strong-possible

Remember the whole point of password managers is to remember the passwords you won't be able to.  The human brain cannot cope with something like the example I posted, especially if you have two dozen of similar complex passwords for two dozen sites, you'll just either forget them all together or if you do remember more than about three, they'll get mashed together in your head, pushing out the "real" ones in the process and you won't have a clue whether the tilde comes before or after the ampersand or whether it was a capital Z or not.

PRAISETHESUN

As previous posters have mentioned the whole point of a password manager is to allow you to have strong, unique passwords on every online service. This stops attacks based on reusing compromised passwords and also slows down cracking by exponentially increasing the time it takes to brute force/dictionary attack passwords. You only need to remember your master password and you let the password manager remember the rest - so make the actual passwords to websites as long and complicated as possible.

I always default to a 99 character password that uses a mix of random lowercase, uppercase, symbols and numbers, unless there is a reason I cannot.

It's probably overkill but if the website supports this type of password then I'm going to use it. It makes literally no difference to me using "Password1234" compared to this as they are entered into the websites using the password manager in the same amount of time. The only time I use weaker passwords is if a particular website restricts my passwords in any way - which happens often for older services. In those situations I use the longest and complicated password possible using the restricted length and character sets. Your biggest risk by this point is giving away your password through some of phishing scam rather than your accounts actually being hacked.

dbrookf

Thank you.... what about using the randomly selected ones?

PRAISETHESUN

dbrookf said:

Thank you.... what about using the randomly selected ones?

You need something secure you can remember for your master password (this can be random if you can remember it) and then I'd definitely recommend randomly generated ones for everything else -  make sure to maximise complexity using upper/lowercase, symbols, numbers and max allowable length. Have a unique random password for every site. Most password managers can randomly generate passwords for you if needed.

Additionally, for every site that supports it I'd also recommend turning on two-factor authentication (2FA). Using an authenticator app like Authy is preferable to SMS/email, but even those work much better than nothing.

dbrookf

Another question please! What if I want to stop using the Manager and I used their randomly selected passwords? How could I retrieve them?

Neil_Jones

dbrookf said:

Another question please! What if I want to stop using the Manager and I used their randomly selected passwords? How could I retrieve them?

You should be able to export them or view them when you log into the manager.

If worse comes to the worse you can always go to the websites and do a "Forgot my password" link click.

PRAISETHESUN

dbrookf said:

Another question please! What if I want to stop using the Manager and I used their randomly selected passwords? How could I retrieve them?

It'll depend on the particular password manager, but you should at the very least be able to view them without issue. You might be able to export them, or at the very least you could simply write them down somewhere secure - I'd recommend against this though and suggest you instead visit the websites concerned and change them to something more memorable if you decide to go down that route, as @Neil_Jones has suggested.

getmore4less

dbrookf said:

Another question please! What if I want to stop using the Manager and I used their randomly selected passwords? How could I retrieve them?

When I moved over to a manager was surprised how many sites I had, still not done them all as months later some are very infrequent use and could never remember even when simple PW. Let the manager do its stuff remembering the info. My backup solution in case the manager access becomes an issue or no longer wanted is a printout. Not ideal as that needs to be secured in the house. The follow up issue is when you keel over does someone know what accounts you have or know how to access a list.

inspectorperez

I have been reading this thread with interest being extremely conscious of password security. I generally use long auto generated passwords for most sites.
What does occur to me is though how the executors of the future deal with banking institutions or other organisations when administering the affairs of a deceased? I guess it probably becomes totally academic and back to old fashioned correspondence by letter.
The one I use is Keepass (for desktop) with its little sister Mini Keepass for iPad. The developer unfortunately no longer supports the software, so I shall have to move on.

getmore4less

The important thing with death is there is a record of what there is and where it is.

A good exercise is to do a practice run of your own estate administration(using IHT400 forms)  even better is have you potential heir/executor do it without any help from you.