Where is the safest place to save all my pin numbers and passwords?

Comments

  • PRAISETHESUN
    PRAISETHESUN Posts: 4,850 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    edited 28 May at 10:47AM
    +1 for a password manager for this sort of thing. Make sure you use a very strong master password + 2FA on it to protect the contents. Since you don't need to memorise the individual passwords apart from the master one, I then make sure to use the longest fully random alpha-numeric + symbol password that each site allows. It's a bit of a game for me to see how long I can make them. The longest password I have is a 4096 character one :D
  • pafpcg
    pafpcg Posts: 928 Forumite
    Tenth Anniversary 500 Posts Name Dropper
    edited 28 May at 5:45PM
    PRAISETHESUN said:
    +1 for a password manager for this sort of thing. Make sure you use a very strong master password + 2FA on it to protect the contents. Since you don't need to memorise the individual passwords apart from the master one, I then make sure to use the longest fully random alpha-numeric + symbol password that each site allows. It's a bit of a game for me to see how long I can make them. The longest password I have is a 4096 character one :D
    Hmmm, you might think your password is 4096 characters....
    It's not unknown for systems to simply truncate a password to a more easily hashed value - how would you know?  Have you tried supplying that system with just the first 4095 characters and checking it's rejected? 
    I've used pass-phrases of considerable length & variety of characters, principally as one element in the securing of the VPNs between secure local area networks over an insecure network.  (The VPNs operated for months before ever needing to be restarted.) I understand that OpenVPN allows a maximum password length of 4096 characters but is limited in practice to 512.
    PS:  Nowadays, with only my personal accounts to worry about, I write down my passwords and memorable phrases, but in a format only I and my partner understand (I hope!)

  • bobfredbob
    bobfredbob Posts: 87 Forumite
    Fifth Anniversary 10 Posts Name Dropper
    The webcomic "xkcd 538" explains that you don't need a quantum computer to crack a password.  All you need is a $5 wrench.

    You need to determine from whom you are keeping your secrets safe, and then decide an appropriate level of security.  Houses get robbed, but do you need to make life unnecessarily complicated?  Burglaries normally take about ten minutes, so your note pad security has to withstand being found within that time frame in the already highly unlikely situation that you get robbed.

    If an accident or death befalls you, how will your spouse (or children) easily gain access to the accounts?  Can they easily find banks and sort codes and have access to money within an acceptable time-frame?

    My parents ensured we knew exactly where all the birth/death/marriage certificates, house deeds, bank statements, etc., are kept, along with funeral wishes.  This is not being morbid.  I have left notes to remind relatives about things like doing an ISA transfer (rather than closing the account).
  • pafpcg
    pafpcg Posts: 928 Forumite
    Tenth Anniversary 500 Posts Name Dropper
    bobfredbob said:
    The webcomic "xkcd 538" explains that you don't need a quantum computer to crack a password.  All you need is a $5 wrench.

    You need to determine from whom you are keeping your secrets safe, and then decide an appropriate level of security.  Houses get robbed, but do you need to make life unnecessarily complicated?  Burglaries normally take about ten minutes, so your note pad security has to withstand being found within that time frame in the already highly unlikely situation that you get robbed.

    If an accident or death befalls you, how will your spouse (or children) easily gain access to the accounts?  Can they easily find banks and sort codes and have access to money within an acceptable time-frame?

    My parents ensured we knew exactly where all the birth/death/marriage certificates, house deeds, bank statements, etc., are kept, along with funeral wishes.  This is not being morbid.  I have left notes to remind relatives about things like doing an ISA transfer (rather than closing the account).
    Plus, what might happen if your home is wrecked by fire or flood?  How will YOU get access to your accounts?
    I recommend a water-proof fire-safe to keep essential or irreplaceable documents.  How much is it worth to preserve precious memorabilia such as a parent's last birthday card or a child's first drawing of "My Mummy and Daddy"?
  • Beeblebr0x
    Beeblebr0x Posts: 270 Forumite
    100 Posts Name Dropper
    edited 28 May at 7:51PM
    https://www.techrepublic.com/article/time-to-crack-your-password-guide/

    My passwords would currently take a minimum of 2qn years to crack
  • UnsureAboutthis
    UnsureAboutthis Posts: 368 Forumite
    100 Posts First Anniversary Name Dropper
    Password manager

    We, i.e. me and my OH, keep on forgetting our PIN to our cc; even though we can tap up to 100 quid, it does not always work.

    So, in our mobile phones we save it as a telephone number, e.g. 020 951 XXXX, the X's being the PIN, and use a name you know is not a real contact.


  • masonic
    masonic Posts: 27,151 Forumite
    Part of the Furniture 10,000 Posts Photogenic Name Dropper
    edited 28 May at 9:41PM
    pafpcg said:
    +1 for a password manager for this sort of thing. Make sure you use a very strong master password + 2FA on it to protect the contents. Since you don't need to memorise the individual passwords apart from the master one, I then make sure to use the longest fully random alpha-numeric + symbol password that each site allows. It's a bit of a game for me to see how long I can make them. The longest password I have is a 4096 character one :D
    Hmmm, you might think your password is 4096 characters....
    It's not unknown for systems to simply truncate a password to a more easily hashed value - how would you know?  Have you tried supplying that system with just the first 4095 characters and checking it's rejected?
    Not unheard of, and something I've experienced. Far more common, and considered best practice, is to hash the password to a constant bit length. Meaning there is no additional security obtained through the use of a more complex password than the resultant hash. 256-bit is very common, corresponding to approx 32 characters (upper and lower alphanumeric + symbols). Some extra padding can help counter predictability, but anything over 100 would seem overkill. I've not got any longer than 64 (complex) chars
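
The prefix check pafpcg describes and the fixed-length hashing masonic mentions, as an added example that is not part of any post in this thread. `ToySite`, its 72-character limit and the low PBKDF2 iteration count are assumptions made for the demo, and the password is a constructed sample.

```python
import hashlib
import hmac
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation


class ToySite:
    """Hypothetical login backend; max_len=None means no truncation."""

    def __init__(self, max_len=None):
        self.max_len = max_len
        self.salt = os.urandom(16)
        self.stored = None

    def _digest(self, password):
        kept = password[: self.max_len]  # silent truncation when max_len is set
        # Iteration count kept low so the demo runs fast (assumption, not advice).
        return hashlib.pbkdf2_hmac("sha256", kept.encode(), self.salt, 1_000)

    def enroll(self, password):
        self.stored = self._digest(password)

    def login(self, password):
        return hmac.compare_digest(self.stored, self._digest(password))


def truncates(site, password):
    """The check from the thread: is the password minus its last character accepted?"""
    return site.login(password[:-1])


def effective_length(site, password):
    """Shortest accepted prefix, found by binary search (acceptance is monotone)."""
    lo, hi = 1, len(password)
    while lo < hi:
        mid = (lo + hi) // 2
        if site.login(password[:mid]):
            hi = mid
        else:
            lo = mid + 1
    return lo


def demo():
    pw = "".join(secrets.choice(ALPHABET) for _ in range(4096))  # constructed sample
    honest, clipped = ToySite(), ToySite(max_len=72)
    honest.enroll(pw)
    clipped.enroll(pw)
    return (truncates(honest, pw), truncates(clipped, pw),
            effective_length(honest, pw), effective_length(clipped, pw),
            len(honest.stored))  # stored hash is 32 bytes whatever the input length


if __name__ == "__main__":
    print(demo())
```

On a real account each probe is a login attempt, so the one-character-short check is the version that stays clear of lockout limits.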
  • PRAISETHESUN
    PRAISETHESUN Posts: 4,850 Forumite
    Sixth Anniversary 1,000 Posts Photogenic Name Dropper
    masonic said:
    pafpcg said:
    +1 for a password manager for this sort of thing. Make sure you use a very strong master password + 2FA on it to protect the contents. Since you don't need to memorise the individual passwords apart from the master one, I then make sure to use the longest fully random alpha-numeric + symbol password that each site allows. It's a bit of a game for me to see how long I can make them. The longest password I have is a 4096 character one :D
    Hmmm, you might think your password is 4096 characters....
    It's not unknown for systems to simply truncate a password to a more easily hashed value - how would you know?  Have you tried supplying that system with just the first 4095 characters and checking it's rejected?
    Not unheard of, and something I've experienced. Far more common, and considered best practice, is to hash the password to a constant bit length. Meaning there is no additional security obtained through the use of a more complex password than the resultant hash. 256-bit is very common, corresponding to approx 32 characters (upper and lower alphanumeric + symbols). Some extra padding can help counter predictability, but anything over 100 would seem overkill. I've not got any longer than 64 (complex) chars
    I agree it's probably overkill, but if they let me use a password of that length and there's no downside to doing so, then I'm going to use long passwords. If anything it only serves to future proof myself when they inevitably increase their security requirements.
  • Barkin
    Barkin Posts: 764 Forumite
    500 Posts Second Anniversary Name Dropper
    masonic said:
    masonic said:
    pafpcg said:
    +1 for a password manager for this sort of thing. Make sure you use a very strong master password + 2FA on it to protect the contents. Since you don't need to memorise the individual passwords apart from the master one, I then make sure to use the longest fully random alpha-numeric + symbol password that each site allows. It's a bit of a game for me to see how long I can make them. The longest password I have is a 4096 character one :D
    Hmmm, you might think your password is 4096 characters....
    It's not unknown for systems to simply truncate a password to a more easily hashed value - how would you know?  Have you tried supplying that system with just the first 4095 characters and checking it's rejected?
    Not unheard of, and something I've experienced. Far more common, and considered best practice, is to hash the password to a constant bit length. Meaning there is no additional security obtained through the use of a more complex password than the resultant hash. 256-bit is very common, corresponding to approx 32 characters (upper and lower alphanumeric + symbols). Some extra padding can help counter predictability, but anything over 100 would seem overkill. I've not got any longer than 64 (complex) chars
    I agree it's probably overkill, but if they let me use a password of that length and there's no downside to doing so, then I'm going to use long passwords. If anything it only serves to future proof myself when they inevitably increase their security requirements.

    Then there is the ever more common practice of asking for 3 random characters from the password, 
    Is this really becoming more common?

    I regularly get asked for random characters from an answer to a security question/phrase etc, but never from a password.