Where is the safest place to save all my pin numbers and passwords?

masonic

Barkin said:

masonic said:

PRAISETHESUN said:

masonic said:

pafpcg said:

PRAISETHESUN said:

+1 for a password manager for this sort of thing. Make sure you use a very strong master password + 2FA on it to protect the contents. Since you don't need to memorise the individual passwords apart from the master one, I then make sure to use the longest fully random alpha-numeric + symbol password that each site allows. It's a bit of a game for me to see how long I can make them. The longest password I have is a 4096 character one

Hmmm, you might think your password is 4096 characters....

It's not unknown for systems to simply truncate a password to a more easily hashed value - how would you know?  Have you tried supplying that system with just the first 4095 characters and checking it's rejected?

Not unheard of, and something I've experienced. Far more common, and considered best practice, is to hash the password to a constant bit length. Meaning there is no additional security obtained through the use of a more complex password than the resultant hash. 256-bit is very common, corresponding to approx 32 characters (upper and lower alphanumeric + symbols). Some extra padding can help counter predictability, but anything over 100 would seem overkill. I've not got any longer than 64 (complex) chars

I agree it's probably overkill, but if they let me use a password of that length and there's no downside to doing so, then I'm going to use long passwords. If anything it only serves to future proof myself when they inevitably increase their security requirements.

Then there is the ever more common practice of asking for 3 random characters from the password, 

Is this really becoming more common?

I regularly get asked for random characters from an answer to a security question/phrase etc, but never from a password.

I wouldn't make a distinction between passwords, PINs, and "security questions". They are all a single factor and different providers use them interchangeably. If a provider asks for one "something you know" in full and then random characters of another "something you know" to log in, then they are engaging in this practice.

I've seen a few instances of providers who used to ask for the details in full, changing without warning to the "random characters from" approach, but none going from partial to full. An account I set up within the last month asked me to create a password, that there was no indication would not be requested in full. However, when it came to logging in, they asked for random characters. I don't recall which bank or BS, but next time I encounter it I will need to store it in a form that is easier for random character entry.

There is then a trend to replace passwords with one-time codes, leaving security questions as the only "something you know" line of defence.

flaneurs_lobster

Barkin said:

masonic said:

PRAISETHESUN said:

masonic said:

pafpcg said:

PRAISETHESUN said:

+1 for a password manager for this sort of thing. Make sure you use a very strong master password + 2FA on it to protect the contents. Since you don't need to memorise the individual passwords apart from the master one, I then make sure to use the longest fully random alpha-numeric + symbol password that each site allows. It's a bit of a game for me to see how long I can make them. The longest password I have is a 4096 character one

Hmmm, you might think your password is 4096 characters....

It's not unknown for systems to simply truncate a password to a more easily hashed value - how would you know?  Have you tried supplying that system with just the first 4095 characters and checking it's rejected?

Not unheard of, and something I've experienced. Far more common, and considered best practice, is to hash the password to a constant bit length. Meaning there is no additional security obtained through the use of a more complex password than the resultant hash. 256-bit is very common, corresponding to approx 32 characters (upper and lower alphanumeric + symbols). Some extra padding can help counter predictability, but anything over 100 would seem overkill. I've not got any longer than 64 (complex) chars

I agree it's probably overkill, but if they let me use a password of that length and there's no downside to doing so, then I'm going to use long passwords. If anything it only serves to future proof myself when they inevitably increase their security requirements.

Then there is the ever more common practice of asking for 3 random characters from the password, 

Is this really becoming more common?

I regularly get asked for random characters from an answer to a security question/phrase etc, but never from a password.

Natwest/RBS do this when logging into Digital Banking.

masonic said:

 An account I set up within the last month asked me to create a password, that there was no indication would not be requested in full. However, when it came to logging in, they asked for random characters. I don't recall which bank or BS, but next time I encounter it I will need to store it in a form that is easier for random character entry.

Probably not a reason on it's own to use it but Bitwarden has a useful display option for passwords that displays the character positions in the string together with the values. 

Looks like an old-school hex dump.*



* if you know, you know.

PRAISETHESUN

Barkin said:

masonic said:

PRAISETHESUN said:

masonic said:

pafpcg said:

PRAISETHESUN said:

+1 for a password manager for this sort of thing. Make sure you use a very strong master password + 2FA on it to protect the contents. Since you don't need to memorise the individual passwords apart from the master one, I then make sure to use the longest fully random alpha-numeric + symbol password that each site allows. It's a bit of a game for me to see how long I can make them. The longest password I have is a 4096 character one

Hmmm, you might think your password is 4096 characters....

It's not unknown for systems to simply truncate a password to a more easily hashed value - how would you know?  Have you tried supplying that system with just the first 4095 characters and checking it's rejected?

Not unheard of, and something I've experienced. Far more common, and considered best practice, is to hash the password to a constant bit length. Meaning there is no additional security obtained through the use of a more complex password than the resultant hash. 256-bit is very common, corresponding to approx 32 characters (upper and lower alphanumeric + symbols). Some extra padding can help counter predictability, but anything over 100 would seem overkill. I've not got any longer than 64 (complex) chars

I agree it's probably overkill, but if they let me use a password of that length and there's no downside to doing so, then I'm going to use long passwords. If anything it only serves to future proof myself when they inevitably increase their security requirements.

Then there is the ever more common practice of asking for 3 random characters from the password, 

Is this really becoming more common?

I regularly get asked for random characters from an answer to a security question/phrase etc, but never from a password.

In my experience this is purely a UK thing, and seems to be primarily related to online banking login systems. I've never seen it anywhere else.

EarthBoy

flaneurs_lobster said:

Barkin said:

masonic said:

PRAISETHESUN said:

masonic said:

pafpcg said:

PRAISETHESUN said:

+1 for a password manager for this sort of thing. Make sure you use a very strong master password + 2FA on it to protect the contents. Since you don't need to memorise the individual passwords apart from the master one, I then make sure to use the longest fully random alpha-numeric + symbol password that each site allows. It's a bit of a game for me to see how long I can make them. The longest password I have is a 4096 character one

Hmmm, you might think your password is 4096 characters....

It's not unknown for systems to simply truncate a password to a more easily hashed value - how would you know?  Have you tried supplying that system with just the first 4095 characters and checking it's rejected?

Not unheard of, and something I've experienced. Far more common, and considered best practice, is to hash the password to a constant bit length. Meaning there is no additional security obtained through the use of a more complex password than the resultant hash. 256-bit is very common, corresponding to approx 32 characters (upper and lower alphanumeric + symbols). Some extra padding can help counter predictability, but anything over 100 would seem overkill. I've not got any longer than 64 (complex) chars

I agree it's probably overkill, but if they let me use a password of that length and there's no downside to doing so, then I'm going to use long passwords. If anything it only serves to future proof myself when they inevitably increase their security requirements.

Then there is the ever more common practice of asking for 3 random characters from the password, 

Is this really becoming more common?

I regularly get asked for random characters from an answer to a security question/phrase etc, but never from a password.

Natwest/RBS do this when logging into Digital Banking.

Lloyds, Halifax, TSB, and Nationwide also do it to access their online banking, as well as their apps, unless you use biometrics. 

flopsy1973

I have mine saved on Google password manager on my account is this not safe enough ?

masonic

flopsy1973 said:

I have mine saved on Google password manager on my account is this not safe enough ?

That is adequate, but poses a risk if your Google account is ever compromised, so you should make sure that it's well locked down.

Eyeful

 flopsy1973 said:

I have mine saved on Google password manager on my account is this not safe enough ?

Will from what I read, the experts do not recommend this. They say it is better to use a dedicated PWM.
Examples are:
Bitwarden (free)
Password XC (free)
1Password (paid)

masonic

Eyeful said:

 flopsy1973 said:

I have mine saved on Google password manager on my account is this not safe enough ?

Will from what I read, the experts do not recommend this. They say it is better to use a dedicated PWM.
Examples are:
Bitwarden (free)
Password XC (free)
1Password (paid)

Keepass XC?

mon3ysav3r

masonic said:

Eyeful said:

 flopsy1973 said:

I have mine saved on Google password manager on my account is this not safe enough ?

Will from what I read, the experts do not recommend this. They say it is better to use a dedicated PWM.
Examples are:
Bitwarden (free)
Password XC (free)
1Password (paid)

Keepass XC?

Probably, I have been using KeePass XC on MacOS (Intel and Arm) and Windows for 7 years or so, it does exactly what I need it to do - I'll have to trust the boffins that it is actually difficult to crack, but it is running on a laptop that you have to log into, and it has an encrypted hard disk - so probably sufficient!

Beeblebr0x

flopsy1973 said:

I have mine saved on Google password manager on my account is this not safe enough ?

Make sure you have a 6 digit access code on your devices, or biometrics where supported