We’d like to remind Forumites to please avoid political debate on the Forum.
This is to keep it a safe and useful space for MoneySaving discussions. Threads that are – or become – political in nature may be removed in line with the Forum’s rules. Thank you for your understanding.
📨 Have you signed up to the Forum's new Email Digest yet? Get a selection of trending threads sent straight to your inbox daily, weekly or monthly!
Where is the safest place to save all my pin numbers and passwords?
Comments
-
Barkin said:
Is this really becoming more common?masonic said:PRAISETHESUN said:
I agree it's probably overkill, but if they let me use a password of that length and there's no downside to doing so, then I'm going to use long passwords. If anything it only serves to future proof myself when they inevitably increase their security requirements.masonic said:pafpcg said:PRAISETHESUN said:+1 for a password manager for this sort of thing. Make sure you use a very strong master password + 2FA on it to protect the contents. Since you don't need to memorise the individual passwords apart from the master one, I then make sure to use the longest fully random alpha-numeric + symbol password that each site allows. It's a bit of a game for me to see how long I can make them. The longest password I have is a 4096 character one
Hmmm, you might think your password is 4096 characters....It's not unknown for systems to simply truncate a password to a more easily hashed value - how would you know? Have you tried supplying that system with just the first 4095 characters and checking it's rejected?Not unheard of, and something I've experienced. Far more common, and considered best practice, is to hash the password to a constant bit length. Meaning there is no additional security obtained through the use of a more complex password than the resultant hash. 256-bit is very common, corresponding to approx 32 characters (upper and lower alphanumeric + symbols). Some extra padding can help counter predictability, but anything over 100 would seem overkill. I've not got any longer than 64 (complex) charsThen there is the ever more common practice of asking for 3 random characters from the password,
I regularly get asked for random characters from an answer to a security question/phrase etc, but never from a password.I wouldn't make a distinction between passwords, PINs, and "security questions". They are all a single factor and different providers use them interchangeably. If a provider asks for one "something you know" in full and then random characters of another "something you know" to log in, then they are engaging in this practice.I've seen a few instances of providers who used to ask for the details in full, changing without warning to the "random characters from" approach, but none going from partial to full. An account I set up within the last month asked me to create a password, that there was no indication would not be requested in full. However, when it came to logging in, they asked for random characters. I don't recall which bank or BS, but next time I encounter it I will need to store it in a form that is easier for random character entry.There is then a trend to replace passwords with one-time codes, leaving security questions as the only "something you know" line of defence.1 -
Natwest/RBS do this when logging into Digital Banking.Barkin said:
Is this really becoming more common?masonic said:PRAISETHESUN said:
I agree it's probably overkill, but if they let me use a password of that length and there's no downside to doing so, then I'm going to use long passwords. If anything it only serves to future proof myself when they inevitably increase their security requirements.masonic said:pafpcg said:PRAISETHESUN said:+1 for a password manager for this sort of thing. Make sure you use a very strong master password + 2FA on it to protect the contents. Since you don't need to memorise the individual passwords apart from the master one, I then make sure to use the longest fully random alpha-numeric + symbol password that each site allows. It's a bit of a game for me to see how long I can make them. The longest password I have is a 4096 character oneHmmm, you might think your password is 4096 characters....It's not unknown for systems to simply truncate a password to a more easily hashed value - how would you know? Have you tried supplying that system with just the first 4095 characters and checking it's rejected?Not unheard of, and something I've experienced. Far more common, and considered best practice, is to hash the password to a constant bit length. Meaning there is no additional security obtained through the use of a more complex password than the resultant hash. 256-bit is very common, corresponding to approx 32 characters (upper and lower alphanumeric + symbols). Some extra padding can help counter predictability, but anything over 100 would seem overkill. I've not got any longer than 64 (complex) charsThen there is the ever more common practice of asking for 3 random characters from the password,
I regularly get asked for random characters from an answer to a security question/phrase etc, but never from a password.
Probably not a reason on it's own to use it but Bitwarden has a useful display option for passwords that displays the character positions in the string together with the values.An account I set up within the last month asked me to create a password, that there was no indication would not be requested in full. However, when it came to logging in, they asked for random characters. I don't recall which bank or BS, but next time I encounter it I will need to store it in a form that is easier for random character entry.
Looks like an old-school hex dump.*
* if you know, you know.3 -
In my experience this is purely a UK thing, and seems to be primarily related to online banking login systems. I've never seen it anywhere else.Barkin said:
Is this really becoming more common?masonic said:PRAISETHESUN said:
I agree it's probably overkill, but if they let me use a password of that length and there's no downside to doing so, then I'm going to use long passwords. If anything it only serves to future proof myself when they inevitably increase their security requirements.masonic said:pafpcg said:PRAISETHESUN said:+1 for a password manager for this sort of thing. Make sure you use a very strong master password + 2FA on it to protect the contents. Since you don't need to memorise the individual passwords apart from the master one, I then make sure to use the longest fully random alpha-numeric + symbol password that each site allows. It's a bit of a game for me to see how long I can make them. The longest password I have is a 4096 character oneHmmm, you might think your password is 4096 characters....It's not unknown for systems to simply truncate a password to a more easily hashed value - how would you know? Have you tried supplying that system with just the first 4095 characters and checking it's rejected?Not unheard of, and something I've experienced. Far more common, and considered best practice, is to hash the password to a constant bit length. Meaning there is no additional security obtained through the use of a more complex password than the resultant hash. 256-bit is very common, corresponding to approx 32 characters (upper and lower alphanumeric + symbols). Some extra padding can help counter predictability, but anything over 100 would seem overkill. I've not got any longer than 64 (complex) charsThen there is the ever more common practice of asking for 3 random characters from the password,
I regularly get asked for random characters from an answer to a security question/phrase etc, but never from a password.0 -
Lloyds, Halifax, TSB, and Nationwide also do it to access their online banking, as well as their apps, unless you use biometrics.flaneurs_lobster said:
Natwest/RBS do this when logging into Digital Banking.Barkin said:
Is this really becoming more common?masonic said:PRAISETHESUN said:
I agree it's probably overkill, but if they let me use a password of that length and there's no downside to doing so, then I'm going to use long passwords. If anything it only serves to future proof myself when they inevitably increase their security requirements.masonic said:pafpcg said:PRAISETHESUN said:+1 for a password manager for this sort of thing. Make sure you use a very strong master password + 2FA on it to protect the contents. Since you don't need to memorise the individual passwords apart from the master one, I then make sure to use the longest fully random alpha-numeric + symbol password that each site allows. It's a bit of a game for me to see how long I can make them. The longest password I have is a 4096 character oneHmmm, you might think your password is 4096 characters....It's not unknown for systems to simply truncate a password to a more easily hashed value - how would you know? Have you tried supplying that system with just the first 4095 characters and checking it's rejected?Not unheard of, and something I've experienced. Far more common, and considered best practice, is to hash the password to a constant bit length. Meaning there is no additional security obtained through the use of a more complex password than the resultant hash. 256-bit is very common, corresponding to approx 32 characters (upper and lower alphanumeric + symbols). Some extra padding can help counter predictability, but anything over 100 would seem overkill. I've not got any longer than 64 (complex) charsThen there is the ever more common practice of asking for 3 random characters from the password,
I regularly get asked for random characters from an answer to a security question/phrase etc, but never from a password.0 -
I have mine saved on Google password manager on my account is this not safe enough ?0
-
That is adequate, but poses a risk if your Google account is ever compromised, so you should make sure that it's well locked down.flopsy1973 said:I have mine saved on Google password manager on my account is this not safe enough ?0 -
flopsy1973 said:
Will from what I read, the experts do not recommend this. They say it is better to use a dedicated PWM.I have mine saved on Google password manager on my account is this not safe enough ?
Examples are:
Bitwarden (free)
Password XC (free)
1Password (paid)0 -
Keepass XC?Eyeful said:flopsy1973 said:
Will from what I read, the experts do not recommend this. They say it is better to use a dedicated PWM.I have mine saved on Google password manager on my account is this not safe enough ?
Examples are:
Bitwarden (free)
Password XC (free)
1Password (paid)0 -
Probably, I have been using KeePass XC on MacOS (Intel and Arm) and Windows for 7 years or so, it does exactly what I need it to do - I'll have to trust the boffins that it is actually difficult to crack, but it is running on a laptop that you have to log into, and it has an encrypted hard disk - so probably sufficient!masonic said:
Keepass XC?Eyeful said:flopsy1973 said:
Will from what I read, the experts do not recommend this. They say it is better to use a dedicated PWM.I have mine saved on Google password manager on my account is this not safe enough ?
Examples are:
Bitwarden (free)
Password XC (free)
1Password (paid)0 -
Make sure you have a 6 digit access code on your devices, or biometrics where supportedflopsy1973 said:I have mine saved on Google password manager on my account is this not safe enough ?0
Confirm your email address to Create Threads and Reply
Categories
- All Categories
- 352.1K Banking & Borrowing
- 253.6K Reduce Debt & Boost Income
- 454.2K Spending & Discounts
- 245.2K Work, Benefits & Business
- 600.8K Mortgages, Homes & Bills
- 177.5K Life & Family
- 259K Travel & Transport
- 1.5M Hobbies & Leisure
- 16K Discuss & Feedback
- 37.7K Read-Only Boards