Where is the safest place to save all my pin numbers and passwords?

Barkin

masonic said:

Barkin said:

masonic said:

PRAISETHESUN said:

masonic said:

pafpcg said:

PRAISETHESUN said:

+1 for a password manager for this sort of thing. Make sure you use a very strong master password + 2FA on it to protect the contents. Since you don't need to memorise the individual passwords apart from the master one, I then make sure to use the longest fully random alpha-numeric + symbol password that each site allows. It's a bit of a game for me to see how long I can make them. The longest password I have is a 4096 character one

Hmmm, you might think your password is 4096 characters....

It's not unknown for systems to simply truncate a password to a more easily hashed value - how would you know?  Have you tried supplying that system with just the first 4095 characters and checking it's rejected?

Not unheard of, and something I've experienced. Far more common, and considered best practice, is to hash the password to a constant bit length. Meaning there is no additional security obtained through the use of a more complex password than the resultant hash. 256-bit is very common, corresponding to approx 32 characters (upper and lower alphanumeric + symbols). Some extra padding can help counter predictability, but anything over 100 would seem overkill. I've not got any longer than 64 (complex) chars

I agree it's probably overkill, but if they let me use a password of that length and there's no downside to doing so, then I'm going to use long passwords. If anything it only serves to future proof myself when they inevitably increase their security requirements.

Then there is the ever more common practice of asking for 3 random characters from the password, 

Is this really becoming more common?

I regularly get asked for random characters from an answer to a security question/phrase etc, but never from a password.

I wouldn't make a distinction between passwords, PINs, and "security questions". They are all a single factor and different providers use them interchangeably. If a provider asks for one "something you know" in full and then random characters of another "something you know" to log in, then they are engaging in this practice.

Sure, I get what you're saying, but a password is likely very different to a memorable info type of response, from a usability viewpoint.

Enter the 4th, 13th and 7th characters from a (strong, password manager generated for example) password, where the password is cFe2#1Ww5X*5Sa7l

is somewhat different to entering the 1st, 4th and 5th characters of the name of your 1st pet - Tiddles.

Barkin

EarthBoy said:

flaneurs_lobster said:

Barkin said:

masonic said:

PRAISETHESUN said:

masonic said:

pafpcg said:

PRAISETHESUN said:

+1 for a password manager for this sort of thing. Make sure you use a very strong master password + 2FA on it to protect the contents. Since you don't need to memorise the individual passwords apart from the master one, I then make sure to use the longest fully random alpha-numeric + symbol password that each site allows. It's a bit of a game for me to see how long I can make them. The longest password I have is a 4096 character one

Hmmm, you might think your password is 4096 characters....

It's not unknown for systems to simply truncate a password to a more easily hashed value - how would you know?  Have you tried supplying that system with just the first 4095 characters and checking it's rejected?

Not unheard of, and something I've experienced. Far more common, and considered best practice, is to hash the password to a constant bit length. Meaning there is no additional security obtained through the use of a more complex password than the resultant hash. 256-bit is very common, corresponding to approx 32 characters (upper and lower alphanumeric + symbols). Some extra padding can help counter predictability, but anything over 100 would seem overkill. I've not got any longer than 64 (complex) chars

I agree it's probably overkill, but if they let me use a password of that length and there's no downside to doing so, then I'm going to use long passwords. If anything it only serves to future proof myself when they inevitably increase their security requirements.

Then there is the ever more common practice of asking for 3 random characters from the password, 

Is this really becoming more common?

I regularly get asked for random characters from an answer to a security question/phrase etc, but never from a password.

Natwest/RBS do this when logging into Digital Banking.

Lloyds, Halifax, TSB, and Nationwide also do it to access their online banking, as well as their apps, unless you use biometrics. 

Unless my online banking is different to yours, Lloyds & Halifax always require the password to be entered in full.

masonic

Barkin said:

masonic said:

Barkin said:

masonic said:

PRAISETHESUN said:

masonic said:

pafpcg said:

PRAISETHESUN said:

+1 for a password manager for this sort of thing. Make sure you use a very strong master password + 2FA on it to protect the contents. Since you don't need to memorise the individual passwords apart from the master one, I then make sure to use the longest fully random alpha-numeric + symbol password that each site allows. It's a bit of a game for me to see how long I can make them. The longest password I have is a 4096 character one

Hmmm, you might think your password is 4096 characters....

It's not unknown for systems to simply truncate a password to a more easily hashed value - how would you know?  Have you tried supplying that system with just the first 4095 characters and checking it's rejected?

Not unheard of, and something I've experienced. Far more common, and considered best practice, is to hash the password to a constant bit length. Meaning there is no additional security obtained through the use of a more complex password than the resultant hash. 256-bit is very common, corresponding to approx 32 characters (upper and lower alphanumeric + symbols). Some extra padding can help counter predictability, but anything over 100 would seem overkill. I've not got any longer than 64 (complex) chars

I agree it's probably overkill, but if they let me use a password of that length and there's no downside to doing so, then I'm going to use long passwords. If anything it only serves to future proof myself when they inevitably increase their security requirements.

Then there is the ever more common practice of asking for 3 random characters from the password, 

Is this really becoming more common?

I regularly get asked for random characters from an answer to a security question/phrase etc, but never from a password.

I wouldn't make a distinction between passwords, PINs, and "security questions". They are all a single factor and different providers use them interchangeably. If a provider asks for one "something you know" in full and then random characters of another "something you know" to log in, then they are engaging in this practice.

Sure, I get what you're saying, but a password is likely very different to a memorable info type of response, from a usability viewpoint.

Enter the 4th, 13th and 7th characters from a (strong, password manager generated for example) password, where the password is cFe2#1Ww5X*5Sa7l

is somewhat different to entering the 1st, 4th and 5th characters of the name of your 1st pet - Tiddles.

When you know you'll be asked for random characters, that's all the more reason to go with a strong complex string. Either password or memorable info. I don't think it is good practice to use actual answers for security questions. Not least because others may know this information and security details will be then have to be shared between sites as there is so much overlap between questions.

In most cases, I get asked for answers to memorable info type questions in full (sometimes over the phone), so I use random phrases rather than a complex string.

Eyeful

masonic said:

Eyeful said:

 flopsy1973 said:

I have mine saved on Google password manager on my account is this not safe enough ?

Will from what I read, the experts do not recommend this. They say it is better to use a dedicated PWM.
Examples are:
Bitwarden (free)
Password XC (free)
1Password (paid)

Keepass XC?

Yes, you are correct it is Keepass XC

viv0147

I use 1Password its really good but it does cost