Thanks for the tip
In comments, OtherSteve schooled me on passwords and how I was doing them wrong:
Youre fundamentally wrong.
Im try and keep it short but if you are complaining about password requirements youre doing everything wrong. Every website password you have should be at least 16 chars random values.
If you arent using a password manager right now you are a fool and behind the curve.
Get LastPass, there are other options but LP is really hard to mess up. Install the extension into your browser, get the app for your phone. Set up account and add EVERYTHING to it. Get your spouse and employees to do the same if you share passwords with them.
LastPass never has your passwords they can see on their server, locally decrypted only. They never have your master password to open the vault. You will turn 2FA : multifactor on so that when accessing LastPass you need your phone and master pass every 30 days, meaning if someone stole your master password they would need to steal your phone to access also. You can make a OTP (one time password) sheet and put it in the safe so your spouse or kids can access your vault if you ever need them to.
There is ABSOLUTELY NO REASON to be complaining about password requirements right now. That is a symptom not of bass web policy, but of your bad practices.
I think bad practices is a chicken and egg thing. Do we have bad practices because of dumb password policies? Or do we have dumb password policies due to bad practices? But he’s right. LastPass makes everything work better and more securely. Thanks for the help. And I do recommend it.
January 2nd, 2019 at 5:22 pm
I like the Mac’s built-in password manager (Keyring).
As for dumb policies, they are mostly a variation of a guideline invented by the Federal government (NIST) decades ago. I recently saw an interview with Bill Burr, the author of that specification, in which he said that in retrospect that guideline was a bad idea and should not be used. Unfortunately, that hasn’t sunk in.
January 2nd, 2019 at 6:49 pm
For those who want a more open source/DIY solution, I use and recommend KeePass. There’s a little more work involved getting it to sync b/w desktop and phone (and elsewhere), but it has some cool options like using a key file along with a password for added security.
January 2nd, 2019 at 7:34 pm
I’m not a huge fan of cloud based password vaults. If it’s just my passwords, then it’s not worth the effort. Stick a whole much of peoples passwords in one place? Now that’s a target. Plus I have to trust that they are perfect in their security, something we’ve seen is impossible.
January 2nd, 2019 at 9:59 pm
I do it in an easier manner. Pick a phrase that relates to the account. For an HR thing I used “I hate this F’ing thing!”. You can write it down without worry.
That’s because the password is NOT that phrase, its how you *abbreviate* that phrase. For example “Ih8TfingTing!”
January 2nd, 2019 at 11:04 pm
An alternative viewpoint is that your passwords are far more at risk from a corporate “hack” or security breach than someone guessing it. Consider how many very large corporations (Target, Macys, Adidas, Sears, Kmart, Delta, Best Buy, Panera Bread, Arbys) have all had major breaches in 2018. A report from Shape Security estimates that 90% of the log in attempts on online retailers are by hackers using stolen data.
Please note I am not a cybergeek and as always could be wrong.
January 3rd, 2019 at 2:32 am
pkoning: Yes, NIST’s old recommendations were bad. The new ones are good, but it was annoying to have to explain to our former IT company that no passwords shouldn’t roll in 90days. That’s part of why they are the former IT company.
Ken: Nothing wrong with KeePass, except… it doesn’t have a great sharing feature which I like for family and coworkers. And you can easily set it up poorly. I recommend LastPass from my programmers to my mom because it basically can’t be done wrong.
January 3rd, 2019 at 2:42 am
Bruce: yes, it seems like targeting a cloud based password site would be a good target. Except that, LastPass and others know this. They don’t have your passwords. They have a blob that is encrypted and they can’t access it. When you log in, you request the blob, you decrypt it, you access it. Your master passpgrase is never sent to LastPass. They were “hacked” in 2015 and didn’t lose a single user password.
KCSteve: while it’s great you use phrases! You’re doing three bad things. One is writing down in an insecure place, where I do recommend securely storing passes. The next is derivatives, where you think you are clever, but a machine thinks that’s cute. And finally, you are storing hints, holing you’ll remember what they are later. I have over 200 passwords in my vault right now, all over 14 chars, all unique, all secure, all sharable to friends securely, and gun to my head I could disclose maybe two of them tops. I don’t need to know them. I don’t need to ever type them. That part of my brain can’t be used for other things now.
NumemJim: exactly. Which is why it’s so bad to re-use passwords on different sites (see LinkedIn-Dropbox back) and to use deritives. All sites get unique passwords. On a breech you change that site’s creds and move along. LastPass in particular will alert you during a self-run audit if a site you access has been publically breeches and tell you to change that pass.
January 3rd, 2019 at 2:52 am
Glad you listened!!
I promise you won’t be able to go back. And you’ll just smile when you watch someone else struggle with their logins.
As to the chicken and the egg, it’s getting better but passwords were the best system we had for some time. The problem comes down to this: hard for humans is easy for computers.
Cracking passwords is pretty easy for computers. So when you think you are being cute with “Gardening1!” You aren’t. You’re using a common word, figure 50,000 of those, a cap and two other chars, that’s something like 50000*2*93*93, to a realistically slow hash to password cracker, that’s less than 10 seconds to reverse.
Remembering passwords that are hard for machines to crack is super hard for humans. Remembering unique ones for every website is impossible.
I told my employees that when they think they’re being clever, the machine thinks that’s cute.
Glad you read that comment and got something from it!
January 3rd, 2019 at 3:02 am
NumemJim: to add to my comment… when a site gets “hacked” (exfil breach) they typically aren’t accessing your account directly but stealing the password hashes.
When you enter you password in any even slightly modern site, you password isn’t sent over the internet. A hash, a mathematical representation is sent and compared to the hash they generated when you first signed up.
So… thing is… you can’t reverse a hash back into a password without lots of guesses.
The hash for “pass1234” might be 12A5CF902A8FF934
The hash for “dnjehfhsbrhfjfngmsnz” might be D9E475AA205E02C0
Those two hashes are the same length and don’t give you an idea about the password. So… short version is when they try pass1234 it matches your hash, and you get hacked. But they will never get my password/hash match, because they’ll give up long before they guess and confirm it.
So in this case, the stronger/better passpgrase you use, the more likely it is you withstand a breach where the hashes were lost.
January 3rd, 2019 at 3:10 am
KCSteve: to add… as opposed to paper… my passwords are at my office, home, phone, any where I chose to log in at any time. Always up to date and in sync, if I update a site the manager defects that so my list is never outdated. And although I already mentioned it, the Chinese proverb they “the faintest or ink will outlast the strongest of memory”.
What you are doing is not easier 🙂
January 3rd, 2019 at 10:12 am
Hackers dont break passwords. Thats the front door. They go in through the backdoor. Hackers dont care about passwords. Passwords are meant for keeping your co-worker and/or your kids from accessing things.
January 3rd, 2019 at 11:18 am
So when you hear about a breach at a company and millions of people have their info hacked, do you really think that hackers went in and broke every single password for those people that were effected? Thats not how it works.
Passwords are a very, very weak form of protection. Kind of like locks on a door… a password really is only meant to keep people out who are not very determined.
January 3rd, 2019 at 10:24 pm
Lastpass has been compromised several times.
KeePass and Dropbox make for a pretty good combination.
January 4th, 2019 at 2:35 am
Wizard: LastPass had an event once. And no user vaults were lost. KeePass and Dropbox are fine, but you are actually just relying on Dropbox for the security; and they were hacked and data has been lost. So not a great example.
January 4th, 2019 at 2:40 am
Asswords: please tell me more about how jacks happen! Because what is lost when a company is breached is the user meta data and their hash. That’s what you can go buy on the markets right now. No one cared about Target and Home Depot losing their next year’s marketing plans or HR new hire forms, they cared about the millions of customer PII.
In terms of Yahoo, the billion hashes and their salts were worth more than and juicy Verizon news a hacker could have found. The entire point to breach a big company like this, is to get the customer information. That’s including the hash to reverse back to a password hoping the user plugged that in somewhere else because like ‘some people’, they didn’t really understand password policy.