Password Security Reminder

[Andrea B.]

Letting your browser save passwords is not considered secure.

Look for an app called a password safe, manager or vault. Install it, learn how to use it and keep your login passwords there.

For general info about storing passwords, read this: Password Manager.

As a particular example, you might want to read about 1Password, a free version of which I use on my MacBook.  [I have *no* affiliation with Agile Bits.]

There are lots more choices for this kind of app. List of Password Managers. Use of a password manager also permits creation of complex, unhackable passwords.

I'll add this two bits, FWIW. It's probably best not to use a cloud based password manager. Clouds have been known to disappear. There are hacks everyday of online data banks. But on the matter of clouds, YMMV. 

Should I mention backups here? Nah!
I'm sure everyone would know that their password manager requires a backup.
 

[Anthony]

I use Apple Keychain.  Are you aware of any issues with this?

[CS]

I use Apple Keychain.  Are you aware of any issues with this?

I've been using 1Password, the paid versions, for 12 years, and I highly recommend it over Apple Keychain.

https://www.macworld.com/article/3060630/why-not-pick-keychain-instead-of-1password-or-lastpass.html

[Andrea B.]

Anthony, password security is not my area! So I don't know what password manager apps might be considered vulnerable, or not, across the various platforms. I only know about the particular one I happen to use. 

[Hugh_3170]

Anthea, a timely reminder.  Thanks.

Do you know off hand what the rules for the NG password are, including its minimum and maximum lengths, allowable characters, its  UC and LC alpha requirements, and the minimum numbers of each character type that are required etc?

TIA.

EDIT:

I see that the NG site says:


Choose password
For best security, you should use eight or more characters with a combination of letters, numbers, and symbols.


New Question:  is 8 characters on the short side and should there be rules about the minimum numbers of upper and lower case alphabetic characters and numbers of special characters??  Maybe also an enforced update period?

[Anthony]

I've been using 1Password, the paid versions, for 12 years, and I highly recommend it over Apple Keychain.

https://www.macworld.com/article/3060630/why-not-pick-keychain-instead-of-1password-or-lastpass.html

Thanks for the comment and link.  I seem to fit the profile for Keychain, so will continue to use it for the time being.

[Ann]

Keychain works well enough for me.

Actually I get fairly infuriated by the need for Passwords and ever-increasing "Security" requirements.

Luckily I live in a place where security doesn't seem to matter too much: I never lock my car; only lock my house if I am actually going to be away; and have friends in the area who tell me that they don't even know where their house key is!

[CS]

Keychain works well enough for me.

Actually I get fairly infuriated by the need for Passwords and ever-increasing "Security" requirements.

Luckily I live in a place where security doesn't seem to matter too much: I never lock my car; only lock my house if I am actually going to be away; and have friends in the area who tell me that they don't even know where their house key is!

It's not likely that you get more agitated with the ever increasing security requirements than I do. One that really draws my ire is "Two Factor Authentication", YUK!

One might never draw the interest of some hacker, but, woe be to them if that happens and their password(s) are not up to the hacker's abilities.  I'm not knocking Apple Keychain, I just prefer 1Password which also works across our iPhones and iPad. Of course it goes without saying,  YMMV. 

It's great that you live in a safe area, but I'm not seeing the relevance of that WRT internet security, where your physical location is not a factor. Back when I was a kid, we lived in a safe area, now we live in a gated community, how times have changed.

[Ann]

I also do not look forward to being made to use two-stage authentication.

For that reason, I am deliberately one OS behind on my computers; and will only upgrade once the software which I use on a daily basis requires that I update my OS.

What becomes increasingly burdensome is maintaining parity of  OS, Site access and Passwords between several different computers and a number of other devices.

[Frank Fremerey]

The problem I have are 25 Billion accounts with 25 Billion Passwords all in my head. With a password manager I would create one single point of failiure and give all of my head free with only one Username / Password combination opening my Password manager. A password Manager is in my opinion a security risk I am not ready to take. Much better seems to me the two channel auth per site with different mobile numbers, Apps and Emailproviders having to be combined for ONE login.

[CS]

I also do not look forward to being made to use two-stage authentication.

For that reason, I am deliberately one OS behind on my computers; and will only upgrade once the software which I use on a daily basis requires that I update my OS.

What becomes increasingly burdensome is maintaining parity of  OS, Site access and Passwords between several different computers and a number of other devices.

And if that's not enough, some sites will accept your login info. then periodically hit you with a few security questions to be answered before you get to where you want to go. I just love to spend more time accessing a site than I do using it once I get by their idea of security!

[Andrea B.]

New Question:  is 8 characters on the short side and should there be rules about the minimum numbers of upper and lower case alphabetic characters and numbers of special characters?? Maybe also an enforced update period?

If we have transmission protected between your browser and the server and between the server and your browser, then I'm thinking that is enough. I don't see the need to *force* password complexity upon the Membership. But it is easy enough to do should the Membership eventually decide that they would like to have such a feature. 

[Ann]

I am very happy with the way Passwords in NG work now Andrea — I don't need any further complexity in my life!

[CS]

2 birds with one stone approach. This is a PNG test, plus, showing a screenshot of the 1password password generator window to show it's versatility for password creation. The green bar indicates the strength of the passwords as you generate them.

[pluton]

The complex, un-memorizable passwords created by password managers are useless if you are trying to access your account or website from someone else's computer....something that normally doesn't happen, but could very well happen in case of emergency---the house burns down, etc.  All the websites I visit that have money involved have unique passwords that I made up and that I remember....or that I can look up on my handy small stack of 4x6" index cards which I try to leave on my desk at all times.
Yeah, those gimmicks like the "security questions" and the 'I Am Not A Robot' captchas are annoying.  I'm confident that the various market research departments knows that we all hate them.