Password Security Reminder

[Seapy]

The complex, un-memorizable passwords created by password managers are useless if you are trying to access your account or website from someone else's computer....something that normally doesn't happen, but could very well happen in case of emergency---

And in the case of an emergency the last thing you need is to be locked out of your vital accounts.

My self generated passwords contain a code which is easy for me to memorise, yet individually remains reasonably complex which contains a unique pattern of upper and lower case characters, numbers and punctuation.  Given nothing of great value is at stake that's good enough in my book, with uppercase, lowercase, numbers and punctuation the number of combinations must be quite large, even with *only* 8 characters, it's not going to be guessed manually and brute force seems unlikely to be used to access an individual's forum account.  I use the Apple password management 'keychain' to store my passwords, which I believe involves automatically encrypting them while they are transmitted and stored, for convenience while accessing various websites and institutions.  I believe that's 'good enough'.

Websites limiting the number of attempts to access an account, then locking access for that account might be a simple way to prevent some casual attempts to make unauthorised access.

I do have them backed up in a little black book and to some degree they are memorable, although the way my memory is deteriorating not for much longer!!!  I think a card index wouldn't be ideal for me because individual cards might be lost or pilfered by small fingers, a small black book hidden away seems more secure.

I think we need to keep security below the level where it gets in the way of enjoying easy access, yet keep unintended, unwanted intruders at bay.  While this forum and others are a valuable asset for us, I can't see criminals devoting serious time trying to break passwords simply in order to post here.  They can after all read any item they wish for free and even make screenshots of as many images as they wish.

[Bruno Schroder]

Using a unique password for each web site is not too hard, with the right method. If you’re an average  individual user, not an employee of a well known organisation or a very visible individual, the same advice I’ve been giving for 30 years still apply.

Never use any existing word as password.
Use a unique password of at least 12 mixed characters, preferably 15 or 4 words chosen at random.

Unique password generation method:
-   Choose a song whose lyrics are widely available on the web so that you can always easily retrieve them
-   Choose your own personal combination of 3 special characters
-   Choose your rule to identify each web site, usually the first or the last 2 or 3 letters of the name
-   Take the first letter of each word in a line of the lyrics
-   Add your 3 special characters combination always at the same place
-   Add the web site identifier always at the same place

Using the first line of this song https://genius.com/Bob-dylan-the-times-they-are-a-changin-lyrics,
Come gather 'round people, wherever you roam,
 :”{ in 5th position
2 capital letters web ID in the end

produces for NikonGear: Cg’rp:”{,wyrNI or for Ebay: Cg’rp:”{,wyrEB

Type it a few times, muscle memory kicks in and it becomes very easy.

To completely renew your passwords, take the next line in the lyrics.
To retrieve a forgotten password, you only need to remember which line of the lyrics, your unique 3 special characters and position, your rule for identifying the web site and position.

I’ve been using this for almost 30 years and can retrieve forgotten passwords with a few tries

[CS]

The complex, un-memorizable passwords created by password managers are useless if you are trying to access your account or website from someone else's computer....something that normally doesn't happen, but could very well happen in case of emergency---the house burns down, etc.  All the websites I visit that have money involved have unique passwords that I made up and that I remember....or that I can look up on my handy small stack of 4x6" index cards which I try to leave on my desk at all times.
Yeah, those gimmicks like the "security questions" and the 'I Am Not A Robot' captchas are annoying.  I'm confident that the various market research departments knows that we all hate them.

Good points, Keith. However, the fact that 1Password (I have no experience with other 3rd party password managers, so I am not familiar with their capabilities) also  works from phone or tablet helps a great deal. Throw in a VPN and you're pretty safe. Then there's the part where you can access your computer remotely, from someone else's computer, unless your computer has become inaccessible, house burns down, etc, thereby accessing your destination of choice from your own machine. Not to say all of that makes things perfect, but they offer greater flexibility than one has without them, unless, they have a reliable alternative, such as you mention. OTOH, your index cards would not be useful from a remote location, someone else's computer, etc.

Using your own password creations is great, if you can recall each and every one, each and every time, as needed. Of course, the simpler you make them for yourself, the easier they become for hackers. Without doubt, the more secure passwords that one can use are not memorize-able, at least not by me. Having said all of that, not any particular solution works for everyone.

I find the "I am not a robot" images too small for my AMD affected eyesight to deal with. Moreover, I'm sure that my explicit comments concerning that feature would not be acceptable on this site. 

[Andrea B.]

I can't see criminals devoting serious time trying to break passwords simply in order to post here.

Password snoopers are not looking for your password in order to post here.

Hackers are looking for ways into websites in order to use the website's platform to spew clickable, money-generating spam, often porn. (This spam spewing thing happened to UVP in its early days.)

Hackers are looking for password patterns, such as the generating scheme mentioned above, which you might use on your other sites such as your bank account. Hackers are looking for passwords in order to plant ransomware by kidnapping your photos or personal health information or your financial information. Need I go on? No, you get the drift.

All those patterns and schemes you use to generate rememberable passwords? Hackers know those methods too and use them to crack your passwords with high speed computing which can generate literally gazillions of password hack attempts per second. It is probably not a good idea to use any schema or pattern to generate passwords. Cryptology tells us that randomly generated passwords making use of upper/lower case letters, digits and keyboard symbols are the way to go.Then send the password via HTTPS and transmitted over a VPN.

...gimmicks like the "security questions" and the 'I Am Not A Robot' captchas are annoying.

Those are not gimmicks used for your security. Those are used by a website to try to prevent bots from setting up false accounts. We have to remove fake bot accounts regularly even with security questions. Hackers use bots to set up a false account in order to look for any way into a website or into your accounts that they can find.


The complex, un-memorizable passwords created by password managers are useless if you are trying to access your account or website from someone else's computer.

If you are trying to access a financial account (for example) and are not using your home computer, then you *should* be blocked from access until you go through a two-party authentication. Financial institutions (banks, credit cards, brokers, etc) now keep track of where and how you log in so that they can look for suspicious logins. If you do not have a bank which offers two-party authentication, then get another bank! If a bank or a website offers to "remember" your computer, say NO.

It is not important to the bank or to marketing researchers whether or not you "like" two-party authentication because they are attempting to defeat fraud which costs them hundreds of millions of dollars a year. And besides, if some hacker finds a way into your financial accounts, then the bank knows you are going to raise holy hell and call a lawyer to go after them.

It is pretty bad out there in the Inter-Webs and Security is *not* a YMMV kind of thing. Make use of all the security you can set up when online -- strong random passwords, two-party authentication, browsers which support privacy, security questions, Capchas, password vaults, VPNs.

BTW, never, never, NEVER ever use your mother's maiden name in a security question.
They are all listed on Ancestry.com which is accessible by anybody for a mere $59/year.

That's all the advice I have for now. I'll be back in 2 or 3 months to check how things are going for Birna and the Crew. Adios!

[Ann]

I have just noticed the huge (30-fold!) increase in on-line visitors to NG in recent days.

I can't believe that this is a mere co-incidence but am fairly confident that it is probably the direct result of Andrea's hard work to get SSL Certification and make NG "Secure".

[Seapy]

Thank you Andrea, for taking the time and trouble to correct my misconceptions and for the sage advice on passwords.

[Seapy]

I have just noticed the huge (30-fold!) increase in on-line visitors to NG in recent days.

I can't believe that this is a mere co-incidence but am fairly confident that it is probably the direct result of Andrea's hard work to get SSL Certification and make NG "Secure".

One possibility, in addition to your theory is the titles of the threads.  I have noticed on our modest DSLR site that certain thread titles attract disproportionately large viewing figures, way way greater than our membership, some of that was prior to upgrading to HTTPS.

[bobfriedman]

strong password generator

https://passwordsgenerator.net

[Andrea B.]

That password generator site also has a name generator.
My new name is Zyonna Hacksworth.