The new password craze...

Page 5

Jeff7

Lifer
Jan 4, 2001
41,596
20
81
> I have 50+ personal passwords to maintain every month at work, you're damn sure I have an Excel file with them all because that is too many to remember.
My choice: Text files, stored in a well-encrypted location.
 

BladeVenom

Lifer
Jun 2, 2005
13,365
16
0
Even the most secure biometric fingerprint locks were easily defeated. Did you watch that episode of Mythbusters? They used a photocopied fingerprint.

1-factor biometric isn't good enough for real security.

Even worse, once a biometric database with your biometric data is compromised, biometric security will never be secure again for you.

You can change your password, you can't change your biometric data.
 

Red Squirrel

No Lifer
May 24, 2003
70,565
13,802
126
www.anyf.ca
> I have 50+ personal passwords to maintain every month at work, you're damn sure I have an Excel file with them all because that is too many to remember.

Same here, worse is they all have different complexity requirements and all expire at different intervals. There's no way you're keeping that shit in sync. Most of mine I can keep in sync but there are a few that you can't change yourself, you can only change when they expire.

You'd figure you can just use the highest requirement for all of them so they're all the same, nope. Some HAVE to be 8 characters, no more no less, others have to be more, some have to be less, some can't have numbers, some HAVE to have numbers. It's totally ridiculous.

If it was up to me everything would tie in to a single very secure password, such as an RSA token.
 
Feb 19, 2001
20,155
23
81
For those of you who keep Excel files lying around, what's the best way to secure these while keeping convenience in mind?

I've thought about putting it in Google Drive since my Google account has 2 factor authentication setup, but maybe something more secure like SpiderOak? At the same time, if you think about it, if your Google account is compromised, most people's logins are compromised as well.

I realize the fact that it's plaintext is a huge setback in security, but storing it securely is likely to put you ahead of most people as long as your passwords are long/strong enough.
 

rudeguy

Lifer
Dec 27, 2001
47,351
14
61
> For those of you who keep Excel files lying around, what's the best way to secure these while keeping convenience in mind?
>
> I've thought about putting it in Google Drive since my Google account has 2 factor authentication setup, but maybe something more secure like SpiderOak? At the same time, if you think about it, if your Google account is compromised, most people's logins are compromised as well.
>
> I realize the fact that it's plaintext is a huge setback in security, but storing it securely is likely to put you ahead of most people as long as your passwords are long/strong enough.

Sticky note in outlook works best for me.
 

lxskllr

No Lifer
Nov 30, 2004
60,030
10,521
126
> For those of you who keep Excel files lying around, what's the best way to secure these while keeping convenience in mind?
>
> I've thought about putting it in Google Drive since my Google account has 2 factor authentication setup, but maybe something more secure like SpiderOak? At the same time, if you think about it, if your Google account is compromised, most people's logins are compromised as well.
>
> I realize the fact that it's plaintext is a huge setback in security, but storing it securely is likely to put you ahead of most people as long as your passwords are long/strong enough.

Encrypt it with gpg.
 

OverVolt

Lifer
Aug 31, 2002
14,278
89
91
I use an algorithm for my passwords. It's really just the same password modified every time it asks me to change it.

I agree with passwords for pointless services going into overkill mode on their password strengths. I don't care if my Xbox got hacked; I don't need text message authentication, a garbled password, 3 emails and password recovery via home phone or whatever.
 
Feb 19, 2001
20,155
23
81
^

I agree, but for mission critical accounts--bank accounts, brokerage accounts, email, file storage I keep those on LastPass. For stuff I access more frequently, I use a strong password that I can remember + 2FA.

Crap like Anandtech Forums (sorry guys!) and XDA or other stuff I use a standard decently strong password that I toss across multiple sites where if I get hacked I have little to lose.

But using LastPass just begs for a portable format. So either I have to shell out $12 / year, which isn't bad at all, or I keep some sort of spreadsheet which is probably not as user friendly in the sense of autopopulating, but is easily accessible anywhere.

SpiderOak is probably great in that they have the whole zero knowledge privacy in mind, but its mobile interface just isn't friendly. Perhaps BoxCryptor is a better solution as it integrates with Google Drive, Dropbox, etc?
 

ultimatebob

Lifer
Jul 1, 2001
25,134
2,450
126
password_strength.png

Did you know that password is so popular now that many sites block you from using it?

Seriously, try using correcthorsebatterystaple as a password on Dropbox. It's blocked with a funny error message.
 

lxskllr

No Lifer
Nov 30, 2004
60,030
10,521
126
> SpiderOak is probably great in that they have the whole zero knowledge privacy in mind, but its mobile interface just isn't friendly. Perhaps BoxCryptor is a better solution as it integrates with Google Drive, Dropbox, etc?

I haven't had an issue with SpiderOak's Android client. If you don't want that, what's wrong with gpg? It's libre software, and cross platform. I can't confirm Apple support (who really cares? :^P), but it works on the other major platforms. BoxCryptor is proprietary, and being proprietary, it can't be trusted.
 

Agent11

Diamond Member
Jan 22, 2006
3,535
1
0
Just use numbers for vowels in a word or short phrase with an underscore; if more than one word, make one or the other capitalized, like: S4P13NT_b00b13s

Is it crackable? Probably. It meets most password requirements and should defeat most amateur attempts though.
 
Last edited:

destrekor

Lifer
Nov 18, 2005
28,799
359
126
Passwords are still incredibly secure if they are LONG, do not include any reference words*, do not only attempt to create complexity by using reference words* with letter/number replacement, and are complex.

*reference words = as a few recent articles have pointed out, cracking algorithms and tools now reference large databases of dictionary, encyclopedia, and fictional words. They also have no care for language distinction, alphanumeric and special character substitution (including ASCII codes, if the website allows them - this might still help realized complexity, temporarily), etc.

If it's something your brain, through ANY kind of memorization routine relating real and fictional things, can actually recall - it's probably no good under the scrutiny of modern password cracking.

But passwords such as:
%@S&pDbg2ct4DwNbA5CEzPT7xS$Wio

even if, using a similar system, but limited to 15 characters... those aren't being effortlessly cracked using readily available tools and reference databases. Those require brute force, all-source reference, and dedicated effort.
No password, ever, can stand up to a supercomputer simply whiling away at it FOREVER. But, a 15 character password of absolute gibberish, styled like the quoted one (unless I'm missing substitutions for real words - I didn't analyze it ;)), will likely require dedicated CPU time for a few months to a few decades. I cannot recall the "most up to date" analysis of brute force machine code breaking - a few years ago, I had read a 10 character password, one that couldn't be guessed with dictionary and database attacks, would take a few years to defeat. 8 characters required a day of CPU time, iirc, and it exponentially increased with length.
Of course, CPU processing ability has improved each year as well, so time estimates have probably dropped.


See, I use LastPass, and all my passwords are the max length a website allows, and are complete gibberish. NO rhyme or reason, nothing for me to remember.
Any password I end up remembering is because I've had to use it without LastPass autofill, like I've had to look it up on my phone and hand-type it on another device. I've remembered a few like that, and of course some websites force a change every few months so I end up no longer remembering a valid password.
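The post above argues from keyspace: a long random string has to be brute-forced, while anything built from "reference words" plus substitutions is enumerated from lists. The following is an added example, not code from the thread or from any poster, that puts numbers on that argument. The guess rate (1e11/s), the wordlist sizes and the crack-time model are assumptions chosen to illustrate the shape of the comparison, not measurements; real rates depend heavily on the hash the site used.

```python
import math

# Assumption (illustrative, not measured): an offline attacker testing a dump
# of fast, unsalted hashes on a GPU rig. A slow hash (bcrypt, scrypt, Argon2)
# cuts this rate by several orders of magnitude.
GUESSES_PER_SECOND = 1e11

# Assumed sizes of the attacker's reference lists (the "reference words" of
# the post). Real lists are larger, which only helps the attacker.
DICTIONARY_WORDS = 100_000
DICEWARE_WORDS = 7_776
PRINTABLE_ASCII = 95


def random_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a string whose characters are chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def passphrase_bits(wordlist_size: int, words: int) -> float:
    """Entropy of a passphrase of words drawn uniformly from a list the
    attacker also has (xkcd 936 style)."""
    return words * math.log2(wordlist_size)


def leet_word_bits(wordlist_size: int, words: int, substitutable: int,
                   case_patterns: int = 4, separators: int = 10) -> float:
    """Dictionary words with digit-for-letter swaps (S4P13NT_b00b13s style).
    Each swappable letter is on or off (one bit each); the capitalisation
    scheme and separator add a few more bits. Crackers enumerate exactly
    this space with substitution rules, so this is what they actually face."""
    return (words * math.log2(wordlist_size) + substitutable
            + math.log2(case_patterns) + math.log2(separators))


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """On average the attacker hits the password after half the keyspace."""
    return (2 ** bits) / 2 / rate


def humanize(seconds: float) -> str:
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"


def compare_strategies() -> dict:
    """Entropy and expected crack time for the password styles in the thread."""
    scenarios = {
        # two dictionary words, 7 swappable vowels, one word capitalised, "_"
        "leet two-word (S4P13NT_b00b13s)": leet_word_bits(DICTIONARY_WORDS, 2, 7),
        "diceware, 4 words": passphrase_bits(DICEWARE_WORDS, 4),
        "diceware, 6 words": passphrase_bits(DICEWARE_WORDS, 6),
        "random printable, 8 chars": random_bits(PRINTABLE_ASCII, 8),
        "random printable, 10 chars": random_bits(PRINTABLE_ASCII, 10),
        "random printable, 15 chars": random_bits(PRINTABLE_ASCII, 15),
        "random printable, 30 chars": random_bits(PRINTABLE_ASCII, 30),
    }
    return {name: (round(bits, 1), humanize(expected_crack_seconds(bits)))
            for name, bits in scenarios.items()}


if __name__ == "__main__":
    for name, (bits, eta) in compare_strategies().items():
        print(f"{name:34s} {bits:6.1f} bits  ~{eta}")
```

Under these assumptions the two-word leet password sits near 45 bits and falls in minutes, 8 random printable characters last hours, and 15 random characters are out of reach for any realistic budget; the model also makes the post's point that length is what moves the number, since every extra random character multiplies the work by the alphabet size while an extra substitution only doubles it.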
 

Jeff7

Lifer
Jan 4, 2001
41,596
20
81
> ...
> See, I use LastPass, and all my passwords are the max length a website allows, and are complete gibberish. NO rhyme or reason, nothing for me to remember.
> Any password I end up remembering is because I've had to use it without LastPass autofill, like I've had to look it up on my phone and hand-type it on another device. I've remembered a few like that, and of course some websites force a change every few months so I end up no longer remembering a valid password.

Well that'll at least narrow it down for me. :p
 
Feb 19, 2001
20,155
23
81
> I haven't had an issue with SpiderOak's Android client. If you don't want that, what's wrong with gpg? It's libre software, and cross platform. I can't confirm Apple support (who really cares? :^P), but it works on the other major platforms. BoxCryptor is proprietary, and being proprietary, it can't be trusted.
I think my issue with SpiderOak is that it's not convenient. I realize it's trying to maximize security so no web interface, etc. The root of my problem is likely because I'm not paying for LastPass premium, so I can't have a complicated password for SpiderOak either on my Android phone.

BoxCryptor allows a pretty quick PIN setup and connects to DropBox with ease. It looks like they will have a web interface soon too. At the end of the day, the mobile phone is going to be the gating factor in security and if someone loses their phone, they're going to be in for a world of hurt.

As for gpg, I'm not sure how that will work. Is it pretty convenient?
 

Puppies04

Diamond Member
Apr 25, 2011
5,909
17
76
If I cracked passwords for a living then "correct horse battery staple" would be my second guess after "password".

The problem is my password could be "h0n3y badg3rs m3lt in the m0uth but not in th3 tr33", which would take a normal computer several thousand years to guess, but the second I use it on a site that either gets hacked or sells its users' login details it goes on a list of passwords that will be checked within the first minute of any hack attempt, which leads me to have 4 or 5 passwords that I use based on how much I trust the company in question.

In a perfect world I would have a different password for every site, which I am seriously considering doing and having them all written down on a piece of A4 paper by my PC with a backup at my parents' house. The chance of a hacker breaking into my house or anyone else finding a random piece of paper I hide under my monitor is so miniscule we won't even bother discussing it.

On a side note.... does anyone know if a browser has ever been hacked in a way which revealed auto-filled usernames and passwords, as I would have thought this would be the ultimate way to grab them. What sort of security protects stored passwords and how long would it take a modest server to break?
 
Last edited:
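The post above makes the point that once a password appears in a leak its length no longer matters, because every later attack tries the leaked list first. This added example, which is not code from the thread or from any poster, shows both sides of that: the attacker hashing a leaked list once and matching it against a freshly dumped user table, and the defender checking a candidate against the same list by hash prefix, the k-anonymity range-query shape the Have I Been Pwned API uses. The leaked plaintexts, the user dump and the unsalted-SHA-1 storage are constructed assumptions so the example runs offline; nothing here touches the network.

```python
import hashlib

# Constructed sample data (not real breach data): plaintexts the attacker
# already holds from earlier leaks. Some of the thread's own examples are
# included because posting a password is another way of leaking it.
LEAKED_PLAINTEXTS = [
    "password",
    "correcthorsebatterystaple",
    "h0n3y badg3rs m3lt in the m0uth but not in th3 tr33",
    "S4P13NT_b00b13s",
    "fr45tgFR$%TG",
]


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, upper-case hex (the storage the example assumes a
    sloppy site used; salting would defeat the one-hash-many-users lookup)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed dump of a "hacked" site: user -> SHA-1(password).
FRESH_DUMP = {
    "alice": sha1_hex("correcthorsebatterystaple"),  # reused from an old leak
    "bob":   sha1_hex("h0n3y badg3rs m3lt in the m0uth but not in th3 tr33"),
    "carol": sha1_hex("%@S&pDbg2ct4DwNbA5CEzPT7xS$Wio"),  # unique and random
}


def crack_with_leaked_list(dump: dict, leaked: list) -> dict:
    """Attacker side: hash each leaked plaintext once, then look every user's
    hash up in that table. Cost is O(len(leaked) + len(dump)) regardless of
    password length, which is why a reused 50-character phrase falls in the
    first minute while carol's unique random string is untouched."""
    lookup = {sha1_hex(p): p for p in leaked}
    return {user: lookup[h] for user, h in dump.items() if h in lookup}


def build_range_index(leaked: list) -> dict:
    """Defender side: index leaked hashes by their first five hex digits.
    In a real range query only that prefix leaves the client; the service
    returns every suffix under it and the match is made locally."""
    index = {}
    for p in leaked:
        h = sha1_hex(p)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


def is_known_leaked(password: str, index: dict) -> bool:
    """Check a candidate password without ever handing over the full hash."""
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


if __name__ == "__main__":
    print("recovered:", crack_with_leaked_list(FRESH_DUMP, LEAKED_PLAINTEXTS))
    idx = build_range_index(LEAKED_PLAINTEXTS)
    for candidate in ("correcthorsebatterystaple", "%@S&pDbg2ct4DwNbA5CEzPT7xS$Wio"):
        print(candidate[:12], "leaked" if is_known_leaked(candidate, idx) else "not in list")
```

The attacker function recovers alice and bob immediately and never reaches carol, which is the whole case for a different random password per site: the tiered "4 or 5 passwords by trust" scheme means a leak at the least trusted site in a tier opens every site in it.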

lxskllr

No Lifer
Nov 30, 2004
60,030
10,521
126
> As for gpg, I'm not sure how that will work. Is it pretty convenient?

On GNU/Linux, you'd encrypt a file thusly...

Code:
$ gpg -c myfinancial.info
Enter passphrase: YOUR-PASSWORD
Repeat passphrase: YOUR-PASSWORD

to decrypt...

Code:
$ gpg myfinancial.info.gpg
gpg: CAST5 encrypted data
Enter passphrase: YOUR-PASSWORD

Android is more push button, and maybe a little easier. I haven't used Windows, but I'd be surprised if it were harder than GNU/Linux, and it's probably easier. Gpg4Win is the Windows version...

http://www.gpg4win.org/
 

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
A conversation I had recently with Chase:

Rep: What's your mother's maiden name?
Me: donkey snowman pickle stolen 426
Rep: wat
Me: trust me, I'm from the internets.
Rep: typing....
Rep: well I'll be damned, what can I do for you Mr. Train?

This is a very good thing to do, I do this.

Any password hint I am required to enter is almost always "Hai!" or "Huh?"

My secure passwords are 17 characters+ It's hard to go above that as most sites limit you.

I use passphrases more or less, with capitals not usually starting any phrase and with some not so common substitutions.
 

alkemyst

No Lifer
Feb 13, 2001
83,769
19
81
> On a side note.... does anyone know if a browser has ever been hacked in a way which revealed auto-filled usernames and passwords, as I would have thought this would be the ultimate way to grab them. What sort of security protects stored passwords and how long would it take a modest server to break?

http://jeremiahgrossman.blogspot.com/2010/08/breaking-browsers-hacking-auto-complete.html

Yes. I would never recommend autofill data to include one's password, if only due to someone being able to steal a PC (most computer passwords can be bypassed in about 1 min).

Third party password programs are usually pretty good.
 

sourn

Senior member
Dec 26, 2012
577
1
0
Use a pattern on your keyboard. That way you only have to memorize it and not actually the whole thing. Example: fr45tgFR$%TG, starts with f to g + shift f to g.
 

Red Squirrel

No Lifer
May 24, 2003
70,565
13,802
126
www.anyf.ca
> On a side note.... does anyone know if a browser has ever been hacked in a way which revealed auto-filled usernames and passwords, as I would have thought this would be the ultimate way to grab them. What sort of security protects stored passwords and how long would it take a modest server to break?

I'm sure it could easily be done, the same way some web exploits can modify your entire system files and registry just by simply loading a malicious web page.

Though perhaps all that stuff is fairly well encrypted, as I've never heard of any incident where it did happen.
 

Train

Lifer
Jun 22, 2000
13,587
82
91
www.bing.com
> Use a pattern on your keyboard. That way you only have to memorize it and not actually the whole thing. Example: fr45tgFR$%TG, starts with f to g + shift f to g.

password crackers know this technique, you'll actually get cracked faster than a shorter, random password.
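The reply above is right that keyboard walks are a known cracker rule, and the way a cracker's mangling rules recognise them is simple enough to show. This added example, which is not code from the thread or from any poster, models a US QWERTY layout (an assumption about which keyboard the pattern was typed on), flags a password whose characters sit on physically adjacent keys, and puts a generous upper bound on how many such walks exist so the space can be compared with that of a shorter random password. The adjacency model ignores row stagger and treats a shifted key as the same key, both simplifications.

```python
import math

# US QWERTY rows (assumption). Index i of a SHIFTED row is the same physical
# key as index i of the matching UNSHIFTED row.
UNSHIFTED = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]
NUM_KEYS = sum(len(row) for row in UNSHIFTED)  # 47 printable keys


def key_positions() -> dict:
    """Map every printable character to the (row, column) of its key."""
    pos = {}
    for row, (plain, shift) in enumerate(zip(UNSHIFTED, SHIFTED)):
        for col, (a, b) in enumerate(zip(plain, shift)):
            pos[a] = pos[b] = (row, col)
    return pos


KEY = key_positions()


def adjacent(a: str, b: str) -> bool:
    """True for the same key (shift toggled or repeated) or a neighbouring
    key, diagonals included. Column index stands in for horizontal position,
    so the real half-key stagger between rows is ignored."""
    if a not in KEY or b not in KEY:
        return False
    (r1, c1), (r2, c2) = KEY[a], KEY[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def longest_walk(password: str) -> int:
    """Length of the longest run of consecutive characters on adjacent keys."""
    best = run = 1 if password else 0
    for a, b in zip(password, password[1:]):
        run = run + 1 if adjacent(a, b) else 1
        best = max(best, run)
    return best


def is_keyboard_walk(password: str, min_run: int = 4) -> bool:
    """What a cracker's rule set flags: a run of at least min_run adjacent keys."""
    return longest_walk(password) >= min_run


def distinct_keys(password: str) -> int:
    """Physical keys used; a shifted repeat of a walk adds nothing here."""
    return len({KEY[c] for c in password if c in KEY})


def walk_bits(keys: int) -> float:
    """Upper bound on the entropy of a walk over `keys` distinct keys: any of
    NUM_KEYS to start, then at most 8 neighbours per step. Real walks have
    fewer choices (no backtracking, mostly straight lines), so the true space
    is smaller still."""
    return math.log2(NUM_KEYS) + (keys - 1) * math.log2(8)


def random_bits(length: int, alphabet: int = 95) -> float:
    return length * math.log2(alphabet)


if __name__ == "__main__":
    for pw in ("fr45tgFR$%TG", "qwerty", "%@S&pDbg2ct4DwNbA5CEzPT7xS$Wio"):
        print(f"{pw:32s} walk={is_keyboard_walk(pw)} run={longest_walk(pw)} "
              f"keys={distinct_keys(pw)} bound={walk_bits(distinct_keys(pw)):.1f} bits")
    print(f"8 random printable chars: {random_bits(8):.1f} bits")
```

For the posted example the walk covers six physical keys, so the bound comes out near 21 bits against roughly 53 bits for eight random printable characters, which is the comparison the reply is making: the twelve-character pattern is a much smaller search than the shorter random string.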