sgt_zim
AH legend
- Joined
- Mar 26, 2017
- Messages
- 4,544
- Reaction score
- 17,443
- Location
- Richmond, Texas
- Media
- 33
- Articles
- 1
- Member of
- NRA, Houston Safari Club Foundation, NWTF
- Hunted
- South Africa, Idaho, Texas, Louisiana
What do your passwords look like?
In my mind there are two kinds of passwords you should use.
I probably have more than 400 online accounts...banks, BBS like this one, shopping, etc. I don't know a single one of those passwords.
For most people, there are probably only 2 passwords you should remember off the top of your head - the one you use to log on to your PC, and the one to your password vault. Note that MS Excel does NOT count as a password vault. If a malicious actor breaks into your PC, one of the very first things he's going to do is search for all files with a spreadsheet extension, like .xlsx, and all document extensions like .docx.
There are a number of password vaults (mostly free), but there are 2 in particular I'd urge you to consider, with pros and cons to follow.
Lastpass
there are both a free and subscription version. the subscription version allows you to share account info with other people on your lastpass account (like your spouse). The vault's interface is your web browser
Pros:
inexpensive/free - the paid version is about $20/year, I think, maybe less.
cloud-based - which means it is portable. you can log into their website from anywhere in the world, from any computer in the world, and fetch your account names and passwords
can be used to auto-generate random gibberish for passwords, with passwords as long as 50 characters
auto-fill feature, or copy/paste. this means that even if a malicious actor has installed a key logger on your PC, he won't be able to capture any of the account names or passwords you're using because you never type them
Cons:
cloud-based. malicious actors are constantly trying to break in. but the flip side to this is...these guys actually know what they're doing WRT protecting their data, so they're a much tougher nut to crack than you are
KeePass:
completely free
Pros:
not cloud-based. KeePass is an application you download and install on your PC.
can be used to auto-gen passwords to a very long length, greater than 50 characters as I recall
hackers have been trying to decrypt KeePass databases for years, but the key is randomly generated and very long. The compute power to decrypt the key doesn't exist.
Cons:
not cloud-based - if your laptop dies or is stolen, and you don't have a backup copy of the database, you're going to have to go to the trouble of setting new passwords for all of your online accounts. this can be mitigated by storing a backup copy of the database in OneDrive or Google Drive or DropBox, but that just means you're going to need to remember one more (hopefully very complex) password
so, on to the kind of passwords you should use which you'll actually remember.
I know we're all gun nuts here, but I'm going to make an example out of golf. Suppose you are an avid golfer, and you've got a set of Pings. You might come up with a password to reflect that. "I love to swing my pings" could be done this way as a password: eyeLuv2$w!ngmyPings. That is a VERY complex and long password, 19 characters. Assuming a bad guy knew your password was 19 characters long, and assuming he knew you used UPPER, lower, numerals 0-9, and special characters (there are 32 special characters available on an American English keyboard), there are 94^19 (26 UPPER, 26 lower, 10 numerals, 32 special characters) possible permutations.
94^19 ~= 30,800,000,000,000,000,000,000,000,000,000,000,000 different combinations of characters he'd have to go through to crack your password. Given current normal compute power, it would take longer than the universe has existed to go through every combination.
But more than likely, our bad guy has no idea how long your password is, and he'll probably assume it's only 8 or 10 characters long, and will probably only have UPPER, lower, and numerals, so only 62^8 or 62^10 permutations. For us, that's still quite a large number of permutations, but for a computer with current normal compute power, would probably only take a few hours or maybe a couple days to crack.
Come up with a reasonably long, complex, and memorable password to get into your PC, and another reasonably long and complex password to log into your password vault. For all the rest, use your vault to generate passwords to the greatest length a given website will allow. If a website will allow a 40 character password, then set your vault to generate a 40-character password combo of U, l, n, and spc. Preferably, the passwords for your PC and your password vaults are a minimum of 16 characters.
2-factor or multi-factor authentication (2FA or MFA)
Google and Microsoft, among others, support 2FA/MFA. You submit your account name and password, then they send a one-time passcode to your cell phone that you will need to type into the browser (doesn't matter if there's a key logger present here because this code is usually only good for about 5 or 10 minutes) to finish authentication. Using SMS is not ideal, but for non-corporate accounts, the risk is extremely low; so low as not to need worrying about.
Setting up MFA with reputable vendors like Google and MS is pretty easy, and only takes a couple minutes.
Digital security, like physical security, is a pain in the ass. But it is the world we live in. It would be nice if I didn't need to carry a set of keys with me everywhere I go - one for the house, one for the truck, one for the mail box, one for the office, one for the tonneau cover on my truck, one for my safe, one for my wife's car, one for my parents' house, one for my gun vault, locks for my Pelican gun case...
In my mind there are two kinds of passwords you should use.
I probably have more than 400 online accounts...banks, BBS like this one, shopping, etc. I don't know a single one of those passwords.
For most people, there are probably only 2 passwords you should remember off the top of your head - the one you use to log on to your PC, and the one to your password vault. Note that MS Excel does NOT count as a password vault. If a malicious actor breaks into your PC, one of the very first things he's going to do is search for all files with a spreadsheet extension, like .xlsx, and all document extensions like .docx.
There are a number of password vaults (mostly free), but there are 2 in particular I'd urge you to consider, with pros and cons to follow.
Lastpass
there are both a free and subscription version. the subscription version allows you to share account info with other people on your lastpass account (like your spouse). The vault's interface is your web browser
Pros:
inexpensive/free - the paid version is about $20/year, I think, maybe less.
cloud-based - which means it is portable. you can log into their website from anywhere in the world, from any computer in the world, and fetch your account names and passwords
can be used to auto-generate random gibberish for passwords, with passwords as long as 50 characters
auto-fill feature, or copy/paste. this means that even if a malicious actor has installed a key logger on your PC, he won't be able to capture any of the account names or passwords you're using because you never type them
Cons:
cloud-based. malicious actors are constantly trying to break in. but the flip side to this is...these guys actually know what they're doing WRT protecting their data, so they're a much tougher nut to crack than you are
KeePass:
completely free
Pros:
not cloud-based. KeePass is an application you download and install on your PC.
can be used to auto-gen passwords to a very long length, greater than 50 characters as I recall
hackers have been trying to decrypt KeePass databases for years, but the key is randomly generated and very long. The compute power to decrypt the key doesn't exist.
Cons:
not cloud-based - if your laptop dies or is stolen, and you don't have a backup copy of the database, you're going to have to go to the trouble of setting new passwords for all of your online accounts. this can be mitigated by storing a backup copy of the database in OneDrive or Google Drive or DropBox, but that just means you're going to need to remember one more (hopefully very complex) password
so, on to the kind of passwords you should use which you'll actually remember.
I know we're all gun nuts here, but I'm going to make an example out of golf. Suppose you are an avid golfer, and you've got a set of Pings. You might come up with a password to reflect that. "I love to swing my pings" could be done this way as a password: eyeLuv2$w!ngmyPings. That is a VERY complex and long password, 19 characters. Assuming a bad guy knew your password was 19 characters long, and assuming he knew you used UPPER, lower, numerals 0-9, and special characters (there are 32 special characters available on an American English keyboard), there are 94^19 (26 UPPER, 26 lower, 10 numerals, 32 special characters) possible permutations.
94^19 ~= 30,800,000,000,000,000,000,000,000,000,000,000,000 different combinations of characters he'd have to go through to crack your password. Given current normal compute power, it would take longer than the universe has existed to go through every combination.
But more than likely, our bad guy has no idea how long your password is, and he'll probably assume it's only 8 or 10 characters long, and will probably only have UPPER, lower, and numerals, so only 62^8 or 62^10 permutations. For us, that's still quite a large number of permutations, but for a computer with current normal compute power, would probably only take a few hours or maybe a couple days to crack.
Come up with a reasonably long, complex, and memorable password to get into your PC, and another reasonably long and complex password to log into your password vault. For all the rest, use your vault to generate passwords to the greatest length a given website will allow. If a website will allow a 40 character password, then set your vault to generate a 40-character password combo of U, l, n, and spc. Preferably, the passwords for your PC and your password vaults are a minimum of 16 characters.
2-factor or multi-factor authentication (2FA or MFA)
Google and Microsoft, among others, support 2FA/MFA. You submit your account name and password, then they send a one-time passcode to your cell phone that you will need to type into the browser (doesn't matter if there's a key logger present here because this code is usually only good for about 5 or 10 minutes) to finish authentication. Using SMS is not ideal, but for non-corporate accounts, the risk is extremely low; so low as not to need worrying about.
Setting up MFA with reputable vendors like Google and MS is pretty easy, and only takes a couple minutes.
Digital security, like physical security, is a pain in the ass. But it is the world we live in. It would be nice if I didn't need to carry a set of keys with me everywhere I go - one for the house, one for the truck, one for the mail box, one for the office, one for the tonneau cover on my truck, one for my safe, one for my wife's car, one for my parents' house, one for my gun vault, locks for my Pelican gun case...