Password Strategies

Hi everyone, I've been thinking lately about paying more attention to password security and thought it would be cool to start a thread for people to share tips and ideas on how to protect your data. Do you use a password manager? Choose passwords manually? How do you remember them? In short, what's your strategy, even if it's not perfect!

As for me, I have a couple of strong passwords committed to memory, and tend to use slight variations of them for each site I register on. Could definitely do with using stronger variations though... any tips for memorising?

One of my key password strategies is to never disclose details of my password strategies. And even now I may have said too much!

Using KeePass and it works well.

http://keepass.info/

I use a product called msecure - works on my phone, ipad and a PC version is available and can be synced up as well.

I have unique passwords for most sites (some less important sites do share a common password). I also, for most sites, have unique user names. I own a domain and where sites use email as the username I have something unique at that domain (for example [email protected]). That way it has increased security as anyone getting hold of an unencrytped list of usernames and passwords from one site would not have the correct item for either on any other site.

As far as the passwords go I use the random password generator on msecure to create the password. When generating the passwords I usually don't use special characters except where it is something really sensitive.

I remember probably about 3 of the passwords off by heart but most sites I just check on the app to get the ID and password.

I tend to keep the same password, but use a few different emails.

Some sites have unique addresses, like amazon, paypal etc but I tend to group thing like forums under it's own unique email address. If I start to get spammed on an particular address then I can either identify a source or at least narrow it down to a smaller group.

So I can remember I do keep a list of sites and emails with the password (in a secure format I know) on a note on icloud.

- I have a different password for each site/service online.
- I aim for a minimum of 20 random characters, spanning 0-9, A-Z, a-z and 2 specials. On some sites, I have upped this to 40 characters.
- I enable 2 factor-auth where possible.
- None of these passwords are stored anywhere, in any password storage system, password manager, on disk, or on paper.
- At no point are any of the sites where these passwords are used stored in any password storage system, password manager, on disk or on paper.

My process does involve knowledge of a master password, which again, I haven't stored anywhere, on disk or on paper. In theory, if you found out what this was, you could potentially find out the other passwords but you would still need to know what sites/services I have accounts with, and as I've just said above, I don't store that information in a readily accessible form (the process is actually all linked together using sha512 hashing (a one way process), not encryption (a reversible process)). In fact, even I can't get this information back.

FYI, my PayPal account got hacked several years ago now. That was an 8 character lower case only, random password, which I was using on other sites. That incident gave me a wake-up call so I devised my own system to generate random but recoverable passwords of any length (up to 80 characters max) for each site/service as required.

Computerphile have done some good videos discussing choosing and cracking passwords:

https://www.youtube.com/watch?v=3NjQ9b3pgIg
https://www.youtube.com/watch?v=7U-RbOKanYs

and it demonstrates that even replacing letters with numbers, and any other variants of this, are all now pitfalls for choosing a secure password. Only lengthy passwords with high-entropy are secure, and only if hashed using a secure hashing algorithm. Which reminds me - if you signup somewhere and they email your password back to you, at any point, well... enough said.

I have four basic passwords. Most are just alphanumeric with mixed case but based on meaningless phrases . I typically add a digit and/or character if a site demands it. I grade the passwords according to importance and they get shared across sites according to the sensitivity of the information I'm submitting.

The kind of thing I might use for a password is 'DrovEDoGShuttR'. It's susprising how easy I find it to remember something like that

One wrinkle is that I always use a unique email address for all my contacts. So knowing my password may not be enough to gain access.

Edited by Andrue (Thu 17-Nov-16 16:29:33)

I thing I do when needed is the security questions sometimes required when setting up an account - examples:

Q. Your Mothers maiden name?
A. fish n chips

Q. Name of your first pet?
A. wooden spoon

Q. Name of your last school?
A. Mr. Spock

etc. etc.

Nick

Really great suggestions guys! It's interesting to see how varied everyone's approaches are, I'll certainly be taking a few leaves out of your books, so to speak. I've been doing a little digging for more advice and came across a guide to choosing a strong password: https://www.1and1.co.uk/digitalguide/server/security...

I thought the "Using your own password system" section was particularly interesting. Basically the idea is to devise and memorise one strong master password and then add extentions to it for each site you sign up to. So if your master key is "G5w.&$;(9b.B", you could go for "4G5w.&$;(9bE.Ba", or something similar. So it's sort of like a manual version of a password manager, just made easier for you to commit each password to memory.

Long and strong master pass-phrases. KeePass-generated 16-character password for every online account.