Let's Talk about Passwords



Something I posted on my Facebook page, thought maybe someone might find it useful here too.

 

Let’s talk about passwords for a moment. Let’s see a show of hands: how many people use the same password on every site on the internet? I’m guessing it’s going to be quite a few of you. Let me explain for a moment why that is not the best idea.

 

For this example, let’s create a fake website and call it xyz. You go to the website xyz and they want you to create an account. You give them your email address and then you enter the same password you use for everything else on the internet. Now let’s pretend that xyz doesn’t have the world’s best security practices and they store your password in what they call plain text, meaning they don’t encrypt (protect) your password in their database. It’s just there for the world to see.

 

Now let’s pretend xyz gets hacked. The hacker downloads the entire database. Now they have your email address and the password you use all over the internet. The hackers, who now have your email address and password, go to amazon.com and enter your email address and password and they successfully log in! Now they go to paypal.com and successfully log in! Now they go to Walmart.com and successfully log in! I think you are getting the idea.

 

If you use the same password everywhere and just 1 of the many sites you have accounts on gets hacked, it compromises all of them. It’s like a house of cards.

I know you are thinking, how in the heck am I going to keep track of all my passwords if each website requires a different one?

 

Up to this point, there have been a couple of ways people have done it. Some users would create a file on their computer called passwords. Then they would store all of their passwords in that file. I would recommend not doing this for a couple of reasons.

 

1st: A lot of people tend to let random people connect into their computer by getting scammed or by calling a phone number that magically appears on their computer screen informing them that they are infected. Once connected, the scammer can go through the user’s (your) files and even download them to their own machine. If they were to get the passwords file, they would have access to all of the user’s (your) passwords.

 

2nd: I don’t recommend storing your passwords in a text file because most people don’t back up their important information. If you store all of your passwords on a file on your computer and your hard drive crashes without a backup copy, you will lose all your passwords and many of them could be unrecoverable.

 

Another method people use is storing the passwords in the web browser. It’s handy but the browsers store them in a very insecure manner. Using the same example as above, when a user lets a stranger connect into their computer, they can see every password that the browser has stored.

 

I would recommend you check to see which passwords your browser is storing. You can do this by clicking Start (the button in the bottom left), typing “credential” and clicking on the one called “Credential Manager”.

 

Better ways to store your passwords SECURELY.

 

A couple of suggestions:

 

1st: Write them down in a book. Most people advise against writing down passwords in a book but I am personally of a different mindset. I’m far less concerned about someone breaking into your house and stealing your password book than I am with you using the same password all over the internet.

 

2nd: You can store your passwords in what is called a “Password Manager”. There are a bunch of different ones, but the one I personally recommend is one called “LastPass”: www.lastpass.com. Most of the functionality is available for free.

 

With LastPass or any other secure password manager, you create a Masterpassword. This is a password to unlock all passwords. This is a password that you would have NEVER used ANYWHERE for ANYTHING ever before. It is the keys to the kingdom. When creating a Masterpassword, I would recommend that it be long and also padded. When I say padded I mean add stuff to the password to give it complexity and length. For instance, using the word password as a password is easily guessable. It’s the first password a lot of people try. But if you pad the end of password with some symbols, such as password*!, it’s now not as easily guessable. This was just an example. I would not recommend using the word “password” as your password... no matter how much it’s padded.

 

The great benefit of Lastpass is that it can store ALL of your passwords for you. You won’t have to remember a single password again other than the “Masterpassword” that you have used to lock it. Once you have it set up, you will simply open your Password Manager and type in your unique “Masterpassword”. The program will then open up what could be called “The Bank”. Your “Bank” is holding all of your site passwords. When you click on the site you want, it goes to that site, automatically enters the password for that particular site and “BOOM”, you are logged in.

 

One of the greatest things about LastPass is that it syncs your passwords (securely) to “The Cloud”, so when you change to a new computer, you simply log back into LastPass and all of your passwords are automatically synced to your new device. It also gives you the option to “Generate” a password. When you tell it to generate a password it creates a long random gibberish password. The best part is that you can use a different gibberish password on every single website and have LastPass remember it for you. I’m not going into detail on how to use LastPass as that would be a very long read. What I will do is link you to the best video I can find that shows you how to use it.

 

One last thing: if you use LastPass, I would recommend disabling the password manager that is built into the web browser. Below are instructions on how to disable the built-in password manager depending on which browser you are using. My personal browser of choice is Chrome.

 

Internet Explorer:

1) Open “Internet Explorer”

2) Click the gear in the top right and select “Internet Options”

3) Click on the “Content” tab

4) Under “AutoComplete” click “Settings”

5) Uncheck “Usernames and Passwords on Forms”

6) Click “OK” and then “OK” again


Firefox:

1) Open “Firefox”

2) Click the 3 horizontal lines in the top right

3) Click “Options”

4) On the left hand side click “Security”

5) On the right hand side uncheck “Remember logins for sites”. (On this same screen you can also click “Saved Logins” and write down and remove any currently saved passwords in Firefox.)

6) Now you can close the tab by hitting the X up on top.


Google Chrome:

1) Open “Chrome”

2) Click on the 3 vertical dots in the top right.

3) Click “Settings”

4) Click “Search Settings” at the very top and type in “Passwords”

5) Click “Manage Passwords”

6) Push the slider at the top next to “On” so it says “Off”. (On this same screen you can also write down and remove any currently saved passwords in Chrome.)

7) Now you can close the tab by hitting the X on the top right.


Microsoft Edge:

1) Open “Microsoft Edge”

2) Click on the 3 horizontal dots in the top right

3) Click “Settings”

4) Scroll down and click “View Advanced Settings”

5) Scroll down and slide the switch under “Offer to save passwords”. (If you click “Manage passwords”, it will allow you to remove any passwords currently saved in “Microsoft Edge”. Unfortunately, as far as being able to write them down, Edge does not let you see the passwords.)

6) Now you can close “Edge”.

https://www.neowin.net/forum/topic/1340722-lets-talk-about-passwords/
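The plain-text storage and password-reuse scenario from the post above, as an added example that is not part of the original post: it shows what a breach dump of the made-up site xyz hands over when a password is stored as-is versus salted and hashed, and how a manager-style “Generate” button yields a different password per site. The e-mail address, password and site names are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed sample account: one e-mail address and the single password the
# user reuses everywhere (both values made up for this example).
EMAIL = "user@example.com"
REUSED_PASSWORD = "password*!"


def store_plaintext(email, password):
    """How the made-up site xyz stores a credential: as-is, no protection."""
    return {"email": email, "password": password}


def store_hashed(email, password, iterations=600_000):
    """The defensible alternative: a random per-user salt plus PBKDF2-HMAC-SHA256.
    Only the salt, the iteration count and the derived key reach the database."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"email": email, "salt": salt.hex(), "iters": iterations, "hash": key.hex()}


def verify_hashed(record, password):
    """Login check against a hashed record, compared in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", password.encode(),
                              bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(key.hex(), record["hash"])


def password_exposed_by_dump(record):
    """After a breach the attacker holds the whole record. In the plain-text case
    the reusable secret is right there; with a salted hash it is not, so the dump
    alone does not hand over the password that also opens the user's other sites."""
    return record.get("password")


def generate_site_password(length=20):
    """What a password manager's Generate button does: a fresh random string per
    site from a CSPRNG (the secrets module), so no two sites share a secret."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*-_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    xyz_plain = store_plaintext(EMAIL, REUSED_PASSWORD)
    xyz_hashed = store_hashed(EMAIL, REUSED_PASSWORD)
    print("plain-text dump exposes:", password_exposed_by_dump(xyz_plain))
    print("hashed dump exposes:", password_exposed_by_dump(xyz_hashed))
    print("hashed login still works:", verify_hashed(xyz_hashed, REUSED_PASSWORD))
    # Unique per-site passwords make a leaked one useless anywhere else.
    print({site: generate_site_password() for site in ("amazon", "paypal", "walmart")})
```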

Just a heads up for those who aren't LastPass fans or who don't want to spend to get the extra features.  

Keepass Password Safe (http://keepass.info/) is available for nearly every platform and it's open source.

 

Note: It's got the style and design of an open source utility, which is to say, it's ugly but it works really well.

 

To sync, just put the password file in Onedrive, Dropbox, Google Drive or your favorite cloud storage utility and access it where you need it.

48 minutes ago, Joe User said:

Just a heads up for those who aren't LastPass fans or who don't want to spend to get the extra features.  

Keepass Password Safe (http://keepass.info/) is available for nearly every platform and it's open source.

 

Note: It's got the style and design of an open source utility, which is to say, it's ugly but it works really well.

 

To sync, just put the password file in Onedrive, Dropbox, Google Drive or your favorite cloud storage utility and access it where you need it.

Keepass doesn’t work very well with OTP. That’s why I use LastPass. 

Home

I have 3 personal passwords: one I use with any account that allows 2FA, financial/2FA, and the rest. When required all are 16 characters, mixed case, alphanumeric with at least 8 digits interspersed in the passphrase. All retained securely on an AES stick, which only I know the passcode to, in a password encrypted Excel worksheet. (Belt and braces.)

 

I need to remember 3 passwords: 1) Windows <duh>, 2) AES stick unlock code, 3) secure doc pwd.

 

I do not use any 3rd party password retainer tools. IMO all they need is to be hacked (which happens) and voila, all your "secure" creds are pwned. They are a step up from the Windows password manager... but not by much IMO.

 

Workplace

We have blocked all password managers at work; my users only have to remember 1 password ffs (hurrah for SSO)... try having normal accounts on all domains in our forest and ADM accounts with the same requirements for every domain (10+ domains & assoc ADMs), then complain about remembering passwords :)

I have been using LastPass for about a year and a half now, and I love it. I've been trying to get my Dad to use it; he presently runs DashLane, which for some reason starts up with Windows with a splash screen and sits on the taskbar all the time. I don't know if he has unique passwords. For many accounts that I have, I use the same password, which is a difficult word, but I see what you mean Warwagon that if just one of them is hacked, they will have my password for all my accounts. My financial ones are all different and unique, and autogenerated by LastPass.

 

Nice article!

8 hours ago, Mando said:

When required all are 16 characters, mixed case, alphanumeric with at least 8 digits interspersed in the passphrase. All retained securely on an AES stick, which only I know the passcode to, in a password encrypted Excel worksheet. (belt and braces)

 

You mean the 3 passwords you switch between are all 16 characters, mixed case, alphanumeric with at least 8 digits interspersed in the passphrase?

On 8/28/2017 at 4:54 PM, warwagon said:

You mean the 3 passwords you switch between are all 16 characters, mixed case, alphanumeric with at least 8 digits interspersed in the passphrase?

That's not too difficult to do really. Just switch to passphrases and you can easily do 50+ character mixed case, alphanumeric. Just don't go quoting something.

 

"I'll always remember 1998, it's my fav year & 2007 was pretty good too!!" 

 

71 characters and I'll be dead for many years before it's broken.

I like to think most Neowin members DO NOT use the same password for everything but maybe I am wrong.

 

Agreed, there is no reason not to physically record your passwords, and I do so myself in a txt on my PC which I back up with other important stuff on my PC. Some may think that is not a good idea, but no one is getting access to my PC, and if it was hacked I deserve everything that happens. I tried LastPass a while back and didn't like it. I just use Firefox's password manager with a master password, which is secure enough. I DO NOT use it for bank/credit card passwords.

 

Another thing I would recommend is 2FA for one's main email account(s) as that is almost as important as your bank/credit card accounts.

5 weeks later...

I recently migrated away from LastPass and setup KeePass with my own device sync. It is not as user friendly, but I do feel I am in control of my passwords.

 

PSA to anyone on Firefox 57+: the LastPass extension is not working. There is a developer build that you have to pester them about, but from what they have said on the message boards, don't expect anything until 57 stable is released.

5 minutes ago, Circaflex said:

I recently migrated away from LastPass and setup KeePass with my own device sync. It is not as user friendly, but I do feel I am in control of my passwords.

 

PSA to anyone on Firefox 57+: the LastPass extension is not working. There is a developer build that you have to pester them about, but from what they have said on the message boards, don't expect anything until 57 stable is released.

Ya that's too bad. I'd love to live in the Firefox 57 beta for a while.

Just now, warwagon said:

Ya that's too bad. I'd love to live in the Firefox 57 beta for a while.

No doubt; it is really a snappy and responsive browser now. Most people before chose privacy (Firefox) or speed (Chrome), and now with the newest releases from Firefox, it is getting close to Chrome in speed and responsiveness.
