Passwords!


Munter

31,319 posts

242 months

Tuesday 27th March 2018
davek_964 said:
Although I like the idea of something which manages complicated passwords for all of my online accounts - doesn't it only make sense if you allow it to auto fill forms?
No

You open the password safe with your complex password you hold in your head. Go to the record for the site you want to log into, and then use the information held.

So even if they do steal your tablet, and defeat that password, they still have to know your complex password to get into the safe to go anywhere else.

Tis a damn good reason not to use the password auto fill in browsers though.

davek_964

8,849 posts

176 months

Friday 30th March 2018
A few days ago I decided to give one a try. I'm also one of those people who has a relatively simple password for sites like this but more complex unique passwords for important stuff. However, due to the varying rules on passwords, I sometimes need hints to remind me what's different for a particular site and I figured a password manager was a good way to store those hints even if I don't use it to generate a random password.

By coincidence, I received an email over night saying that the database of one of my simple sites has been compromised - usernames and (hashed) passwords have been obtained.
Potentially, this gives the attackers access to a number of sites I use, which I don't like. So I've now generated complex passwords from the password manager for all simple sites.

bitchstewie

51,575 posts

211 months

Friday 30th March 2018
If you're still not convinced passwords matter go here and put in your email address(es) https://haveibeenpwned.com/

Totally safe site as I know I'm some random guy on the internet.

Mr Pointy

11,292 posts

160 months

Friday 30th March 2018
AW111 said:
Mr Pointy said:
It's people like you that password managers were invented for. Just try one of them, it makes life much easier.

When you die, how will your family access your accounts?
I have less than 10 online accounts in total.

The only one that matters is the bank, and family will have to contact them directly anyway when I die, so it's not much of an issue.

When you die, how will your family access your password safe?
Like this:
https://helpdesk.lastpass.com/emergency-access/
You may not be dead: you may be incapacitated & your accounts would be inaccessible.

AW111

9,674 posts

134 months

Friday 30th March 2018
Mr Pointy said:
Like this:
https://helpdesk.lastpass.com/emergency-access/
You may not be dead: you may be incapacitated & your accounts would be inaccessible.
Like I said - I don't have any important web accounts. Your life is different to mine.

Fetchez la vache

5,577 posts

215 months

Friday 30th March 2018
Biker's Nemesis said:
I have a little pocket book that I write the passwords in.

It's dead simple.
Pfft...
What happens when you forget the book?
My passwords are written on my arms. The ones on my left arm are more legible than the ones on my right but I can live with that.

Hoofy

76,470 posts

283 months

Friday 30th March 2018
I use this kind of format.

website name - special phrase - number

So you could have yours as

PistonHeadsHoofyisthebest1111

For google:

GoogleHoofyisthebest1111

Facebook:

FacebookHoofyisthebest1111

If you are forced to change the password then:

PistonHeadsHoofyisthebest1112

smile

audi321

5,229 posts

214 months

Friday 30th March 2018
Hoofy said:
I use this kind of format.

website name - special phrase - number

So you could have yours as

PistonHeadsHoofyisthebest1111

For google:

GoogleHoofyisthebest1111

Facebook:

FacebookHoofyisthebest1111

If you are forced to change the password then:

PistonHeadsHoofyisthebest1112

smile
Sorry to be thick, but why not just have Hoofyisthebest1111 for them all? If someone gets hold of one, then they're going to be able to guess the rest pretty easily?

ging84

8,945 posts

147 months

Friday 30th March 2018
audi321 said:
Sorry to be thick, but why not just have Hoofyisthebest1111 for them all? If someone gets hold of one, then they're going to be able to guess the rest pretty easily?
That is the case if a human gets hold of the plain text password, but it will thwart most automated attacks, as well as most attacks involving password hashes.

Although a truly unique password for all accounts has many benefits, you can get a lot of the benefits with a single character difference.

gothatway

5,783 posts

171 months

Friday 30th March 2018
anonymous said:
[redacted]
I use one of a number of certain combinations of characters, coupled with something derived from the website's name/url to generate a password which has an infinitesimally small chance of being the same as that of anyone else on the planet. If I write one down, it is further disguised in a way which is only meaningful to me.

But I have a real issue with your scenario above, even though I recognise it as a simplistic description. Do sites nowadays really only hash the password to encode it? Surely it should be hashed together with the username, so that anyone with a hashed value cannot have a hope of using it on another account, unless of course they have the hashing algorithm, which would also have to be reversible - in which case we're all doomed.

juice

8,567 posts

283 months

Friday 30th March 2018
gothatway said:
I use one of a number of certain combinations of characters, coupled with something derived from the website's name/url to generate a password which has an infinitesimally small chance of being the same as that of anyone else on the planet. If I write one down, it is further disguised in a way which is only meaningful to me.

But I have a real issue with your scenario above, even though I recognise it as a simplistic description. Do sites nowadays really only hash the password to encode it? Surely it should be hashed together with the username, so that anyone with a hashed value cannot have a hope of using it on another account, unless of course they have the hashing algorithm, which would also have to be reversible - in which case we're all doomed.
It should be a salted hash, i.e. one-way.

gothatway

5,783 posts

171 months

Friday 30th March 2018
juice said:
It should be a salted hash, i.e. one-way.
Indeed, one would hope so. Elementary stuff, surely.

gothatway

5,783 posts

171 months

Saturday 31st March 2018
anonymous said:
[redacted]
I cannot really buy that - hash the password together with email address (or username if a site doesn't have email address - is there any such site?), then if the user changes email address (or username), require them to define a new password. My email address has a lot more characters than any password of mine, so plenty of scope for nice complex hashing algorithms.

ging84

8,945 posts

147 months

Sunday 1st April 2018
gothatway said:
I cannot really buy that - hash the password together with email address (or username if a site doesn't have email address - is there any such site?), then if the user changes email address (or username), require them to define a new password. My email address has a lot more characters than any password of mine, so plenty of scope for nice complex hashing algorithms.
That is adding extra burden on the user to support something less secure. Your email address may have lots of characters, but it is far from random, so it has little entropy, and it is reused, so it effectively has no entropy.


AW111

9,674 posts

134 months

Sunday 1st April 2018
ging84 said:
That is adding extra burden on the user to support something less secure. Your email address may have lots of characters, but it is far from random, so it has little entropy, and it is reused, so it effectively has no entropy.
It's also publicly visible. It would be easy to knock up a script to collect all unique PH usernames - and now you have a database.
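The hashing sub-thread above (juice's "it should be a salted hash" and ging84's point that an email address is a low-entropy, reused salt) is easy to see concretely. The following is an added example written for this page, not code from any poster or from a password manager; it uses PBKDF2-HMAC-SHA256 from the Python standard library with a constructed set of three accounts, and the iteration count is a demonstration value. It compares an unsalted hash, the "hash password together with email" scheme proposed in the thread, and a random per-account salt, and shows the one property defenders care about in a leaked table: whether two records can be matched without cracking anything.

```python
import hashlib
import hmac
import os
from collections import Counter
from typing import Dict, Iterable, Tuple

# Constructed sample accounts (not real users): two of them chose the same password.
SAMPLE_ACCOUNTS = [
    ("alice@example.com", "Hoofyisthebest1111"),
    ("bob@example.com", "Hoofyisthebest1111"),
    ("carol@example.com", "correct horse battery staple"),
]

# PBKDF2 work factor. Demonstration value (assumption); tune upward on production hardware.
ITERATIONS = 200_000


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: identical passwords produce identical hashes,
    so a leaked table reveals which users share a password, and one precomputed
    table of common passwords cracks every account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def email_salted_hash(email: str, password: str) -> str:
    """The scheme proposed in the thread: the email address is the salt.
    It is deterministic and the salt is public, so the same person using the same
    password on two sites that both do this ends up with the same stored value."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode(), email.lower().encode(), ITERATIONS
    ).hex()


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Recommended storage: a fresh random 16-byte salt per account.
    Returns (salt, derived_key); both are stored, neither is secret."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def verify(record: Tuple[bytes, bytes], password: str) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, key)


def duplicate_hash_count(hashes: Iterable) -> int:
    """Number of records that share their stored value with at least one other
    record: what an attacker learns from a leaked table before cracking anything."""
    return sum(c for c in Counter(hashes).values() if c > 1)


def compare_schemes(accounts=SAMPLE_ACCOUNTS) -> Dict[str, int]:
    """Store the same accounts under the three schemes and count visible duplicates."""
    unsalted = [unsalted_hash(p) for _, p in accounts]
    email_salted = [email_salted_hash(e, p) for e, p in accounts]
    random_salted = [make_record(p)[1] for _, p in accounts]
    return {
        "unsalted_duplicates": duplicate_hash_count(unsalted),
        "email_salted_duplicates": duplicate_hash_count(email_salted),
        "random_salted_duplicates": duplicate_hash_count(random_salted),
    }


def same_value_on_two_sites(email: str, password: str) -> Dict[str, bool]:
    """Does a user who reuses one password get the same stored value at two
    independent sites? True for the email-salt scheme, False for random salts."""
    return {
        "email_salted": email_salted_hash(email, password) == email_salted_hash(email, password),
        "random_salted": make_record(password) == make_record(password),
    }


if __name__ == "__main__":
    print(compare_schemes())
    print(same_value_on_two_sites("alice@example.com", "Hoofyisthebest1111"))
    rec = make_record("Hoofyisthebest1111")
    print(verify(rec, "Hoofyisthebest1111"), verify(rec, "Hoofyisthebest1112"))
```

Running it shows that alice and bob collide under the unsalted scheme, that the email-salted scheme removes that collision within one site but gives the same stored value anywhere the user reuses the password with that scheme, and that random per-account salts do neither. The salt is not a secret; its job is to make every stored value unique so that precomputation and cross-table matching stop working, which is exactly why it should come from a random source rather than from anything public and reused.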

bloomen

6,938 posts

160 months

Sunday 1st April 2018
I don't trust any type of honey pot which is exactly what a password manager would be for hackers. I also don't want to trust any third party or company's continued existence.

For the important sites I remember all my individual passwords just fine. The rest I couldn't care less about so they get variations on a few themes. If any were accessed by someone else it would be no loss to me.

Marcellus

7,123 posts

220 months

Sunday 1st April 2018
Sometimes there's a topic where you just think "thank you OP for asking that" and for me this is just one such topic.

I have often wondered how everyone else copes with remembering 101 passwords for various sites without them being xyz01, xyz02, where xyz02 is where you forgot xyz01, having switched to xyz from abc because abc was too obvious.

But I always thought perhaps it was too silly of me to ask.

So, thank you OP for asking this silly question (that I wasn't brave enough to ask).



In reaction to this topic I now have gone with 1password, my thoughts being that as it's American and they're paranoid both of being hacked and of being sued, an American site which claims to be secure is going to be a lot more secure than my abc or xyz!

I've been using it for a few days now and am quite impressed. I just need to remember to not let google save any passwords when they're updated with "a random sequence of 25 letters and symbols"!

I think it works quite well and for $36 a year good value!

bitchstewie

51,575 posts

211 months

Sunday 1st April 2018
Marcellus said:
In reaction to this topic I now have gone with 1password, my thoughts being that as it's American and they're paranoid both of being hacked and of being sued, an American site which claims to be secure is going to be a lot more secure than my abc or xyz!
Canadian (small but arguably important, certainly to them smile). If you go via their .eu site you'll be hosted in the EU too.

gothatway

5,783 posts

171 months

Sunday 1st April 2018
AW111 said:
ging84 said:
That is adding extra burden on the user to support something less secure. Your email address may have lots of characters, but it is far from random, so it has little entropy, and it is reused, so it effectively has no entropy.
It's also publicly visible. It would be easy to knock up a script to collect all unique PH usernames - and now you have a database.
But it would nevertheless add a layer of defence against:
anonymous said:
[redacted]
... always assuming that the hashing algorithm hasn't been hacked.

AW111

9,674 posts

134 months

Monday 2nd April 2018
I like that password tester.

PS I never use online password testers, on the assumption that feeding all my important passwords to an unknown third party might not be a good idea.