Is Your Password Hacker Proof? - Comments Page 1

Category: Security





All Comments on: "Is Your Password Hacker Proof?"


Posted by:

Cheryl
15 Feb 2011

In a past article about password security, you mentioned Last Pass. Do you still feel this is a good option?

Posted by:

chesscanoe
15 Feb 2011

If you don't want a program such as LastPass to generate and save a password, Microsoft has some mostly good password advice at
http://www.microsoft.com/security/online-privacy/passwords-create.aspx

Posted by:

Ken
15 Feb 2011

Great article!

I have had my children use complex passwords since they were old enough to use a computer. 10 characters, upper and lower case, numbers and special characters. Pretty impressive for a six-year-old!

I have used RoboForm U3 for several years and love it. Now I am moving to Roboform Portable. I try not to use the same password twice for anything. RoboForm helps with that and even has a random generator as part of the product.

Even with strong passwords and RoboForm, I still try to change my password every 90 days, or whenever I feel like one might have been compromised.

There is something on everyone's computer that is of interest to a hacker, even if you don't think you do anything important, or don't keep secrets on your hard drive.

Posted by:

Art
15 Feb 2011

For a while I was using old phone numbers (999zz9999) for my passwords, but have moved on to historical initials, a significant year, and 3-4 site identifier (HST1945ebay).

Posted by:

Andy
15 Feb 2011

Yeah, sure.....and how are you supposed to remember all these? I have seven pages, double spaced, of sites and accounts and the corresponding passwords. If I had to look up each one each time I went to a site or an account, I'd never get anything done. Also, I don't carry my list of passwords around and making sure I always have a certain memory stick around is something else that can be left behind. Keeping it with my car keys would not work. I don't always have my keys. My home has a digital code...don't need keys.

Maybe I'm asking for trouble, but I need my sanity in the meantime.

Posted by:

Jason
15 Feb 2011

I'd be interested in what you think about LastPass too. I've been using KeePass synced with Dropbox but I like LastPass better. It's better at saving new passwords as I enter them in websites.

Posted by:

Michael
16 Feb 2011

Using LastPass for everything other than banking sites which live securely on my PC.

A great source for long complex passwords is https://www.grc.com/passwords.htm

Posted by:

Tony
16 Feb 2011

What is your opinion of online password generators such as http://www.angel.net/~nic/passwd.html ?

Posted by:

TheRube
16 Feb 2011

In addition to the above-mentioned apps one may also want to try Keyscrambler. It is a Firefox and IE plugin which scrambles characters as you type on your computer's keyboard. Everything is ScRaMbLeD including those all-important passwords!

All information that is inputted and leaves your computer to go to an online bank for example is encoded while in transit. Thus, if someone with ill intent decides to intercept your information he/she will see only scrambled information. However, when the information reaches its intended destination (online bank) then the inputted information is UN-Scrambled.

I love this Software - - and so will YOU!

TheRube

Posted by:

Don
16 Feb 2011

KeePass for me. Love it.

Posted by:

T
16 Feb 2011

My policy is to combine the date with the company/organization - i.e. I sign up on eBay on the 10th of December 2010. A possible password might be eB121010.

Posted by:

Diana
16 Feb 2011

My favorite movie character (there are a bazillion of them, so no way you can guess) and a number combination I can remember that I change every six months - started out with 1.... won't tell you where I am now.

Posted by:

DoubleKSeaWA (Ken)
16 Feb 2011

I'm using LastPass (for about 5 months now) and am happy with it. It's great for organizing and upgrading my password format and styles. It's also helping me find sites I registered on and don't use.

As to the master password, (this is the only one I have to remember), yes; upper/lower case, digits/special characters, at least twelve characters plus I toss in a couple of ASCII characters. I'm just starting to convert to LastPass' encrypted passwords for minor sites. For my important sites, I generate an encrypted password then toss in a couple ASCII characters. ALL generated passwords are stored and locked on LastPass so I don't have to remember them. I change my master pw every two months and my minors less frequently.

For security question(s), one word, by my master password rules and the same question(s) everywhere. All this is actually pretty simple to maintain so I do maintain it.

Posted by:

Rob
16 Feb 2011

I'm wondering how many passwords for financial sites have actually been hacked by brute force techniques. My experience is that nearly all, if not all, of these sites lock your account after 3 or 4 attempts. The site may auto-unlock after a period of time or only by your calling and identifying yourself. Either way, wouldn't this make it extremely difficult for a brute-force attack to succeed, even with the weakest of passwords?

Posted by:

Richard Killey
16 Feb 2011

I use Roboform and 15 character passwords, using all 4 character types.

Posted by:

JcB
16 Feb 2011

I have been using KeePass for many years now (at least four, probably more). I highly recommend it. I like it because:
o it is portable (it can be carried on a USB stick and runs on Windows systems without being installed).
o it doesn't store anything on your system. The program doesn't create any new registry keys and it doesn't create any initialization files (INI) in your Windows directory.
It is available in two versions, KeePass 1.x which runs on Windows 98, 98SE, ME, NT, 2000, XP (Home & Pro, 32-bit & 64-bit), 2003, Vista and 7 without requiring any additional libraries and KeePass 2.x which requires .NET framework or Mono.
I use KeePass 1.x (currently 1.8) because I can keep it on a flash drive which I can take to the office or when I go on vacation and run it without needing any additional software or leaving any footprints. While the 2.x version has additional capabilities and is updated more frequently I opted for 1.8 because it is so very portable and requires no external libraries.
I recently installed a version of it on my Windows Mobile phone, so now I can have it with me even if I forget to bring my flash drive.

Posted by:

Bill Rubin
16 Feb 2011

I've used KeePass for many years. Password managers clearly improve security, compared with manual methods. However, there are still two weak links: The master password, and backups.

As you say, if you can remember your master password, it's too weak. And now your master password is guarding ALL your family jewels. With KeePass, I keep the master password in a file (a "keyfile") which lives only on a secure Sony Puppy fingerprint identity token, a USB flash drive locked by an on-board microprocessor. My fingerprint causes the microprocessor to unlock it. No attacks on or from the PC can unlock it.

If the USB device containing your encrypted password file is eaten by the dog, you've lost everything. That's why you need to back up the password file. Full disclosure: I'm the author of Another Backup Plugin for KeePass.

Posted by:

Mike
16 Feb 2011

Just recently I tried to access an online account and I couldn't remember the EXACT password. Two failed attempts and the account, itself, was permanently closed. I had to start all over again to create a new account. Some sites allow 3 or 4 failed attempts before locking the account from future attempts. So, brute force crackers are not the boogeyman. It's one thing to leave your "car keys" in plain sight, but quite another to hire a full contingent of highly trained commandos and layered vaults to protect your keys.

Contrary to what is being portrayed, bad guys are NOT sitting in county dumps sifting each piece of paper from among the coffee grounds and rotting leftovers to find some information. They're pretending to be the company asking you to verify your account info and password, and many are willingly giving it.

Posted by:

Peter
16 Feb 2011

howsecureismypassword.net is a (very safe) tool which tells you how long it would take to hack your password. Mine takes about 2 trillion years!

Posted by:

Cybrguy
16 Feb 2011

Really surprised you didn't include "Perfect Passwords" from Steve Gibson's site. https://www.grc.com/passwords.htm

(Jeeze, got a little scripting on this page?)
