Slashdot Mirror


User: twitnutttt

twitnutttt's activity in the archive.

Stories
0
Comments
152

Comments · 152

  1. Re:PasswordSafe on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    I keep the Dropbox pwd in the PasswordSafe, just like all the rest. ;-)
    I use Dropbox just to sync the file; I wouldn't need to login there to access it in the event of a loss because I have other copies.

  2. Re:PasswordSafe on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    From Bruce Schneier today:
    https://www.schneier.com/crypt...

    There are two basic ways hackers can get at your e-mail and private documents. One way is to guess your password. That's how hackers got their hands on personal photos of celebrities from iCloud in 2014.

    How to protect yourself from this attack is pretty obvious. First, don't choose a guessable password. This is more than not using "password1" or "qwerty"; most easily memorizable passwords are guessable. My advice is to generate passwords you have to remember by using either the [Diceware password] scheme or the Schneier scheme, and to use large random passwords stored in a password manager for everything else.

    Second, turn on two-factor authentication where you can, like Google's 2-Step Verification. This adds another step besides just entering a password, such as having to type in a one-time code that's sent to your mobile phone. And third, don't reuse the same password on any sites you actually care about.

    You're not done, though. Hackers have accessed accounts by exploiting the "secret question" feature and resetting the password. That was how Sarah Palin's e-mail account was hacked in 2008. The problem with secret questions is that they're not very secret and not very random. My advice is to refuse to use those features. Type randomness into your keyboard, or choose a really random answer and store it in your password manager.

  3. Re:PasswordSafe on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    Just to update the discussion, on March 15, Bruce Schneier's newsletter contained a mention of the same advice described above:

    "First, don't choose a guessable password. This is more than not using 'password1' or 'qwerty'; most easily memorizable passwords are guessable. My advice is to generate passwords you have to remember by using either the XKCD scheme[*] or the Schneier scheme, and to use large random passwords stored in a password manager for everything else."
    https://www.schneier.com/crypt...

    * Note: The "XKCD scheme" is more of a vague concept than a true system and could be done in a way that results in a not-very-secure password. A more rigorous system based on the "XKCD scheme" is described by Diceware passwords: http://world.std.com/~reinhold...

  4. Re:PasswordSafe on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    Nice, how do you protect from disk failure/stolen phone?

    The beauty of a reputable password manager (e.g., PasswordSafe) is that the password database file is protected with strong encryption and a master password. Therefore the file can be copied many times and saved/shared anywhere, even publicly. You can back it up on USB sticks, cloud storage, even post it on a URL of a domain you own. I have many offline and online backups that I keep in various places in case of a data loss. (External hard drive backups, cloud backups, safe deposit box.)

    Also, as I noted, sync tools like Dropbox are very useful for keeping the current version of your password database file available on all your devices.

  5. Re:In your face Betteridge! on Slashdot Asks: Are Password Rules Bullshit? (codinghorror.com) · · Score: 2

    HAH! We were just talking about this on the Ask Slashdot thread about password generators.

    YES, password composition rules are bullshit!

    EVEN WORSE are websites that block you from pasting in your password. This again penalizes the ideal security model... you are pasting in a long and ridiculously hard to type random password from a password generator.

    ALSO BAD, websites that have short password length limits and/or can't support certain characters. All these require workarounds again for password generator users.

  6. Re:Should You Use Password Managers? on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    Small plug for PasswordSafe on this point... they include a keyboard that allows you to avoid putting the password ever on the clipboard for this reason.

  7. Re:PasswordSafe on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    http://world.std.com/~reinhold...
    "Entropy of 64.6 bits is breakable with a thousand or so PCs equipped with high-end graphics processors. (Criminal gangs with botnets of infected PCs can marshal such resources.)
    77.5 bits may be breakable by an organization with a very large budget, such as a large country's security agency."

    And, as someone else noted, this is based on TRUE RANDOMNESS. Everyone I referred to was using the opposite of a random generation scheme; they were describing a decidedly specific and NONRANDOM method for generating a password that *looked* random:

    https://treskal.com/kha/blog/2...
    How Much Entropy in That Password ::
    "This means that there are two ways to make a secure password: use a template the password crackers don’t know about (or don’t bother to try, because so few people use it for their passwords), or use any old template and feed it with enough random bits. The former strategy relies on outwitting smart people who spend much of their time coming up with better ways to crack passwords; the latter just takes more coin flips. It’s security by obscurity vs. real security."

  8. Re:PasswordSafe on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    Admittedly, 30 is overkill. =) But you know it's enough! And the beauty of a password manager is that it's no additional cost or effort or difficulty to generate a 72 character or 30 character password versus a 5 character one. You just click a button. And you never have to type it; you just paste.

  9. Re:PasswordSafe on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    That's because that very old advice is obsolete. The XKCD password scheme is considered dangerous by security experts.

    Thank you for the Schneier post. That was a very interesting read. I included the XKCD comic to explain the critique of pseudo-random password templates, and I noted that Schneier linked to an article that explained very eloquently the point I was trying to make about the weakness of using elaborate "templates" to generate random-seeming passwords:

    "This means that there are two ways to make a secure password: use a template the password crackers don’t know about (or don’t bother to try, because so few people use it for their passwords), or use any old template and feed it with enough random bits. The former strategy relies on outwitting smart people who spend much of their time coming up with better ways to crack passwords; the latter just takes more coin flips. It’s security by obscurity vs. real security."

    Then, Schneier recommended the use of his own tool PasswordSafe to generate random passwords, as did I. So far, we are on the same page. =)

    Finally, though, there is the question of how to generate a good, secure master password for your password manager. Note that I did not include XKCD in order to recommend their passphrase generation method! (This is the method that Schneier criticized.) Instead, I included a link to an article about Diceware passwords. Diceware uses the philosophy just described in the snippet above, whereby even if the attacker knows you used it, there is still too much guaranteed entropy for them to successfully attack it.

    For metrics on the *lower bound entropy* (thanks, Schneier) of Diceware, here is a link:
    http://world.std.com/~reinhold...

    "A five-word Diceware passphrase has an entropy of at least 64.6 bits; six words have 77.5 bits, seven words 90.4 bits, eight words 103 bits. (Four words only provide 51.6 bits, about the same as an 8 character password made up of random ASCII characters. Both are breakable in less than a day with two dozen graphics processors.) Inserting one extra letter at random adds about 10 bits of entropy. Here is a rough idea of how much protection various lengths provide, based on updated estimates by A.K. Lenstra (See www.keylength.com). Needless to say, projections for the far future have the most uncertainty.

            Five words are breakable with a thousand or so PCs equipped with high-end graphics processors. (Criminal gangs with botnets of infected PCs can marshal such resources.)

            Six words may be breakable by an organization with a very large budget, such as a large country's security agency.

            Seven words and longer are unbreakable with any known technology, but may be within the range of large organizations by around 2030.

            Eight words should be completely secure through 2050."
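
The entropy figures quoted in the comment above follow from one number: the Diceware list has 6^5 = 7776 entries, so each word contributes log2(7776), about 12.9 bits, even when the attacker knows the list and the word count. The script below, an added example that is not from the Diceware page, Schneier, or any comment here, reproduces those figures and turns a bit count into an expected search time. The guess rate is an assumption derived from the quoted "51.6 bits in under a day on two dozen GPUs" claim; real rates depend entirely on how the secret is hashed or key-stretched, so treat the times as relative, not absolute.

```python
import math

# Diceware draws each word uniformly from a list of 6**5 = 7776 entries (five
# dice rolls). An attacker who knows the template still has to enumerate 7776
# choices per word, so the entropy is log2(7776) per word whatever the words are.
DICEWARE_LIST_SIZE = 6 ** 5
PRINTABLE_ASCII = 95  # 0x20..0x7E, the alphabet behind "8 random ASCII characters"


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of `symbols` independent, uniform picks from `choices_per_symbol`."""
    return symbols * math.log2(choices_per_symbol)


def diceware_entropy(words: int) -> float:
    """Lower bound for a Diceware passphrase: list and word count both known."""
    return entropy_bits(DICEWARE_LIST_SIZE, words)


def words_needed(target_bits: float) -> int:
    """Smallest Diceware word count that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(DICEWARE_LIST_SIZE))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Exhaustive search over a known template succeeds after trying half the
    keyspace on average."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def implied_guess_rate(bits: float, seconds: float) -> float:
    """Guess rate needed to exhaust half of a 2**bits keyspace in `seconds`."""
    return (2.0 ** bits) / 2.0 / seconds


def seconds_to_human(seconds: float) -> str:
    year = 365.25 * 24 * 3600
    if seconds < 3600:
        return f"{seconds:.0f} s"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


if __name__ == "__main__":
    # Assumed rate: what "8 random ASCII chars in under a day on two dozen GPUs"
    # implies, then scaled to the quoted "thousand or so" GPU PCs. Illustrative
    # figures, not measurements; a slow KDF on the manager file cuts them by orders
    # of magnitude.
    per_24_gpu = implied_guess_rate(entropy_bits(PRINTABLE_ASCII, 8), 86400)
    botnet = per_24_gpu * (1000 / 24)
    print(f"implied rate, 24 GPUs: {per_24_gpu:.2e} guesses/s; 1000 PCs: {botnet:.2e}")
    for words in range(4, 9):
        bits = diceware_entropy(words)
        eta = seconds_to_human(expected_crack_seconds(bits, botnet))
        print(f"{words} words: {bits:5.1f} bits, ~{eta} at the 1000-PC rate")
    print(f"8 random ASCII chars: {entropy_bits(PRINTABLE_ASCII, 8):.1f} bits")
    print(f"words needed for 100 bits: {words_needed(100)}")
```

The point the comment makes about templates falls out of the same arithmetic: a password built by a rule (first letters of a sentence, a site-name permutation) is worth the entropy of the rule's inputs, not its length times the alphabet size, so only the uniform-pick case above can be bounded from below.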

  10. Re:large random strings? on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    Not random... permuted off a common root structure.
    I should have been clearer, meaning these schemes "look" random at a glance.

  11. Re:Encrypted File, Encrypted USB on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    This is interesting to me because of the addition of the hash process. Otherwise, since you must reasonably assume eventually some of your passwords will be compromised in plaintext, your homegrown password generation routine would be relatively trivial to solve for anyone targeting you individually.

  12. Re:Should You Use Password Managers? on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    Yes. Very good context to add to the discussion.
    Passwords are only one layer of the overall picture. Password managers are an excellent solution to operate securely *at that layer*.
    But in the larger context, there are still huge vulnerabilities.

  13. Re:Should You Use Password Managers? on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    Yes, and not only is the clipboard at risk, but the entire decrypted contents of your password manager are in RAM at some point.
    If your platform isn't secure, your passwords aren't. PERIOD

    BTW. Use full disk encryption. Practice safe computing. Hope you aren't targeted by a nation state.

  14. Re:PasswordSafe on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    I can totally understand that sentiment.
    And yet the idea behind the strong encryption used to secure the psafe3 file is that, as long as your passphrase to secure it is strong, this file is as good as worthless even to someone who has physical access to it.

  15. Re:PasswordSafe on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    I wonder about the desktops and phones being subject to swap reads. At some level the plain text will be in memory

    Absolutely!
    I didn't mention it, but full disk encryption is employed on all my devices.
    Security requires a consideration at all layers. You are correct.

  16. Re:PasswordSafe on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    Such [Diceware] passphrases are EXTREMELY weak. The words are easily predictable (just use a few different language dictionaries, and the usual uppercase/lowercase/substitution combos) and concatenating several of them doesn't increase the amount of entropy enough to resist brute force attacks on a cheap GPU.

    I provided references you can review regarding the security of Diceware passwords. Do you have any references to share for your "alternate" facts?

    Salting negates [the rainbow tables] threat.

    Very true. Now you just have to make sure all of the 100s of sites you log into know this and employ strong hashing and salting procedures.
    As LinkedIn proved, you cannot rely on even large, "reputable" companies to employ even a modicum of secure password storage, sadly.
    Therefore, if you want to be secure, you must plan that individual site passwords will eventually be compromised due to bad website coding.
    In addition, there are myriad other attacks against websites that will inevitably lead to some passwords you use being compromised in plaintext.

    AND, even if you managed to memorize all this, it's a goddam PAIN IN THE ASS to type these passwords in, especially on phones.

    Any half way good password manager will copy them for you. Keepass on Windows and Android does, for example, and it's implemented in a secure way.

    We are 100% in agreement here, and that's exactly what I was advocating. (So, I think you misread me.)

  17. Re:PasswordSafe on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    Totally agree!
    I am consistently pissed off by these few websites that think they are HELPING security by preventing you from pasting into the password field. In other words, they are preventing you from using the most secure password scheme out there... a super long, random password that you don't ever type or memorize but paste in from a tool.

    Well, in every system there are exceptions. And unfortunately, for these few sites, you are stuck using a shorter, less secure password so you can type it in. oh well

  18. Re:PasswordSafe on Ask Slashdot: Should You Use Password Managers? · · Score: 2

    Thanks for filling in a few details I left out, guys. :)

    Yes, individual sites with poor password support are a problem (short max length, or not allowing special characters). In response, PasswordSafe (or similar quality tools) allow you to override the password generator policy for a particular site to have a particular length and require or exclude certain character classes.

    I totally forgot to mention the notes field! Yes, you should use it to store the secret questions and answers required for some sites. AND, use the password generator feature to generate random answers to these questions. These should be thought of as just additional passwords. DON'T USE REAL ANSWERS TO REAL QUESTIONS! And the length policy should be extra long because these answers are usually not case sensitive.
    For example: "What was my first pet?" Answer: klihyrseet4rslchvlajyt2565zfx trdrzoij nxvk52juzhf ygvzhxdjvw 34ncolsd2k jlgcda52sufiogxciuyfu

  19. Re:PasswordSafe on Ask Slashdot: Should You Use Password Managers? · · Score: 5, Informative

    Having just read through these comments, my forehead hurts from banging it against the wall and I had better flesh this explanation out a bit more...

    First of all, I'm amazed NO ONE mentioned the classic xkcd comic on memorized random password security: https://xkcd.com/936/

    Second, forget about it all you people with your **genius** schemes for generating unique 8-11 character passwords. Congratulations, you've just been hacked. Look up rainbow tables, people!

    You are all reinventing square and pentagonal wheels here. It's not working against the threat profile you face, and it's a pain in the ass for you compared to the painless solution that is already out there and explained if you just knew about it...

    OK, so here is the true situation you face if you actually want to be secure:
    1) You have hundreds of passwords to store.
    2) Each one better be 25+ characters of RANDOM data. Otherwise, you face a very realistic threat from brute force / rainbow tables cracking you in trivial amounts of time now or in the near future.
    3) You better not be reusing any of them anywhere, cause, you know, hacking.
          3a) If you use a standard root and "permute" it, you are relatively safer until one of your sites storing it in cleartext gets revealed, and then guess what, literally *everyone* uses the first character or two of the site name, or one or two letters more than the first characters to permute. So if you are ever an actual individual target as opposed to a mass script kiddie attack, you're toast. I know, and you thought you were so clever!

    AND, even if you managed to memorize all this, it's a goddam PAIN IN THE ASS to type these passwords in, especially on phones.

    Here is a solution that is 1) easier to remember, 2) faster to access your websites and login, and 3) order of orders of magnitude more secure:

    Steps:
    1) Generate a SINGLE 6-7 word diceware PASSPHRASE. https://theintercept.com/2015/...
    2) Memorize it. This should take you all of two minutes.
    3) Download passwordsafe or keepass or another trusted OFFLINE password manager. I'm not going to press my personal preferences here. But it should have an automatic password generator feature.
    4) Lock the password manager with your diceware passphrase and start generating 30+ character random, unique passwords for each site you use.

    If you have a good tool (I use passwordsafe), you can store the URL, username, and password and with a combination of 3 hotkeys open any website, and login in under 2 seconds for any of the hundreds of TRULY SECURE passwords you store.

    You can sync the encrypted pwd manager file to your mobile and other devices and access from there with equal security.

    And a passphrase with all lower case letters to unlock your pwd manager is even faster to type on a computer or phone than a single one of these insecure, short, alpha-symbol-numeric jokes people are advocating the genius of here.

    OK. Now you know. So spread the word and forget all this elaborate security theater nonsense.
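
The procedure in the comment above (a memorized Diceware passphrase unlocking an offline manager that generates long random per-site passwords), together with the per-site policy override and random security-question answers mentioned in comment 18, as an added example. It is not PasswordSafe's or KeePass's code and not from any post here. The 36-word list is constructed for the example so it runs offline; the real Diceware list has 7776 words keyed by five dice, and the same lookup code handles it because 36 = 6^2 is indexed by two dice exactly as 7776 = 6^5 is by five. Entropy is computed from the list actually used, so the demo list reports correspondingly fewer bits. All randomness comes from `secrets` (the OS CSPRNG), never from `random`.

```python
import math
import secrets
import string

# Constructed 36-word stand-in for the real 7776-word Diceware list.
DEMO_WORDLIST = [
    "acid", "bark", "cave", "dusk", "echo", "fern", "gate", "haze", "iris",
    "jade", "kelp", "lamp", "moss", "nest", "oath", "pine", "quay", "reed",
    "sail", "tusk", "urge", "vine", "wasp", "yarn", "zinc", "arch", "bolt",
    "clay", "drum", "flax", "gust", "hoop", "inch", "jolt", "knot", "loom",
]


def dice_key_to_index(key: str) -> int:
    """Map a Diceware key such as '31452' to a 0-based list index (base 6)."""
    index = 0
    for digit in key:
        if digit not in "123456":
            raise ValueError("dice rolls are 1-6")
        index = index * 6 + (int(digit) - 1)
    return index


def roll_key(dice: int) -> str:
    """Roll `dice` fair dice with the OS CSPRNG and return the key string."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(dice))


def diceware_passphrase(wordlist, words=6):
    """Return (passphrase, entropy_bits). The bound is words * log2(len(list)):
    it depends only on how the words were picked, not on which came up."""
    dice = round(math.log(len(wordlist), 6))
    if 6 ** dice != len(wordlist):
        raise ValueError("wordlist size must be a power of 6 for dice lookup")
    chosen = [wordlist[dice_key_to_index(roll_key(dice))] for _ in range(words)]
    return " ".join(chosen), words * math.log2(len(wordlist))


CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALL_CLASSES = ("lower", "upper", "digit", "symbol")


def _policy_alphabet(allowed, exclude):
    """Per-class character sets after removing `exclude`; refuse an empty class
    so the generator below cannot spin forever on an unsatisfiable policy."""
    classes = {n: [c for c in CHAR_CLASSES[n] if c not in exclude] for n in allowed}
    if any(not chars for chars in classes.values()):
        raise ValueError("exclude removed an entire allowed class")
    return classes


def generate_site_password(length=30, allowed=ALL_CLASSES, exclude=""):
    """Uniform random password over the allowed classes with every class present
    at least once. `allowed` is the per-site override (drop "symbol" for a site
    that rejects special characters); `exclude` drops characters a site mangles.
    Rejection sampling keeps the result uniform over policy-compliant strings."""
    classes = _policy_alphabet(allowed, exclude)
    if length < len(allowed):
        raise ValueError("length too short to contain every allowed class")
    alphabet = "".join("".join(chars) for chars in classes.values())
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in classes[n] for c in pw) for n in allowed):
            return pw


def password_entropy_bits(length=30, allowed=ALL_CLASSES, exclude=""):
    """length * log2(alphabet); the must-contain rule costs a negligible fraction."""
    alphabet_size = sum(len(v) for v in _policy_alphabet(allowed, exclude).values())
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    phrase, bits = diceware_passphrase(DEMO_WORDLIST, words=6)
    print(f"master passphrase: {phrase!r} ({bits:.1f} bits with the 36-word demo list)")
    print("site password, 30 chars, all classes:", generate_site_password())
    print("legacy site, 16 chars, no symbols:   ",
          generate_site_password(16, allowed=("lower", "upper", "digit")))
    # Security answers are usually case-insensitive, so go long and skip case.
    print("security-question answer, 60 chars:  ",
          generate_site_password(60, allowed=("lower", "digit")))
```

With the real list, `diceware_passphrase(wordlist, 6)` reports the 77.5 bits quoted earlier in the thread, and a 30-character password over all four classes is about 197 bits, which is why the comment can say the per-site passwords are not the weak link.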

  20. Re:No Need on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    Use a passphrase made up of the first letter from a phrase, such as: MGai4meO... is "My Gmail account is for my eyes only" (the periods are simply extra fluff which add to the complexity)

    And congratulations, your high "complexity" 11 character password has just been solved by a rainbow table in less than 3 seconds.

    Actually using the phrase instead you would have been literally a million times safer.

  21. Re:large random strings? on Ask Slashdot: Should You Use Password Managers? · · Score: 1

    Finally! Other people doing security right!

    I have 1,200+ passwords in PasswordSafe. Each one is generally 25 (for the oldest) or more characters randomly generated by password safe itself. URL is stored for each one so that with three hotkeys, I have opened the website and pasted the username and password in under 2 seconds.
    The passwordsafe itself is secured with a 6-7 word diceware passphrase.
    Can be synced to my android device which has a password safe port, including a keyboard integration that keeps the password off the clipboard memory.

    I am shocked by the number of slashdot users who think an 8, 12, or 16 character random password or one they permuted off a common root structure is secure.

    Bush league psyche out shit, man. Hah! Laughable!

  22. Re:Pick a patrern for your passwords on Ask Slashdot: Should You Use Password Managers? · · Score: 2

    See above comment.
    You have a totally solid ILLUSION of security going here. ;-)

  23. Re:Pick a patrern for your passwords on Ask Slashdot: Should You Use Password Managers? · · Score: 1, Interesting

    99% of the time it ends up nowhere near a dictionary word and they are all 8+ characters long.

    And they're all a fucking joke to crack in 3 seconds!
    Seriously, the comments of people here who have these complex schemes but don't understand their "genius" password is going to be cracked by a rainbow table, not brute force.
    You need to just use a combination of diceware passphrases (truly long enough to avoid guessing, we're talking 30+ characters here) to unlock a trusted, non-service-based password manager app that generates unique and ridiculously long and impossible to even want to try to remember passwords.
    So much simpler than your mental gymnastics and ACTUALLY SECURE.

  24. Re:PasswordSafe on Ask Slashdot: Should You Use Password Managers? · · Score: 3, Informative

    Also DICEWARE!
    Any passwords you are remembering or entering manually, use passphrase generators instead of making up some wonky hard to type and remember system for yourself that is orders of magnitude less secure than easy to quickly enter and very secure strings of dictionary words.

  25. PasswordSafe on Ask Slashdot: Should You Use Password Managers? · · Score: 5, Informative

    I am surprised no one has endorsed PasswordSafe yet! Written originally by Bruce Schneier, open source, and ported to Android which lets me sync my pwd database files between devices via Dropbox. I've been using it for years and plan to continue.

    Since starting to use it on my mobile, I've segregated my database a bit to prevent a total breach in case my phone were compromised. I have my "lower security" internet website passwords that I need on the go in one file. And I have my financial passwords (which also stores account and credit card numbers that I might need in an emergency) in another file. And then on my PC there is a master file that has all these plus a ton of other accounts I've collected over the years but don't see the need to take on the road in my phone. Each database has a different unlock password, and those are all I have to remember.