Password Managers?

Wow, you log in to every site you use on the internet and change your passwords every 6 days? I’m gonna go ahead and call shenanigans right there, homie.

3 Likes

I only have like 6 logins. Not that hard to do. Takes like 12 minutes.

I literally only log into maybe 6 websites. The rest I just view without logging in. It’s not that hard.

Edit: I’m thinking of dropping it to 4 since I only really need a couple emails, and these forums. I don’t visit many of them anymore. Too much to do with my kids.

1 Like

Giving the benefit of the doubt, you realize you’re an extreme outlier and that wouldn’t work for anyone else, right?

Well, no. My mom had her bank account hacked back in the 90’s. So I got paranoid. It’s more out of habit now.

I realize my use case is relatively small. But I’ve learned to keep things simple. At 37, I’ve learned complicated isn’t always better.

But the way I do it makes me take a more active role in my security, which I like.

I used LastPass when I was the IT Manager for my old company a few years ago. I made all the users have it.

It isn’t perfect of course, they have had hacks, but overall they take their security very seriously.

I also use it personally.

1 Like

I use 1Password this way, mostly because I support macs and Apple shills love 1Password (extremely important or they won’t use it).

I do like it myself though. Easy to securely send people credentials and platform agnostic browser extension means Linux/BSD support.

I’m excited about the cli tool which is in beta. It should help me automate onboarding/offboarding users and deploying services.

You don’t need to do this. No one does.

2 Likes

He does.

2 Likes

No, I don’t. But it makes me feel better. So it’s what I do. Is it excessive? Yes. But it is what makes me feel safe.

I second KeePassXC and the whole ecosystem for that matter. At this point there are KeePass versions even for toasters.

@Eden I knew some folks in the IT field in the military and their password policy is nuts.

Something like it must be 20 characters or more, can’t contain a dictionary word, must be totally random, special chars, etc.

This would also change every 30 days.

What most of them do is memorize a complicated shape or pattern on the keyboard and then trace it out instead of raw memorization of the digits.

Which isn’t every 6 days. Password policy is dependent on the requirements of the system, and none exist that require changing a password every 6 days for the most sensitive systems out there.

That’s the only reason I mentioned there’s no need to do that. It’s a pointless waste of effort.

30 days is a waste too. What happens there is people write it down on a sticky note, or just increment a number on the end of the password. It’s less secure than letting them keep it longer.

Perhaps the military court-martials people for doing that stuff, but that’s how it works out in the real world.

I don’t change them unless I hear something has been compromised.

As ruffalo said

Is true and understanding how passwords are stored and reverse engineered is more important than changing them frequently.
Security is more of a measurement of time than a method or philosophy.

Using long, unique and random passwords for every login will give you the best possible chance of minimizing or eliminating hacked accounts. Essentially it will take longer than anyone wants to try, and it won’t work on any other account.
I would even say unique usernames are a good idea.

Here’s a bit on just how easy it is to brute force a password from a hash. Keep in mind the tendency to use known words, even sentences which are easy to break.

A password manager is still a single point of failure but with enough care it is worlds better than anything else.

Yes, I use unique IDs also. I own my own domains with catch-all email, so I typically sign up as [email protected]. I also use different names on forums and such too. I only call myself Ruffalo on these forums, nowhere else. I don’t even use this avatar elsewhere.

Of course you also need to use good passwords and not reuse them anywhere. But everybody knows that these days.

1 Like
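The two points made above, that a long random unique password is what makes guessing impractical and that it helps to understand how a site should be storing that password, can be shown together in a few lines of Python. This is an added example, not code from the thread or from any password manager; the 94-character alphabet, the 20-character default length, the PBKDF2 parameters and the guess rate passed to the estimate are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import math
import os
import secrets
import string

# Assumed alphabet: upper, lower, digits and ASCII punctuation (94 symbols).
# Real password managers let you pick; this mix is only illustrative.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (the `secrets` module).

    Each character is drawn independently, which is what makes the entropy
    figure below honest: no word lists, no patterns, nothing a dictionary
    attack can exploit.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def expected_years_to_guess(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the password at a given rate.

    On average the attacker searches half the keyspace, hence 2 ** (bits - 1).
    The guess rate is an assumption the caller supplies (it depends entirely
    on the hash function the site used), which is why storage matters.
    """
    seconds_per_year = 365 * 24 * 3600
    return (2 ** (bits - 1)) / guesses_per_second / seconds_per_year


def store_password(password: str, iterations: int = 600_000) -> dict:
    """How a site should keep a password: salted, slow KDF, never plaintext.

    PBKDF2-HMAC-SHA256 with a per-user random salt. The iteration count is an
    assumed value; its purpose is to make each guess expensive, which directly
    lowers the guesses_per_second an attacker can reach against the stored hash.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify_password(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw))
    print(f"password: {pw}  ({bits:.1f} bits)")
    # Assumed rates: a fast unsalted hash vs. a tuned PBKDF2 on the same hardware.
    for label, rate in (("fast hash", 1e10), ("PBKDF2 600k", 1e4)):
        print(f"{label:>12}: ~{expected_years_to_guess(bits, rate):.3g} years")
    rec = store_password(pw)
    print("verify:", verify_password(pw, rec), verify_password(pw + "x", rec))
```

The useful contrast is the two rates: the same 131-bit password is out of reach either way, but an 8-character lowercase password (about 37.6 bits) only survives when the site's storage makes each guess slow, which is the part of "how passwords are stored" that the user cannot control and the reason unique passwords per site matter.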

With Gmail at least, you can add a + to the email account and everything after it will be ignored. For instance [email protected] will go to [email protected]. This is helpful for unique login emails but also for email filters.

I’ll typically use a random noun for admin accounts on servers, as well as for their native hostname.

Yeah, the plus trick is good if you don’t own your domain.

Just be warned that not every site allows you to sign up using RFC-compliant addresses.

I used to use this method to identify which companies were selling their mailing lists, but I found that the worst ones would actually strip out those tags before selling it.

Which is why I switched to a unique address for each registration instead.

1 Like

Does KeePass have an Android client? I’m thinking of getting a password manager as I’m getting old and have too many bloody sites to log into.

Yes, there are a mess of them. Back when I was on Android I used KeePassDroid. It supports reading and writing both KeePass formats.

https://play.google.com/store/search?q=keepass

1 Like