What do you guys do to remember all your passwords?

FTFY


By unattached from a system do you just mean you carry it with you? That's actually a pretty decent idea. I could just throw it on my keys and make some backups for if it dies/I lose it.

I keep it at home actually. I don't sign in too much while I'm out and about being a student, but if I do it's something I've either memorized or have saved on my Google account, which I have the password for memorized. I would carry it if I needed to sign in more though.

Do you know how safe Google's saved passwords are? Obviously if your Google account gets compromised you're screwed, but are Chrome's saved passwords well encrypted?

I know if there is malware on the machine you're logging into, the passwords saved by your Google account can be stolen, which is why I only use this for things that are of minimal importance to me. I also don't haphazardly log into every computer I find in public and then use that to log into every other thing I have. My Google account is also very well protected. It has a password unique to that account which is 20+ characters, filled with weird characters and symbols. That account also has 2-factor, and my phone has the thing that allows me to authorize and de-authorize computers signed into my account.

I have a certain number of passwords that I change from time to time. The simplest and easiest ones are for non-critical and unimportant accounts, and I got unique ones of 20+ characters, following the xkcd thing, for critical accounts (such as emails, which are also protected by second-degree identification).

put them all on lastpass.com for hackers to steal :D

I sometimes use passwords sort of like this: "^HYN&JUM8ki,9lo." without quotes. It looks complicated but it is actually pretty simple. The first half is with caps, the last half is without. If you type that out yourself and watch the buttons you press, you can see that it's just a pattern. The pattern itself is extremely easy to remember compared to the actual content of the password. I have no idea if my comment makes sense.

I just use Lastpass to store my passwords. I do remember a few passwords for accounts I use very often and have personal info inside. I may try keepass if I want an offline solution but so far Lastpass is very convenient for me.

I am a total convert to KeepassX. The auto-type feature is awesome. On my last password cycle I converted all my passwords (35+) to 26-character beasts with all specials. No beating my hashed P@ssw0rd. If a website gets hacked, the passwords don't match other online accounts, so no cross hacking; and because KeepassX has a random generator I can roll the dice to get a new one.

My local database password is somewhat of a salted passphrase. I back up the database and passwords in plain text to an encrypted USB that I regularly update. There might be a chance I can't read my handwriting later on.

If you are specifically targeted, you're outright fucked. So no point in worrying.

*no cloud stored passwords here.

Same base password with modifiers based on the website.

This is an example (not my way of doing it specifically).

Base phrase: Waffles are delicious.

How many vowels are there in the website name? If odd, swap vowels for numbers. If even, swap consonants for symbols.

Things like that. It's a rule set you remember, then just figure out your password for it each time until you remember it.

Did you even watch the video? A dictionary attack beats it quick.

Please watch. This basically means that the human language is no good for password creation.

The guy above has 4 Titans; think what a "foreign" supercomputer can do.
This was in 2012.


You know, you could read my post before assuming I didn't watch your video.

As in, the base phrase Waffles are delicious. would become something like W8ffl0s 5r1 d7l0c433s. Or...

Waffles are delicious. becomes @a{}\e- a%e %e\i^iou_.

The real power comes with multiple rule sets. Meaning, you don't just do the above. You then apply another rule like "the number of letters with curves in the URL decides a hash appended to the above password." which in the "if even" situation would turn @a{}\e- a%e %e\i^iou_. into @a{}\e- a%e %e\i^iou_. c6567fe8. i.e. forums.level1techs.com has 16 letters that have curves in the URL, so we take the first 8 digits of the md5 short of that URL and append it.

Again, these are just examples. I wasn't suggesting direct substitution.

A single rule (like direct substitution) is very weak. Multiple rules layered is not. Especially when they aren't that simple.

If I had those rules, GLHF figuring out my password with just basic dictionaries and simple rules.

It's also probably a lot more secure to use things from other languages that you have interests in. English and Chinese are the most generally spoken languages, so they should be the last ones we use for passwords.

Each rule makes it exponentially more complex to get your password.

The purpose in using a base phrase rather than just randomly generating your password? You're more likely to remember the password. It will act as a trigger for that memory. Not guaranteed, but better than a completely random one.

Length is king though. As always.
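The rule-based derivation described in the post above, written out as added example code (not from the post or the forum): it applies the vowel-count rule and the md5 tag rule, then compares the search space an attacker faces once the rules are known against a random KeepassX-style password. The substitution tables, the curved-letter set, the site-name extraction and the phrase counts are constructed assumptions, so the tag for forums.level1techs.com will not match the one in the post.

```python
import hashlib
import math

# Constructed tables: the post gives ad-hoc examples, not fixed mappings.
VOWELS = set("aeiou")
VOWEL_TO_DIGIT = {"a": "4", "e": "3", "i": "1", "o": "0", "u": "7"}
CONSONANT_SYMBOLS = "@#$%^&*-_=+{}[]\\/<>~"   # 20 symbols, indexed a..z
CURVED_LETTERS = set("abcdegjopqrsu")         # assumed "letters with curves"

def substitute(base: str, site: str) -> str:
    """Rule 1: odd vowel count in the site name swaps vowels for digits,
    even swaps consonants for symbols (case is dropped on swapped letters)."""
    odd = sum(ch in VOWELS for ch in site.lower()) % 2 == 1
    out = []
    for ch in base:
        low = ch.lower()
        if odd and low in VOWEL_TO_DIGIT:
            out.append(VOWEL_TO_DIGIT[low])
        elif not odd and low.isalpha() and low not in VOWELS:
            out.append(CONSONANT_SYMBOLS[(ord(low) - ord("a")) % 20])
        else:
            out.append(ch)
    return "".join(out)

def url_tag(url: str) -> str:
    """Rule 2: even number of curved letters in the URL appends a space and
    the first 8 hex digits of md5(url); odd appends nothing."""
    if sum(ch in CURVED_LETTERS for ch in url.lower()) % 2 == 0:
        return " " + hashlib.md5(url.encode()).hexdigest()[:8]
    return ""

def derive_password(base: str, url: str) -> str:
    # Assumed "website name": the label left of the TLD, e.g. "level1techs".
    site = url.split(".")[-2] if "." in url else url
    return substitute(base, site) + url_tag(url)

def attacker_bits(n_base_phrases: int, n_rule_variants: int) -> float:
    """Search space once the rules are known (e.g. from one recovered
    password): guess the phrase and rule variant, not the output characters."""
    return math.log2(n_base_phrases * n_rule_variants)

def random_bits(length: int, pool: int = 94) -> float:
    """Search space of a KeepassX-style random password over printable ASCII."""
    return length * math.log2(pool)
```

The comparison is the point: a million-phrase dictionary times a handful of rule variants is about 22 bits of work for someone who knows the rules, while 26 random printable characters is over 160 bits.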

The nuclear launch codes aren't contained in my emails. I don't think I need to be quite so worried as to go to those kinds of lengths.

But would you use a password manager then?

People look at the rules and assume it's effort. It's only effort if you make it effort.

You can use a password manager. Just produce the passwords yourself so you're more likely to remember them. That's the idea behind it.

If you auto-generate passwords and lose access to the database/list somehow, you're basically SoL unless your recovery email passwords are separate (which they probably should be anyway).

All my passwords are the same.

Or are they???????

I'm honestly not sure. I created this thread in an effort to get me thinking about security and password managers. I'm sort of in the midst of upgrading my tech lifestyle to better reflect my opinions on the topics of security, encryption, data tracking, etc.


I have a usb backup duct taped to my back, all the time.


Using a text file which is then inside a TrueCrypt file.

Considering making an ownCloud/Nextcloud DIY server this year.