Banned
163 Posts
Discussion Starter · #1 ·
Hi guys,

Recently I have moved to a new spot. My home network has always been controlled by my father. I'm finally in control of all the internet security etc., and it's got me thinking about secure passwords.

Up until now, I've been using made-up passwords. Recently, somehow, my bank details were compromised and some money was electronically stolen out of my account. I know there are a myriad of ways they can do this, but I have decided to change the way I manage passwords at home.

I'm comfortable saying that I no longer remember any of my passwords. I use a strong password generator with symbols, upper & lower case letters, numbers etc., up to 16 characters long, and use different passwords for every site.

Is there a better way to come up with passwords? I used the Diceware system in the past, but found this to be easier and less time consuming. I have also checked these passwords with various password checkers, which rate them as excellent.

I'm not asking about the safety rating of "forgetting" the passwords, because I have them stored offline in a location that is not on my home network. At the moment, most of my regularly accessed sites are on "remember me". I'm simply asking how adequate this method is for keeping all my passwords separate and my home safe & secure.

Thanks guys
 

Registered
925 Posts
I use the XKCD password generator quite often. It puts four random words together with spaces in between to make an easy to remember, but extremely long and almost impenetrable password. You can add a couple of symbols around the place to make it even stronger too.

E.G. when I went on the page the password "anyway truck eager major" was there, which is an easy to remember, but 24 character long password.

Hope this helps.
 

Banned
163 Posts
Discussion Starter · #3 ·
Quote:
Originally Posted by Tagkaman View Post

I use the XKCD password generator quite often. It puts four random words together with spaces in between to make an easy to remember, but extremely long and almost impenetrable password. You can add a couple of symbols around the place to make it even stronger too.

E.G. when I went on the page the password "anyway truck eager major"
was there, which is an easy to remember, but 24 character long password.

Hope this helps.
Hmm, that looks very interesting, thank you! The problem for me would be that some services don't allow passwords that long. Definitely useful information. If you don't mind my asking, do you use a password manager service or store them in another area? I've grown a bit suspicious and untrusting of password managers as of late.
 

Registered
925 Posts
I don't really use a password manager, but I have a page *somewhere in my house* with clues to all my passwords.
 

Registered
4,992 Posts
Quote:
Originally Posted by CurtTerror View Post

Hmm, that looks very interesting, thank you! The problem for me would be that some services don't allow passwords that long. Definitely useful information. If you don't mind my asking, do you use a password manager service or store them in another area? I've grown a bit suspicious and untrusting of password managers as of late.
Why are you suspicious of password managers?

It's pretty simple: if you trust your passwords to be stored securely encrypted online, use Lastpass. If you distrust the cloud, use Keepass.

Personally I use Lastpass; however, my email, bank and PayPal are not stored in the password manager, I have those memorized.

My biggest security risk is losing my laptop, and then Lastpass not logging out. You can manually set the number of times you want your file encrypted, so that if the Lastpass server gets hacked, it's logistically impossible that your file is decrypted.
 

Banned
163 Posts
Discussion Starter · #6 ·
Quote:
Originally Posted by .:hybrid:. View Post

Why are you suspicious of password managers?

It's pretty simple: if you trust your passwords to be stored securely encrypted online, use Lastpass. If you distrust the cloud, use Keepass.

Personally I use Lastpass; however, my email, bank and PayPal are not stored in the password manager, I have those memorized.

My biggest security risk is losing my laptop, and then Lastpass not logging out. You can manually set the number of times you want your file encrypted, so that if the Lastpass server gets hacked, it's logistically impossible that your file is decrypted.
I suppose suspicious is the wrong word, I'm actually considering going back to a password manager.

I was looking at using LastPass as I used 1Password before, but it seems to be more prominent on the Mac and I thought I'd try something different. Does Lastpass have the same sort of features, including a password generator etc.?

Yea, okay, thanks man, I'll have a look. Do you use a password generator in Lastpass to get passwords, or what? Is it secure?

Cheers
 

Registered
110 Posts
My passwords are never cracked because I change them so often. Lowlifes DDoS'ing and port scanning is the real problem with the way so many games have always-online features now. In the end, who cares about remembering passwords if you remember your secret questions?
 

Premium Member
8,041 Posts
Quote:
Originally Posted by Tagkaman View Post

I use the XKCD password generator quite often. It puts four random words together with spaces in between to make an easy to remember, but extremely long and almost impenetrable password. You can add a couple of symbols around the place to make it even stronger too.

E.G. when I went on the page the password "anyway truck eager major"
was there, which is an easy to remember, but 24 character long password.

Hope this helps.
That's less secure than the method he's already using as modern attacks use advanced dictionary cycles to crack passphrases. These dictionaries even take l33t / txt spk, memes and foreign words into account.

The only secure way to use memorable passwords is to have a generator that produces a base64 hash (the encoding doesn't really matter greatly, even just MD5 will do the trick) of the site name and a common passphrase. Thus you only have to remember one passphrase, but each and every site will have a 16+ character long mix of 64 symbols. All you need is access to the generator (plenty of them online), and as your password is created each time on the fly, you're not even storing your passwords (so you don't have to worry about losing your bit of paper, your PC being reformatted or password wallets being insecure).
 

Registered
894 Posts
You shouldn't even be using real words in your passwords. The best way to do it is to think of a phrase, for example "The very first car I owned was a 1998 Chevy Malibu". You then take the first letter of each word, so we have "T V F C I O W A C M". Then all you have to do is substitute in some numbers and symbols, and vary the capitalization (and I'll add on the car year for more numbers), so how about: [email protected] That's a pretty secure password because there are no dictionary words, but it's easy to remember because the phrase is personal to you and not randomly generated.
 

Premium Member
8,041 Posts
Quote:
Originally Posted by BiscuitHead View Post

You shouldn't even be using real words in your passwords. The best way to do it is to think of a phrase, for example "The very first car I owned was a 1998 Chevy Malibu". You then take the first letter of each word, so we have "T V F C I O W A C M". Then all you have to do is substitute in some numbers and symbols, and vary the capitalization (and I'll add on the car year for more numbers), so how about: [email protected] That's a pretty secure password because there are no dictionary words, but it's easy to remember because the phrase is personal to you and not randomly generated.
I think my method is easier to remember personally.
 

Banned
163 Posts
Discussion Starter · #13 ·
Quote:
Originally Posted by Plan9 View Post

That's less secure than the method he's already using as modern attacks use advanced dictionary cycles to crack passphrases. These dictionaries even take l33t / txt spk, memes and foreign words into account.

The only secure way to use memorable passwords is to have a generator that produces a base64 hash (the encoding doesn't really matter greatly, even just MD5 will do the trick) of the site name and a common passphrase. Thus you only have to remember one passphrase, but each and every site will have a 16+ character long mix of 64 symbols. All you need is access to the generator (plenty of them online), and as your password is created each time on the fly, you're not even storing your passwords (so you don't have to worry about losing your bit of paper, your PC being reformatted or password wallets being insecure).
So do you mean it will generate a site name followed by a password? What is a base64 hash, and what is MD5?

I've been using a password generator that uses JavaScript; is that not secure to generate 15+ passwords?

That's a good idea, so if you could explain it a bit more to me I could use that, perhaps with a link to a generator so I could see what you're talking about.

What is the best generator method for passwords, i.e. JavaScript based, or what?

Thanks heaps guys
 

Banned
163 Posts
Discussion Starter · #14 ·
Quote:
Originally Posted by BiscuitHead View Post

You shouldn't even be using real words in your passwords. The best way to do it is to think of a phrase, for example "The very first car I owned was a 1998 Chevy Malibu". You then take the first letter of each word, so we have "T V F C I O W A C M". Then all you have to do is substitute in some numbers and symbols, and vary the capitalization (and I'll add on the car year for more numbers), so how about: [email protected] That's a pretty secure password because there are no dictionary words, but it's easy to remember because the phrase is personal to you and not randomly generated.
I like this idea; however, I don't actually need to remember any of them at all, and it would become confusing to manage 20 different passphrases. It's similar to what I'm doing, although I don't have to come up with different passphrases, I just generate them securely. That's a really good idea and I believe I will recommend it to others who might like this method.
 

Premium Member
8,041 Posts
Quote:
Originally Posted by CurtTerror View Post

So do you mean it will generate a site name followed by a password? What is a base64 hash, and what is MD5?

I've been using a password generator that uses JavaScript; is that not secure to generate 15+ passwords?

That's a good idea, so if you could explain it a bit more to me I could use that, perhaps with a link to a generator so I could see what you're talking about.

What is the best generator method for passwords, i.e. JavaScript based, or what?

Thanks heaps guys
Yeah sorry, I didn't explain that all that well.

Say for arguments sake that I used the following for my OCN password: FrmYPkU2Co3sY0tsYXyiNg6hoCJ/JLvMwTmeeAltapc=

Basically that was generated from http://hash.online-convert.com/sha256-generator with the convert text as overclock.net and the 'secret key' (or salt, as it might also be referred to) as my secret.

You'll get the same result each time, and all you need to remember is your secret key / salt (my secret in this example).

There are other online generators, some of which offer you a variable character length (great for those idiot sites that have a maximum character length on passwords). It doesn't really matter what hashing / encryption routine you use, just so long as it produces alpha, numeric and a few symbols as output (base64 will do nicely).
 

Banned
163 Posts
Discussion Starter · #16 ·
Quote:
Originally Posted by Plan9 View Post

Yeah sorry, I didn't explain that all that well.

Say for arguments sake that I used the following for my OCN password: FrmYPkU2Co3sY0tsYXyiNg6hoCJ/JLvMwTmeeAltapc=

Basically that was generated from http://hash.online-convert.com/sha256-generator with the convert text as overclock.net and the 'secret key' (or salt, as it might also be referred to) as my secret.

You'll get the same result each time, and all you need to remember is your secret key / salt (my secret in this example).

There are other online generators, some of which offer you a variable character length (great for those idiot sites that have a maximum character length on passwords). It doesn't really matter what hashing / encryption routine you use, just so long as it produces alpha, numeric and a few symbols as output (base64 will do nicely).
Ah okay, so really it is quite similar to a password manager and all you need to do is remember one password / secret key. Then you type in your convert text and it will produce a base 64 encoded password?

What are the benefits of using base 64 encoding as opposed to a random password generator? I
 

Registered
1,698 Posts
Look into Lastpass + Yubikey. That's what I'm currently using for a 2 factor authentication for my online passwords. I also have my passwords stored in Truecrypt container as a "just in case" something were to happen to lastpass service or if it for some reason didn't match up.

https://www.yubico.com/products/yubikey-hardware/lastpass-yubikey/
 

Premium Member
8,041 Posts
Quote:
Originally Posted by CurtTerror View Post

Ah okay, so really it is quite similar to a password manager and all you need to do is remember one password / secret key. Then you type in your convert text and it will produce a base 64 encoded password?
It's not similar to a password manager because you're not actually storing any passwords.
Quote:
Originally Posted by CurtTerror View Post

What are the benefits of using base 64 encoding as opposed to a random password generator?
The two things are not mutually exclusive.

Base64 encoding is just the same as binary, decimal or hexadecimal, except instead of being values 0-1 (binary), 0-9 (decimal) or 0-15 (hexadecimal), it's values 0-59. As we don't have single character symbols for numbers above 9 (as human language has evolved from decimal), we borrow characters from the alphabet and other characters. So in hex, the characters A, B, C, D, E and F are 10, 11, 12, 13, 14, 15. With Base64, it's all the upper case alpha characters, lower case ones and some (but not many) non-alpha/numeric ASCII characters.

What this means in layman's terms is that anything encoded in base64 should comply with even the most strict of password policies (it's not quite as simple as that, as you could end up with a base64 number which is all just numbers, just like you can have hexadecimal numbers that don't have any letters in them; however, this method is a good place to start when looking for a memorable strict password).

Random password generators literally just come up with a random sequence of characters and numbers. You could run that output via base64 encoder if you really wanted, but it would be pointless.

The problem with using randomly generated passwords is that they're not memorable, so you need to record them somewhere. Which then means you can only access the secured post-login area if you have access to your passwords, and as they will likely be stored at home, it means you cannot log into stuff on your phone whilst visiting your grandma (for example), or quickly check your Gmails at work. With my method you can, as you just pump in the site name and your secret key / salt into an online generator.
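The site-name-plus-secret derivation Plan9 describes in post #15, and the Base64 policy-compliance caveat in this post, as an added Python example that is not code from the thread or from the hash.online-convert.com tool. The HMAC-SHA256 construction, the `www.` normalisation and the counter suffix are assumptions: the thread only says the tool hashes the site name together with a "secret key".

```python
import base64
import hashlib
import hmac
import string
from typing import Optional

SYMBOLS = "+/"  # the only non-alphanumeric characters standard Base64 can emit


def normalize_site(site: str) -> str:
    """Canonicalise the 'convert text' so a stray capital or a leading 'www.'
    does not silently derive a different password for the same site."""
    site = site.strip().lower()
    return site[4:] if site.startswith("www.") else site


def derive_site_password(site: str, secret: str, max_len: Optional[int] = None) -> str:
    """Base64(HMAC-SHA256(key=secret, msg=site)), optionally cut to max_len for
    sites that cap password length. HMAC is an assumption; the thread only says
    the online tool hashes the site name with a secret key.
    This is a single fast hash, so the memorised secret carries all of the
    security: anyone holding one derived password can test guesses of the
    secret offline at SHA-256 speed, so the secret must be a long passphrase."""
    mac = hmac.new(secret.encode("utf-8"), normalize_site(site).encode("utf-8"), hashlib.sha256)
    pw = base64.b64encode(mac.digest()).decode("ascii").rstrip("=")  # padding carries no entropy
    return pw if max_len is None else pw[:max_len]


def meets_policy(pw: str, min_len: int = 12) -> bool:
    """Strict-policy check: minimum length plus upper, lower, digit and symbol.
    Base64 output is not guaranteed to contain every class (the caveat made in
    the thread), so a derived password is checked rather than assumed compliant."""
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS)
    return len(pw) >= min_len and all(any(c in cls for c in pw) for cls in classes)


def derive_compliant_password(site: str, secret: str, max_len: Optional[int] = None,
                              tries: int = 32) -> str:
    """Re-derive with a small counter appended to the site name until the policy
    passes. The counter then has to be remembered alongside the site."""
    for n in range(tries):
        label = site if n == 0 else f"{site}#{n}"
        pw = derive_site_password(label, secret, max_len)
        if meets_policy(pw):
            return pw
    raise ValueError("no policy-compliant derivation within the allowed tries")


if __name__ == "__main__":
    # Constructed demo values, not anyone's real secret.
    print(derive_site_password("overclock.net", "my secret"))
    print(derive_compliant_password("overclock.net", "my secret", max_len=16))
```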
 

Banned
163 Posts
Discussion Starter · #19 ·
Quote:
Originally Posted by Plan9 View Post

It's not similar to a password manager because you're not actually storing any passwords.
The two things are not mutually exclusive.

Base64 encoding is just the same as binary, decimal or hexadecimal, except instead of being values 0-1 (binary), 0-9 (decimal) or 0-15 (hexadecimal), it's values 0-59. As we don't have single character symbols for numbers above 9 (as human language has evolved from decimal), we borrow characters from the alphabet and other characters. So in hex, the characters A, B, C, D, E and F are 10, 11, 12, 13, 14, 15. With Base64, it's all the upper case alpha characters, lower case ones and some (but not many) non-alpha/numeric ASCII characters.

What this means in layman's terms is that anything encoded in base64 should comply with even the most strict of password policies (it's not quite as simple as that, as you could end up with a base64 number which is all just numbers, just like you can have hexadecimal numbers that don't have any letters in them; however, this method is a good place to start when looking for a memorable strict password).

Random password generators literally just come up with a random sequence of characters and numbers. You could run that output via base64 encoder if you really wanted, but it would be pointless.

The problem with using randomly generated passwords is that they're not memorable, so you need to record them somewhere. Which then means you can only access the secured post-login area if you have access to your passwords, and as they will likely be stored at home, it means you cannot log into stuff on your phone whilst visiting your grandma (for example), or quickly check your Gmails at work. With my method you can, as you just pump in the site name and your secret key / salt into an online generator.
I understand a little bit better now I think.

I fail to see, though, why using base64 in order to encode something to produce passwords is any more effective than the method I'm already using. As I specified earlier, the key here is not to have "memorable passwords", and although your method offers an excellent way to do that using base64, I think it's less efficient than what I'm doing currently. I have no need to encode anything using base64, although I understand that it'd be much harder to lose passwords, as it could be something easily remembered and I could always re-encode it to get the password again. Anything I currently generate via a secure password generator already complies with any strict password requirements, and to start having to encode & I store the information offline in a secure location & in a password-protected file.

"Base64 encoding schemes are commonly used when there is a need to encode binary data that needs to be stored and transferred over media that are designed to deal with textual data (like HTTP). This is to ensure that the data remains intact without modification during transport."

There's no point for me in even trying to have "memorable passwords"; I literally have around 20 services I use frequently and trying to remember which I have used for which is a real hassle. I really appreciate your help and I can see I am beginning to frustrate you with my questions.
I don't have the same level of knowledge as yourself & I still don't understand where the "Post Secure Login" is that I'm supposed to access; I understand what it means. Nor can I find any base64 encoding application that I can use a secret key for. I realise this sounds incredibly stupid, but from your explanation of the way this password method is supposed to work, I am rendered obliviously confused!
 

Banned
163 Posts
Discussion Starter · #20 ·
I've actually been wanting to switch, which is why I had asked other users what they thought. I am going to store my pw's in an encrypted KeePass file; if I ever need to access passwords on my machines or mobile device, I'll sync the encrypted file via Dropbox.

Simple & secure. Keepass doesn't store your file in cloud storage though, so therein lies the danger and the benefit; Lastpass does, although I'm sure they are safe.
 