It seems like a very common topic. Passwords. As we are currently in the wake of yet another password breach, this time encompassing over 5 million Gmail passwords, it seems like no matter what you do, your password can and will be stolen. What should you do if you are a victim or simply want to see if your password was one of the compromised? Furthermore, how can you pick a safe password?
Check out this list of 6 things to NOT do when choosing or managing your passwords.
1. Use those websites that you type in your password to check if it was one of the compromised ones. Seriously, don’t do it! Can you really trust these websites and what’s the use? If you think for a second that you could be one of the victims CHANGE YOUR PASSWORD.
2. Not using two-factor authentication. Turn on two-factor authentication whenever it’s offered. I know that it can be a pain, but it will help keep your online accounts safer. If for any reason your password is hacked, someone won’t be able to login to your account without the 2nd authentication.
3. Be lazy. If any of these most common passwords are yours, change them NOW.
- 123456
- 123456789
- password
- admin
- 12345678
- qwerty
- 1234567
- 111111
- photoshop
- 123123
- 1234567890
- 000000
- abc123
- 1234
- adobe1
- macromedia
- azerty
- iloveyou
- aaaaaa
- 654321
4. Choose a password that is related to anything that has special meaning to you, ie: your pets name, birthday, address, family members names, etc. We know, we know, it’s easy to remember though! But, these things are easy to find out about a person with a quick search on Google and should not be used for passwords.
5. Not using a string of random words, as suggested by xkcd. A string of random words may seem hard to remember, but this cartoon illustrates how it is actually way easy.
6. Not using a a password manager like Keepass, Lastpass, or 1Password. Once you have your super secure, hard to remember password, it’s just that, HARD TO REMEMBER. These password management programs will help you manage your passwords securely. With most, your passwords are stored behind a master password. You only need to remember one password to access the rest. These programs will even generate safe passwords for you to use.
What tricks to do you use when choosing and creating passwords AND keeping them safe? Was one of your passwords on the most common list?
Have something to add to this story? Share it in the comments.
For those more technically advantaged users you can create your own secure password manager, which is what I have done. It’s not complicated, just lookup the cryptography functions built into your favourite programming language (in my case I use crypt() in PHP.. crypt($inputStr, ‘$1$’.$something_secret_here.$salt.’$’); )…. do a bit of searching for tips and you can easily build a system that accepts a string plus a seed and outputs a very long complex password based on these.
The point being you can create very easy to remember passwords, use the service’s web domain as the seed and so long as you keep your sourcecode secure you can trust that your cryptographically generated passwords of 30+ characters are secure on the sites, different for every site you use and also memorable so long as you have access to your password generating system that you have created.
It’s worth doing if you can.
The biggest mistake in my opinion is using the same password again and again. A lot of people do that. Some even register at a website with an email address and the password for the email itself!
We are using Keepass with a really, really strong passphrase since years for all our Login Data.
And if you install the plugin “keepasshttp” for Keepass and in your Internetbrowser chromeIPass (Google Chrome browser) or PassIfox (Mozilla Firefox) it gets even more convenient as the Login Fields are filled without a single click when visiting a site (and Keepass open of course).
Use KeePass? That’s your advice? Not good.
I use KeePass, but I would not recommend anyone rely on it. What if your computer crashes, or you lose your flash drive, and your passwords are lost forever? Then what?
I know, you can reset every password that you have, and you can call your financial institutions and have then reset stuff for you, etc, but that will literally be hours of work, and even still, people forget their security questions and answers (maybe they put them into KeePass as well for safe keeping) and people might be locked out forever. No, relying on KeePass is not a good idea. It’s good to use, it’s a good backup, but really bad to rely on.
It seems to me that Keepass and other similar sites are a natural target for hackers that want to steal passwords!
Am I missing something?
I admit I don’t do everything recommended, and even do some things that are not recommended. But here’s what I do:
I have all my passwords saved in a Notepad file (none of them are real words). The notepad file is within an obscurely-named encrypted ZIP file in an obscurely named folder on my hard drive, so no one will know what it is if they even find it. The password for the ZIP file is nothing like a real word, so a dictionary attack will never find the password. The password is a combination of letters and numbers. So, if I can’t remember a particular password, I open the ZIP file, open the Notepad file, and look up the password. Let’s hope I don’t forget the ZIP file password!
I just don’t trust any of the password-keeper programs to not have some kind of back door. I may try the cryptography mentioned above by George.
@Balta Yes, you are missing something. You can’t steal passwords from the keepass website or the source code. Passwords are create by users on their own machines using the keepass program and then stored in an encrypted, portable database. Also, if you are willing to trust that your information is secure when you see a verified https website domain, then you should be able to trust keepass since both keepass and the program that creates and runs the https encryption (OpenSSL) have equally public source code.
@Randy I solved that issue by using Dropbox to store my database so I can download it or update it anywhere I have a internet connection and never worry about it disappearing. So I personally would and do recommend Keepass to friends and strangers.
ALIA password manager takes care of the problem. I designed it to be Very easy to use. Free version only as of this writing. Copy it to a USB stick and carry it around with you. Yep it’s a portable app.
I solve the problems you outlined by having not 1, not 2, not 3, not 4, but 5 backups of my KeePass Password Safe database in different physical locations, making sure I manually re-backup the latest database file every once in a while because I do not (and should not) trust the cloud to keep all my eggs in one basket, in sync.
I have one main database file and all others are copies. This means when it’s time to re-backup, all I have to do is get rid of the other 4 and copy the latest over.
However, there is a catch. I once read about the database becoming corrupt for no apparent reason (or for a reason). As such, I always take that into account. Before removing the older KeePass database backup files, I:
1- Close the latest one and re-open it making sure there is no “database corrupt” error upon entering the master password.
2- Delete the outdated backups, keeping only one just in case the copy process failed therefore rendering the file corrupt.
3- Propagate (copy/paste) the updated database file to the remaining 4 physical locations.
4- Open the database file in all 4 locations checking that there are no “database corrupted” errors.
5- Pray that people stop uploading their KeePass database files to DropBox and other cloud services, even if the database file is well-encrypted. It’s a password database and it’s not supposed to be on the Internet.
Cheers!
You really advice people to use 2Factor but do not offer it yourself??
When will noip.com support 2Factor authentication???