Choosing more secure passwords

Discussion in 'Mac Basics and Help' started by paieye, Nov 10, 2016.

  1. paieye macrumors regular

    Joined:
    Nov 14, 2008
    #1
    We are regularly told to take more trouble over passwords, if we want to make them more secure.

    A recommended formula is to use (1) both capital and small letters, (2) numerals that are not in some obvious sequence such as 12345, &c. and (3) punctuation.

    In the last week, I have had occasion to attempt to put this into practice with 2 credit-card sites. Both of them rejected my proposed passwords until I eliminated the punctuation.

    I have just now used the formula to change my password for a 3rd website, this time with complete success. The website ? DeliaOnline.
     
  2. Mildredop macrumors 68020

    Joined:
    Oct 14, 2013
    #2
    A fascinating story. Thank you.
     
  3. chscag macrumors 68020

    Joined:
    Feb 17, 2008
    Location:
    Fort Worth, Texas
    #3
    Why not just use a password manager app? There are some that are free (check the Mac App Store) and will create a password for you and at the same time remember it.
     
  4. paieye thread starter macrumors regular

    Joined:
    Nov 14, 2008
    #4
    But why do I need such an application ? I use a formula that enables me always to know what password I have devised for a given website, without any feat of memory.
     
  5. chscag macrumors 68020

    Joined:
    Feb 17, 2008
    Location:
    Fort Worth, Texas
    #5
    It was only a suggestion. Whatever works for you, use it.
     
  6. paieye thread starter macrumors regular

    Joined:
    Nov 14, 2008
    #6
    I did not mean to sound curt ! My point was simply that the very websites for which one most needs security are in reality obstructing one's attempts to achieve it. Thank you again for trying to help.
     
  7. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #7
    If there is some logical order in your passwords that you apply to all websites, then forget it. What if one of your passwords is stored in plain text and then leaked? If you can come up with a general formula that makes it easy for you to remember, chances are high that others can figure it out.

    I have accepted that the human brain is not going to win this battle against computers. Just use a password manager, remember one strong master password (which you never reuse anywhere) and keep backup copies of your password database on other drives. Then you create fully randomised and unique passwords for all of your websites.
     
  8. paieye thread starter macrumors regular

    Joined:
    Nov 14, 2008
    #8
    Thank you, but my formula is somewhat as follows. Take the name of this website, MacForums. I choose a 3-character string of letters, using some of the letters of that name in the order in which they appear, depending on certain factors related to that name, but not apparently so. I capitalise 1 or more of the letters, depending on certain factors related to the name, but again not apparently so. I follow the string with a 6-digit string of numerals, interrupted by punctuation. Which particular punctuation-marks are used also depends on a factor that is related to the name, but again not apparently so.

    Now suppose that my password to MacForums were to be leaked. If that happened, then of course I should be obliged to accept that the security of my access to that website had been compromised. But the password will have been unique to that website. Are you suggesting now that, even so, the security of all websites to which I have access would be compromised ?
     
  9. krazirob macrumors regular

    Joined:
    Oct 8, 2016
    Location:
    Baltimore
    #9
    Pretty common practice that should be used by all if you don't want to use an app.

    I use a common statement like: i like to fish

    Now take that statement and throw in numbers: 1l1k3tof1sh

    Now take that statement and throw in a symbol or two: 1l1k3t@f1$h

    Now throw in your capital letters: 1L1K3T@F1$h

    Now you have a solid frame for any password. Now you just put in your variable in the beginning for whatever site you use. Keep the variable something to remember such as first 4 letters of site.

    So for capital one site you would use variable: capi

    So now all you gotta remember is the first 4 letters of the site and memorize your frame.

    So for capital one you would use in this case: capi1L1K3T@F1$h

    Easy right? Works for me and I can have complex passwords for all 100+ sites that I visit without having to use an app or password manager
     
  10. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #10
    Even if it was unique, if you are applying a logic to a password that you apply to other passwords, then you are compromising the security of your other passwords as well. You may think that you are clever and have something that nobody else thought of, but you may also be doing something that hackers already know or can relatively quickly figure out. Account security nowadays focusses a lot on human errors and predictable human behaviour. If you are using a convoluted logic for your passwords, then you also risk that you forget the password someday, perhaps due to stress or an accident. Not to mention that such lengthy passwords will get tiring and you will start to write them down somewhere anyway. A password manager is simply the smart solution.

    In other words, if someone were to get access to two of your passwords, they could reduce your password to just 4 characters. Brilliant!
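
An added example (my own code, not from any poster) that puts posts #9 and #10 into Python: the "frame + first 4 letters of the site" recipe, how two leaked passwords made with it give back the shared frame, and for contrast a password-manager style random password restricted to the symbols a site permits, with its guessing entropy. The frame and site names are constructed values for illustration.

```python
import math
import secrets
import string

# Constructed values modelled on post #9's recipe; not anyone's real password.
FRAME = "1L1K3T@F1$h"          # the fixed "frame" shared by every site
SITE_SYMBOLS = "@#"            # symbols post #13 says every site accepts


def formula_password(site: str) -> str:
    """Post #9's scheme: first 4 letters of the site name, then the fixed frame."""
    return site.lower()[:4] + FRAME


def recover_frame(leaked_a: str, leaked_b: str) -> str:
    """Longest common suffix of two leaked formula passwords.

    Post #10's point: once two passwords from the same formula leak, the shared
    part (the frame) falls out and only the site-derived prefix is left.
    """
    n = 0
    while n < min(len(leaked_a), len(leaked_b)) and leaked_a[-1 - n] == leaked_b[-1 - n]:
        n += 1
    return leaked_a[len(leaked_a) - n:]


def meets_policy(password: str, symbols: str = SITE_SYMBOLS) -> bool:
    """The policy from post #1: capitals, small letters, digits and punctuation."""
    return (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password) and any(c in symbols for c in password))


def random_password(length: int = 16, symbols: str = SITE_SYMBOLS) -> str:
    """Password-manager style: CSPRNG, unique per site, nothing shared between sites.

    Limiting `symbols` to what a site accepts keeps the result within its rules.
    """
    alphabet = string.ascii_letters + string.digits + symbols
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, symbols):
            return candidate


def entropy_bits(length: int, symbols: str = SITE_SYMBOLS) -> float:
    """Guessing entropy of a uniformly random password over letters, digits and `symbols`."""
    return length * math.log2(len(string.ascii_letters + string.digits + symbols))


if __name__ == "__main__":
    leaked = [formula_password("CapitalOne"), formula_password("MacRumors")]
    print("recovered frame:", recover_frame(*leaked))
    print("random 16-char password:", random_password(), f"({entropy_bits(16):.0f} bits)")
```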
     
  11. zhenya macrumors 603

    Joined:
    Jan 6, 2005
    #11
    The problem is that as soon as you encounter a site like you mention where it won't accept the password you devise, your formula breaks down, you have to venture outside of what you are likely to remember, and then you have the same problem as everyone else trying to remember their passwords. Not to mention what happens when you need to change a password, or gain access to a password you changed a couple of generations ago.

    Really, get a password manager. It's one of the easiest ways to improve your digital life.
     
  12. paieye thread starter macrumors regular

    Joined:
    Nov 14, 2008
    #12
    Thank you, Zhenya, but in fact if I am not permitted to use my higher-security formula, then I use a standard formula that I also do not need to remember. The trouble with the password-management applications is that only relatively proficient computer-users are going to be prepared to use them, in other words, a tiny, tiny minority.
     
  13. krazirob macrumors regular

    Joined:
    Oct 8, 2016
    Location:
    Baltimore
    #13
    Not sure how someone would get your password unless you just tell people your passwords. The point of the formula is to make a complex password that's not easy to crack with a keylogger and that is not predictive. Although it can still be cracked, it's not as easy as in comparison to simple passwords like PASSword1234, etc. If someone gets any password then you're screwed. So if someone getting access to your passwords is your biggest concern then you should definitely use a formula so that you don't have to write them down.

    Plus, using a password app or manager, where do those passwords get stored? On a cloud? On someone's (the app's) server? That's real secure, putting your passwords on some third-party app or any app or manager that people (other than you) have access to. And when I say access I mean like someone manages the server or database that your passwords are being stored onto.

    By creating a formula you store those passwords in your head, so unless we are reading people's minds then you should be good to go.
    --- Post Merged, Nov 11, 2016 ---
    That's why you ensure that you pick the formula that every site can allow. It's not hard. The biggest thing is symbols... all sites use the basic ones like @# so stay away from ^%&.

    I haven't had any issues with my formula and it works on literally 100+ sites.

    And if generations go by then you should still remember the formula. You can always write down the formula, just don't write down the variables or how the variables are created.

    Nothing is really different than using a password manager. In my case I am the password manager and it's free and more secure.
    --- Post Merged, Nov 11, 2016 ---
    On this topic, what is the best password manager to use? 1Password? I am curious as to which one is really good and the most secure.
     
  14. paieye thread starter macrumors regular

    Joined:
    Nov 14, 2008
    #14
    Kallt, thank you again, but let me explain. The logic of my passwords is in several layers, but is not convoluted, and is very easy to remember. I am aiming not at complete security, which I suspect is unattainable, but at simply a reasonably high level of security. What I am hoping you can tell me is this: are you saying that, if a hacker manages to divine the logic of my approach, he would then trawl my other websites and use his knowledge of my logic to hack into them ? Does this really happen to "ordinary" users such as I ? If you say that it does, why is it that, when one's email is hacked -- as has happened to me once or twice in pre-improved password days -- the typical result is that some daft message is sent to everyone in the address-book, but nothing else happens ?
     
  15. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #15
    You do tell people your password, every time you submit it to a website or give it to an application. These websites and applications must store your password somewhere to authenticate you. The same happens when you transmit a password via an insecure connection, such as HTTP. Have you heard about the massive security breach at Yahoo? There are many big websites with breaches like this. Every website can be affected, every website is thus a potential hole in your formula.

    I do not understand what you are saying here. A keylogger logs your keys. If you are typing your password, then you will be at risk from keyloggers regardless of the complexity of the password. If you save part of your formula on your disk, then where do you save it? Is it secured somewhere? Why is this good enough for you, but not a password manager which employs local encryption and has other security measures?

    Keyloggers are not the biggest concern at all. I’ve given you two examples above that involve the transmission of your data and the storage by third parties. You do not know how they store your passwords or how secure their servers and databases are.

    You don’t have to store them on a server at all. I am using 1Password and store everything locally. Even if you are using a cloud-based password manager, they focus heavily on security and may not be the worst option either. LastPass was breached last year, but no password data was stolen, because of their solid security model.

    There are more than 7 billion heads on this planet that may think just like you. The way you reason and develop your own formula may be the same as many others. You are making a lot of frankly dangerous assumptions.
     
  16. zhenya macrumors 603

    Joined:
    Jan 6, 2005
    #16
    The magic of encryption is what allows you to store passwords in a file in the cloud that is as close to impenetrable as we can possibly get today. With the version I use, PWSafe, it's open source and the file can reside anywhere I want it. Nobody can do anything with the file without the master password.

    I still think at some point I would run into a site that doesn't fit the formula, and then you are back at square 1. And again, I ask, what happens when you have to update your password? How do you remember which version of your password you are on now for that site that maybe you don't log in to that often? I have a fair number of sites that enforce complex password policies where you have to change passwords, say every 90 days, and they won't allow anything similar to an old password.
     
  17. KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #17
    Websites are breached every day. Whenever you send a password to a website or application, you are entrusting them with your password. You don’t know how they store it, you don’t know which security measures they have in place. If just one website is breached and it so happens that they did not store the passwords securely, your password is exposed. You may not even know that they have been breached. Yahoo, for instance, just admitted that they were breached in 2014(!) and that user data, including passwords, was stolen.

    Other people or even just computer programs can analyse your password and attempt to figure out what your logic is. Technology is becoming more and more capable of figuring these things out very quickly and then trying to access your accounts automatically. Once your formula is cracked, your other passwords and the accounts they protect are no longer secure.

    I frankly just don’t see why people want to take that risk in the first place. Why spend so much time on a formula that someone else may figure out anyway or that you may forget at some point? Why leave clues in your password about your other passwords? It simply makes no sense to me. Use a password manager, you don’t have to be a computer geek to use one. I use 1Password and it is remarkably simple to use. It has built-in functionality for making separate backups (e.g. on a flash drive). The rest can be handled by system backups, such as Time Machine.
     
  18. paieye thread starter macrumors regular

    Joined:
    Nov 14, 2008
    #18
    Thank you.
     
  19. krazirob macrumors regular

    Joined:
    Oct 8, 2016
    Location:
    Baltimore
    #19
    Which password manager do you recommend? 1Password? Does it matter if it's paid or not?
     
  20. KALLT, Nov 11, 2016
    Last edited: Nov 11, 2016

    KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #20
    I can only recommend 1Password, because that is the one I have been using for many years. I trust them, they seem to know their stuff and they focus on Apple platform integration (their Mac and iOS apps work wonderfully). However, it is the most expensive option upfront, though it may pay off over a couple of years. They usually have big sales, perhaps on Black Friday.

    You should look into several of them, read some reviews on technology-oriented websites, determine what works for you. LastPass, Dashlane, KeePass and Enpass are commonly mentioned. If you are completely into the Apple platform, you may also just use iCloud Keychain and the Keychain Access application on OS X.
     
  21. krazirob macrumors regular

    Joined:
    Oct 8, 2016
    Location:
    Baltimore
    #21
    Currently I do use keychain on the Mac. I use all apple platforms with one exception and that's my work computer that my company issued to me.

    So if using keychain then I really don't have a need for any other password manager, is what you're saying basically, correct?

    On that note I still use my formula but I have it all saved in my keychain so it remembers it for the most part. Should I still look into something like 1Password? I'm a big fan of you get what you pay for, so price isn't a big deal if it does wonders for security.
     
  22. KALLT, Nov 12, 2016
    Last edited: Nov 12, 2016

    KALLT macrumors 601

    Joined:
    Sep 23, 2008
    #22
    OS X and iOS have their own key store in the form of keychains, which you can access in Keychain Access on OS X. iOS does not have a way to access keychains on the device, unfortunately. The ‘local’ keychain can also be synced between your devices with iCloud Keychain, which will allow you to manage your iOS keychain as well, but this is optional.

    Safari also uses this keychain to store your website accounts. It will fill in your credentials when you have to log in on a website. Safari can even generate unique, complex passwords for you when you have to type one in on a website (e.g. upon account creation or when you change a password) and then store them automatically in the keychain. For all intents and purposes, it works just like a password manager. The only downsides are that the functionality is bare-bones and you can only use it on Apple platforms.
     
  23. zhenya macrumors 603

    Joined:
    Jan 6, 2005
    #23
    I mentioned Password Safe above. It's not the flashiest of programs, but it's open-source and there are apps for OS X, Windows, Linux, iOS, Android, etc. The iOS app integrates with TouchID.
     
