These password memorizations are driving me crazy

[OutHouse]

Welcome to my world, we have at least 30 passwords at work

only 30? lol

use this

passwordsafe

 

[DrPizza]

Which ironically makes passwords a lot less secure because now people are forced to write them down.

You really think that the problem is from people breaking into your home so that they can steal your passwords? Last I knew, people in Russia, Nigeria, etc., didn't have the ability to break into your home for your passwords.

 

[mikeford]

lastpass ftw

Yup, but once in you are stuck. Lose your lastpass password and learn the meaning of fked.

 

[Red Squirrel]

The most important password is your email and domain registrar. As long as you still have access to your email you should be able to save any other account. Also, if your email is compromised they can pretty much take over any other account... including your domain names. In fact one thing to test out is the "forget password" feature of your email and domain name service. Those are two very important services that you want to be very secure. I recently read an article about a guy who pretty much lost everything because of Godaddy and Paypal's lack of proper security practices and handing over info to a con artist/hacker.

If someone has access to your domain names and your email they can pretty much steal all your websites and other net identity. Very very very bad. In fact I'd consider this worse than someone breaking into my bank account. I can make more money or try to get a fraudulent charge reversed, but I will never get my domains back if they're stolen.

 

[PowerEngineer]

This thread makes me feel better! I thought I might have been the last person who hadn't started using a password safe (KeePass) to facilitate strong on-line passwords.

 

[mikeymikec]

I've heard that break-ins for password lists is steadily becoming "a thing".

 

[Red Squirrel]

Password lists are best kept local. Don't trust cloud stuff. Encrypt your list as well.

When I switched to Linux the "PINs" program I used did not work anymore and I wanted something cross platform, so I ended up coding my own web based one. It's very simple, the password to login is also the encryption key for the passwords.

Eventually I want to make this better though as obviously if I want to change my password it means having to re-encrypt the passwords again.

One way to make mine even better would be to have the DB stored on a USB stick so that it's offline. Only plug it in as required. Though, I would not be able to access any passwords from work. Now I can just VPN in and access the web page. Well, my VPN is down till I get around to redoing the certs due to heartbleed.

 

[UnklSnappy]

All my passwords are in a text file that is hidden in a picture using http://sourceforge.net/projects/hide-in-picture/

 

[Dolipapskalious]

It is so aggravating when sites don't communicate their requirements well. Please write out the special characters I may/not use, password length limits, minimum requirements! One site let me type in however many characters I wanted, then truncated them!

And if banks were really trying to protect against brute force attack, they'd implement exponential wait times between incorrect entries.

 

[Dolipapskalious]

I've heard that break-ins for password lists is steadily becoming "a thing".

think I saw on TV one of those "show you how easy it is to break in" shows and instead of stealing anything, he put spyware on the would-be victim's laptop.

 

[CPA]

only 30? lol

use this

passwordsafe

This is what I use.

 

[xanis]

Had this problem and just started using 1Password. Passwords are only stored locally, no cloud stuff.

 

[lupi]

Work password requirement updated again at which pointi sent the IT email to my boss asking if it would be ok to write mine on a yellow sticky or should I just fill out a reset form each day. Getting retarded how short the time between resets has gotten and now the different symbols and crap required is going full absurd mode.

 

[ultimatebob]

It's nice to see that there are so many different password saving programs out there.

Good thing, too... If a majority of people ever standardized on a single password saving program, it would likely become a malware target.

 

[destrekor]

use a password manager. it's kind of a necessity these days if you take security seriously - this means using good passwords, that are different between different accounts, and don't follow some kind of easy to guess system. i've been using keepass.

i still don't put my banking passwords in there though.

I trust lastpass - every single password, including access gate codes or various real-life secret codes or whatever, I also put there. I pay the $12/yr to get it all on my phone too - and lastpass just added the ability to work on top of every application (at least in Android), which is freaking awesome though it doesn't always work perfectly smoothly just yet.

 

[Pandamonium]

My personal and financial passwords sit in a text file that's stored on an encrypted disk image- I have a password system and usually am able to guess within a few tries. My work passwords, on the other hand, require changing every 30, 90, or 180 days. Some of them stipulate that the last 10 passwords cannot be reused. Since the logins for these systems is already challenging enough to keep straight (they are issued alphanumerics), my work passwords involve the month, season, and/or year. Far from "secure" from an IT perspective, I know. I'm willing to go the extra mile for my personal stuff when I don't need to worry about unique passwords for an arbitrary rotation. But once that requirement interferes with my work more than once, I'll conform to IT's "security" measures in the easiest way possible.

 

[Red Squirrel]

The forced password change thing is also 100% pointless from a security perspective.

Let's say someone is brute forcing your password, just because you change it, does not mean you wont pick one that was not tried yet. The best defense is brute force protection. Systems should temporarily boot you out after so many tries. All my online accessible stuff is set to block the IP after 3 bad tries for SSH, I don't open up any other ports as I can just create a tunnel.

 

[destrekor]

The forced password change thing is also 100% pointless from a security perspective.

Let's say someone is brute forcing your password, just because you change it, does not mean you wont pick one that was not tried yet. The best defense is brute force protection. Systems should temporarily boot you out after so many tries. All my online accessible stuff is set to block the IP after 3 bad tries for SSH, I don't open up any other ports as I can just create a tunnel.

Password change policies are for more reasons than simply defense against brute force attacks.

It's more about protecting against unknown intrusions, to put it simply. Think Heartbleed - more often, the holes are far smaller in scope, but sometimes big holes that aren't known by the software/security folks can sit there vulnerable for a while.
Sometimes, someone can get in, find another security flaw, get some password database, all without anyone knowing. Now, they have a snapshot of current passwords, and that database may be held onto for a while, sold wholesale, or blocks sold piecemeal, etc. Russians may only buy such info if it seems likely to lead to credit card data (most likely, but no guarantee they'll resist temptation ).
In short, the data from a data breach may sit around for awhile, or it may be tried the very next day. Without any warning, the next day usage is difficult to prevent against; if it goes unused awhile, there is a chance you may be forced to change the password before anyone tries the passwords stolen in the previous breach.

 

[TwiceOver]

The ones I hate are when your password has a max length. It's really easy to hit all of the password requirements if you use a sentence.

 

[mikeymikec]

The ones I hate are when your password has a max length. It's really easy to hit all of the password requirements if you use a sentence.

Yup, though the even more irritating ones mention the maximum length but don't enforce it in the password entry text boxes, so a longer-than-allowed password is accepted then truncated. I remember when AOL was truncating passwords without even mentioning a maximum length, then you have to play the game of "what length did they truncate the password to?".