SIGforum
Password Rules SUCK
January 31, 2022, 03:35 PM
cas
I'm working from multiple locations, 3 computers, 2 tablets, 2 phones. The VPN doesn't even enter into their unhappiness. lol
January 31, 2022, 03:49 PM
fiasconva
Sigmonkey, it's a good thing I wasn't drinking my glass of wine yet or it would be all over my keyboard and monitor. That was hilarious! Thanks!
"Even if the world were perfect it wouldn't be." ... Yogi Berra
January 31, 2022, 04:38 PM
Nismo
At work, we have to make a new password every 3 months. I basically use the same password but change the symbol at the end. So I went from ! to @ to #, etc.
January 31, 2022, 06:28 PM
egregore
I can't remember a password that doesn't at least vaguely spell out a word or phrase.
January 31, 2022, 09:39 PM
flesheatingvirus
quote:
Originally posted by egregore:
I can't remember a password that doesn't at least vaguely spell out a word or phrase.
I'm a big fan of passphrases, but not every system allows them.

________________________________________
-- Fear is the mind-killer. Fear is the little-death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past me I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain. --
February 01, 2022, 02:50 PM
ensigmatic
quote:
Originally posted by egregore:
I can't remember a password that doesn't at least vaguely spell out a word or phrase.
<broken record>Password manager application</broken record> Then one need remember only one

"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher
February 01, 2022, 07:13 PM
4MUL8R
I try to remember them. I also try to link the password to the site. For example, a work-related site has a password that is the street address of where I work.
Special characters replace letters that make sense. Ampersand = a, for example.
And, I try to use Bible verses as passphrases. In this way, I can take a reference verse, like John 3:16, and make it J0hn3:16. Often this suffices for the security requirements.
I do also use Dashlane to store all passwords in a journal-like list. One master password, and all are available to me.
I also like Apple, now using "sign in using Apple" as a method. I only have to recall the machine password, to unlock each site. I have no idea what the password really is. Apple does it for me. I just recall the machine password.
What is my machine password again?
-------
Trying to simplify my life...
February 02, 2022, 08:04 AM
Pipe Smoker
You definitely need a decent password vault. Besides generating pseudo random PWs per site rules they have other helpful features too. For each account:
* A username field
* A PW field (of course)
* A URL field
* Arbitrary named fields. E.g., CS phone number
* A Notes field for any useful info. E.g., answers for “Security questions”
If you put the login site in the URL field clicking the URL will launch your browser of choice and automatically log you in (for many accounts).
I’d hate to be without a PW vault. I have mSecure. A reasonable one-time fee rather than an annual subscription. Automatically syncs the mSecure apps on my smartphone and laptop.
Serious about crackers.
February 02, 2022, 10:14 AM
chongosuerte
Two serious questions about these apps:
What is the likelihood of them getting breached?
And what happens if your phone screws up or isn’t available?
Knowing what one is talking about is widely admired but not strictly required here.
Although sometimes distracting, there is often a certain entertainment value to this easy standard.
-JALLEN
"All I need is a WAR ON DRUGS reference and I got myself a police thread BINGO." -jljones
February 02, 2022, 10:28 AM
V-Tail
quote:
Originally posted by chongosuerte:
Two serious questions about these apps:
What is the likelihood of them getting breached?
And what happens if your phone screws up or isn’t available?
The Password Manager that I use keeps the data base on the local device (phone, tablet, computer). It does offer the option to sync to other devices via the cloud, but if that option is used, everything that goes through the cloud is encrypted, so even if the cloud server is hacked, the data are still encrypted.
My hovercraft is full of eels
February 02, 2022, 11:09 AM
ensigmatic
quote:
Originally posted by chongosuerte:
Two serious questions about these apps:
What is the likelihood of them getting breached?
Greater than zero and (probably) less than one-hundred percent?

They're software. Software is imperfect. Can it happen? Of course it can. Will it happen? Maybe. Will you be targeted? Maybe.
quote:
Originally posted by chongosuerte:
And what happens if your phone screws up or isn’t available?
As with anything else you store on only your phone: You're screwed.
Most of these applications keep a copy of your credentials database in cloud storage. (Which is actually the bigger threat, in my mind.) So, if your phone screws up or otherwise becomes unavailable: You're inconvenienced only so long as it takes to fix the phone problem.
The application I use mirrors the database between my phone and my tablet via iCloud storage. I manually download the file and save it on my computer via browser access to iCloud. (The iOS/iPadOS app also allows you to "share" the database via email, text messaging, etc.) I have a desktop app that can then use that same database.
My keyring (another way of saying "password manager") encrypts the database with very strong encryption. It is that encrypted database that's shared to iCloud. iCloud then encrypts it again. I gauge the odds of somebody breaking that doubly-encrypted database as acceptably high.
Is any of this ideal? No. But until the tech world comes up with something better than manually-entered, manually-maintained username/email-address/password credentials: It's the best we have.
February 04, 2022, 07:02 AM
chongosuerte
I’m planning to switch to a password manager app today. What are the better options? Two or three are mentioned in this thread, but looking for educated opinions. Don’t mind spending a few dollars if necessary.
February 04, 2022, 07:24 AM
Falcon
Zerohedge had an interesting article on password security which stated "A twelve-character password with one uppercase letter, one number and one symbol is almost unbreakable, taking a computer 34,000 years to crack".
With just 26 lower case letters, a password of eight characters has 26^8, so around 209 billion possible combinations. Adding the uppercase, we already arrive at 52^8, around 53.5 trillion combinations. With the numbers in there, it’s 62^8 or 218 trillion combinations.
Symbols add another great potential for security, but since only the handful displayed on computer keyboards are convenient to use, this ups the number of combinations once more to around 90^8 or 430 trillion combinations.
February 04, 2022, 07:37 AM
V-Tail
quote:
Originally posted by chongosuerte:
I’m planning to switch to a password manager app today. What are the better options? Two or three are mentioned in this thread, but looking for educated opinions. Don’t mind spending a few dollars if necessary.
I use 1Password, but: I bought it way back when it was a one-time purchase, so I'm grandfathered in. Now it is sold rented to you on a subscription basis, so while the product is excellent, the marketing model is not.
If they ever decide not to honor the lifetime purchase that I made and I need to change from 1Password I will most likely go with mSecure or BitWarden.
February 04, 2022, 02:42 PM
smlsig
Thanks to everyone for this discussion. I’ve been thinking of getting a password keeper for quite a while now.
It looks like Bitwarden has a free option and even their upgraded personal version is only $10/year.
------------------
Eddie
Our Founding Fathers were men who understood that the right thing is not necessarily the written thing. -kkina
February 04, 2022, 03:02 PM
ZSMICHAEL
Sometime back I read an article about the fellow that invented the password system. He apologized, simply stating that two nonsensical phrases would be impossible to crack. Unfortunately, that is not available on any website I have found.
February 05, 2022, 02:22 AM
Nuclear
Yeah, speaking as a former SysAdmin, it really is JUST the length of the password string, not any of that other crap.
February 10, 2022, 01:49 PM
caribouhunter
To get around the “can’t use dictionary” words, I have started to use gun companies, cartridges, reloading phrases. Simple to remember and does not get flagged.
I.e. cartridge, grains, powder…add a special character, all good to go.
Making this one up ( I know it is wrong) ... 38special4grV110!!
March 05, 2022, 07:38 AM
Pipe Smoker
quote:
Originally posted by Nuclear:
Yeah, speaking as a former SysAdmin, it really is JUST the length of the password string, not any of that other crap.
To some extent that’s right. The difficulty of cracking a PW increases exponentially with its length, but only linearly with the character set size. But many sites limit the length of PWs, so a greater character set size does help security in that case.
March 05, 2022, 08:00 AM
smschulz
There should be rules on attempts in order to work against brute force attacks.
Usually requiring a time out or a reset.
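
An added example, not written by anyone in this thread: a per-account attempt limiter of the kind the last post describes, where the lockout doubles up to a cap, alongside the length-versus-character-set comparison discussed earlier. The thresholds (5 failures, 60-second base lockout, 1-hour cap), the one-guess-per-second rate and the account name are assumptions chosen for illustration.

```python
import math

def keyspace_bits(charset_size, length):
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(charset_size)

class LoginThrottle:
    """Lock an account after max_failures bad guesses; each lockout doubles, up to a cap."""
    def __init__(self, max_failures=5, base_lockout=60, max_lockout=3600):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.state = {}  # account -> [failures, lockouts so far, locked_until]

    def allowed(self, account, now):
        return now >= self.state.get(account, [0, 0, 0.0])[2]

    def record(self, account, success, now):
        if success:
            self.state.pop(account, None)  # a good login clears the history
            return
        s = self.state.setdefault(account, [0, 0, 0.0])
        s[0] += 1
        if s[0] >= self.max_failures:
            delay = min(self.base_lockout * 2 ** s[1], self.max_lockout)
            s[0], s[1], s[2] = 0, s[1] + 1, now + delay

def guesses_admitted(throttle, window_seconds, account="alice"):
    """Count wrong guesses the throttle lets through in a window (1 guess/second when unlocked)."""
    now, count = 0.0, 0
    while now < window_seconds:
        if throttle.allowed(account, now):
            throttle.record(account, False, now)
            count += 1
            now += 1.0
        else:
            now = throttle.state[account][2]  # skip ahead to the end of the lockout
    return count

if __name__ == "__main__":
    print("8 chars from 90 symbols: %.1f bits" % keyspace_bits(90, 8))
    print("16 lowercase letters:    %.1f bits" % keyspace_bits(26, 16))
    print("guesses admitted per day:", guesses_admitted(LoginThrottle(), 86400))
```

A limiter like this only constrains guessing against the live login form; it offers nothing once a password database has been stolen, which is where password length does the work.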