~~NOCACHE~~ [This page last changed ~~LASTMOD~~; visits {{counter|today| time| times}} today, {{counter|yesterday| time| times}} yesterday, and {{counter|total| time total| total times}}] We all have bank accounts, credit cards, insurance policies, healthcare accounts, the list goes on. Many are online. There are so many of these to remember, the URL to go to for access, phone numbers, account numbers, and an access login and password--preferably one that is complex and hard to guess. The challenge is how do you keep track of all of this information in a way that is secure, yet easy to access, that's stored in multiple locations so it's unlikely to get lost, and that you can make available to your next-of-kin if necessary? We will discuss a solution that your presenter uses to solve all of these challenges in a cost affordable--free--way. ====Importance of Strong Hard-to-Guess Passwords==== //And, hard to remember passwords// ===How to Guess a Password=== From Feb, 2017: [[https://sites.psu.edu/hacking/2017/02/17/how-to-guess-a-password/]] * Use common, easy-to-guess passwords (Password, P@$$w0rd, password123, etc) * Sequences like 12345 * Dictionary attack * Social Engineering -- things the bad guys can find out about you * name of husband/wife/son/daughter/dog/cat * birthdays and anniversaries * Brute Force * Fake websites * Phishing email that you respond to * Password cracking software (ophcrack, cain and able, THC-Hydra, Brutus) * Using the same or similar password for multiple sites * (Can you think of others?) Recent from WikiHow: [[https://www.wikihow.com/Guess-a-Password]] Gives a set of steps to follow to guess someone's password. - Figure out the password requirements for the site or app - Ask for a hint or security questions (the "hint" may be easy to guess) - Check the list of easy-to-remember passwords - like: 123456, 123456789, Qwerty, Password, Pa$$w0rd, Qwerty123, Iloveyou, etc - Phone screen passwords may be easy to guess (123456, 147258, etc) - Names of family members and pets - What you know about the target's interests (Golfpro, Mathwhiz, etc) - Significant numbers and dates - like: address, birth/marriage/etc dates, lucky numbers, graduation date - Reverse or change the letters - Adlihnurb, tsorfmada - Substituting $ for s, 0 for o, 3 for e, 1 for i, etc (P@$$w0rd, w1k1h0w) - If you have access to their machine, check for saved passwords in Browsers How long to crack: From [[https://www.komando.com/security-privacy/check-your-password-strength/783192/|Kim Komando]] March 2021 ^Length^numbers only^lowercase letters^U/L letters^Numbers, U/L^Numbers, U/L, Symbols^ |10|instantly|58 min|1 month|7 months|5 years| |11|2 secs|1 day|5 years|41 years|400 years| |12|25 seconds|3 weeks|300 years|2000 years|34k years| |13|4 mins|1 year|16k years|100k years|2m years| |14|41 mins|51 years|800k years|9m years|200m years| |15|6 hrs|1k years|43m years|600m years|15 bn years| //Of course technology will improve over time and shorten these brute force crack times.// You should assume that the attacker knows a lot about you: e.g., Facebook. Guessable things like the following have no business being in your password (or as one the answer to any of your recovery questions): * Your: name, birthday, anniversary, social security number, etc * Name, birthday, etc of your parents, friends, spouse, dogs, etc * Sequences like 12345 * Any of the above but combined -- adding guessable things together does not make them un-guessable * Passwords you've used before, they've probably already been breached ===How to Protect Yourself=== * Use a different password for each site you visit * Use strong passwords * Use randomly generated passwords * Treat "security questions" as passwords * Somehow, remember them all * Use two-factor authentication * Protect passwords from compromise * Provide for next of kin ====Remembering Passwords and Associated Issues==== ^Method^Plusses^Minuses^ |Piece of paper|Free, flexible|Loss. Smudges/can't read writing. Processed by washing machine. Someone else can get. You create the passwords.| |Sticky note attached to computer|Free|Can be seen or stolen by others. Fall off/loss. Smudges/can't read writing. Only available on computer its posted. You create the passwords.| |Spreadsheet|Free, flexible|Where do you store it. Overwrittenable by accident. You create passwords.| |Password Manager|Free, or paid. Can produce good passwords in one spot. Backupable.|Where are passwords stored. Possible breech if stored online. Loss or theft if stored in thumb drive or your computer.| or there's this option,\\ credit to John McPherson of [[http://closetohome.com|Close to Home]]:\\ {{:20211202solution.jpg?direct&500|}} ====How to create hard-to-guess passwords==== If a human is going to guess the password then make it unhuman. Consider: a password "safe". Here are some alternatives, many are free or have free options.\\ You can also do a DuckDuckGo (or Google if you're still using Google) search for "Best Password Managers" and look for those with recent information. //All of these offer login and text note storage in a secure vault protected by your master password, and can generate (and store) strong passwords.// //Following data updated 10/9/2022. There are MANY other options, these are a few. You should study all of the features and drawbacks of any option you consider or select.// ^Manager^Free version. ^Paid version. ^Cost. ^platforms^ |[[https://www.lastpass.com/|www.lastpass.com]] |Access on one device type (computer or mobile) |1GB encrypted cloud storage\\ Multifactor Authentication (MFA)\\ Contingency plan (loved one access in emergency) |Free for one device type; $36/yr 1 user, $48/yr 6 users (group and share items, family manager)|Browser based. Win, Mac, Linux, Mobile| |[[https://www.dashlane.com/|www.dashlane.com]]|One device, secure sharing|unlimited devices, 1GB max, VPN| Free; $60/yr or $90/yr (10 accts)|Browser based. Win, Mac, iOS, Android| |[[https://keepersecurity.com|keepersecurity.com]]|no free option|(Personal) no limits on storage, devices, sharing; (family) 5 vaults, 10GB secure storage|Personal $35/yr, Family $75/yr|App: Mac, Windows, Linux, iOS, Android; Browser extension| |[[https://www.roboform.com/lp?frm=everywhere-offer&rec=TechRadar&dc=TR30&affid=a6277|www.roboform.com]]|one device |sync across devices, cloud backup, web access. Family plan is 5 users.|Personal: $16.68/1yr, $45.14/3yr, $69.60/5yr\\ Family: $33.40/1yr, $90.20/3yr, $139.30/5yr|Windows, Mac, iOS, Android, Linux, Chromebook, Browsers| |[[https://bitwarden.com/|bitwarden.com]]|Unlimited pw, devices | 2FA, emergency access, share w/1-6 people | $10/yr one user, $40/yr up to 6 users |Windows, Mac, Linux, iOS, Android, Browsers| |[[https://1password.com/]]|no free version, only paid, 2wk free trial|unlimited pw & devices, 1GB storage, 2FA.|Individual: $36/yr, Families (5 family members): $60/yr|Mac, Win, Linux, iOS, Android, Browsers| |[[https://nordpass.com/]]|unlimited pw, notes also, credit cards|emergency access |Premium $24/yr, Family (6 accts) $60/yr|Win, Mac, Linux, Android, iOS, Browsers| |[[https://keepass.info/]]\\ [[https://keepassxc.org/download/|KeePassXC]]|* Can run from USB\\ * Many customizable options\\ * A little intimidating? You judge.|FOSS((FOSS=Free, Open-Source Software)) - there is no paid version -- all features in free version\\ Many ports, with different features and UI|Note, no cost. Does not provide place to store the Password Safe, that's up to you|Windows, Android, iPhone/iPad, Mac, Chromebook, Blackberry, Linux, and more| KeePassXC is a KeePass port, see Tech Radar's review: [[https://www.techradar.com/reviews/keepassxc]]. It's free but accepts donations. Refs: * [[https://www.techradar.com/news/software/applications/the-best-password-manager-1325845|Tech Radar, The best free password manager 2019]] * [[https://www.pcmag.com/roundup/331555/the-best-free-password-managers|PC Magazine's picks]] * [[https://www.pcmag.com/picks/the-best-password-managers]] * [[https://www.cnet.com/tech/services-and-software/best-password-manager/]] * [[https://www.techradar.com/best/password-manager]] a good site for reviews of offerings * [[https://www.techradar.com/reviews/keepassxc]] TechRadar's review of KeePassXC ====Caveat==== From [[https://sites.psu.edu/hacking/2017/02/17/how-to-guess-a-password/]]\\ Lawrence Lee February 19, 2017 at 12:07 am\\ ''While I do definitely agree with using a password manager, you also should be careful of who you trust with your information. LastPass recently had a data breach where hackers got away with a significant amount of personal information – thankfully no encrypted passwords were taken, but the fact that they were able to get as much as they did is slightly concerning. You’d think that a company who’s only goal is to increase your online security would be able to defend against intrusions by attackers.'' ====What I do==== //These are my practices for your information. You should make a decision that's best for you.// * Use KeePass application on multiple devices * On MacBook: KeePassXC * On iPhone and iPad: KeePass Touch * On Android: * On Windows: * Store password file in iCloud * Copy password file to local Document storage on each device (so it's available when there's no internet) * Copy password file to Dropbox, pCloud (as backup) To note: * KeePassXC updates the iCloud version whenever I make a change * On iPhone and iPad I need to download a latest version of password file * I added an entry in the password file that tracks latest changes (so I can tell if I have the latest on a given device) Benefits: * Free * Available on all my devices * One password to remember * I can use long and complex passwords * Can keep a history of past passwords Using a password manager: * easy to create long and complex passwords * you can use long and complex passwords * you can create secure passwords and not have to remember all of them * you only have to remember One password * you can store your password file encrypted in multiple places including USB drives so it's unlikely to be lost * you have all of your important access information in one spot, the encrypted file * //your next of kin would likely find this useful// ====More About KeePass==== //Note that many of these features can be handled/provided by other password manager software, free and at cost// * A KeePass //database// can hold * Logins and password * Other information you feel useful, such as: Social Security numbers, Secret passwords (answer to "what was your first dog's name"), telephone numbers * Past passwords. Date you started to use a given password. * And all of the data in the database is encrypted. * There are many applications that can access a KeePass database, and the same database can be accessed from each of them. You choose one that is available and that you find works for you. * On my iPhone, I use: KeePass Touch (and I have used: KeePassium, MiniKeePass) * On Windows (a while ago) I was using KeePass2 * On MacOS I'm using KeePassXC * These are all available to download from keepass.info ===My history with passwords and password managers=== * At first, one password for all sites * Turns out, it was easy to guess! * Then * Password database on USB stick * Copy database to/from any computer I'd use * Not possible on smartphone (and I didn't have one) * Risk: loss of USB stick, loss of database synch * Then, use Dropbox to hold database * In the cloud, can access from many devices (as I now had a smartphone) * Two levels security: need password to access Dropbox, need password to access Password DB * Then Dropbox restricted free access to max 3 devices * As I have more than 3 devices, I had to seek alternatives * So I switched to iCloud, as 5GB is free [note, my database is ~350KB] * Most recent version on iCloud * For redundancy, after I make a password DB change(s), I copy DB from iCloud to other places * local Documents directory * Clouds: Dropbox, pCloud * I share password DB with wife via pCloud * I use a DB entry to log changes * "Last changed 20221009.1817" meaning October 9, 2022 at 6:17pm * Enter change(s) made, eg: "0921: updated CCS entry, new password Kohls" * This I do manually * Helps me synchronize databases * I use KeePass application to create new entries and login passwords * Passwords typically 14+ characters (upper/lower case and numbers) * KeePass tells me how secure a given password is Here is a possible password I might use: ''cqLbq2NHcuNmgU'' -- 14 characters, upper and lower case letters, and at least one number. This one has entropy 82.06 which is deemed "good". Another: ''M6dehfJRn7dz7lM82K'' 18 characters with entropy 101.60 and is deemed "excellent" by KeePass. By comparison |password|entropy 1.00| |Password|entrypy 2.00| |P@$$w0rd|entropy 3.58 (and P@$$w0 has entropy 16.80 !)| //There are other capabilities of a KeePass password manager, such as autofill (it'll copy and enter passwords for you) and URL entry (it'll type your site's URL into your browser), and more; but I do not have experience with these.// ====Next: Live demo of KeePass==== on smi macbook * open, select PasswordExample.kbdx pw=1234 * Save as CSV and look * Save as HTML and look * Database>Reports ====Questions and Answers==== ---- ====References==== * [[https://www.betterbuys.com/estimating-password-cracking-times/]] * [[https://digg.com/2020/password-difficulty-hacking]] * [[https://sites.psu.edu/hacking/2017/02/17/how-to-guess-a-password/]] * [[https://www.comparitech.com/privacy-security-tools/password-strength-test/]] * [[https://keithieopia.com/post/2017-12-13-passwd-crack-time/]] * [[https://www.komando.com/security-privacy/check-your-password-strength/783192/]] * [[https://www.komando.com/safety-security-reviews/creating-the-best-passwords/592778/]] * [[https://www.cnet.com/tech/services-and-software/dont-put-your-online-security-at-risk-get-a-password-manager-now/]]