The "To Keep Up" Wiki

A collection of information we find useful



This is a work-in-progress. If you have suggestions on what to cover (and/or what not to discuss) please let Steve know.
Version 20190817.0930

Care and Maintenance of Secure Passwords

The idea for this started when I heard that someone had had their Facebook account accessed by somebody else. It is possible this happened because Facebook passwords were stolen, but it is also possible that the password was simply guessed. Let's explore the ways passwords are compromised and how to protect yours without causing unnecessary effort on your part.

And is there a way to store all of your account and login information securely while keeping it easy to access?

How passwords are compromised

Much of this is from How to hack like a pro.

  • Guessing
    • Dictionary attack (try every word in a list of common words and leaked passwords)
    • Brute force (try every combination of characters in order)
    • Commonly used / easy-to-guess passwords (password123, Password123, password, ilovejohn)
    • Commonly used passwords with simple changes (p@ssw0rd, !l0v3j0hn); cracking tools apply these substitutions automatically, so they add almost nothing
  • The password is easy to get
    • written down
    • someone watching over your shoulder
  • Password cracking software that automates the guessing (ophcrack, Cain and Abel, THC-Hydra, Brutus)
  • The password is stolen from a company, then tried on your other accounts if you reused it
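The "simple changes" bullet is worth seeing in numbers. The Python below is an added example, not part of the original page and not code from any of the tools named above: it applies a small hand-written rule set (three case forms, optional leet substitutions, a few common suffixes) to a constructed three-word list and shows that every example password in the list above falls out of it, at a cost of a couple of hundred guesses per dictionary word. The word list, substitution map and suffixes are assumptions chosen for the demonstration; real cracking tools ship far larger rule sets and word lists, so the effect is stronger than shown here.

```python
import itertools

# Constructed demo wordlist; real attacks use lists of millions of leaked passwords.
WORDS = ["password", "ilovejohn", "welcome"]

# Hand-written rules (an assumption for this demo): the substitutions and
# suffixes people most often use to "strengthen" a dictionary word.
LEET = {"a": "@", "o": "0", "e": "3", "i": "!", "s": "$"}
SUFFIXES = ["", "1", "123", "2019", "!"]


def case_variants(word):
    """Three capitalisation forms: lower, Capitalized, UPPER."""
    return {word.lower(), word.capitalize(), word.upper()}


def leet_variants(word):
    """Every combination of applying / not applying a LEET substitution
    at each position where one is possible (2**k variants for k positions)."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    out = set()
    for mask in itertools.product((False, True), repeat=len(positions)):
        chars = list(word)
        for apply_sub, pos in zip(mask, positions):
            if apply_sub:
                chars[pos] = LEET[chars[pos].lower()]
        out.add("".join(chars))
    return out


def mangle(words):
    """All candidates produced by case rules, then leet rules, then suffixes."""
    candidates = set()
    for word in words:
        for cased in case_variants(word):
            for leeted in leet_variants(cased):
                for suffix in SUFFIXES:
                    candidates.add(leeted + suffix)
    return candidates


def is_mangled_dictionary_word(password, words=WORDS):
    """True if an attacker running these rules over the wordlist would hit it."""
    return password in mangle(words)


if __name__ == "__main__":
    cands = mangle(WORDS)
    print(f"{len(WORDS)} words -> {len(cands)} candidates "
          f"(about {len(cands) // len(WORDS)} guesses per word)")
    for pw in ["password123", "Password123", "p@ssw0rd", "!l0v3j0hn", "P@ssw0rd2019"]:
        print(f"{pw!r:16} guessed: {is_mangled_dictionary_word(pw)}")
```

Each dictionary word costs the attacker a few hundred guesses under this rule set, against the 62^12 or more candidates a random 12-character password would require; a human "clever" variation of a common word is not a different password from the attacker's point of view.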

How long does it take to crack a password? (From link)

Length          A-Z, a-z, 0-9    with special chars (@#$%& etc.)
9 characters    2 minutes        2 hours
10 characters   2 hours          1 week
11 characters   6 days           2 years
12 characters   1 year           2 centuries
13 characters   64 years         really long time

These figures assume the attacker is working offline against stolen password hashes at roughly 10^14 guesses per second (the rate the table's own numbers imply), which takes a fast hash such as MD5 or NTLM and a great deal of GPU hardware. Three things change the picture: a site that stores passwords with a deliberately slow hash (bcrypt, scrypt, Argon2) cuts that rate by many orders of magnitude; an online login form that limits attempts is slower still; and a password that already appears in a breach list is found on the first guess no matter how long it is. Since you do not control how a site stores your password, plan for the fast case. Note also that each extra character multiplies the work by the alphabet size (62 or 95), which is why length buys more than sprinkling symbols into a short password does.
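To make the table reproducible rather than something to take on faith, here is an added Python example (not from the original page or its source link) that models it: keyspace = alphabet^length, time = keyspace / guess rate. Running it shows the table corresponds to about 1.1 x 10^14 guesses per second, and re-running the same 9-character password at a much lower rate shows how much a slow password hash changes the outcome. The two guess rates are illustrative assumptions, not measurements, and the 95-symbol alphabet is an assumption about what "special chars" means.

```python
import math

# Alphabet sizes used by the table (assumption: "special chars" means all 95
# printable ASCII characters).
LETTERS_DIGITS = 26 + 26 + 10   # A-Z, a-z, 0-9 -> 62
WITH_SPECIALS = 95

# Guess rates are assumptions for illustration, not measurements.
TABLE_RATE = 1e14       # roughly the rate the table's own figures imply
SLOW_HASH_RATE = 1e5    # the order a deliberately slow hash (bcrypt/scrypt/Argon2) might allow


def keyspace(alphabet_size, length):
    """Number of distinct passwords of this length over this alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size, length):
    """Strength of a *uniformly random* password of this shape, in bits."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(alphabet_size, length, guesses_per_second):
    """Worst case for the attacker: every candidate tried once."""
    return keyspace(alphabet_size, length) / guesses_per_second


def implied_guess_rate(alphabet_size, length, seconds):
    """Reverse the table: what rate makes 'length' characters fall in 'seconds'?"""
    return keyspace(alphabet_size, length) / seconds


def human(seconds):
    """Format a duration the way the table does (minutes, hours, ... centuries)."""
    value = float(seconds)
    for name, limit in (("seconds", 60), ("minutes", 60), ("hours", 24),
                        ("days", 365.25), ("years", 100)):
        if value < limit:
            return f"{value:.3g} {name}"
        value /= limit
    return f"{value:.3g} centuries"


def crack_table(rate, lengths=range(9, 14)):
    """Rows of (length, time for 62-symbol alphabet, time for 95-symbol alphabet)."""
    return [(n,
             human(seconds_to_exhaust(LETTERS_DIGITS, n, rate)),
             human(seconds_to_exhaust(WITH_SPECIALS, n, rate))) for n in lengths]


if __name__ == "__main__":
    print("rate implied by '9 chars, 62 symbols, 2 minutes': "
          f"{implied_guess_rate(LETTERS_DIGITS, 9, 120):.2e} guesses/s")
    for n, t62, t95 in crack_table(TABLE_RATE):
        print(f"{n:2d} chars: {t62:>15}   {t95:>15}   "
              f"({entropy_bits(LETTERS_DIGITS, n):.0f} / {entropy_bits(WITH_SPECIALS, n):.0f} bits)")
    # Same 9-character password, but the site stored it with a slow hash.
    print("9 chars, 62 symbols, slow hash:",
          human(seconds_to_exhaust(LETTERS_DIGITS, 9, SLOW_HASH_RATE)))
    # One more character multiplies the work by the alphabet size.
    print("work factor of one extra character at 62 symbols:",
          keyspace(LETTERS_DIGITS, 13) // keyspace(LETTERS_DIGITS, 12))
```

The model is the attacker's worst case (exhausting the whole keyspace) and only holds for passwords chosen uniformly at random; a human-chosen password of the same length lives in a far smaller space of likely candidates, which is what the dictionary and rule-based attacks above exploit.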

You should assume that the attacker knows a lot about you, e.g., from Facebook. Guessable things like the following have no business being in your password (or as the answer to any of your recovery questions):

  • Your: name, birthday, anniversary, social security number, etc
  • Name, birthday, etc of your parents, friends, spouse, dogs, etc
  • Sequences like 12345
  • Any of the above combined: adding guessable things together does not make them un-guessable
  • Passwords you have used before; they have probably already been breached

How to protect your password

  • Never reuse a password: use a different one for every site, so that a password stolen from one company cannot open your other accounts
  • Make it hard to guess: upper and lower case letters, digits, special characters, and at least 12 or 13 characters long. A random password generated by a password manager beats anything you make up
  • Turn on multi-factor authentication wherever the site offers it
  • Change it when there is a reason to (the site reports a breach, you typed it on a shared or lost device) rather than on a fixed schedule; forced periodic changes tend to produce predictable variants rather than stronger passwords. Watch the news for breaches and change the affected password promptly

How to create hard-to-guess passwords

If a human is going to guess the password, then make it something no human would choose: a long random string generated by software, which you then never need to remember because you keep it in a password "safe" (password manager). Here are some free alternatives, from Tech Radar, The best free password manager 2019.
Also see PC Magazine's picks.

All offer unlimited login and text note storage in a secure vault protected by your master password, and can generate (and store) strong passwords.
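For the case where you want to generate such a password yourself (or want to know what the manager's generator is doing), here is an added Python example, not code from the original page or from any of the managers listed: it draws characters uniformly from the four classes the advice above asks for, using the operating system's cryptographic random source via the secrets module rather than the predictable random module, and reports the resulting strength in bits. The particular set of special characters is an assumption (a subset most sites accept); widen it if a site allows.

```python
import math
import secrets
import string

# The four character classes the advice asks for. SPECIALS is an assumption:
# a subset that most sites accept; widen it if the site allows more.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIALS = "!@#$%&*+-=?"
ALPHABET = LOWER + UPPER + DIGITS + SPECIALS   # 73 symbols


def has_all_classes(password):
    """True if at least one lower, upper, digit and special character is present."""
    return all(any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS, SPECIALS))


def generate_password(length=16):
    """Uniformly random password over ALPHABET that satisfies has_all_classes().

    secrets.choice reads the OS CSPRNG; random.choice is seeded predictably and
    must never be used for secrets. Rejection sampling (draw, discard until every
    class is present) keeps the result uniform over all qualifying strings, which
    "pick one character per class, then shuffle" does not.
    """
    if length < 12:
        raise ValueError("use at least 12 characters (13 or more is better)")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy of a uniformly random password; each extra character
    adds log2(alphabet_size) bits, about 6.2 for this alphabet."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for n in (12, 13, 16, 24):
        pw = generate_password(n)
        print(f"{n:2d} chars ({entropy_bits(n):5.1f} bits): {pw}")
```

Sixteen characters from this alphabet is about 99 bits; nobody should be typing such a string from memory, which is exactly why it belongs in a password safe and why the one password you do memorise (the safe's master password) deserves the most care.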

Manager               | Free version                                              | Paid version                                                                                                   | Cost
LastPass              | Access on all devices via their website                   | 1GB secure cloud storage; multi-factor authentication; contingency plan (a loved one's access in an emergency)  | $3/month for 1 user; $4/month for 6 users (group and share items, family manager)
Dashlane              | Up to 50 passwords                                        | Unlimited passwords                                                                                            | $4.99/month, billed annually
Keeper Security       | Access on one device                                      | Other features (dark web monitoring, etc.), charged per month                                                  | $2.50/month, or $29.99 annually
RoboForm              | Basic use; sync across devices, cloud backup and web access all cost | Sync across devices, cloud backup, web access                                                        | $99.50 for 5 years
KeePass Password Safe | Everything: can run from a USB stick; many customizable options; many ports with different features and UI; a little intimidating? You judge. | None. FOSS; there is no paid version, all features are in the free version | No cost. Does not provide a place to store the safe; that is up to you

Steve's Opinions

I use a combination of KeePass on my Mac, PC, and iPhone to access, create, and maintain passwords and related information in a secure password safe (encrypted file). I store and access the safe using iCloud and Dropbox.

Note that KeePass has different applications you can use to access the password safe, as they differ by device.

While I started using Dropbox as you could access your free 5GB from any number of devices, they have restricted its use to 3 devices unless you pay. Now I am using iCloud to hold the password safe as there is no limit on number of devices.

If you do not want to use the cloud (Internet storage) to save your password crypt, you can store it on your computer and use a USB stick to copy it from machine to machine and as a backup.

On Mac Computer

  • KeePassXC
  • Dropbox, iCloud

On iPhone

  • Strongbox (MiniKeePass)
  • iCloud

On Windows

Comments

  • There are other ports of KeePass for Mac OS X, iPad, iPhone, Android, Windows 10, Chromebook, Blackberry, etc. Visit the KeePass site and choose Download.

To Consider

  • Some apps keep your passwords only in the vendor's own cloud, which makes that service a SPOF: if it is unavailable or discontinued, so are all of your passwords
  • KeePass lets you decide where to store the safe (on your computer, on a USB stick, or in cloud storage of your choice), so you control that risk and can keep your own backups

Glossary

Password Crypt, Password Safe: A secure (encrypted) file where passwords and related information are stored; the contents are unavailable unless someone has the software and knows the master password that unlocks it
Port: As in "application ported from Mac to Windows 10": the application has been rewritten for another platform and is now available there as well (here, on Windows 10 in addition to the Mac)
FOSS: Free and Open-Source Software
SPOF: Single Point of Failure
security_topics.1566162297.txt.gz · Last modified: 2021.12.22 14:19 (external edit)