  • Remedies for common password pains

    Posted by Tracey Capen on the AskWoody Lounge

      • #2110504 Reply
        Tracey Capen
        AskWoody MVP

        SECURITY By Michael Lasky Security company SplashData recently published its yearly list of the most abused passwords. The bad news? “123456” still to
        [See the full post at: Remedies for common password pains]

        1 user thanked author for this post.
      • #2110510 Reply
        EspressoWillie
        AskWoody Plus

        I’ve noticed that the newsletter writers of this site seem to skip KeyPass as an option for storing passwords.  Is it because it doesn’t store the passwords “in the cloud”?

        If you could fill me in on your suggestions vs. KeyPass, I’d be grateful.

        Cheers!!
        Willie McClure
        www.datarim.com
        Talk's cheap, takes money to buy whiskey.
        • #2110523 Reply
          Kirsty
          Da Boss

          I’ve seen KeePass discussed frequently here and on ghacks – is this different to the software you are discussing?

          I thought KeyPass was ransomware that wasn’t to be confused with KeePass, but now I’m getting confused!

        • #2110537 Reply
          Paul T
          AskWoody MVP

          (Just a guess) I suspect products have to be commercial-ware to qualify for inclusion in some people’s writing.

          cheers, Paul

          • #2111501 Reply
            woody
            Da Boss

            “Commercial-ware” in what sense? We write about – and discuss, and dissect – all kinds of software.

            If you were to list all of the available password managers (soon to include Windows 365, I’m told), the list alone would take a page.

            It isn’t a question of identifying all available products. It’s a question of pointing out products that, in the author’s experience, solve the problem. If a poster’s experience with KeePass is good, this is definitely the place to talk about it.

            2 users thanked author for this post.
            • #2111875 Reply
              Paul T
              AskWoody MVP

              It seems to me that software reviews don’t often include free software, except where it’s a version of a paid-for product. It’s not a criticism, just an observation from my probably biased perspective.

              cheers, Paul

        • #2110543 Reply
          Tom-R
          AskWoody Plus

          Willie, I’m thinking that you’re confusing “KeyPass” (ransomware) with “KeePass” (the password manager).   Assuming that’s the case, I agree with you that many writers/reviewers — not just on this site, but elsewhere too — seem to ignore KeePass when discussing password managers.   I’m not sure why that is.  But cloud storage shouldn’t be a reason for omitting it from their articles and reviews.

          KeePass can easily be used with cloud storage if that’s what the user wants.  As an example, one client of mine uses a Win 10 desktop PC at home; but relies on an iPhone and iPad when traveling.  He has KeePass installed on his PC, and the KeePassium app installed on his iPhone.  Both the PC and the iPhone read and write to a common .kdbx KeePass database file, which he stores on his iCloud drive.  All secure with multiple layers of encryption, easily backed up to his desktop system and additional cloud accounts (e.g., Google Drive), and best of all … completely free!

          Yeah, I don’t understand why tech writers seem to always ignore KeePass.

          4 users thanked author for this post.
        • #2111247 Reply
          rc primak
          AskWoody_MVP

          It is KeePass. And there’s a cross-platform, open-source version. Open Source software often gets passed over in tech articles. There is a real bias in the tech press against anything Free (Libre) and Open Source.

          -- rc primak

          • #2111760 Reply
            dmt_3904
            AskWoody Plus

            And there’s a cross-platform, open-source version. Open Source software often gets passed over in tech articles

            Are you referring to Strongbox? Or a different app?

      • #2110513 Reply
        Kirsty
        Da Boss

        Do not use words that can be found in any dictionary of any language.

        This goes against other password advice, previously discussed here:

        I wish more sites and services would allow long passwords with spaces.  BTW:  All Windows OS editions allow spaces now, but you have to turn complexity rules OFF if you want to use sentences as a password.  Counter-intuitive to admins, but if you allow for long non-complex passwords then your systems are actually safer!

        For a brilliant explanation, see XKCD’s password comic:

        Password Strength

        and on HowToGeek

        As explained:

        Using four random dictionary words as a password may be OK

        Before we talk about the math, we’ll talk about the method. Grab a book. Turn to a random page. Pick a word. Repeat three times. Those four words are your password.

        That shouldn’t make a good password. But the math works.

        PS

        @m8urnett‘s work is behind a great password-strength testing site, which really does bust some complacency about passwords.
        It’s worth checking this out:
        https://howsecureismypassword.net/

        4 users thanked author for this post.
        • #2111250 Reply
          rc primak
          AskWoody_MVP

          The comic has been debated in tech circles ever since it came out. Some security folks think it’s very bad advice, while others advocate using something similar, but in the form of long passphrases with real words in nonsense combinations. Overall, passphrases with real words are more likely to be used and remembered, and seem to be potentially as secure as the random nonsense generated by password managers.

          Where passphrases are allowed, they are a better solution than traditional passwords. But two-factor authentication or non-password authentication are still better solutions. Some sites are already moving away from passwords. This transition will take time.

          -- rc primak

          1 user thanked author for this post.
        • #2111536 Reply
          wavy
          AskWoody Plus

          input: some complacency about pass
          output:
          It would take a computer about 343 septillion years to crack your password

          And yet I remain skeptical… 😯

          🍻

          Just because you don't know where you are going doesn't mean any road will get you there.
          • #2111644 Reply
            Kirsty
            Da Boss

            Healthy scepticism is to be encouraged, but I do think it’s got to be better than a password-like combination that it will tell you can be cracked in less than a minute, or an hour… No?

            1 user thanked author for this post.
            • #2111685 Reply
              wavy
              AskWoody Plus

              Ok I’ll buy that!

              With a GRC.com generated password
              61 quattuortrigintillion years

              Even better 😁
              And what the heck would that be in scientific notation? A really really BIG #

              Actually 61 x 10^105 😵

              🍻

              Just because you don't know where you are going doesn't mean any road will get you there.
        • #2111765 Reply
          dmt_3904
          AskWoody Plus

          @m8urnett‘s work is behind a great password-strength testing site, which really does bust some complacency about passwords.
          It’s worth checking this out:
          https://howsecureismypassword.net/

          Yeah but, how safe is it to be putting my passwords in this website? Who knows where it goes or who sees it? I don’t trust it. I am using a pw manager to generate 24 character random pws and have memorized my financial pws- not stored anywhere except in my head, as long as I can remember them.

      • #2110542 Reply
        anonymous
        Guest

        For what it’s worth I use KeePass on a USB stick which is Bitlocked. So far so good!

        2 users thanked author for this post.
        • #2110554 Reply
          Paul T
          AskWoody MVP

          I hope you backup the database regularly – what happens if you lose the stick?

          cheers, Paul

          1 user thanked author for this post.
          • #2110555 Reply
            anonymous
            Guest

            Backed up to second bitlocked usb stick and put in safe!  You make a good point though. David

            1 user thanked author for this post.
        • #2110770 Reply
          anonymous
          Guest

          Same, but since bitlocker isn’t on all platforms, I lock it in an encrypted 7zip file, plus the data even if you get it needs one more little step before you can figure out what it is. I also have it named something really stupid so that if anyone gets it they’ll wonder why “Household_Expenses_2019.docx” doesn’t open or look like a docx file. I have the 7zip file set to back up to a cloud host that encrypts files with a really big RSA key.

          I’d like to do 2FA, but they either want a Smart Phone (which I don’t have), or Google Chrome (which I don’t want).

          • #2111037 Reply
            Paul T
            AskWoody MVP

            This is too much paranoia IMO. One password database with a strong master key is all you ever need, unless you use it on 3rd party machines. Then all bets are off.

            cheers, Paul

            1 user thanked author for this post.
            • #2111074 Reply
              dmt_3904
              AskWoody Plus

              Ok I am dense and need an explanation ; )

              What do you mean by ‘third party machines’?  I have my password db on a cloud provider (e.g. Google, Dropbox, iCloud), but I control it. I know there is a possibility of a breach at the cloud provider or of an employee accessing my data (which seems to be happening more and more).

              Is any cloud service what you mean, because of what I mentioned above, or are you referring to paid password providers where they control your db?

              Doesn’t my db key protect me?  It has strong encryption.


              • #2111078 Reply
                jabeattyauditor
                AskWoody Lounger

                What do you mean by ‘third party machines’?

                Machines that you don’t own or control – for example, client-owned/operated machines.

                1 user thanked author for this post.
      • #2110616 Reply
        grandma78633
        AskWoody Plus

        Having read about hacks of cloud based password managers, I have stuck with Linkesoft’s Secret! which is a simple encrypted database file that has apps that sync for everything.  I have used it on Microsoft and Android for over 20 years and now on iPhone also.  It takes a little bit of effort to make up your OWN passwords and to remember to sync since that is a manual process not cloud based.  But it is MY file, on MY machine and NOT out in the cloud where it may be vulnerable!  And since I also use Carbonite Backup – – it is “in the cloud” for back up, but encrypted with MY password.

      • #2110630 Reply
        bbearren
        AskWoody MVP

        I use a password-protected Excel spreadsheet to store my long passwords which I generate by poking the keyboard randomly and using the shift key randomly during the process.  That spreadsheet is in turn copied to my OneDrive.

        My banking website has a three login attempt limit, and then locks my account for 24 hours.  After 24 hours I have to call the bank and identify myself to their satisfaction in order to get my account unlocked.  After that, I get three more attempts.  My credit card online access is set up in pretty much the same way with a three-try limit.  If I log in from a different PC, it automatically triggers two-factor identification for all my financial sites.

        The odds against guessing my password are way up there, and a brute force attempt will only lock the accounts.  I’m unconcerned about any of my passwords being compromised, or relying on some third-party app, paid or free.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
        "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

        1 user thanked author for this post.
        • #2110631 Reply
          jabeattyauditor
          AskWoody Lounger

          It’s not a difficult thing to break into a password-protected Excel sheet.

          2 users thanked author for this post.
          • #2111081 Reply
            bbearren
            AskWoody MVP

            It’s not a difficult thing to break into a password-protected Excel sheet.

            It’s pretty much impossible if you don’t have access to the spreadsheet.  The name of the spreadsheet is not “Passwords”, and I have literally hundreds of Excel spreadsheets from pre-retirement.  I’m unconcerned.

            Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
            "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
            "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

        • #2110862 Reply
          dmt_3904
          AskWoody Plus

          I had been using Excel on an encrypted USB for years and it worked well for me.  But I cannot use it on my iOS devices (I don’t have an adapter and iOS cannot read the encrypted file) and it’s really not portable.  Enter Strongbox!  A really great open source app using the KeePass/Password Safe format.  I store my pw file in the cloud of my choice (yes, it’s still the cloud, but I have more control) and the database has very strong encryption.  You can auto-enter pws.  Lots more features – I don’t use them all. It generates passwords too.  I do not reuse any passwords.  This makes it easy. And the developer is very helpful and responsive.

      • #2110638 Reply
        tonyl
        AskWoody Lounger

        What’s the point? According to every movie I’ve seen, all you have to do is type *override password* and you’re in…

      • #2110654 Reply
        berniec
        AskWoody Plus

        Why is it that no survey of password managers ever includes PasswordSafe?  I’ve been using it since long before all the “new” ones appeared.   I don’t trust password managers that use the cloud [in fact, I avoid “trusting” anything that is cloud based].   I have over 200 passwords in pwsafe, all 16-20 random characters, and no two sites share the same password.

        I don’t know about the other password managers, but pwsafe also has an area for “Notes” that I find incredibly handy.  In particular I use that area for the answers to the “security questions”.  I can’t believe that many people just use *real* answers to the security questions [where did you go to high school? and they give their actual high school].  I treat the security questions as an extension of my password.   I make them all different and all whimsical. I could make them random strings, but I don’t [I confess to being lazy about that].   “What was your first pet’s name?”  “Gilgamesh” or maybe “Scylla” or..  something else random.

        [Where did you go for your favorite vacation? … Narnia…   What is your favorite pet’s name?


        1 user thanked author for this post.
        • #2110848 Reply
          Michael432
          AskWoody_MVP

          I agree that the ability to add notes is critical for a password manager. Using this for security questions is a great application of the feature.

          Get up to speed on router security at RouterSecurity.org

          1 user thanked author for this post.
      • #2110727 Reply
        tonyl
        AskWoody Lounger

        Keepass can create passwords for you. In fact, you never even need to know what they are yourself; I like that.

      • #2110738 Reply
        Kirsty
        Da Boss

        Michael Horowitz published a Best Password Advice 6 months ago – it’s a continuing work in progress, and well worth checking out. It includes his detailed analysis of various methods of creating and storing passwords.

        1 user thanked author for this post.
      • #2110847 Reply
        Michael432
        AskWoody_MVP

        I disagree with almost everything in this article. Would love to debate it some time. Lastpass in particular seems a really bad choice based on the recent history of the software and the company.

        Then too, there is what’s missing from the article.

        I hardly ever use a password manager but when I do, on Windows, I use Keepass. My reasons for doing so are here

        https://www.michaelhorowitz.com/BestPasswordAdvice.php#whatido

        Also missing from the article is the concept of using a formula for deriving your password. More on this at the same link above.

        Get up to speed on router security at RouterSecurity.org

        7 users thanked author for this post.
        • #2111503 Reply
          woody
          Da Boss

          Please debate, sir!

          I don’t claim to have any hard-and-fast answers. I expect that passwords, as we know them, will become less and less important over time.

      • #2110866 Reply
        Wheel_D
        AskWoody Plus

        Lastpass in particular seems a really bad choice based on the recent history of the software and the company.

        Given Lastpass’ recent acquisition by private equity firms, I heartily agree.

        1 user thanked author for this post.
      • #2111121 Reply
        Paul T
        AskWoody MVP

        Doesn’t my db key protect me?  It has strong encryption.

        Yes it does. For an attacker to break into your database (assuming the password manager has implemented encryption correctly) they need to try all combinations of possible characters until they find the correct one. Here password length is king because it massively increases the number of password attempts.

        cheers, Paul
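
        Added example, not code from AskWoody, KeePass or any other password manager: it puts numbers on Kirsty’s point above that with four random dictionary words “the math works” and on Paul T’s point that length is king, and it does the arithmetic locally rather than by pasting a password into a website. The attacker guess rates and the 7776-word list size are constructed assumptions for illustration.

```python
"""Offline keyspace arithmetic for the password schemes debated in this thread.

Added example; it is not code from AskWoody, from KeePass or from any other
password manager.  It puts numbers on two points made above: Kirsty's
"four random dictionary words ... the math works" and Paul T's "password
length is king", and it runs locally, so nothing is pasted into a website.
The attacker guess rates are constructed assumptions, not measurements.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed attacker rates (constructed for illustration only):
OFFLINE_FAST_HASH = 1e12           # guesses/s against a leaked, fast, unsalted hash
OFFLINE_SLOW_KDF = 1e5             # guesses/s against a deliberately slow KDF
ONLINE_THREE_PER_DAY = 3 / 86400   # guesses/s at a site that locks after 3 tries a day

# Alphabet sizes and one dictionary size (assumed values)
LOWER = 26                 # a-z
PRINTABLE = 95             # printable ASCII
DICEWARE_WORDS = 7776      # entries in a 6^5 diceware-style word list


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct strings of `length` symbols drawn uniformly from an alphabet."""
    return alphabet_size ** length


def passphrase_keyspace(dictionary_size: int, words: int) -> int:
    """Distinct passphrases of `words` words drawn uniformly from a list.

    The arithmetic assumes the words are picked at random from a list of
    known size, as with dice.  Picking words by opening a book is not
    uniform (common words recur), so this is an upper bound for that method.
    """
    return dictionary_size ** words


def entropy_bits(space: int) -> float:
    """Entropy in bits of a uniformly chosen secret from `space` candidates."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case years to try every candidate at a constant guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def equivalent_random_length(space: int, alphabet_size: int) -> int:
    """Shortest uniformly random string over `alphabet_size` symbols that
    has at least as many candidates as `space`."""
    return math.ceil(math.log(space) / math.log(alphabet_size))


def compare_schemes() -> list:
    """Rank the schemes discussed in the thread by entropy, with crack times."""
    schemes = {
        "8 printable ASCII chars": keyspace(PRINTABLE, 8),
        "16 lowercase letters": keyspace(LOWER, 16),
        "4 diceware words": passphrase_keyspace(DICEWARE_WORDS, 4),
        "6 diceware words": passphrase_keyspace(DICEWARE_WORDS, 6),
        "24 printable ASCII chars": keyspace(PRINTABLE, 24),
    }
    rows = []
    for name, space in schemes.items():
        rows.append({
            "scheme": name,
            "bits": round(entropy_bits(space), 1),
            "years_fast_hash": years_to_exhaust(space, OFFLINE_FAST_HASH),
            "years_slow_kdf": years_to_exhaust(space, OFFLINE_SLOW_KDF),
            "years_online_lockout": years_to_exhaust(space, ONLINE_THREE_PER_DAY),
        })
    rows.sort(key=lambda r: r["bits"])   # weakest scheme first
    return rows


if __name__ == "__main__":
    for row in compare_schemes():
        print(f"{row['scheme']:<26} {row['bits']:6.1f} bits  "
              f"fast hash {row['years_fast_hash']:.3g} y  "
              f"slow KDF {row['years_slow_kdf']:.3g} y  "
              f"online lockout {row['years_online_lockout']:.3g} y")
```

        The table shows 16 lowercase letters beating 8 mixed printable characters, and the same 8-character password moving from seconds against a leaked fast hash to geological time behind a three-tries-a-day lockout, which is the difference between the offline and online cases discussed in this thread.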

      • #2111411 Reply
        ibe98765
        AskWoody Plus

        (Just a guess) I suspect products have to be commercial-ware to qualify for inclusion in some people’s writing.

        cheers, Paul

        Perhaps it has something to do with whether the company does or can buy site advertising?

        1 user thanked author for this post.
        • #2111506 Reply
          woody
          Da Boss

          Perhaps it has something to do with whether the company does or can buy site advertising?

          Look around you. See how much advertising we have?

          I, personally, lost a whole lot of money on AskWoody last year. I’m considering advertising for the new Free Newsletter, whenever we get it off the ground. But there’s no advertising here.

          Either we raise enough through donations to keep AskWoody going — or it dies.

          Advertiser money doesn’t influence any decisions.

          4 users thanked author for this post.
          • #2111507 Reply
            jabeattyauditor
            AskWoody Lounger

            Woody, I think they’re talking about the site mentioned in the original posting, not AskWoody.

            2 users thanked author for this post.
            • #2111549 Reply
              woody
              Da Boss

              Sorry, but this is a real hot button for me. I must’ve taken it out of context. Many people don’t realize how much it costs to keep the ship afloat — and that I’m on the hook.

              4 users thanked author for this post.
              • #2111561 Reply
                dmt_3904
                AskWoody Plus

                Well, I think it’s good you posted that, although it may be out of context.  People need to know that you are not making buckets of money and you are trying to uphold a standard of not accepting advertising money, but if subscribers don’t pay, then you have to do something; we all gotta eat!   And, for this subscriber, AskWoody would be an incredibly useful resource to lose.  I really depend on the info, help and guidance I can get here.  Thanks.

                4 users thanked author for this post.
              • #2111818 Reply
                Wheel_D
                AskWoody Plus

                Sorry, but this is a real hot button for me. I must’ve taken it out of context. Many people don’t realize how much it costs to keep the ship afloat — and that I’m on the hook.

                Woody –

                You perform an essential service, and I believe you and your team are truly among the best in the business. My income may be “fixed”–I have a disability–but you are one of the few causes to which I’m always glad to put my money. Really.

                Thank you!

                5 users thanked author for this post.
          • #2111713 Reply
            ibe98765
            AskWoody Plus

            ibe

            The point I wanted to make and wasn’t clear was that I do not know if your writers are exclusive to Woody or sell their writing elsewhere.

            Still, rather than all the back and forth here, it would be nice if the writer would chime in as to why he was not familiar with Keepass and/or why he didn’t see fit to include it in his article and why he did include Lastpass, which has been in the news over the years for being acquired by Logmein and for a number of security incidents.  See:

            https://en.wikipedia.org/wiki/LastPass

            4 users thanked author for this post.
      • #2111786 Reply
        berniec
        AskWoody Plus

        @m8urnett‘s work is behind a great password-strength testing site, which really does bust some complacency about passwords.
        It’s worth checking this out:
        https://howsecureismypassword.net/

        Yeah but, how safe is it to be putting my passwords in this website? Who knows where it goes or who sees it? I don’t trust it. I am using a pw manager to generate 24 character random pws and have memorized my financial pws- not stored anywhere except in my head, as long as I can remember them.

        You don’t.  You just use your password manager to generate a bunch of passwords and have them evaluated.   It is *very* unlikely that if it generates great random passwords in your testing it’ll generate a clunker for real use.

        2 users thanked author for this post.
        • #2111817 Reply
          dmt_3904
          AskWoody Plus

          Well, if the tester is right, 297 octillion years for a generated password to be cracked. I’m good with that ; )

          I figure criminal ability to crack passwords with brute force will get better and better, so today’s minimum password standards will change – but 297 octillion years should cover me!

          1 user thanked author for this post.
      • #2124439 Reply
        WSRangerRickT
        AskWoody Plus

        There is also KeePass for the Android phone.  I am old school and distribute updates to all the family devices (3 PCs and 2 Android phones) and my work PC via e-mail.  The file is encrypted and small.

        1 user thanked author for this post.
        • #2124467 Reply
          Paul T
          AskWoody MVP

          KeePass does not run on Android, but there are 3rd party compatible apps that do.

          cheers, Paul

      • #2137871 Reply
        Fred
        AskWoody Plus

        If a poster’s experience with KeePass is good, this is definitely the place to talk about it.

        Keepass or Keepass2 is good, and as far as I have read it is not the easiest one to integrate and automatically fill in the password. That seems to be possible too.
        As Kirsty states, this is discussed on ghacks.net and also on: EFF, Bitsoffreedom etc.
        To make this Keepass manager more safe, one may choose to use an extra unlock file for unlocking the kdb/kdbx password file, and this of course is never to be kept alongside the other software, but on an extra USB stick etc.
        In contradiction to Paul_T’s statement: here Keepass2 runs perfectly okay on my smartphone Android-One (a bit small, that screen) and Linux Mint/Cinnamon 19+.
        Regards, Fred

        After all.. Just because we're paranoid doesn't mean they aren't out to get us.
      • #2138328 Reply
        Paul T
        AskWoody MVP

        Keepass2 runs perfectly okay on my smartphone

        It is not KeePass you are using. It might be KeePass2Android, which is a 3rd party port.

        cheers, Paul

        1 user thanked author for this post.
      • #2138481 Reply
        Fred
        AskWoody Plus

        Keepass2 runs perfectly okay on my smartphone

        It is not KeePass you are using. It might be KeePass2Android, which is a 3rd party port.

        cheers, Paul

        Thank you Paul_T, of course you are right, and as you wrote, it’s always best to type in the password with/through the Keepass keyboard.

        As for now I am less worried by the Intel bugs, but more worried by the “backdoor” use by Microsoft themselves.

        Today on my laptop I witnessed the Browser-Hijacking and Searchbar-Hijacking by Microsoft, so right now my trust level is coming close to a sub-zero level  ‘-(

        After all.. Just because we're paranoid doesn't mean they aren't out to get us.
        • #2138503 Reply
          dmt_3904
          AskWoody Plus

          Are you suggesting that MS would be able to obtain passwords when using a Windows machine? I don’t trust them either.  I had the search bar issue and find it very disturbing to know what they were doing, as reported on AskWoody.  Another event in a long series of disturbing events!

          I am using Strongbox (supports the KeePass format) on my iOS devices and typically manually put in passwords on my Windows machine.  I didn’t realize using a pw manager on Windows could be a problem – I just didn’t load the app there.  I try to practice safe computing habits, but I am not savvy enough to protect myself from MS. I think I have updated default privacy settings appropriately, but they still have more access than I would like to give!

          • #2138509 Reply
            Paul T
            AskWoody MVP

            I’m sure MS won’t be collecting your passwords – they’d need to collect all typing and clipboard to do that.
            I’m sure they’re collecting information about how Windows performs on your PC and searches on Bing, but they are only following Google’s lead.

            cheers, Paul

            2 users thanked author for this post.
        • #2138527 Reply
          b
          AskWoody Plus

          Today on my laptop I witnessed the Browser-Hijacking and Searchbar-Hijacking by Microsoft, so right now my trust level is coming close to a sub-zero level  ‘-(

          I don’t think we’ve heard about hijacking. Care to enlighten us?

          Windows 10 Pro Version 2004: Group ASAP (chump/pioneer)

      • #2138584 Reply
        Fred
        AskWoody Plus

        Today on my laptop I witnessed the Browser-Hijacking and Searchbar-Hijacking by Microsoft, so right now my trust level is coming close to a sub-zero level  ‘-(

        I don’t think we’ve heard about hijacking. Care to enlighten us?

        Woody wrote about it in his blog

        After all.. Just because we're paranoid doesn't mean they aren't out to get us.
        • #2138592 Reply
          b
          AskWoody Plus

          Today on my laptop I witnessed the Browser-Hijacking and Searchbar-Hijacking by Microsoft, so right now my trust level is coming close to a sub-zero level  ‘-(

          I don’t think we’ve heard about hijacking. Care to enlighten us?

          Woody wrote about it in his blog

          No hijacking has been mentioned by Woody.

          Windows 10 Pro Version 2004: Group ASAP (chump/pioneer)
