  • Tasks for the weekend – July 17 – what’s your password?

      • #2378422
        Susan Bradley
        Manager

        (Youtube here) Just the other day I was reminded to be careful with any of the social media “game” questions that try to make you build a name from va
        [See the full post at: Tasks for the weekend – July 17 – what’s your password?]

        Susan Bradley Patch Lady

        1 user thanked author for this post.
      • #2378439
        Pepsiboy
        AskWoody Lounger

        Susan,

        This is a SIMPLE problem with a SIMPLE solution ! ! Pick ANY of the questions, and give an answer that has NOTHING to do with the question. What is so HARD about that ? ? ? I have always used this method since getting one of my STUPIDLY CORRECT answers guessed many years ago. No correct guesses after that.

        Just MY stupid solution to the SIMPLE problem.

        K.I.S.S. (Hopefully you know what that means.)

        Dave

        2 users thanked author for this post.
        • #2378444
          oldfry
          AskWoody Plus

          Yes. To follow up…

          To make this easier, store your random answers to these security questions in the notes section of your password entry within your password manager.

          Just like passwords, no two accounts should have the same answers to these questions.

          Teaching end-users about this security vulnerability is a challenge.

          The Windows 10 OS asks for three security questions as well.  Will Windows 11 fix this old security problem?

          I lose respect for any vendor who depends upon these “secret” questions to reset your password to the vendor’s account.

           

          1 user thanked author for this post.
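
Added example, not written by any poster in this thread: one way to produce the unrelated, per-account answers described above and to audit existing notes for an answer reused across sites. The function names, site names, 16-character length, and the assumption that a site may compare answers ignoring case and spacing are all illustrative.

```python
import math
import secrets
import string

ALPHABET = string.ascii_lowercase + string.digits  # easy to type or read aloud


def random_answer(length=16):
    """Return a random answer that has nothing to do with any question."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Bits of entropy in a uniformly random answer of this length."""
    return length * math.log2(alphabet_size)


def normalise(answer):
    """Assumption: a site may ignore case and spacing, so the audit does too."""
    return "".join(answer.lower().split())


def fill_answers(accounts, length=16):
    """accounts: {site: [questions]} -> {site: {question: answer}}, all distinct."""
    used, notes = set(), {}
    for site, questions in accounts.items():
        notes[site] = {}
        for question in questions:
            answer = random_answer(length)
            while normalise(answer) in used:  # collision is very unlikely, still checked
                answer = random_answer(length)
            used.add(normalise(answer))
            notes[site][question] = answer
    return notes


def reused_answers(notes):
    """Return {normalised answer: sorted sites} for answers used on more than one site."""
    seen = {}
    for site, qa in notes.items():
        for answer in qa.values():
            seen.setdefault(normalise(answer), set()).add(site)
    return {a: sorted(sites) for a, sites in seen.items() if len(sites) > 1}


# Constructed sample: notes copied out of a vault, with one answer reused on two sites.
EXISTING = {
    "bank.example": {"Where did you go on your honeymoon?": "Mayonnaise"},
    "shop.example": {"First pet's name?": "mayonnaise ", "Favourite teacher?": "q7x2"},
}
```

The output of `fill_answers` is meant to be pasted into the notes field of each password-manager entry; `reused_answers(EXISTING)` flags the shared "mayonnaise" answer.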
          • #2378454
            Mele20
            AskWoody Lounger

            To make this easier, store your random answers to these security questions in the notes section of your password entry within your password manager.

            You rely on a Password Manager? That is CRAZY. They f**k up and anyone relying on them is not living in the real world.

            • #2378486
              Ascaris
              AskWoody MVP

              You’re entitled to your own opinion on the matter, but it does not mean that anyone who disagrees “is not living in the real world” or that what they’re doing is “crazy.” There’s no need for the arrogance or the nasty tone.

              Many of us out here in what you believe is not “the real world” find password managers indispensable, and some of us (me, for example) would say there is no other reasonable choice for keeping track of passwords on the web.

              I can’t remember hundreds of randomly-generated strings of 12 or more characters, along with various user IDs, let alone remember which site each one belongs to. Why do you think so many people use “qwerty” or “password” or “1234” or something easily guessed, like the name of their spouse, not just on one site, but on all of them?

              The odds of an offline password manager “giving up the goods” by virtue of a security bug are quite low. If you’re going to write off any software that might possibly have a security bug in it, well, that’s all of it.

               

              Group "L" (KDE Neon Linux 5.22.4 User Edition)

              3 users thanked author for this post.
            • #2378504
              Susan Bradley
              Manager

              The wonderful thing about technology is that we can all use different platforms to perform our tasks. There are password manager programs that can be relied on.

              Susan Bradley Patch Lady

              • #2378753
                kstephens43
                AskWoody Plus

                Which password managers do you consider reasonably secure?

              • #2380579
                Tom-R
                AskWoody Plus

                kstephens43:  My personal choice is KeePass 2.x.  By default it does AES 256-bit encryption of the entire database file.  It’s open source, and has been extensively examined and audited by the open source community to ensure there’s no backdoor way of bypassing that encryption.  It is completely self-contained; so it doesn’t rely on any cloud storage (although you can choose to store it on a cloud drive if you want).  Since it resides on your local hardware (by default) no third-party company has access to your database file; you have complete control over it.

                So basically, the only way into the database is via your master password, which only you know (unless you choose to disclose it to someone else).  If your master password is long and complex enough, no one is ever going to be able to get into your KeePass database.

                Just for reference, I use a master password that’s almost 30 characters in length with upper and lower case letters, numbers, and symbols.  With that complex a master password and KeePass’ AES 256-bit encryption, I say good luck to anybody trying to break into my KeePass database — assuming that they can even get access to the database file in order to attempt a break-in.

                Oh, and you get that level of security with KeePass at no cost — without any monthly subscription fee.

              • #2380620
                Kobac
                AskWoody Plus

                I second the use of KeePass. I have been using it for years on our Windows PCs and use KeePassXC on our Linux Mint PC.

                KeePassXC is a cross-platform community-driven port of KeePass, which is a Windows program.

                Both programs use the same format for their databases, so you can copy the database from one program and use it with the other one.

                Both programs are open-source and free to use.

          • #2378496
            Kobac
            AskWoody Plus

            I do exactly this (fake answers having nothing to do with the question and different ones for each site) and keep track of everything in a password manager. I’ve been doing it for years.

            1 user thanked author for this post.
        • #2378537
          KP
          AskWoody Plus

          Pick ANY of the questions, and give an answer that has NOTHING to do with the question.

          It becomes very hard to guess.

          Misspell something and it adds another level of difficulty.

          1 user thanked author for this post.
          • #2378954
            Pepsiboy
            AskWoody Lounger

            KP,

            A level that is nearly IMPOSSIBLE to crack ! ! ! !

            Dave

      • #2378453
        Mele20
        AskWoody Lounger

        You are relying on data and how things were re passwords THIRTEEN YEARS AGO. You are saying nothing has changed in 13 years?

        Looks to me as though you were hard up for a topic. 🙁

        I don’t do social media period and never have. Using social media is a sign of low intelligence.

        • #2378476
          Susan Bradley
          Manager

          I’m showcasing that vendors are still using the same processes as 13 years ago and we’re helping to make them more insecure.   I still see these SAME security questions.

          Susan Bradley Patch Lady

          7 users thanked author for this post.
          • #2378516
            plodr
            AskWoody Plus

            One of the banks I use, not the main one, still uses this method. Once a year I have to pick 3 questions and 3 answers.

            Needless to say, I’ve been giving fake answers for years. As long as I write down a site, what question I picked and what answer I came up with, I’m okay.

            Got coffee?

      • #2378570
        anonymous
        Guest

        I don’t understand some of the harsh responses I’m seeing to this post. I think it’s very much worth discussing the actual security of these “security questions”, as they’re still in active use on many sites. My bank and my government website logins all make these security questions mandatory. For me, I treat them like a second password, and pick responses that are bizarre enough that even my mother couldn’t guess them, but are familiar enough for me to remember them. And yes, I do store them in a reputable password manager, because it’s always worth having a backup in case memory fails (and memory will eventually fail—not a matter of ‘if’, but ‘when’).

        As an example, say a security question asks, “Where did you go on your honeymoon?”. I often pick this question even though I am not married and thus have never been on a honeymoon. Someone who knows me well would be utterly baffled by the question, and thus their attempt at resetting my password or otherwise gaining access by guessing the answer to this question would be thwarted. As for me, I pick answers that are not how you would directly answer the question, such as “It could have been Ibiza”, or “Let me think… Ibiza?”, rather than “Ibiza”. So even if I was married and even if my honeymoon was in Ibiza, you couldn’t swipe my account even if you knew this information.

        1 user thanked author for this post.
        • #2378581
          Kobac
          AskWoody Plus

          When giving a false answer, get creative. For example, don’t give a fake city—give an answer that is not even a city.

          Q: “Where did you go on your honeymoon?”

          A: “Mayonnaise.”

          1 user thanked author for this post.
          • #2378628
            Pepsiboy
            AskWoody Lounger

            Kobac,

            EXACTLY what I was getting at in my first post replying to Susan. NEVER give the correct answer, and get creative with your answers. The chances of some HACKER guessing your answer are next to ZERO ! ! !

            Dave

            1 user thanked author for this post.
          • #2378735
            Ascaris
            AskWoody MVP

            The only trouble would be remembering what the nonsense answer you gave was when it asks again later. (Back to the password manager thing then, of course.)

            Group "L" (KDE Neon Linux 5.22.4 User Edition)

            2 users thanked author for this post.
            • #2378771
              Kobac
              AskWoody Plus

              Right. If you use a password manager, no problem.

              There are currently 329 entries in our password manager, complete with usernames, passwords, URLs, notes, challenge questions and answers, etc. There is no way to safely manage all that without such a program.

              We also have multiple backups of the password database, both local and off-site, since if that database is ever lost, corrupted or whatever, it would be, shall we say, inconvenient.

              1 user thanked author for this post.
            • #2378957
              Pepsiboy
              AskWoody Lounger

              Kobac,

              Or do as I did: create a database similar to what I have and record ALL the information there, then encrypt it with a multifactor password for security.

              Yes, I know, lots of work, but simple to look up.

              See attachment.

              Dave

              • #2379083
                Kobac
                AskWoody Plus

                Sure, that’s one approach. At a former employer, they used to use a password-protected Excel spreadsheet until I eventually convinced them that a password manager would be more secure and easier to use. A password manager is also expressly designed from the ground up for its intended purpose. Why reinvent the wheel?

      • #2380639
        Alex5723
        AskWoody Plus

        Never used a password manager. I remember all the passwords I use.

        • #2380643
          Kobac
          AskWoody Plus

          I’m glad that works for you, but I have over 300 entries in my password manager, which includes different random answers to challenge questions and notes. It would not be practical or manageable without such a program.
