What's your password policy?

sebna

Member
I think having some elaborate password policies might be a bit of overkill for a personal use. In the end I would imagine on average most people probably use 2-10 important logins. Keep them secure but most importantly stay secure online. Rest logins do not really matter, so who cares.
 

mjn

Distinguished Member
I think having some elaborate password policies might be a bit of overkill for a personal use. In the end I would imagine on average most people probably use 2-10 important logins. Keep them secure but most importantly stay secure online. Rest logins do not really matter, so who cares.
For work, we have 6 domains, each with a regular account and each with a privileged account.

That is 12 logons and passwords to remember! :laugh:
 

sebna

Member
For work, we have 6 domains, each with a regular account and each with a privileged account.

That is 12 logons and passwords to remember! :laugh:
Work is a different thing.
 

RBZ5416

Distinguished Member
From my exercise to date I've so far encountered three sites that have no option to change the password when logged in, & have failed to supply an email in response to "I forgot".
 

imightbewrong

Distinguished Member
I think having some elaborate password policies might be a bit of overkill for a personal use. In the end I would imagine on average most people probably use 2-10 important logins. Keep them secure but most importantly stay secure online. Rest logins do not really matter, so who cares.

With a password manager there is no effort in having strong passwords - just press the 'generate password' button and away you go. I have 200+ passwords stored that I do not know, ranging from 10 to 100+ character random strings. With some sites (like Amazon, Facebook etc) you can even do a one-click change in the password manager and it automatically changes your password on your behalf, so you can rotate 20+ sites with one click.
 

sebna

Member
With a password manager there is no effort in having strong passwords - just press the 'generate password' button and away you go. I have 200+ passwords stored that I do not know, ranging from 10 to 100+ character random strings. With some sites (like Amazon, Facebook etc) you can even do a one-click change in the password manager and it automatically changes your password on your behalf, so you can rotate 20+ sites with one click.
Some will argue password manager is a weak link.
 

BobBob21

Well-known Member
With a password manager there is no effort in having strong passwords - just press the 'generate password' button and away you go. I have 200+ passwords stored that I do not know
In principle a nice idea but...

1) What happens if the Password Manager is compromised?

2) What happens if you have to use a random computer and you don't have your mobile/tablet etc?

As someone without a smart phone who does end up using random computers with moderate frequency I've never seen even the Apple style random strong password + save my password as a practical solution even though I fairly often have my tablet with me and so password managers are even less practical.

Having created my first email account in early 90s I only have evidence of one occasion of any actual hack on any of my accounts despite using the same password for almost everything. 2-3 years ago my email/ebay/paypal was hacked and about £100 spent on software codes. Got it back in about 24hrs.

Since then... email has a unique and complex password as they had covered their tracks by deleting emails. Paypal, Amazon, Deliveroo and a few other sites have a different complex password. Most other basic sites that I don't save payment details on, social media etc I haven't bothered changing the details of.

I have had my details stolen from large well known companies before... three days before one large data breach was announced I was trying to convince them that they'd had a breach because I'd used a unique email and name combination with them and suddenly started getting spam with the fake name
 

jurassicmark

Active Member
I think having some elaborate password policies might be a bit of overkill for a personal use. In the end I would imagine on average most people probably use 2-10 important logins. Keep them secure but most importantly stay secure online. Rest logins do not really matter, so who cares.
There are obviously some websites where the security of your login details are more important, such as your bank, but there are shopping and other websites that I have used which have my name and address and maybe credit/debit card details. I haven't counted all of the websites that have my details but there are definitely more than 10. I wouldn't want anyone to gain access to any of those so security for such websites is important for me, just not as important as it is for my bank.

There's nothing elaborate about using a password manager but it enables me to create a very secure password for all those sites without me having to remember any of them. It may not matter as much if someone cracks my password on AVForums or similar in comparison to cracking my bank login details but it still matters. I don't want the chore of regaining control of my account or having to re-register and losing all my posting history.

Using a password manager is a no-brainer for me with having over 100 logins (all for personal use). It makes things so much easier as I don't have to think of a password when registering with a website. It creates a random password that can be set to your required length with or without letters, digits or special characters. I also don't have to type out any usernames/passwords as it has an autofill feature. It has premium features for a cost but it offers all of the above basics for free.
 

silent ninja

Well-known Member
Not using a password manager is simply irresponsible in my opinion. The risks are negligible, and benefits huge. Use 2 factor authentication on top of it and you're good.

I've used LastPass, but Keeper is so much better. Mobile or desktop, it works like a charm. You can create a family account and share the subscription. Money well spent in this digital word.
 

jurassicmark

Active Member
In principle a nice idea but...

1) What happens if the Password Manager is compromised?

2) What happens if you have to use a random computer and you don't have your mobile/tablet etc?

As someone without a smart phone who does end up using random computers with moderate frequency I've never seen even the Apple style random strong password + save my password as a practical solution even though I fairly often have my tablet with me and so password managers are even less practical.

Having created my first email account in early 90s I only have evidence of one occasion of any actual hack on any of my accounts despite using the same password for almost everything. 2-3 years ago my email/ebay/paypal was hacked and about £100 spent on software codes. Got it back in about 24hrs.

Since then... email has a unique and complex password as they had covered their tracks by deleting emails. Paypal, Amazon, Deliveroo and a few other sites have a different complex password. Most other basic sites that I don't save payment details on, social media etc I haven't bothered changing the details of.

I have had my details stolen from large well known companies before... three days before one large data breach was announced I was trying to convince them that they'd had a breach because I'd used a unique email and name combination with them and suddenly started getting spam with the fake name
1) Password vault data is stored in encrypted form. The password manager employees or any hacker can't access it without the user's master password.

2) You can access your password vault via the password manager's website. I have a Chrome extension for my password manager which makes things easier but it's not essential.
 

imightbewrong

Distinguished Member
1) What happens if the Password Manager is compromised?

2) What happens if you have to use a random computer and you don't have your mobile/tablet etc?

Some good questions.

1 - One of the premises of a Password Manager is that they have One Job - they will be 10x more secure than a random site you entrust your password to. Indeed, if you lose your password manager password, they cannot recover your passwords due to the way the encryption is set up. Their site only stores strongly encrypted passwords which you password is required to reveal.

Secondly, two-factor authentication also ensures that any compromised passwords are useless alone.

Between these two aspects, the vault is secure.

2 - As mentioned above, being at a random computer is no issue - you can log into your vault from anywhere. Personally I cannot envisage a reason I would need to log into my secure accounts from a 'random computer' - which could be compromised with any malware, keyloggers, etc. But some people may have to and they are free to log into their vault to then log into their website of choice.
 

imightbewrong

Distinguished Member
Some will argue password manager is a weak link.

Some will argue the human is the weak link, doesn’t mean we should go round deleting them ;)

Humans are definitely the weak link - my mobile phone account was compromised by social engineering - someone phoned up my phone provider and pretended to be me, using a combination of 'persuasion' and the faux-secret information like my mother maiden name etc. They convinced my provider I wanted a brand new phone number. Thankfully they sent me a text message to 'notify me of my request' which I jumped on and stopped the transfer - I was minutes away from losing my phone number of 20 years. They could not have defeated my online credentials, but the phone help desk operator was another matter.

To this day I don't know what the purpose of this attack was - but there you go.
 

hi robb

Well-known Member
Just found out one of my passwords was hacked on a cookery site today :-(

so I changed it to beefcasserole

the site said it wasn’t stroganoff…
 

imightbewrong

Distinguished Member
Just found out one of my passwords was hacked on a cookery site today :-(

so I changed it to beefcasserole

the site said it wasn’t stroganoff…

If you need a password with at least eight characters I use

snowwhiteandthesevendwarfs
 

BobBob21

Well-known Member
1) Password vault data is stored in encrypted form. The password manager employees or any hacker can't access it without the user's master password.

2) You can access your password vault via the password manager's website. I have a Chrome extension for my password manager which makes things easier but it's not essential.

1) I would be exceptionally surprised if any reasonable site was storing passwords in their database in plain text however passwords have been obtained from companies with much larger budgets to spend on cyber security than the average startup running a password manager site

2) But you don't have your Chrome extension installed when you suddenly "need" to access your account on your first day at your new employers. I fully accept my situation is rather unusual in that I don't have a smart phone and its not uncommon for me to not have any phone with me. If I can access the password manager with a single password and access any other site stored in it then so can anyone else

Some good questions.

1 - One of the premises of a Password Manager is that they have One Job - they will be 10x more secure than a random site you entrust your password to. Indeed, if you lose your password manager password, they cannot recover your passwords due to the way the encryption is set up. Their site only stores strongly encrypted passwords which you password is required to reveal.

Secondly, two-factor authentication also ensures that any compromised passwords are useless alone.

Between these two aspects, the vault is secure.

2 - As mentioned above, being at a random computer is no issue - you can log into your vault from anywhere. Personally I cannot envisage a reason I would need to log into my secure accounts from a 'random computer' - which could be compromised with any malware, keyloggers, etc. But some people may have to and they are free to log into their vault to then log into their website of choice.
But equally as above, if I can log into the vault using a single password and no other form of identification then so can anyone else.

What is the one job you think password managers have? You imply that it is to make the most secure possible repository for passwords rather than make the most money for their shareholders? The weakest link will always be the user but password managers ultimately are a low probability but exceptionally high impact should others gain access to your account.

Lets take a company will billion pound budgets to spend who claim to champion personal privacy... Apple have frequently refused to support law enforcement agencies wanting access to devices/messages etc and yet with very modest budgets, comparatively, law enforcement have found third parties able to access the data with stronger encryption claimed by most password vaults.

2 - as mentioned, I accept I am unusual not having smart nor 4g/5g enabled devices but its not THAT uncommon that when not at home (thinking pre-covid) that I want to order something on Amazon as its cheapest than in the shops or the Mrs asks something so I use my client laptop or a library machine etc. As you say they could have key loggers and other issues which would not just get my password to Amazon but my password to the password manger vault and so access to everything.
 

imightbewrong

Distinguished Member
But you don't have your Chrome extension installed when you suddenly "need" to access your account on your first day at your new employers.
You don't need a chrome extension or any extension - you need your password and two factor facility, which can even be paper based.
 

imightbewrong

Distinguished Member
I would be exceptionally surprised if any reasonable site was storing passwords in their database in plain text however passwords have been obtained from companies with much larger budgets to spend on cyber security than the average startup running a password manager site
Sure you could say it could be compromised, which is why we use two factor everywhere.

The worst password policy is weak and reused passwords, which is typically where you end up if humans try to manage passwords for dozens or hundreds of sites in their heads.
 

imightbewrong

Distinguished Member
if I can log into the vault using a single password and no other form of identification then so can anyone else

If you can log into a vault with a password alone then you are doing it wrong.
 
Last edited:

imightbewrong

Distinguished Member
law enforcement have found third parties able to access the data with stronger encryption claimed by most password vaults
They haven't cracked the encryption - they have got lucky with an unlocked phone or similar.
 

jurassicmark

Active Member
1) I would be exceptionally surprised if any reasonable site was storing passwords in their database in plain text however passwords have been obtained from companies with much larger budgets to spend on cyber security than the average startup running a password manager site

2) But you don't have your Chrome extension installed when you suddenly "need" to access your account on your first day at your new employers. I fully accept my situation is rather unusual in that I don't have a smart phone and its not uncommon for me to not have any phone with me. If I can access the password manager with a single password and access any other site stored in it then so can anyone else.
1) Companies with much larger budgets to spend on cybersecurity don't always do that, unfortunately. A password manager's core function is security so if they can't do that in a competent manner then there's something wrong. The computer code for the password manager I use (Bitwarden) is open source, meaning it's free to review and audit by anyone. That also means it can be seen by hackers who can exploit any security flaws. Bitwarden is not exactly a startup as they've been around for almost 5 years and I'm not aware of any problems with them or their code.

2) It usually takes less than a minute for me to log in to my password manager through their website so I'm not sure what issue you think there is. I've done that on a training course where I had to register with an online training website and use that for part of the course. I could do the same on the first day at my new employers if necessary.

Like virtually all other logins, it's not just a password but a username is also required to login to a password manager. I don't understand what you mean by this: "If I can access the password manager with a single password and access any other site stored in it then so can anyone else." That's only true if someone sees or records your login credentials or if you leave it logged in while not at the computer. I'm sure you wouldn't leave your computer while logged in to online banking where other people are around so similar precautions should be taken when using a password manager. I also wouldn't log in to any website while someone is shoulder surfing but would politely tell them to go away. I can't see a training company having keylogging software on their computers but I would be reluctant to use a computer that I consider likely to be dodgy.

Two-factor authentication makes the above even more secure but that's a bit difficult without a smartphone.
 

BobBob21

Well-known Member
They haven't cracked the encryption - they have got lucky with an unlocked phone or similar.
If you believe the vendor they have brute force unlocked the phone by imaging it first and reinstating the image to bypass the delays/wiping after X failed attempts. Last time I looked was before the security change of physical connections not being activated until the phone is unlocked so don't know if they claim it still works.

A password manager's core function is security so if they can't do that in a competent manner then there's something wrong. The computer code for the password manager I use (Bitwarden) is open source, meaning it's free to review and audit by anyone. That also means it can be seen by hackers who can exploit any security flaws. Bitwarden is not exactly a startup as they've been around for almost 5 years and I'm not aware of any problems with them or their code.
In an article from 2018 it showed LastPass had major vulnerabilities in each year of 2014-2017. Similarly Keeper in 2016 and 2017. The list goes on, most of these were white hat attacks but each case mentioned the vendor didn't detect the vulnerability nor the unauthorised access so its plausible that others could have used the same route before the ethical hackers announced the flaws after the vendor had had time to fix.

Like virtually all other logins, it's not just a password but a username is also required to login to a password manager. I don't understand what you mean by this: "If I can access the password manager with a single password and access any other site stored in it then so can anyone else." That's only true if someone sees or records your login credentials or if you leave it logged in while not at the computer. I'm sure you wouldn't leave your computer while logged in to online banking where other people are around so similar precautions should be taken when using a password manager. I also wouldn't log in to any website while someone is shoulder surfing but would politely tell them to go away. I can't see a training company having keylogging software on their computers but I would be reluctant to use a computer that I consider likely to be dodgy.
If just being careful/sensible was sufficient then there would be no need for password managers. If just being careful isn't sufficient then there is a risk of putting all your details in one place. Yes they'll be more secure than some random e-commerce website that someone has cobbled together using their PHP for Dummies book but they are also more a target.
 

Downinja

Well-known Member
Out of curiosity, am I right in thinking if trying to crack a password, they don't know if they are getting near, they either know the whole thing or they know nothing?

For example, if you used the following long passwords:

"my password for my bank is 123"
"my password for avforums is 123"
"my password for british gas is 123"
"my password for adultdonkeys is 123"

These would all be excellent and unique passwords?
The fact that many aspects of each of them is identical does not matter?

I'd think doing something like the above would be a very easy way to remember passwords
The first part is correct, it's not like lock picking where you get the first tumbler then the second etc.

It's an all or nothing.

Cracking is done in a fair few different ways, a brute force crack would directly be effected by the length of the password.

So a-Z for first character would be 52 attempts (upper and lower case alphabet) for 2 characters 56x56 = 3136

"my password for adultdonkeys is 123" is 35 characters, includes a space and numbers (although no upper/lower), so you are looking at 37 to the power of 35. 7710105884424969623139759010953858981831553019262380893 guesses (max)

All of that of course assumes brute force cracking.

Dictionary cracking would use a dictionary of words all of which are ones you have chosen, this would make it an exponentially smaller number of guesses.

Dictionary cracking will also use previously discovered passwords as part of the dictionary, so once the first one falls, "my password for " becomes part of the dictionary and it's faster to crack the others.

(in my understanding)
 

KyleS1

Distinguished Member
Just signed up to LastPass to give it a try. Free premium for a month, and if I like it, will take the family account. Just need to convince the wife it is worth the effort to import her passwords.
 

The latest video from AVForums

Podcast: Cleer Audio speaker + HiFi Rose Streamer Reviews & Movie/TV Show talk
Subscribe to our YouTube channel

Latest News

Astell&Kern announces AK Solaris X in ear monitors
  • By Andy Bassett
  • Published
Astell&Kern Kann Alpha audio player gets Roon support
  • By Andy Bassett
  • Published
iFi Audio launches the Zen Stream Wi-Fi audio transport
  • By Andy Bassett
  • Published
Ruark R1 Mk4 radio gets summer makeover
  • By Andy Bassett
  • Published
AVForums Podcast: 23rd June 2021
  • By Phil Hinton
  • Published

Full fat HDMI teeshirts

Support AVForums with Patreon

Top Bottom