Using the same password at multiple websites is a huge security risk. How can I have unique passwords and remember them, too?
With more webapps popping up every day, many of us now have accounts at hundreds or thousands of sites. How can we remember passwords for all of these sites while maintaining security?
You can set up a cron job to send reminders about passwords.
You can send reminders by SMS to the user's mobile; for sending SMS you can use Spring Edge Messaging.
You can also check password strength at login itself and ask the user to change it.
One simple way to do it is by using a pattern on your keyboard.
For example, for a Facebook password you can use FtgY1! (adding '1!' for complexity purposes).
For a Gmail password, start from the letter G, which would be GyhU1!
For a LinkedIn password, start from the letter L, which would be Lp;{1!
By using this method you now have passwords that are:
1. easy to remember
2. hard to guess
3. hard to crack by brute force (depending on how many characters you use)
4. not dependent on any password-keeping tools.
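The pattern in this post is a fixed rule applied to the site's first letter, so the question a practitioner asks is how many distinct passwords it can produce at all. The script below is an added example, not code from the post, and assumes a US QWERTY layout. It reconstructs the post's walk (start key, then alternating up-right and down, Shift held on the first and last key, then the fixed '1!'), reproduces the three passwords given, and enumerates the full output set: 26 passwords, one per start letter, and the remaining variation is only in which "small" suffix the user picked. That number, plus the fact that keyboard walks are a standard category in cracking wordlists, is what "hard to guess" has to be measured against: anyone who sees one of these passwords in a breach dump can derive the others.

```python
import string

# US QWERTY, top row first. Each row is staggered half a key to the right of
# the row above it, so "up-right" from column c lands on column c+1.
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = dict(zip("1234567890-=[];',./", "!@#$%^&*()_+{}:\"<>?"))


def shift(key):
    """Character produced when the key is pressed with Shift held."""
    return key.upper() if key.isalpha() else SHIFTED.get(key, key)


def locate(key):
    for r, row in enumerate(ROWS):
        if key in row:
            return r, row.index(key)
    raise ValueError(f"not a keyboard key: {key!r}")


def zigzag(start, length=4, suffix="1!"):
    """Reconstruct the post's walk: start key, then alternate up-right and
    straight down, with Shift on the first and last key, then the suffix.
    Returns None if the walk runs off the edge of the keyboard."""
    r, c = locate(start.lower())
    keys = [ROWS[r][c]]
    for step in range(1, length):
        if step % 2:            # odd steps go up-right
            r, c = r - 1, c + 1
        else:                   # even steps go straight down
            r += 1
        if not (0 <= r < len(ROWS) and c < len(ROWS[r])):
            return None
        keys.append(ROWS[r][c])
    keys[0], keys[-1] = shift(keys[0]), shift(keys[-1])
    return "".join(keys) + suffix


def password_for(site):
    """The post's rule: the walk starts at the site's first letter."""
    return zigzag(site[0])


def candidate_space():
    """Every password the rule can ever produce, keyed by start letter."""
    out = {}
    for start in string.ascii_lowercase:
        pw = zigzag(start)
        if pw is not None:
            out[start] = pw
    return out


if __name__ == "__main__":
    for site in ("Facebook", "Gmail", "LinkedIn"):
        print(f"{site:9} -> {password_for(site)}")
    space = candidate_space()
    print(f"{len(space)} possible passwords in total:")
    print(" ".join(space.values()))
```

Changing the suffix, the walk length or the direction enlarges the set a little, but each of those is one more fixed choice the same attacker simply adds to the pattern.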
Hi Chris,
I would follow the advice of the security expert Bruce Schneier:
"Passwords: You can't memorize good enough passwords any more, so don't bother. For high-security Web sites such as banks, create long random passwords and write them down. Guard them as you would your cash: i.e., store them in your wallet, etc."
Source: https://www.schneier.com/blog/archives/2004/12/safe_personal_c.html
If so, I suggest you go for a voice-based password, which is 100% secure. No one will hack your account. If you want more details I am ready to help you out.
Cheers
Karthik
This may sound very simple and not even good, but I always choose a username that I can think of and relate to my first thought. No one can read your mind, but I have always found using robots risky. Example: Username - TheGirls143, Password: Blessings@620. No one has a clue but me. I know, way over my head right now.
Tips
If you say the letters or numbers to yourself as you type them you will begin to get a rhythm; this will help you to memorize it.
The most secure passwords contain lowercase letters, capital letters, numbers, AND symbols. Make a standard of holding down shift for the first four characters, or characters three through seven, or whatever you like. You won't have to stop and remember where you inserted that pesky exclamation point or whether you replaced the 's' with '5' or '$' this time.
When coming up with a mnemonic sentence, try and make the sentence funny or relevant to yourself. That way you will find it easier to remember the sentence and the password.
You might combine several of these methods and still come up with a truly memorable yet very strong pass phrase.
First off, you are correct, using the same password for more than one site is a risk you need not take. We have many sites and literally hundreds of passwords to remember. We use a product called RoboForm. It stores all your passwords and all you need to remember is one master password. They have industry-leading encryption technology to protect access to your passwords. It has a mobile component so you can share it across your PC, Mac, Smartphone or Tablet. It has saved us huge amounts of time, energy and headaches. It is also quite inexpensive. We highly recommend it to our clients.
A method I read about was to generate a one-time password based on the site itself. For example, a formula could be: take the first, third and fifth letters of the site's name, add a meaningful number, and then capitalise the first three letters of your username there. So, my Gmail password would be gal13GEN.
You can substitute or even add special characters if you want additional security. If the number is an issue, since you want randomness, use something like g = 7, a = 1 and l = 12 (their positions in the alphabet).
I'm not a big fan of 3rd party applications. I know several IT folks that do use them, but I prefer not to be bound by a company.
Another method is to use a combination of a phrase or song and the site. For example, the Beatles song "Will you still feed me, will you still need me when I'm 64". For a Windows login the site begins with a W, so I would go to the phrase, locate a word starting with W and begin the password sequence there, resulting in wHeniM64, capitalizing every 2nd letter. The key here is to have a song, phrase, sonnet, Bible passage, Shakespeare play, etc. memorized well enough to use it often enough.
Hope those help.....
This is a great question Chris. The password managers are OK and you could have them generate a password for you. The only drawback is if you somehow lost access to that, you would lose access to everything.
Using an OAuth provider like Google, Twitter, OpenID, etc. is OK. Just be aware that if you use FB, Google, etc., you are also allowing that site to track your activity everywhere you use it and, if that is compromised, everything is.
The so called "multi-factor" (2-factor) systems that use a username/password (uhm... same issue, huh) and send a code to your phone are only marginally better than a uname/pass alone and don't address your question because you still need the password. They are also not really multi-factor - just sequential single factor because you have to pass the username/password before you get the code and, if I compromise your SMS system, I can get the code too.
One solution would be to have a multi-part password system. For example, if you had a 4-part password, you could have one part that fulfills the complexity requirements of sites that enforce that: a word or short phrase that has at least one capital letter, one numeral, and one special character like '!' or '-' (some sites severely restrict the special characters or even disallow them, so you should have a backup letter or number). Suppose you love Niagara Falls; you could have this 'common' part = n1@grA-fall5. The second part might be the domain of the site (e.g. "IBM", "Amazon", "Google"). The third part would have a limited number of possibilities, like 'to', 'too', or 'two'. The final part could be the year and quarter... 2013-4.
So, an assembled password might be "n1@grA-fall5IBMtwo2013-12". Since "n1@grA-fall5" is constant, "IBM" is provided (by being at that site), and the year/quarter is easy to remember, that leaves you with only "Which 'too' did I use?" and has a maximum of 2 wrong guesses.
There! You have unique, easy to remember, difficult to crack, complex passwords that allow for all requirements, including changing your password every x days with no reuse allowed.
Of course, the best solution is to eliminate passwords altogether using true multi-factor biometrics. We are not far from this reality... ;)
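Both site-derived schemes in this thread (the first/third/fifth-letter formula above, and Paul's common part + site + 'too' + year/quarter) share one property: the rule itself is the secret, and the rule is recoverable from one or two of its outputs. The block below is an added example, not code from either post. It implements the first formula as written (the username "gene" is an assumption, chosen so the output matches the post's gal13GEN), and beside it a keyed version of the same idea: the site-specific part is an HMAC-SHA256 of the site label under a master secret, encoded with rejection sampling so every required character class is present, with a counter standing in for Paul's year/quarter rotation. With the keyed version, learning one password tells an attacker nothing about any other site's, which is the property the human-memorable formulas cannot offer; the trade-off, as with Paul's scheme, is that you must remember the counter, and changing the master secret changes every password at once.

```python
import hashlib
import hmac
import string

# Character classes a site may require; the symbol set is deliberately small
# so that it passes most sites' filters (narrow it per site if needed).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*-_",
}


def page_rule(site, number, username):
    """The post's formula: letters 1, 3 and 5 of the site name, a memorable
    number, then the first three letters of the username capitalised."""
    if len(site) < 5:
        raise ValueError("site name needs at least five letters")
    return site[0] + site[2] + site[4] + str(number) + username[:3].upper()


class KeyStream:
    """Deterministic bytes: HMAC-SHA256(master, label || block) in counter mode."""

    def __init__(self, master, label):
        self.master, self.label, self.block, self.buf = master, label, 0, b""

    def byte(self):
        if not self.buf:
            msg = self.label + self.block.to_bytes(4, "big")
            self.buf = hmac.new(self.master, msg, hashlib.sha256).digest()
            self.block += 1
        b, self.buf = self.buf[0], self.buf[1:]
        return b

    def index(self, n):
        """Uniform index in [0, n): rejection sampling avoids modulo bias."""
        limit = 256 - 256 % n
        while True:
            b = self.byte()
            if b < limit:
                return b % n


def derive(master, site, username, counter=0, length=16,
           classes=("lower", "upper", "digit", "symbol")):
    """Keyed version of the post's idea (assumed design, not any product's):
    the site-specific part is an HMAC of the site label under the master
    secret, encoded so at least one character of every required class is
    present. `counter` plays the role of the year/quarter part: bump it to
    rotate the password for one site without touching the others."""
    if not master or not site:
        raise ValueError("master secret and site are required")
    if length < len(classes):
        raise ValueError("length too short for the required classes")
    label = f"{site.lower()}\x00{username.lower()}\x00{counter}".encode()
    ks = KeyStream(master.encode(), label)
    alphabet = "".join(CLASSES[c] for c in classes)
    chars = [alphabet[ks.index(len(alphabet))] for _ in range(length)]
    # Force one character of each required class into a distinct position,
    # choosing both the position and the character from the key stream.
    free = list(range(length))
    for c in classes:
        pos = free.pop(ks.index(len(free)))
        chars[pos] = CLASSES[c][ks.index(len(CLASSES[c]))]
    return "".join(chars)


if __name__ == "__main__":
    print(page_rule("gmail", 13, "gene"))            # gal13GEN
    master = "correct horse battery staple"           # assumed master secret
    for site in ("ibm.com", "amazon.com", "google.com"):
        print(site, derive(master, site, "chris"),
              derive(master, site, "chris", counter=1))
```

The keyed scheme is what "stateless" password managers do; it still needs a record of each site's counter and character-class policy, which is why most people end up with a stored vault anyway.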
Thanks Paul! A ton of great points. One other thing that's irritating about passwords that you allude to is some sites require lower, upper, number, and non-alphanumeric while others only allow you to have alphanumeric. You shouldn't use the same password everywhere but it'd be nice if places were consistent. And definitely agreed on biometrics. They might not be as far away as we think either. But then we might have to worry about literal hacking of "biometric factors". :) Hopefully I've seen too many sci-fi movies.
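The inconsistency Chris describes (one site demanding all four character classes, another allowing only alphanumerics) is exactly what a manager's generator has to be parameterised by. The block below is an added example, not code from any manager mentioned in the thread; the three policies are constructed for illustration, not taken from real sites. It draws from the OS CSPRNG via `secrets`, resamples the whole password until the policy is met (which keeps the result uniform over the set of compliant passwords, unlike patching a forced character into a fixed position), and reports the entropy each policy actually buys.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*-_=+"   # small set that most sites accept; narrow it per site

# Constructed example policies, not taken from any real site.
POLICIES = {
    "bank: alphanumeric only, exactly 12": {
        "length": 12, "allowed": LOWER + UPPER + DIGITS,
        "require": [LOWER, UPPER, DIGITS]},
    "webmail: all four classes, 20": {
        "length": 20, "allowed": LOWER + UPPER + DIGITS + SYMBOLS,
        "require": [LOWER, UPPER, DIGITS, SYMBOLS]},
    "forum: anything goes, 16": {
        "length": 16, "allowed": LOWER + UPPER + DIGITS + SYMBOLS, "require": []},
}


def complies(pw, policy):
    """Exact length, only allowed characters, at least one of each required class."""
    return (len(pw) == policy["length"]
            and all(ch in policy["allowed"] for ch in pw)
            and all(any(ch in cls for ch in pw) for cls in policy["require"]))


def generate(policy):
    """Draw from the OS CSPRNG (secrets, never random) and resample the whole
    password until it satisfies the policy."""
    if policy["length"] < len(policy["require"]):
        raise ValueError("length too short to include every required class")
    if any(set(cls) - set(policy["allowed"]) for cls in policy["require"]):
        raise ValueError("a required class contains characters the site disallows")
    while True:
        pw = "".join(secrets.choice(policy["allowed"]) for _ in range(policy["length"]))
        if complies(pw, policy):
            return pw


def entropy_bits(policy):
    """Upper bound on guessing entropy: length * log2(alphabet size). The
    class requirement excludes a few passwords, which lowers this slightly."""
    return policy["length"] * math.log2(len(set(policy["allowed"])))


if __name__ == "__main__":
    for name, policy in POLICIES.items():
        print(f"{name:40} {generate(policy):22} ~{entropy_bits(policy):.0f} bits")
```

The entropy line is the useful comparison: the 12-character alphanumeric bank password sits near 71 bits, while the 20-character webmail one is near 124, which says more about where your strongest credential should go than any composition rule does.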
First, these webapps should be tying into an API of a current client you use, i.e. LinkedIn, Google/Gmail account, etc. Even Yahoo mail works with a Google Gmail account. It takes Microsoft single sign-on to a better level.
This should bring your statement of 100s to 1000s of sites down to a handful.
Really interesting idea to cut down on your number of passwords. But I think there's an issue here for websites that implement social login/join. Say Yahoo allows you to login/join with Google. I still think Yahoo almost definitely has to ask for your email and password anyway. The reason for this is if Google decides to stop allowing Yahoo to use social login/join or if Google has technical issues. Yahoo could be left with a bunch of members that don't have a way to login to their site.
It's not an idea, it's a solution in place. Yes! You establish a password for Yahoo, but the question was about reducing the amount of passwords for web applications. For example, I only need to know my Google Gmail account to get into 20 web applications, all from different sources. It's just a single sign-on API, nothing new. It's like having the same master key that opens your back door, front door, shed, gate, etc. on your house.
Try it out for your own proof.
I'm very familiar with it being available now. I'm just wondering how many sites will truly allow me to do this without requiring a password for their site. If so, this is a very intriguing thing to consider. But to all the site owners who have to implement social sign-in, I definitely wouldn't recommend not asking for a password. If a social service ever cuts you off or has tech issues, you might be out of luck.
It's pretty standard to use a social network sign-in of your choice (LinkedIn, Twitter, Facebook, etc.) when interacting with other applications, e.g. http://mashable.com/: read an article there and if you want to interact with a comment, see what happens. Social sign-in is just using the API of the social network's security; the authentication is passed on. It's up to the user to supply the password of the social network they're interfacing with to gain access. If you get cut off, use another social network site. If all of them are down, then the world has ended.
This is a huge concern for me as well. I have been using http://roboform.com... It is amazing. You just need to remember one password and you can set all other passwords to ones that are unbreakable. Try it out, it works for me!
Thanks for the insight, everybody. I'll just add one more idea I was thinking about: two-factor authentication, e.g. requiring your phone or some other device along with a text password.
Stock brokers and banks have been offering this for a while now, often in the form of a keychain or a card. And now we're starting to see mobile phone two-factor authentication become very popular. The downside is logging in becomes slower and more annoying and you might get locked out if you don't have your other auth device.
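The phone-as-device variant Chris describes is, in the common form, a TOTP app: the phone holds a secret shared once at enrolment and computes the code locally from that secret and the current time, so nothing is transmitted to the device and the SMS interception Paul raised above does not apply. The block below is an added example, not code from either post: it implements HOTP (RFC 4226) and TOTP (RFC 6238) from the standard library and checks against the secret and values published in those RFCs, then shows the server side that the thread's "lockout" worry is really about: a drift window of one step either way, a constant-time comparison, and a guard so a captured code cannot be replayed within its 30-second validity. The `Verifier` class and its replay rule are an assumed design, not from the page.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
# A real enrolment uses a random secret shared once with the device.
RFC_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with counter = floor(unix_time / step). This is what the
    app on the phone computes; nothing has to be sent to the device."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


class Verifier:
    """Server side (assumed design). Accepts a code from the current step or
    +-window steps to absorb clock drift, compares in constant time, and
    refuses any step at or before the last accepted one so a code captured
    in transit cannot be replayed inside its validity window."""

    def __init__(self, secret, step=30, digits=6, window=1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_accepted = -1

    def verify(self, code, at=None):
        if not (isinstance(code, str) and len(code) == self.digits and code.isdigit()):
            return False
        if at is None:
            at = time.time()
        now = int(at) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_accepted:
                continue                       # replay guard
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    for t in (59, 1111111109, 1234567890):
        print(t, totp(RFC_SECRET, at=t, digits=8))    # RFC 6238 Appendix B values
    v = Verifier(RFC_SECRET)
    code = totp(RFC_SECRET, at=59)
    print("first use:", v.verify(code, at=59), "replay:", v.verify(code, at=59))
```

Two things the code makes concrete for the "locked out" concern: the window is the only tolerance for a phone whose clock has drifted, and losing the device means losing the secret, which is why enrolment should also issue one-time recovery codes stored somewhere else.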
You're right about the downside if you don't have your device. Additionally, making sure that device can be wiped remotely (or automatically after 3 failed attempts).
As far as password managers go - if you stay logged in and get malware then you still have to change everything. But at least you have a record of how to log in. Look up the Ars Technica website and search for "passwords", "cracker", etc. - they have a great article on what passwords are easiest to crack.
Speaking of login records, one controversial record-keeping service is Google Chrome. They literally store your passwords unencrypted on your computer, viewable by this url: chrome://settings/passwords -- I guess the rationale is if somebody has physical access, you're in trouble anyway. But definitely something everybody should know.
Well - call me paranoid, but even though I use LastPass and have used RoboForm, to me the most convenient thing to do is to create passphrases with the number of characters based on the security level you want. So, for example, a forum like this is mid-level and has a shorter passphrase with fewer caps/special characters. Part 2 is adding a number. Again, length depends on what info I'm putting on the site. Then I tack on an identifier, e.g. MosaicHub = MOS. You can do the site-specific code based on just about any pattern, but you *must* stick to the formula or you'll get confused. Then I put it all in a spreadsheet, on paper, etc. for reference. The shortest passphrase = Ns. Longer = NS. I use x's instead of writing down the actual numbers of part 2 because the character count will let me know which code it is. Then I add an identifier. A password for a bank account such as Citizens Bank, however, would be (Secure) Ss or SL (secure, long passphrase) & special characters, + xxxxxxx, + CB. If I think I'll forget a really long login, I will write down numerals in modular arithmetic form.
To clarify, a low-level security concern on a site that will not have personal or CC info would be written down as: Alphadeltalambda.com, email address used, password Ns + "Ps - XxXxXx" + MOS, with "Ps" = PIN # in mod six (which means 7 = 1, 8 = 2, etc. It's hard to show without sub-characters). But I prefer writing it down vs the cloud, especially with viruses etc. Save the spreadsheet on your devices and keep the cipher code you developed somewhere safe.
I think you bring up a great point about basing your password on the type of site. There are certain sites that I'd recommend having a strong, highly unique password for: financial sites (banks, etc.), any sites that have your credit cards saved, email addresses where you can send password reset requests to, and any accounts that have confidential or sensitive information. But for other sites, I might use an ultra-simple, horrible password with the thought being, "Feel free to hack into my account here."
I use a "black-book". That is a physical notebook in which I record all security credentials: user names, emails, passwords, IP addresses, serial numbers, etc. They're written in a simple translation code, so typing what you see won't work. Like my mobile phone I always have it with me when I'm working. If someone wants to steal my password, they're going to have to fight me for it. Giving my credentials to a third-party to look after would just be plain madness.
Interesting. This is actually something I've done as a stopgap until I can find a solution I like. I also use a technique so that the stuff I'm writing down can't just be typed in verbatim. The reason I'm looking for another solution is it requires a decent amount of updating. And it's kind of like the nuclear briefcase the president carries around. Losing it would be painful.
If you treat your black-book like your house/car keys and wallet then you should be okay.
Yes losing any of them would be seriously painful, not to mention downright embarrassing for a 'security-minded' person such as myself. The way I see it is that I only have to remember one thing - keep my black-book near and safe - it's more valuable than my wallet.
Chris, it's interesting that you say you've done this as a stopgap - usually I find any stopgap that's hard to replace often only needs a little bit of formalization to become an indispensable asset.
Great points. I used similar ideology when trying this out. I always make sure to remember my wallet, keys, and phone. And I think digital security is worth remembering one more additional thing. And there's definitely ways to avoid issues involved with losing it. And another rule I've heard about hacking is if they have physical access to your devices/equipment, you're in trouble anyway. There'll always be risk.
Hi Chris, LastPass is great, but here are some alternatives you might want to consider also:
KeePass
1Password
Keeper
RoboForm
Using a mnemonic device that relates to the name of the service or webapp can help. As an example, a good mosaicHub password might be: t1mapfM0s41chub@@ (translated to "this is my awesome password for mosaichub"). You'll still need to remember the full sentence and any capital letters or punctuation, but it's much better than using the same password everywhere.
Another option is a service like LastPass (https://lastpass.com) which lets you use even more complex and secure passwords because they don't have to be remembered at all. You will, however, need to run the LastPass program on your laptop to store your passwords.
Good ideas. I don't know a ton about LastPass but I think most of it sounds like what I'm looking for. I assume they create unique passwords for each site and then just require you to have one LastPass password, which is easy to remember.
The only concern I would have is what if the LastPass application has a bug, is hacked, etc. Do they only store the encrypted passwords locally? Do they store them on the cloud? Each presents its own challenges. And it would also require that I have LastPass on all of my devices: laptop, tablet, phone, etc. I think these questions have held me back from actually using it.
As I understand it, the LastPass application you install on your device(s) encrypts the keystore with AES-256 and syncs that encrypted keystore with LastPass. That way, all of your devices can share the same keystore. When you need to retrieve a password, you provide a single passphrase (along with optional multi-factor authentication) to temporarily decrypt the keystore.
I think the bug/hacking/intrusion is a legitimate concern -- you have to evaluate whether or not the risks associated with it are worth the potential reward of using very strong passwords.
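Gene's description ("encrypts the keystore with AES-256 ... provide a single passphrase ... to temporarily decrypt") leaves out the step that decides how strong a synced vault actually is: AES-256 needs a 32-byte key, and that key has to come from the passphrase. The block below is an added example of that unlock step, not LastPass's code and not its real parameters: PBKDF2-HMAC-SHA256 with a random per-vault salt and a work factor (the 600,000 iterations here are an assumption, picked as a reasonable current default), plus a check value so a wrong passphrase is rejected without touching the encrypted entries. Encrypting the entries themselves with the derived key (AES-256-GCM through a crypto library) is not shown. The point for the risk Chris is weighing: once the encrypted blob is in someone else's hands, opening it offline costs exactly the passphrase's guessability multiplied by this work factor, and nothing else.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for this example; the
# right number is "as high as your slowest device tolerates at unlock".
ITERATIONS = 600_000


def derive_key(passphrase, salt, iterations=ITERATIONS):
    """Stretch the passphrase into a 32-byte (AES-256-sized) key."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, iterations, dklen=32)


def check_value(key):
    """A verifier derived from the key, not the key itself, safe to store
    next to the ciphertext."""
    return hmac.new(key, b"vault-unlock-check", hashlib.sha256).digest()


def new_vault_header(passphrase, iterations=ITERATIONS):
    """Created once when the vault is set up. The salt is random per vault,
    so the same passphrase on two vaults still yields two different keys
    and a precomputed table cannot be reused across vaults."""
    salt = os.urandom(16)
    key = derive_key(passphrase, salt, iterations)
    return {"salt": salt, "iterations": iterations, "check": check_value(key)}


def unlock(header, passphrase):
    """Return the key if the passphrase is right, else None. The comparison
    is constant-time; the cost of a wrong guess is one full PBKDF2 run."""
    key = derive_key(passphrase, header["salt"], header["iterations"])
    if hmac.compare_digest(check_value(key), header["check"]):
        return key
    return None


if __name__ == "__main__":
    header = new_vault_header("correct horse battery staple")   # assumed passphrase
    print("right passphrase:", unlock(header, "correct horse battery staple") is not None)
    print("wrong passphrase:", unlock(header, "Correct horse battery staple") is not None)
```

Because the check value (like the authentication tag on the real ciphertext) lets an attacker test guesses offline with no rate limit, the passphrase for a synced vault has to be chosen as if every guess were free; the iteration count only makes each guess cost more.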
Thanks Gene. Another great take. Seems like a common thread is to try to create a formula that's easy to remember but relatively hard for people to figure out. I'll have to try something like this.