What is 'best practice' for password management?

ship691

Hi

What is the 'best practice' for managing one's passwords?

A) HOW SHOULD I STORE PASSWORDS?
Problems:
1. I need to manage a fairly large number (i.e. 50+). So there are too many to remember.

2. Obviously I don't want to keep them inside a simple unencrypted text file, in case my data gets hacked.

3. If I download a dedicated password application, how can I trust it?(!)

4. I don't trust 'The Cloud' nor any of the big data owners: google, apple, amazon, drop-box et al.

5. I don't want to be tied to anything that I can't migrate with me onto my next hardware, when I come to upgrade my PC(s).

Either way I don't really want to pay anything (certainly not more than a few dollars) for this security.

I was thinking of using something like TrueCrypt to create a virtual drive (that I encrypt robustly) and then storing my passwords in an ordinary text file.
That way I would have a single master password (for TrueCrypt) which would give access to all the other passwords.
[Aside: Obviously if I forget my master password I'm screwed!]


B) PASSWORD CONVENTIONS
As you know many sites require passwords that meet specific rules e.g.
- At least one upper AND one lower case letter
- At least one digit
- No triplets (three characters the same next to each other) (iTunes!)
- No more than 16 characters

Double-click problems
Some sites allow extended ASCII characters (e.g. £$%^&*), which give VASTLY better security of course. BUT they are a mighty pain to use regularly because if you double-click using Windows (XP /7 /8), Windows doesn't accept extended as being part of 'a word' and ignores the extended ASCII characters in your password. And if you TRIPLE-click, it then selects the entire line! This is a nightmare if you are in and out of passwords all day.

SUMMARY
a) I want passwords that are pretty much secure.
e.g. say 1 trillion years from my desktop to crack according to this site:
https://howsecureismypassword.net
(Not that I trust it not to harvest whatever I put in and use against me!)
This is extremely hard (perhaps impossible) to achieve within 16 characters unless one uses extended ASCII.

b) For day-to-day convenience, I want to absolutely minimize the number of clicks and keystrokes.

c) For low security sites that I don't give a damn about, I just want something easy to type in.


- Any suggestions?

With thanks

J


P.S. For reasons of security I also quite often clear out all cookies.
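
As an added example (not part of the original post): a generator for the rules listed under "B) PASSWORD CONVENTIONS", restricted to letters and digits so that a double-click selects the whole password, together with the size of that search space. The function names and the letters-and-digits alphabet are assumptions made for this example.

```python
import math
import secrets
import string

# Letters and digits only: a double-click selects the whole password as one "word".
ALPHABET = string.ascii_letters + string.digits
MAX_LEN = 16  # the length cap listed in the post


def meets_site_rules(pw: str) -> bool:
    """Check the rules listed under 'B) PASSWORD CONVENTIONS'."""
    if not pw or len(pw) > MAX_LEN:
        return False
    if not any(c.isupper() for c in pw) or not any(c.islower() for c in pw):
        return False
    if not any(c.isdigit() for c in pw):
        return False
    # No triplets: three identical characters next to each other.
    return all(not (a == b == c) for a, b, c in zip(pw, pw[1:], pw[2:]))


def generate(length: int = MAX_LEN) -> str:
    """Draw from the OS CSPRNG and retry until the rules are met.

    Rejection sampling keeps the result uniform over all rule-compliant strings.
    """
    if not 3 <= length <= MAX_LEN:
        raise ValueError("length must be between 3 and 16")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_site_rules(pw):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Upper bound on the entropy of a uniformly random string.

    The site rules reject a small fraction of strings, so the true figure
    is slightly below this bound.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate(), f"<= {entropy_bits(MAX_LEN):.1f} bits")
```

With 62 symbols and 16 characters the bound is about 95 bits; the same function gives the figure for any other alphabet size or length.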
 

I have gone through the same thing. Most of mine I don't worry too much about, like this site. If anyone discovered my password here, what harm could come to me, except someone typing messages under my name, no big deal. The only ones I really worry about are my bank, PayPal and ones like that where money is involved. I have a Word document with passwords that is buried in a file and is doubtful anyone could find it.
 

This post shames me to a certain extent and prods me in others. I'm one of those dummies that only use a limited number of passwords for all my sites. Been meaning to diversify and will very soon. I am the only person with access to my machine and the passwords I use are fairly secure so I'm comfortable with mine until the end of my season.

Now as to your query and comments ........ I think the TrueCrypt solution you mentioned would be the best. I've used it before in the way you describe and it worked perfectly. Thumb drive for me. LastPass is a pretty good manager also and I'm sure you'll get other recommendations to it.
 

Double-click selection
After extensive googling I can't find any solution to the double-click not selecting extended ASCII problem. Bl**dy Microsoft :^[

However my partial solution to this double-click selection problem is to store my passwords in an (Excel) spreadsheet, rather than in a text file. A single click on a cell selects its entire contents, which can then be pasted into a web page, weird characters and all!

LastPass
A) it has had security breaches
B) the passwords are stored somewhere in the cloud where they, with enough processing power, get decrypted.
C) how sure can we be that they haven't coded a backdoor into their system, either deliberately or accidentally.
D) what happens in the event of a war and the state nationalises them?
E) what happens if a trojan/virus installs itself into my system and starts harvesting data e.g. keystrokes
Nice try, but again we can't completely trust it.

Nope - call me old-fashioned but I'd rather store my own passwords thank you.

PW Conventions
Fwiw, some people use a convention that uses the name of the site in question as part of their password. e.g. You might incorporate the first 3 letters of the site in question into the start or the end of your PW. Personally I find that cumbersome and would rather do a control/F to find the PW and copy and paste. Also I have more than one email address which adds to the complication of what needs to be stored...(!)
 

I use a passworded Excel file that opens with the touch of a macro key. I just hope I never forget the password to that!
 

Just a passworded Excel file, on its own.... It's a start but, suppose you lost your data on a train would you be happy with that level of security? Really...?
 

I would also suggest you use a TrueCrypt file for that. Store an Excel file in it and, if you are the only user on your machine or nobody else uses your user account, you can create a batch file for Autorun to mount your drive at your login.

However, this batch file will be visible when executed and show your master password. To fix that there is a way by using a VBScript to hide the CMD window. Forgot where I read that.

This will make it quite comfortable to use. I think you can also have the batch file prompt you for the password in case you find it unsafe in autoruns.

About password length, I'd choose at least 16 characters of all kinds with numbers and digits and make sure to hit the spacebar 1-2 times in the password as well. That is not very common but helpful and more secure.
 

Are you speaking of very important sites that you are protecting, such as your bank, or are these just everyday sites that you visit?
 

Just a passworded Excel file, on its own.... It's a start but, suppose you lost your data on a train would you be happy with that level of security? Really...?

If I lost my data on a train I'd be wondering why I had a 30lb+ mid tower rig with me on a train.
 

Just a passworded Excel file, on its own.... It's a start but, suppose you lost your data on a train would you be happy with that level of security? Really...?

If I lost my data on a train I'd be wondering why I had a 30lb+ mid tower rig with me on a train.

I once lost my laptop on a train, but there were some nice folks who helped me find it.
 

I use LastPass for everyday-type passwords like forums, email and the like. I feel that LastPass is safe enough for these.

Financial type are kept in my head and changed often.
 
