What do your passwords look like?

[sgt_zim]

What do your passwords look like?

In my mind there are two kinds of passwords you should use.

I probably have more than 400 online accounts...banks, BBS like this one, shopping, etc. I don't know a single one of those passwords.

For most people, there are probably only 2 passwords you should remember off the top of your head - the one you use to log on to your PC, and the one to your password vault. Note that MS Excel does NOT count as a password vault. If a malicious actor breaks into your PC, one of the very first things he's going to do is search for all files with a spreadsheet extension, like .xlsx, and all document extensions like .docx.

There are a number of password vaults (mostly free), but there are 2 in particular I'd urge you to consider, with pros and cons to follow.

Lastpass
there are both a free and subscription version. the subscription version allows you to share account info with other people on your lastpass account (like your spouse). The vault's interface is your web browser

Pros:
inexpensive/free - the paid version is about $20/year, I think, maybe less.
cloud-based - which means it is portable. you can log into their website from anywhere in the world, from any computer in the world, and fetch your account names and passwords
can be used to auto-generate random gibberish for passwords, with passwords as long as 50 characters
auto-fill feature, or copy/paste. this means that even if a malicious actor has installed a key logger on your PC, he won't be able to capture any of the account names or passwords you're using because you never type them

Cons:
cloud-based. malicious actors are constantly trying to break in. but the flip side to this is...these guys actually know what they're doing WRT protecting their data, so they're a much tougher nut to crack than you are

KeePass:
completely free

Pros:
not cloud-based. KeePass is an application you download and install on your PC.
can be used to auto-gen passwords to a very long length, greater than 50 characters as I recall
hackers have been trying to decrypt KeePass databases for years, but the key is randomly generated and very long. The compute power to decrypt the key doesn't exist.

Cons:
not cloud-based - if your laptop dies or is stolen, and you don't have a backup copy of the database, you're going to have to go to the trouble of setting new passwords for all of your online accounts. this can be mitigated by storing a backup copy of the database in OneDrive or Google Drive or DropBox, but that just means you're going to need to remember one more (hopefully very complex) password

so, on to the kind of passwords you should use which you'll actually remember.

I know we're all gun nuts here, but I'm going to make an example out of golf. Suppose you are an avid golfer, and you've got a set of Pings. You might come up with a password to reflect that. "I love to swing my pings" could be done this way as a password: eyeLuv2$w!ngmyPings. That is a VERY complex and long password, 19 characters. Assuming a bad guy knew your password was 19 characters long, and assuming he knew you used UPPER, lower, numerals 0-9, and special characters (there are 32 special characters available on an American English keyboard), there are 94^19 (26 UPPER, 26 lower, 10 numerals, 32 special characters) possible permutations.

94^19 ~= 30,800,000,000,000,000,000,000,000,000,000,000,000 different combinations of characters he'd have to go through to crack your password. Given current normal compute power, it would take longer than the universe has existed to go through every combination.

But more than likely, our bad guy has no idea how long your password is, and he'll probably assume it's only 8 or 10 characters long, and will probably only have UPPER, lower, and numerals, so only 62^8 or 62^10 permutations. For us, that's still quite a large number of permutations, but for a computer with current normal compute power, would probably only take a few hours or maybe a couple days to crack.

Come up with a reasonably long, complex, and memorable password to get into your PC, and another reasonably long and complex password to log into your password vault. For all the rest, use your vault to generate passwords to the greatest length a given website will allow. If a website will allow a 40 character password, then set your vault to generate a 40-character password combo of U, l, n, and spc. Preferably, the passwords for your PC and your password vaults are a minimum of 16 characters.

2-factor or multi-factor authentication (2FA or MFA)
Google and Microsoft, among others, support 2FA/MFA. You submit your account name and password, then they send a one-time passcode to your cell phone that you will need to type into the browser (doesn't matter if there's a key logger present here because this code is usually only good for about 5 or 10 minutes) to finish authentication. Using SMS is not ideal, but for non-corporate accounts, the risk is extremely low; so low as not to need worrying about.

Setting up MFA with reputable vendors like Google and MS is pretty easy, and only takes a couple minutes.

Digital security, like physical security, is a pain in the ass. But it is the world we live in. It would be nice if I didn't need to carry a set of keys with me everywhere I go - one for the house, one for the truck, one for the mail box, one for the office, one for the tonneau cover on my truck, one for my safe, one for my wife's car, one for my parents' house, one for my gun vault, locks for my Pelican gun case...

 

[Mr. Zorg]

Zim,

What are your thoughts on personal VPN's? In my working years employers from year 2000 forward had corporate VPN's for working from anywhere other than your assigned network access point (originally your ethernet connection spot, not sure how this worked with later company wi-fi). However my employers still had issues especialpy with spear-phising attacks aimed at the 3 or so highest tiers of company management (who I never expected to have much technical smarts vs political acumen anyway).

Is there significant value for the average person having a personal VPN?

 

[sgt_zim]

To this and my thread from yesterday, I need to add this. There are no guarantees in security. You can do every single thing recommended by ITSec guys and by physical security guys, and a determined adversary is still going to eventually defeat you. In the digital world, fortunately, making yourself a tough nut to crack is generally enough. The bad guys will move on to easier, softer targets because most targets are easy and soft.

Every security suggestion I'm going to offer up will simply mitigate your risk.

Digital security lines up pretty nicely with physical security. It is fairly well-established that about 80% of all residential burglaries are accomplished by forcing a door. The take-away from that is "secure your doors." It won't keep all burglars out, but it will keep out the ones self-interested enough to not risk getting cut by broken windows.

 

[sgt_zim]

Zim,

What are your thoughts on personal VPN's? In my working years employers from year 2000 forward had corporate VPN's for working from anywhere other than your assigned network access point (originally your ethernet connection spot, not sure how this worked with later company wi-fi). However my employers still had issues especialpy with spear-phising attacks aimed at the 3 or so highest tiers of company management (who I never expected to have much technical smarts vs political acumen anyway).

Is there significant value for the average person having a personal VPN?

Yes. I use Nord and TOR, though not necessarily for the sake of security. They both give me a high degree of anonymity (which is a significant form of security all by itself). Nord runs something like $100/year, and if you catch them when they're running specials, is maybe $100 for 2 or 3 years. Nord is pretty "safe," and TOR is...a gateway to the dark web (among other things). If you travel a lot and don't want to use your corporate VPN when you're surfing (from the hotel's open wifi), you should use a real VPN service like Nord or TOR.

Personal VPN doesn't stop the phishing attacks. Being vigilant for phishing is another topic for another day.

There are a zillion legitimate reasons to use a personal VPN service. yes, malicious actors use them, too. just the same as malicious actors use AR-15s and Glocks for their form of mayhem.

 

[AfricaHunting.com]

Thank you @sgt_zim for sharing this valuable info here.

 

[PHOENIX PHIL]

Mine is like @Wheels .......PaSsworD1945

 

[Mr. Zorg]

Yes. I use Nord and TOR, though not necessarily for the sake of security. They both give me a high degree of anonymity (which is a significant form of security all by itself). Nord runs something like $100/year, and if you catch them when they're running specials, is maybe $100 for 2 or 3 years. Nord is pretty "safe," and TOR is...a gateway to the dark web (among other things). If you travel a lot and don't want to use your corporate VPN when you're surfing (from the hotel's open wifi), you should use a real VPN service like Nord or TOR.

Personal VPN doesn't stop the phishing attacks. Being vigilant for phishing is another topic for another day.

There are a zillion legitimate reasons to use a personal VPN service. yes, malicious actors use them, too. just the same as malicious actors use AR-15s and Glocks for their form of mayhem.

I no longer have access to a corporate VPN (my wife still does) since my health forced my early retirement in 2012 (at least I was able to get my pension, which I of course took as lump sum). My wife will likely retire in the next 5 years.

I have zero interest in accessing the dark web, only in reasonable measures to defend from the dark web and other attack vectors. I'll keep my eyes peeled for one of those multi-year deals from Nord.

While not IT sector workers, engineers like my wife & I are far less productive targets for phishing and spear phishing than high up corporate leadership ever was (empirically demonstrated). Critical thinking skill proficiency and all that stuff y'know.

Thanks again Zim!

 

[Bob Nelson 35Whelen]

What do your passwords look like?

In my mind there are two kinds of passwords you should use.

I probably have more than 400 online accounts...banks, BBS like this one, shopping, etc. I don't know a single one of those passwords.

For most people, there are probably only 2 passwords you should remember off the top of your head - the one you use to log on to your PC, and the one to your password vault. Note that MS Excel does NOT count as a password vault. If a malicious actor breaks into your PC, one of the very first things he's going to do is search for all files with a spreadsheet extension, like .xlsx, and all document extensions like .docx.

There are a number of password vaults (mostly free), but there are 2 in particular I'd urge you to consider, with pros and cons to follow.

Lastpass
there are both a free and subscription version. the subscription version allows you to share account info with other people on your lastpass account (like your spouse). The vault's interface is your web browser

Pros:
inexpensive/free - the paid version is about $20/year, I think, maybe less.
cloud-based - which means it is portable. you can log into their website from anywhere in the world, from any computer in the world, and fetch your account names and passwords
can be used to auto-generate random gibberish for passwords, with passwords as long as 50 characters
auto-fill feature, or copy/paste. this means that even if a malicious actor has installed a key logger on your PC, he won't be able to capture any of the account names or passwords you're using because you never type them

Cons:
cloud-based. malicious actors are constantly trying to break in. but the flip side to this is...these guys actually know what they're doing WRT protecting their data, so they're a much tougher nut to crack than you are

KeePass:
completely free

Pros:
not cloud-based. KeePass is an application you download and install on your PC.
can be used to auto-gen passwords to a very long length, greater than 50 characters as I recall
hackers have been trying to decrypt KeePass databases for years, but the key is randomly generated and very long. The compute power to decrypt the key doesn't exist.

Cons:
not cloud-based - if your laptop dies or is stolen, and you don't have a backup copy of the database, you're going to have to go to the trouble of setting new passwords for all of your online accounts. this can be mitigated by storing a backup copy of the database in OneDrive or Google Drive or DropBox, but that just means you're going to need to remember one more (hopefully very complex) password

so, on to the kind of passwords you should use which you'll actually remember.

I know we're all gun nuts here, but I'm going to make an example out of golf. Suppose you are an avid golfer, and you've got a set of Pings. You might come up with a password to reflect that. "I love to swing my pings" could be done this way as a password: eyeLuv2$w!ngmyPings. That is a VERY complex and long password, 19 characters. Assuming a bad guy knew your password was 19 characters long, and assuming he knew you used UPPER, lower, numerals 0-9, and special characters (there are 32 special characters available on an American English keyboard), there are 94^19 (26 UPPER, 26 lower, 10 numerals, 32 special characters) possible permutations.

94^19 ~= 30,800,000,000,000,000,000,000,000,000,000,000,000 different combinations of characters he'd have to go through to crack your password. Given current normal compute power, it would take longer than the universe has existed to go through every combination.

But more than likely, our bad guy has no idea how long your password is, and he'll probably assume it's only 8 or 10 characters long, and will probably only have UPPER, lower, and numerals, so only 62^8 or 62^10 permutations. For us, that's still quite a large number of permutations, but for a computer with current normal compute power, would probably only take a few hours or maybe a couple days to crack.

Come up with a reasonably long, complex, and memorable password to get into your PC, and another reasonably long and complex password to log into your password vault. For all the rest, use your vault to generate passwords to the greatest length a given website will allow. If a website will allow a 40 character password, then set your vault to generate a 40-character password combo of U, l, n, and spc. Preferably, the passwords for your PC and your password vaults are a minimum of 16 characters.

2-factor or multi-factor authentication (2FA or MFA)
Google and Microsoft, among others, support 2FA/MFA. You submit your account name and password, then they send a one-time passcode to your cell phone that you will need to type into the browser (doesn't matter if there's a key logger present here because this code is usually only good for about 5 or 10 minutes) to finish authentication. Using SMS is not ideal, but for non-corporate accounts, the risk is extremely low; so low as not to need worrying about.

Setting up MFA with reputable vendors like Google and MS is pretty easy, and only takes a couple minutes.

Digital security, like physical security, is a pain in the ass. But it is the world we live in. It would be nice if I didn't need to carry a set of keys with me everywhere I go - one for the house, one for the truck, one for the mail box, one for the office, one for the tonneau cover on my truck, one for my safe, one for my wife's car, one for my parents' house, one for my gun vault, locks for my Pelican gun case...

@Sgt Zim
I got sick of trying to remember one of my passwords that I use with a company ideal with. They would ask for my password and I'd say geez mate I'd don't know because as you say we have quite a few. We changed my password to I don't know to easy.
Yes I am serious
Bob

 

[sgt_zim]

@Sgt Zim
I got sick of trying to remember one of my passwords that I use with a company ideal with. They would ask for my password and I'd say geez mate I'd don't know because as you say we have quite a few. We changed my password to I don't know to easy.
Yes I am serious
Bob

their IT people asked you for your password?

If you use a password vault, you will only need to remember the password to get in your vault.

this is a sample of a generated password created by LastPass
6*oHC449zDRzfTI*WRMHu6avRYVu)S

I couldn't remember that if I tried, but the beauty is I wouldn't have to remember it.

one thing even lots of IT folks don't understand about passwords is that there is an intermediate step between what you type/submit for your password and then the application deciding if you've actually submitted the correct password. application databases (like logging in to africahunting.com, for example) don't actually store your password, they store a version of your password which has been run through a hashing algorithm first. when you click the "submit" button to log in here, way under the covers, the program converts the password you entered to some hash value, then compares that hash value to the hash value stored in its user database. If I used the auto-generated password above and the hashing algorithm SHA256 is what was used to hash the password, what would actually be stored in the database would be "3eab4dae691669f4e6111e9d5e82a340e05c0d36e0a9395faf04f25644f8c2e4".

This is an important security feature, because there is no way to reverse a hash. So if some bad guy manages to hack into and steal the user database from this forum, all he would have would be a lot of hashes. That could still be useful to him, though, because there are several thousand very commonly used passwords. All he has to do is (using a program he wrote) search for the hashes of those known passwords. This is what we call a "Rainbow Table Lookup." A Rainbow Table is just a list of commonly used passwords and what their hash values are. If he finds a match on a hash, then he knows what the password is that was used to generate

This is why it is important to use complex passwords, especially passwords of random characters generated by password vaults like LastPass or KeePass. Random passwords will never be in a Rainbow Table because they're not guessable words; heck, they're not even words.

This is also why you should NEVER use plain dictionary words as passwords. I could write a short little program to hash every single word defined in Oxford's Unabridged, output each word and its corresponding hash to a spreadsheet, steal a password database from some business, then compare the business' hashed passwords to the hashes i generated from Oxford's Unabridged. If I got a match on the hashes, then I'd have the password.

Even concatenating dictionary words isn't complex enough. Suppose you were a devout Christian, and you used "JesusSaves" as a password. The phrase "Jesus saves" is part of the American English lexicon, and is absolutely in at least several published Rainbow Tables. But if you still wanted to use some iteration of "Jesus saves" as your password, you could do something like
$@\/eDBieThebl00duvTh3laMb (saved by the blood of the lamb). Yeah, it would be a LONG password to type (26 characters), but not going to be in a Rainbow Table anywhere. While "Saved by the blood of the lamb" is also a part of the American English lexicon, spelled in the manner above, it's just too random for it to be in a Rainbow Table.

 

[Royal27]

Bump to the top.

If you are reading this and haven't paid heed to @sgt_zim suggestions I strongly suggest that you do. I've just spent days updating all of mine. I wasn't bad compared to most and already had randomly generated complex passwords for my financial stuff, but used similar passwords for most of my other accounts. And, I let google auto fill work for almost everything. But if google was hacked..... So no more! Everything is in the vault and all accounts are accessed through it. No exceptions.

What happened to my friend ?

Well, a financial account was hacked (the company not just his password). They then used the user name and password to start trying to hack elsewhere. They succeeded and locked him out of his email and made it into another financial account. The other account was shut down and it took literally a couple of months to know whether or not he'd lost a SUBSTANTIAL amount of money. Money he didn't have access to during that time. He got VERY lucky and it was recovered. It could have turned out another way though, easily.

An encrypted password vault would have saved him an incredible amount of stress and time.

Get safe and stay that way!

 

[AfricaHunting.com]

If you are reading this and haven't paid heed to @sgt_zim suggestions I strongly suggest that you do.

@Royal27 I could not agree more!

I have for some time used a password manager and this was one of the best decision I've made security wise. If you do online banking such a tool is a necessity, you will not regret it but if you don't you might. Things happen very quickly...

 

[Royal27]

@Royal27 I could not agree more!

I have for some time used a password manager and this was one of the best decision I've made security wise. If you do online banking such a tool is a necessity, you will not regret it but if you don't you might. Things happen very quickly...

Agree!

Here is an article that lists many of the good ones and anything is better than nothing. I use one listed here but not the "best.”

Best Password Managers for 2024 and How to Use Them

Don't let your passwords descend into chaos, or be left vulnerable to hackers.

www.cnet.com

The one I use has "zero knowledge" though which is important to me. This means all encryption and decryption occurs on my device, reducing or eliminating the risk of the vault being hacked at the company end. Nothing is perfect, but not doing anything is no different than living in a high crime area and never locking a door. It's not if, it's when.

 

[Whitebear995]

My password is the most intricate combinations of words that i can remember.

 

[sgt_zim]

My password is the most intricate combinations of words that i can remember.

The password to my vault is fairly intricate, and long at 20 characters. A hacker who is also a hunter or shooter may be able to brute force it, but nobody will every guess it.

One important point to keep in mind WRT @Royal27 's friend...

All it takes is a single person within an organization to have poor internet hygiene and then everybody's accounts become susceptible. This latest vulnerability in the print spooler service in ALL windows operating systems is a disaster in the making. It requires the use of an internal [compromised] account, but any account, even one with the least of permissions in Active Directory called "domain user," the malicious actor can ultimately take over the entire enterprise.

What is good internet hygiene? It means don't be a click-o-potamus.

• If you receive an email containing an attachment (work or private) and you weren't expecting an attachment, call the sender to verify they intended to send the attachment. If they didn't, or you couldn't speak to them, just delete the email (they will resend if it is important). It is easy to imbed malware into a PDF/DOCX/XLSX, and once you try to open, you're executing the malware
• Emails containing hyperlinks should *always* be viewed with a bit of suspicion. A compromised web site (and this happens a lot) can actually send a payload to your PC through your browser. It's not QUITE that easy, but that's how it works. In the biz, we call these kinds of places "watering holes." I'm sure the metaphor isn't lost on anyone here.

Take things at face value. If an email looks a bit off, it probably isn't safe.

Last, when your PC says it's time for an update, or several of them (I'm including you, too, you Apple Fan Bois, don't believe the bullshit marketing from Apple about their invulnerability), install those updates at your earliest convenience. 99% of updates are *security* fixes, meaning installation of the patch reduces the number of known vulnerabilities on your computer.

When I hack for money, the first thing I look for in recon is old operating systems (MS and Apple both stop supporting/patching a given OS after several years), then try and discover any newer, unpatched systems after that. The only difference between Apple and MS on this point is how the payloads are constructed.

Patching eliminates almost everything from being subject to attack. At that point, the only things that can affect you are what we call "zero day exploits," meaning we've known about them for exactly zero days. It takes a special hacker to come up with zero days. I have never developed that skill because I am not patient enough to do the required research. But there are plenty of guys who are. They're a decided minority, to be sure, but they're out there.

 

[Hogpatrol]

Any thoughts on the Norton vault?

 

[Royal27]

My password is the most intricate combinations of words that i can remember.

I hope you mean the password to your vault, and not the same password you use over and over again.

 

[sgt_zim]

Any thoughts on the Norton vault?

Wasn't aware they even had one.

I can tell you their website is locked down as tight as can be done with normal resources. Beyond that, no idea. Depends on how your data is stored, depends on how encryption/decryption is done. Probably it's pretty solid as well.

As mentioned previously, I use LastPass, and the annual subscription for the missus and me is maybe 20 USD. Pretty cheap as such security goes.

 

[sgt_zim]

Since this is an old thread and TL;DR the whole thing again, one of the things you have to keep in mind about using complex passwords, and that's this: a long, complex password of random characters is impossible to brute force, but if you provide your complex password to a watering hole or similar, they now have your password, no matter how many characters you use, and how random the characters are

Brute force = run a script that runs through all permutations for a given password length.

For short passwords, say 4 characters, it only takes modern processors a few seconds to run through all permutations - on the American keyboard, there are about 75 characters used in passwords, so 75^4 possible permutations. In computer world, that's a terribly small number.

Nine is the absolute minimum password length I would ever advise to use. Better still is 15 characters or longer. It has to do with the algorithm used to store the passwords. Short passwords use a simpler algorithm than long passwords. A 15 character password in Windows is really broken down by the OS into a pair of 7character strings, with one extra bit left over in each byte for OS overhead.

 

[Wheels]

I am "the friend". Yes it is hard to believe that Royal has a friend, but we all pay our indulgences in different ways, mine is to be Royal's friend.

I used the same id and password for my email and three financial accounts. I knew that wasn't smart but I was lazy.

A group of hackers took control of a financial institution a few weeks ago. The website was down but the sign in page remained up. I tried to sign in multiple times. That is how the hackers got my id and password. The hackers then started randomly using the id and password on financial institutions and major companies throughout the world. That is how they got into my email and three financial institutions.

While on vacation, another financial institution started sending me texts for password resets. I contacted them to lock down my account. This happened multiple times. I am pretty sure the hackers removed all funds from my account. I had followed up diligently with the financial company and the company was remiss. A new account was established and funds placed into the account, so I am fine but this could have ended very differently. I probably had 50+ hours tied up in getting this worked out.

The original financial institution that was hacked helped in a big way once I was able to get past the initial two levels of gatekeepers/customer service, but hackers had gotten in and sold assets to cash and were trying to get the cash out of the account. I am fortunate the account was a retirement account so the sell didn't trigger a taxable event.

The third financial account was basically empty. I haven't messed with it.

I have had my email for 25-30 years. I noticed while on vacation that some of my emails had been read that I hadn't looked at. After a couple of days, I couldn't even get into my email account. I contacted ATT but they weren't real helpful. They have three questions I had to answer.

1. What is the email address?
2. What is the name on the account?
3. What is the zip code?

The hacker changed the name on the account, even though my name was part of the email address. He also changed the zip code.

I have had the same name all my life.
I have had the same email for over 25 years.
I have had the same physical address and ip address for over 25 years.
I have had the same zip code for over 25 years.

ATT should be able to confirm this, but ATT doesn't care. I talked to 34 people with ATT for 15-15.5 hours. Basically they are saying the email is no longer mine. All my contacts are gone. Communications with family members that held family history are lost since the family members are dead. Personal info, etc. Just think what you may have on your own emails from 25+ years ago when security wasn't as big a deal. You get the idea.

The hackers tried to gain control of my phone and change the sms. Thankfully this didn't happen or they would have had access to change all 2F identification.

2Factor identification is something I did right. If you don't use 2 Factor identification then you should definitely use it. If not for 2F or sms, I would have been out significant amounts of money, at least significant for me. Also whitelist financial accounts so funds have to age a couple of days prior to being removed.

My daughter is in town. She helped me set up a password vault. I now remember one password. The rest are auto generated. I should be in much better shape now than I was before. I only did the main accounts, not everything I log in for. If "Wheels" goes off on AH and starts spouting more nonsense than usual, then you will know my AH account has been hacked.

Hopefully this story will encourage everyone to review their internet security and to improve it if they need to.

@sgt_zim Now that I have a password vault, what happens if there is an emp? Do I need to keep a copy of the random generated passwords in a safe place somewhere or just trust that the password vault company is safe and will come back online when the rest of the internet gets back in service?

 

[Wheels]

@sgt_zim Thanks for all the good information on this thread.