
Best practice for passwords and usernames

Started by: gregg_b
On: 27/07/2016 | 12:26
Replies: 49

by: harrrrrry
on: 28/07/2016 | 22:03

jondav14:

is "password" not safe?

 

No, you have to disguise it -- like p^5$vv0rD -- otherwise people will see you type it and guess that it's a password.

 

That's completely official according to Plesk ...

 

[Two screenshots attached: Untitled-3.png, Untitled-2.png]

 

The paradox is that although weak passwords are supposedly easier to crack, in practice a burglar is more likely to find a strong password written on a post-it note near your computer than a weak one -- and the probability of finding even a weak password near the monitor increases substantially the more frequently the password is changed.

Get a free giffgaff Sim

Message 21 of 50
by: exmember-2018-4735772
on: 28/07/2016 | 23:14

@harrrrrry

 

I should be OK then? There are no post-it notes near my 'puter :-O

Message 22 of 50
by: alex_w
community giff-staffer

on: 29/07/2016 | 12:42

jokeyboi77 wrote:

I use the same password for everything, because it's a large password containing caps, small letters and numbers and it'll be almost impossible for my family members to know, never mind strangers, so good luck to anyone trying to get it! ;-)

All it takes is for one of the sites you use that password on to be compromised, and your single password is no longer secure - no matter how strong it was when you created it. Once your password is compromised, a shadowy figure from the dark web then only needs to be able to figure out potential usernames to try that password against.

 

kath72 wrote:

 

I configure a certain word and numbers with a unique identifier for each account

e.g. pasS1g2i3f4word! That uses the word password with the numbers 1234, the identifier gif interspersed through the numbers, a capital on the 3rd letter and ! at the end.

And when asked for my mother's maiden name when setting things up I use another relative's, just so it can't be hacked too

 

This is going in the right direction. Current password theory is to use 3 or 4 words, and 3 or 4 numbers, that you know you can remember as the seed for your passwords. You then use substitution within each word/number (the shift key is your best friend for passwords, as are symbols) to obfuscate the seed word/number.

 

From there, you can then construct multiple strong passwords by simply changing the order of the words/numbers when you need a new password. You could potentially look at having a small stock set of seeds (2 words, 2 numbers) which are then added to with another word that you know you'll be able to remember is specifically for the site you're going to use the password on.

 

Another approach is to take a memorable sentence, and then convert that sentence into a password using an approach you'll also be able to remember. E.g. "I need a strong password" might become !n33d@STRONGpwd (which is a bad example, but illustrates). If the sentence is memorable for the specific site, you can create a very complex password that you'll still be able to remember (as long as you remember how you converted it into a password, of course!)

 

The longer the password, the better - so the key (excuse the pun) is about being able to create multiple, long passwords that you can easily remember and thus not need to write them down or use a password manager (which, as has correctly already been noted in this thread, is a single point of failure - someone gets into your password manager and you lose everything).

Community Platform Manager - Powered by coffee.
Message 23 of 50
by: jokeyboi77
on: 29/07/2016 | 13:11
@alex_w

I suppose when it comes to cybercrime you need to be careful, and if any site I use becomes compromised then that's not my fault and I'll change my details accordingly. A bit of a hassle I suppose, as opposed to having different passwords for different sites, because if one gets breached they all get breached in my case, and with PayPal being hit in recent years we should be more careful, but remembering all the different passwords in my case is torture, and my main one, the bank, is a bit different, so I'll take my chances. ;-)
Message 24 of 50
by: harrrrrry
on: 29/07/2016 | 14:07

 

@jokeyboi77


if any site I use becomes compromised then that's not my fault and I'll change my details accordingly

 

Problem is, you're unlikely to know until weeks or maybe months after it has happened.

 

Criminals typically don't go immediately to the site owner and demand a ransom, as that would reduce the life of the information they have. Instead, they will see if they can use any of the information on other sites first. You'll only know of the problem if they manage to get into another of your accounts.


Message 25 of 50
by: jokeyboi77
on: 29/07/2016 | 14:18
I'll know when anything dodgy happens on my bank account though @harrrrrry because I've got Experian set up as well, which notices anything dodgy online and alerts me to any credit being taken out in my name, and I'll know if it's me or not. Anything going missing from my bank I'd notice because I'm on my banking app daily, and I can deal with these pretty quickly, so unless it's anything other than to fleece me they're after then I can't really stop that, can any of us?
Message 26 of 50
by: gordie10
on: 29/07/2016 | 21:24

alex_w wrote:

 

Another approach is to take a memorable sentence, and then convert that sentence into a password using an approach you'll also be able to remember. Eg "I need a strong password" might become !n33d@STRONGpwd (which is a bad example, but illustrates). If the sentence is memorable for the specific site, you can create a very complex password that you'll still be able to remember (as long as you remember how you converted it into a password, of course!)

My tactic, though I still need a password manager because of all the subtle variations in my passwords across the various sites I use.

Message 27 of 50
by: aequalszero
on: 30/07/2016 | 14:49

Passwords remain one of the biggest banes of modern life. Two-factor authentication is helping to relieve the strain put on passwords as the only "lock" on accounts, but I actually really dislike having to remember lots of passwords.

 

Does anyone recommend any good password managers?  Or are they just as flawed?

Message 28 of 50
by: persco
on: 30/07/2016 | 15:06
@aequalszero To be honest, I don't trust any password manager either. Have used 1Password before.

Now I just use Apple's Keychain auto-generated passwords, so I don't even know most of my passwords. But obviously that only works best if you have iDevices. Some websites don't recognise them sometimes though, as they can be too long and don't fit the password criteria set.

It's all a pain really. I have like 8 different passwords at work for the same or different systems and they still demand we change them every 60 days!
Please do set BEST ANSWER for posts that help you. Get a free giffgaff Sim
Message 29 of 50
by: aequalszero
on: 30/07/2016 | 15:31

persco wrote:

It's all a pain really. I have like 8 different passwords at work for same or different systems and they still demand we change them after every 60days!

 

Haha - yeah, same here!  And you can't re-use old ones so it's a process of constantly incrementing a number to keep the password unique...

Message 30 of 50
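A defender-side illustration of the two patterns the thread keeps returning to: the "bump the number" rotation persco and aequalszero describe, and the seed-word-with-substitutions approach from alex_w's and kath72's posts. This is an added example, not code from the thread or from giffgaff; it is a password-history similarity check of the kind a login system can run when a user picks a new password, and the leet table, the `core`/`change_reason` names and the 0.8 threshold are this example's own assumptions.

```python
"""Password-history similarity check (added example; not from the thread)."""
import difflib
import re
from typing import Optional

# Substitutions undone before comparing, so "p@55w0rd" and "password"
# reduce to the same core. The mapping is this example's assumption.
_LEET = str.maketrans("013457@$", "oieastas")

# base + trailing counter + optional trailing symbols, e.g. "Summer" "2016" "!"
_COUNTER = re.compile(r"^(.*?)(\d+)(\W*)$")


def core(pw: str) -> str:
    """Lowercase, drop a trailing counter and symbols, undo leet, keep letters."""
    s = re.sub(r"\d+\W*$", "", pw.lower())
    return re.sub(r"[^a-z]", "", s.translate(_LEET))


def change_reason(old: str, new: str, threshold: float = 0.8) -> Optional[str]:
    """Return why `new` is too close to `old`, or None if it passes.

    Catches: the same password with case changed, the incremented-counter
    rotation ("Summer2016!" -> "Summer2017!"), a seed word re-spelled with
    symbols ("password" -> "p@55w0rd"), and near-identical letter cores.
    """
    if old.lower() == new.lower():
        return "identical to previous password"
    m_old, m_new = _COUNTER.match(old), _COUNTER.match(new)
    if (m_old and m_new
            and m_old.group(1).lower() == m_new.group(1).lower()
            and m_old.group(3) == m_new.group(3)):
        return "only the trailing counter changed"
    c_old, c_new = core(old), core(new)
    if c_old and c_old == c_new:
        return "same core word once digits and symbols are removed"
    ratio = difflib.SequenceMatcher(None, c_old, c_new).ratio()
    if ratio >= threshold:
        return f"too similar to previous password (ratio {ratio:.2f})"
    return None


if __name__ == "__main__":
    # Constructed sample pairs, not real credentials.
    for old, new in [("Summer2016!", "Summer2017!"), ("password", "p@55w0rd"),
                     ("Winter2016", "Summer2016")]:
        print(f"{old!r} -> {new!r}: {change_reason(old, new) or 'accepted'}")
```

A check like this only limits how predictable a forced rotation is; it does not address the reuse-across-sites problem alex_w raises, which needs a distinct password per site regardless of how each one is built.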