Old 02-01-2023, 09:07 AM   #1
kq76
Global Moderator
 
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 10,706
Don't Get Hacked: Practice Better Password Management

Occasionally we see long-term legit user accounts start posting spam out of nowhere and I have to imagine it's due to poor password practice. We then have to ban these accounts. You might say, just email them to reset their password. Well, that might work, but oftentimes the spammer will replace all the user's data with spam links so we have no way to contact the user. And even if the email is still legit, we can't wait for them to maybe respond and let the spammer spam more.

Anyway, if you don't want your account to be at risk of being hacked, please make sure you are practicing good password management. There are plenty of sites out there listing what you should do and not do, but here's a list off the top of my head:
  • don't use too easy of a password, like password or 12345678
  • don't use the same password for different sites
  • the longer the better, consider passphrases (I find that 13 characters often gets me the green strength bar)
  • don't just use alphanumerics, use special characters too
  • use multifactor authentication where possible (I imagine a lot of people choose not to use it as it can be a pain, but one day it might save you a huge headache)
  • if something is really important, change at least part of that password every once in a while (sometimes a site will force you to change a password every 90 days, but once a year or two is better than never)
  • use a password manager, like BitWarden or an alternative, to keep randomly generated passwords for sites that wouldn't be a huge headache even if they did get hacked
  • and for those most important of passwords, it's probably best to only keep them in your head, with a hints file somewhere, if necessary, that would only make sense to you

Last edited by kq76; 02-01-2023 at 01:25 PM. Reason: replaced LastPass with BitWarden and added note about keeping some only in your head
Old 02-01-2023, 11:13 AM   #2
eriqjaffe
Hall Of Famer
 
Join Date: May 2003
Location: Under The Christmas Fish
Posts: 7,490
This is all very, very good information.

Quote:
Originally Posted by kq76 View Post
use a password manager, like lastpass.com or an alternative
I would advise against LastPass, as they've had a number of data leaks and breaches over the years.

https://www.cnet.com/tech/services-a...eir-passwords/

Personally, I'm a fan of BitWarden which is also free. For the more technically inclined there is KeePass, which is more secure since it doesn't store your data in the cloud, but the tradeoff is that the cloud-based services are a heck of a lot more convenient.

If you opt for a cloud-based password manager I would also strongly suggest enabling MFA (multi-factor authentication) on it. And, honestly, I'd enable MFA everywhere that supports it.
Last edited by eriqjaffe; 02-01-2023 at 11:14 AM.
Old 02-01-2023, 11:30 AM   #3
kq76
Global Moderator
 
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 10,706
Thanks, eriq! You're right, I should switch. Thanks for recommending BitWarden. I saw some headlines a while ago about LP and figured I should look into others, but didn't for whatever reason. I'll try BitWarden now.
Old 02-01-2023, 12:22 PM   #4
Déjà Bru
Hall Of Famer
 
Join Date: Apr 2009
Location: United States
Posts: 10,456
Here's the deal with those online password managers: They are accessible to hackers who are just as good at what they do as the security programmers.

So my preference is for Password Safe, for this reason: I control the data file. The program makes an encrypted file of all of your passwords so that you only have to remember one master password. Mine is 18 characters and I could type it out in my sleep.

But the crucial difference is, unless some professional hacks into my laptop, finds this file, and solves an 18-character password, there is little chance of chicanery. Being a small fry, I doubt anyone will take the time and effort in my case.

"Whoa, buster. That's fine for your laptop. What about your phone?"

Well, it so happens that another kind soul, and again for free, has designed an app for Password Safe. The only trick is, when I update my passwords file on my laptop, I must remember to copy the file to my Google Drive. Then I download it from my drive to my phone, overwriting the old file. Of course, the file on Google Drive is immediately and permanently trashed.

I do NOT allow browsers to remember my login data. That's asking for trouble. Yes, it's a minor hassle to need to open Password Safe and copy over the data (it does have a nifty, customizable auto-type feature, though) but I would rather do that than clean up after a data breach. Over the long run, you think BitWarden is going to be any better than LastPass in that regard?

I come across discussions like this in various places. I am surprised that Password Safe gets so little mention. Why is that? Because of the extra little work that is involved. Sad, really.


__________________

- Bru


Old 02-01-2023, 12:51 PM   #5
kq76
Global Moderator
 
Join Date: Nov 2002
Location: Vancouver, Canada
Posts: 10,706
Quote:
Originally Posted by Déjà Bru View Post
Over the long run, you think BitWarden is going to be any better than LastPass in that regard?
Maybe, maybe not. The way I look at it is password managers are another level of security and if you're using one you're probably doing at least better than you would if you didn't use one or better as you can easily have them remember long complex passwords that you couldn't and wouldn't want to bother remembering. Is it foolproof? No, of course not, but I think using them is a lot better than using passwords that can be easily brute-forced.

I don't use them for everything however. For example, my banking passwords I only use long passphrases that are only in my head. I have a hints file somewhere to remind me what they are in case I forget, but only I would be able to make sense of the hints. And on top of it I change part of them every once in a while. I think those are pretty foolproof, but with how many things we need passwords for now (I probably have well over 100 in lastpass) there's no way I would want to do that for everything.

And while your solution sounds great for you, I don't think it would work for everyone. It does sound like it's a bit more work than most people are willing to put in, but if you are willing to put in that extra effort then great. It's like how I use a program VeraCrypt to encrypt some files on my computer. It's great, but I think it's something many wouldn't want to bother with.

My opening post was more meant for those people who aren't past using really simple passwords and using the same password for most of the sites they visit. The user I banned this morning posted in a thread 2 years ago that his Steam account got hacked. And maybe he was employing some good password practices, but I'd say it's more likely that he wasn't.
Old 02-02-2023, 11:39 AM   #6
Cod
All Star Reserve
 
Join Date: Nov 2009
Location: Fort Worth, TX
Posts: 940
Quote:
Originally Posted by Déjà Bru View Post
Over the long run, you think BitWarden is going to be any better than LastPass in that regard?
I think BitWarden is much better because you can host your own instance locally without any connection to the outside world. Even if you wanted access, you could set up MAC filtering along with other safety mechanisms to avoid potential issues.

Another option is KeePass, which you can keep on a USB stick and store until you need to use again.
Old 02-02-2023, 04:06 PM   #7
Pelican
Hall Of Famer
 
Join Date: Mar 2021
Location: Wilmington, Delaware
Posts: 2,338
Blog Entries: 1
The key here should not be on ranking the best password managers, but recognizing the risks. For many years, I used the same or similar passwords, carrying them around in my head. Then there were enough for me to have to write them down. But that list only helped at home. When away, I could be locked out. And the passwords were still way too simple. After I migrated to Apple products, I eventually discovered Keychain. This is a simple way to store the passwords I choose, accessible on all my devices, with a reasonable degree of security. Now I can use the suggested seventeen-character passwords, and never have to worry about remembering or inputting them. Of course, this amps up the importance of my Apple password - the one I have to remember. But now I can set my phone for facial ID, and my iPad for fingerprint (which works less well). No, I don’t worry over thieves forcing me to access my phone, or cutting off my thumbs. It’s the hidden hackers I’m trying to beat.
__________________
Pelican
OOTP 2020-?
”Hard to believe, Harry.”
Old 02-03-2023, 11:19 AM   #8
The Game
Hall Of Famer
 
Join Date: Feb 2012
Location: Inside The Game
Posts: 30,808
"like password or 12345678"
Mine is 1234567890. It's harder and people don't think to put 0 after 9.
__________________
Go today don't wait for tomorrow
It isn't promised, all the time you get borrowed
Don't live your life for other people
Don't bottle your emotions till they crack and fill a couple just sorrows
Take your mind and refocus go get a paper write your goals out
Throw your middle fingers to all your haters


"Stay Strong"


Old 02-04-2023, 01:48 PM   #9
pauwoo
Hall Of Famer
 
Join Date: Oct 2014
Location: Seattle
Posts: 2,224
Quote:
Originally Posted by The Game View Post
"like password or 12345678"
Mine is 1234567890. It's harder and people don't think to put 0 after 9.
Yes! Best reply ever.
__________________
Be excellent to each other.

the Portland Pioneers | the Los Angeles Leopards
Old 10-12-2023, 11:00 AM   #10
Patsy Tebeau
Minors (Double A)
 
Join Date: Aug 2023
Location: Wilkes-Barre, PA
Posts: 179
Who has enough free time to care enough to hack someone's ootp forum account lol
__________________
-cody
Old 01-06-2024, 11:51 AM   #11
Cod
All Star Reserve
 
Join Date: Nov 2009
Location: Fort Worth, TX
Posts: 940
Quote:
Originally Posted by gustav View Post
My problem is that I often forget my passwords
Use a password manager. Then you only have to remember one password.
Old 01-07-2024, 04:02 AM   #12
The Game
Hall Of Famer
 
Join Date: Feb 2012
Location: Inside The Game
Posts: 30,808
Quote:
Originally Posted by Cod View Post
Use a password manager. Then you only have to remember one password.
My sister is my password manager. Her ideas for passwords are great. Of course I have to put them all on paper and my phone in case I get logged out. The passwords I create all revolve around players in my leagues. You would have to really follow my dynasty threads and know the backstory of the players I use passwords of. Only account I have ever had hacked was FB 10+ years ago and it was a simple PW.
Old 02-09-2024, 06:49 AM   #13
cake00
Bat Boy
 
Join Date: Jan 2024
Location: london
Posts: 5
Quote:
Originally Posted by Déjà Bru View Post
...
Your approach with Password Safe seems solid, especially with the emphasis on control and minimizing the attack surface. While online password managers have their conveniences, the trade-off with potential vulnerabilities is a real concern. Your method of managing the encrypted file locally and being mindful of syncing it to your phone via Google Drive provides a good balance of security and convenience. It's a bit more manual, but the added control might be worth the effort, especially for those who prioritize security over seamless integration. It's interesting how some effective solutions get less attention, possibly due to the extra steps involved, even though they offer a robust approach to password management.

Last edited by kq76; 02-21-2024 at 01:04 AM. Reason: removed quote
Old 02-21-2024, 12:25 AM   #14
oothomas
Bat Boy
 
Join Date: Feb 2024
Posts: 10
I was also a long-time fan of Bitwarden, until I started to experience some bugs. I am now using the free version of Proton Pass, and I am pretty happy with it.