
Curious: regarding passwords

marie_ndcal
10 years ago

There is a discussion about LastPass keeping track of your passwords. Some sounds good (safe) other comments I am concerned. What other programs are available and is this even a good idea if a person has online features that could cause problems with their accounts?
Marie

Comments (24)

  • emma
    10 years ago

    Marie, I prefer to keep my passwords in a small notebook which I hide. I also delete the passwords from my computer where they are usually saved. I do not store anything on my PC I wouldn't want others to see, especially financials. I do buy online and if anyone stole my PC I would have to get a new CC or change my passwords at those sites quickly, just in case. As far as personal stuff goes, my life is so boring no one would be interested anyway.

    Putting my passwords on line seems more risky than storing them the way I do.

  • owbist
    10 years ago

    Like Emma I keep a written record of my passwords, they are on a shelf near the computer. I do not allow my computer to store passwords and I certainly would not allow a web site to store them for me. I only use about 4 anyway.

    I lock my doors most of the time and I am sure if a thief entered he would likely be looking for stuff other than the password to my Gardenweb account.

  • Elmer J Fudd
    10 years ago

    I do the same, I think the simplest approach is the best. It's certainly the safest.

  • acraftylady
    10 years ago

    I use Norton identity safe that comes with Norton security. Have used it for years and never had trouble on any computer with a password getting hacked but I am careful too online. Mary

  • DA_Mccoy
    10 years ago

    I just looked in my binder. The password page is one and a half pages double spaced of user names and passwords. Some are old, but still valid for that occasional use I don't plan on. Manual storage is the only way to go.

    DA

  • vnw232
    10 years ago

    There are programs that can keep passwords for you but no software is foolproof. I use a notebook kept in a safe place.

  • JustDroppingBy
    10 years ago

    Password managers are nearly a must once you have transitioned to unique, randomly generated passwords, and you require access to these passwords when your notebook is not available. If you have not yet made this transition, please read the Ars Technica article posted this morning titled, “Anatomy of a hack: How crackers ransack passwords like ‘qeadzcwrsfxv1331’.”

    OP, you may want to look at KeePass if you are uncomfortable storing password information online. KeePass is very mature, open source, and cross platform. Most security professionals recommend KeePass without hesitation.

  • owbist
    10 years ago

    Here is the link JustDroppingBy refers to.

    Being of simple mind as I am wont to be I do not believe hackers/crackers with good credentials are going to waste time on my computer. They are likely more interested in machines where they can expect to find a useful reward.

    As I noted above, I lock the doors to my home but as most doors have a glass panel in them it would not be difficult for a determined person to enter my home.

  • not2bright
    10 years ago

    Question for JustDroppingBy. Btw, you don't mind if I/we call you JDB for short, do you ? :-)

    What do you think is a safe password length (assuming all character types included) ? The article mentioned 11 as bare minimum. I've read others suggest nothing less than 20.

    Also, what would you take as overkill ? I mean, various email providers (for example) allow passwords over 100 characters. Would one be wise to use LP or other such managers to generate and save such a long password ? Or would 40 characters be sufficient ?

    Just curious about your take on this. :-)


    Spoiler alert, for those who have not read the article above. The next to last couple of paragraphs from the article are really telling:

    The ease these crackers had in recovering as many as 90 percent of the hashes they targeted from a real-world breach also exposes the inability many services experience when trying to measure the relative strength or weakness of various passwords. A recently launched site from chipmaker Intel asks users "How strong is your password?," and it estimated it would take six years to crack the passcode "BandGeek2014". That estimate is laughable given that it was one of the first ones to fall at the hands of all three real-world crackers.

    As Ars explained recently, the problem with password strength meters found on many websites is they use the total number of combinations required in a brute-force crack to gauge a password's strength. What the meters fail to account for is that the patterns people employ to make their passwords memorable frequently lead to passcodes that are highly susceptible to much more efficient types of attacks.

    ISTM the above suggests that we should be more vigilant wrt our passwords and should not be over-confident when a password evaluation site tosses out some astronomical figure of how many bazillion years it would take to crack a password, since other factors might actually make the password fall in a matter of hours !! :-O

  • JustDroppingBy
    10 years ago

    JDB is fine not2bright. 20 randomly generated characters from the all ASCII printable characters set (upper/lower/number/special characters like % @ +) is computationally secure against a brute force attack from any technology currently in the public domain. This password would provide slightly over 128 bits of entropy. In addition to the incredible computing power that it would take to brute force a password this size, Landauer's Limit kicks in, so you wouldn't be able to power, nor could you afford to run, this type of hardware with today's technology.

    On the low side, I would feel very comfortable with 15+ randomly generated ASCII all printable characters, but that length is still overkill. One of the crackers featured in the article, Jeremi Gosney, said this in a cracking software forum last month: “In terms of brute force, an eight character password for example would be 95^8. Except none of us here would be ignorant enough to use brute force with this algorithm, because even with the optimizations, it's still too slow for that.”

    There is certainly no harm in using excessive characters for additional peace of mind, just make sure you don't ever have to type them. This happened to me when I was transferring mobile providers, and the rep typing my password was not amused. ;)
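
Added example, not part of any post in this thread: a Python comparison of the brute-force figure a strength meter reports (the article passage quoted above) with a pattern-aware estimate, alongside the entropy arithmetic for random passwords from the 95-character printable set discussed in the reply above. The toy wordlist, the assumed dictionary size and the per-pattern bit costs are assumptions chosen for illustration.

```python
import math
import re
import secrets
import string

# 95 printable ASCII characters (letters, digits, punctuation, space).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "

# Constructed toy wordlist; membership stands in for a real dictionary,
# whose size is ASSUMED to be 100,000 entries for the cost estimate below.
WORDS = {"band", "geek", "password", "monkey", "dragon"}
ASSUMED_DICT_SIZE = 100_000
CASE_VARIANT_BITS = 2          # assumption: lower / Capitalised / UPPER / other
YEAR_BITS = math.log2(200)     # years 1900-2099


def random_password(length=20, alphabet=PRINTABLE):
    """Generate a password with the OS CSPRNG, one independent draw per character."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length, alphabet_size=len(PRINTABLE)):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def naive_meter_bits(pw):
    """What a brute-force-only strength meter reports: classes used ** length."""
    size = 0
    size += 26 if re.search(r"[a-z]", pw) else 0
    size += 26 if re.search(r"[A-Z]", pw) else 0
    size += 10 if re.search(r"[0-9]", pw) else 0
    size += 33 if re.search(r"[^A-Za-z0-9]", pw) else 0
    return len(pw) * math.log2(size) if size else 0.0


def pattern_bits(pw):
    """Cheapest way to build pw from dictionary words, years and single characters.

    Dynamic programming over split points: best[j] is the lowest cost (in bits)
    of any segmentation of pw[:j].
    """
    n = len(pw)
    best = [0.0] + [math.inf] * n
    word_bits = math.log2(ASSUMED_DICT_SIZE) + CASE_VARIANT_BITS
    for i in range(n):
        # Fallback: treat the next character as one random printable character.
        best[i + 1] = min(best[i + 1], best[i] + math.log2(len(PRINTABLE)))
        for j in range(i + 1, n + 1):
            chunk = pw[i:j]
            if chunk.lower() in WORDS:
                best[j] = min(best[j], best[i] + word_bits)
            elif re.fullmatch(r"(19|20)[0-9]{2}", chunk):
                best[j] = min(best[j], best[i] + YEAR_BITS)
    return best[n]


if __name__ == "__main__":
    pw = "BandGeek2014"  # the passcode quoted from the article above
    print(f"{pw}: naive {naive_meter_bits(pw):.1f} bits, "
          f"pattern-aware {pattern_bits(pw):.1f} bits")
    for n in (8, 15, 20):
        print(f"{n} random printable chars: {random_entropy_bits(n):.1f} bits")
    print("sample:", random_password())
```

Under these assumptions the pattern-aware figure for "BandGeek2014" is roughly 26 bits lower than the naive one, while a randomly generated password has no word or year structure for the cheaper segmentation to exploit.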

  • not2bright
    10 years ago

    Thanks, JDB !

    Since most of my passwords (esp. for email accounts) are over 35 characters, I was somewhat concerned when the password limit for my Yandex account was 20. But you've put my mind at ease about that. :-)

  • Elmer J Fudd
    10 years ago

    So you guys think it's important for the folks here to have a very inconvenient 20 character (or more) random mixed character password, to sign onto their AOL mail accounts to get their Joke of the Day emails? Or to sign on to anything else short of their FBI/CIA/NSA terrorist database work accounts? (That's sarcastic). Sorry, I think that's bad advice. Very bad advice.

    For anyone concerned, a simple twist or turn in your password along with a misspelling can keep it easy to remember and hard to break. Ex - verrryBIGtree, 8dindinLAAATE.

    I agree with Owbist. Passwords, like window and door locks, are to keep honest people honest. Anyone who wants to get in, will get in. For the websites and apps that most people access regularly, there is little to no risk of loss or inconvenience from a break-in. Yes, emails get hacked, and when that happens there's the simple solution of changing your password or getting another account. Few problems in life are so easily fixed.

    Justdroppingby, every job or body of knowledge has its own language and terms. Your plumber can easily confuse you with technical terms, so what? No one should have been impressed by your display here and in the other thread. I found it out of place for this audience.

  • emma
    10 years ago

    I keep my life very simple, especially this computer. It is here for my pleasure and I am not going to spend my precious time worrying about hackers. My passwords are based on a simple password I have used from the beginning, one that I remember easily. I mix it up with numbers which mean something to me. If I should for some reason forget my password, I only have to try two other ways to get the right one. I do have a paper copy in case I have a serious senior moment.

  • Elmer J Fudd
    10 years ago

    Emma for President!

  • emma
    10 years ago

    (:-))) @ Snidely Notice the chins. LOL

  • not2bright
    10 years ago

    Speaking only for myself, I don't find a 20-character password inconvenient in the least. Most of my passwords, as noted, are over 35 characters. PWs for some accounts are over 60. Though I use LP for general storage of them, I can easily reproduce them manually if I need to do so.

    In any case I find it odd that some can treat the email account so cavalierly. (I don't say that as if I'm some kind of expert. My username is most fitting in this whole discussion. Instead, I say it as someone perpetually interested in the whole issue of email and online security.) :-) While some may use email only for getting their AOL 'joke of the day,' an email account is, of course, much more. It's been called the skeleton key to one's online identity. (Didn't mean to rhyme that.) ;-)

    E.g. take Amazon. If you go to Amazon to login and click that you forgot your password, Amazon will send a password reset to your back-up email address. Just like that. No further identification or security procedure at all. Amazon assumes you are in control of that back-up account. But what if you're not ? What if that account is the very one that has been hacked because of having too simplistic/crackable of a password ? Then the hacker can easily gain access to your Amazon account while in control of your email account. It may not be an inconvenience for snidely and others to have an email account and an Amazon account compromised. But what if other Amazon account holders do find it so, and what if they even have a gift card credit in that account ? The hacker can now order whatever he wants on your credit.

    And while looking through your email account the hacker can see what other services etc. you belong to. And many of those places will allow passwords to be reset just as easily as Amazon will. Imagine the implications, the pervasive compromises, that can result. Maybe during the night while you're asleep. Allll that time to do whatever he wants with your account.

    Others' mileage may vary, of course, and I fully respect that. :-) But I personally don't evaluate the importance of my email account by the types of emails I receive or how often I get email, but by the services that require my having that account and that depend for their so-called security on my having access to it. The more of a "junk" account it is, the more likely it's used for those services which, if compromised, would lead to a nightmare of multiple account recovery. And in all this I most definitely prefer the ounce (or two) of prevention to the pound of cure (or would it be "pounding" in this case ?)

    IOW, I don't want to be Chicken Little and lose sleep at night over all this (and I don't). But neither do I want to be careless, not if being careful only means making some simple changes (like increasing the size/complexity of my PWs and maybe using an otherwise reputable and reliable password manager).

    Just my two cents (or is it cents-less ?) ...

  • owbist
    10 years ago

    not2bright are you sure Amazon will send you a new password 'just like that'? Don't you have to answer a question you set up with them when the account was created?

  • acraftylady
    10 years ago

    Amazon does not use a back up email to my knowledge. I order a lot from there and was never asked to give an alternate email, I don't believe they work that way unless there is something I am not seeing on my account. Yahoo does that though. Here is what the Amazon reset password page looks like. It goes to the one email address you have on file for the account. Mary

  • Elmer J Fudd
    10 years ago

    "Just my two cents (or is it cents-less ?)"

    With all due respect my friend, it's cents-less.

    Your scenarios are far fetched. You have 20, 35, and >60 character passwords? I'd say those are very unnecessary. A thoughtful 8-10 character password should always suffice. Don't say you don't want to be Chicken Little, you're already there.

    Do what makes you happy, but do so knowing that you're in pretty lonesome territory with your attitudes, your fears and your approach.

  • shaxhome (Frog Rock, Australia 9b)
    10 years ago

    You could always just take a pill..

    "Motorola Mobility's head of advanced technology and projects group, Regina Dugan, unveiled its latest concept at the All Things Digital conference in California on Thursday - and while it's still in the gestation phase, so to speak, it could point to the future.

    The pill in question is no ordinary tablet - it contains a tiny chip but no battery - instead it gets its power from the acids in your stomach.

    According to Geek.com, the pill will send out an 18-bit authentication signal, which your device will pick up and use in lieu of a password."

    Here is a link that might be useful: Indigestion, Anyone?

  • not2bright
    10 years ago

    Thanks for the replies -- even snidely's. ;-)

    owbist -- it's not that they send you a new password, but (as Mary's screenshot shows) a simple form with CAPTCHA and the password reset link is sent. So, my point (however paranoid) is that once someone else gains access to your email account, and if he sees that you have Amazon receipts in your account (or guesses that you might have an Amazon account tied to that address) he can go through this process and have a password reset sent to it while he's in it. Click the link and it simply asks you for a new password. The password change is effected without further ado. Presto. You'll be locked out of your account, and he's in. And while he's there (in your Amazon account) he may be able to do some damage, depending on what is available (gift card balance, changing destination address on pending orders, etc.).

    Mary -- Sorry. I actually meant that the password reset goes to one's email address associated with the Amazon account. Using the words "back-up email address" was unfortunate and incorrect on my part. :-( But as noted above in my response to owbist, the concern remains the same: an email account is the 'weak link' holding together other online accounts. (Or so it seems.) And as long as one gains access to your email account, one will also be able to gain access to Amazon (and who knows how many others) using a password reset. This does not apply, of course, to those that have some type of security question, as owbist mentioned.

    So doing a bit of beefing up of one's email security may help greatly in the long run to avoid unwanted and unnecessary compromises of other accounts (shopping, forums, etc.), esp. where those other accounts don't have the greatest security themselves.

    (In my case, I think I'll pass on the authentication pill for the time being. Of course, if it ever does become popular it may at least help boost Pepto Bismol sales.) :-)

    snidely -- I anticipated your reply almost word for word. ;-) ;-) But I still appreciate reading it ! As I say, I like getting/reading opinions on all sides so I have good food for thought to chew on. :-)

    This post was edited by not2bright on Fri, May 31, 13 at 7:28

  • JustDroppingBy
    10 years ago

    snidely, I'm going to respectfully disagree with a few of your claims. I'm going to use some technical terms, but you need a basic understanding of hashing, key derivation, and the method used to create a password in order to make password length recommendations. Otherwise, you are just pulling numbers out of the air or following someone else's horrible advice.

    Most passwords stored online are still hashed with antiquated MD5 and SHA-1 hashes. An 8 character password hashed with one of these algorithms will be cracked by any cracker with a pretty good graphics card. Period. End of story.

    The assertions that passwords are designed to keep “honest people honest” and “anyone who wants in, will get in” are also false. I am specifically referring to leaks where a server has been compromised and the password database has been downloaded. Evernote had over 50 million MD5 password hashes stolen in March, and LivingSocial had over 50 million SHA-1 password hashes stolen in April. While there is no such thing as a hack proof server, you cannot articulate a viable present day offline attack against a random 20 character password generated from the all ASCII printable character set.

    Calling a 20 character password “inconvenient” is also uninformed. To add or change passwords in LastPass you select: Generate Secure Password, Accept, and then Save or Confirm. Virtually all password managers have a random password generation capability. not2bright should never have to memorize or manually enter any passwords stored in LastPass.

    not2bright may be referring to Mat Honan's “epic hacking.” Malicious individuals went after his Twitter account, and then capitalized on mistakes made by himself, Amazon, and Apple to wipe his Gmail account, iPhone, iPad, and MacBook. He spent about $1700.00 to recover a priceless photo of his newborn.

    As far as my replies go, they are based on knowledge, a desire to be helpful, and a genuine hope that I learn something from every lengthy exchange of ideas. Enough said.

  • emma
    10 years ago

    I have always enjoyed discussions. Sometimes they confirm what I think is best or they make me see the situation from a different point of view and I change my mind.

  • DA_Mccoy
    10 years ago

    I wonder how many newbies and minimally experienced members have this thread causing needless confusion and concern. It's interesting to a degree and no one is claiming "the sky is falling", but it is with certainty that the concept is overly deep and no use to the common user.

    Other than my financial accounts which have good passwords, everything else is set for a reasonable convenience.

    Why would I care if someone cracked the password for the on-line edition of my newspaper? I do not store my credit card information on any site so why am I concerned about Target, Best Buy, or Amazon? The HP site when I registered my system?

    I would be more concerned about the security protection of my personal information which is contained at my bank, credit union, and investment institution. Send an e-mail to them asking them to certify their security. What you will receive in return is a plethora of business-speak and vagueness.

    DA

    This post was edited by damccoy on Fri, May 31, 13 at 15:31