In other news....
66% of people think password policies on websites are a joke, the worst offenders being banking.
I reuse the same password on loads of sites, such as here on the Reg.
Two-thirds of people recycle the same password or use variations on the same basic one, according to LogMeIn. Even though more than 90 per cent of people surveyed by the password manager biz said they knew it was risky to recycle passwords or light variations on a theme, 66 per cent of respondents admitted they "always or …
It sounds like this report is berating humans for being unable to use a system that's basically unsuitable for use by humans.
Most of the people who claim not to regularly re-use passwords are probably liars. Some are probably using password managers, but not a third of the population. Surely no-one is really remembering a completely unique password for every single device, internet shop, social media site and forum they ever used.
"Surely no-one is really remembering a completely unique password for every single device, internet shop, social media site and forum they ever used."
One part of this is sites demanding passwords when they don't need them.
Take, for instance, online shops. If I go into a physical shop - it's already getting to the point where it's a stretch to remember doing that - to make a one-off purchase I don't have to set up an account. So why do I have to set up an account for a one-off purchase online? They get some junk that I'll not remember as a password because I'm not going back there again if I can help it. For a logon ID - they'll insist on an email address - they'll get one that will be deleted after a short while.
Then there's iPlayer, or the Sounds app as it has become (why?). For no clear reason except possibly they think they can't operate a website without one, they need a userID and password. For a while it worked quite well if this was saved in the browser. Then the Sounds side changed it so that it had to be entered manually. I haven't bothered with the whole thing since then (what pissed me off most is that it stopped working with the iPlayer app on OSMC) but if I had it would have been swapped from the secure password-manager generated random string for the least variation on "password" that I could have got away with.
Another example is familysearch.org. This used to be a perfectly straightforward free genealogy site with a compact UI. Then the UX designers got at it so the actual user experience started the usual downhill progression that I doubt has bottomed out, part of which was to add a login requirement it never had before. At least that didn't need an email address; I think Mickey Mouse was taken but it got an equally contemptuous one.
Basically, if the password is important for me I'll keep it secure. If it's just the site being obnoxious about it, I'll treat it with the contempt I think it deserves.
Meantime - RESULT. Whilst writing this I finally got an email confirming the removal of my email address from the customer list of a firm of whom I've never been a customer but who insisted on spamming me with their coronavirus updates for customers.
"For a while it worked quite well if this was saved in the browser."
For anything not overly important I store (unique and complex) passwords in the browser, e.g. for El Reg. What really bugs me are sites that won't let me paste in a password. As I always choose long complex passwords it can be a pain in the rear to type them in; so I tend to avoid such sites... I'll often abandon a site registration form if it blocks password pasting and either not bother or go to another site.
Recently tried to register with the National Lottery but they did the password pasting blocking thing so abandoned my registration. I'll probably be a couple of quid a week better off anyway.
As for storing my passwords, I use encrypted documents stored in an encrypted folder on an encrypted drive on my local hardware (not cloud). Backed up to other encrypted drives. While it can be a little tedious accessing my bank login details etc, it does allow me to use long, complex usernames and passwords and I don't need to trust a third party to store them for me. Just a pain if some sites block me from pasting them in.
That's how it was for my car insurance company site. I ended up changing my long complex password to a short easy one because it wouldn't let me paste it in. Their site was also very unforgiving, click the back button and you've got to log in again. Click the wrong item trying to navigate their awful menu system and you can't get back, so end up having to log in again. Don't click anything for a couple of minutes and guess what...
"That's how it was for my car insurance company site."
Well, we all know how big a target a car insurance web site is. They can hack into your account and...... give me a minute.... I'll get back to you, but it could be really bad, that's what I'm saying.
Screw it, I'll just hack the insurance company's server itself and get everybody's info in one big download.
2. ?
3. profit.
What really bugs me are sites that won't let me paste in a password. As I always chose long complex passwords it can be a pain in the rear to type them in; so I tend to avoid such sites...
Sometimes those sites will take a bit longer, since before I leave I'll need to hunt down the contact information and send them a comment on their bad site engineering. And the harder they make it for me to send the message, the more harshly it will be worded.
The real reason that online stores ask you to set up a user account for a single purchase is so they can A) show the number of unique customer accounts they have in their financial and managerial metrics and B) better try to get you to come back to make more purchases.
I'm aware of that.
This is the usual thing about marketing. They have one-sided metrics and think one-sidedly in terms of how people will react. They have no insight into the business they lose by this approach except, for those of us who have disposable email addresses, they might, if they bothered to collect the data, see some bounced spam.
“Basically, if the password is important for me I'll keep it secure. If it's just the site being obnoxious about it, I'll treat it with the contempt I think it deserves.“
Millennials. It’s all about me, me, me, me, me .........
Some of the username password stuff is EU law mandating businesses know their customers/users. If you're buying stuff it’s needed for anti-fraud and money laundering protections, again from the EU. Forums will use email addresses to confirm who you are for anti-bullying EU mandates.
That is why Twitter, gmail, Facebook etc want your phone number, it helps them but EU / Government demand those organisations know their users and a phone number reinforces that. I don’t think Twitter, gmail etc would stomach the media backlash otherwise.
Lots of logging going on that most are unaware of.
"Some of the username password stuff is EU law mandating businesses know their customers/users."
Oddly enough, if I go into a real shop either they're flouting this law or it doesn't apply. As another commentard wrote, I've lost count of the number of shops who didn't ask me to create an account.
For very obvious reasons neither Twitter nor Facebook have my phone number unless they've stolen it from someone else's contact list. I have a couple of gmail accounts for which Google has nothing resembling a name; admittedly one is on my mobile.
"For very obvious reasons neither Twitter nor Facebook have my phone number unless they've stolen it from someone else's contact list. "
They most certainly have it as soon as they have your email address. It may come down to what they can do with it if they get it from you directly vs some big data company.
You can see why FB and other sites are always pestering you to "share" your contact list with them. They will use it to suggest other people you may know, but that's not the real reason they want it. It's the bribe they are offering.
"Millennials It’s all about me, me, me, me, me"
If you're calling me a millennial you'd better get the right millennial.
For avoidance of doubt, my banking passwords are important to me as I suspect yours are to you.
My password on a site which demands it if I have the temerity to download an information sheet for their product isn't, nor I suspect, would yours be important to you. I doubt such a site would be able to find an explanation of why it would be important to them that would satisfy either of us.
For sites that insist upon a phone number, it depends on what my usage of the site will be. If I feel I'll go back again, I'll use a Google Voice number (which doesn't get answered, and isn't even configured anyplace as a number which CAN be answered). If it's a one-time visit, I'll look up the number of their HQ office, or the HQ of a competitor.
"If I feel I'll go back again, I'll use a Google Voice number "
In the US there are test phone numbers that just ring. For sites that have figured out that dodge and have banned using those numbers, I use a desk number for the state tax office. If you know how most big entities set up phone numbers, it's easy to guess a few that ring directly on somebody's desk. I don't feel bad about doing that but I would not think it good practice to hand out the number of an attorney since it's cruelty to animals. I would love to see the face of somebody thinking they're going to scam some schmuck and the line is answered "Law Office". It's just as good if they get "tax office, agent Bob speaking, this call is being logged".
"coronavirus updates for customers."
I keep getting loads of those and it's one thing that I will drop them for. If it is important, they can put it on the website and I'll see it if I have a reason to visit their site. Like many people, I'm not doing as much lately so I'm not visiting those sites that I would regularly. Again, I'm going to reach out and check their web site if I think I might need their services/products. I know that many places are shut or on limited availability.
If I could give one piece of advice to web site designers about password policies, it would be this:
Put the password policy on the log-in page.
I come across so many sites that I fail to log in to, have to use the password reset option, wait for the password reset email, go back to the site, try to enter a new password, have it rejected, and only then find out that the reason I couldn't use one of my "normal" passwords was that this site doesn't allow punctuation, or spaces, or swears, or has odd length limits, or wants you to use at least 2 upper case letters, or something equally pointless.
ITYM the registration page, as that's where passwords are created.
But also make sure that pages that deal with passwords (principally the login page, the registration page and the self-service reset page) and the supporting backend processes all implement the exact same policy!
I came across a site recently where this was not the case, so I could reset with a new password that was accepted by the reset page (and it reported success), but would then not work on the login page.
Cue multiple rounds of resets until I found something that both elements were happy with.
ITYM the registration page, as that's where passwords are created
I want it on the login page. That way when I'm trying to login and failing I can look at what stupidly unusual thing it needs. This would "normally" be enough for me to remember it and avoid me going round the password reset route, which would end up with me trying to reset it to the same password I was forced to choose last time.
"If I could give one piece of advice to web site designers about password policies, it would be this:
Put the password policy on the log-in page."
Let me suggest an even better piece of advice: don't require logins if you don't need them. The fact that marketing want a list to pester people isn't a need - just the opposite because one day that list will be conspicuously toxic when it gets leaked and until then will be quietly toxic when potential customers are put off by it.
If a site requires me to create an account to buy something, I usually don't. I just go elsewhere where they accept Paypal.
At least for me, having an account requirement is kind of like putting your merchandise in a disused basement lavatory with a sign on the door that says: "Beware of the leopard" .
You are protecting your password from being stored in plaintext or weakly hashed in some unsecured database by every site you have an account on.
Certainly it's a far from perfect solution if you care about privacy at all. But if you don't, it has a clear benefit in the context of this story about re-use of passwords.
"Certainly it's a far from perfect solution if you care about privacy at all. But if you don't, it has a clear benefit in the context of this story about re-use of passwords."
So you wind up with a perfect repellent for tigers that attacks every grizzly bear for miles.
"just the opposite because one day that list will be conspicuously toxic "
Yeah, like the time they have to admit that they've been hacked and while no payment information was leaked, all of the usernames and passwords have been compromised. All of the people that are reusing passwords all over the place are now at risk. Especially those that have forgotten they've ever registered and those that never see a notice.
Rather than berate the 7 billion people on the planet into conforming to password requirements, how about companies do a little work and spend a little money to clean up their act. The first time I was confronted with a "your password is too long" error message, I assumed I had fallen through a wormhole and arrived in the before times where 80-columns was enough for anybody.
"correcthorsebatterystaple" has been dismissed unfairly I think. Sure, 48 characters of line noise is safer, but for quite a lot of sites 4 or 5 random words is far better and easier to remember than 7 alpha-numerics and a special character (which is almost always "!"). Sure, if a site gets their password hashes breached evildoers can gigahash through it with a couple of NVidia cards, but if the users are able to have a handful of long, yet easy to remember passwords, they're less likely to reuse them.
In any event, if you're a developer, dropping the $3.50/mo for haveibeenpwned API access is cheap at twice the price. Want to stop password reuse? Let your users know that their sooper-sekrit password is already in the hands of the evil hacker 4chan.
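Added example (the editor's, not code from any commenter or from the haveibeenpwned project): the two practitioner points above, "make every page that handles passwords enforce the exact same policy" and "tell users when their password is already in a breach corpus", collapse into one policy function that registration, reset and login-side validation all call. The breach check uses the Pwned Passwords range API's k-anonymity scheme: only the first five hex characters of the SHA-1 leave the host and the suffix comparison is done locally. Note that the password range endpoint itself needs no API key; the paid key is for the breached-account lookups. The three sample breach entries and their counts are constructed here so the block runs offline; `fake_range_lookup` stands in for the HTTP GET.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for the Pwned Passwords "range" endpoint (editor's
# example; these three entries and counts are made up for the demo).  The live
# service answers GET https://api.pwnedpasswords.com/range/<first 5 hex chars>
# with lines "<remaining 35 hex chars of SHA-1>:<count>", so it never sees the
# full hash, let alone the password.
_SAMPLE_BREACH_CORPUS = {"password": 3861493, "123456": 23597311, "Password1": 216565}


def _sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_fake_ranges() -> Dict[str, str]:
    ranges: Dict[str, List[str]] = {}
    for pw, count in _SAMPLE_BREACH_CORPUS.items():
        digest = _sha1_upper(pw)
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in ranges.items()}


_FAKE_RANGES = _build_fake_ranges()


def fake_range_lookup(prefix: str) -> str:
    """Offline replacement for the HTTP GET; a real client would fetch
    https://api.pwnedpasswords.com/range/{prefix} (no API key needed)."""
    if len(prefix) != 5:
        raise ValueError("range lookup takes exactly the first 5 hex chars")
    return _FAKE_RANGES.get(prefix, "")


def breach_count(password: str,
                 range_lookup: Callable[[str], str] = fake_range_lookup) -> int:
    """k-anonymity check: only the 5-char prefix leaves this host; the suffix
    comparison happens locally against the returned range."""
    digest = _sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


MIN_LENGTH = 8      # NIST SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 128    # 800-63B says accept at least 64; never truncate silently


def check_password(password: str,
                   range_lookup: Callable[[str], str] = fake_range_lookup) -> List[str]:
    """The one policy function that registration, reset and login all call.
    Returns the list of reasons a password is rejected; empty means OK.
    Deliberately no composition rules (upper/lower/digit/symbol), no ban on
    pasting, no ban on spaces: length plus a breach check does more."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    hits = breach_count(password, range_lookup)
    if hits:
        problems.append(f"appears {hits} times in known breaches")
    return problems
```

Because `MIN_LENGTH` and `MAX_LENGTH` are the only rules, the login page can print them next to the form without leaking anything, which is exactly the "put the policy where I can see it" request; and because the reset page and the backend call the same `check_password`, the "reset accepts it, login rejects it" mismatch cannot happen.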
The trouble with "correcthorsebatterystaple" is, it doesn't scale. If we all start using "three or four common words strung together", then attackers will start guessing passwords in that format. There are only about 20,000 English words in common use (of which most people only use about 2000-4000 on a regular basis), so the guessing space there is not nearly as big as you probably imagine.
As long as only a small minority uses it, it's excellent. But when attackers start expecting it, it suddenly becomes much weaker than a randomly generated string of characters.
@Veti
“ The trouble with "correcthorsebatterystaple" is, it doesn't scale. If we all start using "three or four common words strung together", then attackers will start guessing passwords in that format.”
The idea is to increase the number of characters of the password to increase the processing time to brute force it. Doesn’t matter what words are in it, a word attack is a word attack. At least 12 characters with capitals, symbol & number: it’ll take long enough to crack to put an attacker off unless they pay for expensive cracking hardware.
I personally just use the random password which actually looks like it follows a pattern to make input easier. Password is stored and synchronised to my keychain across phone, tablet and laptop.
After 10 plus years I now have no clue what my reg password is but don’t need to. Email is secured with 2FA and backup codes.
“The trouble with "correcthorsebatterystaple" is, it doesn't scale. If we all start using "three or four common words strung together", then attackers will start guessing passwords in that format.”
Sure, straightforward dictionary attack. But let's consider a moderate amount of salting:-
correct!1horse@2battery3>staple456
So you now need to do a dictionary attack of every combination of 4 words, plus a special character and a number between every word, plus a few random numbers at the end and the number of possible combinations for just the added entropy are probably greater than most passwords to start with.
"There's only about 20,000 English words in common use"
cd /usr/share/dict
wc -l british*
99156 british-english
341393 british-english-huge
650656 british-english-insane
OK, that includes proper nouns, possessives and borrowed words with diacritical marks although there's no reason not to include them and certainly not to stick to those in common use.
At a conservative estimate an English word must be worth at least 16 bits.
The original research assumes just 11 bits per word, but even with a dictionary that small, it's still better than typical passwords.
But that's an English dictionary. Start using "Romaji" words, and substitute some syllables with the corresponding punctuation mark, for those syllables/words that are visually similar to particular Kanji/Hiragana/Katakana characters. Mix in numbers if there's a particular volume/season you like.
@Loud Speaker
Yes, and Google are also looking at you (along with everyone else). Also, the "enter the unseen password twice so it's more secure" thing isn't just them.
Why I can't log into a supermarket (etc.) without always spamming my details to them for the robots thing though...
I will admit that I have a throwaway password for sites that I do not consider important, yet still ask me for a login, or sites that I have no intention to return to after the reason for which I went there in the first place.
But for anything important, I have a system that gives me at least 13 characters, and I have a database to store them in along with the URL that is concerned.
"For sites I have no intention to return to, they get a randomly-generated string that I don't even bother to record anywhere. That's easy."
I try that first to see if they then want to send me a confirming email to set up the account. Now I have to give them one of my pre-made disposable emails from a domain name I have the privacy filter set on so they can't do a simple whois to check up.
In the first case it's just easier to make up a new login than to track and look up one done previously. I only do it properly if I'll be a regular customer or it's a matter of legal consequence such as with a licensing board.
Agreed on banking websites sucking. Just got a reminder to change my password on the website for my work credit card. Password expires every 30 days (yikes). The site does have password criteria on the pw change page. I use keepass as password manager, and our default password generator profile (including the Administrator profile) didn't meet complexity requirements.
On the flip side, I have a personal account with the same bank. No password expiration. "Two factor" verification includes a typical set of predefined questions that could be answered by anyone creeping your facebook (one of many reasons I have no FB account).
"Two factor" verification includes a typical set of predefined questions that could be answered by anyone creeping your facebook
a) you should not be using Facebook, for anything, ever
b) Never tell the truth - when they ask for "your mother's maiden name" what they actually mean is "the name of the porn star your Dad imagined he was fucking when you were conceived" (hyphenate if more than one). (Names of dogs and sheep are acceptable here).
"have a personal account with the same bank. No password expiration. "Two factor" verification includes a typical set of predefined questions that could be answered by anyone creeping your facebook (one of many reasons I have no FB account)."
The worst thing is when they verify you by the mobile you are calling from. If I were somebody nicking mobes, the first thing I would do is go after bank/financial targets. What does somebody do if they are out and their phone is taken? So many people have all of their information on the phone and have gone paperless so they have to hope they have some sort of statement from the bank with their account information on it at home so they can call in and get the account locked. That delay can be more than enough time to empty accounts and change passwords for others. For these reasons, I don't keep sensitive information on my phone. I don't even keep my complete contact list on it as some people I know are well known and I would feel really bad about exposing their information. A couple are listed with pseudonyms so I know it's them if they call.
Earlier today I gave up registering an account (for a software service) because it
a) demanded a complex password (>10 characters, digits symbols upper and lowercase)
b) my browser let me store the password but the site spoofed the browser so it would not offer the password
c) did not allow me to paste the password
I want to play too.
I work for the South Bananistan government (soon to be turned into a theocracy). One of the government systems has an authentication page that uses a "virtual keyboard" for a simple, 8-digit password, but the system 1) asks you to change it every two weeks; 2) blocks you if you don't change it in two weeks and 3) requires an authorization from HR to reset it. All this for "security reasons".
The system is used every 2 months to authenticate vacation requests, I never bother to write it down or save it. I just try to log in, fail and send a message to HR.
Must be the most annoying password-based login system in the world (let us know!)
I am of a mind that security that foils the legitimate user is NFG.
A password that I can't remember is NFG to me.
So what I do, is mix and match different (hard) password phrases, so I just have to remember four 8 character phrases. If I forget what I used on some site or service, I know it's a combination of 2 of those 4. I can always get it before exhausting 5 failed login attempts :-)
The end result is pretty strong 16 character passwords.
I reuse passwords as well, but not the ones that I use for banking/finance or sensitive personal information.
If somebody were to hack my credentials here on El Reg, I'd send a message to the admins that my account was compromised and not worry about it. I'm not using the same user name everywhere and I'm not a member of the usual social media data collection sites. I also would never use "Log in with your XXXX account" options.
One of my favorite games is since I have control over my domains, I can create and delete accounts when a site insists on a real email address to send a verification email to add a user. I make a throw-away account, milk the site for what they are offering and then delete the account. Sometimes I leave them active for a few months to see if the original site is selling data as I expect they are. Friends, family and customers get different email account addresses that I don't use for anything else.
"different" works if you do this:
correct-horse
horse-correct
h0r5e+CoRR3ct
etc. (to crack these would require human intervention and some social engineering, and knowledge of one of them, and a good guess as to where the others might get used).
but yeah a password manager to track the HUNDRED or so passwords is probably a good idea. LONG ago I'd write them down. The page got full. Then I discovered KeePassXC [NOT the C-pound one WITHOUT the "XC" at the end, but the C language one WITH the 'XC' at the end, that builds properly on Linux and FreeBSD _WITHOUT_ _MONO_ - the LAST thing I need is MONO DEPENDENCIES on my Linux and FreeBSD systems]
in any case my master password is SO long I often make typing mistakes entering it...
(if the password is long enough, chances are you will NOT be "social engineered" to discover all of your derived passwords based on one that was obtained by cracking some 3rd party web site)
I have a script which generates a list of passwords from /dev/random and a word list of my choosing. I can specify the delimiters, capitalized, number of words/characters, added numbers, etc, that will match any arbitrary password requirements while still being easy to type. I just pick the one I want from the list and since it came from /dev/random, it isn't going to be easy to guess.
I use these for accounts where I have to actually still type the password, but for everything else I use bitwarden.
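Added example (the editor's, not the script the commenter describes): a passphrase generator in the spirit of the one above, driven by the OS CSPRNG (`secrets.SystemRandom`, which reads from the kernel's random source rather than a seeded PRNG) and a word list, with configurable separators, random capitalisation and trailing digits. It also reports the entropy of what it produced, which answers the "it doesn't scale" exchange and the `/usr/share/dict` post further up: once the attacker knows the format, the strength is exactly the number of random choices times the size of each choice, so the words themselves do not matter but the dictionary size, separator alphabet and count do. The 32-entry word list is constructed so the block runs offline; `load_wordlist` shows how a real `/usr/share/dict/british-english` would be filtered first. `SYMBOL_DIGIT_SEPS` models the "symbol plus digit between words" pattern from the `correct!1horse@2battery3>staple456` post.

```python
import math
import secrets
import string
from typing import Iterable, List, Sequence, Tuple

# Constructed 32-word list so the example runs offline.  Real use: pass the
# output of load_wordlist("/usr/share/dict/british-english") instead.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anvil", "basket", "candle", "dragon",
    "ember", "falcon", "garden", "harbor", "island", "jacket", "kettle", "lantern",
    "marble", "needle", "orbit", "pepper", "quartz", "rabbit", "saddle", "timber",
    "umbrella", "velvet", "walnut", "yellow", "zipper", "copper", "meadow", "pillow",
]

# One symbol followed by one digit between words: 32 * 10 = 320 possibilities.
SYMBOL_DIGIT_SEPS = [s + d for s in string.punctuation for d in string.digits]


def filter_words(lines: Iterable[str], min_len: int = 4, max_len: int = 9) -> List[str]:
    """Keep lowercase, ASCII-only, alphabetic, de-duplicated entries.  Dropping
    proper nouns and possessives keeps the dictionary size honest: entropy is
    log2 of the number of *distinct* candidates the generator can pick from."""
    seen = set()
    out: List[str] = []
    for line in lines:
        w = line.strip().lower()
        if w.isascii() and w.isalpha() and min_len <= len(w) <= max_len and w not in seen:
            seen.add(w)
            out.append(w)
    return out


def load_wordlist(path: str, min_len: int = 4, max_len: int = 9) -> List[str]:
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return filter_words(fh, min_len, max_len)


def estimate_bits(n_words: int, dict_size: int, sep_alphabet_size: int = 1,
                  random_case: bool = False, n_digits: int = 0) -> float:
    """Entropy of a passphrase built from independent uniform choices.  This is
    the strength *against an attacker who knows the format*, which is the
    right assumption once the format is popular."""
    bits = n_words * math.log2(dict_size)
    if n_words > 1 and sep_alphabet_size > 1:
        bits += (n_words - 1) * math.log2(sep_alphabet_size)
    if random_case:
        bits += n_words            # one coin flip per word: capitalised or not
    bits += n_digits * math.log2(10)
    return bits


def charset_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string, e.g. charset_bits(8, 95) for
    eight printable ASCII characters."""
    return length * math.log2(alphabet_size)


def generate(words: Sequence[str], n_words: int = 4, separators: Sequence[str] = ("-",),
             random_case: bool = False, n_digits: int = 0) -> Tuple[str, float]:
    """Return (passphrase, entropy_bits).  All choices come from the OS CSPRNG."""
    rng = secrets.SystemRandom()
    chosen = [rng.choice(words) for _ in range(n_words)]
    if random_case:
        chosen = [w.capitalize() if rng.randrange(2) else w for w in chosen]
    parts = [chosen[0]]
    for w in chosen[1:]:
        parts.append(rng.choice(separators))
        parts.append(w)
    phrase = "".join(parts) + "".join(str(rng.randrange(10)) for _ in range(n_digits))
    bits = estimate_bits(n_words, len(set(words)), len(set(separators)), random_case, n_digits)
    return phrase, bits


if __name__ == "__main__":
    for label, n, d in (("4 words from a 20,000-word list", 4, 20000),
                        ("4 words from the 99,156-entry british-english", 4, 99156),
                        ("5 words from a 7,776-word diceware list", 5, 7776)):
        print(f"{label}: {estimate_bits(n, d):.1f} bits")
    print(f"8 random printable ASCII chars: {charset_bits(8, 95):.1f} bits")
    print(f"12 random mixed-case alphanumerics: {charset_bits(12, 62):.1f} bits")
    phrase, bits = generate(SAMPLE_WORDS, 4, SYMBOL_DIGIT_SEPS, random_case=True, n_digits=3)
    print(f"{phrase}  ({bits:.1f} bits, but only from a 32-word demo list)")
```

The comparison the `__main__` block prints is the substance of the argument above: four words from a 20,000-word list come to about 57 bits, more than eight random printable characters (about 53 bits), and the symbol-digit separators add roughly 8 bits each on top. The generator's reported figure is the floor assuming the attacker knows the exact format; a passphrase is only as strong as the list it was drawn from, so the 32-word demo list gives 5 bits per word and is for illustration only.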
Since your on-line access to everything is going to be dependent on it, ideally you want the one that guarantees they will never go out of business, bump up the price, or start pissing you off with ads, and will always fully support any new browser or platform you want to browse the web from. Good luck.
"ideally you want the one that guarantees they will never go out of business, bump up the price, or start pissing you off with ads, and will always fully support any new browser or platform you want to browse the web from. Good luck."
No luck needed. The password manager is kept locally. It's also synced to my home Nextcloud server. So unless I go out of business in a very personal manner or lose my marbles to the extent that I can't remember my master password that's not a problem.
I use KeePassXC, because:
- Still in active development
- Fully open source (Peace of mind...)
- Fully offline by default - no internet/cloud required
- Includes a built-in password generator which can be adjusted/altered to match a sites particular requirements
- Integrates with your desktop keyring - useful for apps such as evolution storing passwords
- Not owned by a corporation - Your passwords won't be sold...
- No risk of simply "vanishing" if a business stops operating
- Included in pretty much every distro, so installing is quick and simple - no hunting for binaries.
- Mobile applications exist in f-droid for reading your DB on a mobile device.
- Many other reasons - but if I continue I start to sound like a sales bod.
"Many other reasons - but if I continue I start to sound like a sales bod."
There's the thing. So many people won't use something unless it's sold to them by a sales bod - or even worse - they're allowed to use it free and it's they who are being sold.
Yes, KeePassX.
How about something a) open source and runs on Linux/FreeBSD, b) *NOT* written in C-pound, c) does *NOT* have a boatload of unique dependencies (which is why I don't want something written in C-pound).
keepassXC comes to mind - which is the MAINTAINED open source version of keepassX that builds on Linux and FreeBSD.
I always use the same 3-4 passwords, because otherwise I don't remember them. And also because most of the time I don't care about the site (seriously: what if my account on ElReg gets hacked?). And for those sites that I DO care about, I use a different browser and a unique password. Which means that in 95% of the occasions, I always use 3-4 passwords and a generic browser, so if such a survey only looks at the number of occurrences, it's going to have a very unrepresentative image of how secure/insecure my use of passwords and the Internet is.
And for me it's still very few passwords to remember.
For 95% of sites, I don't care if someone gets my password. I get those spam emails about once a week where they tell me my "standard password" in the subject line trying to scare me and I just ignore them. I use a real password for banks and other financial stuff, plus a few other places where it matters to me.
For the rest I use the same one or a simple variation to meet rules like punctuation or whatever. Using a password manager so I can have a different password at The Register than I do at a different online forum is stupid, no one wants to steal my account on a web forum.
> they knew it was risky to recycle passwords or light variations on a theme
People reuse passwords on so many sites because it is of no consequence to them if those accounts get compromised.
For example, if you joined, or were forced to join, a website or forum because you ONE TIME wanted some information that was only available to members, it is quite reasonable to use abc123 as a universal password.
The same if you wanted support from a user forum. Join - ask question - get ignored as a noob - leave.
If the account gets hacked and your password is stolen, it's no big deal (you've probably forgotten about it anyway). There is no risk as nothing of value is being risked.
Agreed.
I have a generic password that I know has been compromised but is still in use on a few sites where it really, really doesn't matter. Eventually I'll probably catch up and change them to something equally obvious.
For anything that is important I use totally unique passwords and a password manager.
"For anything that is important I use totally unique passwords and a password manager."
I think a good analogy is putting a $600 lock on your collection of bugs you've found in your garden rather than just fastening the clasp on the box. The effort needs to match the level of security you really need.
I'm not bothered with spending more time accessing my financial accounts online, but I am when I just want to dash off a witless comment on a forum.
For example, if you joined, or were forced to join, a website or forum because you ONE TIME wanted some information that was only available to members, it is quite reasonable to use abc123 as a universal password.
For those one-time usages I'm forced into, my chosen password is a bit "coarser"...
Is the huge number of online sites that insist on a password login when it is really inappropriate - for example: you want to pay for a pencil? Certainly sir, you just need to log in first.
I've lost count of the times I've had to not log in to make purchases in the real world...
I couldn't give a rat's ass about people hacking into, say, my commentard account on The Register
Shirley you're not suggesting that commenting on Reg articles is somehow unimportant? How else will randos know that a bunch of other randos don't trust Google / Facebook / *cloud* / MS / gubmint and that IoT is shit?
Let's not forget that half the problem isn't reuse of passwords, it's reuse of user IDs. That's because so many sites want an email address as an ID - and perhaps reinforce that by sending an email to confirm - and most people only have one email address. It doesn't matter so much if your password's Pa$$word when your user ID's UsSnkbi32tGdxTFP or '@"p3a@}%3e%Ngud
OK so the article states:
"The standard password advice, repeated by LogMeIn, is to use a password manager to remember your passwords for you; enable multi-factor authentication (MFA), so if someone else does obtain your password they can't easily log in and steal your account – though 20 per cent of respondents to the survey said they didn't know what MFA was; and stay vigilant."
So where is the MFA for my extremely valuable El Reg account? At present I use a password and e-mail address but anyone could steal my password and instead of my pearls of wisdom start spouting nonsense at this highly erudite and learned audience.
Indeed, there is currently an extortion e-mail going around claiming to have embarrassing video footage of the 'user'; the subject line contains an actual password (in my case it was for the BBC iPlayer)*. They wanted USD2000 for 'not' showing a non-existent video of me (there is tape over the lens, even NASA hasn't got the image enhancement tech to get a picture from my computer, not that I do that sort of thing in the lounge anyway). Fortunately I didn't use that password anywhere else (and don't any more).
*If you get the e-mail (courier font, claiming to have installed malware on our computer, with an address for a bitcoin 'donation') do report it to Action Fraud in the UK, they want to know how prevalent it is.
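Added example (the editor's, not from the article, LogMeIn or any commenter): the MFA the article recommends is, for most sites, an RFC 6238 TOTP code. The whole mechanism fits in a few lines of HMAC and integer arithmetic, which is worth seeing because it shows what a second factor does and does not protect against: a stolen or phished password alone no longer logs the attacker in, but a code typed into a phishing page within the same 30-second window still does. The verifier side below also records the last accepted counter so a code cannot be replayed. `RFC_TEST_KEY` is the published test secret from RFC 4226/6238, used only so the results can be checked against the RFC tables; a real secret is random and never a fixed string.

```python
import base64
import hashlib
import hmac
import struct
import time

# Published test secret from RFC 4226 / RFC 6238 Appendix B.  For checking the
# maths only; never use a fixed or human-readable string as a real seed.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, dynamic-truncate, mod 10^digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: float, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to floor(unix_time / step)."""
    return hotp(key, int(at // step), digits, digestmod)


def key_from_base32(secret: str) -> bytes:
    """Decode the base32 seed that authenticator apps accept (padding optional)."""
    cleaned = secret.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


class TotpVerifier:
    """Server-side check with a clock-skew window and replay protection.

    window=1 accepts the previous, current and next 30-second slots.  The last
    accepted counter is remembered so the same code cannot be submitted twice,
    which is what stops a shoulder-surfed or intercepted code from being reused
    inside its window.  In production last_counter lives in the user record."""

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key, self.step, self.digits, self.window = key, step, digits, window
        self.last_counter = -1

    def accept(self, code: str, at: float = None) -> bool:
        if at is None:
            at = time.time()
        counter = int(at // self.step)
        matched = None
        # Check every slot in the window without an early exit, and compare
        # with compare_digest, so timing does not reveal which slot matched.
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(hotp(self.key, c, self.digits), code):
                matched = c
        if matched is None or matched <= self.last_counter:
            return False
        self.last_counter = matched
        return True


if __name__ == "__main__":
    now = time.time()
    code = totp(RFC_TEST_KEY, now)
    verifier = TotpVerifier(RFC_TEST_KEY)
    print("code", code, "accepted:", verifier.accept(code, now))
    print("same code again accepted:", verifier.accept(code, now + 1))   # replay -> False
```

The fixed window is why an attacker who phishes the code in real time still wins, and why the article's "stay vigilant" is not redundant alongside MFA; phishing-resistant factors (WebAuthn/FIDO2) bind the credential to the site's origin and close that gap, which a six-digit code cannot.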
" there is currently an extortion e-mail going around claiming to have embarrassing video footage of the 'user',"
I get lots of those dropping into mostly my spam catcher accounts that I've generated and used to register at dodgy websites and places I know are going to resell every scrap of data they collect.
What these scammers don't know is that my desktop doesn't have a camera at all and my taste in porn is very mainstream. Am I sharing too much?
If they did get my contacts, which would be a feat as I don't use the built in contact manager, I'd probably start getting inquiries about where to find the best "movies" since most of the people I know and most certainly my "water brothers" aren't too uptight about those sorts of matters. Mom would just have a good laugh.
If you don't want to be spied on, disable the camera and block the mic. Zuckerberg does on all of his portable devices. BTW, Blu-Tack works a treat for the mic and is removable if you insulate the mic hole with a bit of cling film first. Put some Sellotape over the Blu-Tack so it doesn't get everywhere.
...I was convinced by friends more ITSec-conscious than I to go beyond the 4-character smartphone passcode and take advantage of the phone OS's option for a longer password. So now my fondletoy has a longish password with all the bells and whistles. But the current fondletoy has face recognition, which is much more convenient... until the days of facemasks arrived. Do I yank down the mask for a couple of seconds so I can NFC my purchase, whilst smiling at the checkout person through the plexiglass, or do I fumble, through my nitrile gloves, at tapping in my now rather inconvenient passcode while the next lucky shopper is stewing 2 m away?
Now what I would do is wait until you've unlocked your phone while out somewhere and set it down to respond to the person doing the distracting for me and have it off you in a jiffy. I'll keep fiddling the screen to keep it alive until I can plug in a little widget to keep the phone charged and active so it doesn't relock.
Use cash. If somebody picks your pocket, all you lose is what's on you. If somebody nicks your phone and can do what I describe above, they have your whole bank account which sort of sucks if yesterday was when your direct deposit posted.
For the record, I don't steal from people, but did sleep at a Holiday Inn last night. Actually, my guilty pastime is watching pen testing vids and hackercon presentations on YouTube/Vimeo. I've had a debit card get cancelled while traveling and never go anywhere without the cash to buy enough petrol to get home and some meals. Having cash in pocket also makes me stick to budgets much better. No cash, no coffee.
The bigger concern is the outfit you are signing into leaving all the private details supposedly secured by said passwords open to the entire effing internet due to stupid, lazy and 'we haven't a clue and haven't really made a profit yet, but next quarter, maybe'.
In my defence the really important sites like my bank are protected with 15 character passwords generated by BitWarden, but the sites like The Reg and BBC where I don't give a toss whether someone impersonates me, get the basic password I have used for years which itself is 8 characters with all the bells and whistles. But re-used on all the lesser websites.
These kinds of articles are only useful for drumming up business for the password app vendors and I guess giving the rest of us an opportunity to feel smug. We started this saga with passwords of 5 - 6 characters then had to add in upper case and numbers, then special characters and the length has increased each year.
I agree passwords are so 20th century and for God's sake let's come up with a better solution soon before we are all having to enter 99 character passwords to access the local news.
In my work, financial, personal and domestic life I have close to 100 passwords to remember and somehow manage.
It's impossible. I am pretty good about this: I use Password Safe for the important stuff but the rest mostly relies on my fading memory, the browser's memory or the "forgot your password" link.
The banks have forced two factor authentication on me, which is pretty much a good thing ... but I am glad I was not finalising a house purchase when I (something to do with wine) left my phone in the back of a taxi.
You need to establish a hierarchy of what's important: work, banks and the email where your "forgot your password" gets sent to. Forget about the rest, if you cannot remember a password you made up good luck to anyone else.
P.S. You really need to change and remember your router password. It's a PITA to do the hardware reset just to change your WiFi password.
I used to use my "standard" password on The Reg, my old dog's name and a bit more,
but it now has a real 10 mixed characters password,
reflecting the respect I have for The Reg (gag),
more likely The Reg's poor security.
Crap sites get my crap password.
I used to use 8 mixed characters, now 10, in the future?
I'm still generating pseudo random passwords with pwgen.
An article where the people commenting are actually talking SENSE!
These guys have a fiscal interest in selling LastPass subscriptions! Which is pretty lousy on my smartphone: it keeps prompting me over and over again to re-enter a master password that is tens of characters long.
A lot of the time there are password requirements, and even WITH password managers like LastPass there can still be limitations, like entering passwords on a phone or tablet inside apps rather than websites, for example, or requiring a really long master password to be entered.
Chrome used to be a great solution to sync with Android apps for me until the password sync started not working and Google provide no solution. Although it was also tied to me using Google Chrome.
I'm almost to the point where I'm going back to writing passwords down on paper in a book at home and keeping it to that. The downside is when I'm out and I want to actually be able to buy stuff online.
I don't think there is any silver bullet for password management to be honest.
I never have the perfect solution, whether it's KeePass, LastPass, or what I use a lot now, Avast Passwords, because it has some mobile app password sync capability and doesn't constantly prompt me for a master password on my phone. Each app I've come across has its own limitations which I could talk endlessly about.
I don't think there ever will be; I think we need to use different solutions selectively for different situations.
For logging in to sites that are trivial and do not involve money, like a recipes site, or news site, I reuse a fairly simple one. For anything involving transfer of money like shopping or bill paying, it's a password generator and password keeper lodged on my computer only.
As a visual learner, I like using keyboard patterns for passwords rather than the text.
I remember a starting point and some pattern from there... lefts, rights, ups, downs and trailing cap(s)
As my password backup for more serious "stuff"
I use a text file on a local encrypted file, like others have mentioned.
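An added example, not from any of the posts above, bringing together two things the thread touches on: generating passwords from a proper CSPRNG (what pwgen -s does; pwgen's default mode produces pronounceable, and so less than uniformly random, output) and why keyboard-pattern passwords are weak, since walks like 'qwerty' or 'zaq12wsx' are among the first things cracking rulesets try, whatever the character mix. The QWERTY map, the adjacency rule (diagonals count, the physical row stagger is ignored), the `min_run` threshold and the sample passwords are all assumptions and constructed inputs of this example.

```python
"""CSPRNG password generation and a keyboard-walk check.

Added example. The nominal entropy figure applies only to passwords drawn
uniformly by generate(); a keyboard walk of the same length and character
classes is found by a cracker in a handful of guesses.
"""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniform random password from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def nominal_entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(len(alphabet))


# US QWERTY layout (assumption: US layout). Shifted and unshifted characters
# map to the same physical key, so 'Qwe' and 'qwe' are the same walk.
_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
_SHIFTED = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", 'ASDFGHJKL:"', "ZXCVBNM<>?"]


def _positions() -> dict:
    pos = {}
    for r, (row, shifted) in enumerate(zip(_ROWS, _SHIFTED)):
        for c, (k, s) in enumerate(zip(row, shifted)):
            pos[k] = (r, c)
            pos[s] = (r, c)
    return pos


_POS = _positions()


def adjacent(a: str, b: str) -> bool:
    """True if a and b are the same key or physical neighbours (diagonals too).

    The row stagger of a real keyboard is ignored; this over-approximates
    slightly, which is the right direction for a weakness check.
    """
    if a not in _POS or b not in _POS:
        return False
    (r1, c1), (r2, c2) = _POS[a], _POS[b]
    return abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1


def longest_keyboard_walk(password: str) -> int:
    """Length of the longest run of consecutive adjacent (or repeated) keys."""
    best = run = 1 if password else 0
    for a, b in zip(password, password[1:]):
        run = run + 1 if adjacent(a, b) else 1
        best = max(best, run)
    return best


def is_keyboard_walk(password: str, min_run: int = 4) -> bool:
    """Flag a password that contains a keyboard walk of min_run keys or more."""
    return longest_keyboard_walk(password) >= min_run


if __name__ == "__main__":
    # Sample passwords are constructed for the demo.
    for pw in ("zaq12wsx", "1qaz2wsx", "P@ssw0rd", generate(16)):
        print(f"{pw!r:22} walk={longest_keyboard_walk(pw)} "
              f"weak={is_keyboard_walk(pw)} "
              f"nominal_bits_if_random={nominal_entropy_bits(len(pw)):.1f}")
```

The walk length is what a password policy should reject on: 'zaq12wsx' is eight characters with letters and digits, so it passes most complexity rules, yet it is a single unbroken walk and sits in every common wordlist.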
Actually, I write all of my passwords down in a nice notebook I bought from Waterstones, it is bright red and has the words "internet address & password logbook" on the front cover in big friendly letters.
That has got to be ok, hasn't it?
Curiously, it no longer seems to be available on the web site, must have sold out..