Divemedic has an outstanding series of posts on passwords and password managers. He is covering this in depth, so I will just point you towards his posts and strongly recommend that you go read all of them.
Also, if you currently use the LastPass password manager, you need to know that Bad Guys compromised LastPass and stole the database of people's passwords. This actually shows the big weakness of password managers - the information is so valuable that it makes them big targets. Divemedic has good recommendations on what to do in a situation like this.
Highly recommended.
Part 1. INFOSEC
Part 2. More on Password Authentication
Part 3. How to store and use passwords
Part 4. Using Password Managers
5 comments:
Been reading them, thanks for the reminder!
I divide websites into those that are important enough to rate some care and those that don't, i.e. the one's involving money and those that don't. Those that don't all get the same password, or some variation thereof if they are persnickety. The import ones get written down in a folder stored in vault buried deep beneath the Mountains of Moria.
+1 for what Chuck said.
+1 for what Chuck said, except that I use pass *phrases*: multi-word sentences that don't provide a common context (e.g. "infinity window tire") and add in some special characters allowed by the site (".", "$", "#", etc). Hence "1nf1n1ty.W1nd0w#t1r3".
Passwords are basically security theater. I guess Divemedic had some people that had a personal animus against him and in that case they might make a difference but every time I have had something compromised which includes several credit cards, my bank account and my health insurance, the problem has been on the other end, that is the corporate server. Why steal one person's data when you can steal hundreds of thousands.
As for the passwords I am required to have, I use a variant of the notebook method. Except my notebook is written in a personal code. I suppose that if someone got physical possession of the notebook, they could brute force the code but that seems not worth the effort. One variant that I have considered is One Ring to Rule them All. Complex passwords on a spreadsheet that exists only on a computer that is not connected to the Internet. The spreadsheet is passworded with a complex formula which can be memorized as there is only one.
I do have several rules.
1. Always suspect fishing. Whenever you get a warning that something has been compromised, don't respond. Call the customer service number on your physical card.
2. Never do anything financial on your phone and especially avoid apps which are just data mining.
3. Turn your router off when you are not using it.
4. Avoid the IoT like the plague.
Post a Comment