Security Recomendations for UserNames, SecurityQuestions, Passwords
 

Recommendations from the security department of a utility company as a member of the CNI system (Critical National Infrastructure)

UserNames/email addresses:
Non personal/individual identifying name whenever possible
use business names for a business, not your personal name
have a throw away email account on gmail. . . send grocery store emails there
throw away is not linked to any financial account. . .

Security Questions:
use long general descriptive names or type easy to remember wrong answers
Where did you meet your spouse?
onvacationinabar
What was your first pet's name?
hotdogLarry (dachsund named Larry)

Passwords:
Use maximium length, use an easy to remember phrase or sentence
Use specialcharacters as spaces or word separators
use capitals in the middle/end of the word
use a different password for each financial site and never reuse those anywhere else

thE!quicK!browN!fOx!jumPed!

use a throw away password on non sensitive web sites
easy to remember and throw some numbers and 1 special character in

never save financial passwords on your cell phone or laptop

Good advice except for the password. Encouraging an "Easily remembered" is a doorway to less secure passwords. The imp[ortant part is to be as long as possible, second, it should be random.

Security has spiraled down into an abyss of complications for the average user. We need better. Biometrics would help but aren't ubiquitous enough yet.

There are very good password managers available for all platforms. Everyone should be using one. Password managers are apps that remember the password for you, so you don't have to. And good PW managers will also give advice on potential issues like you are reusing a password at multiple places (another no-no).

Apple has a very good password manager called "Keychain" which meets all those requirements and more.

It would pay users to get and learn and try to always use a good password manager.

Good advice in theory, but very few people will implement it.

I have my passwords listed in an MS Word document that needs a password to open. The document is three pages long. I use it often when I can't remember a password.

Highly recommend a password manager like Dashlane.

Password Manager App for Home, Mobile, Business | Dashlane

I use "Incorrect" as a password for everything...

If I ever forget it, the website tells me "Your password is "Incorrect""... ;)

I use LastPass, but for some sites (that don't really matter) I recommend that people use an old phone number (like maybe their home phone number when they were kids, most people know theirs).

Better tip use caps and small letters . Use a non word . Use a password manager . Use Google add a number sequence to a silly word you know like the last 4 digits of an old phone you remember
Add special characters like a dash or asterisk. In between
Umbrella_3030
My_old_dogs_name_1700
Hot_wheel_1951
2001*fav+Movie

Or use the letters from a ryme . Mary Mary, quite contrary becomes MMqc. . get it?

:bigbow:

Old news. Yawn

I use the web site below as a guide to passwords. You can test what password you are thinking of using and it will give you an approximate time frame to crack the password.
Check this site out:
Use a Passphrase

And you get your news from TOTV?

:ohdear:

This is the last place I go for news

:boxing2:

I’d recommend getting a password manager like Last Pass. It’s foolish and risky to use the same password for everything! If just one site is hacked, and your username and password are available for hackers, then they will start trying the username and password on many bank and retirement sites! If each site uses a different password, you’ll need a password manager to remember the password, since you can’t remember 200 passwords, even if they are hard to guess, but easy to remember passwords. Writing down usernames and passwords in a book is a bad idea. If the book is lost, you have a problem. If the book is over a thousand miles away, you’ve got a problem.

At my former IT job, before I retired, management was very stupid, and used random characters for passwords. They foolishly believed that random characters were more secure. They are actually much less secure, since people had to write down the passwords that were impossible to remember. The passwords on paper could be discovered by someone else.

It’s easy to create a hard to guess, but easy to remember password. For example, V1kingsL0st@gain!
I had to make a password that was about 30 characters long for a backup storage system. I used a modified phrase from a famous book. I could tell co-workers that very long password one time. If the password didn’t change, they would still remember it in ten years after being verbally told the password one time, without writing down the password.

Using intentional wrong answers for security questions, that can easily be remembered is a smart idea. I’ve done that for years.

Two factor logins are also a good idea. The system sends you a text, with a code you have to enter. That system works well if you can copy and paste the code.

For many years, my work retirement system account could only be protected with a four digit password. After many years, they financially protected the users of that financial system with longer passwords that allow upper and lower case, numbers, and special characters.

But I love my 12345678 password.


:cryin2:

You are talking to people who use their real names, give out their addresses, emails, phone numbers and discuss their personal information on a public forum. I am surprised the mods aren't more concerned about that.

Also using a VPN (Virtual Private Network) to mask your IP address is a good idea, especially when you are accessing financial information.This is not a cure-all for hacker proof transmissions but it helps. I use IPVANISH but there are others.

Good humor. My gripe is that I'm told my logon/username OR password is incorrect. There is no clue as to which one or both.

start with username........they will send to your email.
then reset password.

That is a good thing. If it told you which was wrong, it would also be telling the hacker which is wrong, significantly reducing the problem for the hacker, since it will know which is right and can focus on the other.

A good password manager will automatically fill in your user name and password on most (90%) of the logins you do, and on the others, it will show you what your password is. They are safer, inexpensive, and make life easier.

You should probably change your password... Worth the watch...

You Should Probably Change Your Password! | Michael McIntyre Netflix Special - YouTube

I use a password manager called LastPass. It’s awesome. It works on Android, iOS and has plugins/extensions for your browser.

I often use the generate password option. It’s a really handy app.

Many of us probably had a word that we used the first 2 letters as the first part of their phone number. So if you phone number was NI(ghtengale) 1 -2345, a good password would be; Nightengale#1-2345.

Can you recommend a good password manager for a dyed-in-the-wool Windows user?

Pretty sure Google Chrome has one...

I just list all passwords in a Word document that requires another password to open. Then, send it as an email attachment to yourself and store it in a separate email folder. So, I can always access it from any online device. But, my financial passwords are stored in my head. I have never used a password app, but my concern would be that I would become too dependent on it and forget my passwords.

Thanks, but I don't use Chrome.

Holy dating yourself.

LastPass is one of the most popular ones.

I've been using RoboForm for my passwords. At first, I just used the free version, but it didn't automatically sync passwords between all my devices. So I bought the more advanced version and that has been working great for syncing up any new or changed passwords with all my other devices. Go to roboform dot com, price for 1 year is about $24. Well worth it to remember 20-character randomly-generated passwords for you!
I just checked how long it would take to break a 20-character password that RoboForm generated. I used the "Use a Passphrase" link that was posted on page 1. The results for this password (BZfaUHBr.SJYGikf8393) was:
Approximate Crack Time: 31,167,128,343,915,984 centuries. Good enough for me.

And don't forget
 

Enable two step authentication for all major accounts, financial and cell phone

I have had friends have their cell phone go off when peeps trying to break in.

To help me remember passwords, I use lines from songs and use the first letter of each word, throw in special characters, numbers, and random caps. For instance, using a line from Yesterday (Yesterday, all my troubles seemed so far away), I might get: y-Amtss4a. That’s not long enough, but it serves as an example.

I used to work in a Dept. of Energy national lab. They had a project to test the security of all the labs. They sent infected CDs to random people at the labs and some people actually played the programs on them. This allowed them to get into the lab’s network. From there, my understanding is that they cracked passwords by encrypting all possible combinations of valid characters up to a certain length and created a table that they could search for people’s passwords. The more characters used, the longer it takes and the more storage it takes. It takes about 70x the effort/storage to crack passwords for every character more. Because I had a reputation as a power user, they targeted me and cracked my 8-character password. They were hoping I would have programs on my computer they could user to break into more stuff.

One day I saw my mouse pointer move without my assistance. I immediately disconnected my network cable and got a message saying the connection to a computer was broken. I later discovered it to be in Illinois. I called my support tech and our IS department went into action. Not knowing it was a test, I felt very guilty and wondered what I had done to get infected. I tried to clean up my computer and spent two weeks at it until they let me in on the secret. Then, they took my computer and destroyed the hard drive. I had to buy a new computer.

I later found out that I was the only one in all the national labs to catch them. I was just lucky to see them accidentally bump my mouse when I was using my computer. The fact that so many people put a random CD they got in the mail and ran the program on it did not sit well with DOE. After that, lab started testing us on a regular basis. About one in five people failed the tests.

I asked the people who cracked my computer how long of a password I should use. They said they could crack a 14-character password. I figured they were lying, so I changed mine to 16 characters. As this was over a decade ago, I imagine bad people can crack even bigger passwords with modern computers.

The moral of this story is to use long, random passwords. I highly recommend a password manager. I use Keeper and like it very much. It runs on all my computers and mobile devices and shares my passwords amongst them. I also strongly recommend you use two-factor authentication for your most important accounts.

Yeah I had a password manager set up, and then when windows did an automatic upgrade, it logged me out of EVERYTHING -

including the password manager.

And I didn't know the password to the password manager, because I had google auto-fill the password for me.

And then there are all those accounts that require you to change your password every 90 days.

And then there are the few accounts that are left over from the dinosaur days, that finally catch up with the 21st century and tell you that you have to make a new password that's at least 8 characters long, require a special character, a capital letter, and a numeric digit. So all those "orangebaby" passwords now have to be "0rangeB^by"

I understand completely. I tried several Windows Password managers for my wife who runs windows (I run MacOS) and never found one I was happy with.

Since she has an iPad I talked her into using Apples Keychain and now she is a happy camper. She has to type in passwords on windows, but she can always find them on her iPad or iPhone.

I really like Keeper. Not only does it work on Windows, it makes the passwords available on all your mobile devices, too. If you upgrade Windows and get logged out of everything and forget your Keeper password, you can use your phone or tablet to log into Keeper using your face or finger print. Still, Keeper requires me to enter my Keeper password on Windows every time. It’s the only password I need to remember and it’s a good one, but easy to remember.

I just checked on Keeper, it seems to do everything Google already does. Stores my passwords, checks for breaches and warns me of them, saves anything I want to the cloud and syncs with all my devices. I don't pay anything for it though.

When you sign up for this, do you have to change all your existing passwords?

No. It will make suggestions but it will not force you. It's very slick, I use it on my laptop, on my ipad and on my phone. You only need to remember the one password that logs you on to the app and it takes care of the rest.

How does it handle passwords that are required to change every 90 days, and you're not allowed to use the same password you used "x" times prior (each company seems to have different rules)?

There are not many sites that require password changes anymore. I am not subscribed to any but there is an update password ability for any that are changed. The automatic password generator has options you can set.

One more question, if you don't mind. What happens if you pass away and your heirs are handling your estate? I would have left the main password & user name, but would they have to have the RoboForm program in order to access my accounts, etc.?


When we had our trust revised, we were told to put a list of user names and passwords with the trust in the safe deposit box. Getting that list together has been daunting.

Actually I use Lastpass which I am sure is very similar to Roboform in the way it works. It is free for one device and I paid $27 to use on all my devices. It is web based so they could log in from anywhere as long as they had the main password with the premium plan and could easily log in on your main device if you had the free version.