Calgarypuck Forums - The Unofficial Calgary Flames Fan Community

Old 02-10-2016, 10:16 AM   #1
darklord700
First Line Centre
 
Join Date: Oct 2009
Password Management Methods

I recently bought the 1password management software which is very good. But now I must find a really good master password that I cannot lose because even the software maker cannot recover it.

In the past, my passwords were variants of the same one like "applecoreXXX", "applecoreYYY" etc. But I want to use a cryptic one this time.

Some suggested phrases like "OscysBdel" (oh say can you see by dawn's early light). You can add a date to it to make it harder to guess.

The big question is how do you recover your password if you don't remember it. The only way I can come up with is to save it in two places, "OscysBdel" in your home and the number in your office. Any other suggestions?

Last edited by darklord700; 02-10-2016 at 10:26 AM.
darklord700 is offline   Reply With Quote
Old 02-10-2016, 10:25 AM   #2
CaptainCrunch
Norm!
 
Join Date: Jun 2002

Why don't you use the same code as the one that you use on your luggage?


__________________
My name is Ozymandias, King of Kings;

Look on my Works, ye Mighty, and despair!
CaptainCrunch is offline   Reply With Quote
The Following 4 Users Say Thank You to CaptainCrunch For This Useful Post:
Old 02-10-2016, 10:28 AM   #3
Fuzz
Franchise Player
 
Join Date: Mar 2015

Write it on a piece of paper and put it somewhere safe. Then don't forget where you put it....
Fuzz is offline   Reply With Quote
Old 02-10-2016, 10:29 AM   #4
firebug
Powerplay Quarterback
 
Join Date: Aug 2002
Location: Mayor of McKenzie Towne

Quote:
Originally Posted by darklord700 View Post
I recently bought the 1password management software which is very good. But now I must find a really good master password that I cannot lose because even the software maker cannot recover it.

In the past, my passwords were variants of the same one like "applecoreXXX", "applecoreYYY" etc. But I want to use a cryptic one this time.

Some suggested phrases like "OscysBdel" (oh say can you see by dawn's early light). You can add a date to it to make it harder to guess.

The big question is how do you recover your password if you don't remember it. The only way I can come up with is to save it in two places, "OscysBdel" in your home and the number in your office. Any other suggestions?
I use a similar system except I add in a couple 'wildcard' digits to give each site a unique password and therefore don't use a password 'locker' site.

Eg. OscysBdel -> Oscys**Bdel

So I might choose for my algorithm the 3rd and 3rd last letter of the website so the password for Calgary Puck would be:

OscysluBdel

Of course I'd also add a number and a symbol to the original phrase so my final password would become something like:

OscysluBd3!

While password for HockeyFuture would be:

OscyscuBd3! etc.

Of course my initial phrase isn't OscysBdel ;-)
__________________
"Teach a man to reason, and he'll think for a lifetime"

~P^2
firebug is offline   Reply With Quote
The Following User Says Thank You to firebug For This Useful Post:
Old 02-10-2016, 11:00 AM   #5
Northendzone
Franchise Player
 
Join Date: Aug 2009

send your passwords to me as backup. i will store them in a cloud of some type.

no real tips other than suggesting things like your street address where you grew up as a kid, perhaps the licence plate number of your vehicle.

If your password is going to be cryptic, tie it to something you see every day in your life so you won't forget.

there will likely always be a day when you struggle to remember - like those days when you come back to the office after lunch and you struggle to recall your current network password, even though you used it 20 times that week
__________________
If I do not come back avenge my death
Northendzone is offline   Reply With Quote
The Following User Says Thank You to Northendzone For This Useful Post:
Old 02-10-2016, 11:10 AM   #6
photon
The new goggles also do nothing.
 
Join Date: Oct 2001
Location: Calgary

For a master password the longer the better, so a passphrase might be better than just a password. I avoid any kind of pattern based scheme as password hackers have crazy good algorithms for patterns that people think are really obscure, and they all share them. So a 30 character passphrase would be good, and passphrases are usually easier to remember. But don't choose your favorite super hero quote, that'll probably be in the hacker's lists.

https://en.wikipedia.org/wiki/Passphrase

Though the good news is for something like 1Password, they use hashing algorithms that take relatively more time to calculate, so to try a password might take a few milliseconds. This is good because if someone was trying to crack your master password, they could only try hundreds or thousands or maybe tens of thousands of passwords per second. Weaker hashing algorithms take less time and allow for millions or billions of password tests per second.

I use KeePass where I can configure this, I have it set so it takes like a second to try one password, so it's unlikely anyone would ever be able to crack my file with a brute force or dictionary attack. I also have a 25 character password.

As for storing it, if it's the master password you'll probably be typing it every day at least (don't have your browser remember your 1Password password!!), so remembering it really doesn't become an issue.

However if you really want a backup, then written on a paper and put in a safety deposit box maybe (may seem overkill but this would have banking, credit card, email, etc passwords in it). Or pick a spot in your house and write it down (like under the stairs on a stud or inside the furnace panel, someone may see it but not know what the heck it means, bonus it will confuse future generations) possibly?
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
photon is offline   Reply With Quote
The Following User Says Thank You to photon For This Useful Post:
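The slow-hash point in the post above, as an added example that is not part of the post and not code from 1Password or KeePass: it measures how the iteration count of a key-stretching function sets the cost of one guess, calibrates a count to a target unlock time (the kind of "about a second per try" setting the post mentions), and turns the measured rate into a worst-case exhaustion time. PBKDF2-HMAC-SHA256 is used as a stand-in slow hash, the function names are hypothetical, and the rate is measured on one core of the local machine, which is an assumption: dedicated cracking hardware is faster, though the ratio between fast and stretched hashing still applies.

```python
import hashlib
import os
import time

def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master passphrase into a 32-byte vault key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)

def seconds_per_guess(iterations: int, trials: int = 3) -> float:
    """Best-of-N wall-clock cost of testing one candidate on this machine."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_key("constructed-sample-passphrase", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best

def calibrate_iterations(target_seconds: float, probe: int = 20_000) -> int:
    """Choose an iteration count so one unlock costs about target_seconds here.
    PBKDF2 cost is linear in the iteration count, so scale a short probe run."""
    return max(probe, int(probe * target_seconds / seconds_per_guess(probe)))

def years_to_exhaust(alphabet_size: int, length: int,
                     guesses_per_second: float) -> float:
    """Worst-case time to try every string of this length over this alphabet."""
    return alphabet_size ** length / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    stretched = calibrate_iterations(1.0)  # roughly one second per try
    for label, iters in (("single iteration", 1), ("stretched", stretched)):
        rate = 1.0 / seconds_per_guess(iters)
        print(f"{label}: {iters} iterations, about {rate:,.0f} guesses/s")
        # Constructed sample lengths over lowercase letters plus digits (36 symbols).
        for length in (8, 25):
            years = years_to_exhaust(36, length, rate)
            print(f"  length {length}: {years:.3g} years to exhaust")
```
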
Old 02-10-2016, 11:18 AM   #7
Flames89
First Line Centre
 
Join Date: Aug 2003
Location: Toronto, ON

If you look at 1Password's website, they encourage you to use a phrase with no meaning between the words, for example "Calgarypuck Awesome Time Vortex" wouldn't be good as those words intuitively go together.
Also, since I synced with Dropbox, I gradually determined I needed to remember two passwords, 1password and dropbox. That way if I lost everything and found myself at a computer anywhere in the world, I could still log into my email/life.
Flames89 is offline   Reply With Quote
Old 02-10-2016, 11:18 AM   #8
DownhillGoat
Franchise Player
 
Join Date: Jan 2010

I used a random set of digits/numbers that I wrote down and memorized. Then destroyed the paper. It's literally the only one you have to remember, so an 8-character password that you use every day really isn't too bad.

Secondly, buy a small fireproof safe. Write it down and put it in there.
DownhillGoat is offline   Reply With Quote
Old 02-10-2016, 11:19 AM   #9
FlameOn
Franchise Player
 
Join Date: Oct 2010
Location: Calgary

Obviously people are not paranoid enough here. You need to change your master password and then encrypt it using one time cryptographic pads which you commit to memory every time.
https://en.wikipedia.org/wiki/One-time_pad

No one will ever break your password then. :P
/tinfoilhat
FlameOn is offline   Reply With Quote
Old 02-10-2016, 11:33 AM   #10
darklord700
First Line Centre
 
Join Date: Oct 2009

Quote:
Originally Posted by photon View Post
I also have a 25 character password.
A 25 character password is fine on a real keyboard. But don't you find it hard to type on a smart phone keyboard?
darklord700 is offline   Reply With Quote
Old 02-10-2016, 11:38 AM   #11
PeteMoss
Franchise Player
 
Join Date: Jun 2004
Location: SW Ontario

Quote:
Originally Posted by darklord700 View Post
A 25 character password is fine on a real keyboard. But don't you find it hard to type on a smart phone keyboard?
Not sure what phone you are using or about 1Password, but some will allow a PIN to be used on the phone once you log in, or some will allow the fingerprint sensor (if your phone has it) to be used instead of the master password.

Would also recommend setting up two factor authentication for 1Password log ins.
PeteMoss is offline   Reply With Quote
Old 02-10-2016, 11:43 AM   #12
darklord700
First Line Centre
 
Join Date: Oct 2009

Quote:
Originally Posted by PeteMoss View Post
Not sure what phone you are using or about 1Password, but some will allow a PIN to be used on the phone once you log in, or some will allow the fingerprint sensor (if your phone has it) to be used instead of the master password.

Would also recommend setting up two factor authentication for 1Password log ins.
I use Nexus5 and I set 1password to time out every hour so I'll have to re-enter the password every hour. I can also set it not to time out and use a 4 digit pin. But I'm paranoid if my phone was lost, a 4 digit numeric password isn't going to cut it.

Haven't used the two factor authentication yet but will try now, thanks.
darklord700 is offline   Reply With Quote
Old 02-10-2016, 11:56 AM   #13
DoubleF
Franchise Player
 
Join Date: Apr 2014

I've been slowly putting together strings of obscure dates or numbers unrelated to me. Those password requirements are getting crazy. (Oh, hey, 2 letters from your first and last name? Rejected!)

For instance, a password based on parent's phone number, address or birthday or initials vs your own. A completely bizarre and obscure date like the date (or just Month and year of purchasing a laptop or something) could also work I'm guessing.

Another option: Dvorak keyboard. Type in something impossible to forget (ie: Your name + birthday month, day, year.) Look up the characters on a Dvorak keyboard and see what it is. For instance, February2016 could potentially become complete gibberish (EDIT: Output would be U.xpgapf2016). Memorize that string. If you ever forget, you can look it up.

EDIT: For funsies: Darklord700's password = Eaptnrpe700-o laoo,rpe
http://wbic16.xedoloh.com/dvorak.html

I've also on occasion kept offline documents of a riddle that end up with a garbled version of my password that I wouldn't have too much trouble ungarbling without leaving hints on how to ungarble it in the riddle.

But I feel like that is me starting to go through a tin foil hat phase.

Honestly, if someone wants to get at your stuff, they will. Making it annoying for them to get your stuff without keeping yourself out is all you can really hope for.

Agree with Russic below. If you're going that far to keep people out, you have to let them in in the event you can't log in and they have to get in.

Last edited by DoubleF; 02-10-2016 at 12:21 PM. Reason: Dvorak output
DoubleF is offline   Reply With Quote
The Following User Says Thank You to DoubleF For This Useful Post:
Old 02-10-2016, 12:05 PM   #14
Russic
Dances with Wolves
 
Join Date: Jun 2006
Location: Section 304

This might be a bit dark, but consider a method that your loved ones can get ahold of it in the event of your death. It's likely not a necessity, but it could make things far easier on a spouse should something happen. The safety deposit box probably wouldn't be a bad idea.

As for you, one less secure method might be to tape it to something annoying to get to, but somewhere you'll remember. Perhaps go the walter white route and put it behind the faceplate of a wall socket?

Truthfully I just came up with one that was long but not hard to type. I forced myself to type it about 50 times in a row, and I set 1password to lock every time my screensaver turned on. That ensured that I have to type it out at least 10x a day. It's just muscle memory now.
Russic is offline   Reply With Quote
The Following User Says Thank You to Russic For This Useful Post:
Old 02-10-2016, 12:09 PM   #15
mrkajz44
First Line Centre
 
Join Date: Oct 2010
Location: Deep South

The Dvorak keyboard idea is genius - might have to do this myself as my "master" password might be getting a bit stale.
__________________
Much like a sports ticker, you may feel obligated to read this
mrkajz44 is offline   Reply With Quote
Old 02-10-2016, 12:29 PM   #16
photon
The new goggles also do nothing.
 
Join Date: Oct 2001
Location: Calgary

Quote:
Originally Posted by darklord700 View Post
A 25 character password is fine on a real keyboard. But don't you find it hard to type on a smart phone keyboard?
Not hard, but yeah tedious. If the app supports a fingerprint sensor then that can help.
__________________
Uncertainty is an uncomfortable position.
But certainty is an absurd one.
photon is offline   Reply With Quote
Old 02-10-2016, 12:47 PM   #17
BloodFetish
First Line Centre
 
Join Date: Aug 2009
Location: Coquitlam, BC

I used a hockey player for my LastPass master password. For example, if your favorite player growing up was Steve Yzerman, the password could be something like SteveYzerman#19

Long, has upper and lower case, symbols, numbers, easy to remember. Dictionary attack wouldn't work.
BloodFetish is offline   Reply With Quote
Old 02-10-2016, 01:35 PM   #18
darklord700
First Line Centre
 
Join Date: Oct 2009

Many good suggestions thanks.

Question to the expert: would a password like "applecore2015" or "2015applecore" be easier to brute force crack than one like "a2pp0lec1or5e"?
darklord700 is offline   Reply With Quote
Old 02-10-2016, 01:44 PM   #19
Rathji
Franchise Player
 
Join Date: Nov 2006
Location: Supporting Urban Sprawl

Have a super complex password, and then write it down somewhere, but leave off a chunk which makes it impossible to guess.

Like: OscysBdel but then leave the Os off the front, so you just need to remember those 2, or add a bunch on the end that you know is fake (this isn't quite as good) so you can just remove them, like: OscysBdel2016CP.
__________________
"Wake up, Luigi! The only time plumbers sleep on the job is when we're working by the hour."
Rathji is offline   Reply With Quote
Old 02-10-2016, 01:51 PM   #20
Hack&Lube
Atomic Nerd
 
Join Date: Jul 2004
Location: Calgary

Length is everything.

https://xkcd.com/936/



For master passwords, I recommend using something you will never forget but other people could never know or even guess from the internet - like things from your early childhood that are burned into your brain.

Last edited by Hack&Lube; 02-10-2016 at 01:54 PM.
Hack&Lube is offline   Reply With Quote
All times are GMT -6.