Passwords, their importance, and why you should remember them.

Mooncatt

Ambassador
Feb 23, 2011
10,993
707
113
Visit site
Our world is becoming more and more connected. Almost all of our data is now "cloud based," meaning it's stored on a server somewhere. Email, banking info, medical records, you name it. Even somethings as basic as a video game will often use a cloud based backup service to save your progress that allows you to pick up where you left off when you switch devices. This is true even if you don't personally elect to do so, as businesses also maintain customer data on cloud based servers to protect against data loss (such as a tornado destroying their main office). Passwords are used to only allow legitimate users to access cloud based data. You can't even setup a smartphone without a password.

Obviously we don't want just anyone being able to access your info, which is why passwords are so important. They need to be complex and individualized so they they are not easily guessed, but you can not just simply make up a random string of characters and forget about them. Many services will keep you logged in, but what happens when you are logged out? I've seen this situation popping up more often lately on the forums here. A user will have an issue where they need to log into something, but they don't remember their password. Most every service has a password recovery option, but this isn't foolproof. For example, if it's your main Google account and you had to factory reset your phone for some reason, you could be left with a paperweight if you can't enter your info to get through the factory reset protection and don't have another device like a computer to attempt recovering it. Even with using password recovery, I've seen some people having trouble getting into their phone after resetting the password.

So what are your options? I'll run through a few, from the least to most secure.

Since anything is better than nothing, using the same password that you can remember across all accounts will be good for convenience and give you some protection. But what happens if someone guesses that password (so don't use 12345, ABCDE, or anything else easily guessed)? They now have the keys to your kingdom. So this isn't even considered a real recommendation from a security standpoint. You really do need individual passwords that are long (10 characters or more) and have a mix of characters.

One recommendation I use to see a lot was to create mnemonic passwords. Something like Imr34lLyH4pP¥ (I'm really happy) would be an example. It has a mix of upper and lower case letters, numbers, symbols, and is fairly long. Their are a couple of problems with this, though. There are password dictionaries out there on the dark web. When a hacker tries to brute force attack an account (meaning just guessing every possible combination), they write a program that tries password entries automatically. The programs use these dictionaries to make their guesses, and there are dictionaries specific to these types of passwords, only numbers, only letters, etc, and makes guessing such passwords much easier. The other problem is the number of passwords we need keep growing. Some sites are able to use services like Google or Facebook accounts to log you in, but a lot of places don't. As your list of passwords grows, the harder it becomes to remember even these "easy to remember" passwords. I'm up to 76 different password protected accounts. No way I could remember all of these regardless of what tricks I used to remember them.

One of the best methods I've found is using a password manager. This program will help you create and store very complex and individualized passwords for any account you need. Instead of remembering all of them, you create one very strong "Master Password," then you simply log into it whenever you need to retrieve a password for something else. Because you now only have to remember the one password, it can be as strong as you need but more easily remembered.

For a more detailed discussion on Password managers, check out this article.

https://m.androidcentral.com/why-you-and-your-family-should-be-using-2fa-and-password-manager

And for help on choosing the best, check out

https://m.androidcentral.com/why-you-and-your-family-should-be-using-2fa-and-password-manager

Some things to consider are costs of the manager (though many are free), their security measures, if encryption/decryption is done locally on the device you're using, do they have a password generator, cross platform usability, auto-fill options, and general ease of use. I personally use Last Pass, which checks all those boxes and more, and is free (though I subscribe to the paid plan). There are many others that are also very capable, but I don't have any personal experience with them.

One bit of a security vulnerability note with password managers is it's not recommended to use a PIN number to log in. These are often used as a quick login once you've used your master password, but they very easy to break through a brute force attack. Always login with either your master password or a biometric (fingerprint or iris scanning).

If you have trouble remembering your master password, then you will need to take steps to do so. Either by making it a little less secure but easier to remember or writing it down somewhere. Some managers may also have a hardware backed authentication where you use a physical USB key or similar. What I did was modify one of my old common passwords I was already use to, making it both more secure and complex.

I would also suggest you make one more easy to remember but strong password for something like your Google account. Because we are such a mobile based society, you definitely want to remember this in case the worst happens and you have to reset a phone. Remember, a password manager app will not be on your phone by default, nor will it have your info on a fresh install or even be usable until after the setup process is complete. If you can't remember that password to get into your phone, then hopefully your manager of choice is cloud based and you can log in from another device to retrieve that Google password.

Long story short, passwords are not to be taken lightly and making up random ones you don't remember just to setup a phone or other account is only asking for trouble. There are options out there that help you keep track of these while remaining very secure. Use them.
 
Last edited:

Rukbat

Retired Moderator
Feb 12, 2012
44,528
28
0
Visit site
The only thing I don't like is subscriptions. KeePassDroid is safe, uses fingerprint (or password) unlock, creates long random passwords, and lets you keep the data file in the cloud so other devices can use the same password file - with no payment. (True, no 2FA, but important apps, like bank apps, should be doing that on their own.)
 

Mooncatt

Ambassador
Feb 23, 2011
10,993
707
113
Visit site
The only thing I don't like is subscriptions. KeePassDroid is safe, uses fingerprint (or password) unlock, creates long random passwords, and lets you keep the data file in the cloud so other devices can use the same password file - with no payment. (True, no 2FA, but important apps, like bank apps, should be doing that on their own.)
I think that's becoming more of the norm to include all that in free versions. I know Last Pass made that change a while back to include cross device/platform use in the free version now. The paid version offers a few extra features, but the biggest difference is direct customer support access. For the free version, you're pretty much limited to their user forums for help. I also love that I can create form profiles for things like my credit/debit cards, secured notes. For the really security conscious, it also has a built in browser and keyboard to prevent browser based attacks and key loggers from tracking you. I can also analyze my passwords on things like if any are duplicates, age, and complexity to help make sure I'm as secure as possible. There's also a new emergency access feature (which I think is one of the paid options) that lets you grant a trusted person access in case something happens to you.
 

B. Diddy

Senior Ambassador
Moderator
Mar 9, 2012
167,314
7,523
113
Visit site
I also routinely recommend the Stone Age method of just writing down important passwords and keeping them in a safe at home!
 

dlalonde

Trusted Member
Dec 31, 2014
576
0
0
Visit site
I was wondering if Google Password is any good (the one use to autofill by default) or if a proper password manager is better.
 

Mooncatt

Ambassador
Feb 23, 2011
10,993
707
113
Visit site
I was wondering if Google Password is any good (the one use to autofill by default) or if a proper password manager is better.
I'll use browser auto-fill for non-secure data like my name and address, but not for passwords. They are generally seen as vulnerable and often store the passwords in plain text. A good password manager will not store any info in plain text and perform all encryption/decryption locally so your info isn't vulnerable on their servers. Ideally the only time your password is available in plain text is when you let the manager input it into a site's secure password field or you are viewing within the manager itself.
 

chanchan05

Q&A Team
Nov 22, 2014
8,519
1
0
Visit site
Sorry if I'm a bit slow but is this image saying that creating some sort of phrase with random words is more secure than using the usual mix of upper and lower case, numbers and special caracters?
Exactly. Further security stems from the fact that most brute force unlocking software bogs down at around 11 to 16 characters, but pass phrases can reach as many characters as allowed. I know Google passwords can go more than 20 characters.

Also, to even further increase security, you can use upper case and special characters as well. For example, the following phrases as a passphrases:

Android Forums 2018, good times!

!!Batman is Ace Ventura!?
 

Itsa_Me_Mario

¯\_(o_o)_/¯
Feb 19, 2018
1,681
0
0
Visit site
Sorry if I'm a bit slow but is this image saying that creating some sort of phrase with random words is more secure than using the usual mix of upper and lower case, numbers and special caracters?

Yes, that is correct. It's more characters which exponentially raises the length of time to systematically stumble upon it. The words also don't actually have to be random, because pattern recognition only applies if it's an attacker who knows enough about you to guess a phrase.

Example, I can make my password, "Itsa_real-Me;-Mario!" and that's 20 characters, and even with my username, a machine is't going to stumble upon that any easier than if it were "A1Z2fQ*lulz&hooISit?" - because they're all just characters and it has to go through all allowed characters in a sequence determined by a relatively simply algorithm that doesn't have a whole lot of context recognition built into it.

For awhile I literally used, AssassinatedWasTupacSaysYodaRapGod for the password on a site that allowed more than 20 characters and even though it's a logically coherent-ish phrase, I felt like it'd be impossible to "crack".
 

Mooncatt

Ambassador
Feb 23, 2011
10,993
707
113
Visit site
My concern with pass phrases like that are the available hacker dictionaries. So while a 20 character simple pass phrase may have more individual character combinations, a hacker program designed to try word combinations instead of every individual random string of characters is theoretically going to be able to crack the password much quicker. With password managers to handle them, it's just as easy and more secure to make that a 20 character string of random characters. And if you are using pass phrases like that, then I'm guessing you are not using a manager, meaning you are manually typing in your passwords. With an auto-fill ability, now the manager is both easy, more secure, and quicker at logging you in.

There really isn't a reason not to use one in today's world.
 

Itsa_Me_Mario

¯\_(o_o)_/¯
Feb 19, 2018
1,681
0
0
Visit site
My concern with pass phrases like that are the available hacker dictionaries. So while a 20 character simple pass phrase may have more individual character combinations, a hacker program designed to try word combinations instead of every individual random string of characters is theoretically going to be able to crack the password much quicker. With password managers to handle them, it's just as easy and more secure to make that a 20 character string of random characters. And if you are using pass phrases like that, then I'm guessing you are not using a manager, meaning you are manually typing in your passwords. With an auto-fill ability, now the manager is both easy, more secure, and quicker at logging you in.

There really isn't a reason not to use one in today's world.

I use a letters and numbers long phrase type password as my master-password on LastPass myself, they make it too easy to be better than I would be at trying to manage hundreds of passwords myself.
 

pcondello

New member
Nov 11, 2015
3
0
0
Visit site
I've been using Evernote as my password manager for almost as long as it's been around, but I have a system or a "code" whereby if my Evernote account was hacked, the passwords themselves would not be evident without the key that is in my head.

I've considered going to LastPass, but I just have so many, maybe 1000, I dread the transition.

I had a friend that used a standard password policy, something like a combination of a common keyword with upper, lower, numeric and special char, plus the name of the site spelled backwards, plus the number of characters in the site's name. So there was no need for a password manager, as the password was already defined for every site.
 

Mooncatt

Ambassador
Feb 23, 2011
10,993
707
113
Visit site
I've considered going to LastPass, but I just have so many, maybe 1000, I dread the transition.

If you can convert them into a CSV file, you can import all of them into Last Pass. Not sure how it needs things formatted to import correctly, though.
 

pcondello

New member
Nov 11, 2015
3
0
0
Visit site
My entries in Evernote are not a standard format that could easily be formatted to csv. And the passwords anyway in there are not the real password. They're like pnemonics that remind me what the real password is. So I would still have to put them in one by one.
 

chanchan05

Q&A Team
Nov 22, 2014
8,519
1
0
Visit site
I've considered going to LastPass, but I just have so many, maybe 1000, I dread the transition.

Actually transition is easy. You don't have to copy them over one by one. Just add the LastPass extension to your browser. Whenever you enter your credentials to a website, the extension will ask you if you want to save the credentials you just entered to LastPass. So you can just install the extension and forget about it transferring manually. Just click yes whenever it asks you if you want to save the new details to LastPass.
 

Members online

Trending Posts

Forum statistics

Threads
949,854
Messages
6,944,630
Members
3,161,664
Latest member
Roxyghostgirl92