10-18-2018 02:00 PM
  1. Mooncatt's Avatar
    Our world is becoming more and more connected. Almost all of our data is now "cloud based," meaning it's stored on a server somewhere. Email, banking info, medical records, you name it. Even something as basic as a video game will often use a cloud based backup service to save your progress that allows you to pick up where you left off when you switch devices. This is true even if you don't personally elect to do so, as businesses also maintain customer data on cloud based servers to protect against data loss (such as a tornado destroying their main office). You can't even set up a smartphone without a password.

    Obviously we don't want just anyone being able to access your info, which is why passwords are so important. They need to be complex and individualized so that they are not easily guessed, but you cannot just simply make up a random string of characters and forget about them. Many services will keep you logged in, but what happens when you are logged out? I've seen this situation popping up more often lately on the forums here. A user will have an issue where they need to log into something, but they don't remember their password. Most every service has a password recovery option, but this isn't foolproof. For example, if it's your main Google account and you had to factory reset your phone for some reason, you could be left with a paperweight if you can't enter your info to get through the factory reset protection and don't have another device like a computer to attempt recovering it. Even with using password recovery, I've seen some people having trouble getting into their phone after resetting the password.

    So what are your options? I'll run through a few, from the least to most secure.

    Since anything is better than nothing, using the same password that you can remember across all accounts will be good for convenience and give you some protection. But what happens if someone guesses that password (so don't use 12345, ABCDE, or anything else easily guessed)? They now have the keys to your kingdom. So this isn't even considered a real recommendation from a security standpoint. You really do need individual passwords that are long (10 characters or more) and have a mix of characters.

    One recommendation I used to see a lot was to create mnemonic passwords. Something like Imr34lLyH4pP¥ (I'm really happy) would be an example. It has a mix of upper and lower case letters, numbers, symbols, and is fairly long. There are a couple of problems with this, though. There are password dictionaries out there on the dark web. When a hacker tries to brute force attack an account (meaning just guessing every possible combination), they write a program that tries password entries automatically. The programs use these dictionaries to make their guesses, and there are dictionaries specific to these types of passwords, only numbers, only letters, etc., and this makes guessing such passwords much easier. The other problem is that the number of passwords we need keeps growing. Some sites are able to use services like Google or Facebook accounts to log you in, but a lot of places don't. As your list of passwords grows, the harder it becomes to remember even these "easy to remember" passwords. I'm up to 76 different password protected accounts. No way I could remember all of these regardless of what tricks I used to remember them.

    One of the best methods I've found is using a password manager. This program will help you create and store very complex and individualized passwords for any account you need. Instead of remembering all of them, you create one very strong "Master Password," then you simply log into it whenever you need to retrieve a password for something else. Because you now only have to remember the one password, it can be as strong as you need but more easily remembered.

    For a more detailed discussion on password managers, check out this article.

    https://m.androidcentral.com/why-you...ssword-manager

    And for help on choosing the best, check out

    https://m.androidcentral.com/why-you...ssword-manager

    Some things to consider are costs of the manager (though many are free), their security measures, if encryption/decryption is done locally on the device you're using, do they have a password generator, cross platform usability, auto-fill options, and general ease of use. I personally use Last Pass, which checks all those boxes and more, and is free (though I subscribe to the paid plan). There are many others that are also very capable, but I don't have any personal experience with them.

    One bit of a security vulnerability note with password managers is it's not recommended to use a PIN number to log in. These are often used as a quick login once you've used your master password, but they are very easy to break through a brute force attack. Always log in with either your master password or a biometric (fingerprint or iris scanning).

    If you have trouble remembering your master password, then you will need to take steps to do so. Either by making it a little less secure but easier to remember or writing it down somewhere. Some managers may also have a hardware backed authentication where you use a physical USB key or similar. What I did was modify one of my old common passwords I was already used to, making it both more secure and complex. This is especially important if you opt for Last Pass, which has no option to recover your master password. Because they never get it in plain text (it's encrypted several times over before going to their servers as a data "blob"), they cannot reset it. The only thing they can do is let you create a hint to remind you. If you can't remember it, not even the NSA could help you log in.

    I would also suggest you make one more easy to remember but strong password for something like your Google account. Because we are such a mobile based society, you definitely want to remember this in case the worst happens and you have to reset a phone. Remember, a password manager app will not be on your phone by default, nor will it have your info on a fresh install or even be usable until after the setup process is complete. If you can't remember that password to get into your phone, then hopefully your manager of choice is cloud based and you can log in from another device to retrieve that Google password.

    Long story short, passwords are not to be taken lightly and making up random ones you don't remember just to set up a phone or other account is only asking for trouble. There are options out there that help you keep track of these while remaining very secure. Use them.
    07-23-2018 02:34 PM
  2. Javier P's Avatar
    Great write up! Thanks!
    07-23-2018 02:49 PM
  3. B. Diddy's Avatar
    Required reading. This will be on the test.
    Mooncatt likes this.
    07-23-2018 02:54 PM
  4. Almeuit's Avatar
    I agree. I use LastPass and literally can't imagine my life without it.
    07-23-2018 02:57 PM
  5. Rukbat's Avatar
    The only thing I don't like is subscriptions. KeePassDroid is safe, uses fingerprint (or password) unlock, creates long random passwords, and lets you keep the data file in the cloud so other devices can use the same password file - with no payment. (True, no 2FA, but important apps, like bank apps, should be doing that on their own.)
    jaytee likes this.
    07-23-2018 03:05 PM
  6. Mooncatt's Avatar
    The only thing I don't like is subscriptions. KeePassDroid is safe, uses fingerprint (or password) unlock, creates long random passwords, and lets you keep the data file in the cloud so other devices can use the same password file - with no payment. (True, no 2FA, but important apps, like bank apps, should be doing that on their own.)
    I think that's becoming more of the norm to include all that in free versions. I know Last Pass made that change a while back to include cross device/platform use in the free version now. The paid version offers a few extra features, but the biggest difference is direct customer support access. For the free version, you're pretty much limited to their user forums for help. I also love that I can create form profiles for things like my credit/debit cards, secured notes. For the really security conscious, it also has a built in browser and keyboard to prevent browser based attacks and key loggers from tracking you. I can also analyze my passwords on things like if any are duplicates, age, and complexity to help make sure I'm as secure as possible. There's also a new emergency access feature (which I think is one of the paid options) that lets you grant a trusted person access in case something happens to you.
    07-23-2018 04:20 PM
  7. B. Diddy's Avatar
    I also routinely recommend the Stone Age method of just writing down important passwords and keeping them in a safe at home!
    07-23-2018 11:20 PM
  8. dlalonde's Avatar
    I was wondering if Google Password is any good (the one used to autofill by default) or if a proper password manager is better.
    07-24-2018 08:39 PM
  9. Mooncatt's Avatar
    I also routinely recommend the Stone Age method of just writing down important passwords and keeping them in a safe at home!
    Which is fine... Until you need one when away from home.
    B. Diddy likes this.
    07-24-2018 08:59 PM
  10. Mooncatt's Avatar
    I was wondering if Google Password is any good (the one used to autofill by default) or if a proper password manager is better.
    I'll use browser auto-fill for non-secure data like my name and address, but not for passwords. They are generally seen as vulnerable and often store the passwords in plain text. A good password manager will not store any info in plain text and perform all encryption/decryption locally so your info isn't vulnerable on their servers. Ideally the only time your password is available in plain text is when you let the manager input it into a site's secure password field or you are viewing within the manager itself.
    07-24-2018 09:12 PM
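    Post 1 (Last Pass never receives the master password in plain text, only an encrypted "blob", so it cannot reset it) and post 10 (a good manager does all encryption and decryption locally) describe the same design. The following is an added example written for this thread, not LastPass's or any other product's code: the master password is stretched into a vault key on the device, a separate one-way hash of that key is the only thing sent to the server, and the vault is encrypted before upload. The PBKDF2 iteration count, the user-name salt, the HMAC-based counter-mode cipher standing in for AES, the `VaultServer` class and the sample account are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumed work factor for this example, not any vendor's real setting.
PBKDF2_ITERATIONS = 200_000


def derive_vault_key(master_password: str, username: str,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte vault key, on the device.
    The user name is the salt, so equal master passwords give different keys.
    This key never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               username.lower().encode("utf-8"), iterations)


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One more one-way step turns the vault key into the login credential.
    Only this value is sent to the server; it cannot be reversed into the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode("utf-8"), 1)


def _subkey(vault_key: bytes, purpose: bytes) -> bytes:
    # Key separation: independent encryption and MAC keys from the one vault key.
    return hmac.new(vault_key, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a standard-library stand-in for
    # AES-CTR, constructed for this example (a product would use AES-GCM or similar).
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_blob(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC on the device. Layout: nonce(16) || ciphertext || tag(32)."""
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = _subkey(vault_key, b"enc"), _subkey(vault_key, b"mac")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_blob(vault_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key is wrong or the blob was altered."""
    if len(blob) < 48:
        return None
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkey(vault_key, b"enc"), _subkey(vault_key, b"mac")
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


class VaultServer:
    """Everything the service ever holds: a salted hash of the auth hash, and the blob."""

    def __init__(self):
        self._users = {}

    def register(self, username: str, auth_hash: bytes, blob: bytes) -> None:
        salt = secrets.token_bytes(16)
        verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, 10_000)
        self._users[username] = {"salt": salt, "verifier": verifier, "blob": blob}

    def login(self, username: str, auth_hash: bytes) -> Optional[bytes]:
        """Return the stored blob if the auth hash checks out, else None."""
        record = self._users.get(username)
        if record is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, record["salt"], 10_000)
        return record["blob"] if hmac.compare_digest(candidate, record["verifier"]) else None

    def reset_master_password(self, username: str) -> bool:
        # Nothing stored here can decrypt the blob, so there is nothing to reset it to.
        return False


def round_trip(master_password: str, attempt: str) -> dict:
    """Register with master_password, then log in and decrypt using `attempt`."""
    username = "user@example.com"                      # constructed sample account
    key = derive_vault_key(master_password, username)
    server = VaultServer()
    server.register(username, derive_auth_hash(key, master_password),
                    encrypt_blob(key, b"bank.example: s3cret-sample"))   # constructed entry

    attempt_key = derive_vault_key(attempt, username)
    blob = server.login(username, derive_auth_hash(attempt_key, attempt))
    return {
        "login_ok": blob is not None,
        "entry": decrypt_blob(attempt_key, blob) if blob else None,
        "server_can_reset": server.reset_master_password(username),
    }
```

    The point to take from `round_trip` is the failure case: a wrong master password fails the server's login check, and even a copy of the blob decrypts to nothing, because the server's verifier and the vault key are separated by one-way steps. That is why a manager built this way can hand out a hint but never a reset, and why the auto-fill path in post 10 (the manager decrypts on the device and types into the field) is the only place the secret appears in clear.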
  11. chanchan05's Avatar
    07-24-2018 09:32 PM
  12. dlalonde's Avatar
    [Image: password_strength.png]
    Sorry if I'm a bit slow but is this image saying that creating some sort of phrase with random words is more secure than using the usual mix of upper and lower case, numbers and special characters?
    07-25-2018 09:00 AM
  13. chanchan05's Avatar
    Sorry if I'm a bit slow but is this image saying that creating some sort of phrase with random words is more secure than using the usual mix of upper and lower case, numbers and special characters?
    Exactly. Further security stems from the fact that most brute force unlocking software bogs down at around 11 to 16 characters, but pass phrases can reach as many characters as allowed. I know Google passwords can go more than 20 characters.

    Also, to even further increase security, you can use upper case and special characters as well. For example, the following phrases as passphrases:

    Android Forums 2018, good times!

    !!Batman is Ace Ventura!?
    dlalonde likes this.
    07-25-2018 09:48 AM
  14. Itsa_Me_Mario's Avatar
    Sorry if I'm a bit slow but is this image saying that creating some sort of phrase with random words is more secure than using the usual mix of upper and lower case, numbers and special characters?
    Yes, that is correct. It's more characters which exponentially raises the length of time to systematically stumble upon it. The words also don't actually have to be random, because pattern recognition only applies if it's an attacker who knows enough about you to guess a phrase.

    Example, I can make my password, "Itsa_real-Me;-Mario!" and that's 20 characters, and even with my username, a machine isn't going to stumble upon that any easier than if it were "A1Z2fQ*lulz&hooISit?" - because they're all just characters and it has to go through all allowed characters in a sequence determined by a relatively simple algorithm that doesn't have a whole lot of context recognition built into it.

    For awhile I literally used, AssassinatedWasTupacSaysYodaRapGod for the password on a site that allowed more than 20 characters and even though it's a logically coherent-ish phrase, I felt like it'd be impossible to "crack".
    dlalonde and Laura Knotek like this.
    07-25-2018 11:29 AM
  15. Mooncatt's Avatar
    My concern with pass phrases like that is the available hacker dictionaries. So while a 20 character simple pass phrase may have more individual character combinations, a hacker program designed to try word combinations instead of every individual random string of characters is theoretically going to be able to crack the password much quicker. With password managers to handle them, it's just as easy and more secure to make that a 20 character string of random characters. And if you are using pass phrases like that, then I'm guessing you are not using a manager, meaning you are manually typing in your passwords. With an auto-fill ability, now the manager is both easy, more secure, and quicker at logging you in.

    There really isn't a reason not to use one in today's world.
    dlalonde likes this.
    07-25-2018 01:15 PM
  16. Itsa_Me_Mario's Avatar
    My concern with pass phrases like that is the available hacker dictionaries. So while a 20 character simple pass phrase may have more individual character combinations, a hacker program designed to try word combinations instead of every individual random string of characters is theoretically going to be able to crack the password much quicker. With password managers to handle them, it's just as easy and more secure to make that a 20 character string of random characters. And if you are using pass phrases like that, then I'm guessing you are not using a manager, meaning you are manually typing in your passwords. With an auto-fill ability, now the manager is both easy, more secure, and quicker at logging you in.

    There really isn't a reason not to use one in today's world.
    I use a letters and numbers long phrase type password as my master-password on LastPass myself, they make it too easy to be better than I would be at trying to manage hundreds of passwords myself.
    Mooncatt likes this.
    07-25-2018 03:33 PM
  17. pcondello's Avatar
    I've been using Evernote as my password manager for almost as long as it's been around, but I have a system or a "code" whereby if my Evernote account was hacked, the passwords themselves would not be evident without the key that is in my head.

    I've considered going to LastPass, but I just have so many, maybe 1000, I dread the transition.

    I had a friend that used a standard password policy, something like a combination of a common keyword with upper, lower, numeric and special char, plus the name of the site spelled backwards, plus the number of characters in the site's name. So there was no need for a password manager, as the password was already defined for every site.
    07-26-2018 03:18 PM
  18. Mooncatt's Avatar
    I've considered going to LastPass, but I just have so many, maybe 1000, I dread the transition.
    If you can convert them into a CSV file, you can import all of them into Last Pass. Not sure how it needs things formatted to import correctly, though.
    07-26-2018 03:32 PM
  19. pcondello's Avatar
    My entries in Evernote are not a standard format that could easily be formatted to csv. And the passwords anyway in there are not the real password. They're like mnemonics that remind me what the real password is. So I would still have to put them in one by one.
    07-26-2018 03:40 PM
  20. chanchan05's Avatar
    I've considered going to LastPass, but I just have so many, maybe 1000, I dread the transition.
    Actually transition is easy. You don't have to copy them over one by one. Just add the LastPass extension to your browser. Whenever you enter your credentials to a website, the extension will ask you if you want to save the credentials you just entered to LastPass. So you can just install the extension and forget about it transferring manually. Just click yes whenever it asks you if you want to save the new details to LastPass.
    Mooncatt likes this.
    07-26-2018 09:31 PM
  21. Almeuit's Avatar
    I actually just got a YubiKey Neo (2 of them) and now use that for 2FA on important accounts. I set up a main and backup one for LastPass. Now it is locked down / encrypted with my Master Password, encrypted again w/ Yubi, and requires a physical key. I didn't think it did a double but even LP told me to re-log in on devices and such due to it.
    07-27-2018 01:24 AM
  22. dlalonde's Avatar
    I personally use Enpass because of LastPass past issues with hacking and such. With Enpass my database is stored on my device or Google Drive which I trust more.

    Exactly. Further security stems from the fact that most brute force unlocking software bogs down at around 11 to 16 characters, but pass phrases can reach as many characters as allowed. I know Google passwords can go more than 20 characters.

    Also, to even further increase security, you can use upper case and special characters as well. For example, the following phrases as passphrases:

    Android Forums 2018, good times!

    !!Batman is Ace Ventura!?
    That's pretty sweet! I've checked this with several password security checkers (using fake passwords of course) and that proved this. Even the more complex passwords were breakable before a long passphrase.
    07-29-2018 10:07 AM
  23. chanchan05's Avatar
    My concern with pass phrases like that is the available hacker dictionaries. So while a 20 character simple pass phrase may have more individual character combinations, a hacker program designed to try word combinations instead of every individual random string of characters is theoretically going to be able to crack the password much quicker. With password managers to handle them, it's just as easy and more secure to make that a 20 character string of random characters. And if you are using pass phrases like that, then I'm guessing you are not using a manager, meaning you are manually typing in your passwords. With an auto-fill ability, now the manager is both easy, more secure, and quicker at logging you in.

    There really isn't a reason not to use one in today's world.
    The answer to this is, there are more words than characters. There are 171,476 words in the English language. So it's still got to go through all of those and put them in combinations.

    Further, that doesn't take into account foreign words. All of us know at least some foreign words right? That exponentially increases security, especially if we use languages like romanized Japanese words which would vary in spelling depending on which Japanese alphabet you prefer.

    However, I see your point in a password manager. I use one as well. But you still need a single master password that you remember, that is also hard to crack.
    dlalonde likes this.
    07-29-2018 12:34 PM
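    Posts 13 and 14 count a passphrase by its characters, post 15 worries that a word-combination attack makes that count too optimistic, and post 23 answers with the size of the English vocabulary. The numbers behind that disagreement can be worked out directly. The following is an added example, not code from anyone in the thread; it assumes a 95-character printable alphabet, a guessing rate of 1e10 per second (a rough order of magnitude for offline attacks on a fast hash, and far above what an online login form with rate limiting allows), and takes only the 171,476-word figure from post 23. It also shows the 4-digit PIN case from post 1. All figures assume the characters or words were picked at random; a phrase a person composes (as in posts 14 and 16) is not uniform and gets fewer bits than the formula says, so these are upper bounds.

```python
import math
import re

# Constructed assumptions for this example; the only number taken from the thread
# is the 171,476-word English vocabulary figure quoted in post 23.
GUESSES_PER_SECOND = 1e10   # offline guessing against a fast hash, rough GPU-rig order of magnitude
PRINTABLE_ASCII = 95        # upper, lower, digits, symbols and space
ENGLISH_WORDS = 171_476


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a string whose every character is chosen uniformly."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count: int, dictionary_size: int = ENGLISH_WORDS) -> float:
    """Entropy in bits of word_count words drawn uniformly from a dictionary."""
    return word_count * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected guessing time: on average half of the 2**bits space is searched."""
    return 2 ** bits / 2 / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("seconds", 60), ("minutes", 60), ("hours", 24),
                       ("days", 365.25), ("years", None)):
        if size is None or seconds < size:
            return f"{seconds:.3g} {unit}"
        seconds /= size


def count_words(phrase: str) -> int:
    """Number of alphabetic words in a phrase; punctuation and digits are ignored."""
    return len(re.findall(r"[A-Za-z]+", phrase))


def phrase_under_two_models(phrase: str) -> dict:
    """Work factor for one phrase under two attacker models.

    as_random_characters: the attacker tries every printable string of this
        length (the view taken in posts 13 and 14).
    as_dictionary_words: the attacker combines dictionary words and treats the
        capitalisation and punctuation as free (the concern raised in post 15).
        That is pessimistic, so it is the defender's lower bound.
    """
    return {
        "as_random_characters": random_string_bits(len(phrase), PRINTABLE_ASCII),
        "as_dictionary_words": passphrase_bits(count_words(phrase)),
    }


def summary() -> list:
    """Rows of (label, bits, expected crack time) for the cases discussed in the thread."""
    cases = [
        ("4-digit PIN (post 1)", random_string_bits(4, 10)),
        ("10 random printable characters", random_string_bits(10, PRINTABLE_ASCII)),
        ("20 random printable characters", random_string_bits(20, PRINTABLE_ASCII)),
        ("4 random dictionary words", passphrase_bits(4)),
        ("6 random dictionary words", passphrase_bits(6)),
    ]
    for phrase in ("Android Forums 2018, good times!", "!!Batman is Ace Ventura!?"):
        models = phrase_under_two_models(phrase)
        cases.append((f"{phrase!r} as characters", models["as_random_characters"]))
        cases.append((f"{phrase!r} as words", models["as_dictionary_words"]))
    return [(label, round(bits, 1), human_time(expected_crack_seconds(bits)))
            for label, bits in cases]


if __name__ == "__main__":
    for label, bits, crack_time in summary():
        print(f"{label:52s} {bits:7.1f} bits  ~{crack_time}")
```

    Run it and the two readings of "!!Batman is Ace Ventura!?" sit about 95 bits apart: 25 printable characters is a search space no attacker will exhaust, while four dictionary words is roughly 70 bits, comparable to 10 or 11 random printable characters. Both are still far beyond a 4-digit PIN, which the same arithmetic puts at about 13 bits, which is why post 1 advises against PIN unlock on a manager. A manager's generator, as post 15 says, gets the 20-random-character figure without anyone having to remember it.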
  24. Mooncatt's Avatar
    An excellent article on password strength, the strength meters you may find, and some surprising numbers on just how quickly a password can be cracked.

    https://nakedsecurity.sophos.com/201...rength-meters/


    And this beast, linked from the prior article!

    https://arstechnica.com/information-...rd-in-6-hours/
    dlalonde likes this.
    07-29-2018 04:21 PM
  25. TraderGary's Avatar
    I too use LastPass and have used it for many years.
    Kate and I use LastPass Families.
    This allows us to share some passwords jointly such as bank passwords.
    We find this invaluable.
    09-29-2018 11:16 PM