Password strategies and tips

[MaidOfStars]

No AIBU, clearly here for traffic.

This thread might be good for people to share/learn about good password strategy on the Internet. I know that I have zero strategy and get by a collection of auto-inserts, failed attempts, "Forgotten password" buttons and so on.

From another thread, posted by Puntastic
I know a bit about this stuff, and I suggest the following: forget all the standard password advice. It sucks. Do this instead:

1. Install good security software AND KEEP IT PATCHED. This is the single most important thing you can do to protect yourself online. And when you get those boxes popping up saying "Er, I think this website is a bit dodgy actually", don't just ignore them and click through anyway!
   

1. Don't create passwords by doing simple number/character substitutions, and don't use a simple scheme such as password = username+sitename, maybe with a 1 on the end, and increasing the number by 1 every time you have to change it. These are all strategies that attackers are very well aware of, so they don't really protect you at all.
   

Instead, try a password generation scheme such as sticking three random words together - this is reasonably memorable but (as long as the words aren't obviously linked eg cat-sat-mat) not straightforward to guess.

1. Don't worry about making a password strong enough to withstand a brute force attack - this is effectively almost impossible these days, due to the wide availability of cheap computing power, and brute force is not even the most significant attack vector - as we've seen here, stealing credentials via phishing or malware is far more prevalent and with those, password strength doesn't make a blind bit of difference.
   

1. Do not re use passwords between systems/websites you care about. Sure, use a single, weak password for sites you don't care about eg one where you just go to buy one thing then never return to, or which don't protect valuable personal information. Because if that one does get nobbled, you don't need to care. Put your effort into making sure the info you DO care about is better protected.
   

1. Writing passwords down isn't the worst thing in the world, and is probably inevitable for passwords you don't use regularly - most people just can't retain these in memory no matter how hard they try. Writing them on a bit of paper and then protecting that paper accordingly is a reasonable way of doing this. Alternatively, there are loads of software password managers available so you could use one of those - just bear in mind that these will have weaknesses, just the same as any other piece of software, and attackers will attack them if they can.

[ChristmasZombie]

OK, this may or may not be useful, but a suggestion for creating a "strong password" that I heard a while ago is to pick your favourite line from your favourite song, then use the first letter of each word, then add a memorable number or two.

Example:
Favourite song might be the Miley Cyrus classic, and favourite line is
"I came in like a wrecking ball, I never hit so hard in love."
Password becomes: Icilawbinhshil
Then you add 1982 because that's the year you got married or whatever.
Ridiculous password is now: IcilawbInhshil1982

[HawkEyeTheNoo]

Great tip!! My password is now yltlfftg1987 - I don't think anyone will guess that!!! in all seriousness that is a really good tip

[Thurlow]

I went to a talk on internet security and the guy (ex-FBI, it was very exciting!) was saying you should only need 3 or 4 passwords. Bank accounts and anything storing personal info need strong passwords, obviously, but yes - for sites that don't contain any personal or payment info, you can use the same password.

He also said that nearly everybody in the world writes their passwords down somewhere, and that a piece of paper inside your desk drawer at home is probably safer than anywhere else

[Mrsmorton]

But some of the passwords on the list are very complex. Didn't stop them being published though. I don't see how a better password could have helped.

[PuntasticUsername]

Zombie that's a good idea, but attackers know about it too - there are lists on the internet of passwords created from the first lines of popular songs, and these will be among the first things brute force attackers try. So the important bit is what you do to make the password unique to you - add some extra information (something not trivial for anyone to guess) at particular points in the password and yes, if you can't remember all the variations of these that you use across all your passwords, writing them down and storing them securely is fine.

[PuntasticUsername]

MrsMorton - quite right, strong passwords make no difference when they are nicked via phishing, but they do give you better protection in other scenarios.

[tabulahrasa]

Mrsmorton - but it stops anyone from accessing other sites because someone's used the same password or because it's something similar or they follow an obvious theme.

[happygirl87]

OP, I posted a related thread in chat here www.mumsnet.com/Talk/_chat/2452161-Technology-wizards-please-come-and-chat-about-what-makes-a-secure-password
The OP and next post in this thread sum up my query perfectly- which approach is safer (complicated acronym or random words) and why?? And does it matter if I can't use spaces between the words (as often not allowed in passwords)? If you would usually use something like "battery staple horse" (as per the XKCD pic!) but your bank requires an 8 digit password with no spaces or special characters, no common words and at least 1 number and 1 upper case letter, what do you do?!

[PuntasticUsername]

Ooh I didn't know about the thread in Tech, thanks, I'll look there.

If you look at my 1159 post on this thread: www.mumsnet.com/Talk/am_i_being_unreasonable/2452085-To-ask-you-to-take-responsibility-for-your-own-internet-security hopefully that will answer your question about complex vs memorable passwords.

Re what you do with accounts that require complex passwords - firstly, your banking details are probably the most important thing for you to protect online, so don't begrudge making that password as strong as you can. Don't bother with simple number/character substitutions; they don't fox attackers at all. Same goes for putting random numbers and ! on the end of your pw.

My short advice is to get good security software and keep it patched, make your banking password the best you can, then write it down and store it securely.

[ItsAllGoingToBeFine]

Also, securing your email is critical, as that is where all of your account info is likely to reside, and where password resets are sent to.

If a site offers two-step authentication use it! (Gmail, PayPal, twitter are three I can think of)

[Collaborate]

I use a Mac and other apple products. I have an app called OnePassword that links all my devices, and creates impossible to guess passwords. I only need to remember one password to access all the others,

Also Safari on Mac will also generate (and remember for you) a random password.

I've just been spending this morning doing that with all of my accounts. A PITA, but when i'm one of the 3000 it's something I needed to do.

[happygirl87]

So (C & P from another thread to catch traffic)
Is "clothesswimminGperpenDicular" is better than "Itaw1aw!"?
Would "clothesswim1nGperpenD1culer" (ie random real words with number replacements and misspelling) be better still?
Thanks!