How do you manage passwords?

[JustGettingStarted]

I have trouble remembering passwords for so many sites. I have a password that works for everything (upper case/lower case, numbers, letters and a punctuation character, 8 characters long) but it's not safe to use the same one on everything, so I'm going to be changing them this week. I'm thinking of creating one that has all the necessary characters, but varies by one character, based on the name of the site. Like "F07896a!" for Facebook and "M07896a!" for mumsnet, etc.

I still think someone might figure out the system. What do you do?

[putthesneckon]

JamieVardysHavingAParty
Not exactly as posted and other features so game not given away

[AllTakenSoRubbishUsername]

I have a little book that I write them all in (hidden, of course!)

[ReflectentMonatomism]

Although Google also allow you to use the Google Authenticator app, which doesn't need connectivity

As do Facebook and Twitter.

I leverage that by using Facebook, Google or Twitter to login to services which I think need 2FA but which don't offer it, or only offer it via SMS. It's marginal, as those oauth-based services aren't without their own considerable risks, but on balance I think it's slightly better (but not clearly better enough to advise other people to do the same).

Lastpass's authenticator is Google-compliant, but also backs up the secrets to your Lastpass vault. That's also not risk-free, but having dealt with recovering from a wiped phone which had all my 2FA secrets on it, I think the risk is worth it. My ultimate backstop for Lastpass 2FA is a Yubikey in a safe at work.

[DGRossetti]

This thread is weird - is it written by a bunch of people working for Lastpass? It certainly reads like it. Reporting.

Report away. MNHQ will tell you (if they haven't) that I'm a regular poster.

Also, it's hard to comment on how many times I said other solutions were available ???????

I just happen to use Lastpass, happily, and I know it's probably a bit old fashioned these days, but as a satisfied customer (I have a paid for version) they deserve the praise on the basis that I will quite happily name shit products and companies too.

[DGRossetti]

We don't get mobile reception in my building. So a 2-step encryption system with phone would require waiting around outside to get a msg.

A good 2FA system will be designed for offline use. Facebook and Google both allow you to generate some codes which you can write down/print out and keep in your wallet/wherever and use when challenged for 2FA without mobile coverage. (Although Google also allow you to use the Google Authenticator app, which doesn't need connectivity).

(Bear than in mind when people start whinging about banks forcing 2FA on people for large/unusual purchases).

[JamieVardysHavingAParty]

^I use my postcode plus the website name. so for Mumsnet it would be
"M first part of postcode ** second part of postcode T"^

I would recommend you change your username, tbh.

[Tuptup]

This thread is weird - is it written by a bunch of people working for Lastpass?
Well I can't comment for others but I don't, was just answering questions that the op asked as its the one I use. Most people are probably answering from the perspective of lastpass as its one of the most used ones.

[happyclutterchucker]

I write them down in a book

^ me too

(And no, I don't work for Paperchase)

[Stupomax]

This thread is weird - is it written by a bunch of people working for Lastpass? It certainly reads like it. Reporting.

This post is weird.

[Spagyetti]

This thread is weird - is it written by a bunch of people working for Lastpass? It certainly reads like it. Reporting.

[Scallywag1903]

fairplay *@mastertomsmum * I agree....tbh I am talking passwords to libraries, Whistles, Tesco etc. Not anything financial IYSWIM. But yep - discretion is key I agree

[mastertomsmum]

Never tell people stuff like this on an ope forum

[ragged]

It's funny reading this.

I need to login my desktop machine at work. So I can't use a lastpass system to get on them. My fingers need to know what to do.

We don't get mobile reception in my building. So a 2-step encryption system with phone would require waiting around outside to get a msg.

My current phone is truly crap & can't install any more apps (no room). This may change, tbf.

I don't actually turn my phone on very often, tbh, but obviously I could choose to have it on all the time if super useful to me. After phone has been off, it takes about 35 minutes to start receiving texts quickly. Until that initial period ends, texts sent to me just don't arrive within 2 minutes. Anyway, I'd have to coordinate the phone being on at right times in right places. Wifi... well, let's just say sometimes I can connect devices to it at work, and sometimes I can't.

We hotdesk at work, so could be using any of many computers to login to other sites from.

I HAVE resorted to taping passwords for some sites to documents at work. Typically p'wds allow me to read an encrypted pdf sent only to me. Colleagues can knock selves out trying to find a way to use that.

[Scallywag1903]

I am most probably going to get slammed for this, but I once read a comment from Stephen Fry that your chances of being burgled were tiny compared to being hacked. Sooo in the spirit of OLD SKOOL, I have a box with cards and I write all my passwords down. Only exceptions are ofc bank accounts and credit cards. I remember all of those and change regularly. It has been invaluable I have to say.As I have sooo many and work ones too.

[justaperson]

I use KeePass which is pretty good, you can store it locally and back it up to wherever you store your backups normally. It's free and open source, no need to be online to use it, you can also run it from a USB stick too if you want to.
I'd second the 2FA advice though, many more places do it now so no real excuse not to use it at least for email and other important accounts.

[MeetOnTheSIedge]

Thanks all. I guess the thing to do is start an account and add one thing at a time until I'm happy with how it all works.

[putthesneckon]

I do similar to cjt110

I use my postcode plus the website name. so for Mumsnet it would be
"M first part of postcode ** second part of postcode T"

Never forgotten one since :-)

[Tuptup]

Meet, you don't need to download, you can just log in, bottom menu item on the site.

[DGRossetti]

but what really annoys me is sites that insist on me using their format, but they don't prompt you as to what that format is

In a world drowning in standards, you'd think password management would have an ISO or IEEE standard somewhere ?

[LadyinLavende]

I have a bookend system but what really annoys me is sites that insist on me using their format, but they don't prompt you as to what that format is if you can't remember the password: like the ones which insist on passwords at least 12 elements long. If it said "hint" your password is at least 12 letters long I would know what I'd used.... but my standard password is "only" 11 digits.

I'm totally paranoid about entrusting my passwords to a password manager.....

[Stupomax]

Well, I had a good look at the lastpass website - it seems you do have to download either a browser extension or an app, so that is a problem if you want to log in to anything on a device that isn't your own, eg work laptop. I suppose you could look up a password on your phone then type it into the website manually though.

There's no need to download an extension. Just log in from a browser window on whatever device you're using at the time. If Lastpass doesn't recognise the device or location it'll email you to check you're really you.

[MeetOnTheSIedge]

Well, I had a good look at the lastpass website - it seems you do have to download either a browser extension or an app, so that is a problem if you want to log in to anything on a device that isn't your own, eg work laptop. I suppose you could look up a password on your phone then type it into the website manually though.

[SisyphusDad]

And another small but nice thing on the LastPass mobile app. If you ask to see your password in plain text, it shows upper and lower case letters, numbers and symbols in different colours so you can tell your lower case L from the number 1 etc.

[JustGettingStarted]

I saw they have an automatic password change feature that has dozens of major sites participating.

[DGRossetti]

Just signed up to a new site today, and had Lastpass remember it for me. Which reminded me of another feature (again others may offer this) where it sends you an email whenever any of your login details is changed.