My feed
Premium

Please
or
to access all these features

Join the discussion and meet other Mumsnetters on our free online chat forum.

Chat

How do you manage passwords?

70 replies

JustGettingStarted · 10/12/2018 11:21

I have trouble remembering passwords for so many sites. I have a password that works for everything (upper case/lower case, numbers, letters and a punctuation character, 8 characters long) but it's not safe to use the same one on everything, so I'm going to be changing them this week. I'm thinking of creating one that has all the necessary characters, but varies by one character, based on the name of the site. Like "F07896a!" for Facebook and "M07896a!" for mumsnet, etc.

I still think someone might figure out the system. What do you do?

OP posts:
CheeseTheDay · 10/12/2018 11:32

I use LastPass, which stores my passwords for all my sites, so the only password I have to remember is my LastPass one.

If I do forget a password for another site, I just log onto LastPass, and it's stored there for me.

DGRossetti · 10/12/2018 11:34

I use a password manager: Lastpass (others are available).

It will create unique strong passwords when you sign up, and automatically log you into sites it knows your credentials for (it learns when you log in and offers to save passwords).

It's cloud based, so you can access if from any device, and has iOS and Android apps you can install to your phone/tablet.

I've set it up with 2FA, so it needs a code to a phone as well as password to access.

Sitranced · 10/12/2018 11:35

I used to keep them all on a spreadsheet stored on dongle keyring in the ye olden days. Now it's all on lastpass.

cjt110 · 10/12/2018 11:36

I use a the first letters of a complex pass phrase and bookend it with the page I'm logging in to. Plus a digit and a character

So for example, My phrase is lollipops are yummy. I'm logging into Yahoo..

This would read YlayO1!

I use this same passphrase for ALL sites and just change the bookends to match the website. It has been an epiphany since I started to use it.

HoustonBess · 10/12/2018 11:38

Use a password manager. Much much much much better.

Tuptup · 10/12/2018 11:39

I used lastpass and use its auto generator for passes so theyre all unique.

JustGettingStarted · 10/12/2018 11:40

I read that lastpass got hacked. If anything goes wrong with the company holding my passwords, I'm screwed.

OP posts:
SleepingBooty · 10/12/2018 11:40

Dashlane password manager and fingerprint recognition on my phone apps.

JustGettingStarted · 10/12/2018 11:41

Cjt, that's my system, too.

OP posts:
Tuptup · 10/12/2018 11:48

I read that lastpass got hacked.

Nothing of importance was stolen because of their solid encryption, as long as you change your master password it's an incredibly safe system to use. Far safer then having a pattern type password system.

SisyphusDad · 10/12/2018 11:58

LastPass with two-factor authentication, which means that in addition to my password I have to use a special USB key or a one time code generated on my phone to access my account. I let LastPass generate very long unique passwords for every log in.

SisyphusDad · 10/12/2018 12:03

P.S. This is the classic XKCD cartoon about passwords: xkcd.com/936/

There are actually web sites that will help you generate passwords using this approach.

DGRossetti · 10/12/2018 12:27

I read that lastpass got hacked. If anything goes wrong with the company holding my passwords, I'm screwed.

I did a lot of digging before I carried on using Lastpass (they bought up the password manager I used before) and they never transmit password in the clear - they're encrypted on your machine before being sent up to the similarly (and uniquely) encrypted cloud version of your database.

So any "hack" is just going to get your encrypted details - of no use to man nor beast.

However, beyond that, you really shouldn't be reliant solely on passwords - certainly not for anything that moves money. So it's 2FA all the way (as nobody ever said). Even if my username and password got "stolen" (bearing in mind you have absolutely no idea how they are stored at "widgetywidget.com" anyway Hmm ) any bad actor would need to have access to my phone and/or authentication token to be able to log into an account.

Personally, I balance the fact that Lastpass allows a strong unique password for every site with the small chance of a hack, against the very real risk of having to use (or even worse re-use) memorable passwords that could be guessed for other sites.

There are other password managers - quite a few tinfoil hatters like Keepass, which never sends the database anywhere (you encrypt it and use it locally). However, I found it's "import" facility from Lastpass pants. And when you have 400+ logins, having to move half manually isn't really fun.

My DB is far more paranoid than I am and uses www.themooltipass.com/ - which is a device that stores your passwords, and you have to plug into a computer where it "pretends" to be a keyboard and types the password for you. For my money ($79 apparently) it's far too fiddly and attention seeking (as a lot of tinfoil hatters are Grin)

JustGettingStarted · 10/12/2018 12:32

Hacking aside, if something goes wrong with their site - they go out of business, their servers go down, etc, aren't you stuck?

I used one of those strong password testing sites to find something that would take 5 years to crack. I can remember the core, then personalise the bookend to each site. There's a chance that someone eyeballing it could see what I've done if everything starts with the first 2 letters of the site's url, but the criminals aren't eyeballing it. I'm worried about fending off the computers.

OP posts:
BadlyAgedMemes · 10/12/2018 12:34

Google remebers most of mine, I guess... I do also have important passwords written down in a notebook (together with DH's) - nowhere particularly obvious or easy to find, but in case one of us croaks or gets very ill and we need access.

DGRossetti · 10/12/2018 12:39

Hacking aside, if something goes wrong with their site - they go out of business, their servers go down, etc, aren't you stuck?

Only if you want to access the cloud bit (i.e. from a new/different machine). Otherwise you have a local database.

As I said, there are purely local varieties of password manager (Keepass) that basically rely on you to do the cloud bit (either by carrying a file on a USB stick, or using Google/MS drives). But to my mind the ballache far outweighs the uplift in security.

Password management - and computer security in general - is really removing the low-hanging fruit, and driving any casual hacker elsewhere. If someone good has really targeted you, then there's holes everywhere. Using SMS for 2FA is a good example, if you're signed up with a numpty phone provider that allows people to request and activate a new SIM with your number. Where possible I prefer non-SMS 2FA like the card reader for my bank, or an app on my phone which generates the linked code for a site.

BadlyAgedMemes · 10/12/2018 12:39

But having written that, I'll definitely look into Lastpass! Password security's one of those things I always think I should put some thought into, and never get round to. Hmm

DGRossetti · 10/12/2018 12:41

I do also have important passwords written down in a notebook (together with DH's) - nowhere particularly obvious or easy to find, but in case one of us croaks or gets very ill and we need access.

Not really conducive to changing them regularly though ...

Fair does to Facebook - they allow you to nominate a friend to help recover your account if you get locked out, and an executor to curate your account if you should shuffle off the mortal coil.

BadlyAgedMemes · 10/12/2018 12:44

Not really conducive to changing them regularly though

You're right. They get changed occasionally (and scribbled out and rewritten), but not as often as it's recommended.

Tuptup · 10/12/2018 12:59

Lastpass offers offline access and you can export all your data so going down/out of business isn't a problem.
Likewise is lastpass isnt thr one you go for most offer similar type thinhs.

There's a chance that someone eyeballing it could see what I've done if everything starts with the first 2 letters of the site's url, but the criminals aren't eyeballing it.

Disagree with this, you can buy passwords and email combos on blackhat sites fairly cheap for crap sites, but they use the info or password pattern to go after more important accounts.

JustGettingStarted · 10/12/2018 12:59

One problem with the easy-to-memorise bookend approach is, if a site ever gets hacked and you have to change your password, then you have to change the memorized core. That has happened to me. I think it was an issue with mumsnet at one point. Now, if I change my core every year then eventually it can revert back to being the standard for all. But in the meantime, one site will have a different core. So long as Chrome can log me in, it's not an issue. But occasionally I have to actually know my password for something and then it's a pain in the ass.

OP posts:
Tuptup · 10/12/2018 13:18

Yes when mn got hacked I remember some idiots people admitting to logging into the peoples emails using the passwords leaked, supposedly under the guise of helping out. Hmm So I wouldn't put it past someone who isn't even your average crim to try your combo on other sites, if for example your password mnpass00! got leaked. I
f your password containing your core got leaked, I'd recommend changing across all sites not just one, have a mooch at password managers, it's far safe then the book ending method and there's lots of different ones out there with different security.

Don’t want to miss threads like this?

Weekly

Sign up to our weekly round up and get all the best threads sent straight to your inbox!

Log in to update your newsletter preferences.

You've subscribed!

JustGettingStarted · 10/12/2018 13:41

I'm going to go with changing the core across everything if one site gets hacked. The mumsnet thing was annoying because I don't much care if someone gets into this account - there's no money involved. But it meant having a lot of hassle and that hassle extended to other sites.

OP posts:
JustGettingStarted · 10/12/2018 13:44

I guess I just don't trust lastpass, etc. But if they're really secure and you can keep the passwords stored somewhere that isn't just attached to their servers (in case they get destroyed by an asteroid) then it could actually work.

This morning I had to send a message on a site related to my work and finances and in order to message via the helpcentre, I had to proved the 3rd and 7th characters of my password. Having something I can easily remember meant that I could message them. Is it possible to look up the password and see it with my naked eye with lastpass?

(Does anyone else hate sites that don't allow you to see what you're typing in? It's hard to know if "35Ff*£$Wp876%" is being typed in correctly if you can't see it!)

OP posts:
SpoonBlender · 10/12/2018 13:48

1password here. It works across Windows/Mac/iThings/Android. I've gone for the subscription version now, in an attempt to help keep them in business. This fancier version checks things like "which sites are saved that have had password compromises" and even "did your creds leak", places you could enable 2FA if you wanted, that sort of thing. It's good, and means I can set 20 character random scruff for everywhere (except dumb places that limit to 8 characters or "only numbers and letters" etc etc, to which I still use random scruff but within those limits)

Please create an account

To comment on this thread you need to create a Mumsnet account.