Password Managers

But you're not storing them in a browser. You're storing them in a password protected encrypted vault. Short of a keylogger on your system no one will gain access to it. And if you have a keylogger on your system nothing you do on it is safe.
 
Given the features being added to Chrome and Firefox, it won't be long before the passwords saved in either browser will be in a password manager provided by said browser. They aren't there yet, but they probably will get there eventually.

And while that would be preferable to what's done now, it's still another way to allow people to be lazy about actually remembering their passwords, which is, in my experience, "the root of all evil."

There are methods to allow humans to create passwords that are insanely secure, yet easy for them to remember, and where relying on a password manager is a backup. These days I'd rather my clients who are residential clients use a notebook in their desk as their password manager over using browser-based password memory.

The client I'm currently working with has had to go back through his old notes and try to retrieve passwords for account after account after account because he relied on the browser filling in everything for him, for years, and knew virtually none of them, and he was reusing variants (which was, at least, better than all the exact same password).

Anyone can train themselves to create memorable passwords (to them) while having them be way more than adequately long and complex to be "hack resistant." One such way is The Portmanteau Method of Creating Passwords.
 
@britechguy

Or, I can just not think about any passwords at all, I can use that method to make the one password I need to remember to access my vault that's 2FA'd via an independent mechanism that has another password for recovery. For extreme emergencies, the entire vault is printed and stored in my fireproof safe. My current vault has well over 500 unique passwords in it, there's no remembering all that crap.

Though... I will admit... When working with retirees... that little black book is almost as good. There's absolutely nothing wrong with the little black book of passwords, so long as it doesn't get stolen. Which doesn't happen all that often. It's certainly easier for next of kin to use on your behalf in an emergency / end of life scenario.

But a normal person using memory cues can keep track of 20-30 passwords easily enough, and the idea is sound, and is also quite correct. Length is the key to security, not complexity. MaryHadALittleLamb! is substantially more secure than M@ryL_mb!. Boomers and password managers don't really mix, they do much better using the little black book and your methods.
 
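The "length beats complexity" claim in the reply above can be made concrete with a small estimator. This is an added example, not code from the original thread or from any password manager; the two passwords are the ones quoted above, while the tiny word list and the 20,000-word dictionary size are assumptions standing in for a real cracking wordlist. It scores each password two ways: against a naive brute-force attacker who only knows the length and character classes, and against a dictionary-aware attacker who guesses whole words, which is the attacker a passphrase actually faces.

```python
import math
import re

# Constructed stand-in for a cracking dictionary (assumption, not a real wordlist).
COMMON_WORDS = {"mary", "had", "a", "little", "lamb", "the", "password"}


def charset_size(pw: str) -> int:
    """Size of the alphabet a naive brute-force attacker must cover for this password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(pw: str) -> float:
    """log2 of the keyspace for an attacker who knows only length and character classes."""
    return len(pw) * math.log2(charset_size(pw))


def phrase_tokens(pw: str) -> list:
    """Split a password into the units a rule-based cracker would guess:
    CamelCase words, lowercase runs, digit runs and symbol runs."""
    return re.findall(r"[A-Z][a-z]*|[a-z]+|[0-9]+|[^A-Za-z0-9]+", pw)


def phrase_aware_bits(pw: str, dict_size: int = 20000) -> float:
    """Estimate for an attacker who guesses dictionary words instead of characters.
    A token that is a dictionary word costs log2(dict_size) guesses plus one bit
    for its capitalisation; any other token is charged at the brute-force rate.
    dict_size is an assumed wordlist size for the illustration."""
    bits = 0.0
    for tok in phrase_tokens(pw):
        if tok.lower() in COMMON_WORDS:
            bits += math.log2(dict_size) + 1
        else:
            bits += len(tok) * math.log2(charset_size(tok))
    return bits


def compare(passwords):
    """Return {password: (brute-force bits, phrase-aware bits)} for a list of passwords."""
    return {pw: (round(brute_force_bits(pw), 1), round(phrase_aware_bits(pw), 1))
            for pw in passwords}


if __name__ == "__main__":
    for pw, (naive, aware) in compare(["MaryHadALittleLamb!", "M@ryL_mb!"]).items():
        print(f"{pw:22} brute-force {naive:6.1f} bits   dictionary-aware {aware:6.1f} bits")
```

The long phrase wins under both models, which is the poster's point, but its dictionary-aware score is far below the naive one: five common words are five picks from a wordlist, not nineteen random characters. The practical check is the second column, not the first.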
One of the reasons I came up with the Portmanteau Method is that it makes it easy not only to generate long, complex passwords, but it removes the need to really memorize them once you know "your formula."

I challenge anyone to be able to randomly and quickly hack/break the passwords of someone who used 12497 Orchard as the address part, Pepper as the pet name part, and & as the special character.

12497PepperTechNibbleOrchard&
12497PepperGmailOrchard&
12497PepperjcpennyOrchard&

are all going to be well-nigh impossible for someone without intimate knowledge of a given individual's ancient past, and chosen combining formula, to break. And it becomes very, very easy to type those once the fixed parts are in muscle memory.
 
Or... someone looks at the passwords. These things are lifted when online systems are breached in some way. Machine learning is being applied to mining the data. Right now, I think your method works well enough, but that will all come to an end at some point in the not too distant future.

We've reached the point where passwords are just not going to cut it at all. Which is why all super secure systems are going to security tokens and pins. Eventually that reality will trickle down to the rest of us.

In the meantime I set up M365 with Microsoft Authenticator push notifications, and I show users how they can keep that crappy password. But if their phone starts going nuts, they need to change it.
 
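The reply above raises the weak point of any fixed "formula" scheme: once a couple of a person's passwords turn up in breach dumps, the fixed parts and the per-site part separate out. The following is an added example, not code from either poster; it takes the three Portmanteau passwords quoted earlier, pairs two of them with site names that are an assumption for the illustration, recovers the shared prefix and suffix, and then generates the obvious candidates for a third site. A defender can run the same logic over a user's breached credentials to decide whether the rest of their accounts need a reset.

```python
# Constructed sample: two passwords from the post above, paired with assumed site names.
LEAKED = {
    "technibble.com": "12497PepperTechNibbleOrchard&",
    "gmail.com":      "12497PepperGmailOrchard&",
}


def common_prefix(a: str, b: str) -> str:
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return a[:n]


def common_suffix(a: str, b: str) -> str:
    return common_prefix(a[::-1], b[::-1])[::-1]


def infer_formula(passwords) -> tuple:
    """Return (prefix, suffix) shared by every password: the fixed parts of the formula."""
    pws = list(passwords)
    prefix, suffix = pws[0], pws[0]
    for pw in pws[1:]:
        prefix = common_prefix(prefix, pw)
        suffix = common_suffix(suffix, pw)
    # If prefix and suffix overlap (near-identical passwords), trim the suffix so the
    # two fixed parts never claim the same characters.
    shortest = min(len(p) for p in pws)
    overlap = len(prefix) + len(suffix) - shortest
    if overlap > 0:
        suffix = suffix[overlap:]
    return prefix, suffix


def variable_parts(site_to_pw: dict, prefix: str, suffix: str) -> dict:
    """The middle of each password once the fixed parts are stripped."""
    return {site: pw[len(prefix):len(pw) - len(suffix)] for site, pw in site_to_pw.items()}


def matches_site_names(site_to_pw: dict, prefix: str, suffix: str) -> bool:
    """True when every variable part is just the site's name, i.e. the formula is
    'fixed + site + fixed' and the remaining accounts are predictable."""
    parts = variable_parts(site_to_pw, prefix, suffix)
    return all(part.lower() == site.split(".")[0].lower() for site, part in parts.items())


def site_tokens(site: str) -> list:
    """Plausible ways a person writes a site name into a password (assumed spellings)."""
    base = site.split(".")[0]
    return list(dict.fromkeys([base, base.lower(), base.capitalize(), base.upper()]))


def candidates(prefix: str, suffix: str, site: str) -> list:
    """Passwords to try for a site that has not leaked yet, given the recovered formula."""
    return [prefix + tok + suffix for tok in site_tokens(site)]


if __name__ == "__main__":
    prefix, suffix = infer_formula(LEAKED.values())
    print("fixed prefix:", prefix, " fixed suffix:", suffix)
    print("per-site parts:", variable_parts(LEAKED, prefix, suffix))
    print("formula is fixed+site+fixed:", matches_site_names(LEAKED, prefix, suffix))
    print("guesses for jcpenny.com:", candidates(prefix, suffix, "jcpenny.com"))
```

Two leaked passwords are enough: the address and pet-name parts fall out as the shared prefix and suffix, and the only thing left to guess for any other account is how the site name was spelled. That is why the formula's apparent length buys nothing once reuse is visible, and why the poster's 500-entry vault of unrelated passwords does not have this problem.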
In the end, whatever ends up being used MUST be "human friendly."

Part of the reason passwords are not adequate is that, as commonly used, they're not security-friendly and human-friendly at the same time. And in the early days of computing for "the masses" the kind of threats and technology that are available today for nefarious actors simply did not exist.

No system of security is going to be accepted by the great mass of computer users if it's not something that's easy and convenient for them.

That's something that the security experts constantly forget. If you create something that's not convenient for the people that must use it they will come up with some very clever, and also very stupid, ways around it that completely defeat its intended purpose in the first place. Computers are tools that are meant to serve us, and make our lives easier, not the other way around.
 
@britechguy That's yet another argument for current implementations of MFA. You push a button on your phone to login. That's actually the primary authentication event, the password is secondary. Modern authentication systems are actually moving to abolish the password entirely.

If you're doing MFA via a code you have to type manually in a box... you're using an MFA engine that's not only out of date, but arguably useless in terms of security.
 
Believe it or not, I actually had my first encounter with the "push a button on your phone" to allow login to complete the other day, when I wanted to log in to my Gmail account on a machine that "is not one of my usuals."

This technique is truly convenient, though I still would not want to be having to do that every time I logged in from my own computer.

I can't say that the majority of my clients don't have smartphones, but when you're in a relatively rural area, and senior citizens are a significant part of your client base, many don't. One of my newer clients has his sister pushing him to get a smartphone, which he's been resisting. I have tried to "soften him up" just because of the convenience involved and the fact that the resistance is mostly out of fear of the unknown. I tell anyone that when it comes to smartphones they need only be as complicated as you want them to be. You don't have to use every capability they have, and most of us don't. If you also either clean up your screens yourself, or have someone else do it, such that only your "greatest hits" apps are on display, they become dirt simple to use.
 
There are other devices that can act as a trusted entry point, but they are more expensive.

At this point the only reason MFA via Google or Microsoft platforms is so "difficult" is because of the API that allows 3rd party systems to authenticate. They're trying to make a system that works with all this old junk, and the new junk too.

The goal post is the authenticated device. By default Google and Microsoft both authenticate a given device to no longer need the MFA prompt for 14 days. On M365 I extend that duration to the maximum of 60 days.

But yeah without a smart phone in the home market, your only tool is to disable MFA entirely and use your method to create a secure password and pray you don't get hit. Businesses have similar problems with employees that don't have smart phones. That's why I disable Microsoft's Security Defaults on all my M365 tenants, because I have to have the ability to disable MFA enforcement. But these are now the special cases, fading from use over time not the norm.

But, there are betas from both companies where you go to login to your online portal, get a QR code... scan that with your enrolled authenticator app and BOOM you're logged in. No password required, because the physical token in your hand, your phone, is the password.
 
There are other devices that can act as a trusted entry point, but they are more expensive.

Even with the near ubiquity of the smartphone, there are plenty of people who do not, ever, want to be "tethered to" their phone in order to be able to go about their daily business in "an odd spot" when the need presents itself.

I would have been mightily, mightily PO-ed had I not had my phone (and that could have happened, I often leave it in the car rather than carrying it in) and I were to have been forbidden access to my Gmail account. Now, they did give me other options, but I can't imagine a time when "other options" will not be necessary just in case someone is sans phone at a time when they need access.

Heck, I'd be mightily, mightily PO-ed were I not able to log in to do online banking from any computer I so choose to access my accounts, provided it has a currently supported OS and browser. And none of the banks or credit unions where I have accounts are sending codes to phones to allow access. Nor is the bank my partner does business with.
 
That's why all of the aforementioned systems have the concept of a trusted device, those things can be exempted from 2FA requirements. M365 does this via what it calls Conditional Access, which among other things can flag your office as a trusted location and therefore only needs the password for authentication.

The rest... well your phone becomes your keys. You can't get in the door without your keys, you can't get in the door without your phone. And why? Because loss of that phone is just as visible as a loss of the keys you use everyday. That visibility is where the trust comes from, and all of this severs your dependence on archaic rituals to remember passwords. Which is by definition, hard.

And don't get me started on the banks... those idiots have been a half century behind everyone else on security standards for my entire lifetime. They're the WORST, because they're financially incentivized via insurance to FAIL on these matters. That situation is a walking example of why I despise left leaning political theory, because it's a perfect example of why it must always fail. But we're getting off track...

No, you can't "forget your phone", it's on your belt with your keys.
 
No, you can't "forget your phone", it's on your belt with your keys.

I've seen, and will probably continue to see, way more people forget their phone than their keys, and lose their keys but not their phone (though that happens, too).

There is no perfect system, that's for sure.
 
I've always been a fan of Roboform. I've used it for the last 15+ years, maybe 20, but it's always done what I needed it to do, and it doesn't come with the problems other like services have had.
 