
Passwords

Clitheroekid
Lemon Quarter
Posts: 2875
Joined: November 6th, 2016, 9:58 pm
Has thanked: 1390 times
Been thanked: 3806 times

Passwords

#433134

Postby Clitheroekid » August 7th, 2021, 4:23 pm

New guidance from GCHQ says that the best form of password is three random words – https://inews.co.uk/news/passwords-cont ... 140498/amp

I’m a great believer in the What3words app - https://www.bbc.co.uk/news/uk-england-49319760.amp - for identifying a location, and it occurs to me that a good way of creating a password would be to think of a specific location that means something to you, find the W3w combination that applies to that location, and then adopt that combination as your password.

If you were unable to remember the password you could then just use the W3w app to visit the location.

There is no way that any fraudster would be able to guess that you were using this app for the password, and even if they did they would have no idea which location you had chosen.

I would think this is as near foolproof as possible, but having no technical knowledge can any more expert Fools see any problems with the idea?

Aminatidi
Lemon Slice
Posts: 428
Joined: March 4th, 2018, 8:22 pm
Has thanked: 61 times
Been thanked: 116 times

Re: Passwords

#433138

Postby Aminatidi » August 7th, 2021, 4:35 pm

Apologies if I've misunderstood but you've framed it as if you're picking one good password.

You should use a strong random password for each site or service because, regardless of how strong your choice of password is, you're screwed if the website you've used it on isn't storing it securely and gets compromised, as someone now has your strong password.
Last edited by Aminatidi on August 7th, 2021, 4:40 pm, edited 1 time in total.

GrahamPlatt
Lemon Quarter
Posts: 2093
Joined: November 4th, 2016, 9:40 am
Has thanked: 1041 times
Been thanked: 847 times

Re: Passwords

#433140

Postby GrahamPlatt » August 7th, 2021, 4:38 pm


scrumpyjack
Lemon Quarter
Posts: 4862
Joined: November 4th, 2016, 10:15 am
Has thanked: 617 times
Been thanked: 2707 times

Re: Passwords

#433142

Postby scrumpyjack » August 7th, 2021, 4:48 pm

Aminatidi wrote:Apologies if I've misunderstood but you've framed it as if you're picking one good password.

You should use a strong random password for each site or service because, regardless of how strong your choice of password is, you're screwed if the website you've used it on isn't storing it securely and gets compromised, as someone now has your strong password.


Well only if you use the same password also on a website that matters. But many websites I log in to have no sensitive info, no financial transactions or data etc, so I can't really see it matters if I use the same password on such sites.

Also this stuff about how long it would take a program to keep trying different passwords to get in does not take into account that most websites where security matters will suspend your account after 3 incorrect attempts, so good luck to the password-breaking software, and anyway they will have TFA as well!

Aminatidi
Lemon Slice
Posts: 428
Joined: March 4th, 2018, 8:22 pm
Has thanked: 61 times
Been thanked: 116 times

Re: Passwords

#433144

Postby Aminatidi » August 7th, 2021, 4:54 pm

scrumpyjack wrote:Well only if you use the same password also on a website that matters. But many websites I log in to have no sensitive info, no financial transactions or data etc, so I can't really see it matters if I use the same password on such sites.

Also this stuff about how long it would take a program to keep trying different passwords to get in does not take into account that most websites where security matters will suspend your account after 3 incorrect attempts, so good luck to the password-breaking software, and anyway they will have TFA as well!


I think that's a personal judgement depending on how much value you put on your security, but use a password manager and it becomes a bit of a non-issue.

Bad guys aren't typically guessing passwords; they're hacking websites and stealing all of the usernames (and email addresses) and passwords, which is why using unique passwords is so important.

Lanark
Lemon Quarter
Posts: 1340
Joined: March 27th, 2017, 11:41 am
Has thanked: 600 times
Been thanked: 587 times

Re: Passwords

#433149

Postby Lanark » August 7th, 2021, 5:10 pm

Clitheroekid wrote:New guidance from GCHQ says that the best form of password is three random words


This is good advice as long as you manage to choose truly RANDOM words; most people are very bad at understanding what is really random and will naturally tend to choose fairly common words.

Diceware is one way to select them:
https://theworld.com/~reinhold/diceware.html

JohnB
Lemon Quarter
Posts: 2509
Joined: January 15th, 2017, 9:20 am
Has thanked: 696 times
Been thanked: 1008 times

Re: Passwords

#433156

Postby JohnB » August 7th, 2021, 5:33 pm

Password advice never seems to address the practicality of a world where you have hundreds of accounts, only a very few of which you really care about the security of, passwords are stolen rather than guessed, acceptable password rules differ, and you are forced to change passwords by site owners. I keep having different ideas on how to do it, and that doesn't help, but my current policy is:

1) Clever unique passwords for the accounts with my savings in and my email service (if the latter is compromised, it's a house of cards because of reset requests)

2) A password manager for the hundreds of piddly accounts, each of which uses a clever template where I change one letter based on the site name. Password file in the cloud.

3) Clever passwords and the template written down. I know how likely someone is to steal from my house, and a break in would be obvious.

4) One off rude passwords for websites with anal password policies, written down.

Clever for me is letters, numbers and symbols.

The template method allows me access to piddly accounts on the all too common occasion where the password manager fails. I'd never rely on it to provide random passwords when I was in some hotel, and I doubt any user of a leaked password runs a cracker that spots how guessable my template is. Practicality over security.

stockton
Lemon Slice
Posts: 326
Joined: November 30th, 2016, 7:19 pm
Has thanked: 6 times
Been thanked: 58 times

Re: Passwords

#433164

Postby stockton » August 7th, 2021, 6:05 pm

ReallyVeryFoolish wrote:As a matter of interest, I have taken to allowing Firefox to generate and keep track of passwords for me. I think a different password for each website is desirable. But I was having problems remembering them all without compromising them in some way. I chose Firefox because it is platform agnostic. It remembers my passwords irrespective of the device I am using. I don't know if what I do is good practice or not really.

RVF

This is dangerous as you may not remember a password when you need it.
When boarding a flight a week ago we discovered that some idiot at Ryanair has decided that all 4 pages of a printed passenger locator form have to be checked. We had only printed the first page, so had to spend half an hour at the boarding gate finding my emails on someone else's phone - very fortunately I remembered the correct password.

Aminatidi
Lemon Slice
Posts: 428
Joined: March 4th, 2018, 8:22 pm
Has thanked: 61 times
Been thanked: 116 times

Re: Passwords

#433167

Postby Aminatidi » August 7th, 2021, 6:22 pm

ReallyVeryFoolish wrote:I see your point. It's simply not possible to remember my passwords. Dozens and dozens of them. I can log into my Firefox profile from any device that has Firefox installed to see any of my passwords. So, I only need to remember a single password. I honestly cannot think of a better solution when I want a unique password for each website I log into. I am open to suggestions though, hence why I mentioned it.

Thanks

RVF


There's always a balance to be struck and it can vary from person to person.

You could look at something like Bitwarden, which is a dedicated password manager and removes the reliance on Firefox, but that won't help you if you end up in a situation where you need to log in to something but for some reason either don't know the password or can't get access to your password manager.

For most people I'd imagine that doesn't happen often, but as in the example above, when it does happen it's probably at an inopportune moment.

Sometimes there just isn't an easy answer outside of reverting to paper copies with no dependency on tech if you want to balance convenience with security.

Aminatidi
Lemon Slice
Posts: 428
Joined: March 4th, 2018, 8:22 pm
Has thanked: 61 times
Been thanked: 116 times

Re: Passwords

#433170

Postby Aminatidi » August 7th, 2021, 6:34 pm

From what you've said for your situation what you're doing is entirely sensible.

I was just covering the "spend half an hour at the boarding gate finding my emails on someone else's phone" scenario where they may not have Firefox.

If that isn't a scenario you're worried about don't worry about it :)

Infrasonic
Lemon Quarter
Posts: 4491
Joined: November 4th, 2016, 2:25 pm
Has thanked: 648 times
Been thanked: 1266 times

Re: Passwords

#433179

Postby Infrasonic » August 7th, 2021, 7:23 pm

There is no perfect solution.

The nature of the beast means that being 'practical' compromises security at the user level, e.g. mitigating redundancy/single point of failure.

Prioritising 'security' leads to the opposite issue - single point of failure/redundancy - e.g. theft/fire taking out your coded password paper entries because you don't trust 'online' or 'apps'...

In terms of personal data stored on servers accessible from the internet, the far bigger issue imho is the amount of ID-sensitive information that Govts. and large organisations hold.
We are all entirely reliant on their IT security competence to prevent fraud/ID theft issues around passports, driving licences, land registry, NI and tax numbers, CC numbers, DOB, address, telephone numbers et al.
A hacker knitting together a nice collection of compromised photo ID/bills etc. could lead to some very serious financial problems.

I spend most of my IT research time on security focused news/websites/podcasts - the worrying trend is how sophisticated state level hacking knowledge that historically has required considerable budgets is trickling down to previously more amateurish third parties that traditionally have exploited the very low hanging fruit like phishing/social engineering.

All you can do is to try and stay abreast of the most critical current security issues and be as defensively minded as is practically possible (which will vary according to your unique circumstances and tolerance level for inconvenience :) ).

Itsallaguess
Lemon Half
Posts: 9129
Joined: November 4th, 2016, 1:16 pm
Has thanked: 4140 times
Been thanked: 10032 times

Re: Passwords

#433181

Postby Itsallaguess » August 7th, 2021, 7:30 pm

ReallyVeryFoolish wrote:
Aminatidi wrote:
From what you've said for your situation what you're doing is entirely sensible.

I was just covering the "spend half an hour at the boarding gate finding my emails on someone else's phone" scenario where they may not have Firefox.

If that isn't a scenario you're worried about don't worry about it :)


Fair enough, thanks. Yet if you go the writing down on paper route, you aren't going to have access to the piece of paper you need to refer to at the airport anyway. :?

(Being a little paranoid even in these days of "e" everything travel related, I always carry paper copies of tickets, visas, insurances etc....... All it takes is one flat battery on my phone when I least need it and the "e" travel stuff is stuck in the ether someplace).


Even as someone who has an extensive list of important passwords in my KeePass password-manager, I can't imagine not memorising my primary email address log-in details though...

Surely this isn't a binary thing, and a mix of approaches should be used, depending on the importance of the individual requirements for each account, and surely, primary email must normally sit in the 'I really need to know this from memory 100% of the time' bucket?

Cheers,

Itsallaguess

Aminatidi
Lemon Slice
Posts: 428
Joined: March 4th, 2018, 8:22 pm
Has thanked: 61 times
Been thanked: 116 times

Re: Passwords

#433183

Postby Aminatidi » August 7th, 2021, 7:33 pm

Itsallaguess wrote:Even as someone who has an extensive list of important passwords in my KeePass password-manager, I can't imagine not memorising my primary email address log-in details though...

Surely this isn't a binary thing, and a mix of approaches should be used, depending on the importance of the individual requirements for each account, and surely, primary email must normally sit in the 'I really need to know this from memory 100% of the time' bucket?

Cheers,

Itsallaguess


That's my approach, plus 2FA, so ignoring password managers I'm slightly screwed if I can't get at my mobile, and having a landline as the backup won't help me if I'm at the airport :)

Outside of a few key ones I couldn't even tell you what most of my passwords are because I don't need to know them.

Arborbridge
The full Lemon
Posts: 10439
Joined: November 4th, 2016, 9:33 am
Has thanked: 3644 times
Been thanked: 5272 times

Re: Passwords

#433202

Postby Arborbridge » August 8th, 2021, 8:45 am

Clitheroekid wrote:New guidance from GCHQ says that the best form of password is three random words – https://inews.co.uk/news/passwords-cont ... 140498/amp

I’m a great believer in the What3words app - https://www.bbc.co.uk/news/uk-england-49319760.amp - for identifying a location, and it occurs to me that a good way of creating a password would be to think of a specific location that means something to you, find the W3w combination that applies to that location, and then adopt that combination as your password.

If you were unable to remember the password you could then just use the W3w app to visit the location.

There is no way that any fraudster would be able to guess that you were using this app for the password, and even if they did they would have no idea which location you had chosen.

I would think this is as near foolproof as possible, but having no technical knowledge can any more expert Fools see any problems with the idea?


I've been having the same thoughts. I see the problem that what3words generates longer words than one would like (I believe three four-letter words or similar is recommended for a password), so one would be batting around trying to find a location with shortish words.
Still, it should work well - the only problem being to choose a location which you can remember precisely (they are 3m squares) and one which no one else could guess from your social media etc. I suppose that it is unlikely that any stranger could guess your favourite location easily. Some place where you had had an open-air lover's tryst would certainly do it - if one could fix the location to 3 metres with certainty. For me, that's trying to remember and repeat from 4 or 5 decades ago :(
One can add to the security by adding a four or five digit number which you change regularly. Another snag which spoils the simplicity of this idea is that some sites insist on having a capital and special character, whereas others don't like specials!

Arb.

Aminatidi
Lemon Slice
Posts: 428
Joined: March 4th, 2018, 8:22 pm
Has thanked: 61 times
Been thanked: 116 times

Re: Passwords

#433203

Postby Aminatidi » August 8th, 2021, 8:51 am

There's loads of little things you can do to make passwords memorable.

Use a special character instead of a space and/or add a number on the start/end.

The point of a password manager is that 99% of your passwords are random crap that you don't even know which leaves you free to use a strong unique memorable password for the few services that you do need to know the password to.

GrahamPlatt
Lemon Quarter
Posts: 2093
Joined: November 4th, 2016, 9:40 am
Has thanked: 1041 times
Been thanked: 847 times

Re: Passwords

#433204

Postby GrahamPlatt » August 8th, 2021, 8:55 am

As the XKCD strip demonstrates (vide supra), it’s not so much the complexity of the password, but the length that improves the ‘strength’. Then you get the sites that require you to give the 3rd, 7th and 19th letter of your password and end up counting on your fingers.

JohnB
Lemon Quarter
Posts: 2509
Joined: January 15th, 2017, 9:20 am
Has thanked: 696 times
Been thanked: 1008 times

Re: Passwords

#433206

Postby JohnB » August 8th, 2021, 8:57 am

Many years ago a government department demanded we have 9 character passwords rather than the OS default of 8, and in a triplet form. We wrote the new routine and left the default password as BUMTITCOC.

Arborbridge
The full Lemon
Posts: 10439
Joined: November 4th, 2016, 9:33 am
Has thanked: 3644 times
Been thanked: 5272 times

Re: Passwords

#433208

Postby Arborbridge » August 8th, 2021, 9:04 am

GrahamPlatt wrote:As the XKCD strip demonstrates (vide supra), it’s not so much the complexity of the password, but the length that improves the ‘strength’. Then you get the sites that require you to give the 3rd, 7th and 19th letter of your password and end up counting on your fingers.


That's as I understand it: the latest thinking is that long but easier to remember trumps shorter and complex.

Arborbridge
The full Lemon
Posts: 10439
Joined: November 4th, 2016, 9:33 am
Has thanked: 3644 times
Been thanked: 5272 times

Re: Passwords

#433210

Postby Arborbridge » August 8th, 2021, 9:09 am

Lanark wrote:
Clitheroekid wrote:New guidance from GCHQ says that the best form of password is three random words


This is good advice as long as you manage to choose truly RANDOM words; most people are very bad at understanding what is really random and will naturally tend to choose fairly common words.

Diceware is one way to select them:
https://theworld.com/~reinhold/diceware.html


And using diceware you end up with something like this:-

Your passphrase would then be:

cleft cam synod lacy yr wok


Dead easy to remember (NOT). Maybe What3Words is a practical compromise?

Arb.
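As an added illustration, not taken from any post in this thread, of the Diceware selection Lanark links to and the six-word passphrase Arborbridge quotes above, the following Python maps five dice rolls to a list entry, estimates the entropy of word-based passphrases against character-based passwords (the length-over-complexity point made later in the thread), and shows how offline guessing of a leaked hash, which no three-strikes login lockout limits, scales with that entropy. The word list is a constructed placeholder standing in for the real 7776-word Diceware list, and the guess rate is an assumed figure for illustration only.

```python
import math
import secrets

# Diceware indexes its word list by five dice rolls: 6^5 = 7776 entries.
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed placeholder list standing in for the real Diceware list, kept in
# dice-code order ("11111" -> entry 0 ... "66666" -> entry 7775).
PLACEHOLDER_WORDS = [f"word{i:04d}" for i in range(DICEWARE_LIST_SIZE)]


def roll_dice(n: int) -> str:
    """n cryptographically random dice rolls as a string of digits 1-6."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def rolls_to_index(rolls: str) -> int:
    """Convert a five-dice code such as '11111' to a 0-based list index (base 6)."""
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("a Diceware code is exactly five digits in the range 1-6")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def diceware_passphrase(word_list, words: int = 3) -> str:
    """Pick `words` entries uniformly at random, Diceware style."""
    return " ".join(word_list[rolls_to_index(roll_dice(5))] for _ in range(words))


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent uniform picks from `choices` options.
    Use choices = list size, count = words for a passphrase, or
    choices = alphabet size, count = length for a character password."""
    return count * math.log2(choices)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from `list_size` reaching `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at an offline guess rate.
    Lockout after three wrong tries only throttles online guessing; a leaked
    hash can be attacked at whatever rate the attacker's hardware allows."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    ASSUMED_RATE = 1e10  # assumed offline guesses/second for a fast hash, illustrative only
    print("3 Diceware words:", diceware_passphrase(PLACEHOLDER_WORDS, 3))
    for label, choices, count in [("3 Diceware words", DICEWARE_LIST_SIZE, 3),
                                  ("6 Diceware words", DICEWARE_LIST_SIZE, 6),
                                  ("8 random printable chars", 95, 8)]:
        bits = entropy_bits(choices, count)
        secs = seconds_to_exhaust(bits, ASSUMED_RATE)
        print(f"{label}: {bits:.1f} bits, {secs:.3g} s worst case at the assumed rate")
    print("words needed for 77 bits:", words_needed(DICEWARE_LIST_SIZE, 77))
```

Three Diceware words give roughly 39 bits and six give roughly 78, which is why the real list's 6^5 indexing matters: a user-chosen "memorable" word comes from a far smaller effective list than 7776.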

Aminatidi
Lemon Slice
Posts: 428
Joined: March 4th, 2018, 8:22 pm
Has thanked: 61 times
Been thanked: 116 times

Re: Passwords

#433211

Postby Aminatidi » August 8th, 2021, 9:13 am

Just open a book or switch the Kindle on and pick part of a sentence.

There are loads of ways to over-complicate this but once you get past the basics of not using the same password everywhere and of not using totally obvious pass phrases ("the quick brown fox") you're in a pretty good place.

