Usernames and passwords

I am a paranoid internet user, and as such I take passwords and online security very seriously.

In light of poor @DarthMol’s recent Microsoft store purchase and apparent password breach, I thought I would just give a few of my tips that I found very useful.

DISCLAIMER: Please keep in mind I am not an IT security specialist, so these are just some tips, and don’t hold me responsible if you get hacked :laughing:

The Obvious Ones

  1. Don't share your passwords with anybody. Duh.
  2. Don’t use the same passwords for all your sites and apps. If one gets compromised, they all get compromised.
  3. Wherever possible, use 2 factor authentication. We will cover this further down below.
  4. Mix as many non-standard characters into your passwords as possible, like @$&#?!
  5. Never let your browser automatically save your passwords, especially for VIP sites like banking.

Some easy tips

  1. The longer the password, the harder it would be to guess. But it also makes your passwords harder to remember. So try to make an easy to remember formula for your passwords.

For example, use a phrase that you will always remember. Like, Greg Redd wets his bed. This is easy to remember, but hard to guess. So your baseline password can be GregReddWetsHisBed.

Now we can add some other characters. For example change any S to a $, an A to a 4, an I to a 1 or an !. Don't go too crazy, you still need to remember it!

Gr3gReddWetsHi$Bed

But we cannot use this as every password. So we customise it for each situation by slipping in a relevant word. Your Facebook password can be:

Gr3gReddWetsHi$FBBed or
Gr3gReddWetsHi$TWITTERBed

Now we have an easy to remember, very hard to guess password, and all the passwords for every application will be different.

  2. For 2 factor authentication there are generally 3 options.
  • sms code
  • email links or codes
  • code generator apps

They all serve the purpose of asking you to verify a purchase or login to make any password compromise harder to follow through on.

You log in with your username and unique password and then you need to supply a unique code to verify that it is in fact you logging on. These codes are randomly generated and will only last for short periods of time to add to their security.

  3. Too much to handle? Then use apps to help you out.

I use 2 apps for all my security needs. These apps are on my phone and require fingerprint access to open up so should be fairly safe if my phone gets stolen. They also have backups online with a super long randomly generated password, printed out and kept in my safe room in case I need to recover their password.

The first app is LastPass. This is where I store all my passwords in a secure app. You should check it out, and compare to some others. Online storage, and free. You can also choose offline only storage if you feel you don't trust them enough. For some critical apps, it can even generate random passwords that nobody will ever guess. Finally, you can assign groups like Entertainment or Work or Banking to make the password you are looking for that much easier to find.

The second app is Authy, which is a 2 factor code generator. This is compatible with every other code generator used by sites. It supplies a random 6 digit code for every site you add. These codes expire after 30 seconds and then a new code gets generated. I even added an Authy code to my LastPass access.

This turned into a super long post! Sorry about that! I just hope somebody can use this to make themselves a little more secure online and protect their passwords.

If you see anything wrong with my post, or want to add some tips, please do so in this thread! Maybe this can turn into a hub for good, safe, online experiences!

8 Likes

This is excellent, more people spreading good security etiquette is needed in this world. Relative laziness does not have to mean you can't be secure in your online dealings.

The only thing I would like to add is this: Using 2 factor is important, but understand, that your phone becomes an important link in your armour. That is to say, put a decent pin/password on it, if it doesn’t support fingerprint. And if you decide to have your password manager and your 2 factor app, on your phone, you probably should install minimal if any dodgy/fun/unknown author/untrusted applications on your phone.

Personally, I skew away from using my phone with anything other than what is absolutely essential. Fucking covid level 6 essential.

5 Likes

It was just that one time. And besides, you promised you wouldn’t tell. So now I’m going to have to hack your LastPass Master Password and change all your passwords to something more appropriate for you. Something like:

:stuck_out_tongue:

Other than that, darn fine suggestions and advice!

4 Likes

Yeah, good advice.

I tell people the same thing. With LastPass or a password manager it's a bit of a mission to get it up and running. Well, setting it up is easy, but then taking the time to log in to an account, change the password and then save it takes a while, but this is a once-off thing.

My only issue with LastPass is that when you're offline you can't get any passwords, but then again, when are you offline? Once I started using a password manager I only needed to remember one password.

It's kinda funny, I also have a password thing in a safe with my passwords, so it's good to know I'm not the only one who did the same thing :smiley:

3 Likes

This is an excellent write-up! Thank you.

I’ve run into some problems with the LastPass browser plugin (especially the Chrome one, if memory serves) so I’ve started switching to BitWarden as an alternative. So far my experience with it has been great.

If I may add one thing: Try to avoid SMS-based two factor authentication / one-time PINs where alternatives like code generator apps are available.

SIM swap fraud is a huge problem in South Africa, and it spread to the U.S. in a big way a few years ago, finally prompting Internet companies to switch away from SMS as their preferred 2FA scheme.

2 Likes

Yeah, SMS is certainly the worst of the 3 options for 2FA. Thanks for that!

I try not to use the LastPass browser plugin and when I do I do not stay signed in. Kinda pointless as my Gmail stays signed in and there is probably more in there than LastPass!

I will look into BitWarden, thanks for the tip!

1 Like

As a counterpoint:

5 Likes

Yes, if you can avoid having to use SMS, don't. I could not log in to some of my accounts when I was on holiday, yay, no signal for the network I use.

3 Likes

That is my method for the most part, I do use Blur as well. I also won't lie, I have one common password for forums, one for my banking, one for some games, and one for other games.

I normally have 1 phrase that I just change up.

1 Like

4 Likes

That's both funny and scary! I am aware of random words being harder for computers to guess due to their length, and thought it would be even harder to then swap common letters for symbols. Double whammy. Still, that graphic is actually very useful!

@Mottamort - congratulations! That was a test and you win! :rofl:

3 Likes

I use this approach. It works well for me and allows me to guess a password I forgot in 2-3 attempts.

3 Likes

Regarding passphrases vs passwords (/cc @MetalSoup):

XKCD is, of course, on the money, however I expect that if you treat passphrases as combinations of words rather than combinations of characters then the cryptanalysis situation will change.

I don’t know if research has been conducted in this regard, but adding capitals, special characters, and spaces to an already strong passphrase certainly wouldn’t hurt.

I’ve also seen some passphrase generators out there recommend that a passphrase should be made up of at least six lengthy words, and not just four.

3 Likes

Personally I just use whatever lastpass generates for me. I’m too lazy to come up with and remember good passwords.

4 Likes

I must say for me the best password is a Windows CD key. I used to install Windows a lot so I just learned the CD key. All I do now is add some caps and a few other things. Easy and secure.

3 Likes

Is this one of them?

6 Likes

Yup, but no one will know if it's the one

2 Likes

Gah you lot cursed me! I needed to reset my banking password today cos I hit a blank wall . . . . .

I hate you all

Especially when I reset it and it told me I can't use the current Fracking password. . . .

4 Likes

I admit I had one common password. Then one website wants you to add special characters and then another website wants mixed case and yet another wants numbers in the mix. So I sometimes have to go for three tries before I log in.

Although my Internet banking and SARS are completely different to anything else (I’m not insane)

And rockstar login is also a bugger up. I was so upset once after someone hijacked my account that I made up some stupidly long password along the lines of “Ireallyhaterockstargamesandtheirpassword*”

2 Likes

My issue with these passwords that can be guessed in nanoseconds of computing is this… what happened to anti-brute-force? Wrong attempts on username X? Oh, now you have to wait 120 seconds (IT'S LIKE SECONDS ONLY COOLER) before you try again.
What's that? It doesn't matter how fast your processing power is? You're gonna take 80 billion years to guess my 9 character password now?

Where’s that gone???

6 Likes
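To put numbers on the passphrase-versus-password discussion and the lockout question above, here is an added illustration that is not from any post in the thread: the entropy of random words versus random characters, how long exhausting each keyspace takes at an offline cracking rate versus one attempt per 120 seconds, and how few bits a known letter-for-symbol rule adds to a phrase the attacker already knows. The word-list sizes and guess rates are assumptions.

```python
import math

# Symbol pools and guess rates assumed for the comparison (constructed, not from the thread).
WORDLIST_XKCD = 2048        # the 2048-word list behind the "four random words" estimate
WORDLIST_DICEWARE = 7776    # a six-dice-roll word list, as diceware-style generators use
PRINTABLE_ASCII = 94        # upper, lower, digits and @$&#?!-style symbols
OFFLINE_RATE = 1e10         # guesses per second against a leaked, fast unsalted hash
ONLINE_RATE = 1 / 120       # one attempt per 120-second lockout, as the post describes
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` symbols (characters or words) each drawn uniformly from `pool_size`."""
    return length * math.log2(pool_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try the whole keyspace at a fixed guess rate; the average hit is half of this."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def substitution_bits(phrase: str, substitutable: str = "aeis") -> int:
    """Rough extra bits gained from letter swaps when the attacker knows the phrase and the rule:
    each swappable letter is either changed or not, so about 2**n variants to try."""
    return sum(1 for ch in phrase.lower() if ch in substitutable)


def compare() -> dict:
    """Entropy and exhaustive-search time for the password styles discussed in the thread."""
    cases = {
        "9 random printable chars": entropy_bits(PRINTABLE_ASCII, 9),
        "4 random words, 2048-word list": entropy_bits(WORDLIST_XKCD, 4),
        "6 random words, 7776-word list": entropy_bits(WORDLIST_DICEWARE, 6),
    }
    return {name: {"bits": bits,
                   "offline_years": years_to_exhaust(bits, OFFLINE_RATE),
                   "online_years": years_to_exhaust(bits, ONLINE_RATE)}
            for name, bits in cases.items()}


if __name__ == "__main__":
    for name, r in compare().items():
        print(f"{name:32s} {r['bits']:5.1f} bits  offline {r['offline_years']:.2e} y"
              f"  online {r['online_years']:.2e} y")
    # The base phrase from the first post with a known swap rule gains only a handful of bits.
    print("GregReddWetsHisBed + known swaps adds", substitution_bits("GregReddWetsHisBed"), "bits")
```

The gap between the offline and online columns is the lockout doing its work; it only helps while the attacker has to go through the login page rather than a leaked password database.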