Comments on: How To Create a Strong Password you can Remember
https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/
Fri, 12 Jan 2024 00:52:01 +0000

By: Steve Krause https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-1089739 Mon, 11 Jan 2021 18:08:09 +0000 http://www.groovypost.com/?p=31430#comment-1089739 In reply to gazza.

Which password manager? Depending on the one you used, you should have a way to unlock it and get back in.

By: gazza https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-1089733 Mon, 11 Jan 2021 15:02:31 +0000 http://www.groovypost.com/?p=31430#comment-1089733

I had a password manager but I forgot the main password to get into it!!!!

By: Makzone https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-1087873 Fri, 01 Jan 2021 01:00:18 +0000 http://www.groovypost.com/?p=31430#comment-1087873

If a password is alphanumeric it is easy to crack by a hacking team. Upper/lower case/numbers/symbols/periods/commas used for passwords are difficult to crack for a maximum of ten.
None are easy to remember so put them in a small notebook at home, plus, put them in an iWallet on a ‘smart telephone’.
A password checker may advise that a password would take a million years to crack, but hacker groups could have a million members, all connected around the world, which chops that idea to pieces.
Two-step authentication is a quicker and more simple method than long, alphanumeric passwords, and forget password managers if the computer fails to start, also with passwords on the ‘phone one’s favourite sites can be accessed from another computer, in a Library or Internet Cafe for instance.

By: Lindsay mac https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-1087030 Fri, 25 Dec 2020 19:26:27 +0000 http://www.groovypost.com/?p=31430#comment-1087030

e.g., “thisismypassword” becomes “rguauanto1aaqies”.

By: Lindsay Mac https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-1086791 Thu, 24 Dec 2020 08:16:13 +0000 http://www.groovypost.com/?p=31430#comment-1086791

Just take that word or saying and use the key to the left (e.g. B + V), any vowel becomes a number. Surprising how easy you can come up with your own system to produce a “gobblydook” password.

By: Wilson https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-1064705 Wed, 30 Sep 2020 21:14:53 +0000 http://www.groovypost.com/?p=31430#comment-1064705

I mean for the average user the strongest password is something around 6 characters and quite a good percentage of the time it will have a 123 or 456 in there. These are common in wordlists you can find with a simple Google search and can be cracked by plugging them into something like John the Ripper or Hashcat!

By: Myles https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-1061263 Thu, 03 Sep 2020 09:52:17 +0000 http://www.groovypost.com/?p=31430#comment-1061263 In reply to Ted.

This is a good idea and I use it,

so if I was to use this website my password would be

GroovyPost!!99

Facebook would be

FaceBook!!99

and unless you know my login name too you won’t guess it or get in.

By: Tony Robichaud https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-1014400 Mon, 23 Mar 2020 17:21:40 +0000 http://www.groovypost.com/?p=31430#comment-1014400 In reply to Steve Krause.

If a password contains dictionary words, then brute force can be used to guess it correctly eventually. I could write a program easily enough to try millions of passes until I finally get in. But I thought the stop to that is to allow only up to 3 tries of password guesses. Do all password entries enable you to try millions of combinations of tries? I’ve seen examples that if you enter a wrong password three times in a row, your account is closed for a certain amount of time like 12 or 24 hours. Allowing only a fixed amount of tries I thought was the greatest defense against using brute force, yet even after scanning the article I never came across this feature.

By: Steve Krause https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-1000122 Mon, 10 Feb 2020 14:57:51 +0000 http://www.groovypost.com/?p=31430#comment-1000122 In reply to Leo.

Yeah – it’s a great tip. I’ve been doing this a long time and never thought of it (or heard anyone mention it)… Love it! I’ll have to add that to the article.

By: Leo https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-998589 Fri, 07 Feb 2020 07:37:19 +0000 http://www.groovypost.com/?p=31430#comment-998589 In reply to Steve Krause.

Thanks Steve. It’s very simple but effective. Even the password manager cannot know that last word added, neither can their rogue employee! And the word added can be different for different sites, just so long as you remember which word is for which site. You can even use foreign words!

By: Steve Krause https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-998557 Fri, 07 Feb 2020 05:52:36 +0000 http://www.groovypost.com/?p=31430#comment-998557 In reply to Leo.

Excellent idea Leo. Honestly, that’s new to me and I really like it!

By: Leo https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-998482 Fri, 07 Feb 2020 01:15:59 +0000 http://www.groovypost.com/?p=31430#comment-998482 In reply to Lou G.

Passwords generated by password managers can be made stronger by adding another word known only by you after the password. You download your password from your password manager, then enter that extra word… even if your password manager gets breached/hacked/whatever you are protected because the passwords stored (however strong) are incomplete and need that extra word to be complete. Choose any word that you will remember that must be added to the downloaded password… it will be very difficult, if not impossible, for any person(s), group(s), computer(s), whatever to crack that password.

By: jamies https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-998295 Thu, 06 Feb 2020 17:11:34 +0000 http://www.groovypost.com/?p=31430#comment-998295 In reply to jifjaf.

Take a phrase that you will always remember
Have a standard insert of at least 1 numeric and 1 punctuation character
then you can write down the clue as to the password
start at character number ‘s’
then selecting every ‘n’th character
create a string of m characters

Put the block in after the x’th character

Now – without knowing the phrase it will be very, very difficult to work out the password from the 4 numbers
So – you can (reasonably safely) write down the 4 numbers
s n m x

As the password generated is based on 2 strings of characters you will have a great deal of certainty remembering, you should never need to write them down.

You can take that concept and modify it for your use- Maybe
Use one of the numbers to indicate which in the generated string should be a capital
Use one of the numbers to indicate which in the generated string should be a number –
count through the alphabet, move up the keyboard, whatever –
Position your block as a single set – or merge it in, or use it as part of the string from which you select characters

Once you have the basic process – then modifying it by applying whatever process you can remember to always use will make things easy

And – making easy to remember, and enter, but not easily guessed or worked out is the major consideration

The frequent recommendation from ‘Consultants’ that passwords should be random strings should (in my opinion) get that consultant, and those employing them, blacklisted. Add to that the frequent requirement that passwords be changed every month, which is one of the surest ways to get passwords written down with a clear indication as to what they give access to.

Imagine – having, say, 20 facilities that need passwords
12 character long pass codes for each – changed monthly

That’s 2880 characters to remember throughout the year, and having to log into each facility each month – even if there is no need to

A hacker’s dream – every month a system will be accessing 20 secure sites – so just lie in wait with a store and forward facility
store and forward – what you type or select gets passed on to the site and then their response gets displayed on the screen for you to see and respond to.

So – your transaction with the bank happens OK, but was monitored, and how many sessions need monitoring until enough of the access key is known for a try at accessing the facility to be likely to succeed?

By: Steve Krause https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-654806 Sat, 04 Mar 2017 22:59:50 +0000 http://www.groovypost.com/?p=31430#comment-654806 In reply to John.

Hi John – Thnx for the note. I’m glad you liked the article.

You should take a look at Two Factor Auth (2FA) – https://www.groovypost.com/unplugged/two-factor-authentication-guide-secure-online-accounts/. In 2017, if you don’t have 2FA setup on all your accounts… it’s only a matter of time before your accounts will get hacked again.

Granted 2FA is not perfect but, it does add a VERY strong layer of security between your data and the internet.

By: John https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-654773 Sat, 04 Mar 2017 09:19:31 +0000 http://www.groovypost.com/?p=31430#comment-654773

Wow, something very useful. I got my Gmail account hacked twice because of a low-strength password. I will use your tips now.

By: Peter Griffin https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-650958 Sat, 22 Oct 2016 06:32:16 +0000 http://www.groovypost.com/?p=31430#comment-650958

Of course, keystroke logging, phishing and social engineering will undermine any password, however complex.

Pasted below is section A3 from https://pages.nist.gov/800-63-3/sp800-63b.html#appA

“A.3 Complexity

As noted above, composition rules are commonly used in an attempt to decrease the guessability of user-chosen passwords. Research has shown, however, that users respond in very predictable ways to the requirements imposed by composition rules. For example, a user that might have chosen “password” as their password would be relatively likely to choose “Password1” if required to include an uppercase letter and a number, or “Password1!” if a symbol is also required.

Users also express frustration when attempts to create complex passwords are rejected by online services. Many services reject passwords with spaces and various special characters. In some cases the special characters that are not accepted might be an effort to avoid attacks like SQL Injection that depend on those characters. But a properly hashed password would not be sent intact to a database in any case, so such precautions are unnecessary. Users should also be able to include space characters to allow the use of phrases. Spaces themselves, however, add little to the complexity of passwords and may introduce usability issues (e.g., the undetected use of two spaces rather than one), so it may be beneficial to remove spaces in typed passwords prior to verification.

Users’ password choices are very predictable, so attackers are likely to guess passwords that have been successful in the past. These include dictionary words and passwords from previous breaches, such as the “Password1!” example above. For this reason, it is recommended that passwords chosen by users be compared against a “black list” of unacceptable passwords. This list should include passwords from previous breach corpuses, dictionary words, and specific words (such as the name of the service itself) that users are likely to choose. Since user choice of passwords will also be governed by a minimum length requirement, this dictionary need only include entries meeting that requirement.”

By: Peter Griffin https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-650947 Fri, 21 Oct 2016 23:33:16 +0000 http://www.groovypost.com/?p=31430#comment-650947 In reply to Peter Griffin.

Or rather I should specify: two-factor authentication by *SMS* is (potentially) insecure.
Other two-factor authentication methods may still be secure.

By: Peter Griffin https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-650946 Fri, 21 Oct 2016 23:27:26 +0000 http://www.groovypost.com/?p=31430#comment-650946

Two-factor authentication is no longer considered secure.
A search on google.co.uk for
“two-factor authentication” insecure
produces 82,600 results.
Just one hit:
https://www.schneier.com/blog/archives/2016/08/nist_is_no_long.html

By: Kay krause https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-650856 Tue, 18 Oct 2016 17:18:49 +0000 http://www.groovypost.com/?p=31430#comment-650856 In reply to Steve Krause.

Makes sense, thank you.

By: Kay krause https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-650855 Tue, 18 Oct 2016 17:12:51 +0000 http://www.groovypost.com/?p=31430#comment-650855

My kids figure out my passwords, same mindset. I also figure out their passwords; we live in the same system, ha ha.

By: Graham https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-650186 Tue, 27 Sep 2016 14:08:59 +0000 http://www.groovypost.com/?p=31430#comment-650186

Very useful article, thank you for sharing these great tips with us! I have to admit that I never thought of using a passphrase, but I will definitely do it now.

By: Steve Krause https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-650174 Mon, 26 Sep 2016 23:42:12 +0000 http://www.groovypost.com/?p=31430#comment-650174 In reply to Lou G.

Yes… Password or just as bad, P@$$W0RD….

PPL think it’s creative and secure. It’s not secure. :)

By: Steve Krause https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-650173 Mon, 26 Sep 2016 23:41:07 +0000 http://www.groovypost.com/?p=31430#comment-650173 In reply to Doug Jensen.

Well sure. You can’t lock a door if the door has no lock on it. In that case…. What do you suggest?

By: Steve Krause https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-650172 Mon, 26 Sep 2016 23:38:42 +0000 http://www.groovypost.com/?p=31430#comment-650172 In reply to Doug Jensen.

True- However, my PW Database is backed up w/Crashplan. It watches my files and backs them up each time there is a change. With Unlimited revisions, I don’t worry about it.

So worst case, I restore a previous version of my PW Database w/Crashplan.

The same goes for Ransomware… If my box is ever owned from a Ransomware standpoint, oh well. Wipe the box and restore from Crashplan. It’s not free but, it’s cheap insurance at $60 a year. It’s the one product I tell ALL my readers to buy no matter the platform (Windows/Mac).

By: moses https://www.groovypost.com/howto/create-easy-remember-secure-strong-password-phrase/#comment-650161 Mon, 26 Sep 2016 08:40:05 +0000 http://www.groovypost.com/?p=31430#comment-650161

Lucky for me, I have used BlackBerry devices for the last 8 years and I have never worried about passwords because all BlackBerry devices come with a password keeper which can create and store passwords for you; it makes up impenetrable passwords. And the app is also password and encryption protected. I have been security conscious for a number of years. I use two emails: Gmail for everything and Protonmail for important stuff because of no “IP logs policy”…[ProtonMail’s] security measures are intense: end-to-end encryption and user authentication protocols so rigorous even the creators can’t read user emails.
