I remember my passwords by a "concept." For example, all passwords are names of former pets or former street names. Always substitute certain letters with certain numbers and have a punctuation mark in the same location (end or beginning) of every password. This last bit allows you to use your same passwords even with sites with specific complexity requirements. Even if I don't remember the exact password, it is one of only a few options, and I just try them until I get the correct password. I get a lockout about once per year.

I used to use nonsense words from the Jabberwocky with a number in them. Now I use LastPass, and I'll continue using LastPass. Their probably-paranoid approach has shown that they take security seriously.

Here's an interview in PC World with their CEO:

http://www.pcworld.com/article/22726...ible_hack.html

I use eWallet - can be installed and used on several devices. I have it on all three of my computers, as well as work and on my Android. Been using it for several years and love it.

I use an Ironkey it is a mil grade encrypted usb thumb drive. It is relatively expensive, but I keep stuff on it that needs to be controlled (work, finance). Good when traveling abroad. If the wrong password is inputted wrong 10 times it self destructs. Also it is tough, I have washed and dried it 3 times now. Has Firefox on it and has secured browsing.

I have about a hundred username/passwords. I keep them in Yahoo Mail Notepad. Each "Note" has a title - e.g., "Flyertalk", in which I keep the pertinent data. I have never had a problem and am wondering the wisdom of this method. Thanks for your opinions.

It's only as secure as:

a) Your Yahoo account, which is available 24/7 for anyone to try to get into. I hope you're using a very good password: at least 8 characters, no words from the dictionary, including uppercase letters, lowercase letters, and either numbers or symbols, preferably both.

b) If you use multiple computers that others have access to, be aware that the webpages containing your passwords could be cached on those computers in unencrypted form for anyone to see who bothers to go look at the cache.

c) The security of Yahoo's datacenters. I probably wouldn't worry too much about this one, though it would be interesting to know how they destroy old hard drives. I've seen a video of how Google does it (crush the drive with a steel press, then shred the whole thing into mangled bits), but dunno how Yahoo does.

All in all, I'd say that it's not a terrible method if you use a strong password on Yahoo and are careful to clear the cache on shared computers. But I'd go with something else mentioned in this thread, myself.

One of my customers, who worked with me in the past for a certain company ;-) STILL writes his passwords down in a small notebook that he carries everywhere and then puts in a safe. LONG passwords, letters, numbers, symbols, total gibberish.

That said, I don't really like the 1password or lastpass solutions and as we have seen recently things are getting HACKED. single sign-on is a GREAT concept and another company I worked for had a biometric authentication with a key card AS WELL and the passwords were stored on a chip in the key card. It was pretty solid.

A recent security researcher published an article where he detailed what the highest level of password security was and the result was interesting:

Best possible passwords to USE if your website or company makes it possible is a simple PHRASE of THREE WORDS or more (there was no need to go beyond three) with A SPACE as expected in between the three words.

THIS IS THE PASSWORD type of thing, or MY DOG BITS, or TAKE ME HOME. Compared to a SIX DIGIT with minimum ONE CAP and ONE SYMBOL and ONE NUMBER which could take a super computer with brute force something like eight months to break, this was essentially 1 MILLION YEARS+ with a brute force method and 2300 years with a common dictionary attack.

Seems interesting.

Here is a link to the article that excerpted the study

http://www.baekdal.com/tips/password-security-usability

Pssst - Yahoo mail sucks.

I use Gmail, which has "https" option for reading, so all my mail and notes are "secure". Even Hotmail recently implemented the full HTTPS protocol as well, after lagging for a long time.

Yahoo mail is the only one that does not offer full HTTPS encryption when you read your mail. So your ISP tech can read your notes / mail, anyone sharing a network can read your Yahoo mail and notes. And they can even side-jack your yahoo mail with a very simple tool called Firesheep.

For frequent travelers as those who frequent this site, Yahoo mail is the worst, when you're trying to read email on the road at hotels and open wifi spots.

Just use Keepass - it's free, multi-platform, and works amazing well.

agree 100%. Great link.

just wish the pc interface was as good as the mac version

> A recent security researcher

Not recent; 2007.

Nor is Baekdal a security researcher. Looking at his alma
mater(s); it's not clear that they have ever offered a curriculum
that is relevant to the science of cryptography and the practice
of computer security.

He started out as a fashion designer and now works as a
(new media) publisher of magazines and websites. Those
are hardly the credentials of someone that should be described
as a "security researcher."

> published an article where he detailed what the
> highest level of password security was and the
> result was interesting:

He did indeed publish that bit of irresponsible nonsense in 2007.

Highest level of password security? HIGHEST??? Hawgwash.

> Best possible passwords to USE ... is a simple PHRASE of THREE WORDS or more
> (there was no need to go beyond three) with A SPACE as expected in between the
> three words.

Before using Baekdal's methodology; PLEASE READ:

http://www.grc.com/sn/SN-297.htm

Thanks for the link. I need to listen to more GRC episodes...never find the time. Security needs time though.

this was an interesting read. I will comment though, that the guy Steve Gibson does NOT contradict any of the analysis or even the mathematical computers that Baekdal had done in his original piece (updated to a more recent one a few weeks ago) even noting that it might be an UNDER estimation of the time and method required to break a 3+ words password which includes SPACES or a CHARACTER in between the 3+ words. What Mr. Gibson seems to lack in his analysis is that it isn't just three words, it is three words with a space (or better yet a special character in between) which makes the permutations for a dictionary or brute force attack just that much more exponential. And, again, Mr. Gibson says the "math seems accurate"

The detail that Mr. Gibson seems to go into is what he feels are behavioral or environmental weaknesses of using such a password protocol/type and I find them accurate.

If someone sees you type it, they could know it.
If you write it down, then someone can get access to it.
If someone sees you write or type PART of it they could probably recreate it.
If it is easy for YOU to remember, once someone else sees or hears it, it is easy for THEM to remember too.

All true, all valid, but even though LEO continues to comment on the MATH ANALYSIS of how lets say this algorithm is fundamentally or statistically or technically more VULNERABLE, Mr. Gibson does not.

I'm going to talk to a friend over at checkpoint and see what their analysis of it is, try to put a bit more math behind it.

I'm not throwing out for naught based on this transcript.

To be clear: LastPass was not necessarily hacked. Their database server sent out some encrypted information and they couldn't verify exactly why, so they assumed the worst. In addition, the amount of information sent out was not very large; I believe they mentioned that it wouldn't have been more than a hundred or so users' worth, out of several million.

The information that the server sent out included people's email addresses, the server salt and their salted password hashes from the database. This means that the hackers, if there were actually hackers, got some encrypted information and part of the encryption key (the part that isn't users' passwords). So they can sit around trying to figure out each person's password, which will be proportionally as difficult as the password is complex. If a person had a password of at least 8 characters that didn't include a dictionary word, the hypothetical hackers won't be able to figure it out for years. Changing one's password re-encrypts the data in Lastpass, and removes the threat.

This is why one should use strong passwords.

Furthermore, I disagree that programs like Keepass are any better. If anyone gets access to your computer and downloads the Keepass file (or if you contract some malware that sends it to someone), then you're vulnerable to the same attack. In fact, you're doubly vulnerable, because you can't simply change your master password. That would only re-encrypt the password file on your computer, not the one that the hackers took.

I choose to have the more convenient approach and put my passwords where I can get them any time.

Did you check the source code of the implementation? Are you certain that it was correctly implemented?

Sure, I didn't mean to infer that lastpass was totally comprimised, just that THINGS are getting hacked, companies with credit cards, companies with emails and their associated passwords, etc. It would appear for the time being at least that if one wants to have essentially absolute security for documents, information, privacy, etc., it is best NOT to put it IN THE CLOUD as the cloud (which is just another word for INTERNET IMHO) has been shown to be vulnerable in many different ways. Direct access to servers, collocation breaches and hacking, third party CDN and application provider networks, etc.

to the point above about keepass and other locally stored master files, I have seen where people will LOCALLY ENCRYPT that file, which requires a constant direct LOCAL authentication when it requires access, but if the laptop or local file is compromised then it cannot be used by a third party. This can be done with services as well like the dropbox master file, the dropbox master storage location, etc., which means that even if it is compromised or they choose to turn it over to an authority organization via subpoena that it cannot be recovered or read.