
How do you remember passwords?

Old Mar 22, 2016 | 3:43 pm
  #91  
Join Date: Dec 2012
Location: YVR, HNL
Programs: AS MVPG, UA peon, BA Bronze, Marriott Plat, HH Diamond, Fairmont Plat (RIP)
Posts: 8,444
Originally Posted by gfunkdave
If you don't have your computer, iPad, or phone with you (when do you not have your phone with you?), then you could use your friend's computer to visit lastpass.com and access your passwords vault. This would be difficult if you enabled two factor auth and didn't have your phone with you, or didn't have your list of backup 2FA codes with you.
Lol, I hate cell phones. I carry one for emergencies but I don't feel the need to be reachable at all times. I have a pay-as-you-go phone and don't have data. Definitely in the minority, I know. As long as there was the ability to access lastpass.com, I guess that would be a workaround but still not ideal. I'll have to give it a bit more thought.
Finkface is offline  
Old Mar 22, 2016 | 4:07 pm
  #92  
Join Date: Nov 2002
Location: ORD
Posts: 14,773
Originally Posted by Finkface
Lol, I hate cell phones. I carry one for emergencies but I don't feel the need to be reachable at all times. I have a pay-as-you-go phone and don't have data. Definitely in the minority, I know. As long as there was the ability to access lastpass.com, I guess that would be a workaround but still not ideal. I'll have to give it a bit more thought.
I mean, how else would you expect to access your passwords if not via the web or on a mobile device? It would defeat the point to print them all out and carry a sheaf of papers with you.

If you're worried about keyloggers, LastPass's website has an onscreen keyboard you can use.
gfunkdave is offline  
Old Mar 22, 2016 | 4:31 pm
  #93  
Join Date: Dec 2012
Location: YVR, HNL
Programs: AS MVPG, UA peon, BA Bronze, Marriott Plat, HH Diamond, Fairmont Plat (RIP)
Posts: 8,444
Originally Posted by gfunkdave
I mean, how else would you expect to access your passwords if not via the web or on a mobile device? It would defeat the point to print them all out and carry a sheaf of papers with you.

If you're worried about keyloggers, LastPass's website has an onscreen keyboard you can use.
Well the way I do it now is I have a fairly random core password (letters and numbers) that I use for everything, adding a few letters for each different website, tailored to that site. If one had access to even a few of my passwords and knew which sites they were for, it wouldn't be that much of a stretch to break my code but it would hopefully slow down anyone who hacked into just one account as that same password wouldn't work anywhere else.

For example if my core password is finkface10 (it isn't, don't worry), then for flyertalk, it might be FTalkfinkface10 or finkface10FT or something like that. They all follow the same pattern so I can remember them. Not sure that's secure enough because, as I said, if someone got hold of a good enough sample of them, the pattern is pretty easy to figure out. Like if I were using the second example, if they had a couple of my passwords and figured out the pattern, it wouldn't be too much of a stretch to guess that the password for United would be finkface10UA.

So, great minds, secure enough? Or since most hacks are a one-off, they likely wouldn't guess the pattern? Or should I go with LastPass? My email passwords, BTW, don't use the same pattern so if my email was hacked, it wouldn't get them much.
Finkface is offline  
Old Mar 22, 2016 | 5:01 pm
  #94  
Join Date: Nov 2002
Location: ORD
Posts: 14,773
Originally Posted by Finkface
Well the way I do it now is I have a fairly random core password (letters and numbers) that I use for everything, adding a few letters for each different website, tailored to that site. If one had access to even a few of my passwords and knew which sites they were for, it wouldn't be that much of a stretch to break my code but it would hopefully slow down anyone who hacked into just one account as that same password wouldn't work anywhere else.

For example if my core password is finkface10 (it isn't, don't worry), then for flyertalk, it might be FTalkfinkface10 or finkface10FT or something like that. They all follow the same pattern so I can remember them. Not sure that's secure enough because, as I said, if someone got hold of a good enough sample of them, the pattern is pretty easy to figure out. Like if I were using the second example, if they had a couple of my passwords and figured out the pattern, it wouldn't be too much of a stretch to guess that the password for United would be finkface10UA.

So, great minds, secure enough? Or since most hacks are a one-off, they likely wouldn't guess the pattern? Or should I go with LastPass? My email passwords, BTW, don't use the same pattern so if my email was hacked, it wouldn't get them much.
Passwords are stronger when they have higher complexity and entropy. Complexity is determined by the password's length and use of all possible character types. Entropy is the randomness of the password - if all your passwords include "finkface10" then they have low entropy.

https://xkcd.com/936/
gfunkdave is offline  
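Added example (not part of any poster's message): a small Python audit that measures how much of a set of per-site passwords is one shared core, as in the finkface10 scheme discussed above, and compares the guesswork left over with a randomly generated 20-character password. The hotel entry, the function names and the alphabets are constructed for illustration.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed sample: the FlyerTalk/United examples from the post plus one
# made-up hotel entry following the same core+suffix pattern.
SAMPLE = {
    "flyertalk": "finkface10FT",
    "united": "finkface10UA",
    "hotel (made up)": "finkface10MR",
}

def shared_core(passwords):
    """Longest substring that appears in every password."""
    shortest = min(passwords, key=len)
    for size in range(len(shortest), 0, -1):
        for start in range(len(shortest) - size + 1):
            candidate = shortest[start:start + size]
            if all(candidate in p for p in passwords):
                return candidate
    return ""

def reuse_report(vault):
    """Return the shared core and the fraction of each password it makes up."""
    core = shared_core(list(vault.values()))
    return core, {site: len(core) / len(pw) for site, pw in vault.items()}

def residual_bits(password, core, alphabet=string.ascii_letters):
    """Upper bound on the guesswork left once the core is known."""
    return (len(password) - len(core)) * math.log2(len(alphabet))

def random_password_bits(length, alphabet=ALPHABET):
    """Entropy of a password drawn uniformly at random from the alphabet."""
    return length * math.log2(len(alphabet))

def generate_password(length=20, alphabet=ALPHABET):
    """Password-manager style generation using the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    core, shares = reuse_report(SAMPLE)
    print(f"shared core: {core!r}")
    for site, pw in SAMPLE.items():
        print(f"{site}: {shares[site]:.0%} shared, "
              f"<= {residual_bits(pw, core):.1f} bits left once the core leaks")
    print(f"random 20-char password: {random_password_bits(20):.0f} bits, "
          f"e.g. {generate_password()}")
```

The residual figure is an upper bound: a suffix derived from the site's name is far more guessable than two random letters.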
Old Mar 22, 2016 | 5:18 pm
  #95  
Join Date: Nov 2006
Programs: Seniors Bus Pass
Posts: 5,561
Your problem and your working solution create some further additional security issues - but you probably guessed that!

Essentially you may mainly log in from anywhere but not using your own devices, presumably either belonging to friends or just public computers? You probably realise that the thought of using an internet cafe/public computer to access your "crown jewels" will give most folks a fit of the vapours.

There is a way around it that protects the master password (but not protecting against a screen grab as far as I can see). The way round it is a "one time password" for logging in.
LastPass explains it here:
https://helpdesk.lastpass.com/your-l...ime-passwords/

You could just carry a short list of one time passwords which you could use on any machine not under your own control.

Using a friend's machine would depend on how much you trust them, e.g. are their machines "safe" and not affected by malware/keyloggers etc if you were to log in using your master password ... but if you are going to carry a list anyway just use them here too for added security.

That's my 2c for now - other than recommending never to conduct some of this stuff from public machines.
antichef is offline  
Old Mar 22, 2016 | 5:35 pm
  #96  
Join Date: Jun 2008
Location: YVR
Programs: Aeroplan, AAdvantage
Posts: 2,107
Originally Posted by Finkface
I've learned a lot from this thread and downloaded both 1password and LastPass. I like LastPass and would upgrade to get it across all my devices but I do have one question.

If I use their crazy generated passwords (or even different, complex ones of my own) how do I log in when I'm not on my own device/computer?
Yup. This is a great use case for Master Password: visit https://js.masterpasswordapp.com/ and be done.
chx1975 is offline  
Old Mar 22, 2016 | 5:36 pm
  #97  
Join Date: Dec 2012
Location: YVR, HNL
Programs: AS MVPG, UA peon, BA Bronze, Marriott Plat, HH Diamond, Fairmont Plat (RIP)
Posts: 8,444
I generally don't use public machines, although do so occasionally at a hotel to print a boarding pass, that type of thing. And while I do trust my friends, their machines could be compromised without them knowing.

Thanks for the explanation of complexity vs entropy. But doesn't lastpass just generate a random password for each site you give it, logging into it for you via the app or the browser extension? That satisfies entropy/complexity for sure, but if on a public machine or wifi connection (assuming not using the master password for lastpass and just using a one-off as described by antichef) there is really nothing to protect you from being hacked on whatever site you are using, is there? We all need to use public wifi at times so I guess the theory is that the hacker is only going to get that one, random password? They can drain your UA account but they won't get anything else, is that it? In which case, if I toughen up my system a bit to add in symbols etc, am I really at that much more risk than using Lastpass? If they are only going to get that one password, is there that much chance of them breaking my system?

I'm not being deliberately obtuse here, and not trying to argue the point, I am truly trying to learn. 99% of my internet use is on my home wifi. Am I not as secure as I could be using lastpass for those times I am using public wifi/friend machines? If they are going to get my UA password anyway, does it matter if it is a random one (lastpass) or a seemingly random one (mine) as both are used only for the UA site and they don't know that I have some type of a system by that one password?
Finkface is offline  
Old Mar 23, 2016 | 4:13 am
  #98  
Join Date: Sep 2003
Location: Anwhere ex-MAN
Programs: Nil
Posts: 2,709
Originally Posted by Finkface
We all need to use public wifi at times so I guess the theory is that the hacker is only going to get that one, random password? They can drain your UA account but they won't get anything else, is that it? In which case, if I toughen up my system a bit to add in symbols etc, am I really at that much more risk than using Lastpass? If they are only going to get that one password, is there that much chance of them breaking my system?
That's a pretty good summary. The risks are minimal, unless someone gets a lucky break and starts to methodically work through all of your online life. To do that, there would have to be a need.

Top tips for you:
  • Avoid public computers
  • Reset passwords ASAP if forced to use them on public terminals (one reason a password manager helps)
  • Invest in a free or cheap VPN when using public wifi
  • Use second-factor authentication wherever you can - this may be a phone, a usb key or a list of codes
MAN Pax is offline  
Old Mar 23, 2016 | 7:11 am
  #99  
Join Date: Nov 2002
Location: ORD
Posts: 14,773
Originally Posted by Finkface
Thanks for the explanation of complexity vs entropy. But doesn't lastpass just generate a random password for each site you give it, logging into it for you via the app or the browser extension? That satisfies entropy/complexity for sure, but if on a public machine or wifi connection (assuming not using the master password for lastpass and just using a one-off as described by antichef) there is really nothing to protect you from being hacked on whatever site you are using, is there? We all need to use public wifi at times so I guess the theory is that the hacker is only going to get that one, random password? They can drain your UA account but they won't get anything else, is that it? In which case, if I toughen up my system a bit to add in symbols etc, am I really at that much more risk than using Lastpass? If they are only going to get that one password, is there that much chance of them breaking my system?

I'm not being deliberately obtuse here, and not trying to argue the point, I am truly trying to learn. 99% of my internet use is on my home wifi. Am I not as secure as I could be using lastpass for those times I am using public wifi/friend machines? If they are going to get my UA password anyway, does it matter if it is a random one (lastpass) or a seemingly random one (mine) as both are used only for the UA site and they don't know that I have some type of a system by that one password?
Yeah, you've got the gist of it. MAN Pax's input is also helpful. The main point of a password manager is to let you have a different, complex password on each site you visit so if one of them is compromised you don't give access to the hackers to all sites you visit. There comes a point where your passwords get complicated and long enough that it's easier to have a password manager to remember them instead of doing so yourself.
gfunkdave is offline  
Old Mar 23, 2016 | 9:08 am
  #100  
Join Date: Nov 2006
Programs: Seniors Bus Pass
Posts: 5,561
You are also trying to make yourself less attractive to a bad guy. If a site gets compromised and the bad guys get themselves a dump of email addresses and passwords they know they have to act fast before the compromise gets detected, publicly known and people start changing passwords.

They are going to start with the easy ones. Even though info about such things becomes public, good old humans continue to make the same mistakes, see here. If the muppet has used on the compromised site "123456" or "password" as his password then you can probably guess they are lazy enough to do the same on other sites - and probably reuse the same password. The bad guy then tries to sign into the email disclosed using the password and if they get in they change the password immediately to lock the muppet out.

They then try to sign in to common accounts using the email and password. If they get in they go to work. If they get a prompt for a "forgot password" they go that way as it will be sent to the email they now control. They then go through the emails looking for financial information to exploit.

You will avoid that by having different passwords for everything. But not if they are relatively easy to work out; don't think that "Passw0rd" is any more secure.

The bad guy then has to work out how much effort to devote to cracking passwords using brute force (I am simplifying here for ease of explaining). This is where long and obscure passwords come in. If the bad guy sees that you have a simple password and appear to take no effort on your own security he will probably devote more of his limited time to that task. If he sees that your password is something like "iD2$38j6hANV!2KW0&rQ" he will probably conclude that you use a password manager and that you will have different passwords at every site.
Consequently the bad guy will probably conclude he will waste his time and move on to the next easy one. Job done.
antichef is offline  
Old Mar 23, 2016 | 9:14 am
  #101  
Join Date: Jan 2002
Location: Washington, DC, USA
Programs: UA MM, MB LifeTit
Posts: 1,867
I want to thank you guys for inspiring me to stop being pretty bad about passwords. I'm in the process of adopting LastPass and feeling considerably less vulnerable.
EricH is offline  
Old Mar 23, 2016 | 10:47 am
  #102  
Join Date: Dec 2012
Location: YVR, HNL
Programs: AS MVPG, UA peon, BA Bronze, Marriott Plat, HH Diamond, Fairmont Plat (RIP)
Posts: 8,444
Wow, thank you all so much for the huge help. I get it now. I think, since the vast, vast majority of my online use is from my own wifi, I am best off using LastPass and their random, generated passwords. I now have to teach Mr. Fink how to use it. For those times I am forced to use public or other wifi/machines, it is really almost always for email and maybe one or two other sites (like FT). For email and those one or two sites, I am going to use different, but more complex passwords that I can remember without having to use LastPass. I'll also keep a few one-off master passwords for LastPass with me in case I do need to access my vault when out and about.

Many, many thanks to those of you who took so much time explaining this to me. I used to be one of those who had the same password for everything and figured it would never happen to me. I recently moved to my 'system' but realize now that still isn't much better. This is something I've been really worried about for a long time and finally addressed thanks to this thread and your help.

Now, what do I do about all those pesky pins? ATM cards, credit cards (chip and pin cards in Canada), keypad door locks, ipad/phone lockscreens, voicemails, etc, etc??
Finkface is offline  
Old Mar 23, 2016 | 10:53 am
  #103  
Original Poster
Join Date: Sep 2003
Posts: 12,413
Originally Posted by EricH
I want to thank you guys for inspiring me to stop being pretty bad about passwords. I'm in the process of adopting LastPass and feeling considerably less vulnerable.
+1
onlysuites is offline  
Old Mar 23, 2016 | 12:21 pm
  #104  
Join Date: Jun 2008
Location: YVR
Programs: Aeroplan, AAdvantage
Posts: 2,107
Originally Posted by Finkface
Now, what do I do about all those pesky pins? ATM cards, credit cards (chip and pin cards in Canada), keypad door locks, ipad/phone lockscreens, voicemails, etc, etc??
You use masterpassword :P
chx1975 is offline  
Old Mar 23, 2016 | 12:59 pm
  #105  
Join Date: Dec 2012
Location: YVR, HNL
Programs: AS MVPG, UA peon, BA Bronze, Marriott Plat, HH Diamond, Fairmont Plat (RIP)
Posts: 8,444
Originally Posted by chx1975
You use masterpassword :P
Reading up on masterpassword now. But it seems I would still always need to use my own devices as all sites must be entered via the app.

And for pins, I meant all those places you physically go where you have to enter a pin. ATM, credit card terminal (for chip and pin cards), voicemail retrieval, keypad lock on a door. Typically a 4 digit pin. How does one remember all those different pins? I have a million credit cards, 4 bank cards, 3 voicemails, 2 keypad door locks etc.
Finkface is offline  