Importance of having a written list of all sites you have passwords on.

Do you have a written list of all the sites you have passwords on?

If not, you should: it is very important that you have access to that list and keep it updated with sites, so that if you need to change passwords you can, and you will know which sites you have passwords on. It is almost impossible to have a different password for each site; you may have 100 sites or you may have thousands, and I'm sure a couple of those sites will share the same password. Some sites' policies require users to change passwords periodically, e.g. every 90 or 180 days, which is a good thing in my opinion: a great reminder to keep the passwords different and not as easy to be hacked. With a list of sites written down you will always be up to date on which sites you have passwords with, and you can keep them up to date so you do not miss any.

All of the good password cracking programs include foreign words, backwards words, etc. And the easiest way to steal a password is by asking for it, so it's simpler to "never give it away".

I think this is very important. A friend of mine, Pierce, suggested I write this post, and I think it is a great idea: with so many sites being compromised and hacked today we have to protect ourselves as much as possible, and this will help. The next time you are shopping, pick up a notebook to make your list.

A lot of people use sites like LastPass etc., but I am not sure about those sites. How do you feel? How safe are you giving your info to a company to make a password for you?
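The point of keeping the list is that it lets you see which sites share a password and which ones are due for a change under a 90 or 180 day policy. As an added example, not from the post itself, here is a small Python audit over a constructed inventory (the sites, passwords and dates are made up); it reports passwords reused across sites and passwords older than the site's rotation policy. The inventory layout and the `rotate_days` field are assumptions for this example.

```python
from collections import defaultdict
from datetime import date

# Constructed inventory for this example; sites, passwords and dates are made up.
# Each entry: the site, the password as written in the list, the date it was last
# changed, and the site's rotation policy in days (None when the site has none).
INVENTORY = [
    {"site": "mail.example.com",  "password": "E@o(;/ TrE 23", "changed": date(2012, 1, 10),  "rotate_days": 90},
    {"site": "shop.example.com",  "password": "Summer2011",    "changed": date(2011, 6, 1),   "rotate_days": None},
    {"site": "forum.example.org", "password": "Summer2011",    "changed": date(2011, 9, 15),  "rotate_days": 180},
    {"site": "bank.example.net",  "password": "kQ7#vL2pX9!m",  "changed": date(2011, 11, 30), "rotate_days": 90},
]

# The day the audit is run (fixed here so the example is reproducible).
AUDIT_DATE = date(2012, 3, 1)


def find_reuse(entries):
    """Map each password that appears on more than one site to the sites sharing it."""
    by_password = defaultdict(list)
    for e in entries:
        by_password[e["password"]].append(e["site"])
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


def find_stale(entries, today):
    """Sites whose password is older than their rotation policy allows."""
    stale = []
    for e in entries:
        policy = e["rotate_days"]
        if policy is not None and (today - e["changed"]).days > policy:
            stale.append(e["site"])
    return stale


def audit(entries, today):
    """Run both checks and return the findings as one report."""
    return {"reused": find_reuse(entries), "stale": find_stale(entries, today)}


if __name__ == "__main__":
    report = audit(INVENTORY, AUDIT_DATE)
    for pw, sites in report["reused"].items():
        print(f"password shared by {len(sites)} sites: {', '.join(sites)}")
    for site in report["stale"]:
        print(f"password on {site} is past its rotation policy")
```

Whatever form the inventory takes, it holds every password you own, so it needs the same care as the notebook the post recommends: the audit is meant to run locally against a list you already keep, not to be a new place to copy passwords into.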

Thanks

Cleta 🙂


12 thoughts on “Importance of having a written list of all sites you have passwords on.”

  1. Thanks for taking the time to explain this to those that might not have thought about this before.

    I use RoboForm on a USB stick, so it doesn't store my passwords on any of my computers or online. I tend to not trust online (cloud) storage for anything personal or otherwise. When I use my RoboForm I just plug it in and mount the app from the USB stick, and it loads all my hundreds of passwords that I would never be able to remember, because every single password is random and as long as the sites it lets me log in to allow. I only have to remember one random password and/or key file to gain access to all my passwords. Some are ~32 digits long. And when I unload my USB stick it automatically erases any and all traces from that computer.

    As for changing passwords every so many days, I have always found that silly. For instance, if a hacker cracks your password for whatever that password is used for, then he/she would instantly use the password to access that particular account and not wait until you find out that someone has hacked into that account. So, changing a password every so many days would really not do much for you security-wise. Making good strong passwords would be as much security as you would really need, and maybe never using the same password for more than one account. Even something as simple as E@o(;/ TrE 23 as a pass would take years and years to crack; and how do you remember such a pass? Again, you can do like I do and use RoboForm, or as you suggested LastPass, which also can be run from a USB stick. There are literally hundreds of password keepers and fillers that don't need any internet access at all to work. Plus many have a way to print out every single correlated URL with its password. Now RoboForm is for Windows users, but there are others that work with iOS and Linux systems. Also, if you are going to make a list, be very careful where you store that list. I should also state that putting that check mark in the little “Remember me” or “Keep me logged in” means that you have just set a cookie in that computer's browser settings, so that later, if some knowledgeable person has physical access to that computer, they might be able to find enough info to be able to crack the pass.

    It is up to people to want to take the time to learn and make their life online more secure.
    Dear

  2. Password programs like that are fine, as long as you have it backed up. They certainly are better than keeping a notebook full of websites and passwords; but if something were to happen to the USB drive, you just lost everything.

    As of last year, I'm not sure if it's changed since, but the minimum characters for a strong password were 16. That's not just for brute force, but also when a cracker/hacker uses rainbow tables. Rainbow tables take a password that would normally take years to be cracked with brute force and allow it to be cracked in a matter of minutes.

    For me, and probably the best practice since it slightly changes from person to person, is to use l3375p34k (leetspeak) to write a sentence as the password. It could be your favorite quote, and as long as you remember that quote and that you used it with that website, then you should be fine.

    As for changing passwords, you should always change your password when you think someone has found out what your password is. If you use a random password generator with a password program, then you probably don’t even know what the password is. So if you misplace or lose that USB drive, you better pray you had a back-up so that you can go through and change everything.
    Other than that, I would actually recommend it being changed every 30 days, because if somebody wanted your password and were after you, they would research you. While researching you, they would find clues here and there at worst.
    A change every time they thought their password was lost or at risk would be good for the basic, average user.

  3. @TeK. I did leave that out, didn't I? Yes, of course you should have a back-up/clone of the USB if that is what you are using, which is very easy to do. Also, having the print-out of all of them like Cleta suggested in the first place can be your back-up.

    RoboForm does have a random password generator, but when you use it, it asks you if you want to store the password and its associated account to the USB stick. So, you will not lose it and will know what the password was that was just generated. It will be right on the USB.

    But rainbow tables can be used on leetspeak-type sentences also, since they are basically the same as the example password I said above. Did you notice the ‘spaces’ also? I'm not sure, but I think if spaces are allowed characters on the particular account, then they would mess up a lot of rainbow tables. So even using a password like: (with the spaces) would work as a good password and have enough entropy.

  4. I use Password Safe and Dropbox, an easy solution that I can access anywhere; if on Linux I use Password Gorilla instead.

  5. @Dear
    A printout of your passwords would still be a horrible way to keep track of your passwords, even as a back-up. You say in your first post, “…if some knowledgeable person has physical access to that computer…”, which would mean that they are within the very room of your printed passwords, which would be much easier to get and take much less time to search for.

    As for using leetspeak to type your password, I did say a quote, which is more than one word long, which would include spaces. Now leetspeak is better, because let's take the letter L and see how many ways people write that in leetspeak: 1, l, |, or even L. Which means a person using a dictionary to crack it would have to have every possible way of writing that word for it to be useful. As a quote that is longer than 16 characters, rainbow table programs won't work well against it, since they are tables and they don't work past 16 since last year; if you want to prove me wrong, try Ophcrack and go at it.
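The comments above argue about how much leetspeak substitutions and length each contribute. As an added example, written for this page and not by any of the commenters, the Python below gives two rough entropy estimates: the bits of a truly random password over the 95 printable ASCII characters (the `E@o(;/ TrE 23` example from the thread), and, for a leetspeak'd quote, both the naive length-only figure and a more realistic figure in which the attacker guesses the quote from a list and then tries each spelling. The substitution table, the base sentence and the quote-list size are assumptions of the example.

```python
import math
import string

# The 95 printable ASCII characters: what a password generator draws from.
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "

# Leetspeak spellings per letter that a cracking rule set would try.
# This table is an assumption for the example, not taken from any real tool.
LEET_VARIANTS = {
    "a": "a4@", "e": "e3", "i": "i1!", "l": "l1|", "o": "o0", "s": "s5$", "t": "t7+",
}


def random_bits(length, alphabet=ALPHABET):
    """Entropy of `length` characters chosen uniformly from `alphabet`: length * log2(|alphabet|)."""
    return length * math.log2(len(set(alphabet)))


def leet_substitution_bits(sentence, variants=LEET_VARIANTS):
    """Bits left to guess once the attacker knows the base sentence: each
    substitutable letter is one choice among its spellings, every other character is fixed."""
    return sum(math.log2(len(variants[c])) for c in sentence.lower() if c in variants)


def leet_quote_bits(sentence, quote_list_size, variants=LEET_VARIANTS):
    """Two estimates for a leetspeak'd quote of this length.
    naive:     treat every character as random printable ASCII (length alone)
    realistic: the attacker picks the quote from a list of `quote_list_size`
               candidates, then tries each leetspeak spelling of it"""
    return {
        "naive": random_bits(len(sentence)),
        "realistic": math.log2(quote_list_size) + leet_substitution_bits(sentence, variants),
    }


if __name__ == "__main__":
    random_pw = "E@o(;/ TrE 23"      # the random-looking password quoted in the thread
    quote = "we can rebuild him"     # constructed base sentence for a leetspeak password
    print(f"{random_pw!r}: {random_bits(len(random_pw)):.1f} bits if truly random")
    est = leet_quote_bits(quote, quote_list_size=1_000_000)
    print(f"{quote!r} in leetspeak: {est['naive']:.1f} bits by length alone, "
          f"{est['realistic']:.1f} bits if the quote is in a 1,000,000-entry list")
```

The two figures for the quote differ by a factor of about four, which is the whole point: length only counts as entropy when the characters are unpredictable, and a memorable sentence with a handful of substitutions is far closer to the realistic figure than to the naive one.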

  6. But they don't need all your passwords, just 1 password. The only one that matters is, when you press “forgot password”, where does it go? That's right, your email account.

    Now every time you use your email, do you -always- use https? And of course all your devices are set up to use your email account with imap/ssl smtp/ssl pop/ssl? Just because some phones, once they have the SSID... like Linksys or Netgear with no password (default), they log in, and the first thing they do when they log in is sync email. A bad person could set up a Linksys SSID on an Android phone, sit in an internet cafe, enjoy a cup of coffee, walk out and have every packet of information that went through it logged…

    Pierce

  7. @Pierce.
    They do, at the very least, need your e-mail's password to get a rather comprehensive list of the sites you use, but then most sites need you to answer security questions. Also, you need to go to the site that you signed up at to even press “forgot password”, know which e-mail you use (you do have professional and personal at the very least, right?), and know enough about the person to answer any security questions.

    Router companies like Linksys and Netgear do have default passwords. The SSID is sometimes random and the key is also normally random. We won’t get too far into that, as the topic is “passwords”.

    Packet sniffers are an entirely different matter altogether. Yes, a person can crack your wireless router’s key rather easily and in under a few minutes. Yes, you can easily intercept signals from most wires before fiber optics became so widely used. But, packet sniffers are on the matter of total security, not good password creation and usage.

    The average person CANNOT take into account all of the security flaws when creating a password for a website. They do not have the know-how to circumvent what they can from a house, most do not have the money to buy the equipment to cover their asses, and most do not care enough about a Facebook account to spend all of the time and money to do so. Then, on top of all of that, NONE of it is truly 100% secure. If a hacker wants in, they WILL get in. Whether through the internet, physically at their computer, or tricking you into giving them the credentials.

    So, for normal users' passwords, I stand by my previous points. 16 characters, make them quotes to be easily understood, make it leetspeak so that it has symbols and numbers as well. Some sites, I believe AOL's AIM is one and Windows Live Messenger is another, do not allow 16 characters and stop you before you reach that far.

  8. I almost forgot, some sites actually don’t allow you to use special characters when you create your password. The reasoning behind all that is more security. If they allowed the use of those special characters when signing up, a person would be able to send commands to the server.

    So, the best practice is to take as much as you can from creating a truly secure password and make one that the site allows. Then you can use, as Dear does, a program to keep track of all of those passwords. We both agree on keeping a back-up of those passwords, just in case something happens to that flash drive or if your hard drive gets messed up, so that you can always get into your accounts.

  9. I don't agree with writing them down, especially if you…don't live alone or have people over to your house. Someone's bound to stumble upon your little sticky notes, eventually. I'd say never write any of them down, never store any of them on any of your computers, and certainly never give them out to a web-based password manager. Become a person of memory. Don't make the passwords anything that's actually relevant to you in any way. Seems to be a common misconception in movies, people always using their birthdays or the birthday of a loved one, even in reverse (Clear And Present Danger). Hopefully, no one in real life would be so stupid as to make their password something as simple as “Love, sex, secret, [or] God.” -Hackers. Make them complicated, but give yourself time to learn how to memorize them. I also recommend reading up on the subject of proper password construction. “Hacking Exposed: 5th Edition” (or whichever version is the latest), I believe, has a whole section on this topic. The 5th edition just happens to be the version that I have sitting on my bookshelf. I'm sure it's quite outdated at this point with regards to software that people use to glean passwords from other users, but not out of date with the proper construction of a password that's hard to crack and the proper methods to store them.
