Password Security Best Practices

Isn't this a little ironic? 

Is it just me or is Grammar slowly becoming extinct on LTT? 

 

Link to comment

Hi nick 3:

 

 

 

Also, how do I get my hands on Bitlocker without paying to get the next package of an OS I already have? 3:

Moist

Link to comment

I'd like to see a poll of what software, if any, people use to store their passwords......

Link to comment

Hey LMG. What did you use to protect our passwords?

"God created war so that Americans would learn geography"

 

 

Link to comment



Edward Snowden was interviewed on his take on passwords. Despite the humorous interview with John Oliver, it does offer some advice and the cold hard truth.
Link to comment

This video was quite disappointing. While it covered the basics, it really gave poor advice regarding better internet security. While the listed apps could be user friendly, we have learned absolutely nothing about security of the apps themselves. When I was trying to sort my passwords, I found out that none of the "big" password managers are open source and there is absolutely no guarantee that there is no backdoor included. By installing these apps, you could actually jeopardize your security even more.

Unfortunately, with data mining and still better solutions for big data handling, you can't count on not being important enough for anyone to care. Today, everybody's personal info is sought after and everybody's personal info has a value.

If there is some actually safe solution, it would be great and I would like a video about that, but trusting your most sensitive information to a closed box you don't see into is just foolish.

As for myself, I found no solution when I was searching for one a few years back, so I was forced to implement my own solution, which I have been using ever since.

Link to comment

Luke,

Are you saying that cloud based password services are bad, like the one Chrome has? Because I use iCloud Keychain, is it safe?... And if it isn't, how can I trust 1Password or other services if I can't trust Apple or whatnot? Wouldn't it be easy to make different but connected passwords and just remember them?

I would like to see another video because it's an important topic.

And you read this, Luke, right? Say hello to Linus [emoji12]

Link to comment

For a Dutch person, Taran's names were the BEST!! A small translation for all. 18+? No literal translation. Just what they mean.

Taran VanHamburger: Taran of Hamburger
Taran Van Droogkloot: Taran the bloody drag
Taran van Eikel: Taran the Asshole

 

Taran van Hemert: Doesn't have a real meaning. Van Hemert is just a normal surname here. And better than Naaktgeboren (no offense).

Link to comment

I think passphrases are safer than passwords only as long as the cracking software isn't written to target passphrases, especially if the words making the phrase up aren't randomly generated.

Like if a brute force password cracker was set up to go through all combinations of 1 common household object and several adjectives applicable to inanimate objects, I don't think a lot of passphrases would hold up very well.

Link to comment

MISINFORMATION.  1Password is NOT cloud based.  They store passwords locally only.  You can sync between devices using WiFi but that is direct device to device and never leaves your network.

 

Some might say the optional Dropbox sync option is cloud based but a) your passwords can not be accessed online, you must have the desktop app to access it and b) 1Password has no knowledge of your passwords or even their existence as they are being stored in a third party location, not theirs.

Link to comment

Slick mentioned Chrome's password manager is a big no-no, because they use the Windows key to encrypt the data, "an iffy solution at best". But Chrome does offer the option to encrypt the data with a separate key-phrase. From the security point-of-view, is this significantly worse than a 3rd party password manager? I know password managers can be more "portable", but I do like the Android/Chrome integration and for something like passwords, the fewer places the better and Google already has my email password...

Link to comment

LastPass for the win 

Link to comment

https://diogomonica.com/posts/password-security-why-the-horse-battery-staple-is-not-correct/

 

Because of dictionary-based password attacks, I wouldn't recommend using the password creation method in the video. Everyone should be moving to a password manager (preferably ones that store the file locally) anyway, and with those managers create randomly generated passwords. I currently use KeepassX for this, as it stores the file locally and works on Windows, Mac OSX, and Linux.

I love LTT, but this is the misinformation that needs to stop spreading about passwords. I'm glad they are actively trying to generate password awareness, but we need to move to password managers instead of trying to make up ones based off words.

Link to comment

> Slick mentioned Chrome's password manager is a big no-no, because they use the Windows key to encrypt the data, "an iffy solution at best". But Chrome does offer the option to encrypt the data with a separate key-phrase. From the security point-of-view, is this significantly worse than a 3rd party password manager? I know password managers can be more "portable", but I do like the Android/Chrome integration and for something like passwords, the fewer places the better and Google already has my email password...

 

Chrome encrypts your data on the whole, but it's only still "safe" if you completely log out of Chrome every time you stop using it. That's where the "Only protected by Windows password" bit came into play: If you stay logged into Chrome - which most people do - then anyone who has access to your Windows OS can get to your Chrome passwords because when logged into Chrome it actually asks for your Windows password to reveal any saved passwords in Chrome.

Weird.

"Epic Voice, Quality Content"

Link to comment

Here is another simple way to create a password.

 

1. Pick 2-3 words. The more random the better. eg. Apple, Cat, Noodles.

 

2. Replace any letters you can with their "l33t" alternative and remove some letters to make them less like words. eg. Apl3, Kat, N0dl3s

 

3. Place "@", "!" or any other symbols into the password. eg. Apl3@Kat!N0dl3s&

 

4. Use Apl3@Kat!N0dl3s&. Should be pretty damn good.

 

Also, another useful thing to keep your password different for each site is to simply add "@YouTube" or "@email". Eg. Apl3@Kat!N0dl3s&@LTT

Link to comment
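Added example, not part of any post in this thread: a small Python model of the point raised in the passphrase and dictionary-attack posts above, applied to the l33t recipe just described. It counts entropy under the assumption that the attacker knows the recipe and only the individual choices are secret. The pool sizes, the guessing rate and every name in the code are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed pool sizes for illustration; none of these numbers come from the thread.
HUMAN_WORD_POOL = 2_000             # words a person realistically "picks at random"
LEET_SPELLINGS = 8                  # mangled spellings per word (Apple -> Apl3, ...)
SYMBOLS = len(string.punctuation)   # 32 ASCII symbols
DICEWARE_LIST = 6 ** 5              # 7776 words, five dice rolls per word
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def recipe_bits(choices):
    """Bits of entropy when the attacker knows the recipe and only the
    independent, uniform choices (given as pool sizes) are secret."""
    return sum(math.log2(n) for n in choices)


def avg_crack_seconds(bits, guesses_per_second):
    """Expected time to hit the password: half of the search space."""
    return 2 ** (bits - 1) / guesses_per_second


def random_password(length=16):
    """Uniformly random password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


# Recipe from the post: 3 words, each l33t-mangled, a symbol after each word.
LEET_RECIPE = [HUMAN_WORD_POOL * LEET_SPELLINGS] * 3 + [SYMBOLS] * 3
# Same recipe plus a fixed "@SiteName" suffix: one possible value, zero bits.
LEET_WITH_SITE = LEET_RECIPE + [1]
DICEWARE_6 = [DICEWARE_LIST] * 6        # six dice-selected words
RANDOM_16 = [len(ALPHABET)] * 16        # what a password manager generates

if __name__ == "__main__":
    rate = 1e10  # assumed offline guessing rate against a fast, unsalted hash
    for name, recipe in [("l33t recipe", LEET_RECIPE),
                         ("l33t recipe + @site", LEET_WITH_SITE),
                         ("6 diceware words", DICEWARE_6),
                         ("16 random chars", RANDOM_16)]:
        b = recipe_bits(recipe)
        days = avg_crack_seconds(b, rate) / 86400
        print(f"{name:22s} {b:6.1f} bits  ~{days:.3g} days on average")
    print("generated:", random_password())
```

The site suffix changes the stored hash per site but adds nothing to the search space, and a leak of one site's password reveals the pattern for the others.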

> Hey LMG. What did you use to protect our passwords?

IP board does not store passwords in plain text.

 

Link to comment

> IP board does not store passwords in plain text.

 

Hashed and salted, I hope.

"You have got to be the biggest asshole on this forum..."

-GingerbreadPK

sudo rm -rf /

Link to comment
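What "hashed and salted" looks like in practice, as an added example that is not IP.Board's code and not part of the posts above: an unsalted fast hash next to a per-user salted, deliberately slow one. The record format, function names and iteration count are assumptions made for this sketch.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor; tune to the server's hardware


def unsalted_sha256(password: str) -> str:
    """Weak form: identical passwords give identical digests, so one guess
    (or one precomputed table) is checked against every account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str) -> str:
    """Salted, slow form: a fresh random salt per record plus PBKDF2."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    # Constructed record format: scheme$iterations$salt$derived_key
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, iters, salt_hex, dk_hex = record.split("$")
        if scheme != "pbkdf2_sha256":
            return False
        expected = bytes.fromhex(dk_hex)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    except (ValueError, OverflowError):
        return False  # malformed record: reject rather than crash
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    pw = "Apl3@Kat!N0dl3s&"  # sample password taken from the thread
    print("unsalted, two users:", unsalted_sha256(pw) == unsalted_sha256(pw))
    a, b = hash_password(pw), hash_password(pw)
    print("salted, two users  :", a == b)
    print("verify correct     :", verify_password(pw, a))
    print("verify wrong       :", verify_password(pw + "x", a))
```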

> Hashed and salted, I hope.

that sounds like food  :D

Link to comment

Quick edit on the video, 1Password stores your data locally, not in the cloud. It has the option for cloud syncing, but this is not mandatory.

Link to comment

A11 Pa55w0rds 5h0u1d B3 tYp3d L1k3 Th15

Link to comment

The problem with all good solutions is that they're hard and not everyone would do them.... If there was an easy way.

Link to comment

Switched to Keepass last week, so far so good.
Since most services/websites remember me when I log in, I don't need to open Keepass everyday so I don't waste much time.

 

The only thing I haven't "converted" to a Keepass password is my email, because, you know, if my SSD ends up failing and I lose Keepass, I will want a way to recover those accounts. (Though I did back up Keepass to not only a USB drive that I carry on my keychain, but also on 2 other HDDs, just in case, and yes, there is a master password so even if I lose my keys, no one will suddenly get access to the Keepass database on there.)

Link to comment
