Hacks - what are users to do?

[MiniMatt]

So, ignoring for the time being whether hackers are scum of the earth, new age anarchists shining a shit beacon on crap corporate security or both - what is the ideal method for end users to maintain security given that this sort of thing is always going to be with us.

In the olden days the stock advice was seperate passwords, all changed regularly. With so many different online venues all requiring of personal logins this is now no longer viable - or at least it's only viable if you keep a post-it note of passwords, or a password pattern like "password1, password2, password3" - which is kind of defeating the object.

So, lately I moved into "low, medium and high" passwords. I only have to remember three passwords - one for forums, facetube etc, one for "middling" security (generally games), and one for super duper high security that's only used for bank + credit card. This worked for a while but I'm now constantly changing my low and medium security passwords as forums and now games are hacked daily.

I've tried utilising the fact that the username forms one half of the equation and using different email addresses for each site - this obviously is easiest with your own domain such that anything@domain.com gets sent to you. Trouble with this approach is that when I forget passwords and have to use the remind-me service I can never remember if I signed up with RPS@domain.com or RockPaperShotgun@domain.com.

So - given that hacking will always be with us, given that someone learning your email address and password for Obscure Forum X will likely then try that same combination against Facebook, Steam, Amazon, Paypal, banks, credit agencies, MMORPGs etc - what are folks preferred strategies for keeping their junk secure?

[Lilliput King]

Bit low-fi, but maybe just keep different passwords for everything and put them down in a notebook or something.

[Lacero]

One really good way is to use different dates of birth on different websites (if legal), that way you've got far fewer problems with identity theft.

You would need some kind of pattern to remember them though, if someone calls you on the phone and you have to answer the security questions getting the dob wrong can be awkward :D

[Dubbill]

You can use LastPass to generate random passwords for you and store them so you never need to remember them. It's ideal for forums and sites that require registration but don't store any valuable data. You can then reserve your super secret personal passwords for sites for online banking, MMOs, etc.

[8-bit]

I have always had a notepad with all my passwords written down and they are all completely random and long, the ones I use regularly (like this site) I memorize. problem is having a good password doesn't make much difference when some jerk decides to, for example, hack the psn which means you have to change all of them.

what I want to know is what happens if the kids who are holding this information get their server hacked into by someone who will actually use it in the way everyone is afraid of.

[ColOfNature]

@8-bit: if your passwords are all different, why would someone hacking any one account mean you need to change them all?

[8-bit]

just being overly cautious, I don't really know much about what these sort of people are capable of and if my psn account is tied to my email I guess there was a chance they could get to that too.

[DigitalSignalX]

I have a sort of internal algorithm for passwords based on the website name involving switching the letters around in a pattern and adding numbers based on the URL or title length. I use it for games too and to my knowledge have never had account issues. That way if I ever go back to a really old login (my yahoo account and Ultima Online logins are both over 10 years old now) I'll always be able easily deduce what my password is. Unfortunately, what ends up happening is I sometimes forget the actual account name then which makes me feel all kinds of stupid.

[Lacero]

what I want to know is what happens if the kids who are holding this information get their server hacked into by someone who will actually use it in the way everyone is afraid of.

The same thing that usually happens in these cases, no one ever hears about it except the people with odd charges on their credit card bill or loans in their name. Or the people arrested for having cp website payments on their credit card. There's an incentive to take it seriously!

I really, really, wish I could go to visa or whoever and get an authorisation key I give to the website I want to be allowed to take payment. So instead of giving out enough information to them to buy things from anywhere I only give out enough for that merchant account to charge me. It's stupidly insecure the way it works right now.

[MiniMatt]

I have a sort of internal algorithm for passwords based on the website name involving switching the letters around in a pattern and adding numbers based on the URL or title length. I use it for games too and to my knowledge have never had account issues.

Oooh - I kinda like that. Sufficient to stop a sub-six month brute force crack, stops dictionary attempts in their tracks yet individually memorable and more importantly stops wide radius single attempt logins dead (ie. RPS forum gets hacked, that email/pass combo then tried once against a long list of more juicy targets - which is essentially where the realistic threat now lies). Hmm, I like that a lot.

[soldant]

I use LastPass. The more secure passwords are ones I haven't got a hope in hell of remembering. Some common websites I have an easy to remember password for but there's so little information attached that it's entirely useless. Main thing to remember with LastPass though is to ensure you have a strong master password.

[Cooper]

The simplest solution:

Keep important & money-involved accounts on a different email address than you would forums & other logins.

I have one basic email & password combo (and use the same pseudonym and false DoB) for all sites like RPS, forums etc. where -all- you need is an email & name.

So if my email for Bethesda gets snatched, big deal.

My Steam etc. are all on seperate email accounts & passwords.

Pretty much the same method as OP

Thing is, if your 'throwaway' details get nabbed, you -don't- have to go about changing it. Put simply, the chances those email details are going to be used to try and login somewhere like here are nil. So far, most of what has been nabbed (bar the PSN thingy) has been pretty low-level stuff.

[OctaneHugo]

I used three passwords as well (occasionally tacking on numbers and capitalization if I have to/want to), but don't specifically assign them to anything - which occasionally leaves me spending 3 minutes typing all kinds of different words and numbers into a text box if I forget which one I used for that site.

I store most of my passwords for forums and anything more important is one of the many variations that I forget myself. Problematic sometimes, but I like to think I'm less stupid and more really, really good at securing my accounts.

I also have about 8 different Gmail accounts, and if I ever feel like it 2 old Yahoo accounts. And for anything temporary I use GuerrillaMail. And on sites that for whatever reason require a name and DOB I use a fake combo. Which technically means I live a double life.

[Kablooie]

LastPass looked interesting, but data is stored online . . and they had a potential breach already.

Me, I'm not comfortable handing my data to anyone out there.

As for passwords, I won't divulge what method I use. There's always a compromise between security and convenience, yeah.

[solipsistnation]

After the Gawker Media Embarassment (whoops, my usual low-security password was in there, and I'd used it for medium-security stuff too. derp.) I usually use a base password with something specific to the web site tacked on. Even if somebody managed to retrieve my RPS password, they'd have to figure out which piece was the base and which was site-specific (not too difficult, honestly), but ALSO the site-specific part I use on any other sites that have a similarly-formed password.

I have a high-security password which is a little more complex and which can vary in a few ways. I may forget which way was used on which site, but I can usually figure it out.

PayPal can be set up to use your cell phone as an authentication token, so if a naughty person gets your password, they would still need your actual phone in order to log in as you.

[Dirtyboy]

The Usability of Passwords

[Maralinga]

Here's a few offline password managers for those that may be interested.

There's pros and cons to whichever method of storing passwords you might use, though using something like a password manager potentially allows you to use stronger passwords overall as you only really need to remember the one for the manager itself.

[Ezhar]

• Use complex (random letters and digits) passwords with 10+ characters.
• Use a different password for everything
• Use a different email address for every signup (Gmail's plus hack is great for this)
• Use a password manager (e.g. KeePass) to keep track of them (and avoid typing them in)
• Keep your personal data on a need to know basis:
  
  • Do they really need your actual birthdate or does any 18+ work?
  • Are you expecting them to ship you something? No? Then don't put in your real address.
  • Why even use your real name, unless you're signing up for a service where that matters for credit card verification or so your friends can find you.
  • Few sites will ever need your phone number.

And whilst these break-ins are annoying to users, they're actually beneficial in the long run: Companies that have been neglecting security for far too long are now spending some time and money to fix their shit. At least a little bit. DDOS attacks however are just plain stupid.

[JamesG]

@Kablooie

Lastpass data is stored online, but it is encrypted and decrypted locally using your master-password, which is never passed on to lastpass except as a cryptographic hash. Basically that means even with a complete dump of the lastpass servers, hackers would still need to brute force your master-password. If you have a strong master-password you have little to worry about (server side at least). I suppose someone could hack the lastpass site and install a malicious version of the client that syphoned off passwords, but in practical terms client side compromisation is probably more likely.

Still, my lastpass account does not contain my E-mail, paypal or banking passwords. It is also protected by two-factor authentication, as is my Gmail.

Oh, and any passwords that I might want on the move are memorised to avoid needing to log in to Lastpass on an untrusted system.

[Cooper]

Worth necro-ing, I think?

Thing is, the Steam hack fazed me if I'm honest.

The passwords are 'hacked and salted' (which nicely got explained in the comments) so I assume, along with Steam Guard, I have little to worry about. (Billing address, name and email are always annoying to lose together. Though address and name are available to anyone with the cash to buy the voting list in the UK...)

But it did make me realise I use the same password (now changed!) for other places.

I've been meaning to overhaul my password system ever since the spate of attacks earlier in the year. And considered a manager -BUT- don;t like the idea of having my passwords stuck 'in the cloud' like LastPass.

Thinking of using KeePass
http://keepass.info/
And putting it on a portable (tough) USB.

Any experience for anyone using something like KeePass which encrypts and stores the passwords locally?