How do you create your passwords?
Hello good folks,
I am a past owner & user of 1pass for the OS X operating system on Mac. I was pleased with your service in the past; however, I chose to migrate my passwords away. I have read your guide on creating secure passwords and even used the Diceware system in my own methods.
Anyway, for whatever reason, I recently built my own powerful PC and have been running Windows 8. As it stands, I'm not paying to use 1pass again because I paid for it on my iPhone too. Don't get me wrong, I do love the software. Anyway, down to the reason I am talking to you guys:
Recently, my bank details were compromised, and I understand there are a myriad of ways they can do this. I decided to change all of my passwords and I am no longer using the Diceware system; it's quite easy to come up with random passphrases without the use of the dice. However, I don't actually need to "remember" any of my passwords anymore. I have started using a password generator (one like that on 1pass), a strong one that includes upper case letters, lower case letters, punctuation & symbols; most of my passwords are 15 characters long also. Currently I am thinking of migrating back to 1pass to manage these passwords; however, I am storing most of my passwords offline & away from my home network in a password-protected file that is inconspicuously named. My question to you guys is: how do you create your passwords?
I feel pretty secure using 15 character passwords that have been randomly generated. Although it might sound like I'm some freak living in a foil covered basement, I'm actually a pretty normal guy who's recently moved to a new area, and I'm in charge of my home network security for the first time, so it's forced me to think about how I create & manage passwords.
Cheers
Comments
-
You are absolutely correct that for passwords you don't need to remember, a random password generator like 1Password's Strong Password Generator is the correct tool. The strongest passwords are not things that can be remembered.
As for length of these I tend to go for around 20, but 15 is also fine. Basically, there is no reason to not use the longest that the particular system will allow, unless there is some chance that you might have to type it in someday. The old advice of "8 characters" is now dangerously outdated.
As you can imagine, I would encourage you to come back to 1Password. Your home-grown system for password management may work out well for you, but I'd advise you to take a look at the kinds of mistakes people can make when rolling their own password management systems. You may still wish to continue with what you have after reading that, but it will be a more informed decision.
One thing you might notice is that in our documentation we are vague about what our own password strength meter calls "weak", "good", "fantastic" etc. That vagueness is deliberate because we modify this over time. What was "good" a year ago may not be "good" today.
So personally, I use Diceware for the few passwords I need to remember, and use 1Password's Strong Password Generator for everything else, typically around 20 characters. I tend to go with just letters and digits, because different sites reject different symbols.
I hope this helps,
Cheers,
-j
--
Jeffrey Goldberg
Chief Defender Against the Dark Arts @ AgileBits
http://agilebits.com
-
This content has been removed.
-
Jim, I can't speak for Jeffrey, but I generally start with 50 characters and a "healthy" mix of digits and symbols. It really depends on the site. I only lower the length when the site requires it, and I generally move the digit and symbol sliders around each time I generate a new password. (I guess that's a case for allowing a "random" option for digits and symbols rather than a set amount; however, many websites do have "exactly n" requirements for digits and/or symbols.)
You may be interested to read Jeffrey's post from back in August about the difference in entropy between "at least n digits" and "exactly n digits". It may surprise you.
-
This content has been removed.
-
It is my pleasure to help. :)
With regard to 50 character passwords, it's never been a problem for me yet. Between the 1Password browser extensions on the desktop, the 1Password mobile apps, and 1PasswordAnywhere in every other case, I can think of perhaps only a handful of times I've ever had to manually type a password. Either that or I've used Diceware passwords for ones I need to remember or type with any regularity.
-
This content has been removed.
-
It would be an interesting exercise. I wonder if Jeffrey is up to it. :)
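The "exactly n digits" versus "at least n digits" question raised in the thread can be worked through by counting, shown here as an added example that is not from any poster and is not 1Password's generator. It assumes a 62-symbol alphabet of letters and digits and a generator that picks uniformly among all passwords satisfying the rule; all function names are made up for illustration.

```python
import math
import secrets
import string

# Assumed alphabet: letters and digits only (62 symbols), as one reply prefers.
LETTERS, DIGITS = string.ascii_letters, string.digits
_rng = secrets.SystemRandom()  # OS CSPRNG, never the default `random` functions


def gen_at_least(length: int, n_digits: int) -> str:
    """Uniform over all strings with >= n_digits digits (rejection sampling)."""
    while True:
        pw = "".join(secrets.choice(LETTERS + DIGITS) for _ in range(length))
        if sum(c in DIGITS for c in pw) >= n_digits:
            return pw


def gen_exactly(length: int, n_digits: int) -> str:
    """Uniform over all strings with exactly n_digits digits."""
    digit_pos = set(_rng.sample(range(length), n_digits))
    return "".join(secrets.choice(DIGITS if i in digit_pos else LETTERS)
                   for i in range(length))


def count_exactly(length: int, k: int) -> int:
    """How many strings of this length contain exactly k digits."""
    return math.comb(length, k) * 10**k * 52**(length - k)


def bits_no_rule(length: int) -> float:
    """Entropy with no digit rule: every one of 62**length strings allowed."""
    return length * math.log2(len(LETTERS + DIGITS))


def bits_exactly(length: int, n_digits: int) -> float:
    return math.log2(count_exactly(length, n_digits))


def bits_at_least(length: int, n_digits: int) -> float:
    total = sum(count_exactly(length, k) for k in range(n_digits, length + 1))
    return math.log2(total)


if __name__ == "__main__":
    for length, n in [(15, 2), (20, 2), (50, 5)]:  # lengths named in the thread
        print(f"len={length:2d} n={n}: no rule {bits_no_rule(length):6.1f} bits, "
              f"at least {bits_at_least(length, n):6.1f}, "
              f"exactly {bits_exactly(length, n):6.1f}")
        print("   sample:", gen_at_least(length, n), gen_exactly(length, n))
```

Running it prints the three entropy figures side by side for each length, so the cost of an "exactly n" rule relative to "at least n" is visible directly.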