Do you use the same online passwords for all sites?

In the past I have used the same password (or similar) for logging into different sites like Hotmail, internet banking, Comsec, and forums. I know people who regularly change their passwords for security reasons but I was too slack to do that.

But I found this site that tests password strength and mine came in at 12% :(
So I made up another one which is now 80% strong and easy to remember.

I found if you put two exclamation marks (!!) before or after a word it increases the strength a lot. The same if you use a mix of upper and lower case and insert a number in between the letters.

I thought that inserting a character with a high unicode like Chinese character 倫 (20523) would make it stronger but it rates them the same as using a simpler symbol like a !

Both of these passwords rate at 100% if you want to use them for your internet banking :)

sk8wd9a倫>X

sk8wd9a!>X

http://www.passwordmeter.com/
 
I don't use random symbols as I find them rather hard to remember. But I use a combination of mathematical equations and/or pinyin words. As an example, 10^2=yibai, 2x4-1=qi

I can remember them easily that way.

BTW - I don't use the same password for the various sites I go to.
 

Sim

Administrator
Nope, every site I visit or application I use which requires a password gets a randomly generated complex password. I don't even try and remember them.

I have a secure open-source password tracking program (I use KeePass - http://keepass.info/ ) which has a long password protecting all my other passwords (a password which I never use for anything else and never tell anyone else).

It may seem like a central point of failure - but I figure nobody is going to be able to crack the security on my password program in a hurry, the only real weakness is from keystroke loggers ... but then, the same vector could be used regardless of whether I had secure passwords or not.

The biggest risk you face is from the websites getting hacked, not from your computer getting hacked. You need to be aware that some websites do NOT store your passwords encrypted in their database - if their system is compromised, your password is vulnerable and if you use the same password on every site - access to all your other data and banking and such is also potentially compromised.

vBulletin software does encrypt your passwords (I cannot look up your password in our database), but don't assume every other system does (they should - but I've seen systems that don't).

For sites I visit regularly which I want to be able to remember the password for, I sometimes use a pronounceable password generator - this is a random set of letters which make a pronounceable but meaningless word (importantly, it must not be in the dictionary). I also make them a bit more secure by swapping one of the characters for a number, eg, i => 1 or e => 3 or o => 0, etc. Being pronounceable, they are easier to memorise.

Here are some examples I just generated using an online tool at http://www.multicians.org/thvv/gpw.html (requires Java):

vangunpo
espanomo
humplant
terisern
aderyota

So I might use something like teris3rn or adery0ta for a password that I want to be able to remember. I would still mentally pronounce them "teri-sern" or "ader-yota" ... I just remember that I have to substitute a number for one of the letters when I type it. Works really well.
 
I do use different passwords for different websites, but I store them all in Opera Wand, and the Wand has a master password which I remember. So I don't have to remember the password or even the username.
 
For most of mine I do, but it has @ * ! stuff like that in them, but the strength is good because I have the characters.

The only ones I don't use the same password for are my banking, and my Hotmail (kept getting hacked) so it's now 26 characters long... surprisingly though it's completely different to all of my others, but I've had it for years and it's never gotten hacked again, and I remember it :)
 
Most of my passwords start out as simple English words but then become more complex over time; every so often I just change one character in the password.

E.g.

password
pastword
p6stword
p6stw2rd

etc... So the really old ones like my 12-year-old Hotmail account don't look anything at all like what they started as.
 
PassPhrase

Shift your thinking from word to phrase. A few sites don't let you use a long password which screws your passphrase up but that's life.

So move your thinking away from:
passw0rd
Pa55word!

to

BigPassword15Good
Big-password-is-g00d

The low-tech password/passphrase storage device is called a diary: very secure against tech-based threats, it stops the post-it note under the keyboard issue and lets you use longer words/phrases because you don't have to remember them.

Cheers
:)
 
I have pretty strong and different passwords for important stuff like banking.

I do repeat-use weak passwords across sites that don't matter so much, though (like forums - especially if they're running software like vBulletin that I know scrambles passwords in the database).
 
I use a different password for every site; I remember the password by remembering the system I use to create the password. So I have rules to create the password for each site.

So as an example the system might be: first 2 letters of the web address, last 2 letters of the web address, a number based on the first 2 letters of the web address where A is 1, B is 2 etc., then the last 2 letters again. So for somersoft it could be Sotf1915tf.

Using the same system on the theage website it would be theg2005eg.

You can get as creative as you like and it always produces a unique password, and all you have to remember is the system you use to create it, with the address being the key.

I also have a nonsensical word I can remember with numbers in it for my most important accounts like banks and central email account.
 
Passwords may be well encrypted.

But I was quite surprised once, when working on an Oracle DB site (back in my IT days), to be told my password. Apparently there is a utility to decode the "encrypted" password if you have access to the database.
 

Sim

Administrator
Apparently there is a utility to decode the "encrypted" password if you have access to the database.

That might not be unusual - depends on how the security is implemented and the nature of the system. A lot of "encryption" is nothing more than obfuscation, which is easily reversed if you know the formula used.

If there is no way to access the password without something like root access to the machine via a physical console attached to it - you don't really need to go to that much trouble to encrypt it ... so long as your physical security is up to par :eek:

Passwords in vB are encrypted using themselves as the key. You can only recover the password if you know what the password was in the first place :rolleyes: I can reset a password to something new, but I can't tell someone what they had previously used. There is a random element added as well to prevent someone trying to match a password by checking the encrypted version of someone else's password they've managed to find, against the encrypted version of a password they've entered to see if they match.
 
Lots of good tips about improving your password/phrase, thanks for those. I've taken quoll's suggestion and made a new "passphrase" with lots of characters making it secure.

But most sites prefer between 6-8 characters and a lot of internet banking sites don't allow symbols like !@?*&%$ so I have a new one for these fields with more numbers to make it secure.


..I use KeePass - http://keepass.info/ ) which has a long password protecting all my other passwords (a password which I never use for anything else and never tell anyone else).

Thanks for the link, I have downloaded it and just played with it. I also came across this one http://passwordsafe.sourceforge.net/ which looks similar but with a more basic-looking interface.

The problem with these programs is they are made to be used on your own PC because you have to run the program and open a file (.kdbx for KeePass) which is saved on your hard drive... but what if you want to use an internet cafe for doing banking while travelling? Can you run these programs from a USB stick?
I guess you'd have to have the program already installed on the stick as well as the .kdbx file to ensure you get the same passwords?

I've heard security people are warning that you now need a minimum of [a-z|A-Z|0-9] character options and 12 digits to make the password not economically crackable for the next 5 years.

But I don't think using brute force (running dictionary words and numbers) would be used on websites these days as most lock you out after 3 failed attempts. This method works best on a portable hard drive.
 
The biggest risk you face is from the websites getting hacked, not from your computer getting hacked. You need to be aware that some websites do NOT store your passwords encrypted in their database - if their system is compromised, your password is vulnerable and if you use the same password on every site - access to all your other data and banking and such is also potentially compromised.

Here is a horror tale I found on another site:

I agree that good enough is good enough for most applications, but I would add don't reuse passwords on different sites! Here is my Tale Of Horror:

I used to be involved in an open source CMS project. One of the developers was asked to leave for anti-social behaviour, and turned nasty. He managed to break into the project's community website and capture the database for about 30,000 members, including the hashes of the passwords. He used a brute force dictionary attack against the hashes and was able to recover many passwords (presumably weak ones). We don't know how many passwords he got, but probably quite a lot. That was the beginning of the nightmare.

At first he was just logging into people's website accounts and trolling with them. Then he discovered that many people had been using the same password everywhere, and he started breaking into people's private email accounts elsewhere. From there, he could use password retrieval services to access other websites and services people had accounts with, messing up their business sites, clients etc.

But the real gem was that one of the passwords he obtained belonged to a developer, who had reused the password on the *software repository for the project*. He managed to slip some poisoned code into the software that gave him a back door. The next time the project released a new version most people downloaded it, installed it and he suddenly had backdoor access to everyone's site, and thousands more hashes to play with. What a mess.

Cleaning it up took about 2 years. We knew fairly quickly that he had recovered passwords, but convincing thousands of people to change their passwords and not to reuse them on sensitive sites was a very painful process. He probably has access to a large number of people's personal stuff to this day, only the individuals he victimised sufficiently would have gone and changed every password to everything they had. The project software now adds a long salt to whatever password people choose to use, to make dictionary attacks on the hashes very difficult.

So personally I used Password Safe. It generates and stores long random passwords, you just have to remember one 'master' password to open the safe. This stops the 'lazy' effect of reuse due to having too many passwords to remember!
 
The problem with these programs is they are made to be used on your own PC because you have to run the program and open a file (.kdbx for KeePass) which is saved on your hard drive... but what if you want to use an internet cafe for doing banking while travelling? Can you run these programs from a USB stick?
I guess you'd have to have the program already installed on the stick as well as the .kdbx file to ensure you get the same passwords?

I've had a better play with it now and see they have portable versions for running them from USB sticks so that's good to know :)
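Sim's explanation of the "random element" added to stored vB passwords, and the salt the CMS project added after the horror tale above, both describe the same defence. The following is an added illustration (not vBulletin's, KeePass's or the CMS project's code) using PBKDF2-HMAC-SHA256 from Python's standard library: without a salt, two members who chose the same password get identical stored values, so anyone holding the database can match a known password's digest against every other row; with a per-user random salt the stored values differ even for identical passwords, while verification still works.

```python
import hashlib
import hmac
import os

# Added example: per-user salted password storage versus a bare hash.
# Constructed for illustration; not the scheme of any product named in the thread.

def unsalted_digest(password: str) -> str:
    """Bare hash of the password: identical passwords give identical digests."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def make_record(password: str, salt: bytes = b"", iterations: int = 100_000) -> dict:
    """Stored record: random 16-byte salt plus PBKDF2-HMAC-SHA256 digest."""
    if not salt:
        salt = os.urandom(16)  # fresh random salt per user; stored alongside the digest
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "digest": digest.hex()}

def verify(password: str, record: dict) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(candidate.hex(), record["digest"])

def duplicates_visible(password: str) -> dict:
    """Two users choose the same password. Can a database holder tell from the stored values?"""
    return {
        "unsalted": unsalted_digest(password) == unsalted_digest(password),   # True: matchable
        "salted": make_record(password)["digest"] == make_record(password)["digest"],  # False
    }

if __name__ == "__main__":
    rec = make_record("sk8wd9a!>X")            # password quoted earlier in the thread
    print("verify correct:", verify("sk8wd9a!>X", rec))
    print("verify wrong:  ", verify("sk8wd9a!>x", rec))
    print("same password visible as duplicate?", duplicates_visible("sk8wd9a!>X"))
```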
 
For most of mine I do, but it has @ * ! stuff like that in them, but the strength is good because I have the characters.

The only ones I don't use the same password for are my banking, and my Hotmail (kept getting hacked) so it's now 26 characters long... surprisingly though it's completely different to all of my others, but I've had it for years and it's never gotten hacked again, and I remember it :)

You were hacked? How? By whom? I'm curious... I thought Hotmail was un-hackable.
 