What should I do

calyx
Senior Contributor

Re: What should I do


@BrokenCredit wrote:

@calyx wrote:

@BrokenCredit wrote:

Does anyone have any idea why my 2-step verification with Google did not work? Also, what would be the best password manager to use? (If I were to use one; not sure if they are good yet.) I do see there are a lot of them to choose from.


I like LastPass, and most of my friends either use LastPass or 1Password.

What's really nice about a password manager is that I just have to keep that one password updated in my Durable Power of Attorney - whoever has to pay my bills if I'm incapacitated just has to log in there to get to everything.


I have been researching password managers, and maybe I am just paranoid, but they seem very unsafe. I want to use one because it's not smart to use the same password for everything, but I don't know if that is any safer?


Honestly, I suppose it would be 'safer' to keep a list of passwords in a journal locked in a safe at home and manually enter everything. But I think that you can look at password managers and decide if you think it's worth the risk. I am sufficiently happy with LastPass's security itself to use it. I also periodically change my LastPass password itself (actually, every 90 days, when my workplace prompts me to change my work PW).

One thing that I've heard suggested is to use something you can easily remember, like using the first letters of a memorable sentence, and then alter that password as needed.
Like - "I like pickled avocados and rocky mountain oysters" (seriously, I just made that up, please don't think badly of me, haha) - ILPAARMO - so for your Gmail account, you might use ILPAARMOGmail1! and then for Amazon ILPAARMOAmazon1! etc. (or whatever, I threw the 1! in there for those that need a numeric and special character). Different, but long enough.




F8 EQ: 799 | EX: 791 | TU: 791 | Accounts: 2/6 3/12 8/24
Happy practitioner of AZE9or10or11or12 | Team Finances > FICO
Message 11 of 15
BrokenCredit
Contributor

Re: What should I do

I have been thinking about a password manager for 3 weeks now I think, and my password was compromised AGAIN 6 days ago during that time. Which, to be fair, was my fault; I am not going to pretend like I made my password different, all I did was add 3 numbers to my compromised password (which I thought would be sufficient). I have come to the conclusion I am way too mistrusting, and I cannot use a password manager. I was playing around in Word the day my account got hacked the 1st time, and I took my hands and simply mashed them on the keyboard. In the end it was 22 characters in length. It is extremely complex, and I have spent the last 3 weeks studying this password trying to memorize it. I finally memorized it this morning; I have this password ingrained in my memory.

 

Do you think this 22-character password is secure enough to use on all the accounts I don't care about, and then have a different password for the accounts I do care about? (Like my bank, Google account, and credit card accounts.) I have about 55 to 70 accounts, and I only care about 6 of them. I know it doesn't sound smart to use the same password on 50+ accounts; however, I feel like no one is ever going to be able to guess a password with 22 unique characters. Maybe I'm wrong though?

Message 12 of 15
iced
Valued Contributor

Re: What should I do


@BrokenCredit wrote:

 

Do you think this 22-character password is secure enough to use on all the accounts I don't care about, and then have a different password for the accounts I do care about? (Like my bank, Google account, and credit card accounts.) I have about 55 to 70 accounts, and I only care about 6 of them. I know it doesn't sound smart to use the same password on 50+ accounts; however, I feel like no one is ever going to be able to guess a password with 22 unique characters. Maybe I'm wrong though?


No. The bar for a script kiddie breaking your password the old-fashioned/l0phtcrack way is much below 22 random/unique characters, provided you aren't doing anything stupid like putting your first and last name together and replacing a's with 4's and that kind of stuff. Rather, most account breaks today are a matter of exploiting a vulnerability that exposes the password in the clear for the kiddie to see. The complexity of the password really doesn't matter when it's right there in front of them.

 

This is also part of why having unique passwords is one line in defense-in-depth. If you re-use the same password, no matter how complex, you're only as secure as the weakest application you access with that password.

 

If you're paranoid about this happening again in the future, you should also go with MFA (multi-factor authentication) on applications that support it, usually with an OTP (one-time pin). This can be either via a text message to your mobile device, or a soft token such as RSA/VIP. Most financial applications support this.

 

TouchID access is not a replacement for MFA, unless you have to enter your thumbprint in addition to a password. Most applications replace needing to enter the password with the touch, which can actually be less secure. A valid use of Touch ID as part of MFA is E-Trade's iOS app - after touching, you are then additionally required to enter an OTP from a token.

Message 13 of 15
BrokenCredit
Contributor

Re: What should I do


@iced wrote:

@BrokenCredit wrote:

 

Do you think this 22-character password is secure enough to use on all the accounts I don't care about, and then have a different password for the accounts I do care about? (Like my bank, Google account, and credit card accounts.) I have about 55 to 70 accounts, and I only care about 6 of them. I know it doesn't sound smart to use the same password on 50+ accounts; however, I feel like no one is ever going to be able to guess a password with 22 unique characters. Maybe I'm wrong though?


No. The bar for a script kiddie breaking your password the old-fashioned/l0phtcrack way is much below 22 random/unique characters, provided you aren't doing anything stupid like putting your first and last name together and replacing a's with 4's and that kind of stuff. Rather, most account breaks today are a matter of exploiting a vulnerability that exposes the password in the clear for the kiddie to see. The complexity of the password really doesn't matter when it's right there in front of them.

 

Am I reading that wrong? If that is the case then it doesn't matter what my password is, I am screwed either way?

 

This is also part of why having unique passwords is one line in defense-in-depth. If you re-use the same password, no matter how complex, you're only as secure as the weakest application you access with that password.

 

 

If you're paranoid about this happening again in the future, you should also go with MFA (multi-factor authentication) on applications that support it, usually with an OTP (one-time pin). This can be either via a text message to your mobile device, or a soft token such as RSA/VIP. Most financial applications support this.

 

Is this 2-step verification or something else? If it is 2-step then I already have that. Google completely failed 2-step verification twice now. Wells Fargo seems to be the only one with 2-step that works for me (I don't use it on many things, just Google and now my bank).

 

TouchID access is not a replacement for MFA, unless you have to enter your thumbprint in addition to a password. Most applications replace needing to enter the password with the touch, which can actually be less secure. A valid use of Touch ID as part of MFA is E-Trade's iOS app - after touching, you are then additionally required to enter an OTP from a token.


I don't know, I might use a password manager, I still need to think about it I guess. In reality, the only 2 things I truly care about are secure now; I recently turned on 2-step for my bank and Amazon (I have to enter a code every single time I log in). I would LOVE for my Gmail to be secure as well; however, Google doesn't want that for me obviously, otherwise I would not only be promptly alerted someone has hacked me but 2-step would also work.

 

Side note, I think the main problem I have with password managers is the ones recommended in this thread have been compromised in the past according to Google when I look them up. If they are supposed to be so secure, why are they having that problem? Also, is there anything I can do to actually make my Gmail secure?

Message 14 of 15
iced
Valued Contributor

Re: What should I do


@BrokenCredit wrote:

@iced wrote:

@BrokenCredit wrote:

 

Do you think this 22-character password is secure enough to use on all the accounts I don't care about, and then have a different password for the accounts I do care about? (Like my bank, Google account, and credit card accounts.) I have about 55 to 70 accounts, and I only care about 6 of them. I know it doesn't sound smart to use the same password on 50+ accounts; however, I feel like no one is ever going to be able to guess a password with 22 unique characters. Maybe I'm wrong though?


No. The bar for a script kiddie breaking your password the old-fashioned/l0phtcrack way is much below 22 random/unique characters, provided you aren't doing anything stupid like putting your first and last name together and replacing a's with 4's and that kind of stuff. Rather, most account breaks today are a matter of exploiting a vulnerability that exposes the password in the clear for the kiddie to see. The complexity of the password really doesn't matter when it's right there in front of them.

 

Am I reading that wrong? If that is the case then it doesn't matter what my password is, I am screwed either way?

 

This is also part of why having unique passwords is one line in defense-in-depth. If you re-use the same password, no matter how complex, you're only as secure as the weakest application you access with that password.

 

 

If you're paranoid about this happening again in the future, you should also go with MFA (multi-factor authentication) on applications that support it, usually with an OTP (one-time pin). This can be either via a text message to your mobile device, or a soft token such as RSA/VIP. Most financial applications support this.

 

Is this 2-step verification or something else? If it is 2-step then I already have that. Google completely failed 2-step verification twice now. Wells Fargo seems to be the only one with 2-step that works for me (I don't use it on many things, just Google and now my bank).

 

TouchID access is not a replacement for MFA, unless you have to enter your thumbprint in addition to a password. Most applications replace needing to enter the password with the touch, which can actually be less secure. A valid use of Touch ID as part of MFA is E-Trade's iOS app - after touching, you are then additionally required to enter an OTP from a token.


I don't know, I might use a password manager, I still need to think about it I guess. In reality, the only 2 things I truly care about are secure now; I recently turned on 2-step for my bank and Amazon (I have to enter a code every single time I log in). I would LOVE for my Gmail to be secure as well; however, Google doesn't want that for me obviously, otherwise I would not only be promptly alerted someone has hacked me but 2-step would also work.

 

Side note, I think the main problem I have with password managers is the ones recommended in this thread have been compromised in the past according to Google when I look them up. If they are supposed to be so secure, why are they having that problem? Also, is there anything I can do to actually make my Gmail secure?


You are not reading that wrong. Some systems store passwords in a reversible hash (bad) that can be broken/reversed. Some systems store the password in the clear on a DB (really bad) so breaking into the DB leaks all the passwords. Sometimes, it's even something more obscure, like a cookie holding a password for automatic login or the password being stored in volatile memory and malware on your host is reading the memory and extracting the password. Keyloggers can get passwords out of people who enter them manually rather than copy/paste. There's a lot of ways to get at data.

 

Two-step verification is arguably a form of MFA, provided it's doing something like texting you an access code. Simply asking you for two passwords or asking two questions isn't true MFA. Without going into the weeds on it, there are three general factors of access:

 

1. Something you know (passwords)

2. Something you have (tokens/phone PINs)

3. Something you are (biometrics/TouchID)

 

Whether you should use it or not is a matter of personal risk assessment.

 

As for GMail, they do have MFA options. Check out https://myaccount.google.com/security after you've logged in to see what you can do.

 

Lastly, before it gets lost in all this - just because there are ways to get around even the most complex password doesn't mean one shouldn't strive for that. Keep your passwords complex. Change them often (several times a year at a minimum for sensitive/financial accounts). Don't re-use passwords across sensitive accounts, but even as a security person I'll give a pass to those who want to use one password for all their forums. If you want to break into my MF account so you can log in and post on FT, be my guest, but don't expect that to get into my email, bank accounts, or credit cards.

Message 15 of 15
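The point iced makes above, that the length of the password is irrelevant once the site stores it in the clear or reversibly, can be shown directly. The following is an added illustration, not code from the thread or from any of the products named in it: it stores one constructed sample password three ways (plaintext, base64 "obfuscation", and a salted PBKDF2 hash) and simulates what a dumped user table gives away in each case. Scheme names and record formats are invented for the demonstration.

```python
import base64
import hashlib
import os
import secrets
from typing import Optional

# Constructed sample credential for the demonstration; not a real account.
USER_PASSWORD = "correct horse battery staple 22"

def store_plaintext(password: str) -> str:
    """Password stored as-is: a dump of the table hands the attacker the password."""
    return "plain$" + password

def store_reversible(password: str) -> str:
    """Reversible 'obfuscation' (base64 here): a dump is still a complete leak."""
    return "b64$" + base64.b64encode(password.encode()).decode()

def store_hashed(password: str, iterations: int = 600_000) -> str:
    """Salted, slow, one-way: PBKDF2-HMAC-SHA256 with a random 16-byte salt per user."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_hashed(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return secrets.compare_digest(digest.hex(), digest_hex)

def what_a_db_dump_reveals(record: str) -> Optional[str]:
    """Simulate the breach of the weakest site: what can be read straight off the record?
    Returns the password when the record exposes it, None when it is one-way hashed."""
    scheme, _, payload = record.partition("$")
    if scheme == "plain":
        return payload                      # 22 random characters, in the clear
    if scheme == "b64":
        return base64.b64decode(payload).decode()  # trivially undone
    return None                             # hashed: nothing to read off; only slow guessing remains

if __name__ == "__main__":
    for rec in (store_plaintext(USER_PASSWORD), store_reversible(USER_PASSWORD), store_hashed(USER_PASSWORD)):
        print(rec.split("$")[0], "->", what_a_db_dump_reveals(rec))
```

The hashed record never exposes the password, but if the same password was reused at a plaintext site, that site's dump unlocks the hashed-site account too, which is why the reuse advice above stands regardless of storage quality.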