Russian hackers steal 1.2 billion usernames, passwords: are you affected?

Some of those ‘tertiary’ accounts are relatively benign if they get owned. But you and I are in similar positions, our password/key database is effectively a ‘bearer token’, so the implications of that (for me at least) are if my gmail account gets compromised, or my dropbox account gets compromised then I could be in trouble. Or, if enough hints about my recovery questions are mined from secondary accounts, this could happen http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

so no, i am not going to worry about my eGullet account or the 70’s muscle car forum i have an account on either. but my gmail password sure has changed 🙂

mofing MS

I had to set up a Win8 machine for the guy I work for, and it asked for his fucking phone number. Phone number. To switch the computer on. Phone. Number.

Simple question: How much is two-factor auth helping to mitigate these problems? And like @japhroaig, I think the username/pwd process has become far too easy to crack.


uhm, they have had them for seven months. So unless you just change every password you have every month. Yes.

Unless your password is “password” or some such stupid thing the most common hack I hear about is folks just stealing password data, so if your password is impossible to remember or guess it really only makes your life harder and not criminals…

Frankly, I think even identity thieves use the questions to break your password more than password guessing.

My guess is that it’s best to keep your passwords easy to remember. Rotate email and any financial related passwords with some frequency and without overlap to lower security passwords and set all your recovery questions to some insane impossible to guess set of random numbers and letters.

Do you worry about Keepass being compromised and having all your eggs in that one basket?

unless you’re being hunted by the mafia, a safe is probably overkill. i just keep mine in my wallet. (except for “one weird trick” which makes it a little bit harder.)

the back of a filing cabinet is just fine for most people.


“are you affected?”
Am i affected?
AM I affected??!?!?!!!
You imply that you’re going to provide an answer!
How do I find out???

sure, but that takes either breaking three 16-24 char passwords and two layers of AES, stealing my laptop while cryogenically freezing the RAM, or a previously unknown vulnerability in AES. It would be muuuch easier just to continually hit me with a hammer while asking, “what’s your password” 🙂

no doubt. it’s so much better than weak passwords it is a shame that the practice was laughed at for so long.

Send me your username & password and I’ll check for you.


or password re-use. once i had two accounts compromised due to database hacks i had no control over, i started thinking. the idea of not writing down passwords came from the office environment, where most computer security is. of course it’s a bad idea (at least sort of) there, because coworkers (or even industrial spies) can find your post-it notes.

however nowadays the threat comes from database compromises by anonymous attackers, the analogue of a smash-and-grab rather than an inside operation, and so password reuse is the bigger threat. there’s practically no danger in writing down your instagram password and putting it in your wallet. if your wallet is stolen, 1) who cares about the instagram password and 2) the thief is probably not savvy enough to use it anyway.


If password data is stolen from a site that used salted hashes as it should, it is much, much easier to decrypt short, common passwords than long, uncommon ones. If some dipshit was storing your password in plaintext, you’re screwed either way, but otherwise complex passwords are definitely not useless.

Also, I think you may not be clear on how LastPass works. I don’t have to remember any of my 200+ individual passwords, I just have to remember my single LastPass password. Therefore, there’s no reason not to use large, unique, high-entropy passwords for individual sites.

Of course, if LastPass gets hacked I am completely fucked, but they take their security extremely seriously (as they should!) and are pretty open about what they use and how they audit it. I’m confident that they’re as secure as anything is.
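An added example, not posted by anyone in this thread, showing the point above about salted hashes: a password record built with PBKDF2 and a per-user random salt (a constructed toy store, not any site's real code), a check that two users with the same password get different records, and a rough guess-space comparison between a short lowercase password and a long random one.

```python
import hashlib
import hmac
import math
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256; a real deployment tunes this to its hardware.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest (all hex)."""
    salt = salt if salt is not None else os.urandom(16)  # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def salts_defeat_precomputation(password: str) -> bool:
    """Same password, two users: the records differ, so one precomputed table
    cannot be reused across the whole leaked database."""
    return hash_password(password) != hash_password(password)


def guess_space_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a given (constructed) attacker rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record)
    print(verify_password("hunter2", record), verify_password("hunter3", record))
    # 8 lowercase letters vs 20 printable-ASCII characters, at a constructed 1e9 guesses/s
    for length, alphabet in ((8, 26), (20, 95)):
        bits = guess_space_bits(length, alphabet)
        print(f"{length} chars / {alphabet} symbols: {bits:.1f} bits,"
              f" {years_to_exhaust(bits, 1e9):.3g} years")
```

The short password falls in minutes at that rate; the long one does not, which is exactly why the salt plus a slow hash only protects the passwords that were not guessable to begin with.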

newb hunter2

Actually, I have one password that I recycle for one-shots. I am fully aware that if it is cracked, then the other sites with my CrapWord are then open to someone spoofing me, but these are the fringe sites. No personal information at all is involved, and if I do move deeper into that site, then I replace the CrapWord with a PasswordCardWord.

Interesting. But if you ever sit down at another person’s computer or want to log on from your phone doesn’t that put you in the camp of having to write down passwords?

One strategy I read about was to use the same password but add the name of the company (or site) as a suffix. Maybe not too much harder to guess, but it typically adds 8-12 characters to the password length.

For one thing, you can log into your LastPass account through any web browser and copy-paste the relevant passwords. There’s an Android version if you want to use it on your phone, although it’s not free like the desktop version. There’s really only a couple of sites that I log into on my phone, and I’m kind of uncomfortable having even brief access to my entire global password store on something so stealable, so I just entered them each by hand once and had the browser save them.

As for “someone else’s computer,” aside from logging into the LastPass website and copy-pasting, I carry a laptop and a phone with wireless tethering pretty much everywhere. I don’t really have any reason to need to use someone else’s machine.

Given how awful nearly everyone I know, and probably all the people I’ll ever meet are at even basic security, I wouldn’t log onto anything I gave a shit about on other peoples’ machines anyway.
