Lesson Learned - Secure Your Logins

Growltiger

Administrator
Administrator
Joined
Apr 26, 2008
Messages
15,603
Location
Up in the hills, Gloucestershire, UK
I just finished going through that. It led me to The World's Best Password Advice:

https://www.michaelhorowitz.com/BestPasswordAdvice.php

I think that is excellent advice on managing passwords. It convinced me to give up on LastPass. I don't use it anymore anyway since I much prefer KeePassX.

So I want to get rid of LastPass. If I just drop the app in the trash does that remove it completely?
You need to delete the database too. This should help (scroll down for the Mac):
https://support.logmeininc.com/last...-lastpass-data-stored-on-my-computer-lp070008

I use KeePass as well. Good security and simple. Despite trusting it I never transfer or sync the data across the internet.
 

Butlerkid

Cafe Ambassador
Administrator
Joined
Apr 8, 2008
Messages
30,303
Location
Rutledge, Tennessee
Real Name
Karen
I just finished going through that. It led me to The World's Best Password Advice:

https://www.michaelhorowitz.com/BestPasswordAdvice.php

I think that is excellent advice on managing passwords. It convinced me to give up on LastPass. I don't use it anymore anyway since I much prefer KeePassX.

So I want to get rid of LastPass. If I just drop the app in the trash does that remove it completely?
WOW! Thanks so much for that link!!!!
 

After reading this, I will clean up a few of my passwords which are duplicates.

But, my question is.......Which browser should one use? They only talked about Chrome as being "bad". Is there a "good" browser? Should I never allow the browser to save passwords?
 

Growltiger

Administrator
Administrator
Joined
Apr 26, 2008
Messages
15,603
Location
Up in the hills, Gloucestershire, UK
I have scanned it and I don't see anything about Google Chrome itself being "bad". The weaknesses are all about plugins, permissions etc. This is why you should never allow any browser to save passwords, except passwords you don't care about in the least. That is the rule I follow. There are just too many potential vulnerabilities in browsers.

I strongly agree with him about using KeePass. I have about 600 current passwords stored in it.
 

Butlerkid

Cafe Ambassador
Administrator
Joined
Apr 8, 2008
Messages
30,303
Location
Rutledge, Tennessee
Real Name
Karen
OK
I have scanned it and I don't see anything about Google Chrome itself being "bad". The weaknesses are all about plugins, permissions etc. This is why you should never allow any browser to save passwords, except passwords you don't care about in the least. That is the rule I follow. There are just too many potential vulnerabilities in browsers.
.....I didn't understand. The extensions I have with Chrome.....are:

Ad Blocker Plus
Bookmark Sidebar
Google Docs Offline
Search Bar
Tab Activate
 
Joined
May 5, 2005
Messages
30,750
Location
SW Virginia
You need to delete the database too. This should help (scroll down for the Mac):
https://support.logmeininc.com/last...-lastpass-data-stored-on-my-computer-lp070008

The folder structure seems to be different in MacOS Big Sur from what is shown on that web page.

It's not in ~/Library/Containers/com.lastpass.LastPass/Data/Library/Application Support/LastPass/

It's in ~/Users/(username)/Library/Containers/com.lastpass.LastPass/Data/Library/Application Support/LastPass/

I guess I need to delete that whole folder.
 
Joined
May 5, 2005
Messages
30,750
Location
SW Virginia
This is why you should never allow any browser to save passwords, except passwords you don't care about in the least. That is the rule I follow. There are just too many potential vulnerabilities in browsers.

I strongly agree with him about using KeePass. I have about 600 current passwords stored in it.

So do you open KeePass every time you need to retrieve a password you don't remember?
 
Joined
Jan 13, 2006
Messages
8,119
Location
Columbia, Maryland
Real Name
Walter Rowe
I just finished going through that. It led me to The World's Best Password Advice:

https://www.michaelhorowitz.com/BestPasswordAdvice.php

I think that is excellent advice on managing passwords. It convinced me to give up on LastPass. I don't use it anymore anyway since I much prefer KeePassX.

So I want to get rid of LastPass. If I just drop the app in the trash does that remove it completely?
I have AppCleaner installed. It reads the BOM (Bill of Materials) used to install the software and removes all the cruft in hidden places. More thorough than just dragging the app to the Trash. The app stores its data somewhere and you want to make sure that is deleted too.

https://freemacsoft.net/appcleaner/
 

Growltiger

Administrator
Administrator
Joined
Apr 26, 2008
Messages
15,603
Location
Up in the hills, Gloucestershire, UK
So do you open KeePass every time you need to retrieve a password you don't remember?
I have it open on my computer, and it locks after a certain time that I set, or I can lock it instantly. That way it only takes a moment to enter the password to open it.

Just in case I need it when I don't have a computer, I also have it on my phone, so I can always look things up. It's called KeePass2 Android. There are versions of KeePass for pretty much every platform, and the databases are all compatible. I have also used KeePassX on my Mac and it was happy to work with the same database.

I hold more than just passwords in it. It has reminders of how to access various systems as well. They are in categories like Computers, Finance, General, Internet.
I have a category called "Other people". That has an entry for each local person I help, so each entry will have info about various accounts they have that they need help with. For example how they can order a repeat prescription online when they can't make it work on their iPad (real example).
 
Joined
May 5, 2005
Messages
30,750
Location
SW Virginia
A few thoughts about password formulas:

1) Many web sites have minimum requirements for passwords: at least one UC and one LC letter, one number, and one non-alphanumeric character;

2) Some web sites or e-mail services require that passwords be changed annually;

3) Are blank spaces allowed in passwords?

#1 is fairly easily satisfied through one's choice of the root word and suffix. To satisfy #2, I plan to incorporate the year number in my scheme so it can be easily changed and remembered annually. As for #3, I know that is allowed by some services, but possibly not by others, so I guess I will avoid it. (I do use spaces in my KeePass master PW. I think spaces make it harder to crack.)
 

Growltiger

Administrator
Administrator
Joined
Apr 26, 2008
Messages
15,603
Location
Up in the hills, Gloucestershire, UK
A few thoughts about password formulas:

1) Many web sites have minimum requirements for passwords: at least one UC and one LC letter, one number, and one non-alphanumeric character;

2) Some web sites or e-mail services require that passwords be changed annually;

3) Are blank spaces allowed in passwords?

#1 is fairly easily satisfied through one's choice of the root word and suffix. To satisfy #2, I plan to incorporate the year number in my scheme so it can be easily changed and remembered annually. As for #3, I know that is allowed by some services, but possibly not by others, so I guess I will avoid it. (I do use spaces in my KeePass master PW. I think spaces make it harder to crack.)
1) All mine have UCs, LCs and numbers, all my important ones (ones that matter) have special characters as well.

3) I think it simplest to avoid spaces, they can lead to trouble in some cases such as when you see them expressed as %20. There is nothing special about them and there are so many fun characters to choose from instead - I won't tell you my favourites but they are somewhere in this lot:
¬ ` " $ % ^ & * ( ) - _ = + [ ] { } ; ' # : @ ~ \ | , . / < > ?
 

Growltiger

Administrator
Administrator
Joined
Apr 26, 2008
Messages
15,603
Location
Up in the hills, Gloucestershire, UK
Any reason not to use special characters like the degree symbol......other than several keystrokes are required to create it?
The characters you can be fairly certain will be accepted are the original ASCII character set:
1630156837312.png


You may get away with also using the second half, with the extended characters, and this includes the degree symbol, here is the whole lot:

1630156558190.png


All of the above are represented internally by one byte per character.

But where you are far more likely to run into trouble is if you start using other symbols which are from the Unicode character set, where each character is represented by two bytes.

Unicode is a most wonderful thing, a massive database of every symbol ever used by humans, with every language ever used included in it. Plus lots of useful symbols and the entire collection of emojis. It is one of the finest examples of international cooperation and standardisation. If you write a document encoded with Unicode, it will appear the same on every device in the world that supports Unicode, without any of the characters being changed. Many of the fonts used in Word, for example, contain large portions of the Unicode character set. So you can use hieroglyphs for example.

The full answer is that it entirely depends on the programming of each individual website or program. I stick to what I know works.
 

Butlerkid

Cafe Ambassador
Administrator
Joined
Apr 8, 2008
Messages
30,303
Location
Rutledge, Tennessee
Real Name
Karen
The characters you can be fairly certain will be accepted are the original ASCII character set:
View attachment 1688342

You may get away with also using the second half, with the extended characters, and this includes the degree symbol, here is the whole lot:

View attachment 1688341

All of the above are represented internally by one byte per character.

But where you are far more likely to run into trouble is if you start using other symbols which are from the Unicode character set, where each character is represented by two bytes.

Unicode is a most wonderful thing, a massive database of every symbol ever used by humans, with every language ever used included in it. Plus lots of useful symbols and the entire collection of emojis. It is one of the finest examples of international cooperation and standardisation. If you write a document encoded with Unicode, it will appear the same on every device in the world that supports Unicode, without any of the characters being changed. Many of the fonts used in Word, for example, contain large portions of the Unicode character set. So you can use hieroglyphs for example.

The full answer is that it entirely depends on the programming of each individual website or program. I stick to what I know works.
Thanks, Richard. I have always used the degree and copyright symbols. But I noticed that one of your special characters is from the second set, and didn't know how to create it. So a little research did the trick, but caused me to ask about other symbols in the second half above! LOL!
 
Joined
Jan 13, 2006
Messages
8,119
Location
Columbia, Maryland
Real Name
Walter Rowe
Thanks, Richard. I have always used the degree and copyright symbols. But I noticed that one of your special characters is from the second set, and didn't know how to create it. So a little research did the trick, but caused me to ask about other symbols in the second half above! LOL!
My rule of thumb is if I can type it with or without the SHIFT key, it is likely acceptable. Some password change forms have input validation that will limit it further (like SHIFT+top row numbers and punctuations, but perhaps not curly / square braces, forward and back slash, less / greater than, etc).
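
An added example, not part of any post in this thread: it sorts a password's characters into the groups discussed above (keyboard-typeable ASCII, the "second half" with the degree symbol, and the rest of Unicode) and counts how many different byte strings, and therefore different hashes, one password can turn into depending on how a site encodes it. The function names and sample passwords are constructed for illustration, and SHA-256 only stands in for whatever hash a site actually uses.

```python
import hashlib
import unicodedata

ORDER = ["ascii", "latin1", "other"]  # most portable first

def classify(ch):
    """Bucket one password character by how widely it is likely to be accepted."""
    cp = ord(ch)
    if 0x20 <= cp <= 0x7E:
        return "ascii"   # printable ASCII: the same single byte in every common encoding
    if 0xA0 <= cp <= 0xFF:
        return "latin1"  # "second half": one byte in Latin-1, two bytes in UTF-8
    return "other"       # rest of Unicode, or a control character

def encodings(password):
    """Byte strings that differently programmed systems could derive from one password."""
    out = {}
    for form in ("NFC", "NFD"):  # composed vs decomposed accents
        out["utf-8/" + form] = unicodedata.normalize(form, password).encode("utf-8")
    try:
        out["latin-1"] = password.encode("latin-1")
    except UnicodeEncodeError:
        pass  # at least one character has no Latin-1 representation
    return out

def distinct_hashes(password):
    """Number of different digests those byte strings produce (illustrative hash only)."""
    return len({hashlib.sha256(b).hexdigest() for b in encodings(password).values()})

def report(password):
    """Return (least portable character class present, number of distinct digests)."""
    worst = max((classify(c) for c in password), key=ORDER.index, default="ascii")
    return worst, distinct_hashes(password)

if __name__ == "__main__":
    # Constructed sample passwords, not taken from the thread.
    for pw in ["Hills-2021!", "Caf\u00e9 25\u00b0C", "p\u00e4ss\u2713"]:
        print(repr(pw), report(pw))
```

A result of 1 means every encoding agrees, so the password verifies the same way everywhere; anything higher means a login form, mobile app or password-change page that encodes differently from the one where the password was set can reject a correctly typed password.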
 
