Differences

This shows you the differences between two versions of the page.

--- security_presentation [2021.12.02 16:09] – [Remembering Passwords and Associated Issues] Steve Isenberg
+++ security_presentation [2025.02.25 15:43] (current) – [Caveat] Steve Isenberg
@@ Line 1: / Line 1: @@
-~~NOCACHE~~ <fc #a0a0a0><fs small>This page last changed ~~LASTMOD~~</fs></fc>
+~~NOCACHE~~ <fc #a0a0a0><fs small>[This page last changed ~~LASTMOD~~;
+visits {{counter|today| time| times}} today, {{counter|yesterday| time| times}} yesterday, and {{counter|total| time total| total times}}]</fs></fc>
 We all have bank accounts, credit cards, insurance policies,
 healthcare accounts, the list goes on.  Many are online. There are so
-many of these, each with its URL to go to for access, phone numbers,
+many of these to remember, the URL to go to for access, phone numbers,
-account numbers, and requiring a password to access--one that is
+account numbers, and an access login and password--preferably one that is
-complex and hard to guess.  The challenge is how do you keep track of
+complex and hard to guess.
+The challenge is how do you keep track of
 all of this information in a way that is secure, yet easy to access,
 that's stored in multiple locations so it's unlikely to get lost, and
 that you can make available to your next-of-kin if necessary?
 We will discuss a solution that your presenter uses to solve all of
 these challenges in a cost affordable--free--way.
@@ Line 29: / Line 33: @@
   * (Can you think of others?)
-How long to crack: From [[https://www.komando.com/security-privacy/check-your-password-strength/783192/|Kim Komando]]
+Recent from WikiHow: [[https://www.wikihow.com/Guess-a-Password]]
+Gives a set of steps to follow to guess someone's password.
+  - Figure out the password requirements for the site or app
+  - Ask for a hint or security questions (the "hint" may be easy to guess)
+  - Check the list of easy-to-remember passwords
+    - like: 123456, 123456789, Qwerty, Password, Pa$$w0rd, Qwerty123, Iloveyou, etc
+  - Phone screen passwords may be easy to guess (123456, 147258, etc)
+  - Names of family members and pets
+  - What you know about the target's interests (Golfpro, Mathwhiz, etc)
+  - Significant numbers and dates
+    - like: address, birth/marriage/etc dates, lucky numbers, graduation date
+  - Reverse or change the letters
+    - Adlihnurb, tsorfmada
+    - Substituting $ for s, 0 for o, 3 for e, 1 for i, etc  (P@$$w0rd, w1k1h0w)
+  - If you have access to their machine, check for saved passwords in Browsers
+How long to crack: From [[https://www.komando.com/security-privacy/check-your-password-strength/783192/|Kim Komando]] March 2021
 ^Length^numbers only^lowercase letters^U/L letters^Numbers, U/L^Numbers, U/L, Symbols^
 |10|instantly|58 min|1 month|7 months|5 years|
@@ Line 59: / Line 79: @@
 ====Remembering Passwords and Associated Issues====
-|Method|Plusses|Minuses|
+^Method^Plusses^Minuses^
-|Piece of paper|Free, flexible|Loss. Smudges/can't read writing. Processed by washing machine. Someone else can get. You create passwords.|
+|Piece of paper|Free, flexible|Loss. Smudges/can't read writing. Processed by washing machine. Someone else can get. You create the passwords.|
-|Sticky note attached to computer|Free|Can be seen or stolen by others. Fall off/loss. Smudges/can't read writing. Only available on computer its posted. You create passwords.|
+|Sticky note attached to computer|Free|Can be seen or stolen by others. Fall off/loss. Smudges/can't read writing. Only available on computer its posted. You create the passwords.|
 |Spreadsheet|Free, flexible|Where do you store it. Overwrittenable by accident. You create passwords.|
-|Password Manager|Free, or paid. Can produce good passwords|Where are passwords stored. Possible breech if stored online. Loss or theft if stored in thumb drive or your computer.|
+|Password Manager|Free, or paid. Can produce good passwords in one spot. Backupable.|Where are passwords stored. Possible breech if stored online. Loss or theft if stored in thumb drive or your computer.|
+or there's this option,\\ credit to John McPherson of [[http://closetohome.com|Close to Home]]:\\
+{{:20211202solution.jpg?direct&500|}}
 ====How to create hard-to-guess passwords====
-If a human is going to guess the password then make it unhuman.  Consider: a password "safe".  Here are some free alternatives.  From [[https://www.techradar.com/news/software/applications/the-best-password-manager-1325845|Tech Radar, The best free password manager 2019]] with updates I took from the application sites 20211129\\
+If a human is going to guess the password then make it unhuman.  Consider: a password "safe".  Here are some alternatives, many are free or have free options.\\
-Also see [[https://www.pcmag.com/roundup/331555/the-best-free-password-managers|PC Magazine's picks]]\\
+You can also do a DuckDuckGo (or Google if you're still using Google) search for "Best Password Managers" and look for those with recent information.
-Do a DuckDuckGo (or Google if you're still using Google) search for "Best Password Managers" and look for those with 2020 or 2021 information.
-All offer unlimited login and text note storage in a secure vault protected by your master password, and can generate (and store) strong passwords.
+//All of these offer login and text note storage in a secure vault protected by your master password, and can generate (and store) strong passwords.//
+//Following data updated 2/25/2025.  There are MANY other options, these are a few.  You should study all of the features and drawbacks of any option you consider or select as information may change.//
 ^Manager^Free version.  ^Paid version.  ^Cost.  ^platforms^
-|[[https://www.lastpass.com/|www.lastpass.com]] |Access on one device type |1GB Secure cloud storage\\ Multi Factor Authentication\\ Contingency plan (loved one access in emergency) |Free for one device type; $3/month 1 user, $4/month 6 users (group and share items, family manager)|Win, Mac, Linux, Mobile|
+|[[https://www.lastpass.com/|www.lastpass.com]] |Access on one device type (computer or mobile) |1GB encrypted cloud storage\\ Multifactor Authentication (MFA)\\ Contingency plan (loved one access in emergency) |Free for one device type; $36/yr 1 user, $48/yr 6 users (group and share items, family manager)|Browser based. Win, Mac, Linux, Mobile|
-|[[https://www.dashlane.com/|www.dashlane.com]]|Up to 50 passwords, one device|unlimited passwords, unlimited devices, 1GB max| $4.99/mo billed annually, multiple accounts $7.49/mo billed annually|Win, Mac, iOS, Android|
+|[[https://www.dashlane.com/|www.dashlane.com]]|One device, secure sharing|unlimited devices, 1GB max, VPN| Free (1 device, 25 passwords); $48/yr (many devices, passwords, and passkeys)|Browser based.  Win, Mac, iOS, Android|
-|[[https://keepersecurity.com|keepersecurity.com]]|access on one device|unlimited device access|$2.91/month, $34.99 annually|Mac, Windows, Linux, iOS, Android|
+|[[https://keepersecurity.com|keepersecurity.com]]|no free option|(Personal) no limits on storage, devices, sharing; (family) 5 vaults, 10GB secure storage|Personal $35/yr, Family $75/yr|App: Mac, Windows, Linux, iOS, Android; Browser extension|
-|[[https://www.roboform.com/lp?frm=everywhere-offer&rec=TechRadar&dc=TR30&affid=a6277|www.roboform.com]]| |sync across devices, cloud backup, web access, all cost|<del>$23.88</del>$16.68/1yr, <del>$71.64</del>$45.14/3yr, <del>$119.40</del>$69.60/5yr|Windows, Mac, iOS, Android, Linux, Chrome OS|
+|[[https://www.roboform.com|www.roboform.com]]|one device |sync across devices, cloud backup, web access. Family plan is 5 users.|website lists prices in Pounds.\\ Personal: $16.68/1yr, $45.14/3yr, $69.60/5yr\\ Family: $33.40/1yr, $90.20/3yr, $139.30/5yr|Windows, Mac, iOS, Android, Linux, Chromebook, Browsers|
-|[[https://bitwarden.com/|bitwarden.com]]|* passwords file kept online\\ *<fs small>(but you can install it on your own server)</fs>\\ *one file, share w/another | 1GB encrypted storage | $10/yr one user, $39.96/yr up to 6 users |Windows, Mac, Linux, iOS, Android|
+|[[https://bitwarden.com/|bitwarden.com]]|Unlimited pw, passkeys, devices | 2FA, emergency access, share w/1-6 people | $10/yr one user, $40/yr up to 6 users |Windows, Mac, Linux, iOS, Android, Browsers|
-|[[https://keepass.info/|keepass.info]]|* Can run from USB\\ * Many customizable options\\ * A little intimidating? You judge.|FOSS((FOSS=Free, Open-Source Software)) - there is no paid version -- all features in free version\\ Many ports, with different features and UI|Note, no cost. Does not provide place to store the Password Safe, that's up to you|Windows, Android, iPhone/iPad, Mac, Chromebook, Blackberry, Linux, and more|
+|[[https://1password.com/]]|no free version, only paid, 2wk free trial|unlimited pw & devices, 1GB storage, 2FA.|Individual: $36/yr, Families (5 family members): $60/yr|Mac, Win, Linux, iOS, Android, Browsers|
+|[[https://nordpass.com/]]|unlimited pw, notes also, credit cards|emergency access, multiple device access |Premium $20/yr, Family (6 accts) $44/yr|Win, Mac, Linux, Android, iOS, Browsers|
+|[[https://keepass.info/]]\\ [[https://keepassxc.org/download/|KeePassXC]]|* Can run from USB\\ * Many customizable options\\ * A little intimidating? You judge.|FOSS((FOSS=Free, Open-Source Software)) - there is no paid version -- all features in free version\\ Many ports, with different features and UI|Note, no cost. Does not provide place to store the Password Safe, that's up to you|Windows, Android, iPhone/iPad, Mac, Chromebook, Blackberry, Linux, and more|
+KeePassXC is a KeePass port, see Tech Radar's review: [[https://www.techradar.com/reviews/keepassxc]]. It's free but accepts donations.
+Refs:
+  * [[https://www.techradar.com/news/software/applications/the-best-password-manager-1325845|Tech Radar, The best free password manager 2019]]
+  * [[https://www.pcmag.com/roundup/331555/the-best-free-password-managers|PC Magazine's picks]]
+  * [[https://www.pcmag.com/picks/the-best-password-managers]]
+  * [[https://www.cnet.com/tech/services-and-software/best-password-manager/]]
+  * [[https://www.techradar.com/best/password-manager]] a good site for reviews of offerings
+  * [[https://www.techradar.com/reviews/keepassxc]] TechRadar's review of KeePassXC
+====My Recommendations====
+If you're looking for a fast answer...here's my thoughts
+  - KeePass on iCloud or Box.  (You're in full control of your passwords and who can see them and are relatively immune to data breaches.)
+    * You need to be willing to learn to use KeePass and set up cloud storage.
+  - BitWarden.  Free version is a good solution and it's turnkey.
+    * Possibility of a breach, see 'Caveat' below.
+I am interested in your thoughts on these, and other, possibilities you like!
 ====Caveat====
@@ Line 90: / Line 132: @@
 ====What I do====
 //These are my practices for your information. You should make a decision that's best for you.//
-  * KeePass on multiple devices
+  * Use KeePass application on multiple devices
+    * On MacBook: KeePassXC
+    * On iPhone and iPad: KeePass Touch
+    * On Android:
+    * On Windows: KeePassXC
   * Store password file in iCloud
-  * Copy password file to local Documents on each device
+  * Copy password file to local Document storage on each device (so it's available when there's no internet)
-  * Copy password file to Dropbox, pCloud
+  * Copy password file to Box (free cloud storage) and Dropbox, for redundancy.
+To note:
+  * KeePassXC updates the iCloud version whenever I make a change
+  * On iPhone and iPad I need to download a latest version of password file
+  * I added an entry in the password file that tracks latest changes (so I can tell if I have the latest on a given device)
 Benefits:
   * Free
+  * Available on all my devices
   * One password to remember
-  * I can use long and complex passwords
+  * I can use long and complex passwords (and KeePass helps me create them and tells how secure they are)
+  * Can keep a history of past passwords
+  * I can store other information in the vault, like those recovery passwords "what's your father's middle name" so I can use a fake un-guessable answer
 Using a password manager:
-    * you can create quite long and complex passwords
+    * easy to create long and complex passwords
+    * you can use long and complex passwords
     * you can create secure passwords and not have to remember all of them
     * you only have to remember One password
+    * you can store your password file encrypted in multiple places including USB drives so it's unlikely to be lost
     * you have all of your important access information in one spot, the encrypted file
-      * (your next of kin would likely find this useful)
+      * //your next of kin would likely find this useful//
 ====More About KeePass====
 //Note that many of these features can be handled/provided by other password manager software, free and at cost//
@@ Line 120: / Line 176: @@
     * These are all available to download from keepass.info
-===My history with KeePass and password managers===
+===My history with passwords and password managers===
-  * At first, password database on USB stick
+  * At first, one password for all sites
-    * Copy it to/from any computer I'd use
+    * Turns out, it was easy to guess!
+  * Then
+    * Password database on USB stick
+    * Copy database to/from any computer I'd use
     * Not possible on smartphone (and I didn't have one)
     * Risk: loss of USB stick, loss of database synch
   * Then, use Dropbox to hold database
-    * Password control to Dropbox
     * In the cloud, can access from many devices (as I now had a smartphone)
+    * Two levels security: need password to access Dropbox, need password to access Password DB
   * Then Dropbox restricted free access to max 3 devices
-    * So I switched to iCloud, as 5GB free [note, my database is 350KB]
+    * As I have more than 3 devices, I had to seek alternatives
-    * After a change(s), copy DB from iCloud to other places
+    * So I switched to iCloud, as 5GB is free [note, my database is ~350KB]
+    * Most recent version on iCloud
+    * For redundancy, after I make a password DB change(s), I copy DB from iCloud to other places
       * local Documents directory
       * Clouds: Dropbox, pCloud
+    * I share password DB with wife via pCloud
   * I use a DB entry to log changes
-    * Last changed 20211201.2007 (Dec 2, 2021, 8:07pm)
+    * "Last changed 20221009.1817" meaning October 9, 2022 at 6:17pm
-    * Enter change(s) made, eg: "1201: updated CCS entry, new password Kohls"
+    * Enter change(s) made, eg: "0921: updated CCS entry, new password Kohls"
+    * This I do manually
     * Helps me synchronize databases
   * I use KeePass application to create new entries and login passwords
     * Passwords typically 14+ characters (upper/lower case and numbers)
-    * KeePass tells me if a password is/isn't secure
+    * KeePass tells me how secure a given password is
 Here is a possible password I might use: ''cqLbq2NHcuNmgU'' -- 14 characters, upper and lower case letters, and at least one number.  This one has entropy 82.06 which is deemed "good".
 Another: ''M6dehfJRn7dz7lM82K'' 18 characters with entropy 101.60 and is deemed "excellent" by KeePass.
+By comparison
+|password|entropy 1.00|
+|Password|entrypy 2.00|
+|P@$$w0rd|entropy 3.58 (and P@$$w0 has entropy 16.80 !)|
 //There are other capabilities of a KeePass password manager, such as autofill (it'll copy and enter passwords for you) and URL entry (it'll type your site's URL into your browser), and more; but I do not have experience with these.//
+====Next: Live demo of KeePass====
+on smi macbook
+  * open, select PasswordExample.kbdx pw=1234
+  * Save as CSV and look
+  * Save as HTML and look
+  * Database>Reports
+====Questions and Answers====
+----
 ====References====
@@ Line 161: / Line 241: @@
   * [[https://www.komando.com/security-privacy/check-your-password-strength/783192/]]
   * [[https://www.komando.com/safety-security-reviews/creating-the-best-passwords/592778/]]
+  * [[https://www.cnet.com/tech/services-and-software/dont-put-your-online-security-at-risk-get-a-password-manager-now/]]
-<fc #a0a0a0><fs small>[{{counter|today| time| times}} today, {{counter|yesterday| time| times}} yesterday, and {{counter|total| time total| total times}}]</fs></fc>