Differences

This shows you the differences between two versions of the page.

--- security_topics [2020.12.22 11:01] – [Care and Maintenance of Secure Passwords] Steve Isenberg
+++ security_topics [2021.12.22 10:51] (current) – external edit 127.0.0.1
@@ Line 1: / Line 1: @@
+~~NOCACHE~~
 This is a work-in-progress.  If you have suggestions on what to cover (and/or what not to discuss) please let Steve know.\\
-Version 20190817.0930
+<fc #a0a0a0><fs small>This page last changed ~~LASTMOD~~</fs></fc>
+Overview
+We all have bank accounts, credit cards, insurance policies, healthcare accounts, the list goes on.  Many are online. There are so many of these, each with its URL to go to for access, phone numbers, account numbers, and requiring a password to access--one that is complex and hard to guess.  The challenge is how do you keep track of all of this information in a way that is secure, yet easy to access, that's stored in multiple locations so it's unlikely to get lost, and that you can make available to your next-of-kin if necessary?
+We will discuss a solution that your presenter uses to solve all of these challenges in a cost affordable--free--way.
+====Summary, or How I Secure and Use Secure Passwords====
+For what it's worth, I use KeePass and on multiple devices.  I will summarize below.  Note, there are no costs (to purchase or recurring) for any of the following (further down on the page some items may have a cost and it is noted).  //These are my practices and I'm only putting them here for readers to consider when setting up their database security system. You should do what you feel is best for you.//\\
+The major benefit for using a password manager are: (1) You only have ONE password to remember, and (2) You can use Long, Complex, and Hard-to-guess passwords
+  - KeePass refers to both (a) an encrypted database holding information and (b) the name of one application that can access the database.
+  - A KeePass //database// can hold
+    - Logins and password
+    - Other information you feel useful, such as: Social Security numbers, Secret passwords (answer to "what was your first dog's name"), telephone numbers
+    - Past passwords.  Date you started to use a given password.
+    - And all of the data in the database is encrypted.
+  - There are many applications that can access a KeePass database, and the same database can be accessed from each of them.  You choose one that is available and that you find works for you.
+    - On my iPhone, I use or have used: KeePass Touch, KeePassium, MiniKeePass
+    - On Windows (a while ago) I was using KeePass2
+    - On Mac OSX I'm using KeePassXC
+  - When I first started using KeePass, I would keep the database on a USB stick and copy it to/from any computer I was using to access/modify the database.  The risk of course is that the database might differ on different machines or that I might misplace the USB stick.
+  - Then I started using Dropbox to hold the database.  This way I could access the KeePass database from any machine or phone that could access Dropbox.
+  - Then Dropbox started restricting free use to 3 devices.  Then I switched to storing it on iCloud, and periodically copy it from iCloud to: Dropbox, pCloud, and into the Documents directory on the machine I'm using.
+  - I have an entry in KeePass with a name I modify that indicates the last important change I've made to the database.
+    - For example: "Last Changed 2021 1202.1003" so I know the last change was December 2, 2021 at 3 minutes after 10.
+    - This way I can see how current a database is on the other devices and determine whether I need to update it on that device.
+  - I use the KeePass application to create new entries and especially passwords for logins.  My passwords are typically 14 characters or longer (upper/lower case and numbers) and the KeePass application considers them secure.
+    * Here is a possible password I might use (and it's one I am not using): ''cqLbq2NHcuNmgU'' -- 14 characters, upper and lower case letters, and at least one number.  This one has entropy 82.06 which is "good".
+    * This one: ''M6dehfJRn7dz7lM82K'' 18 characters with entropy 101.60 and is considered "excellent".
+    * Using a password manager you can create quite long passwords
+    * Using a password manager you can create secure passwords and not have to remember all of them
+    * Using a password manager you have all of your access information in one spot, the encrypted file
+      * (your next of kin would likely find this useful)
+//There are other capabilities of a KeePass password manager like autofill (it'll copy and enter passwords for you) and URL entry (it'll enter your site's URL into your browser), and more; but I do not have experience with these.//
 ====Care and Maintenance of Secure Passwords====
 The idea for this started when I heard that someone had someone access their Facebook page.  It's possible this happened because Facebook passwords were stolen but it's also that the password was guessed.  Let's explore ways that passwords are compromised and how to protect your passwords without causing unnecessary effort on your part.
@@ Line 19: / Line 52: @@
   * The password is stolen from a company
-How long does it take to crack a password?  (From [[https://keithieopia.com/post/2017-12-13-passwd-crack-time/|link]])
+How long does it take to crack a password?  (From [[https://keithieopia.com/post/2017-12-13-passwd-crack-time/|Keithieopia 2017 link]])
 ^Length^A-Z,a-z,0-9^with special chars @#$%& etc^
 |9 characters|2 minutes|2 hours|
@@ Line 26: / Line 59: @@
 |12 characters|1 year|2 centuries|
 |13 characters|64 years|really long time|
+or this from [[https://www.komando.com/security-privacy/check-your-password-strength/783192/|Kim Komando]]
+^Length^numbers only^lowercase letters^U/L letters^Numbers, U/L^Numbers, U/L, Symbols^
+|10|instantly|58 min|1 month|7 months|5 years|
+|11|2 secs|1 day|5 years|41 years|400 years|
+|12|25 seconds|3 weeks|300 years|2000 years|34k years|
+|13|4 mins|1 year|16k years|100k years|2m years|
+|14|41 mins|51 years|800k years|9m years|200m years|
+|15|6 hrs|1k years|43m years|600m years|15 bn years|
+Yes, there are differences in time to crack, but the key is that it's best to do a 14-character mix of upper/lower letters and numbers.
 You should assume that the attacker knows a lot about you: e.g., Facebook.  Guessable things like the following have no business being in your password (or as one the answer to any of your recovery questions:
@@ Line 36: / Line 81: @@
 ===How to protect your password===
   * Change it often
-  * Make it hard to guess - upper and lower chars, digits, special chars. 12 or 13 characters long.
+  * Make it hard to guess - upper and lower chars, digits, special chars. 14+ characters long.
-  * Watch the news for breaches and change password [This spelling correction for breach courtesy of Carol Levine)
+  * Watch the news for company security breaches and change password
 ===How to create hard-to-guess passwords===
-If a human is going to guess the password then make it unhuman.  Consider: a password "safe".  Here are some free alternatives.  From [[https://www.techradar.com/news/software/applications/the-best-password-manager-1325845|Tech Radar, The best free password manager 2019]]\\
+If a human is going to guess the password then make it unhuman.  Consider: a password "safe".  Here are some free alternatives.  From [[https://www.techradar.com/news/software/applications/the-best-password-manager-1325845|Tech Radar, The best free password manager 2019]] with updates I took from the application sites 20211007\\
-Also see [[https://www.pcmag.com/roundup/331555/the-best-free-password-managers|PC Magazine's picks]]
+Also see [[https://www.pcmag.com/roundup/331555/the-best-free-password-managers|PC Magazine's picks]]\\
+Do a DuckDuckGo (or Google if you're still using Google) search for "Best Password Managers" and look for those with 2020 or 2021 information.
 All offer unlimited login and text note storage in a secure vault protected by your master password, and can generate (and store) strong passwords.
-^Manager^Free version.  ^Paid version.  ^Cost.  ^
+^Manager^Free version.  ^Paid version.  ^Cost.  ^platforms^
-|[[https://www.lastpass.com/|LastPass]]|Access on all devices via their website |1GB Secure cloud storage\\ Multi Factor Authentication\\ Contingency plan (loved one access in emergency) |$3/month 1 user, $4/month 6 users (group and share items, family manager)|
+|[[https://www.lastpass.com/|LastPass]]|Access on one device type |1GB Secure cloud storage\\ Multi Factor Authentication\\ Contingency plan (loved one access in emergency) |Free for one device type; $3/month 1 user, $4/month 6 users (group and share items, family manager)|Win, Mac, Linux, Mobile|
-|[[https://www.dashlane.com/|Dashlane]]|Up to 50 passwords|unlimited passwords| $4.99/month billed annually|
+|[[https://www.dashlane.com/|Dashlane]]|Up to 50 passwords|unlimited passwords| $2.99/mo billed annually, two devices\\ $4.99/mo billed annually, unlimited devices|Win, Mac, iOS, Android|
-|[[https://keepersecurity.com|Keeper Security]]|access on one device|other features (dark web, etc) cost/month|$2.50/month, $29.99 annually|
+|[[https://keepersecurity.com|Keeper Security]]|access on one device|unlimited device access|$2.91/month, $34.99 annually|Mac, Windows, Linux, iOS, Android|
-|[[https://www.roboform.com/lp?frm=everywhere-offer&rec=TechRadar&dc=TR30&affid=a6277|RoboForm]]| |sync across devices, cloud backup, web access, all cost|$99.50/5 years|
+|[[https://www.roboform.com/lp?frm=everywhere-offer&rec=TechRadar&dc=TR30&affid=a6277|RoboForm]]| |sync across devices, cloud backup, web access, all cost|$23.88/1yr, $64.44/3yr, $99.50/5yr|Windows, Mac, iOS, Android, Linux, Chrome OS|
-|[[https://keepass.info/|KeePass Password Safe]]|* Can run from USB\\ * Many customizable options\\ * A little intimidating? You judge.|FOSS - there is no paid version -- all features in free version\\ Many ports, with different features and UI|Note, no cost. Does not provide place to store the Safe, that's up to you|
+|[[https://bitwarden.com/|BitWarden]]| passwords file kept online\\ <fs small>(but you can install it on your own server)</fs> | 1GB encrypted storage | $10/yr one user, $39.96/yr up to 6 users |Windows, Mac, Linux, iOS, Android|
+|[[https://keepass.info/|KeePass Password Safe]]|* Can run from USB\\ * Many customizable options\\ * A little intimidating? You judge.|FOSS((FOSS=Free, Open-Source Software)) - there is no paid version -- all features in free version\\ Many ports, with different features and UI|Note, no cost. Does not provide place to store the Safe, that's up to you|Windows, Android, iPhone/iPad, Mac, Chromebook, Blackberry, Linux, and more|
 ===Has your email been compromised in a data breach?===
-You enter your email address and this site ([[https://haveibeenpwned.com/]]) will tell you if your email address has been picked up during a data breach and which sites.  Note that it also suggests using a paid password manager system; check my advice elsewhere on this page.
+You enter your email address and this site ([[https://haveibeenpwned.com/]]) will tell you if your email address has been picked up during a data breach and which sites.  Note that it also suggests using a paid password manager system; check my advice on password managers above.
 ====Steve's Opinions====
-I use a combination of KeePass on my Mac, PC, and iPhone to access, create, maintain passwords and related information in a secure password safe (encrypted file).  I store and access the safe using iCloud and Dropbox.
+I use a combination of KeePass on my Mac, PC, iPad, and iPhone to access, create, maintain passwords and related information in a secure password safe (encrypted file).  I store and access the safe using iCloud, pCloud, and Dropbox.
 Note that KeePass has different applications you can use to access the password safe, as they differ by device.
-While I started using Dropbox as you could access your free 5GB from any number of devices, they have restricted its use to 3 devices unless you pay.  Now I am using iCloud to hold the password safe as there is no limit on number of devices.
+While I started using Dropbox as you could access your free 5GB from any number of devices, they have restricted its use to 3 devices unless you pay.  Now I am using iCloud (with pCloud as a backup) to hold the password safe as there is no limit on number of devices.
 If you do not want to use the cloud (Internet storage) to save your password crypt, you can store it on your computer and use a USB stick to copy it from machine to machine and as a backup.
@@ Line 65: / Line 112: @@
 ===On Mac Computer===
   * KeePassXC
-  * Dropbox, iCloud
+  * Dropbox, iCloud, pCloud
-===On iPhone===
+===On iPhone and iPad===
-  * Strongbox (MiniKeePass)
+  * KeePass Touch
   * iCloud
 ===on Windows===
   * KeePass2 (download directly from [[https://keepass.info]])
-  * Dropbox or iCloud
+  * Dropbox or iCloud or pCloud
-===Comments===
-  * There are other ports of KeePass for Mac OS X, iPad, iPhone, Android, Windows 10, Chromebook, Blackberry, etc.  Visit the KeePass site and choose Download.
 ===To Consider===
-  * While some apps store passwords in their space, this means it's a SPOF
+  * While some apps store passwords in their space, this means it's a SPOF((Single Point Of Failure)) -- if they close or lock you out, you're SOL((Sadly, Out Of Luck))
-  * KeePass lets you decide where to store it -- on your computer, on USB stick, cloud storage of your choice -- and this provides some level of security you control
+  * KeePass lets you decide where to store it -- on your computer, on USB stick, cloud storage of your choice -- and this provides a level of security, backup, and access you control
 ====Glossary====
@@ Line 85: / Line 130: @@
 |SPOF|Single Point of Failure|
+<hidden page stats> This page has been visited {{counter|today| time| times}} today, {{counter|yesterday| time| times}} yesterday, and {{counter|total| time| total times}} since 8/27/2021. Thank you for your interest! </hidden>