And, hard to remember passwords

From Feb, 2017: https://sites.psu.edu/hacking/2017/02/17/how-to-guess-a-password/

• Use common, easy-to-guess passwords (Password, P@$$w0rd, password123, etc)
• Sequences like 12345
• Dictionary attack
• Social Engineering – things the bad guys can find out about you
  • name of husband/wife/son/daughter/dog/cat
  • birthdays and anniversaries
• Brute Force
• Fake websites
• Phishing email that you respond to
• Password cracking software (ophcrack, cain and able, THC-Hydra, Brutus)
• Using the same or similar password for multiple sites
• (Can you think of others?)

Recent from WikiHow: https://www.wikihow.com/Guess-a-Password Gives a set of steps to follow to guess someone's password.

1. Figure out the password requirements for the site or app
2. Ask for a hint or security questions (the “hint” may be easy to guess)
3. Check the list of easy-to-remember passwords
   1. like: 123456, 123456789, Qwerty, Password, Pa$$w0rd, Qwerty123, Iloveyou, etc
4. Phone screen passwords may be easy to guess (123456, 147258, etc)
5. Names of family members and pets
6. What you know about the target's interests (Golfpro, Mathwhiz, etc)
7. Significant numbers and dates
   1. like: address, birth/marriage/etc dates, lucky numbers, graduation date
8. Reverse or change the letters
   1. Adlihnurb, tsorfmada
   2. Substituting $ for s, 0 for o, 3 for e, 1 for i, etc (P@$$w0rd, w1k1h0w)
9. If you have access to their machine, check for saved passwords in Browsers

How long to crack: From Kim Komando March 2021

Of course technology will improve over time and shorten these brute force crack times.

You should assume that the attacker knows a lot about you: e.g., Facebook. Guessable things like the following have no business being in your password (or as one the answer to any of your recovery questions):

• Your: name, birthday, anniversary, social security number, etc
• Name, birthday, etc of your parents, friends, spouse, dogs, etc
• Sequences like 12345
• Any of the above but combined – adding guessable things together does not make them un-guessable
• Passwords you've used before, they've probably already been breached

• Use a different password for each site you visit
• Use strong passwords
• Use randomly generated passwords
• Treat “security questions” as passwords
• Somehow, remember them all
• Use two-factor authentication
• Protect passwords from compromise
• Provide for next of kin

or there's this option,
credit to John McPherson of Close to Home:

If a human is going to guess the password then make it unhuman. Consider: a password “safe”. Here are some alternatives, many are free or have free options.
You can also do a DuckDuckGo (or Google if you're still using Google) search for “Best Password Managers” and look for those with recent information.

All of these offer login and text note storage in a secure vault protected by your master password, and can generate (and store) strong passwords.

Following data updated 2/25/2025. There are MANY other options, these are a few. You should study all of the features and drawbacks of any option you consider or select as information may change.

KeePassXC is a KeePass port, see Tech Radar's review: https://www.techradar.com/reviews/keepassxc. It's free but accepts donations.

Refs:

• Tech Radar, The best free password manager 2019
• PC Magazine's picks
• https://www.pcmag.com/picks/the-best-password-managers
• https://www.cnet.com/tech/services-and-software/best-password-manager/
• https://www.techradar.com/best/password-manager a good site for reviews of offerings
• https://www.techradar.com/reviews/keepassxc TechRadar's review of KeePassXC

If you're looking for a fast answer…here's my thoughts

1. KeePass on iCloud or Box. (You're in full control of your passwords and who can see them and are relatively immune to data breaches.)
   • You need to be willing to learn to use KeePass and set up cloud storage.
2. BitWarden. Free version is a good solution and it's turnkey.
   • Possibility of a breach, see 'Caveat' below.

I am interested in your thoughts on these, and other, possibilities you like!

From https://sites.psu.edu/hacking/2017/02/17/how-to-guess-a-password/
Lawrence Lee February 19, 2017 at 12:07 am
While I do definitely agree with using a password manager, you also should be careful of who you trust with your information. LastPass recently had a data breach where hackers got away with a significant amount of personal information – thankfully no encrypted passwords were taken, but the fact that they were able to get as much as they did is slightly concerning. You’d think that a company who’s only goal is to increase your online security would be able to defend against intrusions by attackers.

These are my practices for your information. You should make a decision that's best for you.

• Use KeePass application on multiple devices
  • On MacBook: KeePassXC
  • On iPhone and iPad: KeePass Touch
  • On Android:
  • On Windows: KeePassXC
• Store password file in iCloud
• Copy password file to local Document storage on each device (so it's available when there's no internet)
• Copy password file to Box (free cloud storage) and Dropbox, for redundancy.

To note:

• KeePassXC updates the iCloud version whenever I make a change
• On iPhone and iPad I need to download a latest version of password file
• I added an entry in the password file that tracks latest changes (so I can tell if I have the latest on a given device)

Benefits:

• Free
• Available on all my devices
• One password to remember
• I can use long and complex passwords (and KeePass helps me create them and tells how secure they are)
• Can keep a history of past passwords
• I can store other information in the vault, like those recovery passwords “what's your father's middle name” so I can use a fake un-guessable answer

Using a password manager:

• easy to create long and complex passwords
• you can use long and complex passwords
• you can create secure passwords and not have to remember all of them
• you only have to remember One password
• you can store your password file encrypted in multiple places including USB drives so it's unlikely to be lost
• you have all of your important access information in one spot, the encrypted file
  • your next of kin would likely find this useful

Note that many of these features can be handled/provided by other password manager software, free and at cost

• A KeePass database can hold
  • Logins and password
  • Other information you feel useful, such as: Social Security numbers, Secret passwords (answer to “what was your first dog's name”), telephone numbers
  • Past passwords. Date you started to use a given password.
  • And all of the data in the database is encrypted.

• There are many applications that can access a KeePass database, and the same database can be accessed from each of them. You choose one that is available and that you find works for you.
  • On my iPhone, I use: KeePass Touch (and I have used: KeePassium, MiniKeePass)
  • On Windows (a while ago) I was using KeePass2
  • On MacOS I'm using KeePassXC
  • These are all available to download from keepass.info

• At first, one password for all sites
  • Turns out, it was easy to guess!

• Then
  • Password database on USB stick
  • Copy database to/from any computer I'd use
  • Not possible on smartphone (and I didn't have one)
  • Risk: loss of USB stick, loss of database synch

• Then, use Dropbox to hold database
  • In the cloud, can access from many devices (as I now had a smartphone)
  • Two levels security: need password to access Dropbox, need password to access Password DB

• Then Dropbox restricted free access to max 3 devices
  • As I have more than 3 devices, I had to seek alternatives
  • So I switched to iCloud, as 5GB is free [note, my database is ~350KB]
  • Most recent version on iCloud
  • For redundancy, after I make a password DB change(s), I copy DB from iCloud to other places
    • local Documents directory
    • Clouds: Dropbox, pCloud
  • I share password DB with wife via pCloud

• I use a DB entry to log changes
  • “Last changed 20221009.1817” meaning October 9, 2022 at 6:17pm
  • Enter change(s) made, eg: “0921: updated CCS entry, new password Kohls”
  • This I do manually
  • Helps me synchronize databases

• I use KeePass application to create new entries and login passwords
  • Passwords typically 14+ characters (upper/lower case and numbers)
  • KeePass tells me how secure a given password is

Here is a possible password I might use: cqLbq2NHcuNmgU – 14 characters, upper and lower case letters, and at least one number. This one has entropy 82.06 which is deemed “good”.

Another: M6dehfJRn7dz7lM82K 18 characters with entropy 101.60 and is deemed “excellent” by KeePass. By comparison

There are other capabilities of a KeePass password manager, such as autofill (it'll copy and enter passwords for you) and URL entry (it'll type your site's URL into your browser), and more; but I do not have experience with these.

on smi macbook

• open, select PasswordExample.kbdx pw=1234
• Save as CSV and look
• Save as HTML and look
• Database>Reports

• https://www.betterbuys.com/estimating-password-cracking-times/
• https://digg.com/2020/password-difficulty-hacking
• https://sites.psu.edu/hacking/2017/02/17/how-to-guess-a-password/
• https://www.comparitech.com/privacy-security-tools/password-strength-test/
• https://keithieopia.com/post/2017-12-13-passwd-crack-time/
• https://www.komando.com/security-privacy/check-your-password-strength/783192/
• https://www.komando.com/safety-security-reviews/creating-the-best-passwords/592778/
• https://www.cnet.com/tech/services-and-software/dont-put-your-online-security-at-risk-get-a-password-manager-now/