Canine Blues Arooo
Jan 7, 2008

when you think about it...i'm the first girl you ever spent the night with

Grimey Drawer
I have issues with online password managers. Besides having a single point of failure for a ton of important data, I really don't like not having absolute control over my auth for services (in this case, not actually knowing the password [Yes, I know you can look this up, but while the length they employ makes them exceptionally secure, it also makes them exceptionally impossible to actually commit to memory]). A lot of people are OK with Magic Software™ managing their passwords. I am not.

The strategy I employ is to have a common string that is then modified based on the website I'm logging into. It's not perfectly secure, but it also means that any attempt to mass-attempt logins will fail.

So, for example, say my base string is '5mm3XXX7w!nt3r'. I'd then replace the XXX with an identifier for the website. So, for Something Awful, it might be '5mm3SA7w!nt3r'. Now, that is a monster to memorize, but in reality, you only need to memorize the base string once and then understand how you internalize your identifiers. Hell, you can even keep a spreadsheet with your site identifiers and it still would mean nothing to anyone. This system protects against the most common types of attacks and incidents of lax security on a service provider. Pairing your email and a password for a given site is totally useless unless someone actually takes the time to figure out how you generate your particular password, which is never going to happen. If someone gets a hold of your password ID spreadsheet, it's useless without the base string. Anecdotally, I've used this system for about 10 years now and while individual auth information has been compromised, no one has ever made a cross-site attack on my accounts. The only attack that can realistically compromise this kind of system is a keylogger, which is extremely unlikely with even intermediate Internet know-how.

I have an additional layer of security, where all my accounts are based from, and recovered from, my Gmail account. My Gmail account has an entirely unique password as a final layer of security in case the worst would happen.

At the end of the day, I have to effectively memorize 2 passwords and I enjoy a level of security that is very nearly equivalent to the kind provided by a password manager. I do have a spreadsheet that contains the IDs for sites I don't use much and I don't care much about, but again, compromising that spreadsheet is both extremely unlikely and not useful unless you have the base string of the passwords as well.

I personally think this is the 'best' way to handle password management if you don't want to put all your trust in a software solution.
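An added example, not part of the original post: it builds passwords with the template quoted above and measures how much of each resulting password is actually site-specific, which is the part that stays unknown about the other sites once one of them is exposed in plaintext. The second identifier 'GH' and all function names are assumptions made for illustration.

```python
import os

# Base string and placeholder as quoted in the post.
BASE_TEMPLATE = "5mm3XXX7w!nt3r"
PLACEHOLDER = "XXX"


def site_password(template: str, site_id: str) -> str:
    """Substitute the site identifier for the placeholder in the base string."""
    if template.count(PLACEHOLDER) != 1:
        raise ValueError("template must contain the placeholder exactly once")
    if not site_id:
        raise ValueError("site identifier must not be empty")
    return template.replace(PLACEHOLDER, site_id)


def shared_affixes(a: str, b: str) -> tuple[str, str]:
    """Return the (prefix, suffix) two passwords have in common, without overlap."""
    prefix = os.path.commonprefix([a, b])
    rest_a, rest_b = a[len(prefix):], b[len(prefix):]
    # Common suffix = common prefix of the reversed remainders.
    suffix = os.path.commonprefix([rest_a[::-1], rest_b[::-1]])[::-1]
    return prefix, suffix


def site_specific_chars(a: str, b: str) -> tuple[int, int]:
    """Number of characters in each password not covered by the shared parts."""
    prefix, suffix = shared_affixes(a, b)
    shared = len(prefix) + len(suffix)
    return len(a) - shared, len(b) - shared


if __name__ == "__main__":
    sa = site_password(BASE_TEMPLATE, "SA")   # identifier from the post
    gh = site_password(BASE_TEMPLATE, "GH")   # constructed second identifier
    prefix, suffix = shared_affixes(sa, gh)
    unique_sa, unique_gh = site_specific_chars(sa, gh)
    print(f"shared prefix: {prefix!r}, shared suffix: {suffix!r}")
    print(f"site-specific characters: {unique_sa} of {len(sa)}, "
          f"{unique_gh} of {len(gh)}")
```
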

Canine Blues Arooo
Forgall posted:

That only means you have been lucky so far.

How do you figure?

To compromise my passwords, you'd need two pieces of information in two different locations, and the attack would have to be a personal attack, not a widescale attack. That's not lucky, that's just a basic understanding of the nature of auth attacks: They are done en masse and without discrimination.
