UKC

What do you do about passwords?

New Topic
This topic has been archived, and won't accept reply postings.
 Postmanpat 22 Feb 2023

 Like most people, I suspect, I use a few variations on a few passwords for most websites, excluding financially sensitive sites. This is obviously not super secure and involves writing them down somewhere. The passwords provided by browsers don't seem to sync across devices.

  What is the best, i.e. most secure but also convenient, way to create and store passwords for multiple websites?

 deepsoup 22 Feb 2023
In reply to Postmanpat:

I used to do more or less that, but it was getting ridiculous.  And because I had a kind of a 'system', someone who found out my password for one site wouldn't have had a particularly difficult puzzle to solve to figure out my passwords for loads of others.

I'm using Bitwarden now.  (Just the basic, free, personal account - accessed via the website on my laptop, or via the app on my phone.)  I remember one proper password, and just about all of the others are randomly generated.

https://bitwarden.com/

 Hooo 22 Feb 2023
In reply to Postmanpat:

I use Keepass. It's just a file where you store all your passwords and you only have to remember the one password to open it. You can get plugins so that it enters the passwords into websites for you if you want. I keep the Keepass file on Dropbox so I can get to it from anywhere.

There are solutions like LastPass where everything is stored in the cloud, but I'm suspicious of these.

 Ciro 22 Feb 2023
In reply to Postmanpat:

Take a phrase, modify it, put a bit in the middle somewhere that you'll add a couple of letters such as initials of the business.

E.g.

Phrase:

Skoda Octavia For The Win

Modified:

Sk0da0c4v!a4TW#

Password for UKC:

Sk0daUk0c4v!a4TW#

Password for NHS: 

Sk0daNh0c4v!a4TW#

Password for HSBC:

Sk0daHs0c4v!a4TW#

You've now got a mixture of upper and lowercase letters, numbers, and symbols so all pretty strong passwords, all unique, all easy for you to figure out when you go back to the website, but all looking pretty random in isolation so nobody is likely to figure out your system unless they've already cracked multiple accounts

28
 mondite 22 Feb 2023
In reply to Postmanpat:

As per others, password manager. I also use KeePass, which is more of a pain to keep in sync since you have to either send the file across manually or use a storage site, but I am not a fan of the cloud-based managers since those are a hacker's wet dream and several have been successfully hacked (such as LastPass last year).

In reply to deepsoup:

> I used to do more or less that, but it was getting ridiculous.  And because I had a kind of a 'system', someone who found out my password for one site wouldn't have had a particularly difficult puzzle to solve to figure out my passwords for loads of others.

This isn't quite as bad as it sounds; you don't have to outrun the bear....
A robot who finds out your password in a list of passwords will still fail in trying it blindly against a load of other websites, which is realistically what you're worried about. Especially if you use the plus trick to log in with a different email address for each site too. If someone's willing to go to so much effort that a human is trying to guess your passwords manually then there are much easier things they could do and you're definitely going to lose. https://xkcd.com/538/

Still though, the only sane advice is to use a password manager. 

Post edited at 12:46
 skog 22 Feb 2023
In reply to Postmanpat:

Well ... what I don't do is post my password strategy on an open forum on the internet. 😆

 Graeme G 22 Feb 2023
In reply to Postmanpat:

Keychain on iPhone. I couldn’t tell you what any of my passwords are. But my phone knows ;-(

Post edited at 12:47
 The Lemming 22 Feb 2023
In reply to Postmanpat:

To create countless unique passwords that you will never forget and always remember then pick a simple word and then add it to the website name.

An example could be the word "sprouts". Say you visit Amazon. Your new password could be sproutsamazon.

Another could be sproutsukclimbing.

Or sproutsnetflix.

Works for me, or did till I got a Password Manager app. Keepass.

9
OP Postmanpat 22 Feb 2023
In reply to skog:

> Well ... what I don't do is post my password strategy on an open forum on the internet. 😆

  You’d better warn Michael McIntyre! 😣

youtube.com/watch?v=aHaBH4LqGsI&

 Luke90 22 Feb 2023
In reply to Ciro:

That seems to combine pretty low security with being tremendously hard work. You're obviously better than me at both remembering and typing passwords, because I don't think I could make that work at all.

 Luke90 22 Feb 2023
In reply to Hooo:

> I keep the Keepass file on Dropbox so I can get to it from anywhere.

> There are solutions like LastPass where everything is stored in the cloud, but I'm suspicious of these.

But you're keeping it in the cloud anyway. And it's not like Dropbox hasn't had security breaches in the past. I don't think it's a terrible solution, but I'm not convinced it's really superior to most other cloud-based password managers.

 dsh 22 Feb 2023
In reply to Luke90:

> But you're keeping it in the cloud anyway. And it's not like Dropbox hasn't had security breaches in the past. I don't think it's a terrible solution, but I'm not convinced it's really superior to most other cloud-based password managers.

Exactly this, you're far more likely to have a weak password stolen than one of these hacked. The key is to use device based MFA, then it doesn't matter if somebody manages to get one of your passwords, but you'll know they attempted to log in and can change it.

 Inhambane 22 Feb 2023
In reply to Postmanpat:

I read an article that stated as well as a password manager another layer of security  to add is to have different emails for different areas of online activity. Such as 

  • Banking
  • Social media
  • Shopping
  • Personal Comms 

That way if one gets hacked not everything is immediately compromised. You're also less likely to get spam in a dedicated banking email account, which means you're less likely to click malicious links. 

 yorkshireman 22 Feb 2023
In reply to Postmanpat:

I've used a combination of Google Chrome and Lastpass for the last few years but Lastpass had a big breach and isn't really recommended any more due more to the crap transparency with users since it happened. 

The single best thing you can do is enable multi factor authentication on anything you can using an authenticator app on your phone. Your banking probably insists on this anyway but I have it with all my Google logins, Amazon etc. 

 Hooo 22 Feb 2023
In reply to Luke90:

Dropbox security is irrelevant. The file is secure enough that I don't need to worry who has it.

 mutt 22 Feb 2023
In reply to Postmanpat:

Reduce the number of different devices you access the internet on. Assess the damage that will happen on each site. If it's not dangerous then let the browser do the password remembering; if it's more serious download the app for your phone and let the phone manage the password, having set up a biometric sign in. If it's serious and has to be accessed from a computer then store the password on an encrypted USB stick and only use it in extremis.

Most serious risks are managed with two factor authentication anyway so loss of a password isn't too worrying 

 Luke90 22 Feb 2023
In reply to Hooo:

Sure, you can look at it that way, but the same argument applies to many of the cloud-based password managers. I'm not saying don't use a password manager, or don't use Keepass with Dropbox. I'm just saying that it's contradictory to caution against cloud-based password managers and also recommend a solution that involves storing your passwords in a slightly different cloud. Either way, you're relying first on access to the cloud storage being properly secured and if that fails then on the security of the encryption on the actual data.

1
 Iamgregp 22 Feb 2023
In reply to Hooo:

In reply to Postmanpat:

At my work we have a lot of AWS and cloud related stuff, we manage over a petabyte of extremely precious and sensitive data.  The passwords to everything, including the secret access keys to our AWS cloud estate are kept here https://www.keepersecurity.com/en_GB/ 

 Neil Williams 22 Feb 2023
In reply to Postmanpat:

Keepass synced via Google Drive or similar (and the Kypass app on my Apple devices, there's also an Android one of some sort).

Even if someone got hold of the file they can't do anything with it, which to me makes it more trustworthy than one of the password manager sites.

1
In reply to Postmanpat:

I often use the first letters (plus upper case) of weird but memorable sentences, sometimes obscene, with numbers thrown in. Some of my favorites are sentences about experiences on climbs anywhere in the world with the alphanumeric climbing grade included. To make these passwords really cryptic, the grade is not the universally accepted one, but what I thought it was at the time. e.g. TNRoJN10c@mic. These make the Enigma codes look like child's play.

 profitofdoom 22 Feb 2023
In reply to Postmanpat:

Some people are so dumb. They use "123456789". "987654321" is obviously immensely safer 

 d508934 22 Feb 2023
In reply to mondite:

I use LastPass for convenience, it does work easily but was a concern when I got their data hack email last year. However nothing seemed to come of that - was there any real implication/outcome? Maybe there are tech websites that analyse it in detail, but I probably wouldn’t understand them

In reply to John Stainforth:

TPSisDEFINITELYhvs?

 Ramblin dave 22 Feb 2023
In reply to profitofdoom:

> Some people are so dumb. They use "123456789". "987654321" is obviously immensely safer 

This reminds me of the time when someone pointed out that the door codes on our uni halls had been the same for so long that the relevant buttons were obviously more worn, which given that they were three digit codes meant that there were literally only six combinations that a reasonably observant intruder had to try in order to brute-force the code for any given building. The Accommodation Office took these comments onboard, had a bit of a think, and announced that they were going to update the keycodes but that to make the new keycodes easier to remember, they were going to be the same as the old ones were but backwards.

 wercat 22 Feb 2023
In reply to John Stainforth:

I have been known to use hex code representing machine code as a password as it represents quite a long and difficult string to guess but is very very easy for me to remember.

I do keep a paper record of my passwords but refer using veiled obfuscated speech to the site it is for and to the make up of the passphrase or passclause content using a coding system I have developed over the last 20+ years. If I lose my marbles things will be awkward but that will be the least of my worries. 

The worst thing is the stupid web developers who compromise security by insisting on short passwords that must include silly nonsense characters that help security not one jot.

The forced use of nonsense characters is likely to make more people write down the cleartext of their passwords.  Best defence against brute force is the length of the password, NOT enforced inclusion of stupid nonsense substitutions.

Nothing against your method being used voluntarily but I like the length of mine to be up to 20 characters or so, easily regenerated by me personally as they don't require remembering special characters but intimate knowledge of quirks of my personal memories

Post edited at 17:19
 wercat 22 Feb 2023
In reply to Ramblin dave:

I was working at a major defence site in the 1980s and discovered we connected our terminals to the mainframe through a certain model of data concentrator exchange.  As I had experience of this device in the oil industry I called up the device with a certain sequence and attempted to log in as administrator to the data concentrator using the manufacturer default password (123456, unbelievably).

Uncannily it let me straight in.  This was a site making iconic British hardware, no names no packdrill and it no longer exists

Post edited at 17:25
 Sharp 22 Feb 2023
In reply to Postmanpat:

As others have said, using a password manager is the only correct answer to that question just now. It's not as convenient as using the exact same password for everything and it's not as secure as remembering a unique set of complex passwords for each account you hold.

Keepass if you're geeky and/or want more control, 1password or bitwarden if you're not. I use 1password, mainly for the secret key which adds a layer of security others don't seem to have.

I also use different email addresses for different things and have 2 factor enabled wherever it's an option.

 profitofdoom 22 Feb 2023
In reply to Ramblin dave:

> This reminds me of the time when someone pointed out that the door codes on our uni halls had been the same for so long that the relevant buttons were obviously more worn......

Richard Feynman used to break into safes at Los Alamos. He said his first method was to pull the safe owner's desk drawer open: half the time the combination would be written in there on a slip of paper. He would then open the safe, put in a funny note for the owner, and relock the safe

 Ridge 22 Feb 2023
In reply to Ciro:

Swapping symbols for letters - making passwords impossible to remember yet easier for brute force cracking...

 Alkis 22 Feb 2023
In reply to Postmanpat:

I use randomly generated passwords stored in a password manager with a ridiculously long master password that I will never forget (barring brain damage). I used to use custom passwords for every website that mattered, by writing long surreal plain English sentences related to what the password is for, silly enough to not forget. I bit the bullet and moved to the password manager once too many websites with no real clue as to how to enforce entropy started introducing password rules without taking length into account. I can easily remember a made up surreal sentence made up of 10 English words*, but I sure as hell can't remember letter substitutions, numbers, and symbols added at that length.
 

Edit: I still use *super* long plain English for passwords I need to be able to recall no matter where I am and what device I have in my hands, which is usually on systems I control.

* There is a lot of misinformation about plain English lowercase somehow being magically easy to crack with a dictionary attack. It's true for single words and common phrases, but the search space becomes absolutely astronomical very fast once you increase the length, far beyond a shorter password with no dictionary words in it.

Post edited at 18:01
 Dax H 22 Feb 2023
In reply to Postmanpat:

For good or bad I basically use 4 different passwords.  All alphanumeric with symbols. All different but all mean something to me and easy to remember, and I don't do things like replacing A with @ or i with ! like a lot of people do. I have a system for them but if I divulge the system it would make it easier for people to work it out. 

1 for banking and my NHS log in, government gate way etc. 

1 for shopping with regular websites I use. 

1 for forums and whatnot that I regularly use. 

1 for random websites that need a password but I hardly use. 

 Sharp 23 Feb 2023
In reply to Dax H:

Doesn't that mean that, hypothetically speaking, if the NHS's top notch security was to suffer a data breach and your password was leaked then any attacker would quickly have access to all your important accounts at once? i.e. they would be able to take over your email, Google account, remotely wipe your phone, clone it to another device, take over your phone number, steal all your money and assets and blackmail you for whatever you had left? Reusing passwords is fine until it's not, particularly so with anything important.

For everyone on this thread who has a "system": if your system is non-random, then even if it's secure now, it won't be long before breaking it is trivial for a piece of software. Just use a password manager.

1
 wercat 23 Feb 2023
In reply to profitofdoom:

The planners at Kishorn used to leave their system passwords sellotaped "Securely!" under the keyboards of their terminals

In reply to Postmanpat:

I just put posts on Facebook asking people to tell me their stripper name (mother's maiden name + first pet's name) or their rockstar name (favourite food + name of the street they were born on) and I have all the passwords I need

 Dave Garnett 23 Feb 2023
In reply to Ciro:

> Take a phrase, modify it, put a bit in the middle somewhere that you'll add a couple of letters such as initials of the business.

I'm baffled by the dislikes this has attracted as well as the accusation that it's low security.  I now do something a bit similar, based on letters selected from easily remembered (for me) phrases (although I use more than one base phrase) including any upper case letters or punctuation, combined with (for me) logical variations.

This method is recommended by our cybersecurity group for high security applications.

Important but rarely used passwords are unhackably written inside the cover of a random book on my bookshelf.  Supposedly the least secure way, but a significant challenge for a Russian AI bot however clever it thinks it is.

For a lot of sites (where it would be inconvenient but not disastrous if the password was lost) I just use the 'suggest strong password' function and get Windows/Google to remember it for me.

Post edited at 09:20
 Ramblin dave 23 Feb 2023
In reply to Dave Garnett:

There seems to be a bit of a move now towards using "secure link sent to your email" rather than a password for account verification. This seems pretty good? It's essentially the same from a security point-of-view as coming up with a long, unique, cryptographically random string every time you need to create a password, not bothering to remember it and just asking for a password reset every time you need to use the service, except that the "reset your password" workflow is now just one click. It obviously relies on your email being secure, but that's true of anything with a password reset option.

It seems like this would be a really good pattern for things like online climbing shops, where I buy stuff often enough to want them to remember my details but not often enough to actually want to try to remember a secure password.
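The "secure link sent to your email" pattern described in this post has a server side that the post does not spell out. As an added example (not code from the post or from any site mentioned in the thread), here is a minimal Python sketch of it: the link carries a long random token, the server stores only a hash of that token, and the token is single use and expires. The 15-minute lifetime, the `MagicLinkStore` class name and the injectable clock are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets
import time

# Assumption for the illustration: a link is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


class MagicLinkStore:
    """Server-side record of outstanding login links (hypothetical helper).

    Only a SHA-256 hash of each token is kept, so a copy of this table
    does not give anyone a usable link; the token itself exists only in
    the e-mailed URL, much like the one-click password reset the post
    compares it to.
    """

    def __init__(self, now=time.time):
        self._now = now              # clock is injectable so tests can control expiry
        self._pending = {}           # token_hash -> (email, expires_at)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, email: str) -> str:
        """Create a fresh 256-bit token for `email` and return it for the e-mail."""
        token = secrets.token_urlsafe(32)  # CSPRNG; comparable to a long random password
        self._pending[self._digest(token)] = (email, self._now() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str):
        """Return the e-mail address the token was issued for, or None.

        The token is removed on first use whether or not it has expired,
        so a stale link can never be replayed later.
        """
        presented = self._digest(token)
        match = None
        # Constant-time comparison against every stored hash: the lookup
        # then takes the same time for a valid and an invalid token.
        for stored in list(self._pending):
            if hmac.compare_digest(stored, presented):
                match = stored
        if match is None:
            return None
        email, expires_at = self._pending.pop(match)  # single use
        if self._now() > expires_at:
            return None
        return email


if __name__ == "__main__":
    store = MagicLinkStore()
    link_token = store.issue("climber@example.invalid")  # constructed address
    print("first use  :", store.redeem(link_token))       # the e-mail address
    print("second use :", store.redeem(link_token))       # None, already consumed
```

Because the only secret the server holds is a hash of a 256-bit random value, the database is not worth stealing on its own; as the post says, the real dependency is that the mailbox receiving the link is itself protected.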

OP Postmanpat 23 Feb 2023
In reply to Postmanpat:

  Thanks for all the replies. The KeePass option sounds quite attractive but I am not quite sure how it works. 

If I download the app, does it just download and encrypt all my existing passwords or do I need to set up entirely new passwords which it will then encrypt?

How does something called a "keyfile" play into all this?

 Ben Callard 23 Feb 2023
In reply to Postmanpat:

Is there anything wrong/risky just using Chrome password manager? It seems to be what a lot of people do, and the whole 'suggest strong password' makes it very easy.  

 Lukasz Kisala 23 Feb 2023
In reply to Neil Williams:

This is as close to perfect as it can get. 

KeePass is amazing at storing and encrypting passwords and Google Drive gives you the ability to access them from your mobile phone or anywhere in the world for that matter (it syncs both ways too).

Only thing, if you do have KeePass on your Google Drive please MAKE SURE you do use 2-step verification (using the Google Authenticator application or a 3rd party app, i.e. "Authy").

In fact, regardless if you use KeePass, Google Drive or something else. ALL your online accounts should be protected by 2-step verification/MFA (if supported).

 Neil Williams 23 Feb 2023
In reply to Lukasz Kisala:

MFA is a great idea and I do use it, but if you have a strong key on your KDB file then there's literally no problem at all if someone gets hold of it.  Ideally use a full sentence to make it really hard to brute-force.  And definitely not the same as your password for anything else!

Post edited at 10:12
 Lukasz Kisala 23 Feb 2023
In reply to Postmanpat:

I would recommend using a Windows PC initially to create a KeePass file. Simply install the software and then upon opening it creates an encrypted file on your PC (you can call it "MyPasswords.kdbx" or whatever you like). During creation of such file it also asks you to create a master password (which you obviously cannot forget!).

Then every time you open this file it asks you for that "master password"; once authenticated, anything you store inside it is encrypted by default. In simple terms it's like an advanced version of an Excel spreadsheet protected by a password. Obviously more advanced than that as you can create folders inside for easier organization (i.e. emails, banking, web services, etc).

Then all you need to make sure is you do not lose that "MyPasswords.kdbx" file. You can store it on Google Drive if you want (but make sure it's protected by 2-step verification).

If your computer goes bust, you simply install the KeePass software on the new one, and that allows you to open/edit that "MyPasswords.kdbx" file again.

 Ridge 23 Feb 2023
In reply to Wide_Mouth_Frog:

> I just put posts on Facebook asking people to tell me their stripper name (mothers maiden + first pet name) or their rockstar name (favourite food + name of the street they were born on) and I have all the passwords I need

Nope, that's the security verification questions 😃

 mondite 23 Feb 2023
In reply to Postmanpat:

> If I download the app, does it just download and encrypt all my existing passwords or do I need to set up entirely new passwords which it will then encrypt?

Lukasz answered most of it but for the existing passwords. You can manually add them into it as new entries. Personally I would recommend taking the opportunity though to create new passwords for the sites using more complex rules.

 Ridge 23 Feb 2023
In reply to Dave Garnett:

> Important but rarely used passwords are unhackably written inside the cover of a random book on my bookshelf.  Supposedly the least secure way, but a significant challenge for a Russian AI bot however clever it thinks it is.

That's my approach. The random number/letter sections are written down, together with a cryptic hint at the four word string that makes up the totality of the important passwords. There's also nothing written down to link the password with what it accesses.

For all the rest of the million and one not very important passwords needed I use the iPad's random password generator along with the hide my email function that generates a random iCloud email address for each account. I'm not too fussed about my Screwfix account with random password and email address being hacked, as it doesn't link to any other passwords or email accounts.

I tend to keep clear of password managers for important accounts. If it's on a server somewhere it's vulnerable, IMHO.

 Enty 23 Feb 2023
In reply to Ciro:

If you can remember Sk0da0c4v!a4TW# from the hint Skoda Octavia For The Win. You don't need to click on this thread. 
I'm crying.

E

Post edited at 12:03
 Luke90 23 Feb 2023
In reply to Neil Williams:

> Keepass synced via Google Drive or similar (and the Kypass app on my Apple devices, there's also an Android one of some sort).

> Even if someone got hold of the file they can't do anything with it, which to me makes it more trustworthy than one of the password manager sites.

Any responsible cloud password manager only ever sees your data in encrypted form, which means your protection is pretty equivalent between the two approaches. In either case, if there's a breach of the storage, your final line of protection is the strength of the encryption and the password you chose. The choice of encryption can vary between providers, and can often be tweaked to your preferences on a particular provider, but I don't think the architecture makes a huge difference in the sense you're suggesting.

In reply to profitofdoom:

> Some people are so dumb. They use "123456789". "987654321" is obviously immensely safer 

It's 16x safer? lol

987654321 - 1,093,723 data breaches
123456789 - 16,660,079 data breaches

In reply to Postmanpat:

I use Chrome on my desktop, laptop and mobile. The saved passwords are completely random and are synced just fine across devices but Chrome's not great if you're privacy conscious.

 Ridge 23 Feb 2023
In reply to Enty:

> If you can remember Sk0da0c4v!a4TW# from the hint Skoda Octavia For The Win. You don't need to click on this thread. 

He even got the password wrong on the substitution of a 4 for the 'ta' in Octavia. Everyone knows it should be '7@' to be really secure.

Post edited at 13:36
 Neil Williams 23 Feb 2023
In reply to Luke90:

> Any responsible cloud password manager only ever sees your data in encrypted form, which means your protection is pretty equivalent between the two approaches. In either case, if there's a breach of the storage, your final line of protection is the strength of the encryption and the password you chose. The choice of encryption can vary between providers, and can often be tweaked to your preferences on a particular provider, but I don't think the architecture makes a huge difference in the sense you're suggesting.

The problem is that it's hard to tell just who's responsible and who isn't, and I believe Lastpass had a breach which vindicated my approach.

 RX-78 23 Feb 2023
In reply to Postmanpat:

For rarely used sites i don't bother remembering them, i just do a password reset. For my main email account i have memorized a random alphanumeric password.

 Brass Nipples 23 Feb 2023
In reply to Postmanpat:

I just use Password1234, not been hacked yet

 Alkis 23 Feb 2023
In reply to Neil Williams:

Thing is, even with the LastPass breach, the actual password databases leaked were encrypted. The master passwords were not stored anywhere in plain text, so Luke90's point stands. The main concerns are around the default encryption on older accounts being potentially weak, which can be the case with your approach too if you pick weak encryption.

 CantClimbTom 23 Feb 2023
In reply to Longsufferingropeholder:

> TPSisDEFINITELYhvs?

Sorry but your password didn't include a digit, please choose again

May I suggest you use a zero perhaps?

 freeflyer 23 Feb 2023
In reply to d508934:

> I use LastPass for convenience, it does work easily but was a concern when I got their data hack email last year. However nothing seemed to come of that - was there any real implication/outcome? Maybe there are tech websites that analyse it in detail, but I probably wouldn’t understand them

The long and the short of it is:

0. The perps got a full copy of the encrypted data. If you were a customer at the time, and had an easily guessable, short password, you need to change all your passwords in the manager.

1. If on the other hand you had a good password (at least 8 letters including numbers and preferably punctuation), you *should* be ok. The crypto techies got very excited about discussing how vulnerable people were and how few thousands of years it would take to crack your master password, but there was a lot of hot air to impress their bosses and readers.

2. Change your master password anyway, and anything like banking etc where access would lead to serious loss.

3. Everyone will pile in with LastPass is a dead duck and you will be pwned; you can form your own opinion.

 Max factor 23 Feb 2023
In reply to Postmanpat:

Critique this:

I use awallet as a free local encrypted password manager on my phone. I back up encrypted files on a non-networked hard disc from time to time. One master password + the phone's security. 

Unfortunately being a crap Pixel 6a it doesn't have a functional fingerprint reader so no biometric security.  

In reply to RX-78:

> For rarely used sites i don't bother remembering them, i just do a password reset. 

This. Same for sites with excessively stupid password complexity rules.

In reply to Postmanpat:

Apple keychain. Works best if you're in the apple ecosystem, with an iPhone and Macbook. 

I have no idea what any of my passwords are, apart from my apple account password. On my macbook, I use thumb print to log into sites. On my phone, FaceID.

It's so easy. 

 jiminy483 23 Feb 2023
In reply to Postmanpat:

I just use the same password for everything that isn't my bank account or paypal. I have a unique password for these two, which I use for both of them. 

 Alkis 23 Feb 2023
In reply to freeflyer:

> 1. If on the other hand you had a good password (at least 8 letters including numbers and preferably punctuation), you *should* be ok.

Just come up with some complete nonsense, with the added bonus that doing so is quite fun and you're extremely unlikely to forget it:

masterfulpasswordinossareeitherhvsore1butnevere0asktpk

You can forget about brute forcing anything of that length, even if it's all lower case without numbers, with any dictionary in existence.  Extra points for containing made up words that only make sense in your head.

8 characters isn't a length I would ever consider for a master password, with or without numbers and symbols, plus you don't tend to type master passwords in often enough for the length to be a pain.
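The footnote in Alkis's earlier post and this reply both make the same claim: a long string of ordinary words beats a shorter random string, even when the attacker has the whole dictionary. The arithmetic behind that is easy to check. The following Python is an added example, not code from the thread or from any password manager mentioned in it; the alphabet sizes, the 20,000-word attacker dictionary, the 10 billion guesses per second and the KDF iteration count are constructed assumptions for the comparison.

```python
import math

# Constructed assumptions for the comparison (not from the thread).
LOWERCASE = 26            # a-z
PRINTABLE_ASCII = 95      # upper, lower, digits and keyboard symbols
DICEWARE_WORDS = 7776     # 6^5, the size of a standard Diceware word list
ATTACKER_DICTIONARY = 20000  # a generous English word list the attacker is assumed to hold
GUESSES_PER_SECOND = 1e10    # offline cracking rate against a fast hash (assumption)
SECONDS_PER_YEAR = 365.25 * 86400


def charset_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are chosen uniformly at random.

    Note this is an upper bound for hand-made passwords such as the
    'Sk0da...' scheme earlier in the thread: substitutions and phrase
    structure are patterns a cracking rule set already knows about.
    """
    return length * math.log2(alphabet_size)


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of a passphrase whose words are chosen uniformly at random from
    a list the attacker is assumed to know in full (so the alphabet is words)."""
    return word_count * math.log2(dictionary_size)


def expected_crack_years(bits: float, guesses_per_second: float = GUESSES_PER_SECOND,
                         kdf_iterations: int = 1) -> float:
    """Expected years to find the password: half the search space on average.

    A password-based KDF such as PBKDF2 costs roughly one hash per iteration,
    so a stolen vault protected by it divides the attacker's guess rate by
    kdf_iterations. That is the 'default encryption on older accounts' point
    made about the LastPass breach elsewhere in the thread.
    """
    effective_rate = guesses_per_second / kdf_iterations
    return (2 ** bits) / 2 / effective_rate / SECONDS_PER_YEAR


def compare_schemes(kdf_iterations: int = 1) -> dict:
    """Bits of entropy and expected crack years for the schemes discussed."""
    schemes = {
        "8 lowercase letters":            charset_entropy_bits(8, LOWERCASE),
        "8 printable ASCII (freeflyer)":  charset_entropy_bits(8, PRINTABLE_ASCII),
        "12 printable ASCII (generator)": charset_entropy_bits(12, PRINTABLE_ASCII),
        "6 Diceware words":               passphrase_entropy_bits(6, DICEWARE_WORDS),
        "10 words, 20k-word dictionary":  passphrase_entropy_bits(10, ATTACKER_DICTIONARY),
    }
    return {name: (round(bits, 1), expected_crack_years(bits, kdf_iterations=kdf_iterations))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_schemes().items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years")
    print("with a 100,000-iteration KDF on the vault:")
    for name, (bits, years) in compare_schemes(kdf_iterations=100_000).items():
        print(f"{name:32s} {bits:6.1f} bits  ~{years:.3g} years")
```

Ten words drawn from even a 20,000-word dictionary come to roughly 143 bits, well above the 79 bits of a 12-character random string, and every extra word adds about 14 bits regardless of case or symbols. The table also makes the other half of the argument visible: raising the KDF iteration count multiplies every crack time by the same factor, which is why the vault format's key-derivation settings matter as much as the master password.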

In reply to Postmanpat:

I find Bitwarden perfectly adequate.

 CurlyStevo 24 Feb 2023
In reply to GripsterMoustache:

You can use Apple keychain with windows too and an Apple browser plug-in 

In reply to Postmanpat:

I was listening to a security expert on R4 and he argued against password managers and recommended two factor authentication combined with writing passwords down in a book. His argument was that any form of digital storage can be compromised but a book can only be accessed by someone with physical access. 

1
 Luke90 24 Feb 2023
In reply to DubyaJamesDubya:

I don't think he's wrong, but it's not just a question of what's most secure, it's a question of finding the right balance between security and convenience. A book probably makes sense for a handful of your most critical accounts if you don't need access to them outside your home, but most people will have dozens of accounts at the very least, and need access to some of them regularly when they're away from the book. Even when the book is around, copying out a genuinely secure password is going to be way more of a hassle than a password manager that pastes the password in automatically. I'm sure it works for some people, or for a handful of key accounts, but I doubt it's a complete solution for many people these days.

 wercat 24 Feb 2023
In reply to Luke90:

The book is easy as it contains not the cleartext passwords or even site names but hints that immediately point to the site and the way to regenerate the phrase or sentence based on set patterns in my mind and memories of life.

I'm sure we all have our own personal idiosyncratic abbreviations for things based on decades of making notes etc.

So there is NO copying of long and involved passwords out from a book.  It is easy, provided I remember the daily changing sequence of locations where I hide the book

I started using this method long before anyone was advocating this and the passwords can be over 20 characters (the only short silly ones are where the webidiots have set that as a requirement.  They also then reduce security further by giving you the required format of the password!!!)

Stupidity has no limits.  I am not a web developer but I did ask our web team years ago how they were storing the security questions and answers in the database.  Would you believe actual text and answer!   As you will guess I made a rapid suggestion that they mend their ways (and designs)

Seems security from cold war radio practice also works for IT

Post edited at 09:58
 streapadair 24 Feb 2023
In reply to Postmanpat:

Not entirely trusting password managers, I use a long (a few thousand lines long) poem which I know more or less by heart, and deploy certain lines from it in a certain way. References, and the poem, I have in print and on my phone.

 sandrow 24 Feb 2023
In reply to Postmanpat:

>   What is the best ie. most secure but also convenient, way to create and store passwords for multiple websites?

Congratulations! You've managed to get quite a few people to reveal their password locations on an internet forum! This is all grist to the dark-web mill...

1
 RX-78 24 Feb 2023
In reply to streapadair:

Impressive! I was happy just memorizing Ozymandias by Shelley, all 14 lines of it.

 French Erick 26 Feb 2023
In reply to Postmanpat:

passwords are the bane of modern living!!!!

A necessary evil I know, but still…

 Joffy 26 Feb 2023
In reply to DubyaJamesDubya:

So all of my passwords are generated randomly by the manager and are 30 plus characters of random numbers, letters and symbols. I wouldn't want to write one of these out, let alone put it in each time reading from a book.

The only way this is feasible is to weaken the passwords or duplicate them. And that's ignoring what you do if you need to log in on your phone when you are out.

Sure you are mitigating one (minute) risk, but introducing far more and actively exploited risks. Breaching password managers is not a common attack, but password stuffing and cracking weak passwords is happening constantly.

 JanBella 26 Feb 2023
In reply to Postmanpat:

Get Dashlane app 

 mattrm 26 Feb 2023
In reply to Postmanpat:

Use Bitwarden - www.bitwarden.com.  It's free, open source and has apps & extensions for most major platforms.  Turn MFA on.  Ideally, change all passwords as you're entering them in to bitwarden.  Write the master password down and keep it somewhere with other important documents, such as your passport/birth cert etc.

A better alternative would be keepass with the kdb file synced up using syncthing.  Keepass is a piece of software that reads a file (.kdb) that has all the passwords in it.  You use a piece of software called syncthing (https://syncthing.net/) to sync the file between devices.  There are android apps for the phone as well.  This is more complex and error prone, so only for the technically savvy.

WRT lastpass, I would avoid them.  The recent breach isn't the first in fact, they have had quite a few issues over the years.  It is however the worst so far.  Also the UI is terrible and it's just not as nice to use as bitwarden.

For those of you complaining about the people giving ideas for password schemes, then a quick google will show you that there's literally 100s if not 1000s of articles espousing the same thing. 

Post edited at 20:05
 Jimbo C 26 Feb 2023
In reply to Postmanpat:

I've been considering using a password manager but I'm wondering if putting my passwords in an encrypted .zip or .rar with a random filename and storing it on my cloud storage would be a good 'DIY' alternative to using an app. Does anyone know if password manager apps do any more than that? 

 mondite 26 Feb 2023
In reply to Jimbo C:

> Does anyone know if password manager apps do any more than that? 

Yes they give the passwords in a more organised manner which is easier to use.

Keepass for example gives you the option to save the url with right click to open it in whatever browser (including private modes) you fancy.

If you use the right click for the username/password it also has a countdown before clearing the clipboard.

Plus the option to generate complex passwords (with whatever set of special characters etc) as needed.

There are also options for keyfile support and so on.

So I think generally worth it.

