Apple IDs locked for unknown reasons for a number of iPhone users


Comments

  • Reply 41 of 46
    cgWerks Posts: 2,952 member
    Soli said:
    The only problem with that security answer is that many still limit the field to just alphanumerical, and some with just letters and spaces. But you can make this answer long enough that it's also sufficiently complex.

    Additionally, they also usually need to know your email address or username to gain access. For that reason, I use random usernames and email aliases whenever possible to make it hard for, say, one website to have a breach and then have that cross over to another website where a hacker may hope that my email address or username is the same. I used to use a standard alias for the email, like [email protected]*, but now I just use something random, like [email protected]*.

    I even use random birthdays for the sites that require it, which can also be used for regaining access. Since I store all this data securely in 1Password there's absolutely no reason for me not to do these simple things once and save it.

    Finally, I have a calendar reminder for me to copy my 1Password vault to a flash drive which I save to a safety deposit box 4x a year. At this point I could probably move that to twice a year since I add so few sites or even change the data too often these days, but every 3 months isn't an inconvenience and I do other things whilst at the bank, so it's fine. I don't know if a bank vault and the metal boxes would be a sufficient shield from an EMP, but I figure if that ever happens I'll have bigger things to worry about at that time, and the convenience of burning an optical disc every three months is definitely an inconvenience.

    PS: To get friends and family to slowly adopt the seemingly overwhelming task of setting up a password manager to the levels that we have done I have created some easy-to-follow steps in multiple stages that will make it simple and fairly anxiety free, and allow for repetition to create the pathways needed for them to help remember how to do it (and help others).


    * If you think that any part of these emails will lead to an account in my name, then you're sorely mistaken. These are just examples.
    Great stuff there! :)

    I'm just trying to get people to start using a password manager at all (and a unique password in every place). Even that would be a huge help.

    I hadn't really thought of the email thing, but I guess I'm trusting having a unique, strong password in each place kind of does enough that I don't much care if they have my email... but yes, I suppose it gives an easier way for alternate unlock routes (which shouldn't be done like that to begin with).

    And, absolutely... back up the password wallet! (Not just trust that they have it archived, backed up, in their cloud, etc.)
  • Reply 42 of 46
    Soli Posts: 10,035 member
    cgWerks said:
    I'm just trying to get people to start using a password manager at all (and a unique password in every place). Even that would be a huge help.
    What I call STEP ONE is simply having people save a single username, password, and URL to a password manager each day until they start to run out of new ones to add.

    I see people who jump in trying to get them all saved at once and they soon burn out at this. Also, doing just one a day builds that repetition of how the app works and helps those less technical to understand what they're doing and why.

    After they get most of their accounts added, STEP TWO would then be to do a single password change per day to something complex, long, and random. This gets them familiar with the password generator.

    Months later, after all that is done I have many other steps (that can be done out of order) that involve cleaning up URLs to remove all the irrelevant bits, adding the secret questions and answers, changing those answers, adding enrollment dates, email addresses, and really any other data for each password saved. Additionally, there are STEPS (that can be done out of order) for saving non-internet account data, like WiFi info and backup configurations, data on household items (especially if they have a warranty). Then there is credit and debit card, and auto and mortgage loan info which includes their phone numbers if you have an issue (I also include all my APR data, etc.). Then there's data for your family and pets, and your health data like immunizations with expiry dates, family history, and current and past lists of medications.

    All of that seems overwhelming so I just do a single step at a time. Now it's all there and I never have to struggle to remember some detail because I know where to find it.

    “Never memorize something that you can look up.” —  Albert Einstein


    * The worst part about changing passwords is that most websites aren't very good about telling you what the complete requirements are. They'll give you the minimum, but many won't tell you what the maximums are so you go to change a password and it fails… and it fails again. Or, worse, it takes it without issue but the server cut off the end when it reached the maximum characters allowed so your saved password doesn't work the next time you try to log in. For this reason, I have people log out and then test their password right away as a habit. This way it's fresh in their mind that they saved it and it was fine a minute ago. I also teach them that it's not working because there is at least one character that was removed from the end and to systematically start removing one at a time until they have the magic number. To make this easier I have them copy the password to TextEdit so they can see and edit, and then save it easier.
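The silent-truncation failure described in the footnote of Reply 42, as an added example that is not part of the thread: a constructed site whose change-password form cuts the input at an unpublished maximum while its login form does not, next to a corrected form that rejects over-length input. `MAX_LEN`, the class names and the sample password are assumptions made up for the illustration.

```python
import hashlib
import hmac
import os

MAX_LEN = 16  # assumed server-side maximum that the site never tells the user


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


class TruncatingSite:
    """Change form silently cuts the password; the login form does not."""

    def __init__(self):
        self.salt = os.urandom(16)
        self.stored = b""

    def change_password(self, new: str) -> bool:
        self.stored = _hash(new[:MAX_LEN], self.salt)  # silent truncation
        return True  # still reports success to the user

    def login(self, attempt: str) -> bool:
        return hmac.compare_digest(self.stored, _hash(attempt, self.salt))


class StrictSite(TruncatingSite):
    """Corrected behaviour: refuse an over-length password and say why."""

    def change_password(self, new: str) -> bool:
        if len(new) > MAX_LEN:
            raise ValueError(f"password exceeds {MAX_LEN} characters")
        return super().change_password(new)


def find_accepted_length(site, saved: str):
    """The trimming habit from the post: drop one trailing character at a time."""
    for n in range(len(saved), 0, -1):
        if site.login(saved[:n]):
            return n
    return None


def demo():
    saved = "kT9w-Qz4m_Lp2xVb7Rc8Hn3J"  # constructed 24-character password
    site = TruncatingSite()
    changed = site.change_password(saved)      # True: the form "worked"
    works_next_login = site.login(saved)       # False: saved entry is now wrong
    accepted = find_accepted_length(site, saved)
    try:
        StrictSite().change_password(saved)
        strict_rejects = False
    except ValueError:
        strict_rejects = True
    return changed, works_next_login, accepted, strict_rejects
```

Logging out and testing right after the change, as the post recommends, surfaces the mismatch while the new password is still on screen to be trimmed and re-saved.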
  • Reply 43 of 46
    cgWerks Posts: 2,952 member
    Soli said:
    What I call STEP ONE is simply having people save a single username, password, and URL to a password manager each day until they start to run out of new ones to add.

    I see people who jump in trying to get them all saved at once and they soon burn out at this. Also, doing just one a day builds that repetition of how the app works and helps those less technical to understand what they're doing and why.

    After they get most of their accounts added, STEP TWO would then be to do a single password change per day to something complex, long, and random. This gets them familiar with the password generator.

    Months later, after all that is done I have many other steps (that can be done out of order) that involve cleaning up URLs to remove all the irrelevant bits, adding the secret questions and answers, changing those answers, adding enrollment dates, email addresses, and really any other data for each password saved. Additionally, there are STEPS (that can be done out of order) for saving non-internet account data, like WiFi info and backup configurations, data on household items (especially if they have a warranty). Then there is credit and debit card, and auto and mortgage loan info which includes their phone numbers if you have an issue (I also include all my APR data, etc.). Then there's data for your family and pets, and your health data like immunizations with expiry dates, family history, and current and past lists of medications.

    All of that seems overwhelming so I just do a single step at a time. Now it's all there and I never have to struggle to remember some detail because I know where to find it.

    “Never memorize something that you can look up.” —  Albert Einstein


    * The worst part about changing passwords is that most websites aren't very good about telling you what the complete requirements are. They'll give you the minimum, but many won't tell you what the maximums are so you go to change a password and it fails… and it fails again. Or, worse, it takes it without issue but the server cut off the end when it reached the maximum characters allowed so your saved password doesn't work the next time you try to log in. For this reason, I have people log out and then test their password right away as a habit. This way it's fresh in their mind that they saved it and it was fine a minute ago. I also teach them that it's not working because there is at least one character that was removed from the end and to systematically start removing one at a time until they have the magic number. To make this easier I have them copy the password to TextEdit so they can see and edit, and then save it easier.
    Again, great info.
    Heh, we're a lot alike in how we eventually use the password manager, too.
    I also started using TextExpander to date-stamp notes in the notes section or such to keep track of when I opened an account (or purchased that new computer, hard-drive) or changed something about an account, or serial numbers, etc.

    You're right, it's so great when you can just search your password wallet and come up with that valuable info.

    Another app that is really, really great if you want to keep encrypted more loose-form content, is:
    https://thevault-app.com

    It is less structured than a password manager, but quite useful for keeping all sorts of other info, documents, diary, medical records, etc.
  • Reply 44 of 46
    cgWerks said:
    Another app that is really, really great if you want to keep encrypted more loose-form content, is:
    https://thevault-app.com
    Out of curiosity, do you believe iOS Notes is less secure, while that's being protected by tID/fID?
  • Reply 45 of 46
    cgWerks Posts: 2,952 member
    cgWerks said:
    Another app that is really, really great if you want to keep encrypted more loose-form content, is:
    https://thevault-app.com
    Out of curiosity, do you believe iOS Notes is less secure, while that's being protected by tID/fID?
    Yes, though I'm not sure about in terms of pure security.

    The problem with iOS Notes is that the OS has access and they are also cloud-based. With The Vault, it's an encrypted file under my control. While it can be unlocked with touchID/faceID, it is independent of the OS being able to see the contents. You can even turn off spell-check or auto-correct so that the OS isn't analyzing what you're typing. The encryption tech/implementation used is quite sophisticated, and it's much more secure in how it locks and thwarts hacking attempts.
  • Reply 46 of 46
    cgWerks said:
    cgWerks said:
    Another app that is really, really great if you want to keep encrypted more loose-form content, is:
    https://thevault-app.com
    Out of curiosity, do you believe iOS Notes is less secure, while that's being protected by tID/fID?
    Yes, though I'm not sure about in terms of pure security.

    The problem with iOS Notes is that the OS has access and they are also cloud-based. With The Vault, it's an encrypted file under my control. While it can be unlocked with touchID/faceID, it is independent of the OS being able to see the contents. You can even turn off spell-check or auto-correct so that the OS isn't analyzing what you're typing. The encryption tech/implementation used is quite sophisticated, and it's much more secure in how it locks and thwarts hacking attempts.
    Ah, ok, thanks for elaborating.