Keeping usernames & passwords safe

[Ceefer]

I have numerous online accounts with banks and other online businesses. There is no chance of me remembering all the different usernames and passwords so I have put them into a Word document which is password-protected (this now runs to 6 pages - a lot of accounts!). Is Word's password protection system secure? I use a 15 character password utilising letters, numbers and symbols for access to this Word document but if someone was to get hold of the document how easy would it be to by-pass or crack the password?

Is there a super-secure way of storing my usernames and passwords?

[Larkspeed]

http://howsecureismypassword.net/

that will tell you how secure it is

for example when I put in one of my passwords I get this:

It would take a desktop PC
About 47 trillion years
to hack your password

[mycarsavw]

I use LastPass but there's other password managers out there

[smargh]

Store it in a non-passworded Word or text file inside a TrueCrypt archive.

The passwords in old versions of Word, with its default encryption options, can easily either be cracked or bypassed depending on the version. Office 2010 is a better option, but still a bit crap.

[ik9000]

From what I hear, microsoft office passwords are not safe. You can download free password crackers for not too much/nothing depending on the type. You can pay $40 and get commercial ones. Get something with proper encryption. An encrypted USB with secondary encrypted files within it perhaps. You can even get encryption software that sets up hidden partitions within the drive which never show themselves unless the right password is entered. If you're still worried then you could encase it a concrete bunker with armed guards, watch-towers and razor wire patrolled by hungry dogs and with automated laser guided missiles.

[MaddAussie]

I use LastPass but there's other password managers out there

+1 on lastpass

[Ceefer]

Thanks for the replies. My password seems OK according to 'howsecureismypassword' but I'm worried about the password-protection of my Word file being cracked/bypassed. I've looked at TrueCrypt and it seems very good indeed but sadly my wife would never cope with this method of accessing a file.

I'll take a look at LastPass next.

[Flibb]

I use keepass, solved my quandrey of wanting my passwords available while on the move. I keep the encrypted folder in dropbox, so I can access it from my phone or any computer I lay my hands on. Plenty of other pw tools offer this feature.

[peterb]

Store it in a non-passworded Word or text file inside a TrueCrypt archive.

The passwords in old versions of Word, with its default encryption options, can easily either be cracked or bypassed depending on the version. Office 2010 is a better option, but still a bit crap.

True, but the key to unlock the password is still vulnerable.

It isn't somuch that the encrypted file that is at risk as the password, which is vulnerable to a brute force attk.

So the risk then is whether an attacker could get access to the computer to conduct that attk, or download a protected attack so that it can be attacked at leisure.

The other form of protection is some form of token, like a private key in public/orivate key pair, where the private key is stored in something like a UISB drive, and a strong password protecting it, so access to the file needs both the token and the password. GPGP gives that level of protection.

Set against that is the convenience in use, do you want to have to get out a USB key everytime you want to look at the file, and if you are doing that, and can gurantee the physical security of the UYSB stick, you might argue that keeping the word file on that with a password is secure enough.

It comes down to your risk assessment. What is the effect of compromise? What is the liklyhood of compromise in vious different security configurations, and what level of inconvenience are you going to put up with the mitigate the risk to an acceptable level.

Effects of compromise - unauthorised access to all accounts stored in the file

Liklyhood - depends on determined attack, or casual, and the countermeasures on the computer

Security measures. Unprotected file - OK on a standalone non networked computer that only you have physical access to - convenient to get to

At the other end of the scale, a GPG encrypred file on a memory stick held in deposit box a branch of your bank, with the password held in a deposit box in another branch.

Very secure, very inconvenient - and still the risk of compromise by an online attacker when the file is opened for reading.

So there isn't one security measure, you need to look at them all , but against the background of the likliehood of an an attack.

Buit if no-one can easily get to your computer (physically of through a firewall, a password protected file is probably good enough, better still if you keep it in some offline storage, better again if you keep it in a hidden truecrypt repository (in case it falls into the wrong hands)

[freedomzero]

I use keepass, solved my quandrey of wanting my passwords available while on the move. I keep the encrypted folder in dropbox, so I can access it from my phone or any computer I lay my hands on. Plenty of other pw tools offer this feature.

+1 for Keepass and dropbox. Using this method gives a balance between security and portability. Password manager like Keepass also sort your login details into different groups, eg, emails, banks, shops etc. Much more efficient than a word document in my opinion.

Of course all of us have our own method that suit our needs. You just have to try it out yourself.

[cookie365]

+1 for Keepass and dropbox. Using this method gives a balance between security and portability. Password manager like Keepass also sort your login details into different groups, eg, emails, banks, shops etc. Much more efficient than a word document in my opinion.

Of course all of us have our own method that suit our needs. You just have to try it out yourself.

And exactly what I do too.

[hnosyalnif]

I use LastPass but there's other password managers out there

I use this as well. Very useful. Also use Xmarks (in partnership with Lastpass) so everything - bookmarks and passwords - is sync between all my computers, which helps. That being said I can remember all my passwords anyway, so it isn't really needed but still helps a lot.

[Lucio]

Personally, I'd go with a print out stored near the computer, don't record which accounts go with which passwords and change your passwords so that they're primarily word combinations rather than letter/number combos. A common format would be aaaa5£bbbb

Only password you shouldn't store like this, is the one to actually get into the computer in the first place

[ERU]

I use LastPass but there's other password managers out there

Same here - works great!

[watercooled]

Another vote for LastPass - it's a fantastic all-in-one solution to your problems. I also like KeePass but it does lack some of the selling features of LastPass. Word's password protection varies from a useless hindrance to unknown - but I don't reckon it's been well tested by actual cryptographers and was never designed for this purpose really, it's more of an afterthought in the software.

A full sentence makes for a far stronger passphrase than a short one made up of random characters when subjected to an exhaustive search, and you're much less likely to forget it.
Oh and capitalising the first letter and adding two random characters to the end of a password might seem great but it's actually very common and there are rainbow tables (method of cracking passwords much faster) designed with this in mind.

And of course, password strength only tells part of the story - if the encryption is poorly implemented or non-existent it doesn't matter. For instance, you can have an incredibly long Windows password but the data is still stored unencrypted on the HDD.

[shaithis]

WinRAR with a strong password is ridiculously difficult to crack.

I have used eWallet in the past, worked well, although no idea of it's security flaws.