
Online password strategy
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Dec 16, 2005, 01:20 PM
 
Ok, so I do a lot of online shopping, and therefore, have to maintain a lot of accounts with different merchants.

I'm not sure if my current strategy for usernames and passwords is really the best out there, so I'd like to share what I do and get some ideas what could be done better.

As far as user id's / usernames are concerned, I have a catch-all account for my email. Every email sent to *@mydomain.com is delivered. For every merchant, I use an email address and username like this: [email protected]. With this, I always know who passed on my information to spammers and I can blacklist the email address with SpamAssassin.

As far as passwords are concerned, I suppose there are different strategies:
1) Always use the same password - not good for obvious reasons.
2) Use a unique password for each vendor, and keep a list of passwords somewhere secure online, on a PDA or offline - disadvantage: makes it somewhat of a hassle to keep the list up-to-date and retrieve the password fast.
3) Generate a unique password by using the vendor's URL.
E.g. use the first and last letter of domain name, first and last letter of TLD in CAPS and add a number of your choice that would always remain the same and separate those with special characters.
For www.amazon.com, this would become "an-CM.777".
This way, you only need to remember your password strategy, and apply it to the domain name.

What do you guys think about option 3) ?
Any better ideas ?

-t
     
Tesseract
Grizzled Veteran
Join Date: Apr 2002
Location: california
Status: Offline
Dec 16, 2005, 01:33 PM
 
You could randomly generate your passwords and use Keychain to store them. (I'm currently transitioning to this strategy.)
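
Option 3 from the opening post next to the random generation suggested in the reply above, as an added example that is not part of the thread: the per-site part of the URL scheme is computable from the public hostname, so the fixed number is the only secret and it is identical on every site. The function names and the simple two-label hostname split are assumptions made for illustration.

```python
import math
import secrets
import string

FIXED_NUMBER = "777"  # the constant from the post; the only non-public input
RANDOM_ALPHABET = string.ascii_letters + string.digits + "-_.!"  # 66 symbols


def url_scheme_password(host: str, number: str = FIXED_NUMBER) -> str:
    """Option 3: first/last letter of the domain name, first/last letter
    of the TLD in caps, then the fixed number, joined by '-' and '.'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError("need at least domain.tld")
    name, tld = labels[-2], labels[-1]  # assumption: single-label TLD
    return f"{name[0]}{name[-1]}-{tld[0].upper()}{tld[-1].upper()}.{number}"


def secret_remainder(host: str, password: str) -> str:
    """Strip everything derivable from the hostname; the remainder is the
    only part that is not already public once the pattern is known."""
    public_part = url_scheme_password(host, number="")
    if not password.startswith(public_part):
        raise ValueError("password does not follow the scheme")
    return password[len(public_part):]


def digit_entropy_bits(remainder: str) -> float:
    """Upper bound on the secret, assuming the remainder is random digits."""
    return len(remainder) * math.log2(10)


def random_password(length: int = 16) -> str:
    """Independent per-site password from the OS CSPRNG."""
    return "".join(secrets.choice(RANDOM_ALPHABET) for _ in range(length))


def random_entropy_bits(length: int = 16) -> float:
    return length * math.log2(len(RANDOM_ALPHABET))


if __name__ == "__main__":
    for host in ("www.amazon.com", "www.ebay.com"):  # constructed samples
        pw = url_scheme_password(host)
        rest = secret_remainder(host, pw)
        print(host, pw, "secret part:", rest,
              f"(<= {digit_entropy_bits(rest):.1f} bits)")
    print("random:", random_password(), f"({random_entropy_bits():.1f} bits)")
```
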
     
turtle777  (op)
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Dec 16, 2005, 01:34 PM
 
Originally Posted by Tesseract
You could randomly generate your passwords and use Keychain to store them. (I'm currently transitioning to this strategy.)
Yes, but doesn't work when you don't have access to your computer.
Plus, it's far too cumbersome to open up keychain every time.

I'm more looking for computer independent solutions.

-t
     
starman
Clinically Insane
Join Date: Jun 2000
Location: Union County, NJ
Status: Offline
Dec 16, 2005, 01:38 PM
 
I read that there was a solution to this. Umm....check grc.com. I think Steve Gibson has a solution for it.

     
turtle777  (op)
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Dec 16, 2005, 01:40 PM
 
Checked it. https://www.grc.com/passwords

How is that of any help and relevance to what I have described above ?

-t
     
starman
Clinically Insane
Join Date: Jun 2000
Location: Union County, NJ
Status: Offline
Dec 16, 2005, 01:46 PM
 
Maybe it was his podcast where he mentioned it. He and/or Leo have a strategy for online sites, based on the URL, similar to what you described.

     
turtle777  (op)
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Dec 16, 2005, 01:49 PM
 
Originally Posted by starman
Maybe it was his podcast where he mentioned it. He and/or Leo have a strategy for online sites, based on the URL, similar to what you described.
Ah, ok. I'll try to find something with Google.

-t
     
esXXI
Senior User
Join Date: Aug 2004
Location: Preston, England.
Status: Offline
Dec 16, 2005, 02:42 PM
 
I basically have one password that I cut up depending on the site. For really important stuff I used the full size one (25 characters), for forums it's usually the middle or small size if it's nothing important.

Using the URL seems like a nifty idea though.
     
Moderator
Mac Elite
Join Date: Jun 2001
Location: NYNY
Status: Offline
Dec 16, 2005, 03:38 PM
 
You have some good ideas. I basically have a secret password for most places, and a super secret password for anything that involves my bank account.
     
andi*pandi
Moderator
Join Date: Jun 2000
Location: inside 128, north of 90
Status: Offline
Dec 16, 2005, 04:02 PM
 
nm.
     
parallax
Admin Emeritus
Join Date: Oct 2000
Location: Boston, MA
Status: Offline
Dec 16, 2005, 10:55 PM
 
I have the same password from like 8 years ago for stuff that doesn't matter.

I have one password for accounts on other computers that matter (school, lab, etc.)

And for everything else that matters (bank, credit card, personal computer), I randomly generate a password.

I keep it all stored on a file on my computer that's AES encrypted with a key I keep written down.
"Against stupidity, the gods themselves contend in vain" (Schiller)
     
KeriVit
Professional Poster
Join Date: Mar 2003
Location: In the South
Status: Offline
Dec 16, 2005, 11:58 PM
 
Side note: I did install Vault to keep track of usernames and passwords and it has helped quite a bit. I like the username idea, though I suppose if it is common, like comcast.net, it might be taken...
     
Cubeoid
Baninated
Join Date: Apr 2001
Location: Dead whale
Status: Offline
Dec 17, 2005, 12:13 AM
 
Have a common password, and only change the last few letters ie. *****amazon or *****ebay or *****macnn that works just fine.
     
rambo47
Mac Elite
Join Date: Apr 2000
Location: Denville, NJ.
Status: Offline
Dec 17, 2005, 12:28 AM
 
All my passwords are variations on one theme. I add random numbers into the words just to mix things up.
     
isao bered
Dedicated MacNNer
Join Date: May 2005
Status: Offline
Dec 17, 2005, 01:14 AM
 
heh. seems like y'all have much better "systems" than me. i just do my best to remember the password hint and make new ones almost every time on those sites i visit infrequently.

i'm not sure if it's so much a problem with remembering or a lack of concern about forgetting. :-/

be well.

laeth
     
Cubeoid
Baninated
Join Date: Apr 2001
Location: Dead whale
Status: Offline
Dec 17, 2005, 01:19 AM
 
Originally Posted by rambo47
All my passwords are variations on one theme. I add random numbers into the words just to mix things up.
Randomness is next to Godliness.
     
Chips G
Dedicated MacNNer
Join Date: Mar 2003
Status: Offline
Dec 17, 2005, 10:42 AM
 
My only concern with using keychain is that if it loses your data and you don't know the passwords then you will be in for a real hassle.
This signature is obsolete.
     
scaught
Addicted to MacNN
Join Date: Jan 2001
Location: detroit,mi,usa
Status: Offline
Dec 17, 2005, 08:18 PM
 
ive used the same passwords for years for random online crap. i suppose i should keep a closer eye on my email ones (since they possibly contain more important info) but i dont.

any important ones (that are hard to remember or change often (see the dozen or so work passwords)) are kept on my palm pilot in a password protected MDB database. this probably isnt the most secure thing, but who really gives a **** about my stuff that much anyway? no one will even reply to this post or recognize that i posted in this thread. im a tiny speck in the universe. no one loves me. i am going to die alone and cold in a diner with a cold cup of coffee in front of me waiting for you to show up, but you never do. ill have scribbled on the placemat in front of me "the thing that hurts the most is i bet you dont even miss me"

wait, what?
     
rickey939
Addicted to MacNN
Join Date: Jul 2005
Location: Cooperstown '09
Status: Offline
Dec 17, 2005, 08:22 PM
 
Originally Posted by rambo47
All my passwords are variations on one theme. I add random numbers into the words just to mix things up.
Ditto.
     
turtle777  (op)
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Dec 18, 2005, 09:48 AM
 
Originally Posted by Chris Gilpin
My only concern with using keychain is that if it loses your data and you don't know the passwords then you will be in for a real hassle.
Well, the other big concern is portability.
What do you do if you are NOT in front of YOUR computer ?

-t
     
andreas_g4
Professional Poster
Join Date: Mar 2002
Location: adequate, thanks.
Status: Offline
Dec 18, 2005, 11:20 AM
 
Originally Posted by turtle777
What do you do if you are NOT in front of YOUR computer ?
I never heard those words in that order. What does it mean?
     
Stradlater
Professional Poster
Join Date: Oct 2002
Location: Off the Tobakoff
Status: Offline
Dec 18, 2005, 11:23 AM
 
Elegant solutions discussed in this thread (thanks, Turt).

Just redid all my passwords.
"You rise," he said, "like Aurora."
     
macroy
Mac Elite
Join Date: Nov 2002
Location: Ellicott City, MD
Status: Offline
Dec 18, 2005, 11:40 AM
 
Originally Posted by turtle777
Yes, but doesn't work when you don't have access to your computer.
Plus, it's far too cumbersome to open up keychain every time.

I'm more looking for computer independent solutions.

-t
I hope the "other" computers you're accessing are trusted (like a family member's or a good friend's) and not the ones at a hotel's business center or a public terminal. There are often way too many of them that have keystroke loggers connected to them. And one passive device can typically keep a minimum of 1 gig of data. That's about 6 months worth.

Otherwise, there's been a good amount of good suggestions already... I always say change them often. Password management is a pain, but security is rarely convenient.
.
     
andreas_g4
Professional Poster
Join Date: Mar 2002
Location: adequate, thanks.
Status: Offline
Dec 18, 2005, 11:45 AM
 
Well, I usually am using my own computer, so I don't have to deal with the mobility issue. But when I am going on vacation or else, I have my encrypted disk image on my iPod. Good thing is I can always use a Mac where I go. It's not that versatile, but works in most situations (for me).

btw, I just checked my main password security:

     
turtle777  (op)
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Dec 19, 2005, 11:12 AM
 
Originally Posted by andreas_g4
I never heard those words in that order. What does it mean?
Means: using a different computer than your own.

-t
     
turtle777  (op)
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Status: Offline
Dec 19, 2005, 11:14 AM
 
Originally Posted by macroy
... at a hotel's business center or a public terminal. There are often way too many of them that have keystroke loggers connected to them. And one passive device can typically keep a minimum of 1 gig of data. That's about 6 months worth.
.
Is there any software or so that can detect that ? I assume if it's a hardware logger between keyboard and computer, then you are SOL. Hmm, I never thought about that too much, but it's something worth keeping in mind.

Oh, just had a thought: what if you use the on-screen keyboard with a mouse to type in the passwords ? Any hardware logger shouldn't be able to pick that up. But how about SW loggers ? If they only go after keystrokes, then an on-screen keyboard should circumvent it...

-t
     