How strong is your MetaFilter password? August 6, 2012 8:41 AM   Subscribe

How strong is your MetaFilter password?

Heretofore, mine has been the same "8 letter English word with a single number-for-letter substitution" that I use for any sign-in that doesn't seem like a tempting takeover account.

But after reading this, a KeePass-managed password with thousands of characters sounds increasingly attractive.
posted by Egg Shen to MetaFilter-Related at 8:41 AM (211 comments total) 2 users marked this as a favorite

hunter2
posted by elizardbits at 8:43 AM on August 6, 2012 [12 favorites]


donutsbeanstaters
posted by arcticseal at 8:47 AM on August 6, 2012 [1 favorite]


Phrases are strong passwords. Mine is elizardbits's password is hunter2
posted by shakespeherian at 8:48 AM on August 6, 2012 [36 favorites]


I use LastPass so it's 16 random jumbled alphanumeric mixed caps with I think special characters.

I couldn't even tell you the first character.
posted by winna at 8:49 AM on August 6, 2012 [4 favorites]


I've asked this before: Why should I care if someone hacks into my Metafilter account? What can they gain from impersonating me here? As I said before, the one thing I can think of is that it would cause some inconvenience for the moderators.
posted by muddgirl at 8:56 AM on August 6, 2012 [4 favorites]


My password is

farrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrt

no one will ever figure it out lol
posted by to sir with millipedes at 8:57 AM on August 6, 2012 [4 favorites]


In 1996, my friend Joey and I were in the college computer lab, and he shouted across the lab:

"Hey Jeff – you want an email account? This website is giving them out for free!"

"Why would I need an email account? What do you use that for?"

"I don't know, but it's free! Come on, I'm sure you'll use it sometime."

"Eh, sure, sign me up."

"What do you want your username to be?"

"I don't really care."

"Okay. You're bobothechimp@hotmail.com."

"Uh. Okay. What's my password?"

"It's the name of one of the Blues Brothers."

For the next eight years, I was bobothechimp@hotmail.com, and my password was elwood. And I used that password when I set up my metafilter account, too. That was the password until five minutes ago, when I finally changed the damned thing.
posted by koeselitz at 9:00 AM on August 6, 2012 [29 favorites]


I told the story before about my first Metafilter password, back before we were allowed to change it. At the time, my handle was "yhbc" and I helpfully explained on my profile page that it stood for "Your Humble and Beloved Commissioner". In no time at all, everyone was calling me "commish". My password was "commish".
posted by Curious Artificer at 9:00 AM on August 6, 2012 [5 favorites]


muddgirl -

You should care if you use the same password for your flickr, twitter, or blogspot address (or any other accounts on major services which share a common userID or are otherwise linked). There's also the risk of someone using your account to memail your 39+64 contacts with, for example, a link to a malicious website.
posted by These Premises Are Alarmed at 9:01 AM on August 6, 2012 [3 favorites]


WEREN'T allowed to change it, that is.
posted by Curious Artificer at 9:01 AM on August 6, 2012


Do you use your Mefi password anyplace else? Because if the bad guys figure your password out here, they might try using it at Amazon, iTunes, etc.
posted by COD at 9:01 AM on August 6, 2012


Strong enough to cry publicly at the end of the movie Armageddon.
posted by Brandon Blatcher at 9:01 AM on August 6, 2012 [22 favorites]


11-character mixed case alphanumeric, unique and managed by lastpass.

I've switched to lastpass for most passwords/passphrases because, left to my own devices, I fall into the bad habit of using variants of the same passphrase on multiple accounts.
posted by CBrachyrhynchos at 9:03 AM on August 6, 2012


I personally have three tiers of passwords:

1. Gets used all the time, is the same, and is on sites where I couldn't care less if it was haxx0red and they used it elsewhere. No personal info attached, etc. Only lowercase letters.

2. Gets used regularly, on sites that I'm slightly more security-aware. Alphanumeric, no specials. MeFi is one of these sites.

3. Single use randomly generated 22 key alphanumeric+specials, almost always entered via lastpass/onscreen keyboard/cut+paste to prevent keystroke theft. This is for banking info, facebook, etc. Often also using special gmail tricks like username+sitename@gmail.com as the username or registration email.

That is all. :)
posted by TomMelee at 9:04 AM on August 6, 2012 [1 favorite]


What can they gain from impersonating me here?

Which was my thinking.

But the people who blanked Mat Honan's stuff gained nothing but lulz.
posted by Egg Shen at 9:05 AM on August 6, 2012


Your mom is so fat she's a big fat woman.
posted by Burhanistan at 9:08 AM on August 6, 2012 [1 favorite]


Damn, sorry. Someone hacked my account again.
posted by Burhanistan at 9:08 AM on August 6, 2012 [2 favorites]


Chuck Norris wishes he were as strong as my password.
posted by DU at 9:09 AM on August 6, 2012


You should care if you use the same password for your flickr, twitter, or blogspot address (or any other accounts on major services which share a common userID or are otherwise linked). There's also the risk of someone using your account to memail your 39+64 contacts with, for example, a link to a malicious website.

Yeah, of course we should never use the same password anywhere, which I don't. And it seems like the hacker would be going through a lot of trouble (to hack into an existing account) to save the $5 it would take to just set up a new account and then memail anyone they wanted with a link to a malicious website.

I am not saying that I do use a weak password for Metafilter. I'm just asking why I shouldn't, beyond being nice to the mods who have to clean up messes.

But the people who blanked Mat Honan's stuff gained nothing but lulz.

(1) I can't even delete my stuff on Metafilter (unlike the iEmpire).
(2) Someone with access to my account can't access any other account like GMail (unlike the iEmpire)
(3) If someone were personally targeting me for lulz, the moderators could see via IP addresses that it was someone else, and hopefully just straight up disable my account, allowing me to pay another $5 for the pleasure of spouting nonsense here. It would probably also increase my work productivity if I decided $5 was a high barrier.

I wonder, though, if this has ever actually happened, and what the moderators did about it?
posted by muddgirl at 9:11 AM on August 6, 2012


My master password is a strong phrase, from which I use a bookmarklet to generate unique passwords for each site including Metafilter.
posted by nicwolff at 9:11 AM on August 6, 2012 [4 favorites]


HANDLE
EFFORT
POINTS
Double
Pencil
posted by griphus at 9:14 AM on August 6, 2012 [12 favorites]


In addition to the whiz-bang fancy passwords I have for "real" stuff, I have two stock not-very-secure passwords I use for all the stuff I don't care about. There's one I use for stuff I *really* don't care about. That used to be the one I had on here. Then I changed it after it got sort-of-public'd in this post to the one I use for stuff I sort of don't care about. If I change it now, I'll have too come up with a tertiary class of password, and I think that's more than I can really handle right now.

The day that I find someone who cares enough about metafilter to actually steal my password and use my account here is the day I find someone more mefi-addicted than me, and really--if that person exists, he needs all the help he can get. Better to make it easy for him to out himself.
posted by phunniemee at 9:19 AM on August 6, 2012 [1 favorite]


Why should I care if someone hacks into my Metafilter account? -- It's just good security practices. If you're careful with your least important online account, you'll be careful with your most important one.
posted by crunchland at 9:20 AM on August 6, 2012 [1 favorite]


The best thing you can do is sign up with a password manager like LastPass or 1Password. At first, they're just handy because they will suck in all your passwords and auto-fill login forms for you. But the longer you use them, the better they are because every new site you join won't get your same low-security password, instead you'll let the tool generate a crazy hard password for you.

I'm about three years into LastPass and it's a killer app. I don't even know my Twitter, Google, or even MetaFilter passwords. I have to pop open the app and copy them whenever I hit a form I can't auto-fill. Additionally, with LastPass, I can't even log into my account unless I'm using a cleared device that gets through only after matching a random number generator that only exists on my phone with the Google Authenticator app.

It's a great system and I've gone back and updated my passwords on every system I use regularly. There are probably a dozen or so very old sites that still have my 1995-era low security password, but I'm pretty sure I would be pretty safe these days and hackers would do minimal damage if they got one of my accounts.
posted by mathowie (staff) at 9:21 AM on August 6, 2012 [37 favorites]

I am not saying that I do use a weak password for Metafilter. I'm just asking why I shouldn't, beyond being nice to the mods who have to clean up messes.
Well, I can't answer as to why you shouldn't. But other people might be concerned about:

1: Having hidden contact information revealed.

2: Potential leapfrogging by using the same password for multiple Web sites. Those sites might have additional personal or contact information that could be used to get around security questions.
posted by CBrachyrhynchos at 9:29 AM on August 6, 2012


It's just good security practices. If you're careful with your least important online account, you'll be careful with your most important one.

Let's say I am at a library with some time to kill, and want to surf the internet. Because I don't trust Cybercafe computers, I don't use a password app (as my master password could be keylogged, and my password file could be intercepted). By the logic of always-tightest-security, I shouldn't log in to any service on the internet - not Metafilter, not Gawker, not Hairpin, not the NYT comment section, not my subscription service to LexisNexus or what-have-you. Do people really do this? Or do they actually go ahead and use their service and reveal their master password which could give access to much more sensitive services than the Gawker comment section?

(I do use a password manager for 99.9% of passwords, possibly including metafilter. I'm just wondering what the harm is in having a low-security (but still unique) password for a minority of sites that I might want to access on the road without accessing my secure-password system.)
posted by muddgirl at 9:29 AM on August 6, 2012 [1 favorite]


Well, you can read all of those sites without logging in. Granted, you lose your 'last read' pointer, and you can't read your memail, but that's the small price you pay for using an insecure machine.
posted by crunchland at 9:35 AM on August 6, 2012


I understand that, crunchland - I'm asking if people actually do this, or if an insistence on super-secure passwords everywhere leads to a different sort of insecurity.
posted by muddgirl at 9:37 AM on August 6, 2012


My serious password used to be a 1337-speak version of the amount of energy expended in North America per year. Now it's a 1337-speak transliteration of a aeronautical term that coincidentally I found misspelled on an AOL floppy almost twenty years ago. I'm thinking of changing it to a 1337-speak version of a physics term used by audio and automotive engineers. Plus a "69" at the end (cue Beavis and Butt-head laughing).
posted by infinitewindow at 9:38 AM on August 6, 2012


My password isn't strong but it has a good sense of humour.
posted by Decani at 9:38 AM on August 6, 2012 [3 favorites]


For most, if not all, of my passwords I use a combination of initials from dead people I know alternated with the disarm codes for various alarm systems in the building I work in. Don't know if that's secure, but I guess if things get figured out, I reckon it will be more tempting to use it rob a credit union than access my Twitter.
posted by Alvy Ampersand at 9:39 AM on August 6, 2012


Decani's password is "David Sedaris."
posted by griphus at 9:41 AM on August 6, 2012 [8 favorites]


By the logic of always-tightest-security, I shouldn't log in to any service on the internet - not Metafilter, not Gawker, not Hairpin, not the NYT comment section, not my subscription service to LexisNexus or what-have-you. Do people really do this?

You type your passwords on public computers?

Ummm...yes, people really do avoid that. Especially as public computers, even if they don't have all kinds of malware all over them, can easily be simply set to remember passwords silently.
posted by DU at 9:42 AM on August 6, 2012 [1 favorite]


Silly question, but it raised up yhbc, so great post!
posted by stupidsexyFlanders at 9:42 AM on August 6, 2012 [2 favorites]


You type your passwords on public computers?

I don't usually use public computers anymore. But until recently I typed passwords onto my phone, which I realized was bad policy after I lost it. For me this is a more general question than a specific one - some people DO use public computers, and public computers may be one of the only ways they can reliably access the internet.
posted by muddgirl at 9:44 AM on August 6, 2012


I don't know what other people do. I use my own tablet when I'm out and about with the lastpass app, even though I assume by default that the wifi probably isn't secure. For the sites that don't offer a secure https connection (like metafilter, hint hint), I go ahead and log on with my long-ass lastpass generated password, and hope no one is sniffing my packets. If someone was, and saw my login info sent in the clear, and then made a mess, I'd sort of figure that the people who run the website aren't particularly concerned about login security anyway. And I wouldn't dream of logging onto anything of real importance without a secure encrypted connection, and even then, I'd think twice before doing it.
posted by crunchland at 9:44 AM on August 6, 2012


What I always get a kick out of are articles that pull up passwords from, say, Gawker, and then lament that they're simple passwords like '12345'. Surely from a security standpoint, you might as well use some bullshit easy-to-remember password rather than relying on said website storing it in a secure manner.

Obviously for important websites you want longer secure passwords, so I use 12345678.
posted by Deathalicious at 9:45 AM on August 6, 2012 [4 favorites]


If I recall correctly, Honan's account was compromised through social engineering, not password cracking. Maybe you should be more concerned about someone plying Cortex with Scotch and doughnuts at a meetup.
posted by Horace Rumpole at 9:46 AM on August 6, 2012 [1 favorite]


I have never found password to be strong enough, so I protect my web presence with kung fu.
posted by Bunny Ultramod at 9:47 AM on August 6, 2012 [1 favorite]


(Another thing you could do, though it's a total hassle, is connect to your own secure server via a VPN connection, and then surf away, knowing that everywhere you go, to secure or insecure logins, your traffic stream is encrypted. Services like GoToMyPC make it easier, but I doubt you'd be willing to pay the $14.95 a month to connect up to Metafilter securely.)
posted by crunchland at 9:50 AM on August 6, 2012


Maybe you should be more concerned about someone plying Cortex with Scotch and doughnuts at a meetup.

Coincidentally, this is also how you get him to not send those photos of me to the press.
posted by griphus at 9:50 AM on August 6, 2012


12345? That's the same combination I have on my luggage!
posted by moammargaret at 9:52 AM on August 6, 2012 [1 favorite]


Maybe you should be more concerned about someone plying Cortex with Scotch and doughnuts at a meetup.

One or the other, as the situation dictates. Never both at once.
posted by cortex (staff) at 10:02 AM on August 6, 2012 [2 favorites]


If you use the same password on MeFi as you do for your bank account then shoot me a MeMail, you idiot.
posted by laconic skeuomorph at 10:03 AM on August 6, 2012 [1 favorite]


Lastpass has multiple mechanisms for dealing with untrusted computers: on-screen keyboards, one-time passwords, grid multifactor, yubikey, sesame, google authenticator, fingerprint, and smart cards. Granted, some multifactor systems have been broken but those cases seem to be the exception given the abundance of low-hanging fruit.
posted by CBrachyrhynchos at 10:07 AM on August 6, 2012 [1 favorite]


My password is 'biscuits.' Because delicious.
posted by Alexander Hatchell at 10:07 AM on August 6, 2012 [1 favorite]


Mine is "romney2012".
posted by MuffinMan at 10:12 AM on August 6, 2012 [1 favorite]


Aha. Sc0tchAn6donUts. Great find...
posted by Namlit at 10:15 AM on August 6, 2012


Who logs out?
posted by adamvasco at 10:18 AM on August 6, 2012 [5 favorites]


cortex: "Maybe you should be more concerned about someone plying Cortex with Scotch and doughnuts at a meetup.

One or the other, as the situation dictates. Never both at once.
"

There has to be a way to make a pseudo-rum-cake by layering doughnuts and pouring scotch over them... (possibly involving more steps/ingredients than just that.)
posted by Karmakaze at 10:28 AM on August 6, 2012


Take the Strawberry Shortcut.
posted by griphus at 10:31 AM on August 6, 2012


Yeah, I don't even know my password because it's been so long since I logged in...
posted by rabbitrabbit at 10:31 AM on August 6, 2012


Decani's password is "David Sedaris."
posted by griphus at 5:41 PM on August 6


Actually it's DFWFTW, because no one will ever think of that.
posted by Decani at 10:37 AM on August 6, 2012


Plus a "69" at the end

69 is ALWAYS funny. When we go to the Staples or wherever (this happens a lot since I need to buy school supplies) if Mr. Pterodactyl leaves me unsupervised I inevitably sneak off and type "696969696969" on all of the calculators unless it's a special occasion in which case on some of them I type "BOOBS". I am profoundly mature and it is super awesome.
posted by Mrs. Pterodactyl at 10:43 AM on August 6, 2012 [11 favorites]


Long ago in the dial up era (and around the time "A League of Their Own" was out) my tech support team would often share amusing user passwords one with the other. This would often prompt a loud "THERE'S NO *BLANK*ING IN TECH SUPPORT" and laughter. Most people would know to mute their headsets but some interesting things got yelled for our customers to hear.

Especially that guy whose password was "10inchcock".
posted by PapaLobo at 10:43 AM on August 6, 2012


Analysis of the Stratfor Password List. A ridiculous number of people used "qwerty", "12345" and other very common passwords. The Tech Herald reported that it took them just 7 minutes to crack 25,690 passwords.
posted by mlis at 10:44 AM on August 6, 2012


HANDLE
EFFORT
POINTS
Double
Pencil

J'accuse!alsoselflink
posted by PapaLobo at 10:47 AM on August 6, 2012


BNDus3r9lives!
posted by Burhanistan at 10:53 AM on August 6, 2012 [1 favorite]


L33tsp34k is unbr34k4bl3 cod3.
posted by Artw at 10:57 AM on August 6, 2012


(slaps 69 on the end just in case)
posted by Artw at 10:57 AM on August 6, 2012


1 2 3 4 5??? That's the passcode on my luggage!
posted by Grither at 10:59 AM on August 6, 2012


Mine is an uncommon english word that I accidentally misspelled but has a sub or two in it as well.
posted by bz at 11:00 AM on August 6, 2012


One Spaceballs reference per thread is more than enough, thank you.
posted by Burhanistan at 11:00 AM on August 6, 2012


Wow hunter2 is kind of a niche meme innit?
posted by Mister_A at 11:00 AM on August 6, 2012 [1 favorite]


hunter2? I've got the same combination on my

wait
posted by griphus at 11:02 AM on August 6, 2012


I can't even delete my stuff on Metafilter

So here's a question for the moderators. Generally speaking, you do not delete comments from threads if the discussion has moved past them, and especially if the discussion has incorporated them. Even in cases of offensive comments you will sometimes say, "We would have deleted that, but now there's a derail and a MeTa and it's less confusing to just let it stand."

Would you make an exception for a hacked account? Let's say somebody hacked into Tom's MetaFilter account, posted a few vanilla comments into threads, and then over the course of a day began posting progressively more racist comments that ultimately resulted in a flamefest, a MetaTalk thread, the works. The next day, you (moderators) and Tom discover that this was all done by a hacker. Unfortunately for Tom, his MetaFilter username is TomBrewsCoffee, a username that is widely linked to him. His official Twitter is TomBrewsCoffee. His coffee store is named Tom Brews Coffee.

Would you cleanse his MetaFilter activity to protect his reputation? Would your decision depend on how the hacker had gained access (leaving a public computer logged-in, brute force, cracked MetaFilter database, etc.)?
posted by cribcage at 11:07 AM on August 6, 2012


On a serious note, my password is weak as I am hoping someone will steal my MeFi account and post a little more often.
posted by Mister_A at 11:10 AM on August 6, 2012


Your password isn't weak, you're weak!
posted by Burhanistan at 11:11 AM on August 6, 2012 [2 favorites]


At the time, my handle was "yhbc" ...

Am I the only one that gets a little frisson of serendipity when a relatively new-to-me user self-identifies as a long-time user? It's weirdly pleasant.
posted by monju_bosatsu at 11:14 AM on August 6, 2012 [3 favorites]


You're not alone monju_.

Hi commish!
posted by carsonb at 11:17 AM on August 6, 2012


Oh, and this is the thread that finally made me change my 11 year-old MeFi password. This new one is shiny!
posted by carsonb at 11:20 AM on August 6, 2012


I use variations on a couple of passwords, with an extremely simple algorithm to tie it to the site the password is for. So, like, my stock password plus the second character in the domain name of the site the password is for. But not that. A SECRET algorithm.

My MetaFliter password is my OLD password, from before I came up with my scheme, but it has an extra letter stuck onto the end of it because when I signed up (or changed passwords) my password was one character too short. I've mentioned this in a previous password thread (or dreamt that I did? I can't find it) but PB said they didn't think there used to be a limit. But there was.
posted by dirtdirt at 11:20 AM on August 6, 2012


I have a Security 101 question. If I use 1Password on my laptop and come up with some awesome passwords that I don't even know, how to I log in to those accounts if I'm on my phone or my tablet?
posted by The corpse in the library at 11:24 AM on August 6, 2012


My password is

farrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrt

no one will ever figure it out lol
posted by to sir with millipedes


What a coincidence! That's my password--no one will ever figure it out lol
posted by weapons-grade pandemonium at 11:26 AM on August 6, 2012


Burhanistan: "One Spaceballs reference per thread is more than enough, thank you"

Dang, I even scanned the thread to make sure I wasn't posting double.

Need to polish up my scanning skills, apparently.
posted by Grither at 11:27 AM on August 6, 2012


I just picture pb doing some serious pince-nez action at the thought of everybody and his brother trying out user names and passwords.
posted by boo_radley at 11:27 AM on August 6, 2012 [1 favorite]


The corpse - they usually have a phone app and a way to sync. I use KeePass and an online folder syncing service to sync my passwords between my home computer, my work computer, and my phone.

You can usually even install them on a thumb drive to use on any computer you want, but as mentioned before, one shouldn't trust ones passwords on a computer they don't control.
posted by muddgirl at 11:28 AM on August 6, 2012 [1 favorite]


cribcage, I've deleted things/temp-banned before on the basis of "either you're drunk/addled in some way, or someone is accessing your account," and the thing to recognize is that at the point that someone's comments become offensive or bizarre, that's the point when they will be flagged and we'll notice, so it's not so much a question of how delicately the hijacker gears up – that doesn't matter to us, because we're not monitoring their comments all day. We see their comments at the point that they become a problem. If the behavior is out of character for a long-time member, we'll suspect it may be a hijack, and be more proactive with a short-term banning or tracking and insta-deleting until we can suss out what's happening. And even if it turns out it's just "this allergy pill didn't react well with this after-work cocktail," deletions or a night off is probably going to be appreciated by that person.

The last time I encountered one of these situations, someone had logged into their account while there was a party going on at their house, and a friendly guest made some doofus comments on their behalf.
posted by taz (staff) at 11:32 AM on August 6, 2012


Would you cleanse his MetaFilter activity to protect his reputation?

Depending on the specifics we'd consider it. Unlikely shit happening that fucks someone's situation up is something we're absolutely going to be down with discussing with that person. This partly presupposes that there'd be anything in the vein of Sudden Jarringly Racist Comments Out Of Nowhere that wouldn't get flagged to death anyway; there's a reasonable chance in such a scenario that the weirdness would be nixed, a note left, and if the hackerly life-ruiner kept going the account would just get a timeout in any case.

But as hypotheticals go this one is pretty hairy, so trying to answer it speculatively in any concrete way seems like a sort of useless idea. We'd deal with it as it came up if it came up.

Would your decision depend on how the hacker had gained access (leaving a public computer logged-in, brute force, cracked MetaFilter database, etc.)?

I cannot imagine that would have much of anything to do with it, no. Getting your ass hacked vs. getting drunk and acting out is about the biggest distinction in even how we'd be approaching someone's bizarro behavior. And from experience, "I was drunk, oh man" has happened a number of times and "I was hacked and someone attempted to sully my name" not so much.
posted by cortex (staff) at 11:35 AM on August 6, 2012


But too bad your ass got haaaaaaacked.
posted by Burhanistan at 11:38 AM on August 6, 2012 [2 favorites]


The last time I encountered one of these situations, someone had logged into their account while there was a party going on at their house, and a friendly guest made some doofus comments on their behalf.

Was it: hope! i'm being held captive in a secret underground artspace

posted by mlis at 11:38 AM on August 6, 2012 [2 favorites]


It's the same as my luggage's combination.

I've been kicking around an idea where your password is a series of four different nouns, say "car bunny sparkle couch." Nothing too fancy. The order is =not= important, and the nouns will be selected for you by the system.

Instead of a password field, you are shown pictures culled from GIS - you click on a bunny if there's a bunny, then another set of images, you click the car, then another set of images, click the sparkle, then finally click the couch in the last set. If you get one of them wrong, it won't tell you until after the last set. If you don't see any of your nouns in a given set, hit "reload" like a captcha - it will show a new set of pictures, but of the nouns in the last set. (No playing "reload until I can see which one stays the same")

The whole deal would take about the same amount of time as typing out a 16-characters-with-numbers-and-symbols-and-upper-and-lower-case password, and will be a hell of a lot easier to remember. While the password images and their attendant clicks could be intercepted, it would require image analysis software at the very least, more likely an actual human to watch the transaction from a recorded screen grab. A lot harder than simple key-logging or trojan browser plug-ins.

There is some risk to brute-forcing if they can nab the encrypted "noun/user list" from the server, and a bigger risk if they can sniff the requests to GIS (unless the server caches a whole bunch of 'em for a whole bunch of nouns, doable if they keep the images thumbnail sized), but the user-end problems with passwords would be greatly decreased.
posted by Slap*Happy at 11:48 AM on August 6, 2012 [1 favorite]


Nthing long but memorable (to you), idiosyncratic phrases with unusual names and/or numbers buried somewhere in the middle, as a natural part of the phrase.
posted by ifjuly at 11:50 AM on August 6, 2012


My MetaFilter password is the complete text of the Treaty of Westphalia.
posted by It's Never Lurgi at 11:51 AM on August 6, 2012 [5 favorites]


but that's the same as the password on Ferdinand III's luggage
posted by elizardbits at 11:52 AM on August 6, 2012 [4 favorites]


While the password images and their attendant clicks could be intercepted, it would require image analysis software at the very least,

Why? Record the image name that was clicked on. You don't need to know that the password was "car buyy sparkle couch". You need to know that it was "img1000", "img12", "img23", "img5010".
posted by muddgirl at 11:52 AM on August 6, 2012


l1k3Bu!!
posted by Eideteker at 11:59 AM on August 6, 2012


...wait, we can change our passwords now?!
posted by vorfeed at 12:09 PM on August 6, 2012


Yes, I just changed yours.
posted by Brandon Blatcher at 12:10 PM on August 6, 2012


I changed all my passwords (and do it often for emails and whatnot) except on Metafilter. I was a)simply too afraid I'd forget it one day and b) who logs out? (as adamvasco put it so well)

I wonder, though, if this has ever actually happened, and what the moderators did about it?

Got cranky but held on to the lifevest long enough for me to come up for air and realize that it was a lulz beyond a simple hack but a social engineering mindfuck by sophomores in computech. Took a year for everything to settle down.
posted by infini at 12:12 PM on August 6, 2012


Wuahahahahahaha!

posted by Brandon Blatcher at 9:11 PM on august 6 [+] [!]
posted by Namlit at 12:14 PM on August 6, 2012 [1 favorite]


Oops. August.
hehe
posted by Namlit at 12:14 PM on August 6, 2012


I also never log out. But that means that I always, always forget my password, and have had to reset it every time I've switched to a new computer/device. It's actually probably my most changed password.
posted by Ragged Richard at 12:15 PM on August 6, 2012


Metafilter: What, can you ever log out from here?
posted by Namlit at 12:16 PM on August 6, 2012


on-screen keyboards, one-time passwords, grid multifactor, yubikey, sesame, google authenticator, fingerprint, and smart cards

Sometimes I feel like I'm being way too cavalier with my online passwords, but how much of this is rooted in legitimate security concerns and not belt-and-suspenders paranoia and tech wankery? I mean, there's gotta be a point where the effort to maintain this kind of protection is more hassle than it's worth to log in to a forum and post lulz.

We've got so much security at work that it noticeably slows down my computer when I log in to the network. Honestly, I feel the best protection we have here is the RSA token everyone gets issued (yeah, they got hacked... that's another story). I (without any kind of validation to back it up) feel that social engineering is a much bigger threat than some l33t haxx0r cracking a hash table or whatever, and the average person is going to be much more susceptible to phishing attacks or someone looking over their shoulder while they're at a public terminal. At least with the token it's much more unlikely that you can a) coax my PIN out of me and also b) steal the token.

Point being that Metafilter should issue RSA tokens to everyone.
posted by backseatpilot at 12:25 PM on August 6, 2012


not so fast.
posted by crunchland at 12:27 PM on August 6, 2012


My password is "strong".
posted by goethean at 12:29 PM on August 6, 2012 [1 favorite]


TedW is a complete jerk, and ugly to boot.

He also has a ridiculously weak password.
posted by TedW at 12:38 PM on August 6, 2012


I don't even know my Twitter, Google, or even MetaFilter passwords.

Doesn't this freak you out a little? I hate to be so dependently at the mercy of a single key site. Also, I'm deeply trusting that they won't get hacked, and fucked if they do.
posted by Miko at 12:41 PM on August 6, 2012 [4 favorites]


Miko-
Lastpass DID have a security breach, pertaining (I think) to a compromised cache, if I remember correctly. They forced two-part authentication until you changed it or turned off the notification. 0 anythings were compromised. They're not foolin' 'round.

And if you're super secure, use KeePass and put the portable app on a flash drive.
posted by TomMelee at 12:45 PM on August 6, 2012


I hate to be so dependently at the mercy of a single key site.

By using a hash nothing has to be stored: http://ss64.com/passwords/
This is based on Nic Wolff's password generator linked above, they will both generate the same codes based on your master password.
posted by Lanark at 12:47 PM on August 6, 2012 [2 favorites]


I wouldn't want to be at the mercy of a single key site, but using Keychain Access on Mac OS X and then backing up with old-fashioned pen and paper works okay. If you have to use multiple computers, I guess that's a different problem.

Thanks to the mods for indulging my hypothetical. Just curious.
posted by cribcage at 12:51 PM on August 6, 2012


Let's lock our passwords inside a metal cage and bang on it with sticks until they become agitated and begin to fight.

THEN WE SHALL SEE WHOSE IS STRONGEST
posted by prize bull octorok at 12:54 PM on August 6, 2012 [7 favorites]


Record the image name that was clicked on.

It's assigned a name by the server on the fly - in the server's image store, the bunny may be "img0123456", but it will rename them for the session to something long and random, like imgJLHUBvCL87vgFdkbG, and it will be different each time it's shown to the client - the server will keep track of what position it's showing what image on the back end. The only thing the client is doing is showing pictures in random order, and sending back which one was clicked.

So -

1) The server decrypts your nouns based on username and short password or PIN sent by the browser.
2) The server selects an image signifying your first noun from its store of cached images, and renames it to something random.
3) It selects seven other images at random, and changes their names to something random as well, and then uploads them in random order.
4) The browser shows the images in random order, and then reports back to the server which one was clicked, or if it needs another batch of images.
5) The server checks to see if the randomly generated image name matches up with the one it generated for the first noun.
6a) If it matches, Lather, rinse, repeat.
6b) If it fails, show three more screens of randomly selected images with randomly selected names. If the user hits reload twice, start over after a timeout.

From the user perspective: "Username and my birthday... now pick the bunny! Oops, I may have clicked the otter. Hmm, I don't see any of my other nouns in the next set, let's reload... nope... reload... Oh! Startover, I guess I hit the otter after all."
posted by Slap*Happy at 1:00 PM on August 6, 2012


Doesn't this freak you out a little? I hate to be so dependently at the mercy of a single key site. Also, I'm deeply trusting that they won't get hacked, and fucked if they do.

Lastpass doesn't have your passwords. What they have is a brick of data encrypted with a strengthened key (PDFBK2) and AES256. If you log in to lastpass, you send an hash of your password, and they send you the brick and the javascript libraries to decrypt the brick. If lastpass gets hacked in the same way as gawker, the attackers get a brick statistically indistinguishable from random numbers.

If lastpass gets hacked in a way that makes that brick unavailable, well, I know all the important passwords and the rest can be reset as needed.
posted by CBrachyrhynchos at 1:03 PM on August 6, 2012 [1 favorite]


Clearly I just don't understand any of this.
posted by Miko at 1:05 PM on August 6, 2012 [1 favorite]


My mother's maiden name is impregnable.
posted by infini at 1:12 PM on August 6, 2012 [3 favorites]


PASSWORD IS STRONG LIKE BULL MOOSE
posted by Sticherbeast at 1:15 PM on August 6, 2012 [3 favorites]


mathowie: "The best thing you can do is sign up with a password manager like LastPass or 1Password. [snip respectfully]"

Okay, mathowie, you convinced me. I've been holding off on doing this for a long time. Just installed LastPass. If I have any trouble with it, what was your home phone number again?
posted by Splunge at 1:16 PM on August 6, 2012 [1 favorite]


My password is ********
posted by jenkinsEar at 1:18 PM on August 6, 2012


My voice is my password.
posted by emelenjr at 1:22 PM on August 6, 2012 [3 favorites]


My password is in song, three notes, high and pure.
posted by griphus at 1:38 PM on August 6, 2012


As of when the LinkedIn leak occurred, I had two weak passwords in my life: LinkedIn and Metafilter. I finally got around to fixing that then...
posted by Zed at 1:42 PM on August 6, 2012


My understanding of how browsers and servers work indicates that you can't just rename an image to something random. An image is stored on the server - the filename of that image is sent to the client. The server would have to copy each set of 7 x 3 images to a unique filename, for every client accessing the server at a particular moment. That's a lot of memory compared to a simple salted hash database which is plenty secure.

How do I know that my "bunny" and the server's "bunny" are the same bunny? This system is potentially very frustrating, similar to 99% of capcha systems.
posted by muddgirl at 1:47 PM on August 6, 2012


ikst╓█·beefular
posted by quonsar II: smock fishpants and the temple of foon at 1:51 PM on August 6, 2012 [1 favorite]


muddgirl: Not necessarily so.

The client asks the webserver for an asset (an image, etc). The webserver can easily provide whatever image data it wants. There can be a direct correlation with a filename, but there does not have to be. It could return different images to different clients irregardless of the requested image name.
posted by zoo at 1:52 PM on August 6, 2012


I just set myself up with KeePass, and now I have no idea what it is other than that it's 178 bits strong.
posted by Scientist at 1:55 PM on August 6, 2012 [1 favorite]


not strong, but I only use it here so the worst that could happen is that some asshole starts posting as me. Which, depending on the asshole, might be a net gain for Metafilter. So there's that.
posted by jquinby at 1:55 PM on August 6, 2012


weak as a newborn kitten
posted by Sebmojo at 1:59 PM on August 6, 2012 [1 favorite]


The client asks the webserver for an asset (an image, etc). The webserver can easily provide whatever image data it wants. There can be a direct correlation with a filename, but there does not have to be. It could return different images to different clients irregardless of the requested image name.

So what's the benefit over an on-screen keyboard (where, say, the letter S was encoded as a random image name, and the letter A, and so on)? I guess most people can remember 4 random words better than a series of letters and numbers, but personally I would have to reset my password every time I was faced with 7 images of dubious relationship to my half-remembered passphrase.
posted by muddgirl at 2:01 PM on August 6, 2012


Needs facial unlocking.
posted by Burhanistan at 2:04 PM on August 6, 2012


Also, is this the right place to complain that the places that really need strong passwords seem to be the ones that have really shitty password rules that almost *require* you to make weak ones? My bank, for instance, has great security measures other than the fact that its maximum password length is a measly ten characters. Why the fuck would anyone think that it was a good idea to set a 10-char maximum on a bank password?

And then my ISP has requirements that are something like, "Maximum nine characters, must contain at least one lowercase letter, at least one uppercase letter, and at least one number. No special characters." Meaning that whatever I pick is going to be both weak and a pain in the ass to remember. And for PayPal it's practically a scavenger hunt just to get to the form where you change your password, virtually guaranteeing that you will never ever do it.

But then good 'ol MetaFilter will just let you bang any old thing into the password form that you like (though I assume there are minimum requirements) such that if you want your password to be 1haer0988w34at.a?>F>AWERFAW,maw40a8w43haw09843;;;ÂÄÙÆiÊÞïBRsïāûçæÒ¾Q? you're totally good to go, no problem.

I really don't understand the world, sometimes.
posted by Scientist at 2:04 PM on August 6, 2012 [2 favorites]


I've been paying careful attention here, and based on so many unreserved recommendations I confidently changed my password everywhere to "KeePass". Thanks everyone!
posted by George_Spiggott at 2:05 PM on August 6, 2012 [4 favorites]


I would implement Slap*Happy's password protocol immediately, if only to make my password:

Badger Badger Badger Badger Badger Badger Badger MUSHROOM MUSHROOM
posted by Debaser626 at 2:05 PM on August 6, 2012 [1 favorite]


(And MetaFilter makes the Change Password option the very first link on the Profile Edit form, which is fucking brilliant. Seriously, the design of this place is crazy good and it just blows my mind that the rest of the internet is so terrible. When I come here from some other place on the 'net it feels like a cool, refreshing breeze is blowing over my face and somebody has just handed me a cold beer.)
posted by Scientist at 2:08 PM on August 6, 2012 [2 favorites]


Burhanistan: "Needs facial unlocking."

Messy, that.
posted by Splunge at 2:11 PM on August 6, 2012


Would you cleanse his MetaFilter activity to protect his reputation? Would your decision depend on how the hacker had gained access (leaving a public computer logged-in, brute force, cracked MetaFilter database, etc.)?

We don't care why your account was hacked, if someone who was not-you was posting shit via your account we'd most likely delete those comments and leave a note though, as cortex says, we don't much like playing the "superman/mighty mouse" game, and we'd deal with it when it came up. My password here is decently secure; I'm much more concerned about making sure I log out when I'm using a computer that is not mine since I log in from all over the place [less so now that we have smartphones that allow us to tether, I hate moderating from a phone] so that someone can't goof around.

My issue is more sites that use unchangeable "security" questions many of which either aren't applicable [marriage, kids, whatever] or can be answered by a glimpse at my Wikipedia page and/or facebook. I just have stock answers that I make up now for things like "town of first school and that sort of thing, but I'm mostly just happy that no one has tried to hack me. Way back in the day I got someone who hacked into my gmail account because they knew my security questions and used that to send me an email telling me to change my password. Nice guy.
posted by jessamyn (staff) at 3:32 PM on August 6, 2012


if you want your password to be 1haer0988w34at.a?>F>AWERFAW,maw40a8w43haw09843;;;ÂÄÙÆiÊÞïBRsïāûçæÒ¾Q? you're totally good to go, no problem

God damn it, Scientist, now I have to change it again.
posted by nicwolff at 3:46 PM on August 6, 2012 [1 favorite]


Yeah my trick for security questions has been to not answer the question, but I realized I've basically been using the same word or sets of words, and I should probably just start treating it like a second password.

Basically security questions are sort of pointless and sites should stop using them, unless they're ungooglable like "the third digit of your grocery store club card". Some sites allow users to write their own, which is minimally better.
posted by muddgirl at 3:47 PM on August 6, 2012


It's also my online banking password, pin number, and Chipotle club access code.
posted by WhitenoisE at 4:06 PM on August 6, 2012


When I'm on a public computer and need to log into gmail or something, I follow these steps:

1. Log out of the last person's gmail account (usually necessary)
2. Type part of my username
3. Find a letter or two of my username that exists on the login page, copy and paste that into the field
4. Type the rest of my username
5. Repeat steps 2-4 for password
6. Use gmail in incognito window
7. Log out of gmail
8. Clear stored browser data

Optional steps:
9. Unscrew the back plate of the computer tower
10. Remove hard drive and RAM
11. Drive to an Indian Burial ground where a new police station is scheduled to be built next week
12. Bury the hard drive and RAM six feet under while saying the Lord's prayer backwards.
posted by Salvor Hardin at 4:21 PM on August 6, 2012 [4 favorites]




Then from now on steps 9-12 are not optional.
posted by Salvor Hardin at 4:27 PM on August 6, 2012 [7 favorites]


(I should note that the link tested 'commercial keyloggers' - I don't really know if there are, like, classes of keyloggers. Maybe starting out with Class M: Licensed to script kiddies only.)
posted by muddgirl at 4:29 PM on August 6, 2012


My password is so strong even I do not know it.

dear god don't let me ever click "logout" by accident.
posted by Reggie Knoble at 4:30 PM on August 6, 2012


One or the other, as the situation dictates. Never both at once.

maybe you should be more open minded, cortex
posted by madamjujujive at 4:31 PM on August 6, 2012


I realized recently that I have absolutely no idea what my MeFi password is, since I'm just logged in on my computers. I tried to get in somewhere else and couldn't remember it at all — then I decided it wasn't that important at all.
posted by klangklangston at 4:31 PM on August 6, 2012


Sometimes I take an old password and change each character to the character on its right. So 'A' becomes 'S.'

Anyone else do this?
posted by hot_monster at 4:58 PM on August 6, 2012


hot_monster: Anyone else do this?

Mp/
posted by gman at 5:00 PM on August 6, 2012


My password can destroy entire galaxies with its eyelashes.
posted by stavrosthewonderchicken at 5:03 PM on August 6, 2012


:p:@
posted by hot_monster at 5:05 PM on August 6, 2012


— then I decided it wasn't that important at all.

story of my life.
posted by philip-random at 5:21 PM on August 6, 2012


I just checked my password, learned that it was the same unimportant-things password I'd been using back in 2005 for everything, and updated it.

Related: I'd needed to change some passwords for other things. They kept asking for numeric strings. Something easy to remember, but not obvious, no birthdays or addresses or phone numbers.

21202, my brain suggested. And I could not figure out why, until -- oh. MeFi has eaten my brain, truly.

I didn't use it, though at this point my finances could only improve if somebody hacked them.
posted by cmyk at 5:27 PM on August 6, 2012


Do people really do this? Or do they actually go ahead and use their service and reveal their master password which could give access to much more sensitive services than the Gawker comment section?

LastPass has a feature for situations like this where it will generate several one-time master passwords for you. If you're on a hideously infected PC, the password may be logged, but it won't work anymore by that time anybody gets their hands on it.

Two-factor authentication is another important feature. I can't get into my LastPass account without entering a six digit code given to me by the Google Authentication app on my phone. Combined with the fact that all my password are unique and insanely strong, I'd like to think I'm decently safe.

In fact, I just ran the LP security check and scored a 94.2%. I'm in the top 2000 "most secure" users.
posted by aheckler at 5:32 PM on August 6, 2012


TIL LastPass has a security check. BRB.
posted by Splunge at 6:35 PM on August 6, 2012


Wow. 58.4 %. I have some work to do.
posted by Splunge at 6:38 PM on August 6, 2012


Burhanistan: "Needs facial unlocking."

Great, now Nic Cage is posting as me. Y'know, I could eat a peach for hours.
posted by arcticseal at 6:45 PM on August 6, 2012


Mine is 9.3%. I'm not sure I even deserve to be using the internet.
posted by jessamyn (staff) at 6:49 PM on August 6, 2012 [1 favorite]


Now that I've made the changeover to lastpass I can safely admit that my password for almost everything for the last ten years has been a minor variation on the title of a Van Halen album that was already a combination of letters and numbers. Still, I think ten years of security through cock rock is a pretty good run.
posted by Divine_Wino at 7:01 PM on August 6, 2012


I know it's not secure, but swordfish would be amusing.
posted by theora55 at 7:05 PM on August 6, 2012


Hmm, I just signed up for KeePass today but am not fully sold on it mostly due to the clumsy integration with Android. Can anybody give an unbiased rundown of the pros and cons of LastPass vs. KeePass, and perhaps speak to their portability and integration with mobile devices such as smartphones?
posted by Scientist at 7:06 PM on August 6, 2012


Scotch whiskey and donuts together? Served aflame, of course. This could be the official MetaTalk cocktail/breakfast food. Research is necessary; I wonder if I can get a grant.
posted by theora55 at 7:10 PM on August 6, 2012


moderating from a phone

And now I must know: are moderation features integrated on the mobile site, or do you have to use the standard site?
posted by reprise the theme song and roll the credits at 7:14 PM on August 6, 2012


We have a lightweight simple mobile admin panel that we can use, but I think most of us just use the regular old admin page from the regular site.

It looks like without LastPass premium, I can't access my LastPass vault from my phone? That makes using it somewhat tough, or costly. But I don't store much stuff in the cloud anyhow and my hard drive backup is only a week or so old so I'm feeling pretty okay.
posted by jessamyn (staff) at 7:20 PM on August 6, 2012


Lastpass doesn't have your passwords. What they have is a brick of data encrypted with a strengthened key (PDFBK2) and AES256. If you log in to lastpass, you send an hash of your password, and they send you the brick and the javascript libraries to decrypt the brick. If lastpass gets hacked in the same way as gawker, the attackers get a brick statistically indistinguishable from random numbers.

If they get hacked, someone will change the LastPass web site so that your password is collected instead of used by JavaScript locally, and I don't think there's an easy way to detect that.

I am not heartened by this.
posted by grouse at 7:46 PM on August 6, 2012


Yeah, the admin front page has an alternate stylesheet that makes it look not particularly fiddly on a phone, and that's where 95% of the backroom site stuff we deal with happens so we haven't bothered substantially adapting the CSS for any of the other admin pages. Pinch and zoom works fine in a fix for the rare situations where we need 'em.

And the in-thread admin tools (delete, edit) are just part of the byline of comments on mobile just as they are in the standard view.
posted by cortex (staff) at 8:01 PM on August 6, 2012


Totally random string of numbers... 4815162342.

I just entered a password that resembles my ubersecurity password into a security checker site, and it said it would take a desktop PC 4000 years to crack. I'm pretty okay with that.
posted by Night_owl at 8:17 PM on August 6, 2012


What makes these programs better than Keychain on the Mac? Wondering if it’s worth it to switch.
posted by bongo_x at 8:23 PM on August 6, 2012


crunchland: "(Another thing you could do, though it's a total hassle, is connect to your own secure server via a VPN connection, and then surf away, knowing that everywhere you go, to secure or insecure logins, your traffic stream is encrypted. Services like GoToMyPC make it easier, but I doubt you'd be willing to pay the $14.95 a month to connect up to Metafilter securely.)"

If you have an always-on computer at home, Lifehacker just posted this tutorial on creating a free VPN with Hamachi and browsing securely through it via Privoxy.

Scientist: "Hmm, I just signed up for KeePass today but am not fully sold on it mostly due to the clumsy integration with Android. Can anybody give an unbiased rundown of the pros and cons of LastPass vs. KeePass, and perhaps speak to their portability and integration with mobile devices such as smartphones?"

The entire internet basically has access to try and hack LastPass. I have KeePass (and multiple backups of my database - in about 7 years I have never lost my database or had any kind of trouble) and no one can even try to hack my database file until they get their hands on it, which would mean coming to my house and stealing the drives it's saved/backed up on. (Or getting through my firewall and stealing the file, whatever.) If you are really paranoid you could even encrypt your KeePass database in a TrueCrypt volume or hidden volume.

When I need to access KeePass on my iPhone, I can upload my database temporarily to my webserver and I use My KeePass to access it. (I don't use Dropbox as they suggest. Don't trust Dropbox.) I don't know if there's a similar app on Android.
posted by IndigoRain at 8:27 PM on August 6, 2012


Can anybody give an unbiased rundown of the pros and cons of LastPass vs. KeePass, and perhaps speak to their portability and integration with mobile devices such as smartphones?

I've used KeePass for the last year or two - storing the database in my Dropbox public folder and accessing it through the My KeePass iOS app. I had no complaints. And the fact that it's open source provides gives it bonus trustworthiness points.

But after reading mathowie's comment, I decided to give LastPass a try. jessamyn is correct that the free version does not have an iOS app - which sucks. But it does have bookmarklets that should work in any decent mobile browser. And if necessary, you can access the LastPass vault by signing in through the web site.

Given its smooth integration into the Chrome browser on my desktops, I think I'm going to stay with LastPass - even if, as IndigoRain correctly observes, it's a larger target for hackers.
posted by Egg Shen at 8:32 PM on August 6, 2012


OK, now I'm curious why I shouldn't trust DropBox. Everything I upload to DropBox is encrypted, right? They never see the plaintext of any of my files, just the encrypted version and a hash. Right? Is there any way that my DropBox files could realistically be compromised other than by someone getting ahold of my DropBox password and using it to log into my account?
posted by Scientist at 8:43 PM on August 6, 2012


Last I checked, Dropbox stores everything on the server in plaintext. (I don't see any other way they'd be able to implement the deduplication feature.) Perhaps you're thinking of SpiderOak?
posted by reprise the theme song and roll the credits at 8:49 PM on August 6, 2012


Yes, Dropbox does no encrypting. KeePass encrypts its own database with AES.

A malefactor would crack your password - or you - before he cracks AES.
posted by Egg Shen at 9:16 PM on August 6, 2012


Wait. We have passwords??
posted by LordSludge at 10:17 PM on August 6, 2012


MetaFilter: refreshing breeze: cold beer.
That is also my password..or my motto...or something I read upthread
posted by a humble nudibranch at 12:59 AM on August 7, 2012


A small child could remember my password.

Every time I need to log in, I head down to the basement and make him type it in.
posted by obiwanwasabi at 2:40 AM on August 7, 2012 [6 favorites]


It looks like without LastPass premium, I can't access my LastPass vault from my phone? That makes using it somewhat tough, or costly.

$12 a year isn't bad IMHO, especially when you consider how convenient it is. I use it on my Android phone, iPad, work laptop, and personal laptop all without issue. Sure, the interface isn't the best in some places, but it's well worth the convenience and money if you ask me.

I suppose if you're a security purist on the usability-security spectrum you would probably go for KeePass considering it's open source and doesn't store anything online (unless you use Dropbox that is). That said, LastPass comes is both decently usable and decently secure, and it seems to work for a lot of people.
posted by aheckler at 4:55 AM on August 7, 2012


The main advantage LastPass has over KeePass is that LP has extensions for about every modern browser replacing their native passwords managers. No need to copy paste from other application.

It looks like without LastPass premium, I can't access my LastPass vault from my phone? That makes using it somewhat tough, or costly.

It has a mobile site but yes, the native apps are locked behind a paywall. The $12 are worth it though, the apps may be ugly but they are easier to use than the site.
posted by Memo at 5:27 AM on August 7, 2012


It looks like without LastPass premium, I can't access my LastPass vault from my phone? That makes using it somewhat tough, or costly.

I dunno, I think if there's anywhere that is worth investing $1 a month, it's in the people holding all of your passwords and allowing you to maximize the security of your data.

I mean, is having a greater trust that your accounts will stay in your control worth less than that to you? It seems like a no-brainer to me. I'm all about free software where I can get it, but really security is something worth paying for (especially to keep them well-resourced in the protection of your passwords), especially when it's the price of a cup of coffee a month to get it.
posted by Rodrigo Lamaitre at 6:30 AM on August 7, 2012


For years, ever since I first joined Metafilter I used a simple, easily crackable password. If figured the damage was slight. If someone got my password, they might post some spam, my account might get suspended by the mods and, well, inconvenient but not the end of the world.

After I got mod priviledges I sort of felt an obligation to tighten that up. I don't know what my password is now. I randomly generated it and keep it in a backed-up KeePassX database.
posted by vacapinta at 6:33 AM on August 7, 2012


Yeah, I was really bad about this for awhile. I used the same 7-character alpha-numeric password for pretty much all my logins, and it worked because who gives a shit about me and my passwords? But then, I think something happened - I think it was that Gawker break-in a few years back, maybe? I don't know. Anyway, I ended up with a copy of 1Password and I've managed over the long months to re-do most of my passwords that way.

I really like 1Password's password generator for the job. I usually leave it on 14 characters with 2 digits and 2 symbols.

Here are some I just had it kick out:
R39rAJv;$KfDiX
QR.Tou/FcM69zo
dDe/23E;QfgQtE
2i4Go+KuNzvC.u
d(fk9cPL6+atUw

Now those are some passwords.
posted by kbanas at 7:32 AM on August 7, 2012


I'm much like mathowie now insofar as I don't even know my passwords for most sites. I go there. I open 1Password. I click.

I like to think this makes me impervious to capture and torture.

Also, and this is probably the Achilles heel of the whole thing - I have the password file stored on my DropBox share. That way, when I setup a new machine I just have to install DropBox, install 1Password, and then I'm off to the races.

Let's not talk about the implications of that.
posted by kbanas at 7:35 AM on August 7, 2012


For passwords, I associate every site with a video clip or song. I then make the youtube video id for that clip the password for that site. Works until it's DMCA'd. XD
posted by Eideteker at 7:47 AM on August 7, 2012


Also, and this is probably the Achilles heel of the whole thing - I have the password file stored on my DropBox share. That way, when I setup a new machine I just have to install DropBox, install 1Password, and then I'm off to the races.

Let's not talk about the implications of that.


I've replaced this process by keeping it on my phone's memory card, which is encrypted and password protected with a password I've never used for anything else, and send it via Bluetooth or USB to the computer I'm working on.

The benefit being that if I lose my phone, not only will a person have to break through the key code I don't use for anything else and the zip file password I don't use for anything else, but they'll have to do it before I remote wipe the thing...which considering how "at the hip" I am with it and how trigger happy I am on that (daily backups of my phone make it easy to restore) that I really don't see a reason to have my password files located anywhere but on my person.

I keep a second copy on a zip drive in my desk at home, which of course because I am a nut is actually a pen containing a zip drive. I tried explaining some of this to my now-deceased grandfather one time and he went on a long spiel about walking uphill both ways to school and whatnot.
posted by Rodrigo Lamaitre at 8:03 AM on August 7, 2012


I keep a second copy on a zip drive in my desk at home, which of course because I am a nut is actually a pen containing a zip drive. I tried explaining some of this to my now-deceased grandfather one time and he went on a long spiel about walking uphill both ways to school and whatnot.

We need another world war. Thin out some of this bullshit.
posted by kbanas at 8:12 AM on August 7, 2012 [1 favorite]


h@m8urger
posted by panboi at 8:37 AM on August 7, 2012 [1 favorite]


We need another world war. Thin out some of this bullshit.

Bring it on. My decorative soaps are actually flashbangs. Every book I own contains a pistol. The butter knives contain smaller, deadlier knives. Nothing is as it seems in my house of dreams.
posted by Rodrigo Lamaitre at 8:52 AM on August 7, 2012 [5 favorites]


OK, so DropBox is not encrypted (good to know) but my KeePass password database is? OK. My master password is well over 30 characters long with uppercase, lowercase, numbers, and punctuation and is hashed with SHA-256. Have fun working that one out.

Is there still any particular reason why I shouldn't store my KeePass database in DropBox? I mean, even if someone hacked DropBox and got access to my KeePass file, all they would have is an impossible cipher -- right?
posted by Scientist at 9:33 AM on August 7, 2012


Keeping your Keepass db in dropbox is all well and good, until such hypothetical time as there is this convergence of events:

1) one of: dropbox is cracked; a dropbox admin goes rogue; your dropbox password is stolen somehow

2) some flaw is found in the Keepass implementation that shaves the amount of brute-forcing it takes to crack it down to a feasible level

Variants on both of these things have happened plenty of times.

(Personally, I would be okay with putting my Keepass db on Dropbox. But it's not foolproof -- nothing is.)
posted by Zed at 10:01 AM on August 7, 2012


So what I'm hearing is that at least two things would have to go badly wrong at the same time, and that while neither of those things are out of the question, they are each unlikely on their own and probably extremely unlikely to happen simultaneously. And even if they did, my passwords would only be vulnerable rather than actually compromised -- I would still have to be unlucky (by dint of having an enemy who wanted my passwords, or having the misfortune to have my db be among those stolen from DropBox in the event that it was hacked) for someone to actually go in and get my individual passwords.

I can live with that. Thanks!
posted by Scientist at 10:49 AM on August 7, 2012


So what I'm hearing is that at least two things would have to go badly wrong at the same time, and that while neither of those things are out of the question, they are each unlikely on their own and probably extremely unlikely to happen simultaneously.

The last time Dropbox was compromised was just a few weeks ago, it's happened before, and I think it's likely that it will happen again. They just don't have a good security track record.

KeePass's security record is a lot better, but you never know what vulnerabilities are waiting for discovery.
posted by grouse at 10:59 AM on August 7, 2012


dropbox is cracked; a dropbox admin goes rogue; your dropbox password is stolen somehow

A wise user of Dropbox treats everything uploaded to it as publicly visible. Encrypt everything yourself first or no crying afterwards.

some flaw is found in the Keepass implementation that shaves the amount of brute-forcing it takes to crack it down to a feasible level

This is where KeePass being open source is a major advantage over LastPass.

Still, I have to imagine that, given most people's habits, the evildoer would try bruteforcing the master password before the algorithm. Which is why it's important to pick an extremely strong one. kbanas's examples - which I calculate at 92 bits of entropy - I would judge barely sufficient.

A 10-word Diceware phrase will get you to the 128-bit threshold - and be a lot easier to type on a phone than a mixture of numbers and symbols.
posted by Egg Shen at 11:10 AM on August 7, 2012


Good point; I was taking a strong password for granted and shouldn't have.

I'm a big fan over a long multi-word passphrase over random gobbledygook, too. As Egg Shen says, if you ever have to type it, it's a heck of a lot easier to get 10 words right than a 32-character mixed-case alphanumeric+symbols string.
posted by Zed at 11:40 AM on August 7, 2012


My password is definitely not the kind of thing an idiot would have on his luggage.

On preview, many others beat me to it.
posted by asnider at 11:54 AM on August 7, 2012 [1 favorite]


which I calculate at 92 bits of entropy - I would judge barely sufficient.


Aw, what a wet blanket, you are.
posted by kbanas at 12:09 PM on August 7, 2012


Every time I need to log in, I head down to the basement and make him type it in.

obiwanwasabi, do you keep a different child for every website, or just one who knows all your passwords?
posted by bendy at 12:22 PM on August 7, 2012 [2 favorites]


I dunno. I haven't had to actually log-in to MeFi in ages.
posted by Thorzdad at 2:32 PM on August 7, 2012


From the "dropbox gets hacked" article:

Our investigation found that usernames and passwords recently stolen from other websites were used to sign in to a small number of Dropbox accounts. We’ve contacted these users and have helped them protect their accounts.

I'm really not sure how it's Dropbox's fault if people are using their Dropbox password on other sites and those other sites get hacked. I mean, if somebody bought all those Gawker IDs that got stolen and then just threw them at Dropbox to see if any of them worked, how is that something that Dropbox can do anything about? I mean, there should probably be a limit on the number of login attempts that can be made from any given IP address, but maybe there is; it seems plausible that someone might use a botnet for that kind of attack, to hide the source and make it harder to shut down.

If someone were using a password manager, for instance, that made it easy for them to use strong unique passwords on every site that they log in at, then they'd be protected from that sort of attack, yes? And what can Dropbox do about the problem of their users using non-unique login information?
posted by Scientist at 4:03 PM on August 7, 2012


I'm really not sure how it's Dropbox's fault if people are using their Dropbox password on other sites and those other sites get hacked.

Because one of those people was a Dropbox employee and he was storing the data of other users in his Dropbox account. I don't blame you for missing this, since Dropbox buried the lede of the results of their "investigation," which is another thing that doesn't inspire trust.

And what can Dropbox do about the problem of their users using non-unique login information?

Again, the "user" in question is a Dropbox employee. One thing they could do is require that Dropbox employees use two-factor authentication.

The previous time Dropbox was compromised, anyone could log into any Dropbox account with any password. That was pretty ridiculous, yet they still haven't gotten serious about security.

Don't get me wrong, I still use Dropbox. But for something sensitive like a password file? Forget about it.
posted by grouse at 4:27 PM on August 7, 2012


Hmm, sounds like there's an opening for someone to come in and eat Dropbox's lunch by putting a stronger emphasis on security. Encrypt everything, offer two-factor authentication, publish your back-end security policies and encourage your user community to point out flaws and potential plans of attack. Heck, host a dummy version of your network with the exact same security systems in place, and encourage people to attack it and publish their results -- provide a reward, even.

Also of course you'd want to make sure that it was at *least* as easy to use as Dropbox (which frankly is a *triumph* of ease-of-use) and then just offer more free storage space and better, cheaper premium accounts. Maybe even implement some of the functionality of cloud-based backup systems, so that you actually *could* use it as a cloud backup (which you currently can't if only because it's too easy to fat-finger delete all your stuff). There might be an opening there to gobble up a piece of Dropbox's market share.

I know that most of the people I know who use Dropbox are at least semi-technical and hence care at least a little bit about security, and lots of people who use it would *like* to use it for sensitive information but either can't because they know better or do it anyway even though they shouldn't.
posted by Scientist at 5:34 PM on August 7, 2012


Password Haystack
posted by crunchland at 5:54 PM on August 7, 2012


Whelp, Mathowie just converted me. Lastpass + a Yubikey for me. And now all my passwords are unique. Even the ones I forgot I had.
posted by CrystalDave at 7:01 PM on August 7, 2012


*furiously backs shit up

-doesn't change password
posted by vozworth at 8:13 PM on August 7, 2012


I just use "password" as my password, though after reading this thread I am considering changing it to "password69".
posted by MattMangels at 9:44 PM on August 7, 2012


p696969d
posted by Artw at 9:58 PM on August 7, 2012


As the one who brought it up, well, it's been pretty well covered why I don't trust Dropbox. I first deleted my (still fairly new) account back when they started that whole "we own everything you upload" controversy in 2011, and then there's multiple security breaches (you can read more about those on Wikipedia. I know my AES-encrypted KeePass database is probably pretty resistant to attacks, but if I'm taking all these security precautions like using randomly generated passwords, why put it out there and take the risk?

There are a lot of Dropbox alternatives out there if you don't have your own webhost, such as SugarSync and even the new Google Drive.
posted by IndigoRain at 1:26 AM on August 8, 2012


I can't believe so many people fell for this transparent social engineering trick.
posted by wierdo at 1:41 AM on August 8, 2012


I can't believe so many people fell for this transparent social engineering trick.
like "the internet"?
posted by Namlit at 3:20 AM on August 8, 2012 [1 favorite]


Let's say I am at a library with some time to kill, and want to surf the internet. Because I don't trust Cybercafe computers, I don't use a password app (as my master password could be keylogged, and my password file could be intercepted)

As an aside, you can still use lastpass, for example, for this. It has the ability to create one time passwords that access your password store; so sometime before you go to the library, you generate a one use password, and store it in your wallet. When you login using the web-interface (which does all the decryption locally in the browser using javascript, so you're only vulnerable to key loggers not MitM attacks for this bit) you use that one time password as your master; if someone keylogs that, you've given nothing away, as they can't use that keylogged password themselves. You will of course have to generate more OTPs later for your own use, as they're a one-shot deal as the name implies.

Now, if you login to a site that doesn't use https, someone could intercept that site password using MitM, but then, you're vulnerable to that no matter how you login.

Another option is to use 2-factor authentication, which you can use in addition to one-time passwords - use a yubikey, the google authenticator app on your phone, or a printed lookup grid - so any device that's not previously authenticated can't login at all without your authenticator. Even if someone has your database AND your master password in cleartext, they still can't login as you on anything other than a device you've declared as trusted.

lastpass themselves can't decrypt your password database as it's encrypted locally before transmission, so they never get the password database itself.


As an entirely different aside, if you want free cloud storage that does the encryption locally - so your files are never passed in the clear to the cloud provider - you could try out spideroak or wuala. Both encrypt everything before it gets uploaded, so lack a web-based interface, but have clients for pretty much every platform to allow syncing between pc-cloud and thus pc-cloud-pc. They also have versioning, so deleting or modifying a file doesn't totally blow away the original.

Sugarsync does encrypt your files using your key, but server side only after transmission AFAICT - so more secure than dropbox which stores the files in the clear, but still potentially exploitable if they ever got compromised. I believe google drive and skydrive work like dropbox, though not certain.

Basically, if it has a web-interface to show your files in the clear, it's likely the cloud provider can do the same thing, and possibly without your permission. The best option of course is to upload a truecrypt volume or the like to the cloud, so there's no way anyone at all will get access to the contents unless they crack both your cloud password AND your truecrypt password. But then that's a bit awkward to use, so you have to be fairly paranoid to go to that level of effort for everything.
posted by ArkhanJG at 3:49 AM on August 8, 2012


I'm too afraid to have one central app that knows my passwords but I don't... I'm pretty sure I'd manage to get around to being locked out of it somehow, and then proving who I am will get painfully complicated as a) I'm definitely not going to be in the same country/time zone as the support folk, b) support calls will probably be spendy, c) I don't have a driver's license of any flavor, d) my name is different on my passport, my credit card, my SS #, and my residency ID, so good luck to me proving I am me, if I have to (...the perils of being a woman who doesn't keep her maiden name – and a pathetic procrastinator who doesn't ever get around to making them all conform), e) I'll forget whatever important thing it was I was supposed to do to keep a-d from being a big hairy problem.

So, I came up with my own system for making different passwords for every site with an algorithm I can remember (no pets, birthdays, mother's maiden names, or personal info involved), so I don't need to rely on a paper list (except for the non-conforming sites that insist on limitations that don't fit my formula). I've been doing this for years, but recently bumped up the complexity. My Metafilter password would take 157 billion years to crack (with a "desktop PC"), according to howsecureismypassword.net, so okay!
posted by taz (staff) at 5:28 AM on August 8, 2012


I am profoundly mature and it is super awesome.

This alone has already made my day better.
posted by psoas at 6:07 AM on August 8, 2012


I build most of my passwords thusly:

1. Start with a favorite scripture reference. Lets say Romans 12:2.
2. Take the first to letters of the website name.
3. Put them together as letter-scripture-letter.

So, my MetaFilter password would be MRom122E.

If the require a non-alphanumeric, I add an exclamation point.

Different for every website, easy to remember, meets most website's password policy requirements.
posted by DWRoelands at 6:07 AM on August 8, 2012


I don't know my password. I let Lastpass handle it for me.
posted by Renoroc at 7:17 AM on August 8, 2012


To make things simpler, my password was also my safeword until there was some confusion as to whether I was screaming caret or carrot.
posted by pracowity at 7:22 AM on August 8, 2012


Another option is to use 2-factor authentication, which you can use in addition to one-time passwords - use a yubikey, the google authenticator app on your phone, or a printed lookup grid - so any device that's not previously authenticated can't login at all without your authenticator. Even if someone has your database AND your master password in cleartext, they still can't login as you on anything other than a device you've declared as trusted.

Some forms of authenticators have been hacked, but they certainly raise the bar a bit and narrow the window of opportunity from days/hours to seconds.

To make things simpler, my password was also my safeword until there was some confusion as to whether I was screaming caret or carrot.

Oh yes! Oh yes! Oh no! Oh no! Alpha Victor Bang Slash Six Charlie Tango X-Ray! Owowow!
posted by CBrachyrhynchos at 8:15 AM on August 8, 2012


My password is a long phrase that has the words "five dollars" in it.
posted by jeffamaphone at 3:16 PM on August 8, 2012


I used to use a password at work that said something rude about the IT department, because I was sick of the poorly thought out password changing enforcement policy. That lasted until the first time I had to give 'em my password to fix a problem.
posted by davejay at 4:33 PM on August 8, 2012


If your IT department ever has to ask for your password to fix a problem, then they deserve rude things to be said about them.
posted by grouse at 4:38 PM on August 8, 2012


QFT: If your IT department ever has to ask for your password to fix a problem, then they deserve rude things to be said about them.
They should be able to fix most things without your pw. And if they need to have it, you should change it, then give it to them, then change it again when they're done. IT should be fiercely enforcing security.
posted by theora55 at 6:49 PM on August 8, 2012


Also, if your password said something rude, and funny, about IT, we'd laugh.
posted by theora55 at 6:50 PM on August 8, 2012


theora55: "Also, if your password said something rude, and funny, about IT, we'd laugh."

ID10T?
posted by IndigoRain at 8:40 PM on August 8, 2012


« Older Pop music mystery   |   How to count favorites. Newer »

You are not logged in, either login or create an account to post comments