Do you save your email passwords in your web browser?

EQ Admin

EQ Forum Admin
Staff member
When I was creating my Hushmail account I was prompted by Firefox asking me to save my nice new passphrase in Firefox.

Of course many users probably do, which only decreases your password / passphrase security a little bit.

Do you save your email passwords in your web browser?

Big Dan

EQ Forum Moderator
Yes, I do. It's another security-versus-convenience trade-off decision, as with Gmail. I do use KeePass too, which I like, but it's still tedious to copy/paste for all the sites I log into, especially with the frequency that I clear my cache and cookies.

I've been looking at LastPass which gets rave reviews in the tech community but I'm not sure adding a 3rd party service to the mix is wise either.

Lately, I've been using Firefox Sync to sync history, bookmarks, and passwords across Firefox installs on all platforms. It's been great.

foggy

Valued Member
I have been using the LastPass extension for FF and like it, though I do have concerns like Big Dan said about 3rd party stuff.

For some sites I do just use the FF manager. I also have KeyScrambler extension for FF and only toggle it on when I'm entering password/login information manually.

CarlS

Valued Member
I'm a Hushmail user, have bought an account. And yes, I use Firefox and have my 64 character passphrase saved in Firefox. I don't consider that to be a security problem unless I get a password dropper trojan on my computer. And if I get a trojan it will steal the password anyway.

My system hard drive is encrypted using Truecrypt and I never leave my computer out of sight, so the risk of anybody logging into my account without my consent is basically zero.

foggy

Valued Member
I'm a Hushmail user, have bought an account. And yes, I use Firefox and have my 64 character passphrase saved in Firefox.

64-character ?! Wow ! :eek:

My maximum allotment for passwords with FM is 20, as I recall. And for Hotmail it was around 16 I believe. Ironic that one of the most hacked providers out there (Hotmail) has such a low maximum. They should offer passcode length up to at least 32 (as Gmail does).

I know there is always disagreement about this among the experts, but is there some minimum passcode length for acceptable security ? I mean, I know most places (email, forums, etc.) say that a password/passcode should be at least 6 characters, but I think I remember reading a few years ago where someone said that even 6 is too short and that hacking is much less likely with a passcode of at least 8 characters. Some say 10. Has that figure been 'upped' to something else ? I realize longer is safer, but what is a really safe minimum ?

EQ Admin

EQ Forum Admin
Staff member
I recommend passwords that are 8-12 characters, easy for you to remember, hard for others to guess, and have a nice mix of upper, lower, numbers, and punctuation. More detailed thoughts here - http://www.emailquestions.com/email-articles/97-why-you-need-strong-passwords-protect-them.html.

Once you get a password at that strength level I think it's more important to be aware of securing your computer and connection. Writing down your password, using public computers, not keeping your computer up to date, visiting low quality web sites, and following random Facebook links become the greater concern at that point.

There was a time that having a multiple of 7 was best for Windows domain based passwords. A password length of 7 or 14 was better than 8 or 12 I think due to the way that Windows encrypted the passwords. That may or may not still be true for Windows domain passwords.

foggy

Valued Member
I recommend passwords that are 8-12 characters, easy for you to remember, hard for others to guess, and have a nice mix of upper, lower, numbers, and punctuation.

Thanks for your input !

I have been using LastPass of late to generate and store passcodes and using whatever maximum character allowance provided by the site (for email, that is). Before using LP I was doing it on my own by taking a sentence, quote, song line, etc. and taking the first letter of each word in it and transforming it to something passcode quality. Use symbols for look-alike letters and some words ($ = s; @ = a, + = t; & = and; # = the, etc.), then change remaining letters to numbers, capitalize verbs, don't use any symbol more than twice and so forth.

So, for one account I no longer have I took the first line from The Brady Bunch theme: Here's the story of a lovely lady Who was bringing up three very lovely girls. All of them had hair of gold, like their mother, The youngest one in curls.

So,

h t s o a l l w w b u t v l g a o t h h o g l t m t y o i c became the passcode

h#$0@llwWBU3vlg@0+Hh0gl+m#y01c

A 30-character passcode that was very strong, yet easy to remember and reproduce. :D


In that thread you (Ray) said:
The stronger the password the longer it takes to crack it. A strong password, combined with regular password changes, significantly reduces the chance that it can be cracked by a determined person with reasonable resources before your next scheduled password change.

Ah, so it is better to have a longer passcode (more than 12) if one is able to manage to remember it and keep it private. And thanks for the example you gave in that thread of the time it would take to break a 10-character passcode. That's the kind of thing I was trying to say that I had read about before. :eek:

Re: Passcode changes: I've always been curious about this. I'm not sure why it's the norm for so many password discussions and how-to pages to suggest frequent changes. :confused: If a passcode has been 'working,' and an email account has been so far unpenetrated, why change the passcode ? How exactly does that keep the hackers at bay ? It sounds (to my very ignorant, amateurish mind) like saying "change the locks on your doors several times per year." We would only change our locks if/when we suspect that someone else has a key (stolen or homemade).

In the case of an email account, someone would either already have the key (i.e. know our passcode) or would be trying to get it. But the example you gave would suggest that it would take soooo long to crack a long 30-character passcode that I don't understand what changing it would do. How can a hacker know that they have part of one's passcode cracked ?

There was a time that having a multiple of 7 was best for Windows domain based passwords. A password length of 7 or 14 was better than 8 or 12 I think due to the way that Windows encrypted the passwords. That may or may not still be true for Windows domain passwords.

Interesting ! I'll try to research this a bit (just to satisfy my curiosity).

Thanks again for the information !! :)

EQ Admin

EQ Forum Admin
Staff member
So,
h t s o a l l w w b u t v l g a o t h h o g l t m t y o i c became the passcode
h#$0@llwWBU3vlg@0+Hh0gl+m#y01c
so it is better to have a longer passcode (more than 12) if one is able to manage to remember it and keep it private.
It depends. How well is it protected? What platform is the password stored within? An email or other service may let you create a password that is 30 characters long, but are all of those characters required? There are still services out there running on older servers where you'll be allowed to create a 16-32+ character length password but only the first 8 characters are significant. Meaning that you might have a password of h#$0@llwWBU3vlg@0+Hh0gl+m#y01c, but h#$0@llw and h#$0@llwWBU3 and h#$0@llwWBU3vlg@ could also be used to successfully login to the account.

I'm not sure why it's the norm for so many password discussions and how-to pages to suggest frequent changes.
What is frequent? I think it's tough to get people to change and remember their passwords. If you have to keep changing and remembering several passwords you'll start to forget them. I deal with this by using a key of sorts to generate passwords for different sites and purposes. Changing passwords once a year for your important passwords makes sense. Change them at New Year's or your birthday if that makes it easier to remember to change them. Not all hackers will make it obvious they have access to your accounts by sending spam, changing your password, etc. How do you really know if someone who has been careful not to reveal themselves has access to your accounts?
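The "only the first 8 characters are significant" behaviour described above can be checked for rather than guessed at. The following is an added example, not code from the thread or from any real service: `LegacyService` is a constructed stand-in for a server that silently truncates before hashing (old Unix crypt(3) did exactly this at 8 characters), `ModernService` hashes the whole string, and `significant_length` is a probe you can point at any login oracle for an account you own to find out how many characters actually count. The hashing scheme and class names are assumptions for the demonstration.

```python
import hashlib
import hmac
import os


class LegacyService:
    """Constructed stand-in for a server that accepts a long password but only
    keeps the first SIGNIFICANT characters when hashing it."""
    SIGNIFICANT = 8

    def __init__(self, password):
        self.salt = os.urandom(16)
        self._stored = self._digest(password)

    def _digest(self, password):
        kept = password[:self.SIGNIFICANT]   # silent truncation happens here
        return hashlib.sha256(self.salt + kept.encode()).digest()

    def login(self, candidate):
        return hmac.compare_digest(self._stored, self._digest(candidate))


class ModernService(LegacyService):
    """Same store, but hashes the whole password (a slice to None keeps it all)."""
    SIGNIFICANT = None


def significant_length(login, password):
    """Probe a login oracle with successively longer prefixes of a known
    password and return the shortest length that authenticates. Equals
    len(password) when every character matters."""
    for n in range(1, len(password)):
        if login(password[:n]):
            return n
    return len(password)


def ignores_extra_characters(login, password):
    """True if the service also accepts the password with junk appended,
    the other symptom of silent truncation."""
    return login(password + "ZZZZ")


PASSCODE = "h#$0@llwWBU3vlg@0+Hh0gl+m#y01c"   # the 30-character example from the thread

if __name__ == "__main__":
    for svc in (LegacyService(PASSCODE), ModernService(PASSCODE)):
        print(type(svc).__name__,
              significant_length(svc.login, PASSCODE),
              ignores_extra_characters(svc.login, PASSCODE))
```

Against a live service, try only a handful of lengths (8, 12, 16, 32) rather than every prefix, and do it on an account you are authorised to test: each failed attempt counts toward lockout thresholds. The `ignores_extra_characters` check is the cheaper single-request version of the same test.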

EQ Admin

EQ Forum Admin
Staff member
Interesting ! I'll try to research this a bit (just to satisfy my curiosity).

source: Ten Windows Password Myths | Symantec Connect

Myth #3. 14 Characters is the Optimal Password Length

With LM, password hashes were split into two separate 7-character hashes. This actually made passwords more vulnerable because a brute-force attack could be performed on each half of the password at the same time. So passwords that were 9 characters long were broken into one 7-character hash and one 2-character hash. Obviously, cracking a 2-character hash did not take long, and the 7-character portion could usually be cracked within hours. Often, the smaller portion could actually be used to assist in the cracking of the longer portion. Because of this, many security professionals determined that optimal password lengths were 7 or 14 characters, corresponding to the two 7-character hashes.

NTLM improved the situation some by using all 14 characters to store the password hash. While this did make things better, NT dialog boxes still limited passwords to a maximum of 14 characters; thus the determination that passwords of exactly 14 characters are the optimal length for the best security.

But things are different with newer versions of Windows. Windows 2000 and XP passwords can now be up to 127 characters in length and so 14 characters is no longer a limit. Furthermore, one little known fact discovered by Urity of SecurityFriday.com is that if a password is fifteen characters or longer, Windows does not even store the LanMan hash correctly. This actually protects you from brute-force attacks against the weak algorithm used in those hashes. If your password is 15 characters or longer, Windows stores the constant AAD3B435B51404EEAAD3B435B51404EE as your LM hash, which is equivalent to a null password. And since your password is obviously not null, attempts to crack that hash will fail.

With this in mind, going longer than 14 characters may be good advice. But if you want to enforce very long passwords using group policy or security templates, don't bother - neither will allow you to set a minimum password length greater than 14 characters.
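The mechanics in the quoted article (upper-casing, the 14-byte limit, the split into two 7-byte halves, and the null LM hash stored for passwords of 15+ characters) lend themselves to a quick audit script. This is an added example and not code from the Symantec article or from Microsoft: it does not implement the DES step itself, but shows what each half would contain, compares the cost of attacking the halves separately with an undivided search, and flags accounts in a constructed pwdump-style dump whose LM hash is present and not the null constant. The 69-character alphabet, the cp437 code page and the sample dump values are assumptions.

```python
NULL_LM = "aad3b435b51404eeaad3b435b51404ee"   # LM hash of the empty password, from the article
LM_ALPHABET = 26 + 10 + 33   # upper-case letters, digits, printable symbols (LM upper-cases input)


def lm_halves(password, codepage="cp437"):
    """Return the two 7-byte blocks LM would DES-encrypt separately, or None
    when the password is 15+ characters and Windows stores NULL_LM instead.
    Input is upper-cased and NUL-padded to 14 bytes; the OEM code page is
    assumed to be cp437."""
    if len(password) >= 15:
        return None
    data = password.upper().encode(codepage, "replace")[:14].ljust(14, b"\x00")
    return data[:7], data[7:]


def lm_attack_cost(length, alphabet=LM_ALPHABET):
    """Worst-case guesses to crack an LM-hashed password of this length by
    attacking each half independently, versus one undivided search. A
    9-character password is a 7-char search plus a 2-char search."""
    first, second = min(length, 7), max(length - 7, 0)
    split = alphabet ** first + alphabet ** second
    return split, alphabet ** length


def parse_pwdump(line):
    """user:rid:lmhash:nthash::: as produced by pwdump-style tools."""
    user, rid, lm, nt = line.strip().split(":")[:4]
    return {"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()}


def lm_exposed_accounts(dump_lines):
    """Accounts whose LM hash is present and not the null constant: their
    password is 14 characters or fewer and open to the split-hash attack."""
    return [rec["user"] for rec in map(parse_pwdump, dump_lines)
            if rec["lm"] and rec["lm"] != NULL_LM]


# Constructed sample dump; the non-null LM/NT values are placeholders, not
# hashes of any real password.
SAMPLE_DUMP = [
    "Administrator:500:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::",
    "svc_backup:1001:ffeeddccbbaa99887766554433221100:0f1e2d3c4b5a69788796a5b4c3d2e1f0:::",
    "jsmith:1002:AAD3B435B51404EEAAD3B435B51404EE:123456789abcdef0123456789abcdef0:::",
    "legacy_app:1003:1234567890abcdef1234567890abcdef:0fedcba9876543210fedcba987654321:::",
]

if __name__ == "__main__":
    print(lm_halves("password1"))
    print(lm_attack_cost(14))
    print(lm_exposed_accounts(SAMPLE_DUMP))
```

Two practical notes: the dump check only tells you which accounts still have an LM hash stored, not how the password was set, and Windows versions since Vista do not store LM hashes by default (the NoLMHash policy), so on a current domain a non-null LM hash usually points at a policy override or a very old password that was never changed.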