How paranoid should you be when you want to devise methods of defending passwords?
If someone accesses your computer (with malware or otherwise) and can now read off the RAM it is possible to read the password manager stream of data as it comes off/or on.
So what is the best way to handle passwords?
Should you just have a written password list(offline) on pen and paper?
It seems to me that to get into the password manager you need a complex password.
I just set up Dashlane password manager to see what the standard is, and they make you enter at least an 8 digit password, upper case, lower case , and a number.
So the example in xkcd above would not work: correcthorsebatterystaple is 25 digits and is easy to remember, but does not have a number or caps. It would be very hard to guess this number with brute force password guessing programs. But Dashlane has the old method of creating a password(complex but shorter). the reason these passwords do not work is that over time, one forgets the complex passwords, and resetting the password periodically may be good if you want to do it (like 2x per year), but if you forget 6x per year than this system is no good.
This is why everyone has to figure out their own password management system.
In my estimable opinion, it is wise to have an entry in both systems (offline and online). Keep the offline with a date next to it so you can decide when to change it.
The problem with password managers is that you are using less of your memory. The more of your memory you use, the longer you will keep it. Of course one has to be capable of learning new things and remembering a number of passwords without writing them down.
So make it relatively easy to use for some passwords like certain locations (like games or other items that are not monetized). Then for bank sites, other financial websites, one could keep those offline.
When I set up Dashlane it imported 500 passwords into the software from the browser storage. I looked through the list, and many of those sites are defunct or I no longer use them. So realistically a good 100-200 sites are now in Dashlane. And a bunch of useless passwords that are no longer being used.
So which is my most important password? The one that can unlock all of them? Or my email? Using my email and phone a thief can re-create my digital world. Unless there is no digital setup. My phone reboot password is not in Dashlane, since one has to be booted in to use Dashlane. So there are a few passwords that can’t or should not be on Dashlane.
Keep your offline passwords in a spot that says passwords in big letters (just kidding). Obviously do not make it easy to see what it is.
I am sure Dashlane or any of the other password management softwares are good and will not succumb to consistent hacker attacks (hmm maybe – maybe not). Should we take that risk? It depends on your net worth and what you are defending. How paranoid are you really?
If you want to discuss this with someone else, let me know.
Contact Us to review your situation