How well do you practice online/tech security?



Harold Mansfield
04-06-2016, 12:11 PM
I'm kind of an "enthusiast" about keeping people out of my stuff. I encrypt, I back up multiple places, I don't use offline storage for important items, I don't use the same emails for everything, I have alarms set, hidden cams, "self destruct" software, and about a million other things that I do. I'm at the point now where I don't even trust the crapware on a new computer. First thing I want to do is replace the drive and install my own OS.

Much of it is because I'm online all of the time and probably read more than I should about threats, vulnerabilities and attacks. And also because I work on at least one hacked website a week and have for about 2 years straight.

When it comes to my devices I don't like anyone touching them. Even just passing a new phone to a friend to let them check it out makes me nervous. I also don't trust other people's computers and would never do anything sensitive on someone else's device. "What do you mean you don't have a VPN? I'm not touching that thing."

I'm also a total privacy nut when it comes to the people vs. the government and don't trust anything until a court rules on this issue. I've seen too many, even local police, violate the privacy of someone's mobile device under the excuse of "suspicious behavior" and it's out of control. I remember when having a pager was suspicious enough to prompt police to put you in cuffs and search. Things haven't changed much depending on who you are. I'd rather destroy it than to have it accessed without a warrant. And honestly, there's nothing on it. Just a regular phone with music and contacts on it. It's just the principle.

I'm also of the opinion that most people have crap security and all of their devices are infected because they don't know what they're doing. I know it's not a correct assumption, but that's just how I approach everything.

On the other hand I shop online all of the time, use mobile payment systems, use some public wifi, love NFC and Android Beam, and generally trust technology as long as I'm in control of setting it up.

I know I'm just a paranoid freak who thinks if you let your guard down for a second some script or virus is out there ready to get you. If there was an equivalent word for hypochondriac as it pertains to tech security, I probably have that. I accept that as my issue and understand that there is no such thing as completely secure. But it's also kind of fun.

But what about you guys? How well do you practice online and tech security overall? Do you care?
Is it one of those things that you know you need to get around to but never do?

billbenson
04-06-2016, 02:00 PM
Harold, how do you keep your passwords? I either put them in a text file or a spreadsheet. I use a password generator to give me a strong password, usually 16 characters. I want them in a file I can copy and paste, as long passwords, sometimes with special characters, would be a pain to type in.

Harold Mansfield
04-06-2016, 02:13 PM
Harold, how do you keep your passwords? I either put them in a text file or a spreadsheet. I use a password generator to give me a strong password, usually 16 characters. I want them in a file I can copy and paste, as long passwords, sometimes with special characters, would be a pain to type in.

In my head. The only place I know can't be hacked. I have about 10 variations of each password that I use, of varying lengths, depending on which email address the account is on. I like long passwords. I keep a flash drive for my emergency contact just in case, and back up to my own cloud storage which I have configured as RAID 1 in two different locations. There are no passwords or security info on any of my computers.

To be honest if I got hit by a bus tomorrow, most of my stuff would be hard to open and all of my accounts would just go abandoned. There's really just no solution to that when you're single. Not yet.

I don't use password managers. It just seems silly to me to store your online security information, online or on anything connected to the web. And of course printing them out isn't exactly the best idea for most people because they just leave it in their desk behind a crap lock.

I use a lot of different profile, email and account info. I've just gotten used to it. If someone hacks Soundcloud I'm not going to freak out because they know my playlist.

I don't have an actual solution for you. What you're doing is pretty much what we have and a lot of people do. Just lock the file with a really good password.

I still believe that passwords are the best solution because they can be the most random string and allow you to keep a certain amount of anonymity. Fingerprint readers on phones are good too. But most other consumer level "biometrics" are gimmicky and can be bypassed. Yeah, Windows Hello face rec is great if you want to keep your kids out of your stuff, and for most people that's all they need. But usually the underlying password is weak.

The problem with computers and websites is that humans don't have the ability to create and remember complex ones. Also a lot of places where you need passwords all have the same limitations. So we do what we can within those limitations.

There's a lot of room for improvement and it's a really competitive area.

Harold Mansfield
04-06-2016, 02:36 PM
Most everyone I know uses one email address for everything, and many use the same password or 1 or 2 variations that are very easy to figure out if you follow them on social media. I keep telling them they're sitting ducks, but a lot of people just don't think it's important. That no one is "out to get them".

People want easy, or else they can't be bothered. Unfortunately right now that's not realistic and your security is up to you. Just like the security of your home and your car.

billbenson
04-06-2016, 03:20 PM
I like your flash drive idea.

You can also do other things like bury passwords in large files (I have a several-thousand-line Excel file I use for contacts). You can code stuff where the username or site is in a different place. I would never make a file just for passwords.

Everyone should have dummy email addresses. My password for this forum is really simple, but I don't put anything very personal on here. The info isn't there. My birthday isn't my exact bday, it's not my real name, etc.

Unfortunately you, Harold, need to use your real name because you are promoting yourself.

Harold Mansfield
04-06-2016, 03:56 PM
Unfortunately you, Harold, need to use your real name because you are promoting yourself.

And I've been careful to separate my online persona from my personal stuff. The only personal social media account I use, I set strict access to friends only, and even still I don't ever talk about personal things or words that will help someone social engineer even my weakest password or other account info.

Most people who get targeted have made it easy for people. They post pictures of their kids, their birthdays are public, graduation years and so on. And those are the exact things most people use for passwords because they can remember them. Kid's name + year you graduated or were married. Or run all of the kids' names together + a significant year or the dog's name. Most people's passwords are things that other people know about them or they have talked about online, and most numbers that they use aren't random.

Combine that with using the same email for everything, and you may as well just make everything "1234". It's shocking how weak some people's security is. I still get clients with "Password123" as their password that someone set up for them YEARS ago and told them to change it and they never did.

It's all still relatively new and we're still learning. Security is just one of those things that people tune out on until some department store is hacked.

I'm online all of the time. But I don't live online freely. I treat online like it's online.

At this stage of the game I think the only thing I'd trust completely is the Cone of Silence from the old "Get Smart" episodes. And even then I'd be checking for surveillance bugs.

Harold Mansfield
04-06-2016, 04:25 PM
The kicker is that you can be a total freak about it, and still have no control over someone else getting hacked and exposing all of your data. And with financial things, you have no choice, you have to give them your social and address.

As far as I know, the only organizations who have never been successfully hacked in a way that exposed sensitive user data are Google, Amazon, and Microsoft. And to date those are the companies I trust.

Freelancier
04-06-2016, 04:38 PM
The problem with computers and websites is that humans don't have the ability to create and remember complex ones. Also a lot of places where you need passwords all have the same limitations. So we do what we can within those limitations.
Read an article a while back about a security group researching this stuff at Carnegie Mellon. What the article said was that the most secure password was to pick three normal words that were only semi-related but had strong correlation to you. Example is that my son likes Minecraft, but I think it's stupid, so the three words might be "Justin Minecraft stupid" and that's almost impossible to crack (too many possible combinations of letters) but simple to remember because it really is something that is just mine. And easy enough to have different ones for different web sites, because each site could mean something different to me.

But us idiot web programmers are stuck on: 8-14 characters, include one upper, one lower, one number, one special character. Which means I have to invent something that's difficult to remember.

Harold Mansfield
04-06-2016, 04:45 PM
But us idiot web programmers are stuck on: 8-14 characters, include one upper, one lower, one number, one special character. Which means I have to invent something that's difficult to remember.

Or it's the other extreme like with Apple who makes me log in every time I open iTunes, and then log in again to purchase something and makes me reset my password every time the weather changes and won't let me use any of my previous passwords. Ever.

MyITGuy
04-06-2016, 09:54 PM
Read an article a while back about a security group researching this stuff at Carnegie Mellon. What the article said was that the most secure password was to pick three normal words that were only semi-related but had strong correlation to you. Example is that my son likes Minecraft, but I think it's stupid, so the three words might be "Justin Minecraft stupid" and that's almost impossible to crack (too many possible combinations of letters) but simple to remember because it really is something that is just mine. And easy enough to have different ones for different web sites, because each site could mean something different to me.

But us idiot web programmers are stuck on: 8-14 characters, include one upper, one lower, one number, one special character. Which means I have to invent something that's difficult to remember.

I usually suggest a mnemonic you can use with a variation that would apply to that specific site.

Part 1 - Pick a number of importance to you (e.g. year or month/day of your birth, wedding, anniversary, etc.), now convert it using the Shift + number keys.
Part 2 - Assign a value to the website you're accessing. E.g. Small Business Forum becomes sbf, Facebook becomes fb or facebook.
Part 3 - If this is a password that will be changed frequently, utilize the current month/year. E.g. 0416
Part 4 - Pick a word/phrase that you can remember, preferably one with varied case.

You now have a complex password that looks like @)!^sbf0416Password, is customized to the site so that if one site/password is compromised then others are still secure, but is still extremely easy to remember.

I've only run across a handful of sites in my years of using something similar to this where it wouldn't work due to poor security of the site operator themselves (limiting passwords to 6-10 characters, not allowing punctuation, passwords must start with a letter/number, etc.).
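Working through the four-part scheme above in code, as an added Python example (not MyITGuy's own code or anyone's tool): the Shift-row mapping is the standard US keyboard layout, the site tag and month/year are supplied by the caller, and a small policy checker shows the kind of site rule the post mentions (6-10 characters, no punctuation, must start with a letter or digit) that rejects the resulting password. The policy values are hypothetical.

```python
import string

# Shift + number-row key on a standard US keyboard (constructed from the layout)
SHIFT_ROW = {"1": "!", "2": "@", "3": "#", "4": "$", "5": "%",
             "6": "^", "7": "&", "8": "*", "9": "(", "0": ")"}


def shift_digits(number: str) -> str:
    """Part 1: the digits of a memorable number typed with Shift held down."""
    return "".join(SHIFT_ROW[d] for d in number)


def site_tag(site_name: str) -> str:
    """Part 2: a short tag for the site, e.g. 'Small Business Forum' -> 'sbf'.
    Multi-word names become their initials; a single word is kept whole."""
    words = site_name.split()
    if len(words) == 1:
        return words[0].lower()
    return "".join(w[0] for w in words).lower()


def mnemonic_password(anchor_number: str, site: str, period: str, phrase: str) -> str:
    """Parts 1-4 concatenated in the order the post uses."""
    return shift_digits(anchor_number) + site_tag(site) + period + phrase


def policy_violations(password: str, min_len: int = 6, max_len: int = 10,
                      allow_punctuation: bool = False,
                      must_start_alnum: bool = True) -> list:
    """Reasons a password fails a (hypothetical) site policy; [] means accepted."""
    problems = []
    if not (min_len <= len(password) <= max_len):
        problems.append(f"length {len(password)} not in {min_len}-{max_len}")
    if not allow_punctuation and any(c in string.punctuation for c in password):
        problems.append("punctuation not allowed")
    if must_start_alnum and (not password or not password[0].isalnum()):
        problems.append("must start with a letter or digit")
    return problems


if __name__ == "__main__":
    pw = mnemonic_password("2016", "Small Business Forum", "0416", "Password")
    print(pw)  # @)!^sbf0416Password
    # The restrictive policy from the post rejects it on three counts ...
    print(policy_violations(pw))
    # ... while a site that allows long passwords with punctuation accepts it.
    print(policy_violations(pw, max_len=64, allow_punctuation=True,
                            must_start_alnum=False))
```

Note that the site tag and the month/year sit in the clear inside the output; that is the trade-off the scheme makes for being memorable, so the strength rests on the anchor number and the phrase.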

vangogh
04-07-2016, 12:38 PM
how do you keep your passwords

I use an app called 1Password. I used to think it wasn't worth the money, but after buying it, it's become one of my favorite apps. It works across devices if you choose, which does mean your information is stored online somewhere, but there's end-to-end encryption. What I like about it is that you only have to remember the one master password for the app. The app will generate secure, random and unique passwords, which you don't have to remember. For example, I just used the generate password feature and it came back with "6Mw>C)sBMrC7knFZ". You can change the settings so the password is up to 50 characters long. You can change how many numbers there are and how many special characters there are.

It allows me to use passwords like the one I just mentioned for any site that requires a password. I can create an account for something on my laptop and my login information will be available on my phone and tablet.

Again that does mean your info is stored online somewhere, but it is encrypted and I trust the company.

The master password for the app exists only in my head and I still do the same for other sites. I didn't add my banking login to the app. I keep that info in my head as well. For most things though, I think being able to set a long random and unique password outweighs any risk from placing it online.
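An added Python example, not 1Password's code or vangogh's: a generator that exposes the same knobs the post describes (length, how many digits, how many special characters), a counter that classifies a sample string such as the "6Mw>C)sBMrC7knFZ" above, and the search-space arithmetic that lets you compare a random password of a given length with the three-word passphrase Freelancier described earlier in the thread. The special-character set is constructed; the 7,776-word dictionary size is the Diceware list size and is an assumption about which word list the passphrase draws from.

```python
import math
import secrets
import string

SPECIALS = "!@#$%^&*()-_=+[]{};:,.<>?/"  # constructed set of allowed symbols


def generate_password(length: int = 16, digits: int = 2, specials: int = 2) -> str:
    """Random password with exactly `digits` digits and `specials` symbols,
    the remainder letters; positions are shuffled with the OS CSPRNG."""
    if digits + specials > length:
        raise ValueError("digits + specials exceeds length")
    chars = [secrets.choice(string.digits) for _ in range(digits)]
    chars += [secrets.choice(SPECIALS) for _ in range(specials)]
    chars += [secrets.choice(string.ascii_letters)
              for _ in range(length - digits - specials)]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def count_classes(password: str) -> dict:
    """How many letters, digits and other characters a password contains."""
    counts = {"letters": 0, "digits": 0, "specials": 0}
    for c in password:
        if c.isalpha():
            counts["letters"] += 1
        elif c.isdigit():
            counts["digits"] += 1
        else:
            counts["specials"] += 1
    return counts


def random_string_bits(length: int, alphabet_size: int) -> float:
    """Search space, in bits, of `length` characters drawn uniformly
    from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(words: int, dictionary_size: int) -> float:
    """Search space, in bits, of `words` words drawn uniformly
    from a list of `dictionary_size` words."""
    return words * math.log2(dictionary_size)


if __name__ == "__main__":
    pw = generate_password(16, digits=2, specials=2)
    print(pw, count_classes(pw))
    print(count_classes("6Mw>C)sBMrC7knFZ"))  # sample string from the post
    print("16 chars, 94 printable symbols:", round(random_string_bits(16, 94), 1), "bits")
    print("8 chars, 94 printable symbols: ", round(random_string_bits(8, 94), 1), "bits")
    print("3 words from a 7,776-word list:", round(passphrase_bits(3, 7776), 1), "bits")
```

The bit figures are upper bounds that assume uniform choice: forcing exact counts of digits and symbols, as the generator does, trims a little off the fully random figure, and a passphrase built from words meaningful to its owner draws from a smaller effective list than a uniform pick from the whole dictionary.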

Harold Mansfield
04-08-2016, 12:48 PM
What I do like is that there are options. Too many people trying to come up with a standard, and I think that's really dangerous. We all definitely don't need to be doing the same things. That just makes it easier to beat.

vangogh
04-08-2016, 01:11 PM
I suspect in the future we'll be logging into things using fingerprints, retina scans, etc. Passwords are a bad solution because the stronger the password, the more difficult it is for us to login. That's true of security in general. The more secure, the more difficult for us. We're nearly always the weakest link in the security chain.

Harold Mansfield
04-08-2016, 01:51 PM
I suspect in the future we'll be logging into things using fingerprints, retina scans, etc. Passwords are a bad solution because the stronger the password, the more difficult it is for us to login. That's true of security in general. The more secure, the more difficult for us. We're nearly always the weakest link in the security chain.

Here's my thing with fingerprints and retina scans. I don't want those things recorded and stored anywhere. That's probably just me, but I think there's a solution that's both secure and that doesn't require your physical attributes to be in a database just to log into a computer.

Brian Altenhofel
04-08-2016, 08:43 PM
My issue with biometrics is that they fall outside the scope of the Fifth Amendment. Biometrics are something you have, not something you know. You can plead the Fifth to not disclose your passphrase, code, encryption key, or any other information. You cannot plead the Fifth to refuse to provide fingerprints, iris scans, heartbeat scans, etc.

I only know 10 passphrases, and they are all for decrypting devices. I use KeePass for storing generated passwords, but the file is encrypted and stored on encrypted volumes.

If you want my keys, you'll have to send me to T.A.H.I.T.I.

Freelancier
04-09-2016, 10:21 AM
You cannot plead the Fifth to refuse to provide fingerprints, iris scans, heartbeat scans, etc.

The 4th amendment restriction against unreasonable searches/seizures comes into play for that and only in certain instances can the "state" get around that.

Brian Altenhofel
04-09-2016, 10:43 AM
The 4th amendment restriction against unreasonable searches/seizures comes into play for that and only in certain instances can the "state" get around that.

Fourth Amendment only applies to the contents, and the storage on an electronic device is a closed container. The Fifth protects your right to not open the container or provide the means to open the container to avoid the possibility of self-incrimination. If the container is opened, the Fourth then applies to limit the scope of the search, but other incidentally discovered material can still be used against you depending on how it was incidentally discovered.

billbenson
04-11-2016, 11:20 AM
I read somewhere that Pi (3.14...) is the most commonly used password.

Harold Mansfield
04-11-2016, 11:42 AM
The 4th amendment restriction against unreasonable searches/seizures comes into play for that and only in certain instances can the "state" get around that.
But they do get around it, or punish you for exercising that right. Think forced breathalyzers, blood and DNA tests. The state can literally hold you down to take blood out of your body and it's not always with a warrant.

Sure you can refuse a breathalyzer, but the punishment (in this state) for refusing is automatic suspension. Automatic. Just for being suspected and exercising your right not to have your body invaded.

Most of us don't have F. Lee Bailey (or the kind of lawyer that scares police departments) on speed dial to sue for violation of our rights, and these days there are very few lawyers that even take that case unless you can prove you were injured in some way.

I understand the way things are supposed to be, but I live according to the way things are. If they're not scared of your ability to sue them, they don't care. People without resources get violated and searched every day. Telling a cop "I know my rights" just makes them angrier... depending on who you are, of course.

So going back to the start, I'd just rather have as few biometrics as possible on file. One of my phones does have a fingerprint unlock, but at the moment I trust that it's stored internally on the phone (and the phone is encrypted) and that Google isn't storing it in the cloud somewhere.

Your fingerprint data is stored securely and never leaves your device. Your data is not shared with Google or any apps on your device.

https://support.google.com/nexus/answer/6300638?hl=en

Jared
04-11-2016, 03:59 PM
I usually use the same password. I do not use virus protection - waste of money. I only use Mac products at work and home. I have never had problems with identity theft or got a virus on my computer. How, you ask? I only go to websites that I can trust and download products that are from the vendor. I think the thing that has mostly helped me avoid these attacks is that I know how to fix most viral attacks, as I fix clients' PCs from viruses, and my credit/debit card providers provide a refund on unauthorized purchases. Basically, I haven't let it worry me and it hasn't affected me.

vangogh
04-11-2016, 04:25 PM
Here's my thing with finger prints and retina scans. I don't want those things recorded and stored anywhere.

On the iPhone, your print(s) are only stored on the phone, in a separate location that other software doesn't have access to. Here's what Apple says:

Touch ID doesn't store any images of your fingerprint. It stores only a mathematical representation of your fingerprint. It isn't possible for someone to reverse engineer your actual fingerprint image from this mathematical representation. The chip in your device also includes an advanced security architecture called the Secure Enclave which was developed to protect passcode and fingerprint data. Fingerprint data is encrypted and protected with a key available only to the Secure Enclave. Fingerprint data is used only by the Secure Enclave to verify that your fingerprint matches the enrolled fingerprint data. The Secure Enclave is walled off from the rest of the chip and the rest of iOS. Therefore, iOS and other apps never access your fingerprint data, it's never stored on Apple servers, and it's never backed up to iCloud or anywhere else. Only Touch ID uses it, and it can't be used to match against other fingerprint databases.

That doesn't sound like something that will end up in a searchable database.

Harold Mansfield
04-11-2016, 04:46 PM
Add to that, I'm pretty sure Apple is pissed right now and the next update will make it impossible to break the encryption by anyone except the owner. I'm not an Apple person, but I respect them and love that they are on the forefront of device encryption and security and back them 100% against the crap that's been going on.