Bitcoin Forum

For every website that we are using especially those required a password, mostly are our email, crypto exchanges, forum accounts, social media accounts, etc. are requiring to make our password strong and secure. Did you follow them? or did you create a password that is too short? Common passwords? Well, that is bad practice. By using a strong password, it will help our accounts more secure against hacker over the internet.

We need to know first some example passwords that aren't advisable or very common one.

A. All of these passwords are very common and you should not use it!

• 123456
• abcdefg
• abc12345
• password
• password123
• More common passwords. (https://www.esquire.com/lifestyle/a25570880/top-passwords-2018/More common passwords)

B. Never use passwords that include your personal information such as:

• Name
• Date of birth
• Place of birth
• Your address

Reason because why you should not ever include some of your personal information on your password because it will be an advantage on the hacker if he/she know some of your personal info, he/she can easily guess your password by using them.

C. Never use common Substitutions:
Examples:

• D0gH0us3
• W33kdays
• IL0v3D0gs

Using of these kinds of password is really obvious, like D0gs , you just replaced the o with a 0. It can easy to brute force attack, just by replacing some common characters with some numbers or letters.

---

Creating your strong passwords
Since we already know what kinds of password that shouldn't be used, we can now proceed now on creating a strong and secure password.

• Make sure your password is long,
  mix of  capital/small A-Z alphabets,
  0-9 numbers,
  special characters such as &^$#
  Like S5#A$B1dpqzM^UMk , but this is very hard to memorize.
  How to memorize these kinds of password? :
   
  
• The sentence method:
  This idea of this method is you will create a password from a random sentence or any sentence created by you.
  Example:
  You will take every first 2 characters on each word from the sentence "I Was Born At 2:35pm In The Country Of Germany"
  Result:  IWaBoAt2:InThCoOfGe
  
  
• Using Passphrase
  Passphrase is consist of multiple words, the randomness of every word for creating a passphrase makes it strong.
  Example:
  "Dog in the dark" -  Word make sense and it is grammatically ordered.
  "hulk touch adjourn omega" - Don't make sense phrase, not in grammatically order.
  You can use this password by capitalized every second character of every word, adding a special character between the words.
  Like hUlk&tOuch$aDjourn@oMega -
  You can use the Sentence Method here, for example, taking every first two characters of every word, capitalized every 2nd character of the word and adding random special characters.
  "hUlk tOuch aDjourn oMega".
  Result :  hU#tO!aD*oM$
  
  
• Using random password generator,
  
  Quote from: whotookmycrypto on April 16, 2019, 07:40:58 AM
  Also, wouldn't feel comfortable using an online tool like Avast to generate passwords. Much more comfortable using an offline tool to generate passwords like a password manager eg. https://keepass.info/ With KeyPass, you can generate strong passwords in 2 simple steps.
  
  Step 1: Select dropdown box
  Step 2: Select the strength required of your password
  Note: You can also customize what characters are allowed / disallowed in your passwords when they are generated which is handy.
  
  https://i.imgur.com/DzWGBkb.png
  
  Lastly, using password managers also solves the problem you mentioned of passwords being "hard to memorize".
  
  
  REMOVED the Avast Random Password Generator, since I found that the offline and open-sourced one is much safer.
  
  
• Password Manager
  Using a password manager will help us to ogranize our different password on different website. I will suggest to use https://keepass.info/, this is open-source project and free.
  https://i.imgur.com/dormpaL.png
  Steps on how to use KeePass password manager:
  1st, Download and install the KeePass (https://keepass.info/), you can use the portable version or the installer.
  2nd, Once the installation is done, you will be asked for the master password and the location path for the KeePass KDBX File (.kdbx) where you can use that as your backup.
  3rd, Fill up the fields.
  https://i.imgur.com/qq2zbC8.png
  You can just easily copy/paste your password in different entry you made, by just double-clicking it on password field. Password will paste on your clipboard and will automatically delete after 12 seconds.
  *Make sure you save your database of KeePass safe and remember your master password on the database*
  Thanks whotookmycrypto (https://bitcointalk.org/index.php?topic=5132378.msg50625166#msg50625166) and OmegaStarScream (https://bitcointalk.org/index.php?topic=5132378.msg50625257#msg50625257) for this.
  
  Android Version:
  KeePassDroid  (https://play.google.com/store/apps/details?hl=en&id=com.android.keepass)
  I just found an android version for password manager/password generator which is also open-source and you can use it offline.
  The good thing here you can import your database file from your KeePass in windows. They are almost the same.
  https://i.imgur.com/o2Faf3v.png
  Read/write support for .kdb and KeePass 1.x.
  Read/write support for .kdbx and KeePass 2.x.
  

---

TIPS

• Do not share your passwords to anyone.
  Be careful who you trust, never share your password.
  
• Use a different password for every account you have.
  Just like on different crypto exchanges, don't use only one password for every exchange you have.
  
• Always create long passwords.
  The most recommends password contains a minimum of 8 characters  or 12 characters
  
• Never upload your passwords to the cloud.
  Avoid storing your passwords online, like storing it on some file hosting services.
  
• Always use two-factor authentication(2FA) or multi-factor authentication (MFA).
  This will help your account more secure, since before you can log-in on a particular website.
  
• Be careful on Phishing websites.
  Even how strong your password is, once you fall in phishing website, it's useless.
  

Some discussion here Creating strong password. (https://bitcointalk.org/index.php?topic=5052209.0).

You got any ideas creating our password strong and secured or any tips? feel free to add by posting it below ;)
Filipino Version: Gabay sa Paggawa ng Malupit at Ligtas na Password (https://bitcointalk.org/index.php?topic=5138376.0)

---

Sources:
How to create a strong password (https://blog.avast.com/strong-password-ideas)
How to Create a Strong Password (and Remember It) (https://www.howtogeek.com/195430/how-to-create-a-strong-password-and-remember-it/)
How to Create a Secure Password (https://www.wikihow.tech/Create-a-Secure-Password)
[must read]Tips on creating a secure password[important] (https://www.mobilarian.com/showthread.php?t=300564)

Good stuff. Personally feel that no password guide would be complete without a section on how to store and use them eg. with a password manager.

Also, wouldn't feel comfortable using an online tool like Avast to generate passwords. Much more comfortable using an offline tool to generate passwords like a password manager eg. https://keepass.info/ With KeyPass, you can generate strong passwords in 2 simple steps.

Step 1: Select dropdown box
Step 2: Select the strength required of your password
Note: You can also customize what characters are allowed / disallowed in your passwords when they are generated which is handy.

https://i.imgur.com/DzWGBkb.png

Lastly, using password managers also solves the problem you mentioned of passwords being "hard to memorize".

Interesting read on how password cracking is done: https://arstechnica.com/information-technology/2013/10/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking/
Helps you gain insights into unsafe sources of generating your password from.

Stay safe.

It has been discussed here in the forum on how to create strong password so I'll just add the thread link in here and also you can read other people's tips on what to do if something happens or if there is a virus/malware in your computer. Here's the link of the thread: Creating strong password. (https://bitcointalk.org/index.php?topic=5052209.0).

Yes, saw that and wanted to link to that too. But having read both threads don't you think OP's post is much more comprehensive than the other thread?

A video to give people a deeper understanding of how hackers crack passwords: https://www.youtube.com/watch?v=YiRPt4vrSSw

As for your suggestion to use Avast, I think it's safer and more secure to use something open source like KeePass  (https://keepass.info/) to both generate and store passwords.

Well, it's not about which thread is much more comprehensive but one thing in common both of them provide an Image where there is an example of strong password on a board. The reason I link that thread is that there are replies there like an app you can use to have a strong password like having a password manager.

What do you think about this the same threads?

Date Created: November 20, 2018, 08:25:11 AM
https://bitcointalk.org/index.php?topic=5072351.0
The image is not that good but still clear anyway.

Date Created: April 04, 2019, 05:16:41 AM
https://bitcointalk.org/index.php?topic=5127958.0

A general rule regarding password security is:

Length beats complexity.


Rather make your password a few characters longer, than using special characters which makes it hard to memorize.

This quote is from a post i made less than 2 weeks ago:


Mathematically it is better to increase the exponent (amount of characters) , not the base (set of characters).
This example was with lowercase letters only.
If you take upper case and numbers into it, you can confidently go without special characters by simply increasing the length by 2 or 3 chars.




You know, what would be an even stronger password ? If you'd take the whole sentence: I Was Born At 2:35pm In The Country Of Germany
You have to memorize the same, but you increase strength by a lot.

Another example for a stronger (and easier to type) password would be: Germany is where i have been born.
Even though it might seem less secure because it is a whole logic sentence, the bit strength considering bruteforce is way better.

And dictionary attacks aren't effective against this either, even though this is against your rule B:


To completely mitigate dictionary attacks which are targeted at you, use random words.

The classical password correct battery horse staple is about 10¹² (= 1.000.000.000.000) times stronger than IWaBoAt2:InThCoOfGe:


correct battery horse staple:
- lowercase + special chars (even tho its just 1 it has to be considered) = charset of 58
- 28 Characters

=> 58²⁸ possibilities => ~ 2.37x 10⁴⁹


IWaBoAt2:InThCoOfGe:
- Lower- + Uppercase + special chars (even tho its just one it has to be considered) + numbers = charset of 94
- 19 Characters

=> 94¹⁹ possibilities => ~ 3.08 x 10³⁷



So, to summarize:

Length beats complexity!

Thanks for this, I added this on the OP, before the Avast random password generator since I found this KeePass is much safe since you can generate password offline and it is open-source.

Done creating a simple guide on how to use a password manager, I used the KeePass since OmegaStarScream (https://bitcointalk.org/index.php?topic=5132378.msg50625257#msg50625257) also found this much safer than Avast.

Oh, Thanks for noticing this thread, no worries, I will also add this on the OP.

Exactly. The more characters on your password will be more secure and make your password stronger.

This rule B is risky if some hacker is the only target is you, they can use some of your personal info to bruteforce your passwords, and yes dictionary attacks for this is really aren't effective.

But this still safety for some scenarios? Like for example, you are on the public and then you type this password and someone is watching you then they can read what you are typing in the keyboard as they can read on what you are typing in the keyboard.

The problem is that if you choose an easy password it is easy to hacks, otherwise it is difficult to remember or people will copy/paste those words "You will be exposed to many risks such as clipboard viruses, impossible to remember without copying/pasting."

The best option is to use some sites like this site -----> https://passwordsgenerator.net/[/b]]https://passwordsgenerator.net/ (http://[b).

you can generate new password:  [ raQyd*UF!E3+PGZkz2kBrp+ ]  and you can save this to remember:  [  rope apple QUEEN yelp drip * USA FRUIT ! EGG 3 + PARK GOLF ZIP korean zip 2 korean BESTBUY rope park +  ]

I never use any password generator, my brain is best generator and paper is for now keep all them safe. It's quite logical to not use common / simple passwords (which most people do), but to make relatively strong passwords. Take for example a 12-character password, it is not easy for the average person to remember such password, but if we divide it in 3 parts (3x4 character) it is very easy to remember such password.

Even if I always create unique passwords and write them down on paper, with time I manage to learn them by memorize part of the password at the time. If I estimate that password need extra strength, I just add 4 character more by password change option. In this way you can very easy memorize even 20-character password, and in same time keep backup on paper.

Really paper? RL opsec isn’t your strong point.

What is wrong with paper? With proper storage paper can last a few hundreds years, quite enough for me. I was never hacked or lost any password in 15 + years of using internet.


https://www.loc.gov/preservation/care/deterioratebrochure.html

Usually password fields do not show what you enter in plain text.

Regarding watching the keyboard.. that applies to anything you enter. I'd even say that it is harder to recognize what you type if you type a sentence fast, than typing a complex password slowly.

But in the end.. we were talking about technical security.
Someone can always just watch what you type or blackmail you to give the password out. No password is protected against that.

I heard about Keepass around two months ago, but still not use it to secure my account. Today, the guide makes me feel more easily to secure my accounts with Keepass. The random apssword genersting feature is amazing.
All those steps presented are very detailed, and tips from whomtookmycrypto makes sense. I appreciated contributions both GreatArkansas and whomtookmycrypto for the topic and for the forum.

I really don't know about this point. While having your password database on the cloud like on your Dropbox account is definitely a security attack vector, I think it should be fine if your master password is also secure enough(as it should be in the first place). I mean, I don't trust my hard drive to not break in the future; and it would be a hassle to update my password db on a flash drive every time I change a password. So using the cloud to store my password db is fine for me. Just my 2 satoshis.

I went to a seminar and they told us how to create a strong password. The person that gave the seminar said that you should create a password by making a phrase . For example, I Ate A Thousand Donuts In 1 Day. The scenario shouldn't be related to you just like my example and you will get the first letter of the words in the phrase. So that would be. IAATDI1D. Or you can try iaatdi1d. Or a combination of it, IaAtDi1d. But I think the best password includes special characters since password hackers will find a hard time hacking it.

You can see bob123's (https://bitcointalk.org/index.php?topic=5132378.msg50625648#msg50625648) post above for a great explanation of why it would be better just to use the whole phrase, rather than just using the first letter of each word. It doesn't make sense to remove so many extra bits of entropy when you have to remember them all anyway.

Still, even with all the advice in this thread about how to come up with good passwords, the best option remains to use an open source, encrypted, password manager such as KeePass (https://keepass.info/) which will generate truly random and very secure passwords.

How about using hash for example: SHA256("not-too-complicated-password"). We could use SHA256 x times, then x also part of the password. Alternatively, we could use a full bible verse since we also only need to know the book name and number, for example, Mark 15:9.

when  you are writing a guide like this you should not think about how YOU can make a strong password, instead you should think about all the people who are going to use that method. in this case (using a sentence with actual words instead of using symbols,...) the example here may be strong but most people are not going to create strong passwords like that. next thing you know they are using passwords that while looking unique are easy to guess even without a dictionary attack. and that is the point of that extra complexity added to the passwords. humans are not capable of making truly random/complex passwords in general.

how about a deterministic password manager?
i don't really know if such thing exists but the basic idea of it is similar to BIP32. you have an entropy that you back up and then each time you need a new password, you derive that password from that entropy by incrementing your step.
it would be very easy to write an app for it too.

Still much safer to use offline password generator, like KeePass.
There's still some pros and cons for storing our password online or offline. Yes, it's okay to use paper to keep them safe. Even in storing our private keys in different crypto-currencies wallets, they are suggesting it write in paper and never store it online.
Yes, you can also use this. It could help you to easily memorize the password, as long as you know the bible verse.

I stored my keys or passwords as a mixture between online and offline methods. However, I always choose the most reliable cloud storage providers or softwares to store my keys or passwords. For offline storage, I usually store them in as safest places as I can, that are water-, fire-resistant.
In my opinion, I don't think we should choose only one method, online or offline, because as you wrote, each of them has its pros  and cons.

Hmm. It can work. Though I don't see majority of the people doing this unless such a feature is implemented on an open-source password manager like KeePass. I'm definitely going to spend a good amount of time thinking of how I can apply this to my current system without adding too much hassle.

Deterministic password manager can't really work for all sites like usual manager do.
There are quite a few problems with deterministic password manager:

• Different password policies for each site
• Password revocation
• You can't store already existing passwords / private keys / etc.

For a more detailed (about 5 minute-)read, look here: https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers (https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers)

I would never store anything crypto related on cloud storage.  You never know who will have access to those files and they will be a much larger target for hackers.  I keep everything offline and I have a different password for every single website/service/wallet I use.

No, but they should. We shouldn't be tailoring or dumbing down good practice to fit people's behaviour; rather, they should be tailoring their behaviour to be in line with good practice.

Better not to use a phrase that appears in popular literature, songs, movies, etc. Also, you would have to remember exactly which version of the Bible, and which edition of that version, you had used, because there are hundreds with very subtle differences.

Why not? Especially if you can secure your accounts with 2FA, for accounts on cloud storage platforms, simultaneously with email confirmations, and email has its 2FA security, too. Only using offline might lead to bad things in worst cases, such as your house got fired, and burnt into ashes.
Surely right, mate. I do the same like you, I never use same passwords for all my accounts on different sites.

Password is very important but mind you that this.could be one of.the reason why one could not access the account for password was forgotten due some.facts that you made it difficult for.you to remember. It is easy to talk about saving password on notes like digital notepad but it will defeat its purpose if note pad will be compromise.

So, I recommend to just use one strong password to all of the accounts for sure one will never going to lose his/her account having one strong password.

the only complication that i can think of is that unlike private keys (HD wallets) in a password manager you have no way of knowing how many passwords you have used because there is no "public key" and "blockchain" to check which one was used. which can be solved if you keep a backup on the cloud only from the "paths" like this:
bitcointalk.org -> path=m/1/3
google.com -> path=m/2/5
...
the first number can be the "account" for different websites and the second number is the number of passwords you have already used like when changing the password every now and then you create the next one.
of course there is the additional risk of not being careful and creating the same thing twice.

easily solvable by treating the derived bytes as the fixed entropy used to derive a password from. or simply use a certain encoding that only gives you the allowed characters! for example if it doesn't allow symbols then use base-62 (10 num + 2*26 letter (lower+upper)!

then you derive the next one. m/1/3+1=m/1/4

the whole point is not storing them but creating them on the fly.

these two are the biggest concerns though:

I just added an Android version of KeePass in the OP. Although the KeePass from windows is not the same developer with KeePassDroid from Android, both are still open-sourced projects and they are almost the same.

Additional tip to keep your password safe:

Be aware of your surroundings. When you are entering your password , make sure you are not getting Shoulder surfed. (https://en.wikipedia.org/wiki/Shoulder_surfing_(computer_security))

More additional tips to keep your password safe. Always check the computer if there is any applications that is installed on the computer like keylogger applications. You can also check the task manager if there is a program that is running. Some keylogger doesn't show in installed program and it is hidden.

This would make it necessary to keep the backup up-to-date with the latest 'version' of your HD password manager file.
Which.. destroys the purpose one want to use a HD password manager (to not having to update all backups after changing / updating a password).




Again, both of these approaches need you to update your backup file regularly after changes.
If you need to do this, you don't have a reason to use a HD password manager.

The whole sense of a HD password manager is to have 1 backup file generated, and not having to update it anymore.
Without this advantage, there is no good reason to use a HD manager instead of a standard password manager.




But you still can't add other sensitive information which you want to be stored inside there.
If i want to store my private key to a specific address there.. i can't. Obviously i do not want to create a new one in this scenario.. i want to save a specific one saved there.
This works in standard password managers, but not in a HD one.


In the end, if you need to update the backup file, you only have disadvantages - and no advantages - using a HD password manager compared to a 'normal' one.

while it may be inconvenient, i find standard password managers such as keepass better for me as i can print out the list on paper, plus store other related things (urls, challenge answer used, notes, whatever) in it. then the list can be copied and stored in different secure locations.


multiple copies of keepass can be used for the various things with varying levels of security.. banking in one, logins on another, whatever on a third.

EDIT: the quote nesting is probably pretty messed up, my apologies.

Great guide!

Just to add to what is already here, another alternative password manager to generate and store passwords is Lastpass (https://lastpass.com) which also has several advantages over existing password managers,for example:

• Its available on PC and mobile platforms with support of most of the popular browsers on Mac,Windows,Linux and (Android + iOS)
• easily syncs your data on different platforms
• Multi factor authentication for that extra layer of security
• better user interface

Thanks for the additional, but I found this password manager is not open-sourced software and they have pricing, which you can avail their premium products. For me, I don't want to pay for this kind of software, it's just password manager, there is a lot of other software which is totally free and open source.

Interesting video on how password managers work, wanted to share: https://www.youtube.com/watch?v=w68BBPDAWr8

Thanks for the video, I watched it and he really explained it well detail by detail. Also heard that he told that using a password manager is not quite risky at all.

Hello everyone, I found another alternative for KeePass Password manager.

Password Safe (https://pwsafe.org/)
They are also look a like KeePass.
Open-source software and totally FREE also.
https://i.boring.host/18DIBLtf.png

Password Safe has also for android phones PasswdSafe - Password Safe (https://play.google.com/store/apps/details?id=com.jefftharris.passwdsafe) and also available in appstore pwSafe 2 - Password Safe (https://itunes.apple.com/us/app/pwsafe-2-password-safe-compatible/id938922963?mt=8&ign-mpt=uo%3D4) Just visit their website  (https://pwsafe.org/)for more information.

Having a password generator or a password application is not a safe option for anyone to have. If you have Notepad++ (Most people have that program pre-installed in their computer) you should just mash long keywords on your keyboard so you could copy and paste whatever you wrote on there and use that as your password for your Bitcoin or Altcoin wallet. Save that file then encrypt it.

You should always encrypt all of your password files inside of a .rar file or something similar to it.

The good thing on using some password application is the management. Like how you manage your passwords, especially you have multiple accounts on a different website and you are required to log in most of the time. Using password managers helps you to organize your different account  and I find it also safe since some password managers have their 'master key' or password for the password database or before you can open the application, one example is KeePass.

This is good way also since it is encrypted, but I find it not convenient, since it's just a normal txt file and once you already decrypred the file and open the txt file, it will show all your all plain passwords w/out masked then it is prone to Shoulder surfing (https://en.wikipedia.org/wiki/Shoulder_surfing_(computer_security)).

Suggestion formulas to create passwords easy to remember

1. last/first 2-3 character of fave goods near you and write with capslock (ball, chair, laptop, etc)
2. last/first 2 digits year for a memorial moment (graduation, resigned, etc)
3. Symbol (choose your favorites)
6. Number of your favorites players on football (caps/low)
7. initial of your fave players
8. end with two symbols (different symbol)
9. another initial for players mix low and caps lock

Example:
Goods: Ball, memorial years: 1991, Fave symbols: %, Fave players number: 03, Initial: mdn (for Paolo Maldini), another 2 symbols: !, another initial, pOl

Passwords you can create like this:
BAL91%03mdn!&pOl

I hope it will be work for you guys. because it works for me  ;D

Just use a password generator and for example Last Pass to remember all the login and passwords.
It is the safest option.

It is A safer option but not the safest since hackers are targeting password managers just like any other software.


Read this:
https://www.komando.com/happening-now/547660/hackers-find-security-flaws-in-5-popular-password-managers-are-you-safe

If you have bad online practices, no software or password manager can help you. They can minimize the treat but most of it is down to the way the individual user is using the Internet. 

I've never had any accounts "hacked" what I have done though is lock myself out with these security options, how ironic right? I have however had people try to get into my accounts. Some is trying to get into my epic games account. My cointiply account has nothing in it even and someone keeps trying to get in. Noone got into either of these though. The password just kept resetting and sending to my email. No attempt has been made to get into my gmail account which I have owned for over 10 years now I think.

I basically just read a guide and used my common sense by thinking from a hackers perspective. So no personal links to anything like birthdays or hobbies just like the OP has said.
I never use the same password over even use partly the same password. Each are unique I use bout 16 characters and use upper and lower case, numbers, symbols. I mix these up so I don't have two numbers together and I I try not to repeat a character.

Here are some examples of a password I would make.

J6f&E1p3%8*G2L*F#7

I also can't understand when I see bounty hunters asking managers to change their address because it was hacked. I think it must be phishing. Always verify any website you want to enter login info on using a whois website. Make sure the websites match up. If they don't then you will lose your account due to phishing. My eth account passwords are very long like a private key and I encrypt the place where I copy-paste the password from. I use nod32 antivirus. I always check and match the clipboard too. I do this at least 3x I also keep 3x backups of my personal info. 1 an usb the other 2 on external hdds. The folder in ecrypted and password protected using 7zip. I keep the password to the 7zip file written down in 3 different places 1 being my safe.

I am not saying I will never be hacked. What I am saying is that it would be very very difficult even with the best social engineering. Since everything is completely random not even I know my passwords or even part of them.

I am also pretty sure that being careful will take care of 99% potential hack attempts.

One last thing I do is I link my accounts with F2A and I link my accounts to my phone number or to IP address.

The IP address works very well. No other IP but mine can login to my website for example. They can try use a vpn it won't work since the need the exact IP.

Very nice guide.

Btw I looked through the posts here and there quite a few nice ones so I gave 3 of you some merits since you deserve them. I try to give them to nice posts I see and help people out.

My advice is that, don't create password all because you want it to be hard for hackers to hack. Create password that will be easy for you to memorize. Always try and create a unique password you can store up in your brain  and be able to login with it anytime of the day

Great Guide mate, I  generate my password by smashing my keyboard with random Small and Capital letters, numbers, symbols and paste it on a notepad. I'm doing the traditional way. I don't trust password managers even if is it an opensource, What if it got hacked my all password will be exposed but I'm not against it, but it is a software maybe someone in the future will discover how to exploit it.

Try to make the password longer which is better. For example- Mix of letters > lowecase/uppercase > symbols > numbers > don't give any personal information or any words of the dictionary.

• Don't use the same password for every platform.
• Don't write your password anywhere keep it with you securely and there are some apps that are there where you can keep your password safely.
• Also, you can use some security tools which you will get it on google.
• Don't share your password with anyone

• At last keeps the password which is unique, easy to remember and hard to guess.

All your advice is good up to this last point, which is the wrong advice to give. A password which is easy to remember is easy to guess and easy to brute force.

It's simple: Humans are bad at being random. This means we are bad at choosing passwords, passphrases, brain wallets, or anything similar. Don't even try. There's a reason that wallets generate a random seed for you and don't let you input your own (or at least, you have to use advanced configurations if you want to input your own, since it is very high risk). Use a proper password manager such as KeePass or Bitwarden to create truly random passwords and store them for you.

I think I won't use any simple numbers to create a strong secure password. Then hackers can easily hack passwords. That's why if we use% *: with numbers when giving strong passwords, it will take a long time for them to hack their passwords. Not easy to do.

I don't think password manager's could be trusted enough to generate a password for use, mostly when it has to be used for some thing very important or financial stuff.

Most of the people around tend to use same password on most of there user accounts online and they carry a risk of loosing all they have at a single cracking incidence so I would just advice not doing so, but its seems to be in human nature.

I think a manual randomly generated password could act in a more secure way than a generator.

Not really. If someone is going to bruteforce your password, then they will likely already being using the full ASCII character set. There's a lot more to a truly secure password than just throwing in a percentage sign somewhere.

That's incorrect. Human beings are very bad at being random, and when we think we are being random, we aren't. You shouldn't be relying on yourself to come up with random passwords, passphrases, seeds, entropy, or anything else. Password managers such as KeePass, which will generate real random passwords for you, are open source, so no trust is needed.

i don't think we can generalize this because it will come down to how the password is actually created. for example if it is simply a couple of obvious words with one or two symbols thrown in there then it could be broken rather easily. but technically adding symbols to the mix is increasing the search space.
if the password consists of only letters:
- no case sensitivity -> each position is only 26 possibilities
- with case sensitivity -> it goes up to 52
- with symbols -> it jumps to 90

I mean, you absolutely should be using the full character set allowed by whatever password or passphrase you are using, but my point was that your password isn't necessarily secure just because you are using the full character set. Many people who use numbers and symbols use them to change a single letter in an otherwise weak password (such as p4ssword or pa$$word), or just append them to the end.

If you want a strong password you need to use the full character set and have a program generate a long and random string for you.

Password managers are open source software used by millions of people. If you don't trust them, you might as well stop trusting all Bitcoin clients, all operating systems, all hardware, all algorithms.

People who misunderstand security tend to weaken themselves by focusing on the wrong things and trying to reinvent the wheel, while lacking the theoretical knowledge to do so.

To me I believe the best password to use is number and alphanumeric with this nobody can easily catch your password expect it was disclose by you and the habit of people send password through any internet miss is very bad. So let try and keep your password save like we do to our money because losing your password is equivalent to losing of your investment on fire blaze...

Plus don’t use logical when you build your pwd

BUMP

Be very careful about these complex methods, it's not as safe as you think, because :

For decades, the advice from information security experts was to change your passwords frequently and use numbers, capitals, and special characters. But we humans are bad at creating randomness, and we’re bad at remembering things. So inevitably people used simple words, names, birthdates, and sayings, swapping out letters with similar-looking special characters. Hackers can crack these kinds of passwords in a matter of seconds.

In an effort to make secure systems, the prevailing password advice actually made the systems less secure. Or, as the user AviD now-famously put it on Stack Exchange, responding to the XKCD comic: “Security at the expense of usability comes at the expense of security.” In other words, if your “secure system” isn’t easy to use, people won’t use it, negating the security benefit.
[...]
When you use passphrases, also keep the following in mind:

Four words should be sufficient. Five words is better.
Don’t choose from the most common words, and don’t choose quotes or sayings. The words should be as random as possible.
Use a unique passphrase for every account you own. That way, if one passphrase is ever exposed, the other accounts remain secure.
https://protonmail.com/blog/protonmail-com-blog-password-vs-passphrase/


https://protonmail.com/blog/wp-content/uploads/2019/03/passwords_blog_protonmail.png

When you want to generate a secure password on Android using Google Chrome

1. Turn sync on in your Chrome
2. Go to a website and sign up for an account.
3. Tap on the password text box.
4. Tap Suggest strong password.

If you don't see this option, tap Password Save your password and then Suggest strong password.
You'll see a preview of the password. To confirm, tap Use password.
Finish signing up for your account. Your password is automatically saved to Chrome.

When you want to generate a secure password on iPhone & iPad

1. Turn on sync in your Chrome.
2. Go to a website and sign up for an account.
3. Tap on the password text box.
4. Tap Suggest password.

You'll see a preview of the password. To confirm, tap Use suggested password.
Finish signing up for your account. And Your password is automatically saved to Chrome.

Source:
https://support.google.com/chrome/answer/7570435?co=GENIE.Platform%3DiOS&hl=en&oco=1#

Turn sync on and off in Chrome:
https://support.google.com/chrome/answer/185277

Someone hacked my common password and stolen my all BTC about 0.5 BTC. Now I am using google's suggestion for creating a strong password.  I do not save the password on my computer or mobile,  Google saves it and provides me whenever I need. I also use 2FA to keep myself tension free. But all times I feel the pain for my losses for a weak password. After all, your suggestions also helpfull for all like me. Thank you.  

How come the hacker able to transfer your BTC from your wallet? What kind of Bitcoin wallet do you use?
It's kinda impossible a hacker can hack your Bitcoin wallet for using a password, unless you are using some centralized Bitcoin wallet that you are not the only one who knows your private keys or you don't have any the private keys of your Bitcoin wallet.

Just beware, don't really trust google for holding your passwords. I think what you mean is their built-in password manager in their browser.
Much better to use some password managers that are open-sourced, just like in the first post; KeePass.

This is the reason why I have told mobile users. Do not use the same password everywhere.
I am sad to hear that your BTC has been stolen

+1. Google invade your privacy. They mine your data. They sell your personal info. They track and log everything you do online, every website you visit, every search you perform, every picture you look at, every email you send or receive, every purchase you make, literally everything, and sell it to anybody who's interested. They also have atrocious security practices, have been caught storing users' password in plaintext for years, and have been hacked for user credentials multiple times. I wouldn't trust them with a single piece of my personal information. The fact people are recommending them as a password manager is concerning, to say the least. If you care at all about your privacy or security (and given that you are currently on a bitcoin forum), you should not even have Chrome installed, let alone be using it as a password manager.

KeePass if you want to keep it simple, or a self-hosted Bitwarden server, are what you should be using to create and manage passwords for you.

DON'Ts:

- Copy & paste your private key to Google search.
- Copy & paste your wallet passphrases to Google search.
- Copy & paste your wallet's seeds to Google search.
- Copy & paste your passwords (for any accounts on any platform) to Google search.
It is applied to all the other search engines, not only Google.

If you unintentionally do it (by mis-click), let's do the following ASAP:
- Move your funds to new wallets, and discard the old wallets.
- Change your wallet passphrases to new ones.
- Move your funds to new wallets, and discards the old ones.
- Change your passwords to new ones (don't reuse any past passwords).

Anyone here using KeyChain of Apple?
Because I recently used some Apple devices such as MacBook pros and mac ipads.
And I saw their KeyChain which is kinda a password manager on your device, which I think can also import/export or sync with other devices as long as you connect in your apple account.

My question is, is KeyChain of Apple is safe to use for different account's passwords in our apple devices?

Yeah you pretty much covered them all. I always like to make sure that I use Letters, Numbers (Caps and lowercase), and symbols!  I hate how alot of websites require that you only use letters and numbers, Some require only lowercase and numbers! I try to stay away from those websites. To me if they do not know how to make a "Strong Password" The security probably sucks anyway and you should just stay away!

Ex. On how I would create my password!

Phrase: WelcomeToTheJungle
How I would create it:    @W3Lc0M32Th3Jungl3??!

I make my E's (3)
I make my A's @
I make my I's !
I add @,#,$,%,^,&,*,(,)! at both the beginning and ends!

But like I said You pretty much covered all the ways!

Although I want to use strong passwords with lots of special characters, what to do if my memory is not good?

I think if you would like to use a stronger password than offline passwords  you'll try 2FA Google Authenticator  it'll not be scared of many secure passwords and hacks because if someone wants to log in together with your ID  then the code are going to be logged without the code Also  you'll keep the password safe on the password notepad in order that your memory strength is low. If you are doing not remember your password here  you'll open the notepad pad again.

Yeah, the same password on some sites will be "Strong", whilst on others will be too weak to even be accepted. Don't rely on websites telling you how strong or otherwise your password is. You have no idea how good or bad their algorithm for calculating that is.

Use a password manager such as KeePass. I don't know my password to pretty much any online site. My KeePass database knows it, and is synced across all my devices and backed up offline too. The only password I need to remember is the one to decrypt KeePass.

2FA is good, but don't rely on it. Google Authenticator in particular isn't great - if someone hacks the connected Google account, they can transfer it to another device or disable it altogether without too much hassle. You should use an open source 2FA app instead.

Don't do this. Never write down your passwords in plain text, either on a physical notepad or a software one.

If you do not have a good memory you will not be able to use your password offline through a generator It would be best to have a small diary using pocket diaries that you can take to the green space. If you do not remember the password you need to remember to open the diary.

I use lastpass (online) and password safe (offline encrypted backups). Do not ever save your master password online/offline, it should only be known to your brain. Yes, Take effort to make one complex password and remember it for the sake of security.

You should write down and store it in a safe place ASAP. Security can backfire and cause you more trouble.

For logging into remote systems like BitcoinTalk, online exchagnes, e-mail and online services, if somebody hacks into their service, you are already fucked. Yes, most of them store passwords in a hashed form, but by then, villains probably have already gained access to your account.

Short passwords with length from 6 to 10 characters are safe enough to use for these. These systems are designed to detect multiple incorrect guesses and to protect the stored passwords properly, but they are not safe to use with encryption systems.

In this case, your methods are good, however, I wouldn't rely solely on one method. I would rather rely on a mix of methods and subsidizing few characters in my passphrase like "this is my passphrase" into "this !s my passp5ra&e" in order to throw off dictionary attacks.

And yes, you can use a password manager like KeePass with a database designated only for storing a password for your wallet. This way you can take advantage from KeePass' key stretching, making it harder for an attacker to steal your Bitcoins. This doesn't mean you can use weaker passphrases - always use passphrases of an entropy of at least 128 bits.

I have them stored in by brain, and have them remembered for like 3 years or so. Unless I get alzheimers I'm fine lmao

If you use a password manager, you should change a master password and then all other passwords every year.

I would say that the risk of forgetting any password/passphrase is much bigger than having it stolen if you store it in a really safe place.

However, if you forget your password, you still be able to remember at least parts of it, so you can guess the rest of it with Hashcat (http://hashcat.net).

Please, don't use Hashcat for illicit purposes.

Bruh, might be ok for master password, but huge no for every password I would literally go mad.

Then change the password for sensitive accoutns and files at the very least.

And if that Bible verse is the your favorite one or the one that you always tell yourself to have some motivation, then there's no struggle in remembering that as a password.

I personally do this one. Before, I'm struggling to think of a password. That's why I just tend to use an important date like birthday of my loved ones. But I figured I should use a stronger one. And a Bible verse is a great idea. But I don't use the whole verse. Just the book, chapter and verse number so I can type it easily. Works just fine with me. Plus, I get to recall the message of the verses which helps me spiritually.

Neither an important date (or any date for that matter) nor a bible verse (or a passage/phrase/saying/sentence/line/quote from any book/song/poem/movie/tv show/etc.) is a particularly strong password, especially now that you have just revealed that this is how you choose your passwords.

The fact that you are struggling to think of a good password (as would almost everybody) is a pretty clear indication that humans are bad at thinking up truly strong and random passwords. You should use an open source password manager such as KeePass, which will not only securely store all your passwords, but will generate long, random, secure passwords whenever you need a new one.

Another thing which i think is worth considering is not only to make a complex password but also to keep it secure. What i have judged that many people create a long complex password but since they cant memorize it, they put it on piece of paper or even as a sticky note on their laptop etc. This is even bigger mistake and there is no use to create a complex password if you can keep it safe from others.

To create a strong password,one has to add both alphabets and numbers coupled with lower and upper cases.

 :-[A mean as far as passwords go, this is the height of it. Sick! Can't believe people have thought of it to this extent. A whole passage! But then, there is going to be a lot of errors as passwords doesn't accept spacing and with the different interpretations of the bibles according to versions, once you forget your Bible version, not you forggeting the password alone, a lot of errors and unable to access are sure to come up.