[GUIDE] How to Create a Strong/Secure Password

[tbct_mt2]

I stored my keys or passwords as a mixture between online and offline methods. However, I always choose the most reliable cloud storage providers or softwares to store my keys or passwords. For offline storage, I usually store them in as safest places as I can, that are water-, fire-resistant.
In my opinion, I don't think we should choose only one method, online or offline, because as you wrote, each of them has its pros  and cons.

[1715563413]

1715563413

[1715563413]

1715563413

[mk4]

~would be a hassle to update my password db on a flash drive every time I change a password. ~

how about a deterministic password manager?
i don't really know if such thing exists but the basic idea of it is similar to BIP32. you have an entropy that you back up and then each time you need a new password, you derive that password from that entropy by incrementing your step.
it would be very easy to write an app for it too.

Hmm. It can work. Though I don't see majority of the people doing this unless such a feature is implemented on an open-source password manager like KeePass. I'm definitely going to spend a good amount of time thinking of how I can apply this to my current system without adding too much hassle.

[bob123]

how about a deterministic password manager?
i don't really know if such thing exists but the basic idea of it is similar to BIP32. you have an entropy that you back up and then each time you need a new password, you derive that password from that entropy by incrementing your step.

Deterministic password manager can't really work for all sites like usual manager do.
There are quite a few problems with deterministic password manager:

• Different password policies for each site
• Password revocation
• You can't store already existing passwords / private keys / etc.

For a more detailed (about 5 minute-)read, look here: https://tonyarcieri.com/4-fatal-flaws-in-deterministic-password-managers

[Indamuck]

I stored my keys or passwords as a mixture between online and offline methods. However, I always choose the most reliable cloud storage providers or softwares to store my keys or passwords. For offline storage, I usually store them in as safest places as I can, that are water-, fire-resistant.
In my opinion, I don't think we should choose only one method, online or offline, because as you wrote, each of them has its pros  and cons.

I would never store anything crypto related on cloud storage.  You never know who will have access to those files and they will be a much larger target for hackers.  I keep everything offline and I have a different password for every single website/service/wallet I use.

[o_e_l_e_o]

the example here may be strong but most people are not going to create strong passwords like that.

No, but they should. We shouldn't be tailoring or dumbing down good practice to fit people's behaviour; rather, they should be tailoring their behaviour to be in line with good practice.

Alternatively, we could use a full bible verse

Better not to use a phrase that appears in popular literature, songs, movies, etc. Also, you would have to remember exactly which version of the Bible, and which edition of that version, you had used, because there are hundreds with very subtle differences.

[tbct_mt2]

Why not? Especially if you can secure your accounts with 2FA, for accounts on cloud storage platforms, simultaneously with email confirmations, and email has its 2FA security, too. Only using offline might lead to bad things in worst cases, such as your house got fired, and burnt into ashes.

I would never store anything crypto related on cloud storage.  You never know who will have access to those files and they will be a much larger target for hackers.  I keep everything offline

Surely right, mate. I do the same like you, I never use same passwords for all my accounts on different sites.

I have a different password for every single website/service/wallet I use.

[jademaxsuy]

Password is very important but mind you that this.could be one of.the reason why one could not access the account for password was forgotten due some.facts that you made it difficult for.you to remember. It is easy to talk about saving password on notes like digital notepad but it will defeat its purpose if note pad will be compromise.

So, I recommend to just use one strong password to all of the accounts for sure one will never going to lose his/her account having one strong password.

[pooya87]

Deterministic password manager can't really work for all sites like usual manager do.
There are quite a few problems with deterministic password manager:

the only complication that i can think of is that unlike private keys (HD wallets) in a password manager you have no way of knowing how many passwords you have used because there is no "public key" and "blockchain" to check which one was used. which can be solved if you keep a backup on the cloud only from the "paths" like this:
bitcointalk.org -> path=m/1/3
google.com -> path=m/2/5
...
the first number can be the "account" for different websites and the second number is the number of passwords you have already used like when changing the password every now and then you create the next one.
of course there is the additional risk of not being careful and creating the same thing twice.

Different password policies for each site

easily solvable by treating the derived bytes as the fixed entropy used to derive a password from. or simply use a certain encoding that only gives you the allowed characters! for example if it doesn't allow symbols then use base-62 (10 num + 2*26 letter (lower+upper)!

Password revocation

then you derive the next one. m/1/3+1=m/1/4

You can't store already existing passwords / private keys / etc.[/li][/list]

the whole point is not storing them but creating them on the fly.

these two are the biggest concerns though:

You can’t store randomly selected answers to security questions in such a vault.
Exposure of the master password alone exposes all of your site passwords

[GreatArkansas]

Android Version:
KeePassDroid
I just found an android version for password manager/password generator which is also open-source and you can use it offline.
The good thing here you can import your database file from your KeePass in windows. They are almost the same.

Read/write support for .kdb and KeePass 1.x.
Read/write support for .kdbx and KeePass 2.x.

I just added an Android version of KeePass in the OP. Although the KeePass from windows is not the same developer with KeePassDroid from Android, both are still open-sourced projects and they are almost the same.

[r1s2g3]

Additional tip to keep your password safe:

Be aware of your surroundings. When you are entering your password , make sure you are not getting Shoulder surfed.

[nakamura12]

More additional tips to keep your password safe. Always check the computer if there is any applications that is installed on the computer like keylogger applications. You can also check the task manager if there is a program that is running. Some keylogger doesn't show in installed program and it is hidden.

[bob123]

the only complication that i can think of is that unlike private keys (HD wallets) in a password manager you have no way of knowing how many passwords you have used because there is no "public key" and "blockchain" to check which one was used. which can be solved if you keep a backup on the cloud only from the "paths" like this:
bitcointalk.org -> path=m/1/3
google.com -> path=m/2/5
...
the first number can be the "account" for different websites and the second number is the number of passwords you have already used like when changing the password every now and then you create the next one.
of course there is the additional risk of not being careful and creating the same thing twice.

This would make it necessary to keep the backup up-to-date with the latest 'version' of your HD password manager file.
Which.. destroys the purpose one want to use a HD password manager (to not having to update all backups after changing / updating a password).

Different password policies for each site

easily solvable by treating the derived bytes as the fixed entropy used to derive a password from. or simply use a certain encoding that only gives you the allowed characters! for example if it doesn't allow symbols then use base-62 (10 num + 2*26 letter (lower+upper)!

Password revocation

then you derive the next one. m/1/3+1=m/1/4

Again, both of these approaches need you to update your backup file regularly after changes.
If you need to do this, you don't have a reason to use a HD password manager.

The whole sense of a HD password manager is to have 1 backup file generated, and not having to update it anymore.
Without this advantage, there is no good reason to use a HD manager instead of a standard password manager.

You can't store already existing passwords / private keys / etc.[/li][/list]

the whole point is not storing them but creating them on the fly.

But you still can't add other sensitive information which you want to be stored inside there.
If i want to store my private key to a specific address there.. i can't. Obviously i do not want to create a new one in this scenario.. i want to save a specific one saved there.
This works in standard password managers, but not in a HD one.


In the end, if you need to update the backup file, you only have disadvantages - and no advantages - using a HD password manager compared to a 'normal' one.

[vapourminer]

You can't store already existing passwords / private keys / etc.[/li][/list]

the whole point is not storing them but creating them on the fly.

But you still can't add other sensitive information which you want to be stored inside there.
If i want to store my private key to a specific address there.. i can't. Obviously i do not want to create a new one in this scenario.. i want to save a specific one saved there.
This works in standard password managers, but not in a HD one.


In the end, if you need to update the backup file, you only have disadvantages - and no advantages - using a HD password manager compared to a 'normal' one.

while it may be inconvenient, i find standard password managers such as keepass better for me as i can print out the list on paper, plus store other related things (urls, challenge answer used, notes, whatever) in it. then the list can be copied and stored in different secure locations.


multiple copies of keepass can be used for the various things with varying levels of security.. banking in one, logins on another, whatever on a third.

EDIT: the quote nesting is probably pretty messed up, my apologies.

[roosbit]

Great guide!

Just to add to what is already here, another alternative password manager to generate and store passwords is Lastpass which also has several advantages over existing password managers,for example:

• Its available on PC and mobile platforms with support of most of the popular browsers on Mac,Windows,Linux and (Android + iOS)
• easily syncs your data on different platforms
• Multi factor authentication for that extra layer of security
• better user interface

[GreatArkansas]

Just to add to what is already here, another alternative password manager to generate and store passwords is Lastpass

Thanks for the additional, but I found this password manager is not open-sourced software and they have pricing, which you can avail their premium products. For me, I don't want to pay for this kind of software, it's just password manager, there is a lot of other software which is totally free and open source.

[whotookmycrypto]

Interesting video on how password managers work, wanted to share: https://www.youtube.com/watch?v=w68BBPDAWr8

[GreatArkansas]

Interesting video on how password managers work, wanted to share: https://www.youtube.com/watch?v=w68BBPDAWr8

Thanks for the video, I watched it and he really explained it well detail by detail. Also heard that he told that using a password manager is not quite risky at all.

[GreatArkansas]

Hello everyone, I found another alternative for KeePass Password manager.

Password Safe
They are also look a like KeePass.
Open-source software and totally FREE also.


Password Safe has also for android phones PasswdSafe - Password Safe and also available in appstore pwSafe 2 - Password Safe Just visit their website for more information.

[Neovitadi]

Hello everyone, I found another alternative for KeePass Password manager.

Password Safe
They are also look a like KeePass.
Open-source software and totally FREE also.


Password Safe has also for android phones PasswdSafe - Password Safe and also available in appstore pwSafe - Password Safe Just visit their website for more information.

Having a password generator or a password application is not a safe option for anyone to have. If you have Notepad++ (Most people have that program pre-installed in their computer) you should just mash long keywords on your keyboard so you could copy and paste whatever you wrote on there and use that as your password for your Bitcoin or Altcoin wallet. Save that file then encrypt it.

You should always encrypt all of your password files inside of a .rar file or something similar to it.

[GreatArkansas]

Having a password generator or a password application is not a safe option for anyone to have.

The good thing on using some password application is the management. Like how you manage your passwords, especially you have multiple accounts on a different website and you are required to log in most of the time. Using password managers helps you to organize your different account  and I find it also safe since some password managers have their 'master key' or password for the password database or before you can open the application, one example is KeePass.

If you have Notepad++ (Most people have that program pre-installed in their computer) you should just mash long keywords on your keyboard so you could copy and paste whatever you wrote on there and use that as your password for your Bitcoin or Altcoin wallet. Save that file then encrypt it.

You should always encrypt all of your password files inside of a .rar file or something similar to it.

This is good way also since it is encrypted, but I find it not convenient, since it's just a normal txt file and once you already decrypred the file and open the txt file, it will show all your all plain passwords w/out masked then it is prone to Shoulder surfing.