I can't stand these moronic password rules


yh125d

Diamond Member
Dec 23, 2006
6,886
0
76
I like to think I have a pretty strong set of passwords. As strong as can be without special characters or ridiculously long or something I guess. 8 characters, case sensitive, multiple numbers and letters, not a word of any type, not using the numbers to replace letters to form a word (1=i, etc), not related in any way to stuff like SS no, b-day, mothers maiden, favorite book blah blah. Not any sort of code at all, and no pattern in the characters, no meaning whatsoever. I could easily expand it to 16 or 24 characters if I needed an even stronger one
 

Eli

Super Moderator | Elite Member
Oct 9, 1999
50,419
8
81
I also simply increment the last character (a number) in my password at work. We only can't use the last two passwords, so it alternates between 1, 2 and 3. I'm back to 1 as of the other day, lol.
 

FDF12389

Diamond Member
Sep 8, 2005
5,234
7
76
1) We wish we could stop calling them passwords and start calling them passphrases.

2) This overly complex password issue that you describe is still vulnerable to keyloggers, as you noted.

The only method for removing keyloggers (and similar snooping) from the equation is two-factor authentication (RSA). Most companies don't want to spend the time & money to deploy such a solution, so they simply make the passwords overly complex and require changing them so often that the employees and helpdesk get frustrated.

These companies lack competent IT leadership. Chop off the fail at the head.

Entrust. RSA is a rip off, any company implementing two factor for the first time should go with entrust.
 

Leros

Lifer
Jul 11, 2004
21,867
7
81
My workaround was to come up with a single password that I could remember and then use variants when it had to be changed every 3 months.

Password2009_1
Password2009_2
Password2009_3
Password2009_4
Password2010_1
etc
 

nageov3t

Lifer
Feb 18, 2004
42,808
83
91
I've seen some passwords for clients where it's like, there's absolutely no way you're memorizing that 24-character password... having to write down a password on a piece of paper or a text file on your desktop seems way more dangerous than having a weaker password.
 

ultimatebob

Lifer
Jul 1, 2001
25,134
2,450
126
Yeah... I love the new password policies in Windows Server 2008. It must have at least 8 characters, at least 1 number, at least one capital letter or special character, must not contain your name or account name.

Oh, and it remembers your prior passwords and expires your password every 28 days. If you guess your password wrong more than 5 times, you get locked out.

Best of all... even after all that, a crappy password like Asdfgh12 is accepted.

I disable that policy as quickly as possible on systems that I have admin access on, and set the password expiration to something reasonable. If I can't, I end up having to write down the "password of the month" in order to remember it.
 

mb

Lifer
Jun 27, 2004
10,233
2
71
Biometric readers. Done.
They are set up here so that you still need a text password as backup and that needs to be changed every 90 days or you can't sign in with the biometric reader. So really it only solves part of the problem and creates a bigger problem of trying to remember the PW at the 90 mark if it's not written down because they haven't ever used it.
 

bobdole369

Diamond Member
Dec 15, 2004
4,504
2
0
The PC logins require 8+ characters, at least one digit, at least one special character, cannot reuse any of the last 24 passwords, good for 3 months. 3 wrong tries, you're locked out until you get IT involved.
I won't let users repeat the last 1 password. This way they can have a set they go back and forth on. It's fine that way IMHO. 8 digits, 1 spec is good enough sec for this small operation we run here.

Main corp application requires EXACTLY 8 characters with EXACTLY 1 digit and NO special characters, cannot reuse any of the last 24 passwords, good for 6 months. 3 wrong tries, you're locked out for an hour.
No reason for that short of trade secrets or finance, in which there should be some 3rd party thing like an RSA fob or physical security. I can't stand exact # passwords. They make no sense to me.
 

BurnItDwn

Lifer
Oct 10, 1999
26,353
1,862
126
I used to use presidents names for passwords... with embedded multiple special characters, numbers, lower and uppers .... "@Br4|-|aM__L1nco1N" for example ...
 

spacejamz

Lifer
Mar 31, 2003
10,961
1,659
126
I was okay until the last change in our company that requires at least 1 UPPER CASE, 1 LOWER CASE and 1 number in an 8 byte value.

Plus on some of our applications, if we change a password today, it cannot be changed again for 10 days. WHAT THE HELL IS THE POINT OF THIS??? So if it is password change day and you accidentally screw up changing this password, life is hell trying to sync them all back up if you want to keep the same password.
 

Stuxnet

Diamond Member
Jun 16, 2005
8,392
1
0
I agree that lockout rules are retarded. Once you require at least one special character, a number, and mixed case, it would require a brute force attack to crack... and in that case, you could allow 100,000 wrong attempts without even remotely compromising security.

I don't have a problem with complex rules as long as they're reasonable and as long as I don't need to come up with new ones constantly. When you require a new password every 3 - 6 months AND it needs to be complex, you're just begging people to put sticky notes on their desk...
 

iCyborg

Golden Member
Aug 8, 2008
1,350
62
91
I use a master password that has a trailing integer that I increment by 1 every time I'm forced to change passwords. They haven't figured out how to prevent that yet.
Same here, except I don't increment by 1, instead I use some other sequences like primes and Fermat's numbers.
 

oogabooga

Diamond Member
Jan 14, 2003
7,806
3
81
I work with Credit Card data - Our password requirements make sense to me.

For personal stuff: I just wish password systems were universal. I hate that at some places I'm required to have at least one upper/lower case, number, special character, 8+ and that at another place I am limited to max of 7 characters, no special characters allowed.

KeePass takes care of all this though so I guess it's not that big of a deal, I don't know about 90% of the passwords I use.
 

ViviTheMage

Lifer
Dec 12, 2002
36,189
87
91
madgenius.com
locking accounts after 3 attempts is the best, help desk can deal with resetting/unlocking passwords...it's the easiest thing in the world to do.

I'd loooove it if I could just have a stupid password for everything, but require a physical token.
 

GuitarDaddy

Lifer
Nov 9, 2004
11,465
1
0
We have crazy difficult password requirements that require me to keep up with half a dozen passwords, each of which has to be changed monthly, and I can't just increment an integer on the end. Our requirements are totally asinine and unneeded. Really pisses me off.
 

Drako

Lifer
Jun 9, 2007
10,697
161
106
My workaround was to come up with a single password that I could remember and then use variants when it had to be changed every 3 months.

Password2009_1
Password2009_2
Password2009_3
Password2009_4
Password2010_1
etc

LOL, that's similar to what I do, except it's:

Q1password2009
Q2password2009
Q3password2009
etc
 

pontifex

Lifer
Dec 5, 2000
43,804
46
91
What really sucks is that my current employer makes me use like 4 different IDs and passwords to access different things. I don't get why they can't make 1 login for everything; they already use the 1 (what they call a single sign on) for most stuff anyway.

I always use the same password but always increment the last digits when I have to change it.
 

DivideBYZero

Lifer
May 18, 2001
24,117
2
0
Using a compliant password with a sequential number in it is the best strategy. I have used the same password at work for 11 years, just changing a numeric value by one every 90 days.

I use the same strategy with personal passwords. Makes things very simple.
 
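Two recurring points in this thread are that the Windows Server 2008 rules ultimatebob describes still accept Asdfgh12, and that a plain "not the last N passwords" history rule is defeated by the Password2009_1 / Q1password2009 counter trick several posters use. The following is an added example (not code from the thread or from Microsoft) of the extra checks a defender can bolt onto a change-password handler: an approximation of the complexity rules, a keyboard-walk detector, and a history comparison on a normalised stem that strips the rotated counter. It assumes the previous password is available in plaintext at change time, as it is when the user types it.

```python
import re
from difflib import SequenceMatcher

# Keyboard rows used to spot walks such as "asdfgh" (assumed: US QWERTY layout).
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def meets_complexity(pw: str, username: str = "") -> bool:
    """Approximation (assumed, not Microsoft's code) of the Server 2008 rules in
    the thread: 8+ chars, a digit, an upper-case or special character, and no
    account name inside the password."""
    if len(pw) < 8 or not re.search(r"\d", pw):
        return False
    if not re.search(r"[A-Z]", pw) and not re.search(r"[^A-Za-z0-9]", pw):
        return False
    return not (username and username.lower() in pw.lower())


def has_keyboard_walk(pw: str, run: int = 5) -> bool:
    """True if pw contains `run` consecutive keys from one keyboard row, which is
    how Asdfgh12 satisfies every rule above while still being guessable."""
    low = pw.lower()
    return any(row[i:i + run] in low for row in KEYBOARD_ROWS
               for i in range(len(row) - run + 1))


def strip_counter(pw: str) -> str:
    """Normalise away the parts posters rotate: a leading Q1..Q4 quarter tag and
    trailing digits/separators, so Password2009_1 and Q2password2009 share a stem."""
    stem = re.sub(r"^[Qq][1-4]", "", pw)
    stem = re.sub(r"[\d_\-.]+$", "", stem)
    return stem.lower()


def is_trivial_variant(new_pw: str, history: list[str], threshold: float = 0.8) -> bool:
    """Flag a candidate that is a counter rotation or near copy of a remembered
    password. Assumes plaintext of the old passwords is available for comparison
    (true for the one the user just typed; older ones would have to be kept as
    hashed stems), which is why a hash-only history rule never catches this."""
    new_stem = strip_counter(new_pw)
    for old in history:
        if strip_counter(old) == new_stem:
            return True
        if SequenceMatcher(None, old.lower(), new_pw.lower()).ratio() >= threshold:
            return True
    return False
```

Run against the thread's own examples, Asdfgh12 passes meets_complexity but trips has_keyboard_walk, and Password2009_2 or Q1password2009 are flagged as variants of Password2009_1 even though a 24-password history would accept them.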

Nintendesert

Diamond Member
Mar 28, 2010
7,761
5
0
At my work place, we don't pick our own, they get picked for us. :)

I imagine if you were to look on the monitors or in the desks of most of the offices, you'd find a post-it with a bizarre string of 8 characters.

You have some horrible network security.

That being said a CAC or a one-time password system is far superior despite the morons that lose or forget them. That can be dealt with administratively. It also negates the effectiveness of key loggers.
 

lord_emperor

Golden Member
Nov 4, 2009
1,380
1
0
I agree with the OP, give me the requirements and I will come up with something that meets them and which I can remember.

Have it expire and I'm going to not only to choose something stupid but I'll have to write it down because I can't remember the damn thing.