RANT: Sites with ridiculous password policies...

Argo

2 rants actually:

Site 1: Requires a password that is at least 8 characters long, has 1 capital, 1 digit and one punctuation sign and cannot resemble any word. The site falls into the category of sites that have financial data but that I access fairly seldom. So of course I don't want to write down the password, and of course I forget it. To top it all off their "forgot my password" functionality appears to be unavailable. When I try it I literally get a message saying "This functionality is not available, please try again later".

Site 2: Requires you to change your password once every 3 months. You CANNOT use any passwords that you used in the past. It wouldn't be so bad, if this wasn't another one of those financial data sites that I access once every 2 or 3 months. So of course I constantly keep forgetting the password, causing me to go through the stupid reset password functionality.

Really, the only thing these stupid policies cause is for people to start writing their passwords and sticking them onto a monitor. Btw, both sites are personal financial sites from major institutions.
 

Exterous

I hate sites that make you choose off the wall security questions:
"What's your favorite dinner food?"
"Who was your father's friend's third wife's maiden name?"
 

wyvrn

Use Word 2007 to encrypt a document and keep your passwords there. Or use Winzip and do the same thing.

If you ever forget a password, you can look it up.

Alternately, set up a partition on your hard disk and use TrueCrypt on it. Store your passwords there.
 

Brainonska511

Originally posted by: Exterous
I hate sites that make you choose off the wall security questions:
"What's your favorite dinner food?"
"Who was your father's friend's third wife's maiden name?"

Not just off the wall questions, but questions that have variable answers and could easily change over time, like "what's your favorite movie?"
 

frostedflakes

I wouldn't consider either of those to be ridiculous. Both are good policies, at least for something as important as financial info.

Really, though, I'd assume phishing/keylogging/etc. is a much bigger problem with sites like this than people trying to brute-force passwords.

As others mentioned, write down your passwords. And you can use the password manager in your browser to remember your login info so you don't even have to type them in.
 

Leros

Originally posted by: Brainonska511
Originally posted by: Exterous
I hate sites that make you choose off the wall security questions:
"What's your favorite dinner food?"
"Who was your father's friend's third wife's maiden name?"

Not just off the wall questions, but questions that have variable answers and could easily change over time, like "what's your favorite movie?"

I could not get into a bank account I opened 6 years ago because the question was "What is your favorite book?"
 

Farang

Originally posted by: Brainonska511
Originally posted by: Exterous
I hate sites that make you choose off the wall security questions:
"What's your favorite dinner food?"
"Who was your father's friend's third wife's maiden name?"

Not just off the wall questions, but questions that have variable answers and could easily change over time, like "what's your favorite movie?"

I hate that and how it is so widespread. It is usually not a problem because I can find at least one choice that will have a constant answer, but lately I ran into a couple that were all questions like that and so I'm screwed if I ever have to answer them.
 

Locut0s

A similar question:

Do you feel that company policies that force one to change their login password every x days actually promote insecurity? Most people in such companies probably don't use their computer for much of anything that is very sensitive for the company, and most don't understand the reason behind such a rule, which is to protect the data of the few who do handle the sensitive stuff. It's best to have a blanket policy since it's hard to say who will be working with sensitive data when and where. However, most of the people who are just using MS Word and email don't get it and probably end up using some variation of a VERY insecure password like PASSWORD(#++).
 

Sentrosi2121

Try having to run a data center where you're watching about 10 different agency mainframes and each agency has a different password scheme.
 

FP

KeePass ftw

I don't know any of my passwords. I simply copy/paste from KeePass. I back up my encrypted password file remotely and have it on a couple of USB keys.
 

nsafreak

What I'd like to see is more sites having the option of using that Verisign dongle that generates a password on each login. Very secure and all you have to do is to make sure you keep the dongle handy.
 

imported_Devine

ID cards that have encrypted data that can only be unlocked with a 6 digit number. We use it to log on, sign and encrypt emails, and have certs on there to log into secure websites. It's one thing the DoD has done well.
 

Snapster

Originally posted by: Argo
2 rants actually:

Site 1: Requires a password that is at least 8 characters long, has 1 capital, 1 digit and one punctuation sign and cannot resemble any word. The site falls into the category of sites that have financial data but that I access fairly seldom. So of course I don't want to write down the password, and of course I forget it. To top it all off their "forgot my password" functionality appears to be unavailable. When I try it I literally get a message saying "This functionality is not available, please try again later".

Site 2: Requires you to change your password once every 3 months. You CANNOT use any passwords that you used in the past. It wouldn't be so bad, if this wasn't another one of those financial data sites that I access once every 2 or 3 months. So of course I constantly keep forgetting the password, causing me to go through the stupid reset password functionality.

Really, the only thing these stupid policies cause is for people to start writing their passwords and sticking them onto a monitor. Btw, both sites are personal financial sites from major institutions.

Pretty similar for working in an IT environment, although it's annoying to remember for loads of sites, hence I try to use the same password. Having a password list helps greatly (see below).

Originally posted by: FP
KeePass ftw

I don't know any of my passwords. I simply copy/paste from KeePass. I back up my encrypted password file remotely and have it on a couple of USB keys.

Agreed
 

Pepsei

Q1nitrusa for anandtech
Q1nitrusw for wachovia
Q1nitrusc for citibank

very easy to remember.... create your own scheme
 

smack Down

Plus it is frigging retard.
Enter a password: it must have 37 characters, no more than two characters can be of the same group in a row.

Enter your magic password recovery answer. 4 letter words are accepted and once you type in the word you get to set a new password.

Can anyone tell me the logic behind that?
 

ElFenix

i just l33tsp34|< normal words to come up with passwords. very easy to remember
 

LS21

Originally posted by: Howard
I'd tell you my easy scheme but it'd be pretty easy to figure out mine. :(

i convert the name of the website to pig latin, reverse the order of the letters, trans-numerate the word using order-in-alphabet, then convert that to hexadecimal.


works like a charm