The new password craze...

[PrinceofWands]

OP needs this.

I could certainly use something like that, especially something without an online requirement. But that just encourages the kind of behavior I'm pointing out as negative.

I'll probably just stick with my impotent protest and let the rest of the world run off and be stupid together while I shout at everyone to get off my lawn.

 

[Red Squirrel]

I used to use a program called "Pins" but it's windows only. I ended up writing my own web based one that runs off my home server. It's rather primitive and the password to access it is the encryption key, so I can't change that password without re-encrypting all the passwords, but it works.

 

[Scooby Doo]

Word dictionary attack should make that one easy.

 

[sourceninja]

Word dictionary attack should make that one easy.

Sure if you are just using a single language and they know the pattern.

It's a lot more to guess just the words in my password. Did I use spaces? Did I punctuate? Are all my words from the same language?

Consider the password: "Ippon wins da match!"

 

[_Rick_]

Worse than all that is the security questions paradigms. 99% of those are either impossible to remember, easily found out with a google search by anyone, and the rest take only the simplest of social engineering to break.

My old workplace switched from two-factor auth/login/everything with a 4-digit code to password-with-question-to-change for login and two-factor for the hard drive encryption - where the token doesn't always come back after going to standby.

Of course, in the former case, if you ever neede your actual password, you were screwed, because you never used it, and thus it was easily forgotten - it helped that it had to be changed every so often.

Gah. Simple is better, when it comes to security, because then at least everyone adheres to it....

 

[Scarpozzi]

I change a bunch of passwords monthly at work. I didn't enforce personal accounts on the systems because the only way you can login is by being on the intranet anyhow (unless you spoof your IP somehow) I was just trying to make it easier on the people who use the system.

Since I have the system locked down physically, it didn't make much sense to expire passwords, but alas....auditors always tell you how to do it better. What's funny is how password complexity and age are such big security goals when the biggest risk is the end user and lacking network/system firewall security. Intruder lockout and HIDS/LIDS with active response go a long way.

 

[sdifox]

soon we shall all submit to instant dna test and people will be sneaking up on you and cut your hair to steal your dna.

 

[sportage]

I agree with the op.
There are some iT people that are totally anal when it comes to password security.
I have one financial site that requires a password change weekly.
Now THAT is just anal.

 

[lxskllr]

The ironic thing is that it's only trivial things that make me have ridiculous passwords, my online banking password is a 5 character numeric code.

I'm not against encouraging long passwords for seemingly trivial pursuits. Sometimes accounts aren't as trivial as they first seem. What bothers me is password restrictions. Some sites can't be too long, other sites can't be too small. Some require special characters, while others forbid them... There should be a reasonable length limit; around 30 characters, and no character restrictions. Put a strength meter next to the password selection box, and call it a day.

 

[sdifox]

I agree with the op.
There are some iT people that are totally anal when it comes to password security.
I have one financial site that requires a password change weekly.
Now THAT is just anal.

IT doesn't decide that... Management does.

 

[Sho'Nuff]

This is why secure and accurate biometric authentication is needed. Very hard to hack (provided the templates are secure), and is based on user friendly 1 factor authentication.

Note that I am not talking about the fiasco that is the fingerprint scanner on the iphone 5s, which was apparently hacked in just a few days.

 

[rudeguy]

complex passwords lead to password files or hand written password

Don't believe me? Hack my Google Docs or my Outlook.

 

[el-Capitan]

what i use. Very easy to memorize, works for 90+% websites

1. take two random words, e.g. Anarchist and Workshop
2. take whatever follows after the www at the website that you need the pw for, e.g. anandtech.com
3. with these these three words, decide to start at first, second, fourth position, and take the following four letters. For our example we choose to start from the third letter. This gives us :
arch
rksh
andt
4. add a symbol and two numbers. E.g. & and my birth month, 11
5. add all above together and capitalize the first letter. This gives
Archrkshandt&11

Note that the only variable is andt here. For citibank.com this'd be tiba, for blogspot ogsp. for a short website you can roll into the .com, .net or start from the beginning of the domain name.

Havent logged into origin since you played DA 3 years ago? Forgot pw? No prob. It'll be the fragments your two words + igin + &11

Sorry, if I'm unclear. It's early in the morning.

 

[Codewiz]

complex passwords lead to password files or hand written password

Don't believe me? Hack my Google Docs or my Outlook.

Why wouldn't you use a password manager with plugins for browsers? I mean lastpass is great. But if you don't want it stored online, look at keepass or 1password.

Additionally, all those tools can generate a complex password of any length with the click of a button.

 

[rudeguy]

Why wouldn't you use a password manager with plugins for browsers? I mean lastpass is great. But if you don't want it stored online, look at keepass or 1password.

Additionally, all those tools can generate a complex password of any length with the click of a button.

Chrome remembers website passwords for me.

Does lastpass do anything besides websites?

 

[Hayabusa Rider]

This is merely a symptom of an increasingly dysfunctional upper management which substitutes what it thinks for what others know. We just had the worst "upgrade" ever and it has "clueless wonder" all over it.

 

[Codewiz]

Chrome remembers website passwords for me.

Does lastpass do anything besides websites?

Lastpass can create secure notes. Attach documents. Pretty much everything you could want when it comes to passwords or things of that nature. You can setup profiles for filling in webforms. I rarely ever type in information on registration forms anymore.

I store all my software registration/licenses in lastpass.

You should not allow Chrome to store your passwords:
http://www.wired.com/threatlevel/2013/08/chrome-password-manager/

 

[rh71]

using full sentences including spaces even as short as 3 words is fine in all aspects.

 

[lxskllr]

using full sentences including spaces even as short as 3 words is fine in all aspects.

Young joined forces with fellow security researcher Josh Dustin, and the cracking duo quickly settled on trying longer strings of words found online. They started small. They took a single article from USA Today, isolated select phrases, and inputted them into their password crackers. Within a few weeks, they expanded their sources to include the entire contents of Wikipedia and the first 15,000 works of Project Gutenberg, which bills itself as the largest single collection of free electronic books. Almost immediately, hashes from Stratfor and other leaks that remained uncracked for months fell. One such password was "crotalus atrox." That's the scientific name for the western diamondback rattlesnake, and it ended up in their word list courtesy of this Wikipedia article. The success was something of an epiphany for Young and Dustin.

"Rather than try a brute force that makes sense to a computer but not to people, let's use human beings because people typically make these long passwords based on things that humans use," Dustin remembered thinking. "I basically utilized the person who wrote the article on Wikipedia to put words together for us."

Almost immediately, a flood of once-stubborn passwords revealed themselves. They included: "Am i ever gonna see your face again?" (36 characters), "in the beginning was the word" (29 characters), "from genesis to revelations" (26), "I cant remember anything" (24), "thereisnofatebutwhatwemake" (26), "givemelibertyorgivemedeath" (26), and "eastofthesunwestofthemoon" (25).

http://arstechnica.com/security/201...eling-the-next-frontier-of-password-cracking/

 

[NikolaeVarius]

Sure if you are just using a single language and they know the pattern.

It's a lot more to guess just the words in my password. Did I use spaces? Did I punctuate? Are all my words from the same language?

Consider the password: "Ippon wins da match!"

Ippon is a defined english word. da is a common replacement for the word "the". Modern dictionary attacks would rip that password apart without breaking a sweat.

That XKCD is so damn misleading.

 

[SKORPI0]

Interesting article I just read... How the Bible and YouTube are fueling the next frontier of password cracking

oops mentioned in post#44.

 

[her209]

Long passwords dun no good if yee e-mail is hacked.

 

[lupi]

Getting tired of the work ones now having to be canged every 60 days, ugh.

 

[Exterous]

but alas....auditors always tell you how to do it better.

I think a lot of people overlook the role auditors have in passwords (or maybe its just my own experience bias). Its like the zero tolerance policies at schools. Closed network thats physically locked down? Too bad - you need complex passwords that change every 60 days for everything regardless of actual need.

 

[sourceninja]

Ippon is a defined english word. da is a common replacement for the word "the". Modern dictionary attacks would rip that password apart without breaking a sweat.

That XKCD is so damn misleading.

Because it would guess that combo with a exclamation and first letter cap? How long would it take? If it's less than 60 days, then yes it's a worry. But if it's more than 60 days, no worries.

Even if it was a concern, you could still write a human relate-able password with the same basic idea.

"Ippon wins 1 match!"

How is that less secure than 5rdxXSW@ ?