• We should now be fully online following an overnight outage. Apologies for any inconvenience, we do not expect there to be any further issues.

These password memorizations are driving me crazy

Page 2 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

DrPizza

Administrator Elite Member Goat Whisperer
Mar 5, 2001
49,601
167
111
www.slatebrookfarm.com
Which ironically makes passwords a lot less secure because now people are forced to write them down.
You really think that the problem is from people breaking into your home so that they can steal your passwords? Last I knew, people in Russia, Nigeria, etc., didn't have the ability to break into your home for your passwords.
 

Red Squirrel

No Lifer
May 24, 2003
70,603
13,810
126
www.anyf.ca
The most important password is your email and domain registrar. As long as you still have access to your email you should be able to save any other account. Also, if your email is compromised they can pretty much take over any other account... including your domain names. In fact one thing to test out is the "forget password" feature of your email and domain name service. Those are two very important services that you want to be very secure. I recently read an article about a guy who pretty much lost everything because of Godaddy and Paypal's lack of proper security practices and handing over info to a con artist/hacker.

If someone has access to your domain names and your email they can pretty much steal all your websites and other net identity. Very very very bad. In fact I'd consider this worse than someone breaking into my bank account. I can make more money or try to get a fraudulent charge reversed, but I will never get my domains back if they're stolen.
 

PowerEngineer

Diamond Member
Oct 22, 2001
3,606
785
136
This thread makes me feel better! I thought I might have been the last person who hadn't started using a password safe (KeePass) to facilitate strong on-line passwords. :D
 

Red Squirrel

No Lifer
May 24, 2003
70,603
13,810
126
www.anyf.ca
Password lists are best kept local. Don't trust cloud stuff. Encrypt your list as well.

When I switched to Linux the "PINs" program I used did not work anymore and I wanted something cross platform, so I ended up coding my own web based one. It's very simple, the password to login is also the encryption key for the passwords.

Eventually I want to make this better though as obviously if I want to change my password it means having to re-encrypt the passwords again.

One way to make mine even better would be to have the DB stored on a USB stick so that it's offline. Only plug it in as required. Though, I would not be able to access any passwords from work. Now I can just VPN in and access the web page. Well, my VPN is down till I get around to redoing the certs due to heartbleed. :p
 

Dolipapskalious

Junior Member
Mar 28, 2014
15
0
0
It is so aggravating when sites don't communicate their requirements well. Please write out the special characters I may/not use, password length limits, minimum requirements! One site let me type in however many characters I wanted, then truncated them!

And if banks were really trying to protect against brute force attack, they'd implement exponential wait times between incorrect entries.
 

lupi

Lifer
Apr 8, 2001
32,539
260
126
Work password requirement updated again at which pointi sent the IT email to my boss asking if it would be ok to write mine on a yellow sticky or should I just fill out a reset form each day. Getting retarded how short the time between resets has gotten and now the different symbols and crap required is going full absurd mode.
 

ultimatebob

Lifer
Jul 1, 2001
25,134
2,450
126
It's nice to see that there are so many different password saving programs out there.

Good thing, too... If a majority of people ever standardized on a single password saving program, it would likely become a malware target.
 

destrekor

Lifer
Nov 18, 2005
28,799
359
126
use a password manager. it's kind of a necessity these days if you take security seriously - this means using good passwords, that are different between different accounts, and don't follow some kind of easy to guess system. i've been using keepass.

i still don't put my banking passwords in there though.

I trust lastpass - every single password, including access gate codes or various real-life secret codes or whatever, I also put there. I pay the $12/yr to get it all on my phone too - and lastpass just added the ability to work on top of every application (at least in Android), which is freaking awesome though it doesn't always work perfectly smoothly just yet.
 

Pandamonium

Golden Member
Aug 19, 2001
1,628
0
76
My personal and financial passwords sit in a text file that's stored on an encrypted disk image- I have a password system and usually am able to guess within a few tries. My work passwords, on the other hand, require changing every 30, 90, or 180 days. Some of them stipulate that the last 10 passwords cannot be reused. Since the logins for these systems is already challenging enough to keep straight (they are issued alphanumerics), my work passwords involve the month, season, and/or year. Far from "secure" from an IT perspective, I know. I'm willing to go the extra mile for my personal stuff when I don't need to worry about unique passwords for an arbitrary rotation. But once that requirement interferes with my work more than once, I'll conform to IT's "security" measures in the easiest way possible.
 

Red Squirrel

No Lifer
May 24, 2003
70,603
13,810
126
www.anyf.ca
The forced password change thing is also 100% pointless from a security perspective.

Let's say someone is brute forcing your password, just because you change it, does not mean you wont pick one that was not tried yet. The best defense is brute force protection. Systems should temporarily boot you out after so many tries. All my online accessible stuff is set to block the IP after 3 bad tries for SSH, I don't open up any other ports as I can just create a tunnel.
 

destrekor

Lifer
Nov 18, 2005
28,799
359
126
The forced password change thing is also 100% pointless from a security perspective.

Let's say someone is brute forcing your password, just because you change it, does not mean you wont pick one that was not tried yet. The best defense is brute force protection. Systems should temporarily boot you out after so many tries. All my online accessible stuff is set to block the IP after 3 bad tries for SSH, I don't open up any other ports as I can just create a tunnel.

Password change policies are for more reasons than simply defense against brute force attacks.

It's more about protecting against unknown intrusions, to put it simply. Think Heartbleed - more often, the holes are far smaller in scope, but sometimes big holes that aren't known by the software/security folks can sit there vulnerable for a while.
Sometimes, someone can get in, find another security flaw, get some password database, all without anyone knowing. Now, they have a snapshot of current passwords, and that database may be held onto for a while, sold wholesale, or blocks sold piecemeal, etc. Russians may only buy such info if it seems likely to lead to credit card data (most likely, but no guarantee they'll resist temptation :p).
In short, the data from a data breach may sit around for awhile, or it may be tried the very next day. Without any warning, the next day usage is difficult to prevent against; if it goes unused awhile, there is a chance you may be forced to change the password before anyone tries the passwords stolen in the previous breach.
 

TwiceOver

Lifer
Dec 20, 2002
13,544
44
91
The ones I hate are when your password has a max length. It's really easy to hit all of the password requirements if you use a sentence.
 

mikeymikec

Lifer
May 19, 2011
21,027
16,279
136
The ones I hate are when your password has a max length. It's really easy to hit all of the password requirements if you use a sentence.

Yup, though the even more irritating ones mention the maximum length but don't enforce it in the password entry text boxes, so a longer-than-allowed password is accepted then truncated. I remember when AOL was truncating passwords without even mentioning a maximum length, then you have to play the game of "what length did they truncate the password to?".