I thought with the recent issues due to Gawker, this thread deserved a bump.
The whole Gawker thing highlights (yet again) various security vulnerabilities.
We can talk about Gawker's failures (storing passwords using DES encryption, of all things), but the user failures and how this impacts the wider internet is more interesting to me.
The Wall Street Journal has a fun article that breaks down the most popular passwords in a few different ways. The usual suspects show up with the usual prevalence, but some of the others seem as though they're almost attempts at being secure. "trustno1" for example, seems almost like an effort at choosing something truly secure -- it fails the test, but it seems to indicate that some users are at least thinking about password security.
On the other hand, apparently only ~30% are using passwords of 8 characters or more, which is generally considered to be the bare minimum to prevent simple brute force cracking.
In one of life's grand ironies,
Lifehacker has an article about creating secure passwords that actually isn't that bad. Mind you, none of their methods are preferred (they have a tendency to generate passwords that are too short and/or not random enough) but the basic method of generating secure passwords using an easy-to-remember method rather than using easy-to-remember passwords (or worse, one password) is sound.
One thing that shocks me is when sites themselves prevent one from using a secure password. Financial institutions seem to be fond of this, and they of all institutions should know better, as it were. Magpie's bank only allows passwords of up to 6 characters in length -- including all letters (upper and lower case) and all numbers, that provides a grand total of just shy of 57 billion possibilities. Granted that may seem like a big number, but keep in mind that big numbers are what computers do best and that even modest household PCs today typically possess 2-3 GHz of processing power and that not including the graphics chipset.
So how has the Gawker thing affected you? Has it caused you to think about security more, or to take password security more seriously? Have you changed any of your passwords as a response?
My prior method of password selection was reasonably secure, but lately I've found it's gotten a bit unwieldy. I was getting into a position where I was having to make a choice between using my passwords in too many different places, causing potential insecurity, or trying to remember too many different passwords, causing me inconvenience. As a result and because I honestly can't remember whether or not I've ever signed up for a Gawker site, I took this as a prompt to change my own password policy.
One thing that I've noticed is that password managers have more or less taken over my logins. This means that for anything other than local systems I can safely move to a more secure/less convenient password without making my life that much more difficult. Granted, this introduces a new form of insecurity in that anyone with access to one of my usual machines will have the ability to access everything, but access to my local machines implies much bigger problems anyway (aside from which, they would have to first break into any computer of mine they had access to -- all of them use secure passwords and all of them are set to lock automatically after a short period of inactivity).
I won't divulge my current method of generating passwords, but I will say that it generates passwords of up to 32 characters, random alphanumeric. I can be a bit paranoid sometimes, but I think that's probably good enough.