Passwords: How easy are yours? How often do you change them?
 

My passwords are very well protected. I don't use the same one in all that same places, but really I look at it from a level of security. At TFP, I have a unique password that I don't use anywhere else. At other forums, I use a password that is generic to forums, blogs, newspapers, and other online media where security is in my opinion superficial.

For email, I use a very robust password since that is the nexus of someone being able to gain access to all your other accounts. It's long, has upper and lowercase, and has a number. I'm just missing the symbol and it would be the "perfect" password according to security folks.

Are you the person in the article with the easy to guess password? Why? Why not?

The attack they're describing is a dictionary attack, and it's very common. A simple script, 20 minutes or so and if the website in question doesn't have specific measures in place to counteract it, an account can be cracked.

I do generally follow secure password policy. My only conceit is that I do reuse passwords to some extent. I have a list of them memorized and will select one more or less at random for a new account. One of the benefits of this system is that if I should forget what password goes with which account or website, I only have to guess a limited number of times before I hit on the right one. The monumental downside is that if someone were to somehow obtain a list of all my passwords they'd have access to basically everything.

The principles of a strong password have been understood for a long time. No words, mix of numbers and letters, mixed case, at least 8 characters. If more people followed these guidelines there'd be less cybercrime. It's as simple as that.

Mine aren't very hard to figure out.

I figure if you take the time to hack into anything of mine, you're an idiot and didn't do much homework/background work on me. I have no money, all my credit cards are maxed out, and I don't own anything.

So even if you managed to steal my identity or what have you... You can't do fuck all with it.

My solution is simple use an address which is familiar to you for example Tony Hancocks address in Hancocks half hour:

23 Railway cuttings

or

pick one from somewhere you have visited like a bed and breakfast place:

38 marine drive

They are not likely to pick that out of the blue

The way I do it, so that they're easy to remember for me, but hard to figure out, is;

I have 3 bases which may or may not be real words.

Then I have three strings of numbers which have significance to me but not obvious (not even close to my birthday or license plate).

I then take those and mix them up for each new account I need secured. There are more common ones which I use for things in which I need less security. And rarer/longer password combos which might actually be cracked (like MMO accounts).

So if I forget, I first ask myself the security level, which narrows it down, then usually remember the letter string associated with the account, then its only 3 choices on the number string. So I almost never forget my passwords, yet I have 9 standard + ~3 bonus varying in complexity all the way up to 12 characters.

Yes, I'm quite pleased with myself :D

I used to use passwords, but now I don't anymore.

I either use the same standard (unconventional) letter+number+symbol string, that may or may not also be my favorite titlepiece, or I comes up with a random 21 character key that I promptly 'wand'. If it should ever break (it has happened once), I just use the original e-mail address I provided to obtain a new password.

Besides the above, I shift usernames (and specific throwaway e-mail addys) instead of passwords. No sense in letting one cracked accounted become the gateway to multiples.

I have a long one with Caps and numbers.

I use different ones for different sites.

I can't believe people still use things like password or 123456.

It doesn't matter if you have a 100 digit password, a keylogger with steal in an instant. :)

I just try to keep my passwords long enough and random enough to avoid dictionary and brute force attacks. I change my passwords fairly often even though I probably have far less to lose than other people. I think the only thing connected to my email is my World of Warcraft account and a ton of newsletters which I didn't subscribe to. I don't log into my email and stuff from any computer other than my own because I don't know if they're secure. If I do have to log into one of my accounts from another computer, I change my password when I get home.. It just bugs me if I don't change it.

Type a word you're familiar wit and can touch type

password

As anyone can tell you, that's a terrible password. Move your hands over one row of keys to the right

[sddeptf

Now add a number to the end to make brute forcing a bit harder

[sddeptf0

Now double it

[sddeptf0[sddeptf0

Good luck guessing that. Mix it up, only move your right hand over and leave your left in place; move your right hand up a row, move your left hand over to the left so "a" becomes capslock and makes it even more difficult to brute force.

0AAQ9ES

In a way it's like an old Caesar cypher, but without knowing the 12 letter phrase I use and what permutation of hand position, it makes encryption a lot stronger.

My passwords for important items are usually a variation very tight, for stupid online things i always make it one generic word/number that would be easily guessable if you really wanted to post as me on some online places...go nuts.

What shocks me is the a lot of those people who keep those same strong password, then write them down near there computer. We did a consulting job once found a top level access guy had a freaking Rolex on his desk of all his passwords...even personal bank stuff...he worked for a major company. brutal.

My password's very, very easy. So easy I can't get away with on it on most sites these days...

I don't really care. I don't store private info on the intrawebz.

I used to use v1o9l6k4s which comes from:confused:

v o l k s
1 9 6 4

I used lbc for a hint, which stands for the "little blue car" that I learned how to drive in.
LBC hint changes the case of the letters in the password.

I don't use that pw any more. Obviously works with any five letter word and four digit number.

Lindy

I have aset of passwords that I change depending on the site i"m on, I need to change all of them again as I have a similar password on a lot of sites now. I should think about that today.

My boss sets all the admin passwords for his servers he sets up as 1Password. It's sad.

I use the measurements of former lovers, myself.

+1

I don't worry so much about forums or social networking sites but I've got one email account that I guard pretty rigorously and several disposable accounts that forward everything sent and received back into that one account. All the passwords are different and so nothing is really lost in the event that one becomes compromised.

But even then, it's not like I really need an archive of my emails.

I have a "safe" password I use permutations of, and an easy one for all my nonimportant online activities. The safe password is in the form of 593epd (random numbers and letters), then I add the initials of the website and perhaps an "index" if I need to change my password frequently. If I was working for KFC and was required to change my password often it could be 593epdKFCg. Easy for me, but hard to bruteforce.

At high school I had a 26 character password built with parts of a long phrase translated to leet-speak. Needed a tough one as we tried to hack eachother all the time. I won by creating a program imitating the log on prompt, checking the username and then either steal the password or call the real password prompt if allready snatched. The user got a "Invalid password" message once, then every thing worked fine. Later I collected the hidden files containing usernames and passwords :) Good times!

I use incredibly complex passwords. One time, it got me fired. I was hired as the systems administrator for a very small 60 employee company. I changed the primary domain administrator account password to K@$m1rF@bric$@dm1n

They were not amused

"So the combination is... one, two, three, four, five? That's the stupidest combination I've ever heard in my life! The kind of thing an idiot would have on his luggage!"

Some of mine are easy, some are more difficult. It depends on what they are for.

The problem with that is physical security. If anyone has access to your computer, they can get your passwords.

And in the case of this article, it doesn't matter what your password was because they were storing them in plain text.

I have two different passwords that I use, but both are about the same. One has numbers, the other doesn't.

Is it possible the hack number is so high in the study because some people made an account with a simple, one time use password just to fool around or maybe for some other reason?

It's the story of my life...lol WK, we must be twins.

Like the US state department of intelligence in the movies, I have a text file with all my passwords saved locally in a password protected .ZIP. I am Jason Bourne.

My password is hunter2. I use it for everything. See how it's starred out so none of you can see it?

^^ Yeah, mine is gigolo2sxy4ya ... it's also starred out so none o' y'all can see jack sh*t.

My password is six asterisks. That way I can see it when I type it in.

hunter2 reference was actually from QDB: Quote #244321, kinda one of those interweb memes. In other words, totally irrelevant to most people.

^^ Oh, so we weren't coming up with convoluted ways of making up a password then?

Ahh, bummer.

I paid attention to this thread because I got the "your password is 14,000+ days old" message and was curious what prompted the forced password change.

I have several standard passwords, one for things I don't have to keep protected (TFP) one for banking, and one for things I intend to keep really secure. The last two I rotate.

Same. I read message as "we assume you suck at picking or maintaining passwords, so we're forcing you to change yours." My password is fine. All of my passwords online are just fine. A 15+ digit, random, alpha-numeric password is basically as secure as you can get within reason.

Like World's King & pan, I am,
without the wherewithal to worry
nor any need for secrets.

I find changing passwords confusing & annoying.

>How often do you change it?
Got this message on TFP today: Your password is 14663 days old, and has therefore expired.
That's my oldest password so far. (It's 40.15 years old - older than me and most of the World Wide Web)

It doesn't matter - The Mentalist or any CSI team can guess it just by looking around your room.

Heheheh....I work with an IT major dweeb ( a friend who looks a lot like my favorite high school BF!) and this dude makes us change ours every 4 weeks, on the job. So my newest game is to continually devise the longest & most diversified PW ever. He thinks it's a game and hasn't "broKen it" yet.

Luckily we are very good buds. (I know his deepest darkest secrets!!!)

/Gottya create fun wherever you are!!/Yes!

Until unsalted hashes of everyone's passwords on a given site are acquired and rapidly decrypted with a rainbow table. If password storage on the server side is poor, like stored in plain text (I've seen it), or stored unsalted, there is another attack vector independent of the brute-force strength of your password. From Cyn's post, I assume he had a concern about server-side password security, and forcing users to change passwords is a great way to assuage that concern. It's part of the reason (good) sysdbas and network administrators enforce password complexity as well as forced obsolescence.

My point is that it's as secure as it can be within reason on my end. I can't control how it's kept safe otherwise, which is why I never use the same password in two places anymore.

Anyway, this is a forum so the worst thing that could happen if someone did access my TFP is maybe some trolling or something, maybe deleting some of my old posts or changing settings. I'd be more worried about my online banking and shopping, but those are generally pretty damned secure.

The difficulty of my password goes down the more often I have to change it. And I would trade convenience over security (If LifeLock can monitor stuff, so can my bank without charging me. I think it is a scam), like I get full credit card statements in the mail that has no security, but I have to log in and jump through a bunch of hoops because I use random networks to access my account. My e-mail is far more secure at least for the basic statement.

It would be impossible for me to create new passwords for every bank, credit card, e-mail account, forum, paypal, on-line retailer, and computer every few months and keep them all straight.

i have a couple of passwords I use interchangeably on different sites, but neither are real words and are completely nonsensical to anyone but me.

This analogy would hold if your mail went through about 60,000,000 hands (in other countries) before it go to you. You're looking at about a dozen hops per packet between you and the bank's website. As it is, postal mail usually goes through 3-4 hands and a few machines in secure buildings the US between you and the sender. In directed attacks specifically on you, they're roughly the same security.. wait outside your mailbox / firewall. But in random sniffing attacks like phishers, postal mail seems like maximum security compared to the Internet.

How often do I change my password? Apparently, not often enough:

Attachment 21657

And the horse is now dead. And rotted. And the corpse has been hauled off to the dog food factory.

Can we put a stop to the jokes about the password change requirement? There was a very good reason that we asked everyone to do that (one I'm not about to discuss in a google-crawled area of the board). Yes, it was a pain in the ass. Yes, the message looked a little silly to some of you. The same joke being told in 2 different threads wore thin a while ago though.