Too Many Passwords

LK3 writes "A survey of 1700 technology end users in the United States released today reveals some interesting findings about password management habits. 'The results suggest that having to juggle multiple passwords causes users to compensate with risky security techniques and creates a drain on productivity by taxing the resources of IT support centers.' Further, corporate requirements of frequent password replacement further exacerbates the toll on human memory. Is the solution a master password, with all of the potential problems that represents, or biometrics, or are we stuck with post-it notes and a call to the help desk?"

Better than post-it notes

[nizo]

Becoming tired of remembering passwords, I wrote a little perl program to randomly generate a matrix like this:

a-E9 b-?p c-&m
d-6K e-aY f-eP
g-!S h-gn i-D=
j-Hd k-vw l-Cb
m-W5 n-4$ o-R3
p-x% q-7M r-NF
s-+2 t-s* u-Ay
v-fL w-zG x-Zu
y-cX z-Qr

I then print this, laminate it, and put it in my wallet (a backup copy somewhere isn't a bad idea either). Then, for every password I just remember a word (maybe "bank" for my bank for example) which gives me a password of: ?pE94$vw

Hard to guess, easy for me to "remember". If someone gets my paper (say I lose my wallet), it is still not simple to figure out what my passwords are, or even what the heck that little paper is. Shoulder surfing doesn't work too well either, unless you can memorize the whole card and then figure out which word I am using (it would be easier to try to watch me type the password on the keyboard then get it off the paper. Luckily I type fast and get annoyed when people stand over me while I type a password :-) ).

Re:Better than post-it notes

[shis-ka-bob]

The whole point is that you can can be using 'hard' passwords that look like Jibberish(TM), but are easy to remember. You can even do things like build a seperate cheat card for each month and then keep the same mnomonic but have the password change. (This has its own drawbacks - you need to keep 'last month's' card around long enough to change all of your passwords.) It isn't hard to remember 'a few' passwords, but it gets pretty hard when dozens of groups want you to have passwords and everybody warns you that is it bad form to use a single password more than once.

One thing that I did find to be a signficant drawback to this is that some companies are demanding an upper case letter, a lower case letter, a number and a funny character. It is quite possible that the transform of an easy to remember work will not happen to have all of these. One solution, that actually makes this less secure, would be to have all vowels contain a lowercase letter and a funny character and have each consonant contain an uppercase letter and a digit. This really reduces the number of potential passwords, but such is the cost of making the 'powers that be' happy.

Don't forget

[GWBasic]

Don't forget to add that programs use inconsistant rules for passwords. Some programs are case-sensitive, others aren't. Some programs don't allow special charaters, some require them. What's worse are programs that require a numerical password. For example, I refuse to use Verizon's online system because instead of using a username/password combination, I have to use an account number and a randomly-generated PIN.

IT requiring password changes

[ChrisF79]

I can definitely relate to what they're saying in the article. At the company where I work, we are required to change our Windows password every 8 weeks and the password to get into the financial software every 3 months. To make matters worse, we can't use a password we used in the past again. So, you have a bunch of folks here that aren't concerned at all about passwords creating anything they can think of every 2 months minimum, and forgetting it that same day. It's a huge drain on the IT department and it constantly happens. Also, after 3 unsuccessful attemps at getting in the financial software, you're locked out. You have to call a completely different person that the usual IT guys to get the specialist for PeopleSoft to fix the screw up. It really amazes me at how much time gets wasted in our IT department alone, just fixing passwords for people.