Ask Slashdot: Changing Passwords For the New Year?
New submitter windcask asks "Every New Year's Day, I assemble and memorize a random collection of seven to ten mixed-case alphanumeric characters and proceed to change every password I have on the interwebs to these characters (plus a few extra characters unique to the site). The problem is I only change them on the sites I visit. Once in a while, I'll come across a site I haven't visited for a few years, and I may end up not being able to guess the password before the try-lockout takes effect. What are your password-changing rituals, and how do they deal with situations like mine? I do use Keepass for work, but it is sometimes impractical for times I'm at other computers."
I use a free implementation of the Stanford PwdHash algorithm for the Mac called Locksmith (here on the app store). There are also websites that implement PwdHash, and even a Firefox add-on. By changing one master password, all the passwords I generate will automatically be changed when I regenerate them.
"Sufferin' succotash."
What a good way to harvest guessing algorithms... Not giving you mine!
but it's the new year, time to change password12 to password1
https://lastpass.com/
I use a different password for each site/service I use. Otherwise, each one of the parties I trust with my data would have the credentials to ALL of my resources instead of just the data I entrusted them with.
Even assuming good faith from all these parties, one of them could get hacked, and my credentials stolen. I want the damage to be limited to that third party in this case.
http://xkcd.com/936/
I don't remember the /. password I created in 1998, it was tied to my netscape email address of which I've forgotten the password. So, several accounts and passwords on, I'm always posting AC now.
Enough said.
Why not use a password manager and skip all that hassle? I use a portable version of KeePass, with both the app and my password database synced through Dropbox so I have them everywhere, including my phone. Random 20+ character passwords for every site and you can set expirations for every one so you don't have to remember when to change them, and all you have to remember is the master password. I don't understand why everyone in the world doesn't do this, it's just so convenient.
"Once in Hawaii I had sex with a 102 year old male turtle. It is difficult to argue that it was consensual." - Steve Ma
I just use lastpass, it has a useful tool that will tell you all of your insecure and duplicate passwords and gives each one a rating. The security tool really forces you to change the insecure password we use for 200 forums.
It may not be sensible to have everything protected by a master password but I find it better to have secure passwords that even I don't know rather than simple or the same passwords used across multiple forums and sites.
Lastpass also supports dual factor auth using yubikey which I find really useful. The cross browser and platform support also makes it easy to take it everywhere.
It may not be perfect, but it's a lot more secure than what I was doing in the past to manage logins to nearly 300 sites.... (crazy isn't it)
I use and highly recommend: http://passwordmaker.org/
No stored passwords; You only need to remember one master password with which it generates a unique password for every account/site.
When the time comes to use new passwords, I just add a number at the end of the URL.
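The two posts above (PwdHash and PasswordMaker) describe the same idea: nothing is stored, and every site's password is derived on the fly from one master secret plus the site name, with a counter you bump when it is time to rotate. The following is an added example of that scheme, written for this page; it is not the PwdHash or PasswordMaker algorithm, and the character set, the PBKDF2 cost and the policy check are this example's own assumptions.

```python
"""Added example: deterministic per-site passwords from one master secret.

In the spirit of PwdHash / PasswordMaker but NOT their algorithm; the
alphabet, PBKDF2 round count and policy check are assumptions of this
example.
"""
import hashlib
import string

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"
PBKDF2_ROUNDS = 100_000  # assumed cost; slows offline guessing of the master


def meets_policy(password: str) -> bool:
    """Typical site policy: at least one lower, upper, digit and symbol."""
    return (
        any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in "!@#$%^&*" for c in password)
    )


def derive_site_password(master: str, site: str, counter: int = 0,
                         length: int = 16, alphabet: str = ALPHABET) -> str:
    """Derive the password for `site` from `master`.

    `counter` is the rotation knob from the post ("add a number"): bumping it
    yields an unrelated password without touching the master secret. Nothing
    is stored; the same inputs always give the same output.
    """
    attempt = 0
    while True:
        # site, counter and attempt act as the salt, so each site gets an
        # independent-looking key and policy retries stay deterministic.
        salt = f"{site.lower()}|{counter}|{attempt}".encode()
        key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt,
                                  PBKDF2_ROUNDS, dklen=32)
        # Spell the 256-bit key in the alphabet; with a 70-symbol alphabet
        # and 16 characters the modulo bias is negligible.
        n = int.from_bytes(key, "big")
        chars = []
        for _ in range(length):
            n, idx = divmod(n, len(alphabet))
            chars.append(alphabet[idx])
        candidate = "".join(chars)
        if meets_policy(candidate):
            return candidate
        attempt += 1  # rare: re-derive until the site's policy is satisfied


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample master
    for site in ("example.com", "example.org"):
        print(site, derive_site_password(master, site))
    print("example.com after rotation:",
          derive_site_password(master, "example.com", counter=1))
```

The caveat the thread keeps circling back to still applies: a site that leaks its derived password leaks nothing about the others or the master, but a weak master is a single point of failure, which is why the derivation is deliberately slow.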
Keepass is available for Blackberry, ios, android. (even Windows 7 Mobile, if that's how you roll.) You can migrate database files between PC and handheld device. (Although you should be careful of having company passwords on a personal device -- there might be a policy against that.)
In your case, I'd spend an hour of quality time in keepass changing your passwords, sync it to work and home PC and whatever device you carry, then make all your websites conform.
As to websites you haven't visited in a long time and have forgotten about, I don't have an answer. I have essentially the same problem with forums that require you to register to participate. I may only visit the forum once, but my login is forever.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
There are versions of Keepass available for both the iPhone and Android (perhaps others as well). I use DropBox to keep my phone and main computers in sync. Works like a champ!
... KeePassDroid on my Android phone and used to have some self-written MIDlet for the same purpose on my old J2ME phone for having my passwords on the go.
I gave up caring a few years ago. I protect my online banking, amazon etc passwords (write them down at home, long and random) but everything else I couldn't care less. If my Slashdot/openid etc ones get guessed or whatever then I'll just create a new account. Don't kid yourself that anyone cares about your online persona - they don't. Friends will get an email from you about your new G+/facebook account. Everyone else will just not be interested in "RandomInternetGuy10248034034" now being known as "RandomInternetGuy23038908343". It's just not worth the mental effort remembering, nor the paper writing down 40 odd passwords. It's just some website.
I even checked on IRC!
I've pretty much never changed a password to any of my online accounts unless I forgot it, and so far I've had 0 issues with people guessing my passwords. I do have different level passwords, for example nowhere uses the same password that my bank uses, and websites that I register on just to comment or something get the weaker passwords so as not to jeopardize my accounts on sites I trust. I don't regularly change them and don't see any reason to.
I completely adopted the strategy described in this article: The Only Secure Password is the One You Can't Remember. Essentially, I have a different password for every single website, service, etc. and all of them are behind a strong master password in a software called 1Password. The encrypted file is saved to DropBox, so it's both online and on several computers (including my smartphone). For more detailed description and reasoning for why that's good, see the article.
The upsides: It's extremely unlikely that my passwords ever get into the wrong hands (I guess it would require someone finding out my master password and stealing the encrypted file. That would be a realistic threat if CIA was after my passwords but now for my needs that's essentially as safe as it gets). Even if one site I use is hacked, I don't use the same password anywhere else. 1Passwords costs a bit (something like 35 bucks, I think) but it's pretty good password vault: There is good dropbox integration, smartphone apps (which also work well with smartphone DropBox apps), browser extensions, automatic backups of the encrypted file, etc.
The downside: If I were to ever lose all instances of the encrypted file (I don't know how that could happen. I currently have it on three computers in two different locations, on my smartphone and in DropBox service) I would lose all my passwords, which would be very bad. I just assume that this risk is unlikely enough to be non-existent.
The ritual is to have a tiered set of passwords:
- very simple passwords for very stupid sites
- a password committed to memory for serious web sites
- Keepass for financial websites (banking, taxes, etc.). These passwords are impossible to memorize. (Eg: JvKE5qKjOb11HdIKWf1E)
Step 1. Crack AES, SHA-256 .KDB files
Step 2. Find
Step 3. ????
Step 4. Something with a cloud
Step 5. Profit
Just write it on a sticky note and put it under your keyboard; this is a time honored practice of millions of users, and that many people CAN'T be wrong!
I use KeepassX on my Linux machines, and KeepassDroid on my phone. This combined with Dropbox keeps it all synced. I have a unique password for every site I use. It's the best way to ensure safety and you never have to worry about forgetting anything.
There are a handful of sites that I visit very infrequently, like my (now closed) student loan site, or my domain registrar.
When I want to log in, I use the "forgot/reset password feature" and wait for a link to show up in my inbox. I "click here" to change it to something random and needlessly complicated, log in and don't bother writing it down.
Nice job reading the summary. Try again with the part that says "plus a few unique characters per site". Now see if what you said makes any sense. Correct! It doesn't.
Why in hell would you give people BETTER odds than ONE in infinity by repeatedly changing passwords. It seems to me that all this does is increase the CHANCES for someone to guess your pass.
Keep your password private, make sure no one ever watches while you type it, and don't use Windows and/or public computers. My .02.
P.S. I DO have unique passes for every site I visit using a formula similar to this:
Sl45h(1st pet's name)(year pet died)(my house number)(3 random characters)
This makes each password somewhat unique but gives me a fighting chance at remembering all of them.
And since it's easy to find out what the make of my first car was, or what year I graduated, I have an alter ego with answers to those questions. I know what year "she" was born, "her" mother's maiden name, etc.
As an extra layer, I don't just answer "What year did you graduate high school" with: 1938.
I say: "year1938". And one more layer:
Since this is likely stored as plain text, I have a site-unique word mixed in:
"year1938banking"
I don't change mine very often. I have a password made of unconnected words that is far more secure than random alphanumeric characters. Far more secure to have a very strong password that you don't change often than less secure ones you change frequently.
I keep passwords in tiers of how important they are to me and how likely they will be compromised;
Tier 1: Money
Tier 2: Reputation
Tier 3: Sites I'm unsure of their password keeping policies
Tier 4: For sites I might have to share access with someone else
Completely separate: Work
Every time I select a new password it gets applied to tier 1 and the old one from tier 1 gets moved to tier 2, etc. In this way it's easy to remember all the passwords I use; it still takes a bit of guessing depending on how I originally classified that site, but eventually I put the right one in. Makes it much easier to remember passwords when you have used them for years and still be completely random numbers, letters and symbols.
Keepass database on the thumb drive in my pocket, and emailed to myself.
New Years Day is for hangover recovery, not random char memorization.
For sites I don't visit often, I just reset the password every time I go there. Sure it takes a couple of extra minutes, but these are sites that I visit a couple of times a year or less. For sites I visit a lot, remembering the password is not a big deal.
Think of it as poor man's federation with you email password.
What's the point?
I've had the same passwords for up to 10 years.
Considering the length of my passwords, bruteforcing is not a viable option.
I don't access my important stuff from computers other than my own either.
I have sufficiently secure passwords that I see no benefit in changing just because.
I run: Windows, OS X, Linux, FreeBSD. Just because you have a hammer, doesn't mean everything is a nail.
I create a spreadsheet with relevant info (not just passwords) uploaded to Google Docs or other cloud based site(s). At the most I remember 2 sets of usernames/passwords, one set to access the site and the other to unencrypt the cloud docs. Simple and accessible from most devices.
Don't be apathetic. Procrastinate!
write 'em all down, store them in a couple safe places. In general access to people's information, identity theft, and fraud isn't done via passwords, there are much easier ways.
If you have to try so much that you're going to get locked out (surely you suspect something after one or two failed attempts), doesn't the site offer some sort of password retrieval function? I know this doesn't really answer your question directly, but it seems like it would work for the few sites you seem to forget about each year.
R.Mo
The good thing about putting it all on dropbox is that if you forget your dropbox password you can still get in. The bad thing is so can anybody that you've previously given dropbox access even when you think you cut them off (earlier slashdot story) or at times in the past anybody at all (earlier slashdot story), and the dropbox admins can certainly read all your files (earlier slashdot story).
WTF are people suggesting putting anything that you would not want to see the next day in a newspaper on dropbox? Haven't you guys heard how many holes have been found so far and how they were caught out that the service is not as the advertising implies? Even plain FTP (for all its many faults) is more secure than those losers, which indicates a depressing level of incompetence.
Most websites don't store your password, just a hash of it. When you enter the password, it hashes what you just entered then compares the hashes. Reverse engineering the password when you only have the hash isn't trivial.
Tequila: It's not just for breakfast anymore!
The annual meeting of paranoid geeks?
If you look at all the possible attack vectors and scenarios changing your passwords once a year change your statistical chances of being hacked or losing data very little. The ROI is low enough I wouldn't recommend changing your passwords on a regular schedule.
Picking good (as in hard to crack) passwords is more important. For random web properties using different passwords for each so when one is compromised and caught storing passwords in plain text only one account is compromised is key.
However, that's all not what I want to talk about. This entire question is the result of a huge failure of the industry. Every web site uses a password. Every one has a different idea of what a "good" password is, meaning if you come up with one (or use a generator) it won't always be allowed. Google has taken a step forward with their two factor options (via say, a cell text) but that's not really a practical option for many small web sites.
This is an excellent case for a PKI. Users should generate a public-private key pair, and provide the public key to the web site upon sign up. Extra authentication steps could be done at setup (web of trust a la PGP, known entities, a la X.509, callback texts, whatever). Users would sign a login blob with their private key to authenticate.
Using the same key for many web sites is much less dangerous. Compromising the web sites, and all the public keys, gets the attacker approximately nothing. They can be stored in plain (unencrypted) format on the web server. The only attack is to get the users private key, which can be encrypted on their machine behind passwords, biometrics, or whatever. Getting one user's private key gets you only one user, it's a low value attack.
What's needed is a standard format for this encrypted exchange, and then support by clients (from web browsers to ssh clients) and their corresponding server services. This is where the industry is letting us down.
If the big 15-20 web properties could get together with the big 4 browsers and make this happen it would be huge leap forward.
Far too many websites actually DO store the password (because they're idiots)
Mandylion password management token
"You want to know how to help your kids? Leave them the fuck alone." -George Carlin
Or given the identity all together and join the anonymous.
If what you say is not sufficient, then you are in the wrong group that judge people by their online "handles".
I used to have one password for everything.
Then I progressed to a series of text files (one per website) listing the username/password combination(s) for that site, plus any additional useful info (e.g. routing number and account number). I used a random password generator to make secure passwords (considering so-called "security questions" to simply be additional, also random and secure, passwords). I encapsulated these in a 7-Zip archive (with a "master" password, naturally) and uploaded it to my GMail account (which had a password for which I had a mnemonic for memory's sake, so I'll never forget it). I also carried them on a flash drive when necessary which, though hopelessly insecure, was always in my possession. Had I ever lost the flash drive, my first action would have been to get on GMail, fetch the archive and decrypt it, and change every password for every site (updating the text files and the archive, naturally). I had to put that into action once when not the flash drive but my computer was stolen. Since Firefox remembers my passwords, I played it safe and changed all of them.
Lately it occurred to me that with the "encrypt filenames" option (which I used) it would be a lot less hassle to simply use subfolders in the 7-Zip archive for each website, a subfolder within named for the username, and a 0-byte file named for the password. The only drawback to this plan is that a username or password cannot contain either a forward- or back-slash (any other characters not supported by Windows can still be used if you just rename files within the 7-Zip archive), which forced me to either come up with a different password or use a text file in the archive. But the thing I like about it is that it's not decrypting a text file and possibly leaving it in a temp folder somewhere.
I just keep my keepass databases in a SVN repo which i sync across my computers and thats it. So fucking simple!
do you?
That's exactly what I was thinking. For any site that matters, the most they can do is reset it for you, not tell you what it was. Most sites just don't matter. Other than your Karma, how much damage can be done when they hack your Slashdot password?
But I gotta ask, Why bother changing every year?
Changing a secure password offers no additional security. It's not like they wear out.
If crooks haven't broken into the login during the course of the year, changing it may actually make it weaker.
Those hovering over your shoulder to catch one key today and the next key tomorrow should be pretty obvious after a year, don't you think?
The key loggers would have found you long before the year is up, and the timing routines can be outfoxed by simply typing with only one finger, a different finger each day.
Most sites that force you to change do so more frequently than a year. And 99.44% of them end up having users simply adding ascending digits to the key, which becomes pretty easy to guess.
Sig Battery depleted. Reverting to safe mode.
Quit working so hard - use Seed Mapping
Start with a seed that's in front of you as you log on to the site, for instance MicroSoft. A simple seed would be the first four letters "micr". There. You're halfway done.
Now simply expand this seed onto the keyboard in a visually consistent way. Let's use the two keys above the seed key for this example. "m" becomes "Ju", "i" becomes "8*", "c" becomes "de" and "r" becomes "4$" yielding the password - "Ju8*de4$". No, don't try to memorize that mess, just watch your fingers as they move.
See the pattern? THAT is the trick. This password meets all the standard criteria, yet you don't have to memorize it - just look at the name, then map it visually with your personal method.
Notice I capitalized the first character and had to shift to get the "*" and "$" because I ran out of room moving up the keyboard. That's one way of including special characters and caps. If you don't want special characters, wrap to the bottom of the keyboard instead.
The beauty is, memory was not a factor. It's simply visual. It's best to not even think about what keys you're hitting - just hit the two above your seed character. I honestly have no idea what my passwords are, I just know the pattern that produces them.
It's easy once you define a method. For the above approach:
Gmail would produce "T5juq18*"
Yahoo would produce "6^q1y69("
FaceBook would produce "R4q1de3#"
Again, no memorizing. OK, go ahead and use this example method if you like. It's better than using your dog's name. And you won't need to read any further. But remember you'll have the same passwords as every other person who happens to read this blog and goes to the same sites you do.
Or... You can quickly customize:
http://sierracomputergroup.blogspot.com/search/label/Passwords
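The "seed mapping" post above is precise enough to be written down as a procedure, which is worth doing because it makes the poster's own warning concrete: the secret is the method, not the password, so anyone who knows the method (or reads the blog) reproduces every password, and two sites whose names share the first four letters get the identical password. What follows is an added reconstruction written for this page, not code from the post's author; it assumes a US QWERTY layout with the rows aligned column by column, which is the assumption under which it reproduces the post's three sample passwords.

```python
"""Added example: the "seed mapping" keyboard walk from the post above.

Reconstruction of the method as described (two keys straight up from each
seed key, shift when you run off the top, capitalise the first character).
Not the post author's code. Assumes a US QWERTY keyboard with the four rows
aligned column by column.
"""

ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
SHIFTED_DIGITS = dict(zip("1234567890", "!@#$%^&*()"))


def key_above(key: str) -> str:
    """One step up the keyboard; off the top row means 'hold shift'."""
    for row_index, row in enumerate(ROWS):
        if key in row:
            if row_index == 0:
                return SHIFTED_DIGITS[key]
            return ROWS[row_index - 1][row.index(key)]
    raise ValueError(f"{key!r} is not a letter or digit on the mapped keyboard")


def seed_of(site_name: str, seed_length: int = 4) -> str:
    """The seed is the first few letters of the site's name, lower-cased."""
    letters = [c.lower() for c in site_name if c.isalpha()]
    return "".join(letters[:seed_length])


def seed_map(site_name: str, steps: int = 2) -> str:
    """Expand each seed character into the `steps` keys above it."""
    out = []
    for ch in seed_of(site_name):
        for _ in range(steps):
            ch = key_above(ch)
            out.append(ch)
    password = "".join(out)
    # The post capitalises the first character; digits are unchanged by upper().
    return password[:1].upper() + password[1:]


def shared_passwords(site_names) -> dict:
    """Group sites that end up with the same password (same four-letter seed).

    A defender's view of the scheme: every group is one credential reused
    across several sites, whatever the visible passwords look like.
    """
    groups = {}
    for name in site_names:
        groups.setdefault(seed_map(name), []).append(name)
    return {pw: names for pw, names in groups.items() if len(names) > 1}


if __name__ == "__main__":
    for site in ("MicroSoft", "Gmail", "Yahoo", "FaceBook"):
        print(f"{site:10} -> {seed_map(site)}")
    print(shared_passwords(["FaceBook", "Facetime", "Gmail"]))
```

The mapping is a fixed, public function of the site name, so from a threat-modelling point of view the scheme has the entropy of the four-letter seed, which is already on the login page; it is reuse of one credential in disguise.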
What are you basing this on? A guess? Most websites use *nix, and all versions of *nix have built in facilities for storing passwords as hashes. It would take more effort to make them store the passwords as words.
The strongest password needs to be your email account.
Why? "I forgot my password". Doh!
I do my passwords in tiers and tier one and two never change.
Tier one: Low security for comments on random sites and whatnot
Example: crappypass1
Tier two: Medium security for sites I would be slightly upset if I got my good name besmirched on.
Example: Th1s!s@better
Tier three: High security for email and other more serious online business.
Example: @nysuffici3ntlyRand0mphr@seshoulddo!
Changing a secure password offers no additional security. It's not like they wear out.
If crooks haven't broken into the login during the course of the year, changing it may actually make it weaker.
One measure of the security of a password is the amount of time it would take to compromise it as compared to its useful lifetime. Assuming the password database is stolen today, would someone be able to compromise your password before you changed it?
'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
Based on my experiences working on websites, far too many companies store the password in plain text. Many, many more will hash it, but will hash it ineffectively by not salting it. Lots of the people working on these websites don't even understand the kinds of attacks salting and hashing are intended to block.
As an example, look at mailman, the mailing list manager. Not only did it store the plaintext password, it mails it to you monthly. Fortunately, the current developers aren't idiots and have removed this flaw (as of ~2007) but tons of sites out there are still using the old version since I keep getting the "reminders".
Trust me... Spend a bit of time in industry working on these websites, and you'll understand.
https://www.grc.com/haystack.htm has an interesting approach.
Which of these: D0g..................... or PrXyc.N(n4k77#L!eVdAfp9 is the more secure?
Website users aren't the same as OS users.
Most website developers don't even understand what a hash is. They are simply not capable of using hashes on their sites, even less to do some sane salting. Most of the top used development frameworks also don't help securing passwords, some even make them harder to secure.
That said, I don't care about people harvesting the passwords I use on most sites.
Rethinking email
I can tell you that RCN cable does. I was with RCN for many years, even using their email. Two years ago I moved, and transferred my service. During the transfer process on the phone, they asked me my 'PIN' number for my voicemail. I didn't know it, because I never set one as I never used RCN voicemail. After answering some other questions, they told me over the phone what my 'PIN' was. Lo and behold it was my RCN email password, that I would never have given them as a voicemail PIN!!! It was complicated and hard for the person on the phone to read, and I was thinking to myself "where the f**k did you get that?"...
No. Don't ever reuse passwords, even if you add a suffix like 'rcn' at the end...
Shouldn't you be doing something useful?
Most websites use some kind of scripting language and a database. It doesn't really matter whether it's on *nix or win* or mac* :) If they just insert the password into a database record it will be plain text unless they do something to it first.
Think of the websites you've used. How many at some point or another have actually emailed your password to you rather than just let you reset it with an email link? I know I have several dozen accounts and a few do indeed email me my password when I pick one. That means they have it in their data somewhere at least at some point in time.
What's considered a strong password has changed over time.
Attention zealots and haters: 00100 00100
Congratulations, only a few characters have to be guessed for each site!
Not only that. You say 'hey this is insecure' you have to prove it with an exploit. They will fix the exploit missing the point...
Then you they look at you like you are weird trying to attack the site. Got yelled at once for 2 hours straight by a manager who worked on a different product for doing this. Even though my boss explicitly told me to do it. At that point I realized no one really cares until they are hacked and it is in the news.
So I use a pattern based password for web sites and when I buy things I use a 1 time used credit card number.
For example if you had said 2 years ago that sony would have in the wild their entire db for credit cards people would have laughed at you. Now not so much. Security is an afterthought many times.
I dont even bother mentioning it on my projects anymore. No one cares. Or it is 'something we will fix later'.
So I *know* I am not alone in this and this just a small sample. So I use passwords that match the site one to one. Do not reuse them anywhere. And one time credit card info.
Assuming they know this, which they wont unless they get his plain text password for multiple sites and compare...
Bergen University College in Bergen, Norway stores plain-text passwords and will email them to you if you request a reset.
Using a commercial system they pay for as an alumni website... I've tried and tried again to point out how stupid it is for a technical college to have such a flaw but they ignore it.
Hopefully there are no other flaws in the site (hah!) :p
Just a real world example of arse security in what one would hope was a serious site.
I use clipperz. An online personal password locker. Completely free.
XKCD on password security.
http://xkcd.com/936/
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
Exactly! Maybe they're idiots, maybe they're phishing, maybe it's a site built in a day that turned out to be useful. Point is you're trusting someone you don't know. Use different passwords for sites that matter.
I use a separate random user/password for each online account. If I post comments to "angryITworkers.com" (example), and the uid/password gets compromised, there's little to worry about. It cannot be used to access my bank account or other resources. Invalidate the compromised account, and damage will be very limited.
I keep my Keepass database on dropbox, so I can access it on any computer on which I can run the Keepass program. I then remember 3 passwords: my dropbox password and my Keepass password, of course, and my primary email password in case I lose access to my Keepass database for some reason and need to regenerate all my passwords. Works for me.
Quidnam Latine loqui modo coepi?
"I do use Keepass for work, but it is sometimes impractical for times I'm at other computers."
That's why I like LastPass. That extra integration and ubiquity make it great for me.
Most websites don't store your password, just a hash of it. When you enter the password, it hashes what you just entered then compares the hashes. Reverse engineering the password when you only have the hash isn't trivial.
Yes, that would be smart. In reality, too many sites can mail you your current password on request. They're obviously storing it in plain text unless they brute force the hash for every request. Besides, it only takes one bad apple at one site to get your password. And if a malicious party gets your email password with which they can request new ones from everywhere, you're screwed. So, at least use a unique and damn strong password for your online mail.
On a side note acquaintances often use one single password everywhere, which they cherish like it's their long lost son and never change. That's a recipe for disaster. When I point this out they usually thank me by calling me paranoid :)
Are you a grammar Nazi? I'm trying to improve my English; please correct my errors!
EXACTLY. It might be idiotic, but a large number of websites keep your password in plain text, and some pass it around the browser in plain text that can be intercepted (how do I know? I've done it)
I have a slightly different reason, but the same question. I'm in the middle of breaking up with my husband (6.5 years) and he knows some of my passwords ... I've decided to go through and change all of them, just to be on the safe side. My current passwords are a huge conglomeration from game level passwords to words to random strings. Some of them I haven't changed since the 1990s :-(
I'm not a fan of password managers, having seen it fail many times (granted those were mostly older people using it). How do you all pick good passwords that you can remember, as well as which sites they are for?
I'm not a bird, I'm a super-advanced flying stealth dinosaur!
Add CrashPlan into that, and you have a way to recover your passwords even if all your machines are destroyed in a tornado. :) I use all of these together, and I never have trouble getting to a password - even my droid phone can get at them.
I call mine the "core plus" system. You start with a 5-6 character core password that is pronounceable yet not a word or acronym. Around it you put special characters and numbers. For instance the word "hosed". You can do that one as "h-oh-sd" or "hohsd" as the core. Then you put @, dot, /, * etc at the end and a number at the start (or vice versa) along with one of the characters in capital form (first or last or middle is easiest to remember).
So your default password for all sites will have upper, lower, special and numbers. That will satisfy most sites. Trick is to pick a core password that is meaningful to YOU. That way you remember it easily. In the example above "#hohsd2" is a fine 7 letter password.
OpenID is also an option but convoluted and not widely accepted.
LastPass is a web-based service that syncs your passwords across your computers, Android devices, iPhone, and Blackberry. Supposedly, it uses client-side encryption so even if the stored data is compromised, it is useless without your password. Most importantly, it supports Google Authenticator so those with Android devices can use it to generate secure keys needed to log in.
A NYC lawyer blogs. http://www.chuangblog.com/
The main purpose of changing your password is to get back into a secure state. So if your password does get stolen, it isn't a lifetime pass. I can't count the number of people who only discover that they had a stalker ex reading through their email and facebook for years. It's not just corporate data I care about.. a lot of people will sign into their services on random phones/computers to send a quick message or kill some time. Sooner or later, they'll sit down on a machine that'll send their creds to a spam network. While google and such do as good a job as you can expect to detect and return accounts, from a good practices point of view, telling people to change their password from time to time is pretty good advice.
Some banks I know, Wells Fargo and Capital One do. Try a simple experiment, try logging in with your password in wrong caps, you would still be able to login. I would be really really surprised if they were using a case insensitive hash instead of storing the text and making a case insensitive comparison.
Hashing is not enough. Proper security is only obtained by salting the passwords before hashing. Without salting, password hashes are only slightly better than clear text, as they are vulnerable to rainbow table attacks. Rainbow tables for 11 character passwords already exist.
Drupal (a popular PHP CMS) did not salt their password hashes until version 7 (http://stackoverflow.com/questions/5031662/what-is-drupals-default-password-encryption-method), and version 7 came out in 2011. This means most Drupal users' passwords have never been secure from attack. And if a popular, widely used CMS has gaping holes like this, all of the home-grown websites are probably worse.
Basically, most people are clueless about password security, even if they know they shouldn't store clear text passwords. Much better to not trust the websites and have different passwords for your "important" stuff.
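As an added illustration of the salting point made above (example code written for this page, not code from the comment or from Drupal): two users who chose the same password get identical unsalted digests, so a table computed once cracks both, while a random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256, assumed here as the replacement scheme) makes every stored digest unique and the table useless. The COMMON_PASSWORDS list is a constructed stand-in for a rainbow table.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Constructed stand-in for the candidate list behind a rainbow table.
COMMON_PASSWORDS = ["password", "123456", "letmein", "qwerty", "Passw0rd"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash of the bare password, no salt.
    Every user with this password gets exactly the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def precomputed_table(candidates: Iterable[str]) -> Dict[str, str]:
    """digest -> password, computed once and reusable against every
    unsalted user record from every site using the same hash."""
    return {unsalted_hash(p): p for p in candidates}


def lookup_unsalted(stored_digest: str, table: Dict[str, str]) -> Optional[str]:
    """Recover a password from an unsalted digest by table lookup, or None."""
    return table.get(stored_digest)


def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 100_000) -> str:
    """The fixed scheme: 16 random bytes of per-user salt and PBKDF2-HMAC-SHA256.
    Stored as 'salt_hex$iterations$digest_hex' so verify_salted can recompute it."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iters, digest_hex = stored.split("$")
    expected = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(expected.hex(), digest_hex)


def demo() -> dict:
    """Two users, same weak password, under both schemes."""
    table = precomputed_table(COMMON_PASSWORDS)

    # Unsalted: identical records, and one lookup cracks both.
    alice_unsalted = unsalted_hash("letmein")
    bob_unsalted = unsalted_hash("letmein")

    # Salted: different records for the same password, and the table
    # (built from unsalted digests) does not apply to either.
    alice_salted = salted_hash("letmein")
    bob_salted = salted_hash("letmein")
    alice_digest_only = alice_salted.split("$")[2]

    return {
        "unsalted_identical": alice_unsalted == bob_unsalted,
        "unsalted_cracked": lookup_unsalted(alice_unsalted, table),
        "salted_identical": alice_salted == bob_salted,
        "salted_cracked": lookup_unsalted(alice_digest_only, table),
        "salted_verifies": verify_salted("letmein", alice_salted),
        "wrong_case_rejected": not verify_salted("LetMeIn", alice_salted),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```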
In Soviet Russia, articles before post read *you*!
What's considered a strong password has changed over time.
Since last year at this time? Please.
Sig Battery depleted. Reverting to safe mode.
I maintain 4 security levels that I assign to various sites.
The top level is for sites on which I do banking, wealth management, and other ultra-high-sensitivity things. These get passwords that are no fewer than 32 characters, having upper and lower case letters and symbols, and get changed every 30 days.
The next level is any site that stores credit card info, like amazon, netflix, and other shopping sites, or other personally identifiable information such as addresses. These get 24+ character passwords with the same mix, and get changed once every 90 days.
The next level is any site that does not contain any financial or sensitive identification information, but where someone might be able to make public comments in my name or otherwise harm my online reputation. These get 16+ character passwords and are changed once every 180 days.
The lowest level is for completely anonymous sites that do not collect any personally identifiable information about me. These get 12+ character passwords and are changed once per year.
I've been using this routine for about 15 years and have never been hacked (to my knowledge).
The determination might be that it's unnecessary to change it for a given year, but evaluating the need on an annual basis is not a bad idea.
Attention zealots and haters: 00100 00100
My method has slowly evolved over the years. I grew up on a crappy dial-up connection out in the country. Our ISP gave us a generated strong password. Our connection would constantly drop and I would have to enter that password several times a night. I kept that password and slowly morphed it over time. It kept getting stronger and stronger with every evolution. I did this with 2 passwords. One for secure stuff and one for everything else.
Then not too long ago, I discovered rainbow tables. Pre-generated LM password hashes. My passwords were not in the free tables, but they would be in one of the more detailed collections. Then I started doubling my short passwords by typing them twice. Instant 16 char passwords that were easy to remember and type. Sometimes I would mix it up and use 2 of my old 8 char passwords together. I would think password1 then password2 and type them just as fast.
More recently with smartphones and now tablets, my passwords were just a monster to enter in. One password was lnnLllnnlnnLllnn where l = lower, n = number, L = upper. A total pain when you also have to swap from numbers to letter on the key pad. My current passwords are much simpler, very fast and easy to enter, and even longer than before.
One of the passwords that I just cycled out contained 2 swype-able (dictionary) words and a full 10 digit phone number. My short one was 19 characters, easy to remember, and super fast to type on my computer and mobile device. Entering the password is much more natural. I can swype on my mobile and bounce over to the number pad on my desktop. I work in IT and constantly get comments of shock from users when they see me enter my long passwords on systems.
I do reuse passwords on sites more often than I would like to admit. I treat my email as the master password. With that, all other accounts can be reset. I have my financial password, my work password, my social password, and then my everything-else password. That everything-else password is used on all accounts that I don't care about or that don't impact me financially. The everything-else password never gets changed. I will usually take 3 guesses at a password on a site. If it's not my current one, my previous one, or the everything-else password, I then request a password reset and set it to the everything-else password.
I never know what to put for a password hint on the sites that ask.
Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
I keep my passwords to a minimum.
1) Don't use the password to your e-mail account for anything else. In the worst-case scenario, if my e-mail/password combo leaks, they can't use that to get into my box or my accounts elsewhere, and vice versa.
2) Have a disposable e-mail for sites you don't care about. You don't need it for each site, just have a separate "real" you and "disposable" you. Use a separate simple password for these sites. Who cares if it leaks, at best they can only get your first/last name out of it, and if you put in more info than that into a disposable identity, you're an idiot.
3) Keep a medium-strength login for sites you care about, which is tied to your "real" e-mail. As long as it has nothing to do with $$, reuse the same login/password. Even if that gets leaked, they still need to guess at which sites you have an account on.
4) Use separate passwords for admin use, login use (into other people's boxens), and financial use. If any of those gets leaked, it's very likely you'll find out quickly.
That's 6 passwords total that you need to remember. E-mail, disposable, regular, financial, login, and admin.
Get this. A school I know of uses a five digit numeric password for all student accounts, enabling them to access their grades, financial information, FAFSA info, class registration, and so on. On top of using a standard password that no one changes (the last four of their SSN!) for these accounts, some smart smarty thought about security and set a three attempt lockout on passwords. Long story short, this permits a script kiddie attack to lock out every student from their account in a few minutes. This would result in total havoc and there would be no way to stop/recover without consuming every defensive measure in their arsenal for the network. In reality, I don't think there is any way to prevent it without dropping the system off the Internet. At a good university where you have talented students in computer science this system would have already been owned numerous times and subsequently fixed. But as it stands, it is an obscure system so it is not a high-profile target.
Another thing I should mention, according to the state attorney general's office (just had an in-person training session): per the sunshine laws our school (any school) would have to cough up the email addresses for every student were anyone to request a list. Most schools might deny it but he (Deputy Attorney General) suggested just complying with any such request to avoid a lawsuit.
I object to power without constructive purpose. --Spock
It doesn't always work, because sometimes somebody's given it a password other than "password" or "passw0rd" or "Passw0rd", and sometimes I want my actual name on an account, but for the most part the worst case is that somebody will start writing letters to the editor of the New York Times or Podunk Gazette with my name on them, or my Yahoo account will get spam advertising sales in zip codes other than 90210.
Bill Stewart
New Fast-Compression-only CPR http://preview.tinyurl.com/dy575ks
Hashing is not enough.
I'd be happy if people at least hashed.
MUHAHAHAHAHA is not the best irony flag.
(For the clueless, cracking dictionaries tend to include foreign language words, for whatever matches "foreign" in your world.)
Any way you do it, you need more than one word, preferably at least three, and you have to be careful that the resulting phrase is not common.
Computer memory is just fancy paper, CPUs just fancy pens with fancy erasers; the 'net is just a fancy backyard fence.
This is a decent medium-security method for situations where you have to change passwords frequently (monthly or quarterly, say):
1) Choose a band that you like - no one-hit wonders, though. Foo Fighters, let's say.
2) Take the name of their first album - Foo Fighters, in this case.
3) Do some basic substitutions, both because it's slightly more secure and because the password policy usually requires it: F00Fighters. Or Foo_F1ghterz. There's your password.
4) When you have to change it, go to their next album - The Colour and the Shape, for Grohl and friends. Repeat to get The_Col0ur or ColorAnd$hape or whatever.
5) When you run out of albums, go to a different band. Repeat.
The method also works with actors (R3d_Dawn, D1rty_D4ncing, P0int_Break). Haven't tried it with cast lists (1ngrid_B3rgman, Cl4ude_Reigns, Magor$tr4usser) but it might be as good.
Pro: You can quickly end up with a fair number of passwords that you can remember easily - almost look up, even.
Con: Not hugely secure, especially for someone who knows you. There's a natural tendency to pick very obvious substitutions.
Basically the security weakness of the XKCD case, but with a built-in way to remember them more easily.
If they are storing your password in plain text it is a clear indication that the rest of their system is a swiss cheese nightmare. I would venture to say that it is probably possible to obtain a full user list with passwords from such a site. If anything, evidence of such behavior is an invitation to try.
all the banks in asia use them
none of the banks in the US do
My dad knows the password to my Windows computer and iPad 2, so it's no problem for him to change the passwords for me. I would love to change them but every time I start creating a new password, I feel so guilty! Grrr.... I don't understand how you can live in a world where no one knows your passwords. Man, that would be very stressful. Now by reading this post you have wasted 30 seconds to 6 minutes of your life! (Yep, it takes me 6 minutes to read this.) So haha!!
You can achieve the best password security by typing naked and using your dick to press the keys for your password.
I use 1Password, for the Mac.
I use a unique password per site. No formula, or just salting a global password...
typically, 14+ characters (site permitting), and non-ambiguous characters.
It's worked for 5+ years.
That being said, it's time we've moved past passwords.
I've never changed my slashdot password. Maybe the next decade.
-- I have a private email server in my basement.
A more likely response: http://www.xkcd.com/538/
Or, they could be converting passwords to lowercase before hashing them.
That's what you do for the only place dumb enough to have a 30 day policy. Work.
Git + GPG + a GPG-VIM plugin.
I use "vim" to edit my password file as if it is plain-text; git pull/commit/push to make changes to it.
If I need to roll back, I check out an older copy of the file.
I keep my Keepass file in my Dropbox. That way I can access it from any computer.
The problem with changing passwords is they become harder to remember. This leads to people writing them down, thereby decreasing security. Diceware passwords can be VERY secure and easy to remember. Anything beyond 6 words is overkill for pretty much any service on the internet, since very few datacenters have security so good that it would be more expensive to break in than to bruteforce the password.
Not a sentence!
I can't think of a single site that does this. And I forget my passwords all the time. Every single site seems to generate a new 8 character random password, and email *that* to you, or a link where you can click and enter a new password.
Morphing Software
They don't store the passwords in the /etc/passwd file or use any standard unix tech. They just put them into databases using whatever they want, often plain text. They seldom use salt either, even if encrypted. I was surprised too!
By law, many countries mandate that websites hand out the passwords for the accounts to law enforcement on demand. This requires the password to be stored as plaintext. I know this is the case at least in India.
Earlier this year, I switched to a system akin to the password card or the password chart.
When you do this, there is much less to memorize, and you can create random, secure passwords for anything. I don't need any software to make it work, as everything I need is printed on a business-card size piece of paper which I carry in my wallet. If, for example, I am using a friend's computer to log in to a website, I can whip out my card and have my password right away.
The passwords I use are as secure as anything I could possibly memorize, and are different for each website. They can't be stolen all at once by malware. I can't lose them to a hard drive crash. If the card itself is lost or stolen, it's just a bunch of random symbols unless you know the secret of how it works.
Of course they know this, he just advertised it on the goddamned Slashdot front page!
Random Thoughts From A Diseased Mind (Not For Dummies)
My password theory: an easy way to make strong passwords is to go to Wikipedia and hit random article till you find something (preferably obscure) with dates, e.g. http://en.wikipedia.org/wiki/Priotrochus_obscurus. Make a password from it; use camel text to make it stronger and easy to remember: SoWfI@1828BBd. I have one password and one username for all websites that don't have 'real' personal details; as I have not changed this from when I started using the internet 15 years ago, this allows me to re-stumble upon websites that I don't remember visiting without creating a new account. As for my email, Amazon, eBay, bank and PayPal etc., each has a separate password, and as I use Linux there is a small chance that I have a key logger.
Keepass is available as a portable app, that runs from a thumb drive:
http://portableapps.com/apps/utilities/keepass_portable
I highly recommend you try out some portable apps, it's like having your whole computer on a thumb drive!
Just refer to the records kept by keyloggers installed surreptitiously on the "other" computers you use.
As an example, look at mailman, the mailing list manager. Not only did it store the plaintext password, it mails it to you monthly.
That's not because the developers of mailman were idiots. It's because they assumed that the users were not idiots, an assumption that was probably reasonable in the early days of mailman. Mailman has always told users that they should not use an important password because it would be e-mailed to them monthly. The idea was that your mailman account is very low-value, and so it made sense to use a weak password, and it made sense to e-mail password reminders because so many users forgot their low-value passwords.
The reason mailman changed was because the developers discovered that users were, in fact, idiots, and commonly used the same password that they used for, say, their on-line banking account, rather than making up a throwaway password which they didn't even have to bother to remember because it would be e-mailed to them monthly. Thus, mailman has to take pains to secure the user's password, not because the mailman account needs protection, but because all of the other accounts that use the same password need protection.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
Changing a secure password offers no additional security. It's not like they wear out.
Yes, they do.
At least, they do if they're actively being attacked. If you assume that someone is trying to brute force your password, even a fairly long, complex password is only likely to stand up for a few months. This is one of the rationales for changing passwords periodically.
However, if you're really worried about that, you absolutely should not use the same password for multiple web sites. Because every site you use it with sees the plaintext password every time you log in, even if they store it properly salted and hashed. So it only takes one unscrupulous admin and your "strong" password becomes known. The OP says he adds some site-specific bits to his common password, but unless that's done very well, it adds nothing. And even when done well it doesn't add very much security, if the unscrupulous admin is clever enough to guess that's what's being done.
Your statement doesn't take several risk factors into account. Ultimately, risk is something you have to assess for yourself: what is the value of your passwords? Are you guarding multi-million dollar corporate secrets, or are you risking a $50 credit card fee? It makes a difference as to how much effort to put into the task.
Long, random character passwords that are written down using actual pen-on-paper are still very secure against network based attacks. I have yet to see the virus that can read the password off a sticky note.
Having them on a piece of paper stuck in to your monitor in your house is going to expose them only to the people you invite in. Now, if you're talking about passwords at work, then you have coworkers, cleaning people, maintenance people, and all sorts of random passers-by that can read the note. Yes, those are less secure. But again, what are you guarding?
Having them inside a locked desk drawer improves the situation by quite a bit. Only someone who is specifically targeting you is likely to go after them. And if someone's targeting you personally, they'll probably do it the easy way with a keyboard sniffer or virus, rather than trying to break in to your office, bribe your janitor, or pick your desk drawer lock.
That said, in all cases you're still better off with an encrypted storage tool like a yubikey. Keep them with you, keep them encrypted. Much harder to leak that way.
John
It's easy to remember.
I'm shocked. It really does work. Username is also case insensitive.
No, you never would.
If you use a different password for every site, there's no reason to think that a password change will increase your security at all except in one very specific case: where an attacker has gained control of your account without your knowledge and not changed anything themselves. In this case (the peeping tom hacker?), your changing of a password will then deny them future access until the next hack.
Personally, for 99% of the random websites I visit, I dump a random password into the password field and don't even bother jotting it down; they all have password recovery by E-mail if and when I ever return.
- Michael T. Babcock (Yes, I blog)
I create a randomized password for every website, stored as a plain text file -- one per website -- in an encrypted directory. When I log in to the website, I copy/paste the password from the file. The encrypted directory is not mounted unless I am actively using it. The problem I run into is that many websites only store an unknown few characters (maybe 8) and truncate the password without informing the user of the new password. This means that it will let you log in the first time, but when you try to log in later, you can't get in because the password isn't what they stored. This is very frustrating.
That would be an intentionally malicious thing to do. At least with case insensitive comparison of plain text it could be just a bug.
Pen and paper and a small notebook I keep in a locked drawer. The notebook has "Password log" written on the cover and contains all my passwords to every website/computer/device I own. I have never met a hacker who can hack my desk drawer over the interweb and I don't think I'll ever meet one. With this marvellously low-tech solution I never forget a password, can use passwords of near infinite complexity and can change my passwords as often as I like. The main argument against is that if anyone was to get physical access to my desk drawer they would get all my passwords. I guess that is a clear drawback, but if they had such physical access they could just take the computer/hard drive anyway, and also if they did I have the advantage of knowing that my passwords had been compromised by virtue of a broken desk drawer, and a large part of the risk is not knowing your account is compromised, isn't it?
I write all of my passwords and user names in a google document.
You got the year wrong. Password11 now becomes Password12.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
I keep my passwords on an old Sony Clie using a keyring application which will even generate random passwords for me.
done.
Why would anyone want to intentionally make a password case insensitive? I have never seen anybody else use such a system intentionally.
Use the same 26 pseudo-words to generate passwords. Always pick the same letters from the website, say ST from slashdot:
- Sierra Tango (or mangle it to ierraango)
- Lyndon Truman, as there's no S president (reduced alphabet)
- Street of my friend T. (or day month year phone city app familyname)
For a secure password, the hint is used as the generator in case I forget.
Even if I end up using the same 50 words in all my passwords, my list will be different from anyone else's. If you manage to connect me to many of my passwords, you could start guessing the others. Which is the only reason why the algorithm needs to change over time.
ID: the nose did not occur naturally, how would we wear glasses otherwise? (apologies to Voltaire)
Think about it: Changing a password only helps in the small time window during which the password has been compromised but not yet used. Of course, if you are incompetent, passwords can also be brute-forced because they are easy to guess. Select good passwords and changing them becomes completely unnecessary.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
I keep my passwords safe by not bragging about my selection strategies on slashdot.
Or maybe two different bosses telling you conflicting things on what to do was a setup to get you nailed for insubordination.
Maybe it's to prevent locking out a user if SOMEHOW THEIR CAPS LOCK GETS TURNED ON. It's still pretty idiotic.
I use Password Safe; it stores my passwords behind a single master password. It stores URLs and user names and it can generate nice strong passwords. It's fugly but functional. There's one password needed to break everything, but that's what the original poster defined as his requirement.
Sigs. We don't need no steenking sigs.
Changing passwords does not increase security as long as you use a unique password for each site! - It actually decreases security as you're more likely to write them down in order to remember them. It takes a while for your new passwords to settle in your memory and that's why you need help - at first at least.
Brute-forcing a password is often faster than the usual rotation so if anyone wants access they have plenty of time brute-forcing it anyway.
IMHO the best strategy is to create a really good base password. It should be long and filled with all the usual variations. Then 'mutate' it for each site. Add something in front or at the end, or in the middle if your base password affords it. Do not use something simple here like the initials of the site name, the IP or similar. Try to incorporate it into the base password if possible. Many will use the first letter of all the words in a sentence, 'lamerized' for additional symbols, and that's a good way to create something complex that's easy to remember. It's actually in part based on an old library cipher so it's decent in itself.
Here's an example based on the classic (and too short) sentence found in many password texts:
"In my opinion Carthage should be destroyed"
First letters:
ImoCsbd
Lamerized:
!m0C$bd
Now, in order to adapt this to - say slashdot - add some words to the sentence and then do the same:
"In my opinion /. rules and Carthage should be destroyed"
End result:
!m0/.r&C$bd
Even if you know the base password you won't be able to guess the unique password for each site. You should of course use a less known sentence for the base password and never reveal it. That way predicting the unique password will become as impossible as simply brute force guessing.
"For every complex problem, there is a solution that is simple, neat, and wrong." -- H.L. Mencken (1880-1956) --
He said 30 days, or monthly, so 12 (December's password) becomes 1 (January's password).
Most websites mail me back my plaintext password when I click "forgot password?"
If my password was good so far, it is good in the future. I don't change passwords unless I have a reason to. And yes, I am a security professional with credits and all.
Most people go with security "wisdoms". The problem with those is that they are usually outdated, often backed by no or little evidence, based on hearsay and soundbites and - most importantly - not necessarily adequate to your threat model.
In order to have a good defense, you need to know what you defend against. What are the threats? Regular changes of passwords are basically (I simplify) good if:
a) an intrusion could remain undetected
b) continuous access is of value to the attacker
c) you share it with someone else on a regular basis
Where c), btw., is the secret reason that most companies have a policy of regular password changes. Because we security officers know that no matter how much we tell the average office worker not to, those passwords are getting shared.
For most private uses, neither of these is true. If someone is interested in your PayPal or /. account, chances are very high that whatever he intends to do with it, he will do it soon. Meaning that a) you will notice and b) the damage is done.
Changing passwords has one main effect: Over time, passwords get weaker. Because remembering meaningless digit-number combinations is already hard as it is, constantly re-remembering new ones is something a normal human simply can't cope with. So even if he was initially motivated to pick a good password, over time it will degrade.
For every other security aspect, changing your password does nothing. If I can crack the old one today, I can crack the new one tomorrow. If the website stores the old one unencrypted today, it will store the new one unencrypted tomorrow. If I fetch it from memory with a trojan today, I can do so again tomorrow. etc.
Assorted stuff I do sometimes: Lemuria.org
One measure of the security of a password is the amount of time it would take to compromise it as compared to its useful lifetime. Assuming the password database is stolen today, would someone be able to compromise your password before you changed it?
Yes, because the chances are about 99% that it is stored in either
a) plaintext
b) a cryptographic one-way hash
In case a), time to compromise is zero; in case b), time to compromise is so troublesome that nobody will bother, they'll just hack the next website until a == true.
Well, if they are really determined, and the hashes are not salted, they may throw up the most common 100 or so passwords using a rainbow table, but that's it.
That's not because the developers of mailman were idiots. It's because they assumed that the users were not idiots,
Uh, doesn't that make the developers of mailman idiots? How stupid would you have to be to make such an assumption about users?
... and then they built the supercollider.
Whatever happened to imagination? There are unlimited easily remembered algorithms no one is ever going to guess; mine are not necessarily easily remembered by you, but you get the idea...:
1) Add your birth weight in kilos to your age at the millennium in months, ignore the decimal points, and insert the first 8 digits after the first 8 letters of the name of your hero... or dog, or spouse, or favorite spaghetti sauce...
2) Allocate the numbers 1-10 to the first 10 words of your favorite quotation. Take the sum of each group of 5 words, add your Gregorian birthday in day/month/year format, and add together to get single digits which themselves represent a word; insert the digits in the words they represent (1st, 2nd or 3rd position etc.); for extra security translate the words into French/Hungarian etc....
3) Take the telephone number of the apartment your first lover lived in; mix it with the registration number of your first car, the birthday of your second wife, and the number of tiles on your bathroom wall....
4) Take the number of electrical outlets in your house/apartment, multiply by your age in leap years, take the first 4 digits of the resulting number to represent the first four paragraphs of your favorite book, then take the first (or 2nd, 3rd etc.) word as your pass phrase, but include the digits after every 1st or second letter...
5) Google some random trivia and bookmark it; use the Fibonacci sequence to generate a pass phrase from the 2nd (3rd etc.) para of the bookmark...
I could go on like this all night. Nobody needs a password keeper or generator; if you give a shit (and mostly I don't) use a set of personally significant numbers and words in combination with some favorite easy algorithm (even rot13 is fine if the foundations are inscrutable). And remember that your passwords are safe only insofar as you convince powerful folks they are not worth cracking...
Most website developers don't even understand what a hash is. They are simply not capable of using hashes on their sites, even less to do some sane salting. Most of the top used development frameworks also don't help securing passwords, some even make them harder to secure.
I'm not so sure it's a matter of developers not understanding hashing and salting, from what I've seen a lot of times there are also legacy and policy issues (in corporate environments).
Once you have one system in place it takes time (and thus money) to replace it and it doesn't matter if you have ten competent in-house devs who know there's a security problem, management isn't about to let them "waste" money fixing something that has yet to be exploited just because that contractor the company brought in six years ago was incompetent (not to mention the common corporate delusion that contractors are more competent than in-house developers because, uh, they cost more or something so clearly the in-house guys are just exaggerating or don't know what they're talking about when they say that storing plain text passwords is a bad idea).
Greylisting is to SMTP as NAT is to IPv4
I can't think of a single site that does this. And I forget my passwords all the time. Every single site seems to generate a new 8 character random password, and email *that* to you, or a link where you can click and enter a new password.
Oh, there are plenty of them out there. I recently even came across a domain registrar a client was using, which submitted your username and password in plaintext in the URL of the page request while logging in.
Every year near my birthday I have the same ritual as yourself, but I update a list from a save in my Mozilla cache with URLs and passwords and update it to a flash drive that I keep in one of these: http://www.thinkgeek.com/gadgets/security/855d/?srp=1 For 12 dollars over at least 5 years you too can share the same security that I do ;)
Unimportant shit gets a trivial password. Nobody should get help in guessing my important passwords.
Work stuff is changed in the interval set by the rules of the company I work for.
Websites I need to access get a unique password which I store using a password manager on my phone, which supports device level encryption in addition to the password manager encryption.
Root/user accounts on private machines and work machines maintained and used solely by me have a password which is pretty constant but not used on machines which I don't control. The password is not written down anywhere (after a small period in which I need to train it).
Shut up. I always post AC and read at -1. AC posters have a lot of useful things to say.
P.S. I am going to mod you troll for this pointless attack against AC posters.
Signed, an AC with mod points.
clipperz.com is completely anonymised, refuses to link to google authenticator, but does provide one-time-pads for Internet Cafe use, if you want to generate them.
Don't like them hosting it - download the Community Edition, install it yourself at home and install knockd.
I love OpenID, but they were way too slow with PAPE support (two-factor etc), by which time the idea was slated as too insecure to implement. Which was quite correct. But we need to look at (voice) biometrics for password reset to get rid of email reset.... (Percentage of population without their voice for more than 2 days out of the year is very low.)
Check out VoiceCommerce.com, they link voiceprints to KYC and are providing voice payments in 160+ countries with Nick Ogden, ex-founder of WorldPay.
Disclaimer: I met Nick in May 2009
- Mark Cross www.OpenID.co.uk
But they don't know who s/he is, aliases on other sites, email addresses, etc.
And knowing that part of the password is common to his other passwords still isn't helpful - we still don't know how many chars, how he intersperses the site-specific portion, etc.
You'd have to know his password for at least two websites before you could figure out his method, unless he's just adding a few chars of the website to the end and you can recognize that easily. And even then it would need to be a pretty targeted attack against this one individual - if someone compromises two different websites and obtains access to a bunch of logins... they go for the low-hanging fruit, and just try what they have elsewhere. It's unlikely that they would go through both datasets, see that an email address appears twice - assuming the same email address was used and that email addresses were also compromised in both cases, could be a username to log in as well - compare the two passwords, and spend time trying to see if the two are related.
tl;dr - it's not the best security practice to advertise how you select passwords, but s/he is still fairly safe until at least one password is compromised, and the whole point of the question is to come up with a better solution and change everything over to that, meaning whatever information is divulged in the question is probably going to become irrelevant soon enough.
I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
Nobody said anything about intentionally...
Here is an article, not-so-old, about Amazon truncating users' passwords to 8 characters, which were also case-insensitive.
I vote based on politicians' actions, unless contrary to my preconceptions. Often wrong, never uncertain. #iamthe99%
In some countries (Germany, for example) the law forbids storing the plain password.
On second thought, let's not go to Camelot. It is a silly place.
> At least, they do if they're actively being attacked. If you assume that someone is trying to brute force your password, even a fairly long, complex password is only likely to stand up for a few months.
A fairly long, complex password is likely to stand up for millennia against brute force.
A good example of a high profile site that stores your password in plain text is MSDNAA.
So they claim. But believing them requires trusting them, which gets us back to square one.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
This program is available for Windows, Linux and Android. I keep the master database on my home PC and copy it where needed. You only need to remember one master password.
Do the banks lose anything if their customer's account gets hacked? If not, then they have no incentive not to use such a system. Do they collect fees for cancelling transfers and whatever else can be done to sort out the mess? If yes, then they have plenty of incentive to employ less than good security.
Never attribute to stupidity what can be adequately explained by greed.
Forget magic. Any technology distinguishable from divine power is insufficiently advanced.
$password =~ s/2011/2012/;
Or they could just, you know, go around the whole thing. For an example, I bet a lot of guys here have seen spam lately coming from the Yahoo accounts of old friends and are wondering WTF? I can answer that: the malware guys have figured out a way around the XSS protection in FF, and whenever your friend looks at a porn "free videos!" site in FF it loads a hidden iFrame and then gets FF to autocomplete and loads the Yahoo email addresses and spams the shit out of them with driveby malware links. Don't ask me how they got out of the sandbox as I'm not a browser security expert, fucked if I know; what I CAN tell you is that it works in FF but not Chrome-based or IE, and it works in Yahoo but not Gmail or Hotmail. Haven't tried it with FF 9 as I'm on vacation but it worked with FF 8. I'm sure there are enough guys off on the holidays that I'll know if it still works if I start getting Yahoo spam again.
And this is just one nasty, and not counting hacking the website itself, where we have seen everything from governments to kernel.org get pwned this year, so his little system probably wouldn't work too well if just two of the sites he goes to get pwned so they can compare. Personally if he wants to go through all that work more power to 'em I say, everybody needs a hobby, but I'd just rather not have data worth giving a crap about on most sites, and the few where I spend money at have a really solid password based on the serial along with make and model of one of my basses. I know my basses by heart so whipping that off is easy, and the combo of letters, numbers and symbols is nice and long and won't show up on a dictionary attack with me capitalizing all vowels. Easy for me to use, easy to remember, hard to hack.
ACs don't waste your time replying, your posts are never seen by me.
If it's a wire transfer, the only thing they lose is customers. Banks know if you're a profitable customer or not. Banks are very bureaucratic and often stupid. But they are interested, somewhat, in reducing transfer fraud if only because of the hassle it causes them, the large amounts involved, and fear of government investigations. The government doesn't care about you getting back your money, just whether it is going to trrrrists. Some banks do have software & statistical models to detect on-line transfer fraud, and perhaps even physical tokens.
Their IT departments are quite divorced from operational commercial bankers -- IT (often overseas/outsourced/not engaged) probably tells the internal people to suck it up and so they say the same thing to the customers with a slightly nicer tone.
If it is a credit card, then the bank takes the fraud loss in most areas. A debit card, possibly, depending on jurisdiction & policy. This means they have a more organized department for dealing with fraud.
That's not because the developers of mailman were idiots. It's because they assumed that the users were not idiots,
Uh, doesn't that make the developers of mailman idiots? How stupid would you have to be to make such an assumption about users?
Because it was a very reasonable assumption up until the eternal September.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
What about Keychain notes on Mac? How safe would that be?
V.
So "A penny for your thoughts?", with n=1, becomes "Ap4yt". Take n=2: "Ae4oh". The string is pretty much gibberish if you don't know its origin, yet it's still easy to reproduce; at least for n=1, it's almost trivial to memorize.
And, of course, feel free to add random numbers or extra details (like initials for the person being quoted) to the beginning or end.
Here's an idea/meme: Create a way to describe both the password rules and storage policy for a web site in a few characters. Then encourage sites to put those characters next to the "Enter Password" box on their site. The intended effect is to make users aware of the rules of the site, and ultimately to force them to improve their policy. Here's an example of what I mean:
0 means "we store your password in the clear"
1 means "we encrypt your password using standard techniques"
2 means "we one-way encrypt your password and store only the encrypted value"
3 means "we one-way encrypt your password with salt, and store only the encrypted, salted value"
4 means "3 and also we have an effective means in place to prevent repeated guessing by an external agent" (some sort of time-delay for bad guesses, getting progressively longer, or something similar..)
(Any more needed?)
and maybe use a letter for the password policy:
A means "password has a short maximum length (8?) and silly constraints on what characters must be present" ....
C means "No restriction on password length, but some constraints on characters"
Z means "Password can be arbitrarily long and include any character you can type."
So 0A would be a disaster, and the goal would be to move sites toward 4Z. And you'd see what the site does every time you log on (assuming, of course, that they're honest, but this would be easily auditable..) Even people who didn't understand what the specifics mean could be educated to know that closer to 4Z is better. (This is just an example... I'm sure a better encoding is possible...)
I keep two classes of passwords. One class for important stuff, email, banks, etc. where my password is strong and changes often. Another for everything else. This password hasn't changed in years but I could care less if you break into my forum account that I've used once in the last 10 years. If the db for that account gets gizmondoed I have no worries because nothing important is protected by that password.
Besides complex passwords don't forget about usernames. I used to use just one username for all my online accounts but then I read some research paper outlining how much information an advertiser or attacker could gather from just comparing the same username across different websites. So now besides changing my passwords I also, where practical and possible, delete old accounts and create new ones with random usernames from a collection of username generators I've found.
Nothing in the world is more dangerous than sincere ignorance and conscientious stupidity.
> At least, they do if they're actively being attacked. If you assume that someone is trying to brute force your password, even a fairly long, complex password is only likely to stand up for a few months.
A fairly long, complex password is likely to stand up for millennia against brute force.
Wishful thinking.
At least by most people's definition of "fairly long, complex" -- but still reasonable to type and to remember -- password cracking is eminently accessible, though not (yet) cheap.
A ten-character password, containing a completely random selection of alphabetic, numeric and symbolic characters has about 61 bits of entropy. That's already beyond what most people are prepared to deal with, so consider this calculation an upper bound and reduce it by two or three orders of magnitude (minimum!) for the average real-world password.
According to this article an Amazon EC2 instance with GPU-based cracking can test 3.488 billion passwords per second. At that rate, it would take just short of 300,000 hours to search the entire password space, about 34 years. That's not trivial, but it's hardly "millennia". And, of course, password cracking scales perfectly, so you can use 34 times the resources to do it in one year, or 408 times the resources to do it in one month, or 300,000 times the resources to do it in one hour.
At the rate mentioned in the article, $2.10 per hour, it would cost ~$313,000, on average, to crack a password. That's substantial, but assuming it declines per Moore's Law (which wasn't about $/cycles, but close enough), in 10 years it'll cost just over $3K, in 15 years it'll cost about $300, and in 20 years it'll cost about $30.
Of course, good systems can make the attack more expensive by iterating the hashing operation to increase the cost of each password tested. But, still, the point is that the most complex passwords that people can readily handle are within the reach of a serious attacker, and this situation is just going to get worse.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
It's "swordfish", isn't it?
We seem to have different definitions of 'fairly long' and complex. According to Wikipedia the Oxford English Dictionary contains descriptions of over 600000 words; randomly picking six of those words will give 4.6e34 possible combinations, which would take quite a lot longer to crack than your 10 random characters, and would (for many people) be easier to remember. If you're feeling particularly paranoid you could include a few numbers and symbols in the passphrase, but that's probably overkill. Of course you may want to skip words of only 2 or 3 letters. While this will make the number of combinations slightly smaller, at least you'll be protected against someone who brute-forces all alphabetic characters...
KeePass for your PC (runs fine with Mono under Fedora/RedHat-ish distros) + KeePassDroid for your Android device(s) + Rsync 4 Android to sync it (or just manually pop the memory card in to transfer it).
I have a different KeePass Database file for Personal (high-security items) and Work. I wouldn't trust Dropbox to move the file around as some propose. If you absolutely insist on using an insecure transport like Dropbox, at least add the Key File method when you generate your databases and transport the Key File OOB (not via Dropbox).
I hear from a co-worker that KeeFox is a nice Firefox + KeePass integration. I may move all my low-security sites' passwords to another KeePass database if this works well so that I could also have all of them available on my phone.
For now, I use SyncPlaces (stored to a local file) + Dropbox to keep my low-security sites' passwords and bookmarks synced (as they change and are added to very often).
I have a php page on my https server; it's an unpublished link, you have to know it to get to it. It has two forms, one for the domain name/website name/whatever identifier and one for my super secret password.
It generates a list of several hashes from the combination of the two inputs for use as passwords. A list in case a site is hacked or password expires or whatever. In that case I have to remember that web site requires the second instead of the first item on the list.
I also should not access the URL from a random virus ridden PC at some friend's place. In that case I could use my phone to generate the password. Though then I probably should not use that PC at all.
I use several hashes in sequence so there are no rainbow tables on google, not that my master password is weak. And I can use several master passwords for different kinds of websites (amazon, paypal, etc vs randomtorrent.xxx, slashdot.org).
So, I don't know any passwords of any websites by heart and they are all different. I need to know a specific URL or have the php file on hand and know the master password to generate the correct password. Kinda 2-factor auth!
It is a bit cumbersome, but I implemented the solution when a website where I used one of my generic passwords was hacked. The script kiddies recorded the passwords of users during logon and later the list of usernames+passwords was published. Changing the passwords on all the websites (and websites I had forgotten I even had an account on) sucks.
I needed a system that I could use from anywhere and any device and used a unique password for each website. So I created a few lines of php. I also have the php file on another ssl server as a backup too.
And yes, should anybody hack the webserver and discover the php file and its purpose I'll be fucked. They'll record the master password and then I've lost all the passwords. However I think it's still a better system than having the same password on many sites.
As for banks, internet voting (we don't have electronic voting, only paper ballot and internet voting, no ATM-like machines) and communicating with the state, well I live in Estonia which means I have an ID card but I prefer Mobile ID (private keys on a smart card and on a SIM card). Mobile ID rocks. The SIM card acts as a smartcard, so the private keys never leave it. Data exchange works via SMS, so I can use it pretty much anywhere in the world where there's internet and phone reception - and the PC doesn't ever see any passwords.
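The scheme in the comment above (master secret + site identifier, hashed repeatedly, with a short list per site so one entry can be rotated) is the same idea as PwdHash. Here is an added, self-contained Python illustration of that kind of deterministic per-site derivation; it is not the poster's php code and does not reproduce it. It assumes PBKDF2-HMAC-SHA256 as the slow hash, a 74-character output alphabet, and a `counter` that plays the role of the poster's "second item on the list"; all of those are choices made for this example. The master passphrase is the only secret and is never stored, so, exactly as the poster notes about their php file, anyone who learns it together with the scheme can regenerate every site password.

```python
import hashlib
import math
import string

# Assumed character classes for the generated passwords; the symbol set is a guess
# at what most site policies accept, not a standard.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*-_=+"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 74 symbols


def derive_key(master: str, site: str, counter: int, attempt: int, iterations: int) -> bytes:
    """Slow, salted derivation. The salt binds the key to the (normalized) site name,
    a rotation counter and a retry attempt; the master passphrase is never stored."""
    salt = f"{site.strip().lower()}|{counter}|{attempt}".encode("utf-8")
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=64)


def key_to_password(key: bytes, length: int, alphabet: str = ALPHABET) -> str:
    """Base-convert the 512-bit key into the alphabet. The key has far more bits than
    the password needs, so modulo bias is negligible."""
    if length * math.log2(len(alphabet)) > 8 * len(key):
        raise ValueError("requested password needs more entropy than the key holds")
    n = int.from_bytes(key, "big")
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(alphabet))
        out.append(alphabet[idx])
    return "".join(out)


def has_all_classes(pw: str) -> bool:
    """Typical site policy: at least one lower, upper, digit and symbol."""
    return (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw))


def site_password(master: str, site: str, counter: int = 0,
                  length: int = 16, iterations: int = 100_000) -> str:
    """Deterministic per-site password. Re-derives with a new attempt number until the
    character-class policy is met, so the result is still reproducible from the inputs."""
    for attempt in range(64):
        pw = key_to_password(derive_key(master, site, counter, attempt, iterations), length)
        if has_all_classes(pw):
            return pw
    raise RuntimeError("could not satisfy character-class policy")  # practically unreachable


def password_list(master: str, site: str, count: int = 3, **kw) -> list:
    """The poster's 'list of several hashes': item i is the password after i rotations."""
    return [site_password(master, site, counter=i, **kw) for i in range(count)]


if __name__ == "__main__":
    # Constructed demo inputs, not real credentials.
    for i, pw in enumerate(password_list("correct horse battery staple", "example.com")):
        print(f"example.com rotation {i}: {pw}")
```

Normalizing the site name (trim, lowercase) before salting matters in practice: "Example.com" typed on one machine and "example.com" on another must yield the same password, or the scheme fails exactly when you are on an unfamiliar device.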
No, it's time to change password2011 to password2012.
I use Chrome with KWallet to keep all of my passwords for the web. I then keep all the rest of the passwords that are not web, or for sites that don't allow passwords to be saved in a keyring in KWallet in files I create myself. Then I make sure that Chrome sync is enabled to sync my passwords and encryption is turned on. I never have to worry about home/work/laptop. They are all in sync. I also keep an encrypted copy on a microSD card that I can stick in my android phone and decrypt in case of emergencies or if I am roaming away from a computer that I administrate myself and I wouldn't want to do a Chrome sync with.
I still use Strip on a Palm. Why? It works for me & almost nil chance of malware infecting it.
I've tried out a bunch of these suggestions but what I think I really want is a simple file encryptor so that I can just dump a word-doc or similar on dropbox and pack/unpack it easily. Why I want this:
- I have 'stuff' that isn't passwords and/or is more freeform than a URL/password pair: including SSNs, bank account numbers, immigration info, phone-access PINs, some sites with public URL, private URL, raw IP address, contact details etc, sites where I have multiple testing accounts, etc.
- I find that a freeform document that I edit at will and use Ctrl-F for search is the simplest and most flexible.
- I'd like to have an easily synced repository (eg dropbox) with strong encryption.
- I like to get asked the password every time I open the repository, but then be able to party on it for a while if I'm making a bunch of updates or collating some info (unlike lastpass which I'm finding a bit too permissive or a bit too rigorous).
- I'd like to access this encrypted, synced file from lots of devices if possible, but at a minimum from PC/Mac and then Linux/phones.
Does anyone do this? The bit I'm missing is the simple cross-platform encryptor/decryptor piece. -mike.
One benefit (really, the only one I can think of) is that it keeps you from being bitten in the ass from an old mistake. Maybe an old laptop's hard drive has a copy of your password from last year (or last decade)... if you change them regularly, your current accounts won't be vulnerable. Your 48-character line-noise password is insecure if you ever had it in plaintext (yes, just a bit of hyperbole)
Salting is not interesting for you as a single user, only for the site admin. Unsalted passwords lead to faster finding of weak passwords, once the password file is stolen, so the weakest password can be found very efficiently. But for you as a user, it's only important if YOUR password gets cracked, and if I want to brute-force your password, it can be salted and my bf is as efficient as it would be when it's not salted.
No. You just need to change it to something your attacker already tried. He does not know you changed the password, so he will not try it again. ;)
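Levels 2, 3 and 4 of the storage scale proposed earlier in the thread, and the salting point made in the comment above, in one added Python example. This is illustrative code written for this page, not anything from the thread or from a named library. It assumes PBKDF2-HMAC-SHA256 with a constructed work factor and a doubling lockout delay capped at 15 minutes; both numbers are assumptions to tune for a real deployment. `unsalted_hash` shows why an unsalted table is cheap to attack in bulk (equal passwords give equal digests, so one guess is checked against every stolen row at once), while `hash_password` gives each account its own random salt; `attempt_login` adds the progressively longer delay for bad guesses that level 4 calls for.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

ITERATIONS = 200_000  # assumed work factor; raise it until one verification costs tens of ms


def unsalted_hash(password: str) -> bytes:
    """Level 2: one-way but unsalted. Two users with the same password get the same
    digest, so a single guess can be compared against every stolen digest at once."""
    return hashlib.sha256(password.encode("utf-8")).digest()


@dataclass
class StoredCredential:
    salt: bytes
    digest: bytes
    iterations: int


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> StoredCredential:
    """Level 3: salted, iterated one-way hash. Only salt, digest and work factor are stored."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return StoredCredential(salt, digest, iterations)


def verify_password(password: str, stored: StoredCredential) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    stored.salt, stored.iterations)
    return hmac.compare_digest(candidate, stored.digest)  # constant-time comparison


@dataclass
class Account:
    stored: StoredCredential
    failures: int = 0
    locked_until: float = 0.0


def progressive_delay(failures: int, base: float = 1.0, cap: float = 900.0) -> float:
    """Level 4: the wait after each consecutive failure doubles, capped (assumed: 15 minutes)."""
    return 0.0 if failures == 0 else min(cap, base * 2 ** (failures - 1))


def attempt_login(account: Account, password: str, now: float) -> Tuple[bool, float]:
    """Returns (success, seconds until the next attempt is allowed).
    `now` is passed in rather than read from the clock so the logic is testable."""
    if now < account.locked_until:
        return False, account.locked_until - now  # still locked: do not even check the password
    if verify_password(password, account.stored):
        account.failures = 0
        account.locked_until = 0.0
        return True, 0.0
    account.failures += 1
    delay = progressive_delay(account.failures)
    account.locked_until = now + delay
    return False, delay


if __name__ == "__main__":
    # Constructed demo: two accounts with the same password ("hunter2" is not a real credential).
    print("unsalted digests equal:", unsalted_hash("hunter2") == unsalted_hash("hunter2"))
    a, b = hash_password("hunter2"), hash_password("hunter2")
    print("salted digests equal:  ", a.digest == b.digest)
    acc = Account(stored=a)
    for t, guess in [(0.0, "wrong"), (0.5, "wrong"), (1.0, "wrong"), (3.0, "hunter2")]:
        print(t, guess, attempt_login(acc, guess, now=t))
```

The salt does not slow down a targeted attack on one account, which is the comment's point; what it removes is the ability to test one guess against the whole stolen table in a single hash, and the iteration count is what makes each guess expensive for everyone.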
There are multiple problems with your proposal.
First, while people can easily remember a half-dozen common words, they're going to have a much harder time remembering a selection of words they've never heard of before. The xkcd suggestion of choosing from a restricted dictionary is more practical, but it drops the entropy from your suggested 115 bits to 66 bits (which is still slightly better than the 10-character password I suggested, but not hugely so).
Second, what you're talking about is passphrases that are 30-40 characters long. Half the web sites I use -- especially the financial ones -- won't accept more than 12 characters, and a good number won't take more than 8.
Third, even if people can remember the words, and how to spell them, and web sites will allow them, how many people can quickly and accurately type them, especially when they can't see what they're typing? I couldn't.
Selecting six words from an extremely large set would provide a great deal of entropy, but it's not very practical.
However, I certainly do concede that it is possible to choose passwords/passphrases that provide long-term resistance against brute force attacks. But few people will do it -- and many web sites won't even allow it. Given the other avenues of attack (shoulder surfing, mistakenly typing a password in the wrong place, unscrupulous web admins), the most practical method, at present, is to use unique per-site passwords that are moderately long and complex, unique per site, and change them periodically.
I'm a big fan of OpenID for this reason. It allows me to have one fairly strong password that my fingers can type quickly (because I use it a lot), plus a second authentication factor (OTP generator on my phone), and to use that same login credential at a lot of web sites. But just try to convince your bank that they should trust Google, or Blizzard, to handle their client authentication for them -- in spite of the fact that they do a far better job. Even if Verisign or some similar "trusted" company were to offer strong OpenIDs with multi-factor authentication, it'd still be tough to get the banks and other important sites to trust them.
Something like that is where we've got to go, though. Password-only authentication isn't a viable long-term strategy, and it's not going to be practical to have a different second factor token for every site you use.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
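The back-and-forth above (the 61-bit / 3.488 billion-guesses-per-second / $2.10-per-hour calculation, the six-words-from-600,000 reply, and the 66-bit restricted-dictionary rejoinder) is all one calculation with different inputs. Here it is as an added Python cost model, written for this page and not taken from any poster or article. The guess rate and hourly price are the figures quoted in the thread and are used as given, not verified; the 95-character alphabet (printable ASCII), the 2048-word list size (the 11-bits-per-word dictionary the xkcd strip assumes), the 18-month cost-halving period used to mimic the thread's Moore's-law projection, and the `kdf_iterations` knob for iterated hashing are assumptions of this example.

```python
import math

# Figures quoted in the thread, used as inputs and not verified here.
EC2_GPU_GUESSES_PER_SEC = 3.488e9
EC2_GPU_USD_PER_HOUR = 2.10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_password_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` characters drawn uniformly from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def passphrase_bits(dictionary_size: int, words: int) -> float:
    """Entropy of `words` drawn uniformly (with replacement) from a dictionary."""
    return words * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, guesses_per_sec: float, kdf_iterations: int = 1) -> float:
    """Mean time to hit a uniformly random secret: half the keyspace on average,
    each guess costing `kdf_iterations` hash evaluations (iterated hashing on the server)."""
    return (2.0 ** bits / 2.0) * kdf_iterations / guesses_per_sec


def crack_years(bits: float, guesses_per_sec: float, kdf_iterations: int = 1) -> float:
    return expected_crack_seconds(bits, guesses_per_sec, kdf_iterations) / SECONDS_PER_YEAR


def expected_crack_cost_usd(bits: float, guesses_per_sec: float, usd_per_hour: float,
                            kdf_iterations: int = 1) -> float:
    """Cracking parallelizes perfectly, so cost is wall-clock-independent: hours * price."""
    hours = expected_crack_seconds(bits, guesses_per_sec, kdf_iterations) / 3600.0
    return hours * usd_per_hour


def cost_after_years(cost_now: float, years: float, halving_years: float = 1.5) -> float:
    """Project cost forward assuming price per hash halves every `halving_years`
    (assumed 18 months, which reproduces the thread's rough 100x-per-decade decline)."""
    return cost_now / 2.0 ** (years / halving_years)


if __name__ == "__main__":
    cases = [
        ("10 random printable-ASCII chars", random_password_bits(95, 10)),
        ("6 words from a 600,000-word dictionary", passphrase_bits(600_000, 6)),
        ("6 words from a 2048-word list", passphrase_bits(2048, 6)),
        ("4 words from a 2048-word list", passphrase_bits(2048, 4)),
    ]
    for label, bits in cases:
        yrs = crack_years(bits, EC2_GPU_GUESSES_PER_SEC)
        usd = expected_crack_cost_usd(bits, EC2_GPU_GUESSES_PER_SEC, EC2_GPU_USD_PER_HOUR)
        print(f"{label}: {bits:5.1f} bits, ~{yrs:.3g} years on one instance, ~${usd:,.0f}")
    # Iterated hashing multiplies every figure above by the iteration count.
    print("same 10-char password behind 100,000 PBKDF2 iterations:",
          f"${expected_crack_cost_usd(random_password_bits(95, 10), EC2_GPU_GUESSES_PER_SEC, EC2_GPU_USD_PER_HOUR, 100_000):,.0f}")
    print("thread's $313,000 projected 10 years out:",
          f"${cost_after_years(313_000, 10):,.0f}")
```

Two things fall out of running it that the prose only gestures at: the dollar figure is the number that matters, because perfect parallelism makes "34 years on one box" and "one hour on 300,000 boxes" the same price; and the server-side iteration count shifts every line by the same constant factor, which is why it is the defender's cheapest lever when users will not accept longer secrets.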
I don't make friends or have contact with people who have active Yahoo accounts.
Of course I don't change passwords. Changing them regularly is a security risk. Good passwords are long and hard to remember. You can't memorize new long passwords all the time, so if you change regularly, you're bound to end up with easier passwords. Or passwords that change systematically. Those provide no security - if they know your last password was qwerty07, they guess the next might be qwerty08.
Anyway, changing the passwords will not make them harder to crack. Let's say I try brute-forcing your password, over a period of years. It won't matter if you change every month - I only need to guess right once. If I do, the fact that you changed the password yesterday won't matter.
And no, I don't bother with sites (or employers) that enforce a regular password change policy. I change passwords that get compromised - that's it.
All these silly random passwords are not very secure when most users have trouble remembering them well enough to type them out at a decent speed.
Want a good password that's easy to remember, easy to type, and scares off anyone trying to spy on it from over your shoulder? Pick a sentence out of a book and rewrite it into your own words (this step is important for memory).
Of course even the best passwords are easily foiled if the circuitry or software can be cracked. Case in point: a laptop I recently worked on. It had a boot password which was stored on a chip that wouldn't lose data if you cut the power. A half hour of circuit tracing led me to the chip, and searching the numbers written on it led me to manufacturer documentation which included the pin configuration for clearing data. Took a little soldering and a push switch to trigger the clear signal at the right time, but it no longer has a boot password.
Regarding the practice of having a default password for important and not-so-important sites: if you cannot remember which one you used during registration and try out all possible passwords, some bozo site may also learn your highly sensitive password...
I think most people are unaware of that fact as they cannot imagine sites actually looking at incorrectly entered passwords... If I ran a large site and was up to mischief, I certainly would look into that opportunity ...
As an added precaution, I never take my luggage out of the house.
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Probably he's asked for a password reset and recognised what was sent to him, rather than it being randomly generated nonsense. That's an educated guess, because I've seen the same thing.
Irrelevant, because an application user is so not an OS user. You seriously think that these Vbullshittin/PHBBB driven sites create a unix user account for every midget porn swapper that signs up? What possible function would that serve?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
Is it possible that on the first day of that fateful month slashdot had 862675 registered users?
Confucius say, "Find worm in apple - bad. Find half a worm - worse."
We (I and mi esposa) share access to several sites, some of them quite important. She has a laptop and an iPad, and so do I. So in these cases, while a long and convoluted password may be justified, it must also be a matter of agreement. No password manager for us, I'm afraid. And we must agree to be together at the time of password change lest the other need access while away.
You don't have to create a unix user for every user in order to use PAM or the other utilities to hash a password; it only has to be PAM-aware. And I wasn't really talking about porn sites, I was talking about sites like Slashdot, CNet, NYT, you know, real sites with arguably real programmers behind the scenes. If you are dumb enough to get a user account on a porn website (like there isn't enough free porn on the web...) then that is your problem.
Tequila: It's not just for breakfast anymore!
Because it can be inconvenient. Say I want to log in to a particular site on a friend's computer. I don't want to download KeePass on their PC, so I have to read the password off my phone. Reading and typing a 20+ character random string without errors is the opposite of convenience.
I sense a weakness in your system...
Password Safe (pwsafe) + Dropbox. Store enough information to deduce your master key with your final instructions for your spouse or will executor. Don't have final instructions/Will/Life insurance? :( Everyone calls finally() eventually.
There are too many websites to keep changing my password on all of them every year. Plus I have to agree with xkcd's crowbar comic (can't remember the number now): the attackers will probably obtain the password some other way.
It's neat to come back to some long-forgotten website years later and still be able to figure out your username/password on the first try.