Slashdot Mirror


Ask Slashdot: Changing Passwords For the New Year?

New submitter windcask asks "Every New Year's Day, I assemble and memorize a random collection of seven to ten mixed-case alphanumeric characters and proceed to change every password I have on the interwebs to these characters (plus a few extra characters unique to the site). The problem is I only change them on the sites I visit. Once in a while, I'll come across a site I haven't visited for a few years, and I may end up not being able to guess the password before the try-lockout takes effect. What are your password-changing rituals, and how do they deal with situations like mine? I do use Keepass for work, but it is sometimes impractical for times I'm at other computers."

6 of 339 comments

  1. Lastpass by Anonymous Coward · · Score: 5, Interesting

    https://lastpass.com/

  2. Keepass for everything! by John+Bresnahan · · Score: 3, Interesting

    There are versions of Keepass available for both the iPhone and Android (perhaps others as well). I use DropBox to keep my phone and main computers in sync. Works like a champ!

  3. Re:I do not use the same password for multiple sit by omglolbah · · Score: 3, Interesting

    Bergen University College in Bergen, Norway stores plain-text passwords and will email them to you if you request a reset.

    Using a commercial system they pay for as an alumni website... I've tried and tried again to point out how stupid it is for a technical college to have such a flaw but they ignore it.

    Hopefully there are no other flaws in the site (hah!) :p

    Just a real world example of arse security in what one would hope was a serious site.

  4. Re:The answer is still keepass by omglolbah · · Score: 3, Interesting

    1. Buy domain.
    2. Set up *@domain to forward to your real email account, optionally apply a label (I do this with gmail labels)
    3. Register with sitename@domain as email address.
    4. Check real email and verify account.

    Unique email for each site. No need to guess.

    A bonus is that if you start getting spam you can see where it originated by what email it starts coming in on.

    I noticed a year or so ago that curse got hacked as I started getting wow phishing emails to the email I registered for curse with ;)
    Just redirect to /dev/null when it happens :p
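    The per-site alias trick above makes a leak visible by which address the unwanted mail arrives on. Here is an added example (not the commenter's code) of the triage step: given inbound (sender, recipient) pairs, it groups senders by the site alias they were sent to and flags any alias that receives mail from a domain other than the site it was registered with. The catch-all domain `example.net`, the `REAL_MAILBOXES` set and the message list are all constructed for the illustration.

```python
import re
from collections import defaultdict

# Hypothetical catch-all domain; a placeholder, not the commenter's domain.
CATCHALL_DOMAIN = "example.net"

# Local parts that are real mailboxes rather than per-site aliases (assumed).
REAL_MAILBOXES = {"me", "postmaster"}

# Constructed inbound messages as (sender, recipient) pairs.
INBOUND = [
    ("noreply@curse.example", "curse@example.net"),
    ("newsletter@curse.example", "curse@example.net"),
    ("support@shop.example", "shop@example.net"),
    ("offers@randomspammer.example", "curse@example.net"),  # alias leaked
    ("friend@example.org", "me@example.net"),               # not an alias
]


def site_from_alias(recipient, domain=CATCHALL_DOMAIN):
    """Return the site label of a sitename@domain alias, or None for
    addresses that are not aliases (other domains or real mailboxes)."""
    m = re.fullmatch(r"([a-z0-9.-]+)@" + re.escape(domain), recipient.lower())
    if not m or m.group(1) in REAL_MAILBOXES:
        return None
    return m.group(1)


def senders_by_site(messages, domain=CATCHALL_DOMAIN):
    """Map each site alias to the set of sender domains that wrote to it."""
    table = defaultdict(set)
    for sender, recipient in messages:
        site = site_from_alias(recipient, domain)
        if site is not None:
            table[site].add(sender.split("@", 1)[1].lower())
    return dict(table)


def leaked_aliases(messages, domain=CATCHALL_DOMAIN):
    """Aliases that received mail from a domain not containing the site
    label. A hit means the alias has spread beyond the site it was
    registered with (the 'curse' case in the comment) and is a candidate
    for the /dev/null redirect."""
    flagged = {}
    for site, sender_domains in senders_by_site(messages, domain).items():
        foreign = {d for d in sender_domains if site not in d}
        if foreign:
            flagged[site] = sorted(foreign)
    return flagged


if __name__ == "__main__":
    for site, domains in leaked_aliases(INBOUND).items():
        print(f"alias {site}@{CATCHALL_DOMAIN} received mail from {domains}")
```

    The "site label appears in the sender domain" heuristic is deliberately loose; in practice one would keep a small allow-list of expected sender domains per alias instead.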

  5. Re:I do not use the same password for multiple sit by datavirtue · · Score: 3, Interesting

    Get this. A school I know of uses a five digit numeric password for all student accounts enabling them to access their grades, financial information, FAFSA info, class registration, and so on. On top of using a standard password that no one changes (the last four of their SSN!) for these accounts some smart smarty thought about security and set a three attempt lockout on passwords. Long story short, this permits a script kiddie attack to lock out every student from their account in a few minutes. This would result in total havoc and there would be no way to stop/recover without consuming every defensive measure in their arsenal for the network. In reality, I don't think there is any way to prevent it without dropping the system off the Internet. At a good university where you have talented students in computer science this system would have already been owned numerous times and subsequently fixed. But as it stands, it is an obscure system so it is not a high-profile target.

    Another thing I should mention, according to the state attorney general's office (just had an in-person training session): per the sunshine laws our school (any school) would have to cough up the email addresses for every student were anyone to request a list. Most schools might deny it but he (Deputy Attorney General) suggested just complying with any such request to avoid a lawsuit.

    --
    I object to power without constructive purpose. --Spock

  6. Re:http://xkcd.com/936/ by plover · · Score: 4, Interesting

    Be cautious. If www.poorlysecuredforum.com keeps your password in the database, and I hack them and see someone with the user name of DMUTPeregrine and the password of 1CorrectHorseBatteryStaple+poorlysecuredforum.com? I'm going to try logging in here as DMUTPeregrine / 1CorrectHorseBatteryStaple+slashdot.org. And I'll try logging in to wellsfargo.com and citibank and usbank and chase all the same way.

    Your suggestion of using a hash as the password is much more secure, assuming you actually use it. But next time you create a hash, try a little trick: google for it. Google is like the world's largest and fastest distributed rainbow table. Last time I checked, googling for the MD5 digest of "12345" returned something like 11,000 hits, all of which said "12345" right there on the search results. Time to go change the hash on my luggage.

    --
    John
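    The point of the comment above is that a master secret with a visible per-site suffix is read straight off any leaked password, while an unkeyed hash of a guessable string can be looked up. The added example below (not plover's code) puts the three schemes side by side: the suffix scheme, a plain MD5 of the site name, and a keyed derivation using HMAC-SHA256 with the master as the key, which yields a per-site password that contains no recoverable piece of the master and is not a hash of any public string. The master secret and site names are constructed values.

```python
import base64
import hashlib
import hmac


def suffix_scheme(master, site):
    """The scheme criticized in the comment: master visible as a prefix."""
    return master + "+" + site


def unkeyed_hash_scheme(site):
    """Plain MD5 of a public string: same input, same digest for everyone,
    so the digest is effectively a lookup key rather than a secret."""
    return hashlib.md5(site.encode()).hexdigest()


def keyed_scheme(master, site, length=20):
    """HMAC-SHA256 keyed with the master secret, base64-encoded and
    truncated. Different sites give unrelated outputs, and the output
    does not contain the master in any form."""
    digest = hmac.new(master.encode(), site.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


def reveals_master(password, master):
    """Defender's check: does a leaked password expose the master as-is?"""
    return master in password


def matches_public_digest(password, public_strings):
    """Defender's check for the 'google the hash' problem: is the password
    simply the MD5 of a publicly guessable string?"""
    return any(hashlib.md5(s.encode()).hexdigest() == password for s in public_strings)


if __name__ == "__main__":
    master = "1CorrectHorseBatteryStaple"  # constructed master secret
    for site in ("poorlysecuredforum.com", "slashdot.org"):
        print(site)
        print("  suffix :", suffix_scheme(master, site), reveals_master(suffix_scheme(master, site), master))
        print("  md5    :", unkeyed_hash_scheme(site), matches_public_digest(unkeyed_hash_scheme(site), [site]))
        print("  keyed  :", keyed_scheme(master, site), reveals_master(keyed_scheme(master, site), master))
```

    Truncating the base64 output to 20 characters keeps it typeable while leaving far more entropy than a seven to ten character memorised string; the master itself never has to be typed into any site.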