It's World Password Day: Change Your Passwords
An anonymous reader writes "Today is World Password Day — a day dedicated to promoting the use of strong passwords and the creation of good habits. However insecure this method of authentication is, it's not going away anytime soon, and people should be educated on how to make the best of it. To that end, last year Intel started an action-oriented campaign to raise user awareness regarding password problems, and this year their initiative has a new digital home. Passwordday.org provides the Password Blaster (a videogame that teaches good passwords using real leaked passwords), the Password Strength Meter, links to McAfee's Heartbleed Test tool, and offers animated educational GIFs and tips and tricks for upgrading your passwords."
Please.
Don't see what the point is
-- Tigger warning: This post may contain tiggers! --
Ludden was the best.
IT Workers rejoice!!
Followed by "Reset Your Password Day" tomorrow.
A "No More World Days" Day!
Maybe Hallmark will get behind this.
What a great time to sniff or keylog, knowing a lot of people will be changing their passwords!
I hope I'm wrong.
That is all.
Passwords, and with them password reset questions, need to go away. There are proper authentication mechanisms. Passwords are not among them.
Today is the day you should scramble your passwords by putting them into a blender, tornado, or other device to whirl them sufficiently to mix them up a bit.
Let's celebrate with 8-16 characters that must include at least one capital, one number, and one symbol but not repeat any character more than twice. Ahh screw it, why don't we celebrate World Write Down Your Password On A Post-It Note Day?
Yes it's an anecdote! Were you expecting original research in a Slashdot comment?
..so the Heartbleed has a better chance of seeing both your old and new.
worldp@sswordday14
That way you can remember it until next year!
Change your passwords today, so our new filters can capture them!
I've used passphrases from passwdqc for quite some time. They're just as complex and a whole lot easier to remember. The downside being many websites still restrict users to 8 or 10 character passwords whereas phrases can easily consume 17 or more characters.
Good people go to bed earlier.
This nonsense about numbers and symbols was doomed from the start. Either it's written on a sticky or a simple modification (append a 1, first letter cap, etc) that tables have long since accounted for. It's a waste of time and misleading users.
We should have LONG since been encouraging mixed/abbreviated passphrases. Machine-readable (including horsestaplebatterycorrect) is a recipe for disaster, anything that can be directly analogous to human thought is.
Something like "hsbcxkcd" is better. Something like "hsbcidgaf" is better yet. Common songs (r3ybgdts is 'row your boat') may seem insecure when tables/DBs start catching up, but it turns out you can blend them (r3ybhyaw is += 'have you any wool') without causing use of stickies under the keyboard. The mental adjustment is minimal, arguably easier than appending a 1, and yet it delivers excellent mutation.
Another advantage is incremental changes. The next line of "row your boat" offers "m3libad", and allows compliance with forced/desired password change without really relearning a new password. As a perk, the gibberish is harder to recognize to human eyes, whether it's an invader skimming crude keylogs/dumps or someone physically observing you.
That last sentence in the intro made me a bit ill.
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
12345...7
the open-source open hardware/software offline password keeper!
https://github.com/limpkin/mooltipass
Benghazi, Benghazi, Benghazi, Benghazi. See? Now I'm four times worse than her. But you're still a stupid twit.
so change it, already
if this is supposed to be a new economy, how come they still want my old fashioned money?
"password02". Done!
More like shit websites should change their password policies to prevent small passwords, and have no maximum password length, and update their security system in general because most likely it is terrible and some shit thing they got off some PHP kiddies website.
I am looking at YOU, Microsoft.
Ever since they changed their passwords to have a max length, I have been unable to even login to my hotmail even WHEN I only type the first 16 characters.
And when I tried to recover it, they said "nup, 2bad nerd". Fuck you Microsoft.
Luckily I never used their atrocious service for anything of worth.
Hope you die this decade Microsoft. If not I will be just as happy with the next one.
I have 400+ unique passwords. I don't think I'll be changing those for password day.
I suppose putting my trust in a password manager could also be considered a risk, but I use a passphrase long enough that even someone with an extensive dictionary attack would take years to get through it.
It actually encourages everybody to use passwords like P@sSw0rd which are the opposite of secure, it is quite known that a simple passphrase is more secure than using one 8 character word and adding symbols, upper and lower case. They might be hard for a human to guess but they are quite easy to brute force.
I thought that regularly changing one's password was unnecessary https://www.schneier.com/blog/archives/2010/11/changing_passwo.html. I thought that it needs to be changed if found to be hacked, but otherwise as long as it's strong, there's no need to change it. So while promoting good password habits is a good idea, I'm not sure that "annually change all your passwords on the same day every year so that any eavesdropper/keylogger can look for possible password change activity on one day" is one of them.
Now I'm going to post as an Anonymous Coward for the next six months!
If you were going to install sniffers all over to collect passwords as people changed them, what day would be better than World Password Day...
I'll let the herds get culled as I watch from the hills above, thanks.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
A new holiday will be sent to your email address.
It's the same day as Man-in-the-middle attack day too!
I use security tokens instead of passwords, and then external services use OAuth against this centralized service to verify my identity... passwords? What are those!?
if a legit user can hack your systems, the user password isn't your problem.
So many sites make you enter a secure password to protect their systems. Ignoring the fact that a malicious person could set up an anonymous account.
The Kruger Dunning explains most post on
due to all the past changes. My new password is "It's change your password day"
Table-ized A.I.
But when I do... http://memegenerator.net/insta...
it looks like you're almost out of post-it notes.
Anything important should be changed more frequently. And anything less important... why do we have a special day for it? Waste of time. *shrug*
I work for the Department of Redundancy Department.
I don't know how I find the time to post this. I often spend more than an hour a day trying to plough the way through passwords that I have lost or forgotten.
Passwords are the base of existence. I just realized I haven't seen a good movie with meaningful password action.
Back in the day, I was thrilled that the Internet existed: anonymous FTP existed, where one was asked to use his email address for a password. That was very cool, sort of a culture of trust. Where is this going?
Open Sez Me.
Although I do not have proof of this, I believe that the password change policy came from the way early UNIX systems handled the password files.
Early UNIX systems did not separate the username file from the password file. Both were kept in /etc/password. This file had to be world readable in order for anyone to log in. So if you had any access at all, including guest access, it was easy to copy the password file. Although the passwords in the file were hashed, they could be cracked or a rainbow table created if you had access to a powerful enough computer. At the time, only mainframes or mini computers had the power needed, and cracking a password took between three and five months.
The thought process was that if someone did steal the password file, and you changed your password every three months, it was very likely that the password was changed by the time the passwords were cracked. These days, more powerful computers can crack the passwords much, much faster, and the UNIX/Linux systems have broken out the passwords from the password file and placed them in a shadow file that is not world readable.
The danger of the password file being stolen is no longer the same issue as it once was, but the "standard" password policy has never changed. Today, the reason most often given for a change policy is: "This is best practices, so we are going to do it." Few security consultants can give you the real reason for the policy, although many will refer to recent examples of passwords being stolen and tell you that you need to change a password often just in case someone does steal the password. The danger today is not that the person stealing your password will use it, but that they will sell it to someone else. On the one hand, that does give you a little time to change your password, but on the other hand, some people may feel that since their account was not cracked right away that their accounts are still safe.
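The post above turns on one check a defender can still run today: are any password hashes sitting in the world-readable passwd file rather than in the shadow file, and is the shadow file itself readable by everyone? The following is an added example (not code from the post or from any UNIX distribution); the sample passwd records are constructed and the hash strings in them are placeholders, not real hashes.

```python
"""Audit passwd-format records for password hashes left in the world-readable
file and identify the crypt(3) scheme of any hash found."""
import os
import stat

# Constructed sample in /etc/passwd format (name:pw:uid:gid:gecos:home:shell).
# "x" and "*" in the second field mean the hash lives elsewhere or login is disabled.
# The $6$ / $1$ strings are placeholders shaped like real hashes, not actual hashes.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:$6$saltsalt$PLACEHOLDERHASH:1000:1000:Alice:/home/alice:/bin/bash
bob:$1$abcdefgh$PLACEHOLDERHASH:1001:1001:Bob:/home/bob:/bin/sh
guest:x:1002:1002:Guest:/home/guest:/bin/sh
"""

# crypt(3) scheme identifiers; anything not in this map is reported as unknown.
HASH_SCHEMES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}


def classify_hash(field: str) -> str:
    """Return the scheme name for a crypt-style hash; a 13-character field with
    no '$' prefix is the traditional DES crypt that early UNIX used."""
    for prefix, name in HASH_SCHEMES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and not field.startswith("$"):
        return "des"
    return "unknown"


def find_exposed_hashes(passwd_text: str) -> list:
    """Return (username, scheme) for every record whose hash sits in the passwd
    file itself rather than being shadowed ('x') or disabled ('*', '!', empty)."""
    exposed = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, pw = fields[0], fields[1]
        if pw in ("x", "*", "!", "!!", ""):
            continue
        exposed.append((user, classify_hash(pw)))
    return exposed


def world_readable_mode(mode: int) -> bool:
    """True if a st_mode value grants read permission to 'other'."""
    return bool(mode & stat.S_IROTH)


def is_world_readable(path: str) -> bool:
    """True if the file at path is readable by everyone; /etc/shadow should never be."""
    return world_readable_mode(os.stat(path).st_mode)


if __name__ == "__main__":
    for user, scheme in find_exposed_hashes(SAMPLE_PASSWD):
        print(f"{user}: hash ({scheme}) is in the world-readable passwd file")
    if os.path.exists("/etc/shadow"):
        print("/etc/shadow world-readable:", is_world_readable("/etc/shadow"))
```

Run it as-is against the constructed sample to see the two exposed accounts, or pass the contents of a real passwd file to `find_exposed_hashes` on a system you administer; the scheme name tells you how much slower an offline attack against a copied hash would be than against the DES hashes the post describes.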
Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
I am celebrating this day by changing my passwords from 'password' to 'password1'.
Awesome :O 12345 is also my luggage password!
http://youtu.be/a6iW-8xPw3k
it was on February 1st, all you observers of May 7th are just a bunch of loser wannabe poser copycats
http://gizmodo.com/tag/change-...
passphrases.
Because (ignore quotes) "bob is a dork and i hate my job" is largely easier to remember and more powerful than, "Tr0ub3c43r#$" [insert obligatory XKCD].
I mean really. If a person makes a passphrase as a full sentence (i.e. spaces, punctuation, capitalization, all the things grammar teachers teach), then that will give some part of school you likely never cared about some meaning in your life, and it would make your passphrases much more secure and easier to remember (i.e. it tells you a lot about your passphrase already).
Although the most annoying part (as always) is typos.
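The argument running through this post and the earlier ones about "P@sSw0rd"-style mangling is a guess-space argument: a dictionary word with predictable substitutions is enumerated as dictionary-times-variants, not as raw characters, while words drawn at random from a list add bits per word. Here is an added example (not code from the thread) that puts numbers on that with explicit, labelled model assumptions: a 95-symbol printable charset, a 100,000-word dictionary with about 1,024 mangling variants per word, a 7,776-word Diceware-style list, and an illustrative attacker rate of 1e10 guesses per second. Note that a free-form English sentence like the one in the post is not uniformly random, so only random-word phrases are modelled.

```python
"""Compare the guess space (in bits) of common password schemes and the time an
offline attacker would need to exhaust each under a stated guess rate."""
import math


def bits_random(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(charset_size)."""
    return length * math.log2(charset_size)


def bits_mangled_word(dictionary_size: int, mangling_variants: int) -> float:
    """A dictionary word plus predictable mangling (capitalise, l33t, digits, symbol).
    The attacker enumerates dictionary x variants, not the raw character space."""
    return math.log2(dictionary_size * mangling_variants)


def bits_wordlist_phrase(wordlist_size: int, words: int) -> float:
    """Words chosen uniformly from a wordlist (Diceware-style): words * log2(list size)."""
    return words * math.log2(wordlist_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years to try every candidate in a space of 2**bits at the given rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


# Constructed assumption: a fast offline attack against a weak, unsalted hash.
ASSUMED_RATE = 1e10


def compare_schemes(rate: float = ASSUMED_RATE) -> dict:
    """Map scheme name -> (bits rounded to 0.1, years to exhaust at `rate`)."""
    schemes = {
        # 8 characters drawn uniformly from ~95 printable ASCII symbols
        "random 8-char, 95 symbols": bits_random(95, 8),
        # 'M0mspaJAMas22!2' style: 100k-word dictionary, ~2**10 mangling variants
        "dictionary word + mangling": bits_mangled_word(100_000, 1024),
        # 4 and 6 words from a 7776-word Diceware list
        "4 random words (7776 list)": bits_wordlist_phrase(7776, 4),
        "6 random words (7776 list)": bits_wordlist_phrase(7776, 6),
    }
    return {name: (round(b, 1), years_to_exhaust(b, rate)) for name, b in schemes.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare_schemes().items():
        print(f"{name:30s} {bits:6.1f} bits  {years:12.6f} years at {ASSUMED_RATE:.0e}/s")
```

The mangled-word scheme comes out below 27 bits despite satisfying every composition rule, while four random words from a small list already match a fully random 8-character password; six words push an exhaustive search from minutes to decades even at the assumed rate.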
That way, when I forget it, the software/site will come back and tell me "Your password is incorrect', so I don't have to remember it at all.
"The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
The prevalence of the passwords requiring uppercase, lowercase, punctuation etc is ridiculous as more and more sites and servers I use are requiring it.
I'm going to make an assumption here and I bet I'm right. (I have NO idea!)
The VAST majority of security breaches are due to poorly patched software / bugs / social engineering / angry staff etc.
I'd wager very very few password hacks are due to people having the password
"momspajamas2212" instead of "M0mspaJAMas22!2"
I will say I'm finding the only way to still remember my passwords on sites now is to start using pattern based passwords, example "$RFV%TGB4rfv5tgb" (try typing that) - it's not ideal but I can remember the bastard thing. (I hope this helps someone else out, I gave it out to someone recently and they adopted something similar pretty much instantly and yes, I know you could add patterns to the dictionary)
My favorite incident of what I call "security by handwaving" was my bank changing the wording on their site from password to passphrase, but they rejected the space character and limited the "passphrase" to 16 characters.
So what if this is a ruse to get people to change passwords on the one day that security exploits are in place to capture the new passwords? Buck the trend and change them some other day or not at all.
If you look at those who have analyzed cracked databases to see what passwords people actually used, you'll find that people get hacked because they're using passwords like "password", "123456", "monkey", and so on.
Honestly, I've found that a password manager is really the only sane way to use cryptographically secure (and completely different) passwords on every site without worrying about losing those passwords. I use Lastpass, since it syncs between machines automatically and has a plugin which automatically fills in the username and password for you, and will detect when you change existing passwords or create new ones. There are a bunch of other good ones too if you don't like the idea of your encrypted password database being store online (note: it's encrypted locally, so Lastpass never sees anything but a binary blob).
Irony: Agile development has too much inertia to be abandoned now.
Why cannot we force all websites and services to comply with a common password complexity rule? There is a wide variation in the rules that phone companies, banks, utilities and various online services enforce when I create passwords. As a consequence, it becomes difficult to decide on a password-generating algorithm to create and remember passwords across these websites/services. So, coming back to the question, can we not have a standard password complexity rule which every website/service has to stick to? Instead of those irritating, little info boxes near the password field listing different passwords rules for different websites, we could have a URL pointing to the standard password rules which in turn would be maintained by an independent organisation. Obligatory: https://xkcd.com/927/
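The "one standard rule" the post asks for exists in outline form: NIST SP 800-63B tells verifiers to enforce a minimum length, allow at least 64 characters including spaces and Unicode, impose no composition rules, and reject passwords found in compromised-password lists. The validator below is an added example (not the post's code and not an official implementation of 800-63B); the compromised-password set is a constructed stand-in for a real breach corpus, and the 128-character maximum is an assumed deployment choice above the 64 the guideline requires.

```python
"""A single password-acceptance rule modelled on NIST SP 800-63B: length bounds,
spaces and Unicode allowed, no character-class requirements, blocklist check."""
import unicodedata

MIN_LEN = 8
MAX_LEN = 128  # assumed; 800-63B says verifiers should allow at least 64

# Constructed stand-in; a deployment would consult a large breached-password corpus.
COMPROMISED = {"password", "password1", "123456", "monkey", "correcthorsebatterystaple"}


def normalize(pw: str) -> str:
    """NFKC-normalise so visually identical Unicode input compares equal
    (800-63B recommends Unicode normalisation before hashing or checking)."""
    return unicodedata.normalize("NFKC", pw)


def check_password(pw: str, username: str = "") -> list:
    """Return the reasons a password is rejected; an empty list means it is accepted.
    Deliberately absent: any rule about uppercase, digits or symbols."""
    pw = normalize(pw)
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than {MAX_LEN} characters")
    if pw.lower() in COMPROMISED:
        reasons.append("appears in a compromised-password list")
    if username and username.lower() in pw.lower():
        reasons.append("contains the username")
    if pw and len(set(pw)) == 1:
        reasons.append("single repeated character")
    return reasons


if __name__ == "__main__":
    for candidate in ["bob is a dork and i hate my job", "Password1", "aaaaaaaa", "short"]:
        verdict = check_password(candidate, username="bob") or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

With this rule the bank's rejected "passphrase with a space" from a few posts up is accepted, "momspajamas2212" is accepted without the forced "M0mspaJAMas22!2" mangling, and "Password1" is refused because the check is against a breach list, not because it lacks a symbol.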
correct1horse!batteryAstaple is a damn great password. It's so good I even use it myself!
Changing my password today is exactly what the crackers would expect me to do. But I'm going to confuse them by using the same password I've been using for more than a decade.
Does that mean today is World "I Forgot My Password" day?
passwordday.org = password mine?
User: "Here, let me give you my password to check its strength."
user@passwordday.org:~$ 247181bd0bc7$*d8420c_!05ab#!3c97ebfa9b
Server: "BEST. You found a password that is bombproof! Now pick another one."
User: "Gahhhh!"
it's one-thousand-two-hundred and thirty... oh wait.