It's World Password Day: Change Your Passwords
An anonymous reader writes "Today is World Password Day — a day dedicated to promoting the use of strong passwords and the creation of good habits. However insecure this method of authentication is, it's not going away anytime soon, and people should be educated on how to make the best of it. To that end, last year Intel started an action-oriented campaign to raise user awareness regarding password problems, and this year their initiative has a new digital home. Passwordday.org provides the Password Blaster (a videogame that teaches good passwords using real leaked passwords), the Password Strength Meter and links to McAfee's Heartbleed Test tool, and offers animated educational GIFs and tips and tricks for upgrading your passwords."
Please.
Ludden was the best.
IT Workers rejoice!!
You're doing it wrong. It's supposed to be something like Hj1pAab5!z21i0lO&sa8q0, on a sticky note attached to the machine.
Let's celebrate with 8-16 characters that must include at least one capital, one number, and one symbol but not repeat any character more than twice. Ahh screw it, why don't we celebrate World Write Down Your Password On A Post-It Note Day?
Yes it's an anecdote! Were you expecting original research in a Slashdot comment?
worldp@sswordday14
That way you can remember it until next year!
I've used passphrases from passwdqc for quite some time. They're just as complex and a whole lot easier to remember. The downside being many websites still restrict users to 8 or 10 character passwords, whereas phrases can easily consume 17 or more characters.
Good people go to bed earlier.
My bank assigned me the random PIN of "1234" for my debit card. One of my student loan websites (Citibank) ignored anything past the 8th character of your password anyway. One of my old credit unions had a six character password limit, alphanumeric only. Financial institutions are a little behind the times.
12345...7
Password.2014
Upper case, lower case, symbol, digit, more than 12 chars. Check!
"National Security is the chief cause of national insecurity." - Celine's First Law
If you MacGyver the executive secretary's desk drawer, you will find the passwords to all the C*Os of the company on sticky notes, as well.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
I don't want to know how those notes got sticky.
I thought that regularly changing one's password was unnecessary: https://www.schneier.com/blog/archives/2010/11/changing_passwo.html. I thought that it needs to be changed if found to be hacked, but otherwise, as long as it's strong, there's no need to change it. So while promoting good password habits is a good idea, I'm not sure that "annually change all your passwords on the same day every year so that any eavesdropper/keylogger can look for possible password change activity on one day" is one of them.
Indeed, and I've never understood the advice to change your password frequently. The only thing that would help against is if someone has already compromised your account and has been lying low (rather than what they usually do, which is clean it out ASAP). However, changing passwords constantly highly encourages you to use less and less powerful passwords, as you can't remember them all the time, meaning you're that much more likely to get that initial compromise.
I don't want to know how those notes got sticky.
She is a big fan of McGuyver.
I'm a good cook. I'm a fantastic eater. - Steven Brust
That way, when I forget it, the software/site will come back and tell me "Your password is incorrect", so I don't have to remember it at all.
"The greatest lesson in life is to know that even fools are right sometimes" - Winston Churchill
Those passwords suck, and I hate you for even suggesting them.
Better idea, simple passwords. "Pencil".
Then lock the account after a reasonable number of attempts - like 50. How many tries to brute force a single word password? More than 50.
Yikes, that's horrible, horrible advice.
You need to stay away far, far from single dictionary word passwords. If the hashed password database is compromised, you need a password that will at least withstand a basic dictionary attack, since obviously it's beyond locking because of failed attempts at that point. If there's any significant amount of time between when the breach occurs and when it's discovered, your only defense is a password long and complex enough to withstand any brute-force attempt within a reasonable period of time.
Incidentally, if everyone took your advice (and many seem to, unfortunately), a significant number of people would still get hacked just because the bad guys happened to guess the correct dictionary word they used. All they have to do is try the first 50 most used words and phrases for every account, and with millions of users, they're bound to guess a few thousand correctly.
My advice: install LastPass or some other password manager, and then have it generate absolutely random noise passwords - you can even set parameters for sites that don't allow symbols or have length restrictions, etc. Those are automatically filled in when you visit the site. Either your browser will remember them in its password manager, or a plugin, like the one LastPass uses, will fill them in for you. There's very little reason for a typical user to change a password when it's randomly generated gibberish.
Irony: Agile development has too much inertia to be abandoned now.
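A worked illustration of the argument in the comment above (added here as an example; it is not code from the Slashdot thread or from any poster). It simulates a leaked table of salted password hashes in which some accounts use a single common word and the rest use manager-generated random passwords, then runs the same short wordlist against it twice: once offline with no guess limit, as an attacker holding the dumped hashes would, and once capped at five guesses per account to model an online attacker staying under a lockout threshold. The wordlist, usernames, account mix and PBKDF2 iteration count are all constructed for the demo and are not real data.

```python
import hashlib
import secrets
import string

# Constructed stand-in for a "most common passwords" list (hypothetical, for illustration).
COMMON_WORDS = ["password", "pencil", "letmein", "monkey", "dragon",
                "sunshine", "football", "qwerty", "welcome", "shadow"]


def hash_password(password: str, salt: bytes, iterations: int = 200) -> bytes:
    """Salted PBKDF2-HMAC-SHA256. The salt defeats precomputed tables, not per-user
    guessing. The iteration count is kept low only so the demo runs quickly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_leaked_table(passwords):
    """Simulate the breached credential table: username -> (salt, hash)."""
    table = {}
    for i, pw in enumerate(passwords):
        salt = secrets.token_bytes(16)
        table[f"user{i}"] = (salt, hash_password(pw, salt))
    return table


def dictionary_attack(table, wordlist, max_attempts=None):
    """Try wordlist entries against every account. With max_attempts=None this is
    the offline case: the attacker holds the hashes, so account lockout never
    applies. A small max_attempts models an online attacker who stops just below
    the lockout threshold but still tries the most common words first."""
    guesses = wordlist if max_attempts is None else wordlist[:max_attempts]
    cracked = {}
    for user, (salt, digest) in table.items():
        for word in guesses:
            if hash_password(word, salt) == digest:
                cracked[user] = word
                break
    return cracked


def generate_password(length=20, symbols=True):
    """Password-manager style random password, with knobs for sites that forbid
    symbols or cap the length. Uses the OS CSPRNG via secrets, never random."""
    alphabet = string.ascii_letters + string.digits
    if symbols:
        alphabet += "!@#$%^&*()-_=+"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space(length, alphabet_size):
    """Worst-case number of guesses needed to exhaust a uniformly random password."""
    return alphabet_size ** length


def demo(n_word_users=300, n_random_users=200):
    """Constructed account mix: n_word_users pick one common word each (cycling
    through the list); n_random_users use a 16-char generated password with no
    symbols. Returns how many accounts fall to the offline attack, to an online
    attack limited to 5 guesses, and how many random passwords fall at all."""
    passwords = [COMMON_WORDS[i % len(COMMON_WORDS)] for i in range(n_word_users)]
    passwords += [generate_password(16, symbols=False) for _ in range(n_random_users)]
    table = build_leaked_table(passwords)
    offline = dictionary_attack(table, COMMON_WORDS)
    online_5 = dictionary_attack(table, COMMON_WORDS, max_attempts=5)
    return {
        "accounts": len(table),
        "cracked_offline": len(offline),
        "cracked_online_5_guesses": len(online_5),
        "random_passwords_cracked": sum(1 for u in offline if int(u[4:]) >= n_word_users),
    }


if __name__ == "__main__":
    print(demo())
    print(f"62^8 = {search_space(8, 62):.2e} guesses; 62^16 = {search_space(16, 62):.2e}")
```

Every single-word account falls to the offline pass, and half of them fall even to the five-guess online pass, because the word is near the top of the list; a lockout counter only limits how many words get tried per account, not how many accounts get hit with the same few words. None of the generated passwords are recovered, and the search_space figures show why a brute-force pass over a 16-character alphanumeric password is out of reach while an 8-character one is not.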