Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say
An anonymous reader tipped us to news that Microsoft researchers have determined that reuse of the same password for low security services is safer than generating a unique password for each service. Quoting El Reg: Redmond researchers Dinei Florencio and Cormac Herley, together with Paul C. van Oorschot of Carleton University, Canada ... argue that password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes chosen for important sites. Users should therefore slap the same simple passwords across free websites that don't hold important information and save the tough and unique ones for banking websites and other repositories of high-value information. "The rapid decline of [password complexity as recall difficulty] increases suggests that, far from being unallowable, password re-use is a necessary and sensible tool in managing a portfolio," the trio wrote. "Re-use appears unavoidable if [complexity] must remain above some minimum and effort below some maximum."
Not only do they recommend reusing passwords, but reusing bad passwords for low-risk sites to minimize recall difficulty.
My intuition says that most people do this. Though, I could be wrong.
That is just so stupid. Use a password-keeper and use strong passwords everywhere. Then you only need (1) physical access to your password keeper and (2) to remember one strong passphrase.
Using a password manager with one strong master password + randomly-generated passwords unique to each website is better.
That said, the linked paper is long and math-heavy, so I rate it likely the submitter (and the "editor") misunderstood something.
Hail Eris, full of mischief...
E pluribus sanguinem
Or just use a password manager and you can have unique high entropy passwords for every single site and service without taxing your brain.
Portable versions of Firefox, GIMP, LibreOffice, etc
Nothing more needs to be said.
Better to use the same crappy password for web sites that do involve real financial risk.
Of course, if you use that same password for a bank account, or anything that knows a credit card number, SS#, or similar information, you need to have your head examined.
excitingthingstodo.blogspot.com
I have a password, six letters, all lowercase, available in the dictionary, that I use for websites that I care just enough to register my distinct presence on. It matters little to me if this password gets compromised as I use far more secure passwords for the accounts that actually matter, but the password is just secure enough so that I can get where I want to go without having to crack open a password manager.
In other news, researchers in Europe have discovered there is more risk to your data when taking password advice from MS than ever before.
Just bad, every site has different rules, at least one I use restricts the length to something daft like 10 chars. They should at minimum print the requirements (must have uppercase, digits etc) next to the password box, because as soon as I get into the reset-password screen for the umpteenth time and read those requirements I remember which password I used on that site.
Doesn't change the fact that requiring users to somehow remember or securely store a bunch of random gibberish to do anything on any website is just a bad system. Don't blame the users for using post it notes or things like password123 when the SYSTEM is dumb.
If you don't risk failure you don't risk success.
The advocacy for Password Managers and Password Keepers is just utter BS. If some nothing website insists that I have to make an account just to post one little comment, and I might come back 5 years later to post again then they're getting generic username plus generic password. I'm not wasting my time making some uber powerful password, and utilizing something just to remember it. Even then the OpenID solution would have been great but every once in a while I'm presented with the option of logging in with my Google ID and giving some organization full access to my contact list, or full access to my google drive. Screw them, and I'll just create a generic account just for their site through their old interface just so they can't read my contacts or documents. If they're so worried that people are using BS passwords on their site that spammers keep hacking to post then maybe they should accept better business practices.
So re-use low complexity passwords for unimportant sites and use high-complexity unique passwords for important sites.
Got it. Low for my bank account, high for World of Warcraft.
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
That's nice. Now, I no longer need to remember "12345" for Slashdot - I can go back to just using "pass".
I apply ROT-13 encryption on my passwords TWICE, and write down the resulting string in a post it note and paste it to the *underside* of the keyboard. Ha, ha, I am really safe. I can use this technique on all the sites, high value... low value... no value... INBD.
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
I've always done this. I have one short, low-entropy password which I use on ALL low-risk web sites. For example, it's the one I use on slashdot. I don't really care if anyone gets in and starts posting stuff as me. In fact it might be a good thing, since it would give me some plausible deniability for the stupid things I sometimes say :-)
For important sites (e.g. financial), I use long, randomly-generated passwords and manage them in a password manager, which itself is protected with a very strong password. But for everything else, that's too much effort and serves no purpose. And for my "crown jewels" account -- my e-mail account, which if hacked would provide the intruder with the ability to reset most all of my other passwords -- I use a strong password and have two-factor authentication enabled.
Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
This is why it is infuriating when low importance sites require high complexity passwords. They create unnecessary exposure for the limited pool of high complexity passwords I can remember. Meanwhile, the bank will take anything.
Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say
This article has been approved by the NSA!
What this world is coming to - is for you and me to decide.
Microsoft researchers have determined that reuse of the same password for low security services is safer than generating a unique password for each service.
This has to be a fucking joke. It has to be. bmo looks at calendar. Huh, it's not April 1.
And what, exactly, is a "low security service?" The only "low security service" I can possibly think of is stuff like Mailinator where you don't even use a password.
Remember when the entire Youporn chat login credentials file was leaked? You know, the one with real names, aliases, emails, and passwords in cleartext? Remember? Nearly every single password was usable on Facebook and the same password was reused in email.
People had fun with that. I was in /g/ when it happened. I laughed at the results.
Yahoo lost control of my fucking credentials twice showing logins from Romania and Sweden. I no longer use Yahoo Mail as a result, except as a throw-away, and the last time pushed me over the edge into using a password manager that holds -unique to every site- passwords that I can't even remember myself at 25 characters of complete ASCII gibberish. And you know what? It's easier on top of being more secure.
Lose control over your login credentials at one place, and the rest is vulnerable if you recycle them elsewhere. Password re-use over multiple sites is fucking bad. Anecdotes aren't data but I don't care about your calculations because my reality trumps your poorly researched paper.
--
BMO
Just forget the username and passwords to most sites and have it reset so often it becomes par for the course.
I forgot the slashdot password and can't be bothered to log in.. Forgetting loads of shit is the brain's old-age way of dealing with crap.
- ciderbrew.
One major issue I can see with this is the sheer number of websites that have arbitrary password restrictions: capitals, special characters, numbers, etc. The worst ones are those that require multiples of each, so that there is no way you can make something easy to remember - and then expect you to come up with another password in two weeks.
Until website operators realize that putting arbitrary restrictions on passwords doesn't help them to be any more memorable (and likely not any more secure), I can't see this method working.
Using weak passwords for cases when a password at all is unnecessary should be the norm as a defense against phishing, even by a company you presently trust. Mandatory complexity increases are probably being used already to undermine password variety. When a password has to be one thing different each time (another capital letter, another numeral, another punctuation mark) a service of dubious character could very quickly spot patterns that could be used improperly.
Inheritance is the sincerest form of nepotism.
For most websites, I really don't care. Here I use a dictionary word. If someone logs into my /. account the limit to the damage they can do is to pretend to be me. Hell, with this one they don't even get a valid email address.
My bank accounts and email address each have their own password based on out of date information that inexplicably stays in my memory.
I actually use a different password for facebook, not because I'm particularly concerned about someone hacking into that. More because I don't trust facebook with the password I use for everything else.
A great way to remember your passwords is to use them often. The more the better.
What kills me is that different sites have different password restrictions, which infuriates me. Some force you to use "special characters", others forbid it. Some force you to use a combination of letters and numbers, and many force you to use at least one uppercase letter and one lowercase letter. Some even restrict how long your password can be!!!!
This wreaks havoc with my high-entropy passwords that now become useless or need to be altered, as in capitalizing a letter that I totally forget about later...
My weak passwords aren't actually weak but they're relatively simple, I use them for forums etc, my email has a STRONG password because it's the keys to the kingdom of all my accounts, and if I used online banking that would have a strong password as well.
Something that helps to make a simple password unique and stronger yet memorable is to come up with a way to mix in something from each site. For example you could postfix them with the dominant color on the site, for Slashdot that would be green.
"When information is power, privacy is freedom" - Jah-Wren Ryel
The problem is that once you allow a hacker to penetrate a low value service it could give a hacker the threads needed to start unravelling through social hacking.
If I were some kind of hacker (don't have the time) it would be through the least secure systems and social hacking that I would start. I personally would think that attacking a core server that is most likely locked down solidly and is sat on by an army of paranoid administrators. I would much prefer if someone simply gave me the keys to the system.
Basically the two main hacks that I read about are either the above, or poorly maintained/secured systems with things like default passwords etc.
For instance I have seen security checks where the admins will send a crude Phishing message to users that even include a warning about phishing attacks and the users proceed to send the data that the admins were phishing for.
So the above Microsoft advice might look good on a spreadsheet but in reality it is plaintext stupid.
that it's trivially easy to create an easy to remember hard password.
Example:
First girlfriend was Sally Mendoza
You lived on 123 Main st
naiM321azodneM_yllaS_A
the A is for rotation.
There are may patterns you could use.
Use the first line of a poem and the birth year of your mom.
In_Xanadu_did_Kubla_Khan_44
or do it backwards.
even
P4ssw0rds_wh0s3_g0t_t1me_f0r_that
The Kruger Dunning explains most post on
A throwaway password tier is something that legitimately increases the casual's security against the obvious (http://xkcd.com/792/) and might actually catch on. Something like "grandma1!" is perfectly fine if she leaves it down at the facetweets and socnets while using something different (hopefully stronger) for her bank account.
But hey, if you think soccer moms and surfers are just as likely to indulge a "Sandbox-contained PW manager in a secure virtual OS" tutorial as the five seconds it takes to tell them "Hey, use a special password for those super important sites, 'kay?" then knock yourself out.
Good luck fitting it on a billboard, though.
Social whatever: I get in, I don't get in; I don't give a shit. My bank accounts? whole different story.
The problem with crazily-complex passwords is that if you can't remember them you write them down, and, at a stroke, have compromised security. One of the worst I've encountered is the U.S. Customs eAPIS web site, for sending advance information when you want to fly a private plane or sail a private boat to the U.S.
The other issue is that you risk locking out legitimate access.
My bank does the password plus security question thing. My security questions (you can make up your own) are more than a little interesting. :-)
...laura
You don't want the same password across multiple sites in case one of them turns into a not-so-low-risk site later.
But you can "mix and match."
Your "throwaway" password can be your 1st nephew's name and the "variable part" could be the first 3 letters of the web site's name.
So if you have "throwaway" MySpace, Google, and Yahoo accounts and your 1st nephew's name is George, the passwords could be MySGeorge, GooGeorge, and YahGeorge respectively.
Apologies in advance to George's uncle - he'll have to pick a different throwaway password now.
> And what, exactly, is a "low security service?"
Slashdot gets my low-security password. If someone gets my Slashdot password and posts as me, I don't much care. I REUSE the same low-security password on Yelp, so if you hack Slashdot, you can post a restaurant review with my name. Whoop-tee-doo.
It's very easy.
I use lines of poetry or songs.
An example of something I might do would be to take this line:
To be or not to be, that is the question.
And I turn that into this:
2bon2btitQ
Anything that could be phonetically interpreted as a number is written as a number. All words are lower case except nouns.
Therefore, all I have to do to remember that password, is to remember "to be or not to be, that is the question" and I remember that password.
Another one might be
"Mary had a little lamb whose fleece was white as snow"
which is:
MhalLwFwwaS
The rules you use are half the password. And they're very easy to remember and you don't have to change them... ever. You can make them up once and then use the same rules your whole life.
Then you just remember different quotes, song lyrics, etc and you have your password.
If you need special characters in your password then you just come up with rules such as & = and etc.
You can even write these rules down.
Lets say a thief gets your rules cheat sheet.
And it says stuff like "every first letter, nouns capitalized, any word that could be phonetically interpreted as a number is written as a number, etc"... what is he going to do with that?
It's useless without knowing the text string it's based on.
Mnemonics are awesome. Use them. You can make really nasty passwords that you can change all the time and never forget.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
I just reuse the same password for all free sites, but add a site specific salt that's the first few letters of the site.
For example, here the password would be sla45%tq!, and on dice it'd be dic45%tq!
So it's a unique password, and I just need to remember one complex bit (%tq!). If I need to change the password then the 45 becomes a 46, etc.
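The site-prefix scheme above, like the "MySGeorge" / "GooGeorge" and site-colour-suffix variants earlier in the thread, leaks its shared secret the moment one site's password is exposed in cleartext. The following is an added example, not the poster's code: it reproduces the naive scheme and the one-step recovery an attacker performs, then shows a keyed derivation in the style of the deterministic password generators mentioned elsewhere in the thread (PBKDF2-stretched master password, then one HMAC per site). The master password, the salt label, the iteration count and the site names are constructed values; the counter argument generalises the poster's "45 becomes 46" rotation trick to the keyed scheme.

```python
import base64
import hashlib
import hmac

# From the post: "sla45%tq!" on slashdot, "dic45%tq!" on dice.
SHARED_PART = "45%tq!"


def naive_site_password(site: str) -> str:
    """The poster's scheme: first three letters of the site name plus a fixed secret part."""
    return site[:3].lower() + SHARED_PART


def attacker_derives(leaked_password: str, leaked_site: str, target_site: str) -> str:
    """What a credential-stuffing attacker does with one leaked (site, password) pair:
    strip the visible site prefix and re-attach the target's prefix. No secret needed."""
    prefix = leaked_site[:3].lower()
    if not leaked_password.startswith(prefix):
        raise ValueError("leaked password does not follow the prefix pattern")
    secret_part = leaked_password[len(prefix):]
    return target_site[:3].lower() + secret_part


def master_key(master_password: str, iterations: int = 200_000) -> bytes:
    """Stretch the single memorised master password once with PBKDF2-HMAC-SHA256.
    The salt label is an assumed constant; it only needs to be fixed for this scheme."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), b"site-pw-derivation-v1", iterations
    )


def derived_site_password(key: bytes, site: str, counter: int = 0, length: int = 16) -> str:
    """Keyed per-site derivation: HMAC(key, site || counter), base64url, truncated.
    A leaked output reveals nothing about the key or about other sites' outputs;
    rotating one site means bumping its counter, not editing a shared secret."""
    msg = f"{site.lower()}:{counter}".encode()
    mac = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")[:length]


if __name__ == "__main__":
    leaked = naive_site_password("slashdot")
    print("dice password recovered from a slashdot leak:",
          attacker_derives(leaked, "slashdot", "dice"))
    key = master_key("correct horse battery staple")  # constructed master password
    for site in ("slashdot", "dice"):
        print(site, derived_site_password(key, site), derived_site_password(key, site, counter=1))
```

The keyed version fixes the cross-site leak but keeps the other trade-offs raised in the thread: everything still rests on one master password, the output charset may not satisfy a given site's composition rules, and there is no way to change a single site's password except by remembering which counter it is on.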
password reuse on low risk websites is necessary in order for users to be able to remember unique and high entropy codes
Really? Wow, you had to do a study to "prove" what any dingbat(including myself) has known for years, using that rarefied skill called "Common Sense".
We play the game with the bravery of being out of range
I have a few different passwords that meet the various complexity requirements often set out which I use on most low value sites, then for the higher value sites I combine many of my passwords into one very long password with the addition of one special bit I only put in the high value locations.
It may not be for everyone, and it probably will get flamed here I'm sure, but it allows me to keep track of only a few simpler ones, and memorizing the much more complex passwords is simplified.
I have performed this strategy, and it is a seemingly good strategy if you don't have a password manager. The real issue is that you can use a service that is not deemed to have sensitive data. Later, if you should store sensitive data on that service, you have to change the password to be stronger. People are lazy. They don't do that, and they end up potentially exposing data due to their previously chosen weak password.
Cue the endless prompts I have seen from various web sites telling me to "Please enter a new password". Here are some examples:
Your password must be between eight and sixteen characters.
Your password must contain at least one lower case letter, one upper case letter, one number, and one special character (#, @, or $).
Your password cannot start or end with a number.
Your password contains an invalid character.
You cannot reuse any of your last 24 passwords.
This becomes an even more entertaining game when the web site only tells you the first rule that you have broken.
It very quickly becomes non-trivially difficult to create an easy to remember hard password.
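The five rules quoted above are a complete enough policy to implement, and the post's complaint that sites report only the first broken rule is a usability bug rather than a security feature. The following is an added example, not code from the poster or from any of the sites being quoted: a checker that evaluates all of the rules and returns every violation at once. The allowed character set (letters, digits and the three listed specials) and the salted PBKDF2 record format for the 24-password history are assumptions; the sample passwords are constructed.

```python
import hashlib
import hmac
import os
import re

# Assumption: anything outside letters, digits and the three listed specials is an "invalid character".
ALLOWED = re.compile(r"^[A-Za-z0-9#@$]*$")
SPECIALS = set("#@$")
HISTORY_DEPTH = 24


def history_entry(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2 record for the password-history list (assumed storage format).
    Storing history as salted hashes means old passwords are not kept in cleartext."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def check_policy(password: str, history=()) -> list:
    """Return every broken rule, in policy order, instead of stopping at the first one."""
    violations = []
    if not 8 <= len(password) <= 16:
        violations.append("length: must be between eight and sixteen characters")
    if not any(c.islower() for c in password):
        violations.append("composition: needs a lower case letter")
    if not any(c.isupper() for c in password):
        violations.append("composition: needs an upper case letter")
    if not any(c.isdigit() for c in password):
        violations.append("composition: needs a number")
    if not any(c in SPECIALS for c in password):
        violations.append("composition: needs one of # @ $")
    if password and (password[0].isdigit() or password[-1].isdigit()):
        violations.append("position: cannot start or end with a number")
    if not ALLOWED.match(password):
        violations.append("charset: contains an invalid character")
    # Only the most recent HISTORY_DEPTH entries count; compare in constant time.
    for salt, digest in list(history)[-HISTORY_DEPTH:]:
        if hmac.compare_digest(history_entry(password, salt)[1], digest):
            violations.append("history: cannot reuse any of your last 24 passwords")
            break
    return violations


if __name__ == "__main__":
    previous = [history_entry("Passw0rd$")]  # constructed history of one old password
    for candidate in ("Passw0rd$", "1abc", "correct horse battery staple"):
        print(repr(candidate), check_policy(candidate, previous) or ["ok"])
```

Running it on a four-word passphrase shows the point made later in the thread about length caps: "correct horse battery staple" fails this policy on length and charset before composition is even considered, so the sixteen-character ceiling is what rules out memorable sentence passwords.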
It amazes me to no end that banking sites and similar don't require a dedicated token device that is synced with the server to gain access to the sensitive information. The same goes (and particularly so) for credit card numbers. There is no good reason merchants should be liable for unauthorized chargebacks when it would be simple enough to re-design the system to be bullet proof (or near so). A token device which requires a password would make it so (short of a camera and theft of the device). We should all be getting single purpose numbers that are only useful for one charge at a particular round-about amount. That is if I want to purchase a $432 item online the credit card should make me pre-authorize the transaction via a token for the given amount AND ask 'is the merchant allowed to exceed this amount' along with 'if yes, by how much'. Add in wifi and a response to confirm the specific merchant and there isn't even any room for 'I authorized $432, but to merchant x, not merchant y' (this would thwart live interception attacks from spyware/malware). Now, if a merchant's site gets hacked and the design of the system is proper the attacker wouldn't get anything of value short of some insanely sophisticated attack, but even that can be easily thwarted. All it would take is a single merchant or customer calling up about missing funds (in the case another person set up an account with the name of another merchant to receive credit cards and then hacked the site). That type of scenario would be easy to guard against as you're most likely going to have some sort of evaluation of merchants (it's already mandated by law).
Why would anyone need to "remember" anything other than a handful of passphrases? Let computers remember the 99%. That's the point of them.
..and of course It is completely not in any way in Microsoft's (a.k.a. the sock-puppet of the NSA) actual interest for people to read this then use the same password for everything.
I think you're being quite harsh here; this paper is one of a series on the theme of password usability that Cormac has performed over the years. If I had to summarize his research in a sentence, it would be 'Your IT security policies are dumb.'
Previous research from this group looked at password composition policies, came up with a method of modelling entropy, and pointed out that the groups requiring the most entropy from their users were governments and universities, which were stronger on average than bank accounts. The same paper found that advertising was a strong predictor of entropy requirements: firms with ambitious recruitment goals appear to have relaxed their password strength requirements. The paper suggests that there are other methods of assuring security than simply passwords; if you've used a bank online you may well know them: registering computer IP addresses, using pictures and phrases to authenticate the website, scanning for probable fraudulent transactions, etc.
This paper, then, is an investigation of a common IT security policy ('Never reuse passwords') and its implications. The differential equations you mention in a later comment may prove useful in quantifying other alternatives (and extending the model to model their unique downsides). Alternatives like password managers. The paper in question is already sixteen pages long, but perhaps you can offer your help on a followup analyzing the benefits and pitfalls of password managers.
or maybe PASSWORD
-----
Sorry, I'm only a 1336 h4x0r.
I have passwords for hundreds of services.
You must be joking about memorization. I have three memorized.
Basically if there's no personal or financial information I'll use a low security password. Hasn't caused any problems yet, and I find it easy to remember passwords for forums this way.
Selectively Reusing Bad Passwords Is Not a Bad Idea, Researchers Say
It's the last thing hackers will expect!
systemd is Roko's Basilisk.
The basic problem is that passwords are obsolete. The average person's ability to remember a password has been exceeded by the computational capacity of modern computers / gpu's. It's time to move on to some new authentication technology.
I personally use tiered passwords. Some forum or random website gets my low level password. Something vaguely important like a prominent tech support forum account gets a higher level password. Web servers and those sorts of logins get unique passwords each to avoid mass hacking. Banking passwords get my top tier password. Encrypted archives get my even more top tier and excessively long password. That last one doesn't even have to be good, it just has to be long. Llamasllamasllamas!123 is actually a very good password.
I just checked, it turns out that Slashdot and Yelp have different password requirements. My yelp password is alittlebitofspinach. Have fun reviewing places! Good thing I don't live in France.
Agreed what this paper says is a really bad idea, but the bigger question is why do you need to protect your low value digital assets with equivalent security to your high value ones with strong unique passwords.
The reason is, as is mentioned, you will have many more low value assets with apparently insignificant information stores than the few that store critical information. So that if say you reuse a weak password on all these low value sites a single break in any of them will potentially give an attacker access to all of the rest, as it is known that once an attacker gets a username/email and a password (reversed from a weak hash) say they will try that username/email and password everywhere they can. It thus will be not a single tiny piece of information you risk with this policy but every piece of information on all the sites you risk, and that may well add up to something very saleable to an attacker.
So what do we do?
0/ We cannot go around with many unique strong passwords in our head for fear of leakage and loss of retention.
1/ We could use a password safe, provided we trust the vendors or our skill to write it and not later make what is now a strong keeper weak by software patch.
2/ We could use a high entropy deterministic password generator e.g: https://www.grc.com/offthegrid... if we have the time to work the manual algorithm each time we want a password.
3/ We could do away with almost all passwords by use of Oauth / SiteID etc. Provided we trust a third party in all logins to not track our use.
4/ We could do away with All but one single pass-phrase that would potentially allow us to pseudonymously identify everywhere like SQRL, but that is early days and will need time to be supported.
What I am saying is there is no single solution but many, but for certain the one suggested in the paper is not one of them...
http://xkcd.com/936
I'm reasonably well known, in the computer security field anyway. If you can't find my email address ... well I suppose you're not particularly interested in computer security.
Seriously, as many people here have already pointed out, there is nothing worse than finding that a website won't take your usual password because of some obscure reason. Usually it's either some extremely low risk site where you will only log in once a year which requires your password to be 12 characters long with upper and lower cases, numbers and symbols all in one. Or it will be your bank which requires a 6 letter password but won't take any special characters. We need some sort of ISO or RFC standard which promotes companies to follow a standard requirement/restraint on passwords. As many people have already said in the comments, a sensible system would have your average joe only needing to remember four "levels" of passwords, one for email, one for financial websites, one for sites with personal information and one for throw away/unsafe/log in once websites.
I have about 25 accounts on sites that have things like payment information. About 25% of them have odd password restrictions to the extent where I have no choice but to write them down. Some require a special symbol, some won't allow that, and one requires a 12 character password and nothing else I use will allow that many.
So while I do use the same password for all sites that haven't got any monetary or important personal information (and I've used the same one for 30 years), I have to have 5 other passwords. Since most of the sites also require a unique username and not an email or other username that I could re-use, I also have about 40 user names. So again, have to write it all down.
At some point, I'd like to see the security level of a piece of paper with usernames and passwords written down all over the front and back sitting in a drawer next to the computer vs just being able to use the same username/password on every system without ever changing it. I actually get ticked off when I'm asked for a password without any listed qualifiers, and it's only after I put one in that the site tells me what they will and won't allow. And it's *MY* password. I'd like to pick whatever the hell I want, how long I want, whether I want upper/lower/numbers/special characters in it, etc.
The greatest concern I have is that the company holding the password will lose it. I've had my account info hacked/lost about 100 times over the years. Number of times someone has gotten into an account I own without the password being simply lost by the holder? Zero over 35+ years.
So sick of all these places. "Please enter your password between 8-12." or 8 - 16. F off. We build the most memory inefficient stuff in the world now but can't spare a few more bytes for passwords? Just make 8-64 the default size everywhere. That way we can easily fit sentence passwords that can actually be remembered.
Well it WAS a good idea but now since you've made it public not so much anymore....lol
Jack of all trades,master of none
It depends on needs. Keepass 1 and KeepassX are very popular ones, and good because they use the same database. Also Lastpass. Lastpass is good if you need to use your passwords on different computers.
I used to write passwords on paper, but now I have lost that paper, so not a lot about it. And by the way, on most sites you can recover access with e-mail so there is no real need to keep copies, just ask for new ones.
It seems pretty obvious. If you don't care about people getting into the account, don't waste time remembering a strong password. And then it also doesn't matter if you share that password across other accounts you don't care much about.
On the other hand, most people probably care about most accounts at least a little bit. So don't go overboard with it...
Any site that requires registration to view content, but always keeps registrations free and open to everyone and never prunes dormant users is run by a moron who is careless of the glut in their user database. I don't even see the point in requiring registrations in those cases, other that trying to pad the membership numbers or, maybe, collect user/pass combos to try on other sites.
In these cases, why wouldn't you reuse the same bad credentials? If I have to waste my time creating an account on some forum to download a zip, why wouldn't I spam the fields? I'm partial to usernames like 'asdf' and 'aaaaaaaaaaaaaaaaaaaaa' and passwords like 'password' and 'stupid'. The email associated is also garbage. It's all garbage. But it's still less retarded than -_-XxX_kEwLSnIpErDuDe_QUICKscopEsXx-42-_-
If only I could throw garbage at people in real life to get what I want...
What a coincidence, Tumblr is forcing me to reset my password due to suspicious activity, and I want to use my generic low security password, which has len = 9, and includes both numbers and lower case letters. It's not strong enough for them though, "Please choose a stronger password." Give me a break.
A lot of security experts (myself included) have been saying this for years. It's nice to have an actual paper out on it, but it is quite trivial and obvious.
Password systems and the core elements of even most modern password policies were developed at a time when you had 3 or 4 different systems you needed to access. And when almost everyone doing it was a geek and could actually remember 65**L;)Y\BLe-A (an actual "secure password" I just generated on a password generator website).
Once you add normal people and 50 or so additional systems to the mix, you would have to be a total idiot to believe that users actually use 50 different 65**L;)Y\BLe-A style passwords, or that it is even within the capacity of the typical human mind to remember those.
In the real world, if your password policy is crazy, people will either break or circumvent it, most commonly by writing their passwords down. Which, of course, does not exactly make you more safe.
Assorted stuff I do sometimes: Lemuria.org
your basic password of "abc123" could be just AlphaBetaCharlieOneTwoThree.
Easy to remember, hard to type, and pretty hard to brute force your way through.
"requiring passwords to be at max 5 characters. MY BANK!!!"
I hope not. Even the worst services I have seen want 8 characters. I'll leave it to my betters how fast a cracker program can bust 5!
My first Journal Entry ever, in 8 years! http://slashdot.org/journal/365947/aphelion-scifi-fantasy-horror-poetry-webzine
I'm old school here.
What is all this "banking info"!? I only do about five things with my bank, and 3.8 of them I can do on my phone just *dialing the automated number*.
Check my balance, pay something to my credit card, look to see if a check has been cashed that shouldn't have been (I've hired a bit of house help), and a couple other things.
When it gets a little weird I hit 0 or say "Representative" to do a couple of fancy things.
What I spend is in my head, I don't need a huge online report to tell me. My five bills are on my desk (including last month's late one!)
I have resisted BOA's attempt to get me to go all online-automated. I theoretically set up a couple of accounts to be online to save money, but not because I need a fancy account. When you wanna know what you can spend, you make a 1.7 min phone call - what else do you need to do?
"True. I should have said major corporate standards when I said government. But because of the way the payment card industry works, if FEELS like government. Complete with not following its own rules and having rules for the sake of rules."
Sorry, but I find this a bit of a big error to make.
I'm really torn on who I dislike more, but to *confuse* corporate policies and govt policies feels like a big step backwards!
(Your choice of which) one punches me in the gut and one holds me by the throat, but to *confuse* them doesn't feel right!
Years ago in a weak variant of this whole thread, I designed a system of using some nine passwords for the entire net, and for whatever reasons I am too senile to recall, one email account got a weird password that changed a couple of times until I couldn't get in. (Including one suspicious moment but that's another post.)
But fortunately I made my "security questions" sufficiently strange yet unforgettable that after two hours on hold, I got into Yahoo Customer service and fixed it. (For now.)
But you have a point that, that was a "backup account". If the primary ones ever got hacked, people would have access to tons of stuff.
I'm def of the school of "use your passwords every time so you know them" and haven't looked into password managers that sorta bother me. It's one reason why last quarter's Heartbleed story made me grumpy - is every site in existence gonna make me flip my password system now? I don't have a new one yet.
Quick uninformed guess, sounds like someone's sloppy programming problem.
I'll defer to my betters here but it sounds like when someone slammed out the system they just picked some number like 11 for the password length and then someone else did the best they could by making it require lots of stuff.
Again a guess, but I bet this is about "how much it costs us to upgrade our system".
Underscore I can see, but Space used to be a character that messed up a lot of systems. And I frankly don't have any 20 character passwords, so maybe people lowered it so that users would have any hope of ever remembering their password, however bad it may be.
"What sort of moron uses their real name on an internet forum?"
Welcome to Facebook and Google's push!
Reversing 20 years of your type of common sense!
I know, I grew up with too, then it changed about 2007.
High security = online banking
Medium security = Linux logins
Low security = everything else, everywhere else
My low security password has no digits in it. If your web site insists on a digit, I just don't sign up for your web site. My security level is MY choice, not yours. Why should I memorize a special password just to get your daily news feed?
Sites with actual value or that I would be annoyed if they get hijacked get real passwords, unique per site. HuffPo and the New York Times get abc123; if somebody hijacks them then they can start posting letters to the editor as "Anonymous Coward", or whatever name I'm using there.
Remembering passwords is a bad idea. Use a vault.
6-8 alphanumeric characters, no spaces or special characters, must begin with a letter. No, I'm not telling you which institution, just that I have at some points in time had fairly valuable assets with them. That's the worst I've had recently. Significantly less than a quadrillion possibilities, and doesn't allow any high-value scheme I've got.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
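The "less than a quadrillion possibilities" estimate above is easy to check. The following is an added example, not code from any commenter: it counts the candidate passwords a policy admits (length range, symbol set, and a restricted first character) and reports the result in bits, using the three policies quoted in this thread. It assumes case-insensitive alphanumerics (36 symbols, 26 letters), which is the generous reading of the bank's rule.

```python
import math


def keyspace(min_len, max_len, alphabet, first_char_alphabet=None):
    """Number of distinct passwords a policy admits.

    alphabet: size of the symbol set allowed in every position.
    first_char_alphabet: size of the set allowed in position 1
        (defaults to alphabet; e.g. 26 for "must begin with a letter").
    Every length from min_len to max_len inclusive is counted.
    """
    first = alphabet if first_char_alphabet is None else first_char_alphabet
    return sum(first * alphabet ** (n - 1) for n in range(min_len, max_len + 1))


def entropy_bits(space):
    """Bits of entropy if every candidate in the space were equally likely."""
    return math.log2(space)


# Constructed from the policies quoted in the thread; 36 = a-z plus 0-9.
POLICIES = {
    "bank: 6-8 alphanumeric, must begin with a letter": keyspace(6, 8, 36, 26),
    "worst quoted: at most 5 alphanumeric characters": keyspace(1, 5, 36),
    "low-security: 9 lowercase letters and digits": keyspace(9, 9, 36),
}


def compare(policies=POLICIES):
    """Map each policy name to (candidate count, entropy rounded to 0.1 bit)."""
    return {name: (space, round(entropy_bits(space), 1))
            for name, space in policies.items()}


if __name__ == "__main__":
    for name, (space, bits) in compare().items():
        print(f"{name}: {space:,} candidates (~{bits} bits)")
```

Even with mixed case (62 symbols, 52 for the first position) the bank's policy tops out around 1.9e14, so the commenter's "well under a quadrillion" holds under either reading.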
random_clown_jetski_explosion_wave
Support my political activism on Patreon.