Slashdot Mirror


New UK Security Guidelines: Password Re-Use OK, Frequent Changing a Waste

isoloisti writes: New UK government guidance on how to handle passwords (PDF) "advocates a dramatic simplification of the current approach." "Unlike previous guidance, this doesn't focus on trying to get ever more entropy into passwords." For example: "Regular password changing harms rather than improves security, so avoid placing this burden on users." And "given the infeasibility of memorising multiple passwords, many are likely to be re-used. Users should only do this where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system."

148 comments

  1. They want us to make it easier for them? by PrimeWaveZ · · Score: 0

    yeah

    1. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 5, Insightful

      The simple fact of the matter is that when it comes to secure passwords, size matters and little else does. If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good (assuming that the other end is using proper salted hashes). There is little benefit to routinely changing such a password because it will only encourage one to do something insecure like write it down somewhere to try to keep track of what the last 12 passwords were so that the monthly forced rotation doesn't reject your new password because you've used it before.

    2. Re:They want us to make it easier for them? by thinkwaitfast · · Score: 1

      So what exactly can "they" do with my /. password?

    3. Re:They want us to make it easier for them? by sudden.zero · · Score: 5, Insightful

      Someone mod this up. This is totally correct! Until my work started making us change our password once every 60 days, and required that the last five passwords can't be reused, I had a very secure password memorized. Now that they implemented these "security" protocols I have to have a list to keep track of what five passwords were used last, and what the current password is. It's the most retarded requirement ever!

    4. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 2, Interesting

      Here's the problem in a nutshell:

      When I work for , initially I only have 1 password to memorize. As I gain tenure, I gain access to more systems, each of which has its own password rules. By the time I'm eligible to "move up" to another position I may have 23 different username and password combinations, of which some have rules that contradict others.

      So there is a huge loss in productivity having all of these passwords be unique. I wound up keeping the lesser-used passwords in a PDA. So if that PDA was ever lost or stolen, I'd still be able to do work, but if one of those unique-cases came up, I'd have to lose the productivity then.

      Other people keep passwords on stickynotes on their PC.

      The problem is that passwords are bad.

      With the advent of smartphones/watches, it should be possible to just start having PCs have NFC built into the computer screen, and placing the phone near the screen leaves the PC unlocked and all accounts accessible until the phone is moved two meters away from the monitor. Forget your phone at home? Did it get smashed? Then your boss can issue you an NFC ID card and temporarily/permanently revoke the phone.

      This also prevents password sharing because taking the phone or NFC card to another machine kicks out the previous login.

      Good luck getting Google and such to implement a common NFC card access.

    5. Re:They want us to make it easier for them? by ShanghaiBill · · Score: 2

      So what exactly can "they" do with my /. password?

      Not much. But if your /. password is also your Citibank password, they can do a lot.

      Password reuse is dumb, and they should not be saying it is ok.

    6. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 1

      Writing a passphrase down is not necessarily insecure. It depends on where you keep it and who your adversary is (if there is one).

      Considerations and recommendations about passphrases only make sense in the context of their use and with the overall security system and its purpose in mind.

    7. Re:They want us to make it easier for them? by Godwin+O'Hitler · · Score: 1

      I wonder if that's why they are saying "Users should only do this where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system."

      --
      No, your children are not the special ones. Nor are your pets.
    8. Re:They want us to make it easier for them? by mlts · · Score: 1

      This is what AD and LDAP are for. This at least reduces the amount of passwords to a manageable level, mainly to environments. Of course, there are exceptions [1], but in general, SSO tends to be useful.

      It isn't NFC card access, but the closest thing that comes to mind for this was something Blackberry offered back in 2008/2009, where the Blackberry device could function as a CAC/PIV card via a Bluetooth adapter.

      What I'd be happy with would be a card that took the place of both an SD card and a SIM, and dual-SIM phones. This way, I'd have the ability to store stuff on each card, and each card would have an OTP generator with its own seed. An ideal would be some method of communication similar to client certificates for authentication, but it would have to have a robust mechanism of not being able to be MITM-ed or attacked during transit.

      [1]: You want production boxes on their own AD domain, for example, so they can be locked up tighter than internal AD is done.

    9. Re:They want us to make it easier for them? by Bert64 · · Score: 4, Insightful

      They're not saying it's ok, they're saying you should only reuse passwords for similar systems, which makes sense... Your slashdot password gets compromised, it's not a big deal; use the same password on some other news site, it's also not a big deal; just make sure you use a different password for your bank.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    10. Re:They want us to make it easier for them? by NicBenjamin · · Score: 4, Insightful

      I have a simple password. I increment. I use the same one at both jobs. They're actually incremented to the exact same digit at the moment.

      I doubt it's secure, but it allows me to avoid hassles.

    11. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 0

      I have a simple password. I increment. I use the same one at both jobs. They're actually incremented to the exact same digit at the moment.

      I doubt it's secure, but it allows me to avoid hassles.

      Pretty much what everyone does at my work as well. Eventually you end up back at the start of the cycle so the "last 5 passwords" thing is avoided. I just wish now that they wouldn't start nagging us to change it 2 weeks before it expires.

    12. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 0

      At this point I think writing it down is the most secure method of storing a password. At least then the attacker has to have physical access. They also need to know what account/machine/device the credentials they found belong to.

    13. Re:They want us to make it easier for them? by PopeRatzo · · Score: 1

      I hope there's not some serious vulnerability to KeePass that I haven't heard about. That little program is a lifesaver for me. Unfortunately, the Mac version is rekt so I can't run it on any of our Apple hardware.

      --
      You are welcome on my lawn.
    14. Re:They want us to make it easier for them? by thinkwaitfast · · Score: 1

      It's not and I've posted my password here before and nothing happened.

    15. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 0

      Another bit of assistance in identifying 'anonymous' internet users :)

    16. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 4, Interesting

      I was an admin for a small company (~50 users) that was owned by a bigger company. I had all of the users make their network password something that they could remember; they were not allowed to write it down. I also recommended that they change it periodically but it wasn't required. Periodically I would suspend the account locking and attempt to crack users' passwords. Any users were notified that they needed to change theirs immediately. If it happened again, I would have to get their supervisor involved. It never happened. Life was good.

      Then the parent company hires a new seagull manager and he comes in and demands that we update our password policy to have passwords expire after 30 days and a password history of 12. They also needed to be complex and be 8 characters. He claims the change was taken word-for-word from Sarbanes-Oxley requirements. I told him that I had read Sarbanes-Oxley and it stated only that a sufficient password policy needed to be in place, which is what we currently had. I even pointed it out to him. It made no difference.

      Within weeks, you could find post-its with passwords on them under about half of the keyboards in the office. I knew it would happen.

      The parent company also never had account locking enabled because "it just causes more calls to the helpdesk". I at least got that changed when I showed him how easy it was to brute force with a rainbow table. The look on his face was like I was doing magic. When a junior admin is teaching the supposed director of information security how to do their job, there is a big problem.

      I left not long after that. I heard that he got fired a few years later, so at least there is a god.

    17. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 0

      Password reuse is dumb

      So is commenting on something you haven't read.

    18. Re:They want us to make it easier for them? by Alumoi · · Score: 1

      Wow, you mean something like the smartcard I've been using for the last 15 years? Yeah, we really need some new and (more) insecure technology.

    19. Re:They want us to make it easier for them? by sociocapitalist · · Score: 1

      They're not saying it's ok, they're saying you should only reuse passwords for similar systems, which makes sense... Your slashdot password gets compromised, it's not a big deal; use the same password on some other news site, it's also not a big deal; just make sure you use a different password for your bank.

      If your bank hasn't provided you a token then find another bank. No excuse for forcing users to use password logins at this point.

      --
      blindly antisocialist = antisocial
    20. Re:They want us to make it easier for them? by Alioth · · Score: 1

      Hmm. Relevant XKCD https://xkcd.com/936/

    21. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 0

      The simple fact of the matter is that when it comes to secure passwords, size matters and little else does. If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good

      No you're not. The first time the camera pans across the sticky note on the monitor, anyone can see your password. As several TV stations have found out, when they did exactly that.

      In the real world, that's how a user stores "a 12-char password made up of random upper/lower/numeric/punct chars".

    22. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 0

      I'd go further... they're not saying it's ok, it reads like they're saying it's going to happen regardless of what you tell the users, so just try to minimise the damage...

    23. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 0

      because it will only encourage one to do something insecure like write it down somewhere to try to keep track of what the last 12 passwords were

      If having access to written down notes also means having physical access to the hardware then it doesn't really create a security hole that didn't already exist.
      You can generally not trust people on site to not make mistakes, but if you think that you have to protect the computers from malicious access locally then you are pretty much screwed.

      Having a complex password written down on a post-it is better than having a simple password. With the password on the post-it you have a situation where anyone on site can access the computer while the simple password means that anyone wherever can access the computer.

      The policy should be something along the lines that written down passwords should not be immediately visible. Otherwise someone will accidentally take a selfie where the password is visible and post it on Facebook, but if you have to open a notebook, flip the keyboard or open a drawer to get the password then your data is just as safe as if the computer didn't have any remote login at all, that is, you have to get on site and grab the hard drive.
      If you have a malicious attack on site then you will have to take into consideration that your servers need to be locked behind a door that can't be brute forced with a crowbar or a fire axe, because if someone intends to grab the hard drives then forcing a door is just a minor inconvenience.

    24. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 1

      You should only be changing passwords when you think you might be compromised.

      And your good password is good because it is unmemorable, there's no shorter way of remembering it. So it gets written down. After a while you can sort of remember it and after some time more, you CAN remember it. But if you ever have to change it, you have to write it all down again and relearn.

      So your good password should only be used when you think the resource locked by it worth that.

      Otherwise MAKE UP A WORD. ginwitfanstable. No mix of case, since you have to remember which case you have, and if that is memorable, it has no extra entropy. No numbers for the same reason. 1337 is only a simple substitution cypher that only helps if your cracker software is someone else's brain. Computers don't give a flying fuck.

      So make up a word. You can remember that much easier, but there's a hell of a lot of ways of putting 5-8 phonemes together, and the programming isn't easy to make work.

      If you speak a second language other than English, use that.

    25. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 0

      > The simple fact of the matter is that when it comes to secure passwords, size matters and little else does.

      Then a very long password like "passwordpasswordpasswordpassword" must be incredibly secure... ;)

      > There is little benefit to routinely changing such a password because it will only encourage one to do something insecure like write it down somewhere to try to keep track of what the last 12 passwords were so that the monthly forced rotation doesn't reject your new password because you've used it before.

      It only forces that if you don't use a password manager (which would also let you use longer than 12 characters, which are not considered secure by all experts). And routinely changing a password arguably has at least one benefit, in the case that the password hash table was stolen and someone is doing offline long-term bruteforce cracking.
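
A worked comparison of the positions in this sub-thread (added here, not from any poster): an attacker-side cost estimate that scores a password by the cheaper of brute force over its observed character classes and a wordlist attack, so that a long repeated word, a four-word passphrase and a 12-character random string can be compared on the same scale. The wordlist, its assumed 8192-word size and the sample passwords are constructed for the example.

```python
import math
import string

# Constructed attacker wordlist: a handful of entries stands in for a real
# cracking dictionary. Its assumed size (2**13 words) sets the cost per word.
WORDLIST = {"password", "pass", "word", "correct", "horse", "battery", "staple"}
WORDLIST_BITS = 13.0  # assumption: log2 of an 8192-word dictionary


def alphabet_size(pw: str) -> int:
    """Size of the union of standard character classes present in pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c not in string.ascii_letters + string.digits for c in pw):
        size += 33  # printable ASCII punctuation and space
    return size


def brute_force_bits(pw: str) -> float:
    """Cost (in bits) of exhaustive search over the observed classes."""
    return len(pw) * math.log2(alphabet_size(pw))


def segment(pw: str, words=WORDLIST):
    """Split pw into the fewest dictionary words, or None if impossible."""
    n = len(pw)
    best = [None] * (n + 1)  # best[i] = fewest-word segmentation of pw[:i]
    best[0] = []
    for i in range(1, n + 1):
        for j in range(i):
            if best[j] is not None and pw[j:i] in words:
                candidate = best[j] + [pw[j:i]]
                if best[i] is None or len(candidate) < len(best[i]):
                    best[i] = candidate
    return best[n]


def dictionary_bits(words) -> float:
    """Cost of a wordlist attack: one lookup per distinct word plus the word
    count, so 'password' repeated four times costs barely more than once."""
    return len(set(words)) * WORDLIST_BITS + math.log2(len(words))


def estimate_bits(pw: str):
    """Return (bits, strategy) for the cheapest of the two strategies."""
    if not pw:
        return 0.0, "empty"
    brute = brute_force_bits(pw)
    words = segment(pw.lower())
    if words is None:
        return brute, "brute force"
    dictionary = dictionary_bits(words)
    if dictionary < brute:
        return dictionary, "dictionary"
    return brute, "brute force"


if __name__ == "__main__":
    # Constructed samples: the repeated word from this thread, an xkcd-style
    # passphrase, a 12-char random string and the made-up word from above.
    for sample in ["passwordpasswordpasswordpassword", "correcthorsebatterystaple",
                   "aB3$kL9#pQ2!", "ginwitfanstable"]:
        bits, how = estimate_bits(sample)
        print(f"{sample:34s} {bits:6.1f} bits  ({how})")
```

The repeated word scores about 15 bits despite its 32 characters, the made-up word is scored by brute force only because it is absent from the constructed list, so the estimate is only as good as the wordlist behind it.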

    26. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 2, Insightful

      But that's the idea behind "frequent changing passwords a waste". I don't even know why changing your password is more secure than keeping a password. Normally you only get a limited amount of tries before your account gets locked anyway. So what does it matter when you keep the same password for the couple of years you use a particular service? And most services you keep for a longer time have better built-in security anyway. Like the requirement to verify an e-mail when you log in on a new computer, or sending SMS codes that need to be entered after logging in x-amount of time.

      I think login/password to authenticate a user was the first thing the first computer scientists came up with, but they never tried to find a better solution. The businesses who profited most from the IT boom were never interested in security or privacy and only implemented it as an afterthought. Now x decades later we still use the first authentication system that was implemented and nobody questions its validity or user friendliness.

      Especially now with the rise of smartphone usage, difficult passwords become a nightmare. How many people are able to type those difficult passwords on such a small screen without making a mistake? And how many people really remember all their different passwords? If you don't want to carry a paper notebook where you write down your passwords, then you will probably save them in the notebook app on your smartphone. That's even something I do: passwords I only need occasionally are in a notebook that is synced with my smartphone. Someone who has access to my smartphone (like on the work floor when you put your phone down after a call without locking the screen yourself) also has access to all my passwords in my notebook, including the PUK codes of my cell chip, the passwords of my work account, the passwords for the download area of expensive software, etc...

      I know I have this problem. I personally do not care about losing access to any of those services; the loss can be repaired and it has no emotional value. But my employer probably thinks differently and that's why they require us to remember 16 passwords with at least 2 numbers, 2 lower case, 2 upper case, 2 special chars, no repetition of characters and at least 16 characters long that have to be changed every month. Of course nobody remembers them. Of course you write them down. Of course you no longer use a paper notebook, but a notebook in the cloud. Of course that difficult password is only as secure as the password of my notebook, which is only as reverse secure as my trust in my colleagues and friends, who might have a peek in my notebook when I leave my desk without locking my screen. I do not lock my screen when I have to re-enter those annoying passwords that I never can remember and need to save in my notebook which is now in the cloud...

    27. Re: They want us to make it easier for them? by Anonymous Coward · · Score: 0

      KeePassX should work on mac!

    28. Re:They want us to make it easier for them? by tmosley · · Score: 1

      I would just drop all the other requirements and force them to use a 30+ character password. I would advise them to make it a phrase and throw in a word of |337speak somewhere.

    29. Re:They want us to make it easier for them? by blincoln · · Score: 1

      If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good (assuming that the other end is using proper salted hashes). There is little benefit to routinely changing such a password [...]

      It depends. If you use the same password on multiple systems, then it's only as secure as the least-secure of those systems. If you never change it, for all you know, someone has compromised one of the weaker links in that chain and been able to log on as you for months or years.

      --
      "...always new atoms but always doing the same dance, remembering what the dance was yesterday." -Richard Feynman
    30. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 0

      >Password reuse is dumb, and they should not be saying it is ok.

      It sure is. Password reuse is the reason I had to change all my passwords last weekend when someone tried to log into my gmail with my password from China, but was stopped by 2-factor authentication. I now have random passwords everywhere, stored in a secure password app on my phone, backed up to an unconnected PC at home. It's a little bit of a hassle to have to look up passwords, but it sure beats having my accounts compromised.

    31. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 0

      >They're not saying its ok, they're saying you should only reuse passwords for similar systems, which makes sense.

      It doesn't really make sense. It's what I did. It didn't stop my medium-security password from being exposed, leading to a day of password changes. I now use random passwords everywhere. It's worth the hassle.

    32. Re: They want us to make it easier for them? by PopeRatzo · · Score: 1

      KeePassX should work on mac!

      Yeah, it should. I've been using KeePass 2.x for over a year and KeePassX won't import or access those databases. And, of course, KeePass 1.x won't read my 2.x database either, so I can't move it over.

      I keep watching KeePassX for KeePass 2.x support. Then, I'm golden.

      --
      You are welcome on my lawn.
    33. Re:They want us to make it easier for them? by wwphx · · Score: 2

      As ubiquitous as smartphones are, especially in IT staff, I'd like to see a proximity tie. You walk in to your office, you sit down at your computer, the computer has already identified your phone and is waiting for a password that can be simple since your phone must be proximate -- it does not fully unlock until you do something at the keyboard. Maybe have a certificate exchange, or in the case of later model iPhones, add a fingerprint swipe. (Yes, I saw the MythBusters on spoofing fingerprint scanners). Require an additional, stronger, password for out-of-normal-hours access.

      I'm not sure what to do about a lost/stolen phone or how to prevent sniffing and spoofing (snoopfing?), but I think it has the potential to be a beginning.

      I'd LOVE to see a crypto tie-in for laptops where I have to enter a code in my phone to open my laptop, though it could be a huge problem if your phone died or were lost while you were on the road.

      --
      When you sympathize with stupidity, you start thinking like an idiot.
    34. Re:They want us to make it easier for them? by wwphx · · Score: 2

      I've always wanted to create 'red alert'/honeypot account names and passwords that I could put on sticky notes and any use of those would immediately disconnect the system in question from the network, shut it down, and trip security alarms. I'd frequently put such on the bottom of server console keyboards just to screw with people who bothered to look.

      --
      When you sympathize with stupidity, you start thinking like an idiot.
    35. Re:They want us to make it easier for them? by wwphx · · Score: 1

      Don't forget to double ROT-13 for even more protection!

      --
      When you sympathize with stupidity, you start thinking like an idiot.
    36. Re:They want us to make it easier for them? by Gliscameria · · Score: 1

      Why limit at 12? Why not let people use full sentences, also compatible with symbols and case sensitive?

      --
      X
    37. Re:They want us to make it easier for them? by Anonymous Coward · · Score: 0

      The simple fact of the matter is that when it comes to secure passwords, size matters and little else does. If you have a 12-char password made up of random upper/lower/numeric/punct chars, then you're good (assuming that the other end is using proper salted hashes). There is little benefit to routinely changing such a password because it will only encourage one to do something insecure like write it down somewhere to try to keep track of what the last 12 passwords were so that the monthly forced rotation doesn't reject your new password because you've used it before.

      I suppose the idea is that somebody could crack your password and routinely have some sort of access to your device unless and until you change it, and might have some sophisticated scheme that would never let them know they were compromised and yet would cause significant damage and requires repeated access over long periods of time. If they get access to my work, they'll just get a combination of bad code and code I found via Google. Hardly seems worth the effort.

    38. Re:They want us to make it easier for them? by gzuckier · · Score: 1

      I was an admin for a small company (~50 users) that was owned by a bigger company. I had all of the users make their network password something that they could remember; they were not allowed to write it down. I also recommended that they change it periodically but it wasn't required. Periodically I would suspend the account locking and attempt to crack users' passwords. Any users were notified that they needed to change theirs immediately. If it happened again, I would have to get their supervisor involved. It never happened. Life was good.

      Then the parent company hires a new seagull manager and he comes in and demands that we update our password policy to have passwords expire after 30 days and a password history of 12. They also needed to be complex and be 8 characters. He claims the change was taken word-for-word from Sarbanes-Oxley requirements. I told him that I had read Sarbanes-Oxley and it stated only that a sufficient password policy needed to be in place, which is what we currently had. I even pointed it out to him. It made no difference.

      Within weeks, you could find post-its with passwords on them under about half of the keyboards in the office. I knew it would happen.

      The parent company also never had account locking enabled because "it just causes more calls to the helpdesk". I at least got that changed when I showed him how easy it was to brute force with a rainbow table. The look on his face was like I was doing magic. When a junior admin is teaching the supposed director of information security how to do their job, there is a big problem.

      I left not long after that. I heard that he got fired a few years later, so at least there is a god.

      We just got yet another system added to our list of systems we need passwords for; this one expires after 90 days, with no warnings, and locks you out so you can't change it once it expires without going through the help desk. I think they'd be happiest if they could just keep everybody from accessing the system.

      --
      Star Trek transporters are just 3d printers.
    39. Re:They want us to make it easier for them? by gzuckier · · Score: 1

      Here's the problem in a nutshell:

      When I work for , initially I only have 1 password to memorize. As I gain tenure, I gain access to more systems, each of which has its own password rules. By the time I'm eligible to "move up" to another position I may have 23 different username and password combinations, of which some have rules that contradict others.

      So there is a huge loss in productivity having all of these passwords be unique. I wound up keeping the lesser-used passwords in a PDA. So if that PDA was ever lost or stolen, I'd still be able to do work, but if one of those unique-cases came up, I'd have to lose the productivity then.

      Other people keep passwords on stickynotes on their PC.

      The problem is that passwords are bad.

      With the advent of smartphones/watches, it should be possible to just start having PCs have NFC built into the computer screen, and placing the phone near the screen leaves the PC unlocked and all accounts accessible until the phone is moved two meters away from the monitor. Forget your phone at home? Did it get smashed? Then your boss can issue you an NFC ID card and temporarily/permanently revoke the phone.

      This also prevents password sharing because taking the phone or NFC card to another machine kicks out the previous login.

      Good luck getting Google and such to implement a common NFC card access.

      Here's the thing; when you forget your password, or it locks you out, you can just call the help desk, or go through some web page; and they ascertain your identity by a few different pieces of data; your social security number, your date of hire, your mother's maiden name, etc. So, basically, the insertion of a password into the chain of events grants you no extra security than just having you answer these questions when you want to log in. So come up with a slate of such challenge questions of which you have to answer a random three or four, if biometrics isn't an option.

      --
      Star Trek transporters are just 3d printers.
    40. Re:They want us to make it easier for them? by gzuckier · · Score: 1

      Writing a passphrase down is not necessarily insecure. It depends on where you keep it and who your adversary is (if there is one).

      Considerations and recommendations about passphrases only make sense in the context of their use and with the overall security system and its purpose in mind.

      every once in a while, a password writer downer realizes that instead of writing down the password they can write down the keys to the left of the actual ones in the password, or some such.

      --
      Star Trek transporters are just 3d printers.
  2. Makes sense by AuMatar · · Score: 4, Insightful

    The fact is, most of the accounts I have passwords for don't really matter. I don't give a shit if someone gets access to my slashdot account. Or if they get access to an old video game forum or two. So there's no reason to give those things really secure passwords. The things that need secure, unique passwords are your email, your bank/broker, and anything that would truly upset you if you lost access to. Give the rest some default password and stop caring.

    --
    I still have more fans than freaks. WTF is wrong with you people?
    1. Re:Makes sense by Qzukk · · Score: 1

      Yeah, I think if I had to rate in order from most secure to least secure I'd have to say it's something like:

      brokerage account
      SSL certificate account
      bank account
      steam account
      gmail account
      ~~~
      various forum accounts
      ~~~
      slashdot account
      electric company account (please break in and pay my bill for me!)

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    2. Re:Makes sense by Anonymous Coward · · Score: 5, Insightful

      Your email account should be the top of the list as access to that typically allows someone to reset all of your other accounts.

    3. Re:Makes sense by dpidcoe · · Score: 2

      I'd advocate having a "default" password but making it unique to the site or service by adding some string to the end based on the name of the site (or some other easily memorable thing). e.g. your slashdot password might be "DefaultPassword1234Slashdot" whereas your reddit account might be "DefaultPassword1234Reddit". It's basically zero cost to remember yet still gives some protection against someone running a script on a compromised username/password database.

    4. Re:Makes sense by DaphneDiane · · Score: 4, Informative

      electric company account (please break in and pay my bill for me!)

      You might want to move electric company account up the list. Utility bills are often used as proof of address when verifying identity.

    5. Re:Makes sense by DaphneDiane · · Score: 1

      electric company account (please break in and pay my bill for me!)

      You might want to move electric company account up the list. Utility bills are often used as proof of address when verifying identity.

      Since the article is talking about the UK guidelines here, check out this list.

    6. Re:Makes sense by khasim · · Score: 1

      Now imagine that one of those junk sites gets cracked. They now have:

      1. your email address
      2. your password for that site
      3. the "security" answers you've provided

      Using #1 & #2 they can try to access other sites to collect more of #3.

      Have you used the same email address (#1) and security answers (#3) on critical sites? If so, they can potentially bypass the password (#2) that they do not have for those critical sites.

      So, unique passwords AND unique email addresses (with unique passwords) for critical sites.

    7. Re: Makes sense by Anonymous Coward · · Score: 0

      electric company account (please break in and cancel my supply)

      You might want to move it up the list.

    8. Re:Makes sense by Anonymous Coward · · Score: 0

      I do this but I don't use the actual site name for instance slashdot is: trollsLiveHerePassw0rd

      BTW, WTF is it with sites that can't figure out how to allow special characters in passwords...that instills confidence

    9. Re:Makes sense by Harlequin80 · · Score: 1

      I have memorised 3 alphanumeric passwords which are the basis of all of my passwords. Basically I rotate two of those three passwords through all the crap I don't really care about. Worst case scenario is it takes me 2 log in attempts to get the right password on any given site

      When it comes to things I care about it gets all three passwords combined making a stupidly long alphanumeric that is really easy to remember.

    10. Re:Makes sense by AuMatar · · Score: 2

      You provide real answers for security questions? That's you being fucking stupid. Just mash the keyboard.

      --
      I still have more fans than freaks. WTF is wrong with you people?
    11. Re:Makes sense by fisted · · Score: 2

      If you meaningfully fill in the 'security answers', then you're already doing it wrong

    12. Re: Makes sense by Anonymous Coward · · Score: 0

      I think it's web gurus scared of bobby tables and shellshockers rolling their own problems.

    13. Re:Makes sense by Hognoxious · · Score: 1

      That works until you need them.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    14. Re:Makes sense by AmiMoJo · · Score: 1

      You should have 2 factor auth on your email account, minimum. As you say, once someone is in there you are screwed.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    15. Re:Makes sense by AmiMoJo · · Score: 1

      When I recently opened a new bank account all they wanted was details of my other bank account, with another bank. I was moving my payments over anyway, but they didn't ask for any proof of ID. I did the whole thing online, the account was set up in minutes.

      I wonder how much information I'd have to change, e.g. putting a different address on the new account, before they would start to worry...

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    16. Re:Makes sense by CrimsonAvenger · · Score: 2

      A password manager usually has a comments block to be filled in by the user.
      Insert the "secret question" and its (made up) answer into the comment block. Then you don't have to bother to remember them, and there's basically no way to guess them, since they have no bearing on reality - "what was your first pet's name? Ford Prefect"....

      --

      "I do not agree with what you say, but I will defend to the death your right to say it"
    17. Re:Makes sense by Anonymous Coward · · Score: 0

      This is where 2-factor saved me from being totally screwed last weekend. Never store anything important in an account that doesn't have 2-factor authentication, either with Authy, Google Authenticator, or at least text messages to a phone you control. If not for 2-factor, I would have lost access to every account I have, and all my software keys. It would have been very expensive and time-consuming.

    18. Re:Makes sense by Cederic · · Score: 1

      My bank gets confused every time my answer to, "What's the first school you went to?" is "I don't know"

      I have stopped using 'fuck off' as my mother's maiden name though. Even I found that one awkward over the phone.

    19. Re:Makes sense by Anonymous Coward · · Score: 0

      I use different emails for different websites. I've my own domain name and *@mydomain.com catches all logins. This also makes it easy to see what websites have sold my email information to a third party.

    20. Re:Makes sense by Anonymous Coward · · Score: 0

      What, you can change the address your electricity is supplied to, by simply logging in and modifying the details? Or maybe the attacker can change the bill payment name to the entity they have of themselves and claim to be at your address?

      Which utility companies do this ?

      At best all they can do is get a copy of your bill (which any hijacked postbox or postman has traditionally been able to provide). Then they claim to be you at your address. That isn't that useful as usually proof of address is needed for things relating to the address.

      Sure many things are tried by the attacker, and shit does happen, but being able to login to my utility company to see my bills isn't that much of a problem in the UK.

    21. Re:Makes sense by Hognoxious · · Score: 1

      Ford Prefect is unlikely to arise by mashing the keyboard.

      And if you aren't using a password manager, or you didn't note down that your mother's maiden name was FHGFHGFHA?

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  3. This matches how people function by WillAffleckUW · · Score: 5, Interesting

    If you make it too hard for them, they either use weak passwords or they tape them next to the monitor so that you can human engineer the security with a camera enabled pen or purse or water bottle you "forget". Or they type into the notes feature on their easily guessed cell phone.

    (caveat: I used to be the acting regional security officer for a military region, so I have absolutely no idea what security measures get defeated and will deny knowing such information)

    (extra caveat: facial recognition is pretty useless and easy to defeat, as are most biometrics)

    --
    -- Tigger warning: This post may contain tiggers! --
    1. Re:This matches how people function by dpidcoe · · Score: 5, Interesting

      Yep. When I worked in IT, security kept enforcing stricter and stricter password guidelines. Eventually it boiled down to basically every. single. user. picking a password in the format of [Kids name][kids birthdate]![number representing how many times they'd had to change their password]. It got to the point where if I had to fix someone's computer but they weren't at their desk I'd just check their hire date, multiply the number of years worked by 4 (for the end number), examine whatever family pictures they had framed there and have the password in 3-5 guesses.

      This is the same security that disabled ability to use attachments over webmail, took down our secure FTP server, revoked contractor access to our version control system, made it extremely hard to obtain VPN access, and then was completely surprised when users started sending files via personal e-mail and dropbox.

    2. Re:This matches how people function by dplong · · Score: 1

      Re facial recognition. I worked in the video-surveillance industry for a few years, and video analytics, especially facial recognition, is a big joke. False positives render it near useless.

    3. Re:This matches how people function by purple_cobra · · Score: 1

      Another agreement here.

      I work in the NHS and we have to change passwords on OS login and most applications every 28 days (passwords must be 8+ characters (IIRC), must contain at least one number amongst those and must also contain at least one upper case letter). This results in either a) people writing their passwords down and keeping them handy or b) using the same password every month and changing two digits to account for the month (I use option B as it should be marginally more secure, assuming our IT staff have a clue (they don't, for the most part; most of those IT staff are either relatives of someone else who works there and couldn't get a job elsewhere but can program a PVR (rank and file staff) or are ex-nurses who couldn't manage the hand-washing instructions (managers, and I *know* you'll think I'm joking here. I assure you that I am not))).

      I've suggested quite a few times that being too secure is actually being less secure, namely that because if it's too complex to have an allowed password then people will just circumvent/trivialise it, but as I'm not working in IT these days (long story, and despite attempts by former colleagues to convince me to go back, it is not happening) then I'm just ignored. The entire hospital trust is rapidly circling the pan anyway, so I'm just doing what I'm paid to do until it goes under and the rest can go to hell. Whether we get all our patient records cloned and sold in the meantime is no longer my concern; I've done my bit and no-one cares.

    4. Re:This matches how people function by sociocapitalist · · Score: 1

      This is the same security that disabled ability to use attachments over webmail, took down our secure FTP server, revoked contractor access to our version control system, made it extremely hard to obtain VPN access, and then was completely surprised when users started sending files via personal e-mail and dropbox.

      Let me guess - you work at the white house supporting Hillary?

      --
      blindly antisocialist = antisocial
    5. Re:This matches how people function by squiggleslash · · Score: 1

      I've had at least two occasions where my usual secure password, over eight characters, mixture of letters and digits, no words whatsoever, and with an algorithmic change per site/entity, wouldn't work but "Password123" did.

      Guess what I used as my password with those locations.

      --
      You are not alone. This is not normal. None of this is normal.
  4. What happened to British security? by Falconnan · · Score: 0

    As an American, I have long viewed our tendency to be unconcerned with security as a bit odd. The British seemed to take it more seriously, and be smarter about it. This is part of why their human intelligence generally seemed superior to ours. Today, the new British government seems keen on sacrificing the security of its people on the altar of the false religion of national security. This will clearly leave the government in charge of the people if taken to its full conclusion. It is hard to reconcile the best interests of the citizenry with the current behavior of their authorities.

  5. Password reuse? by YrWrstNtmr · · Score: 5, Funny

    Let's ask former Ashley Madison members.

    1. Re:Password reuse? by bughunter · · Score: 1

      Not to mention the Gawker hack victims.

      I had dozens of sites I had to go change passwords on. Good thing I keep a list of what username/password combinations I use where, and the one I had used for Gawker was the one I use for "throwaway" comment board registrations.

      Unfortunately, it was also very close to passwords I use for slightly more security, like work and email, so I had to change those, too.

      --
      I can see the fnords!
  6. Portable one-time key password generator .. by nickweller · · Score: 3, Insightful

    A portable hardware device that generates one-time-only passwords. The master keys never leave the device and can be revoked in the event of the device getting lost. Hacking any individual device provides no clues that can be used to hack the other devices.
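
    The device nickweller describes is, in effect, an OATH token: the master key stays on the device and on the server, and each code is a one-way function of that key and a counter (or the clock). The following is an added example, not code from the post, implementing HOTP (RFC 4226) and its time-based form TOTP (RFC 6238) in Python, together with the server-side check that consumes codes so they cannot be replayed. The only input is the reference secret from RFC 4226, used here purely so the output can be compared with the RFC's published test vectors; a real token is provisioned with a random secret that is never exported.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Reference secret from RFC 4226 Appendix D (ASCII "12345678901234567890").
# Used only so the codes below can be checked against the RFC's test vectors;
# a real token gets a random secret provisioned once and never exported.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226).

    The secret never leaves the token or the server; only the short code
    travels, and seeing any number of codes does not reveal the secret.
    """
    msg = struct.pack(">Q", counter)                  # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                           # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: Optional[float] = None,
         step: int = 30, digits: int = 6) -> str:
    """Time-based variant (RFC 6238): the counter is the number of 30 s steps."""
    t = time.time() if for_time is None else for_time
    return hotp(secret, int(t // step), digits)


def verify_hotp(secret: bytes, code: str, last_counter: int,
                look_ahead: int = 10) -> Optional[int]:
    """Server-side check with a resynchronisation window.

    Returns the counter that matched so the caller can persist it, or None.
    Counters at or below last_counter are never tried, so a code captured
    earlier cannot be replayed once a later one has been accepted.
    """
    for c in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, c, len(code)), code):
            return c
    return None


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))   # 755224, 287082, 359152 per RFC 4226
    print("current TOTP:", totp(RFC4226_SECRET))
```

    Revocation of a lost token, which the post also asks for, is purely a server-side action (delete the secret for that user), which is the advantage of the secret never being derivable from the codes. The look-ahead window is the usual trade-off between tolerating a few unused button presses and widening the guessing space; and as WillAffleckUW notes in the reply, a token carried in the same bag as the laptop is only a second factor if the PIN or password that goes with it is kept somewhere else.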

    1. Re:Portable one-time key password generator .. by Anonymous Coward · · Score: 0

      So... RSA SecurID, then?

      It's a PITA, but it works. (I've only ever had to use one as a third-party contractor logging into a hospital's building management system from off-site. That was over a decade ago.)

    2. Re:Portable one-time key password generator .. by WillAffleckUW · · Score: 2

      that's how really secure systems get hacked, because the generals tend to attach it to the secure laptop case along with the key, making it a one stop security breach waiting to happen.

      "it will never happen to me" - can't tell you how often it happened, walk into the insecure lunch area, grab the case, pop the top, use the hw device, and home free and they haven't even finished their first cup of tea or coffee. return it to them and they assume if you have a valid uniform you must be ok, nobody ever checks.

      ever.

      --
      -- Tigger warning: This post may contain tiggers! --
  7. What about keepass? by Anonymous Coward · · Score: 0

    It generates complex and long passwords and it stores them in an encrypted form on your computer.

  8. My bank is the worst. by jtownatpunk.net · · Score: 4, Insightful

    Must have a mix of upper case, lower case, numbers, and special characters. And it can't be any of my last eleventy-six passwords. "It's been a while since you've logged in from the mobile application. Please change your password." What the flying fuck?!? I just wanted to check my balance and now I have to change my password.

    1. Re:My bank is the worst. by Anonymous Coward · · Score: 0

      When it comes to mobile applications having to log in at all is enough to weaken passwords given how clumsy it can be to type.

    2. Re:My bank is the worst. by Harlequin80 · · Score: 1

      You could have the opposite. My bank requires a 6 character password, no special characters and no capitalisation allowed, with the username being printed on all your bank statements. And with their new update once you have got access to the account you can transfer the entire balance of the account to anyone who has received a payment before. Their argument is that you needed to do an SMS verification the first time, so that kid you paid to fix your pc? he can now receive the entire contents of your bank accounts including all the redraw funds in your homeloan.... Alternatively if you were like me and went to the effort of getting an RSid token they have removed the memorised password component so now all you need is the actual token number. Retarded.

      I will be leaving them very soon.

    3. Re:My bank is the worst. by TeknoHog · · Score: 1

      What the flying fuck?!? I just wanted to check my balance and now I have to change my password.

      I remember in the past some online banking sites did this right. You could log in to check balances with the basic password, but you'd need stronger credentials to make payments. Now they want me to use up numbers from the one-time pad both for the initial login, and again for the payment.

      I understand the balance and transactions can be sensitive information to many people, but losing money directly should be a more immediate concern. As many other commenters are pointing out, the level of crypto should correlate with the value of the service.

      --
      Escher was the first MC and Giger invented the HR department.
    4. Re:My bank is the worst. by Anonymous Coward · · Score: 0

      This is the real problem--every @#$*! site has its own idiosyncratic rules that make it even harder to use a password system.

      I have a system, where sites are "tiered" based on their importance to me. Things at the top get really difficult unique passwords, things at the bottom are easier passwords that I reuse.

      The problem is that every damn site has their own idiosyncratic rules about what has to be included, so even if I have a password that's much more difficult to crack than what's allowable under their rules, I still have to use their stupid rules. Typically this is because they have some strangely short limit on the number of characters--we're really not talking something that long really--and the weird permutations of character types only add to the misery.

      What I prefer are sites that have some measure of how good the password is, let you make it arbitrarily long (or at least ridiculously long enough that it won't be a problem), and don't require you to change it. You need to make it easy for people to use difficult passwords, not harder.

      The password system is broken anyway, but this nonsense is full of crap.

    5. Re:My bank is the worst. by Anonymous Coward · · Score: 0

      That reminds me of how Bank of America prints the full credit card number on your monthly statement. Not exactly secure.

    6. Re:My bank is the worst. by jrumney · · Score: 1

      no capitalisation allowed

      The bank's response: How can a 4 digit number have capitals anyway?

    7. Re:My bank is the worst. by The+Phantom+Mensch · · Score: 1

      For a brief period of time I thought Diceware style passphrases would be the answer, but I found that a lot of places don't accept space characters in a password and, as you observed, they all have random, undisclosed length limitations and the usual special characters requirement. Most of my low risk forum site passwords are based on one I was assigned about 15 years ago that had "good enough" length and was not guessable based on personal details like dog names and such.

  9. Reflexive, symmetric, transitive... by Okian+Warrior · · Score: 3, Interesting

    Users should only [reuse passwords] where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system.

    So if I have access to a highly sensitive system, it's OK to reuse that password on a system with lower value data.

    OK - got it.

    1. Re:Reflexive, symmetric, transitive... by Goetterdaemmerung · · Score: 1

      Users should only [reuse passwords] where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system.

      So if I have access to a highly sensitive system, it's OK to reuse that password on a system with lower value data.

      OK - got it.

      I am pretty sure (hoping) you are being sarcastic because that is not what the quote says at all. It is only ok to re-use a password when both systems have equivalent levels of data value.

      To provide a car analogy: It is perfectly fine to use the same key for both my Toyota Corolla and my Ford Focus. However also using that key for my Aston Martin would be unacceptable.

    2. Re:Reflexive, symmetric, transitive... by Anonymous Coward · · Score: 0

      He thinks he's being sarcastic. What he's actually doing is proving that way too many people don't understand the difference between being clever and being a pedantic douchebag.

    3. Re:Reflexive, symmetric, transitive... by Anonymous Coward · · Score: 0

      In that case, the compromise of one password (for the system with low-value data) would result in the compromise of more valuable data.

    4. Re:Reflexive, symmetric, transitive... by sociocapitalist · · Score: 1

      Users should only [reuse passwords] where the compromise of one password does not result in the compromise of more valuable data protected by the same password on a different system.

      So if I have access to a highly sensitive system, it's OK to reuse that password on a system with lower value data.

      OK - got it.

      Funny but the re-use logic goes in both directions.

      --
      blindly antisocialist = antisocial
    5. Re:Reflexive, symmetric, transitive... by rastos1 · · Score: 1

      No. But it is OK to use a strong password and well secured system to store your lower value data and then reuse the same password on equally or better secured highly sensitive system.

  10. that's what I do now. Better might be algorithmic by raymorris · · Score: 4, Interesting

    That's what I do now, I basically classify things as low, medium, or high security. I don't want to remember a thousand different passwords and don't care to use a password manager for sites like Slashdot or other news sites I comment on. So low-impact sites all get the annual password when I register.

    I change passwords every year or two, generally adding complexity (length) to the previous password. By now, they are pretty good passwords, but I've memorized them a piece at a time.

    For a while I did something that might be better. I had an algorithm and a little utility program which generated a unique password based on my master password and the domain name. So something like sha1(mypassword, 'slashdot.org'). That gave me different passwords, without remembering them all, and without being tied to one specific password manager. I could "recall" my password on any device at any time. Actually, I chose an algorithm that I COULD compute in my head, though with considerable difficulty.
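
    An added example, not raymorris's utility and not dpidcoe's, that puts the two schemes from this thread side by side: the "base password plus site name" suffix dpidcoe suggests, and a keyed derivation of the kind raymorris describes. The master secret and site names are made up for the example. The point of the pairing is the failure mode: one leaked suffix-style password hands an attacker the password for every other site (exactly the trick the Ashley Madison reply lower down plays on future assassin), whereas one leaked derived password only gives the attacker an offline guessing target for the master; using PBKDF2 with a high iteration count instead of a bare sha1 makes that target expensive, and a per-site counter lets one breached site be rotated without touching the master.

```python
import base64
import hashlib
from typing import Optional

# Constructed master secret for this example; in use this must be long and
# never typed into any site directly, since every site password derives from it.
MASTER = "correct horse battery staple"


def naive_site_password(base: str, site: str) -> str:
    """dpidcoe's scheme: a shared base password with the site name appended."""
    return base + site.capitalize()


def recover_from_leak(leaked_password: str, leaked_site: str,
                      target_site: str) -> Optional[str]:
    """What a breach gives an attacker under the naive scheme: strip the known
    site name and rebuild the password for any other site."""
    suffix = leaked_site.capitalize()
    if leaked_password.endswith(suffix) and len(leaked_password) > len(suffix):
        return leaked_password[:-len(suffix)] + target_site.capitalize()
    return None


def derived_site_password(master: str, domain: str, counter: int = 0,
                          length: int = 20, iterations: int = 200_000) -> str:
    """Keyed derivation: PBKDF2-HMAC-SHA256 of the master, salted with the
    normalised domain and a per-site counter. Bumping the counter rotates one
    breached site's password without changing the master or any other site.

    A leaked output reveals nothing about other sites; it is only an offline
    guessing target for the master, which the iteration count makes slow.
    """
    domain = domain.lower().strip()
    if domain.startswith("www."):
        domain = domain[4:]
    salt = f"site-password-v1:{domain}:{counter}".encode()
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=24)
    # Base64 keeps the result printable; it is cut to the site's length limit.
    return base64.b64encode(key).decode()[:length]


if __name__ == "__main__":
    leaked = naive_site_password("DefaultPassword1234", "slashdot")
    print("leaked:", leaked, "-> reddit:", recover_from_leak(leaked, "slashdot", "reddit"))
    for d in ("slashdot.org", "www.slashdot.org", "reddit.com"):
        print(d, derived_site_password(MASTER, d))
    print("rotated:", derived_site_password(MASTER, "slashdot.org", counter=1))
```

    Two caveats a practitioner runs into with the derived scheme: the output has to be regenerated with exactly the same normalisation of the domain every time (hence the lower-casing and www stripping), and because the output is whatever the KDF produces, it will sometimes fail the kind of composition rules complained about elsewhere in this thread (a required symbol, a 12-character cap), which is where the counter or a per-site transform has to be remembered anyway.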

  11. Probably the movies by Okian+Warrior · · Score: 2

    The British seemed to take it more seriously, and be smarter about it. This is part of why their human intelligence generally seemed superior to ours. Today, the new British government seems keen on sacrificing the security of its people on the altar of the false religion of national security.

    I think it's the movies.

    British intelligence had a string of high-profile successes, culminating in dropping that evil guy into the smokestack.

    At least, that's what the public was led to believe.

    In the modern world, the internet has a way of making the reality of the situation more plain.

    Perceptions change.

  12. less password01? by sims+2 · · Score: 4, Insightful

    Does this mean I won't have to change my password from password01 to password02, password03 etc.?

    You require people to change it every 90 days and expect them to remember it; what do you think people are going to do? It is going to be S!mp1e as can be.

    Simple1! fulfills most companies' password requirements.

    If you insist on my password looking like: 6B=1X8Vg+Bxqfs=2oPEy

    It will have to stop changing on an arbitrary basis.

    --
    Minimum threshold fixed. Thanks!
    1. Re:less password01? by Calydor · · Score: 1

      6B=1X8Vg+Bxqfs=2oPEy

      Isn't that the proof to Fermat's Theorem?

      --
      -=This sig has nothing to do with my comment. Move along now=-
    2. Re:less password01? by 93+Escort+Wagon · · Score: 1

      6B=1X8Vg+Bxqfs=2oPEy

      Isn't that the proof to Fermat's Theorem?

      It's also the combination to my luggage, dammit!

      --
      #DeleteChrome
    3. Re:less password01? by sociocapitalist · · Score: 1

      Does this mean I won't have to change my password from password01 to password02, password03 etc.?

      You require people to change it every 90 days and expect them to remember it; what do you think people are going to do? It is going to be S!mp1e as can be.

      Simple1! fulfills most companies' password requirements.

      If you insist on my password looking like: 6B=1X8Vg+Bxqfs=2oPEy

      It will have to stop changing on an arbitrary basis.

      At least some authentication systems can stop you from using a new password that is too much like your old password.

      --
      blindly antisocialist = antisocial
    4. Re:less password01? by Anonymous Coward · · Score: 0

      By storing the plaintext?

    5. Re:less password01? by andrewbaldwin · · Score: 1

      They have this at my employers and it has always worried me.

      For this to work they'll have to store the password in clear somewhere so they can make comparisons.

      If they used the conventional approach of passing the given text through a few iterations of SHA then even just a one-bit difference in given passwords would make a huge change to the encrypted one - so how could they tell if the new one was similar to the older one?

    6. Re:less password01? by Nemyst · · Score: 1

      Now guess what happens when the system not only asks for a new password three times a year, but also restricts the password to never have been used before and to be exactly eight characters? People find a short 5 character password and append NYY (N = password number, YY = year).

      Yes, I have to use such a system. Yes, it's as awful as you'd think it to be.

    7. Re:less password01? by JesseMcDonald · · Score: 1

      They shouldn't be able to check against all your old passwords, but at least for the most recent one you generally need to enter both the old and new passwords together in order to implement a password change, to prove that you're the rightful owner of the account. Thus they don't need to have the old password on file to check for similarity, they can simply compare against what you just sent them.

      Of course, a really secure system wouldn't include sending them the password at all—it should be used on the client to complete a zero-knowledge proof, and only the proof sent back to serve as authentication. Any similarity checks in that case would need to be done on the client, and could thus be bypassed by a determined enough user. But in practice the password is generally sent to the server for authentication, and if you're really lucky the connection is reasonably well encrypted and the server avoids storing the password in plaintext (or a functionally-equivalent weak cipher).

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
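
      To make JesseMcDonald's point concrete, here is an added example (not from the thread, and not any particular product's logic) of how a server can refuse a "password01 -> password02" change while storing only salted PBKDF2 hashes. The old password is available in plaintext only during the change request, because the user has to supply it to authorise the change; the similarity rules run on that one pair and nothing extra is stored. Exact reuse of earlier passwords is a separate check that needs only the stored hashes, which is why a "last five" history does not require plaintext either. The rules and thresholds below are this example's choices.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Return (salt, digest); only these are stored, never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _core(password: str) -> str:
    """Lower-case and drop the trailing digits/punctuation people increment."""
    return re.sub(r"[\d\W_]+$", "", password.lower())


def too_similar(old: str, new: str) -> Optional[str]:
    """Reason the new password is rejected, or None if it is acceptable."""
    if old == new:
        return "identical"
    o, n = _core(old), _core(new)
    if o and n:
        if o == n:
            return "differs only in case or a trailing number/symbol"
        if o in n or n in o:
            return "one is contained in the other"
        if n == o[::-1]:
            return "reversed"
    if levenshtein(o, n) <= 2:
        return "within two edits of the old password"
    return None


def new_record(password: str) -> dict:
    salt, digest = hash_password(password)
    return {"salt": salt, "digest": digest, "history": []}


def change_password(record: dict, old: str, new: str, keep: int = 5) -> dict:
    """Authenticate with the old password, apply the rules, store the new hash."""
    if not verify_password(old, record["salt"], record["digest"]):
        raise ValueError("old password incorrect")
    reason = too_similar(old, new)
    if reason:
        raise ValueError(f"new password rejected: {reason}")
    for salt, digest in record["history"]:          # exact reuse, hashes only
        if verify_password(new, salt, digest):
            raise ValueError("new password rejected: used before")
    history = (record["history"] + [(record["salt"], record["digest"])])[-keep:]
    salt, digest = hash_password(new)
    return {"salt": salt, "digest": digest, "history": history}


def rejected(record: dict, old: str, new: str) -> bool:
    """True if change_password refuses the change (helper for demos/tests)."""
    try:
        change_password(record, old, new)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    rec = new_record("RootPassword!1")
    print("RootPassword!2 rejected:", rejected(rec, "RootPassword!1", "RootPassword!2"))
    rec = change_password(rec, "RootPassword!1", "6B=1X8Vg+Bxqfs=2oPEy")
    print("back to old one rejected:", rejected(rec, "6B=1X8Vg+Bxqfs=2oPEy", "RootPassword!1"))
```

      The rule set is deliberately narrow: it catches the increment-the-suffix habit this thread describes, but it cannot see a password that was changed two cycles ago except as an exact match against its hash, and it cannot stop the user choosing something weak but unrelated. That is the limit of what a server can enforce without keeping plaintext, which is one reason the guidance in the article moves away from forced rotation in the first place.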
    8. Re:less password01? by sociocapitalist · · Score: 1

      They have this at my employers and it has always worried me.

      For this to work they'll have to store the password in clear somewhere so they can make comparisons.

      If they used the conventional approach of passing the given text through a few iterations of SHA then even just a one-bit difference in given passwords would make a huge change to the encrypted one - so how could they tell if the new one was similar to the older one?

      By decrypting them? :-)

      --
      blindly antisocialist = antisocial
  13. Most rotated passwords are... by xxxJonBoyxxx · · Score: 2

    RootPassword!1
    RootPassword!2
    RootPassword!3
    and so on.

  14. you can trust your government's advice ! by swell · · Score: 0

    This just in ...

    Governments around the world agree; just use your name or '1234567'. It is estimated that governments (and taxpayers) will save billions on expensive technology used to decrypt worldwide communications. Garth Grunt (not his real name), representing an anonymous spy agency in an anonymous country says "Do the patriotic thing. Loosen up your security so that we can protect you better."

    That's today's headline, now for the rumors behind the news...

    --
    ...omphaloskepsis often...
  15. Microsoft Research and Their Password Policies by HannethCom · · Score: 4, Informative

    Microsoft Research found that the maximum times people could change a password and have it secure is twice a year. This was the absolute limit where they suggested that a more realistic limit was once a year. Any more than twice a year and people had to start writing them down, or use insecure passwords that were easy to remember. A common one being an easy to guess word with an incrementing number after it.

    The irony is that Windows Server defaults to having you change your password every 42 days. 8-9 times a year.

    How do I know this? I studied for the Microsoft Security Test. They had one required book for studying and one recommended book for studying. The required book would help you pass the test. The recommended book was written by Michael Howard, Microsoft's top secure code specialist. In the book, Writing Secure Code, he would reference the research division's work. Basically the book said that everything on the test and the other book was wrong. I have taken courses in security which matched what Microsoft Research and what Michael Howard said. I would highly recommend reading Writing Secure Code, as even with taking courses on it, I learned a lot from that book.

    For the record, I didn't pass the security test. I got 1 question "wrong." I don't know about now, or if the test still exists, but you used to have to 100% it.

    --
    Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
    1. Re:Microsoft Research and Their Password Policies by Anonymous Coward · · Score: 0

      Microsoft Research found that the maximum times people could change a password and have it secure is twice a year.[...]

      Did you have a link to the particular study? MR has done a bunch of stuff on the topic, so it's hard to find the exact one that you may be referring to.

  16. Yes, re-use passwords... by Anonymous Coward · · Score: 0

    ...so the authorities don't have to bother with warrants.

    Here is my advice for passwords:

    1) Two-factor authentication for everything that matters;

    2) Your e-mail account matters a lot, because it can be used to reset passwords;

    3) But nothing important should have a password resettable by clicking on an e-mail link;

    4) When I say "password", I mean passphrase. Less of th15_$h1t and more of "and your husband wants to be a girl be glad there's one place in the world where everybody knows your name";

    5) With some per-site adjustment for insignificant sites by remembering a simple algorithm, e.g. derived from first letter of the domain name, to prevent automated break-in attempts when passwords are stolen from one site;

    6) If you have trouble remembering passwords, WRITE THEM DOWN rather than simplifying them. But with pen and paper only. The least likely way you'll have anything stolen (by public or private entities) is physically;

    7) If you're going to change passwords regularly, see 5;

    8) For fuck's sake don't use federated login e.g. Facebook.

  17. its all gone to shit anyway by Anonymous Coward · · Score: 0

    Things are monstrously bad out there. Individuals here often personally talk about their chosen steps. That's fine. But real world the asshats handling your data very likely don't do a good job of it. At work the directors and senior money people won't be doing a good job with your personal shit. They won't be putting your passport picture, number, and other stuff in suitable safe places with correct treatment. They all think security is irrelevant.

    And in the rest of the world - huge sites and business hoover up creds and then store them like asshats in poorly designed, badly secured DBs and systems with either old, broken, poor or non existent salting and encryption. Even if they do initially protect it well, the devops bullshit that's raping the world will mean the smart guys who originally did stuff are long gone and some useless goon who doesn't care about sec or isn't trained in it ends up 'administrating it'.

    I used to lean towards the idea of full disclosure. But I've moved away from that. All that's actually done is blown open Pandora's box. The vendors now, and the users are left trailing in the fucking infosec tornado wars between the releasers, the vendors, the underresourced IT people and victims. Every lunatic has their own arsenal in their backpocket now and metasploit and its ilk mean the automation of attacks and footprinting is legion. And that's just the bedroom amateurs. The middle layers, goons, gangsters, crims, gov and the rest are way ahead.

    I fucking work at a PLC. When I went into a sub company I found 19000 viruses. Machine updates wrecked by said viruses. OSs unpatched and out of support. The PLC goons originally blamed the last guy - and from what I see he was just hugely under resourced. But it just kept getting better and better. They had 6 years ago opened a Chinese office. I'm not even gonna say how rancid that is. And the PLC itself has inbound malware and viruses on a scale I'd not seen before. It was at that point I found the much vaunted PLC IT 'dept' had inbound mail scanning, and the scanning was so bad that they allowed mail in from internet domains that had no fucking MX record. WTF.. I rolled F-secure into the whole desktop environment, and I at least put something in on mail (Sophos PureMessage) and I'm scrambling back towards what I would say is desperately average and certainly no better.

    The guy who left and whom I have taken over from is about to take a new job at the Parliamentary Standards bunch. While I can see he was way understaffed, the idea he would get a billion miles inside anything requiring security pretty much speaks volumes.

    Fuck this new advice. Protect yourself however you can. Stay away from what you can, where you can and good fucking luck!

  18. I got a different password for every site by future+assassin · · Score: 4, Insightful

    Now I don't always remember it 99.9% of the time, but what I do is have a pattern that I use to extract 4 letters from a site's name and use 4 or so selected 4 number combos which I combine into a password. At least it gives me different passwords for different sites.

    --
    by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    1. Re:I got a different password for every site by Anonymous Coward · · Score: 0

      Essentially similar, but with groups of words and numbers.

      It is trivial to give services and periods of TIME a unique password.

      I feel sorry for those that find it hard. It must suck being slow.

    2. Re:I got a different password for every site by Anonymous Coward · · Score: 0

      Now I don't always remember it 99.9% of the time, but what I do is have a pattern that I use to extract 4 letters from a site's name and use 4 or so selected 4 number combos which I combine into a password. At least it gives me different passwords for different sites.

      I did see an Ashley Madison password:
      A1984s42h69l007

      So, your current slashdot password would be: Slas 1984, 42, 69, 007, giving:
      S1984l42a69s007

      Nice. I'm expecting an "interesting" reply from your account soon...
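
The reply above works the scheme backwards from a single leaked password. The following is an added example, not code from any poster in this thread: it encodes the rule the reply applied (first four letters of the site name interleaved with fixed number groups) and shows that one (site, password) pair is enough to recover the groups and derive the password for any other site. The interleaving rule is an assumption inferred from the two quoted passwords; the site names, numbers and passwords are the ones quoted above.

```python
"""Added example: reconstruct a site-name-derived password scheme from one leak.

Assumption: the poster takes the first four letters of the site name, upper-cases
the first, and interleaves them with four fixed digit groups. That rule is inferred
from the two passwords quoted in the thread, not confirmed by the poster.
"""
from typing import List, Optional

LEAKED_SITE = "ashleymadison"
LEAKED_PASSWORD = "A1984s42h69l007"   # quoted in the thread


def derive_password(site: str, groups: List[str]) -> str:
    """Interleave the first len(groups) letters of the site with the fixed groups."""
    letters = site[: len(groups)]
    letters = letters[0].upper() + letters[1:].lower()
    return "".join(letter + group for letter, group in zip(letters, groups))


def recover_groups(site: str, password: str, n_letters: int = 4) -> Optional[List[str]]:
    """Given one (site, password) pair, recover the fixed digit groups.

    Returns None when the password does not fit the letter/digits/letter/digits
    pattern for this site, i.e. when the scheme assumption does not hold.
    """
    letters = site[:n_letters].lower()
    groups: List[str] = []
    pos = 0
    for letter in letters:
        if pos >= len(password) or password[pos].lower() != letter:
            return None
        pos += 1
        start = pos
        while pos < len(password) and password[pos].isdigit():
            pos += 1
        groups.append(password[start:pos])
    if pos != len(password) or any(g == "" for g in groups):
        return None
    return groups


if __name__ == "__main__":
    groups = recover_groups(LEAKED_SITE, LEAKED_PASSWORD)
    print("recovered groups:", groups)                       # ['1984', '42', '69', '007']
    for site in ("slashdot", "google", "paypal"):
        print(site, "->", derive_password(site, groups))     # slashdot -> S1984l42a69s007
    # A password generated without the scheme does not fit, so recovery fails.
    print(recover_groups("slashdot", "xK9#vQ2!pL"))          # None
```

The point the recovery function makes is that a per-site pattern only protects accounts until one password from any site leaks in plaintext or is cracked; after that the "different password for every site" property is gone for every site whose name the attacker can guess.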

    3. Re:I got a different password for every site by future+assassin · · Score: 1

      Did you log in yet? I just got home so you had 2+ hours to log in.

      --
      by TheSpoom (715771) Uncaring Linux user here. I have nothing to add to this but please continue. *munches popcorn*
    4. Re:I got a different password for every site by houghi · · Score: 1

      You are not the person at risk. The person at risk is your spouse or your kid or your cow orker or your grandma.

      The weakest link is what is important. And still what most IT departments do is cover their asses by demanding you change your password every 36 minutes, not write it down and have 5 different ones just to log in.

      They know nobody will be able to follow it, but they can say "He did not follow security procedures. Fire him, not me."

      Security is a social problem, yet they still want a technical solution. It is a social problem, because people forget things. People want to have it easy. People do not understand the risks. ...

      And as long as you do not take that into account, it won't work and saying 'I have a good system for ME' does not solve anything.

      --
      Don't fight for your country, if your country does not fight for you.
  19. Hunter239 by Bender+Unit+22 · · Score: 1

    Indeed, I have reached Hunter239 on my password now. It sucks having to change it every week.

  20. Bad idea. by hilather · · Score: 1

    Changing your passwords every so often is important, most password breaches go undisclosed, not all 'crackers' are releasing their findings.

    1. Re:Bad idea. by Mouldy · · Score: 1

      most password breaches go undisclosed, not all 'crackers' are releasing their findings.

      [citation needed]

  21. Is that why.. by s.petry · · Score: 1

    Your Karma sucks so bad?

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  22. Obligatory xkcd reference by Anonymous Coward · · Score: 2, Informative

    https://xkcd.com/936/

  23. Re:The slashdot headline is WRONG by Anonymous Coward · · Score: 0

    Right, they are absolutely not saying password reuse is okay for sites that have "valuable data." Whoever wrote the slashdot post really distorted the meaning.

  24. Re:that's what I do now. Better might be algorithm by fisted · · Score: 1

    I change passwords every year or two, generally adding complexity (length) to the previous password. By now, they are pretty good passwords, but I've memorized them a piece at a time.

    That's actually a nice idea

  25. Or.. by s.petry · · Score: 4, Insightful

    You memorize a single strong password for a key storage program like Keepass, and only bother with 1 strong password being changed at your recommended frequency. I can change all of my other passwords randomly as often as I want and don't need to remember them all. I keep the encrypted DBs on a Thumb drive in my pocket, and a backup in a safe.

    While not perfect this setup is safer due to the lack of a keylogger picking things up. No system is perfect so I go for "better" and "best practices". I would much rather have a 20+ character password for my DB I change every 9-12 months than try and remember dozens and dozens of various passwords I have for everything else.

    Oh, I should add that I use multiple databases for multiple purposes. I don't mix business and pleasure.

    --

    -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    1. Re:Or.. by sociocapitalist · · Score: 1

      You memorize a single strong password for a key storage program like Keepass.

      I've always wondered if the password storage programs are targets for attack and if so how secure they actually are. They seem vulnerable to keyloggers, for example, or password attacks on the master password.

      --
      blindly antisocialist = antisocial
    2. Re: Or.. by Anonymous Coward · · Score: 0

      Yeah, because the clipboard had heavy security, or even functions properly in these vm days..

    3. Re: Or.. by Anonymous Coward · · Score: 0

      The main thing to be aware of is the difference in attack mechanism on your password db versus an account on some service.

      The password db will most likely be an offline attack against the file, so the attacker can brute force attempt passwords as fast as they have CPU power.

      Most (properly configured) servers will rate limit password attempts and lock out an account if it detects a brute force attempt.

      This means that you need a much more complex password to keep the password database secure. They're still a good idea, but while 8 mixed characters is fine for most account purposes, I wouldn't use less than 20 for a password store.
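
The comment above draws the distinction between an offline attack on a vault file and an online attack on a rate-limited service. The following is an added example, not code from the thread or from KeePass or any other password manager: it puts the same weak master password under both attack models using only the Python standard library. The vault layout (a salt, an iteration count and a PBKDF2 key-check value) is an assumption that stands in for a real manager's encrypted database, and the iteration count is kept low so the demo runs in well under a second; real vaults use far higher counts, and that per-guess cost is the only brake on the offline attacker.

```python
"""Added example: the same wordlist against an offline vault and an online login."""
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Deliberately low so the demo is fast (assumption, not a recommendation).
DEMO_ITERATIONS = 1_000


def derive_key(password: str, salt: bytes, iterations: int = DEMO_ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256 from the standard library; stands in for a vault's KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def make_vault(master_password: str) -> dict:
    """Assumed vault layout: salt, iteration count and a key-check value."""
    salt = os.urandom(16)
    return {"salt": salt, "iterations": DEMO_ITERATIONS,
            "check": derive_key(master_password, salt)}


def offline_attack(vault: dict, candidates: Iterable[str]) -> Optional[str]:
    """Attacker holds the file: nothing throttles guesses except KDF cost."""
    for guess in candidates:
        key = derive_key(guess, vault["salt"], vault["iterations"])
        if hmac.compare_digest(key, vault["check"]):
            return guess
    return None


class OnlineVerifier:
    """Server-side login that locks the account after max_failures bad guesses."""

    def __init__(self, password: str, max_failures: int = 5) -> None:
        self._salt = os.urandom(16)
        self._check = derive_key(password, self._salt)
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def login(self, guess: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(derive_key(guess, self._salt), self._check):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
        return False


def online_attack(verifier: OnlineVerifier, candidates: Iterable[str]) -> Optional[str]:
    """Same wordlist, but every guess passes through the server's lockout logic."""
    for guess in candidates:
        if verifier.locked:
            return None
        if verifier.login(guess):
            return guess
    return None


# Constructed wordlist for the demo; "hunter2" sits past the lockout threshold.
WORDLIST = ["password", "letmein", "123456", "qwerty", "dragon", "monkey", "hunter2", "welcome1"]

if __name__ == "__main__":
    vault = make_vault("hunter2")
    print("offline:", offline_attack(vault, WORDLIST))                 # hunter2
    server = OnlineVerifier("hunter2")
    print("online :", online_attack(server, WORDLIST), server.locked)  # None True
```

The online verifier stops the same seven-guess dictionary cold; the offline attacker just keeps going. Raising the iteration count (or moving to a memory-hard KDF) multiplies the offline attacker's cost per guess, but a longer master password is the lever that actually scales, which is why the comment's "not less than 20" for a vault is reasonable where 8 characters plus lockout may suffice online.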

    4. Re:Or.. by s.petry · · Score: 1

      You memorize a single strong password for a key storage program like Keepass.

      I've always wondered if the password storage programs are targets for attack and if so how secure they actually are. They seem vulnerable to keyloggers, for example, or password attacks on the master password.

      Yes they are vulnerable, and the people coding them know they are vulnerable. I won't use closed source code for that reason, it would be too easy for someone to build in back doors.

      Everything is vulnerable to a key logger, which is why you don't use devices you are unsure of. Mid stream, the password manager is safer because it uses memory only, not input devices.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

  26. Bad State by Cammi · · Score: 0

    You know the IT state is pretty bad when they still require passwords in 2015.

  27. Too similar by Jumunquo · · Score: 4, Interesting

    They caught onto us at our workplace. Now passwords have to be significantly different by some secret algorithm and incrementing a number is not different enough. Of course, that just means people think up other schemes.

    1. Re:Too similar by Applehu+Akbar · · Score: 4, Insightful

      "Think up other schemes?" No, they just start writing passwords down. Behavior becomes less secure.

    2. Re:Too similar by jrumney · · Score: 5, Insightful

      Or they frequently forget their password, and after getting sick of all the support requests for password reset, an automated password reset system is put in place that has more security holes than the passwords they are trying to block. Even if the system is not automated, think about the potential for social engineering attacks when forgotten passwords are a daily annoyance for helpdesk staff that they just want to get out of the way as soon as possible.

    3. Re:Too similar by rtb61 · · Score: 1

      So go with minimum three-word passphrases: only three things to remember, and you really run up the number of characters. It is not just three words to decrypt, because you do not know word length, so the entire phrase must be decrypted. Even longer phrases really mean it is only one thing to remember, the phrase, but from the other side it can be 20 or more characters to solve; you can require even longer phrases, and it is still really easy to remember.

      --
      Chaos - everything, everywhere, everywhen
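
The comment above (and the xkcd 936 link earlier in the thread) is about passphrases built from whole words. The following is an added example, not from any poster: it generates such a passphrase with a CSPRNG and works out the guess count under the two attacker models that come up in the thread, one who has the wordlist and guesses word combinations, and one who treats the phrase as opaque characters of known length. The twelve-word list is constructed for the demo; the 7776 figure is the size of a standard diceware-style list and is used only in the arithmetic.

```python
"""Added example: passphrase generation and the entropy arithmetic behind it."""
import math
import secrets

# Constructed sample list for the demo; real diceware-style lists have 7776 (6^5) entries.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "sunrise", "quartz",
                "lantern", "pebble", "velvet", "anchor", "meadow", "copper"]
DICEWARE_SIZE = 7776


def passphrase(words, n_words: int = 3, sep: str = "-") -> str:
    """Pick words uniformly with secrets.choice (never random.choice for secrets)."""
    return sep.join(secrets.choice(words) for _ in range(n_words))


def guesses_if_list_known(list_size: int, n_words: int) -> int:
    """Attacker who has the wordlist: one guess per word combination."""
    return list_size ** n_words


def guesses_if_chars_only(charset_size: int, length: int) -> int:
    """Attacker who only knows the phrase is `length` characters from a charset."""
    return charset_size ** length


def entropy_bits(guesses: int) -> float:
    return math.log2(guesses)


def words_for_target(list_size: int, target_bits: float) -> int:
    """How many words from a list of this size reach the target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    p = passphrase(SAMPLE_WORDS)
    print("sample phrase:", p)
    three_words = guesses_if_list_known(DICEWARE_SIZE, 3)
    print("3 words, list known   : %.1f bits" % entropy_bits(three_words))
    print("20 lowercase, no list : %.1f bits" % entropy_bits(guesses_if_chars_only(26, 20)))
    print("8 printable chars     : %.1f bits" % entropy_bits(guesses_if_chars_only(95, 8)))
    print("words for 80 bits     :", words_for_target(DICEWARE_SIZE, 80))
```

Against an attacker who has the list (and the common lists are public), three words from a 7776-word list are about 39 bits, less than eight random printable characters; the phrase only looks like "20 or more characters to solve" to an attacker who does not try word combinations. The `words_for_target` helper shows how many words it takes to reach a given strength once you assume the list is known, which is the safe assumption.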
    4. Re:Too similar by sFurbo · · Score: 1

      It also means they store the passwords in plaintext (or something so close to plaintext as to not matter, or they use a far too easy hashing function).

    5. Re:Too similar by godefroi · · Score: 2

      Not necessarily. Most password change schemes require you to provide the old password and the new. They don't need to store the plaintext, you hand it to them with the new one.

      --
      Karma: Poor (Mostly affected by lame karma-joke sigs)
    6. Re:Too similar by Anonymous Coward · · Score: 0

      to change a password you usually have to enter the old password. they could compare at that time to enforce the policy, while still storing the passwords securely.

      of course i don't know if that is what they are doing in the gp's case.
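
The two replies above make the point that a "too similar" rule does not require storing plaintext, because the change request carries the old password. The following is an added example, not code from the thread or from any particular product, of an account object that stores only salted PBKDF2 hashes (current plus a bounded history), checks similarity on the two plaintexts that exist only for the duration of the change request, and checks reuse against the history by re-hashing the candidate under each retired salt. The edit-distance threshold and history size are illustrative assumptions.

```python
"""Added example: similarity and reuse checks at change time without plaintext storage."""
import hashlib
import hmac
import os
from typing import List, Optional, Tuple


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to reject "hunter2" -> "hunter3" style changes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


class Account:
    """Holds only salted PBKDF2 hashes: the current one and a bounded history."""

    def __init__(self, password: str, history_size: int = 5, iterations: int = 100_000) -> None:
        self.iterations = iterations
        self.history_size = history_size
        self.history: List[Tuple[bytes, bytes]] = []   # (salt, hash) of retired passwords
        self.salt, self.hash = self._hash(password)

    def _hash(self, password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
        salt = salt or os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                     self.iterations, dklen=32)
        return salt, digest

    def verify(self, candidate: str) -> bool:
        return hmac.compare_digest(self._hash(candidate, self.salt)[1], self.hash)

    def change_password(self, old_pw: str, new_pw: str, min_distance: int = 3) -> Tuple[bool, str]:
        if not self.verify(old_pw):
            return False, "current password incorrect"
        # Both plaintexts exist only inside this request; nothing below is persisted.
        if levenshtein(old_pw.lower(), new_pw.lower()) < min_distance:
            return False, "new password too similar to current password"
        # Reuse check works on stored hashes: re-hash the candidate under each retired salt.
        for salt, digest in self.history:
            if hmac.compare_digest(self._hash(new_pw, salt)[1], digest):
                return False, "new password was used recently"
        self.history = ([(self.salt, self.hash)] + self.history)[: self.history_size]
        self.salt, self.hash = self._hash(new_pw)   # fresh salt for the new password
        return True, "password changed"


if __name__ == "__main__":
    acct = Account("correct horse battery", iterations=1_000)
    print(acct.change_password("correct horse battery", "correct horse battery2"))  # (False, too similar)
    print(acct.change_password("correct horse battery", "staple sunrise quartz"))   # (True, changed)
    print(acct.change_password("staple sunrise quartz", "correct horse battery"))   # (False, used recently)
```

Note the cost of the history check: each retired entry means one more KDF evaluation per change request, which is fine for five entries and a reason not to keep a long history with a slow KDF. The similarity check is only possible because the old password is presented at change time; an administrator-initiated reset, where no old password is supplied, cannot apply it.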

    7. Re:Too similar by wwphx · · Score: 1

      1st change: prefix & suffix & number

      2nd change: number++ & suffix & prefix. Vary as needed. Nothing written down.

      I've been doing this successfully for ages. Easy to remember, produces reasonably high entropy passwords. But as has been pointed out, everything depends on how robust a system is that's storing it on the other side.

      --
      When you sympathize with stupidity, you start thinking like an idiot.
    8. Re:Too similar by Anonymous Coward · · Score: 0

      "Think up other schemes?" No, they just start writing passwords down. Behavior becomes less secure.

      Our IT Preventers haven't tumbled onto the concept of the physical layout algorithm password system yet; i.e. every third letter in the top row, then next time you are forced to generate a new password, you bump them one char over, etc. because there is a finite limit to the number of quasi-random passwords you can come up with and remember. Of course, they don't read things like this, so they won't ever discover this scheme.

    9. Re:Too similar by gzuckier · · Score: 1

      1st change: prefix & suffix & number 2nd change: number++ & suffix & prefix. Vary as needed. Nothing written down. I've been doing this successfully for ages. Easy to remember, produces reasonably high entropy passwords. But as has been pointed out, everything depends on how robust a system is that's storing it on the other side.

      One kicker is the requirement for a nonnumeric nonalpha character, # or $ or whatever. The problem is that different systems have different sets of such chars that they will accept, and the intersection that all will accept is small, and therefore it's hard to avoid repeats. (I try to keep my passwords to my work system the same at any given time, since it's hard enough to remember even just one).

      --
      Star Trek transporters are just 3d printers.
  28. Re:Passwords are for cows. by Anonymous Coward · · Score: 0

    You, sir, are the least annoying troll in history. That one was actually pretty good.

  29. Oh, and btw: don't encrypt! by Anonymous Coward · · Score: 0

    UK Govt: "Use less passwords. And BTW: don't encrypt things'n stuff. It just makes a mess of the data".

    Yeah, right.

  30. Re:that's what I do now. Better might be algorithm by sociocapitalist · · Score: 1

    That's what I do now, I basically classify things as low, medium, or high security.

    Me too so I set all my passwords to 'low', 'medium' and 'high' depending on security level so I won't forget which is which.

    Damned websites keep complaining that my password has to be longer than three characters though - and I have no way to say 'but your site doesn't matter to me so three is just fine'.

    --
    blindly antisocialist = antisocial
  31. Re:that's what I do now. Better might be algorithm by Anonymous Coward · · Score: 0

    PassHash

  32. Re:Passwords are for cows. by OolimPhon · · Score: 1

    Hey! That's the combination to my luggage!

  33. Am I Wrong? by Anonymous Coward · · Score: 0

    I've been saying this for years... by frequently forcing people to change their passwords, they're going to be way less secure. I could train myself to remember a decent-sized random mix of letters and numbers, but if I had to change it every 30 days, I'd much rather stick to something more basic, or just toss an incrementing number at the end.

  34. A standard would be nice by nehumanuscrede · · Score: 1

    Some sort of minimum security standard across the damn board would be greatly appreciated.

    Set minimum password strength, length, type requirements. Set standards for hashing and storing login credentials, etc. You adhere to the standard and become certified to do business out on the web. No certification, no web business for you. Though, we sorely need the same standards applied to corporate networks that carry customer information as well. ( Eg: Home Depot, Target, etc )

    Every site has different requirements. Password length, characters used, characters that cannot be used, password reuse, etc. etc. Password change day absolutely SUCKS because the password I choose to use for site X may or may not work for site Y. Like most of you, I have to keep a list of all the sites that are on the password rotation schedule because there are so damn many.

    Related:

    Passwords and encryption keys can be pretty strong but upon reaching a certain strength, will no longer be the focus of an attack. Keyloggers and the like pretty much negate the strongest encryption key or passwords you can come up with ( if using single factor authentication ) so I'm not sure what the charade by the government is about decrying strong encryption when all they have to do ( and they know it ) is exploit a bug or deploy malware into the software that drives your keyboard.

    Encryption by default on the latest $smartphone is nice, but when the NSA's greatest buddy is responsible for updating your software ( say . . . AT&T ) then it's a pretty good chance your device is nowhere near as secure as you might like to think it is.

  35. Not about security- it's shifting liability to you by Matt_Bennett · · Score: 1

    With all the password hacks/cracks/thefts, my cynicism has led me to believe that password policies are not about protecting the user, they are about protecting the company. With every damn website and store loyalty program asking you to create an account, it's to the point of absurdity. But they tell you that you need to create a unique password, of course. The uniqueness is not there to protect the user, it's to protect the company from liability when their crappy data policies (storing passwords in plain text in a file protected by changing the robots.txt rules, etc) lead to a data breach. "Oh, the password that was stolen from our yahoo storefront for customized puppy faced iphone cases, and allowed Elbonian hackers to drain your bank account and charge child porn to your credit card? We told you not to reuse passwords- it isn't our fault you're now a felon on a sexual predator list."

  36. Re:Not about security- it's shifting liability to by Anonymous Coward · · Score: 0

    ding ding ding.

    I have sat in meetings where precisely this was discussed as part of our password policies.

    Of course it works both ways. We also don't want a PuppyFacePhone.com breach to grant access to our systems. C.Y.A coming AND going.