Is your password listed here?

[hmelton]

There was a password discussion over on the FFML and Lately I've been seen several articles not just about Gawker, but other companies being compromised for the password list. This probably isn't any relation, but if you have a habit of using a single passworkd at several sites or use some the passwords listed in the article below you might want to change some passwords.

Gawker Hack Exposes Ridiculous Password Habits

http://www.pcworld.com/ar...s.html?tk=nl_dnx_h_crawl

I've seen most of the passwords mentioned in the above article before, but from my own personal experience repairing, rebuilding or salvaging computers I'd add in "King", Queen", "god" and "boss". Teachers seem to like these four.

My personal advice I give to my friends is to pick complex passwords and make sure to write them down and keep them.

I also tell them to always assume I or any other tech they leave their computer with will be able to recover all the passwords they use so CHANGE THEM! after each visit to the repair shop.

Usually if their private stuff like address books, billfolds, purses or diary has been stolen or even gone through they will notice and have time to change passwords, especially if they follow my second bit of advice below.

You don't have to make it obvious it's passwords you have written down, for example pick complex passwords that look like contact information that contains such things as names, birth dates, meeting dates, meeting place, and company affiliations then have your own private mental hash pattern that builds the actual password from what was written down. One example I usually give is the extremely simple hash pattern of picking every 4th character making sure to include spaces, dashes, numbers and any other special characters in the generated password.

The passwords generated this way aren't perfect, but they are better than what would usually be used.

howard melton

god bless

[CattyNebulart]

That works until you run into the kind of failure at security planning like I'm currently dealing with, a regular user has to remember 3 passwords that according to policy should be different and have different expiration times (all around 90 days), in addition to two pins. Minimum 8 characters, not one of the last 16 used, uppercase, lowercase and numbers required but symbols are not allowed. There is also supposed to be a disciplinary action if we write down passwords.

In addition if you are actually working with multiple computers (say you work in IT) you usually need to remember a few dozen passwords, or in some cases a few hundred passwords.

Those factors lead me to know the few simple patterns most people follow, the only saving grace is that it locks you out after 3 failed passwords and it takes about a day or two to get it reset. which is about as catastrophic to productivity as you would imagine is to be.

In the above example the individual factors of the security plan are ok (well aside from not allowing symbols in passwords, a bizarre failure), but as a whole it's actually counterproductive. Think about how users will react to a system when desining it, if the password changes once every two years most users will pick a good password if it is important, but if it is a hassle every few months people can't be bothered to.

it doesn't help that throwaway sites require registration and passwords all over the place. especially when such a throwaway site has a 'strong' password policy.
E: "Did they... did they just endorse the combination of the JSDF and US Army by showing them as two lesbian lolicons moving in together and holding hands and talking about how 'intimate' they were?"
B: "Have you forgotten so soon? They're phasing out Don't Ask, Don't Tell."

[Black Aeronaut]

USN's password policies tend to annoy the shit outta me. Must be stupidly long, and have several of everything - letters (both upper and lower case), numbers, and symbols. Oh, and forget about using something you used before. By the time you're able to you'll have forgotten it.

Of course, there is the option of using our Common Access Cards (aka your Military ID Card) with an eight digit pin to log in... but for some reason that's just not good enough for the ITs on my ship.

[hmelton]

What I suggested wasn't perfect by any measure, but it produced better passwords than what they were originally using and let them use complex passwords without to much worry of losing the passwords.

One thing I wish is that sites would email customesr when their passwords comes under attack or just let the customer have access to the record of the login attempts to an account.

CattyNebulart

HUNDREDS of passwords! and they probably get really angry if you confuse or forget your passwords don't they.

Sounds like your almost to the point of asking yourself if the computers holding the data should be on the internet at all.

The only advice I have for working with such a large number of long passwords that change so quickly is to create a private cipher based on rolling dice and write down those numbers so that you can recover the password anytime you confuse or forget it.

Example cipher (don't actually use this one it's not completely defined and did I say it was "simple"

Take 1 to 6 books and a some dice and then roll up 64 random numbers and write them down.

Every 4th number in the sequence of 64 numbers is the book you use and the 3 preceding numbers is the page number in that book with the whole number part of the square root of the 3 digit number being the word count on the page the 3 digits pointed at.

If the number is greater than the word count on the page use the first 3 digits of the square of the 3 digit number in the password.

If the page is blank or has only a picture then square root the number again and if whole part is less than 7 then use that number a dash and a X.

If you can pick a word from the page and that word contains the letters L, I, T or H then you pick the first and last letters of the word only.

If the word doesn't have the above 4 letters then pick the next character in the word and use that.

if the....

you get the idea.

Passwords almost makes me want to use a program that checks the typing pattern for typing a long rarely changing password instead of the password being critical.

hmelton

God bless

[Sofaspud]

A simple scheme that produces very secure passwords, that doesn't require your poor meat brain to remember a thousand different kinds of alphabet soup, is to use a two-key encryption system.  And I'm not talking about something you need a calculator, computer, or even an abacus for.
Benefits: you never have to remember more than one password ever again; password generation is quick, easy, and secure; you don't have to trust anyone or anything else to remember your password for you.
Downsides: if too many sites containing your encrypted password are hacked, and, those accounts are linked to you, someone could puzzle out your encryption scheme and figure out your master password.
Now, the downside isn't something that is going to happen by accident -- especially if you follow basic safety precautions like changing your master password and updating the others as soon as a site is hacked.  You'd have to be deliberately targeted for anyone to figure it out, and if you're being deliberately targeted then you have bigger issues.
Anyway.  The scheme is simple:
1) Create a reasonably secure 'master password' that you can remember, 8 letters or more long (that being the common standard).  You will never write it down, so commit it to memory, and obviously don't fall into the trap of using your SSN, mother's maiden name, birthday, etc.  An easy way is to pick a random word that has meaning to you -- "Lopsided", as an example -- and then convert it to leet-speak.  Vowels become numbers, like so: "L0ps1d3d".  Anything here works, so long as it is something you will remember.
2) For every site/domain/whatever that you need a password for, combine your master password with the name of the place the password is for, by alternating letters from each (or use whatever method you prefer; go down the columns, or a rotate-by-three, or whatever).  Pad the site name with X's, a symbol, or whatever, as needed, or just repeat the site name.  If I were creating a Gizmodo account using my above master password, it would work like so:
L0ps1d3d
Gizmodo
---------
Lipm1d3x
2a) For situations requiring a rotating password, where you have to change it every X days and it can't be part of the previous sequence, incorporate the date.  Alternate which one you start with (top or bottom) every time -- you'll always know, because you know your scheme:
Lipm1d3x
Jun2010
--------
Jinm0d0x
That's it.
You can do the entire process in your head in seconds.  So long as you never forget your master password, you'll be able to create a secure password for every site you visit without exposing any other sites to easy hacking.

--sofaspud
--"Listening to your kid is the audio equivalent of a Salvador Dali painting, Spud." --OpMegs

[jpub]

I use a scheme based on a similar idea, but it generates longer passwords, using a 8-character base appended with a unqiue marker for each site. If someone happens to break through, they get a common base and a possible clue to others, but the marker's are non-obvious and I change the base every 3 months.

[SilverFang01]

For myself I use Keepass to generate my passwords, one for each site I have an account for and keep two encrypted backup copies of the database.  That way I just have to remember the master password which I generate on my own.  Also each password is no less than 15 characters in length. 
Another way is thru the command line if I'm on a Linux box and copy pasting on a text file encrypted with my gpg private key, again with offsite backups just in case.
My family thinks I'm way too paranoid  :p  but I prefer to be prepared. 

[Dartz]

I just use motorcycle/computer manufacturer and model numbers.

Something like ZZR600Kawasaki.

Hard enough to crack. Easy enough to hint at. Easy enough to remember. I use a different source for my gmail password, and that's about it. Anything else is pushing too far. Really, all you want to stop are the opportunists that come along and want to try a simple dictionary-based attack. Anyone who's really going to attack... there're easier ways to get a password than hacking a website and brute-forcing the encryption. Keyloggers/Phishing are usually far more effective and far more insidious.
________________________________
--m(^0^)m-- Wot, no sig?

[Werehawk]

I generally use the scientific latin name (either complete or just part of it) of an animal or plant and a set of numbers and symbols.

An example would be !@Canislatrans12

And my password clues are to animals and plants around my parents home in Guatemala. It can be something obscure like species name of large lizard in wood pile in backyard...
--Werehawk--
My mom's brief take on upcoming Guatemalan Elections "In last throes of preelection activities. Much loudspeaker vote pleading."

[Jinx999]

I don't go to that extreme - secondary characters in obscure anime is generally enough for me. Then again, I don't bank online or be on facebook.

[hmelton]

Another artilce about passwords, but this one provides links to a couple of programs that lets you test your own password and make sure it's actually safe.

The article also mentions that some experts have started to think that it might be better to force the use of a long complex password for each account that isn't changed very often.

These experts think that having policies where people must change passwords every 30 or 90 days is nearly like shutting the barn door after the damage has been done.

From a personal point of view if my password wasn't changed often I would be far more likely to pick a complex and long password that would be much harder to crack or guess.

--------------
http://www.pcworld.com/bu...ml?tk=nl_spx_h_cbstories
--------------

hmelton

Merry Christmas

[Sweno]

I'm a big fan of longer complex passwords

They seriously cut down on the threat of it being brute forced. Which is the only logical reason I have heard for rotating passwords every three months.
-Terry
-----
"so listen up boy, or pornography starring your mother will be the second worst thing to happen to you today"
TF2: Spy

[hmelton]

Mozilla accidentally published 44,000 passwords and user ID's.
The article below talks about it and has good advice about passwords.
article
hmelton
God bless