NationStates Jolt Archive


Passwords

Posi
30-08-2007, 05:20
Is anybody else starting to be bugged by websites' and software's rules for passwords? Most started out with a 4 or five letter minimum, but many have moved on to requiring a letter and a number, or 8 letters, or even a letter, a number and a non-alphanumeric character. It's becoming something of a pain in the ass as I basically have to come up with a new password to meet the requirements of a lot of sites, and that means I am basically going to forget the password in a week.
Fleckenstein
30-08-2007, 05:22
Or you could use the same password for everything and have IE/FF remember them all. . .
Posi
30-08-2007, 05:25
Or you could use the same password for everything and have IE/FF remember them all. . .

The problem is, I can't use my old password for the new site, and I cannot remember all the sites using the old password to change to a new one. I'll miss a site, and by the time I go to it again, I won't be able to remember the password anymore.

If I were to ever have to reinstall FF, I'd be fucked.
Barringtonia
30-08-2007, 05:26
Is anybody else starting to be bugged by websites' and software's rules for passwords? Most started out with a 4 or five letter minimum, but many have moved on to requiring a letter and a number, or 8 letters, or even a letter, a number and a non-alphanumeric character. It's becoming something of a pain in the ass as I basically have to come up with a new password to meet the requirements of a lot of sites, and that means I am basically going to forget the password in a week.

Totally - actually it's testament to the brain's ability that we remember so many, especially if you include PIN numbers and the like.

I cheat by having a simple system that allows me many passwords and I just have to remember which variation I used per login - if someone broke my password to any one login they could get into about a quarter of all my logins but the rest would be safe.

For example - I might make my passwords all variants of laptop names with a simple number so:

Sony555
Acer555
Apple555

I use this pretty much for convenience against threat.

*note - the above system is markedly different from what I actually use so don't bother :)
Jeruselem
30-08-2007, 05:30
I think they do it because a lot of stupid users have really simple passwords like "password" and then complain they've been hacked.
Posi
30-08-2007, 05:35
Totally - actually it's testament to the brain's ability that we remember so many, especially if you include PIN numbers and the like.

I cheat by having a simple system that allows me many passwords and I just have to remember which variation I used per login - if someone broke my password to any one login they could get into about a quarter of all my logins but the rest would be safe.

For example - I might make my passwords all variants of laptop names with a simple number so:

Sony555
Acer555
Apple555

I use this pretty much for convenience against threat.

*note - the above system is markedly different from what I actually use so don't bother :)

My user password (Linux) is only one digit long, and auto login is enabled. My Vista computer doesn't even have a password. My root has a proper password which was the same as my sign-in password at work, and my NS nation. I then have a password for my email which is also used for the vast majority of other websites. Then there is my Facebook password which I use for any site that rejects my email password. Then I have my pin number, which is the only unique one.

I liked it when sites and junk only cared that you had a password so I could use the same password for everything.
Posi
30-08-2007, 05:36
I think they do it because a lot of stupid users have really simple passwords like "password" and then complain they've been hacked.

Well, there is a solution: learn from your mistakes.
Sarkhaan
30-08-2007, 07:24
my school requires 4 capital, 4 lowercase, one number. Within that, no word can be found in the dictionary, and no consecutive letters or numbers (ABCD, 1234). It also cannot be stored to the browser.

Mine is my old stereo model number with 4 random letters added in lower case to the end.
Barringtonia
30-08-2007, 07:30
my school requires 4 capital, 4 lowercase, one number. Within that, no word can be found in the dictionary, and no consecutive letters or numbers (ABCD, 1234). It also cannot be stored to the browser.

Mine is my old stereo model number with 4 random letters added in lower case to the end.

See - that's ridiculous because it almost guarantees that people will write down the password and keep it on their person.

Therefore you're increasing risk not decreasing it.
Sarkhaan
30-08-2007, 07:31
See - that's ridiculous because it almost guarantees that people will write down the password and keep it on their person.

Therefore you're increasing risk not decreasing it.

the biggest redeeming factor is that, after 4 years, you tend to remember it just because of how often we need to use studentlink (every course has readings posted there, it is how we register, etc)

I really have nothing on there that is so personal and vital that it needs that much protection...the worst someone could do is add me to random classes (which I would autodrop after a week) or drop me from my classes (which is easily corrected in class)
Alexandrian Ptolemais
30-08-2007, 07:54
Fortunately for me, I have used 7 character passwords for a very long time now, and I have just added in a new character to my standard password. I am finding it increasingly irritating though, and it gets really annoying when I forget the password that I have used.
Kyronea
30-08-2007, 07:56
They're doing it to ensure more secure passwords so they're freer of liability than they might have been before.
Adzze
30-08-2007, 08:01
Yeah, the growing number of websites that require you to "register" (why?) actually bugs me a lot more than having longer passwords.
Posi
30-08-2007, 08:08
Yeah, the growing number of websites that require you to "register" (why?) actually bugs me a lot more than having longer passwords.

That is a pain too. When you can use your pre-existing password with one of your common usernames, you can usually take a few guesses.
Ruby City
30-08-2007, 09:56
I always leave a site as soon as it asks me to register unless it has convinced me before then that I really like that site.

When a new password is needed I pick a random word in the dictionary so it's more random than any word I'd come to think of, I mean who would use for example trolley or sublimes as a password. Then I write it in leet-speak like 7ro1l3y so it doesn't match the dictionary. I have 4 passwords for junk sites, fun but unimportant, semi important and very important sites.


Don't use the same password for everything. What if some lame nerd makes an online game or forum and you register with your email address and the same password you use for everything? The nerd can log into your email and find mails from other sites you're registered to and log in to them as well! That's a bad thing if you do anything important at all on the computer. Use a separate password for important stuff.
ColaDrinkers
30-08-2007, 10:06
It's very annoying, but I never saw any reason to choose unique passwords for all of them. For random websites I use the same few passwords everywhere. It's not like I care if someone "hacks" a login I have for anidb, or NSG for that matter. For things I care about, like my computer, I use longer and more complex passwords, usually of mixed case and with some numbers thrown in.
The Infinite Dunes
30-08-2007, 11:10
For my logins that I actually care about I use my mother's maiden name and I've made some letters capitals and some letters numbers. And for really picky sites I have a bit of punctuation added on the end.

And before my last reinstall the root user had no password and no problems for the three years it was like that. And the default login was the root user... :eek: But it was never a problem. So meh.
Turquoise Days
30-08-2007, 11:40
Star and asteroid ID numbers often provide easily memorable strings of numbers. And if you forget, you can just look the star up!

http://en.wikipedia.org/wiki/Smithsonian_Astrophysical_Observatory_Star_Catalog
Kryozerkia
30-08-2007, 12:17
Complex passwords and the requirement to register are part of a world-wide conspiracy to piss off the average human. It's part of the greater plot by the Bush-al Qaeda-Putin conglomerate to bring the world to its knees sobbing uncontrollably! :)
UpwardThrust
30-08-2007, 12:30
Is anybody else starting to be bugged by websites' and software's rules for passwords? Most started out with a 4 or five letter minimum, but many have moved on to requiring a letter and a number, or 8 letters, or even a letter, a number and a non-alphanumeric character. It's becoming something of a pain in the ass as I basically have to come up with a new password to meet the requirements of a lot of sites, and that means I am basically going to forget the password in a week.

There has actually been some talk in the security community on the NEGATIVE security impact of this

Before some users had weak passwords that were easily cracked

NOW since the complex rules are in place, and published, they are actually narrowing the field a password cracker has to look for in some cases: rather than having a wide open field, they know that it has to contain letters and numbers (and in some cases letters before a certain point)

So in essence the argument goes that while they are bringing the minimum up they are also bringing the top down a bit.
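To put a number on the "narrowing the field" argument, the following added example (not part of the original thread) counts by inclusion-exclusion how many passwords of a given length still satisfy an "at least one character from each required class" rule. The class sizes (52 letters, 10 digits, 32 symbols) and the function names are assumptions chosen for illustration.

```python
from itertools import combinations
from math import log2


def allowed_passwords(length, class_sizes, required):
    """Count strings of `length` characters, drawn from the union of all
    classes, that contain at least one character from every class named
    in `required` (inclusion-exclusion over the classes left out)."""
    alphabet = sum(class_sizes.values())
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            # Strings that use none of the characters in `missing`.
            remaining = alphabet - sum(class_sizes[c] for c in missing)
            total += (-1) ** k * remaining ** length
    return total


def bits_lost(length, class_sizes, required):
    """Entropy (in bits) removed from the search space by publishing the rule."""
    unrestricted = sum(class_sizes.values()) ** length
    return log2(unrestricted) - log2(allowed_passwords(length, class_sizes, required))


if __name__ == "__main__":
    # Assumed character classes for illustration.
    alnum = {"letter": 52, "digit": 10}
    full = {"letter": 52, "digit": 10, "symbol": 32}

    for name, classes in (("letter+digit", alnum), ("letter+digit+symbol", full)):
        required = tuple(classes)
        unrestricted = sum(classes.values()) ** 8
        allowed = allowed_passwords(8, classes, required)
        print(f"{name}: {allowed / unrestricted:.1%} of 8-character passwords "
              f"remain, {bits_lost(8, classes, required):.2f} bits lost")
```
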
UpwardThrust
30-08-2007, 12:33
I always leave a site as soon as it asks me to register unless it has convinced me before then that I really like that site.

When a new password is needed I pick a random word in the dictionary so it's more random than any word I'd come to think of, I mean who would use for example trolley or sublimes as a password. Then I write it in leet-speak like 7ro1l3y so it doesn't match the dictionary. I have 4 passwords for junk sites, fun but unimportant, semi important and very important sites.


Don't use the same password for everything. What if some lame nerd makes an online game or forum and you register with your email address and the same password you use for everything? The nerd can log into your email and find mails from other sites you're registered to and log in to them as well! That's a bad thing if you do anything important at all on the computer. Use a separate password for important stuff.

Dictionary searches + "Leetafied" text is among the first things that most cracking software tries; as such it's not really all that secure, BUT using separate passwords is a good procedure for sure
Romanar
30-08-2007, 12:47
My gripes about passwords are:

1. There are too many! I've got a dozen passwords at work! Every website wants a password. How can you remember 50+ passwords?

2. I have to change many of the passwords. The work passwords have to be changed every month or 3. And I can't reuse any of my old words.

3. Some passwords are seldom used. Whenever I order something online, the business site wants an account with password. When I return to that site 200 days later, I barely remember that I've been there before. I surely DON'T remember the password. Even if I used my "standard" password, I won't remember just what variation of it I used.
UpwardThrust
30-08-2007, 12:55
My gripes about passwords are:

1.Snip

2. I have to change many of the passwords. The work passwords have to be changed every month or 3. And I can't reuse any of my old words.
Snip

This one I agree with the administrators. Personal online stuff forced password changes don't make sense but work passwords are a must and any competent security admin will force a change
Miller18
30-08-2007, 13:51
2. I have to change many of the passwords. The work passwords have to be changed every month or 3. And I can't reuse any of my old words.



Sounds like you work where I work.:headbang:
Ruby City
30-08-2007, 14:16
Dictionary searches + "Leetafied" text is among the first things that most cracking software tries; as such it's not really all that secure, BUT using separate passwords is a good procedure for sure

But the only things that are more random than that are a sequence of characters with no meaning or a passphrase with 3-4 passwords in sequence. I bet the list of all leet variations of all words is 10 times longer than the list of what passwords 90% of the users come up with.
Khadgar
30-08-2007, 14:32
Had a computer here at work that required a password at least 10 characters long, had to be changed monthly, and had to be sufficiently "random". Whatever the hell random means, basically I had to try about 30 passwords before it finally let me use one, then it was so complicated I had to write it down.
The Infinite Dunes
30-08-2007, 14:52
My gripes about passwords are:

1. There are too many! I've got a dozen passwords at work! Every website wants a password. How can you remember 50+ passwords?

2. I have to change many of the passwords. The work passwords have to be changed every month or 3. And I can't reuse any of my old words.

3. Some passwords are seldom used. Whenever I order something online, the business site wants an account with password. When I return to that site 200 days later, I barely remember that I've been there before. I surely DON'T remember the password. Even if I used my "standard" password, I won't remember just what variation of it I used.

I remember when I had a university email account like that. I simply set up my webmail account to send and receive from the uni account. As I was only prompted to change my password whenever I tried to log onto my uni email from a uni computer on their special email software, it meant I never had to change my password.
Smunkeeville
30-08-2007, 14:57
I have a spreadsheet that I keep track of them with, it's encrypted, and it's not actually on a computer that has internet access. Also, I remember most of them, I have a system, I won't reveal it.
Smunkeeville
30-08-2007, 14:58
Had a computer here at work that required a password at least 10 characters long, had to be changed monthly, and had to be sufficiently "random". Whatever the hell random means, basically I had to try about 30 passwords before it finally let me use one, then it was so complicated I had to write it down.

there are like password generators online. It's not much harder to remember one of those than it is to remember one that you make up yourself.
UpwardThrust
30-08-2007, 15:45
But the only things that are more random than that are a sequence of characters with no meaning or a passphrase with 3-4 passwords in sequence. I bet the list of all leet variations of all words is 10 times longer than the list of what passwords 90% of the users come up with.

10 times longer is hardly worth mentioning in today's world of password cracking with the cpu power available. You are looking for large powers harder. As far as it goes doing the transformations on a dictionary word are rather simple and they are systematic rather than just guessing combinations which is why it is usually done first (that and it's rather common to do).
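The same systematic transformation can be run in reverse by a site as a password-acceptance check; this is an added example, not part of the original thread, that undoes common leet substitutions and a trailing number before consulting a wordlist, and counts how many leet spellings one word has. The substitution table, the tiny wordlist and the function names are constructed for illustration.

```python
import itertools
import re

# Constructed sample wordlist; a real check would load a full dictionary.
WORDLIST = {"trolley", "sublimes", "password", "laptop", "sony", "acer", "apple"}

# Illustrative leet table: each symbol maps to the letters it may stand for.
LEET = {
    "0": "o", "1": "il", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
}


def deleet_candidates(text, limit=4096):
    """Return the lowercase strings `text` could be a leet spelling of.

    Every symbol keeps itself as an option (a digit may just be a digit);
    `limit` caps the expansion so a long input cannot blow up the check.
    """
    choices = [ch + LEET.get(ch, "") for ch in text.lower()]
    expanded = itertools.product(*choices)
    return {"".join(p) for p in itertools.islice(expanded, limit)}


def dictionary_base(password, wordlist=WORDLIST):
    """Return the dictionary word the password is derived from, or None."""
    # Also try the password with a trailing run of digits or punctuation
    # removed, e.g. "Sony555" -> "Sony".
    stem = re.sub(r"[\d\W_]+$", "", password)
    for form in (password, stem):
        for candidate in deleet_candidates(form):
            if candidate in wordlist:
                return candidate
    return None


def leet_spellings(word):
    """Number of distinct spellings of `word` under the LEET table."""
    symbols_for = {}
    for symbol, letters in LEET.items():
        for letter in letters:
            symbols_for[letter] = symbols_for.get(letter, 0) + 1
    count = 1
    for letter in word.lower():
        count *= 1 + symbols_for.get(letter, 0)  # the letter itself, or a symbol
    return count


if __name__ == "__main__":
    # Sample passwords are the ones quoted in the thread.
    for pw in ("7ro1l3y", "Sony555", "Inwithva1970"):
        print(pw, "->", dictionary_base(pw))
    print("leet spellings of 'trolley':", leet_spellings("trolley"))
```
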
UpwardThrust
30-08-2007, 15:47
I remember when I had a university email account like that. I simply set up my webmail account to send and receive from the uni account. As I was only prompted to change my password whenever I tried to log onto my uni email from a uni computer on their special email software, it meant I never had to change my password.

Most of them do not require password changes for students ... we only force Fac Staff to do such as they theoretically have access to a much greater amount of confidential information.
Remote Observer
30-08-2007, 15:50
10 times longer is hardly worth mentioning in today's world of password cracking with the cpu power available. You are looking for large powers harder. As far as it goes doing the transformations on a dictionary word are rather simple and they are systematic rather than just guessing combinations which is why it is usually done first (that and it's rather common to do).

Personally, I wish someone would market a smartcard and reader that plugged into your PC - if you wish to interact with a website or system you use the smartcard. We could then dispense with the password bullshit, and use RSA to handle our authentication.

Or, we'll be stuck with this:

http://upload.wikimedia.org/wikipedia/en/f/f3/Dilbert-20050910.png
Nation States II
30-08-2007, 16:29
Is anybody else starting to be bugged by websites' and software's rules for passwords? Most started out with a 4 or five letter minimum, but many have moved on to requiring a letter and a number, or 8 letters, or even a letter, a number and a non-alphanumeric character. It's becoming something of a pain in the ass as I basically have to come up with a new password to meet the requirements of a lot of sites, and that means I am basically going to forget the password in a week.

* Always use the same password for low security sites and applications
* As a password, use the name of your favorite book, movie, song or whatever phrase you'll never forget and use the first one, two or three characters of each word and add your year of birth.

For instance:
"Interview with the vampire"

The pass could be:
"Inwithva1970"

Not even your wife could guess your password and you're sure that you'll never forget it.
Law Abiding Criminals
30-08-2007, 16:34
The problem, though, is that everyone has different rules for how often you have to change passwords as well. You can't use the same password consistently to log into your work PC as you do for your PayPal account...or if you work for my company, you can't, since they make us change our passwords every 45 days.

Granted, work passwords are a different animal altogether, but if you want to use one for everything, it's a bit tricky.

That and, after a while, you run out of good passwords to use. I'm lucky in that I have several animals and can use their names for passwords.
UpwardThrust
30-08-2007, 17:13
Personally, I wish someone would market a smartcard and reader that plugged into your PC - if you wish to interact with a website or system you use the smartcard. We could then dispense with the password bullshit, and use RSA to handle our authentication.

Or, we'll be stuck with this:

http://upload.wikimedia.org/wikipedia/en/f/f3/Dilbert-20050910.png

You use both in a lot of cases ... the mantra is "something you have and something you know"

Theoretically you would be able to then reach a similar security level overall with a lighter password but a lot of places rather than using two things to achieve the SAME level of security like to bump it up

Sort of like desktops and the reason they are not completely disappearing ... you could use the more compact power available now to have the same machine in a smaller case ... or a more powerful machine in the same case

A lot of people choose the latter. The same with security
UpwardThrust
30-08-2007, 17:17
The problem, though, is that everyone has different rules for how often you have to change passwords as well. You can't use the same password consistently to log into your work PC as you do for your PayPal account...or if you work for my company, you can't, since they make us change our passwords every 45 days.

Granted, work passwords are a different animal altogether, but if you want to use one for everything, it's a bit tricky.

That and, after a while, you run out of good passwords to use. I'm lucky in that I have several animals and can use their names for passwords.

And that sort of quick password turnaround times leads to sloppy habits such as incremental password (Ex. Dog1 Dog2 Dog3) personally the magic date for me is 90 days ... for the most part brute force on non windows hash systems is above the 90 day mark.
Law Abiding Criminals
30-08-2007, 17:17
And that sort of quick password turnaround times leads to sloppy habits such as incremental password (Ex. Dog1 Dog2 Dog3) personally the magic date for me is 90 days ... for the most part brute force on non windows hash systems is above the 90 day mark.

I don't think my workplace allows passwords that are too similar, so people have to get un-lazy...
UpwardThrust
30-08-2007, 17:22
* Always use the same password for low security sites and applications
* As a password, use the name of your favorite book, movie, song or whatever phrase you'll never forget and use the first one, two or three characters of each word and add your year of birth.

For instance:
"Interview with the vampire"

The pass could be:
"Inwithva1970"

Not even your wife could guess your password and you're sure that you'll never forget it.

Never ever EVER under-estimate social engineering and the ability to find out passwords

In either case letters consecutively and numbers consecutively is way weaker than alternation and words are never a good thing ...

If it is something not important fine but I personally work a lot harder than that.
UpwardThrust
30-08-2007, 17:23
I don't think my workplace allows passwords that are too similar, so people have to get un-lazy...

It gets hard to write those rules ... people are ingenious at being lazy lol they will find a way ... and better not to piss them off more than you have to, a 3 month change should be secure enough.
Nation States II
30-08-2007, 17:33
Personally, I wish someone would market a smartcard and reader that plugged into your PC - if you wish to interact with a website or system you use the smartcard. We could then dispense with the password bullshit, and use RSA to handle our authentication.

Or, we'll be stuck with this:

http://upload.wikimedia.org/wikipedia/en/f/f3/Dilbert-20050910.png

In Belgium we already have this one. Our ID cards contain a chip. Over a few years all Belgians will have their e-ID

It comes with a 4 digit code, similar to the code for an ATM machine.

It's already used for lots of (web) applications.

The only thing you need is a card reader. Lots of keyboards already contain one and separate devices are sold cheaply.

For instance, children can more safely enter a pedophile-free chatroom. If you don't have the right age, access is blocked. Yepz, a pedophile could borrow an eID and the code, but in such case there is a trace...

I use my eID to check my salary slips on the web.

Link:
http://eid.belgium.be/en/navigation/12000/index.html
Damor
30-08-2007, 18:13
Yeah, the growing number of websites that require you to "register" (why?) actually bugs me a lot more than having longer passwords.

I have to agree; and then they often also require you to have a name of 6 or more characters, blegh. I don't really want to register in the first place, and then they take away my name as well.

Long passwords I don't mind so much; I have a handful of 8-character standard passwords, and a few longer ones for specific important sites (like my bank).
Seathornia
30-08-2007, 18:31
my school requires 4 capital, 4 lowercase, one number. Within that, no word can be found in the dictionary, and no consecutive letters or numbers (ABCD, 1234). It also cannot be stored to the browser.

Mine is my old stereo model number with 4 random letters added in lower case to the end.

Wow, I just realized...

...my Uni gave me that exact type of password! :p

It's easy to remember when you use it as often as we do though. Every single day, basically.
Demented Hamsters
30-08-2007, 18:53
what I hate is trying to remember PINs. I now have 8 bank accounts, all with different PINs - and all but 2 of them are 6 digits long.
Add in the PhoneBanking PIN (3 of those) and it gets awfully hard to remember them all.
I once forgot all but one. Reason I didn't forget the last one was because I'd forgotten it previously. I was waiting at the ATM machine when it suddenly popped into my head. In so doing it managed to knock all the other ones out. I was lucky I had some money in that account as I needed it to catch the ferry home.
I V Stalin
30-08-2007, 18:56
My gripes about passwords are:

1. There are too many! I've got a dozen passwords at work! Every website wants a password. How can you remember 50+ passwords?

2. I have to change many of the passwords. The work passwords have to be changed every month or 3. And I can't reuse any of my old words.

Yeah...I have four I need to regularly use at work, I have to change each one every 60 days, and I can't re-use a password within a year (well, 360 days).

Mind you, I have a few short phrases that I anagramise and "leet-ify" to use as passwords, so it's never really a problem.
Lex Llewdor
30-08-2007, 19:49
Or you could use the same password for everything and have IE/FF remember them all. . .

That's not going to work for much longer. I have found a site that uses a bot to wander the internet trying to access other sites using the username and password you have with them. If any of them work it declares those unsecure and demands you choose a new one.

If every site did this, you would need a unique username/password combination for each one.
Damor
30-08-2007, 20:16
That's not going to work for much longer. I have found a site that uses a bot to wander the internet trying to access other sites using the username and password you have with them. If any of them work it declares those unsecure and demands you choose a new one.

If every site did this, you would need a unique username/password combination for each one.

You could just add the site-name to each password.