General Discussion
Creator of Password Rules Regrets His Advice
http://www.msn.com/en-us/money/technology/creator-of-password-rules-regrets-his-advice/ar-AApJ0ps?li=BBnb7Kz&ocid=mailsignout
Was it m@nk3yP@$$w01rd or m0nk3yp@ssw0!rd?
For 20 years, the standard advice for creating a "strong" password that is hard to crack has been to use a mix of letters, numbers and symbols.
It's so ingrained that when you go to create a new email account you'll frequently get praising or finger-wagging feedback from the computer on how well your secret code adheres to these guidelines.
And you're supposed to change it every 90 days.
Now, the man who laid down these widely followed rules says he got it all wrong.
"Much of what I did I now regret," Bill Burr, a 72-year-old retired former manager at the National Institute of Standards and Technology told the Wall Street Journal.
In 2003, the then-mid-level NIST manager was tasked with the job of setting rules for effective passwords. Without much to go on he sourced a whitepaper written in the 1980s. The rules his agency published ended up becoming the go-to guides for major institutions and large companies.
The result is that people create odd-looking passwords and then have to write them down, which is of course less secure than something you can memorize. Users also lean on common substitutions, like "zeroes" for the letter O, which a smart hacker could program their password cracker to look for. Or they pick one "base" password that they can memorize and only change a single number. That's also not as safe.
"It just drives people bananas and they don't pick good passwords no matter what you do," Burr said.
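The substitution problem the article describes, worked through as an added example that is not from the article or from anyone in this thread: a toy cracker in Python that applies the same leet swaps, capitalisation patterns and digit/symbol suffixes that users reach for to a short word list, and recovers a "complex-looking" password from its hash. The word list, the suffix list and the use of unsalted SHA-256 are constructed for the demonstration; a real attack starts from a leaked-password list and a rule engine such as hashcat's, and a real system should store passwords with a slow, salted hash.

```python
import hashlib
import itertools

# Constructed sample word list; a real cracker starts from a leaked-password list.
WORDLIST = ["monkey", "password", "dragon", "letmein"]

# Substitutions a cracker's rule set tries: the same ones users reach for.
LEET = {"a": "@", "e": "3", "i": "1", "l": "1", "o": "0", "s": "$"}

# Suffixes users add to satisfy "must contain a digit/symbol" rules (constructed).
SUFFIXES = ["", "1", "!", "1!", "123", "2017"]


def leet_variants(word):
    """Yield the word with every subset of its substitutable letters replaced."""
    positions = [i for i, ch in enumerate(word) if ch in LEET]
    for n in range(len(positions) + 1):
        for combo in itertools.combinations(positions, n):
            chars = list(word)
            for i in combo:
                chars[i] = LEET[chars[i]]
            yield "".join(chars)


def case_variants(word):
    """The three capitalisation patterns people actually use."""
    yield word.lower()
    yield word.capitalize()
    yield word.upper()


def candidates(wordlist=WORDLIST):
    """Generate every mangled form of every base word, without duplicates."""
    seen = set()
    for base in wordlist:
        for cased in case_variants(base):
            for leeted in leet_variants(cased):
                for suffix in SUFFIXES:
                    cand = leeted + suffix
                    if cand not in seen:
                        seen.add(cand)
                        yield cand


def sha256_hex(text):
    """Unsalted fast hash, used here only so the demo has something to crack."""
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash, wordlist=WORDLIST):
    """Return (plaintext, guesses_used), or (None, guesses_used) if not found."""
    guesses = 0
    for cand in candidates(wordlist):
        guesses += 1
        if sha256_hex(cand) == target_hash:
            return cand, guesses
    return None, guesses


if __name__ == "__main__":
    # "P@$$w0rd1" satisfies every complexity rule and is still just "password"
    # with one capital, four swaps and a digit: a few hundred guesses at most.
    found, used = crack(sha256_hex("P@$$w0rd1"))
    total = sum(1 for _ in candidates())
    print(f"recovered {found!r} after {used} of {total} candidate guesses")
```

With four base words the whole mangled space is a few hundred strings; multiply that by a multi-million-entry leak list and the rule set still finishes in seconds against a fast hash, which is why the substitutions buy almost nothing.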
underpants
(182,829 posts)
You can have a list of current passwords as well as your history with a given log in.
Give the spreadsheet a good name and hide it in your home drive.
I have about 30 passwords I have to keep track of.
SoCalDem
(103,856 posts)
I avoid passwords near the Caps Lock key...for obvious reasons..
favorite animal...a food....period or comma...number ...best friend's birth year..
this is not my password....
zebracookie.21954
volstork
(5,402 posts)
plus the year the movie was released: Franklymydear1939. (Not my password)
boston bean
(36,221 posts)
What if you can't and then you don't have record of any of your passwords.
underpants
(182,829 posts)
And then do letters before and after. I tend to stick with the same special character as well, as passwords tend to need changing at about the same time.
Those 4 numbers are my way into the spreadsheet and I have a second simple set of two for the second password to get into the spreadsheet.
Probably not the most secure system using the same core numbers but it works for me.
Yavin4
(35,442 posts)
Or what happens when someone hacks into your spreadsheet?
underpants
(182,829 posts)
Give it a weird name so they'd have to know what they were looking for.
n2doc
(47,953 posts)
with thousands of others, than someone deliberately trying to crack a specific one. (unless you are targeted by a 3 letter agency)
TheBlackAdder
(28,209 posts)
Not only that, their employees have access to view them.
Lee-Lee
(6,324 posts)
Multiple words strung together for an extra long one that is still easy to remember.
Something like:
45IsTheWorstPresidentEver!
You get numbers, letters and caps for systems that demand it and an ultra long password compared to most that is still easy to remember.
The worst site I ever worked with was one US Government one that demanded your password be EXACTLY 8 characters, no more no less, with a number and a special character but only one of 6 allowable special characters. They literally narrowed the possibilities way down for any hackers by being so restrictive.
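The "exactly 8 characters" policy, worked out in Python as an added example that is neither the poster's nor the site's code: the number of 8-character strings that contain at least one digit and at least one of six specials, counted by inclusion-exclusion over the required classes, compared with 8 unconstrained printable characters and with allowing 8 to 16 characters under the same rules. Which six specials the site allowed is not stated in the post, so the six is an assumption carried as a parameter.

```python
import itertools
import math

# Character classes for the policy. The "special" count of 6 is an assumption
# standing in for whichever six symbols the site actually allowed.
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 6}


def keyspace(length, classes, required=()):
    """Count strings of exactly `length` over the union of `classes` that
    contain at least one character from every class named in `required`.

    Inclusion-exclusion: for every subset of required classes that is
    missing, add or subtract the count of strings drawn without them.
    """
    alphabet = sum(classes.values())
    required = list(required)
    total = 0
    for k in range(len(required) + 1):
        for missing in itertools.combinations(required, k):
            size = alphabet - sum(classes[c] for c in missing)
            total += (-1) ** k * size ** length
    return total


def keyspace_range(min_len, max_len, classes, required=()):
    """Keyspace when any length from min_len to max_len inclusive is allowed."""
    return sum(keyspace(n, classes, required) for n in range(min_len, max_len + 1))


def bits(n):
    """Keyspace size expressed as bits of entropy (uniform choice assumed)."""
    return math.log2(n)


def compare():
    """Return the three policies side by side, as raw counts and in bits."""
    rules = ("digit", "special")
    exactly8 = keyspace(8, CLASSES, required=rules)
    any8 = keyspace(8, {"printable": 95})          # any printable ASCII, no rules
    eight_to_16 = keyspace_range(8, 16, CLASSES, required=rules)
    return {
        "exactly8": exactly8, "exactly8_bits": bits(exactly8),
        "any8": any8, "any8_bits": bits(any8),
        "eight_to_16": eight_to_16, "eight_to_16_bits": bits(eight_to_16),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        if name.endswith("_bits"):
            print(f"{name:>18}: {value:6.1f}")
        else:
            print(f"{name:>18}: {value:.3e}")
```

The required-class rules cost the site a few bits against unconstrained 8-character input, but the fixed length is the real damage: simply permitting up to 16 characters under the same rules multiplies the space by tens of orders of magnitude, because the attacker has to search the longer lengths as well.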
TexasProgresive
(12,157 posts)
I hated coming up with a PW for it.
marybourg
(12,633 posts)
using a sentence with personal meaning to me alone, leaving out the vowels for brevity and incorporating an appropriate year or digit
Xipe Totec
(43,890 posts)
rpannier
(24,330 posts)
I was watching the John Oliver - Snowden interview and they were talking about passwords
Snowden recommended using phrases you could remember and then threw out 'Margaret Thatcher is so SEXY' as an example
John Oliver stared and said something like "That's probably a good one because no one would ever use it."
Bernardo de La Paz
(49,007 posts)
jimlup
(7,968 posts)
thanks
TheBlackAdder
(28,209 posts)
Bernardo de La Paz
(49,007 posts)
Anything more draconian than that is an error in user interface, notwithstanding exceptional systems with exceptional requirements.
Baitball Blogger
(46,736 posts)
Use a phrase that will stick in your mind and use the first letter of each word and allowable exclamation marks. I'm guessing though that the downside of that is that there will be a spike on this password:
hiipthsaINB45itWH!!!!!
How Is It Possible To Have Such an Incompetent Narcissistic Bastard 45 in the White House!!!!!
central scrutinizer
(11,652 posts)
Some song lyric or Firesign Theatre line. Use the first letter of each word, throw in a couple of numeric characters and some other special character. I tend to use # since some foreign keyboards are very different. I couldn't check email in Costa Rica since my password used the $ sign.
I learned the first character trick from my sister in law who was a systems administrator. Her office changed passwords often. She would stick a cartoon on her door. Take the first letter of each word in the caption and voila. Her coworkers knew how to find the password if she was out.
Baitball Blogger
(46,736 posts)
Thor_MN
(11,843 posts)
The sysadmin was a friend and could get what I had set for a password. She told me and I still could not remember what phrase I had used to create that acronym.
Never change your password on a Friday.
Where I work now, there is a system account to be used in the development environment that is needed by all the programmers. They now set them as a random 30-45 character mess of lower case letters, upper case letters, numbers, and symbols. Then share it with 300 programmers....
Baitball Blogger
(46,736 posts)
zipplewrath
(16,646 posts)
I've come up with "strong" passwords that I can remember. The problem is that I can't necessarily remember what the rules for each site are. Some sites insist on characters that other sites won't accept. When I started, I had a nice 7 character password that could be constantly updated. Then they wanted 8. Some now insist on 12. Some have limited "special characters". Some insist on BOTH upper and lower case. I've given up. I have one "weak" password for sites I don't care if they get hacked. After that, I have to write them down in a small book I keep in the desk. Which of course is a problem if I'm on the road. Then I have to go through the whole "forgotten password" process. Which means I have to remember what email I gave them.
NewJeffCT
(56,828 posts)
I used to have a small group of standard passwords that I would use. (standard to me for most sites, not standard in general) Then, when they started requiring symbols, I added a few standard symbols - but, some sites won't accept any symbols, while others require only certain ones or exclude certain ones.
CrispyQ
(36,478 posts)
I had my login & password - signed in no problem. Then it told me, "Your password is too old. We've reset it & sent the new password to your email," & it logged me off. Guess what? It's an old email account that I no longer have. I tried to create a new account, it said that policy number already has an account. I have no way to get into my account now because I have no way to update my email.
I inherited an authenticated app from a programmer & he didn't code any way for the users to reset their password & get a new one. The first day I had three calls from employees who were locked out. I couldn't believe it when I discovered what he'd done! Or rather, hadn't done.
zipplewrath
(16,646 posts)
I signed up for them in the '90s. Last time I was there they wanted me to update my information. So I did. It immediately sent an email to the original address to confirm the "changes" (info they never had before). Problem is, the original address doesn't even exist anymore.
Bernardo de La Paz
(49,007 posts)
Proud Liberal Dem
(24,414 posts)
I'm glad that I have a password manager (Dashlane/Last Pass) because I would literally be screwed by the amount of logins that I have to keep track of otherwise.
crazycatlady
(4,492 posts)
I remember when passwords used to be 6 characters (which the plate # was). I since added the state in there to make it longer.
It was my current car when I set the password but it died 10 years ago.
mythology
(9,527 posts)
It means I can have good long random passwords and not have to remember them myself.
klook
(12,157 posts)
I use 1Password from AgileBits for Mac and iOS, and some free app for a work Android phone.
There are only a couple of passwords I have to key in:
* the master password for 1Password, which uses a formula that makes sense to me but would be almost impossible for any human or computer to figure out
* a couple for work systems (recorded in 1Password), where I use a) the initials of a long quote I know well but that most people wouldn't, with a little punctuation and capitalization mixed in; and b) an idiosyncratic combination of letters, numbers, and punctuation that I know well by muscle memory
1Password is great, because it not only stores tons of passwords and secure notes, but it will fill in passwords for me using only a 2-key combination when I'm logged in. Huge time saver and very convenient.
It also generates passwords upon request, using various formulas. One of my favorites is the one with words separated by punctuation, for example: templar-lichen-jaywalk-chancery (totally random example that I don't actually use). I'll take one like that and substitute numbers or symbols for a few of the characters, plus some punctuation and capitalization anomalies, plus a couple of symbols. Doesn't matter, really, since 1Password will remember it for me in an encrypted database no matter how wacko it is.
I would never rely on my brain to remember the hundreds of passwords (and usernames, disposable email addresses, etc.) I've created.
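A generator for the word-separated style of password described in the post above, as an added example that is not 1Password's code nor the poster's: it draws words with the operating system's CSPRNG through Python's `secrets` module and computes the entropy of the result from the word count and the list size. The 16-word list is constructed for the example; Diceware-style lists have 7776 words, and the entropy functions take the list size as a parameter so the figure for a real list can be computed.

```python
import math
import secrets

# Constructed stand-in word list. A real generator uses a published list of
# several thousand words (Diceware's has 7776, i.e. 6^5 for five dice rolls).
WORDS = [
    "templar", "lichen", "jaywalk", "chancery", "ember", "quartz", "saddle",
    "violet", "harbor", "nimbus", "pewter", "fathom", "orchid", "glacier",
    "tundra", "cobalt",
]

DICEWARE_SIZE = 7776


def passphrase(n_words, wordlist=WORDS, sep="-"):
    """Join n_words chosen uniformly, with replacement, by the OS CSPRNG.

    secrets.choice is the right primitive here; random.choice is seeded from
    predictable state and must not be used for secrets.
    """
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words, list_size):
    """Entropy of an n_words passphrase drawn uniformly from list_size words.

    Each word contributes log2(list_size) bits; the separator adds nothing
    because the attacker can assume the format.
    """
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest word count that reaches target_bits from a list of list_size."""
    return math.ceil(target_bits / math.log2(list_size))


def is_from_list(phrase, wordlist=WORDS, sep="-"):
    """Sanity check that every component of a phrase came from the list."""
    return all(word in wordlist for word in phrase.split(sep))


if __name__ == "__main__":
    print(passphrase(4))
    print(f"4 words from {len(WORDS)}: {entropy_bits(4, len(WORDS)):.1f} bits")
    print(f"4 words from {DICEWARE_SIZE}: {entropy_bits(4, DICEWARE_SIZE):.1f} bits")
    print(f"words from {DICEWARE_SIZE} for 80 bits: {words_needed(80, DICEWARE_SIZE)}")
```

The entropy comes entirely from how many words there are and how large the list is, not from how the words look: four words from a 7776-word list give about 52 bits, roughly the same as eight fully random printable characters, and six or seven words pass 80 bits while staying far easier to type than a random string of the same strength.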
Phentex
(16,334 posts)
For some reason, I can remember a string of random letters/numbers/symbols easier than I can remember a phrase or word combination. I never use the same password or combo on any site. The times I get confused are for oddball sites like USPS that I rarely use. My library login is my card number and I can remember all 14 digits without looking it up.
The same is true for PIN numbers.
Meanwhile, I can't remember what I ate for breakfast or what's on my to-do list...
Tracer
(2,769 posts)
The sites that reject your password because someone else is using it. Gotta think up a new one.
The sites that reject your log-in TODAY, but accepted it YESTERDAY ---- causing me to ask for a new password. (I'm looking at you Boston Globe).
I have 2 sheets of paper covered with current and former passwords. I'll be outta luck if I lose it!
central scrutinizer
(11,652 posts)
Coventina
(27,121 posts)
Screw it.
Binkie The Clown
(7,911 posts)
I pick three random, unrelated words, and within those words I make the letters at certain fixed positions upper case. Those positions are the same for all my passwords. So let's say I always make the last letter of the first word and the second to last letter in the last word uppercase. Then "blue"+"swelter"+"caramel" would become "bluEsweltercaramEl". The scattered uppercase letters make a dictionary search impractical because the number of possible upper/lower case combinations goes up with the factorial of the password length, and that's more nanoseconds than the age of the universe since the big bang.
hunter
(38,317 posts)
I generate my own passwords using fragments of the incinerated bones of my enemies. It's a process similar to the rolling dice in Yahtzee. I reject the Yahtzees. Given enough time this makes me vulnerable.
Awsi Dooger
(14,565 posts)
Rarely have any problem remembering them, or which ones belong to each site.
Some of them are obscure sports records or stats from 30 or 40 years ago combined with words or phrases that are significant to me but seldom used.
The only problem is when I'm limited. My credit union somehow still only allows 8 characters. They have some other safeguards built in but those shorties are the only ones I'm somewhat worried about.
The long ones flow from memory. I actually enjoy typing them in because they are so bizarre looking if you don't know what the heck it stands for.