
Password "security" ?

Old Jan 22, 2016, 10:33 am
  #16  
 
Join Date: Feb 2008
Posts: 1,154
My biggest problem with the sites that use more obscure rules and force you to change the password frequently is that I'm not convinced it's really making things more secure because I find the harder it is for someone to remember their password, the far more likely it is that they'll write the password down somewhere, and frequently that somewhere will be easily located from where the computer is. This is something that I frequently have to harass my users about (among other things, we had a security audit a number of years ago, and this is one thing they specifically were looking for in the building). I have a few users that have pages of notes of sites and passwords sitting next to their computers. Thankfully, they're not generally the same faculty members that leave their office door wide open and wander off for hours at a time (in a building that has had occasional thefts occur in it). We do have one annoying piece of software in our department that makes you change the password every 6 months, and with the last update we had, they went from remembering the last 10 passwords to the last 50 (and I'd consider the last 10 to be excessive).

I was pretty resistant to it myself for a long time, but I've ultimately gone to using lastpass for things. I'm still kinda transitioning to it, but so far it's been pretty reasonable for me. We've also used keepass for stuff that we didn't really want stored online (although note, if you store the file for that on a network drive, when you can't access said network drive it becomes very difficult to retrieve the passwords you need from it in an emergency ).
piper28 is offline  
Old Jan 22, 2016, 2:19 pm
  #17  
 
Join Date: Oct 2001
Location: SW WA
Posts: 3,882
Sadly, my employer blocks the use of password managers like lastpass. They also require an extremely long & complicated passphrase with multiple numbers, symbols and capitalized letters. It means that everyone just has a post-it with their password affixed to their monitor.
Buster is offline  
Old Jan 22, 2016, 4:47 pm
  #18  
FlyerTalk Evangelist
 
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,781
Originally Posted by Buster
Sadly, my employer blocks the use of password managers like lastpass. They also require an extremely long & complicated passphrase with multiple numbers, symbols and capitalized letters. It means that everyone just has a post-it with their password affixed to their monitor.
So use a local password manager like Keepass on your personal phone, and just copy it over from there.
nkedel is offline  
Old Jan 22, 2016, 6:00 pm
  #19  
 
Join Date: Dec 2014
Posts: 394
Originally Posted by Buster
Sadly, my employer blocks the use of password managers like lastpass. They also require an extremely long & complicated passphrase with multiple numbers, symbols and capitalized letters. It means that everyone just has a post-it with their password affixed to their monitor.
So why not use a password manager on your phone, and use that to access your password? Certainly more secure than a Post-It beside your monitor!
Calliopeflyer is offline  
Old Jan 22, 2016, 7:21 pm
  #20  
 
Join Date: Jun 2005
Location: Tri-State Area
Posts: 4,728
Originally Posted by gfunkdave
So I'm not worried, and I like the seamless online transfer and update of my passwords to and from my various devices.
Good for you!

Originally Posted by Calliopeflyer
So why not use a password manager on your phone, and use that to access your password? Certainly more secure than a Post-It beside your monitor!
^^
dtsm is offline  
Old Jan 22, 2016, 7:52 pm
  #21  
 
Join Date: Feb 2013
Location: Somewhere In The Five Eyes
Posts: 228
http://arstechnica.com/security/2013...our-passwords/

For less than $5US, it is possible to purchase a GPU rig that can do ~80 Billion guesses per second. Hint: Right now, a guaranteed-good (stolen) credit card can be purchased for $4.80US.
gqZJzU4vusf0Z2,$d7 is offline  
Old Jan 22, 2016, 9:20 pm
  #22  
 
Join Date: Dec 2015
Location: ATL
Programs: DL, FL, AA, Choice, Hilton, Hyatt, Marriott
Posts: 3
Password "security"

Great answers so far, great question, great thread.

First I'll comment on "does all this junk I'm asked to do really make a difference." Let's look at how to make a hard-to-guess password, and start with some EASY math.

If you could only use digits 0-9 for a password, the number of different passwords for a given password length is (10^3) -- OK stop stop stop, math is scary. No, let's say you could only have 3 digits -- 10 to the 3rd power, or 10 * 10 * 10 - picture this -- 0-9 (10) TIMES 0-9 (10) TIMES 0-9 (10). 1000 combinations.

If you make that more complicated and have 0-9 plus a-z plus A-Z, you have 10 + 26 + 26 = 62 different characters, to the power of whatever the length is.

Obviously, however complicated (what characters are allowed) and the length of the password both factor in here. (OK, giggle ladies, length is important ha ha)

What's not obvious is that length is more important than variety; 10^5 (100,000) is bigger than 5^10 (9,765,625; that's 97 TIMES more complex, get a calculator out and check).

So ... making people use crazy letters and symbols is basically stupid. Using a "passphrase" is basically really smart. In other words "Oy, my aching left foot" is way better than "#4fTTg6Q$%" and it's a lot easier to remember.

Here's another thing that may make IT people mad. Forcing you to change your password is STUPID. The only "attack" that helps against is if someone steals the password file. They should KNOW if the system was compromised, then force everyone to change their password. Unless someone gets the password file and cracks it, your 14-year-old password is just as secure as it was when you created it. It's math.

What does this all mean?

Use a password generator anyway, and if your employer blocks things like 1Password and Lastpass (I prefer lastpass), they're stupid and oh well, find a way to work around it, like copying and pasting on your phone, or using Pushbullet, or some of the other GREAT ideas people have shared.

Now go make your passwords LONGER and easier to remember, or use a tool to make them equally long and impossible to remember.
OracleOfTravel is offline  
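The keyspace arithmetic the post above walks through, carried out in code so the numbers for each policy can be compared side by side. This is an added example, not code from any poster in the thread. The 80 billion guesses per second rate is an assumption taken from the figure quoted earlier in the thread; the real offline rate depends entirely on which hash the breached site stored (bcrypt or PBKDF2 cost millions of times more per guess than MD5 or NTLM), and an online login form is slower still.

```python
"""Keyspace arithmetic for the password policies compared in the thread.

Added example; not code from any of the forum posters. GUESSES_PER_SECOND is an
assumption taken from the thread's GPU-rig figure.
"""
import math

DIGITS = 10
LOWER = 26
MIXED_ALNUM = 10 + 26 + 26            # the 62-character set from the post
PRINTABLE_ASCII = 95                  # space through tilde
DICEWARE_WORDS = 7776                 # standard Diceware list size (6^5)
GUESSES_PER_SECOND = 80e9             # assumption: thread's GPU-rig figure
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` symbols drawn from `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the keyspace: bits of entropy for a uniformly random choice."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst case (entire space) time at `rate` guesses per second, in years."""
    return space / rate / SECONDS_PER_YEAR


def length_for_bits(alphabet_size: int, target_bits: float) -> int:
    """Smallest length whose keyspace reaches `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def compare_policies(a: tuple, b: tuple) -> dict:
    """Compare two (alphabet_size, length) policies; ratio is larger / smaller."""
    sa, sb = keyspace(*a), keyspace(*b)
    big, small = max(sa, sb), min(sa, sb)
    return {
        "a_space": sa,
        "b_space": sb,
        "larger": "a" if sa >= sb else "b",
        "ratio": big / small,
        "a_bits": entropy_bits(*a),
        "b_bits": entropy_bits(*b),
    }


if __name__ == "__main__":
    # The post's own comparison: 5 symbols 10 long vs 10 symbols 5 long.
    print(compare_policies((5, 10), (10, 5)))
    rows = [
        ("8 chars, digits only", DIGITS, 8),
        ("8 chars, a-z", LOWER, 8),
        ("10 chars, 0-9a-zA-Z", MIXED_ALNUM, 10),
        ("12 chars, printable ASCII", PRINTABLE_ASCII, 12),
        ("5 Diceware words", DICEWARE_WORDS, 5),
        ("6 Diceware words", DICEWARE_WORDS, 6),
    ]
    for label, alpha, n in rows:
        sp = keyspace(alpha, n)
        print(f"{label:28s} {entropy_bits(alpha, n):6.1f} bits "
              f"{years_to_exhaust(sp):14.3g} years at 80e9/s")
    print("chars of 0-9a-zA-Z needed for 128 bits:", length_for_bits(MIXED_ALNUM, 128))
```

The Diceware rows treat the word, not the character, as the attacker's unit: a passphrase built from dictionary words is only as strong as (dictionary size)^(word count), which is the honest way to score "Oy, my aching left foot" against "#4fTTg6Q$%". Every figure here assumes the password was chosen uniformly at random; a human-chosen phrase is weaker than its length suggests, which is the point the hashcat posts later in the thread make.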
Old Jan 22, 2016, 9:24 pm
  #23  
 
Join Date: Jan 2010
Location: New York and Vienna
Programs: PA WorldPass Platinum, AA, DL, LH. GHA Black, SPG and HHonors Gold
Posts: 3,870
Originally Posted by OracleOfTravel
So ... making people use crazy letters and symbols is basically stupid. Using a "passphrase" is basically really smart.
Yes, my password life revolves around variations of passphrases (plus my user names are different and unique to a specific site).

The passphrase I use is a variation of "ourcomputernevercrashesdoesit" and for ..... and giggles I insert a few random numbers in, such as "our1computer2never3crashes4does5it" . This is just an example and don't try to log into my FT account with it please.
jspira is offline  
Old Jan 22, 2016, 9:37 pm
  #24  
 
Join Date: Jun 2013
Location: NYC
Programs: AA Platinum/OW Sapphire, Delta Gold, Marriott Gold
Posts: 89
Originally Posted by Buster
Sadly, my employer blocks the use of password managers like lastpass. They also require an extremely long & complicated passphrase with multiple numbers, symbols and capitalized letters. It means that everyone just has a post-it with their password affixed to their monitor.
I cosign the greatness of 1Password and 1PasswordAnywhere lets you log in via browser after you've set it up. But you can also just have the app on your phone and then type in the password as others have said.
eyeNina is offline  
Old Jan 23, 2016, 5:51 am
  #25  
 
Join Date: Jun 2005
Location: Tri-State Area
Posts: 4,728
Listen to Edward Snowden's suggestions on better passwords: http://www.cnet.com/news/margaret-th...o-john-oliver/.

Makes sense....
dtsm is offline  
Old Jan 23, 2016, 7:57 am
  #26  
 
Join Date: Nov 2006
Programs: Seniors Bus Pass
Posts: 5,528
Whilst Mr Snowden's advice is good, the need is usually for different passwords for multiple sites and remembering that is hard. But other ways can also significantly alter a 'known' word, such as adding punctuation - so Flyertalk (9 chars) becomes F.l.y.e.r.t.a.l.k. (18 chars) or Flyer;;;;;talk (14 chars). Unguessable and not going to work as a brute force attack anytime this century. This Steve Gibson explanation of needles in haystacks is fun:
https://www.grc.com/haystack.htm

Whilst handy for extending and complicating an easy password, it only gives you one example, and if a site gets compromised and you have used that password elsewhere you have a problem. Many sites store your email address and password, and it is when that single site is compromised that problems arise, as you probably use the same email address for all your logins - hence why different passwords for each site are important.

But the password manager advantage is that it will give you a randomised 20 character password that is different for each site. If one site ever got compromised the email address and that password does not help the hacker get in anywhere else.

Even if you keep those passwords encrypted on your phone and have to manually input it to keep an employer happy it is way better than the post-it beside the monitor!
antichef is offline  
Old Jan 23, 2016, 10:16 am
  #27  
 
Join Date: Aug 2010
Location: ORF
Programs: Amex Plat, AA, BA Silver, Marriott Plat, Choice Gold, HHonors Gold, IHG Diamond
Posts: 3,749
The New York Times had an article on password managers today, http://www.nytimes.com/2016/01/21/te...an-region&_r=0. Not necessarily endorsing the conclusions but adding this here because of its timely relevance to this thread.
lwildernorva is offline  
Old Jan 23, 2016, 12:53 pm
  #28  
 
Join Date: Feb 2013
Location: Somewhere In The Five Eyes
Posts: 228
All the gimmicks mentioned for passphrases are already used by crackers, and hashcat rule sets for them already exist.

Use long, random machine generated passwords ... Kinda like my username. Use Nothing from a dictionary. Among the passwords I have cracked using hashcat, my favorite stupid password: You w!ll n3v3r b3 abl3 t0 brut3 f0rc3 th!$ l3ngthy passw0rd!

Hashcat cracked it in the first 24 hours using an 8-GPU rig, street price: $4.80US

Last edited by gqZJzU4vusf0Z2,$d7; Jan 23, 2016 at 4:14 pm
gqZJzU4vusf0Z2,$d7 is offline  
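A small rule-based candidate generator that shows why the "haystack" tricks from antichef's post and the digit-insertion from jspira's post fall to the rule sets the post above mentions. This is an added example, not code from any poster and not hashcat itself (hashcat's rule language is far richer than the handful of transforms here). The wordlist, the rule set and the "leaked" digests are constructed for the demo; the three plaintexts it recovers are the patterns quoted in the thread. SHA-256 stands in, as an assumption, for whatever fast unsalted hash a breached site might have stored.

```python
"""Rule-based candidate generation: mangling a short wordlist recovers the
thread's 'padded' and 'digit-inserted' passphrases.

Added example; not code from any forum poster and not hashcat. Wordlist, rules
and 'leaked' digests are constructed here. SHA-256 is an assumed fast hash.
"""
import hashlib
from typing import Iterator

# Constructed wordlist: a dictionary word, a site-specific term and a
# memorable sentence, the kind of seeds an attacker tries first.
WORDLIST = ["password", "flyertalk", "our computer never crashes does it"]

LEET = str.maketrans({"a": "@", "e": "3", "i": "!", "o": "0", "s": "$"})
SEPARATORS = ".-_;!"
MAX_REPEAT = 5


def case_variants(w: str) -> Iterator[str]:
    yield w.lower()
    yield w.capitalize()
    yield w.upper()


def interleave(w: str, ch: str) -> Iterator[str]:
    """Separator between every character, with and without a trailing one:
    F.l.y.e.r.t.a.l.k and F.l.y.e.r.t.a.l.k."""
    yield ch.join(w)
    yield ch.join(w) + ch


def split_with_run(w: str, ch: str, n: int) -> Iterator[str]:
    """A run of n separators at every split point: Flyer;;;;;talk."""
    for i in range(1, len(w)):
        yield w[:i] + ch * n + w[i:]


def digits_between_words(phrase: str) -> Iterator[str]:
    """Sequential digits between words: our1computer2never3crashes4does5it."""
    words = phrase.split()
    if len(words) > 1:
        joined = "".join(w + str(i + 1) for i, w in enumerate(words[:-1])) + words[-1]
        yield joined
        yield joined + "!"


def leet(w: str) -> Iterator[str]:
    """Uniform a/e/i/o/s substitution; a real rule set tries partial variants too."""
    yield w.translate(LEET)


def candidates(wordlist: list) -> Iterator[str]:
    """Every (seed, case, rule) combination, deduplicated."""
    seen = set()
    for base in wordlist:
        for w in case_variants(base):
            produced = [w, *leet(w)]
            for ch in SEPARATORS:
                produced.extend(interleave(w, ch))
                for n in range(1, MAX_REPEAT + 1):
                    produced.extend(split_with_run(w, ch, n))
            produced.extend(digits_between_words(w))
            for c in produced:
                if c not in seen:
                    seen.add(c)
                    yield c


def sha256_hex(s: str) -> str:
    return hashlib.sha256(s.encode()).hexdigest()


def crack(target_digests: set, wordlist: list) -> dict:
    """Hash each candidate; return digest -> plaintext for every hit."""
    found = {}
    for cand in candidates(wordlist):
        d = sha256_hex(cand)
        if d in target_digests:
            found[d] = cand
            if len(found) == len(target_digests):
                break
    return found


# Constructed 'breach dump'. In a real case only the digests are known to the
# attacker; the plaintexts are listed here only so the demo can build them.
LEAKED_PLAINTEXTS = ["F.l.y.e.r.t.a.l.k.", "Flyer;;;;;talk",
                     "our1computer2never3crashes4does5it"]
LEAKED_DIGESTS = {sha256_hex(p) for p in LEAKED_PLAINTEXTS}

if __name__ == "__main__":
    total = sum(1 for _ in candidates(WORDLIST))
    hits = crack(LEAKED_DIGESTS, WORDLIST)
    print(f"{total} candidates generated from {len(WORDLIST)} seeds")
    for d, p in hits.items():
        print(f"{d[:16]}...  {p}")
```

Three seeds expand to a few thousand candidates, which is nothing at the guess rates quoted in this thread: the 18-character "F.l.y.e.r.t.a.l.k." costs the attacker the same as the 9-character word it came from plus one rule, not 95^18 work. The haystack figure only holds when the attacker has to treat the string as random, and a rule set means they don't.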
Old Jan 23, 2016, 2:42 pm
  #29  
 
Join Date: Aug 2010
Location: ORF
Programs: Amex Plat, AA, BA Silver, Marriott Plat, Choice Gold, HHonors Gold, IHG Diamond
Posts: 3,749
Originally Posted by gqZJzU4vusf0Z2,$d7
All the gimmicks mentioned for passphrases, are already used by crackers, and for which hashcat rule sets already exist.

Use long, random machine generated passwords ... Kinda like my username. Use Nothing from a dictionary. Among the passwords I have cracked using hashcat, my favorite stupid password: You w!ll n3v3r b3 abl3 t0 brut3 f0rc3 th!$ l3ngthy passw0rd!

Hashcat cracked it in the first 24 hours using an 8-GPU rig, street price: $4.80US
And thus the rationale for frequently changing passwords (and although not always emphasized, usernames as well) and not reusing passwords. Your suggestions certainly increase the security of a password, but given enough time, any encoded information can be deciphered. There is no 100% safe solution--only best practices.

Your post, though, does demonstrate that the tools for decryption continue to evolve, and the best practices from five years ago or 2013 or even last year may no longer be safe.
lwildernorva is offline  
Old Jan 23, 2016, 5:31 pm
  #30  
 
Join Date: Jan 2005
Posts: 814
Sites are dumb if they allow brute force attacks. It's easy to allow only 3 attempts and then block further attempts for 5 minutes. Then a billion attempts would take over 3000 years!
glob99 is offline  
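The lockout the post above describes, implemented with an injectable clock so the five-minute window can be exercised, plus the arithmetic behind the "over 3000 years" figure. This is an added example, not code from any poster; the user store is a constructed in-memory dict and the PBKDF2 iteration count is an assumption to be tuned per deployment. The caveat the earlier hashcat posts make clear: throttling only slows guesses that go through the login form. An attacker holding a stolen hash database runs offline and never touches this code, which is why the stored hash here is a deliberately slow PBKDF2 rather than a bare SHA-256.

```python
"""Online guess throttling: 3 failures, then a 5-minute lock on that account.

Added example; not code from any forum poster. User store and clock are
constructed/injectable for the demo. PBKDF2_ITERATIONS is an assumption.
"""
import hashlib
import hmac
import os
import time

MAX_FAILURES = 3
LOCKOUT_SECONDS = 300
PBKDF2_ITERATIONS = 200_000          # assumption: tune to ~100 ms per verify
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256; slow on purpose to raise the offline cost."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    _, cand = hash_password(password, salt)
    return hmac.compare_digest(cand, digest)       # constant-time comparison


class LoginThrottle:
    """Per-account failure counter with a fixed lockout window."""

    def __init__(self, clock=time.monotonic, max_failures=MAX_FAILURES,
                 lockout_seconds=LOCKOUT_SECONDS):
        self._clock = clock
        self._max = max_failures
        self._lockout = lockout_seconds
        self._failures = {}
        self._locked_until = {}

    def is_locked(self, user: str) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self._clock() >= until:
            # Window expired: clear state so the next streak starts fresh.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str) -> None:
        n = self._failures.get(user, 0) + 1
        self._failures[user] = n
        if n >= self._max:
            self._locked_until[user] = self._clock() + self._lockout

    def record_success(self, user: str) -> None:
        self._failures.pop(user, None)
        self._locked_until.pop(user, None)


# Constant-cost credential for unknown usernames, so response time does not
# reveal which accounts exist.
DUMMY_CREDENTIAL = hash_password("not-a-real-password")


class AuthService:
    def __init__(self, users: dict, throttle: LoginThrottle):
        self._users = users          # user -> (salt, digest)
        self._throttle = throttle

    def login(self, user: str, password: str) -> str:
        """Returns 'ok', 'locked' or 'denied'."""
        if self._throttle.is_locked(user):
            return "locked"
        salt, digest = self._users.get(user, DUMMY_CREDENTIAL)
        ok = verify_password(password, salt, digest) and user in self._users
        if ok:
            self._throttle.record_success(user)
            return "ok"
        self._throttle.record_failure(user)
        return "denied"


def online_guesses_per_year(max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS) -> float:
    """Upper bound on guesses at one account through the throttled form."""
    return max_failures * SECONDS_PER_YEAR / lockout_seconds


def years_for_guesses(n_guesses: float, **kw) -> float:
    return n_guesses / online_guesses_per_year(**kw)


class FakeClock:
    def __init__(self, t: float = 0.0):
        self.t = t

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


if __name__ == "__main__":
    clock = FakeClock()
    svc = AuthService({"alice": hash_password("Oy, my aching left foot")}, LoginThrottle(clock))
    print([svc.login("alice", "wrong") for _ in range(3)])   # three denials
    print(svc.login("alice", "Oy, my aching left foot"))     # locked, even though correct
    clock.advance(LOCKOUT_SECONDS)
    print(svc.login("alice", "Oy, my aching left foot"))     # ok
    print(f"{years_for_guesses(1e9):.0f} years for a billion online guesses")
```

Two practical notes. A per-account lock like this lets anyone lock a victim out by sending three bad passwords, so production systems usually pair it with per-source rate limiting or escalating delays rather than a hard lock; and none of it helps once the hash table has left the building, which is where the slow, salted hash and the long random password from the manager do the work.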