
Password "security" ?

Old Jan 21, 2016 | 11:36 pm
  #1  
Original Poster
Join Date: Feb 2007
Location: YVR
Programs: Erstwhile Accidental AC E35K
Posts: 3,194

A question for the IT wizards out there: I tend to use a small number of passwords for multiple IT systems and sites (yes, I know, but my aging memory doesn't allow for dozens of unique passwords). What gets me is that different IT systems use different rules for what are supposedly "secure" passwords. Must be x characters long; must contain at least one upper case letter; must contain at least one number, etc. No two seem to have the same set of rules.

To make things worse, some systems force you to change passwords every three months, six months, or whenever the IT person's genitals itch.

So my normal workaround is to use a proper noun that means something to me, followed by a number. When I'm forced to change I simply increment the number by one. On one system I'm up to 14. More recently I ran across a new one: the password had to contain a "special" character such as ?!#*, etc.

Now the question: does all this horse manure *really* make things more secure, or is it just window dressing to make the IT geeks look like they're doing something useful???
Sopwith is offline  
Old Jan 21, 2016 | 11:43 pm
  #2  
Join Date: Jan 2010
Location: New York and Vienna
Programs: PA WorldPass Platinum, AA, DL, LH. GHA Black, SPG and HHonors Gold
Posts: 3,872
First, it's equally important to use different usernames.

Second, you are doing better than most based on what you already said but there's always room for improvement.

See this article for greater insight:
Password and 123456 Once Again Top Most Popular Password List for 2015 (So Please Change Yours)
Choosing a new password is as easy as 123456, at least for some.

Password management company SplashData released its annual list of commonly used passwords and the company's findings reveal that computer users not only continue to ignore exhortations from security experts but also ignore the significant publicity that the annual list generates.

The two top passwords on the list are the same as last year's, namely 123456 and (with apologies to Allen Ludden) password. The 2015 list reveals, among other things, that football may have overtaken baseball in popularity and that millions of users believe that substituting the number 0 for the letter o to create passw0rd would somehow be secure, although that may be a result of some password validation routines insisting that the password include at least one numeric character....

<SNIP>
Above appeared in FBT, where I serve as EdDir.
jspira is offline  
Old Jan 21, 2016 | 11:54 pm
  #3  
Original Poster
Join Date: Feb 2007
Location: YVR
Programs: Erstwhile Accidental AC E35K
Posts: 3,194
Originally Posted by jspira
First, it's equally important to use different usernames.

Second, you are doing better than most based on what you already said but there's always room for improvement.

See this article for greater insight:
Password and 123456 Once Again Top Most Popular Password List for 2015 (So Please Change Yours)

Above appeared in FBT, where I serve as EdDir.
Yes, I saw that article, which is what started me thinking about it. It's one thing to be just plain dumb about passwords, and another to use rules and passwords that actually improve security. That's my point.
Sopwith is offline  
Old Jan 22, 2016 | 12:01 am
  #4  
Join Date: Jan 2010
Location: New York and Vienna
Programs: PA WorldPass Platinum, AA, DL, LH. GHA Black, SPG and HHonors Gold
Posts: 3,872
Originally Posted by Sopwith
Yes, I saw that article, which is what started me thinking about it. It's one thing to be just plain dumb about passwords, and another to use rules and passwords that actually improve security. That's my point.
If we want to really improve security, we would get rid of passwords and use something more secure such as biometrics.

Remember what Henry Ford is supposed to have said: "If I had asked people what they wanted, they would have said faster horses."
jspira is offline  
Old Jan 22, 2016 | 12:14 am
  #5  
Join Date: Aug 2006
Location: San Jose CA
Posts: 1,100
Originally Posted by Sopwith
does all this horse manure *really* make things more secure, or is it just window dressing
The problem is that simple passwords are easy to break via so-called "dictionary searches". The horse manure is supposed to address that. But the problem is that "password" and "password1" and "passw0rd" are in the bad guy dictionary. And all of those are short, and thus easier to break than longer passwords.

The most secure approach requires two (or more) forms of authentication, like a password and a fingerprint, or a password and a code sent to your cell phone.

But getting back to how you generate passwords: you should use a better scheme that's easier to memorize. Here's a well-explained, venerable approach in cartoon form.

Last edited by boberonicus; Jan 22, 2016 at 12:24 am
boberonicus is offline  
Old Jan 22, 2016 | 1:57 am
  #6  
Join Date: Jul 2000
Location: in the vicinity of SFO
Programs: AA 2MM (LT-PLT, PPro for this year)
Posts: 19,784
I just use a password database program; my passphrase for that is a long sentence I'm unlikely to ever forget (not mine, and a little shorter, but think of "A long time ago in a galaxy far, far away...")

Passwords for important stuff are unique, randomized, and completely unmemorable -- I keep meaning to see if my most secure ones will let me use non-Roman characters, to really randomize it. 20 randomly selected printable Unicode glyphs is even more entropy.

A few sites where I need to be able to sign in without copy and paste got randomized sentences.

One problem with phrases/sentences is that while from a number-of-characters perspective they're very good, as people use them more they're actually pretty predictable given how standardized languages are... so if you know they're using a passphrase of english words separated by spaces, generating random multiword phrases/sentences is much quicker than generating meaningless strings of characters in between.
nkedel is offline  
Old Jan 22, 2016 | 3:18 am
  #7  
 
Join Date: Apr 2014
Location: Hertfordshire, UK
Programs: SQ,CX,LX
Posts: 343
I use 1Password on my Macbook, it creates very random passwords for you and stores logons, all encrypted. Just have to use a single memorable passphrase to unlock the 1Password menu, you can also store other sensitive stuff in there and I've had no problems with it so far.
Lussac is offline  
Old Jan 22, 2016 | 4:44 am
  #8  
Join Date: Dec 2014
Posts: 402
I use a password manager on my iPhone (I use Codebook, by Zetetic), and it allows me to hold numerous passwords/logins/emails/PINs/account numbers (sorted under categories of my choosing, like "travel", "work", "financial") - all under a single password. THAT password is a weird one like it's supposed to be, with a few lower case, a few upper case, a few numbers, and a few symbols (and not a word in any language). That way I can look up different passwords or PIN numbers as I need them.

The program can even generate random passwords if you want it to -- I don't. I use variations of a theme for most everyday passwords (like shopping sites or frequent-user cards), but I know I can easily change a password any time I want or need to, and I can always look up the new one on my iPhone if I forget it. It's particularly helpful for the ones I don't want to use that variation on a theme (like banking), and for passwords I use rarely.
Calliopeflyer is offline  
Old Jan 22, 2016 | 7:15 am
  #9  
Join Date: Nov 2002
Location: ORD
Posts: 14,771
I used to do the same thing, Sopwith, and did still at my most recent job where we had to change our passwords every 3 months. But for the last several years I've just used a password manager that generates a unique long random password for me, remembers it, and auto-fills it on the web page for the site in question. There are a bunch out there - 1Password, KeePass, and LastPass come to mind.

I use LastPass because it syncs online across all my devices and is easy to use. It also encrypts all your passwords on your computer and only passes the encrypted file over the internet. The company has been very open about how their software works, and the security reviews of it I've read all say it seems in order. It's free on one device and I think $12/year if you want it on multiple devices. The iPhone app is easy to use.

But to answer your question more directly, having a password that includes various character types (letters, numbers, punctuation) and is over 8 or 9 characters in length greatly increases the likelihood that the password won't be vulnerable to a dictionary attack.
gfunkdave is offline  
Old Jan 22, 2016 | 8:20 am
  #10  
Join Date: Nov 2006
Programs: Seniors Bus Pass
Posts: 5,561
I am with Dave on this ^

It does make a difference to security as most folks use a simple word etc. BTW, if any site of yours got compromised and your password was spotted to be "Labrador 8" or some such, you can guess that they would try Labrador 9, 10, 11 etc on that and other sites where you might operate!

Having used LastPass for a few years now I am a happy customer. You are not too old to learn, but learning how to do things efficiently is the most important lesson.

For a few dollars a year it makes life very simple for me on a laptop, desktop, ipad and phone.

You can have it set up to change passwords automatically at intervals so that is one less thing to have to worry about. You can set the standard "offered" password for new sites to be any combination of letters, numbers and symbols, also adjust it for each site. It really is easy. You can, for example, set a standard 15-character letter/number/symbol combination for each different site that you could never remember and when you are revisiting a site and logged in to LastPass it automatically populates the webpage and logs you in.

My white haired old head is very content with this as I now have a devilishly difficult different password for every site that I use now that no brute force cracking attack is going to get near anytime before I am pushing up daisies!

Last edited by antichef; Jan 22, 2016 at 8:27 am
antichef is offline  
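The "dictionary search" boberonicus describes in #5 and the "Labrador 8, then 9, 10, 11" guessing antichef describes just above are the same attack: a short wordlist run through mangling rules. The Python below is an added worked example for this page, not code posted by anyone in the thread or taken from any cracking tool. The wordlist, the rules and the "leaked" hashes are all constructed here, and unsalted SHA-256 is assumed as the stored format; real cracking tools apply thousands of rules against wordlists of millions of entries, so what is shown is a deliberately small slice of that.

```python
import hashlib

# Constructed wordlist standing in for the millions of entries in a real
# cracking dictionary: common words plus the kind of proper noun people
# pick because it means something to them.
BASE_WORDS = ["password", "football", "baseball", "labrador", "welcome"]

LEET_MAP = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"}
LEET_ALL = str.maketrans(LEET_MAP)

def leet_variants(word):
    """All-at-once substitution plus each single-character substitution."""
    yield word.translate(LEET_ALL)
    for i, ch in enumerate(word):
        if ch in LEET_MAP:
            yield word[:i] + LEET_MAP[ch] + word[i + 1:]

def mangle(word):
    """Candidate passwords derived from one base word by typical cracker
    rules: case changes, leet substitutions, an appended counter (with or
    without a space), an appended year, and a trailing 'special' character."""
    forms = {word, word.capitalize(), word.upper()}
    for base in (word, word.capitalize()):
        forms.update(leet_variants(base))
    for form in sorted(forms):
        yield form
        for n in range(100):                 # "Labrador 8", "Labrador 9", ...
            yield f"{form}{n}"
            yield f"{form} {n}"
        for year in range(1990, 2017):       # "Football2015"
            yield f"{form}{year}"
        for sym in "!?#*":                   # satisfies a "special character" rule
            yield f"{form}{sym}"
            yield f"{form}1{sym}"

def sha256_hex(text):
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def crack(target_hashes, words):
    """Try every mangled candidate against a set of unsalted SHA-256 hashes.
    Returns ({hash: plaintext} for the hits, number of guesses made)."""
    remaining = set(target_hashes)
    found = {}
    guesses = 0
    for word in words:
        for candidate in mangle(word):
            guesses += 1
            h = sha256_hex(candidate)
            if h in remaining:
                found[h] = candidate
                remaining.remove(h)
                if not remaining:
                    return found, guesses
    return found, guesses

# Constructed "leaked" database: hashes of four passwords built the way the
# thread describes, plus one 12-character random string for contrast.
PREDICTABLE = ["password1", "Passw0rd", "Labrador 14", "Football2015"]
RANDOM = "kQ7#pLz2vR9w"
TARGETS = {sha256_hex(p): p for p in PREDICTABLE + [RANDOM]}

if __name__ == "__main__":
    found, guesses = crack(TARGETS, BASE_WORDS)
    for plaintext in found.values():
        print(f"cracked {plaintext!r}")
    print(f"{len(found)} of {len(TARGETS)} recovered after {guesses} guesses;"
          f" {RANDOM!r} never appears in any rule output")
```

All four "predictable" passwords fall within a few thousand guesses, including the one that meets a length, mixed-case, digit and special-character policy, because the rules reproduce exactly the tricks the policy pushes people toward. The random 12-character string is never generated by any rule and would have to be brute-forced across the full character space instead.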
Old Jan 22, 2016 | 9:19 am
  #11  
 
Join Date: Jun 2005
Location: Tri-State Area
Posts: 4,728
Originally Posted by Lussac
I use 1Password on my Macbook, it creates very random passwords for you and stores logons, all encrypted.
Bump +1 for 1Password.

I prefer it over LastPass because it doesn't sync over cloud. But you can manually sync across various devices regularly....yes, it's a pain in the bxxx but LastPass did get hacked last year!
dtsm is offline  
Old Jan 22, 2016 | 10:00 am
  #12  
Join Date: Nov 2002
Location: ORD
Posts: 14,771
Originally Posted by dtsm
Bump +1 for 1Password.

I prefer it over LastPass because it doesn't sync over cloud. But you can manually sync across various devices regularly....yes, it's a pain in the bxxx but LastPass did get hacked last year!
Everyone gets hacked - and "hacked" is a term that can mean different things. Did the attackers gain access to a database? A thermostat? The TV in the lounge? If they got into a database, did it have sensitive information on it? If it contained user passwords, did they get the data? In what format?

LastPass's response to that particular breach was stellar. They said what happened, they said what they did to strengthen defenses, and they were transparent about it. Even if people got my entire encrypted password store from LastPass, there's very little they can do with it since I use a strong master password.

So I'm not worried, and I like the seamless online transfer and update of my passwords to and from my various devices.
gfunkdave is offline  
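gfunkdave's point that a stolen encrypted vault is only as good as the master password behind it can be made concrete. The Python below is an added example written for this page; it is not LastPass's, 1Password's or any other product's actual scheme. It derives the vault key from the master password with PBKDF2-HMAC-SHA256 from Python's standard library, stores only a verifier rather than the key, and shows how the iteration count multiplies an offline attacker's cost per guess. The iteration count, the sample master password, the salt and the assumed HMAC rate are all illustrative assumptions.

```python
import hashlib
import hmac
import os

# Assumed work factor for the example; real vault products choose their own
# and raise it over time.
ITERATIONS = 100_000

def derive_key(master_password, salt, iterations=ITERATIONS):
    """Stretch the master password into a 256-bit vault key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)

def make_verifier(master_password, salt, iterations=ITERATIONS):
    """Value that is safe to store beside the vault: a hash of the key,
    never the key itself, so the key only exists in memory after unlock."""
    key = derive_key(master_password, salt, iterations)
    return hashlib.sha256(b"vault-verifier" + key).digest()

def check_master(master_password, salt, verifier, iterations=ITERATIONS):
    """Constant-time check that a candidate password unlocks the vault."""
    candidate = make_verifier(master_password, salt, iterations)
    return hmac.compare_digest(candidate, verifier)

def new_vault(master_password, iterations=ITERATIONS):
    """Public parameters for a fresh vault: a random per-vault salt plus the
    verifier. An attacker who steals both still has to run the KDF per guess."""
    salt = os.urandom(16)
    return salt, make_verifier(master_password, salt, iterations)

def offline_attack_seconds(candidates, iterations, hmac_per_second):
    """Time for an attacker holding salt+verifier to test `candidates`
    passwords: every guess costs `iterations` HMAC evaluations, so the
    stretch divides the attacker's guess rate by that factor."""
    return candidates * iterations / hmac_per_second

if __name__ == "__main__":
    # Constructed master passphrase for the demo (not anyone's real one).
    master = "a long time ago in a galaxy far, far away"
    salt, verifier = new_vault(master)
    print("unlock with right passphrase:", check_master(master, salt, verifier))
    print("unlock with wrong passphrase:", check_master(master + "!", salt, verifier))
    # Assumed attacker: 10^8 HMAC-SHA256 evaluations per second, testing a
    # list of one billion candidate master passwords.
    days = offline_attack_seconds(10**9, ITERATIONS, 1e8) / 86400
    print(f"10^9 guesses at {ITERATIONS} iterations: {days:,.0f} days")
```

The stretch does not replace entropy: at 100,000 iterations the attacker's per-guess cost rises by that factor, so a master password drawn from a tiny space (a word plus a digit) still falls in minutes, while a long random passphrase plus the stretch is what puts the stolen vault out of practical reach.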
Old Jan 22, 2016 | 10:20 am
  #13  
Ambassador: Emirates Airlines
 
Join Date: Sep 2004
Location: Manchester, UK
Posts: 19,797
LastPass is great on mobile devices that have fingerprint recognition. No need to enter your long password, just authenticate using your fingerprint, and the passwords autofill.
DYKWIA is offline  
Old Jan 22, 2016 | 10:20 am
  #14  
Join Date: Aug 2010
Location: ORF
Programs: Amex Plat, AA, BA Silver, Marriott Plat, Choice Gold, HHonors Gold, IHG Diamond
Posts: 3,860
Principles of mathematics explain the rules of password security pretty well--since they're used both by security personnel and hackers--so that you can understand the rationale for your IT department's rules. Ignoring for the moment the likelihood of use of a popular password--such as "password"--the limit of password possibilities is established by the number of available characters with the number of characters in the password indicating the number of times I multiply the number of available characters against itself. The keyboard I'm using for this post has 92 different possible characters, counting each letter twice for uppercase and lowercase (thus, the rationale for some IT departments requiring at least one uppercase letter in a password).

For the purposes of an example, I'll also ignore normal minimum password length rules for a moment (although the example illustrates the reason for the rule). If my password is 2 characters long and the password contains all characters--no spaces and no nulls, there are 8464 possible passwords. Give me reasonable access to a computer (a weekend) and no lockout program, and I don't need to use a software program to figure out the password--I'll just keep entering character combinations until I happen on the right one. Now, add in insight to the human probability of using something standard, such as the words "an," "on," "at," or even "pm" or "TD" or the number "10," and I may not need a whole weekend to figure out a password. As you can imagine, a hacker using a computer program can figure out that password in much less than a second.

Now you can see why many password security protocols require at least eight characters for a password as well as numbers, uppercase letters, and symbols (since that uses the full character keyboard rather than just the subset of lowercase letters, which yields only 676 possible two-letter password combinations). Under the same assumptions as above, there are now over 5 quadrillion password possibilities (92 to the eighth power as opposed to 92 squared). You've completely taken human interaction to solve a password out of the equation, but computers can still figure this out within an hour. And now, more sophisticated probability programming (lazy users are more likely to use a word than nonsense thus the dictionary attack gfunkdave references and hackers also eventually figure out that folks will substitute a "1" or "!" for "i" or "I") can shortcut the search by promoting certain more likely combinations instead of pursuing a brute force attack--which makes sense because the longer the password, the more complex the password so a more sophisticated method of attack must be employed.

Finally, the requirement for changing passwords recognizes that with enough time to search, there is no secure password, no matter how long or confusing you've made it. Now, most confusing passwords will withstand attack for a very long time, but as an extra layer of security, IT departments, such as my employer's, have made it a requirement that you change your password every 90 days. The random password generators out there take this principle to its logical conclusion: if your password constantly changes, there is an even lower likelihood that it'll ever be cracked.

So yes, this stuff works, but it's just like putting lighting up around your house, installing locks, getting a guard dog, and buying a security service to monitor your home. The principle in both situations is to decrease the likelihood of something bad happening, but there's no way to eliminate the possibility.

From my perspective, my accommodation to these necessary levels of security is to use an organizing principle to generate my passwords while trying to exceed the minimum security rules--in effect, a more sophisticated application of the use of a familiar name, such as your kid's or your dog's, to create a password. I tend to use my personal interests--golf and travel--to generate passwords that are easy to remember while somewhat more difficult to crack. And I try to consider less used characters (I think we know "1", "!", "@," and "3" are pretty well trod) but in a place where I'd expect them to be.

As a result, last fall, I went to the Outer Banks of North Carolina for a week. My password at work leading up to that trip was "OBX--October." Not impossible to crack, but a lot harder than "OBX". I've also used "I loved playing Pebble!" since the security protocol at work allows spaces between words--not all do. Even something as simple as my hometown, "Norfolk, Virginia" becomes a relatively difficult password to crack because I've used a comma and spacing--still two things that aren't as likely to be used in passwords. This is still an easy password (and organizing principle) to remember while creating something harder to crack than "password1." Since I generally have some trip upcoming, I can also change the password more frequently than every 90 days to account for my next trip.

I realize this post was a bit long, but I think it helps to understand the reasons your IT department pushes the rules they do.
lwildernorva is offline  
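lwildernorva's arithmetic above (92^2 = 8464, 26^2 = 676, 92^8 over 5 quadrillion) and nkedel's point in #6 that a phrase of dictionary words is searched word by word rather than character by character can be put into one calculation. The Python below is an added worked example for this page, not code from any post. The guess rates and the 7776-word list size are assumptions chosen for illustration; the keyspace and entropy arithmetic itself is exact.

```python
import math

def keyspace(charset_size, length):
    """Distinct strings of `length` symbols drawn from `charset_size` symbols."""
    return charset_size ** length

def entropy_bits(charset_size, length):
    """The same search space expressed in bits: log2 of keyspace()."""
    return length * math.log2(charset_size)

def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a fixed guess rate."""
    return space / guesses_per_second

def humanize(seconds):
    """Render a duration with the largest sensible unit."""
    units = [("years", 365 * 86400), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3g} seconds"

# Assumed guess rates (not from the thread): a rate-limited online login
# might absorb ~100 guesses/s; an offline attack on a stolen fast-hash
# database runs billions per second on commodity GPUs.
ONLINE_RATE = 1e2
OFFLINE_RATE = 1e10

def compare():
    """Rows of (label, keyspace, bits, worst-case offline time, online time)."""
    cases = [
        ("2 chars, 92 symbols",            92, 2),
        ("2 chars, lowercase only",        26, 2),
        ("8 chars, 92 symbols",            92, 8),
        ("12 chars, 92 symbols",           92, 12),
        ("20 chars, 92 symbols",           92, 20),
        # Four words picked uniformly at random from an assumed 7776-word
        # list: the attacker searches 7776^4 phrases, not 92^(string length),
        # so the phrase is weaker than its character count suggests.
        ("4 random words, 7776-word list", 7776, 4),
    ]
    rows = []
    for label, n, k in cases:
        space = keyspace(n, k)
        rows.append((label, space, round(entropy_bits(n, k), 1),
                     humanize(seconds_to_exhaust(space, OFFLINE_RATE)),
                     humanize(seconds_to_exhaust(space, ONLINE_RATE))))
    return rows

if __name__ == "__main__":
    print(f"{'password shape':32} {'keyspace':>30} {'bits':>6}  offline / online")
    for label, space, bits, offline, online in compare():
        print(f"{label:32} {space:>30,} {bits:6.1f}  {offline} / {online}")
```

Two things fall out of the table that the posts above argue in words. First, length dominates: each extra character from the 92-symbol set multiplies the space by 92, which is why 12 random characters are out of reach at the assumed offline rate while 8 are not. Second, a four-word phrase carries about 52 bits even though it is 20-odd characters long, so it is the word count and the size of the list the words came from that set its strength, not the character count a policy checker sees.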
Old Jan 22, 2016 | 10:23 am
  #15  
Join Date: Jan 2010
Location: New York and Vienna
Programs: PA WorldPass Platinum, AA, DL, LH. GHA Black, SPG and HHonors Gold
Posts: 3,872
What does everyone here think of Keychain?
jspira is offline  

