SIGforum
I want legislation that stops websites from dictating password requirements.

This topic can be found at:
https://sigforum.com/eve/forums/a/tpc/f/230601935/m/1820007144

May 13, 2018, 09:42 AM
Monk
My password, my choice!


____________________________________________________________

Georgeair: "...looking around my house this morning, it's not easily defended for long by two people in the event of real anarchy. The entryways might be slick for the latecomers though...."
May 13, 2018, 09:50 AM
mcrimm
Good point. I have a password manager on my iPhone that has all of my 100 or so passwords. I refer to it daily.

Most people just write them down and put them next to their computer or put em on a sticky, I would guess.

Insanity




I'm sorry if I hurt your feelings when I called you stupid - I thought you already knew - Unknown
...................................
When you have no future, you live in the past. "Sycamore Row" by John Grisham
May 13, 2018, 10:05 AM
k5blazer
At work they are going to start a 17 word pass phrase as a requirement.
May 13, 2018, 10:15 AM
V-Tail
This has been posted before, but it is appropriate for this topic:
Today I opened a new email account, I always use the same password: "cabbage". It's easy to remember. But it seems the computer had other plans...

Please enter your new password:

"cabbage"

Sorry, the password must be more than 8 characters.

"boiled cabbage"

Sorry, the password must contain 1 numerical character.

"1 boiled cabbage"

Sorry, the password cannot have blank spaces.

"50bloodyboiledcabbages"

Sorry, the password must contain at least one upper case character.

"50BLOODYboiledcabbages"

Sorry, the password cannot use more than one upper case character consecutively.

"50BloodyBoiledCabbagesShovedUpYourArse,IfYouDon'tGiveMeAccessnow”

Sorry, the password cannot contain punctuation.

“ReallyPissedOff50BloodyBoiledCabbagesShovedUpYourArseIfYouDontGiveMeAccessnow”

Sorry, that password is already in use!



My hovercraft is full of eels
May 13, 2018, 10:37 AM
Skull Leader
I'm under the understanding that most 8 character passwords with upper/lower/special/numeric character are able to be brute forced in time.

I was told that you should use pass phrases with at least 17 characters because with today's technology it would take them a couple centuries to brute force it.

So one example could be: Maryhadalittlelamb

The difficulty to brute force a password grows exponentially with each additional character.
May 13, 2018, 10:50 AM
ScreamingCockatoo
It might be insurance requirements dictated to the company.
We're required to change all of our passwords at work every 90 days.





He who fights with monsters might take care lest he thereby become a monster.
May 13, 2018, 10:50 AM
Chowser
Haha. My yahoo mail account has a 20 character passphrase.
My bank account has a 9 character passphrase.
I should probably switch those.

All my gov’t accounts have long passwords with so many restrictions and I have to change them every 60 days. It sucks.



Not minority enough!
May 13, 2018, 11:00 AM
henryaz
quote:
Originally posted by Chowser:
All my gov’t accounts have long passwords with so many restrictions and I have to change them every 60 days. It sucks.

The company I worked for back in the 1990's/early 2k did government contract work, primarily for HHS. The password rules specified in their contracts gradually grew more complex, specifying length, complexity, frequency of change, and reuse (not). Based on that evolution, I'd hate to think what the specs are today.
 
Linux (at least back then) would kick back easy to guess passwords when root entered them for a user. One I recall was 'Nosila' plus some numbers, which Linux quickly identified as a word spelled backwards.

The main issue I have with web sites is not the complexity required, but the fact that different rules apply with the characters and length. Some still would permit 'cabbage'. Some 'special characters' are not allowed on some sites, and the ones disallowed vary from site to site. One site requires all the special stuff, but says the pw must begin with a letter. The minimum and maximum lengths vary, from 8, to some topping out at 15 or 20, and some permitting 32 (which I like). And so on.
 
I get that 'iH}9g>L49u.(4JWiVnLY}' is probably more secure than 'cabbage', but, OOPS, the curly and angle brackets are not permitted on this site.
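
The kind of guessability check described in the post above (rejecting a word spelled backwards with numbers added), as an added sketch that is not part of the original post and not the actual Linux code. The function name, the tiny word list, the substitution table and the digits in the sample input are constructed for illustration.

```python
import re

# Constructed sample word list; a real check would load a large dictionary.
WORDS = {"alison", "cabbage", "password", "monkey", "dragon"}

# Common character substitutions undone before the dictionary lookup (assumed set).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def weak_reason(candidate, words=WORDS, min_len=8):
    """Return why a candidate password is easy to guess, or None if no rule fires."""
    if len(candidate) < min_len:
        return "too short"
    lowered = candidate.lower()
    # Drop leading/trailing digits and punctuation: 'Nosila1234' -> 'nosila'.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if not core:
        return "no letters"
    # Check the core as typed, then with substitutions undone, forwards and reversed.
    for form, label in ((core, ""), (core.translate(LEET), " with substitutions")):
        if form in words:
            return "dictionary word" + label
        if form[::-1] in words:
            return "dictionary word reversed" + label
    return None


if __name__ == "__main__":
    # Constructed inputs; 'Nosila' and 'cabbage' come from the thread, the digits do not.
    for pw in ("Nosila1234", "cabbage", "Cabbage99", "p4ssw0rd", "iH}9g>L49u.(4JWiVnLY}"):
        print(f"{pw!r}: {weak_reason(pw) or 'accepted'}")
```

Note that the check places no limit on which punctuation is used, so the bracketed password from the post passes as typed.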
 
May 13, 2018, 11:41 AM
ensigmatic
quote:
Originally posted by Monk:
My password, my choice!

Then take your business elsewhere?

A service provider of ours decided I had to change my password regularly. So I told them "Ain't playin' that game. It's nonsense. So delete our on-line account access and resume sending us paper billing."

Sites establish minimum password/pass-phrase requirements because people tend to choose very stupid passwords, like "password." People choosing stupidly-easy passwords are also why some places insist users regularly change their passwords.

quote:
Originally posted by Skull Leader:
I'm under the understanding that most 8 character passwords with upper/lower/special/numeric character are able to be brute forced in time.

Well, yes, but...

If the site enforces even a slight retry delay, and makes any effort at all to temporarily blacklist the sources of repeated failed attempts, that could be a very, very long time. As in longer than your lifetime.

This assumes that crack isn't being run against a stolen password database, in which case ev3nVeRYl0n9pa55wrods! aren't safe.

I have had passwords as short as six characters and have yet to have had an account cracked, and I've been on-line as long as there's been an Internet. Had dial-up access to logins before that.

All that being said: I suggest passwords longer than eight characters, mixed-case in non-traditional places, throwing-in the odd numeric and punctuation character, not using any whole words or anything that can in any way be guessed from who you are, what you do, who you know, where you live, your pets' names, etc.

XKCD's take on passwords:





"America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe
"If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher

May 13, 2018, 11:15 PM
Kskelton
A password at my job requires me to change it every 90 days... I just add an exclamation point to the end every time... I think I’m up to 20 or so now...

What pisses me off are the passwords that won’t let you use one of your last 50 passwords for something dumb like a spam gmail account.. so then I change my password to something else that inevitably I forget because it’s not one of the 3-4 passwords I use... I should definitely get a password keeper but then I’ll forget to save the passwords in that...


www.OneStopFirearms.com
May 14, 2018, 12:16 AM
jhe888
Their computer hacking insurance probably requires it. Why would you want the government involved?




The fish is mute, expressionless. The fish doesn't think because the fish knows everything.
May 14, 2018, 01:28 AM
Rey HRH
The guy who created the government document on password requirements admitted he was wrong.

The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time

Most companies still haven't changed based on the guy's realization.

I hate that on one site, I have to use special characters then on another site, no special characters allowed.

I worked for companies that required a new password every 90 days, I simply incremented the number that was part of my password.

I wouldn't log in too often on a site where they require me to change my password every so often. I think if you're stupid enough to use password123 as a password, you're asking for what you get.



"It did not really matter what we expected from life, but rather what life expected from us. We needed to stop asking about the meaning of life, and instead to think of ourselves as those who were being questioned by life – daily and hourly. Our answer must consist not in talk and meditation, but in right action and in right conduct. Life ultimately means taking the responsibility to find the right answer to its problems and to fulfill the tasks which it constantly sets for each individual." Viktor Frankl, Man's Search for Meaning, 1946.