What's the price of your password?


bakedjake

2:11 pm on Apr 20, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found.

[news.bbc.co.uk...]

If you have a company with employees who you wouldn't trust with your life, remember this: social engineering is still the number one threat to computer security.

mack

9:29 pm on Apr 20, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Pretty interesting read. In a few companies I have worked with, you were required to change your password once every 2 weeks. It was also not possible to use the same password again, so you could not rotate it.

Mack.

victor

10:00 pm on Apr 20, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Mack, I've worked places where a password had to include upper and lower case letters and digits and symbols (i.e. at least one of each).

And it had to be at least 8 characters long.

And you have to change it once a month.

And you can't reuse old ones.

Sounds secure?

But you can bet that today a good 75% of those users have a password which is a variant of:

Apr-2004

There aren't many other memorable ways of coming up with something that passes all the filters.

Too many rules make for insecure passwords.

mack

10:04 pm on Apr 20, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Either that or it ends up written on the bottom of a mouse mat lol.

Mack.

bakedjake

10:05 pm on Apr 20, 2004 (gmt 0)

WebmasterWorld Administrator 10+ Year Member Top Contributors Of The Month



Too many rules make for insecure passwords.

Too many rules make for too many sticky notes.

graywolf

4:28 pm on Apr 22, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Maybe the sticky note people are secretly behind IT security departments in an effort to sell more sticky notepads.

ogletree

4:44 pm on Apr 22, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The problem with secure passwords (i.e. long, alphanumeric), and especially if they have to be changed often, is that people cannot remember them. What you end up with is everybody having their password on a sticky or under their keyboard or in their desk. Strict passwords are often not as secure as simpler ones.

trillianjedi

4:47 pm on Apr 22, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Too many rules make for insecure passwords.

I agree.

I'm still using the same password I've used since 1981, with the exception of any public sites (such as my password here) for which I have one from about 1986.

TJ

bird

6:26 pm on Apr 22, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



How to create a password that is hard to guess, but easy to remember:

Think of a memorable phrase with 8 or more words containing some numbers, in title capitalization.

Webmasterworld is the Number 1 Site on the Web

Then take the first letter of each word:

WitN1SotW

Of course, forcing people to change their passwords once a month will make even those hard to remember after a while...

About that article: It's absolutely unclear to me how they came to their conclusions. Did they actually collect passwords to prove their point, or did they just ask hypothetical questions? ("if I was asking you for your password...")
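As an added illustration (not code from anyone in this thread), the following Python script puts bird's phrase-to-initials technique next to the kind of composition policy victor describes, and shows why a filter alone does not help: the date-style password sails through the rules while the mnemonic does not. The policy values (upper, lower, digit, symbol, at least 8 characters, no reuse) are assumptions taken from victor's post; the "month-year" detector, the password history and the candidate list are constructed for the demo.

```python
import hashlib
import re

# Assumed policy, modelled on victor's description (not an actual product's rules).
MIN_LENGTH = 8
MONTHS = ("jan", "feb", "mar", "apr", "may", "jun",
          "jul", "aug", "sep", "oct", "nov", "dec")
# Month name or abbreviation, optional separator, then a four-digit 19xx/20xx year.
DATE_PATTERN = re.compile(r"(?i)(" + "|".join(MONTHS) + r")[a-z]*[-_ ./]?(19|20)\d{2}")


def mnemonic(phrase: str) -> str:
    """bird's technique: keep the first character of each word of a memorable phrase."""
    return "".join(word[0] for word in phrase.split())


def composition_failures(pw: str) -> list:
    """Return the composition rules pw breaks; an empty list means it passes them all."""
    checks = [
        ("length", len(pw) >= MIN_LENGTH),
        ("upper", re.search(r"[A-Z]", pw) is not None),
        ("lower", re.search(r"[a-z]", pw) is not None),
        ("digit", re.search(r"[0-9]", pw) is not None),
        ("symbol", re.search(r"[^A-Za-z0-9]", pw) is not None),
    ]
    return [name for name, ok in checks if not ok]


def looks_like_month_year(pw: str) -> bool:
    """Flag the predictable 'Apr-2004' family victor describes.
    Deliberately crude: 'may' inside an unrelated word will also trigger it."""
    return DATE_PATTERN.search(pw) is not None


def _fingerprint(pw: str) -> str:
    # Constructed history store for the demo only. A real system keeps slow,
    # salted password hashes (bcrypt/argon2), not a bare SHA-256 of the password.
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def evaluate(pw: str, history: set) -> dict:
    """Combine the composition rules, the no-reuse rule and the date-pattern check."""
    failures = composition_failures(pw)
    reused = _fingerprint(pw) in history
    predictable = looks_like_month_year(pw)
    return {
        "composition_ok": not failures,
        "failures": failures,
        "reused": reused,
        "predictable": predictable,
        "accepted": not failures and not reused and not predictable,
    }


if __name__ == "__main__":
    # Constructed history: the user's previous password was last month's variant.
    history = {_fingerprint("Mar-2004")}
    candidates = (
        "Apr-2004",
        mnemonic("Webmasterworld is the Number 1 Site on the Web"),
        "Mar-2004",
        "WitN1SotW!",
    )
    for candidate in candidates:
        print(candidate, evaluate(candidate, history))
```

Two things fall out of running it. bird's example, WitN1SotW, contains upper, lower and a digit but no symbol, so under victor's four-class rule it would be rejected while Apr-2004 passes every class and the length check. Only the extra pattern check, which looks at what the password is rather than which character classes it contains, catches the date variant; that is the check a policy owner would want to add instead of tightening the composition rules further.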

Roomy

6:58 pm on Apr 22, 2004 (gmt 0)

10+ Year Member



I saw a good technique once of using a standard first part of a password followed by a site-specific part of the password.

As an example, you could always start your passwords with 123 and, depending on the site you use, it could be 123webmasterworld or 123MyBank etc. etc.

I just use random ones and then keep clicking on forgot password links.

D_Blackwell

12:45 am on Apr 26, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



Too many rules make for insecure passwords.

Password management is a huge problem for even motivated people, much less the masses, for whom they are just a pain to deal with at all.

I keep a list. A long one. It's impossible for me not to. I do take the security of the list very seriously, but its existence is essential. (Merely possessing the list would not be sufficient. The list itself is tricked up.) I also reuse usernames and passwords. There are simply too many.

vkaryl

11:35 pm on Apr 26, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



I use the same password for any site which is not a "secure site" or a "security risk" site.

I have a randomizer I use for our "have to have a new one every fortnight and can't reuse old ones" at work. I've also been known to use the randomizer (it's an electronic doohickus for rpgs actually) for short passwords for secure-access sites.

Mostly as far as stuff like this forum, various non-https sites, etc. I use just the same one I've used for years, and with my firewalls, etc. I haven't had any problems.

I do keep close track of things like my credit reports etc. though, since I do a lot of ordering online with credit cards, and regardless that sites of that nature are supposedly secure, and that I use a one-time hashed password on most of them, I'm not really trusting.... I grew up in Las Vegas - guaranteed to make one NEVER trust most people....

paybacksa

5:53 pm on Apr 29, 2004 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



It's not the user's fault, it's 1) weak corporate management and 2) sick corporate culture.

1. IT says you have to change your password every month, can't reuse old ones, need to use a minimum of 762 characters, 413 of them high ascii, etc... Whah whah whah whinewhinewhine and everybody complains to management... IT is then told by management to lighten up and let them use the old passwords. Duh. Stupid management.

2. A chocolate bar? Hmm.. I like chocolate bars. My password? Screw it.. it's not my data, what do I care. As long as I think it will not be a real problem for me, you can have it! (sick corporation - disaffected employees, no ownership of the company's future, lack of respect for management, little accountability, etc etc etc)