Ask Slashdot: Changing Passwords For the New Year?

timothy posted more than 2 years ago | from the just-use-2012-and-your-initials dept.

Security 339

New submitter windcask asks "Every New Year's Day, I assemble and memorize a random collection of seven to ten mixed-case alphanumeric characters and proceed to change every password I have on the interwebs to these characters (plus a few extra characters unique to the site). The problem is I only change them on the sites I visit. Once in a while, I'll come across a site I haven't visited for a few years, and I may end up not being able to guess the password before the try-lockout takes effect. What are your password-changing rituals, and how do they deal with situations like mine? I do use Keepass for work, but it is sometimes impractical for times I'm at other computers."

I like to use the uncrackable password... (-1, Offtopic)

Anonymous Coward | more than 2 years ago | (#38543808)

...of f1r5t_P0s+

Re:I like to use the uncrackable password... (-1)

Anonymous Coward | more than 2 years ago | (#38544508)

Amazing! I've got the same password on every fucking story that gets posted!
*exasperation*

Pwdhash (4, Informative)

Overly Critical Guy (663429) | more than 2 years ago | (#38543812)

I use a free implementation of the Stanford PwdHash algorithm for the Mac called Locksmith (here on the app store [apple.com]). There are also websites that implement PwdHash, and even a Firefox add-on. By changing one master password, all the passwords I generate will automatically be changed when I regenerate them.
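
The derive-everything-from-one-master idea behind PwdHash (and PasswordMaker later in the thread), as an added example that is not part of this post and not the real PwdHash algorithm: a hypothetical HMAC-SHA256 scheme keyed with the master over the normalised site name, with the output forced to satisfy the "one of each class" rules other posters complain about. The `yearly_master` helper expresses the submitter's New Year ritual for this scheme; all names and inputs are assumptions.

```python
import hashlib
import hmac
import string

# Output alphabet and the character classes many sites insist on.
SYMBOLS = "!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)


def derive_site_password(master: str, site: str, length: int = 16) -> str:
    """Derive a per-site password from one memorised master password.

    Hypothetical scheme in the spirit of PwdHash (not the real PwdHash
    algorithm): HMAC-SHA256 keyed with the master password over the
    normalised site label. Nothing is stored; the same inputs always give
    the same output, and changing the master changes every site password.
    """
    if not 4 <= length <= 28:
        raise ValueError("length must be between 4 and 28")
    # Normalise so 'Slashdot.org ' and 'slashdot.org' derive the same password,
    # while a look-alike domain derives a different (and useless) one.
    label = site.strip().lower()
    digest = hmac.new(master.encode("utf-8"), label.encode("utf-8"),
                      hashlib.sha256).digest()
    # Map bytes onto the alphabet. The modulo introduces a slight bias
    # (256 is not a multiple of len(ALPHABET)); acceptable for illustration.
    chars = [ALPHABET[b % len(ALPHABET)] for b in digest[:length]]
    # Make the output pass "one of each class" rules deterministically,
    # using tail bytes of the digest, which never overlap digest[:28].
    for i, cls in enumerate(CLASSES):
        chars[i] = cls[digest[-1 - i] % len(cls)]
    return "".join(chars)


def passes_site_rules(password: str) -> bool:
    """Check the rule set several posters complain about: every class
    present, and only characters from the allowed alphabet."""
    return (all(any(c in cls for c in password) for cls in CLASSES)
            and all(c in ALPHABET for c in password))


def yearly_master(base: str, year: int) -> str:
    """The submitter's ritual, expressed for this scheme: fold the year
    into the master so every derived password rolls over at once."""
    return f"{base}:{year}"


if __name__ == "__main__":
    # Constructed inputs for demonstration; do not reuse as real secrets.
    for year in (2011, 2012):
        m = yearly_master("correct horse battery staple", year)
        for site in ("slashdot.org", "example.com"):
            print(year, site, derive_site_password(m, site))
```

The trade-off the "Congratulations" reply below gets at still applies: a leaked master, or an offline guess at it from one derived password, exposes every site, so the master must be strong and the site label must be something a phishing domain cannot reproduce.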

Congratulations (-1, Troll)

Anonymous Coward | more than 2 years ago | (#38543814)

... all your accounts are compromised if one of them is compromised. Smart move.

Re:Congratulations (1)

Anonymous Coward | more than 2 years ago | (#38544006)

Nice job reading the summary. Try again with the part that says "plus a few unique characters per site". Now see if what you said makes any sense. Correct! It doesn't.

1st (-1)

Anonymous Coward | more than 2 years ago | (#38543816)

:D

Ahem (5, Insightful)

Anonymous Coward | more than 2 years ago | (#38543824)

What a good way to harvest guessing algorithms... Not giving you mine!

Re:Ahem (2)

postbigbang (761081) | more than 2 years ago | (#38544342)

Yeah, if ever there was a phish attempt, this is it. Makes me wonder about the common sense of those nominating posts like this.

one a year?? what about places where it's 30 days (4, Funny)

Joe_Dragon (2206452) | more than 2 years ago | (#38543834)

But it's the new year; time to change password12 to password1.

Lastpass (5, Interesting)

Anonymous Coward | more than 2 years ago | (#38543838)

https://lastpass.com/

I do not use the same password for multiple sites (1)

Anonymous Coward | more than 2 years ago | (#38543844)

I use a different password for each site/service I use. Otherwise, each one of the parties I trust with my data would have the credentials to ALL of my resources instead of just the data I entrusted them with.
Even assuming good faith from all these parties, one of them could get hacked, and my credentials stolen. I want the damage to be limited to that third party in this case.

Re:I do not use the same password for multiple sit (3, Informative)

Pharmboy (216950) | more than 2 years ago | (#38544156)

Most websites don't store your password, just a hash of it. When you enter the password, it hashes what you just entered then compares the hashes. Reverse engineering the password when you only have the hash isn't trivial.

Re:I do not use the same password for multiple sit (5, Insightful)

CapOblivious2010 (1731402) | more than 2 years ago | (#38544284)

Far too many websites actually DO store the password (because they're idiots)

Re:I do not use the same password for multiple sit (0)

Pharmboy (216950) | more than 2 years ago | (#38544516)

What are you basing this on? A guess? Most websites use *nix, and all versions of *nix have built in facilities for storing passwords as hashes. It would take more effort to make them store the passwords as words.

Re:I do not use the same password for multiple sit (4, Informative)

Alan Shutko (5101) | more than 2 years ago | (#38544592)

Based on my experiences working on websites, far too many companies store the password in plain text. Many, many more will hash it, but will hash it ineffectively by not salting it. Lots of the people working on these websites don't even understand the kinds of attacks salting and hashing are intended to block.

As an example, look at mailman, the mailing list manager. Not only did it store the plaintext password, it mails it to you monthly. Fortunately, the current developers aren't idiots and have removed this flaw (as of ~2007) but tons of sites out there are still using the old version since I keep getting the "reminders".

Trust me... Spend a bit of time in industry working on these websites, and you'll understand.
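
The three storage choices Pharmboy and Alan Shutko argue over (plaintext, unsalted hash, salted slow hash), as an added example that is not code from either poster or from any of the products named here. It uses a constructed user table with two users sharing a password, shows why an unsalted hash leaks that and falls to a table built once, and verifies the salted form; the PBKDF2 iteration count is an assumption.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Work factor for PBKDF2; an assumption for this illustration, tune to your hardware.
ITERATIONS = 100_000


def store_plaintext(password: str) -> str:
    """What a site does when it simply keeps the password (the mailman case)."""
    return password


def store_unsalted(password: str) -> str:
    """Hash without a salt: identical passwords give identical records."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_salted(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt plus a slow KDF; record format is 'salthex$hashhex'."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt.hex() + "$" + dk.hex()


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, dk_hex = record.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def precomputed_lookup(record: str, wordlist: List[str]) -> Optional[str]:
    """The attack an unsalted hash invites: a table of hash(word), built once,
    serves every leaked database. Returns the matching word, if any. A salted
    record never matches because each salt would need its own table."""
    table = {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in wordlist}
    return table.get(record)


def compare_schemes(users: Dict[str, str]) -> Dict[str, int]:
    """Count distinct stored records per scheme for a user table.
    Plaintext and unsalted storage reveal which users share a password;
    salted storage gives every user a distinct record."""
    return {
        "plaintext": len({store_plaintext(p) for p in users.values()}),
        "unsalted": len({store_unsalted(p) for p in users.values()}),
        "salted": len({store_salted(p) for p in users.values()}),
    }


if __name__ == "__main__":
    # Constructed user table; two of the three users share a weak password.
    users = {"alice": "password1", "bob": "password1", "carol": "Tr0ub4dor&3"}
    print(compare_schemes(users))
    # Constructed toy wordlist standing in for a precomputed table.
    wordlist = ["123456", "password1", "letmein"]
    print(precomputed_lookup(store_unsalted("password1"), wordlist))  # found
    print(precomputed_lookup(store_salted("password1"), wordlist))    # None
```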

Re:I do not use the same password for multiple sit (5, Insightful)

icebike (68054) | more than 2 years ago | (#38544466)

That's exactly what I was thinking. For any site that matters, the most they can do is reset it for you, not tell you what it was. Most sites just don't matter. Other than your Karma, how much damage can be done when they hack your Slashdot password?

But I gotta ask, Why bother changing every year?

Changing a secure password offers no additional security. It's not like they wear out.

If crooks haven't broken into the login during the course of the year, changing it may actually make it weaker. Those hovering over your shoulder to catch one key today and the next key tomorrow should be pretty obvious after a year, don't you think? The key loggers would have found you long before the year is up, and the timing routines can be outfoxed by simply typing with only one finger, a different finger each day.

Most sites that force you to change do so more frequently than a year. And 99.44% of them end up having users simply adding ascending digits to the key, which becomes pretty easy to guess.

Re:I do not use the same password for multiple sit (3, Insightful)

Fnord666 (889225) | more than 2 years ago | (#38544586)

Changing a secure password offers no additional security. It's not like they wear out.

If crooks haven't broken into the login during the course of the year, changing it may actually make it weaker.

One measure of the security of a password is the amount of time it would take to compromise it as compared to its useful lifetime. Assuming the password database is stolen today, would someone be able to compromise your password before you changed it?

http://xkcd.com/936/ (5, Informative)

Anonymous Coward | more than 2 years ago | (#38543862)

Re:http://xkcd.com/936/ (4, Funny)

kurthr (30155) | more than 2 years ago | (#38543910)

I only use correct_horse_battery_staple now that I know how hard it is to guess!

Re:http://xkcd.com/936/ (1)

rubycodez (864176) | more than 2 years ago | (#38544136)

now I don't even need the xkcd $5 wrench to get yours.

Re:http://xkcd.com/936/ (2)

Whiteox (919863) | more than 2 years ago | (#38544656)

Yeah but there are no numbers in that and underscore may not be accepted on some sites. Also it's more than 12 characters.
Best solution I came up with is to change the keyboard layout to include diacritical marks and make a password that includes some of those characters: éíáý

Re:http://xkcd.com/936/ (1)

grumbel (592662) | more than 2 years ago | (#38544194)

That sadly fails on like 40% of the services out there, as they don't allow passwords longer than 20 or so characters.

Re:http://xkcd.com/936/ (0)

Anonymous Coward | more than 2 years ago | (#38544558)

And/or require some combination of uppercase, lowercase, numbers, and symbols.

Others disallow some symbols.

Re:http://xkcd.com/936/ (1)

hedwards (940851) | more than 2 years ago | (#38544222)

Ultimately, even that isn't enough to really solve the problem. If you have 2 or 3 sites that you need to track, it's probably not a problem, but these days just about every site demands a login to use, even free sites; good luck keeping 20 or 30 sites straight even with a simplifier like that. At that point you might as well just use 30 or 40 random characters, as you're not going to remember 20 or more unique logins.

Re:http://xkcd.com/936/ (3, Funny)

Ambvai (1106941) | more than 2 years ago | (#38544228)

I use a variant of that: Pick a line from a song you know well. It also works well with monthly rotations: Just pick the nth line from the song. Admittedly, last time I had a problem with that when I needed somebody else to use my account and they couldn't spell Ipanema...

Re:http://xkcd.com/936/ (1, Redundant)

Edis Krad (1003934) | more than 2 years ago | (#38544400)

Password length is not enough. The reason they ask you to add numbers and punctuation signs is that common words for passwords are susceptible to dictionary attacks.

Forget & create new ones (0)

Anonymous Coward | more than 2 years ago | (#38543868)

I don't remember the /. password I created in 1998, it was tied to my netscape email address of which I've forgotten the password. So, several accounts and passwords on, I'm always posting AC now.

1Password (2)

chrisgeleven (514645) | more than 2 years ago | (#38543870)

Enough said.

Re:1Password (1)

Krishnoid (984597) | more than 2 years ago | (#38543992)

Or Lastpass. I've heard good things about 1password as well.

Re:1Password (1)

Ethanol-fueled (1125189) | more than 2 years ago | (#38544110)

I don't really care about my personal online accounts, because I'm not rich or important (or even visible thanks to my rejection of social networking) enough to be worth compromising.

But work requires me to change my password on a regular basis. Each password requires at least an upper-case letter and a number, so I started with 1Password. Then 1Passnord. Then 1Passgord. Then 1Passhord. Then I repeat as necessary, unless the workplace policy doesn't allow any previously-used passwords. Then I start using 1Passwerd. Then 1Passwird. Then 1Passward...

Re:1Password (5, Funny)

Anonymous Coward | more than 2 years ago | (#38544440)

To whoever stole my account, please give it back.

Re:1Password (2)

Fnord666 (889225) | more than 2 years ago | (#38544494)

The problem with 1password is that they want you to buy a license for each platform. If you have both an OSX and a Windows machine, an iPhone and an iPad you are looking at shelling out $85 - $90 in licensing costs. Base cost for just the Mac app is $49.99. I think the only reason a lot of people have it is because 1password seems to be in most every Mac app bundle out there. It's a good app, but I don't know if it's $50 good.

Password manager? (4, Informative)

OttoErotic (934909) | more than 2 years ago | (#38543880)

Why not use a password manager and skip all that hassle? I use a portable version of KeePass, with both the app and my password database synced through Dropbox so I have them everywhere, including my phone. Random 20+ character passwords for every site and you can set expirations for every one so you don't have to remember when to change them, and all you have to remember is the master password. I don't understand why everyone in the world doesn't do this, it's just so convenient.

Re:Password manager? (3, Insightful)

artor3 (1344997) | more than 2 years ago | (#38543932)

Because it can be inconvenient. Say I want to log in to a particular site on a friend's computer. I don't want to download KeePass on their PC, so I have to read the password off my phone. Reading and typing a 20+ character random string without errors is the opposite of convenience.

Re:Password manager? (1)

OttoErotic (934909) | more than 2 years ago | (#38544004)

That makes sense, I guess I just never have that need myself. Although in that case I would think something similar but browser-based, like LastPass, would work well.

Re:Password manager? (1)

Anonymous Coward | more than 2 years ago | (#38544020)

There's not going to be a better way other than remembering what your password is. For the use case described in the opening question, Keepass should only need to jar your memory for this year's old password anyway.

Re:Password manager? (2)

FoolishOwl (1698506) | more than 2 years ago | (#38544220)

If there's a password you're actually expecting to need to type yourself now and then, use a passphrase or something similar. Even if you aren't concerned with memorizing the passphrase, five or six randomly selected words are usually much easier to type quickly and accurately, and you just need to look at your password vault for a reminder.

Re:Password manager? (1)

Krishnoid (984597) | more than 2 years ago | (#38544374)

Lastpass is pretty popular and works in exactly this case. In particular, it makes it easier to have longer, unique passwords for different sites.

Re:Password manager? (0)

Anonymous Coward | more than 2 years ago | (#38544550)

Because the Linux and Android versions suck llama dong.

Lastpass (0)

Anonymous Coward | more than 2 years ago | (#38543882)

I just use lastpass; it has a useful tool that will tell you all of your insecure and duplicate passwords and gives each one a rating. The security tool really forces you to change the insecure password we use for 200 forums.

It may not be sensible to have everything protected by a master password, but I find it better to have secure passwords that even I don't know rather than simple or the same passwords used across multiple forums and sites.

Lastpass also supports dual-factor auth using YubiKey, which I find really useful. The cross-browser and platform support also makes it easy to take it everywhere.

It may not be perfect, but it's a lot more secure than what I was doing in the past to manage logins to nearly 300 sites.... (crazy, isn't it)

PasswordMaker (0)

Anonymous Coward | more than 2 years ago | (#38543886)

I use and highly recommend: http://passwordmaker.org/
No stored passwords; you only need to remember one master password, with which it generates a unique password for every account/site.
When the time comes to use new passwords, I just add a number at the end of the URL.

The answer is still keepass (4, Informative)

roc97007 (608802) | more than 2 years ago | (#38543894)

Keepass is available for Blackberry, iOS, Android. (even Windows 7 Mobile, if that's how you roll.) You can migrate database files between PC and handheld device. (Although you should be careful of having company passwords on a personal device -- there might be a policy against that.)

In your case, I'd spend an hour of quality time in keepass changing your passwords, sync it to work and home PC and whatever device you carry, then make all your websites conform.

As to websites you haven't visited in a long time and have forgotten about, I don't have an answer. I have essentially the same problem with forums that require you to register to participate. I may only visit the forum once, but my login is forever.

Re:The answer is still keepass (1)

KingofSpades (874684) | more than 2 years ago | (#38544022)

For very old websites I just click on "I forgot my password". It usually works!

Re:The answer is still keepass (1)

roc97007 (608802) | more than 2 years ago | (#38544076)

True, especially if you always use the same login name, or it requires an email address for login and you've had the same email address since like forever.

Re:The answer is still keepass (1)

KingofSpades (874684) | more than 2 years ago | (#38544568)

True, especially if you always use the same login name, or it requires an email address for login and you've had the same email address since like forever.

I use spamgourmet as an email proxy for such websites (I recommend it!).
This means that you don't really need to track or remember all those emails. You just need to change the spamgourmet forward address when you change your primary email. The last time for me was 5 years ago or so...

Re:The answer is still keepass (0)

Anonymous Coward | more than 2 years ago | (#38544108)

"keepass"? Couldn't they have named it so that it doesn't sound like some kind of porn site?

Re:The answer is still keepass (2)

hedwards (940851) | more than 2 years ago | (#38544238)

Because that wouldn't be a malevolent portmanteau, or as I call them malamanteau.

Re:The answer is still keepass (0)

Anonymous Coward | more than 2 years ago | (#38544406)

Bugmenot could be an option for one-time-only visits.

Re:The answer is still keepass (1)

lakeland (218447) | more than 2 years ago | (#38544482)

I use 1Password. It has a feature of providing an interface with all your passwords, the sites they are for and the last time you changed that password. I have never done so but it would be fairly painless to sort by last modified date and update all of your old passwords.

I don't know Keepass, but a quick Google search shows this information is stored, so you could always export the data and process it that way if there is no GUI feature.

Keepass for everything! (3, Interesting)

John Bresnahan (638668) | more than 2 years ago | (#38543900)

There are versions of Keepass available for both the iPhone and Android (perhaps others as well). I use DropBox to keep my phone and main computers in sync. Works like a champ!

Re:Keepass for everything! (0)

Anonymous Coward | more than 2 years ago | (#38544410)

Is that name supposed to mean "Kee pass" or "Keep ass"? The first doesn't sound right, since kee isn't a word. And the second doesn't sound right either, since I don't think ass is the word you want to use when you name a piece of software.

I use... (1)

flohuels (1920394) | more than 2 years ago | (#38543906)

... KeePassDroid [keepassdroid.com] on my Android phone and used to have some self-written MIDlet for the same purpose on my old J2ME phone for having my passwords on the go.

I don't care (4, Insightful)

Threni (635302) | more than 2 years ago | (#38543908)

I gave up caring a few years ago. I protect my online banking, amazon etc passwords (write them down at home, long and random) but everything else I couldn't care less. If my Slashdot/openid etc ones get guessed or whatever then I'll just create a new account. Don't kid yourself that anyone cares about your online persona - they don't. Friends will get an email from you about your new G+/facebook account. Everyone else will just not be interested in "RandomInternetGuy10248034034" now being known as "RandomInternetGuy23038908343". It's just not worth the mental effort remembering, nor the paper writing down 40 odd passwords. It's just some website.

posting as an anon just to make a point (0)

Anonymous Coward | more than 2 years ago | (#38544340)

Or give up the identity altogether and join the anonymous.

If what you say is not sufficient, then you are in the wrong group that judges people by their online "handles".

Re:I don't care (4, Insightful)

Dwedit (232252) | more than 2 years ago | (#38544538)

This only applies to people who don't have Moderator or Admin privileges on websites. Otherwise, you need to keep your account safe.

As a regular user, the worst someone can do is a Joe Job, make the compromised account send nasty things to other users, or send a ton of spam.

But if you've ever been a Moderator or Admin, you need to keep your password safe.

Why? People can't see my password... (0)

Anonymous Coward | more than 2 years ago | (#38543928)

Never (0)

Anonymous Coward | more than 2 years ago | (#38543934)

I've pretty much never changed a password to any of my online accounts unless I forgot it, and so far I've had 0 issues with people guessing my passwords. I do have different level passwords, for example nowhere uses the same password that my bank uses, and websites that I register on just to comment or something get the weaker passwords so as not to jeopardize my accounts on sites I trust. I don't regularly change them and don't see any reason to.

1Password + Dropbox (1)

F69631 (2421974) | more than 2 years ago | (#38543952)

I completely adopted the strategy described in this article: The Only Secure Password is the One You Can't Remember [lifehacker.com]. Essentially, I have a different password for every single website, service, etc. and all of them are behind a strong master password in software called 1Password. The encrypted file is saved to DropBox, so it's both online and on several computers (including my smartphone). For a more detailed description and reasoning for why that's good, see the article.

The upsides: It's extremely unlikely that my passwords ever get into the wrong hands (I guess it would require someone finding out my master password and stealing the encrypted file. That would be a realistic threat if the CIA was after my passwords, but for my needs that's essentially as safe as it gets). Even if one site I use is hacked, I don't use the same password anywhere else. 1Password costs a bit (something like 35 bucks, I think) but it's a pretty good password vault: There is good dropbox integration, smartphone apps (which also work well with smartphone DropBox apps), browser extensions, automatic backups of the encrypted file, etc.

The downside: If I were to ever lose all instances of the encrypted file (I don't know how that could happen. I currently have it on three computers in two different locations, on my smartphone and in DropBox service) I would lose all my passwords, which would be very bad. I just assume that this risk is unlikely enough to be non-existent.

Re:1Password + Dropbox (0)

Anonymous Coward | more than 2 years ago | (#38544064)

How do you log in to Dropbox? :-)

Re:1Password + Dropbox (1)

rubycodez (864176) | more than 2 years ago | (#38544116)

It's hardly the end of the world if you lose all your passwords; you can go through the hassle of "I forgot my password" on four dozen sites.

Re:1Password + Dropbox (0)

Anonymous Coward | more than 2 years ago | (#38544154)

The problem with exclusively using Dropbox to store your password file is that it automatically updates every other instance when you log in. If you accidentally or if someone purposefully deleted it, that change would cascade to all of your other online computers. Plus since Dropbox is generally set to start when you turn on a computer, you would have to be aware that it was deleted and purposefully start a computer with networking turned off to retrieve it.

Of course the solution to this is to store it somewhere else offline in addition to Dropbox, or on a web host somewhere.

Re:1Password + Dropbox (1)

hedwards (940851) | more than 2 years ago | (#38544252)

Dropbox isn't a backup service. If you're backing up your data you should be able to recover most if not all of the entries from a backed up copy of the database.

Re:1Password + Dropbox (1)

Anonymous Coward | more than 2 years ago | (#38544264)

The problem with exclusively using Dropbox to store your password file is that it automatically updates every other instance when you log in. If you accidentally or if someone purposefully deleted it, that change would cascade to all of your other online computers. Plus since Dropbox is generally set to start when you turn on a computer, you would have to be aware that it was deleted and purposefully start a computer with networking turned off to retrieve it.

Of course the solution to this is to store it somewhere else offline in addition to Dropbox, or on a web host somewhere.

Dropbox does versioning. Just restore the old version.

My method (1)

KingofSpades (874684) | more than 2 years ago | (#38543974)

The ritual is to have a tiered set of passwords:
- very simple passwords for very stupid sites
- a password committed to memory for serious web sites
- Keepass for financial websites (banking, taxes, etc.). These passwords are impossible to memorize. (Eg: JvKE5qKjOb11HdIKWf1E)

KeePass all over. (0)

Anonymous Coward | more than 2 years ago | (#38543978)

Step 1. Crack AES, SHA-256
Step 2. Find .KDB files
Step 3. ????
Step 4. Something with a cloud
Step 5. Profit

My sure fire technique (1)

amorpheous (733409) | more than 2 years ago | (#38543980)

Just write it on a sticky note and put it under your keyboard; this is a time honored practice of millions of users, and that many people CAN'T be wrong!

Re:My sure fire technique (2)

Bing Tsher E (943915) | more than 2 years ago | (#38544524)

Why under the keyboard? If someone breaks into my house, the last thing I will worry about is them stealing my passwords. Really, complex password schemes for trivial website and blog registrations is just an exercise in vanity. Guess what? Nobody cares!

KeePass(X|Droid) + Dropbox (1)

Azelphur (2000262) | more than 2 years ago | (#38543986)

I use KeepassX on my Linux machines, and KeepassDroid on my phone. This combined with Dropbox keeps it all synced. I have a unique password for every site I use; it's the best way to ensure safety, and you never have to worry about forgetting anything.

Bad advice: dropbox files can be seen by many (1)

dbIII (701233) | more than 2 years ago | (#38544148)

The good thing about putting it all on dropbox is that if you forget your dropbox password you can still get in. The bad thing is so can anybody that you've previously given dropbox access even when you think you cut them off (earlier slashdot story) or at times in the past anybody at all (earlier slashdot story), and the dropbox admins can certainly read all your files (earlier slashdot story).
WTF are people suggesting putting anything that you would not want to see the next day in a newspaper on dropbox? Haven't you guys heard how many holes have been found so far and how they were caught out that the service is not as the advertising implies? Even plain FTP (for all its many faults) is more secure than those losers, which indicates a depressing level of incompetence.

Re:Bad advice: dropbox files can be seen by many (1)

LordVader717 (888547) | more than 2 years ago | (#38544616)

Which is why the KeePass file is encrypted.
I would worry more about the machines you use themselves being compromised. A simple keylogger might expose all your passwords. Getting your hands on the KDB file is the easy part.

Re:KeePass(X|Droid) + Dropbox (1)

Anssi55 (729722) | more than 2 years ago | (#38544164)

I have exactly the same setup.

When I'm at some other computer and need some seldom-used password I can't remember, I just look it up on my phone.

Some I Use only once (1)

dmomo (256005) | more than 2 years ago | (#38543996)

There are a handful of sites that I visit very infrequently, like my (now closed) student loan site, or my domain registrar.
When I want to log in, I use the "forgot/reset password feature" and wait for a link to show up in my inbox. I "click here" to change it to something random and needlessly complicated, log in and don't bother writing it down.

Ridiculous and useless (0)

Anonymous Coward | more than 2 years ago | (#38544010)

Why in hell would you give people BETTER odds than ONE in infinity by repeatedly changing passwords. It seems to me that all this does is increase the CHANCES for someone to guess your pass.

Keep your password private, make sure no one ever watches while you type it, and don't use Windows and/or public computers.
My .02.

P.S. I DO have unique passes for every site I visit using a formula similar to this:

Sl45h(1st pet's name)(year pet died)(my house number)(3 random characters)
This makes each password somewhat unique but gives me a fighting chance at remembering all of them.

Technique for security "questions" (2)

dmomo (256005) | more than 2 years ago | (#38544036)

And since it's easy to find out what the make of my first car was, or what year I graduated, I have an alter ego with answers to those questions. I know what year "she" was born, "her" mother's maiden name, etc.

As an extra layer, I don't just answer "What year did you graduate high school" with: 1938.
I say: "year1938". And one more layer:

Since this is likely stored as plain text, I have a site-unique word mixed in:
"year1938banking"

Re:Technique for security "questions" (1)

Anonymous Coward | more than 2 years ago | (#38544134)

This is a great idea in addition to strong password methods.
Have an alternate "persona" who answers all these questions.
Same goes with passwords as well, in fact.

Better yet, leave clues to passwords IN your security questions if possible, so you don't need to change it. (works with most sites you can write your own questions on.)
And of course, the sites that don't let you write your own questions, just answer your own questions with your own answers anyway. Something nobody will ever know.

I memorized a simple cipher:
A 4x4 square, vertical axis has 4 letters, horizontal has 4 numbers.
For a website, say, Slashdot, I'd match up the number combinations, then the letter combinations for Slashdot and use that in the password.
So someone would both need to know my password phrases I use, the word I choose to describe sites, in addition to the letters and numbers on the 2 axes.
Ultra secure for the ultra paranoid. Can't be too careful when it comes to security.

Password Ritual (0)

Anonymous Coward | more than 2 years ago | (#38544040)

I don't change mine very often. I have a password made of unconnected words that is far more secure than random alphanumeric characters. Far more secure to have a very strong password that you don't change often than less secure ones you change frequently.

Different tiers of passwords (0)

Anonymous Coward | more than 2 years ago | (#38544042)

I keep passwords in tiers of how important they are to me and how likely they will be compromised:

Tier 1: Money
Tier 2: Reputation
Tier 3: Sites I'm unsure of their password keeping policies
Tier 4: For sites I might have to share access with someone else

Completely separate: Work

Every time I select a new password it gets applied to tier 1 and the old one from tier 1 gets moved to tier 2, etc. In this way it's easy to remember all the passwords I use; it still takes a bit of guessing depending on how I originally classified that site, but eventually I put the right one in. Makes it much easier to remember passwords when you have used them for years and still be completely random numbers, letters and symbols.

Keepass (1)

Anonymous Coward | more than 2 years ago | (#38544048)

Keepass database on the thumb drive in my pocket, and emailed to myself.
New Years Day is for hangover recovery, not random char memorization.

Reset the password every time you visit (1)

Nkwe (604125) | more than 2 years ago | (#38544050)

For sites I don't visit often, I just reset the password every time I go there. Sure it takes a couple of extra minutes, but these are sites that I visit a couple of times a year or less. For sites I visit a lot, remembering the password is not a big deal.

Think of it as poor man's federation with your email password.

Never (0)

Anonymous Coward | more than 2 years ago | (#38544056)

What's the point?
I've had the same passwords for up to 10 years.
Considering the length of my passwords, bruteforcing is not a viable option.
I don't access my important stuff from computers other than my own either.

I don't (5, Insightful)

smash (1351) | more than 2 years ago | (#38544066)

I have sufficiently secure passwords that I see no benefit in changing just because.

Cloud Docs (1)

Whiteox (919863) | more than 2 years ago | (#38544072)

I create a spreadsheet with relevant info (not just passwords) uploaded to Google Docs or other cloud-based site(s). At most I remember 2 sets of usernames/passwords, one set to access the site and the other to decrypt the cloud docs. Simple and accessible from most devices.

Re:Cloud Docs (0)

Anonymous Coward | more than 2 years ago | (#38544188)

First I saw the short version of your comment, where you said to upload all the passwords as a spreadsheet into Google's cloud. I laughed so hard.
Then I opened it and read the full comment, where you mention additional layers of security, which is more reasonable.
Still, IMO, I prefer to write everything down on paper, and to have two full copies. One in my wallet, another in a safe place.
Should one of the two be compromised, hopefully I can change them before the attackers have a chance to do anything.

-HasHie

P.S. Why does it have to be a cloud site? Doesn't regular file storage accessible from the internet cut it?
P.P.S. Cloud == new buzzword == evil computing architecture that is being pushed

Re:Cloud Docs (1)

Whiteox (919863) | more than 2 years ago | (#38544502)

You are right. For 'cloud' read any file site. In fact I can't see any difference between a web-based email service with a doc buried somewhere in 1000 sent items or a highly encrypted dedicated service. It doesn't matter. But the info I upload isn't mission critical, just user/passwords for junk forums, DNS, a contacts list backup and stuff that is totally pointless to keep, like activation codes of games/software, download site passwords and masses of other stuff.
I don't consider myself worth hacking, and if anyone manages to hack these docs it's no great loss.
Mission critical stuff like CP passwords, FTP, etc., are never digitized and only exist on paper in a secure office environment.
Anyway, GP seemed to be more concerned about login info for old sites, not mission critical stuff.

it's easy (1)

rubycodez (864176) | more than 2 years ago | (#38544084)

Write 'em all down, store them in a couple of safe places. In general, access to people's information, identity theft, and fraud isn't done via passwords; there are much easier ways.

Changing condoms for the new year (-1)

Anonymous Coward | more than 2 years ago | (#38544112)

Your mom deserves a fresh one ;)

-HasHie

Lockout? (1)

R.Mo_Robert (737913) | more than 2 years ago | (#38544140)

If you have to try so much that you're going to get locked out (surely you suspect something after one or two failed attempts), doesn't the site offer some sort of password retrieval function? I know this doesn't really answer your question directly, but it seems like it would work for the few sites you seem to forget about each year.

Re:Lockout? (0)

Anonymous Coward | more than 2 years ago | (#38544178)

Posting AC, but I meant retrieval or reset (and of course, I prefer the latter). Oops.

What's this? (1)

Exitar (809068) | more than 2 years ago | (#38544168)

The annual meeting of paranoid geeks?

There is extremely little value in changing. (5, Insightful)

Above (100351) | more than 2 years ago | (#38544184)

If you look at all the possible attack vectors and scenarios, changing your passwords once a year changes your statistical chances of being hacked or losing data very little. The ROI is low enough that I wouldn't recommend changing your passwords on a regular schedule.

Picking good (as in hard to crack) passwords is more important. For random web properties, using a different password for each is key, so that when one is compromised and caught storing passwords in plain text, only one account is compromised.

However, that's all not what I want to talk about. This entire question is the result of a huge failure of the industry. Every web site uses a password. Every one has a different idea of what a "good" password is, meaning if you come up with one (or use a generator) it won't always be allowed. Google has taken a step forward with their two factor options (via say, a cell text) but that's not really a practical option for many small web sites.

This is an excellent case for a PKI. Users should generate a public-private key pair, and provide the public key to the web site upon sign up. Extra authentication steps could be done at setup (web of trust à la PGP, known entities à la X.509, callback texts, whatever). Users would sign a login blob with their private key to authenticate.

Using the same key for many web sites is much less dangerous. Compromising the web sites, and all the public keys, gets the attacker approximately nothing. They can be stored in plain (unencrypted) format on the web server. The only attack is to get the user's private key, which can be encrypted on their machine behind passwords, biometrics, or whatever. Getting one user's private key gets you only one user; it's a low-value attack.

What's needed is a standard format for this encrypted exchange, and then support by clients (from web browsers to ssh clients) and their corresponding server services. This is where the industry is letting us down.

If the big 15-20 web properties could get together with the big 4 browsers and make this happen it would be a huge leap forward.
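The exchange the comment proposes, as an added example in Go that is not the commenter's code: the server stores only the user's Ed25519 public key, issues a random nonce, and verifies the client's signature over a login blob. The site names ("example.org", "other.example") and user name are constructed placeholders, and binding the site name into the signed blob is an assumption added here (the comment only says "sign a login blob") so that a signature one site obtains cannot be replayed to another site that holds the same public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server stores only the public key per user; it needs no secrecy.
type Server struct {
	site  string
	users map[string]ed25519.PublicKey
}

// Challenge issues a fresh random nonce for one login attempt.
func (s *Server) Challenge() []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// loginBlob is what gets signed. Binding the site name in stops a signature one
// site obtains from being replayed to another site holding the same public key.
func loginBlob(site string, nonce []byte) []byte {
	return append([]byte("login:"+site+":"), nonce...)
}

// SignLogin runs on the client; the private key never leaves it.
func SignLogin(priv ed25519.PrivateKey, site string, nonce []byte) []byte {
	return ed25519.Sign(priv, loginBlob(site, nonce))
}

// Verify checks the signature against the stored public key for user.
func (s *Server) Verify(user string, nonce, sig []byte) bool {
	pub, ok := s.users[user]
	return ok && ed25519.Verify(pub, loginBlob(s.site, nonce), sig)
}

// Demo returns (genuine login accepted, signature made for another site accepted).
func Demo() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := &Server{site: "example.org", users: map[string]ed25519.PublicKey{"alice": pub}}
	nonce := srv.Challenge()
	genuine := srv.Verify("alice", nonce, SignLogin(priv, "example.org", nonce))
	crossSite := srv.Verify("alice", nonce, SignLogin(priv, "other.example", nonce))
	return genuine, crossSite
}
func main() { fmt.Println(Demo()) }
```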

Used to have one password for everything (0)

Anonymous Coward | more than 2 years ago | (#38544396)

I used to have one password for everything.

Then I progressed to a series of text files (one per website) listing the username/password combination(s) for that site, plus any additional useful info (e.g. routing number and account number). I used a random password generator to make secure passwords (considering so-called "security questions" to simply be additional, also random and secure, passwords). I encapsulated these in a 7-Zip archive (with a "master" password, naturally) and uploaded it to my GMail account (which had a password for which I had a mnemonic for memory's sake, so I'll never forget it). I also carried them on a flash drive when necessary which, though hopelessly insecure, was always in my possession. Had I ever lost the flash drive, my first action would have been to get on GMail, fetch the archive and decrypt it, and change every password for every site (updating the text files and the archive, naturally). I had to put that into action once when not the flash drive but my computer was stolen. Since Firefox remembers my passwords, I played it safe and changed all of them.

Lately it occurred to me that with the "encrypt filenames" option (which I used) it would be a lot less hassle to simply use subfolders in the 7-Zip archive for each website, a subfolder within named for the username, and a 0-byte file named for the password. The only drawback to this plan is that a username or password cannot contain either a forward- or back-slash (any other characters not supported by Windows can still be used if you just rename files within the 7-Zip archive), which forced me to either come up with a different password or use a text file in the archive. But the thing I like about it is that it's not decrypting a text file and possibly leaving it in a temp folder somewhere.

KeePass and SVN (0)

Anonymous Coward | more than 2 years ago | (#38544426)

I just keep my keepass databases in an SVN repo which I sync across my computers and that's it. So fucking simple!

You don't get invited to many parties (1)

Osgeld (1900440) | more than 2 years ago | (#38544462)

do you?

Quit working so hard - use Seed Mapping (0)

Anonymous Coward | more than 2 years ago | (#38544478)

Quit working so hard - use Seed Mapping

Start with a seed that's in front of you as you log on to the site, for instance MicroSoft. A simple seed would be the first four letters "micr". There. You're halfway done.

Now simply expand this seed onto the keyboard in a visually consistent way. Let's use the two keys above the seed key for this example. "m" becomes "Ju", "i" becomes "8*", "c" becomes "de" and "r" becomes "4$" yielding the password - "Ju8*de4$". No, don't try to memorize that mess, just watch your fingers as they move.

See the pattern? THAT is the trick. This password meets all the standard criteria, yet you don't have to memorize it - just look at the name, then map it visually with your personal method.

Notice I capitalized the first character and had to shift to get the "*" and "$" because I ran out of room moving up the keyboard. That's one way of including special characters and caps. If you don't want special characters, wrap to the bottom of the keyboard instead.

The beauty is, memory was not a factor. It's simply visual. It's best to not even think about what keys you're hitting - just hit the two above your seed character. I honestly have no idea what my passwords are, I just know the pattern that produces them.

It's easy once you define a method. For the above approach:

Gmail would produce "T5juq18*"
Yahoo would produce "6^q1y69("
FaceBook would produce "R4q1de3#"

Again, no memorizing. OK, go ahead and use this example method if you like. It's better than using your dog's name. And you won't need to read any further. But remember you'll have the same passwords as every other person who happens to read this blog and goes to the same sites you do.

Or... You can quickly customize:

http://sierracomputergroup.blogspot.com/search/label/Passwords
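The mapping rule from the comment above, as an added example in Go (not the commenter's code): a US QWERTY layout, each seed letter replaced by the two keys above it, the shifted key used when the top row runs out, and the first character capitalised. It reproduces the four outputs the comment lists and makes two things explicit: the function takes no secret, so the output is fixed by the site name alone, and the whole scheme depends on one specific keyboard layout.

```go
package main

import (
	"fmt"
	"strings"
	"unicode"
)

// US QWERTY rows, top to bottom (column = index); any other layout gives different output.
var rows = []string{"1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"}
// Shifted form of each top-row key, used when there is no row above ("ran out of room").
const shiftedTop = "!@#$%^&*()_+"

// keyAbove returns the key one row up from k, or k's shifted form on the top row.
func keyAbove(k rune) rune {
	for r, row := range rows {
		if col := strings.IndexRune(row, k); col >= 0 {
			if r == 0 {
				return rune(shiftedTop[col])
			}
			return rune(rows[r-1][col])
		}
	}
	return k // not on the keyboard map: passed through unchanged
}

// SeedMap derives the password from the first four letters of the site name: each
// letter becomes the two keys above it and the first character is upper-cased.
// No secret enters this function: anyone who knows the method and the site name gets the password.
func SeedMap(site string) string {
	seed := strings.ToLower(site)
	if len(seed) > 4 {
		seed = seed[:4]
	}
	var out []rune
	for _, k := range seed {
		up := keyAbove(k)
		out = append(out, up, keyAbove(up))
	}
	if len(out) > 0 {
		out[0] = unicode.ToUpper(out[0])
	}
	return string(out)
}

func main() {
	for _, s := range []string{"MicroSoft", "Gmail", "Yahoo", "FaceBook"} {
		fmt.Printf("%-9s -> %s\n", s, SeedMap(s))
	}
}
```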

Re:Quit working so hard - use Seed Mapping (1)

backspaces (747193) | more than 2 years ago | (#38544574)

Er... what about keyboards that have different geometry? Phones differ, for example.

Mail Account (1)

backspaces (747193) | more than 2 years ago | (#38544526)

The strongest password needs to be your email account.

Why? "I forgot my password". Doh!

Tiered passwords (0)

Anonymous Coward | more than 2 years ago | (#38544570)

I do my passwords in tiers and tier one and two never change.

Tier one: Low security for comments on random sites and whatnot

Example: crappypass1

Tier two: Medium security for sites I would be slightly upset if I got my good name besmirched on.

Example: Th1s!s@better

Tier three: High security for email and other more serious online business.

Example: @nysuffici3ntlyRand0mphr@seshoulddo!

Haystack (1)

backspaces (747193) | more than 2 years ago | (#38544632)

https://www.grc.com/haystack.htm has an interesting approach.
Which of these: D0g..................... or PrXyc.N(n4k77#L!eVdAfp9 is the more secure?
