Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

It's World Password Day: Change Your Passwords

Soulskill posted about 5 months ago | from the 123456-becomes-1234567 dept.

Security 116

An anonymous reader writes "Today is World Password Day — a day dedicated to promoting the use of strong passwords and the creation of good habits. However insecure this method of authentication is, it's not going away anytime soon, and people should be educated on how to make the best of it. To that end, last year Intel started an action-oriented campaign to raise user awareness regarding password problems, and this year their initiative has a new digital home. Passwordday.org provides the Password Blaster (a videogame that teaches good passwords using real leaked passwords), the Password Strength Meter, links to McAfee's Heartbleed Test tool, offers animated educational GIFs and tips and tricks for upgrading your passwords."

cancel ×

116 comments

Sorry! There are no comments related to the filter you selected.

Enough "world days" (3, Insightful)

Anonymous Coward | about 5 months ago | (#46942429)

Please.

Re:Enough "world days" (1)

Anonymous Coward | about 5 months ago | (#46942463)

Personally I'm waiting for the "World days awareness day".

Re:Enough "world days" (1)

the grace of R'hllor (530051) | about 5 months ago | (#46942963)

World world day day.

Re:Enough "world days" (1)

quenda (644621) | about 5 months ago | (#46944761)

It is also "World record Post-it Note sales" day.

Re:Enough "world days" (1)

nitehawk214 (222219) | about 5 months ago | (#46942977)

Sorry, we have not filled them up yet. [un.org]

America is out of food days, [tfdutch.com] now there are duplicates.

Re:Enough "world days" (1)

webnut77 (1326189) | about 5 months ago | (#46944043)

hunter2 -> hunter3

Re:Enough "world days" (1, Funny)

flyneye (84093) | about 5 months ago | (#46944427)

World " Change Underwear Day "
  "You! Change underwear with him. You! Change underwear with her. You bring that thong on over here and change with me sweetie "....

OK, but not sure 123456 is any better than 1234 (1)

WillAffleckUW (858324) | about 5 months ago | (#46942441)

Don't see what the point is

Re:OK, but not sure 123456 is any better than 1234 (1)

umghhh (965931) | about 5 months ago | (#46942449)

it is 1234->1235

Re:OK, but not sure 123456 is any better than 1234 (3, Funny)

rasmusbr (2186518) | about 5 months ago | (#46942557)

You're doing it wrong. It's suppose to be something like Hj1pAab5!z21i0lO&sa8q0, on a sticky note attached to the machine.

Re:OK, but not sure 123456 is any better than 1234 (2)

PolygamousRanchKid (1290638) | about 5 months ago | (#46942683)

If you MacGyver the executive secretary's desk drawer, you will find the passwords to all the C*Os of the company on sticky notes, as well.

Re:OK, but not sure 123456 is any better than 1234 (3, Funny)

msauve (701917) | about 5 months ago | (#46942703)

I don't want to know how those notes got sticky.

Re:OK, but not sure 123456 is any better than 1234 (3, Funny)

nitehawk214 (222219) | about 5 months ago | (#46942987)

I don't want to know how those notes got sticky.

She is a big fan of McGuyver.

Re:OK, but not sure 123456 is any better than 1234 (1)

WillAffleckUW (858324) | about 5 months ago | (#46943101)

I put the 123456 on a publicly shared network file called "Passwords.docx" - is that good enough?

And then enabled Bluetooth.

Re:OK, but not sure 123456 is any better than 1234 (1)

jcoy42 (412359) | about 5 months ago | (#46943277)

Probably the best variant of this I've seen was a friend who concatenated md5sums of various kernels he'd compiled into a string and printed them onto a dog tag which he kept on his person.

Based on something he knew about the machines location he started at a certain row and column and typed a certain number of characters off the tag.

Re:OK, but not sure 123456 is any better than 1234 (1)

TeknoHog (164938) | about 5 months ago | (#46943387)

You're doing it wrong. It's suppose to be something like Hj1pAab5!z21i0lO&sa8q0, on a sticky note attached to the machine.

That's the combination^W^W my Bitcoin address!

Re:OK, but not sure 123456 is any better than 1234 (0)

Anonymous Coward | about 5 months ago | (#46942575)

My bank will not accept a password with any consecutive numbers.

But it will accept a password with NO numbers.

Re:OK, but not sure 123456 is any better than 1234 (3, Interesting)

SJHillman (1966756) | about 5 months ago | (#46942617)

My bank assigned me the random PIN of "1234" for my debit card. One of my student loan websites (Citibank) ignored anything past the 8th character of your password anyway. One of my old credit unions had a six character password limit, alphanumeric only. Financial institutions are a little behind the times.

Re:OK, but not sure 123456 is any better than 1234 (1)

sootman (158191) | about 5 months ago | (#46942783)

My bank allows letters and numbers only and is not case-sensitive. This is so the password can be used on phone keypads.

In other security news, AmEx requires a number or special character IN YOUR USERNAME. WTF?

Re:OK, but not sure 123456 is any better than 1234 (0)

Anonymous Coward | about 5 months ago | (#46943189)

In other security news, AmEx requires a number or special character IN YOUR USERNAME. WTF?

So does Chase.

Re:OK, but not sure 123456 is any better than 1234 (1)

Anonymous Coward | about 5 months ago | (#46943287)

What about password length? My bank is similar, only letters and numbers but requires at least on uppercase letter...but a MAXIMUM length of 5 characters!

Re:OK, but not sure 123456 is any better than 1234 (1)

SJHillman (1966756) | about 5 months ago | (#46943559)

That reminds me of the other quirk of my bank.... username is case sensitive. e.g. SJHillman was already taken, but it let's me use Sjhillman

Re:OK, but not sure 123456 is any better than 1234 (0)

Anonymous Coward | about 5 months ago | (#46944689)

Don't do that. That is just asking for confusion and access to your account by someone else. This is especially so because they have to have some way to reset passwords.

Re:OK, but not sure 123456 is any better than 1234 (1)

Maritz (1829006) | about 5 months ago | (#46946575)

If username is the only way they can identify your account to reset it you've got serious issues. Account number springs to mind.

Re:OK, but not sure 123456 is any better than 1234 (3, Funny)

msauve (701917) | about 5 months ago | (#46942649)

Password.2014

Upper case, lower case, symbol, digit, more than 12 chars. Check!

Re:OK, but not sure 123456 is any better than 1234 (0)

Anonymous Coward | about 5 months ago | (#46942831)

Microsoft's "practice" gives a "BEST" to this one: {1aAAAAAAAAAAA

it's supposed to be "world" (1)

swschrad (312009) | about 5 months ago | (#46942671)

so change it, already

Re:it's supposed to be "world" (1)

WillAffleckUW (858324) | about 5 months ago | (#46943115)

Came up with a better one - Death - nobody will guess that one!

Luggage Password ? (0)

Anonymous Coward | about 5 months ago | (#46943805)

Awesome :O 12345 is also my luggage password!

http://youtu.be/a6iW-8xPw3k

i liked to play Password (2)

turkeydance (1266624) | about 5 months ago | (#46942445)

Ludden was the best.

Re:i liked to play Password (1)

Anonymous Coward | about 5 months ago | (#46942767)

Is that you Betty?

And Tomorrow is 'What was my password again?' Day (5, Funny)

Curialis (218588) | about 5 months ago | (#46942447)

IT Workers rejoice!!

Tomorrow (1)

Anonymous Coward | about 5 months ago | (#46942461)

Followed by "Reset Your Password Day" tomorrow.

There's an idea... (0)

Anonymous Coward | about 5 months ago | (#46942469)

A "No More World Days" Day!
Maybe Hallmark will get behind this.

It's World Sniff Your Password Day (1)

Anonymous Coward | about 5 months ago | (#46942477)

What a great time to sniff or keylog, knowing a lot of people will be changing their passwords!

I hope I'm wrong.

No (0)

Anonymous Coward | about 5 months ago | (#46942497)

That is all.

Re:No (0)

Anonymous Coward | about 5 months ago | (#46942911)

Actually, a better version would be: "No. Piss off."

Let's not celebrate passwords (1)

Anonymous Coward | about 5 months ago | (#46942501)

Passwords, and with them password reset questions, need to go away. There are proper authentication mechanisms. Passwords are not among them.

Re:Let's not celebrate passwords (1)

mlts (1038732) | about 5 months ago | (#46942951)

What I'd like to see is a service like the following:

One gets a client cert like how it is done normally... but the cert is used as a CA cert, perhaps stored in a dedicated HSM. Then, when one uses a new computer or gets a new smartphone, the device has a client cert, then it gets signed by one's own CA cert. That way, one has the security of client certs but without the need to manually copy the same certificate to each device (and risk having it stolen.) If a cert is stolen, the CA cert one has can easily revoke the stolen device key.

Realistically, if I were to make a large website, I'd have two-factor authentication mandatory, but flexible (so if someone has multiple phones or dual-SIM phones), it can send a code or use a voice (for POTS lines that can't do SMS) for the authentication code.

Recovery would be done by a number of means... perhaps recovery questions have a place, but they have to be detailed and stored encrypted... and even then, someone going through a mark's background can get access. Having some text one signs with their PGP key and pastes into a box is another method. Perhaps a method similar to Facebook's recovery with a shared secret stored among friends so you get x out of y associates to vouch for someone is another way.

Of course, there is always the option of a hardware device like a SecurID token that one just types the number shown to get access to an account. This makes it easy because physical security is usually a lot more straightforward than network security for some people. Of course the downside is that who gets the token owns the account. (Yes, it can end up PIN protected like the older "calculator" style SecurID tokens... but what happens if the PIN gets forgotten.)

Re:Let's not celebrate passwords (0)

Anonymous Coward | about 5 months ago | (#46944065)

Keep It Simple, Silly. Self-signed client certificates from a user's CA certificate sounds like a great idea, but... (a) how does a non-technical end user install a client certificate on their iOS device again? (b) given that users can't be trusted to have good passwords in the first place how are they going to manage the security of their CA certificate any better, and all of their devices will be compromised when their CA certificate gets lost/stolen.

Re:Let's not celebrate passwords (1)

Darinbob (1142669) | about 5 months ago | (#46944457)

I hate the two factor stuff, since it all wants to be on a smart phone. But I will not use a smart phone for this (more ways for google to spy on me). And many of the sites that want the two factor stuff are fluffy social sites where it's not important whereas the really vital stuff like banks have basic security.

Whirled Password Day (0)

Anonymous Coward | about 5 months ago | (#46942521)

Today is the day you should scramble your passwords by putting them into a blender, tornado, or other device to whirl them sufficiently to mix them up a bit.

WorldPasswordDay1! (3, Funny)

danbert8 (1024253) | about 5 months ago | (#46942565)

Let's celebrate with 8-16 characters that must include at least one capital, one number, and one symbol but not repeat any character more than twice. Ahh screw it, why don't we celebrate World Write Down Your Password On A Post-It Note Day?

Re:WorldPasswordDay1! (1)

rogoshen1 (2922505) | about 5 months ago | (#46942885)

Salem1!

Re:WorldPasswordDay1! (1)

TeknoHog (164938) | about 5 months ago | (#46943397)

hunter2

Re:WorldPasswordDay1! (1)

SailorSpork (1080153) | about 5 months ago | (#46943153)

Or OBLIG XKCD LINK: http://xkcd.com/936/ [xkcd.com]

Re:WorldPasswordDay1! (1)

scdeimos (632778) | about 5 months ago | (#46944071)

I think you meant: W0rldP4assw0rdD4y!

Change your representative too... (-1)

Anonymous Coward | about 5 months ago | (#46942569)

If this was anyone who wasn't a Democrat we would be hearing out it for hours straight on CNN. [twitchy.com]
 
Call immediately for her resignation: 573.751.0100

Re:Change your representative too... (0)

Anonymous Coward | about 5 months ago | (#46942663)

Benghazi, Benghazi, Benghazi, Benghazi. See? Now I'm four times worse than her. But you're still a stupid twit.

Change your passwords... (0)

Anonymous Coward | about 5 months ago | (#46942571)

..so the Heartbleed has a better chance of seeing both your old and new.

I recommend (3, Funny)

BobMcD (601576) | about 5 months ago | (#46942587)

worldp@sswordday14

That way you can remember it until next year!

World Packet Trace Day (1)

jlv (5619) | about 5 months ago | (#46942589)

Change your passwords today, so our new filters can capture them!

Re:World Packet Trace Day (1)

jlv (5619) | about 5 months ago | (#46942607)

Or even better, type your new password into our webpage and we'll tell you if it's secure.

perhaps consider a passphrase. (2)

nimbius (983462) | about 5 months ago | (#46942601)

Ive used passphrases from passwdqc [openwall.com] for quite some time. theyre just as complex and a whole lot easier to remember. The downside being many websites still restrict users to 8 or 10 character passwords whereas phrases can easily consume 17 or more characters.

Re:perhaps consider a passphrase. (0)

Anonymous Coward | about 5 months ago | (#46942741)

And many sites still restrict white space, so "correct horse battery staple" is considered a weak/invalid password.

On the other hand (0)

Anonymous Coward | about 5 months ago | (#46947379)

correct1horse!batteryAstaple is a damn great password. It's so good I even use it myself!

Stop it (0)

Anonymous Coward | about 5 months ago | (#46942615)

This nonsense about numbers and symbols was doomed from the start. Either it's written on a sticky or a simple modification (append a 1, first letter cap, etc) that tables have long since accounted for. It's a waste of time and misleading users.

We should have LONG since been encouraging mixed/abbreviated passphrases. Machine-readable (including horsestaplebatterycorrect) is a recipe for disaster, anything that's can be directly analogous to human thought is.

Something like "hsbcxkcd" is better. Something like "hsbcidgaf" is better yet. Common songs (r3ybgdts is 'row your boat') may seem insecure when tables/DBs start catching up, but it turns out you can blend them (r3ybhyaw is += 'have you any wool') without causing use of stickies under the keyboard. The mental adjustment is minimal, arguably easier than appending a 1, and yet it delivers excellent mutation.

Another advantage is incremental changes. The next line of "row your boat" offers "m3libad", and allows compliance with forced/desired password change without really relearning a new password. As a perk, the gibberish is harder to recognize to human eyes, whether it's an invader skimming crude keylogs/dumps or someone physically observing you.

Re:Stop it (1)

Anonymous Coward | about 5 months ago | (#46943037)

Those passwords suck, and I hate you for even suggesting them.

Better idea, simple passwords. "Pencil".

Then lock the account after a reasonable number of attempts - like 50. How many tries to brute force a single word password? More than 50.

Re:Stop it (2)

Dutch Gun (899105) | about 5 months ago | (#46944549)

Those passwords suck, and I hate you for even suggesting them.

Better idea, simple passwords. "Pencil".

Then lock the account after a reasonable number of attempts - like 50. How many tries to brute force a single word password? More than 50.

Yikes, that's horrible, horrible advice.

You need to stay away far, far from single dictionary word passwords. If the hashed password database is compromised, you need a password that will at least withstand a basic dictionary attack, since obviously it's beyond locking because of failed attempts at that point. If there's any significant amount of time between when the breach occurs and when it's discovered, your only defense is a password long and complex enough to withstand any brute-force attempt within a reasonable period of time.

Incidentally, if everyone took your advice (and many seem to, unfortunately), a significant number of people would still get hacked just because the bad guys happened to guess the correct dictionary word they used. All they have to do is try the first 50 most used words and phrases for every account, and with millions of users, they're bound to guess a few thousand correctly.

My advice: install LastPass or some other password manager, and then have it generate absolutely random noise passwords - you can even set parameters for sites that don't allow symbols or have length restrictions, etc. Those are automatically filled in when you visit the site. Either your browser will remember them in it's password manager, or a plugin, like LastPass uses will fill them in for you. There's very little reason for a typical user to change a password when it's randomly generated gibberish.

Re:Stop it (0)

Anonymous Coward | about 5 months ago | (#46945947)

Salt should solve the breached hash problem (unless I completely don't understand PKI).

Only the worst passwords could be guessed in 50 tries. Disallow the blatantly obvious ones.

I use strong passwords and keep them on a pocket sized notepad in my file cabinet. Thanks to last Wednesday's storms, it ended up under three feet of water. Oops.

Re:Stop it (1)

Dutch Gun (899105) | about 5 months ago | (#46946607)

Salt doesn't necessarily solve the breached hash problem if you're using simple dictionary words. It forces a per-hash computation, so they can't use a rainbow table of pre-computed hashes, but dictionary words will still be the second thing criminals will try (the first thing is a quick-list of top password offenders). Sure, it significantly slows the process down, but once the database is offline, there's plenty of CPU horsepower available to do that sort of thing.

Actually, it may be more accurate to say that there's plenty of GPU power available for that, as cracking software often makes use of banks of high-end videocard GPUs to perform massive amounts of hash calculations per second [arstechnica.com] . GPUs are optimal for this task because of the massive number of parallel processing cores in each card. The only real way to thwart this sort of decoding effort is to use memory-hard hashing algorithms, but I don't think those are in wide-spread use yet.

So, let's assume a worst case of a billion hashes a second, which I don't think is out of line for today's top-of-the-line video cards, easily within financial reach of your typical internet low-life. We'll use a dictionary of perhaps 20,000 of the most common English works, and let's say we'll throw in enough combinations to round it up to a million hashes that we'll try per user (capitalization + common numeric suffixes). That means that even something like "Pencil92" isn't safe. Let's also assume that we've got a million user hashes to check in total. Total calculation time for a first-pass dictionary attack on every entry in the database? About 1000 seconds. That means we've got plenty of time to try even more complex combinations of passwords after the simple first-pass check.

Ultimately, the best defense is password complexity, since no amount of hardware can possibly cover all the combinations of a very long and complex password, since length + variation = a combinatorial explosion of possibilities.

Also, sorry to hear about the storm mess. Never fun to clean up after stuff like that.

Can tomorrow be world English grammar day? (1)

damn_registrars (1103043) | about 5 months ago | (#46942621)

That last sentence in the intro made me a bit ill.

I'll trick 'em all! (2)

jddj (1085169) | about 5 months ago | (#46942625)

12345...7

Can't wait for mooltipass... (0)

Anonymous Coward | about 5 months ago | (#46942627)

the open-source open hardware/software offline password keeper!
https://github.com/limpkin/mooltipass

Okay... (1)

Anonymous Coward | about 5 months ago | (#46942689)

"password02". Done!

Nope. (0)

Anonymous Coward | about 5 months ago | (#46942763)

More like shit websites should change their password policies to prevent small passwords, and have no maximum password length, and update their security system in general because most likely it is terrible and some shit thing they got off some PHP kiddies website.

I am looking at YOU, Microsoft.
Ever since they changed their passwords to have a max length, I have been unable to even login to my hotmail even WHEN I only type the first 16 characters.
And when I tried to recover it, they said "nup, 2bad nerd". Fuck you Microsoft.
Luckily I never used their atrocious service for anything of worth.
Hope you die this decade Microsoft. If not I will be just as happy with the next one.

Re:Nope. (1)

darkain (749283) | about 5 months ago | (#46943289)

This is because Microsoft doesn't change stored passwords on Hotmail when they update policies for the service... Case in point, my dummy account from the '90's still has a password that is well under the minimum number of characters required to login. Very short, sweet, easy to remember, and cannot be brute forced because nobody would think to check a password outside of their "requirements"! (oh wait, fuck, I just admitted publicly there are passwords outside of their requirements)

Not happening. (1)

Cruciform (42896) | about 5 months ago | (#46942805)

I have 400+ unique passwords. I don't think I'll be changing those for password day.
I suppose putting my trust in a password manager could also be considered a risk, but I use a passphrase long enough that even someone with an extensive dictionary attack would take years to get through it.

Re:Not happening. (5, Insightful)

Derekloffin (741455) | about 5 months ago | (#46942857)

Indeed, and I've never understood the advice to change your password frequently. The only thing that would help against is if someone has already compromised your account and has been laying low (rather than what they usually do which is clean it out asap). However, changing passwords constantly highly encourages you to use less and less powerful passwords as you can't remember them all the time meaning you're that much more likely to get that initial compromise.

Password change frequency (1)

knarfling (735361) | about 5 months ago | (#46943765)

Although I do not have proof of this, I believe that the the password change policy came from the way early UNIX systems handled the password files.

Early UNIX systems did not separate the username file from the password file. Both were kept in /etc/password. This file had to be world readable in order for anyone to log in. So if you had any access at all, including guest access, it was easy to copy the password file. Although the passwords in the the file were hashed, it they could be cracked or a rainbow table created if you had access to a powerful enough computer. At the time, only mainframes or mini computers had the power needed, and cracking a password took between three to five months.

The thought process was that if someone did steal the password file, and you changed your password every three months, It was very likely that the password was changed by the time the passwords were cracked. These days, more powerful computers can crack the passwords much, much faster, and the UNIX/Linux systems have broken out the passwords from the password file and placed them in a shadow file that is not world readable.

The danger of the password file being stolen is no longer the same issue as it once was, but the "standard" password policy has never changed. Today, the reason most often given for a change policy is: "This is best practices, so we are going to do it." Few security consultants can give you the real reason for the policy, although many will refer to recent examples of passwords being stolen and tell you that you need to change a password often just in case someone does steal the password. The danger today is not that the person stealing your password will use it, but that they will sell it to someone else. On the one hand, that does give you a little time to change your password, but on the other hand, some people may feel that since their account was not cracked right away that their accounts are still safe.

Re: Password change frequency (0)

Anonymous Coward | about 5 months ago | (#46943949)

So many things wrong with this response.

Re: Password change frequency (0)

Anonymous Coward | about 5 months ago | (#46944841)

So many things wrong with this response.
Is this like a weak version of "everything I say is a lie"?

Re:Not happening. (1)

Unknownus (1438339) | about 5 months ago | (#46944827)

The advice to change passwords frequently is meant to protect against offline cracking: If an attacker gets a password database they can quickly try passwords without restrictions. Given enough time and computing power there is no uncrackable password. But if you change your password frequently, by the time the attacker guesses your password successfully it will already be invalid.

Worst practices (0)

Anonymous Coward | about 5 months ago | (#46942833)

It actually incourages everybody tu user passwords like P@sSw0rd which are the opposite of secure, it is quite known that a simple passphrase is more secure that using one 8 characters word and adding symbols upper and lower case. They might be hard to a human to guess but they are quite easy to brute force.

Ummm (2)

PaddyM (45763) | about 5 months ago | (#46942837)

I thought that regularly changing one's password was unnecessary https://www.schneier.com/blog/archives/2010/11/changing_passwo.html [schneier.com] . I thought that it needs to be changed if found to be hacked, but otherwise as long as its strong, there's no need to change it. So while promoting good password habits is a good idea, I'm not sure that "annually change all your passwords on the same day every year so that any eavesdropper/keylogger can look for possible password change activity on one day" is one of them.

Re:Ummm (0)

Anonymous Coward | about 5 months ago | (#46943455)

Agreed if your threat model doesn't include Advanced Persistent Threats that will quietly use your credentials to continually gain data, password changes are useless.

APTs are a good reason for corporations to require periodic PW changes for employees however.

Great (1)

Anonymous Coward | about 5 months ago | (#46942889)

Now I'm going to post as an Anonymous Coward for the next six months!

Bad idea (1)

SuperKendall (25149) | about 5 months ago | (#46942925)

If you were going to install sniffers all over to collect passwords as people changed them, what day would be better than World Password Day...

I'll let the herds get culled as I watch from the hills above, thanks.

Click here if you have forgotten your password. (1)

Snufu (1049644) | about 5 months ago | (#46942993)

A new holiday will be sent to your email address.

Coincidence (0)

Anonymous Coward | about 5 months ago | (#46943259)

It's same day than Men in the middle attack day too !

Security Tokens (1)

darkain (749283) | about 5 months ago | (#46943265)

I use security tokens instead of passwords, and then external services use OAuth against this centralized service to verify my identity... passwords? What are those!?

Also (1)

geekoid (135745) | about 5 months ago | (#46943281)

if a legit user can hack you systems, the user password isn't your problem.
So many site make you enter a secure password to protect their systems. Ignoring the fact that a malicious person could set up an anonymous account.

Thanks for verbiage suggestion, ideas short (1)

Tablizer (95088) | about 5 months ago | (#46943457)

due to all the past changes. My new password is "It's change your password day"

sponsored by 3M (0)

Anonymous Coward | about 5 months ago | (#46943473)

it looks like you're almost out of post-it notes.

once a YEAR huh? (1)

v1 (525388) | about 5 months ago | (#46943519)

Anything important should be changed more frequently. And anything less important... why do we have a special day for it? Waste of time. *shrug*

Re:once a YEAR huh? (1)

Anonymous Coward | about 5 months ago | (#46943643)

Anything important should be changed more frequently.

Why? If my password isnt comprised, why the fuck would I change it? All that does is encourage people to use shitty passwords because they have to change them all the time.

I hate people like you

You've gotta e $h1+n9 M3. (0)

Anonymous Coward | about 5 months ago | (#46943609)

I don't know how I find the time to post this. I spend often more than an hour a day trying to plough the way through passwords that I have lost or forgotten.

Passwords that the base of existence. I just realized I haven't seen a good movie with meaningful password action.

Back in the day, I was thrilled that the Internet existed: anonymous FTP existed, where one was asked to use his email address for a password. That was very cool, sorrt of a culture of trust. Where is this going?

Open Sez Me.

Easy (1)

sharknado (3217097) | about 5 months ago | (#46943777)

I am celebrating this day by changing my passwords from 'password' to 'password1'.

wrong day, losers (0)

Anonymous Coward | about 5 months ago | (#46943809)

it was on february 1st, all you observers of may 7th are just a bunch of loser wannabe poser copycats

http://gizmodo.com/tag/change-... [gizmodo.com]

This is a perfect time to employ... (1)

Payden K. Pringle (3483599) | about 5 months ago | (#46943919)

passphrases.

Because (ignore quotes) "bob is a dork and i hate my job" is largely easier to remember and more powerful than, "Tr0ub3c43r#$" [insert obligatory XKCD].

I mean really. If a person makes a passphrase as a full sentence (i.e. spaces, punctuation, capitalization, all the things grammar teachers teach), then that will give some part of school you likely never cared about some meaning in your life, and it would make your passphrases much more secure and easier to remember (i.e. it tells you a lot about your passphrase already).

Although the most annoying part (as always) is typos.

I'm changing my password to 'incorrect' (2)

Kittenman (971447) | about 5 months ago | (#46944173)

That way, when I forget it, the software/site will come back and tell me "Your password is incorrect', so I don't have to remember it at all.

Re:I'm changing my password to 'incorrect' (1)

Culture20 (968837) | about 5 months ago | (#46944917)

My software told me "your username/password is invalid". So I entered "invalid" for both. Still didn't work.

Re:I'm changing my password to 'incorrect' (1)

Kittenman (971447) | about 5 months ago | (#46945337)

My software told me "your username/password is invalid". So I entered "invalid" for both. Still didn't work.

You're not doing it right, maybe.

Re:I'm changing my password to 'incorrect' (0)

Anonymous Coward | about 5 months ago | (#46945505)

You're not doing it right, maybe.

That's what she said!

Who am I kidding, this is /. She doesn't even exist.

I hate to admit XKCD was right, but....goddamnit (1)

AbRASiON (589899) | about 5 months ago | (#46945041)

The prevalence of the passwords requiring uppercase, lowercase, punctuation etc is ridiculous as more and more sites and servers I use are requiring it.

I'm going to make an assumption here and I bet I'm I'm right. (I have NO idea!)
The VAST majority of security breaches are due to poorly patched software / bugs / social engineering / angry staff etc.
I'd wager very very few password hacks are due to people having the password
"momspajamas2212" instead of "M0mspaJAMas22!2"

I will say I'm finding the only way to still remember my passwords on sites now is to start using pattern based passwords, example "$RFV%TGB4rfv5tgb" (try typing that) - it's not ideal but I can remember the bastard thing. (I hope this helps someone else out, I gave it out to someone recently and they adopted something similar pretty much instantly and yes, I know you could add patterns to the dictionary)

Re:I hate to admit XKCD was right, but....goddamni (1)

jrumney (197329) | about 5 months ago | (#46945321)

My favorite incident of what I call "security by handwaving" was my bank changing the wording on their site from password to passphrase, but they rejected the space character and limited the "passphrase" to 16 characters.

Re:I hate to admit XKCD was right, but....goddamni (1)

Dutch Gun (899105) | about 5 months ago | (#46946703)

The prevalence of the passwords requiring uppercase, lowercase, punctuation etc is ridiculous as more and more sites and servers I use are requiring it.

I'm going to make an assumption here and I bet I'm I'm right. (I have NO idea!)
The VAST majority of security breaches are due to poorly patched software / bugs / social engineering / angry staff etc.
I'd wager very very few password hacks are due to people having the password
"momspajamas2212" instead of "M0mspaJAMas22!2"

I will say I'm finding the only way to still remember my passwords on sites now is to start using pattern based passwords, example "$RFV%TGB4rfv5tgb" (try typing that) - it's not ideal but I can remember the bastard thing. (I hope this helps someone else out, I gave it out to someone recently and they adopted something similar pretty much instantly and yes, I know you could add patterns to the dictionary)

If you look at those who have analyzed cracked databases to see what passwords people actually used, you'll find that people get hacked because they're using passwords like "password", "123456", "monkey", and so on [cbsnews.com] .

Honestly, I've found that a password manager is really the only sane way to use cryptographically secure (and completely different) passwords on every site without worrying about losing those passwords. I use Lastpass, since it syncs between machines automatically and has a plugin which automatically fills in the username and password for you, and will detect when you change existing passwords or create new ones. There are a bunch of other good ones too if you don't like the idea of your encrypted password database being store online (note: it's encrypted locally, so Lastpass never sees anything but a binary blob).

Buck the trend (1)

RogueWarrior65 (678876) | about 5 months ago | (#46945857)

So what if this is a ruse to get people to change passwords on the one day that security exploits are in place to capture the new passwords? Buck the trend and change them some other day or not at all.

Too many rules.... (1)

knwny (2940129) | about 5 months ago | (#46946783)

Why cannot we force all websites and services to comply with a common password complexity rule? There is a wide variation in the rules that phone companies, banks, utilities and various online services enforce when I create passwords. As a consequence, it becomes difficult to decide on a password-generating algorithm to create and remember passwords across these websites/services. So, coming back to the question, can we not have a standard password complexity rule which every website/service has to stick to? Instead of those irritating, little info boxes near the password field listing different passwords rules for different websites, we could have a URL pointing to the standard password rules which in turn would be maintained by an independent organisation. Obligatory: https://xkcd.com/927/ [xkcd.com]
Load More Comments
Slashdot Login

Need an Account?

Forgot your password?