My password is an entirely made up word with >=10 characters in it, which I probably won't ever forget since I've been using it for years. That's at least 36^10 possibilities with the information I've given so far. Good luck figuring it out before the sun burns out and collapses on itself.
But...
My password is
My password
password
If that means that you use the same password for (ohidunno) eBay, Amazon, YouTube, Google (if those two aren't the same these days), etc, etc, then when someone gets to know your one password (even if you use different login names, because that's even easier to reveal under the same circumstances) they've got your eLife, man....
Well, it's a good enough chance that I wouldn't advise it. Sony network data being compromised and then many people's same-passworded registered GMail accounts, remember..?
Not to say that I haven't re-used parts of passwords (but each version modified for the target) but I also haven't done "abc123eBay", "abc123Amazon", etc, either.
My passwords all look something like a1OAiVU9.
You are a god among men though for memory.
Well, my advice, when I was in a previous job where I needed to tell people worldwide to choose better passwords upon the forced-refresh[1], was to think of a song title that you can remember, or a few lines from a book. Take the initial letters of the title, lyrics or paragraph that you're sure you can remember and then apply your own morphing algorithm on it. Switch the 3rd and 5th characters, "1337-5p34k" every other 'oh'/'zero' (or every other, other one, or 1st/2nd/3rd in every three, or 4th out of every 5 letters that can be morphed), or make up your own morphing routine (not A=1, B=2). Think about reasons why whatever little changes (at least one rule) can be made to mean something to you, inside (e.g. "I always said 'three' as 'free', so instead of '3' in place of an 'E', I'm putting an 'F'"), so that you can just remember this, and the current lyrics/whatever that you're using.
It's more complex to describe than to do, honest folks.
And as far as remembering the passwords, here was my BIG tip: You'll often get a countdown until you are required to change your password. Depending on the primary server that pesters you about this, a combination of "you have X more logins" or "you have Y more days". Don't ever give in early and change your password at the end of the Friday before you go off on your two-week vacation, because you're almost certainly going to want to call up the support people on the Monday you finally get back and get it reset again. If you're going to be in and out of the system a lot, on that troublesome Friday, then do it first thing and then get your practice in multiple times by locking your desktop even when turning to chat with a colleague/whatever, if necessary. At least to see if that works for you, the first time...
But obviously, that was my advice for these systems with the extremely sensitive (don't want to lose, don't want to leak!) data. I'm not suggesting that the forum password you use here should be anything like as secure. Online banking, yes. Online shopping sites are also a good idea to have at least a modicum of the above (Correct Battery Horse stuff aside, which I thought was a good idea too, when I first saw that XKCD, but I've still got My System working for me happily). The stuff where you only lose reputation, at worst, should be angled to be whatever you value your reputation to be. For several job-searching sites (where there's little chance, if any, of anyone linking this diatribe with the accounts being used... not even being accessed on any machine that I access this forum with!), my passwords are loosely based upon body-parts with a pseudo 1337-ish conversion put upon them. And I remember which body part is which because of the order I signed up with the sites (including one that I no longer use). And, no, it's not the list in "Dem bones, dem bones, dem... dry bones".
My forum password, as it happens, is much simpler. Between a dozen and two-dozen characters (I don't wish to give you that much of a headstart, to some opportunist, by stating exactly which length) of somewhat tamer alphanumeric+punctuation nature. Not unguessable if you know my mind and perhaps have already cracked other low-priority passwords of mine, but you'd really have to know what was going through my mind at the time to get a head-start, unless you're able to bash the server (or get a copy of it to bash onto) with a good old Brute Force method. Having used JohnTheRipper myself[3], and knowing at least some of its full possible range of permutations, I think that would eventually get into it. If you were able to do it in a covert/offline way and not activating any deadlocking or exponentially-increased timelocking of the account in the process, of course, if that's implemented on this particular system.
Anyway, kids, remember: Even if you're certifiably paranoid, They might still actually be out to get you for real!
And:
http://www.darthsanddroids.net/episodes/0710.html
Of course, you could always try to use "********" as every password.
[1] We had a lot of legacy data of deeply personal nature to the people being recorded. We didn't want someone digging up an old copy of our server backups/archives or actual old-server-HDDs (despite all the precautions we took to not just safeguard the data from loss, but to prevent it ever being leaked... two sides of the "data security" coin) and managing to crack someone's old password and then trying it (or a "standardpassword+highernumbersuffix" variant) on the current system and succeed... And that's why we insisted that passwords changed, but only had "cannot use any previous password" settings globally across all the different server platforms, not "and don't change 'Foo12' to 'Foo13', you fool!"...
[2] Also, don't ever use "Remember my password for me" options (in the places that our roll-out policies hadn't blocked it in the first place), because you'll never get any practice with it for when you are working on a different machine... Never mind the less-than-total safety of such a record should the machine get 'borrowed' over a weekend.
[3] The legitimate target of the hash-breaking[4] used a TV character name that was within the top 100 of the long, long 'frequency sorted password dictionary' list that had been recommended by the JtR download-site at the time. Too easy.
[4] Or "re-hash with a common set of salts and check for synchronicity", rather.
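The "initials of a lyric, then your own morphing rule" recipe from the post above, together with the top-N frequency-list check from footnote [3] and the 36^10 search-space figure from the first comment, as an added example that is not part of the thread. The lyric, the morphing rules, and the short word list are all constructed for the example.

```python
# Added example, not code from the forum post: the initials-plus-morphing
# recipe the post describes, plus footnote [3]'s dictionary check.
# The lyric, the rules and the tiny word list below are constructed.
import math

def initials(phrase: str) -> str:
    """First letter of every word in a title or lyric you can remember."""
    return "".join(w[0] for w in phrase.split() if w[0].isalpha())

def swap_positions(s: str, i: int, j: int) -> str:
    """Swap the i-th and j-th characters (1-based): the post's '3rd and 5th' rule."""
    if max(i, j) > len(s):
        return s  # too short for the rule; leave unchanged
    chars = list(s)
    chars[i - 1], chars[j - 1] = chars[j - 1], chars[i - 1]
    return "".join(chars)

def morph_every_other(s: str, table: dict) -> str:
    """Replace the 1st, 3rd, 5th... occurrence of each letter in `table`
    (the post's "every other 'oh'/'zero'"); the other occurrences stay."""
    seen, out = {}, []
    for ch in s:
        key = ch.lower()
        if key in table:
            seen[key] = seen.get(key, 0) + 1
            out.append(table[key] if seen[key] % 2 == 1 else ch)
        else:
            out.append(ch)
    return "".join(out)

# Constructed personal rule set: 'o' -> '0', and 'e' -> 'F' (the post's
# "three as free" idea) instead of the usual 'e' -> '3'.
RULES = {"o": "0", "e": "F"}

def derive(phrase: str) -> str:
    """Apply the recipe: initials, swap 3rd/5th, then the morphing rules."""
    return morph_every_other(swap_positions(initials(phrase), 3, 5), RULES)

# Constructed stand-in for a frequency-sorted password list (most common first).
COMMON = ["123456", "password", "qwerty", "letmein", "homer", "buffy", "dragon"]

def in_top_n(candidate: str, wordlist: list, n: int = 100) -> bool:
    """Footnote [3]'s check: is the candidate in the top n of the list?"""
    return candidate.lower() in (w.lower() for w in wordlist[:n])

def search_space_bits(alphabet: int, length: int) -> float:
    """log2 of alphabet**length, e.g. the 36^10 figure from the first comment."""
    return length * math.log2(alphabet)

if __name__ == "__main__":
    pw = derive("every evening, over the hills and far away")
    print(pw, in_top_n(pw, COMMON), round(search_space_bits(36, 10), 1))
```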