Author Topic: Password requirements are getting ridiculous  (Read 6817 times)

shmokes

Password requirements are getting ridiculous
« on: September 18, 2008, 09:52:00 am »
I just signed up for a website so I can apply for an internship for next summer and the requirements for creating a password were:

- At least 8 characters, up to 20
- A combination of upper case and lower case letters
- Must include both numbers and letters
- Must include at least one of the following symbols: ! @ # $ % ^ & * (note that many common symbols, like the hyphen and question mark, are not on the list)

This is getting obnoxious.  Requirements keep getting more and more complex.  I have already moved to a password that I thought would work pretty much everywhere, as it contains letters, two numbers, and a symbol.  Unfortunately, my symbol isn't on the list, and I don't have any upper case letters in my password.  So, now I have to come up with something all over again, for this one site which I will almost never visit.  This means that I need to write down my password somewhere because there's no way I'm ever going to remember it, WHICH IS NOT ---smurfing--- SECURE! 
Check out my website for in-depth reviews of children's books, games, and educational apps for the iPad:

Best Kid iPad Apps

ChadTower

« Reply #1 on: September 18, 2008, 09:54:44 am »
Quote
I have already moved to a password that I thought would work pretty much everywhere, as it contains letters, two numbers, and a symbol.  Unfortunately, my symbol isn't on the list, and I don't have any upper case letters in my password.  So, now I have to come up with something all over again, for this one site which I will almost never visit.  This means that I need to write down my password somewhere because there's no way I'm ever going to remember it, WHICH IS NOT ---smurfing--- SECURE! 


Writing down your password in a physical location is a whole lot more secure than using the same password everywhere... really, who is going to come into your house looking for paper scraps?  With your method if someone cracks your password in one place they have it everywhere.  That makes security guys have aneurysms.

Ginsu Victim

« Reply #2 on: September 18, 2008, 10:01:26 am »
In Firefox, what I do is make a bookmark, then go to properties and put my username:password for that site in the comments section.

ChadTower

« Reply #3 on: September 18, 2008, 10:02:26 am »

I just write them down on paper in my desk.  Can't hack that.  My desk is such a mess no one would ever find it.  Hell I can't find it sometimes.

Blanka

« Reply #4 on: September 18, 2008, 10:03:52 am »
I like the password manager for that.
And now and then I print a screenshot of the list.

Thenasty

« Reply #5 on: September 18, 2008, 10:10:40 am »
Best example passwords are:


iforgot
idunno
idon'tremember
whatsmypassword
Ilive@1313MockingbirdLane
« Last Edit: September 18, 2008, 10:20:30 am by Thenasty »
Thenasty's Arcademania Horizontal/Vertical setup.
http://forum.arcadecontrols.com/index.php?topic=26696.0

Free VGA Breakout Cable
http://forum.arcadecontrols.com/index.php?topic=38228.0

Ultimate All in One Coin Mech write up (Make your own)
http://forum.arcadecontrols.com/index.php?topic=19200.0

xar256

« Reply #6 on: September 18, 2008, 10:12:05 am »
Do yourself a favor, get a password manager, and get used to using it.  Such things are becoming quite common and will more than likely be a part of whatever business you go into in future.  Lord knows I'm up to 38 different passwords at my work, most of which have similar requirements as stated above, AND have to be changed every 90 days.  :dizzy:

Check out Password Safe. Free, fast, and simple to use.

ChadTower

« Reply #7 on: September 18, 2008, 10:15:32 am »
Quote
Do yourself a favor, get a password manager, and get used to using it.  Such things are becoming quite common and will more than likely be a part of whatever business you go into in future.  Lord knows I'm up to 38 different passwords at my work, most of which have similar requirements as stated above, AND have to be changed every 90 days.  :dizzy:

Check out Password Safe. Free, fast, and simple to use.


If your company were doing it correctly you'd be using your network login to get into all of the internal apps.  Password managers aren't the way going forward - LDAP based single sign on is the way.

shmokes

« Reply #8 on: September 18, 2008, 10:20:25 am »
Will Password Safe run in the background and fill out forms automatically, or at least intelligently with a click or two?  The reason I only use a few different passwords is because I don't want to stop what I'm doing and look up passwords for every site I need to log into, of which there are probably at least a hundred by now.  I'm willing to accept a bit of risk in return for a bit of convenience.  The Firefox password manager is awesome, but not something I think to back up when I reformat my computer, so I end up losing all that pretty regularly.

ChadTower

« Reply #9 on: September 18, 2008, 10:22:40 am »

Damn how often do you reformat the drive?   ;D

shmokes

« Reply #10 on: September 18, 2008, 10:29:01 am »
At least once a year, on my desktop -- depends if I'm tinkering with OSes.  Twice a year on my laptop cos we run this buggy exam-taking software and if it ---smurfs--- up the student has to write in blue books, but doesn't get any extra time.  I type about 90 WPM, so this poses a pretty distinct disadvantage.  The software ---fouled up beyond all recognition--- up (memory leak) during one of my exams last year, so now before exam time each semester, I clean off the computer and load nothing but that one program.  So at least three format/reinstalls per year.  PITA.

Another problem with a Password Manager of any kind is portability.  I do a lot of computing from campus, on campus computers.  I suppose I could put firefox on a USB drive and carry it around.  Maybe eventually I'll start doing that.

missioncontrol

« Reply #11 on: September 18, 2008, 10:31:18 am »
Portable firefox is awesome for such situations... Just be sure to master password protect your password bank

ChadTower

« Reply #12 on: September 18, 2008, 10:31:34 am »
Quote
Another problem with a Password Manager of any kind is portability.  I do a lot of computing from campus, on campus computers.  I suppose I could put firefox on a USB drive and carry it around.  Maybe eventually I'll start doing that.


A thumb drive with the keys to your kingdom on it, carried around with you, seems like a really bad idea.  It may as well be an old parchment with dotted lines leading to a big red X.

shmokes

« Reply #13 on: September 18, 2008, 10:36:35 am »
BTW, it occurs to me that we're missing the point of the OP.  Password requirements keep getting progressively more complex.  It started out with passwords having almost no requirements.  Then 5 characters was commonly required.  Then 6.  We skipped 7 and went straight to 8 for some reason.  Then numbers had to be added.  Then symbols.  Then numbers and symbols.  Now numbers, symbols AND lowercase and uppercase letters.  Soon we will need to have uppercase letters surrounded by at least one lowercase letter on each side of it.  Then we will need that, plus at least one space.  Then the password will need to be two words, each conforming to those requirements.  Then three.  

It just gets to a point where I'm like, "---fudgesicle---, can we stop doing this?  ---smurfing--- make biometrics standard on all computers or something, but this is getting absurd!"

shmokes

« Reply #14 on: September 18, 2008, 10:37:06 am »
Quote
A thumb drive with the keys to your kingdom on it, carried around with you, seems like a really bad idea.  It may as well be an old parchment with dotted lines leading to a big red X.

It sounds like you are finally beginning to appreciate my problem, actually.

Jimbo

« Reply #15 on: September 18, 2008, 10:44:26 am »
You have to have multiple passwords these days for the reasons the op stated: everywhere has different requirements as to what is accepted.  Personally, I use a similar password for most stuff, and use a nice little utility called "coolfish" that encrypts text/files with a master password (using blowfish encryption). 

ChadTower

« Reply #16 on: September 18, 2008, 10:45:18 am »
Quote
It sounds like you are finally beginning to appreciate my problem, actually.


I appreciated it when you first posted it... and I have been suggesting using an old school method to solve a new school problem.  Some things are best kept physically secure and completely separate from the medium.  Things like password managers are only as secure as the hacker's abilities and motivation allow it to be.

shmokes

« Reply #17 on: September 18, 2008, 10:58:34 am »
But if I have to have a bunch of different passwords (that are becoming increasingly more difficult to commit to memory because of symbol, case and number requirements), and they are all stored on paper at home, but I do a good deal, if not the bulk of my computing from various public computers . . .

xar256

« Reply #18 on: September 18, 2008, 11:11:54 am »
Quote
If your company were doing it correctly you'd be using your network login to get into all of the internal apps.  Password managers aren't the way going forward - LDAP based single sign on is the way.

Tell that to the mainframe system running TPF that half those passwords are for.  Not everything uses that kind of technology.  Plus my company does not allow certain passwords to be the same as others.

Quote
Will Password Safe run in the background and fill out forms automatically, or at least intelligently with a click or two?  The reason I only use a few different passwords is because I don't want to stop what I'm doing and look up passwords for every site I need to log into, of which there are probably at least a hundred by now.  I'm willing to accept a bit of risk in return for a bit of convenience.  The Firefox password manager is awesome, but not something I think to back up when I reformat my computer, so I end up losing all that pretty regularly.

I don't use it like that, but supposedly it does have that option. 

ChadTower

« Reply #19 on: September 18, 2008, 11:24:23 am »
Quote
But if I have to have a bunch of different passwords (that are becoming increasingly more difficult to commit to memory because of symbol, case and number requirements), and they are all stored on paper at home, but I do a good deal, if not the bulk of my computing from various public computers . . .


Then for the most part your problem is the fact that you do the bulk of your computing from public computers.  So long as that is a requirement you're going to have password security issues.  I know you can't fix that, but when you use public bathrooms all the time, you have to use the paper ass gaskets.

punxrus

« Reply #20 on: September 18, 2008, 11:59:24 am »
Random password generators are good for people like you. They do all the hard work for you. It sucks that people are making so many requirements for passwords, but it's better to be safe than sorry. Especially if you are prone to using the same password for everything...
Dude...Wait...What?!

boykster

« Reply #21 on: September 18, 2008, 12:09:19 pm »
There's the flipside of this issue too, password management by the application and database.  A complex password only protects your account from brute force attacks thru the interface, but does nothing to protect your login from a backdoor compromise if the system is storing your password in plaintext or a simple 2-way hash.

What good is an uber complex random password if a hacker simply dumps the user table and your pass is there in plaintext  :dunno
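
Added example (not part of boykster's post, and not code from any site discussed in the thread): the storage difference the post describes, showing what a dumped user table exposes when passwords are kept in plaintext versus as salted, slow one-way PBKDF2 hashes. The function names, record layout, iteration count and sample password are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Assumptions for this example (not from the thread): record layout,
# work factor and salt length.
SCHEME = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
MAX_ITERATIONS = 10_000_000  # refuse absurd values in a tampered record


def store_plaintext(password: str) -> str:
    """The case the post warns about: the stored value is the password."""
    return password


def store_hashed(password: str, iterations: int = ITERATIONS) -> str:
    """Return a record holding a per-user random salt and a slow one-way hash."""
    salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_hashed(password: str, record: str) -> bool:
    """Recompute the hash from the candidate password and compare."""
    try:
        scheme, iter_text, salt_hex, digest_hex = record.split("$")
        iterations = int(iter_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: wrong field count or bad hex/int
    if scheme != SCHEME or not 1 <= iterations <= MAX_ITERATIONS:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # Constant-time comparison, so timing does not reveal matching prefixes.
    return hmac.compare_digest(candidate, expected)


def row_reveals_password(row: str, password: str) -> bool:
    """True if a dumped table row contains the password verbatim."""
    return password in row


def build_tables(users: dict, iterations: int = ITERATIONS):
    """Build the same user table twice: plaintext rows and hashed rows."""
    plaintext_table = {u: store_plaintext(p) for u, p in users.items()}
    hashed_table = {u: store_hashed(p, iterations) for u, p in users.items()}
    return plaintext_table, hashed_table


if __name__ == "__main__":
    # Constructed sample data: two users who chose the same complex password.
    users = {"alice": "k7#Vq!x2Lm9&Tz", "bob": "k7#Vq!x2Lm9&Tz"}
    plain, hashed = build_tables(users)
    for name, password in users.items():
        print(name, "plaintext row exposes password:",
              row_reveals_password(plain[name], password))
        print(name, "hashed row exposes password:   ",
              row_reveals_password(hashed[name], password))
    # Per-user salts make identical passwords produce different rows.
    print("rows differ for same password:", hashed["alice"] != hashed["bob"])
    print("login still works:", verify_hashed(users["alice"], hashed["alice"]))
```

With hashed rows, a table dump yields only salts and digests, so each password must be guessed individually at the cost of the full iteration count per guess.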

leapinlew

« Reply #22 on: September 18, 2008, 12:21:03 pm »
I agree. Password requirements are becoming a pain. Especially because some apps won't accept more than 8 characters, while others want more than 8 characters, some won't accept numbers, and some force numbers. 1 form of authentication is the culprit here. Security can be accomplished by using any of these 3 metrics:

  • Something you know - such as a password
  • Something you have - such as a magnetic card or fob
  • Something you are - some form of biometrics

Relying ONLY on one is the real issue. You should be forced to have 2 of the 3 and then we could do away with some of the more complex password requirements.

shmokes

« Reply #23 on: September 18, 2008, 12:26:51 pm »
Quote
Random password generators are good for people like you. They do all the hard work for you. It sucks that people are making so many requirements for passwords, but it's better to be safe than sorry. Especially if you are prone to using the same password for everything...

I don't have a problem generating the passwords.  My problem is remembering them.

leapinlew

« Reply #24 on: September 18, 2008, 12:27:47 pm »
Quote
Random password generators are good for people like you. They do all the hard work for you. It sucks that people are making so many requirements for passwords, but it's better to be safe than sorry. Especially if you are prone to using the same password for everything...

Quote
I don't have a problem generating the passwords.  My problem is remembering them.

Do yourself a favor and don't work for any government institutions. You're not allowed to write them down and you'll need to remember a ton of them...

patrickl

« Reply #25 on: September 18, 2008, 12:29:31 pm »
It's also super annoying when they ask you to change the password often. A client of mine has a policy that every month the password needs to be changed. I don't go there that often so I almost need to change my password every time I go there. And of course the next time I go there I have forgotten what it was. Well by now I fixed the problem, but still. It was pretty annoying.

I use two programs to overcome the problem.

I use Norton 360 and it keeps a record of all the logins and passwords I use. When I come on the same page it fills in the passwords automatically. Much like web browsers usually do. Only when I start the browser for the first time does it ask me to log in so it can reach the password file. Actually, I wish they would make it a standard feature of web browsers. These are already able to fill in forms automatically, but that's ridiculously unsafe. Why not ask for a password to protect this functionality?

I also use eWallet to store logins and other personal info. Not so much for websites anymore though. This I also take with me on my smartphone/PocketPC.
This signature is intentionally left blank

ChadTower

« Reply #26 on: September 18, 2008, 01:20:31 pm »
Quote
Do yourself a favor and don't work for any government institutions. You're not allowed to write them down and you'll need to remember a ton of them...


People write them down anyway.  Hell, people write them on postits and stick them to their monitors.

boykster, a lot of enterprise apps use the fact that they are internal only as a layer of security.  Sure, the backdoor may be there, but to use the backdoor you have to have already compromised the network somehow.  That's why they use LDAP - the assumption that if you're logging in you are already in a "secure" location and thus the challenge doesn't need to be all that deep.

CheffoJeffo

« Reply #27 on: September 18, 2008, 01:26:45 pm »
Quote
It sounds like you are finally beginning to appreciate my problem, actually.
I appreciated it when you first posted it... and I have been suggesting using an old school method to solve a new school problem.  Some things are best kept physically secure and completely separate from the medium.  Things like password managers are only as secure as the hacker's abilities and motivation allow it to be.

Let's see ... so far you have suggested writing down passwords on paper and common authentication schemes as good security practices.

I know that you have done a lot of things in your life, but I think that data security, like hauling MDF, ain't one of them.  ;)

I'll put my properly-encrypted password management repository up against both paper and central authentication every day of the week.
Working: Not Enough
Projects: Too Many
Progress: None

missioncontrol

« Reply #28 on: September 18, 2008, 01:28:23 pm »
Quote
Random password generators are good for people like you. They do all the hard work for you. It sucks that people are making so many requirements for passwords, but it's better to be safe than sorry. Especially if you are prone to using the same password for everything...

Quote
I don't have a problem generating the passwords.  My problem is remembering them.

Quote
Do yourself a favor and don't work for any government institutions. You're not allowed to write them down and you'll need to remember a ton of them...

yeah and they have to be changed every 60 days.

Dartful Dodger

« Reply #29 on: September 18, 2008, 01:36:02 pm »
If I don't use the site every day or if I can be logged in all the time and lose my cookies I usually have to click on forgot password and have them email a new one.

I think that's happened to me a couple of times with this site.

now all I have to remember is the passwords for my email accounts.

ChadTower

« Reply #30 on: September 18, 2008, 01:56:08 pm »
Quote
Let's see ... so far you have suggested writing down passwords on paper and common authentication schemes as good security practices.

I know that you have done a lot of things in your life, but I think that data security, like hauling MDF, ain't one of them.  ;)

I'll put my properly-encrypted password management repository up against both paper and central authentication every day of the week.


Common authentication is considered good enough when you're already within security - I was specific about that.  If you don't like that then I suggest you take it up with corporations all over the world.

I suggested paper specifically for shmokes - if you don't like that, find a better way for someone who sits in various public labs on a regular basis.

Security is very context dependent, as I'm sure your password management repository is aware.  I'm also sure it doesn't run off a thumb drive shmokes could carry around with him.

CheffoJeffo

« Reply #31 on: September 18, 2008, 02:45:27 pm »
Quote
Common authentication is considered good enough when you're already within security - I was specific about that.  If you don't like that then I suggest you take it up with corporations all over the world.

I think you are mistaking convenient business practice for good security practice.

Quote
Security is very context dependent, as I'm sure your password management repository is aware.  I'm also sure it doesn't run off a thumb drive shmokes could carry around with him.

Actually, the file *is* stored on a thumb drive ... my point was that, with proper and secure encryption and authentication, my password repository is far more secure than keeping a list of passwords in his pocket.

ChadTower

« Reply #32 on: September 18, 2008, 02:52:34 pm »
Quote
I think you are mistaking convenient business practice for good security practice.


Not at all.  If the LAN is considered secure then it is accepted practice to consider that in the security model for a given internal application. 


Quote
Actually, the file *is* stored on a thumb drive ... my point was that, with proper and secure encryption and authentication, my password repository is far more secure than keeping a list of passwords in his pocket.

I don't really agree... a list of random strings of gibberish without context is pretty damn secure.  Obfuscation and lack of context is powerful.  You may even say it is... encrypted.  Now, odds are extremely low that someone with the ability would ever find that thumb drive should he lose it.  But if they did, and on a college campus those odds are much higher than elsewhere, there are cracking apps specifically designed to do this particular job.  And it's a plug it in, start the process, and leave it there unattended process, which means it is certainly possible.  At best the two methods are a push, IMO, unless he's dumb enough to list URLs next to the passwords on his paper.

patrickl

« Reply #33 on: September 18, 2008, 03:22:15 pm »
Even if you do your best at protecting everything, a rogue website, virus or a hacker might break your security. An unencrypted password list is then completely open. A properly encrypted password repository is not something that you simply break. It would take a brute force attack that can last decades to finish (if you choose that password properly).

ChadTower

« Reply #34 on: September 18, 2008, 03:36:30 pm »
Quote
Even if you do your best at protecting everything, a rogue website, virus or a hacker might break your security. An unencrypted password list is then completely open. A properly encrypted password repository is not something that you simply break. It would take a brute force attack that can last decades to finish (if you choose that password properly).


Decades if the hacker doesn't have prior knowledge of the repository app.  There are known techniques for most of them that shorten that quite a bit.  Still way more trouble than it's worth and effective enough but not nearly as decades long secure as a blind brute force would need to be.

CheffoJeffo

« Reply #35 on: September 18, 2008, 03:37:57 pm »
Quote
I think you are mistaking convenient business practice for good security practice.
Not at all.  If the LAN is considered secure then it is accepted practice to consider that in the security model for a given internal application. 

You sound like those network admins who figured that blocking port 135 at the firewall protected their networks against Blaster and woke up the following Tuesday morning to massively-infected networks.

You can't consider the LAN secure unless you can consider all equipment connected to the LAN to be secure.

Once Chuckie connects with his laptop that he used to download that donkey porn last night, all bets are off. And that only considers the attack from outside.

I know that you think that I am missing your points, but I'm not.

The reason that we have terms like "accepted practice" is because "best practice" is just too damned inconvenient.

I don't really agree... a list of random strings of gibberish without context is pretty damn secure.  Obfuscation and lack of context is powerful.  You may even say it is... encrypted.  Now, odds are extremely low that someone with the ability would ever find that thumb drive should he lose it.  But if they did, and on a college campus those odds are much higher than elsewhere, there are cracking apps specifically designed to do this particular job.  And it's a plug it in, start the process, and leave it there unattended process, which means it is certainly possible.  At best the two methods are a push, IMO, unless he's dumb enough to list URLs next to the passwords on his paper.

How can you on one hand argue that "a list of random strings of gibberish" is "pretty damn secure", but not see that an "encrypted list of random strings of gibberish" is more secure  ?

It's not a push, although the real effective difference may be negligible -- in his case, he is far (!) more likely to get picked off with a keylogger than to have somebody find his ratty piece of paper or decrypt his password repository.

« Last Edit: September 18, 2008, 03:42:26 pm by CheffoJeffo »
Working: Not Enough
Projects: Too Many
Progress: None

ChadTower

Re: Password requirements are getting ridiculous
« Reply #36 on: September 18, 2008, 03:40:29 pm »

I'd have more comments but it's a ---smurfy--- day at work and I'm probably way too pissed off about that to keep this level.  I'm out.   :)

leapinlew

Re: Password requirements are getting ridiculous
« Reply #37 on: September 18, 2008, 03:43:17 pm »
I don't really agree... a list of random strings of gibberish without context is pretty damn secure.  Obfuscation and lack of context is powerful.  You may even say it is... encrypted

YOU might say it's encrypted, but it's not and we aren't allowed to operate in a "pretty damn secure" environment. There are rules to secure systems. Writing down a password and sticking it to the monitor will get you fired in many environments, and it's against the law in others. You may have done some corporate security for your company, but some of us have to work within the confines of DCID 6/3, Sarbanes Oxley, Safe Harbor, or HIPAA where logic need not apply.

CheffoJeffo

Re: Password requirements are getting ridiculous
« Reply #38 on: September 18, 2008, 03:51:54 pm »
some of us have to work within the confines of DCID 6/3, Sarbanes Oxley, Safe Harbor, or HIPAA where logic need not apply.

 :laugh2:

Thanks Lew -- that brought a smile to my face ... as I look forward to my impending SOX audit ...  :badmood:

Working: Not Enough
Projects: Too Many
Progress: None

xar256

Re: Password requirements are getting ridiculous
« Reply #39 on: September 18, 2008, 03:53:51 pm »

I'd have more comments but it's a ---smurfy--- day at work and I'm probably way too pissed off about that to keep this level.  I'm out.   :)

Somehow, I think we'll manage without you on this one.   ::)

Even if you do your best at protecting everything, a rogue website, virus or a hacker might break your security. An unencrypted password list is then completely open. A properly encrypted password repository is not something that you simply break. It would take a brute force attack that can last decades to finish (if you choose that password properly).

That's a part of why I recommended Password Safe.  It encrypts your Password Database using the Twofish encryption algorithm.  Plus there is a U3 version available as well, should you want to keep everything on the key itself.

ChadTower

Re: Password requirements are getting ridiculous
« Reply #40 on: September 18, 2008, 03:59:03 pm »
. You may have done some corporate security for your company, but some of us have to work within the confines of DCID 6/3, Sarbanes Oxley, Safe Harbor, or HIPAA where logic need not apply.


My employer is fully bound by HIPAA and SOX, actually.  Not all internal apps need the same levels of security.  Depends on point of access and content within.

leapinlew

Re: Password requirements are getting ridiculous
« Reply #41 on: September 18, 2008, 04:06:53 pm »
I'd have more comments but it's a ---smurfy--- day at work and I'm probably way too pissed off about that to keep this level.  I'm out.   Smiley

My employer is fully bound by HIPAA and SOX, actually.  Not all internal apps need the same levels of security.  Depends on point of access and content within.

LIES! You can't be trusted.  :)

SavannahLion

Re: Password requirements are getting ridiculous
« Reply #42 on: September 18, 2008, 06:24:09 pm »
I feel your pain. The whole password issue is becoming a big PITA. I understand the requirements. I know why it has to be done. I even understand some of the technical issues behind some of the decisions that are made regarding passwords. Still doesn't change how I feel about it though.

About ten years ago, I worked for a company that had the most absolutely insane security method I've ever come across... ever. To this day they were the only company that required a password for exiting the system, but not for entering the system.

Let me clarify. Absolutely anyone could walk right in the front door and look at our computers, launch our software, and go so far as to look at customer accounts (everything except banking information), manipulate any portion of the system involving customer orders, then walk out. All assuming they understood how to navigate our systems. But to get out of the system... at all, required a password.  :dizzy: :dizzy: :dizzy:

In any case, I think I'm up to around 100 or so passwords for all the different systems, tools, and whatever I have to access. The top twenty or so is kept in Firefox or on a small dongle. The rest are kept elsewhere. I tried the same as you, but I found it's impossible to ever satisfy the requirements of every admin and after a backdoor on my old site a few years ago through a different unsecure website, I changed my password creation and storage methods.

boykster

Re: Password requirements are getting ridiculous
« Reply #43 on: September 18, 2008, 06:32:31 pm »
Here's what I did to generate fancy passwords without thinking too hard or worrying about remembering them:

I wrote a little hash generation program that I keep on my memory stick.  The program generates a hash with length of my choosing based on 2 keywords - I use a common "generic" password that I can easily remember, then I use the name of the site: yahoo, google, etc.  I just need to keep my little program with me on my memory stick and I don't have to "remember" any passwords except for my common generic one.  If I get really creeped out, I can even change the encryption key of the hash - so that gives 3 variables I can change easily to alter what hash is generated.

Problem is, I lost the memory stick and am too lazy to re-write the software  :dunno
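One way to build the generator described in the post above, as an added example (this is not boykster's lost program): the master password is stretched with PBKDF2, the site name selects an HMAC-SHA256 byte stream, and the output is forced to satisfy the upper/lower/digit/symbol rule the thread starter's site imposed. The names `site_password` and `meets_policy`, the `key` default, and the PBKDF2 round count are assumptions.

```python
import hashlib
import hmac

# Character classes from the site policy discussed in the thread:
# upper case, lower case, a digit, and one of the eight symbols ! @ # $ % ^ & *
LOWER = "abcdefghijklmnopqrstuvwxyz"
UPPER = LOWER.upper()
DIGITS = "0123456789"
SYMBOLS = "!@#$%^&*"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)
PBKDF2_ROUNDS = 200_000  # assumed work factor; slows guessing of the master password


def _byte_stream(seed: bytes, label: bytes):
    """Endless pseudo-random bytes: HMAC-SHA256(seed, label || counter)."""
    counter = 0
    while True:
        msg = label + counter.to_bytes(4, "big")
        yield from hmac.new(seed, msg, hashlib.sha256).digest()
        counter += 1


def _pick(stream, n: int) -> int:
    """Unbiased index in range(n): reject bytes that would skew the modulo."""
    limit = 256 - (256 % n)
    for b in stream:
        if b < limit:
            return b % n


def site_password(master: str, site: str, key: str = "v1", length: int = 16) -> str:
    """Derive the same password every time from (master, site, key)."""
    if not 8 <= length <= 20:
        raise ValueError("the policy allows 8 to 20 characters")
    # The third variable from the post ("encryption key") acts as the PBKDF2 salt.
    seed = hashlib.pbkdf2_hmac(
        "sha256", master.encode("utf-8"), b"sitepw:" + key.encode("utf-8"), PBKDF2_ROUNDS
    )
    stream = _byte_stream(seed, site.strip().lower().encode("utf-8"))
    # Guarantee one character from each required class, then fill the rest.
    chars = [cls[_pick(stream, len(cls))] for cls in CLASSES]
    chars += [ALPHABET[_pick(stream, len(ALPHABET))] for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the same stream, so the guaranteed
    # characters do not always sit in the first four positions.
    for i in range(len(chars) - 1, 0, -1):
        j = _pick(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(pw: str) -> bool:
    """Check length 8-20 and at least one character from every class."""
    return 8 <= len(pw) <= 20 and all(any(c in cls for c in pw) for cls in CLASSES)


if __name__ == "__main__":
    # Constructed inputs for illustration only.
    for name in ("yahoo", "google"):
        pw = site_password("my generic password", name)
        print(name, pw, meets_policy(pw))
```

Because the output depends only on the three inputs, nothing is lost when the memory stick is, but anyone who learns the master password can regenerate every site password, and rotating a single site means changing `key` for that site and remembering that you did.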


Ed_McCarron

Re: Password requirements are getting ridiculous
« Reply #44 on: September 18, 2008, 08:58:45 pm »
Random password generators are good for people like you. They do all the hard work for you. It sucks that people are making so many requirements for passwords, but it's better to be safe than sorry. Especially if you are prone to using the same password for everything...

I don't have a problem generating the passwords.  My problem is remembering them.

Try this:  Pick something you're familiar with.  Take for example, "schmokes"

Look at your keyboard. Type "shmokes", but instead hit each key one up and to the left for this - it becomes "wdyj9i3w"

Easy peasy.
But wasn't it fun to think you won the lottery, just for a second there???

punxrus

Re: Password requirements are getting ridiculous
« Reply #45 on: September 18, 2008, 10:09:38 pm »
Ginkobaloba...good for the memoriez  ;D
Dude...Wait...What?!

shmokes

Re: Password requirements are getting ridiculous
« Reply #46 on: September 18, 2008, 10:19:03 pm »


Look at your keyboard. Type "shmokes", but instead hit each key one up and to the left for this - it becomes "wdyj9i3w"


The thing about this that just makes me laugh my head off is that it doesn't even begin to satisfy my problem.   ;D

I needed to choose a password that had letters and numbers, AND upper case, AND one of eight specific characters, none of which are covered by that idea.  Again, I have no problem coming up with a password that meets their criteria.  My problem is that the criteria from site to site seem to be on a slippery slope and keeping track of it all is becoming a nightmare.  I think I'd rather deal with the headache of having my security compromised a couple times every ten years or so than this day-to-day, increasingly complex password management tango we're having to deal with.
Check out my website for in-depth reviews of children's books, games, and educational apps for the iPad:

Best Kid iPad Apps

Singapura

Re: Password requirements are getting ridiculous
« Reply #47 on: September 18, 2008, 11:14:33 pm »
I use 9 different systems (excluding safeboot to boot up and my windows password). All systems have 2 passwords and they're all different. To make things "easy", the bank has issued a single sign on system tied to my access pass. I don't get that. First they make you use all those passwords, then they bring it back to one  :dunno. Anyway, whenever I need to renew my password (every 3 months or so) I still have to fill in the old one. Of course by then I won't remember it anymore because I never use it (the single sign on does that for me).  :banghead:
Wish list: Galaga, Pacman, Pooyan, Star Wars cockpit, Gauntlet, Tron

And the Lord spake, saying, 'First shalt thou take out the Holy Pin. Then, shalt thou count to three. No more. No less. Three shalt be the number thou shalt count, and the number of the counting shall be three. Four shalt thou not count, nor either count thou two, excepting that thou then proceed to three.

Ed_McCarron

Re: Password requirements are getting ridiculous
« Reply #48 on: September 19, 2008, 08:11:09 am »


Look at your keyboard. Type "shmokes", but instead hit each key one up and to the left for this - it becomes "wdyj9i3w"


The thing about this that just makes me laugh my head off is that it doesn't even begin to satisfy my problem.   ;D

You sound like a woman.  "But -I'm- not satisfied..."

It was a generic example for the 99% of us that don't need to use an umlaut in our passwords. :)
But wasn't it fun to think you won the lottery, just for a second there???

patrickl

Re: Password requirements are getting ridiculous
« Reply #49 on: September 19, 2008, 08:29:37 am »


Look at your keyboard. Type "shmokes", but instead hit each key one up and to the left for this - it becomes "wdyj9i3w"


The thing about this that just makes me laugh my head off is that it doesn't even begin to satisfy my problem.   ;D

You sound like a woman.  "But -I'm- not satisfied..."

It was a generic example for the 99% of us that don't need to use an umlaut in our passwords. :)
Besides you can also choose to press the shift key during this "conversion". Or simply add a number and one of the special characters to the password that you were using before.

I personally often use the trick of replacing certain letters with numbers (o=0, i or l=1, e=3 etc)
This signature is intentionally left blank

shmokes

Re: Password requirements are getting ridiculous
« Reply #50 on: September 19, 2008, 08:45:42 am »
But that puts me in the same boat.  Ed's idea was good, inasmuch as that gives you a nonsense password that you can still remember.  But if I "choose" to use the shift key, I need to remember which letter is shifted.  I suppose that I can remember to always shift the first or the third letter, but that doesn't change the fact that I've already got dozens of previously made passwords that don't have any upper-case letters, so I need to change them all, or remember that this password is special.  And that still doesn't take care of the need for symbols.

Understand that this only illustrates what I'm talking about.  Yours and Ed's ideas are great (I've actually been doing the number/vowel swap since passwords started requiring numbers).  And a year ago, those methods would do the trick, but it's not enough anymore. These password requirements aren't just defeating hackers, they're defeating our own ability to manage them sensibly.
« Last Edit: September 19, 2008, 08:47:26 am by shmokes »
Check out my website for in-depth reviews of children's books, games, and educational apps for the iPad:

Best Kid iPad Apps

leapinlew

Re: Password requirements are getting ridiculous
« Reply #51 on: September 19, 2008, 09:16:36 am »
I think I'd rather deal with the headache of having my security compromised a couple times every ten years or so than this day-to-day, increasingly complex password management tango we're having to deal with.

I think if you're using public computers, your rate of a security breach will be much more than once every 10 years. More like 10 times in a year. Your password(s) will be keylogged and it doesn't matter how complex they are.

You should revise your strategy and avoid using computers whose security you cannot validate.

patrickl

Re: Password requirements are getting ridiculous
« Reply #52 on: September 19, 2008, 09:18:24 am »
I have a lot of passwords too, but that's because many of those are important and I don't want them hacked when I enter my password on a lot of websites. Or it's passwords which were not mine to choose (passwords for clients etc)

For forums and other non-important stuff I have 2 passwords in use. One old (insecure) and one new (more secure and up to current specs). I simply added some numbers and a special character. So I need to try 2 passwords. That's not such a problem.

The fact that you have dozens of passwords has nothing to do with changed rules. At worst you should have 3 and they could be virtually identical. For instance:
shmokes
shm0kes
Shm0kes#

This signature is intentionally left blank

shmokes

Re: Password requirements are getting ridiculous
« Reply #53 on: September 19, 2008, 09:50:31 am »

You should revise your strategy and avoid using computers whose security you cannot validate.

Well . . . they're not exactly public.  They can only be used by law students at my school.



The fact that you have dozens of passwords has nothing to do with changed rules. At worst you should have 3 and they could be virtually identical. For instance:
shmokes
shm0kes
Shm0kes#


The scenario you describe only works in hindsight.  For example.  Let's say my first password is smoke.  Then people start requiring 6-digit passwords.  Now I have smoke and shmokes (I'm forward-thinking so I put in an extra letter).  Then they're required to be 8-digit, so I change it to shmookes.  Then they require there be a number in it.  Not immediately thinking of the number/vowel swap idea, I go with shmookes1.  Now, of course, had I known that numbers would be required later on, I could have just chosen shmokes1 way back when they required 8 characters, instead of changing it to shmookes, but I can't foresee the future.  So, now let's say I do try to predict the future.  Let's say that since people recommend using non-alphanumeric characters, I anticipate that eventually that will be a requirement, so I decide to start using shmookes-1, instead of shmookes1.  Pretty clever, eh?  Except that now I'm signing up for a site that requires you to choose from only eight characters, not including the hyphen.  So, I can just replace the hyphen with a tilde, but what about all the sites where I've already used the hyphen?

So, now let's say that my IRL name is Patrick L.  And I go by the handle patrickl on various web forums.  Maybe . . . just maybe, I also use that username on other things.  Let's say, my bank account, or my PayPal account, or my Amazon.com account (which has my credit card stored on file).  Since I know that I'm using the same username for websites with VERY sensitive data, and I know that there's a reasonably good chance that some of the owners of the web forums I belong to have plaintext access to my password, that means I need to have a completely unrelated password for secure websites (and really, I should try to keep each of them different to minimize losses in case one of them is compromised).  But now, at the very least, I'm using the "smoke" derivatives for relatively unimportant sites like web forums, but I need to start a new set of passwords for my bank accounts and other secure sites.  So let's say I decide to start with a secure password right off the bat for those.  Let's say I choose 0bama!sgr3at.  But then I come across a website that insists on capital letters.  Goddamnit.  I didn't think of that one.  Now I need to add capital letters to my shmookes-1 and my 0bama!sgr3at (that's a zero) passwords.  What, my password needs a space in it?  ---fudgesicle---!  That's two more passwords to remember.  Oh, this secure site (0bama) makes me choose from a list of characters that includes the hyphen, while that web forum makes me choose from a list of characters that doesn't?  Great, now I need to go back to my old version of shmokes, before I put a hyphen in it.  Except I actually have to create a new version, with another character in it.  That's okay, I'll just go around to all my forums and change the hyphen to an exclamation point on all my web forum accounts.  What?  Some web forums don't allow characters at all?  Some will allow hyphens, but not exclamation points?

I'm afraid your "worst" case scenario, Patrick, is FAR closer to a best case scenario.
« Last Edit: September 19, 2008, 09:52:14 am by shmokes »
Check out my website for in-depth reviews of children's books, games, and educational apps for the iPad:

Best Kid iPad Apps

Ed_McCarron

Re: Password requirements are getting ridiculous
« Reply #54 on: September 19, 2008, 10:12:25 am »
Well . . . they're not exactly public.  They can only be used by law students at my school.

Even worse.
But wasn't it fun to think you won the lottery, just for a second there???

leapinlew

Re: Password requirements are getting ridiculous
« Reply #55 on: September 19, 2008, 10:14:31 am »
Well - it seems your best option is to write down all the requirements and go to each website and change your password.

OR

Continue complaining about it here.

Fact is, as corporations and website owners start to realize how important security is they will continue to do what they can to ratchet their security even if it's inconvenient to you. One of the only things they can do is protect your password from a brute force attack. So, you might as well stop complaining about the passwords and start complaining why passwords are needed in the first place. If everyone was honest to begin with, you wouldn't need anything but a logon name.

Malenko

Re: Password requirements are getting ridiculous
« Reply #56 on: September 19, 2008, 10:24:34 am »
I read this entire thread and my prevailing thought was "our passwords are slowly being converted to  l337$p3@k"

n00bz  :laugh2:
If you're replying to a troll you are part of the problem.
I also need to follow this advice. Ignore or report, don't reply.

Ed_McCarron

Re: Password requirements are getting ridiculous
« Reply #57 on: September 19, 2008, 10:28:05 am »
If everyone was honest to begin with, you wouldn't need anything but a logon name.

He's a larval lawyer.  You're talking to him about honesty?
But wasn't it fun to think you won the lottery, just for a second there???

punxrus

Re: Password requirements are getting ridiculous
« Reply #58 on: September 19, 2008, 10:56:20 am »
But if I "choose" to use the shift key, I need to remember which letter is shifted.  I suppose that I can remember to always shift the first or the third letter, but that doesn't change the fact that I've already got dozens of previously made passwords that don't have any upper-case letters, so I need to change them all, or remember that this password is special.

FAIL... :laugh2:
Dude...Wait...What?!

shmokes

Re: Password requirements are getting ridiculous
« Reply #59 on: September 19, 2008, 11:00:09 am »

If everyone was honest to begin with, you wouldn't need anything but a logon name.


Wow . . . it turns out the answer was right in front of me all along.
Check out my website for in-depth reviews of children's books, games, and educational apps for the iPad:

Best Kid iPad Apps

patrickl

Re: Password requirements are getting ridiculous
« Reply #60 on: September 19, 2008, 12:35:05 pm »
I'm afraid your "worst" case scenario, Patrick, is FAR closer to a best case scenario.
Lol, you must be really unlucky then. I have to admit I wised up from the first time they indicated you should use safe passwords (decades ago actually). So I only have two main passwords. The old one is a lot easier to type in though, so when I can (allowed and non-important password) I still use it today.

Anyway, to solve the problem I use Norton Identity Safe. I'm not a big fan of Norton anti virus stuff, but I got it for free with my notebook. I have to say it works fine. Identity Safe is great. It keeps a list of sites (like a favorites thing) and stores the passwords and logins for them. Go to the site and it automatically fills in the form. Or click on one of the favorites in the list and go to the login form right away. It will ask once for a password when you start your browser (or you can set it to ask more often). Either way you need only one password and the rest is all done automatically.
This signature is intentionally left blank

RayB

Re: Password requirements are getting ridiculous
« Reply #61 on: September 19, 2008, 12:56:53 pm »
Requiring use of symbols is pretty ridiculous. Most properly programmed web sites and applications should refuse to accept any symbols, and strip them out of all text entry fields to prevent what's called "SQL injections". Seems quite stupid to allow ? < > & etc which are all reserved characters in PHP, HTML, and even file OS's
NO MORE!!

punxrus

Re: Password requirements are getting ridiculous
« Reply #62 on: September 19, 2008, 01:14:57 pm »
I just don't think there is going to be a simple solution to any of this. Internet security is a forever changing animal and we will only have to adapt. You can choose to make life simpler and use a product to assist you, so that you only have to remember one password, but that's not the safest either. There is no sure way to secure your passwords other than your own memory...and let's face it...I have a hard enough time remembering my wife's birthday.
Dude...Wait...What?!

Samstag

Re: Password requirements are getting ridiculous
« Reply #63 on: September 19, 2008, 01:25:28 pm »
Requiring use of symbols is pretty ridiculous. Most properly programmed web sites and applications should refuse to accept any symbols, and strip them out of all text entry fields to prevent what's called "SQL injections". Seems quite stupid to allow ? < > & etc which are all reserved characters in PHP, HTML, and even file OS's


Any system that stores the password text you entered in a database deserves to be "injected".

shmokes

Re: Password requirements are getting ridiculous
« Reply #64 on: September 19, 2008, 01:39:58 pm »
I have a hard enough time remembering my wife's birthday.

I don't see how that is even comparable.  Here we're talking about remembering important things and you go and throw that in the mix . . .
Check out my website for in-depth reviews of children's books, games, and educational apps for the iPad:

Best Kid iPad Apps

boykster

Re: Password requirements are getting ridiculous
« Reply #65 on: September 19, 2008, 03:46:59 pm »
Requiring use of symbols is pretty ridiculous. Most properly programmed web sites and applications should refuse to accept any symbols, and strip them out of all text entry fields to prevent what's called "SQL injections". Seems quite stupid to allow ? < > & etc which are all reserved characters in PHP, HTML, and even file OS's


Any system that stores the password text you entered in a database deserves to be "injected".

totally agree; at the very least passwords should be stored as a simple hash.  Salted hash is better, strong encrypted would be best.  And heck, anybody that uses dynamic SQL anymore is wide open for a SQL injection attack.  That's easily solved by either using stored procedures with parameters, or parameterized SQL. Either of those will defend against SQL injection.
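The storage and query handling discussed in the last few posts, as an added example (not code from any site mentioned in the thread): passwords are kept only as salted PBKDF2 hashes and every statement is parameterized, so symbols in a password or username never need to be stripped. The table layout, function names and round count are assumptions, and the sample inputs are constructed.

```python
import hashlib
import hmac
import os
import sqlite3

ROUNDS = 200_000  # assumed PBKDF2 work factor for this demo
# Constructed input containing SQL quote characters.
CONSTRUCTED_INPUT = "nobody' OR '1'='1"


def hash_password(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn unless one is given."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ROUNDS)
    return salt, digest


def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return db


def register(db, name, password):
    # The password text itself never reaches the database, only salt and digest.
    salt, digest = hash_password(password)
    db.execute(
        "INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
        (name, salt, digest),
    )


def login(db, name, password):
    row = db.execute(
        "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    # Constant-time comparison of the recomputed digest with the stored one.
    return hmac.compare_digest(candidate, stored)


def lookup_dynamic(db, name):
    """Dynamic SQL, shown for contrast: the input becomes part of the statement."""
    return db.execute("SELECT name FROM users WHERE name = '%s'" % name).fetchall()


def lookup_parameterized(db, name):
    """Parameterized SQL: the input is bound as data and cannot alter the query."""
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    register(db, "shmokes", "0bama!sgr3at")
    register(db, "ed", "it's <b>&?\"; --")  # symbols are stored safely as a hash
    print("login ok:", login(db, "ed", "it's <b>&?\"; --"))
    print("dynamic lookup:", lookup_dynamic(db, CONSTRUCTED_INPUT))
    print("parameterized lookup:", lookup_parameterized(db, CONSTRUCTED_INPUT))
```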