Author Topic: Password requirements are getting ridiculous  (Read 6831 times)

shmokes

Password requirements are getting ridiculous
« on: September 18, 2008, 09:52:00 am »
I just signed up for a website so I can apply for an internship for next summer and the requirements for creating a password were:

- At least 8 characters, up to 20
- A combination of upper case and lower case letters
- Must include both numbers and letters
- Must include at least one of the following symbols: ! @ # $ % ^ & * (note that many common symbols, like the hyphen and question mark, are not on the list)

This is getting obnoxious.  Requirements keep getting more and more complex.  I have already moved to a password that I thought would work pretty much everywhere, as it contains letters, two numbers, and a symbol.  Unfortunately, my symbol isn't on the list, and I don't have any upper case letters in my password.  So, now I have to come up with something all over again, for this one site which I will almost never visit.  This means that I need to write down my password somewhere because there's no way I'm ever going to remember it, WHICH IS NOT ---smurfing--- SECURE! 
Check out my website for in-depth reviews of children's books, games, and educational apps for the iPad:

Best Kid iPad Apps
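
The four rules listed in the opening post, written out as a checker (an added example, not part of the original post or the site's own code). The sample passwords, the 20,000-word dictionary size, and the choice to tolerate unlisted symbols without counting them are assumptions made for illustration.

```python
from __future__ import annotations

import math

# Rules as listed in the opening post.
MIN_LEN, MAX_LEN = 8, 20
ALLOWED_SYMBOLS = "!@#$%^&*"


def policy_violations(password: str) -> list[str]:
    """Return the rules from the post that `password` breaks (empty = accepted)."""
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append("length must be 8 to 20 characters")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("needs both upper and lower case letters")
    if not (any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password)):
        problems.append("needs both numbers and letters")
    # Assumption: symbols outside the list (hyphen, question mark) are
    # tolerated by the site but do not satisfy this rule.
    if not any(c in ALLOWED_SYMBOLS for c in password):
        problems.append("needs one of ! @ # $ % ^ & *")
    return problems


def random_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string over the given alphabet."""
    return length * math.log2(alphabet_size)


def pattern_bits(dictionary_size: int) -> float:
    """Entropy of 'capitalised dictionary word + one digit + one listed symbol'."""
    return math.log2(dictionary_size * 10 * len(ALLOWED_SYMBOLS))


# Constructed sample passwords, not taken from the thread.
SAMPLES = {
    "Password1!": "dictionary word dressed up to satisfy every rule",
    "arcade42-cab": "letters, two numbers, and a symbol that is not on the list",
    "qhzvtrmwkcyepldnxbgs": "20 random lowercase letters",
}


def report() -> dict[str, list[str]]:
    """Map each sample password to the rules it violates."""
    return {pw: policy_violations(pw) for pw in SAMPLES}


if __name__ == "__main__":
    for pw, problems in report().items():
        verdict = "ACCEPTED" if not problems else "REJECTED: " + "; ".join(problems)
        print(f"{pw:22} ({SAMPLES[pw]})\n    {verdict}")
    # Assumed dictionary of 20,000 words for the accepted pattern.
    print(f"accepted pattern : about {pattern_bits(20_000):.0f} bits")
    print(f"rejected random  : about {random_bits(20, 26):.0f} bits")
```

The checker accepts the predictable pattern and rejects the far larger random string, which is the mismatch between composition rules and actual guessing difficulty that the post complains about.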

ChadTower

« Reply #1 on: September 18, 2008, 09:54:44 am »
Quote
I have already moved to a password that I thought would work pretty much everywhere, as it contains letters, two numbers, and a symbol.  Unfortunately, my symbol isn't on the list, and I don't have any upper case letters in my password.  So, now I have to come up with something all over again, for this one site which I will almost never visit.  This means that I need to write down my password somewhere because there's no way I'm ever going to remember it, WHICH IS NOT ---smurfing--- SECURE!


Writing down your password in a physical location is a whole lot more secure than using the same password everywhere... really, who is going to come into your house looking for paper scraps?  With your method if someone cracks your password in one place they have it everywhere.  That makes security guys have aneurysms.

Ginsu Victim

« Reply #2 on: September 18, 2008, 10:01:26 am »
In Firefox, what I do is make a bookmark, then go to properties and put my username:password for that site in the comments section.

ChadTower

« Reply #3 on: September 18, 2008, 10:02:26 am »

I just write them down on paper in my desk.  Can't hack that.  My desk is such a mess no one would ever find it.  Hell I can't find it sometimes.

Blanka

« Reply #4 on: September 18, 2008, 10:03:52 am »
I like the password manager for that.
And now and then I print a screenshot of the list.

Thenasty

« Reply #5 on: September 18, 2008, 10:10:40 am »
Best example passwords are:


iforgot
idunno
idon'tremember
whatsmypassword
Ilive@1313MockingbirdLane
« Last Edit: September 18, 2008, 10:20:30 am by Thenasty »
Thenasty's Arcademania Horizontal/Vertical setup.
http://forum.arcadecontrols.com/index.php?topic=26696.0

Free VGA Breakout Cable
http://forum.arcadecontrols.com/index.php?topic=38228.0

Ultimate All in One Coin Mech write up (Make your own)
http://forum.arcadecontrols.com/index.php?topic=19200.0

xar256

« Reply #6 on: September 18, 2008, 10:12:05 am »
Do yourself a favor, get a password manager, and get used to using it.  Such things are becoming quite common and will more than likely be a part of whatever business you go into in future.  Lord knows I'm up to 38 different passwords at my work, most of which have similar requirements as stated above, AND have to be changed every 90 days.  :dizzy:

Check out Password Safe. Free, fast, and simple to use.

ChadTower

« Reply #7 on: September 18, 2008, 10:15:32 am »
Quote
Do yourself a favor, get a password manager, and get used to using it.  Such things are becoming quite common and will more than likely be a part of whatever business you go into in future.  Lord knows I'm up to 38 different passwords at my work, most of which have similar requirements as stated above, AND have to be changed every 90 days.  :dizzy:
Check out Password Safe. Free, fast, and simple to use.


If your company were doing it correctly you'd be using your network login to get into all of the internal apps.  Password managers aren't the way going forward - LDAP based single sign on is the way.

shmokes

« Reply #8 on: September 18, 2008, 10:20:25 am »
Will Password Safe run in the background and fill out forms automatically, or at least intelligently with a click or two?  The reason I only use a few different passwords is because I don't want to stop what I'm doing and look up passwords for every site I need to log into, of which there are probably at least a hundred by now.  I'm willing to accept a bit of risk in return for a bit of convenience.  The Firefox password manager is awesome, but not something I think to back up when I reformat my computer, so I end up losing all that pretty regularly.

ChadTower

« Reply #9 on: September 18, 2008, 10:22:40 am »

Damn how often do you reformat the drive?   ;D

shmokes

« Reply #10 on: September 18, 2008, 10:29:01 am »
At least once a year, on my desktop -- depends if I'm tinkering with OSes.  Twice a year on my laptop cos we run this buggy exam-taking software and if it ---smurfs--- up the student has to write in blue books, but doesn't get any extra time.  I type about 90 WPM, so this poses a pretty distinct disadvantage.  The software ---fouled up beyond all recognition--- up (memory leak) during one of my exams last year, so now before exam time each semester, I clean off the computer and load nothing but that one program.  So at least three format/reinstalls per year.  PITA.

Another problem with a Password Manager of any kind is portability.  I do a lot of computing from campus, on campus computers.  I suppose I could put Firefox on a USB drive and carry it around.  Maybe eventually I'll start doing that.

missioncontrol

« Reply #11 on: September 18, 2008, 10:31:18 am »
Portable Firefox is awesome for such situations... Just be sure to master password protect your password bank.

ChadTower

« Reply #12 on: September 18, 2008, 10:31:34 am »
Quote
Another problem with a Password Manager of any kind is portability.  I do a lot of computing from campus, on campus computers.  I suppose I could put Firefox on a USB drive and carry it around.  Maybe eventually I'll start doing that.


A thumb drive with the keys to your kingdom on it, carried around with you, seems like a really bad idea.  It may as well be an old parchment with dotted lines leading to a big red X.

shmokes

« Reply #13 on: September 18, 2008, 10:36:35 am »
BTW, it occurs to me that we're missing the point of the OP.  Password requirements keep getting progressively more complex.  It started out with passwords having almost no requirements.  Then 5 characters was commonly required.  Then 6.  We skipped 7 and went straight to 8 for some reason.  Then numbers had to be added.  Then symbols.  Then numbers and symbols.  Now numbers, symbols AND lowercase and uppercase letters.  Soon we will need to have uppercase letters surrounded by at least one lowercase letter on each side of it.  Then we will need that, plus at least one space.  Then the password will need to be two words, each conforming to those requirements.  Then three.  

It just gets to a point where I'm like, "---fudgesicle---, can we stop doing this?  ---smurfing--- make biometrics standard on all computers or something, but this is getting absurd!"

shmokes

« Reply #14 on: September 18, 2008, 10:37:06 am »

Quote
A thumb drive with the keys to your kingdom on it, carried around with you, seems like a really bad idea.  It may as well be an old parchment with dotted lines leading to a big red X.

It sounds like you are finally beginning to appreciate my problem, actually.

Jimbo

« Reply #15 on: September 18, 2008, 10:44:26 am »
You have to have multiple passwords these days for the reasons the OP stated: everywhere has different requirements as to what is accepted.  Personally, I use a similar password for most stuff, and use a nice little utility called "coolfish" that encrypts text/files with a master password (using Blowfish encryption).

ChadTower

« Reply #16 on: September 18, 2008, 10:45:18 am »
Quote
It sounds like you are finally beginning to appreciate my problem, actually.


I appreciated it when you first posted it... and I have been suggesting using an old school method to solve a new school problem.  Some things are best kept physically secure and completely separate from the medium.  Things like password managers are only as secure as the hacker's abilities and motivation allow them to be.

shmokes

« Reply #17 on: September 18, 2008, 10:58:34 am »
But if I have to have a bunch of different passwords (that are becoming increasingly more difficult to commit to memory because of symbol, case and number requirements), and they are all stored on paper at home, but I do a good deal, if not the bulk of my computing from various public computers . . .

xar256

« Reply #18 on: September 18, 2008, 11:11:54 am »
Quote
If your company were doing it correctly you'd be using your network login to get into all of the internal apps.  Password managers aren't the way going forward - LDAP based single sign on is the way.

Tell that to the mainframe system running TPF that half those passwords are for.  Not everything uses that kind of technology.  Plus my company does not allow certain passwords to be the same as others.

Quote
Will Password Safe run in the background and fill out forms automatically, or at least intelligently with a click or two?  The reason I only use a few different passwords is because I don't want to stop what I'm doing and look up passwords for every site I need to log into, of which there are probably at least a hundred by now.  I'm willing to accept a bit of risk in return for a bit of convenience.  The Firefox password manager is awesome, but not something I think to back up when I reformat my computer, so I end up losing all that pretty regularly.

I don't use it like that, but supposedly it does have that option. 

ChadTower

« Reply #19 on: September 18, 2008, 11:24:23 am »
Quote
But if I have to have a bunch of different passwords (that are becoming increasingly more difficult to commit to memory because of symbol, case and number requirements), and they are all stored on paper at home, but I do a good deal, if not the bulk of my computing from various public computers . . .


Then for the most part your problem is the fact that you do the bulk of your computing from public computers.  So long as that is a requirement you're going to have password security issues.  I know you can't fix that, but when you use public bathrooms all the time, you have to use the paper ass gaskets.

punxrus

« Reply #20 on: September 18, 2008, 11:59:24 am »
Random password generators are good for people like you. They do all the hard work for you. It sucks that people are making so many requirements for passwords, but it's better to be safe than sorry. Especially if you are prone to using the same password for everything...
Dude...Wait...What?!

boykster

« Reply #21 on: September 18, 2008, 12:09:19 pm »
There's the flipside of this issue too, password management by the application and database.  A complex password only protects your account from brute force attacks thru the interface, but does nothing to protect your login from a backdoor compromise if the system is storing your password in plaintext or a simple 2-way hash.

What good is an uber complex random password if a hacker simply dumps the user table and your pass is there in plaintext?  :dunno
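
The storage point in the post above, shown as three ways a site might keep the same password in its user table (an added example, not part of the original post). The row layout, the base64 stand-in for a "2-way" encoding, the PBKDF2 iteration count and the sample password are all assumptions made for illustration.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def store_plaintext(password: str) -> dict:
    return {"scheme": "plaintext", "value": password}


def store_reversible(password: str) -> dict:
    # base64 stands in for any encoding the server can undo without a secret.
    return {"scheme": "reversible",
            "value": base64.b64encode(password.encode()).decode()}


def store_hashed(password: str, iterations: int = ITERATIONS) -> dict:
    # Per-user random salt plus a deliberately slow one-way function.
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"scheme": "pbkdf2_sha256", "iterations": iterations,
            "salt": salt.hex(), "value": digest.hex()}


def verify(row: dict, candidate: str) -> bool:
    """Login check the application performs against a stored row."""
    if row["scheme"] == "plaintext":
        return hmac.compare_digest(row["value"].encode(), candidate.encode())
    if row["scheme"] == "reversible":
        stored = base64.b64decode(row["value"])
        return hmac.compare_digest(stored, candidate.encode())
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(row["salt"]), row["iterations"])
    return hmac.compare_digest(digest, bytes.fromhex(row["value"]))


def readable_from_dump(row: dict) -> str | None:
    """What a copy of the table reveals on its own, with no guessing at all."""
    if row["scheme"] == "plaintext":
        return row["value"]
    if row["scheme"] == "reversible":
        return base64.b64decode(row["value"]).decode()
    return None  # only salt and digest are present; each guess costs a full KDF run


if __name__ == "__main__":
    password = "k7#Vq2!mZp9&Lw4x"  # constructed sample, complex by any policy
    for make in (store_plaintext, store_reversible, store_hashed):
        row = make(password)
        exposed = readable_from_dump(row)
        print(f"{row['scheme']:14} login ok: {verify(row, password)}  "
              f"readable from dump: {exposed!r}")
```

With the first two schemes the complexity of the password is irrelevant once the table is copied; with the salted, slow hash the complexity is what decides how long offline guessing takes.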

leapinlew

« Reply #22 on: September 18, 2008, 12:21:03 pm »
I agree. Password requirements are becoming a pain. Especially because some apps won't accept more than 8 characters, while others want more than 8 characters, some won't accept numbers, and some force numbers. 1 form of authentication is the culprit here. Security can be accomplished by using any of these 3 metrics:

  • Something you know - such as a password
  • Something you have - such as a magnetic card or fob
  • Something you are - some form of biometrics

Relying ONLY on one is the real issue. You should be forced to have 2 of the 3 and then we could do away with some of the more complex password requirements.

shmokes

« Reply #23 on: September 18, 2008, 12:26:51 pm »
Quote
Random password generators are good for people like you. They do all the hard work for you. It sucks that people are making so many requirements for passwords, but it's better to be safe than sorry. Especially if you are prone to using the same password for everything...

I don't have a problem generating the passwords.  My problem is remembering them.

leapinlew

« Reply #24 on: September 18, 2008, 12:27:47 pm »
Quote
Random password generators are good for people like you. They do all the hard work for you. It sucks that people are making so many requirements for passwords, but it's better to be safe than sorry. Especially if you are prone to using the same password for everything...

Quote
I don't have a problem generating the passwords.  My problem is remembering them.

Do yourself a favor and don't work for any government institutions. You're not allowed to write them down and you'll need to remember a ton of them...

patrickl

« Reply #25 on: September 18, 2008, 12:29:31 pm »
It's also super annoying when they ask you to change the password often. A client of mine has a policy that every month the password needs to be changed. I don't go there that often so I almost need to change my password every time I go there. And of course the next time I go there I have forgotten what it was. Well by now I fixed the problem, but still. It was pretty annoying.

I use two programs to overcome the problem.

I use Norton 360 and it keeps a record of all the logins and passwords I use. When I come on the same page it fills in the passwords automatically. Much like web browsers usually do. Only when I start the browser for the first time does it ask me to log in so it can reach the password file. Actually, I wish they would make it a standard feature of web browsers. These are already able to fill in forms automatically, but that's ridiculously unsafe. Why not ask for a password to protect this functionality?

I also use eWallet to store logins and other personal info. Not so much for websites anymore though. This I also take with me on my smartphone/PocketPC.
This signature is intentionally left blank

ChadTower

« Reply #26 on: September 18, 2008, 01:20:31 pm »
Quote
Do yourself a favor and don't work for any government institutions. You're not allowed to write them down and you'll need to remember a ton of them...


People write them down anyway.  Hell, people write them on postits and stick them to their monitors.

boykster, a lot of enterprise apps use the fact that they are internal only as a layer of security.  Sure, the backdoor may be there, but to use the backdoor you have to have already compromised the network somehow.  That's why they use LDAP - the assumption that if you're logging in you are already in a "secure" location and thus the challenge doesn't need to be all that deep.

CheffoJeffo

« Reply #27 on: September 18, 2008, 01:26:45 pm »
Quote
It sounds like you are finally beginning to appreciate my problem, actually.

Quote
I appreciated it when you first posted it... and I have been suggesting using an old school method to solve a new school problem.  Some things are best kept physically secure and completely separate from the medium.  Things like password managers are only as secure as the hacker's abilities and motivation allow them to be.

Let's see ... so far you have suggested writing down passwords on paper and common authentication schemes as good security practices.

I know that you have done a lot of things in your life, but I think that data security, like hauling MDF, ain't one of them.  ;)

I'll put my properly-encrypted password management repository up against both paper and central authentication every day of the week.
Working: Not Enough
Projects: Too Many
Progress: None

missioncontrol

« Reply #28 on: September 18, 2008, 01:28:23 pm »
Quote
Random password generators are good for people like you. They do all the hard work for you. It sucks that people are making so many requirements for passwords, but it's better to be safe than sorry. Especially if you are prone to using the same password for everything...

Quote
I don't have a problem generating the passwords.  My problem is remembering them.

Quote
Do yourself a favor and don't work for any government institutions. You're not allowed to write them down and you'll need to remember a ton of them...

Yeah, and they have to be changed every 60 days.

Dartful Dodger

« Reply #29 on: September 18, 2008, 01:36:02 pm »
If I don't use the site every day or if I can be logged in all the time and lose my cookies I usually have to click on forgot password and have them email a new one.

I think that's happened to me a couple of times with this site.

Now all I have to remember is the passwords for my email accounts.

ChadTower

« Reply #30 on: September 18, 2008, 01:56:08 pm »
Quote
Let's see ... so far you have suggested writing down passwords on paper and common authentication schemes as good security practices.
I know that you have done a lot of things in your life, but I think that data security, like hauling MDF, ain't one of them.  ;)
I'll put my properly-encrypted password management repository up against both paper and central authentication every day of the week.


Common authentication is considered good enough when you're already within security - I was specific about that.  If you don't like that then I suggest you take it up with corporations all over the world.

I suggested paper specifically for shmokes - if you don't like that, find a better way for someone who sits in various public labs on a regular basis.

Security is very context dependent, as I'm sure your password management repository is aware.  I'm also sure it doesn't run off a thumb drive shmokes could carry around with him.

CheffoJeffo

« Reply #31 on: September 18, 2008, 02:45:27 pm »
Quote
Common authentication is considered good enough when you're already within security - I was specific about that.  If you don't like that then I suggest you take it up with corporations all over the world.

I think you are mistaking convenient business practice for good security practice.

Quote
Security is very context dependent, as I'm sure your password management repository is aware.  I'm also sure it doesn't run off a thumb drive shmokes could carry around with him.

Actually, the file *is* stored on a thumb drive ... my point was that, with proper and secure encryption and authentication, my password repository is far more secure than keeping a list of passwords in his pocket.

ChadTower

« Reply #32 on: September 18, 2008, 02:52:34 pm »
Quote
I think you are mistaking convenient business practice for good security practice.


Not at all.  If the LAN is considered secure then it is accepted practice to consider that in the security model for a given internal application. 


Quote
Actually, the file *is* stored on a thumb drive ... my point was that, with proper and secure encryption and authentication, my password repository is far more secure than keeping a list of passwords in his pocket.

I don't really agree... a list of random strings of gibberish without context is pretty damn secure.  Obfuscation and lack of context is powerful.  You may even say it is... encrypted.  Now, odds are extremely low that someone with the ability would ever find that thumb drive should he lose it.  But if they did, and on a college campus those odds are much higher than elsewhere, there are cracking apps specifically designed to do this particular job.  And it's a plug it in, start the process, and leave it there unattended process, which means it is certainly possible.  At best the two methods are a push, IMO, unless he's dumb enough to list URLs next to the passwords on his paper.

patrickl

« Reply #33 on: September 18, 2008, 03:22:15 pm »
Even if you do your best at protecting everything, a rogue website, virus or a hacker might break your security. An unencrypted password list is then completely open. A properly encrypted password repository is not something that you simply break. It would take a brute force attack that can last decades to finish (if you choose that password properly).

ChadTower

« Reply #34 on: September 18, 2008, 03:36:30 pm »
Quote
Even if you do your best at protecting everything, a rogue website, virus or a hacker might break your security. An unencrypted password list is then completely open. A properly encrypted password repository is not something that you simply break. It would take a brute force attack that can last decades to finish (if you choose that password properly).


Decades if the hacker doesn't have prior knowledge of the repository app.  There are known techniques for most of them that shorten that quite a bit.  Still way more trouble than it's worth and effective enough but not nearly as decades long secure as a blind brute force would need to be.

CheffoJeffo

« Reply #35 on: September 18, 2008, 03:37:57 pm »
Quote
I think you are mistaking convenient business practice for good security practice.

Quote
Not at all.  If the LAN is considered secure then it is accepted practice to consider that in the security model for a given internal application.

You sound like those network admins who figured that blocking port 135 at the firewall protected their networks against Blaster and woke up the following Tuesday morning to massively-infected networks.

You can't consider the LAN secure unless you can consider all equipment connected to the LAN to be secure.

Once Chuckie connects with his laptop that he used to download that donkey porn last night, all bets are off. And that only considers the attack from outside.

I know that you think that I am missing your points, but I'm not.

The reason that we have terms like "accepted practice" is because "best practice" is just too damned inconvenient.

I don't really agree... a list of random strings of gibberish without context is pretty damn secure.  Obfuscation and lack of context is powerful.  You may even say it is... encrypted.  Now, odds are extremely low that someone with the ability would ever find that thumb drive should he lose it.  But if they did, and on a college campus those odds are much higher than elsewhere, there are cracking apps specifically designed to do this particular job.  And it's a plug it in, start the process, and leave it there unattended process, which means it is certainly possible.  At best the two methods are a push, IMO, unless he's dumb enough to list URLs next to the passwords on his paper.

How can you on one hand argue that "a list of random strings of gibberish" is "pretty damn secure", but not see that an "encrypted list of random strings of gibberish" is more secure  ?

It's not a push, although the real effective difference may be negligible -- in his case, he is far (!) more likely to get picked off with a keylogger than to have somebody find his ratty piece of paper or decrypt his password repository.

« Last Edit: September 18, 2008, 03:42:26 pm by CheffoJeffo »
Working: Not Enough
Projects: Too Many
Progress: None

ChadTower

Re: Password requirements are getting ridiculous
« Reply #36 on: September 18, 2008, 03:40:29 pm »

I'd have more comments but it's a ---smurfy--- day at work and I'm probably way too pissed off about that to keep this level.  I'm out.   :)

leapinlew

Re: Password requirements are getting ridiculous
« Reply #37 on: September 18, 2008, 03:43:17 pm »
I don't really agree... a list of random strings of gibberish without context is pretty damn secure.  Obfuscation and lack of context is powerful.  You may even say it is... encrypted

YOU might say it's encrypted, but it's not and we aren't allowed to operate in a "pretty damn secure" environment. There are rules to secure systems. Writing down a password and sticking it to the monitor will get you fired in many environments, and it's against the law in others. You may have done some corporate security for your company, but some of us have to work within the confines of DCID 6/3, Sarbanes Oxley, Safe Harbor, or HIPAA where logic need not apply.

CheffoJeffo

Re: Password requirements are getting ridiculous
« Reply #38 on: September 18, 2008, 03:51:54 pm »
some of us have to work within the confines of DCID 6/3, Sarbanes Oxley, Safe Harbor, or HIPAA where logic need not apply.

 :laugh2:

Thanks Lew -- that brought a smile to my face ... as I look forward to my impending SOX audit ...  :badmood:

Working: Not Enough
Projects: Too Many
Progress: None

xar256

Re: Password requirements are getting ridiculous
« Reply #39 on: September 18, 2008, 03:53:51 pm »

I'd have more comments but it's a ---smurfy--- day at work and I'm probably way too pissed off about that to keep this level.  I'm out.   :)

Somehow, I think we'll manage without you on this one.   ::)

Even if you do your best at protecting everything, a rogue website, virus or a hacker might break your security. An unencrypted password list is then completely open. A properly encrypted password repository is not something that you simply break. It would take a brute force attack that can last decades to finish (if you choose that password properly).

That's a part of why I recommended Password Safe.  It encrypts your Password Database using the Twofish encryption algorithm.  Plus there is a U3 version available as well, should you want to keep everything on the key itself.
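
The "decades, if you choose that password properly" claim quoted above depends on two numbers: the entropy of the master password and the cost of each guess after key stretching. The following is an added example, not code from any poster or from Password Safe; it assumes PBKDF2-HMAC-SHA256 as a stand-in key-stretching function, constructed password policies, and a hypothetical attacker running 1000 guessers in parallel.

```python
import hashlib
import math
import os
import time

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed master-password policies: (alphabet size, length).
# 70 = a-z, A-Z, 0-9 plus the 8 symbols the site in the first post allows.
CANDIDATES = {
    "8 lowercase letters": (26, 8),
    "8 chars from the site's 70-char set": (70, 8),
    "14 random printable ASCII": (94, 14),
    "6 random words, 7776-word list": (7776, 6),
}

def keyspace_bits(alphabet_size, length):
    """Entropy in bits of a password drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def measure_kdf_seconds(iterations):
    """Time one PBKDF2-HMAC-SHA256 derivation on this machine."""
    salt = os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"constructed-sample", salt, iterations)
    return time.perf_counter() - start

def years_to_search(bits, seconds_per_guess, parallel_guessers=1):
    """Expected years of offline guessing; on average half the keyspace."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses * seconds_per_guess / parallel_guessers / SECONDS_PER_YEAR

def report(seconds_per_guess, parallel_guessers):
    """Years to search each constructed policy at the given guess cost."""
    return {
        name: years_to_search(keyspace_bits(a, n), seconds_per_guess, parallel_guessers)
        for name, (a, n) in CANDIDATES.items()
    }

if __name__ == "__main__":
    # Assumption: the attacker's hardware matches this machine, times 1000.
    cost = measure_kdf_seconds(200_000)
    print(f"one stretched guess: {cost * 1000:.1f} ms")
    for name, years in report(cost, 1000).items():
        print(f"{name:40s} {years:12.3g} years")
```

These figures are upper bounds: they assume the master password is chosen uniformly at random, and human-chosen passwords fall well short of that.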