
Author Topic: Password requirements are getting ridiculous  (Read 6866 times)


ChadTower

Re: Password requirements are getting ridiculous
« Reply #40 on: September 18, 2008, 03:59:03 pm »
. You may have done some corporate security for your company, but some of us have to work within the confines of DCID 6/3, Sarbanes Oxley, Safe Harbor, or HIPAA where logic need not apply.


My employer is fully bound by HIPAA and SOX, actually.  Not all internal apps need the same levels of security.  Depends on point of access and content within.

leapinlew

Re: Password requirements are getting ridiculous
« Reply #41 on: September 18, 2008, 04:06:53 pm »
I'd have more comments but it's a ---smurfy--- day at work and I'm probably way too pissed off about that to keep this level.  I'm out.   Smiley

My employer is fully bound by HIPAA and SOX, actually.  Not all internal apps need the same levels of security.  Depends on point of access and content within.

LIES! You can't be trusted.  :)

SavannahLion

Re: Password requirements are getting ridiculous
« Reply #42 on: September 18, 2008, 06:24:09 pm »
I feel your pain. The whole password issue is becoming a big PITA. I understand the requirements. I know why it has to be done. I even understand some of the technical issues behind some of the decisions that are made regarding passwords. Still doesn't change how I feel about it though.

About ten years ago, I worked for a company that had the most absolutely insane security method I've ever come across... ever. To this day they were the only company that required a password for exiting the system, but not for entering the system.

Let me clarify. Absolutely anyone could walk right in the front door and look at our computers, launch our software, and go so far as to look at customer accounts (everything except banking information), manipulate any portion of the system involving customer orders, then walk out. All assuming they understood how to navigate our systems. But to get out of the system... at all, required a password.  :dizzy: :dizzy: :dizzy:

In any case, I think I'm up to around 100 or so passwords for all the different systems, tools, and whatever I have to access. The top twenty or so is kept in Firefox or on a small dongle. The rest are kept elsewhere. I tried the same as you, but I found it's impossible to ever satisfy the requirements of every admin and after a backdoor on my old site a few years ago through a different unsecure website, I changed my password creation and storage methods.

boykster

Re: Password requirements are getting ridiculous
« Reply #43 on: September 18, 2008, 06:32:31 pm »
Here's what I did to generate fancy passwords without thinking too hard or worrying about remembering them:

I wrote a little hash generation program that I keep on my memory stick.  The program generates a hash with length of my choosing based on 2 keywords - I use a common "generic" password that I can easily remember, then I use the name of the site: yahoo, google, etc.  I just need to keep my little program with me on my memory stick and I don't have to "remember" any passwords except for my common generic one.  If I get really creeped out, I can even change the encryption key of the hash - so that gives 3 variables I can change easily to alter what hash is generated.

Problem is, I lost the memory stick and am too lazy to re-write the software  :dunno
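The scheme described in the post above, as an added example (this is not boykster's program): a site password is derived deterministically from a remembered master password, the site name and a changeable key. It goes beyond the post by also letting each site's length and allowed-symbol rules be passed in; `site_password`, the PBKDF2 work factor and the default symbol set are assumptions of this sketch.

```python
import hashlib
import hmac
import string

PBKDF2_ROUNDS = 200_000  # assumed work factor; slows guessing of the master password


def _byte_stream(master, site, key):
    """Endless deterministic byte stream for one (master, site, key) triple."""
    salt = f"{key}:{site}".encode("utf-8")
    seed = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, PBKDF2_ROUNDS)
    counter = 0
    while True:
        # HMAC in counter mode expands the seed into as many bytes as needed.
        yield from hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1


def _below(stream, n):
    """Next value in range(n), n <= 256, by rejection sampling (no modulo bias)."""
    limit = 256 - (256 % n)
    for b in stream:
        if b < limit:
            return b % n


def site_password(master, site, key="v1", length=16, symbols="!#$%&*?@"):
    """Derive a password for `site` that meets that site's composition rules.

    symbols: the special characters this site accepts ("" if it accepts none).
    key:     the third variable from the post; change it to rotate every password.
    """
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if symbols:
        classes.append(symbols)
    pool = "".join(classes)
    if not len(classes) <= length <= 256 or len(pool) > 256:
        raise ValueError("length or symbol set out of range")
    stream = _byte_stream(master, site.strip().lower(), key)
    # One character from every required class, then fill from the whole pool.
    chars = [c[_below(stream, len(c))] for c in classes]
    chars += [pool[_below(stream, len(pool))] for _ in range(length - len(chars))]
    # Deterministic Fisher-Yates shuffle so the required classes are not
    # always in the first positions.
    for i in range(len(chars) - 1, 0, -1):
        j = _below(stream, i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    # Constructed inputs: a made-up master password and the site names from the post.
    for name in ("yahoo", "google"):
        print(name, site_password("correct horse", name))
    print("forum", site_password("correct horse", "forum", length=8, symbols=""))
```

Nothing is stored, so losing the memory stick loses only the program, not the passwords; the trade-off is that every site password depends on the one master password staying secret.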


Ed_McCarron

Re: Password requirements are getting ridiculous
« Reply #44 on: September 18, 2008, 08:58:45 pm »
Random password generators are good for people like you. They do all the hard work for you. It sucks that people are making so many requirements for passwords, but it's better to be safe than sorry. Especially if you are prone to using the same password for everything...

I don't have a problem generating the passwords.  My problem is remembering them.

Try this:  Pick something you're familiar with.  Take for example, "schmokes"

Look at your keyboard. Type "shmokes", but instead hit each key one up and to the left for this - it becomes "wdyj9i3w"

Easy peasy.
But wasn't it fun to think you won the lottery, just for a second there???

punxrus

Re: Password requirements are getting ridiculous
« Reply #45 on: September 18, 2008, 10:09:38 pm »
Ginkobaloba...good for the memoriez  ;D
Dude...Wait...What?!

shmokes

Re: Password requirements are getting ridiculous
« Reply #46 on: September 18, 2008, 10:19:03 pm »


Look at your keyboard. Type "shmokes", but instead hit each key one up and to the left for this - it becomes "wdyj9i3w"


The thing about this that just makes me laugh my head off is that it doesn't even begin to satisfy my problem.   ;D

I needed to choose a password that had letters and numbers, AND upper case, AND one of eight specific characters, none of which are covered by that idea.  Again, I have no problem coming up with a password that meets their criteria.  My problem is that the criteria from site to site seem to be on a slippery slope and keeping track of it all is becoming a nightmare.  I think I'd rather deal with the headache of having my security compromised a couple times every ten years or so than this day-to-day, increasingly complex password management tango we're having to deal with.
Check out my website for in-depth reviews of children's books, games, and educational apps for the iPad:

Best Kid iPad Apps

Singapura

Re: Password requirements are getting ridiculous
« Reply #47 on: September 18, 2008, 11:14:33 pm »
I use 9 different systems (excluding safeboot to boot up and my windows password). All systems have 2 passwords and they're all different. To make things "easy", the bank has issued a single sign on system tied to my access pass. I don't get that. First they make you use all those passwords, then they bring it back to one  :dunno. Anyway, whenever I need to renew my password (every 3 months or so) I still have to fill in the old one. Of course by then I won't remember it anymore because I never use it (the single sign on does that for me).  :banghead:
Wish list: Galaga, Pacman, Pooyan, Star Wars cockpit, Gauntlet, Tron

And the Lord spake, saying, 'First shalt thou take out the Holy Pin. Then, shalt thou count to three. No more. No less. Three shalt be the number thou shalt count, and the number of the counting shall be three. Four shalt thou not count, nor either count thou two, excepting that thou then proceed to three.

Ed_McCarron

Re: Password requirements are getting ridiculous
« Reply #48 on: September 19, 2008, 08:11:09 am »


Look at your keyboard. Type "shmokes", but instead hit each key one up and to the left for this - it becomes "wdyj9i3w"


The thing about this that just makes me laugh my head off is that it doesn't even begin to satisfy my problem.   ;D

You sound like a woman.  "But -I'm- not satisfied..."

It was a generic example for the 99% of us that don't need to use an umlaut in our passwords. :)
But wasn't it fun to think you won the lottery, just for a second there???

patrickl

Re: Password requirements are getting ridiculous
« Reply #49 on: September 19, 2008, 08:29:37 am »


Look at your keyboard. Type "shmokes", but instead hit each key one up and to the left for this - it becomes "wdyj9i3w"


The thing about this that just makes me laugh my head off is that it doesn't even begin to satisfy my problem.   ;D

You sound like a woman.  "But -I'm- not satisfied..."

It was a generic example for the 99% of us that don't need to use an umlaut in our passwords. :)
Besides you can also choose to press the shift key during this "conversion". Or simply add a number and one of the special characters to the password that you were using before.

I personally often use the trick of replacing certain letters with numbers (o=0, i or l=1, e=3 etc)
This signature is intentionally left blank

shmokes

Re: Password requirements are getting ridiculous
« Reply #50 on: September 19, 2008, 08:45:42 am »
But that puts me in the same boat.  Ed's idea was good, inasmuch as that gives you a nonsense password that you can still remember.  But if I "choose" to use the shift key, I need to remember which letter is shifted.  I suppose that I can remember to always shift the first or the third letter, but that doesn't change the fact that I've already got dozens of previously made passwords that don't have any upper-case letters, so I need to change them all, or remember that this password is special.  And that still doesn't take care of the need for symbols.

Understand that this only illustrates what I'm talking about.  Yours and Ed's ideas are great (I've actually been doing the number/vowel swap since passwords started requiring numbers).  And a year ago, those methods would do the trick, but it's not enough anymore. These password requirements aren't just defeating hackers, they're defeating our own ability to manage them sensibly.
« Last Edit: September 19, 2008, 08:47:26 am by shmokes »
Check out my website for in-depth reviews of children's books, games, and educational apps for the iPad:

Best Kid iPad Apps

leapinlew

Re: Password requirements are getting ridiculous
« Reply #51 on: September 19, 2008, 09:16:36 am »
I think I'd rather deal with the headache of having my security compromised a couple times every ten years or so than this day-to-day, increasingly complex password management tango we're having to deal with.

I think if you're using public computers, your rate of a security breach will be much more than once every 10 years. More like 10 times in a year. Your password(s) will be keylogged and it doesn't matter how complex they are.

You should revise your strategy and avoid using computers whose security you cannot validate.

patrickl

Re: Password requirements are getting ridiculous
« Reply #52 on: September 19, 2008, 09:18:24 am »
I have a lot of passwords too, but that's because many of those are important and I don't want them hacked when I enter my password on a lot of websites. Or it's passwords which were not mine to choose (passwords for clients etc)

For forums and other non-important stuff I have 2 passwords in use. One old (insecure) and one new (more secure and up to current specs). I simply added some numbers and a special character. So I need to try 2 passwords. That's not such a problem.

The fact that you have dozens of passwords has nothing to do with changed rules. At worst you should have 3 and they could be virtually identical. For instance:
shmokes
shm0kes
Shm0kes#

This signature is intentionally left blank

shmokes

Re: Password requirements are getting ridiculous
« Reply #53 on: September 19, 2008, 09:50:31 am »

You should revise your strategy and avoid using computers whose security you cannot validate.

Well . . . they're not exactly public.  They can only be used by law students at my school.



The fact that you have dozens of passwords has nothing to do with changed rules. At worst you should have 3 and they could be virtually identical. For instance:
shmokes
shm0kes
Shm0kes#


The scenario you describe only works in hindsight.  For example.  Let's say my first password is smoke.  Then people start requiring 6-digit passwords.  Now I have smoke and shmokes (I'm forward-thinking so I put in an extra letter).  Then they're required to be 8-digit, so I change it to shmookes.  Then they require there be a number in it.  Not immediately thinking of the number/vowel swap idea, I go with shmookes1.  Now, of course, had I known that numbers would be required later on, I could have just chosen shmokes1 way back when they required 8 characters, instead of changing it to shmookes, but I can't foresee the future.  So, now let's say I do try to predict the future.  Let's say that since people recommend using non-alphanumeric characters, I anticipate that eventually that will be a requirement, so I decide to start using shmookes-1, instead of shmookes1.  Pretty clever, eh?  Except that now I'm signing up for a site that requires you to choose from only eight characters, not including the hyphen.  So, I can just replace the hyphen with a tilde, but what about all the sites where I've already used the hyphen?

So, now let's say that my IRL name is Patrick L.  And I go by the handle patrickl on various web forums.  Maybe . . . just maybe, I also use that username on other things.  Let's say, my bank account, or my PayPal account, or my Amazon.com account (which has my credit card stored on file).  Since I know that I'm using the same username for websites with VERY sensitive data, and I know that there's a reasonably good chance that some of the owners of the web forums I belong to have plaintext access to my password, that means I need to have a completely unrelated password for secure websites (and really, I should try to keep each of them different to minimize losses in case one of them is compromised).  But now, at the very least, I'm using the "smoke" derivatives for relatively unimportant sites like web forums, but I need to start a new set of passwords for my bank accounts and other secure sites.  So let's say I decide to start with a secure password right off the bat for those.  Let's say I choose 0bama!sgr3at.  But then I come across a website that insists on capital letters.  Goddamnit.  I didn't think of that one.  Now I need to add capital letters to my shmookes-1 and my 0bama!sgr3at (that's a zero) passwords.  What, my password needs a space in it?  ---fudgesicle---!  That's two more passwords to remember.  Oh, this secure site (0bama) makes me choose from a list of characters that includes the hyphen, while that web forum makes me choose from a list of characters that doesn't?  Great, now I need to go back to my old version of shmokes, before I put a hyphen in it.  Except I actually have to create a new version, with another character in it.  That's okay, I'll just go around to all my forums and change the hyphen to an exclamation point on all my web forum accounts.  What?  Some web forums don't allow characters at all?  Some will allow hyphens, but not exclamation points?

I'm afraid your "worst" case scenario, Patrick, is FAR closer to a best case scenario.
« Last Edit: September 19, 2008, 09:52:14 am by shmokes »
Check out my website for in-depth reviews of children's books, games, and educational apps for the iPad:

Best Kid iPad Apps

Ed_McCarron

Re: Password requirements are getting ridiculous
« Reply #54 on: September 19, 2008, 10:12:25 am »
Well . . . they're not exactly public.  They can only be used by law students at my school.

Even worse.
But wasn't it fun to think you won the lottery, just for a second there???

leapinlew

Re: Password requirements are getting ridiculous
« Reply #55 on: September 19, 2008, 10:14:31 am »
Well - it seems your best option is to write down all the requirements and go to each website and change your password.

OR

Continue complaining about it here.

Fact is, as corporations and website owners start to realize how important security is they will continue to do what they can to ratchet their security even if it's inconvenient to you. One of the only things they can do is protect your password from a brute force attack. So, you might as well stop complaining about the passwords and start complaining why passwords are needed in the first place. If everyone was honest to begin with, you wouldn't need anything but a logon name.

Malenko

Re: Password requirements are getting ridiculous
« Reply #56 on: September 19, 2008, 10:24:34 am »
I read this entire thread and my prevailing thought was "our passwords are slowly being converted to  l337$p3@k"

n00bz  :laugh2:
If you're replying to a troll you are part of the problem.
I also need to follow this advice. Ignore or report, don't reply.

Ed_McCarron

Re: Password requirements are getting ridiculous
« Reply #57 on: September 19, 2008, 10:28:05 am »
If everyone was honest to begin with, you wouldn't need anything but a logon name.

He's a larval lawyer.  You're talking to him about honesty?
But wasn't it fun to think you won the lottery, just for a second there???

punxrus

Re: Password requirements are getting ridiculous
« Reply #58 on: September 19, 2008, 10:56:20 am »
But if I "choose" to use the shift key, I need to remember which letter is shifted.  I suppose that I can remember to always shift the first or the third letter, but that doesn't change the fact that I've already got dozens of previously made passwords that don't have any upper-case letters, so I need to change them all, or remember that this password is special.

FAIL... :laugh2:
Dude...Wait...What?!

shmokes

Re: Password requirements are getting ridiculous
« Reply #59 on: September 19, 2008, 11:00:09 am »

If everyone was honest to begin with, you wouldn't need anything but a logon name.


Wow . . . it turns out the answer was right in front of me all along.
Check out my website for in-depth reviews of children's books, games, and educational apps for the iPad:

Best Kid iPad Apps

patrickl

Re: Password requirements are getting ridiculous
« Reply #60 on: September 19, 2008, 12:35:05 pm »
I'm afraid your "worst" case scenario, Patrick, is FAR closer to a best case scenario.
Lol, you must be really unlucky then. I have to admit I wised up from the first time they indicated you should use safe passwords (decades ago actually). So I only have two main passwords. The old one is a lot easier to type in though, so when I can (allowed and non-important password) I still use it today.

Anyway, to solve the problem I use Norton Identity Safe. I'm not a big fan of Norton anti virus stuff, but I got it for free with my notebook. I have to say it works fine. Identity Safe is great. It keeps a list of sites (like a favorites thing) and stores the passwords and logins for them. Go to the site and it automatically fills in the form. Or click on one of the favorites in the list and go to the login form right away. It will ask once for a password when you start your browser (or you can set it to ask more often). Either way you need only one password and the rest is all done automatically.
This signature is intentionally left blank

RayB

Re: Password requirements are getting ridiculous
« Reply #61 on: September 19, 2008, 12:56:53 pm »
Requiring use of symbols is pretty ridiculous. Most properly programmed web sites and applications should refuse to accept any symbols, and strip them out of all text entry fields to prevent what's called "SQL injections". Seems quite stupid to allow ? < > & etc which are all reserved characters in PHP, HTML, and even file OS's
NO MORE!!

punxrus

Re: Password requirements are getting ridiculous
« Reply #62 on: September 19, 2008, 01:14:57 pm »
I just don't think there is going to be a simple solution to any of this. Internet security is a forever changing animal and we will only have to adapt. You can choose to make life simpler and use a product to assist you, therefore only having to remember one password, but that's not the safest either. There is no sure way to secure your passwords other than your own memory...and let's face it...I have a hard enough time remembering my wife's birthday.
Dude...Wait...What?!

Samstag

Re: Password requirements are getting ridiculous
« Reply #63 on: September 19, 2008, 01:25:28 pm »
Requiring use of symbols is pretty ridiculous. Most properly programmed web sites and applications should refuse to accept any symbols, and strip them out of all text entry fields to prevent what's called "SQL injections". Seems quite stupid to allow ? < > & etc which are all reserved characters in PHP, HTML, and even file OS's


Any system that stores the password text you entered in a database deserves to be "injected".

shmokes

Re: Password requirements are getting ridiculous
« Reply #64 on: September 19, 2008, 01:39:58 pm »
I have a hard enough time remembering my wife's birthday.

I don't see how that is even comparable.  Here we're talking about remembering important things and you go and throw that in the mix . . .
Check out my website for in-depth reviews of children's books, games, and educational apps for the iPad:

Best Kid iPad Apps

boykster

Re: Password requirements are getting ridiculous
« Reply #65 on: September 19, 2008, 03:46:59 pm »
Requiring use of symbols is pretty ridiculous. Most properly programmed web sites and applications should refuse to accept any symbols, and strip them out of all text entry fields to prevent what's called "SQL injections". Seems quite stupid to allow ? < > & etc which are all reserved characters in PHP, HTML, and even file OS's


Any system that stores the password text you entered in a database deserves to be "injected".

Totally agree; at the very least passwords should be stored as a simple hash.  Salted hash is better, strong encrypted would be best.  And heck, anybody that uses dynamic SQL anymore is wide open for a SQL injection attack.  That's easily solved by either using stored procedures with parameters, or parameterized SQL. Either of those will defend against SQL injection.
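The point raised in the last few replies, as an added example that is not from any poster: with parameterized SQL and a salted hash, a name or password containing symbols is handled as plain data, so there is nothing to strip. The table layout, function names, work factor and the sample name and password are assumptions constructed for the example; `lookup_dynamic` is the "dynamic SQL" form kept only for contrast.

```python
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example


def open_db():
    """In-memory database with a constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    return conn


def _hash(password, salt):
    # Salted, deliberately slow hash; the password text itself is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(conn, name, password):
    salt = os.urandom(16)  # fresh random salt per user
    # Parameterized SQL: the driver passes the values separately from the statement.
    conn.execute(
        "INSERT INTO users (name, salt, pw_hash) VALUES (?, ?, ?)",
        (name, salt, _hash(password, salt)),
    )


def verify(conn, name, password):
    row = conn.execute(
        "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    # Constant-time comparison of the stored hash with the recomputed one.
    return hmac.compare_digest(stored, _hash(password, salt))


def stored_row(conn, name):
    """What the database actually holds for a user: (salt, pw_hash)."""
    return conn.execute(
        "SELECT salt, pw_hash FROM users WHERE name = ?", (name,)
    ).fetchone()


def lookup_dynamic(conn, name):
    # For contrast only: dynamic SQL built by string concatenation, so the
    # characters in `name` are parsed as part of the statement.
    return conn.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchone()


def lookup_parameterized(conn, name):
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchone()


if __name__ == "__main__":
    db = open_db()
    register(db, "O'Brien", "p?<>&';x")          # constructed sample values
    print(verify(db, "O'Brien", "p?<>&';x"))      # symbols survive intact
    print(lookup_parameterized(db, "O'Brien"))
    try:
        lookup_dynamic(db, "O'Brien")
    except sqlite3.OperationalError as exc:
        print("dynamic SQL failed on an apostrophe:", exc)
```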