Password restriction stories?

Been away for a short while so here is a topic, anyone is welcome to share their stories on password restrictions.

I'll start one:
I wanted to use the same password for two accounts at two different sites. One allows special characters (nothing special, just not alphanumeric) and evaluated my password as super secure, and the other won't allow special characters. So I ended up with two very, very similar passwords for these two sites. I'm sure I'll forget which one I used on which site since I don't use them every day. XD

I would change one PW so they are both the same.

While not the same I hate the way passwords are displayed as dots, a stupid "security" measure that just makes it difficult for me to see what I'm typing. I have noticed lately that some programs allow the PW to be displayed either normally or as dots, I think that's a good idea.

I also hate long minimum lengths, say 10 or 12 chars, as the few things I can think of for PWs are all shorter than that.


Rob

I hate passwords with a passion, and here's why:

  1. If they are long enough to be secure, you won't remember them, so you have to write them down. So, all someone has to do is find where you wrote them.

  2. Most sites have a way of "recovering" passwords (eg. your bank). So they ask you a series of questions hopefully only you know, eg.

  • Your birthdate (your parents would know that, and your friends)
  • Your address (your friends and businesses you deal with would know that)
  • Your telephone number (same problem)
  • Your bank account number (hardly private information)
  • Your mother's maiden name (hardly a secret to your entire family)

So they have replaced a (possibly secure) password with the need to know the answers to a few simple questions.

I know you can keep passwords in a "password file" on a computer, but when you are in a shopping center trying to activate a mobile phone, and they say "what's your telephone access password?" I just say "I don't know" (which is true).

  3. Even assuming you can remember one secure password you certainly shouldn't use it for every site, in case one is compromised (eg. by hackers). So you don't have to remember a single password, these days you have to remember hundreds.

  4. Again, you can use a "password chain" but if you were using one, that is where I would concentrate my cracking efforts. Break that, and I have the lot! And it's hardly rocket science to crack it. Just insert a "keystroke logger" (dongle) between the keyboard and CPU, and come back a day later and harvest the password(s).

There was a funny photo on a website recently, where someone was being interviewed for some TV sports program, and clearly behind him on the wall was taped all their network passwords! Mind you, I've seen exactly that done in offices where I have been called in to assist.


Back to the original topic more precisely, I logged into Windows 7 recently, on a computer I hadn't used for a while. It said I had to change the password before I could do anything. Grrrrr. So I changed it to "foo". Too short. OK, "foofoo" then. Accepted. First thing I did was change the password back to the one I remembered. So what did that achieve?

Nick,

I feel your pain. There is a government website that I have to access (being part of a tax-dollar-supported institution) to see my stuff. They have very strict rules on password expiration and won't let you use expired or past passwords. I exhausted my brain's password capacity and got into a loop where I have to recover the password every time I try to log on, after guessing the wrong ones. Now I develop a fear every time I change a password; I think I will lose it and have to recover it later. And you are right about those security questions: not only are they not secrets, they are also not very creative, and not being born in the USA gives a lot of disadvantages, like not having answers to 70-80% of the questions about my fav this or fav that, or my school teacher's name, or something seemingly every American would have an answer to. Sometimes even if I had an answer, I would fear I would spell it differently when I try to recover it, since it's not a straight one-to-one translation. I should probably adopt an American Joe's identity so I have answers to those questions next time.

Maybe someone can invent something as brilliant as a password to create, remember and update passwords. There are a lot of accounts I don't use often. If I forget to update one of their passwords, it's stuck with a very old password that I have long forgotten. For someone that might use the birthdate of a now-ex, you may have to force yourself to remember what you want to forget when you get into this situation of an old stuck password :)

I once heard of a guy who used something on his monthly wall calendar as that month's password - it was the photographer's name or some such. Then he went away for a while, only to find when he got back that someone had nicked his calendar because it had such wonderful photos, so his password clue was gone...

Your birthdate (your parents would know that, and your friends)
Your address (your friends and businesses you deal with would know that)
Your telephone number (same problem)
Your bank account number (hardly private information)
Your mother's maiden name (hardly a secret to your entire family)

I reckon they should use your inside leg measurement, almost nobody else will know that and if you always carry a tape measure around you can easily re-acquire the value.

And if your accounts are ever breached you can direct the police straight to your tailor.


Rob

Yes, I can just see that ... you are in the Telstra store, and the young female sales assistant asks you for your password.

"Just a tic, I just have to measure something" you say, and reach for your crotch.

Still waiting for a better way to hide your password. Maybe a device that totally has no computer or internet connectivity (no way to steal its content remotely) and will hold the key to reconstruct your various passwords? Only you can operate it (fingerprint?).

Gosh, wow. So many things to comment upon.

Well, just recently I was intending to create an account at Cheaper Than Dirt, and it has nice little balloon help thingies which pop up for the password and confirmation text boxes, saying, 'Please enter a strong password'. Well, I was entering my password into KeePassX, which told me I had 167 bits of entropy, which is quite good, and pasting that into the boxes. It wouldn't let me proceed. I assume there's some validation which was kicking out my password due to an unacceptable character, but it wasn't telling me that, so I assume there's an idiot programmer involved there.

I ran into another site that would let me enter fairly long answers in response to the 'security' questions, but when actually using them, truncated the values. So the compare failed. Again, idiots.

Displaying passwords in cleartext is a bad practice. There are at least two ways for this to be snooped: "shoulder surfing", where someone physically observes your screen, and Van Eck phreaking. Well, I don't know whether or how well Van Eck phreaking works on an LCD display, since it originally monitored RF from CRTs. Maybe there's a version that works with LCD too. Wikipedia says so.

Good security relies on multiple layers. Dismissing the need for strong passwords -- actually, it's better to use passphrases -- because someone could use a keystroke logger is not a good idea. For example, a cracker in Estonia is in no position to install a physical keystroke logger. And why should he bother, if people are using easily cracked or guessed passwords.

Those "security" questions? Never answer them with anything other than nonsense phrases. While I understand the intended function, they are a big, huge security hole for anyone who uses truthful responses to them. Also, I note that most websites display them as plaintext. Another horrible security practice.

Bruce Schneier recommends using a password tool such as KeePass. I use the X Window version of it, and my master passphrase has very high entropy, and I did keep it written down until I had it memorized. Long phrases you can remember, even if they contain only letters, digits, and spaces, are better than short combinations containing special characters. Most people don't understand how this works, but xkcd has an explanation:

Of course, there's this problem: xkcd: Security

If you run into a site where their password policy doesn't allow embedded spaces, and you really want to use that site, then refer them to that xkcd comic, and tell them they're idiots. :)

Password policies which require changing a password at intervals are just stupid. If the password file hasn't been compromised, there's no reason to change the passwords it holds. And, such policies just encourage people to use poor passwords, to avoid the fatigue of trying to remember the new one every 3 months or whatever.

Also, remember that all security is a tradeoff. What is it you're protecting? My banking passwords are strong. The ones I use to log on to a web forum aren't as strong. I can recall one banking password simply because I've used it so much. What is the risk of exposure? Considering that question will help you place some value on your security and password practices.

Oh, fingerprint readers can be spoofed. Actually, anything can be cracked, given enough time and resources. The question is whether whatever is being protected is worth it.

Also, never, EVER, reveal any password. That's one of the oldest rules in the world of computer security.
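To put numbers on the point justjed makes above (long passphrases from a wordlist beat short "complex" passwords, and policies that forbid characters or cap length shrink the space an attacker has to search), here is an added example. It is not code from any post in this thread. The wordlist sizes (7776 for a Diceware-style list, 2048 for an xkcd-style list) and the guess rates (1e10/s for an offline attack on a leaked fast hash, 10/s for a throttled web login) are assumptions chosen for illustration; the character-class model gives an upper bound that only holds for randomly generated passwords, so a human-chosen string like "Tr0ub4dor&3" is scored far higher here than it deserves.

```python
# Added example, not from the original thread. Compares the search space
# an attacker faces for random passwords, wordlist passphrases, and the
# best case a restrictive password policy allows.
import math
import string

# Assumed attack rates for illustration only.
GUESSES_PER_SECOND_OFFLINE = 1e10   # assumption: GPU vs. leaked fast hash
GUESSES_PER_SECOND_ONLINE = 10.0    # assumption: rate-limited login form
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Assumed wordlist sizes: Diceware-style (6^5) and xkcd-style (2^11).
DICEWARE_WORDS = 7776
XKCD_WORDS = 2048

_CLASSES = [
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),
]


def charset_size(pw: str) -> int:
    """Combined size of every character class that appears in pw."""
    return sum(n for chars, n in _CLASSES if any(c in chars for c in pw))


def random_password_bits(pw: str) -> float:
    """Entropy if each character were drawn uniformly from pw's classes.

    This is an upper bound: human-chosen passwords with predictable
    substitutions (Tr0ub4dor&3) have far less entropy than this says.
    """
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(n_words: int, wordlist_size: int) -> float:
    """Entropy of n_words chosen uniformly at random from a wordlist."""
    return n_words * math.log2(wordlist_size)


def policy_max_bits(max_length: int, allowed_charset_size: int) -> float:
    """The most entropy any password can have under a policy that caps
    length and restricts the allowed character set."""
    return max_length * math.log2(allowed_charset_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """On average an attacker finds the secret after half the space."""
    return 2 ** (bits - 1) / guesses_per_second


def crack_years(bits: float, guesses_per_second: float) -> float:
    return expected_crack_seconds(bits, guesses_per_second) / SECONDS_PER_YEAR


def report() -> dict:
    """Return the worked comparisons so they can be inspected or tested."""
    cases = {
        "random 8 chars, all classes (95)": policy_max_bits(8, 95),
        "5 Diceware words, letters+spaces only": passphrase_bits(5, DICEWARE_WORDS),
        "4 xkcd words (correct horse battery staple)": passphrase_bits(4, XKCD_WORDS),
        "policy: alphanumeric only, max 8": policy_max_bits(8, 62),
        "policy: digits only, max 6 (phone PIN)": policy_max_bits(6, 10),
        "Tr0ub4dor&3 scored as if random (overestimate)": random_password_bits("Tr0ub4dor&3"),
    }
    return {
        name: (bits,
               crack_years(bits, GUESSES_PER_SECOND_OFFLINE),
               crack_years(bits, GUESSES_PER_SECOND_ONLINE))
        for name, bits in cases.items()
    }


if __name__ == "__main__":
    print(f"{'case':48} {'bits':>6} {'offline yrs':>12} {'online yrs':>12}")
    for name, (bits, off, on) in report().items():
        print(f"{name:48} {bits:6.1f} {off:12.3g} {on:12.3g}")
```

Run it and the table shows why the thread's two complaints matter: a site that forbids spaces or special characters and caps length at 8 leaves at most about 48 bits (hours against a leaked fast hash), while five random words made of nothing but lowercase letters and spaces give about 65 bits. The online column shows why rate limiting makes even a 44-bit xkcd passphrase impractical to guess through a login form.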

justjed:
Of course, there's this problem: xkcd: Security

I think that happened in England recently. Gangsters kidnapped the bank manager's wife and children, took photos of them with guns to their heads, and explained that if he didn't go to his bank, and use all his passwords / devices to unlock the safe and give them a lot of money his family would die.

Not much you can do against that.

Also, never, EVER, reveal any password. That's one of the oldest rules in the world of computer security.

Time and again people I am trying to help just hand me a bit of paper saying "here are all my passwords" (without me even asking).

I prefer to pass the keyboard to them and let them type it in.

Sometimes it can be funny though. They say "my banking password is Fluffy (the cat's name). And my email password is Fluffy. And my Facebook password is Fluffy."

And so on.

So not only is it obvious the password is incredibly insecure and obvious, but they are using the same one for everything.

Of course, there's this problem: xkcd: Security

It's called rubber hose decryption.

My gf recently tried to access her e-mail from my tablet and we couldn't get the keyboard to type all the special and unusual symbols she uses for her password. For some reason copy-pasting didn't work either... eventually she gave up... it was a quite amusing experience for me :D

a completely unrelated experience with data-security:

I travel a lot, so I have bank accounts in various countries. One of the banks I am a customer with (and it's a big, well-known bank) would not accept the password I usually use, as it exceeds the maximum number of allowed digits. I eventually forgot the password I chose for that account. Months later, I called them (from a foreign continent) and told them I had forgotten my password.

They asked for the bank account number & for my e-mail address and sent me a new password. In the situation I was simply relieved to have access to my money. It was only about 10 minutes later that I realized how outrageous their lack of security is... I still don't really know what to think of it.

fkeel, I'm pretty sure that if you need so many bank accounts, you have too much money and that's not fair.....

I'm a student. I'm broke most of the time. It's just that if you spend some time in a foreign country and work there, you are often forced to get an account, as your employer usually does not transfer to a foreign bank.

Here's my password restriction story...and my solution. I have been using this system for 3 years now, and it works great. How to Manage Passwords