Author Topic: Why oh why!  (Read 2861 times)

RossRoy

  • Guest
Re: Why oh why!
« Reply #15 on: May 07, 2011, 06:27:08 PM »
I like the approach using short sentences, but I seem to remember programs/sites often dislike a space in the password :headscratch:

An easy way around that is to use a special character instead of a space.

To use his example of "this is fun", you could make it "this#is!fun", or if you're comfortable with l33t 5p3@k "th1$-1$-fun" ;)

Dragonfire
Re: Why oh why!
« Reply #16 on: May 07, 2011, 09:41:24 PM »
At work for years, it was set up to put in a password after the screensaver was stopped...so we had to constantly put in the passwords.  A few years ago the password was set up as something so complicated that no one could remember it.  All sorts of symbols in it that made no sense.  Someone had papers sitting all over the office with the password on them... just laying out where anyone could see them.  So it sort of defeated the purpose.  The district office finally changed the password.

I started having trouble with one site because it made me pick a new password every so often..ok whatever.  But I couldn't reuse anything I had ever used before.  There are only so many passwords I can remember.  I kept getting locked out of that place.

MEJHarrison

  • Guest
Re: Why oh why!
« Reply #17 on: May 07, 2011, 09:42:54 PM »
I like the approach using short sentences, but I seem to remember programs/sites often dislike a space in the password :headscratch:

I use sentences too, but turn them into acronyms.  So for this site, I may start with something like: I need a secure password for DVD Collectors Online.

Then I just take the first letters.  So that turns into: Inaspfdco  As long as I can remember the phrase, I can remember the password.

Then if security is a concern, I turn letters to numbers or symbols.  So if I wanted that more secure, I would change it to: 1n@$pfdc0

That system has served me quite well over the years.  What kills me of course is the fact that I've been using the same acronym for every site for the past 10-15 years!  :bag:  

It's only this past year that I've started worrying more about sites.  Particularly things with credit cards like PSN or the App Store.  And now with the PSN fiasco, I'm even re-considering having credit card information anywhere and I'm considering other methods of buying online.

MEJHarrison

  • Guest
Re: Why oh why!
« Reply #18 on: May 07, 2011, 09:46:48 PM »
I started having trouble with one site because it made me pick a new password every so often..ok whatever.  But I couldn't reuse anything I had ever used before.  There are only so many passwords I can remember.  I kept getting locked out of that place.

We have to change ours regularly at work too and can't use one we've used the past two times.  So I do like everyone else.  I have one password and just keep cycling through different variations.  One time I'll use i, the next time I use 1 instead of i and so on.  I'd be completely lost if it had to be unique every single time.  That would just kill me!
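
An added example, not part of the original thread: a sketch of how a password-history rule like the "past two times" one described above could also catch character-swap variations such as i/1. The `PasswordHistory` class, the substitution table and the depth of 2 are assumptions for illustration; the sample passwords are the ones quoted in the thread.

```python
import hashlib
import hmac
import os

# Substitutions of the kind described in the thread (i -> 1, a -> @, s -> $, o -> 0).
LEET = str.maketrans({"1": "i", "@": "a", "4": "a", "$": "s", "5": "s", "0": "o", "3": "e"})


def normalize(password):
    """Fold case and undo common character swaps so variants compare equal."""
    return password.lower().translate(LEET)


def _digest(text, salt):
    # Salted, slow hash: the history never holds a plaintext password.
    return hashlib.pbkdf2_hmac("sha256", text.encode("utf-8"), salt, 100_000)


class PasswordHistory:
    """Hypothetical per-user history remembering the last `depth` passwords."""

    def __init__(self, depth=2):
        self.depth = depth
        self.entries = []  # (salt, digest of the normalized password)

    def is_reused(self, candidate):
        norm = normalize(candidate)
        return any(hmac.compare_digest(_digest(norm, salt), digest)
                   for salt, digest in self.entries)

    def change(self, candidate):
        """Record the new password and return True, or return False if rejected."""
        if self.is_reused(candidate):
            return False
        salt = os.urandom(16)
        self.entries.append((salt, _digest(normalize(candidate), salt)))
        self.entries = self.entries[-self.depth:]
        return True


if __name__ == "__main__":
    history = PasswordHistory(depth=2)
    print(history.change("Inaspfdco"))   # first use of the acronym from the thread
    print(history.change("1n@$pfdc0"))   # same acronym with swapped characters
```

Because each stored entry matches every variant of a password, the history should be protected as carefully as the login hashes themselves.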

Dragonfire
Re: Why oh why!
« Reply #19 on: May 07, 2011, 11:13:20 PM »
I started having trouble with one site because it made me pick a new password every so often..ok whatever.  But I couldn't reuse anything I had ever used before.  There are only so many passwords I can remember.  I kept getting locked out of that place.

We have to change ours regularly at work too and can't use one we've used the past two times.  So I do like everyone else.  I have one password and just keep cycling through different variations.  One time I'll use i, the next time I use 1 instead of i and so on.  I'd be completely lost if it had to be unique every single time.  That would just kill me!

I use a few variations for things too...but they do get reused.  The completely unique thing was horrible.

I've had another password issue this year... Just about every day I went to log into something - that covers the program for appointments and a few other things - I had to reset my password.  There were times I had to do it 3 times in one day.  It drives me nuts.

Najemikon

  • Guest
Re: Why oh why!
« Reply #20 on: May 08, 2011, 02:27:14 AM »
Just read a very interesting article about passwords in regards to complexity vs usability, and how IT guys strive towards complexity, when they really should fix things to improve usability instead. It makes some great points about passwords.

http://www.baekdal.com/tips/password-security-usability

It is a good article, and I do agree with some of it, but I don't like his tone in which he seems to suggest IT departments insist on complexity for their own satisfaction. He writes from an odd position, where he's suggesting that those who give IT support don't sympathise with users, yet he's giving advice himself. Don't worry! He's there to make it all better! ::)

Anyway, he misses three vital points from my perspective. One, the average user is ignorant of IT in general and will complain about using passwords at all. I advise them to use complex passwords to try and instil in them the idea that data is sensitive and needs to be protected. By making it a little bit difficult, it forces them to take notice. I suppose it's blinding them with science and they're impressed that they can actually use the word "password" if they spell it "p4$5W0rD". It gives them something to think about.

Second, he concentrates too much on the time it takes to hack, where the main problem with IT security is internal, from the same network. I support a lot of schools. I'm sure you can imagine the fun some kids would have if they could get hold of their teacher's password! Hacking isn't an issue when you know the person and can second guess what they use. Stopping them writing the damn thing on a note in their drawer (get the movie reference, people! :P) is the first hurdle. Next, it's handy for them to realise they could use easy to guess words, like pet names and mother's maiden name, so long as they throw symbols in there too. Links back to my first point.

The final point is that the IT department is ultimately responsible for network security. If the password policy is "Make it bloody hard", then everyone is on the same page. Let's say the boss demands an explanation from IT as to how a user's account was compromised, because that user is refusing to accept responsibility for sensitive data being leaked. If IT can take it for granted that user was officially told the company policy of "8 characters, alpha-numeric, translate to Russian, times by the first number you thought of and spell it backwards", but the user went with "ilovedogs" and that's what the hacker used after guessing it, then the company is rightfully absolved and no-one is questioning the firewall.

It's not about needless complexity, it's about responsibility and perception.


goodguy
Re: Why oh why!
« Reply #21 on: May 08, 2011, 03:48:57 AM »
I like the approach using short sentences, but I seem to remember programs/sites often dislike a space in the password :headscratch:

Well, it isn't too hard to just omit the spaces in a sentence. Another approach is to compose the password just from the first one or two characters in an easy-to-remember sentence, e.g. "You won't guess my password" -> Yowogumypa.
Matthias