14.08.2011, 14:16
Internet Password Security
Like many people, I use the internet for a range of things from banking to Facebook & EF. At the last count I use around 70 sites that require password access. Many of them would not be of much interest to anyone to hack into e.g. travel sites. I wonder why some of these have protected access. The various financial sites such as banks, eBay and PayPal are more important to protect from hacking into.
What is the best way to remember all of the passwords? Use a common password for as many as possible; use easily memorable words; write them all down; password reminder software etc.
I saw an interesting article that suggests that the usual 'strong' passwords comprising letters, numbers and symbols can be more easily hacked than some more easily memorable combinations. The Usability of Passwords
It makes interesting reading. I will be changing some of my passwords.
__________________
"I'll say I can't tell you when, But if my spirit is strong, I know it can't be long, No questions I'm not alone, Somehow I'll find my way home" Rod
This user would like to thank Deep Purple for this useful post:
14.08.2011, 15:09
Re: Internet Password Security
Quote:
> What is the best way to remember all of the passwords? Use a common password for as many as possible

Which is fine until the company you work for now thinks you need to change the password every 6 months to boost security..!!
I've got about a half dozen passwords that I regularly work with but now at work we're forced (at log in) to create a new password every 6 months. Thought I'd outsmart the login and go back to my original password, it was rejected..! How is someone supposed to remember the new password after the old one has been burned into your memory for the last 6 months!?
I find this the stupidest attempt at bolstering security on our network because now everyone is writing down their latest password and taping it to the underside of their keyboards in case they forget the new one. 3 false attempts at log in and you're locked out of your workstation requiring an embarrassing call to the IT department to unlock it..! To make things a tad easier to remember I've come up with the idea to continue to use our original passwords now except we just added a 01 to it. 6 months later, 02, then 03.. etc. etc. etc. At least now when I sit down in front of my workstation with a blank stare I can at least ask a co-worker nearby which series of password we are now on (01, 02, 03..).
14.08.2011, 15:14
Re: Internet Password Security
It's a lame article.
It does not factor in account lockout or alarm triggering when a wrong password is entered say 10 times. Most middle tier web apps will block the I.P. after say 10 or more attempts, and a firewall will block the port if a brute force flood is detected.
Also, he quotes
"Note: "sun" has 17,576 possible character combinations. 3 letters using the lowercase alphabet = 26^3"
"sun" does not have that many combinations.
SUN
SUn
sUN
sUn
SuN
Sun
suN
sun
What he should have said is a 3 letter password has 26^3 (-1) combinations.
If you include uppercase and lowercase, plus numbers and then special characters such as "_" or "@" etc., then this number becomes much much greater - around 89^3, depending on your character set / keyboard settings.
It is far easier to obtain passwords using sniffers, keyloggers and other trojans. Brute force just isn't used on the web any more. It triggers too many alarms at the hardware and software level.
With the Oracle database (10G and below), I wrote a program to create a dictionary of every possible password and its hashed value. This means that users who can see the system password table and get the hashed value can reverse lookup the hash value to obtain the real password. I could generate 40K hash values per second; it would take years to run even on an SMP box, but storing them, for passwords less than 10 characters, would take up billions of terabytes...
My advice? A 10 digit password using mixed case, numbers and at least one special character. Change every 6 months. You're safe. http://keepass.info/ has a great utility; you can store long passwords with mixed case, numbers and special characters. Passwords longer than 8 characters will take a long time to crack unless supercomputing is used. Passwords with a length greater than 16 using mixed characters and changed regularly will never realistically be cracked.
Last edited by Upthehatters2008; 14.08.2011 at 15:25.
The following 4 users would like to thank Upthehatters2008 for this useful post:
14.08.2011, 15:17
Re: Internet Password Security
Quote:
> Which is fine until the company you work for now thinks you need to change the password every 6 months to boost security..!!
> I've got about a half dozen passwords that I regularly work with but now at work we're forced (at log in) to create a new password every 6 months. Thought I'd outsmart the login and go back to my original password, it was rejected..! How is someone supposed to remember the new password after the old one has been burned into your memory for the last 6 months!?
> I find this the stupidest attempt at bolstering security on our network because now everyone is writing down their latest password and taping it to the underside of their keyboards in case they forget the new password. 3 false attempts at log in and you're locked out of your workstation requiring an embarrassing call to the IT department to unlock it..! To make things a tad easier to remember I've come up with the idea to continue to use our original passwords now except we just added a 01 to it. 6 months later, 02, then 03.. etc. etc. etc. At least now when I sit down in front of my workstation with a blank stare I can at least ask a co-worker nearby which series of password we are now on (01, 02, 03..).

I did a similar thing at work as our passwords were changed every three months. I realised that it would not accept any of the last six passwords so I had a list that I would work through and then repeat.
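The rotation habits described in the posts above (keeping the same password and appending 01, 02, 03, or working through a list longer than the six passwords the system remembers) are what a password-change check has to account for. The sketch below is an added example, not part of the thread or of any system the posters describe; the function names, the two constants and the sample passwords used with it are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import re
from typing import Optional

HISTORY_DEPTH = 6        # assumption: the "last six passwords" rule a poster describes
PBKDF2_ROUNDS = 100_000  # assumption: example work factor, not a recommendation


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def make_record(password):
    """Salted hash for the history list; old passwords are never kept in clear."""
    salt = os.urandom(16)
    return salt, _digest(password, salt)


def matches(password, record):
    salt, stored = record
    return hmac.compare_digest(_digest(password, salt), stored)


def strip_counter(password):
    """Drop a trailing run of digits and fold case: 'Tiger01' -> 'tiger'."""
    return re.sub(r"\d+$", "", password).lower()


def check_change(current, new, history) -> Optional[str]:
    """Return a rejection reason, or None if the new password is acceptable.
    `current` is the plaintext the user typed to authorise the change, so the
    counter comparison needs no stored plaintext."""
    if any(matches(new, rec) for rec in history[-HISTORY_DEPTH:]):
        return "reused"
    base = strip_counter(current)
    if base and base == strip_counter(new):
        return "counter-only change"
    return None


def rotate(passwords):
    """Apply each (constructed) password in turn and collect the verdicts."""
    current, history, verdicts = passwords[0], [make_record(passwords[0])], []
    for new in passwords[1:]:
        verdict = check_change(current, new, history)
        verdicts.append(verdict)
        if verdict is None:
            history.append(make_record(new))
            current = new
    return verdicts
```

With a history depth of six, `rotate` accepts a return to the first password once seven distinct passwords have been used, which is the behaviour the posters noticed; the counter check catches the 01/02/03 pattern regardless of history depth.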
14.08.2011, 15:17
Re: Internet Password Security
I use the free version of this. You can just use the portable version on a memory stick and keep it away from your computer when not in use.
14.08.2011, 18:07
Re: Internet Password Security
The following 13 users would like to thank Pashosh for this useful post: Assassin, colinwheeler, Integer, LiquidPaper, Lou, MathNut, Mud, Sam,, Slaphead, TheWolverine
14.08.2011, 18:23
Re: Internet Password Security
If you want to get an idea of how long it would take to crack your password you can use GRC's Password Haystack
Note: It is usually a bad idea to type your password in any kind of checker as it could be used to capture it. This one performs its calculations in your browser and does not send anything back to GRC's servers, however it is best to use a *similar* password rather than your actual one
14.08.2011, 19:04
Re: Internet Password Security
Longest Password
During a recent password audit by Microsoft & Google, it was found that a blonde was using the following password:
"MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento"
When asked why she had such a long password, she said she was told that it had to be at least 8 characters long and include at least one capital.
The following 6 users would like to thank Verbier for this useful post:
14.08.2011, 19:09
Re: Internet Password Security
I'll bet there are people with correcthorsebatterystaple as a password now.
The following 3 users would like to thank Mud for this useful post:
14.08.2011, 19:18
Re: Internet Password Security
I think I've dated that blonde in Verbier's post. Trying to find the "Windows" button on a Mac keyboard was priceless.
The following 2 users would like to thank Assassin for this useful post:
16.08.2011, 13:24
Re: Internet Password Security
Quote:
> Which is fine until the company you work for now thinks you need to change the password every 6 months to boost security..!!
> I've got about a half dozen passwords that I regularly work with but now at work we're forced (at log in) to create a new password every 6 months. Thought I'd outsmart the login and go back to my original password, it was rejected..! How is someone supposed to remember the new password after the old one has been burned into your memory for the last 6 months!?
> I find this the stupidest attempt at bolstering security on our network because now everyone is writing down their latest password and taping it to the underside of their keyboards in case they forget the new one. 3 false attempts at log in and you're locked out of your workstation requiring an embarrassing call to the IT department to unlock it..! To make things a tad easier to remember I've come up with the idea to continue to use our original passwords now except we just added a 01 to it. 6 months later, 02, then 03.. etc. etc. etc. At least now when I sit down in front of my workstation with a blank stare I can at least ask a co-worker nearby which series of password we are now on (01, 02, 03..).

Can't agree more about the idiocy of being told to change your password every couple of months. I had a great password on Paypal, now I have a weaker one that I had to write down to remember!
16.08.2011, 13:37
Re: Internet Password Security
Quote:
> Can't agree more about the idiocy of being told to change your password every couple of months. I had a great password on Paypal, now I have a weaker one that I had to write down to remember!

You only have to change one character!
I have a number in each of my passwords & just update it by 1 when change time comes. Usually when I get to 9 & have to go back to 1 the systems accept it; I think they only keep a few old password versions to check the new one is really new?
I see somebody already posted this idea - Ahem - Back to my corner
16.08.2011, 13:54
Re: Internet Password Security
Quote:
> Can't agree more about the idiocy of being told to change your password every couple of months. I had a great password on Paypal, now I have a weaker one that I had to write down to remember!

Paypal hasn't requested that I change my password at all. You can use any password that you want, as long as it has at least 8 characters and doesn't have spaces. It should be easy to come up with something memorable.
16.08.2011, 14:03
Re: Internet Password Security
I find it easiest to remember towns with postcodes or street addresses where I have lived, 1001Geneva or 4HighStreet and sometimes I use 4?HighStreet
I also did the +1 trick when I was working.
I suppose travel sites insist on usernames and passwords to keep out anonymous meddlers.
16.08.2011, 14:06
Re: Internet Password Security
Quote:
> Paypal hasn't requested that I change my password at all. You can use any password that you want, as long as it has at least 8 characters and doesn't have spaces. It should be easy to come up with something memorable.

Paypal has also not requested I change my password - have you (1ondon) been phished??
16.08.2011, 14:07
Re: Internet Password Security
Quote:
> Paypal hasn't requested that I change my password at all. You can use any password that you want, as long as it has at least 8 characters and doesn't have spaces. It should be easy to come up with something memorable.

Yes, it should be easy BUT when you have Ebay, banks, emails, forums..... the number of passwords soon adds up.
I prefer a different password for every site, hence the problem.
I used a different number on Paypal (ie. password1) but even using this method I couldn't remember which number I was on (as being forced to change other passwords elsewhere meant I had different numbers on different sites!).
I think Paypal have finally realised the stupidity of forced password change, as I haven't had to change mine for a year or so now.
16.08.2011, 14:41
Re: Internet Password Security
Quote:
> Yes, it should be easy BUT when you have Ebay, banks, emails, forums..... the number of passwords soon adds up.
> I prefer a different password for every site, hence the problem.
> I used a different number on Paypal (ie. password1) but even using this method I couldn't remember which number I was on (as being forced to change other passwords elsewhere meant I had different numbers on different sites!).
> I think Paypal have finally realised the stupidity of forced password change, as I haven't had to change mine for a year or so now.

Certainly, separate passwords for key sites are important: Bank, Paypal, EBay etc.
For less important sites: social networking, photo sharing, general membership sites, a common password may be acceptable.
I am thinking about one of the password memory software options. I worry about the dangers of losing all passwords in one go with something like this.
16.08.2011, 14:55
Re: Internet Password Security
I use a little formula for each individual site. For example:
a series of letters from the site name, mixed case + a memorable number + a standard phrase turned into Alpha-Numerics
Example:
Englishforum, always use the first and last letters, 1st upper, last lower case: Em
+
The year they went to the moon: 1969
+
My name changed into letters and numbers with punctuation: j35u5chr!5t
final result: Em1969j35u5chr!5t
So it's an algorithm I never have to remember, I can work it out from the site name.
This user would like to thank Traubert for this useful post:
16.08.2011, 15:06
Re: Internet Password Security
Quote:
> I use a little formula for each individual site. For example:
> a series of letters from the site name, mixed case + a memorable number + a standard phrase turned into Alpha-Numerics
> Example:
> Englishforum, always use the first and last letters, 1st upper, last lower case: Em
> +
> The year they went to the moon: 1969
> +
> My name changed into letters and numbers with punctuation: j35u5chr!5t
> final result: Em1969j35u5chr!5t
> So it's an algorithm I never have to remember, I can work it out from the site name.

Very good tips - I actually use a very similar system - but it still means you can forget which number you've added when forced to change a password!
PS. Is your name really Jesus Christ? Wasn't there a fella some years back with a similar name?
16.08.2011, 15:10
Re: Internet Password Security
Quote:
> Very good tips - I actually use a very similar system - but it still means you can forget which number you've added when forced to change a password!
> PS. Is your name really Jesus Christ? Wasn't there a fella some years back with a similar name?

I don't have any online logins that require me to change passwords. Some sites don't accept punctuation, strangely enough, so I also have another version of my phrase or name in case.
There was a fella called Jesus, but he lives in California and likes to Bowl. Nobody f**ks with him.