#39989 01/20/2012 6:34 PM
OP, Member, Joined: Apr 2010, Posts: 1,546 Likes: 1
James and others have given their schemes for passwords in previous posts. I thought I'd just throw this out there.
One of the problems I have when I have to change passwords in an application or web site, particularly one that does not allow me to re-use a password, is making them recoverable. James published his scheme, which I have used, which is <my passphrase> # whatever. That's not too bad, but I can't ever remember which number I am on, and if the phrase changes I have no way to recover it. Also, if I stick the number someplace to remember the iteration, anyone who has ever learned the phrase can hack me. It really reduces the validity of the password to just a 2 digit number.
So, I was helping my middle-school daughter review for a social studies quiz. And, I came up with this.
Pick some fairly obscure event... say the date of the signing of the treaty of Guadalupe Hidalgo on Feb 2, 1848. Now, I make a password with the date and the initials of the event, like 22GH1848. If I need a hint, I can make a sticky note that says "Guad" and that will trigger what I need to look up in Wikipedia.
This gives a non-dictionary, letter and number password that is recoverable. And, I'll bet if you overheard me say "my e-Bay password is the signing of the treaty of Guadalupe Hidalgo" you would not remember it long enough to look it up, even if you knew the underlying scheme.
Similarly, for PIN numbers, pick something like some physical constant like Planck's constant of 6.626 and use those numbers. The numbers may float away like dandelion seeds, but the recovery is but a smartphone click away, and it's a lot more obscure than your daughter's birthday.
David Grauman MD Department of Medicine Commonwealth Health Center Saipan, Northern Mariana Islands
Member, Joined: Dec 2007, Posts: 1,244
Those are good tips, David. Are you telling us how to hack your accounts? Just kidding
Last edited by LauerDO; 01/20/2012 6:43 PM.
Adam Lauer, DO (solo FP) Twin City Family Medicine Brewer, ME
Member, Joined: Nov 2006, Posts: 2,084
Uh oh! I thought Planck and I were the only people using 6626 for a PIN.
John Internal Medicine
Member, Joined: Dec 2007, Posts: 1,244
I just changed all my PINs to 6626 in case anyone needs access to my accounts...LOL
Adam Lauer, DO (solo FP) Twin City Family Medicine Brewer, ME
Member, Joined: Dec 2009, Posts: 1,204 Likes: 8
The whole idea behind the approach I published was to lower the amount of user requests for password changes. In my case, it worked like a charm.
Doctor Grauman's idea is very interesting. Unfortunately, I doubt many of my end users know their history quite that well.
Another approach, and this is what I do for my domain administrator accounts, is to use a mathematical equation. Something like the equation of a line:
Y=2.5x+50
That password has all the things you need. Capital and small letters, numbers, and symbols. And, come password change time, increment one or both of the numbers.
Also, in the case of both approaches I mentioned, you don't have to increment your number by 1. You could go by 10's or 25's if that will make the last number you used easier to remember.
JamesNT
Member, Joined: May 2011, Posts: 143
Just thought I would put my $0.02 in about passwords: buy a laptop with a fingerprint reader! I have a Dell Vostro with a reader built in. You just have to input your username and password for EVERYTHING once and then at each website or login screen (such as AC) just swipe your finger. Password needs to be changed? No worries: change it in the fingerprint scanner program and you are ready to go!
I believe stand-alone fingerprint readers are also available; they connect to any computer via USB.
a.j. godbole pediatrics
Member, Joined: Sep 2003, Posts: 12,898 Likes: 34
Thanks David and James,
I will refrain from making fun of you.
I use the same difficult password for everything on the web. Most sites don't require you to change your password. Things like Powerchart to the hospital do, so I try to change enough things to count.
As for my users' logins, I use songs or nursery rhymes and take the first letters such as:
Hey you get off of my cloud, becomes:
H3yygOom3cs
I can remember 10 of these. I never make them change their passwords, and I always make their passwords for them.
Bert Pediatrics Brewer, Maine
Member, Joined: Aug 2004, Posts: 1,718
I have looked forward to having someone test the fingerprint readers as I have never played with them - I may now.
As far as AC passwords I guess I worry very little about this in the office as I am the only one who logs in via logmein and in the office I set all my staff so they don't even do refills for me.
As to Bert's passwords they sound way too hard for me.
Member, Joined: Oct 2011, Posts: 1,612
Steven, I have a fingerprint password on my HP laptop and love it.
jimmie internal medicine gab.com/jimmievanagon
G Member, Joined: Apr 2011, Posts: 2,316 Likes: 2
I have the same on my Lenovo. I can even turn it on with my fingerprint and completely skip over the login screen.
Member, Joined: Sep 2003, Posts: 12,898 Likes: 34
Many IT professionals recommend the technique I use. Is there a better way of being able to memorize 10 or more passwords on clients that you may not use for weeks? It allows upper case, lower case and numbers to be easily remembered but not easily guessed.
Bert Pediatrics Brewer, Maine
G Member, Joined: Apr 2011, Posts: 2,316 Likes: 2
I use sequences of random letters and numbers. Throwing in a symbol increases the strength of your password greatly. If it's a non standard symbol, damn near unbreakable. The number of possibilities you have introduced just skyrockets. Just be careful as most fields don't accept the characters. Probably overkill anyways. You're more likely to get hacked by someone pretending to be you and resetting your password. Or using your security questions against you. I.e. what's your pet's name? Anyone who knows you personally would likely be able to answer that question. You'll have to live a second fake life when it comes to security questions as most of them aren't something you'd think twice about telling another person in an elevator.
Member, Joined: Sep 2003, Posts: 12,898 Likes: 34
This thread started both times with multiple passwords you could remember. 
Bert Pediatrics Brewer, Maine
Member, Joined: Sep 2009, Posts: 2,991 Likes: 5
Don't you think a password you can't remember is better?
Jon GI Baltimore
Reduce needless clicks!
Member, Joined: Sep 2003, Posts: 12,898 Likes: 34
No. I really don't want to have to pull out a sheet of paper from my wallet to get into every single workstation.
hdD=t4cit4f
is a password which would take hundreds of thousands of years to crack via force, and I certainly am not worried that you would hack it. However, I can recall it in seconds. One of 25 passwords if need be.
I think we are all talking about different things. A password for my server may be longer and more difficult, yet I don't want that complexity for my workstations (even if getting in there is about as dangerous).
IT network specialists who specialize in security tend to recommend eight to nine characters with one uppercase or one lowercase and a number in the middle. This password should be derived from an easy to remember phrase where the password could only be derived from knowing the phrase, a phrase, of course, that has nothing to do with a user's demographics, hence a phrase made up by the admin. The reason the IT specialist does not want a password such as $%7hYY(82yY is because the only way the user can remember that is to put it on a sticky note behind their monitor.
Bert Pediatrics Brewer, Maine
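As an added example (not code from any poster in this thread), the Python below puts numbers on the strength claims made above: it contrasts the naive character-class keyspace of the passwords discussed (22GH1848, 6626, a phrase plus a two-digit counter, hdD=t4cit4f) with the far smaller space an attacker searches once the scheme itself is known. The guess rates and the scheme sizes are constructed assumptions for illustration, not measurements.

```python
import math
import string

# Guess rates (guesses/second) are constructed assumptions, not measurements:
# a throttled online login form vs. offline guessing against a leaked hash.
GUESS_RATES = {"online, rate-limited": 1e2, "offline, fast hash": 1e11}
SECONDS_PER_YEAR = 365.25 * 24 * 3600
CLASS_SIZES = {string.ascii_lowercase: 26, string.ascii_uppercase: 26,
               string.digits: 10, string.punctuation: 32}

def keyspace_bits(password: str) -> float:
    """Naive strength: log2(alphabet ** length), the alphabet being the union of the
    character classes present, i.e. the space an attacker ignorant of the scheme searches."""
    alphabet = sum(n for chars, n in CLASS_SIZES.items() if any(c in chars for c in password))
    return len(password) * math.log2(alphabet)

def scheme_bits(candidates: int) -> float:
    """Effective strength once the scheme is known: log2 of the passwords it can produce."""
    return math.log2(candidates)

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Years needed to try every password in a 2**bits space at the given rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR

def compare(password: str, scheme_candidates: int) -> dict:
    """Naive vs. scheme-aware strength for one password, with exhaustion times."""
    naive, known = keyspace_bits(password), scheme_bits(scheme_candidates)
    return {
        "naive_bits": round(naive, 1),
        "scheme_bits": round(known, 1),
        "naive_years": {k: years_to_exhaust(naive, r) for k, r in GUESS_RATES.items()},
        "scheme_years": {k: years_to_exhaust(known, r) for k, r in GUESS_RATES.items()},
    }

# Scheme sizes are constructed estimates for illustration, not measurements.
EXAMPLES = {
    "22GH1848": 2_000,     # date + initials of one of ~2,000 textbook events
    "6626": 100,           # leading digits of one of ~100 well-known constants
    "passphrase#07": 100,  # leaked phrase + two-digit counter: only the counter is secret
}

if __name__ == "__main__":
    for pw, n in EXAMPLES.items():
        r = compare(pw, n)
        print(f"{pw:14} naive {r['naive_bits']:5.1f} bits, scheme-aware {r['scheme_bits']:5.1f} bits")
        for label in GUESS_RATES:
            print(f"{'':14}   {label}: {r['naive_years'][label]:.3g} vs {r['scheme_years'][label]:.3g} years")
    print(f"{'hdD=t4cit4f':14} naive {keyspace_bits('hdD=t4cit4f'):5.1f} bits")
```

The phrase-derived password only keeps its naive strength while the phrase stays secret; the "years to crack" figure swings by nine orders of magnitude depending on whether the attacker is guessing at a login form or against a leaked hash.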
Member, Joined: Oct 2011, Posts: 1,612
I have the same on my Lenovo. I can even turn it on with my fingerprint and completely skip over the login screen.
I did not know you can turn on and skip over the log in screen--I'll have to see if my HP has that capacity. I also have a password as well just in case...
jimmie internal medicine gab.com/jimmievanagon
Member, Joined: Sep 2009, Posts: 2,991 Likes: 5
Sorry, Bert...I was being sarcastic and that wasn't clear. There is the ideal password from a security standpoint (a totally random one) and from a practical standpoint (one that you can remember or generate on your own). As you point out, if you can't remember it, then you MUST record it somewhere, which by definition reduces the level of security. I am about to start using LastPass.
Jon GI Baltimore
Reduce needless clicks!
Member, Joined: Jun 2009, Posts: 1,811
JBS beat me to it, but I will second the recommendation of LastPass; especially for Internet passwords. Secure, encrypted, and you use a master password to unlock the others. Also has an Android app that is useful for looking things up on the fly without firing up a laptop.
My master password is actually a sentence that uses all character types, and I don't use anything like it anywhere else. Would be verrry difficult to force.
Nice function to auto-generate passwords to your standards, then remember it so that you don't have to write it down or remember it.
Member, Joined: Sep 2003, Posts: 12,898 Likes: 34
Bert Pediatrics Brewer, Maine
OP, Member, Joined: Apr 2010, Posts: 1,546 Likes: 1
With apologies to all the IT guys here, I really think the entire security arena has been taken way beyond rational. We are not talking nuclear weapon secrets here. Is anyone really going to spend days trying to find out what Joe's cholesterol level is? I can show reasonable security precautions, and I think that is good enough. I also take the "back end" approach to computer hacking... just limit the amount of data that is accessible in any one place. Kind of like the old American Express ad that said " never carry more cash than you can afford to lose." I don't put all my money in one account, limit my credit card to what I really need, don't send e-mails that will compromise me; stuff like that.
David Grauman MD Department of Medicine Commonwealth Health Center Saipan, Northern Mariana Islands
Member, Joined: Sep 2003, Posts: 12,898 Likes: 34
First, the hacker doesn't know what is in your network. If you have port 3389, they are going to try to get in every day. And, while you don't need nuclear passwords, you do need to make sure your staff's password isn't 34wonderlane.
Bert Pediatrics Brewer, Maine
Member, Joined: Aug 2004, Posts: 1,718
Who remembers Mister Mxyzptlk from Superman comics? I think that would be a good password. Unfortunately hard to type - I go along with David - I use a password that is relatively easy to type and remember.
Member, Joined: Sep 2003, Posts: 12,898 Likes: 34
I suppose if you have one PC, and you have one password, then 123456 is fine. If you have 10 PCs and a server, you really don't want someone hacking in, setting up a backdoor, and monitoring your network forever.
If you can use the phrase:
I went to Ocala Vanguard Highschool in 1974 then:
1WtO*Vhsi97. isn't too hard to remember. And, not many hackers will crack it.
Bert Pediatrics Brewer, Maine
G Member, Joined: Apr 2011, Posts: 2,316 Likes: 2
Don't forget about those security questions. Those are your enemy. Also, for example, the AC Board uses login over HTTP instead of HTTPS so anyone on the same network can easily sniff your password. Try to use HTTPS whenever possible. There's an add-on called HTTPS Everywhere for you Firefox users. I think it's on Chrome and IE as well.
Physical security is important too. Leave me alone with a computer in the same room for 3 minutes and I'll be in your computer. If you had AD and folder redirection, I wouldn't be able to get anything off the computer even if I stole it. I would need to steal the server.
Member, Joined: Sep 2009, Posts: 2,991 Likes: 5
Based on this thread, I will introduce the field of "psychopassology". The concept is that if you know a person's psychological characteristics, you can guess the type of password they will use. Draw your own conclusions from these examples.
David G.... reference to arcane historical event
Indy.... puts his faith in a high tech program
Sandeep.... random number; impossible to "crack"... and impossible to remember or comprehend
Jimmie... no password at all; takes a "hands-on" approach
John R.... humorous reference to physical constant
James... a line. A very straight line.
and Bert... proposes multiple different options, winding up with a reference to his high school "glory days"
It's all in jest, guys....
Jon GI Baltimore
Reduce needless clicks!
Member, Joined: Jun 2009, Posts: 1,811
It's all in jest, guys....
I started to respond, then decided not to bite. For those who don't want to remember passwords, LastPass means just remembering one. :P
Member, Joined: Sep 2003, Posts: 12,898 Likes: 34
@Jon Is that to be sung to Doe A Deer....?
Bert Pediatrics Brewer, Maine
Member, Joined: Oct 2011, Posts: 1,612
jimmie internal medicine gab.com/jimmievanagon