(SeattlePI) 38 percent of adults would rather scrub a toilet than come up with a new online password, which explains why so many accounts get hacked and so many more toilets go unscrubbed (blog.seattlepi.com)

Posted to Main on 24 Aug 2012 at 12:31 PM

75 Comments

Archived thread
2012-08-24 12:32:32 PM
Mine is 12345, so it's easy to remember.
 
2012-08-24 12:33:02 PM
I just can't stand that every website has completely different password rules. Oh, I need 3 letters and both upper and lower case with a symbol for this one..... fark
 
2012-08-24 12:35:06 PM

Heamer: Mine is 12345, so it's easy to remember.


I have the same combination on my luggage
 
2012-08-24 12:37:30 PM
Ugh. That's why God invented housekeepers.

/They always come up with the most secure ones.
 
2012-08-24 12:38:07 PM
In before 'correct horse battery staple'.

When I was at university we had to change passwords every 90 days, and you couldn't re-use any password, plus all passwords had to be minimum of 8 characters including upper/lower case, at least one number and a special character.

Yeah, mine was written down every time.
 
2012-08-24 12:38:48 PM
I can't recall who posted it but I read it on Fark about using a song line. Use the first letter of each word in a line in your favorite song. Which is easy because my favorite song is All Together Now so it's just 1234
 
2012-08-24 12:40:32 PM
I needed eight characters including a number so I chose Snow White and the seven dwarfs.

/Old, I know.
 
2012-08-24 12:40:37 PM
I keep all my passwords on a file in "My Documents" so no problem coming up with new passwords.
 
2012-08-24 12:41:10 PM
Mine is the same for everything: *******************
 
2012-08-24 12:41:10 PM

Gleeman: In before 'correct horse battery staple'.

When I was at university we had to change passwords every 90 days, and you couldn't re-use any password, plus all passwords had to be minimum of 8 characters including upper/lower case, at least one number and a special character.

Yeah, mine was written down every time.


I had the same thing at an old job minus the special character. I went with Farkface01 and went up numerically as they expired. I think I stopped when somewhere around Farkface11 I had to tell the password to someone in IT for work on my computer. She wasn't too thrilled but she blew it off, fortunately.
 
2012-08-24 12:41:32 PM

Gleeman: In before 'correct horse battery staple'.




[image: imgs.xkcd.com]
 
2012-08-24 12:42:02 PM

Alonjar: I just can't stand that every website has completely different password rules. Oh, I need 3 letters and both upper and lower case with a symbol for this one..... fark


Pretty much this. The password recovery button is my friend :( You're not supposed to have your passwords be the same, I get it. I just wish there were easy ways to remember the type of passwords that are the 'safest'.
 
2012-08-24 12:42:44 PM
Scrubtoilet was my password.
 
2012-08-24 12:44:12 PM

rudemix: Gleeman: In before 'correct horse battery staple'.

When I was at university we had to change passwords every 90 days, and you couldn't re-use any password, plus all passwords had to be minimum of 8 characters including upper/lower case, at least one number and a special character.

Yeah, mine was written down every time.

I had the same thing at an old job minus the special character. I went with Farkface01 and went up numerically as they expired. I think I stopped when somewhere around Farkface11 I had to tell the password to someone in IT for work on my computer. She wasn't too thrilled but she blew it off, fortunately.



You should never have to tell someone in IT your password. There should be an IT user on the machine for maintenance.
 
2012-08-24 12:49:55 PM
Couldn't the computer also be searching for combinations of words rather than random assortments of characters? In which case that correcthorsebatterystapler thing wouldn't be very secure at all.
 
2012-08-24 12:50:06 PM
password1

the "1" is to throw them off
 
2012-08-24 12:50:40 PM

rudemix: Gleeman: In before 'correct horse battery staple'.

When I was at university we had to change passwords every 90 days, and you couldn't re-use any password, plus all passwords had to be minimum of 8 characters including upper/lower case, at least one number and a special character.

Yeah, mine was written down every time.

I had the same thing at an old job minus the special character. I went with Farkface01 and went up numerically as they expired. I think I stopped when somewhere around Farkface11 I had to tell the password to someone in IT for work on my computer. She wasn't too thrilled but she blew it off, fortunately.


Forgot to add that you couldn't use any dictionary words, had to be gibberish. Sigh...
 
2012-08-24 12:53:17 PM

Wasilla Hillbilly: Couldn't the computer also be searching for combinations of words rather than random assortments of characters? In which case that correcthorsebatterystapler thing wouldn't be very secure at all.


It would be easy to remember, but offer a challenge due to the size/number of 'guesses' required to blunt force crack it. 26 possible characters not including spaces vs your typical 8 character password.
 
2012-08-24 12:57:43 PM

AliceBToklasLives: I keep all my passwords on a file in "My Documents" so no problem coming up with new passwords.


Unfortunately I do the same. The only passwords I don't write down are my online banking access and my computer unlock. The latter is simple but the hint requires specific knowledge that I don't have written down anywhere.
 
Zel
2012-08-24 12:59:01 PM

Wasilla Hillbilly: Couldn't the computer also be searching for combinations of words rather than random assortments of characters? In which case that correcthorsebatterystapler thing wouldn't be very secure at all.


That's called a dictionary attack, and yes, the computer is very good at breaking passwords like "banana" and even longer ones like "democracy" because the total number of words in a dictionary is way smaller than the number of possible random combinations.

Similarly, I once had a virus waltz right into my PC because its dictionary had qwertyuiop, so it's not all regular words, but common stuff like p4ssw0rd.

Nowadays I make random long baloney passwords and just do a reset every time I have to type it.
 
2012-08-24 01:00:41 PM
Passwords by themselves are bad enough. My company just instituted two-factor authentication, so we have to use a USB token key as well. Then we have to change the password every 60 days (which is really a very bad security practice, but don't try to explain why to a 24 year old security "expert"). If you forget your token key, which is easy to do, since it is a violation of company policy to store it with your portable computer, you must call the help desk to have them generate a token that you have to manually punch in. That doesn't sound bad, but they also have a 60 minute idle time-out that will kick you out of the network. So if you go to a meeting or lunch, you have to call help desk again.

Now when one considers that most hackers never bother to attempt to get in via the front door, all this password paranoia is really stupid.
 
2012-08-24 01:04:15 PM
Please enter a Password
******
We're sorry. Your password is too short. Please enter a new password
******************
We're sorry. Your password does not contain a number. Please enter a new password
*******************
We're sorry. Your password does not contain a special character. Please enter a new password
********************
We're sorry. Your password contains an unauthorized special character. Please enter a new password
********************
We're sorry. Your password exceeds the allowable number of characters. Please enter a new password
 
2012-08-24 01:04:32 PM

Wasilla Hillbilly: Couldn't the computer also be searching for combinations of words rather than random assortments of characters? In which case that correcthorsebatterystapler thing wouldn't be very secure at all.


No. It's mathematically pretty secure even with the full knowledge that you're using four common English words.

You're talking about the equal of an 8-character pure gibberish password.

90 ~= number of ASCII characters you're likely to use in a password

90^8 = 4 quadrillion passwords

90^8 = 8100^4

So, the 'correct horse' example drawn from an 8100 word constrained vocabulary (which is about most people's day-to-day vocabulary) is equal to an 8-character pure gibberish password. Except that you can actually remember the four words but would have to be a savant to remember more than one or two pure gibberish passwords. The point is, most people's 8-character passwords *aren't* pure gibberish or even close.

/ or you could use KeyPass already
 
2012-08-24 01:07:26 PM

Eps05: AliceBToklasLives: I keep all my passwords on a file in "My Documents" so no problem coming up with new passwords.

Unfortunately I do the same. The only passwords I don't write down are my online banking access and my computer unlock. The latter is simple but the hint requires specific knowledge that I don't have written down anywhere.


Actually I was joking about the file, but I do use the same password for everything that is not money or work-related. Otherwise, I would have hundreds of passwords to memorize or write down.
 
2012-08-24 01:16:12 PM
correcthorsebatterystapleatthetilkemcisedhockenheimring

And if,for some reason, you have to meet the AKO password standard (minimum 2 each of caps, lowercase, numbers and symbols; and at least 10 total characters):

#3Train@7thAveAndBrooklynExpressExceptNights

/Note that these are useless on systems with a MAXIMUM password size, being 55 and 44 characters long each, respectively
 
2012-08-24 01:22:45 PM

Alonjar: I just can't stand that every website has completely different password rules. Oh, I need 3 letters and both upper and lower case with a symbol for this one..... fark


There are definitely some websites that I wish would put a reminder of their stupid password rules on the login page. I'd actually be able to recreate my thought process if I knew it required at least three uppercase letters, two numbers and two punctuation marks. Those ones I just leave the password in my email inbox, which is I suppose more secure than on a desktop post-it note.

\Passphrases are more secure anyways, but too many places limit the number of characters.
 
2012-08-24 01:25:51 PM

JackieRabbit: never bother to attempt to get in via the front door


Kinky.
 
2012-08-24 01:27:14 PM
The headline should read... and so many toilets are scrubbed. Actually, now that I think about it... People do change their passwords. Nevermind, damn it
 
2012-08-24 01:27:40 PM
*sigh*...didn't we just go over this two days ago?

www.keepassx.org It's free, uncrackable and indispensable. One password to rule them all. One password to find them and in the darkness, bind them.

You're welcome.
 
2012-08-24 01:29:33 PM
I used to come up with different egregiously complicated passwords for every site and then compile those passwords into a microscopic file I had embedded in my shin readable only by a scanning device. I realized later what a monumental waste of effort this was.

Unless you have an incredible memory for random strings of numbers/letters don't bother IMHO. Exceptions made for really important sites related to banking etc. If someone wants to hijack my FARK account be my guest.
 
2012-08-24 01:34:41 PM

JackieRabbit: Passwords by themselves are bad enough. My company just instituted two-factor authentication, so we have to use a USB token key as well. Then we have to change the password every 60 days (which is really a very bad security practice, but don't try to explain why to a 24 year old security "expert"). If you forget your token key, which is easy to do, since it is a violation of company policy to store it with your portable computer, you must call the help desk to have them generate a token that you have to manually punch in. That doesn't sound bad, but they also have a 60 minute idle time-out that will kick you out of the network. So if you go to a meeting or lunch, you have to call help desk again.

Now when one considers that most hackers never bother to attempt to get in via the front door, all this password paranoia is really stupid.



One company I worked for instituted a new password policy, where everyone's passwords were wiped and new rules were put in place: One capital letter, one number, at least eight characters long, set to expire every thirty days. They helpfully reset everyone's password to 'Company1' where 'company' was the name of the place we were working.

Every thirty days the password expired for everyone, all at once, since no one had bothered to change them from the default 'Company1'. Since people don't like having to think up new passwords, the first time it expired, everyone simply changed their passwords to 'Company2'. Thirty days later, 'Company3' was the standard. A good ninety percent of the company ended up using the same exact password. You could walk up to almost any computer and log on with it.

When I left the company a while later for another job, we were up to Company17 and the 'security' office still refused to admit anything was wrong. Sadly, this wasn't anywhere near the most screwed up thing about the place.
 
2012-08-24 01:37:30 PM
Won't someone think of the toilets?!
 
2012-08-24 01:38:09 PM

Lawnchair: Wasilla Hillbilly: Couldn't the computer also be searching for combinations of words rather than random assortments of characters? In which case that correcthorsebatterystapler thing wouldn't be very secure at all.

No. It's mathematically pretty secure even with the full knowledge that you're using four common English words.

You're talking about the equal of an 8-character pure gibberish password.

90 ~= number of ASCII characters you're likely to use in a password

90^8 = 4 quadrillion passwords

90^8 = 8100^4

So, the 'correct horse' example drawn from an 8100 word constrained vocabulary (which is about most people's day-to-day vocabulary) is equal to an 8-character pure gibberish password. Except that you can actually remember the four words but would have to be a savant to remember more than one or two pure gibberish passwords. The point is, most people's 8-character passwords *aren't* pure gibberish or even close.

/ or you could use KeyPass already


Exactly. Randomly trying combinations of 4 out of the 5000 most common English words is already about as hard as trying 8 digit combinations of lower and upper case letters, numbers, and symbols. And no one needs to write it down to remember it.
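The arithmetic in Lawnchair's post (90^8 = 8100^4) and the 5000-word figure above, carried through in code. This is an added example, not code from the thread or from any tool mentioned in it; the demo word list is constructed, the 170,000-entry dictionary size and the 10^10 guesses-per-second offline rate are assumptions for illustration, and the vocabulary sizes come from the posts being discussed.

```python
import math
import secrets

# Constructed word list for the demo (assumption: a real passphrase list has
# thousands of entries; the entropy figures below use the vocabulary sizes
# quoted in the thread, not the size of this toy list).
DEMO_WORDS = ["correct", "horse", "battery", "staple", "banana", "democracy",
              "toilet", "scrub", "jukebox", "dive", "luggage", "housekeeper"]


def search_space(symbols: int, length: int) -> int:
    """Candidates when each of `length` positions is drawn uniformly from `symbols` choices."""
    return symbols ** length


def bits(space: int) -> float:
    """Entropy in bits of a uniform choice from `space` candidates."""
    return math.log2(space)


def seconds_to_crack(space: int, guesses_per_second: float) -> float:
    """Expected time to hit the password: on average half the space is searched."""
    return space / 2 / guesses_per_second


def compare(word_vocab: int = 8100, word_count: int = 4,
            charset: int = 90, char_len: int = 8) -> dict:
    """Bits for the two schemes the thread compares, plus a single dictionary
    word (assumption: ~170,000 entries in a large English dictionary)."""
    return {
        "passphrase": bits(search_space(word_vocab, word_count)),
        "random_chars": bits(search_space(charset, char_len)),
        "one_dictionary_word": bits(search_space(170_000, 1)),
    }


def generate_passphrase(words, count: int, sep: str = " ") -> str:
    """Choose `count` words with the CSPRNG (secrets), never random.choice.
    The attacker is assumed to know the list; the strength is vocab**count."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for name, b in compare().items():
        print(f"{name:>20}: {b:5.1f} bits")
    # Assumed offline rate against a fast unsalted hash, for scale only.
    days = seconds_to_crack(search_space(90, 8), 1e10) / 86400
    print(f"90^8 at 1e10 guesses/s: {days:.1f} days")
    print("example passphrase:", generate_passphrase(DEMO_WORDS, 4))
```

The point the numbers make: a single dictionary word is around 17 bits and falls instantly, four words from an 8100-word list equal eight fully random characters (about 52 bits), and four from a 5000-word list are still about 49 bits. That holds only if the words are picked by a CSPRNG from the list; a phrase you chose yourself because it is memorable has far less entropy than the list size suggests.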
 
2012-08-24 01:40:41 PM
Yeah. I get upset only when something random makes me come up with some super complicated password instead of my common one I normally use. I understand having a very secure one for things like banking or company security. But, unless I use it often it's getting written down somewhere.

And, I imagine like most thievery there's more than one way in and someone that really wants to get in will find a way regardless of how super secure the password is.
 
2012-08-24 01:43:28 PM

toraque: A good ninety percent of the company ended up using the same exact password. You could walk up to almost any computer and log on with it.

When I left the company a while later for another job, we were up to Company17 and the 'security' office still refused to admit anything was wrong. Sadly, this wasn't anywhere near the most screwed up thing about the place.


Richard Stallman fixed this back in the 70s ... http://www.youtube.com/watch?v=CjaC8Pq9-V0&t=5m5s

When I run into an asinine PW policy, I use something like "ass9 IT admins with no clue suck!" and hope that it gets stored as plaintext and actually looked at by said asinine admins...
 
2012-08-24 01:49:42 PM
My password is the same for everything I log into, everywhere, all the time.

Because honestly, I could give a rat's ass if someone "hijacks" my Fark account, and real hackers aren't going to be stealing my password to access my bank account anyway; they'll just get the number via a hacker bbs.
 
2012-08-24 02:00:27 PM
I will happily come up with new passwords for anyone who wants to scrub my toilet.

/Difficulty: have teenagers.
 
2012-08-24 02:05:03 PM
I don't remember the password to my toilet...
 
2012-08-24 02:07:03 PM

JackieRabbit: most hackers never bother to attempt to get in via the front door, all this password paranoia is really stupid.


It's actually harmful. Forgetting a password is so common that they have to have a nice, easy to con way to reset it.

Keep control of your farking password hash files and let us use anything we want for passwords. (If the password hash file isn't stolen, then just about anything is fine - it's only when crackers get the hash file to chew on that password strength matters.)
 
2012-08-24 02:08:31 PM
Came here for my own password, "correct horse battery staple", leaving satisfied
 
2012-08-24 02:13:21 PM

Gyrfalcon: My password is the same for everything I log into, everywhere, all the time.

Because honestly, I could give a rat's ass if someone "hijacks" my Fark account, and real hackers aren't going to be stealing my password to access my bank account anyway; they'll just get the number via a hacker bbs.


I had my checking account drained by two people physically going into my bank (in another state) and filling out a withdrawal slip.

Four on Friday, three more on Monday. I was enjoying a four day weekend fishing. They used the same teller, and the bank wouldn't reveal to me or the investigator which ID document they used.

Best part? The bank blamed it on me and said my computer must have been hacked. No, asswipes, all they needed was your lazy (or complicit) teller and any of the thousand places my checking account number is at. Or actually just a drivers license really.

Farking ridiculous. Thank God we live in a socialist nightmare where the banks are insured and I got reimbursed.
 
2012-08-24 02:17:23 PM
Most password policies are asinine and counter-productive. Want your employees to make a 10 character alpha-numeric case sensitive password with inclusion of at least one symbol with a 3 month expiration? Awesome, I guarantee every password in your freaking company is written down somewhere near the computer it's used on, making all of that worthless by creating an even larger security risk than the one you were addressing. And about the only thing they are good against are brute force attacks that focus on dictionary words, hardly the most common or easiest form of system penetration. Your security is far more likely to get penetrated through other less obvious weaknesses, an employee downloading something (like a keylogger), or just good old fashioned social engineering. In the meantime, you've reduced company efficiency and created a headache for employees in a policy worthy of Dilbert's PHB.

And don't get me started on websites. I have no problem with forums and such having passwords, but they don't need the same level of security as my farking bank, especially when most of them have no personal info. I love it when they tell me a password is too weak, when I couldn't care less if someone else logged in as me most places. Oh no, someone might post as me on Fark, heaven forfend!

/there have been plenty of websites with ridiculous password requirements I didn't register with and just never went back to as a result
 
2012-08-24 02:23:46 PM
Amusingly, asinine password restrictions make an attacker's job easier by reducing search space. Must have at least one lowercase and one uppercase letter? Great. Now the attacker doesn't have to check for anything with no lowercase letters or no uppercase letters. Must have at least one digit? That culls anything with no digits. Each little restriction on what must or must not be in a password cuts out millions of possible passwords to search for.
 
2012-08-24 02:24:52 PM
I only remember a very small number of passwords:
- The master password to my LastPass account.
- My primary email account.
- A few passwords for TrueCrypt volumes.

LastPass stores all my passwords for everything else (each one is long and random). Need to change the password? Ok. No big deal, just a click or two of the mouse and a new random one is generated.

My LastPass and email accounts are protected with one-time passwords (I use Google Authenticator and compatible TOTP clients). My home computer and laptop are "trusted" and don't require one-time passwords to access my accounts but any other system out there does.

Naturally, I have a backup of all the saved passwords, the seeds for the OTP generator, my LastPass master password, and my email password saved to digital media and printed out on paper and kept in a sealed envelope in geographically remote secure locations. I update the paper copies twice a year. Useful if I ever get hit by a bus and my wife needs to close my various accounts.

Most people pick incredibly stupid passwords that are insecure and hard to remember. Screw that.
 
2012-08-24 02:29:14 PM
Why are we even still using passwords? It seems to me, putting a smartcard in your computer and a simple passcode to use with it is infinitely more secure than a password that you have to change every month.
 
2012-08-24 02:40:50 PM

Wasilla Hillbilly: Couldn't the computer also be searching for combinations of words rather than random assortments of characters? In which case that correcthorsebatterystapler thing wouldn't be very secure at all.


The computer doesn't look for "words" in the same sense you do. correct horse battery stapler is more secure for the simple reason that there are more bits to guess at than 034#5!3^. From a brute force standpoint, the former is much harder than the latter.
 
2012-08-24 02:40:53 PM
Oh, is this where we tell people how fark automatically filters our passwords?

Like this: drewisafarkhead

Isn't that cool?
 
2012-08-24 02:46:12 PM

lemurs: Amusingly, asinine password restrictions make an attacker's job easier by reducing search space. Must have at least one lowercase and one uppercase letter? Great. Now the attacker doesn't have to check for anything with no lowercase letters or no uppercase letters. Must have at least one digit? That culls anything with no digits. Each little restriction on what must or must not be in a password cuts out millions of possible passwords to search for.


Hmm, I would argue for a straight brute force attack it probably doesn't matter much (assuming it is truly a "random" string for a password), the combinations are large enough that even with those limitations taken into account it's going to be hard to just push through. Not impossible mind you, but without those restrictions you can bet someone would cleverly pick "password" and then wonder why they got hacked.

Of course, if we require, say, an 8 character minimum password with caps and numbers, I'd be looking to refine my attack to try capitalizing the first letter of a word and adding either a single number, a two digit number, or a four digit number on at the end (either tacking on a single number or a date for 'YY, MMDD, or YYYY format, likely their birthday) for any combination that gives me 8-10 characters. Still potentially harder to crack than someone using "password", but I'd be surprised if many passwords for any group didn't fall within these parameters.

In reality, I'd actually just look to get physical access to the site and either talk a login out of someone or just look surreptitiously under a few mouse pads for the sticky note with a single nonsense word written on it. The weakest point in most security systems is the people; no sense in going through the trouble to break into a box the hard way.
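Both sides of the exchange above can be quantified: how much of the 8-character space a composition rule throws away (lemurs' point), and how small the search becomes once an attacker assumes the "Capitalized word plus some digits" habit the reply describes. This is an added example, not code from the thread; the class sizes (26 lower, 26 upper, 10 digits, 28 symbols, giving the thread's ~90) and the 5000-word vocabulary are assumptions carried over from the posts, and the toy alphabet used to cross-check the formula is constructed.

```python
from itertools import combinations, product

# Character class sizes assumed for the thread's "about 90 printable ASCII characters".
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 28}


def keyspace(length: int, classes: dict = CLASSES) -> int:
    """All strings of `length` over the union of the classes, no rules applied."""
    return sum(classes.values()) ** length


def count_with_required(length: int, required, classes: dict = CLASSES) -> int:
    """Strings of `length` containing at least one character from every class in
    `required`, by inclusion-exclusion: start from the full space, subtract the
    strings missing each required class, add back those missing two, and so on."""
    total = sum(classes.values())
    required = list(required)
    result = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            reduced = total - sum(classes[c] for c in missing)
            result += (-1) ** k * reduced ** length
    return result


def fraction_removed(length: int, required, classes: dict = CLASSES) -> float:
    """Share of the unconstrained space an attacker no longer has to try."""
    return 1 - count_with_required(length, required, classes) / keyspace(length, classes)


def brute_force_count(length: int, required, classes: dict) -> int:
    """Direct enumeration over a tiny constructed alphabet, to validate the formula."""
    alphabet = [(name, i) for name, n in classes.items() for i in range(n)]
    hits = 0
    for s in product(alphabet, repeat=length):
        present = {name for name, _ in s}
        if all(r in present for r in required):
            hits += 1
    return hits


def mask_candidates(vocab: int, digit_suffix_lengths=(1, 2, 4),
                    case_variants: int = 1) -> int:
    """Candidates for a 'Capitalized word + 1/2/4 digits' mask over a word list."""
    suffixes = sum(10 ** n for n in digit_suffix_lengths)
    return vocab * case_variants * suffixes


if __name__ == "__main__":
    rules = ["lower", "upper", "digit"]
    print(f"8-char space removed by {rules}: {fraction_removed(8, rules):.1%}")
    print(f"mask over 5000 words: {mask_candidates(5000):,} candidates "
          f"vs {keyspace(8):,} for full brute force")
```

For a truly random 8-character password the rule "at least one lower, one upper, one digit" removes a little under half the space, i.e. under one bit, which is why the reply is right that the rule barely matters against pure brute force. The mask is the real loss: 5000 words times three digit-suffix shapes is about 50 million candidates, eight orders of magnitude below 90^8, and it is the shape most rule-compliant human passwords take.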
 
2012-08-24 02:52:17 PM

fracto: rudemix: Gleeman: In before 'correct horse battery staple'.

When I was at university we had to change passwords every 90 days, and you couldn't re-use any password, plus all passwords had to be minimum of 8 characters including upper/lower case, at least one number and a special character.

Yeah, mine was written down every time.

I had the same thing at an old job minus the special character. I went with Farkface01 and went up numerically as they expired. I think I stopped when somewhere around Farkface11 I had to tell the password to someone in IT for work on my computer. She wasn't too thrilled but she blew it off, fortunately.


You should never have to tell someone in IT your password. There should be an IT user on the machine for maintenance.


I was worried about my inordinate amount of browsing getting discovered also so I didn't even consider something like that. I did change it as soon as she left the office.
 
2012-08-24 02:59:11 PM

Surpheon: JackieRabbit: most hackers never bother to attempt to get in via the front door, all this password paranoia is really stupid.

It's actually harmful. Forgetting a password is so common that they have to have a nice, easy to con way to reset it.

Keep control of your farking password hash files and let us use anything we want for passwords. (If the password hash file isn't stolen, then just about anything is fine - it's only when crackers get the hash file to chew on that password strength matters.)


Agreed. Let the users select a good password and don't make them change it. If someone from outside gets the hashed passwords, you have a mole on your IT department.

But professional hackers never try to hack using passwords; that's too easy to detect. They usually exploit a known vulnerability and come in via an open protocol.
 
2012-08-24 03:09:41 PM
It is easiest for the incompetent IT departments to make the user do hard stupid stuff. They could just have a 15 second delay to re-try your PW. And 3 strikes, you have to wait 15 minutes, then 5 characters would be over-kill. When I was working with classified stuff, they made us change every 60 days, AND the computer generated random strings for your password. iRFg6^8kQ~ Remember THAT sucker! The problem is not password strength, it is IT weakness. And it is my bank sending me an "important email", saying "Since email is not secure, please click HERE, and log on to your secure account for access to this important message." Honest to Google, it is really from the bank. They are training us to be stupid.
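The throttle periboob describes (a 15-second wait after a wrong guess, a 15-minute lockout after three strikes) is a few lines of server-side state. Below is an added example of that scheme, not code from the thread or from any product; the credential store and the account name are constructed for the demo, and the clock is injectable so the timing can be exercised without sleeping.

```python
import hmac
import time

# Constructed credential store for the demo (assumption). A real system stores
# salted slow hashes (bcrypt/scrypt/Argon2), never the password itself.
DEMO_USERS = {"alice": b"correct horse battery staple"}


def demo_verify(account: str, password: str) -> bool:
    """Constant-time comparison against the demo store."""
    stored = DEMO_USERS.get(account)
    return stored is not None and hmac.compare_digest(stored, password.encode())


class LoginThrottle:
    """Per-account online brute-force throttle: RETRY_DELAY after each failure,
    LOCKOUT after MAX_STRIKES consecutive failures. The clock is injectable."""

    RETRY_DELAY = 15          # seconds before the next attempt is accepted
    MAX_STRIKES = 3
    LOCKOUT = 15 * 60         # seconds

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._state = {}      # account -> (consecutive failures, not_before)

    def wait_remaining(self, account: str) -> float:
        """Seconds the caller must still wait before an attempt is accepted (0 if allowed)."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self._clock())

    def record_failure(self, account: str) -> None:
        strikes, _ = self._state.get(account, (0, 0.0))
        strikes += 1
        now = self._clock()
        if strikes >= self.MAX_STRIKES:
            # lock out and reset the counter so the next cycle starts fresh
            self._state[account] = (0, now + self.LOCKOUT)
        else:
            self._state[account] = (strikes, now + self.RETRY_DELAY)

    def record_success(self, account: str) -> None:
        self._state.pop(account, None)


def attempt_login(throttle: LoginThrottle, account: str, password: str,
                  verify=demo_verify):
    """Returns (status, seconds_to_wait). The throttle is consulted before the
    password is checked, so guesses made during the wait are never evaluated."""
    wait = throttle.wait_remaining(account)
    if wait > 0:
        return "throttled", wait
    if verify(account, password):
        throttle.record_success(account)
        return "ok", 0.0
    throttle.record_failure(account)
    return "denied", throttle.wait_remaining(account)


if __name__ == "__main__":
    t = LoginThrottle()
    for guess in ("12345", "password1", "Company17"):
        print(guess, attempt_login(t, "alice", guess))
```

Two caveats a deployment needs that the post's sketch leaves out. Keying purely on the account lets anyone lock a victim out by guessing wrong three times, so real implementations pair this with per-source-IP limits or CAPTCHAs rather than a hard account lockout alone. And, as Surpheon's post notes, this only defends the online path: once the hash file is stolen the throttle is irrelevant and password strength plus a slow hash is all that is left.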
 
2012-08-24 03:18:32 PM
This story reminds me of my old IT manager who told me he would rather be buttfarked in the arse by an elephant over a table of broken glass than fix a got-damm printer. Only his was dirtier.
 
2012-08-24 03:26:02 PM
When I used to work on the help desk, we would ask people their passwords when we worked on their PCs. One guy had 'f*ckyouselena' with a number after it. I think he was up to 30 something. Every time I saw him I felt like asking how Selena was doing.
 
2012-08-24 03:29:46 PM
My foolproof method, haven't had to reset a password for years:

[image: blog.securityactive.co.uk]
 
2012-08-24 03:32:31 PM
Mine is the number/letter combos for a couple of my favorite songs on the jukebox at my favorite dive. It's easy for me to remember, and it's total monkey type for someone that doesn't know what songs or what jukebox
 
2012-08-24 03:34:26 PM

periboob: And it is my bank sending me an "important email", saying "Since email is not secure, please click HERE, and log on to your secure account for access to this important message." Honest to Google, it is really from the bank. They are training us to be stupid.


That sounds almost too stupid to be believed. That just sets their customers up to be phished. I'd change banks. If they are that stupid with something so obvious, you may get a visit from the FBI one day so that they can talk to you about why you are transferring money to al Qaeda. My CU sometimes sends me an email to tell me to go to their site and check my messages for an important, confidential one. But that is all it says. There is no link to the site.
 
2012-08-24 03:35:57 PM

R66YRobo: Most password policies are asinine and counter-productive. Want your employees to make a 10 character alpha-numeric case sensitive password with inclusion of at least one symbol with a 3 month expiration? Awesome, I guarantee every password in your freaking company is written down somewhere near the computer it's used on, making all of that worthless by creating an even larger security risk than the one you were addressing. And about the only thing they are good against are brute force attacks that focus on dictionary words, hardly the most common or easiest form of system penetration. Your security is far more likely to get penetrated through other less obvious weaknesses, an employee downloading something (like a keylogger), or just good old fashioned social engineering. In the meantime, you've reduced company efficiency and created a headache for employees in a policy worthy of Dilbert's PHB.

And don't get me started on websites. I have no problem with forums and such having passwords, but they don't need the same level of security as my farking bank, especially when most of them have no personal info. I love it when they tell me a password is too weak, when I couldn't care less if someone else logged in as me most places. Oh no, someone might post as me on Fark, heaven forfend!

/there have been plenty of websites with ridiculous password requirements I didn't register with and just never went back to as a result


I used to intern at a government office where this was the case. Employees couldn't keep up with their password changes, so they were always written on sticky notes either in the drawer or sometimes in some clever secret place like under the keyboard. And the system itself wasn't any big deal, just a scheduling and document-transfer program for employee use only (because who else would want it).

The experience made me wonder how many of Anonymous's "amazing hack jobs" and such were done by initially just going around desks and finding passwords. Anyone can do it if you wear a janitorial-looking uniform and carry a bottle of 409 and now I've said too much.
 
2012-08-24 03:40:23 PM
The problem is that every time you come up with a new password, you have to either memorize it, or write it down. You can only memorize so many passwords, and writing them down is insecure, what other options do you have? The real pisser? I finally came up with one a few years ago that was absolutely PERFECT. It made sense to me, looks like gobbledygook when people glance over at it, the clue is misleading, and anyone I give it to(like my wife) who gets confused about the spelling can look it up.

Then a website that had it stored got hacked. They killed my 'perfect' password. Those bastards.

I now have 2 regular ones, one I use for places where I need the security, such as online retailers and Google, then I have one for sites like this that might get hacked. Seems to be the best I can do without having to remember 4,283 passwords all at the same time.
 
2012-08-24 03:42:01 PM

Gyrfalcon:
I used to intern at a government office where this was the case. Employees couldn't keep up with their password changes, so they were always written on sticky notes either in the drawer or sometimes in some clever secret place like under the keyboard. And the system itself wasn't any big deal, just a scheduling and document-transfer program for employee use only (because who else would want it).

The experience made me wonder how many of Anonymous's "amazing hack jobs" and such were done by initially just going around desks and find ...


I'd wager most of them. The lesson in all of this is that security is not a technology problem, it is a people problem. You start with people, and provide them technology tools to be secure. You do not start with technology and expect that people will conform to fit its requirements.
 
2012-08-24 03:44:19 PM

Gleeman: In before 'correct horse battery staple'.

When I was at university we had to change passwords every 90 days, and you couldn't re-use any password, plus all passwords had to be a minimum of 8 characters including upper/lower case, at least one number and a special character.

Yeah, mine was written down every time.


We have to do the same at my company, but we can reuse after 3 times, and we can go sequentially, so everyone just tacks a number to the end, and restarts after '9'.
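The "tack a number on the end and restart after 9" rotation above is exactly what a password-history check should catch. This is an added example, not code from the thread or from any particular product: a Python check that rejects a new password when it is identical to, a trailing-counter variant of, or within a couple of edits of one of the last few passwords. The sample history and the 3-password window are constructed to match the policy the post describes.

```python
import re
from typing import Iterable, Optional

# Constructed sample history (not anyone's real credentials): the post's pattern,
# one base word with a counter tacked on and bumped at every forced change.
SAMPLE_HISTORY = ["Summer2011!1", "Summer2011!2", "Summer2011!3"]

# Non-greedy stem so "Summer2011" splits into stem "Summer" + digits "2011";
# that way a year bump (Summer2011 -> Summer2012) also counts as a rotation.
_TRAILING_DIGITS = re.compile(r"^(?P<stem>.*?)(?P<num>\d+)$")


def stem_of(password: str) -> str:
    """Password with any trailing run of digits removed, lower-cased."""
    m = _TRAILING_DIGITS.match(password)
    core = m.group("stem") if m else password
    return core.lower()


def is_rotation_of(candidate: str, previous: str) -> bool:
    """True when the two differ only in case and the trailing counter."""
    return stem_of(candidate) == stem_of(previous)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (single-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_new_password(candidate: str, history: Iterable[str],
                       remembered: int = 3, max_edits: int = 2) -> Optional[str]:
    """Return None if the candidate is acceptable, otherwise a rejection reason.

    Only the last `remembered` passwords are compared; the post's policy
    remembers 3, which is why "reuse after 3 times" works there.
    """
    recent = list(history)[-remembered:]
    for old in recent:
        if candidate == old:
            return "identical to a recent password"
        if is_rotation_of(candidate, old):
            return "only the trailing counter differs from a recent password"
        if edit_distance(candidate.lower(), old.lower()) <= max_edits:
            return "too similar to a recent password"
    return None


if __name__ == "__main__":
    for attempt in ("Summer2011!4", "Summer2012!1", "correct horse battery staple"):
        print(attempt, "->", check_new_password(attempt, SAMPLE_HISTORY) or "accepted")
```

Raising `remembered` well past the number of changes a user can be bothered to cycle through is the fix for the "reuse after 3" loophole; the stem comparison is what stops the counter trick regardless of window size.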
 
2012-08-24 03:48:31 PM

fracto: You should never have to tell someone in IT your password. There should be an IT user on the machine for maintenance.


Sorry, we don't have issues here logging onto the local machine, it's when we have to log onto specific users' Citrix accounts, or log directly into their email. 'Local machine' was ok 5 years ago, but with all of the virtualization nowadays, the local machines are just a portal. I can't discover anyone's password, I can only reset it, so if someone is out, and I need to log onto their Citrix to make changes, which occasionally happens, or I have to log in with them, and their machine is down, they have to tell me their password, or else I have to change it and find some way to get it to them without using their account.
 
2012-08-24 03:51:23 PM
I just stick my dick in the USB port, and they somehow figure out that it's me trying to log in, every time.
 
2012-08-24 04:04:14 PM

Oldiron_79: Mine is the number/letter combos for a couple of my favorite songs on the jukebox at my favorite dive. It's easy for me to remember, and it's total monkey type for someone that doesn't know what songs or what jukebox


now that's CORRECT horse BQ

(beats up a horse and calls the doctor)
 
2012-08-24 04:27:39 PM
I usually either take a quote that I know by heart and use the first letter of each word, and combine it with proper capitalization and/or an associated date and/or some other related piece of info.

e.g.

"Space: the final frontier. These are the voyages of the starship Enterprise. Its five-year mission: to explore strange new worlds

StffTatvotsEIfymtesnwGR1966

Or, I'll use a phone number I know by heart but that's not personal enough for someone to guess, along with some related info.

e.g.

5882300ECwgn
 
2012-08-24 04:28:25 PM
And for the record, neither of those are passwords that I actually use.
 
2012-08-24 04:33:41 PM

JackieRabbit: periboob: And it is my bank sending me an "important email", saying "Since email is not secure, please click HERE, and log on to your secure account for access to this important message." Honest to Google, it is really from the bank. They are training us to be stupid.

That sounds almost too stupid to be believed. That just sets their customers up to be phished. I'd change banks. If they are that stupid with something so obvious, you may get a visit from the FBI one day so that they can talk to you about why you are transferring money to al Qaeda. My CU sometimes sends me an email to tell me to go to their site and check my messages for an important, confidential one. But that is all it says. There is no link to the site.


Indeed. It seems like US banks are notorious for being stupid when it comes to such things: I bank with USAA who is one of the more clueful banks around. They decided to "solve" the authentication issue by addressing mail to my full name as it appears on the account and by including the last four digits of my account number in the top-right corner of the message. Stupid, and trivially vulnerable to a replay attack. That, or bad guys could just type in random numbers and assume that nobody ever checks. Until recently, their "two-factor" authentication consisted of asking for my username, password, and a four-digit PIN. Now at least they have a VeriSign VIP one-time-password option which is nice (though I can't for the life of me understand why they don't just use Google Authenticator or a compatible system: it's free for them and the users).

Since I moved to Switzerland for grad school, I've been impressed. When I opened the account in person the bank gave me my login ID number and a little calculator-like device. A few days later I received the login PIN via registered mail. The next day I got my bank card (with a smartcard chip), also by registered mail. The following day they sent me a temporary password. To access my account I have to enter my login ID number and password, then their system presents me with a one-time, 8-digit "challenge" number. I insert my card into the calculator thing, type in the challenge on the site, hit enter, enter my pin, hit enter, and the device computes the appropriate response. I enter the response into the field on the site and I'm in. (The challenge/response digits are derived in part from my card number so only my card can compute the correct response.)

All email from the bank is digitally-signed using S/MIME, even their monthly newsletter. All documents produced by the bank (such as PDF bank statements, payment confirmations, etc.) are digitally signed and timestamped from a third-party, trusted timestamping service. The certificate authority and timestamping service are run by the Swiss post office. *Everything* can be verified to be legitimate and not tampered with.

Why the hell can't US banks have even the most rudimentary security?
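The challenge/response login described in the post above, written out as an added example with both sides of the exchange; this is not the bank's code and the device's real algorithm is not given on the page. Assumed here: the chip holds a per-card secret the bank also has a copy of, the device verifies the PIN on the card (with a retry counter) and never sends it to the bank, the response is the first 8 decimal digits of an HMAC-SHA256 over the card number and the challenge, and each challenge is single-use so a captured response cannot be replayed. The login id, password, card number and key are constructed values.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional


def _response_code(card_secret: bytes, card_number: str, challenge: str) -> str:
    """8-digit code from HMAC-SHA256(secret, card_number:challenge).

    Binding the card number into the MAC is the assumed counterpart of the
    post's note that only the right card can produce the right response."""
    mac = hmac.new(card_secret, f"{card_number}:{challenge}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class CardReader:
    """The calculator-like device with the chip card inserted (assumed model)."""

    def __init__(self, card_number: str, card_secret: bytes, pin: str):
        self.card_number = card_number
        self._secret = card_secret      # never leaves the chip
        self._pin = pin                 # checked on the card, never sent to the bank
        self.pin_tries_left = 3         # assumed retry counter, like a real chip card

    def respond(self, challenge: str, pin: str) -> Optional[str]:
        """Response for `challenge`, or None on wrong PIN / blocked card."""
        if self.pin_tries_left == 0:
            return None
        if not hmac.compare_digest(pin, self._pin):
            self.pin_tries_left -= 1
            return None
        self.pin_tries_left = 3
        return _response_code(self._secret, self.card_number, challenge)


class BankServer:
    """Bank side: password step, then one-time challenge, then response check."""

    def __init__(self) -> None:
        self._accounts: Dict[str, dict] = {}
        self._pending: Dict[str, str] = {}   # login_id -> outstanding challenge

    @staticmethod
    def _hash_pw(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def enroll(self, login_id: str, password: str, card_number: str, card_secret: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._accounts[login_id] = {"salt": salt, "pw": self._hash_pw(password, salt),
                                    "card_number": card_number, "card_secret": card_secret}

    def begin_login(self, login_id: str, password: str) -> Optional[str]:
        """Step 1: login id + password. Returns a fresh 8-digit challenge or None."""
        acct = self._accounts.get(login_id)
        if acct is None or not hmac.compare_digest(acct["pw"], self._hash_pw(password, acct["salt"])):
            return None
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[login_id] = challenge
        return challenge

    def finish_login(self, login_id: str, response: str) -> bool:
        """Step 2: verify the device's response. The challenge is consumed here,
        so submitting the same response again (a replay) fails."""
        challenge = self._pending.pop(login_id, None)
        if challenge is None:
            return False
        acct = self._accounts[login_id]
        expected = _response_code(acct["card_secret"], acct["card_number"], challenge)
        return hmac.compare_digest(expected, response)


def login(server: BankServer, reader: CardReader, login_id: str, password: str, pin: str) -> bool:
    """The full exchange from the customer's point of view."""
    challenge = server.begin_login(login_id, password)
    if challenge is None:
        return False
    response = reader.respond(challenge, pin)
    if response is None:
        return False
    return server.finish_login(login_id, response)


if __name__ == "__main__":
    bank = BankServer()
    key = secrets.token_bytes(32)                     # constructed per-card key
    bank.enroll("7001234", "temp-pw", "CARD-1", key)  # constructed login id / card
    device = CardReader("CARD-1", key, "2580")
    print("login ok:", login(bank, device, "7001234", "temp-pw", "2580"))
```

Note what this buys over the "username, password and four-digit PIN" scheme criticised earlier in the same post: a keylogger or a phishing page gets the password and one response, but the response is useless once the challenge has been consumed, and the PIN never crosses the network at all.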
 
2012-08-24 04:39:38 PM

Gyrfalcon: R66YRobo: Most password policies are asinine and counter-productive. Want your employees to make a 10 character alpha-numeric case sensitive password with inclusion of at least one symbol with a 3 month expiration? Awesome, I guarantee every password in your freaking company is written down somewhere near the computer it's used on, making all of that worthless by creating an even larger security risk than the one you were addressing. And about the only thing they are good against are brute force attacks that focus on dictionary words, hardly the most common or easiest form of system penetration. Your security is far more likely to get penetrated through other less obvious weaknesses, an employee downloading something (like a keylogger), or just good old fashioned social engineering. In the meantime, you've reduced company efficiency and created a headache for employees in a policy worthy of Dilbert's PHB.

And don't get me started on websites. I have no problem with forums and such having passwords, but they don't need the same level of security as my farking bank, especially when most of them have no personal info. I love it when they tell me a password is too weak, when I couldn't care less if someone else logged in as me most places. Oh no, someone might post as me on Fark, heaven forfend!

/there have been plenty of websites with ridiculous password requirements I didn't register with and just never went back to as a result

I used to intern at a government office where this was the case. Employees couldn't keep up with their password changes, so they were always written on sticky notes either in the drawer or sometimes in some clever secret place like under the keyboard. And the system itself wasn't any big deal, just a scheduling and document-transfer program for employee use only (because who else would want it).

The experience made me wonder how many of Anonymous's "amazing hack jobs" and such were done by initially just going around desks and find ...


I've read that several of them were social engineering more so than what most people think of as "hacking", but take that for what it's worth. I'd be willing to bet that most "hacks" are either exploiting known vulnerabilities that an IT dept. hasn't taken care of or are socially engineered. All that said, I'm hardly a computer security expert, so I could be grossly off base on my view of the threat.
 
2012-08-24 04:56:24 PM
As someone who regularly sees errors that effectively mean "Password too complex", it's the alternate verification questions that kill me. The stock questions are usually bits of trivia known or easily guessed by half of anyone's facebook contacts. Some are easily guessed by anyone. I've seen "Where did you meet your spouse? (City name only)", so you are discouraged from using anything actually hard to guess like "A Molly Hatchet concert" or "#lonelypervs on irc". Of course you don't have to and absolutely should never use accurate/correct answers here, but many have character filtering that makes a password-strength value impossible.

My favorites at least let me write in my own question. Those are great when they're used on phone support. "So, OccamsWhiskers, you naughty, naughty boy, what are you wearing?" But I can't bring myself to answer with a real punchline, it's always an attempt at a secure answer like "The fish have tennis".
 
2012-08-24 06:09:14 PM
For extra security, I always use hunter2
 
2012-08-24 06:40:38 PM

Gleeman: In before 'correct horse battery staple'.

When I was at university we had to change passwords every 90 days, and you couldn't re-use any password, plus all passwords had to be a minimum of 8 characters including upper/lower case, at least one number and a special character.

Yeah, mine was written down every time.


Same here at work. Bonus is that we have passwords for:

OS #1
OS #2
The internal bloggy web site that marketing people put their perky shiate on.
A brand new internal bloggy web site because marketing people have a short attention span.
Bug Tracking Tool #1
Bug Tracking Tool #2
(repeat infinitely on bug tracking tools - engineers have short attention spans, too.)

Then, there is the little key fob with the RSA number.

Oh, yeah, they rolled out something to log into all the above with one password and scuttled it within 30 minutes because it was Epic Fail.
 
2012-08-24 06:45:21 PM
Jon iz teh kewl: Oldiron_79: Mine is the number/letter combos for a couple of my favorite songs on the jukebox at my favorite dive. It's easy for me to remember, and it's total monkey type for someone that doesn't know what songs or what jukebox

now that's CORRECT horse BQ

(beats up a horse and calls the doctor)


horse BQ? What's that?
 
2012-08-24 07:21:29 PM
Just goes to show how Farking little imagination most of the brain-dead masses have!
P.S. I ain't touchin' NO toilet!
 
2012-08-24 07:34:17 PM

R66YRobo: I've read that several of them were social engineering more so than what most people think of as "hacking", but take that for what it's worth. I'd be willing to bet that most "hacks" are either exploiting known vulnerabilities that an IT dept. hasn't taken care of or are socially engineered. All that said, I'm hardly a computer security expert, so I could be grossly off base on my view of the threat.


No more am I; but it's just hard for me to imagine serious criminal hackers huddling over their computers and trying to find either known or unknown vulnerable spots when the stuff they need is usually out on people's desks for all to behold. Or at the very least, hanging around free wifi spots with a laptop and just intercepting all the transmissions as they go out, which is what I would do if I knew how. And was criminally inclined; but that's why I don't use wifi.
 
2012-08-24 07:50:35 PM

Alonjar: I just can't stand that every website has completely different password rules. Oh, I need 3 letters and both upper and lower case with a symbol for this one..... fark


Came here to say this. Also: requiring special characters. Pfft. Then there are the accounts you use literally once a year, like to file taxes.
 
2012-08-24 08:37:39 PM
I hate how 'insignificant' websites (blogs, coupon sites, etc.) always require the strictest and strangest of password combinations....uppercase, lowercase, numbers, special characters (I really hate that one), etc. Like come on, I don't care if someone really steals my password to save 50 cents on Cheerios.
 
Displayed 75 of 75 comments
