Are Password Rules Making Us LESS Secure? - Comments Page 1

Category: Security



All Comments on: "Are Password Rules Making Us LESS Secure?"


Posted by:

Steve
21 Mar 2017

I am hesitant to use password managers. If hacked, ALL of my passwords then are available to the hacker. Am I being overly cautious?

Posted by:

Karena
21 Mar 2017

"Many sites don’t even tell you the rules until you violate them" - Yes - this! I hate this. My bank - yes, MY BANK - used to have a LIMIT of 8 characters! (They have finally changed this.) I now have one account that was ticking me off just this morning - it won't allow copy/paste or click/drag from my password manager into the password field. I use HotBits (http://www.fourmilab.ch/hotbits/) to generate my actual random-number passwords - I go up to 32 characters or the maximum allowed by the website. No website should ever make you type that in manually.

Posted by:

David
21 Mar 2017

I use LastPass and it will generate any password requirement. It allows you to decide how long a string and what type of characters to use. I don't understand your statement that these requirements rule out using this password manager.

Posted by:

Karena
21 Mar 2017

Steve - This is true - I keep my password manager encrypted. I think the risk of losing control of my password manager (I use and love KeePass, by the way) is less than the risk of using less-secure passwords, and the convenience makes those really secure passwords no more difficult to use than easily-hackable ones.

Posted by:

MikieB
21 Mar 2017

Someone needs to come up with a reverse program that sends message back through the same route the hacker used that will blow up his computer. Not feasible? That's what they said about going to the moon once upon a time.

Posted by:

Karena
21 Mar 2017

From the article you cited: "Knowledge-based authentication (KBA) is out." Agreed. Whenever a website forces me to answer validation questions, I always use another password from my password generator as an answer - and I store these answers in my password manager, of course! (I hate it when sites make you answer multiple questions and won't allow you to use the same answer for each . . . )

Posted by:

Nigel
21 Mar 2017

I use a password generator and a password vault (Password Plus) with a password as secure as I can remember. The advantages of using a password vault installed in my computer are "copy and paste" to enter and it syncs across my PC, my tablet and my phone. So I only have 4 passwords to remember, instead of the 100 or so in the password vault.

Posted by:

JIMeans
21 Mar 2017

Glory be! I can't believe it! A sane suggestion to the age-old password problem. I am so tired of following their silly rules. I spent the greater part of an hour yesterday having to re-sign up for my bank's bill pay program. You didn't know if your chosen password and if any of the other numbers required were correct until you completely filled in the thing. I never got it right. I'd love to see password phrases come into being as you suggested.

Posted by:

bb
21 Mar 2017

4 random words are a good password. But if you pick the words they are not random! Humans are terrible at randomness, whereas computers are good at that.

The unfortunate truth is *any* password you can remember is bad, so don't even try. Write them down (and keep the records secure) or use a password manager.

To be scared, read https://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords. Especially look at the cracked passwords; before reading that article, I would have said many of those passwords were good. They weren't. Also look at the comments to that article; the give and take is instructive.

Attacks on security never get weaker, they only get stronger.

Posted by:

Don
21 Mar 2017

I use RoboForm and, like David, I can generate complex passwords according to any scheme required by a site. RoboForm keeps my password list (close to 1000) encrypted and available for any of my devices. My passwords are unique and I only need to remember one to unlock the whole set. Love it!

Posted by:

Hud
21 Mar 2017

We had to change our work passwords every six months. Almost everyone would write their password on a sticky note and attach it to the PC. What did they expect?

Posted by:

Joe
21 Mar 2017

"Your password cannot match any of the last (insert number) passwords you used" is the most annoying.

Posted by:

Oliver
21 Mar 2017

I use the password uncrackable1? on all my devices and I have not been hacked yet. Thanks, Bob, for all the tech info.

Posted by:

JP
21 Mar 2017

I used to use an alumni email address, but when the admin decided all users had to create a new password every 90 days -- following the rules mentioned in your article (except the runic symbol) -- I decided it wasn't worth it.

Posted by:

Marj
21 Mar 2017

For a few passwords I need every day, I make up a sentence using first initials of friends (dead and alive!) and scatter a few numbers and symbols in amongst the initials. It's a nice way to think about friends for a few seconds each day. The sentences are easy for me to remember but the passwords are baffling to the bad guys. I also change passwords every few weeks. No big deal.

Posted by:

Charles James
21 Mar 2017

Bob, thanks for this article. It articulates my thinking and experience on the problems with passwords. I teach seniors how to use computers and the Internet. The most common problems I hear over and over: "I forgot my password." This even though they often have written it down...and then can't remember where! I strongly recommend that they have at least one other email address to be able to reset the password on the one they forgot. It's frustrating and I wish more tech support gurus like yourself would keep pressure on the industry to find a reasonable alternative.

Posted by:

Marie
21 Mar 2017

I've been using Dashlane for my password manager for years and love it. But lately I worry about the same thing as Steve: If I need to enter my master password for Dashlane to fill in any of the individual ones, isn't that the same as using the same password for ALL of the places where I need one? Don, Nigel, Karena, please explain to me how it's different. Karena, you said you encrypt your master password - what are you using for that?

Posted by:

Mark
21 Mar 2017

Regarding Steve's comment: LastPass is a password manager that allows for two-factor authentication for the master password. My understanding is that LastPass encrypts passwords on the computer and stores them in the cloud and on the computer. Without the master password, no data is accessible to anyone. I believe RoboForm also has the capability for two-factor authentication for the master password.

Posted by:

Mark
21 Mar 2017

Marie, the master password opens your password vault only. The pass cards in the vault are used for the appropriate websites.

Posted by:

Michael
21 Mar 2017

Darn: Now I have to change all my Monkey1! passwords again!
