Are Password Rules Making Us LESS Secure? - Comments Page 1
Posted by:
|
I am hesitant to use password managers. If hacked, ALL of my passwords then are available to the hacker. Am I being overly cautious? |
Posted by:
|
"Many sites don’t even tell you the rules until you violate them" - Yes - this! I hate this. My bank - yes, MY BANK - used to have a LIMIT of 8 characters! (They have finally changed this.) I now have one account that was ticking me off just this morning - it won't allow copy/paste or click/drag from my password manager into the password field. I use HotBits (http://www.fourmilab.ch/hotbits/) to generate my actual random-number passwords - I go up to 32 characters or the maximum allowed by the website. No website should ever make you type that in manually. |
Posted by:
|
I use LastPass and it will generate any password requirement. It allows you to decide how long a string and what type of characters to use. I don't understand your statement that these requirements rule out using this password manager. |
Posted by:
|
Steve - This is true - I keep my password manager encrypted. I think the risk of losing control of my password manager (I use and love KeePass, by the way) is less than the risk of using less-secure passwords, and the convenience makes those really secure passwords no more difficult to use than easily-hackable ones. |
Posted by:
|
Someone needs to come up with a reverse program that sends a message back through the same route the hacker used that will blow up his computer. Not feasible? That's what they said about going to the moon once upon a time. |
Posted by:
|
From the article you cited: "Knowledge-based authentication (KBA) is out." Agreed. Whenever a website forces me to answer validation questions, I always use another password from my password generator as an answer - and I store these answers in my password manager, of course! (I hate it when sites make you answer multiple questions and won't allow you to use the same answer for each . . . ) |
Posted by:
|
I use a password generator and a password vault (Password Plus) with a password as secure as I can remember. The advantages of using a password vault installed in my computer are "copy and paste" to enter and it syncs across my PC, my tablet and my phone. So I only have 4 passwords to remember, instead of the 100 or so in the password vault. |
Posted by:
|
Glory be! I can't believe it! A sane suggestion to the age-old password problem. I am so tired of following their silly rules. I spent the greater part of an hour yesterday having to re-sign up for my bank's bill pay program. You didn't know if your chosen password and if any of the other numbers required were correct until you completely filled in the thing. I never got it right. I'd love to see password phrases come into being as you suggested. |
Posted by:
|
4 random words are a good password. But if you pick the words they are not random! Humans are terrible at randomness, whereas computers are good at that. The unfortunate truth is *any* password you can remember is bad, so don't even try. Write them down (and keep the records secure) or use a password manager. To be scared, read https://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords. Especially look at the cracked passwords; before reading that article, I would have said many of those passwords were good. They weren't. Also look at the comments to that article; the give and take is instructive. Attacks on security never get weaker; they only get stronger. |
Posted by:
|
I use RoboForm and, like David, I can generate complex passwords according to any scheme required by a site. RoboForm keeps my password list (close to 1000) encrypted and available for any of my devices. My passwords are unique and I only need to remember one to unlock the whole set. Love it! |
Posted by:
|
We had to change our work passwords every six months. Almost everyone would write their password on a sticky note and attach it to the PC. What did they expect? |
Posted by:
|
"Your password cannot match any of the last (insert number) passwords you used" is the most annoying. |
Posted by:
|
I use the password uncrackable1? on all my devices and I have not been hacked yet. Thanks, Bob, for all the tech info. |
Posted by:
|
I used to use an alumni email address, but when the admin decided all users had to create a new password every 90 days -- following the rules mentioned in your article (except the runic symbol) -- I decided it wasn't worth it. |
Posted by:
|
For a few passwords I need every day, I make up a sentence using first initials of friends (dead and alive!) and scatter a few numbers and symbols in amongst the initials. It's a nice way to think about friends for a few seconds each day. The sentences are easy for me to remember but the passwords are baffling to the bad guys. I also change passwords every few weeks. No big deal. |
Posted by:
|
Bob, thanks for this article. It articulates my thinking and experience on the problems with passwords. I teach seniors how to use computers and the Internet. The most common problem I hear over and over: "I forgot my password." This even though they often have written it down... and then can't remember where! I strongly recommend that they have at least one other email address to be able to reset the password on the one they forgot. It's frustrating and I wish more tech support gurus like yourself would keep pressure on the industry to find a reasonable alternative. |
Posted by:
|
I've been using Dashlane for my password manager for years and love it. But lately I worry about the same thing as Steve: If I need to enter my master password for Dashlane to fill in any of the individual ones, isn't that the same as using the same password for ALL of the places where I need one? Don, Nigel, Karena, please explain to me how it's different. Karena, you said you encrypt your master password - what are you using for that? |
Posted by:
|
Regarding Steve's comment: LastPass is a password manager that allows for two-factor authentication for the master password. My understanding is that LastPass encrypts passwords on the computer and stores them in the cloud and on the computer. Without the master password, no data is accessible to anyone. I believe RoboForm also has the capability for two-factor authentication for the master password. |
Posted by:
|
Marie, the master password opens your password vault only. The pass cards in the vault are used for the appropriate websites. |
Posted by:
|
Darn: Now I have to change all my Monkey1! passwords again! |