Are Password Rules Making Us LESS Secure? - Comments Page 2

Category: Security

All Comments on: "Are Password Rules Making Us LESS Secure?"

Comment Page: 1 | 2 | 3

Posted by:

mike
21 Mar 2017

How about the sites that force you to pick FOUR different security questions from a list of ten, and I can only find TWO of them that I know the answer to.
THANKS Bob, finally someone is recognizing the most tortuous problem on the internet. It's just INSANE.
You hit the nail on the head. Password paranoia has long since passed the point of diminishing returns.

Posted by:

CtPaul
21 Mar 2017

Alzheimer's disease runs in my Mom's family. For whatever reason I have been getting more forgetful lately - like standing at the checkout lane at Target with a cartload of food, debit card in my hand, drawing a total blank as to the PIN.

The second time this happened I changed all my bank cards to the same PIN. I also went from having 10 passwords to 2.

If I were wealthy, or an elected official, I might be more concerned. But I'm a nobody in the big scheme of things. Understanding that, and accepting it, brings a degree of freedom...

Or, as Janis Joplin sang: Freedom's just another word for nothing left to lose.

Posted by:

sirpaul2
21 Mar 2017

"Many sites don’t even tell you the rules until you violate them". It is extremely annoying, but it's done so that hackers won't know the 'rules' beforehand.
I generally use LastPass, but for shorter character password rules (like banks), I use 'Password Card'.
I also change my passwords every 30-90 days, depending on the site.

Posted by:

Clairvaux
21 Mar 2017

I haven't yet found the answer to the following question: is "My horse is named Ed" more, or less, secure than "Xv6Tu!kL", assuming a brute force attack for the latter, but a dictionary attack for the former (of course)?

I would assume less secure. Of course, this would need to be proved mathematically, as well as experimentally, but I don't understand the appeal of passphrases such as this one, given the possibility of dictionary attacks.

Posted by:

John
21 Mar 2017

Even worse than your joke about what has to be included in your password are the ones that state that your password will be changed every 60-90 days and you cannot use any of your last 25 passwords. This means that you have to have a list of 30 or so passwords with you all of the time so that you know what the current one is and what you have to enter as your new password. ARG!!!

Posted by:

Kramont
21 Mar 2017

One of my favorite programs -- LASTPASS.
It generates PWs automatically and perfectly.
I've dumped banks that require a new PW every so many months.
LastPass does it fine but I hate changing my hard copy PW each time.

Posted by:

Lloyd Collins
21 Mar 2017

I open a text document, turn my head and randomly peck out a jumble of letters and numbers, and insert a special character if they want it. Then I write it down in my password book, so as not to forget it. Simple, random, and a pain to retype. I never let my browser save passwords on sites where it concerns my money, and I use different passwords on every site. Oh, the pain, the pain.

Posted by:

Paul
21 Mar 2017

@mike Another tip is not to use security question answers that other people might know or are able to find out. For example, if a security question is "name of your first pet" I put some made-up answer like "Yellow94" and store that in my password manager (I use KeePass).

Posted by:

Robert Connors
21 Mar 2017

CtPaul: Many debit card issuers allow you to use your debit card like a credit card. Doing so eliminates the need to enter a PIN at all. All you do is swipe your card, tell the terminal you want to use credit, then, when approved, just sign.

Also, when used as a credit card, there still are no interest charges added for the transaction (that I know of).

I do this all the time with my bank debit or check cards and it works just fine.

Posted by:

GeordieLad
22 Mar 2017

I endorse Joe's comment that "Your password cannot match any of the last (insert number) passwords you used" is the most annoying, but another thing which annoys me is that my bank won't ALLOW any special symbols, which would strengthen my passwords.

Posted by:

Denis
22 Mar 2017

@Robert: Many small businesses no longer accept credit cards because of the high fees. I got rid of that facility when the credit card numbers/month dropped to the level that, with the base monthly fee + % commission, it was costing over $10/transaction. I only accept Debit Card transactions now. I have not lost any sales due to this.

Posted by:

Mr. Fuji
22 Mar 2017

I'm cancelling all my yahoo email accounts so I don't have to create a new password every time I log in. First they get hacked and don't know it for 2 years...then they go into overkill mode to pretend they have a handle on it. Bye bye YAHOOOOOooooooo.........

Posted by:

john silberman
22 Mar 2017

More and more people are starting to keep a cheat sheet near their PC as well. That seems to make passwords less secure to me as well.

Posted by:

Karena
22 Mar 2017

Marie: I use KeePass - it automatically encrypts the database (I'm sure other password managers do this as well).
Each website still uses a unique password - you only have to remember the master password for your database. Truly, it would be just as secure to make a simple text list of websites and passwords and then encrypt that text file - or even keep a printout in a safe location in your own home. It is the convenience of the password manager that I love - I can copy and paste, click and drag, or even auto-fill web logins. As long as you have one really good secure password (phrase?) to secure your database, you don't really have to worry about it being hacked. Of course, people have different sources of risk - are you at work where someone could literally look over your shoulder? The odds of someone gaining physical access to my home computer are minuscule, and the odds of someone hacking my master password are also. But if you left your password manager open and someone came looking . . . (I know mine can be set to auto-lock after a certain period of inactivity).
One of the big considerations is that if a website gets hacked, a hacker could potentially get your password to THAT site alone, but would not gain anything else (such as your Dashlane master password, or any of your passwords to other sites). You can only control security from your end.

Posted by:

Stewart
22 Mar 2017

Banks usually have small print telling you not to write down your password; to do so would mean they would not accept liability if accounts were hacked. Presumably they would consider password manager programs as being 'written down'. And then, of course, they tell us to make a complicated password, and change it regularly. Easier said than done.

Posted by:

Ralph
22 Mar 2017

Your article states: "And of course, these rules make it impossible to use password manager tools like LastPass..." I don't understand your thinking. I've been using LastPass for years, and I can stipulate the password length, use of special characters, etc. It seems to me that a password manager would be ideal in this case. My bank's online site won't accept automatic password insertion, but that's fine. I have a secure note in LastPass that I use to copy and paste. It's worth the extra security to do this for a site I only access occasionally.

Posted by:

PhilG
22 Mar 2017

Bob, the statement "And of course, these rules make it impossible to use password manager tools like LastPass, Roboform or Dashlane that automatically generate and remember secure passwords." is simply false. I've been using LastPass for years and it generates great passwords based on all said rules. I notice Ralph has had similar results.

Posted by:

Peter Hibbard
22 Mar 2017

Using the usual rules in various combinations, I have remained reasonably secure by including at least one word from a different language. Not a crossover word, like Taco, or a commonly known word like Gracias, but something unusual like tomentosa (describing the fuzzy nature of some plants, in Latin). If you have a specific ethnic background, use a word from a different language to confuse hackers. So far, I don't believe that hackers have programs that will crack several languages at once in the same password.

Posted by:

Granville Alley
23 Mar 2017

Bob,

I continue to be troubled by your advice regarding the use of common words (even many of them strung together) as virtually all password cracking tools are salted with dictionaries, which make passwords made up of words very ineffective to prevent brute force hacking. Particularly since there is an equally easy and far more effective method for creating very secure, very hard to brute force, lengthy passwords that are equally easy to remember. Instead of using the actual words of a phrase, My_horse_is_named_Ed, use the first letter of each word in the phrase - MhinE - add a year, for example 1970, and then add another phrase, I_Dream_of_Jeanie (IDoJ) for example, or, to maintain a continuity with your phrase, and_no_one_can_talk_to_a_horse_of_course (anocttahoc), so you end up with a password like MhinE_1970_IDoJ or MhinE_1970_anocttahoc.

Now I personally would use two completely unrelated phrases or song lyrics (the more obscure the phrase and/or song the better) and a historical quote and a number unrelated to either for further obscurity and I end up with an easily remembered by me password and yet one that is virtually impossible to end up in any salted Password Breaking Software Dictionary or for anyone else to guess.

I believe password security best practices support this technique far more than the one you mentioned. I realize this may seem overkill, but Password Cracking Software when combined with salted phrases can reveal many passwords by brute force much quicker than most people imagine possible. 20 Characters is a lot but not when the software can search for recognizable or preloaded patterns or words. Using a common special character to separate words makes the task even easier.

Posted by:

Granville Alley
23 Mar 2017

Just to clarify, when I say makes the task easier, I mean makes cracking the password easier. And when I say using a common special character, I mean repeatedly using the same special character to separate words or phrases.
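Clairvaux asked above how "My horse is named Ed" under a dictionary attack compares with "Xv6Tu!kL" under brute force, and Granville Alley proposed acronym-style passwords such as MhinE_1970_IDoJ. The script below is an added worked example, not code from the thread or from any password manager mentioned in it; it estimates the search space each candidate presents under three attacker models (character-class brute force, per-word dictionary, and a list of known phrases or lyrics) and reports the weakest one. The word-list size, phrase-list size and offline guess rate are constructed assumptions chosen for illustration; real attacker resources vary.

```python
import math

# Attacker models (assumptions for this example, not figures from the thread):
#   1. brute force over the character classes visibly present in the password;
#   2. dictionary attack: each space-separated word is one pick from a word list;
#   3. phrase-list attack: the whole passphrase is one pick from a list of
#      well-known sentences, song lyrics and quotations.
COMMON_WORDS = 10_000           # assumed size of the attacker's word list
KNOWN_PHRASES = 1_000_000       # assumed size of a phrase/lyric/quote list
OFFLINE_GUESSES_PER_SEC = 1e10  # assumed rate against a leaked, fast hash

SYMBOLS = 33  # printable ASCII symbols (95 printable minus 62 alphanumerics)


def charset_size(password: str) -> int:
    """Alphabet a brute-force attacker would assume from the classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if " " in password:
        size += 1
    if any(not c.isalnum() and c != " " for c in password):
        size += SYMBOLS
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace for uniform symbols over the assumed alphabet."""
    return len(password) * math.log2(charset_size(password))


def dictionary_bits(phrase: str, words: int = COMMON_WORDS) -> float:
    """log2 of the keyspace when every word is an independent pick from a list."""
    return len(phrase.split()) * math.log2(words)


def phrase_list_bits(phrases: int = KNOWN_PHRASES) -> float:
    """log2 of the keyspace when the whole phrase is one pick from a phrase list."""
    return math.log2(phrases)


def years_to_exhaust(bits: float, rate: float = OFFLINE_GUESSES_PER_SEC) -> float:
    """Years needed to try every candidate at the assumed guess rate."""
    return 2 ** bits / rate / (365 * 24 * 3600)


def assess(secret: str) -> dict:
    """Estimate bits under each applicable model and identify the weakest model.

    A multi-word phrase gets the dictionary and phrase-list models in addition
    to brute force; a single token only gets brute force.  Note the estimate
    for acronym passwords is optimistic: the repeated separator and the
    phrase-derived structure that Granville Alley points out are not modelled.
    """
    models = {"brute force": brute_force_bits(secret)}
    if " " in secret:
        models["dictionary (per word)"] = dictionary_bits(secret)
        models["known phrase list"] = phrase_list_bits()
    weakest = min(models, key=models.get)
    return {
        "bits": {k: round(v, 1) for k, v in models.items()},
        "weakest_model": weakest,
        "years_to_exhaust_weakest": years_to_exhaust(models[weakest]),
    }


if __name__ == "__main__":
    # Candidates taken from the comments above; the third is Granville's example.
    for candidate in ("Xv6Tu!kL", "My horse is named Ed", "MhinE_1970_IDoJ"):
        print(repr(candidate), assess(candidate))
```

Under these assumptions the random 8-character string sits around 52.6 bits, the five-word phrase around 66.4 bits against a per-word dictionary, but only about 20 bits if the attacker's list already contains that sentence, which is the scenario Granville Alley warns about. The lesson for a defender is that the weakest applicable model, not the longest string, decides the strength, and that a generator-made secret stored in a password manager avoids the phrase-list problem altogether.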
