WEDFan wrote:
The one I've seen that can actually decrease security is the requirement to change passwords monthly or quarterly. The studies I've seen on that basically indicate that frequently changing (and not allowing repeats) means more people write them down and tuck them somewhere around their workstation. As long as you have no reason to suspect a breach, and you vary your passwords by site, you are better off keeping the password you remember.
Quite a few of these policies started because strict password requirements were not enforced, and people were choosing poor passwords. Keep in mind that most of these policies are set because of the lowest common denominator in a company, such as Tammy from accounting, who can crunch numbers like there is no tomorrow, but will also open up every attachment sent to her, and visit every website that comes across her email. She also loves hockey, and decided that to fool hackers, her password would be hockey1. There is a bit of truth to this story: a friend asked me to look at something and gave me his password, which was hockey1...
Complex password requirements also come out of everyone's desire to have faster computers. Back in the "day", it could take days to crack a simple md5 hashed password. Now, those are cracked in seconds. Thus the need for more characters, and more randomness. The cracking programs start with dictionary words, and they even know about characters to replace letters! Which is why I said that p@55W0rd, which is 8 characters and adheres to the requirements, is still not a good password.
Yes, you are always going to have people not recall their passwords. That could be true even if hockey1 was allowed. That's why there are great programs out there that people should use if they need to keep a list of passwords: LastPass, 1Password, iCloud Keychain. I keep a PGP encrypted file (a 2048 to 4096 length key should be chosen) on a secure device that has passwords I seldom use, or other important data that I need to secure. It's said that 1024 length keys have been cracked, but no one has demonstrated it; out of paranoia, 2048 should be the minimum you choose. You'd need to be well funded to crack PGP, and if a government is going to try and get your passwords, you either have a really cool job, or you have much bigger things to worry about :)
I actually use GPG, http://www.gnupg.org. There are good resources out there for Windows, Mac, and Linux (BSD, etc.) that won't cost you a dime, and will increase your security over a post-it :)
TiggerHappy wrote:
I'd be more open to creating a pass phrase (without symbol requirements) rather than a complex password. I don't like being unable to remember a password to the point I write them down somewhere (on the computer or on a Post-It). I understand you want to help us all keep our accounts secure, but when there are other websites (like banking and loan sites) that require the same kind of password, the average person simply isn't able to remember all those complex passwords without writing them down somewhere. I'm fine with having letters and numbers in my passwords, but when you require symbols on top of that, that's when I resort to writing down the passwords because I cannot remember those kinds of passwords for the life of me.
Nothing is stopping you from making a passphrase! The maximum number of characters in your password is 100. You'll just need to add a symbol in there, maybe like "Damn you ktulu for making us more secure and maybe changing how we approach passwords in the future!"
BTW, that is 100 characters (without the quotes), please don't use it, it's been put in public and compromised ;)
I prefer a passphrase, they are way more secure, but is everyone going to use one? Nope. Most people will do the bare minimum (back to hockey1). Security is a balance of making it harder, not impossible, but harder for a hacker, while still trying to make sure that Tammy in accounting can do her job without a bunch of hoops to jump through. Now there are times when you have to go for impossible, but hackers are like street criminals, they want quick and quiet. You make it really hard on them, and they will move on. Unless there is a huge payoff, then they will find a way to cover up their activities.
BRWombat wrote:
Now this is scary -- twice in one day we think alike. I've been using LastPass for ages and love it. I'm also curious what someone better versed in tech security (ktulu!) thinks of it.
Any service like this is going to have risk. They want to sell you this service. They are going to take great care in making sure that it works as advertised. However, nothing makes up the most secure storage facility available to you, your brain.
This xkcd sums up the state of passwords quite well. If I thought that I could get all ~1700 users of SGT to do this, I would. But, we want users from the computer newb to the kernel hacker. Thus, a balance must be struck.
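The thread's point that p@55W0rd satisfies the complexity rules yet falls to a dictionary-plus-substitution attack in seconds, while an xkcd-style passphrase fails the symbol rule yet is far harder to guess, is easy to make concrete in code. The following is an added example, not code from this thread or from any of the tools named in it: a small policy checker that undoes the common letter substitutions crackers already try, looks the result up in a wordlist, and compares the classic rule check with a rough guessing-entropy estimate. The wordlist, the WORDLIST_SIZE and MANGLING_BITS constants, and the 40-bit "strong" threshold are all constructed for illustration; the 11 bits per passphrase word is the figure the xkcd comic uses.

```python
"""Added example: why "meets the complexity rules" is not "hard to guess".
All wordlists and constants are constructed for illustration."""
import math
import re

# Constructed mini wordlist; a real checker would load a full cracking
# dictionary. WORDLIST_SIZE stands in for that full list in the estimate.
DICTIONARY = {"password", "hockey", "secret", "welcome", "letmein", "dragon"}
WORDLIST_SIZE = 100_000

# Letter substitutions cracking tools try automatically, so they add
# almost no strength to a dictionary word.
LEET = {"@": "a", "4": "a", "8": "b", "3": "e", "1": "i", "!": "i",
        "0": "o", "5": "s", "$": "s", "7": "t", "+": "t"}
MANGLING_BITS = 6                 # assumed cost of case/leet variants (~64 rules)
BITS_PER_PASSPHRASE_WORD = 11.0   # xkcd's figure: a word from ~2048 common words


def normalize(pw: str) -> str:
    """Lower-case and undo leet substitutions: 'p@55W0rd' -> 'password'."""
    return "".join(LEET.get(ch, ch) for ch in pw.lower())


def dictionary_base(pw: str):
    """Return the wordlist entry a password is built on, or None.
    Tries the string with trailing digits/symbols removed and the whole
    string, so both 'hockey1' and 'p@55W0rd' are caught."""
    stripped = re.sub(r"[^A-Za-z]+$", "", pw)
    for candidate in (normalize(stripped), normalize(pw)):
        if candidate in DICTIONARY:
            return candidate
    return None


def meets_complexity_rules(pw: str) -> bool:
    """The classic rule set: 8+ chars with upper, lower, digit and symbol."""
    return (len(pw) >= 8
            and re.search(r"[A-Z]", pw) is not None
            and re.search(r"[a-z]", pw) is not None
            and re.search(r"[0-9]", pw) is not None
            and re.search(r"[^A-Za-z0-9]", pw) is not None)


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force attack would have to cover."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33   # printable ASCII symbols
    return size


def estimate_bits(pw: str) -> float:
    """Rough guessing-entropy estimate in bits (illustrative, not a real scorer)."""
    if not pw:
        return 0.0
    words = pw.split()
    if len(words) >= 4 and all(w.isalpha() for w in words):
        # Random common-word passphrase: ~11 bits per word. A grammatical
        # sentence is more predictable than random words, so this is an upper bound.
        return BITS_PER_PASSPHRASE_WORD * len(words)
    if dictionary_base(pw) is not None:
        # Wordlist entry + mangling rules + a digit suffix: small, whatever the length.
        suffix_digits = len(pw) - len(re.sub(r"[0-9]+$", "", pw))
        return math.log2(WORDLIST_SIZE) + MANGLING_BITS + suffix_digits * math.log2(10)
    # Otherwise assume brute force over the alphabet actually used.
    return len(pw) * math.log2(charset_size(pw))


def evaluate(pw: str) -> dict:
    """Combine the rule check with the strength estimate into one verdict."""
    bits = estimate_bits(pw)
    return {
        "meets_rules": meets_complexity_rules(pw),
        "dictionary_base": dictionary_base(pw),
        "bits": round(bits, 1),
        "verdict": "strong" if bits >= 40 else "weak",   # constructed threshold
    }


if __name__ == "__main__":
    for pw in ("hockey1", "p@55W0rd", "correct horse battery staple"):
        print(f"{pw!r:32} {evaluate(pw)}")
```

Running it shows the inversion the thread describes: hockey1 and p@55W0rd both reduce to a wordlist entry and land around 23 to 26 estimated bits, with p@55W0rd passing every complexity rule, while the four-word passphrase fails the rules and still scores 44 bits. A production checker would use a full wordlist and a scorer such as zxcvbn, but the shape of the check, normalize first and only then look up and score, is the part that matters.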