Macworld Forums

What you don't know about passwords might hurt you

#29 cincyflygrrl

  • Member
  • Group: New Members
  • Posts: 26
  • Joined: 01-March 12

  Posted 27 November 2012 - 08:16 PM

After reading this article I thought, "Ya know, I probably ought to do something with my investment account seeing as I'm retired and pretty much on a fixed income." So off I went with the intent of coming up with a long and memorable, but random-appearing password. As the article suggests, 14 characters seemed reasonable so after a little brain scratching I came up with something that works for me. I logged into the investment company Web site then went in search of the password change utility -- took some time but I eventually found it.

The investment company only allows 12 characters, and symbols are prohibited. I complied with their restrictions; now my password appears to be slightly more random than it was 20 minutes ago.

The bottom line in this article for me is that random characters that are easily remembered are best and it will be a cold day in Hell before you'll find me trusting a third-party password manager.

#30 bastion

  • Power User
  • Group: Members
  • Posts: 9,095
  • Joined: 14-October 04

Posted 28 November 2012 - 03:18 AM

windlasher, on 27 November 2012 - 04:17 PM, said:

Quote

The broad message here is fine, but a couple of the specific assertions are bogus. "However, it’s very hard for a human to create a truly random password, but it’s easy for a computer to do." Both halves of that are false. Strictly speaking, today's computers are incapable of generating "truly random" values. Contrarily, all a human has to do is close their eyes, then poke and mash on the keyboard several times as the mood suits them. In light of that, the claim that, "[a]nd that’s for passwords randomly generated by a computer. Passwords you create by hand must almost always be longer to have the equivalent strength," is obviously false. The strength of a password is entirely about the collection of characters. It doesn't matter how that collection was generated. One addition: Every copy of Mac OS X installed includes a utility that can generate and securely store (but not auto-enter) passwords. Keychain Access is an eminently reasonable first step.


That is the dumbest thing I have ever heard. My cat can generate a password by walking on my keyboard, but let's see her do it twice and get the same result, as is usually required when creating an account.


Before deciding that this was the dumbest thing you have ever heard, did you stop and notice that if the active application when you're doing the blind poking and mashing is your password storage tool rather than your web browser you don't have to type it twice?

#31 mikegriffin

  • Newbie
  • Group: New Members
  • Posts: 6
  • Joined: 14-November 12

  Posted 28 November 2012 - 03:18 AM

LastPass generates my passwords, puts them in the form, auto-loads them when I go to the site, and I never know what they are unless I show them in my vault. Just be sure the master password won't be hacked, and you're good to go into cyberspace.

#32 mad48

  • Newbie
  • Group: Macworld Insiders
  • Posts: 6
  • Joined: 07-November 09

  Posted 28 November 2012 - 10:19 AM

Quote

What's really stupid is my bank as well as an investing site, of all places, only allows numbers and letters. A place where you want the most security using some crazy characters they don't let you. Yet I know dozens of mindless forums that allow more secure user passwords than accounts involving money and your social security number. No logic.


I agree totally. But I wonder whether it's just a lack of logic, or total laziness on the part of the institution and/or its Web developers.

#33 bastion

  • Power User
  • Group: Members
  • Posts: 9,095
  • Joined: 14-October 04

Posted 28 November 2012 - 10:54 AM

mad48, on 28 November 2012 - 10:19 AM, said:

Quote

What's really stupid is my bank as well as an investing site, of all places, only allows numbers and letters. A place where you want the most security using some crazy characters they don't let you. Yet I know dozens of mindless forums that allow more secure user passwords than accounts involving money and your social security number. No logic.


I agree totally. But I wonder whether it's just a lack of logic, or total laziness on the part of the institution and/or its Web developers.


Another option is unreasonable or ineffective requirements imposed by federal and state auditors.

Or just utter cluelessness. I have one bank account at a large institution that I opened just a few years ago to handle international transactions. A couple of weeks after I opened it they sent me e-mail with a link to get to their site where I could sign up for an additional service. When I got to the page I was prompted to log in using my SSN. Now as it happens the mail and the site were completely legitimate. But I was baffled that they felt it was a reasonable thing to ask given high profile phishing cases of recent years. Worse, when I contacted them to point out how bizarre this was their response was simply to assure me it was real and safe to go through. Completely missed the point I was trying to make.

#34 MacLuvin

  • Newbie
  • Group: Members
  • Posts: 11
  • Joined: 11-September 10

  Posted 28 November 2012 - 10:19 PM

I have a question that keeps nagging me when I read articles like this.
I have 1Password. 1Password, in theory, is great.
I create 1 password that allows me to access ALL my passwords, and get randomly generated passwords for various sites. Great.
My issue is: now that I type 1 password for everything, how hard is it for a keystroke logger or some other 'something'-I-know-nothing-about to get my ONE password and then have access to Everything? How hard would it be for some group like Anonymous to hack 1Password and then leak my entire password list?
I haven't been able to talk myself into using this program yet. I feel like my passwords are fairly safe. I don't use Any password twice.
Sites like this I don't stress so much about because I use a "made up" email acct that is strictly used for sites like this. It doesn't have my real name, and I have no credit card info attached to the log-in acct, so these end up jotted down on a piece of paper near the computer. If I posted my user name and password in this comment, no one would have any idea where I live or who I am, nor would they be able to use the password I used here to 'guess' what other passwords I may use. Even my security questions aren't 'real'.
I will use this acct for 6 months or a year and then delete the entire email acct and make another one and re-register to comment.

That is something I did want to suggest to others out there that maybe haven't thought about doing this.
Create a 'fake' email using gmail, yahoo etc. Don't use one piece of Real info when creating the acct, then use that email for anything unimportant like registering for blog sites and such. That way, if you start getting spam email, or you get anything that says "your password has been compromised, please reset asap" (lame example, but you get the idea) simply delete the email acct and start over.
Keep your email address that can be used to reset password on bank accts and important stuff completely separate and Private.
Then create a 3rd email address to use for friends, family and all around general purpose. That way, the email address my bank has on record, isn't used for other things. To me, this seems safer than using 1Password, but maybe I'm just overly paranoid hah!

#35 Guissey

  • Newbie
  • Group: New Members
  • Posts: 1
  • Joined: 29-November 12

  Posted 29 November 2012 - 12:36 PM

I like the XKCD method. http://xkcd.com/936/. Just for added security I add a code at the end that is different for each password.

Is that out of date now?

#36 dedanna1029

  • Newbie
  • Group: New Members
  • Posts: 1
  • Joined: 29-November 12

  Posted 29 November 2012 - 11:27 PM

Quote

After reading this article I thought, "Ya know, I probably ought to do something with my investment account seeing as I'm retired and pretty much on a fixed income." So off I went with the intent of coming up with a long and memorable, but random-appearing password. As the article suggests, 14 characters seemed reasonable so after a little brain scratching I came up with something that works for me. I logged into the investment company Web site then went in search of the password change utility -- took some time but I eventually found it. The investment company only allows 12 characters, and symbols are prohibited. I complied with their restrictions; now my password appears to be slightly more random than it was 20 minutes ago. The bottom line in this article for me is that random characters that are easily remembered are best and it will be a cold day in Hell before you'll find me trusting a third-party password manager.


Amen, cincyflygrrl, you GO! I don't trust any programs either - if a hacker can hack a computer (which they do all the time), then they can crack that.

It already has been a cold day in hell for me, and always will be, before I use one.

#37 AndyBurns

  • Newbie
  • Group: New Members
  • Posts: 2
  • Joined: 03-December 12

  Posted 03 December 2012 - 03:45 AM

Quote

Brute force?! My IT shop allows 5 login attempts before locking an account. If someone allows more than 10, shame on them.


Yes, brute force. In web development the assumption is that the attacker gains access to the database, and, therefore, can take their time over trying as many different passwords as they like. Many hacks are just that; the password database gets copied, and then the passwords brute forced later (and offline).

Of course, that assumes that the passwords in the database were encrypted (or, more technically accurate, hashed). To not do so is a cardinal sin of software development.

Sadly, many sites work that way. Do not trust a site that can email your password to you. If a site is storing your password correctly, they shouldn't be able to recover it for you. (Sites that allow you to reset your password, though, can be much more secure).
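
As an added illustration of the storage practice AndyBurns describes above (a salted, iterated hash, so the site never holds the password and every guess against a copied database costs real work), this is example code written for this page, not code from the thread or from any site mentioned in it; the PBKDF2 iteration count is an illustrative assumption.

```python
import hashlib
import hmac
import os

# Cost parameter: each guess against a leaked record costs this many HMAC rounds.
# Illustrative value (assumption); tune upward for production hardware.
ITERATIONS = 200_000


def make_record(password: str, iterations: int = ITERATIONS) -> str:
    """Return a storable record of the form 'pbkdf2_sha256$iterations$salt$hash'.

    Only a salted, iterated hash is stored. The site cannot e-mail the
    password back because it no longer has it; all it can do is reset it.
    """
    salt = os.urandom(16)  # fresh per-password salt defeats precomputed tables
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join(["pbkdf2_sha256", str(iterations), salt.hex(), digest.hex()])


def verify(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and cost, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    # Constructed sample: the record is what a properly built site would keep.
    rec = make_record("correct horse battery staple")
    print(rec)
    print("login ok:", verify("correct horse battery staple", rec))
    print("wrong pw:", verify("Correct horse battery staple", rec))
```

Because the salt is random, hashing the same password twice yields two different records, so an attacker who copies the database cannot crack all users with one shared table of guesses.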

#38 AndyBurns

  • Newbie
  • Group: New Members
  • Posts: 2
  • Joined: 03-December 12

  Posted 03 December 2012 - 03:53 AM

Quote

"Today, a single off-the-shelf PC can check several billion passwords per second" I call bullcrap.


Several billion is probably high - but not outrageously so. Troy Hunt has blogged about test brute forcing a password database, and he got around 250M passwords a second through a GPU:
http://www.troyhunt....no-clothes.html

Note that most brute forcing will be against a local copy of the target website's membership database, so there is no transmission or server component to this.
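
An added worked comparison, not from the thread, of the password policies the thread mentions (12 alphanumeric characters as on cincyflygrrl's investment site, the article's 14 characters, and Guissey's four-word XKCD passphrase) against the offline guess rates quoted in this post; the 3 billion/s figure standing in for "several billion" and the slow-hash cost factor are assumptions.

```python
import math

# Guess rates quoted in the thread: ~250 million/s on one GPU (Troy Hunt's
# figure as cited above) and "several billion"/s from the article (3e9 assumed).
RATE_GPU_2012 = 250_000_000
RATE_ARTICLE = 3_000_000_000
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Policies discussed in the thread (constructed comparison):
#   12 letters+digits, symbols prohibited; 14 printable-ASCII characters;
#   XKCD 936: four words from a 2048-word list (11 bits per word).
POLICIES = {
    "12 alphanumeric": (62, 12),
    "14 printable": (95, 14),
    "xkcd 4 words": (2048, 4),
}


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` uniformly chosen symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password or passphrase."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(alphabet_size: int, length: int, rate: float,
                     hash_cost: int = 1) -> float:
    """Worst-case years for an offline attacker to try every password.

    `hash_cost` models a slow password hash: each guess costs that many
    times the work of one fast hash, dividing the effective guess rate.
    """
    effective_rate = rate / hash_cost
    return search_space(alphabet_size, length) / effective_rate / SECONDS_PER_YEAR


def compare(rates=(RATE_GPU_2012, RATE_ARTICLE), hash_cost: int = 1) -> dict:
    """Map each policy to (entropy bits, years to exhaust at each rate)."""
    return {
        name: (round(entropy_bits(n, k), 1),
               tuple(years_to_exhaust(n, k, r, hash_cost) for r in rates))
        for name, (n, k) in POLICIES.items()
    }


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:16s} {bits:5.1f} bits  " + "  ".join(f"{y:10.3g} y" for y in years))
```

At 250 million guesses per second a truly random four-word XKCD passphrase (44 bits) against a fast unsalted hash is exhausted in under a day, which answers Guissey's question in #35; the same passphrase behind a hash costing 200,000 rounds per guess holds out for hundreds of years, and a random 12-character alphanumeric password (about 71 bits) for hundreds of thousands of years even at the article's rate.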
