Have we had a PASSWORD thread lately? #*%& I hate them.

HBARleatherneck
03-24-2017, 10:03
My rant, weak as it may be.

I hate passwords. Sure I want my accounts protected, but I would rather just kill every thieving, cyber, identity criminal (insert other dirtbags here) and end the need. (if that was possible)
I have like 809 zillion passwords. I can't remember half of them, so I have to constantly write them down, which is probably not good. It used to be you could use your favorite cat's name or your favorite car, but now it has to be 40 digits, 3 capital letters, no words, 4 symbols, etc, etc, etc.

My stupid DS Login for the military is the worst. You have to come up with a new password, every other day or so. (at least it seems that way). The password has to be changed frequently.

Passwords for shopping sites, passwords for internet forums, passwords for banks, for travel, for paying bills, for the doctor, for prescriptions, and on and on. It gets old.

hurley842002
03-24-2017, 10:05
I never hated passwords so much, until I started working for the Fed Gov.

CS1983
03-24-2017, 10:07
Have you thought about using a master database program for such things? That way you only really have to remember one master password and then you just save username, pw, url, and sec question/answer in one repository. Something like KeePass... or any of the other ones out there. Could also just save an excel sheet which you pw protect.

Another method is to simply save them on your phone in contacts like:

Jimmy Smith (Army Buddy)

password@gmail.com

As long as you are only saving the password and not necessarily anything about that pw except an occult reference you understand, it isn't awful.

Zundfolge
03-24-2017, 10:08
I used to hate passwords too ... now I use LastPass (https://www.lastpass.com/) and have moved on to other things to bitch about. :)

I have one complicated password on a piece of paper in my wallet (because I'm not going to memorize a 12 random character PW) and that's it. Then I generate 12-24 random character passwords for every site I use (using a different one for each site) and I don't have to remember anything and every one of them is pretty strong.

Zundfolge
03-24-2017, 10:13
I'm not geeky enough to know about all the workarounds you guys know about. I will look into them.

If you can use this site you can use LastPass. It's designed for non-geeks.

CS1983
03-24-2017, 10:18
If the program were to send info out, that would be one thing.

However, it doesn't. And, it's encrypted by your own Master password.

Now, if someone cracks your 256-bit pw while on your system and figures out it's SNWOL@N2n39AS!@#nbdlsn92ncVBGF$%@, you have larger problems.

suggestion: phrase usage. better suggestion: unlikely phrase usage

example: USMC5ucksI<3Commun15m

No one in their right mind would figure that out by social engineering, and I can pretty much guarantee it's not on a rainbow table. :)

Irving
03-24-2017, 10:18
I have friends that don't know how to change the password for their wifi, so they just write the random characters down on a piece of paper and hand it to you when you come over. I think it's pretty funny.

I get annoyed at changing passwords for different systems at different times. The password to get into my tablet, and the password to get into the system on the tablet are always different because they require changes at different times.

Zundfolge
03-24-2017, 10:26
but how do you trust it???

I trust it better than using pet names or other words as passwords. I don't trust anything on the internet completely (for example I don't use ATMs nor online banking).

Where you run into problems with passwords is using the same password on multiple sites. People generally don't "crack" people's individual passwords, they hack a site where people have login accounts and get the list of usernames with their passwords and then use that list to try to log into multiple other sites and when they get a hit they start taking over your accounts. Keeping different passwords for every site you log into is the cornerstone of online security (making the passwords hard to guess just adds another layer of security).
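
The reuse problem described above, as an added example that is not part of the original post: a constructed breach list from "site A" replayed against a constructed credential store for "site B". Site B hashes its passwords properly (PBKDF2, salted), and the replay still unlocks exactly the accounts whose owner reused the leaked password; the account with a manager-generated random password is untouched. All users, passwords and the two sites are made up for the example.

```python
import hashlib
import os
import secrets
import string

# A site's credential store: username -> (salt, PBKDF2 hash).  Hashing is what a
# site should do, but it cannot protect an account whose password was reused on
# another site that leaked it in the clear.
def make_store(credentials):
    store = {}
    for user, password in credentials.items():
        salt = os.urandom(16)
        store[user] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))
    return store

def verify(store, user, password):
    if user not in store:
        return False
    salt, stored = store[user]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return secrets.compare_digest(candidate, stored)

def exposed_by_leak(leaked, store):
    """Accounts on this site that a leaked (user, password) list unlocks.

    This is the reuse check a site or a user can run against a known breach
    list; a leaked pair only works where the same password was reused.
    """
    return sorted(user for user, pw in leaked.items() if verify(store, user, pw))

def generate_site_password(length=16):
    """Random per-site password, the way a password manager generates one."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*"
    return "".join(secrets.choice(alphabet) for _ in range(length))

# Constructed sample data: a breach dump from "site A" and the store of "site B".
LEAKED_FROM_SITE_A = {
    "alice": "fluffy2009",      # pet-name password, reused on site B
    "bob": "fluffy2009",        # bob used the same word on A, but not on B
    "carol": "Tr0ub4dor&3",     # carol also reused hers
}
SITE_B_STORE = make_store({
    "alice": "fluffy2009",                 # reused -> exposed
    "bob": generate_site_password(),       # unique random -> safe
    "carol": "Tr0ub4dor&3",                # reused -> exposed
    "dave": "correcthorsebatterystaple",   # not in the leak at all
})

if __name__ == "__main__":
    print("exposed on site B:", exposed_by_leak(LEAKED_FROM_SITE_A, SITE_B_STORE))
```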

Zundfolge
03-24-2017, 10:29
suggestion: phrase usage. better suggestion: unlikely phrase usage

example: USMC5ucksI<3Commun15m

Time for the requisite posting of this cartoon:
https://imgs.xkcd.com/comics/password_strength.png


I get annoyed at changing passwords for different systems at different times.
Sites that force you to change your passwords regularly actually undermine their own security because they encourage people to use simple, easier-to-guess passwords (like pet names or "password123"). I'm looking at you, DOD.

brutal
03-24-2017, 10:33
https://www.ar-15.co/attachment.php?attachmentid=69754&d=1490373165

CS1983
03-24-2017, 10:38
^^ I had that happen the other day on DFAS. [AR15]

CS1983
03-24-2017, 10:45
Zund: youwillneverguessmypasswordcusitssolongandunlikely batteryhorsestapler

One favorite of mine is to use obscure scripture passages in Latin. Or is it?

brutal
03-24-2017, 10:45
The biggest problem with complex passwords is that not every site/service deploys the same allowed special characters or rules.

I have an uncommon phrase that includes mixed case + numeric + special + unique site characters I tend to use, but it's not always accepted in a reasonable form.

Example - one service that required THREE special characters, but allows them all to be the same. WTF? Yea, I'm talking about you UniFi.

While the next site won't accept more than one, etc.

My preference is to allow simpler base passwords with two factor auth required.

CS1983
03-24-2017, 10:47
Wouldn't life be easier if we all had a chip in our right hand or forehead?

Rumline
03-24-2017, 10:47
CAC/smart card + never-changing PIN FTW.

Irving
03-24-2017, 10:51
Work Safe


https://www.youtube.com/watch?v=_YI_VKOohDk

Irving
03-24-2017, 11:04
I screwed up logging into both of my bank accounts more than once, each just now. I log into each of them several times a week. I'm sure that this thread is to blame.

hurley842002
03-24-2017, 11:07
With all the passwords I have to remember for work, I've really come to appreciate the fingerprint feature on my phone for personal stuff.

ClangClang
03-24-2017, 12:31
Lastpass is an excellent password manager. The beauty of it is that the owners of Lastpass don't have your passwords, they are encrypted at all times and only decrypted by your local machine that you are using. They use the same 256-bit AES encryption mandated by DOD, so as long as DOD remains unhacked, your passwords are safe.

I've been using it myself for years and recommend it to everyone. Take the time to go through their video tutorials to really learn how to use it. It's worth the 20 minute investment of your time. And best of all, it's totally free. There is a premium version you can buy if you want mobile support, but it's only $1/month.

brutal
03-24-2017, 12:57
I use Xmarks (Premium), that is now owned by LastPass, to sync bookmarks across multiple browsers and devices.

It's been (mostly) reliable although I did fight an issue for a few weeks recently where it was, of all things, moving my shortcut to COAR15 in my (Chrome) bookmarks bar to a different position. No amount of fiddling, resyncing, restoring (online), uploading/downloading to every sync'd device would fix it. It would randomly stay where I put it for minutes/hours, then mysteriously move again. I finally moved it to the first item and found that to be stable, then moved it to close to where I wanted it, but still not the same spot and it's been fine since. Super strange behaviour. I will say that the shortcut does have some "special" characters in it that may have confused the app.

COAR15 كفّار ΜΟΛΩΝ ΛΑΒΕ

Sawin
03-24-2017, 13:34
I know a bunch of folks who use Dashlane. It integrates into your browser of choice and can help auto-populate passwords to a certain degree. All you need is the master-password and you can get into the encrypted container to review all of your other ones...

Irving
03-24-2017, 14:22
Password Rant:

Capital letters: Check
Lower case: Check
Symbols: Check
Implied Swearing: Check

Rant strength: strong

brutal
03-24-2017, 15:25
I know a bunch of folks who use Dashlane. It integrates into your browser of choice and can help auto-populate passwords to a certain degree. All you need is the master-password and you can get into the encrypted container to review all of your other ones...

You can view passwords for nearly any site you have allowed it to save from the browser if you have the local user account password.

My wife forgets hers all the time, and then forgets where I showed her to look (in Chrome) for them.

I still think she doesn't understand that since I have her windows password, I can get to all the others (if I wanted to.)

brutal
03-24-2017, 15:44
Thanks for explaining that to me.

I'm behind on the tech stuff. I use the computer only to buy, buy, buy, research and forum surfing. I'm getting caught up (not really). Brutal gave me the information on the Samsung galaxy sky and now I have a smart phone. It's nice, but I doubt I'm going to use most of its features. I have downloaded the cadpage which is nice, an EMT study guide, a predator calling app, turkey calling app, a knot tutorial because my kids like to learn that stuff, TRASOL, Strelok PRO, scanner radio and USAA (it's nice to deposit checks mobile when you have USAA).
So far I have only used the features here at home with the wifi to save money (and I rarely go anywhere).
The cadpage is cool, when I get toned out, it sounds like a fire truck, then it maps the location for me.

I have never had a job where we used a computer. Well, that's not entirely true. In the Corps I worked in the Armory for a while and had to make lists of guys whose weapons were dirty.

Now install a malware detector and run it - Lookout Security and/or Malwarebytes. A fair amount of those freeware apps have malware in them. There's also been some known popular FACTORY NEW phones that have been found to have malware in them - slipped in along the supply chain and not installed by the OEM or carrier.

Gman
03-24-2017, 19:04
The problem with LastPass is when the credentials change, but the program repeatedly tries with the old password and locks you out. We had an executive at work that did this...over and over and over again.

There's also Password Safe: https://pwsafe.org

th3w01f
03-24-2017, 19:20
I use roboform with a long master password and I dropbox the data so it's available on all my PCs.... I'm sure it's not the most secure but so many sites, including .gov have given up my info, I feel like it's good enough.

Great-Kazoo
03-24-2017, 21:50
Zund: youwillneverguessmypasswordcusitssolongandunlikely batteryhorsestapler

One favorite of mine is to use obscure scripture passages in Latin. Or is it?

non est

nisi vestri passwords es animalibus

Mtneer
03-25-2017, 08:41
69787

Gman
03-25-2017, 09:38
69787
[LOL]

HoneyBadger
03-25-2017, 12:07
I have found it helpful to create patterns on the keyboard that can be moved around the keyboard. Basic example: 6tfc^TFC9ijn(IJN This can be moved around the keyboard or expanded/amended for just about any level of security. This type of password also meets all the annoying requirements for 16 characters, uppercase, lowercase, symbols, and numbers.

Every few months, I switch up the pattern so all of my passwords change. It's a little tedious, but by remembering the pattern, I can write down password reminders that don't compromise my account. Using the above password example for a fictional account, I might write down this password reminder:

Yahoo email account: 6^9(

This tells me where to start the pattern, but not what the pattern is. Now, somebody may be able to guess that you just go down the keyboard with that simple example, so maybe your pattern could be something like this: 6ctf^CTF9nij(NIJ. Now the pattern has changed and it is mathematically just as hard to crack. The only limitation is your imagination.
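
The keyboard-pattern scheme above, run through the kind of keyboard-walk check that password-strength estimators and policy filters apply (added example, not from the thread). It assumes a simplified QWERTY grid with the real half-key stagger ignored, treats Shift as the same physical key, and reports the runs of neighbouring keys plus how many distinct physical keys a password actually uses.

```python
# Simplified QWERTY grid: rows stacked as a plain grid (the real stagger of about
# half a key is ignored), so "adjacent" means the same row one key over, or the
# row above/below within one column.  This layout is an assumption of the example.
ROWS = ["1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFTED = dict(zip('!@#$%^&*()_+{}|:"<>?', "1234567890-=[]\\;',./"))

def key_pos(ch):
    """(row, column) of the physical key that produces ch, or None if unknown."""
    base = SHIFTED.get(ch, ch.lower())
    for r, row in enumerate(ROWS):
        c = row.find(base)
        if c != -1:
            return (r, c)
    return None

def adjacent(a, b):
    """True when a and b sit on different, neighbouring keys."""
    pa, pb = key_pos(a), key_pos(b)
    if pa is None or pb is None or pa == pb:
        return False
    return abs(pa[0] - pb[0]) <= 1 and abs(pa[1] - pb[1]) <= 1

def keyboard_walks(password, min_len=3):
    """Runs of min_len or more characters typed on neighbouring keys, in order."""
    walks, run = [], password[:1]
    for prev, cur in zip(password, password[1:]):
        if adjacent(prev, cur):
            run += cur
        else:
            if len(run) >= min_len:
                walks.append(run)
            run = cur
    if len(run) >= min_len:
        walks.append(run)
    return walks

def distinct_keys(password):
    """Number of physical keys used once Shift is ignored."""
    return len({key_pos(ch) for ch in password} - {None})

if __name__ == "__main__":
    for pw in ("6tfc^TFC9ijn(IJN", "6ctf^CTF9nij(NIJ", "correcthorsebatterystaple"):
        print(pw, keyboard_walks(pw), distinct_keys(pw))
```

The first sample is reported as four straight walks down the keyboard, the reordered one as none of length three but four of length two, and both draw on only eight physical keys.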

Skip
03-25-2017, 18:22
Funny story...

Did some work for a company using their development environment. We had a BA enter accounts to run test cases. He set up about a dozen but one was odd because the rest were like TestAccount1, TestAccount2, etc... Turned out to be the name of an actual ex Jenny _______ with the password = hotsex69.

He didn't know that column encryption wasn't enabled on the password field in the user table because it was a dev environment.

For the remainder of my time there, I called him Hotsex. He had a good sense of humor :)

Another story...

Did some work for a different company with an online presence where I was a customer many years ago. They replicated their production DB into a dev/test environment and failed to anonymize the PII and remove the passwords. There was my name, SSN, address, and password from many years prior.

Last one...

Had a coworker need help with login, called the helpdesk and had them on speakerphone. Rep asked for his password. This was an ancient AS/400 system that limited us to four characters. His password? POOP. Rep says "what?" He responds "PEE OOH OOH PEE." We died.

Moral of the story: Just because the UI doesn't show your password doesn't mean other people can't see it.

Side note: It is incredibly easy to anonymize info and obliterate passwords in data. Whenever I move data, I make it a point to do this. Even financial data for companies is scrubbed. But don't you dare tell a DBA why that's important because they know best even when they don't.
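
The scrub-before-moving-data step from the side note above, as an added example that is not the poster's own script: a constructed in-memory copy of a users table with plaintext passwords (the dev-environment state the stories describe) is anonymized and its passwords replaced with a value no login check can match, then re-checked for any surviving original value. The table layout, the sample rows and the leading "!" marker for an unusable credential are assumptions of the example.

```python
import secrets
import sqlite3

# Constructed stand-in for a production users table copied into dev/test.
PRODUCTION_ROWS = [
    (1, "Jane Sample", "123-45-6789", "jane@example.com", "hotsex69"),
    (2, "John Sample", "987-65-4321", "john@example.com", "Password01"),
]

def load_copy():
    """Build the 'replicated' database: plaintext passwords, no column encryption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, "
                 "ssn TEXT, email TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", PRODUCTION_ROWS)
    conn.commit()
    return conn

def scrub_for_dev(conn):
    """Replace PII with synthetic values keyed on the row id and obliterate
    passwords with a random token that no login routine will ever match."""
    rows = conn.execute("SELECT id FROM users").fetchall()
    for (uid,) in rows:
        conn.execute(
            "UPDATE users SET name = ?, ssn = ?, email = ?, password = ? WHERE id = ?",
            (f"user{uid}", "000-00-0000", f"user{uid}@example.invalid",
             "!" + secrets.token_hex(16),   # leading '!' marks an unusable credential
             uid),
        )
    conn.commit()
    return len(rows)

def leaked_values(conn, originals):
    """Original PII or password strings that still appear anywhere in the table."""
    found = set()
    for row in conn.execute("SELECT name, ssn, email, password FROM users"):
        found.update(v for v in row if v in originals)
    return found

def demo():
    """Scrub the copy and report (values present before, rows scrubbed, values after)."""
    conn = load_copy()
    originals = {v for r in PRODUCTION_ROWS for v in r[1:]}
    before = leaked_values(conn, originals)
    scrubbed = scrub_for_dev(conn)
    after = leaked_values(conn, originals)
    return before, scrubbed, after

if __name__ == "__main__":
    print(demo())
```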

brutal
03-25-2017, 21:55
Had a coworker need help with login, called the helpdesk and had them on speakerphone. Rep asked for his password. This was an ancient AS/400 system that limited us to four characters. His password? POOP. Rep says "what?" He responds "PEE OOH OOH PEE." We died.


Probably a lot of "ancient" AS/400 still out there running, but after 26 years, the OS is still alive and kicking. http://www-03.ibm.com/systems/power/software/i/index.html

Four character pwd would have been set as a system value. Prior to complex password support, up to 8 characters. Used to be an option for no password required at all, but it's been gone from the OS for very many years now. This was prior to Token Ring, Ethernet and TCP/IP, when we had hard wired terminals.

Gman
03-26-2017, 08:14
Seems like we're moving back to shared computing. They just call it "the cloud" and your terminal is a browser.

I remember when you wanted a color monitor, you had 2 choices - green or amber.

gnihcraes
03-26-2017, 11:08
I'm still fluent in iSeries (as/400) for a government agency today. Very much alive and well.

ray1970
03-26-2017, 11:25
I had the same password for my work computer for years. It was one of those that you had to change every sixty days or so and I would keep it the same and just change the last couple of digits. Worked well for about twelve years. Then those IT screwballs changed the rules and my password could no longer contain the word "password" and I was screwed. Lol.

My password used to be "Password01" and I would just change it to 02, 03, etc. every time I had to change it.

Apparently after twelve years that no longer met my company's strict security requirements.

I hope they don't find out that I have all of my logins and passwords written down in a book in my desk drawer. That will really make their heads spin.

I don't know how else they could expect anyone to remember unique logins and passwords for the computer, the time sheet program, my vehicle expense account, my purchase card, the corporate training site, my account access for controls operations, my benefits website, my retirement website, the HR service portal, and about six other things that require me to login with a password.

And that's just for work. I probably have about fifty other things to keep track of for my personal life. Some of those are written down as well. Some aren't.

I say fingerprint scans or retinal scans for everything; screw the passwords.

RblDiver
03-26-2017, 12:38
(because I'm not going to memorize a 12 random character PW)

You know, a random-character password isn't more secure than a password of words you can remember.
http://www.explainxkcd.com/wiki/index.php/936:_Password_Strength

(I will point out that I do very poor practice and basically use the same password all around, or at least as much as they let me. I hate sites that have an upper limit on passwords that I have to remember where it stops!)

brutal
03-26-2017, 12:41
I'm still fluent in iSeries (as/400) for a government agency today. Very much alive and well.

Gov or Quasi Gov?

I'm an infrastructure/engineering guy, no coding.

Hiring?

Zundfolge
03-26-2017, 12:46
You know, a random-character password isn't more secure than a password of words you can remember.
http://www.explainxkcd.com/wiki/index.php/936:_Password_Strength

(I will point out that I do very poor practice and basically use the same password all around, or at least as much as they let me. I hate sites that have an upper limit on passwords that I have to remember where it stops!)

As much as I enjoy the XKCD cartoon (after all I posted it earlier in this thread) it doesn't take into account how actual hackers hack passwords. If they're going to "brute force" hack the password (that is just start throwing guesses en masse at the login) they tend to start out with a "commonly used passwords" list, then move to a dictionary, THEN run random characters.
But more commonly they'll look through your social media and compile a list of words that seem meaningful to you because most people use meaningful words as a password (for example my boss uses his wife's middle name plus their anniversary date for all his passwords).

No password is uncrackable, but actual words are slightly easier to guess. The strategy employed by the XKCD guy is long pass phrases of random words, which will work well against someone running a purely random brute force hack.

brutal
03-26-2017, 12:51
I'm still fluent in iSeries (as/400) for a government agency today. Very much alive and well.

Have a client that runs contact stuff for gov and is in the finance industry (PCI).

root password (not really "root") hasn't changed in eleventy years. In all honesty, only those with special access can even get somewhere they could enter those credentials, and everything is encrypted over the wire of course.

brutal
03-26-2017, 12:55
As much as I enjoy the XKCD cartoon (after all I posted it earlier in this thread) it doesn't take into account how actual hackers hack passwords. If they're going to "brute force" hack the password (that is just start throwing guesses en masse at the login) they tend to start out with a "commonly used passwords" list, then move to a dictionary, THEN run random characters.
But more commonly they'll look through your social media and compile a list of words that seem meaningful to you because most people use meaningful words as a password (for example my boss uses his wife's middle name plus their anniversary date for all his passwords).

No password is uncrackable, but actual words are slightly easier to guess. The strategy employed by the XKCD guy is long pass phrases of random words, which will work well against someone running a purely random brute force hack.

Most common user accounts are wide open after securing access to another database through exploits.

With most accounts getting locked out quickly after xx bad tries, brute force attacks on Joe Blow's email or bank account aren't likely.

However, just one more reason to choose two (or if required 3) factor authentication methods where offered.

William
03-28-2017, 21:42
The worst was when I worked in a vault out at Falcon (Schriever). Had to go down to the SA's computer once a month and look at a random 8 character password with upper case, lower case, special characters and numbers, then memorize it and hope you still remembered by the time you got back to your desk. Of course, if you were caught writing it down, it was a security violation. Got pretty good at memorizing after a while.

MrPrena
03-28-2017, 23:01
We just reset my wife's Arlo password today.