Posted: 1/20/2016 3:32:51 PM EDT

Moved to a new office/new machine, and the password dance is making me rage. Fuck Google. If I'm resetting my password, complete with 2-step verification, I want to use the password that I want to use. By forcing me to use a completely unique pword that has never been associated with the account, you have utterly destroyed the mnemonics that I use to keep my passwords organized. This means that I have many different and completely unrelated passwords, making them impossible to remember when I need to log in from a new device. And no, I don't want to individually set up app passwords for every single app on every single one of my devices (all 8 of them).
The xkcd.com bit about the stupidity of password protocols has never been more trenchant. Essentially, they are forcing me to use the very worst security technique of all--writing all my shit down on a post-it.

I have a pair of base passwords that I use in rotation and update systematically each time. That way when I change my password on Friday and forget I did it on Monday, I'm always less than 3 tries off and my account doesn't get locked. This has worked at 5 employers over the last 20 years or so. Now my Linux account requires a completely random set of characters, with sub-rules, and keeps track of variations. It will tell me that passwords like xQwr1T are dictionary words. Show me the fucking dictionary that one is in. This pisses me off no end. In addition to all the other rules, they only allow 6 characters. However, they give me Linux interface programs that allow me to save the password in the program so when it opens, I'm connected. And for the one program that doesn't save the password, I write it down, screw it.

Quoted:
lol They're forcing you to write your passwords down... riiiiiiight. Use a password manager and save the pouty face.

I use keepass. I also recognize the logical fallacy of having a pile of randomized "strong" passwords all in a virtual box locked with an easier to remember password.

Quoted:
Quoted:
lol They're forcing you to write your passwords down... riiiiiiight. Use a password manager and save the pouty face.
I use keepass. I also recognize the logical fallacy of having a pile of randomized "strong" passwords all in a virtual box locked with an easier to remember password.

Yup. It's one point of bad passwords rather than a series of them around the interwebs.

Quoted:
Quoted:
lol They're forcing you to write your passwords down... riiiiiiight. Use a password manager and save the pouty face.
I use keepass. I also recognize the logical fallacy of having a pile of randomized "strong" passwords all in a virtual box locked with an easier to remember password.

Tell me more about this app

Quoted:
Quoted:
Quoted:
lol They're forcing you to write your passwords down... riiiiiiight. Use a password manager and save the pouty face.
I use keepass. I also recognize the logical fallacy of having a pile of randomized "strong" passwords all in a virtual box locked with an easier to remember password.
Tell me more about this app

http://keepass.info/ Might be a pain in the arse to have to type in dozens of passwords when setting it up, but once you have it set up it's a dream. Remember one password, and then just copy and paste any other password whenever you need to use it.

Quoted:
http://keepass.info/ Might be a pain in the arse to have to type in dozens of passwords when setting it up, but once you have it set up it's a dream. Remember one password, and then just copy and paste any other password whenever you need to use it.

It also has a somewhat customizable pseudorandom password generator.

Quoted:
Quoted:
Quoted:
Quoted:
lol They're forcing you to write your passwords down... riiiiiiight. Use a password manager and save the pouty face.
I use keepass. I also recognize the logical fallacy of having a pile of randomized "strong" passwords all in a virtual box locked with an easier to remember password.
Tell me more about this app
http://keepass.info/ Might be a pain in the arse to have to type in dozens of passwords when setting it up, but once you have it set up it's a dream. Remember one password, and then just copy and paste any other password whenever you need to use it.

I use Dashlane and it has Chrome and Firefox plugins that identify and fill password fields.

Quoted:
Hah we have a machine logon password... That we don't use we use cards and pins... That password luterlay does nothing other than expire. Also why require complexity if everything locks you out after a couple tries anyway... Posted Via AR15.Com Mobile

In case the SAM database (or similar depending on system) gets compromised and the passwords get cracked offline.

Quoted:
Quoted:
Quoted:
Quoted:
lol They're forcing you to write your passwords down... riiiiiiight. Use a password manager and save the pouty face.
I use keepass. I also recognize the logical fallacy of having a pile of randomized "strong" passwords all in a virtual box locked with an easier to remember password.
Tell me more about this app
http://keepass.info/ Might be a pain in the arse to have to type in dozens of passwords when setting it up, but once you have it set up it's a dream. Remember one password, and then just copy and paste any other password whenever you need to use it.

This. I use MiniKeePass on my iOS devices and KeePassX on my computer. MiniKeePass is able to use Touch ID so I don't have to put in the database password each time, which is a biggie.

Pick a word for a password that's easy to remember and add a number on it. If your password is ILUVHILLARY then make it ILUVHILLARY1. When you need to change the password, make it ILUVHILLARY2, and then ILUVHILLARY3 after that. This way you don't need to remember a hundred passwords. You just need to remember what number it ends with, and revealing the number won't help hackers in the least.
I can publicly say my own password has a 41 in it. Doesn't help you much does it?

Quoted:
The password requirements for USPS became so ridiculous and it infuriated me so much that my password became a variation on telling them to go fuck themselves.

So one time I got so frustrated I did that sort of thing. Our IT department is the only one that I have ever dealt with that occasionally will ask for your password. So I ended up telling the helpdesk; My password? Um... It's--um.... It's fuckyouIT.

Quoted:
Quoted:
The password requirements for USPS became so ridiculous and it infuriated me so much that my password became a variation on telling them to go fuck themselves.
So one time I got so frustrated I did that sort of thing. Our IT department is the only one that I have ever dealt with that occasionally will ask for your password. So I ended up telling the helpdesk; My password? Um... It's--um.... It's fuckyouIT.

I love people like you. I would offer to reset their password to "Triskadecaphobia" and they immediately remember how to be polite.

Quoted:
Quoted:
The password requirements for USPS became so ridiculous and it infuriated me so much that my password became a variation on telling them to go fuck themselves.
So one time I got so frustrated I did that sort of thing. Our IT department is the only one that I have ever dealt with that occasionally will ask for your password. So I ended up telling the helpdesk; My password? Um... It's--um.... It's fuckyouIT.

I have never had a help desk ask for a password and I'd be having a word with their management if they did.

Quoted:
Hah we have a machine logon password... That we don't use we use cards and pins... That password luterlay does nothing other than expire. Also why require complexity if everything locks you out after a couple tries anyway... Posted Via AR15.Com Mobile

So your password is luterlay? That's a good one. Certainly not a dictionary word, doesn't mean shit. Better add a number and a special character though.

Quoted:
We're going to change your password every 50 days... It needs to be 14 characters. 2 upper, 2 lower, 2 special, and 2 numbers. And it can't be one of your last 20. Thanks, IT.

That's what you get when your IT dept sucks, knows it, and at least wants to look busy. The line out the door for password resets every morning keeps the numbers guys happy.

Quoted:
Quoted:
We're going to change your password every 50 days... It needs to be 14 characters. 2 upper, 2 lower, 2 special, and 2 numbers. And it can't be one of your last 20. Thanks, IT.
That's what you get when your IT dept sucks, knows it, and at least wants to look busy. The line out the door for password resets every morning keeps the numbers guys happy.

For better or worse there are good reasons for the complexity. Now the best answer is to move to some sort of two factor like RSA tokens, but those cost money.

Quoted:
Pick a word for a password that's easy to remember and add a number on it. If your password is ILUVHILLARY then make it ILUVHILLARY1. When you need to change the password, make it ILUVHILLARY2, and then ILUVHILLARY3 after that. This way you don't need to remember a hundred passwords. You just need to remember what number it ends with, and revealing the number won't help hackers in the least. I can publicly say my own password has a 41 in it. Doesn't help you much does it?

I used to use a similar method for my mil computer passwords, I would just add another special character to the base password at change time. Such as: Ilovearfcom! Ilovearfcom!! Ilovearfcom!!! Ilovearfcom!!!! Ilovearfcom!!!!!

Quoted:
Quoted:
Quoted:
We're going to change your password every 50 days... It needs to be 14 characters. 2 upper, 2 lower, 2 special, and 2 numbers. And it can't be one of your last 20. Thanks, IT.
That's what you get when your IT dept sucks, knows it, and at least wants to look busy. The line out the door for password resets every morning keeps the numbers guys happy.
For better or worse there are good reasons for the complexity. Now the best answer is to move to some sort of two factor like RSA tokens, but those cost money.

The user is an integral part of security. The password nightmare described above absolutely ignores the user. Institute a system like that and give me five minutes to browse an office and I'll likely find everything I need to fuck your system up taped to the bottoms of keyboards.

Quoted:
We're going to change your password every 50 days... It needs to be 14 characters. 2 upper, 2 lower, 2 special, and 2 numbers. And it can't be one of your last 20. Thanks, IT.

Just to let you know, not all IT people are that dumb. I know that if I put that in place, everyone's password would be on a sticky note on their monitor tomorrow.

Once you have a password you can remember, make sure the last character is one of the symbols above the numbers at the top of the keyboard; just reuse it and change the character each time.
Example; Password! the next time it is; Password @ then; Password # and so on. Works for me.
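
The rotation schemes posted in this thread (a fixed base plus a changing number or symbol) are the pattern that change-time similarity checks, like the one the Linux account above is described as enforcing, are built to catch. The following is an added example, not from the thread and not the code of any real PAM module: a Python sketch of such a check, assuming the old password is supplied in plaintext at change time; the function names and the `min_changes` threshold are hypothetical.

```python
import re

# Trailing digits and punctuation: the part users typically rotate.
_ROTATING_TAIL = re.compile(r"[\d\W_]+$")

def base_of(password: str) -> str:
    """Lower-cased password with any trailing digits/symbols stripped."""
    return _ROTATING_TAIL.sub("", password).lower()

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete
                           cur[j - 1] + 1,              # insert
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]

def reject_reason(old: str, new: str, min_changes: int = 4):
    """Return why `new` is too close to `old`, or None if acceptable."""
    if new == old:
        return "unchanged"
    if new.lower() == old.lower():
        return "case change only"
    if new == old[::-1]:
        return "reversed"
    if len(old) > 1 and len(new) == len(old) and new in old + old:
        return "rotated"
    b_old, b_new = base_of(old), base_of(new)
    if b_old and b_old == b_new:
        return "same base, new suffix"
    if edit_distance(old, new) < min_changes:
        return "too few characters changed"
    return None

# Constructed samples mirroring the schemes posted in the thread.
SAMPLES = [
    ("ILUVHILLARY1", "ILUVHILLARY2"),
    ("Ilovearfcom!", "Ilovearfcom!!"),
    ("Password!", "Password @"),
    ("xQwr1T", "T1rwQx"),
    ("xQwr1T", "correct horse battery staple"),
]

if __name__ == "__main__":
    for old, new in SAMPLES:
        print(f"{old!r} -> {new!r}: {reject_reason(old, new) or 'accepted'}")
```

A check like this only sees the password being replaced; a history list of salted hashes can catch exact reuse of older passwords but not near-variants of them.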

Quoted:
The user is an integral part of security. The password nightmare described above absolutely ignores the user. Institute a system like that and give me five minutes to browse an office and I'll likely find everything I need to fuck your system up taped to the bottoms of keyboards.

Our policy for administrative passwords is even more stringent than our user ones, which we still have as well. That said we in IT at my organization have been working to make everything two factor so passwords are a thing of the past.

Quoted:
What happens if the password manager program/site you're using gets hacked? I'm really interested in this, but have some hesitation because of this reason. OP - I feel your rage, I've been there way too many times, and continue to go there every few weeks.

The DB that your passwords are stored in should be encrypted (and protected with a VERY secure and very long password). Shit, I'll give you a copy of my password database without losing a single second of sleep over it. Good fucking luck doing anything with it.
I don't use online services to manage my passwords, and neither should you.

Quoted:
Quoted:
What happens if the password manager program/site you're using gets hacked? I'm really interested in this, but have some hesitation because of this reason. OP - I feel your rage, I've been there way too many times, and continue to go there every few weeks.
The DB that your passwords are stored in should be encrypted (and protected with a VERY secure and very long password). Shit, I'll give you a copy of my password database without losing a single second of sleep over it. Good fucking luck doing anything with it. I don't use online services to manage my passwords, and neither should you.

wait--you're saying that you only store passwords locally? this makes the problem even bigger. since repetitive use is pretty much the only way to remember something, and since password managers mean that you never use (i.e., enter) your passwords, how do you remember your passwords in the event that you don't have access to your device? this is pretty much my problem right now. i'm on a new machine, having to enter every single password for every app/service. WTF was my arfcom password again? i don't remember--i never use the damn thing. so without the benefit of the mnemonics i use (multiple dictionary words with constant capitalization and rotating numbers), or an online service, i could never log into arfcom from a new machine without changing my password...which would force me to change it on all of my other devices.

Quoted:
Quoted:
Quoted:
What happens if the password manager program/site you're using gets hacked? I'm really interested in this, but have some hesitation because of this reason. OP - I feel your rage, I've been there way too many times, and continue to go there every few weeks.
The DB that your passwords are stored in should be encrypted (and protected with a VERY secure and very long password). Shit, I'll give you a copy of my password database without losing a single second of sleep over it. Good fucking luck doing anything with it. I don't use online services to manage my passwords, and neither should you.
wait--you're saying that you only store passwords locally? this makes the problem even bigger. since repetitive use is pretty much the only way to remember something, and since password managers mean that you never use (i.e., enter) your passwords, how do you remember your passwords in the event that you don't have access to your device? this is pretty much my problem right now. i'm on a new machine, having to enter every single password for every app/service. WTF was my arfcom password again? i don't remember--i never use the damn thing. so without the benefit of the mnemonics i use (multiple dictionary words with constant capitalization and rotating numbers), or an online service, i could never log into arfcom from a new machine without changing my password...which would force me to change it on all of my other devices.

I sync the DB (it's just a file at the end of the day) across all my devices. And the DB is protected with 256-bit AES encryption, so even if the cloud service(s) I use to sync everything is compromised, I won't lose a second of sleep over it.

Quoted:
Quoted:
We're going to change your password every 50 days... It needs to be 14 characters. 2 upper, 2 lower, 2 special, and 2 numbers. And it can't be one of your last 20. Thanks, IT.
Just to let you know, not all IT people are that dumb. I know that if I put that in place, everyone's password would be on a sticky note on their monitor tomorrow.

before we went CAC enabled login at least. Still change our BB passwords pretty often... Fucking VM PIN gets nixed if you don't check VM once a month (good thing we don't have 3-4 trips every now and then and can't, eh?). And then they'll send the reset on a Friday afternoon when you've gone home...but have 24hrs to change the PIN before having to start the process again. DOD IT sucks balls...and ours is apparently a center for hiring fairly incompetent minorities.


