Comments on: When have you last changed you password (and is it complex enough)?

By: BUGabundo

BUGabundo — Sun, 12 Apr 2009 01:58:32 +0000

I change my passwords 2 or 3 times per here, or more, when some actual leak.
I have a diff pass for every service.
I just create an algorithm that somehow relates a master pass and the service, so each pass is unique.

By: Eric Duminil

Eric Duminil — Fri, 10 Apr 2009 15:56:26 +0000

Andy, you might want to check pwdhash : https://www.pwdhash.com/

By: John Carlyle-Clarke

John Carlyle-Clarke — Fri, 10 Apr 2009 08:18:21 +0000

Felt motivated to comment because of the great choice of Radiohead song! I’ve used this method in the past, although I do like your enhancements a lot.

I wanted to mention Keepassx ( http://www.keepassx.org/ ). This is a really *awesome* tool, and I’m trying to get into the habit of using it more. It’s such a well designed piece of free software, it’s cross platform, it’s easy to use and understand and has a bunch of neat security features. You can use it with a master keyfile or passphrase. The only thing it lacks is a CLI.

By: Andy

Andy — Fri, 10 Apr 2009 00:31:17 +0000

My philosophy has been to have one really long password which I remember, which I use only on devices that I’m in complete control of. I don’t see any value in changing it at all – if it gets found out, then I’m already stuffed anyway, and changing the password won’t get me anything.

For things where I don’t control the password checker (e.g. logins to websites, internet banking passwords, etc), it is a bit tougher. I have two strategies, one for sites I care about (internet banking), one for sites I don’t (most websites). Both strategies are similar, I take a master password, and the domain name of the site, and apply a function to them which spits out a password. The low security one is a simple function (anyone could easily work it out in their head). The high security one involves an md5sum.

This way, I use different passwords everywhere, and I only have to remember a few easy to remember words or phrases.

By: KC

KC — Fri, 10 Apr 2009 00:17:09 +0000

Every 60 days? That’s impressive. I make really strong passwords for important stuff, but I don’t change them more once every year or two. Especially for my web accounts that have somewhat weaker passwords, there are just too many to change my pass all the time. If only more of them used OpenID…

By: Dougie

Dougie — Thu, 09 Apr 2009 20:57:07 +0000

The method we employee for our users is that they need to choose a new password every 30 days. Now this introduces the likelihood they wont learn it and will write it down.

So we give them the choice of three generated passwords and they pick the most memorable.

The script generates three sets of three characters all in the format consonant-vowel-consonant. This tends to generate a group of three syllable that people seem to remember.

Seems to work well.

By: Mez

Mez — Thu, 09 Apr 2009 20:17:25 +0000

Alberto, that’s just an extra source of entropy :P

By: Mez

Mez — Thu, 09 Apr 2009 20:16:41 +0000

Loving the 2(oa) bit!

Maybe we should also use regex’s in our passwords :D

(oa){,2}

By: Christoph

Christoph — Thu, 09 Apr 2009 18:06:11 +0000

The song method is definitely a good one. I use of version of this as well. Thanks for the instructions to tell other people.

By: Alberto

Alberto — Thu, 09 Apr 2009 17:38:24 +0000

Hi:

I use a method similar to yours but with a little bit more of random. I turn on a radio station and surf until I find a song I know and I use that song.

Yours.

Alberto.