Today I spent a few hours changing ALL my web-based passwords (something I'd put off for far too long).
They are now all unique and randomly generated.
My question is;
How often does everyone change their password and generally what kind of complexity do you put behind it?
Pass phrases? Randomly generated passwords with mixed case, alpha numeric, special characters?
What's your best practice?
For a while I had a generic password I used for quick signups.... today I went through them all and determined which had to be more secure and which accounts could be closed and/or abandoned.
(Abandoned meaning log in, generate excessively large random password, change account password and not make note/record it so I can't log in again).
Sent from my GT-I9000 using Tapatalk
Password Change Day
- hitchcockgreen
- Senior member
- Posts: 1422
- Joined: Thu Mar 03, 2005 11:01 pm
- I've played Bz for: a bunch.
- Dm Strat or Missions: strat and ia
- Location: The Frozen Wastes of Canada
Password Change Day
"Unthinking respect for authority is the greatest enemy of truth." -Albert Einstein
-
- Senior member
- Posts: 666
- Joined: Tue Jan 25, 2005 10:18 pm
- I've played Bz for: Forever
- Dm Strat or Missions: DM
- Location: North Carolina
Re: Password Change Day
I still use only 5 or so. I have a couple for low value loss such as forums and news sites. I also have the remaining for more high value ones I use for banking and credit and such.
Risky I know.
-
- In Training
- Posts: 7
- Joined: Sat Jul 01, 2006 9:01 pm
- I've played Bz for: On&Off since 98
- Dm Strat or Missions: DM all the way
- Location: The 1st Coast
Re: Password Change Day
My bank online pass is 19 letters & numbers
It's the name & year of the flag football team I played on when I was 8 years old
I also use the name & year of schools attended, from elementary, HS, & college
Now that you know this, You're in my Grendel sites
- hitchcockgreen
- Senior member
- Posts: 1422
- Joined: Thu Mar 03, 2005 11:01 pm
- I've played Bz for: a bunch.
- Dm Strat or Missions: strat and ia
- Location: The Frozen Wastes of Canada
Re: Password Change Day
Bwa ha ha!
Even randomly generated alpha numeric passwords are surprisingly susceptible to brute force cracking.
The toughest passwords to break are pass phrase strings; four or more randomly selected and unrelated words. (I.e. something like what www.passphra.se generates)
Unfortunately many websites insist on password formulas that won't allow for that.
-
- Ace
- Posts: 305
- Joined: Mon Nov 01, 2010 2:15 pm
- I've played Bz for: 8 years
- Dm Strat or Missions: Strat and IA
Re: Password Change Day
How often does everyone change their password and generally what kind of complexity do you put behind it?
About every 6 months. Complexity includes all character types. I also had a program that goes by your password and mouse movements to authenticate.
Pass phrases? Randomly generated passwords with mixed case, alpha numeric, special characters?
What's your best practice?
All phrases that I come up with on my own, impossible for any person to understand. I think the longest one I came up with was * * * characters long

-
- Admin
- Posts: 529
- Joined: Wed Jul 12, 2006 12:28 am
- I've played Bz for: 10+ Years
- Dm Strat or Missions: Both
- Contact:
Re: Password Change Day
It's all about the password length if you want to protect against brute force protection. Someone posted a link to a password strength tester website and experimenting with passwords showed that length was the best defense against brute force.
I use 3 tiers of passwords:
1. Don't care at all, I just want the freebie thing passwords (never use them for anything I care about - my Dairy Queen DQ Sunday Club password)
2. My important but not financially impactful passwords
3. My ultra important high risk passwords
I never use a #1 password for #2 or #3 nor would I use a #2 password for #3. For #1, I cycle through a dozen 8-10 letter passwords with number and letters. For #2, it's a smaller number of longer and more complex passwords. For #3, it's pass phrases, usually sentences that only make sense to me. I change all passwords at varying intervals but no set schedule.
At work, we had a security class and they cracked all of our passwords and showed us how many seconds it took. The funny part is, it's the same guys who restrict our passwords to 7 or 8 characters and only alphanumeric. No one can make an uncrackable password with those restrictions. The exercise just showed how weak the restrictions make everyone's passwords.
Eddy
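An added example (not written by any poster in this thread) that puts numbers on the schemes discussed above: the 7 or 8 character alphanumeric work policy, four-word passphrases, and a 19-character letters-and-numbers password. It assumes every character or word is drawn uniformly at random, a 62-symbol alphabet, and a 7776-word list (the Diceware list size); the 16-word list in the code is a constructed stand-in so the block runs offline.

```python
import math
import secrets
import string

ALNUM = string.ascii_letters + string.digits   # 62 symbols: "letters & numbers"
WORDLIST_SIZE = 7776                           # assumed list size (6**5, Diceware)
# Constructed 16-word stand-in list; far too small for real use.
DEMO_WORDS = ["anchor", "birch", "copper", "drift", "ember", "fable", "glint",
              "harbor", "ivory", "jigsaw", "kettle", "lantern", "meadow",
              "nickel", "orchid", "pebble"]

def entropy_bits(pool_size, picks):
    """Entropy when each of `picks` items is drawn uniformly at random from
    `pool_size` options. It does NOT apply to human-chosen secrets such as
    names plus years, which are far more guessable than their length suggests."""
    return picks * math.log2(pool_size)

def random_password(length, alphabet=ALNUM):
    # secrets uses the OS CSPRNG; the random module is not suitable here.
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_passphrase(n_words, words=DEMO_WORDS):
    return " ".join(secrets.choice(words) for _ in range(n_words))

def words_needed(target_bits, list_size=WORDLIST_SIZE):
    """Smallest number of random words whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))

def policy_table():
    """Schemes mentioned in the thread as (label, bits), weakest first."""
    rows = [
        ("7 random alphanumeric (work policy)", entropy_bits(len(ALNUM), 7)),
        ("8 random alphanumeric (work policy)", entropy_bits(len(ALNUM), 8)),
        ("4 random words from a 7776-word list", entropy_bits(WORDLIST_SIZE, 4)),
        ("6 random words from a 7776-word list", entropy_bits(WORDLIST_SIZE, 6)),
        ("19 random alphanumeric", entropy_bits(len(ALNUM), 19)),
    ]
    return sorted(rows, key=lambda row: row[1])

if __name__ == "__main__":
    for label, bits in policy_table():
        print(f"{bits:6.1f} bits  {label}")
    print("sample password  :", random_password(8))
    print("sample passphrase:", random_passphrase(4))
    print("words to match 19 random alphanumeric:",
          words_needed(entropy_bits(len(ALNUM), 19)))
```

Each extra bit doubles the number of guesses an exhaustive search needs, so the table is a direct comparison of search cost under the stated random-choice assumption.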
-
- Ace
- Posts: 305
- Joined: Mon Nov 01, 2010 2:15 pm
- I've played Bz for: 8 years
- Dm Strat or Missions: Strat and IA
Re: Password Change Day
FirBirGir wrote: The funny part is, it's the same guys who restrict our passwords to 7 or 8 characters and only alphanumeric. No one can make an uncrackable password with those restrictions. The exercise just showed how weak the restrictions make everyone's passwords.
Sounds like someone needs to modify that policy

- hitchcockgreen
- Senior member
- Posts: 1422
- Joined: Thu Mar 03, 2005 11:01 pm
- I've played Bz for: a bunch.
- Dm Strat or Missions: strat and ia
- Location: The Frozen Wastes of Canada
Re: Password Change Day
Lol yeah a lot of places have those lax security policies.
Part of the problem is MS Active Directory policies allow for that weakness in the first place.
-
- Senior member
- Posts: 666
- Joined: Tue Jan 25, 2005 10:18 pm
- I've played Bz for: Forever
- Dm Strat or Missions: DM
- Location: North Carolina
Re: Password Change Day
Wrong entry timeouts are a decent protection. But from what I read, a large number of serious password infiltrations are from social engineering, human to human phishing.
- hitchcockgreen
- Senior member
- Posts: 1422
- Joined: Thu Mar 03, 2005 11:01 pm
- I've played Bz for: a bunch.
- Dm Strat or Missions: strat and ia
- Location: The Frozen Wastes of Canada
Re: Password Change Day
Yeah...people using easily guessed words plus dates is a very common issue.
I've been advocating for stricter policies at work but since most users are functionally computer-illiterate and barely understand what it is that IT does.... let's just say policy change isn't easy. At least at one of the agencies...
The other just bought vSphere licences and blade servers so at least there I'll be preoccupied with work and can ignore the others' technophobia.