rant: is everyone who sets up password protocols…


I feel you. Big time. Like, it's a burning throb sensation in and around the taint region.
I agree that it would save me some guesswork if they just told me what they required. It would clue me in to the level of complexity of the password I chose for that site. For sites that always trip me up (the once-a-year thing, as you mention) I'll leave a note to myself in a bookmark or elsewhere that reminds me how complex that particular password was, without including the actual password. What's really annoying is that while some sites require special characters, others don't accept them! I know you're supposed to use different passwords for every site, but it sure would be nice if I could use the same complex password on both the federal and state tax web sites, for instance. I'm starting to think I need one of those password manager programs...anybody have a recommendation on one of those? If so, what does it cost? Cloud-based or locally stored? What are the risks?


I'll see your rant and raise you two rantlettes.

Social Security Administration. Same password protocols, but we are required to change our passwords at least every six months, no repeats. Of course, except for getting a copy of my 1099R for taxes once a year, I don't usually need to log in there. So I have to change my password every friggin' time I log in. So, of course, I have to write the password down.

Oh, but that's only half the fun! In case we forget a password (not that that's going to happen a lot to people who are in their 60s, 70s, 80s, right?) they give us three test questions we can answer to get our password sent to us via e-mail. Each of the three lets us select from a list of questions, like: "Who was your 1st Grade Teacher?" or "What was the number of your first telephone?" or "What was the city of birth of your maternal grandfather?" (And yes, those are all actual selections on the site.) And every time I log on, they want the questions changed ...


@adadavis: When we first started filing our Federal reports online, HUD required us to change our passwords every 45 days, with no repeats within nine passwords. We filed the report annually, and it was literally a Federal case (call HUD, get a help ticket) to get your account re-issued if you missed a password change, because you were automatically booted from the system. So we all had it on our calendars every month and a half to go change our passwords, and most of us just kept the year's worth of passwords written in our calendars. That got changed pretty quickly; I suspect half the staff at HUD spent all their time re-issuing accounts.


I know it's the "bad" guys who are responsible for this password mess, but I often wonder if they, too, get upset trying to keep up with their own passwords. If so, GOOD!


@bsmith1: Re password managers

Read this article on secure password managers

I don't use them, since they have too many potential problems. Like: if someone hacks your password for your password manager, they get all your passwords; if the site storing your password manager is offline, down for maintenance, or has a drive failure - then what?; what happens if the company/software you use goes out of business; etc. So, do you write down all your passwords as a backup to your password manager?


Oh, that lifehacker site made me crazy (which means I didn't read the "fine" article), but here's a related question from yesterday that may be helpful.

I strongly recommend writing passwords down, especially if you can keep them in a safe place. Yes, that's right. You heard me. Write them down.

I prefer password managers that run on your own computer, rather than in the cloud. I don't use them myself, but I remember my passwords (comes from years and years of having to).

Of all the things I hate, the idiot questions for password hints is close to the top of the list. What was the color of my first car? Is FOAD a color?


@shrdlu: I keep a password-protected Word file with password hints for my regular passwords in it on my computer at work. But I never remember to put in silly one-use type stuff, and sites that require frequent updates get out of date really quickly. What I really need to do is upgrade that document to carry all my passwords, as well as stuff like serial numbers.

Avast is offering a password locker for subscribers with its anti-virus protection. It costs $10 extra to add it to the antivirus package.


Try being a Nurse. Same protocols, but I need 3 separate passwords. They all expire at different times, and none can repeat over 5 resets.



@shrdlu: FOAD is a fantastic color. It is similar to DIAF on the color wheel. :)


My company has the most deplorable logon and password system ever. Just to get into my computer I have to put in my general PW, then to get into my email there's another PW, and to see my paycheck there's a third, and a fourth to do my timesheet, because even though we're salary employees they need to assign our time to money-making projects. Each of these must be changed every 30-45 days. And no two land on the same rotation no matter how hard I try. If I need to upload or download something to/from a client, we each have our own individual PW per client per project. These do not expire, but I don't get to choose them either. I have 6 clients and 8 projects right now. I keep them all written down in a notebook. Good luck whoever steals it.

I hate passwords.


@nmchapma: I would much prefer a biometric scan system: Fingerprint or retinal scan gives us access to everything we need. Of course, someone could still duplicate fingerprints (or just take your fingers) but it would be much harder to do over the internet. Retinal scans might be a tad expensive (and bulky) for home use - or for your tablet or phone, but facial recognition might be an option. I don't think DNA would work, because there's just too much of our DNA we leave around in one form or another.


Use a password manager with two factor authentication. I realize this is a pain in the butt, but right now it is the only way to keep yourself reasonably safe. What is happening is that the database for the passwords and usernames gets stolen. That normally wouldn't help them that much: passwords are normally kept as hashed and salted versions of what you write. Now here is why you need to be paranoid.

Using GPU (and multi-GPU) acceleration, hackers (once they attempt to figure out the hash) will run the hash against known lists of common passwords. There are dictionaries of millions of them. These accelerated programs can run millions of guesses per second. If one uses a common password (like password, 123456, monkey, John316, or such like) it gets cracked quickly. Then you are owned. What they then do is try your username and password against other known sites. (continued)


So, they take your password from and try it against Bank of America. If you use the same username/password combination at your banking site, you are now totally screwed.

I used LastPass with a hardware second factor (Yubikey). It is admittedly a PITA, but with a combination of highly random secure passwords, different passwords for different sites, and a second factor I feel pretty good about it. LastPass also supports Google Authenticator, so you can use that as a second factor if you always have your cell phone with you.

This having been said, I hated the government password requirements with a passion. I would end up using things like this: ZaQ1XsW2CdE3VfR4%^&. Little keyboard patterns (you can see what I did there). Guess what: those password databases have ALL those keyboard patterns in them: they are no more secure than monkey1234.
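The attack the two posts above describe, as an added example that is not from the thread or its participants: an offline dictionary run against a salted, iterated hash table, followed by replaying the recovered pairs against a second site. The users, passwords and wordlist are constructed for the example; PBKDF2-HMAC-SHA256 with a deliberately low iteration count stands in for whatever the leaked site used, so the block runs in well under a second.

```python
"""Offline dictionary attack on a leaked salted-hash table, then credential
stuffing of the recovered pairs against a second site.  All data here is
constructed for the example: the users, the passwords and the wordlist."""
import hashlib
import hmac
import os

ITERATIONS = 1000  # far below production PBKDF2 counts so the demo runs fast


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the kind of storage the post describes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_site(creds: dict, iterations: int = ITERATIONS) -> dict:
    """Per-site table {user: {"salt", "hash", "iters"}} with a fresh random
    salt per user, so identical passwords hash differently on each site."""
    table = {}
    for user, pw in creds.items():
        salt = os.urandom(16)
        table[user] = {"salt": salt,
                       "hash": hash_password(pw, salt, iterations),
                       "iters": iterations}
    return table


def crack(table: dict, wordlist: list) -> dict:
    """Try every wordlist entry against every row.  The salt stops one hash
    computation from covering all users at once, but it does nothing for a
    user whose password is in the list: each row costs len(wordlist) hashes,
    which a GPU rig gets through quickly for fast or low-iteration hashes."""
    recovered = {}
    for user, row in table.items():
        for guess in wordlist:
            candidate = hash_password(guess, row["salt"], row["iters"])
            if hmac.compare_digest(candidate, row["hash"]):
                recovered[user] = guess
                break
    return recovered


def credential_stuffing(recovered: dict, other_site: dict) -> list:
    """Replay recovered username/password pairs against another site's table
    (standing in for its login endpoint).  Returns the users who reused the
    cracked password there."""
    hits = []
    for user, pw in recovered.items():
        row = other_site.get(user)
        if row is None:
            continue
        if hmac.compare_digest(hash_password(pw, row["salt"], row["iters"]), row["hash"]):
            hits.append(user)
    return hits


# Constructed sample data (not a real leak).  Note the keyboard walk from the
# post sits in the wordlist next to the classic weak entries.
WORDLIST = ["password", "123456", "monkey", "John316", "qwerty",
            "1qaz2wsx", "ZaQ1XsW2CdE3VfR4", "ZaQ1XsW2CdE3VfR4%^&"]

LEAKED_SITE = build_site({
    "alice": "monkey",                 # top-ten wordlist entry
    "bob":   "ZaQ1XsW2CdE3VfR4%^&",    # keyboard pattern, also in the wordlist
    "carol": "tY7#vq2Lp!9Rm0zX",       # random; in no list, so it survives
})
BANK_SITE = build_site({
    "alice": "k3!Qz8pL",               # different password here: stuffing fails
    "bob":   "ZaQ1XsW2CdE3VfR4%^&",    # reused: the leak becomes a bank login
    "carol": "tY7#vq2Lp!9Rm0zX",
}, iterations=2000)


def demo():
    recovered = crack(LEAKED_SITE, WORDLIST)
    reused = credential_stuffing(recovered, BANK_SITE)
    return recovered, reused


if __name__ == "__main__":
    rec, reused = demo()
    print("cracked at leaked site:", rec)
    print("same password works at bank:", reused)
```

The wordlist here is eight entries; the real ones run to millions, and a rule engine on top of them generates the digit and symbol suffixes people add to satisfy complexity policies. Raising the iteration count (or switching to a memory-hard hash) slows the per-guess cost for the defender's users, but only a password that is not derivable from the list protects the account, and only a different password at the second site stops the stuffing step.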



Part of this is coming from an unreasonable expectation to change your password every so often, sometimes as frequently as every 90 days, or sooner. That is just stupid. Why do it? They aren't like produce: they don't go bad. The only reason to change the password is if one assumes that the sysadmins can't keep control of their files: if one gets out, there MAY be a limitation of damage. Wouldn't it be smarter to keep control of the file in the first place?

And these policies end up making people do the worst thing possible: writing down the password and keeping it by their computer. All somebody now has to do is to copy the username/password and go to town. I resorted to this: but my passwords book was kept in a security container (milspeak for safe) by my desk and locked up when I wasn't there. I don't think most people do that.


I would complain that some sites do not allow you to use special characters.
My password is two simple words, one misspelled and the other with a number included in it. I have a special character in the password and a capital letter. What trips me up is when a site does not allow for special characters.


@wilfbrim: I was trying to remember the name of the password program I used to use, it was LastPass. As I recall I really liked it because it had an online aspect where I could access my passwords from computers where I didn't have the LastPass program. I use passwords from personal sources, so people close to me might be able to guess them but not a stranger. The only one that people online might know is my dog's name, and I only use that for his pet insurance. The others are nonsensical personal references.


@moondrake: I have a similar issue at my work, with 90 day resets and no repeats for 9 passwords. I have a simple system to get around that particular issue.

Take a word you can remember; I'm going to use elephant as an example. Replace a couple of letters with the number 1: el1ph1nt. Then add a capital or two somewhere: el1PH1nt. Now every time period you just up the number a digit and keep cycling through el1PH1nt, el2PH2nt, el3PH3nt... As long as you don't have a block of 4 or more letters that are the same, most systems will allow this. Then all you have to keep on your password sheet is what number you are on, and even if someone sees the sheet it won't help them much.
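The rotation scheme in the post above, as an added example that is not from the post or its author. It generates the sequence, checks each value against a no-repeat-in-nine / no-four-identical-characters policy of the kind the thread describes, and also shows the other side: what someone who has seen one earlier value in the sequence (for instance on a shared password sheet or in an old breach) gets by applying the same increment rule. Wrapping 9 back to 0 and the eight-character minimum are assumptions made for the example.

```python
"""The digit-increment rotation scheme from the post, plus the attacker's view
of it.  Policy numbers and the wrap-around are assumptions for the example."""
import re

HISTORY_WINDOW = 9          # "no repeats for 9 passwords", as in the thread
MIN_LENGTH = 8              # assumed; not stated in the thread
REPEAT_RUN = re.compile(r"(.)\1{3}")   # any character four or more times in a row


def bump(password: str, step: int) -> str:
    """Apply the scheme: every digit goes up by `step`, wrapping 9 -> 0
    (wrap-around is an assumption) so the length never changes."""
    return "".join(str((int(c) + step) % 10) if c.isdigit() else c
                   for c in password)


def rotation_sequence(base: str, count: int) -> list:
    """The passwords a user following the scheme will set, starting at base."""
    return [bump(base, i) for i in range(count)]


def passes_policy(candidate: str, history: list) -> bool:
    """Typical rotation policy: minimum length, no run of four identical
    characters, and not equal to any of the last HISTORY_WINDOW passwords."""
    if len(candidate) < MIN_LENGTH:
        return False
    if REPEAT_RUN.search(candidate):
        return False
    return candidate not in history[-HISTORY_WINDOW:]


def guesses_from_old(old_password: str, max_steps: int = HISTORY_WINDOW) -> list:
    """What an attacker who knows one earlier value tries: the same increment
    rule, one step at a time.  Nine guesses cover a full history window."""
    return [bump(old_password, i) for i in range(1, max_steps + 1)]


def demo():
    seq = rotation_sequence("el1PH1nt", 5)
    history = []
    accepted = []
    for pw in seq:
        ok = passes_policy(pw, history)
        accepted.append(ok)
        if ok:
            history.append(pw)
    # Attacker saw the first value; how many guesses until the current one?
    current = history[-1]
    guesses = guesses_from_old(seq[0])
    guesses_needed = guesses.index(current) + 1 if current in guesses else None
    return seq, accepted, guesses_needed


if __name__ == "__main__":
    seq, accepted, needed = demo()
    print("sequence:", seq)
    print("each accepted by policy:", accepted)
    print("guesses from the oldest value to the current one:", needed)
```

Every value in the sequence satisfies the policy, which is exactly why the scheme is popular; the same regularity means the history window buys nothing once any one value is known, since the current password is at most nine guesses away and the rule-based cracking mentioned earlier in the thread already includes "increment the digits" as a standard mutation.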