passwords, passwords, everywhere...


Evo
20th Oct 2005, 09:28
I'm doing a bit of (academic) work looking at password usage. It probably hasn't escaped your attention that almost everybody online wants you to register with a username and password - in the last week i've counted 55 separate password requests at work and play, and i'm not that much of an internet user, honest... :uhoh:

So, a thoroughly unscientific poll, but i'm interested in how y'all cope. One password everywhere? A few? Or unique passwords everywhere? Please be honest, and comments welcome - if you have a smart way of doing it, or just use one password and don't care, or...?

P.Pilcher
20th Oct 2005, 09:43
I tend to use one for the bank and one for everything else. My main password is a word of over six characters that I can easily remember. What infuriates me is those unnecessarily "super secure" sites which insist that the password is made up of a combination of letters and numbers which you have no hope of remembering - 'cos you are not supposed to write them down! I tend not to bother with such sites, nor the ones which cancel your password every three months and insist you invent another one.
I have now even managed to crack the problem of logging onto PPRuNe every 24 hours on my home machine. I won't need to log on again until 2010 unless I log off or clear out my cookie folder!
(rant over)

P.P.

gas path
20th Oct 2005, 09:51
Do you want a list of usernames and passwords to help in your 'research' :uhoh:

As for me, a 'ballpark' figure is... I gave up counting at 60 :ugh: Some of those do use the same password though, with different usernames etc.
Problem is though I do write them down in a note book:eek:

Evo
20th Oct 2005, 10:02
Do you want a list of usernames and passwords to help in your 'research' :uhoh:

It's alright, I can't remember my own, let alone anybody else's... :O

Genghis the Engineer
20th Oct 2005, 10:18
Use a car registration.

Ideally not a current car if you want to be ultra-secure. Somebody else's, one you scrapped years ago, your first car - something you'll remember, but anybody else would struggle to guess.

I suppose that an American aircraft registration would work too if you have a favourite, or use a page of your logbook as the key.

G

drauk
20th Oct 2005, 10:52
Some years ago I gave a lecture to some computer science postgrads at UCL. At the time they were doing a lot of research into this issue and other password related matters. Perhaps you can find a copy of it on the web?

What I hate is things that make you change your password periodically. I think, empirically, this is almost certainly going to reduce security, because you end up having to write it down. And what does it add? If someone gets your existing password then chances are they'll do the damage they want to do in the month or so before you have to change your password.

Another thing that is stupid is the use of asterisks when entering a password on a tiny little screen, like a mobile phone - how many times have you been typing a code/password into a mobile phone and feared someone watching you? If someone you really didn't want to know was behind you wouldn't you just not type it in at that moment? It's fine for cashpoint machines, maybe okay for computers, but mobile phones? It's daft.

Anyway, I'm off to set everyone's PPRuNe password to 'password'.

Spinflight
20th Oct 2005, 10:54
I use three passwords, though the 'third' comprises the various types of X I have used or owned over the years, so runs to 20 odd types.

One crap password for irritating internet sites and a secure one for important stuff.

If I use the third type I sometimes have to spend 20 minutes cycling through them till I find the right one!

I once worked for a bank which demanded a secure password change every month. Complete pain in the arse and counterproductive as everyone kept their latest password on a bit of paper in their drawer.

Gonzo
20th Oct 2005, 11:49
I tend to use one, or variations of that if sites require upper case and/or numbers. I read a PC magazine article a year ago where the author described his scheme, where each password was unique, as it was made up of certain characters in the website's URL.
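
A keyed version of the per-site idea described above, as an added example that is not the magazine article's scheme or anything posted in the thread. Deriving a password from characters of the URL is reversible by anyone who knows the rule; the variant below instead stretches one memorised master secret with PBKDF2, salted by the normalised site name, so one site's password reveals nothing about another's. The master secret, site names and the 16-character output length are assumptions for illustration.

```python
import base64
import hashlib
import string
import unicodedata

# Hypothetical scheme, written for this thread as an illustration.
# Nothing here comes from the magazine article mentioned in the post.

REQUIRED_CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits)


def derive_site_password(master_secret: str, site: str, length: int = 16,
                         iterations: int = 100_000) -> str:
    """Derive a deterministic, per-site password from one memorised secret.

    The site name is normalised (trimmed, lower-cased, NFKC) so 'EBAY.co.uk '
    and 'ebay.co.uk' give the same password, then used as the PBKDF2 salt so
    each site's password is computationally unrelated to every other site's.
    """
    if length < 8:
        raise ValueError("use at least 8 characters")
    site_norm = unicodedata.normalize("NFKC", site.strip().lower())
    key = hashlib.pbkdf2_hmac(
        "sha256",
        master_secret.encode("utf-8"),
        ("site-password-v1:" + site_norm).encode("utf-8"),  # salt, domain-separated
        iterations,
        dklen=48,
    )
    # urlsafe base64 yields upper, lower, digits, '-' and '_' (64 symbols per char).
    pw = list(base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")[:length])

    # Sites with composition rules ("must contain upper, lower and a digit")
    # would otherwise reject some outputs. Fix that deterministically: class i
    # owns slot i, which no other class ever writes, so at most three passes
    # converge on an output that contains every class.
    for _ in range(len(REQUIRED_CLASSES)):
        for i, alphabet in enumerate(REQUIRED_CLASSES):
            if not any(c in alphabet for c in pw):
                pw[i] = alphabet[key[32 + i] % len(alphabet)]
    return "".join(pw)


def has_required_classes(password: str) -> bool:
    """True if the password contains an upper-case letter, a lower-case letter and a digit."""
    return all(any(c in alphabet for c in password) for alphabet in REQUIRED_CLASSES)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed sample, not a real secret
    for site in ("ebay.co.uk", "pprune.org", "mybank.example"):
        print(f"{site:16} {derive_site_password(master, site)}")
```

The trade-off a practitioner should notice: the scheme removes the need to store anything, but if the master secret leaks every derived password is gone at once, and a site that forces a password change cannot be accommodated without adding a per-site counter to the salt.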

frostbite
20th Oct 2005, 12:30
What currently pi55es me off most about using eBay is the number of times I am taken off to the slow (I'm on dialup) https signin site - typically 4-5mins to load.

Fair enough if I'm placing a bid, but to get sent there because I want to watch something/contact a seller/look at 'my ebay' is ridiculous, especially as all pages tell me I am logged in!

Yes, I do tick the 'keep me logged in' box but it seems to mean nothing.

Evo
20th Oct 2005, 15:04
[What's the secret to staying cookied for PPRuNe then??]


On Firefox, Real Men hack a textfile that says "don't edit this textfile" and edit a number that's milliseconds since 1970 or somesuch. :O Other people use the CookieEditor extension. You need to edit two cookies called bbuserid and bbpassword, make them expire whenever you feel like. I use 2015 :)

On other browsers, I dunno.

Binoculars
20th Oct 2005, 15:29
I use two passwords. No more. The deciding factor is whether I would want my daughters to see what's behind them.

Saab Dastard
20th Oct 2005, 18:43
EVO,

I'm not sure if you are asking for private internet usage, home, work, or all?

I have about 10-20 passwords that I need to use fairly regularly - and I'm discounting all those that I need to use to manage corporate or client systems!

They are mostly secure - in that they have a mixture of upper and lower case and include numeric or non-alpha characters.

Of the ones that are under my control, they are almost all variations on a theme that is meaningful to me - even if you put 2 together you would be hard put to work out the connection and guess any others.

I tend to use a single password for all admin accounts that I never share and is unlikely to be broken by brute force!

At home I have a user account for most tasks and a separate Admin account for Admin tasks - I also need to know the children's passwords (and the wife's) then I've got the firewall admin password as well.

I need only about 3 for the vast majority of my personal internet usage - email, banking, PayPal, ebay. But any others are again, variations that might take a couple of attempts to hit if I don't often need them.

Where I am lax is in not changing these passwords very often.

I use a similar approach at work, where we have to change our password regularly - and incrementing by 1 is no longer an option. I never write them down though.

Interestingly I am trialling a SSO (single-sign-on) solution at work that negates the requirement for individual logins to internal corporate systems. Works fine, but is an in-house app.


SD

Mac the Knife
20th Oct 2005, 20:17
5-10 I guess. I tend to use passphrases rather than passwords, since they're easier to remember (and more secure).

Stuff like "A H05tage 2 4Tune" or "A R00m w1th A Vi3w"

Also some which are longish words in a very obscure language that I happen to speak.

They're all on my Palm in an encrypted database (and written on the back flyleaf of Volume 5 of Churchill's "History of the English Speaking Peoples")

Actually, writing passwords down isn't that much of a security risk so long as you don't write them on PostIt notes and stick them to the screen.

HelenD
20th Oct 2005, 21:20
I think I have about 10 passwords that I use, but I don't have the same username and password combination anywhere. None of my passwords are written down. There have been a number of times that I have had to use the password reset functionality because I have forgotten my password, but I would rather that than be compromised. The only password that I share with others is the one for the test PCs at work; all others are known only to me, which my husband is not too happy about. I feel that I can't go preaching about having strong passwords that are not written down or known to others and then not follow my own preaching.

Saab Dastard
20th Oct 2005, 23:27
In addition to having a theme for passwords, I forgot to mention that I also have a bootable linux CD that can "adjust" the SAM on any Windows NT / 2000 / XP system, other than an Active Directory DC. :E

So if memory fails, I usually just reset the Administrator password to blank! :cool:

Blacksheep
24th Oct 2005, 04:30
When an ordinary website asks me to register using an e-mail address and password I always use the Yahoo mail account that I set up specifically for this. I visit once a week and delete the messages without bothering to read them- they are all SPAM by definition. I use my favourite old car's registration number as the password.

Some sites (such as PPRuNe) gave me a unique password. In these cases I memorise it.

I don't bother with on-line banking as I regard the whole internet as not secure enough for any banking purpose. Even ATMs have been hacked for heaven's sake!

I use "Folder Guard" to lock the folders containing information that I wish to keep confidential and use secure passwords to protect it - ten characters in upper case, lower case, numerals and symbols.

Ausatco
26th Oct 2005, 12:31
I use a number of passwords, but have difficulty remembering them, particularly when returning to a little-used password protected website.

To help me out I use Roboform. It stores usernames and passwords and any other personal stuff in an encrypted file. After you've been to a page or site once and filled in the details manually it will remember the details for that page/site and offer to fill it in for you on subsequent visits.

You can protect this activity and all the encrypted data and edit functions with a master password. Roboform will then only fill in the blanks on a page or allow you to view/edit current data if you provide the master password, so if someone knocks off your laptop or gets into your PC they can't maliciously use the automation the program offers or the info it contains.

Works with IE, Slimbrowser, Firefox, Netscape and maybe some others. Not Opera, unfortunately. See Roboform (http://www.roboform.com/)

5 stars, IMO.

Ausatco

egbt
26th Oct 2005, 19:52
Evo

Gartner published some interesting research on this fairly recently, the title was something about password entropy (appropriate for a lapsed astrophysicist :p ). I’m sure big blue can get it for you.

Ausatco

I seem to remember MS had a similar product; it was broken by the hackers within hours of release and caused a lot of red faces:E :ooh:

regards

Evo
28th Oct 2005, 16:19
Thanks, egbt, interesting article - Google proved to be a much quicker way of finding it :)

egbt
28th Oct 2005, 16:59
:mad: When I think how much that service costs :{

Spinflight
2nd Nov 2005, 01:11
If you're interested in the whole area of computer security Evo then I'd recommend Secrets and Lies by Bruce Schneier. Written back in 2000 but still very relevant today.

Most people don't realise that it isn't their password itself which is saved but a Hash of it, otherwise Danny could go around logging into everyone's banking systems. :p

Also by focussing on the entropic complexity of a password, rather than using a random search (brute force) most passwords can and will be cracked within minutes by a tool such as l0phtcrack. Even without access to the hashcodes (which could have several possible sources) the data itself is only hashed on the serverside so sniffing the first 20 or 30 characters of each ip packet which passes across a node would probably get you enough passwords to interesting places not to need any form of cracking.

In his book he mentions some chap who set up a website of interest to sysadmins. Logon details required a reasonably complex password and company name. He had dozens of root passwords within weeks..... :eek: :cool:
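
The two points in the post above, that a server stores a hash rather than the password and that a cracker works from a wordlist rather than the raw keyspace, as an added example that is not from the post or from Schneier's book. It shows a salted, stretched record of the kind a login system should store, a constant-time check against it, and, for contrast, an offline dictionary attack on a constructed table of unsalted SHA-1 hashes, where one hash per guess is compared against every user at once. The usernames, the "leaked" table and the wordlist are all made up.

```python
import hashlib
import hmac
import os
from typing import Optional

# Added example for the thread; no library or product's code is reproduced here.

ITERATIONS = 200_000  # PBKDF2 stretching factor; raise as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh 16-byte random salt means two users with the same password get
    different records, so a precomputed table is useless against the store.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the stretched hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def sha1_hex(s: str) -> str:
    """Unsalted, unstretched SHA-1: what a badly designed site might store."""
    return hashlib.sha1(s.encode("utf-8")).hexdigest()


def crack_unsalted(leaked: dict, wordlist: list) -> dict:
    """Offline dictionary attack on an unsalted hash table.

    Each wordlist entry is hashed once and looked up against every user, so
    the cost is proportional to the wordlist, not to wordlist x users. With a
    per-user salt the attacker would have to redo the whole list per user.
    """
    table = {sha1_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


# Constructed "leaked" table of unsalted SHA-1 hashes (usernames are made up).
LEAKED_UNSALTED = {
    "danny": sha1_hex("password"),
    "evo": sha1_hex("Letmein1"),
    "gonzo": sha1_hex("4tY!q0vLm2pZ#s8w"),  # not in any small wordlist
}
WORDLIST = ["123456", "password", "letmein", "Letmein1", "qwerty", "pprune"]


if __name__ == "__main__":
    record = hash_password("A R00m w1th A Vi3w")
    print("stored:", record)
    print("right password accepted:", verify_password("A R00m w1th A Vi3w", record))
    print("wrong password rejected:", not verify_password("a r00m w1th a vi3w", record))
    print("recovered from unsalted dump:", crack_unsalted(LEAKED_UNSALTED, WORDLIST))
```

The third user survives only because the password is outside the wordlist; the storage format gave no protection at all, which is the point of salting and stretching.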

Saab Dastard
2nd Nov 2005, 21:15
sniffing the first 20 or 30 characters of each ip packet which passes across a node would probably get you enough passwords

Only if sent in plain text - which is not the case using https, where the data is encrypted. This is why you should NEVER use a strong password that you use for any secure purpose over an insecure link.

If you are speaking of LANs, it really is no longer the case that logon passwords are sent in clear text to be intercepted by packet analyzers.

MS have implemented Kerberos since 2000 (although care must be taken in mixed NT and 2000 environments, as NTLM authentication is considerably weaker), where all authentication traffic is encrypted. There's good docs on Kerberos on the MS website.

SD

Spinflight
3rd Nov 2005, 10:13
It's a shame that Microsoft have tried to turn Kerberos into a proprietary standard of their own. It's about as secure a system as you could wish for.

Trouble is that the encryption is merely a marketing tool rather than a serious security feature. Saying that all authentication uses 128 bit encryption (as NT does) sounds wonderful until you realise what is being encrypted.

You could encrypt a single character password using 128bit cyphers and there would still only be 70 or so possible combinations (without salting). It certainly adds an extra layer to the security but doesn't change the fact that the security of the system is still based upon the complexity of the password.

As stated above it is the entropic complexity rather than the length, though l0phtcrack was reckoned to be able to check every possible combination of password in 480 hours on a PII. 5.5 hours for every alphanumeric combination etc.

An opteron with shed loads of memory would cut those times massively.
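
The "70 or so combinations for a single character, whatever the cipher" argument above, carried through as an added example that is not from the thread. It models the search a cracker such as L0phtCrack faces against the two Windows password hashes of that era: the LM hash upper-cases the password, pads it to 14 bytes and hashes the two 7-byte halves separately, so an attacker searches two 7-character spaces and adds the work rather than multiplying it; the NT hash keeps case and the full length. The one-million-guesses-per-second rate is an assumed figure for illustration, not a measurement.

```python
import math

# Added example, not from the thread. The hash-format facts (LM case folding,
# 7+7 split; NT case-sensitive, no split) are the standard description of
# those formats; the guess rate below is an assumption.

# Character-set sizes after LM's case folding (lower case becomes upper).
LM_ALNUM = 26 + 10           # A-Z and 0-9
LM_PRINTABLE = 95 - 26       # printable ASCII minus the 26 folded lower-case letters: 69
NT_ALNUM = 26 + 26 + 10      # NT hash keeps case
NT_PRINTABLE = 95


def keyspace(charset_size: int, max_length: int) -> int:
    """Number of passwords of length 1..max_length over charset_size symbols."""
    return sum(charset_size ** n for n in range(1, max_length + 1))


def lm_work(charset_size: int, password_length: int) -> int:
    """Guesses to exhaust LM: each 7-byte half is cracked independently.

    The second half of a password of 7 characters or fewer is the hash of
    pure padding, recognisable at once, so it costs nothing.
    """
    first = keyspace(charset_size, min(password_length, 7))
    rest = password_length - 7
    second = keyspace(charset_size, min(rest, 7)) if rest > 0 else 0
    return first + second


def nt_work(charset_size: int, password_length: int) -> int:
    """Guesses to exhaust the NT hash: one search over the whole password."""
    return keyspace(charset_size, password_length)


def bits(work: int) -> float:
    """Entropy equivalent of a search of `work` guesses."""
    return math.log2(work)


def hours_to_exhaust(work: int, guesses_per_second: float) -> float:
    return work / guesses_per_second / 3600


if __name__ == "__main__":
    rate = 1_000_000  # assumed guesses per second
    print(f"one printable character under LM: {bits(LM_PRINTABLE):.1f} bits, "
          "however strong the cipher around it")
    print(f"{'len':>3} {'LM alnum (h)':>14} {'LM print (h)':>14} "
          f"{'NT alnum (h)':>14} {'NT print (h)':>16}")
    for n in (6, 7, 8, 10, 14):
        print(f"{n:>3} {hours_to_exhaust(lm_work(LM_ALNUM, n), rate):>14.1f} "
              f"{hours_to_exhaust(lm_work(LM_PRINTABLE, n), rate):>14.1f} "
              f"{hours_to_exhaust(nt_work(NT_ALNUM, n), rate):>14.1f} "
              f"{hours_to_exhaust(nt_work(NT_PRINTABLE, n), rate):>16.1f}")
```

The table makes the practical point: under LM a 14-character password costs the attacker exactly twice a 7-character one, so the long, mixed-case passphrases recommended earlier in the thread only pay off where the NT hash is used and LM storage is disabled.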

joe2812
9th Nov 2005, 11:30
The initials of my first girlfriend followed by the password I was assigned at high school.

8 chars in all.

MadsDad
9th Nov 2005, 15:04
I've got 3 basic passwords. One 'high security' (banks, etc.), the other two relatively low

I use the low often suffixed by a number, at work for instance, where the password has to be changed every month - but all the data is on shared drives so anyone there can access it anyway.

(The best passwords I've ever seen were used by a mate of mine, of Polish extraction. He had a load of the things, all collections of random consonants. I asked him where he got them from and he said they were all names of his cousins).

Conan the Librarian
28th Nov 2005, 21:48
Best bet is to have just one password - and then forget it...


Conan

Spinflight
28th Nov 2005, 22:18
Ooooh eck....

Tried L0phtcrack out on my 2000 machine (for legitimate purposes I hasten to add).. 7 passwords on there in total, it had 5 of them within 5 minutes..... :\

It's doing 650,000 keys per second and all alphanumeric passwords will be checked within 3.5 hours. Figure less than 2 hours on average to find any password. Hell it isn't even a fast machine.... :}

Keef
29th Nov 2005, 14:27
I use one simple, probably easy-to-guess password for all those annoying sites that demand an e-mail address and login password. The e-mail address is the name of the annoying site @ my domain.

Mail to any unknown address at my domain is automatically forwarded to my Spamcop account (which gets a stunning amount of mail every day). Those few that aren't spam are forwarded to me.

The important stuff (PayPay, Ebay, banks, etc) all have unique and hard-to-guess passwords. I keep them all in my iPaq - and have to look them up all too often.

digidave
1st Dec 2005, 20:28
Looks like I'm fairly unique (well 9%) in having 2 sheets of A4 covered in log-in ids and passwords. Maybe I need to rethink my strategy!

I have two work log-ins, my main log-in is supposed to be secure, but all and sundry seem to need to get into my workstation so it's a well known password - just append the number scribbled on the masking tape on the top of my monitor! My other log-in is secure and secret and not written down (it relates to my time sheet).

WG774
8th Dec 2005, 16:32
As others have stated, you don't need 101 passwords if you reserve certain ones for high-security / low-security-web-based etc etc.

The trouble I have is that I'm prompted to suggest a password when I least expect it, suggest one that seems memorable at the time, and therefore find myself in the stressful situation I'm in now where I have over 10 different ones, and can never remember which for which...

I'm nervy about writing them down, and as stated before, reserve certain ones for low-security stuff such as Ppruning, and others for the credit card etc, however, it often takes me several attempts for passwords I don't use regularly, and on top of all the PINs I have to remember I feel as if I'm going into mental overload to be honest...

I couldn't remember the word I used for a credit card, and could only log in to see my statement after having the card for 2 months (the software wouldn't say you had the wrong word, just that the "server was busy").... Not that I should have anything to worry about, but one should check financial statements for obvious reasons...

So anyway, my point is that I don't think having all these passwords makes life any less stressful...far from it.

I have a safe, so I guess maybe I should write them all down and put them in there in case reference is needed.

Not sure if my experience will benefit Evo's article, but it really is a PITA to remember all these words and PINs... :*

Onan the Clumsy
10th Dec 2005, 13:37
I should actually read this thread because I've been meaning to have a rant on JetBlast for a while now about this.

It really p1sses me off :*

I would like to have two, maybe three "levels" of password: an easy one for email, a middle one and a strong one for on line banking. The trouble is that I can't do this because each site seems to have its own rules. Must have eight characters, must have specials, must have letters and numbers.

It's the same for IDs too. I want just a couple. Some places have an underlying "account number" and you can give yourself a nickname, but a lot of places are not that flexible. I have this one banking site and they gave me a random ten digit number that I couldn't change (because of security they said) . This has one of two outcomes: either (1) I have to write it down to remember it, which is of course less secure than me choosing my own or (2) I just don't use their stupid site.

It's the same at work, I have four different IDs with different password rules, and different expiration frequencies. So what do I do? You got it, it's all written on a post it note stuck to my monitor :mad:

AerBabe
10th Dec 2005, 14:16
I use about four. I've got the same one for all the sites that demand a password, but I'm not worried about other people logging on as me. Then others for forums, email and bank.

None of the passwords I use are easily guessable. The one I've been using longest (15 years or so) is a random corruption of a latin name of a fish I used to keep! The others are either random letters, randomly capitalised, or people's unusual names, followed by a number.