Evo

I'm doing a bit of (academic) work looking at password usage. It probably hasn't escaped your attention that almost everybody online wants you to register with a username and password - in the last week i've counted 55 separate password requests at work and play, and i'm not that much of an internet user, honest...

So, a thoroughly unscientific poll, but i'm interested in how y'all cope. One password everywhere? A few? Or unique passwords everywhere? Please be honest, and comments welcome - if you have a smart way of doing it, or just use one password and don't care, or...?

P.Pilcher

I tend to use one for the bank and one for everything else. My main password is a word of over six characters that I can easily remember. What infuriates me is those unnecessarily "super secure" sites which insist that the password is made up of a combination of letters and numbers which you have no hope of remembering - 'cos you are not supposed to write them down! I tend not to bother with such sites, nor the ones which cancel your password every three months and insist you invent another one.
I have now even managed to crack the problem of logging onto PPRuNe every 24 hours on my home machine. I won't need to log on again until 2010 unless I log off or clear out my cookie folder!
(rant over)

P.P.

gas path

Do you want a list of usernames and passwords to help in your 'research'

As for me, a 'ballpark' figure is........I gave up counting at 60 some of those do use the same password though with different usernames etc.
Problem is though I do write them down in a note book

Evo

It's alright, I can't remember my own, let alone anybody elses...

Genghis the Engineer

Use a car registration.

Ideally not a current car if you want to be ultra-secure. Somebody elses, one you scrapped years ago, your first car - something you'll remember, but anybody else would struggle to guess.

I suppose than an American aircraft registration would work too if you have a favourite, or use a page of your logbook as the key.

G

drauk

Some years ago I gave a lecture to some computer science postgrads at UCL. At the time they were doing a lot of research in to this issue and other password related matters. Perhaps you can find a copy of it on the web?

What I hate it is things that make you change your password periodically. I think, empirically, this is almost certainly going to reduce security, because you end up having to write it down. And what does it add? If someone gets your existing password then chances are they'll do the damage the want to do in the month or so before you have to change your password.

Another thing that is stupid is the use of asterisks when entering a password on a tiny little screen, like a mobile phone - how many times have you been typing a code/password in to a mobile phone and feared someone watching you? If someone you really didn't want to know was behind you wouldn't you just not type it in at that moment? It's fine for cashpoint machines, maybe okay for computers, but mobile phones? It's daft.

Anyway, I'm off to set everyone's PPRuNe password to 'password'.

Spinflight

I use three passwords, though the 'third' comprises of the various types of X I have used or owned over the years so runs to 20 odd types.

One crap password for irritating internet sites and a secure one for important stuff.

If I use the third type I can sometimes have to spend 20 minutes cycling through them till I find the right one!

I once worked for a bank which demanded a secure password change every month. Complete pain in the arse and counterproductive as everyone kept their latest password on a bit of paper in their drawer.

Gonzo

I tend to use one, or variations of that if sites require upper case and/or numbers. I read a PC magazine article a year ago where the author described his scheme, where each password was unique, as it was made up of certain characters in the website's URL.

frostbite

What currently pi55es me off most about using eBay is the number of times I am taken off to the slow (I'm on dialup) https signin site - typically 4-5mins to load.

Fair enough if I'm placing a bid, but to get sent there because I want to watch something/contact a seller/look at 'my ebay' is ridiculous, especially as all pages tell me I am logged in!

Yes, I do tick the 'keep me logged in' box but it seems to mean nothing.

Evo

On Firefox, Real Men hack a textfile that says "don't edit this textfile" and edit a number that's milliseconds since 1970 or somesuch. Other people use the CookieEditor extension. You need to edit two cookies called bbuserid and bbpassword, make them expire whenever you feel like. I use 2015

On other browsers, I dunno.

Binoculars

I use two passwords. No more. The deciding factor is whether I would want my daughters to see what's behind them.

Saab Dastard

EVO,

I'm not sure if you are asking for private internet usage, home, work, or all?

I have about 10-20 passwords that I need to use fairly regularly - and I'm discounting all those that I need to use to manage corporate or client systems!

They are mostly secure - in that they have a mixture of upper and lower case and include numberic or non-alpha chracters.

Of the ones that are under my control, they are almost all variations on a theme that is meaningful to me - even if you put 2 together you would be hard put to work out the connection and guess any others.

I tend to use a single password for all admin accounts that I never share and is unlikely to be broken by brute force!

At home I have a user account for most tasks and a separate Admin account for Admin tasks - I also need to know the children's passwords (and the wife's) then I've got the firewall admin password as well.

I need only about 3 for the vast majority of my personal internet usage - email, banking PayPal, ebay. But any others are again, variations that might take a couple of attempts to hit if I don't often need them.

Where I am lax is in not changing these passwords very often.

I use a similar approach at work, where we have to change our password regularly - and incrementing by 1 is no longer an option. I never write them down though.

Interestingly I am trialling a SSO (single-sign-on) solution at work that negates the requirement for individual logins to internal corporate systems. Works fine, but is an in-house app.


SD

Mac the Knife

5-10 I guess. I tend to use passphrases rather than passwords, since they're easier to remember (and more secure).

Stuff like "A H05tage 2 4Tune" or "A R00m w1th A Vi3w"

Also some which are longish words in a very obscure language that I happen to speak.

They're all on my Palm in an encrypted database (and written on the back flyleaf of Volune 5 of Churchill's "History of the English Speaking Peoples")

Actually, writing passwords down isn't that much of a security risk so long as you don't write them on PostIt notes and stick them to the screen.

HelenD

I think I have about 10 passwords that I use but I dont have the same username and password combination anywhere. None of my passwords are written down there have been a number of times that I have had to use the password reset functionality because I have forgotton my password but i wold rather that than be compromised. The only password that I share with others is the one for the test PC's at work all others are known only to me which my husband is not too happy about. I feel that I cant go preaching about having strong passwords that are not written down or known to others then not follow my own preaching.

Saab Dastard

In addition to having a theme for passwords, I forgpt to mention that I also have a bootable linux CD that can "adjust" the SAM on any Windows NT / 2000 / XP system, other than an Active Directory DC.

So if memory fails, I usually just reset the Administrator password to blank!

Blacksheep

When an ordinary website asks me to register using an e-mail address and password I always use the Yahoo mail account that I set up specifically for this. I visit once a week and delete the messages without bothering to read them- they are all SPAM by definition. I use my favourite old car's registration number as the password.

Some sites (such as PPRuNe) gave me a unique password. In these cases I memorise it.

I don't bother with on-line banking as I regard the whole internet as not secure enough for any banking purpose. Even ATMs have been hacked for heaven's sake!

I use "Folder Guard" to lock the folders containing information that I wish to keep confidential and use secure passwords to protect it - ten characters in upper case, lower case, numerals and symbols.

Ausatco

I use a number of passwords, but have difficulty remembering them, particularly when returning to a little-used password protected website.

To help me out I use Roboform. It stores usernames and passwords iand any other personal stuff in an encrypted file. After you've been to a page or site once and filled in the details manually it will remember the details for that page/site and offer to fill it in for you on subsequent visits.

You can protect this activity and all the encrypted data and edit functions with a master password. Roboform will then only fill in the blanks on a page or allow you to view/edit current data if you provide the master password, so if someone knocks off your lapptop or gets into your PC they can't maliciously use the automation the program offers or the info it contains.

Works with IE, Slimbrowser, Firefox, Netscape and maybe some others. Not Opera, unfortunately. See Roboform

5 stars, IMO.

Ausatco

egbt

Evo

Gartner published some interesting research on this fairly recently, the title was something about password entropy (appropriate for a lapsed astrophysicist ). I’m sure big blue can get it for you.

Ausatco

I seem to remember MS had a similar product; it was broken by the hackers within hours of release and caused a lot of red faces

regards

Evo

Thanks, egbt, interesting article - Google proved to be a much quicker way of finding it

egbt

When I think how much that service costs