I don't do that with my personal machine, but I work in a call center. The computers in the call center are used by various rotating personnel. Someone decided that it was stupid to make everyone memorize a continually changing password, so both the password AND the login id are written on a Post-it note and stuck to the desk for every computer in the call center. Genius.

Most of my passwords have "smart" changes requirments where you can't reuse old passwords for several changes, no duplicate numbers,phrases and characters used in the previous versions.

Instead I use a password program to store all my +60 access requirements. In particular the password program I use is stored on my Palm Pilot. One password to access all my other passwords. Neat, Clean always handy. There are also some nice Freeware password programs that can be used on a PC. Some will even generate a high secure password, so you don;t need to remeber the password as long as you can quickly look it up from a secure database?

Now if I can only get my wife to start using this password software, I am afraid that it can cause some issues in the future because she uses a simular approach you describe.

Maybe you can do an article about these handy password tools?

FH_LH

Among the most idiotic is LiveJournal's claim that my password is "too easy to guess" because it still doesn't have any digits in it.

Well, anybody trying to crack a LiveJournal password KNOWS THAT LiveJournal requires at least one digit and thus will NEVER try mine.

Oh the tediousness and drudgery of having to come up with a new password every 90 days! Now that every one carries a cell phone and a palm pilot and no one memorizes 10 digit phone numbers, folks would have plenty of extra 'processor' cycles to come up with new passwords.

Perhaps it's not your 'processor', but you've spent too many 'cycles' staring at a giant flat screen that you've lost all creativity.

Sure, I'm a computer professional, so memorizing scores of usernames and passwords is an occupational hazard. But, here are a couple of tips for those of you who aren't 'tech saavy' enough to come up with a new password easily.

Think of all the streets you've lived on and use the character substitution trick. Same for Elementary, Middle, High School, and College. Don't use an address or street name you've lived on in the last ten years as that will also appear on your credit report and is therefore more likely to be attempted as a hack.

Do you need a ridiculous number of charaters for a password? Use the International Radio Signals:

PapaAlphaSierraSierraWhiskeyOscarRomeoDelta
make it harder by subsituting characters or randomly throwing in numbers.

It also sometimes helps to come up with a progression of items that you might use: Greek Gods, Planets, colors, candy bars, nats batting order, etc.

I use a base word and add a number to the end. When it expires, I make the 1 a 2, then the 2 and 3, etc. I keep a post-in in a locked drawer with the number. The rest is in my head. After 9, I've made the number of required changes and I can go back to 1.

I have a coworker who will change it when needed and then (in a period of 5 minutes) change it 9 more times and then back to the original.

My bank makes me change every 45 days. But I then go back and change to the "old" password as there isn't a limit on re-using passwords.

The really sad part is that my company does this nonsense, but none of the systems have the password cycles in sync and all have differing requirements.

I've spent many a hour with tech support resetting the password on systems I rarely use and have forgetten which of my core passwords I used. Some of the support people say that very high percentage of their calls involve password resetting.

I use the initials of a line of poetry (non-English)and keep recycling using Rob's tricks (substituting various symbols for letters). This password would look totally random to anyone else.

If you think it is frustrating to "have" to change a password (and I agree it is,) think about what happens when you want to change a password (and/or email address for that matter.)

It isn't easy for about 50% of the sites I subscribe to. I'm currently trying to change email and password for NetLibrary. Got a library staff member to do it--didn't work. Did it myself--didn't work.

Why do I need a password for the local cooking store's newsletter or even NetLibrary? Is somebody going to steal a recipe?

My old bank would do this. My new one just requires two passwords along with a login ID.

In college, the computer system would make us change passwords every six months. We would all simply change our passwords, and immediately change them back. Perhaps it was counterproductive, but I like to think of it as our own little silent protest.

Was it Arthur C. Clarke who commented (in "3001: The Final Odyssey") on how many nonsensical strings of letters and numbers we in today's society are forced to memorize?

Bank account No., ATM PIN, Social Security No., personal computer password, personal e-mail password, work computer password, work e-mail password. And those are just your basic, living-in-the-21st-century people.

I have another two or three dozen accounts with Web sites (like this one) that require passwords, as well as Netflix, school-loan lending agencies, server passwords and application logins at work (lord knows how many passwords IT guys have to memorize), bike lock (trivial, and yet not), wireless network passwords, administrative passwords for my computer, administrative passwords for my parents computer, chat application passwords.

Thank GOD for Keychain in Mac OS X (and I hope to SJ it's as secure as the app's name makes it sound...)

I had a similar argument when my computing group discussed "raising the level" of security by adding various requirements to the password policy. Like some here, I argued that mandating certain items does little to improve the security -- esp since it tells potential hackers what's likely to be in the password.

Also I KNOW I've seen reports that the image-pollution "safe pass" crud that's been foisted 'pon us by banking institutions of late is not secure: people don't bother noticing whether the image presented them is truly the one they picked or not.

And I'd love to see a study wherein it was shown that when forced to insert a non-alphanumeric, 99% of populace chooses.. an exclamation point. And you know the hackers know this, too.

Social engineering remains the easiest way to get someone's password, though: remember when el Reg got people on the street to tell them their passwords in exchange for a PENCIL?

And I've done tech support in too many offices where people will willingly call out a password or helpfully point to a sticky on the machine with the required information. These were NOT offices where I was a familiar face.

Anyway, my old brain doesn' do passwords much, either, so here's another vote for Palm-based (but with nice Mac desktop version) SplashID. I hear KeePass also is highly regarded.

When I worked at a large telecommunications company, I had logins to something like 30 systems. A reflection of the chaos within that company, where mergers caused multiple trouble ticket and provisioning systems to absolutely not talk to each other, each system had different password requirements. Some needed 9 characters, some needed fewer. Some needed to be changed every 30 days, some less frequently. It drove me crazy.

In the days before cell phones and palmpilots, I wrote an Excel file with every login and password, and the date it had last changed. I then password protected the file...and promptly forgot the password. Just about every rep at all the help desks in every department eventually got to know me over the next six weeks. (Hello, Kansas City, Reston, and Atlanta! How's it going?)

Rob, if you're using Windows-based systems, check out KeePass. You can even put it on a USB stick as a portable app and have everything available and encrypted all the time. All you have to do is not forget the password that opens that file. Make sure it's an easier one to remember than the one for my Excel file.

Beginning February 1 all Federal Agencies must comply with new regulations relating to making systems more secure and mandates all users to use a 12 character passwords which expire every 60 days. If and when you need to update your password, the requirements are:
12 or more characters are required (spaces are allowed but do not count as a character),
You will be prompted to change your password every 60 days,
You may NOT use the last 24 passwords you created (meaning, in theory, within the last four years), and
Your account will be locked out after 5 invalid attempts (duration of 15 minutes).

And, if you have access to multiple computer systems (for example, many people have access to an unclassified and a classified computer system, if not multiple programs on those computers), the passwords cannot be the same.

Of course, if you're password is found written somewhere during nightly checks, you've committed a security violation which effects your career.

And, to add passwords to the fold, you have a separate password for personnel issues, separate passwords for access to various other programs, none of which follow the same "change password" schedule.

And they wonder why people have problems working with the government?

Dungarees@gmail.com

I go back and forth between my husband's first name and my dog's name, including a digit at the end that I increase as needed (e.g. james1, then rover1, then james2, then rover2). This is only for my work computer where I make a point of never logging in to any sites, programs, etc. with a "real" password; I too feel good about my little victories.

On my home computer I have a very good (randomly generated) password to log in with and otherwise I just let Firefox remember passwords.

Here at work we are required to come up with a 12-digit password that uses a combination of numbers and upper and lower case letters that are not recognized by the dictionary. It cycles every 90 days and rejects any password too similar to the previous one (e.g., you can't do SubbaSubba12, SubbaSubba13, etc.). For me, it's really hellish trying to come up with 'memorable' unique nonsense and I usually go through 3 or 4 tries before the system accepts the new password. I also have the misfortune to have the renew password cycle hit on Friday, so that over the weekend I have lots of time to forget the new nonsensical password.

Can anyone give me the names of good password generating sites/softwares?

Clearly, our network is heading toward being so secure that no one in the workplace can use it. I'm not a network administrator, so I don't know, but why isn't there a way for the 'outer' network shell to be hardened through stringent security controls to allow 'inner' network users to more easily access their desktops?

I think that locking you out after a few attempts is worse than requiring a change. After three attempts! That's waaaay to few. If someone were really trying to hack your password, it would make very little difference to them if the limit was 3 or 30. I think they should also tell you BEFORE you lock yourself out by adding a message: Warning. If you enter an incorrect password again, your account will be locked out. That way you at least know you're on your last chance.

At my company, it used to be we had passwords assigned to us by Operations that followed a predictable algorythm: first name, last initial, some numbers, equaling 8 characters. I could get onto anyone's computer, which was useful when someone went on vacation. We weren't allowed to change the passwords, either.

Then we had a major security breach.

Now we have to change our passwords every 90 days, and can't reuse them within the past 12 versions or months or something. So I have a base password I use, and then change the ending; everyone else does about the same thing.

Improved security is good, but we've really gone from no security at all to very high security. Maybe we could have tried something in-between first?

RSA SecurID may be what you want.

http://www.rsa.com/node.aspx?id=1156

That way you don't ever have to remember a complete password. Just your partial password and the secure id token. Just try not to lose your token. Though, there is a backup authentication process to access without the token.

I'd be tempted to say that you should try a password manager -- but of course if you need to remember this password to get INTO the terminal, well, that just won't work.

For everything else though, you could try an online password manager. So when hopping from one terminal to the next, you don't have to tote a USB around just to access your logins.

Online vs. Offline password mangers:

http://tinyurl.com/3ba3et

Tara Kelly
PassPack Co-founder

Each system requires different character numbers, letters, characters, different lengths -- minimums and maximums. I was swimming in passwords.

I finally decided to make one master document in Microsoft Word that has all my screen names, passwords, account numbers, everything. Then I password protected the Word document. So my entire security system comes down to the security of a Microsoft Word document.

I run into problems when I have to change my passwords at work, since my one document is for both work and home. Then I redo the document and email to myself. I email it to myself on the first of every month for the heck of it.

And rather than having to click "No." for 13 straight days about not wanting to change my password, I gave up. I change it now the first time it asks, and just update The Document. The Man has won.

Grrrrrrrr. Had Dell tech support on the line and got locked out of my router after three attempts. The guy laughed. Turns out it had one of those gobbly gook computer generated passwords. Life is so complicated. I reset it to a "weak" password for my weak brain. If I need to reset a password I use the above mentioned add a digit, first time around it's something 1, then something 2 and so on.

Rob, you state that forced password changes are a "counterproductive exercise that creates more opportunities for phishing and other social-engineering attack."

My question is, how does the practice create more opportunities for phishing and what is a "social-engineering attack?"

I use the opportunity to help me memorize any numbers I need to remember. I take a simple character password and append a number I would like to memorize (phone number, lock combination, CC number, etc.). After 90 days you are almost guaranteed to remember it.

You get 13 days notice? Some of the systems that require me to change a password give no notice at all. One day I login and it demands a new password before proceeding. New password now: It must conform to the unstated rules for this particular site, system, whatever. Minimum length? Maximum length? Required character types? Forbidden character types? It must be unguessable. It must be memorable. It must be chosen NOW.

The affinity system I sometimes work with, in addition to forcing you change your password periodically, won't ever allow you to use the same password twice. This means every few months I have to call IT to reset my password (since I forgot my old one). I think this actually works against keeping systems secure!

I have a file of passwords on an unprotected computer. I put them in a file with a boring name (like "newshoes.txt") and I have two basic passwords: short (something like "house") and long (something like "schoolhouse").

For places with no restrictions, my file just has the site or computer and "short". For ones with minimum lengths, it may say "long".

If they need numbers it might say 6short or long2000 or something like that. Unless someone figures out what short and long are, I'm safe.

Use the name of a single malt scotch. Guaranteed not to be in any English dictionaries. When the password expires reverse the letters.

As a reminder, keep a collection of the various single malts in your office. If you forget, drink from bottle until you fall over, then remember it was a reversed version.

If that doesn't work, and your account gets locked out for 15 minutes open another bottle....

Slaintè Mhath

I agree it's terrible, but as some of these comments demonstrate people refuse to take the time to pick a good, strong password. If everything goes well and you obey all other security precautions (never authenticate over plain text protocol, never written down/stored in an insecure location, never used at a compromised computer with a keylogger, never fall for phishing scheme, ...) then you would never need to change a good, secure password. Unfortunately in the real world you rarely get that so these expirations are a crutch for those shortcomings.

The biggest issue this creates is it increases the number of password reset calls to IT and someone who wanted to break into an account at a large enough company would just have to call IT and ask for a password reset, which would be routine enough that usually no questions would be asked.

What we really need is a way to move beyond the antiquated security model relying fully on passwords. RSA SecurID, smart cards or USB tokens paired with weak passwords or PIN numbers would be a much better system (but not RFID!). There are still many issues to address with this but it would eliminate passwords' problem of putting burden on the user to do so.

I work as a temp at a law firm, where we're required to sign in and out on a paper log at a central location. The list with our names and sign-in and -out times also lists our user names and passwords.

Mighty fine protection, that.

It's not the tedium of managing one password that's the problem -- it's the lack of standardization. I probably use 25-20 different web sites that require passwords, plus utility accounts, brokerage accounts, bank accounts, credit cards, etc., etc. All told, I probably have 100 passwords out there. Half the time a standard format will work (say, a min of six digits)and I can use the same password. But the other half of the time, each account has some little quirk, like it must be 8 digits, or must be both letters and numbers, or must have a non-alpha and non-numeric character. There's no freakin' way I can ever remember all these variants. Then combine that with username variants (Is it email address? If so, home or work? Something else?) and the non-standard scheudle for changing the passwords on some accounts, and it's totally unworkable. Technology was supposed to make life easier and better.

The Treasury Department has a super-stupid password policy.

The Treasury Direct program allows people to buy I and EE savings bonds on a pre-arranged basis.

In the past, treasury used password schemes similar to banks and brokerages.

Last month, however, they sent along a wallet card so that after you type in your password, you need to enter a three digit confirmation passcode.

Now, if a robber breaks into my house or steals my wallet, he'll know that I have a stash of savings bonds in cycberspace.

the Treasury Direct policy also makes it incredible difficult to check on your account when you are at the office or on vacation or somewhere away from your super secret decoder ring. Or what do you do if you loose or misplace the card?

How come banks and brokerages can deal with security in an annoying but relaitvely unobtrusive way and the feds make it ridiculously complex and unworkable?

Someone needs to inexpensively integrate a biometric ID solution into networks, online banking and VPN's to erradicate the 90 day re-right the PW rule.

I use PasswordSafe on a USB Memory Stick - the passwords are encrypted and are easy to use to login. On Windows, CTRL-T copies your designated userid/password to the previous window you were in. I use KeePass (I think that's its name) on my OSX Mac as it uses the same database as PasswordSafe. One master password for the encryption - don't lose it as there's no back door.

Personally, I want *stronger* passwords than some companies think I should be allowed to use. 8 characters with only letters and numbers? That was weak years ago.

http://www.schneier.com/passsafe.html

Password Gorilla is also cross-platform
http://www.fpx.de/fp/Software/Gorilla/

Use geometric patterns on the keyboard. Then you just need to remember the starting key, shape, and direction.

E.g., triangle starting at 'b': bhu8ik,mn

If you need a capital, capitalize the first letter. Next month, shift the triangle to 'n'. If you need more characters, concatenate two shapes.

Wow....as a security professional, a lot of these comments scare me. If this is what the "bad guys" are up against, you can plan on reading about more breaches in the future. Otoh, that creates more of a job market for me.

I use things like

--my second grade teacher with the year
--my mother and her twin sister's names
--what my younger brother called my mother
--the spelling bee I lost in 4th grade

and other very personal names, events, and dates interspersed with numbers and punctuation.

My favorite is a payroll tax payment site for a state out west. The password is good EXACTLY ONCE. They send you a piece of paper, which you use to log into the system. After that, you're locked out until the next quarter when they send you a new piece of paper....

My favorite password base is a phrase purposefully misspelled in order to force a speech program to pronounce it correctly. The character sequence does not correspond to dictionary words, but I remember it because I had to work hard to create it. Then I substitute a number for one of the letters, and change the number when I have to change my password.

Another favorite process is to use a foreign language colloquial phrase, which is not recognizable in an English dictionary, although if you knew which language it was in you might guess it. With this process you should choose a language not spoken by many people. Navajo would be good, or Estonian. I use one from my ethnic background. Of course, not many Americans pay any attention to languages other than colloquial English; this can be good for security against American hackers, but hard for American password users to remember. Better for me, though.

I have a couple of favorite poems and arias, and like to use the first letter of each word. Then I tack a numeral and exclamation point on the end. When it comes time to change the password, I increase the numeral by one. Seems to work with most password programs.

And just as a backup, there is an obscurely named file in an obscurely named folder somewhere on my hard disk that has all the passwords. Listed in a way that won't be picked up by an indexing program. My substitute for a post-it note, I guess.

I tried to standardize all my personal accounts (100++) on three primary passwords. It works for about 75% but password different rules create problems. I have a simple password for low risk (my loss is low if compromised) sites like cnn.com, nytimes.com, etc; a better password for more important sites (email, etc), and an excellent password for banks and other high risk/yield sites. Oh yeah, one more super excellent pass phrase for PGP. But enough sites have different rules that I have a list of exceptions. I store all my passwords in a PGP encrypted file on my smartphone (well secured) but I can't have my phone where I work (secure environment) so it isn't always available. I have similar problems with userids, so many rules and so many different uids. That is just for personal passwords and uids. Work is another story.

With work passwords, a different one for each system classification level, doors codes, combination locks, gate codes, voicemail pins. They all change periodically. It's a nightmare. I refuse new codes whenever possible because I have just too many to deal with already. The problem is a lot bigger than I can describe here. There's a lot I can't say in a public forum.

I tried to standardize all my personal accounts (100++) on three primary passwords. It works for about 75% but password different rules create problems. I have a simple password for low risk (my loss is low if compromised) sites like cnn.com, nytimes.com, etc; a better password for more important sites (email, etc), and an excellent password for banks and other high risk/yield sites. Oh yeah, one more super excellent pass phrase for PGP. But enough sites have different rules that I have a list of exceptions. I store all my passwords in a PGP encrypted file on my smartphone (well secured) but I can't have my phone where I work (secure environment) so it isn't always available. I have similar problems with userids, so many rules and so many different uids. That is just for personal passwords and uids. Work is another story.

With work passwords, a different one for each system classification level, doors codes, combination locks, gate codes, voicemail pins. They all change periodically. It's a nightmare. I refuse new codes whenever possible because I have just too many to deal with already. The problem is a lot bigger than I can describe here. There's a lot I can't say in a public forum.

I tried to standardize all my personal accounts (100++) on three primary passwords. It works for about 75% but password different rules create problems. I have a simple password for low risk (my loss is low if compromised) sites like cnn.com, nytimes.com, etc; a better password for more important sites (email, etc), and an excellent password for banks and other high risk/yield sites. Oh yeah, one more super excellent pass phrase for PGP. But enough sites have different rules that I have a list of exceptions. I store all my passwords in a PGP encrypted file on my smartphone (well secured) but I can't have my phone where I work (secure environment) so it isn't always available. I have similar problems with userids, so many rules and so many different uids. That is just for personal passwords and uids. Work is another story.

With work passwords, a different one for each system classification level, doors codes, combination locks, gate codes, voicemail pins. They all change periodically. It's a nightmare. I refuse new codes whenever possible because I have just too many to deal with already. The problem is a lot bigger than I can describe here. There's a lot I can't say in a public forum.

I'm with marquisem on this - you people scare me.
I am an I.T. professional, I work in a datacenter, and in any given day I have to use 8 or 10 or 12 different passwords, most of which meet standards of best password practices. Of course I don't LIKE to see the "password about to expire" but come on folks, get over it.
I don't use mnemonics or re-use passwords with one little change. I use random letters, numbers, special characters and after I've entered it 2-3 times it's memorized. It really and truly isn't a big deal, so get secure!

I'll even give you one of my current passwords as an example - q2Nk4%]p 98
It looks hard to remember, but it's not, really and truly it's not.

I recently suffered a stroke, and the aphasia makes remembering passwords a nightmare. Also I can't type error free, when all appears is ********. The whole password ethos is a violation of the ADA laws.

Sever years ago I turned off the automatic password expiration feature on all our computer.

"My primary avenue of protest against these policies is to keep using the same raw material for each new password. I memorize one short, non-obvious phrase--the root words don't appear in a any dictionary--and then make the minimum number of changes necessary to placate the pin-headed password gods. For instance, I'll replace an "i" with "1," then 90 days later I'll turn the "1" into an "!", which will in turn be succeeded by an "|"; eventually, I've gone full circle and I can revert to the original "i.""

I try this avenue too at my work. The only problem is, our system store the last 24 passwords associated with your user name, so it gets kind of hard to "reuse the raw material" after awhile.

I use chemical formulas in my pass words to make them more secure.
For example,
nacldog = saltydog , h2Obug = waterbug. Of course the suffix is still a number++ every cycle.

Really it should be your thumbprint that is then encrypted and a password key is derived from it using a encryption sequence that's randomly generated for each individual in the company. This way it's constantly changing for security reasons but you never have to know what it is or memorize.

I love all the comments from the IT guys. Well here's one back at LALA. I'll see you your 12 and raise you 35. That's right, I have 47 passwords that I keep recorded on my HD. Some of these systems I won't access for months at a time. This does not include the login info for the laptop I keep this info on.

Instead of posting smug, self congratularly comments about how this isn't a problem for you, how about some useful advice on how to remember this stuff? You know, like the rest of the posters on this thread?

The IT promise: "Hey, we don't produce much, but at least we're secure"!

A contest! I had 72 passwords at my previous job - a certain Federal gov't agency wouldn't let us use a common authentication method like LDAP, so all developers and Sysadmins had individual accounts on every server. And they expired every 60 days ... I survived only because I kept the passwords stored in the encrypted PasswordSafe. Anybody want to guess how many passwords were 'hidden' on yellow stickies under the keyboard?

To Mike--booknet: tools like PasswordSafe make passwords easier to use, though you still have to remember the one master password. Perhaps this would help you with the aphasia. I never thought of that problem. Another thing you can do is type your password into a text program, then cut-and-paste it into the password field. This way you can see what you type. You could even type your username and password together, then cut-and-paste the password from the username field into the password field.

Brian Krebs' column today speaks of "a huge recent spike in the cost of computer intrusions for banks and consumers". Perhaps weak passwords are part of the problem, eh!
http://blog.washingtonpost.com/securityfix/2008/03/the_fdic_computer_intrusion_re.html?nav=rss_blog

I've also taken to using a complex username. One site I use allows longer and more complex usernames than it does passwords!

My bank just implemented a point-and-click entry for my PIN (after using my userid/password to get in). And they made it work only with Internet Explorer! Time to switch banks.

It's a jungle out there ...

The webcomic AF Blues has the best take on this:

http://www.afblues.com/?p=27

@Chris Viking

I win the contest. I have well over 200 passwords. :)

Your bank implemented an IE-only technology?! That's so.... bad.

We encourage users to analyze, comment on and even challenge washingtonpost.com's articles, blogs, reviews and multimedia features.

User reviews and comments that include profanity or personal attacks or other inappropriate comments or material will be removed from the site. Additionally, entries that are unsigned or contain "signatures" by someone other than the actual author will be removed. Finally, we will take steps to block users who violate any of our posting standards, terms of use or privacy policies or any other policies governing this site. Please review the full rules governing commentaries and discussions.