103 Comments
- roastedbagel, on 10/12/2007, -1/+41
I work for an IT HelpDesk at a rather large company, and despite all the different areas of problems I deal with on a regular basis, resetting passwords is probably 70% of the problems I deal with every day. It's beyond obnoxious.
- dustyshadow, on 10/12/2007, -0/+23
Well, when corporations make you use a different system for everything such as payroll, timecards, benefits website, document repository, PC logins (I could go on and on) and require you to use an auto-generated password for each one, what do you expect? I can't be expected to remember 10 passwords. It's completely ridiculous. And then to top it off, they make you change each of them every 2-4 months.
- mymoustache, on 10/12/2007, -4/+27
Ok, here's the deal. I hope somebody reads this.
Use a password scheme. USE A PASSWORD SCHEME.
Let me explain. Say you want different passwords for windows login, gmail and aim.
Pick ONE password. We will use "password."
Then, for each service, set your password as "password@SERVICENAME"
So, instead of three easily forgotten random passwords we get three relatively strong, easily remembered passwords.
pass1: password@windows
pass2: password@gmail
pass3: password@aim
The "@" scheme is easy for most people because they are used to using that syntax with email addresses, but could just as easily be replaced with any other character, and the order or number of the password elements could be changed further.
EASY
- seattle98104, on 10/12/2007, -1/+22
I'm a choose-one-password-and-stick-with-it sort of guy.
The only ones I can't stick to are my work accounts (Unix and Windows); I have to change them every few months or so, but I've worked out a system of using the same characters in a rotating order. It's the only way I'd remember them.
Crikey.
- gosix, on 10/12/2007, -5/+23
keep ass. hmm
- armbar, on 10/12/2007, -0/+14
I'm similar in that I have a list of about 6 or 7 passwords that have different levels of "security" for me. The ones that would be harder to guess, and harder to type, are a higher security level for me. The easy ones are for random registrations, medium are for email or other non-critical, and high are for banking and computer login.
I don't really worry about most of my passwords being detectable, since you'd have to be logged into my computer (which has a harder to guess password) to even have the chance to enter them.
- jsd8cc, on 10/12/2007, -1/+14
That's why I use KeePass. You only have to remember one master password. This allows you to create some really secure passwords without having to remember them (and thus, changing them is no problem).
http://keepass.sourceforge.net/
- audioobsessed, on 10/12/2007, -0/+12
I have about 20 passwords at work but I only use 3 on a day to day basis. For the rest of them I just type in random ***** and then call the help desk when I need to use that program. Works like a charm :-)
- LordOfTheSponge, on 10/12/2007, -0/+8
My company has about 15 different passwords for various systems.
They all have different "rules" as to what a password must contain. And they all have different requirements on how often they need to be updated. It is totally insane. A lot of people I work with just write them down somewhere.
- Matt2k, on 10/12/2007, -0/+7
> The whole point of multiple passwords is to make everything more secure, your keyring programs take that away, only leaving one password to access everything when you are on your computer.
Baloney. If your workstation is that compromised, nothing is going to save you from a keylogger (you still have to type them in!). What do you propose to do then, when you have upwards of hundreds of passwords, if not securely encrypt them in a lockbox or write them down. Memorize them all?
> Let me explain. Say you want different passwords for windows login, gmail and aim.
> Pick ONE password. We will use "password."
> Then, for each service, set your password as "password@SERVICENAME"
That may work if you're always using trusted big name resources. Maybe. But what if Forum XYZ's database is cracked, or an online store you frequent has their database copied? Suddenly your password scheme is awfully darned transparent and guessable. So really this scheme isn't a whole lot better, except that it makes cracking the hash the first time a little bit harder. Assuming that particular site is even bothering to encrypt the password.
- simd, on 10/12/2007, -0/+7
Passwords really should have been killed off as a method of authentication a long time ago and replaced with certificates.
- inactive, on 10/12/2007, -0/+7
@mymoustache:
The password schemes don't really work for two reasons:
1) Different passwords require different things. Some require upper and lower. Some just lower case. Some all numbers. Some have max length. Some specify character/letter order (can't do assd1. must be ass1d)
2) THEY MAKE YOU CHANGE THE PASSWORDS AT VARYING INTERVALS. I can't have a standard password, when I'm forced to change that password on one system every 3 months, and another system every month.
To be honest, the benefits of rotating passwords are dubious. If your users share passwords, rotating doesn't help. If they don't share, rotating isn't really needed. Nobody is going to spend 3 months trying to brute-force guess your password, and then be foiled by a change.
I'd be interested in anyone who has examples of why requiring password changes should be required at all.
- white1827, on 10/12/2007, -0/+6
S-OX regulations have encouraged my company to require all passwords to expire every 30 days. So half of the users now use the month and year as passwords. Super safe!
- threepio, on 10/12/2007, -0/+5
Keychain in OS X works wonders for me.
- fume, on 10/12/2007, -0/+5
Not to mention that when resetting the passwords, I also have to remember 30 different passwords. All this just so I end up getting locked out while attempting to reset a password for a user. Ridiculous.
- mymoustache, on 10/12/2007, -0/+4
@persol
Honestly, requiring password resets has the singular effect of preventing coworkers from using each other's passwords (or their bosses') for a few days, until they learn the new one.
At least it gives them the chance to "undo" the fact that they gave it away in the first place, but generally few people really care, or understand why they should.
Generally, in our office, this process just slows work down for a couple of days every few months.
- terrya64, on 10/12/2007, -0/+3
I was forced just today to change my password in SAP. It happens like every month or so. My password I just changed was 1234567a. Since we have to do it so often I try to keep it simple. On top of that we have our Outlook password, computer login and passwords for the support websites. What a pain...
- sycorob24, on 10/12/2007, -0/+3
Same as others on here, I recommend KeePass (http://keepass.sourceforge.net/). It's open-source, so shouldn't have any crazy trojans in it. You create a database of logins and passwords, and the whole thing is encrypted with another (preferably hard) password that you make up. So I go to a random web app that I haven't used in a while, double-click the KeePass icon in the tool bar, enter my master password, find the entry for the web app, Ctrl-C the password to the clipboard, and paste it into the web form. Most of the time I don't even know what the password is that I'm using. 7 seconds later, KeePass clears the clipboard.
One of the best damn programs I've ever installed. I've even emailed the password database to myself for safekeeping, comfortable in the knowledge that nobody's going to hack an AES-encrypted file even if they do get their hands on it. And since it doesn't show the password on the screen ever (I actually have to paste into a text document if I want to see it), I can fire it up with a coworker at my desk and not worry about it.
- xswag, on 10/12/2007, -0/+3
I like KeePass. It can be found at Sourceforge.
http://keepass.sourceforge.net/download.php
It's available in all flavors: Win32, OS X, Linux.
OS X and Linux users look here
http://keepassx.sourceforge.net/en/downloads.html
- gd007, on 10/12/2007, -0/+2
try abc123 for every system.
- CosmicJustice, on 10/12/2007, -0/+2
That is the greatest post I've ever seen.
- VeganG, on 10/12/2007, -0/+2
15+ passwords? My head would explode.
- cajunman4life, on 10/12/2007, -0/+2
I use KeePass installed on a USB drive. I also have pwman (http://pwman.sourceforge.net/) installed on one of my UNIX machines. It uses gpg to encrypt its database.
- diggdat, on 10/12/2007, -0/+2
The best solution I have read for this was in a prior posted story on password salting:
http://blog.stevex.net/index.php/2006/02/17/common-password-salting/
I consider this story good advice.
I also like password variations in the form of an e-mail address.
E.g.
Fakepass@somefakeYada.org
This bogus example is a 29 character, mixed case password with two symbols in it and you can still use the great ideas listed in this article.
Come up with a variation that works for you and use the salting technique in the article (I have no affiliation with the blog it is on, it was posted previously on Digg).
I used to use a mnemonic, but this is easier...
- britkev1, on 10/12/2007, -0/+2
Problem is that most companies do not promote the use of tools like KeePass. There are lots of options for companies in this area but they don't seem to see it as being the large problem that it actually is.
- syberghost, on 10/12/2007, -0/+2
Or use a HARDWARE password manager:
http://www.thinkgeek.com/gadgets/security/7573/
(I use a scheme. Actually, two schemes; one for work, and one for not-the-work.)
- AriaStar, on 10/12/2007, -1/+3
Last count I had 17 different passwords for work, all requiring a capital, a lower case, a number, AND a special character. All of my passwords but one have a limit of 45 days. When they expire, I can't use a password if it was one of my last five. So every few days a password expires and I have to come up with a new one. Even using the same five or six and rotating them is annoying because I have to remember which I'm on. Only one password doesn't expire, so I'm blissfully unaware of what it even is anymore as I just saved it. Um, I keep them written on a pink Post-It (I am a girl, I can use pink) hidden near my computer.
Is basically requiring a piece of paper somewhere any more secure than allowing fewer passwords?
- josegutz, on 10/12/2007, -0/+2
I remember my passwords because I keep them all the same...
Password: $0hBu99ah!
- OBDriftwood, on 10/12/2007, -0/+2
We were evaluating a commercial password caching type product. Works fine but it's just one more layer of crap for the data center staff to maintain.
The first thing users log on to is their workstation using their Windows/AD user-name and password. AD uses standard Kerberos tickets and is a standard LDAP directory. I tried to make the point that all our apps should key off of that. If the app can't handle Kerberos or LDAP we shouldn't be using it. Not a popular opinion and not practical in all cases, but that should be the goal for a Windows shop.
- doctorcaligari, on 10/12/2007, -0/+2
I agree with you on most points, and lord knows I deal with that situation on a daily basis.
However, I won't call those users dumb (even though I sometimes feel like it). They are just ignorant of computers and computer programs. Most users tend to think that everything on a computer is one-dimensional (i.e. the operating system, programs, websites, hardware is all on the same level). Most users think everything on a computer is actually part of the computer itself, so that's why they can't tell you anything. Windows-Word-IE-Email is a computer to them.
To turn this example around: I am a man. I know nothing about makeup. To me, it's all the same. My girlfriend could go on and on about foundation, eyeliner, lipstick, hair products, etc. I don't know what the hell she is talking about. I just nod and say OK. And that is exactly what everyone does to us "computer people" when we try to tell them something. They don't know what the hell we are saying, and they don't really care. They just know that you will bail them out next time, because that's your job.
- sebnukem, on 10/12/2007, -0/+2
I have one good(*) password and use it everywhere.
* meaning it survived common password-cracking library runs, such as John the Ripper.
- youareretarded, on 10/12/2007, -0/+2
Software and hardware password keeping solutions are great, IF your company allows them.
Mine doesn't :(
- atbnet, on 10/12/2007, -0/+2
That password hardware manager looks very handy; too bad it's so expensive. I wish I could buy just one.
- simd, on 10/12/2007, -1/+3
"Then, for each service, set your password as "password@SERVICENAME""
Love the idea... Only problem I can foresee is some services - especially web sites - limit password length to, say, 10 characters.
- rjfrederick, on 10/12/2007, -0/+2
I also worked at a first level help desk for a large company. The 70% estimate on password related calls is pretty accurate. This company made you change your password every month. I always told people to use an algorithm to help them remember their password. For example, the password for September, you can use: Sep2006 and so on. This helped reduce the number of password related calls greatly.
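white1827's observation (a 30-day expiry pushes users to the month and year) and rjfrederick's Sep2006 "algorithm" describe the same candidate space, and it is worth seeing how small it is. The Python below is an added example written for this page, not code posted by either commenter: it enumerates that space for a handful of likely spellings (the list of formats and the year range are assumptions) and adds the kind of filter a password-policy check could run to reject such a password at change time.

```python
# Added example: the month/year password space behind a 30-day rotation policy.

# Month names; the abbreviations match rjfrederick's "Sep2006".
MONTHS = (
    ("Jan", "January"), ("Feb", "February"), ("Mar", "March"), ("Apr", "April"),
    ("May", "May"), ("Jun", "June"), ("Jul", "July"), ("Aug", "August"),
    ("Sep", "September"), ("Oct", "October"), ("Nov", "November"), ("Dec", "December"),
)

# Assumed spellings a user is likely to pick; each entry is a format string.
FORMATS = (
    "{abbr}{year}",    # Sep2006 (rjfrederick's example)
    "{abbr}{yy}",      # Sep06
    "{lower}{year}",   # sep2006
    "{name}{year}",    # September2006
    "{mm}{year}",      # 092006
    "{mm}-{year}",     # 09-2006
    "{mm}/{yy}",       # 09/06
)


def date_candidates(years):
    """Every month/year password in FORMATS for the given years (a wordlist)."""
    out = []
    for year in years:
        for mm, (abbr, name) in enumerate(MONTHS, start=1):
            fields = {"abbr": abbr, "lower": abbr.lower(), "name": name,
                      "year": year, "yy": f"{year % 100:02d}", "mm": f"{mm:02d}"}
            out.extend(fmt.format(**fields) for fmt in FORMATS)
    return out


def guesses_per_account(years):
    """How many tries an attacker needs per account to cover the whole space."""
    return len(date_candidates(years))


def is_date_password(password, years):
    """Policy-side check: True if the password is a month/year stamp, ignoring
    case and up to two trailing decoration characters (Sep2006!, Sep2006!1)."""
    cands = {c.lower() for c in date_candidates(years)}
    pw = password.lower()
    for strip in range(0, 3):
        core = pw[: len(pw) - strip]
        if core and core in cands:
            return True
    return False


if __name__ == "__main__":
    years = range(2005, 2008)
    print("candidates for 2005-2007:", guesses_per_account(years))
    for pw in ("Sep2006", "sep2006!", "092006", "correct horse battery"):
        print(f"{pw!r:26} rejected={is_date_password(pw, years)}")
```

With seven spellings and a three-year window the whole space is 252 strings, and an attacker who knows the change month only needs the seven for that month; a lockout threshold of five wrong attempts is the only thing in the way. The filter is deliberately a blocklist check rather than a regex so that adding a new spelling is a one-line change to FORMATS.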
- NeoTechni, on 10/12/2007, -0/+1
"I know on the internet I have dozens and dozens of passwords. What is one to do?"
I remember them all. Simple solution.
- encognito, on 10/12/2007, -0/+1
Chalk up another vote for KeePass! I have used this FREE program for years off of a USB flash drive. It is so handy because you don't even need to install it on any computer.
- inactive, on 10/12/2007, -0/+1
I used to work for an equipment broker that dealt with old computer surplus, primarily from banks. I cannot tell you how many laptops and monitors we ran across with usernames and passwords taped all over them, kind of a cheat sheet applied with Scotch tape. Scary that the stuff was out of banks... but it shows the problems faced in the workplace. They say the average is 15 passwords... that's just at work... add the ones people have to remember on home systems... makes me want to have a beer.
- inactive, on 10/12/2007, -0/+1
Simple solution.
Install fingerprint readers.
Bam! Third wheel.
- McNamron, on 10/12/2007, -0/+1
Yep, another vote for KeePass. There's also a PocketPC version available, so you can keep your passwords with you and accessible when you're not by your PC.
Handy.
http://keepass.net/
- encognito, on 10/12/2007, -0/+1
I say again, KeePass doesn't even need to be installed on the computer. It runs independently of the underlying OS and is so small that you can install it and run it on a 128MB USB key drive from 6 years ago. It generates supremely random passwords of any length with check boxes for upper, lower case letters, numbers, symbols, etc. It also stores URLs which you can click on to launch your web browser instead of clicking on a link in a possible phishing e-mail. It also wipes the clipboard of stored passwords after 10 seconds or less if you want. And it is open source and 100% FREE.
- encognito, on 10/12/2007, -0/+1
It is not a problem for the top people in a company or even middle management, which is why it is not addressed. It is probably seen as a personal problem, not a company problem. Thus people who can't remember their passwords don't say anything to the higher-ups for fear of looking stupid.
- peterlisanti, on 10/12/2007, -0/+1
Amen brother - we run almost the same AD setup at my shop.
- gbob, on 10/12/2007, -0/+1
Thank you for the Mac / Linux version link. Now I don't have to Boot Camp / Parallels to get my password!
- AxeSwinger, on 10/12/2007, -0/+1
Been using it for the better part of two years; it's great. You can use a password to access the data or a USB drive as a key, so security can be greater than just a master password but would require a physical key.
- alsutton, on 10/12/2007, -0/+1
I've been working on a multi-user web based password safe and a lot of companies are coming round to wanting this. With things like Sarbanes Oxley coming into force a lot of companies have little choice about needing something, but it's taking them time to understand what they need and what they should do.
Oh... and if you're interested, the app I've written is at http://www.argosytelcrest.com/eps.html
- Ahnteis, on 10/12/2007, -0/+1
I tell my users to write them down AND keep them with their credit cards. Everyone knows that you don't leave your credit cards around for people to look at. It's simple, it's effective, and they don't have to worry about forgetting effective passwords.
For myself, I use different passwords depending on the importance. Bank / etc get one password. Personal information stores get another. Random forums (like this one) get one that I don't really care about.
- smellinator, on 10/12/2007, -1/+2
@mymoustache
As has been already stated, your scheme does not improve security.
Your scheme needs to be modified to hash the password and location into something that is not recognizable by anyone at that location.
If your passwords are
password@windows and password@gmail, consider something not so obvious. Instead of the word "password", use something more random, but meaningful. Like the initials of the lyrics of a favorite song: "is this the real life, is this just fantasy. Caught in a landslide...." password becomes ittrlitjf
Take the location, and hash it some way as well. I think keyboard hashes are the easiest. Shift your fingers. gmail becomes h,so; (other hashes on the location can use phonetics, alternating letters, reverse, insert characters, etc., but just stick to the same scheme)
Once you have established a scheme (like - "I always use the characters ittrlitjf plus the service name, shifted over on the keyboard"), then you have a pretty secure password. It won't be obvious at gmail that your password for yahoo is ittrlitjfusjpp.
or, use http://mushpup.org/ to do the hashing for you.
I have had a scheme since my first experience on the internet back in the 80's and I had to recall one of those passwords just the other day - one that hasn't been used in 20 years. And I was able to recall it. No sweat. Not written down, not re-used. Just a scheme that I have used for 20 years. Recalling what my IRC password was ...well, it was a piece of cake!
- kweee, on 10/12/2007, -0/+1
My password for everything is my age: three and a half.
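mymoustache's password@SERVICENAME scheme, Matt2k's objection that one breached site makes the whole scheme transparent, and smellinator's keyboard-shift variant can all be tried in a few lines. The Python below is an added example written for this page, not code posted by any commenter and not mushpup's algorithm: the keyed variant is a hypothetical HMAC-SHA256 derivation, the row layout is a US QWERTY assumption, and "forumxyz" is a constructed breached site. The attacker functions assume the scheme itself is known (it is a convention, not a secret) and that one plaintext password has leaked.

```python
# Added example: three per-service password schemes and what one leak reveals.
import base64
import hashlib
import hmac

# US QWERTY rows, for smellinator's "shift your fingers one key to the right"
# transform (g->h, m->, a->s, i->o, l->; turns "gmail" into "h,so;").
QWERTY_ROWS = (
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
)
SHIFT_RIGHT = {row[i]: row[i + 1] for row in QWERTY_ROWS for i in range(len(row) - 1)}


def keyboard_shift(text):
    """Replace each character with the key to its right; others pass through."""
    return "".join(SHIFT_RIGHT.get(c, c) for c in text.lower())


def at_scheme(master, service):
    """mymoustache: password@SERVICENAME."""
    return master + "@" + service


def shifted_scheme(master, service):
    """smellinator: master followed by the keyboard-shifted service name."""
    return master + keyboard_shift(service)


def keyed_scheme(master, service, length=16):
    """Hypothetical keyed derivation: HMAC-SHA256(master, service), base64, truncated."""
    digest = hmac.new(master.encode(), service.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()[:length]


def recover_master(scheme, leaked_service, leaked_pw):
    """Strip the service-derived suffix from a leaked password.
    Returns None when the leak does not fit the scheme or the scheme is keyed."""
    if scheme is at_scheme:
        suffix = "@" + leaked_service
    elif scheme is shifted_scheme:
        suffix = keyboard_shift(leaked_service)
    else:
        return None  # keyed output is not separable by pattern matching
    if leaked_pw.endswith(suffix) and len(leaked_pw) > len(suffix):
        return leaked_pw[: -len(suffix)]
    return None


def predict_password(scheme, leaked_service, leaked_pw, target_service):
    """Given one leaked (service, password) pair, predict the password elsewhere."""
    master = recover_master(scheme, leaked_service, leaked_pw)
    return None if master is None else scheme(master, target_service)


def brute_force_master(scheme, leaked_service, leaked_pw, wordlist):
    """Offline dictionary attack on the master: the leak is a free oracle."""
    for guess in wordlist:
        if scheme(guess, leaked_service) == leaked_pw:
            return guess
    return None


if __name__ == "__main__":
    # Constructed scenario: the breach at "forumxyz" leaks this user's password there.
    for scheme in (at_scheme, shifted_scheme, keyed_scheme):
        leaked = scheme("ittrlitjf", "forumxyz")
        guess = predict_password(scheme, "forumxyz", leaked, "gmail")
        print(f"{scheme.__name__:15} leak={leaked!r:24} gmail guess={guess!r}")
    # Keyed output hides the master from pattern matching, but a weak master
    # still falls to a dictionary run against the leaked value.
    weak_leak = keyed_scheme("password", "forumxyz")
    print("dictionary hit:", brute_force_master(keyed_scheme, "forumxyz", weak_leak,
                                                ["letmein", "qwerty", "password"]))
```

Matt2k's point falls straight out of the first loop: for both pattern schemes a single leaked plaintext gives back the master and therefore every other password, with the keyboard shift adding nothing once the trick is known. The keyed scheme stops that, but only if the master is not in a wordlist, because the leaked value lets an attacker test guesses offline at full speed. None of the three helps with simd's 10-character limits or with a site that stores the password unhashed.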
- halleyscomet, on 10/12/2007, -0/+1
I've memorized a finite number of alphanumeric mixed case passwords and cycle through those. Every now and then I drop an older one from the rotation and add a new one.
I used to work with a guy who recited the entire "Man from Nantucket" limerick, claiming to use the first letter of each word to build his password.
The fact that this left him with far too many letters didn't deter him. He just relished the chance to make us squirm by reciting the damn thing with such gusto ten to twenty times a day.