2012-06-06 8:11 PM

Subject: If you have a LinkedIn account ...


2012-06-06 8:30 PM
in reply to: #4248788

Subject: RE: If you have a LinkedIn account ...
Thanks for the heads up.
2012-06-07 8:38 AM
in reply to: #4248788

Subject: RE: If you have a LinkedIn account ...
If you use that password for anything else, you probably want to change it there as well.  If they can figure out your login to another site by the info in LinkedIn, say your e-mail address, then they may likely try to log into that account as well.
2012-06-07 12:17 PM
in reply to: #4249410

Subject: RE: If you have a LinkedIn account ...

This is where it becomes hard. I have accounts on probably 50 - 60 sites when I really look at things.  This is one of my older accounts and uses an older email username.  But I would be hard pressed to remember all the sites that I may or may not use that email/password combination.  Fortunately it is not the password for the email account itself.

It makes me wonder how to keep track of all the accounts.  Especially in this age of smartphones where everything from google reader to words with friends requires you to sign in.

2012-06-07 12:43 PM
in reply to: #4248788

Subject: RE: If you have a LinkedIn account ...
They reset my password (and presumably everybody's) this morning. We need to create a new password at next logon.
2012-06-07 1:00 PM
in reply to: #4249995

Subject: RE: If you have a LinkedIn account ...
velocomp - 2012-06-07 1:17 PM

This is where it becomes hard. I have accounts on probably 50 - 60 sites when I really look at things.  This is one of my older accounts and uses an older email username.  But I would be hard pressed to remember all the sites that I may or may not use that email/password combination.  Fortunately it is not the password for the email account itself.

It makes me wonder how to keep track of all the accounts.  Especially in this age of smartphones where everything from google reader to words with friends requires you to sign in.

I use http://keepass.info/

Share the database between all my devices & I have it set up to require both a password and encrypted key file to open.



2012-06-07 2:36 PM
in reply to: #4249410

Subject: RE: If you have a LinkedIn account ...

jmcconne - 2012-06-07 9:38 AM

If you use that password for anything else, you probably want to change it there as well.  If they can figure out your login to another site by the info in LinkedIn, say your e-mail address, then they may likely try to log into that account as well.

Relevant: http://xkcd.com/792/

2012-06-07 2:39 PM
in reply to: #4248788

Subject: RE: If you have a LinkedIn account ...

Also a good time to remind everyone not to use passwords that are "easy". From the article, it looks like they posted only the hashed versions of the password, not the real password. That sucks, but sucks less than if it had been the actual password (which, in a secure system, isn't stored anyway). By doing a lookup against simple passwords like 12345 (my luggage), the thieves can use the hash to figure out a simple/common password. (Note this doesn't work with difficult-to-guess passwords with numbers, symbols, capital letters etc.)

I use LastPass to create and manage passwords for me. Simple, works great, and much more secure than an easy to remember, but useless, password.

2012-06-07 4:02 PM
in reply to: #4250376

Subject: RE: If you have a LinkedIn account ...
cnsegura - 2012-06-07 3:39 PM

Also a good time to remind everyone not to use passwords that are "easy". From the article, it looks like they posted only the hashed versions of the password, not the real password. That sucks, but sucks less than if it had been the actual password (which, in a secure system, isn't stored anyway). By doing a lookup against simple passwords like 12345 (my luggage), the thieves can use the hash to figure out a simple/common password. (Note this doesn't work with difficult-to-guess passwords with numbers, symbols, capital letters etc.)

I use LastPass to create and manage passwords for me. Simple, works great, and much more secure than an easy to remember, but useless, password.

Also relevant: http://xkcd.com/936/

2012-06-07 4:33 PM
in reply to: #4250567

Subject: RE: If you have a LinkedIn account ...
TriRSquared - 2012-06-07 2:02 PM
cnsegura - 2012-06-07 3:39 PM

Also a good time to remind everyone not to use passwords that are "easy". From the article, it looks like they posted only the hashed versions of the password, not the real password. That sucks, but sucks less than if it had been the actual password (which, in a secure system, isn't stored anyway). By doing a lookup against simple passwords like 12345 (my luggage), the thieves can use the hash to figure out a simple/common password. (Note this doesn't work with difficult-to-guess passwords with numbers, symbols, capital letters etc.)

I use LastPass to create and manage passwords for me. Simple, works great, and much more secure than an easy to remember, but useless, password.

Also relevant: http://xkcd.com/936/

 

But amazingly incorrect. That second password *might* be more secure, but only because it's longer. Computer pwd cracking cares only about how long (really how many combinations) a password has, not that it's easy/hard to remember. Make both passwords the same length, but in one only allow real words, and in the second one force the use of caps, numbers, punctuation etc., and the second password strength increases exponentially (because you have more combinations that need to be tried) while the first one remains rather simple to hack because all the computer has to do is try fixed combinations of the 26-character alphabet.

 

 



Edited by cnsegura 2012-06-07 4:35 PM
2012-06-07 5:11 PM
in reply to: #4250647

Subject: RE: If you have a LinkedIn account ...
cnsegura - 2012-06-07 5:33 PM
TriRSquared - 2012-06-07 2:02 PM
cnsegura - 2012-06-07 3:39 PM

Also a good time to remind everyone not to use passwords that are "easy". From the article, it looks like they posted only the hashed versions of the password, not the real password. That sucks, but sucks less than if it had been the actual password (which, in a secure system, isn't stored anyway). By doing a lookup against simple passwords like 12345 (my luggage), the thieves can use the hash to figure out a simple/common password. (Note this doesn't work with difficult-to-guess passwords with numbers, symbols, capital letters etc.)

I use LastPass to create and manage passwords for me. Simple, works great, and much more secure than an easy to remember, but useless, password.

Also relevant: http://xkcd.com/936/

 

But amazingly incorrect. That second password *might* be more secure, but only because it's longer. Computer pwd cracking cares only about how long (really how many combinations) a password has, not that it's easy/hard to remember. Make both passwords the same length, but in one only allow real words, and in the second one force the use of caps, numbers, punctuation etc., and the second password strength increases exponentially (because you have more combinations that need to be tried) while the first one remains rather simple to hack because all the computer has to do is try fixed combinations of the 26-character alphabet.

 

Of course being longer it is more secure. That's what it means when it refers to how many bits are in the password. But it is still correct in that a nonsense phrase is going to be easier to remember for a human than the normal "strong" passwords that have to have a mix of capital and lower case letters, numbers, and symbols (except for "@" and "#"), which are the rules for some sites. Being hard to remember is amplified when you have to change passwords every 6 weeks (like my workplace) - which results in people writing down the password on a physical piece of paper and sticking it on the computer. Which ends up being the opposite of secure.



2012-06-07 7:34 PM
in reply to: #4250720

Subject: RE: If you have a LinkedIn account ...
gearboy - 2012-06-07 6:11 PM
cnsegura - 2012-06-07 5:33 PM
TriRSquared - 2012-06-07 2:02 PM
cnsegura - 2012-06-07 3:39 PM

Also a good time to remind everyone not to use passwords that are "easy". From the article, it looks like they posted only the hashed versions of the password, not the real password. That sucks, but sucks less than if it had been the actual password (which, in a secure system, isn't stored anyway). By doing a lookup against simple passwords like 12345 (my luggage), the thieves can use the hash to figure out a simple/common password. (Note this doesn't work with difficult-to-guess passwords with numbers, symbols, capital letters etc.)

I use LastPass to create and manage passwords for me. Simple, works great, and much more secure than an easy to remember, but useless, password.

Also relevant: http://xkcd.com/936/

 

But amazingly incorrect. That second password *might* be more secure, but only because it's longer. Computer pwd cracking cares only about how long (really how many combinations) a password has, not that it's easy/hard to remember. Make both passwords the same length, but in one only allow real words, and in the second one force the use of caps, numbers, punctuation etc., and the second password strength increases exponentially (because you have more combinations that need to be tried) while the first one remains rather simple to hack because all the computer has to do is try fixed combinations of the 26-character alphabet.

 

Of course being longer it is more secure. That's what it means when it refers to how many bits are in the password. But it is still correct in that a nonsense phrase is going to be easier to remember for a human than the normal "strong" passwords that have to have a mix of capital and lower case letters, numbers, and symbols (except for "@" and "#"), which are the rules for some sites. Being hard to remember is amplified when you have to change passwords every 6 weeks (like my workplace) - which results in people writing down the password on a physical piece of paper and sticking it on the computer. Which ends up being the opposite of secure.

Exactly... what's easier to remember...

RunBikeSwimBackwards (<- not my password to BT)

or

shyT%$#uy90ccrrt%=!



Edited by TriRSquared 2012-06-07 7:35 PM
2012-06-07 7:48 PM
in reply to: #4248788

Subject: RE: If you have a LinkedIn account ...
It takes me over two hours every month to change all my passwords for work.  And the number of them I have keeps growing.  A sticky note is not sufficient for me so I now use an Excel spreadsheet.  The rules on the passwords are so messed up I don't even try and remember them.  I randomly type until I find one that it will accept on the most restrictive system and use that.  I get password rage every single month.
2012-06-07 8:39 PM
in reply to: #4250870

Subject: RE: If you have a LinkedIn account ...
TriRSquared - 2012-06-07 5:34 PM

Exactly... what's easier to remember...

RunBikeSwimBackwards (<- not my password to BT)

or

shyT%$#uy90ccrrt%=!

But for a computer cracking program, the second one is MUCH harder to crack. Sorry, but assuming basic words, particularly words/phrases that can be typed into a typical 8-12 password field is secure just because it's not in "standard" English speaking order is poor security. The computer doesn't care what order the words are typed in. ALL it cares about is how many combinations must be tried before it happens to land on the right order of letters. A password that is easily remembered but easily hacked is useless.

If remembering passwords is really that big a deal, use the services listed here (LastPass etc.) It will generate a strong password, that you don't have to remember at all, it will even fill in your username/pwd for you on a website.

None of this necessarily means that a password has to be hard to use. There are plenty of good ideas being used out there with pattern recognition etc. that do make it secure, and easy to remember. However, if typed out words is your option, more variation, not less, is better.

2012-06-07 9:16 PM
in reply to: #4248788

Subject: RE: If you have a LinkedIn account ...
So, now I know your passwords.
2012-06-08 8:59 AM
in reply to: #4250942

Subject: RE: If you have a LinkedIn account ...
cnsegura - 2012-06-07 9:39 PM
TriRSquared - 2012-06-07 5:34 PM

Exactly... what's easier to remember...

RunBikeSwimBackwards (<- not my password to BT)

or

shyT%$#uy90ccrrt%=!

But for a computer cracking program, the second one is MUCH harder to crack. Sorry, but assuming basic words, particularly words/phrases that can be typed into a typical 8-12 password field is secure just because it's not in "standard" English speaking order is poor security. The computer doesn't care what order the words are typed in. ALL it cares about is how many combinations must be tried before it happens to land on the right order of letters. A password that is easily remembered but easily hacked is useless.

If remembering passwords is really that big a deal, use the services listed here (LastPass etc.) It will generate a strong password, that you don't have to remember at all, it will even fill in your username/pwd for you on a website.

None of this necessarily means that a password has to be hard to use. There are plenty of good ideas being used out there with pattern recognition etc. that do make it secure, and easy to remember. However, if typed out words is your option, more variation, not less, is better.

Now THAT'S bad security.  Having your passwords all in one place and set to autofill on websites?  No way.  That's like not even having a password.  All I have to do is nab your laptop and I have access to all of your accounts and the ability to change the passwords.

 



2012-06-08 9:28 AM
in reply to: #4251507

Subject: RE: If you have a LinkedIn account ...
TriRSquared - 2012-06-08 8:59 AM
cnsegura - 2012-06-07 9:39 PM
TriRSquared - 2012-06-07 5:34 PM

Exactly... what's easier to remember...

RunBikeSwimBackwards (<- not my password to BT)

or

shyT%$#uy90ccrrt%=!

But for a computer cracking program, the second one is MUCH harder to crack. Sorry, but assuming basic words, particularly words/phrases that can be typed into a typical 8-12 password field is secure just because it's not in "standard" English speaking order is poor security. The computer doesn't care what order the words are typed in. ALL it cares about is how many combinations must be tried before it happens to land on the right order of letters. A password that is easily remembered but easily hacked is useless.

If remembering passwords is really that big a deal, use the services listed here (LastPass etc.) It will generate a strong password, that you don't have to remember at all, it will even fill in your username/pwd for you on a website.

None of this necessarily means that a password has to be hard to use. There are plenty of good ideas being used out there with pattern recognition etc. that do make it secure, and easy to remember. However, if typed out words is your option, more variation, not less, is better.

Now THAT'S bad security.  Having your passwords all in one place and set to autofill on websites?  No way.  That's like not even having a password.  All I have to do is nab your laptop and I have access to all of your accounts and the ability to change the passwords.

 

Great!  Unless LastPass gets hacked.

2012-06-08 9:37 AM
in reply to: #4251507

Subject: RE: If you have a LinkedIn account ...
TriRSquared - 2012-06-08 6:59 AM
cnsegura - 2012-06-07 9:39 PM
TriRSquared - 2012-06-07 5:34 PM

Exactly... what's easier to remember...

RunBikeSwimBackwards (<- not my password to BT)

or

shyT%$#uy90ccrrt%=!

But for a computer cracking program, the second one is MUCH harder to crack. Sorry, but assuming basic words, particularly words/phrases that can be typed into a typical 8-12 password field is secure just because it's not in "standard" English speaking order is poor security. The computer doesn't care what order the words are typed in. ALL it cares about is how many combinations must be tried before it happens to land on the right order of letters. A password that is easily remembered but easily hacked is useless.

If remembering passwords is really that big a deal, use the services listed here (LastPass etc.) It will generate a strong password, that you don't have to remember at all, it will even fill in your username/pwd for you on a website.

None of this necessarily means that a password has to be hard to use. There are plenty of good ideas being used out there with pattern recognition etc. that do make it secure, and easy to remember. However, if typed out words is your option, more variation, not less, is better.

Now THAT'S bad security.  Having your passwords all in one place and set to autofill on websites?  No way.  That's like not even having a password.  All I have to do is nab your laptop and I have access to all of your accounts and the ability to change the passwords.

 

Ah, but my laptop is encrypted.  So first you must get through that password.  Course I use an Excel spreadsheet....

2012-06-08 9:43 AM
in reply to: #4250942

Subject: RE: If you have a LinkedIn account ...
cnsegura - 2012-06-07 9:39 PM
TriRSquared - 2012-06-07 5:34 PM

Exactly... what's easier to remember...

RunBikeSwimBackwards (<- not my password to BT)

or

shyT%$#uy90ccrrt%=!

But for a computer cracking program, the second one is MUCH harder to crack. Sorry, but assuming basic words, particularly words/phrases that can be typed into a typical 8-12 password field is secure just because it's not in "standard" English speaking order is poor security. The computer doesn't care what order the words are typed in. ALL it cares about is how many combinations must be tried before it happens to land on the right order of letters. A password that is easily remembered but easily hacked is useless.

If remembering passwords is really that big a deal, use the services listed here (LastPass etc.) It will generate a strong password, that you don't have to remember at all, it will even fill in your username/pwd for you on a website.

None of this necessarily means that a password has to be hard to use. There are plenty of good ideas being used out there with pattern recognition etc. that do make it secure, and easy to remember. However, if typed out words is your option, more variation, not less, is better.

If both passwords have the same number of characters, then a hacking program will take roughly the same amount of time, since it has no way to know whether or not to exclude numbers and symbols, or to use caps or lower case. But the human who has to remember it will struggle to remember the "odd" one, but easily recall the "easy" one. 

Biometrics are going to be the future, although I always think about things like having my eyeball/iris damaged, or losing my thumb in an accident, or having a stroke and thus changing my typing patterns - all of which would result in being unable to use my secured sites.
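
The two attacker models argued over in this thread, as an added example that is not part of any poster's message: guessing character by character versus guessing whole words. The toy word list, the assumed list size of 2048, the one-bit-per-word capitalisation cost and all function names are assumptions made for illustration.

```python
import math
import string

# Constructed toy word list; real guessing dictionaries are far larger.
WORDS = {"run", "bike", "swim", "backwards", "back", "wards", "password", "luggage"}
# Assumed size of the list a passphrase's words were picked from.
DICT_SIZE = 2048

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def charset_size(password):
    """Size of the alphabet a brute-force search must cover for this password."""
    size = sum(len(c) for c in CLASSES if any(ch in c for ch in password))
    # Characters outside the four ASCII classes: count each distinct one once.
    size += len({ch for ch in password if not any(ch in c for c in CLASSES)})
    return size


def brute_force_bits(password):
    """log2 of the search space when every position is tried independently."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def split_words(password, words=WORDS):
    """Fewest-word split of the password into list words, or None if impossible."""
    s = password.lower()
    best = [None] * (len(s) + 1)  # best[i] is the shortest split of s[:i]
    best[0] = []
    for end in range(1, len(s) + 1):
        for start in range(end):
            piece = s[start:end]
            if best[start] is not None and piece in words:
                cand = best[start] + [piece]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[len(s)]


def dictionary_bits(password, words=WORDS, dict_size=DICT_SIZE):
    """log2 of the search space when whole words are guessed; None if not word-based."""
    parts = split_words(password, words)
    if not parts:
        return None
    # log2(dict_size) per word, plus one bit per word for "capitalised or not".
    return len(parts) * (math.log2(dict_size) + 1)


def estimate_bits(password):
    """A password is only as strong as the cheapest model that finds it."""
    candidates = [brute_force_bits(password)]
    by_words = dictionary_bits(password)
    if by_words is not None:
        candidates.append(by_words)
    return min(candidates)


if __name__ == "__main__":
    # The two sample passwords posted earlier in the thread.
    for pw in ("RunBikeSwimBackwards", "shyT%$#uy90ccrrt%=!"):
        print(f"{pw!r}: brute force {brute_force_bits(pw):.1f} bits, "
              f"word model {dictionary_bits(pw)}, estimate {estimate_bits(pw):.1f} bits")
```

Character by character, the two sample passwords land about 10 bits apart; under the word model the first one falls to 48 bits, and that figure holds only if its words were picked at random from a list of the assumed size.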

2012-06-08 10:44 AM
in reply to: #4251615

Subject: RE: If you have a LinkedIn account ...
gearboy - 2012-06-08 10:43 AM

Biometrics are going to be the future, although I always think about things like having my eyeball/iris damaged, or losing my thumb in an accident, or having a stroke and thus changing my typing patterns - all of which would result in being unable to use my secured sites.

Agreed.  I've always said why do we worry about your SS# and bank account #s getting out in the open.  They are going to get out there eventually.  We need a system that allows those #s to be public but useless w/o a unique ID that is PART of you.  Either voice pattern recognition (for phone calls) or biometric scans for in person.

2012-06-08 11:49 AM
in reply to: #4251776

Subject: RE: If you have a LinkedIn account ...
TriRSquared - 2012-06-08 11:44 AM
gearboy - 2012-06-08 10:43 AM

Biometrics are going to be the future, although I always think about things like having my eyeball/iris damaged, or losing my thumb in an accident, or having a stroke and thus changing my typing patterns - all of which would result in being unable to use my secured sites.

Agreed.  I've always said why do we worry about your SS# and bank account #s getting out in the open.  They are going to get out there eventually.  We need a system that allows those #s to be public but useless w/o a unique ID that is PART of you.  Either voice pattern recognition (for phone calls) or biometric scans for in person.

Wait - are you agreeing with my observation that biometrics are coming, or my paranoid ravings about having my eyes fall out, losing my thumbs, and becoming paralyzed?



2012-06-08 12:42 PM
in reply to: #4251936

Subject: RE: If you have a LinkedIn account ...
gearboy - 2012-06-08 12:49 PM
TriRSquared - 2012-06-08 11:44 AM
gearboy - 2012-06-08 10:43 AM

Biometrics are going to be the future, although I always think about things like having my eyeball/iris damaged, or losing my thumb in an accident, or having a stroke and thus changing my typing patterns - all of which would result in being unable to use my secured sites.

Agreed.  I've always said why do we worry about your SS# and bank account #s getting out in the open.  They are going to get out there eventually.  We need a system that allows those #s to be public but useless w/o a unique ID that is PART of you.  Either voice pattern recognition (for phone calls) or biometric scans for in person.

Wait - are you agreeing with my observation that biometrics are coming, or my paranoid ravings about having my eyes fall out, losing my thumbs, and becoming paralyzed?

Yes...

2012-06-08 1:51 PM
in reply to: #4248788

Subject: RE: If you have a LinkedIn account ...
Just logged in to change it and they forced me to anyway.

Edited by mrbbrad 2012-06-08 1:51 PM
2012-06-08 2:29 PM
in reply to: #4250886

Subject: RE: If you have a LinkedIn account ...

bzgl40 - 2012-06-07 6:48 PM

It takes me over two hours every month to change all my passwords for work.  And the number of them I have keeps growing.  A sticky note is not sufficient for me so I now use an Excel spreadsheet.  The rules on the passwords are so messed up I don't even try and remember them.  I randomly type until I find one that it will accept on the most restrictive system and use that.  I get password rage every single month.

 

That reminds me of this one particular work website we have to login to for HR items. The password requirements are so stringent it took me about 50 tries to get one I could remember and that would work. I believe it was something along the lines of Gotoh3llHRsitePW!1!1 (not actually my password but you get the idea).

2012-06-08 3:26 PM
in reply to: #4248788

Subject: RE: If you have a LinkedIn account ...

When I logged into my account, it automatically took me to a page to change my password. I am like others who use a password for multiple sites. Fortunately not on sites with financial information. But hope I can remember them all after changing!!!