I am sick nearly unto death of the endless need for more and better passwords, and of how websites always have some nonsensical scheme I have to abide by to “make them more secure.” Yet we don’t actually do what has proven to be of more value security-wise with our passwords. It is not all the crazy characters, the 8-character minimum, the at least one number and one capital letter. Actually strong passwords are derived from strong entropy considerations, not from spelling it p4$$w0rD or deciding no one will ever think of the word avocado. The minimal requirements to get through the darn form are of no concern, and we typically put what we’ve always put whenever possible.
One of the more recent developments is the Diceware method of generating passphrases. It works in much the same way but gives you your words from random lists: you roll dice and look the result up in a numbered word list, so each word is chosen uniformly at random rather than by you. And with the advances in password cracking, your passphrase should contain, as of this writing, 6 unique words. I do this for everything that needs actual security, and I’ll often add in capital letters just for a few more easy entropy bits.
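To make the entropy argument concrete, here is an added example (not code from the original post): a small Diceware-style generator that rolls five dice with a cryptographic RNG, maps the roll to a list index, and works out the bits of entropy for a six-word passphrase versus an 8-character “one number, one capital” password. The eight-word SAMPLE_WORDS list is a constructed stand-in for a real 7776-entry Diceware list; the entropy figures use the real list size.

```python
import math
import secrets

# A real Diceware list has 6**5 = 7776 entries, keyed "11111".."66666".
DICEWARE_LIST_SIZE = 6 ** 5

# Constructed stand-in word list, only so the generator runs offline.
# Entropy calculations below deliberately use DICEWARE_LIST_SIZE, not len(SAMPLE_WORDS).
SAMPLE_WORDS = ["avocado", "kettle", "orbit", "plaza", "quartz", "violin", "saddle", "ember"]

# Upper bound on the pool for a typical site password: all 95 printable ASCII characters.
PRINTABLE_ASCII = 95


def entropy_bits(pool_size: int, length: int) -> float:
    """Entropy of `length` independent, uniform picks from `pool_size` choices."""
    return length * math.log2(pool_size)


def roll_dice_key(num_dice: int = 5) -> str:
    """Roll `num_dice` fair dice with a CSPRNG; returns a Diceware key such as '43146'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(num_dice))


def dice_key_to_index(key: str) -> int:
    """Map a Diceware key ('11111'..'66666') to a 0-based list index; the key is base-6."""
    index = 0
    for ch in key:
        face = int(ch)
        if face < 1 or face > 6:
            raise ValueError(f"invalid die face in key {key!r}")
        index = index * 6 + (face - 1)
    return index


def diceware_passphrase(words, n_words: int = 6, capitalize: bool = False) -> str:
    """Pick n_words uniformly at random with replacement (as Diceware does).

    With capitalize=True each word is Title-cased on an independent coin toss, which
    is what adds a bit per word; capitalizing a fixed position adds nothing.
    """
    chosen = []
    for _ in range(n_words):
        word = words[secrets.randbelow(len(words))]
        if capitalize and secrets.randbelow(2):
            word = word.capitalize()
        chosen.append(word)
    return " ".join(chosen)


def passphrase_bits(list_size: int, n_words: int, capitalize: bool = False) -> float:
    """Entropy of the scheme above: log2(list_size) per word, plus one bit per word
    when the capitalization coin toss is random."""
    return entropy_bits(list_size, n_words) + (n_words if capitalize else 0)


if __name__ == "__main__":
    key = roll_dice_key()
    print(f"roll {key} -> list entry {dice_key_to_index(key)}")
    print("passphrase:", diceware_passphrase(SAMPLE_WORDS, capitalize=True))
    print(f"6 Diceware words:           {passphrase_bits(DICEWARE_LIST_SIZE, 6):.1f} bits")
    print(f"6 words + random caps:      {passphrase_bits(DICEWARE_LIST_SIZE, 6, True):.1f} bits")
    print(f"8 random printable chars:   {entropy_bits(PRINTABLE_ASCII, 8):.1f} bits (upper bound)")
```

Six dice-chosen words come out at roughly 77.5 bits, while even a perfectly random 8-character password over all printable ASCII tops out near 52.6 bits; a human-chosen one meeting the “number and capital” rule is far below that, because the choices are not uniform.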
For low-impact accounts I have a mutation-based password method that I use. It has a permutation pattern that I can apply quickly and easily. But I know it is not ACTUALLY a secure password. However, it is typically enough for the quick drive-by password attempts; at least it isn’t drowssap1. And with the mutations I don’t use the same password repeatedly, so if one platform is compromised it doesn’t put my bank accounts at risk.
There was an interesting article today on Ars Technica regarding passwords, and the policies we enact in the attempt to be more secure, such as 60- or 90-day mandatory password resets.
Frequent password changes do little to improve security and very possibly make security worse by encouraging the use of passwords that are more susceptible to cracking.
It was very interesting to see that it is the opinion of some within the FTC that frequent password changes are actually the enemy of security! And there are studies showing that frequent password changes barely change the chance of a password being cracked, and are actually counterproductive.
Of course the worst part of all the mandatory passwords is that most people are unable to remember the nonsense, and they put themselves at risk and destroy all security by writing their passwords on Post-it notes or taping them under the keyboard or in a drawer.
Do yourself a favor and at least update your secure passwords to something you can remember without having to write it out.