Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
Security

Ask Slashdot: Changing Passwords For the New Year? 339

Posted by timothy
from the just-use-2012-and-your-initials dept.
New submitter windcask asks "Every New Year's Day, I assemble and memorize a random collection of seven to ten mixed-case alphanumeric characters and proceed to change every password I have on the interwebs to these characters (plus a few extra characters unique to the site). The problem is I only change them on the sites I visit. Once in a while, I'll come across a site I haven't visited for a few years, and I may end up not being able to guess the password before the try-lockout takes effect. What are your password-changing rituals, and how do they deal with situations like mine? I do use Keepass for work, but it is sometimes impractical for times I'm at other computers."
This discussion has been archived. No new comments can be posted.

Ask Slashdot: Changing Passwords For the New Year?

Comments Filter:
  • Pwdhash (Score:4, Informative)

    by Overly Critical Guy (663429) on Friday December 30, 2011 @06:53PM (#38543812)

    I use a free implementation of the Stanfard PwdHash algorithm for the Mac called Locksmith (here on the app store [apple.com]). There are also websites that implement PwdHash, and even a Firefox add-on. By changing one master password, all the passwords I generate will automatically be changed when I regenerate them.

    • It doesn't always work, because sometimes somebody's given it a password other than "password" or "passw0rd" or "Passw0rd", and sometimes I want my actual name on an account, but for the most part the worst case is that somebody will start writing letters to the editor of the New York Times or Podunk Gazette with my name on them, or my Yahoo account will get spam advertising sales in zip codes other than 90210.

    • by hairyfeet (841228)

      I have a really simple system called....I really don't care. Most of the sites i go to have total bullshit data about me, hence bullshit passwords. if a place is bullshit, why should I care? The few things that are NOT bullshit have a decent password which is simple to remember, its the make and model and serial to one of my favorite basses with all of the vowels capitalized. that gives me a nice looong password with letters numbers caps and symbols that nobody is guessing.

      For those that have trouble with

  • Ahem (Score:5, Insightful)

    by Anonymous Coward on Friday December 30, 2011 @06:54PM (#38543824)

    What a good way to harvest guessing algorithms... Not giving you mine!

    • Yeah, if ever there was a phish attempt, this is it. Makes me wonder the common sense of those nominating posts like this.

  • by Joe_Dragon (2206452) on Friday December 30, 2011 @06:55PM (#38543834)

    but it's the new year time to change password12 to password1

  • Lastpass (Score:5, Interesting)

    by Anonymous Coward on Friday December 30, 2011 @06:55PM (#38543838)

    https://lastpass.com/

    • Re:Lastpass (Score:4, Insightful)

      by pionzypher (886253) on Saturday December 31, 2011 @09:47AM (#38547844)
      I second lastpass.com.

      IMHO it has by far the most elegant integration between chrome, FF, android browser and IE6 @ work. Changing passwords on a regular basis causes very little heartburn. Tinfoil hats need not apply though as your passwords aren't stored locally and you rely on the company keeping their db secure... For those who can get past that though, it blows kepass out of the water even when sharing the pass file via something like dropbox.
  • http://xkcd.com/936/ (Score:5, Informative)

    by Anonymous Coward on Friday December 30, 2011 @06:57PM (#38543862)
    • by kurthr (30155) on Friday December 30, 2011 @07:01PM (#38543910)

      I only use correct_horse_battery_staple now that I know how hard it is to guess!

      • by rubycodez (864176)
        now I don't even need the xkcd $5 wrench to get yours.
      • by Whiteox (919863)

        Yeah but there are no numbers in that and underscore may not be accepted on some sites. Also it's more than 12 characters.
        Best solution I came up with is to change the keyboard layout to include diacritical marks and make a password to include some of those characters.éíáý

    • by grumbel (592662)

      That sadly fails on like 40% of the services out there, as they don't allow passwords longer then 20 or so characters.

    • by hedwards (940851)

      Ultimately, even that isn't enough to really solve the problem. If you have 2 or 3 sites that you need to track, it's probably not a problem, but these days just about every site demands a log in to use, even free sites, good luck keeping 20 or 30 sites straight even with a simplifier like that. At that point you might as well just use 30 or 40 random characters as you're not going to remember 20 or more unique log ins.

      • by datavirtue (1104259) on Friday December 30, 2011 @10:38PM (#38545492)

        I just login everywhere with FaceBook!! Problem solved!

    • by Ambvai (1106941) on Friday December 30, 2011 @07:33PM (#38544228)

      I use a variant of that: Pick a line from a song you know well. It also works well with monthly rotations: Just pick the nth line from the song. Admittedly, last time I had a problem with that when I needed somebody else to use my account and they couldn't spell Ipanema...

  • by chrisgeleven (514645) on Friday December 30, 2011 @06:58PM (#38543870) Homepage

    Enough said.

    • by Krishnoid (984597) *
      Or Lastpass. I've heard good things about 1password as well.
    • by Fnord666 (889225)
      The problem with 1password is that they want you to buy a license for each platform. If you have both a OSX and a Windows machine, an iPhone and an iPad you are looking at shelling out $85 - $90 in licensing costs. Base cost for just the Mac app is $49.99. I think the only reason a lot of people have it is because 1password seems to be in most evey mac app bundle out there. It's a good app, but I don't know if it's $50 good.
  • Password manager? (Score:5, Informative)

    by OttoErotic (934909) on Friday December 30, 2011 @06:59PM (#38543880)
    Why not use a password manager and skip all that hassle? I use a portable version of KeePass, with both the app and my password database synced through Dropbox so I have them everywhere, including my phone. Random 20+ character passwords for every site and you can set expirations for every one so you don't have to remember when to change them, and all you have to remember is the master password. I don't understand why everyone in the world doesn't do this, it's just so convenient.
    • by artor3 (1344997) on Friday December 30, 2011 @07:03PM (#38543932)

      Because it can be inconvenient. Say I want to log in to a particular site on a friend's computer. I don't want to download KeePass on their PC, so I have to read the password off my phone. Reading and typing a 20+ character random string without errors is the opposite of convenience.

      • That makes sense, I guess I just never have that need myself. Although in that case I would think something similar but browser-based, like LastPass would work well.
      • If there's a password you're actually expecting to need to type yourself now and then, use a passphrase or something similar. Even if you aren't concerned with memorizing the passphrase, five or six randomly selected words are usually much easier to type quickly and accurately, and you just need to look at your password vault for a reminder.

      • by Krishnoid (984597) *
        Lastpass is pretty popular and works in exactly this case. In particular, it makes it easier to have longer, unique passwords for different sites.
      • by slaad (589282)

        It isn't really hard to download keepass, and if you use keepass portable it doesn't even need to install and can just run in place. If you don't want to download it you can keep it on a flash drive and run it right off of it. Or (on Android) put it on your phone's SD card and plug it in and run it right off of it.

        I guess it depends on how often you end up needing to do it, but for me the occasions in which I need to manually type out passwords is so rare that it's worth the bother. Also, you might find tha

    • by ve3oat (884827)
      And if you are at all shy about using the same p/w manager as everyone else, I recommend PasswordSafe by Bruce Schneier [schneier.com] of TwoFish encryption fame. Get it at SourceForge [sourceforge.net].
  • by roc97007 (608802) on Friday December 30, 2011 @06:59PM (#38543894) Journal

    Keepass is available for Blackberry, ios, android. (even Windows 7 Mobile, if that's how you roll.) You can migrate database files between PC and handheld device. (Although you should be careful of having company passwords on a personal device -- there might be a policy against that.)

    In your case, I'd spend an hour of quality time in keepass changing your passwords, sync it to work and home PC and whatever device you carry, then make all your websites conform.

    As to websites you haven't visited in a long time and have forgotten about, I don't have an answer. I have essentially the same problem with forums that require you to register to participate. I may only visit the forum once, but my login is forever.

    • by lakeland (218447)

      I use 1Password. It has a feature of providing an interface with all your passwords, the sites they are for and the last time you changed that password. I have never done so but it would be fairly painless to sort by last modified date and update all of your old passwords.

      I don't know Keepass but a quick google search shows this information is stored, so you could always export the data and process it that way if there is no GUI feature.

  • by John Bresnahan (638668) on Friday December 30, 2011 @07:00PM (#38543900)
    There are versions of Keepass available for both the iPhone and Android (perhaps others as well). I use DropBox to keep my phone and main computers in sync. Works like a champ!
  • I don't care (Score:4, Insightful)

    by Threni (635302) on Friday December 30, 2011 @07:01PM (#38543908)

    I gave up caring a few years ago. I protect my online banking, amazon etc passwords (write them down at home, long and random) but everything else I couldn't care less. If my Slashdot/openid etc ones get guessed or whatever then I'll just create a new account. Don't kid yourself that anyone cares about your online persona - they don't. Friends will get an email from you about your new G+/facebook account. Everyone else will just not be interested in "RandomInternetGuy10248034034" now being known as "RandomInternetGuy23038908343". It's just not worth the mental effort remembering, nor the paper writing down 40 odd passwords. It's just some website.

    • Re:I don't care (Score:5, Insightful)

      by Dwedit (232252) on Friday December 30, 2011 @08:09PM (#38544538) Homepage

      This only applies to people who don't have Moderator or Admin privileges on websites. Otherwise, you need to keep your account safe.

      As a regular user, the worst someone can do is a Joe Job, make the compromised account send nasty things to other users, or send a ton of spam.

      But if you've ever been a Moderator or Admin, you need to keep your password safe.

      • by Zadaz (950521)

        As a regular user, the worst someone can do is a Joe Job

        Obviously you don't understand Joe Jobs. There is no need to get anyones password to send emails that appear to come from someone else's address.

    • by Mia'cova (691309)

      Sure.. but before your friends get a new FB/G+ request, they'll get a whole bunch of spam written as recommendations/requests from you. I get annoyed when my friends spam me. I consider it pretty rude for them not to protect their account as it leaks anything I set as private and exposes me to spam I don't want to see. So I try to encourage my friends to be smart when it comes to things like FB as it's only a useful tool so long as we keep up the signal-to-noise ratio and some minimum amount of security/pri

  • I completely adopted the strategy described in this article: The Only Secure Password is the One You Can't Remember [lifehacker.com]. Essentially, I have a different password for every single website, service, etc. and all of them are behind a strong master password in a software called 1Password. The encrypted file is saved to DropBox, so it's both online and on several computers (including my smartphone). For more detailed description and reasoning for why that's good, see the article.

    The upsides: It's extremely unlikel

    • by rubycodez (864176)
      it's hardly the end of the world if you lose all your passwords, you can go through the hassle of "I forgot my password" on four dozen sites.
    • Add CrashPlan into that, and you have a way to recover your passwords even if all your machines are destroyed in a tornado. :) I use all of these together, and I never have trouble getting to a password - even my droid phone can get at them.

  • There are a handful of sites that I visit very infrequently, like my (now closed) student loan site, or my domain registrar.
    When I want to log in, I use the "forgot/reset password feature" and wait for a link to show up in my inbox. I "click here" to change it to something random and needlessly complicated, log in and don't bother writing it down.

  • by dmomo (256005) on Friday December 30, 2011 @07:13PM (#38544036) Homepage

    And since it's easy to find out what the make of my first car was, or what year I graduated, I have an alter ego with answers to those questions. I know what year "she" was born, "her" mother's maiden name, etc.

    As an extra layer, I don't just answer "What year did you graduate high school" with: 1938.
    I say: "year1938". And one more layer:

    Since this is likely stored as plain text, I have a site-unique word mixed in:
    "year1938banking"

    • by DamnStupidElf (649844) <Fingolfin@linuxmail.org> on Friday December 30, 2011 @08:22PM (#38544658)
      My password files just look like this:
      user: damnstupidelf
      pass: glintprickjuliatrunkwouldexcelhymnallearhopbloat
      first girlfriend: razeblazetrudytdmoltnobitalysankassetzd
      high school: actsdrurybyrneavailprofit'llsjmeaddrawpave
      some_other_weakest_link_in_site_security_question: alleysandalohmichead60fendweighhamlinwillstout

      I sign up for site accounts using email addresses at random domains that will expire soon. No chance of plaintext password-reset emails being sent out and intercepted unless the site uses a non-SSL third party relay.

      The password files are symmetrically encrypted with a passphrase that isn't used anywhere else. Long diceware passphrases are immune to rainbow tables, dictionary and brute force attacks, and rubber hose cryptanalysis (I can't remember them), although some worthless sites limit the length of password form fields (shouldn't the site salt and hash passphrases to a fixed number of bits immediately, thus negating the need to limit the length? Yes.) and I have to revert to uuencoding 16 bytes from /dev/random.

      The password files are on an encrypted partition using an ephemeral key on a netbook and there's a generator for power outages longer than a couple hours. Alt-SysRq-B has been modified to wipe RAM before rebooting. I hooked up a USB heart monitor as an actual deadman switch to use when I sleep.

      NO ONE is getting my WoW forum credentials.
  • For sites I don't visit often, I just reset the password every time I go there. Sure it takes a couple of extra minutes, but these are sites that I visit a couple of times a year or less. For sites I visit a lot, remembering the password is not a big deal.

    Think of it as poor man's federation with you email password.
  • I don't (Score:5, Insightful)

    by smash (1351) on Friday December 30, 2011 @07:17PM (#38544066) Homepage Journal
    I have sufficiently secure passwords that I see no benefit in changing just because.
  • write 'em all down, store them in a couple safe places. In general access to people's information, identity theft, and fraud isn't done via passwords, there are much easier ways.
  • If you have to try so much that you're going to get locked out (surely you suspect something after one or two failed attempts), doesn't the site offer some sort of password retrieval function? I know this doesn't really answer your question directly, but it seems like it would work for the few sites you seem to forget about each year.

  • The annual meeting of paranoid geeks?

  • by Above (100351) on Friday December 30, 2011 @07:28PM (#38544184)

    If you look at all the possible attack vectors and scenarios changing your passwords once a year change your statistical chances of being hacked or losing data very little. The ROI is low enough I wouldn't recommend changing your passwords on a regular schedule.

    Picking good (as in hard to crack) passwords is more important. For random web properties using different passwords for each so when one is compromised and caught storing passwords in plain text only one account is compromised is key.

    However, that's all not what I want to talk about. This entire question is the result of a huge failure of the industry. Every web site uses a password. Every one has a different idea of what a "good" password is, meaning if you come up with one (or use a generator) it won't always be allowed. Google has taken a step forward with their two factor options (via say, a cell text) but that's not really a practical option for many small web sites.

    This is an excellent case for a PKI. Users should generate a public-private key pair, and provide the public key to the web site upon sign up. Extra authentication steps could be done at setup (web of trust a la PGP, known entities, a la X.509, callback texts, whatever). Users would sign a login blob with their private key to authenticate.

    Using the same key for many web sites is much less dangerous. Compromising the web sites, and all the public keys, gets the attacker approximately nothing. They can be stored in plain (unencrypted) format on the web server. The only attack is to get the users private key, which can be encrypted on their machine behind passwords, biometrics, or whatever. Getting one user's private key gets you only one user, it's a low value attack.

    What's needed is a standard format for this encrypted exchange, and then support by clients (from web browsers to ssh clients) and their corresponding server services. This is where the industry is letting us down.

    If the big 15-20 web properties could get together with the big 4 browsers and make this happen it would be huge leap forward.

    • by KevMar (471257)

      Identify what accounts you need to keep secure or protected. Bank accounts, services where your credit card is available for one click purchases, and your email account. use your good passwords on them and rotate them like you are.

      Then use one password for all your worthless accounts that truly don't matter. You don't even need to change this one. Still make it a good password though. So if someone hacks slashdot.org, they will get access to my evernote, flicker, and twitter accounts. But I have what 1

  • I use a separate random user/password for each online account. If I post comments to "angryITworkers.com" (example), and the uid/password gets compromised, there's little to worry about. It cannot be used to access my bank account or other resources. Invalidate the compromised account, and damage will be very limited.

  • I keep my Keepass database on dropbox, so I can access it on any computer on which I can run the Keepass program. I then remember 3 passwords: my dropbox password and my Keepass password, of course, and my primary email password in case I lose access to my Keepass database for some reason and need to regenerate all my passwords. Works for me.
  • Use LastPass (Score:5, Informative)

    by darkmeridian (119044) <william DOT chuang AT gmail DOT com> on Friday December 30, 2011 @09:24PM (#38545088) Homepage

    LastPass is a web-based service that syncs your passwords across your computers, Android devices, iPhone, and Blackberry. Supposedly, it uses client-side encryption so even if the stored data is compromised, it is useless without your password. Most importantly, it supports Google Authenticator so those with Android devices can use it to generate secure keys needed to log in.

  • by KevMar (471257) on Friday December 30, 2011 @10:05PM (#38545284) Homepage Journal

    My method has slowly evolved over the years. I grew up on a crappy dial up connection out in the country. Our ISP gave us a generated strong password. Our connection would constantly drop and I would have to enter that password in several times a night. I kept that password and slowly morphed it over time. It kept getting stronger and stronger with every evolution. I did this with 2 passwords. One for secure stuff and one for everything else.

    Then not too long ago, I discovered rainbow tables. Pre-generated LM password hashes. My passwords were not in the free tables, but they would be in one of the more detailed collections. Then I started doubling my short passwords by typing them twice. Instant 16 char passwords that were easy to remember and type. Sometimes I would mix it up and use 2 of my old 8 char passwords together. I would think password1 then password2 and type them just as fast.

    More recently with smartphones and now tablets, my passwords were just a monster to enter in. One password was lnnLllnnlnnLllnn where l = lower, n = number, L = upper. A total pain when you also have to swap from numbers to letter on the key pad. My current passwords are much simpler, very fast and easy to enter, and even longer than before.

    One of the passwords that I just cycled out contained 2 swype-able (dictionary) words and a full 10 digit phone number. My short one was 19 character, easy to remember, and super fast to type on my computer and moble device. Entering the password is much more natural. I can swype on my moble and bounce over to the number pad on my desktop. I work in IT constantly get comments of shock from users when they see me enter my long passwords on systems.

    I do reuse passwords on sites more often then I would like to admit. I treat my email as the master password. With that, all other accounts can be reset. I have my financial password, my work password, my social password, and then everything else password. That everything else password is used on all accounts that I don't care about or don't impact me financially. The everything else password never gets changed. I will usually take 3 guesses at a password on a site. If its not my current one, previous one, or the everything password. I then request a password reset and set it to the everything password.

    I never know what to put for a password hint on the sites that ask.

  • by Nethead (1563)

    I've never changed my slashdot password. Maybe the next decade.

  • by mibus (26291) on Friday December 30, 2011 @11:26PM (#38545754) Homepage

    Git + GPG + a GPG-VIM plugin.

    I use "vim" to edit my password file as if it is plain-text; git pull/commit/push to make changes to it.

    If I need to roll back, I check out an older copy of the file.

It is much harder to find a job than to keep one.

Working...