Security

Ask Slashdot: Changing Passwords For the New Year?

A new submitter asks "Every New Year's Day, I assemble and memorize a random collection of seven to ten mixed-case alphanumeric characters and proceed to change every password I have on the interwebs to these characters (plus a few extra characters unique to the site). The problem is I only change them on the sites I visit. Once in a while, I'll come across a site I haven't visited for a few years, and I may end up not being able to guess the password before the try-lockout takes effect. What are your password-changing rituals, and how do they deal with situations like mine? I do use Keepass for work, but it is sometimes impractical for times I'm at other computers."
  • Pwdhash (Score:4, Informative)

    by Overly Critical Guy ( 663429 ) on Friday December 30, 2011 @07:53PM (#38543812)

    I use a free implementation of the Stanford PwdHash algorithm for the Mac called Locksmith (here on the app store [apple.com]). There are also websites that implement PwdHash, and even a Firefox add-on. By changing one master password, all the passwords I generate will automatically be changed when I regenerate them.
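
    The comment above describes the PwdHash idea: one memorized master secret, with each site's password derived from it and the site's domain, so that changing the master changes every derived password at once. The block below is an added example written for this page, not PwdHash's own code or the Locksmith app's. It uses HMAC-SHA256 over a normalized domain, keeps only letters and digits, and retries with a counter until a typical "upper, lower, digit" policy is met; all of those choices are this example's assumptions, not the real PwdHash construction.

```python
import base64
import hashlib
import hmac

# Illustrative per-site password derivation in the spirit of PwdHash.
# NOT the real PwdHash algorithm: HMAC-SHA256, the domain normalization and
# the policy retry loop are this example's own assumptions.


def normalize_domain(site: str) -> str:
    """Reduce a URL or hostname to a bare lowercase host.

    'https://www.Example.com:443/login' -> 'example.com'
    Two spellings of the same site must map to the same string, otherwise
    the derived passwords silently differ and you lock yourself out.
    """
    host = site.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0].split(":", 1)[0]
    if host.startswith("www."):
        host = host[len("www."):]
    return host


def meets_policy(password: str) -> bool:
    """Typical site rule: at least one lowercase, one uppercase, one digit."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def site_password(master: str, site: str, length: int = 16) -> str:
    """Derive a deterministic, site-specific password from one master secret.

    Nothing is stored: the same master and site always yield the same
    password, and a new master changes every derived password at once.
    """
    domain = normalize_domain(site)
    for counter in range(32):
        # The counter lets us re-derive if a candidate fails the site policy.
        msg = f"{domain}\x00{counter}".encode()
        digest = hmac.new(master.encode(), msg, hashlib.sha256).digest()
        # Keep only letters and digits so the result fits the strictest sites.
        alnum = "".join(c for c in base64.b64encode(digest).decode() if c.isalnum())
        candidate = alnum[:length]
        if len(candidate) == length and meets_policy(candidate):
            return candidate
    raise ValueError("could not derive a policy-conforming password")


if __name__ == "__main__":
    for url in ("https://www.example.com/login", "example.com", "example.org"):
        print(url, "->", site_password("correct horse", url))
```

    Two caveats a practitioner should keep in mind with any scheme like this: every derived password is a function of the master, so anyone who captures one site's password (say, from a site that stores them in plaintext) can brute-force the master offline and then regenerate all the others; and rotating the master changes the password for every site, including the ones you have forgotten about, which is exactly the lockout problem the submitter describes.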

  • http://xkcd.com/936/ (Score:5, Informative)

    by Anonymous Coward on Friday December 30, 2011 @07:57PM (#38543862)
  • Password manager? (Score:5, Informative)

    by OttoErotic ( 934909 ) on Friday December 30, 2011 @07:59PM (#38543880)
    Why not use a password manager and skip all that hassle? I use a portable version of KeePass, with both the app and my password database synced through Dropbox so I have them everywhere, including my phone. Random 20+ character passwords for every site and you can set expirations for every one so you don't have to remember when to change them, and all you have to remember is the master password. I don't understand why everyone in the world doesn't do this, it's just so convenient.
  • by roc97007 ( 608802 ) on Friday December 30, 2011 @07:59PM (#38543894)

    Keepass is available for Blackberry, iOS, Android. (even Windows 7 Mobile, if that's how you roll.) You can migrate database files between PC and handheld device. (Although you should be careful of having company passwords on a personal device -- there might be a policy against that.)

    In your case, I'd spend an hour of quality time in keepass changing your passwords, sync it to work and home PC and whatever device you carry, then make all your websites conform.

    As to websites you haven't visited in a long time and have forgotten about, I don't have an answer. I have essentially the same problem with forums that require you to register to participate. I may only visit the forum once, but my login is forever.

  • by Pharmboy ( 216950 ) on Friday December 30, 2011 @08:26PM (#38544156)

    Most websites don't store your password, just a hash of it. When you enter the password, it hashes what you just entered then compares the hashes. Reverse engineering the password when you only have the hash isn't trivial.

  • by Alan Shutko ( 5101 ) on Friday December 30, 2011 @09:14PM (#38544592)

    Based on my experiences working on websites, far too many companies store the password in plain text. Many, many more will hash it, but will hash it ineffectively by not salting it. Lots of the people working on these websites don't even understand the kinds of attacks salting and hashing are intended to block.

    As an example, look at mailman, the mailing list manager. Not only did it store the plaintext password, it mails it to you monthly. Fortunately, the current developers aren't idiots and have removed this flaw (as of ~2007) but tons of sites out there are still using the old version since I keep getting the "reminders".

    Trust me... Spend a bit of time in industry working on these websites, and you'll understand.
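
    The two comments above (Pharmboy on storing a hash rather than the password, Alan Shutko on sites that hash without a salt) are the reason password reuse across sites is dangerous. The block below is an added example, not code from the page or from any site mentioned in it: it puts a naive unsalted SHA-1 store next to a salted, iterated PBKDF2 store and runs the same small dictionary attack against both. The account names, passwords and wordlist are constructed for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Constructed sample data for this example (not from the page): three accounts,
# two of which reuse the same password, and a tiny attacker wordlist.
USERS = {"alice": "letmein", "bob": "letmein", "carol": "correct horse battery staple"}
WORDLIST = ["password", "123456", "letmein", "qwerty"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast, unsalted hash of the raw password."""
    return hashlib.sha1(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Salted, iterated hash (PBKDF2-HMAC-SHA256).

    The stored string carries algorithm, cost, salt and digest, so the
    verifier needs nothing else. The default cost is deliberately slow;
    lower it only for tests.
    """
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per account
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost; compare in constant time."""
    try:
        alg, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if alg != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def precomputed_table(words: Iterable[str]) -> Dict[str, str]:
    """Attacker side: hash the wordlist once, reuse it against every dump."""
    return {unsalted_hash(w): w for w in words}


def crack_unsalted(stored: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """One dictionary lookup per account; identical hashes fall together."""
    return {user: table[h] for user, h in stored.items() if h in table}


def crack_salted(stored: Dict[str, str], words: Iterable[str]) -> Dict[str, str]:
    """No shared table is possible: each guess is re-run per account, per salt,
    at the full KDF cost. The reused password is still found, just not for free."""
    words = list(words)
    found: Dict[str, str] = {}
    for user, record in stored.items():
        for w in words:
            if verify_password(w, record):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    weak = {u: unsalted_hash(p) for u, p in USERS.items()}
    print("unsalted dump:", weak)  # alice and bob have identical hashes
    print("cracked via table:", crack_unsalted(weak, precomputed_table(WORDLIST)))
    strong = {u: hash_password(p, iterations=20_000) for u, p in USERS.items()}
    print("salted dump: every record differs, even for alice and bob")
    print("cracked by per-account guessing:", crack_salted(strong, WORDLIST))
```

    The point the example makes: with unsalted hashes, two users who share a password have the same stored value, and one precomputed table cracks every dump ever leaked; with a per-account salt and a slow KDF, the attacker pays the full cost for each account and each guess, so a strong unique password like carol's is out of reach while a dictionary word like "letmein" still falls. Salting fixes the shared-table problem, not the weak-password problem.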

  • by Anonymous Coward on Friday December 30, 2011 @09:36PM (#38544766)

    Not only that. If you say 'hey, this is insecure', you have to prove it with an exploit. They will fix the exploit, missing the point...

    Then they look at you like you are weird for trying to attack the site. Got yelled at once for 2 hours straight by a manager who worked on a different product for doing this. Even though my boss explicitly told me to do it. At that point I realized no one really cares until they are hacked and it is in the news.

    So I use a pattern based password for web sites and when I buy things I use a 1 time used credit card number.

    For example, if you had said 2 years ago that Sony would have their entire credit card DB in the wild, people would have laughed at you. Now not so much. Security is an afterthought many times.

    I don't even bother mentioning it on my projects anymore. No one cares. Or it is 'something we will fix later'.

    So I *know* I am not alone in this, and this is just a small sample. So I use passwords that match the site one to one. Do not reuse them anywhere. And one-time credit card info.

  • XKCD on password security.
    http://xkcd.com/936/ [xkcd.com]

  • Use LastPass (Score:5, Informative)

    by darkmeridian ( 119044 ) on Friday December 30, 2011 @10:24PM (#38545088)

    LastPass is a web-based service that syncs your passwords across your computers, Android devices, iPhone, and Blackberry. Supposedly, it uses client-side encryption so even if the stored data is compromised, it is useless without your password. Most importantly, it supports Google Authenticator so those with Android devices can use it to generate secure keys needed to log in.
