The Password is …

Starting today we were required to update one of our passwords to a 12 character monstrosity that includes at least one of each of the following:

1. Capital letter
2. Number
3. Symbol (i.e., @#$&!)

And the reuse of previously used passwords is restricted to waiting until the 21st round of passwords. Oh, and we’ll now be required to change our passwords in 60 days instead of 90 days.

I have passwords for more than a dozen systems and some of those systems have two levels of passwords. What makes them think that they’re actually increasing security by making it so much harder to remember all of the passwords? Because at some point a cheat sheet is required just to avoid calling the help desk several times daily to get your passwords unlocked because you entered them incorrectly too many times.

Posted by on 12/01 at 05:04 PM

  1. I thought that eight with a number was bad. I will remember that the next time I want to complain about a password.

    Posted by Michael  on  12/01/08  at  06:50 PM
  2. Hint: Use Bible verse references as passwords. 1Timothy3-15 would work, as would any longer named book. Be consistent, using “-” instead of the “:” and you’ll find it easier to recall.  Now you can take your Bible, put a bookmark on the page with the reference, put the name of the system on the bookmark and you have an instant password vault.

    Posted by  on  12/01/08  at  07:14 PM
  3. The Bible verse is a good suggestion. Alternatively, if they’ll let you install software on your machine, you can download something like Password Safe, then you only need to remember one password (well 2, one for logging in to your normal pc and then 1 for the safe).

    Posted by beth  on  12/01/08  at  08:35 PM
  4. “What makes them think that they’re actually increasing security by making it so much harder to remember all of the passwords?”

    Harder to remember = Harder to guess

    Sorry, it’s the IT Professional in me.

    Posted by  on  12/01/08  at  11:47 PM
  5. Except that “guessing” isn’t how most hacking is done...a password cracker is the tool of choice.  All that length and special characters do is make it take longer for the software to run through the combinatorics.  BUT that is where the power is.

    According to this neato tool:
    mandylionlabs.com/PRCCalc/BruteForceCalc.htm
    To crack 1Timothy3-15 would take about 74,802 hours of computer time.

    Dictionary lookup attacks only take a few seconds and retrieve about 25% of passwords.

    Posted by Lynellen  on  12/02/08  at  09:34 AM
  6. I’ll try the Bible verse idea.

    I’m not allowed to download anything to my computer.

    Yes, I understand hard to remember means harder to crack. Still frustrating, though.

    Posted by jen  on  12/02/08  at  11:10 AM
  7. The Bible verse idea makes sense.  What I tended to do was keypad combos where all you have to remember is the starting point.  So, !Qazxsw23edc could be one. Upon change, start with the 2 instead of the 1:  @Wsxcde34rfv.  Always do the symbol and capital as the first two.

    Posted by James Joyner  on  12/02/08  at  11:29 AM
  8. Hmmm. That’s an interesting idea. I’ll consider doing that.

    Posted by jen  on  12/02/08  at  11:50 AM
  9. My policy for handling the change is that on days I can’t remember my password I’m just going to go home.

    Posted by Robbo  on  12/02/08  at  12:58 PM
  10. I use the expression O2B~ followed by the four-character ICAO code for the airport near a place I would like to be (at).

    O2B~kcho (Charlottesville) for example.

    When I need an updated password, I just pick a new airport.

    Posted by  on  12/02/08  at  02:24 PM
  11. You could make it easy, but use numbers and symbols in it....

    like L1ntf!ni@lMu$!ng.  Those are hard to break!

    Posted by Janie  on  12/02/08  at  02:48 PM
  12. Good ideas. I especially like Robbo’s idea.

    For this iteration I used the previous password and just added 4 characters to it. So far, so good. I get 58 more days with it.

    Posted by jen  on  12/02/08  at  03:53 PM
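
The policy in the post (12+ characters, one capital, one number, one symbol, no reuse for 20 rounds) can be written as a check, and doing so shows what the composition rule does not see. This is an added example, not code from the post or any commenter: the function names, the US QWERTY layout, the PBKDF2 round count and the 0.5 keyboard-walk threshold are all assumptions, and the candidate passwords are the ones quoted in the comments above.

```python
import hashlib, hmac, os, re

MIN_LEN, HISTORY_DEPTH = 12, 20   # figures from the post
PBKDF2_ROUNDS = 100_000           # assumption: not stated in the post
WALK_THRESHOLD = 0.5              # assumption: share of keys that flags a walk
# Assumption: US QWERTY; each string is one slanted column of keys.
COLUMNS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm"]
UNSHIFT = str.maketrans("!@#$%^&", "1234567")

def composition_ok(pw):
    """12+ characters with at least one capital, one number, one symbol."""
    classes = (r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(pw) >= MIN_LEN and all(re.search(c, pw) for c in classes)

def keyboard_walk_fraction(pw):
    """Share of characters sitting in runs of 3+ keys along one key column."""
    s = pw.lower().translate(UNSHIFT)
    covered = [False] * len(s)
    for run in [c[::d] for c in COLUMNS for d in (1, -1)]:
        for piece in (run, run[:3], run[1:]):
            for m in re.finditer(re.escape(piece), s):
                covered[m.start():m.end()] = [True] * len(piece)
    return sum(covered) / len(s) if s else 0.0

def _digest(pw, salt):  # history keeps salt + PBKDF2 digest, never plaintext
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)

def remember(pw):
    salt = os.urandom(16)
    return salt, _digest(pw, salt)

def reused(pw, history):
    """True if pw equals one of the last HISTORY_DEPTH remembered passwords."""
    return any(hmac.compare_digest(_digest(pw, s), d) for s, d in history[-HISTORY_DEPTH:])

def review_change(new, current, history):
    """Findings for a change; current is known because the user just typed it."""
    checks = [
        ("fails composition rule", not composition_ok(new)),
        ("reused within last 20", reused(new, history)),
        ("extends current password", bool(current) and current.lower() in new.lower()),
        ("keyboard walk", keyboard_walk_fraction(new) >= WALK_THRESHOLD),
    ]
    return [label for label, hit in checks if hit]

if __name__ == "__main__":
    history = [remember("1Timothy3-15")]  # constructed sample history
    for pw in ("1Timothy3-15abcd", "!Qazxsw23edc", "O2B~kcho", "L1ntf!ni@lMu$!ng"):
        print(pw, review_change(pw, "1Timothy3-15", history))
```

Because the history holds only salted digests, it can catch exact reuse but not a password built by appending to an old one; that comparison is possible only against the current password supplied during the change.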
