do increased security measures cause anyone else to have even worse passwords?

nageov3t

Lifer
Feb 18, 2004
42,816
83
91
my office has some pretty stringent password rules... 10+ characters, must include a lower case letter, number, and capital letter, can't repeat passwords, passwords must be changed once a month, etc...

but the thing is, I find it leads to me creating even worse passwords. I wouldn't mind having one complex password that only changed once every 6 months or rotating between a couple passwords, but with these rules, I end up taking a really basic word (like password), capitalizing the first letter, and throwing a couple numbers at the end.
 
Oct 27, 2007
17,010
1
0
I've never worked in a situation like that but I'd imagine it would be the case. I heard a cool method of creating memorable passwords for things like forum/website registration. You use passwords like thisIsMyAnandtechPassword or myPasswordForATForum. They seem simple but the odds of someone correctly guessing them aren't high.
 

amdhunter

Lifer
May 19, 2003
23,324
219
106
I've noticed that people find pretty simple passwords like P@ssw0rd or something like that, but they are still somewhat harder than the usual simple password...
 

mugs

Lifer
Apr 29, 2003
48,924
45
91
I hate policies that require frequent password changes with no repeats. My last two passwords were Asdfjkl; and jkl;Asdf.
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
<2 words combined with symbol><two digit number><word with symbol>

Increase two digit number to change. But no, statistically increased security measures are there for a reason - they are proven.

1m@Spider84yesiam


 

darkxshade

Lifer
Mar 31, 2001
13,749
6
81
I have the same problems and I hate it. What I usually do these days is to use some type of math formula so I don't forget what it is. I would use 2 random capitalized letters (RX for example) followed by the 6 numbers you get when dividing 5/7. I would write down R5X7 (pw would be RX714285). Honestly, I don't know why I even bother, who's going to be able to guess my pw anyway, type the pw incorrectly 4 times and you get locked out plus the system can only be accessed from at work.
 

BrownTown

Diamond Member
Dec 1, 2005
5,314
1
0
yeah, and the fact I need so many means they are all the same, plus changing it just means changing the number, i.e. Password0, Password1 etc...

Also I have them all written down on a piece of paper in my wallet, and I have seen several people with all their passwords on a sticky note on their monitor.
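
An added example, not part of any post in this thread: a password-change check showing that the composition rule from the first post (10+ characters, lower case, upper case, digit) accepts `Password01`, while a comparison against the outgoing password catches the increment and rotation habits posters describe. The function names, the substitution table and the short list of common bases are assumptions made for this illustration.

```python
import re

MIN_LEN = 10  # composition rule from the first post: 10+ chars, lower, upper, digit
LEET = str.maketrans("@0$3!1", "aoseil")  # common look-alike substitutions
COMMON_BASES = {"password", "qwerty", "asdfjkl", "letmein"}  # constructed sample list


def meets_composition(pw):
    """True if pw satisfies the composition rule quoted in the thread."""
    return (len(pw) >= MIN_LEN
            and all(re.search(p, pw) for p in (r"[a-z]", r"[A-Z]", r"[0-9]")))


def skeleton(pw):
    """Base of a password: edge digits/symbols dropped, look-alikes undone, letters only."""
    core = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw)
    return re.sub(r"[^a-z]", "", core.lower().translate(LEET))


def is_trivial_variation(old, new):
    """Same base as the old password, or a rotation of it (Asdfjkl; -> jkl;Asdf)."""
    a, b = skeleton(old), skeleton(new)
    return len(a) == len(b) and b in a + a


def check_change(old, new):
    """Return reasons to reject a change; old is the plaintext typed at change time."""
    reasons = []
    if not meets_composition(new):
        reasons.append("fails composition rule")
    if is_trivial_variation(old, new):
        reasons.append("trivial variation of previous password")
    if skeleton(new) in COMMON_BASES:
        reasons.append("common base word")
    return reasons


if __name__ == "__main__":
    # Constructed sample changes, modelled on passwords quoted in the thread.
    for old, new in [("Password01", "Password02"), ("Asdfjkl;", "jkl;Asdf"),
                     ("Password01", "Violet-tractor-19-Sings")]:
        print(f"{old!r} -> {new!r}: {check_change(old, new) or 'accepted'}")
```

The comparison needs no stored plaintext: most change forms ask for the current password, so both strings are available in memory for the duration of the request.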
 

imported_Imp

Diamond Member
Dec 20, 2005
9,148
0
0
I used one of my generic passwords at work, then added variations as needed. Having to change it to a different one every month was stupid though. Ya, maybe it might stop the stalker, but it's not like I give it out. I almost got my account locked a few times at the beginning of a new month/period, when I forgot what I changed it to (e.g. which letter did I capitalize, which number did I add/letter). If anything, this constant changing leads to having to write the password down somewhere for someone to read.
 

Bignate603

Lifer
Sep 5, 2000
13,897
1
0
I've started to use dates with the month spelled out. After a month of punching in our anniversary I won't forget it.
 

Cogman

Lifer
Sep 19, 2000
10,278
126
106
Having people change their passwords once a month is excessive. If a password is long enough, it will take far longer for a brute force method to crack it. (and any serious security system should limit the number of tries in a given amount of time)
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: Imp
I used one of my generic passwords at work, then added variations as needed. Having to change it to a different one every month was stupid though. Ya, maybe it might stop the stalker, but it's not like I give it out. I almost got my account locked a few times at the beginning of a new month/period, when I forgot what I changed it to (e.g. which letter did I capitalize, which number did I add/letter). If anything, this constant changing leads to having to write the password down somewhere for someone to read.

But the "auditors" said you need to change it every 4 weeks for security purposes? I mean it's SOX and all and that's what they told us to do! It was one of the level 1 security vulnerabilities - greater than 4 week password change policy!!!!!!! ZOMG, it's SOX!!

I love everything and everybody, but I have a special kind of hate and pure brain smashing anger for IT auditors that can't be described on a message board. And by smashing I mean grab their brain and smash it with your bare hands.
 

imported_Imp

Diamond Member
Dec 20, 2005
9,148
0
0
Originally posted by: darkxshade
type the pw incorrect 4 times and you get locked out plus the system can only be accessed from at work.

Ah, I remember that. I think our limit was 5. We had one IT software support guy at head office reset people's passwords all day long. They kept paper records and there was a couple inch stack at the end of every month. Think I had to take a half-hour 'break' once just to figure out one of my passwords I hadn't used in a long time. It was either that or keep trying, get it locked and call another office for them to reset it; then wait for them to call back to speak to me personally, verify, then reset.
 

Throckmorton

Lifer
Aug 23, 2007
16,830
3
0
I hate when they make you change often. I think it's established that if you make people change passwords too often, with too complex rules, they tend to write it down, creating a security vulnerability.
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
Let me give you a few of my old passwords, that should help you

I used pattern based passwords. Here's some examples

1qaz=[;.
xsw2@#$4rfv
&YGVVFR$4rfv
MNBdfgIUY456
and one more 9*uIlKnm

Our policy is changing every 3 months. We currently do not allow repeats, but I plan to get that changed eventually. Too busy right now with other major overhauls to bring it up. So pick a pattern and you can get hundreds of variations just by moving it around the keyboard. I actually use one pattern for all my passwords at work, I just remember the first key for each system.
 

DrPizza

Administrator Elite Member Goat Whisperer
Mar 5, 2001
49,606
166
111
www.slatebrookfarm.com
Originally posted by: sourceninja
Let me give you a few of my old passwords, that should help you

I used pattern based passwords. Here's some examples

1qaz=[;.
xsw2@#$4rfv
&YGVVFR$4rfv
MNBdfgIUY456
and one more 9*uIlKnm

Our policy is changing every 3 months. We currently do not allow repeats, but I plan to get that changed eventually. Too busy right now with other major overhauls to bring it up. So pick a pattern and you can get hundreds of variations just by moving it around the keyboard. I actually use one pattern for all my passwords at work, I just remember the first key for each system.

I think I read somewhere on the forums here that if someone's already made it far enough in to start brute force attacking passwords, then your security measures have already failed.
 

Green Man

Golden Member
Jan 21, 2001
1,110
1
0
I don't mind PW complexity, but we got a new Security idiot who had to prove his worth by enacting a PW must be changed every 6 weeks policy.

Screw that A-hole, I took myself off the domain and had my email forwarded.

No one's said anything about it to me and it's been 9 months since.
 

Bill Brasky

Diamond Member
May 18, 2006
4,345
1
0
Originally posted by: sourceninja
Let me give you a few of my old passwords, that should help you

I used pattern based passwords. Here's some examples

1qaz=[;.
xsw2@#$4rfv
&YGVVFR$4rfv
MNBdfgIUY456
and one more 9*uIlKnm

Our policy is changing every 3 months. We currently do not allow repeats, but I plan to get that changed eventually. Too busy right now with other major overhauls to bring it up. So pick a pattern and you can get hundreds of variations just by moving it around the keyboard. I actually use one pattern for all my passwords at work, I just remember the first key for each system.

Hey, that's actually a really good idea. I especially like the last pattern.

My dad uses french words with the vowels dropped and number patterns in between. I thought that was pretty clever.

Originally posted by: Champ
my work password has to be changed every 2 months...my last 4
12345
123456
1234567
12345678

LOL. No letters or punctuation though?
 

spidey07

No Lifer
Aug 4, 2000
65,469
5
76
Originally posted by: DrPizza
I think I read somewhere on the forums here that if someone's already made it far enough in to start brute force attacking passwords, then your security measures have already failed.

Reference my post about IT auditors.

You're correct, if somebody can actually attempt brute force authentication then you're hosed.

What the internal password policies are for is the inside brute force authentication attack.

Never mind that the entire manufacturing industry is still running WEP for wireless and it's too expensive to fix it.
 

jarfykk

Senior member
Mar 29, 2001
501
1
0
My personal hell: 14 character minimum requiring 2 of each of the following: capital letter, lower case letter, number, symbol. This password must change every 45-days (no repeats, ever...at least in the 3 years I've been here) with reminders coming at 30-35-40-41-42-43-44-45 days out to ENSURE you change it. Used to use different permutations of the same basic password but literally ran out of numbers/symbols/capitalization that weren't repeats. Couple this with photo, smart card + longer-than-normal PIN, and biometric measures and you get the feeling you're not wanted some days...
 
Oct 27, 2007
17,010
1
0
Originally posted by: sourceninja
Let me give you a few of my old passwords, that should help you

I used pattern based passwords. Here's some examples

1qaz=[;.
xsw2@#$4rfv
&YGVVFR$4rfv
MNBdfgIUY456
and one more 9*uIlKnm

Our policy is changing every 3 months. We currently do not allow repeats, but I plan to get that changed eventually. Too busy right now with other major overhauls to bring it up. So pick a pattern and you can get hundreds of variations just by moving it around the keyboard. I actually use one pattern for all my passwords at work, I just remember the first key for each system.

Those are neat. Shouldn't the trailing 'm' be capitalised in the last one?
 

Dr. Detroit

Diamond Member
Sep 25, 2004
8,199
665
126
Just was required to have number, capital letter, and one of these ! @ # $ in my password with a minimum of 8-characters.

 

ISAslot

Platinum Member
Jan 22, 2001
2,881
97
91
I just use memorable phrases I make up on the fly, then use the first letter of each word, capitalizing some, and converting some to symbols and numbers.
 