
Advice on updating and remembering passwords??

EdNerd

Well-Known Member
Feb 2, 2011
I've read the usual advice on creating a strong password you can remember: use a common base and add a patterned mnemonic for the particular website. So if my base is abc123, my password here could be abc123-PHAN.

I get that and it works well. But what about passwords that must be updated every 60-90-180 days?? I could just add a number - but now I have to remember how many iterations I've been through on this particular password. Or a date reference - but now I have to remember what date I last updated the password.

For those with much deeper experience than I have, how do you advise / handle situations like this?

Ed
 
It's a PITA, basically. I would argue that frequent password changes actually reduce security for the very reason that most people simply 'increment' their former password.

Patterns and recognisable words don't make for great passwords. Obviously, entirely random passwords are the most secure but they're also impossible for a human being to create (as any fule kno).

One method I liked was using the initials (or second or last letters) from a memorable phrase or saying, e.g. "Frankly my dear, I don't give a dam*" would become "fmdidgad".



* a small, almost worthless Indian coin not a profanity
 
Upvote 0
Agreed with the frequent changes. However, it is becoming more of a requirement with some of my necessary corporate sites. Most annoying are the ones where you log into a "master" site, register your password, and you're good to go on several "child" sites. Until your password is set to expire, and you haven't revisited the master site in months and don't remember the password you used there!!

Don't know if I have enough room on the bottom of my keyboard for another sticky note. And I'm not sure I remember where they all go to, anyways! =8>O

Ed
 
Upvote 0
I use a password archive. For internet stuff, I have LastPass though I hear good things about KeePass as well.

On my phone, I keep another copy in an app called Keyring, which is a holdover from my Palm OS days (a little over a year ago).

I tried moving to mSecure, but the app runs painfully slow for me.

At any rate, I keep so many passwords that there is no way for me to memorize them all, and I don't like to use the same key for a bunch of different locks, so I need a keybox, as it were.

Using a phrase of random words is actually better than a handful of random characters, as it makes for more work for the cracking software...
 
Upvote 0
At my last job (a contractor for the government), I had a password for:

  • my main corporate login (corporate email, HR stuff, timecard)
  • my corporate laptop (in theory synced to my corporate account, in practice it was out of sync because I never used my corp laptop)
  • my government web login (mostly useless)
  • my government PC
  • at least 6 different database servers, all rotating on different periods
  • a JIRA account
  • an HP (low) Quality Center account
  • test user accounts in the integration testing environment
  • a report server
  • a workflow automation server


I gave up and wrote almost all of them on a full size piece of notebook paper, in pencil, with an "as of" date listed. I kept it in my drawer. I posted my HPQC login and password on a post-it on my monitor, in plain view for everyone.
 
Upvote 0
Like big_z, I have MANY passwords just for my job (6 domains, servers for drive encryption, not to mention MY company's systems since I'm a contractor for the company I support). I don't keep any of the domain ones in my password app (they all have the same change interval though) but the ones for my company's systems are there.

I use Roboform for my personal passwords, it's cross-platform and with Roboform Everywhere I can keep all my devices synced. The app also allows you to set requirements and have it generate random passwords for you, and save them.
 
Upvote 0
A passphrase is a good idea if the service you're authenticating to allows it. E.g. HuntingTigersOutInIndia(OutInOutInOutInIndia) would be a secure passphrase, and it's easily remembered and unlikely to appear in any dictionary list. Any line or two from a song or poem you know very well is suitable and more easily remembered than 'random' passwords. It's the length that makes it secure. A 10 character password (Upper Case, Lower Case and Numerics for simplicity) increases in difficulty by powers of 62 (26 Upper Case, 26 Lower case and 10 numerics) has 10^62 possible combinations, 11 characters has 62^11 (which is 62^10 ^2). A minimum of 14 characters is suggested for secure passwords, so a passphrase will easily be longer and more secure. Or use a password store. See: https://www.schneier.com/passsafe.html
Bruce Schneier is one of the best security researchers and writers around. If he thinks something is good, then it most likely IS.
 
Upvote 0
Passphrases based on songs or poems aren't really a good idea; it's become fairly trivial for crackers to import huge phrase lists and run them much as they would a standard dictionary-based attack. Make a passphrase out of words that really don't belong together ("correct horse battery staple") and you'll be better off - throw in some numbers and special characters and you'll be even better.

Personally, I use the Memorable Passwords function of Advanced Password Generator, which spits out nonsense word combinations with numbers and symbols tacked on (36MentalCabbyPlumes``). These are much easier to remember than truly random passwords (43M~5GSu) while also being significantly more secure (~125 bits versus ~50 bits).

I recently moved into a new job and have already accumulated more than 20 passwords to keep track of, so a password manager is an absolute must. To that end, I use Safe In Cloud, which uses strong encryption, syncs the password database to whatever cloud I want it to, and also has a Windows-based Chrome plugin for easily entering passwords into web forms.
 
Upvote 0
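Added example, not part of any post in this thread: a small Python calculator for the entropy figures the posts above discuss, comparing random characters, random-word passphrases, and a phrase taken from a list an attacker may also hold. It assumes every character or word is chosen uniformly at random; the 7776-word list size matches Diceware-style lists, and the 10-million-entry phrase list and the demo wordlist are constructed for illustration.

```python
import math
import secrets

def random_string_bits(length, alphabet_size):
    """Bits of entropy when every character is drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def passphrase_bits(num_words, wordlist_size):
    """Bits of entropy when every word is drawn uniformly from a wordlist."""
    return num_words * math.log2(wordlist_size)

def known_phrase_bits(phrase_list_size):
    """A whole phrase picked from a list the attacker also holds (lyrics,
    quotes): only the choice of entry counts, the phrase length adds nothing."""
    return math.log2(phrase_list_size)

def words_needed(target_bits, wordlist_size):
    """Smallest number of random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))

def generate_passphrase(wordlist, num_words, sep=" "):
    """Pick words with the OS CSPRNG; human-chosen words void the estimates."""
    return sep.join(secrets.choice(wordlist) for _ in range(num_words))

# Constructed toy wordlist for the demo only; far too small for real use.
DEMO_WORDS = ["correct", "horse", "battery", "staple", "mental", "cabby",
              "plumes", "tiger", "india", "cabbage", "pencil", "drawer"]

if __name__ == "__main__":
    rows = [
        ("10 random chars, 62-symbol alphabet", random_string_bits(10, 62)),
        ("8 random chars, 94 printable ASCII", random_string_bits(8, 94)),
        ("4 random words, 7776-word list", passphrase_bits(4, 7776)),
        ("1 line from a 10M-entry phrase list", known_phrase_bits(10_000_000)),
    ]
    for label, bits in rows:
        print(f"{label:40s} {bits:5.1f} bits")
    print("words for 80 bits:", words_needed(80, 7776))
    print("demo passphrase:", generate_passphrase(DEMO_WORDS, 4))
```

These numbers describe the generation scheme, not a particular string: a password only has this much entropy if it really was produced by uniform random choice.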
