It's time to stop asking users for periodic password changes

I’ve known that for a while, but I hate letting Google and Facebook know which sites I log into.

12 Likes

Yeah, one of my workplaces mandated password changes every two weeks. Late one day I went looking for a person to test terminal access to my system. He had gone home, but his co-workers helpfully told me the system they use to help remember their passwords (and it was written on a post-it anyway).

5 Likes

Just make sure it’s more than five letters long!

7 Likes

“spot? better go with 5p0+_1”

5 Likes

Oh that’ll get old when what3words takes off and everyone starts using the 3mx3m square around their front door as their password.

Know someone’s address? Rotate potential passwords from the site, in a spiral pattern around their address until you hit the correct three-word combination.

More seriously, though, (only slightly) if three random words is a good password, maybe the what3words guys are missing an opportunity for their database to be used that way. Pick a memorable place and there’s your password. All you need to remember is the memorable place (down to its 3mx3m square location).

(And it will never catch on / get critical mass because the US would never adopt it as nobody there knows what a metre is.) :wink:

2 Likes

I’ve been using 1Password for ages, but didn’t upgrade when they went to the subscription model. Now I’m just dreading the day when it stops working.

Is there anyone reading this that uses the subscription 1Password? Is it worth it?

I also need to set aside a day and go through and cull accounts I no longer use, and update the passwords for the sites I still use.

1 Like

Thanks for including the support cost of password rotation!

In my mind, that is actually the biggest problem with password rotation. Account recovery is one of the biggest – if not the biggest – weak spots in any authentication system. The more routine you make account recovery, the more convenient it has to be and the less scrutiny your IT staff will apply to each request. Forgotten passwords are most likely to happen after a forced password change.

Honestly, weak passwords aren’t nearly the problem people make them out to be, at least on their own. All but the weakest passwords are strong enough to protect against online brute force attacks as long as you implement appropriate rate limiting. The extreme example of this is Android and iPhone unlock PINs. A 4-6 digit PIN has a tiny bit of entropy, but the security chip enforces a maximum retry schedule and ultimately wipes the encryption keys after too many incorrect guesses. The only real problem with weak passwords is when they are combined with password reuse: if a hacker obtains an encrypted password database and then finds your username and password, they can try that for online attacks against other systems. But that can be solved by not reusing passwords and/or 2FA.

Of course, to avoid password reuse you need to use a password manager, which also allows you to use strong passwords with little penalty. So weak passwords are generally a sign of password reuse. But for the handful of passwords I need to enter by hand regularly I don’t really sweat the entropy that much.

5 Likes
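The post above argues that a low-entropy secret such as a 4-6 digit PIN survives online guessing only because the verifier enforces an escalating retry schedule and eventually wipes the keys. The following Python is an added illustration of that mechanism, not code from the thread or from any phone vendor: the delay thresholds, the wipe limit and the PIN values are constructed, and the hashing is ordinary PBKDF2 rather than a secure-element implementation.

```python
"""Added example: an online-guess rate limiter with an escalating retry
schedule, plus a rough estimate of how little of a small keyspace an
attacker can cover before the account is wiped.  The schedule below is
constructed for illustration and only loosely mirrors phone lock screens."""
import hashlib
import hmac
import math
import secrets

# Constructed schedule: after N consecutive failures the caller must wait
# the given number of seconds before the next attempt is even evaluated.
SCHEDULE = [(5, 60), (6, 300), (7, 900), (8, 3600)]
WIPE_AT = 10          # total consecutive failures before the keys are wiped
PBKDF2_ROUNDS = 100_000


def delay_for(failures: int) -> int:
    """Seconds of mandatory wait after `failures` consecutive failed attempts."""
    wait = 0
    for threshold, seconds in SCHEDULE:
        if failures >= threshold:
            wait = seconds
    return wait


def entropy_bits(keyspace: int) -> float:
    """Entropy of a uniformly chosen secret drawn from `keyspace` values."""
    return math.log2(keyspace)


def online_success_probability(keyspace: int) -> float:
    """Chance that an attacker guessing uniformly at random hits the secret
    within the WIPE_AT attempts the schedule allows before a wipe."""
    return min(1.0, WIPE_AT / keyspace)


class PinVerifier:
    """Stores a salted PBKDF2 digest of the PIN and enforces SCHEDULE/WIPE_AT.
    `now` is passed in explicitly so the behaviour is deterministic and testable."""

    def __init__(self, pin: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.digest = self._derive(pin)
        self.failures = 0
        self.unlock_at = 0.0     # attempts before this clock time are rejected
        self.wiped = False

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, PBKDF2_ROUNDS)

    def attempt(self, guess: str, now: float) -> str:
        """Returns one of: 'ok', 'denied', 'throttled', 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.unlock_at:
            # Throttled attempts are not evaluated and do not count as failures,
            # so an attacker cannot speed up the schedule by hammering the endpoint.
            return "throttled"
        if hmac.compare_digest(self._derive(guess), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= WIPE_AT:
            self.wiped = True
            self.digest = b""        # keys gone; nothing left to verify against
            return "wiped"
        self.unlock_at = now + delay_for(self.failures)
        return "denied"


if __name__ == "__main__":
    for digits in (4, 6):
        space = 10 ** digits
        print(f"{digits}-digit PIN: {entropy_bits(space):.1f} bits, "
              f"P(success before wipe) = {online_success_probability(space):.2e}")
```

The point the numbers make is the one in the post: a 4-digit PIN has about 13 bits of entropy, which would fall in seconds offline, yet with ten evaluated guesses before a wipe an online attacker has a 0.1% chance per account, and the spacing of those ten guesses pushes the whole attempt past an hour of wall-clock time. The same limiter pattern (count only evaluated failures, reject throttled requests without evaluating them, escalate the delay) is what a web login endpoint needs before weak-but-unique passwords become acceptable.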

The one I’ve noticed is that I have never encountered a system that both requires regular password changes and actually has anything anyone would want to access on the other side. No malicious actor wants to see company memos. I don’t want to see company memos, and I work there! Another one was a system that allowed me to sign customers up for internet services. So if someone guessed my password they could… sign up new customers, I guess? I certainly didn’t have ready access to anything useful. Not seeing the downside to the company there.

I genuinely don’t think anyone ever asks the question “what’s the bad thing that can happen?” Because if they did, they might not think such rigour is necessary.

2 Likes

Had to bug an SA just this morning because my password expired. I didn’t think I would need it because we all log in with smart cards and PINs now, but my computer also wants my Active Directory password if it has expired. Neat, huh?

Last week I was talking with the head admin and he was saying that one thing their latest hire (a few months ago) brought to the team was the idea of long but memorable passphrases. “Uh, like Diceware?” I asked, which has been around since the mid-90s. He hadn’t heard of it.

But then, I was in the SA’s office this morning about to type in my new password when she rattled off “At least 12 characters long, mix of numbers and special characters, and no dictionary words”. What? So, they aren’t all on the same page in that group.

5 Likes

…do you have a bank account, retirement account, or brokerage account?

1 Like

Yes, and none of them require regular password changes.

3 Likes

That’s because you sods can’t spell “meter” properly =).

Well that’s your (Americans’) problem right there.
A meter is a device for measuring or indicating something (like speed, for example - and we can spell it just as well as you guys)
A metre is a unit of measurement of distance or length.
Now it has been explained, perhaps you might stop pretending all your gardens are only 36 inches long. :wink:

1 Like

If you didn’t add nonexistent letters to “aluminum”, you might have a point xD.

1 Like

Non-existent? Like the ‘i’ that’s already in there? Proves it exists, at least. Usage is a different issue. And everyone knows you spell it ‘a-luminum’ and it’s a Harry Potter spell for conjuring up a light in the dark.

Security questions can work just fine if you provide answers that are unrelated to the topic.

For example:
“What is the first name of the boss at your first job?” - “transistorized”
“Name of the city where you were born?” - “Lefthand paperback”

Of course you will have to keep all these nonsense answers too, but that’s the purpose of the notes field in a good password safe.

Excuse me, I have to add a German-speaking opinion to this epic derailment.

A Meter is a unit of measurement, a Metermaß a tool for measuring a unit of length, just like a Zollstock. A Maß is a unit of beer. Aluminium is a metallic element with a melting point of 933.47 K (660.32 °C), and you can call it Al.
IUPAC concedes the alternative version minus an i is “commonly used”, but I don’t give a fuck. It’s all Davy’s fault, and he should be written Humphrey for eternity to repent for his sin.

Back on topic, the what3words system will never catch on due to the fact that they have created a closed standard, and charge for large-scale API access. OLC / plus codes and others compete them out by sheer mass. If Gmaps had embraced w3w, it would have caught on like a common cold.

ETA: back on the derailed topic, that is.
I’ll return to passwords in a next post…

2 Likes

Yes - I think it is a shame that what3words seems to have limited its appeal and adoption that way, and its home page now seems to be focused on attracting business use only.
But now that it has been noted that three random words make a good password, I may think about using some grid references for notable locations to generate w3w ‘locations’ as passwords for the few things I do not let even a password manager manage (although I suspect that, sadly, some of those have password field lengths that will not accommodate this).