Pick a good password, then never change it

Originally published at: Pick a good password, then never change it | Boing Boing


It’s absolutely true. Frequent password changes result in people simply reusing the same one and varying it only a little by changing a number on the end, for example. And because people are generally lazy (I can cop to that, too), they’ll reuse those passwords other places, too, increasing the odds it’ll get hacked at some point. Now that they have a previous version, it takes far fewer tries to get the new one.

Longer password, complicate it, don’t use anything related to your life. I use a password program these days for the ultimate in random password generation (and storing all those hard to remember codes).


Using a password manager helps a lot too. I picked one good password for that, and it picks incredible passwords for each site that I don’t even know myself.

Anyway the weak point now is password reset protocols, more so than actual passwords. So many places have lax password resets. It’s hard to make a balance between a policy that is strict enough to be safe, but lax enough to not be an annoyance for your users.


For years I used CorrectHorseBatteryStaple for everything.
Then it showed up in SOME ONLINE COMIC!
So much for picking a good password and then never changing it.

I’ve since changed it to WrongHorseBatteryStaple and it seems OK.


For security questions, I still use “What is delicious?”


Another layer of protection: use tagged email addresses. GMail, for instance, supports username+string@gmail.com, and any qmail-based server will use username-string@domain.tld.

Since emails are often used as usernames, if the account credentials are leaked, automated processes will usually attempt to use the (incorrect) tagged email on a new service, so even if you have reused passwords, it’ll be protected. I mean, don’t. But it’s there.

It adds a layer of protection against spam: if a tagged email address is leaked, you can easily add a filter rule to blackhole it.
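The two tagged-address formats named above, parsed and put to the two uses the post describes (attributing a leak to the service whose tag it carries, and blackholing mail to a leaked tag). This is an added example, not the poster's own code; the dump lines, the registry of logins, and the choice of example.org as a qmail-style host are constructed.

```python
from typing import Optional, Tuple

# Which domains tag with which separator. gmail.com's "+" is documented behaviour;
# example.org stands in for a qmail-based host (constructed assumption).
TAG_SEPARATORS = {"gmail.com": "+", "example.org": "-"}

# Constructed sample dump lines (login:password), shaped like a breach file.
LEAK_DUMP = [
    "alice+crosstitch@gmail.com:hunter2",
    "bob-shopsite@example.org:Tr0ub4dor&3",
    "carol@example.net:password1",
]

# Constructed registry: which tagged login the mailbox owner used at each service.
REGISTERED = {
    "alice@gmail.com": {"crosstitch": "alice+crosstitch@gmail.com",
                        "bank": "alice+bank@gmail.com"},
}

def split_tagged(address: str) -> Tuple[str, Optional[str]]:
    """Return (canonical mailbox, tag) for a tagged address, or (address, None)."""
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    sep = TAG_SEPARATORS.get(domain)
    if sep is None or sep not in local:
        return f"{local}@{domain}", None
    base, _, tag = local.partition(sep)
    return f"{base}@{domain}", tag

def attribute_leak(dump_lines):
    """Map each leaked login to its owner's mailbox and the tag naming the leaky service."""
    out = []
    for line in dump_lines:
        login, _, _password = line.partition(":")  # the password itself is not needed
        mailbox, tag = split_tagged(login)
        out.append({"login": login, "mailbox": mailbox, "tag": tag})
    return out

def stuffing_would_match(leaked_login: str, target_service: str) -> bool:
    """Would replaying the leaked login string verbatim hit the owner's account elsewhere?"""
    mailbox, _ = split_tagged(leaked_login)
    return REGISTERED.get(mailbox, {}).get(target_service) == leaked_login

def sieve_discard_rule(tagged_address: str) -> str:
    """Sieve (RFC 5228) rule that silently drops mail addressed to a leaked tagged address."""
    return f'if address :is "to" "{tagged_address}" {{ discard; }}'
```

A qmail local part that itself contains a hyphen is ambiguous; this example splits at the first separator, so such mailboxes would need a per-user rule.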


I read what seemed like a good idea on this once.

If your Security team is really concerned about passwords, have them run a password cracker on their own database.

If they come up with a collision for your password, you get to change it right there & then.

But if they can’t crack it, you get to keep using it until they do.




100% agree with this – and furthermore, “security questions” have to be consigned to the rubbish heap of history. Sure, I’d like to give a hacker a 2nd way to get into my account!

Another thing that has to stop: forced change of password where “it can’t be any of your previous passwords”. Great, so you are storing not just one of my passwords, but several? And now when your service gets hacked and passwords revealed, the hackers have an entire list of my passwords to try out elsewhere? Wonderful.


I know exactly how long I worked for AT&T because they made me change my password every 3 months. So I had XXX! XXX@ XXX# XXX$ and so forth.


Your periodic reminder that the gentlemen at Penny Arcade are transphobic assholes who repeatedly double down on those positions when challenged about it. They cling to a number of other shitty world views as well.

Just one example to get you started, if your mind is too clean today:


I would go further and say that if your password is immune to dictionary attacks, then you are probably better off using the same password even in different places.

The thing with received password wisdom is that even though alleged security experts can lay out the reasoning for it, their reasoning is patently, cretinously wrong, because it presupposes that users will memorise a unique strong password for every service, even though we know for certain that this is not the case. It can’t be, when people have hundreds of logins, most of which they don’t use more than twice a year. You can’t fix that by scolding users for living in the wrong reality.

When a service enforces rules about passwords, they’re just making it impossible for you to use a password you can remember.

  • If they require certain characters, you’ll just add those characters to your standard password, so you end up making multiple attempts on every site (“was it ‘Boobs’ or ‘Boobs69_’?”), which leads to pointless lockouts, plus malicious sites get to watch you cycling through your whole list of passwords
  • If they force you to change your password, see OP
  • If they forbid reusing recent passwords, apart from the problems above, this means anyone hacking their site has hashes of four of your passwords instead of just one. So if you’re a password reuser it’s much worse, and if you’re not, then they didn’t need this policy in the first place.
  • When they enforce a maximum length, it discourages password reusers from even picking a long string. I saw a site, recently, with an 8-character limit (!).

The upshot is crappy UX, “Important Passwords.docx”, and regular password resets that are only as secure as your email account anyway. Some sites have started just using that reset process instead of passwords, and it says a lot that this counts as a refreshing improvement.

What I would like to do is memorise a list of 20 obscure words, and have some scheme for working out which three of them make up my password on a given site. But most sites forbid that, requiring me to use less secure practices instead.

Password managers are an option, but then the pessimistic view is that you’re paying to be one malware incident away from having all your accounts compromised at once.

tl;dr: Bah
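The “memorise 20 obscure words, work out which three make up the password for a given site” scheme from the post, as an added example that is not the poster’s own code: an HMAC-SHA256 over the site name picks the words deterministically, and `variation_bits` carries the arithmetic for how much a known word list leaves to search. The word list and master key are constructed.

```python
import hashlib
import hmac
import math
from typing import List

MASTER_KEY = b"constructed-master-secret"  # stands in for something only the user knows
WORDS: List[str] = [                       # constructed 20-word list
    "abacus", "bramble", "cobalt", "drizzle", "ember", "fjord", "gossamer",
    "harpoon", "isthmus", "juniper", "kestrel", "lattice", "marrow", "nimbus",
    "ossify", "pumice", "quartz", "rivulet", "sable", "tundra",
]
WORDS_PER_SITE = 3

def site_indices(site: str, k: int = WORDS_PER_SITE) -> List[int]:
    """Pick k distinct word indices from HMAC-SHA256(master key, site), so the same
    site always yields the same words and different sites usually yield different ones."""
    digest = hmac.new(MASTER_KEY, site.lower().encode(), hashlib.sha256).digest()
    picked: List[int] = []
    for byte in digest:
        idx = byte % len(WORDS)  # slight bias since 256 is not a multiple of 20; fine here
        if idx not in picked:
            picked.append(idx)
        if len(picked) == k:
            break
    return picked

def site_password(site: str) -> str:
    """Concatenate the chosen words, capitalised, as the per-site password."""
    return "".join(WORDS[i].capitalize() for i in site_indices(site))

def variation_bits(n_words: int = len(WORDS), k: int = WORDS_PER_SITE) -> float:
    """Search space for someone who knows the word list but not the site's triple:
    ordered k-permutations of n words; 20 words, 3 per site is 6840, about 12.7 bits."""
    return math.log2(math.perm(n_words, k))
```

With the word list known, each site’s triple is one of only 6840 possibilities, so the scheme leans entirely on the list and the derivation staying secret rather than on per-site variation.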


Yeah I know, I probably shouldn’t link to it. But that one for some reason is as indelible in my mind as correct horse battery staple.


I like where they ask “which of these is an address where you’ve lived?” And at least one of them is extremely improbable, like “59722 Silver Queen Meadow Ave”* which means a malefactor can rule those right out.

*To be fair, new street names themselves seem to be AI-generated. We visited some friends’ new house and the street name was something close to “My Misty Morning Dr.”


Respectfully but strongly disagree.

The way people’s critical personal data gets compromised is not generally because Bank Of America gets cracked. It’s because Sally’s Crosstitch Forum gets cracked and people used the same password for their banking app as they did on that little forum.

Your passwords can stand to be less secure if you religiously use a different one in every single place. Strong passwords everywhere is ideal of course, but it’s a huge advantage to minimize your risk exposure by distributing it thinly.

I’ve gotten a dozen emails over the years from some service that I forgot I logged into once saying “hey your account data leaked, change your password”. It’s never a big deal because said credential is not used anywhere else.

If you use the same password everywhere, then every service you use has to be secure to keep you secure. That’s madness. No password is that good.


I assume that I’m missing a joke here.

I find analog to be my best bet. If you’re determined enough to break into my house and go through the mountain of crap in my office to find one little piece of paper with my passwords on it… have at it. Of course, this method also gets varied mileage based upon how “important” you are. (If you’re someone whose accounts are worth the effort to ransack an office… maybe you can invest in a service, or like, guards…)

Edit: Quest Reward - Mark’s pocket lint (2)


That’s fine, and I will continue to take all those opportunities to let everyone know what shitheads those guys have historically been. Most PAX attendees and such have no idea what monsters are profiting from it all.


For security questions I store those in my password manager also - in the free text area. And I make up random nonsense answers.

I consider security questions another wrong-headed unintentional vulnerability in modern security policies. Now EVERYWHERE wants to know my mother’s maiden name.

As typically implemented, security questions are as broken an idea as biometrics.