Pick a good password, then never change it

Just another webcomic about passwords

And worse- to get around that problem they are starting to ask security questions with nondeterministic answers. Like “What is your favorite movie” or “Who was your first crush”. I can never remember what I put in for those vague questions five years ago when I signed up for this dumb service I never use but need one more time. :roll_eyes:


I do appreciate the reminder. It’s something I “know” but rarely think of. It’s a weak spot.


The thing with that, is if/when they present you with a multiple choice, one of which is your (visibly oddball) answer.

"What’s you favorite animal? A. Duck B. Owl C. Tardigrade D. SkRZzLp@123


That’s true, but unless SCF stores your password in the clear, the attacker still doesn’t have your BOA password (assuming it can resist a dictionary attack).

Unique passwords are better, of course (there are some sites that do store plaintext passwords, for a start), but I’m starting from the assumption that people do reuse passwords, because they definitely do. And if they are doing that, then password policies just create additional problems, and in some ways encourage the reused password to be less good.


“Security questions” get answered by random strings by my password manager. Then I store the question and “answer” in the notes section of the account entry in the password manager.


I had a hunch you were referring to something on the tubes, but I had no idea what. That strip does illustrate the problem with security questions. If they are too general there are many possible answers.

My method is to use a word unrelated to anything personal (no one says you have to tell the truth) with a prefix, usually three characters, suggested by the question.

@VeronicaConnor, I have seen individual Penny Arcade strips before, but I didn’t know anything about the transphobism of the authors. Thanks for spreading the word. I’ll be careful not to link to them in future.


For a password, I’ll string together two or three words all in different languages I know, such as Japanese, Kazakh, Spanish, plus a couple numbers and a symbol if allowed. It makes remembering it from a password manager easier, and I figure dictionary attacks won’t be very useful if the password is composed of multiple languages.


This is the point though. Your advice is vastly overestimating how good the password storage and encryption systems are on every two-bit piece of website software out there. Most of them are garbage and require no effort at all to crack without elaborate attacks. Furthermore dictionary attacks are far far more effective than you seem to be giving them credit for. The category of attacks lumped into “dictionary” is vastly more sophisticated than that. I have seen 15 character random strings get cracked in seconds with script kiddie stuff. If people only take one piece of advice (which is what we’re debating here) I argue it should be to use different passwords everywhere.

Of course the best overall approach is a password manager that generates long very high entropy strings, and multi factor authentication (preferably using an app, not your cellphone number). But again if we had to pick one thing for people to do, different passwords everywhere is my vote hands down.

ETA: To make this point a little further, an example. I have seen a mobile game login system that stores passwords by XORing them with 42 (because hurr hurr Hitchhiker’s Guide). I would never recommend anyone hang their security on the competence of a world full of overworked underpaid software engineers working on projects they hate. One password in multiple places does exactly that, no matter how good the password.


Password managers are an option, but then the pessimistic view is that you’re paying to be one malware incident away from having all your accounts compromised at once.

Don’t give your passwords to ANYBODY! Absolutely not some skanky commercial provider who will get breached (because they’re a valuable target). Or they’ll go out of business without warning one day. Or worst of all sell out to Kaspersky or someone.

Use an open source password manager like keepass. Memorize a really strong password for that database. Store the encrypted database on the cloud storage provider of your choice. Be selective about the security posture of that cloud provider.


But poor password handling by small websites is incredibly common. In fact the administrators of such sites are often open about not considering their site to be high value so they aren’t going to put in a lot of effort to make sure everything is set up correctly and will warm you not to reuse passwords. Also if they are quietly breached the attackers can add request logging that captures your password from the login form. Furthermore even security minded people often underestimate how good password crackers have gotten and what it takes to be resistant to offline attack.

It’s far better to just assume that any site that gets hacked your password is leaked.


Another layer of protection: use tagged email addresses.

This! Absolutely. I own my own domain, and my email provider supports a “catch-all” mailbox. So with zero effort I just make up yourcompany@mydomain.

If your company is legitimate, then I may setup the address as a forwarder to one of a few categorized mailboxes such as newsletters, merchants, etc. You have to be VERY high on my priority list to get an actual dedicated mailbox. In all cases, with “send-as” I can do a fair enough job of replying to received messages as the expected sender. Yes, it will disclose the name of the real mailbox the email went to. But that’s not such a huge deal.


The biggest problem I’ve run into is that PayPal scammers have found my domain name, and they make up their own random addresses at my domain for registering PayPal accounts.

I have NO IDEA how that really helps them because they can’t receive the activation confirmation emails that PayPal uses. Not unless they’ve somehow breached my email provider. And I have scoured for any evidence of that and cannot find it. All it allows the scammer to do is initiate a fake PayPal account that (supposedly) cannot fully complete activation. They can get a bit farther by registering a fake phone number, but even those must be validated somehow. So all I can guess is they use some kind of phone anonymizer service.

What I see is PayPal’s “Please confirm this email address”. “PLEASE confirm this email address”. “We still haven’t received your confirmation” messages addressed to the scammers.

I’ve spent hours on the phone trying to get PayPal to tighten their policies. But my complaints fall on deaf ears no matter my attempts to escalate. They take FOREVER to shut down those accounts. Sometimes, somehow, they never do. They CLAIM that it’s not possible to associate a bank account and send or receive money, or otherwise USE those accounts. But I’ve seen PayPal emails to the scammers that suggest otherwise in a couple of cases.

So PayPal is now on my list of companies I would NEVER do business with, and recommend no one else do so either.


The obvious solution is a constant media campaign hyping the desireability of number theorists as partners.

It’ll take a while to see the results; but once asymmetric key operations become part of humanity’s natural-language capabilities just think of how easy authentication will be!


Well I can’t fix the entire world. But that’s an interesting comment I’ll have to think about. Personally I can’t think of any site where I’ve ever seen multiple choice for the security responses. Though admittedly, it’s vanishingly rare that I ever use those procedures, so I may not see the UI for that.

I suppose I need to start making up PLAUSIBLE responses. Sigh . . .


Oof, I hadn’t seen that failure mode either. Because, why would someone reduce the entropy of the answer that much? The answer, obviously, is that most people don’t understand security.

1 Like

I used to like their online D&D games from PAX but dropped them cold when they showed what assholes they really are.


Absolutely I’d agree this is the most important SINGLE factor. Don’t reuse passwords. But that then leads to many other considerations, starting with how to remember ALL THOSE PASSWORDS. So password managers. Etc.


Saw this on tumblr yesterday:


*Computer security needs a better solution than typing on a keyboard



(Did we read the same children’s book?)