They just simplified brute-force attacks against their system. Well done MAA.
And if you click the "Forgot Password" link, it asks you for your grandparents' original names.
Except for the specific list of special characters, those seem like pretty common requirements to me.
Obligatory xkcd link.
So, so stupid.
But LastPass/KeePass/1Password are really the way to fly until the world comes up with something better than passwords.
I once used '1234' as my PIN on a library card. Somebody used my card to reserve books, I think accidentally.
4: is right - at least until I have a stroke and can't remember my lastpass password
This website is infuriating. I can't figure out my username, even after resetting my password - the thing I have written down isn't working, none of the obvious choices work - and there is no way to find out your username, as far as I can tell. You can reset your password, but not your username, and it's not something unchangeable like your email address.
5 - Did you change the locks on your luggage?
Except for the specific list of special characters,
This being the point of the OP.
Can just anybody join the Math Association of America or do you have to pass a test?
8: Not that I don't appreciate the reference, but I really don't see the point of luggage locks.
10: I think there is a test, and I'm failing it.
Those are the rules for my work password. And it changes every ninety days. I have a different password to interact with my timesheets, with different rules. Different agencies I deal with have their own password protected systems with different rules.
I have completely given up on good password hygiene. I just do the minimally acceptable version of something I can remember, and change it as minimally as possible from site to site and version to version.
Profanity followed by an exclamation point makes for a pretty easily remembered password. The requirement to include a number spoils it a bit, though.
Personal passwords that I need to be able to access from different places all get emailed to myself, then labeled with the label "passwords" and put in a folder. I just pull up that folder in gmail anytime I need to access any of them.
Work passwords like those described in 13 are all written on sticky notes in my desk drawer.
Profanity followed by an exclamation point makes for a pretty easily remembered password. The requirement to include a number spoils it a bit, though.
Also profanity doesn't usually have enough characters.
You can add "mother" to the front most profanity to get more characters.
If somebody gives me $169, I can join the MAA.
I thought the list of profanities to which "mother" could usefully be added to the front was fairly short.
The requirement to include a number spoils it a bit, though.
2girls1cupOh@#$%!
I forgot about electronic filing passwords for the SDNY, the EDNY, and New York State. Also for the NYS court website that lets you sign up for scheduling reminders and docket updates for cases you're working on, even if they're not efiling cases (which most of mine aren't, because they're a particular type of special proceeding that is exempt from the efiling regulations. I'm probably one of the last lawyers in America interacting with bluebacks.) That website is completely unconnected to the efiling website.
Of course, if you want to know what's in the court file in a case that isn't efiled, there are websites with the paper filings scanned in and uploaded. But of course those are individually set up by county. New York County's is erratic -- some stuff gets uploaded, but you can't count on it. Queens, Kings (Brooklyn), and Richmond (Staten Island) didn't have anything last time I looked. And the Bronx, oddly, is great, and has been for a long time. But you have to know that it's the Bronx County Clerk's website, not anything that's part of the court system's website.
I would like vocational training as a plumber, please.
Just make a random one and email it to yourself. If someone breaks into your email the last of your worries will be your MAA password.
Why don't they just let you pick something from this list? I mean, these must be the most effective ones, right? Otherwise why would they be so popular?
Also if they let you use spaces it's easier to incorporate special characters, numbers and so on if you just use a sentence. ("Wait, so Bill ate 23 pies yesterday?") Also if someone is watching you type in your password you end up looking like some bizarre paranoid.
Also profanity doesn't usually have enough characters.
Ah, but Russian profanity does. You may now proceed to break into my work email. Enjoy!
Oh, and the PACER password. Which is the same system as federal e-filing, but you need a different account and password if you just want to look things up, rather than filing them.
24: I do that sometimes, just typing the sentences without spaces.
But I stopped because a surprising number of systems have a fairly low upper limit on password length.
LastPass/KeePass/1Password are really the way to fly
Seriously, people, get on board with one of these. It makes life so f'ing much easier.
Ugh, SO BAD. It is absolutely infuriating when the people enforcing password rules don't have the foggiest notion what actually makes a strong password.
26 is no longer true, or, at least, is in the process of changing -- one less id and password!
SDNY remembers your PACER password for you, so you can look things up from inside your SDNY efiling account -- is that all the districts? I haven't had anything going on in the EDNY for the last year or two.
29: what is the advantage of these products over the system described in 16.1?
In case nefarious evildoers rifle your desk.
4 is absolutely right. A password keeper is basically essential these days. Do yourself a favor.
If 34 was in response to 33, note that you seem to be comparing against the system described in 16.2, not 16.1.
Does a password keeper actually save you from having to retype all the passwords or just store them for you?
Urple's system is exactly what I do.
School requires we change our password every six months. I use my age, or age.5, on the end, which helps me remember my age.
I use urple's system also, except that I don't have a special folder for them in my email. And I don't list the actual password. I leave cryptic clues that would be incomprehensible to anybody who hacked my email and, after about three months, myself.
I have fears around these password keepers! That it won't work for all my systems (phone, ipad, home computer, work computer), that there will be updates that I have to download regularly, that if my browser or phone gets old or out-of-date, the latest update won't work for some reason, and that if you ever need to get out of the system, it will be a massive headache.
Does a password keeper actually save you from having to retype all the passwords
Yes. I use LastPass and for about 70-80% of sites, it fills in the info and logs me in automatically. Bank sites that have logins across multiple pages often require me to right click and choose the info to enter in a box, but I never have to type anything.
38: There are browser plug-ins that type them in for you. Sometimes totally automatically, sometimes you have to right-click and select the "Put this site's password here" button. Depends how annoying the site is.
40: I admit I do sometimes googleproof the passwords, although I'm not sure exactly why.
What amuses me is that the answers to so many of the security questions that are used to protect passwords can now be gleaned from social media profiles. What's my mother's maiden name? Gosh, I'm linked directly to her in the Facebook. What high school did I graduate from? Well, if it's not listed directly in my profile, it's probably the same high school as all the friends in my network who happen to be the same age as me and from the same city. The name of my first pet? Heck, you could probably find a name and a picture.
That's intriguing, but I'm still going to stick with urple's system. It's robust and if everybody gets on a password keeper, that will probably just escalate the number of passwords I need to keep.
30 Ugh, SO BAD. It is absolutely infuriating when the people enforcing password rules don't have the foggiest notion what actually makes a strong password.
And now most of them have implemented some little color-coded widget that goes from red to yellow to green as the password you're making up becomes "stronger". Drives me nuts.
until I have a stroke and can't remember my lastpass password
My recent experience with a stroke-having relative convinced me that we're all eventually doomed, password-wise. I was logging into his accounts to ensure everything's up-to-date, when I hit a challenge question. So off I went, driving to the hospital, wondering, "Yesterday, Grandpa didn't know what hospital he was in, or that Christmas had already happened, or that the Bears are not playing today. What are the odds he remembers his high school mascot?"
The concerns in 41 are basically non-issues. Fundamentally, the password keeper is just a database in the cloud, so you can always access it (this is true for LastPass, and I assume the others) in a regular browser. And they make plug-ins and apps for all the major platforms. And they allow export/import of your info, so it's pretty easy to switch between services.
except that I don't have a special folder for them in my email
I didn't used to have a special folder--I would just search for them--but a few started turning up pages and pages of search results in my email, with my password email buried in there somewhere, and it became a pain. The dedicated folder makes it a breeze. Also for some bizarrely paranoid reason my dedicated password folder isn't actually labeled 'passwords', it's labeled... something else, but I know what it means.
41 is not a crazy set of fears but they're mostly addressed. I'm just going to talk about LastPass, since it's the one I (and apparently ogged) use and know. The browser plugins update automatically and sync with each other, so home/work is done; I think the iOS versions are a little bit more of a pain, but still synchronized, just more touches/clicks to fill things in. If you need to get out of the system there's an "export to a text file" option.
On preview: ogged, get out of my brain.
48.last: Pretty good, actually. Obviously it varies, but generally the older memories go last.
the password keeper is just a database in the cloud
Like gmail! Only an even juicier potential target for nefarious hackers.
Fundamentally, the password keeper is just a database in the cloud, so you can always access it (this is true for LastPass, and I assume the others) in a regular browser.
This just sounds like how IT people smooth your fears that end up coming true, exactly as you figured.
My important-stuff password now takes two words at a time from a book, combined with a number related to those words. So it's relatively easy to update and, if need be, retrace the previous ones.
How would LastPass know that MAA requires a reduced range of special characters?
Does no one have an answer to 33? (Other than I guess you don't have to actually type the passwords.)
My password keeper (Pastor) just uses an encrypted file on my hard drive (which I can then put in the cloud via Dropbox or whatever if I like).
58: less hackable, I assume? They change your password super frequently or something on your behalf?
Like gmail! Only an even juicier potential target for nefarious hackers.
The important difference here is ENCRYPTION.
How would LastPass know that MAA requires a reduced range of special characters?
It wouldn't. Sorry. The only person I pressured into adopting a password keeper was my wife, after the billionth time that she said "what's the password for...." Y'all can do what you like.
57: I don't know about LastPass, but KeePass lets you tweak the constraints on how it generates a password (length, required/excluded characters, etc.). Also, if 54 means you don't trust LastPass's cloud, with KeePass you have control over your password database (which for most people means keeping it in dropbox or whatever to sync between devices).
The only person I pressured into adopting a password keeper was my wife, after the billionth time that she said "what's the password for....
This is exactly how I adopt any new technology - Jammies gets sick of me complaining, buys me or sets up for me the thing I'm intimidated by, and then I realize I love it and him and feel very happy.
62: I use the double-plus whatever thing for gmail security.
The idea is you have a single, lengthy master password -- "Jammies' tattoo says DICK and it is rad", or whatever -- and you enter that to unlock your password file. OnePass etc. then do magic to autofill passwords based on the values stored in the password file when you're using your browser, or you can look them up and enter them manually. The individual passwords generated are unmemorable random keystrokes, so like line noise or your cat on the keys or the Perl I wrote in 2002, but you don't ever have to pay any attention to those. And they're different for every site and essentially unguessable.
If hackers get hold of the OnePass files, we're in bigger trouble than we thought if they can decrypt properly-implemented Blowfish (or whatever) using strong passwords.
58: The combination of not typing and automatic generation and saving of passwords is a lot smoother than having to switch over to email and look something up. It's worth trying.
For non-UI advantages, the generated passwords are random (thus very hard to guess) and there are checkboxes in the password-generating window for which character types to include - uppercase, lowercase, digits, "special". For the paranoid, the storage is more secure than webmail, since the cloud service doesn't actually know the passwords, it just has an encrypted blob that is handed back to your browser and locally decrypted with your "one" or "master" password.
With the special selection of special characters that the MAA uses, you might have to click the button to generate a new password a few times until it gets one that doesn't have the forbidden character.
57: LastPass's generator lets you tell it what the restrictions are. You could also just manually add an '@'.
The only thing unusual about the restrictions in the OP is the very limited set of "special characters." My guess is the web developer wanted a simple, short regular expression.
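Added example, not code from the thread or from any of the password managers named in it: a policy checker written as the "simple, short regular expression" style of check described above, next to a generator that either knows the site's restrictions (comment 91's approach) or is re-rolled until nothing forbidden appears (comment 90's approach), plus the keyspace arithmetic behind comment 1's brute-force remark. The policy values (minimum 8, maximum 16, specials limited to `@#$%!`) are constructed for the example; the MAA's real rules are not reproduced on this page.

```python
import math
import re
import secrets
import string

# Constructed policy in the spirit of the rules complained about in the thread.
# Every value is an assumption for the example: a short whitelist of "special"
# characters and the "fairly low upper limit" on length some sites impose.
POLICY = {
    "min_length": 8,
    "max_length": 16,
    "allowed_specials": "@#$%!",
}
GENERIC_SPECIALS = string.punctuation  # what a manager's generator draws from by default


def check_password(pw, policy=POLICY):
    """Return the list of rule violations; an empty list means the site would accept pw.

    The character-class tests are the kind of short regular expression a web
    developer writes for such a policy; anything outside the whitelist is rejected.
    """
    specials_re = re.compile("[" + re.escape(policy["allowed_specials"]) + "]")
    allowed = set(string.ascii_letters + string.digits + policy["allowed_specials"])
    problems = []
    if len(pw) < policy["min_length"]:
        problems.append("too short")
    if len(pw) > policy["max_length"]:
        problems.append("too long")
    forbidden = sorted(set(pw) - allowed)
    if forbidden:
        problems.append("forbidden characters: " + repr("".join(forbidden)))
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase letter")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", pw):
        problems.append("no digit")
    if not specials_re.search(pw):
        problems.append("no special character from " + policy["allowed_specials"])
    return problems


def generate_password(length, policy=POLICY, specials=None, max_attempts=100_000):
    """Draw a uniformly random password and re-draw until check_password() accepts it.
    Returns (password, attempts).

    specials=None tells the generator the site's restrictions (it only draws from
    policy["allowed_specials"]); specials=GENERIC_SPECIALS models a generator that
    does not know them and has to be re-rolled until no forbidden character shows up.
    A policy that can never be met from the alphabet raises instead of looping forever.
    """
    if specials is None:
        specials = policy["allowed_specials"]
    alphabet = string.ascii_letters + string.digits + specials
    for attempt in range(1, max_attempts + 1):
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw, policy):
            return pw, attempt
    raise ValueError("policy could not be satisfied from this alphabet")


def keyspace_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(check_password("Wait, so Bill ate 23 pies yesterday?"))  # the sentence trick from comment 33
    print(generate_password(16))                                    # generator told the rules
    print(generate_password(16, specials=GENERIC_SPECIALS))         # generator re-rolled until it fits
    print(keyspace_bits(16, 62 + 5), keyspace_bits(16, 62 + 32))    # restricted vs. full punctuation
```

The sentence-style password fails on both the length cap and the space character, which is exactly comment 38's complaint, and the two `keyspace_bits` figures make the point of comment 1 concrete: shrinking the special-character set from 32 to 5 costs a 16-character password about 8 bits of keyspace.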
Years ago, when I first started using a password manager, I would generate long passwords with lots of "special" characters and turn up fun bugs where the password setting code didn't agree with the password checking code about what was valid (or something got escaped somewhere along the way) and so I got locked out of my account with a valid password. I'm not sure why sites don't just accept arbitrary Unicode strings.
The idea is you have a single, lengthy master password...
That's what I do now when I can. It's more of a rotating list because of requirements to change it so often.
62: I use the double-plus whatever thing for gmail security.
Yes, but your emails aren't encrypted on the Gmail servers. Google has access to them as plaintext, and that means that there are multiple routes from which a bad actor can get at them and read them.
If hackers get hold of the OnePass files, we're in bigger trouble than we thought if they can decrypt properly-implemented Blowfish (or whatever) using strong passwords.
Who's to say it's all properly implemented? I mean, the mathematical strength of the encryption is one thing, but whether your particular password-safe is actually doing everything properly so that there isn't any way to get to the passwords in clear text is, if you're not the right kind of nerd, down to "Trust us." Which is fine, but not clearly to me better security than bits of paper in my desk.
72: They aren't really plain text. They're clues to myself, sort of like the security questions but harder. Obviously, if there is an internal problem at Google, I'm screwed. But that's so true for so many reasons, I don't think the passwords in the gmail even register.
It's not like I keep my bank account password on gmail or anything. I keep that on a sticky note in my desk drawer.
Last summer, the lawyer I was working for was in court in the middle of a hearing, when he realized he needed something from back at the office. He jotted down his password on a sticky note and explained what he needed, and I ran over to get it, noticing along the way that the password was something like "PieIsAmazing81." Later on that day when we left court, he turned to me and thanked me for getting the thing and then deadpanned, "I want you to know: I really do think pie is amazing."
73 has it. There have been far too many exploits based on minor implementation failures (e.g., "goto fail") to rely heavily on algorithmic security.
This just sounds like how IT people smooth your fears that end up coming true, exactly as you figured.
My fears don't need smoothing.
I'm not sure which if any of these tools have been code audited; you could implement a similar process using off-the-shelf tools like openssl and a text file if you were willing to give up the nice UI.
I'm just reluctant to start one more account.
73 is true but I think not convincing. Really, the usability advantage here is huge, and the security gains from not using the same or same few passwords all over the place, and using genuinely difficult-to-guess passwords (because they're randomly generated), likely outweigh the risk that it's implemented wrong - and the right kind of nerds seem to agree (KeePass at least is actually open source, so they can check for sure, and that's an advantage it has). There is a certain amount of "trust us" with LastPass/1Password, though as far as anyone can tell they do exactly what they claim to do.
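Added example, not code from the thread or from any of the products discussed: the "encrypted blob in the cloud, decrypted locally with the master password" design from comment 68, reduced to the openssl-and-a-text-file level suggested in comment 81, written with only the Python standard library so it can be read end to end (comment 73's point that you can only trust what you can inspect). Two assumptions are labelled in the code: the PBKDF2 round count, and the use of HMAC-SHA256 in counter mode as a stand-in stream cipher, because the standard library ships no AES; a real vault would use an authenticated cipher such as AES-GCM in its place.

```python
import base64
import hashlib
import hmac
import json
import os

PBKDF2_ROUNDS = 100_000  # assumption: tune to what your slowest device tolerates
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(master, salt):
    """Stretch the master password into two independent keys: one for
    encryption, one for authentication. Only the salt is stored; the keys
    exist solely in the client's memory."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt,
                             PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(key, nonce, data):
    """Stand-in stream cipher (assumption, not AES): XOR data with
    HMAC-SHA256(key, nonce || counter) blocks. Same call encrypts and decrypts."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        block = hmac.new(key, nonce + block_no.to_bytes(8, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def lock_vault(master, entries):
    """Serialize the entries, encrypt-then-MAC them, and return the opaque blob
    that is all the sync service ever sees."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return base64.b64encode(salt + nonce + ciphertext + tag).decode("ascii")


def unlock_vault(master, blob):
    """Verify the tag before decrypting; a wrong master password or a blob
    modified in transit fails here rather than yielding garbage entries."""
    raw = base64.b64decode(blob)
    salt = raw[:SALT_LEN]
    nonce = raw[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext, tag = raw[SALT_LEN + NONCE_LEN:-TAG_LEN], raw[-TAG_LEN:]
    enc_key, mac_key = _derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered blob")
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext).decode("utf-8"))


def unlock_or_none(master, blob):
    """Convenience wrapper: None instead of an exception on failure."""
    try:
        return unlock_vault(master, blob)
    except ValueError:
        return None


def blob_leaks(blob, secret):
    """True if the stored blob exposes the secret as plaintext, which is what
    separates this from a 'passwords' folder in webmail."""
    return secret in blob or secret.encode("utf-8") in base64.b64decode(blob)


if __name__ == "__main__":
    # Constructed sample vault; the site and credentials are made up.
    vault = {"example.org": {"user": "alice", "password": "Tr0ub4dor&3"}}
    blob = lock_vault("correct horse battery staple", vault)
    print(blob)                                            # what the cloud stores
    print(unlock_vault("correct horse battery staple", vault and blob))
    print(unlock_or_none("wrong master", blob))            # None: tag check fails
```

Note the order of operations in `unlock_vault`: the tag is checked with a constant-time comparison before any decryption happens, so an attacker holding the blob gets no feedback other than "accepted" or "rejected", and the only offline attack left is guessing the master password through the PBKDF2 stretching, which is why the master passphrase is the one password that has to be long.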
I take some comfort in the fact that people and businesses get hacked all the time, and so my credit card and bank have a lot of experience dealing with the crisis, also.
Topical tweet in my feed today (@kerihw):
Your password must contain an upper case character, an antagonist character and a moment where the main character saves a cat.
73: keepass and I think some of the others are open source, so rather than trusting a particular company, you're trusting collective scrutiny. Obviously not foolproof but better than just trusting a black box if that's what you're worried about.
64 is slightly wrong; ogged pressured me into lastpass, or at least recommended it. I like it a lot. I am not his wife.
LSAC, the centralized law school admissions thing, requires special characters and capital letters and all sorts of stuff for a password I use exactly once a year to upload rec letters. my success in remembering this is exactly what you'd expect.
you're trusting collective scrutiny
Bleeds my heart with a monotonous languor.
78 was not meant to condemn password managers. I use LastPass myself. Just don't assume it's secure because it uses Blowfish. (To show I'm not attacking a strawman, 80 ignores that there have been at least two major OpenSSL exploits in the past year.)
Stolen from Twitter and slightly edited for my status updates: "Your password must contain an uppercase letter, a number, a punctuation mark, a Hangul syllabic block, a gang sign, an extinct mammal, and a hieroglyph."
ogged pressured me into lastpass, or at least recommended it
At Vasser you could say I raped you into it.
there have been at least two major OpenSSL exploits in the past year
This reminds me of another nice thing about LastPass: when these happened, it ran an audit of my passwords and told me which sites had been hacked and needed new passwords.
87: But yes, all in all one of the systems will be more secure.
... until the day it isn't; but you will at least have a lot of company and your stuff will most likely be relatively boring and not as lucrative compared to some others in the mix.
Reminds me of my take leading up to Y2k where I had some responsibilities for some systems. I was relatively OK with either:
1) My stuff and everyone else's worked.
2) Everything failed and we were burning our furniture and eating each other to stay alive,
but not,
3) Everybody else's stuff worked and mine failed.
90: At Vasser you could say I raped you into it.
And you could learn how to spell "Vassar" as a bonus.
He meant Vasser. At Vassar, they would never trivialize rape like that.
"Your password must be a haiku."
One thing that almost has me convinced about these password keepers is that you all have been beating the same drum - with the exact same specific keepers - for over five years. I was worried then that specific ones would be faddish and I'd be expected to switch to some new, better password keeper, every few years, while the old one would become unsupported and outdated.
And you could learn how to spell "Vassar" as a bonus.
I did learn to spell Albuquerque, so you're probably right.
Would it be a pain if Jammies and I are sometimes logged into some things as ourselves and sometimes as each other? I'm thinking of things like Amazon - we both have accounts but his is prime, but mine sends kindle books to my ipad, etc.
The main password on my Mac was "buttmunch" for a long time (easy to remember!). Then I had to have it fixed and there was an awkward moment when the guy asked me for my password. I recommend against using profanity for your passwords is what I'm saying.
I use lastpass for most things, using a complicated base password and an addition based on the site name, so I can usually guess it if lastpass isn't available for some reason. For really important passwords I write them down on a piece of paper and keep it carefully concealed among other pieces of paper. To get to those passwords someone would need physical access to my apartment and time to rifle all my many piles of paper. Or a keylogger, I guess.
I use lastpass for most things, using a complicated base password and an addition based on the site name, so I can usually guess it if lastpass isn't available for some reason.
Doesn't this practice negate the main benefit of lastpass?
98: on a shared computer, you mean? You have options: (1) LastPass can cope with having multiple logins for a particular site, you just have to use the right-click menu to tell it which one to use. (2) If you want to keep it for just you, you could sign out of LastPass in the browser. (3) If you want convenience, you could set up separate browser "profiles" (like another copy of the browser, but with different sets of preferences, plugins, history, etc.) and just have LastPass in yours.
(Also, if he has Prime, you should be able to have Prime as well.... have we talked about this before?)
LastPass can cope with having multiple logins for a particular site, you just have to use the right-click menu to tell it which one to use.
Yeah, this works very well. Switching between my home and work gmail accounts, for instance, is fairly effortless.
I'm admitted to a whole lot of courts, and so I have ECF passwords up the yin yang. (Maybe I should end them with that symbol?) I spend no time thinking someone is going to hack in and file something as me in the NDNY, CDIll, WDTex, whatever.
My foot hurt pretty bad yesterday, so I was mostly binge-watching Archer and counting down to the next painkillers. I did have a couple of calls with judges, though, and I don't think it was my heightened state that led opposing counsel to engage in some of the most embarrassing dialog with a judge I've ever heard. In the first one, we're all willing to stipulate to a particular fact, but the judge says the other people need to present sufficient evidence to support the thing. He's told them this repeatedly, orally and in writing, and they keep not doing it. The purpose of the call was to tell them one more time, and Jesus what whining: this was middle schoolers not wanting to do the homework.
Then the next call was with a federal judge -- plaintiff's atty gave a light chuckle when the judge told him he had to amend to properly allege diversity (I mean, come on, everyone knows it's not "residence") but then later when she pointed out that he'd left out a required section from one of his filings, he went on a rampage of whining, how many different rules he has to know, how often the rules are changing, how hard it is to keep up. The judge was all 'I don't understand why you don't just take a look at the rules before you file something' but the lawyer -- 30+ years in, Ivy League degree -- just thought this was totally unreasonable.
I had my paralegal on the calls -- which I never do -- because she'd take coherent notes. I think a good bit of the mystery got stripped away.
Isn't knowing the actual rule pretty much the sole value-added component of a lawyer?
LastPass also allows sharing passwords between accounts (might be a premium feature). My wife and I have a folder of shared passwords for Netflix, banks, etc.
urple, I used to use a variation on 16.1. A password keeper is better (for me) because it's just simpler. I don't have to open my e-mail or search it or remember to e-mail myself or write a new sticky note if I change the password, don't have to worry about one of the sticky notes falling behind the desk in the gap that's too narrow to reach but you try anyway and your arm gets stuck and it's the weekend so no one's around and you're forced to consider whether you can cut your own arm off with a staple remover.
Now why isn't there an app for that.
It wouldn't have to amputate for you. Just work out the odds of amputation or not.
Like "This to That," but "Cut This with That." Brilliant.
||
Late last month, before I went on vacation, I remember dropping my rent check for January in the lobby box.
Around the 6th or 7th of this month, I get a call from my landlord, saying he doesn't have my rent. I think maybe I'm just remembering my plans to drop the check off early, but not actually doing it, and so I make out a new one.
I just now got another call from the landlord. Again, he says he doesn't have the check. This time I'm absolutely sure I've given it, so I'm baffled. None of the checks have been drawn; it would have shown up in my bank account by now if they had. The rent box is one of the mailboxes, which I know the mail carrier can open, but I don't know if it has its own separate lock as well. The payee is a property company, not an individual, so I imagine it would be hard for a thief to cash the check.
I don't really suspect the landlord of bad faith; he's pretty outstanding overall, has not made a fuss the couple of times in the last few years I forgot about the rent, and when I ask him for maintenance it gets done both well and scary-fast. On the other hand, by now my rent is significantly below market, so he would gain if I left.
Any perspective WTF is going on? (Other than that my not recording the checks I write is coming back to bite me.)
|>
104 -- One of my primary mentors would always say: 'As Wittgenstein said, don't think, look it up.' Or, when a little more bothered by one of those all user emails posing a legal question, 'crack a fucking book.'
We're all supposed to know the rules, at least roughly, but they do change, so one really should check before filing something.
The guy had one additional rule faux pas -- I'd raised a personal jurisdiction defense for one of my 2 corporate defendants in the answer. Opponent says, Ha! not a motion, that's a waiver. The judge didn't actually say crack a fucking book but did point him to the rule.
100: Lastpass will generate really strong passwords for you but if it isn't available you're hosed. I use the system I describe above so that I have a limited number of guesses before finding the right password. Lastpass eliminates the guessing and takes care of all the login BS for you, which is why I use it.
If somebody had a password app that generated passwords based on Law & Order character names plus body parts, "ButtMunch" would probably be a common password.
(Also, if he has Prime, you should be able to have Prime as well.... have we talked about this before?)
Wait, what?
Yes, Prime goes by household. Share Your Amazon Prime Benefits
You can get all the Hermione/Snape fiction you want.
I started reading this thread with trepidation, fearing that someone would explain why it wasn't safe to use Last Pass, knowing that I'd still use it anyway because of convenience.
Heebie, you've got to get it. It's not just the password management; it's also the form fills. Next time you find yourself facing a screen full of fiddly little blanks, know that you could, if only you had Last Pass, hit a little button and already be done.
When I started my current employment in 1991, I was told to make up a password to access the word processing capability. I thought a password was really stupid, since you needed to be at my desk to use it, and the only stuff on the computer system was word processing, so I just used my wife's first name.
That's still my password for my work computer, which at this point travels home with me every night and sometimes is in checked baggage, has my credit card information, many documents with my social security number, the file with all of the other passwords in it [some safety--that file does not have the word password in its name or its contents so wouldn't be all that easy to find] and lots of other stuff. I sometimes think about changing it, but I also think it would be cool to tell people at retirement that I've used the same password for my entire career.
I've had the same password at amazon.com since I created an account in 1998. It's also the password for my bank and lots of other things. (Basically, anything else that doesn't have bizarre requirements that force me to create some other password.) It's not my wife's last name, though--that would be too easy. It's her last name backwards, with a special character thrown in at the end for good measure.
119: I can't do it from here, but would you like me to edit that when I get home? It seems indiscreet.
Let's all reveal our salary and our passwords.
Don't forget your social security numbers!
Indiscretion is the new blasphemy!
123: Urple, I figure there's a 50/50 chance that he's on the one hand lying, or on the other hand protected by his private reality vortex. Unimaginative might have actually just slipped up.
Plus, women the same age all have the same name, more or less.
127 is sort of insulting. Why would I be lying? Does someone reading this blog want to steal my login passwords? (If they did, do they have my login id? And how many guesses would it take to actually get the correct password?)
Urple's information is further protected by a crossbow.
Their name is Jane.
But jesus, does everybody have Amazon Prime these days? I swear, that thing is going to kill us.
127 is sort of insulting.
Your reality vortex isn't private?
private reality vortex
I thought that only the Flash could twirl around in circles fast enough to create one of those.
It was more the 50/50 chance I'm lying. What have I ever lied to you about?
122: Nah, the whole point is to live recklessly. And since I don't do drugs, alcohol, guns, motorcycles, or extramarital sex . . .
You could try to hack his Amazon account to see.
135: well ok then why would I likely be lying while unimaginative "might have actually just slipped up"?
It takes imagination to tell a lie.
Unimaginative's pseud, on the other hand, reeks of stolidity. Him, I'd trust implicitly.
(There's a business opportunity out there for anyone willing to comment as Forthright McReliable for the sole purpose of selling me swampland in Florida.)
Well now I'm angry enough that I've gone and changed my fucking bank password. You fucking ingrates.
Chicken. Unimaginative is living dangerously.
My amazon account is still yours for the taking. My credit card isn't stored on there, so I'm not sure what damage you could do, other than adding some shit I don't want to my wishlist. (Hrmph.)
We could download free books to your Kindle?
143: I may not have clearly conveyed that I'm legitimately not-joking irritated about this.
I'm very sorry. I don't know about LB, who is much more heartless than I.
By all accounts, New Jersey is worse.
While I am more heartless than Moby (as well as being infinitely less likely to interact with anything called 'cob'), I do apologize. Literally, I thought there was a good chance you were kidding around (which it was rude of me to have described as lying, but I have terrible manners) by following unimaginative's indiscretion with a matching, but even more specific mock-indiscretion. What made me think it was probably a joke was that it followed unimaginative's comment, rather than anything about your character.
(I do stand by my statement that you look shifty from here, though.)
149: WE TAKE THAT AS A STUDIED INSULT.
My only worry with LastPass is that if someone has physical access or remote desktop control of my computer, they have everything.
I'm not sure how anything about 121 would have been funny, had it been a joke.
My sense of humor is arcane and idiosyncratic.
Wait, is 153 right? I presume that the long password I have to enter before using LastPass prevents other people from using it? (Ugh, this is exactly the kind of worry I had hoped to avoid).
Wait, is 153 right? I presume that the long password I have to enter before using LastPass prevents other people from using it?
Yes, it's encrypted. Of course if you leave it OPEN and someone has access, then there it is.
You can set up LastPass so that it remembers your password on your personal device, in which case 153 is totally justified. I think you have to click through a warning or two, though...
When I started my current employment in 1991
I... what...
This is so completely outside my comprehension I can't even.
Don't you go claiming to share my arcane sense of humor. I said it was idiosyncratic. Not merely unusual, idiosyncratic.
161: as 160 should adequately demonstrate, I don't actually have a sense of humor.
159: The recession in 1991 wasn't that bad.
I'm coming up on nine years at the same job. If I get to ten, I'm going to turn into a European because I'll be able to take off a whole month in the summer.
Jammies has been at the same job since 2000. He did narrowly avert getting fired just last week, though.
Anybody could have spilled 50,000 gallons of oil.
...but spilling into a daycare takes finesse.
heebs, is there an anonymous-enough version of the story at 165 you can tell us?
Short version: he was told to apply (immediately!) for a different job within the same company because his department was laying people off that very day. Now he works with race cars. And has to go out of town a lot more, which sucks for me.
That does suck, but still, race cars.
Also, it is kind of nice that the people he worked with affirmatively pulled him out of the firing zone.
I have a password technique that eases the pain:
one master password, itself memorable, which I then modify by adding the first three characters from the name of the login site in question, in full caps, into specific, predetermined slots in the master password.
only problem is the very occasional site with a MAXIMUM password length. those can fuck right off....
131 But jesus, does everybody have Amazon Prime these days? I swear, that thing is going to kill us.
No, they still charge for killing, you just get it done faster with Prime.
Like, NASCAR? World Rally? Formula One? Going out to the Bonneville Flats and just being like fuck it, huge engine, move this thing? I guess this is literally asking for personally-identifiable information but come on, race cars, plus Urple did it.
No, they still charge for killing, you just get it done faster with Prime
Just wait until they get permission to use those drones.
181: Sort of yes! He'll be with them when they take the demo car with their computer parts in it to various races.
Further to 182, I think that might make them price-competitive with the guy in Pakistan who said he'd kill anyone I wanted for 200 bucks.
183: Awesome. Will he get a cool "Team X" jacket out of the deal?
I don't know if they're part of a team, per se, because I don't think anyone drives their demo car in the actual race - I think they show it off as part of the circus surrounding the race. But I bet they have matching outfits of some kind. Can't have them looking all haphazard at the Formula 1 Racetrack.
Probably just a simple tights, singlet, codpiece combo.
||
Just putting this here for reference:
[O]n any given day, I'd say 75 percent of what you read in the tech press is somewhat accurate, 20 percent is complete bullshit, and 5 percent is actually true.
I think it's safe to say this applies to most journalism, not just tech. I bring it up because we often have conversations in which somebody says something to the effect that every article they've ever read in which they had first hand knowledge was on some level incorrect. This guy - who worked for most of a decade in tech journalism, and now has been on the VC side for awhile - is offering a slightly more nuanced take that's probably useful to bear in mind.
|>
If that's to 187, I don't think I count as "press".
I use KeePass and often when I have it generate passwords for accounts I get a message on the signup form that essentially says "your password is too strong; weaken it" and then I look more closely and see that they have a non-intuitive definition of special characters or don't allow spaces or whatever.
Aren't docs stored on google drive encrypted? Maybe that's better than gmail.
115: Thanks! Additional household member added.
Catching up on this thread, I think my dad got the same login message at work for the last 20+ years before he retired:
"Your password has not changed for 30 days. Please consider changing it."
The password was a four-letter word, not profane. I occasionally logged into his work system to play text-based games as a kid.
Also, while reading this thread I tried to log into a site, failed, thought it was one of the sites where my account pre-dated my use of a password manager, meaning there was a decent chance I still relied solely on memory for it, requested a password reset so I could log in and then put the new password in my password manager, discovered I had previously entered both the site and old password in the manager, discovered my reset request had gone through so I couldn't use my old password, generated a new password, entered the new password on the site, saved the new password in the manager. This took about five minutes.
I once had an intern whose friend was interning for a Formula 1 team. And they gave a £1000 bonus to everybody on the team, including the interns, for every point gained in a race. They did averagely OK that year and he was about £50K up.
A couple of times we house-sat* for one of the executives at M\ acLare \n . It was a very nice detached house in Surrey, but it wasn't particularly ostentatious.
* my wife used to au-pair for one of their neighbours, so we knew them slightly.
My only worry with LastPass is that if someone has physical access or remote desktop control of my computer, they have everything.
You can configure LastPass on a site by site (or secure note by secure note) basis to require a reprompt of your master password. A pain in the arse for day to day use, but if you're worried about other people accessing your computer/device you could do it for the sensitive ones. Or you could be extra diligent about using lock screens.
I'm surrounded by people who work for Formula 1 (I so did not realise I had moved to Formula 1 land). My next-door neighbour is a mechanic (not pit crew, experimental) for Lotus; friend is an electrical engineer for Mercedes; etc, etc. All I can tell is that it's pretty damn good to work for Mercedes right now, what with Lewis Hamilton winning everything.
You mean you live near Wan\tage? It used to be all horses there, but the last time I drove to visit a friend it seemed to be nothing but racing car firms.
Same county, farther north. Spitting distance from the Mercedes HQ.
I really liked Want/age when we visited, though -- would love to live there.
I have traumatic memories of the place -- my best friend from school lived there because his father had a pub in the centre of town with an upstairs disco where we could spend afternoons drinking cream stout and playing Cream on the PA. I don't think I have ever been more unhappy but the booze and the music helped.
He now lives up the road, in Gro/ve having managed to avoid paid work since the age of 25. One of the wittiest men I have ever known and I would once have said the most talented of all my friends.
Ooof, doesn't sound like fun. I've only been there on a long weekend, country B&B and walks on the Ridgeway. Pleasant memories.
Oh, the countryside around is lovely. If you're not a miserable adolescent at a single sex boarding school it's probably enjoyable too. And there are great pubs.
||
"Interestingly, while in Western society vaginal intercourse is the main cause, more than half of the reported penile fractures in the Middle East, especially in Iran, are inflated by manual bending of the erected penis to achieve detumescence due to cultural circumstances (i.e., forceful hiding of an erect penis in underwear, known as Taghaandan practice, "breaking the Qholenj") [5].
|>
[from]
Now that's what I call repression.
This is because they don't have baseball.
So in American football they deflate the balls, but in baseball, it's the penis? I think I understand it now.
I've been keeping my passwords in the GMail, but, after looking at the graphic half way down this page, I think I'm going to not do that any more. You know, in case I ever wind up on the wrong side of The Man.
LastPass and KeePass and all these similar services are technically programs you have to install, right? Or if "programs" is the wrong word, they're apps or browser plugins or something? In that case, I can't use them at work, because our computers here are straightjacketed. And there's at least two or three things I use regularly at home that I'd also like to have the password to at work.
So for now I'll probably stick with my current system: I have two main password phrases that aren't written down anywhere, and for every Web site I use one of those with numbers or symbols added in various places, and I have a text document on my home computer with a list of each of them, with a file name that has nothing to do with passwords. For example, it'll say something like "Amazon: secondary password, 2 in third position, ! at end."
I promise, I'll really look into those options if I ever stop goofing off at my job, or let me install a plugin to make it easier.
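Two commenters above describe the same kind of scheme: a memorised master secret that gets a small, site-derived modification (the first three letters of the site name dropped into fixed slots; or a digit at a fixed position plus a symbol at the end, recorded as a hint). The block below is an added illustration, not anyone's actual password or code from this thread. It models both schemes on a constructed sample master and then measures what two leaked passwords from different sites have in common, which is the risk with this approach: the slot positions and the master are obvious from a single pair. The slot positions and the sample master are assumptions.

```python
"""Added example: model two master-plus-site-tweak password schemes and
measure how much of the shared secret each generated password exposes.
The master below is a constructed sample, not anyone's real password."""
from difflib import SequenceMatcher

MASTER = "correcthorse42"  # constructed sample master password


def derive_slot_scheme(master: str, site: str, slots=(2, 6, 10)) -> str:
    """Scheme 1: the first three characters of the site name, upper-cased,
    are inserted one after another into fixed slots of the master password.
    The slot positions are an assumption; the thread only says 'predetermined'."""
    out = list(master)
    for pos, ch in zip(slots, site[:3].upper()):
        out.insert(pos, ch)
    return "".join(out)


def derive_hint_scheme(master: str, digit: str, digit_pos: int, suffix: str) -> str:
    """Scheme 2: a master phrase with one digit inserted at a 1-based position
    and a symbol appended, exactly what a hint like
    '2 in third position, ! at end' describes."""
    i = digit_pos - 1
    return master[:i] + digit + master[i:] + suffix


def differing_positions(a: str, b: str) -> list:
    """Indices at which two equal-length passwords differ. For scheme 1 this is
    precisely the set of slots, so two leaked passwords reveal the structure."""
    if len(a) != len(b):
        raise ValueError("passwords must be the same length to compare by position")
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


def similarity(a: str, b: str) -> float:
    """Ratio in [0, 1] of matching characters between two strings; values near 1
    mean the passwords share almost all of their material."""
    return SequenceMatcher(None, a, b).ratio()


if __name__ == "__main__":
    p_amazon = derive_slot_scheme(MASTER, "amazon")
    p_github = derive_slot_scheme(MASTER, "github")
    print(p_amazon, p_github)
    print("slots exposed by comparing the two:", differing_positions(p_amazon, p_github))
    print("similarity: %.2f" % similarity(p_amazon, p_github))
    print(derive_hint_scheme(MASTER, "2", 3, "!"))
```

Run as a script it prints the two derived passwords, the slot indices recovered by comparing them, and a similarity score above 0.8; that score is the property a breach of any one site hands to whoever reads the dump, and it is why password-manager users in the thread are getting a different random secret per site instead.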
You could put the app on your phone and use that to look up your passwords, but you'd lose a lot of the convenience of the browser plugins.
You can run KeePass off a flash drive but your work may block USB ports and flash drives have the built in risk of losing them because they're small. Come to think of it, it may be possible to run KeePass w/o admin privileges, though there may be workplace policy against unauthorized apps.
FWIW, the computers at my work are pretty locked down (no USB devices, even for charging, for instance), but I could still install the LastPass plugin.
Personally, I bought the app for marriage, LastAss.
||No more oiling up for King Abdullah.|>
I use PasswordSafe, which I'm somewhat surprised hasn't been mentioned. It runs on multiple platforms and is recommended by Bruce Schneier (and IIRC partly written by him).
It is more nerdy than LastPass etc., in that one must supply a master password to open a "safe" and then copy-paste the password (it copies it on a double-click of the entry). Once the safe is open it stays accessible for a while, then shuts again.
I don't trust cloud-based or cookie-based systems, and it will be years until I do.
I keep vowing to put a copy of the master password and the safe file in my deposit box, in case I die or go senile.
I don't trust cloud-based or cookie-based systems, and it will be years until I do.
Nor do I, ultimately, but this is a situation where the perfect is the enemy of the good for me. If it's not something as convenient and as accessible anywhere as LastPass, I'm simply not going to have a different secure password for all of, or even a meaningful proportion of, the sites/apps I use. Which means I'm vulnerable at many points, not just one, at least theoretically more secure, point.
All this talk about passwords reminds me of a bunch of the stuff I hate about Windows 8. Number 1 on the list: they didn't adequately QA it for people who didn't want to get a WindowsLive account and use that password for their login password. That was me - instead of something like KeePass, I've kept a list of accounts and somewhat obscure password hints on my laptop (with a backup on my home computer), while using a non-obvious (no "1234") but not super-strong password to secure the laptop, counting on physical possession of the laptop to be my main defense.
I ran into this both on the Windows 8.1 upgrade and on Skype initialization - Windows wanted me to go get a WindowsLive account right then and convert to using it as my login password. While there was a non-obvious link on the page to say "No I want to keep my existing login password, thank you very much", in both cases it didn't work, looping me back to the screen prompting me to get a WindowsLive account. The former case I eventually figured out a workaround for (logging in with an invalid password, and then finding a way around it in the resulting prompts), but the latter had me stuck in an emergency situation where I needed to get Skype working right away*. So I wound up having to pick a non-obvious password that I had a fighting chance to remember and Windows thought was strong enough (being pickier than most programs), and I now have that as my login password (without a hint) on my laptop, where I get reminded multiple times a day how much I hate Windows 8 (8.1 these days).
* - More details: our engineering meeting had been kicked out of the conference room we usually use by our CEO, who needed it for another meeting. So I was trying to use Skype on my personal laptop to link in my boss, because the new room didn't have teleconferencing. I got to spend 20 minutes with our whole Engineering department watching me curse out Windows repeatedly, as I first tried to find a workaround, then gave up and asked for a WindowsLive ID, then got told that my email was already in use and I needed to supply the previous password (which I had no chance of getting to, because if I had recorded it, it was on the laptop that currently had me stuck in this loop), then went through the password reset procedure, which involved a text to my cell phone (which fortunately I had with me), then go through the process of picking a password that Windows would accept, and finally wait around while it took its own sweet time reconfiguring my system with the new password and linking my new password to my Skype login. Because, of course, having a WindowsLive ID is so awesome that I had nothing better to do at that particular time than go through all the hoops to get my laptop configured with it. Have I mentioned how much I hate Windows 8 lately?
I absolutely hate Windows 8 requiring a Windows account to be a computer user's account for certain things. I don't mind needing a Windows account to download from the Windows store, but I'd rather have my own access to the machine.
I took over my mom's Windows 8 laptop and after determining that I wasn't going to brick it, installed Ubuntu. I did install Windows 8 in VirtualBox (using the key that came with the computer) but only in case I absolutely require compatibility. I mainly run it to sync some files on my work Google account to my laptop - no Google drive desktop sync in linux - so I end up usually running it with a non-administrative non-Windows Live user account.
I really would have thought the Math Association of America would have given a bit more thought to entropy. There are 67 characters in their permitted alphabet, but three of the characters in your password have to be chosen from smaller sets: lower case letters (26), digits (10), and special characters (5), reducing the complexity of a brute-force search by 2-3 orders of magnitude. Bumping the length requirement to eight characters (with a dictionary check to rule out guessable words and common passwords) would have improved security a lot more than their silly special-character rule.
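The entropy argument in the comment above can be made exact. The block below is an added example, not part of the thread: it counts, by inclusion-exclusion, how many strings over the 67-character alphabet (26 lower, 26 upper, 10 digits, 5 specials, as the comment breaks it down) contain at least one character from each required class, and compares that to the unconstrained space and to the longer minimum the comment proposes. The six-character minimum is an assumption; the thread only says it is below eight. A brute-force counter over a tiny alphabet is included to confirm the formula.

```python
"""Added example: exact keyspace of a composition rule via inclusion-exclusion.
Alphabet classes follow the comment above; the length-6 minimum is assumed."""
from itertools import combinations, product
from math import log2

CLASSES = {"lower": 26, "upper": 26, "digit": 10, "special": 5}  # 67 total
REQUIRED = ("lower", "digit", "special")
ASSUMED_MIN_LENGTH = 6


def unconstrained_keyspace(length: int, classes=CLASSES) -> int:
    """All strings of the given length over the whole alphabet."""
    return sum(classes.values()) ** length


def constrained_keyspace(length: int, required=REQUIRED, classes=CLASSES) -> int:
    """Strings of `length` containing at least one character from every class in
    `required`. Inclusion-exclusion: start with all strings, subtract those
    missing one required class, add back those missing two, and so on."""
    alphabet = sum(classes.values())
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            size = alphabet - sum(classes[c] for c in missing)
            total += (-1) ** k * size ** length
    return total


def brute_count(length: int, required, classes) -> int:
    """Enumerate every string over a (small) labelled alphabet and count the ones
    that satisfy the rule; used only to cross-check the formula."""
    symbols = [(cls, i) for cls, n in classes.items() for i in range(n)]
    needed = set(required)
    return sum(1 for s in product(symbols, repeat=length)
               if needed <= {cls for cls, _ in s})


def compare_policies(length=ASSUMED_MIN_LENGTH, longer=8) -> dict:
    """Size and bit-strength of the composition rule at the assumed minimum
    versus a plain longer minimum with no composition rule."""
    rule = constrained_keyspace(length)
    plain = unconstrained_keyspace(length)
    long_plain = unconstrained_keyspace(longer)
    return {
        "rule_bits": log2(rule),
        "plain_bits": log2(plain),
        "longer_plain_bits": log2(long_plain),
        "shrink_factor": plain / rule,
        "gain_from_length": long_plain / rule,
    }


if __name__ == "__main__":
    for k, v in compare_policies().items():
        print("%-18s %.2f" % (k, v))
```

With the assumed length of 6 the composition rule shrinks the space by roughly a factor of five (about 2.4 bits), because the required characters can sit in any position rather than three fixed ones; raising the minimum to eight with no composition rule multiplies the space by more than twenty thousand. Either way the count is a ceiling for an online guessing attack, not a measure of how people actually choose passwords, which is why the dictionary check the comment mentions matters more than any of these numbers.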