Re: Password protection

1

They just simplified brute-force attacks against their system. Well done MAA.


Posted by: togolosh | Link to this comment | 01-21-15 8:26 AM
2

And if you click the "Forgot Password" link, it asks you for your grandparents' original names.


Posted by: Moby Hick | Link to this comment | 01-21-15 8:27 AM
3

Except for the specific list of special characters, those seem like pretty common requirements to me.

Obligatory xkcd link.


Posted by: AcademicLurker | Link to this comment | 01-21-15 8:35 AM
4

So, so stupid.
But LastPass/KeePass/1Password are really the way to fly until the world comes up with something better than passwords.


Posted by: Nathan Williams | Link to this comment | 01-21-15 8:36 AM
5

I once used '1234' as my PIN on a library card. Somebody used my card to reserve books, I think accidentally.


Posted by: Moby Hick | Link to this comment | 01-21-15 8:39 AM
6

4: is right - at least until I have a stroke and can't remember my lastpass password


Posted by: Nworb Werdna | Link to this comment | 01-21-15 8:41 AM
7

This website is infuriating. I can't figure out my username, even after resetting my password - the thing I have written down isn't working, none of the obvious choices work - and there is no way to find out your username, as far as I can tell. You can reset your password, but not your username, and it's not something unchangeable like your email address.


Posted by: heebie-geebie | Link to this comment | 01-21-15 8:42 AM
8

5 - Did you change the locks on your luggage?


Posted by: snarkout | Link to this comment | 01-21-15 8:42 AM
9

Except for the specific list of special characters,

This being the point of the OP.


Posted by: heebie-geebie | Link to this comment | 01-21-15 8:43 AM
10

Can just anybody join the Math Association of America or do you have to pass a test?


Posted by: peep | Link to this comment | 01-21-15 8:44 AM
11

8: Not that I don't appreciate the reference, but I really don't see the point of luggage locks.


Posted by: Moby Hick | Link to this comment | 01-21-15 8:45 AM
12

10: I think there is a test, and I'm failing it.


Posted by: heebie-geebie | Link to this comment | 01-21-15 8:47 AM
13

Those are the rules for my work password. And it changes every ninety days. I have a different password to interact with my timesheets, with different rules. Different agencies I deal with have their own password protected systems with different rules.

I have completely given up on good password hygiene. I just do the minimally acceptable version of something I can remember, and change it as minimally as possible from site to site and version to version.


Posted by: LizardBreath | Link to this comment | 01-21-15 8:52 AM
14

So your password is Yo!LandiVi$$er.


Posted by: chris y | Link to this comment | 01-21-15 8:53 AM
15

Profanity followed by an exclamation point makes for a pretty easily remembered password. The requirement to include a number spoils it a bit, though.


Posted by: AcademicLurker | Link to this comment | 01-21-15 8:54 AM
16

Personal passwords that I need to be able to access from different places all get emailed to myself, then labeled with the label "passwords" and put in a folder. I just pull up that folder in gmail anytime I need to access any of them.

Work passwords like those described in 13 are all written on sticky notes in my desk drawer.


Posted by: urple | Link to this comment | 01-21-15 8:55 AM
17

Profanity followed by an exclamation point makes for a pretty easily remembered password. The requirement to include a number spoils it a bit, though.

Also profanity doesn't usually have enough characters.


Posted by: urple | Link to this comment | 01-21-15 8:57 AM
18

You can add "mother" to the front of most profanity to get more characters.


Posted by: Moby Hick | Link to this comment | 01-21-15 8:58 AM
19

If somebody gives me $169, I can join the MAA.


Posted by: Moby Hick | Link to this comment | 01-21-15 9:00 AM
20

I thought the list of profanities to which "mother" could usefully be added to the front was fairly short.


Posted by: urple | Link to this comment | 01-21-15 9:00 AM
21

The requirement to include a number spoils it a bit, though.

2girls1cupOh@#$%!


Posted by: | Link to this comment | 01-21-15 9:00 AM
22

I forgot about electronic filing passwords for the SDNY, the EDNY, and New York State. Also for the NYS court website that lets you sign up for scheduling reminders and docket updates for cases you're working on, even if they're not efiling cases (which most of mine aren't, because they're a particular type of special proceeding that is exempt from the efiling regulations. I'm probably one of the last lawyers in America interacting with bluebacks.) That website is completely unconnected to the efiling website.

Of course, if you want to know what's in the court file in a case that isn't efiled, there are websites with the paper filings scanned in and uploaded. But of course those are individually set up by county. New York County's is erratic -- some stuff gets uploaded, but you can't count on it. Queens, Kings (Brooklyn), and Richmond (Staten Island) didn't have anything last time I looked. And the Bronx, oddly, is great, and has been for a long time. But you have to know that it's the Bronx County Clerk's website, not anything that's part of the court system's website.

I would like vocational training as a plumber, please.


Posted by: LizardBreath | Link to this comment | 01-21-15 9:02 AM
23

Just make a random one and email it to yourself. If someone breaks into your email the last of your worries will be your MAA password.


Posted by: Unfoggetarian: "Pause endlessly, then go in." (9) | Link to this comment | 01-21-15 9:03 AM
24

Why don't they just let you pick something from this list? I mean, these must be the most effective ones, right? Otherwise why would they be so popular?

Also if they let you use spaces it's easier to incorporate special characters, numbers and so on if you just use a sentence. ("Wait, so Bill ate 23 pies yesterday?") Also if someone is watching you type in your password you end up looking like some bizarre paranoid.


Posted by: MHPH | Link to this comment | 01-21-15 9:08 AM
25

Also profanity doesn't usually have enough characters.

Ah, but Russian profanity does. You may now proceed to break into my work email. Enjoy!


Posted by: Mister Smearcase | Link to this comment | 01-21-15 9:09 AM
26

Oh, and the PACER password. Which is the same system as federal e-filing, but you need a different account and password if you just want to look things up, rather than filing them.


Posted by: LizardBreath | Link to this comment | 01-21-15 9:09 AM
27

24: I do that sometimes, just typing the sentences without spaces.


Posted by: LizardBreath | Link to this comment | 01-21-15 9:10 AM
28

But I stopped because a surprising number of systems have a fairly low upper limit on password length.


Posted by: LizardBreath | Link to this comment | 01-21-15 9:11 AM
29

LastPass/KeePass/1Password are really the way to fly

Seriously, people, get on board with one of these. It makes life so f'ing much easier.


Posted by: Sir Kraab | Link to this comment | 01-21-15 9:11 AM
30

Ugh, SO BAD. It is absolutely infuriating when the people enforcing password rules don't have the foggiest notion what actually makes a strong password.


Posted by: redfoxtailshrub | Link to this comment | 01-21-15 9:11 AM
31

26 is no longer true, or, at least, is in the process of changing -- one less id and password!


Posted by: peep | Link to this comment | 01-21-15 9:14 AM
32

SDNY remembers your PACER password for you, so you can look things up from inside your SDNY efiling account -- is that all the districts? I haven't had anything going on in the EDNY for the last year or two.


Posted by: LizardBreath | Link to this comment | 01-21-15 9:16 AM
33

29: what is the advantage of these products over the system described in 16.1?


Posted by: urple | Link to this comment | 01-21-15 9:17 AM
34

In case nefarious evildoers rifle your desk.


Posted by: LizardBreath | Link to this comment | 01-21-15 9:19 AM
35

My office door is lacking a lock.


Posted by: Moby Hick | Link to this comment | 01-21-15 9:19 AM
36

4 is absolutely right. A password keeper is basically essential these days. Do yourself a favor.


Posted by: ogged | Link to this comment | 01-21-15 9:20 AM
37

If 34 was in response to 33, note that you seem to be comparing against the system described in 16.2, not 16.1.


Posted by: urple | Link to this comment | 01-21-15 9:21 AM
38

Does a password keeper actually save you from having to retype all the passwords or just store them for you?


Posted by: Moby Hick | Link to this comment | 01-21-15 9:21 AM
39

Urple's system is exactly what I do.

School requires we change our password every six months. I use my age, or age.5, on the end, which helps me remember my age.


Posted by: heebie-geebie | Link to this comment | 01-21-15 9:22 AM
40

I use urple's system also, except that I don't have a special folder for them in my email. And I don't list the actual password. I leave cryptic clues that would be incomprehensible to anybody who hacked my email and, after about three months, myself.


Posted by: Moby Hick | Link to this comment | 01-21-15 9:24 AM
41

I have fears around these password keepers! That it won't work for all my systems (phone, ipad, home computer, work computer), that there will be updates that I have to download regularly, that if my browser or phone gets old or out-of-date, the latest update won't work for some reason, and that if you ever need to get out of the system, it will be a massive headache.


Posted by: heebie-geebie | Link to this comment | 01-21-15 9:24 AM
42

Does a password keeper actually save you from having to retype all the passwords

Yes. I use LastPass and for about 70-80% of sites, it fills in the info and logs me in automatically. Bank sites that have logins across multiple pages often require me to right click and choose the info to enter in a box, but I never have to type anything.


Posted by: ogged | Link to this comment | 01-21-15 9:25 AM
43

38: There are browser plug-ins that type them in for you. Sometimes totally automatically, sometimes you have to right-click and select the "Put this site's password here" button. Depends how annoying the site is.


Posted by: Nathan Williams | Link to this comment | 01-21-15 9:25 AM
44

40: I admit I do sometimes googleproof the passwords, although I'm not sure exactly why.


Posted by: urple | Link to this comment | 01-21-15 9:25 AM
45

What amuses me is that the answers to so many of the security questions that are used to protect passwords can now be gleaned from social media profiles. What's my mother's maiden name? Gosh, I'm linked directly to her in the Facebook. What high school did I graduate from? Well, if it's not listed directly in my profile, it's probably the same high school as all the friends in my network who happen to be the same age as me and from the same city. The name of my first pet? Heck, you could probably find a name and a picture.


Posted by: Spike | Link to this comment | 01-21-15 9:26 AM
46

That's intriguing, but I'm still going to stick with urple's system. It's robust and if everybody gets on a password keeper, that will probably just escalate the number of passwords I need to keep.


Posted by: Moby Hick | Link to this comment | 01-21-15 9:26 AM
47

30 Ugh, SO BAD. It is absolutely infuriating when the people enforcing password rules don't have the foggiest notion what actually makes a strong password.

And now most of them have implemented some little color-coded widget that goes from red to yellow to green as the password you're making up becomes "stronger". Drives me nuts.


Posted by: essear | Link to this comment | 01-21-15 9:27 AM
48

until I have a stroke and can't remember my lastpass password

My recent experience with a stroke-having relative convinced me that we're all eventually doomed, password-wise. I was logging into his accounts to ensure everything's up-to-date, when I hit a challenge question. So off I went, driving to the hospital, wondering, "Yesterday, Grandpa didn't know what hospital he was in, or that Christmas had already happened, or that the Bears are not playing today. What are the odds he remembers his high school mascot?"


Posted by: Stanley | Link to this comment | 01-21-15 9:30 AM
49

The concerns in 41 are basically non-issues. Fundamentally, the password keeper is just a database in the cloud, so you can always access it (this is true for LastPass, and I assume the others) in a regular browser. And they make plug-ins and apps for all the major platforms. And they allow export/import of your info, so it's pretty easy to switch between services.


Posted by: ogged | Link to this comment | 01-21-15 9:30 AM
50

except that I don't have a special folder for them in my email

I didn't used to have a special folder--I would just search for them--but a few started turning up pages and pages of search results in my email, with my password email buried in there somewhere, and it became a pain. The dedicated folder makes it a breeze. Also for some bizarrely paranoid reason my dedicated password folder isn't actually labeled 'passwords', it's labeled... something else, but I know what it means.


Posted by: urple | Link to this comment | 01-21-15 9:31 AM
51

41 is not a crazy set of fears but they're mostly addressed. I'm just going to talk about LastPass, since it's the one I (and apparently ogged) use and know. The browser plugins update automatically and sync with each other, so home/work is done; I think the iOS versions are a little bit more of a pain, but still synchronized, just more touches/clicks to fill things in. If you need to get out of the system there's an "export to a text file" option.

On preview: ogged, get out of my brain.


Posted by: Nathan Williams | Link to this comment | 01-21-15 9:31 AM
52

48.last: Pretty good, actually. Obviously it varies, but generally the older memories go last.


Posted by: Moby Hick | Link to this comment | 01-21-15 9:32 AM
53

the password keeper is just a database in the cloud

Like gmail! Only an even juicier potential target for nefarious hackers.


Posted by: urple | Link to this comment | 01-21-15 9:33 AM
54

Fundamentally, the password keeper is just a database in the cloud, so you can always access it (this is true for LastPass, and I assume the others) in a regular browser.

This just sounds like how IT people smooth your fears that end up coming true, exactly as you figured.


Posted by: heebie-geebie | Link to this comment | 01-21-15 9:33 AM
55

I'm a brand ambassador for LastPass.


Posted by: ogged | Link to this comment | 01-21-15 9:33 AM
56

My important-stuff password now takes two words at a time from a book, combined with a number related to those words. So it's relatively easy to update and, if need be, retrace the previous ones.


Posted by: Minivet | Link to this comment | 01-21-15 9:34 AM
57

How would LastPass know that MAA requires a reduced range of special characters?


Posted by: heebie-geebie | Link to this comment | 01-21-15 9:34 AM
58

Does no one have an answer to 33? (Other than I guess you don't have to actually type the passwords.)


Posted by: urple | Link to this comment | 01-21-15 9:35 AM
59

My password keeper (Pastor) just uses an encrypted file on my hard drive (which I can then put in the cloud via Dropbox or whatever if I like).


Posted by: redfoxtailshrub | Link to this comment | 01-21-15 9:36 AM
60

58: No. You won.


Posted by: Moby Hick | Link to this comment | 01-21-15 9:37 AM
61

58: less hackable, I assume? They change your password super frequently or something on your behalf?


Posted by: heebie-geebie | Link to this comment | 01-21-15 9:37 AM
62

Like gmail! Only an even juicier potential target for nefarious hackers.

The important difference here is ENCRYPTION.


Posted by: redfoxtailshrub | Link to this comment | 01-21-15 9:37 AM
63

62 also to 61.


Posted by: redfoxtailshrub | Link to this comment | 01-21-15 9:38 AM
64

How would LastPass know that MAA requires a reduced range of special characters?

It wouldn't. Sorry. The only person I pressured into adopting a password keeper was my wife, after the billionth time that she said "what's the password for...." Y'all can do what you like.


Posted by: ogged | Link to this comment | 01-21-15 9:39 AM
65

57: I don't know about LastPass, but KeePass lets you tweak the constraints on how it generates a password (length, required/excluded characters, etc.). Also, if 54 means you don't trust LastPass's cloud, with KeePass you have control over your password database (which for most people means keeping it in dropbox or whatever to sync between devices).


Posted by: potchkeh | Link to this comment | 01-21-15 9:39 AM
66

The only person I pressured into adopting a password keeper was my wife, after the billionth time that she said "what's the password for....

This is exactly how I adopt any new technology - Jammies gets sick of me complaining, buys me or sets up for me the thing I'm intimidated by, and then I realize I love it and him and feel very happy.


Posted by: heebie-geebie | Link to this comment | 01-21-15 9:42 AM
67

62: I use the double-plus whatever thing for gmail security.


Posted by: Moby Hick | Link to this comment | 01-21-15 9:42 AM
68

The idea is you have a single, lengthy master password -- "Jammies' tattoo says DICK and it is rad", or whatever -- and you enter that to unlock your password file. OnePass etc. then do magic to autofill passwords based on the values stored in the password file when you're using your browser, or you can look them up and enter them manually. The individual passwords generated are unmemorable random keystrokes, so like line noise or your cat on the keys or the Perl I wrote in 2002, but you don't ever have to pay any attention to those. And they're different for every site and essentially unguessable.

If hackers get hold of the OnePass files, we're in bigger trouble than we thought if they can decrypt properly-implemented Blowfish (or whatever) using strong passwords.


Posted by: snarkout | Link to this comment | 01-21-15 9:42 AM
69

58: The combination of not typing and automatic generation and saving of passwords is a lot smoother than having to switch over to email and look something up. It's worth trying.

For non-UI advantages, the generated passwords are random (thus very hard to guess) and there are checkboxes in the password-generating window for which character types to include - uppercase, lowercase, digits, "special". For the paranoid, the storage is more secure than webmail, since the cloud service doesn't actually know the passwords, it just has an encrypted blob that is handed back to your browser and locally decrypted with your "one" or "master" password.

With the special selection of special characters that the MAA uses, you might have to click the button to generate a new password a few times until it gets one that doesn't have the forbidden character.


Posted by: Nathan Williams | Link to this comment | 01-21-15 9:42 AM
70

57: LastPass's generator lets you tell it what the restrictions are. You could also just manually add an '@'.

The only thing unusual about the restrictions in the OP is the very limited set of "special characters." My guess is the web developer wanted a simple, short regular expression.

Years ago, when I first started using a password manager, I would generate long passwords with lots of "special" characters and turn up fun bugs where the password setting code didn't agree with the password checking code about what was valid (or something got escaped somewhere along the way) and so I got locked out of my account with a valid password. I'm not sure why sites don't just accept arbitrary Unicode strings.


Posted by: Yawnoc | Link to this comment | 01-21-15 9:43 AM
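
The approach described in 69 and 70, as an added example that is not part of the thread or any password manager's code: a single policy object drives both random generation (retrying until the site's rules are met) and validation, so the "setting" and "checking" sides cannot disagree about which characters are valid. The special-character set `!@#$` and the length limits are assumed placeholders, since the thread does not list the site's actual rules.

```python
import math
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """One definition of a site's password rules, used to generate AND to check."""
    min_length: int
    max_length: int
    specials: str  # the only special characters the site accepts

    @property
    def classes(self):
        return {
            "lowercase": string.ascii_lowercase,
            "uppercase": string.ascii_uppercase,
            "digit": string.digits,
            "special": self.specials,
        }

    @property
    def alphabet(self):
        return "".join(self.classes.values())

    def violations(self, password):
        """Return the rules the password breaks; an empty list means valid."""
        problems = []
        alphabet = self.alphabet
        if not self.min_length <= len(password) <= self.max_length:
            problems.append("length")
        if any(ch not in alphabet for ch in password):
            problems.append("forbidden character")
        for name, chars in self.classes.items():
            if not any(ch in chars for ch in password):
                problems.append("missing " + name)
        return problems


def generate(policy, length):
    """Draw uniformly from the allowed alphabet with a CSPRNG and retry until
    every rule holds (the automated form of re-clicking the generate button)."""
    if not policy.specials:
        raise ValueError("policy has no allowed special characters")
    if length < len(policy.classes):
        raise ValueError("length too short to include every required class")
    if not policy.min_length <= length <= policy.max_length:
        raise ValueError("length outside the policy's limits")
    alphabet = policy.alphabet
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy.violations(candidate):
            return candidate


def search_space_bits(policy, length):
    """Upper bound on the size of the search space in bits; it ignores the
    small reduction caused by requiring one character from each class."""
    return length * math.log2(len(policy.alphabet))


# Constructed sample policies (assumptions, not the real site's rules).
SAMPLE_POLICY = Policy(min_length=8, max_length=20, specials="!@#$")
FULL_POLICY = Policy(min_length=8, max_length=20, specials=string.punctuation)

if __name__ == "__main__":
    pw = generate(SAMPLE_POLICY, 16)
    print("generated:", pw, "violations:", SAMPLE_POLICY.violations(pw))
    # A password that a looser setter would accept but this checker rejects.
    print("Passw0rd%x ->", SAMPLE_POLICY.violations("Passw0rd%x"))
    for name, pol in (("restricted", SAMPLE_POLICY), ("full", FULL_POLICY)):
        print(name, "16 chars:", round(search_space_bits(pol, 16), 1), "bits")
```
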
71

The idea is you have a single, lengthy master password...

That's what I do now when I can. It's more of a rotating list because of requirements to change it so often.


Posted by: Moby Hick | Link to this comment | 01-21-15 9:46 AM
72

62: I use the double-plus whatever thing for gmail security.

Yes, but your emails aren't encrypted on the Gmail servers. Google has access to them as plaintext, and that means that there are multiple routes from which a bad actor can get at them and read them.


Posted by: redfoxtailshrub | Link to this comment | 01-21-15 9:46 AM
73

If hackers get hold of the OnePass files, we're in bigger trouble than we thought if they can decrypt properly-implemented Blowfish (or whatever) using strong passwords.

Who's to say it's all properly implemented? I mean, the mathematical strength of the encryption is one thing, but whether your particular password-safe is actually doing everything properly so that there isn't any way to get to the passwords in clear text is, if you're not the right kind of nerd, down to "Trust us." Which is fine, but not clearly to me better security than bits of paper in my desk.


Posted by: LizardBreath | Link to this comment | 01-21-15 9:47 AM
74

72: They aren't really plain text. They're clues to myself, sort of like the security questions but harder. Obviously, if there is an internal problem at Google, I'm screwed. But that's so true for so many reasons, I don't think the passwords in the gmail even registers.


Posted by: Moby Hick | Link to this comment | 01-21-15 9:49 AM
75

It's not like I keep my bank account password on gmail or anything. I keep that on a sticky note in my desk drawer.


Posted by: Moby Hick | Link to this comment | 01-21-15 9:50 AM
76

Last summer, the lawyer I was working for was in court in the middle of a hearing, when he realized he needed something from back at the office. He jotted down his password on a sticky note and explained what he needed, and I ran over to get it, noticing along the way that the password was something like "PieIsAmazing81." Later on that day when we left court, he turned to me and thanked me for getting the thing and then deadpanned, "I want you to know: I really do think pie is amazing."


Posted by: Stanley | Link to this comment | 01-21-15 9:51 AM
77

74: Well, then, sure!


Posted by: redfoxtailshrub | Link to this comment | 01-21-15 9:51 AM
78

73 has it. There's been far too many exploits based on minor implementation failures (e.g., "goto fail") to rely heavily on algorithmic security.


Posted by: Yawnoc | Link to this comment | 01-21-15 9:51 AM
79

This just sounds like how IT people smooth your fears that end up coming true, exactly as you figured.

My fears don't need smoothing.


Posted by: TJ | Link to this comment | 01-21-15 9:53 AM
80

I'm not sure which if any of these tools have been code audited; you could implement a similar process using off-the-shelf tools like openssl and a text file if you were willing to give up the nice UI.


Posted by: | Link to this comment | 01-21-15 9:54 AM
81

I'm just reluctant to start one more account.


Posted by: Moby Hick | Link to this comment | 01-21-15 9:54 AM
82

73 is true but I think not convincing. Really, the usability advantage here is huge, and the security gains from not using the same or same few passwords all over the place, and using genuinely difficult-to-guess passwords (because they're randomly generated), likely outweigh the risk that it's implemented wrong - and the right kind of nerds seem to agree (KeePass at least is actually open source, so they can check for sure, and that's an advantage it has). There is a certain amount of "trust us" with LastPass/1Password, though as far as anyone can tell they do exactly what they claim to do.


Posted by: Nathan Williams | Link to this comment | 01-21-15 9:54 AM
83

I take some comfort in the fact that people and businesses get hacked all the time, and so my credit card and bank have a lot of experience dealing with the crisis, also.


Posted by: heebie-geebie | Link to this comment | 01-21-15 9:55 AM
84

Topical tweet in my feed today (@kerihw):

Your password must contain an upper case character, an antagonist character and a moment where the main character saves a cat.


Posted by: JP Stormcrow | Link to this comment | 01-21-15 9:56 AM
85

73: keepass and I think some of the others are open source, so rather than trusting a particular company, you're trusting collective scrutiny. Obviously not foolproof but better than just trusting a black box if that's what you're worried about.


Posted by: potchkeh | Link to this comment | 01-21-15 9:56 AM
86

64 is slightly wrong; ogged pressured me into lastpass, or at least recommended it. I like it a lot. I am not his wife.

LSAC, the centralized law school admissions thing, requires special characters and capital letters and all sorts of stuff for a password I use exactly once a year to upload rec letters. my success in remembering this is exactly what you'd expect.


Posted by: FL | Link to this comment | 01-21-15 9:56 AM
87

you're trusting collective scrutiny

Bleeds my heart with a monotonous languor.


Posted by: JP Stormcrow | Link to this comment | 01-21-15 10:00 AM
88

78 was not meant to condemn password managers. I use LastPass myself. Just don't assume it's secure because it uses Blowfish. (To show I'm not attacking a strawman, 80 ignores that there have been at least two major OpenSSL exploits in the past year.)


Posted by: Yawnoc | Link to this comment | 01-21-15 10:00 AM
89

Stolen from Twitter and slightly edited for my status updates: "Your password must contain an uppercase letter, a number, a punctuation mark, a Hangul syllabic block, a gang sign, an extinct mammal, and a hieroglyph."


Posted by: Minivet | Link to this comment | 01-21-15 10:00 AM
90

ogged pressured me into lastpass, or at least recommended it

At Vasser you could say I raped you into it.


Posted by: ogged | Link to this comment | 01-21-15 10:02 AM
91

there have been at least two major OpenSSL exploits in the past year

This reminds me of another nice thing about LastPass: when these happened, it ran an audit of my passwords and told me which sites had been hacked and needed new passwords.


Posted by: ogged | Link to this comment | 01-21-15 10:04 AM
92

87: But yes, all in all one of the systems will be more secure.

... until the day it isn't; but you will at least have a lot of company and your stuff will most likely be relatively boring and not as lucrative compared to some others in the mix.

Reminds me of my take leading up to Y2k where I had some responsibilities for some systems. I was relatively OK with either:
1) My stuff and everyone else's worked.
2) Everything failed and we were burning our furniture and eating each other to stay alive,
but not,
3) Everybody else's stuff worked and mine failed.


Posted by: JP Stormcrow | Link to this comment | 01-21-15 10:05 AM
93

90: At Vasser you could say I raped you into it.

And you could learn how to spell "Vassar" as a bonus.


Posted by: JP Stormcrow | Link to this comment | 01-21-15 10:08 AM
94

He meant Vasser. At Vassar, they would never trivialize rape like that.


Posted by: Walt Someguy | Link to this comment | 01-21-15 10:09 AM
95

"Your password must be a haiku."


Posted by: AcademicLurker | Link to this comment | 01-21-15 10:10 AM
96

One thing that almost has me convinced about these password keepers is that you all have been beating the same drum - with the exact same specific keepers - for over five years. I was worried then that specific ones would be faddish and I'd be expected to switch to some new, better password keeper, every few years, while the old one would become unsupported and outdated.


Posted by: heebie-geebie | Link to this comment | 01-21-15 10:11 AM
97

And you could learn how to spell "Vassar" as a bonus.

I did learn to spell Albuquerque, so you're probably right.


Posted by: ogged | Link to this comment | 01-21-15 10:12 AM
98

Would it be a pain if Jammies and I are sometimes logged into some things as ourselves and sometimes as each other? I'm thinking of things like Amazon - we both have accounts but his is prime, but mine sends kindle books to my ipad, etc.


Posted by: heebie-geebie | Link to this comment | 01-21-15 10:15 AM
99

The main password on my Mac was "buttmunch" for a long time (easy to remember!). Then I had to have it fixed and there was an awkward moment when the guy asked me for my password. I recommend against using profanity for your passwords is what I'm saying.

I use lastpass for most things, using a complicated base password and an addition based on the site name, so I can usually guess it if lastpass isn't available for some reason. For really important passwords I write them down on a piece of paper and keep it carefully concealed among other pieces of paper. To get to those passwords someone would need physical access to my apartment and time to rifle all my many piles of paper. Or a keylogger, I guess.


Posted by: togolosh | Link to this comment | 01-21-15 10:15 AM
100

I use lastpass for most things, using a complicated base password and an addition based on the site name, so I can usually guess it if lastpass isn't available for some reason.

Doesn't this practice negate the main benefit of lastpass?


Posted by: | Link to this comment | 01-21-15 10:18 AM
101

98: on a shared computer, you mean? You have options: (1) LastPass can cope with having multiple logins for a particular site, you just have to use the right-click menu to tell it which one to use. (2) If you want to keep it for just you, you could sign out of LastPass in the browser. (3) If you want convenience, you could set up separate browser "profiles" (like another copy of the browser, but with different sets of preferences, plugins, history, etc.) and just have LastPass in yours.

(Also, if he has Prime, you should be able to have Prime as well.... have we talked about this before?)


Posted by: Nathan Williams | Link to this comment | 01-21-15 10:23 AM
102

LastPass can cope with having multiple logins for a particular site, you just have to use the right-click menu to tell it which one to use.

Yeah, this works very well. Switching between my home and work gmail accounts, for instance, is fairly effortless.


Posted by: Sir Kraab | Link to this comment | 01-21-15 10:34 AM
horizontal rule
103

I'm admitted to a whole lot of courts, and so I have ECF passwords up the yin yang. (Maybe I should end them with that symbol?) I spend no time thinking someone is going to hack in and file something as me in the NDNY, CDIll, WDTex, whatever.

My foot hurt pretty bad yesterday, so I was mostly binge-watching Archer and counting down to the next painkillers. I did have a couple of calls with judges, though, and I don't think it was my heightened state that led opposing counsel to engage in some of the most embarrassing dialog with a judge I've ever heard. In the first one, we're all willing to stipulate to a particular fact, but the judge says the other people need to present sufficient evidence to support the thing. He's told them this repeatedly, orally and in writing, and they keep not doing it. The purpose of the call was to tell them one more time, and Jesus what whining: this was middle schoolers not wanting to do the homework.

Then the next call was with a federal judge -- plaintiff's atty gave a light chuckle when the judge told him he had to amend to properly allege diversity (I mean, come on, everyone knows it's not "residence") but then later when she pointed out that he'd left out a required section from one of his filings, he went on a rampage of whining, how many different rules he has to know, how often the rules are changing, how hard it is to keep up. The judge was all 'I don't understand why you don't just take a look at the rules before you file something' but the lawyer -- 30+ years in, Ivy League degree -- just thought this was totally unreasonable.

I had my paralegal on the calls -- which I never do -- because she'd take coherent notes. I think a good bit of the mystery got stripped away.


Posted by: CharleyCarp | Link to this comment | 01-21-15 10:36 AM
horizontal rule
104

Isn't knowing the actual rule pretty much the sole value-added component of a lawyer?


Posted by: Moby Hick | Link to this comment | 01-21-15 10:41 AM
horizontal rule
105

LastPass also allows sharing passwords between accounts (might be a premium feature). My wife and I have a folder of shared passwords for Netflix, banks, etc.


Posted by: Yawnoc | Link to this comment | 01-21-15 10:42 AM
horizontal rule
106

urple, I used to use a variation on 16.1. A password keeper is better (for me) because it's just simpler. I don't have to open my e-mail or search it or remember to e-mail myself or write a new sticky note if I change the password, don't have to worry about one of the sticky notes falling behind the desk in the gap that's too narrow to reach but you try anyway and your arm gets stuck and it's the weekend so no one's around and you're forced to consider whether you can cut your own arm off with a staple remover.


Posted by: Sir Kraab | Link to this comment | 01-21-15 10:44 AM
horizontal rule
107

Now why isn't there an app for that.


Posted by: Moby Hick | Link to this comment | 01-21-15 10:46 AM
horizontal rule
108

It wouldn't have to amputate for you. Just work out the odds of amputation or not.


Posted by: Moby Hick | Link to this comment | 01-21-15 10:47 AM
horizontal rule
109

Like "This to That," but "Cut This with That." Brilliant.


Posted by: Sir Kraab | Link to this comment | 01-21-15 10:48 AM
horizontal rule
110

||

Late last month, before I went on vacation, I remember dropping my rent check for January in the lobby box.

Around the 6th or 7th of this month, I get a call from my landlord, saying he doesn't have my rent. I think maybe I'm just remembering my plans to drop the check off early, but not actually doing it, and so I make out a new one.

I just now got another call from the landlord. Again, he says he doesn't have the check. This time I'm absolutely sure I've given it, so I'm baffled. None of the checks have been drawn; it would have shown up in my bank account by now if they had. The rent box is one of the mailboxes, which I know the mail carrier can open, but I don't know if it has its own separate lock as well. The payee is a property company, not an individual, so I imagine it would be hard for a thief to cash the check.

I don't really suspect the landlord of bad faith; he's pretty outstanding overall, has not made a fuss the couple of times in the last few years I forgot about the rent, and when I ask him for maintenance it gets done both well and scary-fast. On the other hand, by now my rent is significantly below market, so he would gain if I left.

Any perspective WTF is going on? (Other than that my not recording the checks I write is coming back to bite me.)

|>


Posted by: Minivet | Link to this comment | 01-21-15 10:53 AM
horizontal rule
111

104 -- One of my primary mentors would always say: 'As Wittgenstein said, don't think, look it up.' Or, when a little more bothered by one of those all user emails posing a legal question, 'crack a fucking book.'

We're all supposed to know the rules, at least roughly, but they do change, so one really should check before filing something.

The guy had one additional rule faux pas -- I'd raised a personal jurisdiction defense for one of my 2 corporate defendants in the answer. Opponent says, Ha! not a motion, that's a waiver. The judge didn't actually say crack a fucking book but did point him to the rule.


Posted by: CharleyCarp | Link to this comment | 01-21-15 10:55 AM
horizontal rule
112

100: Lastpass will generate really strong passwords for you but if it isn't available you're hosed. I use the system I describe above so that I have a limited number of guesses before finding the right password. Lastpass eliminates the guessing and takes care of all the login BS for you, which is why I use it.


Posted by: togolosh | Link to this comment | 01-21-15 11:12 AM
horizontal rule
113

If somebody had a password app that generated passwords based on Law & Order character names plus body parts, "ButtMunch" would probably be a common password.


Posted by: Moby Hick | Link to this comment | 01-21-15 11:15 AM
horizontal rule
114

(Also, if he has Prime, you should be able to have Prime as well.... have we talked about this before?)

Wait, what?


Posted by: heebie-geebie | Link to this comment | 01-21-15 11:30 AM
horizontal rule
115

Yes, Prime goes by household. Share Your Amazon Prime Benefits


Posted by: redfoxtailshrub | Link to this comment | 01-21-15 11:32 AM
horizontal rule
116

The shipping part, anyhow.


Posted by: redfoxtailshrub | Link to this comment | 01-21-15 11:33 AM
horizontal rule
117

You can get all the Hermione/Snape fiction you want.


Posted by: Moby Hick | Link to this comment | 01-21-15 11:34 AM
horizontal rule
118

I started reading this thread with trepidation, fearing that someone would explain why it wasn't safe to use Last Pass, knowing that I'd still use it anyway because of convenience.

Heebie, you've got to get it. It's not just the password management; it's also the form fills. Next time you find yourself facing a screen full of fiddly little blanks, know that you could, if only you had Last Pass, hit a little button and already be done.


Posted by: Mme. Merle | Link to this comment | 01-21-15 11:44 AM
horizontal rule
119

When I started my current employment in 1991, I was told to make up a password to access the word processing capability. I thought a password was really stupid, since you needed to be at my desk to use it, and the only stuff on the computer system was word processing, so I just used my wife's first name.

That's still my password for my work computer, which at this point travels home with me every night and sometimes is in checked baggage, has my credit card information, many documents with my social security number, the file with all of the other passwords in it [some safety--that file does not have the word password in its name or its contents so wouldn't be all that easy to find] and lots of other stuff. I sometimes think about changing it, but I also think it would be cool to tell people at retirement that I've used the same password for my entire career.


Posted by: unimaginative | Link to this comment | 01-21-15 11:55 AM
horizontal rule
120

Mme. Merle!


Posted by: knecht ruprecht | Link to this comment | 01-21-15 12:05 PM
horizontal rule
121

I've had the same password at amazon.com since I created an account in 1998. It's also the password for my bank and lots of other things. (Basically, anything else that doesn't have bizarre requirements that force me to create some other password.) It's not my wife's last name, though--that would be too easy. It's her last name backwards, with a special character thrown in at the end for good measure.


Posted by: urple | Link to this comment | 01-21-15 12:05 PM
horizontal rule
122

119: I can't do it from here, but would you like me to edit that when I get home? It seems indiscreet.


Posted by: LizardBreath | Link to this comment | 01-21-15 12:06 PM
horizontal rule
123

Not compared to 121, it doesn't.


Posted by: Moby Hick | Link to this comment | 01-21-15 12:07 PM
horizontal rule
124

Let's all reveal our salary and our passwords.


Posted by: gswift | Link to this comment | 01-21-15 12:11 PM
horizontal rule
125

They're both 1234?


Posted by: Moby Hick | Link to this comment | 01-21-15 12:12 PM
horizontal rule
126

Don't forget your social security numbers!

Indiscretion is the new blasphemy!


Posted by: peep | Link to this comment | 01-21-15 12:12 PM
horizontal rule
127

123: Urple, I figure there's a 50/50 chance that he's on the one hand lying, or on the other hand protected by his private reality vortex. Unimaginative might have actually just slipped up.


Posted by: LizardBreath | Link to this comment | 01-21-15 12:14 PM
horizontal rule
128

Plus, women the same age all have the same name, more or less.


Posted by: Moby Hick | Link to this comment | 01-21-15 12:16 PM
horizontal rule
129

127 is sort of insulting. Why would I be lying? Does someone reading this blog want to steal my login passwords? (If they did, do they have my login id? And how many guesses would it take to actually get the correct password?)


Posted by: urple | Link to this comment | 01-21-15 12:17 PM
horizontal rule
130

Urple's information is further protected by a crossbow.


Posted by: JP Stormcrow | Link to this comment | 01-21-15 12:18 PM
horizontal rule
131

Their name is Jane.

But jesus, does everybody have Amazon Prime these days? I swear, that thing is going to kill us.


Posted by: parsimon | Link to this comment | 01-21-15 12:18 PM
horizontal rule
132

127 is sort of insulting.

Your reality vortex isn't private?


Posted by: LizardBreath | Link to this comment | 01-21-15 12:19 PM
horizontal rule
133

private reality vortex

I thought that only the Flash could twirl around in circles fast enough to create one of those.


Posted by: peep | Link to this comment | 01-21-15 12:20 PM
horizontal rule
134

It was more the 50/50 chance I'm lying. What have I ever lied to you about?


Posted by: urple | Link to this comment | 01-21-15 12:21 PM
horizontal rule
135

How would I know?


Posted by: LizardBreath | Link to this comment | 01-21-15 12:22 PM
horizontal rule
136

122: Nah, the whole point is to live recklessly. And since I don't do drugs, alcohol, guns, motorcycles, or extramarital sex . . .


Posted by: unimaginative | Link to this comment | 01-21-15 12:23 PM
horizontal rule
137

You could try to hack his Amazon account to see.


Posted by: Moby Hick | Link to this comment | 01-21-15 12:23 PM
horizontal rule
138

135: well ok then why would I likely be lying while unimaginative "might have actually just slipped up"?


Posted by: urple | Link to this comment | 01-21-15 12:25 PM
horizontal rule
139

You look shifty from here.


Posted by: LizardBreath | Link to this comment | 01-21-15 12:25 PM
horizontal rule
140

It takes imagination to tell a lie.


Posted by: Moby Hick | Link to this comment | 01-21-15 12:27 PM
horizontal rule
141

Unimaginative's pseud, on the other hand, reeks of stolidity. Him, I'd trust implicitly.

(There's a business opportunity out there for anyone willing to comment as Forthright McReliable for the sole purpose of selling me swampland in Florida.)


Posted by: LizardBreath | Link to this comment | 01-21-15 12:31 PM
horizontal rule
142

Well now I'm angry enough that I've gone and changed my fucking bank password. You fucking ingrates.


Posted by: urple | Link to this comment | 01-21-15 12:33 PM
horizontal rule
143

Chicken. Unimaginative is living dangerously.


Posted by: LizardBreath | Link to this comment | 01-21-15 12:35 PM
horizontal rule
144

My amazon account is still yours for the taking. My credit card isn't stored on there, so I'm not sure what damage you could do, other than adding some shit I don't want to my wishlist. (Hrmph.)


Posted by: urple | Link to this comment | 01-21-15 12:36 PM
horizontal rule
145

We could download free books to your Kindle?


Posted by: LizardBreath | Link to this comment | 01-21-15 12:37 PM
horizontal rule
146

143: I may not have clearly conveyed that I'm legitimately not-joking irritated about this.


Posted by: urple | Link to this comment | 01-21-15 12:38 PM
horizontal rule
147

I don't have a fucking kindle.


Posted by: urple | Link to this comment | 01-21-15 12:39 PM
horizontal rule
148

I'm very sorry. I don't know about LB, who is much more heartless than I.


Posted by: Moby Hick | Link to this comment | 01-21-15 12:41 PM
horizontal rule
149

Typical new yorker.


Posted by: urple | Link to this comment | 01-21-15 12:43 PM
horizontal rule
150

By all accounts, New Jersey is worse.


Posted by: Moby Hick | Link to this comment | 01-21-15 12:45 PM
horizontal rule
151

While I am more heartless than Moby (as well as being infinitely less likely to interact with anything called 'cob'), I do apologize. Literally, I thought there was a good chance you were kidding around (which it was rude of me to have described as lying, but I have terrible manners) by following unimaginative's indiscretion with a matching, but even more specific mock-indiscretion. What made me think it was probably a joke was that it followed unimaginative's comment, rather than anything about your character.

(I do stand by my statement that you look shifty from here, though.)


Posted by: LizardBreath | Link to this comment | 01-21-15 12:46 PM
horizontal rule
152

149: WE TAKE THAT AS A STUDIED INSULT.


Posted by: OPINIONATED NEW YORKERS GENERALLY | Link to this comment | 01-21-15 12:47 PM
horizontal rule
153

My only worry with LastPass is that if someone has physical access or remote desktop control of my computer, they have everything.


Posted by: SP | Link to this comment | 01-21-15 12:50 PM
horizontal rule
154

I'm not sure how anything about 121 would have been funny, had it been a joke.


Posted by: urple | Link to this comment | 01-21-15 12:50 PM
horizontal rule
155

My sense of humor is arcane and idiosyncratic.


Posted by: LizardBreath | Link to this comment | 01-21-15 12:52 PM
horizontal rule
156

Wait, is 153 right? I presume that the long password I have to enter before using LastPass prevents other people from using it? (Ugh, this is exactly the kind of worry I had hoped to avoid).


Posted by: Mme. Merle | Link to this comment | 01-21-15 12:57 PM
horizontal rule
157

Wait, is 153 right? I presume that the long password I have to enter before using LastPass prevents other people from using it?

Yes, it's encrypted. Of course if you leave it OPEN and someone has access, then there it is.


Posted by: redfoxtailshrub | Link to this comment | 01-21-15 12:58 PM
horizontal rule
158

You can set up LastPass so that it remembers your password on your personal device, in which case 153 is totally justified. I think you have to click through a warning or two, though...


Posted by: Micah | Link to this comment | 01-21-15 1:01 PM
horizontal rule
159

When I started my current employment in 1991

I... what...

This is so completely outside my comprehension I can't even.


Posted by: Josh | Link to this comment | 01-21-15 1:03 PM
horizontal rule
160

155: FWIW I read 121 as a joke too.


Posted by: Josh | Link to this comment | 01-21-15 1:04 PM
horizontal rule
161

Don't you go claiming to share my arcane sense of humor. I said it was idiosyncratic. Not merely unusual, idiosyncratic.


Posted by: LizardBreath | Link to this comment | 01-21-15 1:06 PM
horizontal rule
162

161: as 160 should adequately demonstrate, I don't actually have a sense of humor.


Posted by: Josh | Link to this comment | 01-21-15 1:08 PM
horizontal rule
163

159: The recession in 1991 wasn't that bad.


Posted by: Moby Hick | Link to this comment | 01-21-15 1:09 PM
horizontal rule
164

I'm coming up on nine years at the same job. If I get to ten, I'm going to turn into a European because I'll be able to take off a whole month in the summer.


Posted by: Moby Hick | Link to this comment | 01-21-15 1:23 PM
horizontal rule
165

Jammies has been at the same job since 2000. He did narrowly avert getting fired just last week, though.


Posted by: heebie-geebie | Link to this comment | 01-21-15 1:33 PM
horizontal rule
166

Anybody could have spilled 50,000 gallons of oil.


Posted by: Moby Hick | Link to this comment | 01-21-15 1:36 PM
horizontal rule
167

...but spilling into a daycare takes finesse.


Posted by: heebie-geebie | Link to this comment | 01-21-15 1:41 PM
horizontal rule
168

heebs, is there an anonymous-enough version of the story at 165 you can tell us?


Posted by: Sir Kraab | Link to this comment | 01-21-15 1:56 PM
horizontal rule
169

Check her personal blog.


Posted by: LizardBreath | Link to this comment | 01-21-15 2:07 PM
horizontal rule
170

Short version: he was told to apply (immediately!) for a different job within the same company because his department was laying people off that very day. Now he works with race cars. And has to go out of town a lot more, which sucks for me.


Posted by: heebie-geebie | Link to this comment | 01-21-15 2:11 PM
horizontal rule
171

Ugh, heebs, that sucks.


Posted by: Sir Kraab | Link to this comment | 01-21-15 2:19 PM
horizontal rule
172

That does suck, but still, race cars.


Posted by: Moby Hick | Link to this comment | 01-21-15 2:21 PM
horizontal rule
173

Also, it is kind of nice that the people he worked with affirmatively pulled him out of the firing zone.


Posted by: LizardBreath | Link to this comment | 01-21-15 2:28 PM
horizontal rule
174

I have a password technique that eases the pain:

one master password, itself memorable, which I then modify by adding the first three characters from the name of the login site in question, in full caps, into specific, predetermined slots in the master password.

only problem is the very occasional site with a MAXIMUM password length. those can fuck right off....


Posted by: (dammit jim) I'm a lurker | Link to this comment | 01-21-15 2:40 PM
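
The scheme described in comment 174 (and the base-plus-site-name variant in comments 99 and 112), set beside a keyed per-site derivation, as an added example that is not any commenter's code. The master password, slot positions, function names and the PBKDF2/HMAC derivation are assumptions introduced here for comparison; none of them come from the thread.

```python
import hashlib
import hmac
import string

# Constructed sample values for illustration; not anyone's real secret.
MASTER = "correct-horse-battery"
SLOTS = (3, 9, 15)  # hypothetical "predetermined slots" in the master password
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits)


def manual_scheme(master, site, slots=SLOTS):
    """Comment 174's scheme: first three characters of the site name,
    upper-cased, inserted at fixed positions of the master password."""
    chars = list(master)
    # Insert right-to-left so earlier slot indexes are not shifted.
    for pos, ch in sorted(zip(slots, site[:3].upper()), reverse=True):
        chars.insert(pos, ch)
    return "".join(chars)


def derived_password(master, site, length=20, specials="!@#$%^&*",
                     iterations=100_000):
    """Swapped-in alternative (an assumption, not from the thread):
    stretch the master with PBKDF2 salted by the site name, then expand
    with HMAC in counter mode and map bytes onto the site's alphabet."""
    classes = list(CLASSES) + ([specials] if specials else [])
    if length < len(classes):
        raise ValueError("length too short to hold every character class")
    alphabet = "".join(classes)
    # Bytes at or above this limit are discarded to avoid modulo bias.
    limit = 256 - (256 % len(alphabet))
    key = hashlib.pbkdf2_hmac("sha256", master.encode(),
                              site.lower().encode(), iterations)
    counter = 0
    while True:
        out = []
        while len(out) < length:
            block = hmac.new(key, counter.to_bytes(4, "big"),
                             hashlib.sha256).digest()
            counter += 1
            out.extend(alphabet[b % len(alphabet)] for b in block if b < limit)
        password = "".join(out[:length])
        # Keep drawing deterministically until every class is present,
        # which is what most sign-up forms insist on.
        if all(any(c in cls for c in password) for cls in classes):
            return password


def differing_positions(a, b):
    """Number of character positions at which two passwords differ."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


def fits_policy(password, max_length, specials):
    """Check a site's maximum length and its list of allowed characters."""
    allowed = set("".join(CLASSES) + specials)
    return len(password) <= max_length and set(password) <= allowed


if __name__ == "__main__":
    for name, scheme in (("manual", manual_scheme), ("derived", derived_password)):
        a, b = scheme(MASTER, "amazon"), scheme(MASTER, "netflix")
        print(f"{name:8} {a}  {b}  differ at {differing_positions(a, b)} positions")
    # A site with a 16-character maximum and only "!@#" as specials:
    print("manual fits: ", fits_policy(manual_scheme(MASTER, "amazon"), 16, "!@#"))
    short = derived_password(MASTER, "amazon", length=16, specials="!@#")
    print("derived fits:", fits_policy(short, 16, "!@#"))
```

Unlike randomly generated per-site passwords stored in a manager, both schemes still depend on a single master secret; the derived one only removes the visible relationship between one site's password and another's.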
horizontal rule
175

Lawyer word.


Posted by: Moby Hick | Link to this comment | 01-21-15 2:40 PM
horizontal rule
176

175 to "affirmatively".


Posted by: Moby Hick | Link to this comment | 01-21-15 2:41 PM
horizontal rule
177

174: Been a while, hasn't it?


Posted by: Moby Hick | Link to this comment | 01-21-15 2:42 PM
horizontal rule
178

Wait race cars?


Posted by: Tim "Ripper" Owens | Link to this comment | 01-21-15 2:50 PM
horizontal rule
179

131 But jesus, does everybody have Amazon Prime these days? I swear, that thing is going to kill us.

No, they still charge for killing, you just get it done faster with Prime.


Posted by: essear | Link to this comment | 01-21-15 2:51 PM
horizontal rule
180

No. Moving race cars.


Posted by: Moby Hick | Link to this comment | 01-21-15 2:51 PM
horizontal rule
181

Like, NASCAR? World Rally? Formula One? Going out to the Bonneville Flats and just being like fuck it, huge engine, move this thing? I guess this is literally asking for personally-identifiable information but come on, race cars, plus Urple did it.


Posted by: Tim "Ripper" Owens | Link to this comment | 01-21-15 2:58 PM
horizontal rule
182

No, they still charge for killing, you just get it done faster with Prime

Just wait until they get permission to use those drones.


Posted by: Jesus McQueen | Link to this comment | 01-21-15 3:03 PM
horizontal rule
183

181: Sort of yes! He'll be with them when they take the demo car with their computer parts in it to various races.


Posted by: heebie-geebie | Link to this comment | 01-21-15 3:06 PM
horizontal rule
184

Further to 182, I think that might make them price-competitive with the guy in Pakistan who said he'd kill anyone I wanted for 200 bucks.


Posted by: Jesus McQueen | Link to this comment | 01-21-15 3:09 PM
horizontal rule
185

183: Awesome. Will he get a cool "Team X" jacket out of the deal?


Posted by: AcademicLurker | Link to this comment | 01-21-15 3:16 PM
horizontal rule
186

I don't know if they're part of a team, per se, because I don't think anyone drives their demo car in the actual race - I think they show it off as part of the circus surrounding the race. But I bet they have matching outfits of some kind. Can't have them looking all haphazard at the Formula 1 Racetrack.


Posted by: heebie-geebie | Link to this comment | 01-21-15 3:18 PM
horizontal rule
187

Probably just a simple tights, singlet, codpiece combo.


Posted by: Moby Hick | Link to this comment | 01-21-15 3:30 PM
horizontal rule
188

||

Just putting this here for reference:

[O]n any given day, I'd say 75 percent of what you read in the tech press is somewhat accurate, 20 percent is complete bullshit, and 5 percent is actually true.

I think it's safe to say this applies to most journalism, not just tech. I bring it up because we often have conversations in which somebody says something to the effect that every article they've ever read in which they had first hand knowledge was on some level incorrect. This guy - who worked for most of a decade in tech journalism, and now has been on the VC side for awhile - is offering a slightly more nuanced take that's probably useful to bear in mind.

|>


Posted by: JRoth | Link to this comment | 01-21-15 4:00 PM
horizontal rule
189

If that's to 187, I don't think I count as "press".


Posted by: Moby Hick | Link to this comment | 01-21-15 4:17 PM
horizontal rule
190

I use KeePass and often when I have it generate passwords for accounts I get a message on the signup form that essentially says "your password is too strong; weaken it" and then I look more closely and see that they have a non-intuitive definition of special characters or don't allow spaces or whatever.


Posted by: fake accent | Link to this comment | 01-21-15 7:01 PM
horizontal rule
191

Aren't docs stored on google drive encrypted? Maybe that's better than gmail.


Posted by: urple | Link to this comment | 01-21-15 7:15 PM
horizontal rule
192

115: Thanks! Additional household member added.


Posted by: Mr. Blandings | Link to this comment | 01-21-15 7:28 PM
horizontal rule
193

Catching up on this thread, I think my dad got the same login message at work for the last 20+ years before he retired:

"Your password has not changed for 30 days. Please consider changing it."

The password was a four-letter word, not profane. I occasionally logged into his work system to play text-based games as a kid.


Posted by: fake accent | Link to this comment | 01-22-15 1:28 AM
horizontal rule
194

Also, while reading this thread I tried to log into a site, failed, thought it was one of the sites where my account pre-dated my use of a password manager, meaning there was a decent chance I still relied solely on memory for it, requested a password reset so I could log in and then put the new password in my password manager, discovered I had previously entered both the site and old password in the manager, discovered my reset request had gone through so I couldn't use my old password, generated a new password, entered the new password on the site, saved the new password in the manager. This took about five minutes.


Posted by: fake accent | Link to this comment | 01-22-15 1:37 AM
horizontal rule
195

I once had an intern whose friend was interning for a Formula 1 team. And they gave a £1000 bonus to everybody on the team, including the interns, for every point gained in a race. They did averagely OK that year and he was about £50K up.


Posted by: chris y | Link to this comment | 01-22-15 2:38 AM
horizontal rule
196

A couple of times we house-sat* for one of the executives at M\ acLare \n . It was a very nice detached house in Surrey, but it wasn't particularly ostentatious.

* my wife used to au-pair for one of their neighbours, so we knew them slightly.


Posted by: nattarGcM ttaM | Link to this comment | 01-22-15 4:42 AM
horizontal rule
197

My only worry with LastPass is that if someone has physical access or remote desktop control of my computer, they have everything.

You can configure LastPass on a site by site (or secure note by secure note) basis to require a reprompt of your master password. A pain in the arse for day to day use, but if you're worried about other people accessing your computer/device you could do it for the sensitive ones. Or you could be extra diligent about using lock screens.


Posted by: Ginger Yellow | Link to this comment | 01-22-15 5:52 AM
horizontal rule
198

I'm surrounded by people who work for Formula 1 (I so did not realise I had moved to Formula 1 land). My next-door neighbour is a mechanic (not pit crew, experimental) for Lotus; friend is an electrical engineer for Mercedes; etc, etc. All I can tell is that it's pretty damn good to work for Mercedes right now, what with Lewis Hamilton winning everything.


Posted by: Parenthetical | Link to this comment | 01-22-15 6:54 AM
horizontal rule
199

You mean you live near Wan\tage? It used to be all horses there but the last time I drove to visit a friend it seemed to be nothing but racing car firms


Posted by: Nworb Werdna | Link to this comment | 01-22-15 10:01 AM
horizontal rule
200

Same county, farther north. Spitting distance from the Mercedes HQ.

I really liked Want/age when we visited, though -- would love to live there.


Posted by: Parenthetical | Link to this comment | 01-22-15 10:23 AM
horizontal rule
201

I have traumatic memories of the place -- my best friend from school lived there because his father had a pub in the centre of town with an upstairs disco where we could spend afternoons drinking cream stout and playing Cream on the PA. I don't think I have ever been more unhappy but the booze and the music helped.

He now lives up the road, in Gro/ve having managed to avoid paid work since the age of 25. One of the wittiest men I have ever known and I would once have said the most talented of all my friends.


Posted by: Nworb Werdna | Link to this comment | 01-22-15 10:58 AM
horizontal rule
202

Ooof, doesn't sound like fun. I've only been there on a long weekend, country B&B and walks on the Ridgeway. Pleasant memories.


Posted by: Parenthetical | Link to this comment | 01-22-15 11:00 AM
horizontal rule
203

Oh, the countryside around is lovely. If you're not a miserable adolescent at a single sex boarding school it's probably enjoyable too. And there are great pubs.


Posted by: Nworb Werdna | Link to this comment | 01-22-15 11:04 AM
horizontal rule
204

||
"Interestingly, while in Western society vaginal intercourse is the main cause, more than half of the reported penile fractures in the Middle East, especially in Iran, are inflated by manual bending of the erected penis to achieve detumescence due to cultural circumstances (i.e., forceful hiding of an erect penis in underwear, known as Taghaandan practice, "breaking the Qholenj") [5].
|>

[from]

Now that's what I call repression.


Posted by: Nworb Werdna | Link to this comment | 01-22-15 11:10 AM
horizontal rule
205

This is because they don't have baseball.


Posted by: Moby Hick | Link to this comment | 01-22-15 11:12 AM
horizontal rule
206

So in American football they deflate the balls, but in baseball, it's the penis? I think I understand it now.


Posted by: Nworb Werdna | Link to this comment | 01-22-15 11:16 AM
horizontal rule
207

I've been keeping my passwords in the GMail, but, after looking at the graphic half way down this page, I think I'm going to not do that any more. You know, in case I ever wind up on the wrong side of The Man.


Posted by: Spike | Link to this comment | 01-22-15 11:35 AM
horizontal rule
208

LastPass and KeePass and all these similar services are technically programs you have to install, right? Or if "programs" is the wrong word, they're apps or browser plugins or something? In that case, I can't use them at work, because our computers here are straightjacketed. And there's at least two or three things I use regularly at home that I'd also like to have the password to at work.

So for now I'll probably stick with my current system: I have two main password phrases that aren't written down anywhere, and for every Web site I use one of those with numbers or symbols added in various places, and I have a text document on my home computer with a list of each of them, with a file name that has nothing to do with passwords. For example, it'll say something like "Amazon: secondary password, 2 in third position, ! at end."

I promise, I'll really look into those options if I ever stop goofing off at my job, or let me install a plugin to make it easier.


Posted by: Cyrus | Link to this comment | 01-22-15 2:26 PM
horizontal rule
209

You could put the app on your phone and use that to look up your passwords, but you'd lose a lot of the convenience of the browser plugins.


Posted by: Yawnoc | Link to this comment | 01-22-15 2:45 PM
horizontal rule
210

You can run KeePass off a flash drive but your work may block USB ports and flash drives have the built in risk of losing them because they're small. Come to think of it, it may be possible to run KeePass w/o admin privileges, though there may be workplace policy against unauthorized apps.


Posted by: fake accent | Link to this comment | 01-22-15 3:38 PM
horizontal rule
211

FWIW, the computers at my work are pretty locked down (no USB devices, even for charging, for instance), but I could still install the LastPass plugin.


Posted by: Ginger Yellow | Link to this comment | 01-22-15 4:51 PM
horizontal rule
212

Personally, I bought the app for marriage, LastAss.


Posted by: Tim "Ripper" Owens | Link to this comment | 01-22-15 4:54 PM
horizontal rule
213

||No more oiling up for King Abdullah.|>


Posted by: Jesus McQueen | Link to this comment | 01-22-15 5:02 PM
horizontal rule
214

I use PasswordSafe, which I'm somewhat surprised hasn't been mentioned. It runs on multiple platforms and is recommended by Bruce Schneier (and IIRC partly written by him).

It is more nerdy than LastPass etc., in that one must supply a master password to open a "safe" and then copy-paste the password (it copies it on a double-click of the entry). Once the safe is open it stays accessible for a while, then shuts again.

I don't trust cloud-based or cookie-based systems, and it will be years until I do.

I keep vowing to put a copy of the master password and the safe file in my deposit box, in case I die or go senile.


Posted by: DaveLMA | Link to this comment | 01-23-15 10:56 AM
horizontal rule
215

I don't trust cloud-based or cookie-based systems, and it will be years until I do.

Nor do I, ultimately, but this is a situation where the perfect is the enemy of the good for me. If it's not something as convenient and as accessible anywhere as LastPass, I'm simply not going to have a different secure password for all of, or even a meaningful proportion of, the sites/apps I use. Which means I'm vulnerable at many points, not just one, at least theoretically more secure, point.


Posted by: Ginger Yellow | Link to this comment | 01-23-15 11:08 AM
horizontal rule
216

All this talk about passwords reminds me of a bunch of the stuff I hate about Windows 8. Number 1 on the list: they didn't adequately QA it for people who didn't want to get a WindowsLive account and use that password for their login password. That was me - instead of something like KeePass, I've kept a list of accounts and somewhat obscure password hints on my laptop (with a backup on my home computer), while using a non-obvious (no "1234") but not super-strong password to secure the laptop, counting on physical possession of the laptop to be my main defense.

I ran into this both on the Windows 8.1 upgrade and on Skype initialization - Windows wanted me to go get a WindowsLive account right then and convert to using it as my login password. While there was a non-obvious link on the page to say "No I want to keep my existing login password, thank you very much", in both cases it didn't work, looping me back to the screen prompting me to get a WindowsLive account. The former case I eventually figured out a workaround for (logging in with an invalid password, and then finding a way around it in the resulting prompts), but the latter had me stuck in an emergency situation where I needed to get Skype working right away*. So I wound up having to pick a non-obvious password that I had a fighting chance to remember and Windows thought was strong enough (being pickier than most programs), and I now have that as my login password (without a hint) on my laptop, where I get reminded multiple times a day how much I hate Windows 8 (8.1 these days).

* - More details: our engineering meeting had been kicked out of the conference room we usually use by our CEO, who needed it for another meeting. So I was trying to use Skype on my personal laptop to link in my boss, because the new room didn't have teleconferencing. I got to spend 20 minutes with our whole Engineering department watching me curse out Windows repeatedly, as I first tried to find a workaround, then gave up and asked for a WindowsLive ID, then got told that my email was already in use and I needed to supply the previous password (which I had no chance of getting to, because if I had recorded it, it was on the laptop that currently had me stuck in this loop), then went through the password reset procedure, which involved a text to my cell phone (which fortunately I had with me), then go through the process of picking a password that Windows would accept, and finally wait around while it took its own sweet time reconfiguring my system with the new password and linking my new password to my Skype login. Because, of course, having a WindowsLive ID is so awesome that I had nothing better to do at that particular time than go through all the hoops to get my laptop configured with it. Have I mentioned how much I hate Windows 8 lately?


Posted by: Dave W. | Link to this comment | 01-23-15 8:42 PM
horizontal rule
217

I absolutely hate Windows 8 requiring a Windows account to be a computer user's account for certain things. I don't mind needing a Windows account to download from the Windows store but I'd rather have my own access to the machine.

I took over my mom's Windows 8 laptop and after determining that I wasn't going to brick it, installed Ubuntu. I did install Windows 8 in VirtualBox (using the key that came with the computer) but only in case I absolutely require compatibility. I mainly run it to sync some files on my work Google account to my laptop - no Google Drive desktop sync in Linux - so I end up usually running it with a non-administrative non-Windows Live user account.


Posted by: fake accent | Link to this comment | 01-23-15 10:53 PM
horizontal rule
218

I really would have thought the Math Association of America would have given a bit more thought to entropy. There are 67 characters in their permitted alphabet, but three of the characters in your password have to be chosen from smaller sets: lower case letters (26), digits (10), and special characters (5), reducing the complexity of a brute-force search by 2-3 orders of magnitude. Bumping the length requirement to eight characters (with a dictionary check to rule out guessable words and common passwords) would have improved security a lot more than their silly special-character rule.


Posted by: Evan | Link to this comment | 01-26-15 2:21 AM
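
Added example, not part of any comment in the thread: an exact count, by inclusion-exclusion, of the passwords that satisfy the composition rule using the class sizes given in 218 (67 permitted characters; at least one of 26 lower-case letters, 10 digits and 5 special characters), set beside the unconstrained search space. The lengths 6 to 8 are assumptions for illustration; the site's actual minimum length is not stated in this part of the thread.

```python
from itertools import combinations
from math import log2

# Class sizes as stated in comment 218: 67 permitted characters in total,
# with at least one lower-case letter (26), one digit (10) and one special
# character (5) required. The other 26 characters are optional.
ALPHABET = 67
REQUIRED = {"lower": 26, "digit": 10, "special": 5}


def compliant_count(length, alphabet=ALPHABET, required=REQUIRED):
    """Count strings of `length` that contain at least one character from
    every required class, by inclusion-exclusion over excluded classes."""
    sizes = list(required.values())
    total = 0
    for k in range(len(sizes) + 1):
        for excluded in combinations(sizes, k):
            # Strings that avoid every class in `excluded` entirely.
            remaining = alphabet - sum(excluded)
            total += (-1) ** k * remaining ** length
    return total


def policy_report(length):
    """Return (unconstrained bits, compliant bits, reduction factor)."""
    free = ALPHABET ** length
    ok = compliant_count(length)
    return log2(free), log2(ok), free / ok


if __name__ == "__main__":
    # Assumed lengths, for illustration only.
    for n in (6, 7, 8):
        free_bits, ok_bits, factor = policy_report(n)
        print(f"length {n}: {free_bits:.1f} bits unconstrained, "
              f"{ok_bits:.1f} bits compliant, space reduced {factor:.2f}x")
    # Effect of one extra character on the compliant space.
    print(f"6 -> 7 characters multiplies the compliant space by "
          f"{compliant_count(7) / compliant_count(6):.1f}")
```
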
horizontal rule