I know it defeats the purpose of these security questions, but for the more important online verifications, I write down my answers to all of this shit. So now I have a little piece of paper, labelled "Welcome, Burglars!", with lightly coded password keys and verification answers to my entire life.
Privacy is obsolete. Identity theft will be much less of a concern moving forward as we come to accept that we are all part of the same hivemind.
I know it defeats the purpose of these security questions, but, like Apostropher, I make up nonsense answers to all these questions, and then can never remember them.
I especially hate it when someplace imposes parameters on my password (at least 10 characters, including at least one number and one letter, case sensitive with at least one capital letter and one special character), that none of the passwords in my "standard repertoire" comply with, so I have to make up some new and original password on the spot. It might as well just make up its own password and not even tell me, since I'm never going to be able to access my account again anyway.
Did I mention how I hate passwords, locks, alarms, PINs, clothing?
Really, JM, you should hide that. When my computer was stolen, I was so happy to find my list of passwords hidden at the bottom of a pile of bills. And I don't save them in my browser, either.
I'm down to names of pets that I didn't even like.
That cracked me up.
How many sites do most of us have to remember passwords for? Two or three dozen? It's madness.
My six failed pet names were Eliot, Hemingway, Parker, Molly, Maggie, and Protein.
It's mostly hidden, mcmc. Uh, and it is coded, sorta.
I thought the CSRs didn't have access to the security questions, like they don't for passwords. Isn't that a security flaw somehow? (but then, what isn't these days?)
(but then, what isn't these days?)
Heh.
I did get a pretty cool piece of biometric hardware from Bloomberg, one which softens up my hatred of security devices with its space age technological appeal -- it reads your fingerprint and then translates a flashing light on your computer screen into an alphanumeric password that you can enter on the Bloomberg Terminal.
'Protein' is a fantastic pet-name...
And 7, the only appropriate answer to "What is your favorite pet?" would be Candi.
translates a flashing light on your computer screen into an alphanumeric password
Is it flashing in morse?
I think it's probably flashing in bar-code language but am not sure.
ObPets: Yesterday saw the induction into the Clownæ family of its fourth member, a 3-month-old Shih Tzu puppy named Pixie.
One of my university accounts requires FOUR security questions, and for each one you have a choice of four, every single one of which is something that I don't have a single answer to. They're all things like what's your favorite movie? Band? Book? Etc. Maddening.
My dad used to have a business card in his wallet where he had written what was apparently a local phone number on the back, but the last four digits were his ATM PIN.
So naturally, I cleaned him out pretty thoroughly.
Some online stores offer three choices for payment: register as a new user, returning user or 'shop anonymously'. I use that last one. I do have to re-enter address, credit card, etc., but I like not having yet another password to remember.
'Protein' is a fantastic pet-name
Protein was a really great cat. My co-blogger Froz Gobo and I got her as a kitten while we were dropped out of college, working minimum wage jobs, and living in an apartment mostly free of furniture. There was an outside chance we were going to have to eat her, but luckily we were both working in restaurants.
3 gets it right. I have (I think) three passwords that I use for different kinds of things.
That said, I'm locked out of my bank account right now too because none of them works. Either that or I'm misremembering my username.
God but do I hate the password dance.
I have an idea. Let's all tell *each other* our passwords, and we can write them down for the other person. Then say I can't remember mine: I give Armsmasher a ring. He can't remember his, he calls LB. LB forgets hers, she calls B-Wo. And so on.
I used lines from short poems for a while, with the obvious l33t-speak alphanumeric substitutions. And absolutely everything that doesn't have any financial importance gets the same easy password.
Once upon a time, I had an account that was so restricted, I had to change the password every couple months. It drove me mad, especially since it was also one of those where the password had to have special characters, numbers, the whole bit. Once I got so fed up with trying to find a new password that I could remember, that I went with a variant of "your mom".
24: It's surprising how many variations on the theme "Fuck that noise" you can come up with for password purposes.
At work, where I have to change it every 90 days, I've used the same word, followed by a different punctuation mark. So, using "Monkey" as an example, it's Monkey!, then Monkey@, then Monkey#, etc.
24: Yeah, I used to have one of those at an old job, with a one month cycle. I just went line by line through
Ra20r5pa1ny0u
r1v3r5ar3damp
ac1d55ta1ny0u...
24 -- Our computers at work have this feature and it drives me past crazy. The standard thing is to come up with a password which ends with '1', then each time you need to change the password, increment the final number, and spend the next few days forgetting your password when you need to log in. So somebody in the security department got the bright idea, require two or more characters to be changed when a password expires.
I especially hate it when someplace imposes parameters on my password (at least 10 characters, including at least one number and one letter, case sensitive with at least one capital letter and one special character), that none of the passwords in my "standard repertoire" comply with, so I have to make up some new and original password on the spot.
Ah, yes! HATE. And the worst thing is (and RMcMP will correct me if I'm wrong) is that these things actually can tend to make passwords LESS secure, rather than more, since restrictions like "at least one number" and "no repeated letters" just limit the set of passwords that a brute-force attack has to try. Yes, we don't want people using "aaa" as their password, but my awesome and easy to remember password happens to have the same letter twice in a row along with some nice numbers, etc, and I can't use it at my damn bank. HATE.
My current job requires at least one each of a letter, a number, and a symbol, and changes pretty frequently. It took me ages to come up with a workable system for new passwords I could remember.
Looks like I'm late to the error-of-judgment orgy. Suggest shredding this thread and burning the confetti.
29: `no repeated letters' is probably not a great one, but no, these measures tend to make passwords much more secure.
The main reason is to reduce effective dictionary attacks. It is probably a bit difficult to analyse the practical outcome of the instructions given, without knowing whether people interpret them minimally or not. In other words, does `at least one number' usually end up with just one number.
Exhaustive brute force attacks are usually too expensive. Consider just lowercase alphabetic passwords of 6 letters: that would be 26^6 possibilities, and if checking each takes a second (via web, or with a delay at login), you are still looking at around 10 years to do the attack. On the other hand, there are only a few thousand dictionary words of six letters, so that's quite cheap.
It is annoying that they have fixed `rules' rather than a measure of fitness, but these measures do counteract the easiest attacks.
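The arithmetic in the comment above (26^6 guesses at one per second is roughly ten years, while a few thousand dictionary words fall in minutes) generalises easily, and the same functions settle the "no repeated letters" and "at least one number" debate from comment 29 and the 76^8 figure that comes up later in the thread. The block below is an added example, not code from the thread or from any commenter; the 5,000-word dictionary size and the one-guess-per-second rate are constructed placeholders, not measurements.

```python
"""Added example: size of the password search space under various rules,
and the wall-clock cost of walking it at a fixed guess rate.
Not from the thread; all inputs are constructed for illustration."""

import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600  # Julian year, 31,557,600 s


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols."""
    return alphabet_size ** length


def keyspace_no_adjacent_repeat(alphabet_size: int, length: int) -> int:
    """Strings in which no two neighbouring symbols are identical:
    the first position is free, every later one must differ from its
    predecessor.  This is what a 'no repeated letters' rule costs."""
    if length == 0:
        return 1
    return alphabet_size * (alphabet_size - 1) ** (length - 1)


def keyspace_at_least_one_digit(letters: int, digits: int, length: int) -> int:
    """Strings over letters+digits that contain at least one digit:
    every string minus the ones built from letters alone."""
    return (letters + digits) ** length - letters ** length


def years_to_exhaust(guesses: int, guesses_per_second: float) -> float:
    """Worst case: every candidate is tried at a constant rate."""
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def expected_years(guesses: int, guesses_per_second: float) -> float:
    """On average the right candidate turns up halfway through."""
    return years_to_exhaust(guesses, guesses_per_second) / 2


def bits(guesses: int) -> float:
    """Search-space size expressed as bits (log2)."""
    return math.log2(guesses)


if __name__ == "__main__":
    rate = 1.0  # constructed: one online guess per second
    dictionary_words = 5_000  # constructed: six-letter dictionary entries

    rows = [
        ("6 lowercase letters, exhaustive", keyspace(26, 6)),
        ("6 lowercase, no adjacent repeats", keyspace_no_adjacent_repeat(26, 6)),
        ("6 letters+digits, >=1 digit", keyspace_at_least_one_digit(26, 10, 6)),
        ("6-letter dictionary words", dictionary_words),
        ("dictionary word + 2-digit suffix", dictionary_words * 100),
        ("8 chars from a 76-symbol set", keyspace(76, 8)),
    ]
    for label, n in rows:
        print(f"{label:36s} {n:>20,d} guesses  "
              f"{bits(n):5.1f} bits  {years_to_exhaust(n, rate):12.4f} years")
```

The "no adjacent repeats" row is the point made in comment 29: the rule removes candidates from the space a guesser has to cover, so on its own it makes exhaustive search slightly cheaper. The "at least one digit" row shows why the trade-off is still usually worth it: it removes only the all-letter strings, which is exactly the subset a dictionary attack lives in.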
I have two core passwords, with standard variations for pickier password-picking mechanisms. Both are completely unguessable and perfectly secure.
One possibility for passwords that require numbers -- NOT THAT THIS IS MY SOLUTION -- is to go through the digits of pi in groups of three. So if your base password is monkey, you'd go through monkey314, monkey159, monkey265...
This only works if you once had a job so boring that you literally were reduced to trying to memorize pi as far out as possible, using the Calculator. (No internet access on my computer! Cruel and unusual!)
Does anyone know what "turf toe" is? I heard this during the Bears game last night.
14: Beat me to it. That program is genius.
28: Mine too. My department discussed this and decided the answer was [word]11, [word]22, [word]33 etc. Probably not the action (or solution) the security guy was hoping for.
35: yeah, this is a problem. If the solution is a relatively simple mapping, you can guess that and exhaust those possibilities too. Still, it takes longer than just [word] would.
But doesn't that security measure of being locked out after three unsuccessful attempts thwart the brute force attacks?
Turf toe, in a nutshell, is tearing the capsule around the joint at the base of the big toe. Pretty common for football players who run on artificial turf and reportedly quite painful.
Thanks, apo. I guess I could have just looked that up. But it's more fun this way.
My toe has actually been hurting the last few days, and I am claiming that I have turf toe. It's fun times.
38: yes, that is one part of the purpose, although as I understand it some of these have a timeout too (in other words, you can do more than 3 tries if you don't do them right away). On the other hand, much of the collected wisdom about `good passwords' predates these sort of web logins.
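Comments 38 and 40 describe the two lockout shapes most systems use: a hard lock after N failures, and a softer "N failures per cooling-off window" that silently reopens. The block below is an added example, not code from the thread or from any commenter, that models both as a per-account failure tracker and computes the ceiling on online guesses each policy allows; the three-failure limit, the 15-minute window and the horizons are constructed values.

```python
"""Added example: model an account-lockout policy and bound the number of
online guesses it permits.  Not from the thread; policies and numbers
are constructed for illustration."""

from collections import deque
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    max_failures: int                # failed attempts before the account locks
    window_seconds: Optional[float]  # None: locked until a human resets it


class FailureTracker:
    """Per-account record of failed logins, judged against one policy."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.failures = deque()  # timestamps (seconds) of failed attempts

    def _prune(self, now: float) -> None:
        # Forget failures older than the window; a permanent lock never forgets.
        if self.policy.window_seconds is None:
            return
        cutoff = now - self.policy.window_seconds
        while self.failures and self.failures[0] <= cutoff:
            self.failures.popleft()

    def is_locked(self, now: float) -> bool:
        self._prune(now)
        return len(self.failures) >= self.policy.max_failures

    def record_failure(self, now: float) -> None:
        self.failures.append(now)

    def unlock_time(self, now: float) -> Optional[float]:
        """Moment the oldest in-window failure expires; None if permanent."""
        self._prune(now)
        if self.policy.window_seconds is None or not self.failures:
            return None
        return self.failures[0] + self.policy.window_seconds


def online_guess_budget(policy: LockoutPolicy, horizon_seconds: float) -> int:
    """Upper bound on wrong guesses one account can absorb within the
    horizon, assuming every guess fails and guessing resumes the instant
    the lock lifts.  This is the number a defender compares against the
    size of the likely-password set."""
    tracker = FailureTracker(policy)
    now = 0.0
    guesses = 0
    while now < horizon_seconds:
        if tracker.is_locked(now):
            resume = tracker.unlock_time(now)
            if resume is None:  # permanent lock: nothing further is accepted
                break
            now = resume
            continue
        tracker.record_failure(now)
        guesses += 1
    return guesses


if __name__ == "__main__":
    day = 24 * 3600
    hard = LockoutPolicy(max_failures=3, window_seconds=None)
    soft = LockoutPolicy(max_failures=3, window_seconds=15 * 60)
    print("hard lock, 3 failures:         ", online_guess_budget(hard, day), "guesses/day")
    print("3 failures per 15 min window:  ", online_guess_budget(soft, day), "guesses/day")
    print("same policy over a year:       ", online_guess_budget(soft, 365 * day), "guesses/year")
```

With a three-per-fifteen-minutes window the budget is 288 wrong guesses per account per day, a little over 100,000 per year: enough to cover a short list of common passwords but nowhere near the 26^6 space from the earlier comment, which is why the "collected wisdom" about offline cracking does not transfer directly to throttled web logins.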
Mac users: I haven't gotten around to trying it myself, but I've recently had Password Wallet recommended to me.
Big group hate on the "security questions" nonsense. Picking a "favorite" anything is hard enough without it being mandatory, and trying to remember what I thought about it three months ago is terrible. I go with an encrypted file for these things, and a suite of semi-standard passwords (a few different low-security ones). Fortunately, my line of work lets me mostly get away with using SSH keys as login authentication and I don't even *have* passwords on most company systems.
Having experienced the glory of single-signon in an earlier life, I know that we could do better technologically. It makes me kind of sad that the state of the world is as bad as it is.
In lower-tech but annoying security goop, I helped my grandmother set up her new cable TV/telephone/internet access in her new apartment yesterday. Her son has complained that he'd left her voice mail but she didn't know how to get it. First, I had to figure out that the "Messages" light on the cable box had nothing to do with this and was just the annoying, useless cable-company "Look! We've got hockey games!" messages. Next, I found the booklet they left her about the phone service and the access number for voicemail, and we get tripped up by a "temporary passcode". Nobody has written down what this is or where we can find it. Diverting away from that, we try to use their web-based access to voicemail, and spend ten minutes trying permutations of her username and password before remembering which of those had a digit added to it due to their password policy (mutating an otherwise fine, non-dictionary password). But then the lockout we'd tripped on the telephone login had also locked out the online login... finally, we called the company and they told us that it's the last four digits of her phone number. Not terrible, but somebody should have communicated that at the beginning of the process, and the whole thing was just a technological tragedy of annoyances.
Somehow this Slate article seems relevant:
Perhaps the most striking example of informal knowledge helping to solve what would appear to be a purely technical problem occurred in a particular company that [on Sept. 11] lost all its personnel associated with maintaining its data storage systems. The data itself had been preserved in remote backup servers but could not be retrieved because not one person who knew the passwords had survived.
The solution to this potentially devastating (and completely unforeseeable) combination of circumstances was astonishing, not because it required any technical wizardry or imposing leadership, but because it did not. To access the database, a group of the remaining employees gathered together, and in what must have been an unbearably wrenching session, recalled everything they knew about their colleagues: the names of their children; where they went on holidays; what foods they liked; even their personal idiosyncrasies.
And they managed to guess the passwords. The knowledge of seemingly trivial factoids about a co-worker, gleaned from company picnics or around the water cooler, is not the sort of data one can feed into a risk-management algorithm, or even collate into a database—in fact, it is so banal that no one would have thought to record it, even if they could. Yet it turned out to be the most critical component in that firm's stunning return to trading only three days after the towers fell.
45: Oh my God. It's wrenching just to imagine.
I've been experiencing this very strange phenomenon where numbers that I haven't used in a decade suddenly come bubbling into my consciousness. When asked to write my address I will suddenly find myself writing the address of the house where I lived *in 1990* and have to stop myself. I *frequently* write the zip code of the house where I lived four moves ago, instead of my current zip code.
Characters from a particular work make a good set of names to draw passwords from. Hamlet, Claudius, Gertrude, Polonius, Laertes, Ophelia, Horatio, Rosencrantz, Guildenstern, Fortinbras. L33t or punctuate (Ophe!ia) as required, I suppose.
Doesn't solve the favorite monkey problem, but what does?
47: Those make great password aids. The sail numbers from the Sunfish I raced as a teenager will be stuck in my head forever, and make a fine numeric addition to any password.
PasswordSafe is pretty awesome... You could also just take Schneier's advice to write down your passwords.
This post is also apropos. (Shorter Schneier: secret questions suck.)
How many sites do most of us have to remember passwords for? Two or three dozen? It's madness.
Many in high places recommend using an algorithm based on the name of the site that still results in a secure password; this is possible if you're creative.
Also, long phrases are both easier to remember, and as well if not more suited to withstanding attacks than hard-to-remember passwords. I think Bruce Schneier has recommended them, as does Stanford.
49: All these little memories just leave me with the feeling that I'm drowning in numbers. Like, at some point someone is going to ask me to remember a phone number, and I'm going to go into cataleptic shock, able only to mumble what appear to be arbitrary strings of digits.
Hey, someone just sent me a Richard North Patterson book to review. The name is vaguely familiar in a 'sucky bestseller' kind of way. Am I being unfair, or is it worth reading?
You could also just take Schneier's advice to write down your passwords.
That's what I said, but ogged rebuffed me. Buff me once, etc. etc.
That "passwords in your wallet" advice is so monumentally bad that even though I really like Schneier's site, I now take everything he says with a grain of salt.
Any fans of OpenID in the house? (If so, tell me more about it.)
For additional security, one could carry around all one's passwords in one's wallet, but written in some secret code, like pig-latin.
Apo would have written: "Bank Passord: onkey-may."
"passord" is one more extra layer of security, since no one could guess what it means.
55: It's a bad idea to keep your ATM PIN in your wallet. I'm not convinced it's a bad idea to keep your other passwords in your wallet, since anyone who wants to use them needs to know not just the password but the userid as well. (For anything other than banking, they need to know what services you use too.) And if you lose your wallet or it gets stolen, you *know* you're at a higher risk of having your accounts compromised and can take action to prevent that.
Which Richard North Patterson book? I haven't read many but I thought Protect and Defend was a decent enough treatment of some of the issues surrounding abortion rights that I've recommended it to non-wonky friends who wouldn't have thought about the issues otherwise.
userid as well
Yeah, but this is usually one of about five possible combinations based on the person's name.
Am I being unfair, or is it worth reading?
No and probably not.
Richard North Patterson's novels were much more impressive to me before I started reading blogs. That sounds stupid, but hear me out.
What was interesting in his books was simply getting to hear all of the voices around a particular issue (I also read the abortion one), and to have them make their best cases for their beliefs and positions, and to watch those voices smash up against each other. Now that I can do that in real life with a click, his accomplishment seems less impressive.
Also, the plots seemed a bit too neat to me; the "reality" he's contrived solves the argument rather conveniently. Since in this real life, the arguments go on and on, and I feel like my side is losing position to stupidity and cowardice rather than gaining position, his plot contrivances that make the world seem better stick a bit in my throat.
I'd be curious to read your take on him. Also, I should admit I've only read a few of his bijillion novels. Have I mentioned that I hate series?
61: The one that's coming out in January; it's called Exile.
I haven't read any others of them, but you and Jack are making it sound at least legible. The topic is Israel/Palestine, though, which means to review it I'd have to come up with a coherent thought on the subject.
Richard North Patterson's novels were much more impressive to me before I started reading blogs
Interesting. I read Protect and Defend in, I think, 2000. It wouldn't surprise me if I had the same feeling you do. I thought he was good at laying out all of the arguments on all sides and special interests surrounding an issue but I may be less impressed by that now that that's more at my fingertips.
34, 39: It feels something like shin splints but in your toe if that makes sense. Very bad times. Though not as bad as plantar fasciitis for my money.
Yeah, but this is usually one of about five possible combinations based on the person's name.
Maybe if you've got an unusual name. For most people, even if they're using their name it's going to be one of five possible combinations based on the person's name, followed by some indeterminate number.
Maybe if you've got an unusual name.
Hadn't thought of that, but you're right.
52: I've yet to memorize my phone numbers here, and despair of ever doing so.
I tend to recycle old phone numbers and addresses into current passwords when I need to add some alphanumeric chaff. For less important accounts I just pick some word associated with the act at hand -- e.g. "bookworm" for Amazon [note: not a real example] -- then l33t it (e.g. b00kwOim, with the Jersey "i" for good measure) until it passes the fitness metric of the site.
By the way, unless you wear armor, pet monkeys are a bad idea.
"I remember you telling me you can take the teeth and testicles out of a monkey but not the wild instinct."
Ugh. Couldn't you have marked that one NSFQP (Not Safe for Queasy People)?
72. But couldn't you make a similar argument about dogs? But dog attacks are relatively few (and fools are aplenty). What about monkeys? What percentage of monkeys attack?
Don't kill my dreams. Next you'll tell me pet bears "aren't safe".
I like the "she was the perfect child" thing. Anyone with a kid knows the little fuckers will hit and bite. Thankfully, they're not equipped with razor-sharp teeth, otherwise we'd see a lot more mangled parental hands.
Yeah, it's like the old one-liner: "I slept like a baby last night. I woke up and howled every half-hour, then I shat in the bed."
29, 32: I agree wholly with sobrizquet's take on it. Ramp that password up to 8 characters, repeated letters OK, numerals OK, . , ; : and the shift-numeral characters OK, case-sensitive, you're looking at, what, 76^8 possible expressions? Giving a potential cracker a clue as to how complex the passwords are is quickly outweighed by increased possible values.
Due to some recent experiences, I have come to find myself in the "one good, strong password used for life (or at least for a very long time)" camp, personally, as opposed to the "change your password in a minor way every five minutes" approach. For the better part of a decade I didn't change the password on my main personal email account. Through countless intrusions on the system overall, my login was never one of the casualties because it had one good, strong password and there was always going to be lower-hanging fruit.
In fact, I think there's probably a case to be made (though I don't know of any studies done) that frequent password changes are actively harmful because they lead people to write down their passwords. These days, most intrusions are inside jobs. It is far more dangerous in most cases, I think, for people to write down their passwords where Gary The Disgruntled Accountant can get to them than it would be to have one tough, memorable password that gets used for a year.
In truth, I wish everything just had single sign-on with either a time-dependent or asynchronous numeric token for authentication. I love 'em. But they're impractical for many reasons, and so we use passwords.
78 (and 32): Sure, of course, increased complexity is a very good thing. It just drives me crazy that "a1fa8#4k" is acceptable but "aa1f8#4k" isn't, even though they're equally strong passwords.