I have about 50 passwords and some need to be changed as often as once a month. Several need to be 12 characters of various forms. There is no way to keep that all in my head. In desperation I looked at many password programs. More than 20.
Roboform has my vote. I've used it for about a year now. It has secure notes for those passwords and ID's that are not able to be saved automatically like some bank sites. It has never failed me. Well worth the money. As an added benefit it fills in web forms at a single click. I wouldn't be without it now. I even own the portable USB version. I buy the licenses as gifts because I find it so useful.
+7
Votes
Keeping Passwords
Posted by PatrickFW
29th Jul 2009
+4
Votes
RE: How to avoid the '500 worst passwords of all time'
Patrick,
Thanks for the note and info. Roboform is what I am considering. Seems worth the money...J
Posted by John Dodge
29th Jul 2009
+5
Votes
RE: How to avoid the '500 worst passwords of all time'
I can say that none of my 66 current passwords nor any of the 53 retired ones are on the list. Some are close, but only a part of the actual password. I do have some relatively simple passwords/PIN #'s I have been changing some to more complex ones or ones that can't be figured out immediately--such as Sarah Palin's were. If I have a city name, it will be part of my former address, etc. License plate numbers are used or variations on them, such as adding the state name, especially if you no longer live there.
I use a Password protected Excel Spreadsheet, it doesn't populate any webforms, but is free and easy to use.
Posted by dhays
30th Jul 2009
+1
Vote
Excel easy to hack
Just an FYI dhays. Don't make the mistake of thinking your Excel spreadsheets are protected when you use a password. Look up "Advanced Office Password Recovery Pro"...
Posted by Jeffp77
17th Jun 2011
+2
Votes
RE: How to avoid the '500 worst passwords of all time'
One of my favorite methods is one of several vulgarisms in German, Spanish or Italian. It's easy to remember, and when the capitalization is off by a couple of characters, it's difficult to crack.
Posted by blacksmith@...
30th Jul 2009
+2
Votes
RE: How to avoid the '500 worst passwords of all time'
Your Sarah Palin example doesn't work. It wasn't the strength of the password used, it was Yahoo's crazy password reset process. No website should make it so easy to access that information.
Posted by HarryBeard
30th Jul 2009
+3
Votes
RE: How to avoid the '500 worst passwords of all time'
Roboform may well be great. But I'm a tightwad. I use the free KeePass and it works very well for me.
Posted by Olden D. Kreppit
30th Jul 2009
+5
Votes
1Password for MacOS X
I originally used Gator until it became annoyingware, then switched to
RoboForm, however, there's no RoboForm for Mac, so I was pretty
happy when 1Password for MacOS X arrived.
Posted by techrepublic@...
30th Jul 2009
+2
Votes
RE: How to avoid the '500 worst passwords of all time'
I looked at the list of PWs and I thought that 1q2w3e4r5t6y would have made it up there. But oh well.
But going on how to avoid passwords. Try to think of the two most random things and stick them together.
EX: tvtree, windowbag, phonestick, etc
Also another thing is to add random #s and Caps inside of it.
EX: TvtReE, wiNd0WBag, pH0NEsT1ck, etc
One more thing is to spell them in a different way.
EX: tveetrie, whinndoowbaag, foonstiic, etc
So all together and you got a hard password.
Posted by HungMob
30th Jul 2009
+3
Votes
RE: How to avoid the '500 worst passwords of all time'
30 passwords? 50 passwords? monthly changes? Independently from my different 'identities/user names' (yahoo!, google, msn, work, ...), I have only 3 different passwords. The 1st one is 'private-private': personal email, amazon, paypal, banks. The 2nd one is 'private-professional': it is used on my company's network, and can be reset by the network administrator. The last one is 'default public password', very useful for all these sites where subscription is mandatory. I would give the 3rd one to everybody close to me, from my children to my assistant. The second one does not need to be given to anybody, as it can be reset. The 1st one is written down on a piece of paper, sealed in an envelope, to be opened after I am dead ...
Posted by pgrondier
30th Jul 2009
+4
Votes
RE: How to avoid the '500 worst passwords of all time'
I just came up with an algorithm that utilizes the name of the website requiring a password. For example, for this site, I'd use smartxxx99, where the xxx99 is the same for every website. For CBS.com, the password would be cbsxxx99. I just don't share the xxx99 with anyone so it is easy to remember 100's of passwords without having to pay for software like Roboform.
Posted by MarkH1981
30th Jul 2009
-1
Votes
RE: How to avoid the '500 worst passwords of all time'
I can't believe they forgot "iamgod"
every sysadmin knows that one...
every sysadmin knows that one...
Posted by dave_helmut
30th Jul 2009
+1
Vote
RE: How to avoid the '500 worst passwords of all time'
Roboform may be very good; I wouldn't know as I have never tried it, but I suggest you do consider the free and open source password manager KeePass Password Safe. I use it to manage dozens of passwords: http://keepass.info/
and have found it to be excellent.
"What is KeePass?
Today you need to remember many passwords. You need a password for the Windows network logon, your e-mail account, your homepage's FTP password, online passwords (like website member account), etc. etc. etc. The list is endless. Also, you should use different passwords for each account. Because if you use only one password everywhere and someone gets this password you have a problem... A serious problem. The thief would have access to your e-mail account, homepage, etc. Unimaginable.
KeePass is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish). For more information, see the features page. " BRgds, Peter
Posted by PeterPilot
30th Jul 2009
+2
Votes
RE: How to avoid the '500 worst passwords of all time'
I always use an easy to remember sentence, then substitute numbers for one set of the letters.
I might sub 1 for all the "I"s, 0 for "O", 5 for "S" and similar. I like working the word "ate" into it, subbing the singular 8 for the whole word.
I write the sentences out as you would normally, including punctuation. This helps people remember where any capital letters are, at the start and in any proper nouns.
Examples:
Y0u f0rg0t the passw0rd already!?
Who 8 all the 1cecream?
Plea5e don't abu5e thi5 5erver.
If spaces are not allowed I simply eliminate them.
I've yet to have anyone forget their password/phrase. Most of them are wireless keys btw. I'll make a much shorter statement for windows user passwords, for eg:
B0nny r0ck5!
If you make the phrase appropriate to the user (or deployment) you don't have to write it down, just the nature of the substitution(s): o - 0, s - 5 for the above example.
Posted by pgit
31st Jul 2009
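A site-side check for two of the schemes described in the posts above (MarkH1981's site name plus a fixed suffix, and the digit-for-letter substitution pgit describes), as an added example that is not part of the original thread. The denylist is a small constructed sample, `example.com` is a placeholder, and `site_label`, `candidate_forms` and `check_password` are hypothetical names.

```python
import re

# Constructed sample denylist (the article's 500-entry list is not on this page).
# "iamgod" and "1q2w3e4r5t6y" are the two candidates quoted in the thread.
DENYLIST = {"password", "letmein", "qwerty", "iamgod", "1q2w3e4r5t6y"}

# Undo digit/symbol-for-letter swaps such as 0 for O, 1 for I, 5 for S.
LEET = str.maketrans("013457@$", "oieastas")


def site_label(hostname):
    """Naive site name: the label left of the TLD ('cbs' for 'www.cbs.com')."""
    labels = hostname.lower().strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def candidate_forms(password):
    """Return the lowercase variants that get compared against the lists."""
    lowered = password.lower()
    trimmed = re.sub(r"[^a-z]+$", "", lowered)  # drop a trailing "99" or "!"
    forms = {re.sub(r"[^a-z0-9]", "", lowered)}
    for text in (lowered, trimmed):
        forms.add(re.sub(r"[^a-z]", "", text.translate(LEET)))
    forms.discard("")
    return forms


def check_password(password, hostname):
    """List the reasons a new password should be rejected (empty list = accepted)."""
    findings = []
    forms = candidate_forms(password)
    label = site_label(hostname)
    if len(label) >= 3 and any(label in form for form in forms):
        findings.append("contains site name")
    if forms & DENYLIST:
        findings.append("denylisted")
    return findings


if __name__ == "__main__":
    # Constructed sample inputs; example.com is a placeholder site.
    for pw, host in [("cbsxxx99", "CBS.com"), ("Ex4mpl3xxx99", "example.com"),
                     ("Passw0rd!", "example.com"), ("iD3#mR-TeD", "example.com")]:
        print(pw, host, check_password(pw, host))
```

The check only covers these two patterns; it says nothing about length or reuse across sites.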
+1
Vote
RE: How to avoid the '500 worst passwords of all time'
One system admin I knew was into trivia. He liked to use passwords that reminded him of things. Such as 56HDW63 being the years' reign of some famous person.
Something I do (I'm also a system admin) is keep lists. But even my lists, or password manager programs, don't actually list the password itself. On some sites involving giving them an account or credit card it will say "money" which is NOT the password but only a reminder that I used my really hard to figure out money password there. On other sites that I happen across and am not sure I will ever come back to, it will say "password" which is NOT the password but will tell me I used my junky default password there. No offense but this site was one of those and I was real surprised that I was able to login.
ANY storage list of passwords is still keeping a list where it can be snagged from you. I would recommend using this trick to remind yourself without actually writing the password.
OH and on those security questions, I have complete sets of answers that I use which do not match my real answers.
Posted by GP1628
31st Jul 2009
+1
Vote
RE: How to avoid the '500 worst passwords of all time'
A very good and FREE {open source} solution is KeePass. It allows for storage and creation of passwords as many bits long as you need. Key generation is customizable as well. It's all stored in a very secure database. You set the size, type of encryption, etc. They have versions for every major OS including BlackBerry, Windows Mobile and many others. The new version allows for you to host the file on a secure site and divvy out access to it. You can use a password, a key file or both to get in. One of the nifty features is the auto type feature and a scripting feature. It allows for password entry as well as many other tasks to be recorded or scripted. So easy a cave man could do it.
Posted by heroshima
31st Jul 2009
+2
Votes
RE: How to avoid the '500 worst passwords of all time'
Great article, John.
I use LastPass plugin for Firefox to remember my hundreds of passwords. As far as creating passwords, I've written several articles on the topic. One good method is simply to come up with a meaningful phrase and then convert it to a string of characters. Here's one: I drive 33 miles round-trip each day. (Notice I included numbers and a dash.) That could become id33mr-ted. Make some of the characters uppercase: iD3#mR-TeD (I made every other character uppercase - easy to remember). You get the idea.
You can check out one of my main articles "How to Write Down Your Passwords and Not Worry About Anyone Stealing Them" at http://bit.ly/106ha9 .
Posted by kenharthun
31st Jul 2009
+1
Vote
"passwords are teh suck"
Security in its current forms is inherently user unfriendly, and as such, will be
implemented badly by most people. Passwords and secrecy in general are direct
reactions to conflict and anonymity. If anonymity can be lessened and the incentive for
attack can be removed - friendlier forms of gatekeeping can finally be utilized.
Posted by Htalk
31st Jul 2009
+1
Vote
RE: How to avoid the '500 worst passwords of all time'
I can't get to the 500 items.
The server times out.
dmaesc
Posted by michel@...
31st Jul 2009
+1
Vote
RE: How to avoid the '500 worst passwords of all time'
Yep everyone wants to know if their password is on the list. I couldn't get in either.
I've used PasswordWiz and was happy with it, but it doesn't work on several of the new sites using Flash. I've not counted my passwords but it long ago surpassed the century mark so I need help and want the convenience of a pw manager. Some have suggested "systems" which work as long as no one wants to crack them. The most secure is random character sets and the longer the better.
Having managed the admins for some very large secure networks I've been amazed at the nonchalant use of passwords by top management as well as admins. As a consultant I've entered systems simply by extending the systematic password patterns given to users.
On top secret sites we have used external key generators, but that is more than most people want to use. The best thing about passwords is that it keeps nosey people out of your space.
Posted by rblough@...
31st Jul 2009
+1
Vote
RE: How to avoid the '500 worst passwords of all time'
I disagree with the author if by saying a good password is "easily
recalled by its owner" he means "easily remembered". A good (i.e.,
"strong") password should be a random string of upper and lowercase
letters, numbers, symbols, and punctuation marks. Most people can't
remember multiple such passwords. But there are tools that can help
them, such as desktop password software (1Password, Keepass,
PasswordSafe, SignUpShield, Roboform, etc.), USB password drives
(IronKey, ID Vault, etc.), and standalone devices (Atek Logio Secure
Password Organizer, Mandylion, etc.). If by "easily recalled" the author
meant by the use of a tool such as these, then I agree...of course.
Posted by Techhasitslimits
31st Jul 2009
+1
Vote
Proof-reading would be nice
I wouldn't mind the occasional grammatical, orthographical, lexical or other mistakes, but 6.5 in such a short article tops it. I'm not a native speaker, but would say my English is good enough to spot these. A bit more journalistic care would be good. Elsewhere I saw those it's/its, their/they're again...
[ ] meaning that was missing, { } meaning that was too much.
1) Number 496 is a "mistress" although I don't [know] if the owners...
2) ...about 50% of passwords are passwords [that] are "based on names of a family member...
3) I have far to[o] many for that..
4) He also avoid passwords hints such as boyhood dog...
5) I tried {a} something called a secure login called vidoop... -- nice doubling up
6) Some of the advice is {is} obvious, but worth repeating.
I said 6.5 mistakes above, because I'm not 100% sure about this one:
6.5) ...although I don't if the owners lean toward kept women or...
Posted by invenio
2nd Aug 2009
+1
Vote
RE: How to avoid the '500 worst passwords of all time'
Invenio,
I believed ALL the dropped words and typos are fixed....fixed them several days ago.
--JD
Posted by John Dodge
5th Aug 2009
-1
Votes
RE: How to avoid the '500 worst passwords of all time'
Sounds like overheated paranoia to me
Posted by poyeezed
6th Aug 2009
+1
Vote
RE: How to avoid the '500 worst passwords of all time'
I have used AnyPass Pro for several years for all my contact info: passwords, telephone numbers, etc. I have [probably] 150 passwords. The software can be password protected, so I feel reasonably safe. In addition to my computer, the software can be run on a flash drive without any special tricks needed.
For a password, I usually use two words with a numeral between them, and I change every password annually - as I encounter it after the new year. I usually use a string of 7-9 characters in a password. Sometimes, I use the "=" or "+" or another symbol as well as a numeral.
I also have a collection of logon IDs that I use, switching them around irregularly. I keep a list of these logons in AnyPass, so that I don't repeat a logon closer than three years. I make sure to never use a logon as a password [or vice versa].
Posted by stevebon
6th Aug 2009