New Password

  • I went to log onto my account this morning, and I got an error message saying that I needed to enter my password to continue. I tried to find it and I had no luck. I tried to reach RABTECH to help, but he was nowhere to be found. So I found the instructions to change the password. I found the instructions a bit confusing, but I followed them anyway. In case I need my password in the future, I'm going to post it up here so if I need it, someone here might be so kind as to text, or email it to me. My new password is: MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento


    It really doesn't make any sense to me why I had to use such a long password, but the instructions were clear. It said that it had to be at least 8 characters long and include at least capital

    Nobody gets outta here ALIVE

    Edited once, last by Funinthesun ().

  • I know this is in jest, but thought I'd share something that could help everyone with passwords. This is going to be long, read it if you want.


    I work in IT and have for many years. It's an industry standard that people should change their passwords every 90 days or so, use both upper and lower case, numerals and special characters. Also, do not write it down, but should be something you can remember and type in easily. Different companies vary this slightly, but that's the norm.


    The problem is, when most users need to change their password, coming up with something that fits that criteria is difficult. Most people change the last character, typically a numeral, and increment it.


    For example the following password : dOn@lDd5ck123


    It's a good complex password, 12 characters long, fairly easy to remember, other than the character substitution and which ones are capitalized. However, when the user is prompted to change their password, the easiest thing for them to do is change it to dOn@lDd5ck124 and so forth. I've seen people do this as well : dOn@lDd5ck!@# and increment that special character (that is shift 1 2 3 on US keyboards), and change it to dOn@lDd5ck!@$ (shift 1 2 4).


    This is predictable though, and it's been proven, that this type of password isn't that secure, because of people's habits of changing the password.


    The example above : MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento is what we call a pass phrase, not a subset of a "password", it's easy to type, very long and just as secure (even using all lower case is fine). The reason why is because of the length. Password complexity is only there to prevent people from using a password cracker, something that will brute-force a password by trying every single iteration.


    For example : A, AA, AAA, AAAA, AAAAA, then B, BA, BAA, BAAA, BAAAA, and so forth, going through every possible password. 8 - 12 characters is the normal length suggested in today's industry, and using purely lower case, a password can be cracked in a matter of minutes or hours (depending on the hardware), so they want you to expand the character set and use upper, lower, numbers and special characters.


    Using a pass phrase that is 40+ characters long (the joke password was 52 characters), even all lower case, will take a very long time to brute-force.


    It's also pretty well known (or should be), that you shouldn't reuse your password anywhere. Especially when it comes to your money. If you have online banking, online credit card access, money market or any other type of financials online, you shouldn't use the same password on any of those that you do elsewhere.


    For example, you use the same password on every site, and let's say that TDS was hacked and all of their passwords were taken by the hackers. You used that same password at your checking account. The hackers can then login and do what they want.


    Many people may think that the odds of that happening are very low, and it couldn't happen to them, but it has happened, and continues, and it will only get worse.


    But wokka, there is no way I can remember all of my passwords, keep them unique, don't write them down and stay secure. True, it's a challenge, but there are tools out there to help you.


    I easily manage about 90 passwords for my personal use, between banks, websites (like slingshotinfo.com), computers, etc, and I have several hundred more I manage for my clients.


    I've put my trust into https://www.lastpass.com/ and have been using it for several years. There are other options out there, but I researched and decided on lastpass. You may think that if they get compromised, I'm lost, and that's true to think that. You have 1 password to remember, and it's the decryption key to get into your "password vault". Lastpass does not know my key. Now, if someone gains that key, I'm closer to being compromised, but there are additional factors. If you login to my lastpass from a new computer, it will send me an email (before you get access to my passwords) and there are two factor options available.


    Lastpass lets you generate long, secure passwords that you don't have to remember, for each site. For example, my gmail password is 60 characters long, and I don't know it. Some sites have a maximum number of characters (why, in this day and age, but they do). Some of my bank passwords only allow 15 characters, but they are complex and I don't have to remember them.


    Lastpass best works when you let it install a plugin to your browser, so as you login to a site, say this one, it will prompt you to remember the password, but, if it's the same password you used elsewhere, it will warn you, and that warning reminds me to go generate a new password and change it.


    When I sign up for a new site, I can have lastpass generate the new password and fill it in, then remember it when I login to that site in the future.


    Each time I open up my browser, I have to unlock lastpass on it, but using my 1 password that I have to remember.


    This part doesn't apply to MACAWS, but lastpass has a smart phone app, so it works on my iPhone when I need to login to a website, and uses my thumbprint or facial recognition on the phone to login instead of me putting in my decryption password. I feel quite secure with this.


    It's not perfect, but as someone that works in IT security a lot, I'm comfortable with it.


    If anyone has questions about any of this, or wants help, feel free to ask. You can PM me as well if you don't want to talk publicly or we can arrange a phone call, I'll be happy to help anyone get more secure.
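
The rotation habit described in the post above (dOn@lDd5ck123 becoming dOn@lDd5ck124, or !@# becoming !@$) can be flagged when a password is changed. This is an added example, not part of the original thread: a Python check that compares the old and new password, where the function names and the MIN_STEM threshold are assumptions made for illustration.

```python
# Added example: flag a new password that keeps the old stem and only changes
# a trailing counter. This runs at change time, when the user supplies the old
# password in clear; stored hashes cannot be compared this way.

DIGITS = "0123456789"
SHIFTED = "!@#$%^&*()"  # US-keyboard Shift+1..9,0, as in the post's "!@#" example
SHIFT_TO_DIGIT = str.maketrans(SHIFTED, "1234567890")
MIN_STEM = 4  # assumed threshold: shorter shared stems are not treated as a match


def split_counter(password):
    """Return (stem, counter). The counter is the trailing run of digits or
    shifted digits, normalised to plain digits; the stem is what precedes it."""
    i = len(password)
    while i > 0 and password[i - 1] in DIGITS + SHIFTED:
        i -= 1
    return password[:i], password[i:].translate(SHIFT_TO_DIGIT)


def rotation_finding(old, new):
    """Return a short reason if `new` is a predictable rotation of `old`,
    otherwise None."""
    old_stem, old_ctr = split_counter(old)
    new_stem, new_ctr = split_counter(new)
    # Compare stems case-insensitively so a case flip does not hide the reuse.
    if len(old_stem) < MIN_STEM or old_stem.casefold() != new_stem.casefold():
        return None
    if old_ctr == new_ctr:
        return "same stem, counter unchanged"
    if old_ctr and new_ctr:
        step = int(new_ctr) - int(old_ctr)
        return f"same stem, counter changed by {step:+d}"
    return "same stem, suffix added or removed"


if __name__ == "__main__":
    # Password pairs taken from the thread above.
    pairs = [
        ("dOn@lDd5ck123", "dOn@lDd5ck124"),
        ("dOn@lDd5ck!@#", "dOn@lDd5ck!@$"),
        ("dOn@lDd5ck123", "MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento"),
    ]
    for old, new in pairs:
        print(old, "->", new, ":", rotation_finding(old, new) or "no rotation found")
```
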

  • I also use LastPass to keep up with all my passwords because my aging brain just can't remember like it used to.

    That and as time goes on and technology keeps advancing you end up with more passwords by the day, it was getting to be too much to remember.

    And if you want to, LastPass will create passwords for you that are just a bunch of random letters, numbers and symbols that have no meaning, and it will remember them for you.

    It's hell getting old, LOL