Do longer, more complex passwords actually increase the incidence of breaches?

As I try to log onto my bank website, and enter my username (which has to be at least 10 characters long including letters and numerals), and then my password (which has to be 10 characters including uppercase letters, lowercase letters, at least two numerals, and at least two punctuation marks, and be changed frequently, and pass a test to spot numbers just incrementing or reusing old versions), of course I have to use my password manager (which has 68 passwords in it now as well as many challenge question responses and other such stuff).
Doesn’t managing all this stuff create more opportunities to let it slip? It’s not as though the more critical ones can be managed mentally. People have to write them down, or reset them and have the new ones sent by email, or various other things. And if a password manager gets breached, to say nothing of a spreadsheet or list on paper, it’s a bunch of passwords lost.
I just wonder if anybody’s studied the question and what the result was.
If they make them so difficult to increase the number of tries a stranger needs from 10^10 to 10^20, that’s hardly eliminating many successful cases of guessing.

You absolutely need a strong password for your password manager itself. Do that, and get a quality password manager, and you’re as safe as it’s possible to be. As for the password for the manager itself, probably the most secure option is to write it down on a piece of paper that you keep in your wallet. You’re already in the habit of keeping your wallet secured, and even if it is stolen, it’s probably going to be by someone who doesn’t have access to your computer.

It’s always an issue: stronger passwords are harder to remember and thus are more likely to be written down. A password manager (I use Lastpass) is one solution.

Another is to remember that length equals strength. Use an entire sentence (with punctuation: CallmeIshmael,Moby.) and it should be easy to remember but extremely difficult to crack.

I believe that it is now accepted, and I am sure I saw this on this board, that a long nonsense password with plenty of odd characters in it is the most secure. This in spite of having to write it down on some physical medium.

People do strange things though, like an acquaintance who has good strong passwords for his financial connections and stores them all in a word document for easy access. As you say over there - go figure?

“Sorry, your password has been in use for 90 days and has expired - you must register a new one.”

roses

“Sorry, too few characters.”

pretty roses

“Sorry, you must use at least one numerical character.”

1 pretty rose

“Sorry, you cannot use blank spaces.”

1prettyrose

“Sorry, you must use at least 10 different characters.”

1fuckingprettyrose

“Sorry, you must use at least one upper case character.”

1FUCKINGprettyrose

“Sorry, you cannot use more than one upper case character consecutively.”

1FuckingPrettyRose

“Sorry, you must use no fewer than 20 total characters.”

1FuckingPrettyRoseShovedUpYourAssIfYouDon’tGiveMeAccessRightFuckingNow!

“Sorry, you cannot use punctuation.”

1FuckingPrettyRoseShovedUpYourAssIfYouDontGiveMeAccessRightFuckingNow

“Sorry, that password is already in use.”

As far as I know, nobody has copied my list of passwords - on a sheet of paper tacked to a cork board next to the PC.

As a code-slinger back in the day, I used a series of vowel progressions in a core nonsense word with various prefixes and/or suffixes. Between that and the need to be on a real terminal with a wire going into the mainframe, exposure was minimal.

A tiny Post-It had 2 or 3 letters on it - current vowel and key to and -fix. The Post-It was on the terminal.

There was a big noise about a couple who turned out to be Russian spies.

Their password was 26 characters. Yes, they wrote it down.

These were professional, deep cover spies.

Just not very bright ones…

Classic.

Well done.

Obligatory XKCD link (8 posts? You’re slipping, guys!).

I use LastPass with an incredibly strong master password, which I’ve memorized. I let LastPass handle all of the other passwords.

99.999% of stolen passwords are stolen by people thousands of miles away from your sticky with the password on it.
There was a Fresh Air around the recent list of bad passwords. The guy on it recommended two words together with some substitutions, like P(ett4R0se. That is pretty immune to a dictionary search, and easy to remember.

Terr, I’m not going to offer to have your kids, but if you need a babysitter give me a call :smiley:

I am sorry if I made it seem like the joke came from me. It has been floating around on the 'net forever, I just snagged one of the versions and reposted.

Thank you for being there when I was having problems with BOA. Will love you forevermore. :smiley:

A few years ago, I was doing some temp work for a medical company, and was assigned to insurance verification. At the time, that section of the Medicare website (and, Medicare being what most of the patients used, the main one we were supposed to use) required a password that was:

  1. at least eight (but not more than fourteen) letters long
  2. contained at least one lowercase letter, at least one uppercase letter, at least one number, and at least one symbol
  3. did not contain any consecutive upper- or lowercase letters, numbers, or symbols
  4. contained no spaces or underscores
  5. did not contain a string of two or more letters (regardless of case) that formed a word

Essentially, they guaranteed it’d be a password that you’d have to write down. I got around the word restriction by simply lapsing into Irish, which features both long words and Martian spelling; but it really drove the point home when, not two weeks later, Yahoo got hacked and lost a whole bunch of email passwords. I had been using the same password (with no capitalization, numbers, or symbols) since I started the account on Rocketmail in 1994, and it made it eighteen years without a single problem, until the damn company got hacked. Every other time I’ve had to change a password (other than when I’ve forgotten it and had to reset it, since everything requires an account now, and everyone uses stupidly complex password rules) has been when the organization in question gets itself hacked and a bunch of passwords are stolen. If you make me make a password so complicated it takes longer to type than it would to memorize War and Peace in Vietnamese, kindly extend me the courtesy of having your network security system consist of more than a narcoleptic bulldog.

Even that password isn’t very good, since dictionary searches include common substitutions. There are even more sophisticated techniques that do a good job of predicting all of the tricks that humans think are so clever.

ArsTechnica had a good article a few years back about how easily passwords can be identified from a list of 16,000 hashes (which is how passwords are stored on the server you log in to). In a nutshell, three different experts were able to get most of the passwords in less than a day, using pretty ordinary computers.

Since the whole article is rather long, here are a few quotes:

Personally, I’ve given up on remembering lots of not-very-good passwords. I use Keepass2 as my password manager, with one strong passphrase that I have to remember. Every password for accounts that I care to keep secure is completely random and as long as each website will allow.

It’s hard to believe that moderately strong passwords aren’t good enough. Is guessing somewhat complicated passwords really that big a part of all the breached accounts? Isn’t theft of lists of passwords or other ways of getting into accounts more of a problem?

Nice collision of post times. I guess it is after all.

As any good humorist will tell you, 90% of the joke is in the timing.

On the main theme, one thing that drives me nuts is that the number of symbols available is usually limited, and usually not given. So, small wonder people tend to use the bare handful of symbols which the immense majority of systems accept.

Complex passwords really are the best ones, but the catch is that the passwords that humans think are complex aren’t the ones that really are complex. As a rule of thumb, if you can explain why you chose a particular password, then it’s not actually a secure password. If it’s “it’s the first letters in this phrase”, then a password cracker might come up with that phrase. If it’s “this funny-looking pattern of keys on the keyboard”, then a cracker might try that same pattern. It really needs to be something like “I rolled dice for it”, because even if the cracker tries rolling dice, it’s not going to roll the same numbers you did.
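To put rough numbers on the points made above (that two common words with substitutions are still cheap to guess because mangling rules already try those substitutions, and that a dice-rolled passphrase is strong because nothing about it is explainable), here is an added entropy model and passphrase roller. It is not code from any poster; the word list, the 20,000-word common-word dictionary, the 7,776-entry diceware size and the guessing rate are constructed assumptions for illustration.

```python
import math
import secrets

# Constructed stand-in for a diceware list; a real five-dice list has 7776 entries.
WORDLIST = ["rose", "pretty", "shovel", "ishmael", "marble", "tundra", "quartz",
            "velvet", "anchor", "biscuit", "candle", "dagger", "ember", "falcon",
            "glacier", "harbor"]
DICEWARE_SIZE = 7776

# Substitutions that password-mangling rules routinely enumerate (assumed table).
LEET = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}


def guess_space_random(charset_size: int, length: int) -> float:
    """Uniformly random characters: each position is an independent choice."""
    return float(charset_size) ** length


def guess_space_words(dict_size: int, n_words: int) -> float:
    """n words drawn uniformly from a list of dict_size entries (diceware style)."""
    return float(dict_size) ** n_words


def guess_space_leet(words, dict_size: int = 20000) -> float:
    """Human-chosen common words plus optional substitutions (the two-words-with-
    substitutions recipe). A cracker picks each word from a common-word list and
    then tries every subset of the substitutable letters, so the substitutions add
    at most 2**k guesses, where k is the number of substitutable positions."""
    substitutable = sum(1 for w in words for ch in w.lower() if ch in LEET)
    return float(dict_size) ** len(words) * 2 ** substitutable


def bits(space: float) -> float:
    """Entropy in bits for a guess space searched uniformly."""
    return math.log2(space)


def expected_crack_days(space: float, guesses_per_second: float = 1e10) -> float:
    """Average time to hit the password: half the space at the assumed rate."""
    return space / 2 / guesses_per_second / 86400


def roll_passphrase(n_words: int, wordlist=WORDLIST) -> str:
    """'I rolled dice for it': secrets draws each word with an unpredictable index."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


if __name__ == "__main__":
    for label, space in [("two words + substitutions", guess_space_leet(["pretty", "rose"])),
                         ("10 random printable chars", guess_space_random(95, 10)),
                         ("5 diceware words", guess_space_words(DICEWARE_SIZE, 5))]:
        print(f"{label:28s} {bits(space):5.1f} bits  ~{expected_crack_days(space):.3g} days")
    print("rolled:", roll_passphrase(5))
```

The model deliberately credits the substitution recipe with only the choices a rule engine cannot skip; a cracker that does not know the exact substitution table needs somewhat more, but nowhere near the gap to the random cases.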