How important is password strength?

I have taken to using KeePass and having it generate random passwords. For an account I really use all the time, I’ll remember the random string after using it a few times, and for others it’s no big deal to open up KeePass and get it occasionally.

My workplace requires a twelve-character password that must contain three of these four groups: lower-case, upper-case, numbers, and special characters. It has to be changed to something new every three months. My assumption is that most people just write theirs down and keep it in their desks.

My workplace requires several passwords–with different “rules” for each. And the guys at the help desk tend to forget which rules apply…

We have to wear ID badges. Mine goes in a badge holder that hangs from my neck; there’s also room for a bit of money & my ATM card. When I get a new password, I scribble it on a piece of paper & slip it into the badge holder. So it’s always available, but not visible to anyone else. (No, the ATM Number isn’t part of the package; I’ve managed to memorize that.)

Why bother with Yahoo’s SMTP servers? The world is full of SMTP servers that don’t require authentication (well, maybe not as many these days). You can get a cheap email account with SMTP service, or even set up your own SMTP server. But the spammer wants to hide his origin, and he doesn’t need your password to appear to be you.

Because mail coming from Yahoo servers is treated better than mail coming from some SMTP server operated by god knows who.

Another method for better passwords, suggested by Farhad Manjoo on Slate (link). Take a sentence that is memorable to you and use the first letters of each word as the password.

Add numbers if necessary. Pretty easy, and works for most password rules.

I know 3 people who all had their Gmail or Yahoo accounts hacked. In all 3 cases, the hacker sent out emails to everyone in their address books, with a sad story about being stuck overseas with their passport/wallet stolen. Please send money.

For sure one, and I think all three of them were using standard dictionary words with maybe a number on the end, as a password. The hackers just had a computer try over and over again, using a list of words in the dictionary.

I am puzzled by this - do you mean a justification more compelling than avoiding employee theft? Person A orders a Mercedes with the intention of using it for himself. If he has access to all the passwords in the rest of the people in the list, he can approve every step necessary in the process, collect the Merc, and no-one is there to call shenanigans. If, however, Person A knows that if a Merc comes in, someone is going to check it against the legitimate orders, and that a string of people down the line will do likewise, he won’t bother.

If there are only two people involved in the process, they get their heads together and fraudulently order two Mercs, and approve each others’.

Hence the more independent approvers who are potentially able to blow the whistle the better (from a fraud prevention perspective). It is, of course, a complete PITA to actually work within such a system, but that is the price paid for security.

Now I can’t imagine that you hadn’t figured that out. So why is having that secure audit trail not a good explanation?

No, read to the end: Nava is saying that all of those accounts have the same password, so even though it’s supposed to take five people in cooperation to buy a Mercedes (for the good reasons you point out), a single person who guessed all the passwords (since they’re all the same) could easily cheat the system.

The three out of four thing is typical of Active Directory, which is used to (among other things) authenticate users on Windows computers and computer networks. Configurable details include: length of password, whether it needs to be changed and how often, the minimum amount of time between changing passwords, and how long before you can reuse a password.

Unix/Linux systems also have password complexity requirements, but allow you to override them.
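The two technical points in this thread (the first-letter-of-each-word method from the Slate post above, and the twelve-character, three-of-four-character-class rule described as the workplace/Active Directory policy) can be put together in a few lines. The code below is an added illustration written for this page; it is not from any poster, from Slate, or from Microsoft. The policy numbers (length 12, at least 3 of the 4 classes) are the ones quoted in the thread; the sentence used as input is constructed, and `string.punctuation` is assumed to stand in for whatever the local policy counts as "special characters".

```python
import string

# Character classes used by the "three of four" style rule.
# Assumption: Python's string.punctuation approximates "special characters".
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def mnemonic_password(sentence: str, suffix: str = "") -> str:
    """Build a password from the first character of each word in a sentence
    (the method described in the Slate article), keeping case and digits,
    then append an optional suffix such as extra digits or punctuation."""
    words = sentence.split()
    letters = "".join(w[0] for w in words if w)
    return letters + suffix


def classes_present(password: str) -> set:
    """Return the names of the character classes that occur in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def meets_policy(password: str, min_length: int = 12, min_classes: int = 3) -> bool:
    """Check the thread's workplace rule: at least min_length characters and
    at least min_classes of the four classes (lower, upper, digit, special)."""
    if len(password) < min_length:
        return False
    return len(classes_present(password)) >= min_classes


def explain(password: str) -> dict:
    """Report length, classes found and the policy verdict, for a helpdesk-style
    explanation of why a candidate was rejected."""
    present = classes_present(password)
    return {
        "length": len(password),
        "classes": sorted(present),
        "ok": meets_policy(password),
    }


if __name__ == "__main__":
    # Constructed sample sentence; the digit inside it carries through.
    sentence = "My dog Rex eats 2 bowls of kibble every single morning"
    candidate = mnemonic_password(sentence)
    print(candidate, explain(candidate))          # 11 chars: fails on length
    candidate = mnemonic_password(sentence, "!")  # add one special character
    print(candidate, explain(candidate))          # 12 chars, 4 classes: passes
```

The point the check makes visible is that the rule is about composition, not memorability or guessability: a sentence-derived string that is one character short fails, while appending a single punctuation mark makes it pass, which is exactly why people fall back to writing such passwords down or reusing one string across systems.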