Well, I don’t write them down, just annoying to have to come up with a new one every 90 days.
My childhood phone numbers are all easily available on the internet linked to my name. That seems like a particularly bad way to choose a password.
This is also basically untrue. The people I am trying to keep my password from are random criminal elements somewhere in the world with internet access. Basically 0 of them have access to my office or wallet. So a complicated password written down is much more secure than a simple password not written down.
Why would your childhood phone numbers be linked to your name? They would be linked to your guardians.
I suspect most password policies were created in order to give the people who create password policies something to do.
This is a problem with passwords of the form “correcthorsebatterystaple” that I’d like to start using. But I have a pretty good, memorized formula for creating complex passwords that are all different. My problem is with banks and other websites that supposedly take security seriously telling me I must only use letters and numbers and can’t use any symbols except underscore. Or worse, giving me a 12 character password limit I can’t exceed!
That’s when I resort to using “123456seven” as my password and then deleting my account as soon as I’m done. If I really need to use the site, that is. Often when I run across those restrictions, I realize I didn’t need to use that site that bad anyway and just close the tab and never look back.
Because that was the phone number you used if you wanted to call me.
Just to be clear, my childhood phone number is also linked to my parents and my sister.
Then use your parents’ number. I don’t use numbers connected to my name.
Use an easily remembered letter prefix. Do you think hackers will specifically target you?
Sure why not? I work in a telecom company. There are news reports of targeted phishing of people who work in telecom companies. These same databases that hold my childhood phone numbers also say who I work for.
But your advice was to use something from your childhood that is easily found out by anyone with an internet connection. That is crappy password advice.
If you do this, then nobody, legitimate or otherwise, can log in. A legitimate user inherently must interact with the password file in some way, because that’s how the system recognizes the user as legitimate. But no user should ever have any kind of access to the protected data before logging in.
And length alone is no protection. The only protection is a sufficient amount of randomness. You can increase your randomness by increasing your length, but there still needs to be randomness. This is one of the key points of the correcthorsebatterystaple method that a lot of people miss: The words must be chosen randomly. If you choose your favorite words, or words that make an easy-to-remember sentence, then they’re not random any more, and the system doesn’t work.
This is no help. The brute-force attacker isn’t going to try every possible password in random order. They’re going to set up their brute-force generator to generate passwords without the special characters before it generates the ones with them. So even if the site does permit them, and even if most people would be expected to have them, leaving them out will still mean your password is cracked much earlier than others’.
Back when dinosaurs still roamed the earth, phones were connected to wires that ran out of the house, onto big poles, and then ran miles and miles to the telephone company office. You couldn’t fit them in your pocket and you certainly couldn’t carry them with you (because of the wire, not the weight).
Back in those days, most people had one phone per house. The whole family shared the same phone number! Primitive, eh? If you called somebody, you’d have to say something like “Can madiscool come to the phone?” and whoever answered would go get madiscool and tell him to come to the phone.
See, I think this is exactly the misconception that Randall Munroe was trying to fight. If your password is “onefishtwofishredfishbluefish,” that’s already so difficult to brute force with today’s hardware that what you say won’t even apply. For 8-digit passwords, yes, they’ll probably try all lowercase combinations first, but by the time they get to all combinations of 29-digit passwords, they’ve long since given up and moved on.
Except that if your password is “onefishtwofishredfishbluefish”, you’ll never even get to the brute-forcing stage, because that’ll be caught by a dictionary attack.
Now, if you used eight actually random words, then you’re safe, because that’s plenty of randomness even without the special characters. But for a shorter password, the presence of those special characters could mean the difference between “practical” and “practically impossible”.
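The arithmetic behind the last few posts, as an added example that is not part of the thread: it puts numbers on the randomness point made earlier (random words carry entropy, favourite words do not), on the claim that an attacker who tries the small character set first makes permitted-but-unused symbols worthless, and on the difference between a 29-character random string and a 29-character famous phrase that sits in a phrase list. The word-list size (2048, chosen so each word is exactly 11 bits), the phrase-list size and the guessing rate are assumptions, not figures from the thread.

```python
import math

# Constructed parameters for illustration (assumptions, not figures from the thread):
WORDLIST_SIZE = 2048          # a 2048-word list gives exactly 11 bits per random word
POPULAR_PHRASES = 1_000_000   # assumed size of an attacker's list of well-known phrases
GUESSES_PER_SECOND = 1e10     # assumed offline guessing rate against a fast, unsalted hash

LOWERCASE = 26
ALPHANUMERIC = 62
PRINTABLE_ASCII = 95


def random_words_bits(num_words, wordlist_size=WORDLIST_SIZE):
    """Entropy of a passphrase whose words are drawn uniformly at random from the list."""
    return num_words * math.log2(wordlist_size)


def random_chars_bits(length, charset_size):
    """Entropy of a password whose characters are drawn uniformly from a charset."""
    return length * math.log2(charset_size)


def known_phrase_bits(list_size=POPULAR_PHRASES):
    """A famous phrase is one entry in the attacker's phrase list, whatever its length."""
    return math.log2(list_size)


def guesses_to_exhaust(length, charset_size):
    """Candidates needed to cover every string of this length over this charset."""
    return charset_size ** length


def expected_seconds(bits, rate=GUESSES_PER_SECOND):
    """Expected time to hit a uniformly random secret: half the keyspace at the given rate."""
    return (2 ** bits) / 2 / rate


def staged_attack_bound(length, charset_used, charset_permitted):
    """
    Upper bound on guesses when the attacker exhausts the smaller charset first.
    A password that only uses charset_used falls inside that first stage, so the
    larger charset the site permits does nothing for it.
    """
    if charset_used <= charset_permitted:
        return guesses_to_exhaust(length, charset_used)
    return guesses_to_exhaust(length, charset_permitted)


def compare():
    """Summarise the cases argued in the thread as a dict of bits and guess counts."""
    return {
        "4_random_words_bits": random_words_bits(4),
        "8_lowercase_random_bits": random_chars_bits(8, LOWERCASE),
        "29_lowercase_random_bits": random_chars_bits(29, LOWERCASE),
        "29_char_famous_phrase_bits": known_phrase_bits(),
        "8_lowercase_guess_bound_when_symbols_allowed": staged_attack_bound(8, LOWERCASE, PRINTABLE_ASCII),
        "8_printable_full_keyspace": guesses_to_exhaust(8, PRINTABLE_ASCII),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        if name.endswith("bits"):
            print(f"{name}: {value:.1f} bits, ~{expected_seconds(value):.3g} s expected at assumed rate")
        else:
            print(f"{name}: {value:.3g} guesses")
```

Two things worth noticing in the output: the 29-character famous phrase scores about 20 bits against a phrase list, while 29 random lowercase letters score about 136, which is what separates the two positions above; and at the assumed offline rate four random words from a 2048-word list (44 bits) fall in minutes, so the method needs more words or a slow, salted hash on the server side, not just randomness.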
I’m likely missing something obvious, but how is that 29 character string more vulnerable to a dictionary attack than any other alpha string of the same length?
Because it is a well-known phrase (from Dr. Seuss, if I am not mistaken). A dictionary attack doesn’t need to use a real English dictionary. It simply means that a list of what are assumed to be popular password choices is tested.
Ah, then that’s the bit I’m missing. I suppose it’s like someone thinking that “Galadriel69” is in some way secure.
This seems like an urban legend. Do you have any proof of this?
Your parents are connected to your name.
I’d turn off my stupid password-complexity requirement, but (on the antique system I have), it’s the only thing preventing users from using their own names as passwords.
Fortunately, I’m not in a position where I have to judge who is dumber: people who use their own name as a password, or banks that require less than 9 characters, with no spaces or special characters allowed.