Long passwords

That’s awful. Only 16 characters, and in response to a social engineering type exploit.

They really should know better if they’re being paid for that.

Umm, the assignment was “a long password I can actually remember”.

dubious

Completely concur with the advice about using a password manager, along with the convenience of having passwords remembered by browsers, email clients, and whatever other apps you have that need passwords. When I look at the some hundred-odd passwords in my password manager, it astounds me that anyone can get by without one. I wouldn’t be able to remember a single one of them.

Where I differ from most is that, in my capacity as a grumpy Old Fart Set In His Ways, my password manager is a strictly local affair. I think we’ve had that discussion elsewhere and many folks need a password manager in “the cloud” so they can get at them remotely. I don’t.

I have multi-factor authentication on my important accounts, and one of the easiest things to add is biometrics, since my phone already unlocks with fingerprint or face. Unfortunately, fingerprints degrade with age, and I have to delete and re-add my fingerprints frequently - think every two to three weeks - because my phone stops recognizing me. The face recognition works pretty well in good light, as long as I’m wearing my glasses and not wearing a mask (I don’t usually try to get into important accounts when I’m in a crowded public place, so that’s not much of a problem).

When I was working, they made us change our passwords yearly, which was really no problem at all. However, we were definitely, unquestionably not allowed to share our passwords, which would have been perfectly fine, but when combined with the facts that they had cut office staff down to the bone and left us with only one person who had access to each type of records, meant that we 100% shared our passwords. If the head secretary was out, for instance, the principal was the only other person who could get into the system to request and track substitutes, and she was often out of the office before the beginning of the school day. So if no one else could use the secretary or principal’s login, we couldn’t verify or request substitutes. The same situation arose if I was out and someone wanted to enroll or withdraw a student.

Enhanced security is great, but as long as humans are involved, you have to take their frailties into account.

As a (former) software developer who has spent more than 30 years in IT, a good designer takes this into account and then a bad IT manager doesn’t put it into practice.

On my previous phone, a Samsung Galaxy S20, my daughter, then aged 6, discovered that her index finger could unlock my phone, instead of mine. I don’t particularly trust biometrics as the implementation could be shoddy. Some Android devices can be fooled by facial recognition from a photograph.

I use secure passwords. Except for my phone, which is now my children’s playground, my daughter knows more about the functionality related to picture editing, underlaying notes with images, finding apps that I never knew existed… when she gets around to sending emails I will probably change the password.

I’m fed up with passwords. I belong to the Law Society of Alberta, and every time I log in, I have to enter a new password, and have it confirmed by e-mail, etc., etc., etc. Apparently, the LSA believes we lawyers often log in, which would keep our passwords active. Like many lawyers, I don’t find the need to. Why would I, unless I’m renewing my membership or renewing my professional insurance? I don’t know how long the LSA allows passwords to be active before they expire and you must get a new one, but I wouldn’t be surprised to find that it was only two weeks.

And the new password has to be nine characters, which uses alphabet letters, upper and lower case, numbers, and symbols. I’ve said the hell with it, and now write my password on a piece of paper, which I put in my desk drawer. What can anybody do with my account, except to pay my annual membership or professional insurance fees?

In chasing more security, the LSA has made things more insecure. Which doesn’t make things correct. It just means that a bunch of lawyers like me now have their LSA logons and passwords written on a piece of paper in their desk drawer.

That’s very common, and it’s why the security labs have been arguing vehemently for everyone to get past the password model and embrace newer forms of authentication. I work in software, specifically in regulatory-compliance systems for financial institutions, and we constantly wrestle with the fact that our clients are big banks whose technical understanding is inertially locked into a mindset from thirty years ago. We show white paper after white paper from specialists, which concretely show using hard statistical analysis that a rule which seems to make a password harder to crack actually has the opposite real-world effect because of the human factor. But none of it has any impact; our clients keep insisting on their antiquated audit-quality checklists, tinkering with various superficial elements of the password policy (“instead of one special character, now we will require two! and instead of expiring the password after 60 days, we want you to expire it after 45!”) which ultimately not only don’t help but in fact make things worse, and they never take any real steps toward rethinking the whole regime.

I like to use a song lyric of a random song I heard recently.

It’s easy to remember, it’s not personal to me, and they can be fairly complex. Also, I include spaces between the words, and punctuation.

I have a relatively simple password that I use for websites like this and game sites. Anything to do with finance gets a unique complex passphrase that I write down in a book. Of course, most of the time Google remembers them for me until I clear cookies.

I’ve run into sites that don’t allow pasting the clipboard into the password prompt, apparently on the theory that making it impossible to use a password manager and difficult to use a password with any real randomness somehow improves security.

That’s why this is one of the extensions installed in all of my browsers. It’s available for Chrome, too, but the Chrome store calls it “Don’t F*** With Paste,” so I’m not going to link it, because it deserves to be written out.

Those totally light my fire too. WTF in this day and age?

I think I understand the (defective) thought process behind this. You also sometimes see the same no-paste trick applied to sites that ask for your email twice, once for real and once to confirm.

The logic IMO is to prevent the scenario where the person typos their email, then copies the typo, then pastes the defective copy. (Ctrl-A Ctrl-C Tab Ctrl-V goes by real fast). Now the two fields match, so the webpage allows the account creation with the bogus email address. The customer never notices the mistake they made before the page is gone.

Now the customer never gets the new account creation confirmation email, none of the later “important” marketing messages, and can’t log on when they next try. Despite having carefully written down the password. And the customer has no insight into why. So they either badger customer service (which costs the company a lot of money) or they stomp off in a huff from your obviously defective website (which also costs the company a lot of money).

Forcing the user to re-enter a dozen or 20 familiar-to-them keystrokes is a small price to pay to prevent all this cost and/or lost revenue. Or at least that’s what the website’s owner thinks. I think it’s bunk, but you can see how a company thinking only of themselves, not of their users, could easily go there.

The same (defective) logic applies to password creation. Making you hand-keystroke it twice enables the page to detect typos by a simple equals/not equals check. Allowing paste propagates typos and denies checking. What the idjit companies don’t realize in the case of no-paste passwords (vice emails) is the obstacle that presents to quality passwords managed by quality password managers. They’re adversely selecting themselves into a user base of only the less tech-capable and less security-conscious. Probably a net loss for them, but not one they can see.

When setting something up for the first time and being prompted to type it twice to insure against typos, it makes sense to disable paste-in for at least the second iteration. The problem is that some web sites disable paste-in for routine entry of usernames and passwords, apparently because the site designer mindlessly carried over the disable-paste-in feature from the initial setup.

Unless you are using a password manager which created a random 15 character string.

ETA: @Steve_MB two posts up.

Yeah. There is a distinction between sign-up and ordinary login. And disabling paste-in during ordinary login is totally brain-dead with zero upside for the site or the user.

But even for sign-up disabling paste-in means the nice password my manager just generated, e.g.:

n!*nxc3%Ga7ZF$3WA&Ze

has to be keystroked at least once, and maybe twice, without error while not being able to see what I’m typing. Very user-unfriendly.

Very important point about the Correct Horse Battery Staple method: You have to choose the words randomly. I’ve seen so many people who say things like “I use that method, except I improve it by picking words that form a meaningful phrase, so it’s easier to remember.” No! That makes it easier to attack, too, because it’s not hard for a computer to figure out what a meaningful phrase is. Consider how often your phone guesses what your next word is, when you’re typing on it.
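The post above makes the key point about word-list passphrases: the strength comes from uniform random selection, not from the words themselves. The following Python script is an added example (not code from the thread or from any poster) showing how a passphrase should be generated with a cryptographic RNG and how to compare the entropy of random selection against a "meaningful phrase". The word list is a constructed toy of 16 entries; the 7776-word size and the figure of about 20 likely next words in a grammatical phrase are stated assumptions used only to illustrate the arithmetic.

```python
"""Random passphrase generation and entropy comparison.

Added example, not part of the original thread.  The word list below is
a constructed toy; a real deployment would use a published list of
several thousand words (the classic Diceware lists have 7776 entries).
"""
import math
import secrets

# Constructed toy word list (assumption: a real list has thousands of entries).
TOY_WORDLIST = [
    "correct", "horse", "battery", "staple", "mule", "pustule", "elven",
    "league", "train", "lyric", "drawer", "paste", "glacier", "pumpkin",
    "orbit", "velvet",
]


def generate_passphrase(wordlist, word_count=4, separator=" "):
    """Pick `word_count` words uniformly at random with a CSPRNG.

    Each word is chosen independently via secrets.choice, so the entropy
    is exactly word_count * log2(len(wordlist)) bits.  That uniformity is
    the whole point of the Correct Horse Battery Staple scheme; picking
    words by hand to make a sentence destroys it.
    """
    if len(wordlist) < 2:
        raise ValueError("word list too small to provide any entropy")
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


def passphrase_entropy_bits(word_count, choices_per_word):
    """Entropy of a passphrase whose words are each drawn uniformly from
    `choices_per_word` equally likely options."""
    return word_count * math.log2(choices_per_word)


def expected_guesses(entropy_bits):
    """Average guesses needed by an attacker who knows the scheme and the
    word list: half the keyspace."""
    return 2 ** (entropy_bits - 1)


def compare_random_vs_meaningful(word_count=4, wordlist_size=7776,
                                 predictable_continuations=20):
    """Contrast uniform random selection with a 'meaningful phrase'.

    Illustrative assumption: once the first word is fixed, a grammatical
    phrase narrows each following word to roughly
    `predictable_continuations` likely candidates (the 'next-word guess'
    effect described in the post).  The first word is still drawn from
    the full list.  Returns (random_bits, meaningful_bits), rounded.
    """
    random_bits = passphrase_entropy_bits(word_count, wordlist_size)
    meaningful_bits = (math.log2(wordlist_size)
                       + passphrase_entropy_bits(word_count - 1,
                                                 predictable_continuations))
    return round(random_bits, 1), round(meaningful_bits, 1)


if __name__ == "__main__":
    print("toy passphrase:", generate_passphrase(TOY_WORDLIST, 4))
    print("toy entropy (bits):", round(passphrase_entropy_bits(4, len(TOY_WORDLIST)), 1))
    rnd, meaningful = compare_random_vs_meaningful()
    print(f"4 random words from 7776: {rnd} bits, "
          f"~{expected_guesses(rnd):.2e} expected guesses")
    print(f"4-word meaningful phrase (assumed 20 likely continuations): "
          f"{meaningful} bits, ~{expected_guesses(meaningful):.2e} expected guesses")
```

Under these assumptions, four uniformly random words from a 7776-word list give about 51.7 bits, while a four-word phrase that reads like a sentence drops to roughly 25.9 bits, a keyspace smaller by a factor of tens of millions. The exact figure for a "meaningful" phrase depends on the language model an attacker uses, but the direction of the effect is what matters: any structure the chooser adds is structure the guesser can exploit.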

A variant of the Correct Horse Battery Staple is to pick something that is an inside joke that is only significant to a small group of friends. TT-RPGs are great for this, in that someone says some phrase that’s random and (un?)intentionally funny, and it is forever in your mind.

One example from my group: Half Elven Big Ass League (add/modify other characters as needed to meet requirements - for example when I used this the Half was “1/2”).

The reason? The whole party was half-elven, and had to go on a mission to another town. No one in the entire party was proficient in horse riding. The phrase resulted when a guard asked who the party was 5 days later.

None of us who were there will ever forget.

Another favorite was a DM trying to figure out (different campaign) the health of mounts and beasts in the party via random rolls. All were fine except one that fumbled, and the DM says “Except for the one mule, who has some sort of flaming pustule mule disease…”

So if anyone IRL or the party ever was sick, or cursed, or diseased we described it as “Another case of flaming pustule mule disease” or FPMD.

Lots more examples, but I’m sure you get the point.

This is what I would do when I briefly was required to have a long one. Always a song lyric.

R1dingThatTra1nH1ghOnCoca1ne!