& make sure you don't write that password down

My password expired today; I needed to set a new one. Below are the guidelines I got in the reset screen:
- Number of characters check: have exactly 8 characters
- Mixed case check: have upper and lower case characters
- Maximum upper-case check: not have more than 6 upper-case letter(s) <this is redundant because of bullets 1, 2, & 5>
- Maximum lower-case check: not have more than 6 lower-case letter(s) <this is redundant because of bullets 1, 2, & 5>
- Minimum digits check: have at least 1 digit
- Old password check: not be an old password
- Non-alphanumeric character check: have at least 1 of the following non-alphanumeric characters: _, _ <characters deleted>
- Non-login ID check: not contain 3 or more consecutive characters from a selected login ID
- Non-name check: not contain 3 or more consecutive characters of first or last name
- Common password check: not contain words or combinations of characters easily guessed
Of course, they don’t give you that list of restrictions until you go into the password change screen. I knew it had to be exactly 8 characters & that it was a mix of upper & lower case letters & have a number in it. I had made up a new password based on the restrictions that I knew. What I didn’t know is that they are choosing one of those 8 characters for me, which means that I effectively have a 7-character password. So I essentially needed to change my password on the fly to something that I’ll remember, because of course, you should never write it down where someone could find it. :smack:
Is it so tough to give you the rules in advance when they send you the warning about it expiring soon?
The final kicker is that I need to reboot to keep access to my system even though I just logged in. :mad:

Into Chemistry?

H#1Hydrogen
C#6Carbon
Pu#94Plutonium

Get the gist? Sign, atomic number, name.

While I don’t personally use this formula (I use a different one), I’m giving it as an example of a way that you can create a common pattern that satisfies most password requirements, is relatively easy to remember but offers enough opportunities to not be easily guessed.

And gosh, how do you remember the password?

Simple: Write “carbon” on a sticky at your desk if you use C#6Carbon. The word alone won’t work unless someone knows the pattern you use, but it will be enough to remind you of what it is.

Except for the whole “precisely 8 characters” restriction, which is entirely inane.

And also the required system generated character. Seriously? The fuck?

That actually seems to reduce overall security. What if I wanna use a 9-character p/w? That’s BETTER, dammit.

Or stick a picture of a diamond on your desk. That’s made of carbon. Or strategically position a graphite pencil somewhere visible.

Oxygen? Picture of SCUBA divers.
Radium? Photo of Marie Curie.
Uranium? Map of Hiroshima.
Aluminum? Photo of the Washington Monument (the cap is made of aluminum).
Silicon? A computer chip. I don’t know, yank a 486 chip off an old motherboard or something.
Nickel? A nickel (US 5 cent coin).
Calcium? A bottle of Tums (the active ingredient is Calcium Carbonate).
Iodine? Bottle of iodine antiseptic.
Selenium? Bottle of Head & Shoulders shampoo (the active ingredient is Selenium Sulfide).
Iron? A horseshoe.

What if your dog’s name isn’t 8 letters long?:confused:

Change your dog’s name, of course.
Duh!

I once tried to make an account at StackExchange. It had similar restrictions but only informed me of them one by one. :smack: (That is, it complained I had no digits and, only after trying a new password, complained that I had no special characters, and so on and so on.)

HotMail has similar restrictions now; I used aA1!aA1! as my password there for a recent throwaway account, and may make it my default.

I find passwords annoying. In the case where security is very important – bank accounts – U.S. institutions often do not bother even to thwart sniffing with the simple challenge-response security that U.K. banks use. On the other hand, pointless message boards get a kick out of enforcing anal-retentive constraints.

When I signed up for StraightDope, simple all lower-case passwords were allowed and I used my simple default throwaway password. If anyone wants to guess it, post in my name, and make Dopers think I’m an asshole, go ahead! (I don’t think it will change anything. :o )

Start an animal shelter.

FidoIs#1

Let me know after you changed to that.

I’ve used planets as rotating passwords

1$Mercur
2$$Venus
3$$Earth

just use enough $s to make it 8 characters or truncate the names of longer planets.

Or, just go ahead and DO write it down and keep it in your wallet with some cryptic clue chosen by yourself as to what it’s for. How likely is someone to pinch your wallet and pay attention to a purple PostIt reading “ClA1 of the one that pulls BS to comply: Wh_13AlQ” ?

Plus, whoever wrote those password requirements should be put to the test as to whether THEY can comply with it in every field of their lives.

We are just starting this at work. Similar to the OP’s requirements except the bizarre must be 8 chars long (why not longer???), and the system generated crap. That truly sucks.

Choose a song you like and a verse in the song. Use the first letter of each word in the verse. Capitalize the first letter and put a 1! on the end.

Mercury? A picture of the Mad Hatter (optional: with your boss’ or IT chief’s face).

At one point, I worked as a temp doing insurance verification for a medical equipment company. At the site we verified Medicare on, you needed a password that (in addition to all the above restrictions, save length) required:
-that the numbers and special characters be neither first nor last in the password, and
-that no more than two sequential letters be in the same order they would actually appear in a word.
This essentially guaranteed that you’d have to write the password down.

Wouldn’t be any good for my work account. No dictionary words allowed within the password. I’d have to do something like C#6C4rb0n

In general, I’m not too worried about complicated password requirements, because i use LastPass, and get it to generate long, complicated passwords for me. I couldn’t tell you the password for any of my really important sites (banking, utilities, online purchases, memberships, etc.). I just have to remember one really secure password for LastPass. Then i log in to LastPass, and have it fill the fields for me.

That system breaks down, though, for things like my work password, because i need the password to log into the computer itself, meaning that i can’t use LastPass. So i’m left with a choice between a password that is easy enough to remember, or one that is so hard that i’ll probably need to write it down.

I have managed to construct some nice long, complicated passwords that i can also remember, but that’s only a temporary solution because of how frequently we have to change the damn things. I sometimes wonder whether the people who make these requirements actually think about the implications of the restrictions they impose.

Uh, what? I’m yet to see a bank login that wasn’t conducted over HTTPS.

Don’t all these rules actually reduce the search space for brute-forcing the password? I can’t think of a reason to make a password be EXACTLY 8 characters.

My password must be baseball!