& make sure you don't write that password down

Email this to the sysadmin.

Except for video games. My World of Warcraft account is important.

LOL!

After struggling through one of those “reveal each requirement with each password attempt” sites I ended up with a password that was something similar to WhofuckingC4RES!

I used to use Thissucks1!

A ton of stuff has it, but it’s often optional.

As someone mentioned, my WoW account has an optional authenticator on it, though my account has still been compromised TWICE with that (both times Blizzard’s fault because their incompetent GMs didn’t follow procedures).

My gmail has multi-factor authentication. I attached my phone to it; any time I log in to an unverified system or change certain account settings, I get a text and have to enter a verification code. I can choose to verify a system (like my home PC) which then skips the authentication.

My bank operates similarly to my gmail.

And as for passwords themselves, I tend to think that these password settings are missing the point. They should be easy to remember and hard for computers to brute force. I think xkcd did an awesome example of why so many of these schemes are stupid.

And for some of the schemes mentioned here, you’re making a critical mistake. You cannot use a scheme such that if someone knows one password of yours, they can guess another. Consider for a moment that if I use, say, that element password scheme everywhere, then if someone happens to get my password from an insecure site, say a random poorly secured website on the internet, it wouldn’t take much to guess what my password might be on a critical site, like my bank or email. I think the sports one I saw works pretty well because the association between the password and the memorization clues isn’t obvious.

I prefer a strategy of pass phrases. I choose a phrase that has a memorable association to whatever it is for me. So, take the SDMB as an example, something like “The Master Speaks” would be bad, since it’s something anyone familiar with the board would also have as an association, but I’m sure we all have some silly quote we remember, or a particular thread or whatever and I use that and run it through a transform akin to other methods mentioned above. For example, I can use the first letter of each word, or first couple if the phrase is too short, or even the whole thing if I’m allowed to use a really long password (I’ve had 30+ character passwords because they were easy to remember). And I generally don’t even need to make a note to remind me.

And this works because it means that even if someone happens to have one of my passwords, even if they can figure out my encoding scheme, it doesn’t help them guess another one. Someone who doesn’t know me has no way of guessing a non-obvious association, and the encoding keeps it from being easily brute forced and meets most complexity requirements, but because of the association, it’s still super easy to remember. And, yeah, I do tend to pick associations based upon how much I care about securing it. For my email, it’s like a 6 or 7 step chain that, as it occurred to me, made sense, and now it’s there, but even people I know wouldn’t figure that out, but something like a random page that requires me to log in for generic stuff will get a much simpler one, especially if I use it rarely. And ones where I could care less if anyone gets access because there’s nothing private there, I’ll just use a very generic password.
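The entropy argument in the posts above (the xkcd four-word passphrase versus a short "complex" password, and the first-letter-of-each-word transform) worked through in code. This is an added example, not code from anyone in the thread; the sample phrase and inputs are constructed, the 2048-word dictionary size is the one the xkcd comic assumes, and the function names are my own.

```python
import math
import string

# Constructed sample inputs for illustration; none of these are real passwords.
SYMBOLS = string.punctuation + " "   # 32 ASCII punctuation characters plus space


def charset_size(password):
    """Size of the character space an attacker must assume, given which
    classes (lower, upper, digit, symbol) actually appear in the password."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in SYMBOLS for c in password):
        size += len(SYMBOLS)
    return size


def brute_force_bits(password):
    """Naive strength estimate: log2 of the number of strings of this length
    over this character set. This is what complexity rules implicitly measure,
    and it assumes every character was chosen independently at random."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(num_words, dictionary_size):
    """Entropy of a passphrase built from num_words words picked uniformly at
    random from a dictionary of dictionary_size words (the xkcd model)."""
    return num_words * math.log2(dictionary_size)


def initials(phrase):
    """The 'first letter of each word' transform described in the thread."""
    return "".join(word[0] for word in phrase.split())


def effective_bits(password, generation_bits):
    """An attacker who knows how the password was generated searches the
    generation space, not the character space, so the real strength is the
    smaller of the two estimates."""
    return min(brute_force_bits(password), generation_bits)


def compare(phrase, dictionary_size=2048):
    """Naive and effective bits for the full phrase and for its initials."""
    source = wordlist_bits(len(phrase.split()), dictionary_size)
    short = initials(phrase)
    return {
        "phrase_naive": brute_force_bits(phrase),
        "phrase_effective": effective_bits(phrase, source),
        "initials_naive": brute_force_bits(short),
        "initials_effective": effective_bits(short, source),
    }


if __name__ == "__main__":
    for name, bits in compare("correct horse battery staple").items():
        print(f"{name:20s} {bits:6.1f} bits")
```

Two things fall out of running it. The character-count estimate for the full phrase (about 165 bits) badly overstates it; the phrase is only as strong as the way it was picked, 44 bits for four random words from 2048. And the initials transform is the weak option: "chbs" is four lowercase letters, under 19 bits against a straight brute-force, so the poster's "use the whole thing if I'm allowed" is the stronger choice. A memorable quote is also not four uniformly random words, so even 44 bits is an upper bound on that style.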

I use what is basically a variation of this system at work, using other numbered items easily searchable on the internet if I forget the password.

However, I’m pretty sure the security people would hate this kind of pattern if they were told about it, since knowing an old password and reading the sticky would make guessing the new password trivial.

I change my dog’s name every 30 days just to be safe. Normally I’d forget what I changed it to, but that’s why I match it to my bank account.

You think that’s bad… try working in IT in a position where you have access to multiple systems.

I can think of seven passwords that I commonly use, and I think I have a handful more logins on systems that I rarely log into, and whose passwords I’ve long forgotten.

That’s in addition to probably 15-20 passwords for various sites, devices, credit cards, banks, utility providers, game systems, etc…

I’ve ended up with a handful of “standard” passwords that I vary in ways that are predictable to me, but not necessarily to everyone else, in order to meet the varying requirements.

It wouldn’t really hurt anything to write down all your dog’s names and keep it on a slip of paper in your wallet, assuming that your dog (like most dogs) can’t read.

OK, so right after we got married & opened our checking account, the wife and I were getting signed up to access the account online (along with about a dozen others for cards, savings, power bill, etc.). After trying 4 or 5 variants of our preferred username and finding those all were taken, we got mad and just signed in as “FuckYou(xyz)”.

Later we were both at the actual branch dealing with something and the guy asked if we had online access. We didn’t remember whether we’d set it up so the guy checked for us. A couple seconds after his eyebrows popped up he asked us whether we’d had some difficulty settling on a username. :slight_smile:

I forgot my password to access my bank account online a month ago, and discovered that my bank’s password recovery system is a closed loop. Before they’ll reset your password, they want you to verify that you are who you say you are… which they do by asking you to enter your password.

:smack:

I’m really, really hoping that was just a bug in the logic of the password recovery system, and not a deliberate design choice. But either way, it doesn’t put my bank in a very flattering light. I’d be very concerned that my money isn’t safe there, if I had any.

A password that starts with Fuc4 uses the Capital and Number. So it’s a pretty good start.

To also protect from dog logins, use only the interior rows of keys, not the top and bottom rows. Dogs can’t hit the interior keys with their paws without mashing multiple buttons.

Oh, pshaw. Your dog could log in to your account, steal all your money and personal information, even steal your identity, and nobody would ever be the wiser. Cite.

ETA: If your dog is a dachshund, he could even dox you.

Ugh, my bank requires exactly 6 digits, one must be a number, no special characters or capital letters. I’ve emailed them several times asking them to increase the maximum character length but they keep replying that they believe it’s sufficiently secure. I have a 22 character password on my email, and six on my bank. :rolleyes: And that on-screen keyboard is a nightmare when I’m in a situation where I’m worried my screen may be observed while I’m entering it.

I get so used to ignoring those reminders I miss the “in 1 days” regularly, and need IT to reset me.

I used to be more diligent until after one of the many times I locked myself out right after changing my password, IT told me to write it down (instead of telling me to wait 15 minutes before using it for another application - they finally started doing that after two years, and we had all already figured it out).

Now I just let it expire and ask them to reset me.

Where would it be safer than in a system that no one can access?!

My bank asks for my user name (first and last name, no spaces or caps). Then it has one of three challenge questions: paternal grandfather’s first name and father’s middle name and “Name of first boyfriend/girlfriend;” if I were gay or a straight female they could all be the same. Next is a photo of an HP 200A audio oscillator to prove they are who they pretend to be(!), and finally my password, which happens to be, well, I won’t say. All very highly secure.

Some sites I have my user name and password in the name of my favorites. I really don’t care who hacks my gmail account.

I’ve finally given up and started, no, not keeping lists of passwords in a txt.

Keeping lists of password requirements in a fucking txt. Because some of the places I need to log into (such as several of my utilities) can’t be arsed to tell you what their requirements are, and one gives the wrong information. Hey you morons! If it has to be all-numbers, provide that hint somewhere, and if it has to be exactly 9 characters long don’t say “6 or more”.

Oh and the ones who require “special characters” but of course it’s a limited list thereof. Your webpage shouldn’t go into spasms if someone types a diacritic into a password field.

I have a government password that must be 14 characters, must have at least one capital letter, one special character and one numeral, no repeat letters and no known words, also no previously used password. I have to use a password generator and it still rejects those. Also, the password is only good for 60 days.