Password burnout

I have one that I use for everything. I keep it totally secret, and it’s completely unguessable.

Except for the system log-in at work. I have to change it every 30 days. I can’t re-use passwords on that one, so I’m constantly making up new stupid passwords. I have a theme and pick a new word that fits that theme every month. Made up example: science fiction. So, one month, it might be “picard,” the next month “starwars,” the next month “shatner,” whatever. So far, it’s working well. There are pretty much limitless possibilities with my theme.

Let me count:

Two for Web stuff
Bank card
Work network login
Work Lotus Notes
Work job-tracking software
Work vmail
Work Website access
Work pay-stub info

That’s 9 I control. Then there are more at work I use all the time but don’t control:

Helpdesk vmail
Helpdesk system status message on vmail
Helpdesk reset script, and the special section within it
Student Novell password database
Remote-control program to take over a user’s screen
Generic-user account for staff who don’t have Novell accounts yet

That’s 7 more, unless I missed something, so 16 that are more or less fresh.

Finally, there are four or five more I don’t use often and usually need to look up.

We have users who can’t cope with the three or four basic ones, so they want to set them all the same. Unfortunately, a couple are numeric, and one requires a mix of letters and other characters, but at least they can get down to two.

I have hit upon a method for dealing with forced password changes at work that seems to work pretty well. I have to change my network login every 3 months, so I have a short (2-5 characters) nonsense word followed by the month/year that I have to change it next. For example, if I changed passwords today, my new pw would be snzx0404 and the old one was snzx0104. The password never repeats, and I never have to memorize a new one. For not so critical passwords, that don’t change, I just use the nonsense word alone. It seems to work for me.

Yes! I reached password burnout a long time ago. It’s getting so I can’t remember my phone number. :wink: I was just trying to list out all the crap I need for work & I hadn’t realized how bad it has gotten.

Windows login…in windows I have:
Iris login – ticketing system
Titan login
Yahoo messenger login
Wavestar Gui login – Lucent software
SNMS login – more Lucent crap
Artis login – A records database
Xpercom – Another records database
Unix login…in Unix I have:
Fujitsu login
Netcool login – A network monitoring system
SNC 2000 – Yet more Lucent crap
React login – A remote T1 testing system
Nortel login

Plus my phone and 4 more logins when I’m forced to run security too.

That’s just for work, I got more at home. If I didn’t use variations on a few basic non-guessable words, I’d be doomed.

eve - VenusProbe - Q.N. Jones thanks.

You have confirmed my theory that if you force people to keep changing passwords they degenerate to generic crap and will probably be written on post-its stuck under the keyboard. It happened here with the phone system.

BTW Q.N. all the SciFi stuff is bound to be in any cracking dictionary, but you knew that.

Pick a word you will remember. Let’s say PIRATE
Now let’s say the site you are at is amazon.com
Interweave the letters of the site into your word until you run out of room. This is now your password:
PaImRaAzToE

Or just use RoboForm http://roboform.com/

The ones that really give me trouble are when I put my login in an autoscript, and after a while I no longer have a clue of what was the password since I never get to use it. That’s a pain. So are the change-every-month, non-reusable pwds – often implemented in places where it’s total overkill.

Generally speaking, I try to associate login names with password patterns – e.g. if my UserID includes a particular root word or initials, the password uses a permutation of a fixed set of other root “words” (alphanumeric sequences, really) that are meaningful TO ME. If the site does not give me the choice of my own name and pwd I seriously reconsider if I really need to work/shop there.

Having bought a Palm Tungsten|E recently (yay for fun practical toys), I am copying everything onto a “private” memo file with its own relatively-easy-for-me-and-my-trusted-associates password. However I’d rather avoid becoming too dependent on it.

Oddly enough, over dinner last night my wife complained of password burnout–hours after I had replied to this thread. She isn’t too thrilled with computers to begin with–she’s an artist–and couldn’t remember a password for some airline site she had joined months ago. Since she couldn’t remember the damn thing, I think she booked on another airline–take that password nazis!

How ironic. I click “reply” and the hamsters decide to forget who I am and make me enter my name and password. :smack:

And now for the other side of the topic…

I’ve got too many passwords! wah wah wah! I have to change my passwords! boo hoo hoo! How do you think it feels to be someone who administers passwords? At work, I stopped counting after 50 passwords.

Fifty passwords?? Ugh. Yep.

I do on-call support, so if someone pages at an inconvenient time (There seems to be a shift change at 3AM) because they goofed their Unix password, I normally have to go through:

***** Cell phone key unlock code to call the luser
***** Laptop power-on password
***** Windows / LAN password
***** Remote access transport password
***** Remote access login password
***** Remote access PIN for token (device changes a 6-digit number every 60 seconds)
***** Unix virtual workstation password (turns my laptop into an X Terminal)
***** PIN for Unix access token
***** PIN for Unix token administration system
***** And on occasion, one of 14 Unix “hostgroup” root passwords. (logical groupings of our 400 or so servers)

How do I keep track of it all? A variety of encrypted databases, obscured lists and memory.

I have about half a dozen I suppose of different security levels. Plus I don’t know how many four digit PINs of various kinds. And then variations on these for those situations where passwords are required to be changed regularly. For those I keep the same basic “word” but shift one or both of my hands on the keyboard. I have three or four positions that I cycle. Keeps the nonsense look, introduces non alphabetic characters and works like a charm.

I have one password and one PIN that I’ve used for going on twenty years now.

In some cases I have to append ‘99’ at the end for those sites that require letters and numbers.

I’ve not had my identity stolen (that I am aware of).

I am down to 10 passwords and I am damned happy about it.

When I worked at AOL in the NOC I had about 30 passwords to remember. That wouldn’t be too bad except this. Each password had to be changed weekly. Each password, when changed, had to be unique. In other words you couldn’t just change a number on the end or something similar. So I had to keep track of 30 some odd passwords that changed weekly. Then to make things a little more fun they added SecurID. SecurID is a little key chain thingy that you carry around with you. The SecurID keychain has a window that displays a 10 (I think it is 10, it might be 12) digit number that changes every few minutes. IIRC, the number changed based upon a signal sent from a satellite. Anyway, once you logged in with your password you had to type in the number on the SecurID fob. Once that was done you could actually log in. We tried to track the SecurID numbers to see if we could hack it but we never got anywhere, mainly due to a lack of time. The SecurID numbers change pretty quickly, like every 3 minutes or so IIRC.

I miss working at AOL but I DO NOT miss living in password hell.

I like Opal’s system, I’ll have to try it. I tend to rotate among 3 or 4 favorites for all sites and applications. I was a bit embarrassed when at work I had to tell my IT support person what my password was. At the time it was “dog poop”

For important things, I have three meaningless alphanumeric codes that I use as passwords. For less important things, especially website user accounts, I have a standard password that I append the website’s URL to the end of. For example, XXXXyahoo, XXXXsdmb, etc.

Oh god I remember when they started using those! My husband was working for them (Digital Cities actually, at that time) and that thing was such a pain in the ass!

Munch, I think you were right with your initial estimate of flash drive cost. My MIL has a tax prep business, and she was talking about the nuisance of transferring files from home to work and back (she has an office, but works at home as well). I suggested a flash drive, and helped her find one when we were there over the holidays.

At Office Max, they had a 64MB flash drive for $30, which had a special of the week rebate for $20, making it $10. At that price, she decided she might as well try it.

Now if you want 256M or 512M flash drives, then the price goes up pretty fast. But for passwords? Sure, get whatever size is under $10.

Back to the topic:
I’ve got one basic password for non-secure sites – like message boards. I have a different one for slightly more secure places – like my e-mail account. Each of my financial accounts that I can get to online (like, to pay the electric bill) has a slightly different password on a similar theme. At work, they make us change the password periodically. I have four passwords that I cycle through. Each started as a nonsense word that my son used when he was learning to talk (over a decade ago), that incorporates a number (whether it’s “1” for “L”, or has “one” in it, or whatever) – and I cycle through them in numerical order. So they’re all mixed case, mixed numerals and letters; none is a dictionary word; but they’re easy to remember, and if I was forced to change recently and remember the previous one instead, I know what the current one is. I had a similar set at my previous employer, but I don’t reuse the same ones.

I use this freeware program to manage all my passwords.
Now, I only have to remember ONE password. :slight_smile:

http://www.tranglos.com/free/oubliette.html

Hrmph… I’ve got two of the infernal things, and they’re not interchangeable. Two-factor authentication is well and good (it takes something you know and something you physically have to come up with the “password”) but the dang things are fragile!

I’ve lost count of how many of my users have killed their tokens by leaving them in hot cars, putting them through the laundry or dropping them.

btw - they don’t work by satellite. They simply have an accurate internal clock and a unique “seed” value that’s used to generate pseudo-random numbers. The token authentication server has the same seed values, and it’s very important that the server has accurate time so its expectations of what number’s on a token matches what’s actually on the token. The server is adaptive - it’ll accept the value before and after the current number it’s expecting and token by token, keeps track of the variances so it can compensate for clock drift in the tokens. Works pretty well - in three years, I’ve only had to re-sync one token.
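The server-side check described in the post above (shared seed, accurate server clock, accepting the code before and after the expected one, and tracking each token's drift), as an added example that is not part of the thread. It assumes a 60-second step and uses the public RFC 4226 HMAC truncation as a stand-in for the vendor's proprietary algorithm; `TokenServer`, its replay guard and the sample seed are hypothetical.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per displayed code (assumed; the thread mentions 60 seconds)

def token_code(seed: bytes, counter: int) -> str:
    """6-digit code for one time step. RFC 4226 HMAC truncation is used as a
    stand-in; it is not the proprietary algorithm inside the real tokens."""
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    pos = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[pos:pos + 4])[0] & 0x7FFFFFFF
    return f"{value % 1_000_000:06d}"

class TokenServer:
    """Hypothetical verifier: per-token seed, learned drift, replay guard."""

    def __init__(self, window: int = 1):
        self.window = window  # steps accepted on each side of the expected one
        self.tokens = {}      # token id -> {"seed", "drift", "last"}

    def enroll(self, token_id: str, seed: bytes) -> None:
        self.tokens[token_id] = {"seed": seed, "drift": 0, "last": -1}

    def verify(self, token_id: str, code: str, server_time: int) -> bool:
        tok = self.tokens.get(token_id)
        if tok is None:
            return False
        expected = server_time // STEP + tok["drift"]
        for delta in range(-self.window, self.window + 1):
            counter = expected + delta
            if counter <= tok["last"]:
                continue  # never accept a step at or before the last one used
            if hmac.compare_digest(token_code(tok["seed"], counter), code):
                tok["drift"] += delta  # remember how far this token's clock is off
                tok["last"] = counter
                return True
        return False

if __name__ == "__main__":
    seed = b"constructed-demo-seed"            # constructed sample value
    server = TokenServer()
    server.enroll("fob-1", seed)
    now = 1_000_000                            # server clock, seconds
    fast = token_code(seed, now // STEP + 1)   # token clock one step ahead
    print(server.verify("fob-1", fast, now))   # accepted, drift learned
    print(server.verify("fob-1", fast, now))   # same code again: rejected
```

Because the learned drift shifts the expected step, a token that keeps running a little faster stays inside the one-step window on later logins, which is why re-syncs are rare.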

I use 1 pwd for all non-lethal sites such as SDMB.

The other ones I made them up with a sentence that I know I’ll remember.
Usually they ask for 8 characters so it’s gonna be:

(examples not real pwd :slight_smile: )
IamChris – me
Mydogis7 – my dog
81redvet – my car

Sure, if someone knew what my theme was, they could figure out my passwords pretty easily. It’s not SciFi.

And even if someone cracked my passwords, I don’t care, really. There are no state secrets in my work e-mail. Just a lot of boring crap.