Password chaos

I’ve run across this on overzealous security. It’s practically begging people to commit that most cardinal of I.T. sins: writing the password on a Post-It stuck to the side of their screen.

[quote=“Dag_Otto, post:39, topic:922029, full:true”]
In order to make that comparison, wouldn’t that mean that the passwords were being stored as plain text somewhere?[/quote]
Not necessarily, although there does have to be a way for the system to decrypt the encrypted password when the user attempts to change it. Also, obviously, the newly-entered password has to be in plain text in memory while the search against the dictionary for words is performed.

I made up a similar mnemonic for this combination lock I purchased something like 30 years ago. About 5 years ago I needed a lock, found this old one and actually remembered the combination.

Except maybe I really didn’t - I wasn’t sure about one number. Imagine your friend 30 years later staring at her register thinking “When my husband was 39 he could fuck like he was…23?” But it was close enough. I still have no idea if the last digit is 29 or 30, but I jiggle the dial a little at the end and it works.

I have this one online account that I set up a LONG time ago. The password is ridiculously short and simple, and they’ve never made me reset it. Sometimes I think I should change it because security, then I think that no one would ever guess that anyone could get away with a password like that, so I never changed it.

I saw a 12-key PIN pad attached to the wall at a supermarket. Not entirely obvious what lock or access it controlled. But four of the keys had the numbers printed on them entirely rubbed off. Gee, can you guess which of the 10 digits the password might contain?

The new NIST standard is to use long, strong passwords which never expire and are only changed if a hack or suspected hack occurs. Unfortunately most organizations have been slow to move to the new standard.
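Two points raised above, whether a dictionary check at password-change time requires storing passwords in the clear (post quoting Dag_Otto) and what a NIST-style policy looks like (length and a blocklist, no expiry or composition rules), can be shown together. This is an added example, not code from any poster or system in the thread; it assumes a PBKDF2 hash and a small constructed blocklist standing in for a real breached-password list.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple, List

# Constructed stand-in for a blocklist of common/breached words; a real
# deployment would load a large corpus.
COMMON_WORDS = {"password", "welcome", "letmein", "summer", "qwerty"}
MIN_LENGTH = 8
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). Only this pair is stored; the password itself never is."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Check a candidate by re-hashing with the stored salt; nothing is decrypted."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def policy_errors(new_password: str) -> List[str]:
    """SP 800-63B-style checks on the plaintext, which exists only in memory here."""
    errors = []
    if len(new_password) < MIN_LENGTH:
        errors.append("too short")
    lowered = new_password.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            errors.append(f"contains common word '{word}'")
    return errors


def change_password(store: dict, old_password: str, new_password: str) -> List[str]:
    """Replace the stored hash if the old password verifies and the new one passes policy.

    Returns a list of problems; an empty list means the change was applied.
    Spaces in a passphrase are just bytes to the hash, so they cause no trouble.
    """
    if not verify_password(old_password, store["salt"], store["digest"]):
        return ["old password incorrect"]
    errors = policy_errors(new_password)
    if errors:
        return errors
    store["salt"], store["digest"] = hash_password(new_password)
    return []
```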

I’ve seen a lot of similar ones all over our system. Thousands and thousands of cipherlocks, both mechanical and electronic, of every imaginable manufacturer & vintage. Most with the numbers worn off just a fraction of the buttons.

Then there are the new-fangled ones which have a 12-pad that’s completely blank. You need to know to push the LLC or LRC button (depending on some secret formula nobody can decipher) and the thing makes like a gameshow shuffling the deck, then stops to display the 10 digits, [backspace], and [enter] at random on the various buttons. With optics to prevent off-angle shoulder surfing, so you have to stick your face directly in front of it to see what’s where. Which is extra easy when it’s mounted at hip height to comply with ADA accessibility requirements. Then you keystroke the magic code and [Enter]. Better hurry; the screen blanks and the system resets after about 5 seconds with no keystroke.

Great fun when there’s 12 of you in line and the no-piggy-backing police are out in force.

The best ones are where the ADA-compliant hip-height buttons open a door that lets you into a stairwell landing and nothing else. Good luck getting your wheelchair up those.

Yeah - one of the passwords I have to change every 3 months is like that. I’m up to something like 70 or so. Kinda puts a limit to how much longer I can work for them :)

Another password is for our email program. I CANNOT use a password vault to fill that as it does not let me paste the password in from the vault. That’s probably the single worst one to deal with as a result. Luckily, I only need to fill it in when I reboot the computer. So I look it up in the vault and retype it. Sure would be easier if I could copy and paste, though.

Then there was the time when we were told that our Windows password - which had to be updated every 3 months - had to be 14+ characters “to encourage using a passphrase”.

So I changed it to a phrase - “mackdonna shoehorn butterhorse” or whatever. The next morning I was able to log in. The next AFTERNOON, however, I was not. The damn thing had quit recognizing the passphrase.

I called tech support. They said I was not the first person to call with this problem. I wound up having to ship the laptop off to a location in another state to get hacked and unlocked. This process took over a week as the mailroom put the wrong street number on the shipping label. Argh.

Thank goodness I still had my old company laptop or I’d have lost a week of billable time due to following corporate security guidance. The theory was that the space in the passphrase confused the system.

Those of you who have had issues with the password vault manager not recognizing your phrase: Try writing it down somewhere, at least initially, until you are sure you’ve got it memorized. If you do things like leet-ifying a phrase (“m@ckDonn@ sh0ehorn bu!!erhorse”) it can be easy to forget which substitutions you’ve made. It will often take me a couple of tries to get mine right.

Such behavior has prompted me to install one of my favorite Firefox addons:
Don’t F with paste, but the addon itself just goes ahead and uses the word, because F that.

On at least one of the mechanical door locks I used to get into a server room, it didn’t even matter which order the buttons were pressed in, so just press the worn buttons, and the door opens. That particular lock used black buttons with the labels next to them, so it wasn’t as easy to tell which were the four magic buttons. I was told the code was something like 0593. In my head I remembered it as 3c509, which is probably meaningful to some of the people in this thread.

Hah - though that would not work for my email program; it’s not browser-based. There IS a browser version but that one a) uses our regular intranet password, so no issues, and b) has crappy support for things like popups / meeting notices - so I put up with the standalone client.

This is probably my absolute favorite anti-pattern for security. It all but demands I use only a trivial password.

For passwords that I HAVE to remember (like my password manager for work), I like to combine band names. 90’s bands are great for this.

Silverchair-Nudeswirl-Hammerbox (not a real password)

For everything else, I generate a password with my password manager. For those passwords that also require a number, I add the time I generated the password.

I log into my home PC, work PC, and work laptop with Windows Hello. This also works with my password managers.