Well, I’m the guy who changes the passwords here and I only get about 10 calls in a month from a pool of over 700 people. And given the rotational nature of our work (5 weeks on, 5 weeks off), that isn’t an overly large number or amount of my time spent. About 10 minutes, including filling out the help desk ticket afterwards. Not that I disagree with the notion that you aren’t any safer by setting it to 5 vs. 50.
ARGHHHHHHHH!
You said the word ‘pasword’.
This brings up a very touchy subject with me. This is kinda off topic but…
I work for a company and we connect into clients to fix our software. Our software is password protected. Recently a law was passed and, according to the bosses, it requires strong passwords. I do know the law required that we beef up our credit card security. In any case our software now has strong passwords, more than 8 characters and must be a mix of numbers and letters, blah, blah, blah. Well, we have a slight problem. We have hundreds of clients. Each client has at least three passwords (PC Anywhere, Remote Desktop or GoToMyPC for 1, the network password for 2 and our password for 3). Some of our clients require nine or ten passwords (PCA, Windows passwords for multiple machines, SQL, our passwords for each of our products, which can be as high as 8 if I am counting correctly). On top of requiring strong passwords, you get locked out after 5 failed password attempts and the password has to change every 90 days. We don’t connect to some of our clients for a year or more.
The problem is that we could barely manage our passwords before this little change happened. We had a fairly straightforward way of dealing with incorrect passwords but we can’t do that anymore, everything is encrypted. So now we have to have strong passwords. Yet we get locked out after five failed attempts. This is an issue because after business hours there is rarely someone who can reset our passwords. So the developers came up with a password reset utility. Except it isn’t quite ready and it has some problems. First, besides not being ready to use for us poor support folk, it requires web access. Not all of our clients like that. Our more security conscious clients have their servers locked down pretty tight. Thankfully that isn’t most of our clients. Second, it takes a long time to go through this little password reset utility. The demo I saw took over 10 minutes; I figure that once you get used to the process it is going to take about five to seven minutes. In my job that is a lot of time to waste.
To handle the new-password-every-90-days requirement, they came up with a scheme for creating the new password. If you know when the last person was in the software for that user code, you should be able to figure out what the password is. That would be great except some of our employees aren’t the best at logging every time they get into a client. So you can’t be sure that you know the last time someone was in and might have changed the password, in which case there is no way in hell to guess the password.
It is going to be a nightmare.
My guess is that about 181 days after the full roll out of this we are going to be screwed. I think people will be good about updating our password info once.
Slee
Sorry for the hijack but this has been bugging me for a while.
This isn’t as good as Doctor Who’s, but I’ll often take two random nouns, insert one in the middle of the other, and put special characters at the intersection points. Like bi%rickshaw3cycle, for example.
One technique I’ve used before is to use a regular word (or words) as a basis and then type the key above each letter of that word. So if the word is “password” the actual password to enter would be “0qww294e”. This way the password is easy to remember and difficult to guess. It’s also easy to add uppercase letters and special characters by starting with words that are capitalized. However, on different keyboard layouts the pattern doesn’t necessarily hold.
My work IT guy tells us to use a phrase instead of a word, as in “i_like_popcorn” or “my_dad_is_tall”.
My husband and I have used a Mandylion at home ever since we saw them advertised on ThinkGeek. Since we do a lot of stuff online, we have a lot of passwords. Our passwords are random, strong, and completely different from one another (i.e. we don’t have the same password for Amazon that we have for our bank).
I was thinking of people using the first few words of their favorite song:
ICan’tGetNo
or book:
ItWasADark&Stormy
or film title:
LOTR’s123
Seems easy to remember.
About a month ago, the IT department where I work decided we needed to upgrade to strong passwords to meet some sort of network security standard. The requirements are similar to those described in the OP. The passwords now must contain at least one each of the following: capital letters, lowercase letters, numbers, and symbols. It cannot contain dictionary words, expiration has been moved up from 90 days to 60, we can never reuse a password we’ve used in the past, and new passwords must be different from the previous one by at least X characters (where X is a number I can’t remember except that it’s a significant chunk). Accounts get locked after three failed attempts, though that’s the same as it’s always been.
Oh, they must be at least 14 characters long and we’re forbidden from writing them down.
I’m sorry, but I’m not capable of remembering a string of 14 random characters. I’m just not that smart. Especially one that I never see (because of the asterisks when you type them) and that changes every couple of months, and multiply that by four because that’s how many different passwords I need to do my job. I have to write down all my passwords, and I’m sure almost all my coworkers are doing the same. Now a cursory search underneath the mousepads and keyboard trays at work will turn up all the passwords you need to get into anything.
Biometrics is the answer, perhaps. The company I work for has fingerprint readers for door access, but not for PC network access. I heard years ago they were making mice with fingerprint readers that barely cost any more than a standard mouse. Why didn’t this take off?
Consumer biometric devices have (so far) been trivially easy to spoof.
A dummy “key” can be made in fifteen minutes or so, starting from a fingerprint left on any surface by the authorized user.
(The following isn’t what I use, but it’s the same principle.) I find it easier to have a system for passwords. For example, use the first initial of your first name, converted to a number, then use the initial of your last name as a letter (or flip them around). For example, John Smith’s would start out as either 10s or j14. In front of that, pick a random character to always use. Use a keyboard starting point and use a pattern based on that start point. Maybe skip a letter/number and go to the next key on the upper or lower row. John Smith, for example, might start with an “E” and go down one to the right (F), then go to the number that corresponds with that letter (06). John Smith might end up with * (random character) 10s (initials) awdr (keyboard pattern starting with a and going up/down/up on the keyboard).
As long as they remember their pattern, they’ll be able to remember their passwords. If they apply a similar pattern to all their passwords, it’ll be easy for them to remember.
Peace - DESK
My solution is to memorize one really strong random master password (using any trick necessary but it must be randomly generated for that extra peace of mind) and everything else just goes into a password manager that creates all my logins and passwords automatically and encrypts them in a database for me.
This has the huge advantage that if one of the lesser passwords is compromised (in a website for instance) they’re all different and the damage is contained.
I carry it around on my USB pen but I keep a copy on my PC and sometimes it is a pain to synchronise the database (it’s easy enough to do it automatically but I haven’t gotten around to it yet).
I use Doctor Who’s scheme in reverse. I generate a password with digits and upper and lower case letters, then make up a nonsense sentence with words and names beginning with the letters in the password. The weirder the sentence, the easier it is to remember. Sometimes I’ll change a character of the password or add an article or preposition to the sentence to improve it.
Unless you work for the Secret Service (and have therefore been specially trained to remember such information, at the same time as you were trained to resist torture), then the person who instigated this scheme is an ass. It’s a clear case of destroying the village in order to save it.
I’m convinced most of the stuff our IT department does is specifically intended to reduce productivity.
No kidding. I’m governed by a fistful of laws at state and federal levels, and our password length requirement is “only” a minimum of eight characters.
What’s ironic about it is that some systems (Solaris stands out in my mind) will happily accept a long password, but will only pay attention to the first eight characters. To a Unix server, Password and Password1 are the same. :smack: Some of the older mainframe applications are case-insensitive, and some of our Oracle-driven apps will choke if you try to use the @, $, % or period in the password.
Whether you merely loathe them, or despise them with every atom in your body, passwords seem to be with us for a good while longer.
[Guinness beer guy]Brilliant![/GBG]
Almost.
I like this, except that with my 3-cell, 15-watt brain, I am certain that I would forget the sentence.
Today on my drive up to the Bay Area, I had time to devote all three brain cells to the problem and I think that I have the solution to creating as secure a password as you want, and yet making it easy to remember.
Use either song lyrics or famous movie lines.
Such as, from the Star Spangled Banner:
Oh say can you see
By the dawn’s early light
Becomes OscysBtdel. For a little higher security, go with a phonetic for “you” and “see”: OscucBtdel.
For higher security, you could capitalize one word and use letters for the rest such as OsCANusBtdel. If you want different (but similar) passwords for several sites, you could spell out different words in the phrase, for example the next password might be OscYOUcBtdel.
The beauty of this scheme is I can leave a reminder in plain sight that will mean nothing to anyone but me. For example, the SPB was written by Francis Scott Key, so my reminder might be Key, or if I have spelled out one word, Key-can or Key-u in the examples above.
Need a number in your password? Find some lyrics that have a number in them. For example, the song White Rabbit by Jefferson Airplane:
One pill makes you larger,
And one pill makes you small
Becomes 1pmylA1pmys. Or if you have a website that does not allow a leading number (lowes.com), use OnepmylA1pmys.
The reminder for this could be anything that reminds you of the song or a rabbit. Such as:
Grace
Bugs Bunny
Harvey (Hey he was a white rabbit)
Or even Jimmy Stewart (starred in Harvey)
Or if you really want to get creative (twisted), go with misheard lyrics
For example, the song Smoke on the Water:
Smoke on the water,
Fire in the sky
Is often misheard as
Slow motion Walter,
Fire engine guy
So the reminder is Smoke on the water, but the password is SmWFeg.
Get a book of misheard lyrics and keep it by your desk. You would not even need to memorize anything, just refer to the book.
Like movie quotes? The reminder is John Wayne, the line is “Fill your hand, you son of a bitch,” and the password becomes Fyhysob.
Or if you want an uncrackable long password, that famous exchange from the Blues Brothers:
**It’s 106 miles to Chicago, we’ve got a full tank of gas, half a pack of cigarettes, it’s dark and we’re wearing sunglasses. Hit it.**
Becomes I106mtCwgaftoghapocidawwsHi.
Crack that.
Me, I have already got my song picked out that has a number in the lyrics, and it is not the first two lines of the song either.
This is very similar to a method that I often suggest, but it has one flaw, in that you either have the same password everywhere, or you have to remember what sentence goes with what site/application/whatever. Here is what I often recommend to people:
Think of a phrase that you can remember, at least four words long, preferably one with a number or a word-that-can-be-a-number, such as:
“Way too much information”
Reduce this to:
W2mi
This becomes your “password prefix”, or the first 4 characters of all of your passwords. The remainder of your password is the first four letters of whatever the password is for, or the first four letters of the URL (after the www. part) of the site you are logging into. If it’s your gmail.com password, the password becomes W2migmai … if it’s your Outlook password, it’s W2miOutl, etc. For further security you can also create a “password suffix” to add to the end of that, which can be another sentence-acronym, or a number that is meaningful to you, or even something derived from other parts of the password… for example, in the gmail example:
“W2migmai”
Let’s add two numbers to the end. These will be the numbers above the first and last letters of the variable part of the password (gmai) on the keyboard. The number above the G (if you go by the diagonal line created by most-touching-surface) is 5. Above the L is 9. So the password is W2migmai59. The Outlook password would become W2miOutl99.
For additional security, you can have a standard capitalization pattern, like every other character is capitalized if it is a letter. Or vowels are always capitals.
Secure. Unique. Easy to remember/recreate.
Also: if you have to remember a lock combination, write it down in the form of a phone number and keep it in your wallet (just pad out the extra digits with random stuff).
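As an added example (my own code, not from any poster in this thread), here is the “key above each letter” trick from the earlier post and the two-digit keyboard suffix from the post just above, both implemented over an assumed US QWERTY layout written as four row strings indexed by column. It reproduces the thread’s own values and shows that the row shift is a fixed, reversible substitution, so it changes what a password looks like, not how many candidates a guessing attack has to cover.

```python
from typing import List, Tuple

# Constructed US QWERTY layout, top row first; a key's column is its index in
# its row. Index-based lookup reproduces the thread's examples (p -> 0, a -> q,
# g -> 5, l -> 9). Other layouts give other results, as the earlier post notes.
US_QWERTY: List[str] = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]

def _locate(ch: str, layout: List[str]) -> Tuple[int, int]:
    """Return (row, column) of a key, ignoring letter case."""
    for r, row in enumerate(layout):
        c = row.find(ch.lower())
        if c != -1:
            return r, c
    raise ValueError(f"{ch!r} is not on this layout")

def shift_rows(text: str, rows_up: int = 1, layout: List[str] = US_QWERTY) -> str:
    """Replace each key with the key `rows_up` rows above it (negative = below).
    Letter case is kept when the target key is a letter, as the earlier post suggests."""
    out = []
    for ch in text:
        r, c = _locate(ch, layout)
        t = r - rows_up
        if not 0 <= t < len(layout) or c >= len(layout[t]):
            raise ValueError(f"no key {rows_up} row(s) above {ch!r}")
        new = layout[t][c]
        out.append(new.upper() if ch.isupper() and new.isalpha() else new)
    return "".join(out)

def digit_above(ch: str, layout: List[str] = US_QWERTY) -> str:
    """Number-row key in the same column as a letter (the suffix rule in the post above)."""
    return layout[0][_locate(ch, layout)[1]]

def prefix_scheme(prefix: str, target: str) -> str:
    """Post's recipe as stated: prefix + first four letters of the target + the digits
    above the first and last of those four letters. The post's own gmail example takes
    its 9 from the L of "gmail", outside the four-letter stem; the stated rule gives 8."""
    stem = target[:4]
    return prefix + stem + digit_above(stem[0]) + digit_above(stem[-1])

def transformed_wordlist_size(words: List[str]) -> int:
    """Distinct outputs of the shift over a wordlist. This is never more than the
    number of distinct inputs: the shift is a fixed substitution, undone with
    rows_up=-1, so it does not enlarge the space a guesser has to search."""
    return len({shift_rows(w) for w in words})

if __name__ == "__main__":
    print(shift_rows("password"))               # 0qww294e, as in the earlier post
    print(shift_rows("0qww294e", rows_up=-1))   # password: the shift is reversible
    print(prefix_scheme("W2mi", "gmail"))        # W2migmai58 (the post writes 59)
    print(prefix_scheme("W2mi", "Outlook"))      # W2miOutl99
```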