Passwords

I’m a keyboard combinations man, myself. I’ve got five or six different combinations of keys that are 8 characters long (which will go just about anywhere), that includes keys on the top row (numbers and signs), and another row. I hit the shift key in an alternating rhythm as well, which gives me non-dictionary passwords that include special characters, and each one is different enough that it doesn’t trigger similarity alarms. I freely re-use them, especially in systems that require changing your password frequently. The system is easy enough to remember that I don’t have to write any down.

The whole security of a password system breaks down when you’re forced to keep a written record somewhere. Thus, make whatever concessions you need to avoid doing that.

oh man… I have so many passwords too…

I do have about 5 or 6 that I recycle usually. A lot of which are related to various log ons on chats, MB’s (where I can have multiple usernames), emails etc etc.

Most of my stuff is not really that important. If they want to log on as me, go right ahead. Half of the names I have I don’t use anymore, and have forgotten. The other half people will pick up that it’s not me (they always pick up that it’s me when I change my name even if I don’t tell them who it is. So why wouldn’t they be able to tell it’s not me?)

But it drives me nuts that when I go to log on to some things, I forget the password and go through my whole list of them before I finally find the right one. Usually the last one I remember out of my whole list. And sometimes they just won’t accept my log in even if I eventually get my password right, so I have to go through the process of having it sent to me only to learn it’s the password I’ve tried 7 times already!

my password is dalovindj
oops…
:wink:

<joke>
A company decided that more random passwords were better. So they found the most random 8-letter password, and assigned that to everyone.
</joke>

As another computer guy, I have the same problem with passwords. Two things I’ve done to try to keep track of them:

  1. Go ahead and write them out for reference, but in an innocuous way. For instance, for my credit card and debit card PIN numbers (they all have four digits), I write them as phone numbers and keep them in my wallet with other phone numbers. For instance, “Vince: 332-9999.” This tells me it’s for my Visa (Vince, get it?). “332” is a local exchange, and “9999” is the PIN. (Of course, this works only because no one knows I use this system, so you must all die.)

  2. I downloaded a nifty little program called Password Pal to track all my passwords. There’s probably other shareware and freeware programs like it out there. It’s easy to use, and just requires a master password to use. The downside, of course, is that if someone finds out the password to open Password Pal, you’re screwed.

You want a really asinine policy? Technically where I work, we’re supposed to use distinct passwords for each user and distinct root/admin passwords on all systems, with auditing for who needs access and other stuff. That makes sense for production systems, I have no problem with that at all. The asshats writing policy seem blissfully unaware that we’re in a goddamn test lab with 60 or more systems that about a dozen people all use at different times, that get reinstalled routinely, that can’t be put into a single domain, and that don’t have any sensitive information other than the code we’re testing on them. Needless to say, we’ve taken a somewhat liberal interpretation of the password policy. And don’t get me started on that piece of shit security scanning tool we’re supposed to use to check compliance - sure, it turns up a few spots where patches are needed, but it gives more false positives than actual problems and (god I hate this) still shows X as a problem even after you’ve patched X away about half the time.

Win2K
WinXP
WinME
network
CQT call tracker
Outlook
Quickbase
QUBE
PitStop
corporate intranet
ClockTrack time clock
CRIS customer track

And none of them use the same convention - some require special characters, some won’t accept special characters, some want a number first or last, and others want at least 1 capital letter - oh, yeah, and the minimum/maximum length of the passwords appears to be arbitrary. And we’re forced to change them every 3 months, all on a rotating schedule based on when they were first installed or assigned - after 5 years, I’m running out of options.

You guys are cracking me up (IT jokes make me lose it - I’m growing more and more convinced of my own geekness daily - what happened to all my hipness?). Glad to hear I’m not alone in my rage. . .

Dooku, your company password rules are exactly what I was talking about. You’re right. I am lucky compared to you. 28 different passwords all having to match that criteria? Holy shit! A password like that is hard to even come up with never mind remember. I’m reminded of some stupid “free” thing I tried to sign up for on the internet (probably a dating or news service) that had a similar set of password criteria (no words/zip codes/some lower case/some numbers). You had to fill out a giant page of general info and if your chosen password didn’t live up to the criteria it sent you back to the page sans all the stuff you had just filled out. The back button was no help recovering the entered info. After 3 times entering all that shit I damn near destroyed my work area and gave up on whatever retarded thing it was.

DaLovin’ Dj

I have several passwords that I just rotate.

But then again, I can’t see being too broken up if someone hacks into my livejournal. (Yea, that’s probably about the most important password I have, under my own values. I guess my student password might be more useful. Maybe.)

Here are two tips:

  1. Have two different groups of passwords. For lots of sites where security (eg credit card details, work stuff) is less important, pick the same password. But use numbers and letters.

  2. Keep a theme with your passwords. Use a special word and number - eg bongo and 77, then customise it for each site by adding the first three letters of the domain name. So for these forums, you would have bongo77str. Much easier to remember.

By the way, I love this username:

PoorYorick

Obviously we are dealing with a fellow of infinite jest . . .
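A check a site could run when a password is set, covering two habits described in the posts above: keyboard-pattern passwords, and a fixed word and number with the first three letters of the site appended. This is an added example, not part of the original thread; the US QWERTY layout, the 0.8 threshold, the function names and the sample site name `example` are assumptions.

```python
# Added example (constructed; not from the thread). Assumes a US QWERTY layout.
ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
# Map each shifted symbol back to the physical key that produces it.
SHIFTED = dict(zip('~!@#$%^&*()_+{}|:"<>?', "`1234567890-=[]\\;',./"))
# Physical key -> (row, column) on the grid above.
POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}
WALK_THRESHOLD = 0.8  # assumed cut-off, tune against real rejections


def unshift(ch):
    """Return the physical key for a character, ignoring Shift."""
    return SHIFTED.get(ch, ch.lower())


def keyboard_walk_ratio(password):
    """Fraction of consecutive key pairs that are the same or neighbouring keys."""
    keys = [POS.get(unshift(ch)) for ch in password]
    pairs = list(zip(keys, keys[1:]))
    if not pairs:
        return 0.0
    adjacent = sum(
        1 for a, b in pairs
        if a and b and abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1
    )
    return adjacent / len(pairs)


def site_fragment(password, site_name, n=3):
    """Return the first n letters of the site name if the password contains them."""
    frag = "".join(ch for ch in site_name.lower() if ch.isalpha())[:n]
    return frag if len(frag) == n and frag in password.lower() else None


def review(password, site_name):
    """List the findings for a candidate password on the named site."""
    findings = []
    if len(password) >= 4 and keyboard_walk_ratio(password) >= WALK_THRESHOLD:
        findings.append("keyboard-walk")
    if site_fragment(password, site_name):
        findings.append("site-fragment")
    return findings


if __name__ == "__main__":
    # Constructed sample passwords, checked against the assumed site name.
    for pw in ("1qaz@WSX", "bongo77exa", "Tr0ub4dor&3"):
        print(pw, review(pw, "example"))
```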

Minor Hijack for useful tip.

Replacing the “WWW” in an NYT story URL with “archive” allows access without registration. i.e.

http://www.nytimes.com/2003/04/08/international/worldspecial/08CND-PENT.html requires registration.

http://archive.nytimes.com/2003/04/08/international/worldspecial/08CND-PENT.html doesn’t.

milo, who also has too many passwords.

Why, thanks!

It has more to do with my past life in physical/forensic anthropology, though, than with any purported sense of humor.

I also feel sorry for myself a lot . . .