h2g2 The Hitchhiker's Guide to the Galaxy: Earth Edition

Having access to a good password cracker is very good for a security concious system administrator. The worrying thing is if the encrypted password file is leaked to someone with bad intentions. If you then have a poor (insecure) password it can be found very easily.

On our PE* teachers clipboard (which he carried everywhere)

Username: ARN
Password: QWERTY

Rules of password creation:

1) don't use QWERTY
2) don't write it down where someone might be able to see it
3) don't (insert suitable expletives) carry it around with you!

Your PE teacher sounds pretty cool! You wouldn't happen to have his e-mail address now, would you ...

I've always found it to be the best when you go for two distinctly seperate words seperated by a number or space or combination of both. My favorite method though is to get two words of the same length and intersperse the letters. For example, the words Antidote and Discover.
The password would then be adnitsicdoovteer, it's not very quick to type but it is very difficult to crack. If the two words have meaning to you that isn't plainly obvious then it is typically very easy to remember.

BTW: It was listed a long time ago that the two most common passwords at the time were god and love. This was back when there were no minimum password lengths because no one thought anything was going to happen. as for these days with 6-8 min. character passwords, the most common passwords are birthdays in the form of MMDDYYYY (or YY, and also DDMM depending on your location if it is six characters) or if a letter is required to begin the password, Month abbreviation followed DDYYYY

I find that I routinely make mistakes while entering a password. I don't know why -- maybe it's because I basically dislike doing it -- so I know that I'd absolutely HATE having a long one. Someone once set up a site for me, telling me that he'd passworded it with my surname -- eleven letters long -- and every single time I entered it in, I made an error. I changed it VERY QUICKLY!

"god" and "love", huh? I guess we've all changed a whole lot since then ...Magnolia

My passwords are generally free-association. For instance, on the New York Times website (which, bizzarely enough, does require you to log in to look at the news) my password would end up being "fugit". Here's the way I arrive at that:
1) "New York Times" gets examined and the word "Time" is pulled out.
2) As everyone knows, time flies (especially when you throw alarm clocks out the window), so "Time Flies" is the next iteration.
3) "Time Flies" is translated into Latin to become "Tempus Fugit"
4) Since "Tempus" means "Time", I ditch it and am left with "Fugit"

I find this works very well as the word "fugit" is not something that pops readily into the mind.

You can try [email protected] if u really want.

(I just hope the IT teacher doesn't get angry... I need to ask him for advice on computer jobs for the next 12 months.)

Password update from work.
One of our systems didn't feel like letting me in to get any work done earlyier this week. 'Why is this a problem?' you might ask. Well, I can honestly say that I don't have a good answer to that. Anyways, I brought over the guy in charge of making that system available to us, and found out that the system had changed my password without bothering to tell me. A bit perplexed, I still decided to get a new password to be able to log into the system, sent for a computer generated password and logged in. Then the guy tells me that I'm not supposed/allowed to change that password, but rather should use that password, which I had no way of remembering directly, so I had to write it down, and writing passwords down isn't often very smart.
Anyone else heard of people being told not to use a pasword other than the computer generated one?

On the contrary, at Uni we were all given a computer generated password in order to log on to the network and told TO change it.

I don't know anybody who has though.

Clive

I know... That's my whole point. Everywhere else, they encourage us to change the passwords into something we can relate to, and remember, but not at IBM. Weird, I tell you, weird!!

For web sites (about the only thing I use passwords for) I use the maiden names of my two grandmothers. One for low security sites (but windows always remembers those passwords anyway), and the other for high security sites. It's more cunning than it sounds, as even my brothers probably don't know their maiden names.
It's pointless me trying anything else as not only would I have to write them down, but I would have to write down the name of the site that I use them on. No one else uses my computer anyway, except my 5 year old, and he certainly won't know them.

there is a company where i live that hands out electronic credit-sixed cards. For all emploies, a random 11 number password is created every 5 mins and sent out to the cards, when you log on you enter a personal password and the number that just appeared on the screen of your card...very secure but to get on you always need your card. Also at any time when your on it may randomly ask for the number or a piece of personal information (like your wifes mothers maden name)

My immediate thought was: eek! Supposing a person doesn't KNOW her/his wife's mother's maiden name? -- but immediately realized that this information must have been fed into an employee's dossier by the employee, so he/she WOULD be likely to know. Still. It could be a little nerve wracking. I am never ENTIRELY sure who I am and what my personal details are..

I usually go for as random a combination of letters as possible, using some sort of system to remember it... first letters of days, some cryptic acronym from programming, that sort of thing.

I also tend to use a fairly standard password but I always mutate it with some sort of word that relates to what I'm using it for.

The *best* strategy, I think, is to randomly generate a password then come up with some way of remembering it. For example, C&W use extremely nasty usernames - mine's m04au500, which I remember as 'me for 500 gold' - au being the symbol for gold, of course.

So. Get a random string of letters and numbers, then work out something to fit it. That'll give you the ultimate security, I reckon - nobody can guess it and you don't have to write it down.

It's just too much effort, is the problem.

26199

Yes, that sounds like a good system. I can imagine using it.

Reading over all these posts, it seems to me that ways of storing passwords in a secure place are almost as important as the passwords themselves. The Cow's system for choosing the password using the telephone dial seems most useful in this respect. First you think up the word/name/whatever you want to use as your password, then you convert it to numbers, then you can store the numbers in a public place. They will look like an innocent telephone number and no-one will know the better.

Ta 4 the praise!

I take my method from HHGTTG, and us phone numbers mixed up like the last four digits backwards then the first three digits forwards, then the area code backwards of where ever I happen to be at so it's always on the phone so I don't have to remember anything.

When I was a sysadmin, I used to give people passwords that combined nouns from foreign languages (to avoid that dictionary test) and street numbers (I'm from New York City, where streets are numbered, so it's pretty easy to find an apropos number), and a punctuation mark or two. For my own serious passwords (if someone hacked in, they could pretend to be me), I generally use numbers and symbols combined with names of neighborhoods of foreign cities, because they don't necessarily appear in dictionaries (even foreign language ones) or gazetteers (dictionaries of place names). For shopping websites (where I'd have to enter my credit card in anyway) I use street names of relatives or friends, with numbers appended or prepended.

For those systems where you have to keep changing your password, I feel that the best way to remember the passwords is to use the particular mood that your are in, or a word relating to that. (such as happy could become birthday or merry, or depressed could become life-who-needs-it or damn). Then put in a punctuation mark in a seemingly random place and when you have to remember the password, just think back to how you were feeling when you had to change it last...

¦M¦

At my old school, using this method, I'd be hardpressed to come up with passwords other than:

ReallyHackedOffThatTheS***SystemDemandsPasswordChangesEveryTwoWeeks