Security

It's World Password Day: Change Your Passwords

Posted by Soulskill
from the 123456-becomes-1234567 dept.
An anonymous reader writes "Today is World Password Day — a day dedicated to promoting the use of strong passwords and the creation of good habits. However insecure this method of authentication is, it's not going away anytime soon, and people should be educated on how to make the best of it. To that end, last year Intel started an action-oriented campaign to raise user awareness regarding password problems, and this year their initiative has a new digital home. Passwordday.org provides the Password Blaster (a videogame that teaches good passwords using real leaked passwords), the Password Strength Meter, links to McAfee's Heartbleed Test tool, offers animated educational GIFs and tips and tricks for upgrading your passwords."
  • by Anonymous Coward on Wednesday May 07, 2014 @03:10PM (#46942429)

    Please.

  • by turkeydance (1266624) on Wednesday May 07, 2014 @03:13PM (#46942445)
    Ludden was the best.
    • by Anonymous Coward

      Is that you Betty?

  • by Curialis (218588) on Wednesday May 07, 2014 @03:13PM (#46942447)

    IT Workers rejoice!!

  • by Anonymous Coward

    Followed by "Reset Your Password Day" tomorrow.

  • by Anonymous Coward

    What a great time to sniff or keylog, knowing a lot of people will be changing their passwords!

    I hope I'm wrong.

  • by Anonymous Coward

    Passwords, and with them password reset questions, need to go away. There are proper authentication mechanisms. Passwords are not among them.

    • by mlts (1038732)

      What I'd like to see is a service like the following:

      One gets a client cert like how it is done normally... but the cert is used as a CA cert, perhaps stored in a dedicated HSM. Then, when one uses a new computer or gets a new smartphone, the device has a client cert, then it gets signed by one's own CA cert. That way, one has the security of client certs but without the need to manually copy the same certificate to each device (and risk having it stolen.) If a cert is stolen, the CA cert one has can eas

      • by Darinbob (1142669)

        I hate the two factor stuff, since it all wants to be on a smart phone. But I will not use a smart phone for this (more ways for google to spy on me). And many of the sites that want the two factor stuff are fluffy social sites where it's not important whereas the really vital stuff like banks have basic security.

  • by danbert8 (1024253) on Wednesday May 07, 2014 @03:24PM (#46942565)

    Let's celebrate with 8-16 characters that must include at least one capital, one number, and one symbol but not repeat any character more than twice. Ahh screw it, why don't we celebrate World Write Down Your Password On A Post-It Note Day?

  • I recommend (Score:4, Funny)

    by BobMcD (601576) on Wednesday May 07, 2014 @03:26PM (#46942587)

    worldp@sswordday14

    That way you can remember it until next year!

  • Change your passwords today, so our new filters can capture them!

    • by jlv (5619)

      Or even better, type your new password into our webpage and we'll tell you if it's secure.

  • by nimbius (983462) on Wednesday May 07, 2014 @03:28PM (#46942601) Homepage
    I've used passphrases from passwdqc [openwall.com] for quite some time. They're just as complex and a whole lot easier to remember. The downside being many websites still restrict users to 8 or 10 character passwords whereas phrases can easily consume 17 or more characters.
    • If a site restricts your passphrase/word to some arbitrary limit, be concerned that they aren't hashing it and instead storing it in plaintext. Hash output will be the same length regardless of input length, so a password limit makes no sense. There may be DoS protection in limiting input to *some* length, but not less than (arbitrarily) 2^8 characters.
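The hashing point in the reply above, as an added example that is not code from the thread: inputs of different lengths produce a stored record of the same size, and the only length check is a DoS bound applied before the slow KDF runs. The 256-byte cap, the iteration count and the choice of PBKDF2-HMAC-SHA256 are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

MAX_PASSWORD_BYTES = 256     # DoS bound only (the "2^8 characters" above), never a usability limit
PBKDF2_ITERATIONS = 100_000  # assumed work factor; tune it for your own hardware
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || digest; the digest is DIGEST_BYTES long whatever the input length."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        # Reject oversized input before the expensive KDF runs. This is the only
        # legitimate reason for a maximum, and it sits far above any real passphrase.
        raise ValueError("password exceeds %d bytes" % MAX_PASSWORD_BYTES)
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS, dklen=DIGEST_BYTES)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the digest under the stored salt and compare in constant time."""
    pw = password.encode("utf-8")
    if len(pw) > MAX_PASSWORD_BYTES:
        return False
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", pw, salt, PBKDF2_ITERATIONS, dklen=DIGEST_BYTES)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    # Constructed inputs: a short password and a long passphrase store identically sized records.
    for pw in ("hunter2", "bob is a dork and i hate my job, and so on for a few more words"):
        rec = hash_password(pw)
        print(len(pw), "chars ->", len(rec), "stored bytes, verifies:", verify_password(pw, rec))
```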
  • That last sentence in the intro made me a bit ill.
  • by jddj (1085169) on Wednesday May 07, 2014 @03:30PM (#46942625) Journal

    12345...7

  • by Anonymous Coward

    "password02". Done!

  • I have 400+ unique passwords. I don't think I'll be changing those for password day.
    I suppose putting my trust in a password manager could also be considered a risk, but I use a passphrase long enough that even someone with an extensive dictionary attack would take years to get through it.

    • Re:Not happening. (Score:5, Insightful)

      by Derekloffin (741455) on Wednesday May 07, 2014 @03:55PM (#46942857)
      Indeed, and I've never understood the advice to change your password frequently. The only thing that would help against is if someone has already compromised your account and has been laying low (rather than what they usually do which is clean it out asap). However, changing passwords constantly highly encourages you to use less and less powerful passwords as you can't remember them all the time meaning you're that much more likely to get that initial compromise.
      • Although I do not have proof of this, I believe that the password change policy came from the way early UNIX systems handled the password files.

        Early UNIX systems did not separate the username file from the password file. Both were kept in /etc/password. This file had to be world readable in order for anyone to log in. So if you had any access at all, including guest access, it was easy to copy the password file. Although the passwords in the file were hashed, they could be cracked or a rainbow

      • The advice to change passwords frequently is meant to protect against offline cracking: If an attacker gets a password database they can quickly try passwords without restrictions. Given enough time and computing power there is no uncrackable password. But if you change your password frequently, by the time the attacker guesses your password successfully it will already be invalid.
        • That's great, in theory. In reality it will just lead people to create very easy to remember passwords, since people are good at routine and not at things that change constantly. Those easy passwords, in turn, are much more easily cracked. How would you mitigate that risk, increasing the password change frequency?

          I've worked with highly sensitive systems (*ahem* the Ogone payment system for one) that use silly policies like these, and yet are horribly unsafe. At one time when I tried to login with an expire

      • by sudon't (580652)

        I think this is intended for those users who use poor passwords. Although, come to think of it, it wouldn't help them either.

        This shouldn't be an issue. I'm a long-time Mac OS user, which has come with an encrypted password manager since at least 2001. I'm sure Windows must have one by now, too. It's trivial to create a strong, unique password for every site or service I sign-up to, (somewhere north of 600 unique passwords, now), and I've only had to remember one strong password all these years. I've never

  • by PaddyM (45763) on Wednesday May 07, 2014 @03:53PM (#46942837) Homepage

    I thought that regularly changing one's password was unnecessary https://www.schneier.com/blog/archives/2010/11/changing_passwo.html [schneier.com]. I thought that it needs to be changed if found to be hacked, but otherwise as long as it's strong, there's no need to change it. So while promoting good password habits is a good idea, I'm not sure that "annually change all your passwords on the same day every year so that any eavesdropper/keylogger can look for possible password change activity on one day" is one of them.

  • by Anonymous Coward

    Now I'm going to post as an Anonymous Coward for the next six months!

  • If you were going to install sniffers all over to collect passwords as people changed them, what day would be better than World Password Day...

    I'll let the herds get culled as I watch from the hills above, thanks.

  • A new holiday will be sent to your email address.

  • I use security tokens instead of passwords, and then external services use OAuth against this centralized service to verify my identity... passwords? What are those!?

  • by geekoid (135745)

    If a legit user can hack your systems, the user password isn't your problem.
    So many sites make you enter a secure password to protect their systems. Ignoring the fact that a malicious person could set up an anonymous account.

  • due to all the past changes. My new password is "It's change your password day"

  • Anything important should be changed more frequently. And anything less important... why do we have a special day for it? Waste of time. *shrug*

    • by Anonymous Coward

      Anything important should be changed more frequently.

      Why? If my password isn't compromised, why the fuck would I change it? All that does is encourage people to use shitty passwords because they have to change them all the time.

      I hate people like you

  • I am celebrating this day by changing my passwords from 'password' to 'password1'.
  • passphrases.

    Because (ignore quotes) "bob is a dork and i hate my job" is largely easier to remember and more powerful than, "Tr0ub3c43r#$" [insert obligatory XKCD].

    I mean really. If a person makes a passphrase as a full sentence (i.e. spaces, punctuation, capitalization, all the things grammar teachers teach), then that will give some part of school you likely never cared about some meaning in your life, and it would make your passphrases much more secure and easier to remember (i.e. it tells you a lot abou

  • by Kittenman (971447) on Wednesday May 07, 2014 @06:38PM (#46944173)
    That way, when I forget it, the software/site will come back and tell me "Your password is incorrect", so I don't have to remember it at all.
    • by Culture20 (968837)
      My software told me "your username/password is invalid". So I entered "invalid" for both. Still didn't work.
      • by Kittenman (971447)

        My software told me "your username/password is invalid". So I entered "invalid" for both. Still didn't work.

        You're not doing it right, maybe.

  • The prevalence of the passwords requiring uppercase, lowercase, punctuation etc is ridiculous as more and more sites and servers I use are requiring it.

    I'm going to make an assumption here and I bet I'm right. (I have NO idea!)
    The VAST majority of security breaches are due to poorly patched software / bugs / social engineering / angry staff etc.
    I'd wager very very few password hacks are due to people having the password
    "momspajamas2212" instead of "M0mspaJAMas22!2"

    I will say I'm finding the only way to

    • by jrumney (197329)
      My favorite incident of what I call "security by handwaving" was my bank changing the wording on their site from password to passphrase, but they rejected the space character and limited the "passphrase" to 16 characters.
    • by Dutch Gun (899105)

      The prevalence of the passwords requiring uppercase, lowercase, punctuation etc is ridiculous as more and more sites and servers I use are requiring it.

      I'm going to make an assumption here and I bet I'm right. (I have NO idea!)
      The VAST majority of security breaches are due to poorly patched software / bugs / social engineering / angry staff etc.
      I'd wager very very few password hacks are due to people having the password
      "momspajamas2212" instead of "M0mspaJAMas22!2"

      I will say I'm finding the only way to still remember my passwords on sites now is to start using pattern based passwords, example "$RFV%TGB4rfv5tgb" (try typing that) - it's not ideal but I can remember the bastard thing. (I hope this helps someone else out, I gave it out to someone recently and they adopted something similar pretty much instantly and yes, I know you could add patterns to the dictionary)

      If you look at those who have analyzed cracked databases to see what passwords people actually used, you'll find that people get hacked because they're using passwords like "password", "123456", "monkey", and so on [cbsnews.com].

      Honestly, I've found that a password manager is really the only sane way to use cryptographically secure (and completely different) passwords on every site without worrying about losing those passwords. I use Lastpass, since it syncs between machines automatically and has a plugin which automati
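The pattern password in Dutch Gun's post above, together with the admission that such patterns can be added to a dictionary, is exactly what a strength check on the server side can catch. The following is an added example, not code from the thread or from any password manager: it assumes a US QWERTY layout and scores how much of a password consists of keyboard walks, going beyond the column walk in the post to rows and diagonals. MIN_RUN and the rejection threshold are assumed policy values.

```python
# US QWERTY layout, unshifted and shifted, row by row (assumed layout).
BASE_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
SHIFT_ROWS = ["~!@#$%^&*()_+", "QWERTYUIOP{}|", "ASDFGHJKL:\"", "ZXCVBNM<>?"]
MIN_RUN = 3  # shortest run of physically adjacent keys counted as a walk

# Fold every key to its unshifted form so "$RFV" and "4rfv" are the same walk.
_TO_BASE = {}
for _base, _shift in zip(BASE_ROWS, SHIFT_ROWS):
    for _b, _s in zip(_base, _shift):
        _TO_BASE[_b] = _TO_BASE[_s] = _b


def _build_adjacency():
    """Map each key to its neighbours; rows are staggered half a key, hence the offsets."""
    adj = {}
    for r, row in enumerate(BASE_ROWS):
        for i, ch in enumerate(row):
            cand = [(r, i - 1), (r, i + 1),          # left, right
                    (r - 1, i), (r - 1, i + 1),      # above-left, above-right
                    (r + 1, i - 1), (r + 1, i)]      # below-left, below-right
            adj[ch] = {BASE_ROWS[rr][ii] for rr, ii in cand
                       if 0 <= rr < len(BASE_ROWS) and 0 <= ii < len(BASE_ROWS[rr])}
    return adj


_ADJ = _build_adjacency()


def keyboard_walk_coverage(password: str) -> float:
    """Fraction of characters that lie inside a run of MIN_RUN or more adjacent keys."""
    keys = [_TO_BASE.get(c) for c in password]  # None for characters outside the layout
    covered, run = 0, 1
    for i in range(1, len(keys) + 1):
        prev = keys[i - 1]
        nxt = keys[i] if i < len(keys) else None   # None at the end flushes the last run
        if prev is not None and nxt is not None and nxt in _ADJ[prev]:
            run += 1
            continue
        if run >= MIN_RUN:
            covered += run
        run = 1
    return covered / len(keys) if keys else 0.0


def is_keyboard_pattern(password: str, threshold: float = 0.5) -> bool:
    """Flag passwords whose bulk is keyboard walks; the threshold is an assumed policy knob."""
    return keyboard_walk_coverage(password) >= threshold
```

On the constructed inputs from the thread, "$RFV%TGB4rfv5tgb" and "qwerty" score 1.0, while "momspajamas2212" scores 0.2 and is not flagged.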

  • So what if this is a ruse to get people to change passwords on the one day that security exploits are in place to capture the new passwords? Buck the trend and change them some other day or not at all.

  • Why cannot we force all websites and services to comply with a common password complexity rule? There is a wide variation in the rules that phone companies, banks, utilities and various online services enforce when I create passwords. As a consequence, it becomes difficult to decide on a password-generating algorithm to create and remember passwords across these websites/services. So, coming back to the question, can we not have a standard password complexity rule which every website/service has to stick to
  • Does that mean today is World "I Forgot My Password" day?
