It's World Password Day: Change Your Passwords 116
An anonymous reader writes "Today is World Password Day — a day dedicated to promoting the use of strong passwords and the creation of good habits. However insecure this method of authentication is, it's not going away anytime soon, and people should be educated on how to make the best of it. To that end, last year Intel started an action-oriented campaign to raise user awareness regarding password problems, and this year their initiative has a new digital home. Passwordday.org provides the Password Blaster (a videogame that teaches good passwords using real leaked passwords), the Password Strength Meter, links to McAfee's Heartbleed Test tool, offers animated educational GIFs and tips and tricks for upgrading your passwords."
Enough "world days" (Score:3, Insightful)
Please.
Re: (Score:1)
Personally I'm waiting for the "World days awareness day".
Re: (Score:1)
World world day day.
Re: (Score:2)
It is also "World record Post-it Note sales" day.
Re: (Score:2)
Sorry, we have not filled them up yet. [un.org]
America is out of food days, [tfdutch.com] now there are duplicates.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2, Funny)
World " Change Underwear Day "
"You! Change underwear with him. You! Change underwear with her. You bring that thong on over here and change with me sweetie "....
OK, but not sure 123456 is any better than 1234 (Score:1)
Don't see what the point is
Re: (Score:1)
Re:OK, but not sure 123456 is any better than 1234 (Score:4, Funny)
You're doing it wrong. It's suppose to be something like Hj1pAab5!z21i0lO&sa8q0, on a sticky note attached to the machine.
Re: (Score:3)
If you MacGyver the executive secretary's desk drawer, you will find the passwords to all the C*Os of the company on sticky notes, as well.
Re:OK, but not sure 123456 is any better than 1234 (Score:4, Funny)
Re:OK, but not sure 123456 is any better than 1234 (Score:4, Funny)
I don't want to know how those notes got sticky.
She is a big fan of McGuyver.
Re: (Score:1)
I put the 123456 on a publicly shared network file called "Passwords.docx" - is that good enough?
And then enabled Bluetooth.
Re: (Score:1)
Probably the best variant of this I've seen was a friend who concatenated md5sums of various kernels he'd compiled into a string and printed them onto a dog tag which he kept on his person.
Based on something he knew about the machines location he started at a certain row and column and typed a certain number of characters off the tag.
Re: (Score:2)
You're doing it wrong. It's suppose to be something like Hj1pAab5!z21i0lO&sa8q0, on a sticky note attached to the machine.
That's the combination^W^W my Bitcoin address!
Re:OK, but not sure 123456 is any better than 1234 (Score:4, Interesting)
My bank assigned me the random PIN of "1234" for my debit card. One of my student loan websites (Citibank) ignored anything past the 8th character of your password anyway. One of my old credit unions had a six character password limit, alphanumeric only. Financial institutions are a little behind the times.
Re: (Score:2)
My bank allows letters and numbers only and is not case-sensitive. This is so the password can be used on phone keypads.
In other security news, AmEx requires a number or special character IN YOUR USERNAME. WTF?
Re: (Score:1)
What about password length? My bank is similar, only letters and numbers but requires at least on uppercase letter...but a MAXIMUM length of 5 characters!
Re: (Score:2)
That reminds me of the other quirk of my bank.... username is case sensitive. e.g. SJHillman was already taken, but it let's me use Sjhillman
Re: (Score:2)
Re: (Score:2)
When I finally started using it for large purchases I decided to try out the the online banking, but as I had never used it before there was no password set up. I gave them a call and explained what I wanted to do and asked them to send me a password reset to get online with.
The reply: "Oh, we set that up for you when you opened the account. The password is set to you
Re: (Score:2)
my bank limits the password to 5 alphanum chars
Re:OK, but not sure 123456 is any better than 1234 (Score:4, Funny)
Upper case, lower case, symbol, digit, more than 12 chars. Check!
Re: (Score:2)
looks quite okay, doesn't it? Is it in any real world password set? Is it in a wordlist? How many password crackers provide brute-force preset options, which will find this one in a short time? I guess you would have be quite secure, if you actually used it.
Now you can argue, slashdotters will tune their bruteforce tools to include a lot of consecutive letters with only little random parts before/after maybe in the middle, but if you have to many exception rules, you will miss passwords which can be brute f
it's supposed to be "world" (Score:2)
so change it, already
Re: (Score:1)
Came up with a better one - Death - nobody will guess that one!
i liked to play Password (Score:3)
Re: (Score:1)
Is that you Betty?
And Tomorrow is 'What was my password again?' Day (Score:5, Funny)
IT Workers rejoice!!
Tomorrow (Score:1)
Followed by "Reset Your Password Day" tomorrow.
It's World Sniff Your Password Day (Score:1)
What a great time to sniff or keylog, knowing a lot of people will be changing their passwords!
I hope I'm wrong.
Let's not celebrate passwords (Score:1)
Passwords, and with them password reset questions, need to go away. There are proper authentication mechanisms. Passwords are not among them.
Re: (Score:2)
What I'd like to see is a service like the following:
One gets a client cert like how it is done normally... but the cert is used as a CA cert, perhaps stored in a dedicated HSM. Then, when one uses a new computer or gets a new smartphone, the device has a client cert, then it gets signed by one's own CA cert. That way, one has the security of client certs but without the need to manually copy the same certificate to each device (and risk having it stolen.) If a cert is stolen, the CA cert one has can eas
Re: (Score:2)
I hate the two factor stuff, since it all wants to be on a smart phone. But I will not use a smart phone for this (more ways for google to spy on me). And many of the sites that want the two factor stuff are fluffy social sites where it's not important whereas the really vital stuff like banks have basic security.
Re: (Score:2)
The main reason for password insecurity is brute force, not stolen devices.
WorldPasswordDay1! (Score:4, Funny)
Let's celebrate with 8-16 characters that must include at least one capital, one number, and one symbol but not repeat any character more than twice. Ahh screw it, why don't we celebrate World Write Down Your Password On A Post-It Note Day?
Re: (Score:2)
Salem1!
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
I recommend (Score:4, Funny)
worldp@sswordday14
That way you can remember it until next year!
World Packet Trace Day (Score:2)
Change your passwords today, so our new filters can capture them!
Re: (Score:2)
Or even better, type your new password into our webpage and we'll tell you if it's secure.
Comment removed (Score:3)
Re: (Score:2)
nope. I use passphrases almost everywhere, there are only a few sites which are refusing it. (sadly including my bank, which demands a 5 char password)
Re: (Score:2)
Re: (Score:1)
Those passwords suck, and I hate you for even suggesting them.
Better idea, simple passwords. "Pencil".
Then lock the account after a reasonable number of attempts - like 50. How many tries to brute force a single word password? More than 50.
Re: (Score:3)
Those passwords suck, and I hate you for even suggesting them.
Better idea, simple passwords. "Pencil".
Then lock the account after a reasonable number of attempts - like 50. How many tries to brute force a single word password? More than 50.
Yikes, that's horrible, horrible advice.
You need to stay away far, far from single dictionary word passwords. If the hashed password database is compromised, you need a password that will at least withstand a basic dictionary attack, since obviously it's beyond locking because of failed attempts at that point. If there's any significant amount of time between when the breach occurs and when it's discovered, your only defense is a password long and complex enough to withstand any brute-force attempt within
Re: (Score:2)
Salt doesn't necessarily solve the breached hash problem if you're using simple dictionary words. It forces a per-hash computation, so they can't use a rainbow table of pre-computed hashes, but dictionary words will still be the second thing criminals will try (the first thing is a quick-list of top password offenders). Sure, it significantly slows the process down, but once the database is offline, there's plenty of CPU horsepower available to do that sort of thing.
Actually, it may be more accurate to sa
Can tomorrow be world English grammar day? (Score:2)
I'll trick 'em all! (Score:3)
12345...7
Okay... (Score:1)
"password02". Done!
Re: (Score:2)
This is because Microsoft doesn't change stored passwords on Hotmail when they update policies for the service... Case in point, my dummy account from the '90's still has a password that is well under the minimum number of characters required to login. Very short, sweet, easy to remember, and cannot be brute forced because nobody would think to check a password outside of their "requirements"! (oh wait, fuck, I just admitted publicly there are passwords outside of their requirements)
Not happening. (Score:2)
I have 400+ unique passwords. I don't think I'll be changing those for password day.
I suppose putting my trust in a password manager could also be considered a risk, but I use a passphrase long enough that even someone with an extensive dictionary attack would take years to get through it.
Re:Not happening. (Score:5, Insightful)
Password change frequency (Score:2)
Although I do not have proof of this, I believe that the the password change policy came from the way early UNIX systems handled the password files.
Early UNIX systems did not separate the username file from the password file. Both were kept in /etc/password. This file had to be world readable in order for anyone to log in. So if you had any access at all, including guest access, it was easy to copy the password file. Although the passwords in the the file were hashed, it they could be cracked or a rainbow
Re: (Score:1)
Re: (Score:2)
That's great, in theory. In reality it will just lead people to create very easy to remember passwords, since people are good at routine and not at things that change constantly. Those easy passwords, in turn, are much more easily cracked. How would you mitigate that risk, increasing the password change frequency?
I've worked with highly sensitive systems (*ahem* the Ogone payment system for one) that use silly policies like these, and yet are horribly unsafe. At one time when I tried to login with an expire
Re: (Score:2)
I think this is intended for those users who use poor passwords. Although, come to think of it, it wouldn't help them either.
This shouldn't be an issue. I'm a long-time Mac OS user, which has come with an encrypted password manager since at least 2001. I'm sure Windows must have one by now, too. It's trivial to create a strong, unique password for every site or service I sign-up to, (somewhere north of 600 unique passwords, now), and I've only had to remember one strong password all these years. I've never
Ummm (Score:3)
I thought that regularly changing one's password was unnecessary https://www.schneier.com/blog/archives/2010/11/changing_passwo.html [schneier.com]. I thought that it needs to be changed if found to be hacked, but otherwise as long as its strong, there's no need to change it. So while promoting good password habits is a good idea, I'm not sure that "annually change all your passwords on the same day every year so that any eavesdropper/keylogger can look for possible password change activity on one day" is one of them.
Great (Score:1)
Now I'm going to post as an Anonymous Coward for the next six months!
Bad idea (Score:2)
If you were going to install sniffers all over to collect passwords as people changed them, what day would be better than World Password Day...
I'll let the herds get culled as I watch from the hills above, thanks.
Click here if you have forgotten your password. (Score:2)
A new holiday will be sent to your email address.
Security Tokens (Score:2)
I use security tokens instead of passwords, and then external services use OAuth against this centralized service to verify my identity... passwords? What are those!?
Also (Score:2)
if a legit user can hack you systems, the user password isn't your problem.
So many site make you enter a secure password to protect their systems. Ignoring the fact that a malicious person could set up an anonymous account.
Thanks for verbiage suggestion, ideas short (Score:1)
due to all the past changes. My new password is "It's change your password day"
I don't always change my password.... (Score:1)
once a YEAR huh? (Score:2)
Anything important should be changed more frequently. And anything less important... why do we have a special day for it? Waste of time. *shrug*
Re: (Score:1)
Anything important should be changed more frequently.
Why? If my password isnt comprised, why the fuck would I change it? All that does is encourage people to use shitty passwords because they have to change them all the time.
I hate people like you
Easy (Score:1)
This is a perfect time to employ... (Score:1)
passphrases.
Because (ignore quotes) "bob is a dork and i hate my job" is largely easier to remember and more powerful than, "Tr0ub3c43r#$" [insert obligatory XKCD].
I mean really. If a person makes a passphrase as a full sentence (i.e. spaces, punctuation, capitalization, all the things grammar teachers teach), then that will give some part of school you likely never cared about some meaning in your life, and it would make your passphrases much more secure and easier to remember (i.e. it tells you a lot abou
I'm changing my password to 'incorrect' (Score:3)
Re: (Score:2)
Re: (Score:2)
My software told me "your username/password is invalid". So I entered "invalid" for both. Still didn't work.
You're not doing it right, maybe.
I hate to admit XKCD was right, but....goddamnit (Score:2)
The prevalence of the passwords requiring uppercase, lowercase, punctuation etc is ridiculous as more and more sites and servers I use are requiring it.
I'm going to make an assumption here and I bet I'm I'm right. (I have NO idea!)
The VAST majority of security breaches are due to poorly patched software / bugs / social engineering / angry staff etc.
I'd wager very very few password hacks are due to people having the password
"momspajamas2212" instead of "M0mspaJAMas22!2"
I will say I'm finding the only way to
Re: (Score:2)
Re: (Score:2)
The prevalence of the passwords requiring uppercase, lowercase, punctuation etc is ridiculous as more and more sites and servers I use are requiring it.
I'm going to make an assumption here and I bet I'm I'm right. (I have NO idea!)
The VAST majority of security breaches are due to poorly patched software / bugs / social engineering / angry staff etc.
I'd wager very very few password hacks are due to people having the password
"momspajamas2212" instead of "M0mspaJAMas22!2"
I will say I'm finding the only way to still remember my passwords on sites now is to start using pattern based passwords, example "$RFV%TGB4rfv5tgb" (try typing that) - it's not ideal but I can remember the bastard thing. (I hope this helps someone else out, I gave it out to someone recently and they adopted something similar pretty much instantly and yes, I know you could add patterns to the dictionary)
If you look at those who have analyzed cracked databases to see what passwords people actually used, you'll find that people get hacked because they're using passwords like "password", "123456", "monkey", and so on [cbsnews.com].
Honestly, I've found that a password manager is really the only sane way to use cryptographically secure (and completely different) passwords on every site without worrying about losing those passwords. I use Lastpass, since it syncs between machines automatically and has a plugin which automati
Buck the trend (Score:2)
So what if this is a ruse to get people to change passwords on the one day that security exploits are in place to capture the new passwords? Buck the trend and change them some other day or not at all.
Too many rules.... (Score:1)
Fallout (Score:2)
Does that mean today is World "I Forgot My Password" day?