It seems like more and more websites are becoming very stringent with the requirements for each individual user's password. Why is this? Are there really that many people that have had their Yahoo, e-mail, and message board type passwords hacked? For example, the frickin' state legislature in Arkansas recently passed a law that all state-related computer passwords must be updated every 90 days and use at least letters, numbers, and upper and lower-case letters. I go to a state school, so my campus password falls under this law, which is annoying as balls. First, after a while, it gets hard to remember what your new password is. Second, if you don't update your password, you get locked out of your account until you go fill out a paper form in the tech office that allows you access in order to set a new password. I'm waiting for the day when every password must look something like: Ofjsodjsfoijweoirfar7^4287q9)**!#&^T#4878!~~!!!!!"
my co-worker has a great solution for this... write it down on a post-it and stick it to your monitor. problem solved! he's never forgotten his passwords.
You can always use phrases to help remember passwords. For example: THRh53wa29lly! = The Houston Rockets had 53 wins and 29 losses last year! (granted, you better remember the Rockets record).
Most corporate offices use the 90-day rule and some variant of the number/symbol/letter/case methods. I think a lot of the companies I've worked at have been using that for the past 5-10 years at least. Remembering the password shouldn't be too difficult after you remember it the first time. Just add a number to or increment the number at the end. Of course some draconian IT departments won't let you use passwords that are similar to ones you've already used. Our development department just tore our IT department a new one with all their screwy "security" features they implement without considering the consequences. lol. What I've never understood is why you'd need to change your password if it's already a strong password.
As an aside, any website that makes me change my password is sending out a great-big-o red flag that they cannot keep your password secure. Same thing for employers.
I guess since the invention of math people have known how hard it is to crack passwords like Dog and Car.
And yet banks and credit card companies still have stupid limits for passwords. Only 8 characters? Numbers and letters only?
There are programs (bots, I believe they're called?) that run constantly with different words and number combos from a dictionary to try and crack into some systems. So, for example, if your pwd was "door11"... theoretically as soon as the bot got to the word "door" in the dictionary, it would get in on the 12th try of that word with numbers after it. door0, door1, door2, door3, door4, door5, door6, door7, door8, door9, door10, door11... or similar. The programs used to "troll" for access will even wait 15 minutes once locked out to try again, or so I've heard. The most efficient way to stump the combination program is to use misspelled words, or as suggested above, use a password with an odd assortment of letters, both upper and lowercase, and a minimum of 2 digits. Blame the bots. It's only a matter of time before they become self-aware.
Unless I'm missing something, if the attack is limited to 3-5 attempts per 15 minutes, the defense is doing a good job (especially if they actually realize something is up after 30-45 minutes... or preferably less). The more dangerous attacks are when they can actually test billions (or maybe trillions I guess depending on implementation/hardware?) of possible passwords per second. That was the objective of a CS project I had in one of my security classes. In Linux (and probably other OSs, never really paid much attention), there's a file that contains the encrypted passwords for users. But the encryption algorithm is pretty well known. So if you can obtain that file (which is/was easy to obtain), it is simply a matter of encrypting possible passwords, and comparing them to the encrypted version. We had a list of 20 passwords, and it generally wasn't very difficult to break at least half of them in ~10 minutes or so, depending on how efficient your program was and what hardware it was running on (mine was horribly inefficient, and it was still pretty surprising to see how well it worked). Think they fixed some of the issues with this vulnerability though, so it's not as big of a deal. But the aim is still to bypass the login UI in order to maximize the processing power of the machine(s) doing the attack.
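The "fix" the post above alludes to is how the password file stores its entries: a per-user salt plus a deliberately slow hash means one hashed dictionary can no longer be compared against every user at once. The following is an added illustration, not code from the thread; the record format `pbkdf2_sha256$iterations$salt$hash` is a constructed one for this example, not the real crypt(3)/shadow encoding.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # work factor: each verification costs this many HMAC rounds


def legacy_record(password):
    """Unsalted single-pass hash, the weak scheme the post describes:
    every user who picked the same password gets the same stored value,
    so one precomputed guess table serves all of them."""
    return hashlib.sha256(password.encode()).hexdigest()


def make_record(password, salt=None, iterations=ITERATIONS):
    """Salted, iterated hash in the constructed record format."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(record, candidate):
    """Check a login attempt against a stored record (constant-time compare)."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError("unsupported scheme")
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def distinct_records(passwords, salted):
    """How many distinct stored values a list of user passwords produces.
    With salting, identical passwords still yield different records."""
    records = [make_record(p) if salted else legacy_record(p) for p in passwords]
    return len(set(records))


if __name__ == "__main__":
    # Constructed example: three users who all chose the post's "door11".
    users = ["door11", "door11", "door11"]
    print("legacy distinct:", distinct_records(users, salted=False))  # 1
    print("salted distinct:", distinct_records(users, salted=True))   # 3
```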
Uhhh... and you still let them? For what, FUN? Ever heard of BLOCKING IPs and patterns? C'mon, now. For "months"? This implies more than one... so at the first attempt, that user/ip/block is in the intrusion-detection logs.
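The two posts above describe the defender's side of the online attack: a lockout after a few failures per 15 minutes, a bot that waits out the lockout and retries, and an IP-level block once that pattern shows up in the logs. The following is an added example, not code from the thread; the log format and the addresses are constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication log: one source hammers "alice" in bursts of
# three, pausing just over 15 minutes after each lockout; "bob" typos once.
SAMPLE_LOG = """\
2024-03-01T09:00:00 FAIL user=alice ip=203.0.113.5
2024-03-01T09:00:02 FAIL user=alice ip=203.0.113.5
2024-03-01T09:00:04 FAIL user=alice ip=203.0.113.5
2024-03-01T09:01:00 FAIL user=bob ip=198.51.100.7
2024-03-01T09:01:30 OK user=bob ip=198.51.100.7
2024-03-01T09:15:10 FAIL user=alice ip=203.0.113.5
2024-03-01T09:15:12 FAIL user=alice ip=203.0.113.5
2024-03-01T09:15:14 FAIL user=alice ip=203.0.113.5
2024-03-01T09:30:20 FAIL user=alice ip=203.0.113.5
2024-03-01T09:30:22 FAIL user=alice ip=203.0.113.5
2024-03-01T09:30:24 FAIL user=alice ip=203.0.113.5
"""


def parse(line):
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts), result, user.split("=")[1], ip.split("=")[1]


def lockouts(lines, max_fails=3, window=timedelta(minutes=15)):
    """Replay the log with the thread's rule: max_fails failures inside the
    window lock the account. Returns [(ip, user, lockout_time), ...]."""
    recent, events = defaultdict(list), []
    for line in lines:
        ts, result, user, ip = parse(line)
        if result != "FAIL":
            continue
        key = (ip, user)
        recent[key] = [t for t in recent[key] if ts - t < window] + [ts]
        if len(recent[key]) >= max_fails:
            events.append((ip, user, ts))
            recent[key] = []  # lockout starts; counter resets
    return events


def persistent_sources(events, window=timedelta(minutes=15), min_lockouts=2):
    """Flag IPs whose lockouts recur at roughly one-window spacing: the
    'wait 15 minutes and try again' bot. Per-account lockouts alone never
    catch this; the block has to key on the source address."""
    by_ip = defaultdict(list)
    for ip, _user, ts in events:
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        gaps = [b - a for a, b in zip(times, times[1:])]
        if len(times) >= min_lockouts and all(window <= g <= 2 * window for g in gaps):
            flagged[ip] = len(times)
    return flagged
```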
For those "not so important" sites, I just use the same word password and have it end with 2 zeroes. When it's time to change, I make it 01 at the end, and so forth. You'll at least have an idea what you're at as most people give you a few tries to get your old password right to change to the new one.
One of the programs I use at work requires a different password every 90 days. I started with *****001. I'm up to *****035.
If you followed all password strength guidelines, you'd never be able to get into anything. A different password for each log-in, new passwords unrelated to old passwords, don't write anything down, etc. - the human mind could not possibly manage it. So, all these shortcuts are used instead: incrementing the password, repeating the same password for different log-ins, writing it down on a post-it, etc., to defeat your own security. We need a holistic, secure, but easy-to-use security system. I don't think the password scheme is a great solution. I have 4 passwords. One is a work password, which increments up in the middle of the word. One is a secure private password with a number in the middle that does not increment. The other two are low-security private passwords for websites where security is not important (I have 2 because I had widely used a 7-letter one and then websites started requiring 8 letters).