Comments on: Password Resolutions for 2009

By: Daniel Flounders

Daniel Flounders — Sat, 03 Dec 2011 12:28:24 +0000

There is no ‘perfect solution’ regarding password creation.
Some of the above is good, however, one big problem is that websites have different restrictions on the type of characters and length, which often break the ideas above.

For example, most sites require passwords of a minimum 6-8 characters to a maximum of 12-16.
Some sites won’t allow special characters i.e. !@?$, etc.

I have around 4-5 different passwords which use a combination of numbers, lower and uppercase letters, special characters at beginning and end, and importantly, NON dictionary words – something I don’t think you covered.

Dictionary words should be avoided as these are the most commonly used passwords and the obvious ones for brute force scripts to break.

However, dictionary words can easily be broken up using numbers i.e, password becomes p4ssw0rd

By: Omarra Byrd

Omarra Byrd — Mon, 19 Jan 2009 02:06:22 +0000

I actually love the RoboForm software myself. I use it all of the time and it takes all of the menial everyday tasks that I have to perform on my computer daily and shortens them extremely! What once took me fifteen minutes to complete now takes me only one second because RoboForm does the same task with just one click. In fact I wrote a Report about a lot of RoboForm’s capabilities for use that aren’t even touched on in the User’s Manual for RoboForm. You can get that Report here:

http://www.theroboformreport.com

There is also a FREE version of RoboForm that you can download on this web page, just to test the RoboForm software out for yourself! I highly recommend it!

By: Matt Selbie

Matt Selbie — Thu, 15 Jan 2009 17:06:54 +0000

Nice article that highlights the growing need for usable security products on the internet. Nevertheless some of the solutions you and your readers propose are seriously flawed.
Longer or more complicated password strings are not the solution, as they confound the memory even more AND can be keystrokelogged.
We know from lots of research that people prefer pictures to words and from our own research at Vidoop, that by far the majority of US adults on-line are very frustrated with remembering and organizing passwords. So we developed a visual login that eliminates passwords and yet is effective against the prevalent forms of hacking. Its free, usable, secure and works on multiple computers. It remembers passwords and fills in forms so you dont have to, which means there DOES NOT have to be a trade off between usability and security.
Shameless plug but, check out the frisbee catching tortoise video at http://www.vidoop.com

By: nightclaw

nightclaw — Thu, 15 Jan 2009 09:16:42 +0000

@Mark – although this is obviously true i think it’s a fair trade-off between usability and safety.

One point i miss in the post: always use https when it’s available, a good password is worth nothing if it’s transmitted in plain text.

gmail users can also use the emailadress+random-part@gmail.com option to add extra login-unguessableness when using their email address as login

By: Mark Shead

Mark Shead — Thu, 15 Jan 2009 02:22:17 +0000

@nightclaw – that would work, but if someone gets your password for yahoo.com it is trivial to guess your password for Amazon.com.

By: nightclaw

nightclaw — Wed, 14 Jan 2009 21:09:43 +0000

##
$5*9twoop6 for Amazon.com, $5*9twoop5 for Yahoo.com
##

instead of using numbers you could use the full url for extra length and it’s much more easy to remember.
e.g. $5*9twoo_amazon.com and $5*9twoo_yahoo.com

By: Mike Nash

Mike Nash — Wed, 14 Jan 2009 18:36:47 +0000

Another important point is security challenge questions – never answer them truthfully when creating an account. Use another response. For example, your credit card has challenge question of what year you graduated from High School – that is way to easy for someone else to know. Instead use a password as described above.

Suggest you use a program like RoboForm to keep track of those hairy passwords.

By: tom

tom — Wed, 14 Jan 2009 18:03:53 +0000

I remember a few years ago where they came out with a study that a good percentage like 20% of people were willing to give away their password for like technical support without fully knowing if the person who will help them is legitimate.

Fast forward now, at my job in a call centre, I have received calls from internal customers calling about a problem with their system and without hesitation they are giving me their passwords and what not.

It goes to show you how people can be careless with such sensitive information.