Comments on: Passwords are Inherently Insecure
http://www.terminally-incoherent.com/blog/2011/12/21/passwords-are-inherently-insecure/
I will not fix your computer.
Tue, 04 Aug 2020 22:34:33 +0000

By: GDR! http://www.terminally-incoherent.com/blog/2011/12/21/passwords-are-inherently-insecure/#comment-21192 Sat, 14 Jan 2012 08:11:28 +0000 http://www.terminally-incoherent.com/blog/?p=10860#comment-21192

lawl @ story about guy in the basement

By: Jed http://www.terminally-incoherent.com/blog/2011/12/21/passwords-are-inherently-insecure/#comment-21102 Sat, 31 Dec 2011 06:06:19 +0000 http://www.terminally-incoherent.com/blog/?p=10860#comment-21102

Worst I have come across is http://www.virginmobile.com.au, your user name has to be your phone number, and your password has to be nothing but exactly 6 numbers.

By: Travis McCrea http://www.terminally-incoherent.com/blog/2011/12/21/passwords-are-inherently-insecure/#comment-21070 Tue, 27 Dec 2011 06:28:34 +0000 http://www.terminally-incoherent.com/blog/?p=10860#comment-21070

What annoys me more is having restrictions on what your password must or must not have. Let the user know that they are being an idiot by selecting such a weak password and then move on… I don’t believe it’s their place to dictate what I use as my password, and frequently it requires me to use a password that I forget frequently and thus would have to keep in an excel spreadsheet or something else… which makes it less secure.

I used to use: travi$l0ve as my “go to” password for various services but I finally had to abandon it because some services didn’t like the $ and others said I would have to have a capital letter, etc etc. (to anyone reading, this password has been totally phased out except maybe one or two throw away services I do not plan on ever using again).

While I recognize the above isn’t the world’s STRONGEST password, for the time being I am not Julian Assange and I just want a password that is going to keep most people out, and if someone wants access to my accounts bad enough they will get in regardless.

What IS dumb is Fatcow’s rule for email addresses that they must be between 6 and 8 characters long and can only be alphanumeric. My email passwords are always my strongest passwords (because they are my fucking email passwords), so I don’t use their email platform.

By: Andrew Zimmerman http://www.terminally-incoherent.com/blog/2011/12/21/passwords-are-inherently-insecure/#comment-21053 Sat, 24 Dec 2011 12:39:54 +0000 http://www.terminally-incoherent.com/blog/?p=10860#comment-21053

Luke,

I think when our loved ones are affected it affects us the most.
Not to mention the entire industry built off of identity protection.
I think StDoodle had a good point:

My wife has an “in case of emergency” envelope with my KeePass passphrase/word, and it has everything else. There’s a copy on my laptop, my work computer, and my phone; if all three are lost, the town was probably nuked and my passwords are the least of her worries.

I try to continue to help my loved ones do better with their passwords. What’s interesting is a lot of people are used to using one handle online as well.
Compare that to possibly tracking a user down on torrent sites via their information already given.

I think xkcd made a good point, and it’s a shame we have conditioned ourselves to think that way.

By: Liudvikas http://www.terminally-incoherent.com/blog/2011/12/21/passwords-are-inherently-insecure/#comment-21046 Fri, 23 Dec 2011 12:44:07 +0000 http://www.terminally-incoherent.com/blog/?p=10860#comment-21046

@ MrJones:

Oh no! It’s in German! My evil plans are ruined by the language barrier! :D

By: MrJones http://www.terminally-incoherent.com/blog/2011/12/21/passwords-are-inherently-insecure/#comment-21045 Fri, 23 Dec 2011 08:42:57 +0000 http://www.terminally-incoherent.com/blog/?p=10860#comment-21045

@ Liudvikas:

http://www.postbank.de

By: StDoodle http://www.terminally-incoherent.com/blog/2011/12/21/passwords-are-inherently-insecure/#comment-21040 Fri, 23 Dec 2011 03:55:50 +0000 http://www.terminally-incoherent.com/blog/?p=10860#comment-21040

Ok, I was only able to skim before my last post, so now that I’ve read further, here are my additional thoughts:

1) People don’t care because anything on a computer isn’t “real.” Don’t give me the rational argument against this; it’s an emotional response, not a rational one. I work in the construction industry, technically, and I can’t tell you how many times people insist on getting a fax because it’s more “real.” Of course, lack of internet access in this country doesn’t help either (yeah, when the building’s done it won’t be an issue, but try getting a good connection on a job site without getting raped by your cell phone provider if you use it constantly; but I digress). On the low end, people tend to think of everything in those mysterious boxes as “magic,” while on the mid-range it’s just an appliance. Only those of us geeky about these things in general see it for what it is enough to worry about such things.

2) One really good & complex pass phrase (you can combine a full pass phrase with various symbolic substitutions for a decent “password”) + KeePass + syncing (I use SpiderOak personally, but whatever; just be a bit more careful if you use dropbox) and you’re set. My wife has an “in case of emergency” envelope with my KeePass passphrase/word, and it has everything else. There’s a copy on my laptop, my work computer, and my phone; if all three are lost, the town was probably nuked and my passwords are the least of her worries. ;) Actually, one could also re-download KeePass and grab the database from SpiderOak; don’t worry, I store the password in KeePass, so it should be…. oh damnit.

By: Luke Maciak http://www.terminally-incoherent.com/blog/2011/12/21/passwords-are-inherently-insecure/#comment-21033 Thu, 22 Dec 2011 16:06:06 +0000 http://www.terminally-incoherent.com/blog/?p=10860#comment-21033

@ Liudvikas:

for noble reasons for science.

FTFY

@ Victoria:

Our company uses first initial + last name which has been working out fine so far. All the emails have been unique so far and quite easy to guess/recognize. We also had some funny ones. One guy who worked for us for a few weeks was W. Hoops so his email became whoops@companyname.com. He got fired fairly quickly and the management decided that he was a whoops indeed.

My university uses last name + first initial so I’m always logging into the wrong systems with the wrong username. :)

@ astine:

That is very likely their “official” cover story for 6 character password length limit. I still like my punch card theory the best.

@ StDoodle:

Well, seeing how you read this here blog I consider you an honorary member of the industry – even if in spirit only. I’d print out and send you a certificate of achievement or something but I’m lazy. :)

@ Douglas:

Six characters exactly? Wow… That’s… I have no words.

Actually, I do – I wonder how many people chose their six characters to be “FUCKOF”.

@ Kim Johnsson:

You are lucky.

@ k00pa:

Then you put a small link next to FB, Twitter and Google buttons that says “Other”, and gives you access to the full set of OpenID options. Those with custom OpenID ought to be smart enough to click on it, while the dummies will be distracted by the big colorful ones long enough to get scared of it. :)

@ Morghan:

This is actually pretty clever. Use a really long and difficult string, and let the service itself pick a subset of it. I like this!

@ k00pa:

The browser detection plugin I use has sort of been abandoned by its creator. It has not been updated in years. One of these days I will sit down and make sure it properly detects mobile browsers…

@ axebeer:

Wow, nice. One time pad approach to bank security. This is actually pretty neat.

By: axebeer http://www.terminally-incoherent.com/blog/2011/12/21/passwords-are-inherently-insecure/#comment-21032 Thu, 22 Dec 2011 14:12:36 +0000 http://www.terminally-incoherent.com/blog/?p=10860#comment-21032

Also, might I add, I was mildly shocked to find out that bank websites out there use… persistent passwords? Over here in Finland a few banks (probably all of them) hand out a list of passwords to each customer, and while the passwords are short, they are all disposable, one-time, and you have to use them in the same order as they appear on the list. So as the customer you have to punch in your login ID and then the one-time password. Should you lose the list, you might be fucked, but the thief would still have to know the login ID which is always numbers-only, and never printed on the list.

By: axebeer http://www.terminally-incoherent.com/blog/2011/12/21/passwords-are-inherently-insecure/#comment-21031 Thu, 22 Dec 2011 14:03:26 +0000 http://www.terminally-incoherent.com/blog/?p=10860#comment-21031

The only logical option is to change this scenario, aggressively. We will ridicule every programmer/website developer/whoever who caps the password length to anything less than 500 characters or so.
