June 21, 2005 12:47 PM

Write down your password. Bruce Schneier, Author of Applied Cryptography and founder of Counterpane security is urging people to write down their passwords.
posted by delmoi (68 comments total) 2 users marked this as a favorite

That's bullshirt. Matt has a really good method of coming up with and remembering complex passwords. Not sure where it was originally posted, but it can be found here .
posted by Malachi Constant at 12:52 PM on June 21, 2005


I would have to say that it makes sense; where I work, too many people use simple passwords that include two types of waterfowl, and it's really sad. Furthermore, even the sys and net admins use easily broken passwords, and the same password is used for almost every device. At least they could use a secret convention for setting passwords for devices of the same type, but that would be too logical.
Satyagraha
posted by thebestsophist at 12:52 PM on June 21, 2005


Actually, Matt's method of creating passwords is pretty weak and rather easy to mount a dictionary attack against. At the very least you'll have to add some random permutations or other twist.
posted by fvw at 12:57 PM on June 21, 2005


I'm surprised that he doesn't explicitly recommend the use of passphrases.

Schneier, BTW, is a genius. He gave this amazing interview regarding terrorism and security for a site called IT Conversations, and I swear I don't think I've ever seen one person make so much sense at one time.

(I've actually considered posting the interview as an FPP, but haven't gotten around to it)
posted by afroblanca at 12:58 PM on June 21, 2005


And if someone gets a hold of your wallet with a scrap of paper containing all your complex passwords? Well, empty bank accounts are likely just the beginning.
posted by mystyk at 1:00 PM on June 21, 2005


And if someone gets a hold of your wallet with a scrap of paper containing all your complex passwords? Well, empty bank accounts are likely just the beginning.

That's why the best thing to do is use a passPHRASE. It would actually be more secure to use the entire first line of a song than to use the first letters in the chorus. The secret to a secure passphrase is LENGTH, not complexity.

Plus, if you use an entire line from a song (without doing silly letter-number-punctuation substitutions), chances are that you'll have no trouble remembering it.
posted by afroblanca at 1:04 PM on June 21, 2005


I like to use the PasswordComposer GreaseMonkey script for website passwords. One master password, and unique, site-specific ones for everywhere I visit. Thus, my master password is never remotely stored. But if you've got to, say, log into your server or something, writing down a complicated one that changes fairly often is a good idea.
posted by blendor at 1:05 PM on June 21, 2005


Install String::MkPasswd from CPAN, and also install the example mkpasswd.pl script. Then this shell script will create a nice little password card for you.
#!/bin/ksh
# Prints a password card: 16 numbered rows of four random 8-character
# strings, framed top and bottom so any row, column or diagonal can be
# referred to by coordinate instead of by the string itself.
printf "00 |--------|--------|--------|--------| 00\n"
i=0
while [[ $i -lt 16 ]] ; do
   i=$((i+1))
   printf "%.2d " $i
   # Quote each substitution so characters such as * or ? in the
   # generated string are not glob-expanded by the shell.
   printf " %s" "$(mkpasswd.pl -l 8)"
   printf " %s" "$(mkpasswd.pl -l 8)"
   printf " %s" "$(mkpasswd.pl -l 8)"
   printf " %s" "$(mkpasswd.pl -l 8)"
   printf "  %.2d\n" $i
done
printf "17 |--------|--------|--------|--------| 17\n"
Pipe the output of the script to a printer. Make several copies. Instead of using any one password, pick some pattern on the card. Say, some combination of individual letters from each of the strings, or a column, diagonal or row. Then you can safely record your password electronically, as a coordinate rather than as an actual string. You can also make passphrases using combinations of the individual 8-letter strings.
posted by Araucaria at 1:09 PM on June 21, 2005 [1 favorite]


> Actually, Matt's method of creating passwords is pretty weak and
> rather easy to mount a dictionary attack against.

In theory, yes. In practice, I doubt it is really practical -- the dictionary of well-known sentences is much bigger than the dictionary itself.
posted by NewBornHippy at 1:09 PM on June 21, 2005


I haven't seen a cracker that attempts these chars yet and you can still have something that is easy to remember!!

Creating Uncrackable Passwords
posted by tke248 at 1:10 PM on June 21, 2005


A good idea I've heard is to write them down AND have some kind of easily remembered prefix (like '1q' or something). So even if someone gets access to the list, they won't be able to trivially get in.

The phrase thing doesn't work well for me -- it takes forever to convert the phrase into the password, and I always need passwords with numbers, which limits the possible choice of phrases.
posted by smackfu at 1:11 PM on June 21, 2005


This FPP is a link to a one-paragraph blog post. (Well, three paragraphs, but the first two are single sentences.) Just sayin'.
posted by goatdog at 1:13 PM on June 21, 2005


I just use 12345.
posted by keswick at 1:16 PM on June 21, 2005


The phrase thing doesn't work well for me -- it takes forever to convert the phrase into the password, and I always need passwords with numbers, which limits the possible choice of phrases.

The idea is to use the ENTIRE phrase, not just the initials from it. No conversion necessary.

Plus, if you have a passphrase that includes upper and lowercase letters as well as punctuation, you usually don't need to use numbers. (works on most Windows setups) So, a proper sentence would get you past the complexity requirements.

(I'm actually surprised that systems still have complexity requirements, considering how ineffective they are)
posted by afroblanca at 1:20 PM on June 21, 2005


It is most thoroughly secure to destroy all notions of personal value that you grant to your data. That way, there is nothing to protect and you can finally use a memorable password, such as God, Sex, or Love. Your system may be hacked one day, but not so your epistemological use-value.
posted by eatitlive at 1:21 PM on June 21, 2005


The unfortunate drawback to Matt's method is that you have to hum a lot of songs to remember all your unbreakable passwords. I have different "secure" passwords for different places - bank account, corporate VPN, paypal etc. I don't want someone that gets a hold of it one place to suddenly go wild trying it everywhere else.

I do something like what Schneier says, coupled with something like smackfu says. I do have a list written down but those aren't the actual passwords.

I would also add that if you use Matt's method, don't pick a well known song. I used to do something similar. But I used a line that a radio astronomy thesis advisor once said to me: "Everything will be fine, as long as we can find the 115Ghz line"

Ewbfalawcft115Ghzl

(No, I no longer use this password)
posted by vacapinta at 1:23 PM on June 21, 2005


I just use 12345.

Lies!
posted by muckster at 1:24 PM on June 21, 2005


I think everyone should get their passwords tattooed on their forearms.
posted by fenriq at 1:28 PM on June 21, 2005


I just use 12345

Sounds like the kind of thing an idiot would put on his luggage. :)
posted by Ljubljana at 1:30 PM on June 21, 2005


Schneier's right.

Write your passwords down, and make the motherf*ckers complicated.

You'll be more secure. Honest, you will.

I have dozens of passwords. Because of a fanatical belief that they must not be written down, I am much, much less secure. I have to use the same passwords in order to have any chance of remembering them. I have like 5 or 6 full-strength passwords with upper and lower case, punctuation, and numbers, and I bet my ability to remember that many is above average. And it's still not good enough.

Pass-phrases are fine, but I find them a pain in the ass. You have to have 4 or 5 or more words in order for them to be good, and that's just too much typing (and it's not uncommon to run into limitations on password length in software). And they're still quite possible to forget, especially if you use them infrequently.

Write them down. At work, lock them up. At home, lock them up or put them away somewhere obscure. If you're breached that way, your problems are bigger than password security, and you should start thinking about those.

But in the end, password attacks aren't a problem unless the passwords are REALLY dumb. Telling users to write them down and lock them up can help alleviate that, thus making things better.
posted by teece at 1:35 PM on June 21, 2005


It's a risk-benefit tradeoff. No password is totally secure. Are the odds higher that someone will steal your wallet, or that they will hack your computer?

If they get your wallet, there are A LOT worse things that can happen than them taking a credit card, even without the password data in there.
posted by zerolives at 1:35 PM on June 21, 2005 [1 favorite]


Rather, I guess I should say "hack your server" or "a server".
posted by zerolives at 1:36 PM on June 21, 2005


This post and these comments are so 1999. And that's not a snark.
posted by y2karl at 1:39 PM on June 21, 2005


Paranoids can interleave passwords; type in the first phrase initials then interleave the second phrase:
1itlnyed + 2cbaba1 = 12ictblanbyae1d
Then supposedly you're protected from the dumbest keystroke recorders, say if you are on a less than secure machine. You can do it with normal word passwords, then interleave something else, like:
password + zyxwvutsr = zpyaxswsvwuotrsdr
posted by fleacircus at 1:39 PM on June 21, 2005


afroblanca, nice link (the interview)

I use an obscure 8 char alphanumeric pass for almost everything, chopping it up as necessary, and even changing its order. Need a pin and it's only numbers? there's 4 of them, so just choose. Need a 6 letter pass? take, oh, char 2-7, then maybe reverse them. It works pretty well, although I occasionally need to try 2 or 3 combinations.

For my heavy encryption, which means all my military stuff, I use blowfish 2. Specifically, I use one of two long sentences from famous novels, but not the actual original sentences so much as the way I specifically mis-remember them from childhood. They are well known lines, but certainly not the first from either book. In one case, a TS document had to be ported on a USB drive, so I used BOTH on it, one after the other, then flashed the drive after it got to its destination.
posted by mystyk at 1:39 PM on June 21, 2005


That first-line-of-a-song idea might prove a little tedious, and some systems won't let you type a long password anyhow. Maybe an acronym from a line of a song would work, like "COMWS" for "Carry on my wayward son" if you're a fan of Kansas (or the Foo Fighters).
posted by alumshubby at 1:40 PM on June 21, 2005


eatitlive: destroy all notions of personal value ... and finally use a memorable password, such as God, Sex, or Love

Hahaha :o) It may be equivalent to see everything as equally valuable. However of those three I'll probably pick Sex.
posted by nervousfritz at 1:45 PM on June 21, 2005


I never understood why people don't write their passwords down. Any good password or phrase is going to be too long and complex to always remember. Besides, most of us have many, many passwords or phrases to remember, and writing them down makes it possible to keep everything straight. Really, if someone can physically sit down at your computer, it won't really matter if you've got your passwords sitting there or not.
posted by elwoodwiles at 1:49 PM on June 21, 2005


If you are using non-pass-phrases, but standard passwords, it helps to use parts of the site name in the password. For example, instead of using matt's sample password, "1itlntyed2cbaba1", you might put the first letter of the site name, followed by the number of letters in the site name, followed by the third letter of the site name shifted up by two letters, followed by the password.

So metafilter's password would be:

m10v1itlntyed2cbaba1

While amazon would be

a6c1itlntyed2cbaba1

Still easy to remember, but if someone gets ahold of your password, they'll find that it only works on one site. Depending on paranoia, you can add more rules if necessary, but as long as you remember that one ruleset, and your mnemonic, you can have a whole bunch of different passwords without needing to remember much (for example, site names that start with vowels get their string appended to the end, so amazon becomes "1itlntyed2cbaba1a6c", or the second digit is how many you shift the next letter by, so amazon becomes a6g1itlntyed2cbaba1, while metafilter becomes m10u1itlntyed2cbaba1, etc.).

Remembering a list of like 4 rules (first letter of site. Number of letters in site. Third letter of site shifted by first digit from last step. Then the first letters of "One is the loneliest number that you’ll ever do. Two…can be as bad as one…") is pretty darn easy (though it takes time to type in, as you do mental calculations), and provides enough variety that a spilled password to one site is not a spilled password to everything.

Though if you can't remember song lyrics without humming, lines from nonmusical sources would be better.
posted by Bugbread at 1:49 PM on June 21, 2005


Passphrases are really weak for most web applications. Most truncate at 8 characters.

Matt's method is probably pretty secure as long as you don't use the same password at multiple sites (or as long as you don't care about the multiple sites. Don't use the same song for Metafilter and Fark that you do for E*Trade and Wells Fargo)

Mine are at least fairly secure (mixed case alphanumerics plus other punctuation as allowed by individual websites) and it's far more likely that a script kiddy is going to troll through the logins sequentially looking for insecure passwords.
posted by substrate at 1:57 PM on June 21, 2005


We're all good at securing small pieces of paper.

This guy doesn't know me.
posted by puke & cry at 2:00 PM on June 21, 2005 [1 favorite]


Keyboard patterns.
But then, I play guitar, so I've a fairly well trained tactile memory.
in fact, I use a blues-box method: 1 pattern, just move it up and down the key-[fret-] board.
re:this, would using a non-keyboard character help?
posted by signal at 2:01 PM on June 21, 2005


Totally missing the point here on all counts.

You can say a passphrase is better than a password, but in reality, they're the same thing. Longer doesn't mean better. Nor is complexity better than length. I could have the lyrics to "row row row your boat" as a passphrase, but that'd be far too easy to guess, regardless of how long it got. Likewise, something like "#&d8." while certainly complex, is easily brute forced. You need a happy combination of the two properties, and Matt's method is by far the best. Long, complex, and easy to remember.

I use a slightly different approach where I might replace "e" with a "3" or a with a "A" and I might capitalize certain letters as well.

But none of that matters.

There's a whole bunch of security theory underlying his remarks that he doesn't go into simply because it's a bit much to convey to people who really don't think much about it.

Crypto-Gram regulars and readers of his book Beyond Fear will have a better understanding of the underlying reasons.

It's about evaluating cost, effectiveness and risk for a given security layer. What is the cost and is it reasonable? How well does it work and what are the risks? After finding your answers you have to evaluate if the given solution is optimal.

So let's do that with writing down your password versus remembering it.

An assumption we must make here is that it is easier to remember a short/simple password than a long/complex one. The next assumption is that users who memorize passwords will probably use short/simple passwords while those who write on paper will use longer/complex passwords.

You might argue that by writing a password down, a user won't forget it, so the password won't need to be reset if it's forgotten. This would cut down on time spent by the user trying to remember a password and IT staff who have to reset the password and possibly re-enable the account if there's a lock-out after x number of invalid passwords.

The risk of writing it down on paper is that someone will find it and use it. By memorizing it, nobody is going to stumble upon it and be able to use it.

But you also have the risk that a cracker will be in a position to brute-force the password by making an unlimited number of guesses. In those instances, the simpler password is going to be cracked much sooner than the complex one.

Writing it down requires physical access to the piece of paper. So maybe you limit your risk to only a few hundred (employees). Whereas a weak password could be brute forced by anyone with access to the authentication system, which could (and often does) include an internet component, opening up the system to any outside intruders (maybe a few thousand if we count only those who have the intent and know-how to do so).

But the larger the company, the more that argument equals out. Forgotten passwords versus lost paper with password on it could happen the same amount of time. So maybe we kill the cost argument as well.

So at this point, both approaches seem fairly equal. What I think pushes the written-down piece of paper over the top is the key point that you carry that piece of paper on you at all times (wallet, purse, whatever). Not under your keyboard or on a sticky note for everyone in your office to see. Put it right next to your driver's license. The idea is that maybe your password will have fewer chances for at least the 'casual' attacker to find and use it.

But ultimately you need to remind yourself that no matter what precautions you take, your password is only one small piece of the larger puzzle, and how far can you go in really protecting your password? Sure you can stick it in your wallet, but someone could steal your wallet. Sure you could memorize it, but someone could force you into revealing it.

And to be perfectly honest, passwords are the last spot a lot of attackers will go to gain access to your system. Why bother with countless hours trying to brute-force it when they can call you up on the phone, pretend to be IT services, and ask you to give it to them. Or why bother targeting you, when they can go to your boss or manager, who is much weaker at keeping his password secret. Or maybe an attacker walks into your company and finds an active jack to plug a small computer onto your network. That then dials home to give the attacker access to your intranet, easily bypassing your company's expensive firewall. Or your company is using a wireless network, in which case the attacker just sits in the parking lot.

There are thousands of points in a given security system (each user being a separate point on top of all the other layers). If you focus too much on one (passwords) you might ignore another (social engineering).

So Schneier keeps it simple. Write it down. Keep it in your wallet. There are much more important things you need to be worrying about.
posted by ruthsarian at 2:12 PM on June 21, 2005
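The tradeoff sketched above (a famous lyric is long but guessable, "#&d8." is complex but tiny) can be put in numbers. This is an added example, not code from the thread; the guess rates and the size of the lyric list an attacker could compile are assumptions:

```python
import math

# Constructed candidates in the styles this thread argues over. Each entry is
# (label, model, parameters):
#   "random": every character drawn uniformly from an alphabet -> (alphabet_size, length)
#   "phrase": one entry drawn from a list an attacker could compile -> (list_size,)
# The alphabet and list sizes are assumptions for illustration.
CANDIDATES = [
    ("'#&d8.' style: 5 random printable chars",  "random", (95, 5)),
    ("8 random mixed-case alphanumerics",        "random", (62, 8)),
    ("12 random printable chars (a card entry)", "random", (95, 12)),
    ("4 words from a 7776-word list",            "random", (7776, 4)),
    ("a famous song line, 1,000,000-line list",  "phrase", (1_000_000,)),
]

# Assumed guess rates: an online login form that lets an attacker try about a
# thousand passwords a second, and offline cracking of a leaked fast hash.
ONLINE_RATE = 1_000
OFFLINE_RATE = 10_000_000_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def guess_space_bits(model, params):
    """Size of the space an attacker must search, in bits (log2 of the number
    of equally likely candidates under the stated model)."""
    if model == "random":
        alphabet_size, length = params
        return length * math.log2(alphabet_size)
    if model == "phrase":
        (list_size,) = params
        return math.log2(list_size)
    raise ValueError(f"unknown model {model!r}")


def years_to_exhaust(bits, guesses_per_second):
    """Years needed to try every candidate at the given rate (the expected
    time to hit the right one is half of this)."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare(candidates=CANDIDATES):
    """Return (label, bits, online_years, offline_years) per candidate,
    weakest first. Note that the long lyric ranks below the 5-character
    password: what matters is how the secret was chosen, not its length."""
    rows = []
    for label, model, params in candidates:
        bits = guess_space_bits(model, params)
        rows.append((label, bits,
                     years_to_exhaust(bits, ONLINE_RATE),
                     years_to_exhaust(bits, OFFLINE_RATE)))
    return sorted(rows, key=lambda row: row[1])


if __name__ == "__main__":
    print(f"{'candidate':44s} {'bits':>6s} {'online (y)':>12s} {'offline (y)':>12s}")
    for label, bits, online, offline in compare():
        print(f"{label:44s} {bits:6.1f} {online:12.3g} {offline:12.3g}")
```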


Use a transformation.

Input --> Sitename; A (common) not-so-obvious keyword

Function
--> ROTx Sitename; ROTy keyword
--> Interleave (don't have it be plain alternation)
--> Profit!! Ok, maybe not.
posted by daksya at 2:12 PM on June 21, 2005


I have been using "matt's method" since matt was in fourth or fifth grade I reckon. The way I heard it was you use the first line in the song that was on the radio when you lost your virginity.

There's a lady who's sure all that glitters is gold ->
Talwsatgig1

which was my password everywhere for at least five years. Now I do different songs. Without special characters like *,&,%,$,# or @, most security software gives my passwords a crackability resistance of .95, not .99. But every time I see somebody else's password (I am not an admin but I see a password by accident probably once every couple of weeks) I am never impressed by anybody else's password.

Anybody assaulting a system (as opposed to assaulting bukvich) is going to find some other user's password weeks before they are going to find mine.
posted by bukvich at 2:28 PM on June 21, 2005


tke248, how do you make those alt-characters on a Mac?
posted by dobbs at 2:34 PM on June 21, 2005


A complicated password that you write down is one that can be stolen in one place -- from that piece of paper. Lock that up in a desk drawer, even a lame office built-in desk lock, and you've made it basically invulnerable to the vast majority of the internet.

A simple password is one that can be stolen from anywhere on the net.

Bruce is exactly right here -- writing down a good password is far better than using a bad one, and the vast majority of passwords are very weak indeed. Yes, in an ideal world [1], everyone would use only strong passwords, and could remember them, and remember which sites were which, and, and, and.

They can't. Yes, they can use PasswordSafe. But that's a pain. Many don't bother. I'd much rather take the first risk, than the second -- because the attacks against a password on a piece of paper are much harder to do than attacks against weak passwords.

The meta answer is "Passwords are bad." But alas, the infrastructure for anything else simply isn't there and widespread enough to get rid of passwords.

Just treat that piece of paper as you would another piece of paper that is worth some amount of money. If you want to be fancy, do what I do:

Print them out. Tape them to the bottom of your keyboard.

(Heh.)

Lots of them. I use a grid of 10x40 passwords, all 12 character random. Three are highlighted.

Those three, along with about 300 others, are fake. I know where on the grid the good ones, and what they are for.

Now, am I insecure for writing down my passwords?

(By the way, there are boxes that lock out remote access if you try some of these passwords. Yes, this is a denial of service attack. First, compromise my firewall, getting access to that server. Now, compromise my office. Steal my keyboard. Now, start guessing servers. At this point, if you wanted to DOS me, just throw a bottle of gasoline and a match into the datacenter next to me.)

Security is a tradeoff. How much security vs. how much threat? If anyone gets to my keyboard, that list of 400 passwords is, quite frankly, one of the least of my worries.

[1] Ideal world. Cows are spherical and equally dense, friction isn't and computers never crash.
posted by eriko at 2:38 PM on June 21, 2005


I have a friend who uses the same password for everything. I've heard over and over that that's a stupid thing to do and have told him but when he asks why... I can't think of a good reason.

The obvious thing is that if someone figures it out they can get into all his places but he says "1. I don't tell anyone" (apparently it's not a phrase or word but a "random" string of characters). and "2. They'd have to know all the places."

Though I don't use his method as I have a great memory for convoluted password-nonsense (but unfortunately nothing else), I'd love to have some ammo to use against him. What am I missing?
posted by dobbs at 2:38 PM on June 21, 2005


What's wrong with using password manager software that encrypts the data?

Aside: Hi bukvich! Nice to see ya here! Yeah, when I saw Matt's method I remembered that's close to what you do too; is that a first-line gimmick a widespread meme now? I couldn't use it: I lost my virginity in a wooded patch by the roadside at night, and the only sounds I recall are random traffic noises and Helen going "Oh, David! Oh, David! Oh, David David David!"
posted by davy at 2:41 PM on June 21, 2005


I have been using "matt's method" since matt was in fourth or fifth grade I reckon. The way I heard it was you use the first line in the song that was on the radio when you lost your virginity.

Hold on Bukky: are you telling us you lost your virginity in the fourth or fifth grade? If so, well, damn, what a boy!
posted by davy at 2:44 PM on June 21, 2005


dobbs: Well, it first assumes that he trusts the administrators of the sites where he uses his password not to abuse it elsewhere.

Even if he does, let's say he uses the same password for Metafilter (or Flickr, or some other non-essential service) and for his online banking, or PayPal, or eTrade. Most of these financial sites use techniques (HTTPS is, I think, the most prevalent) which encrypt data (like your password) so that they can't be read by any curious sysadmin on any machine through which your HTTP packets have to travel. But now your curious sysadmin sees you use "mypassword" on Flickr (which doesn't use any such encryption, so this is very easy), and sees that there's encrypted traffic between you and eTrade, and decides to try "mypassword" on eTrade on a hunch, and lo-and-behold, it works, because you use the same password for everything.

The attacker need not necessarily actually be a sysadmin — the above applies to folks running packet sniffers on open WiFi networks, for example.

(I'm not a security person or a network engineer and the above may be off at parts. But I believe the gist of it is correct.)
posted by IshmaelGraves at 2:56 PM on June 21, 2005


davy : "Hold on Bukky: are you telling us you lost your virginity in the fourth or fifth grade? If so, well, damn, what a boy!"

No, when matt was in 4th or 5th grade (unless of course bukvich is the same age as matt, in which case, "yes")
posted by Bugbread at 3:01 PM on June 21, 2005


So Davy, is your password ODODODDD?
posted by palinode at 3:31 PM on June 21, 2005


Nonono, it's "OD!OD!ODDD!"

Or, for high security sites: "O,D!O,D!O,D,D,D!"
posted by Bugbread at 3:36 PM on June 21, 2005


Hmm. Thanks Ishmael.
posted by dobbs at 3:49 PM on June 21, 2005


(Redundant, based on the above answers, but posted anyway)

Dobbs, a simple answer for your friend is that sometimes admins or people with access to admin data are not trustworthy. If they get your one-and-only password, they can just try it on random high-value targets.

For example, I (really) am a programmer working on a site which has multiple tens of thousands of users. Our site is not high-security, and we store passwords in a database, without encryption or hashing. I commonly clone the live database to our test server when testing new features. To login, I do a query against the database for a random user of the type I want (works for the right person, has the right privileges, whatever). I have that user's name, email address and password. I use it for "good purposes", but I often wonder how likely it is that the passwords to which I have such trivial access would grant me access to other sites. For example, we have thousands of hotmail and yahoo users. I wonder how many passwords in the database are the same as the hotmail or yahoo account passwords. I'd be willing to guess that more than a quarter are, and that more than half would be simple permutations of the password I have for them.

I could easily write a program which would walk through the database, yanking every likely account, and checking for access to Yahoo/Hotmail. It would be simple, probably less than an hour of work, and would certainly net me hundreds of accounts. Those people are the most likely to be stupid-password-people, and from there I could go to a local free wifi area (to help block tracing) and start trying high-value targets, like EBay, E*Trade, Wells Fargo. The only thing which prevents me from doing this is my ethics. I trust my ethics, but I don't know why your friend should.
posted by Invoke at 3:53 PM on June 21, 2005
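The fix for a table like the one described above, where cloning the live database hands the tester every password, is to store a salted, slow hash instead of the password itself. This is an added example in Python, not the poster's code; the iteration count and the sample row are assumptions:

```python
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # assumed work factor; tune so one login costs ~100 ms
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a self-describing record 'algorithm$iterations$salt$digest' (hex).
    A fresh random salt means two users with the same password get different
    records, so a copy of the table cannot be attacked with one lookup table."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time. Malformed or unknown records simply fail to verify."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except (AttributeError, ValueError):
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


# Constructed row of the kind of table the comment describes: the password
# column is in the clear, so anyone holding a copy of the database has it.
PLAINTEXT_ROW = {"name": "alice", "email": "alice@example.invalid", "password": "hunter2"}


def migrate_row(row: dict) -> dict:
    """One-off migration for a plaintext table: replace the 'password' column
    with 'password_hash'. A cloned test database then carries no usable secret,
    and testers log in with accounts they create themselves."""
    migrated = dict(row)
    migrated["password_hash"] = hash_password(migrated.pop("password"))
    return migrated


if __name__ == "__main__":
    row = migrate_row(PLAINTEXT_ROW)
    print(row)
    print(verify_password("hunter2", row["password_hash"]),
          verify_password("hunter3", row["password_hash"]))
```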


Firstly, don't just pick some commonly known algorithm for creating and remembering passwords. That's just stupid. Make up your own method, check that it isn't cracked by password crackers and don't tell people.

Secondly. If only there were some kind of electronic component that could be used as an encrypted bank vault that was connected to the internet. Oh wait. Yes, YOUR COMPUTER. There are a number of bank vault programs out there, and they will hide and remember your passwords.

Thirdly. When's the world going to wake up and start using passport style logins. I'd be happy to have the same login for a number of minor sites, and it's an easy technical solution to ensure that this password is maintained in one place.

Finally, have a single "easy" password that you use in the places you don't care about. metafilter, metachat, slashdot, MoFi can all have the same password. Just don't tell anyone you're doing it.
posted by seanyboy at 4:03 PM on June 21, 2005


What eriko said. Once someone is in the physical space to see the password list on the bottom of your keyboard, the password is the least of your concerns. (Mr R works in a field perhaps even more security sensitive than eriko.)

Most of my passwords are of the low security version (the home proxy server, LJ, MeFi, AIM, etc) and those are just alphanumeric hashes. The more secure ones (bank, paypal, ebay) are more complex, and are written down on a sticky note tucked under the desktop. There are dummy passwords in that list, as well. And I rotate them. Sometimes, I change the list. Even Mr R doesn't know which ones are active, much less for which account.

mystyk- And if someone gets a hold of your wallet with a scrap of paper containing all your complex passwords? Well, empty bank accounts are likely just the beginning. Only if you've got the account/username listed there as well. If all they got was a list of random alphanumeric strings, it's a lot harder.

(What do you use if there wasn't any song playing when you lost your virginity (or if it was an instrumental)?)
posted by jlkr at 4:05 PM on June 21, 2005


Invoke:

do you let e-bay and amazon and the like keep your credit card on file or do you enter it for each transaction?
posted by bukvich at 4:09 PM on June 21, 2005


The problem with pass phrases is that people hate to type something that long into the keyboard without any visible stimuli. I'd happily try and type ... "My passwor.." sorry, try again without looking ... "My pa$$w@rd is so lonng and I'm so clever." (nope) "My password is" (nope) "My pa$$w@rd is so long, and I'm so clever." (yay) but unfortunately, I'm used to checking what I've typed on the screen.

I dare anyone out there to tell their users to start using pass phrases.
posted by seanyboy at 4:13 PM on June 21, 2005


Here's a simple tip. Just thought of it, and I'm not going to use it now because it's common knowledge, but surround all your passwords with quotes. That should bypass most dictionary attacks, and if you'd have thought of it all by yourself, you'd have forced people into brute force attacks.
posted by seanyboy at 4:18 PM on June 21, 2005


I don't let any site keep my CC numbers. Ever since I worked at a certain large four-letter-name computer company, and saw that they didn't encrypt Credit Card numbers in the database, I can't bring myself to trust any site with the proper storage of that information.

The SQL query "Select Users.name, CreditCards.* from Users inner join CreditCards on (Users.userId = CreditCards.userId)" worked at that company. Scary. No lie. I brought it to management, "We're behind a firewall" was the answer.
posted by Invoke at 4:19 PM on June 21, 2005


I've solved this problem for everyone. "Use" the same passphrase everywhere, but let a Javascript bookmarklet hash it with the hostname so no-one but you ever sees it in the clear. (The PasswordComposer GreaseMonkey script, among others, credits my solution as the original.)
posted by nicwolff at 4:23 PM on June 21, 2005
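The approach above, one master secret and a per-site password derived from it by hashing with the hostname (the automated form of the site-name rules Bugbread applies by hand), as an added Python example. It is not the bookmarklet or the PasswordComposer script; it uses PBKDF2 with the site's domain as the salt, and the master passphrase, iteration count and accepted symbol set are assumptions:

```python
import base64
import hashlib

# Constructed master secret: the only thing the user has to remember, and
# something no site ever receives.
MASTER_PASSPHRASE = "two can be as bad as one"   # constructed for this example
ITERATIONS = 200_000            # assumed PBKDF2 work factor
SITE_PASSWORD_LENGTH = 16

# Character pools used to guarantee one character of each class. Assumption:
# the target site accepts '-' and '_' as its "symbol" characters.
POOLS = ("abcdefghijklmnopqrstuvwxyz", "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
         "0123456789", "-_")


def normalise_host(url_or_host):
    """Reduce 'https://www.metafilter.com:443/path' to 'metafilter.com' so every
    page and subdomain of a site derives the same password. Assumption: the
    registrable domain is the last two labels, which is enough for this demo."""
    host = url_or_host.strip().lower()
    host = host.split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    labels = [label for label in host.split(".") if label]
    return ".".join(labels[-2:])


def derive_site_password(master, site, length=SITE_PASSWORD_LENGTH):
    """Deterministically derive a per-site password from the master passphrase.
    The site name is the salt, so two sites never share a password, a password
    leaked by one site does not reveal the master, and nothing is stored."""
    if length < 8:
        raise ValueError("length must be at least 8")
    host = normalise_host(site)
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"),
                              host.encode("utf-8"), ITERATIONS, dklen=32)
    # urlsafe base64 yields letters, digits, '-' and '_'; drop the '=' padding.
    chars = list(base64.urlsafe_b64encode(key).decode("ascii").rstrip("=")[:length])
    # Composition rules: slots 0..3 are reserved for one forced character of
    # each class. The check looks only past the reserved slots, so a later fix
    # can never remove a class an earlier check relied on. The replacement is
    # chosen from the derived key bytes, so the result stays deterministic.
    for slot, pool in enumerate(POOLS):
        if not any(c in pool for c in chars[len(POOLS):]):
            chars[slot] = pool[key[slot] % len(pool)]
    return "".join(chars)


if __name__ == "__main__":
    for site in ("https://www.metafilter.com/42", "metafilter.com", "amazon.com"):
        print(f"{site:32s} -> {derive_site_password(MASTER_PASSPHRASE, site)}")
```

The cost of the scheme is the one the thread already notes: if the master leaks, every derived password is recoverable, and a site password cannot be rotated without changing the scheme or the master.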


jlkr : "What do you use if there wasn't any song playing when you lost your virginity (or if it was an instrumental)?"

Login:    bugbread
Password: GEFEBCC#BMajorFifth

posted by Bugbread at 4:23 PM on June 21, 2005


Passwords are so quaint. I'm waiting for some sort of teledildonics/biometrics hybrid system. "Uh... I'm just, uh, logging in..."
posted by pracowity at 4:38 PM on June 21, 2005


Phew. I'm glad I have an eidetic memory for character/number patterns.

People's names... not so much anymore.
posted by zoogleplex at 4:47 PM on June 21, 2005


Bukvich said, as bugbread pointed out: "I have been using "matt's method" since matt was in fourth or fifth grade...."

I thought I learned how to frigging read long before then, or at least long before this evening. I reckon I was wrong, or maybe I forgot.

To paraphrase Adrienne Rich:

Senility
It jumps you from behind

(I'm glad I lost my virginity while I could still figure out how.)
posted by davy at 6:28 PM on June 21, 2005


Dobbs, a simple answer for your friend is that sometimes admins or people with access to admin data are not trustworthy. If they get your one-and-only password, they can just try it on random high-value targets.

Schneier actually mentioned this in his newsletter once, or more specifically he came up with a whole attack method spammers could use. Create 'free' pr0n site, spam for it and require people to come up with a username/password. If they logged in from work, you could then use those things to hack into their office. It was an interesting idea.
posted by delmoi at 7:29 PM on June 21, 2005


I write them down in code. If I ever forget the code, I won't need the passwords anyway.
posted by HTuttle at 7:40 PM on June 21, 2005


I just always use "quonsar." Doesn't everyone?
posted by yhbc at 8:27 PM on June 21, 2005


Okay, that last bit was a joke. However, I will admit that at least once, upon being suddenly required to choose a four-digit numeric personal identification number, I "randomly" chose a four-digit number with some historical significance to MetaFilter (and MetaTalk, too!). And I betcha I'm not the only one of you that has done it, either.
posted by yhbc at 8:32 PM on June 21, 2005


I just have to post something in this thread because of my namesake.

Guitar serial numbers have been good to me (long, full of numbers, I'll never lose the original).
My new thing is to jumble up all of the states I've lived in along with the years, randomly capitalizing some of the letters.
posted by password at 10:59 PM on June 21, 2005


p2ssw0rd
posted by kirkaracha at 11:11 PM on June 21, 2005


I use login, it's easier that way.
posted by drezdn at 11:16 PM on June 21, 2005


[post deleted]
posted by drezdn at 11:21 PM on June 21, 2005


Just be sure that your password is reproducible on all keyboards. It sucks going to Europe and not being able to access anything because you can't figure out how to get the $.
posted by srboisvert at 5:09 AM on June 22, 2005


Bruce Tognazzini had a good column on this a while back. My work requires at least 5 or 6 passwords to perform various computer related functions, and some of them have to be changed on a regular basis, so there is no choice but to write them down. I use a post-it on my monitor like everyone else. There is very little on my computer that is even remotely of interest to others, so I could function just fine using my computer at work as if it were available to the public. On the other hand, I have more secure passwords for my home computer where I do banking and shopping among other things. None of this has had any impact on the real threats to my credit card numbers and such; those come from companies that mishandle data and any larcenous retail workers that I hand my card to when I am using it.
posted by TedW at 7:53 AM on June 22, 2005


For whatever reason, I just don't have problems remembering lots of 10 to 20 character long random strings. When I was in college I was enamoured with memory-building books like Harry Lorayne's, and I worked at it pretty hard. At waiting tables, Mr and Mrs. Nothingsuch would always tip better when I remembered their name and what they preferred. I memorized names from credit cards in case the customer ever returned, etc.

My current home PC's password is quite simple -- my brother's PO box number + my boss's car tag # + my sister's street address # + %TGB6yhn. If you actually type "%TGB6yhn" you'll see it's just a pattern in the keyboard. Most all passwords I use involve a keyboard pattern as a component.
posted by StewV at 9:09 PM on June 22, 2005

