How long are your passwords?
 

I've been using several different ones over the years (changing them as needed) for several different levels of security. That said, I've typically kept them less than 10 characters or so even though they're random and not likely to be "guessed". Dang processors have gotten fast enough so it only takes less than 60 seconds to "crack" most passwords of this length I now learn :(. So, I reckon it's time for this ol' dawg to learn a new trick....LONG passwords (i.e a long sentence) seems be the way of the future out of necessity....YMMV.

On a windows machine, open powershell and type: [guid]::NewGuid(). You will get something that looks like this: ba76b0c6-9f23-49c2-92ec-ce9adff7d51e
Use that - or as much as you can remember - as your password. Try to make a sentence out of it to make it easier to remember.

Yes, the processors are fast, but most systems only allow a certain amount of login tries before the account is locked. So that is not the way to hack into an account, they dont guess your password several million times per second and try them.
Passwords normally are saved encrypted in a DB.
The fast processors are faster to decrypt the passwords. And then it does not matter how complicated the password is then. The only thing that matters is how secure the encryption is. If the encryption is cracked, then every password with that encryption is visible, no matter how complicated.
And every string is just a string of characters to the machine.
jnedfuhwerh23hehf28hf23 is equally hard to decrypt as a string of words with the same length who are easy to remember.

Here is the password generator that I use.

I use sentences that I can remember, and throw in as many non-english words as I can. I figure a sentence in English, Spanish, and German is going to be hard to guess, if it is attacked in that way.
Still, I have my passwords saved as images in a database in an encrypted folder.

Like mentioned before it really isn't your passwords it's the data base that stores them where the issue lies.
I don't really worry about passwords much but more the device I am using them on. There is no banking info or any app along those lines on my phone, nor is the email service that has my banking on it. I use yahoo for banking and google for my phone.
I am not going to make it easy for someone to get access to my stuff but if someone is really determined to get at my credit rating of 247 and the $9.18 in my savings acct. then they are going to get it.
One thing that allows me sleep well at night is my bank. I have had my checking acct hacked three times over the last ten years, and getting it resolved was very easy with a simple trip to the office with my statement and check ledger.

It really doesn't matter. You can have the greatest password on Earth, but then the website gets hacked and they have your data anyway. It always amuses me how IT Security weenies create password rules that virtually guarantee you will have to write them down, make you change them every 30 days, but then can't protect the data. Yes, overly convoluted password rules are a pet peeve of mine.:)

^^^^ THIS is what I will do in the future as well. As a former systems programmer who knows a bit about the other issues mentioned above, encryption, db storage, etc. I can remember long strings of binary/hexidecimal with the best of 'em, and it's all "just" binary in the end ;). For the "average" user....this simple technique trumps all other approaches, isn't platform/device dependent, etc. and is KISS (simple)....YMMV.

That would not let me sleep well ... three times? I have never had my acct hacked.
And in future it will be harder to take a trip to that office as they are closing more and more of them. Good luck making all this online or via phone.

I should mention I use a credit union for my banking, one detail I forgot to mention

The LAST thing I worry about is my banking acct/debit :). Banks/Credit Union/Service provider "detects" fraud EVERY single day here in the states....I've had my debit # "stolen" before too. Just a minor inconvenience before on my end and the bank/CU (for me too) will ALWAYS eat any loss....it's just the "cost of doing business" for them.

I also spent the first half of my IT career in banking....brings back painful memories SmileWavy

Between home and the office, I have over 10 systems that I access; each with a unique password. Based on the security protocol for the specific machine, my passwords are anywhere from 8-26 characters long (only one of them is 8). Most of my systems have passwords that have to be changed monthly, and I can't use any of the past 10 passwords used in that system. It's "fun." :rolleyes: I don't use real words, or sentences in any of my passwords other than my home PC, FWIW.

My passwords are 16-24 characters. I use LastPass to manage them - means you only need to remember one password.

I forget my passwords

I am looking for the perfect password app. With different web site that I have accounts with numerous email accounts and devices. I want a way to enter my passwords from several devices and many web sites and programs.

Glen - check out LastPass. It stores an encrypted password file on each of your devices plus in their cloud. You actually launch your websites from inside LastPass itself via the browser plug in. It will auto log in for you.

That'd be a good one ;). Just started this thread as a suggestion guys (for the average user). Bottom line....use longer passwords than 8-10 characters. Unless it changes every single minute, then 6 digits is OK too. That's how pw's were "secured" in my former life....all ya had to do was remember your key FOB...and the dozens of systems behind it....many with unique pw(s)....back in the day SmileWavy

As you state - the problem with overly complex passwords is the need to write them down, which defeats the whole purpose of passwords! I bet a large percentage of folks reading this post have a sticky note 'cheat sheet' under their keyboard with their userid and password, or have a text file on their PC called "passwords.txt."

Using sentence-long passwords isn't really a good answer either - the longer the password, the greater chance of misspelling it and getting locked out of the device or application.

Two areas that show promise are:

1. Dual-authentication systems: for example - the typical card reader security locks are now being replaced with a card reader / keypad combination - you still have to swipe a card, but you also have to authenticate that card by entering a 4 to 8 digit code. I believe some applications like Facebook are implementing stuff like this by using your cell phone number as a secondary layer of authentication besides your password.

2. Biometrics: this has been around for a long time, but is getting a little more traction again -- I've used fingerprint access points to get into my datacenter for years - and now the same technology is at the consumer level - as found in the newer iPhones. Some folks feel it is not quite ready, but I really like the ability to unlock my iPhone using my fingerprint as authentication. It works very well for me, and since my fingers are hopefully attached to the rest of my body, it makes it very difficult for a thief to get into my phone without my knowledge.

Not a big fan of password vaults, as now you need to trust their cloud's security. And if you don't have access to their system, you don't have access to anything.

Best cloud to store passwords in are your brain. Still the hardest thing to hack.

-Z-man.

The actual problem there is in the software that allows multiple attempts in milliseconds. Most modern software should have measures to slow brute force hack attempts to a crawl. If it doesn't, then the password may as well be TSA - the image of security.

For Active Directory I require our users have at least 8 characters and use letters, numbers, and/or caps and punctuation. This rotates every 180 days but they can change it sooner if the like. If you go every 90 days people start writing them down since you can't have similar passwords when you change. After 5 unsuccessful attempts you get locked out and have to call one of us IT Security weenies. This is to prevent someone physically at the computer from gaining access that shouldn't have access. There are other things in place for other types of security breaches.

Since we are in healthcare if we find a Post-It with your AD password you can be terminated.

Passwords for forums such as this aren't as complex as what I use for banking and such. Again, to keep people from gaining access not script kiddies and such.