I'm pretty obscure, myself

[andrewducker]

[Poll #1750188]

Comments

[dougs.livejournal.com]

The only two passwords I have which coincide are the "dougs" local user passwords on my two laptops. I probably have around forty distinct unrelated passwords.

[drainboy.livejournal.com]

How do you manage to remember them all?

[dougs.livejournal.com]

I just remember them all. I have a technique to do so, but it's very much less than obvious and disclosing it would make it less secure.

[channelpenguin.livejournal.com]

Doesn't seem that hard - I can rememeber the complete lyrics, tune and structure to 140+ songs, and I am not unusual... password memorisation doesn't strike me as much different...

In fact unique passwords for service would be *easier* than what I do which is recycle about 6(with variants). Maybe I'll start.

[drainboy.livejournal.com]

Lyrics, tunes and structure aren't abstract and I reckon you couldn't tell me, off the top of your head, the 34th word of any of those songs without working through the first 33.

Remembering the password for a given website which you might use twice a year sounds a lot more difficult, especially if that password is in no way connected to that website (to avoid making it easily hackable) and might be a string of random digits/letters.

I guess it depends what the passwords are, how abstract they are and how much you use them. I can remember my current (and previous) full bank card details, but I use them a lot. If I had 40 to remember that would be pretty tough.

[momentsmusicaux.livejournal.com]

... plus it's mostly irrelevant as Firefox remembers them all for me... :/

[call-waiting.livejournal.com]

I have a fairly complex system for online passwords.

All my passwords are composed of a common prefix, and a unique suffix generated with apg.

The prefix is common, so I can remember it. It's secret and not written down.

The suffixes, I can only remember for a couple of things (Google, PayPal, bank). They're stored (encrypted, using a different old-fashioned secret password) and I have to look them up just about every time I use them.

The prefix is useless on its own. The list of suffixes is useless on its own too. If an attacker gets a complete password, it won't get them access to anything else, and even if they figure out (manual process!) that the prefix is shared, because the suffixes are more or less random, having a single password doesn't much reduce the search space for other passwords.

Of course, the password for my computers is always "trustno1".

[randomchris.livejournal.com]

Five different passwords (two of which are massively unsecure and only used for things like petition sites) but combine those with four or five different login names and you've got 25 possible combinations.

[drplokta]

I keep all my passwords in 1Password, with the files stored in Dropbox so that I can access them from anywhere. I have (separate) passwords for 1Password and Dropbox that I can remember (but they're still eight characters, and include digits and punctuation). The rest of my passwords are generated by 1Password, and are things like ")98f7:P9g)>]H4Y".

[andrewducker]

I've been tempted by that - but I can't install software at work, Dropbox is blocked, and thus I would find it difficult to access secure websites when I was in the office.

[johncoxon.livejournal.com]

1Password have an Android app. I have around 200 unique strong passwords using their service, I believe.

[andrewducker]

I was tempted by that, but the thought of copying strings of gibberish from my phone to my desktop was just too frustrating to me.

However, thinking about it, I'd only have to do it once per password, as Firefox would remember it after that.

[johncoxon.livejournal.com]

Also (I believe this is still true) if you open your 1Password keychain using a web browser you can access a web UI, for cases when you can't install the actual app, so if you copied it across to a memory stick you would be able to access it at work.

[andrewducker]

Sadly, we can't use memory sticks at work. Being a financial institution we're terribly paranoid about data going in or out.

[autopope.livejournal.com]

I use SplashID rather than 1Password. Same principle. Generated random passwords for use everywhere.

I do use the same password on my laptops, though. And there's a (different) password (for my AppleID) which is simple enough for me to remember, because there are occasions when I need it on a machine I don't have SplashID on yet.

Memo to self: must set up two-factor authentication on Google. (Must repo the loaner iPhone 3G so I can install and configure the Google authentication app on an emergency backup device first ...)

[andrewducker]

I found two-factor authentication very easy to set up (see previous post) - I've not had any problems with it since I did so. Putting a unique password into the various places that sync or use SMTP/IMAP was the most annoying bit, and I only had to do that about 8 times.

[erindubitably.livejournal.com]

I don't bother remembering my passwords - all I have to do is remember my mother's maiden name is Jones and I'm set!

[andrewducker]

Does remembering your mother every time you log into SexySlashFic.Com not cause...issues?

[ami-bender.livejournal.com]

I am now disturbed

[andrewhickey.livejournal.com]

I have one password that I use for most things (randomly generated alphanumeric one), another one that I use only for my email, and a third one that I use specifically for sites whose security I doubt or where I want to share my password with a third party.
At work we have to change passwords every couple of months. For that, I have a system which I can use to generate a long, finite, memorable alphanumeric string.

[spacelem.livejournal.com]

Most of my passwords are generated by taking a line of a song (not necessarily in English), taking the first letter of each word, and maybe applying some punctuation or l33t speak (e.g. "Ask not for whom the bell tolls!" would become "An4wtbt!" -- and no, that's not one of mine). I know it's not the most secure system in the world, but it's better than nothing. It's also got the advantage that I can picture the song in my head while I'm typing, and my fingers remember the password, whereas it would take me a while to think about it if I were writing it on paper.

However, I really do need to get round to choosing some more passwords and retiring the old ones. It's just... one of those things that you never get round to until it's too late :P

[apostle-of-eris.livejournal.com]

Actually, I thought that was regarded as one of the more secure systems.
Very memorizable, difficult to attack.

[spacelem.livejournal.com]

Well, it is certainly a decent system, however I've heard that it is could be prone to dictionary based attacks (since you could in theory create a dictionary of song lines using the same method).

The worse culprit is probably having too few characters, since it is possible to brute force attack any short passwords these days. An4wtbt! has 8 characters, upper and lower case, digits and punctuation, so assuming about 20 bits of punctuation that's (26+26+10+20)^8 = 2x10^15 possible passwords. I wouldn't be surprised if that could be cracked in a relatively time on a modern GPU.

[gwendally.livejournal.com]

I have a main password (plus variants) for personal stuff with no identify theft risk issues. (Go ahead, steal my Amazon Reviewer's ID!)

I have another main password (plus variants) for financial stuff. The variant I use for my financial sites - which I try to keep more secure than, say, my LiveJournal - contains a string signifying the date I set that password, so every time I use it I have to note how long it's been since I reset it.

Then I have a unique one for a specific secure application at work.

[lpetrazickis.livejournal.com]

I'm not comfortable sharing this somewhere that's not at least password protected (e.g. a friends-locked entry). I don't need random googlers stumbling on my reply in 5 years.

[andrewducker]

Well, by saying that you've told people that it's not one of the more secure options...

[lpetrazickis.livejournal.com]

Eh.

BTW, did you know that if post your LiveJournal password in a comment it shows up as asterisks?

For example, my LJ password is *********.

See, automatic asterisks. Magic.

[andrewducker]

bash.org/?244321 ?

[lpetrazickis.livejournal.com]

That's off-topic.

This is Leo from SixApart tech support. Your account may have been compromised by hackers. Please provide your password so we can verify that your data is secure.

[strawberryfrog.livejournal.com]

Unique passwords. Over 100 of them. Written down, in an encrypted file, with a master passord.

[eatsoylentgreen.livejournal.com]

I know, I'm the one who needs to improve his password policy. Only 6 chrs long too!

[eatsoylentgreen.livejournal.com]

actually for financial transactions I have a more complicated one.

[eatsoylentgreen.livejournal.com]

when I admit to stupid stuff I should use this icon instead

[don-fitch.livejournal.com]

I mostly use one password for everything. But then -- I have only one computer-device, kept at home where I live alone, and containing no financial/bank account or credit-card information. Years ago (admittedly), Bruce Schneier (Himself) said "for you, that's probably adequate security".

[marrog.livejournal.com]

Actually, that's not quite correct, as what I do is cycle variants of the same password, changing quite regularly but always keeping just three variants that I'm using everywhere at any given time so that I can take a guess at which three to try when logging into somewhere by remembering approximately how long ago I was last there.

[khoth.livejournal.com]

I use 12345 for random things I don't really care about, and hunter2 when security is important. It's easy to remember, and it's worked for me so far.

[henriksdal.livejournal.com]

I found my dad's (a software engineer since the 70s) password cipher a few years ago - it was well cool, does anyone still use them?

[lizw.livejournal.com]

I have a system I use to generate passwords for sites where I'm not too concerned about security; it's a little bit more complicated than "numbers on the end", but probably falls under "etc". It means I don't have to record the passwords anywhere or remember them individually - I just use the system to derive them again any time I need to return to the site. For banking sites and other places where security is a real concern, I use unique passwords plus a technique for memorising them, so those also aren't recorded anywhere.

[crm.livejournal.com]

i have one password for all the sites i dont care about
and one set of cypher based passwords for the sites i do care about, and system logins.

[octopoid-horror.livejournal.com]

I have no option but to have upwards of twenty passwords, mostly for work.

They change on different timescales and are of varying lengths and formats.

Re: Passwords

[wolfieboy.livejournal.com]

I have about 3-4 passwords for places that I don't care about. Places that require me to register but that I may or may not ever be back to.

For everything else, I have unique passwords. I will usually remember then but if I don't, I have OI Safe to remember it for me.

[cartesiandaemon.livejournal.com]

I tend to have a separate password for: sites I don't care about; social networking I care about and email; shopping and anywhere else I give my credit card; bank. But it's a bit out of sync and could be a lot better.