How not to require a password


I was signing up for WinQual, and I got stumped at the password requirements:

Password Requirements: A password must:
- be at least 8 characters long and no longer than 16 characters
- have at least 1 lower-case alphabetic character
- have at least 1 upper-case alphabetic character
- have at least 1 number
- have at least 1 punctuation character/symbol
- have at least 1 non-alpha (number or a punctuation/symbol) within the 2nd to 6th character

Holy moly! The rules are so complex, I need to write my password down just to verify that I meet the requirements. Talk about a stupid system -- any time you have to write your password down, the system has become insecure. Yeesh!

To make matters worse, they don't even have a "generate" button! Ug.
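To see how much checking those six rules actually take, here is the policy quoted above written out as a validator, plus the "generate" button the site lacks. This is an added example, not code from the post or from WinQual; it assumes "punctuation character/symbol" means Python's string.punctuation set, which the page does not define.

```python
import secrets
import string

# Character classes used by the rules. Assumption: "punctuation/symbol"
# is taken to be string.punctuation, since the page never lists the set.
LOWER = set(string.ascii_lowercase)
UPPER = set(string.ascii_uppercase)
DIGITS = set(string.digits)
SYMBOLS = set(string.punctuation)

# The quoted WinQual policy, one (label, predicate) pair per rule.
RULES = [
    ("8-16 characters", lambda p: 8 <= len(p) <= 16),
    ("at least 1 lower-case letter", lambda p: any(c in LOWER for c in p)),
    ("at least 1 upper-case letter", lambda p: any(c in UPPER for c in p)),
    ("at least 1 number", lambda p: any(c in DIGITS for c in p)),
    ("at least 1 punctuation/symbol", lambda p: any(c in SYMBOLS for c in p)),
    # "within the 2nd to 6th character" (1-based) is slice index 1..5
    ("non-alpha within 2nd-6th character",
     lambda p: any(not c.isalpha() for c in p[1:6])),
]


def failed_rules(password):
    """Return the labels of every rule the password violates (empty if compliant)."""
    return [label for label, ok in RULES if not ok(password)]


def is_compliant(password):
    return not failed_rules(password)


def generate_compliant(length=12):
    """Rejection-sample random passwords until one satisfies every rule.

    secrets (not random) is used so the output is suitable for a real credential.
    """
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if is_compliant(candidate):
            return candidate


if __name__ == "__main__":
    # Constructed sample inputs to exercise the checker.
    for pw in ["password", "Password1!", "Passw0rd!"]:
        print(repr(pw), "->", failed_rules(pw) or "OK")
    print("generated:", generate_compliant())
```

Note that "Password1!" fails only the positional rule, which is exactly the kind of requirement a user cannot verify by glancing at what they typed; a generator that rejection-samples against the same predicate list is the simplest way to guarantee compliance without a human counting characters.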

8 Comments

Well, writing them down only makes it insecure against people who have physical access to your computer, and physical access beats almost anything.

-- SirG3

True -- but it's still an awfully horrible way to require a password. For example, it'd be easier to socially engineer this password off a user because it's nothing personal to them -- it's probably not a password they use on a daily basis so they would be more apt to give it out.

I agree with you, Aaron. I have a domain hosted with a Cpanel X control panel installed on it. The password for this domain was given to me by my buddy and is rather insecure... so I tried to change it. Cpanel X is even worse than that site, because it doesn't tell you WHAT the requirements are! It only tells you, after you've put in the new password, what part of the requirements you've failed. In any case, after about 15 tries, all of which either violated some asinine rule ("no partial 14-letter esperanto words !") I gave up, and the crappy password stays.

Wow, crappy. I was a bit miffed when my csci account for school required a numerical character in the password. Creating all those rules is just ridiculous.

Some rules I can handle -- like at least one number and length. I can count to 6 pretty easily, and I know whether I've used a number or not. But the sheer quantity of rules for WinQual baffles me. :: shrugs ::

I use SplashID. I let it generate passwords for me, and store them encrypted on both my PC and my Treo 650.

Far out, talk about being fanatical, security over-conscious. I wonder if a password using a mixture of chars, as opposed to all letters, makes a difference in time to crack for password cracking programs that do not use dictionaries?

I use KeyWallet (http://www.keywallet.com/) with the database on my secure USB key, as I travel around a lot. Although I would like to find one that works seamlessly on Mac, Windows and Linux, because it is limited to just Windows.

I've used PasswordMaker (http://www.passwordmaker.org) for a few sites. I like that you can store the "online" version (which doesn't do any communication with the server; it's all on the client machine using JavaScript) on a USB key, your HD or whatever. Plus the passwords that it generates are as unique as you like: you can choose your algorithm and choose the characters to use. While all the passwords are derived, there are enough variables used to derive the password that it's going to be a significant amount of work to try to figure out how you generate your passwords. Another nice thing is that as long as you enter the same values, you always get the same password. So you don't have to write a password down anymore.


Disclaimer

I'm currently an employee of REAL Software. My blog is mine. The opinions represented in this blog are mine as well and may not represent my employer's opinions. All original material is copyrighted and property of the author.

REALbasic® is a registered trademark of REAL Software, Inc. REAL SQL Server™ and Lingua™ are pending trademarks of REAL Software, Inc. All rights reserved.