I’m sure I’m not alone in this: at the start of each month I have to change my network password at work. Part of the “security protocols”. (Side note: It’s August already! How the hell did that happen? I know it’s a cliché, but where the fuck did this year go?)
So when I logged in today I dutifully changed my password. Now every time I have to log back in I type in last month’s password by mistake. I HATE the first couple of days of having a new password. Another of the security protocols mandates that the screensaver kicks in really quickly if you’re away from your PC. So I have to re-log in about a dozen times a day.
It’s a relatively small thing but it’s fucking annoying. Having to log in so many times every day PLUS getting it wrong the first time for a day or so each time I have to change password. I know some people suggest you should change all of your passwords regularly but that’s fucking crazy.
With all of the passwords I have to keep track of online (internet access itself, banking, blog, YouTube, LiveVideo, Reddit, Digg, Flickr and a bunch of other sites) actually changing them regularly would be impossible. The only surefire way of tracking them would be to write them down which, um, kind of reduces the security.
But then you hear stories of “hackers” all the time. The latest pack of fuckwit losers acting out their inadequacies online go by the name of “anonymous”. There are all sorts of stories circulating about them “hacking” people’s accounts. In some of the stories they deliberately target people and in others the people were just unlucky.
So how do they even “hack” people’s passwords? Are these people using any sort of firewall or anti-virus software? Do they have a stupid password like “password”? Do they have the same password for every site they visit? (not a good idea) Do they leave their PC switched on and connected to the net when they aren’t there? (also not a good idea) Were they tricked into signing up for a site whose sole purpose was to trick them into providing password details? (most likely porn)
Hacking is one of those all-purpose, borderline meaningless words the media like to throw around. I’d really like an idea of what method was used to “hack” these people’s passwords. If only stupid people are vulnerable, I’d feel better.
28 responses to “Passwords suck”
Hmmm… I got so fed up with having to fit my password with the stupid anal password rules at work that I gave up using good passwords like \\’4nk3rs (my personal favourite) and my last password was Password1.
Stupid password rules being too complicated to come up with a decent password.
I got about a dozen different passwords, all of them cryptic as hell, and I don’t even remember them, yet they seemingly go right no matter what. Muscle memory, I guess. Also, I memorize new passwords really quickly if they aren’t word based.
I find the best way to come up and remember new passwords is using the first letter of each word in a sentence. So “I HATE the first couple of days of having a new password” becomes ihtfcodohanp. Just switch every other letter to uppercase and add some rule you always obey such as there must always be an exclamation mark at the end and you get IhTfCoDoHaNp!
Good password and easy to remember because you’ll always hate changing passwords 🙂
I used to use Japanese cuss words for passwords, typing them in Russian transcription while keeping English keyboard layout turned on. Alas, I long since ran out of Japanese invectives and Russian keyboards. Still no problem inventing long unreadable horrible passwords, but it’s too much of a challenge to type them again and again, so I start using “remember password” checkboxes, and then by the time I want to change a password I have usually already forgotten the old one. So now I write them into a copybook and keep it under my mattress as a back-up. Anyway, if somebody sneaks into my home and gets under my mattress for those passwords, there are probably more serious dangers for me to consider than losing my blogger account.
I hate those sites that make you use a combination of letters and numbers, it completely fucks me up. I can come up with things as obscure as you like, but I’ll remember it if it actually means something.. I can’t do that with the numbers thingy…
Yeah, passwords suck. I used to do some tech support in IT, and a lot of users use the default password.
Password rules that force you to make overly complicated passwords and then force you to change them every month (like where I work) are completely fucking stupid and useless. The only thing they force you to do is make easily guessable passwords like P@ssw0rd1 and/or write them down on a post-it note stuck to your screen.
Too many idiots in IT.
Hello to everybody and especially our host, Mr. Angry.
The worst about password rules is that EVERY website has their own and every one is different.
And the worst rules are about the length and about special characters (allowing or not, the allowed subset, etc). Many combinations are mutually exclusive.
I tried to have the same password (a secure one) for most noncritical websites and it’s impossible… so, as Mr. Angry stated, I have had to save them on a piece of paper…
First post. Sorry for misspelling and syntax errors, I’m Spanish, from Canary Islands, geographically African but culturally European.
Congratulations on the blog. I reached it through Joel on Software, because I’m a software developer too, and now I’m reading and watching your blog from the beginning, currently reading September 2006… but I couldn’t help commenting about the password rules world-class messsssssss….
Ha! I fart in the general direction of your measly little “Password” dilemma! ;p
I work in the mortgage industry, we deal with over 35 Lenders. ALL of whom require a password for their website access. ALL of which must be changed every 30 to 45 days. Of which at least 1/2 of them require special characters, numbers AND capitals. And another 1/3 of them will not let you “reuse” old passwords!!!!!
AND…in my current position…everytime we set up with a new Lender, *I* get to set all of the Loan Officers up on the website for the first time too! So that’s another 23 passwords I have to come up with! (which they regularly forget or lock themselves out of, meaning I have to go in and reset them..stupid people!).
Passwords??? PASSWORDS??? I’ve got passwords coming out my yin-yang and let me tell YOU, Mr. Angry….those damn special characters hurt like hell when they come out! ha..ha..ha…!!!
all of this will one day go the way of the dodo (that is to say, bludgeoned to death by stupid white people), replaced by iris recognition or some such fancy biometrics, and some brilliant inventor will come up with a middleman strategy to correlate all of your legacy passwords with a combination of sounds and blinks in morse code. then you’ll have to remember how many fucking times you have to blink and twitch and make farting noises just to log on to your own damn website. you just have to face the facts – computers suck.
I can’t believe that no one’s mentioned the stupid Windows networking “your password will expire in 14 days”, “your password will expire in 13 days” etc. bullshit. You know what? If my password will expire in 14 days then fuck off and come back in two weeks.
Imagine if your car did this; warning you every ten seconds “you only have twenty litres of fuel remaining”, “your car will require servicing in three months’ time”, “your seatbelt is fastened now, but don’t forget it next time, will you?”
The official reason for this, apparently, is that people might be going on holiday, so they need to know to change their password before they go because, as we all know, after six weeks all passwords get sent by email to hackers, crackers and Al fucking Qaeda.
The worst part is that ISO certification requires you to do this retarded crap, so we’ve had to make our network less secure (with everyone’s password being PAssword1) than it was before in order to get it certified as “secured”.
My impression is that the majority of passwords are hacked one of 3 ways:
– Seeing somebody type it in, or seeing it written down. (Apparently people are using phone cameras to record people’s ATM pins these days.)
– Key loggers downloaded from nefarious websites (Yep, that means porn, probably involving goats) or email attachments using exploits that decent up-to-date virus software and OS patches would prevent.
– Brute force dictionary attacks. If your password is in the dictionary, consider yourself owned.
Common sense (which should include an aversion to goat porn), decent network security and a random symbol or two should keep these from affecting most people.
Hey, long time listener first time commenter. I love your videos, by the way. Anyway, I just wanted to give a reply to the “Anonymous” message. There are a few places where “Anonymous” applies online. Those are the chan websites (4chan, 7chan, 420chan, and so on and so forth), and then the ebaums world. Trust me on this one, the site that they were interviewing on fox news (420chan and 4chan), it is not a group of people who get together to hack places.
There was actually an audio response sent into the fox website. http://media.putfile.com/Dear-Fox-News There’s the link there. Either way, that’s enough on the “Anonymous” issue.
As for the password thing–yeah, having to change your password at the beginning of the month really sucks. And they always have the protocol that you cannot use a password you already had used before. It is a shame when you have to start looking in the dictionary for words to use, because your creative passwords you often forget after a while.
Massif: yeah, they just added the “can’t re-use old passwords” rule as well
Shadow: you have a unique ability!
DOA: yeah but they make me change it every month, I don’t know how many ways I can say it!
Vlad: Yeah, the “remember password” can be a lifesaver for web accounts, doesn’t help with network logins though
Michelle: I gotta use at least two numbers… at least one capital… all sorts of dumb rules.
Range: it’s amazing how many system breakins happen that way – I heard some ATMs have a default password.
Volvo: yeah, the writing them down on post-its is very common
Javi: good luck catching up, I hope the angry overload doesn’t fry your brain 🙂
Cinkitty: sounds like you need some moist wipes for those special characters 😉
Tom: I saw a really funny piece about that the other day. Damn, wish I could remember the link now…
Paul: Oh yeah, that’s another pet hate about changing passwords
Brian: I think those are three good warnings you’ve provided there.
Nicholas: thanks for joining in, hope to hear from you again!
Hey Mr A
I was interested to learn you use Digg. I’m a Digg addict myself. I’ve been dabbling with the Digg API recently using Flex and I’ve built a couple of tools that might interest you:
To monitor your Digg submissions:
To monitor your Digg comments:
I’m a long time reader of yours, so I hope you don’t consider this as spamming.
What’s your Digg user name? I don’t blame you if you don’t want to tell me, but I’m just interested in what you have to say on Digg.
I find nursery rhymes work best:
jbnjbq: jack be nimble jack be quick
jjocs: jack jumped over the candle stick
omhaf: old macdonald had a farm
eiei0: self-explanatory 🙂
Get a fingerprint scanner, link all your passwords to it and be happy.
Still have to change the bloody things monthly, but after you link it to the scanner, you don’t have to worry about it.
yeah, i want one of those!
Paul: I’ll send you a message
DaPuma: That’s an excellent tip, thanks.
rahab: Then I just have to worry about someone cutting off my finger to access the system.
flo: careful what you wish for!
Well, well, let’s say you have a strong password of 12 or more characters. OK, it’s best if you have a structured sentence phrase, say, idiocracyhacksmetabolism. This is a perfect password. A pass phrase: when you wanna change, you can maintain idiocracy and change hacks to, say, melts; then you have idiocracymeltsmetabolism. This cannot be confusing at all. Anyway, you can do the same with your local language phrase.
Here are some of the ways people get passwords:
1) The downloading of keyloggers.
2) Hackers (if they have a known target) can port scan (check the open ports on a computer), find ports with vulnerabilities, and transfer data (such as a keylogger or R[emote]A[ccess]T[rojan]) through to the computer.
3) Hackers connect to a server of an email service, messenger service, etc., and run a brute force/dictionary attack. This is done by writing a program to continually try and rearrange letter combinations (brute force), or test all the words in the dictionary.
Nevermind cutting off your fingers…they can make a jelly mold of your fingers that will fool at this point any fingerprint scanner on the market.
Look up some of the research on this, it’s both hilarious and depressing. Gelatin has the same insulative factor as human flesh, so it fools any of those ones that check to see if it’s a “living” finger just fine. Heat? Keep it in your pocket.
dniinoi: thanks for the tip!
vainentree: good overview, I wish I knew how some of these actually succeeded (in specific terms). Like did the victims do something really dumb or was it almost impossible to defend against the attacks?
Chris: I’ve read quite a bit on Bruce Schneier’s site about how easy it is to trick biometrics
Well, the victims didn’t necessarily do something stupid. If a hacker has discovered a hole in a piece of software (or someone has for him) then he might be able to exploit the software. This might be the user’s fault if they haven’t updated their software, but if no patch to an exploit has been created then the user can do nothing (except uninstalling the software).
A hacker has discovered an exploit on port 80 (HTTP) that allows him to send data to the port on a remote computer through the TCP/IP program of choice (such as netcat) in a simple buffer overflow attack (sending more data than the computer can handle). This could crash the system.
That’s actually an example for the port scanner. As for the brute force attack, you just have to hope that the server sees what’s going on and will stop the attack or report it.
I have over 140 servers that I have to be able to log into at work. We use schemes to help us remember our passwords. Most of the people here use three letters, a two-digit number (or a number and a character) and then three more letters (mixing it up with upper and lower case letters). Every month when we have to change the passwords all you have to do is change the numbers or character in the middle. That way you aren’t coming up with a completely different password each time. For example if your password was “dog!1dog” the next month you could use “dog@2dog”. We can get away with this because of the security they have set up to block people from accessing our LAN in the first place.
For personal passwords I will come up with 3 or 4 and spread them out to all my sites I log into. Then when it’s time to change them I will rotate them. That gives me 3 or 4 months with the same set of passwords.
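Several comments above describe what composition rules plus monthly rotation produce in practice: Password1, P@ssw0rd1, and dog!1dog followed by dog@2dog. The sketch below is an added example, not part of the original post or any comment. It shows a change-time check that catches those patterns even though the first two pass a typical composition rule. The blocklist, the 0.7 similarity threshold and all function names are assumptions made for illustration.

```python
import re
from difflib import SequenceMatcher

# Constructed sample blocklist; a real check would load a breached-password list.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin"}

# Substitutions that composition rules push people towards.
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "3": "e",
                      "1": "i", "!": "i", "$": "s", "5": "s", "7": "t"})

SIMILARITY_LIMIT = 0.7  # assumed threshold, tune for your environment


def meets_complexity(pw):
    """Typical composition rule: 8+ chars with upper, lower and a digit."""
    return len(pw) >= 8 and all(
        re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d"))


def base_word(pw):
    """Lowercase, drop the trailing digits/symbols, undo substitutions."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    return core.translate(LEET)


def review(new_pw, old_pw=None):
    """Return reasons to reject new_pw; an empty list means accept.

    old_pw is the current password, which the user types in the
    change-password form, so no plaintext history has to be stored.
    """
    reasons = []
    if base_word(new_pw) in COMMON_WORDS:
        reasons.append("common word behind substitutions")
    if old_pw is not None:
        ratio = SequenceMatcher(None, old_pw.lower(), new_pw.lower()).ratio()
        if ratio >= SIMILARITY_LIMIT:
            reasons.append("minor variation of previous password")
    return reasons


if __name__ == "__main__":
    for new, old in [("Password1", None), ("P@ssw0rd1", None),
                     ("dog@2dog", "dog!1dog"), ("IhTfCoDoHaNp!", "dog!1dog")]:
        print(new, meets_complexity(new), review(new, old))
```

The first-letter password from the comments, IhTfCoDoHaNp!, comes back with no rejection reasons here while failing the digit requirement of the composition rule, which is the mismatch the commenters are complaining about.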