Once More Into the Breach

. . .or not.

I see articles occasionally about the death of passwords, creating effective passwords, blah-blah. Well, passwords and the insecurities created by stupid (or lazy. . . or more like both) people and their password habits aren’t going away any time soon, and most of the articles suggesting improvements are seriously lacking in effective counsel. Most now suggest pass phrases with common substitutions of symbols and numbers for letters, but really, how many folks will do that? Others suggest using password managers (I often suggest this, myself, but even users who have PAID me for consulting rarely make even the exceptionally minimal effort to effect this change in their behavior *sigh*).

So, what’s a solution? When it comes to ID10T errors like lazy or stupid (or both) password behavior, the only solutions seem to be either eliminating the users or letting them reap the effects of their bad behaviors.

*meh*

Now, I’ll admit that my own normative password policies would definitely not appeal to most users, although it baffles me why that is the case, save for excessive laziness on their part. OK, so here’s a loose outline of a process that’s super simple and easier than most pass phrase processes. That it is similar to my own is purely coincidental. 😉

1. Select a song from childhood or early youth that you can reliably “sing” mentally. Or choose a memory shared only with people you have not seen for many years.
2. Extract an inner verse from the song or a visual from the selected memory.
3. Using the verse as a passphrase, extract ONLY the first letter of each word in the verse; using the visual of the memory, create a passphrase and do the same thing.
4. Now, with those passwords extracted from the passphrases, make your substitutions of symbols and numbers, as appropriate.
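The four steps above as an added worked example (not code from the original post): it takes a constructed verse, keeps the first letter of each word, applies a substitution table that is my own assumption since the post leaves the exact swaps to the reader, and reports the character-class entropy a brute-force estimate would assign, which is only an upper bound because it assumes the verse itself cannot be guessed.

```python
import math
import re

# Substitution table: an assumption for this example; the post leaves the
# exact symbol/number swaps to the reader.
SUBSTITUTIONS = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$", "t": "7"}

# Constructed verse (not a real song lyric), used as sample input.
SAMPLE_VERSE = "Down by the old mill stream, where the willows bend and sway"


def initials(verse: str) -> str:
    """Step 3: keep only the first letter of each word, preserving case."""
    words = re.findall(r"[A-Za-z][A-Za-z']*", verse)
    return "".join(w[0] for w in words)


def substitute(password: str, table: dict = SUBSTITUTIONS) -> str:
    """Step 4: swap letters for symbols/digits; only lower-case letters are in the table."""
    return "".join(table.get(ch, ch) for ch in password)


def derive(verse: str) -> str:
    """Full process: verse -> initials -> substituted password."""
    return substitute(initials(verse))


def naive_entropy_bits(password: str) -> float:
    """Entropy a brute-force estimate assigns from length and character classes.
    This is an upper bound: it treats every character as independent and ignores
    that the verse may be guessable (a line from a popular song is a dictionary entry)."""
    classes = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
    pool = sum(size for pattern, size in classes if re.search(pattern, password))
    return len(password) * math.log2(pool) if pool else 0.0


def report(verse: str) -> dict:
    """Summarise the derived password for review."""
    pw = derive(verse)
    return {"password": pw, "length": len(pw), "naive_bits": round(naive_entropy_bits(pw), 1)}


if __name__ == "__main__":
    print(report(SAMPLE_VERSE))
```

The naive figure is what a "complexity meter" would show; the real strength is the smaller of that number and the effort needed to guess the verse, so an obscure or private phrase matters more than the substitutions.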

There. Relatively long, complex, fairly uncrackable (in any reasonable amount of time), easy to remember passwords. I have a couple of passwords created by means similar to this that are 60-some-odd characters long, though most websites don’t allow passwords that are really all that long. No problem typing such passwords, because the pass phrases they are built on are extremely memorable, and I really don’t have a problem typing long passwords.

Of course, for non-critical sites, I go ahead and use LastPass. *shrugs* I only allow it to autologon to sites that have no (genuine) PII for me and where I DGARA about some bad actor getting in, but I still use strong passwords, anyway. Oh, and a good VPN ALWAYS when online.

As for my devices, a good firewall (actually, firewalls on the devices that do not conflict with a hardware firewall for the network), strong passwords, encrypted PII, solid backups of data, and physical control of access will have to suffice.

Still, I cannot recall the number of calls (OK, I could go back on my records, but that’s where I will plead laziness *heh*) I have had from folks who “forgot” (or worse, “mislaid”–which means they had it written down somewhere) the passwords for their computers. *smh* Baffles me. It truly does.

3 Replies to “Once More Into the Breach”

    1. KeePass is one of the decent password managers, but it’s best if it manages very strong passwords. 🙂

      BTW, all the push some IT people/sites make to change passwords periodically? Numerous studies have demonstrated the only value of that practice is if users consistently select poor passwords.

    2. BTW, Colin, imagine selecting a little-known song from your repertoire that is several hundred years old, preferably with lyrics in a less-than-modern dialect, and basing a password on that. Makes me smile to do that.
