Well, what did you expect?

There's so many thousands of websites where you have to register now, of course you'll reuse passwords. I have a password I use for almost everything which cannot initiate a financial transaction. Email and banking have much more secure and unique passwords, and I don't use social networking. Mind you, that Gawker and Station passwords were reused is a bit lame.

Password management...

I've been using LastPass for about 6 months... All my passwords are unique and strong. And I don't have to remember any of them. Great little browser plugin for Free use, and about £8 a year for the iPhone / Android app with the "Pro" version. Worth every penny.

No suprise there then.

From the movie Hangover 2: "Your password in baloney1?" "Yes - it used to be baloney, but then they made me add a number"

I see what you did there...

As by just saying Sony, you hope people just assume PSN. The PSN data has never been released, it's unlikely it ever will, and it's unlikely anyone actually got anything. (Clearly Sony can't categorically say they didn't get anything, so have to paint a worst-case).

The reality is, the PSN hack was a storm in a teacup, stirred by the media.

passwords

isn't this the fundemental flaw with the modern use of passwords, they are either so complex you don't remember or so easy they are insecure. With so many systems requiring passwords we need some better system. I am fed up with phoning some company that I briefly had dealings with a couple of years ago and hearing the shock when i tell then I have no idea what my password is.

I also worry about using password services, it assumes you completely trust the service that is generating and storing them for you. So is "LastPass" safe to trust my life to? There is a huge pot of cash waiting for someone who can come up with a better solution

No need

To write down anything or remember many (complex or not) passwords.

Lastpass has already been mentioned, personally I prefer KeePass.

Hardly rocket science, but need to enlighten people to the existence of these little helpers when a similar feature is not included with the OS.

Biometric?

Can't you remember which finger did you use for password? You have 9 more retries. 19, if you are willing to use your toes. Simples as pie, safe as houses. Just wash your hands to avoid false readings.

Why won't anybody use biometric? If big sites (hello, Gmail, Hotmail, Ebay) start allowing biometric, provided you have a fingerprint reader, you can get the habit started. (I understand some notebooks have them, and Windows 7 fully supports it.) No more passwords, then, or they become backup method (table saw users come to mind here). The whole vicious circle "I won't provide biometric alternatives because nobody has the reader / I won't provide the fingerprint reader because nobody supports it " can be broken easily, just make it REALLY easy, or force the user to 16-digit passwords with non-alfa keys, (which sucks btw).

Of course passwords for regular sites will be simple, easy to remember and type, while Banking stuff should be way more secure.

yup thats expected

I once worked in a IT repair shop, a woman came in saying she had forgoten her password and could i reset it, while reaching for my copy of ERD i noticed a post-it sticking out from under the battery, on there was every password she used with usernames and descriptions!

I have 4 passwords ranging from dont give a monkeys (no offence but el'reg is in that cat :p) up to a 28 charcater alphanumericsymbolic password which i honestly have to sit and think about before typing in this is used exclusivly for anything to do with money.

Its common practice to use a short simple password for most things my PSN password required me to press right and up that was it because using a controller is a pain in the arse :p

but it was only used for PSN and my credit card details were not logged so there we go.

Live IT or die by IT never has it beared more truth.

Password Managers

I don't know about the others, but LastPass only stores your passwords in encrypted form - 256-bit AES encryption, to be precise. Given distributed.net haven't cracked 72-bit RC5 yet, I'd say 256-bit encryption is fairly secure. You can download a copy of your vault for local storage - so as long as you don't forget your master password it's pretty safe - especially if your memory is not that great. If you fork out for LastPass Premium, you get offered the choice of two factor authentication, which increases security further.

LastPass is also multi-platform and multi-browser, so it'll work pretty much anywhere. The only issue I've found is that on a few sites (e.g. Wikia) it doesn't automatically recognise the username and/or password fields, so you have to use its menu options to copy / paste them into the relevant fields.

It really doesn't matter how complex you make your password

If it's going to be stored in plain text on an insecure* web site.

* or even a 'secure' one, for that matter.

"We all need to start using something like a SecurID tag for banking + "

You mean like the ones made by RSA who were hacked, so all their SecurID tags are compromised (See Lockheed Martin)

title is req'd & contain letters &/or digits - which is more secure than most site's pword rules

I've got what I consider "secure" passwords for use on certain systems, these use as many of the guidelines I can but sadly these are usually for trivial systems. The number of times I've tried to use a secure password on a system only to get a message back that it doesn't meet their criteria or I can only use letters makes me tear my hair out.

This usually results in an "arrggh" moment and using a password that is pretty high up on every list I have seen of weak passwords just so I can get in the bloody system to do what I want to.

as with so many things, mr adams has already been there

It was an Ident-i-Eeze, and was a very naughty and silly thing for Harl to have lying around in his wallet, though it was perfectly understandable. There were so many different ways in which you were required to provide absolute proof of your identity these days that life could easily become extremely tiresome just from that factor alone, never mind the deeper existential problems of trying to function as a coherent consciousness in an epistemologically ambiguous physical universe. Just look at cash point machines, for instance. Queues of people standing around waiting to have their fingerprints read, their retinas scanned, bits of skin scraped from the nape of the neck and undergoing instant (or nearly instant --- a good six or seven seconds in tedious reality) genetic analysis, then having to answer trick questions about members of their family they didn't even remember they had, and about their recorded preferences for tablecloth colours. And that was just to get a bit of spare cash for the weekend. If you were trying to raise a loan for a jetcar, sign a missile treaty or pay an entire restaurant bill things could get really trying.

Hence the Ident-i-Eeze. This encoded every single piece of information about you, your body and your life into one all- purpose machine-readable card that you could then carry around in your wallet, and therefore represented technology's greatest triumph to date over both itself and plain common sense.

LastPass etc sound very much like the Ident-i-Eeze to me.

PayPal

Paypal already has a security token available, which I have been using for a few years now. It is labelled "Vasco Identity Protection". This sort of thing helps but I would not want one for each site I had a password for!

Hunt concludes that the only safe password is "one you can't remember".

"one you can't remember" - is this with or without the quotes?

Security and Passwords

There are some massive assumptions being made here - most of it feeing the "ZOMG! Passwords are so insecure, buy [product]" or the constant pressure from some security consultants to defend against totally out of context threats.

I post comments on dozens of blogs / forums etc., each one needs a password. I have no great interest in making this a complex password or even a strong one. I also have no real interest in setting up different ones for each site. If you hack my El Reg account, you can use that password to post as me in quite a few places. I can live with that.

My internet backing password and email account passwords are different and different from each other.

Equally, the idea that having passwords made up of a single character type is "bad" is nonsense as the Sony / Gawker issue shows.

Complex passwords are only there to make it hard for someone to brute force a system. If the password is stored as a text file (or badly hashed etc) then it doesnt matter how complex it is. You have only made life hard for yourself.

Likewise, if a site sets up an internet access point which DOESNT limit the number of attacks, then madness will ensue. It will only be a matter of time before the password falls no matter how complex it is.

If you are talking about a site that lets you make five attempts before locking and needing a reset, then you can pretty much use ANY three character password with a good level of security. Anything longer will not fall to a brute force attack so the threats will compromise it whatever length it is.

Password complexity vs password length

Actually, password length is more important than password complexity.

given two, completely random passwords, one containing only lower case characters and the other containing characters from all the typeable characters, a 10-character lowercase password would be harder to crack than a 7-character complex password. The lowercase password would be considerably easier to remember, too. If you want to take it to extremes, a 14 digit number would be harder to crack than the 7-character complex password.

You try explaining that to a PCI or SOX auditor though!