Good passwords


ktinkel
10-12-2005, 12:23 PM
Many of you may have seen this, but in case not, I have found a great article on how to choose good safe passwords: Choosing good passwords (http://www.auscert.org.au/render.html?it=2260) on the AusCERT site.

Among the useful information are tables showing how easy it is to break passwords of various lengths (8 is the best number of characters, btw) and types (using all lowercase makes for easily crackable passwords).

Good reading. Appropriate for web site managers and everyone else who does anything at all online.

jrabold
10-12-2005, 07:56 PM
From that article, "... it is important to note that many machines artificially restrict the length of the password usually by silently truncating what you enter to their maximum length ..."

Indeed. In several instances, being asked for a password, I have supplied a 20-character string. Unknown and undisclosed to me, that system accepted only the first n characters and assigned that smaller string as my password. Next time I tried to authenticate, rejected! Solution: recursively retry the authentication using successively smaller strings from the string that I supplied, truncating one character at a time from the right end. That's really bad design!

ktinkel
10-13-2005, 06:31 AM
From that article, "... it is important to note that many machines artificially restrict the length of the password usually by silently truncating what you enter to their maximum length ..."

Indeed. In several instances, being asked for a password, I have supplied a 20-character string. Unknown and undisclosed to me, that system accepted only the first n characters and assigned that smaller string as my password. Next time I tried to authenticate, rejected! Solution: recursively retry the authentication using successively smaller strings from the string that I supplied, truncating one character at a time from the right end. That's really bad design!

Yeah. You’d think they would tell you there is an 8-character limit (which is, I gather from that article, a limit on some Unix servers).

My new resolve is to use 8-character passwords. Seems pretty good (better than what I have been doing).

Michael Rowley
10-13-2005, 07:17 AM
KT:

My new resolve is to use 8-character passwords

That seems sensible. Now can you give us a link to a Web site offering advice on how to remember them?

ktinkel
10-13-2005, 07:28 AM
That seems sensible. Now can you give us a link to a Web site offering advice on how to remember them?

No. But you should write them down.

There are many programs that will store passwords, charge card numbers, subscription and login details, etc. They themselves are usually password-protected, though, so you will need to remember at least one password.

Michael Rowley
10-13-2005, 07:55 AM
KT:

But you should write them down

I thought you should never write them down, advice which is implied by the statement in that Australian site:

'Choose a phrase or a combination of words, that make the password easier to remember'.

But writing your passwords down seems the easiest way. My wife can't even remember the code for our telephone area, though our number is easy to remember (3210 . .).

How necessary are passwords in general is another question.

ktinkel
10-13-2005, 08:51 AM
How necessary are passwords in general is another question.

The point made in the article (and another article I read that led to that one) was that if you are careless with passwords and someone exploits your carelessness, the results cause problems for everyone whose mail (and/or web site) is on the same server your mail is on.

So I would guess that the quality of passwords is extremely important.

As for whether you need them, not sure how else you get around on the web, use modern software, and otherwise deal with the digital world. I am obliged to set up passwords for dozens of things, from joining a forum or e-mail list, ordering from catalogs, and reading online publications. Doesn’t really matter what I think of the necessity, really.

Michael Rowley
10-13-2005, 10:14 AM
KT:

I am obliged to set up passwords for dozens of things

So am I, of course, but I question the need for a lot of them. For instance, why should one have to give a password when ordering something from a catalogue, which is being delivered to your address and is paid for via your card?

ktinkel
10-13-2005, 10:53 AM
So am I, of course, but I question the need for a lot of them. For instance, why should one have to give a password when ordering something from a catalogue, which is being delivered to your address and is paid for via your card?

Well, you can always choose not to buy from that company. Otherwise, the necessity is built into the transaction.

Michael Rowley
10-13-2005, 12:00 PM
KT:

Otherwise, the necessity is built into the transaction

We obviously don't share the same suppliers. I don't know of any that insists on a password, unless it's to establish a credit account.

Daudio
10-13-2005, 07:35 PM
KT,

I am obliged to set up passwords for dozens of things, from joining a forum or e-mail list, ordering from catalogs, and reading online publications. Doesn’t really matter what I think of the necessity, really.

In defense I have a system of 'good', 'better', and 'very good' passwords I use for these various purposes, depending on the criticality of the application.

Fewer problems than remembering dozens of them, or of being seriously compromised if one is cracked. Also I never reveal them to anyone, but I do have to have them stashed somewhere inconspicuous for when those senior moments strike!

I also try to use the same or similar userids (not as easy as it sounds) to keep me from forgetting which is which.

Perhaps having used ids and passwords since back in the mainframe days helps a bit. But now the browser's ability to invisibly remember and apply them is not helping my memory of them, and could lead to a problem down the road, especially if I forget where I put my 'cheat sheet'!

gary
10-13-2005, 09:25 PM
That seems sensible. Now can you give us a link to a Web site offering advice on how to remember them?

I have found a good supply of 4x6 recipe cards valuable in this regard.
I have 75 cards with 144 passwords (some duplicates).
Note that they cannot be hacked into.

ktinkel
10-14-2005, 06:37 AM
I also try to use the same or similar userids (not as easy as it sounds) to keep me from forgetting which is which.

I often find the userids more of a problem than the passwords. I really hate places that insist on using my e-mail address as the ID. I have several, and change them from time to time for various reasons. If I didn’t remember to make a note of the ID when I signed up, I may have to try two or three before hitting on the right one.

I actually use iData for my IDs and passwords. You can set up a datafile just for those. As a safeguard, iData files can be read with any text editor, too.

We have no casual visitors or passersby who could mess around with my computers. And I have DSL and a router as well as OS X software as barriers to outsiders.

It has worked so far, anyway. I would be sunk if I could not write them down.

The danger of passwords being sussed out while in use seems to be more serious. So for that, better passwords should help. And not using the same one for multiple locations. Sigh.

ktinkel
10-14-2005, 06:39 AM
I have found a good supply of 4x6 recipe cards valuable in this regard. I have 75 cards with 144 passwords (some duplicates).
Note that they cannot be hacked into.

So long as you can keep track of them. I do have a nice wooden box for 4X6-inch cards — so it isn't a bad idea.

Right now I keep them in a piece of software, a mini-database that sits open on my desktop most of the time, so it is easy to find. That has the added advantage of allowing for copy/paste for sites that allow pasting.

gary
10-14-2005, 09:39 AM
Right now I keep them in a piece of software, a mini-database that sits open on my desktop most of the time, so it is easy to find. That has the added advantage of allowing for copy/paste for sites that allow pasting.

I did that for a week until I forgot the password for the password-keeper :(.
My 4x6 cards (together with index cards) are stored in a Ziploc Freeze-Guard bag, so even an inadvertent drink spill won't lose the (permanent ink) information.

ktinkel
10-14-2005, 10:20 AM
I did that for a week until I forgot the password for the password-keeper :(.

Yeah, I know how that can happen! So I don’t use a password for mine. I could, but I don’t.

Feel pretty safe here, all in all.

donmcc
10-14-2005, 10:49 AM
From that article, "... it is important to note that many machines artificially restrict the length of the password usually by silently truncating what you enter to their maximum length ..."

That is just shoddy programming. You could use a JavaScript test on the length (1 or 2 lines of code) and even then should have a server-side test to deal with those people with JS turned off. If it must be truncated, it should not be done silently.

Don McCahill
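
The following is an added example, not code from this thread or from any product mentioned in it. It models the two sides of the truncation problem raised by jrabold and Don McCahill above: a store that silently keeps only the first MAX_LEN characters when a password is set (so the full string is later rejected, and the user has to discover the accepted prefix by trial), beside a store whose server-side check rejects an over-long password with an explicit message. MAX_LEN, the class and function names, and the PBKDF2 hashing scheme are assumptions made for this example.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

# Hypothetical legacy maximum, standing in for the 8-character limit the
# thread mentions for some Unix servers. Constructed for this example.
MAX_LEN = 8

# Iteration count kept low so the example runs quickly; production code
# would use a much higher count.
PBKDF2_ROUNDS = 50_000


def _digest(password: str, salt: bytes) -> bytes:
    """Salted, slow password hash. The scheme is an assumption for this example."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class SilentlyTruncatingStore:
    """Models the behaviour jrabold describes: the server keeps only the
    first MAX_LEN characters when the password is set, tells the user
    nothing, and then compares the full string at login."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        kept = password[:MAX_LEN]  # silent truncation: no error, no message
        self._accounts[user] = (salt, _digest(kept, salt))

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self._accounts[user]
        # The full submitted string is hashed, so the 20-character original
        # no longer matches what was stored.
        return hmac.compare_digest(_digest(password, salt), digest)


def accepted_prefix_length(store: SilentlyTruncatingStore, user: str, password: str) -> int:
    """What jrabold had to do by hand with his own password: try the full
    string, then successively shorter prefixes, until one is accepted.
    Returns the accepted length, or 0 if no prefix works."""
    for n in range(len(password), 0, -1):
        if store.verify(user, password[:n]):
            return n
    return 0


def password_length_problem(password: str) -> Optional[str]:
    """Server-side check (the authoritative one; a client-side script can
    only give earlier feedback). Returns an explanation, or None if the
    length is acceptable."""
    n = len(password)
    if n > MAX_LEN:
        return f"password is {n} characters; the maximum is {MAX_LEN}"
    return None


class ExplicitLimitStore:
    """Same storage, but an over-long password is rejected with a message
    instead of being cut down behind the user's back."""

    def __init__(self) -> None:
        self._accounts: Dict[str, Tuple[bytes, bytes]] = {}

    def set_password(self, user: str, password: str) -> Tuple[bool, str]:
        problem = password_length_problem(password)
        if problem is not None:
            return False, problem
        salt = os.urandom(16)
        self._accounts[user] = (salt, _digest(password, salt))
        return True, "ok"

    def verify(self, user: str, password: str) -> bool:
        salt, digest = self._accounts[user]
        return hmac.compare_digest(_digest(password, salt), digest)


if __name__ == "__main__":
    full = "correct-horse-battery"  # 21 characters, constructed sample
    legacy = SilentlyTruncatingStore()
    legacy.set_password("kt", full)
    print("legacy accepts full password:", legacy.verify("kt", full))
    print("accepted prefix length:", accepted_prefix_length(legacy, "kt", full))
    checked = ExplicitLimitStore()
    print("checked store:", checked.set_password("kt", full))
```

The same length check belongs on both the set-password and the login path, so that whatever limit the system has is stated to the user once, up front, rather than discovered later by elimination.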

jgr
10-14-2005, 12:30 PM
Right now I keep them in a piece of software, a mini-database that sits open on my desktop most of the time, so it is easy to find.

Are you using a program specifically for passwords, or just a mini-database?

annc
10-14-2005, 12:41 PM
Yeah, I know how that can happen! So I don’t use a password for mine. I could, but I don’t.

Feel pretty safe here, all in all.

I use the excellent Forgotit? (http://home.snafu.de/erich/shareware/forgotit.html), recommended by Brad Walrod, for mine. It has a password requirement, but I use one I know I won't forget for that.

ktinkel
10-14-2005, 12:44 PM
Are you using a program specifically for passwords, or just a mini-database?

Not a special password program, although I have downloaded and tried a bunch of them over the years.

This is something called iData, a small database that you can set up with proper fields if you want to or just use it as a freeform text file, which is usually what I do. It searches very quickly.

This program is from an old-time Mac developer, one of the few still working on the same program. I have used it since 1985, when it debuted as QuickDEX (freeform only), then morphed into InfoData, and now iData2.

I like it because it is small, and the datafile can be made quite small visually so I can leave it open in a corner of my desktop. I have a general file that is always open (on startup), plus others dedicated to useful snippets of CSS and HTML, another to type-related snippets, one to good quotes, and a couple of others. Only one is field-based. The files can be read with any text editor, another plus.

There must be something similar for Windows — unless it is too simple for those sophisticates! <g>

ktinkel
10-14-2005, 12:51 PM
I use the excellent Forgotit? (http://home.snafu.de/erich/shareware/forgotit.html), recommended by Brad Walrod, for mine. It has a password requirement, but I use one I know I won't forget for that.

I think that is one of those I tried.

Requires too much discipline for me, especially as I do not quite see the point.

ElyseC
10-16-2005, 11:43 AM
I use Splash ID, which has both desktop and PalmOS apps that keep each other synchronized. It's password protected (both apps), but like you I set one that I know I'll remember. Many's the time I've had to look up a user ID and password while away from the computer and Splash ID has saved the day. Oh yes, with it you can export all your records, all categories, to plain text and .csv files. I export to both formats periodically.

annc
10-16-2005, 12:34 PM
I use Splash ID, which has both desktop and PalmOS apps that keep each other synchronized. It's password protected (both apps), but like you I set one that I know I'll remember. Many's the time I've had to look up a user ID and password while away from the computer and Splash ID has saved the day. Oh yes, with it you can export all your records, all categories, to plain text and .csv files. I export to both formats periodically.

That sounds handy. I just looked (for the first time in how many years of ownership?) at the options in Forgotit? and it also allows text file export.