I have 3 different generic passwords I use commonly. Those are varied enough that I can almost always use one of them no matter the restrictions. Since most places give you 3 guesses on your password, it works out well for the whole remembering part (which I suck at). After that, important stuff has subtle variations of the above, something that's easy enough for me to remember (i.e. somehow related), but changes the password fairly significantly, and has some part I can iterate on if I'm forced to change things up a bit, like the work password which changes every few months. Edited, Oct 18th 2013 8:28am by someproteinguy
That's how I am and that usually isn't an issue, but over time I have come across ridiculous password policies that force me to alter my passwords, creating new alterations.
The questions are the bane of my existence though. Firstly, I don't have a favorite teacher or a favorite fruit, don't remember the model of my first girlfriend's car, split my childhood between a few different houses, can never seem to remember whether or not my first phone number should include the area code, and that theme continues for 90% of what they come up with. I'd make up fake answers for those (which I'm told is best to do anyway), but I get forced into using those questions so infrequently I can't seem to remember my fake answers.
I'll just stick with the herd thing and hope enough of the rest of you are feeble, injured, or somehow look more delicious so the predators will go after you first and leave me alone.
Easy solution. Think of one place: Gotham City, one name: Peter Parker, one pet name: Alpha5, one car name: Pento, and use those for every question. NEVER USE anything real that someone can use Facebook/social engineering to get.
Name of best friend/girlfriend/teacher/etc. = Peter Parker.
Place of birth/honeymoon/first vacation/etc. = Gotham City.
Now, the key is to remember this if a person challenges you on the phone. You have to ask: are these MY security questions, or are you using your database? A few years ago, a woman asked me the name of my son. I responded, "??? I don't have a son, do you know something that I don't know?" There was an awkward pause, until I realized that she was asking my security question and answered. We laughed.
What's the point of creating a policy that doesn't allow special characters?
It makes users feel more secure. The reality is most password files are barely encrypted, if not kept in plaintext, and take an hour for a 12-year-old to break. Forcing users to rule out "password" as a password seems like a good idea until dictionary attacks add "password_1" to their lists.
I think you misread what I wrote. I'm asking why create a policy that does NOT allow special characters.
idiggory, King of Bards wrote:
I've been arguing this concept for a while. The more restrictions that you give, the fewer possibilities there are.
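To put numbers on the point the last two posts are making (a policy that bans special characters, or that forces a digit in, shrinks the set of passwords an attacker has to try), here is a small script that counts the keyspace under a few policies. This is an added example, not something posted in the thread; the character classes follow Python's string module, and the guess rate is a hypothetical figure for illustration, not a measurement of any real cracking rig.

```python
import math
import string
from itertools import combinations, product

# Character classes a password policy typically talks about.
LOWER = string.ascii_lowercase      # 26
UPPER = string.ascii_uppercase      # 26
DIGITS = string.digits              # 10
SPECIAL = string.punctuation        # 32 printable ASCII specials


def keyspace(length, classes, required=()):
    """Number of passwords of exactly `length` characters drawn from the
    union of the (disjoint) character classes in `classes`, where every
    class listed in `required` must occur at least once.

    Counted by inclusion-exclusion: start with all strings over the full
    alphabet, subtract those missing one required class, add back those
    missing two, and so on.
    """
    alphabet_size = sum(len(c) for c in classes)
    required = list(required)
    total = 0
    for k in range(len(required) + 1):
        for excluded in combinations(required, k):
            remaining = alphabet_size - sum(len(c) for c in excluded)
            total += (-1) ** k * remaining ** length
    return total


def brute_force_count(length, alphabet, required=()):
    """Same count by plain enumeration; only feasible for tiny inputs.
    Used to confirm the inclusion-exclusion formula on a small case."""
    return sum(
        1
        for pw in product(alphabet, repeat=length)
        if all(any(ch in cls for ch in pw) for cls in required)
    )


def bits(count):
    """Equivalent entropy in bits for a uniformly chosen password."""
    return math.log2(count)


def seconds_to_exhaust(count, guesses_per_second):
    """Worst-case time to try every candidate at the given guess rate."""
    return count / guesses_per_second


if __name__ == "__main__":
    RATE = 1e10     # hypothetical offline guess rate (assumption, not measured)
    LENGTH = 8
    policies = {
        "any printable ASCII, no rules":   ([LOWER, UPPER, DIGITS, SPECIAL], []),
        "no special characters allowed":   ([LOWER, UPPER, DIGITS], []),
        "must contain a digit":            ([LOWER, UPPER, DIGITS, SPECIAL], [DIGITS]),
        "must contain digit AND special":  ([LOWER, UPPER, DIGITS, SPECIAL], [DIGITS, SPECIAL]),
        "no specials, must contain digit": ([LOWER, UPPER, DIGITS], [DIGITS]),
    }
    for name, (classes, req) in policies.items():
        n = keyspace(LENGTH, classes, req)
        days = seconds_to_exhaust(n, RATE) / 86400
        print(f"{name:32s} {bits(n):6.2f} bits  {days:10.1f} days to exhaust")
```

Every "must contain X" rule is a subtraction from the unconstrained count (the strings that lack X are removed), and "no special characters" drops the alphabet from 94 to 62 symbols, so each rule only ever makes the attacker's job smaller; that is the arithmetic behind the complaint above.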