Dear Linkedin,

Linkedin has a blog post that ends with this sage advice:

  * Make sure you update your password on LinkedIn (and any site that you visit on the Web) at least once every few months.

I have accounts at probably 100's of sites. Am I to understand that I am supposed to remember
each one of them and dutifully update them every month or two?

  * Do not use the same password for multiple sites or accounts.

So the implication is that I have 100's of passwords all unique and that I must
change every one of them to be something new and unique every few months.
And remember each of them. And not write them down.

  * Create a strong password for your account, one that includes letters, numbers, and other characters.

And that each of those passwords needs to be really hard to guess that I change to every
few months on 100's of web sites.

I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does
yours. So what you're telling me and the rest of the world is impossible.

What's most pathetic about this is that somebody actually believes that we all really
deserve this finger wagging.

Mike

https://agilebits.com/onepassword (1Password) is one solution to managing web site passwords.

--lyndon

Use a password safe. Simple. Most of them even include secure password generators. That way you only have one password to remember stored in a location you have control over (and is encrypted), and you get to adopt secure practices with websites.

The only real inconvenience might be having to log into each of whatever sites it is you're concerned about and changing the password on them.

Paul

I have accounts at probably 100's of sites. Am I to understand that I am supposed to remember
each one of them and dutifully update them every month or two?

Yes; of course if most of those accounts are moribund and unused then you don't need to change them so often, but the passwords you use frequently should be changed at regular intervals.

It's pretty commonsensical once the threat is understood.

So the implication is that I have 100's of passwords all unique and that I must
change every one of them to be something new and unique every few months.
And remember each of them. And not write them down.

Yes; of course more than a couple of dozen random passwords or passphrases will be hard to remember, so look into something like 1Password, PasswordSafe or LastPass to help you with that - amongst others.

It goes without saying that your password database should be protected by something really quite long but memorable to you.

* Create a strong password for your account, one that includes letters, numbers, and other characters.

And that each of those passwords needs to be really hard to guess that I change to every
few months on 100's of web sites.

Yes. My 1Password configuration for my work system is for 16 character random passwords, sprinkled with punctuation and mixed case. My home one is less thoroughly set up but is being migrated to the same.

They are this way because I have both read and understood the performance statistics for some software called "Hashcat" which I have seen burn through every single 1 thru 8 character lowercase alphanumeric password in 32 minutes, on a single Alienware gamer laptop. Imagine what it can do on AWS.

I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does
yours. So what you're telling me and the rest of the world is impossible.

Stop using your brain, use a computer.

What's most pathetic about this is that somebody actually believes that we all really
deserve this finger wagging.

Yes, some people evidently do.

  -a

Michael Thomas wrote:

Linkedin has a blog post that ends with this sage advice:

* Make sure you update your password on LinkedIn (and any site that you
visit on the Web) at least once every few months.

I have accounts at probably 100's of sites. Am I to understand that I am
supposed to remember
each one of them and dutifully update them every month or two?

* Do not use the same password for multiple sites or accounts.

So the implication is that I have 100's of passwords all unique and that
I must
change every one of them to be something new and unique every few months.
And remember each of them. And not write them down.

* Create a strong password for your account, one that includes letters,
numbers, and other characters.

And that each of those passwords needs to be really hard to guess that I
change to every
few months on 100's of web sites.

I'm sorry, my brain doesn't hold that many passwords. Unless you're a
savant, neither does
yours. So what you're telling me and the rest of the world is impossible.

What's most pathetic about this is that somebody actually believes that
we all really
deserve this finger wagging.

Mike

Different passwords have different security clearances.

Some stuff, especially all those "security questions" just has to be stored somewhere retrievable.

Joe

No actually, it's not impossible.

I use 1password, you might use LastPass. They both work on Android, iPhone,
Linux, Mac, Windows.

I have over 900 passwords in that system, and I don't know any of them.
They're all 8-14 characters. All random. I know my master password, and no
one on the Internet has a copy of that. On some systems, I have a Yubikey
with a 45 character master password.

Change your habits. Fix the password anti-pattern.

-j

And how about "Do not store your passwords using unsalted sha1?"

Simon

Whether those rules are *practical* is orthogonal to whether they're
necessary.

Ob:

https://xkcd.com/792/

https://xkcd.com/936/

Cheers,
-- jra

Does your password safe know how to change the password on each
website every several months?

Mike

Oh come on.. now you're just being ridiculous, even bordering on childish.
LinkedIn are offering solid advice, rooted in safe practices. If you don't want to do it that's your problem. Stop bitching just because security is hard.

Uh, I'm not the one saying you should change your passwords every
month, Linkedin is. If you think it's childish, take it up with them.

Mike

Does your password safe know how to change the password on each
website every several months?

Not far off, actually; my 1Password has an auto-login-page feature which you can often wire to be the same as the password-change URL.

So, nyah.

  -a

PS: when security is hard, people simply don't do it. Blaming the victim
of poor engineering that leads people to not be able to perform best
practices is not the answer.

Mike

Yes.

PS: when security is hard, people simply don't do it. Blaming the victim
of poor engineering that leads people to not be able to perform best
practices is not the answer.

Passwords suck, but they are the best that we have at the moment in terms of being cheap and free from infrastructure - see http://goo.gl/3lggk

We've been in a bubble for the past few years, where Moore's law hardware had not quite caught up with the speed of SHA and MD5 password hashing throughput for effective brute force guessing; that bubble is well and truly burst.

Welcome back to 1995 where the advice is to change your passwords frequently, because it has a half-life of usefulness imposed upon it from (a) day to day external exposure and (b) the march of technology - and keep your hashing algorithms up to date, too. See http://goo.gl/iL9EP for suggestions.

Have a nice weekend,

  -a
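Simon's remark about unsalted SHA-1 and the advice above to keep hashing algorithms up to date are two sides of the same server-side point, so here is one added example covering both. It is not code from the thread, from LinkedIn or from any of the password managers discussed; the storage-string format, the iteration count and the `needs_rehash` policy are assumptions chosen for illustration, and the example uses only the Python standard library.

```python
"""Unsalted fast hash (the practice complained about) beside a salted, iterated one."""
import hashlib
import hmac
import os
from typing import Optional

# Assumed work factor. Tune it so one verification costs tens of milliseconds
# on the server; raise it over time as hardware speeds up.
ITERATIONS = 100_000
ALGO = "pbkdf2_sha256"


def unsalted_sha1(password: str) -> str:
    """The scheme Simon objects to: same password => same hash, one fast SHA-1
    per guess, so a leaked table is attacked at full GPU throughput and every
    user who chose the same password falls together."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted, iterated hash. A fresh random salt per user means equal passwords
    produce different records; the iteration count slows every guess."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Self-describing record so parameters can be raised without a flag day.
    return f"{ALGO}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when the record predates the current algorithm or work factor.
    Call this after a successful login and re-store with hash_password()."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    print("unsalted:", unsalted_sha1("password"))
    rec = hash_password("correct horse battery staple")
    print("salted record:", rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("verify wrong:", verify_password("Tr0ub4dor&3", rec))
    print("needs rehash:", needs_rehash(rec))
```

The rehash-on-login step is what "keep your hashing algorithms up to date" looks like in practice: the server cannot upgrade a record without the plaintext, so it does it at the one moment the plaintext is legitimately present, and the record's own header tells it which records are still behind.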

I run a website. If it can change it on mine, I'd like to understand
how it manages to do that.

Mike

I think this is exactly right.

The idea that we are going to train everyone on earth to keep eleventy
billion distinct passwords in their heads -- or in a "password safe"
that is either (1) under someone else's control because it's a web
service or (2) inaccessible half the time because it's on their laptop
and they're using their phone now and OMG -- is preposterous. (This
without mentioning that they also have to remember the username that
goes with it, which is _also_ variable.)

We have an engineering challenge here, and the PKI we have so far
doesn't work. No, I have no magic answers. I'm not that smart.
Michael Thomas is still right about this.

Best,

A

A lot has changed from 1995, and still we're using technology that
is essentially unchanged from the 1960's. For my part, on my app/website
(Phresheez), the app actually auto-generates passwords for the user
so that they don't have to type one in. I do this mainly because people
hate typing on phones, but it has the nice property that if you have
a password exposure event, you do not have the cascading failure
mode that Linkedin has now unleashed. With apps and browsers that
can remember passwords why are we still insisting that users generate
and remember their own bad passwords? That's one reason that I
find the finger wagging tone of that Linkedin post extremely problematic --
they have obviously never even considered thinking beyond the current
bad practice.

Mike
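The approach described above, an app that generates the user's password itself so that nothing is typed, nothing is reused, and a leak at one site cannot cascade, is easy to sketch. The following is an added example and not Phresheez's code; the symbol set, the 16-character default and the toy per-account store are assumptions made for the illustration.

```python
"""Per-account generated passwords: nothing for the user to invent or reuse."""
import math
import secrets
import string

# Assumed symbol set: letters, digits and a handful of punctuation characters
# that survive most sites' validation rules (78 symbols in total).
ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+-=?@^_~"
DEFAULT_LENGTH = 16


def generate_password(length: int = DEFAULT_LENGTH, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the CSPRNG, one independent choice per slot."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int = DEFAULT_LENGTH, alphabet: str = ALPHABET) -> float:
    """Guessing entropy of a uniformly chosen password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


class AccountStore:
    """Toy stand-in (hypothetical) for the client-side store an app would keep.

    Each (site, username) gets its own random secret, so compromise of one
    site's password database reveals nothing usable at any other site.
    """

    def __init__(self) -> None:
        self._secrets: dict[tuple[str, str], str] = {}

    def provision(self, site: str, username: str) -> str:
        """Create the account's password; called once at signup."""
        key = (site, username)
        if key in self._secrets:
            raise KeyError(f"{username}@{site} already provisioned")
        self._secrets[key] = generate_password()
        return self._secrets[key]

    def rotate(self, site: str, username: str) -> str:
        """Replace the password after an exposure event at that one site."""
        key = (site, username)
        if key not in self._secrets:
            raise KeyError(f"{username}@{site} unknown")
        self._secrets[key] = generate_password()
        return self._secrets[key]

    def lookup(self, site: str, username: str) -> str:
        return self._secrets[(site, username)]

    def reused_anywhere(self) -> bool:
        """Sanity check: no two accounts share a password."""
        values = list(self._secrets.values())
        return len(values) != len(set(values))


if __name__ == "__main__":
    store = AccountStore()
    print("bits per generated password:", round(entropy_bits(), 1))
    first = store.provision("example.test", "mike")
    store.provision("other.test", "mike")
    print("before rotation:", first)
    print("after rotation: ", store.rotate("example.test", "mike"))
    print("any reuse across sites:", store.reused_anywhere())
```

Rotating after an exposure touches exactly one record, which is the contrast with the thread's original complaint: rotation is cheap precisely because the user was never asked to remember or reuse anything.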

KeePass, KeyPassDroid and Dropbox.

I'm sure it will just get simpler as time goes on.

My mom uses a key database just fine.

I log in to your website, change my password, and the software picks up that I've changed the password and updates the safe accordingly. The software doesn't initiate the password change, it just notices it and updates its database accordingly. Sorry, I should have explained that more clearly.

If you have a Mac or a Windows box, download the 1Password 30 day trial and take it for a run. It really is a useful bit of software. No, it doesn't work on my *BSD, Solaris, or Plan 9 machines. But it does sync across all my Mac, Windows, and Android gear, and the Android client lets me pull up passwords on my phone when I'm on one of the systems that doesn't have a native 1Password client, or when I am on the road.

--lyndon