nanog mailing list archives

Re: Dear Linkedin,

From: Alec Muffett <alec.muffett () gmail com>
Date: Fri, 8 Jun 2012 20:58:21 +0100

I have accounts at probably 100's of sites. Am I to understand that I am supposed to remember
each one of them and dutifully update them every month or two?


Yes; of course if most of those accounts are moribund and unused then you don't need to change them so often, but the 
passwords you use frequently should be changed at regular intervals.

It's pretty commonsensical once the threat is understood.

So the implication is that I have 100's of passwords all unique and that I must
change every one of them to be something new and unique every few months.
And remember each of them. And not write them down.


Yes; of course more than a couple of dozen random passwords or passphrases will be hard to remember, so look into 
something like 1Password, PasswordSafe or LastPass to help you with that - amongst others.

It goes without saying that your password database should be protected by something really quite long but memorable to 
you.

* Create a strong password for your account, one that includes letters, numbers, and other characters.

And that each of those passwords needs to be really hard to guess that I change to every
few months on 100's of web sites.


Yes.  My 1Password configuration for my work system is for 16 character random passwords, sprinkled with punctuation 
and mixed case.  My home one is less thoroughly set up but is being migrated to the same.

They are this way because I have both read and understood the performance statistics for some software called "Hashcat" 
which I have seen burn through every single 1 thru 8 character lowercase alphanumeric password in 32 minutes, on a 
single Alienware gamer laptop.  Imagine what it can do on AWS.

I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does
yours. So what you're telling me and the rest of the world is impossible.


Stop using your brain, use a computer.

What's most pathetic about this is that somebody actually believes that we all really
deserve this finger wagging.


Yes, some people evidently do.

        -a

Current thread:

Re: Password safes &c. (was: Dear Linkedin,), (continued)
- - - Re: Password safes &c. (was: Dear Linkedin,) Lyndon Nerenberg (Jun 08)
    - Re: Password safes &c. (was: Dear Linkedin,) Jay Ashworth (Jun 09)
    - Re: Password safes &c. Paul Graydon (Jun 08)
    - Re: Password safes &c. (was: Dear Linkedin,) JoeSox (Jun 08)
    - Re: Dear Linkedin, Alec Muffett (Jun 08)
    - Re: Dear Linkedin, Lyndon Nerenberg (Jun 08)
    - Re: Dear Linkedin, Michael Thomas (Jun 08)
    - Password Safes Lyndon Nerenberg (Jun 08)
    - Re: Password Safes Michael Thomas (Jun 08)
    - Re: Password Safes JC Dill (Jun 10)
- Re: Dear Linkedin, Alec Muffett (Jun 08)
  - Re: Dear Linkedin, John Levine (Jun 08)
    - Re: Dear Linkedin, Alec Muffett (Jun 08)
- Re: Dear Linkedin, Joe Maimon (Jun 08)
- Re: Dear Linkedin, John Adams (Jun 08)
- Re: Dear Linkedin, Simon Perreault (Jun 08)
  - Re: Dear Linkedin, valdis . kletnieks (Jun 08)
- Re: Dear Linkedin, Jay Ashworth (Jun 08)
- Re: Dear Linkedin, [and proposed mitigation approach] Rich Kulawiec (Jun 08)
- Re: Dear Linkedin, Ted Cooper (Jun 08)
  - Re: Dear Linkedin, Michael Thomas (Jun 08)

(Thread continues...)