What is 'best practice' for password management?

Mystere, I am not saying that Gibson is to be taken by the letter, but rather that there are simple ways to get good passwords through character repetition. There are many ways to test passwords these days, and I actually think that setting up a combination of any "short" character sequence (given upper-case, lower-case, special and numbers) and repeating it is equally safe and easier to remember than many other approaches.

I tested a few passwords I actually use at Password Strength Checker, which also accounts for repetitiveness, and they came out 100%. All of them were inspired by GRC's writings.
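The post above relies on a strength checker that "accounts for repetitiveness". The example below, added here and not part of the thread or of any checker mentioned in it, shows what that accounting changes: a naive estimate treats every character position as independent, while a pattern-aware estimate charges only for the repeat unit plus the bits needed to pick the repeat count. The character-class sizes and the sample passwords are assumptions made for the illustration.

```python
import math
import re

# Character-class sizes for a naive "alphabet ^ length" estimate.
# Assumed values for this illustration, not numbers from the thread.
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
CLASS_PATTERNS = {
    "lower": r"[a-z]",
    "upper": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",  # anything outside the other classes counts as a symbol
}


def charset_size(password: str) -> int:
    """Size of the alphabet a naive checker assumes, from the classes present."""
    return sum(size for name, size in CLASS_SIZES.items()
               if re.search(CLASS_PATTERNS[name], password))


def naive_bits(password: str) -> float:
    """Strength as a position-independent checker counts it: length * log2(alphabet)."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def shortest_repeat_unit(password: str) -> str:
    """Smallest prefix whose repetition reproduces the string ('Ab1!' for 'Ab1!Ab1!')."""
    n = len(password)
    for k in range(1, n + 1):
        if n % k == 0 and password[:k] * (n // k) == password:
            return password[:k]
    return password


def pattern_aware_bits(password: str) -> float:
    """Strength when repetition is modelled the way a guesser would model it:
    search the repeat unit, then the repeat count.  The cost is
    len(unit) * log2(alphabet) + log2(count), so repeating adds only log2(count)."""
    if not password:
        return 0.0
    unit = shortest_repeat_unit(password)
    count = len(password) // len(unit)
    return naive_bits(unit) + math.log2(count)


def compare(password: str) -> dict:
    """Both estimates side by side, rounded to one decimal place."""
    return {
        "naive_bits": round(naive_bits(password), 1),
        "pattern_aware_bits": round(pattern_aware_bits(password), 1),
    }


if __name__ == "__main__":
    # Constructed sample passwords; the first follows the repeat-a-short-sequence scheme.
    for pw in ["Ab1!Ab1!Ab1!Ab1!", "Ab1!", "aaaaaaaa"]:
        print(pw, compare(pw))
```

For the constructed sixteen-character password built by repeating "Ab1!" four times, the naive estimate is about 105 bits, while the pattern-aware estimate is about 28 bits: the four-character unit plus two bits for choosing "four repeats". A checker that reports 100% on such a password is using the naive model, whatever its label says, so when comparing checkers it is worth feeding them a deliberately repetitive string and seeing whether the score collapses.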
 

My Computer

System One

  • OS
    W7x64P
    Computer type
    PC/Desktop
    System Manufacturer/Model
    Main WKS/Gaming Sloth
    CPU
    Phenom II X6 1075T, 3000 Mhz
    Motherboard
    Asus Sabretooth 990FX
    Memory
    16 GB PC3-10700
    Graphics Card(s)
    2 x ATI 6750
    Sound Card
    Asus Xonar DX
    Monitor(s) Displays
    2 x LG Flatron L2000C (3:4)
    Screen Resolution
    2 x 1600x1200
    Hard Drives
    WDC WD740ADFD (10k rpm)|
    WDC WD5000AAKS |
    WDC WD10EARS
    PSU
    750 W
    Case
    Cooler Master CM 690
    Cooling
    Cooler Master Hyper 612S
    Keyboard
    Logitech G110
    Mouse
    Logitech G700
    Internet Speed
    ADSL 30 MBit
    Antivirus
    ESET Endpoint Protection
Security questions may be stupid, but they are in fact widely used in corporations in order to actually help regular users reset their password. That is not such a bad idea in itself, but then again, perhaps not as safe.
The problem is, if I've lost my password, I've also lost my security answers. I would never use legit and therefore guessable answers, so security questions are basically a double-password system from my perspective. I guess there might be some value as long as passwords and security answers are stored separately and aren't easy to match, but then again my main passwords are strong and hard to brute-force, so it mainly just adds inconvenience AFAICT.
Security questions may be stupid, but they are in fact widely used in corporations in order to actually help regular users reset their password. That is not such a bad idea in itself, but then again, perhaps not as safe.

Ask Sarah Palin ;) Her email was hacked because her security question was "What high school did you go to?" and everyone knows she went to Wasilla High School.
(Edit) I have a harder time remembering my security questions.

Security questions are stupid. I use unique random strings for them the same as I use for my passwords.
Security questions might not be so bad, but some organisations include stupid options like "what is your favourite colour?"; a question to which I never know the answer (perhaps it's cyan this week ;) ).
Security questions may be stupid, but they are in fact widely used in corporations in order to actually help regular users reset their password. That is not such a bad idea in itself, but then again, perhaps not as safe.

Ask Sarah Palin ;) Her email was hacked because her security question was "What high school did you go to?" and everyone knows she went to Wasilla High School.


HAHAHAHA! Well, she's stupid; what is anyone else's excuse? Bfhahahaha!

Actually, one of the ones I use IS my original elementary school; the only people who could guess this would be people I knew only in kindergarten. That makes it a short list of about 1 person.
I would never use legit and therefore guessable answers, so security questions are basically a double-password system from my perspective.
Well, I get the point, but that also defeats the purpose of security questions, as I understand them. And you can actually have that setup in a number of ways; it is up to the application developer to decide upon any number of security questions and what they should be, or, as I have where I work, the ability to make up your own.

I think you forget that these actually presume you have access to the e-mail account they send out a link to, assuming they do that.

Sarah Palin's example is, in that context, proof that the guys in charge of her e-mail server were nuts. The poor security does not really lie with her, or with similar stories, but with the guys responsible for the security of the account.
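The post above points out that a reset flow normally presumes control of the e-mail address it sends a link to, so the answers to the questions are not what the account's security rests on. As an added example, not code from the thread or from any product discussed in it, here is the server side of such an out-of-band reset in Python: the link carries a random single-use token, the server stores only a hash of it with an expiry, and the comparison is constant-time. The 15-minute validity window, the account names and the injectable clock are assumptions made for the illustration; the mailer that delivers the link is out of scope.

```python
import hashlib
import hmac
import secrets
import time

# Assumed policy for this illustration: a reset link is valid for 15 minutes.
TOKEN_TTL_SECONDS = 15 * 60


class ResetTokenStore:
    """Out-of-band password reset: the server mails a one-time link and keeps
    only a hash of the token, so a leaked table yields no usable links.

    `now` is injectable so the expiry path can be exercised without waiting.
    `issue()` returns the token that would be placed in the e-mailed link.
    """

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # account -> (sha256 hex of token, expiry timestamp)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account: str) -> str:
        """Create a fresh token for `account`, replacing any earlier one."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._pending[account] = (self._digest(token), self._now() + TOKEN_TTL_SECONDS)
        return token  # goes into the e-mailed link; never stored in clear

    def redeem(self, account: str, token: str) -> bool:
        """Accept the token once, within its TTL.  A wrong guess leaves the
        pending token in place; success consumes it; expiry discards it."""
        entry = self._pending.get(account)
        if entry is None:
            return False
        stored_digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[account]      # expired: drop it
            return False
        if not hmac.compare_digest(stored_digest, self._digest(token)):
            return False                    # wrong token
        del self._pending[account]          # single use
        return True

    def pending_count(self) -> int:
        return len(self._pending)


def demo() -> dict:
    """Walk the flow with a fake clock; returns the outcome of each step."""
    clock = [1_000_000.0]
    store = ResetTokenStore(now=lambda: clock[0])
    account = "alice@example.invalid"      # constructed account name
    token = store.issue(account)
    results = {
        "wrong_token": store.redeem(account, "not-the-token"),
        "right_token": store.redeem(account, token),
        "replay": store.redeem(account, token),
    }
    token2 = store.issue(account)
    clock[0] += TOKEN_TTL_SECONDS + 1      # move past the validity window
    results["expired"] = store.redeem(account, token2)
    return results


if __name__ == "__main__":
    print(demo())
```

The properties worth checking in a real implementation are the ones `demo()` exercises: a wrong token is rejected, the right token works exactly once, and an expired token is rejected. In production the redeem endpoint would also be rate-limited and the token would travel only in the mailed link, never echoed into logs or referrers.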