Barney's Blog


Failing Passwords

I think we all know most passwords are far too weak. So it is no real surprise that a report from Trustwave reached the same conclusion. In fact, many passwords are still PASSWORD, or the word with a number or two afterwards. This is what Verizon always used whenever I had to debug my DSL connection, which happened more often than a Brett Favre interception.

Even worse, these are often administrator passwords! Ouch.

Here's why so many passwords are so darn weak. Keeping up with a wealth of complex (but safe) passwords is a nightmare. How often have you tried to get into a system and the password you thought worked doesn't? And how do you keep track of all these various iterations, all the user names (which need to be complex because all the good ones are taken) and the accompanying passwords? Do you have them all written down? How secure is that?

The answer was always said to be single sign-on, but I have yet to see a system that signs on to enough services to make it worthwhile.

What is your solution? Hopefully you'll send news I can use to

Posted by Doug Barney on 03/16/2012 at 1:19 PM


Reader Comments:

Mon, Mar 19, 2012 Dave

2nd vote for Password Safe. Free, simple to set up and generates random passwords that meet the constraints of each particular system. Very easy.

Sat, Mar 17, 2012 Jeff D UK

Single sign-on worries me! It's very convenient but once that password is compromised, it's full steam ahead into the sweet shop :-) I compare it to having an apartment block with a highly secure entrance and then having the apartments use the same key - no one would do that, would they?

Fri, Mar 16, 2012 netmarcos

Simple really: Roboform

Fri, Mar 16, 2012

One position I held required 117 unique u/n - p/w combos. I used a PDA (with encrypted data) which was locked with a double set of logins, and which I kept on a chain to my belt. Worked fine, but a pain in the butt!

Fri, Mar 16, 2012 matt

I use... Http://

Fri, Mar 16, 2012 Eno-Master

My issue is that a number of websites or services won't accept full complexity passwords. For a real need for security, I have no problem with 19 character passwords with all 4 levels of complexity. But there are too many places where it is just not allowed. Sometimes it is not the user that is at fault.
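The post's complaint (passwords that are just "password" plus a digit or two) and the two comments above (a manager that generates random passwords to fit each system's rules, and systems whose rules reject long, fully complex passwords) can both be made concrete in a few lines. The Python below is an added example written for this page; it is not code from the post, from any commenter, or from Password Safe or KeePass. The `PasswordPolicy` fields and their defaults are hypothetical stand-ins for whatever a given site enforces; the only pattern taken from the post is the "password + up to two digits" check.

```python
import re
import secrets
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The weakness the post describes: the word "password" on its own or followed
# by one or two digits, in any capitalisation ("PASSWORD", "Password1", "password12").
_WEAK_PASSWORD_RE = re.compile(r"^password\d{0,2}$", re.IGNORECASE)


def is_trivially_weak(candidate: str) -> bool:
    """True if the password is 'password' with at most two trailing digits."""
    return bool(_WEAK_PASSWORD_RE.match(candidate))


@dataclass(frozen=True)
class PasswordPolicy:
    """Constraints one system imposes. Hypothetical defaults, not any real site's rules."""
    min_length: int = 8
    max_length: int = 64
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    require_symbol: bool = True
    allowed_symbols: str = "!@#$%^&*"


def _classes(policy: PasswordPolicy) -> List[Tuple[bool, str]]:
    """(required?, alphabet) for each character class the policy knows about."""
    return [
        (policy.require_upper, string.ascii_uppercase),
        (policy.require_lower, string.ascii_lowercase),
        (policy.require_digit, string.digits),
        (policy.require_symbol, policy.allowed_symbols),
    ]


def satisfies_policy(candidate: str, policy: PasswordPolicy) -> bool:
    """Would this system accept the candidate? Length bounds, allowed alphabet, required classes."""
    if not policy.min_length <= len(candidate) <= policy.max_length:
        return False
    allowed = set(string.ascii_letters + string.digits + policy.allowed_symbols)
    if any(ch not in allowed for ch in candidate):
        return False
    return all(
        (not required) or any(ch in alphabet for ch in candidate)
        for required, alphabet in _classes(policy)
    )


def generate_password(policy: PasswordPolicy, length: Optional[int] = None) -> str:
    """Generate a random password that meets the policy, using the OS CSPRNG.

    Defaults to the longest length the system allows, which is what a password
    manager should do: the user never has to remember it anyway.
    """
    length = policy.max_length if length is None else length
    if not policy.min_length <= length <= policy.max_length:
        raise ValueError("requested length is outside the policy's bounds")
    required = [alphabet for needed, alphabet in _classes(policy) if needed]
    if any(not alphabet for alphabet in required):
        raise ValueError("policy requires a character class with an empty alphabet")
    if length < len(required):
        raise ValueError("length too short to hold one character of each required class")
    pool = string.ascii_letters + string.digits + policy.allowed_symbols
    # One character from each required class guarantees the policy is met;
    # the remainder is drawn from the full pool, then everything is shuffled.
    chars = [secrets.choice(alphabet) for alphabet in required]
    chars += [secrets.choice(pool) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    strict = PasswordPolicy(min_length=12, max_length=19)
    lenient = PasswordPolicy(min_length=6, max_length=10, require_symbol=False, allowed_symbols="")
    for weak in ("PASSWORD", "Password1", "password12"):
        print(f"{weak!r}: trivially weak = {is_trivially_weak(weak)}")
    pw = generate_password(strict)
    print(f"19-char password for the strict system: {pw}")
    # The commenter's point: a site capped at 10 characters rejects a strong 19-char password.
    print(f"accepted by the 10-char site: {satisfies_policy(pw, lenient)}")
```

Run it directly to see a weak-pattern audit and a generated password; the `satisfies_policy` check is what a manager would apply before submitting a generated password to a site with a shorter cap.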

Fri, Mar 16, 2012 Tom

Single Sign-on works great - as long as you are on a domain offering it. Unfortunately at the individual level, there is no single authentication domain for single sign on functions to authenticate against. Even if there were, there is so much in the way today, that it still likely wouldn't work. Perhaps IPv6 will help with that - perhaps not. Either way, today I use KeePass password manager on an encrypted USB key. I plug it in, put in the encryption password, and open KeePass (granted, a second password, because I haven't got around to scripting a password pass-through script). Once in KeePass, it remembers and fills in my passwords for me. There are several others out there as well, I just saw KeePass first, liked it, and it worked for me.
