I was actually thinking of devoting a blog post to just that. I think most people would be much safer if they chose one password for their email and used another for everything else (of course, they could choose different ones for every service — but again, we get into the issue of memorizing them and writing them down.)

Thanks for bringing it up!

Louise

(*disclaimer – I write for a password manager)

My personal bugbear over passwords is with idiot sysadmins that enforce constantly changing passwords. At one place I worked a few years back, passwords had to be changed every month and it remembered – and refused to let you reuse – the previous ten passwords. The solution I came up with was to use passwords such as:

december2002, january2003, February2003…

Completely insecure and solely due to a ridiculously overzealous password policy.

That’s always a concern I share too.

There’s nothing worse than to be forced to use a strong password only to have it stored in plain text and (here’s the best bit) have it emailed to you after signing up!

@robs: Your comment doesn’t make any sense.

’strong passwords are bad.. because a user is not able to type it fast. that means everybody can copy the password. you should force the user to choose a password which he can write in less than 0.5s.’

sounds good, right?

You do know that password fields don’t show you the password you’re typing, right? So, no, it doesn’t sound good at all; sounds quite daft, actually.

how about reading some security papers before preaching bad practices?

How about rationally addressing the issues that I raise and engaging in intelligent debate to further our collective understanding of the topic? Your comment is sarcastic but doesn’t make a rational argument.

Mario brings up a good point in his comment. I have actually seen passwords being stored as plain text! This is just wrong and no website should do this. Always encrypt the user’s password before storing it. Another irritating thing is when some websites send you an email with your password. It’s ok to send a randomly generated password if the user has forgotten it and requested it but don’t send an email with the users password.

Thanks for the article Aral, makes one think.

I agree with you, sites like a social networking application shouldn’t require super strong passwords. I generally have a light password I use for these types of sites, and a stronger one that I use (with variations) for more secure things like my banking. Its incredibly frustrating when you can’t use something you typically use elsewhere because your missing a capitol letter or something. I’m just talking from a usability standpoint, not from a security standpoint.

The one thing I’d like to point out is that sites that have added stronger password requirements don’t typically do this retroactively. For example I still keep a hotmail account that I opened in 1998. At that time I could have an all letter 5 character password. I can still log in today with that same password. I’d expect if making a stronger password was that important that I would have gotten a message at some point at least encouraging me to change it, it not requiring me to do so when I logged into the account.

I’d say its fine that a site requires stronger passwords, but they need to let you know that in a clear and usable way up front (pownce does a great job with this). Thanks for the post!

i wouldn’t care less if they just use their bad practice on their own. but no! they have to preach it to the whole world.

@jason
“Victor is completely wrong…”

.. let’s hope you’re not completely wrong:

‘wanu3ved3xoby’

“what a great password!” some security nubs might claim. or is it?
well it must be! it looks really good!

execpt for my boss’ password is ‘wanu3ved3xobx’ but i’m sure it’s secure anyway, because it looks complicated!

@aral
why do you write such things? you could also write:

‘strong passwords are bad.. because a user is not able to type it fast. that means everybody can copy the password. you should force the user to choose a password which he can write in less than 0.5s.’

sounds good, right?

@all
how about reading some security papers before preaching bad practices?

don’t take it personally.. such things just make me angry :)

cheers robs

Because L33t does not always guarantee you will remember your password. For example:

x site has a 8 character minimum.
y site has a restriction on non-alpha numerics
z site refuses spaces
q site wants a 4-digit pin

The problem is every site is different. So it’s impossible to make a password you can use everywhere. I like to have “password levels”. I have one for public internet, a different form for financial sites, etc.