[153570] in North American Network Operators' Group


Re: Dear Linkedin,

daemon@ATHENA.MIT.EDU (Alec Muffett)
Fri Jun 8 15:59:27 2012

From: Alec Muffett <alec.muffett@gmail.com>
In-Reply-To: <4FD25716.3000801@mtcc.com>
Date: Fri, 8 Jun 2012 20:58:21 +0100
To: Michael Thomas <mike@mtcc.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

> I have accounts at probably 100's of sites. Am I to understand that I am supposed to remember
> each one of them and dutifully update them every month or two?

Yes; of course if most of those accounts are moribund and unused then you don't need to change them so often, but the passwords you use frequently should be changed at regular intervals.

It's pretty commonsensical once the threat is understood.

> So the implication is that I have 100's of passwords all unique and that I must
> change every one of them to be something new and unique every few months.
> And remember each of them. And not write them down.

Yes; of course more than a couple of dozen random passwords or passphrases will be hard to remember, so look into something like 1Password, PasswordSafe or LastPass to help you with that - amongst others.

It goes without saying that your password database should be protected by something really quite long but memorable to you.

> * Create a strong password for your account, one that includes letters, numbers, and other characters.
>
> And that each of those passwords needs to be really hard to guess that I change to every
> few months on 100's of web sites.

Yes.  My 1Password configuration for my work system is for 16 character random passwords, sprinkled with punctuation and mixed case.  My home one is less thoroughly set up but is being migrated to the same.

They are this way because I have both read and understood the performance statistics for some software called "Hashcat" which I have seen burn through every single 1 thru 8 character lowercase alphanumeric password in 32 minutes, on a single Alienware gamer laptop.  Imagine what it can do on AWS.

> I'm sorry, my brain doesn't hold that many passwords. Unless you're a savant, neither does
> yours. So what you're telling me and the rest of the world is impossible.

Stop using your brain, use a computer.

> What's most pathetic about this is that somebody actually believes that we all really
> deserve this finger wagging.

Yes, some people evidently do.

	-a
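The 32-minute figure in the message above is enough to work out the cracking rate it implies and, from that, how much margin a longer random password buys. The following calculator is an added example and is not part of the original NANOG thread or anything Alec Muffett posted. The only number taken from the message is the observed run (every 1 through 8 character lowercase alphanumeric password in 32 minutes); the alphabet sizes, the comparison policies and the 1000x "cloud fleet" multiplier are assumptions chosen to illustrate the arithmetic, and the rate only holds for whatever hash function that run was attacking (a deliberately slow password hash moves it by orders of magnitude).

```python
"""Keyspace and worst-case exhaustive-search time for password policies.

Added example, not code from the original thread. Observed input: 1..8
character lowercase alphanumeric exhausted in 32 minutes on one laptop.
"""
import math
import string

# Alphabet sizes (assumed: standard printable ASCII character classes).
LOWER_ALNUM = len(string.ascii_lowercase + string.digits)                    # 36
MIXED_ALNUM = len(string.ascii_letters + string.digits)                      # 62
PRINTABLE = len(string.ascii_letters + string.digits + string.punctuation)   # 94

# The observed run quoted in the message: lengths 1..8, 32 minutes.
OBSERVED_MAX_LEN = 8
OBSERVED_SECONDS = 32 * 60


def keyspace(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Number of distinct candidates with length in min_len..max_len inclusive."""
    if alphabet_size < 1 or min_len < 1 or max_len < min_len:
        raise ValueError("bad keyspace parameters")
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random fixed-length password, in bits."""
    return length * math.log2(alphabet_size)


def implied_rate(alphabet_size: int, max_len: int, seconds: float) -> float:
    """Candidates per second implied by exhausting lengths 1..max_len in `seconds`.

    This is a rate for the specific hash the observed run targeted; a slow,
    salted password hash (bcrypt, scrypt, Argon2) would give a far lower number.
    """
    return keyspace(alphabet_size, 1, max_len) / seconds


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float,
                       parallelism: int = 1) -> float:
    """Worst-case time to try every fixed-length candidate.

    `rate` is candidates/s for one unit of hardware; `parallelism` is the
    (assumed) number of such units working on disjoint parts of the space.
    """
    return alphabet_size ** length / (rate * parallelism)


def years(seconds: float) -> float:
    """Convert seconds to Julian years."""
    return seconds / (365.25 * 24 * 3600)


def policy_report(rate: float, parallelism: int = 1) -> dict:
    """Map a few assumed password policies to worst-case years at `rate`."""
    policies = {
        "8 lowercase alnum": (LOWER_ALNUM, 8),
        "8 mixed alnum": (MIXED_ALNUM, 8),
        "10 printable": (PRINTABLE, 10),
        "16 printable": (PRINTABLE, 16),   # the 1Password setting in the message
    }
    return {name: years(seconds_to_exhaust(size, n, rate, parallelism))
            for name, (size, n) in policies.items()}


if __name__ == "__main__":
    rate = implied_rate(LOWER_ALNUM, OBSERVED_MAX_LEN, OBSERVED_SECONDS)
    print(f"implied rate: {rate:.3g} candidates/s "
          f"({entropy_bits(LOWER_ALNUM, 8):.1f} bits exhausted in 32 min)")
    # Second row assumes a 1000-node fleet; the multiplier is illustrative only.
    for label, par in (("one laptop", 1), ("assumed 1000x fleet", 1000)):
        print(label)
        for name, yrs in policy_report(rate, par).items():
            print(f"  {name:20s} {entropy_bits(PRINTABLE, 16) if name == '16 printable' else 0:.0f} "
                  f"{yrs:.3g} years")
```

The point the numbers make is the one the message makes in words: the observed rate exhausts 36^8 in well under an hour, while a 16-character password drawn from 94 printable characters (about 105 bits) stays out of reach even with a thousand-fold increase in hardware, so the defence is length and randomness from a password manager, not a cleverer memorable string.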
