Changes in Password Best Practices

Crypro-Gram ^ | 10/15/2017 | Bruce Schneier

[Bikkuri]

Sweet :D

[Yaelle]

My technique too. I had a strange pass / banking communique in another country. I made up a mnemonic device to remember it. So I reuse the mnemonic device to this day using all sorts of different keys and symbols. Change it every 6-12 months depending on the site. But since I know the key, I can always figure out even the ten year old ones. And they can be made more or less complex depending on if the site needs top security or no big deal.

[cynwoody]

I'd say that they'd be better off with a 2-factor scheme, like something that sends a one-time code to your phone. Unfortunately, given the number of times I end up having to enter a password every day, that would really, really suck.

It's also not totally secure. Hackers can potentially hijack your phone number, so that they receive the one-time code texted to your number.

https://www.theregister.co.uk/2017/05/03/hackers_fire_up_ss7_flaw/

Hardware challenge-response tokens are probably better. Bank sends you a challenge code. You enter the code into the token. The token displays the response. You send that to the bank.

[cynwoody]

I just use admin:admin for everything. For routers and stuff like that, never change the defaults, so that in case you forget them they can always be looked up on the internet.

If a hacker can get into your network, he can get the MAC address of your router. That will tell him the manufacturer. Then he can go get the manual and learn the installation defaults for that brand of router.