1

It seems to be generally accepted that the same password should not be used for different sites or devices. How different should passwords be? For example, +_^gum<JW1 and +_^gum<JW2 are very similar. Does it matter what the passwords are used for? For example, having two e-mail accounts with similar passwords may be poor security, but would having an e-mail account and an encrypted USB device with similar passwords be better? What if two or more passwords follow a pattern or relation? For example, applesorangesbannans and pottatoescarrotsturnips.

I have read that all passwords should be random. This is ideal but not feasible.

  1. It is most difficult to remember, and password managers may not be a viable option (for example, the password to a memory stick you carry with you).
  2. It has been stated that computers should not be used to create random passwords.
  3. On some devices, such as smartphones, it's very hard to type in long, complex passwords.
Celeritas
  • 1
    If you're using password1, you should change it to password2... It's amazing how common the use of password1 is... Seriously, the change must be such that it can't be guessed by people who know you. And changing 2-3 characters is not a password change; in reality, humans have a bad habit of creating patterns, and a little knowledge about them shows their habitual patterns. – Fiasco Labs Dec 16 '15 at 07:39
  • +_^gum<JW1 and +_^gum<JW2 are identical on one of the servers where the password check is historically truncated to 8 chars before hashing. Hence on these historical servers +_^gum<J also works, along with the 4096 variants you can imagine with a standard QWERTY keyboard. – dan Dec 16 '15 at 07:48
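An added example, not from the question or any of the answers, that turns the two concerns raised above into checks a password-change policy can run: a similarity test of the kind that rejects +_^gum<JW2 as a successor to +_^gum<JW1, and a check for the 8-character truncation that dan describes. The thresholds and the truncation limit are assumptions chosen for illustration.

```python
# Added example (not from the original question or answers): defender-side
# "new password too similar to the old one" check, plus a demonstration of the
# legacy 8-character truncation problem. Thresholds below are assumptions.
from difflib import SequenceMatcher

# Assumed: historic crypt(3)-style schemes hash only the first 8 characters.
LEGACY_TRUNCATION = 8


def levenshtein(a: str, b: str) -> int:
    """Edit distance: single-character insertions, deletions or substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def too_similar(old: str, new: str, min_distance: int = 4, max_ratio: float = 0.6) -> bool:
    """Flag a candidate that differs from the previous password by only a few
    edits (old + incremented digit) or that shares most of its content."""
    if levenshtein(old, new) < min_distance:
        return True
    return SequenceMatcher(None, old, new).ratio() > max_ratio


def collides_under_truncation(a: str, b: str, limit: int = LEGACY_TRUNCATION) -> bool:
    """True if a scheme that keeps only the first `limit` characters before
    hashing would treat the two passwords as the same secret."""
    return a[:limit] == b[:limit]


if __name__ == "__main__":
    # Constructed pairs taken from the examples in the question and comments.
    pairs = [
        ("+_^gum<JW1", "+_^gum<JW2"),
        ("+_^gum<J", "+_^gum<JW2"),
        ("applesorangesbannans", "pottatoescarrotsturnips"),
    ]
    for old, new in pairs:
        print(f"{old!r} -> {new!r}: distance={levenshtein(old, new)} "
              f"too_similar={too_similar(old, new)} "
              f"same_after_truncation={collides_under_truncation(old, new)}")
```

Note that the fruit-and-vegetable pair passes both character-level checks: a pattern shared across passwords is invisible to edit-distance metrics and only shows up to someone who knows the scheme, which is the point Fiasco Labs makes about habitual patterns.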

4 Answers

9

I have read that all passwords should be random. This is ideal but not feasible.

Why not?

1) It is most difficult to remember and password managers may not be a viable option (for example password to memory stick you carry with you).

Why isn't it feasible? I do it all the time.

2) It has been stated that computers should not be used to create random passwords.

Where is this stated? This is blatantly false.

3) Some devices it's very hard to type long complex passwords in, such as smartphones.

Smartphones have password manager apps as well. They allow you to copy and paste passwords stored in them.

  • 1
    @Celeritas Password managers..... –  Apr 22 '14 at 08:58
  • But then you have to have the password manager and database with you. Sometimes this isn't feasible. For example you may not have permission to install the password manager, or you may need to do it too frequently. – Celeritas Apr 22 '14 at 08:59
  • 1
  • http://security.stackexchange.com/questions/17940/is-it-safe-to-generate-passwords-online/17944#17944 – Celeritas Apr 22 '14 at 09:00
  • So you're saying maintain a database of passwords on a smart phone? That itself sounds difficult (again because of all the typing of random characters on a small keyboard). Is there an app that lets you type them on a different computer and syncs the database to the smartphone? Sort of like LastPass, but it doesn't have a free Android app. – Celeritas Apr 22 '14 at 09:03
  • 3
  • You should not generate passwords ONLINE. This doesn't mean that you shouldn't generate passwords locally on your computer.... 2. Yes, it's called KeePass and Dropbox. –  Apr 22 '14 at 09:04