About Vaughn Ripley

Vaughn is a happily married daddy, author, and CIO. He is an HIV+ hemophiliac, and is one of the longest surviving HIV+ people in the universe.
--
Follow Vaughn on Twitter: @vripley
Like Vaughn's page on the Facebook: www.facebook.com/VaughnFRipley
Read his personal blog: HIVLongevity.com
Visit his web page: www.VaughnRipley.com

Comments

  1. Hey V, What about those instances where your network password must be changed periodically and, let’s say, you can’t reuse the past 6 passwords? What a PAIN!!! I’ve been looking for an easy way to remember those. If they had SSO in place it would be a lot easier but the internal apps require individual passwords as well.

    • Great question, Mike! I do exactly what Brian mentions two comments below. Using a sequence matched with your normal secure password is a great way to tackle this. Almost all passwords that must be changed don’t allow you to reuse a previous password for several times (up to a maximum of ten). For this reason, I use a single digit 0-9, which covers ten changes.

      I believe that if we were better at password management and also memorizing them (never write them down) that we wouldn’t have to change them… Ever. Unfortunately, it’s a catch-22… If they make us change them frequently, and we don’t use a solid system to memorize them, then we end up writing them down anyway.

      Thanks for the comment!

      -V

  2. Dan McNally says

    What? When it says enter “password” I do . . . I type “password” . . . . isn’t that what everyone does? 🙂

    • HA! You joke, but I knew someone (years ago) who was having trouble logging in. On the phone I told her, “Now type your password,” and she kept failing to get in. So, I walked down to her desk and stepped through the process… Watching, I noticed that when the time came for her password, she was typing, “Y O U R P A S S W O R D”

      That was what I had told her to do…

      LOL

  3. Brian Anderson says

    Very helpful thanks Vaughn. Also, for all my passwords that expire I use a sequential numbering scheme in front. I change all these on the same day with the same number. That way all I have to remember is the password I came up with from above, and the number I am on. Since I am touching these accounts to change the pw, this also keeps my accounts open for those that may expire due to inactivity.

    • Excellent idea, Brian! I do something very similar. Passwords are meant to be secure and private, and unfortunately sys admin tricks like making us change them often make them unsecure (insecure just doesn’t have the same IT sound to it… HA!) and public (because people tend to write them down somewhere).

      Thanks for the kind words, and checking in!

      -Vaughn

  4. Tom Bilen says

    While I agree that this method is a great one to come up with a complex password, I do have some disagreement with some of the other recommendations.

    – While this PW is strong and the last part changes, if you have a compromise of any site where the attacker gains your PW, you are really relying on the strength of the remaining portion that is different per site.

    – I believe that using a password manager is a good method. I happen to use LastPass (yes, I know they were breached a while back so I now trust them to be even more careful and what was stolen was not usable if you had a strong PW to begin with for their site). There are a number of other good PW managers out there. You can pick a strong PW to use for the manager using a method like what Vaughn talked about and then change it at some reasonable interval, say every 3-6 months depending on how good it was to begin with. PW managers often have strong PW generation capabilities that don’t associate back to any poem and are randomly (at least as good as computer randomization is, it is usually much better than humans) created based on criteria you select such as upper, lower, special, numbers, etc., and length.

    – If you use a PW manager then you only have to remember the one strong PW and if you change it regularly I think you might even be a little safer, and then all your PWs can be much more random and unique per site.

    – Another issue I have with the OP’s method (sorry Vaughn), is that many sites have different rules for PWs so you can’t always use the same PW and just change the end bit. This compounds the difficulty in remembering your PW without using some kind of password manager.

    – Lastly, the sites will often have different times that they require the PW change to happen. This will cause further drift of similarity b/w what you use for each site and again point to the need to use a PW manager that can just create strong PWs for you and you truly only have to remember one (well, ok maybe two (your login to your device that you run the PW manager on which is sometimes a corporate laptop or something that has its own PW rules and the PW manager won’t be running at login time)). To get around that is easy though. You can run the PW manager typically on mobile phones or access them in the cloud (in the example of Lastpass) from any computer. There are ways to join 2 factor authentication to the main account and really get as secure as you want.

    – Tom

    • Awesome response, Tom! Thank you for putting so much useful info in there. I agree for the most part. My way is flawed in a few small areas, but has worked nicely for me for years. I guess I’m still paranoid about PW managers and will probably remain so until I can be shown the light. Thanks for chiming in!

      -V
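As an added example, not code from this page, from Tom, or from any password manager product, the following Python illustrates the two technical points in Tom's comment above: a generator that draws passwords from a cryptographically secure source (Python's `secrets` module) while honouring class criteria such as upper, lower, digits and special characters, and a simple entropy estimate of what an attacker still has to guess once one site's breach has revealed the shared base of a base-plus-suffix scheme. The special-character set and the 3-letter suffix in the comparison are assumptions made for this example.

```python
import math
import secrets
import string

# Character classes a password manager typically lets you pick from.
# The special-character set is an assumption for this example.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}
ALL_CLASSES = ("upper", "lower", "digits", "special")


def alphabet_for(classes=ALL_CLASSES):
    """Alphabet formed by the union of the selected classes (they are disjoint)."""
    return "".join(CLASSES[c] for c in classes)


def meets_criteria(password, classes=ALL_CLASSES):
    """True if the password contains at least one character from every selected class."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def generate_password(length=20, classes=ALL_CLASSES):
    """Draw a candidate from a CSPRNG and reject it if it misses a required class.
    Rejection sampling keeps the result uniform over the passwords that satisfy
    the criteria, instead of biasing it by 'fixing up' individual positions."""
    if length < len(classes):
        raise ValueError("length too short to include every selected class")
    alphabet = alphabet_for(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_criteria(candidate, classes):
            return candidate


def entropy_bits(unknown_chars, alphabet_size):
    """Upper bound on the guessing work, in bits, for `unknown_chars` characters
    drawn uniformly from an alphabet of `alphabet_size` symbols."""
    return unknown_chars * math.log2(alphabet_size)


def base_plus_suffix_remaining_bits(suffix_len, suffix_alphabet_size):
    """Tom's first point: once one site's password leaks, the shared base is known,
    so only the per-site suffix still has to be guessed for every other site."""
    return entropy_bits(suffix_len, suffix_alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, meets_criteria(pw))
    # Constructed comparison: a 3-letter per-site suffix versus a 20-character
    # manager-generated password over the full 85-symbol alphabet.
    print(f"suffix only, base known: {base_plus_suffix_remaining_bits(3, 26):.1f} bits")
    print(f"manager-generated:       {entropy_bits(20, len(alphabet_for())):.1f} bits")
```

The suffix figure is an upper bound: a suffix derived from the site name or a poem is far from uniformly random, so the real guessing work is lower still, which is exactly why a per-site random password from a manager holds up after one site is breached while the shared-base scheme does not.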