Source: https://gizmodo.com/the-guy-who-invented-those-rules-now-1797643987

Technology is often an exercise of trial and error. If you get something right, like Jeff Bezos or Mark Zuckerberg have done, the rewards are sweet. If you screw up and waste years of unsuspecting internet users' time in the process, like Bill did, you get to apologize years later. We forgive you, Bill. At least some of us do.

Now we need computer systems that eliminate the maximum character count. But I still chuckle about one lame system of a former employer: they had a NIST-standard password enforcer to access your timecard. If you misguessed 3 times, you were locked out and had to do a recovery. The recovery asked three 'personal' questions ... and only matched the answers, of any length:
Question one ... A: "one"
Question two ... A: "two"
Question three ... A: "three"
I never had a problem after that.

The best systems are two-part authentication using an RSA token. A synchronized 6-8 digit number is generated every minute and you add the constant password text to make a one-time-use password. Some are trying to use a cell phone to send the number, BUT they assume the cell phone is working. Of course the real problem is: what are you protecting?

My iPhone 5s has a fingerprint reader that Apple internally encoded. So when my battery was replaced by a 3rd party, the fingerprint reader permanently broke, since Apple policy is to not fix this software problem. I don't care, since eventually the iPhone 5s will age to 'end of life'. Just the Apple policy guts what should be a feature into foolishness ... like the complex passwords.

Bob Wilson
Here is a much shorter version of that super-ugly link: The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time
RSA is nowhere close to the "best," but it is pretty good for consumer-level protection. I would argue that basically 99% of the people that use computers outside of a business environment have no need for any of this. Hackers that are for profit are just that, for profit. Your grandmother is not a very big target compared to the business down the road. And even then, with the most secure password, if fake tech support can call you on your landline and get all your passwords and bank information, why even bother using a strong password? That's just Apple being stupid Apple, which is why none of their products are in any of my properties. Also, fingerprinting is a terrible authentication method. Easily fooled. And even more so, you have no guarantee of privacy if you have fingerprint-locked your device. A CBP can force you to unlock a phone or device via a fingerprint but cannot force you to unlock a device with a passcode.
I use several 26-character passwords, composed of nonsense words that make sense to me with a random number at the beginning and/or end. I use three nonsense words that I switch around, as well as the numbers, so for one account it will be mendelbiscofomoto2, another account will be biscofomotomendel2, and so on. I realize none of those are 26 characters, as well as none of those are actual passwords that I use.... Of course, writing strictly as a non-techie. I did read a piece that said forcing constant changing of passwords was bad, since it encouraged people to write them down in all sorts of places so that they could remember them. Better they have bombproof PWs and use them all the time.
^ wait a sec... I like that four regular words one. Now if I could just get around to implementing it.
What about those password programs that make up random passwords for all your sites, and you just need to remember the password for the program; are they worth it?
I use Keepass, mainly to store passwords I already had set up for web sites, but sometimes I let it generate a password. It's quite easy once it's up and running; it has easy right-click shortcuts to copy/paste usernames and passwords, and they disappear from the clipboard automatically, so you don't have to worry about inadvertently pasting the wrong thing to another web site. The one trick is to make the database file accessible from everywhere you might want it (home, work, mobile); cloud account storage can help there.
The other trick is to use a major strong password for the Keepass database itself. Otherwise it's all for naught. Long-time Keepass user here.