
How a password changed my life - caruana
https://medium.com/@manicho/how-a-password-changed-my-life-7af5d5f28038
======
PeterWhittaker
Awesome. Possibly the best hack I've ever read.

(Sure, I'm a security guy, and part of me agrees with some of the other
comments. Sure, I'm a tech geek, and I've seen and read about some wicked cool
hardhacks, unexpected softhacks, and their ilk, and even some good life hacks.
But this is awesome. An arguably silly security policy sought to control a
small aspect of his work-life and he gamed the spit out of it to take total
control of his life, change things up, get stuff done. Best hack ever.)

------
akerl_
Congrats on remembering your passwords, but this is a terrible way to generate
them. Phrases that are relevant to you or your life are the second thing that
somebody making a wordlist is going to aim for, after "password" and "letmein"
and friends.

~~~
Someone1234
I have a word list in front of me (2000 "short" and 10,000 "long" lists),
"Forgive@h3r" "Quit@smoking4ever" "Save4trip@thailand" and none of his other
passwords are listed on it.

The way those passwords are constructed doesn't make them common enough to
appear on most word lists, and it would be very difficult for someone (who
knows you or not) to guess them.

Now, dates of birth, or other common profile information is commonly misused
in passwords and that is guessable. But that isn't what the article was about
and wasn't in their examples.

I think the article rebuffs your post before you even posted it. So unless you
can explain better how what the author is doing is insecure (and I highly
doubt you can) your criticism seems misplaced.

~~~
dubcanada
Are you a password cracker? Do you have a password cracker database in front
of you?

Forgive is a word. @ is a commonly used symbol. h3r is "her" with a vowel
replaced with a number (very, very common).

Quit is a word. Smoking is a word. Ever is a word. "For" replaced with a number
(also very common). @ is a common symbol.

Tbh the best password he could have written would probably have been a
sentence like

I really should forgive my ex wife who I broke up with on May 23rd @ 8pm!

[https://xkcd.com/936/](https://xkcd.com/936/)
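
Added example, not from the thread or from any commenter: a small Python checker in the spirit of the decomposition above (and of the wordlist check two posts up) that undoes leet substitutions and digit homophones, segments a candidate password against a wordlist and gives a rough guess-space estimate, so a password policy can flag "word@l33tword" constructions at set time instead of relying on users to judge them. The tiny WORDLIST, LIST_SIZE and the per-unit bit costs are assumptions made for the demo.

```python
import math
import re

# Constructed mini wordlist for the demo; real lists (the thread mentions
# 2,000- and 10,000-entry ones) are far larger, so bits scale with LIST_SIZE.
WORDLIST = {"forgive", "her", "quit", "smoking", "ever", "save", "trip",
            "thailand", "password", "letmein", "for", "my", "ex", "wife"}
LIST_SIZE = 10_000  # assumed size of the real list the estimate is scaled to

# Leet substitutions ("h3r" -> "her") and digit homophones ("4ever" -> "for ever").
LEET = {"3": "e", "4": "a", "0": "o", "1": "i", "5": "s", "7": "t"}
HOMOPHONE = {"4": "for", "2": "to"}

def normalize(piece):
    """Lower-case and undo leet substitutions so 'h3r' compares as 'her'."""
    return "".join(LEET.get(c, c) for c in piece.lower())

def segment(chunk):
    """Split an alphanumeric chunk into wordlist words, longest match first with
    backtracking. Returns the words, or None if some part is not in the list."""
    if chunk == "":
        return []
    for i in range(len(chunk), 0, -1):
        piece = chunk[:i]
        word = HOMOPHONE.get(piece, normalize(piece))
        if word in WORDLIST:
            rest = segment(chunk[i:])
            if rest is not None:
                return [word] + rest
    return None

def explain(password):
    """Return (dictionary words found, unexplained chunks, separator symbol count)."""
    chunks = [c for c in re.split(r"[^A-Za-z0-9]+", password) if c]
    symbols = len(re.findall(r"[^A-Za-z0-9]", password))
    words, leftovers = [], []
    for chunk in chunks:
        found = segment(chunk)
        if found is None:
            leftovers.append(chunk)
        else:
            words.extend(found)
    return words, leftovers, symbols

def estimate_bits(password):
    """Rough guess-space estimate: log2(LIST_SIZE) per dictionary word, ~5 bits per
    separator symbol, ~6 bits per character the list cannot explain. Leet and case
    variants add only a bit or two each and are ignored (a deliberate simplification)."""
    words, leftovers, symbols = explain(password)
    return (len(words) * math.log2(LIST_SIZE) + symbols * 5
            + sum(6 * len(c) for c in leftovers))
```

Running `explain("Quit@smoking4ever")` yields the words quit, smoking, for, ever with one separator, i.e. four list lookups rather than a 17-character brute-force search.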

~~~
saileshr
Recent research seems to show that the xkcd suggestion is not as safe as one
would think; see
([https://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_w...](https://www.ted.com/talks/lorrie_faith_cranor_what_s_wrong_with_your_pa_w0rd))

~~~
dubcanada
Alright, then try words written in Latin & random characters from different
types of alphabets.

ѣд学한☏

Seems pretty secure, but it's not over 8 characters...

If UTF-8 was better supported, you could do something like

phone, snowman, snowman, pile of poo, phone.

That's fairly easy to remember and next to impossible to guess.

~~~
itsybitsycoder
Great, now how do I use that password to log onto a mobile site from my phone?
None of those characters are on my phone keyboard. Am I supposed to save them
in a text file? That doesn't seem very secure.

------
TimWolla
God, I hate those "change your password at least every X days" policies. A
good password does not become weak after some time.

~~~
drzaiusapelord
Sure it does. A lot of people re-use passwords with different services, so if
one gets compromised, then criminals have that password.

On top of it, people get compromised all the time. It's trivial for a virus to
nab your saved browser passwords. Or someone sends you a phishing link and you
happily type in your credentials. It looked official, right?

All of this is invisible to the end user, typically. From the IT side of
things these credentials are used for all sorts of things like authenticating
with smtp to use our mail server to send spam, log into ftp sites to host
malware, etc, etc. Then the end user angrily walks up to IT saying, "Everyone
is saying my emails are spam. Why do you guys suck so much??!!"

Forcing password rotation helps with this because there's a chance the
password that got leaked is or will soon be retired. It also helps in
scenarios when employees give their passwords out to other employees and then
one of them gets fired and starts fucking with the system using someone else's
credentials.

In short, a lot of these policies exist because people are stupid. Don't blame
those of us trying to mitigate the damage. That said, you don't need a 30 day
expiration. I find 120-180 days works well enough. You don't need complexity
turned on as much as you need a sane minimum length. I'd rather train people
to use "mydogsnameisAlbert" than "Password1".

~~~
cjensen
If you rotate passwords every month, your users will be annoyed and use
passwords that are either trivial, written down, or a trivial variation from
month to month.

In other words, they will resort to using less-secure passwords. The notion
that rotating passwords improves security is little more than a cargo-cult.

~~~
x1798DE
Keeping a password written down (in your wallet, in your desk, etc) is
probably safer than you'd think, because people generally know how to secure
physical items, but they're much less certain about how to secure digital
information.

I think it's obvious that expiring passwords increases security to some
degree. It's also clear that user reactions will induce people to reduce the
security of those passwords. The password expiry interval you choose
(potentially as long as the duration of the system's existence) depends on
your threat model, really. Security is hard and often application-specific.

------
jordigh
These are called "affirmations" by self-help books:

[https://en.wikipedia.org/wiki/Affirmative_prayer#Self-help](https://en.wikipedia.org/wiki/Affirmative_prayer#Self-help)

[http://www.self-help-and-self-development.com/affirmations.h...](http://www.self-help-and-self-development.com/affirmations.html)

------
throwaway12516
This hit very close to home. My (former) best friend and business partner
stole a ton of money from me and our business, and I'm about to declare
personal bankruptcy, right after my kid was born.

My password is some variation of how much of an asshole he is. But it's not
helping. In fact, it's causing me to constantly dwell on it, painfully
reliving our conversations, and thinking what I could've done differently to
prevent it from happening.

Logically I understand that I need to forgive him and let it go, but I'm not
able to do it. I'm going to change my password to an affirmation that I
forgive him. I think it will be a good start.

~~~
olegious
That sucks. I was once in a situation where I held a grudge against a person
for a very long time, to the point where I thought about them and what they
did almost every waking moment. It made it really hard to move on with my
life. What did it for me was forgiving the person in my own mind, truly
forgiving them. It didn't happen overnight but it made all the difference in
the world. Later on I bumped into learntoforgive.com and found that their
methodology was exactly what I intuitively did to forgive in my case. I took
notes on their process; hopefully they'll help you:
[https://docs.google.com/document/d/13w3d4a-e460yQV2y48iUVmBy...](https://docs.google.com/document/d/13w3d4a-e460yQV2y48iUVmByKC0wTkwxr00W-UxkI4U/edit?usp=sharing)

------
anoxic
Cheerful and unexpected from a password article :-)

------
lstamour
Just test your password strength first against
[https://passfault.appspot.com](https://passfault.appspot.com)

It might be more useful to use a long sentence passphrase for Windows/Exchange
purposes.

~~~
Kequc
Is your password secure? Type it into this box to find out.

~~~
Someone1234
Indeed. That site doesn't even pretend to be secure!

There are versions of that site which do everything in Javascript so your
password is never sent to the server. That is also insecure but at least they
pretend that it is not.

This site is designed to post your password up to the server and even works on
HTTP (as opposed to enforcing HTTPS only). So you've just shared your
password, IP address, and browser information with a completely anonymous
site!

PS - I think this site is DESIGNED to be Javascript only but the
implementation is bad, so the password is in fact sent to their server (which
generates an "Internal server error" by the way).

~~~
lstamour
To be clear, that's a demo site that's worked for me in the past to preview
the software.

You can download it here:
[https://github.com/c-a-m/passfault](https://github.com/c-a-m/passfault)

And the project itself is affiliated with OWASP.

------
a3_nm
I find this quite weird. OK, my passwords are meaningless sequences of random
characters, so maybe it makes things different; but I don't remember passwords
as strings, I remember them as gestures. For most passwords I would have to
imagine myself typing them to reconstitute their written or spoken form (which
can sometimes be tricky if you have to enter them on an unfamiliar device or
using an unfamiliar layout).

So I'm confused why after a few days you would still remember what the
password means when you type it in.

------
imjk
For those interested in these types of things, Love Yourself Like Your Life
Depends on It is a great quick read that builds on the same principle:
[http://www.amazon.com/Love-Yourself-Like-Your-Depends-ebook/...](http://www.amazon.com/Love-Yourself-Like-Your-Depends-ebook/dp/B0086BX8UE/ref=sr_1_1?ie=UTF8&qid=1405016447&sr=8-1)

------
ricket
I have used this technique to help me memorize company goals and also to
connect codenames with their version numbers. I hated when someone would
mention "Julio" and I'd have to ask "uh that's version 4.2 right?", or vice
versa. "Julio4.2" is a decent start to a password if you add another word or
two to it.

------
Liesmith
These are really weak passwords. I write poems that I made up myself. In
Middle English. I use the letter thorn sometimes.

------
kbar13
So now, I just need to look at any of your social media posts to figure out
your password? Thanks!

~~~
Pwntastic
You just have to figure out his most important personal goal that shows up on
social media around the last week of the month, when AD starts warning him to
change his password.

------
desireco42
This is a beautiful story. I started reading not expecting anything that good.
All the best.

------
drinchev
I'm with a password "Quit smoking" for a second week now and _nothing_ happens
( it's my screen saver password - just sayin' :D ). I enter it for 5-6 times a
day. What's next?

------
joeframbach
I used to work for one of _those_ companies. My monthly passwords were
January2007! February2007! March2007! April2007!

Looking back, I could have improved myself. Kudos for the inspiration!

------
bryon
I really expected this story to be about the pain of having a password stolen
or something. What a great surprise and great story. Thank you

------
cyphunk
^^^ goes and changes word list for jack the ripper

------
chiph
Find a cat? Cats find you.

------
bnejad
Well, congratulations.

------
lsh123
NLP in action :)

------
spain
Very cute story!

