So tell me why is it that some websites have a Fort Knox approach to passwords when it may not be appropriate?
Most of that is answered with a question: Appropriate to whom?
The best way to answer all of this for myself is through examples.
I have a few passwords that I repeat all over the place. The reason why I repeat them is because I don't care if the account gets compromised. Websites that require free registration are typical of this. If you aren't really invested in the information, a password is a nuisance and I generally give them "that password".
"That Password" was one that I used at work, years ago. It became something that quickly formed a "body memory" in that I could sit at a keyboard and just burst it through my fingers. So why not, right?
The problem there is "Familiarity Breeds Contempt". You want a password you know, and that you think others won't guess, but not too simple. That leaves out things like your dog's name, Mom's name, your elementary school, 12345, password, or the ever favorite "qwerty".
Why? When someone tries to crack a password online, any given network for example, they typically won't walk up to "your" computer and type away. They'll be noticed.
Who was that guy in cubicle 9 anyway?
They will use software that will show up if someone is actually watching the store. That network guy who is usually in cubicle 9 is probably down the hall watching the statistics on a remote computer or the phone, and locking down that specific port or address coming in to his network that someone outside is running the software on and will be back in a moment. He's got to stop off and visit the boss, grab coffee, hit the head, and fight a few fires.
The problem is that companies have decided that it is your problem to worry about your own passwords. So they're getting grumpy. You're asked to think of a new password every time you log in because you haven't visited them in more than once a month, and there are rules. Evil, sick, and twisted rules. Something that you won't remember because it requires Mixed Case, Punctuation - but not all punctuation, and a f3w numb3rs.
Yeah, numb3rs. That will show th3m! The name Eric becomes 3R1q just because it is k3wl and L337.
Except it doesn't. All those remote attacks will be done via software. The software has access to all the same books you read, plus the ones you didn't read, plus the telephone book, plus many other aspects of popular culture. I once came across some of those dictionaries to crack a computer that I was given and they're massive.
I didn't end up using that because on the fourth try, I guessed the password for the happy client.
My biggest complaint, though, is the Recruiting and Human Resources websites. The worst of them assume that you actually care about them. You end up rewriting your resume once you get in, and have to type in War And Peace while you're doing it. Oh, and don't forget to log back in once every two weeks or we will delete your information!
No wonder why I try the "Low Security" password that I memorized and if that doesn't work I click on the "I forgot" link.
Recruiters, you really are not all that significant and are a hurdle to get past, so relax on the security.
So what do you do?
When I was doing Project Management at the University you would be shocked to know how many times I found people's passwords. Forget the Social Engineering tricks of their baby's name plus their dog. I would walk to their workstation and lift up their keyboard. There would be a Post-It note with the passwords written on it.
Believe it or not, that isn't as terrible as it sounds - if you convert that post-it note to a text file on your phone or on the cloud that you really really do know what the password is for. After all, while I would lift your keyboard, I won't be able to get into your phone. That is unless it is unlocked or your password is "1111" or something simple like that.
There is a file I keep on my computer. It's a clear text file. Has the passwords on it. There is a wrinkle though, it is only hints to the password and the hints are pretty obscure unless you are in my family. But it is in a "safe place" that only I know where it is.
Now that you have found the place to store the hint file, what would I suggest you make the password?
Random numbers, letters, and punctuation is probably best, but make it a physical keyboard pattern you will find easy to memorize, and change it for truly important websites like your bank and credit cards and that annoying website you get all your financial advisor's information from.
That last one emails me practically every day and I hate logging into it.
Find the file, open it up and remember what that password was...
Actually, this all makes me wonder where I put that post-it note. Nope, not under my keyboard. I'll have to have a look.