Monday, March 03, 2014

correct horse battery staple

I have been bad. I have re-used passwords. Mea culpa. Sure, I have LastPass and generate great, strong, long passwords for most sites, but what about the Apple ID that I have to type in on the phone, or the live.com account that I now have to type in to log into my Windows 8.1 instance? It is just too hard to remember good secure passwords. Or is it...

xkcd password generator

I have pretty much switched over to using passwords/passphrases of this type whenever I am likely to have to type the password in, or tell it to someone else (live.com does not do shared developer accounts, so I have to give the marketing guy my password so he can update the app description... but that is a whole nother rant). I just change over to it, still store it in LastPass and have to look it up maybe a few times, but after a week it is stuck in my brain, and it stays in LastPass should I ever forget it. These longer passphrases are pretty much immune to shoulder snooping too: just too many characters to follow, as long as you are not holding the device perfectly still.

So I was just resetting the password on live.com, as I was sick of trying to type in g2A16S0DDFt4efsv just to log in, and generated something like "look double headed parts". But I am foiled thrice by Microsoft's take on what is a secure password:

"Your password can't be longer than 16 characters."

Geez, really? You can't spare a couple of bytes? Okay then, this is less secure... it's not my personal account so - care factor - m'okay: "look double part":

"The password contains characters that aren't allowed."

Wha? Is it the spaces?... It's the spaces. FFS are you serious? "lookdoubleparts"

"Please choose a password with a mix of lower and upper case letters, numbers and symbols."

Well, okay that is probably a reasonable objection, so what do I end up with now? "l00kDoubleParts"

Wow. So easy to remember (see xkcd).

So your advice, Microsoft, is this: "Make a password with different cases and symbols, wait, wait, not that symbol, good, good, hey no, not so many." Strangely enough, it will accept "password1", which should pretty much be universally banned.
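To put numbers on the rant, here is an added example (mine, not from the original post) that generates an xkcd-style passphrase, compares its entropy with the "complexity" of the mangled 16-character alternative, and contrasts a policy reconstructed from the rejections above with a length-based one. The word list and common-password blocklist are tiny constructed samples; the legacy policy is an approximation of the observed behaviour, not Microsoft's actual rule.

```python
"""Passphrase strength vs. 'complexity' rules (added example, not from the post)."""
import math
import re
import secrets

# Constructed sample word list; a real generator would use ~7776 Diceware words.
WORDLIST = ["look", "double", "headed", "parts", "correct", "horse", "battery", "staple"]
# Constructed sample blocklist; a real one would hold tens of thousands of leaked passwords.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}


def passphrase(words: int = 4, wordlist=WORDLIST) -> str:
    """Pick words uniformly with a CSPRNG, space-separated, like the xkcd generator."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def passphrase_entropy_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a uniformly chosen passphrase: words * log2(list size)."""
    return words * math.log2(wordlist_size)


def brute_force_entropy_bits(password: str) -> float:
    """Upper bound assuming every character is random over the classes used.
    'l00kDoubleParts' scores high here but is really a dictionary phrase with
    predictable substitutions, which cracking rule sets try early."""
    size = 0
    if re.search(r"[a-z]", password): size += 26
    if re.search(r"[A-Z]", password): size += 26
    if re.search(r"[0-9]", password): size += 10
    if re.search(r"[^A-Za-z0-9]", password): size += 33
    return len(password) * math.log2(size) if size else 0.0


def legacy_policy(password: str) -> bool:
    """Approximation of the rejections in the post: max 16 chars, no spaces,
    at least two character classes. Note it still accepts 'password1'."""
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(password) <= 16 and " " not in password and classes >= 2


def sane_policy(password: str) -> bool:
    """Length-based policy: spaces and long passphrases allowed, common
    passwords blocked regardless of how many 'classes' they contain."""
    return len(password) >= 12 and password.lower() not in COMMON_PASSWORDS
```

With a 7776-word list a four-word passphrase gives about 51.7 bits by construction, with no reliance on the user picking "good" substitutions; the legacy policy rejects every passphrase in the post and accepts "password1", while the length-based policy does the reverse.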