Mastodawn

Aleš Časar May 20

It's the annual "change my work password" day. (Yes, I know, don't tell me, tell the IT department.)

For credentials I'm going to type a lot, I still prefer a short password full of strange characters to a long passphrase made of words. It's more effort to memorise, but once that's done, it's faster to enter than a long passphrase – a benefit that lasts the rest of the year.

My current memorisation technique involves a recurring timer. Every N minutes, an alert goes off, and I stop whatever I'm doing, run 'su $USERNAME -c "echo ok"', type my password, and make sure it did echo "ok". I do the password change first thing in the morning, and over the course of the day, increase the period between memory checks, from 5 minutes down to 15 or 30, so that it moves from short-term to long-term memory. If I find I've forgotten it in one of these tests, I'm allowed to look it up, but in every test I must first try it from memory and _then_ find out what I got wrong. And then retype it right.

I like this technique because it's simultaneously practice at remembering the password, and practice at typing it quickly and accurately. Even the "do it right now, interrupting whatever else you were doing" aspect is deliberate: it trains the skill of remembering the password _even while distracted_, which is actually necessary, if e.g. you need to 'sudo' something in a sudden emergency that's taking up most of your brain.

Reinforcing the new password periodically over the course of the first day is generally enough that when I come to log in the next morning I can remember it even after a night's sleep. And then I'm over the hump.

But one problem I still haven't solved is remembering, the next day, *that* I changed my password. It's still common for me to type the old one three times running before I realise what the problem is!

Simon Tatham May 21

Maybe writing a Mastodon post all about changing my password will fix the incident in my memory so that I remember not to type the old one the next morning?

Nope.

stackeffect May 21

@simontatham LOL

@simontatham I feel like the answer there is probably a post-it note 😊

David Cantrell 🏏May 20

@simontatham I did tell my IT department. They sighed, and said they agreed with me, and that our auditors were idiots.

Matt Hardy 3.11 for Workgroups May 21

@DrHyde @simontatham I've put compliance frameworks and the auditors on my risk register. It's a valid form of protest.

Aris Adamantiadis

💲Paid May 20

@simontatham my memory is really bad and forcing me to remember a new password is deemed to fail. That's why most people's password is asdf123 and I don't blame that technology mistake on them.

Simon Tatham May 20

@aris don't tell me, tell the IT department!

Aris Adamantiadis

💲Paid May 20

@simontatham If they read the academic documentation, they know. After reading the NIST recommendations that says forcing password change is useless, they compromized and changed mandatory change from 3 months to 6 months 🤷. Everyone is just reusing the same password and adding numbers because that's the only password memorization scheme that works on the median person who has dozens of passwords to remember.

Gregory Dodwell May 20

@simontatham @mwl Annual? That’s nice.

potion_genderqueer

@simontatham I had a habit of using single words or short phrases in non-English languages (Icelandic, Latin, Klingon (yes!), Dutch, to name a few) with the appropriate non-alpha bits thrown in to satisfy the stupid parser... _and then I'd stuff them in my password manager_, whose master passphrase is under MY control, and accessible from my phone as well as the desktop... as an SRE I'd use sudo often enough to get it in my head by EOD if I changed it in the morning, and, given advanced warning, I made sure to never change it on a Friday... that way the muscle memory has time to sink in before the weekend.

The real problem was coming up with a good one in the first place - easy enough to type, complex enough to satisfy the idiots who wrote the standards... the thing that really gets me is that while _allowing_ numbers and specials is one thing, _requiring_ one of each class really cuts your pattern space... taking you from a choice of 92 different values for each character to 30, 26, and TEN choices respectively for three of'em. (Assuming Little Bobby Tables rules aren't in play, which further reduces your specials count...) (OTOH, if you say, "must contain _at least three_ of upper, lower, number, symbol" that makes it easier for you and harder for the black hats... 😈 )

@simontatham
I just take forced password changes as a "your password must be Spring2026" policy.

If they want me to use a better password, they can change the policy.

(Though where I worked, it was always the Microsoft default of three months).

Scott Neville May 20

@simontatham when you're finished the day before, imagine doing something drastic/noticable/unpleasant to your keyboard for a minute or so.The more convoluted and visceral the better. (You poured coffee all over the keyboard, then lit it on fire so that it smells of charred roast and is blackened to ash. Also somehow still sticky to the touch.) That memory should pop to mind when you arrive in the morning, which you can use to remember the change.

@simontatham My new password problem is that my brain stores it in the tactile memory section after I used it a couple of times and then if I have to type it in on keys instead of touch pad or vice versa I suddenly lose all concept of it.

Simon Tatham May 20

@nachtet yes, I've heard that from a few other people too. Seems fairly common. Happily I don't have that problem myself – the finger shapes are associated fairly strongly with the characters, for me, so even if I temporarily forget what the characters are, I can remember them again _by_ imagining my fingers going through the motions.

Marcos Dione May 20

@simontatham we change the passwords way more often, 3mo I think, and we have 2 (long story). I dump them in a password manager they gave me, whose main password does not change, and do a little dance every time I need to enter them. Nothing I do requires snappiness.

@simontatham
Only once a year? I never had such a long period at any job - it was always 90 days between changes, with the difference in similarity rules.

@simontatham
Wouldn't simply counting it up help then?
You basically can keep your password, as it does not make sense to change it in the first place. It only gets longer one character (0-9). Or even not longer at all if the last char already is a number.