When I logged into my email today, as usual I checked my spam folder first, to make sure there wasn’t anything good in it. The only thing in the folder was a notice from WordPress that my “login credentials were recently discovered in a list of compromised accounts published by security researchers,” and therefore my password was reset.
Not sure whether it was genuine, I went to my WordPress account. Sure enough, I couldn’t get in. So I clicked “Forgot password?” (NO! I did NOT “forget” it!), and then opened my password spreadsheet. I used to keep all my passwords in my head, but password rules have gotten so complex in the past few years (some sites even assign you strings of unrememberable random letters and numbers) that I’ve resorted to keeping a password list. Especially when a site forces me to create a password by rules that violate my password rules.
I won’t say what my rules are, because if you’re a brute-force attacker, it would eliminate a big chunk of combinations you’d have to go through. Of course, complex password rules also eliminate a big chunk of combinations that have to be tried. To a computer, saying you have to have an uppercase letter and a lowercase letter and a number and a symbol is like saying, “Guess a number between 1-1,000, but don’t bother with anything between 200-900.”
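As an added illustration (not part of the original post), the following Python counts, by inclusion-exclusion, how many strings of a given length satisfy a “must contain at least one character from each of these classes” rule, and therefore what share of the full keyspace such a rule removes. The character-class sizes are an assumption: printable ASCII split into 26 lowercase letters, 26 uppercase letters, 10 digits and 32 symbols. The code handles any subset of required classes, not just the four-class rule in the text.

```python
"""Quantify how much of a keyspace a password composition rule excludes."""
from itertools import combinations

# Assumed class sizes for printable ASCII (94 characters in total).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


def total_strings(length, classes=CLASSES):
    """Number of strings of `length` over the whole alphabet, no rule applied."""
    return sum(classes.values()) ** length


def compliant_strings(length, required, classes=CLASSES):
    """Number of strings of `length` containing at least one character from
    every class named in `required`.

    Inclusion-exclusion: start from all strings, subtract those missing each
    required class, add back those missing each pair, and so on. Each term is
    (alphabet minus the excluded classes) ** length.
    """
    alphabet = sum(classes.values())
    req = list(required)
    count = 0
    for k in range(len(req) + 1):
        for excluded in combinations(req, k):
            remaining = alphabet - sum(classes[c] for c in excluded)
            count += (-1) ** k * remaining ** length
    return count


def fraction_removed(length, required, classes=CLASSES):
    """Share of the full keyspace that the rule makes unreachable (0.0 to 1.0)."""
    total = total_strings(length, classes)
    return 1 - compliant_strings(length, required, classes) / total


if __name__ == "__main__":
    all_four = ["lower", "upper", "digit", "symbol"]
    for n in (8, 10, 12):
        print(f"length {n}: rule 'one of each class' removes "
              f"{fraction_removed(n, all_four):.1%} of the {94}^{n} keyspace")
```

For 8-character passwords the four-class rule excludes a little over half of the 94^8 possible strings; the excluded share shrinks as the length grows, which is the usual argument for preferring length over composition rules.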
The passwords that I commit to memory are referred to simply by a reminder of which one I’m using for a site. That used to include WordPress. But when I changed to memorized password #2, WordPress rejected it as “too easy to guess.” Memorized password #3 it rejected as “too common.” That left password #4, which is only semi-memorized because there are various ways to write it, and I don’t always remember which way I wrote it for a given site, so I have to write it out in the password log.
Having to write it out in the password log means I can’t get to it when I’m not logging in through my own computer. It also means that anybody who gets a hold of my computer can get into all the sites that have complex password rules (including WordPress, now), but still wouldn’t be able to get into the sites that are only logged with reminders of memorized passwords.
For all the 30-odd years I’ve been entering computer passwords, I never considered using significant dates. But with these complex password rules, I may start. 11September2001! may be far more guessable than the passwords WordPress won’t allow me to use, but most complex-rules password systems would be happy to have me using it.
Oh, yeah, and my password was compromised by “an external site or service that you also use being hacked and their user data leaked by the attackers.” (My guess is that means a site that uses WordPress for its comments.) In situations like that (which I believe are the most common way for the bad guys to get your password–more common than all other ways combined), it makes ABSOLUTELY NO DIFFERENCE WHAT YOUR PASSWORD IS!