In response to a comment in the Code Project Lounge about “International Password Change Day”, where a poster had expressed smug satisfaction at having succesfully pushed back on his superiors about the need to change passwords.

In a slight irony, I had to change my password through the “lost password” procedure to login and post this (long time lurker).

The problem with not changing your password, and having the same password (or two) in most places is profound. For example - if you had the same password for WoW and your online banking, I am sure everyone can see how it would be an issue. That is just an obvious example.

The poster used the fact that a simple dictionary password can be cracked in minutes as an excuse to not change it. However, one should have quite complex passwords that would in fact take months if not years to crack.

The problem with this, of course, is that it is inconvenient. I would argue that there are fairly simple ways to create complex, yet memorable passwords. One I prefer is to take simple 3 word phrases (such as Crick Crack Monkey), and using letters from these words, interspaced with numbers and/or special characters, depending on the length and complexity requirements of the system. For example, Cr1Cr2Mo3 is one example, or Cr!1Cr@2Mo as another. All one has to do is remember the basic formula, and the three word phrase. Of course using a formula reduces the word-space the cracker has to search, but it is better than whole or half words or names typically used. Another advantage is that you can use the source of your phrase as your password reminder (for my Crick Crack Monkey example it would be Paul Keanes Douglas - the author of the poem). For a Beatles song such as “Every Little Things”, the clue could be “Six Beatles for Sale” (the album the song came on, and track number).

Now having said all this, I believe that passwords are still inadequate and inconvenient. We need a stronger, two way security system. Google’s new challenge and answer system goes a long way towards this. Their system has a password, and then sends another token to you (via cellphone), which you must key in. Face recognition is also improving (and can be used on some phones).

Things are also moving to single-sign-in, so you can connect to many other sites using either your facebook, twitter or google (or other) accounts. This is either more secure (if you use a strong password and secure system), because you will take the trouble to maintain a good password, or far far less - if you use a crummy password on your primary login.