  #1  
Old Jun 25, 2013, 12:26 AM
hamster-bamster hamster-bamster is offline
Account Suspended
 
Member Since: Sep 2011
Location: Northern California
Posts: 14,805
I am a subscriber on a yahoo groups list that got spammed, and we were all asked to change all of our passwords. I did change them all, including on this site.

Is there a password hygiene guideline that you would recommend? Say, changing every X months? I would like to put a recurrent calendar event to remind myself of that.

  #2  
Old Jun 25, 2013, 01:02 AM
Anonymous37781
Guest
 
Posts: n/a
Just my opinion but I like to use one good password for each site I use and keep it. My passwords are so long I can't even memorize them. If you are really paranoid your passwords should be 10 to 15 characters. Random upper case, lower case, and special characters.
I think it's best not to use words... any words. If you're set on changing using a set schedule I hope someone has some good advice. I'd be interested in seeing the reasoning behind that approach.
If you're concerned about spam, use disposable email accounts when you register for new sites.
  #3  
Old Jun 25, 2013, 01:13 AM
hamster-bamster hamster-bamster is offline
Account Suspended
 
Member Since: Sep 2011
Location: Northern California
Posts: 14,805
Quote:
Originally Posted by George H.
If you're concerned about spam, use disposable email accounts when you register for new sites.
So spam happened when the email accounts of some of the subscribers of the Yahoo group email list got hacked, and spam was sent out of their email addresses without their knowledge. So that kind of problem.
  #4  
Old Jun 25, 2013, 01:31 AM
Anonymous37781
Guest
 
Posts: n/a
I understand. Just added a little helpful hint on how to decrease spam if you join a lot of new sites or need to use an email addy to register for downloads and such
  #5  
Old Jun 25, 2013, 05:19 AM
DocJohn DocJohn is online now
Founder & Your Host
Community Support Team
Chat Leader
 
Member Since: May 2001
Location: Greater Boston, MA
Posts: 13,800
Use a password that is a combination of letters and numbers. Use a set of letters that spells a made-up word only you would know (because you just made it up!).

Use different passwords for different sites -- especially for any financial institutions. One easy way of doing this is changing the number you use in the password.

Make it at least 8 characters.

For sites that support it, use a symbol and/or a capitalized letter in your password too.

--

If you do the very minimum and at least no word that appears in the dictionary, and no one's name, you probably have a stronger password than most people.
__________________
Don't throw away your shot.
  #6  
Old Jun 25, 2013, 05:28 AM
Phreak Phreak is offline
Veteran Member
 
Member Since: Mar 2012
Posts: 734
The current schools of thought on being able to remember passwords are

A) use a passphrase, i.e. "I go shopping twice a week every week". You'd then take the first letter from each word for your password so it'd become "igstawew" which is really random but memorable.

B) write them down in rl.

Have different passwords for everywhere. Use symbols and numbers.

How frequently should you change them? How critical is it if your account gets breached? How likely is that to happen?

You don't want to be routinely changing too many passwords, you're more likely to stop bothering.
  #7  
Old Jun 25, 2013, 06:08 AM
Anonymous32734
Guest
 
Posts: n/a
Hamster, it is the generally accepted practice to force a user to change their password every 90 days in the financial industry. So that is what I would recommend. Every 90 days.
Thanks for this!
hamster-bamster
  #8  
Old Jun 25, 2013, 08:16 AM
Anonymous37781
Guest
 
Posts: n/a
Passwords don't go stale and hackers don't spend 90 days trying to guess your password. There is a totally different reason why some companies have a password expiration policy and it doesn't apply to individual internet users. The way I understand password expiration policy is that hackers will try to crack a password to create backdoor access for ongoing information theft. Scheduled pw changes theoretically limit that access time. I don't think the policy makes sense there either. People will most likely use a slight variation of their old password, use Post-it notes on their monitor, or forget the new pw and an admin will have to come in and fix it. And 30 to 90 days is a long time.
But... if it makes you feel more secure then have at it
Cool article on passwords.
Thanks for this!
hamster-bamster
  #9  
Old Jun 25, 2013, 12:06 PM
hamster-bamster hamster-bamster is offline
Account Suspended
 
Member Since: Sep 2011
Location: Northern California
Posts: 14,805
Quote:
Originally Posted by George H.
I understand. Just added a little helpful hint on how to decrease spam if you join a lot of new sites or need to use an email addy to register for downloads and such
I do not have complaints in general - Gmail's spam filters work great. That + the option to filter out. No issues with mass mailings. Just the one reported.
  #10  
Old Jun 27, 2013, 12:54 PM
-jimi- -jimi- is offline
Jimi the rat
 
Member Since: Dec 2008
Location: Northern Europe
Posts: 6,315
I'm glad my stalker hadn't found all places I went to when she hacked my login at a support site, I had gotten lazy and used the same weak lowercase six-letter "word" most everywhere even if I started out better. All my email addys have good and secure passwords different from each other. For some reason I didn't feel like a login at a forum was equally important.

I had not been at that site for several days when someone alerts me to "What the heck are you DOING there???" and I go look, and stalker has cracked my PW, and deleted or altered many of my posts. I was like.. woops.... Because I realized at once who it was and that I should have kept a better PW at a site she knew I was using.

Was pretty quick changing my PW as admin at a forum (yup you read that right...), and right after she had posted there but not been in time to get into the admin part. And I moved on to change it for other sites.

What is crucial is not that you rotate your PW, it is that you have a strong password to begin with. My internet ID requires 12 characters of which at least one is a capital letter and one being a numeric. So I go by that rule.

Still must have taken many attempts to crack my 6 letter pass, guess she got some good software for it.
__________________
Thanks for this!
hamster-bamster

My Support Forums

My Support Forums is the online community that was originally begun as the Psych Central Forums in 2001. It now runs as an independent self-help support group community for mental health, personality, and psychological issues and is overseen by a group of dedicated, caring volunteers from around the world.

 
