I log in quite seldom to allegro.cc and it's not one of the websites for which I do remember my password for any long time.

Unlike almost every forum I've seen, on the first log in page there's no "forgot my password" link.

Maybe there's a good reason for this. I wouldn't know.

Anyway, I suggest adding just that, so that me (and others) can more easily retrieve the password whenever it disappears. Feels like a basic function that should just be there.

I've learnt to work around it on allegro.cc, by clicking "create new account" I can get to another page which has a link such as "Do not create multiple accounts, click here if you forgot your pw", other times by using google I've been able to "allegro.cc forgot password", and such, but like I said, it's not obvious and it's not like 90% of web pages and forums I've ever seen in my life, for no apparent reason. The first few times I really got stuck and took a good while to find the link for retrieving the pw. It was there, it was just hard to find.

I don't have a problem with this anymore. Still I find it's worth suggesting. People will have the same problem as I did.

https://www.allegro.cc/account/join - there is an email to support. Matthew will get back to you within 3 months

However, invest in a password manager, like PasswordSafe. If you use firefox then get sxipper as well for double back up and password remembering.

That way, you'll never forget.

I'm too paranoid to keep my passwords saved anywhere but in my memory.

I keep my passwords on a piece of paper near the computer, and the characters still have to be remapped on the keyboard (one row up modulo) so if the paper says
"JumboPeanutGoobers396" then you have to type in "U7jg9)3qy75T99g34wc.n" for the actual password.

I'd rather trust 256 bit twofish encryption that a keyboard shift or my brain

That sounds like it requires a computer to use. If you forget your logon password to your computer, you're screwed! So you need at least one password stored some other way.

My passwords are usually absurdly long (as long as the password field will accept) number sequences that are easy to remember or recreate, which are then obfuscated somehow.

For instance, 147221134175226134020105168421 (hailstone sequence starting at 14) gets shift held down and becomes !$&@@!!#$!&%@@^!#$)@)!)%!^*$@!.

Is the service important? Then I use a long, random password. Will I ever need to access the service while away from my desktop and laptop? If not, I use a long, random password.

Otherwise, my password is one of 3 separate ones that I've used for the past decade.

I can't access my email when I am away from my computer, but since my email account would give someone access to my bank accounts, social networking, and literally everything else, I'm willing to live without it.

I also keep a copy of portaPuTTY on my phone, so if I have that I can SSH to my server and get my passwords from that.

With this thread in the back of my head, I went into a state between silently quivering in a corner and laughing out loud ,when I encountered this hellish mix of user inconvenience and lack of safety today: (translated)

Your password must adhere to the following:

• It must contain at least 8 characters.

• It may not be longer than 13 characters.What?!

• It must contain at least one digit.

• It must contain at least one lowercase letter.

• It must contain at least one capital letter

• It may not contain diacritics (like à en é), no spaces and no unicode characters(like ,.;'").YOU'RE KILLING ME! IT HURTS

• The password may not contain your first or last name.

• The password may not contain any sequence of three characters from your username.

My suspicion was confirmed, that the password can only contain alphanumerics. And on the last rule should be noted, that the user name is a random sequence of digits... possibly ruling out a lot of digit sequences, for... "security".

Meh. Almost all password hacks are due to keylogging anyway, not brute force. I have 4 different passwords of increasing complexity that I use almost everywhere. I use clipperz to store anything very vital or that deviates from my regular passwords for some reason (like having absurd rules about passwords used).

weapon_S: I raise you my incompetent bank's "improved" password policy from earlier this year. The password must

• Be at least 8 characters long.

• Not be longer than 13 characters.

• Only consist of letters and numbers (this was changed from a previous policy which also allowed punctuation).

• Contain at least one lowercase letter.

• Contain at least one capital letter

• Contain at least two digits.

Yes, really.

A few random thoughts on the matter.

1. I use KeyScramber which means any keyloggers are (hopefully) doomed to failure
2. I can vaguely remember reading a blog by one of the chief google engineers saying password fields (using *) are pointless and should be made normal by default. Which actually makes sense to me.

What? Password Fields prevent over the shoulder password stealing.

Right, because encrypting your keystrokes and then immediately decrypting them certainly prevents them from being logged

I agree here. Was this the article?

My analytical skills suck, but I've always thought that adding rules to your password made it easier to brute force crack...

That depends on how you mean. If people had actually been smart enough to choose strong passwords by themselves, password rules would only make them easier to crack. Unfortunately, unless you stop them, people will choose easily guessable, all lowercase letter passwords (besides classics like "qwerty123" or, for people who think they are clever, "name$YEAROFBIRTH").
Therefore, you pretty much have to implement password policies, or brute forcing becomes a feasible line of attack.

But there are still no excuses whatsoever for the Daily WTF-worthy "two digits" rule my bank implemented.

I hate that. I like putting in random (to other people) non-letter and non-number characters... I always feel as though I have to "dumb down" my passwords due to rules like that.

It occurred to me to check my email (gmail) last night, and I couldn't access gmail, Google account or YouTube account even with the passwords I had plainly written on pieces of paper in front of me.
I went through the pages asking for info on creation dates, commonly accessed email addresses, etc. but it wasn't good enough to suit them, so the accounts are disabled. I remember the subscriptions of importance on YouTube, I never logged onto Google itself (targeted advertising?), and the email was mostly one-shot registration stuff, so it's no loss, but still...
Except my weirdly cherished email reply from DJ Delorie himself from a few years ago

I like the little "password strength" meter some sites give you. It's funny what they consider a strong password. I've typed in an all-lowercase common english word and a single digit and gotten a strong rating.

So, what do you all consider a strong password?

rf34f7jwea16q is pretty good.

MySpace at some point added a policy such that you can't set your password to "password". I guess that was a common problem. Fortunately, I set my MySpace password before that limitation

x98LhEpf;v)Y

That would be a password I would use (assuming the site is not imposing any limits on what character I can and can't use, or require certain types of characters to appear as one class they check for may not appear)