A Password Corner Case

01.10.2012 : By George Flanagin


My bank has one of those idiotic rules forcing us to change our password for online banking every 90 days. It is my opinion that their rule increases vulnerability rather than resistance to attack, but it is a situation about which I can do nothing, and I otherwise like the bank.

I use my program named ‘craic’ to generate random-but-somewhat-memorable passwords, and I keep a numbered list of 100 of them. The system works well, and all that I have to remember is that #15 is the current bank password. When one expires, I just switch to the idea that #20 is the new bank password, and if the list were to be compromised, there is nothing that indicates which passwords are valid, nor with what they are associated.

The bank’s system also enforces a rule that the password must contain a capital letter, a lower case letter, a symbol, and a digit, so they are not exactly “random,” and there is a minimum and a maximum length.

Today was change day. The next password on the list this morning was:

^10SAIKCCRoy99$

It broke the system. Not only does it indicate poor coding, but the nature of the above string gives a clue about how the candidate password is scanned with a regex, and what other vulnerabilities there might be.
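The string above starts with `^` and ends with `$`, which are anchors in every common regex dialect. One way a regex-based validator can choke on it is by using the user-supplied string as the pattern rather than as the text being tested. The following is an added illustration, not the bank's code or the author's craic program: a hypothetical naive confirmation check that interpolates the password into a pattern, beside a version that treats the password strictly as data, plus a policy checker that applies fixed patterns to the password. The length bounds 8..32 are assumed; the post does not give them.

```python
import re
import hmac

# The password from the post, used here as the sample input.
SAMPLE = "^10SAIKCCRoy99$"

# Hypothetical naive implementation (an assumption about what could break,
# not the bank's actual code): the user-supplied string becomes the regex
# PATTERN. '^' and '$' are read as anchors, so the pattern only matches the
# literal "10SAIKCCRoy99" and never the string that actually contains the
# caret and the dollar sign. Identical strings are reported as different.
def naive_confirm_matches(password: str, confirmation: str) -> bool:
    return re.fullmatch(password, confirmation) is not None

# Hardened: the password is data, never a pattern. Use a timing-safe
# equality check so the comparison cannot leak through response time.
def safe_confirm_matches(password: str, confirmation: str) -> bool:
    return hmac.compare_digest(password.encode("utf-8"),
                               confirmation.encode("utf-8"))

# Policy from the post: a capital, a lower-case letter, a symbol, a digit,
# and a minimum/maximum length (8 and 32 are assumed values).
MIN_LEN, MAX_LEN = 8, 32
POLICY = (
    re.compile(r"[A-Z]"),          # at least one capital letter
    re.compile(r"[a-z]"),          # at least one lower-case letter
    re.compile(r"[0-9]"),          # at least one digit
    re.compile(r"[^A-Za-z0-9]"),   # at least one symbol (non-alphanumeric)
)

def meets_policy(password: str) -> bool:
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return False
    # Fixed, compiled patterns are applied TO the password; the password
    # itself never becomes part of a pattern, so metacharacters in it are
    # ordinary characters here.
    return all(p.search(password) for p in POLICY)

# If a pattern built from user input is genuinely needed (for example,
# rejecting a new password that contains the old one), escape the input so
# every metacharacter is matched literally.
def contains_old_password(new_password: str, old_password: str) -> bool:
    return re.search(re.escape(old_password), new_password,
                     re.IGNORECASE) is not None

if __name__ == "__main__":
    print(naive_confirm_matches(SAMPLE, SAMPLE))    # False: anchors swallowed '^' and '$'
    print(safe_confirm_matches(SAMPLE, SAMPLE))     # True
    print(meets_policy(SAMPLE))                     # True
    print(contains_old_password(SAMPLE, "^10SAI"))  # True, because of re.escape
```

The naive check fails for this password even though both strings are identical, which is exactly the kind of silent misbehaviour a leading caret or trailing dollar sign produces; other metacharacters such as `[` or `(` would instead raise a parse error inside the validator. Either symptom is a sign that user input has reached a regex engine as a pattern, and the fix is the same: compare as data, or escape before building a pattern.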
