ItsGeekToMe.co
The official home of It's Geek to Me on the web!
Issue #921: March 16-22, 2025
Q: I’m considering a password manager but I have a concern. I have several on-line accounts in the Defense Department’s system. The DoD’s password requirements are particularly onerous. The passwords have to be at least 15 characters; use upper case, lower case, special characters and numbers; can’t reuse any password from the previous 18 months; must change at least eight characters from the preceding password; can’t have more than two duplicate adjoining characters (e.g. “aaa” is bad); can’t use my name, social security number, telephone number or Zip Code; and — here’s the kicker — must be changed every 60 days! How do password managers deal with frequent mandatory changes? Do password managers generate passwords? Can I input password criteria into the application? Do they have a maximum number of passwords which can be stored? Thanks.
– Ed R.
Fort Walton Beach, Florida
A: Oh, what a great question, Ed! (It’s also among the last ones in my queue, so after this I’m going to be writing off the cuff until I get some column fodder rolling in the door!) Other than answering your direct questions, the only thing you left me to talk about is to explain to the uninformed exactly what password managers are, and what they can do. Let’s get started.
A password manager is a special type of software application that’s designed to securely store, generate and even automatically fill in passwords and other credentials in applications and web sites. They are available for smartphones, computers, tablets, and pretty much any other device on which one might need a password to protect personal data.
One of the unique aspects of a password manager is that once you have one fully set up and working, you, the human user, don’t even need to know the passwords that protect your accounts and data. The password manager creates them, stores them, enters them when needed, and can update them on a regular basis. The only password you need to know is the one to get into the password manager itself.
Now, to answer some of your questions, Ed. Those DoD security requirements might sound pretty harsh, but it has been proven that when people are allowed to choose their own passwords without rule restrictions, they will choose pretty dumb and guessable passwords. QWERTY, 12345, and even PASSWORD are all common examples, selected by more people than you would probably expect. Beyond that, there are password cracking tools that can go through all the words in the dictionary in a few seconds and try each one, along with iterations that replace a with @ and E with 3, and all those tricks that we think are so clever. People who are experts at breaking user accounts are also up on all the techniques that we use having to do with names of kids, pets, anniversaries, birthdays, etc.
A quality password manager can be configured to create passwords of lengths far beyond your 15-character minimum, Ed. One online generator I’ve seen allows you to create passwords up to 50 characters. Typically, you can include any combination of uppercase, lowercase, numbers and special characters. You can even tell it to make all the characters unique. The passwords generated by the password manager will be an angry-looking mish-mash of characters guaranteed to meet the criteria that you specified. It doesn’t matter that it’s not a pattern that’s familiar to you, since you don’t need to remember it, or type it in, with the possible exception of setting it into a system for the first time. And it will generate a unique password for every application and site you program it for – no more using the same password everywhere because you can’t remember all the passwords for multiple sites. If there is a limit to the number of passwords, that will be clearly stated up front. I doubt any limits will be so small as to have a practical effect on even the most prolific users.
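To show what “input password criteria into the application” looks like under the hood, here is an added example (not code from the column or from any particular password manager) that generates passwords from a cryptographic random source and checks them against the DoD rules quoted in Ed’s question. The `forbidden` list, the `previous` comparison and the 20-character default are constructed assumptions; the “eight characters changed” rule is interpreted here as position-by-position differences, which is one reasonable reading, not an official definition.

```python
import secrets
import string

# Policy values taken from the rules quoted in the question above.
MIN_LENGTH = 15
MIN_CHANGED = 8  # characters that must differ from the preceding password
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",  # assumed set of allowed specials
}
ALPHABET = "".join(CLASSES.values())


def violates_policy(pw, forbidden=(), previous=None):
    """Return the names of every rule the candidate breaks (empty list = compliant)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too_short")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in pw):
            problems.append("missing_" + name)
    # No more than two identical adjoining characters ("aaa" is bad).
    if any(pw[i] == pw[i + 1] == pw[i + 2] for i in range(len(pw) - 2)):
        problems.append("triple_repeat")
    # Personal data (name, phone, ZIP, ...) must not appear, case-insensitively.
    low = pw.lower()
    if any(f and f.lower() in low for f in forbidden):
        problems.append("contains_personal_data")
    # Assumption: "changed characters" counted position by position, plus any length difference.
    if previous is not None:
        changed = sum(a != b for a, b in zip(pw, previous)) + abs(len(pw) - len(previous))
        if changed < MIN_CHANGED:
            problems.append("too_similar_to_previous")
    return problems


def generate(length=20, forbidden=(), previous=None, unique_chars=False):
    """Draw candidates from the OS CSPRNG until one satisfies every rule."""
    if unique_chars and length > len(ALPHABET):
        raise ValueError("cannot make %d unique characters from %d" % (length, len(ALPHABET)))
    rng = secrets.SystemRandom()
    for _ in range(10_000):  # rejection sampling; a few tries normally suffice
        if unique_chars:
            pw = "".join(rng.sample(ALPHABET, length))  # every character distinct
        else:
            pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not violates_policy(pw, forbidden, previous):
            return pw
    raise RuntimeError("could not produce a policy-compliant password")
```

Because `generate` only ever returns a string that `violates_policy` accepts, the same validator can be run against a password a user typed by hand to explain exactly which rule it failed.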
One concern I have for you personally, Ed, is whether a third-party password manager is compatible with your DoD systems. Accessing them via personally-owned hardware would not be an issue, but you could run into a problem if the hardware is government-owned. Your organization’s IT department might not allow the software to be installed on government hardware, no matter how superior it is to allowing users to enter their own passwords.
To view additional content, comment on articles, or submit a question of your own, visit my website at ItsGeekToMe.co (not .com!)
One Response to “Issue #921: March 16-22, 2025”
This column almost makes me want to spend real money on a password manager. But it does touch on a problem I have with a medical site. Until a few weeks ago, the site would populate my password for a doctor’s office from the Edge password list. Then it stopped — aggravating to have to go find, copy and paste the password. I contacted the medical site. Agent said she couldn’t discuss the issue because of HIPAA rules. Since I am not the site’s client, I contacted my doctor’s office, which pays for that service. We have a fine relationship, but so far no luck seeing a change. My question: Would a password manager be able to override the medical site’s obstinacy and populate the password entry? Added note: we have two doctor offices that use the same medical site, same issue and double the aggravation, but the second is less cooperative.