Old 11th August 2017, 11:52 AM   #41
Ron_Tomkins
Satan's Helper
 
 
Join Date: Oct 2007
Posts: 41,392
Funny thing, I was trying to research more on William Burr (the guy who created the whole password restriction thing, and recently admitted that he regrets it), and I found his actual e-mail address. So I sent him an e mail asking him if I could ask him a couple of questions for an article I'm writing on the subject, but the e-mail bounced back with a message saying the e-mail was not a valid address. So either the e-mail is incorrect, or there's also a secret password to contact the guy who invented password restrictions!
__________________
"I am a collection of water, calcium and organic molecules called Carl Sagan"

Carl Sagan
Old 11th August 2017, 12:41 PM   #42
paulhutch
Master Poster
 
Join Date: Mar 2010
Location: Blackstone River Valley, MA
Posts: 2,011
If it was the email address on his official NIST contact page (https://www.nist.gov/people/william-e-burr) then I'd guess he was getting overwhelmed with mail after the news articles so they shut it down temporarily until things settle down in a month or two. Being part of a big news story is not a normal situation for anyone who works at NIST.

Last edited by paulhutch; 11th August 2017 at 12:42 PM.
Old 11th August 2017, 01:25 PM   #43
badnewsBH
Thinker
 
Join Date: Sep 2007
Posts: 244
Definitely, the longer the password is, the better. I've heard this from a couple of security experts. I try to have at least fifteen characters in mine these days.
Old 11th August 2017, 01:51 PM   #44
Elagabalus
Graduate Poster
 
Join Date: Dec 2013
Posts: 1,839
You can use the local sport team and insert numbers between the letters. Basically you're combining the local sports team with 1,2,3, that'll learn'em.*


*For even more security you can use the shift key for some of the numbers. And apply that same pattern to all of your passwords.
Old 11th August 2017, 01:54 PM   #45
Hellbound
Merchant of Doom
 
Join Date: Sep 2002
Location: Somewhere between the central U.S. and Hades
Posts: 11,507
Originally Posted by Modified View Post
Aren't password crackers aware of that by now. I wouldn't use common sayings, movie quotes, literary quotes, song lyrics, etc., but something more personal.
True, I was just using a common one as an example. You should definitely choose something more specific to you.

Originally Posted by deadrose View Post
The point of having upper and lower case, numbers and symbols is that the pool of possibilities for each character is enlarged massively. Instead of 26 letters, you have 52, plus 0-9, and whatever symbols are allowed. It makes a dictionary attack useless, and a brute force attack much more difficult.

So even if you license plate it, l33t it or just turn it to txtspk, unless it's the current hot catchphrase or song title, it's unlikely to be broken, and yet is easy to remember.
A couple points. One, just making those characters available expands the character space; requiring them for everyone doesn't add anything to that. In fact, if I know passwords require special characters and numbers, I can immediately throw out a standard dictionary attack, because I know your password can't be a dictionary word.

In addition, most dictionary attacks these days include common substitutions, like 3 for E and @ for a and so forth. Relying on "license plating" or txtspk is not safe.

Also, can't recall who mentioned the hashed passwords as being a server problem, not necessarily. Hashed passwords are also what gets sent across a network. Now hopefully, the connection itself is encrypted, but not always. Not to mention passwords (well, hashed versions anyway) are often cached locally on user machines, at least for some small number of users (often the last user, sometimes the last three). To add to that, if I can compromise a single user's system (say, your sales guy with that laptop he connects to public networks while he's travelling), then I can put software in it that will sniff out hashed passwords on the wire when he gets back to the office network.

Just FYI, this particular type of crack (attacking a list of hashed passwords by trying to match hashes) is called a Rainbow attack, IIRC. And it's not just brute-force, often they'll use a dictionary, along with l33t speak and text speak substitutions, as well as lists of common passwords. And it's MUCH faster because everything is local.

But generally, there does have to be a security failure somewhere for an attacker to gain access to hashed passwords, just doesn't have to be the server.
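Hellbound's two points above (substitution rules are already in attackers' dictionaries, and mandating character classes shrinks rather than grows the space) in runnable form. This is an added illustration, not code from any poster; the substitution table and the blocklist are constructed stand-ins, and NIST SP 800-63B recommends checking candidates against lists of commonly used or compromised passwords.

```python
# Added example: a registration-time check that undoes common "leet" substitutions
# before comparing against a blocklist, plus a count showing that *requiring* digits
# and symbols leaves the attacker a smaller space than simply allowing them.

# Substitutions that cracker rule sets routinely undo. Constructed for this example;
# "1" is mapped to "i" here although it is also commonly used for "l".
LEET_MAP = {
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i", "|": "l", "(": "c", "+": "t",
}

# Constructed stand-in for a real list of commonly used / breached passwords.
COMMON_WORDS = {"password", "letmein", "welcome", "yankees", "qwerty", "football", "dragon"}


def normalize(password: str) -> str:
    """Lower-case the password and undo the substitutions in LEET_MAP."""
    return "".join(LEET_MAP.get(ch, ch) for ch in password.lower())


def blocklisted_word(password: str, min_len: int = 4):
    """Return the blocklisted word the normalized password contains, or None.

    Substring matching catches 'Passw0rd123' and 'YankeesFan' as well as exact hits;
    min_len avoids flagging every password that happens to contain a short word.
    Multi-word phrases ("thebrowndogbarked") would need dictionary segmentation,
    which this check does not attempt.
    """
    norm = normalize(password)
    for word in sorted(COMMON_WORDS, key=len, reverse=True):
        if len(word) >= min_len and word in norm:
            return word
    return None


def check_password(password: str, min_length: int = 15) -> list:
    """Return the reasons a password should be rejected (empty list = acceptable).
    The length threshold is a parameter; badnewsBH's fifteen is the default here."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    word = blocklisted_word(password)
    if word is not None:
        reasons.append(f"contains blocklisted word '{word}' after undoing substitutions")
    return reasons


def keyspace(length: int = 8, alphabet: int = 95, digits: int = 10, specials: int = 33):
    """Count all strings of `length` printable-ASCII characters, and the subset that
    contains at least one digit and one special character (inclusion-exclusion).
    The subset is what a 'must contain a digit and a symbol' rule leaves to search."""
    total = alphabet ** length
    no_digit = (alphabet - digits) ** length
    no_special = (alphabet - specials) ** length
    neither = (alphabet - digits - specials) ** length
    required = total - no_digit - no_special + neither
    return total, required


if __name__ == "__main__":
    # Candidates taken from examples quoted in the thread.
    for pw in ["Passw0rd", "P@55w0rd!", "YankeesFan2017", "Th3browndogb@rk3d"]:
        print(f"{pw!r:24} -> {check_password(pw) or 'ok'}")
    total, required = keyspace()
    print(f"8-char space: {total:,} total, {required:,} once a digit and a symbol are "
          f"required ({100 * required / total:.1f}% of the unrestricted space)")
```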
Old 11th August 2017, 03:05 PM   #46
blutoski
Penultimate Amazing
 
 
Join Date: Jan 2006
Posts: 10,744
Originally Posted by Modified View Post
Aren't password crackers aware of that by now. I wouldn't use common sayings, movie quotes, literary quotes, song lyrics, etc., but something more personal.
You wouldn't but tragically too many others still would. My 80 year old parents use one password for everything whenever possible, and all their passwords are written down on a piece of paper taped to their 2nd monitor (which they have not been able to figure out how to use, so it's a $500 cork board).

I'm not doing much UX these days, but I still try to keep up with the literature. Recently, we had to absorb the results from an OECD Skills Research paper [Skills for a Digital World]. 40% of the participants surveyed could not perform the following task: "Delete email message."

They are also not going to be able to break the bad habit of reusing easy passwords. I think the number one password across the Internet is still "password," with the 2nd runner up being "Passw0rd"
__________________
"Sometimes it's better to light a flamethrower than curse the darkness." - Terry Pratchett
Old 12th August 2017, 02:00 AM   #47
cullennz
Embarrasingly illiterate
 
 
Join Date: Sep 2006
Posts: 12,535
I go for the simple

I have a password which is basic and just has a slight variant depending on the app (that has no access to anything sensitive), for most things, as I don't keep anything worth knowing on most things.

And just save the trendy complicated ones for stuff I actually care about.

It is amazing how few you really need

I do the same with emails

One important one I only use for important things and then dummy ones, that I don't mind being filled with crap and can just ditch if it gets annoying
__________________
I generally oppose gun control, but I support the ban on assault weapons and I support a slightly longer waiting period to purchase a gun. With today’s Internet technology we should be able to tell within 72-hours if a potential gun owner has a record.

Source: The America We Deserve, by Donald Trump, p.102 , Jul 2, 2000
Old 13th August 2017, 08:26 AM   #48
PhantomWolf
Penultimate Amazing
 
 
Join Date: Mar 2007
Posts: 16,319
The ones I used to tell my students to use were things like taking the 2nd line of the first verse of your favourite song and using the first two letters of each word, or making a sentence up, and then doing substitutions. So things like...

Using Flash Gordon Theme by Queen...

"Flash, a-ah, he'll save everyone of us"

Becomes.... Flaahesaevofus
Which becomes... Fla@hesaev0fu5

Or you could have something like...

"The brown dog barked"

which would become.... Th3browndogb@rk3d

Both systems create hard to crack easy to remember passwords.
__________________

It must be fun to lead a life completely unburdened by reality. -- JayUtah
I am not able to rightly apprehend the kind of confusion of ideas that could provoke such a question. -- Charles Babbage (1791-1871)
My Apollo Page.
Old 13th August 2017, 08:37 AM   #49
fuelair
Cythraul Enfys
 
 
Join Date: May 2006
Posts: 55,696
Originally Posted by Hellbound View Post
You'll be happy to see this, then:
https://nakedsecurity.sophos.com/201...-need-to-know/



ETA: NIST's new password recommendations say get rid of all that crazy stuff that makes users either use the same password everywhere or forget them all the time. You don't need artificial complexity to generate a strong password.

ETA2: Try converting a phrase or sentence, with punctuation and case, substituting 2 for to/two/too and 4 for "for". For example, take "I have not yet begun to fight!" and convert it to Ihnyb2f!.
One of mine (at least) does exactly that. Use words (etc.) that are familiar to you but adapted to not be obvious to outsiders.
__________________
There is no problem so great that it cannot be fixed by small explosives carefully placed.

Wash this space!

We fight for the Lady Babylon!!!
Old 13th August 2017, 01:51 PM   #50
fuelair
Cythraul Enfys
 
 
Join Date: May 2006
Posts: 55,696
Originally Posted by fuelair View Post
One of mine (at least) does exactly that. Use words (etc.) that are familiar to you but adapted to not be obvious to outsiders.
For example 8 lends itself to a number of words: lamin8, frustr8, abomin8, intest8, coron8, toler8. And adding s gives you 12, Adding ing gives you 18, adding ed takes you to 24. Easy/peasey!!!!!
__________________
There is no problem so great that it cannot be fixed by small explosives carefully placed.

Wash this space!

We fight for the Lady Babylon!!!
Old 14th August 2017, 08:08 AM   #51
Ron_Tomkins
Satan's Helper
 
 
Join Date: Oct 2007
Posts: 41,392
Well, update: I contacted someone from the NIST staff and asked them if I could have Mr Burr's e-mail address to ask him something, and they gave it to me.

I just e-mailed him a couple of brief questions to add to my article. What started as a casual rant that was gonna be posted in a free blog is going to turn into an actual serious article with an interview with the man himself, which I'm gonna try to get into this online magazine where I once contributed before.

So, something good came out of the bad.
__________________
"I am a collection of water, calcium and organic molecules called Carl Sagan"

Carl Sagan
Old 14th August 2017, 08:54 AM   #52
carlitos
"más divertido"
 
 
Join Date: Jul 2009
Posts: 17,714
I logged into this topic to post the Gizmodo article about Bill Burr, so I'm glad that you saw that.

Personally, I use LastPass, and I'm slowly saying "yes" to the Safari browser prompts to "remember" my password. I don't know any of my own passwords; they are auto-generated and remembered only by my devices. If someone has my thumbprint or my master password, and the authentication questions, they will get all of my passwords.

Writing them in a notebook seems super-sensible. Old-school solution to modern-day problem.
Old 14th August 2017, 08:57 AM   #53
carlitos
"más divertido"
 
 
Join Date: Jul 2009
Posts: 17,714
Originally Posted by Ron_Tomkins View Post
Some of these are plain laughable and feel like the site creator is literally mocking us: "A password must not include any regional sports teams or players" Could this be more random? First of all, why sports teams/ players? Why are those a no-no, but not Martial Arts fighters or movie directors? Is the person who created the site someone who hates sports? Or is there an actual logic behind this stupid requirement?
My anecdotal evidence tells me that sports players and teams are going to be waaaaaaaaay more common than the other subjects that you mentioned. People strongly self-identify with sports teams, and in most places / socio-economic groups, sports are huge and players are the biggest celebrities around. It's probably purely a numbers exercise to keep the "most common" words and names out of the passwords.
Old 14th August 2017, 11:29 AM   #54
Molinaro
Illuminator
 
 
Join Date: Dec 2005
Posts: 4,040
The best password to use is "incorrect".

Because if you forget it and enter something wrong it will tell you, "The password is incorrect."
__________________
100% Cannuck!
Old 14th August 2017, 11:36 AM   #55
Ron_Tomkins
Satan's Helper
 
 
Join Date: Oct 2007
Posts: 41,392
Originally Posted by Molinaro View Post
The best password to use is "incorrect".

Because if you forget it and enter something wrong it will tell you, "The password is incorrect."
__________________
"I am a collection of water, calcium and organic molecules called Carl Sagan"

Carl Sagan
Old 14th August 2017, 01:02 PM   #56
TX50
Graduate Poster
 
Join Date: Oct 2005
Posts: 1,791
Originally Posted by Molinaro View Post
The best password to use is "incorrect".

Because if you forget it and enter something wrong it will tell you, "The password is incorrect."
I always forget what the Elvish word for friend is.
Old 14th August 2017, 01:18 PM   #57
Ron_Tomkins
Satan's Helper
 
 
Join Date: Oct 2007
Posts: 41,392
Originally Posted by TX50 View Post
I always forget what the Elvish word for friend is.
Mellon.
__________________
"I am a collection of water, calcium and organic molecules called Carl Sagan"

Carl Sagan
Old 14th August 2017, 02:38 PM   #58
Segnosaur
Philosopher
 
Join Date: Jan 2002
Posts: 9,605
Originally Posted by Ron_Tomkins View Post
Minimum password length must be 8 characters and consist of at least 2 alpha characters, 1 number and 1 special character.
A password must have no consecutive repeated characters.
A password must not include your user name or any part thereof.
A password must not include the names of a spouse, children, pets or one's own name.
A password must not include any regional sports teams or players.
A password must not include any office symbols.
A password must not include your social security number or any subset of your social security number that is more than a single number.
A password must not include words that can be found in any dictionary, whether English or any language.
A password must not be any of the 11 most recently used passwords for the account.

Some of these are plain laughable and feel like the site creator is literally mocking us: "A password must not include any regional sports teams or players" Could this be more random? First of all, why sports teams/ players? Why are those a no-no, but not Martial Arts fighters or movie directors? Is the person who created the site someone who hates sports? Or is there an actual logic behind this stupid requirement?
As someone pointed out... many people identify themselves with sports teams. I suspect it's probably more common with sports teams than (for example) movie directors. So having a password like 'YankeesFan' might be easy for a cracker to guess.

Quote:
Some are, simply absurd: "A password must not include your social security number or any subset of your social security number that is more than a single number." First of all: If I'm a completely new user who's opening their account for the first time, then that means I haven't even entered such information as my Social Security Number. How in the Blue Hell then do you even know if any of the numbers I'm entering in my new password are found in my Social Security Number??

In that case, I think the problem might be: If your password includes your social security number and someone gets it (maybe you have it written down somewhere...) they now have some identifying information on you.

Quote:
Finally, they completely destroy any possibility for you to create a password that you would remember and that would make sense to you by dictating that "A password must not include words that can be found in any dictionary, whether English or any language." This means, you are left with nothing but strings of random letters, meaning, this will be something you will need to write down in a piece of paper and save it so you can remember it.
Others have already touched on this... The best way is to find patterns. Pick a common word or sentence, and then drop out all the vowels, or take the first letter. For example: Could you guess "DTiai"? Hint: it's all the first letters of the sentence "Donald Trump is an idiot". And if you need a password reminder, you don't need to write down your password, just a note about "What I think of president Trump". Need some numbers to tack on to the end of it? How about TDiai2113581. That's the same "Donald Trump is an idiot", then go to the periodic table of the elements, and pick the first digit of the atomic weight in the last column.

Quote:
The way I see it: it's my account, my responsibility. If I decide to create a password that's just "1234", and that means it has an extreme risk of being deciphered by others, that's MY PROBLEM.
The thing is, it may not be just your problem. Depending on what service you're dealing with, having your password broken can affect other people.

Someone breaks your email password? They can start sending out spam in your name, and YOUR mail provider then has to handle all the angry responses. (Or they can overload your network connection or server with traffic, slowing down access for everyone.) Or sometimes getting access to a system from one password can help you get access to other accounts on the same system. (Sometimes security is multi-layer. Getting past the first layer makes it easier to get past subsequent layers.)
Quote:
Second of all, as I mentioned earlier, by introducing such a large list of demands, you make it so that I have to create a password that I wouldn't remember, because it ends up being something crafted to the site's individual desires. So I have to write it down somewhere, because I just won't remember. Especially considering each site has their unique list of requirements. That means that, at the end of the day, I'm still at the risk of having someone find that list and have access to all of my passwords. So, the rationale that this makes your password more secure, isn't precisely true.
True, that is a big problem. Although from what I understand, the biggest problem is simply stupidity. Want to break into a system? Call people at random, say "I'm with tech support... we're having problems and need your user ID/password". Many will be foolish enough to give it to you.

I remember seeing an interview with a former "Hacker" (it might have been Kevin Mitnick) who said his most valuable piece of hacking equipment was a photocopier.... he could use it to make a fake ID, then hang out near the fire escapes near an office. People go out to smoke and leave the doors open. Just follow them inside (with your fake ID) and you have access to the building. You can then hunt for all of the written-down IDs you want.

This is an old NOVA documentary. Some of the technology in it is outdated, but it's still an interesting look at computer security.
https://www.youtube.com/watch?v=EcKxaq1FTac
__________________
Trust me, I know what I'm doing. - Sledgehammer

I'm Mary Poppin's Y'all! - Yondu

We are Groot - Groot

Last edited by Segnosaur; 14th August 2017 at 02:44 PM.
Old 14th August 2017, 08:03 PM   #59
theprestige
Penultimate Amazing
 
Join Date: Aug 2007
Posts: 23,463
Originally Posted by bytewizard View Post
What's even funnier is that the administrators of the passwords create a backdoor username and password for the programmers to use so they don't have to try and remember a complex one when they have to repeatedly log in. The backdoor username/password is usually something as simple as "Admin5/Admin5". Hypocrites.
Yeah no.

Maybe in small, incompetent shops. Here in the real world, we use tools to inscrutably store such secrets and use them at runtime without the programmers ever having to know or care what the password is.

As for hypocrisy? Think about it: Somebody, somewhere, is always going to have the keys to the kingdom. It's like airline pilots at airport security. If you don't trust them enough to let them bypass security, how do you trust them enough to let them fly the plane?

This signature is intended to irradiate people.
Old 14th August 2017, 08:20 PM   #60
Loss Leader
Would Be Ringing (if a bell)
Moderator
 
 
Join Date: Jul 2006
Location: Florida
Posts: 24,056
M3tS%4%EV4H

fits the parameters while being stupidly easy to remember and, for that matter, guess.
__________________
I have the honor to be
Your Obdt. St

L. Leader
Old 14th August 2017, 09:23 PM   #61
Dr. Keith
Not a doctor.
 
 
Join Date: Jun 2009
Location: Texas
Posts: 14,303
Originally Posted by fuelair View Post
For example 8 lends itself to a number of words: lamin8, frustr8, abomin8, intest8, coron8, toler8.
Be careful. You don't want to use that INXS.
__________________
I once proposed a fun ban.

Suffering is not a punishment not a fruit of sin, it is a gift of God.
He allows us to share in His suffering and to make up for the sins of the world. -Mother Teresa
Old 15th August 2017, 04:44 AM   #62
TX50
Graduate Poster
 
Join Date: Oct 2005
Posts: 1,791
Originally Posted by Ron_Tomkins View Post
Mellon.
Don't call me a melon!

I always use the old take a phrase, take some of the letters (first, last, whatever), add some random special chars (incl spacebar) bung in some numerals and pad it out to a nice length. Steve Gibson recommends this so it's good enough for me too (for now).
Old 15th August 2017, 07:46 AM   #63
Blue Bubble
Sharper than a thorn
 
 
Join Date: May 2005
Location: Duxford, Cambridgeshire, UK
Posts: 4,311
You might also consider this method: https://www.passwordcard.org/
__________________
eiπ+43
Old 15th August 2017, 06:02 PM   #64
fuelair
Cythraul Enfys
 
 
Join Date: May 2006
Posts: 55,696
Originally Posted by Ron_Tomkins View Post
Mellon.
Sooo, if your friend is all wet, he/she would be Water Mellon!!!!
__________________
There is no problem so great that it cannot be fixed by small explosives carefully placed.

Wash this space!

We fight for the Lady Babylon!!!
Old 15th August 2017, 10:47 PM   #65
Dabop
Critical Thinker
 
Join Date: May 2015
Location: Oz
Posts: 433
I have several ways depending on how often I have to type it in.
I often use my encrypted USB stick with text files stored on it with the various totally random passwords (I often open Notepad, bash the keyboard with my eyes closed and then save the result to my USB stick; copy-paste into the password field whenever needed). That way I often don't even know what the password actually is; I've never even seen it.

The other way is to make up a sentence only I would remember, make it long, and then modify it in strange ways (like remove all spaces from a long sentence, then leet it, then reinsert spaces at different points according to a pattern).

Short version would be something like this "I love to play fetch with my #1 dog!" becomes ilovetoplayfetchwithmy#1dog! then il0v3t0playf3tchw1thmy#1d0g! then spaces at certain places by pattern 4,2,3,1,4,2,3,1 becomes il0v 3t 0pl a yf3t ch w1t h my#1 d0 g!

For really secure passwords (such as encrypt keys passwords etc) I might reverse the whole thing, or reverse every second character grouping il0v t3 0pl a yf3t hc w1t h my#1 0d g! and becomes
!g d0 1#ym h t3fy a lp0 3t v0li

Whatever takes your fancy and you can easily remember but makes a tough-to-crack password. You don't have to write it down permanently; just remember your sentence and patterns and you can write it down on the spot easily to recreate it (just remember to swallow it afterwards in best spy traditions LOL).

I used a variation of this at a place that wanted new passwords every month and they couldn't be a repeat of any old one. It became (as an example) month name, boppa name, year, I hate this password****!, then my usual leeting, swapping etc.
I often had the IT guys come around wanting to know where I had written it down (also a big no-no there) and they were much bemused that I had it all in my head lol.
__________________
It's a kind of a strawman thing in that it's exactly a strawman thing. Loss Leader
Old 16th August 2017, 01:41 AM   #66
steenkh
Philosopher
 
 
Join Date: Aug 2002
Location: Denmark
Posts: 5,129
At my work I have about 75 user accounts, and I need to type the password for about ten of them several times a day. Most situations, like Windows login screens, have no access to the clipboard. It is very impractical with passwords longer than about 8 characters. The longer a password is, the greater is the possibility that there is a typing error.

I really hope that some day soon we can do away with passwords altogether. On my phone and tablet there is a workable fingerprint recognition. This can probably be fooled rather easily, but I am sure that currently this needs physical access to the unit, and apart from theft, my units seem quite safe with this system.
__________________
Steen

--
Jack of all trades - master of none!
Old 16th August 2017, 07:29 AM   #67
Ron_Tomkins
Satan's Helper
 
 
Join Date: Oct 2007
Posts: 41,392
Man.... this took a really weird yet interesting turn. What originally was meant to be a short, informal article about my experience with the password guidelines became an actual article that I'm trying to pitch to this online magazine I collaborate with, because as I mentioned earlier, I actually got a hold of William Burr himself and he answered some questions, which was great... however, some of the answers are very technical and I don't know if I can/should include everything he says. For instance, he talks a lot about SP 800-63 Appendix A, which is basically the document that he created listing all the password security requirements. However, sometimes when he talks about these developments, he sounds very technical (duh, being the engineer who designed password security as we know it) and I fear it might sound too complicated for the average reader.

In the end, I'll just try to edit and research myself as much as I can to clarify anything that comes off as too technical. I'm trying to avoid as much as possible bothering him with more e-mails asking him questions.

That said, if there's anyone here who is very tech savvy about this topic and wants to give it a read, PM me and I'll send you a copy of the e-mail William Burr sent me.
__________________
"I am a collection of water, calcium and organic molecules called Carl Sagan"

Carl Sagan
Old 16th August 2017, 07:42 AM   #68
3point14
Pi
 
 
Join Date: Nov 2005
Posts: 13,323
I came here to post XKCD, but that's been done.

This is tangentially related and slightly interesting:

https://howsecureismypassword.net/
__________________
Some seem to think the UK leaving the EU is like Robbie leaving Take That.
In reality it's more like Pete leaving The Beatles.

We are lions, not tigers.
Turns out I don't know a lot about tigers.
Old 16th August 2017, 08:10 AM   #69
TheGnome
Scholar
 
Join Date: Jul 2009
Location: Berne, Switzerland
Posts: 96
Originally Posted by 3point14 View Post
I came here to post XKCD, but that's been done.

This is tangentially related and slightly interesting:

https://howsecureismypassword.net/
Well if I enter my password there, it might be a lot less secure after that
Old 16th August 2017, 02:33 PM   #70
elgarak
Illuminator
 
elgarak's Avatar
 
Join Date: Nov 2003
Posts: 4,280
Originally Posted by steenkh
At my work I have about 75 user accounts, and I need to type the password for about ten of them several times a day. Most situations, like Windows login screens, have no access to the clipboard. It is very impractical with passwords longer than about 8 characters. The longer a password is, the greater is the possibility that there is a typing error.

I really hope that some day soon we can do away with passwords altogether. On my phone and tablet there is a workable fingerprint recognition. This can probably be fooled rather easily, but I am sure that currently this needs physical access to the unit, and apart from theft, my units seem quite safe with this system.
That's the point I want to drive home using sentences. Because it's easier to type full sentences to get long-ish passwords with less typing errors. Long passwords are prone to typing errors because you have to type "!Wt4iTf@*****".
Old 16th August 2017, 09:21 PM   #71
marplots
Penultimate Amazing
 
Join Date: Feb 2006
Posts: 29,167
The consensus here seems to be balancing the security of a password with usability - especially for naive/disinterested users for whom passwords can be painful.

With that in mind, I like the idea of one strong password to be used across all sites instead of multiple passwords. The idea is one key for everything, but a strong key. I think I can make a case for lumping the entire internet under one "seal" and essentially, one password. Just make it a good one.

I get 35 quintillion years given to crack a password that consists of my pet's name with my birthdate and elementary school name. That's the full, 21 character password. If I cut it short at ten characters (or the site limits length) the strength is given as only 8 months.
Old 16th August 2017, 09:47 PM   #72
cullennz
Embarrasingly illiterate
 
cullennz's Avatar
 
Join Date: Sep 2006
Posts: 12,535
Originally Posted by marplots
The consensus here seems to be balancing the security of a password with usability - especially for naive/disinterested users for whom passwords can be painful.

With that in mind, I like the idea of one strong password to be used across all sites instead of multiple passwords. The idea is one key for everything, but a strong key. I think I can make a case for lumping the entire internet under one "seal" and essentially, one password. Just make it a good one.

I get 35 quintillion years given to crack a password that consists of my pet's name with my birthdate and elementary school name. That's the full, 21 character password. If I cut it short at ten characters (or the site limits length) the strength is given as only 8 months.
Or a couple of hours if someone reads that and is mates with you on facebook

Lol

Sent from my SM-J500Y using Tapatalk
__________________
I generally oppose gun control, but I support the ban on assault weapons and I support a slightly longer waiting period to purchase a gun. With today’s Internet technology we should be able to tell within 72-hours if a potential gun owner has a record.

Source: The America We Deserve, by Donald Trump, p.102 , Jul 2, 2000
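Added example (written for this edit, not code from any post in the thread): the two posts above disagree because a "time to crack" meter counts every string over the password's character classes, while an attacker who knows the recipe (pet name + birthdate + school) only has to try the cross product of a few short lists. The code below puts both numbers side by side. The guess rates, the 50/200-entry candidate lists, the 21-character sample password and the list of date spellings are all constructed assumptions, not figures from the thread or from howsecureismypassword.net.

```python
"""Added example (not from the thread): what a crack-time meter assumes versus
what an attacker who knows the password recipe has to try."""
import string

# Guess rates are illustrative assumptions, not benchmarks.
ONLINE_RATE = 10.0      # guesses/second a throttled web login form might allow
OFFLINE_RATE = 1e10     # guesses/second against a leaked fast, unsalted hash on GPUs


def alphabet_size(password: str) -> int:
    """Alphabet a naive meter assumes: the character classes present in the password."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation + " ")
    return sum(len(cls) for cls in classes if any(ch in cls for ch in password))


def brute_force_guesses(password: str) -> int:
    """Every string over that alphabet up to the password's length; the meter's number."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def date_spellings(year: int, month: int, day: int) -> list:
    """Common ways a known birthdate is embedded in a password (assumed list)."""
    y, m, d = f"{year:04d}", f"{month:02d}", f"{day:02d}"
    return [y, y[2:], y + m + d, m + d + y, m + d, m + d + y[2:]]


def targeted_guesses(pet_names, dates, schools) -> int:
    """Attacker who knows the recipe 'pet + date + school' tries the cross product."""
    return len(pet_names) * len(dates) * len(schools)


def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def compare(password: str, pet_names, dates, schools) -> dict:
    """Brute-force vs targeted guess counts and timings for one password."""
    bf = brute_force_guesses(password)
    tg = targeted_guesses(pet_names, dates, schools)
    return {
        "brute_force_guesses": bf,
        "targeted_guesses": tg,
        "brute_force_offline": human(bf / OFFLINE_RATE),
        "targeted_online": human(tg / ONLINE_RATE),
        "targeted_offline": human(tg / OFFLINE_RATE),
    }


if __name__ == "__main__":
    # Constructed sample: a 21-character 'pet + birthdate + school' password.
    password = "buster19830412lincoln"
    pets = [f"pet{i}" for i in range(50)]         # 50 candidate pet names
    schools = [f"school{i}" for i in range(200)]  # 200 candidate school names
    dates = date_spellings(1983, 4, 12)           # birthdate already known
    for key, value in compare(password, pets, dates, schools).items():
        print(f"{key:22} {value}")
```

With the birthdate already known, the targeted search is 50 x 6 x 200 = 60,000 guesses: under two hours even against a login form that allows ten guesses a second, and effectively instant against a leaked hash. The brute-force figure for the same string is astronomically larger, which is the number a meter reports. The lesson is the one cullennz gives: a meter measures length and character classes, not how guessable the ingredients are.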
Old 16th August 2017, 10:01 PM   #73
marplots
Penultimate Amazing
 
Join Date: Feb 2006
Posts: 29,167
Originally Posted by cullennz
Or a couple of hours if someone reads that and is mates with you on facebook

Lol

Sent from my SM-J500Y using Tapatalk
Probably.
Should I rank that as a higher worry than someone getting my car/house keys or wallet? I admit I've left all those items where they can be snatched - more than once.

I think, too often, we mirror what happens to others (extreme cases) and take unwarranted and costly measures to fight the anxiety and worry.
Old 16th August 2017, 10:34 PM   #74
Segnosaur
Philosopher
 
Join Date: Jan 2002
Posts: 9,605
Originally Posted by marplots
With that in mind, I like the idea of one strong password to be used across all sites instead of multiple passwords. The idea is one key for everything, but a strong key.
The problem with that...

You may be dealing with multiple sites, each with different levels of security.

Let's say you use the same (unbreakable) password on your email account as on your online banking accounts. If your email account is hacked (perhaps someone finds a flaw in their security), they will then have access to your banking password too.

Now, that doesn't necessarily mean you need a unique password for EVERYTHING. But, grouping accounts makes some sense. (e.g. non-critical accounts like your password here could be reused with other on-line forums, since it's not a major target for hackers.)
__________________
Trust me, I know what I'm doing. - Sledgehammer

I'm Mary Poppin's Y'all! - Yondu

We are Groot - Groot
Old 16th August 2017, 10:50 PM   #75
marplots
Penultimate Amazing
 
Join Date: Feb 2006
Posts: 29,167
Originally Posted by Segnosaur
The problem with that...

You may be dealing with multiple sites, each with different levels of security.

Let's say you use the same (unbreakable) password on your email account as on your online banking accounts. If your email account is hacked (perhaps someone finds a flaw in their security), they will then have access to your banking password too.

Now, that doesn't necessarily mean you need a unique password for EVERYTHING. But, grouping accounts makes some sense. (e.g. non-critical accounts like your password here could be reused with other on-line forums, since it's not a major target for hackers.)
This is true. However, remember we are trying to strike a compromise between security and ease of use. My premise is that people pick easy, stupid passwords just because they need so many. I think, overall, one solid one is better than a bunch of "guessables."

Further, we are always vulnerable to system errors (by the website) beyond our control. How realistic is it to think, if you get my netflix username and password, you will then be able to access other accounts I have? And, what would you gain?

My thinking is to parallel how I handle physical security in the brick and mortar world. Naturally, people's comfort level will vary. I'd like a single key for my car, bike lock, and house.
Old 16th August 2017, 11:03 PM   #76
Segnosaur
Philosopher
 
Join Date: Jan 2002
Posts: 9,605
Originally Posted by marplots
This is true. However, remember we are trying to strike a compromise between security and ease of use. My premise is that people pick easy, stupid passwords just because they need so many.
I agree that's a problem. I'm just pointing out a possible flaw in your solution.

Quote:
Further, we are always vulnerable to system errors (by the website) beyond our control. How realistic is it to think, if you get my netflix username and password, you will then be able to access other accounts I have? And, what would you gain?
Depends on what accounts you share the passwords with, and if other information is included in the hack.

Pay your netflix with a credit card or on-line banking transaction? If the netflix hack includes your banking account number (since you use it to pay for their service), then they could try using your netflix password on your banking account.

Or do you have an email contact (like gmail) attached to your netflix? They use your netflix password on your gmail account and they can access your email. Then, they can do a quick search in your mailbox for the word 'credit card'.
__________________
Trust me, I know what I'm doing. - Sledgehammer

I'm Mary Poppin's Y'all! - Yondu

We are Groot - Groot
Old 16th August 2017, 11:28 PM   #77
marplots
Penultimate Amazing
 
Join Date: Feb 2006
Posts: 29,167
Originally Posted by Segnosaur
I agree that's a problem. I'm just pointing out a possible flaw in your solution.


Depends on what accounts you share the passwords with, and if other information is included in the hack.

Pay your netflix with a credit card or on-line banking transaction? If the netflix hack includes your banking account number (since you use it to pay for their service), then they could try using your netflix password on your banking account.

Or do you have an email contact (like gmail) attached to your netflix? They use your netflix password on your gmail account and they can access your email. Then, they can do a quick search in your mailbox for the word 'credit card'.
Again I have to agree these make the practice less than optimal.

Curious though. Do the things you describe actually happen regularly? Is it a risk inflated by theory - as in: if they steal my house key they can sneak in and attack me while I sleep - or is what you describe actually going on and how much/often?

I can't rely on my own experience (at least a decade of using online as much as possible for financial, social and entertainment). I might have been lucky so far not to have any trouble whatsoever.

In truth, I use the same base password and add site specific info to each to make it different enough but still easy to remember. So, for example, I might have "Happydog*gmail&791" for gmail and then swap in hotmail or paypal for those sites. I get a slightly different password but still have the base format so I'm not remembering too much new stuff.

That's the compromise I ended up with - not as secure as possible, but works for me.
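Added example (written for this edit, not code from any post in the thread): the "base + site name + suffix" recipe in the post above, next to the substitution an attacker performs on one leaked password from it, and next to a keyed alternative in which each site's password is an HMAC of the site name under a key stretched from a master passphrase. The function names, the 64-symbol output alphabet, the PBKDF2 salt and iteration count, and the sample master passphrase are all assumptions made for this example; the recipe itself is the one the post describes.

```python
"""Added example (not from the thread): a 'base + site name' password recipe
next to a keyed derivation that does not reveal sibling passwords."""
import hashlib
import hmac


# --- The recipe from the post: fixed base, site name swapped in, fixed suffix. ---
def pattern_password(base: str, site: str, suffix: str) -> str:
    return f"{base}*{site}&{suffix}"


def substitute_site(leaked: str, leaked_site: str, other_sites) -> dict:
    """What an attacker does with one leaked password from that recipe: find the
    site name inside it and swap in the names of the other sites."""
    if leaked_site not in leaked:
        return {}
    return {site: leaked.replace(leaked_site, site) for site in other_sites}


# --- Keyed alternative: password(site) = encode(HMAC(K, site)), K = KDF(master). ---
# Exactly 64 symbols so that 'byte % 64' selects uniformly (alphabet is an assumption).
ALPHABET = ("abcdefghijklmnopqrstuvwxyz" "ABCDEFGHIJKLMNOPQRSTUVWXYZ" "0123456789" "!@")
assert len(ALPHABET) == 64


def derived_password(master: str, site: str, length: int = 20) -> str:
    """Deterministic per-site password. The slow KDF step turns a captured derived
    password into only a slow oracle for guessing the master; the HMAC step means no
    site's password is a substring or rearrangement of another's."""
    key = hashlib.pbkdf2_hmac("sha256", master.encode(), b"site-pw-v1", 100_000)
    tag = hmac.new(key, site.lower().encode(), hashlib.sha256).digest()
    return "".join(ALPHABET[b % 64] for b in tag[:length])


def count_recovered(password_for, leaked_site: str, other_sites) -> int:
    """How many other sites' real passwords the substitution attack hits, given the
    leaked password for `leaked_site`. password_for(site) models the user's scheme."""
    leaked = password_for(leaked_site)
    guesses = substitute_site(leaked, leaked_site, other_sites)
    return sum(1 for site, guess in guesses.items() if guess == password_for(site))


if __name__ == "__main__":
    sites = ["hotmail", "paypal"]
    recipe = lambda site: pattern_password("Happydog", site, "791")
    keyed = lambda site: derived_password("correct horse battery staple", site)
    print("recipe: one leak recovers", count_recovered(recipe, "gmail", sites), "of", len(sites))
    print("keyed:  one leak recovers", count_recovered(keyed, "gmail", sites), "of", len(sites))
```

The keyed scheme still has a single point of failure (the master passphrase) and cannot rotate one site's password without adding a per-site counter to the HMAC input, which is why a password manager that stores random per-site passwords is the usual recommendation; what it does fix is the property Segnosaur is worried about, that one breach hands over the rest.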
Old 17th August 2017, 01:51 AM   #78
steenkh
Philosopher
 
steenkh's Avatar
 
Join Date: Aug 2002
Location: Denmark
Posts: 5,129
Originally Posted by elgarak
That's the point I want to drive home using sentences. Because it's easier to type full sentences to get long-ish passwords with less typing errors. Long passwords are prone to typing errors because you have to type "!Wt4iTf@*****".
True, but I also wanted to stress that all long passwords, even those with full sentences, are prone to typing errors. The dots that traditionally are used to tell how many characters you have typed, compound the problem.

In Lotus Notes, there was a system that showed Egyptian hieroglyphs dependent on the password you typed. This was absolutely brilliant, because after a while you could recognize by the hieroglyphs if your typing was correct (and the number of hieroglyphs was not directly tied to the number of characters), and you could not reconstruct the password simply by trying to achieve the same hieroglyphs.
__________________
Steen

--
Jack of all trades - master of none!
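Added example (written for this edit, not code from any post in the thread and not the Lotus Notes implementation): typing feedback in the spirit of the hieroglyphs described above, done as a fixed-size visual hash of what has been typed so far. A constant number of glyphs is shown whatever the length, a single wrong keystroke changes the whole picture, and a per-device secret salt stops anyone from precomputing password-to-glyph tables. The glyph names, the per-device salt and the PBKDF2 iteration count are assumptions for the example.

```python
"""Added example (not from the thread): fixed-size visual hash of typed text,
in the spirit of the Lotus Notes password hieroglyphs."""
import hashlib
import math

# Names stand in for glyph images; 32 entries so each glyph carries 5 bits.
GLYPHS = ["ankh", "eye", "ibis", "scarab", "lotus", "cobra", "owl", "reed",
          "vulture", "falcon", "jackal", "cat", "crocodile", "hippo", "baboon", "ram",
          "sun", "moon", "star", "water", "mountain", "house", "boat", "bread",
          "basket", "rope", "bolt", "feather", "hand", "foot", "mouth", "heart"]


def feedback_glyphs(typed: str, device_salt: bytes, count: int = 4) -> list:
    """Glyphs to show after each keystroke. Always `count` of them, so the number
    reveals nothing about the length; a one-character typo changes the picture.
    device_salt is an assumed per-machine secret that defeats precomputed tables,
    and the slow KDF limits how fast an onlooker can test guesses against the picture."""
    digest = hashlib.pbkdf2_hmac("sha256", typed.encode(), device_salt, 20_000)
    return [GLYPHS[b % len(GLYPHS)] for b in digest[:count]]


def bits_revealed(count: int = 4, glyph_count: int = len(GLYPHS)) -> float:
    """Information a shoulder-surfer learns about the password from the final picture."""
    return count * math.log2(glyph_count)


if __name__ == "__main__":
    salt = b"per-device-secret"          # constructed; a real one is random per install
    for text in ("correct horse", "correct hosre", "correct horse battery staple"):
        print(f"{text!r:34} -> {feedback_glyphs(text, salt)}")
    print(f"an onlooker learns about {bits_revealed():.0f} bits of the password")
```

The trade-off is the one steenkh hints at: the picture must be recognisable to the owner, so it necessarily leaks a few bits (20 here) to anyone watching the screen. Keeping the glyph count small and the derivation salted and slow keeps that leak from turning into a cheap offline check.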
Old 17th August 2017, 05:56 AM   #79
GlennB
Loggerheaded, earth-vexing fustilarian
 
GlennB's Avatar
 
Join Date: Sep 2006
Location: Pie City, Arcadia
Posts: 21,334
Working on a VAX/VMS system years ago, the login procedure introduced longer and longer pauses between failed login attempts. Is this not a solution to the brute-force methods of cracking passwords? Let's say the system recognises the IP address of the failed login and forces increasing delays on further attempts from that IP address - how would the hacker get around that? Change IP addresses for each attempt? There are only so many proxies, I'd have thought.
__________________
"Even a broken clock is right twice a day. 9/11 truth is a clock with no hands." - Beachnut

Last edited by GlennB; 17th August 2017 at 05:58 AM.
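Added example (written for this edit, not code from any post in the thread and not the VMS implementation): the growing-delay scheme GlennB describes, keyed by source address, by target account, or both, with a small simulation answering his question. Per-address backoff alone is defeated by an attacker who changes address every attempt (a botnet has far more than "only so many proxies"); adding a per-account key restores the delay. The class and function names, the 1-second base, the 300-second cap and the attacker model (one account, always waiting exactly as long as required) are assumptions for this example.

```python
"""Added example (not from the thread): VMS-style growing delays after failed
logins, keyed per source address and per account, and why both keys matter."""
from collections import defaultdict


class LoginThrottle:
    """After n consecutive failures on a key, the next attempt on that key must wait
    base * 2**(n-1) seconds, capped; a success clears the key. `dimensions` selects
    whether the source address, the target account, or both are tracked."""

    def __init__(self, dimensions=("src", "acct"), base=1.0, cap=300.0):
        self.dimensions = dimensions
        self.base, self.cap = base, cap
        self.failures = defaultdict(int)
        self.blocked_until = defaultdict(float)

    def _keys(self, src, acct):
        return [(d, v) for d, v in (("src", src), ("acct", acct)) if d in self.dimensions]

    def _delay(self, failures: int) -> float:
        return min(self.base * 2 ** (failures - 1), self.cap) if failures else 0.0

    def wait_time(self, now: float, src: str, acct: str) -> float:
        """Seconds the caller must still wait before an attempt is accepted (0 = go)."""
        return max([self.blocked_until[k] - now for k in self._keys(src, acct)] + [0.0])

    def record(self, now: float, src: str, acct: str, ok: bool) -> None:
        """Update counters for every tracked key after an attempt at time `now`."""
        for key in self._keys(src, acct):
            if ok:
                self.failures[key] = 0
                self.blocked_until[key] = 0.0
            else:
                self.failures[key] += 1
                self.blocked_until[key] = now + self._delay(self.failures[key])


def attack_duration(guesses: int, rotate_ip: bool, dimensions) -> float:
    """Simulated clock time an attacker needs to submit `guesses` wrong passwords
    against one account, waiting exactly as long as the throttle demands."""
    throttle = LoginThrottle(dimensions)
    now = 0.0
    for i in range(guesses):
        src = f"bot{i}" if rotate_ip else "bot0"   # fresh address per guess, or one address
        now += throttle.wait_time(now, src, "victim")
        throttle.record(now, src, "victim", ok=False)   # every guess is wrong
    return now


if __name__ == "__main__":
    for rotate in (False, True):
        for dims in (("src",), ("src", "acct")):
            secs = attack_duration(10, rotate, dims)
            print(f"rotate_ip={rotate!s:5} tracked={'+'.join(dims):8} "
                  f"10 guesses take {secs:5.0f}s of attacker time")
```

Ten guesses from one address against a per-address throttle cost the attacker 511 seconds; the same ten guesses from ten addresses cost nothing until the account itself is also a key. The per-account key has its own cost, which is the usual objection to lockouts: an attacker who knows your username can keep your account perpetually delayed, so production systems pair modest per-account limits with per-source limits and with a step-up (CAPTCHA or a second factor) rather than an ever-growing delay alone. SP 800-63B, the 2017 revision that prompted this thread, makes limiting failed attempts on an account a requirement for exactly this attack.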
Old 17th August 2017, 08:59 AM   #80
Hellbound
Merchant of Doom
 
Join Date: Sep 2002
Location: Somewhere between the central U.S. and Hades
Posts: 11,507
Originally Posted by marplots
Curious though. Do the things you describe actually happen regularly? Is it a risk inflated by theory - as in: if they steal my house key they can sneak in an attack me while I sleep - or is what you describe actually going on and how much/often?
Yes.

In fact, the main reason that hackers will go after low security passwords (like free email accounts and similar) is that they can sell those usernames and passwords to others, or use them themselves, against a variety of financial institutions and similar. Although usually it's phishing attempts, social engineering, or other similar methods to collect these, rather than cracking an actual system.

But it's common for hackers to attempt using names and passwords at other locations. My wife accidentally fell for a phishing email once, and gave a password we used on several sites. The phishing attempt was for Amazon, IIRC (some sort of online store like that, can't recall immediately now). She knew what she did immediately, so we were able to change those passwords right away. But over the next few weeks, we saw several failed login attempts to two of our credit card accounts.
Powered by vBulletin. Copyright ©2000 - 2017, Jelsoft Enterprises Ltd.
© 2014, TribeTech AB. All Rights Reserved.
This forum began as part of the James Randi Education Foundation (JREF). However, the forum now exists as
an independent entity with no affiliation with or endorsement by the JREF, including the section in reference to "JREF" topics.

Disclaimer: Messages posted in the Forum are solely the opinion of their authors.