Hard Light Productions Forums
Off-Topic Discussion => General Discussion => Topic started by: MP-Ryan on September 09, 2013, 09:50:23 am
-
http://www.popehat.com/2013/09/08/size-matters/
http://arstechnica.com/security/2013/03/how-i-became-a-password-cracker/
This subject has been mentioned before on HLP, but the above two links are excellent examples of why people should use long pass phrases that are easy to remember instead of short passwords that are not.
-
https://xkcd.com/936/
-
Nice. Have to update a lot of my passwords I guess.
-
Yup. Now, don't you wish that passwords longer than 8-10 characters were allowed on most of the places where you need them? About the only place where I have been able to implement a pass-phrase is on my home wi-fi. Granted that's an important one, but how about my bank? My log-in at work? My log-in to SAP? My log-in to the engineering server?
Argh argh argh...
-
I was able to use a longer phrase for a few online retailers like Amazon, but yeah, a lot of password forms out there only go up to 10 characters, which defeats the whole purpose.
-
my bank password is required to be exactly 6 alphanumeric. i don't even get all that worried about password security, and that made me cringe.
work passwords are a little bit better at 8, but they are well and truly completely random and have no hope in hell of having a word list used on them.
-
my bank password is required to be exactly 6 alphanumeric. i don't even get all that worried about password security, and that made me cringe.
work passwords are a little bit better at 8, but they are well and truly completely random and have no hope in hell of having a word list used on them.
Hey, um.... Which bank do you use?
-
Funny you guys mention that. I haven't managed to hit a limit on Google's services, but the Microsoft Account for this tablet I'm testing at work is max 16-character password and enforces stupid rules
-
"Your password requires at least one number, an upper case letter, your mother's maiden name, a sacrificial goat, dancing around a fire and cutting out your heart to burn it in the hellfire pit in the middle of the temple to appease the password gods"
-
Banks are interesting. All I've encountered have quite weak password requirements & they don't ever force you to change your password (although some think changing passwords regularly isn't that important (https://www.schneier.com/blog/archives/2010/11/changing_passwo.html) anyway). They do seem to like 2 factor authentication though, like sending a confirmation SMS to your phone. While I think that part of this is them just writing off a certain amount of fraud, I think it also shows what's actually cost-effective at preventing fraud. i.e. if someone enters their password into a keystroke logger, it doesn't matter how strong said password is, and that event is more likely than someone brute-force guessing your password.
Personally, I use a password management program (like KeePass) with a long master passphrase to open the file, and I use 16+ random character passwords for any sites that allow it, because once I'm using a password management program there's no reason not to make them as complicated as possible. I think that having non-trivial separate passwords (http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/) for every site I use is very important, and worth the risk of having all my passwords in a file that potentially could be stolen & unencrypted. And there is no way on earth that I can memorise all the passwords that I need, especially for sites that I only need to login to occasionally.
-
I only use 20-character randomly generated password for my bank account, which is always empty anyways. Everything else has one of 3 passwords I used in the past. I had to change password on my google account since some Chinese tried to hack it. Luckily google has some more safeties and only NSA knows everything.
-
I had to change password on my google account since some Chinese tried to hack it.
Query: How do you know they were Chinese and how do you know that there was more than one person involved in the attempt?
-
I had to change password on my google account since some Chinese tried to hack it. Luckily google has some more safeties and only NSA knows everything.
Same here.
Now my password is like three times as long. (Takes so much longer to log in now)
-
best password i ever used was ultraneocontraantidisestablishmentarianism
-
I had to change password on my google account since some Chinese tried to hack it.
Query: How do you know they were Chinese and how do you know that there was more than one person involved in the attempt?
Google tells you the location so at least the server was Chinese. How many people were involved I don't care.
-
I just use true random passwords of length 12-16 for everything, aside from a master password holding my vault locked under a very long passphrase.
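The formats mentioned across this thread (the bank's exactly-6 alphanumeric, the 8 random alphanumeric at work, xkcd 936's four common words, the 20-character bank password above, and the 12-16 random characters plus long master passphrase here) can be put on one scale. The script below is an added illustration, not something from the thread or from any of the linked articles: it computes the entropy of each format assuming the characters or words are chosen uniformly at random (a dictionary-derived string like the "ultraneocontra..." one a few posts up gets nowhere near 41 × log2(26) bits, because it was not chosen that way), and turns it into an average crack time at a guess rate that is purely a constructed placeholder. The list sizes for xkcd (2048 words, ~11 bits each) and Diceware (7776 words) are the commonly used ones and are assumptions of the example, not numbers from this page.

```python
import math

ALNUM, PRINTABLE = 62, 95                 # [A-Za-z0-9]; printable ASCII minus space
XKCD_WORDS, DICEWARE_WORDS = 2048, 7776   # assumed list sizes: xkcd 936's ~11 bits/word, standard Diceware


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols drawn uniformly at random from
    `alphabet_size` possibilities. Only valid when the choice really was random."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Mean time to hit the secret: on average half the search space is tried."""
    return 2 ** (bits - 1) / guesses_per_second


# (alphabet size, number of symbols) for each format discussed in the thread
FORMATS = {
    "bank: exactly 6 alphanumeric":          (ALNUM, 6),
    "work: 8 random alphanumeric":           (ALNUM, 8),
    "xkcd 936: 4 random common words":       (XKCD_WORDS, 4),
    "6 Diceware words (master passphrase)":  (DICEWARE_WORDS, 6),
    "vault-generated: 16 random printable":  (PRINTABLE, 16),
    "vault-generated: 20 random printable":  (PRINTABLE, 20),
}


def compare(guesses_per_second: float = 1e10) -> dict:
    """Entropy and mean crack time per format. 1e10 guesses/s is a constructed
    placeholder for an offline attack on a fast unsalted hash; a slow hash
    (bcrypt, scrypt, argon2) is orders of magnitude slower, and an online login
    form with lockouts is slower still, so only the relative ordering matters."""
    out = {}
    for name, (alphabet, length) in FORMATS.items():
        bits = entropy_bits(alphabet, length)
        out[name] = (round(bits, 1), expected_crack_seconds(bits, guesses_per_second))
    return out


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:40s} {bits:6.1f} bits   ~{secs / 86400:.3g} days")
```

Two things fall out of the numbers: the 6-alphanumeric bank rule gives under 36 bits, and four random dictionary words (44 bits) sit slightly below 8 truly random alphanumerics (about 48 bits) while being far easier to remember, which is the trade the opening links argue for; a vault-generated 16+ character random password or a six-word Diceware master passphrase is in a different league from both.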
-
Good reads. I now feel tempted to change some of my passwords.
Microsoft has a guide on password creation that seems to echo what is being stated in the articles. (http://www.microsoft.com/security/online-privacy/passwords-create.aspx)
-
my bank password is required to be exactly 6 alphanumeric. i don't even get all that worried about password security, and that made me cringe.
work passwords are a little bit better at 8, but they are well and truly completely random and have no hope in hell of having a word list used on them.
Hey, um.... Which bank do you use?
hopefully one that will NEVER leak its password lists.
oddly enough, however, right after posting that i logged on and was greeted with a message saying they are going to be changing the password system soon. hopefully that means changed rules and not just a new logon page.
-
Two-factor authentication FTW.
I turn it on with every system I can. Twitter will send the one time use passcode via SMS, my bank uses a program called VIP Access from Symantec (formerly done by verisign), then there is the Google Authenticator. Every login system should include this functionality IMO.
-
google will never, ever, EVER get my real name or phone number. they wouldn't even have my email address if they hadn't bought out youtube and inherited it.
-
Two factor auth is good & I recommend using it where you can, but it's still (https://www.schneier.com/blog/archives/2005/03/the_failure_of.html) fallible (http://www.techspot.com/news/51037-trojan-bypasses-two-factor-authentication-steals-465-million.html) unfortunately (http://www.bbc.co.uk/news/technology-16812064). And I believe (although I can't find a link at the moment) that it's possible to intercept SMS's, or use social engineering on your Telco to transfer your number to a new SIM (http://thenextweb.com/africa/2013/05/28/south-african-mobile-operator-and-bank-team-up-to-tackle-sim-swap-fraud/).
-
greeted by the following new asinine password requirements when logging in to check my pay stub today
The PASSWORD MUST:
be 15 to 30 characters in length
contain at least two uppercase letters (A-Z)
contain at least two lowercase letters (a-z)
contain at least two numbers (0-9)
contain at least two of the following special characters: # @ $ % ^ ! * + = _
change at least four characters from your previous password
The PASSWORD CANNOT:
contain spaces
be one of your last ten previous passwords
The PASSWORD will expire in 60 days.
the government is ****ing retarded. thank you for guaranteeing i have to write down my password. oh, and these are a completely DIFFERENT set of requirements from the four or five other various government websites i have to use regularly.
-
What in the actual ****
All they're forgetting is security questions you have to answer each time you log on
Oh, and those also expire every 60 days
-
I've worked with (not at thankfully) companies that set the password expiry time to 30 days :rolleyes:
-
twofactor can burn in hell with the rest of the internet. obligatory nuke all the things.
greeted by the following new asinine password requirements when logging in to check my pay stub today
The PASSWORD MUST:
be 15 to 30 characters in length
contain at least two uppercase letters (A-Z)
contain at least two lowercase letters (a-z)
contain at least two numbers (0-9)
contain at least two of the following special characters: # @ $ % ^ ! * + = _
change at least four characters from your previous password
The PASSWORD CANNOT:
contain spaces
be one of your last ten previous passwords
The PASSWORD will expire in 60 days.
the government is ****ing retarded. thank you for guaranteeing i have to write down my password. oh, and these are a completely DIFFERENT set of requirements from the four or five other various government websites i have to use regularly.
government websites in general suck. as a result i deal with the government entirely in paper. i like to use totally unreadable fonts, to match my equally unreadable penmanship. the best thing is no ****ing passwords. i particularly hate alaska's fish and game website. it never works. i have filled out my deer harvest report for last year 3 times now, it says it goes through fine, but they still send me the yellow cards that say i didn't file it. only reason i didn't send paper was because i lost the form and couldn't find the pdf on the internet. so bomb the **** out of bureaucrats with actual bureaucracy.
-
The PASSWORD MUST:
be 15 to 30 characters in length
okay
contain at least two uppercase letters (A-Z)
okay
contain at least two lowercase letters (a-z)
right
contain at least two numbers (0-9)
makes sense
contain at least two of the following special characters: # @ $ % ^ ! * + = _
I suppose
change at least four characters from your previous password
wat
This raises so many questions regarding the implementation of the password query....
If they're using a sane system, said system must (not can, MUST) be unable to make that determination. So assuming they do, this is a requirement that humans have to execute, and can thus circumvent.
If they don't, if their password storage is so bad that this kind of thing can be verified automatically, well, you (and they) are ****ed, cos there's a hole in the security a mile wide.
The PASSWORD CANNOT:
contain spaces
be one of your last ten previous passwords
Again with the what. Must be unique across x iterations I can sort of understand, but cannot contain spaces? What kind of bull**** input routines are they using?
The PASSWORD will expire in 60 days.
Riiiiight
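The distinction the post above draws between "not one of your last ten" and "change at least four characters from your previous password" is worth seeing in code. The following is an added example written for this thread, not code from the pay-stub site or any project: it encodes the posted rule list as a validator, keeps the last ten passwords as individually salted PBKDF2 hashes (a stand-in for a proper password hash such as argon2 or bcrypt), and shows that the history rule can be checked against those hashes by rehashing the candidate under each stored salt, while the four-characters-changed rule can only be evaluated at the moment the user has typed the old password in plaintext; nothing stored makes it possible later. The "positions that differ plus length difference" reading of "change at least four characters" and all sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import os

# The posted rule list, as code. Sample passwords used with it are constructed.
SPECIALS = set("#@$%^!*+=_")
HISTORY_DEPTH = 10
MIN_CHANGED = 4


def policy_violations(pw: str) -> list:
    """Return the names of the rules a candidate breaks (empty list = compliant)."""
    bad = []
    if not 15 <= len(pw) <= 30:
        bad.append("length")
    if sum("A" <= c <= "Z" for c in pw) < 2:
        bad.append("uppercase")
    if sum("a" <= c <= "z" for c in pw) < 2:
        bad.append("lowercase")
    if sum("0" <= c <= "9" for c in pw) < 2:
        bad.append("digits")
    if sum(c in SPECIALS for c in pw) < 2:
        bad.append("specials")
    if " " in pw:
        bad.append("spaces")
    return bad


def chars_changed(old: str, new: str) -> int:
    """One reading of 'change at least four characters' (an assumption): positions
    that differ, plus any difference in length. Needs both plaintexts."""
    differing = sum(a != b for a, b in zip(old, new))
    return differing + abs(len(old) - len(new))


def hash_password(pw: str, salt: bytes) -> bytes:
    # Salted, iterated hash: the store never holds recoverable plaintext.
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


class PasswordRecord:
    """Current password plus the previous ones, as (salt, hash) pairs, oldest first."""

    def __init__(self, first_pw: str):
        self.history = []
        self._store(first_pw)

    def _store(self, pw: str) -> None:
        salt = os.urandom(16)                     # fresh salt per entry
        self.history.append((salt, hash_password(pw, salt)))
        del self.history[:-HISTORY_DEPTH]         # keep only the newest ten

    def verify(self, pw: str) -> bool:
        salt, digest = self.history[-1]
        return hmac.compare_digest(hash_password(pw, salt), digest)

    def in_history(self, pw: str) -> bool:
        # "Not one of your last ten" IS checkable against hashes: rehash the
        # candidate under each stored salt and compare in constant time.
        return any(hmac.compare_digest(hash_password(pw, s), d) for s, d in self.history)

    def change(self, old_pw: str, new_pw: str) -> list:
        """Attempt a rotation; returns the reasons it was refused (empty = accepted)."""
        if not self.verify(old_pw):
            return ["old password wrong"]
        reasons = policy_violations(new_pw)
        if self.in_history(new_pw):
            reasons.append("history")
        # This comparison works only because old_pw was just typed in plaintext.
        # From the stored (salt, hash) pairs alone no such check exists, which is
        # why a hash-only system cannot enforce this rule after the fact.
        if chars_changed(old_pw, new_pw) < MIN_CHANGED:
            reasons.append("too few characters changed")
        if not reasons:
            self._store(new_pw)
        return reasons
```

Note what the history check costs: a rotation hashes the candidate up to eleven times, which is fine with a deliberately slow hash but is also the only reason the rule is implementable; a site that can tell you how many characters you changed without asking for the old password is either keeping the old one recoverable, or storing something reversible enough that the post's "hole a mile wide" applies.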
-
---------- thought better of posting -----------
suffice it to say that the alternate logon method completely undermines the PW system anyway (but saves my ass from having to use it). but i don't really need to go sharing details of that on the open internet. :nervous: