Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[Capntastic]

Highlight my previous post in this thread if you like SECRET PUZZLES

[Starver]

I'm annoyed by websites having different kind of requirements for passwords, like lenght or whether it can start with number etc.

Well, I asways try a minimum length of 8 anyway (and if I'm asked to do more than that, can comply easily enough).  It's maximum lengths of 8 that cause me concerns.  I've seen it, though can't remember where.

One site I can remember (an old, and now defunct, "teaching you about computers" site[1]) was interesting, in that it liked punctuation in general.  But when one old gentlemen[2], without prompting, used a password with an @ in it, it went funny.  Not refusing to take the password, but even with an identical confirmation box it didn't accept it.

It wasn't used in the context of an email address, although I'm wondering if someone had put something in to prevent email addresses being used as passwords.  There was no instructions or warning about this, though, and my best interpretation as to why the confirmation of password never worked was that one of the two password entering boxes was subjected to an @-stripping process, but not the other.  (Or string-literal @ to string-literals \@, which I've seen done, for no good reason on various things...)

Anyway, for that guy's case, I just pursuaded him to use "at" instead of "@", and it worked.

Given that (not to give anything away) some of the choices (which I never noted down, but always made sure that they noted down) were often something like "June1944" (although one guy had tried to use his army number, but then had to add a letter at the end because it didn't like all-digits either... the reverse of most people who only used alphabetic characters unless forced otherwise), I wasn't too concerned.  Given what they were making a password for, it was more of everyone's concern that they remember their password (or be able to read it from their notes[3]) than there be absolutely no way for anyone else to log onto their account and... what..? learn how to use a keyboard instead of them?


But when it comes to online banking, and other similarly vital/vulnerable things, I'm hoping that those that have the passwords written down don't just have:

River's Bank: 12345678
Amazon: 87654321
eBay: 4uc710n
PersonalPornSite: p455w0rd
Swiss Bank: thankyougreatgrandadheinrich

..but instead something more like

River's Bank: paddi87654321ing
Amazon: extr12345678a#s
eBay: rann017cu4dom~
PersonalPornSite: obdr0w554pfusc8
Swiss bank: rthankyougreatgrandadheinrichubbish

Except better than just reversing and shifting them around in the middle of other junk letters, of course.

Highlight my previous post in this thread if you like SECRET PUZZLES

Indeed. That's obviously off-topic. Kindly ignore this attempt to flagrantly add communications evasively, valuing a less urgently engineered affectation. No, don't imagine generating numeric operations. Read everything directly initially, thanks. <If no secret evolves, really think some more in lexical expressions, yes?>


[1] That needed knowledge of a significant amount of the first few modules (which included very basic tutorials about the keyboard and mouse) in order to get yourself using it (never mind connected to it in the first place.  Which is where the tutors, such as I came in...  After telling the least previously knowledgeable (and not everyone was at that quite low a level) how the mouse cursor and the text cursor were different, how they could use <tab> to move the cursor between fields if they preferred that to using the mouse (hey, I do, where possible!), and giving my own advice about avoiding the Caps-Lock, but IT WAS THERE IF THEY REALLY WANTED TO USE IT...  Then they could get onto the web-site properly and learn a lot of what I'd already told them about from the screen...  Ho hum.

[2] Heard he died the other day.  RIP.

[3] And here the big problem was writing their passwords in capitals when they weren't.  (After all, they were using a keyboard with "QWERTY" keys on it, not "qwerty" ones, most of them.)  Or InitialCapitalising what they wrote by hand.  Or putting spaces in.  Which they may or may not have conveyed when typing it in.  And once they got better with the keyboard they might have different ideas.  And I make no judgement about this (because they were pretty much all new to the idea of computers and email), but the number of times I've seen email addresses being entered as "j bloggs @ hot mail . co" (yes, or ". com . uk"[4]).  And this was something else the online course didn't clarify and was left up to me to try to explain.

[4] Although maybe you want to blame some of that on the decisions of the .uk domain authority that were different to (say) the .au counterparts.

[X] Sorry, am I going OT?

[JoshuaFH]

I never knew you were such a huge password buff Starver.

[Karlito]

I now have a complicated password for a Lastpass account which stores a bunch of different randomized passwords for everything else. It's pretty convenient, especially for places that make you change your password.

Highlight my previous post in this thread if you like SECRET PUZZLES

I suspect I read that in much less time than it took you to make it, so 

[Capntastic]

Nah

[Starver]

I never knew you were such a huge password buff Starver.

At one time it was a professional concern that I get people to be serious about passwords.  In serious data security situations.

But the more extreme levels I'm talking about (to the extent of two-factor[1] and three-factor access controls...  even considering what four-factor access controls might be usable) won't be applicable to most password needs.  I just thought I'd try to put things in context.

(Although having a piece of paper saying "My passwords are..." hanging around is just asking for it.  OTOH, loss of that piece of paper is probably worse than it being discovered by someone else, especially if you've made some obfuscation attempts to make it basically unusable.  What I'd suggest is that you make sure you have several copies, which naturally you've suitably obfuscated to make them useless to others, but as well as the copy 'hidden' down the side of your computer you also have one in a kitchen cupboard and maybe one in your desk at work.  And if you're not confident doing that..?  You obviously haven't obfuscated it enough, in your attempts to safeguard your External Password Remembering System. )

((Oh, and when you update one copy, whether because of changes or additions, work to update them all ASAP.  You know things will go wrong when you're ill-prepared for them to do so...))



[1] Here a shortcut for "any 'n' of: something you know, something you have, something you are", e.g. passwords, passcards and biometrics.  But you could also double/triple up on any of those in a looser interpretation, like having a secondary confirmatory password to confirm changes to (and sign) data initially accessed by other methods, adding "another factor level".  But that's not what really what that means and it was a bit tongue-in-cheek and being thrown around as "additional security measures" that sounded good to those that it was good to impressed with such inanities.  The FFIEC wouldn't brook such descriptions though, so don't try it with them.

[JoshuaFH]

What do you think of those World of Warcraft password generator things you stick onto your keychain?

[Skyrunner]

What do you think of those World of Warcraft password generator things you stick onto your keychain?

Ya mean the one-time passcodes?

I know for a fact that they can foil most game hackers, 'cause after I OTP'd my account for DFO and came back 3 months later, the tell-tale signs of a failed hacking were there, but nothing was actually gone.

Contrast that to the time before, a different account that was ransacked, used for scams and frozen, all in a year's time.

[ToonyMan]

Nah

My eyes hurt reading those.

[Itnetlolor]

Here's a useful device I came across:

http://howsecureismypassword.net/

[zombie urist]

It would take a desktop PC About 25 million years to hack your password

What I do for passwords is keep a list of words and then combine them.

For example, I might have door, cat, dwarf, goblin. Then a password can be catdoor. Then I replace some letters with numbers and add some caps, etc.

[Starver]

What do you think of those World of Warcraft password generator things you stick onto your keychain?

Never seen one of those in the flesh, but there are plenty of equivalent systems out there.  I wonder what type it is.

Some work off an internal clock and generate one new number via (essentially) encoding the time-slice (maybe a minute or two in length) that it is currently.  The server-end does something similar with the current time and may also do so with times anything up to a couple of minutes either way.  (If it finds the client-clock is getting fast, it'll probably change the 'central offset' for next time to account for any drift.)  That's pretty secure, although the possibility of getting a peek at a device one minute and using its 'secret' a couple of minutes later has to be considered.

Others work on the fact that each query of the device gives the next number in the particularly-seeded PRNG sequence.  Account has to be taken for (especially with inquisitive owners) skipping number-checks.  And, even more so, an attacker could "pinch a number" at any time he wants and, as long as he gets to use if before the legitimate owner asks for another number and uses it (so invalidating the pinched one), it's a 'free go' for the attacker.

Then there are ones with keypads so that either a personal PIN[1] of the legitimate owner or the server's query (or both?) can get typed in to produce an output which could not be so easily 'scraped' as mentioned above.  There's some flaws with that (discounting the old MITM-attack methods that could get around most systems, but often needs a lot more preparation) but it'd be vastly better.

Now, this tech being used for WOW...  Well, I suppose a lot of people put a lot of time and money into it (or someone else can make use of an exploited person's time in order to earn themselves some money), but it seems like bank-level security has leached down a level or too, there.

(Back in the day, we were investigating combi-devices that were essentially set to release something of a time/instance variable authentication code according to what was read by the biometric (fingerprint) sensor upon it.  But while the ideas were advanced, especially the idea that multiple fingers could be used[2], the tech still had a few issues and it wasn't considered for too long.)


Oh, and I'm not currently doing anything like that, so I stand to be shown to be completely out of date, insofar as the bleeding-edge of the field.


[1] Shall I tell you how I hate the term "PIN Number", eh?  What does the "N" in "PIN" stand for?  Right.

[2] For redundancy purposes.  Not just because you'd be hard pressed to lose both hands at once (and still be wanting to get straight back to work!), but so that a key could be shared by different people in a team.

[Putnam]

Here's a useful device I came across:

http://howsecureismypassword.net/

Code: [Select]

It would take a desktop PC
About 698 septendecillion years
to hack your password

Length: Long
Your password is over 16 characters long. It should be pretty safe.
My password was "The quick brown fox jumps over the lazy dog."

(exactly)

I don't think that's quite as good as it thinks...

[Itnetlolor]

Sure, that is kinda silly, I'll admit, but it does at least give you a good idea of if you're using an abundantly overused password at least, or if you haven't varied a simple, though unlisted, password enough to get past the simple-minded household snooper by suggesting at least to add more to it (more characters, symbols, numbers, case-sensitivity).

[Trapezohedron]

Highlight my previous post in this thread if you like SECRET PUZZLES

Oh sure...

*highlights the first few words*

Oh I know where this is going.

New Guy cancels decode: Genre Savviness takes over.