Passwords


26 replies to this topic

#1 ᗅᗺᗷᗅ

ᗅᗺᗷᗅ

    The Invictan Formerly Known as Jorost

  • Lord Protector
  • 16192 posts
  • Gender:Household pet that walked across the keyboard - male
  • Location:Massachusetts
  • Ruler Name:Jorost
  • Nation Name:Invicta Crownlands
  • IRC Nick:Jorost
  • Alliance Name:Invicta
  • Nation Link






Posted 07 July 2015 - 10:39 AM

Does anyone else think password requirements have gotten out of hand? It's ridiculous. I just did one that requires a capital letter, a lowercase letter, two numbers, and a special character. As a result I'm forced to create some mess of a password that I will never remember. Write it down, people say, but that strikes me as stupid. The whole point of a password is to provide security; writing it down defeats the purpose. I really wish websites would just let me use the passwords I want to use. I'll check off a box saying I have been warned of the consequences of having a weak one. If I'm so stupid I want to use "1234" that's on me. Because what inevitably happens with all these requirement-heavy passwords is that I forget them, and then I have to go through the hassle of resetting them, which usually means choosing yet ANOTHER new one because most places won't let you re-use old ones.

 

facebook-frustration_full.png






#2 The Dark Empire

The Dark Empire

    Lord James

  • Peer
  • 3082 posts
  • Gender:Male
  • Ruler Name:Lord James
  • Nation Name:The Dark Empire
  • IRC Nick:TheDarkEmpire
  • Alliance Name:Regnum Invictorum
  • Nation Link




Posted 07 July 2015 - 10:43 AM

My school makes me change my password every 6 months and it has all the dopey character requirements.


#3 KiWi

KiWi

    To Be Or Not To be, Just Pick One!

  • Admin: Assistant Webmaster
  • 6060 posts
  • Gender:Other
  • Ruler Name:King William
  • Nation Name:Royal Nine
  • IRC Nick:KingWilliam
  • Nation Link


Posted 07 July 2015 - 10:47 AM

I just have my browser remember them, and I use a master password.

I should get a better master, but as long as that's client side, and I know the password to my email if I ever need to reset a password, I assume it's all fairly safe.

I don't follow practices like I know I should/would encourage others to, but eh.


#4 ᗅᗺᗷᗅ

Posted 07 July 2015 - 10:53 AM

I don't like using my browser to remember passwords. It feels unsafe to me. If anyone ever got hold of my laptop all they'd need to do is break that one master password and they'd have access to everything. I know that's probably not likely, but it's how I think. That's also why I don't log into anything important on my smartphone (making email on the smartphone a colossal pain in the ass).

 

Besides, what if you're not on your computer? I was just trying to log into something from work, but I can't remember the damn password because the requirements are so specific.




#5 rotty

rotty

    The First 2 time Puppy President

  • President Emeritus
  • 13429 posts
  • Gender:Male
  • Location:West Coast is Best Coast you Bitch
  • BJ Points:69696969
  • Ruler Name:rotty
  • Nation Name:Giggle
  • IRC Nick:rotty
  • Alliance Name:~ Invicta ~
  • Nation Link



Posted 07 July 2015 - 11:04 AM

I never let my browsers save passwords.

I save them in a folder and then hide them in the Wise Folder Holder software on a thumb drive. (haha, not for Macs)   :P




#6 He who posts

He who posts

    Intentialy offensive

  • Foreign Diplomat
  • 1444 posts
  • Gender:Sentient artificial intelligence - identifies as male


Posted 07 July 2015 - 11:28 AM

Does anyone else think password requirements have gotten out of hand?

T8mGuit.png

 

I think that's worse.



#7 Manoka

Manoka
  • Internal Affairs: Writer
  • 6520 posts
  • Gender:Male
  • Location:A place
  • Ruler Name:deadmanszpiper
  • Nation Name:Manoka
  • IRC Nick:Rawrmansz
  • Nation Link





Posted 07 July 2015 - 01:32 PM

Sooner or later they will start requiring double layers of security, then triple, 2-3 passwords, answers about yourself etc. 

 

I think it's designed to make things so hard on you that you have to give real information to keep up with it all, so they can gather more information. :ninja:




#8 Infopowerbroker

Infopowerbroker

    Rambo of the Flowers

  • [Redacted]
  • 8461 posts
  • Ruler Name:Infopowerbroker
  • Nation Name:Maggie Walkerville
  • IRC Nick:Infopowerbroker
  • Nation Link





Posted 07 July 2015 - 06:10 PM

There is a lot of "research" back and forth, but the idea holds some merit:

password_strength.png

Long phrases are good. Entropy (length and girth different types of characters) makes it better.

Having different passwords is good. Some folks do a neat thing where they have the same password base [J0r0stIsKing!] and add a different salt [unique suffix] to the end.
The reason this is important is that many passwords are stored using the same hashing method (think encryption, but the algorithm only goes from text to scramble (cyphertext), there is no way to get back the original pw). The password J0r0stIsKing! would have the hash 5E-22-6C-70-B7-64-0D-6A-31-C9-DC-AF-EA-92-C3-8D when put through the MD5 algorithm.
Example for Pizza Hut: J0r0stIsKing!PIZZA has an MD5 hash of B2-D5-7F-FB-30-C4-3E-7E-63-79-94-35-2D-BC-3D-C9
Example for Cybernations: J0r0stIsKing!CYBERNATIONS has an MD5 hash of 56-92-B3-9E-FD-76-27-D7-8F-F8-32-55-16-84-F1-3B
Example for PlentyOfFish: J0r0stIsKing!FISHYFISH has an MD5 hash of DA-53-C7-6D-0C-4D-19-ED-44-BC-FA-5C-02-C7-F6-0E

As long as you keep the beginning secret (that J0r0stIsKing!), you can write down PizzaHut = PIZZA, Cybernations = CYBERNATIONS, and Plenty Of Fish = FISHYFISH in your password book, and anyone who snoops through your password book won't be able to get in.

If Plenty of Fish gets hacked and someone knows that your password hash is DA-53-C7-6D-0C-4D-19-ED-44-BC-FA-5C-02-C7-F6-0E, they won't be able to use it to try to get into Cybernations or Pizza Hut.

Plus, it's easy to remember that J0r0stIsKing!, because, well, duh.
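
Added example, not part of the post above: the base-plus-suffix scheme from post #8 in Python, next to what a site can do on its own side with a random per-account salt and a slow key-derivation function. UTF-8 encoding, PBKDF2-HMAC-SHA256 and the iteration count are assumptions of this sketch; the post does not say how its MD5 values were computed, so the digests printed here are not claimed to match them.

```python
import hashlib
import hmac
import os

BASE = "J0r0stIsKing!"  # base and suffixes are the ones used in the post
SUFFIXES = {"Pizza Hut": "PIZZA", "Cybernations": "CYBERNATIONS",
            "PlentyOfFish": "FISHYFISH"}


def md5_dashed(password: str) -> str:
    """Unsalted MD5 in the post's dashed-hex layout (UTF-8 bytes assumed)."""
    digest = hashlib.md5(password.encode("utf-8")).hexdigest().upper()
    return "-".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def per_site_digests(base: str, suffixes: dict) -> dict:
    """Digest each site would hold if it stored plain MD5(base + suffix)."""
    return {site: md5_dashed(base + sfx) for site, sfx in suffixes.items()}


def store(password: str, iterations: int = 200_000) -> tuple:
    """Site-side storage: random per-account salt plus a slow KDF."""
    salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, iterations, key


def verify(password: str, record: tuple) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, key)


if __name__ == "__main__":
    # A different suffix per site gives an unrelated unsalted digest per site.
    for site, digest in per_site_digests(BASE, SUFFIXES).items():
        print(f"{site:13} {digest}")
    # The same password stored twice with random salts: records differ,
    # yet each still verifies the correct password.
    a, b = store(BASE + "PIZZA"), store(BASE + "PIZZA")
    print("salted records differ:", a[2] != b[2])
    print("verifies:", verify(BASE + "PIZZA", a))
```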


#9 Redezra

Redezra

    ~>:BAMF:<~

  • Invicta: Knight
  • 7728 posts
  • Gender:Sentient artificial intelligence - identifies as female
  • Location::D
  • Ruler Name:Redezra
  • Nation Name:Jorostopia
  • IRC Nick:Redezra
  • Alliance Name:Invicta
  • Nation Link


Posted 07 July 2015 - 06:34 PM

As a security "expert" (and please, don't consider me any more than a network security researcher on this topic), yes it is out of hand. However, what the XKCD comic does not tell you is that computers guess non-randomly. The first thing I'll do is write a program that tests combinations of real English words, so "correct horse battery staple" is going to get pwnd a shitload earlier than Tr0ub4dor &3



#10 Infopowerbroker

Posted 07 July 2015 - 07:04 PM

As a security "expert" (and please, don't consider me any more than a network security researcher on this topic), yes it is out of hand. However, what the XKCD comic does not tell you is that computers guess non-randomly. The first thing I'll do is write a program that tests combinations of real English words, so "correct horse battery staple" is going to get pwnd a shitload earlier than Tr0ub4dor &3


And yes, there are password cracking dictionaries for almost every language in use, including Klingon and Elvish, but for Jorost's original post, the idea does illustrate the value of entropy. (It was either XKCD or Shannon's Entropy Equation 279431d37dd6295da23d0f8752f3d721.png from NIST Special Publication 800-63 Electronic Authentication Guideline, Appendix A: Estimating Entropy and Strength(.pdf))

:)
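
Added example, not part of either post: the entropy arithmetic behind posts #9 and #10, comparing a phrase counted as random characters, counted as random words, and scored with the SP 800-63 Appendix A rule of thumb for user-chosen passwords. The 2048-word list and the 27-symbol alphabet (a-z plus space) are assumptions, and the word-level figure only holds when the words are picked at random.

```python
import math

# The two passwords named in the thread, copied as they appear there.
PASSPHRASE = "correct horse battery staple"
COMPLEX = "Tr0ub4dor &3"


def uniform_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly at random: l * log2(b)."""
    return length * math.log2(alphabet_size)


def nist_user_chosen_bits(password: str, composition_rule: bool = False) -> float:
    """SP 800-63 Appendix A rule of thumb: 4 bits for the first character,
    2 bits each for characters 2-8, 1.5 each for 9-20, 1 each after that,
    plus 6 bits when upper case and non-alphabetic characters are required."""
    bits = 0.0
    for position in range(1, len(password) + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    return bits + (6.0 if composition_rule else 0.0)


def compare(passphrase: str, wordlist_size: int = 2048,
            alphabet_size: int = 27) -> dict:
    """Same phrase, three ways of counting the guessing space."""
    words = passphrase.split()
    return {
        # Overstates strength: nobody needs to guess letter by letter.
        "as_random_characters": uniform_bits(alphabet_size, len(passphrase)),
        # What a word-combining guesser from post #9 actually faces.
        "as_random_words": uniform_bits(wordlist_size, len(words)),
        "nist_rule_of_thumb": nist_user_chosen_bits(passphrase),
    }


if __name__ == "__main__":
    for name, bits in compare(PASSPHRASE).items():
        print(f"{name:22} {bits:6.1f} bits")
    print(f"{COMPLEX!r} under a composition rule:",
          nist_user_chosen_bits(COMPLEX, composition_rule=True), "bits")
```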


#11 Redezra

Posted 07 July 2015 - 07:22 PM

Yeah, I know~ it's just that it means while it's theoretically effective, it's only effective against idiots. Which is why security on the scale Jorost is disliking happens.

 

Tbh, I do enjoy forcing people to use good passwords. I implemented an application whitelisting regime on my family's machines. That was fun :3



#12 Australia

Australia
  • Foreign Diplomat
  • 60 posts
  • Ruler Name:Wu Ming
  • Nation Name:Austrailia
  • Nation Link

Posted 10 July 2015 - 12:21 PM

That's a misconception actually. I don't think writing it down and putting it in your wallet is insecure. After all, you have to secure your wallet against theft anyways.

#13 slimshadyinc

slimshadyinc
  • Former Member
  • 503 posts
  • Ruler Name:slimshadyinc
  • Nation Name:United Freedom State
  • Nation Link


Posted 10 July 2015 - 05:30 PM

Idk, I always make passwords I can remember even with all that stuff, so I don't have that problem.


#14 the rebel

the rebel
  • Former Member
  • 1961 posts
  • Gender:Male
  • Location:Manchester UK
  • Ruler Name:the rebel
  • Nation Name:rebellion
  • IRC Nick:TheRebel
  • Nation Link

Posted 10 July 2015 - 05:53 PM

I've always used the password Yahoo email gave on register back in 2000, so it's a generic password 14-20 characters long with different variations used over the years... I consider it very strong.




#15 ᗅᗺᗷᗅ

Posted 11 July 2015 - 08:56 AM

That's a misconception actually. I don't think writing it down and putting it in your wallet is insecure. After all, you have to secure your wallet against theft anyways.

 

True. But then if your wallet is stolen, you would be that much more vulnerable. Security 101: never write anything down, never leave a paper trail.




#16 Redezra

Posted 11 July 2015 - 10:11 AM

Security 101: Don't exist, it's easier.



#17 KiWi

Posted 11 July 2015 - 10:22 AM


That's a misconception actually. I don't think writing it down and putting it in your wallet is insecure. After all, you have to secure your wallet against theft anyways.

 
True. But then if your wallet is stolen, you would be that much more vulnerable. Security 101: never write anything down, never leave a paper trail.
 


Unless you list what it's for, the user name with it, you have no other security measures in hand, you don't report that your wallet is stolen (and are already in panic mode cancelling credit cards and being pissed your shit and money is gone), who's going to take a piece of paper (esp someone who's stolen your wallet, likely then dumping whatever they don't take right then [cash or the credit cards, I guess]) and then think "this is that dude's password! With this I can sign into his [bank account] and steal the rest of his fortune".

Or something like that.

I'm not a screenwriter. I need an editor like anyone else.


#18 Orson

Orson
  • Former Member
  • 9 posts
  • Gender:CIA
  • Ruler Name:Orson
  • Nation Name:Great Arcadia
  • Alliance Name:Invicta
  • Nation Link

Posted 11 July 2015 - 05:07 PM

Consider writing down all your passwords once. Then download software like KeePass, which is free, and create a database there with all that information. The app is available for Android and other OS. You can pass the same file to your mobile and other electronics you own, e.g. pen drives, tablets, etc. You make only one database; it would be your little project, but it is worth doing. After that you just share that database with all your electronics. That way you always have a copy of the database in case you experience a criminal event.

 

Anyhow, after that burn the document. Use a strong password for your KeePass database and learn that one, and maybe your main email as well. Use for a password something you like and some numbers you like as well, e.g. "2008blueBMW". That method is not unbreakable but it gives a little trouble for a cracker, just a little; you're not really safe :man_in_love:

 

P.S. Of course a different password for each website.



#19 Infopowerbroker

Posted 11 July 2015 - 07:54 PM

So, the real question: Do you have a photocopy of your credit card (front and back) so you have the customer rep phone numbers in a file folder if your wallet is stolen?


#20 HordeLorde

HordeLorde

    Precisely

  • Former Member
  • 843 posts
  • Gender:Transsexual Female
  • Location:Covina, CA
  • Ruler Name:HordeLorde
  • Nation Name:Kamigawa
  • IRC Nick:HordeLorde
  • Nation Link

Posted 11 July 2015 - 08:36 PM

Damn it, I thought this was going to be a word game thread......



