snopes.com  

#21
21 January 2014, 10:51 PM
ganzfeld
Join Date: 05 September 2005
Location: Kyoto, Japan
Posts: 23,599

Quote:
Originally Posted by GenYus234 View Post
Why not give people the option of not hiding their password behind asterisks when setting it? It seems that very few hacks come about due to shoulder surfing anymore (if they were ever that common).
Sounds OK to me. I often turn that on when it's available.
Quote:
Or, provide 4 password entry fields and 4 confirm password entry fields.
Not sure about this one.

Here's an idea (that some security experts have also endorsed): Tell people to write them down and keep them in a safe place. Even better: Tell them how to write them safely and keep them safely. At the very least we should stop giving the bad advice "never write them down!"
#22
21 January 2014, 11:24 PM
me, no really
Join Date: 02 June 2005
Location: Brisbane, Australia
Posts: 2,546

And stop already with the "we have 4 systems here, and you need a different login and password for each one to ensure security". That just guarantees that people will write them all on post-it notes beside the computer. My employer is better now, but in the past we had several systems that were off-the-shelf systems or close to it. The password rules were incompatible enough that it was pretty much impossible to have the same password for each (one had an 8-character-only box, one required more than 8 characters, that sort of thing). That becomes hard to remember, especially if you have to change them all regularly and you have just come back from a holiday, or even a weekend sometimes.

#23
21 January 2014, 11:35 PM
ganzfeld
Join Date: 05 September 2005
Location: Kyoto, Japan
Posts: 23,599

Yeah, that's a tough one. A lot of exploits do rely on the fact that people reuse passwords. There is a pretty good compromise, I think, in reusing a basic pattern in a secure way, which is easy to do but takes practice so it's done in a way that's not easy for the bad guys to crack.

People will always find a way to mess things up. The lesson, I think, is that people's habits aren't going to get more secure by giving them some simple (and, as it turns out, stupidly designed) rules. It takes practice, like driving a car or climbing a mountain.

#24
21 January 2014, 11:36 PM
Singing in the Drizzle
Join Date: 24 November 2005
Location: Bellingham, WA
Posts: 4,745

Quote:
Originally Posted by Gayle View Post
My system at work requires at least one capital, one of a restricted number of symbols, one numeral, and no words of any kind including do, to, be, it, ar, etc. If you can pronounce it, it is rejected. This password must be reset every two months and cannot be reused for two years.
Who comes up with these things? Every IT security person I have run into says something like this is just asking for a person to write it down. Having written passwords lying around is just as bad or worse than an easy-to-crack one. In my past experience these types of password criteria come from somewhere way up the chain of command, from someone that does not know much about computer security.

The 30 min lockout after 3 failed attempts will stop any brute-force attacks and also should raise alarm bells even for simple passwords. Then the biggest risk is being able to guess a person's password, or the person giving it out, or installing malware with a key logger. The latter two are the most common ways to crack security.

#25
22 January 2014, 05:50 AM
Dasla
Join Date: 15 April 2010
Location: Brisbane, Australia
Posts: 3,648

Oh God, passwords... passwords. One of the things that really stresses me the most with my memory disability is passwords. I have one for online banking, one for Snopes, one for social security, my own one at work, one I share with two other people at work, and that is just the ones I use regularly.

I HAVE to write at least some of them down. I just can't do it otherwise. I usually do it in a way that doesn't link them to what they are. If I didn't write them down and had to follow some of the other restrictions on them (no dictionary words, random numbers and capitals) I just couldn't cope.

The only one that I am really concerned about is my online banking. I mean, if someone breaks my code and posts false information at Social Security*, it would be upsetting but not the end of the world. The rest? Well, different levels of problem, but meh?

*I receive a disability pension but have to go on fortnightly to enter my income and answer a few details before I receive it.

#26
22 January 2014, 06:18 AM
ganzfeld
Join Date: 05 September 2005
Location: Kyoto, Japan
Posts: 23,599

No one should feel bad about writing passwords down and keeping them where we keep other safe valuables - such as in our wallets:
https://www.schneier.com/blog/archiv...down_your.html
No one should feel bad about not being able to remember a password because passwords shouldn't be so easy that they can be easily memorized. Other than good old fashioned paper, there are lots of good tools out there to help.
#27
22 January 2014, 07:51 AM
Richard W
Join Date: 19 February 2000
Location: High Wycombe, UK
Posts: 26,192

Quote:
Originally Posted by Singing in the Drizzle View Post
In my past experience these types of password criteria come from somewhere way up the chain of command, from someone that does not know much about computer security.
One set of similar guidelines comes from the Payment Card Industry Data Security Standards (PCI DSS), which every business that uses payment card information is supposed to follow. The standards that you have to be audited against would rule out the kind of passwords that xkcd likes. They do update the standards regularly though, and having seen a draft of the next set I think they've added more flexibility around what they consider a "secure password".

Ironically, the banks often seem to have worse security than these standards would allow for - apparently they only apply to other people. As I said, my own bank actively prevents you from choosing a password that would meet the recommended standard, because you're not allowed to use a wide enough variety of characters.

(I'm not personally as convinced by xkcd's argument as all that - partly for the reason ganzfeld gives; people aren't in practice going to be choosing randomly from all possible English words. You'd probably be able to get down to a set of 300 or so that would cover almost everybody's, and if you're choosing only 4 words out of 300 with some combinations that commonly go together, then the number of tries needed to guess most of the passwords is much smaller than he claims).
#28
03 February 2014, 04:10 AM
Johnny Slick
Join Date: 13 February 2003
Location: Phoenix, AZ
Posts: 11,628

Even if the number of passwords is smaller, just the action of having 4 words strung together, random or no, is going to be pretty damn hard, and on top of that any security company worth their salt needs to be safeguarding against one computer or location trying the kind of brute force attack that that kind of thing seeks to prevent.

One thing that can be done (which, in fairness, I still haven't tried but which I am sure works) is to memorize not a password but an algorithm. For example, memorize something like "my password is letters 1, 3, capital 2, and 8 of a word, the number of vowels it has in it, letter 5, the 2-digit month I entered in, the at sign, and letter 7." That's a lot to remember but the thing about repetition is that you'll get it down eventually.

Then, stick a word to your computer. Oh, your IT department will probably hate you for doing it, because they'll think that your posting "lavender" actually means that your password is "lavender". You can truthfully tell them that it's not and even offer to let them try to put it in. Trust me, they will never guess lvAr3n02@e, not in a million years. Hell, you could even put up multiple post-its along with whatever passcode they adhere to. And, of course, after a week or so you can probably take the post-it down because you've memorized the new password anyway. Just don't ever, ever write down the algorithm.
#29
03 February 2014, 04:15 AM
ganzfeld
Join Date: 05 September 2005
Location: Kyoto, Japan
Posts: 23,599

Nice to see you again, Johnny S!
#30
03 February 2014, 02:03 PM
Johnny Slick
Join Date: 13 February 2003
Location: Phoenix, AZ
Posts: 11,628

Nice to be here! I'm kind of glad I never Rule 6ed myself...
#31
03 February 2014, 03:21 PM
Singing in the Drizzle
Join Date: 24 November 2005
Location: Bellingham, WA
Posts: 4,745

I have had my password cracked a couple of times on different accounts over the years. This has always been a 10-character password with upper and lower case letters, numbers and symbols when they are allowed, plus I do not use words found in a dictionary. Since I never give out (not even to my wife) or write down the passwords, they are being found out by some other method than a guess or me giving it to them. Interestingly enough, my standard 6-letter lower-case word that I have used as a password for years on accounts that I do not care about if they are cracked has never been cracked.

In my opinion the security breach with my accounts has always been at the company end, not mine.
#32
03 February 2014, 10:29 PM
ganzfeld
Join Date: 05 September 2005
Location: Kyoto, Japan
Posts: 23,599

It's quite possible it's been on the other end. We know that lots of companies have flawed hashing and storing of passwords (if they do any hashing at all and apparently some don't). However, if you've had malware on your machine it's not unusual for it to employ keystroke loggers or even more tricky methods to get passwords.
#33
04 February 2014, 12:42 AM
Singing in the Drizzle
Join Date: 24 November 2005
Location: Bellingham, WA
Posts: 4,745
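To make "flawed hashing and storing of passwords" concrete, here is an added example (editorial code, not from anyone in the thread) contrasting the weak pattern, an unsalted fast hash that any dump holder can match against a wordlist, with a salted, iterated KDF where the same password stored twice produces different records and verification is done in constant time. The storage format (`pbkdf2_sha256$iterations$salt$hash`) and the iteration count are my own choices for the example; the wordlist and password are constructed.

```python
import hashlib
import hmac
import os

# Iteration count for the example. Production deployments should use a
# current recommended figure (or a memory-hard KDF such as scrypt/argon2);
# this value is kept modest so the example runs quickly.
PBKDF2_ITERATIONS = 200_000


# --- The flawed way: one fast, unsalted hash per password -------------------

def weak_store(password: str) -> str:
    """Store SHA-256(password). Identical passwords give identical hashes,
    so one precomputed table cracks every user who chose the same word."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_weak(stored: str, wordlist) -> "str | None":
    """What an attacker with the dump does: hash each candidate and compare.
    No salt, so nothing per-user slows this down or prevents precomputation."""
    for candidate in wordlist:
        if weak_store(candidate) == stored:
            return candidate
    return None


# --- The sound way: per-record random salt + slow, iterated KDF -------------

def strong_store(password: str, salt: bytes = None) -> str:
    """Derive a PBKDF2-HMAC-SHA256 key from the password under a fresh
    16-byte salt and return a self-describing record string."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_strong(password: str, record: str) -> bool:
    """Recompute the KDF with the salt and iteration count taken from the
    record, then compare in constant time to avoid a timing side channel."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample: a leaked unsalted hash and a tiny attacker wordlist.
    leaked = weak_store("lavender")
    print("weak hash cracked as:", crack_weak(leaked, ["password", "123456", "lavender"]))

    rec1 = strong_store("lavender")
    rec2 = strong_store("lavender")
    print("same password, different records:", rec1 != rec2)
    print("verify correct password:", verify_strong("lavender", rec1))
    print("verify wrong password:  ", verify_strong("Lavender", rec1))
```

The point of the salt is not secrecy (it is stored in the clear next to the hash) but uniqueness: it forces an attacker to attack each record separately instead of once for the whole dump, and the iteration count makes each of those attempts expensive.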

I have ZoneAlarm running at all times and have tightened security down on it. I do think a key logger has gotten past it. I have caught a couple in the past, but that does not mean I missed one. Also, when anything looks strange on my accounts I change all the passwords except the ones with the generic password that I use. Things like login dates not agreeing with my last login.
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2018, vBulletin Solutions, Inc.