Tired and cross

Perhaps I'm just in need of sleep, having been in work since 8 o'clock yesterday morning, but just what the f*ck is the point of a computer security policy that refuses to let you log on until you change your password - a password so esoteric that nobody could possibly guess it - and then refuses to allow you to choose any easily-remembered variation of said password, so that you have to come up with something completely different and then write the sodding thing down so you don't forget it. What kind of cretin came up with that?!

Aghh!!!

...and then have to write it down on a post, which is then stuck to your monitor?

Yeah, it's great security huh.

Many many years ago, I worked in i.t. installing computers and networks in schools. One of the first lessons I learned was that practically every teachers machine had the password taped to the bottom of the keyboard

Easy way to make up a secure password and have it very strong at the same time?

Length is everything.

Think of 3 or 4 unrelated words. Such as

Battery Foggy Arc Chemistry

Make a little story in your head about them

" exploding Battery makes lovely Foggy arc's. wow chemistry! "

Depending on your password policy, make some letters a capital, stick your favourite number and punctuation mark in there some where and voila, a remember-able and very secure password.

Example for above

(password checkers are not completely accurate, but good for a educated guess at strength)

https://www.my1login.com/resources/password-strength-test/

I don’t think they ever take into account how unsafe it is to make people use complicated or frequently changing passwords because you write them down and generally leave them next to the computer.

I used to have to use 5 different systems, all passwords had to be changed every 6 weeks and you couldn’t use any password the same as the last 5.

I lost count how many times I sat down to use a computer and would find someone’s list of passwords.

Once I was on my hols in another country and something occurred that required the info I’d been emailed by a GP so had to give my boss my password over the phone. I’d been very frustrated trying to get the ailing system to update the password so it contained (amongst other words letters symbols) Ihatethesewankypasswords.

She was old school and did not laugh, just muttered something about conduct unbecoming

My passwords are always bike related, with a note to remember.

For example.

"fav bike, no rr or f %" For me means: HondaCBR600%

Obviously I have some constant rules on how I write it which I won't share. But constant rules, easy description, no one can guess based on the note on your computer!

on an old email account, no longer in use, my p/w was geezthatfartstinks, as i had let one rip when creating the account, always remembered it for some strange reason,

You can get an app called 'awallet' that stores all your passwords and you just have to remember a 4 digit pin.

on an old email account, no longer in use, my p/w was geezthatfartstinks, as i had let one rip when creating the account, always remembered it for some strange reason,

Hmmm.. Mine could be 'Wetherspoon fart' don't ask

I have an encrypted USB stick for work, that is terrible it changes every month and don't let you pick a password instead it will make up its own 12 character random password and tells you to memorise it

I keep it plugged into a powered hub now and just swap that between work and home systems as needed, all the time hub stays powered the drive won't lock

Perhaps I'm just in need of sleep, having been in work since 8 o'clock yesterday morning, but just what the f*ck is the point of a computer security policy that refuses to let you log on until you change your password - a password so esoteric that nobody could possibly guess it - and then refuses to allow you to choose any easily-remembered variation of said password, so that you have to come up with something completely different and then write the sodding thing down so you don't forget it. What kind of cretin came up with that?!

Aghh!!!

Do you work for NASA?

https://xkcd.com/936/

That is fascinating! Basically 3 or 4 unrelated words spelled nor alley like "bicycle spits mad fire" is thousands of times more secure than P4s5w0rd@

A few months ago our IT department decided to change all the passwords and are now obviously using random words connected with a few numbers and symbols included. Nobody can remember them so each PC on the network has a dymotaped password attached to the screen. Bear in mind that this is on a ship with a total of 24 people on board usually in the middle of sodding nowhere.

I hate the fecking computer generated passwords how the feck do they expect you to remember (av?;:#543aqrf1), I have a couple of remote logins and I can guarantee the first thing I'm going to click on is forgotten password

https://xkcd.com/936/

 

That is fascinating! Basically 3 or 4 unrelated words spelled nor alley like "bicycle spits mad fire" is thousands of times more secure than P4s5w0rd@

Simple mathematics... Most common password attacks are dictionary and brute force.

Dictionary is as it says an automated system will try all the words in dictionary (and some other combinations), until it gets a match hence any dictionary word is as weak as you can get even a ridiculously long one.

Brute force is trying a-z,0-9, all the special characters one by one, using letters alone ever letter extra is 26 times more combinations. So just by being 9 characters longer difficulty is going up exponentially. Add a capital letter randomly and that is 52 times more combinations per character, numbers make it 62 times a character etc...

Also dictionary attacks tend to adapt though, when capitals and numbers became the norm dictionary lists expanded to capitalise first letter and to add a single number at the end as most people who used 'password' just changed to 'Password1' so wouldn't be surprised if they adapted to trying 3/4 different words together as despite dictionary going up it would still be much faster than brute force.

Simplest answer to that is throw in numbers and special characters inbetween, don't capitalise first letter and misspell the odd word e.g. motabike#spitS&firre

https://xkcd.com/936/

 

That is fascinating! Basically 3 or 4 unrelated words spelled nor alley like "bicycle spits mad fire" is thousands of times more secure than P4s5w0rd@

 

Simple mathematics... Most common password attacks are dictionary and brute force.

Dictionary is as it says an automated system will try all the words in dictionary (and some other combinations), until it gets a match hence any dictionary word is as weak as you can get even a ridiculously long one.

Brute force is trying a-z,0-9, all the special characters one by one, using letters alone ever letter extra is 26 times more combinations. So just by being 9 characters longer difficulty is going up exponentially. Add a capital letter randomly and that is 52 times more combinations per character, numbers make it 62 times a character etc...

Also dictionary attacks tend to adapt though, when capitals and numbers became the norm dictionary lists expanded to capitalise first letter and to add a single number at the end as most people who used 'password' just changed to 'Password1' so wouldn't be surprised if they adapted to trying 3/4 different words together as despite dictionary going up it would still be much faster than brute force.

Simplest answer to that is throw in numbers and special characters inbetween, don't capitalise first letter and misspell the odd word e.g. motabike#spitS&firre

Kaspersky reckons 233 centuries to brute force the above. Secure enough for my tmbf login I reckon

If you have a lot of passwords, I do recommend a password manager. Many are available, personally I use lastpass for personal things.

Means I only need to remember a couple of secure passwords rather than hundreds

A lot of work places are now rethinking their password policy. Guidance from the NCSA is to reduce complexity (numbers, symbols) and drastically increase length. With longer, more memorable passwords there is little need to change them regularly as people won't need to write them down.

Even better, I usually use custom login emails for each service I use. This does require you to have a domain registered to you. But it means

A) If a company sells my details and I start getting spam I know they were responsible (although you can guarantee they'll go for the monkey with a typewriter defence)

B) if a company is crap enough to both not encrypt the passwords in their database and also to let some miscreants in you can guarantee it won't compromise my login for other services, as both my username and password is unique

Even better, I usually use custom login emails for each service I use. This does require you to have a domain registered to you. But it means

A) If a company sells my details and I start getting spam I know they were responsible (although you can guarantee they'll go for the monkey with a typewriter defence)

B) if a company is crap enough to both not encrypt the passwords in their database and also to let some miscreants in you can guarantee it won't compromise my login for other services, as both my username and password is unique

Ooh I understood.... some of that

That is fascinating! Basically 3 or 4 unrelated words spelled nor alley like "bicycle spits mad fire" is thousands of times more secure than P4s5w0rd@

 

Simple mathematics... Most common password attacks are dictionary and brute force.

Dictionary is as it says an automated system will try all the words in dictionary (and some other combinations), until it gets a match hence any dictionary word is as weak as you can get even a ridiculously long one.

Brute force is trying a-z,0-9, all the special characters one by one, using letters alone ever letter extra is 26 times more combinations. So just by being 9 characters longer difficulty is going up exponentially. Add a capital letter randomly and that is 52 times more combinations per character, numbers make it 62 times a character etc...

Also dictionary attacks tend to adapt though, when capitals and numbers became the norm dictionary lists expanded to capitalise first letter and to add a single number at the end as most people who used 'password' just changed to 'Password1' so wouldn't be surprised if they adapted to trying 3/4 different words together as despite dictionary going up it would still be much faster than brute force.

Simplest answer to that is throw in numbers and special characters inbetween, don't capitalise first letter and misspell the odd word e.g. motabike#spitS&firre

 

Kaspersky reckons 233 centuries to brute force the above. Secure enough for my tmbf login I reckon

But way before then quantum computing will be invented, and the password will be cracked a few seconds later

Personally don't think password policies etc... work, forcing users to make secure passwords just ends up with them being written down.

Two factor authentication is much more secure than any passwords will ever be, very easy to implement and a lot of software options available now removing necessity of the old hardware tokens.

One such site I host users can use a 'insecure' password but when account is created a QR code is scanned by user using Google authenticator (or similar), this then produces a random 6 number code that is changed every minute. To login user has to add this number onto the end of their password. No need for them to write password down and if phone was ever lost the 6 digits on their own are useless.

Speaking of passwords, I finally got home yesterday afternoon to find that my TV and internet, which went down two days earlier, still weren't working. I put in a call to Virgin Media, and after going through the normal rigmarole of confirming that my router and TV were actually plugged in a turned on and that I was generally conversant with living in the 21st century I finally got them to understand that my service - rather like one of Sir Richard's ill-fated balloons - had crashed catastrophically.

After I explained that their service status page was saying that there were no known faults on the line I was told not to take any notice of that, and that not only was there a known fault on the line but that it was going to take six days to repair. I wasn't pleased to say the least, but to placate me the customer service lady helpfully suggested that to avoid having to go through security checks each time I phoned for an update I should set a customer service password. Being pretty hopeless at coming up on the spot with passwords that I'm likely to remember five minutes later I dithered for a bit before she said "How about a favourite animal?" I duly obliged with one that I thought fitted the bill perfectly: Bearded Tit.

Kaspersky reckons 233 centuries to brute force the above. Secure enough for my tmbf login I reckon

*tries ar5esPank3r, gains access*

Even better, I usually use custom login emails for each service I use. This does require you to have a domain registered to you. But it means

A) If a company sells my details and I start getting spam I know they were responsible (although you can guarantee they'll go for the monkey with a typewriter defence)

B) if a company is crap enough to both not encrypt the passwords in their database and also to let some miscreants in you can guarantee it won't compromise my login for other services, as both my username and password is unique

Use Gmail. Gmail lets you create unique emails by simply inserting a + and some words just before the @ symbol.

So if your address was [email protected] you could create [email protected] and [email protected] etc.

Then use filters to filter your mails.

I do this all the time with websites as it means both the email and the password are unique.

The danger of using your own domain is that if you ever decide you no longer need the domain and let it lapse, whoever registers it next has access to your email so make sure you change your email everywhere you use it before letting the domain lapse.

When I buy aged domains I always setup a catchall email to see what email come in from the previous owners.. taken over some good twitter accounts by doing this in the past too.