After increasingly draconian rules like this, my company gave up and just randomly generates acceptable passwords that it lets us choose, so we're all stuck with Hjk51I9p
That's ridiculous.
The last one is interesting. So they keep a record of the hashes of all previous passwords?
Judging by the third point, they probably aren't hashing the passwords at all.
Phillip Landmeier I'm not allowed to use a password I used 15 years ago! It's amazing... they remember my passwords far better than I ever could. ;-)
I generate passwords and keep them in a safe / encrypted file. Done that for years.
A password with these requirements would be less safe in my case. I would just have to write it down because there is no way I would remember a password that complicated.
Patrik Hanson Indeed, a lot of people do. I see a lot of Post-Its with passwords on monitors, for example. The rest of us (probably about 5-10%, I expect) use encrypted password managers.
My most complex passwords are determined by a sequence of nearby keys on my keyboard, and they usually are not afraid of the above paranoia. The only little problem that poses for me is when I am travelling and have to use keyboards designed for other languages.
David Steinmuller You don't have to keep clear-text passwords to keep a history. If you salt them, you can take each of the previous ones and use the embedded salt to hash your current password. If the two strings match, it is the same password.
I set up an algorithm for passwords based on the periodic table. As long as I remember which element I'm on, I can simply run it through the algorithm in my head and recreate the password as needed. When I need to make a new one, I just move on to the next element. You can do the same thing for any set combination of words and numbers. I'd recommend keeping a favorite book with you and using the first or last word on a page and the page number. For the next password, just move to the next page.
For a while, some service was kicking passwords that had dictionary words in them, including those silly 2 and 3 letter words people only use when playing Scrabble. That was ridiculous.
David Butler I know you can do that. The third item, the short password max, is usually a sign that they are storing them in plain text. The database limits that usually cause those requirements could be handled through the hashing phase, unless they aren't hashing.
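The two points above, a password history kept as per-entry salted hashes and a stored digest whose size does not depend on the password length, as an added example that is not code from any commenter or product. PBKDF2-HMAC-SHA256 stands in for whatever hash the site uses; the work factor and the history depth are assumptions chosen to keep the demo fast.

```python
"""Password-history check without keeping plaintext.

Added example for this thread (not code from any commenter or product). Each
record stores its own random salt next to a PBKDF2-HMAC-SHA256 digest, so a
candidate password is checked by re-deriving it under every stored salt and
comparing digests in constant time. The work factor and history depth are
assumptions chosen to keep the demo fast; raise ITERATIONS in production.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import List

ITERATIONS = 20_000     # assumed PBKDF2 work factor (demo value, far too low for production)
HISTORY_DEPTH = 5       # assumed: how many retired passwords are remembered
SALT_BYTES = 16
DIGEST_BYTES = 32       # SHA-256 output; fixed regardless of password length


@dataclass(frozen=True)
class PasswordRecord:
    salt: bytes
    digest: bytes
    iterations: int


def derive(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch the password with the given salt; output is always DIGEST_BYTES long."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=DIGEST_BYTES)


def new_record(password: str) -> PasswordRecord:
    """Fresh random salt per record, so equal passwords never share a digest."""
    salt = os.urandom(SALT_BYTES)
    return PasswordRecord(salt, derive(password, salt), ITERATIONS)


def matches(record: PasswordRecord, candidate: str) -> bool:
    """Re-derive the candidate under the record's own salt and compare in constant time."""
    return hmac.compare_digest(
        record.digest, derive(candidate, record.salt, record.iterations))


class Account:
    def __init__(self, initial_password: str):
        self.current = new_record(initial_password)
        self.history: List[PasswordRecord] = []   # retired records, newest first

    def verify(self, candidate: str) -> bool:
        return matches(self.current, candidate)

    def reused(self, candidate: str) -> bool:
        """True if the candidate equals the current or any remembered password.

        Cost is one derivation per stored record, which is why the history
        depth should stay small when the work factor is high.
        """
        return any(matches(r, candidate) for r in [self.current, *self.history])

    def change_password(self, old: str, new: str) -> bool:
        """Rotate the password; refuse a wrong old password or a reused new one."""
        if not self.verify(old) or self.reused(new):
            return False
        self.history = [self.current, *self.history][:HISTORY_DEPTH]
        self.current = new_record(new)
        return True


if __name__ == "__main__":
    acct = Account("Hjk51I9p")
    print("change to a new password:", acct.change_password("Hjk51I9p", "a long nonsense sentence"))
    print("change back to the old one:", acct.change_password("a long nonsense sentence", "Hjk51I9p"))
    print("stored digest bytes for a 200-char password:", len(new_record("x" * 200).digest))
```

Every stored record is 16 bytes of salt plus 32 bytes of digest whatever the password length, so a column that is too narrow for long passwords is not a hashing constraint. Once the oldest entry falls off the end of the history list it can be chosen again; a longer history makes each change cost one more derivation.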
Slap 3 or 4 digits in the middle and increment.
How weak. I require 24 minimum.
And the blood of a virgin.
And ground unicorn horn.
Jodi Kaplan Sprinkle on your keyboard.
Password managers, preferably open source, where you can make a new 20+ character password for every service, are the only way. I personally use Pass (passwordstore.org), which uses gpg to encrypt.
Making up "systems" or writing down on paper are not good substitutes.
Instead of using a password that is only 8 random characters (and most hashes for <= 8 are already precomputed; they're known as rainbow tables) and hackable in less than a second, turn a nonsense sentence into your password. "Blueone2HeaRTsen$or!bUILTchest*"
That's easy for you to memorize within a minute and computationally impossible for even a high-end GPU CUDA array computer to break in months, even with deterministic pattern application.
As a digital forensics expert at a global web and data hosting company, I can empirically tell you that your 8-character password will definitely be hacked regardless of any assemblage of character sets should a bot randomly land on your username.
Mathematically, each additional character is 2^8 stronger. A 9-character password will take 2^8 as long to iterate through all character sets as an 8-character password.
Each year, consumer computers and graphics cards get considerably more powerful. Your 8-character password that security experts cautioned you about in the year 2000 is about as strong as toilet paper against a garden hose. The only thing that saves you is the random chance that malware lands on your account username, combined with time delays that some services employ between failed password attempts.
If a site's database of password hashes is stolen and they used common and weak MD5 salting and hashing, consider it a foregone conclusion that your account is instantly compromised. All possible MD5-hashed (non-salted) passwords for <= 8 characters are only 15G and both downloadable and easily looked up online. Malware does it automatically and has been doing it for decades.
When I do PCI/SOX/* vulnerability analysis and certification of clients, we will refuse to certify clients that have less than 12-character requirements. It's simply unacceptable to permit such weak passwords.
David Ford Yes, using a "sentence" as a password is pretty good... for a master password. The issue with using it normally is when you start to have multiple sentences... Then it starts to be difficult to remember them all.
I kind of like change-password processes that give feedback on how relatively strong your new password is as you create it.
The only thing that bothers me about this list is the limit of 24 characters.
Edward Morbius Same here. I switched to that method a few years ago because with so many services requiring passwords these days you need 150 different ones. So I was using about a half dozen strong passwords sprinkled across 150 services. I'm good at memorization, but jeez. That's dangerous, of course. So I solved it. The file is encrypted with "hard" encryption and the password is a long random sequence.
I had a bank that had even more draconian restrictions. I calculated that those restrictions (including a max password length of 8) reduced the available entropy to about 20 bits.
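The arithmetic behind the 8-versus-9-character comparison, the precomputed-table sizes and the "about 20 bits" bank estimate above, as an added example that is not code from any commenter. For a uniformly random password the strength is set by the alphabet size: each extra symbol from the 95 printable ASCII characters adds log2(95), about 6.57 bits, and eight such symbols give about 52.6 bits. The guess rates in the block are order-of-magnitude assumptions, and the table-size function counts a plain digest-per-password table; real rainbow tables trade computation for storage and are far smaller than that.

```python
"""Password search-space arithmetic.

Added example for this thread (not any commenter's code). It turns the claims
about 8-character passwords, extra characters, precomputed tables and a
~20-bit bank password into numbers you can check: bits of entropy for a
uniformly random password over an alphabet, guesses needed to exhaust all
passwords up to a length, the time at an assumed guess rate, and the storage a
full unsalted lookup table would need. The guess rates are assumptions.
"""
import math

PRINTABLE_ASCII = 95      # space through '~'
LOWERCASE = 26
DIGITS = 10
DICEWARE_WORDS = 7776     # words in a standard Diceware list

# Assumed single-GPU guess rates, order of magnitude only.
RATE_MD5_PER_S = 1e10     # fast unsalted hash
RATE_BCRYPT_PER_S = 1e4   # CPU-hard hash at a moderate cost setting


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of `length` symbols drawn uniformly from an alphabet of that size."""
    return length * math.log2(alphabet_size)


def bits_per_extra_symbol(alphabet_size: int) -> float:
    """Strength gained by appending one more uniformly random symbol."""
    return math.log2(alphabet_size)


def search_space(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Number of distinct passwords with min_len <= length <= max_len."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def exhaust_seconds(alphabet_size: int, max_len: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password up to max_len at the given rate."""
    return search_space(alphabet_size, max_len) / guesses_per_second


def table_bytes(alphabet_size: int, max_len: int, digest_bytes: int = 16) -> int:
    """Storage for one digest per password in a plain, uncompressed lookup table."""
    return search_space(alphabet_size, max_len) * digest_bytes


def human(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    for alphabet, length in ((PRINTABLE_ASCII, 8), (PRINTABLE_ASCII, 9),
                             (PRINTABLE_ASCII, 12), (DIGITS, 6), (DICEWARE_WORDS, 4)):
        print(f"{length} symbols from an alphabet of {alphabet}: "
              f"{entropy_bits(alphabet, length):.1f} bits")
    print("exhaust <=8 printable at MD5 speed:   ",
          human(exhaust_seconds(PRINTABLE_ASCII, 8, RATE_MD5_PER_S)))
    print("exhaust <=8 printable at bcrypt speed:",
          human(exhaust_seconds(PRINTABLE_ASCII, 8, RATE_BCRYPT_PER_S)))
    print("plain digest table for all <=8 printable:",
          f"{table_bytes(PRINTABLE_ASCII, 8) / 1e15:,.0f} PB")
```

Run it to see the two numbers that matter when a hash database leaks: the same 8-character space takes on the order of a week at an MD5-class guess rate but thousands of years at a bcrypt-class rate, so the site's choice of hash changes the picture as much as the user's choice of length. A six-digit PIN lands at just under 20 bits, and four random Diceware words land near 52 bits, the same as eight random printable characters.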
But we are past the point where memorizable passwords are useful - a single GPU can brute-force 8-character passwords in seconds (depending on the hash algorithm and of course having the hashes available). Everyone should use 2FA and let a password manager or even their browser remember the passwords.
John A. Tamplin The browser is not a good idea... they keep them in clear text. So either a manager or manually encrypting is the way. Pass is nice as it is like doing it manually but automates it. Which means the vector is really small and you have more control.
My point is the password is only a minor part of the security, and you basically assume a diligent attacker has it. 2FA can also be attacked (your phone lost or SMS intercepted), so the password's only value is to protect against that.
John A. Tamplin Yes, 2FA can be good and adds extra security... it is a bit cumbersome though. No matter what, the passwords should always be encrypted.
U2F hardware keys are cheap and incredibly easy to use - far easier than typing a password, for example. Mobile browsers could (but don't currently) emulate U2F using the secure enclave. I even got my mom to set up 2FA using a $5 key from Amazon.
John A. Tamplin I was thinking of that. To gain the extra security you need to plug/unplug the device and/or use a PIN on the device. You also need to carry it with you, and not all support mobile.
Phillip Landmeier On HN a few weeks back, someone replying to me mentioned 770 user/pass pairs they had. That raises other issues.