Forcing Strong Passwords

  • It is shameful when sites only allow [a-z][A-Z][0-9]. I can understand them disallowing non-printable characters, but disallowing symbols is ridiculous. Length should also have a reasonable maximum, at least e.g. 128 characters (maybe more). I am not certain about enforcing a minimum strength, but at least have one of those bars that shows the strength of the password as an encouraging guide (the problem is a little like free speech - I may not like you saying what you say, but I want you to have the right to say it).

    Perhaps password setting pages should have links to advice on passwords and, maybe, links to reviews on password managers etc.

    The bottom line is that all sites should allow strong passwords and I believe that they should help educate those users who need it. I also accept that minimums could be applied but we shouldn't nanny users either. Similarly, in the financial world institutions must offer sound information but it is not their responsibility to enforce a fiscal policy on individuals.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • Password managers have their own dangers, they are NOT something you should recommend. One compromise of a user's system and EVERY SINGLE SITE they log into is compromised--and they won't even know it.

    Worse, if they regenerate their passwords for a site (thinking it was compromised) they're still hosed.

    We've already seen a couple of different password managers compromised in the past. Keychains are nothing more than juicy targets for hackers.

    Having said that, standard practice isn't a lot better. Complex passwords are basically an invitation for users to share them between sites or write them down--both of course not recommended, but what can we do?

    And don't mention biometrics either, BM (ha!) shares all the weaknesses of passwords AND if compromised can't be changed.

    The best compromise (and it still sucks from a convenience standpoint) is 2 factor ID, one of which is a one-time use "password".

    Again, let me stress, password managers are *DANGEROUS*.

  • As somebody mentioned the other day, this sums things up well.

    On two occasions I have been asked, "Pray, Mr. Babbage, if you put into the machine wrong figures, will the right answers come out?" ... I am not able rightly to apprehend the kind of confusion of ideas that could provoke such a question.
    -- Charles Babbage, Passages from the Life of a Philosopher

    How to post a question to get the most help http://www.sqlservercentral.com/articles/Best+Practices/61537

  • A bank I used to use limited passwords to 8 characters. Yes. You couldn't have a password longer than 8 characters on your online bank account. I wonder who thought up that lovely piece of security.

    I find it sad that I've got accounts on forums that require more secure passwords than ones that hold my real information. Not that I don't use secure passwords anyway - just that the nothing sites seem to care more about security.

    I use a password safe on my phone. It doesn't connect to anything. It warns me at the logon screen that if I forget my password they can't recover the database. This way I can access my passwords when needed and they're always with me.

  • I use a program on my iPhone called MSecure. It doesn't generate strong passwords, but it does give you a good place to store them (it's possible they have an add-in for generating strong passwords, I don't know). It is strongly encrypted and has a password to run the program. Switch away from the program and it locks itself again. Every five changes you make within its system, it prompts you to back it up by producing a file that you can email to yourself.

    In addition to storing passwords, I also store 'authentication' questions. When a system asks me for questions for password resets that theoretically can be answered through social media mining, I'll give an unrelated question. What model was my first car? Blue. What was my first grade teacher's name? Pinto. Things like that. It wouldn't be sensible for copying/pasting passwords in to sites except those on your phone or iPad, but it's a decent repository.

    I've been happy with it overall, I think it was one of the first programs that I paid money for on my phone. I had a similar program on my Palm Pilot that was quite useful, but that was a while ago.

    Personally, I have three strengths of passwords. They're all easy to remember, generally using permutations of a core word plus a prefix or suffix or both related to a site. I'm thinking about doing a numeric permutation based on the vowel/consonant pattern of the name of the site that I'm dealing with, something that I could reconstruct with a little bit of thought.

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • Marie, that bank wasn't in southern NM was it? 😛 I had the same experience with a bank where the password had to be 8-12 characters, but you could enter a longer one. It just wouldn't tell you, and then you could never log on again without an admin reset because the longer pwd fubar'd their authentication system.

    I dropped them toot sweet and haven't looked back. Seeing a system crash that showed their ODBC drivers connected to a Paradox backend didn't give me the warm fuzzies either.

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson
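
Taking the two complaints above together (Gaz's point that sites should accept symbols and long passwords up to a sane maximum such as 128 characters, and the 8-12 character bank that accepted a longer password and then could never verify it), here is an added Python example, not code from any poster or site in this thread, of a policy check that allows any printable character, refuses over-long input outright rather than truncating it, and feeds the whole password through the same KDF when setting and when verifying. The 12-character minimum, the PBKDF2 work factor and the `store` dictionary standing in for a user table are assumptions of this example.

```python
import hashlib
import os
import secrets
import unicodedata
from typing import Dict, List, Optional, Tuple

# Assumed policy values: the thread suggests a ceiling of at least 128;
# the 12-character floor and the PBKDF2 work factor are assumptions.
MIN_LENGTH = 12
MAX_LENGTH = 128
PBKDF2_ITERATIONS = 600_000


def validate_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means accepted.

    Every printable character is allowed, symbols and non-ASCII included.
    Only control/format characters (Unicode general category C*) and
    lengths outside [MIN_LENGTH, MAX_LENGTH] are rejected.  Over-long
    input is refused, never silently cut to fit.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    if any(unicodedata.category(c).startswith("C") for c in pw):
        problems.append("contains a control or non-printable character")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 over the NFKC-normalised UTF-8 form of the password.

    The whole password feeds the KDF, so a 128-character secret is not
    reduced to its first 8 bytes at either set or verify time.
    """
    if salt is None:
        salt = os.urandom(16)
    data = unicodedata.normalize("NFKC", pw).encode("utf-8")
    digest = hashlib.pbkdf2_hmac("sha256", data, salt, PBKDF2_ITERATIONS)
    return salt, digest


# `store` stands in for a user table: username -> (salt, digest).  Assumed.
def set_password(store: Dict[str, Tuple[bytes, bytes]], user: str, pw: str) -> bool:
    """Apply the policy, then store salt and digest.  Returns False if rejected."""
    if validate_password(pw):
        return False
    store[user] = hash_password(pw)
    return True


def verify_password(store: Dict[str, Tuple[bytes, bytes]], user: str, pw: str) -> bool:
    """Re-derive with the stored salt and compare in constant time.

    No policy check runs here: whatever was accepted at set time must
    verify, which is exactly what the 8-12 character bank got wrong.
    """
    if user not in store:
        return False
    salt, expected = store[user]
    _, digest = hash_password(pw, salt)
    return secrets.compare_digest(digest, expected)


if __name__ == "__main__":
    users: Dict[str, Tuple[bytes, bytes]] = {}
    long_pw = "correct horse battery staple! £€¥ " * 3   # constructed, 102 chars
    print(validate_password("Tr0ub4dor&3"))                # too short under this policy
    print(set_password(users, "marie", long_pw))           # True: symbols and length accepted
    print(verify_password(users, "marie", long_pw))        # True
    print(verify_password(users, "marie", long_pw[:8]))    # False: nothing was truncated
```

The design point is that the same function transforms the password on both paths, so a site cannot end up accepting a string at sign-up that it can no longer match at login. One known caveat when choosing the KDF: bcrypt silently stops reading input after 72 bytes, which reproduces the bank's failure mode for long passphrases; PBKDF2 and Argon2 consume the whole string.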

  • I suggest everyone use 2 factor ID for all critical sites, starting with email.

    Control email, and you can take over many sites lingering in all those old emails that have a simple-to-use "request a new password" process. And having it written down, and held in a secure site, is not as bad as it sounds. Really no different than storing your bank lock key.

    The more you are prepared, the less you need it.

  • I love mSecure. It was one of the first apps I paid for as well and has been worth every penny. Got jealous of my wife's newer iPhone since it takes advantage of the fingerprint reader instead of requiring me to type in my relatively convoluted password every time.

    A tiered password schema is something that I agree with as well. Having completely unique passwords is an extreme measure, and there are some websites or logins that just aren't important enough to justify having to go to the app to look up the password.

    As Kevin Mitnick points out, at the end of the day the biggest security threat is often the end user, not the complexity of their passwords. Most "hacks" don't come through brute force attacks. Not saying they don't happen, just that it's not the easiest threat vector in many cases. In fact, an argument can be made that requiring complex passwords or security measures like changing passwords every x days can actually make the social engineering hacker's job easier.

    Kris

  • Thanks for the info about the fingerprint ID being usable for Msecure, Kris. Just goes to show that it's never a bad thing to review settings when software gets upgraded. 😀

    One cautionary word about using fingerprints to unlock things. There have been court rulings about the ability to produce an item, such as a key or fingerprint, to unlock something versus forcing someone to produce a password or code from memory to unlock something. You can be legally compelled to produce a key to unlock a safe, or your finger to unlock your phone, but it's a lot tougher for you to be compelled to produce a password to unlock your device. You can be compelled, especially in the UK with prison waiting for you if you fail to comply, but it's much tougher in the USA.

    Myself, I use a code to unlock my phone, but my fingerprint for buying books and unlocking a couple of things.

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • I've been tempted to rely, 100%, on the "I forgot my password" links on more critical sites. They all send an email (and I have a very secure password) and after you click the link, just enter an enormous, ridiculous password and do it again every time you go to that site.

    Does anyone else do this?

  • thisisfutile (2/17/2016)
    I've been tempted to rely, 100%, on the "I forgot my password" links on more critical sites. They all send an email (and I have a very secure password) and after you click the link, just enter an enormous, ridiculous password and do it again every time you go to that site.

    Does anyone else do this?

    I do this for some places, but when I go to 2 factor, this is a problem and a pain.

  • .

  • thisisfutile (2/17/2016)
    I've been tempted to rely, 100%, on the "I forgot my password" links on more critical sites. They all send an email (and I have a very secure password) and after you click the link, just enter an enormous, ridiculous password and do it again every time you go to that site.

    Does anyone else do this?

    Constantly 🙂

  • My bank's website refuses to allow special characters in the password. Shameful if you ask me.

    Password managers to me are a false sense of security to a certain degree. If it is hacked they have everything about you and very well documented.

Viewing 15 posts - 1 through 15 (of 33 total)