The new password craze...

Page 2 - AnandTech community forums
May 16, 2000
13,522
0
0

I could certainly use something like that, especially something without an online requirement. But that just encourages the kind of behavior I'm pointing out as negative.

I'll probably just stick with my impotent protest and let the rest of the world run off and be stupid together while I shout at everyone to get off my lawn.
 

Red Squirrel

No Lifer
May 24, 2003
70,565
13,802
126
www.anyf.ca
I used to use a program called "Pins" but it's Windows only. I ended up writing my own web-based one that runs off my home server. It's rather primitive, and the password to access it is the encryption key, so I can't change that password without re-encrypting all the passwords, but it works.
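The limitation Red Squirrel describes (master password used directly as the encryption key, so a password change means re-encrypting every entry) is usually solved with key wrapping: entries are encrypted under a random data key, and the master password only wraps that data key. The following is an added example, not Red Squirrel's code; it uses only the Python standard library, so the entry cipher is an HMAC-SHA256 counter-mode keystream with a separate HMAC tag (a real vault would use AES-GCM or similar from a proper crypto library), and the PBKDF2 iteration count is an assumption for the demo.

```python
import hashlib
import hmac
import os

KDF_ITERATIONS = 100_000  # assumed demo value; tune upward for real use


def derive_kek(master_password: str, salt: bytes) -> bytes:
    """Key-encryption key from the master password (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS)


def _subkeys(key: bytes):
    """Separate encryption and MAC keys so one key is never used for both."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib-only stand-in for a real cipher)."""
    out = bytearray()
    for counter in range(-(-length // 32)):  # ceil(length / 32) blocks
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc, mac = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc, nonce, len(plaintext))))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a wrong key fails here, not with garbage output."""
    enc, mac = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc, nonce, len(ct))))


class Vault:
    """Entries live under a random data key; the master password only wraps that key,
    so a password change re-wraps 32 bytes instead of re-encrypting every entry."""

    def __init__(self, master_password: str):
        self.entries = {}          # name -> sealed secret under the data key
        self.salt = b""
        self.wrapped_key = b""
        self._wrap(master_password, os.urandom(32))

    def _wrap(self, master_password: str, data_key: bytes) -> None:
        self.salt = os.urandom(16)  # fresh salt on every (re)wrap
        self.wrapped_key = seal(derive_kek(master_password, self.salt), data_key)

    def _unlock(self, master_password: str) -> bytes:
        return open_sealed(derive_kek(master_password, self.salt), self.wrapped_key)

    def check(self, master_password: str) -> bool:
        try:
            self._unlock(master_password)
            return True
        except ValueError:
            return False

    def put(self, master_password: str, name: str, secret: str) -> None:
        self.entries[name] = seal(self._unlock(master_password), secret.encode())

    def get(self, master_password: str, name: str) -> str:
        return open_sealed(self._unlock(master_password), self.entries[name]).decode()

    def change_master_password(self, old: str, new: str) -> None:
        self._wrap(new, self._unlock(old))  # entries are not touched


if __name__ == "__main__":
    v = Vault("old pass")
    v.put("old pass", "mail", "hunter2")   # constructed sample entry
    v.change_master_password("old pass", "new pass")
    print(v.get("new pass", "mail"), v.check("old pass"))
```

After `change_master_password` the ciphertext of every entry is byte-for-byte the same as before; only `salt` and `wrapped_key` change, and the old password no longer unlocks anything.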
 

Scooby Doo

Golden Member
Sep 1, 2006
1,034
18
81
[image: password_strength.png]

Word dictionary attack should make that one easy.
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
Word dictionary attack should make that one easy.

Sure if you are just using a single language and they know the pattern.

It's a lot more to guess just the words in my password. Did I use spaces? Did I punctuate? Are all my words from the same language?

Consider the password: "Ippon wins da match!"
 

_Rick_

Diamond Member
Apr 20, 2012
3,980
74
91
Worse than all that is the security question paradigm. 99% of those are either impossible to remember or easily found out with a Google search by anyone, and the rest take only the simplest of social engineering to break.

My old workplace switched from two-factor auth/login/everything with a 4-digit code to password-with-question-to-change for login and two-factor for the hard drive encryption - where the token doesn't always come back after going to standby.

Of course, in the former case, if you ever needed your actual password, you were screwed, because you never used it, and thus it was easily forgotten - it helped that it had to be changed every so often.

Gah. Simple is better, when it comes to security, because then at least everyone adheres to it....
 

Scarpozzi

Lifer
Jun 13, 2000
26,391
1,780
126
I change a bunch of passwords monthly at work. I didn't enforce personal accounts on the systems because the only way you can log in is by being on the intranet anyhow (unless you spoof your IP somehow). I was just trying to make it easier on the people who use the system.

Since I have the system locked down physically, it didn't make much sense to expire passwords, but alas....auditors always tell you how to do it better. What's funny is how password complexity and age are such big security goals when the biggest risk is the end user and lacking network/system firewall security. Intruder lockout and HIDS/LIDS with active response go a long way.
 

sdifox

No Lifer
Sep 30, 2005
100,238
17,895
126
Soon we shall all submit to instant DNA tests, and people will be sneaking up on you and cutting your hair to steal your DNA.
 

sportage

Lifer
Feb 1, 2008
11,492
3,163
136
I agree with the op.
There are some IT people that are totally anal when it comes to password security.
I have one financial site that requires a password change weekly.
Now THAT is just anal.
 

lxskllr

No Lifer
Nov 30, 2004
60,031
10,523
126
The ironic thing is that it's only trivial things that make me have ridiculous passwords; my online banking password is a 5-character numeric code.

I'm not against encouraging long passwords for seemingly trivial pursuits. Sometimes accounts aren't as trivial as they first seem. What bothers me is password restrictions. Some sites can't be too long, other sites can't be too small. Some require special characters, while others forbid them... There should be a reasonable length limit; around 30 characters, and no character restrictions. Put a strength meter next to the password selection box, and call it a day.
 

sdifox

No Lifer
Sep 30, 2005
100,238
17,895
126
I agree with the op.
There are some IT people that are totally anal when it comes to password security.
I have one financial site that requires a password change weekly.
Now THAT is just anal.

IT doesn't decide that... Management does.
 

Sho'Nuff

Diamond Member
Jul 12, 2007
6,211
121
106
This is why secure and accurate biometric authentication is needed. Very hard to hack (provided the templates are secure), and is based on user friendly 1 factor authentication.

Note that I am not talking about the fiasco that is the fingerprint scanner on the iphone 5s, which was apparently hacked in just a few days.
 

rudeguy

Lifer
Dec 27, 2001
47,351
14
61
Complex passwords lead to password files or handwritten passwords.

Don't believe me? Hack my Google Docs or my Outlook.
 

el-Capitan

Senior member
Apr 24, 2012
572
2
81
What I use. Very easy to memorize; works for 90+% of websites.

1. take two random words, e.g. Anarchist and Workshop
2. take whatever follows after the www at the website that you need the pw for, e.g. anandtech.com
3. with these three words, decide to start at the first, second, fourth... position, and take the following four letters. For our example we choose to start from the third letter. This gives us:
arch
rksh
andt
4. add a symbol and two numbers. E.g. & and my birth month, 11
5. add all above together and capitalize the first letter. This gives
Archrkshandt&11

Note that the only variable is andt here. For citibank.com this'd be tiba, for blogspot ogsp. for a short website you can roll into the .com, .net or start from the beginning of the domain name.

Haven't logged into Origin since you played DA 3 years ago? Forgot your pw? No prob. It'll be the fragments of your two words + igin + &11.

Sorry, if I'm unclear. It's early in the morning.
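The derivation el-Capitan describes, written out as an added example (not el-Capitan's code), including the rule that a short domain rolls into its TLD. The example also counts how many characters two site passwords differ in: because the site fragment is computed from the public domain name, the 11 characters shared between sites are the only secret, which is the risk a defender would flag with this scheme.

```python
def letters_only(text: str) -> str:
    """Keep only letters, lower-cased, so dots never count as positions."""
    return "".join(ch for ch in text.lower() if ch.isalpha())


def fragment(text: str, start: int = 2, width: int = 4) -> str:
    """Four letters starting at 'start' (0-based; 2 = the third letter).
    For a short domain such as origin.com the slice rolls into the TLD,
    because letters_only() has already removed the dot."""
    return letters_only(text)[start:start + width]


def site_password(word1: str, word2: str, site: str,
                  symbol: str = "&", number: str = "11", start: int = 2) -> str:
    """Scheme from the post: word fragment + word fragment + site fragment
    + symbol + number, first letter capitalized."""
    host = site.lower()
    if host.startswith("www."):
        host = host[4:]  # "take whatever follows after the www"
    pw = fragment(word1, start) + fragment(word2, start) + fragment(host, start) + symbol + number
    return pw[0].upper() + pw[1:]


def differing_positions(a: str, b: str) -> int:
    """Character positions in which two site passwords differ.
    With this scheme that is at most the four-letter site fragment."""
    return sum(x != y for x, y in zip(a, b)) + abs(len(a) - len(b))


if __name__ == "__main__":
    # Constructed sample inputs: the two words from the post and three sites.
    words = ("Anarchist", "Workshop")
    for site in ("anandtech.com", "www.citibank.com", "blogspot.com", "origin.com"):
        print(site, "->", site_password(*words, site))
    a = site_password(*words, "anandtech.com")
    c = site_password(*words, "citibank.com")
    print("positions that differ between two sites:", differing_positions(a, c))
```

Running it reproduces the post's `Archrkshandt&11`, `tiba` and `ogsp` fragments and shows that any two of these passwords differ in only 4 of 15 characters.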
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Complex passwords lead to password files or handwritten passwords.

Don't believe me? Hack my Google Docs or my Outlook.

Why wouldn't you use a password manager with plugins for browsers? I mean lastpass is great. But if you don't want it stored online, look at keepass or 1password.

Additionally, all those tools can generate a complex password of any length with the click of a button.
 

rudeguy

Lifer
Dec 27, 2001
47,351
14
61
Why wouldn't you use a password manager with plugins for browsers? I mean lastpass is great. But if you don't want it stored online, look at keepass or 1password.

Additionally, all those tools can generate a complex password of any length with the click of a button.

Chrome remembers website passwords for me.

Does lastpass do anything besides websites?
 

Hayabusa Rider

Admin Emeritus & Elite Member
Jan 26, 2000
50,879
4,268
126
This is merely a symptom of an increasingly dysfunctional upper management which substitutes what it thinks for what others know. We just had the worst "upgrade" ever and it has "clueless wonder" all over it.
 

Codewiz

Diamond Member
Jan 23, 2002
5,758
0
76
Chrome remembers website passwords for me.

Does lastpass do anything besides websites?

Lastpass can create secure notes. Attach documents. Pretty much everything you could want when it comes to passwords or things of that nature. You can set up profiles for filling in webforms. I rarely ever type in information on registration forms anymore.

I store all my software registration/licenses in lastpass.

You should not allow Chrome to store your passwords:
http://www.wired.com/threatlevel/2013/08/chrome-password-manager/
 

rh71

No Lifer
Aug 28, 2001
52,844
1,049
126
Using full sentences, including spaces, even as short as 3 words is fine in all aspects.
 

lxskllr

No Lifer
Nov 30, 2004
60,031
10,523
126
Using full sentences, including spaces, even as short as 3 words is fine in all aspects.

Young joined forces with fellow security researcher Josh Dustin, and the cracking duo quickly settled on trying longer strings of words found online. They started small. They took a single article from USA Today, isolated select phrases, and inputted them into their password crackers. Within a few weeks, they expanded their sources to include the entire contents of Wikipedia and the first 15,000 works of Project Gutenberg, which bills itself as the largest single collection of free electronic books. Almost immediately, hashes from Stratfor and other leaks that remained uncracked for months fell. One such password was "crotalus atrox." That's the scientific name for the western diamondback rattlesnake, and it ended up in their word list courtesy of this Wikipedia article. The success was something of an epiphany for Young and Dustin.

"Rather than try a brute force that makes sense to a computer but not to people, let's use human beings because people typically make these long passwords based on things that humans use," Dustin remembered thinking. "I basically utilized the person who wrote the article on Wikipedia to put words together for us."

Almost immediately, a flood of once-stubborn passwords revealed themselves. They included: "Am i ever gonna see your face again?" (36 characters), "in the beginning was the word" (29 characters), "from genesis to revelations" (26), "I cant remember anything" (24), "thereisnofatebutwhatwemake" (26), "givemelibertyorgivemedeath" (26), and "eastofthesunwestofthemoon" (25).

http://arstechnica.com/security/201...eling-the-next-frontier-of-password-cracking/
 
Oct 25, 2006
11,036
11
91
Sure if you are just using a single language and they know the pattern.

It's a lot more to guess just the words in my password. Did I use spaces? Did I punctuate? Are all my words from the same language?

Consider the password: "Ippon wins da match!"
Ippon is a defined English word. "da" is a common replacement for the word "the". Modern dictionary attacks would rip that password apart without breaking a sweat.

That XKCD is so damn misleading.
 

lupi

Lifer
Apr 8, 2001
32,539
260
126
Getting tired of the work ones now having to be changed every 60 days, ugh.
 

Exterous

Super Moderator
Jun 20, 2006
20,569
3,762
126
but alas....auditors always tell you how to do it better.

I think a lot of people overlook the role auditors have in passwords (or maybe it's just my own experience bias). It's like the zero tolerance policies at schools. Closed network that's physically locked down? Too bad - you need complex passwords that change every 60 days for everything regardless of actual need.
 

sourceninja

Diamond Member
Mar 8, 2005
8,805
65
91
Ippon is a defined english word. da is a common replacement for the word "the". Modern dictionary attacks would rip that password apart without breaking a sweat.

That XKCD is so damn misleading.


Because it would guess that combo with an exclamation and first letter cap? How long would it take? If it's less than 60 days, then yes it's a worry. But if it's more than 60 days, no worries.

Even if it was a concern, you could still write a human-relatable password with the same basic idea.

"Ippon wins 1 match!"

How is that less secure than 5rdxXSW@ ?
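The question of whether "Ippon wins 1 match!" is weaker than "5rdxXSW@" comes down to which attacker you model. An added example (not from any poster) that estimates the work in bits two ways: plain brute force over 95 printable characters, and a dictionary-plus-rules cracker of the kind described in the Ars Technica quote above, which guesses words, one appended digit, one symbol, a capitalisation rule and a spacing rule. The word-list size, rule counts, guess rate and the tiny embedded word list are constructed assumptions, not measurements; swap in a real 20k-word list to use it on other passphrases.

```python
import math
import re

# Constructed attacker model: candidates a dictionary-plus-rules cracker tries per token kind.
WORDLIST_SIZE = 20_000   # common words of one language
DIGIT_RUN = 10           # candidates per appended digit
PUNCT_RUN = 10           # candidates per appended symbol (the popular ones)
CASE_RULES = 4           # lower / Capitalise first / Capitalise each / UPPER
SEPARATOR_RULES = 2      # spaces or no spaces
PRINTABLE = 95           # brute-force alphabet: printable ASCII incl. space

# Constructed mini word list standing in for a real dictionary (assumption).
KNOWN_WORDS = {"ippon", "wins", "da", "match", "the", "correct", "horse", "battery", "staple"}

TOKEN = re.compile(r"[A-Za-z]+|\d+|[^\w\s]+")


def tokenize(password: str) -> list:
    """Split into letter runs, digit runs and symbol runs; spaces are dropped."""
    return TOKEN.findall(password)


def brute_force_bits(password: str) -> float:
    """Work for an attacker who knows only the length."""
    return len(password) * math.log2(PRINTABLE)


def structured_bits(password: str):
    """Work for a dictionary-plus-rules attacker, or None when some letter run
    is not a dictionary word (the model then does not apply)."""
    bits = math.log2(CASE_RULES) + math.log2(SEPARATOR_RULES)
    for tok in tokenize(password):
        if tok.isalpha():
            if tok.lower() not in KNOWN_WORDS:
                return None
            bits += math.log2(WORDLIST_SIZE)
        elif tok.isdigit():
            bits += len(tok) * math.log2(DIGIT_RUN)
        else:
            bits += len(tok) * math.log2(PUNCT_RUN)
    return bits


def effective_bits(password: str) -> float:
    """The attacker picks whichever strategy is cheaper."""
    s = structured_bits(password)
    b = brute_force_bits(password)
    return b if s is None else min(s, b)


def guess_time_days(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust 2**bits guesses at an assumed rate."""
    return (2 ** bits) / guesses_per_second / 86_400


def report(password: str) -> dict:
    return {
        "brute_force_bits": round(brute_force_bits(password), 1),
        "structured_bits": None if structured_bits(password) is None
        else round(structured_bits(password), 1),
        "effective_bits": round(effective_bits(password), 1),
    }


if __name__ == "__main__":
    RATE = 1e9  # assumed offline guess rate against a fast unsalted hash
    for pw in ("Ippon wins 1 match!", "Ippon wins da match!", "5rdxXSW@"):
        r = report(pw)
        print(f"{pw!r}: {r}  ~{guess_time_days(r['effective_bits'], RATE):.0f} days at 1e9/s")
```

Under this model the two passwords sourceninja compares come out almost identical (about 52.5 bits each): the 19-character sentence is far beyond brute force, but once an attacker guesses words rather than characters its cost collapses to roughly that of the 8-character random string. Adding a fourth dictionary word buys more than adding a digit or a symbol does, which is the point both the XKCD comic and the Ars Technica quote are making from opposite directions.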