|   BlitzenZeus Burnt Out Cynic Premium,MVM join:2000-01-13 Beaverton, OR | Re: Big Sites That Don't Allow Complex Passwords !?! If you're just setting up complex passwords in some password program, it's not helping you at all. If you're using some master password as part of a password storage, then you're only fooling yourself when it comes to security. | |
|  |  dave Premium,MVM join:2000-05-04 not in ohio
·Verizon Online DSL
·Verizon FIOS
1 edit | Re: Big Sites That Don't Allow Complex Passwords !?! said by BlitzenZeus :If you're just setting up complex passwords in some password program, it's not helping you at all. If you're using some master password as part of a password storage, then you're only fooling yourself when it comes to security. Assume an attacker has no access to your PC; he's merely attacking the web site (and it's not tricky to guess, for example, that there might be a user called 'dave'). There is no 'master password' involved. It's simply a matter of how hard it is to brute-force the password space.
If the password space is restricted to [A-Za-z0-9] then there are far fewer possible passwords than if passwords could use any characters. Thus, the password is easier to guess. Simple arithmetic.
This is just sloppy programming, about as sloppy as the idiots who insist you type credit card numbers without spaces, despite the fact that the numbers on the cards are grouped in fours for a very good reason.
I suppose the point of your comment may be that people who use 'complex passwords' must be keeping them in software-managed keyrings. That doesn't seem to follow at all. A few non-alphameric characters dropped into a password don't suddenly make it impossible to remember; even a scheme as silly as replacing an 's' with '$' adds a small amount of strength, without making the password harder to remember.
-- Microsoft Security MVP, 2005-2007. | |
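The "simple arithmetic" dave refers to, worked through as an added example (this is not code from the thread or from any of the sites named in it): it sizes the search space for a given alphabet and length, and computes how many extra characters a restricted [A-Za-z0-9] alphabet needs to match a password that also uses symbols. The 32-symbol special-character class is an assumption; real sites accept different symbol sets.

```python
import math
import string

# Character classes a site might permit. The special-character class is an
# assumption for this example (printable ASCII punctuation, 32 symbols); real
# sites differ in which symbols they accept.
CHARSETS = {
    "lower": frozenset(string.ascii_lowercase),   # 26
    "upper": frozenset(string.ascii_uppercase),   # 26
    "digit": frozenset(string.digits),            # 10
    "special": frozenset(string.punctuation),     # 32
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet a guesser must cover once they know which character
    classes the password draws from (the union of the classes actually used)."""
    if not password:
        raise ValueError("empty password")
    covered = frozenset().union(*CHARSETS.values())
    unknown = [c for c in password if c not in covered]
    if unknown:
        # Characters outside the four classes (e.g. non-ASCII) would need their
        # own class size to be modelled; refuse rather than guess.
        raise ValueError(f"characters outside modelled classes: {unknown!r}")
    size = 0
    for chars in CHARSETS.values():
        if any(c in chars for c in password):
            size += len(chars)
    return size


def search_space(alphabet: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` over `alphabet` symbols."""
    return alphabet ** length


def entropy_bits(alphabet: int, length: int) -> float:
    """Bits of guessing work for a uniformly random password of that shape."""
    return length * math.log2(alphabet)


def length_for_same_strength(full_alphabet: int, full_length: int,
                             restricted_alphabet: int) -> int:
    """Smallest length over the restricted alphabet whose search space is at
    least as large as full_alphabet ** full_length."""
    target = search_space(full_alphabet, full_length)
    n = 1
    while search_space(restricted_alphabet, n) < target:
        n += 1
    return n


if __name__ == "__main__":
    full = 26 + 26 + 10 + 32          # [A-Za-z0-9] plus the symbol class
    restricted = 26 + 26 + 10         # [A-Za-z0-9] only, as dave describes
    for length in (6, 8, 10):
        print(f"length {length}: full {entropy_bits(full, length):.1f} bits, "
              f"restricted {entropy_bits(restricted, length):.1f} bits, "
              f"restricted needs {length_for_same_strength(full, length, restricted)} chars")
    # Daniel's two examples later in the thread, for comparison.
    for pw in ("ArdV4rk!", "woof20slf02ld9dlw0"):
        a = alphabet_size(pw)
        print(f"{pw}: alphabet {a}, {entropy_bits(a, len(pw)):.1f} bits")
```

Running it shows the ratio the thread is arguing about: an 8-character password over 94 symbols has roughly 28 times as many possibilities as one over 62, and the restricted alphabet needs 9 characters to catch up. It also shows that a long lowercase-plus-digit string easily exceeds both, which is nwrickert's point about stored passwords.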
|  |  greenhatch
join:2005-08-14 UK!
| My ISP here in Britain doesn't permit special characters in passwords. They are being pressured to change, though.  | |
|  Mele20 Premium join:2001-06-05 Hilo, HI
| Chase has that new double security that is so irritating. I now have to call them every month and get them to issue a special code to use because I flush their cookies after each visit. Chase wants me to keep the special identifier cookie they now have and since I don't their site declares my machine as having never accessed my accounts there before...hence the phone call I must make now every month. I then have to wait for the email after speaking to a representative and having him authorize a special code. Then after I get the email, I have to go to their site from the email link and put in the special authorization code and then finally get into my accounts. It is so irritating that I see little reason to use internet banking now. I would probably save more time mailing the check at the Post Office. My one concern there is that I had the USPS lose a check once for three weeks and Chase would not rescind the penalty when the check didn't reach them in time and I didn't know because I wasn't doing internet banking back then. That is why I started doing internet banking. But I find it less and less appealing. I probably will just start doing automatic electronic deduction with Chase. I never use my local banks' websites as I can go in those banks. I guess I should have never gotten credit cards with banks outside my home town.
Why do you think Chase needs complex passwords when it has this new double security thing? Besides, if anyone tries to hack your password, after three failed attempts Chase locks the account and even you cannot get into your own account. I had that happen not long ago. I had to call Chase and answer a bunch of questions and then they told me that someone had tried to hack the account and they were surprised that hadn't happened to me before as it was quite common, but the would-be hackers only get three attempts, so I really don't see why you are so worried. -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/ | |
|  |  |   Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
| Re: Big Sites That Don't Allow Complex Passwords !?! said by nwrickert :I'm not sure why you see this as a problem. It's a problem because humans are better at remembering shorter passwords, and the use of more character sets allows one to add security while keeping length down.
So, ArdV4rk! is arguably a much better password than woof20slf02ld9dlw0 because the former is both sufficiently complex to thwart most guessing attacks but still short enough to remember easily.
For high security sites you probably shouldn't use memorable passwords at all, but it's not practical for most people to try and use a password manager for every single site they visit; and that's the focus of this point.
Far too many sites limit the usability vs. security tradeoff by not allowing special character sets in their passwords. It forces users to either 1) use easily guessable passwords, or 2) use longer ones that are forgotten more easily. -- dmiessler.com -- grep understanding knowledge | |
|  |  |   nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Re: Big Sites That Don't Allow Complex Passwords !?! It's a problem because humans are better at remembering shorter passwords, ... The idea of remembering passwords went out the window once web sites started wanting passwords. It is unmanageable.
I keep only a very few remembered passwords. One of those is the passphrase I need to access my encrypted password database. And once one starts storing passwords in a database, there is no longer a need to keep them short. -- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 | |
|  |  |  |   Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
2 edits | Re: Big Sites That Don't Allow Complex Passwords !?! said by nwrickert :It's a problem because humans are better at remembering shorter passwords, ... The idea of remembering passwords went out the window once web sites started wanting passwords. It is unmanageable. Your argument is invalid simply because over 95% of users still do manage their own passwords. That's a guess, but it's actually probably closer to 99%. We have to solve the problems we have, not the problems we should have or wish we had. -- dmiessler.com -- grep understanding knowledge | |
|  |  |  |  |   nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Re: Big Sites That Don't Allow Complex Passwords !?! Your argument is invalid simply because over 95% of users still do manage their own passwords. I manage my own passwords. Storing them in a file, and encrypting that file is part of how I manage them.
I just checked. I have 55 entries in that file, and I shun most web sites that require passwords. Nobody can remember that many.
If they actually are trying to remember 55 passwords, then they are probably using very weak passwords and re-using the same password for many sites. And if they are doing that, they have a more serious problem than the one you suggested in your OP. -- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 | |
|  |  |  |  |  |   Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
| Re: Big Sites That Don't Allow Complex Passwords !?! said by nwrickert :Your argument is invalid simply because over 95% of users still do manage their own passwords. If they actually are trying to remember 55 passwords, then they are probably using very weak passwords and re-using the same password for many sites. And if they are doing that, they have a more serious problem than the one you suggested in your OP. Well, that is the reality we're facing. The question is, how do we mitigate some of this risk? It's a lot harder to get users to change their habits than it is to get a single site that handles millions of accounts to change theirs.
I agree it's not a real solution, but nothing in security ever is. It's about reducing risk, and if we can add ANY significant amount of complexity to the incredibly weak passwords that most people use, we'll have accomplished something. Hence my OP. -- dmiessler.com -- grep understanding knowledge | |
|  |  |  Mele20 Premium join:2001-06-05 Hilo, HI
| Why are you trying to remember passwords? I use no password manager, I never allow Fx to remember passwords. I write them all down (different one for each site) in two paper files...one for normal sites and one for banking sites. I generally meet my friends away from my home because of no parking for guests here and they don't want to park on the street because this is a heavily traveled beach street with lots of drunks/speeders/pakalolo-high drivers hitting poles and cars. My point being that I don't have to hide the password folders since I am usually the only one in this condo.
I would never be able to remember any password that had characters other than numbers and letters, and those would need to be too simple for safety for me to be able to remember them...memory deteriorates with age, so it's not realistic to tell older folks that they need to use special characters in passwords, memorize them all and change them every three months and then memorize them again. I rely on my bank to shut out anyone, including myself, after three tries. My home bank has a very elaborate procedure for how one gets one's account accessible again after being locked out. My other home bank is even more of a hassle...you have to apply in writing via snail mail for a new password which is mailed after two to three weeks. You have no access to your account online during that waiting period. Why are these methods, that are in place at most banks, so poor security-wise? I suppose if you choose JohnDoe1 as your password that might be easily guessed in three tries but most folks know to use something like 5s69bbl0gz6u3 as a password and I don't believe that is likely to be guessed in three tries before the bank locks the account.
As for AARP, in this day and age requiring a SS number is criminal. Of course, all banks and credit card issuers still require the number instead of asking for the driver license number or something else...birth certificate, etc. -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/ | |
|   DownTheShore Maddie Knows Poopie Premium join:2003-12-02 Beautiful NJ clubs: | To get back to Daniel's question:
Sovereign Bank | |
|  |  Just Basics
join:2003-06-08 Painter, VA
| Unless they have changed during the last year here are two more to add:
BB&T NASA Credit Union
If they have changed let me know.
I might add that I am totally impressed with PayPal and eBay for implementing the VeriSign ID Protection - more financial institutions should take this service into consideration. | |
|   nightdesigns Gone missing, back soon Premium join:2002-05-31 AZ
·Cox HSI
| Not totally related to your question, but related: how about companies that give you a username and you can't change it.
For example, at my bank, a credit union, my username is my account number.
And the worst offender, AARP IRA/Mutual Funds, username is your SS#. That's scary. -- [[Your signature here]] | |
|  Cairninator
join:2007-02-14 Sedona, AZ | What is really scary is someone who would use their SS# as a login. It's really stunning how the average American can justify their stupidity. | |
|   neonhomer Honoray Mythbuster Premium join:2004-01-27 Edgewater, FL clubs: | Space Coast Credit Union (in East Central Florida) doesn't allow complex passwords.
Neither does Earthlink. | |
|   haze_nme
join:2004-01-13 Tucson, AZ | You can add Wells Fargo to the list of offenders. | |
|  |   major marco Res Firma Mitescere Nescit Premium join:2003-02-13 Stepford, CA clubs:
| Re: Big Sites That Don't Allow Complex Passwords !?! said by haze_nme :You can add Wells Fargo to the list of offenders. Which is why, if you're THAT concerned, you should really be changing your password every month. But hey, let's not quibble with passwords.
In reality, the majority of ID theft/hacking/site insecurity takes place completely beyond the end user's control. Your eight digit, alphanumeric, special character password won't do squat to protect you from data breaches caused by non-existent/rarely enforced security policies. -- The Toll
| |
|   CylonRed Premium,MVM join:2000-07-06 Bloom County | You CAN make a strong password with a-z (any type) and numbers - in fact - you could use a random jumble of letters (cap/no cap) and numbers and be VERY strong indeed. | |
|  |  dave Premium,MVM join:2000-05-04 not in ohio
·Verizon Online DSL
·Verizon FIOS
| Re: Big Sites That Don't Allow Complex Passwords !?! said by CylonRed :You CAN make a strong password with a-z (any type) and numbers - in fact - you could use a random jumble of letters (cap/no cap) and numbers and be VERY strong indeed. Of course. Daniel's point is simply that, if you restrict the character set, then you need more characters in order to achieve the same strength. -- Microsoft Security MVP, 2005-2007. | |
|  |  |   CylonRed Premium,MVM join:2000-07-06 Bloom County
| Re: Big Sites That Don't Allow Complex Passwords !?! said by dave :said by CylonRed :You CAN make a strong password with a-z (any type) and numbers - in fact - you could use a random jumble of letters (cap/no cap) and numbers and be VERY strong indeed. Of course. Daniel's point is simply that, if you restrict the character set, then you need more characters in order to achieve the same strength. No his point (according to the subject of the thread) is that they DON'T allow a complex password and that is indeed - 100% wrong. -- Brian
"Some people are like Slinkies... Not really good for anything...... But they still bring a smile to your face when you push them down a flight of stairs." | |
|  |  |  |  Mele20 Premium join:2001-06-05 Hilo, HI
| Re: Big Sites That Don't Allow Complex Passwords !?! said by CylonRed :said by dave :said by CylonRed :You CAN make a strong password with a-z (any type) and numbers - in fact - you could use a random jumble of letters (cap/no cap) and numbers and be VERY strong indeed. Of course. Daniel's point is simply that, if you restrict the character set, then you need more characters in order to achieve the same strength. No his point (according to the subject of the thread) is that they DON'T allow a complex password and that is indeed - 100% wrong. No, his basic assumption is wrong. He assumes everyone memorizes their passwords and thus needs shorter ones but with special characters so they can memorize them. Most folks don't memorize passwords and banks know this. Plus, adding special characters makes the password harder to memorize if some folks do that...young folks that is of course. What he should be asking is for the banks to institute better security. -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/ | |
|  |  |  |  |   Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
| Re: Big Sites That Don't Allow Complex Passwords !?! said by Mele20 :No, his basic assumption is wrong. He assumes everyone memorizes their passwords and thus needs shorter ones but with special characters so they can memorize them. Most folks don't memorize passwords and banks know this. Plus, adding special characters makes the password harder to memorize if some folks do that...young folks that is of course. What he should be asking is for the banks to institute better security. I think you're wrong on both accounts, actually. 1) Most people DO remember their passwords, and 2) I AM asking for banks to institute better security. That's the whole point of the thread. -- dmiessler.com -- grep understanding knowledge | |
|  |  |  |  |  |  Mele20 Premium join:2001-06-05 Hilo, HI
| Re: Big Sites That Don't Allow Complex Passwords !?! I have approximately 200 passwords at the moment. I don't have a photographic memory. Please explain how you think I should be able to memorize all those or why I should? I see absolutely no need to memorize them. I access them in the file I keep them in when I need them. If you have people spying in your personal papers, well, I think you should address that situation. Perhaps a special lock on your file cabinet? Microsoft's personal folder, etc? -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/ | |
|  |  |  |  |  |  |   Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
1 edit | Re: Big Sites That Don't Allow Complex Passwords !?! said by Mele20 :I have approximately 200 passwords at the moment. I don't have a photographic memory. Please explain how you think I should be able to memorize all those or why I should? Please explain why you think you, or any other knowledgeable regular on this site, represent an average Internet user. Once you've failed to do so you'll see my point. -- dmiessler.com -- grep understanding knowledge | |
|  |  |  |  |  |  |  |  Mele20 Premium join:2001-06-05 Hilo, HI
| Re: Big Sites That Don't Allow Complex Passwords !?! Gee, how was I, or anyone reading this thread, supposed to know that you want stronger passwords for dummies and those of us here don't need that but we are supposed to respond in your thread as though we are dummies and we need them? Do I have that right?
Quite frankly, who cares if your password gets swiped at a silly site like Digg? That is such a dumb site. I find it boring and I don't have a password there but if I did I wouldn't really care if someone swiped it. Digg was your first example of a site that desperately needs complex passwords. Now, if someone swiped my password here, or at Wilders, that would irritate me but again it wouldn't be any big disaster. I don't use a fancy password here or at Wilders. Plus, I have had the same one forever at both sites. Same for Castlecops. Does this site and the other two I mentioned allow for special characters in the password? I dunno. It has never occurred to me to find out as I don't think it matters. I even have an email account here. Guess what the password is: same as for my login. I still have the same password though that I have had for ages here.
I don't see the extreme concern about passwords for anywhere except banking and other sites where financial matters are handled. I am much more concerned with banks, and sites where purchases are made, not making it crystal clear that one is behind "https" when one logs in or enters any sensitive personal information and to me a bank that is too stingy to provide https login on the main page or transfer the person to the secure login page (without the person having to resort to tricks such as deliberately putting in the wrong password) is much more of a problem than whether or not the password can have special characters. In fact, I think the more important issue is that all banks should be required to do what Bank of Hawaii does: put their entire site behind encryption.
The only sites where a password matters a lot are banking and ones where you do other business transactions. -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/ | |
|  |  |  |  |  |  |  |  |   Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
3 edits | Re: Big Sites That Don't Allow Complex Passwords !?! said by Mele20 :Gee, how was I, or anyone reading this thread, supposed to know that you want stronger passwords for dummies and those of us here don't need that but we are supposed to respond in your thread as though we are dummies and we need them? Do I have that right? No, you don't have it right. Most everyone else does, but for some reason you have an attitude about this issue. You don't seem to understand how the majority of users employ passwords on the Internet. They are using dozens of sites, all over the place -- with short passwords that tend to be very weak. They use them for e-bay, social sites, forums, and yes -- banks. My point is simply that for those who would like to add some complexity to their passwords while maintaining a manageable length, the addition of another character set is a good way to do this.
Note that this is precisely the reason MOST sites have done exactly this. I'm not promoting some outlandish idea that nobody's heard of; the majority of web presences have already changed their systems to allow special characters. The whole point of this thread is to identify some of those that haven't -- especially the ones that are important in terms of finances or identity.
Look, I'm sorry if I somehow offended, but I'm not going to argue with you about this when it's clear that everyone else sees the problem but you. -- dmiessler.com -- grep understanding knowledge | |
|  |  |  |  |  |  |  |  |  |   nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Re: Big Sites That Don't Allow Complex Passwords !?! You don't seem to understand how the majority of users employ passwords on the Internet. They are using dozens of sites, all over the place -- with short passwords that tend to be very weak. Do you really think users will change these habits just because their bank happens to allow special characters? -- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 | |
|  |  |  |  |  |  |  |  |  |   Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
| Re: Big Sites That Don't Allow Complex Passwords !?! said by nwrickert :Do you really think users will change these habits just because their bank happens to allow special characters? No, it's not a matter of everyone who has accounts with them going back overnight and making their passwords more secure as soon as the change is made. That's unrealistic. It's about users having the option to use better passwords when they create a new account or change their password there.
Contrary to what's been put forth a few times in this thread, there are many users who are both 1) advanced enough to want stronger/more usable passwords, and 2) reluctant (for whatever reason) to move to an encrypted database paradigm.
Those users are legion, and they will benefit from this change over time. Again, that's why the majority of sites on the Internet have already upgraded.
Also, there's another angle here that hasn't been explored. Why shouldn't they add the option? What's the downside? In other words, if this can help just one person (and it will obviously help thousands), wouldn't it be worth the tradeoff? I think so, given the ease with which this can be done programmatically. Really, it's just a matter of laziness on the part of these various organizations. And that's the point of this -- getting them to overcome said laziness. -- dmiessler.com -- grep understanding knowledge | |
|  |  |  |  |  |  |  |  |  |  Mele20 Premium join:2001-06-05 Hilo, HI
| I still don't get why this is an important issue. Explain to me how these dictionary attacks are going to first figure out my USER NAME and then figure out my PASSWORD AND THEN SUCCESSFULLY COMBINE THE CORRECT USER NAME AND PASSWORD? Your argument reminds me of the recent thread here yelling the sky was falling in for Linksys router users because the default password is administrator and some folks never bother to change it although Linksys very clearly states that it needs to be changed immediately upon setting up the router. I changed mine but even if I had not, my user name is not easy to figure out by dictionary attack so I thought the whole thread was overblown. There were complaints I think I recall about the length and what is allowed in the Linksys user name and password and I couldn't see what the problem was as no one could demonstrate that it would be easy "low hanging fruit" to use a dictionary attack on a Linksys router to determine first the user name and second the password and then match them up.
So, do you have any evidence of how fast and easily this can be done? Plus, you have continued to side step the fact that banks will lock the account so fast that your head will swirl if you start putting in the wrong user name and/or password. Three simple typos and you, yourself, are locked out. I can't tell you how many times I have gotten locked out of my local bank account because the user name is required to be in all caps and the password must be in mixed case. I got that wrong so many times especially since I can't see what I am typing for the password. I can't call the bank and get reinstated immediately either. There is a three day waiting period unless that has been changed recently. This bank won many awards back in the late '90s/early 2000s as being the most secure, best banking site on the internet.
Besides my home bank that I no longer access on the internet as I have no loans or credit cards or savings account with them so I can't do any banking other than looking at my checking account statement and I write only two checks a month so I have little need to look at it before it comes in the mail, I use only two banking sites both of which have excellent protection already. In fact, Chase drives me nuts as does CapitalOne with logging me out not just within 13 minutes which is done even if you are actively using the site at that moment but which logs you out if there is hesitation, stumbling about, all sorts of things get you logged out. There are many protections that we are not really aware of at banking sites.
Again, this is barking up the wrong tree. The banks and business sites where purchases are made need first of all to ALWAYS use a secure login in page. I don't see you complaining about that problem. What difference will it make if your password has special characters if you aren't really on the site's secure page when you login?
I suppose you already know the answer to the dslreports login? Our site must allow special characters? Wilders and Castlecops also do this? As I said, I have no idea as I have not changed my password at any of these since I joined 6 years ago here and 5 years ago for the other two sites. You have me curious as if this is so important then I'm sure all three sites allow the special characters and somewhere on these three sites there must be a warning that I have missed telling me to change my password to include special characters...right? Where is the warning for this site? -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/ | |
 |  |  |  dave Premium,MVM join:2000-05-04 not in ohio
·Verizon Online DSL
·Verizon FIOS
| said by CylonRed :said by dave :Of course. Daniel's point is simply that, if you restrict the character set, then you need more characters in order to achieve the same strength. No his point (according to the subject of the thread) is that they DON'T allow a complex password and that is indeed - 100% wrong. said by Daniel :It's a problem because humans are better at remembering shorter passwords, and the use of more character sets allows one to add security while keeping length down. So, if you're going to argue that the later clarification isn't part of his point, fine.
Or if you're going to argue about what should be inferred from the word "complex", fine.
Just do it without me, please. -- Microsoft Security MVP, 2005-2007. | |
|  |  |  |  |   CylonRed Premium,MVM join:2000-07-06 Bloom County | Re: Big Sites That Don't Allow Complex Passwords !?! I must have walked away from the PC while in the thread and not refreshed when I got back and missed the second post on his clarification.... Would have behooved him to also change the subject of the thread as well. | |
|  |  |  |  |  |  |  |  |  |   Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
1 edit | said by CylonRed :said by dave :said by CylonRed :You CAN make a strong password with a-z (any type) and numbers - in fact - you could use a random jumble of letters (cap/no cap) and numbers and be VERY strong indeed. Of course. Daniel's point is simply that, if you restrict the character set, then you need more characters in order to achieve the same strength. No his point (according to the subject of the thread) is that they DON'T allow a complex password and that is indeed - 100% wrong. My mistake, but I thought it was pretty clear that I meant they didn't allow special characters. I mean, what else COULD I have meant? Have you ever seen a site come back and say, "sorry, you can use all those characters, but just not in that order." ???
Seriously, let's talk about the issue instead of picking nits over semantics. -- dmiessler.com -- grep understanding knowledge | |
|  Catmoves
join:2005-07-05 Albuquerque, NM
| I've had some success by writing to webmasters and suggesting that they might change the coding and allow the special characters to be used. I've also gotten form letters back from other sites saying their program doesn't allow for this. Some answer. My answer is simple. If I really want to log in to the site, I make them send me my password. Then I change it. Every time. -- Catmoves | |
|   JTM1051 Premium,MVM join:2000-07-08 Moorpark, CA
| said by Daniel :...What others do you know of? Unless they've changed recently SBC/AT&T Yahoo! DSL | |
|   kringles
join:2000-11-05 Jasper, GA | A little OT but I would like the banks to use (or make optional) an RSA type key device similar to the PayPal/eBay one currently available. Of course if they don't allow complex passwords why would they offer a device like this? | |
|  ElJay
join:2004-03-17
·Great Works Internet
| I use strong passwords when I need to. But to be honest I'm not too concerned about my online banking login info being brute forced... It just doesn't make any sense. For one thing they need to know my user ID, and secondly a six character password with letters and numbers is going to take a gargantuan number of requests to crack. Most banks only allow a few login attempts before access is locked out, anyway.
It also seems like most people with online banking are probably going to catch fraudulent activity before those that wait for a monthly statement. I am balancing my checkbook at least weekly thanks to online banking and I'm going to notice any errors very quickly. | |
|  |   Blackbird Built for Speed Premium join:2005-01-14 Fort Wayne, IN
·Verizon Online DSL
1 edit | FWIW, about 7 years ago, I set up two Hotmail accounts within a two-week period as shown below: xyzabc_de@hotmail.com xyzabcde@hotmail.com The actual letters were different than shown, of course, and were ordered approximately as noted. In the 7 subsequent years, the account with the underscore has never received a single spam message. The account without the underscore (_) received spam within 2 days of creation, and has continued to average about 3 spams a day. Both accounts have been used only for "private" eMail messages to personal friends.
What it proves to me is that dictionary-attack addressing engines simply do not attack with near the success if one simply incorporates one non-alphanumeric symbol. And I have no reason to believe it would be any different for using such an engine to attack a password. For a financial institution to not incorporate and require at least a few such symbols in passwords smacks of irresponsibility.
edit: clarification 1st para -- If God wanted us to work with electrons, He'd make them big enough to see... | |
|  |   Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
| Re: Sites That Don't Allow Special Characters In Passwords !?! said by Blackbird :What it proves to me is that dictionary-attack addressing engines simply do not attack with near the success if one simply incorporates one non-alphanumeric symbol. Exactly. These attacks are designed for low-hanging fruit. And anything you can do to take your password out of that category (while still keeping it usable) is an improvement. Good example. -- dmiessler.com -- grep understanding knowledge | |
|  |  |  bluezanetti Premium join:2003-10-04
| Re: Sites That Don't Allow Special Characters In Passwords !?! said by Daniel :These attacks are designed for low-hanging fruit. And anything you can do to take your password out of that category (while still keeping it usable) is an improvement. Good example. Actually, that statement should be generalized for the benefit of anyone who implements extremes in multifaceted security measures... anything aside from a preselected and purposely directed attack is aiming at low hanging fruit. That notion is often lost sight of here and elsewhere.
Blue | |
|  dave Premium,MVM join:2000-05-04 not in ohio
·Verizon Online DSL
·Verizon FIOS
| FWIW, anyone know if these sites also have length limitations?
They may not be overt; I just noticed that bugzilla (a defect-tracking system) allows any password length, but doesn't actually use more than 8 characters. I noticed this when I made a typo in the 9th...
(I'm not overly concerned by bugzilla. The only risk here is a reputation attack - you can file bugs that look like they come from me.) -- Microsoft Security MVP, 2005-2007. | |
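A check for the silent length limit dave describes, written as an added example that is not bugzilla's code or anyone else's from the thread. `legacy_hash` is a constructed stand-in for a verifier that keeps only the first eight characters (traditional DES `crypt(3)` behaved this way); `modern_hash` hashes the whole string; `silently_truncates` registers a constructed password and then flips one character at a time to find the first position the verifier no longer notices. It is the test one would run against one's own authentication code before trusting a "no length limit" claim.

```python
import hashlib
import hmac
from typing import Optional

# Constructed legacy limit, chosen to match the 8-character behaviour dave saw.
LEGACY_LIMIT = 8


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Constructed stand-in for a verifier that silently keeps only the first
    LEGACY_LIMIT characters; a typo in the 9th character is not noticed."""
    return hashlib.sha256(salt + password[:LEGACY_LIMIT].encode("utf-8")).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """Hashes the whole password. The iteration count is kept low so the probe
    below runs quickly; a production deployment would use far more."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 10_000)


def verify(hash_fn, stored: bytes, salt: bytes, candidate: str) -> bool:
    """Constant-time comparison of a candidate against the stored digest."""
    return hmac.compare_digest(stored, hash_fn(candidate, salt))


def silently_truncates(hash_fn, probe_length: int = 16) -> Optional[int]:
    """Return the 0-based position from which hash_fn stops distinguishing
    characters, or None if every probed position (and an appended one) matters.

    The probe stores a constructed password of `probe_length` repeated 'a's,
    then changes one character at a time and asks the verifier whether the
    altered string is still accepted. The first accepted alteration marks the
    start of the ignored tail."""
    salt = b"constructed-salt-for-probe"
    base = "a" * probe_length
    stored = hash_fn(base, salt)
    for i in range(probe_length):
        variant = base[:i] + "b" + base[i + 1:]
        if verify(hash_fn, stored, salt, variant):
            return i
    # A verifier that drops everything past probe_length would pass the loop
    # above, so also check that an appended character is noticed.
    if verify(hash_fn, stored, salt, base + "b"):
        return probe_length
    return None


if __name__ == "__main__":
    for name, fn in (("legacy", legacy_hash), ("modern", modern_hash)):
        pos = silently_truncates(fn)
        print(f"{name}: " + ("no truncation detected" if pos is None
                              else f"characters from position {pos} are ignored"))
```

Against the legacy verifier the probe reports position 8, i.e. the 9th character onward is ignored, which is exactly the typo dave got away with; against the full-length verifier it reports nothing. The same probe, run with a longer `probe_length`, would expose a limit anywhere up to that length.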