  kringles
join:2000-11-05 Jasper, GA | reply to Daniel Re: Big Sites That Don't Allow Complex Passwords !?!
A little OT but I would like the banks to use (or make optional) an RSA type key device similar to the PayPal/eBay one currently available. Of course if they don't allow complex passwords why would they offer a device like this? |
|
 ElJay
join:2004-03-17
·Great Works Internet
| reply to Daniel I use strong passwords when I need to. But to be honest I'm not too concerned about my online banking login info being brute forced... It just doesn't make any sense. For one thing they need to know my user ID, and secondly a six character password with letters and numbers is going to take a gargantuan number of requests to crack. Most banks only allow a few login attempts before access is locked out, anyway.
It also seems like most people with online banking are probably going to catch fraudulent activity before those that wait for a monthly statement. I am balancing my checkbook at least weekly thanks to online banking and I'm going to notice any errors very quickly. |
|
  Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
2 edits | reply to nwrickert said by nwrickert :It's a problem because humans are better at remembering shorter passwords, ... The idea of remembering passwords went out the window once web sites started wanting passwords. It is unmanageable. Your argument is invalid simply because over 95% of users still do manage their own passwords. That's a guess, but it's actually probably closer to 99%. We have to solve the problems we have, not the problems we should have or wish we had. -- dmiessler.com -- grep understanding knowledge |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| Your argument is invalid simply because over 95% of users still do manage their own passwords. I manage my own passwords. Storing them in a file, and encrypting that file is part of how I manage them.
I just checked. I have 55 entries in that file, and I shun most web sites that require passwords. Nobody can remember that many.
If they actually are trying to remember 55 passwords, then they are probably using very weak passwords and re-using the same password for many sites. And if they are doing that, they have a more serious problem than the one you suggested in your OP. -- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 |
|
  Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
| said by nwrickert :Your argument is invalid simply because over 95% of users still do manage their own passwords. If they actually are trying to remember 55 passwords, then they are probably using very weak passwords and re-using the same password for many sites. And if they are doing that, they have a more serious problem than the one you suggested in your OP. Well, that is the reality we're facing. The question is, how do we mitigate some of this risk? It's a lot harder to get users to change their habits than it is to get a single site that handles millions of accounts to change theirs.
I agree it's not a real solution, but nothing in security ever is. It's about reducing risk, and if we can add ANY significant amount of complexity to the incredibly weak passwords that most people use, we'll have accomplished something. Hence my OP. -- dmiessler.com -- grep understanding knowledge |
|
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to Daniel Why are you trying to remember passwords? I use no password manager, I never allow Fx to remember passwords. I write them all down (different one for each site) in two paper files...one for normal sites and one for banking sites. I generally meet my friends away from my home because of no parking for guests here and they don't want to park on the street because this is a heavily traveled beach street with lots of drunks/speeders/pakalolo high drivers hitting poles and cars. My point being that I don't have to hide the password folders since I am usually the only one in this condo.
I would never be able to remember any password that had characters other than numbers and letters and those would need to be too simple for safety for me to be able to remember them...memory deteriorates with age so it is not realistic to tell older folks that they need to use special characters in passwords, memorize them all and change them every three months and then memorize them again. I rely on my bank to shut out anyone, including myself, after three tries. My home bank has a very elaborate procedure for how one gets one's account accessible again after being locked out. My other home bank is even more of a hassle...you have to apply in writing via snail mail for a new password which is mailed after two to three weeks. You have no access to your account online during that waiting period. Why are these methods, that are in place at most banks, so poor security wise? I suppose if you choose JohnDoe1 as your password that might be easily guessed in three tries but most folks know to use something like 5s69bbl0gz6u3 as a password and I don't believe that is likely to be guessed in three tries before the bank locks the account.
As for AARP in this day and age requiring a SS number is criminal. Of course, all banks and credit card issuers still require the number instead of asking for the driver license number or something else..birth certificate, etc. -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/ |
|
  major marco Res Firma Mitescere Nescit Premium join:2003-02-13 Stepford, CA clubs:
| reply to haze_nme said by haze_nme :You can add Wells Fargo to the list of offenders. Which is why if you're THAT concerned, you should really be changing your password every month. But hey, let's not quibble with passwords.
In reality, majority of ID theft/hacking/site insecurity takes place completely beyond the end user's control. Your eight digit, alphanumeric, special character password won't do squat to protect you from data breaches caused by non-existent/rarely enforced security policies. -- The Toll
|
|
  CylonRed Premium,MVM join:2000-07-06 Bloom County
| reply to dave said by dave :said by CylonRed :You CAN make a strong password with a-z (any type) and numbers - in fact - you could use a random jumble of letters (cap/no cap) and numbers and be VERY strong indeed. Of course. Daniel's point is simply that, if you restrict the character set, then you need more characters in order to achieve the same strength. No his point (according to the subject of the thread) is that they DON'T allow a complex password and that is indeed - 100% wrong. -- Brian
"Some people are like Slinkies... Not really good for anything...... But they still bring a smile to your face when you push them down a flight of stairs." |
|
 Mele20 Premium join:2001-06-05 Hilo, HI
| said by CylonRed :said by dave :said by CylonRed :You CAN make a strong password with a-z (any type) and numbers - in fact - you could use a random jumble of letters (cap/no cap) and numbers and be VERY strong indeed. Of course. Daniel's point is simply that, if you restrict the character set, then you need more characters in order to achieve the same strength. No his point (according to the subject of the thread) is that they DON'T allow a complex password and that is indeed - 100% wrong. No, his basic assumption is wrong. He assumes everyone memorizes their passwords and thus needs shorter ones but with special characters so they can memorize them. Most folks don't memorize passwords and banks know this. Plus, adding special characters makes the password harder to memorize if some folks do that...young folks that is of course. What he should be asking is for the banks to institute better security. -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/ |
|
 dave Premium,MVM join:2000-05-04 not in ohio
·Verizon Online DSL
·Verizon FIOS
| reply to CylonRed said by CylonRed :said by dave :Of course. Daniel's point is simply that, if you restrict the character set, then you need more characters in order to achieve the same strength. No his point (according to the subject to the thread) is that they DON'T allow a complex password and that is indeed - 100% wrong. said by Daniel :It's a problem because humans are better at remembering shorter passwords, and the use of more character sets allows one to add security while keeping length down. So, if you're going to argue that the later clarification isn't part of his point, fine.
Or if you're going to argue about what should be inferred from the word "complex", fine.
Just do it without me, please. -- Microsoft Security MVP, 2005-2007. |
|
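The arithmetic behind dave's point (restricting the character set means you need more characters for the same strength) and behind ElJay's observation that a six-character alphanumeric password is a huge search space for an attacker who is limited by account lockout, worked out as an added example. This is illustrative code written for this page, not code from any poster; the character-set sizes and the three-attempt lockout figure are constructed to match the values discussed in the thread.

```python
import math

# Constructed character-set sizes for the comparison.
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,            # a-z, A-Z, 0-9
    "alphanumeric+punctuation": 95, # printable ASCII
}


def entropy_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of a password chosen uniformly at random."""
    return length * math.log2(charset_size)


def search_space(charset_size: int, length: int) -> int:
    """Number of distinct passwords an exhaustive guesser must cover."""
    return charset_size ** length


def equivalent_length(target_bits: float, charset_size: int) -> int:
    """Shortest length over charset_size that reaches target_bits.

    The small epsilon keeps an exact multiple from rounding up due to
    floating-point error (e.g. 9 chars of 62 vs 9 chars of 62).
    """
    return math.ceil(target_bits / math.log2(charset_size) - 1e-9)


def online_success_probability(attempts: int, charset_size: int, length: int) -> float:
    """Chance that a guesser with a fixed attempt budget (lockout) hits
    a uniformly random password of the given shape. Lockout bounds online
    guessing only; it does nothing for an offline attack on a stolen hash
    database, which is the breach scenario raised later in the thread."""
    return attempts / search_space(charset_size, length)


def length_table(reference_charset: int, reference_length: int) -> dict:
    """For a reference password shape, the length each other charset
    needs to match its entropy."""
    bits = entropy_bits(reference_charset, reference_length)
    return {name: equivalent_length(bits, size) for name, size in CHARSETS.items()}


if __name__ == "__main__":
    print(f"6 alphanumeric chars: {entropy_bits(62, 6):.1f} bits, "
          f"{search_space(62, 6):,} candidates")
    print(f"P(success) with a 3-attempt lockout: "
          f"{online_success_probability(3, 62, 6):.2e}")
    print("Lengths needed to match 8 chars over 95 symbols:")
    for name, n in length_table(95, 8).items():
        print(f"  {name:26s} {n}")
```

The output shows the trade-off both sides of the thread are circling: an eight-character password drawn from all 95 printable characters carries about 52.6 bits, and an alphanumeric-only site needs nine characters to match it, a lowercase-only site twelve. The lockout figure shows why ElJay is right about online guessing against a random password, and the docstring notes the limit of that argument.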
  Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
1 edit | reply to CylonRed said by CylonRed :said by dave :said by CylonRed :You CAN make a strong password with a-z (any type) and numbers - in fact - you could use a random jumble of letters (cap/no cap) and numbers and be VERY strong indeed. Of course. Daniel's point is simply that, if you restrict the character set, then you need more characters in order to achieve the same strength. No his point (according to the subject of the thread) is that they DON'T allow a complex password and that is indeed - 100% wrong. My mistake, but I thought it was pretty clear that I meant they didn't allow special characters. I mean, what else COULD I have meant? Have you ever seen a site come back and say, "sorry, you can use all those characters, but just not in that order." ???
Seriously, let's talk about the issue instead of picking nits over semantics. -- dmiessler.com -- grep understanding knowledge |
|
  Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
| reply to Mele20 said by Mele20 :No, his basic assumption is wrong. He assumes everyone memorizes their passwords and thus needs shorter ones but with special characters so they can memorize them. Most folks don't memorize passwords and banks know this. Plus, adding special characters makes the password harder to memorize if some folks do that...young folks that is of course. What he should be asking is for the banks to institute better security. I think you're wrong on both accounts, actually. 1) Most people DO remember their passwords, and 2) I AM asking for banks to institute better security. That's the whole point of the thread. -- dmiessler.com -- grep understanding knowledge |
|
 Mele20 Premium join:2001-06-05 Hilo, HI
| I have approximately 200 passwords at the moment. I don't have a photographic memory. Please explain how you think I should be able to memorize all those or why I should? I see absolutely no need to memorize them. I access them in the file I keep them in when I need them. If you have people spying in your personal papers, well, I think you should address that situation. Perhaps a special lock on your file cabinet? Microsoft's personal folder, etc? -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/ |
|
  Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
1 edit | said by Mele20 :I have approximately 200 passwords at the moment. I don't have a photographic memory. Please explain how you think I should be able to memorize all those or why I should? Please explain why you think you, or any other knowledgeable regular on this site, represent an average Internet user. Once you've failed to do so you'll see my point. -- dmiessler.com -- grep understanding knowledge |
|
  sivran Long Live The Suite Premium join:2003-09-15 Arlington, TX clubs:
·RoadRunner Cable
| reply to Daniel I didn't see Verizon mentioned. I can't verify verizon.com, but I know verizon.net allows only alphanumeric. "Important" sites that only take alphanumeric seriously annoy me now. I like to use SFSP style passwords whenever possible, and especially on any site where sensitive information might be stored. If I use such a password I rarely need to bother storing it in password safe.
A quick look through my password safe ought to turn up some others..
bestbuy.com (hey, my aunt gave me a $75 gift card... I wouldn't normally shop there!)
cafepress.com (this site has other security issues, as well..)
equifax.com
progressive.com
taxcut.com (alphanumeric, plus underscore)
When even small shops and relative no-names like Megagear (online comic Megatokyo's store) and Surplus Computers can allow punctuation at the very least, it's rather silly that places like Best Buy and Equifax(!) don't or can't! -- Think outside the fox...Seamonkey |
|
 Mele20 Premium join:2001-06-05 Hilo, HI
| reply to Daniel Gee, how was I, or anyone reading this thread, supposed to know that you want stronger passwords for dummies and those of us here don't need that but we are supposed to respond in your thread as though we are dummies and we need them? Do I have that right?
Quite frankly, who cares if your password gets swiped at a silly site like Digg? That is such a dumb site. I find it boring and I don't have a password there but if I did I wouldn't really care if someone swiped it. Digg was your first example of a site that desperately needs complex passwords. Now, if someone swiped my password here, or at Wilders, that would irritate me but again it wouldn't be any big disaster. I don't use a fancy password here or at Wilders. Plus, I have had the same one forever at both sites. Same for Castlecops. Does this site and the other two I mentioned allow for special characters in the password? I dunno. It has never occurred to me to find out as I don't think it matters. I even have an email account here. Guess what the password is: same as for my login. I still have the same password though that I have had for ages here.
I don't see the extreme concern about passwords for anywhere except banking and other sites where financial matters are handled. I am much more concerned with banks, and sites where purchases are made, not making it crystal clear that one is behind "https" when one logs in or enters any sensitive personal information and to me a bank that is too stingy to provide https login on the main page or transfer the person to the secure login page (without the person having to resort to tricks such as deliberately putting in the wrong password) is much more of a problem than whether or not the password can have special characters. In fact, I think the more important issue is that all banks should be required to do what Bank of Hawaii does: put their entire site behind encryption.
The only sites where a password matters a lot are banking and ones where you do other business transactions. -- "If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"
»www.msfirefox.com/ |
|
CylonRed Premium,MVM join:2000-07-06 Bloom County | reply to dave I must have walked away from the PC while in the thread and not refreshed when I got back and missed the second post on his clarification.... Would have behooved him to also change the subject of the thread as well. |
|
  Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
3 edits | reply to Mele20 said by Mele20 :Gee, how was I, or anyone reading this thread, supposed to know that you want stronger passwords for dummies and those of us here don't need that but we are supposed to respond in your thread as though we are dummies and we need them? Do I have that right? No, you don't have it right. Most everyone else does, but for some reason you have an attitude about this issue. You don't seem to understand how the majority of users employ passwords on the Internet. They are using dozens of sites, all over the place -- with short passwords that tend to be very weak. They use them for e-bay, social sites, forums, and yes -- banks. My point is simply that for those who would like to add some complexity to their passwords while maintaining a manageable length, the addition of another character set is a good way to do this.
Note that this is precisely the reason MOST sites have done exactly this. I'm not promoting some outlandish idea that nobody's heard of; the majority of web presences have already changed their systems to allow special characters. The whole point of this thread is to identify some of those that haven't -- especially the ones that are important in terms of finances or identity.
Look, I'm sorry if I somehow offended, but I'm not going to argue with you about this when it's clear that everyone else sees the problem but you. -- dmiessler.com -- grep understanding knowledge |
|
  Daniel Premium,MVM join:2000-06-26 Pleasanton, CA clubs: 
| reply to CylonRed said by CylonRed :I must have walked away from the PC while in the thread and not refreshed when I got back and missed the second post on his clarification.... Would have behooved him to also change the subject of the thread as well. A good point. I tried to use the original title but there's a length restriction on this site. I changed the title on the thread, though. -- dmiessler.com -- grep understanding knowledge |
|
  nwrickert sand groper Premium,MVM join:2004-09-04 Geneva, IL
·AT&T U-Verse
·AT&T Midwest
| reply to Daniel You don't seem to understand how the majority of users employ passwords on the Internet. They are using dozens of sites, all over the place -- with short passwords that tend to be very weak. Do you really think users will change these habits just because their bank happens to allow special characters? -- AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10 |
|