Forums » Up and Running » Security » Security » Sites That Don't Allow Special Characters In Passwords !?!


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
·Verizon Online DSL


1 edit
reply to Daniel
Re: Sites That Don't Allow Special Characters In Passwords !?!

FWIW, about 7 years ago, I set up two Hotmail accounts within a two-week period as shown below:
xyzabc_de@hotmail.com
xyzabcde@hotmail.com
The actual letters were different than shown, of course, and were ordered approximately as noted. In the 7 subsequent years, the account with the underscore has never received a single spam message. The account without the underscore (_) received spam within 2 days of creation, and has continued to average about 3 spams a day. Both accounts have been used only for "private" eMail messages to personal friends.

What it proves to me is that dictionary-attack addressing engines simply do not attack with near the success if one simply incorporates one non-alphanumeric symbol. And I have no reason to believe it would be any different for using such an engine to attack a password. For a financial institution to not incorporate and require at least a few such symbols in passwords smacks of irresponsibility.

edit: clarification 1st para
--
If God wanted us to work with electrons, He'd make them big enough to see...


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA

reply to nwrickert
Re: Big Sites That Don't Allow Complex Passwords !?!

said by nwrickert:

Do you really think users will change these habits just because their bank happens to allow special characters?

No, it's not a matter of everyone who has accounts with them going back overnight and making their passwords more secure as soon as the change is made. That's unrealistic. It's about users having the option to use better passwords when they create a new account or change their password there.

Contrary to what's been put forth a few times in this thread, there are many users who are both 1) advanced enough to want stronger/more usable passwords, and 2) reluctant (for whatever reason) to move to an encrypted database paradigm.

Those users are legion, and they will benefit from this change over time. Again, that's why the majority of sites on the Internet have already upgraded.

Also, there's another angle here that hasn't been explored. Why shouldn't they add the option? What's the downside? In other words, if this can help just one person (and it will obviously help thousands), wouldn't it be worth the tradeoff? I think so, given the ease with which this can be done programmatically. Really, it's just a matter of laziness on the part of these various organizations. And that's the point of this -- getting them to overcome said laziness.
--
dmiessler.com -- grep understanding knowledge


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA

reply to Blackbird
Re: Sites That Don't Allow Special Characters In Passwords !?!

said by Blackbird:

What it proves to me is that dictionary-attack addressing engines simply do not attack with near the success if one simply incorporates one non-alphanumeric symbol.

Exactly. These attacks are designed for low-hanging fruit. And anything you can do to take your password out of that category (while still keeping it usable) is an improvement. Good example.
--
dmiessler.com -- grep understanding knowledge

dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS

reply to Daniel
FWIW, anyone know if these sites also have length limitations?

They may not be overt; I just noticed that bugzilla (a defect-tracking system) allows any password length, but doesn't actually use more than 8 characters. I noticed this when I made a typo in the 9th...

(I'm not overly concerned by bugzilla. The only risk here is a reputation attack - you can file bugs that look like they come from me.)
--
Microsoft Security MVP, 2005-2007.
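The bugzilla behaviour dave describes (any length accepted, only the first 8 characters used) is the classic silent-truncation failure of traditional DES-based crypt(3). The following is an added example, not code from the post or from bugzilla: a constructed `legacy_hash` that truncates at 8 characters stands in for such a scheme, `modern_hash` is a PBKDF2 comparison, and `effective_length` is a self-test a site operator can run against their own verifier to find out how many leading characters actually matter. The 64-character probe length and the iteration count are assumptions for the demonstration.

```python
import hashlib
import hmac
import os


def legacy_hash(password: str, salt: bytes) -> bytes:
    """Constructed stand-in for a scheme that silently truncates, the way
    traditional DES crypt(3) used only the first 8 password characters."""
    return hashlib.sha256(salt + password[:8].encode()).digest()


def modern_hash(password: str, salt: bytes) -> bytes:
    """Comparison scheme that uses every byte of the password (PBKDF2-HMAC-SHA256;
    the iteration count is kept low for the demo, real deployments use far more)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def effective_length(hash_fn, probe_len: int = 64):
    """Find how many leading characters hash_fn really uses.

    Register a probe password of probe_len identical characters, then flip one
    character at a time: the first position whose flip still verifies is the
    first ignored character, so only the characters before it count.
    Returns that count, or None if every position up to probe_len matters."""
    salt = os.urandom(16)
    base = "a" * probe_len
    stored = hash_fn(base, salt)
    for i in range(probe_len):
        variant = base[:i] + "b" + base[i + 1:]      # differs from base only at index i
        if hmac.compare_digest(hash_fn(variant, salt), stored):
            return i
    return None


if __name__ == "__main__":
    # Constructed run: the legacy scheme is caught at 8, the modern one is not truncated.
    print("legacy_hash uses", effective_length(legacy_hash), "characters")
    print("modern_hash uses", effective_length(modern_hash), "(None = all of them)")
```

A result like 8 (or 72, the input limit of bcrypt) from a verifier you did not write is a sign that the advertised "any length" policy is not what the users are getting, which is worth knowing before telling them to choose longer passwords.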

bluezanetti
Premium
join:2003-10-04

reply to Daniel
said by Daniel:

These attacks are designed for low-hanging fruit. And anything you can do to take your password out of that category (while still keeping it usable) is an improvement. Good example.

Actually, that statement should be generalized for the benefit of anyone who implements extremes in multifaceted security measures... anything aside from a preselected and purposely directed attack is aiming at low hanging fruit. That notion is often lost sight of here and elsewhere.

Blue

sheiny

join:2005-03-13
Turlock, CA


1 edit
reply to Daniel
Are we focusing on the wrong problem? Attempts to guess even simple alphanumeric passwords by brute force should trip off alarms at banking sites long before they have a chance to succeed.
Added: 8 characters, alphanumeric, not case sensitive = 2,821,109,907,456 possibilities


Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
·Verizon Online DSL

said by sheiny:

Are we focusing on the wrong problem? Attempts to guess even simple alphanumeric passwords by brute force should trip off alarms at banking sites long before they have a chance to succeed...

Well... if the "alarm goes off", what does the institution do then - especially if these attacks are a continual real-time phenomenon? If you establish too restrictive a logon policy (eg: 3 failed logons and the account gets blocked), you set everyone's accounts up for the mother of all DOS attacks. There are various intermediate schemes I've seen... eg: 3 failed attempts and the account becomes blocked from further access attempts for 5 minutes, or after 3 failed attempts the site access reverts to asking a personal info question before accepting further attempts for some defined time period. Whether some of these concepts would have major effect on a sophisticated, patient brute force dictionary-attack scheme (other than to slow it down) seems debatable.
--
If God wanted us to work with electrons, He'd make them big enough to see...


SnowyOne
Premium
join:2003-04-05
Kailua, HI
·RoadRunner Cable
·Clearwire Wireless

reply to Daniel
Here's my bank's PW policy (Bank of Hawaii)

"Note: Your Password must be between 6-32 characters in length. It must contain at least 1 alpha and 1 numeric and is case sensitive. Your Password and User ID cannot be the same."

It's a flexible policy that's soon to be backed up with a unique to the account picture & phrase authentication (verification?) scheme. What I think would be a good practice is if these PW protected areas set a minimum PW strength & ran them through an automated password strength checker, rejecting the PW's that don't meet the threshold.
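The policy SnowyOne quotes, written out as a checker of the kind the post suggests (minimum strength threshold, automated rejection). This is an added example, not code from the post, the bank, or this site. It follows the quoted rule (6-32 characters, at least one letter and one digit, case sensitive, password not equal to the user ID), accepts special characters, and goes beyond the quote in two labelled places: it also rejects a password that merely embeds the user ID (the bsmith / bsmith1 case raised later in the thread), and it applies a hypothetical 40-bit floor on the brute-force search space. `search_space` is the same calculation as sheiny's 36^8 figure.

```python
import math
import string

# Constructed policy, modelled on the rule quoted in the post: 6-32 characters,
# at least one letter and one digit, case sensitive, password != user ID.
# Special characters are allowed, which is the point of the thread.
MIN_LEN, MAX_LEN = 6, 32
MIN_BITS = 40.0   # hypothetical strength floor (bits of brute-force search space)


def charset_size(pw: str) -> int:
    """Size of the smallest conventional alphabet covering every character in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # the 32 printable ASCII symbols
    if any(c.isspace() for c in pw):
        size += 1
    return size


def search_space(pw: str) -> int:
    """Candidates an exhaustive attacker must cover for this alphabet and length
    (lower-case letters plus digits, 8 long, gives the 36^8 from earlier in the thread)."""
    return charset_size(pw) ** len(pw)


def brute_force_bits(pw: str) -> float:
    """The same search space expressed in bits."""
    return math.log2(search_space(pw)) if pw else 0.0


def check_password(user_id: str, pw: str) -> list:
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("needs at least one letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs at least one digit")
    if pw == user_id:
        problems.append("password must not equal the user ID")
    elif user_id and user_id.lower() in pw.lower():
        # Beyond the quoted policy: reject a password that embeds the user ID.
        problems.append("password must not contain the user ID")
    bits = brute_force_bits(pw)
    if bits < MIN_BITS:
        problems.append(f"search space only {bits:.1f} bits, policy needs {MIN_BITS:.0f}")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for user, pw in [("bsmith", "bsmith1"), ("alice", "abc123"), ("jdoe", "Tr0ub4dor&3")]:
        print(f"{user!r} / {pw!r}: {check_password(user, pw) or 'accepted'}")
```

The search-space figure is an upper bound on what a blind exhaustive search faces, not a measure of how guessable the word is; a dictionary word with one digit appended still falls to a wordlist long before 36^8 guesses, so the floor should sit alongside a blocklist of common passwords, not replace it.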

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to Daniel
Re: Big Sites That Don't Allow Complex Passwords !?!

I still don't get why this is an important issue. Explain to me how these dictionary attacks are going to first figure out my USER NAME and then figure out my PASSWORD AND THEN SUCCESSFULLY COMBINE THE CORRECT USER NAME AND PASSWORD? Your argument reminds me of the recent thread here yelling the sky was falling in for Linksys router users because the default password is administrator and some folks never bother to change it although Linksys very clearly states that it needs to be changed immediately upon setting up the router. I changed mine but even if I had not, my user name is not easy to figure out by dictionary attack so I thought the whole thread was overblown. There were complaints I think I recall about the length and what is allowed in the Linksys user name and password and I couldn't see what the problem was as no one could demonstrate that it would be easy "low hanging fruit" to use a dictionary attack on a Linksys router to determine first the user name and second the password and then match them up.

So, do you have any evidence of how fast and easily this can be done? Plus, you have continued to side step the fact that banks will lock the account so fast that your head will swirl if you start putting in the wrong user name and/or password. Three simple typos and you, yourself, are locked out. I can't tell you how many times I have gotten locked out of my local bank account because the user name is required to be in all caps and the password must be in mixed case. I got that wrong so many times especially since I can't see what I am typing for the password. I can't call the bank and get reinstated immediately either. There is a three day waiting period unless that has been changed recently. This bank won many awards back in the late 90's early 2000's as being the most secure, best banking site on the internet.

Besides my home bank that I no longer access on the internet as I have no loans or credit cards or savings account with them so I can't do any banking other than looking at my checking account statement and I write only two checks a month so I have little need to look at it before it comes in the mail, I use only two banking sites both of which have excellent protection already. In fact, Chase drives me nuts as does CapitalOne with logging me out not just within 13 minutes which is done even if you are actively using the site at that moment but which logs you out if there is hesitation, stumbling about, all sorts of things get you logged out. There are many protections that we are not really aware of at banking sites.

Again, this is barking up the wrong tree. The banks and business sites where purchases are made need first of all to ALWAYS use a secure login page. I don't see you complaining about that problem. What difference will it make if your password has special characters if you aren't really on the site's secure page when you login?

I suppose you already know the answer to the dslreports login? Our site must allow special characters? Wilders and Castlecops also do this? As I said, I have no idea as I have not changed my password at any of these since I joined 6 years ago here and 5 years ago for the other two sites. You have me curious as if this is so important then I'm sure all three sites allow the special characters and somewhere on these three sites there must be a warning that I have missed telling me to change my password to include special characters...right? Where is the warning for this site?
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/

sheiny

join:2005-03-13
Turlock, CA

reply to Blackbird
Re: Sites That Don't Allow Special Characters In Passwords !?!

said by Blackbird:

Well... if the "alarm goes off", what does the institution do then - especially if these attacks are a continual real-time phenomenon? if you establish too restrictive a logon policy (eg: 3 failed logons and the account gets blocked), you set everyone's accounts up for the mother of all DOS attacks.

For SSL connections you have an IP address you can block. Not trying to minimise the DOS potential but even failing after a few thousand failed logon attempts would negate the effectiveness of brute force attacks. If an attacker can use offline techniques to attack online sites then a majority of passwords will likely fail (50-60 percent).
"Choosing Secure Passwords"
»www.schneier.com/blog/archives/2···ure.html
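The two ideas in the exchange above, Blackbird's "3 failed logons and the account is blocked" versus "blocked for 5 minutes" and sheiny's point that the source IP can be blocked as well, as one added example (not code from either post or from any bank). `LoginGuard` is a constructed, in-memory throttle: `policy="hard"` locks the account permanently after three failures, `policy="soft"` locks it for 300 seconds, and every policy refuses a source IP after 20 failures in an hour. `lockout_dos` shows why the hard lock is the denial-of-service Blackbird warns about, and `guesses_evaluated` counts how many wrong guesses from one address each policy actually checks in an hour. The thresholds, time values and the 203.0.113.x / 198.51.100.x addresses are assumptions from the documentation ranges.

```python
from collections import defaultdict


class LoginGuard:
    """Constructed per-account and per-IP throttle for failed logins.

    policy="hard": lock the account for good after max_fail failures.
    policy="soft": lock the account for lock_seconds after max_fail failures, then reset.
    Any source IP with ip_max_fail failures inside ip_window seconds is refused outright.
    Time is passed in explicitly so the behaviour can be simulated deterministically.
    """

    def __init__(self, policy="soft", max_fail=3, lock_seconds=300,
                 ip_max_fail=20, ip_window=3600):
        if policy not in ("hard", "soft"):
            raise ValueError("policy must be 'hard' or 'soft'")
        self.policy = policy
        self.max_fail = max_fail
        self.lock_seconds = lock_seconds
        self.ip_max_fail = ip_max_fail
        self.ip_window = ip_window
        self.acct_fail = defaultdict(int)        # user -> consecutive failures
        self.acct_locked_until = {}              # user -> unlock time (inf = forever)
        self.ip_fail_times = defaultdict(list)   # ip -> timestamps of recent failures

    def attempt(self, user, ip, password_ok, now):
        """Process one login attempt at time `now` (seconds); returns a status string."""
        recent = [t for t in self.ip_fail_times[ip] if now - t < self.ip_window]
        self.ip_fail_times[ip] = recent
        if len(recent) >= self.ip_max_fail:
            return "ip_blocked"          # refused before the password is even checked
        until = self.acct_locked_until.get(user)
        if until is not None and now < until:
            return "locked"
        if password_ok:
            self.acct_fail[user] = 0
            return "ok"
        self.acct_fail[user] += 1
        recent.append(now)
        if self.acct_fail[user] >= self.max_fail:
            self.acct_fail[user] = 0
            self.acct_locked_until[user] = (float("inf") if self.policy == "hard"
                                            else now + self.lock_seconds)
        return "failed"


def lockout_dos(policy):
    """Someone who knows only the victim's user name sends three wrong passwords.
    Returns what the legitimate owner sees one minute and ten minutes later."""
    g = LoginGuard(policy=policy)
    for t in range(3):
        g.attempt("victim", "203.0.113.9", False, t)        # constructed attacker address
    return (g.attempt("victim", "198.51.100.7", True, 60),   # constructed owner address
            g.attempt("victim", "198.51.100.7", True, 600))


def guesses_evaluated(guard, seconds):
    """Wrong guesses from one address, one per second, that the guard actually checks."""
    return sum(guard.attempt("victim", "203.0.113.9", False, t) == "failed"
               for t in range(seconds))


if __name__ == "__main__":
    print("hard lock, owner after 1 min / 10 min:", lockout_dos("hard"))
    print("soft lock, owner after 1 min / 10 min:", lockout_dos("soft"))
    print("guesses checked per hour, soft lock only:",
          guesses_evaluated(LoginGuard("soft", ip_max_fail=10**9), 3600))
    print("guesses checked per hour, soft lock + IP cap:",
          guesses_evaluated(LoginGuard("soft"), 3600))
```

Under the hard policy the owner stays locked out for as long as the attacker cares to keep sending three bad passwords; under the soft policy the owner is back in after five minutes while the guesser gets 36 attempts an hour against the account, 20 once the per-IP cap applies. That is the "other than to slow it down" Blackbird mentions, and it is the reason the per-account limit has to be combined with a source-based one rather than tightened on its own.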


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
·AT&T U-Verse
·AT&T Midwest

reply to Daniel
I have trouble getting excited that a bank won't allow special characters in a password, when that same bank uses only a 4-digit PIN to protect ATM transactions.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA

said by nwrickert:

I have trouble getting excited that a bank won't allow special characters in a password, when that same bank uses only a 4-digit PIN to protect ATM transactions.

It's not a 4-digit pin. That's the second factor. The first factor is having your card in the first place. So you have to both have the card and have the PIN. That's not weak security, and even if it were it wouldn't be a reason to accept weak security in another area.
--
dmiessler.com -- grep understanding knowledge


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA

reply to Mele20
Re: Big Sites That Don't Allow Complex Passwords !?!

said by Mele20:

I still don't get why this is an important issue. Explain to me how these dictionary attacks are going to first figure out my USER NAME and then figure out my PASSWORD AND THEN SUCCESSFULLY COMBINE THE CORRECT USER NAME AND PASSWORD?

How about when the username is bsmith, and the password is bsmith1? We're not talking about major, complex attacks here. And we're also not just talking about banks. Banks are just one type of site that has this issue.
--
dmiessler.com -- grep understanding knowledge

Mele20
Premium
join:2001-06-05
Hilo, HI

said by Daniel:

How about when the username is bsmith, and the password is bsmith1? We're not talking about major, complex attacks here. And we're also not just talking about banks. Banks are just one type of site that has this issue.

Sure, but then the problem is the user's ignorance/stupidity/laziness. Do you think that the user that fits this profile is going to bother to add a special character to his user name and/or password when he could not be bothered in the first place to use a more difficult user name and password? Who would use their real name in their handle or their password? That doesn't make the slightest bit of sense and even when I was brand new to computers and had no idea this site (security forum) existed and I couldn't understand McAfee 4.2 that came on my computer (bloodhound, heuristics), I certainly knew to never use my real name anywhere on the internet especially not at a banking site when logging in or in Hotmail. The only thing I was taught really before I got a computer was to hide my real identity.

I think what you are really asking for is that computer dummies be forced to get educated about security.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/

dave
Premium,MVM
join:2000-05-04
not in ohio
·Verizon Online DSL
·Verizon FIOS


1 edit
Hold on, just let me tell our trained IT guy that he's an idiot for requiring at least one non-alphanumeric character in all passwords.

I'll get back to you with his response...

Slightly more seriously, it seems quite easy to understand. Allowing more characters gives a greater range of password possibilities, at close to zero cost. Why is it worth arguing against this?

If it's optional, some people will not take advantage of the ability. They are no worse off. Meanwhile, some people are better off. Why is it worth arguing against this?

--
Microsoft Security MVP, 2005-2007.

bluezanetti
Premium
join:2003-10-04

said by dave:

If it's optional, some people will not take advantage of the ability. They are no worse off. Meanwhile, some people are better off. Why is it worth arguing against this?

It's not.

Blue

Mele20
Premium
join:2001-06-05
Hilo, HI

reply to dave
I believe the OP started out complaining that Digg was bad because they don't allow for a special character in their login and the OP said there were a number of big sites like that. Then he sort of switched to banking sites only...kind of two different topics as what banks do with passwords is not at all like regular sites where it doesn't matter that much if your password gets grabbed. We can grab each other's over at bugzilla and have fun confusing the mofo folk...you'd get more embarrassed than I probably because I would likely post not too good bugs under your id and not write them up as well as you would for bugs you posted under mine. Or we could have fun adding each other's email address to a ton of very active bugs and give 10 votes to some dumb bugs, etc. But what real harm would be done by such pranks?

I am not objecting per se to allowing this. I am objecting to the OP's attitude that this is some huge deal and we all need to immediately get behind pushing "derelict" sites to do this as of yesterday. No one has answered my question of whether or not this site, Wilders Security, and Castlecops allow special characters? If they don't are they derelict and have to be pressured immediately? I just took issue with the "sky is falling" attitude of the OP. I also disagree with the OP that everyone except myself memorizes all 200-300 passwords that they have and may change (especially banking ones) every three months.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

»www.msfirefox.com/

Just Basics

join:2003-06-08
Painter, VA
This site does allow special characters.

I try to use special characters in all of my passwords first - they are rejected about 50% of the time.


Bubba17
Less is More
Premium
join:2006-09-21

reply to Daniel
I completely agree with your position for password character-set inclusion. Long ago, I adopted 'program-controlled' management for security vital sites, and more. At this moment, away from my machine, I'm incapable of accessing 95% of the sites of import to me. The 5% committed to memory share a common core, with subtle variations, and character-set allowance punches them to a higher security level.
--
HN7000s|H1(127W)-1110mhz|.98m-2w|Pro+|3.0ghz dual-core|3gig-ram|BFG7800GT-OC-256MB|XP-Pro w/SP2
"Fast is fine, but accuracy is everything." -- Wyatt Earp


Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA

reply to Mele20
said by Mele20:

I just took issue with the "sky is falling" attitude of the OP.

You see what you want to see. All I did was bring the issue up; I didn't ever say it was life or death, or use any other language that would indicate I thought there was a need for panic. If that's what you saw then that's on you. All I did was bring it up. I think your interpretation of "sky is falling" comes from you not getting the point of the post in the first place. Meaning, if anyone even mentions something that in your mind "doesn't matter", then by virtue of it even being brought up it's automatically considered overreacting.
said by Mele20:

I also disagree with the OP that everyone except myself memorizes all 200-300 passwords that they have and may change (especially banking ones) every three months.

That would have been a much better point had I ever said that. But since I didn't, it's not.
--
dmiessler.com -- grep understanding knowledge
Sunday, 06-Dec 07:32:18 | © 1999-2009 dslreports.com