Sites That Don't Allow Special Characters In Passwords !?!
nwrickert

reply to Daniel
Re: Big Sites That Don't Allow Complex Passwords !?!

I'm not sure why you see this as a problem.

These days if I want a new web site password, I generate a random bit string of suitable length and then encode that in base64. Finally, I delete the '+' and '/' chars from the result for sites that won't allow those. Oh, yes, I do record the password in an encrypted file.

There is a problem with special characters - some of them are differently encoded depending on the national character set you are using. There is a point to avoiding all characters where there is some potential ambiguity as to how they will be encoded.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10
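The recipe in the post above (random bits, base64, drop '+' and '/') and its point about national character sets, as an added example that is not from the original post. The generator draws 3*length random bytes so the base64 output has no '=' padding and every character is a uniform 6-bit symbol; the encoding helpers show why the stripped, ASCII-only alphabet sidesteps the ambiguity problem: such a password produces the same bytes under UTF-8, Latin-1 and Windows-1252, while a password containing a character like '£' or '€' does not, so a server that hashed one form rejects the other. The function names, the three encodings and the sample passwords are my own assumptions, and plain SHA-256 stands in for whatever hash a real site uses.

```python
import base64
import hashlib
import secrets
import string

# base64's alphabet with '+' and '/' removed: 62 symbols, all plain ASCII.
SAFE_ALPHABET = string.ascii_letters + string.digits

# Encodings a browser might use to submit a login form (assumed for the demo).
ENCODINGS = ("utf-8", "latin-1", "cp1252")


def make_password(length: int = 16) -> str:
    """Random bytes -> base64 -> drop '+' and '/' -> truncate to `length`.

    3*length bytes give 4*length base64 characters with no '=' padding, so
    each character is a uniform 6-bit symbol.  Dropping '+' and '/' is
    rejection sampling: the survivors are uniform over 62 symbols and each
    still carries log2(62) ~= 5.95 bits.
    """
    out = ""
    while len(out) < length:
        raw = base64.b64encode(secrets.token_bytes(3 * length)).decode("ascii")
        out += raw.replace("+", "").replace("/", "")
    return out[:length]


def encode_variants(password: str) -> dict:
    """Bytes the same password becomes under each encoding (None if unencodable)."""
    variants = {}
    for enc in ENCODINGS:
        try:
            variants[enc] = password.encode(enc)
        except UnicodeEncodeError:
            variants[enc] = None
    return variants


def encodes_identically(password: str) -> bool:
    """True when every encoding yields the same bytes, i.e. the wire form is unambiguous."""
    forms = set(encode_variants(password).values())
    return None not in forms and len(forms) == 1


def login_succeeds(password: str, registered_with: str, submitted_with: str) -> bool:
    """Does a login succeed when registration and login used different encodings?

    SHA-256 is only a stand-in for the site's real password hash; the point is
    that any hash sees bytes, not characters.
    """
    stored = hashlib.sha256(password.encode(registered_with)).hexdigest()
    try:
        submitted = hashlib.sha256(password.encode(submitted_with)).hexdigest()
    except UnicodeEncodeError:
        return False
    return stored == submitted


if __name__ == "__main__":
    pw = make_password(20)
    print(pw, encodes_identically(pw))
    # Constructed sample containing '£' (U+00A3): two byte forms, one rejected login.
    print(encode_variants("pa\u00a3sword"))
    print(login_succeeds("pa\u00a3sword", "utf-8", "latin-1"))
```

Generating a few extra characters and truncating keeps the length fixed despite the stripping; the only cost of the smaller alphabet is about 0.05 bits per character, which is why a 20-character result is still far beyond anything an online guessing attack can cover.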


Daniel

said by nwrickert:

I'm not sure why you see this as a problem.
It's a problem because humans are better at remembering shorter passwords, and the use of more character sets allows one to add security while keeping length down.

So, ArdV4rk! is arguably a much better password than woof20slf02ld9dlw0 because the former is both sufficiently complex to thwart most guessing attacks but still short enough to remember easily.

For high security sites you probably shouldn't use memorable passwords at all, but it's not practical for most people to try and use a password manager for every single site they visit; and that's the focus of this point.

Far too many sites limit the usability vs. security tradeoff by not allowing special character sets in their passwords. It forces users to either 1) use easily guessable passwords, or 2) use longer ones that are forgotten more easily.
--
dmiessler.com -- grep understanding knowledge
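To put numbers on the comparison in the reply above, here is an added example that is not part of the original post: it computes the exhaustive-search work for each password over the smallest standard alphabet that covers it, and the length a password restricted to lowercase letters and digits needs to match the shorter, special-character one. The alphabet names and function names are my own.

```python
import math
import string

# Candidate alphabets, smallest first, as a brute-forcer would choose them.
ALPHABETS = {
    "lowercase+digits": string.ascii_lowercase + string.digits,                        # 36 symbols
    "letters+digits": string.ascii_letters + string.digits,                            # 62 symbols
    "all printable ASCII": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}


def smallest_alphabet(password: str) -> str:
    """Name of the smallest alphabet above that contains every character of the password."""
    for name, chars in ALPHABETS.items():
        if all(c in chars for c in password):
            return name
    raise ValueError("password contains characters outside printable ASCII")


def brute_force_bits(password: str) -> float:
    """log2 of the exhaustive search space: length * log2(alphabet size)."""
    return len(password) * math.log2(len(ALPHABETS[smallest_alphabet(password)]))


def length_for_bits(bits: float, alphabet_name: str) -> int:
    """Shortest length over the named alphabet whose search space is at least 2**bits."""
    return math.ceil(bits / math.log2(len(ALPHABETS[alphabet_name])))


def compare(short_complex: str, long_simple: str) -> dict:
    """Bits for both passwords, plus how long the simple one must be to match the complex one."""
    target = brute_force_bits(short_complex)
    return {
        "short_complex_alphabet": smallest_alphabet(short_complex),
        "short_complex_bits": round(target, 1),
        "long_simple_alphabet": smallest_alphabet(long_simple),
        "long_simple_bits": round(brute_force_bits(long_simple), 1),
        "simple_length_to_match": length_for_bits(target, smallest_alphabet(long_simple)),
    }


if __name__ == "__main__":
    # The two passwords from the post above.
    for key, value in compare("ArdV4rk!", "woof20slf02ld9dlw0").items():
        print(f"{key}: {value}")
```

The result is about 52 bits for the 8-character mixed password and about 93 bits for the 18-character lowercase-plus-digits one, with 11 lowercase-plus-digit characters enough to match the 8-character one; forbidding special characters therefore costs roughly three extra characters at that strength. Both figures count only exhaustive search. A password built from a dictionary word with leet substitutions and a trailing punctuation mark falls to a wordlist-plus-rules attack long before exhaustive search does, so the 52 bits is an upper bound for that style of password, whereas a randomly generated string has no such shortcut.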


nwrickert

said by Daniel:

It's a problem because humans are better at remembering shorter passwords, ...
The idea of remembering passwords went out the window once web sites started wanting passwords. It is unmanageable.

I keep only a very few remembered passwords. One of those is the passphrase I need to access my encrypted password database. And once one starts storing passwords in a database, there is no longer a need to keep them short.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10


Daniel

said by nwrickert:

It's a problem because humans are better at remembering shorter passwords, ...
The idea of remembering passwords went out the window once web sites started wanting passwords. It is unmanageable.
Your argument is invalid simply because over 95% of users still do manage their own passwords. That's a guess, but it's actually probably closer to 99%. We have to solve the problems we have, not the problems we should have or wish we had.
--
dmiessler.com -- grep understanding knowledge


nwrickert

said by Daniel:

Your argument is invalid simply because over 95% of users still do manage their own passwords.
I manage my own passwords. Storing them in a file, and encrypting that file is part of how I manage them.

I just checked. I have 55 entries in that file, and I shun most web sites that require passwords. Nobody can remember that many.

If they actually are trying to remember 55 passwords, then they are probably using very weak passwords and re-using the same password for many sites. And if they are doing that, they have a more serious problem than the one you suggested in your OP.
--
AT&T dsl; Westell 2200 modem/router; SuSE 10.1; firefox 1.5.0.10


Daniel

said by nwrickert:

Your argument is invalid simply because over 95% of users still do manage their own passwords.
If they actually are trying to remember 55 passwords, then they are probably using very weak passwords and re-using the same password for many sites. And if they are doing that, they have a more serious problem than the one you suggested in your OP.
Well, that is the reality we're facing. The question is, how do we mitigate some of this risk? It's a lot harder to get users to change their habits than it is to get a single site that handles millions of accounts to change theirs.

I agree it's not a real solution, but nothing in security ever is. It's about reducing risk, and if we can add ANY significant amount of complexity to the incredibly weak passwords that most people use, we'll have accomplished something. Hence my OP.
--
dmiessler.com -- grep understanding knowledge

Mele20
reply to Daniel
Why are you trying to remember passwords? I use no password manager, I never allow Fx to remember passwords. I write them all down (a different one for each site) in two paper files...one for normal sites and one for banking sites. I generally meet my friends away from my home because of no parking for guests here and they don't want to park on the street because this is a heavily traveled beach street with lots of drunks/speeders/pakalolo-high drivers hitting poles and cars. My point being that I don't have to hide the password folders since I am usually the only one in this condo.

I would never be able to remember any password that had characters other than numbers and letters, and those would need to be too simple for safety for me to be able to remember them...memory deteriorates with age, so it is not realistic to tell older folks that they need to use special characters in passwords, memorize them all, change them every three months and then memorize them again. I rely on my bank to shut out anyone, including myself, after three tries. My home bank has a very elaborate procedure for how one gets one's account accessible again after being locked out. My other home bank is even more of a hassle...you have to apply in writing via snail mail for a new password, which is mailed after two to three weeks. You have no access to your account online during that waiting period. Why are these methods, that are in place at most banks, so poor security wise? I suppose if you choose JohnDoe1 as your password that might be easily guessed in three tries, but most folks know to use something like 5s69bbl0gz6u3 as a password and I don't believe that is likely to be guessed in three tries before the bank locks the account.

As for AARP, in this day and age requiring an SS number is criminal. Of course, all banks and credit card issuers still require the number instead of asking for the driver license number or something else...birth certificate, etc.
--
"If you want to do DRM on a PC then you need to treat the user as the enemy." Ross Anderson in "`Trusted Computing' Frequently Asked Questions"

www.msfirefox.com/
Wednesday, 02-Dec 20:35:32 | © 1999-2009 dslreports.com