07108968

join:2012-12-11
North Coast
reply to antdude

Re: Who's using 'password' as a password? TOO MANY OF YOU!

Too many use the same password for everything or a password that is too easy to guess.


cableties
Premium
join:2005-01-27
I'll tell you one thing that is frustrating on passwords: now that I use a serious (strong) pwd generator, am I the only one who finds that many of the financial institutions (banking, CU, stocks, merchants...) are inadequate, with a 16 character limit? And some not even allowing non-alphanumerics like "?" or "_" or "!" symbols!

Where I work, we can use sentences or random words separated by spaces or symbols.

No wonder we get hacked. 6-16 character limits. I don't think these sites/places take our finances and information seriously...
--
Splat

TheMG
Premium
join:2007-09-04
Canada
kudos:3
said by cableties:

No wonder we get hacked. 6-16 character limits. I don't think these sites/places take our finances and information seriously...

16 character limit is fine as long as the website or service in question limits the number of unsuccessful attempts, which most if not all banks do.

For instance, the bank I'm with will lock you out after 3 successive login failures. After that, you need to contact the bank by phone or in person and verify your identity to have the password reset.

This means an attacker has 3 chances to get it right. In other words, as long as the password isn't guessable, it doesn't matter that the password isn't insanely long.

The only effective attack method when the number of unsuccessful attempts in a given time period is greatly limited would be a dictionary attack. So as long as the password isn't guessable, you're good.

Very lengthy passwords are important mostly when the rate at which attempts can be made is very high or unlimited. File or hard drive encryption is a good example of that. The speed at which someone can brute-force encrypted data is only dependent on how much processing resources are available to the attacker.

In most cases when someone's online account to a website gets "hacked", it's as a result of one of the following:

A) keylogger
B) dictionary attack
C) vulnerability in the site's code or server
D) poor website security policy, allowing the attacker to perform a password reset
E) social engineering
F) using the same password for more than one site (and the password at another site gets compromised)

Brute forcing of online accounts is a relatively rare thing, as it would take nearly forever, even for a seemingly short 16 character password. Assuming the web site in question imposes no limits on failed login attempts, internet latency (ping) alone would make the process take years/decades, not to mention you'd probably unintentionally DDoS the web server in the process. Besides, if the website administrator did his job, such malicious activity should raise a red flag pretty quickly.

07108968

join:2012-12-11
North Coast
reply to cableties
In most cases the issue isn't character limit but the password itself, people like to pick passwords that are easy to remember which makes them easier to guess.

Other "common" passwords are grand-children's names, and pet's names.
Passwords shouldn't be real words, but if they are they should be mixed upper and lower case, maybe mixed with numbers within.

You have 52 alphabet characters, 10 numbers, maybe 10+ special characters, most banks and such give you three "tries" then you are locked out.

Too many want to use the same password for everything so it is easier to remember, sometimes they will even use the same screen name too.

Those with the resources to "brute force" a 16 character password are not going to waste the time required on a personal bank account, those are usually guessed or the person is tricked into giving it out.


Ian
Premium
join:2002-06-18
ON
kudos:3
said by 07108968:

Those with the resources to "brute force" a 16 character password are not going to waste the time required on a personal bank account, those are usually guessed or the person is tricked into giving it out.

There isn't anyone in the world who qualifies.

Assuming 100 trillion guesses per second, it would still take 1.41 hundred million centuries to brute-force a 16 digit password.
--
“Any claim that the root of a problem is simple should be treated the same as a claim that the root of a problem is Bigfoot. Simplicity and Bigfoot are found in the real world with about the same frequency.” – David Wong
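The arithmetic behind the posts above (07108968's 52 letters + 10 digits + 10 or so symbols and three tries before lockout, Ian's 100 trillion guesses per second against a 16 character password), as an added worked example that is not part of the thread. The alphabet sizes and the 3-attempt lockout are assumptions taken from the posts; the 95 printable ASCII figure is an assumption used to reproduce Ian's estimate.

```python
import math

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600

# Alphabet sizes mentioned or implied in the thread (assumed, not site data).
ALPHABETS = {
    "digits only": 10,
    "letters only": 52,
    "letters+digits": 62,
    "letters+digits+10 symbols": 72,  # 07108968's "maybe 10+ special characters"
    "printable ASCII": 95,            # assumed basis of Ian's figure
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password of that length."""
    return length * math.log2(alphabet_size)


def offline_exhaust_centuries(alphabet_size: int, length: int,
                              guesses_per_second: float) -> float:
    """Worst-case time to try every candidate offline (stolen hash or
    encrypted file), where only attacker hardware limits the rate."""
    return keyspace(alphabet_size, length) / guesses_per_second / SECONDS_PER_CENTURY


def online_success_probability(alphabet_size: int, length: int,
                               attempts_before_lockout: int) -> float:
    """Chance a random-guessing attacker hits a uniformly random password
    within the attempts a lockout policy allows (TheMG's bank: 3)."""
    return attempts_before_lockout / keyspace(alphabet_size, length)


def report(length: int = 16, rate: float = 1e14, lockout: int = 3) -> dict:
    """Summarise every alphabet at the thread's parameters; values only."""
    return {
        name: {
            "bits": round(entropy_bits(size, length), 1),
            "offline_centuries": offline_exhaust_centuries(size, length, rate),
            "online_p_success": online_success_probability(size, length, lockout),
        }
        for name, size in ALPHABETS.items()
    }


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:28s} {row['bits']:6.1f} bits  "
              f"{row['offline_centuries']:.3g} centuries offline  "
              f"p(online)={row['online_p_success']:.3g}")
```

The 95-character row lands at roughly 1.4 hundred million centuries, matching Ian's figure; the same code with a short dictionary size in place of `keyspace` shows why three tries are plenty when the password is a guessable word.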