cableties
Premium Member
join:2005-01-27
to 07108968

Re: Who's using 'password' as a password? TOO MANY OF YOU!

I'll tell you one thing that is frustrating about passwords, now that I use a serious (strong) password generator: am I the only one who finds that many financial institutions (banking, CU, stocks, merchants...) are inadequate, with a 16-character limit? And some don't even allow non-alphanumerics like "?" or "_" or "!" symbols!

Where I work, we can use sentences or random words separated by spaces or symbols.

No wonder we get hacked. 6-16 character limits. I don't think these sites/places take our finances and information seriously...

TheMG
Premium Member
join:2007-09-04
Canada

said by cableties:

No wonder we get hacked. 6-16 character limits. I don't think these sites/places take our finances and information seriously...

A 16-character limit is fine as long as the website or service in question limits the number of unsuccessful attempts, which most if not all banks do.

For instance, the bank I'm with will lock you out after 3 successive login failures. After that, you need to contact the bank by phone or in person and verify your identity to have the password reset.

This means an attacker has 3 chances to get it right. In other words, as long as the password isn't guessable, it doesn't matter that the password isn't insanely long.

The only effective attack method when the number of unsuccessful attempts in a given time period is greatly limited would be a dictionary attack. So as long as the password isn't guessable, you're good.

Very lengthy passwords are important mostly when the rate at which attempts can be made is very high or unlimited. File or hard drive encryption is a good example of that. The speed at which someone can brute-force encrypted data is only dependent on how much processing resources are available to the attacker.

In most cases when someone's online account on a website gets "hacked", it's as a result of one of the following:

A) keylogger
B) dictionary attack
C) vulnerability in the site's code or server
D) poor website security policy, allowing the attacker to perform a password reset
E) social engineering
F) using the same password for more than one site (and the password at another site gets compromised)

Brute forcing of online accounts is a relatively rare thing, as it would take nearly forever, even for a seemingly short 16-character password. Assuming the web site in question imposes no limits on failed login attempts, internet latency (ping) alone would make the process take years/decades, not to mention you'd probably unintentionally DDoS the web server in the process. Besides, if the website administrator did his job, such malicious activity should raise a red flag pretty quickly.
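The lockout policy TheMG describes, worked through as an added example (this is not code from the post or from any bank): three successive failures lock the account, only an out-of-band reset clears it, and so a dictionary attacker gets exactly three guesses evaluated no matter how long the wordlist is. The account names, passwords and wordlist are constructed for the illustration.

```python
"""Account lockout after a fixed number of failed logins.

Added illustration (not code from the forum post or from any bank) of the
policy TheMG describes: three successive failures lock the account, and only
an out-of-band identity check (phone or branch) can reset it. Account names,
passwords and the attacker's wordlist below are constructed for the example.
"""
import hashlib
import hmac
import secrets

MAX_FAILURES = 3  # the bank in the post locks after 3 successive failures


class LockedOut(Exception):
    """Raised for every login once the account is locked, right password or not."""


class Account:
    def __init__(self, password: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.digest = self._hash(password)
        self.failures = 0
        self.locked = False

    def _hash(self, password: str) -> bytes:
        # Salted, iterated hash; iteration count kept low so the demo runs fast.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 10_000)

    def login(self, attempt: str) -> bool:
        if self.locked:
            raise LockedOut("account locked; verify your identity with the bank")
        if hmac.compare_digest(self._hash(attempt), self.digest):
            self.failures = 0  # a good login clears the counter
            return True
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked = True
        return False

    def reset_by_bank(self, new_password: str) -> None:
        """Stands in for the phone/in-person identity check and password reset."""
        self.digest = self._hash(new_password)
        self.failures = 0
        self.locked = False


def online_attack(account: Account, wordlist: list) -> tuple:
    """Dictionary attack over the wire: guess in order until success or lockout.

    Returns (succeeded, guesses_that_were_evaluated). With MAX_FAILURES = 3 the
    attacker never gets a fourth guess evaluated, however long the wordlist.
    """
    guesses = 0
    for guess in wordlist:
        try:
            ok = account.login(guess)
        except LockedOut:
            break
        guesses += 1
        if ok:
            return True, guesses
    return False, guesses


# Constructed wordlist, most common guesses first, as a dictionary attack would try them.
WORDLIST = ["password", "123456", "qwerty", "letmein", "Fluffy2012", "monkey"]


def demo() -> dict:
    weak = Account("qwerty")               # in the attacker's first three guesses
    guessable = Account("Fluffy2012")      # pet's name plus year, but fifth in the list
    strong = Account("v7$Kq2!pLz9#Rm4W")   # 16 characters from a generator

    results = {
        "weak": online_attack(weak, WORDLIST),            # (True, 3)
        "guessable": online_attack(guessable, WORDLIST),  # (False, 3): locked before guess 5
        "strong": online_attack(strong, WORDLIST),        # (False, 3)
    }
    # Once locked, even the correct password is refused until the bank resets it.
    try:
        strong.login("v7$Kq2!pLz9#Rm4W")
        results["locked_until_reset"] = False
    except LockedOut:
        results["locked_until_reset"] = True
    strong.reset_by_bank("Zt4&hm9Qw2#Lp8Xv")
    results["after_reset"] = strong.login("Zt4&hm9Qw2#Lp8Xv")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The "guessable" case is the one worth noticing: a pet's-name-plus-year password would fall to a longer dictionary run, but the lockout cuts the attacker off after the third wrong guess, so only the handful of guesses that fit in that budget matter. The flip side, also shown, is that the legitimate owner is locked out too until the reset.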

07108968 (banned)
Member
join:2012-12-11
North Coast
to cableties

In most cases the issue isn't the character limit but the password itself; people like to pick passwords that are easy to remember, which makes them easier to guess.

Other "common" passwords are grand-children's names, and pet's names.
Passwords shouldn't be real words, but if they are, they should use mixed upper and lower case, maybe with numbers mixed in.

You have 52 alphabet characters, 10 numbers, and maybe 10+ special characters; most banks and such give you three "tries" and then you are locked out.

Too many want to use the same password for everything so it is easier to remember, sometimes they will even use the same screen name too.

Those with the resources to "brute force" a 16 character password are not going to waste the time required on a personal bank account, those are usually guessed or the person is tricked into giving it out.

Ian1
Premium Member
join:2002-06-18
ON

said by 07108968:

Those with the resources to "brute force" a 16 character password are not going to waste the time required on a personal bank account, those are usually guessed or the person is tricked into giving it out.

There isn't anyone in the world who qualifies.

Assuming 100 trillion guesses per second, it would still take 1.41 hundred million centuries to brute-force a 16-digit password.