
Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
reply to redxii

Re: P@$$1234: the end of strong password-only security

said by redxii:

I sort of do the same thing, but most of the important websites I use (bank, insurance, etc; they are big names everyone knows) impose asinine limitations, such as low max character limits around 12 and unable to use special characters.

That goes right back to the password lockout policy.
That needs to be factored into the relative strength of a password at a practical or real world level.
I'm not aware of any financial site that doesn't utilize an account lockout policy.
Take a financial site that doesn't have one in place, add a script and a dictionary, and that complex password is a lot less secure than a simple eight character password protected by a lockout policy.


sivran
Seamonkey's back
Premium
join:2003-09-15
Irving, TX
kudos:1

reply to NotTheMama

How many websites actually allow you to use such long passphrases though?



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3

said by sivran:

How many websites actually allow you to use such long passphrases though?

+1. It's long been my experience that the more sensitive the personal data involved (financial, tax submittals, SSA, etc.), the shorter and simpler the passwords used to access the site/accounts must be. It's all upside down! Over the past few months, I've seen some faint signs that's changing, but it still has a long way to go.
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8

Given that we still see sites that have restrictions like "you can't use 'special' characters in a password", there's not a lot of skill invested in some web sites.

(What is 'special' about, say, a dot or comma is beyond my comprehension. Possibly the programmers don't know big words like 'alphanumeric'.)



NotTheMama
What Would Earl Do?

join:2012-12-06
reply to sivran

Email systems seem to be the least restrictive on length. I've yet to find a limit for Google, but I haven't bothered to check for longer than what I prefer to use. My credit union allows maybe half of what I'd prefer. Almost all other sites don't have anything I'm particularly concerned about securing. The restriction, though, doesn't change my method, just reduces the length--I use what they allow.
--
"Face piles of trials with smiles; it riles them to believe that you perceive the web they weave."



Blackbird
Built for Speed
Premium
join:2005-01-14
Fort Wayne, IN
kudos:3
reply to dave

said by dave:

... (What is 'special' about, say, a dot or comma is beyond my comprehension. Possibly the programmers don't know big words like 'alphanumeric'.)

A long time ago I was told that special characters (non-letter/number) were used for field delimiters and control symbols in certain kinds of database structures, so they were forbidden as part of field entries like passwords and such. But that was years ago, and I can't imagine that the state of the art in software design hasn't moved light years beyond such archaic limitations... particularly with something like a password. Perhaps the real reason is that a lot of log-in software still has archaic interface modules that are 15 years or more behind the times...
--
“The American Republic will endure until the day Congress discovers that it can bribe the public with the public's money.” A. de Tocqueville

Mele20
Premium
join:2001-06-05
Hilo, HI
kudos:5

I don't understand why the banks can't get their act together. Chase, apparently, can't recognize a Win 8 computer and thus requires that I go through, EACH TIME, an intricate procedure whereby a code is sent to my email address that I then have to enter, and then do two challenges, etc. (which I already did... but Chase claims my computer has never logged in there because it is Windows 8) and makes me do again. This happens on Fx 10.0.12 ESR. Then there are the separate Opera 12.14 problems at Chase where I can log in (after the same "we don't recognize your computer" hassle), but cannot enter a payment amount that Chase sees and cannot log out at all unless I navigate to the main Chase Online page. As large as Chase is, you would think they could get these problems fixed quickly.
--
When governments fear people, there is liberty. When the people fear the government, there is tyranny. Thomas Jefferson



Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11
reply to antdude

I don't even know my passwords.
They are random gibberish created by the random password generator in KeePass. The only password I'll ever need is my master password and a key file. Simple and highly effective.



Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11
reply to redxii

said by redxii:

I sort of do the same thing, but most of the important websites I use (bank, insurance, etc; they are big names everyone knows) impose asinine limitations, such as low max character limits around 12 and unable to use special characters.

TD Canada Trust is even worse. 8 characters max, one must be a digit.
--
Remember that cool hidden "Graffiti Wall" here on BBR? After the name change I became the "owner", so to speak as it became: Dustyn's Wall »[Serious] RIP

Kearnstd
Space Elf
Premium
join:2002-01-22
Mullica Hill, NJ
kudos:1

reply to Blackbird

said by Blackbird:

said by sivran:

How many websites actually allow you to use such long passphrases though?

+1. It's long been my experience that the more sensitive the personal data involved (financial, tax submittals, SSA, etc), the shorter and simpler the actual passwords must be constructed to access the site/accounts. It's all upside down! Over the past few months, I've seen some faint signs that's changing, but it still has a long way to go.

I find it funny that at my bank I cannot use all but a few select symbols in my password. My World of Warcraft account? I can have the PW be long and effectively contain pretty much everything on my keyboard.

Kinda makes no sense when a video game lets me do more complex passwords than a bank.
--
[65 Arcanist]Filan(High Elf) Zone: Broadband Reports


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6

Has anyone ever heard of a US bank account being compromised via a weak password?
I know that I haven't.
Between phishing, vishing, post-it notes etc... illegal access occurs daily but it has nothing to do with a weak password.
If anything, the password reset function presents a larger risk than current simple password restrictions.
But not to dilute the challenge - Can anyone find a verifiable reference to a US bank account hacked via a dictionary or brute force attack?



Kilroy
Premium,MVM
join:2002-11-21
Saint Paul, MN
reply to Kearnstd

said by Kearnstd:

I find it funny I have a bank, I cannot use all but a few select symbols in my password. My World of Warcraft account? I can have the PW be long and effectively contain pretty much everything on my keyboard.

But did you know case doesn't matter for your World of Warcraft account? So, that cuts out 26 characters.

Snowy, you're just not getting it. Did you even read the article?

said by Deloitte Article:
How do passwords get hacked? The problem is not that a hacker discovers a username, goes to a login page and attempts to guess the password. That wouldn’t work: most web sites freeze an account after a limited number of unsuccessful attempts, not nearly enough to guess even the weakest password.
NO ONE tries to brute force passwords directly, due to incorrect password lockouts.

I agree that password resets are a major problem.
--
“Progress isn't made by early risers. It's made by lazy men trying to find easier ways to do something.” - Robert A. Heinlein


Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6

said by Kilroy:

Snowy, you're just not getting it. Did you even read the article?

Yes, I read the article.
I just didn't get that the scope was framed around
"90% of user generated passwords would fail if the password file were attacked."
If it were, I'd think the title would have been "90% of password files are not secure."

The article would make even less sense if that's what it's about because at the point of attack the password becomes dependent on the strength of the password file.
If it's stored in plain text then it's not 90% that would fail - it would be 100%.

How or if the password is salted would come into play, etc.... There are too many variables to come up with a hard number as they did (90%).

Even if it were about passwords stored in a password file that was subjected to an attack:
1. They should have attacked a plain text file to get a 100% failure rate
2. I'm not aware of any US financial institution that lost their password files - though anything is possible.
3. If their point was a stronger password to offset a lost password file, advocating a best policy in password file encryption would be more practical than changing the habits of 90% of humankind.

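The two attack settings the thread keeps contrasting (Snowy's "simple eight character password protected by a lockout policy" versus cracking a leaked master file offline, where the hashing matters) can be put side by side with a small cost model. This is an added example, not code from the thread or from the Deloitte article; the lockout policy (5 tries per 30 minutes) and the hash rates (1e10/s for a fast unsalted hash, 1e4/s for a deliberately slow one) are assumptions chosen for illustration.

```python
"""Guess-cost model: online guessing throttled by account lockout versus
offline cracking of a leaked password file.  All policy numbers and hash
rates below are assumptions, not measurements."""

SECONDS_PER_DAY = 86_400
DAYS_PER_YEAR = 365


def guess_space(length: int, charset_size: int) -> int:
    """Number of candidates an exhaustive search must cover."""
    return charset_size ** length


def online_guesses_per_day(attempts_per_lockout: int, lockout_minutes: int) -> float:
    """Guess rate against a live login page that locks the account after
    `attempts_per_lockout` failures for `lockout_minutes` (assumed policy)."""
    return attempts_per_lockout * (24 * 60 / lockout_minutes)


def online_days(space: int, attempts_per_lockout: int, lockout_minutes: int) -> float:
    """Worst-case days to exhaust `space` through the login page."""
    return space / online_guesses_per_day(attempts_per_lockout, lockout_minutes)


def offline_days(space: int, hashes_per_second: float) -> float:
    """Offline cracking of a leaked file: no lockout, only hash speed limits it."""
    return space / (hashes_per_second * SECONDS_PER_DAY)


def compare() -> dict:
    # Scenario A: the thread's "simple eight character password", digits plus
    # lowercase (36 symbols), but only reachable through a lockout-protected login.
    simple = guess_space(8, 36)
    # Scenario B: 12 alphanumerics (62 symbols, no "special" characters) in a
    # leaked file, cracked offline with a fast hash and with a slow hash.
    complex_ = guess_space(12, 62)
    return {
        "simple_online_years": online_days(simple, 5, 30) / DAYS_PER_YEAR,
        "simple_offline_fast_days": offline_days(simple, 1e10),
        "complex_offline_fast_years": offline_days(complex_, 1e10) / DAYS_PER_YEAR,
        "complex_offline_slow_years": offline_days(complex_, 1e4) / DAYS_PER_YEAR,
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name}: {value:,.2f}")
```

Under the lockout the weak password takes tens of millions of years to exhaust, while the same password in a leaked fast-hash file falls in minutes; the slow hash, not the character set, is what buys the leaked file its margin.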

Dustyn
Premium
join:2003-02-26
Ontario, CAN
kudos:11

reply to antdude

»www.grc.com/passwords.htm
»www.grc.com/haystack.htm
»www.microsoft.com/en-gb/security···ker.aspx



Snowy
Premium
join:2003-04-05
Kailua, HI
kudos:6
reply to Kilroy

said by Kilroy:

Snowy, you're just not getting it. Did you even read the article?

Aah, it took reading that twice.
I usually just gloss over this type of noise:
"Most organizations keep usernames and passwords in a master file. ...
So far, so secure. However, master files are often stolen or leaked...."

I hope Deloitte is just setting the stage for a breach disclosure rather than actually believing that.
Deloitte's 90% figure still doesn't change any fact.
It's still true that 0% of US banking customers have had their accounts compromised due to a brute force or dictionary attack or even a weak password being cracked via a leaked or stolen password file.
Phishing, vishing, post-it notes, impersonation, forgery, ACH fraud, bank losing master password file.
It doesn't even look right.