UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.

  #41   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 643
Default ; TOT; Piggin passwords

On Wednesday, February 10, 2016 at 2:49:55 AM UTC, Rod Speed wrote:
"Graham." wrote in message
...


I just use a very decent password manager and form filler that
allows you to only enter your info once and then it will fill in
any form you like in any browser, manage your passwords
completely, invent them as complex as you like, and which
uses a single master password that you need to enter
manually to use it, and keeps the completely encrypted
database in synch across all the devices you own.

Great when you start ordering from a new online seller etc.

What happens when you upgrade to a new computer?

Jonathan
#42

On Wednesday, 10 February 2016 00:34:05 UTC, Dave Plowman (News) wrote:
In article ,
Jonno wrote:
Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.


Barclays have used that for ages. A drop down menu. But perhaps they
expect most people with a bank account can spell.


what does spelling have to do with it the best passwords aren't spellable
they even tell you not to use words in teh dictonary, how many wordss can you spell that arn't in the dictionary that yuo can remmeber.

who can;t remebr how to spell password.

but what if your password was psswrdao
as a clue to the clueless I used this system for a while .
you take a known name/word you can spell and remember but use consonants 1st, then add the vowels at the end.
or vice versa. Or how about turning your keyboard upside down, but this might only work if you are a touch typist.



#43

On Wednesday, 10 February 2016 00:48:07 UTC, Graham. wrote:
On Wed, 10 Feb 2016 00:31:38 -0000, Sam Plusnet wrote:

In article ,
says...

I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.

Recently some site insist on having numbers as well, so I've had to add one.

Now the bloody things want an upper case letter as well!

Didn't they ask for a non-alphanumeric character as well?

Not trying hard enough.


One of your competitors, who supplies me with calls on my landline,
asks for my web passworm as one of their security questions when I
call their helpdesk. I have written to their CEO pointing out the
error of their ways.
In the meantime, I have changed my passworm to neveraskforpassword in
order to make a point if I am asked again.

Probably should have ROTted that ;-)

That's an idea ROTted passworms, does anyone do that?



Didn't a consumer show have someone complaining that their bank wouldn't allow them to use an obscene password, well **** them I'd say.

#44

On Wed, 10 Feb 2016 11:22:44 +1100, "Blanco"
wrote:



"ss" wrote in message
...
On 09/02/2016 23:11, Jonno wrote:
David Lang scribbled


I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.

Recently some site insist on having numbers as well, so I've had to add
one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

Surely it's my choice, not some bell end running a web site?



Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.

I have so many passwords now that I can't remember that I have to write
them down or put on a spreadsheet, not the best security.


A decent password manager fixes that problem

That way you only have to remember the master
password or use a fingerprint sensor etc for that.


The password manager concept is also being pulled apart. Mine can
generate passwords but they often are not accepted by the host.

I can copy username and password to clipboard but increasingly sites
do not allow these to be pasted.

Whilst I may know my passphrases fairly well I find it a struggle to
pick out the 3rd, 7th and 9th characters without writing it down -
though I have them written down in my password manager with the
position type above, though the editor is not fixed font so another
pain.

Other sites require the entry to be via their little keyboard which
jumbles the numbers up so I have to look for each one in a weird
position.

And as a part of extra security my password manager will not accept
biometric finger print access - no doubt for fear that someone has
pinched my finger for nefarious purposes.

I do try to have different passwords for different sites especially
where banking/finance are involved.

I'm with the OP on this. It's becoming a PITA and I hope someone
comes up with a better way.



--
AnthonyL
#45

On Wednesday, 10 February 2016 07:43:41 UTC, Mike Barnes wrote:
Jonno wrote:
Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.


Those would be so much easier, if they presented a "fill in the blanks"
form rather than telling us the digit positions.


my bank has that system. I wish visa verification was like that.


E.g. instead of presenting us with something like this, where ?
represents an input field:

Enter the 1st, 4th, 5th and 8th characters: ? ? ? ?

they could present us with:

Enter the requested characters: ? - - ? ? - - ?





#46

On Wed, 10 Feb 2016 10:23:43 +0000, charles wrote:

I count on my fingers since mine has 13 characters.


You're from Norfolk?
#47

On 10/02/2016 07:41, Mike Barnes wrote:
Jonno wrote:
Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.


Those would be so much easier, if they presented a "fill in the blanks"
form rather than telling us the digit positions.

E.g. instead of presenting us with something like this, where ?
represents an input field:

Enter the 1st, 4th, 5th and 8th characters: ? ? ? ?

they could present us with:

Enter the requested characters: ? - - ? ? - - ?

But that would require a level of user focus that seems to be lacking in
the current generation of software designers.


It would also be poorer security, since it discloses the length of the
secret word, which may be all an attacker needs to select one of several
possible options.

It's the same reason that when you fail to log into a system it does not
(or at least should not) distinguish between an unknown account name and
a wrong password - thus preventing giving useful information to an
attacker.


--
Cheers,

John.

/================================================== ===============\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\================================================= ================/
#48

In article ,
Andy Burns wrote:
Dave Plowman (News) wrote:


Jonno wrote:

Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.


Barclays have used that for ages.


Not for me they don't, I logon using my surname, sortcode and account
number which are burnt into my brain having been the same for 30+ years,
plus a one time code generated from my smartphone (or a PIN sentry
device plus my debit card).


What - details anyone could know from a cheque, etc?

The old way - which still works here - is surname, online banking
membership number, passcode number and memorable word. The memorable word
bit asks for a random two letters from it, using a drop down menu.

The only details of which that would be easy to find being the surname.

Or, of course, the PIN sentry device.

--
*Why is the time of day with the slowest traffic called rush hour?

Dave Plowman London SW
To e-mail, change noise into sound.
#49

In article ,
Andy Burns wrote:
Some of the worst websites simply store your password on their servers
exactly as you type it, so their administrators don't need to guess it,
they can see it, they usually know your email address too, so they
*could* take your password home on a memory stick and try logging into
eBay/facebook/banks etc. Given their crappy security practices they are
probably more likely to get hacked and your password ends up in
China/India/Russia ...


Surely most would realise whether it could cost you if your password was
found out or not? Only an idiot would use the same password for a bank
account etc as Facebook.

Except, of course for paranoids like the turnip. Those who think
themselves so important that the world is interested in their tiniest
detail.

--
*Save the whale - I'll have it for my supper*

Dave Plowman London SW
To e-mail, change noise into sound.
#50

On Wednesday, 10 February 2016 08:24:14 UTC, The Natural Philosopher wrote:
On 10/02/16 01:40, F Murtz wrote:

I end up with extremely rude vulgar passwords in the end because of
this practice.
It is self defeating because everyone is writing their passwords down
and carrying them with them because it is becoming impossible to
remember them.



The point about a password manager is this:

If any one of your passwords that you use online is nicked, it doesn't
compromise any others.


unless it's the one used for the password manager.


Since you never use the master password except to unlock the password
manager, it is unlikely that anyone will get to know it.


unless they nick the device you use for whatever.


Since the encrypted passwords are held on only one machine, it's unlikely
they will be hacked and cracked either


what happens if that machine dies, or gets stolen.


This is the only way to ameliorate this habit of having totally
different password requirements on sites.


My system works I have a 'crib' sheet written in a particular app
which has all my passwords stored cryptically.
so if you found out that

Ferritors monthly, users name dave, password "61"

how would you get to my Ferritors monthly subscription ?
what would you type for the password ?

but when I've forgotten my password I go to that document, type in my master password and I see the number 61, and then I remember.....
as a kid at school, me and my mates had codes.
And rather than say to my mates corrrr.. look at the arse on that...
I'd wink and say sixty-one and nod in a direction which actually means
look at her/that "sexybum".

sort of cockney slang.

of course you might not know that any password I use for financial stuff such as buying/selling I always spell in reverse or I always add 01 to the beginning or at the end or I use a "-" every 3 characters or it always ends in uppercase.

If you have a reasonable memory and can set yourself rules then having lots of passwords isn't as big a problem as it might seem.



#51

In article ,
whisky-dave wrote:
Barclays have used that for ages. A drop down menu. But perhaps they
expect most people with a bank account can spell.


what does spelling have to do with it the best passwords aren't
spellable they even tell you not to use words in teh dictonary, how many
wordss can you spell that arn't in the dictionary that yuo can remmeber.


who can;t remebr how to spell password.


I rest my case. ;-)

--
*Suicidal twin kills sister by mistake.

Dave Plowman London SW
To e-mail, change noise into sound.
#52

On 10/02/2016 11:22, John Rumm wrote:
On 10/02/2016 07:41, Mike Barnes wrote:
Jonno wrote:
Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.


Those would be so much easier, if they presented a "fill in the blanks"
form rather than telling us the digit positions.

E.g. instead of presenting us with something like this, where ?
represents an input field:

Enter the 1st, 4th, 5th and 8th characters: ? ? ? ?

they could present us with:

Enter the requested characters: ? - - ? ? - - ?

But that would require a level of user focus that seems to be lacking in
the current generation of software designers.


It would also be poorer security, since it discloses the length of the
secret word, which may be all an attacker needs to select one of several
possible options.


Several banking sites do something like that - Santander for instance.

Whereas Lloyds offer three drop down boxes to choose a character from.

It's the same reason that when you fail to log into a system it does not
(or at least should not) distinguish between an unknown account name and
a wrong password - thus preventing giving useful information to an
attacker.


Although it is damned annoying when the problem is that CAPS LOCK is on.

It could halve the password space to give away that information but
OTOH the only person likely to do this is the owner of the password!

--
Regards,
Martin Brown
#53

Dave Plowman (News) wrote:

Andy Burns wrote:

I logon [to Barclays] using my surname, sortcode and account
number which are burnt into my brain having been the same for 30+ years,


What - details anyone could know from a cheque, etc?


The surname/sortcode/account is used to identify *not* to authenticate.

The smartphone needs a fingerprint to unlock, the banking app (or
pinsentry plus debit card) needs a pin before it generates the code,
which is what authenticates.

#54

On Wednesday, 10 February 2016 11:22:11 UTC, John Rumm wrote:
On 10/02/2016 07:41, Mike Barnes wrote:
Jonno wrote:
Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.


Those would be so much easier, if they presented a "fill in the blanks"
form rather than telling us the digit positions.

E.g. instead of presenting us with something like this, where ?
represents an input field:

Enter the 1st, 4th, 5th and 8th characters: ? ? ? ?

they could present us with:

Enter the requested characters: ? - - ? ? - - ?

But that would require a level of user focus that seems to be lacking in
the current generation of software designers.


It would also be poorer security, since it discloses the length of the
secret word,


And I don't understand why they do that, it's unnecessary: most people, if they know their password, also know the length, so why not use the whole screen for blank characters like you have on forms.

which may be all an attacker needs to select one of several
possible options.


Yes. But I still think sitting at a computer (especially a public one) and mumbling your password while counting on your fingers is far less secure.



It's the same reason that when you fail to log into a system it does not
(or at least should not) distinguish between an unknown account name and
a wrong password - thus preventing giving useful information to an
attacker.




#55

Dave Plowman (News) wrote:

Surely most would realise whether it could cost you if your password
was found out or not?


Well the O/P did say he's used "the same password for years", and I
doubt he's alone in that, I was just explaining why it doesn't matter
how unguessable he thinks the password is, as he can't be sure nobody
else sees or stores it ...

Only an idiot would use the same password for a bank account etc as
Facebook.


TMH, I'll hold your coat!



#56

Jonno wrote:
Jethro_uk scribbled


3) If cloud based, you can access your passwords anywhere in the world.


How secure is the 'cloud' ?


That is my main issue with stuff on the cloud. If someone has direct
access to the 'cloud computer' then they're in an excellent position
to brute force your password [manager].

I share my encrypted secure (passwords and other things) files
directly between my laptop and my desktop machines. Whenever the
laptop is at home the files are synchronised. Thus I have the
encrypted files with me just about all of the time.

If I'm away without my laptop then I can ssh to my home desktop
machine (two step process via another site, access not allowed
directly to my home machine) and look at the encrypted files that way.
I have an ssh client on my tablet and my phone.

--
Chris Green
#57

On 10/02/2016 11:45, whisky-dave wrote:
On Wednesday, 10 February 2016 08:24:14 UTC, The Natural Philosopher wrote:
On 10/02/16 01:40, F Murtz wrote:

I end up with extremely rude vulgar passwords in the end because of
this practice.
It is self defeating because everyone is writing their passwords down
and carrying them with them because it is becoming impossible to
remember them.



The point about a password manager is this:

If any one of your passwords that you use online is nicked, it doesn't
compromise any others.


unless it's the one used for the password manager.


Since you never use the master password except to unlock the password
manager, it is unlikely that anyone will get to know it.


unless they nick the device you use for whatever.


Since the encrypted passwords are held on only one machine, it's unlikely
they will be hacked and cracked either


what happens if that machine dies, or gets stolen.


This is the only way to ameliorate this habit of having totally
different password requirements on sites.


My system works I have a 'crib' sheet written in a particular app
which has all my passwords stored cryptically.
so if you found out that

Ferritors monthly, users name dave, password "61"

how would you get to my Ferritors monthly subscription ?
what would you type for the password ?

but when I've forgotten my password I go to that document, type in my master password and I see the number 61, and then I remember.....
as a kid at school, me and my mates had codes.
And rather than say to my mates corrrr.. look at the arse on that...
I'd wink and say sixty-one and nod in a direction which actually means
look at her/that "sexybum".

sort of cockney slang.

of course you might not know that any password I use for financial stuff such as buying/selling I always spell in reverse or I always add 01 to the beginning or at the end or I use a "-" every 3 characters or it always ends in uppercase.

If you have a reasonable memory and can set yourself rules then having lots of passwords isn't as big a problem as it might seem.


Paranoia all of it. The whole world can have access to anything of mine
apart from bank stuff, .....and the pin-ups.
#58

On 10/02/16 10:53, Jonathan wrote:
On Wednesday, February 10, 2016 at 2:49:55 AM UTC, Rod Speed wrote:
"Graham." wrote in message
...


I just use a very decent password manager and form filler that
allows you to only enter your info once and then it will fill in
any form you like in any browser, manage your passwords
completely, invent them as complex as you like, and which
uses a single master password that you need to enter
manually to use it, and keeps the completely encrypted
database in synch across all the devices you own.

Great when you start ordering from a new online seller etc.

What happens when you upgrade to a new computer?


copy the password database across to it.

Its encrypted...



Jonathan



--
Karl Marx said religion is the opium of the people.
But Marxism is the crack cocaine.
#59

On 10/02/16 10:59, AnthonyL wrote:
On Wed, 10 Feb 2016 11:22:44 +1100, "Blanco"
wrote:



"ss" wrote in message
...
On 09/02/2016 23:11, Jonno wrote:
David Lang scribbled


I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.

Recently some site insist on having numbers as well, so I've had to add
one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

Surely it's my choice, not some bell end running a web site?



Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.

I have so many passwords now that I can't remember that I have to write
them down or put on a spreadsheet, not the best security.


A decent password manager fixes that problem

That way you only have to remember the master
password or use a fingerprint sensor etc for that.


The password manager concept is also being pulled apart. Mine can
generate passwords but they often are not accepted by the host.


use a manager that will display your passwords in plain text, if asked.
You can then retype them

I can copy username and password to clipboard but increasingly sites
do not allow these to be pasted.

Whilst I may know my passphrases fairly well I find it a struggle to
pick out the 3rd, 7th and 9th characters without writing it down -
though I have them written down in my password manager with the
position type above, though the editor is not fixed font so another
pain.

Other sites require the entry to be via their little keyboard which
jumbles the numbers up so I have to look for each one in a weird
position.

And as a part of extra security my password manager will not accept
biometric finger print access - no doubt for fear that someone has
pinched my finger for nefarious purposes.

I do try to have different passwords for different sites especially
where banking/finance are involved.

I'm with the OP on this. It's becoming a PITA and I hope someone
comes up with a better way.


there is no real other way - if it were that easy we would already have
done it.

You don't need to be an IT expert to answer the basic question - if
someone or something at the other end of an insecure connection wants
to know it's me at the other, how can they do it?

And that's before we even ask the question 'am I the same person today
as I was yesterday'








--
Karl Marx said religion is the opium of the people.
But Marxism is the crack cocaine.
#60

On 10/02/2016 08:44, The Natural Philosopher wrote:
On 10/02/16 08:38, Martin Brown wrote:


I find it annoying when they don't specify which character set is
allowed and my choice is too unusual for their password filter.


And they don't tell you what the password filter is, only why you failed
it.

So you enter passwords over and over with a different error each time.


You have that problem too then? A bit like the joke the OP posted.

--
Regards,
Martin Brown


#61

On 10/02/2016 09:18, Andy Burns wrote:
David Lang wrote:

I've used the same password for years, nobody has a hope in hell of ever
guessing it.


Some of the worst websites simply store your password on their servers
exactly as you type it, so their administrators don't need to guess it,
they can see it, they usually know your email address too, so they
*could* take your password home on a memory stick and try logging into
eBay/facebook/banks etc. Given their crappy security practices they are
probably more likely to get hacked and your password ends up in
China/India/Russia ...


Scary the idea of passwords being held in the clear but that is why I
have independent ones for every site. The low security ones for reading
free newspapers and the like would not take too much guessing. Things
that allow writing are a bit more secure and then there are a small
number of really tough ones for banking and the like.

Choose your favourite song or poem and a generating rule and you can
have very memorable passwords that are all but unguessable.

Good websites should store passwords in a "salted hashed" format so they
can tell if you got it right, but they can't see it, the complexity
requirements you see are so that even if someone hacks their server and
steals the salted/hashed copy of your password, it would take the
hackers centuries to decode it.


Depends on how much resources the attackers are willing to deploy.
Salted hashed is about as good as it gets, but if the attacker knows the
code used (or has grabbed that too) then all bets are off. That or spear
phishing I presume is how Impact Team did Ashley Madison.

http://krebsonsecurity.com/2015/07/o...adison-hacked/

I recall my university mainframe originally had default PW=Userid until
some enterprising individual grabbed the password hash file and the
userid file and then used it to print a list of all default PW=Userid
accounts and their resources to the system monitor console.

I taught my wife to use the same system as I use. Her works password
even written down for a service engineer requires him to look at the
piece of paper and the keyboard to enter it since unless you know the
generating rule there is apparently neither rhyme nor reason to it.

They have a corporate policy of monthly password changes with no reuse
(ever) which I think is ludicrous. Plenty of screens have postit's on
and usually it is the senior managers that are worst offenders.

--
Regards,
Martin Brown
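John Rumm's point in #47 (a failed login should not reveal whether the account name or the password was wrong) and Andy Burns's point quoted above (a site should hold only a salted hash it can check but not read) combined in one added example; this is not any poster's code, and the PBKDF2 iteration count, the field names and the dummy-record trick for unknown usernames are my assumptions:

```python
import hashlib
import hmac
import os
import secrets

# Constructed example: a minimal credential store that keeps only salted
# PBKDF2 hashes and answers every failed login with one identical message,
# so a caller cannot tell an unknown account name from a wrong password.

ITERATIONS = 100_000   # assumed work factor; slows offline cracking of a stolen table
GENERIC_FAILURE = "Incorrect username or password"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash. A fresh random salt per user means two accounts
    with the same password still get different stored values."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


class CredentialStore:
    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}   # username -> (salt, hash)
        # Throwaway record used when the username does not exist, so the
        # unknown-user path does the same hashing work as a real check and
        # does not stand out by finishing faster.
        dummy_salt = os.urandom(16)
        self._dummy = (dummy_salt, hash_password(secrets.token_hex(16), dummy_salt))

    def register(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[username] = (salt, hash_password(password, salt))

    def stored_record(self, username: str):
        """What an attacker who copied the table would see: salt and hash only."""
        return self._users.get(username)

    def login(self, username: str, password: str) -> tuple[bool, str]:
        """Return (ok, message). Both failure modes yield the same message."""
        salt, expected = self._users.get(username, self._dummy)
        candidate = hash_password(password, salt)      # always computed
        # compare_digest does not stop at the first differing byte
        if username in self._users and hmac.compare_digest(candidate, expected):
            return True, "Welcome"
        return False, GENERIC_FAILURE


if __name__ == "__main__":
    store = CredentialStore()
    store.register("dave", "correct horse")
    print(store.login("dave", "correct horse"))   # (True, 'Welcome')
    print(store.login("dave", "wrong"))           # same text as the line below
    print(store.login("nobody", "wrong"))
```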
#62

The Natural Philosopher wrote:
On 10/02/16 10:53, Jonathan wrote:
On Wednesday, February 10, 2016 at 2:49:55 AM UTC, Rod Speed wrote:
"Graham." wrote in message
...


I just use a very decent password manager and form filler that
allows you to only enter your info once and then it will fill in
any form you like in any browser, manage your passwords
completely, invent them as complex as you like, and which
uses a single master password that you need to enter
manually to use it, and keeps the completely encrypted
database in synch across all the devices you own.

Great when you start ordering from a new online seller etc.

What happens when you upgrade to a new computer?


copy the password database across to it.

Its encrypted...



Jonathan



And the hard drive has died?
#63

On 10/02/2016 00:30, T i m wrote:

Oh, and they even contacted me because 'Some of the passwords would be
easy to guess' ... like L10nKing$ Like why? The owner of that account
wasn't into Disney, lions, kings or even had kids!


Any password that is on a password list is likely to be easy.
You can download such lists so you can crack poorly implemented sites, etc.

The chances of anyone guessing say two words and a number concatenated
within the three or so tries a secure site should allow are pretty low
without needing any specials.

Now if it's a password for say a document, where they can take as long as
they like to crack it, it's a different matter.

#64

On 2/10/2016 2:10 PM, The Natural Philosopher wrote:
On 10/02/16 10:59, AnthonyL wrote:
On Wed, 10 Feb 2016 11:22:44 +1100, "Blanco"
wrote:



"ss" wrote in message
...
On 09/02/2016 23:11, Jonno wrote:
David Lang scribbled


I've used the same password for years, nobody has a hope in hell
of ever
guessing it. I can remember it.

Recently some site insist on having numbers as well, so I've had
to add
one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

Surely it's my choice, not some bell end running a web site?



Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and
pick
out the digits they required. So much for security.

I have so many passwords now that I can't remember that I have to write
them down or put on a spreadsheet, not the best security.

A decent password manager fixes that problem

That way you only have to remember the master
password or use a fingerprint sensor etc for that.


The password manager concept is also being pulled apart. Mine can
generate passwords but they often are not accepted by the host.


use a manager that will display your passwords in plain text, if asked.
You can then retype them

I can copy username and password to clipboard but increasingly sites
do not allow these to be pasted.

Whilst I may know my passphrases fairly well I find it a struggle to
pick out the 3rd, 7th and 9th characters without writing it down -
though I have them written down in my password manager with the
position type above, though the editor is not fixed font so another
pain.

Other sites require the entry to be via their little keyboard which
jumbles the numbers up so I have to look for each one in a weird
position.

And as a part of extra security my password manager will not accept
biometric finger print access - no doubt for fear that someone has
pinched my finger for nefarious purposes.

I do try to have different passwords for different sites especially
where banking/finance are involved.

I'm with the OP on this. It's becoming a PITA and I hope someone
comes up with a better way.


There is no real other way - if it were that easy we would already have
done it.

You don't need to be an IT expert to answer the basic question - if
someone or something at the other end of an insecure connection wants
to know it's me at the other, how can they do it?

And that's before we even ask the question 'am I the same person today
as I was yesterday'.

Which is why more and more banks, as well as Microsoft, use two factor
authentication.

#65
Posts: 102



"Jonno" wrote in message
...
Blanco scribbled



A decent password manager fixes that problem

That way you only have to remember the master
password or use a fingerprint sensor etc for that.



**** using fingerprints.


Much more convenient to use for the master access
to the password manager or for your net banking
and tap payment systems than a PIN or master
password, particularly if there is a fallback to a master
password if the fingerprint sensor stops working.



#66
Posts: 39,563

On 10/02/16 14:15, Tim Streater wrote:
In article , Martin Brown
wrote:

Although it is damned annoying when the problem is that CAPS LOCK is on.


Much the best thing is to permanently disable caps-lock.

+1. Here it allows me to enter 'spècïâl' characters, inßtead, now

--
Karl Marx said religion is the opium of the people.
But Marxism is the crack cocaine.
#67
Posts: 39,563

On 10/02/16 14:37, Martin Brown wrote:
On 10/02/2016 08:44, The Natural Philosopher wrote:
On 10/02/16 08:38, Martin Brown wrote:


I find it annoying when they don't specify which character set is
allowed and my choice is too unusual for their password filter.


And they don't tell you what the password filter is, only why you failed
it.

So you enter passwords over and over with a different error each time.


You have that problem too then? A bit like the joke the OP posted.

Yep. It was so true it almost wasn't funny.


--
No Apple devices were knowingly used in the preparation of this post.
#68
Posts: 39,563

On 10/02/16 14:56, Capitol wrote:
As his computer security is professional grade, it could have only come
from one of the on line suppliers storing information or having poor
security.


Not necessarily.

For example, you might have used a card in a compromised machine, or
someone who collects this info might have some or all of the info from a
dropped credit card receipt. My cards have always had the same 12 digits
FIRST and then the last 4 are changed with a new card. My receipts show
in fact the last four digits ONLY. Not hard to work out my card number
from a dropped receipt...and maybe an old card.



Armed with a thousand card numbers and only a 3-digit security code on
the back, it's very likely you will hit on at least one card that you get
'right first time' and which can then be raped.

"computer security is professional grade" reminds me of the time my
security consultant visited a Very Large Company to audit their
(Internet) firewall. It was, he said, rather good, but pointless,
because several employees had attached dial-in modems to their DDI
extensions and their PCs in order to allow total access to their normal
company network work environment when working from home...


--
No Apple devices were knowingly used in the preparation of this post.
#69
Posts: 39,563

On 10/02/16 15:22, F Murtz wrote:
The Natural Philosopher wrote:
On 10/02/16 10:53, Jonathan wrote:
On Wednesday, February 10, 2016 at 2:49:55 AM UTC, Rod Speed wrote:
"Graham." wrote in message
...

I just use a very decent password manager and form filler that
allows you to only enter your info once and then it will fill in
any form you like in any browser, manage your passwords
completely, invent them as complex as you like, and which
uses a single master password that you need to enter
manually to use it, and keeps the completely encrypted
database in synch across all the devices you own.

Great when you start ordering from a new online seller etc.

What happens when you upgrade to a new computer?


copy the password database across to it.

It's encrypted...



Jonathan



And the hard drive has died?


You mean you don't have daily backups?


--
"It is an established fact to 97% confidence limits that left wing
conspirators see right wing conspiracies everywhere"
#70
Posts: 39,563

On 10/02/16 15:52, dennis@home wrote:
On 10/02/2016 00:30, T i m wrote:

Oh, and they even contacted me because 'Some of the passwords would be
easy to guess' ... like L10nKing$ Like why? The owner of that account
wasn't into Disney, lions, kings or even had kids!


Any password that is on a password list is likely to be easy.
You can download such lists so you can crack poorly implemented sites, etc.

The chances of anyone guessing say two words and a number concatenated
within the three or so tries a secure site should allow are pretty low
without needing any specials.

Now if it's a password for say a document, where they can take as long as
they like to crack it, it's a different matter.

The first root password to try is always gandalf.


--
"It is an established fact to 97% confidence limits that left wing
conspirators see right wing conspiracies everywhere"


#71
Posts: 40,893



"Jonathan" wrote in message
...
On Wednesday, February 10, 2016 at 2:49:55 AM UTC, Rod Speed wrote:
"Graham." wrote in message
...


I just use a very decent password manager and form filler that
allows you to only enter your info once and then it will fill in
any form you like in any browser, manage your passwords
completely, invent them as complex as you like, and which
uses a single master password that you need to enter
manually to use it, and keeps the completely encrypted
database in synch across all the devices you own.

Great when you start ordering from a new online seller etc.

What happens when you upgrade to a new computer?


You install it on that too. The database is fully encrypted so
you can either just manually copy that to the new computer
or, if you are using the version that keeps the password
database in synch across all your devices or keeps the
encrypted database in the cloud, just add the new device.

You can also have the whole thing on a USB stick or any
other form of removable media and just move that to the
new computer and keep it somewhere secure when you
aren't in the house etc too.

#72
Posts: 39,563

On 10/02/16 16:08, Jethro_uk wrote:
On Wed, 10 Feb 2016 15:52:36 +0000, dennis@home wrote:

On 10/02/2016 00:30, T i m wrote:

Oh, and they even contacted me because 'Some of the passwords would be
easy to guess' ... like L10nKing$ Like why? The owner of that account
wasn't into Disney, lions, kings or even had kids!


Any password that is on a password list is likely to be easy.
You can download such lists so you can crack poorly implemented sites,
etc.

The chances of anyone guessing say two words and a number concatenated
within the three or so tries a secure site should allow are pretty low
without needing any specials.

Now if it's a password for say a document, where they can take as long as
they like to crack it, it's a different matter.


The problem is, if the attackers get unfettered access to the database
(as has happened a lot) then they also have all the time in the world to
crack the encrypted passwords.


But that may in fact be still an impossible task.

I had occasion to actually use salted hashes, and no two salted hashes
of the same password are the same.

https://en.wikipedia.org/wiki/Salt_%28cryptography%29

That's *if* they were encrypted. Goodness knows how many websites store
passwords in plaintext (underscoring my point previously that once you
press "enter" you have no idea what happens to your password).

Not many for anything important. However, there are many that use old,
short-key but 'library' password routines.

The problem with the big Adobe-style hacks is that access to very
little important info on yer Adobe account becomes a huge issue if you
have the same username and password on a really important site, like
your bank or something.



--
If you tell a lie big enough and keep repeating it, people will
eventually come to believe it. The lie can be maintained only for such
time as the State can shield the people from the political, economic
and/or military consequences of the lie. It thus becomes vitally
important for the State to use all of its powers to repress dissent, for
the truth is the mortal enemy of the lie, and thus by extension, the
truth is the greatest enemy of the State.

Joseph Goebbels



#73
Posts: 966

AnthonyL wrote:
On Wed, 10 Feb 2016 07:41:55 +0000, Mike Barnes
wrote:

Jonno wrote:
Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.


Those would be so much easier, if they presented a "fill in the blanks"
form rather than telling us the digit positions.

E.g. instead of presenting us with something like this, where ?
represents an input field:

Enter the 1st, 4th, 5th and 8th characters: ? ? ? ?

they could present us with:

Enter the requested characters: ? - - ? ? - - ?

But that would require a level of user focus that seems to be lacking in
the current generation of software designers.


The latter gives away the size of the passphrase which I think is why
there has been a move away from it.


All you can tell is that it's at least eight characters, which is what
you can tell from the first method.

--
Mike Barnes
Cheshire, England
#74
Posts: 966

John Rumm wrote:
On 10/02/2016 07:41, Mike Barnes wrote:
Jonno wrote:
Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.


Those would be so much easier, if they presented a "fill in the blanks"
form rather than telling us the digit positions.

E.g. instead of presenting us with something like this, where ?
represents an input field:

Enter the 1st, 4th, 5th and 8th characters: ? ? ? ?

they could present us with:

Enter the requested characters: ? - - ? ? - - ?

But that would require a level of user focus that seems to be lacking in
the current generation of software designers.


It would also be poorer security, since it discloses the length of the
secret word.


How does it do that? In the example above the length could be anything
from eight upwards.

--
Mike Barnes
Cheshire, England
#75
Posts: 966

The Natural Philosopher wrote:
The problem with the big Adobe-style hacks is that access to very
little important info on yer Adobe account becomes a huge issue if you
have the same username and password on a really important site, like
your bank or something.


Which is why nobody with any sense would do that.

--
Mike Barnes
Cheshire, England


#76
Posts: 102



"AnthonyL" wrote in message
...
On Wed, 10 Feb 2016 11:22:44 +1100, "Blanco"
wrote:



"ss" wrote in message
...
On 09/02/2016 23:11, Jonno wrote:
David Lang scribbled


I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.

Recently some sites insist on having numbers as well, so I've had to add one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

Surely it's my choice, not some bell end running a web site?



Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and
pick
out the digits they required. So much for security.

I have so many passwords now that I can't remember that I have to write
them down or put on a spreadsheet, not the best security.


A decent password manager fixes that problem

That way you only have to remember the master
password or use a fingerprint sensor etc for that.


The password manager concept is also being pulled apart.


Not possible with a well designed one.

Mine can generate passwords but they often are not accepted by the host.


Mine has never generated a password that has not
been accepted, presumably because a lot more
work has gone into the character set that it uses.

I can copy username and password to clipboard but
increasingly sites do not allow these to be pasted.


The best password managers are indistinguishable
from someone typing the password and username.
Perfectly possible to make it look like a human typing.

Whilst I may know my passphrases fairly well I find it a struggle to
pick out the 3rd, 7th and 9th characters without writing it down -


And that is another thing a well designed password
manager can do for you completely automatically.

though I have them written down in my password manager with the
position type above, though the editor is not fixed font so another pain.


Clearly a well designed password manager can use a fixed font.

Other sites require the entry to be via their little keyboard which
jumbles the numbers up so I have to look for each one in a weird
position.


And a password manager can do that too.

And as a part of extra security my password manager will not
accept biometric fingerprint access - no doubt for fear that
someone has pinched my finger for nefarious purposes.


No reason why the password manager
can't use 2 factor security for itself. And
use anything it likes like the camera to
check if it’s the owner too.

I do try to have different passwords for different sites
especially where banking/finance are involved.


I not only try, I succeed in doing that.

I'm with the OP on this. It's becoming a PITA and
I hope someone comes up with a better way.


The better way is here now, the best password managers.

#77
Posts: 102



"Jonno" wrote in message
...
Tim Streater scribbled


In article , Jonno
wrote:

Blanco scribbled


A decent password manager fixes that problem

That way you only have to remember the master
password or use a fingerprint sensor etc for that.


**** using fingerprints.


As I suspected, you are a bot and so have no fingerprints.



I only have one set of fingerprints. I can change passwords all day
long, I can't change my fingerprints. We know websites are constantly
under attack to obtain passwords. What happens if someone gets a copy
of my fingerprints? I don't mean a photograph, in case you're thinking
along those lines.


Not possible to use them with the best fingerprint systems.

When it's done on a phone, the phone can monitor what you
are up to using the camera and can refuse to accept anything
if you stop it watching what you are doing. It can also check
that it's you using the fingerprint sensor and not someone
else and can have a two factor access system too.

#78
Posts: 966

John Rumm wrote:
On 10/02/2016 07:40, Mike Barnes wrote:
What we're talking about is them disallowing some combinations of the
same characters that have been available all along, and therefore
*reducing* the number of legal combinations that have to be tested.


I don't think that statement can be supported with maths ;-)


I think it can. If "password" is a legal password, the bad guy has to
take the (admittedly small) time taken to test for it. If it's not
legal, he doesn't have to test for it.

--
Mike Barnes
Cheshire, England
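A worked check of the arithmetic behind this exchange, added here and not from either poster: count the 8-character strings over letters and digits with and without an "at least one lower case, one upper case, one digit" rule, by inclusion-exclusion, with a brute-force cross-check on a tiny alphabet. The class sizes 26/26/10 are the usual ones; the functions are constructed for this example.

```python
from fractions import Fraction
from itertools import combinations, product


def count_with_all_classes(class_sizes, length):
    """Number of strings of `length` over the union of disjoint character
    classes that contain at least one character from *every* class.
    Inclusion-exclusion: start from all strings, subtract those missing one
    class, add back those missing two, and so on."""
    total = sum(class_sizes)
    n = len(class_sizes)
    count = 0
    for k in range(n + 1):
        for omitted in combinations(range(n), k):
            remaining = total - sum(class_sizes[i] for i in omitted)
            count += (-1) ** k * remaining ** length
    return count


def brute_force(classes, length):
    """Cross-check by enumeration; only feasible for tiny alphabets."""
    alphabet = "".join(classes)
    return sum(1 for s in product(alphabet, repeat=length)
               if all(any(ch in cls for ch in s) for cls in classes))


def legal_fraction(class_sizes, length):
    """Share of the unrestricted keyspace a 'one of each class' rule leaves legal."""
    return Fraction(count_with_all_classes(class_sizes, length),
                    sum(class_sizes) ** length)


if __name__ == "__main__":
    # Sanity check the formula against enumeration: classes {a,b}, {c,d}, {e}, length 3.
    assert count_with_all_classes((2, 2, 1), 3) == brute_force(("ab", "cd", "e"), 3)

    # lower case, upper case, digits; 8 characters
    sizes, n = (26, 26, 10), 8
    unrestricted = sum(sizes) ** n
    legal = count_with_all_classes(sizes, n)
    print(f"unrestricted 8-char keyspace : {unrestricted:,}")
    print(f"with one-of-each rule        : {legal:,}")
    print(f"fraction still legal         : {float(legal_fraction(sizes, n)):.3f}")
```

The rule leaves roughly 73% of the 62^8 strings legal, so it does shrink the set an exhaustive search has to cover, as the post says, but by well under one bit; its practical effect comes from pushing people off all-lower-case dictionary words, not from the arithmetic.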
#79
Posts: 102



"Jonno" wrote in message
...
Jethro_uk scribbled


3) If cloud based, you can access your passwords anywhere in the world.



How secure is the 'cloud' ?


Doesn't matter with an encrypted database.

How secure is your access to the 'cloud' ?


Doesn't matter with an encrypted database.


#80
Posts: 10,204

On Wednesday, 10 February 2016 16:44:31 UTC, Blanco wrote:


The better way is here now, the best password managers.


Does that include the free ones that Facebook and the like advertise? You just stick your passwords in it and they'll sort everything out for you for free.



Copyright ©2004-2024 DIYbanter.
The comments are property of their posters.