#1
Posted to uk.d-i-y
; TOT; Piggin passwords
I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.

Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure? Surely it's my choice, not some bell end running a web site?

This joke sums it up;

========================================================================
cabbage
Sorry, the password must be more than 8 characters.

boiled cabbage
Sorry, the password must contain 1 numerical character.

1 boiled cabbage
Sorry, the password cannot have blank spaces.

50frigginboiledcabbages
Sorry, the password must contain at least one upper case character.

50FRIGGINboiledcabbages
Sorry, the password cannot use more than one upper case character consecutively.

50FrigginBoiledCabbagesShovedDownYourThroat,IfYouDontGiveMeAccessImmediately
Sorry, the password cannot contain punctuation.

NowIAmGettingReallyP*ssedOff50FrigginBoiledCabbagesShovedDownYourThroatIfYouDontGiveMeAccessImmediately
Sorry, that password is already in use!
========================================================================

--
Dave - The Medway Handyman
#2
LOL
#3
"David Lang" wrote in message ...
> I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.
> Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!
> How the 'kinell does that make anything more secure?

It increases the number of possibilities so makes guessing it harder.

> Surely it's my choice, not some bell end running a web site?

Plenty are too stupid to use sensible hard to guess passwords.
#4
On 09/02/2016 23:11, Jonno wrote:
> David Lang scribbled
>> I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.
>> Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!
>> How the 'kinell does that make anything more secure? Surely it's my choice, not some bell end running a web site?
>
> Apparently Tesco are expecting online shoppers to remember parts of their passwords, like the 1st, 4th, 5th and 8th letters/digits. Brilliant, the person who told me had to write out the password and pick out the digits they required. So much for security.

I have so many passwords now that I can't remember that I have to write them down or put on a spreadsheet, not the best security.
#5
"ss" wrote in message ...
> On 09/02/2016 23:11, Jonno wrote:
>> David Lang scribbled
>>> I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.
>>> Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!
>>> How the 'kinell does that make anything more secure? Surely it's my choice, not some bell end running a web site?
>>
>> Apparently Tesco are expecting online shoppers to remember parts of their passwords, like the 1st, 4th, 5th and 8th letters/digits. Brilliant, the person who told me had to write out the password and pick out the digits they required. So much for security.
>
> I have so many passwords now that I can't remember that I have to write them down or put on a spreadsheet, not the best security.

A decent password manager fixes that problem. That way you only have to remember the master password or use a fingerprint sensor etc for that.
#6
In article , Jonno wrote:
> Apparently Tesco are expecting online shoppers to remember parts of their passwords, like the 1st, 4th, 5th and 8th letters/digits. Brilliant, the person who told me had to write out the password and pick out the digits they required. So much for security.

Barclays have used that for ages. A drop down menu. But perhaps they expect most people with a bank account can spell.

--
*Why isn't there a special name for the back of your knee?

Dave Plowman London SW
To e-mail, change noise into sound.
#7
On Tue, 9 Feb 2016 22:40:20 +0000, David Lang wrote:
> I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.
> Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!
> How the 'kinell does that make anything more secure?

snip

Not such a joke as fact ;-(

I had dealings with webmail where the IPS password rules were:

"Passwords must satisfy the following criteria to ensure they are as secure as possible:

Mixed case: Use a combination of uppercase and lowercase characters
Numbers: Use a mixture of numbers and letters
Special characters: Use at least one of the following special characters : "!$%^&*()-_=+}{#@':;.,/|?
Length: Your password must be at least 8 characters long
Unique Characters: Your password must contain at least 4 unique characters and no more than 2 of the same character in a row"

So, I went for something like ... £Ab1cd2&

Them: Not allowed, you can't have the £ symbol.
Me: Where does it say that?
Them: It's not included in the list of special characters.
Me: But it doesn't say it can't be used and I have done as you have requested with your 'Use at least one of the following special characters' with the & ?
Them: But the pound sign isn't one of the special characters.
Me: How was I supposed to guess you consider the £ as a 'special character' and not use it when you do use all the others. All you have stated is I *must* use one of the ones you list and I have?
Them: The pound symbol isn't in the list.
Me: I know, but if it's not allowed shouldn't you state such?
Them: It's implied because it isn't in the list ...

OK, in hindsight I can see what they meant to say but am I wrong in suggesting they didn't actually say it ... and considering you would think they might like to make things easier for everyone, how difficult would it have been for them to specifically list any characters that were excluded?

They could have stated:

"Special characters: Use at least one of the following special characters (and no other special characters not shown) : "!$%^&*()-_=+}{#@':;.,/|?

So that's not £ or [ or ] or ~ at least?

Oh, and they even contacted me because 'Some of the passwords would be easy to guess' ... like L10nKing$

Like why? The owner of that account wasn't into Disney, lions, kings or even had kids!

Cheers, T i m
#9
On 10/02/2016 00:03, ss wrote:
> I have so many passwords now that I can't remember that I have to write them down or put on a spreadsheet, not the best security.

You could have a PGP encrypted text file with all your user names and passwords on your PC. WinPT is what I've been using for all encryption stuff and for creating encryption keys to use with e-mail etc. Especially useful if you are e-mailing sensitive data to someone that uses spymail like gmail etc.

https://en.wikipedia.org/wiki/WinPT
#10
On Wed, 10 Feb 2016 00:31:38 -0000, Sam Plusnet wrote:
> In article , says...
>> I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.
>> Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!
>
> Didn't they ask for a non-alphanumeric character as well? Not trying hard enough.

One of your competitors, who supplies me with calls on my landline, asks for my web passworm as one of their security questions when I call their helpdesk. I have written to their CEO pointing out the error of their ways.

In the meantime, I have changed my passworm to neveraskforpassword in order to make a point if I am asked again.

Probably should have ROTted that ;-)

That's an idea ROTted passworms, does anyone do that?

--
Graham.
%Profound_observation%
#11
On 10/02/2016 00:31, Sam Plusnet wrote:
> Didn't they ask for a non-alphanumeric character as well? Not trying hard enough.

It's nice that most things allow the @ symbol now too which is an easy one to chuck into the middle of a password
#12
David Lang wrote:
> I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.
> Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!
> How the 'kinell does that make anything more secure? Surely it's my choice, not some bell end running a web site?
>
> This joke sums it up;
>
> ========================================================================
> cabbage
> Sorry, the password must be more than 8 characters.
>
> boiled cabbage
> Sorry, the password must contain 1 numerical character.
>
> 1 boiled cabbage
> Sorry, the password cannot have blank spaces.
>
> 50frigginboiledcabbages
> Sorry, the password must contain at least one upper case character.
>
> 50FRIGGINboiledcabbages
> Sorry, the password cannot use more than one upper case character consecutively.
>
> 50FrigginBoiledCabbagesShovedDownYourThroat,IfYouDontGiveMeAccessImmediately
> Sorry, the password cannot contain punctuation.
>
> NowIAmGettingReallyP*ssedOff50FrigginBoiledCabbagesShovedDownYourThroatIfYouDontGiveMeAccessImmediately
> Sorry, that password is already in use!
> ========================================================================

I end up with extremely rude vulgar passwords in the end because of this practice. It is self defeating because everyone is writing their passwords down and carrying them with them because it is becoming impossible to remember them.
#13
On 10/02/2016 01:40, F Murtz wrote:
> I end up with extremely rude vulgar passwords in the end because of this practice. It is self defeating because everyone is writing their passwords down and carrying them with them because it is becoming impossible to remember them.

It's not as bad as it sounds, since it's a way of keeping a list of adequately complex unique passwords. We are very good at keeping hold of bits of paper on our person - we manage with purses / wallets etc.

All you need is some obfuscation to disguise the fact that what you have is a password list... It could be Aunty Ethel's phone number is not all it seems. The thing that says Amazon Password, might actually be the Tesco one, written backwards and only every other character used etc. Basically think of some rule that's easy for you to use to sort the password out of the noise.

--
Cheers,

John.

/=================================================================\
|          Internode Ltd - http://www.internode.co.uk             |
|-----------------------------------------------------------------|
|        John Rumm - john(at)internode(dot)co(dot)uk              |
\=================================================================/
#14
On 09/02/2016 22:40, David Lang wrote:
> I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.

The danger is, that should it be compromised through no fault of your own, then the attacker is now able to access *all* of your online accounts. Having a unique password per site limits the damage greatly.

> Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!
> How the 'kinell does that make anything more secure?

By making passwords harder to guess by brute force, or by dictionary attack.

A brute force attack will typically have an attacker (aided by a computer doing the donkey work) attempting to guess passwords. If you are limiting your password to lower case letters only, then there are 26 possible values per character. Allow upper case and there are 52, with digits 62, and so on.

When you scale up the number of legal combinations, a few extra allowable characters makes the number of unique passwords possible a vast number of orders of magnitude more difficult to guess.

A dictionary attack works well when an attacker has managed to lift a copy of the password database from an insecure web server etc. That may give them a big list of encrypted passwords. They may not be able to decrypt them directly, but they can throw a whole dictionary through the same encryption process and see which of the encrypted passwords they have generated match the stolen ones. Much depends on how clueless the writer of the software was:

https://www.youtube.com/watch?v=8ZtInClXe1Q

> Surely it's my choice, not some bell end running a web site?

The problem is, that if you use a weak password, then it lets the bad guys into bits of web sites they might not otherwise get into - that in itself is not really much of a problem. More significantly though it may let them into several accounts you own on different sites.

Being able to get at several sites creates weaknesses that can be exploited by trading one off against another. For example:

--
Cheers,

John.

/=================================================================\
|          Internode Ltd - http://www.internode.co.uk             |
|-----------------------------------------------------------------|
|        John Rumm - john(at)internode(dot)co(dot)uk              |
\=================================================================/
#15
"Graham." wrote in message ...
> On Wed, 10 Feb 2016 00:31:38 -0000, Sam Plusnet wrote:
>> In article , says...
>>> I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.
>>> Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!
>>
>> Didn't they ask for a non-alphanumeric character as well? Not trying hard enough.
>
> One of your competitors, who supplies me with calls on my landline, asks for my web passworm as one of their security questions when I call their helpdesk. I have written to their CEO pointing out the error of their ways.

The local wholly owned subsidiary of a British bank HBOS was obscenely worse than that. The ****wits would ring you up to try to flog you some new product and then ask for your net banking password in the conversation, by voice, to ensure that they were actually talking to the person that they wanted to call and flog something to.

And the terminal ****wits didn't even understand the problem when I complained about that terminal stupidity.

> In the meantime, I have changed my passworm to neveraskforpassword in order to make a point if I am asked again.
>
> Probably should have ROTted that ;-)
>
> That's an idea ROTted passworms, does anyone do that?

I just use a very decent password manager and form filler that allows you to only enter your info once and then it will fill in any form you like in any browser, manage your passwords completely, invent them as complex as you like, and which uses a single master password that you need to enter manually to use it, and keeps the completely encrypted database in synch across all the devices you own. Great when you start ordering from a new online seller etc.

Only real downside is that it can't do most of what it does on Apple's iOS because of the sandbox system iOS uses.

Still manages your passwords fine, uses the fingerprint sensor to ensure that only you can use it, just can't do the full form filling it can do on everything else.
#16
John Rumm wrote:
> On 09/02/2016 22:40, David Lang wrote:
>> I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.
>
> The danger is, that should it be compromised through no fault of your own, then the attacker is now able to access *all* of your online accounts. Having a unique password per site limits the damage greatly.
>
>> Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!
>> How the 'kinell does that make anything more secure?
>
> By making passwords harder to guess by brute force, or by dictionary attack.
>
> A brute force attack will typically have an attacker (aided by a computer doing the donkey work) attempting to guess passwords. If you are limiting your password to lower case letters only, then there are 26 possible values per character. Allow upper case and there are 52, with digits 62, and so on.

But we're not talking about making extra characters allowable. AFAIK in most cases it's "always" been possible for me to include digits, mixed case, and punctuation if I want.

> When you scale up the number of legal combinations, a few extra allowable characters makes the number of unique passwords possible a vast number of orders of magnitude more difficult to guess.

What we're talking about is them disallowing some combinations of the same characters that have been available all along, and therefore *reducing* the number of legal combinations that have to be tested.

But actually things are rather more complicated than simply "guessing", with rainbow tables and the like.

--
Mike Barnes
Cheshire, England
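Added example, not part of any post in the thread: the counting behind posts #14 and #16, done in Python for 8-character passwords over the 26/52/62-character alphabets mentioned above. It compares lower-case-only passwords, a free choice from all 62 characters, and the same 62 characters with a rule demanding at least one character from each class; the function names and the choice of length 8 are assumptions made for the illustration.

```python
from itertools import combinations, product
from math import log2
import string

# Character classes from the thread: 26 lower case, 26 upper case, 10 digits.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase, string.digits]


def unrestricted(length, classes=CLASSES):
    """Every string of `length` over the combined alphabet is legal."""
    return sum(len(c) for c in classes) ** length


def require_every_class(length, classes=CLASSES):
    """Legal strings must contain at least one character from each class.

    Inclusion-exclusion: start from all strings, subtract those missing one
    class, add back those missing two classes, and so on.
    """
    sizes = [len(c) for c in classes]
    total = sum(sizes)
    count = 0
    for k in range(len(sizes) + 1):
        for missing in combinations(sizes, k):
            count += (-1) ** k * (total - sum(missing)) ** length
    return count


def brute_force_count(length, classes):
    """Count the same thing by enumeration; only usable for tiny alphabets."""
    alphabet = "".join(classes)
    return sum(
        all(any(ch in cls for ch in candidate) for cls in classes)
        for candidate in product(alphabet, repeat=length)
    )


def report(length=8):
    """Sizes of the three password spaces discussed, plus the rule's cost."""
    free = unrestricted(length)
    ruled = require_every_class(length)
    return {
        "lowercase only": 26 ** length,
        "62 chars, no rule": free,
        "62 chars, one of each class required": ruled,
        "share of space removed by the rule": 1 - ruled / free,
    }


if __name__ == "__main__":
    for label, value in report().items():
        if isinstance(value, float):
            print(f"{label:40s} {value:.1%}")
        else:
            print(f"{label:40s} {value:>20,d}  ({log2(value):.1f} bits)")
```

The rule does shrink the set of legal 8-character passwords, yet every password it still allows comes from a space several hundred times larger than the lower-case-only one.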
#17
Jonno wrote:
> Apparently Tesco are expecting online shoppers to remember parts of their passwords, like the 1st, 4th, 5th and 8th letters/digits. Brilliant, the person who told me had to write out the password and pick out the digits they required. So much for security.

Those would be so much easier, if they presented a "fill in the blanks" form rather than telling us the digit positions.

E.g. instead of presenting us with something like this, where ? represents an input field:

Enter the 1st, 4th, 5th and 8th characters: ? ? ? ?

they could present us with:

Enter the requested characters: ? - - ? ? - - ?

But that would require a level of user focus that seems to be lacking in the current generation of software designers.

--
Mike Barnes
Cheshire, England
#18
"Mike Barnes" wrote in message ...
> John Rumm wrote:
>> On 09/02/2016 22:40, David Lang wrote:
>>> I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.
>>
>> The danger is, that should it be compromised through no fault of your own, then the attacker is now able to access *all* of your online accounts. Having a unique password per site limits the damage greatly.
>>
>>> Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!
>>> How the 'kinell does that make anything more secure?
>>
>> By making passwords harder to guess by brute force, or by dictionary attack.
>>
>> A brute force attack will typically have an attacker (aided by a computer doing the donkey work) attempting to guess passwords. If you are limiting your password to lower case letters only, then there are 26 possible values per character. Allow upper case and there are 52, with digits 62, and so on.
>
> But we're not talking about making extra characters allowable. AFAIK in most cases it's "always" been possible for me to include digits, mixed case, and punctuation if I want.

Yes, but they are now forcing people to use the stuff that most of them wouldn't bother using.

>> When you scale up the number of legal combinations, a few extra allowable characters makes the number of unique passwords possible a vast number of orders of magnitude more difficult to guess.
>
> What we're talking about is them disallowing some combinations of the same characters that have been available all along,

No they aren't. Most never allowed all the odd special characters.

> and therefore *reducing* the number of legal combinations that have to be tested.

Nope.

> But actually things are rather more complicated than simply "guessing", with rainbow tables and the like.

Sure, but it does make sense for the more stupid to use more than just the letters in a particular case.
#19
Dave Plowman (News) wrote:
> Jonno wrote:
>> Tesco are expecting online shoppers to remember parts of their passwords, like the 1st, 4th, 5th and 8th letters/digits.
>
> Barclays have used that for ages.

Not for me they don't, I logon using my surname, sortcode and account number which are burnt into my brain having been the same for 30+ years, plus a one time code generated from my smartphone (or a PIN sentry device plus my debit card).
#20
On 10/02/2016 07:41, Mike Barnes wrote:
> Jonno wrote:
>> Apparently Tesco are expecting online shoppers to remember parts of their passwords, like the 1st, 4th, 5th and 8th letters/digits. Brilliant, the person who told me had to write out the password and pick out the digits they required. So much for security.
>
> Those would be so much easier, if they presented a "fill in the blanks" form rather than telling us the digit positions.
>
> E.g. instead of presenting us with something like this, where ? represents an input field:
>
> Enter the 1st, 4th, 5th and 8th characters: ? ? ? ?
>
> they could present us with:
>
> Enter the requested characters: ? - - ? ? - - ?
>
> But that would require a level of user focus that seems to be lacking in the current generation of software designers.

I believe Santander do that.
#21
On 09/02/16 22:40, David Lang wrote:
> I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.
> Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!
> How the 'kinell does that make anything more secure? Surely it's my choice, not some bell end running a web site?
>
> This joke sums it up;
>
> ========================================================================
> cabbage
> Sorry, the password must be more than 8 characters.
>
> boiled cabbage
> Sorry, the password must contain 1 numerical character.
>
> 1 boiled cabbage
> Sorry, the password cannot have blank spaces.
>
> 50frigginboiledcabbages
> Sorry, the password must contain at least one upper case character.
>
> 50FRIGGINboiledcabbages
> Sorry, the password cannot use more than one upper case character consecutively.
>
> 50FrigginBoiledCabbagesShovedDownYourThroat,IfYouDontGiveMeAccessImmediately
> Sorry, the password cannot contain punctuation.
>
> NowIAmGettingReallyP*ssedOff50FrigginBoiledCabbagesShovedDownYourThroatIfYouDontGiveMeAccessImmediately
> Sorry, that password is already in use!
> ========================================================================

Well, here's one for Plowperson.

1!Hate!Maggie

--
Karl Marx said religion is the opium of the people.
But Marxism is the crack cocaine.
#22
On 10/02/16 00:03, ss wrote:
> On 09/02/2016 23:11, Jonno wrote:
>> David Lang scribbled
>>> I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.
>>> Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!
>>> How the 'kinell does that make anything more secure? Surely it's my choice, not some bell end running a web site?
>>
>> Apparently Tesco are expecting online shoppers to remember parts of their passwords, like the 1st, 4th, 5th and 8th letters/digits. Brilliant, the person who told me had to write out the password and pick out the digits they required. So much for security.
>
> I have so many passwords now that I can't remember that I have to write them down or put on a spreadsheet, not the best security.

I have Figaro's password manager. One password to rule them all

--
Karl Marx said religion is the opium of the people.
But Marxism is the crack cocaine.
#23
On 10/02/16 00:48, Pet @ www.gymratz.co.uk ;¬) wrote:
> On 10/02/2016 00:31, Sam Plusnet wrote:
>> Didn't they ask for a non-alphanumeric character as well? Not trying hard enough.
>
> It's nice that most things allow the @ symbol now too which is an easy one to chuck into the middle of a password

m8!OK4U?

--
Karl Marx said religion is the opium of the people.
But Marxism is the crack cocaine.
#24
On 10/02/16 01:40, F Murtz wrote:
> I end up with extremely rude vulgar passwords in the end because of this practice. It is self defeating because everyone is writing their passwords down and carrying them with them because it is becoming impossible to remember them.

The point about a password manager is this:

If any one of your passwords that you use online is nicked, it doesn't compromise any others.

Since you never use the master password except to unlock the password manager, it is unlikely that anyone will get to know it.

Since the encrypted passwords are held on only one machine, it's unlikely they will be hacked and cracked either.

This is the only way to ameliorate this habit of having totally different password requirements on sites.

--
Karl Marx said religion is the opium of the people.
But Marxism is the crack cocaine.
#25
David Lang wrote:
> I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.
> Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!

See https://xkcd.com/936/

Tim
#26
On 10/02/16 08:38, Martin Brown wrote:
> I find it annoying when they don't specify which character set is allowed and my choice is too unusual for their password filter.

And they don't tell you what the password filter is, only why you failed it. So you enter passwords over and over with a different error each time.

--
"What do you think about Gay Marriage?"
"I don't."
"Don't what?"
"Think about Gay Marriage."
#27
On 09/02/2016 23:11, Jonno wrote:
> David Lang scribbled
>> I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.
>> Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!
>> How the 'kinell does that make anything more secure? Surely it's my choice, not some bell end running a web site?
>
> Apparently Tesco are expecting online shoppers to remember parts of their passwords, like the 1st, 4th, 5th and 8th letters/digits. Brilliant, the person who told me had to write out the password and pick out the digits they required. So much for security.

That is actually a secure form of challenge and with practice you can memorise a password to recall individual characters without writing it down. The sites using this method that annoy me are the ones where you have to hit tab to move between input fields.

If you type in the entire password and there is a keylogger and no countermeasures (or they too have been compromised) then you are already lost. The point is that you never disclose the entire password and on some sites you input it using an unconventional no keyboard method.

Increasingly banking sites are using two factor password and PIN challenges and allow you to customise the home page with a slogan and a picture of your choice so you can easily spot a forgery.

--
Regards,
Martin Brown
#28
On 10/02/2016 08:01, Blanco wrote:
> "Mike Barnes" wrote in message ...
>> John Rumm wrote:
>>> On 09/02/2016 22:40, David Lang wrote:
>>>> I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.
>>>
>>> The danger is, that should it be compromised through no fault of your own, then the attacker is now able to access *all* of your online accounts. Having a unique password per site limits the damage greatly.
>>>
>>>> Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!
>>>> How the 'kinell does that make anything more secure?
>>>
>>> By making passwords harder to guess by brute force, or by dictionary attack.
>>>
>>> A brute force attack will typically have an attacker (aided by a computer doing the donkey work) attempting to guess passwords. If you are limiting your password to lower case letters only, then there are 26 possible values per character. Allow upper case and there are 52, with digits 62, and so on.
>>
>> But we're not talking about making extra characters allowable. AFAIK in most cases it's "always" been possible for me to include digits, mixed case, and punctuation if I want.
>
> Yes, but they are now forcing people to use the stuff that most of them wouldn't bother using.
>
>>> When you scale up the number of legal combinations, a few extra allowable characters makes the number of unique passwords possible a vast number of orders of magnitude more difficult to guess.
>>
>> What we're talking about is them disallowing some combinations of the same characters that have been available all along,
>
> No they aren't. Most never allowed all the odd special characters.
>
>> and therefore *reducing* the number of legal combinations that have to be tested.
>
> Nope.
>
>> But actually things are rather more complicated than simply "guessing", with rainbow tables and the like.
>
> Sure, but it does make sense for the more stupid to use more than just the letters in a particular case.

I keep the more sensitive passwords in an obscure text file on an external hard drive, but I suppose it's possible to list the most frequently accessed files? An expert house breaker who's also a computer whizz is the stuff of nightmares :-)
#29
"stuart noble" wrote in message ...
> On 10/02/2016 08:01, Blanco wrote:
>> "Mike Barnes" wrote in message ...
>>> John Rumm wrote:
>>>> On 09/02/2016 22:40, David Lang wrote:
>>>>> I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.
>>>>
>>>> The danger is, that should it be compromised through no fault of your own, then the attacker is now able to access *all* of your online accounts. Having a unique password per site limits the damage greatly.
>>>>
>>>>> Recently some sites insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well!
>>>>> How the 'kinell does that make anything more secure?
>>>>
>>>> By making passwords harder to guess by brute force, or by dictionary attack.
>>>>
>>>> A brute force attack will typically have an attacker (aided by a computer doing the donkey work) attempting to guess passwords. If you are limiting your password to lower case letters only, then there are 26 possible values per character. Allow upper case and there are 52, with digits 62, and so on.
>>>
>>> But we're not talking about making extra characters allowable. AFAIK in most cases it's "always" been possible for me to include digits, mixed case, and punctuation if I want.
>>
>> Yes, but they are now forcing people to use the stuff that most of them wouldn't bother using.
>>
>>>> When you scale up the number of legal combinations, a few extra allowable characters makes the number of unique passwords possible a vast number of orders of magnitude more difficult to guess.
>>>
>>> What we're talking about is them disallowing some combinations of the same characters that have been available all along,
>>
>> No they aren't. Most never allowed all the odd special characters.
>>
>>> and therefore *reducing* the number of legal combinations that have to be tested.
>>
>> Nope.
>>
>>> But actually things are rather more complicated than simply "guessing", with rainbow tables and the like.
>>
>> Sure, but it does make sense for the more stupid to use more than just the letters in a particular case.
>
> I keep the more sensitive passwords in an obscure text file on an external hard drive, but I suppose it's possible to list the most frequently accessed files?

Yep.

> An expert house breaker who's also a computer whizz is the stuff of nightmares :-)

Not if you encrypt that file.
#30
Posted to uk.d-i-y
; TOT; Piggin passwords
On 10/02/16 08:50, stuart noble wrote:

I keep the more sensitive passwords in an obscure text file on an external hard drive, but I suppose it's possible to list the most frequently accessed files? An expert house breaker who's also a computer whizz is the stuff of nightmares :-)

http://uk.pcmag.com/password-manager...agers-for-2015

Just use a password manager. I remember the passwords I use a lot - but the ones to give a meter reading to the electricity company? No way. When I set up accounts, I add the name and password to the password manager.

--
You can get much farther with a kind word and a gun than you can with a kind word alone.
Al Capone
#31
Posted to uk.d-i-y
; TOT; Piggin passwords
The Natural Philosopher wrote:
On 10/02/16 08:38, Martin Brown wrote:

I find it annoying when they don't specify which character set is allowed and my choice is too unusual for their password filter.

And they don't tell you what the password filter is, only why you failed it.

So you enter passwords over and over with a different error each time. And then you're supposed to forget all the ones that failed and remember the one that passed.

--
Mike Barnes
Cheshire, England
#32
Posted to uk.d-i-y
; TOT; Piggin passwords
David Lang wrote:

I've used the same password for years, nobody has a hope in hell of ever guessing it.

Some of the worst websites simply store your password on their servers exactly as you type it, so their administrators don't need to guess it, they can see it, they usually know your email address too, so they *could* take your password home on a memory stick and try logging into eBay/facebook/banks etc. Given their crappy security practices they are probably more likely to get hacked and your password ends up in China/India/Russia ...

Good websites should store passwords in a "salted hashed" format so they can tell if you got it right, but they can't see it, the complexity requirements you see are so that even if someone hacks their server and steals the salted/hashed copy of your password, it would take the hackers centuries to decode it.
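The "salted hashed" storage described in the post above, as an added example that is not part of anyone's post: a per-account random salt with PBKDF2-HMAC-SHA256 from Python's standard library. The iteration count, the account names and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed work factor for this example; tune per server
SALT_BYTES = 16


def make_record(password, salt=None):
    """Return (salt, digest): what the site stores instead of the password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return salt, digest


def verify(password, record):
    """Recompute the digest with the stored salt, compare in constant time."""
    salt, expected = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, ITERATIONS)
    return hmac.compare_digest(candidate, expected)


def unsalted_sha256(password):
    """Weak scheme for contrast: equal passwords give equal stored values."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def demo():
    # Constructed sample: two hypothetical accounts sharing one password.
    shared = "50FrigginBoiledCabbages"
    alice, bob = make_record(shared), make_record(shared)
    return {
        "unsalted_match": unsalted_sha256(shared) == unsalted_sha256(shared),
        "salted_match": alice[1] == bob[1],
        "alice_ok": verify(shared, alice),
        "wrong_rejected": not verify("50frigginboiledcabbages", alice),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Because each account gets its own salt, a table of precomputed hashes cannot be reused across accounts, and each guess against a stolen record costs the full iteration count.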
#33
Posted to uk.d-i-y
; TOT; Piggin passwords
John Rumm wrote:

The danger is, that should it be compromised through no fault of your own, then the attacker is now able to access *all* of your online accounts. Having a unique password per site limits the damage greatly.

Recently some site insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well! How the 'kinell does that make anything more secure?

By making passwords harder to guess by brute force, or by dictionary attack.

A brute force attack is only realistically possible if the attacker has fast, direct access to the site/system the password is allowing access to. You can't realistically brute force a web site login via a web connection, each attempt would take a significant amount of time (in computer terms) and any half sensible site should both slow down and eventually stop accepting inputs after a while.

--
Chris Green ·
#34
Posted to uk.d-i-y
; TOT; Piggin passwords
Martin Brown wrote:

If you choose a restricted alphabet the password of length N is much weaker. N7 is a reasonable choice anything shorter is too weak.

[a-z] = 26^N = X
[a-z,A-Z] = 52^N = X.2^N
[a-z,A-Z,0-9] = 62^N ~ X.2.38^N
[!-~] = 94^N ~ X.3.6^N

Surely only true if the password cracker using brute force *knows* that you're using a restricted alphabet. I suppose they could assume you are, on the basis that many people do use only letters if they're allowed to.

--
Chris Green ·
#35
Posted to uk.d-i-y
; TOT; Piggin passwords
Some now want a non alphanumeric as well I notice. This is why I've not changed my password on my isp, as if you go into their new much improved site they want you to update the passwords to one with numbers upper and lower case and non alphanumerics. This would mean I need to alter all my mail clients info to the new stuff afterwards. I consider all password systems to be equal risks myself, and it's giving a false sense of security to suggest anything else

Brian

"David Lang" wrote in message ...

I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it. Recently some site insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well! How the 'kinell does that make anything more secure? Surely it's my choice, not some bell end running a web site? This joke sums it up;

========================================================================

cabbage
Sorry, the password must be more than 8 characters.

boiled cabbage
Sorry, the password must contain 1 numerical character.

1 boiled cabbage
Sorry, the password cannot have blank spaces.

50frigginboiledcabbages
Sorry, the password must contain at least one upper case character.

50FRIGGINboiledcabbages
Sorry, the password cannot use more than one upper case character consecutively.

50FrigginBoiledCabbagesShovedDownYourThroat,IfYouDontGiveMeAccessImmediately
Sorry, the password cannot contain punctuation.

NowIAmGettingReallyP*ssedOff50FrigginBoiledCabbagesShovedDownYourThroatIfYouDontGiveMeAccessImmediately
Sorry, that password is already in use!

========================================================================

--
Dave - The Medway Handyman

--
----- - This newsgroup posting comes to you directly from... The Sofa of Brian Gaff... Blind user, so no pictures please!
#36
Posted to uk.d-i-y
; TOT; Piggin passwords
On 10/02/2016 07:40, Mike Barnes wrote:
John Rumm wrote:
On 09/02/2016 22:40, David Lang wrote:

I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.

The danger is, that should it be compromised through no fault of your own, then the attacker is now able to access *all* of your online accounts. Having a unique password per site limits the damage greatly.

Recently some site insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well! How the 'kinell does that make anything more secure?

By making passwords harder to guess by brute force, or by dictionary attack. A brute force attack will typically have an attacker (aided by a computer doing the donkey work) attempting to guess passwords. If you are limiting your password to lower case letters only, then there are 26 possible values per character. Allow upper case and there are 52, with digits 62, and so on.

But we're not talking about making extra characters allowable. AFAIK in most cases it's "always" been possible for me to include digits, mixed case, and punctuation if I want.

That rather depends on the site... By precluding use of say an all lower case password, you thwart any attack that will only search the (much smaller) "lower case only" search space. (think about how tools like L0phtCrack etc work - they try all lower case before they try the larger search spaces, since in many cases that will crack a substantial number of accounts)

When you scale up the number of legal combinations, a few extra allowable characters makes the number of unique passwords possible a vast number of orders of magnitude more difficult to guess.

What we're talking about is them disallowing some combinations of the same characters that have been available all along, and therefore *reducing* the number of legal combinations that have to be tested.

I don't think that statement can be supported with maths ;-)

But actually things are rather more complicated than simply "guessing", with rainbow tables and the like.

Indeed, but that seems rather more information than the OP needs. (and if password hashes are properly "salted", then you can mitigate the advantage of rainbow table attacks)

--
Cheers,
John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
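The search-space arithmetic argued over in this post and in the 26^N to 94^N table quoted earlier, as an added example that is not part of anyone's post: it counts passwords over the 94 printable characters both unrestricted and under a composition rule, using inclusion-exclusion. The choice of 8 characters and of the rule "at least one lower case, one upper case and one digit" are assumptions for the illustration.

```python
import math
import string
from itertools import combinations

# Character classes behind the table quoted in the thread:
# 26 + 26 + 10 + 32 = 94 printable ASCII characters, i.e. [!-~].
CLASSES = {
    "lower": len(string.ascii_lowercase),
    "upper": len(string.ascii_uppercase),
    "digit": len(string.digits),
    "punct": len(string.punctuation),
}
ALL = tuple(CLASSES)


def keyspace(n, allowed=ALL):
    """Count length-n passwords drawn freely from the allowed classes."""
    return sum(CLASSES[c] for c in allowed) ** n


def keyspace_with_rule(n, required, allowed=ALL):
    """Count length-n passwords over `allowed` that contain at least one
    character from every class in `required` (inclusion-exclusion).
    Assumes every required class is also an allowed class."""
    alphabet = sum(CLASSES[c] for c in allowed)
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            reduced = alphabet - sum(CLASSES[c] for c in missing)
            count += (-1) ** k * reduced ** n
    return count


def bits(count):
    """Size of a search space expressed in bits."""
    return math.log2(count)


def compare(n=8, required=("lower", "upper", "digit")):
    """Return (bits lowercase-only, bits unrestricted, bits with the rule)."""
    return (bits(keyspace(n, ("lower",))),
            bits(keyspace(n)),
            bits(keyspace_with_rule(n, required)))


if __name__ == "__main__":
    low, free, ruled = compare()
    print(f"lowercase only : {low:5.1f} bits")
    print(f"any of 94      : {free:5.1f} bits")
    print(f"94 with rule   : {ruled:5.1f} bits")
```

At 8 characters the rule removes about one bit from the full 94-character space, while the lowercase-only space it rules out is about 15 bits smaller than the full space.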
#38
Posted to uk.d-i-y
; TOT; Piggin passwords
On 09/02/16 22:40, David Lang wrote:

I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.

You are using windows. "They" probably already have it.

--
Adrian C
#39
Posted to uk.d-i-y
; TOT; Piggin passwords
In article , Martin Brown wrote:
On 09/02/2016 23:11, Jonno wrote:
David Lang scribbled

I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it. Recently some site insist on having numbers as well, so I've had to add one. Now the bloody things want an upper case letter as well! How the 'kinell does that make anything more secure? Surely it's my choice, not some bell end running a web site?

Apparently Tesco are expecting online shoppers to remember parts of their passwords, like the 1st, 4th, 5th and 8th letters/digits. Brilliant, the person who told me had to write out the password and pick out the digits they required. So much for security.

That is actually a secure form of challenge and with practice you can memorise a password to recall individual characters without writing it down. I count on my fingers since mine has 13 characters.

I can remember the first two or three and certainly the last two, but the ones in between need a bit more work.

--
from KT24 in Surrey, England
#40
Posted to uk.d-i-y
; TOT; Piggin passwords
On Wed, 10 Feb 2016 07:41:55 +0000, Mike Barnes wrote:
Jonno wrote:

Apparently Tesco are expecting online shoppers to remember parts of their passwords, like the 1st, 4th, 5th and 8th letters/digits. Brilliant, the person who told me had to write out the password and pick out the digits they required. So much for security.

Those would be so much easier, if they presented a "fill in the blanks" form rather than telling us the digit positions. E.g. instead of presenting us with something like this, where ? represents an input field:

Enter the 1st, 4th, 5th and 8th characters: ? ? ? ?

they could present us with:

Enter the requested characters: ? - - ? ? - - ?

But that would require a level of user focus that seems to be lacking in the current generation of software designers.

The latter gives away the size of the passphrase which I think is why there has been a move away from it.

--
AnthonyL