UK diy (uk.d-i-y) For the discussion of all topics related to diy (do-it-yourself) in the UK. All levels of experience and proficiency are welcome to join in to ask questions or offer solutions.

#1
Subject: ; TOT; Piggin passwords

I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.

Recently some sites insist on having numbers as well, so I've had to add one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

Surely it's my choice, not some bell end running a web site?

This joke sums it up;

======================================================================
cabbage
Sorry, the password must be more than 8 characters.
boiled cabbage
Sorry, the password must contain 1 numerical character.
1 boiled cabbage
Sorry, the password cannot have blank spaces.
50frigginboiledcabbages
Sorry, the password must contain at least one upper case character.
50FRIGGINboiledcabbages
Sorry, the password cannot use more than one upper case character
consecutively.
50FrigginBoiledCabbagesShovedDownYourThroat,IfYouDontGiveMeAccessImmediately
Sorry, the password cannot contain punctuation.
NowIAmGettingReallyP*ssedOff50FrigginBoiledCabbagesShovedDownYourThroatIfYouDontGiveMeAccessImmediately
Sorry, that password is already in use! -
======================================================================



--
Dave - The Medway Handyman
#2

LOL
#3



"David Lang" wrote in message
...
I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.

Recently some sites insist on having numbers as well, so I've had to add
one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?


It increases the number of possibilities so makes guessing it harder.

Surely it's my choice, not some bell end running a web site?


Plenty are too stupid to use sensible hard to guess passwords.


#4

On 09/02/2016 23:11, Jonno wrote:
David Lang scribbled


I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.

Recently some sites insist on having numbers as well, so I've had to add one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

Surely it's my choice, not some bell end running a web site?



Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.

I have so many passwords now that I can't remember that I have to write
them down or put on a spreadsheet, not the best security.
#5



"ss" wrote in message
...
On 09/02/2016 23:11, Jonno wrote:
David Lang scribbled


I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.

Recently some sites insist on having numbers as well, so I've had to add
one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

Surely it's my choice, not some bell end running a web site?



Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.

I have so many passwords now that I can't remember that I have to write
them down or put on a spreadsheet, not the best security.


A decent password manager fixes that problem

That way you only have to remember the master
password or use a fingerprint sensor etc for that.



#6

In article ,
Jonno wrote:
Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.


Barclays have used that for ages. A drop down menu. But perhaps they
expect most people with a bank account can spell.

--
*Why isn't there a special name for the back of your knee?

Dave Plowman London SW
To e-mail, change noise into sound.
#7

On Tue, 9 Feb 2016 22:40:20 +0000, David Lang
wrote:

I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.

Recently some sites insist on having numbers as well, so I've had to add one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

snip not such a joke as fact ;-(

I had dealings with webmail where the ISP password rules were:

"Passwords must satisfy the following criteria to ensure they are as
secure as possible:
Mixed case: Use a combination of uppercase and lowercase characters
Numbers: Use a mixture of numbers and letters
Special characters: Use at least one of the following special
characters : "!$%^&*()-_=+}{#@':;.,/|?
Length: Your password must be at least 8 characters long
Unique Characters: Your password must contain at least 4 unique
characters and no more than 2 of the same character in a row"

So, I went for something like ... £Ab1cd2&

Them: Not allowed, you can't have the £ symbol.

Me: Where does it say that?

Them: It's not included in the list of special characters.

Me: But it doesn't say it can't be used and I have done as you have
requested with your 'Use at least one of the following special
characters' with the & ?

Them: But the pound sign isn't one of the special characters.

Me: How was I supposed to guess you consider the £ as a 'special
character' and not use it when you do use all the others? All you have
stated is I *must* use one of the ones you list, and I have.

Them: The pound symbol isn't in the list.

Me: I know, but if it's not allowed shouldn't you state such?

Them: It's implied because it isn't in the list ...

OK, in hindsight I can see what they meant to say but am I wrong in
suggesting they didn't actually say it ... and considering you would
think they might like to make things easier for everyone, how
difficult would it have been for them to specifically list any
characters that were excluded? They could have stated:

"Special characters: Use at least one of the following special
characters (and no other special characters not shown) :
"!$%^&*()-_=+}{#@':;.,/|?

So that's not £ or [ or ] or ~ at least?

Oh, and they even contacted me because 'Some of the passwords would be
easy to guess' ... like L10nKing$. Like why? The owner of that account
wasn't into Disney, lions, kings or even had kids!


Cheers, T i m
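The rule set T i m quotes above is a reasonable one to turn into code, because it shows both of the complaints in this thread at once: the rules are checked one at a time (so you get a different error on every attempt), and the rejection of £ comes from a rule that was never written down. What follows is an added example, not the ISP's code and not anything T i m posted. It takes the rule list and the special-character set verbatim from the quoted text (whether the leading double quote is part of that set is an assumption; the quoted text reads that way), applies the support desk's interpretation that anything outside letters, digits and that set is rejected, and reports every failing rule in one go.

```python
# Added example (not the ISP's code): check a candidate password against all of
# the quoted rules at once and report every rule it fails.
import string

# The special-character set exactly as quoted in the post.  Whether the leading
# double quote belongs to the set is an assumption; the quoted text reads that way.
ALLOWED_SPECIALS = set('"!$%^&*()-_=+}{#@\':;.,/|?')
ALLOWED_PLAIN = set(string.ascii_letters + string.digits)
MIN_LENGTH = 8
MIN_UNIQUE = 4
MAX_RUN = 2          # "no more than 2 of the same character in a row"


def check_password(pw: str) -> list:
    """Return the list of rules the password fails; an empty list means it passes."""
    failures = []
    if len(pw) < MIN_LENGTH:
        failures.append(f"length: at least {MIN_LENGTH} characters required")
    has_lower = any(c in string.ascii_lowercase for c in pw)
    has_upper = any(c in string.ascii_uppercase for c in pw)
    if not (has_lower and has_upper):
        failures.append("mixed case: need both upper and lower case letters")
    if not any(c in string.digits for c in pw):
        failures.append("numbers: need at least one digit")
    if not any(c in ALLOWED_SPECIALS for c in pw):
        failures.append("special characters: need at least one of "
                        + "".join(sorted(ALLOWED_SPECIALS)))
    # The rule the support desk applied but the text never stated: anything that
    # is neither a letter, a digit nor a listed special character is rejected.
    disallowed = sorted({c for c in pw
                         if c not in ALLOWED_PLAIN and c not in ALLOWED_SPECIALS})
    if disallowed:
        failures.append("character not allowed: " + " ".join(disallowed))
    if len(set(pw)) < MIN_UNIQUE:
        failures.append(f"unique characters: at least {MIN_UNIQUE} different "
                        "characters required")
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur == prev else 1
        if run > MAX_RUN:
            failures.append(f"repetition: more than {MAX_RUN} of the same "
                            "character in a row")
            break
    return failures


if __name__ == "__main__":
    for candidate in ("£Ab1cd2&", "Ab1cd2&x", "cabbage", "Aaaa1!bc"):
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Run it and T i m's £Ab1cd2& comes back with exactly one complaint, the unstated one; "cabbage" from the joke at the top of the thread fails four rules at once instead of being told about them one login attempt at a time.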
#9

On 10/02/2016 00:03, ss wrote:

I have so many passwords now that I can't remember that I have to write
them down or put on a spreadsheet, not the best security.


You could have PGP encrypted text file with all your user name and
passwords on your PC.
WinPT is what I've been using for all encryption stuff and for creating
encryption keys to use with e-mail etc. Especially useful if you are
e-mailing sensitive data to someone that uses spymail like gmail etc.

https://en.wikipedia.org/wiki/WinPT


#10

On Wed, 10 Feb 2016 00:31:38 -0000, Sam Plusnet wrote:

In article ,
says...

I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.

Recently some sites insist on having numbers as well, so I've had to add one.

Now the bloody things want an upper case letter as well!

Didn't they ask for a non-alphanumeric character as well?

Not trying hard enough.


One of your competitors, who supplies me with calls on my landline,
asks for my web passworm as one of their security questions when I
call their helpdesk. I have written to their CEO pointing out the
error of their ways.
In the meantime, I have changed my passworm to neveraskforpassword in
order to make a point if I am asked again.

Probably should have ROTted that ;-)

That's an idea, ROTted passworms; does anyone do that?


--

Graham.

%Profound_observation%


#11

On 10/02/2016 00:31, Sam Plusnet wrote:

Didn't they ask for a non-alphanumeric character as well?

Not trying hard enough.


It's nice that most things allow the @ symbol now too which is an easy
one to chuck into the middle of a password

#12

David Lang wrote:
I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.

Recently some sites insist on having numbers as well, so I've had to add
one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

Surely it's my choice, not some bell end running a web site?

This joke sums it up;

======================================================================
cabbage
Sorry, the password must be more than 8 characters.
boiled cabbage
Sorry, the password must contain 1 numerical character.
1 boiled cabbage
Sorry, the password cannot have blank spaces.
50frigginboiledcabbages
Sorry, the password must contain at least one upper case character.
50FRIGGINboiledcabbages
Sorry, the password cannot use more than one upper case character
consecutively.
50FrigginBoiledCabbagesShovedDownYourThroat,IfYouDontGiveMeAccessImmediately
Sorry, the password cannot contain punctuation.
NowIAmGettingReallyP*ssedOff50FrigginBoiledCabbagesShovedDownYourThroatIfYouDontGiveMeAccessImmediately
Sorry, that password is already in use! -
======================================================================




I end up with extremely rude vulgar passwords in the end because of
this practice.
It is self defeating because everyone is writing their passwords down
and carrying them with them because it is becoming impossible to
remember them.
#13

On 10/02/2016 01:40, F Murtz wrote:

I end up with extremely rude vulgar passwords in the end because of
this practice.
It is self defeating because everyone is writing their passwords down
and carrying them with them because it is becoming impossible to
remember them.


It's not as bad as it sounds, since it's a way of keeping a list of
adequately complex unique passwords.

We are very good at keeping hold of bits of paper on our person - we
manage with purses / wallets etc.

All you need is some obfuscation to disguise the fact that what you have
is a password list...

It could be Aunty Ethel's phone number is not all it seems. The thing
that says Amazon Password, might actually be the Tesco one, written
backwards and only every other character used etc. Basically think of
some rule that's easy for you to use to sort the password out of the noise.


--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk                      |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk                     |
\=================================================================/
#14

On 09/02/2016 22:40, David Lang wrote:

I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.


The danger is, that should it be compromised through no fault of your
own, then the attacker is now able to access *all* of your online
accounts. Having a unique password per site limits the damage greatly.

Recently some sites insist on having numbers as well, so I've had to add
one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?


By making passwords harder to guess by brute force, or by dictionary
attack.

A brute force attack will typically have an attacker (aided by a
computer doing the donkey work) attempting to guess passwords.

If you are limiting your password to lower case letters only, then there
are 26 possible values per character. Allow upper case and there are 52,
with digits 62, and so on. When you scale up the number of legal
combinations, a few extra allowable characters makes the number of
unique passwords possible a vast number of orders of magnitude more
difficult to guess.

A dictionary attack works well when an attacker has managed to lift a
copy of the password database from an insecure web server etc. That may
give them a big list of encrypted passwords. They may not be able to
decrypt them directly, but they can throw a whole dictionary through the
same encryption process and see which of the encrypted passwords they
have generated match the stolen ones.

Much depends on how clueless the writer of the software was:

https://www.youtube.com/watch?v=8ZtInClXe1Q

Surely it's my choice, not some bell end running a web site?


The problem is, that if you use a weak password, then it lets the bad
guys into bits of web sites they might not otherwise get into - that in
itself is not really much of a problem. More significantly though, it
may let them into several accounts you own on different sites. Being
able to get at several sites creates weaknesses that can be exploited by
trading one off against another. For example:





--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk                      |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk                     |
\=================================================================/
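John's description of the dictionary attack (lift the password table, push a wordlist through the same one-way function, match the outputs) is worth seeing run, because the thing that decides whether it works in seconds or in years is the detail he gestures at with "how clueless the writer of the software was". The block below is an added example, mine rather than John's, with a constructed four-user table and a ten-word list standing in for a real breach and a real multi-million-entry wordlist. The stored values are hashes (what the post calls "encrypted"). It runs the same attack twice: once against unsalted SHA-256, where the attacker hashes each guess once and reuses the result against every user (and every future breach), and once against a per-user random salt with PBKDF2, where every guess has to be redone for every user and each attempt is deliberately slow. The iteration count is kept low so the demo finishes quickly; real deployments use far more.

```python
# Added example: an offline dictionary attack against a stolen credential table,
# run twice: against unsalted SHA-256 and against per-user salts with PBKDF2.
import hashlib
import os

# Constructed sample data (not from any real breach).  Real wordlists hold
# hundreds of millions of entries; the point here is the shape of the work.
WORDLIST = ["123456", "password", "cabbage", "letmein", "password1",
            "boiledcabbage", "Cabbage1", "qwerty", "dragon", "monkey"]
USER_PASSWORDS = {                   # what the users chose; only hashes get stored
    "alice": "cabbage",
    "bob": "password1",
    "carol": "Cabbage1",
    "dave": "xq7!Rv2#Lp9w",          # random, so not in any wordlist
}
ITERATIONS = 2000    # kept low so the demo is quick; real deployments use far more


def unsalted_hash(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


def salted_hash(pw: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations)


def build_unsalted_table() -> dict:
    """What a careless site stores: user -> sha256(password)."""
    return {user: unsalted_hash(pw) for user, pw in USER_PASSWORDS.items()}


def build_salted_table() -> dict:
    """What a careful site stores: user -> (random salt, PBKDF2(password, salt))."""
    table = {}
    for user, pw in USER_PASSWORDS.items():
        salt = os.urandom(16)
        table[user] = (salt, salted_hash(pw, salt))
    return table


def crack_unsalted(table: dict, wordlist: list):
    """Hash every guess once, then look each stolen hash up in that dictionary.
    The precomputed dictionary is a rainbow table in miniature: built once,
    reused against every user here and against the next breach as well."""
    precomputed = {unsalted_hash(w): w for w in wordlist}
    cracked = {user: precomputed[h] for user, h in table.items() if h in precomputed}
    return cracked, len(precomputed)        # (cracked accounts, hashes computed)


def crack_salted(table: dict, wordlist: list):
    """With a per-user salt nothing can be precomputed: every guess has to be
    rehashed for every user, and each hash costs ITERATIONS rounds."""
    cracked = {}
    hashes_computed = 0
    for user, (salt, digest) in table.items():
        for guess in wordlist:
            hashes_computed += 1
            if salted_hash(guess, salt) == digest:
                cracked[user] = guess
                break
    return cracked, hashes_computed


if __name__ == "__main__":
    weak, cost = crack_unsalted(build_unsalted_table(), WORDLIST)
    print("unsalted:", weak, "after", cost, "hashes")
    strong, cost = crack_salted(build_salted_table(), WORDLIST)
    print("salted PBKDF2:", strong, "after", cost,
          "hashes of", ITERATIONS, "rounds each")
```

Both runs crack the same three accounts, because those three chose words on the list, and neither touches dave's random password. The difference is the bill: ten hashes total in the first case against a worst case of users times guesses in the second, with every one of those PBKDF2 calls costing thousands of rounds. Scale the wordlist and the user count up to breach sizes and that multiplication, plus John's point about a unique password per site, is what keeps a leak at one site from becoming a leak everywhere.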
#15



"Graham." wrote in message
...
On Wed, 10 Feb 2016 00:31:38 -0000, Sam Plusnet wrote:

In article ,
says...

I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.

Recently some sites insist on having numbers as well, so I've had to add
one.

Now the bloody things want an upper case letter as well!

Didn't they ask for a non-alphanumeric character as well?

Not trying hard enough.


One of your competitors, who supplies me with calls on my landline,
asks for my web passworm as one of their security questions when I
call their helpdesk. I have written to their CEO pointing out the
error of their ways.


The local wholly owned subsidiary of a British bank HBOS was obscenely
worse than that. The ****wits would ring you up to try to flog you some
new product and then ask for your net banking password in the conversation,
by voice, to ensure that they were actually talking to the person that they
wanted to call and flog something to. And the terminal ****wits didn't even
understand the problem when I complained about that terminal stupidity.

In the meantime, I have changed my passworm to neveraskforpassword in
order to make a point if I am asked again.


Probebly should have ROTted that ;-)


That's an idea ROTted passworms, does anyone do that?


I just use a very decent password manager and form filler that
allows you to only enter your info once and then it will fill in
any form you like in any browser, manage your passwords
completely, invent them as complex as you like, and which
uses a single master password that you need to enter
manually to use it, and keeps the completely encrypted
database in synch across all the devices you own.

Great when you start ordering from a new online seller etc.

Only real downside is that it can't do most of what it does
on Apple's iOS because of the sandbox system iOS uses.
Still manages your passwords fine, uses the fingerprint
sensor to ensure that only you can use it, just cant do
the full form filling it can do on everything else.



#16

John Rumm wrote:
On 09/02/2016 22:40, David Lang wrote:

I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.


The danger is, that should it be compromised through no fault of your
own, then the attacker is now able to access *all* of your online
accounts. Having a unique password per site limits the damage greatly.

Recently some sites insist on having numbers as well, so I've had to add
one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?


By making passwords harder to guess by brute force, or by dictionary
attack.

A brute force attack will typically have an attacker (aided by a
computer doing the donkey work) attempting to guess passwords .

If you are limiting your password to lower case letters only, then there
are 26 possible values per character. Allow upper case and there are 52,
with digits 62, and so on.


But we're not talking about making extra characters allowable. AFAIK in
most cases it's "always" been possible for me to include digits, mixed
case, and punctuation if I want.

When you scale up the number of legal
combinations, a few extra allowable characters makes the number of
unique passwords possible a vast number of orders of magnitude more
difficult to guess.


What we're talking about is them disallowing some combinations of the
same characters that have been available all along, and therefore
*reducing* the number of legal combinations that have to be tested.


But actually things are rather more complicated than simply "guessing",
with rainbow tables and the like.

--
Mike Barnes
Cheshire, England
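John's 26 / 52 / 62 figures and Mike's objection are about two different numbers, and both can be computed. John's is the size of the alphabet a guesser has to cover; Mike's point is that a "must contain an upper case letter and a digit" rule throws away every string that lacks one, so an attacker who knows the rule has slightly fewer candidates to try, not more. The block below is an added example (not from either post) that counts the passwords of a given length that satisfy a set of "must contain at least one of class X" rules by inclusion-exclusion, cross-checks the formula by brute force on a tiny alphabet, and reports how many bits the rule hands back to an attacker who knows it. The character classes are the standard lower / upper / digit sets; any rule beyond "must contain" (such as the "no two consecutive capitals" kind in the joke) would need its own count and is not handled here.

```python
# Added example: count how many passwords a composition rule leaves in the
# keyspace, which is exactly the space an attacker who knows the rule searches.
from itertools import combinations, product
from math import log2
import string

# Disjoint character classes; sizes 26, 26 and 10.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
}


def count_allowed(length: int, classes: dict, required) -> int:
    """Number of strings of `length` over the union of `classes` that contain
    at least one character from every class named in `required`.
    Inclusion-exclusion: start from all strings, subtract those missing each
    required class, add back those missing two, and so on."""
    sizes = {name: len(chars) for name, chars in classes.items()}
    full = sum(sizes.values())
    required = list(required)
    total = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            alphabet = full - sum(sizes[name] for name in missing)
            total += (-1) ** k * alphabet ** length
    return total


def brute_force_count(length: int, classes: dict, required) -> int:
    """The same number by enumeration; only feasible for tiny cases, used as a
    cross-check on count_allowed."""
    alphabet = "".join(classes.values())
    hits = 0
    for candidate in product(alphabet, repeat=length):
        present = set(candidate)
        if all(any(c in present for c in classes[name]) for name in required):
            hits += 1
    return hits


def bits_removed(length: int, classes: dict, required) -> float:
    """How much of the keyspace (in bits) the rule gives away to an attacker
    who knows it, compared with the unconstrained alphabet."""
    full = sum(len(chars) for chars in classes.values()) ** length
    return log2(full / count_allowed(length, classes, required))


if __name__ == "__main__":
    for rule in ([], ["upper"], ["upper", "digit"], ["lower", "upper", "digit"]):
        n = count_allowed(8, CLASSES, rule)
        print(f"8 chars, must contain {rule or 'nothing in particular'}: "
              f"{n:.3e} candidates, {bits_removed(8, CLASSES, rule):.2f} bits removed")
```

For eight characters over 62 symbols the "upper and digit" rule removes a little under half a bit, so Mike is right that the legal space shrinks and Blanco is right that it hardly matters; what the rule actually does is push the people who would otherwise have used 26^8 (about 2 x 10^11) up towards 62^8 (about 2 x 10^14), which is the three orders of magnitude John is talking about.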
#17

Jonno wrote:
Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.


Those would be so much easier, if they presented a "fill in the blanks"
form rather than telling us the digit positions.

E.g. instead of presenting us with something like this, where ?
represents an input field:

Enter the 1st, 4th, 5th and 8th characters: ? ? ? ?

they could present us with:

Enter the requested characters: ? - - ? ? - - ?

But that would require a level of user focus that seems to be lacking in
the current generation of software designers.

--
Mike Barnes
Cheshire, England
#18



"Mike Barnes" wrote in message
...
John Rumm wrote:
On 09/02/2016 22:40, David Lang wrote:

I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.


The danger is, that should it be compromised through no fault of your
own, then the attacker is now able to access *all* of your online
accounts. Having a unique password per site limits the damage greatly.

Recently some sites insist on having numbers as well, so I've had to add
one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?


By making passwords harder to guess by brute force, or by dictionary
attack.

A brute force attack will typically have an attacker (aided by a
computer doing the donkey work) attempting to guess passwords .

If you are limiting your password to lower case letters only, then there
are 26 possible values per character. Allow upper case and there are 52,
with digits 62, and so on.


But we're not talking about making extra characters allowable. AFAIK in
most cases it's "always" been possible for me to include digits, mixed
case, and punctuation if I want.


Yes, but they are now forcing people to use the
stuff that most of them wouldn't bother using.

When you scale up the number of legal
combinations, a few extra allowable characters makes the number of
unique passwords possible a vast number of orders of magnitude more
difficult to guess.


What we're talking about is them disallowing some combinations of the same
characters that have been available all along,


No they aren't. Most never allowed all the odd special characters.

and therefore *reducing* the number of legal combinations that have to be
tested.


Nope.

But actually things are rather more complicated than simply "guessing",
with rainbow tables and the like.



Sure, but it does make sense for the more stupid
to use more than just the letters in a particular case.

#19

Dave Plowman (News) wrote:

Jonno wrote:

Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.


Barclays have used that for ages.


Not for me they don't, I log on using my surname, sort code and account
number which are burnt into my brain having been the same for 30+ years,
plus a one time code generated from my smartphone (or a PINsentry
device plus my debit card).

#20

On 10/02/2016 07:41, Mike Barnes wrote:
Jonno wrote:
Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.


Those would be so much easier, if they presented a "fill in the blanks"
form rather than telling us the digit positions.

E.g. instead of presenting us with something like this, where ?
represents an input field:

Enter the 1st, 4th, 5th and 8th characters: ? ? ? ?

they could present us with:

Enter the requested characters: ? - - ? ? - - ?

But that would require a level of user focus that seems to be lacking in
the current generation of software designers.

I believe Santander do that.


#21

On 09/02/16 22:40, David Lang wrote:
I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.

Recently some sites insist on having numbers as well, so I've had to add
one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

Surely it's my choice, not some bell end running a web site?

This joke sums it up;

======================================================================
cabbage
Sorry, the password must be more than 8 characters.
boiled cabbage
Sorry, the password must contain 1 numerical character.
1 boiled cabbage
Sorry, the password cannot have blank spaces.
50frigginboiledcabbages
Sorry, the password must contain at least one upper case character.
50FRIGGINboiledcabbages
Sorry, the password cannot use more than one upper case character
consecutively.
50FrigginBoiledCabbagesShovedDownYourThroat,IfYouDontGiveMeAccessImmediately
Sorry, the password cannot contain punctuation.
NowIAmGettingReallyP*ssedOff50FrigginBoiledCabbagesShovedDownYourThroatIfYouDontGiveMeAccessImmediately
Sorry, that password is already in use! -
======================================================================




Well, here's one for Plowperson: 1!Hate!Maggie



--
Karl Marx said religion is the opium of the people.
But Marxism is the crack cocaine.
#22

On 10/02/16 00:03, ss wrote:
On 09/02/2016 23:11, Jonno wrote:
David Lang scribbled


I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.

Recently some sites insist on having numbers as well, so I've had to
add one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

Surely it's my choice, not some bell end running a web site?



Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.

I have so many passwords now that I can't remember that I have to write
them down or put on a spreadsheet, not the best security.


I have Figaro's password manager. One password to rule them all.


--
Karl Marx said religion is the opium of the people.
But Marxism is the crack cocaine.
#23

On 10/02/16 00:48, Pet @ www.gymratz.co.uk ;¬) wrote:
On 10/02/2016 00:31, Sam Plusnet wrote:

Didn't they ask for a non-alphanumeric character as well?

Not trying hard enough.


It's nice that most things allow the @ symbol now too which is an easy
one to chuck into the middle of a password

m8!OK4U?

--
Karl Marx said religion is the opium of the people.
But Marxism is the crack cocaine.
#24

On 10/02/16 01:40, F Murtz wrote:

I end up with extremely rude vulgar passwords in the end because of
this practice.
It is self defeating because everyone is writing their passwords down
and carrying them with them because it is becoming impossible to
remember them.



The point about a password manager is this:

If any one of your passwords that you use online is nicked, it doesn't
compromise any others.

Since you never use the master password except to unlock the password
manager, it is unlikely that anyone will get to know it.

Since the encrypted passwords are held on only one machine, it's unlikely
they will be hacked and cracked either.

This is the only way to ameliorate this habit of having totally
different password requirements on sites.



--
Karl Marx said religion is the opium of the people.
But Marxism is the crack cocaine.
#25

David Lang wrote:
I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.

Recently some sites insist on having numbers as well, so I've had to add one.

Now the bloody things want an upper case letter as well!


See https://xkcd.com/936/

Tim


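The xkcd strip Tim links to makes one point that the composition-rule argument above keeps missing: what a guesser is up against is the entropy of the process that chose the password, not how complicated the result looks. That is also what the password managers mentioned by Rod and Blanco do when they "invent them as complex as you like". The block below is an added example, not taken from any post or product on this page, of doing that properly: a CSPRNG (the secrets module, not random), a composition rule satisfied by rejection sampling so the result stays uniform over the allowed set, and a passphrase generator in the xkcd style. The wordlist is a constructed stand-in; a real diceware-style list has 7776 entries, and the entropy figure for that size is computed alongside.

```python
# Added example: generating passwords and passphrases with a CSPRNG, and working
# out the entropy of the *process* (what matters to a guesser), not of the string.
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + "!$%^&*()-_=+#@?"

# Constructed stand-in for a real diceware-style list (those have 7776 words).
WORDLIST = ["cabbage", "boiled", "handyman", "medway", "kettle", "plaster",
            "joist", "spanner", "gutter", "mortar", "rawlplug", "soffit",
            "lintel", "grout", "hinge", "trowel"]


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy of picking `picks` items uniformly and independently from `choices`."""
    return picks * math.log2(choices)


def generate_password(length: int, alphabet: str = ALPHABET, accept=None) -> str:
    """Uniform random password over `alphabet`.  If a site insists on a
    composition rule, pass it as `accept` and we use rejection sampling:
    regenerate until it passes.  That keeps the result uniform over the allowed
    set, whereas forcing 'position 0 must be a digit' would not."""
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if accept is None or accept(pw):
            return pw


def generate_passphrase(words: int, wordlist=WORDLIST, sep: str = " ") -> str:
    """xkcd 936 style: a few random words.  Longer to type, far easier to
    remember, and with a real wordlist the entropy beats a short 'complex'
    password."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def has_upper_and_digit(pw: str) -> bool:
    return any(c.isupper() for c in pw) and any(c.isdigit() for c in pw)


if __name__ == "__main__":
    pw = generate_password(8, accept=has_upper_and_digit)
    print(f"{pw}  (at most {entropy_bits(len(ALPHABET), 8):.1f} bits; "
          "the rule trims that slightly)")
    print(f"{generate_passphrase(4)}  (only {entropy_bits(len(WORDLIST), 4):.1f} bits "
          f"with this {len(WORDLIST)}-word list; {entropy_bits(7776, 4):.1f} bits "
          "with a 7776-word list)")
    print(f"8 lower-case letters: {entropy_bits(26, 8):.1f} bits")
```

Four words from a 7776-word list give about 51.7 bits; eight lower-case letters chosen at random give 37.6, and a human-chosen word with a capital and a digit bolted on gives far less than either, which is the strip's whole argument.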
#26

On 10/02/16 08:38, Martin Brown wrote:
I find it annoying when they don't specify which character set is
allowed and my choice is too unusual for their password filter.


And they don't tell you what the password filter is, only why you failed it.


So you enter passwords over and over with a different error each time.



--
"What do you think about Gay Marriage?"
"I don't."
"Don't what?"
"Think about Gay Marriage."

#27

On 09/02/2016 23:11, Jonno wrote:
David Lang scribbled


I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.

Recently some sites insist on having numbers as well, so I've had to add one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

Surely it's my choice, not some bell end running a web site?


Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.


That is actually a secure form of challenge and with practice you can
memorise a password to recall individual characters without writing it
down. The sites using this method that annoy me are the ones where you
have to hit tab to move between input fields. If you type in the entire
password and there is a keylogger and no countermeasures (or they too
have been compromised) then you are already lost.

The point is that you never disclose the entire password and on some
sites you input it using an unconventional, no-keyboard method.

Increasingly banking sites are using two factor password and PIN
challenges and allow you to customise the home page with a slogan and a
picture of your choice so you can easily spot a forgery.

--
Regards,
Martin Brown
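Martin's description of the "characters 1, 4, 5 and 8" challenge is worth modelling from both sides, because the keylogger scenario he raises is exactly where the scheme's limits show. The block below is an added example, not from Martin's post or any bank's code. It has the verifier (which, because it compares single characters, needs per-character access to the stored secret: a single salted hash of the whole password cannot answer this kind of challenge, and that storage cost is the price of the scheme) and an observer who records every answered challenge and counts how many logins it takes before every position of the password has been seen. The positions are assumed to be drawn uniformly at random each time, and the sample password is constructed.

```python
# Added example: a partial-password challenge (give characters 1, 4, 5 and 8)
# seen from both sides: the verifier, and an observer who records what is typed.
import random
from math import ceil


def make_challenge(length: int, k: int, rng: random.Random) -> list:
    """Pick k distinct 1-based positions, in ascending order, as the prompt does.
    Assumes the positions are drawn uniformly at random each time."""
    return sorted(rng.sample(range(1, length + 1), k))


def verify(stored_password: str, positions: list, answers: list) -> bool:
    """Server side.  Single characters are compared, so the server needs
    per-character access to the secret; a salted hash of the whole password
    cannot answer this challenge, which is the storage cost of the scheme."""
    if len(positions) != len(answers) or len(set(positions)) != len(positions):
        return False
    if any(p < 1 or p > len(stored_password) for p in positions):
        return False
    return all(stored_password[p - 1] == a for p, a in zip(positions, answers))


def simulate_login(secret: str, k: int, seed: int):
    """One honest login: the server issues a challenge, the user answers it."""
    rng = random.Random(seed)
    challenge = make_challenge(len(secret), k, rng)
    answers = [secret[p - 1] for p in challenge]
    return challenge, answers, verify(secret, challenge, answers)


def sessions_until_recovered(length: int, k: int, rng: random.Random) -> int:
    """Observer side: each answered challenge reveals k positions; count the
    logins until every position of the password has been seen."""
    known = set()
    sessions = 0
    while len(known) < length:
        known.update(make_challenge(length, k, rng))
        sessions += 1
    return sessions


def average_sessions(length: int, k: int, trials: int = 2000, seed: int = 1) -> float:
    """Monte Carlo estimate of how many observed logins expose the whole password."""
    rng = random.Random(seed)
    return sum(sessions_until_recovered(length, k, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    secret = "cabbage1"                      # constructed sample password
    challenge, answers, ok = simulate_login(secret, 4, 2016)
    print("challenge", challenge, "answer", answers, "->", ok)
    print(f"lower bound {ceil(len(secret) / 4)} logins; on average "
          f"{average_sessions(len(secret), 4):.2f} observed logins expose all of it")
```

So the scheme does what Martin says, a single captured session is not enough, but the protection is measured in logins, not in principle: an eight-character password asked four characters at a time is fully exposed to a persistent keylogger after a handful of sessions, which is why the banks he mentions pair it with a one-time code from a device or phone rather than relying on it alone.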
#28

On 10/02/2016 08:01, Blanco wrote:


"Mike Barnes" wrote in message
...
John Rumm wrote:
On 09/02/2016 22:40, David Lang wrote:

I've used the same password for years, nobody has a hope in hell of
ever
guessing it. I can remember it.

The danger is, that should it be compromised through no fault of your
own, then the attacker is now able to access *all* of your online
accounts. Having a unique password per site limits the damage greatly.

Recently some sites insist on having numbers as well, so I've had to add
one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

By making passwords harder to guess by brute force, or by dictionary
attack.

A brute force attack will typically have an attacker (aided by a
computer doing the donkey work) attempting to guess passwords .

If you are limiting your password to lower case letters only, then there
are 26 possible values per character. Allow upper case and there are 52,
with digits 62, and so on.


But we're not talking about making extra characters allowable. AFAIK
in most cases it's "always" been possible for me to include digits,
mixed case, and punctuation if I want.


Yes, but they are now forcing people to use the
stuff that most of them wouldn't bother using.

When you scale up the number of legal
combinations, a few extra allowable characters makes the number of
unique passwords possible a vast number of orders of magnitude more
difficult to guess.


What we're talking about is them disallowing some combinations of the
same characters that have been available all along,


No they aren't. Most never allowed all the odd special characters.

and therefore *reducing* the number of legal combinations that have to
be tested.


Nope.

But actually things are rather more complicated than simply
"guessing", with rainbow tables and the like.



Sure, but it does make sense for the more stupid
to use more than just the letters in a particular case.


I keep the more sensitive passwords in an obscure text file on an
external hard drive, but I suppose it's possible to list the most
frequently accessed files? An expert house breaker who's also a computer
whizz is the stuff of nightmares :-)
  #29   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 102
Default ; TOT; Piggin passwords



"stuart noble" wrote in message
...
On 10/02/2016 08:01, Blanco wrote:


"Mike Barnes" wrote in message
...
John Rumm wrote:
On 09/02/2016 22:40, David Lang wrote:

I've used the same password for years, nobody has a hope in hell of
ever
guessing it. I can remember it.

The danger is, that should it be compromised through no fault of your
own, then the attacker is now able to access *all* of your online
accounts. Having a unique password per site limits the damage greatly.

Recently some site insist on having numbers as well, so I've had to
add
one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

By making passwords harder to guess by brute force, or by dictionary
attack.

A brute force attack will typically have an attacker (aided by a
computer doing the donkey work) attempting to guess passwords.

If you are limiting your password to lower case letters only, then
there
are 26 possible values per character. Allow upper case and there are
52,
with digits 62, and so on.

But we're not talking about making extra characters allowable. AFAIK
in most cases it's "always" been possible for me to include digits,
mixed case, and punctuation if I want.


Yes, but they are now forcing people to use the
stuff that most of them wouldn't bother using.

When you scale up the number of legal
combinations, a few extra allowable characters makes the number of
unique passwords possible a vast number of orders of magnitude more
difficult to guess.


What we're talking about is them disallowing some combinations of the
same characters that have been available all along,


No they aren't. Most never allowed all the odd special characters.

and therefore *reducing* the number of legal combinations that have to
be tested.


Nope.

But actually things are rather more complicated than simply
"guessing", with rainbow tables and the like.



Sure, but it does make sense for the more stupid
to use more than just the letters in a particular case.


I keep the more sensitive passwords in an obscure text file on an external
hard drive, but I suppose it's possible to list the most frequently
accessed files?


Yep.

An expert house breaker who's also a computer whizz is the stuff of
nightmares :-)


Not if you encrypt that file.

  #30   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 39,563
Default ; TOT; Piggin passwords

On 10/02/16 08:50, stuart noble wrote:
I keep the more sensitive passwords in an obscure text file on an
external hard drive, but I suppose it's possible to list the most
frequently accessed files? An expert house breaker who's also a computer
whizz is the stuff of nightmares :-)


http://uk.pcmag.com/password-manager...agers-for-2015


Just use a password manager.

I remember the passwords I use a lot - but the ones to give a meter
reading to the electricity company? No way.

When I set up accounts, I add the name and password to the password manager.


--
You can get much farther with a kind word and a gun than you can with a
kind word alone.

Al Capone




  #31   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 966
Default ; TOT; Piggin passwords

The Natural Philosopher wrote:
On 10/02/16 08:38, Martin Brown wrote:
I find it annoying when they don't specify which character set is
allowed and my choice is too unusual for their password filter.


And they don't tell you what the password filter is, only why you failed it.

So you enter passwords over and over with a different error each time.


And then you're supposed to forget all the ones that failed and remember
the one that passed.

--
Mike Barnes
Cheshire, England
  #32   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 116
Default ; TOT; Piggin passwords

David Lang wrote:

I've used the same password for years, nobody has a hope in hell of ever
guessing it.


Some of the worst websites simply store your password on their servers
exactly as you type it, so their administrators don't need to guess it,
they can see it, they usually know your email address too, so they
*could* take your password home on a memory stick and try logging into
eBay/facebook/banks etc. Given their crappy security practices they are
probably more likely to get hacked and your password ends up in
China/India/Russia ...

Good websites should store passwords in a "salted hashed" format so they
can tell if you got it right, but they can't see it, the complexity
requirements you see are so that even if someone hacks their server and
steals the salted/hashed copy of your password, it would take the
hackers centuries to decode it.
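The "salted hashed" storage described above (and the salting remark John Rumm makes later in the thread about rainbow tables) as an added example; this is not code from anyone in the thread or from any site. It stores a PBKDF2-HMAC-SHA256 hash with a per-user random salt instead of the password as typed, and checks a login attempt against the stored record. The record format, the iteration count, the function names and the sample users are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor (iteration count). Assumed value for this example; the point
# is that every guess costs the attacker this many hash rounds, and the
# site can raise it as hardware gets faster.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  rounds: int = PBKDF2_ROUNDS) -> str:
    """Return a storable record 'pbkdf2_sha256$<rounds>$<salt hex>$<hash hex>'.

    A fresh 16-byte random salt per record means two users with the same
    password get different stored values, so a table precomputed for one
    salt (a rainbow table) is useless against every other record.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and rounds, then compare in
    constant time. The site can tell whether the password is right but
    cannot read it back out of the record."""
    try:
        algo, rounds, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def build_user_table(users: dict) -> dict:
    """Constructed 'user table': username -> stored hash record. Contrast
    with the bad practice in the post, where the value would be the
    password itself, readable by anyone who gets at the database."""
    return {name: hash_password(pw) for name, pw in users.items()}


# Dummy record used so an unknown username costs the same work as a known
# one; otherwise response time would reveal which usernames exist.
DUMMY_RECORD = hash_password(os.urandom(16).hex())


def login(table: dict, username: str, password: str) -> bool:
    """Check one login attempt against the table."""
    record = table.get(username)
    if record is None:
        verify_password(password, DUMMY_RECORD)
        return False
    return verify_password(password, record)


if __name__ == "__main__":
    # Constructed sample data: two users who happen to share a password.
    table = build_user_table({"alice": "50FrigginBoiledCabbages",
                              "bob": "50FrigginBoiledCabbages"})
    print(table["alice"] != table["bob"])                      # True: salts differ
    print(login(table, "alice", "50FrigginBoiledCabbages"))    # True
    print(login(table, "alice", "cabbage"))                    # False
```

Because the salt is stored beside the hash it is not a secret; what it buys is that each record has to be attacked on its own, and the iteration count is what makes each of those attacks slow.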

  #33   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 600
Default ; TOT; Piggin passwords

John Rumm wrote:
The danger is, that should it be compromised through no fault of your
own, then the attacker is now able to access *all* of your online
accounts. Having a unique password per site limits the damage greatly.

Recently some site insist on having numbers as well, so I've had to add
one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?


By making passwords harder to guess by brute force, or by dictionary
attack.

A brute force attack is only realistically possible if the attacker
has fast, direct access to the site/system the password is allowing
access to.

You can't realistically brute force a web site login via a web
connection, each attempt would take a significant amount of time (in
computer terms) and any half sensible site should both slow down and
eventually stop accepting inputs after a while.

--
Chris Green
·
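The "slow down and eventually stop accepting inputs" behaviour described above, as an added example that is not code from anyone in the thread: a per-account login throttle that allows a few free failures, doubles the wait after each further one, and then locks the account for a period. The thresholds, the simulated clock and the account name are assumptions made for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class LoginThrottle:
    """Per-account throttle.

    Failures 1..free_attempts cost nothing; each further failure doubles
    the wait before the next attempt is accepted; from lockout_after
    failures on, the account is locked for lockout_seconds at a time.
    The thresholds are assumed values for this example.
    """
    free_attempts: int = 3
    base_delay: float = 1.0
    lockout_after: int = 10
    lockout_seconds: float = 900.0
    clock: Callable[[], float] = time.monotonic   # injectable for tests
    _failures: Dict[str, int] = field(default_factory=dict)
    _next_allowed: Dict[str, float] = field(default_factory=dict)

    def check(self, account: str) -> Tuple[bool, float]:
        """Return (allowed, seconds_to_wait) for an attempt made now."""
        wait = self._next_allowed.get(account, 0.0) - self.clock()
        return wait <= 0.0, max(wait, 0.0)

    def record_failure(self, account: str) -> float:
        """Note a wrong password and return the delay now imposed."""
        n = self._failures.get(account, 0) + 1
        self._failures[account] = n
        if n >= self.lockout_after:
            delay = self.lockout_seconds
        elif n > self.free_attempts:
            delay = self.base_delay * 2 ** (n - self.free_attempts - 1)
        else:
            delay = 0.0
        self._next_allowed[account] = self.clock() + delay
        return delay

    def record_success(self, account: str) -> None:
        """A correct login clears the account's failure history."""
        self._failures.pop(account, None)
        self._next_allowed.pop(account, None)


def try_login(throttle: LoginThrottle, account: str, password: str,
              verify: Callable[[str, str], bool]) -> Tuple[str, float]:
    """One login attempt. `verify` is whatever checks the password (for
    instance against a salted hash); the throttle is consulted first, so a
    throttled attempt never reaches the password check at all."""
    allowed, wait = throttle.check(account)
    if not allowed:
        return "throttled", wait
    if verify(account, password):
        throttle.record_success(account)
        return "ok", 0.0
    return "denied", throttle.record_failure(account)


def simulate_online_guessing(window_seconds: float = 3600.0) -> int:
    """Count the wrong guesses the throttle lets through against one
    account within `window_seconds`. A simulated clock jumps straight to
    the next allowed moment, so the run is instant."""
    now = [0.0]
    throttle = LoginThrottle(clock=lambda: now[0])
    guesses = 0
    while now[0] < window_seconds:
        allowed, wait = throttle.check("victim")
        if not allowed:
            now[0] += wait      # the guesser has to wait out the delay
            continue
        guesses += 1
        throttle.record_failure("victim")
    return guesses


if __name__ == "__main__":
    # Constructed comparison: a site answering every attempt in 0.1 s with
    # no throttle would accept 36,000 guesses an hour; with this one it is 13.
    print(simulate_online_guessing(3600.0))   # 13
```

The throttle is keyed on the account rather than the client address, so spreading attempts across many connections does not get round it; the price is that a flood of deliberate wrong guesses can lock a legitimate user out, which is why the delays start small and the lockout is temporary rather than permanent.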
  #34   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 600
Default ; TOT; Piggin passwords

Martin Brown wrote:
If you choose a restricted alphabet the password of length N is much
weaker. N > 7 is a reasonable choice; anything shorter is too weak.

[a-z] = 26^N = X
[a-z,A-Z] = 52^N = X.2^N
[a-z,A-Z,0-9] = 62^N ~ X.2.38^N
[!-~] = 94^N ~ X.3.6^N

Surely only true if the password cracker using brute force *knows*
that you're using a restricted alphabet. I suppose they could assume
you are, on the basis that many people do use only letters if they're
allowed to.

--
Chris Green
·
  #35   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 10,998
Default ; TOT; Piggin passwords

Some now want a non-alphanumeric as well, I notice. This is why I've not
changed my password on my ISP, as if you go into their new much improved
site they want you to update the passwords to one with numbers, upper and
lower case and non-alphanumerics.
This would mean I need to alter all my mail clients' info to the new stuff
afterwards.
I consider all password systems to be equal risks myself, and it's giving a
false sense of security to suggest anything else.

Brian

"David Lang" wrote in message
...
I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.

Recently some site insist on having numbers as well, so I've had to add
one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

Surely it's my choice, not some bell end running a web site?

This joke sums it up;

========================================================================
cabbage
Sorry, the password must be more than 8 characters.
boiled cabbage
Sorry, the password must contain 1 numerical character.
1 boiled cabbage
Sorry, the password cannot have blank spaces.
50frigginboiledcabbages
Sorry, the password must contain at least one upper case character.
50FRIGGINboiledcabbages
Sorry, the password cannot use more than one upper case character
consecutively.
50FrigginBoiledCabbagesShovedDownYourThroat,IfYouDontGiveMeAccessImmediately
Sorry, the password cannot contain punctuation.
NowIAmGettingReallyP*ssedOff50FrigginBoiledCabbagesShovedDownYourThroatIfYouDontGiveMeAccessImmediately
Sorry, that password is already in use! -
===================================================================================



--
Dave - The Medway Handyman


--
----- -
This newsgroup posting comes to you directly from...
The Sofa of Brian Gaff...

Blind user, so no pictures please!



  #36   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default ; TOT; Piggin passwords

On 10/02/2016 07:40, Mike Barnes wrote:
John Rumm wrote:
On 09/02/2016 22:40, David Lang wrote:

I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.


The danger is, that should it be compromised through no fault of your
own, then the attacker is now able to access *all* of your online
accounts. Having a unique password per site limits the damage greatly.

Recently some site insist on having numbers as well, so I've had to add
one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?


By making passwords harder to guess by brute force, or by dictionary
attack.

A brute force attack will typically have an attacker (aided by a
computer doing the donkey work) attempting to guess passwords.

If you are limiting your password to lower case letters only, then there
are 26 possible values per character. Allow upper case and there are 52,
with digits 62, and so on.


But we're not talking about making extra characters allowable. AFAIK in
most cases it's "always" been possible for me to include digits, mixed
case, and punctuation if I want.


That rather depends on the site...

By precluding use of say an all lower case password, you thwart any
attack that will only search the (much smaller) "lower case only" search
space.

(think about how tools like L0phtCrack etc work - they try all lower
case before they try the larger search spaces, since in many cases that
will crack a substantial number of accounts)

When you scale up the number of legal
combinations, a few extra allowable characters makes the number of
unique passwords possible a vast number of orders of magnitude more
difficult to guess.


What we're talking about is them disallowing some combinations of the
same characters that have been available all along, and therefore
*reducing* the number of legal combinations that have to be tested.


I don't think that statement can be supported with maths ;-)

But actually things are rather more complicated than simply "guessing",
with rainbow tables and the like.


Indeed, but that seems rather more information than the OP needs.

(and if password hashes are properly "salted", then you can mitigate the
advantage of rainbow table attacks)


--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
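Martin Brown's table earlier in the thread (26^N, 52^N, 62^N, 94^N) and John Rumm's point above about crackers working through the all-lower-case space first, carried through in code as an added example; this is not code from anyone in the thread or from any cracking tool. The tier names follow the table; the helper names and the sample passwords are assumptions made for the example.

```python
import math
import string
from typing import Tuple

# The tiers from the thread's table, in the order a cracker that tries the
# smallest alphabet first would work through them. [!-~] is every printable
# ASCII character from '!' (0x21) to '~' (0x7e), 94 in all.
TIERS = [
    ("[a-z]", set(string.ascii_lowercase)),
    ("[a-z,A-Z]", set(string.ascii_letters)),
    ("[a-z,A-Z,0-9]", set(string.ascii_letters + string.digits)),
    ("[!-~]", {chr(c) for c in range(0x21, 0x7F)}),
]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters drawn
    from an alphabet of `alphabet_size` symbols: 26^N, 52^N, and so on."""
    return alphabet_size ** length


def factor_over_lowercase(alphabet_size: int, length: int) -> float:
    """The multiplier in the table: 52^N / 26^N = 2^N, 62^N / 26^N is
    about 2.38^N, 94^N / 26^N about 3.6^N."""
    return (alphabet_size / 26) ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """The same quantity as keyspace() expressed in bits: N * log2(size)."""
    return length * math.log2(alphabet_size)


def smallest_tier(password: str) -> Tuple[str, int]:
    """Return the first tier whose alphabet contains every character of the
    password, and that alphabet's size. This is the search space a
    smallest-alphabet-first cracker has to reach before the password can
    fall to brute force at all."""
    chars = set(password)
    for name, alphabet in TIERS:
        if chars <= alphabet:
            return name, len(alphabet)
    # Characters outside printable ASCII: count them on top of the 94.
    return "outside [!-~]", 94 + len(chars - TIERS[-1][1])


def guesses_to_exhaust(password: str) -> int:
    """Size of the smallest-tier search space at this password's length."""
    _, size = smallest_tier(password)
    return keyspace(size, len(password))


def survives_lowercase_only_search(password: str) -> bool:
    """True if a pass over the [a-z] space alone can never find this
    password. A policy that insists on an upper-case letter or a digit
    makes this true for every account on the site at once, which is the
    point John Rumm makes above."""
    return smallest_tier(password)[1] > 26


if __name__ == "__main__":
    # Constructed samples: the passwords from the joke in the first post.
    for pw in ("cabbage", "50frigginboiledcabbages", "50FrigginBoiledCabbages"):
        name, size = smallest_tier(pw)
        print(f"{pw!r}: tier {name}, {size}^{len(pw)} = "
              f"{guesses_to_exhaust(pw):.3e} guesses, "
              f"{entropy_bits(size, len(pw)):.1f} bits")
    for size in (26, 52, 62, 94):
        print(f"N=8, alphabet {size}: {keyspace(size, 8):.3e} "
              f"(x{factor_over_lowercase(size, 8):.0f} over lower case)")
```

The numbers are upper bounds: they assume the password is a uniformly random string, which a dictionary word with a digit bolted on is not, so the tier tells you which pass of a cracker the password can survive, not how long it will survive the pass it falls in.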
  #37   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 25,191
Default ; TOT; Piggin passwords

On 10/02/2016 09:22, wrote:
John Rumm wrote:
The danger is, that should it be compromised through no fault of your
own, then the attacker is now able to access *all* of your online
accounts. Having a unique password per site limits the damage greatly.

Recently some site insist on having numbers as well, so I've had to add
one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?


By making passwords harder to guess by brute force, or by dictionary
attack.

A brute force attack is only realistically possible if the attacker
has fast, direct access to the site/system the password is allowing
access to.

You can't realistically brute force a web site login via a web
connection, each attempt would take a significant amount of time (in
computer terms) and any half sensible site should both slow down and
eventually stop accepting inputs after a while.


True, but it's probably safe to assume that there is a site somewhere
with your details on it that will be hacked and lose its database.

If that is one which has not secured your password sufficiently
securely, then it can be brute forced at a much higher guess rate. With
a re-used password it's a quick way into the more secure sites.


--
Cheers,

John.

/=================================================================\
| Internode Ltd - http://www.internode.co.uk |
|-----------------------------------------------------------------|
| John Rumm - john(at)internode(dot)co(dot)uk |
\=================================================================/
  #38   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,375
Default ; TOT; Piggin passwords

On 09/02/16 22:40, David Lang wrote:
I've used the same password for years, nobody has a hope in hell of ever
guessing it. I can remember it.


You are using Windows. "They" probably already have it.

--
Adrian C
  #39   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 5,061
Default ; TOT; Piggin passwords

In article , Martin Brown
wrote:
On 09/02/2016 23:11, Jonno wrote:
David Lang scribbled


I've used the same password for years, nobody has a hope in hell of
ever guessing it. I can remember it.

Recently some site insist on having numbers as well, so I've had to
add one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

Surely it's my choice, not some bell end running a web site?


Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and
pick out the digits they required. So much for security.


That is actually a secure form of challenge and with practice you can
memorise a password to recall individual characters without writing it
down.


I count on my fingers since mine has 13 characters. I can remember the
first two or three and certainly the last two, but the ones in between need
a bit more work.

--
from KT24 in Surrey, England
  #40   Report Post  
Posted to uk.d-i-y
external usenet poster
 
Posts: 1,236
Default ; TOT; Piggin passwords

On Wed, 10 Feb 2016 07:41:55 +0000, Mike Barnes
wrote:

Jonno wrote:
Apparently Tesco are expecting online shoppers to remember parts of
their passwords, like the 1st, 4th, 5th and 8th letters/digits.
Brilliant, the person who told me had to write out the password and pick
out the digits they required. So much for security.


Those would be so much easier, if they presented a "fill in the blanks"
form rather than telling us the digit positions.

E.g. instead of presenting us with something like this, where ?
represents an input field:

Enter the 1st, 4th, 5th and 8th characters: ? ? ? ?

they could present us with:

Enter the requested characters: ? - - ? ? - - ?

But that would require a level of user focus that seems to be lacking in
the current generation of software designers.


The latter gives away the size of the passphrase which I think is why
there has been a move away from it.

--
AnthonyL