Password De-Complexity
-
den2k88 wrote:
It still requires a device with that app, which may be unavailable
That is correct. I have it available on Windows and Android and coming soon (within a week) to iOS (iphone/ipad). Also, there is another compelling part to all of this. I've created a bluetooth device that you attach to your computer's (works on Apple, Windows and Linux) USB port. That device has a bluetooth module that you can pair with your phone, device, etc. Then, you can have the app just on your phone and press a button in C'Ya Pass app and it will type the password on your computer. I use it every day and it is so much fun. It allows you to login to the windows login from your phone or device. You can read about the initial project here at CP: Ending the Era of Weak Passwords: Never Type A Password Again (Never Memorize A Password Again)[^] It won 2nd prize in the IoT contest. :) Thanks again for asking.
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
My main problem is that if you have to access to an account but not have a smart-thing with you or the USB thingie (which I suppose must be installed and that may be not possible if roaming or with another's machine) you are by all accouts locked out. Goodbye access to you banking site / e-mail while at work if the smartphone is unavailable due to hardware failure / in the pocket of a less-than-honest person. Especially if you work on the move, as a guest in many different companies (think of industrial equipment maintenance). The only device I rely on is my head since if it fails or is missing from the rest of the body it is evident that I have more pressing problems on my hands than a password. Also remembering a pattern isn't that easy, after months you may very easily forget which is the starting coordinate and how long is the pattern, even for a single line. It still relies on brains, plus a device. Cut the dependecies and use only the brain, it's easier and allows access under any condition which isn't physically incapacitating to the individual.
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
-
Yeah but a day's difference won't affect something that'd take weeks or months of computational power :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
Just a few weeks ago a new password was rejected because it contained a
-(hex 2D). Using an underscore was OK. So, yes I noticed it (and thought WTF). Maybe the passwords has to be piped between shell commands, then passed as shell command parameters, HTML/XML encoded and decoded, and finally passed to a SQL query. To avoid escaping all the processing specific reserved characters using processing specific escaping it is just simpler to disallow them. -
In that case, "It's as easy to crack a$&12Gc# as abd12Gc4", so why prevent special characters?
There are only 10 types of people in the world, those who understand binary and those who don't.
I guess they are trying to encourage people to use passwords that are hard to crack but easy to remember, so they don't write it down on a piece of paper and stick it on their screens. I am not siding with that idea, and would personally not enforce this rule at my work place. Just trying to guess what their thinking was.
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
I guess they are trying to encourage people to use passwords that are hard to crack but easy to remember, so they don't write it down on a piece of paper and stick it on their screens. I am not siding with that idea, and would personally not enforce this rule at my work place. Just trying to guess what their thinking was.
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
No security system is absolute. His password app is still vulnerable to actual theft but I have to say that it would protect you against the hordes of bot-nets working tirelessly to crack user accounts all across the net.
if (Object.DividedByZero == true) { Universe.Implode(); } Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
Yes it is safe and botnets are now the most used method for bruteforcing. The problem is that the password itself may become unavailable to the user. With a username/password you only need a terminal, access to the service and the physical capabiltiy of inputting the credentials. With the app you need aother gizmo which may be broken or elsewhere. Not everyone uses only a couple of devices of which he's the owner - when I'm in industrial plants and have to access my e-mail to download a package with the latest fix of the software (as in built fro my phone call 30 minutes before) and the gizmo with the app isn't serviceable for whatever reason I'm elephanted.
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
-
OriginalGriff wrote:
won't allow a hyphen in an email address... :sigh:
That is bad (code word for stupid) I suppose it can get worse (polite way of saying stupider): I've a domain name ending in .info - which is rejected as invalid by a number of places. I didn't test to see what top level domains they think are real - but, well, as we well know: There's no limit to or cure for stupid.
"The difference between genius and stupidity is that genius has its limits." - Albert Einstein
"If you are searching for perfection in others, then you seek disappointment. If you are seek perfection in yourself, then you will find failure." - Balboos HaGadol Mar 2010
Too long - everybody knows that ".com" is only three letters... :laugh:
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
-
I think you may have just explained the problem. :laugh: :laugh:
There are only 10 types of people in the world, those who understand binary and those who don't.
I had a client insist I add password protection to an innocuous app in case somebody walked by and decided to access the data on an unattended machine. I suggested they put a password on their windows as they had other apps (including main accounting) and files without passwords, also mentioned it acts as line of defense for external attacks - plus it was already built-in ans even better free of charge. He told me "that would be too hard for them to remember." Duly added the password requirement as requested, and of course walking around the office during lunch lots of PC's sitting there, windows [and often other apps] open, (and almost always the customary post-it note on the edge of the screen with the app password.) :sigh: Anyway, nice bit of extra work; why argue if they give me more money to support their own stupidity.
Sin tack ear lol Pressing the "Any" key may be continuate
-
No idea why you need special characters... I use 1234 everywhere...
Skipper: We'll fix it. Alex: Fix it? How you gonna fix this? Skipper: Grit, spit and a whole lotta duct tape.
Even on your luggage?
Software Zen:
delete this; -
Yes it is safe and botnets are now the most used method for bruteforcing. The problem is that the password itself may become unavailable to the user. With a username/password you only need a terminal, access to the service and the physical capabiltiy of inputting the credentials. With the app you need aother gizmo which may be broken or elsewhere. Not everyone uses only a couple of devices of which he's the owner - when I'm in industrial plants and have to access my e-mail to download a package with the latest fix of the software (as in built fro my phone call 30 minutes before) and the gizmo with the app isn't serviceable for whatever reason I'm elephanted.
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
I cannot refute that such an app is not ideal for all situations. When it comes to the internet, the average user has dozens if not hundreds of user accounts and they tend to use the same user name and password combination for all of them because it is simpler. People have trouble remembering a couple of passwords let alone hundreds. I can see the benefit of such an app for everyday things, such as logging into Code Project, Amazon, Netflix, etc.... Now, in your instance, the app is more of a liability but the example is also an outlier. The real benefit might be in generating passwords for a site that stores personal data but you may only use once or twice a year such as TurboTax.
if (Object.DividedByZero == true) { Universe.Implode(); } Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
-
I guess they are trying to encourage people to use passwords that are hard to crack but easy to remember, so they don't write it down on a piece of paper and stick it on their screens. I am not siding with that idea, and would personally not enforce this rule at my work place. Just trying to guess what their thinking was.
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
The only secure password is one you can't remember. :) Seriously, don't try to remember all your passwords; use a password manager. Then you'll only need to remember one master password, and protect the password manager storage.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
-
den2k88 wrote:
It still requires a device with that app, which may be unavailable
That is correct. I have it available on Windows and Android and coming soon (within a week) to iOS (iphone/ipad). Also, there is another compelling part to all of this. I've created a bluetooth device that you attach to your computer's (works on Apple, Windows and Linux) USB port. That device has a bluetooth module that you can pair with your phone, device, etc. Then, you can have the app just on your phone and press a button in C'Ya Pass app and it will type the password on your computer. I use it every day and it is so much fun. It allows you to login to the windows login from your phone or device. You can read about the initial project here at CP: Ending the Era of Weak Passwords: Never Type A Password Again (Never Memorize A Password Again)[^] It won 2nd prize in the IoT contest. :) Thanks again for asking.
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
-
I had a client insist I add password protection to an innocuous app in case somebody walked by and decided to access the data on an unattended machine. I suggested they put a password on their windows as they had other apps (including main accounting) and files without passwords, also mentioned it acts as line of defense for external attacks - plus it was already built-in ans even better free of charge. He told me "that would be too hard for them to remember." Duly added the password requirement as requested, and of course walking around the office during lunch lots of PC's sitting there, windows [and often other apps] open, (and almost always the customary post-it note on the edge of the screen with the app password.) :sigh: Anyway, nice bit of extra work; why argue if they give me more money to support their own stupidity.
Sin tack ear lol Pressing the "Any" key may be continuate
Lopatir wrote:
He told me "that would be too hard for them to remember."
:wtf: :wtf: Believe it or not our company has been doing a lot of that stupid stuff lately. Making poor decisions just because they believe the end user is too stupid. It's driving me nuts. :mad:
There are only 10 types of people in the world, those who understand binary and those who don't.
-
You forgot the "signed in triplicate, sent in, sent back, queried, lost, found, subjected to public inquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters" part. Sadly many sites are "managed" just like that.
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
-
The only secure password is one you can't remember. :) Seriously, don't try to remember all your passwords; use a password manager. Then you'll only need to remember one master password, and protect the password manager storage.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
People who are multi-lingual have an advantage - they can create cryptically complex passwords that they can easily remember by mixing languages. Example : thendralbaarishseason I've mixed a tamil word, a hindi word, and an english word there. What's gibberish to most mono-lingual people is a very easy to remember word for me (I speak 4 languages). :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
I guess they are trying to encourage people to use passwords that are hard to crack but easy to remember, so they don't write it down on a piece of paper and stick it on their screens. I am not siding with that idea, and would personally not enforce this rule at my work place. Just trying to guess what their thinking was.
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
No, they still stick them to their screens, those that don't come Monday morning, "I can't remember what I used, maybe it was my dogs name .... no, ...., wait, with or without big letters, umm, I'll call support, they were quite quick last week."
Sin tack ear lol Pressing the "Any" key may be continuate
-
No, they still stick them to their screens, those that don't come Monday morning, "I can't remember what I used, maybe it was my dogs name .... no, ...., wait, with or without big letters, umm, I'll call support, they were quite quick last week."
Sin tack ear lol Pressing the "Any" key may be continuate
When IT policy forces people to change their passwords every 60 days, no wonder they can't remember them :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
using gesture or swipe input on mobiles, too hard to do some of the specials
Sin tack ear lol Pressing the "Any" key may be continuate
Not a reason to remove them, just a reason to not make them mandatory.
-
I cannot refute that such an app is not ideal for all situations. When it comes to the internet, the average user has dozens if not hundreds of user accounts and they tend to use the same user name and password combination for all of them because it is simpler. People have trouble remembering a couple of passwords let alone hundreds. I can see the benefit of such an app for everyday things, such as logging into Code Project, Amazon, Netflix, etc.... Now, in your instance, the app is more of a liability but the example is also an outlier. The real benefit might be in generating passwords for a site that stores personal data but you may only use once or twice a year such as TurboTax.
if (Object.DividedByZero == true) { Universe.Implode(); } Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
Yes absolutely, in fact when I'll get an Android phone (years from now) I'll seriously think about that app as it looks very promising now that I understood it, precisely for this kind of services like taxes online and so on.
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
-
My main problem is that if you have to access to an account but not have a smart-thing with you or the USB thingie (which I suppose must be installed and that may be not possible if roaming or with another's machine) you are by all accouts locked out. Goodbye access to you banking site / e-mail while at work if the smartphone is unavailable due to hardware failure / in the pocket of a less-than-honest person. Especially if you work on the move, as a guest in many different companies (think of industrial equipment maintenance). The only device I rely on is my head since if it fails or is missing from the rest of the body it is evident that I have more pressing problems on my hands than a password. Also remembering a pattern isn't that easy, after months you may very easily forget which is the starting coordinate and how long is the pattern, even for a single line. It still relies on brains, plus a device. Cut the dependecies and use only the brain, it's easier and allows access under any condition which isn't physically incapacitating to the individual.
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
Thanks for continuing the conversation.
den2k88 wrote:
which I suppose must be installed and that may be not possible if roaming or with another's machine)
This is the beauty of the extra device. The device is recognized as a keyboard so there are no drivers installed. I have literally walked up to multiple machines even ones that are completely locked down, attached the device and sent my password. This worked on Macs, Windows and Linux. There are no security issues with attaching a keyboard and no drivers installed so it works seamlessly. I was amazed myself. I have no admin rights on my computer at work and I connected the device and it worked instantly. :cool:
den2k88 wrote:
n the pocket of a less-than-honest person.
Even if they get your phone they have to : 1. reproduce your exact pattern 2. know which site to use the gen'd password on . Physical access is always a problem anyways.
den2k88 wrote:
Goodbye access to you banking site / e-mail while at work if the smartphon
I'm considering even create an HTML5 version of the app so you can generate your password locally from any browser. it's just generating a SHA256 after all. The site/key wouldn't be stored in that case. You'd just enter it one time, draw your pattern in the browser and it'd generate. That way you'd always have access. It is probably true that if you've lost your phone you have other problems to deal with anyways. These are all fantastic questions and I appreciate you asking. :thumbsup:
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
