Password De-Complexity
-
You forgot the "signed in triplicate, sent in, sent back, queried, lost, found, subjected to public inquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters" part. Sadly many sites are "managed" just like that.
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
-
The only secure password is one you can't remember. :) Seriously, don't try to remember all your passwords; use a password manager. Then you'll only need to remember one master password, and protect the password manager storage.
"These people looked deep within my soul and assigned me a number based on the order in which I joined." - Homer
People who are multi-lingual have an advantage - they can create cryptically complex passwords that they can easily remember by mixing languages. Example : thendralbaarishseason I've mixed a tamil word, a hindi word, and an english word there. What's gibberish to most mono-lingual people is a very easy to remember word for me (I speak 4 languages). :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
I guess they are trying to encourage people to use passwords that are hard to crack but easy to remember, so they don't write it down on a piece of paper and stick it on their screens. I am not siding with that idea, and would personally not enforce this rule at my work place. Just trying to guess what their thinking was.
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
No, they still stick them to their screens, those that don't come Monday morning, "I can't remember what I used, maybe it was my dogs name .... no, ...., wait, with or without big letters, umm, I'll call support, they were quite quick last week."
Sin tack ear lol Pressing the "Any" key may be continuate
-
No, they still stick them to their screens, those that don't come Monday morning, "I can't remember what I used, maybe it was my dogs name .... no, ...., wait, with or without big letters, umm, I'll call support, they were quite quick last week."
Sin tack ear lol Pressing the "Any" key may be continuate
When IT policy forces people to change their passwords every 60 days, no wonder they can't remember them :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
using gesture or swipe input on mobiles, too hard to do some of the specials
Sin tack ear lol Pressing the "Any" key may be continuate
Not a reason to remove them, just a reason to not make them mandatory.
-
I cannot refute that such an app is not ideal for all situations. When it comes to the internet, the average user has dozens if not hundreds of user accounts and they tend to use the same user name and password combination for all of them because it is simpler. People have trouble remembering a couple of passwords let alone hundreds. I can see the benefit of such an app for everyday things, such as logging into Code Project, Amazon, Netflix, etc.... Now, in your instance, the app is more of a liability but the example is also an outlier. The real benefit might be in generating passwords for a site that stores personal data but you may only use once or twice a year such as TurboTax.
if (Object.DividedByZero == true) { Universe.Implode(); } Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
Yes absolutely, in fact when I'll get an Android phone (years from now) I'll seriously think about that app as it looks very promising now that I understood it, precisely for this kind of services like taxes online and so on.
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
-
My main problem is that if you have to access to an account but not have a smart-thing with you or the USB thingie (which I suppose must be installed and that may be not possible if roaming or with another's machine) you are by all accouts locked out. Goodbye access to you banking site / e-mail while at work if the smartphone is unavailable due to hardware failure / in the pocket of a less-than-honest person. Especially if you work on the move, as a guest in many different companies (think of industrial equipment maintenance). The only device I rely on is my head since if it fails or is missing from the rest of the body it is evident that I have more pressing problems on my hands than a password. Also remembering a pattern isn't that easy, after months you may very easily forget which is the starting coordinate and how long is the pattern, even for a single line. It still relies on brains, plus a device. Cut the dependecies and use only the brain, it's easier and allows access under any condition which isn't physically incapacitating to the individual.
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
Thanks for continuing the conversation.
den2k88 wrote:
which I suppose must be installed and that may be not possible if roaming or with another's machine)
This is the beauty of the extra device. The device is recognized as a keyboard so there are no drivers installed. I have literally walked up to multiple machines even ones that are completely locked down, attached the device and sent my password. This worked on Macs, Windows and Linux. There are no security issues with attaching a keyboard and no drivers installed so it works seamlessly. I was amazed myself. I have no admin rights on my computer at work and I connected the device and it worked instantly. :cool:
den2k88 wrote:
n the pocket of a less-than-honest person.
Even if they get your phone they have to : 1. reproduce your exact pattern 2. know which site to use the gen'd password on . Physical access is always a problem anyways.
den2k88 wrote:
Goodbye access to you banking site / e-mail while at work if the smartphon
I'm considering even create an HTML5 version of the app so you can generate your password locally from any browser. it's just generating a SHA256 after all. The site/key wouldn't be stored in that case. You'd just enter it one time, draw your pattern in the browser and it'd generate. That way you'd always have access. It is probably true that if you've lost your phone you have other problems to deal with anyways. These are all fantastic questions and I appreciate you asking. :thumbsup:
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
-
Even on your luggage?
Software Zen:
delete this;That's the stupidest combination I've ever heard in my life! That's the kind of thing an idiot would have on his luggage!
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
-
Thanks for continuing the conversation.
den2k88 wrote:
which I suppose must be installed and that may be not possible if roaming or with another's machine)
This is the beauty of the extra device. The device is recognized as a keyboard so there are no drivers installed. I have literally walked up to multiple machines even ones that are completely locked down, attached the device and sent my password. This worked on Macs, Windows and Linux. There are no security issues with attaching a keyboard and no drivers installed so it works seamlessly. I was amazed myself. I have no admin rights on my computer at work and I connected the device and it worked instantly. :cool:
den2k88 wrote:
n the pocket of a less-than-honest person.
Even if they get your phone they have to : 1. reproduce your exact pattern 2. know which site to use the gen'd password on . Physical access is always a problem anyways.
den2k88 wrote:
Goodbye access to you banking site / e-mail while at work if the smartphon
I'm considering even create an HTML5 version of the app so you can generate your password locally from any browser. it's just generating a SHA256 after all. The site/key wouldn't be stored in that case. You'd just enter it one time, draw your pattern in the browser and it'd generate. That way you'd always have access. It is probably true that if you've lost your phone you have other problems to deal with anyways. These are all fantastic questions and I appreciate you asking. :thumbsup:
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
I appreciate your answers, and you designed both the device and the software very well. So it attaches like a keyboard, nice... evil ideas cross my mind (not regardin your device but the possible use of this information :D).
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
-
When IT policy forces people to change their passwords every 60 days, no wonder they can't remember them :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
Ah, security taken to the point of absurdity. I can see it now.... Next week our company is moving to ten-factor authentication. Upon login, you will need to provide a password (1). Then you will receive an email with a link to a website(2) which you will provide your telephone number(3). If the telephone number provided is on record, you will receive a passcode(4) via text message. After correctly entering the passcode on the original login splash screen, the system will provide you a unique ten digit key(5) which you will need to complete your authentication process. Do not write down the ten digit key. Go to the bio-metric authentication closet. Enter your ten digit key on the key-pad. The bio-metric closet will open to let you in. Once inside the closet, you will need to use the scanners to provide your fingerprints(6), retina scan(7), plus a blood(8) and stool sample(9). Once you have completed the process and have been successfully authenticated, the system will provide you a unique, one-time-use, 22 character passcode(10) that will allow you to login to your computer. Do not write the passcode down and the passcode will also expire after 120 seconds. If you fail to login to your station before the temporary passcode expires, you will have to repeat the process. Then the CIO will brag that he has the most secure network in the world.
if (Object.DividedByZero == true) { Universe.Implode(); } Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
-
Sounds great. When will you have it ready for my Blackberry and my PC (with no touch interface on the latter - can I draw the pattern with my mouse)?
- I would love to change the world, but they won’t give me the source code.
Forogar wrote:
PC (with no touch interface on the latter - can I draw the pattern with my mouse)?
Yes, PC is available right now at: C'YaPass: F*orget All Your Passwords | Get C'YaPass[^] You can draw with the mouse. My laptop has a touch screen and it works that way too. Blackberry on the other hand....probably not going to happen. :)
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
-
I appreciate your answers, and you designed both the device and the software very well. So it attaches like a keyboard, nice... evil ideas cross my mind (not regardin your device but the possible use of this information :D).
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
den2k88 wrote:
I appreciate your answers, and you designed both the device and the software very well.
You just made my day. :thumbsup::thumbsup::thumbsup:
den2k88 wrote:
evil ideas cross my mind (not regardin your device but the possible use of this information
I know. I have been contemplating this. With a little code on the device, which is very easy to write I can connect the device to your computer and then send a code over bluetooth from my phone, that runs a command while you are logged on. Since the thing is just a keyboard it will type the command on your screen. So imagine if I distracted you and pushed a button on my phone your computer suddenly types a bunch of commands. Could be a cool practical joke. :) But, let's keep this between ourselves. And oh, that device can move the mouse too. :-\
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
-
raddevus wrote:
more difficult to remember for users.
That's fine. So, don't make it required. My problem is they are preventing you from using a special character.
There are only 10 types of people in the world, those who understand binary and those who don't.
-
People who are multi-lingual have an advantage - they can create cryptically complex passwords that they can easily remember by mixing languages. Example : thendralbaarishseason I've mixed a tamil word, a hindi word, and an english word there. What's gibberish to most mono-lingual people is a very easy to remember word for me (I speak 4 languages). :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
A-Z, lowercase only, no symbols, no digits. Methinks your password would be easier to crack than you might think.
dandy72 wrote:
A-Z, lowercase only, no symbols, no digits. Methinks your password would be easier to crack than you might think.
Trivial to introduce a few upper case letters. My point was that it's more complex than had I used English only words for the same length. Also even with lower case, a 25 length string is harder to crack than a 10 char password that uses both cases, numbers, and symbols.
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
And a couple I've noticed that won't allow a hyphen in an email address... :sigh: No prizes for guessing which "special character" is in my domain name?
Bad command or file name. Bad, bad command! Sit! Stay! Staaaay...
-
dandy72 wrote:
A-Z, lowercase only, no symbols, no digits. Methinks your password would be easier to crack than you might think.
Trivial to introduce a few upper case letters. My point was that it's more complex than had I used English only words for the same length. Also even with lower case, a 25 length string is harder to crack than a 10 char password that uses both cases, numbers, and symbols.
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
Nish Nishant wrote:
25 length string is harder to crack than a 10 char password that uses both cases, numbers, and symbols.
Are you sure about that? A 25-character password * a pool of (26 possible characters) can be brute-forced in 650 tries. A 10-character password * a pool of (26 upper + 26 lower + 10 digits + ~20 symbols) require 820 tries to be guessed correctly. Having written this...I'm tired and my mind has turned to mush a few hours ago and this looks wrong (I know exponentials have to be introduced in there), but even then I think the basic point of my over-simplification is still correct...is it not? I'm sure the correct math will come to me after I've made a fool of myself... :-)
-
Nish Nishant wrote:
25 length string is harder to crack than a 10 char password that uses both cases, numbers, and symbols.
Are you sure about that? A 25-character password * a pool of (26 possible characters) can be brute-forced in 650 tries. A 10-character password * a pool of (26 upper + 26 lower + 10 digits + ~20 symbols) require 820 tries to be guessed correctly. Having written this...I'm tired and my mind has turned to mush a few hours ago and this looks wrong (I know exponentials have to be introduced in there), but even then I think the basic point of my over-simplification is still correct...is it not? I'm sure the correct math will come to me after I've made a fool of myself... :-)
dandy72 wrote:
Having written this...I'm tired and my mind has turned to mush a few hours ago and this looks wrong (I know exponentials have to be introduced in there), but even then I think the basic point of my over-simplification is still correct...is it not?
Sorry, your math's not right :-) A char-set of 26 chars with a length of 25 gives 2.36e+35 permutations. A char-set of 82 chars with a length of 10 gives 1.37e+19 permutations. The former is way stronger :-)
Regards, Nish
Website: www.voidnish.com Blog: voidnish.wordpress.com
-
Oh, very good point. That's ridiculous that they don't allow it. What? I use my app exclusively for my own passwords and I'm always annoyed when sites tell me that I have to use a special char, because with my app my passwords now look like: 1. cf82bb8b015707c5cef11942b88bb058d3795f4dcae551e65ea72891333a1384 2. ea50612a6d5dde56c7a826cc03317e99c2f2f5547b0bd0b5e985ac27883b8242 Those are extremely strong because they are long and not based upon words. Those silly password checkers will say they are of medium complexity. :sigh: The industry has a lot to learn.
My book, Launch Your Android App, is available at Amazon.com (only $2.99USD over 350 pages). Get my Android app on Google Play and F*orget All Your Passwords.
Best passwords ever, so easy to remember and having characters
[0-9a-f]is definitely something no hacker would try, because base-16 is so uncommon within computers. Everyone knows that h4x0rZ use base-23. -
Cool, and exactly how one does remember that password? On a device, which may be unavailable at any time? Oh right, you can put it on the "cloud", and how do you protect the access to that account? Basically a slighlty altered and less reliable folded paper with passwords in the wallet.
DURA LEX, SED LEX GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
You know there is an app called "Google Authenticator". It is service-to-service connected with the service for which you are authenticating and generate a new, relatively short password every minute, so you don't need to remember anything. Short-term one-time passwords (OTP) seems like good idea, but don't prevent device theft.
