|
Sounds great. When will you have it ready for my Blackberry and my PC (with no touch interface on the latter - can I draw the pattern with my mouse)?
- I would love to change the world, but they won’t give me the source code.
|
|
|
|
|
Forogar wrote: PC (with no touch interface on the latter - can I draw the pattern with my mouse)?
Yes, PC is available right now at: C'YaPass: Forget All Your Passwords | Get C'YaPass
You can draw with the mouse.
My laptop has a touch screen and it works that way too.
Blackberry, on the other hand... probably not going to happen.
|
|
|
|
|
It seems a good idea.
I am an iOS user, so I didn't give your app a try.
However, I think you should add the user name to the site key.
This would add some additional text to hash, and it would help if someone forgets it.
|
|
|
|
|
Thanks for checking it out.
I am waiting on my Apple dev account and then you'll be able to run it from any iOS (macOS, iPhone, iPad, etc) and I hope you'll try it.
You can make the site/key anything (any string of chars) you want it to be.
So you can make it:
bill@ymail.comV1
superHappy15@banksite5
12345
abcde
whateverHelpsYouRemember
I've kept it open so only you know your site/keys.
thanks again for checking it out and for commenting.
|
|
|
|
|
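The post above describes the site key as a free-form string (user name, version suffix, anything memorable) that is combined with the drawn pattern to produce a per-site password. The following is an added illustration of that kind of stateless derivation, written for this page; it is not C'YaPass code and the real app's pattern encoding and hashing steps are not stated here, so the grid-point encoding, the HMAC-SHA256 construction and the base64 truncation are all assumptions. What it does show is why a user name or a "V2" suffix in the site key is enough to get a different password without remembering anything new.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for a drawn pattern: grid cells visited in order.
# How the real app encodes a pattern is not stated on the page; this is an assumption.
PATTERN = [(0, 0), (1, 1), (2, 2), (2, 1), (1, 0)]


def pattern_secret(points):
    """Hash the drawn pattern into a fixed-size secret (hypothetical encoding).

    The order of the points matters: the same cells drawn in a different
    sequence must give a different secret.
    """
    encoded = ";".join(f"{x},{y}" for x, y in points).encode("ascii")
    return hashlib.sha256(encoded).digest()


def derive_password(secret, site_key, length=20):
    """Derive a site password from the pattern secret and a user-chosen site key.

    HMAC keeps the pattern secret as the key and the (non-secret) site key as
    the message. Any change to the site key, such as adding a user name or
    bumping a version suffix, changes the message and therefore the output,
    which is how a single password gets rotated without changing the pattern.
    """
    mac = hmac.new(secret, site_key.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")[:length]


def passwords_for(secret, site_keys):
    """Map each site key to its derived password."""
    return {key: derive_password(secret, key) for key in site_keys}


def all_distinct(passwords):
    """True when no two site keys collapsed onto the same password."""
    return len(set(passwords.values())) == len(passwords)


if __name__ == "__main__":
    secret = pattern_secret(PATTERN)
    keys = ["bill@ymail.comV1", "bill@ymail.comV2", "superHappy15@banksite5", "12345"]
    for key, pw in passwords_for(secret, keys).items():
        print(f"{key:24} -> {pw}")
```

Because the site key is not secret, everything rests on the pattern: a pattern drawn on a small grid has far fewer possibilities than the 256-bit digest suggests, so the site key should be treated as a convenience for rotation and memory, not as added secrecy.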
OK it makes sense.
Thank you for the feedback.
|
|
|
|
|
No security system is absolute. His password app is still vulnerable to actual theft but I have to say that it would protect you against the hordes of bot-nets working tirelessly to crack user accounts all across the net.
if (Object.DividedByZero == true) { Universe.Implode(); }
Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
|
|
|
|
|
Yes it is safe and botnets are now the most used method for bruteforcing. The problem is that the password itself may become unavailable to the user. With a username/password you only need a terminal, access to the service and the physical capability of inputting the credentials. With the app you need another gizmo which may be broken or elsewhere. Not everyone uses only a couple of devices of which he's the owner - when I'm in industrial plants and have to access my e-mail to download a package with the latest fix of the software (as in built from my phone call 30 minutes before) and the gizmo with the app isn't serviceable for whatever reason I'm elephanted.
DURA LEX, SED LEX
GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X
If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver
When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
|
|
|
|
|
I cannot refute that such an app is not ideal for all situations. When it comes to the internet, the average user has dozens if not hundreds of user accounts and they tend to use the same user name and password combination for all of them because it is simpler. People have trouble remembering a couple of passwords let alone hundreds. I can see the benefit of such an app for everyday things, such as logging into Code Project, Amazon, Netflix, etc. Now, in your instance, the app is more of a liability but the example is also an outlier. The real benefit might be in generating passwords for a site that stores personal data but you may only use once or twice a year such as TurboTax.
if (Object.DividedByZero == true) { Universe.Implode(); }
Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
|
|
|
|
|
Yes absolutely, in fact when I get an Android phone (years from now) I'll seriously think about that app as it looks very promising now that I understand it, precisely for this kind of service like taxes online and so on.
DURA LEX, SED LEX
GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X
If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver
When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
|
|
|
|
|
You know there is an app called "Google Authenticator". It is service-to-service connected with the service for which you are authenticating and generates a new, relatively short password every minute, so you don't need to remember anything. Short-term one-time passwords (OTP) seem like a good idea, but they don't prevent device theft.
|
|
|
|
|
When people use funny characters in their password my code doesn't work
string sql = "insert into users (username, password) values ('" + TextBox19.Text + "', '" + TextBox6.Text + "')";
How can I stop users using funny characters?
|
|
|
|
|
I think you may have just explained the problem.
There are only 10 types of people in the world, those who understand binary and those who don't.
|
|
|
|
|
I had a client insist I add password protection to an innocuous app in case somebody walked by and decided to access the data on an unattended machine.
I suggested they put a password on their Windows as they had other apps (including main accounting) and files without passwords, also mentioned it acts as a line of defense for external attacks - plus it was already built-in and even better free of charge.
He told me "that would be too hard for them to remember."
Duly added the password requirement as requested, and of course walking around the office during lunch lots of PCs sitting there, Windows [and often other apps] open, (and almost always the customary post-it note on the edge of the screen with the app password.)
Anyway, nice bit of extra work; why argue if they give me more money to support their own stupidity.
Sin tack ear lol
Pressing the "Any" key may be continuate
|
|
|
|
|
Lopatir wrote: He told me "that would be too hard for them to remember."
Believe it or not our company has been doing a lot of that stupid stuff lately. Making poor decisions just because they believe the end user is too stupid. It's driving me nuts.
There are only 10 types of people in the world, those who understand binary and those who don't.
|
|
|
|
|
Because they want you to read your password over the phone to one of their support drones, and "special" characters make that harder to do?
Because their code is vulnerable to SQLi, and they don't want you to enter a password of Robert'); DROP TABLE Students;-- ?
If you ask them, they'll probably tell you it's to increase the security of the site, and they'd lose their certification if they removed the restriction. (Don't bother asking what certification; they won't be able to tell you.)
That'll also be the reason why they don't let you paste your password from a password manager; why they restrict the password to a maximum of 8 characters; and why the password isn't case-sensitive.
Whatever the reason, it suggests they're not handling and storing your data properly, and you should probably avoid using that site. If you can't avoid it, make sure you use a unique password that you don't use on any other site, because it's almost certainly going to be stored in plain text. And if at all possible, avoid giving them any personal information, since it's going to end up on a "pastebin" dump before long.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
|
|
|
|
|
All my passwords are based on a special secret alphabet that I crafted in my voodoo laboratory. Just saying...
|
|
|
|
|
Just a few weeks ago a new password was rejected because it contained a - (hex 2D). Using an underscore was OK.
So, yes I noticed it (and thought WTF).
Maybe the passwords have to be piped between shell commands, then passed as shell command parameters, HTML/XML encoded and decoded, and finally passed to a SQL query. To avoid escaping all the processing-specific reserved characters using processing-specific escaping it is just simpler to disallow them.
|
|
|
|
|
You forgot the "signed in triplicate, sent in, sent back, queried, lost, found, subjected to public inquiry, lost again, and finally buried in soft peat for three months and recycled as firelighters" part. Sadly many sites are "managed" just like that.
DURA LEX, SED LEX
GCS d--- s-/++ a- C++++ U+++ P- L- E-- W++ N++ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t++ 5? X R++ tv-- b+ DI+++ D++ G e++>+++ h--- ++>+++ y+++* Weapons extension: ma- k++ F+2 X
If you think 'goto' is evil, try writing an Assembly program without JMP. -- TNCaver
When I was six, there were no ones and zeroes - only zeroes. And not all of them worked. -- Ravi Bhavnani
|
|
|
|
|
+1 for the HHGTTG reference.
- I would love to change the world, but they won’t give me the source code.
|
|
|
|
|
If their website cannot handle unicode passwords, they certainly deserve to have their computer nerd card revoked.
if (Object.DividedByZero == true) { Universe.Implode(); }
Meus ratio ex fortis machina. Simplicitatis de formae ac munus. -Foothill, 2016
|
|
|
|
|
It's easier to crack a$&12Gc# than to crack donalduckwasmyfavcharacterasakidinnewyork.
|
|
|
|
|
Nish Nishant wrote: It's easier to crack donalduckwasmyfavcharacterasakidinnewyork than to crack donalduckwasmyfavcharacterasakidinnewyork!.
FTFY
There are only 10 types of people in the world, those who understand binary and those who don't.
|
|
|
|
|
Yeah, but a day's difference won't affect something that'd take weeks or months of computational power.
|
|
|
|
|
In that case, "It's as easy to crack a$&12Gc# as abd12Gc4", so why prevent special characters?
There are only 10 types of people in the world, those who understand binary and those who don't.
|
|
|
|
|
I guess they are trying to encourage people to use passwords that are hard to crack but easy to remember, so they don't write it down on a piece of paper and stick it on their screens.
I am not siding with that idea, and would personally not enforce this rule at my work place. Just trying to guess what their thinking was.
|
|
|
|