4 out of 5 customers I worked with set a password for me, sent it to me and didn't allow me to change it. Said password was terribly weak; some were even <companyiworkedfor>Year!
Also "T3rr1Bl3Fuçkf4c€" would be considered a strong password, while it's weaker than "Thesiegeandinvestitureofbaronvonfrankensteinatthecastleofweissiria"
GCS d--(d-) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
Ah, a Blue Oyster Cult fan I see. Love that album.
I've got a couple of FTP servers that used to get bombarded with dictionary attacks all the time. I took two steps to eliminate the vast majority of attacks:
0: IP Deny rules for China
1: A few fake accounts (Administrator, Administrador, Administrateur) with passwords such as admin, password, and 12345. These are read-only ftp accounts with a nice passwords.txt file with some choice words for the bastards.
IMHO, there should be much harsher penalties for any hackers/thieves who get caught... maybe start with removing a digit or two.
"Go forth into the source" - Neal Morse
"Hope is contagious"
kmoorevs wrote: 1: A few fake accounts (Administrator, Administrador, Administrateur) with passwords such as admin, password, and 12345. These are read-only ftp accounts with a nice passwords.txt file with some choice words for the bastards.
That is an ingenious idea. Why not make the downloadable files include a trojan virus?
You make the download files send just a few bytes every few seconds. Just make sure you have limits(1) on how many connections you allow to the fake accounts.
kmoorevs wrote: IMHO, there should be much harsher penalties for any hackers/thieves who get caught... maybe start with removing a digit or two.
Nope - death is the only punishment that will work. Make sure it's by hanging and that there's a live stream of the courtyard.
I think removing the head from the shoulders would be a better solution.
ed
Passwords are a complex issue: the "stronger" a password, the more likely it is to be written down and kept near the computer - which renders it useless as a security measure to everyone who has physical access.
Conversely, "weak" passwords are more likely to be remembered, especially if the same one is used for all systems and thus aren't written anywhere.
Regular enforced changes actually make the situation worse!
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
No doubt you are correct, but it seems to me that by enforcing strong passwords the user is then forced to utilize a password manager. I thought the days of writing passwords on pieces of paper were over, as password managers solve the problem once and for all. - Cheerio
Password managers raise their own set of problems: most - rightly - require a login of some form, and that password is also either going to be weak or ... written down.
And an insecure password guarding a whole bunch of strong passwords is a real nightmare!
Think of the password manager in Chrome: it stores all online passwords for you, but to find out what they were all you have to do is provide your Google password!
This is why Windows 10 doesn't want to use passwords any more, preferring a PIN, fingerprint, or face recognition, and why banks use OTP codes sent to your physical phone.
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
For sites involving a real need for security, I just use quotations from different literary works ranging from the bible to Chaucer, quotations with which I am very familiar. The catch is there are always two quotations in each password, and always from different works. Then I just write down a key in the unlikely event that I should forget one, the key being the position of the two works on my bookshelves and some guide to location within the book if it includes more than one work. An example of a key: 2,2,8,4;6,3,14. I don't even need to stand up to see the titles, which will automatically remind me of the quotations.
I keep the key list on my phone, so even if you nicked that, you would still have to burgle the house!
This is why I like the new MS-Edge. Microsoft scans the dark web for credential caches and reports to me when one of my userid/password combinations has been breached.
Chrome and Firefox do the same thing. Edge was late to that party.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
PaltryProgrammer wrote: why the software permits such as password strength
I believe the answer is ignorance (or absence) of the organizations' CSO. Today, it's trivial to enforce a sensible password policy that will reduce the risk of break-ins by guessing passwords. My company uses MFA to sign in to the VPN and a one-week-cached MFA scheme for all other access. Login passwords are required to be changed every 90 days and a strong (but not inconvenient) password policy is enforced.
It's not really that hard to put basic security in place.
/ravi
PaltryProgrammer wrote: password strength I presume can easily be calculated
Indeed:
If (length(password)<128) print "Password is too short"
Correct Horse Battery Stable !!
Then you'd know the password of half the population
"qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm"
GCS d--(d-) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
Rage wrote: Correct Horse Battery Stable !!
This would pass the dictionary test, but "Correct Horse Battery Staple!!" wouldn't.
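The thread makes three separate checks a password policy needs: raw length beats character-class tricks (the long all-letter passphrase versus the short leet-speak one), a long keyboard walk like the repeated "qwertyuiop..." string is still a bad password, and a dictionary test has to catch famous phrases such as "Correct Horse Battery Staple" while leaving "Correct Horse Battery Stable" alone. The following is an added example, written for this page and not code posted by anyone in the thread; it uses a constructed, tiny common-password list in place of a real breach list, and the function names and the leet-substitution table are my own assumptions.

```python
import math
import re
import string

# Constructed, deliberately tiny stand-in for a common-password / breach list.
# A real deployment would load a published top-N list; these entries exist only
# so the example runs offline.
COMMON_PASSWORDS = {
    "password", "admin", "12345", "123456", "qwerty", "letmein",
    "correcthorsebatterystaple",  # the xkcd phrase itself is in every wordlist
}

# Physical keyboard rows, used to spot "walks" like qwertyuiopasdfghjkl...
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Assumed leet substitutions, undone before the dictionary lookup so that
# "P4ssw0rd" is recognised as "password".
LEET = str.maketrans("0134@$", "oieaas")


def dictionary_forms(password: str) -> set:
    """Lowercased, alphanumeric-only forms of the password, with and without leet undone."""
    lowered = password.lower()
    strip = lambda s: re.sub(r"[^a-z0-9]", "", s)
    return {strip(lowered), strip(lowered.translate(LEET))}


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force search would have to cover, judged from the characters present."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation or c == " " for c in password):
        size += 33
    if any(ord(c) > 127 for c in password):
        size += 100  # rough allowance for accented / symbol characters
    return size


def estimated_bits(password: str) -> float:
    """Naive brute-force estimate: length * log2(alphabet). Length dominates, which is
    why a long all-letter passphrase scores far above a short leet-speak string."""
    return len(password) * math.log2(charset_size(password)) if password else 0.0


def keyboard_walk_coverage(password: str) -> float:
    """Fraction of characters sitting in runs of 4+ adjacent keyboard-row keys (either direction)."""
    pw = password.lower()
    rows = KEYBOARD_ROWS + [r[::-1] for r in KEYBOARD_ROWS]
    covered, i = 0, 0
    while i < len(pw):
        best = 0
        for row in rows:
            n = 0
            # extend the run while the prefix pw[i:i+n+1] is still a substring of this row
            while i + n < len(pw) and pw[i:i + n + 1] in row:
                n += 1
            best = max(best, n)
        best = max(best, 1)  # a character on no row still advances by one
        if best >= 4:
            covered += best
        i += best
    return covered / len(pw) if pw else 0.0


def check_password(password: str, min_bits: float = 60.0):
    """Return (accepted, reasons). Length and alphabet alone are not enough: dictionary
    entries and keyboard walks are rejected whatever their entropy estimate says."""
    reasons = []
    if dictionary_forms(password) & COMMON_PASSWORDS:
        reasons.append("matches a common-password list entry")
    if keyboard_walk_coverage(password) >= 0.5:
        reasons.append("mostly keyboard walks")
    bits = estimated_bits(password)
    if bits < min_bits:
        reasons.append(f"estimated {bits:.0f} bits is below {min_bits:.0f}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ["Correct Horse Battery Stable !!", "Correct Horse Battery Staple!!",
               "P4ssw0rd!", "qwertyuiopasdfghjklzxcvbnm" * 5]:
        print(repr(pw[:40]), check_password(pw))
```

The entropy figure is only a brute-force ceiling; the dictionary and keyboard-walk checks are what stop the 130-character qwerty string, which scores several hundred bits on length alone, from being accepted.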
Mine is "50BloodyBoiledCabbagesYouStupidIdiotGiveMeAccessNow!"
- Anything that is unrelated to elephants is irrelephant - Anonymous
- The problem with quotes on the internet is that you can never tell if they're genuine - Winston Churchill, 1944
- Never argue with a fool. Onlookers may not be able to tell the difference. - Mark Twain
PaltryProgrammer wrote: I seek your kind and knowledgeable assistance
With what, exactly? It's all opinions and conjectures at best.
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
Hackers assume passwords are complex and don't try simple ones.
Make a simple password and you're safe.
Well, actually, it's more a matter of ensuring that hackers have to attempt both simple and complex passwords.
obligatory xkcd
Keep Calm and Carry On
I once worked for a customer who wanted an EDI service so their suppliers could fetch data from the service.
There was no GUI of any kind, so IT would create an account with a password and send it to their suppliers.
After about two years I found out the passwords they used were 00000001, 00000002, 00000003, etc.
The horror doesn't end there: they then saved the user name and password (which I hashed, and can't retrieve) into an Excel sheet so they could always send the password to the supplier in case they forgot.
I then automated password creation so they got a reasonably secure password and show it on screen only once after creating the account.
Regenerating a password is as easy as ticking the "new password" box.
Obviously, I got the question if I could simply show the old password, which I can't and flat-out refused.
They still save passwords in Excel.
We're talking about a professional IT department here, in a company with hundreds of employees and multiple branches in multiple countries.
To be fair, their suppliers barely even know how to start a computer, let alone open an application and enter credentials.
I've had to give their suppliers support on their own applications multiple times because "it didn't work", a couple of times because their password changed and they didn't know how to re-enter it, one time because they used a date filter.
On one occasion I simply called, stated my name and they just gave me their credentials so I could test them
To answer your question: it seems the average brain stores IQ in a bit, it's either off or 1
I announced a little fair (7)
I EYE
announced (sounds like)
a little SOME
fair
EYESOME
(Word of the day!)
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
Eye(I) actually worked that out but didn't think it was a word - well done
"I didn't mention the bats - he'd see them soon enough" - Hunter S Thompson - RIP