According to the article linked below, people are utilizing weak passwords even in critical environments. What I do not understand is why the software permits such, as password strength, I presume, can easily be calculated and so the weak ones prohibited. Voila, problem solved. There must be a logical reason which eludes me; otherwise this obvious solution would be in place. I seek your kind and knowledgeable assistance - Cheerio
These systems are facing billions of attacks every month as hackers try to guess passwords | ZDNet
Because companies employ people who do not understand how to manage password security. So their applications get hacked.
It seems my question is not clear, so I will attempt to restate it here. I do not understand why people need to be involved in the management of password security, as it seems to me it can be automated. More specifically, when a person first enters a chosen password to create an account, the software can calculate its strength, as I know some sites do, and reject it if it is found to be weak, which I have never observed occur as I always utilize strong passwords - Cheerio
Yes, but the software to do it needs to be written by somebody.
4 out of 5 customers I worked with set a password for me, sent it to me and didn't allow me to change it. Said password was terribly weak; some were even <companyiworkedfor>Year!
Also, "T3rr1Bl3Fuçkf4c€" would be considered a strong password, while it's weaker than "Thesiegeandinvestitureofbaronvonfrankensteinatthecastleofweissiria".
GCS d--(d-) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
Ah, a Blue Oyster Cult fan I see. Love that album.
I've got a couple of FTP servers that used to get bombarded with dictionary attacks all the time. I took two steps to eliminate the vast majority of attacks:
0: IP Deny rules for China
1: A few fake accounts (Administrator, Administrador, Administrateur) with passwords such as admin, password, and 12345. These are read-only ftp accounts with a nice passwords.txt file with some choice words for the bastards.
IMHO, there should be much harsher penalties for any hackers/thieves who get caught... maybe start with removing a digit or two.
"Go forth into the source" - Neal Morse
"Hope is contagious"
kmoorevs wrote: 1: A few fake accounts (Administrator, Administrador, Administrateur) with passwords such as admin, password, and 12345. These are read-only ftp accounts with a nice passwords.txt file with some choice words for the bastards.
That is an ingenious idea. Why not make the downloadable files include a trojan virus?
You make the download files send just a few bytes every few seconds. Just make sure you have limits(1) on how many connections you allow to the fake accounts.
kmoorevs wrote: IMHO, there should be much harsher penalties for any hackers/theives who get caught...maybe start with removing a digit or two.
Nope - death is the only punishment that will work. Make sure it's by hanging and that there's a live stream of the courtyard.
I think removing the head from the shoulders would be a better solution.
ed
Passwords are a complex issue: the "stronger" a password, the more likely it is to be written down and kept near the computer - which renders it useless as a security measure to everyone who has physical access.
Conversely, "weak" passwords are more likely to be remembered, especially if the same one is used for all systems and thus aren't written anywhere.
Regular enforced changes actually make the situation worse!
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
No doubt you are correct, but it seems to me that by enforcing strong passwords the user is then forced to utilize a password manager. I thought the days of writing passwords on pieces of paper were over, as password managers solve the problem once and for all - Cheerio
Password managers raise their own set of problems: most - rightly - require a login of some form, and that password is also either going to be weak or ... written down.
And an insecure password guarding a whole bunch of strong passwords is a real nightmare!
Think of the password manager in Chrome: it stores all online passwords for you, but to find out what they were all you have to do is provide your Google password!
This is why Windows 10 doesn't want to use passwords any more, preferring a PIN, fingerprint, or face recognition, and why banks use OTP codes sent to your physical phone.
"I have no idea what I did, but I'm taking full credit for it." - ThisOldTony
"Common sense is so rare these days, it should be classified as a super power" - Random T-shirt
AntiTwitter: @DalekDave is now a follower!
For sites involving a real need for security, I just use quotations from different literary works ranging from the Bible to Chaucer, quotations with which I am very familiar. The catch is that there are always two quotations in each password, and always from different works. Then I just write down a key in the unlikely event that I should forget one, the key being the position of the two works on my bookshelves and some guide to the location within the book if it includes more than one work. An example of a key: 2,2,8,4;6,3,14. I don't even need to stand up to see the titles, which will automatically remind me of the quotations.
I keep the key list on my phone, so even if you nicked that, you would still have to burgle the house!
This is why I like the new MS-Edge. Microsoft scans the dark web for credential caches and reports to me when one of my userid/password combinations has been breached.
Chrome and Firefox do the same thing. Edge was late to that party.
"These people looked deep within my soul and assigned me a number based on the order in which I joined."
- Homer
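For anyone who would rather run the same leaked-credential check server-side at sign-up or login than rely on the browser, the usual mechanism is a k-anonymity range query against the Have I Been Pwned "Pwned Passwords" API: only the first five hex characters of SHA-1(password) leave the client, the server returns every suffix in that bucket, and the match happens locally. The following is an added example, not code from this thread or from any browser vendor; the sample range response is constructed (the counts are made up, though the first suffix is the real tail of SHA-1("password")), and only the live fetch function talks to the network.

```python
"""Added example (not from the thread): breached-password lookup with the
k-anonymity range scheme of the Have I Been Pwned Pwned Passwords API."""
import hashlib

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def breach_count(password, fetch_range):
    """Return how many times password appears in the corpus (0 = not found).

    fetch_range(prefix) must return the body of GET {HIBP_RANGE_URL}{prefix}:
    one 'SUFFIX:COUNT' line per suffix, upper-case hex. It is injected so the
    function can run offline against the constructed sample below."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]   # 5 hex chars sent, 35 kept local
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


# Constructed sample of one range response. The real 5BAA6 bucket holds
# hundreds of suffixes; the counts here are invented, but the first suffix is
# the genuine tail of SHA-1("password"), so the match path is exercised.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
0000A1B2C3D4E5F60718293A4B5C6D7E8F9:2
"""


def fetch_sample(prefix):
    """Offline stand-in for the HTTP call; it only knows the 5BAA6 bucket."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def fetch_live(prefix):
    """Real lookup over HTTPS. Add-Padding asks the service to pad the
    response with zero-count entries so bucket size is not an observable."""
    import urllib.request
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")
```

Call `breach_count(candidate, fetch_live)` at registration and reject (or at least warn) on any non-zero count; the password itself is never sent anywhere, which is what makes this acceptable to run on a login path.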
PaltryProgrammer wrote: why the software permits such as password strength
I believe the answer is ignorance (or absence) of the organizations' CSO. Today, it's trivial to enforce a sensible password policy that will reduce the risk of break-ins by guessing passwords. My company uses MFA to sign in to the VPN and a one-week-cached MFA scheme for all other access. Login passwords are required to be changed every 90 days and a strong (but not inconvenient) password policy is enforced.
It's not really that hard to put basic security in place.
/ravi
PaltryProgrammer wrote: password strength I presume can easily be calculated
Indeed:
If (length(password) < 128) print "Password is too short"
Correct Horse Battery Stable !!
Then you'd know the password of half the population
"qwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnmqwertyuiopasdfghjklzxcvbnm"
GCS d--(d-) s-/++ a C++++ U+++ P- L+@ E-- W++ N+ o+ K- w+++ O? M-- V? PS+ PE- Y+ PGP t+ 5? X R+++ tv-- b+(+++) DI+++ D++ G e++ h--- r+++ y+++* Weapons extension: ma- k++ F+2 X
Rage wrote: Correct Horse Battery Stable !!
This would pass the dictionary test, but "Correct Horse Battery Staple!!" wouldn't.
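A concrete version of the check the original poster asks for, covering the failure modes the replies above poke at: the length-only rule, the repeated keyboard row that satisfies it, the leet-spelled dictionary words that look strong, and the typo of a famous passphrase that passes a dictionary test while the real phrase does not. This is an added example, not code from the thread or from any product. The policy numbers, the per-word and per-walk bit costs, and the word and breach lists are constructed assumptions (a deployment would load a breach corpus and a full dictionary), and the scoring is a stripped-down version of the zxcvbn idea: price a dictionary word or a keyboard walk as one guess rather than as a run of random characters.

```python
"""Added example (not from the thread): a password-acceptance check.
Policy, assumed for illustration: 12..256 chars, not in a breach / known-
phrase list, no keyboard walks or repeated units, and >= 48 bits by a crude
zxcvbn-style estimate where a dictionary word or a walk costs one guess."""
import math
import unicodedata

# Constructed sample lists; a deployment loads a breach corpus and a full
# dictionary (tens of thousands of words) instead.
BREACHED = {"password", "12345", "123456", "admin", "qwerty", "letmein",
            "welcome", "correcthorsebatterystaple"}
WORDS = {"the", "and", "at", "of", "siege", "investiture", "baron", "von",
         "frankenstein", "castle", "terrible", "fuck", "face", "correct",
         "horse", "battery", "stable", "staple", "weissiria"}
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890",
             "abcdefghijklmnopqrstuvwxyz"]
WORD_BITS = 14.0  # assumption: ~16k-word attacker dictionary
WALK_BITS = 6.6   # assumption: ~5 sequences x 2 directions x ~10 offsets
LEET_CHARS = "01345$@7€£"
LEET = str.maketrans(LEET_CHARS, "oieassatel")
MIN_LEN, MAX_LEN, MIN_BITS, MIN_RUN = 12, 256, 48.0, 5

def normalize(pw):
    """Lowercase and strip accents (ç -> c); leet is undone separately."""
    folded = unicodedata.normalize("NFKD", pw.lower())
    return "".join(c for c in folded if not unicodedata.combining(c))

def compact(s):
    """Alphanumerics only, for matching against breach/phrase lists."""
    return "".join(c for c in s.lower() if c.isalnum())

def shortest_period(s):
    """Smallest u with s == u * k; s itself when nothing repeats."""
    p = (s + s).find(s, 1)
    return s[:p] if 0 < p < len(s) else s

def longest_walk(s, i):
    """Longest keyboard-row/alphabet/digit run (either direction) at s[i]."""
    best = 0
    for seq in SEQUENCES:
        for direction in (seq, seq[::-1]):
            j = i + MIN_RUN
            while j <= len(s) and s[i:j] in direction:
                best, j = j - i, j + 1
    return best

def tokenize(s):
    """Greedy split into ('word', w), ('walk', w) and ('char', c) tokens."""
    out, i = [], 0
    while i < len(s):
        word = next((s[i:j] for j in range(len(s), i, -1) if s[i:j] in WORDS), "")
        walk = longest_walk(s, i)
        kind, tok = (("walk", s[i:i + walk]) if walk > len(word) else
                     ("word", word) if word else ("char", s[i]))
        out.append((kind, tok))
        i += len(tok)
    return out

def score(s):
    """Guess-count estimate in bits for one normalized spelling."""
    if not s:
        return 0.0
    unit = shortest_period(s)
    bits = math.log2(len(s) // len(unit))  # repeating a unit only adds a count
    for kind, tok in tokenize(unit):
        bits += (WORD_BITS if kind == "word" else WALK_BITS if kind == "walk"
                 else math.log2(10 if tok.isdigit() else 26 if tok.isalpha() else 33))
    return bits

def weakest_form(pw):
    """(bits, spelling) for the cheaper of the raw and de-leeted forms."""
    norm = normalize(pw)
    best = (score(norm), norm)
    leet = norm.translate(LEET)
    if leet != norm:
        best = min(best, (score(leet) + 1, leet))  # de-leeting: one more rule
    mixed = 1 if pw != pw.lower() and pw != pw.upper() else 0  # capitalisation rule
    return round(best[0] + mixed, 1), best[1]

def check_password(pw):
    """Reasons to reject pw; an empty list means it is accepted."""
    reasons = []
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        reasons.append(f"length {len(pw)} outside {MIN_LEN}..{MAX_LEN}")
    bits, form = weakest_form(pw)
    if compact(pw) in BREACHED or compact(form) in BREACHED:
        reasons.append("appears in breach / known-phrase list")
    unit = shortest_period(form)
    if unit != form:
        reasons.append(f"repeats a {len(unit)}-char unit {len(form) // len(unit)} times")
    walks = [t for k, t in tokenize(unit) if k == "walk"]
    if walks:
        reasons.append("keyboard/alphabet walks: " + ", ".join(walks))
    if bits < MIN_BITS:
        reasons.append(f"estimated {bits} bits, policy needs {MIN_BITS:g}")
    return reasons
```

`check_password` returns the rejection reasons rather than a yes/no so the sign-up form can tell the user what to change. With the constructed lists above, the long Frankenstein passphrase is accepted at roughly 183 bits, "T3rr1Bl3Fuçkf4c€" is rejected at 44 bits once the leet is undone, "Correct Horse Battery Staple!!" is rejected by the known-phrase list while the "Stable" typo sails through, and the 130-character keyboard string scores about 22 bits even though a per-character count would put it above 120: walks and repetition are priced as single guesses, which is the whole point of not grading on length alone.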
Mine is "50BloodyBoiledCabbagesYouStupidIdiotGiveMeAccessNow!"
Anything that is unrelated to elephants is irrelephant Anonymous
- The problem with quotes on the internet is that you can never tell if they're genuine Winston Churchill, 1944
- Never argue with a fool. Onlookers may not be able to tell the difference. Mark Twain
PaltryProgrammer wrote: I seek your kind and knowledgeable assistance
With what, exactly? It's all opinions and conjectures at best.
"One man's wage rise is another man's price increase." - Harold Wilson
"Fireproof doesn't mean the fire will never come. It means when the fire comes that you will be able to withstand it." - Michael Simmons
"You can easily judge the character of a man by how he treats those who can do nothing for him." - James D. Miles
Hackers assume passwords are complex and don't try simple ones.
Make a simple password and you're safe.
Well, actually, it's more a matter of ensuring that hackers have to attempt both simple and complex passwords.