What's going on with internet passwords? Why can't organizations make some standard sensible rules?

Last Updated: Feb 26th, 2020 8:50 am
[OP]
Deal Addict
Jun 19, 2007
1028 posts
1179 upvotes
Halifax

Pardon this since it's a bit of a rant, but why can't organizations get together and make some sort of common, sensible, standardized rules for passwords that actually increase security? Or dare I even say the gov't should legislate something.

I just had to reset 2 accounts in 2 days for both aeroplan and PC optimum, which you could argue are two very low risk accounts to be compromised. The culprit in each was that they required 10 character + passwords, and I rarely log into either, and I think of the 20 or so accounts I have, there are only 2 or 3 that require ones that long, so it always blind sides me. I refuse to write them down or use a password manager, since essentially now you've just put all your eggs in one basket.

My TD bank on the other hand up until a year ago was a 5 letter word, with a year attached, fueled by high school naivete from 20 years ago that "oh I'm sure no one's going to bother to hack little old me".

What's going on here? Some say you *have* to have special characters, others forbid it. Why the hell can't everyone get on the same page? The thing is too, that by forcing people to include special characters, it really doesn't make it much more secure. You increase the pool of guesses from 26 (letters) to 52 (letters/caps) to 62 (letters/caps/numbers) to 95 (letters/caps/numbers/special); it doesn't really change much. Before going on, it might be fun to guess that by increasing the pool from 26 (just lower case letters) to 95 (everything), which almost quadruples it, how much shorter does that allow your password to be for a given level of security?

Humans are horrible at exponential math, and while going from 62 to 95 by including special characters may appear to complicate the password immensely, mostly because it includes characters that we use on a relatively rare basis, computers have no such prejudice. They just see it as a base62 problem vs a base95 problem.

The best tool is simply length, as the grain of rice on the chess board doubling after each square ending with you having more rice than exists in the world demonstrates.

Truly, a 20 digit numbers only password, is about as secure as a 10 digit that includes all 95 letters/ascii characters, but infinitely less complicated. This also equates to a length of 14 for letters only, 12 for letters/caps, and 11 for letters/caps/nums. So by including all those special characters, and even numbers and caps, it allows your password to be *1 to 4* characters shorter, based on a 10 character password.

[attached images: CMKb_QvUAAAZ2vH.png, password_strength.png]

I guess it's just example number 8000 about where the appearance of complexity and security trumps actual sensible measures.
21 replies
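The OP's equivalence table, checked numerically. This is an added example, not part of the original post; it uses the OP's four character pools plus digits, and rounds to the nearest whole character because the OP's claim is "about as secure", not exactly equal.

```python
import math

# Character pools as the OP lists them, plus digits for the
# "20 digit numbers only" comparison.
POOLS = {"digits": 10, "lower": 26, "mixed": 52, "alnum": 62, "ascii": 95}


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of `length`
    characters drawn from a pool of `pool_size` symbols: log2(pool^len)."""
    return length * math.log2(pool_size)


def equivalent_length(pool_size: int, target_bits: float) -> int:
    """Length needed in this pool to reach roughly `target_bits`,
    rounded to the nearest whole character."""
    return round(target_bits / math.log2(pool_size))


def equivalents_of(length: int, pool_name: str = "ascii") -> dict:
    """For a password of `length` chars from `pool_name`, the length that
    gives about the same entropy in every other pool."""
    target = entropy_bits(POOLS[pool_name], length)
    return {name: equivalent_length(size, target) for name, size in POOLS.items()}


def shortening_factor(small_pool: int, big_pool: int) -> float:
    """How much shorter a password from `big_pool` can be than one from
    `small_pool` at equal entropy (the OP's 26 -> 95 question)."""
    return math.log2(small_pool) / math.log2(big_pool)


if __name__ == "__main__":
    for name, n in equivalents_of(10).items():
        bits = entropy_bits(POOLS[name], n)
        print(f"{name:>6}: {n:2d} chars = {bits:5.1f} bits")
    # Nearly quadrupling the pool only lets the password be ~28% shorter.
    print(f"26 -> 95 lets you shorten by factor {shortening_factor(26, 95):.2f}")
```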
Deal Guru
Dec 5, 2006
13419 posts
8779 upvotes
Markham
The question you should ask is why you need Enter password at all. Why other technology can't be used to protect
Deal Addict
Jul 13, 2014
4954 posts
2580 upvotes
Parry Sound
I didn't read your post but I'm assuming all your problems would be solved with a password manager and the password generator that comes with it.
This message has not been approved by The Office of The Mayor of Toronto.
Deal Guru
Dec 5, 2006
13419 posts
8779 upvotes
Markham
MayorOfToronto wrote: I didn't read your post but I'm assuming all your problems would be solved with a password manager and the password generator that comes with it.
That's why you should read OP's post :)
Deal Addict
Jul 13, 2014
4954 posts
2580 upvotes
Parry Sound
smartie wrote: That's why you should read OP's post :)
So, I read it... and I was right. Lol.


seadog83 wrote: Truly, a 20 digit numbers only password, is about as secure as a 10 digit that includes all 95 letters/ascii characters, but infinitely less complicated. This also equates to a length of 14 for letters only, 12 for letters/caps, and 11 for letters/caps/nums. So by including all those special characters, and even numbers and caps, it allows your password to be *1 to 4* characters shorter, based on a 10 character password.
Also, this is completely wrong.
This message has not been approved by The Office of The Mayor of Toronto.
Sr. Member
Feb 18, 2019
569 posts
790 upvotes
You are correct, technically length is the main determining factor when it comes to number of possible combinations, and technically a 10 digit password using only lower case letters has more potential combinations than a 7 digit password using every possible letter, symbol and number on the keyboard.

I believe what you are not taking into account though is: human beings. If you ask a human to enter a password of at least 5 characters, maybe they will select their cat's name "tiger". If you ask that same human to put in a password of at least 10 characters, they might just put "tigertiger", or "tiger12345". This is what my mother did forever when sites prompted her to make a more complex password; she just used (as I'm guessing many do) some easy to remember elongated version of the password she already had. So while technically a 10 digit password is 11881376 times harder to crack than a 5 digit password, using the same 5 characters twice in a row, or some easy to remember variation of those 5 characters, is not nearly as complicated to crack, as password crackers are programmed to look at common combinations / variations vs random characters / digits.

By forcing people to use at least 1 special character, 1 capital letter, 1 number, etc., you force people like my mother to move from "tiger" to "Tiger1234$" or something like that, which is exponentially harder for a password cracker / hacker to guess than "tigertiger" or "tiger12345".
Member
Jun 11, 2015
488 posts
520 upvotes
Vancouver, BC
Confusing and arbitrary password rules are a feature, not a bug.

In general, passwords aren't cracked by a hacker running a supercomputer and trying all combinations. They lock your account after 3 tries, after all.

Accounts get hacked because:

A) people use the same password for CIBC and a pokemon forum. The pokemon forum is hacked and the hacker uses the credentials to get into CIBC.

or

B) people use "password" as their password.

or

C) people succumb to phishing attacks.

Forcing people to comply with bizarre rules prevents password reuse and easy passwords, which are the two of the biggest weaknesses.

Using a different 5 letter word + number for every password is far, far better than using Ts95cP&MdVWblmI$exsdmf&!0baQL5KYxJV&kBD$aDRJsp for all of your passwords.
Deal Addict
Jul 13, 2014
4954 posts
2580 upvotes
Parry Sound
TWELVES wrote: Confusing and arbitrary password rules are a feature, not a bug.

In general, passwords aren't cracked by a hacker running a supercomputer and trying all combinations. They lock your account after 3 tries, after all.

Accounts get hacked because:

A) people use the same password for CIBC and a pokemon forum. The pokemon forum is hacked and the hacker uses the credentials to get into CIBC.

or

B) people use "password" as their password.

or

C) people succumb to phishing attacks.

Forcing people to comply with bizarre rules prevents password reuse and easy passwords, which are the two of the biggest weaknesses.

Using a different 5 letter word + number for every password is far, far better than using Ts95cP&MdVWblmI$exsdmf&!0baQL5KYxJV&kBD$aDRJsp for all of your passwords.
D) service provider had terrible security practices and got hacked by an outsider or by an employee who leaked the password database, giving a true cracker unlimited time and resources to crack it.

Also, you're completely wrong about your word+number thing. Those are some of the easiest passwords to crack.
http://password-checker.online-domain-tools.com/ You can test it out for yourself.

Using a long password with random characters (numbers, upper/lowercase letters, symbols) is the best option. Something a password manager can provide and store for you.
Or combine symbols and numbers with a long passphrase.

And always use 2FA/MFA when available.
This message has not been approved by The Office of The Mayor of Toronto.
Member
Nov 26, 2012
431 posts
471 upvotes
Toronto
The point of having different passwords is so that if one account is compromised, the other ones are not. Standardized password rules encourage people to use the same password for everything, which is literally the wrong thing to do. Companies come up with different rules so that you shouldn't be able to have the same password for your BMO account and your TD account. Thus if one is compromised, that company isn't also liable for your other one being compromised. It's not to help you, it's to help them :)

Personally think password length and complexity doesn't matter as most hacks are done from the company side (e.g. phishing employees, backdoors, etc). You could have the most complicated password but if there's an entire list of every customer log in, what does that matter? For the customer, I think 2FA is more important as you will be notified anytime there is a log-in attempt.
Deal Fanatic
Jan 21, 2018
7831 posts
8518 upvotes
Vancouver
What are you, some kind of communist? :)

Diversity is a strength in the world of security. I'm sure if everyone used the same system, it would have to be a lowest common denominator to get everyone to agree on it, and it would then be compromised soon enough with widespread effect. The way things are now, the predators can cull the weak from the herd (4-digit PIN security), and the rest survive to improve the species.
Deal Expert
Jan 9, 2011
15811 posts
21544 upvotes
Vancouver
seadog83 wrote: I refuse to write them down or use a password manager, since essentially now you've just put all your eggs in one basket.
Use a password manager. If you're relying on nothing more than your memory right now, your eggs are still all in one basket.
Deal Guru
Dec 5, 2006
13419 posts
8779 upvotes
Markham
Kiraly wrote: Use a password manager. If you're relying on nothing more than your memory right now, your eggs are still all in one basket.
Good point!
Deal Fanatic
Jan 6, 2002
6449 posts
6987 upvotes
Toronto
niche54 nails it. The point of password systems is:

1. Your password should not match any of the top N million passwords used in the real world.
2. Your password should not match any password you personally have used anywhere else
3. Your password must be taken from a very large base of entropy
4. The particular system you are dealing with, may impose namespace restrictions on the glyphs usable in a password

Password managers are a solution to this. Yes your eggs are in "one basket" but, like public vs private keys (if technical, think of how TLS sessions are managed) you can use a very secure but annoying "lock" on your password management to then securely manage/exchange the weaker, shorter term or individually weak "site passwords".

In particular it's very easy for a single password management product to meet 1-2-3.

And for password managers, the server side "DB" of your account info is able to be much more protected and (if properly designed -- and most are) impossible for your access data to be readable "server side" from the cloud or the password manager provider.

As others have mentioned, the concepts of passwords as an authentication method are a bit dated, but a password manager is an abstraction layer that helps mitigate that at a single point of control.
Si Tacuisses, Philosophus Mansisses
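A checker that applies the four rules listed above, and that also catches the "tigertiger" / "tiger12345" / "Tiger1234$" elongations the Feb 18 post describes by reducing a candidate to its base word before the common-password lookup. This is an added example, not code from the original thread; the common-password list, the user's previous-password hashes and the allowed glyph set are all constructed stand-ins.

```python
import hashlib
import math
import re

# Constructed stand-in for "the top N million real-world passwords" (rule 1).
COMMON_PASSWORDS = {"password", "123456", "tiger", "qwerty", "letmein"}


def _h(pw: str) -> str:
    return hashlib.sha256(pw.encode()).hexdigest()


# Constructed: hashes of passwords this user already set elsewhere (rule 2),
# kept hashed so the checker never holds old passwords in clear.
PREVIOUSLY_USED = {_h("Summer2019"), _h("tiger12345")}

# Rule 4: the glyph namespace this site accepts (assumed: printable ASCII).
ALLOWED = {chr(c) for c in range(32, 127)}


def base_word(pw: str) -> str:
    """Undo the usual elongations: case, trailing digits/symbols, doubling.
    tiger12345 -> tiger, Tiger1234$ -> tiger, tigertiger -> tiger."""
    w = re.sub(r"[\d\W_]+$", "", pw.lower())
    half = len(w) // 2
    if half and len(w) % 2 == 0 and w[:half] == w[half:]:
        w = w[:half]
    return w


def estimated_bits(pw: str) -> float:
    """Crude upper bound on entropy (rule 3): length * log2(pool of the
    character classes actually present)."""
    pool = 0
    pool += 26 if re.search(r"[a-z]", pw) else 0
    pool += 26 if re.search(r"[A-Z]", pw) else 0
    pool += 10 if re.search(r"\d", pw) else 0
    pool += 33 if re.search(r"[^a-zA-Z0-9]", pw) else 0
    return len(pw) * math.log2(pool) if pool else 0.0


def check_password(pw: str, min_bits: float = 60.0) -> list:
    """Return the violated rules; an empty list means the password is accepted."""
    problems = []
    if pw.lower() in COMMON_PASSWORDS or base_word(pw) in COMMON_PASSWORDS:
        problems.append("rule 1: matches or elongates a common password")
    if _h(pw) in PREVIOUSLY_USED:
        problems.append("rule 2: reused from another account")
    if estimated_bits(pw) < min_bits:
        problems.append("rule 3: too little entropy")
    if not set(pw) <= ALLOWED:
        problems.append("rule 4: contains characters this site does not accept")
    return problems
```

Note that "Tiger1234$" passes the entropy estimate yet is still rejected under rule 1, which is the point the Feb 18 post makes about human elongation.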
Deal Fanatic
Jan 6, 2002
6449 posts
6987 upvotes
Toronto
BTW there are still major financial institutions in Canada whose real world password entropy limit is only 10**6. There's no uniformity since in some cases you are dealing with 40+ yo technology (or data models) in your auth chain.
Si Tacuisses, Philosophus Mansisses
Member
Jun 11, 2015
488 posts
520 upvotes
Vancouver, BC
MayorOfToronto wrote: D) service provider had terrible security practices and got hacked by an outsider or by an employee who leaked the password database, giving a true cracker unlimited time and resources to crack it.

Also, you're completely wrong about your word+number thing. Those are some of the easiest passwords to crack.
http://password-checker.online-domain-tools.com/ You can test it out for yourself.

Using a long password with random characters (numbers, upper/lowercase letters, symbols) is the best option. Something a password manager can provide and store for you.
Or combine symbols and numbers with a long passphrase.

And always use 2FA/MFA when available.
My point was that password reuse is much more worrying than password strength (beyond a certain point, with word+number being beyond that point). Using the same long, strong password for every site is bad practice. I'm completely right on that, e.g. https://enterprise.verizon.com/resource ... 7_dbir.pdf.

Point D is certainly possible. But if the hacker has "unlimited time and resources" your password length doesn't matter. It's possible that you end up in the goldilocks scenario of bad enough not to allow the hack, good enough to not have plaintext passwords, bad enough not to notice the hack, and bad enough not to salt the passwords. But more likely it will be password reuse, phishing, etc. Moreover, if the database is hacked it becomes the company's responsibility not your responsibility (unless you reused passwords).
Last edited by TWELVES on Feb 21st, 2020 8:33 pm, edited 1 time in total.
Deal Fanatic
Jan 6, 2002
6449 posts
6987 upvotes
Toronto
TWELVES wrote: Point D is certainly possible. But if the hacker has "unlimited time and resources" your password length doesn't matter. Moreover, if the database is hacked it becomes the company's responsibility not your responsibility (unless you reused passwords).
Correct. Unless you specifically are very very special, your risk tolerance really doesn't need to worry about someone brute forcing the entire password space to find your hash.

If your password isn't in the standard rainbow tables, and you don't reuse the passwords from account to account, you are pretty much safe even if *in theory* your own personal password pattern has low entropy (like word + number).

But it's not absolute safety, it's just a risk thing. If someone wants to target YOU specifically, you're probably forked either way. If you are paranoid, there are services/tools that can tell you if a particular password you use has ever been hacked/leaked, anywhere ever (obviously only includes user dumps that have been "publicly" distributed.)
Si Tacuisses, Philosophus Mansisses
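The "not salting" failure mode TWELVES mentions and the "standard rainbow tables" point above, shown side by side: an unsalted hash from a leaked database is answered by one precomputed table, while a per-user salt plus a slow KDF forces a fresh pass over the guess list for every single user. Added example, not code from the thread; the guess list is a constructed stand-in and PBKDF2-HMAC-SHA256 is used only because it is in the Python standard library.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed stand-in for the common-password corpus behind a precomputed table.
COMMON = ["password", "123456", "tiger", "tiger12345", "Summer2019"]
ROUNDS = 100_000  # KDF work factor; real deployments tune this to ~100 ms


def precomputed_table(words) -> dict:
    """Unsalted SHA-256 hex -> password. Built once, reusable against every site."""
    return {hashlib.sha256(w.encode()).hexdigest(): w for w in words}


def store_unsalted(pw: str) -> str:
    """The weak scheme: same password, same hash, for every user everywhere."""
    return hashlib.sha256(pw.encode()).hexdigest()


def store_salted(pw: str, salt: Optional[bytes] = None) -> tuple:
    """Per-user random salt plus a slow KDF; returns (salt, hash)."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, ROUNDS)


def verify_salted(pw: str, salt: bytes, stored: bytes) -> bool:
    """Constant-time comparison of a login attempt against the stored hash."""
    return hmac.compare_digest(store_salted(pw, salt)[1], stored)


def lookup_unsalted(stored: str, table: dict) -> Optional[str]:
    """Leaked unsalted hash: one dictionary lookup recovers the password."""
    return table.get(stored)


def guesses_needed(salt: bytes, stored: bytes, words) -> Optional[int]:
    """Leaked salted hash: the table is useless; count the KDF evaluations an
    offline guess over `words` costs for this one user (None if not found)."""
    for i, w in enumerate(words, start=1):
        if hmac.compare_digest(store_salted(w, salt)[1], stored):
            return i
    return None
```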
[OP]
Deal Addict
Jun 19, 2007
1028 posts
1179 upvotes
Halifax
Kiraly wrote: Use a password manager. If you're relying on nothing more than your memory right now, your eggs are still all in one basket.
Well not really. Yours may be different, but my memory isn't an all or nothing game. At least for me, it's possible to remember some things, particularly things I use almost every day like the English language or my banking password, but not others that I use incredibly rarely, such as the Indonesian language or my aeroplan password.

And fair enough point about the "human" side of it. Even the German Enigma codes weren't broken so much by technical flaws in the cryptographic method, as much as the fact that the sequence of information in the messages didn't change (i.e. starting with weather each day), which hugely reduces potential starting points. In "Surely You're Joking, Mr. Feynman" the esteemed physicist goes on to describe how he broke into a colleague's filing cabinet containing nuclear secrets because he used a combination lock that was the natural log e.

Now, that's all well enough about the human side of it, but it's simultaneously amusing since the problem is people use stupid passwords. Yet their solution isn't to get people to use smart passwords, but to make longer stupid ones.
Deal Addict
Nov 8, 2017
1556 posts
887 upvotes
The INTERNET can be a scary and overwhelming experience for a new user

Perhaps you can find an INTERNET guide to help you through the ways of the INTERNET
Deal Addict
Aug 19, 2018
1960 posts
2501 upvotes
seadog83 wrote: Well not really. Yours may be different, but my memory isn't an all or nothing game. At least for me, it's possible to remember some things, particularly things I use almost every day like the English language or my banking password, but not others that I use incredibly rarely, such as the Indonesian language or my aeroplan password.

That means your password has a pattern. Which means your important password is more* likely to be cracked if someone else got a hold of your list of unimportant and less secure passwords.

*more doesn't mean easy, it just means it has a higher percentage. I doubt anyone can take advantage of that until AI really takes off .
seadog83 wrote: Now, that's all well enough about the human side of it, but it's simultaneously amusing since the problem is people use stupid passwords. Yet their solution isn't to get people to use smart passwords, but to make longer stupid ones.
That is just it though. How do you make people make smarter passwords? That is still an unsolved problem at this point. It is not surprising that companies haven't come up with one when nobody has an idea.

Password manager and randomly generated password remain the most secure one step password. Making it two steps is still the best approach this industry has so far.

Also, I'm surprised you were wondering why companies didn't come together to make a standard. Standard among the industry is actually an exception. Not the rule. It is incredibly difficult to get most people together to follow one rule.
[OP]
Deal Addict
Jun 19, 2007
1028 posts
1179 upvotes
Halifax
User455957 wrote: The INTERNET can be a scary and overwhelming experience for a new user

Perhaps you can find an INTERNET guide to help you through the ways of the INTERNET
I'm not sure what YOU'RE getting at? Why DID you capitalize INTERNET so many times? If you think the internet is scary, why not make your own THREAD with your questions? I'm just honestly not sure WHAT you're trying to SAY....
