; TOT; Piggin passwords

I've used the same password for years, nobody has a hope in hell of ever guessing it. I can remember it.

Recently some sites insist on having numbers as well, so I've had to add one.

Now the bloody things want an upper case letter as well!

How the 'kinell does that make anything more secure?

Surely it's my choice, not some bell end running a web site?

This joke sums it up;

========================================================================
cabbage
Sorry, the password must be more than 8 characters.

boiled cabbage
Sorry, the password must contain 1 numerical character.

1 boiled cabbage
Sorry, the password cannot have blank spaces.

50frigginboiledcabbages
Sorry, the password must contain at least one upper case character.

50FRIGGINboiledcabbages
Sorry, the password cannot use more than one upper case character consecutively.

50FrigginBoiledCabbagesShovedDownYourThroat,IfYouDon'tGiveMeAccessImmediately
Sorry, the password cannot contain punctuation.

NowIAmGettingReallyP*ssedOff50FrigginBoiledCabbagesShovedDownYourThroatIfYouDontGiveMeAccessImmediately
Sorry, that password is already in use!
========================================================================
David Lang

David Lang scribbled

Apparently Tesco are expecting online shoppers to remember parts of their passwords, like the 1st, 4th, 5th and 8th letters/digits. Brilliant, the person who told me had to write out the password and pick out the digits they required. So much for security.

Jonno

It increases the number of possibilities so makes guessing it harder.

Plenty are too stupid to use sensible hard to guess passwords.

Blanco

I have so many passwords now that I can't remember that I have to write them down or put on a spreadsheet, not the best security.

ss

A decent password manager fixes that problem

That way you only have to remember the master password or use a fingerprint sensor etc for that.

Blanco

Barclays have used that for ages. A drop down menu. But perhaps they expect most people with a bank account can spell.

Dave Plowman (News)

Why not just use the same one for everything other than important things like bank and Paypal, etc.

Dave Plowman (News)

;-(

I had dealings with webmail where the ISP password rules were:

"Passwords must satisfy the following criteria to ensure they are as secure as possible:
Mixed case: Use a combination of uppercase and lowercase characters
Numbers: Use a mixture of numbers and letters
Special characters: Use at least one of the following special characters : "!$%^&*()-_=+}{#@':;.>,

T i m

Didn't they ask for a non-alphanumeric character as well?

Not trying hard enough.

Sam Plusnet

You could have a PGP encrypted text file with all your user names and passwords on your PC. WinPT is what I've been using for all encryption stuff and for creating encryption keys to use with e-mail etc. Especially useful if you are e-mailing sensitive data to someone that uses spymail like gmail etc.

0345.86.86.888

One of your competitors, who supplies me with calls on my landline, asks for my web passworm as one of their security questions when I call their helpdesk. I have written to their CEO pointing out the error of their ways. In the meantime, I have changed my passworm to neveraskforpassword in order to make a point if I am asked again.

Probably should have ROTted that ;-)

That's an idea ROTted passworms, does anyone do that?

Graham.

It's nice that most things allow the @ symbol now too which is an easy one to chuck into the middle of a password

0345.86.86.888

I end up with extremely rude vulgar passwords in the end because of this practice. It is self defeating because everyone is writing their passwords down and carrying them with them because it is becoming impossible to remember them.

F Murtz

It's not as bad as it sounds, since it's a way of keeping a list of adequately complex unique passwords.

We are very good at keeping hold of bits of paper on our person - we manage with purses / wallets etc.

All you need is some obfuscation to disguise the fact that what you have is a password list...

It could be Aunty Ethel's phone number is not all it seems. The thing that says Amazon Password, might actually be the Tesco one, written backwards and only every other character used etc. Basically think of some rule that's easy for you to use to sort the password out of the noise.

John Rumm

The danger is, that should it be compromised through no fault of your own, then the attacker is now able to access *all* of your online accounts. Having a unique password per site limits the damage greatly.

By making passwords harder to guess by brute force, or by dictionary attack.

A brute force attack will typically have an attacker (aided by a computer doing the donkey work) attempting to guess passwords.

If you are limiting your password to lower case letters only, then there are 26 possible values per character. Allow upper case and there are 52, with digits 62, and so on. When you scale up the number of legal combinations, a few extra allowable characters makes the number of unique passwords possible a vast number of orders of magnitude more difficult to guess.

A dictionary attack works well when an attacker has managed to lift a copy of the password database from an insecure web server etc. That may give them a big list of encrypted passwords. They may not be able to decrypt them directly, but they can throw a whole dictionary through the same encryption process and see which of the encrypted passwords they have generated match the stolen ones.

Much depends on how clueless the writer of the software was:


The problem is, that if you use a weak password, then it lets the bad guys into bits of web sites they might not otherwise get into - that in itself is not really much of a problem. More significantly though, it may let them into several accounts you own on different sites. Being able to get at several sites creates weaknesses that can be exploited by trading one off against another. For example:

John Rumm
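An added illustration of the point in the post above about stolen password databases (example code written for this page, not from any poster or site mentioned). It compares an unsalted fast hash with a per-user salted PBKDF2 record; the user names, wordlist and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os

# Constructed sample data: account names and passwords are invented.
USERS = {"alice": "cabbage", "bob": "cabbage", "carol": "50FrigginBoiledCabbages"}
WORDLIST = ["password", "cabbage", "letmein"]  # stand-in for a full dictionary
ITERATIONS = 100_000  # assumption: illustrative value only

def unsalted_record(password):
    # Weak scheme: one fast hash, no salt, so equal passwords give equal records.
    return hashlib.sha256(password.encode()).hexdigest()

def salted_record(password, salt=None):
    # Stronger scheme: random per-user salt plus a deliberately slow KDF.
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, record):
    # Login check for the salted scheme, using a constant-time comparison.
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

def accounts_matched_by_one_table(store):
    # The dictionary is hashed once and the result reused against every record.
    table = {unsalted_record(word) for word in WORDLIST}
    return sorted(user for user, rec in store.items() if rec in table)

def exposure():
    weak = {u: unsalted_record(p) for u, p in USERS.items()}
    strong = {u: salted_record(p) for u, p in USERS.items()}
    strong_hex = {u: rec[1].hex() for u, rec in strong.items()}
    return {
        "weak_matched": accounts_matched_by_one_table(weak),
        "strong_matched": accounts_matched_by_one_table(strong_hex),
        "weak_same_record": weak["alice"] == weak["bob"],
        "strong_same_record": strong["alice"] == strong["bob"],
        "login_still_works": verify("cabbage", strong["alice"]),
    }

if __name__ == "__main__":
    for key, value in exposure().items():
        print(key, value)
```

Salting removes the reuse of one precomputed pass across all accounts; it does not make a dictionary word a good password, since each salted record can still be tested one guess at a time.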

But we're not talking about making extra characters allowable. AFAIK in most cases it's "always" been possible for me to include digits, mixed case, and punctuation if I want.

What we're talking about is them disallowing some combinations of the same characters that have been available all along, and therefore *reducing* the number of legal combinations that have to be tested.

But actually things are rather more complicated than simply "guessing", with rainbow tables and the like.

Mike Barnes
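An added worked count for the two positions argued above (example code written for this page, not from either poster). It uses the 26/52/62 alphabet sizes from the thread and counts, by inclusion-exclusion, how many passwords remain legal once at least one lower case letter, one upper case letter and one digit are mandatory; the length of 8 is an assumption taken from the joke's minimum.

```python
from itertools import combinations

# Character classes as counted in the thread: lower case, upper case, digits.
CLASSES = {"lower": 26, "upper": 26, "digit": 10}

def keyspace(alphabet_size, length):
    # Every position is free to take any character of the alphabet.
    return alphabet_size ** length

def keyspace_with_required(classes, length, required):
    """Count strings over all classes that contain at least one character
    from every class in `required` (inclusion-exclusion over missing classes)."""
    total = sum(classes.values())
    count = 0
    for k in range(len(required) + 1):
        for missing in combinations(required, k):
            remaining = total - sum(classes[c] for c in missing)
            count += (-1) ** k * remaining ** length
    return count

def summary(length=8):
    lower_only = keyspace(26, length)
    free_62 = keyspace(62, length)
    forced_62 = keyspace_with_required(CLASSES, length, ["lower", "upper", "digit"])
    return {
        "lower_only": lower_only,
        "free_62": free_62,
        "forced_62": forced_62,
        # Growth from allowing the bigger alphabet at all.
        "gain_from_alphabet": free_62 / lower_only,
        # Share of the 62-character space that the mandatory rule leaves legal.
        "fraction_left_by_rule": forced_62 / free_62,
    }

if __name__ == "__main__":
    for key, value in summary().items():
        print(key, value)
```

For length 8 the mandatory rule leaves roughly 73% of the 62-character space legal, while moving from lower case only to the 62-character alphabet multiplies the space by about a thousand.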

Those would be so much easier, if they presented a "fill in the blanks" form rather than telling us the digit positions.

E.g. instead of presenting us with something like this, where ? represents an input field:

Enter the 1st, 4th, 5th and 8th characters: ? ? ? ?

they could present us with:

Enter the requested characters: ? - - ? ? - - ?

But that would require a level of user focus that seems to be lacking in the current generation of software designers.

Mike Barnes

Yes, but they are now forcing people to use the stuff that most of them wouldn't bother using.

No they aren't. Most never allowed all the odd special characters.

Nope.

Sure, but it does make sense for the more stupid to use more than just the letters in a particular case.

Blanco

Not for me they don't, I log on using my surname, sortcode and account number which are burnt into my brain having been the same for 30+ years, plus a one time code generated from my smartphone (or a PIN sentry device plus my debit card).

Andy Burns

Problem with doing that is that if one site gets hacked, it's not unknown for the email/password combination to then be tried elsewhere.

Chris Bartram
