; TOT; Piggin passwords

I rest my case. ;-)

Reply to
Dave Plowman (News)

Several banking sites do something like that - Santander for instance.

Whereas Lloyds offer three drop down boxes to choose a character from.

Although it is damned annoying when the problem is that CAPS LOCK is on.

It could halve the password space to give away that information, but OTOH the only person likely to do this is the owner of the password!

Reply to
Martin Brown

The surname/sortcode/account is used to identify *not* to authenticate.

The smartphone needs a fingerprint to unlock, the banking app (or pinsentry plus debit card) needs a pin before it generates the code, which is what authenticates.

Reply to
Andy Burns

And I don't understand why they do that, it's unnecessary; most people, if they know their password, also know the length, so why not use the whole screen for blank characters like you have on forms.

Yes, but I still think sitting at a computer (especially a public one) and mumbling your password while counting on your fingers is far less secure.

Reply to
whisky-dave

Well the O/P did say he's used "the same password for years", and I doubt he's alone in that, I was just explaining why it doesn't matter how unguessable he thinks the password is, as he can't be sure nobody else sees or stores it ...

TMH, I'll hold your coat!

Reply to
Andy Burns

Absolutely, I have a simple password 'algorithm' for all those shopping sites where all it's protecting is my name and address and order history. (I never allow them to save credit card details)

eBay password used to access PayPal as well until they split up, so mine is secure, as is my PayPal one. Well, I think they're secure, certainly much more difficult to guess/break than my standard one I use for sites I don't care about.

Reply to
cl

That is my main issue with stuff on the cloud. If someone has direct access to the 'cloud computer' then they're in an excellent position to brute force your password [manager].

I share my encrypted secure (passwords and other things) files directly between my laptop and my desktop machines. Whenever the laptop is at home the files are synchronised. Thus I have the encrypted files with me just about all of the time.

If I'm away without my laptop then I can ssh to my home desktop machine (two step process via another site, access not allowed directly to my home machine) and look at the encrypted files that way. I have an ssh client on my tablet and my phone.

Reply to
cl

Lastpass claim (and something they *sell* on, so could be challenged in court if needs be) is that the only communications to their cloud are of the already encrypted vault. Encrypted data at rest is probably as good as you are going to get. If you're not happy with that, you're probably going to struggle in modern life. Especially given the UK government's happiness to store goodness knows what there anyway.

Immaterial since my phone and PC have local copies of the vault.

Had a long discussion about password managers with my ISO at work recently. His view - like mine - is that *used correctly* they can achieve a good balance between security and convenience.

Drifting OT, but after Lastpass were bought out by LogMeIn last year, to *howls* of outrage, it was interesting to notice that no alternative system (to my knowledge) implemented a Lastpass import mechanism. I am thinking in particular of Keepass, which was heavily touted as the next best thing. No direct Lastpass -> Keepass import. Rather a series of online tutorials, which require a bit of reading.

Reply to
Jethro_uk

Which isn't stored anywhere.

So? Lastpass stores your vault encrypted in the cloud. Takes seconds to provision a new device with it. As long as you complete the 2FA challenge, of course.

See above

Trusting in memory is like trusting in hardware.

To be honest, all of this discussion is moot anyway. Almost by definition the self-selecting group posting here are well up the tree when it comes to online risks. The chances of any uk.d-i-y poster being the victim of a password-related fraud are far smaller than for the general population anyway.

Reply to
Jethro_uk

Paranoia all of it. The whole world can have access to anything of mine apart from bank stuff, .....and the pin-ups.

Reply to
stuart noble

You mean PayPal and Amazon amongst others. I'm not too bothered as they always ask for the 3 digit code, and sometimes I've had to re-enter my password, then I get a Visa check on some sites.

It's those companies that want the info over the phone that I don't like.

Reply to
whisky-dave

snipped-for-privacy@isbd.net scribbled

Ebay keep asking for permission to tie my account with PayPal. No way is that happening, Ebay have been hacked a couple of times already.

Reply to
Jonno

If the organisation can access the password in plaintext, they are best avoided anyway.

Reply to
Jethro_uk

Use a manager that will display your passwords in plain text, if asked. You can then retype them.

there is no real other way - if it were that easy we would already have done it.

You don't need to be an IT expert to answer the basic question: if someone or something at the other end of an insecure connection wants to know it's me at the other, how can they do it?

And that's before we even ask the question 'am I the same person today as I was yesterday'

Reply to
The Natural Philosopher

Much the best thing is to permanently disable caps-lock.

Reply to
Tim Streater

You have that problem too then? A bit like the joke the OP posted.

Reply to
Martin Brown

Scary the idea of passwords being held in the clear but that is why I have independent ones for every site. The low security ones for reading free newspapers and the like would not take too much guessing. Things that allow writing are a bit more secure and then there are a small number of really tough ones for banking and the like.

Choose your favourite song or poem and a generating rule and you can have very memorable passwords that are all but unguessable.

Depends on how many resources the attackers are willing to deploy. Salted hashes are about as good as it gets, but if the attacker knows the code used (or has grabbed that too) then all bets are off. That or spear phishing I presume is how Impact Team did Ashley Madison.


I recall my university mainframe originally had default PW=Userid until some enterprising individual grabbed the password hash file and the userid file and then used it to print a list of all default PW=Userid accounts and their resources to the system monitor console.

I taught my wife to use the same system as I use. Her works password even written down for a service engineer requires him to look at the piece of paper and the keyboard to enter it since unless you know the generating rule there is apparently neither rhyme nor reason to it.

They have a corporate policy of monthly password changes with no reuse (ever) which I think is ludicrous. Plenty of screens have Post-its on, and usually it is the senior managers that are the worst offenders.

Reply to
Martin Brown
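As an added illustration of the two points in the post above (salted hashes being "about as good as it gets", and the mainframe story of auditing for accounts whose password is still their userid), here is example code that is not from any poster in the thread. It uses Python's standard-library PBKDF2 with a per-account random salt, shows why an unsalted digest is weaker, and runs a defender-side audit over a constructed account table; the iteration count and the sample userids are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Work factor for PBKDF2-HMAC-SHA256. Assumption for the example: kept modest
# so it runs quickly; production deployments tune this much higher.
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """The weak scheme: two accounts with the same password get the same
    digest, so one precomputed table (or one cracked hash) covers them all."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn per account, so the
    same password stored twice yields two unrelated digests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def audit_default_passwords(accounts: Dict[str, Tuple[bytes, bytes]]) -> List[str]:
    """Defender-side audit: flag accounts whose password equals their userid.
    Because every record carries its own salt, the auditor has to run the
    full derivation once per account; there is no shortcut via a single
    precomputed table, which is exactly what the salt is for."""
    return [
        userid
        for userid, (salt, digest) in accounts.items()
        if verify_password(userid, salt, digest)
    ]


def build_sample_accounts() -> Dict[str, Tuple[bytes, bytes]]:
    """Constructed sample account table (made up for this example, not real
    data): two accounts still on the 'password equals userid' default."""
    return {
        "smithj": hash_password("smithj"),
        "jonesa": hash_password("correct horse battery staple"),
        "brownm": hash_password("brownm"),
    }


if __name__ == "__main__":
    table = build_sample_accounts()
    print("accounts still on default password:", audit_default_passwords(table))
```

The audit is the legitimate version of the mainframe anecdote: run by the system's own administrators against their own store, it finds the weak defaults so they can be reset, and the per-account salt means each check costs a full PBKDF2 derivation rather than one table lookup.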

Our son, who has a credit card dedicated only to online purchases, was cloned last week after only 3 months of a new card. As his computer security is professional grade, it could have only come from one of the online suppliers storing information or having poor security. The credit card company picked up the transaction for $250 instantly.

Reply to
Capitol

Suggests they weren't PCI-DSS compliant from the off ...

Reply to
Jethro_uk

When I was at Uni, I discovered - due to a policy ruling - that *all* lecturers had been assigned logins on the PDP-11 system. Given that 70% of lecturers would have had problems turning a terminal on, let alone using it, it meant that *also* discovering that lecturers had been allocated a default *blank* password meant 3 years of happy hacking.

The PDP was a smaller resource. The main computing hub was PR1ME computers. I subsequently discovered that (again) all lecturers had been created logins whether needed or not. The computing centre staff were a bit sharper with those. By default, lecturers' passwords were set to their surnames. Just for added lols, lecturers' accounts weren't deleted at the end of the year.

Given our PR1ME access was metered, it was useful to have other accounts to log in with. However it was not much work to work out how the metering system worked, and hack that to keep giving myself extra connect and CPU time.

Strangely, it wasn't anything computing related which caused a visit from the ministry ...

Reply to
Jethro_uk
