Those idiot password changes



 
 
  #1  
Old June 13th 18, 01:34 AM posted to alt.comp.os.windows-10,alt.windows7.general
T
external usenet poster
 
Posts: 4,600
Default Those idiot password changes

Hi w10 and w7,

I have been bitching about this for ages.

Time to rethink mandatory password changes

https://www.ftc.gov/news-events/blog...ssword-changes

If you pick a good solid password that is not hacked by the
bad guy's first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.

Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.

-T
  #2  
Old June 13th 18, 01:45 AM posted to alt.comp.os.windows-10,alt.windows7.general
J. P. Gilliver (John)[_4_]

In message , T writes:
Hi w10 and w7,

I have been bitching about this for ages.

Time to rethink mandatory password changes

https://www.ftc.gov/news-events/blog...-rethink-mandatory-password-changes

If you pick a good solid password that is not hacked by the
bad guys first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.


Agreed.

Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.


Well, best as a combination of security and chance that you'll remember
them. Best for security alone are as near totally random as you can get,
but they're going to be impossible to remember.

-T

--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

....Every morning is the dawn of a new error...
  #3  
Old June 13th 18, 01:59 AM posted to alt.comp.os.windows-10,alt.windows7.general
T

On 06/12/2018 05:45 PM, J. P. Gilliver (John) wrote:
In message , T writes:
Hi w10 and w7,

I have been bitching about this for ages.

Time to rethink mandatory password changes

https://www.ftc.gov/news-events/blog...-rethink-mandatory-password-changes

If you pick a good solid password that is not hacked by the
bad guys first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.


Agreed.

Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.


Well, best as a combination of security and chance that you'll remember
them. Best for security alone are as near totally random as you can get,
but they're going to be impossible to remember.

-T



Make up something in Latin with lots of spaces in it.

Did you notice in the ftc article what users do when asked
to change their password? They just add or change a number.
I have one lady that just adds a dollar sign to the old
password. She is up to five dollar signs now.

I have run tables at Windows passwords before. When
I get this mandatory 90 change s***, I just shake my head

  #4  
Old June 13th 18, 02:42 AM posted to alt.comp.os.windows-10,alt.windows7.general
wryutirjgkhmmfioertuyie

On 6/12/2018 5:34 PM, T wrote:

Keep in mind though that picking an easy password is even worse. The
best ones are run on phrases. Mine are up to 30 characters.


I was surprised to find that W10 allows me to pick a ONE character
password on this tablet. Most all of my other devices/apps require at
least eight characters. So I picked "p" (for 'p' assword) on this W10
tablet. Sure makes it quick to get into. And easy to remember. And
reasonably safe since whomever unlawfully comes into possession of this
tablet would never think of trying anything that easy...

  #5  
Old June 13th 18, 02:53 AM posted to alt.comp.os.windows-10,alt.windows7.general
T

On 06/12/2018 06:42 PM, wryutirjgkhmmfioertuyie wrote:
On 6/12/2018 5:34 PM, T wrote:

Keep in mind though that picking an easy password is even worse. The
best ones are run on phrases. Mine are up to 30 characters.


I was surprised to find that W10 allows me to pick a ONE character
password on this tablet. Most all of my other devices/apps require at
least eight characters. So I picked "p" (for 'p' assword) on this W10
tablet. Sure makes it quick to get into. And easy to remember. And
reasonably safe since whomever unlawfully comes into possession of this
tablet would never think of trying anything that easy...



I had a guy tell me he uses "8" as his password as they
would never guess something so simple. I told him how
the rainbow tables worked and how he would be dead meat
in a microsecond.

A lot of folks ask me to turn off their Windows passwords.
I make sure there is nothing private on their computers
first including ordering on line, then I oblige them.

Only use security where it is needed. Otherwise it is
just obnoxious.



  #6  
Old June 13th 18, 03:01 AM posted to alt.comp.os.windows-10,alt.windows7.general
Paul[_32_]

wryutirjgkhmmfioertuyie wrote:
On 6/12/2018 5:34 PM, T wrote:

Keep in mind though that picking an easy password is even worse. The
best ones are run on phrases. Mine are up to 30 characters.


I was surprised to find that W10 allows me to pick a ONE character
password on this tablet. Most all of my other devices/apps require at
least eight characters. So I picked "p" (for 'p' assword) on this W10
tablet. Sure makes it quick to get into. And easy to remember. And
reasonably safe since whomever unlawfully comes into possession of this
tablet would never think of trying anything that easy...


"would never think of trying"

Kali, rainbow tables, etc.

This is what machines are for. They don't think.
They just grind through the algorithmic possibilities.

What screws up cracking passwords, is
having to add punctuation to the character
set of the search. If you stick to an alphabetic
password, I would expect it to be cracked
in no time at all. If numbers and punctuation
are included, that helps a lot. You either have
to order some BluRay sized rainbow tables,
or do it with a graphics card. A box full of
high end graphics cards can also crack passwords
fairly quickly. (Day or two). On my low
end graphics card, it would probably take
a few months for even a simple password.

There's a standard format for password dumping.

https://tools.kali.org/password-attacks/creddump

root@kali:~# pwdump system sam
Administrator:500:41aa818b512a8c0e72381e4c174e281b:1896d0a309184775f67c14d14b5c365a:::
                  ^                                ^
                  |                                |
     username:uid:LM-hash                         :NTLM-hash:comment:homedir:

The NTLM-hash is apparently the one you try to crack.

The idea is, you'd boot the tablet with
a Kali USB stick and collect some info.
The pwdump command would dump a table of
all the accounts present. The above is the
first account found.

Paul
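The pwdump line format described in the post above can also be read defensively, to audit your own machine's accounts without cracking anything. This is an added example, not part of the original post or of creddump: the function names, the constructed sample rows after the first, and the handling of a "NO PASSWORD" filler field are assumptions.

```python
import re
from collections import defaultdict

# Hashes of the empty string: an account carrying EMPTY_NT has a blank password,
# and EMPTY_LM means no LM hash is stored for that account.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX32 = re.compile(r"[0-9a-f]{32}")

# Constructed sample: line 1 is the one quoted in the post, the rest are made up.
SAMPLE = """\
Administrator:500:41aa818b512a8c0e72381e4c174e281b:1896d0a309184775f67c14d14b5c365a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:NO PASSWORD*********************:0123456789abcdef0123456789abcdef:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:0123456789ABCDEF0123456789ABCDEF:::
"""

def _norm(field, empty):
    """Lower-case a hash field; map a 'NO PASSWORD***' filler (assumed) to the empty hash."""
    field = field.strip().lower()
    if field.startswith("no password"):
        return empty
    if not HEX32.fullmatch(field):
        raise ValueError(f"not a 32-digit hex hash: {field!r}")
    return field

def parse_pwdump(text):
    """Return (user, rid, lm, nt) tuples from username:uid:LM-hash:NTLM-hash:... lines."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) < 4:
            raise ValueError(f"too few fields: {line!r}")
        rows.append((parts[0], int(parts[1]),
                     _norm(parts[2], EMPTY_LM), _norm(parts[3], EMPTY_NT)))
    return rows

def audit(rows):
    """Flag blank passwords, stored LM hashes, and accounts sharing one NT hash."""
    findings, by_nt = [], defaultdict(list)
    for user, _rid, lm, nt in rows:
        if nt == EMPTY_NT:
            findings.append((user, "blank password"))
            continue
        if lm != EMPTY_LM:
            findings.append((user, "LM hash stored"))
        by_nt[nt].append(user)
    for users in by_nt.values():
        if len(users) > 1:  # NT hashes are unsalted: equal hash means equal password
            for u in users:
                others = ", ".join(x for x in users if x != u)
                findings.append((u, "password shared with " + others))
    return findings

if __name__ == "__main__":
    for user, issue in audit(parse_pwdump(SAMPLE)):
        print(f"{user}: {issue}")
```
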
  #7  
Old June 13th 18, 03:35 AM posted to alt.comp.os.windows-10,alt.windows7.general
David E. Ross[_2_]

On 6/12/2018 5:34 PM, T wrote:
Hi w10 and w7,

I have been bitching about this for ages.

Time to rethink mandatory password changes

https://www.ftc.gov/news-events/blog...ssword-changes

If you pick a good solid password that is not hacked by the
bad guys first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.

Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.

-T


I get someone's PGP public key from a key server. It does not matter
whose key. My passwords are then extracted from the plain-text
representation of that key. Each password is extracted from a different
part of the key.

Here are a few lines from a public PGP key. The actual key runs 20
lines; some are even longer.
tCxNYXR0aGV3IFJpY2hhcmRzb24gPEplcnNleSwgQ2hhbm5lbCBJc2xhbmRzPokA
lQIFEC6FPm4CsC8HBxL+vQEBl74D/2/ZkU9M6Doc69jFrig3jHFMlYNWIu7pWniV
jtj2PwRgMT5O83IUoLy3kxmzEM5DELZ1fAEg+6DMxCDka3S8B7S769fcto/nTLaA
kItWzjqPZKjg5AnXQEI6mRg8N30MNK5+ViT/VfRhgpyjSqxWhAehN4Q+PxX5MBF3
xaGaXD5CtCxNYXR0aGV3IFJpY2hhcmRzb24gPG1hdHRoZXdAaXRjb25zdWx0LmNv

A possible extract from this would be
5AnXQEI6mRg8N
which is from the fourth line, starting at the 13th character. This
contains numerals, upper-case letters, and lower-case letters. I
generally remove the + and /, but some Web sites want me to include
special characters.

Obviously, I cannot remember any such a password. I keep a plain-text
file of all my passwords. That file is PGP encrypted, but then I only
have to remember a single password to decrypt it. I use a strong
file-erase application to erase a decrypted copy of the file.

--
David E. Ross
http://www.rossde.com/

First you say you do, and then you don't.
And then you say you will, but then won't.
You're undecided now, so what're you goin' to do?
From a 1950s song
That should be Donald Trump's theme song. He obviously
does not understand "commitment", whether it is about
policy or marriage.
  #8  
Old June 13th 18, 05:32 AM posted to alt.comp.os.windows-10,alt.windows7.general
wryutirjgkhmmfioertuyie

On 6/12/2018 7:01 PM, Paul wrote:
wryutirjgkhmmfioertuyie wrote:


W10 allows me to pick a ONE character password on this tablet. So I
picked "p". Sure makes it quick to get into. And reasonably safe
since whomever unlawfully comes into possession of this
tablet would never think of trying anything that easy...


"would never think of trying"


My key words above are "reasonably safe".

Kali, rainbow tables, etc. This is what machines are for. They don't
think. They just grind through the algorithmic possibilities.


I'm not worried about the CIA or a hacker breaking my tablet's password.
Since this tablet seldom leaves the house my greatest danger is losing
it by burglary. And most burglars would not waste time trying to break
my password. They would just reset and sell the tablet as quickly as
possible.

The idea is, you'd boot the tablet with a Kali USB stick and collect
some info. The pwdump command would dump a table of all the accounts
present.


And if my burglar did turn out to be a hacker he would need to be quick
about it. I'd know the device was gone within a few hours and quickly
change my app passwords. Further since I use 2-factor authentication
he'd need my phone to use or change any passwords obtained.

So why make things difficult for me to open my tablet? Excessive
security just wastes my time.

Actually my greatest threat would probably be a grandkid blindly
punching the keyboard one at a time and hitting "p"... 8-O

BTW one annoying feature I find about my new Chromebook is that it
REQUIRES a 6 digit pin or my full Google password (13 characters). And
the Google password is required at least once a day. And there is no
automatic locking so if I forget to push the lock key it stays unlocked.
Now THAT IS a real security threat at my age...

  #9  
Old June 13th 18, 05:43 AM posted to alt.comp.os.windows-10,alt.windows7.general
B00ze

Good day Sir.

On 2018-06-12 20:34, T wrote:

Hi w10 and w7,

I have been bitching about this for ages.


Yup, same here; I just gave up a few years ago and do like everyone
else, +1 every 3 months...

Time to rethink mandatory password changes
https://www.ftc.gov/news-events/blog...ssword-changes


You're a bit late, that article is from March 2016 ;-)

This is more recent, and says the NIST guy apologizes for screwing-up 20
years ago:

http://www.alphr.com/security/100656...l-burr-apology

If you pick a good solid password that is not hacked by the
bad guys first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.


The problem is you cannot keep remembering new good passwords every 90
days for 15 different apps, at some point it's too much.

The best ones are run on phrases. Mine are up to 30 characters.


Unfortunately not all websites/etc accept 30 character passwords :-(

Regards,

--
! _\|/_ Sylvain /
! (o o) Member:David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society
oO-( )-Oo Windows-NT is the O/S of the future (and always will be.)

  #10  
Old June 13th 18, 06:02 AM posted to alt.comp.os.windows-10,alt.windows7.general
T

On 06/12/2018 09:43 PM, B00ze wrote:


http://www.alphr.com/security/100656...l-burr-apology


Thank you!

The problem is you cannot keep remembering new good passwords every 90
days for 15 different apps, at some point it's too much.


Folks typically just add to the end of it:

MirosoftSucks!1
MirosoftSucks!11
MirosoftSucks!111
MirosoftSucks!1111

and on and on and so forth,

That one is a really easy one to crack as it is quite common.
I see a lot of expletives about gMail too.

The best ones are run on phrases. Mine are up to 30 characters.


Unfortunately not all websites/etc accept 30 character passwords :-(


For those I keep 15 character scrambles in a very, very highly
encrypted locked of my own doing. I copy and paste them. No
way I can type them in correct!
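The habit described in this thread (a counter, a dollar sign or another "1" appended at each forced change) can be detected at change time, when the user has just typed both the old and the new password. This is an added example, not code from any poster: the function names, the `min_edits` threshold and the sample passwords other than the ones quoted above are assumptions.

```python
import re

def _core(pw):
    """Drop leading/trailing digits and punctuation and fold case,
    leaving the base word(s) that users tend to keep between changes."""
    return re.sub(r"^[\W\d_]+|[\W\d_]+$", "", pw).casefold()

def edit_distance(a, b):
    """Levenshtein distance, computed with a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def rotation_verdict(old, new, min_edits=4):
    """Classify a password change as 'unchanged', 'same base',
    'too similar' or 'ok'. Both values are held in memory only for
    the duration of the change request; nothing here is stored."""
    if new == old:
        return "unchanged"
    base = _core(old)
    if base and _core(new) == base:
        return "same base"      # e.g. only the trailing counter moved
    if edit_distance(old, new) < min_edits:
        return "too similar"    # a few characters swapped somewhere
    return "ok"

if __name__ == "__main__":
    # Constructed change attempts, the first taken from the post above.
    for old, new in [("MirosoftSucks!1", "MirosoftSucks!11"),
                     ("hunter$", "hunter$$$$$"),
                     ("Summer2018", "Summer2019"),
                     ("correct horse battery", "correct horse batterz"),
                     ("MirosoftSucks!1", "quiet lamp under seventeen owls")]:
        print(f"{old!r} -> {new!r}: {rotation_verdict(old, new)}")
```
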
  #11  
Old June 13th 18, 01:08 PM posted to alt.comp.os.windows-10,alt.windows7.general
dave

On Wed, 13 Jun 2018 03:40:28 +0100, 😉 Good Guy 😉 wrote:

On 13/06/2018 01:34, T wrote:
Hi w10 and w7,



You are a rogue trader and it's no surprise you don't like your victims
using passwords. Frankly, you should be arrested for defrauding
customers by providing bogus IT services.

/--- This email has been checked for viruses by
Windows Defender software.
//https://www.microsoft.com/en-gb/windows/comprehensive-security/

I see you have enhanced the gratuitous nonsense at the end of your posts,
but you are still a pest - go away.
  #12  
Old June 13th 18, 01:09 PM posted to alt.comp.os.windows-10,alt.windows7.general
Chris

T wrote:
Hi w10 and w7,

I have been bitching about this for ages.

Time to rethink mandatory password changes

https://www.ftc.gov/news-events/blog...ssword-changes

If you pick a good solid password that is not hacked by the
bad guys first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.

Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.


I'm surprised no-one has mentioned password managers. You only need to
remember one (secure) password and all your passwords are available on all
your devices. Safely, securely and under your own control. Simples!

I used keepassX for a while, but the browser integration was unusable. Now,
I use enpass which works on pretty much any combination of OS and browser.

I don't have to know any of my passwords and they're all just random
strings. I wanted them all to be at least 30 characters long, but too many
places restrict the maximum length, which is a massive red flag. Sigh.


  #13  
Old June 13th 18, 01:46 PM posted to alt.comp.os.windows-10,alt.windows7.general
Keith Nuttle

On 6/12/2018 9:42 PM, wryutirjgkhmmfioertuyie wrote:
On 6/12/2018 5:34 PM, T wrote:

Keep in mind though that picking an easy password is even worse. The
best ones are run on phrases. Mine are up to 30 characters.


I was surprised to find that W10 allows me to pick a ONE character
password on this tablet. Most all of my other devices/apps require at
least eight characters. So I picked "p" (for 'p' assword) on this W10
tablet. Sure makes it quick to get into. And easy to remember. And
reasonably safe since whomever unlawfully comes into possession of this
tablet would never think of trying anything that easy...

Windows accepts a nul character for a password. Using a nul character,
your system logs in and you do not need to enter a password.

I have three computers, and none have passwords. One never leaves the
upstairs studio, and only my wife and I live in this house.

While my laptop travels it is never left anywhere, and my tablet has
nothing worth stealing.

--
2018: The year we learn to play the great game of Euchre
  #14  
Old June 13th 18, 02:32 PM posted to alt.comp.os.windows-10,alt.windows7.general
SilverSlimer

On Tue, 12 Jun 2018 17:34:09 -0700, T wrote:

Hi w10 and w7,

I have been bitching about this for ages.

Time to rethink mandatory password changes

https://www.ftc.gov/news-events/blog...ssword-changes

If you pick a good solid password that is not hacked by the
bad guys first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.

Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.


Run-on sentences are an excellent idea, I'll have to try that.
  #15  
Old June 13th 18, 04:36 PM posted to alt.comp.os.windows-10,alt.windows7.general
pyotr filipivich

"J. P. Gilliver (John)" on Wed, 13 Jun 2018
01:45:16 +0100 typed in alt.windows7.general the following:

Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.


Well, best as a combination of security and chance that you'll remember
them. Best for security alone are as near totally random as you can get,
but they're going to be impossible to remember.


I've heard it suggested that you keep an encrypted file on a thumb
drive, and all you do is cut and paste that random phrase to the
password field.
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
 




All times are GMT +1.