#1
Those idiot password changes
Hi w10 and w7,

I have been bitching about this for ages.

Time to rethink mandatory password changes
https://www.ftc.gov/news-events/blog...ssword-changes

If you pick a good solid password that is not hacked by the bad guys' first attempt at running tables at you, why change your password just to give him a second chance to find you in his tables? Changing your passwords constantly is not a good security feature.

Keep in mind though that picking an easy password is even worse. The best ones are run on phrases. Mine are up to 30 characters.

-T
#2
In message , T writes:
> Hi w10 and w7,
>
> I have been bitching about this for ages.
>
> Time to rethink mandatory password changes
> https://www.ftc.gov/news-events/blog...-rethink-mandatory-password-changes
>
> If you pick a good solid password that is not hacked by the bad guys' first attempt at running tables at you, why change your password just to give him a second chance to find you in his tables? Changing your passwords constantly is not a good security feature.

Agreed.

> Keep in mind though that picking an easy password is even worse. The best ones are run on phrases. Mine are up to 30 characters.

Well, best as a combination of security and chance that you'll remember them. Best for security alone are as near totally random as you can get, but they're going to be impossible to remember.

> -T

--
J. P. Gilliver. UMRA: 1960/1985 MB++G()AL-IS-Ch++(p)Ar@T+H+Sh0!:`)DNAf

....Every morning is the dawn of a new error...
#3
On 06/12/2018 05:45 PM, J. P. Gilliver (John) wrote:
> In message , T writes:
>> Hi w10 and w7,
>>
>> I have been bitching about this for ages.
>>
>> Time to rethink mandatory password changes
>> https://www.ftc.gov/news-events/blog...-rethink-mandatory-password-changes
>>
>> If you pick a good solid password that is not hacked by the bad guys' first attempt at running tables at you, why change your password just to give him a second chance to find you in his tables? Changing your passwords constantly is not a good security feature.
>
> Agreed.
>
>> Keep in mind though that picking an easy password is even worse. The best ones are run on phrases. Mine are up to 30 characters.
>
> Well, best as a combination of security and chance that you'll remember them. Best for security alone are as near totally random as you can get, but they're going to be impossible to remember.
>
>> -T

Make up something in Latin with lots of spaces in it.

Did you notice in the FTC article what users do when asked to change their password? They just add or change a number. I have one lady that just adds a dollar sign to the old password. She is up to five dollar signs now.

I have run tables at Windows passwords before. When I get this mandatory 90 change s***, I just shake my head.
#4
On 6/12/2018 5:34 PM, T wrote:
> Keep in mind though that picking an easy password is even worse. The best ones are run on phrases. Mine are up to 30 characters.

I was surprised to find that W10 allows me to pick a ONE character password on this tablet. Most all of my other devices/apps require at least eight characters.

So I picked "p" (for 'p' assword) on this W10 tablet. Sure makes it quick to get into. And easy to remember. And reasonably safe since whomever unlawfully comes into possession of this tablet would never think of trying anything that easy...
#5
On 06/12/2018 06:42 PM, wryutirjgkhmmfioertuyie wrote:
> On 6/12/2018 5:34 PM, T wrote:
>> Keep in mind though that picking an easy password is even worse. The best ones are run on phrases. Mine are up to 30 characters.
>
> I was surprised to find that W10 allows me to pick a ONE character password on this tablet. Most all of my other devices/apps require at least eight characters.
>
> So I picked "p" (for 'p' assword) on this W10 tablet. Sure makes it quick to get into. And easy to remember. And reasonably safe since whomever unlawfully comes into possession of this tablet would never think of trying anything that easy...

I had a guy tell me he uses "8" as his password as they would never guess something so simple. I told him how the rainbow tables worked and how he would be dead meat in a microsecond.

A lot of folks ask me to turn off their Windows passwords. I make sure there is nothing private on their computers first including ordering on line, then I oblige them.

Only use security where it is needed. Otherwise it is just obnoxious.
#6
wryutirjgkhmmfioertuyie wrote:
> On 6/12/2018 5:34 PM, T wrote:
>> Keep in mind though that picking an easy password is even worse. The best ones are run on phrases. Mine are up to 30 characters.
>
> I was surprised to find that W10 allows me to pick a ONE character password on this tablet. Most all of my other devices/apps require at least eight characters.
>
> So I picked "p" (for 'p' assword) on this W10 tablet. Sure makes it quick to get into. And easy to remember. And reasonably safe since whomever unlawfully comes into possession of this tablet would never think of trying anything that easy...

"would never think of trying"

Kali, rainbow tables, etc. This is what machines are for. They don't think. They just grind through the algorithmic possibilities.

What screws up cracking passwords, is having to add punctuation to the character set of the search. If you stick to an alphabetic password, I would expect it to be cracked in no time at all. If numbers and punctuation are included, that helps a lot. You either have to order some BluRay sized rainbow tables, or do it with a graphics card. A box full of high end graphics cards can also crack passwords fairly quickly. (Day or two). On my low end graphics card, it would probably take a few months for even a simple password.

There's a standard format for password dumping.

https://tools.kali.org/password-attacks/creddump

    root@kali:~# pwdump system sam
    Administrator:500:41aa818b512a8c0e72381e4c174e281b:1896d0a309184775f67c14d14b5c365a:::
                                   ^                                ^
                                   |                                |
    username:uid:LM-hash:NTLM-hash:comment:homedir:

The NTLM-hash is apparently the one you try to crack.

The idea is, you'd boot the tablet with a Kali USB stick and collect some info. The pwdump command would dump a table of all the accounts present. The above is the first account found.

Paul
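
An added example, not part of Paul's post or of the creddump tool: a small auditor that reads the `username:uid:LM-hash:NTLM-hash` layout shown above and reports accounts with a blank password, a stored LM hash, or an NT hash shared with another account. The first sample line is the one quoted in the post; the other three lines and the function names are constructed for illustration.

```python
from collections import defaultdict

# Well-known hashes of the empty string: no LM hash stored / blank password.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX = set("0123456789abcdef")

# First line is the one quoted in the post; the rest are constructed for this example.
SAMPLE = """\
Administrator:500:41aa818b512a8c0e72381e4c174e281b:1896d0a309184775f67c14d14b5c365a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:00112233445566778899aabbccddeeff:::
"""

def parse_pwdump(text):
    """Parse username:uid:LM-hash:NTLM-hash:... lines; skip anything malformed."""
    accounts = []
    for line in text.splitlines():
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 4 or not fields[1].isdigit():
            continue
        lm, nt = fields[2].lower(), fields[3].lower()
        if len(nt) != 32 or not set(nt) <= HEX:
            continue
        accounts.append({"user": fields[0], "uid": int(fields[1]), "lm": lm, "nt": nt})
    return accounts

def audit(accounts):
    """Flag blank passwords, stored LM hashes, and accounts sharing one password."""
    findings = {"blank_password": [], "lm_hash_stored": [], "shared_password": []}
    by_nt = defaultdict(list)
    for acct in accounts:
        if acct["nt"] == EMPTY_NT:
            findings["blank_password"].append(acct["user"])
            continue
        # A real 32-hex LM value means the weak legacy hash is still being stored.
        if len(acct["lm"]) == 32 and set(acct["lm"]) <= HEX and acct["lm"] != EMPTY_LM:
            findings["lm_hash_stored"].append(acct["user"])
        by_nt[acct["nt"]].append(acct["user"])
    # NT hashes are unsalted, so equal hashes mean equal passwords.
    findings["shared_password"] = [users for users in by_nt.values() if len(users) > 1]
    return findings

if __name__ == "__main__":
    for kind, hits in audit(parse_pwdump(SAMPLE)).items():
        print(kind, hits)
```

Because the NT hash carries no salt, the same password always produces the same value, which is also why precomputed tables work against it.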
#7
On 6/12/2018 5:34 PM, T wrote:
> Hi w10 and w7,
>
> I have been bitching about this for ages.
>
> Time to rethink mandatory password changes
> https://www.ftc.gov/news-events/blog...ssword-changes
>
> If you pick a good solid password that is not hacked by the bad guys' first attempt at running tables at you, why change your password just to give him a second chance to find you in his tables? Changing your passwords constantly is not a good security feature.
>
> Keep in mind though that picking an easy password is even worse. The best ones are run on phrases. Mine are up to 30 characters.
>
> -T

I get someone's PGP public key from a key server. It does not matter whose key. My passwords are then extracted from the plain-text representation of that key. Each password is extracted from a different part of the key.

Here are a few lines from a public PGP key. The actual key runs 20 lines; some are even longer.

    tCxNYXR0aGV3IFJpY2hhcmRzb24gPEplcnNleSwgQ2hhbm5lbCBJc2xhbmRzPokA
    lQIFEC6FPm4CsC8HBxL+vQEBl74D/2/ZkU9M6Doc69jFrig3jHFMlYNWIu7pWniV
    jtj2PwRgMT5O83IUoLy3kxmzEM5DELZ1fAEg+6DMxCDka3S8B7S769fcto/nTLaA
    kItWzjqPZKjg5AnXQEI6mRg8N30MNK5+ViT/VfRhgpyjSqxWhAehN4Q+PxX5MBF3
    xaGaXD5CtCxNYXR0aGV3IFJpY2hhcmRzb24gPG1hdHRoZXdAaXRjb25zdWx0LmNv

A possible extract from this would be
    5AnXQEI6mRg8N
which is from the fourth line, starting at the 13th character. This contains numerals, upper-case letters, and lower-case letters. I generally remove the + and /, but some Web sites want me to include special characters.

Obviously, I cannot remember any such password. I keep a plain-text file of all my passwords. That file is PGP encrypted, but then I only have to remember a single password to decrypt it. I use a strong file-erase application to erase a decrypted copy of the file.

--
David E. Ross
http://www.rossde.com/

First you say you do, and then you don't.
And then you say you will, but then won't.
You're undecided now, so what're you goin' to do?
From a 1950s song

That should be Donald Trump's theme song. He obviously does not understand "commitment", whether it is about policy or marriage.
#8
On 6/12/2018 7:01 PM, Paul wrote:
> wryutirjgkhmmfioertuyie wrote:
>> W10 allows me to pick a ONE character password on this tablet. So I picked "p". Sure makes it quick to get into. And reasonably safe since whomever unlawfully comes into possession of this tablet would never think of trying anything that easy...
>
> "would never think of trying"

My key words above are "reasonably safe".

> Kali, rainbow tables, etc. This is what machines are for. They don't think. They just grind through the algorithmic possibilities.

I'm not worried about the CIA or a hacker breaking my tablet's password. Since this tablet seldom leaves the house my greatest danger is losing it by burglary. And most burglars would not waste time trying to break my password. They would just reset and sell the tablet as quickly as possible.

> The idea is, you'd boot the tablet with a Kali USB stick and collect some info. The pwdump command would dump a table of all the accounts present.

And if my burglar did turn out to be a hacker he would need to be quick about it. I'd know the device was gone within a few hours and quickly change my app passwords. Further since I use 2-factor authentication he'd need my phone to use or change any passwords obtained.

So why make things difficult for me to open my tablet? Excessive security just wastes my time.

Actually my greatest threat would probably be a grandkid blindly punching the keyboard one at a time and hitting "p"... 8-O

BTW one annoying feature I find about my new Chromebook is that it REQUIRES a 6 digit pin or my full Google password (13 characters). And the Google password is required at least once a day. And there is no automatic locking so if I forget to push the lock key it stays unlocked. Now THAT IS a real security threat at my age...
#9
Good day Sir.

On 2018-06-12 20:34, T wrote:
> Hi w10 and w7,
>
> I have been bitching about this for ages.

Yup, same here; I just gave up a few years ago and do like everyone else, +1 every 3 months...

> Time to rethink mandatory password changes
> https://www.ftc.gov/news-events/blog...ssword-changes

You're a bit late, that article is from March 2016 ;-) This is more recent, and says the NIST guy apologizes for screwing-up 20 years ago:

http://www.alphr.com/security/100656...l-burr-apology

> If you pick a good solid password that is not hacked by the bad guys' first attempt at running tables at you, why change your password just to give him a second chance to find you in his tables? Changing your passwords constantly is not a good security feature.

The problem is you cannot keep remembering new good passwords every 90 days for 15 different apps, at some point it's too much.

> The best ones are run on phrases. Mine are up to 30 characters.

Unfortunately not all websites/etc accept 30 character passwords :-(

Regards,

--
! _\|/_ Sylvain /
! (o o) Memberavid-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society
oO-( )-Oo Windows-NT is the O/S of the future (and always will be.)
#10
On 06/12/2018 09:43 PM, B00ze wrote:
> http://www.alphr.com/security/100656...l-burr-apology

Thank you!

> The problem is you cannot keep remembering new good passwords every 90 days for 15 different apps, at some point it's too much.

Folks typically just add to the end of it:

    MirosoftSucks!1
    MirosoftSucks!11
    MirosoftSucks!111
    MirosoftSucks!1111

and on and on and so forth. That one is a really easy one to crack as it is quite common. I see a lot of expletives about gMail too.

>> The best ones are run on phrases. Mine are up to 30 characters.
>
> Unfortunately not all websites/etc accept 30 character passwords :-(

For those I keep 15 character scrambles in a very, very highly encrypted locked of my own doing. I copy and paste them. No way I can type them in correct!
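
An added example, not from any poster in the thread: a check a password-change form could run to reject the "+1 every 3 months" and extra-dollar-sign rotations described above. It assumes the form receives both the current and the new password in plaintext at change time, as change forms normally do; the function names and the two-edit threshold are illustrative.

```python
import re

# Trailing run of digits/symbols: the part users bump at each forced change.
_SUFFIX = re.compile(r"[\d\W_]+$")

def base_form(password):
    """Case-fold the password and strip its trailing digit/symbol run."""
    return _SUFFIX.sub("", password.casefold())

def edit_distance(a, b):
    """Levenshtein distance using two rows of the dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def rotation_verdict(old, new, max_edits=2):
    """Return why `new` is a trivial rotation of `old`, or None if it is not.

    Assumption: both values are the plaintext typed into the change form;
    nothing here requires storing old passwords in recoverable form.
    """
    if old == new:
        return "unchanged"
    base_old, base_new = base_form(old), base_form(new)
    if base_old and base_old == base_new:
        return "same base, only the trailing digits/symbols changed"
    if edit_distance(old.casefold(), new.casefold()) <= max_edits:
        return f"within {max_edits} edits of the old password"
    return None

if __name__ == "__main__":
    # Constructed change attempts, modelled on the patterns in the thread.
    attempts = [("MirosoftSucks!1", "MirosoftSucks!11"),
                ("Tablet$$$$", "Tablet$$$$$"),
                ("MirosoftSucks!1", "quiet lantern over seven hills")]
    for old, new in attempts:
        print(f"{old!r} -> {new!r}: {rotation_verdict(old, new) or 'accepted'}")
```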
#11
On Wed, 13 Jun 2018 03:40:28 +0100, 😉 Good Guy 😉 wrote:
> On 13/06/2018 01:34, T wrote:
>> Hi w10 and w7,
>
> You are a rogue trader and it's no surprise you don't like your victims using passwords. Frankly, you should be arrested for defrauding customers by providing bogus IT services.
>
> /--- This email has been checked for viruses by Windows Defender software.
> //https://www.microsoft.com/en-gb/windows/comprehensive-security/

I see you have enhanced the gratuitous nonsense at the end of your posts, but you are still a pest - go away.
#12
T wrote:
> Hi w10 and w7,
>
> I have been bitching about this for ages.
>
> Time to rethink mandatory password changes
> https://www.ftc.gov/news-events/blog...ssword-changes
>
> If you pick a good solid password that is not hacked by the bad guys' first attempt at running tables at you, why change your password just to give him a second chance to find you in his tables? Changing your passwords constantly is not a good security feature.
>
> Keep in mind though that picking an easy password is even worse. The best ones are run on phrases. Mine are up to 30 characters.

I'm surprised no-one has mentioned password managers. You only need to remember one (secure) password and all your passwords are available on all your devices. Safely, securely and under your own control. Simples!

I used keepassX for a while, but the browser integration was unusable. Now, I use enpass which works on pretty much any combination of OS and browser. I don't have to know any of my passwords and they're all just random strings. I wanted them all to be at least 30 characters long, but too many places restrict the maximum length, which is a massive red flag. Sigh.
#13
On 6/12/2018 9:42 PM, wryutirjgkhmmfioertuyie wrote:
> On 6/12/2018 5:34 PM, T wrote:
>> Keep in mind though that picking an easy password is even worse. The best ones are run on phrases. Mine are up to 30 characters.
>
> I was surprised to find that W10 allows me to pick a ONE character password on this tablet. Most all of my other devices/apps require at least eight characters.
>
> So I picked "p" (for 'p' assword) on this W10 tablet. Sure makes it quick to get into. And easy to remember. And reasonably safe since whomever unlawfully comes into possession of this tablet would never think of trying anything that easy...

Windows accepts a nul character for a password. Using a nul character, your system logs in and you do not need to enter a password.

I have three computers, and none have passwords. One never leaves the upstairs studio, and only my wife and I live in this house. While my laptop travels it is never left anywhere, and my tablet has nothing worth stealing.

--
2018: The year we learn to play the great game of Euchre
#14
On Tue, 12 Jun 2018 17:34:09 -0700, T wrote:
> Hi w10 and w7,
>
> I have been bitching about this for ages.
>
> Time to rethink mandatory password changes
> https://www.ftc.gov/news-events/blog...ssword-changes
>
> If you pick a good solid password that is not hacked by the bad guys' first attempt at running tables at you, why change your password just to give him a second chance to find you in his tables? Changing your passwords constantly is not a good security feature.
>
> Keep in mind though that picking an easy password is even worse. The best ones are run on phrases. Mine are up to 30 characters.

Run-on sentences are an excellent idea, I'll have to try that.
#15
"J. P. Gilliver (John)" on Wed, 13 Jun 2018
01:45:16 +0100 typed in alt.windows7.general the following:
>> Keep in mind though that picking an easy password is even worse. The best ones are run on phrases. Mine are up to 30 characters.
>
> Well, best as a combination of security and chance that you'll remember them. Best for security alone are as near totally random as you can get, but they're going to be impossible to remember.

I've heard it suggested that you keep an encrypted file on a thumb drive, and all you do is cut and paste that random phrase to the password field.

--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?