Password security

#2
C C
If most people are still employing the kind of meaningful passwords that TV characters (which are supposed to be hip on security) in crime and government agency shows use -- which their colleagues guess within a minute or two anytime they have to break into a protected file or account to rescue them... Then somebody using a mundane, brute password-cracker will probably move on from mine to easier game.

But OTOH... Even office workers using gibberish PWs with non-alphabet and non-numerical symbols in them will often write them on a sticky label or something that they affix to a monitor, coffee cup, picture frame, etc., so that they can remember the difficult-to-remember. These are then easily found by rivals from other departments, other companies / corporations, other government branches, or outright foreign spies just "visiting" for okayed, "legitimate" reasons.

I wasn't even trying to do something like that less than a decade ago when I was idly examining an innocuous doodad setting on the desk of a relative, and noticed what she had stuck underneath it. Should have warned her it wasn't safe enough, but she's the type who imagines all sorts of "consanguineal conspiracies" being plotted among even her immediate family members. So just telling her that I'd accidentally discovered where she kept it (and had no idea what the PW was specifically for) would have probably still triggered a firestorm of accusations (gradually developing later on if not right then and there).

On the positive side, though, maybe she had lots of fake PWs blatantly scattered / tape-stuck around there to dis-informationally frustrate any real, passing snoopers on that floor.
#3
stryder
Social Engineering is often used by hackers to attempt to work out a particular target's password. This is why a lot of concern was raised not just about the passwords themselves but about the security questions that are often applied to increase the complexity of identifying that you are the legitimate user.

When multiple companies use the same "What was your mother's maiden name?" question, they didn't take into consideration the nature of social networking sites and how families and friends can be a mergence of information that would otherwise have been unknown. A mother's maiden name is no longer viable as a security question, and where some companies have realised that and allowed people to make their own memorable questions and answers, others are still hardcoded to use that old information, making them a particularly weak point when it comes to cybersecurity.

Often it's shown that people (especially seniors) will use one common password for almost everything they do. This is a concern when you have such rigid companies that prove inflexible when dealing with cybersecurity, as if they have one data breach then that golden password will open all doors to all the other sites/companies/accounts that particular person uses.

Cybersecurity has always fallen upon the companies as individuals to protect the user, and again this too is a problem. Not all companies will adhere to the same level of scrutiny when it comes to protection; some might use open plaintext emails to address account problems from a website, which could reveal information that should otherwise have been encrypted, etc. Then there is the concern of how companies operate with their internal data handlers: nobody within a company should have access to more information than is necessary to do their job, however lax security is often commonplace just to allow "ease of use".

As for storing passwords near computers, it should be seen as a huge no-no. While some older people might have a very real concern that should one fateful day occur where something happens to them, they want their immediate family members to have access to their information/accounts etc., the method of leaving a password lying around isn't necessarily the best option. (It wouldn't take much for some confidence fraudster to claim they are checking the gas or electric just to find a password near a computer, or to plant a trojan by placing a dongle on their computer. Be wary of new wifi networks.)

If you want to keep a password for a fateful day, place it in a safe (you can get small safes nowadays that are reasonably cheap and small enough to be near a computer, even fixed to the desk). A password to the safe or a key could be placed in escrow either through a safety deposit box or even a law firm, if the concern is keeping your affairs in order. That way, should a person's family ever need access if something happens, then it's already taken care of and it isn't left to exploitation in the meantime.

Personally I use a password management program which can be used to auto-generate passwords based upon character criteria and length (better still if you can define what you want to salt your generated password with). I have one rememberable password to access the encrypted file, then my list of passwords and places to use them is available for use. All passwords are made as long as the password fields allow and use as many characters as are allowed (although all characters actually can be translated into their binary equivalent, making it just pure numerics).

Nobody would be able to guess my passwords; they aren't based upon anything in my life or any muses, they are just pure alphanumerics with capitalisation and special symbols thrown in for good measure. (The more the merrier in that sense: it increases the potential cryptology base, which increases any time taken to attempt to bruteforce. It would be referred to as being a "strong" password, not impenetrable, however time consuming enough for casual attackers to find a weaker target.)
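As an added illustration of the post above (not code from the forum or from any particular password manager), this shows what "auto-generate based upon character criteria and length" and "a bigger base means more brute-force time" look like in practice: a CSPRNG-driven generator that guarantees every requested character class appears, plus the entropy and expected-time arithmetic. The class names, symbol set and guess rate are constructed for the example.

```python
import math
import secrets
import string

# Constructed character classes a manager could be told to draw from.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",   # 28 symbols
}
ALL = ("lower", "upper", "digit", "symbol")


def generate_password(length, classes=ALL):
    """Draw `length` characters uniformly from the union of the chosen classes.

    Each requested class must appear at least once; a draw that misses one is
    rejected and redrawn, so the result stays uniform over the accepted set.
    `secrets` is the CSPRNG; never use `random` for this.
    """
    if length < len(classes):
        raise ValueError("length too short to include every class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw


def entropy_bits(length, classes=ALL):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def expected_years_to_crack(bits, guesses_per_second):
    """Expected time to hit the password: half the keyspace at the given rate.

    Assumes an offline attack on a fast unsalted hash; a slow, salted hash
    (bcrypt/scrypt/PBKDF2) lowers guesses_per_second by orders of magnitude.
    """
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)
```

With all four classes the alphabet has 90 characters, so a 20-character password carries about 130 bits; the same length from lowercase only carries about 94 bits.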
#4
cluelusshusbund
Im not sure how many characters gmail allows... but ive read that they only make use of the first 18 characters you enter... which coud be outdated info... even if it ever was true.!!!

Until recently... Fidelity Investments required you to use you'r SS number for you'r username... an only allowed 12 characters for a password which wasnt case sensetive... now they allow 15 for a username an 20 for a case sensetive password.!!!

Wit the password checker i posted a link to... it says my passwords woud take 10,000+ centuries to crack.!!!
#5
C C
Seems like my first encounters with required security questions / answers were still back in the days when they allowed -- or I felt they allowed (after testing such myself for a while) -- an unlimited number of continuous attempts at submitting the wrong answers for anything. So I used fake, nonsensical names for the applicable people, streets, cities, pets, etc. I could accept a human getting tired of trying after one hour of using a huge list of real places, names of people, etc. But in overly paranoid fashion I imagined some automatic answer-generator program persevering relentlessly for days (and making the attempts a lot faster).
#6
stryder
(Oct 24, 2014 06:25 AM)cluelusshusbund Wrote: Im not sure how many characters gmail allows... but ive read that they only make use of the first 18 characters you enter... which coud be outdated info... even if it ever was true.!!!

I'm not entirely sure about what Gmail has currently, however passwords tend to be "hashed" (one way cryptocypher) compared to a value that can be deciphered. The initial problem (mainly due to poor coding practices) was due to how many characters a database entry for the password string would permit. If it only allowed 18 characters then it would strip all other characters from the string.

While storing strings of characters was/is common place, it actually makes more sense to convert the password or hash into a long number.
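As an added example (not code from the forum, and not a description of how Gmail or any real site stores passwords), this contrasts the two schemes the post above describes: a legacy column that silently keeps only the first 18 characters of a plaintext password, and a salted one-way hash over the whole password whose stored size is fixed regardless of length. The 18-character width and the two sample passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Constructed legacy limit: the database column (and the code in front of it)
# keeps only this many characters of whatever the user typed.
LEGACY_FIELD_WIDTH = 18


def legacy_store(password):
    """Plaintext, truncated to the column width: the weak scheme in the post."""
    return password[:LEGACY_FIELD_WIDTH]


def legacy_verify(stored, candidate):
    """Only what survived truncation is compared, so longer passwords collide."""
    return hmac.compare_digest(stored.encode(), candidate[:LEGACY_FIELD_WIDTH].encode())


def hashed_store(password, iterations=600_000):
    """Salted one-way hash (PBKDF2-HMAC-SHA256) over the *whole* password.

    Only salt, iteration count and digest are kept; the digest is always
    32 bytes, so column width never depends on password length, and the
    per-user salt means equal passwords do not produce equal records.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def hashed_verify(record, candidate):
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(record["digest"], digest)


# Constructed samples: identical for the first 18 characters, different after.
PW_A = "correct-horse-battery-staple"
PW_B = "correct-horse-batt-different"


def truncation_collides():
    """True: the legacy scheme accepts PW_B as a login for an account set to PW_A."""
    return legacy_verify(legacy_store(PW_A), PW_B)


def hashing_collides():
    """False: every character feeds the hash, so the two are distinguished."""
    return hashed_verify(hashed_store(PW_A), PW_B)
```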
#7
cluelusshusbund
(Oct 24, 2014 04:46 AM)stryder Wrote: Personally I use a password management program which can be used to auto-generate passwords based upon character criteria and length (Better still if you can define what you want to salt your generated password with) I have one rememberable password to access the encrypted file, then my list of passwords and places to use them is available for use. All passwords are made as long as the password fields allow and use as many characters as are allowed (Although all characters actually can be translated into their binary equivalent, making it just pure numerics.)

Nobody would be able to guess my passwords, they aren't based upon anything in my life or any muses, they are just pure alphanumerics with capitalisation and special symbols thrown in for good measure. (The more the merrier in that sense increases the potential cryptology base which increases any time taken to attempt to bruteforce. It would be referred to as being a "Strong" password, not impenetrable however time consuming enough for casual attackers to find a weaker target.)

Good tips an thanks for the inspiration... i started usin a password management program a couple of days ago... an i have the managment site set to log off if my computer activity is idle for 10 minutes... or if i turn the computer off.!!!