Security and Passwords

[Graham Smith]

Some food for thought...

Common "wisdom" says that you should have a complicated password that includes both upper and lower case letters as well as numbers and special characters and that it should be at least 8 characters long.

I was reading a report from a "black hat" group that may make this advise obsolete. Basically he said that passwords have just become something to keep casual attacks at bay. Computers have become so powerful and password cracking programs so sophisticated that nothing is safe anymore. There are free downloadable programs available today that make most passwords easy to crack.

When asked what could be done by the average person to prevent this, his answer was pretty blunt, "Nothing". He said that the only things that will stop these kind of attacks have got to be done on the host side. Companies have to beef up their web security and start to log and monitor each attempt. They have to institute things like flood control (no more than X attempts to login within a minute) and lock outs (lock the account after X number of failed login attempts).

Every web site that deals with money or personal information should be doing this now. Every financial institution should be doing this now as a bare minimum. Some web sites like Facebook already send you an email if there is an incorrect login to your account, should your bank be doing anything less? If they are, then it may be time to find a new bank.

Edited January 9, 2013 by Graham Smith

[Flatland Shooter]

My brokerage account requires a user id, password and a six digit security number that is generated on a key fob. The number is only valid for 30 seconds. Get all three correct and you are in. Miss it three times and you are locked out until you contact a representative that will verify your identity before resetting the account access.

I just wish others that I need to do business with were as diligent.

Bill

[Steve RA]

My bank does that, miss three log in attempts and you have to sign back up with a live person.

[lmccrock]

If you are talking about personal passwords, yours has to be "good enough". Make it hard, and they move on.

Personal story: I went to work some place temporarily and they gave me a laptop that had been used by a previous employee. Could not find the Windows password, so one of the lab guys used a Linux-based Windows-password cracking disk and read out the password. I forget, it was maybe 8 or 9 characters, took a couple minutes. Just for fun, I tried the same thing on a Windows box that I knew the password to, and it could not crack it, at least in a reasonable time. But that password is 14 characters long. That is hard to defend against, having access to the box and no time limit.

My present employer requires me to change passwords periodically so I keep a sticky note in my desk. I WILL forget if I have enough variety across the 'net to be safe AND I have to change it.

Mixing numbers and letters and case and symbols protects against dictionary attacks, where a list of names and words from a dictionary is used as the first choices in the attack.

Online? I get annoyed at sites that have strong password requirements for no reason. Banks, brokers, etc., ok, but not online forums and such.

[Got Juice?]

Even better is using an image as a password. Almost impossible to crack unless someone steals your USB Key.

Failing that I use a font called WEBDINGS. Most cracking programs are alpha-numeric logic based.... throw in a curve like an image or less recognizable way, and they cannot crack you.

[lmccrock]

I suppose the xkcd reference is obligatory: Password Strength

[Graham Smith]

If you are talking about personal passwords, yours has to be "good enough". Make it hard, and they move on.

That assumes a person is trying to get into your account. Problem is, there are now computer programs doing that and they don't get tired or frustrated.

[D.Hayden]

Hard to imagine an on-line financial system - that wouldn't block robo attempts - if they don't drop them asap

[Graham Smith]

Hard to imagine an on-line financial system - that wouldn't block robo attempts - if they don't drop them asap

Banks, yes. Merchants, not so much. Do you routinely do business with merchants that store your credit card info "for your convenience"? What about the security of other personal information about you?

[D.Hayden]

Hard to imagine an on-line financial system - that wouldn't block robo attempts - if they don't drop them asap

Banks, yes. Merchants, not so much. Do you routinely do business with merchants that store your credit card info "for your convenience"? What about the security of other personal information about you?

Yes, that's the bigger issue for me... a site hacked and many thousands of credit cards numbers stolen - it happens more than people know