Jump to content
Fancy running a forum? Sheffield Forum is for sale! Learn more

Password Security

Recommended Posts

https://xkcd.com/936/

 

Also, Barclays have an advert on TV, recommending people use strings of 3 words, as passwords. Wondering how secure this is?

Share this post


Link to post
Share on other sites

I can see a lot of people phoning up to unlock their account. Most people have problems remember one password!

 

A set of three words is much more secure but in most cases, not so practical. Fairly sure my bitcoin account has 12 recovery words and 2FA for standard use. My bank randomly uses 2FA for online purchases.

Share this post


Link to post
Share on other sites
Posted (edited)

Try and make it as unmemorable as possible - write it down and hide it in some obscure place - just don't forget the obscure place!

 

Use a mixture of upper and lower case and special characters - if special characters are not allowed then I would be questioning the security of the service!

 

Or use a free generator: https://passwordsgenerator.net/

😅

Edited by swarfendor437

Share this post


Link to post
Share on other sites
Posted (edited)

You don't need special characters for a secure password. It's about entropy and how long it will take to crack. If you make sure you mix in upper/lowercase and numbers in those 3 words it's much better. One of my passwords has 112 bit entropy without a single special character for example. Better to have a longer password. You sometimes find bugs, like amazon would allow any length passwords but was only storing the first 8 characters. There should be no real limit on a password field.

 

It's amazing how many people still use password or their username as their password.

 

Use a password manager or do what a friend does and never remembers any, just requests a reset every time :D 

 

While writing down passwords may sound insecure, if the person who finds it has no context about it then there's nothing wrong with it.

Edited by probedb

Share this post


Link to post
Share on other sites
4 hours ago, probedb said:

It's amazing how many people still use password or their username as their password.

 

So true, The times I've seen "password" and "12345" as peoples login password to some very secure information.

 

When I took over as admin at the last place, it was set to change every 30 days, no previous 5 passwords allowed and must contain at least 8 characters - upper and lower case and numbers etc. Odd, a lot of people wouldn't speak to me for a while!  I do like the 4 digit PIN option on Windows and macOS, it is linked to a password and if a PIN is OK for my bank card, It's OK on my home PC. 

Share this post


Link to post
Share on other sites

I’m wondering, with the 3 word passwords; what about a dictionary attack?

 

<number-of-words-in-common-use> cubed combination?

 

Of course, not accounting for separators or capitals.

 

Also, zach, hope you’re not  keeping crypto on an exchange? Do you use a hardware wallet?

Share this post


Link to post
Share on other sites
29 minutes ago, Waldo said:

Also, zach, hope you’re not  keeping crypto on an exchange? Do you use a hardware wallet?

I don't but there is only a tiny amount in it, I doubt if there's two quid in it. I usually buy and use on the same day. Call me old fashioned, I find online banking and Paypal suit all my everyday needs.

 

Just checked the bitcoin, all's OK but I'll not retire just now with it.

Share this post


Link to post
Share on other sites

A dictionary attack is possible with a word-based passphrase. In fact 3 words randomly chosen from a standard dictionary is about as secure as a randomly generated 8 character password (i.e. not very secure at all). 5 or 6 words would be much better.

Share this post


Link to post
Share on other sites
23 hours ago, andysm said:

A dictionary attack is possible with a word-based passphrase. In fact 3 words randomly chosen from a standard dictionary is about as secure as a randomly generated 8 character password (i.e. not very secure at all). 5 or 6 words would be much better.

Yeah, I was thinking if the dictionary is ordered by how commonly each word is used (and in theory more likely to be chosen by a human); it wouldn’t take that long to brute force.

 

I don’t really know enough to say if that’s feasible or not, but it would concern me. I use a password manager with long (30 character normally) random strings.

 

I’m thinking of situations where a website has a data breach and user credentials are offline, and a hacker can run a lot of checks very quickly.

Share this post


Link to post
Share on other sites
On 23/05/2020 at 19:12, zach said:

When I took over as admin at the last place, it was set to change every 30 days, no previous 5 passwords allowed and must contain at least 8 characters - upper and lower case and numbers etc. Odd, a lot of people wouldn't speak to me for a while!  I do like the 4 digit PIN option on Windows and macOS, it is linked to a password and if a PIN is OK for my bank card, It's OK on my home PC. 

My workplace had that, changing password every 30 days. I thought it less secure, because people would be ringing every couple of months, when they had not used their password.

The risk came, that the person phoning could get your details.

Share this post


Link to post
Share on other sites
9 hours ago, El Cid said:

My workplace had that, changing password every 30 days. I thought it less secure, because people would be ringing every couple of months, when they had not used their password.

The risk came, that the person phoning could get your details.

I'm  not with you, Your admin would give passwords over the phone?  in the case I mention the users were logging on every day. If somebody forgot their password, a single use password was issued but they had to then immediately change it to one that that met the password rules before they could fully login to the system. The rules that were written into the company security policy but not implemented by the previous admin.

 

I got every excuse under the Sun on how it was a bad idea. We had a meeting with the department heads where I showed the information that "could" be accessed on the system depending on their level of access. I also explained ways to come up with, and remember strong passwords. It wasn't a case of waving a big stick because I could, it was done to protect theirs, and other peoples very personal information.

 

If you think of it like this. If you work for a company, someone at your place of work has access to:-

 

Your full name

Your address

Your NI number

Your DOB

Maybe your car info (Reg number etc)

 

That is a very basic list. I don't know about you but if someone had information like that about me, I'd like them to secure it properly.

 

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.