Linked by Howard Fosdick on Sat 10th Nov 2012 07:28 UTC
Bugs & Viruses If you want to ensure you have adequate passwords but don't have the time or interest to study the topic, there's a useful basic article on how to devise strong passwords over at the NY Times. It summarizes key points in 9 simple rules of thumb. Also see the follow-up article for useful reader feedback. Stay safe!
Thread beginning with comment 541807
RE: Comment by Luminair
by darknexus on Sat 10th Nov 2012 11:50 UTC in reply to "Comment by Luminair"
darknexus Member since:
2008-07-15

Passphrases don't work everywhere. Many sites either won't let you have spaces, require you to have numbers, limit you between 8 and 12 characters, disallow certain punctuation marks, etc. In principle I actually agree with you (although I doubt people would pick more secure passphrases than they currently pick passwords now). The other thing we really need is intelligence on the part of people who design service web sites. There is no reason, for example, that a dictionary attack should ever work, ditto for brute force attacks. If someone tries a wrong password more than three times, the account should be locked and the account owner notified at once by all means of contact that they have on file. A temporary block on the IP address initiating said transaction wouldn't be unwise as well. That account will then be absolutely disabled until the account owner can take whatever steps necessary to reactivate it and, in the meantime, good luck hacking into a disabled account with a dictionary. Period. That is as it should be. Sadly, it seems like very few institutions, including banks and other financial sites, implement such basic security, for the sake of convenience. I would think that the potential inconvenience of a three-strike password would outweigh the inconvenience if, let's say, your bank account gets hacked and someone takes all your cash. No, it won't protect against key logger trojans and other, more sophisticated forms of attack but, if you've got a key logger on your machine, no amount of strong passwording is going to help you anyway.
Security is a two-way street. Intelligence on the part of the end-user, and intelligence on the part of the system designer. Both, sadly, are lacking right now. Password safety is not rocket science, and that applies to both parties.

Reply Parent Score: 5

RE[2]: Comment by Luminair
by kwan_e on Sat 10th Nov 2012 12:13 in reply to "RE: Comment by Luminair"
kwan_e Member since:
2007-02-18

Passphrases don't work everywhere. Many sites either won't let you have spaces, require you to have numbers, limit you between 8 and 12 characters, disallow certain punctuation marks, etc.


The main reason, as I understand it, is that those rules are there because of the outdated ideas about how to make secure passwords such as having numbers etc.

But the way to go has to be passphrases, and this technique needs to be taught. A passphrase can be much longer and thus more secure without much more memorization than a normal password.

Even z/OS now has support for passphrases. That is how out of date plain old passwords are.

Edited 2012-11-10 12:13 UTC

Reply Parent Score: 3

RE[3]: Comment by Luminair
by Laurence on Mon 12th Nov 2012 09:23 in reply to "RE[2]: Comment by Luminair"
Laurence Member since:
2007-03-26


The main reason, as I understand it, is that those rules are there because of the outdated ideas about how to make secure passwords such as having numbers etc.

But the way to go has to be passphrases, and this technique needs to be taught. A passphrase can be much longer and thus more secure without much more memorization than a normal password.

Even z/OS now has support for passphrases. That is how out of date plain old passwords are.

Pass-phrases are better than *short* passwords, but most modern attacks target passphrases these days.

I've explained the technique modern attacks use and how it reduces the number of attempted permutations required in detail in this post: http://www.osnews.com/permalink?542101 .

Edited 2012-11-12 09:25 UTC

Reply Parent Score: 2

RE[2]: Comment by Luminair
by unclefester on Sun 11th Nov 2012 01:37 in reply to "RE: Comment by Luminair"
unclefester Member since:
2007-01-13

My bank locks the online account after three failed password attempts per day. You are required to phone customer service to reset the password.

Reply Parent Score: 2
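The three-strikes policy darknexus describes above (lock the account, notify the owner, temporarily block the originating IP, stay locked until the owner reactivates out of band, which is what unclefester's bank does by phone) sketched as server-side logic. This is an added illustration, not code from any commenter or site; the plaintext credential table, the `notify` callback and the injectable `now` clock are constructed stand-ins for a real credential store, contact channels and system time.

```python
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable

MAX_FAILURES = 3          # the "three strikes" from the thread
IP_BLOCK_SECONDS = 15 * 60  # assumed length of the temporary IP block


@dataclass
class LoginGuard:
    credentials: dict                 # constructed: username -> secret (a real store keeps hashes)
    notify: Callable[[str, str], None]  # stand-in for "all means of contact on file"
    now: Callable[[], float] = time.time
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)
    blocked_ips: dict = field(default_factory=dict)  # ip -> unix time the block expires

    def ip_blocked(self, ip: str) -> bool:
        until = self.blocked_ips.get(ip)
        if until is None:
            return False
        if self.now() >= until:       # block has expired; forget it
            del self.blocked_ips[ip]
            return False
        return True

    def attempt(self, user: str, password: str, ip: str) -> str:
        if self.ip_blocked(ip):
            return "ip_blocked"
        if user in self.locked:
            # A disabled account rejects even the right password, so guessing
            # against it yields no signal until the owner reactivates it.
            return "locked"
        stored = self.credentials.get(user)
        if stored is not None and secrets.compare_digest(stored, password):
            self.failures.pop(user, None)   # success clears the strike counter
            return "ok"
        strikes = self.failures.get(user, 0) + 1
        self.failures[user] = strikes
        if strikes >= MAX_FAILURES:
            self.locked.add(user)
            self.blocked_ips[ip] = self.now() + IP_BLOCK_SECONDS
            self.notify(user, f"account locked after {strikes} failed logins from {ip}")
            return "locked"
        return "wrong_password"

    def reactivate(self, user: str) -> None:
        # Out-of-band step (e.g. the phone call to customer service); not reachable via login.
        self.locked.discard(user)
        self.failures.pop(user, None)
```

Note that the strike counter is keyed on the submitted username whether or not it exists, so an unknown name is treated the same as a wrong password.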

RE[3]: Comment by Luminair
by darknexus on Sun 11th Nov 2012 03:20 in reply to "RE[2]: Comment by Luminair"
darknexus Member since:
2008-07-15

My bank locks the online account after three failed password attempts per day. You are required to phone customer service to reset the password.

That's good. I'm glad there are still some people out there that understand how to implement some basic security. Now, if they would just teach the rest…

Reply Parent Score: 3