(BusinessWeek) A password so secure, you don't even know what it is (businessweek.com)
More: Weird, cognitive scientists

5177 clicks; posted to Geek on 07 Aug 2012 at 2:12 AM

72 Comments

Archived thread
 
2012-08-07 01:54:44 AM
Am I the only one who read "USENIX" as "UNISEX"?
 
2012-08-07 02:15:56 AM
[imgs.xkcd.com image 448x274]

/oblig
 
2012-08-07 02:19:45 AM
ox45tallboy: [imgs.xkcd.com image 448x274]

/oblig


More fitting

[imgs.xkcd.com image]

But this is a lab trick, not a viable way to build passwords.
 
2012-08-07 02:22:56 AM
[upload.wikimedia.org image 200x302]

For those who haven't seen this book before, David Brin is the guy who wrote the awesome novel The Postman that Kevin Costner butchered miserably into that sorry excuse for a movie.

One of the plot devices of Kiln People was the way that people verified their identity when performing such things as financial transactions. An individual would instinctively respond to a series of numbers with the first number that pops into their heads. In a matter of a minute or so, a pattern could be detected that would be unique to that individual, and pretty much unreplicatable.
 
2012-08-07 02:24:10 AM
I take the first letter of each word from obscure alternative country or obscene folk songs and use that as my password.

Alice's Restaurant is among the best to use.

2-78X10cgpwc&aaonboe1ewe1w is a virtually unbreakable password for the foreseeable future.
 
2012-08-07 02:27:55 AM
wildcardjack: But this is a lab trick, not a viable way to build passwords.

Okay, I'll probably regret asking this, but why not? I use a combination of numbers and letters, at least 8 characters long myself, the idea being protection against a dictionary attack. However, nowadays it has become pretty efficient for a malicious user to simply brute force his way in using every possible combination of numbers, letters, and symbols, so the idea is to make the password much longer, but not necessarily more complex, since no one uses a dictionary anymore.
 
2012-08-07 02:28:23 AM
I keep my computer password the same as my luggage code. It's foolproof.
 
2012-08-07 02:29:13 AM
Smeggy Smurf: 2-78X10cgpwc&aaonboe1ewe1w is a virtually unbreakable password for the foreseeable future

*scribble scribble*

Not anymore, genius.
 
2012-08-07 02:30:37 AM
Snarcoleptic_Hoosier: I keep my computer password the same as my luggage code. It's foolproof.

[www.rankopedia.com image]

/approves
 
2012-08-07 02:36:14 AM
Smeggy Smurf: 2-78X10cgpwc&aaonboe1ewe1w is a virtually unbreakable password for the foreseeable future

Yes, that's secure for about 2800 years using XKCD's second comic assumptions, and about 5 minutes using the first comic's assumptions.

ox45tallboy: An individual would instinctively respond to a series of numbers with the first number that pops into their heads. In a matter of a minute or so, a pattern could be detected that would be unique to that individual, and pretty much unreplicatable

I won't argue the variability of human minds, but that still has a weakness. If you stole the file with all the people's patterns then you'd have the makings of a grand scale of identity theft. You'd be better off with infrared blood vessel scans. Quick, passive, and I doubt even cloning would make duplicates.
 
2012-08-07 02:42:04 AM
ox45tallboy: Okay, I'll probably regret asking this, but why not?

I was referring to the article. correct_horse_battery_staple would probably make for a killer password if you don't mind the length.

And if you work at a certain defense contractor in the DFW area, back in the NT days we used JacNb0x as the admin password on Windows desktops. I haven't been to that site since the USS Cole got bombed, but I bet most of your desktops have that admin password to this day.
 
2012-08-07 02:42:24 AM
wildcardjack: I won't argue the variability of human minds, but that still has a weakness. If you stole the file with all the people's patterns then you'd have the makings of a grand scale of identity theft. You'd be better off with infrared blood vessel scans. Quick, passive, and I doubt even cloning would make duplicates.

If you're referring to the book, I don't believe they could store an individual's pattern except in the clay; therefore, anything of nature would be as a result of ditnapping, which, if it were dit-tected in time, wouldn't be productive as the rig could seal off the account.
 
2012-08-07 02:45:26 AM
wildcardjack: And if you work at a certain defense contractor in the DFW area, back in the NT days we used JacNb0x as the admin password on Windows desktops. I haven't been to that site since the USS Cole got bombed, but I bet most of your desktops have that admin password to this day.

Great, and now the terrorists have it. Thanks a lot, man.
 
2012-08-07 02:57:18 AM
"What's striking is that the subjects, when asked, couldn't say what the password sequence was-in fact the subjects were barely able to recognize it when they saw it."

Yes, but if they knew that it was going to be an important sequence to know later on, then I think they would tend to start locking it in their own memory. I have a few 20+ character passwords for important things, and while my fingers learned them before my mind did, I have the passwords burned into my fingers and my own memory now. When I first started learning one of them I had to log in to the website via mobile on the damn cell phone num pad. I didn't "know" my password by character yet, but I closed my eyes and visualized myself typing it on a keyboard.
 
2012-08-07 03:11:40 AM
A password so secure, you don't even know what it is

That's all of my passwords.

My memory sucks.
 
2012-08-07 03:13:58 AM
ox45tallboy: [upload.wikimedia.org image 200x302]

For those who haven't seen this book before, David Brin is the guy who wrote the awesome novel The Postman that Kevin Kostner butchered miserably into that sorry excuse for a movie.

One of the plot devices of Kiln People was the way that people verified their identity when performing such things as financial transactions. An individual would instinctively respond to a series of numbers with the first number that pops into their heads. In a matter of a minute or so, a pattern could be detected that would be unique to that individual, and pretty much unreplicatable.


I always thought that Kiln People was a far superior book. Would probably even make a decent movie. There's lots of action; a strong, fairly focused plot; and the whole dittos thing would be really easy with some colored makeup.
 
2012-08-07 03:18:11 AM
Abner Doon: I always thought that Kiln People was a far superior book. Would probably even make a decent movie. There's lots of action; a strong, fairly focused plot; and the whole dittos thing would be really easy with some colored makeup.

No, it being Hollywood, they'd just CGI that sh*t and it'd wind up looking like the Will Smith version of I, Robot. If Hollywood would let some of these talented writers have more creative input, then sh*t like The Postman wouldn't happen.
 
2012-08-07 03:41:15 AM
But the password they don't know is a password someone else does know, because they were given it. So in the end someone still knows the god damn password, so what the fark is the point of this shiat?
 
2012-08-07 04:06:16 AM
wildcardjack: And if you work at a certain defense contractor in the DFW area, back in the NT days we used JacNb0x as the admin password on Windows desktops. I haven't been to that site since the USS Cole got bombed, but I bet most of your desktops have that admin password to this day.

The military installation I worked at had ridiculous password requirements for our high side accounts. To the point where people just used cascading keys to create a password that could easily be remembered...

stuff like 1qaz!QAZ2wsx@WSX

Our NOC was locked away behind a PIN-accessed door (kept us from having other people in the building bother us unless they filed a trouble ticket). Default passwords or extremely easy passwords on all of our server crap, and the PIN pad for the door was a 9-digit keypad that had only four buttons with a noticeable amount of wear (because these were the 4 buttons used for the combo).
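The crack-time arithmetic wildcardjack does earlier in the thread for the 26-character lyric acronym, and the keyboard-walk pattern 1qaz!QAZ2wsx@WSX in the comment just above, can both be checked with a small estimator. The Python below is an added example written for this page, not code from the article, from any commenter or from any named product. The two guess rates, the symbol-class size and the 0.6 walk threshold are assumptions of the example, and the entropy figure assumes every character was chosen uniformly at random, which a song acronym is not.

```python
import math
import string

# Guess rates are assumptions of this example. The online rate is the 1000
# guesses/second figure from the xkcd "correct horse battery staple" comic
# that wildcardjack refers to; the offline rate is a round number for a GPU
# rig attacking a dump of fast, unsalted hashes.
ONLINE_GUESSES_PER_SEC = 1_000
OFFLINE_GUESSES_PER_SEC = 10_000_000_000

# Size of each character class a guesser has to cover; the symbol class is
# the 32 characters of string.punctuation (another assumption).
CLASS_SIZES = {"lower": 26, "upper": 26, "digit": 10, "symbol": len(string.punctuation)}

# US QWERTY layout, used only to recognise keyboard walks such as 1qaz2wsx.
QWERTY_ROWS = ["`1234567890-=", "qwertyuiop[]\\", "asdfghjkl;'", "zxcvbnm,./"]
QWERTY_COLS = ["1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik,", "9ol.", "0p;/"]
UNSHIFT = dict(zip('~!@#$%^&*()_+{}|:"<>?', "`1234567890-=[]\\;',./"))


def _adjacent_pairs() -> set:
    """Every (key, neighbour) pair along a row or a column, in both directions."""
    pairs = set()
    for line in QWERTY_ROWS + QWERTY_COLS:
        for a, b in zip(line, line[1:]):
            pairs.add((a, b))
            pairs.add((b, a))
    return pairs


ADJACENT = _adjacent_pairs()


def alphabet_size(password: str) -> int:
    """Sum of the class sizes present: what a brute-force attacker must enumerate per position."""
    size = 0
    if any(c.islower() for c in password):
        size += CLASS_SIZES["lower"]
    if any(c.isupper() for c in password):
        size += CLASS_SIZES["upper"]
    if any(c.isdigit() for c in password):
        size += CLASS_SIZES["digit"]
    if any(c in string.punctuation for c in password):
        size += CLASS_SIZES["symbol"]
    return size


def entropy_bits(password: str) -> float:
    """Upper bound on entropy; only valid if each character was chosen uniformly at random."""
    return len(password) * math.log2(alphabet_size(password))


def expected_crack_years(bits: float, guesses_per_sec: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace at the given rate."""
    return (2.0 ** bits / 2) / guesses_per_sec / (365.25 * 86400)


def keyboard_walk_fraction(password: str) -> float:
    """Fraction of consecutive character pairs that are neighbours on a QWERTY row or column.
    Shifted symbols are mapped back to their key, so !QAZ counts the same as 1qaz."""
    keys = [UNSHIFT.get(c, c) for c in password.lower()]
    if len(keys) < 2:
        return 0.0
    hits = sum((a, b) in ADJACENT for a, b in zip(keys, keys[1:]))
    return hits / (len(keys) - 1)


def is_keyboard_walk(password: str, threshold: float = 0.6) -> bool:
    return keyboard_walk_fraction(password) >= threshold


def assess(password: str) -> dict:
    bits = entropy_bits(password)
    walk = is_keyboard_walk(password)
    return {
        "length": len(password),
        "entropy_bits_if_random": round(bits, 1),
        "online_years": expected_crack_years(bits, ONLINE_GUESSES_PER_SEC),
        "offline_years": expected_crack_years(bits, OFFLINE_GUESSES_PER_SEC),
        "keyboard_walk": walk,
        # A walk is in every cracking ruleset, so the entropy number is meaningless for it.
        "verdict": "pattern password: treat as a few bits" if walk else "estimate holds only for random choice",
    }


if __name__ == "__main__":
    for pw in ["2-78X10cgpwc&aaonboe1ewe1w", "1qaz!QAZ2wsx@WSX", "JacNb0x"]:
        print(pw, assess(pw))
```

Run as-is, the estimator rates the lyric acronym at about 170 bits if random, which is far beyond any human timescale at either rate, and flags 1qaz!QAZ2wsx@WSX as a keyboard walk (12 of its 15 adjacent pairs are neighbouring keys once the shifted characters are mapped back). The point of the walk check is the caveat: an estimator that only counts classes and length gives the 16-character walk about 105 bits, while a cracker's ruleset produces it in seconds, and the same applies to acronyms of well-known songs.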
 
2012-08-07 04:25:05 AM
Meh. Passwords are merely one component of good security.

My bank[1], for example, gives me a little device the size of a simple calculator. When I log into their website I enter my username and password, then the system presents me with a "challenge" sequence of eight digits. I insert my bank card into the calculator, enter the challenge code, enter my PIN, and it computes a response code. The system only lets me proceed once I enter the correct response code. The calculator alone is useless -- it requires the bank card (which has a chip, like other cards in Europe) and my PIN. This basically eliminates any password-guessing attacks.

I run a few small servers that face the internet. None of the administrative protocols (SSH, for example) are accessible from the internet. One of the systems runs an OpenVPN server that ignores any unsigned packets: bad guys aren't able to identify that the VPN server exists as they can't send appropriately-signed packets. I connect to the server using OpenVPN (which uses certificates for authentication), then SSH through the VPN tunnel. SSH is configured to use only public keys for authentication.

Some internet-facing web applications/services that I need to access also support one-time passwords, such as those used by Google Authenticator. My Google accounts are all protected using this method, as are some other services that I host on my own servers. This essentially nullifies password-guessing attacks.

Rather than setting obnoxious password requirements, it'd probably be better to have moderate password requirements combined with some form of two-factor authentication like Google Authenticator or SMS-based one time passwords.

[1] PostFinance in Switzerland. I'm a grad student in Bern. Swiss bank accounts are considerably less sneaky than movies make them out to be.
 
2012-08-07 04:32:52 AM
which makes resetting it a biatch...

/BTW...if I have to change it every 30 days...PLEASE don't start reminding me daily 15 days beforehand.
 
2012-08-07 04:50:31 AM
My biggest problem with passwords for me personally is that I can't remember them all.

I have various accounts with websites from my bank to forums to the sites I shop at. I probably have about 30 passwords out there in total. I can't remember them all so I have to write them down somewhere. I used to write them down in the back of a notebook but I figured that was a really bad idea since if someone gets hold of that they have everything. I now have them all in a password-protected file on my computer. So that way I have to remember just one password.

But the thing is, I'm still pretty vulnerable. Someone has only to crack one password to get instant access to the whole lot. The damage they could do with some would be minimal (post offensive comments using my youtube account?). The damage they could do with others would cost me a lot (purchase a ton of crap on my shopping accounts).

But seriously, does anyone here actually remember all their passwords? I can't be the only one with near to 30 passwords considering that everything is online these days and needs a password. Anyone have a better solution that just writing them down?
 
2012-08-07 05:38:36 AM
The answer is voice biometrics.

No more carrying around little calculators from my bank. Making a large/unusual transaction on internet banking? Phone rings...security system asks me to read out a random string...Biometric print verified? Transaction authorised.

I call my bank? Same deal. I read out my account number...they know who I claim to be from the account number I've given and can verify my claimed identity from the voice print. No more giving insecure information like mother's maiden name, postcode, etc.

No more forgetting your password, because your voice is your password.

Still susceptible to being hit over the head by a wrench though I guess.
 
2012-08-07 05:45:43 AM
Smeggy Smurf: I take the first letter of each word from obscure alternative country or obscene folk songs and use that as my password

Alice's Restaurant is among the best to use

2-78X10cgpwc&aaonboe1ewe1w is a virtually unbreakable password for the foreseeable future


Alice's Restaurant is obscure?
 
2012-08-07 06:24:45 AM
The sound of one hand clapping: My biggest problem with passwords for me personally is that I can't remember them all.

But seriously, does anyone here actually remember all their passwords? I can't be the only one with near to 30 passwords considering that everything is online these days and needs a password. Anyone have a better solution that just writing them down?


No, you are one of many. Another maddening issue is the different password standards - no special characters and case insensitive, on a bank (!?) website. Meanwhile, other accounts require special characters, but not THOSE special characters (they're too special, I guess).

I use a password generator/keeper, but I'd like to also have the option for two factor authentication for everything. I have it for my g-mail and yahoo accounts.
 
2012-08-07 06:45:25 AM
wallywam1: Smeggy Smurf: I take the first letter of each word from obscure alternative country or obscene folk songs and use that as my password

Alice's Restaurant is among the best to use

2-78X10cgpwc&aaonboe1ewe1w is a virtually unbreakable password for the foreseeable future

Alice's Restaurant is obscure?


Yes, it is.
 
2012-08-07 06:54:55 AM
Slaxl: wallywam1: Smeggy Smurf: I take the first letter of each word from obscure alternative country or obscene folk songs and use that as my password

Alice's Restaurant is among the best to use

2-78X10cgpwc&aaonboe1ewe1w is a virtually unbreakable password for the foreseeable future

Alice's Restaurant is obscure?

Yes, it is.


Ugh. I'm old.
 
2012-08-07 07:32:42 AM
wildcardjack: Smeggy Smurf: 2-78X10cgpwc&aaonboe1ewe1w is a virtually unbreakable password for the foreseeable future

Yes, that's secure for about 2800 years using XKCD's second comic assumptions, and about 5 minutes using the first comic's assumptions.


There is one way to guarantee security forever, regardless of either XKCD scenario:

05231 05231 BT
34906 04154 10144 60083 30819
63735 86455 71170 77287 AR


Everything you need to decrypt that is in my profile.
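The five-digit groups in the comment above are the format of a hand-worked one-time pad: each plaintext digit is added to a pad digit modulo 10, and the pad is used once, which is why the commenter can call it secure under either xkcd scenario. The 10-sided dice dittybopper mentions later in the thread are the traditional way to produce such a pad. The Python below is an added example for this page, not the commenter's system and not what the groups above decrypt to; the straddling checkerboard key row, the dot padding and the sample messages are this example's own choices.

```python
import secrets

# Straddling checkerboard. The row key "ET AON RIS" is this example's choice:
# eight frequent letters get one digit, the rest get two (prefixed 2 or 6),
# and a decoder can always tell where one letter ends because 2 and 6 never
# stand alone.
#        0 1 2 3 4 5 6 7 8 9
#        E T   A O N   R I S
#   2:   B C D F G H J K L M
#   6:   P Q U V W X Y Z . /
_ROW0 = "ET AON RIS"
_ROW2 = "BCDFGHJKLM"
_ROW6 = "PQUVWXYZ./"
ENCODE = {ch: str(i) for i, ch in enumerate(_ROW0) if ch != " "}
ENCODE.update({ch: "2" + str(i) for i, ch in enumerate(_ROW2)})
ENCODE.update({ch: "6" + str(i) for i, ch in enumerate(_ROW6)})
DECODE = {code: ch for ch, code in ENCODE.items()}


def checkerboard_encode(text: str) -> str:
    """Letters become digits; spaces and anything not in the table are dropped."""
    return "".join(ENCODE[c] for c in text.upper() if c in ENCODE)


def checkerboard_decode(digits: str) -> str:
    out, i = [], 0
    while i < len(digits):
        width = 2 if digits[i] in "26" else 1
        out.append(DECODE[digits[i:i + width]])
        i += width
    return "".join(out)


def generate_pad(n_digits: int) -> str:
    """One uniformly random digit per position, the software equivalent of a d10 roll."""
    return "".join(str(secrets.randbelow(10)) for _ in range(n_digits))


def padded_digits(text: str) -> str:
    """Encode, then append k dots so the length is a multiple of 5 (2k = -n mod 5)."""
    digits = checkerboard_encode(text)
    return digits + ENCODE["."] * ((-len(digits) * 3) % 5)


def group(digits: str) -> str:
    return " ".join(digits[i:i + 5] for i in range(0, len(digits), 5))


def otp_encrypt(text: str, pad: str) -> str:
    digits = padded_digits(text)
    if len(pad) < len(digits):
        raise ValueError("pad too short: a pad is never stretched or reused")
    cipher = "".join(str((int(p) + int(k)) % 10) for p, k in zip(digits, pad))
    return group(cipher)


def otp_decrypt(groups: str, pad: str) -> str:
    cipher = groups.replace(" ", "")
    if len(pad) < len(cipher):
        raise ValueError("pad too short for this ciphertext")
    digits = "".join(str((int(c) - int(k)) % 10) for c, k in zip(cipher, pad))
    return checkerboard_decode(digits).rstrip(".")  # also strips a genuine trailing '.'


def two_time_pad_leak(groups_a: str, groups_b: str) -> str:
    """If two messages share a pad, subtracting the ciphertexts cancels the pad and
    leaves the digit-wise difference of the two plaintexts for anyone to solve."""
    a, b = groups_a.replace(" ", ""), groups_b.replace(" ", "")
    return "".join(str((int(x) - int(y)) % 10) for x, y in zip(a, b))


if __name__ == "__main__":
    pad = generate_pad(25)
    ct = otp_encrypt("ATTACK AT DAWN", pad)
    print("pad       :", group(pad))
    print("ciphertext:", ct)
    print("plaintext :", otp_decrypt(ct, pad))
```

The `two_time_pad_leak` function is the caveat that matters in practice: the security argument rests entirely on the pad being random, as long as the traffic, and used exactly once; encrypt two messages with the same groups and their difference falls out without any key at all.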
 
2012-08-07 07:37:15 AM
magic_patch: The answer is voice biometrics.

No more carrying around little calculators from my bank. Making a large/unusual transaction on internet banking? Phone rings...security system asks me to read out a random string...Biometric print verified? Transaction authorised.

I call my bank? Same deal. I read out my account number...they know who I claim to be from the account number I've given and can verify my claimed identity from the voice print. No more giving insecure information like mother's maiden name, postcode, etc.

No more forgetting your password, because your voice is your password.

Still susceptible to being hit over the head by a wrench though I guess.


What happens when someone records your voice, and can duplicate the wave forms, either by just editing the recording, or through electronic or even just natural mimicry?
 
2012-08-07 08:12:53 AM
This is more or less what my password is.
I made it using a Korean keyboard and remembered the keystrokes to the individual letters making up syllable groups. The Korean keyboard doesn't logically follow the English one in terms of sounds or letters, so I memorized the keystrokes by action. I had no idea what the actual letters were though. It was actually a huge pain when I got a smart phone. I couldn't log into anything from my phone because I had no idea what the password was. I would sit outside pretending I'm typing on an air keyboard and try to figure out what keys they must be.
 
2012-08-07 08:41:18 AM
The sound of one hand clapping: My biggest problem with passwords for me personally is that I can't remember them all.

I have various accounts with websites from my bank to forums to the sites I shop at. I probably have about 30 passwords out there in total. I can't remember them all so I have to write them down somewhere. I used to write them down in the back of a notebook but I figured that was a really bad idea since if someone gets hold of that they have everything. I now have them all in a password-protected file on my computer. So that way I have to remember just one password.

But the thing is, I'm still pretty vulnerable. Someone has only to crack one password to get instant access to the whole lot. The damage they could do with some would be minimal (post offensive comments using my youtube account?). The damage they could do with others would cost me a lot (purchase a ton of crap on my shopping accounts).

But seriously, does anyone here actually remember all their passwords? I can't be the only one with near to 30 passwords considering that everything is online these days and needs a password. Anyone have a better solution that just writing them down?


KeepassX.

I don't know a single one of my passwords for online shenanigans. Just the one to unlock the local db.

It's free. You're welcome.
 
2012-08-07 08:51:45 AM
Smeggy Smurf: I take the first letter of each word from obscure alternative country or obscene folk songs and use that as my password

Alice's Restaurant is among the best to use

2-78X10cgpwc&aaonboe1ewe1w is a virtually unbreakable password for the foreseeable future


That's nice, but you're leaving out a couple of things. Mainly better genres of music. Here, here's a freebie for y'all- a very secure password that you'll memorize in about 1.27 seconds. If you use this, dittybopper will get mad at you, though, because it has been posted on a public forum and is therefore searchable by Google.

362436?OnlyIfShes53!

I like secure passwords, and I can not lie.
 
2012-08-07 08:52:50 AM
use lines from old songs, with a stock addition of numbers and characters

*oh!susie-qneverleavemeblue*
*hush!nowdon'tyoucry* etc.
 
2012-08-07 08:55:06 AM
Huh. I kind of do the same thing, but I still memorized the letters. After a while, though, your fingers just go where they need to.
 
2012-08-07 09:08:23 AM
Problem being of course when you go to a different keyboard.

Also..what do you have that needs to be so secure?
 
2012-08-07 09:13:16 AM
kvinesknows:
Also..what do you have that needs to be so secure?


Don't you know?
 
2012-08-07 09:21:20 AM
erewhon: kvinesknows:
Also..what do you have that needs to be so secure?

Don't you know?


not yet...is that an O or a 0 ?
 
2012-08-07 09:22:58 AM
So when the authorities demand you turn over the password to your encrypted files, you can honestly say "I have never had the password to those files so I am not refusing to give you it"
 
2012-08-07 09:23:15 AM
kvinesknows: erewhon: kvinesknows:
Also..what do you have that needs to be so secure?

Don't you know?

not yet...


GOOD.
 
2012-08-07 09:28:06 AM
For it to work as a password you'd need to be aware of it. There's a difference between somebody practicing a sequence and getting better at it, and being aware of it and repeating it. As someone said above, they might not be able to actively recite it, but could just type it out like they've practiced. That is still knowing that sequence is the password. At which point the rubber hose could persuade someone into spitting it out.

The only way I can think of that you could really not know the password is with a rolling one. But, I'm sure at that point someone could hack in and sync up something to retrieve the passwords.
 
2012-08-07 09:35:06 AM
Sorry - that's an old SCIF joke on the order of "what's a henweigh".

Basically, if someone asks what you're working on, you say innocently "Don't you know?" which generally provokes the response "Fark you", because if they bite and say "no", you reply GOOD (often ex-Army) or "Then it must not be any of your gaddam business" (TLA).

"Good" is probably because there's an Army shaggy dog story that ends that way - basically the set up is some guy with too much curiosity and some mechanical skill or luck, generally an NCO, gets curious about what's in his CO's office. So he lets himself in while the boss is away and goes through the drawers, cabinets, safe and whatnot discovering either Hustlers and booze (if it's YOUR CO) or something embarrassing (pecker pills, lace panties etc) if it's someone else's. While the guy is in there picking through the stuff, the phone rings, and it's the LTC, General or whatnot looking for the CO, the NCO obviously can't answer as to why he's in there, a loud dressing down ensues at the end of which the senior officer says "Who the hell is this?", the NCO replies "Don't you know?", the officer says "NO!" and the reply is "Good!" the guy hangs up and leaves. You can stretch it out for quite some time.
 
2012-08-07 09:37:57 AM
erewhon: Sorry - that's an old SCIF joke on the order of "what's a henweigh".

Basically, if someone asks what you're working on, you say innocently "Don't you know?" which generally provokes the response "Fark you", because if they bite and say "no", you reply GOOD (often ex-Army) or "Then it must not be any of your gaddam business" (TLA).

"Good" is probably because there's an Army shaggy dog story that ends that way - basically the set up is some guy with too much curiosity and some mechanical skill or luck, generally an NCO, gets curious about what's in his CO's office. So he lets himself in while the boss is away and goes through the drawers, cabinets, safe and whatnot discovering either Hustlers and booze (if it's YOUR CO) or something embarrassing (pecker pills, lace panties etc) if it's someone else's. While the guy is in there picking through the stuff, the phone rings, and it's the LTC, General or whatnot looking for the CO, the NCO obviously can't answer as to why he's in there, a loud dressing down ensues at the end of which the senior officer says "Who the hell is this?", the NCO replies "Don't you know?", the officer says "NO!" and the reply is "Good!" the guy hangs up and leaves. You can stretch it out for quite some time.


I am familiar with this joke. I can't say *WHY*, however.
 
2012-08-07 09:41:56 AM
kvinesknows: Also..what do you have that needs to be so secure?

Nunya. Nunya bidness.
 
2012-08-07 09:43:30 AM
Gonz: If you use this, dittybopper will get mad at you, though, because it has been posted on a public forum and is therefore searchable by Google.

I won't get mad at you. I'll just sigh, shake my head, and go back to rolling 10-sided dice.
 
2012-08-07 10:13:59 AM
dittybopper: I am familiar with this joke. I can't say *WHY*, however.

I'd be amazed if, being in the Army, you hadn't heard it a number of times in some form.

After they made the mistake of giving me that inertia lock opener, I used it to let myself into padlocked areas occasionally and leave mementos; eventually they got suspicious and I had to break it off before I got caught. One day the warrant asked me if I knew who had been doing it and I answered "Don't you know?", which both tickled and pissed him off at the same time.

That thing was my farking favorite toy for years. I've still got it and its companion tools in a box in the attic. I remember a guy who went through the lock-picking class was showing me how you open padlocks by making a widget out of a coke can. Took him several minutes to get it shaped right and weasel the lock open. I said "lock it back", he did, and thump! the lock's open. Makes a tiny bit of noise compared to a coke can pick but it's way faster. Things being what they are these days, I'm afraid to carry them around anymore, temptation or no.
 
2012-08-07 10:16:32 AM
BTW, were you at Devens any?
 
2012-08-07 10:17:15 AM
dittybopper: Gonz: If you use this, dittybopper will get mad at you, though, because it has been posted on a public forum and is therefore searchable by Google.

I won't get mad at you. I'll just sigh, shake my head, and go back to rolling 10-sided dice.


I'd rather roll a 20-sided di OH GODDAMIT I FAILED THE SAVE THROW!!
 
2012-08-07 10:38:08 AM
Unobtanium: The sound of one hand clapping: My biggest problem with passwords for me personally is that I can't remember them all.

But seriously, does anyone here actually remember all their passwords? I can't be the only one with near to 30 passwords considering that everything is online these days and needs a password. Anyone have a better solution that just writing them down?

No, you are one of many. Another maddening issue is the different password standards - no special characters and case insensitive, on a bank (!?) website. Meanwhile, other accounts require special characters, but not THOSE special characters (they're too special, I guess).

I use a password generator/keeper, but I'd like to also have the option for two factor authentication for everything. I have it for my g-mail and yahoo accounts.


another way is to have a common base part to all your passwords, then something specific to the purpose.

example: Base part: yellow55

then for logging into espn the pass is: yellow55espn
logging into Wells Fargo bank account: yellow55wells

this should cut down on memorizing 30 some odd different codes. Still doesn't get you around the problem of different sites only using special characters, only numbers, one capital & and one special, yada. Try to come up with a base part that has a little of each, then just write down the restrictions that each site has to help you remember.

I had a password card at work that has all the things I need passwords for, and next to each server/service I have written down the restrictions/requirements for the password for that site. If someone steals that card, all they know is that serverX requires a number, uppercase and lowercase but no special characters.

/csb it was the 30-day time for a new password, so I created one that started with "@". entered it and locked up the server. I got a response from IT asking what I had done, explained it and they told me not to do that (with the attitude of why would you do that, don't you know that the software treats @ as a command.). I kindly replied "then why don't you tell us users what characters we are and are not to use for this server."
 
2012-08-07 10:40:34 AM
erewhon: Makes a tiny bit of noise compared to a coke can pick but it's way faster.

A water impulse breaching charge makes a bit of noise compared to an inertial lock opener, but it's effective against a wider variety of locks.
 
2012-08-07 10:52:05 AM
Gonz: erewhon: Makes a tiny bit of noise compared to a coke can pick but it's way faster.

A water impulse breaching charge makes a bit of noise compared to an inertial lock opener, but it's effective against a wider variety of locks.


So does a dust load but you can't do it sneaking in somewhere. Subtlety is all.
 
Displayed 50 of 72 comments