
(Time)   Google reveals the ten worst ******** ideas. Wait, why is ******** showing up like that? I tried to type ******** and it keeps doing it. Guys, seriously, can you see it when I type ********? This is really freaking me out   (techland.time.com) divider line 141
    More: PSA, Google, security question, Google Apps  

22648 clicks; posted to Main on 11 Aug 2013 at 10:30 AM



141 Comments
 
2013-08-11 09:12:22 AM
Mine's GUEST but the twist is it's in all caps so no one could ever guess it.
 
2013-08-11 09:16:48 AM
imgs.xkcd.com
 
2013-08-11 09:24:50 AM
So if I type Fark is the home of a slack-jawed yokel then I can see it but you all can't? That's neat how it knows to blank out only Fark is the home of a slack-jawed yokel.

Does Fark is the home of a slack-jawed yokel show up as a bunch of stars for you guys? I'm glad my password isn't out there like a billboard by an overpass of the information megahighway.
 
2013-08-11 09:27:09 AM
Two guys walk into a forest with guns looking to bag some deer, one was named hunter1 and the other was *******
 
2013-08-11 09:52:05 AM
And yet, there are still sites that don't allow spaces or special characters in passwords.

I'm looking at you, AT&T.
 
2013-08-11 10:08:16 AM
Phew!

"administrator" is still safe!
 
2013-08-11 10:31:30 AM

cmunic8r99: And yet, there are still sites that don't allow spaces or special characters in passwords.

I'm looking at you, AT&T.


Hell, there are sites that only allow 8 characters
 
2013-08-11 10:33:50 AM
********?  That's the combination for my luggage!
 
2013-08-11 10:37:14 AM
Know what's awesome? When a site disables copy/paste on the password and repeat password fields, so you have to type it. Which isn't a big deal, until you see they've masked the password, so you can't tell what you're typing. Nothing like re-typing a KeePass random generated password over and over and over and over until the goddamn thing accepts it.
 
2013-08-11 10:37:37 AM

Mister Peejay: ********?  That's the combination for my luggage!


I found the alarm code at a highly secure facility set to that.    That's Amazing!
 
2013-08-11 10:38:49 AM

SurfaceTension: [imgs.xkcd.com image 740x601]


I wonder how many people actually use correcthorsebatterystaple as their password someplace?

You know they're out there.
 
2013-08-11 10:39:45 AM
humungousboobedmidgetporn?

/oh, shiat
 
2013-08-11 10:41:15 AM
I like the idea to lie about your security answers. So, when you eventually get on the phone with a rep to reset your password and she asks you what your mother's maiden name is, you can guess a couple of times. That won't seem suspicious at all.

/"Johnson, but with a zero instead of an o?"
 
2013-08-11 10:41:20 AM
My password is MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento - they told me it had to be 8 characters with one capital.
 
2013-08-11 10:42:01 AM
That list is hardly relevant.
In order to compromise your account, a person would have to know that personal information. This is extremely unlikely to be known by a stranger.
How would a stranger or hacker or criminal find this stuff out?
It's all pretty arbitrary.

Pet names
A notable date, such as a wedding anniversary
A family member's birthday
Your child's name
Another family member's name
Your birthplace
A favorite holiday
Something related to your favorite sports team
The name of a significant other
 
2013-08-11 10:42:57 AM

SurfaceTension: [imgs.xkcd.com image 740x601]


I've always thought that xkcd thing a bit suspect.  So, my password is one of:

battery correct horse staple
battery correct staple horse
battery horse correct staple
battery horse staple correct
battery staple correct horse
battery staple horse correct
correct battery horse staple
correct battery staple horse
correct horse battery staple
correct horse staple battery
correct staple battery horse
correct staple horse battery
horse battery correct staple
horse battery staple correct
horse correct battery staple
horse correct staple battery
horse staple battery correct
horse staple correct battery
staple battery correct horse
staple battery horse correct
staple correct battery horse
staple correct horse battery
staple horse battery correct
staple horse correct battery

 How helpful.
 
2013-08-11 10:44:19 AM
Why does no one ever mention the 'secret question' BS?

You can put all the work you want into your password, but the gaping security hole that is the secret question is always easy to crack because the answer is either a place or name that is in common usage. The question will even help you narrow your search.

/Or so I've been told.
 
2013-08-11 10:46:15 AM
I always use someone else's Fark handle for a password. To make it more secure, it's the handle of someone on everyone's ignore list.
 
2013-08-11 10:47:05 AM
1...2...3...4...5..

www.nordinho.net
 
2013-08-11 10:47:06 AM
Your nine digit zip code . . . backwards . . . throw in a couple of letters, maybe your initials.
 
2013-08-11 10:47:35 AM
Fark does the same thing... if you type your password in the comment box, it blanks it out... see:
********
 
2013-08-11 10:48:01 AM

HotIgneous Intruder: That list is hardly relevant.
In order to compromise your account, a person would have to know that personal information. This is extremely unlikely to be known by a stranger.
How would a stranger or hacker or criminal find this stuff out?
It's all pretty arbitrary.

Pet names
A notable date, such as a wedding anniversary
A family member's birthday
Your child's name
Another family member's name
Your birthplace
A favorite holiday
Something related to your favorite sports team
The name of a significant other


Just at random? They wouldn't.

It makes it much easier to get a password if they're specifically targeted with social engineering schemes.
 
2013-08-11 10:49:39 AM

J. Frank Parnell: Why does no one ever mention the 'secret question' BS?

You can put all the work you want into your password, but the gaping security hole that is the secret question is always easy to crack because the answer is either a place or name that is in common usage. The question will even help you narrow your search.

/Or so I've been told.


Well, these answers are supposed to be stored on a different server, so that if they are compromised, there is no easy way to track them back to the associated user account without gaining access to multiple databases. It's the same thing with the "verification image" a lot of places add to login pages; they aren't supposed to be on the same servers.
 
2013-08-11 10:49:54 AM

HotIgneous Intruder: That list is hardly relevant.
In order to compromise your account, a person would have to know that personal information. This is extremely unlikely to be known by a stranger.
How would a stranger or hacker or criminal find this stuff out?
It's all pretty arbitrary.

Pet names
A notable date, such as a wedding anniversary
A family member's birthday
Your child's name
Another family member's name
Your birthplace
A favorite holiday
Something related to your favorite sports team
The name of a significant other


This assumes that a cracker is specifically going for you. Most are simply looking to grab as many accounts as they can, and statistically, this list is as good as it gets for that strategy.

Even if someone is going after you specifically, they're still likely to try this list first, or at least a small part of it (say, the first 10). It will still pass fairly often, and it takes less work, which is good for two reasons: work involves a risk of drawing unwanted attention, and frankly, more work is more work.
 
2013-08-11 10:50:37 AM
True story.

Years back, I used to use a certain local dialup BBS.  My password for a while was hitting 789456123 on the number pad - with numlock off.  Worked just fine.

Now, I forget the exact sequence of events, but IIRC we put in a new modem, which wasn't compatible with the old comm software, so we installed Telix (which freakin' rocked at the time), and that's when I learned that the old comm software was stripping some of the control characters out but Telix would happily transmit them. Couldn't log in anymore.

*sigh*

Park hard drive, shut down, undo cables, lift monitor off of case and set on the floor, disassemble case, pull 2400 baud modem out, reinstall 1200 baud modem, put all back together, log in, change password, log out, park hard drive, shut down, undo cables, lift monitor off of case...

/who else remembers having to park hard drives?
 
2013-08-11 10:51:00 AM

SurfaceTension: [imgs.xkcd.com image 740x601]


I like XKCD and all, but the problem with that is Randall assumes a brute force attack.  Dictionary attacks are more common these days, and that'd suss out "correcthorsebatterystaple" very quickly.
 
2013-08-11 10:53:22 AM
I have no gate key
 
2013-08-11 10:53:43 AM
My passwords are always based on a recurring daydream I have...
 
2013-08-11 10:53:53 AM
oh look. It's this article again.
 
2013-08-11 10:54:02 AM

YodaBlues: Well, these answers are supposed to be stored on a different server, so that if they are compromised, there is no easy way to track them back to the associated user account without gaining access to multiple databases. It's the same thing with the "verification image" a lot of places add to login pages; they aren't supposed to be on the same servers.


What I'm saying is your options for 'secret questions' are things like what school you went to, or what your mother's maiden name was. And it's no problem at all for some program to brute force that by trying every school in your country or even every last name until it finds the right one.
 
2013-08-11 10:55:03 AM
**** ****** ** *********** ***************** ** * ******* *************

/***** * *******
//**** *** **** ** ********
 
2013-08-11 10:55:04 AM

YodaBlues: Know what's awesome? When a site disables copy/paste on the password and repeat password fields, so you have to type it.


That's so you don't paste the same incorrect password twice, setting your password to something that isn't what you think it is. The root cause of this is password masking, which is almost completely useless (since if anyone can see your screen they can see your hands). Trying to talk about sane security practices with security "professionals" is a great way to lose your hair. They're obsessed with preventing brute-force password attacks by making users suffer.

Examples:

locking out the account after three unsuccessful attempts: why not 20? what's the difference between 3 and 20 in the context of a brute force attack which has to guess 1000s of times?
forcing password changes every month: if an attacker has your password for a month, that is plenty of time to do whatever he or she needs to do, and if they figured out how to get your last password, they will get this new one too
password complexity rules: a capital letter, a number and a punctuation character? see xkcd comic, does not help. Better to make it a minimum of 20 characters, but doesn't "rt)_=hUZ!$" look more secure than "sneakerbabysharksalesman"?

All of these attempts to make passwords more complex just force users to share passwords with multiple systems, come up with strategies to subvert the complexity requirements, or write them down on sticky notes and stick them under their keyboards.
 
2013-08-11 10:55:13 AM
Use a foreign word mixed with numbers.
 
2013-08-11 10:56:52 AM

The_Original_Roxtar: Fark does the same thing... if you type your password in the comment box, it blanks it out... see:
********


**********

Hey, you're right! I wonder if it does the same thing with Social Security numbers.

***-**-****

Yep.
 
2013-08-11 10:56:52 AM

HeartBurnKid: SurfaceTension: [imgs.xkcd.com image 740x601]

I like XKCD and all, but the problem with that is Randall assumes a brute force attack.  Dictionary attacks are more common these days, and that'd suss out "correcthorsebatterystaple" very quickly.


I'm not so sure.  That's four words, so it would have to exhaust the dictionary, then exhaust the dictionary ^2, then exhaust the dictionary ^3, then work through the dictionary ^4.

Easier, but still unlikely.

/and it assumes that the words you use are IN the dictionary
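The "dictionary, then dictionary^2, then dictionary^3, then dictionary^4" argument above, and the earlier question of whether "rt)_=hUZ!$" is really stronger than "sneakerbabysharksalesman", are both keyspace estimates. The following is an added example (not from the thread, Fark, or xkcd) that computes those keyspaces for a password-policy reviewer: a brute-force attacker who knows the length and character classes, versus a dictionary attacker who knows the password is k words drawn from a word list. The word-list size of 2048 is an assumption matching the comic's ~11 bits per word; the 1000 guesses/second rate is a constructed figure for an online attack and nothing more.

```python
import math
import string

# Assumed: size of the common-word list an attacker would use (the xkcd comic
# models ~11 bits per word, i.e. about 2048 candidates per word slot).
WORDLIST_SIZE = 2048

# Constructed illustrative guess rate for an online, rate-limited attack.
ONLINE_GUESSES_PER_SECOND = 1000

CHAR_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)


def charset_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must cover if they know
    which character classes the password uses (lower/upper/digit/punct)."""
    for ch in password:
        if not any(ch in cls for cls in CHAR_CLASSES):
            raise ValueError(f"unsupported character {ch!r}")
    return sum(len(cls) for cls in CHAR_CLASSES if any(ch in cls for ch in password))


def bruteforce_keyspace(password: str) -> int:
    """Candidates for a brute-force attacker who knows length and classes."""
    return charset_size(password) ** len(password)


def passphrase_keyspace(words: int, wordlist_size: int = WORDLIST_SIZE) -> int:
    """Candidates for a dictionary attacker who tries every 1-word phrase,
    then every 2-word phrase, ... up to every `words`-word phrase.  This is
    the 'dictionary, then dictionary^2, ...' sum from the thread."""
    return sum(wordlist_size ** k for k in range(1, words + 1))


def bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy (log2)."""
    return math.log2(keyspace)


def expected_years(keyspace: int, guesses_per_second: int = ONLINE_GUESSES_PER_SECOND) -> float:
    """Expected time to find the secret: on average half the keyspace is searched."""
    seconds = (keyspace / 2) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def compare(password: str, words: int) -> dict:
    """Side-by-side view of the two attacker models for one candidate password.
    `words` is how many dictionary words the password is built from (0 if it is
    not a word-based passphrase, in which case only the brute-force view applies)."""
    brute = bruteforce_keyspace(password)
    result = {
        "password": password,
        "bruteforce_bits": round(bits(brute), 1),
        "bruteforce_years": expected_years(brute),
    }
    if words:
        dictionary = passphrase_keyspace(words)
        result["dictionary_bits"] = round(bits(dictionary), 1)
        result["dictionary_years"] = expected_years(dictionary)
        # The weaker of the two models is the one a defender must plan for.
        result["effective_bits"] = min(result["bruteforce_bits"], result["dictionary_bits"])
    else:
        result["effective_bits"] = result["bruteforce_bits"]
    return result


if __name__ == "__main__":
    # The two passwords compared in the thread, plus the comic's passphrase.
    for pw, n_words in (("rt)_=hUZ!$", 0),
                        ("sneakerbabysharksalesman", 4),
                        ("correcthorsebatterystaple", 4)):
        print(compare(pw, n_words))
```

The point the numbers make is the one the thread circles: a 24-letter lowercase string looks like 2^112 to a brute-force attacker, but if it is four common words it is only about 2^44 to a dictionary attacker, which is still well beyond the reach of an online guessing attack at 1000 guesses per second, and still comfortably more than the 2^64 of the ten-character "rt)_=hUZ!$" is not. A policy that counts character classes instead of estimating the weakest realistic attacker's keyspace will rate these backwards.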
 
2013-08-11 10:58:19 AM

cmunic8r99: And yet, there are still sites that don't allow spaces or special characters in passwords.

I'm looking at you, AT&T.




Yes, sites that limit the characters you can use, or the amount of characters, are annoying. My formula is: two rhyming nonsensical words followed by the name of the website. Essentially something like HorseySchmorseyNetflix for Netflix. So it's long, includes capital letters, is easy to remember, and unique to each login.

But then you get places like American Airlines who recently made a change to REDUCE their password length to a limit of 12 characters or something, and my rage bursts. What is a company gaining by reducing their password size?

//1st world problems, I know
 
2013-08-11 10:58:22 AM

skinink: Use a foreign word mixed with numbers.


So "Kennwort1" is good? Cause no hackers speak German?
 
2013-08-11 11:00:06 AM

CluelessMoron: SurfaceTension: [imgs.xkcd.com image 740x601]

I've always thought that xkcd thing a bit suspect.  So, my password is one of:

battery correct horse staple
battery correct staple horse
battery horse correct staple
battery horse staple correct
battery staple correct horse
battery staple horse correct
correct battery horse staple
correct battery staple horse
correct horse battery staple
correct horse staple battery
correct staple battery horse
correct staple horse battery
horse battery correct staple
horse battery staple correct
horse correct battery staple
horse correct staple battery
horse staple battery correct
horse staple correct battery
staple battery correct horse
staple battery horse correct
staple correct battery horse
staple correct horse battery
staple horse battery correct
staple horse correct battery

 How helpful.


You could immediately remove any combination that doesn't use the phrase "battery staple", since the device used to commit it to memory joins those two words in that order ("that's a battery-staple").  Reducing the possibilities to:

correct horse battery staple
horse correct battery staple
battery staple correct horse
battery staple horse correct
correct battery staple horse
horse battery staple correct

Six possibilities.  Not bad.

Rules for passwords on accounts I use for work are a headache. X character minimum, must contain a capital letter, a number, and a symbol, cannot spell any English word forward or backward, cannot use the same character more than twice in a row, cannot be any password that you have used in the past year, etc. And they are forced to change about once every three months. And since I have accounts on multiple systems, I have multiple passwords. And they roll over and change at different times of the year. There's no way to keep track of the currently used, meaningless string of letters, numbers, and symbols without writing them down, which makes the system about 1% as secure as the one described in the comic.
 
2013-08-11 11:03:23 AM

J. Frank Parnell: YodaBlues: Well, these answers are supposed to be stored on a different server, so that if they are compromised, there is no easy way to track them back to the associated user account without gaining access to multiple databases. It's the same thing with the "verification image" a lot of places add to login pages; they aren't supposed to be on the same servers.

What I'm saying is your options for 'secret questions' are things like what school you went to, or what your mother's maiden name was. And it's no problem at all for some program to brute force that by trying every school in your country or even every last name until it finds the right one.


You do know you can make up the answers, right?

eg:  what high school did you go to?  Zoolander's School for Ants
 
2013-08-11 11:03:29 AM

skinink: Use a foreign word mixed with numbers.




That's my strategy
 
2013-08-11 11:05:13 AM
Song lyrics are great, especially if you throw in a special character.

362436?OnlyIfShes53!
 
2013-08-11 11:05:38 AM

YodaBlues: Well, these answers are supposed to be stored on a different server, so that if they are compromised, there is no easy way to track them back to the associated user account without gaining access to multiple databases.


I have never heard that in my life. People aren't going to brute-force your password, they are going to hack into the server and get everybody's password. No one cares about your account at bangbus.com, and if they did they would get your password through social engineering. You're more likely to have an attacker steal your actual physical computer (with "keep me logged in" giving them access to everything) than brute-force one site's password for a single user.

Storing the info on multiple databases or multiple servers is added expense with no benefit, the attacker has the app's config file with connection details for both. They are in your base, killing your dudes, not scratching their heads typing shiat into a web browser.

I wonder when the last time a password for a web site was brute-forced. In 20 years of systems work, I have never seen it. I've seen plenty of rooted servers, though. But, of course, root passwords have no complexity requirements, because IT admins don't need anyone telling them what to do.
 
2013-08-11 11:08:24 AM
Just use the first letter of each word to a favorite verse in a song or poem or book or whatever
Take the Fish Song:
Ai123wawff?DamIdgadTnsiV

And it's 1-2-3 what are we fighting for?  Don't ask me I don't give a damn.  The next stop is Vietnam.
 
2013-08-11 11:08:25 AM
 
2013-08-11 11:10:21 AM
Anagrams, mothafarka.
 
2013-08-11 11:10:51 AM

Tyrone Slothrop: The_Original_Roxtar: Fark does the same thing... if you type your password in the comment box, it blanks it out... see:
********

**********

Hey, you're right! I wonder if it does the same thing with Social Security numbers.

***-**-****

Yep.


It also does it with any credit card numbers...

**** **** **** ****  ex **/**   (***)
 
2013-08-11 11:12:53 AM
hunter2

... Why is my password showing up?

/hunter2 my hunter2ing while you hunter2 my hunter2.
 
2013-08-11 11:13:34 AM
HotIgneous Intruder
That list is hardly relevant.
In order to compromise your account, a person would have to know that personal information. This is extremely unlikely to be known by a stranger.
How would a stranger or hacker or criminal find this stuff out?


Besides the already mentioned "it makes untargeted dictionary attacks more likely to succeed", for a targeted attack:
Facebook, Youtube, Twitter, Instagram, Google, ..

mccallcl
I like the idea to lie about your security answers. So, when you eventually get on the phone with a rep to reset your password and she asks you what your mother's maiden name is, you can guess a couple of times. That won't seem suspicious at all.


I always lie on those insecurity questions.
Problem is that I haven't standardized on what I use, so the one time I had to phone someone to reset a PIN I entered wrongly 3 times, I couldn't answer it besides "either some random gibberish or something derogatory about those kind of questions".
I think they then asked me about my birth date and reset the PIN's "fail" counter; I often lie about the birthdate, too, but in this case I must have used the real one.

It probably wouldn't have been so easy if it was about giving full access to an account instead of just getting three more tries to enter the number.

Then again, I know for a fact that those dolts store your passwords in plain text:
It's really great to SSL-encrypt the account registration form and then send you an unencrypted registration confirmation email containing your password in plain text.
The company was DHL, by the way.
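A confirmation e-mail that echoes the password back is only possible if the site still has the password in recoverable form at that point. The defender-side pattern that rules this out is to store only a salted, slow hash, so the server can verify a login attempt but can never reproduce the password for an e-mail, a support rep, or an attacker holding a copy of the database. The following is an added example, not code from the thread or from any company mentioned in it; it uses the standard library's PBKDF2 so it runs anywhere, and the iteration count is an assumed value for illustration (production deployments should tune it upward for their hardware).

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed iteration count for the example; tune upward in production so one
# hash costs tens of milliseconds on the server hardware.
ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, *, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing verifier string: algorithm$iterations$salt$digest.
    A fresh random 16-byte salt is drawn unless one is supplied (tests only)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join((
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time.  Malformed or foreign verifier strings simply fail."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                        salt, int(iterations))
    except (ValueError, TypeError):
        return False
    return hmac.compare_digest(candidate, expected)


def registration_email_body(username: str) -> str:
    """What a confirmation e-mail can say once only the verifier is stored:
    the password is simply not available to include."""
    return f"Hello {username}, your account has been created. Sign in with the password you chose."


if __name__ == "__main__":
    # Constructed sample registration.
    verifier = hash_password("correcthorsebatterystaple")
    print(verifier)                                       # what the database holds
    print(verify_password("correcthorsebatterystaple", verifier))  # True
    print(verify_password("hunter2", verifier))                    # False
    print(registration_email_body("example_user"))
```

Two details matter for the failure mode in the post: the random per-user salt means two users with the same password get different verifiers, so a leaked table cannot be attacked with a single precomputed list, and `hmac.compare_digest` avoids leaking how many leading bytes of the digest matched through response timing.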
 
2013-08-11 11:13:39 AM
I will take a song lyric, phrase from a movie, or a title and use it for a password, substituting numbers and characters. Looks like nonsense unless you know what it represents
Talw$atg1g
There's a lady who's sure all that glitters is gold
 
2013-08-11 11:13:54 AM
Buddy of mine rolls 2 sets of D&D dice.
Writes it down on a Post-it, and keeps the Post-it in the drawer.
Doesn't save it in the computer memory.
Worked for him for 35 years.
Same password, never compromised.
 
Displayed 50 of 141 comments
