Password Security & Implications?

[smogsy]

Hi all,

I personally do not use any password managers & think that password managers are a a very bad idea. However i use my brain to create unique password combinations for every single site/service.

upon doing so i have found that sites that should have very high security infrastructure is lacking. For Example

Some Banks
Does not allow Symbols

Paypal
has max limit for 13 characters when creating a password
But using their login service Through a site to purchase an item allows 13+?
essentially locking people's accounts.

Many other services
Have Different A-Z 0-9 Limits.
Length Limits

I know this down to how they encrypt the data, Or NOT in some cases.

my questions are:
Should Banks be forced to support symbols? as they increase security ten fold

Should their be a global standard any Payment site should follow?
Eg
Character limit 25
Characters allowed All, Including Symbols
Must use SHA-256bit encryption

Just curious on your thoughts

 

[One]

https://xkcd.com/936/

 

[smogsy]

very true, but you cant use that on almost any site as length limit is so low. most site only allow 12-16

 

[One]

Just pick smaller words.

andthedogwas

 

[markonius]

Out of interest why do you think Password Managers are a very bad idea? Anyone with enough access to your system to see the password database when its open is probably already in a position to see what your typing anyway so you're still insecure even without the password manager.

But to answer your question, it does annoy me when sites have rules for secure passwords especially when the rules sometimes mean they ban a good password while allowing an insecure one. I generate a unique 40 character password for each site, made up of just lower and upper case letters. One site disallowed one of those passwords, but let me have "password0" because the requirement was that a password must have at least 1 number. I don't think any rules should be enforced with regards to what password you chose. Let people use whatever password they want but have notices about "We strongly advise that you pick a password with 2 symbols, 1 number" etc. Algorithms used for encryption are already standardized in industry I think, or they should be.

 

[FerretBoy]

I have 426 passwords in my manager. No chance I could remember 426 unique passwords. I would have to re-use passwords and that is a bigger security risk

 

[Ceryndrion]

If you want a funny example of how bad things like this can be.

The company that I work for, that provides domains and email and other rubbish, has one set of rules when creating a password for a new mailbox, but when changing the password, a lesser set of rules.

 

[antijoke]

Lastpass + two factor authentication and job done.

 

[Dynix]

Nothing wrong with password manages providing you (1) use a strong Master Password and (2) either use a local manager or a 'cloud' one who encrypt client side and only store the encrypted wallet on their servers (3) use two-factor auth for added protection (4) use some common sense.

396 websites in my wallet and there's no way I could remember the unique password for all of them given they all have a minimum length of 12 and almost all a mixture of symbols/letters/numbers.

 

[Scam]

In my opinion two factor authentication is much more important than a 'good' password. At the end of the day the most likely way that your account will be compromised is by a password database/store getting hacked or leaked. If that happens, two factor authentication will protect you.

I don't like the idea of a password manager, it feels like putting all your eggs in one basket.

 

[smogsy]

Out of interest why do you think Password Managers are a very bad idea? Anyone with enough access to your system to see the password database when its open is probably already in a position to see what your typing anyway so you're still insecure even without the password manager.

But to answer your question, it does annoy me when sites have rules for secure passwords especially when the rules sometimes mean they ban a good password while allowing an insecure one. I generate a unique 40 character password for each site, made up of just lower and upper case letters. One site disallowed one of those passwords, but let me have "password0" because the requirement was that a password must have at least 1 number. I don't think any rules should be enforced with regards to what password you chose. Let people use whatever password they want but have notices about "We strongly advise that you pick a password with 2 symbols, 1 number" etc. Algorithms used for encryption are already standardized in industry I think, or they should be.

because managing passwords with another piece of software seems pretty flawed to me. your securing a password with another password when you boil it down to the root.

yes you can have a master secure password,
One Extreme example

Hacking group takes over X password manager, updates it to listen to master password entry.

Next time you enter your master password, every password is affected.

yes this is an extreme example, but to me its very much like putting all your eggs in one basket to me.

lose the middleman & use your brain as your password manager? its not hard. I use Muscle Memory

i would like universal password rules though as an example

Password max of 30 Characters
Any Letter/Number/Symbol
Must have a Number
must use 2 factor authentication

 

[neil_g]

https://xkcd.com/936/

I recently got told that this method was no longer a good idea due to it being popular and having normal dictionary words

 

[paradigm]

I recently got told that this method was no longer a good idea due to it being popular and having normal dictionary words

That would only be true if whatever brute-force mechanism you were using to break the password was aware of how many words made up your string.

For all intents and purposes all a brute force attack would be able to do is attack it as a single 25 char password.

 

[Deleted member 77746]

Two factor authentication with a lock on the phone should be sufficient at present as long as someone doesn't know your phone password or finger print.

 

[One]

That would only be true if whatever brute-force mechanism you were using to break the password was aware of how many words made up your string.

For all intents and purposes all a brute force attack would be able to do is attack it as a single 25 char password.

Yeah, if we're talking brute force vs dicionary attack then 4 words would still be a stronger password than 10-16 character string.

Characters available is what 70ish, whereas there are thousands of words. 4^1000 > 16^70.

 

[Kreeeee]

.

 

[Antar Bolaeisk]

One of the things I'll generally do when registering on a new site is to test out the password reset process to see if they'll spit out a plain text password back at me.

It's scary the number of high profile sites that still do this.

 

[mrk]

Most services (banks, paypal and the like) support two factor authentication. This makes requiring symbols pointless, as even if you guess a random password, you still need to authenticate using 2-step.

 

[beh]

It does make my life very easy though if people keep believing that comic as it takes less than half a second for me to crack those types of passwords, regardless of how many words it was made up of.

If someone uses that exact xkcd password then it might take you half a second if you know they're a fan of that comic. Otherwise, a similar password with a decent hashing function that uses key stretching (PBKDF2/bcrypt) is going to take you a lot longer than that.

 

[Malevolence]

Just out of curiosity, how much longer would it take you if people simply capitalised each word, substituted the 'o' for '0', the 'i' for '1' in the phrase and added a -*- at the beginning and end?