On Tue, Jun 27, 2017 at 1:32 AM, Jim Medlen via 4D_Tech < 4d_tech@lists.4d.com> wrote:
> I concatenate 8 characters to build a "random"
> password which then has to meet a few simple rules.
> contains a number
> contains a lower case letter
> No Double characters
> Not 3 or more consecutive numbers
> The password must be unique.

Hi,

I'm not smart enough about this to rant, but as a user, I can half-rant ;-) If you want to skip my ramblings, here's the take-away:

Long, easy to remember passwords are stronger than short, impossible to remember passwords. Because science.

I mostly think about passwords as a user since I have to use a lot of passwords. I just checked my 1Password and see that I've got over 700 entries with passwords. Yeah, that's a lot. But is it? Probably, but I've got a good reason. (Nothing exciting, I need to manage a ton of accounts for family members, etc.) Anyway, even if you don't have that many, chances are you've got more passwords than you can remember and keep unique. Everyone does these days.

As a user, some pet peeves:

* Man, I hate those complicated formulas. It just reeks of "Users? Screw users. We hate them."

* Okay, you've got some complicated formula. So you'll put instructions up to tell me the rules? No? How about a little indicator that shows the parts of the rules that are matched/not matched by what I've typed? No? Oh I see, I just keep typing things in and trying them until I stop getting an error back. There should be a law....

* Okay, you've got a horrible formula and you made me figure it out by trial and error. Now I'm back...oh, I can't see what I'm typing. And what's up with hiding the password when I type? First it has to be gibberish, then you won't let me see my typing? It's got nothing to do with security over the network, it's just making the typing harder. The whole hiding the password thing kind of makes sense for anyone worried about shoulder-surfing. But I'm most often in a private/office setting, not in public. So why hide my typing from *me*? It's so user-hostile.

  Good ideas:
  -- Lots of sites now seem to use a Bootstrap style that briefly shows the password before obscuring it.
  -- Some sites have a little checkbox that lets you show/obscure the password. That seems like a decent compromise.

* Some (rarely now) sites won't let me copy-and-paste my password in. Inevitably, they also won't allow you to see what you're typing. Who is this making more "secure"? I hate them. So much.

Unpleasant sign-ins make me avoid logging into some apps and sites. That's how dramatically bad the user experience is - I end up feeling consciously unwilling to even enter the app.

Oh, and what's up with recovery questions? They're generally terrible. Like "favorite island" or "favorite movie", etc. I mean, if a hacker has your post code and year of birth, they should be able to guess favorite island and favorite movie for a pretty significant % of people in a few tries. I use nonsense answers or answers to different questions entirely...or a different question as the answer and then I write everything into my 1Password. The whole idea that people can memorize everything isn't working out.

We've all doubtlessly heard the standard rules for passwords:

* Change them every x days/weeks/months. (Why? I guess because you assume every site is getting its passwords stolen regularly. Or that you are.)

* Don't reuse passwords. (Great advice, but impossible to follow without a password manager. I'd be lost without 1Password.)

* Don't use stupid passwords like 12345678 or password. And yet people do. Like, a huge percentage of people.

* Don't use simple words from a dictionary. Why? Because if a hacker can get at the hash for the passwords, they've already got pre-built versions with the hashed forms of zillions of common words! Instead of you-need-a-quantum-computer-to-break-this difficulty, you get to this-is-totally-breakable territory instantly.

* Don't write down your passwords. (Again, 1Password or one of its competitors to the rescue.)

* Don't share passwords. (Why not? My wife and I each have our own 1Password and make sure that the other one knows the password to get into each other's 1Password. Helpful.)

It's pretty clear that the whole password thing is failing. So if you have to use passwords, it's okay to improve on standard practice. Standard practice isn't working.

After big hacks, I often read pieces that explain exactly what went wrong. And, now and then, listen to or read pieces by security researchers. Here are a couple of good strategies and ideas I've picked up that way:

* Don't memorize passwords, use a password manager.

* Visiting a site you don't expect to use again or use often, but it requires a password? Pick something random and don't record it. If you ever do need the password again, use their password recovery feature. (I find this suggestion somehow risqué and always feel a bit daring when I follow it. Clearly, I need to get out more.)

* The biggest one: The one feature that makes passwords harder to crack is how long they are. That's it. Longer = better. Making them harder to remember or type isn't making them magically harder to crack for a computer. Something like this is a super strong password:

  Mary had a little lamb her fleece was white as snow

  Easy to remember, easy to type and nearly impossible to crack.

I didn't find the reference I wanted for this, but the following page is often cited and is certainly...colorful:

https://www.grc.com/haystack.htm
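The comparison the reply makes, an 8-character password that satisfies the quoted rules versus the long passphrase, can be put in numbers. The Python below is an added example, not code from the post or from 4D: it implements the quoted rules (reading "No Double characters" as no doubled adjacent character is an assumption, and "must be unique" is a store lookup that is left out) and a haystack-style search-space estimate at an assumed offline rate of 10^12 guesses per second.

```python
import math
import re

# Added example, not code from the post or from 4D. The quoted rules as
# implemented here: a digit, a lowercase letter, no doubled adjacent character
# (one reading of "No Double characters"; assumption), no run of 3+ digits.
# "Must be unique" is a lookup against stored passwords and is left out.
def meets_rules(pw: str) -> bool:
    has_digit = any(c.isdigit() for c in pw)
    has_lower = any(c.islower() for c in pw)
    no_doubles = all(a != b for a, b in zip(pw, pw[1:]))
    no_digit_run = re.search(r"[0-9]{3}", pw) is None
    return has_digit and has_lower and no_doubles and no_digit_run

def alphabet_size(pw: str) -> int:
    """Size of the smallest printable-ASCII class set that covers pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # the other printable ASCII characters, space included
    return size

def search_space(pw: str) -> int:
    """Haystack-style count: every string over this alphabet up to len(pw),
    since an exhaustive guesser tries the shorter strings first."""
    a = alphabet_size(pw)
    return sum(a ** n for n in range(1, len(pw) + 1))

def entropy_bits(pw: str) -> float:
    return math.log2(search_space(pw))

def years_to_exhaust(pw: str, guesses_per_second: float = 1e12) -> float:
    """Worst case for the guesser at an assumed offline guessing rate."""
    return search_space(pw) / guesses_per_second / (365 * 24 * 3600)

if __name__ == "__main__":
    # Constructed samples: an 8-character password that passes the rules,
    # and the passphrase from the post, which fails them (no digit, "tt").
    for pw in ("k7Qm2xP9", "Mary had a little lamb her fleece was white as snow"):
        print(f"{pw!r}: rules={meets_rules(pw)} bits={entropy_bits(pw):.1f} "
              f"years@1e12/s={years_to_exhaust(pw):.3g}")
```

The passphrase fails the quoted rules yet has roughly 327 bits of search space against about 48 for the rule-compliant 8-character string, which is the reply's point about length.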