On Tue, Jun 27, 2017 at 1:32 AM, Jim Medlen via 4D_Tech <
4d_tech@lists.4d.com> wrote:

> I concatenate 8 characters to build a “random”
> password which then has to meet a few simple rules.

> contains a number
> contains a lower case letter
> No Double characters
> Not 3 or more consecutive numbers
> The password must be unique.

Hi, I'm not smart enough about this to rant, but as a user, I can half-rant
;-) If you want to skip my ramblings, here's the take-away:

    Long, easy to remember passwords are stronger than short, impossible to
remember passwords.
    Because science.

I mostly think about passwords as a user since I have to use a lot of
passwords. I just checked my 1Password and see that I've got over 700
entries with passwords. Yeah, that's a lot. But is it? Probably, but I've
got a good reason. (Nothing exciting, I need to manage a ton of accounts
for family members, etc.) Anyway, even if you don't have that many, chances
are you've got more passwords than you can remember and keep unique.
Everyone does these days. As a user, some pet peeves:

* Man, I hate those complicated formulas. It just reeks of "Users? Screw
users. We hate them."

* Okay, you've got some complicated formula. So you'll put instructions up
to tell me the rules? No? How about a little indicator that shows the parts
of the rules that are matched/not matched by what I've typed? No? Oh I see,
I just keep typing things in and trying them until I stop getting an error
back. There should be a law....

* Okay, you've got a horrible formula and you made me figure it out by
trial and error. Now I'm back...oh, I can't see what I'm typing. And what's
up with hiding the password when I type? First it has to be gibberish, then
you won't let me see my typing? It's got nothing to do with security over
the network, it's just making the typing harder. The whole hiding the
password thing kind of makes sense for anyone worried about
shoulder-surfing. But I'm most often in a private/office setting, not in
public. So why hide my typing from *me*? It's so user-hostile. Good ideas:

-- Lots of sites now seem to use a Bootstrap style that briefly shows the
password before obscuring it.
-- Some sites have a little checkbox that lets you show/obscure the
password. That seems like a decent compromise.

* Some (rarely now) sites won't let me copy-and-paste my password in.
Inevitably, they also won't allow you to see what you're typing. Who is
this making more "secure"? I hate them. So much.

Unpleasant sign-ins make me avoid logging into some apps and sites. That's
how dramatically bad the user experience is - I end up feeling consciously
unwilling to even enter the app.

Oh, and what's up with recovery questions? They're generally terrible. Like
"favorite island" or "favorite movie", etc. I mean, if a hacker has your
post code and year of birth, they should be able to guess favorite island
and favorite movie for a pretty significant % of people in a few tries. I
use nonsense answers or answers to different questions entirely...or a
different question as the answer and then I write everything into my
1Password. The whole idea that people can memorize everything isn't working
out.

We've all doubtlessly heard the standard rules for passwords:
* Change them every x days/weeks/months. (Why? I guess because you assume
every site is getting its passwords stolen regularly. Or that you are.)

* Don't reuse passwords. (Great advice, but impossible to follow without a
password manager. I'd be lost without 1Password.)

* Don't use stupid passwords like 12345678 or password. And yet people do.
Like, a huge percentage of people.

* Don't use simple words from a dictionary. Why? Because if a hacker can
get at the hash for the passwords, they've already got pre-built versions
with the hashed forms of zillions of common words! Instead of
you-need-a-quantum-computer-to-break-this difficulty, you get to
this-is-totally-breakable territory instantly.

* Don't write down your passwords. (Again, 1Password or one of its
competitors to the rescue.)

* Don't share passwords. (Why not? My wife and I each have our own
1Password and make sure that the other one knows the password to get into
each other's 1Password. Helpful.)

It's pretty clear that the whole password thing is failing. So if you have
to use passwords, it's okay to improve on standard practice. Standard
practice isn't working. After big hacks, I often read pieces that explain
exactly what went wrong. And, now and then, listen to or read pieces by
security researchers. Here are a couple of good strategies and ideas I've
picked up that way:

* Don't memorize passwords, use a password manager.

* Visiting a site you don't expect to use again or use often, but it
requires a password? Pick something random and don't record it. If you ever
do need the password again, use their password recovery feature. (I find
this suggestion somehow risqué and always feel a bit daring when I follow
it. Clearly, I need to get out more.)

* The biggest one: The one feature that makes passwords harder to crack is
how long they are. That's it. Longer = better. Making them harder to
remember or type isn't making them magically harder to crack for a
computer. Something like this is a super strong password:

     Mary had a little lamb her fleece was white as snow

Easy to remember, easy to type and nearly impossible to crack. I didn't
find the reference I wanted for this, but the following page is often cited
and is certainly...colorful:

https://www.grc.com/haystack.htm
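Added example, not code from this thread or from 4D: a Python sketch of the rule set Jim quoted at the top (digit, lower-case letter, no doubled characters, no digit runs, uniqueness), a generator that retries until a candidate passes, and the "haystack" search-space arithmetic behind the reply's point that length matters more than complexity. Reading "not 3 or more consecutive numbers" as "no run of three or more digits", the character classes used for the alphabet size, and the guess rate of 10^12 per second are all assumptions.

```python
import math
import re
import secrets
import string

# Alphabet assumed for the 8-character generator (not stated in the thread).
ALPHABET = string.ascii_letters + string.digits

# Character classes used to estimate the attacker's alphabet (assumption).
CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation + " ",
]


def check_rules(password: str, issued: set[str]) -> list[str]:
    """Return the names of the quoted rules that `password` fails.

    An empty list means the password passes every rule. `issued` is the set
    of passwords already handed out, used for the uniqueness rule.
    """
    failures = []
    if not any(c.isdigit() for c in password):
        failures.append("contains a number")
    if not any(c.islower() for c in password):
        failures.append("contains a lower case letter")
    # Adjacent identical characters ("aa", "11") count as doubles.
    if any(a == b for a, b in zip(password, password[1:])):
        failures.append("no double characters")
    # Assumed reading of the rule: no run of three or more digits in a row.
    if re.search(r"\d{3,}", password):
        failures.append("not 3 or more consecutive numbers")
    if password in issued:
        failures.append("password must be unique")
    return failures


def generate_password(issued: set[str], length: int = 8, attempts: int = 1000) -> str:
    """Draw random candidates (CSPRNG) until one satisfies check_rules."""
    for _ in range(attempts):
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not check_rules(candidate, issued):
            return candidate
    raise RuntimeError("no candidate satisfied the rules")


def search_space_bits(password: str) -> float:
    """Brute-force search space in bits, haystack-style.

    The attacker is assumed to try every string over the union of the
    character classes present in the password, up to its length, so the
    size is alphabet**length and the bit count is length * log2(alphabet).
    """
    alphabet = sum(len(cls) for cls in CLASSES if any(c in cls for c in password))
    return len(password) * math.log2(alphabet)


def crack_years(password: str, guesses_per_second: float = 1e12) -> float:
    """Years to exhaust the search space at the assumed guess rate."""
    seconds = 2 ** search_space_bits(password) / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    issued = {"Ab12Cd3e"}  # constructed: a previously issued password
    for pw in ["aa123bcd", "Ab12Cd3e", "ABCDEFGH"]:
        print(pw, "->", check_rules(pw, issued) or "ok")
    fresh = generate_password(issued)
    print("generated:", fresh, check_rules(fresh, issued) or "ok")
    for pw in [fresh, "Mary had a little lamb her fleece was white as snow"]:
        print(f"{pw!r}: {search_space_bits(pw):.1f} bits, "
              f"{crack_years(pw):.3g} years at 1e12 guesses/s")
```

The eight-character alphanumeric password lands near 48 bits, which at the assumed rate is minutes of work; the 51-character phrase lands above 320 bits, which is why the reply's "longer = better" holds for exhaustive search. The numbers measure only exhaustive search over the character set, which is what the haystack page models.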
**********************************************************************
4D Internet Users Group (4D iNUG)
FAQ:  http://lists.4d.com/faqnug.html
Archive:  http://lists.4d.com/archives.html
Options: http://lists.4d.com/mailman/options/4d_tech
Unsub:  mailto:4d_tech-unsubscr...@lists.4d.com
**********************************************************************