Online password requirements have gotten ridiculous

[Borg]

I can believe this is true of average people on the internet, but in the works of fiction I mention people are trying to break into the computers of people like company CEO's, terrorists, master criminals, and police detectives. The trick always turns out to be to figure out what is the most important thing in that person's life and their password always ends up being related to that.

I just got back from a weekend trip to my home state where I helped a very non-technical friend with setting up his Facebook account on a tablet. Someone else had helped him change his password a while back to just the names of his two sons. Even better, he kept his passwords (including that one) written on the back of the tablet in felt marker!

I use imaginary words with the extra mandatory odd unmatching capital letter, number, special character, do imaginary words make it more difficult? The imaginary words are familiar to me, but unknown to others, so easy for me to remember. Do they more commonly look for words or just an assortment of letters and characters?

My strongest one looks like something you would see on a license plate. It's next to impossible to figure out unless you already know what the phrase is.

 

[jhae2.718]

Honestly, passwords are horrible and shouldn't be used. Not sure what the best alternative is though...good luck getting people to use PKI properly.

 

[Greg Bernhardt]

Honestly, passwords are horrible and shouldn't be used. Not sure what the best alternative is though...good luck getting people to use PKI properly.

Two factor login is better. Then you don't need a complicated password.

 

[WWGD]

Why can't one use something like fingerprints instead of passwords?

 

[epenguin]

Pws have been a nightmare for me. First I believed what I was told, never wrote them down, thought of clever word associations that linked a word to this bank, that other thing, write a clever hint in a list. Result: I was so secure I was locked out of my bank accounts etc. sometimes repeatedly, and sometimes for long times because the banks in the .UK take 2 or 3 weeks to send you a letter and I am away for long times, sometimes they have passed their use-by date by the time I see them. Etc. Etc.

The hints were often not good enough because even when I remembered the word it was impossible to remember upper/lower case assignments etc, etc. And anyway passwords were only half of it - when you remembered the password you'd forgotten the username!

I did a few things.

First now in UK, I imagine everywhere, every damned thing you do, buy a cinema ticket online, send flowers, buy a rail ticket, write a letter to a newspaper,... you have to have a password.

Eventually I decided I wouldn't worry about anyone impersonating me for thse purposes and I just use the same one which used to be strong for all these purposes. Then I have another one like that for all 'clever' sites like PF.

For a very few sensitive sites I use a 6-word + special characters generated randomly by a program called Dice or something similar. Completely nonsensical yet memorable.

I learned various tricks, e.g. it is not a good idea to type directly into boxes where you can't see what you typed because capitals etc. may not be what you think... I always type in Word then copy and paste, does anyone do different?

I read that things like Tr0ub4dor&3 are losing their effectiveness as hackers are fully aware of them.

But now I am surprised no one has mentioned PASSWORD MANAGERS. I have nearly all my passwords in one of these now, and it has the added convenience you call up the bank etc. sites from within it. I think mine is among those reccommended by CNET. It's putting a lot of trust in the integrity in more than one sense of some organisation one knows little of, not a good principle in principle. And I ought to have more than one of them. Must get that seen to.

 

[collinsmark]

Why can't one use something like fingerprints instead of passwords?

Biometric authentication has its place, and there is lots of research going into the technology. And maybe in some, limited applications it makes sense.

But the disadvantages for using biometrics such as fingerprints as the sole form of authentication for a large population are twofold (maybe more):

1. Biometric authentication, let's say fingerprints, doesn't bode well for individuals who do not have fingers.
2. When technology is hacked (use your imagination -- lifting prints off a doorknob and making a fake finger, etc. Or easier still, just stealing the metrics out of another system's database), the security failure is not easy to rectify. it's not like the legitimate user can just go out and get new fingerprints.

 

[WWGD]

Biometric authentication has its place, and there is lots of research going into the technology. And maybe in some, limited applications it makes sense.

But the disadvantages for using biometrics such as fingerprints as the sole form of authentication for a large population are twofold (maybe more):

1. Biometric authentication, let's say fingerprints, doesn't bode well for individuals who do not have fingers.
2. When technology is hacked (use your imagination -- lifting prints off a doorknob and making a fake finger, etc. Or easier still, just stealing the metrics out of another system's database), the security failure is not easy to rectify. it's not like the legitimate user can just go out and get new fingerprints.

How about requiring more than one trait, say fingerprints and some form of eye identification, together with, say, a birthdate password --easy for the legit users, harder for hackers? Besides, are there that many people without fingers out there?

 

[collinsmark]

How about requiring more than one trait, say fingerprints and some form of eye identification, together with, say, a birthdate password --easy for the legit users, harder for hackers? Besides, are there that many people without fingers out there?

I know many individuals who have lost an arm or an eye somewhere along the line. Perhaps I don't have a personal acquaintance who has lost both hands, but I know that it happens. And they need bank accounts to Facebook access to PF access just like anybody else.

More to the point though, what if somebody hacks your identity. Changing the simple, birthday password might not get you very far since that's easy to re-hack.

Or worse. Heaven's forbid, what if somewhere along the line you lose a finger and need to change your identification strategy? How do you prove that you're you? (How do you mimic the "Enter old password: " functionality?)

You could have other biometrics on file, in case the need arises to swap fingers or eyes or some-such, but then those too could be stolen/hacked from the database they are stored in. [Edit: or by whatever method was used to steal the biometric the first time around; i.e., the doorknob might have more than one of your fingerprints on it.]

There's no security problem with any of this as long as there's an option to use a strong password (no simple, birthday passwords) instead of a biometric. But since it would then be possible gain access by using a single password, that brings us back to square 1.

 

[WWGD]

I know many individuals who have lost an arm or an eye somewhere along the line. Perhaps I don't have a personal acquaintance who has lost both hands, but I know that it happens. And they need bank accounts to Facebook access to PF access just like anybody else.

More to the point though, what if somebody hacks your identity. Changing the simple, birthday password might not get you very far since that's easy to re-hack.

Or worse. Heaven's forbid, what if somewhere along the line you lose a finger and need to change your identification strategy? How do you prove that you're you? (How do you mimic the "Enter old password: " functionality?)

You could have other biometrics on file, in case the need arises to swap fingers or eyes or some-such, but then those too could be stolen/hacked from the database they are stored in. [Edit: or by whatever method was used to steal the biometric the first time around; i.e., the doorknob might have more than one of your fingerprints on it.]

There's no security problem with any of this as long as there's an option to use a strong password (no simple, birthday passwords) instead of a biometric. But since it would then be possible gain access by using a single password, that brings us back to square 1.

But, what are the odds someone will steal both and will have the technology to do something about it; isn't this technology harder to come about?

Or one can ultimately have a triple of birthdates, together with names, say dad's first name, mom's first name , dad's birthdate , mom's birthdate. Easy to remember, hard to hack; around 18600 choices for each birthday, and you can write them down , or call, or e-mail them if you forget, or just write it down somewhere , of course not stating in the sheet that it is part of the password.

 

[collinsmark]

But, what are the odds someone will steal both and will have the technology to do something about it; isn't this technology harder to come about?

Yes, the biometric authentication systems are getting better. But, so are other technologies like 3d printing.

http://spectrum.ieee.org/tech-talk/biomedical/imaging/print-3-d-fingerprints-for-better-biometrics

Don't get me wrong. Biometrics have their place. But for reasons already discussed, I don't think you'll see them replacing strong passwords.

Or one can ultimately have a triple of birthdates, together with names, say dad's first name, mom's first name , dad's birthdate , mom's birthdate. Easy to remember, hard to hack; around 18600 choices for each birthday, and you can write them down , or call, or e-mail them if you forget, or just write it down somewhere , of course not stating in the sheet that it is part of the password.

Or one could just remember a list of words to create a strong, easy to remember password, such as what was discussed in this thread.

 

[WWGD]

@Collinsmark, I guess I just spent some time reinventing the wheel :).

 

[DataGG]

But now I am surprised no one has mentioned PASSWORD MANAGERS. I have nearly all my passwords in one of these now, and it has the added convenience you call up the bank etc. sites from within it. I think mine is among those reccommended by CNET. It's putting a lot of trust in the integrity in more than one sense of some organisation one knows little of, not a good principle in principle. And I ought to have more than one of them. Must get that seen to.

I did mention PASSWORD MANAGERS, in post #15. They're absolutely fantastic. Support 2-factor-authentication and are all around very stable and usefull... All one needs is a strong Master-Password, which really isn't that hard to get...

My internet security is absolutely better, now that I use them... Now, the question is: Does NSA have backdoors on LastPass? Some say they do, some say they don't...