Password Problems

TheWoodler

Second @DoublePolaroid’s accessibility tips.

Another thing you can do to help with typing: there’s often a barred eye symbol to the right of the Password field (or Give Us Your Three Random Characters From Your Password Upon Pain Of Death field). Click to show and click again to hide. That’s saved me many a mistype!

Prism

It is annoying that so many sites still require complex passwords to be used when all recommendations for that were dropped by the NCSC a few years ago. Their current advice is not to use complexity requirements in passwords, in fact in most cases not to use passwords at all.

Thumbs_Up

All this talk about passwords and secure countermeasures got me thinking about a WW2 story about the German Lorenz SZ40 cipher machine. I will be brief and have condense this.

Hopefully you all have heard or read about the Enigma machine and it’s ability to encrypt a message at 15 million million times.

The Lorenz SZ40 machine could encrypt messages at 1,600 million billion times.

Now to read those messages the the first digital, programmable, and electronic computer was built.

It could take up to 4 hours to read the coded message. On a modern computer with special software it will take 46 seconds.

Homage to William Tutte and Tommy Flowers and his team.

To those who use personal computers for their banking should be aware of keylogging malware, having the most fiendish password won’t stop hackers getting access. People who use android mobiles should be mindful as well.

 

DE_612183

I use an iphone - a lot of companies use face id to access accounts so you just click on the app and smile at it

Daliah

Password Manager (I use Lastpass) in combination with biometric login is what I use.

JohnWinder

wiseonesomeofthetime said:

There is a risk though. If I was to forget that password, I would have to spend a lot of time trying to regain access to accounts I cannot access via biometrics. 

I also personally do not record that password anywhere but in my head. 

You could use a product that offers 'emergency access'. You authorise a trusted person to have access to your PW manager. To get that access they have to submit a request, which is then emailed to you for rejection if you don't want them to have access. If you don't reply, the PW manager assumes you're dead, and your trusted person has access (wherein they or you who are actually still alive can change the master password to one you can remember). You can set it up so the period that must pass between 'request' and 'reject' from you is as long as you like. But you need that 'trusted' person in the first place.

Daliah

wiseonesomeofthetime said:

There is a risk though. If I was to forget that password, I would have to spend a lot of time trying to regain access to accounts I cannot access via biometrics. 

Nothing is totally free of risk. Whilst forgetting your master login credential would be a monstrous pain, there are lots more risky, more likely, and much more serious, things in life. 

JohnWinder

wiseonesomeofthetime said:

I just need to remember the one to access the password manager. 

There is a risk though. If I was to forget that password, I would have to spend a lot of time trying to regain access to accounts I cannot access via biometrics. 

I also personally do not record that password anywhere but in my head. 

Or, what about this: you establish an email account that no one knows about and you never use and has no identifying features, choosing one that can send 'out of office' replies. You compose an 'out of office' reply which is your PW manager master password. If you forget it, you simply send yourself an email and back comes the password. 

Or, you 'pepper' your master password (which is %dfj20?#hiermgi) by adding to the end of it one word or number sequence you can remember. You hide the '%dfj20?#hiermgi' fairly well, but if anyone finds it they're still missing the 'pepper'. The number sequence could be the phone number of a 'friend' in your contacts list who actually doesn't exist, but the baddies don't know who your friends aren't. Use my name; I'll never be your friend!

IvanOpinion

Prism said:

It is annoying that so many sites still require complex passwords to be used when all recommendations for that were dropped by the NCSC a few years ago. Their current advice is not to use complexity requirements in passwords, in fact in most cases not to use passwords at all.

Indeed, and it looks like the big companies are starting to adopt alternate methods.

At the minute the 3 most important things when it comes to passwords are length, length and length. I personally do not use passwords less than 16 characters now.

There is an argument that complex passwords make sites less secure because people need clues and password managers to remember them. I would say that, on computers I am asked to look at, in the majority of cases the password manager is actually the single point of weakness. Similarly, there are much easier ways to gain access to peoples phones and accounts than worrying about password managers.

But I fully sympathise with the OP since I am prone to fat fingering

JohnWinder

Mmmm, length. Not sure writing the number '1' sixteen times is a great choice. I think we need to consider the randomness of the choice of characters and the number of possible characters in each of the sixteen spaces.