
Current Password Complexity Requirements Are Useless

kc78

Seminole Insider
Nov 25, 2002
The man who wrote the paper that has become the guideline for password requirements across the world says it's all junk and he regrets ever writing it. Adding in capitalization, special characters, etc... and changing it every 90 days doesn't help because we're still choosing easily guessable passwords. Changing every 90 days simply leads to guessable patterns.

Your best option: choose a passphrase made up of 4 or 5 moderate-length words.

https://www.usatoday.com/story/news...medium=Social&utm_campaign=usatn-crosspost-fb
 
For sure, and most people write them down and keep that sheet near their desk.

I must have 15 different passwords at work, most of which need to be changed every 90-180 days.

I'd like to give that guy something to regret...
 
I worked for the Army Corps of Engineers. Had to be at least 9 or more characters with a mix of at least two lowercase letters, two uppercase letters, two numbers, and two special characters. They also would not allow any standard words, or more than 2 letters, numbers or characters together. Expires in 90 days, and can't reuse.
 
Obligatory XKCD:

password_strength.png
 
All it does for me is make me forget my passwords. I got an email the other day from my doctor's office with a visit summary. I can't access it because I can't remember what I used for a password or the answer to the security question. It's so secure that even I can't get into it.
Half the stuff I "need" to access is unavailable to me. Shenanigans!!!
 
Aren't most hacks now truly random keygens? If so, there are 26 letters (52 if you capitalize), 10 digits, and however many special characters. The only thing that can make the password more secure is making it longer. And even then, it will just take longer to guess.
 
I actually keep an Evernote file (can access from cloud and uses thumbprint to open) with all my passwords. I just change up the passwords that I have written in a particular way that I recognize, and that if I ever lost my phone or laptop (which use thumbprint or password to open) it would be too much of a pain in the ass to try and hack. Not the best way to protect myself, but it's damn convenient. Aint nobody got time for dat.
 
Ha, one of my clients sent in a quickbooks file that had an awesome password that resulted from his aggravation with getting logged in when he was in a hurry, only to face a series of password changes and downloads from his server & quickbooks program. I couldn't get in the file with the old password, so called his office to get the new one; his wife wouldn't tell me, said "you're gonna have to talk to him for that."
In his fit of anger, his new password was EatA12"Di** (with the inappropriate letters as the last 2 characters).
I thought it was a very creative way to fit in upper case, lower case, numbers, and a character.
 
"Your password is baloney1"?

"Well it was just baloney, but they made me add a nummmmber."
 
I do the same with OneNote. The list keeps growing... :eek:
 
Just do January 17, February 17, etc

Yes, because that's an obviously secure password.

I do suggest making easy to remember passwords, but they should be a pass phrase or collection of words. The majority of concerns over passwords are not from someone guessing (although if you do have someone you don't trust or an ex you may want to consider that as well) but from a password algorithm finding your password easily. An 8 character password only has 8 levels of entropy and any computer can hack those easily. A passphrase is going to be closer to 48 and be almost impossible.

You could do something like
ItsGreatToHatetheFloridaGators!Jan2017

and you'll have an easy to remember password with about 38 levels of entropy that meets your complexity requirements. According to HowSecureIsMyPassword.net (I wouldn't ever put your real password in there) it would take 385 sexdecillion years to crack that password.

Now if someone ever does guess that password, simply changing the month and year portion will make it easy to guess, so you may want to make it slightly more difficult to find patterns, but that's going to be much harder to crack than an 8 character password with a mixture of special characters, numbers, etc...

For comparison, this random 8 character password takes only 19 minutes and would be extremely hard to remember.

*!15Cx*R

Password1 would be cracked almost instantly.
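As an added example (not written by any poster in this thread), the following Python estimates the guessing work for the passwords discussed above under two attacker models: the charset-to-the-length model that composition rules implicitly assume, and a "recipe" model where the attacker knows the password is a few words plus a symbol, a month and a year. The offline guess rate, the wordlist size and the per-component option counts are assumptions.

```python
import math
import re

SECONDS_PER_YEAR = 365.25 * 24 * 3600
# Assumed offline guess rate against a fast unsalted hash (constructed figure).
GUESSES_PER_SECOND = 1e10
# Size of a Diceware-style word list; assumed as the attacker's dictionary.
WORDLIST_SIZE = 7776


def naive_bits(password: str) -> float:
    """Charset-size-to-the-length model that composition rules assume:
    every character is an independent uniform pick from the pooled classes."""
    pool = 0
    if re.search(r"[a-z]", password):
        pool += 26
    if re.search(r"[A-Z]", password):
        pool += 26
    if re.search(r"[0-9]", password):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0


def structured_bits(choices) -> float:
    """Model used by an attacker who knows the recipe: the password is a
    sequence of components, component i being one pick from choices[i] options."""
    return sum(math.log2(c) for c in choices)


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to hit the password, searching half the keyspace on average."""
    return (2 ** bits / 2) / rate / SECONDS_PER_YEAR


def compare(password: str, recipe):
    """Return (naive_bits, recipe_bits, naive_years, recipe_years) for one password."""
    nb, rb = naive_bits(password), structured_bits(recipe)
    return nb, rb, years_to_crack(nb), years_to_crack(rb)


if __name__ == "__main__":
    # The thread's passphrase: seven words, a symbol, a month and a year.
    # Recipe option counts are assumptions: 10 common symbols, 12 months, 30 years.
    phrase = "ItsGreatToHatetheFloridaGators!Jan2017"
    recipe = [WORDLIST_SIZE] * 7 + [10, 12, 30]
    for label, pw, rc in [("passphrase", phrase, recipe),
                          ("random 8", "*!15Cx*R", [95] * 8),
                          ("Password1", "Password1", [1000, 10])]:  # top-1000 word + digit
        nb, rb, ny, ry = compare(pw, rc)
        print(f"{label:11} naive {nb:6.1f} bits ({ny:.3g} y)  recipe {rb:6.1f} bits ({ry:.3g} y)")
```

The recipe estimate is still generous to the defender: the seven words form a grammatical sentence, so a guesser that models phrases needs fewer than seven independent picks.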
 

Only real problem with your suggestion is that it's never correct to capitalize the name of *that* school. Plus, their nickname is spelled goiters.
 
The plant I work in gives you 3 tries... THREE... after that you have to personally go to the plant IT guy and he resets it.

My password could be 1 letter.... but no, it's gotta be 10 characters: 1 cap, 1 number, and 1 special character
 

Just use an easy to remember passphrase like I mentioned above. Extra secure, extra easy to remember. Truly 10 characters isn't enough if you're worried about someone hacking it.
 
Just started using Lastpass App. It will populate your user name and password for the accounts you load on the app. It's great for those accounts that you may go on once or twice a year.
 
I do. But how could anyone ever hack it? Unless you guess in the first 3 tries, it's locked out.

Password cracking doesn't actually take place against the server itself. The lockout rule is really only useful if you're trying to stop someone from guessing your password manually.

Password cracking takes place when your authentication packets are sniffed while moving from you to the server or when the encrypted list of passwords itself is stolen from a hacked authentication server.

By itself the encrypted password that is detected is useless; however, you can run those hashes against a known cryptographic list.

So basically, if you know what type of authentication system is being used, you have access to the algorithm to generate the one-way hashes. So while it's impossible to reverse the hash back to the original password, you can essentially try to match the hash by running an offline process that tries to find a word or value that matches that hash. Many of these systems run through simple passwords in a matter of seconds and continue in flexibility trying more and more complex passwords as they go along.

With modern computers, a simple 8 character password is cracked almost instantly. A 48 character password is going to be almost impossible.
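The offline attack described in this post, as an added Python example that is not from any poster: a per-user random salt and a slow iterated hash (PBKDF2-HMAC-SHA256 at the 600,000 iterations OWASP's 2023 storage guidance recommends) are what make a stolen password database resistant to the "known cryptographic list" approach. The common-password list is constructed for illustration, and the timing ratio is measured on whatever machine runs it.

```python
import hashlib
import hmac
import os
import time

# Work factor: OWASP's 2023 guidance for PBKDF2-HMAC-SHA256 is 600,000 iterations.
ITERATIONS = 600_000
SALT_BYTES = 16


def store_password(password: str, salt: bytes = b"") -> bytes:
    """Hash for storage: returns salt || PBKDF2 digest. The salt is random per
    user, so two users with the same password get different stored values."""
    salt = salt or os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_BYTES], stored[SALT_BYTES:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def unsalted_hex(password: str) -> str:
    """What a naive server might store: a single fast, unsalted SHA-256."""
    return hashlib.sha256(password.encode()).hexdigest()


# The "known cryptographic list" from the post: precomputed hashes of common
# passwords. This list is constructed for the example.
COMMON_PASSWORDS = ["Password1", "baloney1", "123456", "letmein"]
PRECOMPUTED = {unsalted_hex(p): p for p in COMMON_PASSWORDS}


def lookup_leaked(stored_hex: str):
    """One dictionary lookup recovers an unsalted hash of a common password
    instantly; a salted, iterated digest is never in the table, because the
    table was built without the user's salt and without the work factor."""
    return PRECOMPUTED.get(stored_hex)


def cost_ratio(samples: int = 1000) -> float:
    """How many plain SHA-256 guesses fit in the time of one PBKDF2 guess:
    the factor by which the slow hash shrinks an attacker's offline guess rate."""
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.sha256(b"Password1").digest()
    fast = max((time.perf_counter() - t0) / samples, 1e-9)
    t0 = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"Password1", b"\0" * SALT_BYTES, ITERATIONS)
    return (time.perf_counter() - t0) / fast
```

Calling `lookup_leaked(unsalted_hex("Password1"))` returns the password at once, while `lookup_leaked(store_password("Password1")[SALT_BYTES:].hex())` returns `None`; the lockout rule from the earlier post plays no part in either, since nothing here touches the server.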
 
You should make your password 2444666668888888. Then your password would be one 2, three 4, five 6, seven 8.
 

That one's actually not terrible, but not great either. And it's not going to make it past the complex password requirements of most websites. It would take 3 days for a computer to crack that one. If someone's running an attack on a password list they found, it's probably going to be cracked.

However if you changed it to the following you would get past most complexity filters and it would take 552 Quadrillion Years to be cracked apparently.

Two444666668888888!
 
It was a joke. I do IT for a law enforcement agency in FL. FDLE/FBI requirements are ridiculous. I spend way too much time resetting passwords for people. If it's somebody that knows better I like to mess with them and set it to something like F$U!$@w3$0m3. One system that I am admin for at our office requires at least 14 characters with at least 2 each of upper, lower, number and symbol.

And most of our systems will lock you out after 3-5 failed attempts.
 

Gotcha. The lockout attempts are way too low. At the very least they need to update them so they don't count if you retype the same password again. Most people simply assume they typed it wrong. And the forced resets simply make people configure easy to remember, pattern driven password schemes.
 
It's a requirement from FDLE/FBI.
 
Not related to passwords, but in my field of IT I have to do a lot of problem solving when the systems are not working, etc. etc. I take great notes for future reference, but as I got older I have run into a problem. Now if I can only remember where I stored them.
 
BTW when my company first started with the &#$(&#@#($& security policy everyone is talking about, I was so pissed that this was my first new pwd: Kissmybutt10. I had to get it reset for some unknown reason and had to approach my security person, who happened to be a woman. She asked what my old pwd was and I told her. She about fell out of her chair laughing so hard. She thanked me for making her day.
 

I meant in general. The recommended lockout is 3, and the lockout settings on all systems do not take into account some standard reasons passwords are entered incorrectly. I'm saying that the "standard" for how the systems work in general should be updated. I understand the purpose of the lockout system; there are some tweaks that could be made to keep it secure but make it easier for users, to reduce frustration.
 