Security, or is it no-security

aicul · Feb 25, 2013

I've noted that many web-based services are claiming to increase their security.

Generally speaking for the user this appears as a longer password with some form of complexity (numbers, uppercase, specials).

I just want to raise 3 points here :

- use of uppercase/lowercase is a killer for aged people that typically type in whatever case is active. So asking them to SHIFT-key is quite blind-sided.

- the idea that more complex is better is a red-herring. Go to any office space and look for post-its, anything long and crazy-looking ... is a password. So we are moving responsibility from web service to individual, but we are not giving the individual the means to keep it secure.

- security 101. think of those web sites that insist on registration. Here I typically register with a password like qwerty12345 and rely on the forgotten password button. You'd be surprised how many sites (some actually claiming to provide secure cloud disk storage) will send me my password in clear by email (rather than the better password-reset link).

All this to say that this is not security.

I can understand security but it should bridge what technology can do with what users are willing to bear (and understand). But systematically pushing the onus on users is equivalent to leaving an open door.

SilentPanda · Feb 25, 2013

aicul said:
- use of uppercase/lowercase is a killer for aged people that typically type in whatever case is active. So asking them to SHIFT-key is quite blind-sided.

I don't think sites should put any stipulations on your password aside from possibly a minimum length of at least 8 and a max length of 40.

aicul said:
- the idea that more complex is better is a red-herring. Go to any office space and look for post-its, anything long and crazy-looking ... is a password. So we are moving responsibility from web service to individual, but we are not giving the individual the means to keep it secure.

A more complex password is a better password. How do you propose the web service improve their side? There are free password applications for most every modern web browser you can use to keep track of passwords. All of my passwords are max length allowed by the site. My master password is 20 characters long and utilizes letters from song lyrics with a bit of junk thrown in. It's not hard to make a single memorable lengthy password.

As for passwords hanging around on sticky notes... I've not seen one despite having worked many years in an office with hundreds of people. And we're required to change our passwords every 3 months (used to be once a month). To be honest I'd rather have hard to guess passwords on sticky notes inside the office to make it harder for external attackers than weak passwords.

aicul said:
- security 101. think of those web sites that insist on registration. Here I typically register with a password like qwerty12345 and rely on the forgotten password button. You'd be surprised how many sites (some actually claiming to provide secure cloud disk storage) will send me my password in clear by email (rather than the better password-reset link).

Which sites are doing this? I don't believe I've ever had my password sent back to me in plain text. I know there are a few that do this. If so they should be notified and have it brought to light why this is a bad idea. I'd be interested in contacting the sites if you don't have time.

Shrink · Feb 25, 2013

aicul said:
I've noted that many web-based services are claiming to increase their security.

Generally speaking for the user this appears as a longer password with some form of complexity (numbers, uppercase, specials).

I just want to raise 3 points here :

- use of uppercase/lowercase is a killer for aged people that typically type in whatever case is active. So asking them to SHIFT-key is quite blind-sided.

- the idea that more complex is better is a red-herring. Go to any office space and look for post-its, anything long and crazy-looking ... is a password. So we are moving responsibility from web service to individual, but we are not giving the individual the means to keep it secure.

- security 101. think of those web sites that insist on registration. Here I typically register with a password like qwerty12345 and rely on the forgotten password button. You'd be surprised how many sites (some actually claiming to provide secure cloud disk storage) will send me my password in clear by email (rather than the better password-reset link).

All this to say that this is not security.

I can understand security but it should bridge what technology can do with what users are willing to bear (and understand). But systematically pushing the onus on users is equivalent to leaving an open door.

Generating long passwords with letters (upper case and lower), numbers, and even special characters mixed in is easy with an app like LastPass. A 10 or 11 character password, randomly generated, with a mixture of letters, numbers, etc. is very difficult to break, and certainly much more difficult than dictionary words.

And the best part is you don't have to remember anything...the app stores the username and password, and fills it in automatically, if you choose.

That being said, there is no such thing as perfect security, but taking careful precautions certainly makes sense to me.

BTW: As an "aged person", I can attest to the fact that it is not a "killer" to employ careful computing, use of complex passwords, and taking all other precautions is very possible for us feeble old codgers. And depending upon others to provide your security is a mistake...it's my responsibility to protect myself as best I can.

Gutwrench · Feb 25, 2013

SilentPanda said:
A more complex password is a better password. How do you propose the web service improve their side?

As for passwords hanging around on sticky notes... I've not seen one despite having worked many years in an office with hundreds of people.

I don't fully agree with you. There is a reasonable limit to where complex pw's cease to be effective. In real life users will start to write them down and leave them somewhere in their workspace. I'm guessing 1 out of 10 times you'll find the pw under the mouse or wrist pad.

At my office on normal day I need to signed into eight systems. Not counting Windows or Citrix. Lord help you having to map new network drives.

None of the pw's can be the same.

It must contain mixed case and at least one number and one special character and be at least ten characters long.

No character can be repeated in the string.

We must change them every thirty days.

Any new password can not contain the same character in the same location of the string as the old pw.

There are more restrictions but I don't remember them. I (we) literally need to bring up the pw requirements email each and every time we creat a new one. Worse yet when a pw is rejected the error message is cryptic and not too helpful in determining what you did wrong.

When logging into any system the profile is disabled in all systems on the third wrong pw attempt. In some systems the incorrect attempts are cumulative.

gnasher729 · Feb 27, 2013

Gutwrench said:
I don't fully agree with you. There is a reasonable limit to where complex pw's cease to be effective. In real life users will start to write them down and leave them somewhere in their workspace. I'm guessing 1 out of 10 times you'll find the pw under the mouse or wrist pad.

Use a password that is a combination of something you remember followed by random letters. Write the random letters down. An outside hacker cannot crack it because of the random letters, your coworkers cannot hack it because they don't know the thing you remember, and they are no hackers.

Jessica Lares · Feb 27, 2013

Doesn't anyone else write passwords on a folded index card and put it in their wallet?

SilentPanda · Feb 27, 2013

gnasher729 said:
Use a password that is a combination of something you remember followed by random letters. Write the random letters down. An outside hacker cannot crack it because of the random letters, your coworkers cannot hack it because they don't know the thing you remember, and they are no hackers.

I actually have a fairly long string of "random" characters that I have memorized and for passwords I have to update monthly, I just put the named month/year inside it. Easy enough to remember.

Happybunny · Feb 27, 2013

aicul said:
I've noted that many web-based services are claiming to increase their security.

Generally speaking for the user this appears as a longer password with some form of complexity (numbers, uppercase, specials).

I just want to raise 3 points here :

- use of uppercase/lowercase is a killer for aged people that typically type in whatever case is active. So asking them to SHIFT-key is quite blind-sided.

- the idea that more complex is better is a red-herring. Go to any office space and look for post-its, anything long and crazy-looking ... is a password. So we are moving responsibility from web service to individual, but we are not giving the individual the means to keep it secure.

- security 101. think of those web sites that insist on registration. Here I typically register with a password like qwerty12345 and rely on the forgotten password button. You'd be surprised how many sites (some actually claiming to provide secure cloud disk storage) will send me my password in clear by email (rather than the better password-reset link).

All this to say that this is not security.

I can understand security but it should bridge what technology can do with what users are willing to bear (and understand). But systematically pushing the onus on users is equivalent to leaving an open door.

Being one of those age impaired people, I just let those nice Nigerian/Russian people I met via e-mail handle my passwords.

heehee · Feb 27, 2013

I have so many accounts and passwords I have an excel file with a password protection on it and a bsackup file with a password incase my computer crashes.

benthewraith · Feb 27, 2013

Shrink said:
Generating long passwords with letters (upper case and lower), numbers, and even special characters mixed in is easy with an app like LastPass. A 10 or 11 character password, randomly generated, with a mixture of letters, numbers, etc. is very difficult to break, and certainly much more difficult than dictionary words.

And the best part is you don't have to remember anything...the app stores the username and password, and fills it in automatically, if you choose.

That being said, there is no such thing as perfect security, but taking careful precautions certainly makes sense to me.

BTW: As an "aged person", I can attest to the fact that it is not a "killer" to employ careful computing, use of complex passwords, and taking all other precautions is very possible for us feeble old codgers. And depending upon others to provide your security is a mistake...it's my responsibility to protect myself as best I can.

I feel as if I should post this discussion. It's definitely worth a read.

Thinowns · Mar 12, 2013

Jessica Lares said:
Doesn't anyone else write passwords on a folded index card and put it in their wallet?

hi,

just write passwords at a diary at your home. because wallet is also not secure. thanks,

gnasher729 · Mar 13, 2013

SilentPanda said:
As for passwords hanging around on sticky notes... I've not seen one despite having worked many years in an office with hundreds of people. And we're required to change our passwords every 3 months (used to be once a month). To be honest I'd rather have hard to guess passwords on sticky notes inside the office to make it harder for external attackers than weak passwords.

Combine something you remember easily that your co-workers don't know, with six or eight random digits that you write on a sticky note. Keeps external hackers out, and keeps your co-workers out.

Search

Search

Security, or is it no-security

aicul

macrumors 6502a

SilentPanda

Moderator emeritus

Shrink

macrumors G3

Gutwrench

Suspended

gnasher729

Suspended

Jessica Lares

macrumors G3

SilentPanda

Moderator emeritus

Happybunny

macrumors 68000

heehee

macrumors 68020

benthewraith

macrumors 68040

Thinowns

macrumors newbie

gnasher729

Suspended

Our Staff