Old Feb 25, 2013, 07:52 AM   #1
aicul
macrumors 6502a
 
Join Date: Jun 2007
Location: no cars, only boats
Security, or is it no-security

I've noted that many web-based services are claiming to increase their security.

Generally speaking for the user this appears as a longer password with some form of complexity (numbers, uppercase, specials).

I just want to raise 3 points here:

- use of uppercase/lowercase is a killer for aged people that typically type in whatever case is active. So asking them to SHIFT-key is quite blind-sided.

- the idea that more complex is better is a red-herring. Go to any office space and look for post-its, anything long and crazy-looking ... is a password. So we are moving responsibility from web service to individual, but we are not giving the individual the means to keep it secure.

- Security 101. Think of those web sites that insist on registration. Here I typically register with a password like qwerty12345 and rely on the forgotten password button. You'd be surprised how many sites (some actually claiming to provide secure cloud disk storage) will send me my password in clear by email (rather than the better password-reset link).

All this to say that this is not security.

I can understand security but it should bridge what technology can do with what users are willing to bear (and understand). But systematically pushing the onus on users is equivalent to leaving an open door.
__________________
I twitter as icotcot (actually I got bored and stopped twittering)
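The reset-link alternative aicul points to, as an added example that is not from the thread: the server issues a random single-use token, stores only its hash with an expiry, and never needs to know (or mail) the password. The in-memory store, the function names and the fixed timestamps are assumptions for illustration.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Tuple

# Lifetime of a reset link. Short, because the emailed token is a bearer secret.
TOKEN_TTL_SECONDS = 15 * 60

# Hypothetical store: sha256(token) -> (username, expiry). Only the digest is
# kept, so a copy of this table does not let anyone build a working reset link.
TokenStore = Dict[str, Tuple[str, float]]


def _digest(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def issue_reset_token(store: TokenStore, username: str, now: Optional[float] = None) -> str:
    """Create a single-use token for `username` and return the secret to put in the link.

    The password itself is never emailed: with a one-way hash on file the site
    cannot recover it, which is exactly the property the cleartext mailers lack.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    store[_digest(token)] = (username, now + TOKEN_TTL_SECONDS)
    return token


def redeem_reset_token(store: TokenStore, token: str, now: Optional[float] = None) -> Optional[str]:
    """Consume a token; return the username if it is valid, otherwise None.

    Valid means present, unexpired and never used. The entry is popped on every
    lookup, so a token can be spent once and an expired one is discarded too.
    """
    now = time.time() if now is None else now
    entry = store.pop(_digest(token), None)
    if entry is None:
        return None
    username, expires_at = entry
    return username if now <= expires_at else None


if __name__ == "__main__":
    s: TokenStore = {}
    t = issue_reset_token(s, "alice", now=1000.0)
    print(redeem_reset_token(s, t, now=1060.0))  # alice
    print(redeem_reset_token(s, t, now=1061.0))  # None: already used
```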
Old Feb 25, 2013, 08:21 AM   #2
SilentPanda
Moderator emeritus
 
Join Date: Oct 2002
Location: The Bamboo Forest
Quote:
Originally Posted by aicul View Post
- use of uppercase/lowercase is a killer for aged people that typically type in whatever case is active. So asking them to SHIFT-key is quite blind-sided.
I don't think sites should put any stipulations on your password aside from possibly a minimum length of at least 8 and a max length of 40.

Quote:
Originally Posted by aicul View Post
- the idea that more complex is better is a red-herring. Go to any office space and look for post-its, anything long and crazy-looking ... is a password. So we are moving responsibility from web service to individual, but we are not giving the individual the means to keep it secure.
A more complex password is a better password. How do you propose the web service improve their side? There are free password applications for most every modern web browser you can use to keep track of passwords. All of my passwords are max length allowed by the site. My master password is 20 characters long and utilizes letters from song lyrics with a bit of junk thrown in. It's not hard to make a single memorable lengthy password.

As for passwords hanging around on sticky notes... I've not seen one despite having worked many years in an office with hundreds of people. And we're required to change our passwords every 3 months (used to be once a month). To be honest I'd rather have hard to guess passwords on sticky notes inside the office to make it harder for external attackers than weak passwords.

Quote:
Originally Posted by aicul View Post
- Security 101. Think of those web sites that insist on registration. Here I typically register with a password like qwerty12345 and rely on the forgotten password button. You'd be surprised how many sites (some actually claiming to provide secure cloud disk storage) will send me my password in clear by email (rather than the better password-reset link).
Which sites are doing this? I don't believe I've ever had my password sent back to me in plain text. I know there are a few that do this. If so they should be notified and have it brought to light why this is a bad idea. I'd be interested in contacting the sites if you don't have time.
__________________
My 24 hour web cam! ʕノᴥʔノ ︵ ┻━┻
Old Feb 25, 2013, 08:30 AM   #3
Shrink
macrumors Demi-God
 
Join Date: Feb 2011
Location: New England, USA
Quote:
Originally Posted by aicul View Post
I've noted that many web-based services are claiming to increase their security.

Generally speaking for the user this appears as a longer password with some form of complexity (numbers, uppercase, specials).

I just want to raise 3 points here:

- use of uppercase/lowercase is a killer for aged people that typically type in whatever case is active. So asking them to SHIFT-key is quite blind-sided.

- the idea that more complex is better is a red-herring. Go to any office space and look for post-its, anything long and crazy-looking ... is a password. So we are moving responsibility from web service to individual, but we are not giving the individual the means to keep it secure.

- Security 101. Think of those web sites that insist on registration. Here I typically register with a password like qwerty12345 and rely on the forgotten password button. You'd be surprised how many sites (some actually claiming to provide secure cloud disk storage) will send me my password in clear by email (rather than the better password-reset link).

All this to say that this is not security.

I can understand security but it should bridge what technology can do with what users are willing to bear (and understand). But systematically pushing the onus on users is equivalent to leaving an open door.
Generating long passwords with letters (upper case and lower), numbers, and even special characters mixed in is easy with an app like LastPass. A 10 or 11 character password, randomly generated, with a mixture of letters, numbers, etc. is very difficult to break, and certainly much more difficult than dictionary words.

And the best part is you don't have to remember anything...the app stores the username and password, and fills it in automatically, if you choose.

That being said, there is no such thing as perfect security, but taking careful precautions certainly makes sense to me.

BTW: As an "aged person", I can attest to the fact that it is not a "killer" to employ careful computing, use of complex passwords, and taking all other precautions is very possible for us feeble old codgers. And depending upon others to provide your security is a mistake...it's my responsibility to protect myself as best I can.
__________________
Two things are infinite, the universe and human stupidity; and I'm not sure about the universe. -- Albert Einstein
Old Feb 25, 2013, 05:45 PM   #4
Gutwrench
macrumors 6502a
 
Join Date: Jan 2011
Quote:
Originally Posted by SilentPanda View Post
A more complex password is a better password. How do you propose the web service improve their side?

As for passwords hanging around on sticky notes... I've not seen one despite having worked many years in an office with hundreds of people.
I don't fully agree with you. There is a reasonable limit to where complex pw's cease to be effective. In real life users will start to write them down and leave them somewhere in their workspace. I'm guessing 1 out of 10 times you'll find the pw under the mouse or wrist pad.

At my office on a normal day I need to sign into eight systems. Not counting Windows or Citrix. Lord help you having to map new network drives.

None of the pw's can be the same.

It must contain mixed case and at least one number and one special character and be at least ten characters long.

No character can be repeated in the string.

We must change them every thirty days.

Any new password can not contain the same character in the same location of the string as the old pw.

There are more restrictions but I don't remember them. I (we) literally need to bring up the pw requirements email each and every time we create a new one. Worse yet, when a pw is rejected the error message is cryptic and not too helpful in determining what you did wrong.

When logging into any system the profile is disabled in all systems on the third wrong pw attempt. In some systems the incorrect attempts are cumulative.
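Gutwrench's rule set written out as a checker, as an added example and not anyone's actual system: it reports every violated rule in plain words, which is what the cryptic rejection message he describes fails to do. The rule wording, the `MIN_LENGTH` constant and the sample passwords are constructed for illustration.

```python
import string
from typing import List, Optional

MIN_LENGTH = 10
SPECIALS = set(string.punctuation)


def check_password_policy(new_pw: str, old_pw: Optional[str] = None) -> List[str]:
    """Return every rule the candidate breaks, each as a plain sentence.

    An empty list means the password is accepted. Reporting all failures at
    once, in words, replaces the single cryptic rejection the post describes.
    Note that the last two rules shrink the set of allowed passwords rather
    than enlarge it, which is the usual cost of composition rules.
    """
    problems: List[str] = []
    if len(new_pw) < MIN_LENGTH:
        problems.append(f"must be at least {MIN_LENGTH} characters long (got {len(new_pw)})")
    if not (any(c.islower() for c in new_pw) and any(c.isupper() for c in new_pw)):
        problems.append("must contain both upper-case and lower-case letters")
    if not any(c.isdigit() for c in new_pw):
        problems.append("must contain at least one number")
    if not any(c in SPECIALS for c in new_pw):
        problems.append("must contain at least one special character")
    # "No character can be repeated in the string."
    repeated = sorted({c for c in new_pw if new_pw.count(c) > 1})
    if repeated:
        problems.append("no character may appear twice (repeated: "
                        + ", ".join(repr(c) for c in repeated) + ")")
    # "Any new password can not contain the same character in the same location as the old pw."
    if old_pw is not None:
        clashes = [i + 1 for i, (a, b) in enumerate(zip(new_pw, old_pw)) if a == b]
        if clashes:
            problems.append("positions " + ", ".join(map(str, clashes))
                            + " reuse the character at the same position in the old password")
    return problems


if __name__ == "__main__":
    for pw in ("qwerty12345", "Abc!2xyzqw"):
        print(pw, "->", check_password_policy(pw) or "accepted")
```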
Old Feb 27, 2013, 02:52 AM   #5
gnasher729
macrumors G5
 
Join Date: Nov 2005
Quote:
Originally Posted by Gutwrench View Post
I don't fully agree with you. There is a reasonable limit to where complex pw's cease to be effective. In real life users will start to write them down and leave them somewhere in their workspace. I'm guessing 1 out of 10 times you'll find the pw under the mouse or wrist pad.
Use a password that is a combination of something you remember followed by random letters. Write the random letters down. An outside hacker cannot crack it because of the random letters, and your coworkers cannot hack it because they don't know the thing you remember, and they are not hackers.
Old Feb 27, 2013, 03:38 AM   #6
Jessica Lares
macrumors 603
 
Join Date: Oct 2009
Location: Near Dallas, Texas, USA
Doesn't anyone else write passwords on a folded index card and put it in their wallet?
__________________
Have You Hugged Your Mac Today?
Daily Expressions | iMac G4 | Late 2011 13" MacBook Pro | iPod Nano (7G) | iPad Mini | iPod Touch (5G) | iPhone 5S
Old Feb 27, 2013, 06:39 AM   #7
SilentPanda
Moderator emeritus
 
Join Date: Oct 2002
Location: The Bamboo Forest
Quote:
Originally Posted by gnasher729 View Post
Use a password that is a combination of something you remember followed by random letters. Write the random letters down. An outside hacker cannot crack it because of the random letters, and your coworkers cannot hack it because they don't know the thing you remember, and they are not hackers.
I actually have a fairly long string of "random" characters that I have memorized and for passwords I have to update monthly, I just put the named month/year inside it. Easy enough to remember.
__________________
My 24 hour web cam! ʕノᴥʔノ ︵ ┻━┻
Old Feb 27, 2013, 06:45 AM   #8
Happybunny
macrumors 65816
 
Join Date: Sep 2010
Location: 's-Hertogenbosch Netherlands
Quote:
Originally Posted by aicul View Post
I've noted that many web-based services are claiming to increase their security.

Generally speaking for the user this appears as a longer password with some form of complexity (numbers, uppercase, specials).

I just want to raise 3 points here:

- use of uppercase/lowercase is a killer for aged people that typically type in whatever case is active. So asking them to SHIFT-key is quite blind-sided.

- the idea that more complex is better is a red-herring. Go to any office space and look for post-its, anything long and crazy-looking ... is a password. So we are moving responsibility from web service to individual, but we are not giving the individual the means to keep it secure.

- Security 101. Think of those web sites that insist on registration. Here I typically register with a password like qwerty12345 and rely on the forgotten password button. You'd be surprised how many sites (some actually claiming to provide secure cloud disk storage) will send me my password in clear by email (rather than the better password-reset link).

All this to say that this is not security.

I can understand security but it should bridge what technology can do with what users are willing to bear (and understand). But systematically pushing the onus on users is equivalent to leaving an open door.
Being one of those age impaired people, I just let those nice Nigerian/Russian people I met via e-mail handle my passwords.
__________________
'You cannot undo history, but you can learn from it'
Old Feb 27, 2013, 06:47 AM   #9
heehee
macrumors 68020
 
Join Date: Jul 2006
Location: Same country as Santa Claus
I have so many accounts and passwords that I have an Excel file with password protection on it, and a backup file with a password in case my computer crashes.
Old Feb 27, 2013, 07:01 AM   #10
benthewraith
macrumors 68030
 
Join Date: May 2006
Location: Miami, FL
Quote:
Originally Posted by Shrink View Post
Generating long passwords with letters (upper case and lower), numbers, and even special characters mixed in is easy with an app like LastPass. A 10 or 11 character password, randomly generated, with a mixture of letters, numbers, etc. is very difficult to break, and certainly much more difficult than dictionary words.

And the best part is you don't have to remember anything...the app stores the username and password, and fills it in automatically, if you choose.

That being said, there is no such thing as perfect security, but taking careful precautions certainly makes sense to me.

BTW: As an "aged person", I can attest to the fact that it is not a "killer" to employ careful computing, use of complex passwords, and taking all other precautions is very possible for us feeble old codgers. And depending upon others to provide your security is a mistake...it's my responsibility to protect myself as best I can.
I feel as if I should post this discussion. It's definitely worth a read.
__________________
Late-2013 13" rMBP, 2.4GHz, 8 GB RAM 250GB SSD,
Old Mar 12, 2013, 03:37 PM   #11
Thinowns
macrumors newbie
 
Join Date: Mar 2013
Quote:
Originally Posted by Jessica Lares View Post
Doesn't anyone else write passwords on a folded index card and put it in their wallet?
Hi,

Just write passwords in a diary at your home, because a wallet is also not secure. Thanks,
Old Mar 13, 2013, 03:33 AM   #12
gnasher729
macrumors G5
 
Join Date: Nov 2005
Quote:
Originally Posted by SilentPanda View Post
As for passwords hanging around on sticky notes... I've not seen one despite having worked many years in an office with hundreds of people. And we're required to change our passwords every 3 months (used to be once a month). To be honest I'd rather have hard to guess passwords on sticky notes inside the office to make it harder for external attackers than weak passwords.
Combine something you remember easily that your co-workers don't know, with six or eight random digits that you write on a sticky note. Keeps external hackers out, and keeps your co-workers out.