Security, or is it no-security

[aicul]

I've noted that many web-based services are claiming to increase their security.

Generally speaking for the user this appears as a longer password with some form of complexity (numbers, uppercase, specials).

I just want to raise 3 points here :

- use of uppercase/lowercase is a killer for aged people that typically type in whatever case is active. So asking them to SHIFT-key is quite blind-sided.

- the idea that more complex is better is a red-herring. Go to any office space and look for post-its, anything long and crazy-looking ... is a password. So we are moving responsibility from web service to individual, but we are not giving the individual the means to keep it secure.

- security 101. think of those web sites that insist on registration. Here I typically register with a password like qwerty12345 and rely on the forgotten password button. You'd be surprised how many sites (some actually claiming to provide secure cloud disk storage) will send me my password in clear by email (rather than the better password-reset link).

All this to say that this is not security.

I can understand security but it should bridge what technology can do with what users are willing to bear (and understand). But systematically pushing the onus on users is equivalent to leaving an open door.

[SilentPanda]

Quote:

Originally Posted by aicul

- use of uppercase/lowercase is a killer for aged people that typically type in whatever case is active. So asking them to SHIFT-key is quite blind-sided.

I don't think sites should put any stipulations on your password aside from possibly a minimum length of at least 8 and a max length of 40.

Quote:

Originally Posted by aicul

- the idea that more complex is better is a red-herring. Go to any office space and look for post-its, anything long and crazy-looking ... is a password. So we are moving responsibility from web service to individual, but we are not giving the individual the means to keep it secure.

A more complex password is a better password. How do you propose the web service improve their side? There are free password applications for most every modern web browser you can use to keep track of passwords. All of my passwords are max length allowed by the site. My master password is 20 characters long and utilizes letters from song lyrics with a bit of junk thrown in. It's not hard to make a single memorable lengthy password.

As for passwords hanging around on sticky notes... I've not seen one despite having worked many years in an office with hundreds of people. And we're required to change our passwords every 3 months (used to be once a month). To be honest I'd rather have hard to guess passwords on sticky notes inside the office to make it harder for external attackers than weak passwords.

Quote:

Originally Posted by aicul

- security 101. think of those web sites that insist on registration. Here I typically register with a password like qwerty12345 and rely on the forgotten password button. You'd be surprised how many sites (some actually claiming to provide secure cloud disk storage) will send me my password in clear by email (rather than the better password-reset link).

Which sites are doing this? I don't believe I've ever had my password sent back to me in plain text. I know there are a few that do this. If so they should be notified and have it brought to light why this is a bad idea. I'd be interested in contacting the sites if you don't have time.

[Shrink]

Quote:

Originally Posted by aicul

I've noted that many web-based services are claiming to increase their security.

Generally speaking for the user this appears as a longer password with some form of complexity (numbers, uppercase, specials).

I just want to raise 3 points here :

- use of uppercase/lowercase is a killer for aged people that typically type in whatever case is active. So asking them to SHIFT-key is quite blind-sided.

- the idea that more complex is better is a red-herring. Go to any office space and look for post-its, anything long and crazy-looking ... is a password. So we are moving responsibility from web service to individual, but we are not giving the individual the means to keep it secure.

- security 101. think of those web sites that insist on registration. Here I typically register with a password like qwerty12345 and rely on the forgotten password button. You'd be surprised how many sites (some actually claiming to provide secure cloud disk storage) will send me my password in clear by email (rather than the better password-reset link).

All this to say that this is not security.

I can understand security but it should bridge what technology can do with what users are willing to bear (and understand). But systematically pushing the onus on users is equivalent to leaving an open door.

Generating long passwords with letters (upper case and lower), numbers, and even special characters mixed in is easy with an app like LastPass. A 10 or 11 character password, randomly generated, with a mixture of letters, numbers, etc. is very difficult to break, and certainly much more difficult than dictionary words.

And the best part is you don't have to remember anything...the app stores the username and password, and fills it in automatically, if you choose.

That being said, there is no such thing as perfect security, but taking careful precautions certainly makes sense to me.

BTW: As an "aged person", I can attest to the fact that it is not a "killer" to employ careful computing, use of complex passwords, and taking all other precautions is very possible for us feeble old codgers. And depending upon others to provide your security is a mistake...it's my responsibility to protect myself as best I can.

[Gutwrench]

Quote:

Originally Posted by SilentPanda

A more complex password is a better password. How do you propose the web service improve their side?

As for passwords hanging around on sticky notes... I've not seen one despite having worked many years in an office with hundreds of people.

I don't fully agree with you. There is a reasonable limit to where complex pw's cease to be effective. In real life users will start to write them down and leave them somewhere in their workspace. I'm guessing 1 out of 10 times you'll find the pw under the mouse or wrist pad.

At my office on normal day I need to signed into eight systems. Not counting Windows or Citrix. Lord help you having to map new network drives.

None of the pw's can be the same.

It must contain mixed case and at least one number and one special character and be at least ten characters long.

No character can be repeated in the string.

We must change them every thirty days.

Any new password can not contain the same character in the same location of the string as the old pw.

There are more restrictions but I don't remember them. I (we) literally need to bring up the pw requirements email each and every time we creat a new one. Worse yet when a pw is rejected the error message is cryptic and not too helpful in determining what you did wrong.

When logging into any system the profile is disabled in all systems on the third wrong pw attempt. In some systems the incorrect attempts are cumulative.

[gnasher729]

Quote:

Originally Posted by Gutwrench

I don't fully agree with you. There is a reasonable limit to where complex pw's cease to be effective. In real life users will start to write them down and leave them somewhere in their workspace. I'm guessing 1 out of 10 times you'll find the pw under the mouse or wrist pad.

Use a password that is a combination of something you remember followed by random letters. Write the random letters down. An outside hacker cannot crack it because of the random letters, your coworkers cannot hack it because they don't know the thing you remember, and they are no hackers.

[Jessica Lares]

Doesn't anyone else write passwords on a folded index card and put it in their wallet?

[SilentPanda]

Quote:

Originally Posted by gnasher729

Use a password that is a combination of something you remember followed by random letters. Write the random letters down. An outside hacker cannot crack it because of the random letters, your coworkers cannot hack it because they don't know the thing you remember, and they are no hackers.

I actually have a fairly long string of "random" characters that I have memorized and for passwords I have to update monthly, I just put the named month/year inside it. Easy enough to remember.

[Happybunny]

Quote:

Originally Posted by aicul

I've noted that many web-based services are claiming to increase their security.

Generally speaking for the user this appears as a longer password with some form of complexity (numbers, uppercase, specials).

I just want to raise 3 points here :

- use of uppercase/lowercase is a killer for aged people that typically type in whatever case is active. So asking them to SHIFT-key is quite blind-sided.

- the idea that more complex is better is a red-herring. Go to any office space and look for post-its, anything long and crazy-looking ... is a password. So we are moving responsibility from web service to individual, but we are not giving the individual the means to keep it secure.

- security 101. think of those web sites that insist on registration. Here I typically register with a password like qwerty12345 and rely on the forgotten password button. You'd be surprised how many sites (some actually claiming to provide secure cloud disk storage) will send me my password in clear by email (rather than the better password-reset link).

All this to say that this is not security.

I can understand security but it should bridge what technology can do with what users are willing to bear (and understand). But systematically pushing the onus on users is equivalent to leaving an open door.

Being one of those age impaired people, I just let those nice Nigerian/Russian people I met via e-mail handle my passwords.

[heehee]

I have so many accounts and passwords I have an excel file with a password protection on it and a bsackup file with a password incase my computer crashes.

[benthewraith]

Quote:

Originally Posted by Shrink

Generating long passwords with letters (upper case and lower), numbers, and even special characters mixed in is easy with an app like LastPass. A 10 or 11 character password, randomly generated, with a mixture of letters, numbers, etc. is very difficult to break, and certainly much more difficult than dictionary words.

And the best part is you don't have to remember anything...the app stores the username and password, and fills it in automatically, if you choose.

That being said, there is no such thing as perfect security, but taking careful precautions certainly makes sense to me.

BTW: As an "aged person", I can attest to the fact that it is not a "killer" to employ careful computing, use of complex passwords, and taking all other precautions is very possible for us feeble old codgers. And depending upon others to provide your security is a mistake...it's my responsibility to protect myself as best I can.

I feel as if I should post this discussion. It's definitely worth a read.

[Thinowns]

Quote:

Originally Posted by Jessica Lares

Doesn't anyone else write passwords on a folded index card and put it in their wallet?

hi,

just write passwords at a diary at your home. because wallet is also not secure. thanks,

[gnasher729]

Quote:

Originally Posted by SilentPanda

As for passwords hanging around on sticky notes... I've not seen one despite having worked many years in an office with hundreds of people. And we're required to change our passwords every 3 months (used to be once a month). To be honest I'd rather have hard to guess passwords on sticky notes inside the office to make it harder for external attackers than weak passwords.

Combine something you remember easily that your co-workers don't know, with six or eight random digits that you write on a sticky note. Keeps external hackers out, and keeps your co-workers out.