Let's all thank the BBC


(Andrew Porter) #1

For perpetuating the myth that complex passwords are more secure.


(Andy Wootton) #2

They are, for some values of secure. Sadly, idiots are the biggest risk. I worked in security: “I’ll tell you what I do every month, when I’m forced to change my password”
“No, DON'T TELL ME!”

My bank emailed me my post-code in an unencrypted email, so I’d know it was really them. This is fraud protection advice to customers.


(Andrew Porter) #3

They’re not though.

Show me any cracking suite that limits itself to alpha only - they don’t.

Once you force a user to choose something that isn’t their choice you have introduced a weakness - the user. The user will forget the password - forcing the far more vulnerable password recovery process, or they will write it down, or use similar (or the same) password everywhere - simply because it’s easier to remember.

Length is the only variable that matters when it comes to passwords. Let the user pick their own 16 character or longer passPHRASE instead.

Even if it’s something really stupid like “thisisfredsamazonpassword”, it’s vastly more secure than your typical 8 minimum with upper/lower combination and one non-alpha rule.

A cracker would need to know your password is only lower case alpha in the first place to benefit from then limiting an attack to just these 26 letters.

But this is all daft anyway - unless someone has obtained encrypted password data - brute force is the last avenue of access. Key logging trojans and viruses are where I’ve seen more break-ins than any other means.

Remote brute force attacks should be blocked very quickly by the host.

If someone has encrypted password data and cracks a forced rule password such as “mandy!956” the first thing they will do is try the email address and password combination on other sites. And because remembering complex passwords is hard, there is a good chance Mandy will have used that password elsewhere.

Equally for key logged passwords.

So everyone should be encouraged to have long passphrase passwords that are unique per site, and the simplest way to achieve this is let the user pick their password unhindered by anything other than length restrictions.
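The keyspace comparison the post makes between “thisisfredsamazonpassword” and “mandy!956”, worked through as an added example (not code from the thread). It models exhaustive brute force only: a per-position alphabet raised to the length, once assuming the cracker knows which character classes were used (the 26-letter case in the post) and once assuming they do not. It says nothing about dictionary or combinator attacks, which is where a passphrase built from common words loses ground. The guess rate of 10^12 per second is an assumed order of magnitude for offline cracking of a fast unsalted hash, not a measurement, and the two policy functions are my rendering of the rules the post describes.

```python
import math
import string

# Alphabets a cracker can choose between when setting up a brute-force search.
LOWER = string.ascii_lowercase    # 26
UPPER = string.ascii_uppercase    # 26
DIGITS = string.digits            # 10
SYMBOLS = string.punctuation      # 32
ALL_PRINTABLE = len(LOWER) + len(UPPER) + len(DIGITS) + len(SYMBOLS)  # 94


def used_alphabet_size(password: str) -> int:
    """Size of the alphabet a cracker could restrict to if they knew exactly
    which character classes the password uses (their best case)."""
    return sum(len(cls) for cls in (LOWER, UPPER, DIGITS, SYMBOLS)
               if any(c in cls for c in password))


def keyspace_bits(password: str, attacker_knows_classes: bool) -> float:
    """log2 of the number of candidates an exhaustive search of this
    password's length must cover. With attacker_knows_classes=False the
    cracker has to allow any printable ASCII character in every position."""
    alphabet = used_alphabet_size(password) if attacker_knows_classes else ALL_PRINTABLE
    return len(password) * math.log2(alphabet)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at the given offline rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


def meets_complexity_rule(password: str) -> bool:
    """The '8 minimum, upper and lower, one non-alpha' rule from the post."""
    return (len(password) >= 8
            and any(c in UPPER for c in password)
            and any(c in LOWER for c in password)
            and any(c not in LOWER + UPPER for c in password))


def meets_length_rule(password: str, minimum: int = 16) -> bool:
    """The length-only rule the post argues for."""
    return len(password) >= minimum


if __name__ == "__main__":
    RATE = 1e12  # assumed offline guesses per second, not a measurement
    for pw in ("thisisfredsamazonpassword", "mandy!956"):
        known = keyspace_bits(pw, attacker_knows_classes=True)
        unknown = keyspace_bits(pw, attacker_knows_classes=False)
        print(f"{pw!r}: complexity rule={meets_complexity_rule(pw)}, "
              f"length rule={meets_length_rule(pw)}, "
              f"{known:.1f} bits if classes known "
              f"({years_to_exhaust(known, RATE):.2e} years), "
              f"{unknown:.1f} bits otherwise")
```

The 25-character lowercase passphrase gives about 118 bits even when the cracker knows it is lowercase only; the 9-character “mandy!956” gives about 59 bits even when they assume full printable ASCII. The rate only shifts the absolute times, not the ordering.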


(Andrew Porter) #4

BTW one of my bugbears is the nationwide. They email me from nationwide-communications.co.uk

How can I trust that? I log in to nationwide.co.uk.

I get 100s of emails in my spam folder from apple-security.com, apple-id.com etc… scams - and here’s nationwide doing the same.

I’ve emailed them (no reply) suggesting it would be far more secure and verifiable for them to use comms.nationwide.co.uk

Clearly there’s no one with half a clue there.

They even say - you can be certain this email is from the nationwide because it has your postcode in it. Yeah - can’t be fake then. Ejits.
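The sender-domain check the post is asking for, as an added example that is not part of the thread: a From: address is accepted only if its domain equals, or sits on a whole-label boundary below, a domain the user actually logs in to. It classifies comms.nationwide.co.uk as trusted and nationwide-communications.co.uk, apple-security.com and apple-id.com as lookalikes, and it also shows the classic bug of a plain `endswith` test, which would accept notnationwide.co.uk. The sample headers are constructed for the example; the trusted list is assumed from the domains named in the thread. This is a naming check only, and it is no substitute for SPF/DKIM/DMARC alignment, which is what actually proves who sent a message.

```python
from email.utils import parseaddr

# Domains the user logs in to, per the post. Assumed trusted list for the example.
TRUSTED_DOMAINS = frozenset({"nationwide.co.uk", "apple.com"})


def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header. The display name is
    ignored because a phisher controls it completely."""
    _display_name, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rsplit("@", 1)[1].strip().lower().rstrip(".")


def is_under_trusted_domain(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if domain equals a trusted domain or is strictly below it,
    compared label by label so that 'nationwide-communications.co.uk' and
    'notnationwide.co.uk' are rejected while 'comms.nationwide.co.uk' passes."""
    labels = domain.split(".")
    for base in trusted:
        base_labels = base.split(".")
        if len(labels) >= len(base_labels) and labels[-len(base_labels):] == base_labels:
            return True
    return False


def naive_check(domain: str, trusted=TRUSTED_DOMAINS) -> bool:
    """The common mistake: a substring test with no label boundary."""
    return any(domain.endswith(base) for base in trusted)


def classify_sender(from_header: str) -> str:
    dom = sender_domain(from_header)
    if not dom:
        return "no-address"
    return "trusted" if is_under_trusted_domain(dom) else "lookalike-or-unknown"


if __name__ == "__main__":
    # Constructed sample headers, modelled on the ones described in the post.
    for hdr in ("Nationwide <noreply@nationwide-communications.co.uk>",
                "Nationwide <noreply@comms.nationwide.co.uk>",
                "Apple Security <support@apple-security.com>",
                "Apple <support@apple-id.com>",
                "nationwide.co.uk <x@evil.example>",
                "x@nationwide.co.uk.evil.example",
                "Nationwide <info@notnationwide.co.uk>"):
        print(f"{hdr!r}: {classify_sender(hdr)}")
```

The display-name case (`nationwide.co.uk <x@evil.example>`) is the one most mail clients hide, since many show only the name, which is why the check has to run on the address part.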


(Andy Wootton) #5

I responded to your mention of complexity. Autogeneration is a completely different matter. That’s crazy. It’s guaranteed to force most people to write the password down. I once worked in a roadmap IT team and had autogenerated passwords forced on us from above. I don’t think it lasted the day. We “escalated”, with a big shovel.


(Stuart Langridge) #6

Bruce Schneier once said that writing down your password isn’t necessarily a terrible idea. We are, in general, quite good at maintaining the security of small bits of paper with writing on them.

I’m not wholly sure I believe this, but he might have one-ninth of a point…


(Andy Wootton) #7

A Post-It on the bottom of the keyboard was a favourite with the electricity traders when I started as InfoSec Officer, and that was after money laundering training. Yes, it was called that.