It worked!
aaaaaaaaarse!
Oh god yes, the insecurity questions. The ones you have to invent answers to unless you want all your family members and half your old school friends to be able to get in… Seriously, whose daft idea were they? Much worse than the silly password rules.
When the actual answers to the default security questions are things easily discoverable on many people’s Facebook accounts, something really needs a rethink.
Hey, I have that on my luggage!
(The combination lock is larger than the suitcase. :D)
The technology is not quite there yet, but using your camera and microphone, passwords should include: a pantone color (252 C?), a sound (a shrimp sneezing), along with a random gesticulation (perhaps a Battement dégagé?), and in the future - an odor (red gravy with sage).
Only then will we be really secure.
Well, yeah, it is strange. I don’t know why they haven’t changed the configuration on that - I’m hoping it’s because they realize having yet another level of security beyond my having to log on to the network and then log on to a server to actually access the repository and then enter a password with stupid generation rules is a bridge too far.
Alternatively, no one in a security position has noticed. I’m not telling them, that’s for certain.
As far as security questions go, answer them all with the same answer, such as the name of your first pet, even if it’s asking for your mother’s maiden name or whatever.
I’ve posted this before, but it’s worth repeating. There is a simple formula for generating unique passwords for individual sites:
Pick three letters that are meaningful to you. Maybe your first girl/boyfriend’s initials or something like that, but don’t use your own. Make the first be upper case and the last two lower case. For this example, I’ll use my first girlfriend’s initials Mar.
Pick a special character. Just one is all. For this example, I’ll use @.
Pick a string of four digits that are meaningful to you, but not your SSN or something similar. The address of the house I grew up in was 1608, so let’s use that.
The last thing you need is the first three letters of the site you are visiting. Note that this will change each time. For this example, assume I am going to create an online account with Chase Bank. I’ll use Cha.
So I now string them together as follows: my first three letters, the special character, the three letters of the site and the four digit string. This would give me a password for Chase of Mar@Cha1608. If I were going to Wells Fargo, it would be Mar@Wel1608, etc.
This password structure has all the elements required, is easy to remember and is unique for each secure site you use it on. FWIW, password strength checkers indicate that the sample passwords shown would take over a hundred years to crack.
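The "over a hundred years" figure comes from meters that treat every character as an independent secret. As an added illustration (not the poster's code), the block below builds passwords with the formula described above and compares that naive estimate with the guess space that remains once the template itself is known, which it is, since the post spells it out; the assumed alphabet sizes (26 letters, 32 punctuation marks, 10 digits) are the only numbers not taken from the post.

```python
import math
import string

# Added illustration, not the poster's code: assemble passwords with the
# formula from the post and compare two estimates of how hard they are to guess.


def build_password(fixed_letters: str, special: str, site: str, digits: str) -> str:
    """Assemble a password the way the post describes: three personal letters
    (Xxx), one special character, the first three letters of the site name
    (Xxx), then four digits."""
    if len(fixed_letters) != 3 or len(special) != 1 or len(digits) != 4:
        raise ValueError("formula expects 3 letters, 1 special character, 4 digits")
    return fixed_letters.capitalize() + special + site[:3].capitalize() + digits


def naive_bits(password: str) -> float:
    """What a character-counting strength meter assumes: every position is an
    independent draw from the full printable alphabet (94 symbols)."""
    alphabet = len(string.ascii_letters + string.digits + string.punctuation)
    return len(password) * math.log2(alphabet)


def structured_bits(site_known: bool = True) -> float:
    """Guess space once the template is known: 26^3 letter triples (case is
    fixed by the template) x 32 punctuation marks x 10^4 digit strings.
    The site prefix adds nothing when the guesser knows which site it is."""
    letters = 26 ** 3
    specials = len(string.punctuation)  # 32
    digit_strings = 10 ** 4
    site = 1 if site_known else 26 ** 3
    return math.log2(letters * specials * digit_strings * site)


def unknown_bits_after_one_leak() -> float:
    """Risk note: if any one password built this way is exposed, the personal
    parts are known and the only varying part is the public site prefix,
    so no secret bits remain for the other sites."""
    return 0.0


if __name__ == "__main__":
    pw = build_password("Mar", "@", "Chase", "1608")
    print(pw, f"naive {naive_bits(pw):.1f} bits,",
          f"with template known {structured_bits():.1f} bits")
```

The "meaningful" digits (a house number, a year) and initials shrink the structured figure further still, because they are not uniformly random either; the 32-bit number is an upper bound.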
The worst one I had recently was setting my PIN for a new RSA token at work.
- 6-8 characters, alphanumeric, not case sensitive
- Cannot repeat the same character for entire PIN
- Cannot have a repeating pair of characters
- Cannot have a repeating set of three characters
- Cannot have a set of 3 characters repeated in reverse
- Cannot use characters that appear consecutively on the keyboard
Seriously? WTF?
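Whether rules like these help or hurt is measurable. As an added example (not the poster's code and not the token vendor's validator), the block below implements the six rules quoted above and estimates what share of random six-character PINs they reject; the exact meaning of "repeating pair", "set of three" and "consecutively on the keyboard" is not stated, so the readings used here and the QWERTY row layout are assumptions.

```python
import random
import string

# Added illustration, not the poster's code: validator for the six PIN rules
# quoted in the post, plus a Monte Carlo estimate of the space they remove.
# Rule interpretations and the keyboard layout below are assumptions.

ALPHABET = string.ascii_lowercase + string.digits  # not case sensitive: 36 symbols

# Assumed layout for the "consecutive on the keyboard" rule: two characters are
# consecutive if they sit directly next to each other in one of these rows.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def _keyboard_adjacent(a: str, b: str) -> bool:
    for row in KEYBOARD_ROWS:
        i, j = row.find(a), row.find(b)
        if i >= 0 and j >= 0 and abs(i - j) == 1:
            return True
    return False


def pin_violations(pin: str) -> list:
    """Return the names of the rules the PIN breaks; an empty list means accepted."""
    pin = pin.lower()
    v = []
    if not (6 <= len(pin) <= 8) or any(c not in ALPHABET for c in pin):
        v.append("length/alphanumeric")
    if len(set(pin)) == 1:
        v.append("same character throughout")
    # pair repeated back to back, e.g. "abab" (assumed reading of the rule)
    if any(pin[i:i + 2] == pin[i + 2:i + 4] for i in range(len(pin) - 3)):
        v.append("repeated pair")
    # three characters repeated back to back, e.g. "abcabc"
    if any(pin[i:i + 3] == pin[i + 3:i + 6] for i in range(len(pin) - 5)):
        v.append("repeated triple")
    # three characters followed by their reverse, e.g. "abccba"
    if any(pin[i:i + 3] == pin[i + 3:i + 6][::-1] for i in range(len(pin) - 5)):
        v.append("reversed triple")
    if any(_keyboard_adjacent(pin[i], pin[i + 1]) for i in range(len(pin) - 1)):
        v.append("keyboard neighbours")
    return v


def is_valid_pin(pin: str) -> bool:
    return not pin_violations(pin)


def accepted_fraction(length: int = 6, samples: int = 100_000, seed: int = 1) -> float:
    """Estimate the share of uniformly random PINs of this length that survive
    the rules; 1 minus this is the share of the search space the rules discard."""
    rng = random.Random(seed)
    ok = sum(is_valid_pin("".join(rng.choices(ALPHABET, k=length))) for _ in range(samples))
    return ok / samples


if __name__ == "__main__":
    for sample in ("k7h2x9", "aaaaaa", "abcabc", "qwerty"):
        print(sample, pin_violations(sample) or "accepted")
    print(f"accepted share of random 6-char PINs: {accepted_fraction():.3f}")
```

Under these readings the keyboard-neighbour rule does most of the pruning and removes roughly a fifth of the space; the repetition rules remove almost nothing from random PINs, because random strings rarely repeat. The real cost is to users, who respond to such rules with predictable patterns, which is the entropy loss that matters in practice.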
What ridiculous claim is this?
I was using a password on a Teletype-33 in 1968, and it had many of these same rules. (Except we didn’t have to worry about a lower-case letter – there were none.) But a minimum length of 6 characters, using both letters & numbers, and no repeating characters – those rules applied.
These special snowflake millennials seem to think they are the first at everything, and have it so hard.
And get off my lawn!
The guy in the article is 72 yrs old. How the fuck old are you to be calling him a whipper snapper millennial? Do you even use reading glasses, bro?
Doesn’t the no repeating characters rule narrow the search space for the ne’er do wells?
And they took less than a hundred years to tell you this? Then they’re just bullshitting. From what I’ve read about password crackers, that’d probably be somewhere in the few-hours range. Or nearly instantaneous, if they have access to any of your other passwords at all.
If their system had even the basic rudiments of security, it would be impossible to enforce this restriction. The fact that they are enforcing it proves that they haven’t made any attempt whatsoever at security.
The two worst I’ve seen, though, were both at universities. One was from my grad school: The administration was concerned about security in their Banner system (where students can check grades, schedule classes, and so on), so they sent out a memo saying that everyone should have passwords at least eight characters long, containing letters, numbers, and symbols, and so on… except the only passwords the system would actually accept were six-digit numbers.
The other was at the community college where I taught as an adjunct. When I was setting up my account there, it kept on telling me that my password wasn’t meeting the complexity requirements, so I kept on making it more and more complex… except that it turned out that it wasn’t meeting the complexity requirements because it was too complex, and what the system actually wanted was seven lowercase letters and a digit.
The answer to each and every one of those questions is “bullshit”. If the website insists your answers be unique they become instead:
- What was the name of your first pet? bullshit pet
- City Mom born in: bullshit city
- City Dad born in: bullshit city
- First foreign country visited: bullshit country
- First & last name of childhood best friend: bullshit friend
- First & last name of first manager: bullshit manager
- First & last name of first girl/boyfriend: bullshit girlfriend or bullshit boyfriend, depending on your orientation
- First concert you attended: bullshit concert
- What was the last name of your favorite teacher in your final year of school? bullshit teacher
- What was your childhood nickname that most people do not know? bullshit nickname
- First & last name of the maid/matron of honor at your wedding: bullshit maid
- First & last name of the best man of honor at your wedding: bullshit man
- First & last name of oldest niece: bullshit niece
- First & last name of oldest nephew: bullshit nephew
Remember that you can pick which Qs to use. So pick the questions that give unambiguous clues about which noun is the bullshit noun.
This isn’t difficult, people.
Reading a one page thread and noticing someone already made your exact suggestion isn’t difficult either but people still fail to do that.
hunter2
@CarnalK: Actually, I did see you had done that. Very neatly and succinctly. I also saw the other people ahead of you who suggested “use the same made up answer every time”.
But Spiderman’s long-form complaint was after all those posts. Which implied to me that he didn’t see them either.
I thought maybe he’d appreciate a personalized answer. When I noticed he’d used brown type I had a stroke of literary genius. For a lazy hazy post-wine-with-dinner kind of “genius”. I’m sorry if you were offended.
I have ten passwords, each with three variations. The passwords are never written anywhere. My notebook has “Bank” on the page for “Password 3a.” My secrets die with me.
Wasn’t offended at all. Just ragging on you.
I think I was the first to say make all of your passwords the same in Post #11. The problem for me is that my older accounts were set up with ‘real’ answers & over time, it would be tough to remember if it’s a real answer or a “Fuck You” answer that was created later. It was timely that I had to register for that site today & that I doubt I’d remember the real answers if & when I ever do hit the challenge questions.
The fact that multiple people, including me, have stated how to get around the ‘security’ with BS methods just proves that it’s another case of security theater.
I see a gaping security hole here.