Either my name, my password or my soul is invalid – but which?

Try as I might, it won't go in. I have entered pretty much everything else so far but this time I'm getting a definitive "no". I respect that, of course, but it leaves me jolly frustrated. Despite all my powers of persuasion, I'm left standing in the cold with one hand on my lock. Yes, lock. The site keeps rejecting my …


    1. Anonymous Coward

      Re: But...

      They don't let him sit up there after the LAST time. So now he has to let the pilot do all the flying.

  1. Halcin

    DNA to replace passwords? Has no one seen Gattaca?

    I was also going to say that replicating DNA is "easy" for those that know how. But even easier would be to say "bleed on this will you?"

    1. Teiwaz

      DNA to replace passwords? Has no one seen Gattaca?

      I was also going to say that replicating DNA is "easy" for those that know how. But even easier would be to say "bleed on this will you?"

      Gattaca? I thought it was a dreary Corporate training film....

      There's DNA in piss* isn't there? That's always an option

      * there is in faeces, hey, if they want a sample, might as well have something I'll be dumping at some point during the day anyway. I prefer to get lightheaded and trippy in my own time.

      1. Doctor Syntax Silver badge

        "there is in faeces"

        A lot of it is bacterial.

        1. Anonymous C0ward

          Probably some from the various animals I've been eating too.

    2. Doctor Syntax Silver badge

      I was also going to say that replicating DNA is "easy" for those that know how.

      Of course it is. I've been doing it all my life.

  2. PerlyKing
    Facepalm

    Really special characters

    I recently had to do a factory reset on my Android phone. When it came to signing in to my Google account afterwards, I discovered that my randomly-generated password contained a character which is not available in the stock Android keyboard. Now that's secure! ;-)

  3. Doctor Syntax Silver badge

    Let's call out the bollox of using email addresses as login IDs. A user ID and a password taken together are a long string. Doesn't it make it easier to guess the string if you're given half of it? And an email address is one thing that you do tend to give out. It's a mitigation, but no more, if you're able to set up individual addresses for individual sites, but the basic rule should be to have the email address as a separate field.

    Example 1. PayPal. The ID is the email address. OK, I can set up a unique address for this but I then find that PayPal hands out that address to merchants. Evidence? I had to change the PayPal ID (a pain in itself) because a merchant to whom I purposely hadn't given an email address decided it was a good idea to spam me using my PayPal ID. So PayPal, acting as a banker in that it's able to handle my money, is happy to hand out half my login credentials to a 3rd party. I'd like to think that they've stopped that crap under GDPR but I don't expect they have.

    Then there's the assumption that an email address is guaranteed to be a unique and permanent personal ID. It's neither.

    It doesn't necessarily have to be a unique individual address. Companies who adopt this tactic are quite happy to tell you to contact them on something like sales@numptiesrus.crap.

    And it certainly doesn't have to be permanent, especially if it's an ISP provided address.

    Example 2. I have a login at IBM which includes the name of my second (or last but one) ISP who, before I left them, had been taken over at least 3 times and hasn't been a valid, or at least a used, email address for at least 10 years. They won't allow it to be changed but do at least allow a separate, working, address to be provided.

    1. David Nash Silver badge

      Paypal

      Agree - I too had the experience of giving a merchant my preferred email address for them, and receiving email from them to my paypal login instead.

    2. Loud Speaker

      The purpose of using an email address for login is that the average idiot can remember his email address. He probably can't remember a password with more than 4 characters, but he can use the "reset password" button - much easier than typing 32 character passwords.

      1. Anonymous C0ward

        The other reason is that anything other than randomly generated gibberish, even firstname+lastname+birthdate-of-first-hamster, is usually already taken.

    3. J.G.Harston Silver badge

      But an email address is the only thing that is close to 100% going to be unique to you and nobody else. JohnSmith? Millions of them. InitSurname? Millions of them. XYZyyymmdd? Thousands of them. youremail@yourdomain? ONE. By definition.

      I had to set up a user list for just 30ish people. I hadn't got past 'A' before getting a clash with almost all naming methodologies.

  4. Anonymous Coward

    retarded rules on password

    "I should have known he'd come up with a daft suggestion like that. This is the bloke who would casually sabotage his own monthly New Password prompts by changing his password 11 times immediately and, for the twelfth, reset it to his old one again so he could carry on as before. He even kept his 11 non-passwords on a sticky note attached to his display bezel so that he could run through the same routine in the same order every month."

    I have no idea how "pro" security IT don't see that incoherent/retarded password rules that differ across multiple systems in the SAME company, with different expiration dates of course, won't do anything in favor of security!

    Every single member of staff I know in mine does the following:

    - get the magic prefix that works on all systems

    - increment the number every change

    End of the day, there is virtually NO change in passwords! It's not possible nor manageable!

  5. Katy_B

    I've noticed that many government sites which deal with things like your tax and NI record, and also most banks, will not accept special characters in passwords. Some don't even call for a capital letter as long as you have a numeral in there.

    It may be just me but I would have thought that banks and the government might think safer passwords were a good idea?

    1. Robert Carnegie Silver badge

      p!a!s!s!w!o!r!d!

      It's not really safer. And some systems choke on non-alphanumeric symbols in a password - I suspect one of our systems can't take a !

      A password of 8 genuinely random letters is safe. I standardise on Abcdef78 - as format, not as actual password - as concession to stupid system rules (and with all consonants, like I think I said above), and I put ! at the end if I really have to. But a password of a word with $ for S isn't safe because hackers have already got all those combinations in their dictionary.

    2. J.G.Harston Silver badge

      The HMRC site barfs on "special" characters anywhere you use them. "Note: 50% of income in 2015-16 after the first £500..." Barf! Sorry, can't accept that! No reason given, but by experimentation you have to remove : % - and - !!!! - £. When trying to submit your bloody taxes!

      1. AndyFl

        I share your pain

        Yes, you can't even put a <CR> into the box where you add more information, which makes it close to impossible to write anything even remotely readable when it is more than a few words in length.

        And as for prohibiting the percent sign! Words fail me - it is a fscking finance site!

        I have several times put a complaint into the feedback link - never got a response either.

        I had a huge problem signing up on the HMRC site in the first place as I was in Qatar. The password mail took 3-4 weeks to arrive but was only valid for 2 weeks. When I called them up to ask what I was supposed to do they suggested I got it sent to someone in the UK who could phone it to me. I think they have completely lost the plot. After all, what is the point of insisting they send out a super secret code then because they fscked up the expiry telling people to send it to someone else!

    3. J.G.Harston Silver badge

      HMRC won't even accept "special" characters in the damn text fields! You have to spell out £ % - & + / in full. Won't even accept newlines, so you have to run everything in one huge paragraph like Infant School.

  6. Anonymous Coward
    IT Angle

    Obligatory Dilbert reference

    He feels your pain.

    http://dilbert.com/strip/2005-09-10

  7. AndrueC Silver badge
    Facepalm

    I had a similar issue when I tried to sign up with Samsung several years ago (I had a good reason, I wanted a firmware update for my TV so I could get into the engineering console). Anyway it refused to let me create an account so eventually I had to resort to a less legitimate source. I've since found out that it was my DEA system that caused the problem. Samsung will not let you register an email address with 'samsung' anywhere in it. Of course it never actually tells you that :-/

  8. CAPS LOCK

    I would have thought that, by now, everyones password would be

    correcthorsebatterystaple. Mine certainly is.

    1. TomPhan

      correcthorsebatterystaple

      Our in-house training still recommends that as an example of a secure password.

  9. allthecoolshortnamesweretaken

    Re: "I bet you wish I'd captured all this on my webcam."

    Yes.

  10. Terry 6 Silver badge

    Teachers' passwords

    I used to see a lot of schools. In September everyone's password had either expired because it ran out at the end of the previous month, or been forgotten. If the former there'd be a queue to call IT support for the first day or two. If the latter it'd be post-it search time or a call to IT......

    Except for the teachers that had a memorable password and stuck a number on the end. They'd be the ones logged in and getting lesson plans and stuff printed before the kids came in. The others would be huddled in a panic waiting for their turn to talk to IT and trying to remember what it was they'd spent hours planning a couple or three weeks earlier.

  11. Anonymous Coward

    Stupid email address checks are the worst.... Most annoying* is FaceBook, which prevents you from using email addresses whose name is "mail", ... tough luck if your address is "mail@<mydomain>.com".

    * Though in hindsight, maybe it's a good idea to have a "fb@<mydomain>.com" that FaceBook cannot link to any of my online activity...

  12. Anonymous Coward

    Idiotic Clients

    One of my clients has insisted that users can have the same username; this client also insists that username and password can be the same. They want to make it as simple as possible for the users to login, I might as well throw my security certifications in the bin.

    I still work for them, mostly because they pay lots of cash.

    Anonymous obvs.

    1. Anonymous Coward

      Re: Idiotic Clients

      My neighbour wants me to remove my fence and the lock on my gate so he can have access to the public highway through my yard - from his yard that is unfenced and open to the highway and the great wild public at his end.

  13. toffer99

    Anyone got advice on password managers? I'm thinking of jumping to one.

    1. Giovani Tapini
      Black Helicopters

      use any one you like but don't be surprised if the NSA discover all your credentials soon after...

    2. Flakk
      Trollface

      One that hasn't been hit with security vulnerability disclosures? Oh wait, they all have. Nevermind. ;)

      It's not especially easy to use, and password data replication is a largely manual affair, but I like VeraCrypt (which, of course, also had vulnerability problems a few years ago). For me, it hits the sweet spot between the strong encryption that I like and the PITA factor that I believe is actually called for in some circumstances (the more sensitive the asset, the more difficult it should be to access it).

    3. Doctor Syntax Silver badge

      "Anyone got advice on password managers?"

      Run it locally. KeePassX is what I use, but then I use a single laptop most of the time so it's not too much trouble to occasionally copy the file if I need to, but I'm planning on using a Nextcloud server at home so that will make synchronisation even easier. I believe Android & iThing versions are also available.

  14. Barry Rueger

    Gmail addresses with dots

    For many years my primary email has been :

    firstname.lastname@gmail.com

    The period in the middle does seem to make everything clearer.

    Still, nearly ten years later, and despite Gmail owning 75% of the webmail market, there are sites that reject that dot.

    1. Andy A

      Re: Gmail addresses with dots

      Could be worse.

      One place I worked at used

      <firstname>.<lastname>@<country>.<division>.<companyname>.com

      Luckily, in my case <country> was just uk, but any number of services couldn't cope with the total length of the string, and many more borked at the dots. It's annoying to find there isn't room in the box to type the whole email address.

      Kept the spam down though.

    2. CAPS LOCK

      Re: Gmail addresses with dots

      Fear not. Gmail doesn't 'see' the dots so you can use 'firstnamelastname@gmail.com' instead.

      1. Anonymous Coward

        Re: Gmail addresses with dots

        I regularly get spam emails to my <myemail>@gmail.com - which were actually addressed to <my.email>@gmail.com

        There also appears to be 3 other people somehow with the same <myemail> , 1 in the UK and a couple in the USA, which is deeply disturbing.

        The drawback of having a relatively simple email address.

  15. Anonymous Coward

    Dvorak typing

    I'm not sure the Dvorak layout increased my speed (it did decrease my RSI) but if you switch back to Qwerty and type "Thisismypassword" you'll actually enter "Kjg;g;mtra;;,soh" or something similar and I've never met a password checker that doesn't think that a "strong" password.

    1. Dave559 Silver badge

      Re: Dvorak typing

      That sounds a risky endeavour. Possibly typing "Kjg;g;mtra;;,soh" won't actually summon an elder god, but some of the passwords that you might come up with would do...!

      (Hmm, working in the IT department at Miskatonic University must be an "interesting" experience...)
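The Dvorak trick above works because most strength meters score a password by length and character classes, so "Kjg;g;mtra;;,soh" looks random even though it is a dictionary phrase under a fixed one-to-one key substitution. As an added example, not from the original page, the Python below reproduces the remap from the comment and then shows a checker that undoes it before looking the result up in a word list, which is exactly the kind of rule a password cracker applies. The word list and the naive meter's thresholds are constructed for the example; the key rows are the standard US QWERTY and US Dvorak layouts.

```python
import string

# Standard US QWERTY and US Dvorak layouts, the three letter rows, in the
# same physical key order in both strings (lower-case, unshifted only).
QWERTY = "qwertyuiop[]" "asdfghjkl;'" "zxcvbnm,./"
DVORAK = "',.pyfgcrl/=" "aoeuidhtns-" ";qjkxbmwvz"
if len(QWERTY) != len(DVORAK):
    raise ValueError("layout rows must line up key for key")

# Fingers in Dvorak positions while the OS believes the keyboard is QWERTY.
DVORAK_FINGERS_ON_QWERTY = dict(zip(DVORAK, QWERTY))
# The inverse: the rule a cracker adds to undo that trick.
QWERTY_TO_DVORAK = dict(zip(QWERTY, DVORAK))

def remap(text: str, table: dict) -> str:
    """Apply a one-to-one key substitution, preserving case; characters
    not on the mapped rows (digits, shifted symbols) pass through."""
    out = []
    for ch in text:
        mapped = table.get(ch.lower(), ch.lower())
        out.append(mapped.upper() if ch.isupper() else mapped)
    return "".join(out)

def naive_is_strong(pw: str) -> bool:
    """The usual meter: length plus number of character classes.
    Thresholds are constructed for the example."""
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    return len(pw) >= 12 and classes >= 3

# CONSTRUCTED word list standing in for a real cracking dictionary.
WORDLIST = {"password", "thisismypassword", "letmein", "qwerty",
            "correcthorsebatterystaple"}

def is_dictionary_word_in_disguise(pw: str) -> bool:
    """Check the password itself and its layout-transposed forms
    against the word list, as a rule-based cracker would."""
    candidates = (pw, remap(pw, QWERTY_TO_DVORAK), remap(pw, DVORAK_FINGERS_ON_QWERTY))
    return any(c.lower() in WORDLIST for c in candidates)

if __name__ == "__main__":
    typed = remap("Thisismypassword", DVORAK_FINGERS_ON_QWERTY)
    print(typed)                                   # Kjg;g;mtra;;,soh
    print(naive_is_strong(typed))                  # True
    print(is_dictionary_word_in_disguise(typed))   # True
```

The class-counting meter rates the transposed string strong and the original weak, while the checker that tries the inverse map sees them as the same candidate. The same idea generalises to any fixed substitution (leet-speak, shifted rows, keyboard walks): a transformation that is cheap for the user to remember is equally cheap for an attacker to add as a rule, so it adds nothing that length and randomness do not already provide.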

  16. J.G.Harston Silver badge

    I once worked at an organisation that rolled out logon ids that were First Initial, Last Initial, Payroll Number (eg lh891234). Except for our small department who had started before this roll-out. Whenever we contacted the HelpDesk we had to go through the rigmarole of "your ID is your payroll number..." No it isn't! "Yes it is, your ID is your payroll number..." No! Listen to me!

    It was a struggle, but we eventually forced them to migrate us to the "standard" logon ID scheme.

    1. Wensleydale Cheese

      " your ID is your payroll number..." No! Listen to me!"

      The company running a course I was taking couldn't make up their minds what my real name was. Their correspondence had me down as firstname lastname middle name and lastname middlename firstname.

      Start the course and the lecturer says he's set accounts up in the form of firstname.lastname.

      No combination of the above variations worked. I had to ask the lecturer what the system thought my login was, and he couldn't understand the question, simply repeating "Firstname dot lastname".

      We set up a completely new id in the end.

  17. TomPhan

    My standard password anecdote

    A place I briefly worked at was very big on security and automatically generated random passwords for everyone at the end of every month. Which were printed and left in an envelope on your desk to start using the next day.

  18. earl grey
    Facepalm

    1-2-3-4-5

    That's the kind of combination an idiot would put on his luggage!

    Sorry, couldn't resist.

    1. Sureo

      Re: 1-2-3-4-5

      "That's the kind of combination an idiot would put on his luggage!"

      Might as well, the TSA and all the crooks know how to open it anyway.

  19. Terje

    I just don't understand why so many sites try to force you to weaken your passwords by specifying you must have at least one upper case character, one number and one non-alphanumeric character. There are ten numbers, and there are in reality something like 16 special characters that are ever likely to get used...

    Just enforce a decent length password. And for the love of god don't ...ing limit the password length at say 32 characters; if the function you use to hash the password can't handle arbitrarily long input (within reason) then fix your hash function, don't force the user to limit the password.

  20. Kevin McMurtrie Silver badge
    Trollface

    New password: Z?+>&d-*OT[,AwIHLuiM

    And simply click "Forgot password" if I come back.

  21. Flexdream

    "..all a thief has to do is nick your phone and he sits and waits for the second password to light up in front of him."

    And your better alternative to this is?

    1. EnviableOne

      Doesn't even have to nick your phone; it can be re-routed using SS7. NIST, NCSC et al. have recommended against SMS as a second factor for an age.

      IMHO, the best second factor available at the minute is the OAuth2.0 TOTP.

      However, why people are still dreaming up passwords I don't know; just plug the rules into your pwd manager, hit generate, et voilà... Plus it evades the $5 wrench method. I don't even know what most of my passwords are!

      Password size limit is redundant; a hash comes out the same length no matter the input.

      Forcing types is useless; length trumps complexity. Even if it's all lower case, a 14 char pwd takes longer to brute force than an 8 char alphanumeric with specials and uppers.

      Force a minimum of 12 chars, tie this to the pwnedpassword database, and disallow anything that was breached or in a sector/site specific common words list, and Robert's your parent's male sibling.

      1. Robert Carnegie Silver badge

        @EnviableOne

        I'm not quite sure I like this. Is it saying that I can't have password = 5000358745115 because someone else on planet Earth once had that password?

        It's not actually my password, it is the bar code of Tesco Omega 3 linseed oil tablets - which may not do you any good, it turns out.
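Terje's point about length versus composition rules and EnviableOne's recipe (a floor of 12 characters, no forced character classes, refuse anything in breach data or on a site-specific word list) can be put into working code, and doing so also answers the barcode question: the string is refused only if that exact value appears in the corpus. The Python below is an added example, not the page's own code and not the real Pwned Passwords service. The breach corpus, its counts and the site word list are constructed for the example; the lookup follows the k-anonymity range protocol the real service uses (SHA-1, send the first five hex digits, compare the remainder locally) but against that local corpus instead of the network.

```python
from __future__ import annotations

import hashlib
import math

# ---- keyspace: why length beats forced character classes ----

def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random password of `length`
    characters drawn from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)

# 95 = printable ASCII (all classes), 26 = lower-case letters only.
COMPARISON = {
    "8 chars, all classes": keyspace_bits(8, 95),
    "12 chars, lower-case only": keyspace_bits(12, 26),
    "14 chars, lower-case only": keyspace_bits(14, 26),
}

# ---- breach check in the Pwned Passwords k-anonymity style ----

# CONSTRUCTED breach corpus standing in for the real Pwned Passwords data.
# Counts are made up for the example.
BREACH_CORPUS = {
    "password": 1234,
    "123456": 5678,
    "correcthorsebatterystaple": 42,
    "5000358745115": 1,      # the barcode from the comment above
}

def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix that is sent
    to the service and the 35-char suffix that is compared locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def local_range_response(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>:
    one 'SUFFIX:COUNT' line per corpus entry sharing that prefix."""
    lines = []
    for pw, count in BREACH_CORPUS.items():
        p, suffix = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)

def breach_count(password: str, fetch_range=local_range_response) -> int:
    """How many times the password appears in the corpus, without the
    full hash ever leaving the client."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

# ---- the policy: length floor, generous ceiling, no composition rules ----

MIN_LENGTH = 12
MAX_LENGTH = 1024          # cap only to bound hashing work, not at 32
SITE_WORDS = {"register", "vulture", "elreg"}   # constructed site-specific list

def check_password(password: str, fetch_range=local_range_response) -> list[str]:
    """Return the list of reasons to reject; empty means accepted.
    Deliberately no upper/digit/symbol requirements."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(password) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    lowered = password.lower()
    hits = [w for w in SITE_WORDS if w in lowered]
    if hits:
        problems.append(f"contains site-specific word(s): {', '.join(sorted(hits))}")
    seen = breach_count(password, fetch_range)
    if seen:
        problems.append(f"seen {seen} time(s) in breach data")
    return problems

if __name__ == "__main__":
    for label, bits in COMPARISON.items():
        print(f"{label}: {bits:.1f} bits")
    for pw in ["5000358745115", "Z?+>&d-*OT[,AwIHLuiM", "ilovetheregister", "tiny"]:
        print(repr(pw), "->", check_password(pw) or "accepted")
```

The keyspace figures bear out the comparison in the comment: 14 lower-case letters is about 66 bits against about 53 bits for 8 characters drawn from all 95 printable ASCII characters, and even 12 lower-case letters beats the 8-character all-classes password. The length cap is kept generous rather than removed because the password hash still has to process whatever is submitted; where a hash has a short input limit (bcrypt stops at 72 bytes) the usual fix is to pre-hash with SHA-256 before it, not to cap users at 32 characters. The barcode is rejected here purely because it sits in the constructed corpus; with a different corpus it would pass the same policy.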

  22. Anonymous Coward

    My password would be

    Drop_Table <password.h>;

  23. J.G.Harston Silver badge

    Why am I commenting on a thread that is eight months old? How did I not notice this thread was eight months old? How did this thread bubble up to the top of Reg's news page making me think it wasn't eight months old?
