back to article Look, pal, it’s YOUR password so it’s YOUR fault that it's gone AWOL

Dear Mr Dabbs. Thank you for your business. Please see invoice enclosed. This doesn’t bode well: I am not the sort of person who is able to make private purchases on account. As much as I’d love to swan into a shop, point at various things and drawl “Send them over, will you, darlings?” as I saunter off into a waiting limo, …

COMMENTS

This topic is closed for new posts.
  1. chizz

    Amen brudder!

    ... that is all!

    1. Anonymous Coward
      Anonymous Coward

      Re: Amen brudder!

      The real issue with a lot of these password rules, especially the frequent change rules, is that they encourage people to write their passwords down on paper or into an unencrypted file.

      1. Anonymous Coward
        Anonymous Coward

        Re: Amen brudder!

        "The real issue with a lot of these password rules, especially the frequent change rules, is that they encourage people to write their passwords down on paper or into an unencrypted file."

        Yep...After the 15th time of being asked to change my passwords for a fairly basic admin system I just couldn't figure out what greater than 6 character string with at least one uppercase, one lower case, one special character and one number in it I could remember I simply mashed the keyboard with my palm and wrote down the result on a post it note attached to my monitor.

        My reasoning is that this system in no way needs a password, it certainly doesn't need to be this secure, and the alarm, locks and deadbolts on the doors and windows in the office are probably more secure against attack than my PC is.

      2. phuzz Silver badge

        Re: Amen brudder!

        If the place where you keep the paper is secure, then that's a pretty good way of storing a password. No hacker is going to be able to guess it, they'd have to break into your house/office to get hold of it, and if someone is going to those lengths, well...

        1. Anonymous Coward
          Anonymous Coward

          Re: Amen brudder!

          "If the place where you keep the paper is secure, then that's a pretty good way of storing a password."

          This.

          Physical security trumps digital security, in an office environment not so good, but ideal for home use.

          Obfuscate or salt them simply if you like, to avoid casual theft.

        2. Acme Fixer

          Re: Amen brudder!

          Meh... All they have to do is dig through the trash on the first of the month.

      3. Acme Fixer

        Re: Amen brudder!

        You forgot the Post-it note on the monitor, or underneath the keyboard. I know from experience.

        IT security people are a bunch of I D 10 Ts

  2. Captain Scarlet Silver badge
    Terminator

    Password hell

    Reminds me of our outsources helpdesk, I look away for a second and it decides "You've been idle for to long BYE" along with anything on the screen no matter how long.

  3. Frankee Llonnygog

    Password rules

    Llonnygog's law: The complexity of password rules is in inverse proportion to the sensitivity of information being protected.

    1. Martin Budden Bronze badge
      Thumb Up

      Re: Password rules

      Let's take Llonnygog's Law to its logical extreme to see how it holds up: for 15 years during the Cold War, the code meant to prevent unauthorized launching of the United States' arsenal of Minuteman nuclear missiles was apparently "00000000". Yep, Llonnygog's Law holds up pretty well!

  4. Tom7

    Website policy stupidity

    My electricity provider's website is the worst. I have to log in to it once every three months to pay my electricity bill. Its password rules are arcane and impenetrable, and inevitably wind up with me having a password that is impossible to remember when you only use it every three months.

    I usually deal with this situation by typing random rubbish in as a password, then hitting the "I forgot my password" button next time I need to log in. But they've cunningly found a way of thwarting this method. When I signed up, I had to also choose a "memorable word." Seriously. Pick a word that's memorable, that you won't have forgotten in three months time when you come to log in next.

    The end result is, of course, that I don't log in, I call them and pay over the phone. I wonder how many people ever manage to pay their bill through the website.

    1. Nick Ryan Silver badge

      Re: Website policy stupidity

      The other "security" function is that these dumb sites force you to record a memorable place, date and name. All in the interest of security of course. Anybody sane in security (can't be many left) knows that this usually leads to a less secure system than a more secure one.

      And as for "Verified by Visa" (or the equivalent for MC), I have never, ever, entered my password correctly on that. Every time I click "Forgotten Password", enter some trivial details, enter another junk password that I'll never remember and that's it. Does this aid security in any way? No

      1. I ain't Spartacus Gold badge

        Re: Website policy stupidity

        Verified by VISA is truly craptastic.

        Although, to be fair to it, there is one mildly useful security feature. It shows me a password, that supposedly only VISA know. So I know that the vendor have connected to VISA's servers. However, given the piss-poorety of the design of that, I'm sure that's probably printed in large flashing letters on top of their building, along with my credit card number and d.o.b. whenever I use the 'serivce'.

      2. Irongut

        Re: Website policy stupidity

        My bank insist on knowing the answers to 5 security questions, a random one of which is asked alongside the Verified by VISA password. The problem is I can't actually answer a couple of them - e.g. Q. What was the name of your first pet? A. I've never had a pet so wtf am I supposed to say?

        The last time I phoned them the computer asked me for the position of two letters in my password - only the two letters it asked for aren't in my password! Or the password I used before the current one, or any password I remember. Fortunately it eventually let me though to a human who confirmed it was wrong.

        1. Anonymous Coward
          Anonymous Coward

          Re: Website policy stupidity

          "Q. What was the name of your first pet?"

          My first pet was called Bob and that triggered "pet name too short".

          " A. I've never had a pet so wtf am I supposed to say?"

          The questions can be too Yankified as well. They seem to have a fascination with memories of school days that simply doesn't exist for me.

          1. John Miles

            re: A. I've never had a pet so wtf am I supposed to say?"

            how about "PetsIHaveHadNone" (or similar)- usually gives you chance to enter something more secure than Rover/Spot etc.

          2. Acme Fixer

            Re: Website policy stupidity

            So, put in your wife, gf, or relative's name instead. I suppose that Mickey Mouse would trigger some kind of flag, as would Bart Simpson. Oh, yeah, those are both "Yankified"...

        2. SoaG

          @Irongut

          I recently set up an online account over the phone with an institution I'd never dealt with previously. They asked me a number of verification questions, including an either-or for which both options were wrong. Which was actually the point. A fraudster would make a 50-50 bluff and then call back later and try the other option if he got it wrong, whereas the real account holder would know the correct answer and say 'neither'.

          I agree that pre-defined verification questions are terrible. The most likely person to attempt to fraudulently access any website under my name is my ex-wife (again) and she knows all the answers to the usual questions. Much better to let me write-in a question with a non-obvious answer.

      3. PaulR79

        Re: Website policy stupidity

        @Nick Ryan The thing with set questions like those is that you are in charge of what you put for an answer. Memorable place? Potato. Memorable date? Pluto. I've similarly ignored answering truthfully to standard questions for a while to throw off anyone that might be capable of guessing the answer to security questions.

        1. Anonymous Coward
          Anonymous Coward

          @PaulR79

          I just answer 'fuckyou' for the answer to every one. If it won't let you, be creative with your swear words. You get the added benefit, that if asked for them on the phone by some annoying customer service monkey you get to say 'fuckyou' to them.

          1) what the fuck business to they have knowing these personal details. More info on me you can sell.

          2) the very nature of the questions are EXACTLY the kinda thing you'll find the answer to on facepuke in 30 seconds.

          There's the other twist to this, like google/yahoo do when you sign in to mail sometimes:

          'in order to make your mail more secure and aid you recovering if you forget your password, please tell us your mobile phone number'

          ah.. yeh my mobile number.. cause that's a nice bit of info there for you to sell eh. Not the colour of my eyes or how many fingers I have... no.. my mobile number, so you can flog it to the PIP scammers. fuck you. fuck you all.

      4. Anonymous Coward
        Anonymous Coward

        Re: Website policy stupidity

        "And as for "Verified by Visa" (or the equivalent for MC), I have never, ever, entered my password correctly on that. Every time I click "Forgotten Password", enter some trivial details, enter another junk password that I'll never remember and that's it."

        I did that a couple of times, until I found that they accepted "shitvisa666".... Not forgotten it once since.

        1. Pookietoo

          Re: "shitvisa666"

          My usual response to that sort of thing is "Fuck0ffV1sa/Yah00/wh0ever", which is not only memorable but also heartfelt.

          1. Martin-73 Silver badge

            Re: "shitvisa666"

            It appears that my idea isn't unique then

        2. Acme Fixer

          Re: Website policy stupidity

          Gee, thanks for your password! :-p

      5. Havin_it
        Facepalm

        Re: Website policy stupidity

        My bank's clientèle must have moaned a lot about the extra hassle of VbV, at least that's the best theory I can come up with, because a month or two after rollout, the password prompt was binned. Now there's just a few seconds' wait and a throbber while the vendor/PSP site contacts the bank, then it's job done.

        Or it could be the vendors themselves, having gotten their ears bent with all too much "What the hell's this, I already put my card number in!" etc. Either way, if true it amounts to a damning indictment of my fellow patrons (not to mention majority shareholders, hint hint) of the bank in question.

        Other, more charitable theories welcome.

    2. Joe 35

      Re: Website policy stupidity

      You can never be too careful. A password is obviously needed in case someone was to maliciously pay your bill for you.

      1. frank ly

        @Joe 35 Re: Website policy stupidity

        I encountered that problem 3 years ago when I tried to pay my (ill in hospital) Mother's phone bill, we were both with Virgin Media. They wouldn't accept my encyclopaedic knowledge of her and her account details. Eventually I drove 100 miles to her house and made the phone call from her phone, thus 'proving' my bona-fides and obtaining details for making a direct transfer from my bank account. I'm surprised that they didn't accuse me of being a burglar who'd broken into her house.

        1. Where not exists

          Re: @Joe 35 Website policy stupidity

          And that is the failure on online, paperless billing. If you become ill and someone needs to pick up the pieces for you, well, good luck. They're probably not going to even know what bills are coming in, let alone being able to get them paid for you. I had to do this for an unrelated friend. If her billing had been electronic rather than on paper she would have been confronted with all manner of late fees, collection threats and service terminations after her hospitialization.

    3. Solmyr ibn Wali Barad

      Re: Website policy stupidity

      Around here, major banks are doing a bit of community service, and are providing website authentication services on very amicable terms. Authorization tokens from the online banks are accepted by most utilities and e-tailers.

      Bank credentials have to be guarded with utmost care, obviously, but the password hell is neatly avoided.

      1. Gazman
        Unhappy

        Re: Website policy stupidity

        Tokens seem like a good idea until you get the new HSBC calculator-style one for Australia.

        Step 1) Turn on device with (stupid finger breaking) key press combination

        Step 2) Enter PIN to activate device (!!!)

        Step 3) Enter last eight digits of your account number (!!!)

        If suitably annoyed, add:

        Step 4) Run over device repeatedly with car before closing account.

        1. Martin Budden Bronze badge
          Coat

          Re: Website policy stupidity

          Step 5) Discover that a non-run-over device is required to close account.

      2. Tom7

        Re: Website policy stupidity

        Haha. My bank sends out a one-time-code-generating fob to use when logging in to internet banking. Each time you login, you put your PIN into the fob and it spits back a login code. It's great.

        But... somehow they IMPROVE on the security of this scheme by also asking what the make and model of my first car is.

  5. Anonymous Coward
    Anonymous Coward

    Google authenticator

    That reminds me of the beef I have with the Google authenticator and OTP devices in general: it may have escaped the people who designed this that we're not using ATMs but genuine computer thingies with lots of keys.

    Why the f*ck do I have to type in 6 digits if you can get more variations out of 4 alphanum characters, even if I remove the ones that could be confused such as 1 and l? Hello? Forgot that we actually enterd the twentyFIRST century?

    On the plus side, that is an example of an OTP that works, even if it is bound to time instead of a challenge-response approach, so well done Google (for once)...

  6. ukgnome

    No end of Sharepearean sonnets will protect me from eBay’s lead windows or a Ministry of Defence civil servant leaving his laptop in a taxi.

    Is that a deliberate error? Or an open source bard?

    1. Alistair Dabbs

      >> Is that a deliberate error?

      Oh how I wish my errors were deliberate.

    2. dogged

      Having initially missed the typo, I just spent three fruitless minutes seeing if that phrase would work in Iambic Pentameter thinking Mr Dabbs had done something clever.

      Dammit.

  7. Anonymous Coward
    Anonymous Coward

    Password huh...

    I don't care about my eBay password being stolen, my acount wasn't raided, the complex password isn't being used elsewhere and I've changed it now. What I care about is the time it took eBay to tell me it had been swiped, therefore increasing the exposure of my account being used fraudulently, but most importantly, they've let some scumbag have my name, address, phone, D.O.B and probably other info too!! Just about all they need to impersonate me for fanancial gain.

    Authorities should fine them a very large ammount and put it in a fund to help fraud victims who have lost personal info from their eBay accounts for the next few years.

    1. Anonymous Coward
      Anonymous Coward

      Re: Password huh...

      I'd like ANYONE to tell me why you'd ever store customers personal info in an unencrypted form like eBay did (and a lot of others probably do).

      1. I ain't Spartacus Gold badge
        Unhappy

        Re: Password huh...

        I'd like ANYONE to tell me why you'd ever store customers personal info in an unencrypted form like eBay did (and a lot of others probably do).

        Oh I can do that. It's cheaper.

        Just like it's amazing the number of companies where helpdesk/tech support can see your password on their screen when you phone up. Because basic security is just too much effort.

        1. Asylum Sam

          Re: Password huh...

          I especially like 1and1 internets phone security, where they insist that you give them your full login password OVER THE PHONE

    2. I ain't Spartacus Gold badge

      Re: Password huh...

      That's a bit like BT's pisspoor excuse for a security announcement about the hack of btinternet.com.

      We have a very old company email addy on there, that's still used. When it's not drowning in spam from other btinternet addresses. They forced a password reset. Didn't email us to say they were doing it, just invalidated the password on their pop server, and waited for us to guess.

      Nothing on the service status on bt.com either. That service is always up, they only occasionally post a problem when it covers one exchange and after it's solved.

      Great. I reset the password. But remember something I'd seen on El Reg. It was of course the bloody password reset database that had been hacked.

      Surprise! Surprise! We had to reset the password the next day. Again no error message, or warning email / letter. This time I changed the security details.

      At least this vindicates my policy of always lying on security questions! This email was set up ten years before I joined the company.

    3. Donut4000

      Re: Password huh...

      I found out about the eBay leak from the Beeb, and changed my password to something new and horrible when I got home. A week letter (yesterday), I get an email from eBay saying they'd been hacked and I should change my password. This wasn't another, newer hack, but the original one - the one the media had been having a field day over, with eBay keeping firmly schtum throughout. I'd like to say better late than never, but I think that would be a load of balls....

  8. I ain't Spartacus Gold badge
    FAIL

    That's a nice mobile phone scam you've got there

    I've not heard of that mobile scam before. I wonder how they allow their tills to ship out phones on credit like that? It's just asking for trouble.

    Reminds me of my temping days in the mobile industry.

    I was working for an insurance company, doing mobilie insurance at £5-15 a month, for a chain of shops. Bronze, silver and gold. I'd bene there a mere week, when they sacked the person who processed credit card transactions. So I got that job. As a temp. With private access to the credit card terminal and about 10,000 files with people's card numbers and addresses on. Nothing I did was ever checked. Plus tens of thousands of other files with the direct debits and all the banking info.

    After two weeks I noticed that they'd fucked up, and were only renewing the Direct debit after a year on Gold subscriptions. Even though the contracts were for at least 2 years. They rewarded me for this act of genius on my £6 an hour temp heaven by saying thanks, and sacking me 2 weeks later. I think at that time there payment processing team entirely staffed by temps was down from 6 to 2. So I dread to think what state it was in. We saw our manager about twice a day.

    However, we were so well run that we had the trust of the banks. We were allowed to process Direct Debits without presenting any evidence to the bank. We maintained our signed copy of the Direct Debit mandate, the bank never checked them. And obviously we had nothing to check the signature against, even though it was often in a different coloured pen (for some reason). I used to get a call from the banks' call centres every couple of hours, with a customer querying a payment on their other line. Sometimes just because we weren't called the same as the mobile company, but mostly because the salesman had filled out the insurance agreement after the customer had left, to meet his bonus targets.

    Then I got one of the funniest documents I've seen in my working career. Internal audit had audited one of the stores. And posted it to the separate company who ran their insurance, rather than their own head office. Top work there chaps! The shop hadn't counted their Pay&Go top up cards (back when they were scratch card things in cellophane). Or done a stock take of any kind. In over 2 years. Apparently the staff would take a handful of them whenever they went down the pub, and sell them cheap for beer money. Probably a few handsets as well.

    There were several signed, but un-processed, customer direct debit mandates for contracts and insurance. Some from months ago. With all the good details on. Some were on the side by the till, in the actual shop, on open display. Others were in the kitchen and break room. Some had made it as far as the office. The kitchen hadn't been cleaned in ages. There was rotting food in the fridge and on the work surfaces.

    The report conclusion: Above average. 75%!

    After being dumped, at 4 o'clock on a Friday afternoon, thanks for helping the temp get a post for next week old chaps, I think I only did one more temp job before getting something permanent, and none since. So I have just over a month of experience in the mobile phone industry (from the late 90s), and it doesn't seem that much has changed.

    1. Tom7

      Re: That's a nice mobile phone scam you've got there

      I once managed to get my landlady to pay for a course I was taking. The school called me to chase payment, which was in installments by direct debit. I knew I had my bank account details written down on a piece of paper somewhere on my desk, so I scouted about until I found a bank account number on my desk. Unfortunately, my landlady had an account at the same bank and what I'd found were her details.

      I rattled these off to the school, who passed them on to the bank, who dutifully started transferring money out of her account, despite the name on the account being 100% wrong.

      It was only three months (and three payments) later that my landlady noticed these payments on her account statement. She queried it with the bank, who queried it with the school, who queried it with me. Both the bank and I had very red faces.

  9. This post has been deleted by its author

  10. BigAndos

    I still can't believe they clearly didn't have two factor authentication on their remote DB access, that just seems shoddy. RSA tokens etc are pretty widespread technology these days!

  11. GlenP Silver badge

    You Couldn't Make it Up

    I signed up on one site which required the usual additional security:

    Where were you born?

    What was the name of your first school?

    What was your mother's maiden name?

    Fair enough except for the following paragraph:

    You MUST ensure your answers are unique to this site!

    Bit difficult without the aid of time travel to change those answers.

    1. Roger Greenwood

      Re: You Couldn't Make it Up

      Just lie like everyone else - how are they going to check?

      Then when they get hacked it doesn't matter.

      It is also nice to get birthday wishes every month.

      1. I ain't Spartacus Gold badge

        Re: You Couldn't Make it Up

        It is also nice to get birthday wishes every month.,

        I've picked one new birthday, so I can actually remember my fake d.o.b. Rather than just picking randomly as I did before.

        Except for restaurant mailing list sign-ups. Those have to be carefully picked, so you get nice vouchers, spread around when they're useful. So a couple of them are near my actual birthday. Though sadly the last one to regularly remember my birthday have closed down their branch here. So no more birthday tapas for me.

  12. MooseMonkey
    WTF?

    eBay

    eBay = Twunts

    Thats not big, it's not clever, but neither are they anymore.

  13. Cosmo

    Happened to me with Vodafone

    A very similar thing happened to me with Vodafone. To be fair, their security system worked reasonably well. Two days after the HTC One M8 was released, I got a text message telling me that one was ordered and on its way soon. Great! Except that I hadn't ordered one.

    So I log into my account to find out that someone has logged in, ordered a phone in my name, but changed my address to one in Purfleet in Essex. I fortunately got the order cancelled and got my account reset.

    However, I then had the hassle of creating a new account, mating it to my phone and then found out that Vodafone had helpfully reset my content control settings, so I was blocked from putting on a cheeky bet on the Grand National. Grrr.

    This happened just before the Heartbleed saga kicked off, but I think that it's more likely that a rogue employee fancied himself a shiny new phone and picked some details at random to "borrow"

    1. Alistair Dabbs

      Re: Happened to me with Vodafone

      In this most recent instance, they had a record of the specific shop that the mobile handsets had been picked up from, along with the date, my address and an unusual variation on my full name. The customer services man was polite and reassuring that I had nothing to worry about but also very firm in refusing to provide me with any more details about what had happened.

  14. cracked
    Pint

    I always wanted to be Mr Tickle

    1. Alistair Dabbs

      >> I always wanted to be Mr Tickle

      Is that a pertinent comment or a quote from the Rolf Harris trial?

      1. cracked

        Re: >> I always wanted to be Mr Tickle

        Mr Tickle has been involved with Rolf Harris!!!? I thought it was that nice man off of Dad's Army! I'm never buying a Mr Bump themed bandage EVER again!

        Friday Note to El-Reg Footer Writers: Go to the pub. even the f**king writers don't read your sh1t!

        ... Once up on a time, many, many years ago - when this place had fewer readers than journalists ... anyway ;-) ... reading all the way to the very bottom of articles was rewarded with a T-Shirt. Not that I ever read to the very bottom of any articles to have won any T-Shirts ...

        ;-)

        1. Alistair Dabbs

          Re: >> I always wanted to be Mr Tickle

          >> Friday Note to El-Reg Footer Writers: Go to the pub. even the f**king writers don't read your sh1t!

          Not true. Not only do I read that sh1t, I write that sh1t myself.

          1. cracked
            Pirate

            Re: >> I always wanted to be Mr Tickle

            Yes, and I can see now just how stressful life as an El-Reg Footer Writer is ...

            ... so there was me, giving one of the finest examples of your work the bigun ... and you prove just how stressed you are, by completely forgetting you'd done it!

            Next you'll find yourself down the pub, winding down after another exhausting day at the El-Reg Footer Writing coal face, only to accidentally let slip your user name and password ... and before you know it Mr Cullen and CabbageBoy will have been dragged away for aiding and abetting identity fraud!

            Friday Note to El-Reg Management: Shorter working hours for El-Reg Footer Writers is a must!

            ;-)

    2. I ain't Spartacus Gold badge

      One of the companies in my industry have 3 Mr Tickles. They were founded by a Mr Tickle, and two of his sons have since joined the business.

      There was a Mr Himmler in the accounts department of my last company. I was always surprised he hadn't changed it, given he was in the Hamburg office.

  15. Dan 55 Silver badge
    Boffin

    It's 2014 and websites still can't generate login certificates...

    What's wrong with the likes of e-bay, Amazon, or banks generating a certificate to allow access when you first open an account, which the browser stores, and from then on no need for passwords at all because your browser offers up the certificate when you go to the website.

    Then there's the problem of getting in when you've deleted your certificate or got another computer, which could be solved by auto-generating a 50 character password (hashed and salted of course) and telling the owner to print it out and file it away with other important papers. Just making people treat something in the same way as other important things usually means they end up taking it seriously.

    Just about anything is an improvement on letting people using simple passwords because they can't be bothered to remember complicated ones or allowing any computer in the world infinite attempts to guess your password and get at your money or enough of your info to steal your ID.

    1. I ain't Spartacus Gold badge

      Re: It's 2014 and websites still can't generate login certificates...

      Dan 55,

      Certificates are too difficult to handle. I can't see the banks wanting to have to support ordinary users installing them manually.

      Also I can remember how much hassle it was to get Android to talk to our company proxy, in order to get emails. And the banks are increasingly moving their customers onto mobile devices.

      1. Wensleydale Cheese

        Re: It's 2014 and websites still can't generate login certificates...

        "Certificates are too difficult to handle. I can't see the banks wanting to have to support ordinary users installing them manually."

        That's a deficiency of the current implementation.

        What we need is a system with decent interfaces which make handling certificates a doddle.

      2. Dan 55 Silver badge

        Re: It's 2014 and websites still can't generate login certificates...

        There's no real reason why certificates for just one website can't be shown in the password manager, only instead of a password in the password column there could be an icon of a certificate.

  16. mdubash

    Why complicate things? Use a password manager like KeePass and run it on all your machines and phones. Easy...

    1. cosymart

      Why would I want to keep ass?

      1. Old Handle

        You don't wanna LOSE your ass, do you?

        1. Martin Budden Bronze badge
          Coat

          An ass can be a very useful creature to keep, but mind it doesn't munch your carrot-copter.

    2. Velv Silver badge
      Facepalm

      Love the theory...

      I have just this week done said, although with a different product.

      My experience so far is mixed, not so much with the password manager but with the websites. I set the password manager to use 16 characters, and all four character types.

      About half the websites I visited to set a new password wouldn't accept such a complex password.

  17. Stevie Silver badge

    Bah!

    Password aging is a stupid brute force answer to a subtle problem and only ever inconveniences the legitimate owner of the credentials said passwords 'protect'.

    What is needed is more sophistication as to looking at how people *use* their credentials and detecting out-of-band usage. This is not new tech. Credit card companies have been able to do this with remarkably few false hits since the mid eighties to my certain knowledge.

    Nor is using one technique to 'secure' credential usage adequate.

    The mistake isn't in thinking any software solution is secure, it is in thinking that a password/userid is a person in the first place.

  18. Jamie Jones Silver badge
    Happy

    Password audit

    Many years ago, I was working for a company that decided we were to run password crackers/scanners on all the 60,000 or so users.(All that effort when the systems generally, and operating procedures were full of more holes than *Insert name of something here that is known to have lots of holes*)

    Cue the mountain of support calls this generated, but there was one that really stood out.

    It turned out that the guy had moved to another job in another city (but same company). His old account had been set to redirect all email to his new account, and his old account (which had a crackable password) was still live a year later (due to slack support procedures).

    I received an email which read:

    "How can you tell me my password, '6inches', is easily guessable? Havee you or any of your staff ever slept with me?"

  19. G7mzh

    The company I used to work for forced a new password every few weeks, and the system came up with various excuses why the one you chose wasn't valid. The result was that people gave up and simply used each others' login details until they could be bothered to think of one the machine liked.

    The other thing that always makes me roll my eyes is when you're trying to pay a bill over the phone and the payee wants all sorts of security checks. Why they need to know all that when I'm trying to give them money is beyond me. I used to work in a collections office and we didn't care _who_ was paying the account, as long as they were paying with their own money.

  20. Anonymous Coward
    Anonymous Coward

    For those favourite teacher, mother's maiden name, favourite colour, first pet security-type questions I never forget because I use the same word as the answer for all of them.

  21. All names Taken
    Paris Hilton

    I soon discovered that so were any combinations that included what it recognised as names of streets, places, English regions and nearby restaurants. The inclusion of any proper noun, even with substituted numbers for letters, rendered an entire password invalid.

    Maybe the programers want to be sure that no password is used by more than one login username?

    Just a thought ...

  22. Anonymous Coward
    Anonymous Coward

    Going the extra to close the sale

    Inner leg and DNA sample? Talk about data slurp...

    Pics or it didn't happen.

  23. Roger Mew

    Easy to stop

    The copy of passport is dead easy, IF the company have not seen your real passport AND got a real signature from you on the photocopy then its not even proof. Here in France you can get free of charge your photocopy notarized. That is a photo copy that is recorded and stamped. Now if the thief were to produce just a photo copy then when the person goes out back to "photocopy" said document they surreptitiously photograph the person or even tell the person they need to do that and then call the police.

    If you are silly enough to let Tom, Dick, or Harriet have your docs and walk away with them you deserve your punishment.

  24. Dr Andrew A. Adams
    Holmes

    "Remember, our security is your top priority." FTFY.

  25. Mark 110

    2 factor

    Is there not a market for a widespread 2 factor, or just physical authentication service. I would use it.

    Give me a key fob (or mobile phone app) with a number changing every minute that I can use on all participating websites. I'd pay £20 a year for the inherent security and lack of password hassle. Blizzard implemented something similar for stopping WoW hacking, but I just want one app for all my authentication.

    Its got to be a viable business opportunity.

  26. sarahemmm

    Maybe I'm thick, but

    when I log in to my work pc, if I get my password wrong 3 times in a row, I'm locked out. Surely, unless a password is so ridiculous that you can guess it in 3 goes, the same system should prevent all these dictionary hacks??

    1. Martin-73 Silver badge

      Re: Maybe I'm thick, but

      Given that some browsers autofill the passwords (I DO use this feature on some of the lower security sites, because I am of the opinion that if someone has physical access to my pc, I have bigger problems), and will do so repeatedly even when you're trying to change the stored password [glares at firefox], maybe an expiry of 10 false attempts might be better, possibly with a dire warning when you get down to 3 remaining.

      Maybe something along the lines of "You have entered a string of passwords, all identical. You are about to get eaten by a grue"

      1. Jamie Jones Silver badge

        Re: Maybe I'm thick, but

        The idea was originally to protect against offline dictionary attacks - in cases where a hacker manages to get hold of the encrypted/hashed password database (just like the recent eBay case), but you are largely correct in that this fact is now largely overlooked by people who seem to think you can throw a few million password attempts at an online system a) without being noticed and b) in a manageable timeframe.

        Though bare in mind that any over-zealous incorrect password account suspending setup can itself be a problem, as a malicious person could use it to lock a legitimate user out

  27. Kiwi Silver badge

    Skype..

    Not too long ago set up a Skype account, using a phrase much like the Shakesperean one mentioned in the article. About 7 words, a sentence but one that only really makes sense to me (well,maybe to others but you wouldn't guess it no matter how well you know me), and with random number/letter substitutions as well as random replacements for spaces. Skype said it was too guessable.

    So I went with a sequence of characters that IIRC makes it into the top 10 (and certainly top 20) passwords at least by style. 8 characters, involving upper and lower case letters, numbers and punctuation.. That it's !QAZxsw2 doesn't at ALL matter to Skype, it's perfectly acceptable. Bloody common, but acceptable.

    Really, when it comes down to password security, if you close out the account after x tries (and make x reasonably low, eg 100) so that any re-activation has to be done via email or some other contact with "support", then we should be able to use whatever password we want so we can remember it (or just do what I do, reset it every bloody time because I can no longer remember them and resetting them takes less effort!)

  28. Medixstiff

    So after reading the first few comments...

    I have to ask, does no-one else use a password safe?

    1. Michael Wojcik Silver badge

      Re: So after reading the first few comments...

      No. You are the only person in the entire world who has ever used a password safe.

      Had you read a few more comments, you'd've seen other people humblebragging their use of password safes, as several commentators do for every single Reg story that mentions passwords. This is an IT site. Most readers here know about password safes. Some use them, some don't like them, some can't be bothered.

  29. Roj Blake Silver badge

    ID Theft / Fraud

    It's like when the banks decided to replace fraud (which they pick up the bill for) with identity theft (for which they can sell insurance).

    1. Jamie Jones Silver badge
      Thumb Up

      Re: ID Theft / Fraud

      Exactly!

      It should be the banks problem - not mine - if they mistakenly think a fraudster is me...

      Mitchell and Webb: Identity theft

  30. stu 4

    Verified by Visa

    It was ALWAYS about shifting blame to the consumer and NEVER about security.

    Shackled by the credit card protection act, they were desperate for a way out - so lets make a system which 'looks' like it adds security, when actually it adds FA security at all.

    As El Reg pointed out themselves:

    http://www.theregister.co.uk/2010/01/27/3d-insecure/

    ANYONE can reset a VbyV when they've nicked yer wallet - all you need are basic details in anyones wallet.

    And WTF is with the 3 boxes for letters of your password???? They don't auto-tab to the next one.

    I mean FFS, you type one in, then you have to mouse to the next box... and work your way through your password again mentally and work that one out.... click the mouse again... arseholes.

    VbA: verified by arseholes.

    1. Anonymous Coward
      Anonymous Coward

      Re: Verified by Visa

      In a previous life I worked at a place where our CMS, POS and Memberships were all run by one sprawling bit of bought in software. I administered it locally, but any heavy lifting I had to ring the vendor for. The vendor was some 2 bit hashed together outfit, with one dev, one "creative" and a PA.

      Best memory from that is being forwarded an unencrypted e-mail from said vendors with an Excel attachment. In the attachment were names, usernames, passwords and account permissions of all the users in plain text.

      So I could have happily RDP'd into the CEO's PC, logged in as him and utterly ruined all the financials :) That being just one symptom of the place, I didn't stay past a year...

      Brilliant..

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019