
Thread: Strong passwords counter-productive?

#1 Mikl

    I have just registered an account at a certain e-commerce site. At first, it rejected my intended password because it wasn't "strong enough". On a closer look, I found that the site requires passwords to be at least 12 characters, and they must contain a mix of capitals, lower case and digits.

    No problem. I created an acceptable password, and succeeded in registering.

    But it now occurs to me that this particular requirement might be counter-productive, and could in fact weaken the site's security.

    Let me explain. If a 12-character string can contain any mix of 26 caps, 26 lower-case and 10 digits, that's 62 possible characters, which means there are 62^12 possible combinations, which is approximately equal to 3.23 * 10^21. So that's the number of possible passwords a brute-force attacker would have to try.

    But if you impose a rule that excludes any string that contains all caps and one that contains all l.c. letters and one that contains all digits, that means you disallow 26^12 + 26^12 + 10^12 combinations, which is roughly 1.91 * 10^17.

    Now, assuming our brute-force attacker knows that rule is in force, it means he will have 1.91 * 10^17 fewer combinations to try. So, the existence of the rule, and the fact that the rule's existence is publicly available, means that a brute-force attack is more likely to succeed. Only slightly more likely, I agree, but that's still the opposite of what the rule is intended to achieve.

    (By the way, I make no warranties for the arithmetic in this post. It's the general principle that I am trying to explain.)

    Of course, it's all a lot of nonsense because a brute-force attacker would never be allowed to try more than a few attempts before being locked out.

    Mike
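    Added example (not part of the thread): it reproduces the OP's 62^12 and 26^12 + 26^12 + 10^12 figures, then counts exactly how many 12-character strings satisfy the rule as the OP states it (at least one capital, one lower-case letter and one digit) using inclusion-exclusion, because that rule also rejects every string that is missing any one class (letters-only, for instance), not only the three single-class cases. The inclusion-exclusion formula is cross-checked against brute-force enumeration on a tiny constructed alphabet.

```python
import math
import string
from itertools import product

UPPER, LOWER, DIGITS = string.ascii_uppercase, string.ascii_lowercase, string.digits
LENGTH = 12


def total_space(length=LENGTH, alphabet_size=62):
    """All strings of the given length over the full alphabet (the OP's 62^12)."""
    return alphabet_size ** length


def op_excluded(length=LENGTH):
    """The OP's count of disallowed strings: all-caps, all-lower and all-digit."""
    return 26 ** length + 26 ** length + 10 ** length


def compliant_count(length, classes):
    """Exact number of strings containing at least one character from EVERY class.

    Inclusion-exclusion over the subsets of classes that are absent entirely:
    sum over subsets S of (-1)^|S| * (alphabet size without S)^length.
    """
    sizes = [len(c) for c in classes]
    total = 0
    for mask in range(1 << len(classes)):
        avail = sum(s for i, s in enumerate(sizes) if not mask & (1 << i))
        sign = -1 if bin(mask).count("1") % 2 else 1
        total += sign * avail ** length
    return total


def compliant_by_enumeration(length, classes):
    """Brute-force cross-check; only feasible for tiny alphabets and lengths."""
    alphabet = "".join(classes)
    return sum(all(any(ch in c for ch in s) for c in classes)
               for s in product(alphabet, repeat=length))


def reduction_fraction(length=LENGTH):
    """Fraction of the 62^length space that the 'mix of classes' rule removes."""
    space = total_space(length)
    return (space - compliant_count(length, [UPPER, LOWER, DIGITS])) / space


def bits_lost(length=LENGTH):
    """Entropy (in bits) a uniformly random attacker gains from knowing the rule."""
    return -math.log2(1 - reduction_fraction(length))
```

    For 12 characters the rule removes roughly 12% of the space (about 0.2 bits), almost all of it letters-only strings; the three single-class cases the OP counted are a negligible part of that.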


#2 dsieg58
    I've also wondered at the wisdom of having ridiculously hard to remember and/or gibberish passwords, necessitating the use of password software. It seems to me if the password and/or security of a site is so convoluted that you need specialized software to remember the many hundreds of sites you now need to remember, something is wrong with the entire concept of website security. Not that I think they should do away with it, I just think it needs to be rethought and a new solution created. The password software itself then comes in danger of brute force attack. If successful, they have the password to everything your online life depends on.

    I realize this may not be what you're talking about, but just a thought.


#3 tke71709
    I've often felt that a simple solution to password complexity and security would be to generate passwords based on the url of the site.

    So for example, if you were logging into Facebook, your password would be based on the word facebook and another factor that is easily remembered (in case you lose your password list).

    If one were to use one's birthday such as 11-26-1985 (not my birthday).

    One could then do a simple Excel script to generate a password based on the items.

    A = 1, B = 2, C = 3, ... , O = 6 as 15 would become 1+ 5

    Facebook = 6135262
    Birthdate = 11267985
    So new number is 17403247 or 6135262 + 11267985

    The first digit is a special character matching those found on a standard keyboard. 1 = !
    The second digit remains a digit. 7 = 7
    The remaining digits are turned into letters (0 = z). 403247 = dzcbdg
    The first even letter generated by an even number becomes capitalized. Dzcbdg

    Combine it all together !7Dzcbdg and you have a fairly secure password, impervious to dictionary hacks and which would only be good for one site.

    They would be a hassle to enter, but most sites keep you logged in for at least 30 days anyway, and you could keep the formula in an Excel sheet and use it for any site without actually storing the passwords themselves, and you could share it among PCs with little fear. I prefer that over a password manager where someone could hack the manager or the file could be corrupted and you lose all your passwords.


#4 Mikl
    Thank you both for your replies. I'm glad I'm not the only one thinking along these lines.

    Another gripe is the hoops some sites make you jump through in order to recover a lost password. In the case of on-line banks and health providers, that's a good thing - the more hoops the better. But there are many sites that seem obsessed with strong security when they don't really need it at all.

    For example, I often visit our local property listing site - one that lists all houses and flats for sale in my town. I decided to register with the site so that it would remember my search criteria from one visit to the next. But to do so, I had to answer those stupid security questions (name of first pet? - I've never had a pet and hope never to have one; and so on). But, realistically, how terrible would it be if someone actually hacked my account? They would know what size house I am looking for, and the fact that I prefer not to have a garden. Not exactly a disastrous breach of my personal privacy.

    Mike


#5 David S
    Quote Originally Posted by Mikl:
        ... realistically, how terrible would it be if someone actually hacked my account?

    That's my test for coming up with passwords. I have a few simple passwords that I re-use on multiple sites where the whole concept of registration and passwords seems silly. For example, several online newspapers require that you register for free access. Why do I care if someone gains access to my user account at half a dozen newspaper accounts where there is no financial exposure (assuming that they could even figure out which other websites those passwords were for)?

    That means that I only need to come up with strong passwords for the websites where it really matters to me, such as financial institutions, credit card issuers, my email accounts, my hosting account and a few e-commerce sites. Those sites probably represent less than 20% of my passwords.


#6 nokkieny
    That is interesting, I have never thought of it that way.
    Anyway, my thoughts are, when is Google going to come out with something that does away with passwords altogether? I hate passwords; I would microchip myself if it could automatically log in to sites for me.

#7 crabfoot
    Quote Originally Posted by nokkieny:
        That is interesting, I have never thought of it that way.
        Anyway, my thoughts are, when is Google going to come out with something that does away with passwords altogether?

    They could do that now - but you wouldn't like it, and neither would they.

    They would have to reveal to the world how un-anonymous their anonymous tracking is, and all the tie-ins they have with other companies that don't show up in public because they exchange and trade info instead of attaching a cash value.

    You would like it for the first ten minutes, then start thinking "How does this company know so much about me?" - and remember, they are a company, not a government agency.

#8 dsieg58
    Quote Originally Posted by crabfoot:
        - and remember, they are a company, not a government agency.

    Except the (US) government is tapped into them as well, not to mention selling other info to the government that isn't handed over for free (I would guess). The only difference is the government has a minimal amount of oversight; Google doesn't, in respect to info gathering.
