  • Should you give Microsoft all of your passwords?

      • #2365254
        Brian Livingston
        AskWoody MVP

        PUBLIC DEFENDER By Brian Livingston A new feature of Microsoft’s Edge browser is causing our readers to ask, “Is this MS initiative going to place our
        [See the full post at: Should you give Microsoft all of your passwords?]

      • #2365287
        agoldhammer
        AskWoody Plus

        The only passwords that I allow to be saved by a browser are those for streaming services and this is for convenience only.  I’ve used PasswordSafe for management and while it’s not quite as easy to use compared to some other solutions, it works fine for my needs and has been ported to Android OS so I can have it on my phone.  The other nice advantage is that it is free!

      • #2365288
        Chris Greaves
        AskWoody Plus

        Who is “You”?

        If you mean me, well, the answer is no.
        As it is, I suspect, for 95% or more of the residents of AskWoody village.

        5% of the village may well be IT managers for companies, and IMNSHO those folks should never store a password outside the company.

        For the life of me I can’t see why the 95% of us can’t/won’t/don’t maintain passwords in a secure document.

        I mean, if you begrudge spending thirty seconds to retrieve “5zgpwozp” from Passwords.doc (*) (not its real name) for your once-a-year foray into submitting your tax returns online, then you haven’t appreciated the time-saving of submitting tax returns online instead of bicycling down to the post office.
        As for those twice-a-week online banking transactions, is it that hard to associate a mnemonic password to a bank account?

        I can’t see the rationale behind making up secure passwords and then handing them over to anyone, or anything.

        (*) 77 passwords in the table at last count

        Cheers
        Chris

        Unless you're in a hurry, just wait.

      • #2365294
        wdburt1
        AskWoody Plus

        There are many web sites where I wouldn’t care if the name and/or password is hacked, including more than a few that apparently require a username and password only because it makes their owners feel important. The Firefox feature that offers to save and automatically fill in a username and password is useful in these situations.

        1 user thanked author for this post.
        • #2365507
          doriel
          AskWoody Lounger

          There are many web sites where I wouldn’t care if the name and/or password is hacked

          Of course, I do the same. I store passwords for printers in Chrome – it’s basically the same password for approx. 100 IP addresses. It’s faster than typing it all the time.
          Also, I store my password for AskWoody, created websites and other blogs. I don’t consider it so risky or painful to lose some login to a website.
          Those logins that I value the most, I don’t store anywhere. I always type ’em.

          Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          PRUSA i3 MK3S+

          1 user thanked author for this post.
      • #2365308
        Mele20
        AskWoody Lounger

        The Firefox feature that offers to save and automatically fill in a username and password is useful in these situations.

        Yes! I’ve been using Fx and its forks since Netscape died. I’ve never been much of an IE or Edge user and would never touch Google junk. I trust Mozilla and its main fork I use as my default browser (Basilisk) to treat my saved logins in an honorable way. I also write all logins down on paper. I have about 50 pages of written-down logins … front and back of each page, so actually about 100 pages of saved logins since I got my first computer in 1999.

        I had third party software years ago to manage and save the logins and then disaster struck the software so I began writing each down on paper and also letting Fx, and later Basilisk, save and manage them. I couldn’t possibly memorize all of them and I don’t believe in ever using the same login for more than one site.

        2 users thanked author for this post.
        • #2365317
          anonymous
          Guest

          I used to keep all my passwords written down in a little notebook.  One day I lost that notebook.

      • #2365368
        J9438
        AskWoody Plus

        After reading Brian’s statement in the newsletter, “Unfortunately, websites that send a verification code by calling or texting your mobile phone are NOT SAFE. The security firm Positive Technologies recently demonstrated how to take over a Coinbase cryptocurrency wallet using known flaws in the global cellular network” (what a shock), I did some Googling on the alternatives, Authenticator App and FOB key. I was surprised by one comment where a reader used an Authenticator App and then had to reset or buy a new phone. He was completely locked out of all his accounts because the Authenticator was on his phone! So the FOB looks like the way to go unless it too has a weakness, and where do I even get one??

        • #2365459
          dg1261
          AskWoody_MVP

          I did some Googling on the alternatives, Authenticator App and FOB key. I was surprised by one comment where a reader used an Authenticator App and then had to reset or buy a new phone. He was completely locked out of all his accounts because the Authenticator was on his phone!

          That’s easily mitigated: just keep a copy of the QR code.

          When setting up an Authenticator token, the website will generate a unique QR code on screen, at which you point your camera. In addition to snapping the QR code with the Authenticator app, also take a regular photo or screenshot of it. If you ever have to reset or change your phone, just reinstall the Authenticator app and point it at your saved copy of the QR code. Job done.

          And for those who don’t know, the Google Authenticator app can be used for more than just Google. All TOTP (“Time-based One Time Passcode”) apps work the same, so the authenticator apps from Google, Microsoft, Facebook, Authy, et al, are interchangeable. You only need one, and it can be configured with TOTP tokens for multiple sites.

          Beyond TOTP, and if it’s a Google account you’re talking about, note Google can also generate a series of “Backup Verification Codes” that you can print and store offline, to be used when your normal 2FA method isn’t available. That’s always a good safety measure.

          1 user thanked author for this post.
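The claims in the post above (every TOTP app computes the same code from the same secret, and a saved copy of the enrolment QR code is enough to re-provision a new phone) can be checked directly, because TOTP is a published algorithm (RFC 6238 on top of RFC 4226). The following is an added illustration, not code from AskWoody, Google or any authenticator vendor. The otpauth:// URI is constructed for the example, and the secret inside it is the RFC 6238 test key, not a real account’s; the server-side `verify_totp` window of ±1 step is a common choice but is an assumption here, not any particular site’s policy.

```python
"""TOTP (RFC 6238) worked example: why all TOTP apps are interchangeable
and why a saved copy of the setup QR code restores access on a new phone.

Added illustration for this thread; not code from AskWoody or any vendor.
The otpauth:// URI below is constructed; its secret is the RFC 6238 test key
"12345678901234567890" (base32-encoded), not a real account's.
"""
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse

# Constructed enrolment URI, the same kind of string a site encodes into its
# setup QR code. A screenshot of that QR code is simply a copy of this string.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/ExampleSite:alice%40example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleSite&digits=6&period=30"
)


def parse_otpauth(uri):
    """Pull the shared secret and parameters out of an otpauth:// URI."""
    u = urlparse(uri)
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(q["secret"].upper()),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
    }


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at_time, digits=6, period=30):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period).
    Only the secret and the clock go in, which is why no network is needed."""
    return hotp(secret, int(at_time) // period, digits)


def verify_totp(secret, submitted, at_time, window=1, digits=6, period=30):
    """Server-side check: accept the code for the current 30 s step and `window`
    steps either side to absorb clock drift between phone and server (assumed policy).
    Constant-time comparison so timing does not leak how many digits matched."""
    step = int(at_time) // period
    return any(
        hmac.compare_digest(hotp(secret, step + d, digits), submitted)
        for d in range(-window, window + 1)
    )


def reprovision_matches(uri, at_time):
    """Two 'apps' fed the same saved QR/URI produce the same code: the old phone
    and the replacement phone that scanned the saved copy agree, so nothing is lost."""
    old_phone = parse_otpauth(uri)
    new_phone = parse_otpauth(uri)  # replacement device scanning the saved QR code
    a = totp(old_phone["secret"], at_time, old_phone["digits"], old_phone["period"])
    b = totp(new_phone["secret"], at_time, new_phone["digits"], new_phone["period"])
    return a == b, a


if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_OTPAUTH_URI)
    now = time.time()
    code = totp(params["secret"], now)
    print("current code for", params["label"], "is", code)
    print("server accepts it:", verify_totp(params["secret"], code, now))
```

Because the secret is the whole state, treat the saved QR photo exactly like a password: anyone holding it can generate your codes, so it belongs in the encrypted backup oldfry describes later in this thread, not in a plain photo album.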
      • #2365373
        MrChaz
        AskWoody Lounger

        Certainly not. Do you give the local authority/council your car or house keys? Just because people use their services doesn’t mean you should immediately trust the provider with sensitive info. Use an encrypted password manager and store it locally in multiple locations is my advice. One password to remember to access your password database. Simplicity works here.

        illegitimi Non Carborundum
        • #2365427
          Ascaris
          AskWoody MVP

          It’s a little different if the provider of the password service is also the provider of the operating system. You are already trusting them to the highest level… The OS, by design and necessity, has access to everything you do on that device. If you don’t want to have the passwords out there “in the cloud” where they could be inadvertently exposed, or if for some other reason you don’t consider it secure enough, that’s one thing, but if you don’t trust MS to not do something bad with them if they have them, you shouldn’t be using Windows or Edge at all.

          If you know me and the things I write about, you know that I have little trust in Microsoft, but stealing my passwords is one thing I would not worry about with them.

          Group "L" (KDE Neon Linux 5.22.4 User Edition)

      • #2365389
        b
        AskWoody MVP

        To bring us up to modern times, the Redmond company announced on January 21 that version 88 and higher of its Edge browser can now save usernames and passwords that people enter at websites.

        Edge’s storing of your credentials is off by default. Users must enable it by selecting Settings, Profiles, Passwords and configuring the options as shown in Figure 1. The user must also be signed in to a Microsoft account or a work or school account.

        That’s not what Microsoft announced this year at all.

        Edge (even legacy Edge) has always been able to save website usernames and passwords, and it’s always been on by default. No Microsoft or work/school account has ever been required for that.

        What’s new this year is the Password Generator and Password Monitor (which do require Microsoft or work/school accounts), as clearly explained in the announcement:

        Help keep your online accounts secure with password generator and Password Monitor

        Windows 10 Pro version 21H2 build 19044.1151 + Microsoft 365 (group ASAP)

      • #2365462
        bbearren
        AskWoody MVP

        I don’t/won’t use Edge, so, no.

        Create a fresh drive image before making system changes/Windows updates, in case you need to start over!
        "When you're troubleshooting, start with the simple and proceed to the complex."—M.O. Johns
        "Experience is what you get when you're looking for something else."—Sir Thomas Robert Deware

      • #2365475
        oldfry
        AskWoody Plus

        Re: Authenticator App and being locked out…

        To avoid lockouts, you need to back up your encrypted Authenticator file just like you need to back up your encrypted password file. And when you do back up these sensitive files, encrypt them again. For example, mine are backed up within an encrypted disk. And keep multiple backed-up copies in different locations. Make sure you pick Password Managers and Authenticator Apps that give you a means to back them up, such as storing the user data in an encrypted file.

        1 user thanked author for this post.
      • #2365528
        J9438
        AskWoody Plus

        One other question on Brian’s post “using known flaws in the global cellular network”

        Was or will this flaw be fixed? Since text 2FA is so much simpler to set up and use than the Authenticator App or FOB key, seems like an important fix. As an additional alternative to cell text I have found sites usually also offer the 2FA to a land line or email, which I suppose does not have this flaw, providing of course you can opt out of the cell text. The only problem to that is that the 3 choices seem to be offered together after entering a password so a hacker could still use the cell text option, unless the cell text option could be blocked.

      • #2365650
        dg1261
        AskWoody_MVP

        Was or will [known flaws in the global cellular network] be fixed?

        If you’re in the US, don’t hold your breath. The telcos hold too much power and resist any attempt to force them to spend money fixing their product.

        Like the banking and credit card industries (witness how they dragged their feet implementing chip-and-pin), the US telco industry lags behind the rest of the world.

        Since text 2FA is so much simpler to set up and use than the Authenticator App …

        I would disagree. Setting up a TOTP authenticator is nearly as easy as setting up text-based 2FA.

        Install and launch the authenticator app, then tell the service provider (e.g., Google, Facebook, or Microsoft) that you want to set up 2FA, and they’ll display a QR code with an embedded secret key. Point your smartphone’s camera at the QR code, and voila! The only thing left to do is tell the provider what 6-digit code your authenticator is showing, just so the provider can confirm both of you are using the same secret key — a desirable safety measure before they go ahead and enable 2FA on your account.

        As for using an authenticator, I find it much easier than texts — just pop open the authenticator and the code is right there, waiting for you to copy it. You don’t have to wait for a text to arrive, which at times may take several minutes or never arrive at all. I’ve also been in places where I have a wired ethernet connection on a computer to get into my email, but no cell connection. In that scenario, waiting for a texted code would be futile. In contrast, the authenticator app doesn’t need a cell connection to work.

        The only problem to that is that the 3 choices seem to be offered together after entering a password so a hacker could still use the cell text option, unless the cell text option could be blocked.

        That depends on what service you’re talking about, but with Google accounts the answer is yes, the text option can be disabled.

        On my account I have three 2FA methods enabled but not the voice/text option. When logging in from an unknown device, the 2FA prompt appears after the username and password are entered, but the prompt has a “Try another way” link that lets me select the second or third method if my primary method is not available. The voice or text option is not offered under “Try another way” because I don’t have that option set up.


        4 users thanked author for this post.
      • #2365708
        J9438
        AskWoody Plus

        “known flaws in the global cellular network” Was or will this flaw be fixed?

        If you’re in the US, don’t hold your breath.

        Since probably the vast majority of cell text 2FA users have no idea about this flaw everyone who reads this should sit down and write their legislators and demand a fix.

        Setting up a TOTP authenticator is nearly as easy as setting up text-based 2FA.

        First, thank you for the detailed explanation of setting up an authenticator. I had looked up Microsoft before and got hung up on the QR scan, as I did not think my iPhone did QR scanning, but from your explanation it looks like the Authenticator app itself has the scan function.
        But getting past that, my signing in is mostly non-Microsoft stuff such as bank, insurance and retail sites, and it seems like I would have to have an app for all of those, if they even allow it, and would have to go through that long setup procedure for each. Whereas now, on all sites that accept 2FA, I just go to the security page and enter my phone to set up. 99% of the time the text comes immediately, but you made a good point about no cell reception. I found an article in PCWorld that compared the 3 types, and it said cell text is the easiest to use but least secure, the FOB key the hardest to set up but most secure, and the authenticator app in the middle.

        The best solution is to jail all the crooks that make us go through all this gauntlet!!!!

      • #2365710
        J9438
        AskWoody Plus

        I just thought of a possible flaw in authenticator app. If you lose your phone or if it is stolen and you are using cell text 2FA you call your provider immediately and cut off the service and that cuts off cell text 2FA access. However, since the thief still has a locally working phone he can still access your account with the authenticator codes on the phone. You would then have to call all your accounts using those codes to block access. Does that make sense? Seems nothing is failproof!

        • #2365713
          doriel
          AskWoody Lounger

          However, since the thief still has a locally working phone he can still access your account with the authenticator codes on the phone.

          In this case, you should immediately block your phone from a second device, usually from a PC. You can lock an iOS phone remotely, and a phone with Android and a Google account too. I suppose you can lock a phone with an MS account too somehow, but I have no experience with that.

          Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          PRUSA i3 MK3S+

          1 user thanked author for this post.
      • #2365711
        doriel
        AskWoody Lounger

        So the conclusion is this?
        The 2FA via SMS is not safe, because an attacker could see your SMS code on the lock screen. But they still need to know your “Whatever account” password to gain access.
        + Attacker must have your phone and break the password, let’s say 10 alphanumeric characters or worse.

        MS Authenticator seems good, but if someone steals your phone and unlocks it, they can gain access everywhere. Without any password.
        + Attacker must break 4-6 numbers, or a gesture/picture/fingerprint.

        If the FOB is lost and no password is needed, you are doomed.
        + Attacker must have the FOB, then has access instantly, or needs to crack the password, again, let’s say 10 alphanumeric characters or worse.

        None of these is totally safe. I would say it’s adequately safe. And that’s all. The less you put into the online world, the more secure you are.

        Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

        HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

        PRUSA i3 MK3S+

        2 users thanked author for this post.
      • #2365741
        J9438
        AskWoody Plus

        After some more research it seems the cell text flaw is with the “SS7 Global Network”. Google showed a couple of recent articles where some software companies said they had solutions that could be implemented through MNOs (Mobile Network Operators). Google showed articles as early as 2016 talking about the problem and how some banks had lost lots of money due to this. About time for a fix, isn’t it??

      • #2365765
        DaveBoston
        AskWoody Lounger

        I have a question related to this thread. General audience media stories always say to use a complex password so dictionary (or brute force) attacks that try hundreds or thousands of passwords will not figure your password out. In my experience with banking, etc. if my password is entered incorrectly 3 or 4 times, the account is locked and requires a visit or live phone call to reset using security questions.  I asked an officer at my bank branch and they said this type of attack would not succeed at their bank.

        My question is, do these attacks succeed and if so how? I can understand that knitting-tips.com might not have great security rules, but major banks, etc. do.

        Can someone at AskWoody or in the audience explain this disconnect? Thanks!

        1 user thanked author for this post.
        • #2365778
          b
          AskWoody MVP

          Most brute force attacks occur offline, against a leaked or stolen password database.

          In case of an offline attack where the attacker has access to the encrypted material, one can try key combinations without the risk of discovery or interference. However database and directory administrators can take countermeasures against online attacks, for example by limiting the number of attempts that a password can be tried, by introducing time delays between successive attempts, increasing the answer’s complexity (e.g. requiring a CAPTCHA answer or verification code sent via cellphone), and/or locking accounts out after unsuccessful login attempts.

          Brute-force attack — Countermeasures [Wikipedia]

          Windows 10 Pro version 21H2 build 19044.1151 + Microsoft 365 (group ASAP)

          3 users thanked author for this post.
      • #2365799
        dg1261
        AskWoody_MVP

        Livingston’s newsletter article makes the argument for using a password manager (instead of letting the browser store them), and using 2FA when available:

        The best security, which you should always use when it’s available, is two-factor authentication (2FA). After you enter a username and password, a website sends a code to a different device — the second factor. Done right, this is almost totally unhackable.

        That’s somewhat misleading, though.

        First, 2FA doesn’t have to involve a website sending a code. That may be true for text-based 2FA, but authenticators, security fobs, and biometrics (face ID, fingerprint/palm readers, iris scan) don’t require a website to send a code anywhere. That’s part of their strength because texts can be intercepted en route to your phone.

        Second, it’s a little cavalier to say something is “almost totally unhackable”. As doriel points out, you can be vulnerable if your second factor is compromised — which isn’t a rare or unthinkable possibility.

        But the whole point of 2FA is to make it more difficult for the bad guys, even if you can’t make it impossible for them.

        The “factors” in 2FA fall into three categories:

        • something you know (e.g., password, mother’s maiden name, combination lock code)
        • something you have (e.g., house key, phone, security fob, safe deposit box key)
        • something you are (e.g., fingerprint, iris scan, face ID)

        Two-Factor Authentication requires items from two different categories, with the theory being that it is much more difficult for a bad guy to steal items from two categories than two items from one category. So even if you lose your phone or fob, a bad guy would still need to know your account name and password (and the stronger, the better) to make use of your stolen Authenticator token.


        But getting past that, my signing in is mostly non Microsoft stuff such as bank, insurance, retail sites and it seems like I would have to have app for all of those if they even allow it

        Remember, TOTP apps are the same. You don’t need a separate app for each site. One TOTP app can serve different tokens for different sites.

        (Aside: some TOTP apps have an extra security option of requiring a PIN to open the app. Google Authenticator does not, so it’s not my preferred choice. But my main point is under the hood they all generate the ever-changing 6-digit code the same way.)

        As for sites that support TOTP authentication … IME, few banks do. It boggles the mind.


        if my password is entered incorrectly 3 or 4 times, the account is locked and requires a visit or live phone call to reset using security questions.

        Note that’s about how your bank handles password attacks. That won’t help stop a hacker if he already has your valid password. But 2FA will.

        Note that asking for “security questions” isn’t 2FA. If your bank asks for your password and then follows it up with a security question, both items fall into the same category of “something you know”. That’s often called Two-Step Authentication, which is better than one step but not as strong as Two-Factor. It’s not as strong because if somebody knows you well enough to know your password, they may also know your favorite pet’s name, etc.


        1 user thanked author for this post.
      • #2365874
        Paul T
        AskWoody MVP

        That’s often called Two-Step Authentication, which is better than one step but not as strong as Two-Factor. It’s not as strong because if somebody knows you well enough to know your password, they may also know your favorite pet’s name, etc.

        Which is why you use a password manager and make up answers to those questions, saving said answers in the password manager. Even you can’t guess the correct answer.

        Strong random passwords and any sort of 2FA is much better than a password you can remember.

        cheers, Paul

        1 user thanked author for this post.
      • #2365928
        J9438
        AskWoody Plus

        if my password is entered incorrectly 3 or 4 times, the account is locked

        Don’t forget your laptop that you accidentally leave in your unlocked car with your saved passwords while the thief is watching. Your laptop does not lock out after 3 tries. I found a website (don’t remember which one, but you can Google search) that does a test brute force attack on any password you want to test. It tells you how long it would take to break it. Basically it said a password with random numbers, letters, etc. of 12 characters would take over 100 years to break with today’s supercomputers. A simple 4-character common name would be instant. However, that time gets less as computers get faster.

        Even with 3 try lockout it is better to have a long password so if your bank’s data base gets hacked a password of “keic8ue3e9fc8ueuod87fi4eui” is much less likely to be used than “rover”. Of course you cannot type “kdji4eoi9de9ud9” every time so either use a password manager or write the password in a text file that you can copy/paste at log in.

        2 users thanked author for this post.
        • #2365930
          doriel
          AskWoody Lounger

          When talking about passwords, it’s a fact that the longer the password is, the longer it takes to “guess” it. The function of the number of characters is exponential, not linear. It means that with every character added to your password you make it much harder to crack.

          One guess takes a millisecond (for example).
          One alphanumeric character password:
          36 possibilities; 36 x 1ms = 36 ms

          Two alphanumeric character password:
          36 ^ 2 possibilities; 1296ms

          Ten alphanumeric character password:
          36 ^ 10 possibilities; 3656158440062976ms = 115 936 years
          For curiosity, that is… (WolframAlpha link here)


          So even “Strongpassword123” (length 17) is better than “kdji4eoi9de9ud9” (length 15). It’s not necessary to have a difficult password, but it’s important to have a long password.

          Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          PRUSA i3 MK3S+

          4 users thanked author for this post.
      • #2366064
        Paul T
        AskWoody MVP

        The GRC.com website has a Password Haystacks section for checking length and complexity.

        “Strongpassword123” (length 17) is better, than “kdji4eoi9de9ud9”

        Except that an attacker would try a dictionary attack as well as random and the longer password will be found relatively quickly. If you are going to use common words you need to add more length and / or extra characters, e.g. “Strong.;password#123” or “Strongverylongpassword123”

        cheers, Paul

        2 users thanked author for this post.
        • #2366071
          doriel
          AskWoody Lounger

          Or at least some unexpected uppercase: StrongpaSSworD123 should be enough. There are too many combinations even for the dictionary attack.

          Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          PRUSA i3 MK3S+

          1 user thanked author for this post.
          • #2366098
            zat_so
            AskWoody Plus

            Shouldn’t the discussion take into consideration that the attacker will (very likely) not know the length of the password, and so will have to start at some minimum length and work his way up? Most websites that I’ve seen require at least 6 characters, so if your password is 12 characters, wouldn’t the attacker have to try all 6-character passwords, then all 7-character passwords, and so on? The cumulative time for that seems to be beyond the reach of anyone and anything available, even if dictionary words are used.

            2 users thanked author for this post.
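The arithmetic that the last few posts are arguing over (doriel’s 36^n guesses at 1 ms each, zat_so’s point that an attacker who does not know the length must sweep every shorter length first, and Paul T’s point that a password built from dictionary words plus digits has a far smaller search space than its character count suggests) is easy to put into a few functions. This is an added example, not code from any poster or from the password-testing sites mentioned; the 1 ms-per-guess cost, the offline guess rate and the 100,000-entry wordlist are stated assumptions used only to make the comparison concrete.

```python
"""Search-space arithmetic behind the password-length discussion.

Added example, not from any poster. Reproduces doriel's 36^n guesses at
1 ms each, adds the unknown-length sweep zat_so describes, and models
Paul T's dictionary-pattern point. Rates and wordlist size are assumptions.
"""
GUESS_MS = 1.0                            # doriel's assumed cost: one guess per millisecond
MS_PER_YEAR = 1000 * 60 * 60 * 24 * 365   # 365-day year; reproduces the 115 936 years figure
OFFLINE_GUESSES_PER_S = 1_000_000_000     # assumed rate against a leaked hash list (illustrative)

ALPHANUM_LOWER = 36   # a-z, 0-9
ALPHANUM_MIXED = 62   # a-z, A-Z, 0-9


def search_space(alphabet, length):
    """Number of candidate strings of exactly `length` characters."""
    return alphabet ** length


def cumulative_space(alphabet, min_len, max_len):
    """Guesses to exhaust every length from min_len up to max_len, i.e. the
    sweep an attacker must do when the length is unknown (zat_so's point)."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def years_at_1ms(guesses):
    """doriel's model: one guess per millisecond, exhaustive search."""
    return guesses * GUESS_MS / MS_PER_YEAR


def seconds_offline(guesses, rate=OFFLINE_GUESSES_PER_S):
    """Exhaustive search time against an offline hash list at the assumed rate."""
    return guesses / rate


def pattern_space(wordlist_size, words, digits):
    """Candidates for a 'word(s) + digits' pattern. A dictionary attacker
    enumerates words, not characters, so the space is wordlist_size ** words
    * 10 ** digits no matter how many letters the words contain."""
    return wordlist_size ** words * 10 ** digits


def compare_strong_vs_random(wordlist_size=100_000):
    """Paul T's comparison: 'Strongpassword123' (17 chars, modelled as 2 words
    + 3 digits) against 'kdji4eoi9de9ud9' (15 random lower-case alphanumerics).
    wordlist_size is an assumption, not a measured figure."""
    dictionary = pattern_space(wordlist_size, words=2, digits=3)
    random15 = search_space(ALPHANUM_LOWER, 15)
    return {
        "Strongpassword123_guesses": dictionary,
        "kdji4eoi9de9ud9_guesses": random15,
        "dictionary_is_smaller": dictionary < random15,
        "Strongpassword123_offline_hours": seconds_offline(dictionary) / 3600,
        "kdji4eoi9de9ud9_offline_years": seconds_offline(random15) / (MS_PER_YEAR / 1000),
    }


if __name__ == "__main__":
    for n in (1, 2, 10):
        g = search_space(ALPHANUM_LOWER, n)
        print(f"{n:2d} lower-case alphanumerics: {g} guesses, {years_at_1ms(g):.0f} years at 1 ms/guess")
    print("6..12 chars, length unknown:", cumulative_space(ALPHANUM_LOWER, 6, 12), "guesses")
    print(compare_strong_vs_random())
```

Two things fall out of running it. The unknown-length sweep from 6 to 12 characters is only about 3% more work than the 12-character space alone, because each extra character multiplies the space by 36, so the shorter lengths are a rounding error rather than a protection. And the two-words-plus-digits pattern is about 10^13 candidates against roughly 2×10^23 for the 15 random characters, which is why a dictionary attack finds the “longer” password first, exactly as Paul T says.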
            • #2370145
              doriel
              AskWoody Lounger

              I agree with your post, when using dictionary attack.

              I think it’s not good to be too “paranoid” – the probability of breaking a password is very small. Relax and set a 10-character password. If your password was guessed, you used some obvious password like Password123.

              Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

              HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

              PRUSA i3 MK3S+

              • #2370153
                Paul T
                AskWoody MVP

                The issue is less about guessing passwords than using the same password on multiple sites, so ones from a breach are automatically valid.

                Using a password manager to generate long passwords is just a good way to manage your online accounts.

                cheers, Paul

                1 user thanked author for this post.
      • #2366112
        anonymous
        Guest

        No.

        Really?  Why even discuss this?

        Google’s about to begin changing user passwords if they show up on some compromised pwd’s lists.  Read that again.  “We changed your password to protect you from yourself!”  Stay dumb, your phone is your brain, we do your thinking, you don’t know how.

        Passwords written on sticky notes are more secure than those trusted to any online so called manager.

        The idea that companies can trash the small remaining trust they may have by compromising security and privacy is a snake eating its tail.  Lawsuits don’t matter, they have more money than many small countries combined.  Unfortunately, it’s a very, very long snake.

        Additionally, if they can raid your accounts based on some initiative a half asleep team conjured up, what else are they doing that’s hidden from users?  Unless a third party is managing pwds or they’re somehow hidden, there’s no privacy at all.

        https://www.ghacks.net/2021/05/19/google-chrome-may-soon-change-compromised-passwords-for-you-automatically/

        1 user thanked author for this post.
        • #2366120
          b
          AskWoody MVP

          Google’s about to begin changing user passwords if they show up on some compromised pwd’s lists.  Read that again.  “We changed your password to protect you from yourself!”

          Despite the ghacks.net headline, it’s not automatic:

          Google announced today that it is bringing a new security feature to the company’s Chrome web browser that informs users about compromised passwords and lets them change these passwords to a secure new password instantly.

          Chrome users who prefer to stay in control can do so, for instance by ignoring the feature.

          Windows 10 Pro version 21H2 build 19044.1151 + Microsoft 365 (group ASAP)

          1 user thanked author for this post.
      • #2366146
        J9438
        AskWoody Plus

        wouldn’t the attacker have to try all 6-character passwords, then all 7-character passwords,

        I tried a gobbledygook 7-char password on the password tester on security.org and it quoted 19 minutes to break. So I think the hacker would have plenty of time to go through all combinations up to 10, which shows a month to crack, and then 11 chars, 4 years. I don’t think the hacker sits there waiting, but it’s probably more like a chat situation where your stolen laptop is started while working on your offline bank account. 12 chars looks like the minimum at 400 years.

        1 user thanked author for this post.
        • #2370147
          doriel
          AskWoody Lounger

          Did you consider that most servers restrict the number of attempts allowed to try the password?

          For the webhosting I use, there is a limit of 200 requests per minute.

          It’s not realistic to try to guess a user password continually for one hour. Not even two minutes (in the real world). I’m not saying every server uses this mechanism, but the critical ones do.

          Dell Latitude E6530, Intel Core i5 @ 2.6 GHz, 4GB RAM, W10 20H2 Enterprise

          HAL3000, AMD Athlon 200GE @ 3,4 GHz, 8GB RAM, Fedora 29

          PRUSA i3 MK3S+
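The server-side countermeasures that b’s Wikipedia quote lists (limiting attempts, adding delays between them, locking the account) and the per-minute request limit doriel describes are the reason online guessing stalls after a handful of tries while offline guessing against a leaked database does not. The following is an added example that models such a policy; it is not code from AskWoody, from any hosting provider or from any bank. Passwords are stored as salted PBKDF2 hashes so that a leaked table still forces the attacker into the offline search the thread discusses rather than handing over plaintext. The users, passwords, policy numbers and attempt timeline are all constructed for the demonstration.

```python
"""Server-side login throttling: attempt limits, growing delays and lockout.

Added example for the countermeasures discussed above; not code from
AskWoody or any real service. Every name, password, number and timestamp
below is constructed for the demonstration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class Policy:
    max_failures: int = 5      # failures inside the window before the account locks
    window_s: float = 60.0     # failures older than this are forgotten
    lockout_s: float = 900.0   # how long a locked account stays locked
    base_delay_s: float = 1.0  # delay after the first failure; doubles on each further failure


@dataclass
class UserState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0
    next_allowed: float = 0.0


def hash_password(password, salt, iterations=50_000):
    """Salted PBKDF2-SHA256; what the server stores instead of the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


class LoginGuard:
    def __init__(self, policy, credentials):
        """credentials: {username: plaintext} for the demo only; only salted hashes are kept."""
        self.policy = policy
        self.store = {}
        for user, pw in credentials.items():
            salt = os.urandom(16)
            self.store[user] = (salt, hash_password(pw, salt))
        self.state = {}

    def attempt(self, user, password, now):
        """Return 'ok', 'bad_password', 'throttled' or 'locked' for one attempt at time `now`."""
        p = self.policy
        st = self.state.setdefault(user, UserState())
        if now < st.locked_until:
            return "locked"
        if now < st.next_allowed:
            return "throttled"  # discarded without even checking the password
        st.failures = [t for t in st.failures if now - t <= p.window_s]

        salt, stored = self.store.get(user, (b"", b""))
        # Hash even for unknown users so response timing does not reveal whether the account exists.
        ok = hmac.compare_digest(hash_password(password, salt), stored) and user in self.store
        if ok:
            self.state[user] = UserState()  # success clears the failure history
            return "ok"

        st.failures.append(now)
        n = len(st.failures)
        if n >= p.max_failures:
            st.locked_until = now + p.lockout_s
            st.failures = []
        else:
            st.next_allowed = now + p.base_delay_s * 2 ** (n - 1)  # exponential back-off
        return "bad_password"


def simulate(guard, timeline):
    """Run a list of (time, user, password) attempts and return the outcomes in order."""
    return [guard.attempt(u, pw, t) for t, u, pw in timeline]


# Constructed timeline: three wrong guesses (one arriving too fast), one attempt
# during the lockout, then the real password once the lockout has expired.
DEMO_TIMELINE = [
    (0.0, "alice", "rover"),
    (0.5, "alice", "rover1"),
    (2.0, "alice", "Password123"),
    (5.0, "alice", "letmein"),
    (10.0, "alice", "correct horse battery staple"),
    (906.0, "alice", "correct horse battery staple"),
]


def demo():
    guard = LoginGuard(Policy(max_failures=3), {"alice": "correct horse battery staple"})
    return simulate(guard, DEMO_TIMELINE)


if __name__ == "__main__":
    for (t, _, _), outcome in zip(DEMO_TIMELINE, demo()):
        print(f"t={t:6.1f}s -> {outcome}")
```

With three wrong guesses the account is locked for fifteen minutes, so the 19-minute or one-month figures from the online password testers quoted earlier in the thread describe an offline attacker holding the hash list, not someone typing at the login page. The flip side, which DaveBoston’s bank will be familiar with, is that a strict lockout lets anyone who knows your username lock you out on purpose; that is why real deployments tune the window, back-off and lockout length rather than using one fixed number.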

      • #2366151
        J9438
        AskWoody Plus

        Why even discuss this?

        Unfortunately, whether we like it or not, we are in Cyber World War I. Whether some companies diligently enhance their cyber defense or other companies do nothing and let insurance pay the price or whether individuals diligently work on their security or just remain dumb and indifferent until disaster hits home, it still is better for all of us to keep discussing ways to enhance our security whether through long passwords, or 2FA, or add on software or whatever.

        Every security technique seems to have an Achilles heel, but at least we can keep on fighting until some day truth and honesty win and the hackers find that Karma, or some ultimate out-of-this-world justice, or whatever, proves that crime does not pay in the long run.

      • #2367574
        Paul T
        AskWoody MVP

        12 chars looks like the minimum at 400 years

        12 is not long enough. 18 to 20 is the place to start, then it will take several centuries – assuming it is guessed in 10% of the time it takes to perform an exhaustive search.

        cheers, Paul

        1 user thanked author for this post.