Today is “What drives me insane about passwords” day


    #2444698

    May 5th was World password day. A day that Microsoft wanted us to ditch our passwords completely and move to authentication apps, fido keys and other
    [See the full post at: Today is “What drives me insane about passwords” day]

    Susan Bradley Patch Lady

    • #2444730

      During my career, people’s lack of security with passwords drives me insane. They happily share their password with others. Happy until someone misuses it and they get to chat with investigators. The punishment is usually identical. I’ve never heard of anyone pointing out the culprit. “He’s a friend. You don’t dob on a mate and I get the sack either way”.

      In my retirement job I supported a fleet of laptops for schools. There I learnt where bad password habits started. Password sharing was common, including teachers giving their logon access to students.

      At home, Google’s 2FA to access causes the occasional blue word. I use Brave and have it set to clear everything when closed. I have an iNaturalist account and use log in with Google for access. The time that suits me to identify species is early morning before my wife rises. I charge my phone in the morning. I suspect you can guess the rest but the main result is I am not using my iNaturalist account as frequently as I would like due to 2FA.

      The temptation exists to buy a Yubikey. I am concerned what may be the result if it is lost.

      Group A (but Telemetry disabled Tasks and Registry)
      Win 7 64 Pro desktop
      Win 10 64 Home portable

    • #2444729

      I have no cell phone. Are all “Authenticator apps” dependent on cell phones? I will never voluntarily own a cell phone. Passwords are best. I’m not keen on handing over biometric data to big tech. They know too much already, and I sure as hell never want a Microsoft account.

      • #2444791

        I have no cell phone. Are all “Authenticator apps” dependent on cell phones? I will never voluntarily own a cell phone. Passwords are best.

        The short answer is no, because there are desktop apps that serve the same purpose.

        But first, let’s be clear that authenticator apps and passwords are two different things. Authenticator apps provide a second step for Two-Factor Authentication (2FA). Passwords are traditionally the first step. (If anyone is not sure how this works, perhaps my tutorial will help bring this into focus.)

        The most popular authenticator apps are smartphone based, such as Google Authenticator, Microsoft Authenticator, Facebook Authenticator, etc. They are not tied to a phone number, they merely use a random, super-long secret string and encrypt it with the current time to calculate a time-based one-time passcode. This is used as a way to prove you and your account on the web service have the same secret string.

        But there are desktop apps that can do the same calculation, so you don’t need to use a smartphone if you don’t want.

        And BTW, in case this isn’t clear to everyone, this means that authenticator apps do not need to know anything about you or communicate with any cloud server anywhere, so they do not need to collect any personally identifiable information. (Whether they surreptitiously do is another matter, but they don’t need to. It’s not a requirement for them to function.)

    • #2444755

      I have 18 pages of passwords (if I have doc viewer send it to pdf). I do not keep a copy on my working ssd. It is “elsewhere”. Backups of it are “further elsewhere”. If I simplify this, I would have to give some “simplifying program” all of this info, thus putting it in jeopardy. No thanks. This has worked fine for me for decades.

      imho, simply adding a # or other special character would far reduce likelihood of someone guessing it.

      - ThinkPad T570-20HA, i7-7600U, 2.8GHz, UEFI/GPT, 16GB, Sammy 256GB M.2 NVMe PM961. HP laserjets (M254dw, P1102w, P1606dn), Epson 2480 scanner -

      • #2444801

        That sounds like a challenge. Guessing is not the problem. Hackers don’t try to guess the owner’s password. They use computers to crack the password (or work around it if the system has a vulnerability or a keystroke recorder can be used).

        Take one of your passwords and test it here

        Substitute a hash or other character but reduce by one letter so your amended password is the same length (the longer the password, the less susceptible it is to cracking).

        I tested it with ‘banana’. That can be cracked instantly.

        ‘#anana’ – can be cracked in 100 milliseconds

        Some people use passphrases (e.g. ‘My first dog was named bowser’). Testing that

        ‘this_is_my_password’ – can be cracked in three trillion years.

        ‘this_is_my_passwor#’ – can be cracked in three trillion years.

        Protection depends more on the length of the password (or passphrase) than the use of special characters but they can help increase complexity a little.

        Group A (but Telemetry disabled Tasks and Registry)
        Win 7 64 Pro desktop
        Win 10 64 Home portable

        • #2444806

          They can also crack a database of stored hash values from one database and then use it to see if you’ve reused a password in another site.

          Susan Bradley Patch Lady

        • #2444937

          Thanks. I looked at that password site and found it uses the “getclicky.com” tracker – which I have always set as “untrusted” in my NoScript extension. Luckily the site still works without it.

          My approach to passwords:

          1. Use random 20 character passwords, including lower case and upper case letters plus numbers and special characters.
          2. Generate and store these in Keepass 2.x
          3. Protect Keepass with an easily remembered but highly complex password – “3 sextillion years to crack”
          4. Store the Keepass database in Dropbox also with a highly complex password – “5 hundred quadrillion years to crack”.
          5. Point each of my computer’s Keepass applications to that online Dropbox file so I can access and manage it from any of my devices.
          6. The result: The only password I ever have to remember is the one for Keepass. I have around 300 entries in Keepass, all unique.
          7. Use 2FA wherever feasible.
          8. Add the HIBPOfflineCheck plugin to Keepass.
          9. Monitor and download the “pwned-passwords-sha1-ordered-by-hash-v8.txt” file listed at https://haveibeenpwned.com/Passwords.
          10. Run the latest breaches against my entire Keepass database of passwords and change my passwords accordingly.

          Win10 Pro x64 21H2, Win10 Home 21H2, Linux Mint + a cat with 'tortitude'.

        • #2444939

          My approach to passwords:

          is that one password for #3 (for Keepass) and another (i.e., different) password for #4 (for Dropbox)?

        • #2444941

          Yes. Once the Dropbox application is first installed on each device and specifically signed in, it automatically activates every time I turn on that device. I don’t have to enter that password.

          Win10 Pro x64 21H2, Win10 Home 21H2, Linux Mint + a cat with 'tortitude'.

        • #2444977

          I have been using Strongbox App for a couple years. Very happy with it, similar scenario to Keepass. My db is on icloud. 24 character db password upper lower case numbers symbols. That password is only in my head. I haven’t forgotten it. Strongbox generates strong passwords, keeps them, logs me on to all my accounts, all unique pw’s, I can also keep sensitive info – e.g. photos of our passports.

          Isn’t this db huge???

          Monitor and download the “pwned-passwords-sha1-ordered-by-hash-v8.txt” file listed at https://haveibeenpwned.com/Passwords.

          How do you do this? I’d like to check mine.  I am not comfortable putting my passwords into those password checking websites, no thanks : o

          Run the latest breaches against my entire Keepass database of passwords and change my passwords accordingly.

          What is this? Thanks, Donna

          Add the HIBPOfflineCheck plugin to Keepass.

        • #2445143

          I’m the same. I want to do the check entirely locally offline.

          The HIBPOfflineCheck is a plugin that I think is only specific to the Windows version of KeePass. https://github.com/mihaifm/HIBPOfflineCheck

          It integrates into KeePass and a couple clicks will check all password hashes against those in the downloaded text file – which is huge, but you don’t have to download a new one very often. https://haveibeenpwned.com/Passwords Scroll down the page. The needed file is the “SHA-1 (ordered by hash)” file.

          I looked at the Strongbox site and noticed that the Pro version does do an audit against the Have I Been Pwnd breaches but couldn’t find if it’s offline capable or not.

          Win10 Pro x64 21H2, Win10 Home 21H2, Linux Mint + a cat with 'tortitude'.

      • #2444913

        imho, simply adding a # or other special character would far reduce likelihood of someone guessing it.

        Having a complex password doesn’t help if the site storing your password does not use strong encryption to store your password and they get hacked. Then no guessing is required.

        About a decade ago I entered a “throwaway” email address I use to sign in to computer help forums at the HaveIBeenPwned site at https://haveibeenpwned.com/ and discovered my login information had been stolen in two separate data breaches of the Adobe and Malwarebytes forums where hackers managed to get their hands on both email addresses and weakly encrypted passwords that were decrypted back to plain text. Both Adobe and Malwarebytes sent an email asking me to change my login password ASAP but a few months later I got a threatening spam email (which I ignored and immediately deleted) showing both my email address and the hacked password I had been using on one of those sites.

        Note that HaveIBeenPwned (HIBP) is managed by Troy Hunt, a Microsoft Regional Director, and many similar services like Mozilla’s free Firefox Monitor use the HaveIBeenPwned database for alerting subscribers if their personal data is compromised in a data breach. HIBP takes several precautions (e.g., using k-Anonymity to protect your privacy when searching for stolen passwords) – see the June 2021 Sophos Naked Security article “Have I Been Pwned” Breach Site Partners With… the FBI! for more information.

    • #2444807

      As I have said elsewhere, my strategy is:

      1. Have a long password with all sorts of characters in it, plus maybe a few squirrel noises
      2. Write it down in a small notebook
      3. Use an obscure language and an equally obscure script
      4. Hide it in the basement behind the door that bears the sign, “Beware The Leopard”.

      OK, #4 is a little weird! 🙂

      I would have gone to Yubikey or some such device, but I am notorious for losing little metal thingies, and what a pain THAT would be to recover from!

      No, items 1-3 are fine for me, and give me an excuse to use the degree in the Humanities that I was never able to make much of a living off of. :))

      …and no, I’m _not_ saying where I hide the book. Use your imagination for YOUR place of employ/home!

      Win7 Pro SP1 64-bit, Dell Latitude E6330, Intel CORE i5 "Ivy Bridge", 12GB RAM, Group "0Patch", Multiple Air-Gapped backup drives in different locations. Linux Mint Greenhorn
      --
      "Sure I had a plan; Everybody's got a plan until you get hit in the teeth."

      -A Very Famous Boxer

      • #2445403

        Nothing wrong with writing down passwords in a small notebook. But, every now and then xerox the pages in the notebook and store the copies far away from the original notebook.

        Get up to speed on router security at RouterSecurity.org and Defensive Computing at DefensiveComputingChecklist.com

    • #2444829

      For authentication I use *Itsme*. That means that Itsme, through my smart phone, requires scanning and checking my fingerprint (*) to log me in to my bank account, or government and social security websites, or my medical database. No complex passwords or hilarious phrases needed.

      Up to now no worries. I’m sure Itsme has extremely high security (I hope), considering it was developed and introduced by the Belgian banks federation and the government.

      (*) No, I’m not telling which finger. Though I’d love to divulge which toeprint, but alas, I’m too old and stiff to manage that.


      [2022-02] Corsair One i300, 64 GB RAM, RTX 3080 Ti, Samsung 1800R 48" 3840x1080, 1 2TB M2 SSD, 1 1TB SATA SSD, 1 5TB USB3 HDD.

      [2015-02] Clevo P17SM-A, 32GB RAM, GTX 970M, ext LG 27" 1920x1080,
      500 GB SSD, 1TB SATA HDD, 4 5TB USB3.0 HDD's, 4 2TB USB3.0 HDD's,
      1 3TB USB3.0 HDD, 1 1TB eSATA HDD.

    • #2444835

      And BTW, in case this isn’t clear to everyone, this means that authenticator apps do not need to know anything about you or communicate with any cloud server anywhere, so they do not need to collect any personally identifiable information. (Whether they surreptitiously do is another matter, but they don’t need to. It’s not a requirement for them to function.)

      Various cloud services, Microsoft, Google and the Zuckerberg-toys already have all our data, so some more restrictions will be welcome. Starting with real tracker- and cookiemonsters.

      [] 🌹 #нетвойнесУкраиной 🌹 #不与乌克兰开战 🌹 []
    • #2444893

      I’ve been using password managers with form-filling capabilities for a very long time. I tend not to store those data in the cloud, and they’re local only. I am unwilling to trust any single company with cloud storage of all my credentials. Thefts of massive databases started decades ago, brought about by careless users or IT people. This article, “The top data breaches of 2021” is a handy reference point.

      Finance, social and tech founder. Managing director of new crowd sourced games in pre-release development. Director on a new consortium to bring fractional ownership of heritage antiquities to the blockchain. My planet-wide talk show for people craving new stories by which to live is Casual Saints.
    • #2444895

      Take one of your passwords and test it here

      Merci. Interesting site. Using my usual random-password generator, the site verified that my usual 30-character password is pretty good, and the site said, “It would take a computer about 3 hundred undecillion years to crack your password”. I didn’t know the definition of undecillion and had to look it up.

      Finance, social and tech founder. Managing director of new crowd sourced games in pre-release development. Director on a new consortium to bring fractional ownership of heritage antiquities to the blockchain. My planet-wide talk show for people craving new stories by which to live is Casual Saints.
    • #2444894

      When will DNA be required to log on?

      • #2445071

        Using a non-changeable “password”? Bad idea. Especially DNA, it’s spread everywhere! Every hair or dead skin cell you lose can compromise your access!

        Martin

    • #2444946

      If one uses one’s Microsoft Account password to login into one’s Windows 10 laptop, how does one change the password for both the laptop and the Microsoft Account?

      In other words, where does one start? Does one start with Windows 10 on the laptop and go to Settings|Account|Sign-in Option|Password? And does that automatically change the password for the Microsoft Account?

      Or does one start with the Microsoft Account and change the password there? And then does that automatically change the password for logging into the laptop?

      How can this be done correctly, so that one does not get locked out of the laptop and/or the Microsoft account?

    • #2444982

      In other words, where does one start? Does one start with Windows 10 on the laptop and go to Settings|Account|Sign-in Option|Password? And does that automatically change the password for the Microsoft Account? Or does one start with the Microsoft Account and change the password there? And then does that automatically change the password for logging into the laptop? How can this be done correctly, so that one does not get locked out of the laptop and/or the Microsoft account?

      MS is pushing that there is no local account so that is the start. MS account is used to log in which requires Internet Access 100%. Only Pro and Enterprise allow you to work around that for a set period of time. MS wants this to track people more easily. With local accounts, it is hard to track. With MS account, it is easier.

      When you change your password, you changed the MS account password. The password is never saved on the laptop. It is in the cloud. If you change it, and you lose internet to laptop (i.e. wifi card fails) in most cases you will not be able to log into the laptop.

      • #2445011

        When you change your password, you changed the MS account password. The password is never saved on the laptop. It is in the cloud. If you change it, and you lose internet to laptop (i.e. wifi card fails) in most cases you will not be able to log into the laptop.

        So, let’s say one is on Win 10 Pro and let’s forget about changing the password, for the time being. The password to log into the laptop is the same one that one uses to log into the Microsoft Account and it was set up this way when the laptop was first used when it was brand new. In this case, if one turns off the WiFi, or uses the laptop out of range of the WiFi box (I forget what it’s called) or the WiFi service to the WiFi box is down, then it will be impossible to log into the laptop?

        If that’s the case, what is the Settings|Accounts|Sign-in options|Password for? I have thought that’s where a new password would go and where the old password has been so it can be accessed that way for a login.

      • #2445073

        This is why they also push for “PINs”, as those are unique to the machine they are set on. Think of PINs as local machine passwords.

        Martin

    • #2444980

      I have no cell phone. Are all “Authenticator apps” dependent on cell phones?

      So true. I do not want to be tracked, listened to, catalogued, etc. All cell phones listen to and record everything. I have never owned a cell phone either, after working in the phone business for years as a listener for over 25 years. From that point, I decided never to get a phone. Now these listener jobs are mostly gone since computers do a better job of listening to all conversations and tagging any that need to be investigated. Before, there were buildings with thousands of people sitting and listening to people 24 hours a day.

      From what I heard, you can use some apps that do not require a cell phone. But 2FA has become too easy to bypass from my experience working as a listener. This is the main reason why 2FA is being pushed out to replace passwords. This is my opinion but others might not agree with it.

    • #2444997

      To me, this shows a big blind spot in the computer industry. “Everybody” has a smart phone so everybody assumes that everybody else has a smart phone, and they use their smart phones in the same way. That leads to the presumption that “you are your phone”, and where you use that for everything, whether phone calls (remember those?), text, apps for all sorts of things, but also for payments and as an authentication token. Unfortunately, if you lose your phone, then you’re in a world of hurt, partially from not having all those functions in hand, but also what happens if somebody else might have access to all of that.

      For Susan’s comments specifically, the problem is that there’s an expectation of 1:1 relationship between both users and user IDs as well as users and phones. And obviously, there are a lot of places where that simply doesn’t work. In particular, there are places that are both appropriate and necessary for more than one person to have access. Sometimes, it’s a matter of managing access, sometimes it’s that multiple people need the same access.

      There are also differences between how things behave in a commercial environment and how things behave in a home environment. Although the idea of everybody in a family having their own smart phone is widespread, there are plenty of places where that’s impractical or undesirable, and where shared access is needed. Even for something as simple as a telephone, in a family environment, it’s appropriate to have a shared phone, where incoming calls can be interacted with by anybody in the house, rather than forcing the call to somebody specifically.

      One other thing that I can think of — I’ve done some work with a “digital will”, of what would happen if, for some reason, I’m not available, either temporarily or permanently. In a case like that, it’s appropriate and necessary to be able to get to most of my accounts, and where the necessary information is not locked away in a form that only I know it.

    • #2445020

      How do you do this? I’d like to check mine.  I am not comfortable putting my passwords into those password checking websites

      You are not putting the passwords into haveibeenpwned, your browser hashes the password and sends the hash to the site. If a bad guy intercepted the hash it would be useless.
      https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity

      cheers, Paul

      • #2445070

        It took me some digging and reading before trusting HIBP with my passwords too! But I do now!

        Martin

      • #2445145

        If using KeePass (standalone program, not a browser extension) with the “offline” plugin and having downloaded the text file noted in my posts above, then there is no need to use the browser at all. The browser can be completely closed. The computer can be completely offline. Run KeePass and activate the plugin via the UI and all the passwords in one’s database get checked in a single pass against the file and nothing is transmitted over the internet. That’s why I do it this way. 🙂

        Win10 Pro x64 21H2, Win10 Home 21H2, Linux Mint + a cat with 'tortitude'.
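The fully offline check described in this post and in #2445143 above, as an added example (not the HIBPOfflineCheck plugin’s code): the downloaded “SHA-1 (ordered by hash)” file has one `<SHA1-hex>:<count>` line per leaked password, sorted by hash, so each vault password can be hashed locally and binary-searched by byte offset without reading the multi-gigabyte file into memory or sending anything over the network. The sample file, its counts and the vault entries are constructed here; the lookup itself generalises to the real file.

```python
import hashlib
import os
import tempfile


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def write_sample_pwned_file(path: str, counts: dict) -> None:
    """Write a constructed stand-in for pwned-passwords-sha1-ordered-by-hash:
    one "<SHA1-hex>:<count>" line per password, sorted by hash, CRLF endings."""
    lines = sorted(f"{sha1_upper(pw)}:{n}" for pw, n in counts.items())
    with open(path, "w", newline="") as f:
        f.write("\r\n".join(lines) + "\r\n")


def pwned_count(path: str, password: str) -> int:
    """Binary-search the hash-sorted file by byte offset, so the real file is
    never read whole. Returns the breach count, or 0 if the hash is absent."""
    target = sha1_upper(password).encode("ascii")
    with open(path, "rb") as f:
        lo, hi = 0, os.path.getsize(path)       # candidate line starts lie in [lo, hi)
        while lo < hi:
            mid = (lo + hi) // 2
            # Land one byte early and discard through the next newline: `pos` is
            # then the first line start at or after `mid`, even if `mid` is one.
            f.seek(max(mid - 1, 0))
            if mid > 0:
                f.readline()
            pos = f.tell()
            line = f.readline()
            if not line or pos >= hi:
                hi = mid                        # no complete line starts in [mid, hi)
                continue
            h, _, count = line.rstrip(b"\r\n").partition(b":")
            if h == target:
                return int(count)
            if h < target:
                lo = pos + len(line)
            else:
                hi = mid
    return 0


def check_vault(path: str, entries: dict) -> dict:
    """Check every {title: password} entry in one pass; report only the
    breached ones with their counts, the way the plugin flags entries."""
    hits = {}
    for title, pw in entries.items():
        n = pwned_count(path, pw)
        if n:
            hits[title] = n
    return hits


def counts_for(sample_counts: dict, passwords: list) -> dict:
    """Build the constructed sample file in a temp dir and look up each password."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pwned-sample.txt")
        write_sample_pwned_file(path, sample_counts)
        return {pw: pwned_count(path, pw) for pw in passwords}


if __name__ == "__main__":
    # Constructed sample list and counts (not real HIBP data).
    sample = {"password": 1000, "123456": 2000, "banana": 500, "this_is_my_password": 3}
    vault = {"mail": "password", "forum": "banana", "bank": "7Hq!x9@Lm2#pZ4vR"}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "pwned-sample.txt")
        write_sample_pwned_file(path, sample)
        print(check_vault(path, vault))          # {'mail': 1000, 'forum': 500}
```

Against the real file, point `pwned_count` at the downloaded text and the same seek-based search applies unchanged.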

    • #2445069

      First, I am against password-less logon like Microsoft is pushing. That would be removing one factor.

      Second, I cheat at OTP activation by recording the otp:// url in my password manager. This way, I can activate more than one token for backup. As long as I don’t reuse passwords, keep my password manager safe and don’t lose my 2FA sources, someone at the other end of the world can’t log in.

      Of course, I don’t use SMS 2FA for anything I care about… Oh, I use none of those online password managers! Only local ones (sync’d by encrypted file).

      Martin

    • #2445093

      Do you know if anyone in the FIDO group has heard from someone like you or your friend? It is a concern that the input was/is not sufficiently diverse.

    • #2445446

      I’m surprised nobody mentioned Yubikey yet…

      I have two and I love their integration with websites. It allows you to enter the 2FA with a single touch of the key. Above all, they can store securely OTP keys and with the companion app (mobile/computers) you can generate 2FA codes. Since you keep the key with you, it is never stored on the phone or computer!

      Martin
