Why some companies think ridiculously requirments hard passwords make my account more secure??

[aqarwaen29]

Why some companies think ridiculously requirments hard passwords make more secure?? if I need to keep my password just in notepad to able access my account? and every hacker who hacks into my computer can see my password?

for example this forum would need this kind passwords.....H6W]9-y[_E@e"&Q3    or q?P.df;3Z{KR])k$

 

btw it is not my password

 why not provide option to let pick easier passwords and you toggle some box and you agree with theys terms if u want easier password instead hard one...

[Avocado Diaboli]

Security. Also, if you have trouble remembering complex passwords, use a password manager.

[Latvian Video]

7 minutes ago, Avocado Diaboli said:

Security. Also, if you have trouble remembering complex passwords, use a password manager.

the one built into browsers should be enough, and I use KeePass to back them up, incase something happens to my pc

[trag1c]

More possible characters and symbols makes it much harder to brute force as there are more possible combinations along with longer passwords. Any randomness makes it much harder for someone to use something like social engineering to guess your password. Password managers exist for a reason. You just have to remember 1 really strong password for the manager and then generate the rest. Something like Keepass can generate passwords and allow you to copy them to the clip board so that you can paste into the log in. After a certain period it will clear your clip board so that a bad actor cant use that to find out. 

 

I only remember a few lengthy passwords for several different encrypted keepass databases. (Separated by category like work, home etc.) From there I generate passwords with every possible character/symbol allowed by a login too the max length allowed. This makes the passwords pretty much impossible to crack by anyone except for maybe a nation state. Even the email/username is randomly generated just to throw some extra spice into the mix. Every account I have gets its own email alias so that a bad actor is forced to go digging even for that.

 

Also you can never have too many tin foil hats.

[LIGISTX]

26 minutes ago, aqarwaen29 said:

Why some companies think ridiculously requirments hard passwords make more secure?? if I need to keep my password just in notepad to able access my account? and every hacker who hacks into my computer can see my password?

for example this forum would need this kind passwords.....H6W]9-y[_E@e"&Q3    or q?P.df;3Z{KR])k$

 

btw it is not my password

 why not provide option to let pick easier passwords and you toggle some box and you agree with theys terms if u want easier password instead hard one...

Use a password manager, so every website will use its own unique password, and you don’t have to remember any of them.

 

1password is a popular option these days. Just make sure to use 2 factor authentication everywhere possible, especially your password manager…

[IPD]

Funny.  It's always on their end where my account data gets compromised.  Almost like I'm having to compensate for their  incompetence by having to concoct more confusing passwords...

[tikker]

1 hour ago, aqarwaen29 said:

why not provide option to let pick easier passwords and you toggle some box and you agree with theys terms if u want easier password instead hard one...

For this one, most likely because it's not so much about protecting your account, but about protecting their data and infrastructure. E.g. management will likely take a breach easier if it turns out the compromised account's password was H6W]9-y[_E@e"&Q3q?P.df;3Z{KR])k$ (so either a more serious flaw or someone who needs more phising training) than if your company secrets got ransomwared because you allowed someone to use 123 as their password.

 

I'm usually more annoyed that things like "your password cannot be longer than 8/12 characters" still occur. For some reason it's also very often 8 or 12 specifically...

[JZStudios]

1 hour ago, trag1c said:

More possible characters and symbols makes it much harder to brute force as there are more possible combinations along with longer passwords. Any randomness makes it much harder for someone to use something like social engineering to guess your password. Password managers exist for a reason. You just have to remember 1 really strong password for the manager and then generate the rest. Something like Keepass can generate passwords and allow you to copy them to the clip board so that you can paste into the log in. After a certain period it will clear your clip board so that a bad actor cant use that to find out. 

 

I only remember a few lengthy passwords for several different encrypted keepass databases. (Separated by category like work, home etc.) From there I generate passwords with every possible character/symbol allowed by a login too the max length allowed. This makes the passwords pretty much impossible to crack by anyone except for maybe a nation state. Even the email/username is randomly generated just to throw some extra spice into the mix. Every account I have gets its own email alias so that a bad actor is forced to go digging even for that.

 

Also you can never have too many tin foil hats.

Isn't this all kinda moot when their database gets hacked and the documents of 3 million are leaked? I just don't trust password managers that much, then again I also don't have any real secret accounts. But I know people who keep passwords just in an excel spreadsheet on their PC.

[trag1c]

2 minutes ago, JZStudios said:

Isn't this all kinda moot when their database gets hacked and the documents of 3 million are leaked? I just don't trust password managers that much, then again I also don't have any real secret accounts. But I know people who keep passwords just in an excel spreadsheet on their PC.

Kind of sort of. In no way are any of my other accounts or passwords affected because of this method so all I have to change is one password. Because of the random names and emails there is also no real link for anyone to follow up to try to breach other accounts that I have. Effectively its all contained to that one breach and the information contained within that one account. A big problem in a lot of breaches is that it can reveal information that can be used to breach other accounts that are more valuable like banking logins. If you use one password and account for everything you're essentially done for since they have everything they need to really screw with you but having everything isolated like I do makes it so they really have to go ham to break into anything valuable. 

 

There is nothing you can really do about breaches that are external of your own tech environment but you can certainly have technologies and policies in place that mitigate the impact of that breach. Essentially zero trust policy. Assume everything and everyone is shit and prepare for that.

[BuckGup]

2 hours ago, Latvian Video said:

the one built into browsers should be enough, and I use KeePass to back them up, incase something happens to my pc

Hell no, never use the built in browser password keychain. Any piece of software can easily access all of them 

[Helpful Tech Witch]

1 hour ago, JZStudios said:

Isn't this all kinda moot when their database gets hacked and the documents of 3 million are leaked? I just don't trust password managers that much, then again I also don't have any real secret accounts. But I know people who keep passwords just in an excel spreadsheet on their PC.

Password managers ened to end encrypt data. the passwords stored on their servers are encrypted, so even if theres a large data breach then your passwords arent leaked.

[Alan G]

I've been using Password Safe for a lot of years.  It has a nice port to my Android phone and tablet and it's not integrated into the browser at all.  You can configure it to create any kind of password with numbers, symbols and length that you need.  Only thing you have to remember is the single master password to open up your password data set.  It also has a note feature where you can track credit card numbers and PINs in encrypted format.  Best of all it's free.

[The_russian]

3 hours ago, Latvian Video said:

the one built into browsers should be enough, and I use KeePass to back them up, incase something happens to my pc

Using the browser’s password manager is a bad idea, if someone gets physical access to your computer you are screwed. I had a flash drive laying around at one point, not sure what happened to it but anyways it was loaded with a few programs that would scrape credentials from the computer, one of those being for login information saved through the browser. It took only a few seconds to run and would show usernames, passwords, what website the credentials were for, what time they were saved, and more. Point is don’t use the browser’s password manager since it is not secure.

[Video Beagle]

3 hours ago, LIGISTX said:

1password is a popular option these days.

They went subscription which made my hapyness for them go down.

[IPD]

it's the characters that annoys me, not the length.

 

if my password was: "flower baseball chocolate eyedrops" - that's still a more difficult brute force crack than 16 digits of caps/lower/symbols.  And that only goes up exponentially when you add another plain language word on (or made-up word).

[Paul Thexton]

11 hours ago, IPD said:

it's the characters that annoys me, not the length.

 

if my password was: "flower baseball chocolate eyedrops" - that's still a more difficult brute force crack than 16 digits of caps/lower/symbols.  And that only goes up exponentially when you add another plain language word on (or made-up word).

Yep. See the anti patterns section in this Microsoft published document. 

 

https://www.microsoft.com/en-us/research/wp-content/uploads/2016/06/Microsoft_Password_Guidance-1.pdf#page8

[thrasher_565]

On 10/27/2021 at 11:05 AM, CCWong said:

No. Any website/webservice worth their salt are going to be using salts and peppers. What you enter is going to be hashed and encrypted, so an infiltrator wouldn't actually get access to your password, they'd get access to an encrypted hash of your password that is also most likely salted. Given time and resources, yes, they could likely determine what your password is, but its not a guarantee. When you enter your password on a site, its not checking if your password matches what was stored, its checking if the stored one would be equal to your input after being salted, hashed, and encrypted (or whatever process they're using).

 

Dropbox created a blog after their breach to explain how they were toughening up their password storage policy:

https://dropbox.tech/security/how-dropbox-securely-stores-your-passwords

what about me calling ups and giving them my viza card number to pay a duty fee? they even say they record the call... just waiting to be hacked...fuck ups....

 

i dont get password mangers ether you have some unkowen server some ware storing this data and one password for many different sites is less sucre then many different passwords for each site. or using facebook to long in to just about any site it seems...

 

some sites have a max character limit for w/e reason and some dont allow copy and past.

[rrats]

https://xkcd.com/936/

 

I feel like this is bit relevant to the discussion

 

Edited November 3, 2021 by rrats

[mariushm]

This forum doesn't have such complicated requirements , just some mix of lowercase, uppercase, maybe a special character. 

Could easily achieve this by making your own internal rule about passwords .. for example start any password with name of website in uppercase followed by a special character ex for this website LTT#REGULAR PASSWORD  or linustechtips@@StupidPassword

 

By making requirements to have some mix of letters, it forces people to think more than just entering a password like 123456 or the name of their cat or just a common word that would make the account easy to hack. 

[IPD]

25 minutes ago, rrats said:

https://xkcd.com/936/

 

I feel like this is bit relevant to the discussion

 

Yep.  That's pretty much what I was thinking of, but couldn't remember where/when I saw it.

[DoctorNick]

What do you mean H6W]9-y[_E@e"&Q3 is easy to remember just remember this phrase: Hello sex Workers for 9-years under Erik @ erik quote & quake 3 

[TheEggComputer]

On 10/27/2021 at 11:45 AM, aqarwaen29 said:

Why some companies think ridiculously requirments hard passwords make more secure?? if I need to keep my password just in notepad to able access my account? and every hacker who hacks into my computer can see my password?

for example this forum would need this kind passwords.....H6W]9-y[_E@e"&Q3    or q?P.df;3Z{KR])k$

 

btw it is not my password

 why not provide option to let pick easier passwords and you toggle some box and you agree with theys terms if u want easier password instead hard one...

It is more secure though. Sometimes adding a single extra character and randomizing it can make it take longer to crack. Let’s say you had the password “Sheeprgreat69”. And let’s assume since there are dictionary words in there that the password would take, (in this fictional example) 2 weeks to crack. If you were to change it to “$he3prGre@t69!” Then it could possible take longer to crack, say 4 years.

(btw this is not my password lol I just made up a random sentence)

[IPD]

sounds like a reason to use obscure, made up words^.

[Paul Thexton]

20 minutes ago, coneve1414 said:

If you were to change it to “$he3prGre@t69!” Then it could possible take longer to crack, say 4 years.

The real solution, as the xkcd comic pointed out a long time ago (and he was by no means the first person do so), is to use variable length pass phrases, rather than fixed length, highly formulaic (must have one upper case, x number of special chars, x number of numbers) passwords.

[Spindel]

25 minutes ago, coneve1414 said:

It is more secure though. Sometimes adding a single extra character and randomizing it can make it take longer to crack. Let’s say you had the password “Sheeprgreat69”. And let’s assume since there are dictionary words in there that the password would take, (in this fictional example) 2 weeks to crack. If you were to change it to “$he3prGre@t69!” Then it could possible take longer to crack, say 4 years.

(btw this is not my password lol I just made up a random sentence)

The thing that would be even harder to crack would be to just use "SheepgreatSheepgreat" or "thisismylongpasswordasaphrase" no need for special characters and easier to remember. 

 

lenght > complexity when cracking