Discussion:
Those idiot password changes
T
2018-06-13 00:34:09 UTC
Hi w10 and w7,

I have been bitching about this for ages.

Time to rethink mandatory password changes

https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

If you pick a good solid password that is not hacked by the
bad guy's first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.

Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.

-T
J. P. Gilliver (John)
2018-06-13 00:45:16 UTC
Post by T
Hi w10 and w7,
I have been bitching about this for ages.
Time to rethink mandatory password changes
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
If you pick a good solid password that is not hacked by the
bad guy's first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.
Agreed.
Post by T
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.
Well, best as a combination of security and chance that you'll remember
them. Best for security alone are as near totally random as you can get,
but they're going to be impossible to remember.
Post by T
-T
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)***@T+H+Sh0!:`)DNAf

...Every morning is the dawn of a new error...
T
2018-06-13 00:59:01 UTC
Post by J. P. Gilliver (John)
Post by T
Hi w10 and w7,
I have been bitching about this for ages.
Time to rethink mandatory password changes
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
If you pick a good solid password that is not hacked by the
bad guy's first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables?  Changing your passwords constantly is
not a good security feature.
Agreed.
Post by T
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases.  Mine are up to 30 characters.
Well, best as a combination of security and chance that you'll remember
them. Best for security alone are as near totally random as you can get,
but they're going to be impossible to remember.
Post by T
-T
Make up something in Latin with lots of spaces in it.

Did you notice in the ftc article what users do when asked
to change their password? They just add or change a number.
I have one lady that just adds a dollar sign to the old
password. She is up to five dollar signs now.

I have run tables at Windows passwords before. When
I get this mandatory 90 change s***, I just shake my head
Wolf K
2018-06-13 01:30:01 UTC
Post by J. P. Gilliver (John)
Post by T
Hi w10 and w7,
I have been bitching about this for ages.
Time to rethink mandatory password changes
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
If you pick a good solid password that is not hacked by the
bad guy's first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables?  Changing your passwords constantly is
not a good security feature.
Agreed.
Post by T
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases.  Mine are up to 30 characters.
Well, best as a combination of security and chance that you'll remember
them. Best for security alone are as near totally random as you can get,
but they're going to be impossible to remember.
Post by T
-T
A good source of phrases is your own history. Eg, this sequence derives
from a couple of sentences about my life: mbswbligsihttttfthomtbaf.
Convert a few letters to numerics or capitals, and may look "as near
totally random" as you desire: mbswb11gs1HtTttft60Mt6af
--
Wolf K
kirkwood40.blogspot.com
Ethics is knowing the difference between what you have a right to do and
what is right to do. Potter Stewart
Nil
2018-06-14 07:30:17 UTC
Post by Wolf K
A good source of phrases is your own history. Eg, this sequence
mbswbligsihttttfthomtbaf. Convert a few letters to numerics or
mbswb11gs1HtTttft60Mt6af
Hey, I thought I invented that! I knew I should have patented it.
pyotr filipivich
2018-06-13 15:36:49 UTC
Post by J. P. Gilliver (John)
Post by T
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.
Well, best as a combination of security and chance that you'll remember
them. Best for security alone are as near totally random as you can get,
but they're going to be impossible to remember.
I've heard it suggested that you keep an encrypted file on a thumb
drive, and all you do is cut and paste that random phrase to the
password field.
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
T
2018-06-13 18:13:34 UTC
Post by pyotr filipivich
Post by J. P. Gilliver (John)
Post by T
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.
Well, best as a combination of security and chance that you'll remember
them. Best for security alone are as near totally random as you can get,
but they're going to be impossible to remember.
I've heard it suggested that you keep an encrypted file on a thumb
drive, and all you do is cut and paste that random phrase to the
password field.
LUKS encrypt the flash drive and Bob's Your Uncle. Doesn't
work with Windows though
Chris
2018-06-13 19:41:25 UTC
Post by T
Post by pyotr filipivich
Post by J. P. Gilliver (John)
Post by T
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.
Well, best as a combination of security and chance that you'll remember
them. Best for security alone are as near totally random as you can get,
but they're going to be impossible to remember.
I've heard it suggested that you keep an encrypted file on a thumb
drive, and all you do is cut and paste that random phrase to the
password field.
LUKS encrypt the flash drive and Bob's Your Uncle. Doesn't
work with Windows though
Best hope you don't lose it :)
wryutirjgkhmmfioertuyie
2018-06-13 01:42:55 UTC
Keep in mind though that picking an easy password is even worse. The
best ones are run on phrases. Mine are up to 30 characters.
I was surprised to find that W10 allows me to pick a ONE character
password on this tablet. Most all of my other devices/apps require at
least eight characters. So I picked "p" (for 'p' assword) on this W10
tablet. Sure makes it quick to get into. And easy to remember. And
reasonably safe since whomever unlawfully comes into possession of this
tablet would never think of trying anything that easy...
T
2018-06-13 01:53:35 UTC
Post by wryutirjgkhmmfioertuyie
Keep in mind though that picking an easy password is even worse. The
 best ones are run on phrases.  Mine are up to 30 characters.
I was surprised to find that W10 allows me to pick a ONE character
password on this tablet. Most all of my other devices/apps require at
least eight characters. So I picked "p" (for 'p' assword) on this W10
tablet. Sure makes it quick to get into. And easy to remember. And
reasonably safe since whomever unlawfully comes into possession of this
tablet would never think of trying anything that easy...
I had a guy tell me he uses "8" as his password as they
would never guess something so simple. I told him how
the rainbow tables worked and how he would be dead meat
in a microsecond.

A lot of folks ask me to turn off their Windows passwords.
I make sure there is nothing private on their computers
first including ordering on line, then I oblige them.

Only use security where it is needed. Otherwise it is
just obnoxious.
Paul
2018-06-13 02:01:04 UTC
Post by wryutirjgkhmmfioertuyie
Keep in mind though that picking an easy password is even worse. The
best ones are run on phrases. Mine are up to 30 characters.
I was surprised to find that W10 allows me to pick a ONE character
password on this tablet. Most all of my other devices/apps require at
least eight characters. So I picked "p" (for 'p' assword) on this W10
tablet. Sure makes it quick to get into. And easy to remember. And
reasonably safe since whomever unlawfully comes into possession of this
tablet would never think of trying anything that easy...
"would never think of trying"

Kali, rainbow tables, etc.

This is what machines are for. They don't think.
They just grind through the algorithmic possibilities.

What screws up cracking passwords, is
having to add punctuation to the character
set of the search. If you stick to an alphabetic
password, I would expect it to be cracked
in no time at all. If numbers and punctuation
are included, that helps a lot. You either have
to order some BluRay sized rainbow tables,
or do it with a graphics card. A box full of
high end graphics cards can also crack passwords
fairly quickly. (Day or two). On my low
end graphics card, it would probably take
a few months for even a simple password.

There's a standard format for password dumping.

https://tools.kali.org/password-attacks/creddump

***@kali:~# pwdump system sam
Administrator:500:41aa818b512a8c0e72381e4c174e281b:1896d0a309184775f67c14d14b5c365a:::

                  ^                                ^
                  |                                |
<username>:<uid>:<LM-hash>                        :<NTLM-hash>:<comment>:<homedir>:

The NTLM-hash is apparently the one you try to crack.

The idea is, you'd boot the tablet with
a Kali USB stick and collect some info.
The pwdump command would dump a table of
all the accounts present. The above is the
first account found.

Paul
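
An added example, not part of Paul's post: a defender's audit of records in the pwdump format shown above, flagging blank passwords, stored LM hashes and accounts whose NT hash is identical (the hash is unsalted, so equal hashes mean equal passwords). The first sample line is the one quoted in the post; the other lines, the function names and the finding texts are constructed for illustration.

```python
"""Audit pwdump-format account records for weak credential storage."""
from collections import defaultdict
from typing import NamedTuple

# Well-known hashes of the empty string: a blank password yields these values.
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"
HEX_DIGITS = set("0123456789abcdef")

# Constructed sample input, except the first record, which is quoted in the post.
SAMPLE = """\
Administrator:500:41aa818b512a8c0e72381e4c174e281b:1896d0a309184775f67c14d14b5c365a:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
alice:1001:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
bob:1002:aad3b435b51404eeaad3b435b51404ee:0123456789abcdef0123456789abcdef:::
carol:1003:0123456789abcdefaad3b435b51404ee:fedcba9876543210fedcba9876543210:::
"""


class Account(NamedTuple):
    user: str
    rid: int
    lm: str
    nt: str


def parse_line(line: str) -> Account:
    """Split one <username>:<uid>:<LM-hash>:<NTLM-hash>::: record."""
    fields = line.strip().split(":")
    if len(fields) < 4:
        raise ValueError(f"not a pwdump record: {line!r}")
    user, rid = fields[0], fields[1]
    lm, nt = fields[2].lower(), fields[3].lower()
    for label, value in (("LM", lm), ("NT", nt)):
        if len(value) != 32 or not set(value) <= HEX_DIGITS:
            raise ValueError(f"{user}: {label} field is not 32 hex digits")
    return Account(user, int(rid), lm, nt)


def audit(lines) -> dict:
    """Return {username: [findings]} for every record in `lines`."""
    accounts = [parse_line(line) for line in lines if line.strip()]
    users_by_nt = defaultdict(list)
    for acct in accounts:
        users_by_nt[acct.nt].append(acct.user)

    findings = {}
    for acct in accounts:
        notes = []
        if acct.nt == EMPTY_NT:
            notes.append("blank password")
        else:
            if acct.lm != EMPTY_LM:
                # LM is the legacy, weaker hash; it should not be stored at all.
                notes.append("LM hash stored")
                # LM hashes two 7-character halves separately; an empty
                # second half shows the password fits in the first half.
                if acct.lm[16:] == EMPTY_LM[:16]:
                    notes.append("password is 7 characters or fewer")
            others = [u for u in users_by_nt[acct.nt] if u != acct.user]
            if others:
                notes.append("NT hash shared with " + ", ".join(others))
        findings[acct.user] = notes
    return findings


if __name__ == "__main__":
    for user, notes in audit(SAMPLE.splitlines()).items():
        print(f"{user:15} {'; '.join(notes) or 'no findings'}")
```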
wryutirjgkhmmfioertuyie
2018-06-13 04:32:13 UTC
Post by Paul
W10 allows me to pick a ONE character password on this tablet. So I
picked "p". Sure makes it quick to get into. And reasonably safe
since whomever unlawfully comes into possession of this
tablet would never think of trying anything that easy...
"would never think of trying"
My key words above are "reasonably safe".
Post by Paul
Kali, rainbow tables, etc. This is what machines are for. They don't
think. They just grind through the algorithmic possibilities.
I'm not worried about the CIA or a hacker breaking my tablet's password.
Since this tablet seldom leaves the house my greatest danger is losing
it by burglary. And most burglars would not waste time trying to break
my password. They would just reset and sell the tablet as quickly as
possible.
Post by Paul
The idea is, you'd boot the tablet with a Kali USB stick and collect
some info. The pwdump command would dump a table of all the accounts
present.
And if my burglar did turn out to be a hacker he would need to be quick
about it. I'd know the device was gone within a few hours and quickly
change my app passwords. Further since I use 2-factor authentication
he'd need my phone to use or change any passwords obtained.

So why make things difficult for me to open my tablet? Excessive
security just wastes my time.

Actually my greatest threat would probably be a grandkid blindly
punching the keyboard one at a time and hitting "p"... 8-O

BTW one annoying feature I find about my new Chromebook is that it
REQUIRES a 6 digit pin or my full Google password (13 characters). And
the Google password is required at least once a day. And there is no
automatic locking so if I forget to push the lock key it stays unlocked.
Now THAT IS a real security threat at my age...
pyotr filipivich
2018-06-13 15:36:49 UTC
Post by wryutirjgkhmmfioertuyie
Post by Paul
W10 allows me to pick a ONE character password on this tablet. So I
picked "p". Sure makes it quick to get into. And reasonably safe
since whomever unlawfully comes into possession of this
tablet would never think of trying anything that easy...
"would never think of trying"
My key words above are "reasonably safe".
Post by Paul
Kali, rainbow tables, etc. This is what machines are for. They don't
think. They just grind through the algorithmic possibilities.
I'm not worried about the CIA or a hacker breaking my tablet's password.
Since this tablet seldom leaves the house my greatest danger is losing
it by burglary. And most burglars would not waste time trying to break
my password. They would just reset and sell the tablet as quickly as
possible.
Post by Paul
The idea is, you'd boot the tablet with a Kali USB stick and collect
some info. The pwdump command would dump a table of all the accounts
present.
And if my burglar did turn out to be a hacker he would need to be quick
about it. I'd know the device was gone within a few hours and quickly
change my app passwords. Further since I use 2-factor authentication
he'd need my phone to use or change any passwords obtained.
So why make things difficult for me to open my tablet? Excessive
security just wastes my time.
Actually my greatest threat would probably be a grandkid blindly
punching the keyboard one at a time and hitting "p"... 8-O
Bingo.

I had to use an assembly language simulator for a programming
class. Stepping through a loop, I just started "walking across the
keyboard" - avoiding the keys I knew "caused things" (Q for example.)
Found all manner of useful things - m for map memory{dump the current
state to output} was the most useful.
Post by wryutirjgkhmmfioertuyie
BTW one annoying feature I find about my new Chromebook is that it
REQUIRES a 6 digit pin or my full Google password (13 characters). And
the Google password is required at least once a day. And there is no
automatic locking so if I forget to push the lock key it stays unlocked.
Now THAT IS a real security threat at my age...
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
wryutirjgkhmmfioertuyie
2018-06-13 15:54:19 UTC
Post by wryutirjgkhmmfioertuyie
Actually my greatest threat would probably be a grandkid blindly
punching the keyboard one at a time and hitting "p"... 8-O
Bingo.
I had to use an assembly language simulator for a programming class.
Stepping through a loop, I just started "walking across the keyboard"
- avoiding the keys I knew "caused things" (Q for example.) Found all
manner of useful things - m for map memory{dump the current state to
output} was the most useful.
Actually I was just trying to be funny. My grandkid would have to hit
ONLY "p" (my password) and "Enter"- in that order - to open my tablet.
Any extra keys would screw things up. So odds are pretty good this
tablet is safe from grandkids too... that is to break into, not to break
up... 8-O
pyotr filipivich
2018-06-14 00:25:48 UTC
Post by wryutirjgkhmmfioertuyie
Post by wryutirjgkhmmfioertuyie
Actually my greatest threat would probably be a grandkid blindly
punching the keyboard one at a time and hitting "p"... 8-O
Bingo.
I had to use an assembly language simulator for a programming class.
Stepping through a loop, I just started "walking across the keyboard"
- avoiding the keys I knew "caused things" (Q for example.) Found all
manner of useful things - m for map memory{dump the current state to
output} was the most useful.
Actually I was just trying to be funny. My grandkid would have to hit
ONLY "p" (my password) and "Enter"- in that order - to open my tablet.
Any extra keys would screw things up. So odds are pretty good this
tablet is safe from grandkids too... that is to break into, not to break
up... 8-O
I put a simple 2 char password on the box at home. "Paranoia" -
so that the cat cannot walk across the keyboard and "do something".
One of the catch phrases of the program was "Your program should be
able to handle having the cat walk across the keyboard without
crashing in flames."
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
Keith Nuttle
2018-06-13 12:46:41 UTC
Post by wryutirjgkhmmfioertuyie
Keep in mind though that picking an easy password is even worse. The
 best ones are run on phrases.  Mine are up to 30 characters.
I was surprised to find that W10 allows me to pick a ONE character
password on this tablet. Most all of my other devices/apps require at
least eight characters. So I picked "p" (for 'p' assword) on this W10
tablet. Sure makes it quick to get into. And easy to remember. And
reasonably safe since whomever unlawfully comes into possession of this
tablet would never think of trying anything that easy...
Windows accepts a nul character for a password. Using a nul character,
your system logs in and you do not need to enter a password.

I have three computers, and none have passwords. One never leaves the
upstairs studio, and only my wife and I live in this house.

While my laptop travels it is never left anywhere, and my tablet has
nothing worth stealing.
--
2018: The year we learn to play the great game of Euchre
wryutirjgkhmmfioertuyie
2018-06-13 15:41:16 UTC
Post by Keith Nuttle
I have three computers, and none have passwords. One never leaves
the upstairs studio
My neighbor's computers were never supposed to leave his house either
except that one day they did... in a burglary.
Post by Keith Nuttle
While my laptop travels it is never left anywhere
And while you and your laptop are traveling those burglars have access
to your unsecured computers. You likely won't be aware of the theft
until you return home days later.

Have a burglar alarm? These days they do smash and grabs. Kick in the
door, and grab the electronics before the cops can get there, in my town
sometimes an hour later. Have a dog? He's dead.

As an aside: My neighbor's wife had her car broken into at work. The
perps took her garage door opener and car registration for her address.
They drove to her house opened the garage door, drove in, shut the door,
and took their time removing all her electronics among other things. I
walked by while it was happening and was unaware. Moral to this story?
Hide your garage door opener and/or remove your address from any
documents in your car.
T
2018-06-13 18:19:49 UTC
Post by wryutirjgkhmmfioertuyie
Have a burglar alarm? These days they do smash and grabs. Kick in the
door, and grab the electronics before the cops can get there, in my town
sometimes an hour later. Have a dog? He's dead.
Fortunately, I live in a place where most leave their doors
(car and house) unlocked. Any a** h*** who breaks into my or my
neighbors better be able to run a lot faster than 800 feet per
second. (It is open season on a** h***s out here and they
know it.) It is a nice place to live.

That being said. My office computer is LUKS encrypted
to protect both my and my customer sensitive information.
wryutirjgkhmmfioertuyie
2018-06-13 22:39:04 UTC
Any a** h*** who breaks into my or my neighbors better be able to run
a lot faster than 800 feet per second.
Problem is burglars check to see if you're home before breaking in. Thus
there's usually nobody there to shoot at when you get home and find your
stuff missing.
T
2018-06-14 15:46:19 UTC
Post by wryutirjgkhmmfioertuyie
Any a** h*** who breaks into my or my neighbors better be able to run
a lot faster than 800 feet per second.
Problem is burglars check to see if you're home before breaking in. Thus
there's usually nobody there to shoot at when you get home and find your
stuff missing.
True. It also helps to have nosey neighbors. The bad guys
stay away.
David E. Ross
2018-06-13 02:35:47 UTC
Post by T
Hi w10 and w7,
I have been bitching about this for ages.
Time to rethink mandatory password changes
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
If you pick a good solid password that is not hacked by the
bad guy's first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.
-T
I get someone's PGP public key from a key server. It does not matter
whose key. My passwords are then extracted from the plain-text
representation of that key. Each password is extracted from a different
part of the key.

Here are a few lines from a public PGP key. The actual key runs 20
lines; some are even longer.
tCxNYXR0aGV3IFJpY2hhcmRzb24gPEplcnNleSwgQ2hhbm5lbCBJc2xhbmRzPokA
lQIFEC6FPm4CsC8HBxL+vQEBl74D/2/ZkU9M6Doc69jFrig3jHFMlYNWIu7pWniV
jtj2PwRgMT5O83IUoLy3kxmzEM5DELZ1fAEg+6DMxCDka3S8B7S769fcto/nTLaA
kItWzjqPZKjg5AnXQEI6mRg8N30MNK5+ViT/VfRhgpyjSqxWhAehN4Q+PxX5MBF3
xaGaXD5CtCxNYXR0aGV3IFJpY2hhcmRzb24gPG1hdHRoZXdAaXRjb25zdWx0LmNv

A possible extract from this would be
5AnXQEI6mRg8N
which is from the fourth line, starting at the 13th character. This
contains numerals, upper-case letters, and lower-case letters. I
generally remove the + and /, but some Web sites want me to include
special characters.

Obviously, I cannot remember any such a password. I keep a plain-text
file of all my passwords. That file is PGP encrypted, but then I only
have to remember a single password to decrypt it. I use a strong
file-erase application to erase a decrypted copy of the file.
--
David E. Ross
<http://www.rossde.com/>

First you say you do, and then you don't.
And then you say you will, but then won't.
You're undecided now, so what're you goin' to do?
From a 1950s song
That should be Donald Trump's theme song. He obviously
does not understand "commitment", whether it is about
policy or marriage.
😉 Good Guy 😉
2018-06-13 02:40:28 UTC
Post by T
Hi w10 and w7,
You are a rogue trader and it's no surprise you don't like your victims
using passwords. Frankly, you should be arrested from defrauding
customers by providing bogus IT services.
Post by T
/--- This email has been checked for viruses by
Windows Defender software.
//https://www.microsoft.com/en-gb/windows/comprehensive-security/
--
With over 950 million devices now running Windows 10, customer
satisfaction is higher than any previous version of windows.
Dave
2018-06-13 12:08:55 UTC
Post by 😉 Good Guy 😉
Post by T
Hi w10 and w7,
You are a rogue trader and it's no surprise you don't like your victims
using passwords. Frankly, you should be arrested from defrauding
customers by providing bogus IT services.
Post by T
/--- This email has been checked for viruses by
Windows Defender software.
//https://www.microsoft.com/en-gb/windows/comprehensive-security/

I see you have enhanced the gratuitous nonsense at the end of your posts,
but you are still a pest - go away.
VanguardLH
2018-06-13 03:21:10 UTC
I have been bitching about this for ages. Time to rethink mandatory
password changes
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
If you pick a good solid password that is not hacked by the
bad guy's first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.
Use a *different* password at every site (domain). Not some
transformation of the same password but a completely different one.

Use a *different* password at every host (unless it's a workstation on a
domain and you want to reuse your user profile from the PDC).

You could use software but then have to trust someone else with your
passwords, unless they are locally encrypted using a passphrase you
choose (but then you have to remember the passphrase). I prefer to use
an algorithm that I can remember, so I don't need to install the
software (not an option if a host is not your property) everywhere I go.

Always use strong passwords. Not something stupid, like in the Comcast
commercial where the parents tell their kid to set "YouMustStillVisitUs"
as their password.

Don't save passwords in software (e.g., web browsers) other than on the
hosts to which only you have physical access.

Use a different password for the system (BIOS) and OS login. When using
a system password, lock the case.

Don't bother with an automatic expiration of passwords configured in the
OS. That encourages users to create new passwords that are similar to
their old passwords, or to use simple passwords that they can remember.
If someone leaves a company, the sysadmin should be disabling their
account, not rely on eventual expiration of that employee's password.

Forcing users to keep changing passwords not only provokes them into
using simple and memorable passwords that are more easily hacked but
also prods them into leaving cheatsheets around with a list of their
passwords. Walk around to see how many employees have recorded their
passwords on a sticky note stuck to the bottom of their keyboard or the
side of a desk drawer that can be seen when the drawer is opened.
Expiration of passwords also impacts productivity. A user cannot log in
to do their work. A presentation is interrupted because the orator has to
create a new password (that they may not remember having to do it in a
hurry and on-the-fly) to continue the presentation. If the lock on your
shed shows no signs of tampering, do you change the lock every month?

If the ex-employee was logging into the domain, the sysadmin disables
the roaming profile on the PDC. If the ex-employee has local admin
privileges on a workstation, the sysadmin will have to physically visit
that ex-employee's workstations to login using the sysadmin's
admin-level account to disable the ex-employee's admin-level accounts.

Social engineering still works. Some sites will require users to enter
a CAPTCHA string before a visitor can see some content they want (e.g.,
porn sites where visitors will jump through hoops to see the porn).
These CAPTCHA images are grabbed from other sites and then presented to
the visitor of the porn site. They use the intelligence of their
visitors to break the CAPTCHAs at other sites. CAPTCHAs that are merely
arithmetic strings are stupid as those can be simply copied (from the
display or from the web page code) and then pasted into a calculator
app. Many CAPTCHAs have audio playback. Well, even you know when
calling some call center that they use software that can recognize what
you say instead of relying on you pressing buttons on the phone.

CAPTCHAs aren't secure. They were never meant to be a form of security.
They are to differentiate between humans and bots. Using CAPTCHAs for
logins is to nuisance a user by interrupting a login, so the user thinks
there is added security. Any site can use a login that logarithmically
increases the interval between retries making it take unbearably long,
especially for computers trying to hack, to perform multiple retries.

https://www.sitepoint.com/captcha-are-not-a-security-measure/

Also, no matter how long is the bitlength of a passphrase or how
convoluted the hashing algorithm, you're relying on chance that a hacker
doesn't get your password. They could succeed on the very first attempt
even when using random strings. That's how probability works.
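
The increasing retry interval mentioned in the post above, as an added example that is not part of VanguardLH's post: a per-account throttle that refuses attempts until a wait has elapsed and lengthens that wait after every consecutive failure. The doubling schedule, the names LoginThrottle and total_wait, and the 1 second base and 900 second cap are assumptions chosen for illustration.

```python
"""Server-side login throttle with a growing retry interval."""
import time

MAX_EXPONENT = 32  # keeps 2**n small enough for float arithmetic


def delay_after(failures, base=1.0, cap=900.0):
    """Wait imposed after the Nth consecutive failure: base, 2*base, 4*base ... up to cap."""
    return min(cap, base * 2 ** min(failures - 1, MAX_EXPONENT))


def total_wait(guesses, base=1.0, cap=900.0):
    """Seconds of enforced waiting before `guesses` attempts can all be made."""
    return sum(delay_after(n, base, cap) for n in range(1, guesses))


class LoginThrottle:
    def __init__(self, base=1.0, cap=900.0, clock=time.monotonic):
        self.base = base
        self.cap = cap
        self.clock = clock   # injectable so the behaviour can be tested without sleeping
        self._state = {}     # account -> (consecutive failures, earliest next attempt)

    def wait_required(self, account):
        """Seconds until the next attempt for this account will be evaluated."""
        _, not_before = self._state.get(account, (0, 0.0))
        return max(0.0, not_before - self.clock())

    def attempt(self, account, verify):
        """Return 'wait', 'ok' or 'denied'. `verify` is a zero-argument callable
        that checks the submitted password; it is not called during a wait, so
        a correct guess made too early gains nothing."""
        if self.wait_required(account) > 0:
            return "wait"
        if verify():
            self._state.pop(account, None)   # success resets the failure count
            return "ok"
        failures = self._state.get(account, (0, 0.0))[0] + 1
        wait = delay_after(failures, self.base, self.cap)
        self._state[account] = (failures, self.clock() + wait)
        return "denied"


if __name__ == "__main__":
    for n in (5, 10, 20, 100):
        print(f"{n:4d} guesses need at least {total_wait(n):8.0f} s of waiting")
```

Keying the state on the account name alone lets anyone who knows the name slow down its owner; keying on account plus source address is a common variation.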
pyotr filipivich
2018-06-13 15:36:49 UTC
Post by VanguardLH
I have been bitching about this for ages. Time to rethink mandatory
password changes
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
If you pick a good solid password that is not hacked by the
bad guy's first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.
Use a *different* password at every site (domain). Not some
transformation of the same password but a completely different one.
Use a *different* password at every host (unless it's a workstation on a
domain and you want to reuse your user profile from the PDC).
You could use software but then have to trust someone else with your
passwords, unless they are locally encrypted using a passphrase you
choose (but then you have to remember the passphrase). I prefer to use
an algorithm that I can remember, so I don't need to install the
software (not an option if a host is not your property) everywhere I go.
Always use strong passwords. Not something stupid, like in the Comcast
commercial where the parents tell their kid to set "YouMustStillVisitUs"
as their password.
Don't save passwords in software (e.g., web browsers) other than on the
hosts to which only you have physical access.
Use a different password for the system (BIOS) and OS login. When using
a system password, lock the case.
Now all I need is a record of all the various passwords, with a
strong password needed to access it.
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
nospam
2018-06-13 15:49:26 UTC
Post by pyotr filipivich
Now all I need is a record of all the various passwords, with a
strong password needed to access it.
that's called a password manager.
pyotr filipivich
2018-06-14 00:25:48 UTC
Post by nospam
Post by pyotr filipivich
Now all I need is a record of all the various passwords, with a
strong password needed to access it.
that's called a password manager.
One more program to download, install, setup and configure.

I think I'll stick with a paper notebook.
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
nospam
2018-06-14 02:00:57 UTC
Post by pyotr filipivich
Post by nospam
Post by pyotr filipivich
Now all I need is a record of all the various passwords, with a
strong password needed to access it.
that's called a password manager.
One more program to download, install, setup and configure.
hardly an obstacle. maybe a minute, if that long.
Post by pyotr filipivich
I think I'll stick with a paper notebook.
not as safe, plus you're far less likely to use long cryptic passwords
because they're hard to type.
pyotr filipivich
2018-06-14 03:19:33 UTC
Post by nospam
Post by pyotr filipivich
Post by nospam
Post by pyotr filipivich
Now all I need is a record of all the various passwords, with a
strong password needed to access it.
that's called a password manager.
One more program to download, install, setup and configure.
hardly an obstacle. maybe a minute, if that long.
"The slothful man saith, There is a lion without, I shall be slain
in the streets."
Post by nospam
Post by pyotr filipivich
I think I'll stick with a paper notebook.
not as safe, plus you're far less likely to use long cryptic passwords
because they're hard to type.
But then again, I don't have to worry about the notebook being
"hacked".
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
nospam
2018-06-14 03:26:44 UTC
Post by pyotr filipivich
Post by nospam
Post by pyotr filipivich
I think I'll stick with a paper notebook.
not as safe, plus you're far less likely to use long cryptic passwords
because they're hard to type.
But then again, I don't have to worry about the notebook being
"hacked".
actually you do, since it's not encrypted. anyone can look at it and
find out your passwords.

there are also no backups. if you lose the notebook, or your house
burns down, there go your passwords, and in the former case, someone
else now knows what they are.

with a password manager, it will take a few billion years to crack the
master password, assuming it isn't lame, like monkey123 or qwerty.

there can also be an unlimited number of backups scattered across the
planet, so outside of an alien invasion where the earth is completely
destroyed, your passwords will be safe, and if that were to happen, not
knowing your passwords will be a relatively minor issue, should you
somehow survive.
Chris
2018-06-14 08:56:26 UTC
Post by pyotr filipivich
Post by nospam
Post by pyotr filipivich
Post by nospam
Post by pyotr filipivich
Now all I need is a record of all the various passwords, with a
strong password needed to access it.
that's called a password manager.
One more program to download, install, setup and configure.
hardly an obstacle. maybe a minute, if that long.
"The slothful man saith, There is a lion without, I shall be slain
in the streets."
Post by nospam
Post by pyotr filipivich
I think I'll stick with a paper notebook.
not as safe, plus you're far less likely to use long cryptic passwords
because they're hard to type.
But then again, I don't have to worry about the notebook being
"hacked".
You do have to worry about not having it with you when you need it, though.
pyotr filipivich
2018-06-14 23:20:03 UTC
Post by Chris
Post by pyotr filipivich
Post by nospam
Post by pyotr filipivich
Post by nospam
Post by pyotr filipivich
Now all I need is a record of all the various passwords, with a
strong password needed to access it.
that's called a password manager.
One more program to download, install, setup and configure.
hardly an obstacle. maybe a minute, if that long.
"The slothful man saith, There is a lion without, I shall be slain
in the streets."
Post by nospam
Post by pyotr filipivich
I think I'll stick with a paper notebook.
not as safe, plus you're far less likely to use long cryptic passwords
because they're hard to type.
But then again, I don't have to worry about the notebook being
"hacked".
You do have to worry about not having it with you when you need it, though.
Considering that I don't use the "device" for anything requiring a
login...
--
pyotr filipivich
Next month's Panel: Graft - Boon or blessing?
Chris
2018-06-15 07:39:09 UTC
Post by pyotr filipivich
Post by Chris
Post by pyotr filipivich
Post by nospam
Post by pyotr filipivich
Post by nospam
Post by pyotr filipivich
Now all I need is a record of all the various passwords, with a
strong password needed to access it.
that's called a password manager.
One more program to download, install, setup and configure.
hardly an obstacle. maybe a minute, if that long.
"The slothful man saith, There is a lion without, I shall be slain
in the streets."
Post by nospam
Post by pyotr filipivich
I think I'll stick with a paper notebook.
not as safe, plus you're far less likely to use long cryptic passwords
because they're hard to type.
But then again, I don't have to worry about the notebook being
"hacked".
You do have to worry about not having it with you when you need it, though.
Considering that I don't use the "device" for anything requiring a
login...
Then what's the paper notebook for?

B00ze
2018-06-13 04:43:29 UTC
Good day Sir.
Post by T
Hi w10 and w7,
I have been bitching about this for ages.
Yup, same here; I just gave up a few years ago and do like everyone
else, +1 every 3 months...
Post by T
Time to rethink mandatory password changes
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
You're a bit late, that article is from March 2016 ;-)

This is more recent, and says the NIST guy apologizes for screwing-up 20
years ago:

http://www.alphr.com/security/1006567/password-rules-bill-burr-apology
Post by T
If you pick a good solid password that is not hacked by the
bad guys first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.
The problem is you cannot keep remembering new good passwords every 90
days for 15 different apps, at some point it's too much.
Post by T
The best ones are run on phrases. Mine are up to 30 characters.
Unfortunately not all websites/etc accept 30 character passwords :-(

Regards,
--
! _\|/_ Sylvain / ***@hotmail.com
! (o o) Member:David-Suzuki-Fdn/EFF/Red+Cross/SPCA/Planetary-Society
oO-( )-Oo Windows-NT is the O/S of the future (and always will be.)
T
2018-06-13 05:02:52 UTC
Post by B00ze
http://www.alphr.com/security/1006567/password-rules-bill-burr-apology
Thank you!
Post by B00ze
The problem is you cannot keep remembering new good passwords every 90
days for 15 different apps, at some point it's too much.
Folks typically just add to the end of it:

MirosoftSucks!1
MirosoftSucks!11
MirosoftSucks!111
MirosoftSucks!1111

and on and on and so forth,

That one is a really easy one to crack as it is quite common.
I see a lot of expletives about gMail too.
Post by B00ze
Post by T
The best ones are run on phrases. Mine are up to 30 characters.
Unfortunately not all websites/etc accept 30 character passwords :-(
For those I keep 15 character scrambles in a very, very highly
encrypted locked of my own doing. I copy and paste them. No
way I can type them in correctly!
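The "+1 every 3 months" habit described in the posts above can be caught at password-change time, when the server briefly holds both the old and the new password. This is an added example, not code from any poster; the function names and verdict labels are hypothetical, and the sample strings are the ones quoted in the thread.

```python
import re
import unicodedata
from typing import List

# Trailing run of digits/punctuation that users tend to bump on each forced change.
_SUFFIX = re.compile(r"[\d\W_]+$")


def _normalise(pw: str) -> str:
    """Fold case and Unicode compatibility forms so cosmetic changes compare equal."""
    return unicodedata.normalize("NFKC", pw).casefold()


def _stem(pw: str) -> str:
    """Normalised password with its trailing counter/punctuation run removed."""
    return _SUFFIX.sub("", _normalise(pw))


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete from a
                           cur[j - 1] + 1,              # insert into a
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def rotation_verdict(old: str, new: str, max_edits: int = 2) -> str:
    """Classify a password change.

    'same'        -> identical after case/Unicode folding
    'suffix-bump' -> same stem, only the trailing digits/symbols changed
    'near-copy'   -> within max_edits single-character edits of the old one
    'ok'          -> none of the above (says nothing about overall strength)
    """
    n_old, n_new = _normalise(old), _normalise(new)
    if n_old == n_new:
        return "same"
    stem_old = _stem(old)
    if stem_old and stem_old == _stem(new):
        return "suffix-bump"
    if _edit_distance(n_old, n_new) <= max_edits:
        return "near-copy"
    return "ok"


def audit_history(passwords: List[str]) -> List[str]:
    """Verdict for each consecutive change in a user's rotation history."""
    return [rotation_verdict(a, b) for a, b in zip(passwords, passwords[1:])]


if __name__ == "__main__":
    history = ["MirosoftSucks!1", "MirosoftSucks!11",
               "MirosoftSucks!111", "MirosoftSucks!1111"]
    print(audit_history(history))
```

A rotation policy that accepts every change in that history has forced four password changes and gained nothing, which is the argument the FTC article linked at the top of the thread makes.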
Chris
2018-06-13 12:09:05 UTC
Post by T
Hi w10 and w7,
I have been bitching about this for ages.
Time to rethink mandatory password changes
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
If you pick a good solid password that is not hacked by the
bad guys first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.
I'm surprised no-one has mentioned password managers. You only need to
remember one (secure) password and all your passwords are available on all
your devices. Safely, securely and under your own control. Simples!

I used keepassX for a while, but the browser integration was unusable. Now,
I use enpass which works on pretty much any combination of OS and browser.

I don't have to know any of my passwords and they're all just random
strings. I wanted them all to be at least 30 characters long, but too many
places restrict the maximum length, which is a massive red flag. Sigh.
wryutirjgkhmmfioertuyie
2018-06-13 15:39:58 UTC
Post by Chris
I'm surprised no-one has mentioned password managers. You only need
to remember one (secure) password and all your passwords are
available on all your devices.
Safely, securely and under your own control.
Are you SURE?? Any chance they also can be hacked?

https://www.cbsnews.com/news/lastpass-password-manager-hacked/

And:

"Of course, for every expert who says he can't live without a password
manager, there's another who says he'd gladly go the rest of his life
without ever using one. That's the case for Terry Cutler, co-founder and
chief technology officer of Montreal-based cybersecurity consultancy
Digital Locksmiths.

"I'm not a fan of password-management tools at all," Cutler said in an
email interview. "If the tool got hacked, then all of your codes would
be taken."

Tyler Reguly, manager of security research at cybersecurity firm
Tripwire in Portland, Oregon, agreed with Cutler. He argued that
password managers may do more harm than good, especially for home users.

“Password managers are society's method of moving bad habits to the
computer," Reguly said. "It's bad form to 'write down' passwords, so
instead we 'store' them on our computer. 'Store' is simply the digital
equivalent to 'write down.'"

Figuring out which tools are secure, and which ones aren't, isn't
necessarily an easy task. As Ken Westin, a security researcher with
Tripwire, pointed out, it's hard to know just how secure password
managers really are.

"Personally, I don't trust online password managers," Westin said in an
email message. "This isn't because I think they're insecure; it's
because I don't know how secure they are, how they store my information
and if my data is properly encrypted."

Because of this uncertainty, Westin said he wouldn't store his most
sensitive information in Web-based password managers. For managing
passwords to financial accounts and email accounts, Westin recommended
using a tool that isn't connected to the Internet.

"For maximum safety, the passwords to these services [financial and
email accounts] should be kept in an offline, encrypted password manager
application, like KeePass, that requires authentication to open and is
backed up regularly and securely," Westin said."

https://www.tomsguide.com/us/password-manager-pros-cons,news-19018.html
nospam
2018-06-13 15:49:27 UTC
Post by wryutirjgkhmmfioertuyie
Post by Chris
I'm surprised no-one has mentioned password managers. You only need
to remember one (secure) password and all your passwords are
available on all your devices.
Safely, securely and under your own control.
Are you SURE?? Any chance they also can be hacked?
nothing is 100% secure. anything can be hacked given sufficient
motivation and resources.

the point is that you're *much* better off with a password manager than
without, if for no other reason than that it lets you use *much* *better*
passwords than you otherwise would have.

nobody is going to remember ***@wmJ*5T_!<# or 'h9/LMtCTbz7,@R&,
especially when each site is different, so they choose something easy
to remember, such as password, qwerty, 12345, etc., and reuse it on
multiple sites, or in the case of equifax, admin/admin (they really did
that).
Post by wryutirjgkhmmfioertuyie
https://www.cbsnews.com/news/lastpass-password-manager-hacked/
the master password was compromised, but not the individual passwords
for each site.

there are also password managers that store locally, not in the cloud,
completely eliminating that attack vector.
Chris
2018-06-13 19:36:25 UTC
Post by wryutirjgkhmmfioertuyie
Post by Chris
I'm surprised no-one has mentioned password managers. You only need
to remember one (secure) password and all your passwords are
available on all your devices.
Safely, securely and under your own control.
Are you SURE?? Any chance they also can be hacked?
https://www.cbsnews.com/news/lastpass-password-manager-hacked/
The two products I mentioned (Keepass and enpass) don't use an online
server, so are immune to that type of hack.

I tried to hack my own database file and despite even knowing my own
password I wasn't able to get access to it.

Nothing is perfectly secure, but I'm way down the list of easy targets.
[Snip]
Post by wryutirjgkhmmfioertuyie
"For maximum safety, the passwords to these services [financial and
email accounts] should be kept in an offline, encrypted password manager
application, like KeePass, that requires authentication to open and is
backed up regularly and securely," Westin said."
https://www.tomsguide.com/us/password-manager-pros-cons,news-19018.html
Which is exactly as I was recommending. The best password managers are ones
with encrypted database files that are stored locally.
wryutirjgkhmmfioertuyie
2018-06-13 22:39:12 UTC
Post by Chris
The two products I mentioned (Keepass and enpass) don't use an
online server, so are immune to that type of hack...
The best password managers are ones with encrypted database files
that are stored locally.
But apparently they are not immune to local corruption either:

"KeePass has quite some features to avoid database file corruption"...

..."However, data corruption can still be caused by other programs, the
system or broken storage devices"...

..."KeePass of course can't do anything when the data becomes
corrupted/unreadable at a later point of time"

https://keepass.info/help/base/repair.html

Dunno. That sounds a bit scary to me. I can't imagine the problems I'd
have if I lost all my passwords in one crash and couldn't log in
anymore. Also I'd be nervous about putting all my passwords in some
strange software's hands. Who knows for sure what it really does
(paranoia on). YMMV.

I just use a simple formula that includes certain place number
characters of the web site intermingled with employee numbers from past
employment. I keep the formula in my head so don't have to write the
full passwords down. It's certainly not 30 character strong but with
two-factor authentication (on the sensitive sites) it's reasonably
secure. YMMV.
Nil
2018-06-14 00:40:38 UTC
No computer file is immune.
Post by wryutirjgkhmmfioertuyie
Dunno. That sounds a bit scary to me. I can't imagine the problems
I'd have if I lost all my passwords in one crash and couldn't log
in anymore.
There's a handy little invention called "The Backup"! Keepass files are
very small.
wryutirjgkhmmfioertuyie
2018-06-14 02:05:03 UTC
Post by Nil
No computer file is immune.
Corruption in a 30 password file that pretty much controls most aspects
of one's online life would IMO be a big deal.
Post by Nil
I can't imagine the problems I'd have if I lost all my passwords
There's a handy little invention called "The Backup"!
Ah. Sarcasm. Love it. And if you unknowingly made a backup of the
corrupted file?

My software free formula type password memory system has yet to crash or
be corrupted. It works for me. But as I've liberally pointed out many
times in this thread...YMMV.
nospam
2018-06-14 02:48:07 UTC
Post by wryutirjgkhmmfioertuyie
Post by Nil
I can't imagine the problems I'd have if I lost all my passwords
There's a handy little invention called "The Backup"!
Ah. Sarcasm. Love it. And if you unknowingly made a backup of the
corrupted file?
then you use an older copy, prior to the corruption. simple.

keep in mind that you'd normally be accessing it every day, so you'll
instantly know if there's any corruption in the unlikely event it
occurred.
Nil
2018-06-14 04:58:39 UTC
Post by wryutirjgkhmmfioertuyie
Post by Nil
There's a handy little invention called "The Backup"!
Ah. Sarcasm. Love it. And if you unknowingly made a backup of the
corrupted file?
Then you go to your next oldest backup (which is still quite recent),
of course. That's how all backups are to be used. But surely you
already knew that. Right? Right??
Paul
2018-06-14 05:14:10 UTC
Post by Nil
Post by wryutirjgkhmmfioertuyie
Post by Nil
There's a handy little invention called "The Backup"!
Ah. Sarcasm. Love it. And if you unknowingly made a backup of the
corrupted file?
Then you go to your next oldest backup (which is still quite recent),
of course. That's how all backups are to be used. But surely you
already knew that. Right? Right??
I had two backups ruined by bad RAM.
But, I had others :-) Really old and scummy,
but still backups.

For you people out there unfamiliar with failures
like this, run Verify on your backup tool
occasionally, and verify what got backed up
is intact. Backups use checksums as a means to
verify what was written.

The bad RAM in my system, seemed to be in an
area in low RAM used as a write buffer. One day
the system crashed after writing 15GB of data.
And you could reproduce it. Reboot, try and
write 15GB of data, and it would crash. That
was the first good hint that something was wrong.

Run a Verify occasionally, just to see whether
your "goods" are "good".

That doesn't guarantee that a file wasn't in a
corrupted state when it was backed up. That
case is just another level of corruption. If
you don't keep a lot of versions around, there's
a chance you actually have *nothing* good on hand.

I learned about this sort of thing, from a tape
drive at work. People were making a ton of backups
at their desk, with a loaner 8mm helical scan drive.
I asked about "when was the last time that thing
had a cleaning tape", and I got this blank look.
When we inserted the stack of tapes, one at a time,
all the tapes were *blank*. That's how dirty the
heads were. Just because you're holding a tape in
your hand, doesn't mean there is anything on it.
That's where Verify comes in. While hard drives
are not tape drives, there's still value in Verify.

Paul
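Paul's advice to run Verify, and his caveat that a checksum cannot tell you the file was already bad when it was backed up, as an added example that is not part of the thread: it walks backup generations newest-first and returns the first one whose SHA-256 still matches the value recorded at backup time and which also passes a content check. The manifest layout, file names, status labels and the `VAULT1` header are constructed for the illustration; with a real password manager the content check would be opening the database with the master password.

```python
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Callable, List, Optional

MAGIC = b"VAULT1\n"  # constructed stand-in header, not a real password-manager format


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash the bytes as they are on disk now, streaming so large backups fit."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def record_backup(src: Path, backup_dir: Path, generation: int) -> Path:
    """Write one numbered generation and log the digest of what was meant to be written."""
    data = src.read_bytes()
    dest = backup_dir / f"{src.name}.{generation:04d}"
    dest.write_bytes(data)
    manifest = backup_dir / "manifest.json"
    entries = json.loads(manifest.read_text()) if manifest.exists() else []
    entries.append({"file": dest.name, "generation": generation,
                    "sha256": hashlib.sha256(data).hexdigest()})
    manifest.write_text(json.dumps(entries, indent=2))
    return dest


def verify_generations(backup_dir: Path,
                       opens_ok: Callable[[Path], bool]) -> List[dict]:
    """Return one status per generation, newest first."""
    entries = json.loads((backup_dir / "manifest.json").read_text())
    report = []
    for entry in sorted(entries, key=lambda e: e["generation"], reverse=True):
        path = backup_dir / entry["file"]
        if not path.is_file():
            status = "missing"
        elif sha256_file(path) != entry["sha256"]:
            status = "damaged"        # bytes changed after (or while) being written
        elif not opens_ok(path):
            status = "bad-at-source"  # faithful copy of a file that was already bad
        else:
            status = "intact"
        report.append({"file": entry["file"], "status": status})
    return report


def newest_good(backup_dir: Path,
                opens_ok: Callable[[Path], bool]) -> Optional[str]:
    """Name of the most recent generation that passes both checks, or None."""
    for row in verify_generations(backup_dir, opens_ok):
        if row["status"] == "intact":
            return row["file"]
    return None


def looks_like_vault(path: Path) -> bool:
    """Content check for the constructed format used in demo()."""
    return path.read_bytes().startswith(MAGIC)


def demo():
    """Three constructed generations: good, damaged on the medium, bad at source."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        backups = root / "backups"
        backups.mkdir()
        src = root / "passwords.db"

        src.write_bytes(MAGIC + b"entry-a\n")
        record_backup(src, backups, 1)

        src.write_bytes(MAGIC + b"entry-a\nentry-b\n")
        gen2 = record_backup(src, backups, 2)
        raw = bytearray(gen2.read_bytes())
        raw[-2] ^= 0x01                    # one bit flipped on the backup medium
        gen2.write_bytes(bytes(raw))

        src.write_bytes(b"\x00" * 16)      # source corrupted before the backup ran
        record_backup(src, backups, 3)

        return (verify_generations(backups, looks_like_vault),
                newest_good(backups, looks_like_vault))


if __name__ == "__main__":
    report, best = demo()
    for row in report:
        print(row["file"], row["status"])
    print("restore from:", best)
```

Generation 3 passes the checksum and still cannot be used, which is why keeping several generations matters as much as verifying them.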
wryutirjgkhmmfioertuyie
2018-06-14 05:34:13 UTC
Post by Nil
if you unknowingly made a backup of the corrupted file?
Then you go to your next oldest backup
Getting complicated. Now you have to keep a folder somewhere with
several old backup files? Not necessary with my password system which
relies only on my wetware, and not some third party's software.
Post by Nil
(which is still quite recent),
It might not be that recent. For non-sensitive sites (like iHeart Radio)
I often let the browser remember the password. So I might not need that
password again for several weeks when needed for a new device or
browser. But with my password formula I just pull it out of my head. No
backups needed. Easy peasy.
Nil
2018-06-14 07:35:45 UTC
Post by wryutirjgkhmmfioertuyie
Getting complicated. Now you have to keep a folder somewhere with
several old backup files? Not necessary with my password system
which relies only on my wetware, and not some third party's
software.
Post by Nil
(which is still quite recent),
It might not be that recent. For non-sensitive sites (like iHeart
Radio) I often let the browser remember the password. So I might
not need that password again for several weeks when needed for a
new device or browser. But with my password formula I just pull it
out of my head. No backups needed. Easy peasy.
OK, your system works for you. I find Keepass quite useful. It lets me
use very random passwords that I could never remember, and it will also
store any password, not just for web sites.

And I find it to be no inconvenience in the least to make backups of it
and my other data. I don't add or change passwords very often so any
backup is likely to be current. I have never, in my several years of
its use, had a corrupt file. I think your fear of that is
exaggerated.
wryutirjgkhmmfioertuyie
2018-06-14 16:27:36 UTC
Post by Nil
OK, your system works for you. I find Keepass quite useful.
Translation: YMMV. Strongly agreed.
Post by Nil
It lets me use very random passwords that I could never remember,
My formula password system generates 13 character passwords. They're
certainly not Keepass quality passwords but IMO I don't need that level
of security. Also 2FA greatly adds to that security.
Post by Nil
and it will also store any password, not just for web sites.
My system works with any name, not just web sites. But I usually use the
web site name to generate the password. Most sites use the same password
whether accessed by browser or app.
Post by Nil
And I find it to be no inconvenience in the least to make backups of
it and my other data.
Inconvenience wasn't my problem. Temporary loss of my online life due to
a malfunction of a strange piece of software that I have no way of
fixing. Or for that matter knowing what its stealth capabilities in
regards to my sensitive password/site data might be.

But in reality I'm probably in more danger from the companies on the
other end of the passwords. I now have three letters on file telling me
of breaches that exposed my data...
nospam
2018-06-14 13:11:17 UTC
Post by wryutirjgkhmmfioertuyie
Post by Nil
if you unknowingly made a backup of the corrupted file?
Then you go to your next oldest backup
Getting complicated. Now you have to keep a folder somewhere with
several old backup files? Not necessary with my password system which
relies only on my wetware, and not some third party's software.
a good backup system does that automatically.
Post by wryutirjgkhmmfioertuyie
Post by Nil
(which is still quite recent),
It might not be that recent. For non-sensitive sites (like iHeart Radio)
I often let the browser remember the password. So I might not need that
password again for several weeks when needed for a new device or
browser. But with my password formula I just pull it out of my head. No
backups needed. Easy peasy.
you might not need *that* password, but the rest of the database will
be accessed on a daily basis, so you will instantly know if it's
corrupted, which is extremely unlikely.
Chris
2018-06-14 08:55:50 UTC
Post by wryutirjgkhmmfioertuyie
Post by Chris
The two products I mentioned (Keepass and enpass) don't use an
online server, so are immune to that type of hack...
The best password managers are ones with encrypted database files
that are stored locally.
"KeePass has quite some features to avoid database file corruption"...
..."However, data corruption can still be caused by other programs, the
system or broken storage devices"...
..."KeePass of course can't do anything when the data becomes
corrupted/unreadable at a later point of time"
https://keepass.info/help/base/repair.html
That's why you have back-ups, as others have said. I used Keepass for about
two years using it every day on two computers, one tablet and a phone.
Syncing was reliable and I had no errors in that time.

Since then, I've used enpass for about two years with the same experience.
Post by wryutirjgkhmmfioertuyie
Dunno. That sounds a bit scary to me. I can't imagine the problems I'd
have if I lost all my passwords in one crash and couldn't log in
anymore. Also I'd be nervous about putting all my passwords in some
strange software's hands. Who knows for sure what it really does
(paranoia on). YMMV.
Keepass is fully open source and has been verified. Enpass is based on the
open source projects walletx and SQLCipher. I'm not sure if it's been
externally verified.
Post by wryutirjgkhmmfioertuyie
I just use a simple formula that includes certain place number
characters of the web site intermingled with employee numbers from past
employment. I keep the formula in my head so don't have to write the
full passwords down. It's certainly not 30 character strong but with
two-factor authentication (on the sensitive sites) it's reasonably
secure. YMMV.
I tried that for a while, but some websites weren't compatible with my
algorithm: either too long or unsupported characters (like numbers, duh!).
So I was having to remember multiple algorithms which got tedious or I used
weaker passwords.

With a password manager I needn't worry and I can free up some of my brain
cells :)
wryutirjgkhmmfioertuyie
2018-06-14 16:27:50 UTC
Post by Chris
I used Keepass for about two years using it every day on two
computers, one tablet and a phone. Syncing was reliable and I had no
errors in that time.
Does Keepass do updates? Do you think one might be as effective as a W10
update... 8-O
Post by Chris
Since then I've used enpass for about two years with the same
experience.
I've used my formula system for 30+ years. Long before Keepass/Enpass
was a gleam in the developers eye. And I have had lots of errors over
the years due to my somewhat faulty wetware. But then I can just rethink
and retype to fix them.
Post by Chris
I tried that [formula passwords] for a while, but some websites
Me too. Just had to rethink my formula. Good for the wetware. Use it or
lose it...
Post by Chris
With a password manager I needn't worry and I can free up some of my
brain cells :)
YMMV. Strongly agree...
Chris
2018-06-14 17:57:21 UTC
Post by wryutirjgkhmmfioertuyie
I used Keepass for about two years using it every day on two
computers, one tablet and a phone. Syncing was reliable and I had no
errors in that time.
Does Keepass do updates?
Sure. Not that often as it's a pretty simple app.

Post by wryutirjgkhmmfioertuyie
Do you think one might be as effective as a W10
update... 8-O
Unlikely. Microsoft's effectiveness is legendary!
Post by wryutirjgkhmmfioertuyie
Since then I've used enpass for about two years with the same
experience.
I've used my formula system for 30+ years. Long before Keepass/Enpass
was a gleam in the developers eye. And I have had lots of errors over
the years due to my somewhat faulty wetware. But then I can just rethink
and retype to fix them.
I tried that [formula passwords] for a while, but some websites
Me too. Just had to rethink my formula. Good for the wetware. Use it or
lose it...
Doing that limits you to the lowest common denominator. Resulted in making
passwords too short. Plus, then you need to reset the password for the
tens/hundreds of sites with the old system. Life's too short.
Post by wryutirjgkhmmfioertuyie
With a password manager I needn't worry and I can free up some of my
brain cells :)
YMMV. Strongly agree...
Indeed.
SilverSlimer
2018-06-13 13:32:23 UTC
Post by T
Hi w10 and w7,
I have been bitching about this for ages.
Time to rethink mandatory password changes
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
If you pick a good solid password that is not hacked by the
bad guys first attempt at running tables at you, why change
your password just to give him a second chance to
find you in his tables? Changing your passwords constantly is
not a good security feature.
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.
Run-on sentences are an excellent idea, I'll have to try that.
T
2018-06-13 18:21:42 UTC
Post by SilverSlimer
Post by T
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.
Run-on sentences are an excellent idea, I'll have to try that.
Throw some spaces in too.

"All Hail Todd!" is already taken. What??? No I don't use that
password and I am not stupid enough to write it in the Internet.
SilverSlimer
2018-06-13 20:17:47 UTC
Post by T
Post by SilverSlimer
Post by T
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.
Run-on sentences are an excellent idea, I'll have to try that.
Throw some spaces in too.
"All Hail Todd!" is already taken. What??? No I don't use that
password and I am not stupid enough to write it in the Internet.
If they're allowed, that's a pretty good idea too.
T
2018-06-14 16:12:55 UTC
Post by SilverSlimer
Post by T
Post by SilverSlimer
Post by T
Keep in mind though that picking an easy password is even worse.
The best ones are run on phrases. Mine are up to 30 characters.
Run-on sentences are an excellent idea, I'll have to try that.
Throw some spaces in too.
"All Hail Todd!" is already taken. What??? No I don't use that
password and I am not stupid enough to write it in the Internet.
If they're allowed, that's a pretty good idea too.
mail.zoho.com does not. gMail does.
...w¡ñ§±¤ñ
2018-06-14 07:04:40 UTC
Post by T
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
Sideline note.
The author, L. Cranor, of the 2016 article was the FTC Chief Technology
Officer until Jan. 2017.
That position is still vacant and hasn't been formally filled for 18
months (the last CTO prior to Cranor was only an attorney temporarily
appointed as 'acting' CTO)
--
...w¡ñ§±¤ñ
ms mvp windows 2007-2016, insider mvp 2016-2018
Paul
2018-06-14 07:36:04 UTC
Post by ...w¡ñ§±¤ñ
Post by T
https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
Sideline note.
The author, L. Cranor, of the 2016 article was the FTC Chief Technology
Officer until Jan. 2017.
That position is still vacant and hasn't been formally filled for 18
months (the last CTO prior to Cranor was only an attorney temporarily
appointed as 'acting' CTO)
You can have that job, if you can guess the password.

That's why the position is still vacant.

Paul
Nil
2018-06-14 07:47:28 UTC
On 14 Jun 2018, ...w¡ñ§±¤ñ
Post by ...w¡ñ§±¤ñ
Sideline note.
The author, L. Cranor, of the 2016 article was the FTC Chief
Technology Officer until Jan. 2017.
That position is still vacant and hasn't been formally filled for
18 months (the last CTO prior to Cranor was only an attorney
temporarily appointed as 'acting' CTO)
"Technology"!?!?! Bah. That's awfully close to "Science" and "Facts".
Nobody wants those things any more. If it's not simple, catchy, with no
boring details or nuance, and can fit in a tweet, they're not
interested.
T
2018-06-14 17:43:19 UTC
Post by Nil
"Technology"!?!?! Bah. That's awfully close to "Science" and "Facts".
Nobody wants those things any more. If it's not simple, catchy, with no
boring details or nuance, and can fit in a tweet, they're not
interested.
I have noticed this. If I eMail certain customers explanations
of things they solicit from me, they won't read it if it goes
over two sentences.

This is REALLY AGGRAVATING when they ask for proposals. They
just discard them after you put hours into them. I have
thought of charging for my time. "I couldn't read it on
my phone". "And you could use your computer, why?"
AGGRAVATING!
Nil
2018-06-14 18:57:28 UTC
Post by T
I have noticed this. If I eMail certain customers explanations
of things they solicit from me, they won't read it if it goes
over two sentences.
This is REALLY AGGRAVATING when they ask for proposals. They
just discard them after you put hours into them. I have
thought of charging for my time. "I couldn't read it on
my phone". "And you could use your computer, why?"
AGGRAVATING!
I believe this phenomenon has its own acronym: TLDR. People no longer
have the patience or attention span to read or absorb detailed
information. Everything has to be fed to them in small, pre-digested
bites.

This has become a problem in general. If I write anything more than a
paragraph of text, many (most?) people won't bother to scroll down and
read the rest. If I ask, say, 3 questions, I'll get an answer to the
first one and they probably never even see the last two.

My family has become like this. They won't completely read my emails,
and they rarely answer the phone. They respond to text messaging only,
which is totally inadequate for real communication.
T
2018-06-14 19:23:53 UTC
Post by Nil
Post by T
I have noticed this. If I eMail certain customers explanations
of things they solicit from me, they won't read it if it goes
over two sentences.
This is REALLY AGGRAVATING when they ask for proposals. They
just discard them after you put hours into them. I have
thought of charging for my time. "I couldn't read it on
my phone". "And you could use your computer, why?"
AGGRAVATING!
I believe this phenomenon has its own acronym: TLDR. People no longer
have the patience or attention span to read or absorb detailed
information. Everything has to be fed to them in small, pre-digested
bites.
This has become a problem in general. If I write anything more than a
paragraph of text, many (most?) people won't bother to scroll down and
read the rest. If I ask, say, 3 questions, I'll get an answer to the
first one and they probably never even see the last two.
My family has become like this. They won't completely read my emails,
and they rarely answer the phone. They respond to text messaging only,
which is totally inadequate for real communication.
My experience too.

That first question thing drives me INSANE! My vendors do
this to me ALL-THE-TIME.

Sometimes there is the occasional "word wall", which is frustrating
to grudge through, but that is rare these days.
Ant
2018-06-14 19:47:04 UTC
Post by T
Post by Nil
Post by T
I have noticed this. If I eMail certain customers explanations
of things they solicit from me, they won't read it if it goes
over two sentences.
This is REALLY AGGRAVATING when they ask for proposals. They
just discard them after you put hours into them. I have
thought of charging for my time. "I couldn't read it on
my phone". "And you could use your computer, why?"
AGGRAVATING!
I believe this phenomenon has its own acronym: TLDR. People no longer
have the patience or attention span to read or absorb detailed
information. Everything has to be fed to them in small, pre-digested
bites.
This has become a problem in general. If I write anything more than a
paragraph of text, many (most?) people won't bother to scroll down and
read the rest. If I ask, say, 3 questions, I'll get an answer to the
first one and they probably never even see the last two.
My family has become like this. They won't completely read my emails,
and they rarely answer the phone. They respond to text messaging only,
which is totally inadequate for real communication.
My experience too.
That first question thing drives me INSANE! My vendors do
this to me ALL-THE-TIME.
Sometimes there is the occasional "word wall", which is frustrating
to grudge through, but that is rare these days.
Ditto. They always think it is too long to read. [sighs]
--
Quote of the Week: "I never kill insects. If I see ants or spiders in
the room, I pick them up and take them outside. Karma is everything."
--Holly Valance
Note: A fixed width font (Courier, Monospace, etc.) is required to see this signature correctly.
/\___/\ Ant(Dude) @ http://antfarm.home.dhs.org
/ /\ /\ \ Please nuke ANT if replying by e-mail privately. If credit-
| |o o| | ing, then please kindly use Ant nickname and URL/link.
\ _ /
( )
J. P. Gilliver (John)
2018-06-14 20:14:03 UTC
Post by Ant
Post by T
Post by Nil
Post by T
I have noticed this. If I eMail certain customers explanations
of things they solicit from me, they won't read it if it goes
over two sentences.
This is REALLY AGGRAVATING when they ask for proposals. They
just discard them after you put hours into them. I have
thought of charging for my time. "I couldn't read it on
my phone". "And you could use your computer, why?"
AGGRAVATING!
I believe this phenomenon has its own acronym: TLDR. People no longer
have the patience or attention span to read or absorb detailed
information. Everything has to be fed to them in small, pre-digested
bites.
This has become a problem in general. If I write anything more than a
paragraph of text, many (most?) people won't bother to scroll down and
I used to find this at work, too.
Post by Ant
Post by T
Post by Nil
read the rest. If I ask, say, 3 questions, I'll get an answer to the
first one and they probably never even see the last two.
My family has become like this. They won't completely read my emails,
and they rarely answer the phone. They respond to text messaging only,
which is totally inadequate for real communication.
My experience too.
That first question thing drives me INSANE! My vendors do
this to me ALL-THE-TIME.
This _sometimes_ works: say at the beginning of the communication,
something like "This communication contains five questions. I have
numbered them [thus]." It requires you to go back through your email
before sending, actually putting in [1] etc., and then going back again
to say what the total is. It often still doesn't work, but at least then
they have no _excuse_ for not having read it.
Post by Ant
Post by T
Sometimes there is the occasional "word wall", which is frustrating
to grudge through, but that is rare these days.
Ditto. They always think it is too long to read. [sighs]
But it takes them longer in the end, because they come back and ask for
something that was explained in the first communication. They also
suggest things ... they don't read "I have already tried" statements.
--
J. P. Gilliver. UMRA: 1960/<1985 MB++G()AL-IS-Ch++(p)***@T+H+Sh0!:`)DNAf

Her [Valerie Singleton's] main job on /Blue Peter/ was to stop unpredictable
creatures running amok. And that was just John Noakes.
- Alison Pearson, RT 2014/9/6-12
T
2018-06-14 21:16:37 UTC
Post by J. P. Gilliver (John)
Post by Ant
Post by T
Post by Nil
I have noticed this. If I eMail certain customers explanations
of things they solicit from me, they won't read it if it goes
over two sentences.
This is REALLY AGGRAVATING when they ask for proposals. They
just discard them after you put hours into them. I have
thought of charging for my time. "I couldn't read it on
my phone". "And you could use your computer, why?"
AGGRAVATING!
I believe this phenomenon has its own acronym: TLDR. People no longer
have the patience or attention span to read or absorb detailed
information. Everything has to be fed to them in small, pre-digested
bites.
This has become a problem in general. If I write anything more than a
paragraph of text, many (most?) people won't bother to scroll down and
I used to find this at work, too.
Post by Ant
Post by T
Post by Nil
read the rest. If I ask, say, 3 questions, I'll get an answer to the
first one and they probably never even see the last two.
My family has become like this. They won't completely read my emails,
and they rarely answer the phone. They respond to text messaging only,
which is totally inadequate for real communication.
My experience too.
That first question thing drives me INSANE! My vendors do
this to me ALL-THE-TIME.
This _sometimes_ works: say at the beginning of the communication,
something like "This communication contains five questions. I have
numbered them [thus]." It requires you to go back through your email
before sending, actually putting in [1] etc., and then going back again
to say what the total is. It often still doesn't work, but at least then
they have no _excuse_ for not having read it.
Post by Ant
Post by T
Sometimes there is the occasional "word wall", which is frustrating
to grudge through, but that is rare these days.
Ditto. They always think it is too long to read. [sighs]
But it takes them longer in the end, because they come back and ask for
something that was explained in the first communication. They also
suggest things ... they don't read "I have already tried" statements.
I have gotten testy at times. I do the numbering thing like
you. But I add

"Please answer all questions. If you choose not to answer
a particular question, please add 'do not choose to answer'
to the question"

It gets their attention.