In which we force better security.

#16
Quoth Ghel:
I hadn't heard that they're easy to crack. The company that requires us to use them for logging in to their site must not think so.

Then that company is probably not too smart. Mythbusters managed to get through them with a number of types of copies.


#17
Quoth Andara Bledin:
One of the banking companies my boss uses makes her change it every 50 days or so, it has to be different from the last 8 passwords, and there are a few other rules, too. And, yes, the damn thing is written down (along with the last 6 or so) on a piece of paper within reach of the computer used to log into the bank, because it's too arcane for even someone like me, who already uses pass-phrases with numbers and characters to remember, much less your average user.

My bank does something similar... in addition, they'll force a reset if you muck it up twice (easy to do at present due to their coder making some big mistakes). No special characters allowed either... I have a "core" high-security password which is very easy for me to remember. There are only so many variations I can make... and my CC company system must be set to disallow any similarities to any previous passwords.

Drives my mom even crazier, as she tends to forget passwords quickly if there isn't a memorable pattern... she has to have them all written down, and has accidentally entered one of the old ones more than once. Luckily it was only done on first login attempts so she was able to get the correct one and not be locked out. The random-number keyfob sounds like a good idea.
Last edited by Dreamstalker; 03-18-2010, 08:13 PM.
"I am quite confident that I do exist."
"Excuse me, I'm making perfect sense. You're just not keeping up." The Doctor


#18
I have KeePass.

All my passwords are 'written down' on a USB stick I carry with me, and on my home computer.

That 'written down' set of passwords is protected by a master password, which I carry in my head.
Seshat's self-help guide:
1. Would you rather be right, or get the result you want?
2. If you're consistently getting results you don't want, change what you do.
3. Deal with the situation you have now, however it occurred.
4. Accept the consequences of your decisions.

"All I want is a pretty girl, a decent meal, and the right to shoot lightning at fools." - Anders, Dragon Age.


#19
My favorite password generation tip is to pick a line from a song, then the first letter of each word.

So, say I use Paint It Black:

I See A Red Door And I Want To Paint It Black

turns into ISARDAIWTPIB

Not too easy to guess, super simple to remember, and it's easy to pick new passwords when you need them. As long as no one knows your secret Rolling Stones fetish, you're good.

If you need numbers, you can change I to 1, or instead of A door you could have 1 door. Toss a couple special characters on the back end and you're set!


#20
I had to use my hand to scan in at one place - it wasn't a fingerprint, just the shape of my hand and how I laid it on the scanner (I think). Anyone know anything about the security of those?

Oh, and apparently another good trick for beating the fingerprint scanners that the Mythbusters forgot is to get a rubber stamp of the fingerprint made.


#21
Both of the banks I have accounts with over here use One Time Passwords.

When I log into one of them, I have to remember my account number, but everything else comes from a little card. I take the next four-digit number from the sequence, type it in, and cross it out. For confirming transactions (as opposed to logging in), they have a separate set of codes identified by letter - these are not crossed out after use, but the bank system asks for a specific one.

The other bank uses a two-dimensional grid of codes identified by letter and number. These are not crossed out, and are used for both logging in and confirmations. I still have to remember my account number (since this account is newer, that's written down separately from the OTP card) and a PIN I choose myself.

OTPs are robust against user memory failure and keyloggers. They aren't robust against the little card being stolen, but that's treated like a credit card - you report it, it gets blocked and replaced.

Cheap fingerprint scanners are relatively easy to fool - both to fail and to hack. There are more expensive ones that are more robust, but you won't find those built into a keyboard or laptop.

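The bank-side logic behind the card in post #21, as an added example that is not from the thread or any real bank: the server keeps the "cross-out" pointer for the sequential login codes, so a code captured by a keylogger is dead once used, and it chooses which lettered confirmation code to ask for. Card values are constructed sample data; the class and method names are assumptions for the demo.

```python
import hmac
import secrets

# Constructed sample card (not real bank data): sequential four-digit login
# codes plus a lettered set of confirmation codes, as described in the post.
LOGIN_CODES = ["4821", "0937", "5560", "7714"]
CONFIRM_CODES = {"A": "2290", "B": "8153", "C": "6047", "D": "3391"}


class OtpCard:
    """Server-side state for one customer's printed OTP card."""

    def __init__(self, login_codes, confirm_codes):
        self.login_codes = list(login_codes)
        self.confirm_codes = dict(confirm_codes)
        self.next_index = 0      # the bank's own copy of the 'cross-out' pointer
        self.blocked = False

    def verify_login(self, submitted):
        """Accept only the next unused sequential code; anything earlier is dead."""
        if self.blocked or self.next_index >= len(self.login_codes):
            return False
        expected = self.login_codes[self.next_index]
        if hmac.compare_digest(submitted, expected):
            self.next_index += 1  # cross it out: a replayed keystroke log now fails
            return True
        return False

    def confirmation_challenge(self):
        """The bank picks the letter; the customer never chooses which code to send."""
        return secrets.choice(sorted(self.confirm_codes))

    def verify_confirmation(self, letter, submitted):
        expected = self.confirm_codes.get(letter)
        return expected is not None and hmac.compare_digest(submitted, expected)

    def report_stolen(self):
        """Lost card handled like a lost credit card: block everything on it."""
        self.blocked = True


def replay_demo():
    """Legitimate login, then a keylogger replay of the same code, then the next code."""
    card = OtpCard(LOGIN_CODES, CONFIRM_CODES)
    first = card.verify_login("4821")
    replay = card.verify_login("4821")   # same code again: rejected
    second = card.verify_login("0937")   # customer's next code still works
    return first, replay, second
```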

#22
Quoth Andara Bledin:
There's nothing that destroys security faster than making your users use passwords that are difficult to remember. That said, anyone that uses a "password" that doesn't include at least one number and is anything that can be found in a dictionary is going to be hacked.

I usually choose a word from the dictionary, for example "cat" (of course I pick something longer) and use a code. Sometimes I'll change each letter to the letter that's next to it in the alphabet. For "cat", it would change to:
c=b
a=z
t=s

So "bzs" plus some random numbers and characters that would make sense to me, but to no one else. So far, no one has hacked my passwords, and I erase my cookies and such stuff in my cache because I'm totally paranoid lol.
Sucky Customers- Have the ability to convert non-drinkers into raging alcoholics in one phone call or less.


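A password-policy check for the scheme in post #22, as an added example that is not from the thread: the letter shift is undone in at most 26 tries, so the check recognises "bzs" as "cat" and rejects it, while the song-acronym style from post #19 passes because it never maps to a dictionary word. The mini-dictionary is constructed for the demo and the function names are assumptions.

```python
import re
import string

# Constructed mini-dictionary for the demo; a real check would load a full wordlist.
DICTIONARY = {"cat", "dog", "password", "summer", "letmein", "dragon"}


def shift_word(word, k):
    """Shift every letter k places in the alphabet; shift_word('cat', -1) == 'bzs'."""
    shifted = []
    for ch in word.lower():
        if ch in string.ascii_lowercase:
            shifted.append(string.ascii_lowercase[(ord(ch) - ord("a") + k) % 26])
        else:
            shifted.append(ch)  # digits and symbols pass through untouched
    return "".join(shifted)


def letter_core(password):
    """The longest run of letters, ignoring digits and symbols tacked on around it."""
    runs = re.findall(r"[A-Za-z]+", password)
    return max(runs, key=len).lower() if runs else ""


def shifted_dictionary_word(password, dictionary=DICTIONARY):
    """Return (word, shift) if the password's letter core is a dictionary word
    under some alphabet shift, else None. Only 26 candidates exist per word,
    which is why the shift adds almost nothing on top of the base word."""
    core = letter_core(password)
    for k in range(26):
        candidate = shift_word(core, k)  # undo a shift of -k applied by the user
        if candidate in dictionary:
            return candidate, k
    return None


def password_policy_ok(password, dictionary=DICTIONARY):
    """Policy in the spirit of the thread: long enough and not a shifted dictionary word."""
    return len(password) >= 12 and shifted_dictionary_word(password, dictionary) is None
```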

#23
IBM -> HAL



#24
UPDATE: In an effort to further improve security, the admins in charge of this have turned their attention to the internal network. A few techs have been written up for having their passwords written down on their desk. They've cracked down on email now, which is the cause for this update.

We use a subscription-based spam filtering software we contract through another company. It's completely transparent to customers and techs all the way up to Admins, who are the only ones who actually touch it.

When an IP of ours gets blacklisted for spam, we get an email about it, which we must fix the cause of, then reply to in order to request a delisting.

The changes apparently aren't admin exempt, as I can't email external domains, including the spam filtering company, which means that customer is staying blacklisted for a while. Great way to make my job easier.
Coworker: Distro of choice?
Me: Gentoo.
Coworker: Ahh. A Masochist. I thought so.