Blonde password
  • Blonde password

    **Blonde Password...**

    During a recent password audit, it was found that a blonde was using
    the following password:

    **MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacram ento**

    When asked why such a long password,

    she said she was told that it had to be

    at least 8 characters long ...

    and include at least one capital.
    Last edited by Fat Tone; 21 December 2009, 04:03. Reason: murc is putting that space in Sacramento. Dunno why.
    FT.

  • #2
    Oh that the people in my office used passwords that good.
    I had to program our tax collection system to prevent users from logging in on two different machines at the same time, because their solution to forgetting their passwords was to get someone else's password and log in as them.


    Sacramento
    **MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacram ento**

    Well that's just weird.
    Chuck
    秋音的爸爸



    • #3
      "For every action, there is an equal and opposite criticism."



      • #4


        ...
        Diplomacy, it's a way of saying “nice doggie”, until you find a rock!



        • #5


          The password requirement for the online banking for ING in Poland is ridiculous: at least 13 characters, multiple symbols, multiple capitals, ... But then they don't ask you to enter it, no, that would be too easy... They show a random screen like:
          Code:
          _ ._ _ . . . _ . _ . _ . . _ _ . . . _ . _ . _ . . . _ . . . _ . _ . _ . .
          You only need to enter the characters of the password where there is a _; but this of course implies a website with one textbox for each character you have to type. And you sit there counting just which character the 7th one is in your password... If you have a complex password (and you must), it takes forever before you have finally entered it.


          Jörg
          pixar
          Dream as if you'll live forever. Live as if you'll die tomorrow. (James Dean)



          • #6
            Originally posted by VJ View Post

            ...but this of course implies a website with one textbox for each character you have to type...
            It also implies that they store passwords in clear text, which there is no reason ever to do.
            The proper thing is to store hashes of the passwords and then hash the incoming pw text and compare the hash values.
            They are ripe for having their customers passwords stolen the way they are doing it now.

            **Sacramento**
            **MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacram ento**
            **ickeyMinniePlutoHueyLouieDeweyDonaldGoofySacrame nto**
            **ckeyMinniePlutoHueyLouieDeweyDonaldGoofySacramen to**
            **keyMinniePlutoHueyLouieDeweyDonaldGoofySacrament o**
            **eyMinniePlutoHueyLouieDeweyDonaldGoofySacramento **
            **yMinniePlutoHueyLouieDeweyDonaldGoofySacramento* *
            **MinniePlutoHueyLouieDeweyDonaldGoofySacramento**
            12345678901234567890123456789012345678901234567890
            abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWX YZ

            Got me curious

            Odd, it doesn't do it if you wrap the text in the code tag, or if it is numbers
            Last edited by cjolley; 21 December 2009, 07:30.
            Chuck
            秋音的爸爸



            • #7
              Originally posted by cjolley View Post
              It also implies that they store passwords in clear text, which there is no reason ever to do.
              The proper thing is to store hashes of the passwords and then hash the incoming pw text and compare the hash values.
              They are ripe for having their customers passwords stolen the way they are doing it now.
              Well, I hadn't actually thought of that...
              (a good thing I choose passwords that have no relation to my other passwords)

              But I thought there existed also some forms of incremental hashing...?

              Jörg
              pixar
              Dream as if you'll live forever. Live as if you'll die tomorrow. (James Dean)



              • #8
                Originally posted by VJ View Post
                But I thought there existed also some forms of incremental hashing...?
                Don't know about incremental hashing that would allow checking characters in random positions, but I'm no mathematician.
                I guess they could hash each character, would seem an odd way to do it though...
                What would be the point?
                Chuck
                秋音的爸爸
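Posts #6 and #8 ask what a "type characters 3, 7 and 12 of your password" login would have to store, and whether hashing each character separately would help. The block below is an added example, not code from the thread or from any bank: it implements the hypothetical per-position hashing scheme (one SHA-256 digest per character, bound to the position and a per-user salt) and then plays the attacker who has obtained the table. Every name in it, the fixed `DEMO_SALT` included, is constructed for the demonstration; a random per-user salt would not change the outcome.

```python
import hashlib
import hmac
import string

# Added example (not from the thread or from any bank): a hypothetical
# "one hash per character" scheme that a login form asking for characters
# 3, 7 and 12 of a password could use instead of storing the password in
# clear text, and why it gives almost no protection once the table leaks.

# 95 printable ASCII characters: the entire guess space for ONE position.
ALPHABET = string.digits + string.ascii_letters + string.punctuation + " "

# Constructed, fixed salt so the demo is repeatable; a real system would
# draw a random per-user salt, which does not change the attack below.
DEMO_SALT = b"constructed-per-user-salt"


def _pos_hash(salt, position, char):
    """Hash one character bound to its position and the user's salt."""
    data = salt + position.to_bytes(2, "big") + char.encode("utf-8")
    return hashlib.sha256(data).digest()


def store_per_position(password, salt):
    """What the server would keep: a list of per-position digests."""
    return [_pos_hash(salt, i, ch) for i, ch in enumerate(password)]


def check_positions(stored, salt, answers):
    """Verify only the positions the form asked for (answers: {index: char})."""
    ok = True
    for i, ch in answers.items():
        ok &= hmac.compare_digest(_pos_hash(salt, i, ch), stored[i])
    return ok


def recover_password(stored, salt):
    """Attacker holding the leaked table: each position is an independent
    95-way search, so the whole password costs at most 95 * len guesses
    instead of 95 ** len, salt or no salt."""
    recovered = []
    guesses = 0
    for i, digest in enumerate(stored):
        for ch in ALPHABET:
            guesses += 1
            if _pos_hash(salt, i, ch) == digest:
                recovered.append(ch)
                break
        else:
            recovered.append("?")  # character outside ALPHABET
    return "".join(recovered), guesses


def demo(password="MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento"):
    """Legitimate partial check, a wrong answer, then the full recovery."""
    stored = store_per_position(password, DEMO_SALT)
    legit = check_positions(stored, DEMO_SALT, {0: "M", 6: "M", 12: "P"})
    wrong = check_positions(stored, DEMO_SALT, {12: "p"})
    recovered, guesses = recover_password(stored, DEMO_SALT)
    return {
        "legit_accepted": legit,
        "wrong_rejected": wrong,
        "recovered": recovered,
        "guesses": guesses,
        "worst_case": 95 * len(password),
    }


if __name__ == "__main__":
    print(demo())
```

The partial check itself works, but the stored table is only marginally better than clear text: a 52-character password falls in under 5,000 hash computations, because the scheme has replaced one search over 95^52 possibilities with 52 searches over 95. That is the answer to "what would be the point?": none, against anyone who gets the database.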



                • #9
                  The missing characters look random, but maybe they are not...?
                  But usually, the simplest explanation is the right one... In this day and age... For a bank!
                  pixar
                  Dream as if you'll live forever. Live as if you'll die tomorrow. (James Dean)



                  • #10
                    At a previous job I got a call from a woman with a master's degree, leading some professional institution: "You really need to show me how to change my password, because I was listening to the radio today and they said: go to your boss's computer and log in, the password is probably 1234567." That was her password until then.

                    What I don't like is that my bank introduced a password for unsaved transactions and transactions abroad, where you have to type two characters from it using an on-screen clickable keyboard. The problem is that this is hard to remember, so most people will carry it with their computer.



                    • #11
                      I know that all single byte character passwords to at least 16 characters have been hashed completely. The hash is like 60GB... we are going with 32 character passwords for the Local Root account. No, we are not expecting to have to remember the password, ever.
                      Hey, Donny! We got us a German who wants to die for his country... Oblige him. - Lt. Aldo Raine



                      • #12
                        Originally posted by MultimediaMan View Post
                        I know that all single byte character passwords to at least 16 characters have been hashed completely. The hash is like 60GB...
                        So basically, any single byte password less than 16 characters can be discovered from the passwordfile? (ok, there is not a 1-1 relation, but one could log on)

                        Originally posted by MultimediaMan View Post
                        we are going with 32 character passwords for the Local Root account. No, we are not expecting to have to remember the password, ever.
                        But that is why there are monitors... and post-its!
                        pixar
                        Dream as if you'll live forever. Live as if you'll die tomorrow. (James Dean)



                        • #13
                          Hashing passwords correctly involves more than just running md5 on the password.
                          There should also be a "salt" added to the password before the hashing is done. Kind of like a shared secret. So that a hash table lookup by a cracker does not retrieve the password itself, but only the result of a "calculation" performed on the real password.

                          The way we do it is pretty simplistic. The application performs an md5 on the entered password (plus some salt). That 32 byte hash is the user's db password. Oracle then performs its password magic, whatever that is, and that is what the database stores. This makes it so that the users don't know their own db passwords. They can't use anything but the app to log into the database using the password they know.

                          Make the salt a 64 bit trapdoor function and only the CIA and half the population of Russia could crack your passwords
                          Last edited by cjolley; 22 December 2009, 08:12.
                          Chuck
                          秋音的爸爸
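Posts #11 to #13 circle around precomputed hash tables and salting. The following is an added example, not the application from post #13 nor anything from Oracle: scheme A is the shape that post describes, md5 over the password plus one application-wide value; scheme B is the usual recommendation, a random salt per user stored in the clear beside the hash, run through a slow password-hashing function (PBKDF2-HMAC-SHA256 from the Python standard library). Terminology worth keeping straight: a salt is public and unique per user; a secret value kept apart from the database is a pepper, and it is a complement to a salt, not a substitute. The `APP_WIDE_SALT`, user names, passwords and mini wordlist are constructed for the demo.

```python
import hashlib
import hmac
import os

# Added example, not code from post #13's application or from Oracle.
# Scheme A: md5(password + one application-wide value), fast and shared.
# Scheme B: random salt per user + slow KDF (PBKDF2-HMAC-SHA256).

APP_WIDE_SALT = b"constructed-app-wide-value"   # constructed; lives in the app's code
PBKDF2_ROUNDS = 200_000   # OWASP currently suggests 600,000 for PBKDF2-HMAC-SHA256


def hash_scheme_a(password):
    """Scheme A: same salt for everyone, one fast md5."""
    return hashlib.md5(password.encode("utf-8") + APP_WIDE_SALT).hexdigest()


def make_record_b(password, salt=None):
    """Scheme B: fresh 16-byte salt per user; the returned dict is what is stored."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return {"salt": salt.hex(), "rounds": PBKDF2_ROUNDS, "hash": dk.hex()}


def verify_b(record, candidate):
    """Recompute with the stored salt and round count; constant-time compare."""
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                             bytes.fromhex(record["salt"]), record["rounds"])
    return hmac.compare_digest(dk.hex(), record["hash"])


def precomputed_table_attack(leaked_hashes, wordlist):
    """Attacker who has read APP_WIDE_SALT out of the application: one table,
    built once, serves every user, and equal passwords are visible as equal
    hashes before a single guess is made."""
    table = {hash_scheme_a(w): w for w in wordlist}
    return {user: table.get(h) for user, h in leaked_hashes.items()}


def demo():
    """Constructed users and wordlist; returns what each scheme gives away."""
    users = {"alice": "Password1!", "bob": "Password1!", "carol": "correct horse"}
    wordlist = ["123456", "Password1!", "letmein"]   # constructed mini wordlist

    leaked_a = {u: hash_scheme_a(p) for u, p in users.items()}
    cracked_a = precomputed_table_attack(leaked_a, wordlist)

    records_b = {u: make_record_b(p) for u, p in users.items()}
    return {
        "a_same_password_same_hash": leaked_a["alice"] == leaked_a["bob"],
        "a_cracked": cracked_a,
        "b_same_password_same_hash": records_b["alice"]["hash"] == records_b["bob"]["hash"],
        "b_bob_ok": verify_b(records_b["bob"], "Password1!"),
        "b_bob_wrong": verify_b(records_b["bob"], "password1!"),
    }


if __name__ == "__main__":
    print(demo())
```

Under scheme B the attacker has to run the slow KDF once per guess per user, and the per-user salt means a table built for alice is useless against bob even when they chose the same password. The round count is stored in the record so it can be raised later without invalidating existing users.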



                          • #14
                            From the users' point of view, how do US banks protect on-line banking? My Swiss bank has an extremely sophisticated system which I would guess is almost uncrackable (except by a zillion-to-one chance), but is a bit of a pain. My Cypriot bank has a much simpler system of which they are inordinately proud but it's quite dangerous, IMHO. To access an account, they have a simple ID/password, using 128-bit encoding, but to transfer any money out of your account, they have a 6-digit one-off password gizmo.
                            Brian (the devil incarnate)



                            • #15
                              Well, for the accounts we (county government) have it's pretty sophisticated.
                              We each have a timer thingy, key fob sized, that gives us a pin to enter along with our password.
                              The pin changes every 30 seconds, so you wait until the current pin rolls over then log in using the new pin and your password. That gives the clocks on the server and pin generator time to sync up. Wait too long to log in and the pins will have changed and you have to start over.
                              Last edited by cjolley; 22 December 2009, 08:53.
                              Chuck
                              秋音的爸爸
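Post #15 describes a fob whose code changes every 30 seconds and a verifier that has to cope with the fob's clock and the server's clock drifting apart. The block below is an added example, not the county's system or the fob vendor's code: it implements the open standards that work the same way, HOTP (RFC 4226) and TOTP (RFC 6238), plus the skew window and replay check a verifier needs. The seed is the RFC test-vector value, not anyone's real token secret, and the expected codes come from the RFCs' own test tables.

```python
import hashlib
import hmac
import struct

# Added example: HOTP (RFC 4226) and TOTP (RFC 6238), the open-standard
# version of the 30-second fob described in post #15, with the verifier's
# clock-skew window and replay protection.  Not the county's or any vendor's code.

RFC_TEST_SECRET = b"12345678901234567890"   # RFC 4226/6238 test-vector seed only
STEP = 30


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, unix_time, step=STEP, digits=6):
    """RFC 6238: HOTP with counter = floor(time / step); this is what the fob shows."""
    return hotp(secret, unix_time // step, digits)


def seconds_until_rollover(unix_time, step=STEP):
    """How long the code shown now stays the 'current' one (the post's wait-and-sync trick)."""
    return step - (unix_time % step)


def verify_totp(secret, code, unix_time, last_counter=None,
                step=STEP, digits=6, window=1):
    """Accept the current step and +/- window neighbours (clock skew, typing delay).
    Returns (accepted, counter_used).  The caller stores counter_used as
    last_counter so the same code cannot be replayed inside the window."""
    current = unix_time // step
    for delta in range(-window, window + 1):
        c = current + delta
        if last_counter is not None and c <= last_counter:
            continue   # already used, or older than one already used
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True, c
    return False, None


if __name__ == "__main__":
    # Fob shows a code at t=59; the user finishes typing it at t=75.
    shown = totp(RFC_TEST_SECRET, 59)
    print(shown, verify_totp(RFC_TEST_SECRET, shown, 75))
    print("seconds left at t=59:", seconds_until_rollover(59))
```

The window is why "wait for the rollover" in the post only half matters: a code typed a few seconds into the next step is still accepted if the verifier allows one step of skew, but one typed two steps late is not. The `last_counter` check is the part fobs do not show you: without it, anyone who shoulder-surfs a code can reuse it for the remainder of the window.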
