Except when u use the PM with an Android App that is full of holes and the 2-factor authentication worth shit therefore.
told them. Lets see how they will respond 
The true fact is the website or application should not be relying on just a standard password entry to gain access to the system. A simple measure of only allowing 3 or 9 attempts to enter your password correctly or your account is disabled and the user is notified by email, will stop any brute force attack on simple or complex passwords by any super computer! Simple.
Otherwise add 2 step verification to your accounts (like google, dropbox etc) and problem sorted!
Two things:
- Almost everyone in this discussion is focused on the point where people have to enter their credentials (rate limiting, etc), but what is more important is if the file of passwords is stolen, the passwords have to be strong all on their own.
- people suggest using a big provider like Google or Facebook, because âthey have it down alreadyâ. Great, but what if there is an attack against them that simply makes the service unavailable? Would you want your car to only work if some central agency was up? No. You want your car to be independent of everything else, to the greatest extent possible.
For these two reasons, credentials have to work like chip cards: You possess it, and it autonomously and securely prevents the info from being stolen. We need a system where the user carries around whatever credential(s) they need, and no big provider exclusively runs it and it canât be broken even if you take it away and âtortureâ it, so to speak.
Physical distance used to protect our stuff. We need something equally simple, secure and workable now. Each person must be able to authenticate themself, not through something they know (they could forget it or be unconscious, dead etc) not through something they have (it could be lost or stolen) and not through something they are (can be spoofed). What is left? Where you are relative to where you were 5 seconds ago. How do we do this? That is what we need.
If someone has a better definition of âidentityâ than your world line, I would love to hear it!
For #2 just have more than one. Itâs easy to take down the one Google, but it will be harder to simultaneously take down Google, Facebook, Twitter and LinkedIn at the same time. Of course that depends on people registering more than one to their account if not then that portion will be affected. But not the whole.
Of course an enterprise system where things are really important (not like discourse forums) youâd have your own provider.
Right you donât need any password, your life is in your Facebook
Itâs so refreshing to just be able to run openssl rand 9 -base64 to generate my new shiny 12 character password fore this site
Hereâs a crazy idea - why donât we generate passwords for users and show it to them as part of account creation? If weâre using HTTPS, we can transmit the password securely, they just need to write it down.
What a concept - let the computer compute, let users type - each of them doing what their good at.
1 Like
This article:
Password rules are bullshit
Here are all the password rules you should make your users follow
LOL 
âPassword must not be a dictionary word.â
Thank you Linux password validity checker, for declaring any string of characters longer than X to be a âdictionary wordâ despite the password selected not appearing anywhere on the system disk, consisting of multiple words, written in multiple languages, and with the added bonus of grammatical errors to boot.
Then thereâs the issue of bullshit sites, such as one for laundry detergent, requiring an extremely strong password (with composition rules revealed after the initial attempt) in order to receive a coupon. A. Coupon.
Biometrics are generally a bad idea, they are non-revocable and often non-concealable. A recent news story had a researcher analyzing high res photos of girls flashing the victory (peace) sign and using that to build a fake fingerprint that could sufficiently fool a fingerprint scanner. You canât get new fingerprints if your existing fingerprints are leaked on line.
I can also see the residue from my fingerprint on my iPhone home button. I donât know if it could be lifted and used to build a fake that could fool the sensor, but I understand and accept that the finger print reader is only maybe secure.
And after all that, what is the protocol that you use to connect the fingerprint scanner on my phone to this site? (Technically for me itâs Google Authenticatorâs 2 factor and Google OpenID)
1 Like
Incorrect. One simple rule to explain to the users: length. The others you only complain about if the user actually chooses a password that is literally âaaaaaaaaaâ or â0123456789â.
As I understand things, a complex password is a requirement to avoid a
brute force attack, right? I mean, if you donât already know it, then you
have to brute force it or just guess, right?
So, what if there is simply a more and more extended delay between
failures? Like, maybe give them 3 chances, then make them wait 2 minutes,
and then 3 minutes, and then 4, etc⌠Youâd never have time to brute
force it.
Does that make sense, or am I just a bit dim witted?
My peeve is not only password rules, but that they tend to be presented piecemeal so we have to blackbox the rules. I recently came across this flow:
On password creation, this was the rule: âPasswords are case sensative [sic], must not contain symbols and must be at least 8 characters.â
Of course, I broke a hidden rule and got the real password rule: âPassword must be 8-20 chars and include at least 3 of these options: uppercase, lowercase, numbers, or symbols.â
Password rules are annoying, but when they are incomplete or literally contradictory, ugh.
Haha I was just poking fun, I agree with everything about the conclusion you came to and I do exactly the same thing on all my login forms. That said, the article IS indeed about which password rules you hate and which ones you like, namely: minimum length, reject common passwords, enforce entropy, reject special cases. The last 5 points literally read â#1 - password rules are bullshit. #2 - #5 - here are the password rules I enforceâ - common, you gotta see the bit of humor in that
Most people in the US cannot legally ping a phone, so you would most likely have to have some kind of app to work this out; which presents its own idiosyncrasies.
Brute force can be off-line: they steal the hashed password, then use a zillion cpu special-purpose machine to try every password possible. You canât rate-limit someone elseâs hardware. The password has to be secure on its own. This is the whole problem with the internet: there is no âhereâ or âthereâ, there is just âeverywhereâ, and essentially zero distance from here to there. No one in Romania can steal my car, it is 5000 miles away! Someone in another state is not going to steal my laptop. Why bother? There is one 100 feet away from them to steal.
We need to put the nouns back in: we need âwhereâ to be meaningful, and âwhoâ and âwhyâ and âwhenâ and âhow oftenâ. Those need to be inherent in the physical design, not able to be circumvented, just like how my car is safe from everyone except a neighborhood kid, because there is a⌠neighborhood. And a⌠car. And⌠physics!
1 Like
Someone mentioned how they use the same password on a lot of sites. Let me give a short example of why that is bad:
Years and years ago, we got called in to fix a database where the original designer actually kept all the passwords in plain text. (We saw this all the time in the 90âs)
The owner of the company, while seeking quotes on getting it repaired, actually sent the entire database and website to a whole bunch of contractors in Ukraine, Pakistan, India, Viet Nam, etcâŚ
Not only did it have the passwords in plain text, it actually was integrating with clientsâ mail servers and file servers. To do this, they had a form where you could keep your own machineâs admin credentials, etc⌠in plain text.
So, basically, this brilliant âCEOâ sent the usernames and passwords of all his users and all his clients and all his clients employees to random people all over the world. (and was confused when we refused to work with him if he didnât notify everyone of the security lapse. And our Lawyers said we couldnât even report it without getting sued!)
Anyway⌠no matter how complex your password is, it just takes one ignorant egomaniac to compromise it.
1 Like
The idea wasnât the particular details, the point was to make it possible to do a physically enforceable sanity check on what happens. I cannot log in from Romania if I was in Texas 2 minutes ago. FAIL! For credentials, we store them in a device that can only be in one place at a time, like a smart card, canât be copied, is useless if stolen, and which is able to protect itself. Some intelligent person can put the reality back in to this nightmare that we unwittingly and optimistically brought upon ourselves and everyone else.
thatâs pretty smart.
Just remember, all the tried and true solutions were, at one time, roll-your-own approaches.
Iâve always felt that discussions like this are were they originate - or at least gain acceptance & tweaks.