I carry physical tokens for some of the computers I use. They are cards with chips like debit cards, that require both the physical presence of the card in the card reader, along with a password to access. I would not use this for a personal system!
Nothing wrong with dictionary words, even sticking to the 3000 most common words gives acceptable levels of entropy with just 5 words (~10^17) and is much easier to remember. You'd need 9 alphanumeric characters to equal the entropy (assuming 72 possible states, for lowercase, uppercase, 10 digits and 10 common punctuation symbols), and that's 9 entities to remember vs 5
It might stop the brute force hacks but what about when someone manages to steal the biometric data from a compromised app or website then 3D prints it onto a plastic thumb? At least you can change your password...
I get a bit annoyed by companies implying users are always at fault with regards to data loss.
I've only ever had any breaches of my data thanks to companies being slack.
With regard to personal responsibility, nowadays you're probably safer writing down very complicated passwords and keeping them safe in your house - less likely to be burgled than having an easy password worked out.
Well done if you can remember a different random 10 character string for every site and mailbox and app you use that needs one - unless you use a password manager when the compromise of one password compromises the lot! Passwords like that tend to get written down.
As was posted recently, a dictionary word still gives a high level of entropy. Combine two or three to form a phrase, joined by some non-alphanumeric character, and you have a reasonably secure setup. The real protection for weaker passwords is a lockout system that locks the user out for a set period of time after (say) three unsuccessful attempts.
Or in the case of the company I work for, someone decided that our handhelds that hold customer data should be secured with "1234".

"a large number of users still regularly use passwords such as 'password' or '12345' to secure their access/data"
It's fine blaming users and everything, but when the companies can be the issue with sloppy processes in place? Anyway, I'm happy with my passwords that are all completely and utterly random and recovery of them should I forget is protected by 2FA.
Microsoft isn't getting my biometric data, even if stored locally, I simply don't trust them with it.
Just toss in another dictionary word. Counting on my keyboard, there are about 34 different punctuation characters easily available. Factor in that, for a password with 5 words & a punctuation character, there are 6 possible positions for it (it doesn't matter what order the words are in, since they're unknown to the brute-force attempt), and you've gained a factor of 204 increase in entropy. Add in another word, OTOH, and even limited to the 3000 most common words (and most adults know >20,000!) you've added a factor of 3000 to the entropy (>14 times better!).
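The entropy arithmetic in the two posts above (five words from a 3000-word list versus nine characters from a 72-symbol alphabet, and the 34 × 6 = 204 punctuation gain versus the ×3000 gain of one more word) is easy to check by hand. The following is an added worked example, not code from anyone in this thread; it assumes every word or character is chosen uniformly at random and with replacement, which is the only case where these search-space counts equal the real guessing cost.

```python
import math

# Parameters taken from the thread's own figures (assumed, as the posts do,
# to be uniform random choices with replacement).
WORDS_IN_LIST = 3000    # "the 3000 most common words"
CHAR_ALPHABET = 72      # 26 lower + 26 upper + 10 digits + 10 punctuation
PUNCT_CHOICES = 34      # punctuation characters counted on a keyboard


def passphrase_search_space(n_words, vocab=WORDS_IN_LIST):
    """Number of distinct passphrases of n_words words drawn from vocab."""
    return vocab ** n_words


def password_search_space(n_chars, alphabet=CHAR_ALPHABET):
    """Number of distinct random passwords of n_chars symbols."""
    return alphabet ** n_chars


def entropy_bits(search_space):
    """Entropy in bits of a uniform choice over search_space possibilities."""
    return math.log2(search_space)


def chars_to_match(n_words, vocab=WORDS_IN_LIST, alphabet=CHAR_ALPHABET):
    """Smallest random-character length whose search space is at least as
    large as the n-word passphrase's. 72**9 is just under 3000**5, so the
    thread's "9 characters" is close but 10 is the first length that exceeds it."""
    return math.ceil(entropy_bits(passphrase_search_space(n_words, vocab))
                     / entropy_bits(alphabet))


def punctuation_gain(n_words, punct=PUNCT_CHOICES):
    """Multiplicative growth of the search space from inserting one punctuation
    character into one of the n_words + 1 slots around an n-word phrase."""
    return punct * (n_words + 1)


def extra_word_gain(vocab=WORDS_IN_LIST):
    """Multiplicative growth of the search space from appending one more word."""
    return vocab


def seconds_to_exhaust(search_space, guesses_per_second):
    """Worst-case time for an attacker to try every candidate at a given rate;
    useful for comparing an online-guessing rate (throttled by a lockout) with
    an offline one. The rate is a constructed input, not a thread figure."""
    return search_space / guesses_per_second


if __name__ == "__main__":
    phrase5 = passphrase_search_space(5)
    print(f"5 words from 3000: {phrase5:.2e} ({entropy_bits(phrase5):.1f} bits)")
    print(f"9 chars from 72:   {password_search_space(9):.2e} "
          f"({entropy_bits(password_search_space(9)):.1f} bits)")
    print(f"chars needed to match 5 words: {chars_to_match(5)}")
    print(f"punctuation gain: x{punctuation_gain(5)}, "
          f"extra word gain: x{extra_word_gain()}")
    # Constructed rate: 3 guesses per 15 minutes, i.e. a lockout policy like
    # the one proposed in the thread, versus an unthrottled offline attack.
    print(f"years to exhaust 5 words at 1 guess/5 min: "
          f"{seconds_to_exhaust(phrase5, 1 / 300) / 3.15e7:.2e}")
```

Running it shows the 5-word phrase at roughly 2.4 × 10^17 candidates (about 57.8 bits), the 9-character string at about 5.2 × 10^16 (about 55.5 bits), the ×204 punctuation gain and the ×3000 extra-word gain, which is the ~14.7× ratio the post quotes. The last line makes the other point in the thread concrete: with online attempts throttled by a lockout, even a modest search space is out of reach, whereas an offline attack on a leaked hash runs at whatever rate the attacker's hardware allows, so the lockout protects only the login path, not the password database.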
Dictionary words, all lowercase. Strongest password there is that can still be remembered.
peterb (29-12-2017)
Although the idea of not using and having to remember passwords is appealing, I'm not sold on the tech yet. I'll wait and see what comes next.
If you want a good password, just take a sentence and use the first letter of every word. Like iywgp,jgas,apflfew from the previous one. Easy to remember, and it looks random, so very strong if it has more than a few characters. Adding a capital letter and numbers is easy.
'12345'? That's amazing! I have the same combination on my luggage!
As for it being time to kill the password, it's clear to me that technology is not yet at a point for it to be reliably feasible. Even if it was, I'd most likely prefer to stay with the password route due to the sensitivity of biometric data as Saracen said.
This ^ with bells and whistles and a big FO klaxon and neon flashing lights. Biometric data cannot be changed but can be hacked. Plus I don't want generic websites getting any of my biometric information - I'll stick with passwords thanks, and so should we all. It's a crack-pot idea to do this, and so open to big-brother exploitation. MS gets everyone's face and other info... then sets up cameras in public places to recognise you and advertise, track, monitor etc etc. NO THANK YOU. (and I don't think that's being fanciful, iirc FB have already publicly admitted they are working on targeted public-space advertising in a similar way)