h a l f b a k e r yInexact change.
add, search, annotate, link, view, overview, recent, by name, random
news, help, about, links, report a problem
browse anonymously,
or get an account
and write.
register,
|
|
|
Please log in.
Before you can vote, you need to register.
Please log in or create an account.
|
You login to a system using a small, relatively un-secure password like "bigfoot90". This is your "little password". Easy to remember. Easy to enter on a mobile device. But easier to hack.
Your account is targeted momentarily by a hacker's algorithm. 300 attempts are made on your account in 5 seconds.
Don't worry. The system only validates 1 attempt per seconds, so 295 of those attempts received the message "RAPID ATTEMPT FAILURE". Your account isn't even locked out because only 5 attempts were made.
A few weeks later, your account is more seriously targeted by another hacker. They notice the throttling mechanism and instead make 300 attempts over the course of 300 seconds. Don't worry. Your account locks out after 30 consecutive un-throttled failed attempts.
But now you can't get in! Oh wait, yes you can, because your account has a new feature called a "big password". Unlike your little password, this password has rules... it has to be 12 characters or longer, have a number, caps, and a symbol. Not as easy to remember or enter on a smartphone (you may even have had to write it down somewhere) but at least you can get back in your locked account, no trouble.
Multiple attempts on your "big password" are throttled too, but will never lock out your account. The good news is the hackers will have to try for billions of years to brute force that one. They'll give up on your account eventually, then you'll be able to unlock your little password and start using it again.
Worst case scenario: a never-ending brute force attack on your account forces you to use a super-long, super-secure password for the rest of the account's life.
Look at it the other way: An account forces you to have a long (12+) secure (caps, numbers, symbols) password, but if your account isn't being brute force attacked, you can use a second, shorter, simpler password until your ARE attacked.
Perfect Paper Passwords
https://www.grc.com/ppp.htm system for one-time-use second-factor codes [notexactly, Jun 01 2015]
[link]
|
|
// Worst case scenario: a never-ending brute force
attack... // If they are attacking your big password,
and if, as you said, it is throttled too, then the
worst case is that you'd never be able to log in at
all. |
|
|
Hmmm, good point. Then maybe only the little password is throttled. Even at millions of attempts per second it would still take billions of years (and more) to brute force a 12+ secure password. |
|
|
One bun, but from practical experience, nobody actually cares about password security... |
|
|
Isn't it the case already that most accounts will lock
you out after a certain number of attempts? And you
can regain access by answering security questions or
confirming from another email address? |
|
|
Yahoo (mail service provider) has been trying to get my cellphone number for years. I don't have a cellphone. |
|
|
Y!: "aw, c'mon, if you forget your password we can phone it to you, we can let you know of all sorts of products you'd be interested in" |
|
|
Me: "I don't have a cellphone (and even if I did I wouldn't give you the number)" |
|
|
Y!: "We know you're hiding a cellphone, give us your fucking phone number" |
|
|
Passwords should be like in the movies. The Hero can guess any password just in time. The Bad Guys can only guess passwords, if it advances the story. |
|
|
"Opening shot: As the... " |
|
|
Since the long password is rarely used it will be forgotten. |
|
|
So, in practically all cases, the locked account will still need
to be unlocked through normal methods. |
|
|
Only rare users would keep long passwords in another safe
file, or in memory. |
|
|
WKTE. For example, if you enter the wrong
pattern/PIN/whatever too many times on an Android
phone, it will refuse to accept any more attempts and
ask you to log in with your Google account. |
|
|
it's sort of like dual auth but no phone needed. I'd use this.
bun. |
|
|
I see it as sort of the opposite of that. And I use TOTP
everywhere I can. |
|
|
//Since the long password is rarely used it will be forgotten |
|
|
10x10 grid, each square having some text like "Margaret Thatcher", "wonderful", "warm", "human being", "not","lying toerag" and so on. |
|
|
visitors make easy to remember sentence, using 4 to 10 of those words/phrases. |
|
|
Thence the program takes the first letter of the first word (or example), works out it's ascii value, then hops to one of the 10,000,000 pre-written text files, each one containing 1000 random-generated strings of text characters, picks those up, then uses the ascii value of (for example )the 7th character,then hops to that string, takes maybe 8 chars from there, does one of 80 transformations (like shuffling the string chars around, or putting the numerical value of every other char up by the Fibonacci series), then does this 1000 times.* |
|
|
And, still no one will bother using it.** |
|
|
*As I discovered in 2012, when I made the site which did this. |
|
|
** Blood pressure goes up to a level that worries the Matron, is given a pint of Sanatogen wine and some soothing fingerpainting to do... |
|
|
//
grid
site which did this // |
|
|
See [link] for similar-ish thing. |
|
|
Not a bad idea. Trick is getting people to use it, as others have said (@not_morrison_rm) |
|
|
For luddites who refuse to use an electronic random pw gen/wallet: (warning, blatant plug, I make these), go to [http://bit.ly/1FuQM0W] |
|
|
The biggest resistance people have in my experience to making strong passwords is fear they'll forget them, or the effort to write them down somewhere secure and keep them up to date. But giving them a gadget seems to help them accept at least the idea of creating one mental rule and applying it to generating something at least a *bit* better. |
|
| |