
Little Password, Big Password

Little for convenience, Big for security

You log in to a system using a small, relatively insecure password like "bigfoot90". This is your "little password". Easy to remember. Easy to enter on a mobile device. But easier to hack.

Your account is targeted momentarily by a hacker's algorithm. 300 attempts are made on your account in 5 seconds. Don't worry. The system only validates 1 attempt per second, so 295 of those attempts received the message "RAPID ATTEMPT FAILURE". Your account isn't even locked out because only 5 attempts were made.

A few weeks later, your account is more seriously targeted by another hacker. They notice the throttling mechanism and instead make 300 attempts over the course of 300 seconds. Don't worry. Your account locks out after 30 consecutive un-throttled failed attempts.

But now you can't get in! Oh wait, yes you can, because your account has a new feature called a "big password". Unlike your little password, this password has rules... it has to be 12 characters or longer, have a number, caps, and a symbol. Not as easy to remember or enter on a smartphone (you may even have had to write it down somewhere) but at least you can get back in your locked account, no trouble.

Multiple attempts on your "big password" are throttled too, but will never lock out your account. The good news is the hackers will have to try for billions of years to brute force that one. They'll give up on your account eventually, then you'll be able to unlock your little password and start using it again.

Worst case scenario: a never-ending brute force attack on your account forces you to use a super-long, super-secure password for the rest of the account's life.

Look at it the other way: an account forces you to have a long (12+) secure (caps, numbers, symbols) password, but if your account isn't being brute force attacked, you can use a second, shorter, simpler password until you ARE attacked.

napoleonbag, May 15 2015
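The policy described above, written out as an added example (not code from the post or from halfbakery): the little password is rate-limited to one validated attempt per second and locks out after 30 consecutive validated failures, while the big password is rate-limited too but never locks out. The names, the PBKDF2 storage and the rule that a successful big-password login clears the lockout are assumptions made here to fill in what the post leaves open.

```python
import hashlib
import hmac
import secrets
from collections import Counter

RATE_LIMIT_MS = 1000     # both passwords: at most one validated attempt per second
LOCKOUT_THRESHOLD = 30   # consecutive validated failures on the little password before lockout
PBKDF2_ROUNDS = 10_000   # kept low so the simulation runs quickly; use far more in production


def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, little: str, big: str):
        self.salt = secrets.token_bytes(16)
        self.little_hash = _hash(little, self.salt)
        self.big_hash = _hash(big, self.salt)
        self.failures = 0            # consecutive validated failures on the little password
        self.locked = False
        self.last_validated = None   # time (ms) of the last attempt that was actually checked

    def login(self, pw: str, now_ms: int) -> str:
        # Throttle first: attempts inside the window are rejected unchecked and do not
        # count toward lockout, which is why 300 guesses in 5 seconds cost only 5 failures.
        if self.last_validated is not None and now_ms - self.last_validated < RATE_LIMIT_MS:
            return "RAPID ATTEMPT FAILURE"
        self.last_validated = now_ms
        h = _hash(pw, self.salt)
        if hmac.compare_digest(h, self.big_hash):
            # The big password is never locked out. Assumption: a successful big-password
            # login is what clears the lockout and re-enables the little password.
            self.failures, self.locked = 0, False
            return "OK (big)"
        if self.locked:
            return "LOCKED"
        if hmac.compare_digest(h, self.little_hash):
            self.failures = 0
            return "OK (little)"
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:
            self.locked = True
        return "FAIL"


def run_guesses(acct: Account, n: int, spacing_ms: int, start_ms: int = 0) -> Counter:
    """Feed n constructed wrong guesses spaced spacing_ms apart and tally the responses."""
    return Counter(acct.login(f"wrong-guess-{i}", start_ms + i * spacing_ms) for i in range(n))
```

Spacing 300 guesses 16 ms apart reproduces the post's first scenario (5 validated, 295 "RAPID ATTEMPT FAILURE"); spacing them one second apart reproduces the second (30 failures, then "LOCKED" until the big password is used).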

Perfect Paper Passwords https://www.grc.com/ppp.htm
system for one-time-use second-factor codes [notexactly, Jun 01 2015]

// Worst case scenario: a never-ending brute force attack... // If they are attacking your big password, and if, as you said, it is throttled too, then the worst case is that you'd never be able to log in at all.
scad mientist, May 15 2015

Hmmm, good point. Then maybe only the little password is throttled. Even at millions of attempts per second it would still take billions of years (and more) to brute force a 12+ secure password.
napoleonbag, May 15 2015

One bun, but from practical experience, nobody actually cares about password security...
not_morrison_rm, May 16 2015

Isn't it the case already that most accounts will lock you out after a certain number of attempts? And you can regain access by answering security questions or confirming from another email address?
MaxwellBuchanan, May 16 2015

Yahoo (mail service provider) has been trying to get my cellphone number for years. I don't have a cellphone.

Y!: "aw, c'mon, if you forget your password we can phone it to you, we can let you know of all sorts of products you'd be interested in"

Me: "I don't have a cellphone (and even if I did I wouldn't give you the number)"

Y!: "We know you're hiding a cellphone, give us your fucking phone number"

Me: . . .
FlyingToaster, May 16 2015

Passwords should be like in the movies. The Hero can guess any password just in time. The Bad Guys can only guess passwords if it advances the story.

"Opening shot: As the... "
popbottle, May 17 2015

Since the long password is rarely used it will be forgotten.

So, in practically all cases, the locked account will still need to be unlocked through normal methods.

Only rare users would keep long passwords in another safe file, or in memory.
sophocles, May 18 2015

WKTE. For example, if you enter the wrong pattern/PIN/whatever too many times on an Android phone, it will refuse to accept any more attempts and ask you to log in with your Google account.
notexactly, May 31 2015

It's sort of like dual auth but no phone needed. I'd use this. Bun.
white, May 31 2015

I see it as sort of the opposite of that. And I use TOTP everywhere I can.
notexactly, May 31 2015

//Since the long password is rarely used it will be forgotten

<rant>

10x10 grid, each square having some text like "Margaret Thatcher", "wonderful", "warm", "human being", "not", "lying toerag" and so on.

Visitors make an easy-to-remember sentence, using 4 to 10 of those words/phrases.

Thence the program takes the first letter of the first word (for example), works out its ASCII value, then hops to one of the 10,000,000 pre-written text files, each one containing 1000 randomly generated strings of text characters, picks those up, then uses the ASCII value of (for example) the 7th character, then hops to that string, takes maybe 8 chars from there, does one of 80 transformations (like shuffling the string chars around, or putting the numerical value of every other char up by the Fibonacci series), then does this 1000 times.*

And, still no one will bother using it.**

</rant>

*As I discovered in 2012, when I made the site which did this.

** Blood pressure goes up to a level that worries the Matron, is given a pint of Sanatogen wine and some soothing fingerpainting to do...
not_morrison_rm, May 31 2015

// … grid … site which did this //

See [link] for similar-ish thing.
notexactly, Jun 01 2015

Not a bad idea. Trick is getting people to use it, as others have said (@not_morrison_rm)

For luddites who refuse to use an electronic random pw gen/wallet: (warning, blatant plug, I make these), go to [http://bit.ly/1FuQM0W]

The biggest resistance people have in my experience to making strong passwords is fear they'll forget them, or the effort to write them down somewhere secure and keep them up to date. But giving them a gadget seems to help them accept at least the idea of creating one mental rule and applying it to generating something at least a *bit* better.
Russtopia, Jun 03 2015