That little soft spot on the head....

mpm
Why is it that web sites will force you to have a minimum 8-character password, which MUST include both upper and lowercase, and at least one special character, with additional limits on character sequences and repetition --- and yet, will block the account after three unsuccessful login attempts?

Is there any proof that these schemes work?
I mean, other than getting people to select something other than "password" or "1234"?

I say that if I have to write it down to remember it -- by definition it is less secure.

(And some of my colleagues wonder why I say "I.T." is the janitorial work of engineering! :)
 
On 7/6/19 1:42 PM, mpm wrote:
Why is it that web sites will force you to have a minimum 8-character password, which MUST include both upper and lowercase, and at least one special character, with additional limits on character sequences and repetition --- and yet, will block the account after three unsuccessful login attempts?

Is there any proof that these schemes work?
I mean, other than getting people to select something other than "password" or "1234"?

The login attempt restriction is to defeat someone trying to crack a
_particular_ user's password, on-line, while the enforced length and
character requirements are to try to defeat someone trying to crack
hashed passwords en masse from e.g. an archive of millions of hashed
passwords stolen in a data breach situation.

and the difference between an easily-cracked password in seconds and one
that takes trillions of years can be non-intuitive. you might be
surprised at what high-performance cracking software using massive
hash tables can bust within seconds or minutes. all 8-character random
alphanumeric sequences of simply lowercase letters and numbers are AFAIK
trivially bustable off-line in milliseconds; the state space is not that
large and the hashes can be pre-computed.


I say that if I have to write it down to remember it -- by definition it is less secure.

(And some of my colleagues wonder why I say "I.T." is the janitorial work of engineering! :)

by some metrics the same character repeated some arbitrary number of
times greater than 50:

"qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"

is a very strong password that would take trillions of years to bust.
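An added worked example, not code from the thread, that puts numbers on the two attacker models described in the post above: an on-line guesser throttled by the lockout, and an off-line guesser working through a leaked hash. The guess rates are assumptions chosen for illustration, and the candidate generator is a deliberately tiny stand-in for the rule sets real cracking tools apply. It shows why "trillions of years" is a statement about one particular metric (exhaustive enumeration of the inferred alphabet) and why the same string can fall on the first few thousand guesses under a different ordering.

```python
import string
from typing import Iterator, Optional

# Assumed guess rates (illustrative, not measured):
ONLINE_RATE = 3 / (15 * 60)   # lockout allows 3 tries per 15-minute window
OFFLINE_RATE = 1e10           # GPU rig against a fast unsalted hash, order of magnitude

SECONDS_PER_YEAR = 365.25 * 86400


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of strings of the given length over an alphabet of that size."""
    return alphabet_size ** length


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every string in the space at the given rate."""
    return space / guesses_per_second


def inferred_alphabet(pw: str) -> int:
    """Alphabet size a naive strength meter infers from the character classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def brute_force_years(pw: str, guesses_per_second: float) -> float:
    """The 'trillions of years' figure: assumes the attacker enumerates the
    whole inferred keyspace in no particular order."""
    space = keyspace(inferred_alphabet(pw), len(pw))
    return seconds_to_exhaust(space, guesses_per_second) / SECONDS_PER_YEAR


def pattern_candidates(max_len: int = 128) -> Iterator[str]:
    """Tiny stand-in for a cracker's rule set: a few classic guesses first,
    then every lowercase letter or digit repeated 1..max_len times."""
    yield from ("password", "123456", "1234", "qwerty")
    for n in range(1, max_len + 1):
        for c in string.ascii_lowercase + string.digits:
            yield c * n


def guess_index(pw: str, max_len: int = 128) -> Optional[int]:
    """Position of pw in the candidate stream, or None if the stream never emits it."""
    for i, cand in enumerate(pattern_candidates(max_len)):
        if cand == pw:
            return i
    return None


if __name__ == "__main__":
    eight_lower_alnum = keyspace(36, 8)
    print(f"36^8 = {eight_lower_alnum:,} candidates")
    online_years = seconds_to_exhaust(eight_lower_alnum, ONLINE_RATE) / SECONDS_PER_YEAR
    print(f"  on-line, throttled : {online_years:,.0f} years to exhaust")
    print(f"  off-line, leaked   : {seconds_to_exhaust(eight_lower_alnum, OFFLINE_RATE):,.0f} seconds")
    q68 = "q" * 68
    print(f"'q'*68 brute-force estimate: {brute_force_years(q68, OFFLINE_RATE):.1e} years")
    print(f"'q'*68 found by pattern generator at guess #{guess_index(q68)}")
```

The on-line figure is what the three-strikes lockout buys: the same 36^8 space that an off-line attacker clears in minutes takes tens of millions of years at three guesses per quarter hour. The last two lines are the caveat: the exhaustive estimate for a 68-character string is astronomically large, but a generator that tries repeated characters emits it within a few thousand guesses.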
 
On 7/6/19 2:26 PM, bitrex wrote:
On 7/6/19 1:42 PM, mpm wrote:
Why is it that web sites will force you to have a minimum 8-character
password, which MUST include both upper and lowercase, and at least
one special character, with additional limits on character sequences
and repetition --- and yet, will block the account after three
unsuccessful login attempts?

Is there any proof that these schemes work?
I mean, other than getting people to select something other than
"password" or "1234"?

The login attempt restriction is to defeat someone trying to crack a
_particular_ user's password, on-line, while the enforced length and
character requirements are to try to defeat someone trying to crack
hashed passwords en masse from e.g. an archive of millions of hashed
passwords stolen in a data breach situation.

and the difference between an easily-cracked password in seconds and one
that takes trillions of years can be non-intuitive. you might be
surprised at what high-performance cracking software using massive
hash tables can bust within seconds or minutes. all 8-character random
alphanumeric sequences of simply lowercase letters and numbers are AFAIK
trivially bustable

an md5 rainbow table of all 10 digit lower case alphanumeric passwords
is only about 300 gigs of data, in fact. it allows all hashed passwords
of that qualification 10 digits and shorter to be busted relatively
instantly. 300 gigs of data is not a lot of data by 2019 standards
 
On Saturday, July 6, 2019 at 2:26:33 PM UTC-4, bitrex wrote:
On 7/6/19 1:42 PM, mpm wrote:
Why is it that web sites will force you to have a minimum 8-character password, which MUST include both upper and lowercase, and at least one special character, with additional limits on character sequences and repetition --- and yet, will block the account after three unsuccessful login attempts?

Is there any proof that these schemes work?
I mean, other than getting people to select something other than "password" or "1234"?

The login attempt restriction is to defeat someone trying to crack a
_particular_ user's password, on-line, while the enforced length and
character requirements are to try to defeat someone trying to crack
hashed passwords en masse from e.g. an archive of millions of hashed
passwords stolen in a data breach situation.

and the difference between an easily-cracked password in seconds and one
that takes trillions of years can be non-intuitive. you might be
surprised at what high-performance cracking software using massive
hash tables can bust within seconds or minutes. all 8-character random
alphanumeric sequences of simply lowercase letters and numbers are AFAIK
trivially bustable off-line in milliseconds; the state space is not that
large and the hashes can be pre-computed.


I say that if I have to write it down to remember it -- by definition it is less secure.

(And some of my colleagues wonder why I say "I.T." is the janitorial work of engineering! :)

by some metrics the same character repeated some arbitrary number of
times greater than 50:

"qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"

is a very strong password that would take trillions of years to bust.

OK, so you can "look it up" in a pre-calculated table of hashes.
But that route assumes the attacker has somehow breached the password file on the server. And, I guess that does happen often enough to be a real concern.
(Again... janitors. Can't secure shit.)

Regardless, I highly doubt my "standard" password would be present in any pre-calculated table.
 
On 2019-07-06, mpm <mpmillard@aol.com> wrote:
Why is it that web sites will force you to have a minimum 8-character password, which MUST include both upper and lowercase, and at least one special character, with additional limits on character sequences and repetition --- and yet, will block the account after three unsuccessful login attempts?

Is there any proof that these schemes work?

I've watched attackers try to guess passwords, the disallowed ones are
popular guesses.

> I say that if I have to write it down to remember it -- by definition it is less secure.

that depends on your physical security... perhaps don't write it down
verbatim

--
When I tried casting out nines I made a hash of it.
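An added example, not from the thread, of what a composition policy like the one in the original question actually checks, next to the check that addresses the point just made about disallowed passwords being popular guesses: testing the candidate against a list of known guesses. It also shows the prefix/suffix query shape used by the Pwned Passwords range API (only the first five hex digits of SHA-1 leave the client). The blocklist, the breach counts and the range "server" are constructed in-memory stand-ins; a real deployment would plug an HTTP fetcher into the same `fetch_range` slot.

```python
import hashlib
import re
from typing import Callable, Dict, List, Tuple

# A few of the guesses attackers try first. A real deployment uses a large
# breach-derived list; this short one is constructed for the example.
COMMON_GUESSES = {"password", "123456", "1234", "qwerty", "password1", "Password1!", "letmein"}


def composition_ok(pw: str) -> Tuple[bool, List[str]]:
    """The policy from the original question: 8+ chars, upper, lower, a special
    character, and limits on repeats (3+ identical) and ascending runs (abc, 123)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8")
    if not re.search(r"[a-z]", pw):
        problems.append("no lowercase")
    if not re.search(r"[A-Z]", pw):
        problems.append("no uppercase")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special character")
    if re.search(r"(.)\1\1", pw):
        problems.append("a character repeated 3+ times")
    for a, b, c in zip(pw, pw[1:], pw[2:]):
        if ord(b) == ord(a) + 1 and ord(c) == ord(b) + 1:
            problems.append(f"sequence {a}{b}{c}")
            break
    return (not problems, problems)


def in_blocklist(pw: str, blocklist=COMMON_GUESSES) -> bool:
    """Case-insensitive membership in the known-guess list."""
    return pw.lower() in {g.lower() for g in blocklist}


def pwned_prefix_suffix(pw: str) -> Tuple[str, str]:
    """k-anonymity split used by the Pwned Passwords range API."""
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    return digest[:5], digest[5:]


def make_fake_range_server(breached: Dict[str, int]) -> Callable[[str], str]:
    """Constructed stand-in for GET /range/{prefix}: groups SHA-1 suffixes of
    the given breached passwords by prefix, in the API's 'SUFFIX:COUNT' lines."""
    ranges: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        prefix, suffix = pwned_prefix_suffix(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    return lambda prefix: "\r\n".join(sorted(ranges.get(prefix, [])))


def pwned_count(pw: str, fetch_range: Callable[[str], str]) -> int:
    """Times pw appeared in breaches according to the range response (0 if absent)."""
    prefix, suffix = pwned_prefix_suffix(pw)
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        seen_suffix, _, count = line.partition(":")
        if seen_suffix == suffix:
            return int(count)
    return 0


# Constructed breach data: counts are invented for the example.
FAKE_RANGE = make_fake_range_server({"Password1!": 3, "password": 1000, "qwerty": 500})


def evaluate(pw: str, fetch_range: Callable[[str], str] = FAKE_RANGE) -> Dict[str, object]:
    """Composition verdict next to the two checks that look at attacker behaviour."""
    ok, problems = composition_ok(pw)
    return {
        "composition_ok": ok,
        "problems": problems,
        "blocklisted": in_blocklist(pw),
        "breach_count": pwned_count(pw, fetch_range),
    }


if __name__ == "__main__":
    for candidate in ("Password1!", "wampanoagwompatucket", "Xk7#pq!mR2"):
        print(candidate, evaluate(candidate))
```

"Password1!" satisfies every composition rule in the question and is on the guess list; a long lowercase passphrase fails the composition rules and is on no list. That is the gap the composition rules alone do not close.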
 
On 7/6/19 6:46 PM, bitrex wrote:
On 7/6/19 6:36 PM, mpm wrote:
On Saturday, July 6, 2019 at 2:26:33 PM UTC-4, bitrex wrote:
On 7/6/19 1:42 PM, mpm wrote:
Why is it that web sites will force you to have a minimum
8-character password, which MUST include both upper and lowercase,
and at least one special character, with additional limits on
character sequences and repetition --- and yet, will block the
account after three unsuccessful login attempts?

Is there any proof that these schemes work?
I mean, other than getting people to select something other than
"password" or "1234"?

The login attempt restriction is to defeat someone trying to crack a
_particular_ user's password, on-line, while the enforced length and
character requirements are to try to defeat someone trying to crack
hashed passwords en masse from e.g. an archive of millions of hashed
passwords stolen in a data breach situation.

and the difference between an easily-cracked password in seconds and one
that takes trillions of years can be non-intuitive. you might be
surprised at what high-performance cracking software using massive
hash tables can bust within seconds or minutes. all 8-character random
alphanumeric sequences of simply lowercase letters and numbers are AFAIK
trivially bustable off-line in milliseconds; the state space is not that
large and the hashes can be pre-computed.


I say that if I have to write it down to remember it -- by
definition it is less secure.

(And some of my colleagues wonder why I say "I.T." is the janitorial
work of engineering!  :)

by some metrics the same character repeated some arbitrary number of
times greater than 50:

"qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"

is a very strong password that would take trillions of years to bust.

OK, so you can "look it up" in a pre-calculated table of hashes.
But that route assumes the attacker has somehow breached the password
file on the server.  And, I guess that does happen often enough to be
a real concern.
(Again... janitors.  Can't secure shit.)

Regardless, I highly doubt my "standard" password would be present in
any pre-calculated table.


"standard password"?

anyway, test it out and see. this tool runs locally it doesn't transmit
any data over the 'net:

https://www.cryptool.org/en/cto-highlights/passwordmeter

Combining Wampanoag Indian names from around New England, as an example

"wampanoagwompatucket"

results in an intrinsically pretty strong password by most metrics
without using any special characters, rather like the "code talkers" of
World War 2
 
On 7/6/19 6:36 PM, mpm wrote:
On Saturday, July 6, 2019 at 2:26:33 PM UTC-4, bitrex wrote:
On 7/6/19 1:42 PM, mpm wrote:
Why is it that web sites will force you to have a minimum 8-character password, which MUST include both upper and lowercase, and at least one special character, with additional limits on character sequences and repetition --- and yet, will block the account after three unsuccessful login attempts?

Is there any proof that these schemes work?
I mean, other than getting people to select something other than "password" or "1234"?

The login attempt restriction is to defeat someone trying to crack a
_particular_ user's password, on-line, while the enforced length and
character requirements are to try to defeat someone trying to crack
hashed passwords en masse from e.g. an archive of millions of hashed
passwords stolen in a data breach situation.

and the difference between an easily-cracked password in seconds and one
that takes trillions of years can be non-intuitive. you might be
surprised at what high-performance cracking software using massive
hash tables can bust within seconds or minutes. all 8-character random
alphanumeric sequences of simply lowercase letters and numbers are AFAIK
trivially bustable off-line in milliseconds; the state space is not that
large and the hashes can be pre-computed.


I say that if I have to write it down to remember it -- by definition it is less secure.

(And some of my colleagues wonder why I say "I.T." is the janitorial work of engineering! :)

by some metrics the same character repeated some arbitrary number of
times greater than 50:

"qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"

is a very strong password that would take trillions of years to bust.

OK, so you can "look it up" in a pre-calculated table of hashes.
But that route assumes the attacker has somehow breached the password file on the server. And, I guess that does happen often enough to be a real concern.
(Again... janitors. Can't secure shit.)

Regardless, I highly doubt my "standard" password would be present in any pre-calculated table.

remember I believe there are various sophisticated ways of chaining
pre-computed hashes to recursively break passwords that have any
monotonic subdivision pre-computed, exponentially faster, it doesn't
have to be just the whole thing, atomically. IDK how that works exactly
you'd have to ask an info security/cryptography person.
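An added example, not code from the thread, of what "pre-computed hashes" and "chaining" look like in practice: a miniature rainbow table (Oechslin's refinement of Hellman's time-memory trade-off) over a toy keyspace of three lowercase letters. It also answers the earlier points about the 300 GB table and about looking a hash up in a pre-calculated table: the chains only work for hashes computed exactly the way the table was built, so a per-user salt sends the attacker back to per-account guessing (real deployments combine the salt with a deliberately slow hash such as bcrypt, scrypt or Argon2). The chain length, chain count, start points and the salt are constructed for illustration.

```python
import hashlib
import string
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_lowercase
LENGTH = 3                            # toy keyspace: 26**3 = 17,576 passwords
SPACE = len(ALPHABET) ** LENGTH
CHAIN_LEN = 40                        # hashes represented by each stored chain
NUM_CHAINS = 400


def h(password: str, salt: str = "") -> bytes:
    """Unsalted MD5 is what the thread's table targets; the salt parameter
    is used below to show what a per-user salt does to the same table."""
    return hashlib.md5((salt + password).encode()).digest()


def reduce_(digest: bytes, column: int) -> str:
    """Map a digest back into the keyspace. Mixing in the column index gives
    every column its own reduction, which stops two chains that collide in one
    column from merging for the rest of their length (the 'rainbow' idea)."""
    n = (int.from_bytes(digest[:8], "big") + column) % SPACE
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def chain_word(start: str, column: int) -> str:
    """The plaintext sitting at a given column of the chain that begins at start."""
    pw = start
    for col in range(column):
        pw = reduce_(h(pw), col)
    return pw


def build_table(starts: List[str]) -> Dict[str, List[str]]:
    """Only the two ends of each chain are stored: endpoint -> start points."""
    table: Dict[str, List[str]] = {}
    for start in starts:
        table.setdefault(chain_word(start, CHAIN_LEN), []).append(start)
    return table


def lookup(table: Dict[str, List[str]], target: bytes) -> Optional[str]:
    """Guess which column the target sits in, finish that chain, and if its
    endpoint is stored, walk the chain from its start to find the plaintext."""
    for col in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_(target, col)
        for later in range(col + 1, CHAIN_LEN):
            pw = reduce_(h(pw), later)
        for start in table.get(pw, []):
            cand = start
            for step in range(CHAIN_LEN):
                if h(cand) == target:
                    return cand
                cand = reduce_(h(cand), step)
    return None


def demo_starts(n: int = NUM_CHAINS) -> List[str]:
    """Deterministic pseudo-random chain start points (constructed)."""
    return [reduce_(h(f"start-{i}"), 0) for i in range(n)]


def demo() -> Tuple[Optional[str], Optional[str], int, int]:
    """Returns (unsalted hit, salted hit, stored endpoints, hashes represented)."""
    table = build_table(demo_starts())
    victim = chain_word(demo_starts()[5], 17)      # a password the table covers
    unsalted = lookup(table, h(victim))            # site stored MD5(pw)
    salted = lookup(table, h(victim, "8f3a"))      # site stored MD5(salt || pw)
    return unsalted, salted, len(table), NUM_CHAINS * CHAIN_LEN


if __name__ == "__main__":
    found, salted_found, entries, covered = demo()
    print(f"{entries} stored endpoints stand in for up to {covered} hashes")
    print("unsalted MD5 recovered:", found)
    print("same password, salted :", salted_found)
```

The storage saving is the point of the chaining: a few hundred start/end pairs stand in for thousands of hashes, at the price of recomputing part of a chain on every lookup. The salted lookup returns nothing because the reductions were computed over MD5(pw), not MD5(salt || pw); an attacker would need a fresh table per salt value, which is the same work as guessing per account.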
 
On 7/6/19 6:36 PM, mpm wrote:
On Saturday, July 6, 2019 at 2:26:33 PM UTC-4, bitrex wrote:
On 7/6/19 1:42 PM, mpm wrote:
Why is it that web sites will force you to have a minimum 8-character password, which MUST include both upper and lowercase, and at least one special character, with additional limits on character sequences and repetition --- and yet, will block the account after three unsuccessful login attempts?

Is there any proof that these schemes work?
I mean, other than getting people to select something other than "password" or "1234"?

The login attempt restriction is to defeat someone trying to crack a
_particular_ user's password, on-line, while the enforced length and
character requirements are to try to defeat someone trying to crack
hashed passwords en masse from e.g. an archive of millions of hashed
passwords stolen in a data breach situation.

and the difference between an easily-cracked password in seconds and one
that takes trillions of years can be non-intuitive. you might be
surprised at what high-performance cracking software using massive
hash tables can bust within seconds or minutes. all 8-character random
alphanumeric sequences of simply lowercase letters and numbers are AFAIK
trivially bustable off-line in milliseconds; the state space is not that
large and the hashes can be pre-computed.


I say that if I have to write it down to remember it -- by definition it is less secure.

(And some of my colleagues wonder why I say "I.T." is the janitorial work of engineering! :)

by some metrics the same character repeated some arbitrary number of
times greater than 50:

"qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"

is a very strong password that would take trillions of years to bust.

OK, so you can "look it up" in a pre-calculated table of hashes.
But that route assumes the attacker has somehow breached the password file on the server. And, I guess that does happen often enough to be a real concern.
(Again... janitors. Can't secure shit.)

Regardless, I highly doubt my "standard" password would be present in any pre-calculated table.

"standard password"?

anyway, test it out and see. this tool runs locally it doesn't transmit
any data over the 'net:

<https://www.cryptool.org/en/cto-highlights/passwordmeter>
 
On Saturday, July 6, 2019 at 7:01:02 PM UTC-4, Jasen Betts wrote:
On 2019-07-06, mpm wrote:
Why is it that web sites will force you to have a minimum 8-character password, which MUST include both upper and lowercase, and at least one special character, with additional limits on character sequences and repetition --- and yet, will block the account after three unsuccessful login attempts?

Is there any proof that these schemes work?

I've watched attackers try to guess passwords, the disallowed ones are
popular guesses.

I say that if I have to write it down to remember it -- by definition it is less secure.

that depends on your physical security... perhaps don't write it down
verbatim

--
When I tried casting out nines I made a hash of it.

FWIW: This whole mini-rant started when, this morning, I tried to log on to see my 401k account. Even though I write the user name and password down VERBATIM, Transamerica can't seem to log me in.

They suck.
And I'm pretty sure their entire I.T. security "staff" are a bunch of children.
Literally. (With apologies to those children out there who can actually program better!)

I think this is about 9th or 10th time it's happened.
And I don't have the problem on other sites.

So yeah, I get a little pissed when they remind me to include all the special f-ckin' characters, etc... And then even when I do reset the password.... it still doesn't work.

To paraphrase Nicholas Taleb, maybe Transamerica should hire some actual janitors to handle their I.T. department. It's not that they would necessarily do a better job (although it's hard to imagine otherwise), it's that you really wouldn't expect them to!
 
On Saturday, July 6, 2019 at 10:57:54 PM UTC-4, Jeff Liebermann wrote:

Your header shows that you're using G2 reader which puts you on an
Android tablet. No clue what you're using for a web browser or OS for
logging into TransAmerica. Try the following process

Actually, Windows-7 w/ IE-11.

The failed login notwithstanding, the reset password really ought to work.
(They send you a link to your email on file.)

Pathetic.

I already left them a nasty-gram, so toxically worded, I might actually regret it (a little) when I get them on the phone Monday. If I had my way, our company would switch benefits elsewhere. All their offerings are TA-based (as expected), so not much to choose from, and their fund performances relative to most of their peers is often on life support. Frankly, I only do it for the employer match.

Which lately, it seems like it would be a more efficient system for my employer to just give the money directly to TA and leave me out of it. It is just barely worth the effort sometimes.

OK. Rant over.
I'll suck it up on Monday and deal with the god-damn T/A janitors again.
AGAIN!
 
Jeff Liebermann <jeffl@cruzio.com> wrote in
news:kdm2ied2kf37j79sg1raibr9iihackfuoj@4ax.com:

This whole mini-rant started when, this morning, I tried to log
on to see my 401k account. Even though I write the user name
and password down VERBATIM, Transamerica can't seem to log me in.

Are you using THEIR app? Most have apps and do not like web browser
access. Even if you've been doing it that way all along, many have
apps and prefer their customers use the app. (and update it)
 
On Sat, 6 Jul 2019 17:17:39 -0700 (PDT), mpm <mpmillard@aol.com>
wrote:

This whole mini-rant started when, this morning, I tried to log
on to see my 401k account. Even though I write the user name
and password down VERBATIM, Transamerica can't seem to log me in.
(...)
I think this is about 9th or 10th time it's happened.
And I don't have the problem on other sites.

Your header shows that you're using G2 reader which puts you on an
Android tablet. No clue what you're using for a web browser or OS for
logging into TransAmerica. Try the following process, even though
some of it may seem rather illogical:

1. In your browser, clear the cookies associated with Transamerica.
For Firefox, click on the site information icon (small "i" inside a
circle on the URL line to the left of the lock symbol). At the bottom
of the window, click on "Clear cookies and Site Data". It may take
two or three seconds for the "Clear cookies..." option to appear. It
will only appear if you have cookies for transamerica stored. You
should see "transamerica.com" and "www.transamerica.com" listed. Click
"remove" and they'll both be removed. Bug me if you need instructions
for other browsers.

2. When you try to login to transamerica.com again, inscribe the
correct user name, but intentionally mangle the password. Make sure
this intentionally wrong password is at least 2 characters longer than
your real password. It will fail to login, which is what I would
expect. Now, try again, this time using the real password.

If the above process works, please report it to Transamerica support.
I don't want to get involved in yet another time burner with the
janitors. If not, save it for the next time you have a similar
problem and try it again.


--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
On Sat, 6 Jul 2019 20:35:48 -0700 (PDT), mpm <mpmillard@aol.com>
wrote:

On Saturday, July 6, 2019 at 10:57:54 PM UTC-4, Jeff Liebermann wrote:

Your header shows that you're using G2 reader which puts you on an
Android tablet. No clue what you're using for a web browser or OS for
logging into TransAmerica. Try the following process

Actually, Windows-7 w/ IE-11.

How to delete cookies for a specific domain in IE:
<https://www.thewindowsclub.com/delete-internet-cache-particular-website>

The failed login notwithstanding, the reset password really ought to work.
(They send you a link to your email on file.)

I've noticed that such features often malfunction on weekends when the
IT staff is absent. Things should magically start working again on
Monday morning.

I don't think it's a pop-up blocker problem, but it might be worth
turning it off in IE 11 just to see what pops up.
Gear icon -> Internet Options -> Privacy -> Pop-up Blocker -> Uncheck

You might also try logging in with a different browser.

I'll suck it up on Monday and deal with the god-damn T/A janitors again.
AGAIN!

Good luck.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
 
Robert Baer <robertbaer@localnet.com> wrote in
news:GSeUE.10283$472.1002@fx12.iad:

Almost.....remember, many sites require digits, mixed case and some
special characters.

You obviously only give a cursory glance at threads posted here.
READ the thread. He already spoke on the requisites (in the very first
post).

And for those where money is involved... ALL of them do.
 
Robert Baer <robertbaer@localnet.com> wrote in
news:aXeUE.10284$472.7027@fx12.iad:

DecadentLinuxUserNumeroUno@decadence.org wrote:
Jeff Liebermann <jeffl@cruzio.com> wrote in
news:kdm2ied2kf37j79sg1raibr9iihackfuoj@4ax.com:

This whole mini-rant started when, this morning, I tried to log
on to see my 401k account. Even though I write the user name
and password down VERBATIM, Transamerica can't seem to log me
in.

Are you using THEIR app? Most have apps and do not like web browser
access. Even if you've been doing it that way all along, many have
apps and prefer their customers use the app. (and update it)

Then again, "apps" easily get f*cked and one cannot see any
difference..

You say some of the most stupid things sometimes.

Aren't you the dope that was on a PC under a text only interface
and phone modems due to your paranoia about ten years ago?

Don't see too many android hack news segments about bank or
investment firm apps.

Ooops... statistical dope too, eh?

You think a browser based access is safer?
Oh wait.... more noticeable if it is hacked?

Nice try. Nice try, Double Oh Nothing.
 
DecadentLinuxUserNumeroUno@decadence.org wrote:
Jeff Liebermann <jeffl@cruzio.com> wrote in
news:kdm2ied2kf37j79sg1raibr9iihackfuoj@4ax.com:

This whole mini-rant started when, this morning, I tried to log
on to see my 401k account. Even though I write the user name
and password down VERBATIM, Transamerica can't seem to log me in.

Are you using THEIR app? Most have apps and do not like web browser
access. Even if you've been doing it that way all along, many have
apps and prefer their customers use the app. (and update it)

Then again, "apps" easily get f*cked and one cannot see any difference..
 
bitrex wrote:
On 7/6/19 6:46 PM, bitrex wrote:
On 7/6/19 6:36 PM, mpm wrote:
On Saturday, July 6, 2019 at 2:26:33 PM UTC-4, bitrex wrote:
On 7/6/19 1:42 PM, mpm wrote:
Why is it that web sites will force you to have a minimum
8-character password, which MUST include both upper and lowercase,
and at least one special character, with additional limits on
character sequences and repetition --- and yet, will block the
account after three unsuccessful login attempts?

Is there any proof that these schemes work?
I mean, other than getting people to select something other than
"password" or "1234"?

The login attempt restriction is to defeat someone trying to crack a
_particular_ user's password, on-line, while the enforced length and
character requirements are to try to defeat someone trying to crack
hashed passwords en masse from e.g. an archive of millions of hashed
passwords stolen in a data breach situation.

and the difference between an easily-cracked password in seconds and one
that takes trillions of years can be non-intuitive. you might be
surprised at what high-performance cracking software using massive
hash tables can bust within seconds or minutes. all 8-character random
alphanumeric sequences of simply lowercase letters and numbers are AFAIK
trivially bustable off-line in milliseconds; the state space is not that
large and the hashes can be pre-computed.


I say that if I have to write it down to remember it -- by
definition it is less secure.

(And some of my colleagues wonder why I say "I.T." is the
janitorial work of engineering!  :)

by some metrics the same character repeated some arbitrary number of
times greater than 50:

"qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"

is a very strong password that would take trillions of years to bust.

OK, so you can "look it up" in a pre-calculated table of hashes.
But that route assumes the attacker has somehow breached the password
file on the server.  And, I guess that does happen often enough to be
a real concern.
(Again... janitors.  Can't secure shit.)

Regardless, I highly doubt my "standard" password would be present in
any pre-calculated table.


"standard password"?

anyway, test it out and see. this tool runs locally it doesn't
transmit any data over the 'net:

https://www.cryptool.org/en/cto-highlights/passwordmeter

Combining Wampanoag Indian names from around New England, as an example

"wampanoagwompatucket"

results in an intrinsically pretty strong password by most metrics
without using any special characters, rather like the "code talkers" of
World War 2
Almost.....remember, many sites require digits, mixed case and some
special characters.
 
bitrex wrote:
On 7/6/19 6:36 PM, mpm wrote:
On Saturday, July 6, 2019 at 2:26:33 PM UTC-4, bitrex wrote:
On 7/6/19 1:42 PM, mpm wrote:
Why is it that web sites will force you to have a minimum
8-character password, which MUST include both upper and lowercase,
and at least one special character, with additional limits on
character sequences and repetition --- and yet, will block the
account after three unsuccessful login attempts?

Is there any proof that these schemes work?
I mean, other than getting people to select something other than
"password" or "1234"?

The login attempt restriction is to defeat someone trying to crack a
_particular_ user's password, on-line, while the enforced length and
character requirements are to try to defeat someone trying to crack
hashed passwords en masse from e.g. an archive of millions of hashed
passwords stolen in a data breach situation.

and the difference between an easily-cracked password in seconds and one
that takes trillions of years can be non-intuitive. you might be
surprised at what high-performance cracking software using massive
hash tables can bust within seconds or minutes. all 8-character random
alphanumeric sequences of simply lowercase letters and numbers are AFAIK
trivially bustable off-line in milliseconds; the state space is not that
large and the hashes can be pre-computed.


I say that if I have to write it down to remember it -- by
definition it is less secure.

(And some of my colleagues wonder why I say "I.T." is the janitorial
work of engineering!  :)

by some metrics the same character repeated some arbitrary number of
times greater than 50:

"qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"

is a very strong password that would take trillions of years to bust.

OK, so you can "look it up" in a pre-calculated table of hashes.
But that route assumes the attacker has somehow breached the password
file on the server.  And, I guess that does happen often enough to be
a real concern.
(Again... janitors.  Can't secure shit.)

Regardless, I highly doubt my "standard" password would be present in
any pre-calculated table.


"standard password"?

anyway, test it out and see. this tool runs locally it doesn't transmit
any data over the 'net:

https://www.cryptool.org/en/cto-highlights/passwordmeter
Thanks!
BUT it ain't too swift; passes an e-mail with flying colors..
 
On 7/7/19 1:47 AM, Robert Baer wrote:
bitrex wrote:
On 7/6/19 6:36 PM, mpm wrote:
On Saturday, July 6, 2019 at 2:26:33 PM UTC-4, bitrex wrote:
On 7/6/19 1:42 PM, mpm wrote:
Why is it that web sites will force you to have a minimum
8-character password, which MUST include both upper and lowercase,
and at least one special character, with additional limits on
character sequences and repetition --- and yet, will block the
account after three unsuccessful login attempts?

Is there any proof that these schemes work?
I mean, other than getting people to select something other than
"password" or "1234"?

The login attempt restriction is to defeat someone trying to crack a
_particular_ user's password, on-line, while the enforced length and
character requirements are to try to defeat someone trying to crack
hashed passwords en masse from e.g. an archive of millions of hashed
passwords stolen in a data breach situation.

and the difference between an easily-cracked password in seconds and one
that takes trillions of years can be non-intuitive. you might be
surprised at what high-performance cracking software using massive
hash tables can bust within seconds or minutes. all 8-character random
alphanumeric sequences of simply lowercase letters and numbers are AFAIK
trivially bustable off-line in milliseconds; the state space is not that
large and the hashes can be pre-computed.


I say that if I have to write it down to remember it -- by
definition it is less secure.

(And some of my colleagues wonder why I say "I.T." is the
janitorial work of engineering!  :)

by some metrics the same character repeated some arbitrary number of
times greater than 50:

"qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"

is a very strong password that would take trillions of years to bust.

OK, so you can "look it up" in a pre-calculated table of hashes.
But that route assumes the attacker has somehow breached the password
file on the server.  And, I guess that does happen often enough to be
a real concern.
(Again... janitors.  Can't secure shit.)

Regardless, I highly doubt my "standard" password would be present in
any pre-calculated table.


"standard password"?

anyway, test it out and see. this tool runs locally it doesn't
transmit any data over the 'net:

https://www.cryptool.org/en/cto-highlights/passwordmeter
  Thanks!
  BUT it ain't too swift; passes an e-mail with flying colors..

No that web app is fairly basic it doesn't know what an email address
looks like or to parse for them. pretty sure many sites will allow you
just fine to use an email address as a password so long as it isn't the
one you used to register with, anyway. Not that you probably should do
that, either.

just tested to see if a certain major search engine provider accepts
balls@dicks.net as a password on account creation. Yes it does.
 
On 7/07/2019 8:36 am, mpm wrote:

Regardless, I highly doubt my "standard" password would be present in any pre-calculated table.

It's not very secure if you use it in multiple places, since you have to
reveal it to each of them.

Password managers are your friend.

Sylvia.
 
