That little soft spot on the head....

mpm <mpmillard@aol.com> wrote:
Why is it that web sites will force you to have a minimum 8-character password, which MUST include both upper and lowercase, and at least one special character, with additional limits on character sequences and repetition --- and yet, will block the account after three unsuccessful login attempts?
Is there any proof that these schemes work?
I mean, other than getting people to select something other that "password" or "1234"?

I say that if I have to write it down to remember it -- by definition it is less secure.

(And some of my colleagues wonder why I say "I.T." is the janitorial work of engineering! :)

you'd have to be soft headed to give your money to janitors in the first place!
 
bitrex <user@example.net> wrote in news:pJ5UE.15503$OM5.8852@fx15.iad:

by some metrics the same character repeated some arbitrary number
of times greater than 50:

"qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"

is a very strong password that would take trillions of years to
bust.

You spelled seconds incorrectly. You wrote 'trillions of years'.

We haven't even been here that long.

By 'some metrics'? What are you "Some Idiot" (The Amateurs)?
 
On Sunday, July 7, 2019 at 12:30:44 AM UTC-4, Jeff Liebermann wrote:
On Sat, 6 Jul 2019 20:35:48 -0700 (PDT), mpm wrote:
....
How to delete cookies for a specific domain in IE:
https://www.thewindowsclub.com/delete-internet-cache-particular-website
....

Thanks Jeff!
That tidbit was actually quite helpful for clearing up a separate issue I was having with a different website.
 
On 7/7/19 10:43 AM, DecadentLinuxUserNumeroUno@decadence.org wrote:
bitrex <user@example.net> wrote in news:pJ5UE.15503$OM5.8852@fx15.iad:

by some metrics the same character repeated some arbitrary number
of times greater than 50:

"qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"

is a very strong password that would take trillions of years to
bust.



You spelled seconds incorrectly. You wrote 'trillions of years'.

We haven't even been here that long.

By 'some metrics'? What are you "Some Idiot" (The Amateurs)?

It would take that long to brute-force it, but it's very low entropy, so
it wouldn't take a great leap of insight or time/space complexity to add
the hashes of all single-digit character runs up to some arbitrary
number to a rainbow table. That'd be the only way to crack it fast.

"who would do that and for what length would they do it out to" is a
psychological question and not a technological question, I guess
 
bitrex <user@example.net> wrote in news:NVpUE.11393$eB6.889@fx30.iad:

> It would take that long to brute-force it,

NO. The point was that it would NOT take that long.

In fact, most if not all 'brute force' ALSO use libraries of tables
of keys, so the "all the same character group" is one of those first
tested.

Many 'brute force' algorithms have tables they check first.

And even if staggering through them all without tables, your 'same
character throughout' combination would likely arise and be found
pretty quickly.
 
On 7/7/19 1:48 PM, DecadentLinuxUserNumeroUno@decadence.org wrote:
bitrex <user@example.net> wrote in news:NVpUE.11393$eB6.889@fx30.iad:

It would take that long to brute-force it,

NO. The point was that it would NOT take that long.

In fact, most if not all 'brute force' ALSO use libraries of tables
of keys, so the "all the same character group" is one of those first
tested.

Many 'brute force' algorithms have tables they check first.

Ok sure but you're re-defining what "brute force" means.

And even if staggering through them all without tables, your 'same
character throughout' combination would likely arise and be found
pretty quickly.

How would a strict brute force search come across a 50 character
password of all the same character any faster than it came across any
other password 50 characters in length?

If your "brute force" algorithm is not actually strict brute force but
also uses table-assist or heuristic like try single-letter combinations
how is it determined how many characters the cut-off is? 25? 50? 100?

it's entirely up to the particular implementation.

Password strength is essentially about Kolmogorov complexity which is
uncomputable; there can be no universally-accepted metric of it that's
"true" in a mathematical sense. That's why I qualified my statement at
the beginning with "By some metrics"
 
On 7/7/19 2:14 PM, bitrex wrote:

Password strength is essentially about Kolmogorov complexity which is
uncomputable
That is to say an algorithm which could compute a universally meaningful
"strength" metric for all possible passwords of non-trivial complexity
would be equivalent to an algorithm that could solve the halting problem
for all possible inputs which is impossible
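The two ways of scoring the 68-character 'q' string that this exchange is about, as an added example that is not part of any post in the thread: the naive per-character estimate ("some metrics") and a pattern-aware one that charges a repeated run as "pick a character, then pick a length" and a dictionary word as "pick a line of the wordlist", which is the shortcut a guessing tool actually takes. The `WORDLIST`, the regex for runs and the scoring rules are assumptions of the example; any pattern-aware estimate is a heuristic, not the uncomputable Kolmogorov complexity bitrex refers to.

```python
import math
import re
import string

# Constructed stand-in for a cracking wordlist (an assumption for this example;
# real lists hold tens of thousands of entries, so the per-word cost charged
# below is optimistic, but the ordering of the two estimates does not change).
WORDLIST = {"correct", "horse", "battery", "staple", "password", "letmein",
            "qwerty", "dragon", "monkey", "welcome"}

RUN_RE = re.compile(r"(.)\1{2,}")  # three or more copies of one character


def charset_size(text):
    """Size of the union of 'keyboard classes' that cover the characters."""
    size = 0
    if any(c.islower() for c in text):
        size += 26
    if any(c.isupper() for c in text):
        size += 26
    if any(c.isdigit() for c in text):
        size += 10
    if any(c in string.punctuation for c in text):
        size += len(string.punctuation)
    if any(c.isspace() for c in text):
        size += 1
    return max(size, 1)


def naive_bits(pw):
    """The 'some metrics' estimate: every character is an independent draw
    from the charset, so 68 x 'q' scores 68 * log2(26), about 320 bits."""
    return len(pw) * math.log2(charset_size(pw))


def _longest_word_at(lowered, pos, wordlist):
    best = ""
    for w in wordlist:
        if lowered.startswith(w, pos) and len(w) > len(best):
            best = w
    return best


def pattern_aware_bits(pw, wordlist=WORDLIST):
    """Charge a repeated run as 'pick one character, then pick a length' and a
    wordlist entry as 'pick one line of the list'; anything else is charged at
    the naive per-character rate. The long 'q' run collapses to about 11 bits."""
    lowered = pw.lower()
    per_char = math.log2(charset_size(pw))
    bits = 0.0
    pos = 0
    while pos < len(pw):
        run = RUN_RE.match(pw, pos)
        if run:
            text = run.group(0)
            bits += math.log2(charset_size(text)) + math.log2(len(text))
            pos = run.end()
            continue
        word = _longest_word_at(lowered, pos, wordlist)
        if word:
            bits += math.log2(len(wordlist))
            pos += len(word)
            continue
        bits += per_char
        pos += 1
    return bits


def report(pw):
    """Both estimates side by side, rounded to one decimal."""
    return {"naive": round(naive_bits(pw), 1),
            "pattern_aware": round(pattern_aware_bits(pw), 1)}


if __name__ == "__main__":
    for candidate in ("q" * 68, "correcthorsebatterystaple", "Tr0ub4dor&3"):
        print(candidate[:30], report(candidate))
```

With the ten-word stand-in list the xkcd passphrase also scores low; against a realistic list of tens of thousands of words each word costs closer to 15 to 17 bits, which is where the comic's 44-bit figure comes from. The point the numbers make is the one bitrex concedes: the same string is either unbreakable or trivial depending on which guessing strategy the metric assumes.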
 
bitrex <user@example.net> wrote in news:aEqUE.30483$qC7.23486@fx11.iad:

How would a strict brute force search come across a 50 character
password of all the same character any faster than it came across
any other password 50 characters in length?

I just told you. "Brute force" 'search' NOW includes lookup tables
of "commonly used" passwords and searches those FIRST. That includes
the table not required "all characters the same" search.

Easy peasy.

It doesn't "come across" it. It goes through the tables and if
unsuccessful, THEN looks with the random, logged traditional brute
force hunt.
 
DemonicTubes <tlackie@gmail.com> wrote in news:f9437b42-d3f3-4114-ad11-1e14b131e66d@googlegroups.com:

On Saturday, July 6, 2019 at 11:42:28 AM UTC-6, mpm wrote:
Why is it that web sites will force you to have a minimum
8-character password, which MUST include both upper and lowercase, and
at least one special character, with additional limits on character
sequences and repetition --- and yet, will block the account after
three unsuccessful login attempts?

Is there any proof that these schemes work?
I mean, other than getting people to select something other that
"passwor
d" or "1234"?

I say that if I have to write it down to remember it -- by definition
it is less secure.

(And some of my colleagues wonder why I say "I.T." is the janitorial
work of engineering! :)

Relevant xkcd:
https://xkcd.com/936/

It is worse than that. The dopes (a lot of them) actually think
they are some kind of illuminati.

Password hunt schemes to use a table of every word in the
dictionary in a four word combo... would not take too long.

Four unknown length words, however...

Antidisestablishmentarianism

At some point, even though one remembers the password, it gets
difficult to pump it in without error, especially on touch
interfaces.
 
On Saturday, July 6, 2019 at 11:42:28 AM UTC-6, mpm wrote:
Why is it that web sites will force you to have a minimum 8-character password, which MUST include both upper and lowercase, and at least one special character, with additional limits on character sequences and repetition --- and yet, will block the account after three unsuccessful login attempts?

Is there any proof that these schemes work?
I mean, other than getting people to select something other that "password" or "1234"?

I say that if I have to write it down to remember it -- by definition it is less secure.

(And some of my colleagues wonder why I say "I.T." is the janitorial work of engineering! :)

Relevant xkcd:
https://xkcd.com/936/
 
Maybe a stupid question:

If a hacker tries different combinations, won’t he (or the machine) be locked out after say 10 attempts when the maximum number of wrong password attempts has been reached?

Cheers

Klaus
 
On 7/10/2019 4:15 PM, Klaus Kragelund wrote:
Maybe a stupid question:

If a hacker tries different combinations, won’t he (or the machine) be locked out after say 10 attempts when the maximum number of wrong password attempts has been reached?

Cheers

Klaus

With AT&T a three strike password attempt and you are talking to someone on the
phone.
Luckily I remembered my favorite my favorite singer.
 
gray_wolf <g_wolf@howling_mad.com> wrote in news:FGsVE.6320$X%2.3749@fx32.iad:

On 7/10/2019 4:15 PM, Klaus Kragelund wrote:
Maybe a stupid question:

If a hacker tries different combinations, won't he (or the machine)
be locked out after say 10 attempts when the maximum number of wrong
password attempts has been reached?

Cheers

Klaus


With AT&T a three strike password attempt and you are talking to
someone on the phone.
Luckily I remembered my favorite my favorite singer.

my favorite, my favorite, wherefore art thou my favorite?

Pavarotti, right? :)
 
onsdag den 10. juli 2019 kl. 23.15.55 UTC+2 skrev Klaus Kragelund:
Maybe a stupid question:

If a hacker tries different combinations, won’t he (or the machine) be locked out after say 10 attempts when the maximum number of wrong password attempts has been reached?

yes, but if you get hold of the hashed password you can try all you want off-line
 
On 7/07/2019 4:26 am, bitrex wrote:
On 7/6/19 1:42 PM, mpm wrote:
Why is it that web sites will force you to have a minimum 8-character
password, which MUST include both upper and lowercase, and at least
one special character, with additional limits on character sequences
and repetition --- and yet, will block the account after three
unsuccessful login attempts?

Is there any proof that these schemes work?
I mean, other than getting people to select something other that
"password" or "1234"?

The login attempt restriction is to defeat someone trying to crack a
_particular_ user's password, on-line,

Which would work just as well if the limit were 10 or 20.

But any such hard limit provides a denial of service attack against a
person.

Rate limiting would be more than adequate for any reasonably strong
password.

Sylvia.
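Sylvia's point (a hard lockout is a denial of service against the user; rate limiting is enough) and Klaus's question about whether lockout stops guessing, illustrated as an added example that is not code from anyone in the thread. `HardLockout` is the "three strikes" policy; `BackoffThrottle` doubles the wait after each failure past a few free attempts and resets on success. The class names, the defaults (3 free attempts, 1 s base, 1 h cap) and the simulated clock are assumptions of the example.

```python
import time


class HardLockout:
    """The 'three strikes' policy: after max_failures the account stays locked
    until someone resets it. Anyone who knows the username can trigger this,
    which is the denial of service Sylvia describes."""

    def __init__(self, max_failures=3):
        self.max_failures = max_failures
        self.failures = {}
        self.locked = set()

    def attempt(self, account, check):
        """check() returns True when the supplied password is correct."""
        if account in self.locked:
            return "locked"
        if check():
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked.add(account)
            return "locked"
        return "bad_password"


class BackoffThrottle:
    """Rate limiting instead of lockout: after free_attempts failures, each
    further failure doubles the wait before the next attempt is processed,
    up to max_delay. A success clears the state, so a flood of wrong guesses
    slows the legitimate user down but never locks them out for good."""

    def __init__(self, free_attempts=3, base_delay=1.0, max_delay=3600.0,
                 clock=time.monotonic):
        self.free = free_attempts
        self.base = base_delay
        self.cap = max_delay
        self.clock = clock
        self.state = {}  # account -> (failures, earliest time of next attempt)

    def attempt(self, account, check):
        """Returns (status, seconds_to_wait). The password is not even
        examined while the account is inside its back-off window."""
        failures, not_before = self.state.get(account, (0, 0.0))
        now = self.clock()
        if now < not_before:
            return "throttled", not_before - now
        if check():
            self.state.pop(account, None)
            return "ok", 0.0
        failures += 1
        extra = failures - self.free
        delay = 0.0 if extra <= 0 else min(self.cap, self.base * 2 ** (extra - 1))
        self.state[account] = (failures, now + delay)
        return "bad_password", delay


class FakeClock:
    """Deterministic clock so the simulations below run instantly."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def guesses_per_day(free_attempts=3, base_delay=1.0, max_delay=3600.0):
    """Wrong guesses the back-off policy lets through in 24 h of continuous
    on-line trying, with the guesser sleeping out every window."""
    clock = FakeClock()
    policy = BackoffThrottle(free_attempts, base_delay, max_delay, clock)
    guesses = 0
    while clock() < 86400:
        status, wait = policy.attempt("victim", lambda: False)
        if status == "throttled":
            clock.sleep(wait)
        else:
            guesses += 1
    return guesses


def lockout_denies_victim():
    """Three wrong guesses by a stranger lock the real user out."""
    policy = HardLockout(max_failures=3)
    for _ in range(3):
        policy.attempt("victim", lambda: False)
    return policy.attempt("victim", lambda: True)  # "locked"


def backoff_still_admits_victim(attacker_attempts=10):
    """Same flood against the back-off policy: the user waits out the
    current window and then gets in with the correct password."""
    clock = FakeClock()
    policy = BackoffThrottle(clock=clock)
    for _ in range(attacker_attempts):
        status, wait = policy.attempt("victim", lambda: False)
        if status == "throttled":
            clock.sleep(wait)
    status, wait = policy.attempt("victim", lambda: True)
    if status == "throttled":
        clock.sleep(wait)
        status, _ = policy.attempt("victim", lambda: True)
    return status  # "ok"


if __name__ == "__main__":
    print("on-line guesses per day under back-off:", guesses_per_day())
    print("hard lockout, victim's correct password:", lockout_denies_victim())
    print("back-off, victim's correct password:", backoff_still_admits_victim())
```

With the defaults the simulation lets 38 wrong guesses through per day per account, against which even a modest password is safe, while the real user is never more than an hour away from getting in. Lasse's caveat still stands: none of this helps once the hash has been stolen and the guessing moves off-line.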
 
On 7/07/2019 3:42 am, mpm wrote:
Why is it that web sites will force you to have a minimum 8-character password, which MUST include both upper and lowercase, and at least one special character, with additional limits on character sequences and repetition --- and yet, will block the account after three unsuccessful login attempts?

Is there any proof that these schemes work?
I mean, other than getting people to select something other that "password" or "1234"?

I say that if I have to write it down to remember it -- by definition it is less secure.

(And some of my colleagues wonder why I say "I.T." is the janitorial work of engineering! :)

And then you discover that your carefully constructed long strong
password has been silently truncated to some unknown lesser number of
characters.

Or that the characters it accepts during password creation are different
from the characters it accepts during password entry*.

I've had both of those :(

Sylvia.

[*] Why would anyone program an acceptable character filter for password
entry?
 
Sylvia Else wrote:
On 7/07/2019 3:42 am, mpm wrote:
Why is it that web sites will force you to have a minimum 8-character
password, which MUST include both upper and lowercase, and at least
one special character, with additional limits on character sequences
and repetition --- and yet, will block the account after three
unsuccessful login attempts?

Is there any proof that these schemes work?
I mean, other than getting people to select something other that
"password" or "1234"?

I say that if I have to write it down to remember it -- by definition
it is less secure.

(And some of my colleagues wonder why I say "I.T." is the janitorial
work of engineering!  :)



And then you discover that your carefully constructed long strong
password has been silently truncated to some unknown lesser number of
characters.

Or that the characters it accepts during password creation are different
from the characters it accepts during password entry*.

I've had both of those :(

Sylvia.

[*] Why would anyone program an acceptable character filter for password
entry?
SEE https://www.cryptool.org/en/cto-highlights/passwordmeter
 
On 20/07/19 03:48, Sylvia Else wrote:
And then you discover that your carefully constructed long strong password has
been silently truncated to some unknown lesser number of characters.

Or that the characters it accepts during password creation are different from
the characters it accepts during password entry*.

I've had both of those :(

Sylvia.

[*] Why would anyone program an acceptable character filter for password entry?

I've had similar problems with email addresses.

When communicating with a company, I use aname+companyname@gmail.com
and they all end up in aname's input folder. That provides a filtering
mechanism and also a means of tracking which company has leaked/sold
my email address.

The problems arise when different parts of the company's systems
do/don't allow the "+" in the address.
 
On 20/07/2019 4:05 pm, Robert Baer wrote:
> https://www.cryptool.org/en/cto-highlights/passwordmeter

Mozilla seems iffy - a 40 character random alphanumeric with both upper
and lower case still gets only 90%. But 10 such characters with a - at
the end gets 100%, when the others take a dim view of such a short password.

Sylvia.
 
On Friday, July 19, 2019 at 7:48:36 PM UTC-7, Sylvia Else wrote:


Or that the characters it accepts during password creation are different
from the characters it accepts during password entry*.

[*] Why would anyone program an acceptable character filter for password
entry?

One reason would be to prevent whitespace mistakes; another would
be to limit the character set to ASCII because there's UTF-8 entry problems on
a (for instance) smartphone 'keyboard'.

I've kept a bunch of notes compiled into an e-book, that I replicate
from time to time for the smartphone.

One peeve: apostrophe just does NOT translate from my note-taking app through the
(multiple) OS'es that lie on the file-transfer chain; it becomes a UTF-8
thing in some non-ASCII alphabet. I've fixed it twice, and it's
STILL broken.

<https://eclecticlight.co/2019/06/20/28-years-after-unicode-we-still-cant-handle-accents-pdf-macos-url-chaos/>
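The two failure modes Sylvia hit (silent truncation, and a different character filter at creation than at entry), whit3rd's reasons a site might filter (whitespace slips, UTF-8 entry trouble on phones) and Lasse's off-line guessing point, brought together in one added example that is not code from anyone in the thread. `naive_store` reproduces the broken behaviour on purpose; `set_password`/`verify` share one normalisation step, never truncate, and use a salted, slow hash. The 8-character cut, the NFKC choice and the PBKDF2 iteration count are assumptions of the example.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def naive_store(password):
    """The behaviour from Sylvia's post, reproduced on purpose: silently keep
    only the first 8 characters, drop anything outside printable ASCII, and
    hash with a fast, unsalted digest."""
    kept = "".join(c for c in password if 32 <= ord(c) < 127)[:8]
    return hashlib.sha256(kept.encode("ascii")).hexdigest()


def naive_verify(password, stored):
    """Anything sharing the first 8 printable ASCII characters is accepted."""
    return naive_store(password) == stored


def normalize(password):
    """The single canonical form used at BOTH creation and entry: Unicode NFKC
    (so a character typed composed on one keyboard and decomposed on another
    compares equal), encoded as UTF-8. Nothing is filtered and nothing is
    truncated; whit3rd's whitespace slips are a job for the client's
    'show password' toggle, not for rewriting what the user typed."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def set_password(password):
    """Salted, slow hash: the random salt defeats precomputed tables and the
    iteration count makes off-line guessing against a stolen record costly."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(password), salt, ITERATIONS)
    return salt, digest


def verify(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", normalize(password), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    chosen = "correct horse battery staple"
    print("naive accepts wrong password:",
          naive_verify("correct horse BANANA", naive_store(chosen)))
    record = set_password(chosen)
    print("consistent accepts right:", verify(chosen, record),
          "wrong:", verify("correct horse BANANA", record))
```

The naive path accepts "correct horse BANANA" for a user who chose "correct horse battery staple", because only "correct " survives the cut; the consistent path rejects it, rejects a trailing-space variant, and still accepts "caf\u00e9" whether the é arrives as one code point or as e plus a combining accent. The fix for the "different characters at creation and entry" bug is structural: there is exactly one `normalize`, and both code paths call it.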
 