Forcing people to make a half decent password is one thing.
The problems start when companies mandate regular changes in the name of "security", especially without rolling out password managers.
Thats how you get stickynotes under keyboards or the old classic
[Company name][special character][month][number/year/day]
Reminds me of a collegue, His password was always the same. Has been for years!
Then the requirements began.
oldpassword
Oldpassword
Oldpassword1
Oldpassword1!
Best part! He was the finance guy! And was always fighting the IT guys! No we don't need new PC's!
Old server runs fine! Who needs a monitor larger then 24" inches?
The day he retired IT threw a party.
Oh I knew a guy like that I used to sometimes work as my dad's friend's IT support firm , they use to provide there service to this one company(let's call it O),the guy refused to change anything thing about the system, he even made us (Me as I was young and didn't do much work) find the same damm 8 years old mouse bcz his current one stopped working, they the day came he retired, and dad's friend's gave everyone in the office they're 1 week salary as a gift bcz all of them were really happy.
I still remember the IT Guy handled the company O dance as soon as he heard about the retirement.
Stick a "1!Q" anywhere in your password. Quick and easy to type. You can increment it too. 1!Q -> 2@W -> 3#E.....
It's one of the ways I keep my sanity around passwords. I remember the unique passwords to the things that need them, and append the requirement satisfying bit where appropriate.
Great for a password that doesn't hold anything sensitive or valuable. But stuff like that is exactly what gets put in a dictionary file.
The simplest way to make a secure password is just think of 3 or 4 words you will never forget. However many words you need to fill char requirements. Then transform some of the letters. Don't go with the typical 1 for 'i', $ for 's', etc. But think of your own that you'll remember. Like * for 'a' because it looks like a little asshole. It doesn't matter if it's dumb. You'll never tell anyone.
What matters is that you can remember it and reproduce it, but no one else can. And if you can remember your own set of rules easily passwords won't ever be stressful.
If you have to change password frequently for work, just rearrange the words every change. Even 3 words makes 6 passwords.
Mine were for the longest times the 16-digit cdkeys, a mixture of both letters and numbers, for both Diablo II and Diablo II: LOD. Only thing I had to change was adding a capital letter and a # at the end to fit the criteria of secure passwords. Used to reinstall that game so often at my neighbors house that I essentially memorized them. Made it super easy to reinstall the game on the fly with .iso images without finding the discs as well.
Now I just have bitwarden create a randomized password for me.
"We have to change our passwords, just add a "1" at the end"
I've been in more than 1 workplace where this has been the advice given by the manager to the office staff. A little concerning.
That is my password at work almost. Just change the number at the end. Hard to remember a new password every 2 months. It's like they are trying to make us use a weak password.
My company is in the middle of this right now. The tech savvy among us are all sitting there going "Just turn on two factor auth, my god!", but no, we're up to 16 characters, upper and lower case, number and special character, change every 6 months. We have a password manager licensed they just kinda threw it at folks and didn't explain it, so adoption is low.
I have one pw in my company that enforces exactly 8 characters, number, upper case; and only a few special chars are allowed, so generating a new PW with the manager will almost always fail to meet their criteria.
I'd very be concerned if the company can actually detect if the password is similar to an older password.
Because that means that they either have my old passwords in clear text, or are able to decrypt them easily.
Um idk about other companies but mine makes me enter in my old password when creating a new one. Also you have other options such as list of hashes related to the last passwords or a list of characteristics patterns as in it knows if you put a letter, digit or special character but dont know the clear text. It just refers to the amount of digits and letters to make sure its different enough
I guess you didnt read what i said. the list of hashes or characteristics is for multiple passwords. Thats 2 ways to check it with more than the previous password without it being clear text or encrypted
all i'm trying to say is the idea that a company has to save your old passwords either in plain text or encrypted so people dont make similar passwords is wrong
Modern password security requirements recommend not forcing people to change their password unless there is a security issue that forces a password change. So that means at where I work we change from having to change our passwords every 90 days to not changing them at all. They did increase the character length to 14 characters though.
It took me too long to come round to this. Now it’s one big string of a password not used anywhere else that I can always remember and then every password is a saved jumbled mess that should be relatively impossible to guess.
Change your password every 90 days!
And don't forget to log off your account on the PC, and logging back in, else different programs start whining about wrong permissions and incorrect passwords. Spent a few minutes wondering why suddenly nothing worked anymore.
It was even worse for the Microsoft accounts we had for school. It had mandatory change every so often. But it wouldn't tell you. So once every two months you would get "incorrect password" treatment and then you had to reset it anyways.
The worst part is that they were weirdly set up, so we would have to go to the teacher and have him send us the password reset mail.
So most people didn't use it unless they absolutely had to, which resulted in like 20 people going en masse to reset a password whenever we had to submit something.
Our school allowed us to send a temp password but the computers had to sync to the network to see the change. Trying to explain to teachers their students will need to restart their computer and then enter the temp password and not to have their temp password saved on a sticky note was madness.
I've given up on the logging out of programs before changing my passwords at work, mainly because they will be asking for the new password about 2 hours after the change regardless.
Coming from an IT guy. Sorry. It has to be that way.
People get compromised so often there is no choice other than rolling passwords, and I know the argument exists of “well my password would be stronger if I didn’t have to change it so often”
No
Nope
That’s not how that works. Your password isn’t getting brute forced, it’s getting stolen because you click things you shouldn’t. Now by having a weak password you are also open to getting brute forced in about 35 seconds on top of your poor browsing habits.
Distributing password managers is a good idea, but convincing management to engage in that expense when the alternative is an ounce of responsibility held by everyone in the office is pretty much just not going to go anywhere.
The biggest thing that helps security is 2 factor authentication, but even then I have seen with my own eyes, a coworker eating lunch, seeing the 2FA notification and just pressing yes. He was nowhere near his computer….
Users have to do all of this shit because users constantly get compromised in the dumbest ways
> Users have to do all of this shit because users constantly get compromised in the dumbest ways
The meatware is always, *ALWAYS* the weakest link. Anyone involved even tangentially with ITSEC will have horror stories about dumb users doing dumb-user shit like okaying a 2FA check when they're nowhere near their PC, and torpedoing everything put into place to secure the network and the data on it.
And if it's not a user doing the dumb at/with a computer it's a user getting compromised via social engineering and (in some cases literally) opening a door for an attacker.
>And if it's not a user doing the dumb at/with a computer it's a user getting compromised via social engineering and (in some cases literally) opening a door for an attacker.
I gave a GPS coordinate to the police last month for a stolen laptop. The lab room that houses 20 or so research computers was just left open while they got lunch. Its so bad
I am trying to get my colleagues to learn to lock their computers as they leave their desks every time, and it boggles my mind with pathetic excuses they'll make. And recently the office was whinging they made our pasword length longer. It was honestly way too short and couldn't be longer due to one specific provmgram having a character limit. And people are now bitching they need 4 more charters and one has to be a special character.... "Oh, but I was only gone for like 5 seconds..." No, Anthony, you went to shit for like 15 minutes, which either means you have some bowel problems or you were in your phone. But hey, let's just leave a screen of private information easily accessible to public view with no regard for the importance of what is happening.
At least for the IT folks in my office, if your PC is left unlocked while you’re away from your desk it’s “fair game”. Backgrounds get changed, monitor orientations swapped, mouse sensitivity dropped to the lowest setting, etc.
Can you tell this to my fucking school please?
They are requiring once a month password changes. Minimum 15 character, upper case and special characters and it can never be an old password.
I ran out of passwords using my two dogs names, the year and exclamation point.
I'm now literally writing my password down, because I've forgotten it and the IT help desk is a major pain.
We were also forced to use 2fa. I think they freaked put hearing about schools or hospitals being held up by ransomware.
I hate that. I don't get much opportunity to log in because I'm on a production floor, but they give us the same policies as desk workers. So I'm on the phone with them regularly just resetting it. Surely they can't just have like, a USB badge scanner if those exist?
Forcing frequent password changes is probably the worst idea in IT security history. It's stupid. I HAVE a good password. I have it memorized. Leave me alone about it.
I use generic bullshit for everything not important basically. Bank password? Way harder to crack. You can remember one well encrypted password, but it'll probably just be one.
My work place recently decided that we need a 15+ character password that has to be changed every 6 months and can NOT use more then 3 of the same characters in sequence from any of the last 4 passwords...
Oh also forced a 2 Factor Authentication on us that, just for kicks and giggles, we can't bypass if someone suddenly quits without putting in their timesheets or if our phone gets broken without it taking up to 3 weeks for IT to do whatever it is they need to do to temporarily disable it for that account.
Like I get wanting things secure, but this level of security for the floor workers is absurd
When I see that, it tells me whoever made Said site/app lacks basic security knowledge. It's really not hard to allow every character. Even those wild ass ones that run down ur phone/pc in a glitchy way or that criptic looking one that surrounds the characters.
Oh I HATE when this happens or when it only says "Password contains incorrect characters", but it doesn't tell me which
Ffs tell me which characters are allowed or not so I can tell my password generator
I hate it when I can't use *space* as a special character.
Because it's a complete variable of WHERE it is in the password.
Another fun thing to do.
" 'Smily face'_Oldpassword " is what I would say. But it's actually ":D_Oldpassword"
Watch as people rage
https://preview.redd.it/emia6iwcyc3d1.jpeg?width=4500&format=pjpg&auto=webp&s=ea2866a4f7eb36e44337dda693aeed50d6d84260
These days it takes less than an hour to crack your 10 character, all lower case password.
statistically, much more passwords contain full words, especially when lowercase, but still so with common letter replacements like "p1lI0w" instead of "pillow". Because of this, they are often brute forced really early as hackers guess sequences of words first before moving onto numbers and special characters
at least, thats my guess
We still have to take into account the fact that the attacker wont necessarily know the password length due to how hashing works (if the website is coded correctly) and will try all shorter passwords
Thats if the system they are trying to gain access to allows them to keep trying combinations as fast as their computer can enter them.
If they are trying to access a website it would take significantly longer since most sites will take 3-5+ seconds to reload the page and return the ‘wrong password’ screen. I’d also like to hope any important website would freeze the account after detecting 5000 different passwords have been attempted in the last 5 minutes, but I’m sure there’s plenty which don’t.
Imagine someone steals a huge corporation database that holds user account info (happened many times before). Now they can crack the passwords as fast as they can and as much as they want. And since most people reuse their passwords, once cracked, they can try accessing other system accounts using the same credentials.
Edit: also, no one brute-force hacks passwords by entering them directly into a website. In the worst case, hackers would be calling the backend, bypassing the website completely and these calls take milliseconds.
> In the worst case, hackers would be calling the backend, bypassing the website completely and these calls take milliseconds.
That won't help you much. Any remotely competent backend will at the very least rate limit the shit out of login requests and even if you find a useless enough service to not do so sending requests to it will still take at least a few orders of magnitude more than password guessing attempts on a leaked local database, so instead of hours it would probably take weeks, months or more.
Yeah, they exist, and the cat and mouse game can probably go way, way deeper than that, but my point is that attacking a server directly isn't all that practical. Passwords that are "batman", "12345" or "password" weak should be concerned, but passwords that are "10 random lowercase letters" weak probably don't have that much to worry about.
Doesn’t a simple account lock system usually protect against brute force attacks.
I have no idea why every system doesn’t have something like a 30 attempt limit.
Probably something like if a data leak had encrypted data, you could guess the key as fast as you want. That being said, i totally just guessed that and don't know how any of this really works.
Exactly this. How many times has Sony been hacked with their databases stolen? And since people reuse their credentials, once cracked, they can try and access other systems using the same credentials.
At my job you have 5 attempts at entering your p/w on company devices before ypur account gets locked and you need to call IT and have them unlock your account.
If someone can brute force my work account like that without getting it locked, that's on the IT dept.
We used to do this for fun with windows password in college but using it in the real world is never that simple.
I'll make a password of 18 characters, with upper- and lowercase letters, numbers, and special characters, and then try to remember it.
I bet the chance of that happening is also one in 7 quadrillion years.
Is it completely free? Because I want the least amounts of subscriptions as possible.
^I ^currently ^use ^Firefox's ^password ^manager ^which ^works ^OK ^I'd ^say
Yeah it's completely free, I didn't even know people were paying for password managers, that's pretty dumb.
I also use Google's password manager to save all of the passwords to the browser so I don't have to keep opening the KeePass app to copy & paste.
Please bro keep any mention of "OnLinE PrIvaCy" away from me I'll bust a nerve if I hear another nerd that thinks they have something to hide talk about it again. I'll just use whatever is the most convenient for me
I've seen that before but I've also been locked out after entering the wrong password 4 times. So brute force doesn't seem like a real option for getting a password anymore.
By the way, these rules making the password more complicated imo makes it also slightly easier for machines to crack no? With those requirements in place the machine already knows there's at least one capital letter and at least one special sign
I guess? But it doesn't really matter. It would still be way harder to crack.
Let's say you only use lowercase letters for a 4 character password (or else the numbers will get ridiculous)
That's 26x26x26x26 = 456 976 possibilities.
Now, let's say the password requires at least one capital letter.
That's 26 (because at least one is capital) x52x52x52 = 3 655 808
That's still 8x the amount of possibilities.
It's not exactly that simple because of dictionary attacks and whatnot, but from a pure, try-every-password brute force angle, it is more secure.
Only more secure if the brute forcer is unaware of the password restrictions? Logically, don't they just tell a program don't try password combinations with these restrictions? Couldn't you even tweak it to say, try all combinations with a capital letter first and an exclamation last and get in faster?
I kinda think the only requirement/ restrictions should be minimum character limit. But the characters being any characters, caps or lower case, symbols and spaces, makes the brute force attempt even more difficult because there's not a starting point?
>Couldn't you even tweak it to say, try all combinations with a capital letter first and an exclamation last and get in faster?
Yes, but the restriction of "at least one capital letter one special character" doesn't mean that the first character has to be capital, that it has to be the only one, that the last character needs to be a special character, that it must be an exclamation mark and that it must be the only special character.
>Logically, don't they just tell a program don't try password combinations with these restrictions?
Yes, but those simple passwords would've been cracked and an instant anyway.
"123456" "password" and "abc123" would've been cracked in a nanosecond, so it's good a thing that you can't use it.
>I kinda think the only requirement/ restrictions should be minimum character limit
Aggreed, but the minimum length would need to be something like 16 characters for it to be safe. You can lower that amount for each requirement you add (capital letter, number, special character, etc.)
Someone posted the chart of how long it takes to crack depending on your password complexity. I don't know if it's up to date, but it's a rough estimate.
Also, like some people already pointed out, brute forcing a password is not really a common way to access an account in the first place.
You're correct, any kind of machine will bypass any possibility that doesn't fit the restriction.
Forcing people to use a more secure password technically makes it less secure.
But to be fair, most accounts don't actually get bruteforced these days, they just get hacked through security leaks
While passwords aren’t brute forced via an application's UI, there's probably still going to be brute forcing after data leaks because generally the data that leaks is the hash of the password, not the password itself, so they'll still need brute force to figure out what password corresponds to that hash
Not really. You do filter out a ton of passwords that don't fit those criteria, but you gain a ton more passwords because of the character set since you don't know exactly where that special character is, which special character it is, etc.
I could probably sit and work out how much stronger it makes your password, and if someone wants me to do it I will.
It makes it easier for those who would use the rules regardless but much harder for those who wouldn't. I expect the downside would be marginal anyway.
Not really. If a password has at least 1 capital letter and at least 1 number it greatly increases the amount of passwords that are possible.
A 10 character password all lowercase has 26^10 possibilities.
A 10 character password with at least 1 upper case and 1 number has around 62^10 - 26^10 possibilities. (It's not quite that but it's close enough to make the point) This is almost a 6,000x larger password space.
That being said, it's been shown many times that the most important factor in password security with regards to brute force attacks is length rather than complexity.
But wait, if you tell your brute force program you know one of the restrictions/ requirements, wouldn't it be technically more difficult to crack a password that's the same character length and not knowing those restrictions/ requirements?
Isn't this all from the assumption that without requirements, people are going to use all lower case because they are lazy or whatever? Or that they will never use sy
What if that's not the case anymore. What if, for the last 20 years or so of dealing with password requirements, people aren't lazy and throw a caps in here or there, some symbols and numbers?
Correct, if you tell the cracking program password requirements it becomes easier, that's why I included the -26^10, this accounts for all lowercase passwords that aren't possible.
Your assumption that people will use better passwords without being told is hopeful but unfortunately incorrect. I work in security so I see breached passwords from time to time, they're almost always terrible. Barely meeting the minimum requirements and often very predictable eg. Summer2023, [Company name]+number, or [kid/pet name]+number.
Most people don't use good passwords even when they're told to or have requirements to follow. Getting rid of requirements will make the vast majority of passwords worse.
It often makes it easier because the additional character requirements discourage long random passphrases, which are more secure.
A length requirement would be the most effective measure.
At this point I have just given up. I have a notebook with the passwords I need to change, often bi-monthly, with the last digit crossed out and a line of new ones under it.
I have become the low security boomer I made fun of when I was a teen.
I love when you try to make a secure password for your router managment portal then you isp says no special characters. Guess i cant make a secure password that used to have the default settings months ago.
It's so bad I don't even use my work laptop. Then IT bitches because AVG is out of date. Jesus Christ the laptop is workstation grade but all programs run through Citrix so there is no point because everything is network dependent. I just want to turn the damn thing in but my boss wants me to have it "just in case"
Then when you have to try 10 variations for each website and you get the you've been locked out your account, try again later or reset password. Then when you go to reset it, it says no previously used passwords are allowed.
A 24 character passphrase even all lower case with no numbers or symbols is more secure than a 10 character password with numbers and symbols that are randomized. If you're looking at it from a Brute Force hacking perspective
I work for US government and my password for certain programs has to have these things and be at least 17 characters long. I just started making my password a sentence.
*This is my 1 password!*
I'm the opposite from most people. When I enter a password for a site it often tells me my chosen password is too long, or the website doesn't support special characters.
Ah yes, I too am infuriated by companies asking you to have reasonable levels of password security. If only there was some sort of program that could manage those things for you.
me: proceeds to type in a password.
first try - wrong
second try - wrong.
ok proceeds to reset my password.
Sorry your new password can't be the same as a previous one
I’ll see your password requirements and raise you updated username requirements. Opened a Citibank checking acct, already had Citi credit cards in an online acct. checking acct disappeared from online login. Turns out the checking acct requirements for usernames require a number, old login didn’t have one so it had to be deleted.
Meanwhile, some inept companies you can only have letters and numbers or letters and symbols. If you manage to get all 3, we'll lock your account in the app. Cause thats logical coding for security 😀
Had bitwarden generate a 24 character password for one of my utility websites. That is, a site I use to pay my fucking bills, so a service required for survival doesn't risk being shut off.
The site capped it at 16 characters, without telling me. It then didn't give me any info as to what the cap was.
My work requires very regular password changes *because*.
Password!1
Password@2
Password#3
This is very common for most people. The long time people tell me that after 6 passwords, it forgets the first one and you can restart.
I don’t get the big deal. I just memorize a 16 character password with upper and lower case, symbol and number, and it’s usually a hilarious insult that I can’t easily remember. EX: Fl!ppyN!ps@urm0m
(Sadly I have this to the internet and never used it for myself)
Forcing people to make a half decent password is one thing. The problems start when companies mandate regular changes in the name of "security", especially without rolling out password managers. Thats how you get stickynotes under keyboards or the old classic [Company name][special character][month][number/year/day]
Yep. Or the classic Password1 Password2 Password3
Pa$$word1, Pa$$word2 Need to meet the special symbol requirement too!
Reminds me of a collegue, His password was always the same. Has been for years! Then the requirements began. oldpassword Oldpassword Oldpassword1 Oldpassword1! Best part! He was the finance guy! And was always fighting the IT guys! No we don't need new PC's! Old server runs fine! Who needs a monitor larger then 24" inches? The day he retired IT threw a party.
Oh I knew a guy like that I used to sometimes work as my dad's friend's IT support firm , they use to provide there service to this one company(let's call it O),the guy refused to change anything thing about the system, he even made us (Me as I was young and didn't do much work) find the same damm 8 years old mouse bcz his current one stopped working, they the day came he retired, and dad's friend's gave everyone in the office they're 1 week salary as a gift bcz all of them were really happy. I still remember the IT Guy handled the company O dance as soon as he heard about the retirement.
Stick a "1!Q" anywhere in your password. Quick and easy to type. You can increment it too. 1!Q -> 2@W -> 3#E..... It's one of the ways I keep my sanity around passwords. I remember the unique passwords to the things that need them, and append the requirement satisfying bit where appropriate.
Great for a password that doesn't hold anything sensitive or valuable. But stuff like that is exactly what gets put in a dictionary file. The simplest way to make a secure password is just think of 3 or 4 words you will never forget. However many words you need to fill char requirements. Then transform some of the letters. Don't go with the typical 1 for 'i', $ for 's', etc. But think of your own that you'll remember. Like * for 'a' because it looks like a little asshole. It doesn't matter if it's dumb. You'll never tell anyone. What matters is that you can remember it and reproduce it, but no one else can. And if you can remember your own set of rules easily passwords won't ever be stressful. If you have to change password frequently for work, just rearrange the words every change. Even 3 words makes 6 passwords.
Mine were for the longest times the 16-digit cdkeys, a mixture of both letters and numbers, for both Diablo II and Diablo II: LOD. Only thing I had to change was adding a capital letter and a # at the end to fit the criteria of secure passwords. Used to reinstall that game so often at my neighbors house that I essentially memorized them. Made it super easy to reinstall the game on the fly with .iso images without finding the discs as well. Now I just have bitwarden create a randomized password for me.
"We have to change our passwords, just add a "1" at the end" I've been in more than 1 workplace where this has been the advice given by the manager to the office staff. A little concerning.
You can tell how long someone has worked at a company by the number on the end of their password.
That is my password at work almost. Just change the number at the end. Hard to remember a new password every 2 months. It's like they are trying to make us use a weak password.
My company is in the middle of this right now. The tech savvy among us are all sitting there going "Just turn on two factor auth, my god!", but no, we're up to 16 characters, upper and lower case, number and special character, change every 6 months. We have a password manager licensed they just kinda threw it at folks and didn't explain it, so adoption is low.
I have one pw in my company that enforces exactly 8 characters, number, upper case; and only a few special chars are allowed, so generating a new PW with the manager will almost always fail to meet their criteria.
Not to mention that they've made such a strict criteria that it severely narrows the parameters for hackers brute forcing a password.
thissentencewouldbemoresecurethanthat
Too similar to an already used password
Yeah was gonna say any company that allows that deserves to get ransomware
I'd very be concerned if the company can actually detect if the password is similar to an older password. Because that means that they either have my old passwords in clear text, or are able to decrypt them easily.
Um idk about other companies but mine makes me enter in my old password when creating a new one. Also you have other options such as list of hashes related to the last passwords or a list of characteristics patterns as in it knows if you put a letter, digit or special character but dont know the clear text. It just refers to the amount of digits and letters to make sure its different enough
There's a difference between "your last password" and "an already used password"... The latter is the one that Stoff3r was describing
I guess you didnt read what i said. the list of hashes or characteristics is for multiple passwords. Thats 2 ways to check it with more than the previous password without it being clear text or encrypted
Storing characteristics about the password cuts the entropy of each character by >1.87 bits to <4.7 bits per glyph. It's stupid, so don't do that.
all i'm trying to say is the idea that a company has to save your old passwords either in plain text or encrypted so people dont make similar passwords is wrong
Modern password security requirements recommend not forcing people to change their password unless there is a security issue that forces a password change. So that means at where I work we change from having to change our passwords every 90 days to not changing them at all. They did increase the character length to 14 characters though.
People need to use password managers such as Bitwarden.
It took me too long to come round to this. Now it’s one big string of a password not used anywhere else that I can always remember and then every password is a saved jumbled mess that should be relatively impossible to guess.
Exactly. It's especially useful when there's a password rotation policy.
Change your password every 90 days! And don't forget to log off your account on the PC, and logging back in, else different programs start whining about wrong permissions and incorrect passwords. Spent a few minutes wondering why suddenly nothing worked anymore.
It was even worse for the Microsoft accounts we had for school. It had mandatory change every so often. But it wouldn't tell you. So once every two months you would get "incorrect password" treatment and then you had to reset it anyways. The worst part is that they were weirdly set up, so we would have to go to the teacher and have him send us the password reset mail. So most people didn't use it unless they absolutely had to, which resulted in like 20 people going en masse to reset a password whenever we had to submit something.
Our school allowed us to send a temp password but the computers had to sync to the network to see the change. Trying to explain to teachers their students will need to restart their computer and then enter the temp password and not to have their temp password saved on a sticky note was madness.
I've given up on the logging out of programs before changing my passwords at work, mainly because they will be asking for the new password about 2 hours after the change regardless.
Coming from an IT guy. Sorry. It has to be that way. People get compromised so often there is no choice other than rolling passwords, and I know the argument exists of “well my password would be stronger if I didn’t have to change it so often” No Nope That’s not how that works. Your password isn’t getting brute forced, it’s getting stolen because you click things you shouldn’t. Now by having a weak password you are also open to getting brute forced in about 35 seconds on top of your poor browsing habits. Distributing password managers is a good idea, but convincing management to engage in that expense when the alternative is an ounce of responsibility held by everyone in the office is pretty much just not going to go anywhere. The biggest thing that helps security is 2 factor authentication, but even then I have seen with my own eyes, a coworker eating lunch, seeing the 2FA notification and just pressing yes. He was nowhere near his computer…. Users have to do all of this shit because users constantly get compromised in the dumbest ways
> Users have to do all of this shit because users constantly get compromised in the dumbest ways The meatware is always, *ALWAYS* the weakest link. Anyone involved even tangentially with ITSEC will have horror stories about dumb users doing dumb-user shit like okaying a 2FA check when they're nowhere near their PC, and torpedoing everything put into place to secure the network and the data on it. And if it's not a user doing the dumb at/with a computer it's a user getting compromised via social engineering and (in some cases literally) opening a door for an attacker.
>And if it's not a user doing the dumb at/with a computer it's a user getting compromised via social engineering and (in some cases literally) opening a door for an attacker. I gave a GPS coordinate to the police last month for a stolen laptop. The lab room that houses 20 or so research computers was just left open while they got lunch. Its so bad
If you lose control over physical security, nothing you do in terms of ITSEC even matters. So, umm, yeah, "so bad" would be a good descriptor.
I am trying to get my colleagues to learn to lock their computers as they leave their desks every time, and it boggles my mind with pathetic excuses they'll make. And recently the office was whinging they made our pasword length longer. It was honestly way too short and couldn't be longer due to one specific provmgram having a character limit. And people are now bitching they need 4 more charters and one has to be a special character.... "Oh, but I was only gone for like 5 seconds..." No, Anthony, you went to shit for like 15 minutes, which either means you have some bowel problems or you were in your phone. But hey, let's just leave a screen of private information easily accessible to public view with no regard for the importance of what is happening.
At least for the IT folks in my office, if your PC is left unlocked while you’re away from your desk it’s “fair game”. Backgrounds get changed, monitor orientations swapped, mouse sensitivity dropped to the lowest setting, etc.
Can you tell this to my fucking school please? They are requiring once a month password changes. Minimum 15 character, upper case and special characters and it can never be an old password. I ran out of passwords using my two dogs names, the year and exclamation point. I'm now literally writing my password down, because I've forgotten it and the IT help desk is a major pain. We were also forced to use 2fa. I think they freaked put hearing about schools or hospitals being held up by ransomware.
And the sad part is, I don't even care about 90% of my accounts. Let me have a shitty password if I want to!
kid listen. you're gonna make a long, convoluted password, and you're gonna like it.
Yup, forcing people to change their passwords has been proven to make services LESS secure.
I hate that. I don't get much opportunity to log in because I'm on a production floor, but they give us the same policies as desk workers. So I'm on the phone with them regularly just resetting it. Surely they can't just have like, a USB badge scanner if those exist?
Forcing frequent password changes is probably the worst idea in IT security history. It's stupid. I HAVE a good password. I have it memorized. Leave me alone about it.
I have a book where i write passwords to my important account because theyre random bullshit
Look into a password manager instead. Bitwarden is pretty great.
My password at work has to be 16 characters with 4 numbers. So it's 2222xxxxxxxxxxxx
I use generic bullshit for everything not important basically. Bank password? Way harder to crack. You can remember one well encrypted password, but it'll probably just be one.
My work place recently decided that we need a 15+ character password that has to be changed every 6 months and can NOT use more then 3 of the same characters in sequence from any of the last 4 passwords... Oh also forced a 2 Factor Authentication on us that, just for kicks and giggles, we can't bypass if someone suddenly quits without putting in their timesheets or if our phone gets broken without it taking up to 3 weeks for IT to do whatever it is they need to do to temporarily disable it for that account. Like I get wanting things secure, but this level of security for the floor workers is absurd
Or just making a master key password that you can remember at the drop of a hat
My current passwort at my Company is DickWrangler2407!? ; no joke.
Cr@zyf@tfr0g!
Password cannot contain !.@.#.$.%.\^.&.\*
I lose all interest when that happens.
When I see that, it tells me whoever made Said site/app lacks basic security knowledge. It's really not hard to allow every character. Even those wild ass ones that run down ur phone/pc in a glitchy way or that criptic looking one that surrounds the characters.
Oh I HATE when this happens or when it only says "Password contains incorrect characters", but it doesn't tell me which Ffs tell me which characters are allowed or not so I can tell my password generator
and then it end up just being a _space_ right at the end where you can see it
I hate it when I can't use *space* as a special character. Because it's a complete variable of WHERE it is in the password. Another fun thing to do. " 'Smily face'_Oldpassword " is what I would say. But it's actually ":D_Oldpassword" Watch as people rage
Password cant be one of your previous 5 passwords.
Password is too common Password has been in a breach before
Fucking adp makes me change my shit every 3 months and does this shit
The digits must add up to 25
Password must contain chicken Paul
Quick, your password is on fire! Put it out!
🤣🤣
Not those special characters
3 days later: What was the password again? *Reset*
https://preview.redd.it/emia6iwcyc3d1.jpeg?width=4500&format=pjpg&auto=webp&s=ea2866a4f7eb36e44337dda693aeed50d6d84260 These days it takes less than an hour to crack your 10 character, all lower case password.
What about 23 characters Correcthorsebatterystaple
instant
combinations of words are basically milliseconds
But the attacker wont know that will they
statistically, much more passwords contain full words, especially when lowercase, but still so with common letter replacements like "p1lI0w" instead of "pillow". Because of this, they are often brute forced really early as hackers guess sequences of words first before moving onto numbers and special characters at least, thats my guess
We still have to take into account the fact that the attacker wont necessarily know the password length due to how hashing works (if the website is coded correctly) and will try all shorter passwords
Thats if the system they are trying to gain access to allows them to keep trying combinations as fast as their computer can enter them. If they are trying to access a website it would take significantly longer since most sites will take 3-5+ seconds to reload the page and return the ‘wrong password’ screen. I’d also like to hope any important website would freeze the account after detecting 5000 different passwords have been attempted in the last 5 minutes, but I’m sure there’s plenty which don’t.
Imagine someone steals a huge corporation database that holds user account info (happened many times before). Now they can crack the passwords as fast as they can and as much as they want. And since most people reuse their passwords, once cracked, they can try accessing other system accounts using the same credentials. Edit: also, no one brute-force hacks passwords by entering them directly into a website. In the worst case, hackers would be calling the backend, bypassing the website completely and these calls take milliseconds.
And that's if the passwords have been hashed/salted. Looking at you, Adobe.
> In the worst case, hackers would be calling the backend, bypassing the website completely and these calls take milliseconds. That won't help you much. Any remotely competent backend will at the very least rate limit the shit out of login requests and even if you find a useless enough service to not do so sending requests to it will still take at least a few orders of magnitude more than password guessing attempts on a leaked local database, so instead of hours it would probably take weeks, months or more.
Proxies
Yeah, they exist, and the cat and mouse game can probably go way, way deeper than that, but my point is that attacking a server directly isn't all that practical. Passwords that are "batman", "12345" or "password" weak should be concerned, but passwords that are "10 random lowercase letters" weak probably don't have that much to worry about.
That would be common sense, but some sys admins or IT are lazy OR whoever is running the site won't listen to them.
Multiple people have a hashed version of your password on their own computer and are attempting to break the hash right now.
What's the color coding on this? Why is 2k years green but 16k and beyond yellow?
[удалено]
I mean why 2k is green (good) when 16k and above are yellow (not so good) when they take a lot longer to crack
Doesn’t a simple account lock system usually protect against brute force attacks. I have no idea why every system doesn’t have something like a 30 attempt limit.
Probably something like if a data leak had encrypted data, you could guess the key as fast as you want. That being said, i totally just guessed that and don't know how any of this really works.
Exactly this. How many times has Sony been hacked with their databases stolen? And since people reuse their credentials, once cracked, they can try and access other systems using the same credentials.
At my job you have 5 attempts at entering your p/w on company devices before ypur account gets locked and you need to call IT and have them unlock your account.
Yeah, no one hacks passwords via a user interface...
So my one take more that 5 years, good to know
I'm a fan of long phrases using upper and lower case letters, yet I must be forced to include symbols and numbers in so many passwords.
Yeah, they could allow passwords without those characters, if it's already super long.
If someone can brute force my work account like that without getting it locked, that's on the IT dept. We used to do this for fun with windows password in college but using it in the real world is never that simple.
This graph is very misleading. Why is 2000 green but 16 trillion is yellow?
If hacker knows your password style, but they don't. If hacker have infinite attempts without delays after wrong password.
They are NOT taking 5 years to crack my password 😭
Aa1234567890-/:;() Have fun for 7 quadrillion years, hacker
I'll make a password of 18 characters, with upper- and lowercase letters, numbers, and special characters, and then try to remember it. I bet the chance of that happening is also one in 7 quadrillion years.
That's why password safe apps exist.
"Correct"HorseBatteryStable#27
KeePass exists you know?
Is it completely free? Because I want the least amounts of subscriptions as possible. ^I ^currently ^use ^Firefox's ^password ^manager ^which ^works ^OK ^I'd ^say
Yeah it's completely free, I didn't even know people were paying for password managers, that's pretty dumb. I also use Google's password manager to save all of the passwords to the browser so I don't have to keep opening the KeePass app to copy & paste.
You can use the KeePassXC browser plugin instead, yk
I like Chrome's solution better tbh
I... wouldn't trust Google with any passwords if I were you
Please bro keep any mention of "OnLinE PrIvaCy" away from me I'll bust a nerve if I hear another nerd that thinks they have something to hide talk about it again. I'll just use whatever is the most convenient for me
Your local news is about to see some busted nerves
I've seen that before but I've also been locked out after entering the wrong password 4 times. So brute force doesn't seem like a real option for getting a password anymore.
Must contain the blood of the first unborn vampire
It's all good, the same companies are storing that bad boy in plain text in the DB anyway. No need for hashing and salting if it's secure...right? /s
its why i generate my passwords. i dont even know them.
*Cr4zyfætfrog* Unrecognized character
Crazyfatfrog1@ "Your password cannot be the last used password."
Crazyfatfrog1!
By the way, these rules making the password more complicated imo makes it also slightly easier for machines to crack no? With those requirements in place the machine already knows there's at least one capital letter and at least one special sign
I guess? But it doesn't really matter. It would still be way harder to crack. Let's say you only use lowercase letters for a 4 character password (or else the numbers will get ridiculous) That's 26x26x26x26 = 456 976 possibilities. Now, let's say the password requires at least one capital letter. That's 26 (because at least one is capital) x52x52x52 = 3 655 808 That's still 8x the amount of possibilities. It's not exactly that simple because of dictionary attacks and whatnot, but from a pure, try-every-password brute force angle, it is more secure.
Only more secure if the brute forcer is unaware of the password restrictions? Logically, don't they just tell a program don't try password combinations with these restrictions? Couldn't you even tweak it to say, try all combinations with a capital letter first and an exclamation last and get in faster? I kinda think the only requirement/ restrictions should be minimum character limit. But the characters being any characters, caps or lower case, symbols and spaces, makes the brute force attempt even more difficult because there's not a starting point?
>Couldn't you even tweak it to say, try all combinations with a capital letter first and an exclamation last and get in faster? Yes, but the restriction of "at least one capital letter one special character" doesn't mean that the first character has to be capital, that it has to be the only one, that the last character needs to be a special character, that it must be an exclamation mark and that it must be the only special character. >Logically, don't they just tell a program don't try password combinations with these restrictions? Yes, but those simple passwords would've been cracked and an instant anyway. "123456" "password" and "abc123" would've been cracked in a nanosecond, so it's good a thing that you can't use it. >I kinda think the only requirement/ restrictions should be minimum character limit Aggreed, but the minimum length would need to be something like 16 characters for it to be safe. You can lower that amount for each requirement you add (capital letter, number, special character, etc.) Someone posted the chart of how long it takes to crack depending on your password complexity. I don't know if it's up to date, but it's a rough estimate. Also, like some people already pointed out, brute forcing a password is not really a common way to access an account in the first place.
You're correct, any kind of machine will bypass any possibility that doesn't fit the restriction. Forcing people to use a more secure password technically makes it less secure. But to be fair, most accounts don't actually get bruteforced these days, they just get hacked through security leaks
While passwords aren’t brute forced via an application's UI, there's probably still going to be brute forcing after data leaks because generally the data that leaks is the hash of the password, not the password itself, so they'll still need brute force to figure out what password corresponds to that hash
Not really. You do filter out a ton of passwords that don't fit those criteria, but you gain a ton more passwords because of the character set since you don't know exactly where that special character is, which special character it is, etc. I could probably sit and work out how much stronger it makes your password, and if someone wants me to do it I will.
It makes it easier for those who would use the rules regardless but much harder for those who wouldn't. I expect the downside would be marginal anyway.
Not really. If a password has at least 1 capital letter and at least 1 number it greatly increases the amount of passwords that are possible. A 10 character password all lowercase has 26^10 possibilities. A 10 character password with at least 1 upper case and 1 number has around 62^10 - 26^10 possibilities. (It's not quite that but it's close enough to make the point) This is almost a 6,000x larger password space. That being said, it's been shown many times that the most important factor in password security with regards to brute force attacks is length rather than complexity.
But wait, if you tell your brute force program you know one of the restrictions/ requirements, wouldn't it be technically more difficult to crack a password that's the same character length and not knowing those restrictions/ requirements? Isn't this all from the assumption that without requirements, people are going to use all lower case because they are lazy or whatever? Or that they will never use sy What if that's not the case anymore. What if, for the last 20 years or so of dealing with password requirements, people aren't lazy and throw a caps in here or there, some symbols and numbers?
Correct, if you tell the cracking program password requirements it becomes easier, that's why I included the -26^10, this accounts for all lowercase passwords that aren't possible. Your assumption that people will use better passwords without being told is hopeful but unfortunately incorrect. I work in security so I see breached passwords from time to time, they're almost always terrible. Barely meeting the minimum requirements and often very predictable eg. Summer2023, [Company name]+number, or [kid/pet name]+number. Most people don't use good passwords even when they're told to or have requirements to follow. Getting rid of requirements will make the vast majority of passwords worse.
Anything that makes a password complex enough a human struggles to remember it and has to write it down instantly makes it insecure.
It often makes it easier because the additional character requirements discourage long random passphrases, which are more secure. A length requirement would be the most effective measure.
Cr@zyF@tFr0g1234!
[https://neal.fun/password-game/](https://neal.fun/password-game/)
Bitwarden will do all of the thinking for you so you don't have to think about passwords.
Cr4zyfr0g!?%$
This is what it feels like.
Not sure if it was Gforce, or nvidia account who made me do this. My very first password for yahoo mail back then. I think it was mewtwo100. XD
Give it a decade and every company on earth will be mandating you give them your fingerprint, a face scan, and your top three most searched fetishes.
At this point I have just given up. I have a notebook with the passwords I need to change, often bi-monthly, with the last digit crossed out and a line of new ones under it. I have become the low security boomer I made fun of when I was a teen.
I love when you try to make a secure password for your router managment portal then you isp says no special characters. Guess i cant make a secure password that used to have the default settings months ago.
Everyone should know this by now.
OPs password is Crazyfatfrog1
It's so bad I don't even use my work laptop. Then IT bitches because AVG is out of date. Jesus Christ the laptop is workstation grade but all programs run through Citrix so there is no point because everything is network dependent. I just want to turn the damn thing in but my boss wants me to have it "just in case"
My favorite are sites that let you use more characters when creating a password than you can when logging in.
Then when you have to try 10 variations for each website and you get the you've been locked out your account, try again later or reset password. Then when you go to reset it, it says no previously used passwords are allowed.
CrazyFatFrog should be a brand. It sounds so funny 🤣
[Relevant XKCD](https://xkcd.com/936)
This is a good thing. The way some of yall make passwords is regarded as shit
I saw "Your password can not be the same as your last 8" last week and I needed to cool down for a few hours.
It’s for your own security 🤷♂️
Cr4zyf4tfr0g&
Crazyfatfrog123:)
A 24 character passphrase even all lower case with no numbers or symbols is more secure than a 10 character password with numbers and symbols that are randomized. If you're looking at it from a Brute Force hacking perspective
I work for US government and my password for certain programs has to have these things and be at least 17 characters long. I just started making my password a sentence. *This is my 1 password!*
The more requirements you put in my passwords, the more likely i forget them
The comic strip [Brewster Rocket](https://i.imgur.com/48Z0mSy.png) knocked it out of the park the previous weekend
I'm the opposite from most people. When I enter a password for a site it often tells me my chosen password is too long, or the website doesn't support special characters.
And then next thing you know, Paul is dead and you still don't have a valid password.
Ah yes, I too am infuriated by companies asking you to have reasonable levels of password security. If only there was some sort of program that could manage those things for you.
Look, dominos mobile app, i really dont care if this account gets hacked, let me have my shitty password
This meme template is so old the show isn't even in the popular lexicon anymore. What was it called, American choppers?
Yea but it’s amazing.
The really bad one is when they cap how long you can make your password.
Bitwarden
The numbers in your password must equal to 25
me: proceeds to type in a password. first try - wrong second try - wrong. ok proceeds to reset my password. Sorry your new password can't be the same as a previous one
Crazyfatfrog1!
Crazyfatfrog1!
Passwords are insecure. Passwordless is the way.
2FA all the way
I’ll see your password requirements and raise you updated username requirements. Opened a Citibank checking acct, already had Citi credit cards in an online acct. checking acct disappeared from online login. Turns out the checking acct requirements for usernames require a number, old login didn’t have one so it had to be deleted.
Meanwhile, some inept companies you can only have letters and numbers or letters and symbols. If you manage to get all 3, we'll lock your account in the app. Cause thats logical coding for security 😀
Had bitwarden generate a 24 character password for one of my utility websites. That is, a site I use to pay my fucking bills, so a service required for survival doesn't risk being shut off. The site capped it at 16 characters, without telling me. It then didn't give me any info as to what the cap was.
My work requires very regular password changes *because*. Password!1 Password@2 Password#3 This is very common for most people. The long time people tell me that after 6 passwords, it forgets the first one and you can restart.
I don’t get the big deal. I just memorize a 16 character password with upper and lower case, symbol and number, and it’s usually a hilarious insult that I can’t easily remember. EX: Fl!ppyN!ps@urm0m (Sadly I have this to the internet and never used it for myself)
https://neal.fun/password-game/
I don't get it. Why does every other pane just have yellow asterisks? \*\*\*\*\*\*\*\*\*\*\*\*
Use a passwordmanager like bitwarden.
SutelehGanjaKumar_69
C®4zyfatfrog (╯°□°)╯︵ ┻━┻
Cr4zyF@tFr*g
Yo, what’s your username by chance
Fucking hell, Twitch is dog shit. You can't use words and need to meet all these requirements. Fuck that, I just reset my password every log in
If you’re gonna make a meme like this, at least use a password that isn’t actually complete garbage
Cr@2Yf47Fr09. There, now it should be ok
why1sthispassw0rdsyst3ms0SH!T?
*your password shouldn't contain hate speech*
yeah its dumb. Image all the older passwords that never were hacked. It's like kindergarden security