New password management
General web password for sites you don't give a rat's ass about.
Specific passwords for shit you do care about. A passphrase with vowels replaced by numerals.
Banking/financial password, one that given a week's access to your house and paperwork can never be sussed out. 14 character minimum, no passphrase, upper case, lower case, special characters, lots.
Any opinions expressed by me are mine alone, posted from my home computer, on my own time as a free American and do not reflect the opinions of any person or company that I have had professional relations with in the past 59 years. meep
New Chase doesn't allow special characters.
YAN to hate them.
New Too many sites do passwords wrong.
A website that uses passwords should do nothing to a supplied password other than hash it, unaltered. What you're given is what you're given and no characters should be forbidden. If someone wants to include a space, a left-brace, an acute-a, a copyright symbol and the Chinese character for water, it should work.

Obviously you should have strength checks to help stop users being idiots, but even a length check should be very very generous. 256 characters is a hideously long password, but not so long as to be problematic to hash.

Wade.
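
The handling described in the post above, sketched as an added example (not part of the original post and not any site's actual code): the password is only UTF-8 encoded and hashed, with a 256-character ceiling. PBKDF2 and its iteration count are assumptions chosen for portability, and `mangle` is a hypothetical anti-pattern included to show how altering input collapses distinct passwords.

```python
import hashlib
import hmac
import os

MAX_CHARS = 256        # generous ceiling from the post, counted in characters
ITERATIONS = 600_000   # PBKDF2 work factor: an assumption, tune for your hardware
SALT_LEN = 16


def _derive(password: str, salt: bytes) -> bytes:
    # The only transformation is UTF-8 encoding: no trimming, no case
    # folding, no character filtering, no truncation.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def hash_password(password: str) -> bytes:
    """Return salt || PBKDF2 digest for storage."""
    if not password or len(password) > MAX_CHARS:
        raise ValueError("password must be 1..%d characters" % MAX_CHARS)
    salt = os.urandom(SALT_LEN)
    return salt + _derive(password, salt)


def verify_password(password: str, stored: bytes) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    if not password or len(password) > MAX_CHARS:
        return False
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    return hmac.compare_digest(_derive(password, salt), expected)


def mangle(password: str) -> str:
    """Anti-pattern (hypothetical): strip non-alphanumerics, lowercase, cut to 8."""
    kept = "".join(ch for ch in password if ch.isascii() and ch.isalnum())
    return kept.lower()[:8]


# Constructed sample: space, left brace, acute a, copyright sign, Chinese "water".
SAMPLE = "Tr { \u00e1 \u00a9 \u6c34 x"
```

With `mangle` in front of the hash, `SAMPLE` and the three-letter string `trx` would be the same password; hashed unaltered, even a trailing space or a case change is a different one.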
New Number substitution isn't recommended any more.
http://optimwise.com/passwords-with-simple-character-substitution-are-weak/

From 2010:

A common piece of password advice is to substitute characters, such as numbers or special characters, for letters. For example, password becomes p@$$w0rd. These are sometimes called “leetspeak” passwords, because “elite” hackers originally used such character substitutions.

Unfortunately, leetspeak passwords are far from secure. For years, password cracking applications have been able to recognize most character substitutions, decipher the underlying word, and crack the password.

Here are a few excerpts about how leetspeak and character substitution passwords are weak. Links to the source pages follow each excerpt:

[...]


Something I've never understood:

I thought sensible places locked one out after N (often N=3) attempts at entering a password. If that is the case, what difference does it make how complex the password is? Don't dictionary attacks only work if the hacker gets an infinite number of attempts?

NIST's Guide to Enterprise Password Management (38 page .pdf) mentions preventing infinite guessing, but doesn't explain why that isn't good enough.

The problem with complex passwords that are unique to each site (and expire periodically) is that they're very difficult to remember so users write them down somewhere (phone, wallet, post-it notes on monitors, etc.) which compromises security worse than if passwords were simple and trivial to remember.

Cheers,
Scott.
(Who expects face/finger/iris recognition (maybe with a 4 digit PIN) will eventually make all of this obsolete).
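
A strength check in the spirit of the excerpt quoted above, as an added example that is not part of the original post: it undoes common character substitutions before comparing a candidate password against a word list, so a site can reject `p@$$w0rd` at signup. The word list, the substitution table and the function names are constructed for illustration.

```python
import itertools
from typing import Optional

# Constructed mini word list; a real check would load a large common-password list.
COMMON_WORDS = {"password", "letmein", "dragon", "monkey", "qwerty"}

# Substitution table (assumption). Ambiguous symbols list every letter they may stand for.
LEET = {"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
        "3": "e", "7": "t", "1": "li", "!": "il", "|": "li"}

TRAILING = "0123456789!?.#*_-"   # decoration commonly appended to a base word
MAX_VARIANTS = 4096              # bound the expansion of ambiguous symbols


def normalized_variants(text: str) -> set:
    """Return every plain-letter reading of text under the LEET table."""
    options = [LEET.get(ch, ch) for ch in text.lower()]
    total = 1
    for opt in options:
        total *= len(opt)
    if total > MAX_VARIANTS:
        # Too many ambiguous symbols: fall back to the first reading of each.
        options = [opt[0] for opt in options]
    return {"".join(combo) for combo in itertools.product(*options)}


def matched_common_word(candidate: str) -> Optional[str]:
    """Return the common word a candidate reduces to, or None if none matches."""
    forms = {candidate, candidate.lower().rstrip(TRAILING)}
    for form in forms:
        for variant in normalized_variants(form):
            if variant in COMMON_WORDS:
                return variant
    return None
```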
New I like writing down
I always keep pieces of paper in my wallet that I want to keep safe. It's called "money".
--

Drew
New so you go in person to pay all your bills? Nice to have that much free time
New Not the point
People say keeping passwords written down is insecure. I've learned to secure my wallet because I know it has valuable contents. If my wallet is stolen I count on having to deactivate all my credit cards anyway.
--

Drew
New Having my wallet messed with in middle school taught me that it's not good to depend on it...
But I get your point.

I know someone who has passwords on his electronic PDA on his phone. ;-)

Cheers,
Scott.
New not necessarily
users write them down somewhere (phone, wallet, post-it notes on monitors, etc.) which compromises security worse than if passwords were simple and trivial to remember.

Not necessarily. My written passwords are physically remote from my computers. Anyone has access to both, then I'm already in big trouble.

cordially,
New Re your last line: yes, that
--

Drew