 

[Closed] That Barclays digital eagles scam ad

Posts: 0
Free Member
 

[quote=fifeandy ]Edit: And what sort of nutter walks about with an image of a talking horse and a battery with a staple in it in their head?!

The sort of nutter who doesn't get their online accounts hacked (if we ignore the flaw jimw points out - in reality it's nutters with an image of a talking candle and a flower with a sheep in it who don't get hacked).

What really bugs me about online passwords are those sites which insist on certain features in your password. I'm guessing that at least 99% of passwords on sites which require a capital letter simply have the first letter capitalised.


 
Posted : 24/07/2017 3:18 pm
Posts: 11605
Free Member
 

Dictionary attack isn't exactly difficult.

I'm against the systems that prevent you using your last 10 variations. Kinda obvious how that one is going to play out.


 
Posted : 24/07/2017 7:13 pm
Posts: 0
Free Member
 

[quote=squirrelking ]Dictionary attack isn't exactly difficult.

What's that a reply to?

I'm against the systems that prevent you using your last 10 variations. Kinda obvious how that one is going to play out.

in combination with mandated numerics?


 
Posted : 24/07/2017 8:15 pm
Posts: 0
Full Member
 

Someone has tried scamming me today.

I received a text that said it was from Barclays; you know how it comes up with the name before you open it, that part said Barclays.

It read " did you make a payment of 1100.00 GBP - DateAGuy.com If no, please call immediately on 0843 289 8403 for a refund "

Needless to say, I rang the number out of curiosity and it answered " welcome to customer service " so I put it down.

Barclays fraud said it's quite common to receive texts like this. The fraudsters hope you will call them, then they put you through various questions to get your details.


 
Posted : 24/07/2017 8:23 pm
Posts: 66105
Full Member
 

squirrelking - Member

I'm against the systems that prevent you using your last 10 variations. Kinda obvious how that one is going to play out.

Something I use- maybe paypal?- tells you if you enter an old password. Being a normal person, some of my other password protected things still use the same password as I used to use on ebay. So if someone's trying to guess my password it's just said "ah hah, that's a password this dude uses, just not for me!". Seems odd


 
Posted : 24/07/2017 8:29 pm
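Added example, not part of the thread or any poster's code: a Python illustration of the behaviour described in the post above (a login that says when a guess is an old password) beside a login that answers identically for every wrong guess, with the "last 10" history check moved to the password-change step. The `Account` class, its method names, the response strings and the sample passwords are assumptions constructed for illustration.

```python
import hashlib
import hmac
import os

HISTORY_DEPTH = 10  # "last 10", as mentioned in the thread


def _hash(password: str, salt: bytes) -> bytes:
    # Salted, slow hash so stored history entries are not reusable elsewhere.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Account:
    """Hypothetical account store; the newest history entry is the current password."""

    def __init__(self, password: str):
        self.history = []  # list of (salt, digest), oldest first
        self._store(password)

    def _store(self, password: str) -> None:
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY_DEPTH:]

    def _matches(self, password: str, entry) -> bool:
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def login_leaky(self, password: str) -> str:
        # Behaviour described in the post: an unauthenticated guesser learns
        # that the guess is a password this user really has used.
        if self._matches(password, self.history[-1]):
            return "ok"
        if any(self._matches(password, e) for e in self.history[:-1]):
            return "that is an old password"
        return "wrong password"

    def login(self, password: str) -> str:
        # Uniform answer: only the current password is checked, and every
        # failure gets the same response.
        return "ok" if self._matches(password, self.history[-1]) else "wrong password"

    def change_password(self, current: str, new: str) -> str:
        # History is consulted only after the caller proves knowledge of the
        # current password, so the reuse message goes to the account owner.
        if not self._matches(current, self.history[-1]):
            return "wrong password"
        if any(self._matches(new, e) for e in self.history):
            return "recently used, choose another"
        self._store(new)
        return "changed"
```
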
Posts: 1308
Free Member
 

Can't be that crap..... someone is talking about it!

It must be crap - I can't even remember which bank it was advertising.

That might be more about your memory than the advert?


 
Posted : 24/07/2017 8:41 pm
Posts: 11605
Free Member
 

squirrelking » Dictionary attack isn't exactly difficult.
What's that a reply to?

I'm against the systems that prevent you using your last 10 variations. Kinda obvious how that one is going to play out.
in combination with mandated numerics?

Reply to the XKCD cartoon.

Usually, yes. Easy bit of social engineering to find out a few details and then use spouse/child names and then a few zeros and a number to bring you to a viable password.

Amazing what you can find out very quickly.


 
Posted : 24/07/2017 8:49 pm
Posts: 0
Free Member
 

[quote=squirrelking ]Reply to the XKCD cartoon.

I'm still not sure which bit - but a dictionary attack on 4 conjoined words is still quite tricky - and that's working from the starting point of knowing the password protocol being used. Security through obscurity is always a bit dodgy, but in this case it adds more entropy and I suspect XKCD password generation still isn't common enough to be a useful attack vector.

Easy bit of social engineering to find out a few details and then use spouse/child names and then a few zeros and a number to bring you to a viable password.

Of course - and mandated numerals etc. does help get rid of some of the most obvious passwords. However the human factor is almost always the weakest link - mandating random computer generated passwords is one way of guaranteeing that the password is written down (I had this in a previous job, and could always tell when I was due a password change when I no longer needed to refer to the post-it).


 
Posted : 24/07/2017 8:57 pm
Posts: 11605
Free Member
 

Thing is though, for home use I reckon written down passwords would actually be much safer. You can have individual passwords for each site, complete nonsense that is easily referred to and can simply be left in an anonymous notepad in a drawer or safe if you feel so inclined. If you want to be a bit more secure, encrypt a couple of thumb drives with your password list on and crack on. Leave an unencrypted copy off site so if you need it you can get at it but nobody can connect them with you.

Corporate environments have no excuse, why not just use a swipe card/site pass and PIN to authenticate?


 
Posted : 24/07/2017 9:50 pm