Password Strength and Security


Vulpinus

On 9/13/2018 at 3:51 PM, Dakota Linden said:

Greetings all! 

I cannot address any issues regarding PW strength and security, (not my job, so I have absolutely no clue), but I can confirm that SL WILL lock you out of your account and you will be required to contact Support for assistance if too many attempts are made with the wrong password.

So while computers may be able to blow through 350 billion guesses in a couple of minutes, as a proof of concept,  real world application may lock the attempts out at a certain point long before the "computer" hits the correct combination. 
I am curious what this limit is. I was trying to remember a password for an old account a few days ago and must have easily tried 60+ different possibilities of what I might have chosen as a password at that point and never received any message from the viewer or website that I now had to contact support.


20 hours ago, PhantomPixel said:

I am curious what this limit is. I was trying to remember a password for an old account a few days ago and must have easily tried 60+ different possibilities of what I might have chosen as a password at that point and never received any message from the viewer or website that I now had to contact support.

I highly doubt that they will tell you the exact number as that would not be good security practice.  Suffice it to say that if you enter it wrong too many times, your account will get locked and you will have to deal with LL - either via chat or support ticket - and you'll have to provide proof that you truly are the account owner.

  • Like 1
  • Thanks 1
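
The lockout behaviour the two posts above describe (wrong passwords are counted, the account is locked once a threshold is hit, and even the right password is then refused until the lock is cleared) can be sketched in a few lines. The following is an added illustration, not code from Linden Lab or from this thread; the threshold, window and lockout duration are assumptions, since the real limit is not published.

```python
import time
from collections import defaultdict, deque

# Hypothetical policy values: the thread notes that the real Second Life
# threshold is not disclosed, so these numbers are assumptions.
MAX_FAILURES = 5           # wrong passwords tolerated inside the window
WINDOW_SECONDS = 15 * 60   # failures older than this stop counting
LOCKOUT_SECONDS = 60 * 60  # how long the account stays locked


class LoginGuard:
    """Per-account failed-attempt counter with a sliding window and a lockout."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # account -> timestamps of recent failures
        self._locked_until = {}              # account -> unix time the lock expires

    def is_locked(self, account, now=None):
        now = time.time() if now is None else now
        return self._locked_until.get(account, 0) > now

    def attempt(self, account, password_correct, now=None):
        """Return one of 'locked', 'denied', 'denied_locked' or 'ok'.

        password_correct is the outcome of the real credential check; the
        guard only decides whether that outcome is allowed to matter.
        """
        now = time.time() if now is None else now
        if self.is_locked(account, now):
            # A correct password does not help while locked: the user waits
            # out the lock or, as the thread says, contacts support.
            return "locked"
        if password_correct:
            self._failures.pop(account, None)
            return "ok"
        q = self._failures[account]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            q.clear()
            return "denied_locked"
        return "denied"


def simulate(attempts, guard=None):
    """Replay (account, password_correct, time) tuples and collect the outcomes."""
    guard = guard or LoginGuard()
    return [guard.attempt(acct, ok, t) for acct, ok, t in attempts]


if __name__ == "__main__":
    # Constructed sample: four wrong guesses, a fifth that trips the lock,
    # then the *correct* password a minute later while the lock still holds.
    attempts = [("alice", False, t) for t in (0, 10, 20, 30, 40)]
    attempts.append(("alice", True, 100))
    print(simulate(attempts))
```

Note that the guard never reveals the threshold to the client: a "denied" looks the same whether it is the first failure or the fourth, which is the behaviour the reply above expects of the real service.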

On 9/14/2018 at 7:08 PM, Fionalein said:

I'll just leave this external source's recommendations on passwords here:

https://xkcd.com/936/
Yep so the next website you visit specifies that your password must contain a capital letter and a number...

Batterystaple1

Next site, must be only 8 digits with a symbol

Battery#

Next site, between 8 to 10 digits number but no symbols other than _ % and must contain one of them

Batteryst%

and so on, then look at the password cache and discover that you have 276 passwords stored, many of them with enforced policies that don't match your own personal rules of choosing passwords and it's just utterly broken. :)

  • Like 1

4 minutes ago, Bradford Mint said:

Yep so the next website you visit specifies that your password must contain a capital letter and a number...

Batterystaple1

Next site, must be only 8 digits with a symbol

Battery#

Next site, between 8 to 10 digits number but no symbols other than _ % and must contain one of them

Batteryst%

and so on, then look at the password cache and discover that you have 276 passwords stored, many of them with enforced policies that don't match your own personal rules of choosing passwords and it's just utterly broken. :)

Oh wait, you're one of those folks that reuse the same password over and over?

We need no two factor authorisation for you then, sorry that would be a waste of resources.

Edited by Fionalein

No, you miss the point.  While the xkcd cartoon is fun and makes a point, beyond a mere handful of passwords, the scheme fails as soon as you encounter sites that enforce a policy that disallows your own choice of picking supposedly strong passwords.

I'm sure that you have also encountered sites where the enforced policy would be considered weaker than the password type you would prefer to use and as such, you are forced to pick *something* to meet their policy even though it's different to any scheme that you'd reasonably remember.

Thus, the issue of maintaining unique passwords against any personally chosen scheme becomes more challenging and the issue of storing passwords comes to the fore.  Now you're forced to stick 276 passwords into a password manager which now has to be trusted and yet provides a nice tasty treat for any attack, notwithstanding the related issues of having access to the password database for a user who is mobile. As I'm sure you'll agree, it's quite infeasible to expect people to remember every password against a multitude of policies that force people to go off-piste from their normal scheme, especially for rarely used sites.
  • Like 1

Just gonna leave this here. You can make sequences of impossibly complex passwords that are unique to every site and service you use, but if you have to use a password manager because no human can actually use those passwords, then you are effectively making one password for every service. And the password to that password manager is probably laughably weak.

At the end of the day, if a hacker is going to hack your account, they are going to hack your account. There really isn't a damn thing you can do about it, regardless of how secure you think your passwords are. So instead of worrying about what you can't prevent anyways, why not just make normal, unguess-able passwords and call it a day?


I read an article a couple of years ago that suggested the most important thing to keep secure (besides access to a password manager) was your email account, especially the email account you use with your financial institutions and other sensitive/important sites.  The reason they gave for that was so many sites will email you when your password or other security items are changed, or when the site suspects suspicious log in attempts.

I do use additional authentication when sites offer it, but so far they have all involved messages being sent to my cell phone, and when I lost my phone earlier in the summer it was really a pain to figure out how to get into some of the sites to change that - especially the Apple site to flag my phone as lost (until I remembered the message sent would show up on my iPad as well). 

I can understand a message with a code being sent to your phone when you're trying to access a site on your PC or tablet, but when you're trying to access the site on your mobile device, and the message with the code is being sent to that same device, it's not clear to me how that is additional security over the user name and password.


2 minutes ago, moirakathleen said:

I can understand a message with a code being sent to your phone when you're trying to access a site on your PC or tablet, but when you're trying to access the site on your mobile device, and the message with the code is being sent to that same device, it's not clear to me how that is additional security over the user name and password.

Typically the web sites do not know the details of the phone (i.e. the phone number) that you are accessing the web site from - thus they do not know it is the same phone that they will be sending the code to.


2 minutes ago, LittleMe Jewell said:

Typically the web sites do not know the details of the phone (i.e. the phone number) that you are accessing the web site from - thus they do not know it is the same phone that they will be sending the code to.

I figured that, it just always makes me smile and shake my head when it happens. 


2 hours ago, moirakathleen said:

I can understand a message with a code being sent to your phone when you're trying to access a site on your PC or tablet, but when you're trying to access the site on your mobile device, and the message with the code is being sent to that same device, it's not clear to me how that is additional security over the user name and password.

The question to ask is "if someone the other side of the world has my username and password, can they log in on their device?"

Where an additional factor is concerned, they would also need the additional factor, in this case, your phone. So even if the phone is the same device as the one accessing the service, as long as the channel to handle that additional authentication factor is separate, there's an additional level of security.

Simply put, without the extra factor, the person with your credentials on the other side of the world isn't going to get anywhere fast.

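
The reply above makes the key point: the second factor is something the person on the other side of the world does not hold, and it stays useful even when the phone is also the device logging in. The SMS codes discussed here are delivered over the carrier's channel; the app-based equivalent, TOTP (RFC 6238), derives each code from a secret shared once between the service and the phone, so a stolen user name and password alone produce no valid code. The block below is an added example written for this thread, not code from any site mentioned in it; it uses the standard library only, and the secret value is the published RFC test vector, used here purely so the output can be checked.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC over the counter, dynamic truncation, mod 10^digits."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    mac = hmac.new(secret, msg, algo).digest()
    offset = mac[-1] & 0x0F                             # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second window."""
    return hotp(secret, int(at_time // step), digits, algo)


def verify_totp(secret: bytes, candidate: str, at_time: float, step: int = 30,
                digits: int = 6, skew: int = 1) -> bool:
    """Server-side check: accept the current window plus `skew` windows either
    side (clock drift), comparing in constant time so timing leaks nothing."""
    counter = int(at_time // step)
    ok = False
    for c in range(counter - skew, counter + skew + 1):
        # Evaluate every window so the loop's timing does not depend on the match.
        ok |= hmac.compare_digest(hotp(secret, c, digits), candidate)
    return ok


def login(password_ok: bool, code: str, secret: bytes, at_time: float) -> bool:
    """Both factors must pass; a remote attacker with only the password fails."""
    return password_ok and verify_totp(secret, code, at_time)


if __name__ == "__main__":
    # RFC 6238 Appendix B secret (constructed test value, not a real credential).
    SECRET = b"12345678901234567890"
    now = 1111111109
    legitimate_code = totp(SECRET, now)            # what the phone app displays
    print("user with phone:", login(True, legitimate_code, SECRET, now))
    print("attacker, password only:", login(True, "000000", SECRET, now))
```

The design point is in `verify_totp`: the service never sends the secret anywhere after enrolment, so the code cannot be reproduced by someone who only intercepted the password, whatever device the real user happens to be typing on.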

  • 8 months later...

The great threat to human generated passwords, of course, is when the hosting site is breached and their database of hashed passwords stolen.  Then, it’s a matter of minutes before it can be subjected to any variety of offline cracking techniques and myriad dictionaries, and 70% of passwords likely cracked within minutes.  The mention of MD5 here is not a comforting thought.  

So, either our personal passwords are exceedingly, exceptionally and cleverly tough strings of pure gibberish, or our host site is using the top current strongest hashing technique to front line shield us, or else, we are just going to get pwned. That's probably the best way to think about this when considering your password regime.

You would expect robust cracking attempts on sites where banking and currency are involved, including Second Life.  Under such attacks only a tiny percentage of hashes (in the single digits) will be unresolved. 

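
The post above contrasts an MD5-hashed database with "the top current strongest hashing technique". What separates the two, for a defender, is a per-user salt (so identical passwords hash differently and precomputed tables are useless) and a deliberately slow key derivation (so each offline guess costs real work). The block below is an added example for this thread, not code from Linden Lab; it uses PBKDF2-HMAC-SHA256 because it is in the Python standard library, with an iteration count that is an assumption (bcrypt, scrypt or Argon2 are the usual choices where a library is available).

```python
import hashlib
import hmac
import os
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # assumption: a current OWASP-class work factor


def md5_unsalted(password: str) -> str:
    """The legacy scheme the post worries about: one fast hash, no salt.
    Every user with the same password gets the same digest."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash stored as algo$iterations$salt$digest so it can be
    verified later (and the work factor raised without breaking old rows)."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def guesses_per_second(fn, seconds: float = 0.5) -> float:
    """How many candidate passwords per second one CPU core can push through a
    scheme. This is the defender's capacity question: once the database is
    stolen, the attacker runs the same function at least this fast."""
    start = time.perf_counter()
    n = 0
    while time.perf_counter() - start < seconds:
        fn(f"candidate{n}")   # constructed throwaway input
        n += 1
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    # Constructed demo: two users who chose the same (weak) password.
    print("md5  user1:", md5_unsalted("password"))
    print("md5  user2:", md5_unsalted("password"))       # identical: one crack hits both
    print("kdf  user1:", pbkdf2_hash("password"))
    print("kdf  user2:", pbkdf2_hash("password"))        # different salts, different rows
    print("md5 guesses/s :", round(guesses_per_second(md5_unsalted)))
    print("kdf guesses/s :", round(guesses_per_second(pbkdf2_hash), 1))
```

The two throughput numbers are the whole argument of the post in one line: against unsalted MD5 a dictionary of common passwords is exhausted almost instantly, while a salted slow KDF turns the same dictionary into hours or days per user, which is the margin that lets a merely decent password survive a breach.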
