Passwords...

[Fox-F8]

can always write or I'm sure there is a program out there that well keep trying a very long list of commonly used passwords to hack things. i remember when i was in a parking lot and i had my ipod touch that can do wireless internet. so there was only one network in the area and it was a cellphone store. after a couple minutes of trying random passwords like abc and what not. I then tried cellphone because it was a cellphone store and that was the password....

 

[GracyKaye]

So I guess Unicorns123!@# is one of the best passwords out there since it has nothing to do with any of my pets, boyfriends, or where I was born! OH wait..... O_O I have a unicorn for a pet.. :[ Time to think of a new pass

 

[RyderRider15]

Still fail to see why we have to use mixed casing.

Explaining that requires some maths.

No it doesn't it requires explaining why its not the users job to protect their own account(s) / password(s).

 

[hughes111]

If you wish to make it simple, do so at your own risk(s).

Simple: First letter is a cap. Last is a digit.

Easy.


I on the other hand and a lot of you (I hope), won't go with the simple option!

 

[matth1138]

Still fail to see why we have to use mixed casing.

Explaining that requires some maths.

No it doesn't it requires explaining why its not the users job to protect their own account(s) / password(s).

Because, it's quite clear that after the events of this month, users WON'T protect their own account password. Nor will they choose strong passwords unless encouraged/forced to.

The policy will not change.

 

[lauriejennifer]

Not to beat a dead horse or anything (or resurrect one), but I saw this a few weeks ago on xkcd and immediately thought about this thread and smirked. The mouse over text is really the kicker: http://www.xkcd.com/936/

Mouse-over text: "To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize."


Heh.

 

[Ducman69]

Pass phrase security there is a little misleading though.

Any of the letters could be capitalized, not just the first, and any of the letters could be substituted or not in various combinations, etc. Likewise, algorithms that factor in common substitutions, case changes, numbers, dictionary words, etc as shown in the first can be used on common phrases/words as well to help in brute strength cracking.

IMO, the best is a combination of mixed case sensitivity first initials of a pass phrase using 1337 speak common substitutions!

Example: Bend Over Here It Comes Again * 1337 + Anniversary = WIN!
b0h!cA41006

Nice thing too is if your password expires (or you just prefer changing it every 90 days just in case), you can just change the date to something else only you would know, and its significantly different enough from what you had.

 

[matth1138]

Not to beat a dead horse or anything (or resurrect one), but I saw this a few weeks ago on xkcd and immediately thought about this thread and smirked. The mouse over text is really the kicker:
Mouse-over text: "To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize."
Heh.

OK, LJ, I'm going to call shenanigans on this one. You saw it a few weeks ago and immediately thought about this thread? And then waited a few weeks to post it? Right.

Trust me, as someone whose site has been hacked and utterly destroyed because someone used a six character, all lower case password based on real words, I can say I probably do understand information theory a little bit. Especially when psychology trumps information theory, and explains that people are lazy and will only do the absolute minimum unless forced to do otherwise.

Do you know why this site was hacked? Let me break it down for you like a fraction:

1. Another site was hacked.
2. Their user database was stolen.
3. A de-hashing program was applied to the user database. Everyone with a short, simple, dictionary based password was cracked very quickly. Anyone else's password was just a matter of time.
4. Someone with admin rights over here recycled an easily de-hashed password.
5. Bad things happened.

What you and the xkcd crew are arguing via this cartoon is that a 20+ character dictionary based password is safer than a 7 character "strong" password. That MAY be true in theory, but in practice, de-hashing programs run dictionary words first, and that is why simple passwords are broken faster than complex ones. A 10 character "strong" password will resist de-hashing longer than a 10 character dictionary word password.

Furthermore, what you are inferring is that people would complain about the requirements less if I required a 20 character password instead of 7 characters with one cap. I don't think I need to mentally explore the outcry that would happen if I did something like that....

The password requirements for this site are marginally higher than a lot of other forums, but less stringent than any work computer I've ever used, and MUCH less stringent than most financial institutions I've encountered.

You want it easy? Guess what, your user name is probably more than 7 characters long, just use that and capitalize the first letter. Otherwise, take some responsibility for your passwords, make them long, make them strong, and don't recycle them. I'd recommend a password manager that you can sync with Dropbox as a solution.

 

[ParisianZee]

To the THUNDERDOME !

(lol)

C'mon guys play nice.

 

[extreme601]

It's fair enough though, I don't see why people kick up such a fuss about it. Passwords are MEANT to be strong to stop unauthorised entry, why make them easy and useless?

 

[lauriejennifer]

Not to beat a dead horse or anything (or resurrect one), but I saw this a few weeks ago on xkcd and immediately thought about this thread and smirked. The mouse over text is really the kicker:
Mouse-over text: "To anyone who understands information theory and security and is in an infuriating argument with someone who does not (possibly involving mixed case), I sincerely apologize."
Heh.

OK, LJ, I'm going to call shenanigans on this one. You saw it a few weeks ago and immediately thought about this thread? And then waited a few weeks to post it? Right.

Trust me, as someone whose site has been hacked and utterly destroyed because someone used a six character, all lower case password based on real words, I can say I probably do understand information theory a little bit. Especially when psychology trumps information theory, and explains that people are lazy and will only do the absolute minimum unless forced to do otherwise.

Do you know why this site was hacked? Let me break it down for you like a fraction:

1. Another site was hacked.
2. Their user database was stolen.
3. A de-hashing program was applied to the user database. Everyone with a short, simple, dictionary based password was cracked very quickly. Anyone else's password was just a matter of time.
4. Someone with admin rights over here recycled an easily de-hashed password.
5. Bad things happened.

What you and the xkcd crew are arguing via this cartoon is that a 20+ character dictionary based password is safer than a 7 character "strong" password. That MAY be true in theory, but in practice, de-hashing programs run dictionary words first, and that is why simple passwords are broken faster than complex ones. A 10 character "strong" password will resist de-hashing longer than a 10 character dictionary word password.

Furthermore, what you are inferring is that people would complain about the requirements less if I required a 20 character password instead of 7 characters with one cap. I don't think I need to mentally explore the outcry that would happen if I did something like that....

The password requirements for this site are marginally higher than a lot of other forums, but less stringent than any work computer I've ever used, and MUCH less stringent than most financial institutions I've encountered.

You want it easy? Guess what, your user name is probably more than 7 characters long, just use that and capitalize the first letter. Otherwise, take some responsibility for your passwords, make them long, make them strong, and don't recycle them. I'd recommend a password manager that you can sync with Dropbox as a solution.

As much as it's kinda flattering in a way to be mistaken for some sort of mastermind, I'm actually offended more than anything. You were very quick to assume some sort of elaborate malicious intent on my part, and also completely misunderstood both my motive and my point.

Since I have to defend my honor here, this was my thought process:

I saw the comic. I immediately thought, 'haha! That's funny, because this very argument was just happening over at motovlog.com! I should totally mention this link. They'll surely have a sense of humor about it, too, and think it was ironic. I'll have to remember to do that when I get home (can't post it from my phone). " But, I'm in the process of moving and am very busy at work and life happens and I forget. When I do actually remember (which is rare), I am not at my computer. Finally (it takes a while), I happen to be home AND remember. Part of the problem is that i don't check motovlog.com very often. I was simply forgetful, because in the broader scope of my life, this thread has very little importance; it was not because it meant so much to me that I had this grandiose plot and was biding my time. I wish my lighthearted spaciness was so intricate, but it's not. It's just forgetfulness and busyness.

My posting it was simply because I thought it was funny, not even that I agreed with it. In fact, I honestly figured that since I very much don't understand information theory and all that, I was probably missing a deeper joke that the whole comic was probably tongue-in-cheek.

For the record, I was actually on your side from the beginning, Matt. My post history (and lack of post history) on this thread and others like it should make this clear. Not sure why you're so jumpy about this, but please consider the source. I was surprised and hurt by your accusation. I thought you knew me better than that.

 

[ParisianZee]

Matt is jumpy because he is jumpy about stuff. I've already had, let's say, a lightly heated discussion with him about whatever and I wouldn't do that again. If you look at his posts in general, he tends to be a bit harsh. I believe, however, that it's just how he is, and that he's an otherwise nice guy who doesn't mean any harm by that.

That being said, I think those discussions affect motovlog.com negatively, and everyone knows motovlog.com is already badly hurt, and isn't the fun loving nice community it once was. I wouldn't know why, but it isn't, so there's that.

I think everyone should take a step back, calm down, and try to post fun stuff, be helpful, hell, try to be as we were a few months back.

Also, I'm sorry, but this new dark theme doesn't help. It looks like a battle ground now. The brighter, simpler theme we had before made me want to participate in tons of cool stuff. This theme makes me scared of being kniffed in the back. It looks like a geek's theme, a world of warcraft kind of theme. A big bang theory kind of theme.

So there.

 

[matth1138]

As much as it's kinda flattering in a way to be mistaken for some sort of mastermind, I'm actually offended more than anything. You were very quick to assume some sort of elaborate malicious intent on my part, and also completely misunderstood both my motive and my point.

Since I have to defend my honor here, this was my thought process:

I saw the comic. I immediately thought, 'haha! That's funny, because this very argument was just happening over at motovlog.com! I should totally mention this link. They'll surely have a sense of humor about it, too, and think it was ironic. I'll have to remember to do that when I get home (can't post it from my phone). " But, I'm in the process of moving and am very busy at work and life happens and I forget. When I do actually remember (which is rare), I am not at my computer. Finally (it takes a while), I happen to be home AND remember. Part of the problem is that i don't check motovlog.com very often. I was simply forgetful, because in the broader scope of my life, this thread has very little importance; it was not because it meant so much to me that I had this grandiose plot and was biding my time. I wish my lighthearted spaciness was so intricate, but it's not. It's just forgetfulness and busyness.

My posting it was simply because I thought it was funny, not even that I agreed with it. In fact, I honestly figured that since I very much don't understand information theory and all that, I was probably missing a deeper joke that the whole comic was probably tongue-in-cheek.

For the record, I was actually on your side from the beginning, Matt. My post history (and lack of post history) on this thread and others like it should make this clear. Not sure why you're so jumpy about this, but please consider the source. I was surprised and hurt by your accusation. I thought you knew me better than that.

LJ, I'm sorry. I think no more highly or less of you because of your post. In defense of my poor reaction, you had posted a comic criticizing password requirements in a thread that was created...to criticize the password requirements. When you, a friend, jumped on that bandwagon, I reacted poorly. I hope your forgiveness comes soon.

Matt is jumpy because he is jumpy about stuff. I've already had, let's say, a lightly heated discussion with him about whatever and I wouldn't do that again. If you look at his posts in general, he tends to be a bit harsh. I believe, however, that it's just how he is, and that he's an otherwise nice guy who doesn't mean any harm by that.

While I don't consider myself "jumpy," I do consider myself to be someone who sees the world in terms of black and white. I have no problems calling it like I see it. And I certainly have a weakness by not being compassionate it my counter-arguments. And I get easily frustrated when communicating with someone who I perceive as being antagonistic. However, as I've demonstrated even with BTV, I'll apologize where it's warranted and where I've been wrong.

I think everyone should take a step back, calm down, and try to post fun stuff, be helpful, hell, try to be as we were a few months back.

Also agreed. The password requirements remain the same, as does the forum theme (for now.)

End of discussion, thread locked.