Dear Programmers: Please don't do this.

I present to you the ASIC Connect password rules:


Your password must be a minimum length of nine characters, consisting of three of the following - lowercase (a-z) and uppercase (A-Z) alphabetic characters, numeric characters (0-9) or special characters (! $ # %). It cannot contain any 2 consecutive characters that appear in your user ID, first name or last name. It must not be one of your 8 previous passwords.
 
Aside from the 'cannot contain 2 consecutive characters' rule, it's pretty standard?

The bolded part always rings an alarm bell for me and makes me hope the passwords aren't being stored in plain text. It is possible to check hashed passwords against previously hashed passwords, but it still makes me nervy. I would think an organisation like ASIC is far too big and professional not to salt and hash passwords.
 


I work on a plethora of systems and each security team sets their own standards, including ones similar to what Chief said here. Most of these pedantic hitleresque security teams think they are making their systems more secure ....

However, all this means that most people have NO option but to write them all down - thus making the security team's attempt to be secure null and void.
 
My Password has lowercase, uppercase, a number and a symbol.

The only password requirement that shits me is the 'Must be between x-x characters' bullshit. They want me to have some safe password, but limit it to a certain number (most of the time very small) of characters.
 
The number of places I have worked at which have all their passwords just stored in a text or Excel file is scary.

I have about 100 different logins, using about 15 different "base" passwords, each slightly tailored to the site it is used on. I can usually remember all of them, but if I need to track one down the username and password are kept in two separate text files, both encrypted using PGP. Probably just as easy to use KeePass but I prefer this. Potential overkill but **** it.

People just don't understand password security. They don't understand that when you forget your password and you get it back in plain text, it's absolutely terrible security. "But it's only a minor site, who cares if someone steals that password"... Not realising that if you use the same password for everything (and it's crazy how many people do that), any person who gets that password now has access to everything.
 
It is ridiculously complex.
Numbers and letters? Fine.
Insisting on uppercase or special characters is annoying.
9 characters minimum amplifies the annoyance.
Not a previous password even moreso.
And 'no two consecutive characters from...' is just stupid.
"consisting of three of the following"

Is that one of each of three of your choosing? Three of each? Can you only select characters from three out of the four kinds of characters?

And by the time you get to the end of the rules you've forgotten half of what you read.
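Two points above are worth pinning down in code: the earlier reply that a "last 8 passwords" rule can be enforced against salted hashes without ever storing plaintext, and the question of how to read "consisting of three of the following". The following is an added example written for this thread, not anything from ASIC Connect. It takes two assumptions the rules leave open: "three of the following" means characters from at least three of the four classes, and the consecutive-characters rule means no 2-character substring of the password may also occur (case-insensitively) in the user ID, first name or last name. The PBKDF2 work factor is also an assumed value.

```python
import hashlib
import hmac
import os
import re

# Policy constants taken from the ASIC Connect rules quoted in the thread.
MIN_LENGTH = 9
HISTORY_DEPTH = 8
REQUIRED_CLASSES = 3
CLASSES = {
    "lowercase": re.compile(r"[a-z]"),
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[!$#%]"),  # the four symbols the rule lists
}
PBKDF2_ROUNDS = 100_000  # assumed work factor; ASIC's real setting is unknown


def hash_password(password, salt=None):
    """Return (salt, digest) for PBKDF2-HMAC-SHA256 with a per-password salt."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def in_history(password, history):
    """True if the candidate equals any stored (salt, digest) entry.

    Each entry carries its own salt, so the candidate is re-hashed once per
    entry. That is the whole trick: the server never needs the old plaintexts.
    """
    for salt, digest in history:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):
            return True
    return False


def bigrams(text):
    """All 2-character substrings, lowercased (case-insensitive match is an assumption)."""
    text = text.lower()
    return {text[i:i + 2] for i in range(len(text) - 1)}


def check_policy(password, user_id, first_name, last_name, history=()):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Assumed reading of "consisting of three of the following": the password
    # must draw on at least three of the four character classes.
    present = [name for name, rx in CLASSES.items() if rx.search(password)]
    if len(present) < REQUIRED_CLASSES:
        problems.append(f"uses only {len(present)} of the four character classes")

    # Assumed reading of the consecutive-characters rule: no 2-character
    # substring of the password may also occur in the user's identity fields.
    forbidden = set()
    for field in (user_id, first_name, last_name):
        forbidden |= bigrams(field)
    hits = sorted(b for b in bigrams(password) if b in forbidden)
    if hits:
        problems.append("contains 2 consecutive characters from your details: " + ", ".join(hits))

    # Only the most recent HISTORY_DEPTH entries count.
    if in_history(password, list(history)[-HISTORY_DEPTH:]):
        problems.append(f"matches one of your last {HISTORY_DEPTH} passwords")

    return problems


if __name__ == "__main__":
    # Constructed sample account; the old password is kept only as salt + hash.
    old_entries = [hash_password("OldPass#2012")]
    for candidate in ("OldPass#2012", "Smithy$99", "abc123xyz", "Tr4vis$Boak!"):
        result = check_policy(candidate, "jsmith", "John", "Smith", old_entries)
        print(candidate, "->", result or "OK")
```

The history check is the expensive part: every candidate costs one PBKDF2 derivation per stored entry, which is the price of per-entry salts. Reusing one salt across the eight entries would make the check cheaper but would also let an attacker who steals the table crack all eight with one rainbow pass, so the per-entry cost is the right trade.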
 

I had KeePass on a USB stick, but now I use LastPass.


Be very careful with LastPass. Remember that your password database is hosted externally and you are relying on their security controls to keep you safe.
I would much prefer to keep my password database local.

LastPass recently patched a vulnerability - http://nakedsecurity.sophos.com/201...-security-patch-against-password-leakage-bug/. If you are going to use LastPass, ensure that you are running the latest version.
 
Mine's a bit better. Mine has been created in the blood of a virginal lamb and sacrificed to the Dark Gods in order to attain an unholy protection. And it has the number 69 :p:D
 
Agree with the OP...

I've read several articles that suggest complex password conditions make things harder for users without providing better security when compared with simpler yet longer passwords, such as the one below:

Using really long passwords, with random normal words/spelling, placed in an order you understand is more secure than shorter complex passwords:

ie
SHORT: P@$s^VV0rD
LONG: travis centerman boak power captain all australian

http://arstechnica.com/security/201...ore-annoying-less-effective-than-length-ones/



Password complexity rules more annoying, less effective than lengthy ones

Symbol, number, and cap requirements: do not want. Might not need.

Few Internet frustrations are so familiar as the password restriction. After creating a few (dozen) logins for all our Web presences, the use of symbols, mixed cases, and numbers seems less like a security measure and more like a torture device when it comes to remembering a complex password on a little-used site. But at least that variety of characters keeps you safe, right? As it turns out, there is some contrary research that supports both how frustrating these restrictions are and suggests it’s possible that the positive effect of complexity rules on security may not be as great as long length requirements.


* However, once quantum computing becomes more mainstream all the above is blown out of the water anyway if the crims get hold of quantum machines to "brute force" the passwords on digital systems. The "brute" part will be removed and cracking passwords will be like cracking coconuts with a sledge hammer. We'll need quantum systems to hold off quantum attacks. AFAIK (been a while since I read any articles on it).

---------------------------------------------------
You're better off storing your passwords by writing them down on a piece of paper and storing them next to your PC (or on you)... instead of storing them anywhere in a file on the PC or online.

There is a higher chance that your electronic files will be compromised to steal your passwords than someone stealing your physical piece of paper. Also, anyone stealing your physical piece of paper is probably easy to find (ie someone you know or someone local) compared with someone on the other side of the world.

*** The above is more suitable for personal passwords rather than businesses etc.
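To put numbers on the SHORT vs LONG comparison above, here is an added example (not from the post or the Ars Technica article) that estimates the search space an attacker has to cover under a few different guessing models. The guessing rate, the dictionary size and the number of mangling rules are assumed figures chosen to be plausible for an offline attack on a fast hash, and the 7,776-word list size is the Diceware convention, not anything the post states.

```python
import math
import string

# Assumed offline guessing rate against a fast, unsalted hash (GPU-rig order
# of magnitude; the thread gives no figure).
GUESSES_PER_SECOND = 1e10


def charset_size(password):
    """Alphabet an attacker must cover to brute-force this password blindly."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    if " " in password:
        size += 1
    return size


def brute_force_bits(password):
    """log2 of the exhaustive search space over the inferred alphabet."""
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(n_words, dictionary_size):
    """Strength of an n-word passphrase when the attacker knows the word list."""
    return n_words * math.log2(dictionary_size)


def mangled_word_bits(dictionary_size, rule_count):
    """Search space for one dictionary word run through substitution rules."""
    return math.log2(dictionary_size * rule_count)


def expected_crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """Average time to hit the password: half the space at the given rate."""
    return 2 ** bits / 2 / rate


if __name__ == "__main__":
    short = "P@$s^VV0rD"
    long_ = "travis centerman boak power captain all australian"

    print(f"{short!r}: blind brute force {brute_force_bits(short):.1f} bits")
    # 'P@$s^VV0rD' is 'password' with substitutions and one inserted symbol,
    # so an attacker with a 100,000-word dictionary and 5,000 mangling rules
    # (assumed sizes) searches a far smaller space than the blind figure.
    m = mangled_word_bits(100_000, 5_000)
    print(f"  as a mangled dictionary word: {m:.1f} bits, "
          f"~{expected_crack_seconds(m):.3f} s")

    print(f"{long_!r}: blind brute force {brute_force_bits(long_):.1f} bits")
    # Even if the attacker knows it is 7 words from a 7,776-word list:
    w = wordlist_bits(7, 7776)
    print(f"  as 7 known-list words: {w:.1f} bits, "
          f"~{expected_crack_seconds(w) / 3.15e7:.0f} years")
```

The point the numbers make is that the attacker picks the cheapest model that fits. The short password's 65 bits only hold if nobody notices it is a mangled English word; the passphrase's 90 bits survive the attacker knowing exactly how it was built. A site that caps length at 12 or 16 characters, as complained about above, forbids the stronger of the two.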
 
They need to steal the password files first. Can't brute force if it locks up after three failed attempts.

Like you said, best to write them all down but not as convenient.
 

My password for bigfooty is just the same as my username and no one's ever hacked into my account.

Yeah but who would want to know your intimate details, or pretend to be you? I mean really, with your rep... whooooooooo??????????

And no money to steal either....

 
