Passwords are dumb.

objectinspace
Posts: 54
Joined: Tue Aug 24, 2021 8:31 am

Passwords are dumb.

Post by objectinspace »

My phone is one of the most secure phones ever. It always has the latest Android security update, my data partition is encrypted with a PIN. But this is not why it is so secure. It is secure because two or so years ago, I dropped it into the street and the screen cracked. Ever since, it displays nothing. The chance that anyone is gonna learn TalkBack in order to exfiltrate my data is 0. It's not even useful to anyone if they were able to wipe the data, because the screen is still trashed. So I make things easy on myself and use autofill everywhere. Why do I need autofill? Because I can't remember my passwords.

A "strong" password is one that is not a dictionary word, contains a mix of upper and lower case letters, numbers, and symbols. In other words, the harder it is to remember, the better. Worse, if you have one or two complex passwords that are easy for you to remember, you are only exposing yourself to the service itself being hacked and exposing it, forcing you to change that password for all other services you use. This is to defend against the computer's ability to guess every username/password combination that has ever been leaked for every site, and every word in the dictionary, which it will always remember perfectly--well, as long as its dataset is up to date. And if that doesn't work, it has infinite time to guess random combinations which it can enter in fractions of a second. The human brain will always be worse at creating and retaining a password than the computer's ability to break it.

So how do we solve this problem? We store the passwords somewhere. Either by writing it down, or by using a password manager. Both of which fundamentally undermine the security of the password. Plus, then you stop remembering all your passwords, even ones you don't archive! So instead I end up resetting the password back to one of my standard ones. Was that one caught in a datamine? I don't remember. Probably not!

Passwords are dumb. They don't work. What works is a weak password paired with 2-factor authentication. So why isn't this the method used for everything?

AArdvark
Posts: 16177
Joined: Tue May 14, 2002 6:12 pm
Location: Rochester, NY

Re: Passwords are dumb.

Post by AArdvark »

I secured my phone by not activating the email function and by never taking it out of the house. If anyone steals my phone they have access to a bunch of Crazy Doodle photos and dog pictures and a lot of Old Time Radio episodes

Ice Cream Jonsey
Posts: 28877
Joined: Sat Apr 27, 2002 2:44 pm
Location: Colorado

Re: Passwords are dumb.

Post by Ice Cream Jonsey »

Drew hates passwords, and *I* hate two factor authentication!!! We are now mortal enemies!!!!!! SYSOPS BEWARE
the dark and gritty...Ice Cream Jonsey!

The Happiness Engine
Posts: 868
Joined: Thu Aug 02, 2012 4:16 pm

Re: Passwords are dumb.

Post by The Happiness Engine »

...

How exactly does a broken screen stop "drop into debug mode, pull everything out the USB port"??

Security Indeed.

RealNC
Posts: 2244
Joined: Wed Mar 07, 2012 4:32 am

Re: Passwords are dumb.

Post by RealNC »

1km$$by@tbB! - I keep my dolla dolla bills y'all at the bank BITCHES!

That's my way of remembering important passwords :P

objectinspace
Posts: 54
Joined: Tue Aug 24, 2021 8:31 am

Re: Passwords are dumb.

Post by objectinspace »

The Happiness Engine wrote: Sat Oct 16, 2021 5:44 pm ...

How exactly does a broken screen stop "drop into debug mode, pull everything out the USB port"??

Security Indeed.
Look at you! So smart. You saw straight through my subterfuge! Well Mr. smarty, I am one step ahead of you, because the phone's USB port is also broken! It usually can charge, but the fucking thing fails to connect to the PC 9 times out of 10. (nearly) perfect security maintained!

Robb: this saddens me. How did 2FA hurt you?

Ice Cream Jonsey
Posts: 28877
Joined: Sat Apr 27, 2002 2:44 pm
Location: Colorado

Re: Passwords are dumb.

Post by Ice Cream Jonsey »

objectinspace wrote: Sat Oct 16, 2021 6:02 pm
The Happiness Engine wrote: Sat Oct 16, 2021 5:44 pm How exactly does a broken screen stop "drop into debug mode, pull everything out the USB port"??
Security Indeed.
Look at you! So smart. You saw straight through my subterfuge! Well Mr. smarty, I am one step ahead of you, because the phone's USB port is also broken! It usually can charge, but the fucking thing fails to connect to the PC 9 times out of 10. (nearly) perfect security maintained!
He's thought of everything! Well maybe I'll bang your phone!
Robb: this saddens me. How did 2FA hurt you?
I was partially kidding BUT consider this - there were stories going around of people calling up phone companies and socially engineering phone numbers away from people. The reps at these companies weren't trained for someone to be so evil, but people were. I think using our phones for 2FA is pretty silly when we live in a world where you could have your phone number stolen. I also think that this gave rise to scams where people used 2FA against the victim - the whole craigslist "let me just send you a code so I know you're real" but really it's a code sent to your phone that allows the hacker to get your stuff.

Related to that, I am using Brave to access my checking account and I do so multiple times a day. My stupid bank makes me use 2FA *every single time*. My computer is as secure as your phone. I lock it when I leave it for 5 minutes and I don't live near people. There is no chance someone got to my PC. Why is my bank asking for a 2FA confirmation 10 minutes after I last did 2FA? It's a fault of 2FA in my mind when it can be implemented so stupidly.

If we want to do 2FA right, let's use passwords and let's issue every American a device for their fingerprint. Or retinal scanner. A lot of this comes from the fact that I have seen poorly implemented software multiple times each day for the last 15 years and then I come to the other thread and log it. Webshit creators can't handle it with any intelligence, so yeah, let's DO it but do it correctly.
the dark and gritty...Ice Cream Jonsey!

objectinspace
Posts: 54
Joined: Tue Aug 24, 2021 8:31 am

Re: Passwords are dumb.

Post by objectinspace »

Anything can be implemented shittily, which forcing you to log in every ten minutes certainly is. That would be annoying whether you had 2FA on or not, though the 2FA makes it worse since it adds a step, plus it's totally unnecessary. If the site recognizes the device, there isn't much need for another prompt. I agree that the phone number is a lazy solution, using keys or an authenticator app is much better. There was supposed to be a feature of Android that would make every phone a bluetooth security key, but IDK what happened with that because it never worked for me. Google has a "send a code to your phone" option which I really like because it makes you acknowledge the prompt *on the phone* with SMS, since I also text on the web I can authenticate from the same browser session, which sort of defeats the purpose. Then again, so does sending the OTP to your email, I guess. So yeah, 2FA can be dumb too, for sure. I'd still take it over having to remember a different passphrase for every website, or not remembering and constantly dealing with account resets.

AArdvark
Posts: 16177
Joined: Tue May 14, 2002 6:12 pm
Location: Rochester, NY

Re: Passwords are dumb.

Post by AArdvark »

Maybe we should eliminate the people who would take advantage of data breaches and unsecured websites. Can't we have a world full of honest people?

Tdarcos
Posts: 9333
Joined: Fri May 16, 2008 9:25 am
Location: Arlington, Virginia

Re: Passwords are dumb.

Post by Tdarcos »

Passwords are a stupid authentication method now, because we don't need them. XKCD has a cartoon on how to solve the password problem, by using passphrases instead. Easier to remember and much harder to crack.

You can even use only words in the dictionary, and it's still secure. Who's going to guess your password for your on-line bank account is "this bank can go fork itself" (without quotes, and the sentiment censored). That's 27^28 different (space being an additional character) possible tries to brute force that, or 1.1972515e+40 possible choices, and at 1000 attempts per second, would take 1.1972515e+37 seconds, or about 7.917688e+30 years to crack using brute force. Because, if the pass phrase can be up to, say, 50 characters and allows spaces, you can't know how long it is, and you have to try everything, because you don't know if they (accidentally or intentionally) misspelled a word, or (if numbers are allowed) used 1337 5p34k (leet speak). Consider that the universe is currently only about 1.35000e+9 years old, the universe is likely to suffer heat death long before you crack that.

If upper/lower case is significant, it's not twice as big, which is not double, or 1.5835376e+31, but is exponentially larger, 53^28 or 1.9042517e+48 possible phrases, which, at 1000 attempts per second, is 5.9760915e+40 seconds or 1.87547e+33 years to crack using brute force. Since the original number is already huge, I would not recommend making it case-sensitive. And if punctuation is optionally allowed, the base number again rises exponentially. So, if I used, "Above all else, we shall go on... and continue!" (including quotes) that's 49 characters not even making case significant, and with these characters: !@#$%^&*()_+}{|":?>< for punctuation, this raises the attack surface to 49 characters, with digits 59, raised to the power of the number of allowed characters in the pass phrase.

Make authentication easy for humans to remember, and hard for computers to solve.
Alan Francis wrote a book containing everything men understand about women. It consisted of 100 blank pages.

AArdvark
Posts: 16177
Joined: Tue May 14, 2002 6:12 pm
Location: Rochester, NY

Re: Passwords are dumb.

Post by AArdvark »

So you're saying my wifi logon is more secure than my bank account because my wifi lets me use up to fifty characters and my bank restricts me to 8 and 15 characters?

Ice Cream Jonsey
Posts: 28877
Joined: Sat Apr 27, 2002 2:44 pm
Location: Colorado

Re: Passwords are dumb.

Post by Ice Cream Jonsey »

Tdarcos wrote: Sun Oct 17, 2021 9:27 am Passwords are a stupid authentication method now, because we don't need them. XKCD has a cartoon on how to solve the password problem, by using passphrases instead. Easier to remember and much harder to crack.

You can even use only words in the dictionary, and it's still secure.
Wrong. So many people have posted that comic that one of the leading ways people try to crack passwords is by slinging dictionary words. It's easier than random characters because you can leave out the random strings.
the dark and gritty...Ice Cream Jonsey!
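Two attacker models are being argued past each other here: Tdarcos's figure treats the phrase as 28 symbols drawn from a 27-character alphabet and brute-forces every string, while the rebuttal above points out that a guesser who assumes the phrase is made of dictionary words only has to enumerate word combinations. The Python below is an added example (not posted by either of them) that puts both figures side by side for the thread's own phrase. The 7776-word list size (the Diceware list), the 10^10 guesses per second "offline" rate and the one-year constant are constructed assumptions for illustration; the 1000 guesses per second rate is the one used in the thread.

```python
"""Search-space estimates for a passphrase under two attacker models.

Added example for the thread, not code from any poster. Constructed
assumptions: 7776 is the Diceware word-list size, and 1e10 guesses per
second stands in for an offline attack against a fast hash.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def char_space(alphabet_size: int, max_len: int, min_len: int = 1) -> int:
    """Candidates when the attacker knows only the alphabet and the length
    bounds: every string of each allowed length k, alphabet**k of them.
    With min_len == max_len this is the plain alphabet**length figure."""
    return sum(alphabet_size ** k for k in range(min_len, max_len + 1))


def word_space(dictionary_size: int, word_count: int) -> int:
    """Candidates when the attacker guesses word_count lowercase words
    from a list of dictionary_size words (the rebuttal's strategy)."""
    return dictionary_size ** word_count


def bits(space: int) -> float:
    """Search space expressed as bits of entropy."""
    return math.log2(space)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def estimate(phrase: str, alphabet_size: int, dictionary_size: int,
             guesses_per_second: float) -> dict:
    """Compare the naive character-level figure against the
    dictionary-words figure for the same phrase."""
    words = phrase.split()
    naive = char_space(alphabet_size, len(phrase), len(phrase))
    dictionary = word_space(dictionary_size, len(words))
    return {
        "length": len(phrase),
        "words": len(words),
        "naive_bits": bits(naive),
        "naive_years": years_to_exhaust(naive, guesses_per_second),
        "dictionary_bits": bits(dictionary),
        "dictionary_years": years_to_exhaust(dictionary, guesses_per_second),
    }


if __name__ == "__main__":
    phrase = "this bank can go fork itself"  # the thread's example phrase
    for label, rate in (("online, 1e3 guesses/s", 1e3),
                        ("offline, 1e10 guesses/s (assumed)", 1e10)):
        r = estimate(phrase, alphabet_size=27, dictionary_size=7776,
                     guesses_per_second=rate)
        print(f"{label}:")
        print(f"  27 symbols x 28 chars : {r['naive_bits']:.1f} bits, "
              f"{r['naive_years']:.2e} years")
        print(f"  6 words from 7776     : {r['dictionary_bits']:.1f} bits, "
              f"{r['dictionary_years']:.2e} years")
```

The two rows differ by more than 55 bits for the same phrase: the character-level number is the one you get if nobody knows you used English words, the word-level number is the one that applies once they do. Neither row is small at online rates, which is the part of Tdarcos's argument that survives; the gap between them is the part of the rebuttal that does.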

Ice Cream Jonsey
Posts: 28877
Joined: Sat Apr 27, 2002 2:44 pm
Location: Colorado

Re: Passwords are dumb.

Post by Ice Cream Jonsey »

AArdvark wrote: Sun Oct 17, 2021 9:43 am So you're saying my wifi logon is more secure than my bank account because my wifi lets me use up to fifty characters and my bank restricts me to 8 and 15 characters?
Please do not listen to Tdarcos when it comes to the matters of the law, religion or password security. He should never, ever try to challenge me on those topics as he will look like a fool if he does so.
the dark and gritty...Ice Cream Jonsey!

bryanb
Posts: 807
Joined: Sat Apr 06, 2019 2:56 pm

Re: Passwords are dumb.

Post by bryanb »

Coincidentally, the password I use for everything is thisBankcangoforkitself@37. I think I'm going to have to change it because it just doesn't feel secure anymore.

Tdarcos
Posts: 9333
Joined: Fri May 16, 2008 9:25 am
Location: Arlington, Virginia

Re: Passwords are dumb.

Post by Tdarcos »

AArdvark wrote: Sun Oct 17, 2021 9:43 am So you're saying my wifi logon is more secure than my bank account because my wifi lets me use up to fifty characters and my bank restricts me to 8 and 15 characters?
First, is your Wi-Fi password sent encrypted? But, in general, yes, even if the numbers were reversed, for the simple reason one of them has a lot more people trying to break in. At best, your router gives access to your network, and maybe examine/change your computer. And they have to be in the neighborhood to hack your Wi-Fi.

On the other hand, they can hack into the bank from any of about four billion convenient locations worldwide. And they could get anywhere from hundreds to thousands if they can get into someone's account, and a hell of a lot more if they can use it to escalate privilege and go after the bank itself. But simply, using passwords requires you think of something you have to remember and yet be hard for a computer to guess, which usually turns out to be the other way around. But a passphrase can be easily remembered and because it's a lot harder to crack, is more secure than a weird set of characters that in the future can be cracked by a fast computer in anywhere from minutes to hours.
Alan Francis wrote a book containing everything men understand about women. It consisted of 100 blank pages.

objectinspace
Posts: 54
Joined: Tue Aug 24, 2021 8:31 am

Re: Passwords are dumb.

Post by objectinspace »

I'm resurrecting this ancient thread in light of this pair of articles, which scare the everloving shit out of me: https://www.bleepingcomputer.com/news/s ... p-attacks/
https://www.businessinsider.com/credit- ... 023-4?op=1

TLDR: attackers can impersonate your cell phone number and intercept your texts (as has apparently occurred at scale for some fi/T-Mobile customers). Once this happens they can do anything. They can open credit cards in your name, and reset the passwords+bypass 2FA for everything that lists your phone number as a recovery method. If this happens, it would appear you are shit out of luck: the police won't help, the banks won't help, the apps/sites will think you are the fraudster, the retailers will let people buy goods off stolen cards all day if the charge goes through, and the "support" technicians for your phone service won't believe your account is being hijacked.

FUCK.

I mean... fuck!

On the bright side, it does appear there are smart people working on this. Duo and Authy let you approve signin notifications from your phone with a tap which is much better than entering a code! Microsoft does as well but they go a step further and allow you to remove the password entirely. Google will send notifications to all the Android phones added on your account and can also let you set up your phone as a bluetooth security key when you sign in, even if you do not use their authenticator. I love all of this, however it is all meaningless unless you take the step of actually removing your phone number from all your accounts.

objectinspace
Posts: 54
Joined: Tue Aug 24, 2021 8:31 am

Re: Passwords are dumb.

Post by objectinspace »

Oh also (because I can't help myself) hope you weren't using LastPass! https://www.wired.com/story/lastpass-en ... y-roundup/

Ice Cream Jonsey
Posts: 28877
Joined: Sat Apr 27, 2002 2:44 pm
Location: Colorado

Re: Passwords are dumb.

Post by Ice Cream Jonsey »

I was. But I can't any longer, the constant breaches and other annoyances are too much. Bad product.
the dark and gritty...Ice Cream Jonsey!

Mama Blue
Posts: 203
Joined: Wed Mar 15, 2023 9:53 am

Re: Passwords are dumb.

Post by Mama Blue »

My 16 digit password is my 4 children's birthdates in order.

You don't know about my 3 older children bc I lost them to a fostercare adoption in 1999, but they are alive, well, and all in their 20s. My oldest daughter has my 5 year old and only grandchild, Lilly. My oldest daughter's birthday is tomorrow, she is an anthropology major at Brockport. My second nonbinary child is an MCC student majoring in comp sci. And my son 💙 lives in Colorado. And well, you know about my youngest.

So my passwords are their birthdays in order. If the pw requires letters, uppercase, lowercase? I spell out one of their names, since 3 of them have 4 letter names, and the other, a 5 letter name. So I don't use the last one. And I stick an exclamation point on the end!!!!

Ice Cream Jonsey
Posts: 28877
Joined: Sat Apr 27, 2002 2:44 pm
Location: Colorado

Re: Passwords are dumb.

Post by Ice Cream Jonsey »

I will write up the stupidity with Facebook and 2FA today.
the dark and gritty...Ice Cream Jonsey!
