Passwords are dumb.
Posted: Sat Oct 16, 2021 2:01 pm
by objectinspace
My phone is one of the most secure phones ever. It always has the latest Android security update, my data partition is encrypted with a PIN. But this is not why it is so secure. It is secure because two or so years ago, I dropped it into the street and the screen cracked. Ever since, it displays nothing. The chance that anyone is gonna learn TalkBack in order to exfiltrate my data is 0. It's not even useful to anyone if they were able to wipe the data, because the screen is still trashed. So I make things easy on myself and use autofill everywhere. Why do I need autofill? Because I can't remember my passwords.
A "strong" password is one that is not a dictionary word, contains a mix of upper and lower case letters, numbers, and symbols. In other words, the harder it is to remember, the better. Worse, if you have one or two complex passwords that are easy for you to remember, you are only exposing yourself to the service itself being hacked and exposing it, forcing you to change that password for all other services you use. This is to defend against the computer's ability to guess every username/password combination that has ever been leaked for every site, and every word in the dictionary, which it will always remember perfectly--well, as long as its dataset is up to date. And if that doesn't work, it has infinite time to guess random combinations which it can enter in fractions of a second. The human brain will always be worse at creating and retaining a password than the computer's ability to break it.
So how do we solve this problem? We store the passwords somewhere. Either by writing it down, or by using a password manager. Both of which fundamentally undermine the security of the password. Plus, then you stop remembering all your passwords, even ones you don't archive! So instead I end up resetting the password back to one of my standard ones. Was that one caught in a datamine? I don't remember. Probably not!
Passwords are dumb. They don't work. What works is a weak password paired with 2-factor authentication. So why isn't this the method used for everything?
Re: Passwords are dumb.
Posted: Sat Oct 16, 2021 2:17 pm
by AArdvark
I secured my phone by not activating the email function and by never taking it out of the house. If anyone steals my phone they have access to a bunch of Crazy Doodle photos and dog pictures and a lot of Old Time Radio episodes.
Re: Passwords are dumb.
Posted: Sat Oct 16, 2021 2:20 pm
by Ice Cream Jonsey
Drew hates passwords, and *I* hate two factor authentication!!! We are now mortal enemies!!!!!! SYSOPS BEWARE
Re: Passwords are dumb.
Posted: Sat Oct 16, 2021 5:44 pm
by The Happiness Engine
How exactly does a broken screen stop "drop into debug mode, pull everything out the USB port"??
Security Indeed.
Re: Passwords are dumb.
Posted: Sat Oct 16, 2021 5:54 pm
by RealNC
1km$$by@tbB! - I keep my dolla dolla bills y'all at the bank BITCHES!
That's my way of remembering important passwords :P
Re: Passwords are dumb.
Posted: Sat Oct 16, 2021 6:02 pm
by objectinspace
The Happiness Engine wrote: Sat Oct 16, 2021 5:44 pm
How exactly does a broken screen stop "drop into debug mode, pull everything out the USB port"??
Security Indeed.
Look at you! So smart. You saw straight through my subterfuge! Well Mr. smarty, I am one step ahead of you, because the phone's USB port is also broken! It usually can charge, but the fucking thing fails to connect to the PC 9 times out of 10. (nearly) perfect security maintained!
Robb: this saddens me. How did 2FA hurt you?
Re: Passwords are dumb.
Posted: Sat Oct 16, 2021 6:38 pm
by Ice Cream Jonsey
objectinspace wrote: Sat Oct 16, 2021 6:02 pm
The Happiness Engine wrote: Sat Oct 16, 2021 5:44 pm
How exactly does a broken screen stop "drop into debug mode, pull everything out the USB port"??
Security Indeed.
Look at you! So smart. You saw straight through my subterfuge! Well Mr. smarty, I am one step ahead of you, because the phone's USB port is also broken! It usually can charge, but the fucking thing fails to connect to the PC 9 times out of 10. (nearly) perfect security maintained!
He's thought of everything! Well maybe I'll bang your phone!
Robb: this saddens me. How did 2FA hurt you?
I was partially kidding BUT consider this - there were stories going around of people calling up phone companies and socially engineering phone numbers away from people. The reps at these companies weren't trained for someone to be so evil, but people were. I think using our phones for 2FA is pretty silly when we live in a world where you could have your phone number stolen. I also think that this gave rise to scams where people used 2FA against the victim - the whole craigslist "let me just send you a code so I know you're real" but really it's a code sent to your phone that allows the hacker to get your stuff.
Related to that, I am using Brave to access my checking account and I do so multiple times a day. My stupid bank makes me use 2FA *every single time*. My computer is as secure as your phone. I lock it when I leave it for 5 minutes and I don't live near people. There is no chance someone got to my PC. Why is my bank asking for a 2FA confirmation 10 minutes after I last did 2FA? It's a fault of 2FA in my mind when it can be implemented so stupidly.
If we want to do 2FA right, let's use passwords and let's issue every American a device for their fingerprint. Or retinal scanner. A lot of this comes from the fact that I have seen poorly implemented software multiple times each day for the last 15 years and then I come to the other thread and log it. Webshit creators can't handle it with any intelligence, so yeah, let's DO it but do it correctly.
Re: Passwords are dumb.
Posted: Sat Oct 16, 2021 11:11 pm
by objectinspace
Anything can be implemented shittily, which forcing you to log in every ten minutes certainly is. That would be annoying whether you had 2FA on or not, though the 2FA makes it worse since it adds a step, plus it's totally unnecessary. If the site recognizes the device, there isn't much need for another prompt. I agree that the phone number is a lazy solution, using keys or an authenticator app is much better. There was supposed to be a feature of Android that would make every phone a bluetooth security key, but IDK what happened with that because it never worked for me. Google has a "send a code to your phone" option which I really like because it makes you acknowledge the prompt *on the phone* with SMS, since I also text on the web I can authenticate from the same browser session, which sort of defeats the purpose. Then again, so does sending the OTP to your email, I guess. So yeah, 2FA can be dumb too, for sure. I'd still take it over having to remember a different passphrase for every website, or not remembering and constantly dealing with account resets.
Re: Passwords are dumb.
Posted: Sun Oct 17, 2021 5:08 am
by AArdvark
Maybe we should eliminate the people who would take advantage of data breaches and unsecured websites. Can't we have a world full of honest people?
Re: Passwords are dumb.
Posted: Sun Oct 17, 2021 9:27 am
by Tdarcos
Passwords are a stupid authentication method now, because we don't need them.
XKCD has a cartoon on how to solve the password problem, by using passphrases instead. Easier to remember and much harder to crack.
You can even use only words in the dictionary, and it's still secure. Who's going to guess your password for your on-line bank account is "this bank can go fork itself" (without quotes, and the sentiment censored). That's 27^28 different (space being an additional character) possible tries to brute force that, or 1.1972515e+40 possible choices, and at 1000 attempts per second, would take 1.1972515e+37 seconds, or about 7.917688e+30 years to crack using brute force. Because, if the pass phrase can be up to, say, 50 characters and allows spaces, you can't know how long it is, and you have to try everything, because you don't know if they (accidentally or intentionally) misspelled a word, or (if numbers are allowed) used 1337 5p34k (leet speak). Consider that the universe is currently only about 1.35000e+9 years old, the universe is likely to suffer heat death long before you crack that.
If upper/lower case is significant, it's not twice as big, which is not double, or 1.5835376e+31, but is exponentially larger, 53^28 or 1.9042517e+48 possible phrases, which, at 1000 attempts per second, is 5.9760915e+40 seconds or 1.87547e+33 years to crack using brute force. Since the original number is already huge, I would not recommend making it case-sensitive. And if punctuation is optionally allowed, the base number again rises exponentially. So, if I used, "Above all else, we shall go on... and continue!" (including quotes) that's 49 characters not even making case significant, and with these characters: !@#$%^&*()_+}{|":?>< for punctuation, this raises the attack surface to 49 characters, with digits 59, raised to the power of the number of allowed characters in the pass phrase.
Make authentication easy for humans to remember, and hard for computers to solve.
Re: Passwords are dumb.
Posted: Sun Oct 17, 2021 9:43 am
by AArdvark
So you're saying my wifi logon is more secure than my bank account because my wifi lets me use up to fifty characters and my bank restricts me to between 8 and 15 characters?
Re: Passwords are dumb.
Posted: Sun Oct 17, 2021 10:49 am
by Ice Cream Jonsey
Tdarcos wrote: Sun Oct 17, 2021 9:27 am
Passwords are a stupid authentication method now, because we don't need them.
XKCD has a cartoon on how to solve the password problem, by using passphrases instead. Easier to remember and much harder to crack.
You can even use only words in the dictionary, and it's still secure.
Wrong. So many people have posted that comic that one of the leading ways people try to crack passwords is by slinging dictionary words. It's easier than random characters because you can leave out the random strings.
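As an added example (not code from anyone in the thread), a short Python script that rates the passphrase from the two posts above under both attacker models they argue about: character-by-character brute force, which is what the 27^28 figure assumes, and wordlist combination, which is the dictionary attack the reply describes. The guess rate, the attacker wordlist size and the COMMON_WORDS sample are assumptions made for the illustration.

```python
import math

# Added example, not from the thread. The parameters below are assumptions.
GUESSES_PER_SECOND = 1_000            # rate used in the post above
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ATTACKER_WORDLIST_SIZE = 10_000       # assumed size of a cracker's wordlist
# Constructed sample standing in for that wordlist (only membership is checked).
COMMON_WORDS = {"this", "bank", "can", "go", "fork", "itself", "above", "all", "else"}

def bits(search_space: int) -> float:
    """Entropy in bits of a search space with this many equally likely candidates."""
    return math.log2(search_space)

def brute_force_space(alphabet_size: int, length: int) -> int:
    """Attacker knows nothing: every string of this length over the alphabet."""
    return alphabet_size ** length

def wordlist_space(wordlist_size: int, word_count: int) -> int:
    """Attacker models the phrase as word_count words drawn from a wordlist."""
    return wordlist_size ** word_count

def years_to_exhaust(search_space: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the given guess rate."""
    return search_space / rate / SECONDS_PER_YEAR

def passphrase_models(phrase: str, alphabet_size: int = 27) -> dict:
    """Bits of work under each attacker model that applies to this phrase.

    alphabet_size=27 is lowercase letters plus space, as in the post above.
    The wordlist model only applies when every word is in the attacker's list.
    """
    words = phrase.split()
    models = {"character_brute_force": bits(brute_force_space(alphabet_size, len(phrase)))}
    if words and all(w in COMMON_WORDS for w in words):
        models["wordlist_combination"] = bits(wordlist_space(ATTACKER_WORDLIST_SIZE, len(words)))
    return models

def effective_bits(phrase: str, alphabet_size: int = 27) -> float:
    """Strength a defender should assume: the cheapest applicable attack."""
    return min(passphrase_models(phrase, alphabet_size).values())

if __name__ == "__main__":
    for phrase in ("this bank can go fork itself", "this bank can go xkqz itself"):
        for model, b in passphrase_models(phrase).items():
            print(f"{phrase!r}: {model} = {b:.1f} bits, "
                  f"{years_to_exhaust(2 ** b):.2e} years at {GUESSES_PER_SECOND}/s")
        print(f"  effective strength: {effective_bits(phrase):.1f} bits")
```

The all-dictionary phrase drops from about 133 bits under brute force to about 80 bits under the wordlist model, which is the gap the reply is pointing at; one misspelled word removes the wordlist model entirely.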
Re: Passwords are dumb.
Posted: Sun Oct 17, 2021 10:50 am
by Ice Cream Jonsey
AArdvark wrote: Sun Oct 17, 2021 9:43 am
So you're saying my wifi logon is more secure than my bank account because my wifi lets me use up to fifty characters and my bank restricts me to between 8 and 15 characters?
Please do not listen to Tdarcos when it comes to the matters of the law, religion or password security. He should never, ever try to challenge me on those topics as he will look like a fool if he does so.
Re: Passwords are dumb.
Posted: Sun Oct 17, 2021 1:54 pm
by bryanb
Coincidentally, the password I use for everything is thisBankcangoforkitself@37. I think I'm going to have to change it because it just doesn't feel secure anymore.
Re: Passwords are dumb.
Posted: Mon Oct 18, 2021 1:37 pm
by Tdarcos
AArdvark wrote: Sun Oct 17, 2021 9:43 am
So you're saying my wifi logon is more secure than my bank account because my wifi lets me use up to fifty characters and my bank restricts me to between 8 and 15 characters?
First, is your Wi-Fi password sent encrypted? But, in general, yes, even if the numbers were reversed, for the simple reason one of them has a lot more people trying to break in. At best, your router gives access to your network, and maybe examine/change your computer. And they have to be in the neighborhood to hack your Wi-Fi.
On the other hand, they can hack into the bank from any of about four billion convenient locations worldwide. And they could get anywhere from hundreds to thousands if they can get into someone's account, and a hell of a lot more if they can use it to escalate privilege and go after the bank itself. But simply, using passwords requires you think of something you have to remember and yet be hard for a computer to guess, which usually turns out to be the other way around. But a passphrase can be easily remembered and because it's a lot harder to crack, is more secure than a weird set of characters that in the future can be cracked by a fast computer in anywhere from minutes to hours.
Re: Passwords are dumb.
Posted: Mon Apr 03, 2023 6:31 pm
by objectinspace
I'm resurrecting this ancient thread in light of this pair of articles, which scare the everloving shit out of me: ... p-attacks/ ... 023-4?op=1
TLDR: attackers can impersonate your cell phone number and intercept your texts (as has apparently occurred at scale for some fi/T-Mobile customers). Once this happens they can do anything. They can open credit cards in your name, and reset the passwords+bypass 2FA for everything that lists your phone number as a recovery method. If this happens, it would appear you are shit out of luck: the police won't help, the banks won't help, the apps/sites will think you are the fraudster, the retailers will let people buy goods off stolen cards all day if the charge goes through, and the "support" technicians for your phone service won't believe your account is being hijacked.
I mean... fuck!
On the bright side, it does appear there are smart people working on this. Duo and Authy let you approve signin notifications from your phone with a tap which is much better than entering a code! Microsoft does as well but they go a step further and allow you to remove the password entirely. Google will send notifications to all the Android phones added on your account and can also let you set up your phone as a bluetooth security key when you sign in, even if you do not use their authenticator. I love all of this, however it is all meaningless unless you take the step of actually removing your phone number from all your accounts.
Re: Passwords are dumb.
Posted: Mon Apr 03, 2023 7:00 pm
by objectinspace
Oh also (because I can't help myself) hope you weren't using LastPass! ... y-roundup/
Re: Passwords are dumb.
Posted: Mon Apr 03, 2023 7:21 pm
by Ice Cream Jonsey
I was. But I can't any longer, the constant breaches and other annoyances are too much. Bad product.
Re: Passwords are dumb.
Posted: Tue Apr 04, 2023 9:17 am
by Mama Blue
My 16 digit password is my 4 children's birthdates in order.
You don't know about my 3 older children bc I lost them to a foster care adoption in 1999, but they are alive, well, and all in their 20s. My oldest daughter has my 5 year old and only grandchild, Lilly. My oldest daughter's birthday is tomorrow, she is an anthropology major at Brockport. My second nonbinary child is an MCC student majoring in comp sci. And my son lives in Colorado. And well, you know about my youngest.
So my passwords are their birthdays in order. If the pw requires letters, uppercase, lowercase? I spell out one of their names, since 3 of them have 4 letter names, and the other, a 5 letter name. So I don't use the last one. And I stick an exclamation point on the end!!!!
Re: Passwords are dumb.
Posted: Fri Apr 07, 2023 8:49 am
by Ice Cream Jonsey
I will write up the stupidity with Facebook and 2FA today.