I keep hearing this flipping advert on the Radio, just use 3 random words for your e-mail password, from Cyberaware.com. I don't know if this is something they fished out from the 80s, or perhaps it's done by people with no knowledge of modern password systems and retrictions. I just had to vent because: * Passwords usually **have** to consist of a mixture of upper and lower case letters and number, sometimes even have to include a symbol * Very long passwords are often not accepted. The example in the advert is around 23 or 24 letters, many systems won't accept that

@"DavecUK"#p12405 The typical reaction for these at home is: ![Giphy - Music Video Nostalgia GIF](https://media1.giphy.com/media/qucJWFolJN6rS/giphy.gif?cid=bb77869fmrsfnzr61wlt6cgi7vzgi7hymm8pc8289vu64l77&rid=giphy.gif&ct=g)

3 Random Words advert

DavecUK

I keep hearing this flipping advert on the Radio, just use 3 random words for your e-mail password, from Cyberaware.com. I don’t know if this is something they fished out from the 80s, or perhaps it’s done by people with no knowledge of modern password systems and retrictions. I just had to vent because:

Passwords usually have to consist of a mixture of upper and lower case letters and number, sometimes even have to include a symbol
Very long passwords are often not accepted. The example in the advert is around 23 or 24 letters, many systems won’t accept that

MediumRoastSteam

DavecUK Very long passwords are often not accepted. The example in the advert is around 23 or 24 letters, many systems won’t accept that

Most of the sites I sign up with have very long randomly generated passwords. In all honesty, I’d be very weary of a website not accepting long passwords containing all sorts of characters. IMO, shows that they are not up to date with the latest security trends.

DavecUK

In most sites, their method would result in a rejected password. Government guidance is the same, so we can guess who funded all this….

Meldrew

I have some very strong passwords. Well they must be as I can never crack half of them.

DavecUK

I use a password manager

LMSC

Same here after managing them in word for a long time. Access to the password manager needs to be authenticated by a hardware key as an added security.

DavecUK

LMSC Something you have and something you know. I also use multifactor authentication.

LMSC

DavecUK The typical reaction for these at home is:

Giphy - Music Video Nostalgia GIF

Meldrew

I have been a bit hesitant to try as I have always wondered how secure a password manager would be or if they could be vulnerable to attack.

PortafilterProcrastinator

@DavecUK I have heard that advert a lot recently too and agree it is flawed for reasons including the ones you set out.

Things like this do however always make me think of this:

(https://xkcd.com/936/)

Which is explained here:

https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength

And discussed here (as an example):

https://security.stackexchange.com/questions/62832/is-the-oft-cited-xkcd-scheme-no-longer-good-advice

All quite dated as you will see, but I have not found (not that I have spent much time looking) that the maths behind this has been debunked.

simonc

PortafilterProcrastinator exactly. It’s the websites that require 8-16 chars with a number, symbol and uppercase that are outdated. Encourages people to use simple word with number on the end and it’s easy to brute force. Significantly longer password is much harder even if no numbers or symbols.

What annoys me is websites that won’t allow certain symbols that password managers want to include.

MediumRoastSteam

2FA is the way forward.

LMSC

preferably if you can make it hardware based.

LMSC

We can’t protect anything if a state to wants to get into a system. This shouldn’t be a concern unless we have something to protect. Our intent at home is to protect us against a common hacker and make it as much difficult as possible for a pro.

DavecUK

simonc What annoys me is websites that won’t allow certain symbols that password managers want to include.

Absolutely….tell me about it.

Realistically though passwords are never hacked (unless you use Pa55word or summat), usually they are disclosed. to brute force even 12 characters a to z lower case, if they are random ,is pretty much impossible…mainly because after 3-5 attempts, you’re done.

simonc

DavecUK don’t they brute force offline somehow? I’m no expert though, just interested to try and make my password hard enough. But yes it’s the disclosure from a site breach that means you don’t want to be reusing that is more important.

DavecUK

simonc don’t they brute force offline somehow?

Don’t believe what you see in the movies. e.g. DEC/VAXes all had a backdoor, that most people didn’t know about and thus never closed. In this way their support could use that user account to get into a VAX where the admin had locked themselves out. I soon disabled that. The other way into one was on the system console itself with the original OS load tape.

Most hacks exploit back doors, or leaked passwords, brute force hacking really isn’t a thing. On mainframes, each attempt took longer and longer, by attempt 4 is was 1 hour and by attempt 5 it was a day. For many years I ran systems and had to keep them very secure.

Drewster

DavecUK On mainframes, each attempt took longer and longer, by attempt 4 is was 1 hour and by attempt 5 it was a day. For many years I ran systems and had to keep them very secure.

Many, many, many years ago, when I first started working in IT (before it was even called IT - ADP Automatic/mated Data Processing) I worked on an IBM VM “Mainframe”.

One bloke “managed” the ½ dozen Sandwich Students that passed through each year.
He was terrible at keeping his password secure. The running joke with the students was, when they inevitably found it out, to booby trap his login (Profile.exec) with a “sleep 5” - which basically paused his login for 5 seconds or until enter was pressed.

Each day/when they felt like it they added another line “Sleep 5” - so unless he pressed enter his login would take progressively longer and longer.

Periodically he would come to the techies complaining the system was taking ages to start up and we would edit his profile and delete, sometimes hundreds of, lines of “sleep 5”, change his password and advise him to keep it secure….