[TheFinalEpic]

Quote:

3. Online banking and payment services are very convenient but their password requirements are a pain in the ass because they vary so much across different services. I find myself constantly having to create new passwords to fulfill the requirements of a website that are different (not necessarily stricter) from all the existing services. Worse, when I set up auto payments, I don't end up logging in for several months. When I eventually do (e.g. to enter a new credit card), I forget the special password that I created and often end up getting locked out due to trying too many passwords and having to call the company. This wouldn't be a problem if these websites showed the password requirements during login to help me remember, but these IT departments are not run by people who care about efficiency or practicality. They'd rather let the customer service department handle the calls to unblock logins after too many failed retry attempts.

I've actually had the exact opposite experience, that there are banks here that believe that a maximum of 6 character password is adequate.

I left that bank, but the time it would take to brute force a 6 character password with current technology is about as long as it took you to read this sentence. And that is with special characters and such, if its anything simpler than that, it would be an instant crack.

I think that the point made about the fact that software developers don't even really know what they are doing is super accurate.

[Handsome Creepy Eel]

Don't pretty much all login services have automatic timeouts, i.e. if you fail the password 3 times you get locked out for 5-10-XYZ minutes? Or do hackers somehow bypass that restriction and manage to spam a billion combinations a second anyway?

[kuqezi]

(07-22-2018 12:03 AM)Handsome Creepy Eel Wrote:  

Don't pretty much all login services have automatic timeouts, i.e. if you fail the password 3 times you get locked out for 5-10-XYZ minutes? Or do hackers somehow bypass that restriction and manage to spam a billion combinations a second anyway?

A bit off topic here but...yes and no.

Yes, there is a lock out after some retries but sometimes tied to a specific device/ip/mac etc.

No, because it's easier to spoof IPs and MACs and come from different NAT exit points etc.

I won't go further in this since it gets pretty hairy technically.
Cheers!

[kuqezi]

(07-21-2018 04:17 PM)TheFinalEpic Wrote:  

Quote:

3. Online banking and payment services are very convenient but their password requirements are a pain in the ass because they vary so much across different services. I find myself constantly having to create new passwords to fulfill the requirements of a website that are different (not necessarily stricter) from all the existing services. Worse, when I set up auto payments, I don't end up logging in for several months. When I eventually do (e.g. to enter a new credit card), I forget the special password that I created and often end up getting locked out due to trying too many passwords and having to call the company. This wouldn't be a problem if these websites showed the password requirements during login to help me remember, but these IT departments are not run by people who care about efficiency or practicality. They'd rather let the customer service department handle the calls to unblock logins after too many failed retry attempts.

I've actually had the exact opposite experience, that there are banks here that believe that a maximum of 6 character password is adequate.

I left that bank, but the time it would take to brute force a 6 character password with current technology is about as long as it took you to read this sentence. And that is with special characters and such, if its anything simpler than that, it would be an instant crack.

I think that the point made about the fact that software developers don't even really know what they are doing is super accurate.

The password itself needs to be complicated but as you correctly point out passwords nowadays with multi-threading and multi-cores are not that difficult to break...granted brute force is not always optimal.

The key things today are multi factor authentication and one time passwords together with strong encryption.

Sorry for going off-topic again on my own thread.