|
For that reason we have the policy that your new password must be at least x% different from your old password...
But I've seen the increment as well.
In one such scenario I've even seen that an entire team got one account to access some server.
Every month the person who changed the password would send out an email saying "the new password increment is now 19" (this was important, because after 3 failed attempts you'd be blocked and in for a world of pain trying to get it back).
|
|
|
|
|
Sander Rossel wrote: For that reason we have the policy that your new password must be at least x% different from your old password... Which is another security flaw as it would imply that the passwords are saved in an encrypted format at best.
If the passwords were hashed(with or without a salt) there would be no way(other than brute force guesses without taking into account collisions) to compare the new password to the old password.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
|
|
|
|
|
Yeah, never thought about it like that, but it should not even be possible to check if a new password contains/looks like an old one...
Anyway, Windows supports it, so I guess it's alright
|
|
|
|
|
Speaking of Windows, to change the password you have to provide the current, as well as the new password. I suspect the comparison is done at this stage, because storing non-hashed passwords (at least in AD) supposes to settle a special policy, which fortunately is not applied by default.
"I'm neither for nor against, on the contrary." John Middle
|
|
|
|
|
Thanks for that info - that did not occur to me
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
|
|
|
|
|
I once created a really long password using all the allowable characters. When it came time to change it, the new password was rejected because it had too many of the same characters as the previous one. If the sysadmin had not been able to override that rule, I'd never have been able to use that system again.
|
|
|
|
|
Rejecting new passwords based on the old indicate they are, at best, keeping the old hashes. If the new PW is "George7", they also try "George6", "George5", ... during the validation.
Hey, what could possible go wrong with that?
|
|
|
|
|
Yeah - DoD password requirements are oppressive.
A study was done a number of years ago regarding password complexity. The finding was that as complexity increases, security is reduced - because people have to write their passwords down in order to remember them, thus completely defeating the security that the demanded complexity affords.
I got you beat though - along with the complexity requirements (at least 16 characters, no more than three consecutive letters or numbers, must include numbers, a mix up upper and lower case letters and special characters, no group of letter can create a word, and every time you change it, it can't be more than 50% similar to one of the last 10 passwords you used), my employer forces a password change every 15 days.
This is done for our time sheet app. I mean seriously - WTF!? My strategy is to simply create a GUID in Visual Studio and submit it until one passes their absurd validation, and then save it in a text file.
".45 ACP - because shooting twice is just silly" - JSOP, 2010 ----- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010 ----- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
modified 25-Feb-18 10:08am.
|
|
|
|
|
It's very important that no one ever gets access to those time sheets because then everyone can see how much time you spend on coming up with new passwords!
That sounds insane and counterproductive though!
Here's a suggestion for your next password: M@n@g3M3NTi$In$@ne!
|
|
|
|
|
Pick a word (eight character?), convert it to base-64, done.
|
|
|
|
|
Don't use real data!
What was the name of your first school: Trantor High
Where were you born: Qronos
Mothers maiden name: Iron
and so on.
Yes, you have to keep them somewhere but good luck to anyone trying to guess them!
Keep your friends close. Keep Kill your enemies closer.
The End
|
|
|
|
|
I did that last time, made a screenshot of the form with four(!) questions and answers and saved it in a folder on my desktop.
Couldn't care less if that account got hacked, jokes on the hacker, the customer account is now yours I don't want anything to do with it!
|
|
|
|
|
I recall not too long ago, a bank I wanted to use to transfer money to another person demanded I identify myself. A list of ridiculous questions appeared, including a demand that I identify the current address of my ex-wife. We split 30 years ago and I haven't heard (thankfully) since! Morons everywhere, and we let them program computers and vote!
Will Rogers never met me.
|
|
|
|
|
Roger Wright wrote: including a demand that I identify the current address of my ex-wife Maybe it was a trick question?
So, you haven't been paying your alimony Mr. Wright...
But seriously, what were they thinking?
It's not even any of their business where anyone except you live!
An infringement on your ex's privacy by a bank that she has nothing to do with.
|
|
|
|
|
I just default to 1234567890
User: Technical term used by developers. See Idiot.
|
|
|
|
|
That's not very secure, you old fool!
|
|
|
|
|
Are you my great great great great great grandson? I lose track.
User: Technical term used by developers. See Idiot.
|
|
|
|
|
Don't think so, as my grand grand grand grand grandpa isn't on the internet
|
|
|
|
|
I just provide the same answer to all those questions. I need remember only one thing. And its very memorable.
|
|
|
|
|
Yeah, that's probably a better "question", a second password that you never use in case you lose your first.
Because that's basically what it is
|
|
|
|
|
What does dividing a letter by two even mean? As a developer I'd think of its ASCII integer value, but mere mortals wouldn't be asked that question. Its position in the alphabet? For odd-numbered letters, do you then round up, or down?
(Once again, I'm probably overthinking this, and it wasn't the point to your post anyway...)
The problem with these "secret questions" is that the answer isn't always necessarily difficult to answer. Wasn't there a well-publicized case a few years ago of some government official who managed to get some hacker to successfully go through an email password reset procedure, because all of the questions could be googled (like what high school did he go to, or the name of his dog, all of which he had answered at one point or another in various interviews or they were part of his page on Wikipedia...)?
Of course being a "nobody" myself, I don't have to worry about that aspect, but still - when I'm asked these questions for an important site, the answer I provide is as long and complex and non-memorable as the output of a password generator. Which defeats the "easy to answer" purpose of these questions, but I believe those are a bad idea to begin with.
|
|
|
|
|
|
Sander Rossel wrote: Funny how you were only wondering about the dividing a letter part though
You don't wanna know how my brain works.
|
|
|
|
|
Just use Keepass, or another keeper, and use their algorithm supplied passwords for those 'questions.' Far more secure, if security is your wish.
|
|
|
|
|
Don't provide real answers. Just put in a password, so to speak, as the answer. All this password stuff is so ridiculous it actually makes things less secure.
Everyone is born right handed. Only the strongest overcome it.
Fight for left-handed rights and hand equality.
|
|
|
|