Passwords

[Kittyhawk]

I don't have a computer, just a tablet and I understand the need that startup should be password protected in case my tablet should fall into the wrong hands, but why do the few websites that I am signed up to require a password to access?
The latest is my doctors practice which has gone online and I can peruse all my records, make appointments, order repeat prescriptions etc. etc. And they tell me that all my sensitive information can only be accessed via a login ( invariably my email address) and a password which has to be at least 8 characters long because they take my on site security seriously. So one more password to either remember or write down - or in my case, not.
I fill in the login box with my email address and then hit 'Forgot Password'. Within a second they email me a temporary password which is active for anywhere between 5 minutes and two hours. I cut/paste it into the password box and I'm good to go. It may take a second or two longer but I'm not that pressed for time and the convenience of not having to remember passwords is well worth it. I do that with all the sites I'm signed up to.
The problem is, if I can tap the 'forgot password' button, so can anybody else so I don't see the point of these passwords in the first place.

 

[artie]

Anyone can press "forgot password" but not anyone should have access to your email.

A good tip is to take a song you like and take the first letter of the first 8-10 words and use this for your password. You'll never forget it

If they insist on some numbers put in the day you were born, or the month, or the year.

 

[AES]

Agree 110% Kittyhawk.

Yes, there IS identity theft (and cash theft too), BUT, IMO "the whole world" has "gone password crazy". AND "they" presume to dictate what characters, how many, etc, etc, I can have in my PW!

I contrast I have a (plastic) sort of credit card for one of the petrol companies that run a chain of filling stations throughout the country here. It's at least 20 years old and came issued with a password which cannot be changed. It's FOUR digits. Like just about every other password, you're limited to 3 attempts a logging in (at the filling station) before you're refused.

So I don't know what the chances are of someone finding/stealing that card and trying to buy petrol on my card, but I do know that over that past 20-odd years I have lost my wallet (WITH that credit card) and no one else has ever bought petrol with my card.

It seems to me that because "a lot" of people use simple stuff like birth dates, wife's or dog's name, etc (so that they don't forget them), I use my old military service number which a) I cannot forget, and b) which anyone else would have the devil of a job to find out.

We have now reached the stage where there are special programmes and website gizmos which will store your passwords for you so that you can't forget/easily retrieve them.

As above, I KNOW that both identity AND financial theft takes place on a daily basis, but I believe, most often to those who act in a really naive fashion when "approached" by scammers, phishers, etc.

So to me anyway, "BAH. HUMBUG".

Rant over

 

[Geoff_S]

To receive your temporary password you will need to sign into your email account … with your email password. Am I missing something?

 

[Phil Pascoe]

It's not the email password he's forgotten, it a password for a particular site - Amazon, BBC, whatever.

I must admit the one that really irritates me is "to change your password enter the last password you remember using". If I remembered the last one I wouldn't need another one.

 

[niemeyjt]

If you must use a password instead of a more secure mechanism to login to a system, ensure you use a different password on each and every system - and if you cannot remember them, use a password manager to store them - preferably not the browser.

And aim for 16 characters or more - not just 8.

 

[DrPhill]

Use a password manager. I use proton pass, which I believe you can get on a free account. This will store all your passwords (secured using a single password). **Other password managers are available.**
Password managers can generate new random passwords for each site, and even auto fill them for you on websites. This way you get:

• A unique 'hard' password for every site.
• Passwords stored safely encrypted in the cloud (on Proton pass at least, and probably on others).
• Passwords inserted for you so you don't have to remember.
• One password to remember (your password manager). Make this a good one.

Whats not to like?

 

[Kittyhawk]

Whats not to like?

What's not to like is that I used to have a password management program called Dashlane. It was free and worked ok but now, like most, they upgrade with a whole bunch of 'improvements' that I don't like or want and since they are doing this for my supposed benefit I now have to pay for the service - a lot.
It just seems to me that having a 'forgot password' function on sites kind of defeats the purpose of having a password.
Knock knock.
Who's there?
Chris.
What's the password?
Dunno. I forgot.
Hold on, I'll get you another one..

 

[Inspector]

My iPhone has facial recognition to let me in and my banking and credit card apps both have facial recognition to get in. I've never looked but maybe there is a password manager that uses facial recognition that will work on your tablet assuming it has a camera that faces you. I find it hard to forget my face.

Pete

 

[AES]

Use a password manager. I use proton pass, which I believe you can get on a free account. This will store all your passwords (secured using a single password). **Other password managers are available.**
Password managers can generate new random passwords for each site, and even auto fill them for you on websites. This way you get:

• A unique 'hard' password for every site.
• Passwords stored safely encrypted in the cloud (on Proton pass at least, and probably on others).
• Passwords inserted for you so you don't have to remember.
• One password to remember (your password manager). Make this a good one.

Whats not to like?

Well sorry, confirmed PC Luddite and all that, but to answer your Q, in my case "Just about everything"! And as for 16 (was it?) characters? Again in my case, "NOT a chance mate!"

 

[Spectric]

A password is nothing more than a digital key that confirms you to the site and helps prevent unwanted access. They can be a right pain but are important to protect you from fraud and scams.

The problem is, if I can tap the 'forgot password' button, so can anybody else so I don't see the point of these passwords in the first place.

But the temporary password is sent to your email so only you can access it.

 

[Kittyhawk]

But the temporary password is sent to your email so only you can access it.

Exactly!
So if sites automatically send a new password within milliseconds of pushing the 'forgot password' button, isn't this a preferred option to trying to remember screeds of passwords?
In fact it could be argued that getting a new password each time you log in is actually safer because the sent password only remains valid for a few minutes.

 

[niemeyjt]

Well sorry, confirmed PC Luddite and all that, but to answer your Q, in my case "Just about everything"! And as for 16 (was it?) characters? Again in my case, "NOT a chance mate!"

The recommendation of 16 has a background - older Microsoft systems used to store the passwords in two blocks of seven which if the system were compromised are easily broken. One hope these are now upgraded - but who knows?

Nowadays there are tools to crack passwords very quickly off a compromised system - also why passwords should be unique.

And don't forget - change your WiFi also using same rules - the way my ISP set the default is insecure.

Have al look at https://haveibeenpwned.com/

 

[Spectric]

In fact it could be argued that getting a new password each time you log in is actually safer because the sent password only remains valid for a few minutes.

That is very true because a fresh password is safer than one that has been in use for ages and it also will not reflect any of your personal knowledge, ie people do tend to use data they can remember easily such as dates and names whereas a random sequence of numbers & characters has no association with yourself.

 

[MorrisWoodman12]

Apparently passwords are old hat now: passkeys are the in thing though I've still to get my head around them and their supposed advantages.
I'm still a password user and to make things easier to remember have used an old address, e.g. the one I grew up in just with the spaces removed and maybe rearranged e.g. Road257Western. If non-alpha characters are required then add them at the front or end. Whereas I agree with Spectric an address from 60 years ago is hardly going to be associated with you

 

[Agent_zed]

Exactly!
So if sites automatically send a new password within milliseconds of pushing the 'forgot password' button, isn't this a preferred option to trying to remember screeds of passwords?
In fact it could be argued that getting a new password each time you log in is actually safer because the sent password only remains valid for a few minutes.

The problem with this is that if someone gets hold of your email password they can just have a search through your emails and see what you have subscribed to/signed up for, and then go and do password resets on each of these.

This is the reason for A. having the strongest password you can on your email and B. using 2 factor authentification (2FA). 2FA is an additional step and normally requires a phone to authenticate you are who you say you are.

If you log into your email with 2FA it will send a code to your phone. You can choose to then get it to remember the computer you are on has been verfied as a safe place for your email login. Then for example If someone from china has your email address and password and tries to log in, again it will send a code to your phone, at which point you think 'did I just try and sign in from guangdong province?' to which it is likely a no. The hacker won't get any further and you will know to change your password asap. This means that even if your computer is compromised and they get your email/password they still won't get in.

 

[Terrytpot]

My iPhone has facial recognition to let me in and my banking and credit card apps both have facial recognition to get in. I've never looked but maybe there is a password manager that uses facial recognition that will work on your tablet assuming it has a camera that faces you. I find it hard to forget my face.

Pete

Bitwarden is the one I use although annoyingly the facial recognition only works on my iPad but not my iPhone…

 

[Skydivermel]

Below is some advise I put together sometime ago for a group of folks in my village. This may help some on here.

Also check out your email address on https://haveibeenpwned.com/ and your password on https://haveibeenpwned.com/Passwords

Use Strong Passwords
There is a lot of confusing and contradicting information about password security best practices on the internet. In an effort to clear up that confusion, let’s break down the basics of how using a strong password improves your security.

Whenever creating a password, the first item that you will want to consider is the length of the password. The list below shows the estimated time it takes to crack a password using a four-core i5 processor. A more powerful processor will take less time.

7 characters will take .29 milliseconds to crack.
8 characters will take 5 hours to crack.
9 characters will take 4 months to crack.
10 characters will take 1 decade to crack.
12 characters will take 2 centuries to crack.

So as you can see, adding a single character to your password can significantly increase the security of your login. A password that it is at least 12 characters long, random and includes a large pool of characters like “ISt8XXa!28X3” will make it very difficult to crack.

Unfortunately, some hackers are leveraging GPUs and stronger CPUs to decrease the amount of time needed to crack passwords. So to strengthen your logins, also be mindful of your password entropy. The higher the password entropy is, the more difficult the password will be to crack.

For example, based on just the length requirement, a password like “abcdefghijkl” is 12 characters, which is great and should take 200 years to crack. However, since the password uses sequential strings of letters, it makes the password much more predictable compared with a password like “rfybolaawtpm” which has randomized characters.

Randomizing characters decreases the predictability and increases the strength of the password. But both of these passwords have one thing in common that ultimately reduces the password entropy. Both are only using lower case letters, limiting the pool of possible characters to 26. That’s why it’s vital to include alphanumeric, upper-case letters and common ASCII characters to increase the pool of characters needed to crack the password to 92.

Example:

Password entropy

Password entropy is a measurement of how unpredictable a password is.
The formula for entropy is:


E stands for "entropy," which is the opposite of an ordered pattern. Entropy is good: the bigger the E, the harder a password is to crack.
________________________________________
We calculate password entropy by first looking at the pool of characters a password is made from.
For example, the password password would have a possible pool of 26 characters from the English alphabet.
Changing the password to Password would increase your pool to 52 characters. I made a table below to outline the rest.



Type Pool of Characters Possible
Lowercase 26
Lower & Upper Case 52
Alphanumeric 36
Alphanumeric & Upper Case 62
Common ASCII Characters 30
Diceware Words List 7,776
English Dictionary Words 171,000
________________________________________
Password strength is determined with this chart:
< 28 bits = Very Weak; might keep out family members
28 - 35 bits = Weak; should keep out most people, often good for desktop login passwords
36 - 59 bits = Reasonable; fairly secure passwords for network and company passwords
60 - 127 bits = Strong; can be good for guarding financial information
128+ bits = Very Strong; often overkill

While a password with 40-50 bits of entropy may be semi-safe now, it is only a matter of time until GPUs become more powerful, and password cracking takes less time!
________________________________________
Here is an example:

If your keyboard has 95 unique characters and you are randomly constructing a password from that whole set, then R = 95.
If you have a 12-character password, then L = 12.
The number R to the L power is 540,360,087,662,636,962,890,625 -- which is how many passwords you have available.
That's the same as 278.9 -- and the log2 of that is 78.9. In info-security lingo, it's 78.9 bits of entropy. That approaches the "exponential wall," where a password could be nigh on impossible to crack.

Hope this helps.

 

[stuart little]

Ebay has become a PITA lately. It won't let me buy anything unless I clear my 'cache' & cookies, and then sign in AGAIN, AND get a PIN sent to my mobile (which is all I use it for), which I then have to wait for it to find the network, then search for a signal. I didn't ask for 2FA (or FA anything else!). Now I want to get rid of "FA, anybody know how?

 

[niemeyjt]

2FA is now mandated in many financial applications - and maybe ebay fall under same category.

Look up Payment Services Directive for more info.