How breakable is your password?


Actual

758 posts

107 months

Friday 26th April
The problem with complicated unique password rules is that they have to be written down and stored somewhere.

In work, and increasingly for personal use, I am using Microsoft Authenticator. I'm sure that there are downsides to this, but I've tried reading up and the documentation and explanations are impenetrable.

So...

If I use Microsoft Authenticator and it populates passwords when I use websites, is it using these passwords for my phone and the web browsers I use on my PC, or is my PC saving these passwords?

In Microsoft Authenticator all my passwords are in my Microsoft section but what are the other sections?

Microsoft Authenticator is backed up, but is everything backed up? If I lose my phone or it is broken, what do I do?

Having Microsoft Authenticator on just one phone seems to be madness in case anything happens to the phone, so how can Microsoft Authenticator be used on multiple phones, and if all copies are backing up does one write over the other?

Are all authenticator apps equal?

otolith

56,219 posts

205 months

Friday 26th April
snuffy said:
And yet, for years, it was recommended that you do just this with passwords. Thankfully, almost all organisations have stopped this nonsense. You had to conclude that any place still doing it is really not up to their job.
In my previous role, I often got security questionnaires from customers putting work out to tender. These were large financial institutions. They still frequently included a question about forced password changes, even though by that time it had already been widely accepted to be poor practice. Lots of inertia in these practices and processes.

Halmyre

11,216 posts

140 months

Friday 26th April
Sheepshanks said:
21TonyK said:
Issue is work need my PW to change every couple of months so like many I use the same short phrase and just change the number on the end.
Does work not require a second factor?
Our work has an RSA token, so you have your own personal number + RSA number, and then you enter your password, but it just occurred to me that I haven't had to change the password for some time so they might have done away with password-ageing. Like Sheepshanks, I just used to change the number on the end.

SpidersWeb

3,659 posts

174 months

Friday 26th April
Actual said:
The problem with complicated unique password rules is that they have to be written down and stored somewhere.

In work, and increasingly for personal use, I am using Microsoft Authenticator. I'm sure that there are downsides to this, but I've tried reading up and the documentation and explanations are impenetrable.

So...

If I use Microsoft Authenticator and it populates passwords when I use websites, is it using these passwords for my phone and the web browsers I use on my PC, or is my PC saving these passwords?

In Microsoft Authenticator all my passwords are in my Microsoft section but what are the other sections?

Microsoft Authenticator is backed up, but is everything backed up? If I lose my phone or it is broken, what do I do?

Having Microsoft Authenticator on just one phone seems to be madness in case anything happens to the phone, so how can Microsoft Authenticator be used on multiple phones, and if all copies are backing up does one write over the other?

Are all authenticator apps equal?
My preference, because I use Apple devices, is iCloud Keychain - however you can install the iCloud app on Windows PCs to be able to access the passwords and codes on that machine.

Strong passwords are generated and stored by the app, and recent versions of iOS will now also act as a 2FA authenticator within the app, so you don't need a separate authenticator app.

The details are all stored in the cloud so if something happens to the phone then it will just download from Apple's servers to a replacement, and the passwords and 2FA authenticator codes in your account are available on all your Apple devices. There is even a facility to have shared 'family' passwords which are shared directly between family member's devices.

And with the recent update to iOS, if you turn on Stolen Device Protection then, unless you are at a familiar location such as home or work, you cannot access the passwords in iCloud Keychain with the phone passcode; it needs Face ID or Touch ID biometric authentication, so a thief who has 'shoulder surfed' your phone PIN cannot get into the rest of your passwords.

rdjohn

6,190 posts

196 months

Friday 26th April
Interesting.

I think I can sleep more easily tonight

Mr Whippy

29,075 posts

242 months

Friday 26th April
snuffy said:
21TonyK said:
Issue is work need my PW to change every couple of months so like many I use the same short phrase and just change the number on the end.
That's wrong thinking on their part. Most organisations have stopped that because it's nonsense to enforce that type of thing.
IT can be morons though.

It’s from the Wargames era when someone might find out your password and then log in sneakily… but these days you’d hope IP ranges, MAC addresses, unusual behaviour, AI screening etc. would all spot this issue.


I always liked using the random ascii characters in passwords but most places won’t allow them.
Most brute force systems won’t even use them but it makes the complexity go off the scale… deffo think they should be opened up for use.

SpidersWeb

3,659 posts

174 months

Friday 26th April
Mr Whippy said:
It’s from the Wargames era when someone might find out your password and then log in sneakily… but these days you’d hope IP ranges, MAC addresses, unusual behaviour, AI screening etc. would all spot this issue.
Trouble is, some of those systems from the Wargames era are still in use!

A system I used up to a couple of years ago (and I have no doubt is still in operation) involved your desktop PC simply running an emulator of a dumb terminal to access a mainframe system that had been designed in the late 1960s.

It did require a password change every month, but was perfectly happy with you changing the password and then immediately changing it back to the previous one - and most people either did that or had an 'even' month and an 'odd' month password.

And this was for a system where you could transfer very large sums of money.

snuffy

9,805 posts

285 months

Friday 26th April
Never use a password that's stupid if you have to tell it to somebody. Two examples:

Where I used to work, many years ago, a very small place. I was the IT admin. There was an issue when I was out of the office, the MD rang me and asked for the main server Admin password. Ah, yes, hmm, okay, it's "Underpaid". That did not go well.

And another time, someone at work told a story about how his missus had asked for the wi-fi password, and his young daughter chimed up "I know it mummy, it's wet minge"



Slow.Patrol

516 posts

15 months

Friday 26th April
Most of mine are based on car registrations from cars I owned in the 80s with a few symbols thrown in.

I was once told the pound sign is a good symbol as most hackers are from abroad and it is rare to have the pound sign on a foreign keyboard.


Dave Hedgehog

14,569 posts

205 months

Friday 26th April
I use 32 char random hash passwords.

They take about 5 mins to crack when I click on the link for lonely Ukrainian ladies and I get a keylogger.

TikTak

1,587 posts

20 months

Friday 26th April
snuffy said:
Never use a password that's stupid if you have to tell it to somebody. Two examples:

Where I used to work, many years ago, a very small place. I was the IT admin. There was an issue when I was out of the office, the MD rang me and asked for the main server Admin password. Ah, yes, hmm, okay, it's "Underpaid". That did not go well.

And another time, someone at work told a story about how his missus had asked for the wi-fi password, and his young daughter chimed up "I know it mummy, it's wet minge"
One of our old network engineers did that for some of our kit as an "in joke" with the Networks Manager after a night out at the pub. Made some passwords "Badgerfker" and "ElephantClunge" ... didn't go down too well.

Also on topic, there have been sites that tell you how secure your password is for years.

The graphic is a good general basis but can be wildly inaccurate.
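Two points in the thread can be put into numbers: Mr Whippy's remark that symbols push the keyspace up, and TikTak's that the character-class graphic can be wildly inaccurate, because a cracker tries dictionary words with appended digits long before it brute-forces every combination. The calculator below is an added example, not code from the thread; the six-word wordlist, the 100,000-word dictionary size and the 10 billion guesses per second rate are constructed assumptions.

```python
import math
import string

# Character classes an attacker must enumerate if the password really is a
# uniformly random pick from them (the assumption behind strength graphics).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,   # the "random ascii characters" from the thread
}

# Constructed stand-in for a real cracking wordlist.
WORDLIST = {"blib", "password", "summer", "underpaid", "badger", "elephant"}
WORDLIST_SIZE = 100_000             # assumed size of the real list the word came from

def charset_size(password):
    """Sum of the sizes of every character class the password draws from."""
    return sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))

def naive_bits(password):
    """Entropy if every character were an independent random draw from the charset."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))

def pattern_bits(password):
    """Entropy when the password is <dictionary word><digits>, the
    'same phrase, bump the number' pattern: only the word choice, an optional
    capital and the digit suffix count, not the character classes used."""
    base = password.rstrip(string.digits)
    suffix = password[len(base):]
    if base.lower() in WORDLIST:
        bits = math.log2(WORDLIST_SIZE)            # which word
        bits += 1 if base[:1].isupper() else 0     # capitalised or not
        bits += len(suffix) * math.log2(10)        # appended digits
        return bits
    return naive_bits(password)                    # no known pattern: fall back

def seconds_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to enumerate the whole space at an assumed offline rate."""
    return 2 ** bits / guesses_per_second

if __name__ == "__main__":
    for pw in ["Blib123", "Summer2024", "Tr0ub4dor!", "aB3!" * 8]:
        print(f"{pw:34} naive {naive_bits(pw):6.1f} bits  "
              f"pattern {pattern_bits(pw):6.1f} bits  "
              f"exhaust {seconds_to_exhaust(pattern_bits(pw)):.3g} s")
```

The two estimates agree for the 32-character random string but diverge by about 14 bits for Blib123, which is the gap TikTak is describing.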

JerseyRoyal

75 posts

1 month

Friday 26th April
I use the random password generator in iOS most of the time and the codes seem pretty solid.

phil4

1,217 posts

239 months

Friday 26th April
Part of the problem is Windows itself.

Out of the box (i.e. how SMEs would use it) you get AD with complex-or-not passwords, length, max age etc.

No 2FA stuff built in. No ability to use a password manager either.

So you end up with staff doing as mentioned above, month+year or similar. Until Microsoft stop messing around that's likely how it'll stay, and no matter what you do for other sites, you'll still have a crap password.

Road2Ruin

5,243 posts

217 months

Friday 26th April
The government still force you to do password changes. It boils my urine as I seem to be forever changing it, so have to record it somewhere.

TEKNOPUG

18,974 posts

206 months

Friday 26th April
It's because people think that the threat is a human guessing their password, rather than a machine cracking it.

JerseyRoyal

75 posts

1 month

Friday 26th April
Honestly, use a generator and a password manager. Solid passcodes all day long and you don’t have to remember anything

FMOB

Original Poster:

915 posts

13 months

Friday 26th April
JerseyRoyal said:
Honestly, use a generator and a password manager. Solid passcodes all day long and you don’t have to remember anything
Except how to get into your password manager.

eharding

13,743 posts

285 months

Friday 26th April
Password cracking - soooo last decade.

Nowadays you just subvert the build process of an obscure but ubiquitous open-source library so that the SSH daemon will execute any code you want as root on the target Linux system provided you present a certificate with the right format, and *boom*, you own the world, or at least any Linux bit of it with port 22 open - except, that is, if those pesky kids at Microsoft doing a bit of open source work spot what you're up to before your cunning wheeze makes it into any mainstream distros.

Blib

44,212 posts

198 months

Friday 26th April
Blib123 will never be broken!

snuffy

9,805 posts

285 months

Friday 26th April
I was out about an hour ago, and this thread popped into my head. Badgerfker and ElephantClunge. So to me, they are very memorable passwords!