Which is the better password & 4 facts about passwords

Deleted74295

@Dashrender said:

The tiniest amount of complexity added to SevenTimesSevenEqualsEleven, say SevenTimesXSevenEqualsEleven Dramatically improves the security of this password.

There is always a more secure password out there. Someone can easily add a 1995 to the end of the above password and it becomes infinitely more secure.

This is more about encouraging length rather than pointlessly short passwords for our users such as C0rP123!!

DustinB3403

SevenTimesSevenEqualsEleven is probably the better password.

And 20,000 people just lost their secure password to the internet, good going @Breffni-Potter !

JaredBusch

@Breffni-Potter said:

@Dashrender said:

The tiniest amount of complexity added to SevenTimesSevenEqualsEleven, say SevenTimesXSevenEqualsEleven Dramatically improves the security of this password.

There is always a more secure password out there. Someone can easily add a 1995 to the end of the above password and it becomes infinitely more secure.

This is more about encouraging length rather than pointlessly short passwords for our users such as C0rP123!!

Length is all that matters really. Basic dictionary attacks are not as effective when you have 4 or 5 words there. That is completely different than a short single word password.

Deleted74295

@DustinB3403 said:

SevenTimesSevenEqualsEleven is probably the better password.

And 20,000 people just lost their secure password to the internet, good going @Breffni-Potter !

I'm trying to help the 500000 people who still use Pa$$word1 as a password. , it meets the AD complexity requirements.

BRRABill

@Dashrender said:

The tiniest amount of complexity added to SevenTimesSevenEqualsEleven, say SevenTimesXSevenEqualsEleven Dramatically improves the security of this password.

Isn't that the same words with a letter in them?

If you are thinking they can figure out the words, why would this help?

wirestyle22

I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?

MattSpeller

@wirestyle22 said:

I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?

You're correct until someone takes, say, your iPhone and brute forces it offline. Substitute iPhone for laptop, or whatever other portable data container you like.

Dictionary / rainbow tables are super powerful on static data. If you have a chance to play with them I highly recommend it. At one point I had 20GB of rainbow tables and they were soooooo sweet haha.

wirestyle22

@MattSpeller said:

@wirestyle22 said:

I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?

You're correct until someone takes, say, your iPhone and brute forces it offline. Substitute iPhone for laptop, or whatever other portable data container you like.

Dictionary / rainbow tables are super powerful on static data. If you have a chance to play with them I highly recommend it. At one point I had 20GB of rainbow tables and they were soooooo sweet haha.

If a device were stolen I would remote wipe though, right?

MattSpeller

@wirestyle22 said:

@MattSpeller said:

@wirestyle22 said:

I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?

You're correct until someone takes, say, your iPhone and brute forces it offline. Substitute iPhone for laptop, or whatever other portable data container you like.

Dictionary / rainbow tables are super powerful on static data. If you have a chance to play with them I highly recommend it. At one point I had 20GB of rainbow tables and they were soooooo sweet haha.

If a device were stolen I would remote wipe though, right?

Absolutely! Once the luser finally gave up looking for it and confessed. That's anywhere from an hour to several days where I can take your device offline (disabling your remote wipe) and then it's just a count down to pwnage.

Dashrender

@BRRABill said:

@Dashrender said:

The tiniest amount of complexity added to SevenTimesSevenEqualsEleven, say SevenTimesXSevenEqualsEleven Dramatically improves the security of this password.

Isn't that the same words with a letter in them?

If you are thinking they can figure out the words, why would this help?

Because it's no longer a pure dictionary attack. The letter X (I don't think) isn't in the dictionary because it's not a word).

What I'm getting at does have very limited use - this is true, because assume the system allows for all ASCSII characters, you could put spaces between works, or underlines, etc... lots of easy to remember ways to break this away from a dictionary attack. But then again we are talking about people here - where the most common password is still password.

Dashrender

@MattSpeller said:

@wirestyle22 said:

@MattSpeller said:

@wirestyle22 said:

I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?

You're correct until someone takes, say, your iPhone and brute forces it offline. Substitute iPhone for laptop, or whatever other portable data container you like.

Dictionary / rainbow tables are super powerful on static data. If you have a chance to play with them I highly recommend it. At one point I had 20GB of rainbow tables and they were soooooo sweet haha.

If a device were stolen I would remote wipe though, right?

Absolutely! Once the luser finally gave up looking for it and confessed. That's anywhere from an hour to several days where I can take your device offline (disabling your remote wipe) and then it's just a count down to pwnage.

Obviously in the case of MDM managed devices, hopefully you have some kind of limited number of tries before the device self wipes.

dafyre

@Dashrender said:

@MattSpeller said:

@wirestyle22 said:

@MattSpeller said:

@wirestyle22 said:

I always thought that if there is a lockout after 4-5 wrong passwords, dictionary attacks don't really matter. Opinions?

You're correct until someone takes, say, your iPhone and brute forces it offline. Substitute iPhone for laptop, or whatever other portable data container you like.

Dictionary / rainbow tables are super powerful on static data. If you have a chance to play with them I highly recommend it. At one point I had 20GB of rainbow tables and they were soooooo sweet haha.

If a device were stolen I would remote wipe though, right?

Absolutely! Once the luser finally gave up looking for it and confessed. That's anywhere from an hour to several days where I can take your device offline (disabling your remote wipe) and then it's just a count down to pwnage.

Obviously in the case of MDM managed devices, hopefully you have some kind of limited number of tries before the device self wipes.

I have this on my personal phone, lol.

BRRABill

@dafyre said:

I have this on my personal phone, lol.

I don't, just because the little ones grab my phone sometimes.

Though since I really have no data on there ... what am I waiting for???????

Dashrender

@BRRABill said:

@dafyre said:

I have this on my personal phone, lol.

I don't, just because the little ones grab my phone sometimes.

Though since I really have no data on there ... what am I waiting for???????

You have backups don't you? shouldn't be an issue.

dafyre

@Dashrender said:

@BRRABill said:

@dafyre said:

I have this on my personal phone, lol.

I don't, just because the little ones grab my phone sometimes.

Though since I really have no data on there ... what am I waiting for???????

You have backups don't you? shouldn't be an issue.

This! Any pics or videos that I take are uploaded to my ownCloud server... Contats are on Google... anything else can be replaced.

BRRABill

@Dashrender said:

You have backups don't you? shouldn't be an issue.

No need for backups. No data is stored on the phone anymore.

I've caved to the @scottalanmiller method of data storage.

Dashrender

@BRRABill said:

@Dashrender said:

You have backups don't you? shouldn't be an issue.

No need for backups. No data is stored on the phone anymore.

I've caved to the @scottalanmiller method of data storage.

This doesn't make sense to me. If you, like he, takes pictures with your phone - how do you get them off the phone? Unless you just don't care about them.. or, you only take pictures assuming you can post them to wherever that moment.. if not, you skip the pic.

BRRABill

@Dashrender said:

This doesn't make sense to me. If you, like he, takes pictures with your phone - how do you get them off the phone? Unless you just don't care about them.. or, you only take pictures assuming you can post them to wherever that moment.. if not, you skip the pic.

Goes right to iCloud.

Dashrender

Not to mention that you'll still want a contact list on there. So are you saying you never add a phone number/email address/etc via the phone? You only do it via another device? cause if you do it via the phone, then you do want/need backups/syncing.

travisdh1

@Dashrender said:

@BRRABill said:

@Dashrender said:

You have backups don't you? shouldn't be an issue.

No need for backups. No data is stored on the phone anymore.

I've caved to the @scottalanmiller method of data storage.

This doesn't make sense to me. If you, like he, takes pictures with your phone - how do you get them off the phone? Unless you just don't care about them.. or, you only take pictures assuming you can post them to wherever that moment.. if not, you skip the pic.

Auto upload is where it's at man. I could completely destroy/loose my phone tomorrow and all my pictures/videos would be available online. Considering that's really all that I care about on the phone, well, great!