    Enforce Full or Selective Complexity on Passwords?

IT Discussion
45 Posts, 9 Posters, 10.7k Views
• scottalanmiller @thanksajdotcom

@thanksaj said:

@Carnival-Boy said:

How common is a brute force attack on AD? How would it work?

Honestly, the biggest threat is always internal. If a company doesn't have any public-facing servers, the chances of an attack even being possible are slim. Having strong passwords was always most important to prevent employees from using each other's passwords, or figuring them out.

And against password hash shipping.
• technobabble @coliver

@coliver said:

password_strength.png

Never got this image. Use 4 random words and now a dictionary attack doesn't work?

Also, whatever happened to using scary passwords but using LastPass or KeePass to hold all those crap passwords?
• thanksajdotcom @technobabble

@technobabble said:

@coliver said:

password_strength.png

Never got this image. Use 4 random words and now a dictionary attack doesn't work?

Also, whatever happened to using scary passwords but using LastPass or KeePass to hold all those crap passwords?

LastPass isn't for everything. You can't log in to Windows with LastPass. There are a lot of things you can't use LastPass for.
• technobabble @thanksajdotcom

@thanksaj You can use your phone to access LastPass and see a note that tells you what the Windows password is.
• Carnival Boy

One day I will forget my KeePass master password and my life will be over 😞
• thanksajdotcom @technobabble

@technobabble said:

@thanksaj You can use your phone to access LastPass and see a note that tells you what the Windows password is.

Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used, or what it was meant to be used for.
• technobabble @thanksajdotcom

@thanksaj said:

@technobabble said:

@thanksaj You can use your phone to access LastPass and see a note that tells you what the Windows password is.

Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used, or what it was meant to be used for.

Says who... it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.

Also, can anyone comment on the 4 words and how they beat a dictionary attack? Thanks.
• coliver @technobabble

@technobabble said:

@thanksaj said:

@technobabble said:

@thanksaj You can use your phone to access LastPass and see a note that tells you what the Windows password is.

Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used, or what it was meant to be used for.

Says who... it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.

Also, can anyone comment on the 4 words and how they beat a dictionary attack? Thanks.

From my knowledge, a dictionary attack goes through every word in its dictionary from a-z to identify the password. It would then have to go through every word in its dictionary coupled with every other word in its dictionary. Depending on the size of the dictionary (huge), it needs to find 4 words that match to meet the password. The combinations would be in the... hundreds of trillions? I haven't done permutations in a while, so someone who is good at math should check my work.
• thanksajdotcom @technobabble

@technobabble said:

@thanksaj said:

@technobabble said:

@thanksaj You can use your phone to access LastPass and see a note that tells you what the Windows password is.

Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used, or what it was meant to be used for.

Says who... it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.

Also, can anyone comment on the 4 words and how they beat a dictionary attack? Thanks.

Like I said, it's certainly one way to apply the features they've built into their products, but it's not really LastPass doing something special. There are plenty of places you can store secure notes. I wasn't saying you were wrong if you did that. I'm just saying that if someone at LastPass was trying to convince you why you should use their product, you wouldn't hear that mentioned as a reason.
• thanksajdotcom @coliver

@coliver said:

@technobabble said:

@thanksaj said:

@technobabble said:

@thanksaj You can use your phone to access LastPass and see a note that tells you what the Windows password is.

Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used, or what it was meant to be used for.

Says who... it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.

Also, can anyone comment on the 4 words and how they beat a dictionary attack? Thanks.

From my knowledge, a dictionary attack goes through every word in its dictionary from a-z to identify the password. It would then have to go through every word in its dictionary coupled with every other word in its dictionary. Depending on the size of the dictionary (huge), it needs to find 4 words that match to meet the password. The combinations would be in the... hundreds of trillions? I haven't done permutations in a while, so someone who is good at math should check my work.

Yeah, the English language is pretty large, and always growing thanks to new words that are invented and words from other languages we just adopt. So it could very easily be trillions of possibilities.
• scottalanmiller

Dictionaries can still be used with long passwords, but they become much more complex. Things like spaces add to that, and any complexity like punctuation does too. It defeats dictionary attacks the same way that long strings always make guessing harder.

Complexity does not impact a dictionary attack unless you are using random characters, which defeats human memorization.
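A worked check of the search-space arithmetic in coliver's post (four random words) and scottalanmiller's post above (spaces and punctuation versus "complexity" on a dictionary word). This is an added example, not code from the thread; the word-list size, character-set size, mangling-rule count and guess rate are constructed assumptions.

```python
import math

# Constructed assumptions for illustration; none of these figures come from the thread.
DICTIONARY_WORDS = 7776      # size of a Diceware-style word list
PRINTABLE_ASCII = 95         # characters an 8-character "complex" password can use
GUESSES_PER_SECOND = 1e10    # assumed offline hash-cracking rate


def passphrase_space(dictionary: int, words: int, separators: int = 1) -> int:
    """Phrases an attacker must enumerate when `words` are drawn uniformly at
    random (with replacement) from a `dictionary`-word list, and each gap may
    hold one of `separators` choices (space, hyphen, nothing, ...).
    This is the D^n coliver describes; D=7776, n=4 is already ~3.7e15."""
    return dictionary ** words * separators ** (words - 1)


def charset_space(charset: int, length: int) -> int:
    """Strings of `length` uniformly random characters over a charset."""
    return charset ** length


def mangled_word_space(dictionary: int, rules: int) -> int:
    """One dictionary word plus `rules` mangling variants (capitalise, append a
    digit, swap a->@ ...). A rule-based dictionary attack only multiplies the
    list by the rule count, which is scottalanmiller's point: "complexity"
    barely moves the needle unless the characters are actually random."""
    return dictionary * rules


def entropy_bits(space: int) -> float:
    """log2 of the search space, the usual yardstick for comparing schemes."""
    return math.log2(space)


def mean_crack_seconds(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """On average the correct guess is found halfway through the space."""
    return space / 2 / rate


def compare_schemes() -> dict:
    """Entropy in bits for the schemes discussed in the thread."""
    rules = 2 * 10 * 33   # capitalised or not x trailing digit x trailing symbol
    return {
        "one_mangled_word": entropy_bits(mangled_word_space(DICTIONARY_WORDS, rules)),
        "four_random_words": entropy_bits(passphrase_space(DICTIONARY_WORDS, 4)),
        "eight_random_chars": entropy_bits(charset_space(PRINTABLE_ASCII, 8)),
        "four_words_unknown_separator": entropy_bits(passphrase_space(DICTIONARY_WORDS, 4, 3)),
    }


if __name__ == "__main__":
    for scheme, bits in compare_schemes().items():
        days = mean_crack_seconds(2 ** bits) / 86400
        print(f"{scheme:30s} {bits:5.1f} bits  ~{days:.1f} days at 1e10 guesses/s")
```

Four random words from a 7776-word list land within a bit of eight fully random printable characters, while a single mangled dictionary word stays around 22 bits no matter how many symbols the policy demands.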
• thanksajdotcom @scottalanmiller

@scottalanmiller said:

Dictionaries can still be used with long passwords, but they become much more complex. Things like spaces add to that, and any complexity like punctuation does too. It defeats dictionary attacks the same way that long strings always make guessing harder.

Complexity does not impact a dictionary attack unless you are using random characters, which defeats human memorization.

Post-It under the keyboard, anyone? 😛
• technobabble @coliver

@coliver said:

@technobabble said:

@thanksaj said:

@technobabble said:

@thanksaj You can use your phone to access LastPass and see a note that tells you what the Windows password is.

Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used, or what it was meant to be used for.

Says who... it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.

Also, can anyone comment on the 4 words and how they beat a dictionary attack? Thanks.

From my knowledge, a dictionary attack goes through every word in its dictionary from a-z to identify the password. It would then have to go through every word in its dictionary coupled with every other word in its dictionary. Depending on the size of the dictionary (huge), it needs to find 4 words that match to meet the password. The combinations would be in the... hundreds of trillions? I haven't done permutations in a while, so someone who is good at math should check my work.

Ah ha... well, now that makes sense to me. Thanks for taking the time to share!
• technobabble @thanksajdotcom

@thanksaj said:

@technobabble said:

@thanksaj said:

@technobabble said:

@thanksaj You can use your phone to access LastPass and see a note that tells you what the Windows password is.

Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used, or what it was meant to be used for.

Says who... it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.

Also, can anyone comment on the 4 words and how they beat a dictionary attack? Thanks.

Like I said, it's certainly one way to apply the features they've built into their products, but it's not really LastPass doing something special. There are plenty of places you can store secure notes. I wasn't saying you were wrong if you did that. I'm just saying that if someone at LastPass was trying to convince you why you should use their product, you wouldn't hear that mentioned as a reason.

Why are you still arguing with me about my personal preference? I never mentioned that LastPass tried to convince me of anything. Can we move on?
• thanksajdotcom @technobabble

@technobabble said:

@thanksaj said:

@technobabble said:

@thanksaj said:

@technobabble said:

@thanksaj You can use your phone to access LastPass and see a note that tells you what the Windows password is.

Yeah, you could. But what happens on the day you forget your cellphone? What you're describing is kind of a h4x0r way of using LastPass. Not really how it was meant to be used, or what it was meant to be used for.

Says who... it has notes for a reason. But just because you don't approve of the product being used that way doesn't mean it can't be used that way. Personal preference is just personal.

Also, can anyone comment on the 4 words and how they beat a dictionary attack? Thanks.

Like I said, it's certainly one way to apply the features they've built into their products, but it's not really LastPass doing something special. There are plenty of places you can store secure notes. I wasn't saying you were wrong if you did that. I'm just saying that if someone at LastPass was trying to convince you why you should use their product, you wouldn't hear that mentioned as a reason.

Why are you still arguing with me about my personal preference? I never mentioned that LastPass tried to convince me of anything. Can we move on?

I didn't say they did, and I wasn't arguing with you. If you want to do that, go right ahead. I have no issue with it, and you're welcome to do it that way if you want.
• Carnival Boy

One day we'll be telling our grandkids about how computers didn't recognise our retinas or whatever and we had to remember stacks of physical passwords, and they'll be like "man, that must have sucked!" I'll probably tell them whilst they're flicking through my record collection.
• thanksajdotcom @Carnival Boy

@Carnival-Boy said:

One day we'll be telling our grandkids about how computers didn't recognise our retinas or whatever and we had to remember stacks of physical passwords, and they'll be like "man, that must have sucked!" I'll probably tell them whilst they're flicking through my record collection.

ROFL! Yeah, probably...
• gjacobse

Was at a Cyber Security Training today. The detective with the local Cyber Crimes unit, attached to the FBI, suggested to completely DROP passwords and go with PASS PHRASES... and use nothing short of 16 characters. He commonly uses 43 characters (or more).

Of course, I have run into SEVERAL sites that only allow 8... I plan to ask him about that one.
• scottalanmiller @gjacobse

@g.jacobse said:

Was at a Cyber Security Training today. The detective with the local Cyber Crimes unit, attached to the FBI, suggested to completely DROP passwords and go with PASS PHRASES... and use nothing short of 16 characters. He commonly uses 43 characters (or more).

This is just another way of stating that people need to drop the complexity. The assumption is that without the need for complexity, passphrases become easy. This has been the standard answer from security professionals for over a decade. When we say "no complexity requirements" we also assume "good end user training", and that should always teach people to use phrases, not words.
• scottalanmiller @gjacobse

@g.jacobse said:

Of course, I have run into SEVERAL sites that only allow 8... I plan to ask him about that one.

Any site with that requirement should be questioned as to the need for something so insecure and ridiculous. Chances are that limitation is created by using a clear-text UNIX password system from decades ago that was never updated, and nothing, truly nothing, should be running on that today. If they are, you don't need what they are offering.