> On Sun, 2017-06-18 at 19:13 -0700, stan wrote:
> 
> I completely agree, it's just as impossible to guess that a password is
> "$#DfSGxS" than "sickturtlepyjamas", and I know which one is easier to
> remember and type.  With the peculiar password rules, I have no choice
> but to do the insecure and write down passwords somewhere (whether
> that's on paper or on file).  You're not supposed to write passwords
> down anywhere.

If you use a password manager, you can use a different strong random password 
for each site, and copy and paste it. Fifty characters is just as easy as 8, 
and means you don't have to worry about changing the password again (unless a 
website like Socialsecurity.gov forces you to, and they should eventually stop 
doing that).

> Really, what ought to get tightened up is the software accepting logons.
> There should be a limited number of attempts (3 goes and you're out for a
> significant time limit).  Any system that lets a cracker hammer away
> with repeated attempts is the thing that is broken.

That works as long as the website isn't hacked. If it is, even if the passwords 
are hashed (which they often aren't), the hash can be cracked if the password 
is weak. This actually happened to my PayPal account in 2002. At the time, I 
was using a weak password vulnerable to a dictionary attack (but not to only 
several login attempts). PayPal sent me an email asking me to change my 
password, claiming it was just a random request and had nothing to do with a 
specific attack. Since I knew my password was secure against a handful of login 
attempts, I just changed the password and then immediately changed it back to 
the original one. Shortly after, my account was hacked and money was withdrawn 
from my bank account. PayPal admitted in a later email that there actually had 
been an attack where the password hashes were stolen (implying that they were 
lying the first time). PayPal did eventually reimburse me for the money. The 
point is that it's good if a website limits login attempts, but you can't rely 
on that. I always assume that the hash could become public, and 
choose my password accordingly. (Of course, many websites store passwords in 
plain text, in which case the only thing that helps is not using the same or 
similar password anywhere else.)
_______________________________________________
users mailing list -- users@lists.fedoraproject.org
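As an added illustration (not from the thread), a rough estimate of why a three-attempt lockout protects even a dictionary-word password against online guessing but not once its hash has been stolen; the guess-space models, hash rates and lockout policy are assumed values chosen for the example.

```python
import math

# Added example, not from the thread. Rough guess-count and time-to-crack
# estimates showing why a throttled login page does not protect a password
# once its hash has leaked. All rates and policies below are assumptions.

YEAR_S = 365 * 24 * 3600

def guess_space(kind, length):
    """Guesses needed by an attacker who knows how the password was built."""
    if kind == "printable":   # "$#DfSGxS": symbols from ~94 printable ASCII
        return 94 ** length
    if kind == "words":       # "sickturtlepyjamas": words from a 10k-word list
        return 10_000 ** length
    if kind == "dictionary":  # one common word out of an assumed 1M-entry list
        return 1_000_000 ** length
    raise ValueError(kind)

def entropy_bits(guesses):
    return math.log2(guesses)

def online_seconds(guesses, attempts=3, lockout_s=900):
    """Login throttled to `attempts` tries, then `lockout_s` of lockout."""
    return guesses / attempts * lockout_s

def offline_seconds(guesses, hashes_per_s):
    """Stolen hash: the attacker is limited only by their own hash rate."""
    return guesses / hashes_per_s

def resists(kind, length, hashes_per_s=10**10, horizon_s=YEAR_S):
    """(resists online guessing, resists offline cracking) within horizon."""
    g = guess_space(kind, length)
    return (online_seconds(g) > horizon_s,
            offline_seconds(g, hashes_per_s) > horizon_s)

if __name__ == "__main__":
    cases = [("printable", 8), ("words", 3), ("dictionary", 1), ("printable", 50)]
    for kind, length in cases:
        g = guess_space(kind, length)
        fast = resists(kind, length)                        # fast hash, assumed 1e10/s
        slow = resists(kind, length, hashes_per_s=10**4)    # slow KDF, assumed 1e4/s
        print(f"{kind:10} len={length:2} {entropy_bits(g):6.1f} bits "
              f"online_ok={fast[0]} offline_fast_ok={fast[1]} "
              f"offline_slowkdf_ok={slow[1]}")
```

The dictionary-word case reproduces the situation described above: it holds up against a handful of login attempts yet falls in a fraction of a second once the hash is offline.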