ebay's password policy ...
... doesn't allow spaces in your password! But it allows non-white space characters in it. So, I've set mine to G6^10aPPq9&£v$pil0¬ but I'm having trouble remembering it!
eBay has been criticised for its advice to consumers on choosing a strong password in the wake of a megabreach that prompted it to tell millions of users to change their passwords. The online tat bazaar admitted on Wednesday that a database containing "eBay customers’ name, encrypted password, email address, physical address, …
I went a more secure route and stuck all my passwords in a KeePass file stored on a shared cloud drive with the password to the file on a piece of paper in a sealed envelope stored in my safe deposit box along with the deed to my house, wills (both regular and living) and some other very important documents. The key has been entrusted to my attorney.
This way someone won't just stumble upon my password by rifling through papers (as kids are wont to do) and I can update my passwords in a matter of seconds while still allowing family and trusted persons to get to my data in case I am incapacitated.
I do the same thing with one extra step (which maybe you're already doing)...
Whilst not trying to promote security through obscurity, there's no doubt that obscurity does add one layer to some extent... and so I suggest renaming the KeePass file to give it an extension of anything other than the default. Call it a jpeg, or a .bin or whatever and at least if someone manages to hack into your cloud drive and grab all the content, there's not a big neon sign flashing "KeePass file here!!"
The people I would want to be able to access the file are barely technically literate enough to open the file, adding that extra step of figuring out which file to rename is just going to cause problems and delays. This is also why I only have two files on the shared device: The password database and a portable copy of KeePass. It becomes pretty obvious what the database file is. I did this so that if the KeePass project dies or the file format changes too much, they can still access the database without any trouble.
Besides, I change all my passwords every 90 days (you get used to it after a while); if an attacker has the capability to crack the file in that little time, they wouldn't be stopped by a triviality like a changed file extension. I haven't done anything to get anyone with those kinds of resources to waste that much of them on me; of course they would just go the easy way and get an (illegal) court order from the FISC and get my data right from the source.
So they want me to remember a different password, made up of random letters, numbers, symbols, and I'm not meant to use the same password on other sites...
I was going to put "f*ck you ebay" as my password, but that was rejected... That's more secure than "reset1"!!!
Angers me when companies like this make lives harder for a false sense of them doing their job... More so because we know it's a load of smoke and mirrors, but my grandmother doesn't...
To be frank - if there was an option that just said "delete account" on the password change screen, I'd have been tempted.
</rant>
> eBay is OK with pasting passwords like that, but ironically PayPal won't allow it!
If you use KeePass you can get around that sort of thing. You can customise the AutoType function to produce anything you want.
You need to work out what keypresses you need to get from the new password to the confirmation password, normally just Tab will do it.
Use the password generator to get your new random password and put 'Auto-Type: {PASSWORD}{TAB}{PASSWORD}' (without the quotes) into the Notes field. Put the cursor in the first password field in the browser, go back to KeePass and do right-click/AutoType and it will fill in both password fields. The keyboard emulation gets around Cut/Paste blocking.
This even works for changing the password at login when you're Remote Desktopped into a Windows server.
Remember to clear the Auto-Type command from the notes field when you're done.
I had a long and fruitless conversation with PayPal's dim-witted support people about exactly this password paste problem yesterday. No way am I going to type a 20 character gibberish password TWICE and have a faint hope of getting it right. So I type a shorter one instead. Well done half-wits -- you REDUCED the security of my PayPal account. It took three e-mails for them to even understand the problem, then they fell back on defending the status quo and repeatedly failed to answer my question "how does this improve security as you claim?". I'm tempted to bin my PayPal account but then I don't think I would be able to use eBay. And no matter how sordid eBay seems, life without it would be inconvenient.
"....won't allow you to cut'n'paste into the password field, so stopping you using a password manager, in the interests of 'security'"
Right. This is a stunningly stupid situation.
The change password form does not allow you to cut and paste, and to make the change, you have to type it twice, without being able to see what you're typing. So they're urging you to use a password that's complex and long, while at the same time inducing you to use one that's as simple and short as possible.
At some point it's no longer worth using the service.
When I went to change my eBay (US) password, I discovered you cannot cut and paste.
That may have been reasonable advice at the time, but it's unlikely to be much good now.
My current approach is to use a phrase or sentence then pick out individual letters to create a password. Not always the exact letter, not always the first letter.
For example "Natxl,nat1l". As a bonus, I find such passwords relatively easy to remember.
I'd been pondering a password change session after Heartbleed, but decided yesterday after the eBay news that it was time to update them all.
I use a 'root' collection of letters and numbers based on a phrase I can remember, plus a memorable date (NOT a birthday!), but also vary a section of the password (it may be at the start, in the middle, or at the end) based on the site name (eg. Amazon = AMA, eBay = EBA, The Register = REG) etc. That seems to tick all the boxes of non-dictionary, lengthy, complex, AND memorable.
I used to include some form of non-alpha character in my passwords (eg. *&^%$£) but have come across enough sites that won't accept these that I've given up on that for now :-(
It'll take me a few days to work through the majority of them, the obscure/occasional ones I might leave until I next visit the site.
> I use a 'root' collection of letters and numbers based on a phrase I can remember, plus a memorable date (NOT a birthday!), but also vary a section of the password (it may be at the start, in the middle, or at the end) based on the site name (eg. Amazon = AMA, eBay = EBA, The Register = REG) etc. That seems to tick all the boxes of non-dictionary, lengthy, complex, AND memorable.
And here I thought I was the only one who did this. Nothing new under the sun I suppose!
The other thing I do is I have a number of password-like phrases with lower/upper alphas, numbers, and punctuation tossed in and assign a name for each. Then I can build new passwords by picking two or three of the chunks and concatenating them. So I have unique passwords for each site but I don't have to remember 150 different passwords or use a password safe.
The WORST password requirements I have ever come across are two:
1. When my 401K provider at the time first set up their online system (early 2000s), passwords were limited to being no longer than *6* characters, alphanumerics only. They eventually got a clue.
2. One of my credit card sites allowed numbers and lower case letters ONLY (I'm not kidding, it specifically stated that uppercase letters would be lowercased.) The only thing that kept me from rage-cancelling my account at that point was that the maximum length was 32 characters so it was still possible to make a strong password. They also have since gotten a clue.
Typical American Business. Incur a major problem, hide it as long as possible, start thinking about plausible deniability and damage control, get caught or are forced to come out of hiding, down play the issue, indicate that you have been reborn from the experience and are now there to help. Crying is a nice touch. If all else fails, someone then needs to resign. Why did eBay wait so long to inform its users? Look at what Target did at Xmas. That was certainly a dodge for business purposes. Look at the massive recalls from GM and Toyota for issues they had long known to exist. Sometimes I wonder what would happen if companies simply stepped up to the plate and did the right thing, in a timely manner, if it would not greatly reduce the collateral damage and in the long run improve their business.
I love how LastPass has a special function to assess your passwords and gives you a score based on how many times you use the same password, the strength of the password and so on. It also looks at your accounts to tell you if and when you should change your password after the heartbleed fiasco.
Yup, I like LastPass, even if the interface sucks.
... what exactly does a 'strong' password (as defined here) protect you from? This is a serious question - I just don't understand this "password long, symbols, numbers not a word" mantra. It just forces the user to write things down, store it elsewhere, reset it all of the time, etc.
- If the password isn't encrypted, it doesn't matter how complex it is.
- If the password is able to be decrypted, it doesn't matter how complex it is.
- If your encryption model depends on 'everyone' having an equally strong password - good luck with that - it won't matter how complex yours is.
- If there is a key logger (video camera, machine compromised, whatever), it doesn't matter how complex it is.
- If you are successfully phished, it doesn't matter how complex it is.
- If you are re-using a compromised password, it doesn't matter how complex it is.
- If someone is attempting a dictionary attack on your account, the security model 'should' stop the attack well before it can 'guess' the password, so it 'shouldn't' matter how complex it is.
- Further to this, if someone is simply guessing your password, the above should also kick in - the 'obvious' password examples given aren't any more obvious than a thousand other things...
What am I missing?
What you're missing, I think, is how people go about "decrypting" passwords. You actually do it the other way: you encrypt your guesses until you find one that matches. You have to test the guesses one at a time, for each password. Nevertheless, this can be done frighteningly fast on consumer hardware. And that's where the difference between bestjetpilot and ju2*kG2#1f9p becomes important.
Actually bestjetpilot was not in the one password list I looked at, but best and jetpilot certainly were. It's not really a terrible password, but hardly something to hold up as an ideal. Whereas ju2*kG2#1f9p is just about impossible to guess. The only way would be to try every combination of symbols, which really would take hundreds of years.
Thanks - yes, I was thinking it might be a hashing issue - though if encrypted and then hashed it must protect those simple passwords some more. I guess my own feeling is that a somewhat complex string of memorable words is still a safer bet for most people than storing a bunch of super duper complex forgettable passwords - but I am (clearly) no expert.
You would think a 16 character all upper case password would be weak, very weak. But look at the maths, before trying all 16 letter combinations a black hat would need to go through the 15s, 14s, 13s, 12s, etc down to perhaps 4 characters.
There are 43,608,742,899,428,874,059,776 ways to arrange 16 upper case letters so even if the password was AAAAAAAAAAAAAAAA (pretty stupid huh?) the attacker would first need to eliminate all 1,677,259,342,285,725,925,376 15 letter combinations which at 1,000,000 attempts per second would take just over 53 million years. (and 2 million years for all 14 letter jobs and so on).
Plainly this is not a problem one need worry about, the real dangers are social engineering and use of the same password for several purposes. Also anybody who writes a login which allows unlimited rapid password guesses should be taken out and shot.
Having said all that there is no reason to ever use weak passwords and ones with real words like "bestjetpilot" can be found with dictionary attacks that utilize multiple words.
The real danger is from hash list cracks where if the hash method is known it's easy (if time consuming) to build a database where you generate millions of hashes and store every unique hash and its progenitor password. Then if your black hat gets a stolen list of hashes all he need do is look up in the database for a match; the password will probably not be correct but if it makes the same hash it will be accepted.
A password cracking program doesn't try all shorter-than-16-letter combinations first.
It checks all the words in the dictionary and celebrity names.
Pairs and triplets.
Versions with letters replaced by visually similar numbers.
Versions of all the above with various prefix and suffix numbers.
Probably alphabetic sequential and keyboard layout sequential such as ABCDE and QWERT.
This is all very much less than testing EVERY possibility and gets the majority of passwords quickly.
(No I've not done this, I'm sure a regular miscreant though will do it well).
I do let Firefox remember non-critical passwords. I wouldn't trust anything involving money to any password manager.
I do write them ALL down in a safe place with user name, site name and email used. Whoever survives me may need them.
> It checks all the words in the dictionary and celebrity names.
> Pairs and triplets.
all the words in the dictionary? quickly? Maths again I'm afraid, my spellcheck dictionary has over 100,000 words but let's say a password centric dictionary has just 20,000 words that gives 8,000,000,000,000 triplets and 400,000,000 pairs but it's worse than that as each word needs an all caps, all lower case and lower case with a starting cap versions, then number prefixes and suffixes means for just that lot at 1,000,000 guesses a second would take about 15 years.
To have any chance of working in a reasonable timeframe you'd want to limit the dictionary to 2,000 to 3,000 words max (2 to 7 hours using the same assumptions). So that's a few hundred celebrities, a couple of hundred common names, stuff like signs of the zodiac, towns and cities, names of sports teams, lots of swearwords and that leaves space for about 1,000 to 1,500 common words. With a little common sense it should be trivial to think of a password that's reasonably resistant to dictionary attack. It helps if you can't spell properley (sic).
A dictionary attack might want to try substituting zeros for O's ones for l's etc - I couldn't be bothered to work out what proportion of words on average have letters suitable for substitution but I'd imagine it would probably double the time taken.
Really unless you use a really stupid short password the chances of it being guessed are pretty slim, after stupidity the dangers are mainly:
1) social engineering where you are coerced probably unknowingly to disclose your password or reveal enough for someone to make a good guess.
2) multiple use of the same or similar passwords for disparate purposes.
3) theft of login database contents.
As for writing the passwords down, yes absolutely, if someone has gained access to wherever you keep them then your passwords are probably the least of your worries.
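The search-space arithmetic in the 16-upper-case post above and the dictionary-size arithmetic in this reply, as reusable functions. This is an added example, not code from any poster; the alphabet size, the 1,000,000 guesses/second rate and the 20,000-word dictionary are the posts' own assumptions, and the 10 billion/second figure is an assumed faster attacker added for comparison.

```python
# Added example: search-space and time-to-exhaust arithmetic behind the
# thread's figures (26 upper-case letters, 1e6 guesses/s, 20,000-word list).

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def brute_force_space(alphabet_size: int, length: int) -> int:
    """Number of strings of exactly `length` symbols over the alphabet."""
    return alphabet_size ** length


def shorter_than(alphabet_size: int, length: int, min_len: int = 4) -> int:
    """Guesses spent exhausting every length from min_len up to length-1
    (the 'work through the 15s, 14s, 13s ...' argument in the post)."""
    return sum(alphabet_size ** n for n in range(min_len, length))


def dictionary_space(words: int, combo: int, case_variants: int = 3,
                     affix_variants: int = 1) -> int:
    """Candidates built from `combo` dictionary words, each word tried in
    `case_variants` casings (all caps / all lower / initial cap), times the
    number of prefix/suffix variants applied to the whole candidate."""
    return (words * case_variants) ** combo * affix_variants


def years_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Wall-clock years to try every candidate at the given rate."""
    return candidates / guesses_per_second / SECONDS_PER_YEAR


def summary(rate: float = 1_000_000) -> dict:
    """The thread's headline numbers, plus the same exhaustive searches at an
    assumed 1e10 guesses/s to show how the 'millions of years' figure scales."""
    fast_rate = 10_000_000_000  # assumed offline-cracking rate, not from the posts
    return {
        "all_16_upper": brute_force_space(26, 16),
        "all_15_upper": brute_force_space(26, 15),
        "years_15_upper": years_to_exhaust(brute_force_space(26, 15), rate),
        "years_14_upper": years_to_exhaust(brute_force_space(26, 14), rate),
        "years_15_upper_fast": years_to_exhaust(brute_force_space(26, 15), fast_rate),
        "triplets_20k_plain": dictionary_space(20_000, 3, case_variants=1),
        "pairs_20k_plain": dictionary_space(20_000, 2, case_variants=1),
        "guesses_before_16": shorter_than(26, 16),
    }


if __name__ == "__main__":
    for key, value in summary().items():
        print(f"{key:>22}: {value:,.0f}" if isinstance(value, float) else f"{key:>22}: {value:,}")
```

The functions only size the search; the later reply's point that a guesser starts from a word list rather than from every shorter string still stands, so a large space is an upper bound on attacker effort, not a guarantee.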
You had a good point, but then kind of ruined it by claiming an attacker would "have" to go through every combination from A to ZZZZZZZZZZZZZZZ before trying AAAAAAAAAAAAAAAA. They won't do it that way, because AAAAAAAAAAAAAAAA will be in their password dictionary. A 16 character, all capital letter password would be as strong as you say only if it was random, or at least meaningful only to the creator (like the initials of their best friends or something).
Just out of orneryness I'd like to make a password
"AAAAAAAAAAAAAAAABAAAAAAf*ckU!L33TSkrptkiddie"
so that after 53 million (or BEEELLIONTM ) years the hacker would know what I thought of them....
Of course, after that time, the computing platform may well have disappeared, as a result of a RealTimeTM Wolf-Rayet star having gone BANG! nearby...
(Apologies to CAMRA...heyyyyyy, where's my ale??????)...
In a properly implemented system there is no reason to prevent the use of any characters in a password. The password should just be pushed right into the hashing algorithm and converted to hex right away.
I suspect that a lot of bad passwords are created because of weird draconian restrictions like 8-16 upper or lower case letters only.
I used to use various Unix and SQL commands as my passwords as they were easy to remember, sufficiently complex and would be very hard to pick out via key logger.
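One way to build the "push any characters straight into the hash" store the post above asks for, which also shows why the precomputed hash-to-password table described earlier in the thread gets nothing from a properly salted record. Added example, not code from eBay, PayPal or any poster; the algorithm choice (PBKDF2-HMAC-SHA256), iteration count, record layout and the wordlist are assumptions made here.

```python
import hashlib
import hmac
import os

# Added example: a password store that hashes the raw UTF-8 bytes of whatever
# the user typed (spaces, £ and ¬ included) and salts every record, beside the
# unsalted lookup table an attacker could precompute.
ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000  # assumed work factor; tune for your hardware


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGO}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the record's own salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never accept
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def unsalted_table(wordlist) -> dict:
    """Plain SHA-256 of each word, no salt: the precomputed hash -> password
    table the thread describes. It only helps against unsalted fast hashes."""
    return {hashlib.sha256(w.encode("utf-8")).hexdigest(): w for w in wordlist}


def table_lookup(table: dict, stolen_hex: str):
    """What an attacker does with a stolen digest: one dictionary lookup."""
    return table.get(stolen_hex)


def demo():
    """Constructed wordlist: the same password is found when stored as a bare
    SHA-256 and not found when stored salted with a slow KDF."""
    table = unsalted_table(["best", "jetpilot", "bestjetpilot", "reset1"])
    weak = "bestjetpilot"
    unsalted_hit = table_lookup(table, hashlib.sha256(weak.encode("utf-8")).hexdigest())
    salted_record = hash_password(weak)
    salted_hit = table_lookup(table, salted_record.split("$")[3])
    return unsalted_hit, salted_hit
```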
A couple of people mentioned that, already famous, comic.
As I'm not in the least a security expert, I need to honestly ask: is that good or bad advice? At first I thought it sounded reasonable enough, but the tooltip gives a vibe of irony... so is it a good or a bad idea to apply that generation algorithm in the real world?
Thanks!
It's less good advice today than it might have been when it was first published in 2011. Last year, 2013, Bruce Schneier, who is consistently pretty damn good on security, posted this article, pointing to a "Really Good Article on How Easy it Is to Crack Passwords" which casts serious doubt on the continued usefulness of the XKCD approach, and he (BS) recommends instead using an approach he first described in 2008. I suspect he's right.
From a technical standpoint it's terrible, downright stupid advice. "correct" "horse" "battery" and "staple" are all extremely common words (well within top 5000 or so according to the various sources I found via Google). Using a top 5000 word dictionary you could crack passwords like this in days.
When I saw that comic I couldn't tell if he was serious or trolling, and most of his cult following seemed to be on the fence as well. But the advice is definitely wrong.
That being said, like someone else mentioned, just tacking on a few more words would make it much stronger. And like a lot of people have stated on this forum, you usually don't need to worry about someone cracking your password as much as accidentally handing it to them.
I usually use alpha-numerics.
For example my Ebay, Paypal AND email are set to the same one for ease of access, and so is my "goat" account to detect if someone has compromised any of the others.
A good one to use is hex/date hex/date hex/date ie AF1776BC2063 of course 1776 is the signing of the US Constitution and 2063 is the date of "First Contact" in the Trek Universe.
Substitute your own variants here, remember folks dictionary searches are the most common type of compromise.
I also read somewhere that teams of scammers working from home (often unwittingly via proxy) are being used to break CAPTCHAs 4 hours a day.
It seems that a length of 14 alone, e.g. '11111111111111', will get rated as Strong, but to get Best you need a lower case letter, upper case letter, number and special character, e.g. 'bT@11111111111' or 'Kevin6@gmail.com'. I wonder if anyone decided to use their email address as their password on this website's advice?
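The meter behaviour the post above reports (length 14 alone rates Strong, all four character classes rate Best) reproduced as code, beside a rating that also charges for repetition and for an obvious email-address shape. Added example, not eBay's meter or any poster's code; the "Weak" label for shorter input, the run-length scoring and the bit thresholds are assumptions made here.

```python
import math
import re

# Added example: a length/character-class meter as the post describes it,
# next to a structure-aware estimate that catches '11111111111111'.
CLASSES = ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33))
EMAIL = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")


def class_count(pw: str) -> int:
    return sum(bool(re.search(pattern, pw)) for pattern, _ in CLASSES)


def class_based_rating(pw: str) -> str:
    """The observed rules: 14+ chars is Strong; 14+ with all four classes is Best."""
    if len(pw) >= 14 and class_count(pw) == 4:
        return "Best"
    if len(pw) >= 14:
        return "Strong"
    return "Weak"  # assumed label for anything shorter


def charset_size(ch: str) -> int:
    for pattern, size in CLASSES:
        if re.fullmatch(pattern, ch):
            return size
    return 33


def estimated_bits(pw: str) -> float:
    """Rough log2 of the guesses needed when the guesser exploits structure.
    Each run of one repeated character costs the symbol plus its run length,
    so a 14-char run of '1' is ~7 bits rather than 14 digits' worth."""
    if EMAIL.fullmatch(pw):
        return 1.0  # the account's own email is among the first guesses tried
    bits = 0.0
    for m in re.finditer(r"(.)\1*", pw):
        run = m.group()
        bits += math.log2(charset_size(run[0])) + math.log2(len(run))
    return bits


def structure_aware_rating(pw: str) -> str:
    bits = estimated_bits(pw)  # thresholds are assumed, not from the page
    if bits < 28:
        return "Weak"
    if bits < 50:
        return "Fair"
    if bits < 70:
        return "Strong"
    return "Best"


def compare(pw: str) -> tuple:
    """(rating by the observed rules, rating with structure taken into account)."""
    return class_based_rating(pw), structure_aware_rating(pw)
```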
Why don't they let you see the password instead of the ******? A check box to see it would be handy, since most of the time I'm at home with no one looking over my shoulder, and most passwords are hijacked remotely.
My advice to anyone having difficulty remembering passwords is to have them written in a book next to the computer. Seriously, if someone is sat in your house in front of your computer all bets are off anyway. Obviously this advice does not extend to keeping that book in a laptop bag or your pocket... But most of the time people are sat in their houses online, even if they are using a laptop/tablet.
The password reset form that eBay currently uses does not allow cut and paste of passwords from a password manager, discouraging the use of complex, long and cryptic passwords.
It also mistakes non-alpha characters as "whitespace", limiting you to letters and numbers.
So, if you change your password, you may be forced to choose a less secure one than you had before.
To top it off, you can't change your email address to one that has your name in it (that must be good for discouraging fraudsters) and you can no longer link to PayPal (I suspect because PayPal has moved all non-US customers to country-specific sites and eBay is hardcoded to the US one).
These problems have been apparent for years, but eBay has no interest in fixing them.
Personally I frequently run into 'password too long' errors when making new passwords for places that have my financial information. Some places really don't like 50 character passwords.
Passwords that are truly random mixes of numbers, upper and lower case letters and symbols are hard for humans to remember but relatively easy for computers to guess. That being the case I tend more towards mnemonically friendly nonsensical phrases written in 13375p34k. I end up with passwords that even my wife couldn't guess and that would take millennia to brute force but which I can easily remember.