Biometric password
No thank you.
If something goes wrong then restoring access can be incredibly hard especially with the you-cannot-speak-to-a-human attitudes to many services that a lot of people depend upon.
Nearly a third of Britons use the name of their pet or a family member as a password, the National Cyber Security Centre has said as it advised folk to adopt what looks very much like a Register forum user's suggestion for secure password generation. A survey of 1,282 British adults commissioned by the NCSC showed that 15 per …
The trouble is that all these credentials are actually copies. When you type a password it's a copy of the password in your head or in your wallet or password manager. When you use biometric authentication you provide a copy (a photo or scan) of your fingerprints or face, you don't hand over actual body parts. Wherever a copy is involved, there's a potential for forgery and if there's no mechanism to allow for forgery and recover from it (as in a "something you are" authentication factor), I can potentially assume god-like power over your life in perpetuity.
Or, as Oscar Hammerstein wrote in another context:
And some day I'll know that moment divine,
When all the things you are, are mine!
Oh, and BTW, I think there may be an intrusive "f" in:
This shift may be essential
That's actually not true in the majority of cases. Most fingerprint, retina, and face biometric authentication tools, for example, do not save an image of your respective extremity, and instead save datapoints from the output of a detection algorithm. In almost all cases, these algorithms will look for recognizable minutiae in the subject. This is often more for performance and data storage costs associated, but has a bonus in that it respects your privacy by storing only the bare minimum required for often provably secure authentication. For example, for fingerprints:
These pattern recognition trends continue with the retina. It is most common to analyze the design of the sphincter and dilator musculature, which is often unique like fingerprint ridges, kinda like a round barcode. Infrared or near-infrared light can be used to detect patterns that are not present in the visible light spectrum, making them even more secure as existing cameras cannot so easily be used to mass-match irii, which is a concern of privacy advocates.
And for the face:
These are only examples, and I do not claim to be an expert on any of the mentioned technologies; retinal algorithms are probably my weakest subject of the 3 examples so I do not have as many practical examples as with the other two.
More importantly however, implementations of these algorithms vary among manufacturers and even related product lines, meaning the result of an algorithm for one product may not be so easily transferred to another product, making the data much less important should it be stolen on a low level.
Should a database of this information be breached, one would only need to modify the algorithm to make the data less useful—assuming the data is not encrypted before being stored in the database.
Overall, biometrics are generally pretty safe and do not expose you to unwarranted breaches of privacy.
PS: Despite that, I would personally only trust locally-stored authenticators, and not systems that upload that data to the Internet. I prefer hardware authentication tokens in this regard, specifically OpenPGP keys with multiple keyserver attestation.
Fingerprints can easily be acquired with court orders and an ink pad, passwords not so easy to acquire because that hits on the 5th amendment right.
Most of the "things you are" like face, iris, etc. are not considered self-incrimination and are much more easily acquired by bad actors (or good actors with court orders). Also, many biometrics frequently continue to be viable after death (for at least a short time).
Bruce Schneier, and others, have noted these problems, and in some ways they're almost self-evident once pointed out.
Bio - metric is measuring the body. Any measurement of your body contains information about you that may be more than just identification.
For example, that ratio of your d4 and d2 digits is quite strongly associated with your sexuality.
https://www.pnas.org/content/108/39/16289
So, anyone keen on hand geometry biometric log on in any country where homosexuality is punishable by imprisonment / lashes or death? (Saudi Arabia, Pakistan , Afghanistan, Iran, etc:
https://www.humandignitytrust.org/lgbt-the-law/map-of-criminalisation/ )
Then again, whorl type fingerprints are associated with a higher incidence of cancer:
https://pubmed.ncbi.nlm.nih.gov/28973742/
And, of course, any number of medical conditions can be diagnosed from examining the eyes.
And face geometry is also associated with homosexuality:
https://pubmed.ncbi.nlm.nih.gov/24132775/
Of course, none of these actually has to be even remotely accurate or true for one to be subjected to abuse, bigotry etc., but I do wonder about why so few (i.e., none that I have encountered) papers or articles on biometric identification even mentions the medical diagnostics that can be made from these systems.
"but I do wonder about why so few (i.e., none that I have encountered) papers or articles on biometric identification even mentions the medical diagnostics that can be made from these systems."
It could be handy if you start getting ads for cancer treatment or funeral services next time you log in to Facebook. It would save so much time!
"It could be handy if you start getting ads for cancer treatment or funeral services next time you log in to Facebook. "
Accepted, but how about increases to your insurance premiums, rejections from prospective employers due to the possibility of long term sick leave, refusal to provide loans or mortgages with life insurance once they find out what your biometrics could mean?
Current example of this is my daughter's Faeces Book account getting hacked and the email and phone number changed. Then they deleted the account for some reason. All automated efforts to fix this fail and there's no obvious way of contacting a human at FB to get it sorted.
She's since learnt the benefit of setting up MFA so at least she'll be better protected in future.
Still, it's a shame for her as there were a gazillion photos on there of her late mother.
And periodically my phone makes me input the pin when I hit the fingerprint sensor. So I still need a pin.
And just like periodically when you go to swipe your card the system makes you insert it in the reader and input your pin.
So Biometrics will need another factor, what could that be, oh! a password.
I use initial phrases with unique suffixes for each site not easily guessable.
Except for El Reg, my Reg password is deeply ancient. The only one left, that feels right.
Something else from the novel "Cyberbooks" I think - a character has a voice activated lock on his garage or something, it does not ever recognise his voice until he loses his temper and screams at it in apoplectic rage, Humiliation that he well deserves. It'd be a bugger on your office PC though, if we're still going to have those.
You could always use the Lector system.
All it requires is a sharp knife and a random face.
Although short term for both it would work for fingerprint readers too.
In the real world, I suspect that the majority who went for What Three Words, using a not their own address approach would use mostly memorable landmarks, their mum's house or somewhere close by etc.
A slight catch - typing English words is about 1 bit of randomicity per keystroke. Actual random letters mean a password of a certain length is much better than if it contains dictionary words.
Having said that, you can make a long passphrase but just use the initials of words as the password. It still may be not as random as you want, though.
Also, you probably will encounter systems that don't allow real words or repeated letters but do insist on mixed case, numbers, and punctuation in the password. The other day I found that Microsoft SQL Server was enforcing this. It doesn't really help if it does not stop you setting onetwo12! which it can't really (ish).
And you may have to change them every month, grr.
I favour theyw illne verge tthis O varied where necessary with 0 or O! and possibly a leading capital if so enforced. The actual letters should be random and kept on a little card very safely.
It's much easier to remember four random words than it is to remember 10 random characters; and although longer to type, it's usually *easier* to type things that are correct words than line noise (perl coders may not find it difficult however).
That's the strength of the system, not the per letter randomness, but the per "memorable bit" randomness.
Else I'd run `openssl rand -base64 21`
mUBshJeBHZyBRFG0YbVnNsAj0Jx6
But this is easier to remember:
`sort -R /usr/share/dict/words | head -4 | tr '\n' ' '`
upcover jumprock glancing taglock
and with `$ wc -l /usr/share/dict/words` showing me 240k words available - that's ~e21 options, substantially less than the long base64 approach, but substantially better than a 10 character base64 password (~e18), which is still pretty hard to remember. (It's about equivalent to a 12 char base64 password)
Of course - remembering passwords is probably not the way to go anyway - a password manager can deal with even longer, genuinely random, passwords - then you only need the password for the manager. So we're down to remembering one password, that doesn't directly log you in to anything...
I still think that a handful of words is easier to remember... Maybe I could use five words instead of four, takes me up to ~e26 (i.e. about a 15.5 digit base64 code) - takes about 4 seconds on my machine for my massively inefficient abuse of `sort` to produce a result:
$ time sort -R /usr/share/dict/words | head -5 | tr '\n' ' '
Minoan drawling insufferably hyposthenia standardizer
real 0m3.771s
I usually get one word I don't recognise, which is fine - it means that noone will guess that I'm using it, and I can learn one word to protect my password manager.
1 random letter is worth at least 4 letters of a random word, and I like to type as little as possible. ;-) RaNdOm CaSe slows me down more, so no thanks, and I can mentally cache 5 letters at a time (problem: I think Sainsbury online shopping doesn't allow spaces), though some of my txetm odnar has me struggling to remember where the next key is on the kebyarod. English doesn't have rules like "x after t except after e".
"the NCSC recommended using "strong passwords made up of three random words,""
Strong against what?
Unless that question is answered, "strong" is meaningless. There are maybe half a dozen disparate threats against passwords, each of which requires different controls to minimise it.
Quite apart from which, this idea has been around for absolute yonks, and it's only as good as the words you choose. The phrase (that's what it is - a short passphrase) must not be obvious, but must be memorable. And BTW, what is a "random word"? Randomness is a property of sets (multiple objects) not of single objects. A single object can only be arbitrary. If they mean words chosen at random from the dictionary, that still may not satisfy the first criterion very well (e.g. "it" "he" "led" - a 7 character password) and will either fail the second criterion (not very memorable) or will encourage tampering ("he led it" - an obvious 7 character password) which will thwart the first criterion. Just requiring three words doesn't stop folks choosing obvious words.
The strongest property of a password against guessing is originality, which seems to be in short supply judging from published password sets. No password is proof against brute force attack or reverse cracking from a hash offline. But the less likely it is to be duplicated by others the better. Consequently, "password rules" that set strict parameters (unless they are minimum parameters) tend to make passwords less safe, not more, as they enforce predictability.
https://password.kaspersky.com/ suggests that badger.badger.badger would take 5 days to crack.
Whereas bork.bork.bork would take 2 years.
And bork.bork.bork.bork.bork.bork 4 four years.
On the other hand, bork.badger.bork.badger would take 10000+ centuries!
These "claims" are apparently based on "Your password will be bruteforced with an average home computer in approximately..." - not sure that concurs with a 29 character password taking significantly less time than a 24 character one. Unless bruteforcing doesn't mean what I think it means.
"On the other hand, bork.badger.bork.badger would take 10000+ centuries!"
So that would take a million years on a typical home PC.
The last article I read mentioned a Tianhe supercomputer that's still 4th in the top500 list of known computers. It has over 10 million cores, let's say it's a million times more powerful than a typical PC. Given that password cracking is an embarrassingly parallel problem, this machine may be expected to take a year. You need to consider who you are defending yourself from and what resources they may use against you, both now and in the future.
"Unless bruteforcing doesn't mean what I think it means."
You don't just build up passphrases to test from individual characters, you create a list of characters and words in order of decreasing expected probability, and combine these into candidate passphrases to test based on their probability. The word 'rhythmic' is more likely to appear in a passphrase than the letter sequence 'cmyihtrh' or 'cihtyhmr' or 'tyrcimhh' or 'yihchtrm', so it's worth testing such passphrases earlier.
For strong passphrases I would suggest 4 (or 5!) random words, with some deliberate corruption, such as mis-spelling, extra inserted characters (a couple of numerals or punctuation marks ought to be good), some random capitalisation, maybe move any word-separating characters about. You don't need much of this, but avoid obvious substitutions such as '0' for 'o' etc. You should end up with non-dictionary words which are hopefully not too difficult to remember. Stick to common punctuation marks, there are pitfalls with different character encodings.
To remember passphrases, use them, use them, USE THEM.
Or write them down, but this creates new risks.
I'm no expert BTW.
tecumseh.amazebubbles.psychoendoneuroimmunology
Error: Sorry, your password should contain at least one symbol from the following list: [, ], (, ), #, @, !, %, two numeric characters, one lowercase and one uppercase characters and be between 8 and 12 characters long.
To be fair, that's not the way biometrics work - so they'd need access to your face and your device but why let that get in the way of a good gag about editing your visage.
But back to the point, I'm still not sure why something like the Yubikey / U2F isn't a thing - so many sites still won't support it - Paypal I'm looking at you!!
Welcome to life as an engineer in the 21st century. This one is the one issued by IT support, it unlocks my laptop. This one is issued by SRE, this gets me on to the AWS console. This one is also from SRE, gets me on to GCP - I don't know why they issued two either. This one is my personal one, it's got my personal GPG keys on it. This one is my old personal one, for U2F websites I haven't switched over yet. This one has my work GPG keys on it.....
I use U2F for everything that will accept it. All MFA should need 2 of 3 items, preferably allow multiple U2F devices and/or text and/or TOTP taken with maybe a password. U2F is about as secure as it gets. You don't got my physical key, you're outta luck. TWO because I want one in an alternate location in case something bad happens.
U2F is the heat. No way to break it easily, and the private key cannot be copied, and it lotsa bits!
Just a little nod to KeePassXC, of which I'm rather fond. Almost all passwords can be truly random and ridiculously long* with a decent cross-platform manager such as this (the database [in encrypted form] can be seamlessly cloud-synced to your favourite provider/roll-your-own). But yes, the master password can be as correct a battery staple as any horse could wish for.
*(Barring nonsensical limitations on what you can use as a password: I tried something like "kl][';dtshJ~Khs%$aq:dVrL#}>¬KdR=" somewhere once and got "Your password must contain at least one number"... sigh.)
> If anyone's got a practical method of resetting your face after your encrypted mugshot is abused by crims, let us know by sticking it in the comments.
Not since the Printer's Devil pub in Uxbridge was knocked down. In the section reviewing pubs in the annual student handbook at Brunel University it was the only one with an invariant review year-on-year: "Good place to get your face customised by the locals."
And some annoyingly don't let you paste the password in, forcing you to type it in, then again to verify it, at which point I usually abandon my long complex password and use a shorter easier one. I keep my passwords in encrypted documents in encrypted folders, so just copy and paste them into websites (if I can).
pwgen and vi -x here.
Firefox does a pretty good job of generating garbled passwords and storing them. PITA if you want to access a site from another machine though.
My pet hate is websites that change the rules so the password you register with uses a different rule set to the "I've forgotten My Password" process.
Did this with one or more releases of MIUI on their droid phones! "...for your protection, as many apps have access to the clipboard" Yeah, like Keepass, Lastpass and 1Password, morons!
And of course, having used all of the above, meant typing in something like MV64BPb*bBFPpQgT0G7%$Gi7Lvw9wMW$JcP% anytime I wanted to login anywhere
>Website owners are some of the biggest ones in need of educating.
About the secure storage of credential information.
Remember, this is only really a problem because of major security lapses by websites that permitted third-parties to bulk download their customer details and password files.
A second group in need of educating are web browser developers who think it is okay to include a password store that can be read by third-party webpages.
Three 'random' words if adopted widely sets up the user for dictionary based attacks and for simple brute force attack. The latter made more easy by virtue of only alphabetic characters (upper and lower case) requiring anticipation.
Every bad agent with access to a powerful computer will revel in this proposal. Shall GCHQ, supposedly on the side of the angels, similarly rejoice?
Do password cracking systems based on rainbow tables make provision for permutations of the letters in each word?
If not, would writing the pass phrase in (say) a 5x5 square left to right then reading it off top to bottom juggle the letters around enough to force the cracking software to go to brute force?
You can probably spot the phrase I've jumbled up below, but could an algorithm?
SHPEEAIRETDEWIH?
Icon: I've reached the life stage where I have to write stuff down anyway...
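An added example, not from the poster above, of the 5x5-style grid trick being asked about: write the phrase into a grid of a fixed width, read it off by columns, and then check what that actually buys. The two functions below implement the transposition and its inverse; the last two show why a fixed, public rearrangement does not change the size of the candidate set, and that only the part an attacker does not know (here, which width was used) contributes any bits. The sample phrase, candidate list and widths are constructed for the example.

```python
import math


def columnar_encode(text: str, cols: int) -> str:
    """Write `text` row by row into a grid `cols` wide, then read it column by column.
    Slicing with a step handles a ragged last row without padding."""
    return "".join(text[c::cols] for c in range(cols))


def columnar_decode(cipher: str, cols: int) -> str:
    """Invert columnar_encode for the same grid width."""
    n = len(cipher)
    base, extra = divmod(n, cols)  # the first `extra` columns are one cell taller
    plain = [""] * n
    pos = 0
    for c in range(cols):
        for r in range(base + (1 if c < extra else 0)):
            plain[r * cols + c] = cipher[pos]
            pos += 1
    return "".join(plain)


def candidate_count_after_transform(candidates, cols: int) -> int:
    """A fixed transform is a bijection on strings, so a wordlist of N entries
    maps onto exactly N distinct rearranged entries: the search space is unchanged."""
    return len({columnar_encode(w, cols) for w in candidates})


def added_bits(possible_widths) -> float:
    """Entropy the grid trick adds = log2(number of widths the attacker must try).
    A single, fixed width contributes log2(1) = 0 bits."""
    return math.log2(len(possible_widths))


if __name__ == "__main__":
    phrase = "wheresthepie"  # constructed sample, 12 letters
    scrambled = columnar_encode(phrase, 5)
    print(scrambled, "->", columnar_decode(scrambled, 5))
    wordlist = ["correcthorse", "batterystaple", "threerandomwords"]  # constructed
    print(candidate_count_after_transform(wordlist, 5), "candidates before and after")
    print(added_bits([5]), "bits from a fixed width;", added_bits(range(2, 10)), "bits if width 2-9 is secret")
```

The point for a defender: a rearrangement rule you could publish is not a secret, so it adds nothing to the work factor; extra secret words do, because each one multiplies the candidate count rather than permuting it.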
Just READ the XKCD. It's about entropy. There are a LOT of words, proper names, foreign words . . . Many of which are not dictionary words. I use 3 words + a number so like '43 Walruses Vomit Chartruse' Spaces if they let me. Creates really nasty entropy. Or I let keepassXC generate 24 random chars and just paste. I never use special characters unless required. Invariably I'm stuck typing the crap in by hand in a pressure situation, . . was that a star or an at sign?
Adenike Cosgrove, a cybersecurity strategist from email security biz Proofpoint, opined that passwords will probably become old hat soon, saying: "We have already seen a rise in methods such as facial recognition and other biometric authentication forms in use in place of the traditional password."
She added: "This shift may be essential, because although technical vulnerabilities may be harder to exploit in future, humans are already and will remain the most targeted link in cyber security, with the most tech-savvy individuals vulnerable to increasingly personalised and complex attacks."
All very well and good until you snuff it and your executors are trying to clear up your affairs.
Been there. Having the Grant of Probate is all very well but, if the deceased embraced the "go paperless" mindset, knowing where to send the copies is quite a challenge. Fortunately good old Dad could be relied on to use one of about four passwords, so once I was into his laptop...
I suspect What 3 Words works on a vocabulary of about 40k words, which probably matches an English speaker's passive vocabulary. (The earth has an area of about 5.1e14 square metres; 4e4^3 is 6.4e13, meaning that a W3W square is just under 8 square metres, which seems about right.)
Let's be really generous and assume someone asked to come up with three random words is able to pick each word from a 50k word vocabulary (I suspect, in practice, an awful lot of people would be picking, from an immediately accessible vocabulary of 5k words or less). So, like W3W, you now have 6.4e13 combinations.
On my keyboard I can comfortably type 88 different symbols (26 letters + 10 shift-digit symbols + 8 punctuation = 44, all of which can be shifted to give another 44).
Now my maths might be wrong (I seem to have some kind of long Covid neurological issue going on, so please be gentle!) but as 88^7 = 4.1e13 and 88^8 = 3.6e15 that means even a good three word passphrase would have about 50% more entropy than a 7 character password whilst an 8 character password would have 50x more entropy.
NB: I know they're trying to target the people who use "Rover123" and obviously 3 random words are vastly preferable to that --- but I think the approach misses the required entropy of a moderately secure password by a factor of at least a million (probably a billion with more common words).
You omitted the word separator, which can be any character not just '.'.
However, enforcing this rule will be difficult, so best just to insist on upper and lower case, numbers and special characters. What3words just gives people a memorable structure on which to hang their favourite convention. In this way it is relatively simple to create 12+ character passwords; without the framework, people will struggle to create a 12+ character password.
My 2 longest passwords, that I have to remember are 32 characters, both are nonsense phrases constructed out of words with filler symbols and are more easily recalled (after a few weeks of holiday) than the 16 random character passwords some insist on using.
@John_H_Woods
Quote: "...on a vocabulary of about 40k words..."
*
.......but the widely available file called "linux.words" has over 400K entries......many of which don't look like any words I can recall!!!! Does this x10 increase in the word pool not make a significant difference to the "three word math"?
*
Some examples: a-glucosidase, aasvogels, abrotanum, absolutistically, achroiocythaemia, ......
*
.....and that's just a few from the beginning up to "ACH...."!!!
My thoughts too. Basing your password on a smallish, fixed database is probably a bad idea.
I don't know if the W3W database is publicly available, but their business model is clear: get the concept used widely (including by paying for TV advertising) and then start charging.
Using w3w to provide 3 words isn't as good as it sounds. If you use a specific address/postcode you might as well just use that address/postcode as your p/w. If you generate it from a location you are stood in that gives a much wider more random choice. But then you have to find the precise location again. Even my little home has at least 9, arguably 16 possible locations. I could narrow it down to maybe 6 or 8. But what a faff. I guess if you base it on a specific part of the property that you can locate on a map it'd work, a garage say. As long as you can remember where on the property you used in 6 months or so time.
I know I used a location near mum's house- was it the garage, the shed, the garden, the back gate, the apple tree.....
These things aren't unique unfortunately. It is shared with somewhere in Altoona, Wisconsin, which could mean residents at that location being treated with some suspicion.
My address suggests that I help exiles... If it's to do with exiling oneself from the cloud then I can help with that.
I always assumed this to be obvious to most people.
If someone gets into your mailbox, they can change the mailbox password, locking you out, and then do password resets on any service associated with that mailbox.
I mean, you don’t even have to understand computers to understand that little nugget of logic
Turns out, not many people are logically minded, who knew...
Works the other way around, too. I have accounts in some places where I literally don't know the password and don't store it. The company I might order something from once every five years? It's faster just to do a password reset.
(I vaguely recall even The Bruce thinks this is a valid mode of operation, but don't quote me — or him — on that. Also, he has surprising views on on-paper passwords.)
It doesn't really help. Instead of having to remember a password for each of the 100 id's instead you need to remember 3 words for each. Alternatively you can as suggested just remember the location and look it up if needed, but who can remember dozens of "random" locations and tie each one to a particular site/id.
Not only doesn't it help. It doesn't even work as most sites will insist on password complexity so you need to add digits etc.
I've even come across one site that applied "complexity" rules to the memorable answers (normally crappy low entropy passwords). This site wanted me to give the middle name of my oldest sibling, but would only accept answers of seven or more characters including at least one digit. My parents were quite remiss in this respect as they only gave her a 3 letter name and no numbers!
Does anyone here realize that the basic password cracking programs use what is called "dictionaries"?
Any word found in a dictionary is a poor password or part thereof. Assuming 30 000 words for the basic English dictionary, how long do you think it would take a supercomputer to crack your "random" 3 word password? Probably not even 2 minutes.
Most of us here, I'm guessing, are thinking in terms of chancers and low level criminals trying to break into our accounts. If we're talking of targeted attacks by serious organised crime (or state machinery) that's a whole different level of security (though I'd always use some kind of non-dictionary component- can't be too careful)
Yes, they use dictionaries... do you know what you are protecting against when protecting against dictionary attacks?
The entropy available in three (or preferably four) words is actually pretty impressive, assuming of course that you can generate reasonable random words from a large enough dataset.
The dictionary isn't a bad place to start, there are quite a few choices for each word...
Hmmm... having the secret limited to existing words and even reducing it to pets, names and places... the chance of brute forcing is on the rise, because it limits considerably the possibilities to check... But as always the balance between security and user experience.
What about facial recognition and finger print revocation or change... Plastic surgery on the rise, or burning finger prints LoL
Once had my finger burned in the kitchen, well yes... I was locked out with fingerprint recognition... Unintended or uncontrolled revocation ;)
We've been here before, but, how the fk do you change your face or your fingerprint if it's compromised? Do I really need to wear an expression of surprised innocence and my old purple T-shirt and the fluorescent c0ck-ring to get into my bank, or the annual general meeting? I can't remember a 56 character p1ssword that contains ancient Greek and Sumerian characters. I don't really want to be chipped like a stray dog and I don't want to have a 64 char bar-code tattooed on my forehead either. I don't do two factor authentication because I don't do mobiles. My comms device is my desktop. I don't want to use the p1sswrd manager on my desktop to boot and login to my desktop because that's a logic bomb even Barbie and Ken would spot. I can download and install a pisswrd manager that demands I first create a pissword that it didn't provide but if I download another pisswrd manager it may produce a pisswrd, but that 2nd pisswrd manager demands that I download a 3rd pisswrd manager because it shouldn't manage something as critical as it's out pissrd so it recommends another 4th pissword manager to make the pisswrd for the paisswrd that pisswords the pissword to get the pissword, ... so now I have to ask the CIA if I can ask the KGB if I can ask the Chinese Intelligence service if I can ask the Iranian Intelligence if I can ask Facbook if I can ask google if I can boot up windows, because privacy and security are a human right, and obviously I'm a stupid non-technical old khun if have to have simple things like this explained to me.
Adding a symbol or two outperforms weird every time. Password checks should be entropy checks. p455w0rd! is not better than 'Humbled By 1950 Jaded Pelicans' And frankly not easier to type. mis-spel the word for even more simple fun. 'Flexable Furnature 500 Dollers'.
NOBODY is breaking modest passwords with brute force unless it's a weak hash. It's phishing and repeated reuse across multiple sites, until you get bitten. Set up on kewlstuff.com use the same password as the bank their hashes are stolen, and were md5. "Let's try this one . . ." That is assuming you crack the actual password, and not just an alternate hash match.
Password cracking is not TV easy. But as Kevin Mitnick will attest, people are often even easier.
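An added example, not from any of the commenters, of the "password checks should be entropy checks" idea set against the kind of composition rule quoted earlier in the thread (a symbol from a fixed list, two digits, mixed case, 8 to 12 characters). The estimator charges a recognised dictionary word (after undoing common digit-for-letter substitutions) log2 of an assumed 50,000-word attacker list rather than its letters' worth, and never more than the letters are worth; everything else is scored per character by its character class. The dictionary here is a constructed handful of words so the block runs offline, and the 50,000 figure is an assumption.

```python
import math
import re

# Constructed mini dictionary (assumption); a real checker loads a large wordlist.
DICTIONARY = {
    "password", "humbled", "by", "jaded", "pelicans", "flexible", "furniture",
    "dollars", "badger", "bork", "antimony", "arsenic", "aluminum", "taken",
    "three", "bottles",
}
ASSUMED_DICT_SIZE = 50_000          # assumed size of an attacker's wordlist
LEET = str.maketrans("43015", "aeols")  # digit substitutions undone before lookup
SYMBOLS = 33                        # printable ASCII that are neither letters nor digits
TOKEN = re.compile(r"[A-Za-z\d]+|[^A-Za-z\d\s]")


def charset_size(token: str) -> int:
    """Size of the smallest character class mix that could have produced `token`."""
    size = 0
    if re.search(r"[a-z]", token):
        size += 26
    if re.search(r"[A-Z]", token):
        size += 26
    if re.search(r"\d", token):
        size += 10
    if re.search(r"[^A-Za-z\d]", token):
        size += SYMBOLS
    return size


def estimate_bits(password: str) -> float:
    """Rough entropy estimate: words cost a dictionary lookup, not their letters."""
    bits = 0.0
    for token in TOKEN.findall(password):
        per_char = len(token) * math.log2(charset_size(token))
        if token.isdigit():
            bits += len(token) * math.log2(10)
        elif token.lower().translate(LEET) in DICTIONARY:
            bits += min(math.log2(ASSUMED_DICT_SIZE), per_char)
        else:
            bits += per_char
    return bits


def meets_composition_rules(password: str) -> bool:
    """The rule set quoted in the thread: listed symbol, two digits, lower, upper, 8-12 chars."""
    return (
        8 <= len(password) <= 12
        and any(c in "[]()#@!%" for c in password)
        and sum(c.isdigit() for c in password) >= 2
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
    )


def verdict(password: str, min_bits: float = 50.0) -> dict:
    """Compare what the two kinds of check say about the same password."""
    bits = estimate_bits(password)
    return {"bits": round(bits, 1),
            "entropy_check": bits >= min_bits,
            "composition_check": meets_composition_rules(password)}


if __name__ == "__main__":
    for pw in ("P455w0rd!", "Humbled By 1950 Jaded Pelicans", "Mm6=antimony+arsenic+aluminum"):
        print(f"{pw!r:36s} {verdict(pw)}")
```

The composition rule waves through the leet-speak variant of the single most common password and rejects the four-word phrase for being too long; the entropy estimate ranks them the other way round. The estimator is deliberately naive in one direction: a misspelt word it does not recognise is scored as random letters, so it flatters "Flexable Furnature" more than a cracker's edit-distance rules would.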
Because of an ill-advised comment uttered approximately at the same time as a certain "Dunnild Tramp" got his own ass banned, the Twitter organization has invited me to delete said comment and thus regain access to their fine web property. But in order to do that they want to make sure I provide to them my cell phone number. But I aint got none.
So I'm like, "bother!"
Anyway who cares.
(Hack away at my Twit account - I dares ya)
I went about it a different way.
Register a domain (yourname.co.uk)
This way you can redirect any emails to your domain and easily track spam.
Example you can now have tesco@yourname.co.uk, asda@yourname.co.uk, theregister@yourname.co.uk etc.
and, each email address you register with the web site can have a unique password, Tesco could be P@ssw0rdt3s, Asda could be P@ssw0rd4sd, etc.
Also, I'd rather use something like Keepass than a browser password plugin. More secure.
I have 2 tiers of passwords. Tier 1 are all unique and are for sites/services that matter to me. Tier2 sites/services are for sites/services that require an account, but that actually don't matter to me if they are compromised. For those I use a small list of reused passwords. I use a good password manager and so far have managed to avoid them getting compromised. However, there are no guarantees, so plan accordingly and make sure that you can recover that which matters to you.
The biggest problem with Biometrics is that you cannot change them once compromised, so they are inherently useless for Tier1 but are convenient for Tier2 (eg. fingerprint to unlock my phone). If my bank decides that they need my Biometrics, then I'm moving bank. I already don't like that my passport stores biometric data but I do understand why and hope/assume that the data is well secured.
What3words uses 40 000 words in case you pick a location in the sea, otherwise only 25 000
https://en.wikipedia.org/wiki/What3words
Now count with me...
- It is 40 000 * 40 000 * 40 000 = 64 000 000 000 000 = 64 000 G of combinations
- That is similar to 52 to the power of 8 = 53 459 728 531 456. Anybody consider an 8 character lower and upper case password secure?
- 2080 Ti has NTLM hash rate about 73602.4 MH/s ~ 73 GH/s (MD5 even faster) https://gist.github.com/binary1985/c8153c8ec44595fdabbf03157562763e
- So 64 000 / 73 ~ 877 / 60 = 14.6 minutes
- Well played... what3words gives you at best 15 minutes of life... you will drown in your sea location
I agree that memorable(words) passwords are better
- But it must be loooong, rather like sentence. 30 to 60 characters
- Few of the words MUST NOT be in dictionary, make intentional typo or make new word.
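An added example, not from any of the commenters, that puts the arithmetic scattered through this thread (the `sort -R /usr/share/dict/words` post's ~e21 and "about a 12 char base64 password", the 40k-word What3words estimate against 7 and 8 characters of an 88-symbol keyboard, and the 64 000 G / 73 GH/s calculation above) into one set of functions, plus a word picker that uses the `secrets` module rather than `sort -R`. The word list is a constructed stand-in for the dictionary file, the 73e9 guesses per second is the NTLM figure quoted above, and the pool sizes come from the posts; the times are worst-case (whole keyspace), so the expected time is half.

```python
import math
import secrets

# Constructed stand-in for /usr/share/dict/words (assumption: the real file has
# ~240k entries; this list exists only so the block runs offline).
SAMPLE_WORDS = [
    "upcover", "jumprock", "glancing", "taglock", "minoan", "drawling",
    "insufferably", "hyposthenia", "standardizer", "badger", "bork", "walrus",
]


def entropy_bits(pool_size: int, picks: int) -> float:
    """Entropy of `picks` independent, uniform choices from a pool of `pool_size`."""
    return picks * math.log2(pool_size)


def keyspace_size(pool_size: int, picks: int) -> int:
    """Number of candidates an exhaustive search has to cover."""
    return pool_size ** picks


def exhaustive_seconds(pool_size: int, picks: int, guesses_per_second: float) -> float:
    """Worst-case time to walk the whole keyspace at a given guess rate."""
    return keyspace_size(pool_size, picks) / guesses_per_second


def equivalent_base64_chars(pool_size: int, picks: int) -> float:
    """Characters of a 64-symbol alphabet (6 bits each) carrying the same entropy."""
    return entropy_bits(pool_size, picks) / 6


def generate_passphrase(words, count: int = 4, sep: str = " ") -> str:
    """Pick `count` words with the OS CSPRNG; secrets.choice is uniform over the list."""
    return sep.join(secrets.choice(words) for _ in range(count))


def compare_scenarios(guesses_per_second: float = 73e9) -> dict:
    """Bits, base64-equivalent length and worst-case time for the schemes in the thread."""
    scenarios = {
        "3 words from 40k (W3W-sized list)": (40_000, 3),
        "4 words from 240k (dict/words)": (240_000, 4),
        "5 words from 240k": (240_000, 5),
        "7 chars from 88-symbol keyboard": (88, 7),
        "8 chars from 88-symbol keyboard": (88, 8),
        "10 base64 chars": (64, 10),
    }
    return {
        name: {
            "bits": round(entropy_bits(p, k), 1),
            "base64_equiv_chars": round(equivalent_base64_chars(p, k), 1),
            "worst_case_seconds": exhaustive_seconds(p, k, guesses_per_second),
        }
        for name, (p, k) in scenarios.items()
    }


if __name__ == "__main__":
    for name, r in compare_scenarios().items():
        print(f"{name:36s} {r['bits']:6.1f} bits  ~{r['base64_equiv_chars']:5.1f} base64 chars"
              f"  {r['worst_case_seconds']:.3g} s at 73 GH/s")
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 5))
```

The 73 GH/s rate is for a fast unsalted hash; the same bit counts apply whatever the storage, but the seconds column only holds when the site stores passwords that badly. Against a properly salted, slow KDF the guess rate drops by orders of magnitude, which is the site's job, not the user's.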
After the lockdown people are returning to work and finding their extra facial hair, grown during the furlough period, is borking their facial recognition on company devices. Either go home and have a shave or join the queue asking IT to reset your company device (you are 993 in the queue).
Phrases are great until a security advisor with little imagination says you need 3 letters of each case, two numbers, at least 2 punctuation marks, no spaces, and no quotes, and no angle braces. Now you're at the login prompt wondering if your password was "DumbA55L0g!n!" or "Dumb4SS1Ogin!!!" or... Should have written it on a PostIt note.
My mum changed energy suppliers and I was dismayed to find that the fresh one - only recently set up - demanded passwords 8-12 characters long consisting ONLY of letters and digits.
And it announced that letters were NOT case sensitive.
Mind you, not many black hats will want to pay her gas bill.
I have been seeing "experts" saying that passwords are on the way out. They are still here.
Certainly users are more aware of passwords. Unfortunately, there is still a number that will not.
I use 2FA in several places and so do all our VPN users but when someone mentioned that it could be used with Office365 hostility arose!
Got something electronic and not cheap handy, look at the information panel at all the potential passwords.
Model number, serial number, lots of them.
Your car chassis number?
Lot of nice random strings.
I even have a password for accounts I am recovering to delete. Vendor specific stuff you really want to lose. This is just swearing in a string.
-- Your car chassis number?
Not even the DVLA get that right. I had a lengthy postal conversation trying to convince them that the number as recorded at the MOT station was correct. In the days when humans looked at paper (or electronic) records, the spacing didn't matter.
Three random words:
- probably too constrained a space and some argue easy to dictionary attack as a hash.
- doesn't hit the complexity password rules without character substitution.
So add 'magic word' from a key phrase (My mate Boris -> Mm6)
Always prefix or suffix your three words with your magic word and punctuation : you subvert the attack space away from a straight dictionary space and meet the complexity requirements.
PLUS using regular words makes typing easier than 16 truly random characters and punctuation marks.
PLUS if you have sufficient trust in your magic word you can write down the _other_ words in an ordinary notebook (or app).
So:
Mm6=antimony+arsenic+aluminum
Mm6=taken+three+bottles
This is my 'granny' solution. It doesn't need a password app, and Granny can understand it. (YGMV - Your Granny May Vary).
.. only I don't have any, on account of even managing to kill dried flowers if I put my mind to it.
And no, I don't consider computers pets.
Anyway, I like the location idea. Not to speak any less of the XKCD approach which I have used many times in companies that needed a bit of gentle help, but the location idea attaches something physical to it. Nice.