It's May 2. Know what that means? Yep, it's the PR orgy that is World Password Day... again

If there's anything worse than having to constantly come up with and enter passwords, it's the idiotic way in which we all do it. Yep, it's World Password Day again and that means one thing: companies of every hue and shade politely but firmly telling us we're a disgrace. Avast, for example, let us know that "unfortunately, …

  1. Jim-234

    How about we ask companies to stop letting the hackers have all the passwords instead.

    I get a little tired of people preaching about how much more work people need to do on "better" or "more random" or "more changed often" passwords when the biggest problem recently is it seems like corporate security is a total afterthought & they are just letting the hackers waltz in and grab all the data and all the password files.

    Every week there is some new report of some big company losing a big bunch of everything... oops...

    Or leaving everyone's passwords just in a plain text database.

    How about we make the companies pay folks for the time and trouble of going in and resetting all their passwords after they lose them.

    Maybe that would help a lot more.

    1. big_D Silver badge

      Re: How about we ask companies to stop letting the hackers have all the passwords instead.

      I agree, although the national news last night sent out reporters on the streets in Munich, I think, and they were telling people it was Password Day, and what was their password? It was incredible how many people blurted out their passwords on national television.

      One young woman told them that she used the name of her boyfriend and some random numbers. Well, better than nothing; then they manage to niggle her until she blurts out that he is called Timo and the "random" numbers are 123...

      1. Shugyosha

        Re: How about we ask companies to stop letting the hackers have all the passwords instead.

        "It was incredible how many people blurted out their passwords on national television.."

        Yes, I'm always skeptical about exercises like this though.

        In the unlikely event that I'm accosted by a surveyor and actually stop, the conversation would be something like:

        "Hi, we're doing a survey on password security. Can you tell us what password you use?"

        "No"

        "There's a gift voucher in it for you!"

        "Sure, my password is BullshitFakePassword123."

        READ OUR SHOCKING ARTICLE ABOUT PEOPLE'S LAX ATTITUDES TO PASSWORD SECURITY!

        1. Ken Shabby
          Black Helicopters

          Re: How about we ask companies to stop letting the hackers have all the passwords instead.

          Dammit! - How did you know?

  2. Will Godfrey Silver badge
    Unhappy

    Sorry

    I was too busy trying to find even one candidate worth voting for in the local elections, and I was supposed to pick three!

  3. The Original Steve

    El Reg recommends 2FA

    Funny that, because when I just logged onto the El Reg comments...

    1. Joe W Silver badge

      Re: El Reg recommends 2FA

      Yeah, but is that a site where it would matter? Just don't reuse the password anywhere else...

      (yes, I get what you are saying, but still..)

      1. Anonymous Coward
        Anonymous Coward

        Re: El Reg recommends 2FA

        This usually gets pointed out every time there's another article on password hygiene, but reusing passwords isn't really such a bad idea. Reusing your El Reg password on some other web forum isn't going to hurt you, even if it does get stolen. The worst that will happen is someone will come here and post as you!

        Reusing passwords for low risk/low value sites keeps people from trying to memorize complex passwords and means that they can save the few good (high complexity) passwords they can remember for the places that are important.

        1. Roger Greenwood

          Re: El Reg recommends 2FA

          "someone will come here and post as you!"

          Shirley not, only if you give it to eadon.

          (We'll not forget old eadon, and he drove the fastest milkcart in the west.)

          1. Anonymous Coward
            Anonymous Coward

            Re: El Reg recommends 2FA

            +1 for remembering Eadon.

            But consider that we have many new interesting characters here too, one that writes puzzling comments on AIIIILifeTechInMars and another VERY bombastic ONE.

        2. Anonymous Coward
          Anonymous Coward

          Re: El Reg recommends 2FA

          "This usually gets pointed out every time there's another article on password hygiene, but reusing passwords isn't really such a bad idea."

          But what if I want to retain my anonymous cowardliness? The ratio of shitposting to sensible commentary alone would be embarrassing enough, let alone the sheer quantity of time spent during working hours on this site.

        3. Brangdon

          Re: someone will come here and post as you

          That is, it might form part of a social engineering attack that will lead to being compromised more seriously elsewhere.

          Admittedly more likely on Facebook than here.

  4. A-nonCoward
    Childcatcher

    Can a grownup, please...?

    put in some reasonable evidence regarding funny characters as being any better, instead of a password 30 characters or longer?

    With all due respect, I find it rather silly that password requirements are happy if I use upper and lower case plus a number plus some symbol, the whole being 8 characters, but, if I use batteryHorseStaplerChernobylAaaalfa, nope, that is not good. Even stupider if I have to change my impossible-to-remember 8-character password every three months.

    That said, I am ignorant, so, perhaps someone could say something educational, please?

    thank you.

    icon, because us ignorants are the problem, right?

    1. veti Silver badge

      Re: Can a grownup, please...?

      Two words: legacy systems.

      All the fun stuff in database development was done back in the 1980s, when "hacking" was a sport indulged for fun and kudos, not a major criminal business, and neither bandwidth nor processor power was sufficient to support dictionary attacks. The databases and textbooks we use today are linearly descended from those developed back then. It's amazing how much hasn't changed.

      It's hard to change this stuff, because basically everyone is accustomed to the present regime and has an inbuilt prejudice against radical change.

      There's also a whiff of faddishness about the advice in this area. For years it was "lower/uppercase plus numerals", then "special characters" were added to the recommendation, and now there's bitter controversy (see, e.g., TFA as opposed to your own comment) as to whether "CorrectHorseBatteryStaple" is better or worse than "5CWr`R?EV8]K". I can't blame sysadmins for being leery of any single piece of advice, unless and until it gets endorsed or forced upon them by a higher authority.

      1. veti Silver badge

        Re: Can a grownup, please...?

        In fact, I'd say the "CorrectHorseBatteryStaple" cartoon is a rare example of XKCD getting it badly wrong.

        The issue is: scaling. The XKCD approach only works because nobody targets it. If we all started doing that, attackers would quickly rewrite their algorithms to crack it (by stringing together random words - "dictionary attack" would take on a whole new meaning), and we'd very soon be much worse off than we are today.

        Maths: The average native English speaker has an active vocabulary of about 20,000 words (actually I'd be prepared to bet, a very large fraction of users would choose from a much smaller subset of words - but let's take 20,000 as a base for calculation). If you string four of those words together at random, that gives you (20,000 ^ 4 = ) 1.6e17 possible sequences. That's - not much better than an 8-character conventional password (if assembled from the 92 characters I can easily type from my keyboard, 92 ^ 8 = 5e15). A 10-character password is 250 times more secure.

        And sure, you can add random shit to it to make it harder to guess - but once you start doing that, the supposed gain in "memorability" promptly vanishes, and you're left doing a lot more typing to achieve the same level of security you could have in a much smaller field.

        1. doublelayer Silver badge

          Re: Can a grownup, please...?

          Good points in theory, but you have to consider the whole set of possible passwords as well as a single user's set. If the length limit is set at 8, then the rainbow table generator can throw together a list of hashes of 8 and 9-character passwords. If the password length is longer but constructed of larger components, a person needs a good list of all of those components. If they're all single words found in a dictionary, that might be doable, but if a user makes any type of adjustment, as simple as switching an o with a 0 or putting an & before the last word, the generation of hashes from all the words in a dictionary won't uncover it. Similarly, if a word is included that isn't in a convenient list, e.g. one the user uses as an inside reference, a term from fiction, a word from another language, etc., it becomes nearly impossible.

          I agree with you that the XKCD article isn't entirely correct, but I mainly think that the entropy of a shorter password is underestimated, making the four random words from a set of 2048 options thing look better than it really is. Still, I think that urging length is very helpful, because a password with lots of words and things that the user recognizes but others probably wouldn't makes a password much more secure.

        2. Allan George Dyer

          Re: Can a grownup, please...?

          @veti - Go back and read XKCD 936 again, carefully.

          A completely random 8 character password might have about 52 bits of entropy, but people use a small number of schemes to construct a password that deliberately meets character variety rules, thus creating passwords with much lower effective entropy.

          There is also a danger of mis-using the XKCD scheme, by choosing the mnemonic (e.g. I mustn't reuse "correcthorsebatterystaple", so I'll use... wrong... donkey...) instead of generating the words and only then coming up with the mnemonic.

          Think of it another way: first, generate an n-bit random number, and then either encode it as a base-92 number ("characters I can easily type from my keyboard") or a base-2048 number ("list of 2048 common 6-10 letter words"). If you want to remember it, the base-2048 number is easier; if you are storing it in a password manager, there's no difference.
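          The arithmetic in the two comments above (20,000^4 words versus 92^8 characters, and "generate n random bits, then encode them in base-92 or base-2048") can be checked directly. The block below is an added example, not code from the original thread or from any commenter. The 94-character alphabet comes from Python's `string` module rather than the 92 the comment counts, and the 2048-entry word list is a constructed stand-in (pronounceable onset+vowel+coda tokens) for a real list of common English words; the entropy per symbol depends only on the list size, so the comparison holds either way.

```python
import math
import secrets
import string

# Single-character alphabet: letters, digits and punctuation, no whitespace (94 symbols).
# The comment counts 92 typeable characters; the difference is a fraction of a bit per symbol.
CHARS = list(string.ascii_letters + string.digits + string.punctuation)

# Constructed stand-in for a 2048-word list: 16 onsets x 8 vowels x 16 codas = 2048 tokens.
# A real list would hold common 6-10 letter English words; only its size matters here.
_ONSETS = ["b", "d", "f", "g", "k", "l", "m", "n", "p", "r", "s", "t", "v", "z", "ch", "sh"]
_VOWELS = ["a", "e", "i", "o", "u", "ai", "oo", "ee"]
_CODAS = ["b", "d", "g", "k", "l", "m", "n", "p", "r", "s", "t", "z", "nd", "st", "rk", "lt"]
WORDS = [o + v + c for o in _ONSETS for v in _VOWELS for c in _CODAS]


def bits_of_entropy(alphabet_size, length):
    """Entropy of a uniformly random string of `length` symbols drawn from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def symbols_needed(alphabet_size, n_bits):
    """Smallest number of symbols from the alphabet that can carry n_bits of randomness."""
    return math.ceil(n_bits / math.log2(alphabet_size))


def encode(value, alphabet, length):
    """Write the integer `value` as a fixed-length base-len(alphabet) numeral, most significant first."""
    base = len(alphabet)
    if value >= base ** length:
        raise ValueError("value does not fit in the requested number of symbols")
    digits = []
    for _ in range(length):
        value, remainder = divmod(value, base)
        digits.append(alphabet[remainder])
    return digits[::-1]


def decode(digits, alphabet):
    """Inverse of encode(): recover the integer from its symbols."""
    index = {symbol: i for i, symbol in enumerate(alphabet)}
    value = 0
    for d in digits:
        value = value * len(alphabet) + index[d]
    return value


def generate_secret(n_bits, alphabet, rng=secrets.randbits):
    """Draw n_bits of randomness once, then encode that single number in the chosen alphabet.

    The randomness is fixed before any words are chosen, which is the point the comment makes:
    picking words you find memorable (wrong... donkey...) is not the same as encoding random bits.
    """
    value = rng(n_bits)
    return encode(value, alphabet, symbols_needed(len(alphabet), n_bits))


def compare_schemes(n_bits):
    """How many characters vs. how many words carry the same n_bits of entropy."""
    return {
        "chars_needed": symbols_needed(len(CHARS), n_bits),
        "words_needed": symbols_needed(len(WORDS), n_bits),
        "four_words_20000_vocab_bits": bits_of_entropy(20000, 4),   # ~57 bits, 1.6e17 sequences
        "eight_chars_92_alphabet_bits": bits_of_entropy(92, 8),     # ~52 bits, 5e15 strings
    }


if __name__ == "__main__":
    print(compare_schemes(44))
    print(" ".join(generate_secret(44, WORDS)))   # four words from the constructed list
    print("".join(generate_secret(44, CHARS)))    # seven printable characters
```

The same 44 bits end up as four words or seven characters; which one you type is a memorability choice, not a security one. Note that the strength claim holds only because the words are selected by the random number, not by the user.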

        3. Neil Barnes Silver badge

          Re: Can a grownup, please...?

          The average English speaker may[0] have a 20,000 word active directory, but a thousand words cover over sixty percent of spoken and written communication. Guess which 19,000 words will rarely be used in pass phrases?

          [0] I don't have the numbers to hand, but I bet 20,000 is optimistic for most.

          1. Arthur the cat Silver badge

            Re: Can a grownup, please...?

            a thousand words cover over sixty percent of spoken and written communication

            Amusingly the haveibeenpwned.com password checker says UpGoerFive has not been seen in the wild.

        4. JohnFen

          Re: Can a grownup, please...?

          "In fact, I'd say the "CorrectHorseBatteryStaple" cartoon is a rare example of XKCD getting it badly wrong."

          I agree. If your passphrase consists of dictionary words strung together, it really does make dictionary attacks easier even when you use multiple words.

          But my main problem with the XKCD method is that it's incompatible with my brain. It's much harder for me to remember phrases like "CorrectHorseBatteryStaple" than it is to remember a random character string. So I'm sticking with random character strings.

        5. Cuddles

          Re: Can a grownup, please...?

          "If you string four of those words together at random...

          And sure, you can add random shit to it to make it harder to guess..."

          Or, and this might sound crazy, you could string more than four words together. XKCD didn't have it wrong, it just underestimated the ability of people to understand the actual point. If you take it as instructions that you must always use exactly four words, no more, no less, then yes, it's easy to come up with other schemes that are more secure. But if you understand the actual point - that words are much easier to string together into long, easily remembered sequences than a selection of random symbols - then the fact that secure passwords are actually quite easy should be clear.

    2. big_D Silver badge

      Re: Can a grownup, please...?

      Even worse is that your example "batteryHorseStaplerChernobylAaaalfa" is too long a password for many inconsequential websites, such as, oh, I don't know, Microsoft's outlook.com or the Office/Microsoft365 business portal...

      When I set up my business account last year, I had to chop the password I had thought of in half, before it was accepted! At least I could turn on 2FA on the thing.

      But this is very common: a lot of websites refuse to accept complex passwords, because they use special characters that weren't expected or the passwords are simply too long!

      1. Anonymous Coward
        Anonymous Coward

        Re: Can a grownup, please...?

        "But this is very common, a lot of websites refuse to accept complex passwords, because they use special characters that weren't expected or the passwords are simply too long!"

        While this is true, it shouldn't distract from the key lesson - use longer passwords.

        On sites that allow 12 characters, use 12 characters. On sites that allow 30+ characters, use at least 20 to be on the safe side or 30+ if you're paranoid. At the moment, CPU/GPU power is such that a group of miscreants or ex-cryptominers can generate 12-14 character rainbow tables pretty fast, so you need to be well above that.

        Don't use 8 or less characters unless the site doesn't allow more. It's not enough. If you don't believe others, try using cracking tools against password hashes to see how quickly they are found. A long weekend is likely enough time.

    3. Robert Carnegie Silver badge

      Re: Can a grownup, please...?

      No evidence, but by me, "special" symbols are worthless in a password. They're harder to remember, harder to type, and occasionally not accepted at all. Each can be substituted with a hexadecimal code, for instance 0x21 for !

      So, all my passwords are some upper and lower case letters and some numbers. For instance: Mow22fll (which isn't an actual password, for a start) is composed of initial letters of some words in an e-mail I just wrote (this actually isn't very random: there are better methods). I convert the letters into memorable words that I can mentally convert back to the password text: the numerals just come along. Like the capital letter, they're mostly there just because some system security compels me to put them in, and if I always do then I don't have to remember where they're required and where not. And if some stupid system still says this is not passwordy enough, then I add... 0x21. And if you also block that then I WILL find and kill you. :-)

  5. Robert Moore
    Thumb Down

    Let me be the first to point out.

    Using two online password managers to securely save and sync your credentials

    Gives you twice the chance to have your passwords stolen from your online password manager

    1. John Brown (no body) Silver badge

      Re: Let me be the first to point out.

      "Gives you twice the chance to have your passwords stolen from your online password manager"

      A password manager/generator, for my use case, has to be cross compatible with Win10 and Win7 and Android (for work) as well as FreeBSD and Linux for home use. I should be able to sync across devices easily and not rely on any 3rd party cloudy storage. I suspect I'll never get that.

      1. Down not across

        Re: Let me be the first to point out.

        I should be able to sync across devices easily and not rely on any 3rd party cloudy storage. I suspect I'll never get that.

        KeePass, just as one example, does offer various extensions for syncing (sftp, scp if you want to avoid the 3rd party cloudy stuff) but whether they work on all platforms is another matter. Some extensions rely on platform-specific libraries.

  6. Great Bu

    But the convenience....

    I think people miss out on the good side of this.

    If I forget my password for some web site that I haven't been on in months and can't remember what the stupid combination of security theater garbage they required for the password all I have to do is phone some guy in Russia who has already stolen my details from one of the numerous security breaches that happen daily and ask him what my password is.

    Much quicker than jumping through all the password reset hoops trying to remember who I said my favourite cousin was or whatever.....

    The easy answer is to just have essentially 3 passwords - one for personal stuff I actually want to keep secret (banks, email, porn sites etc.), one for work and one for all the other bumfrippery that I don't give a crap about (social media, logins for every other stupid site that needs an account (looking at you, el reg) etc..).

  7. Tony W

    Two password managers

    so that there is twice the target to attack?

  8. swschrad

    password managers? on hard drives?

    every time I've installed a password manager, the hard drive on that machine has died within months. no more.

    1. Anonymous Coward
      Anonymous Coward

      Re: password managers? on hard drives?

      Thank goodness for a well executed backup strategy.

      Or are you suggesting password managers damage hard drives?

  9. elvisimprsntr

    Use a "password manager" from one demonstrated trustful company. Easy to create random new ones, store, sync, and retrieve.

  10. ma1010
    Go

    Use a password manager and, like everything else, back them up

    I use Keepass. It runs on my Linux box at home, my Windows box at work, and my Android phone. I also keep a copy on a USB stick. I can sync between them easily. It just works. With several copies in different places, it's unlikely I'll lose them. And, as others have suggested, I use a long pass phrase, so even if someone somehow steals the database, hopefully they can't decrypt it.

    1. Colin 29

      Re: Use a password manager and, like everything else, back them up

      Me too, Dropbox to sync the encrypted database between devices

  11. David Given
    Holmes

    Two questions immediately come to mind:

    - how does El Reg handle comment authentication? The system's bespoke, right?

    - how many commentard passwords are 'password', 'swordfish', or 'correcthorsebatterystaple'?

    1. A-nonCoward

      if the system is any good, it should be impossible to find out what password is actually used.

      HTTPS should encrypt that on the way in, and then it is hashed or whatever when it arrives, to be compared with a hashed stored thing. How to make "password" be hashed differently is probably connected with the email address used; thusly there should be NO duplicate hashed, salted or whatever entries in the database, and no way to figure out how many of one given kind there are. No way to rescue your password: if lost, you make a new one.

      That's how *I* would do it, and probably Real Coders could make it even better.

      sorry.

      1. doublelayer Silver badge

        That's the right way to do it, and I'm sure el reg has done that. However, if they wanted to know how many users used password, they could find out. They have the hashes and the salts. They could go through the list, put the salt on "password", and see if it matches the hash. This wouldn't tell them what your or my password is, but if anyone used "password", they could see. So the question is answerable though nobody would bother to answer it.

      2. Anonymous Coward
        Anonymous Coward

        "if the system is any good, it should be impossible to find out what password is actually used."

        To test who uses "password", you create the hash and compare it to your stored hashes. Any matches are either "password" or a very unfortunate combination of characters that provides the same hash. With any good hashing function, this shouldn't happen...

        This is why losing hashed/salted/"encrypted" passwords is such a big issue - they really aren't hard to crack relative to brute forcing them. Guessing the hash is relatively simple, the salt just stops you being able to easily pre-compute every single password and the rest is down to the resources at your disposal - a decent CPU/GPU combination with enough storage should have you cranking out billions of password hashes a second.
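        The two replies above describe the same thing from both sides: with per-user salts, the site cannot read passwords back, but it can still check any one candidate against every stored record by recomputing the hash with each user's salt, and an attacker who steals the table does exactly the same. The block below is an added example, not code from the original thread or from any commenter; it uses PBKDF2-HMAC-SHA256 from the standard library with a constructed iteration count and a constructed four-user table, and the audit function is the defender-side version of the check (which accounts currently use a known-bad password).

```python
import hashlib
import hmac
import os

# PBKDF2 work factor. Constructed for the example; pick it for your own hardware budget in
# production. Every iteration the site pays per login is also paid by anyone guessing offline.
ITERATIONS = 60_000


def make_record(username, password):
    """Store a fresh random salt and the salted hash; the password itself is never kept."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"user": username, "salt": salt, "hash": digest}


def verify(record, candidate):
    """Recompute the hash for this record's salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["hash"])


def audit_weak_passwords(records, candidates):
    """Which accounts use one of the candidate passwords?

    Because each record has its own salt there is no shortcut: the cost is one hash per
    (record, candidate) pair. That is exactly what the salt buys, and no more; it does not
    stop this check, it only prevents precomputing one table that covers every user.
    """
    hits = {}
    for record in records:
        for candidate in candidates:
            if verify(record, candidate):
                hits[record["user"]] = candidate
                break
    return hits


# Constructed user table for the example. Two users chose the same password on purpose,
# to show that the stored hashes still differ.
USERS = [
    make_record("alice", "password"),
    make_record("bob", "F9zna/zv00w"),
    make_record("carol", "correcthorsebatterystaple"),
    make_record("dave", "password"),
]

# Constructed stand-in for a list of commonly used passwords.
CANDIDATES = ["password", "123456", "correcthorsebatterystaple"]


def hashes_differ_for_same_password(records):
    """True when no two records share a stored hash, even if the passwords behind them match."""
    digests = [r["hash"] for r in records]
    return len(set(digests)) == len(digests)


if __name__ == "__main__":
    print("accounts using a candidate password:", audit_weak_passwords(USERS, CANDIDATES))
    print("all stored hashes distinct:", hashes_differ_for_same_password(USERS))
```

A real audit would run the same loop against a breached-password list with millions of entries, which is why sites that do this usually check at password-set time rather than over the whole table afterwards.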

  12. JohnFen

    It's a hard problem

    I don't really see an effective solution to this issue on the horizon at all. I wish I did.

    1. big_D Silver badge

      Re: It's a hard problem

      SQRL

      1. Adrian 4

        Re: It's a hard problem

        It's an easy problem to solve. You do it the same way as every other fashion-based field of human conflict such as nutrition, health, politics and education.

        1. Do as you damn well please

        2. Wait for the fashion to rotate until your solution matches it

        3. Claim prescience

        4. Rinse and repeat.

      2. JohnFen

        Re: It's a hard problem

        SQRL is certainly interesting, but it only covers the web.

  13. sitta_europea Silver badge

    But we have some other notable suggestions. Unisys reckons "maybe it should be called National PassPHRASE day! It's the WORD in PassWORD that is one thing holding people back."

    Hang on a minute, that wasn't Unisys, that was me...

    https://forums.theregister.co.uk/forum/all/2017/06/28/petya_notpetya_ransomware/#c_3219434

  14. doublelayer Silver badge

    A few problems

    I'm as irritated by bad passwords as the next security person, but let's revisit a few parts of this article:

    "An employee is likely using the same password for your internal systems as they are for Instagram."

    How am I supposed to know that? Yes, they'd be prevented from using "password", but when they've decided in their life that "F9zna/zv00w" passes all the tests for passwords and they'll just use that for everything, the only way I'd know is if I tried to log in with that and any usernames or addresses I can guess. That's not all that nice. Of course, they can be told not to reuse passwords, but that won't necessarily stop them.

    "According to OneLogin, 63 per cent of network administrators don’t require special characters or minimum length passwords. Numbers? 71 per cent don't require it. Upper and lowercase? 72 per cent."

    That's a good po... Interesting fig... Well, you just quo...

    Sorry, I can't pretend. I have no idea what these numbers mean. You tell me that 63% of admins don't require certain rules, which already sounds kind of weird, but then your next sentence says that 71% don't require it. Is "it" the same thing as covered in the last sentence? Why are the percentages eight percentage points different? Is this from a different source? Who? And the 72% don't require multiple cases? Meaning that either 29% or 37% require special characters but only 28% require multiple cases? And earlier, you told me that 75% of admins "don’t check employee passwords against password complexity algorithms." This implies that they don't check at all, but, in that case, a maximum of 25%, not 28%, 29%, or 37%, could require special characters or multiple cases. So I must be making some really stupid mistake, right? Please tell me what it is.

    "And an amazing 63 per cent have not put password rotation policies in place. What are you doing people?"

    Holding back my astonishment that, by these and previous numbers, at least 12% of admins rotate passwords but don't check them against any complexity algorithms at all, we don't rotate passwords all that frequently because it means users will respond by decreasing the security of their passwords so frequent rememorization is easier. Yes, we have complexity rules here. But once you've met those limits, you can have a more secure or less secure password. If we make them choose a new one every month, the number of users using a very strong password approaches zero. This isn't new. This has been the recommendation of many security advisors for the past few years. It has been reported here. That's what we're doing.

    For the record, my complexity recommendation is designed to maximize entropy. If you go for a short password (minimum length 10 characters or 12 if I'm nervous, the system's important, or the users are willing to be reasonable), you have to use all four types of characters. If you make the password longer, the requirement for different characters is removed as the length increases. And passwords are checked against password lists.
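    The policy in that last paragraph (a floor of 10 or 12 characters, all four character classes at the short end, fewer classes demanded as length grows, and a breached-password list check) is concrete enough to implement. The block below is an added example, not code from the original thread or from any commenter. The comment gives only the minimum lengths and the shape of the rule; the exact lengths at which a class requirement drops away, and the small breached-password list, are this example's own constructed values.

```python
import re

# Minimum lengths are the commenter's figures; the relaxation schedule is assumed for this example:
# at least this many characters -> this many character classes required.
MIN_LENGTH = 10
MIN_LENGTH_STRICT = 12
CLASSES_REQUIRED_BY_LENGTH = [(22, 1), (18, 2), (14, 3), (0, 4)]

CLASS_PATTERNS = {
    "lower": r"[a-z]",
    "upper": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}

# Constructed stand-in for a breached-password list; a real deployment loads millions of
# entries (and compares case-insensitively, as here).
KNOWN_BAD = {
    "password", "123456", "qwerty", "letmein",
    "correcthorsebatterystaple", "tr0ub4dor&3",
}


def character_classes(password):
    """Names of the character classes present in the password."""
    return {name for name, pattern in CLASS_PATTERNS.items() if re.search(pattern, password)}


def classes_required(length):
    """How many distinct classes a password of this length must contain."""
    for min_len, needed in CLASSES_REQUIRED_BY_LENGTH:
        if length >= min_len:
            return needed
    return 4


def check_password(password, strict=False):
    """Return (accepted, reasons). Every failing rule is reported, not just the first."""
    reasons = []
    min_len = MIN_LENGTH_STRICT if strict else MIN_LENGTH
    if len(password) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    needed = classes_required(len(password))
    present = character_classes(password)
    if len(present) < needed:
        reasons.append(f"needs {needed} character classes at this length, has {len(present)}")
    if password.lower() in KNOWN_BAD:
        reasons.append("appears in breached-password list")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ["Abcdefgh1!", "abcdefghij", "correcthorsebatterystaple",
                      "batteryHorseStaplerChernobylAaaalfa"]:
        print(repr(candidate), check_password(candidate))
```

Note the ordering of the rules: a 25-character lowercase phrase clears the length and class rules but is still rejected if it is on the list, which is the only rule that catches "correcthorsebatterystaple" once the class requirement has relaxed to one.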

    1. Hans 1

      Re: A few problems

      https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes

      Password rotation, who still does that? Oh, yeah, our IT guyz ...

    2. Brangdon

      Re: Is "it" the same thing as covered in the last sentence?

      Depends. The previous sentence is "Numbers?", and "it" does refer to numbers and should probably be "them". The intended meaning is "71% don't require a number". This is consistent with 63% not having a minimum length and 72% not requiring a mix of upper and lowercase characters. However, your reading comprehension is such that I doubt you registered the "Numbers?" sentence at all, or didn't realise it wasn't a reference to the percentages, and you also missed that the sentence before that mentions password length as well as special characters. A password complexity algorithm would estimate the entropy of a given password, which is different to merely checking whether it contains a number.

      So it's actually pretty coherent, apart from the it/them grammar mistake.

  15. Anonymous Coward
    Anonymous Coward

    Use two online password managers

    Yeah, cos trusting a third party website with all your most sensitive information is such a good idea.

  16. Nick Kew

    Honeytrap?

    In the past week or so I've had occasion to dig into some mail logs. I find an interesting phenomenon which I've not seen before. Persistent failed attempts to log in to a couple of accounts via imaps. Accounts that have never existed, but have very, very specific names. Like "alexgfcnichols@mydomain".

    Users who have misconfigured devices that misspelled their domain? Doesn't look much like it when the attempt comes from a different IP address every couple of minutes.

    Dictionary attacks? More plausible, but where did they get the username from? It's not even a name that appears in the smtpd logs, as would happen if it appeared on a spam list.

    The thought occurred to me: would there be any mileage in setting up an "alexgfcnichols" as a honeytrap account, with p@55w0rd123? With what could I then populate this email account? I could sign it up to a legit. mailinglist or two, but beyond that a convincing selection of realistic stuff would look like a lot of work. And how evil would it be to find some ransomware to make into interesting-looking attachments?

    1. Alister

      Re: Honeytrap?

      The problem with doing that on an email server is that if they manage to log in with a username and password, the very first thing they will be doing is trying to send 50,000 spam emails through your server.

    2. doublelayer Silver badge

      Re: Honeytrap?

      If you want to try this, make sure it can't send any email but instead just logs the message and copies it to the sent mailbox. As for things to populate, you could always create some dummy addresses that send messages from public sources. I don't know if people would run attachments, but you could always try.

    3. John Brown (no body) Silver badge

      Re: Honeytrap?

      "but where did they get the username from?"

      I've seen strange ones come into my domain's email where the username has come from usenet postings, e.g. Pan creates a message ID from the word Pan+date+time@domain. Few spammers care about sanitising or otherwise verifying their mailing list. They just care about the number of addressees in it, so trawling usenet groups or Google Groups and pulling anything that looks like an email address from the headers is all they care about. I just put a reject rule in that blocks P|pan.* I've seen other spams arrive where the email address is more like the example you gave, so I assume there are other places, maybe mailing lists, which use some sort of algorithm to generate message IDs from email addresses.

  17. ciaran
    WTF?

    Spackle?

    What is this "Spackle" of which you speak with such familiarity?!

    1. Jay 2

      Re: Spackle?

      Off the top of my head I can't quite remember if it's what leftpondians call grout or pollyfilla.

      1. JohnFen

        Re: Spackle?

        In my corner of Leftpondia, anyway, "grout" and "spackle" are two different things.

  18. Securitymoose

    WTF does it matter?

    Every jumped up little upstart wants me to have a user name and password, even though the information they have on me is insignificant. What do I care if someone hacks my details in Fishermen's Wives' Knitting Monthly? Anyone with any sense doesn't tell Facebook or Google etc. anything true about themselves. For example, Apple requested a credit card before I could use iTunes. I had to submit it to get anywhere (must be illegal now?), but once set up, I removed my financial details and now only download free apps - actually, I use a secure browser and view all the equivalent internet sites through that, with adblock on.

    So that leaves bank details, Paypal and the like. They have their own two-factor security, and using different email addresses to access each improves that further.

    So, guidelines for the worried:

    1. Don't worry about password security for the numpty sites. Use a sacrificial email address instead.

    2. Always use a trusted third party for purchases on line.

    3. Use secure passwords, and change those occasionally for the really important things like banking - I suspect you will only have a few to remember.

    4. Don't store anything sensitive on your fondle-slab - use a secure browser to do your banking etc.

    5. Most apps seem to be developed by 12 year olds, who have no idea of user acceptance testing, so don't ever give anything away to them, apart from a pack of lies.

    6. Don't use GMail or Hotmail addresses. They look unprofessional, and Google and Microsoft are allegedly notorious for blocking the wrong domains and snooping on your content. You have an ISP. They often supply more than one email address, so use everything they can let you have for free.

    7. Trust no-one, Grasshopper.

    1. doublelayer Silver badge

      Re: WTF does it matter?

      "6. Don't use GMail or Hotmail addresses. They look unprofessional, and Google and Microsoft are allegedly notorious for blocking the wrong domains and snooping on your content. You have an ISP. They often supply more than one email address, so use everything they can let you have for free."

      No. A hundred times no. GMail and hotmail aren't great, but they have relatively good intrinsic security, stay up most of the time, and you can avoid at least some of their tracking. An ISP email is run on a system with completely untested security except sometimes when the security has been tested and it failed the test. Also, if you move or decide you don't like that ISP, your mailbox can be deleted or placed in a limbo state. Using an ISP-provided email is a security and usability disaster. Don't do that. If you really want security, set up your own email system, usually by getting a domain. If you don't want to run your own mailserver (and you would have many good reasons not to want to), you can use one of a number of domain registrars who will supply email accounts, usually at least one is included with your domain purchase. You can keep that account no matter where you are as long as your domain is still owned by you. If you must have a free account, use a service kept up by a company that does not have the ability to kill that account for other activity you do. Protonmail is a good one for this, but GMail is not that bad when compared to other options.

      1. Anonymous Coward
        Anonymous Coward

        Re: WTF does it matter?

        GMail is not that bad

        Using a Gmail account means that all the content of your emails is scanned by Google for any advertising opportunities they can grab. It's really not something you should ever use to talk to businesses, banks etc.

    2. John Brown (no body) Silver badge
      Facepalm

      Re: WTF does it matter?

      "6. Don't use GMail or Hotmail addresses."

      On the back of a van today I saw they had a website address with a proper descriptive name of the business and below, the next line read "Email: Joe.Bloggs156@aol.com"

      I can only assume they got the email address long before the domain name, but really? See icon.

      1. David Nash Silver badge

        Re: WTF does it matter?

        On the back of a van today I saw they had a website address with a proper descriptive name of the business and below, the next line read "Email: Joe.Bloggs156@aol.com"

        I have seen that kind of thing a few times.

        It always amazes me that they think such generic email addresses look in any way professional.

  19. Jay 2

    Use biometric authentication on mobile phone apps ?

    Erm, I always thought that using biometrics for security was a bad idea as they're not the easiest things to change, and you can be (physically) coerced into using them.

    1. JohnFen

      Re: Use biometric authentication on mobile phone apps ?

      Biometrics have a legitimate role to play in the security realm, but that role isn't really authentication.

      1. doublelayer Silver badge

        Re: Use biometric authentication on mobile phone apps ?

        There's a lot of discussion of when biometrics can be used, with the "use biometrics everywhere" crowd and the "biometrics is only ever a username" crowd. The truth lies somewhere in the middle. You have to decide where the threat landscape is. If you're afraid that someone will be physically present, such as when police/a criminal have you and your mobile phone, biometrics are risky. If you will be targeted by an advanced group, then biometrics are too easy to forge and should not be used except as an additional security measure. When it's authentication over a network that you're worried about, biometrics offer the ability to ensure that people are present at a scanner you know before they can get in. If you are not worried that someone will break in but you don't want to have the thing open to access from anyone (e.g., a phone that doesn't contain anything sensitive), then biometrics can be a time-saving measure. It all depends on who might break in and how they'd do it.

  20. Anonymous Coward
    Anonymous Coward

    Please, please don't provoke system administrators!

    Or we will end up with 128+ character passwords, including numbers and all special characters plus at least one simplified Chinese pictogram. Oh, and all this has to be changed every 6 hours and we must not reuse the last 2048 passwords.

  21. ArranH

    Are we still on this "change your password regularly" kick?

    If you use a different password for each system, changing the password does little (unless the system has already been compromised). What the forced change does result in is people writing their new password down and sticking it on their monitor, or under the keyboard. I've walked through many law firms just thinking about how easy it would be to take the post-it note off a screen and get access to all their files (not that I would, I'm a good lawyer, and am more likely to point out the flaw to partners).

    Yes, many people will use the same password on different websites. They should be encouraged to use an individual password on systems and sites that matter, meaning they only need to remember several passwords. Forcing a regular change just encourages people to be even more lazy, and write them down, and does nothing to stop brute force attacks.

  22. Hans 1

    Avast MiM

    Avast has been MiMing its customers for several years now, and only here admit why they were doing so ...

  23. dalethorn

    Y'all are being lied to. Remember Enigma? How it would not allow the same character typed to be entered into the message? That was not pure random, and so Enigma was cracked, broken. Now, these same clowns are telling you that you can select from the set of uppercase, lowercase, numeric, and punctuation characters, but NOT randomly. NO - they demand that you MIX your case and MUST add a numeric and sometimes a punctuation character. While that sounds comforting, it's not allowing you to select YOUR choices at random, and so your passwords can be easily cracked. Read about Adi Shamir's discoveries on this and other code-breaking.
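    As an added illustration (not part of dalethorn's comment or of The Register's article), the following Python snippet puts a number on the point about composition rules: it counts how many strings of a given length over the 94 printable ASCII characters survive a policy that demands at least one character from certain classes, and reports how many bits of entropy a uniformly random password loses to that policy. The four class sizes (26 lowercase, 26 uppercase, 10 digits, 32 symbols) and the example policy are assumptions chosen for the illustration; the inclusion-exclusion count is checked against brute-force enumeration on a tiny alphabet.

    ```python
    from itertools import combinations, product
    from math import log2

    # Constructed character classes of printable ASCII for the example
    # (class name -> number of characters); 26 + 26 + 10 + 32 = 94 in total.
    ASCII_CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 32}


    def keyspace(length, classes, required=()):
        """Number of strings of `length` over the alphabet made of `classes`
        that contain at least one character from every class in `required`.

        Inclusion-exclusion over the set of required classes that a string
        *misses*: start from all strings, subtract those avoiding class A,
        those avoiding class B, ..., add back those avoiding both A and B, ...
        """
        alphabet = sum(classes.values())
        total = 0
        for k in range(len(required) + 1):
            for missing in combinations(required, k):
                remaining = alphabet - sum(classes[c] for c in missing)
                total += (-1) ** k * remaining ** length
        return total


    def entropy_bits(length, classes, required=()):
        """log2 of the number of admissible strings (entropy of a uniform pick)."""
        return log2(keyspace(length, classes, required))


    def entropy_cost_bits(length, classes, required):
        """Bits of entropy lost because the policy rejects strings that miss
        a required class, relative to a uniformly random string of the same
        length over the full alphabet."""
        return entropy_bits(length, classes) - entropy_bits(length, classes, required)


    def brute_force_keyspace(length, classes, required=()):
        """Enumerate every string over a (tiny) labelled alphabet and count
        those satisfying the policy, to cross-check the formula above."""
        symbols = [(name, i) for name, size in classes.items() for i in range(size)]
        return sum(
            1
            for s in product(symbols, repeat=length)
            if all(any(sym[0] == cls for sym in s) for cls in required)
        )


    if __name__ == "__main__":
        policy = ("lower", "upper", "digit")   # assumed example policy
        for n in (8, 12, 16):
            print(f"length {n}: uniform {entropy_bits(n, ASCII_CLASSES):.1f} bits, "
                  f"with policy {entropy_bits(n, ASCII_CLASSES, policy):.1f} bits, "
                  f"cost {entropy_cost_bits(n, ASCII_CLASSES, policy):.2f} bits")
    ```

    Running it shows that for eight uniformly random printable characters the "mixed case plus a digit" rule discards roughly half of the strings, about one bit of the 52 available; the cost shrinks further as the length grows. The functions take the class sizes as a parameter, so the same calculation applies to any alphabet or policy a reader wants to evaluate.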

  24. Colin Bain
    Angel

    Spreadsheeting the passwords around

    I use a passworded Excel spreadsheet to keep my passwords. The advantage is that it is NOT online. I tried to hack a spreadsheet once for something else and couldn't. Seemed like a no-brainer, but I'm prepared to be convinced otherwise.
