Let's Stop Talking About Password Strength - Programming (2) - Nairaland
Re: Let's Stop Talking About Password Strength by Kobicove(m): 11:22am On Nov 18
Using a different password for every website you know only makes your life more complicated... there is no way you will be able to remember all of them.

2 Likes

Re: Let's Stop Talking About Password Strength by Bloghomies(m): 11:22am On Nov 18
V
Re: Let's Stop Talking About Password Strength by seunmohmoh(f): 11:22am On Nov 18
Let me just observe.
Re: Let's Stop Talking About Password Strength by SharpestDesigns(m): 11:22am On Nov 18
W
Re: Let's Stop Talking About Password Strength by Bloghomies(m): 11:23am On Nov 18
My password is complex, and somewhat different from my numerous accounts.
Re: Let's Stop Talking About Password Strength by Afam4eva(m): 11:26am On Nov 18
I think we need to go back to when people could choose whatever password they pleased, whether it's easy to guess or not. It's their freaking choice. These days, people forget their passwords like every day. What's the point of using complicated passwords if you won't remember them?
Re: Let's Stop Talking About Password Strength by Proudlyngwa(m): 11:28am On Nov 18
Who does a password help?

What do I have to hide?
Re: Let's Stop Talking About Password Strength by ModestGal(f): 11:29am On Nov 18
H
Re: Let's Stop Talking About Password Strength by wonlasewonimi: 11:29am On Nov 18
Afam4eva:
I think we need to go back to when people could choose whatever password they pleased, whether it's easy to guess or not. It's their freaking choice. These days, people forget their passwords like every day. What's the point of using complicated passwords if you won't remember them?

What I recommend as a practice is to use a passphrase as opposed to a complex password. For example, one of my passwords is Ilovebigyansh!

1 Like

Re: Let's Stop Talking About Password Strength by Nobody: 11:30am On Nov 18
EvilSec:

Password = email address? This is a horror story o>_<o~

Horror indeed.

1 Like

Re: Let's Stop Talking About Password Strength by seunoj: 11:31am On Nov 18
EvilSec:
Near the top of most security recommendations is to use "strong passwords". We need to stop doing this.

Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.

On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it was up to the user to choose strong passwords. Now that important websites have changed their behaviour, such as using bcrypt, there is less onus on the user.


But the real issue here is that "strong password" advice reflects the evil, authoritarian impulses of the infosec community. Instead of measuring insecurity in terms of costs vs. benefits, risks vs. rewards, we insist that it's an issue of moral weakness. We pretend that flaws happen because people are greedy, lazy, and ignorant. We pretend that security is its own goal, a benefit we should achieve, rather than a cost we must endure.

We like giving moral advice because it's easy: just be "stronger". Discussing "password reuse" is more complicated, forcing us to discuss password managers, writing down passwords on paper, that it's okay to reuse passwords for crappy websites you don't care about, and so on.

What I'm trying to say is that the moral weakness here is us. Rather than give pertinent advice, we give lazy advice. We give the advice that victim-shames them for being weak while pretending that we are strong.

So stop telling people to use strong passwords. It's crass advice on your part and largely unhelpful for your audience, distracting them from the more important things.

Do not leave control in the hands of the end user.
Build systems that enforce control with proper password security settings: password complexity, reusability, change frequency, etc. That's how to help the end user.
User education is still necessary, whether lazy or pertinent. How do you help/prevent a user from using the same password on multiple sites?
Re: Let's Stop Talking About Password Strength by naijadrivablog: 11:32am On Nov 18
slawormiir:
Damnnn niggarrrr
Isoright....

Those of us who open Facebook accounts like water... as they kill one, we open another one.
So you mean we should go through the stress of using different passwords?

I know that, of course. HushOMIIR
Re: Let's Stop Talking About Password Strength by Nobody: 11:32am On Nov 18
True

Strong and complex passwords are hard to remember
Re: Let's Stop Talking About Password Strength by Smashspesh(m): 11:40am On Nov 18
You won't see them huncle "Afonja" "Ipob" "Almajiri" e.t.c., inputs in this kind of thread.

No wonder they called a live stream photoshopped

3 Likes

Re: Let's Stop Talking About Password Strength by Nobody: 11:41am On Nov 18
I've been following some OSINT podcasts lately, and this was one of their pieces of advice. In fact, they advised the use of KeePass and the like, with unique 40-character passwords for each of your online accounts. According to one of the speakers, if you know all the characters of your password and know the passwords of all your accounts, then you most likely aren't using secure passwords and are reusing them.

1 Like 1 Share

Re: Let's Stop Talking About Password Strength by Omezif(m): 11:43am On Nov 18
A strong password is better for avoiding hacking. Some strong passwords are beyond the knowledge of hackers; use one on any website that agrees to accept it and no hacker will see it.
Re: Let's Stop Talking About Password Strength by Opexzy: 11:55am On Nov 18
EvilSec:
Near the top of most security recommendations is to use "strong passwords". We need to stop doing this.

Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.

On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it was up to the user to choose strong passwords. Now that important websites have changed their behaviour, such as using bcrypt, there is less onus on the user.


But the real issue here is that "strong password" advice reflects the evil, authoritarian impulses of the infosec community. Instead of measuring insecurity in terms of costs vs. benefits, risks vs. rewards, we insist that it's an issue of moral weakness. We pretend that flaws happen because people are greedy, lazy, and ignorant. We pretend that security is its own goal, a benefit we should achieve, rather than a cost we must endure.

We like giving moral advice because it's easy: just be "stronger". Discussing "password reuse" is more complicated, forcing us to discuss password managers, writing down passwords on paper, that it's okay to reuse passwords for crappy websites you don't care about, and so on.

What I'm trying to say is that the moral weakness here is us. Rather than give pertinent advice, we give lazy advice. We give the advice that victim-shames them for being weak while pretending that we are strong.

So stop telling people to use strong passwords. It's crass advice on your part and largely unhelpful for your audience, distracting them from the more important things.

Nice:

Everyone is guilty of password reuse. Google Password Manager is a good thing to work with, and if you use a Samsung phone, Samsung has one too. With Google Password Manager you couldn't care less about remembering your passwords. Browsers like Chrome and Firefox even suggest passwords to people. If you check these password suggestions, you will realise they are not expecting you to remember them on subsequent use.

On the other hand, platform owners should do well to make sure they use the right cryptographic means to store passwords, which is hashing with a recent algorithm like bcrypt. With this, it will be almost impossible to know the actual password in case of a data breach, even with a brute force attack on the hash.

1 Like
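The split the quoted post describes, a length-and-character policy enforced up front and a salted, deliberately slow hash stored behind it, as an added example that is not from this thread or any poster. It uses Python's standard-library scrypt in place of the bcrypt the posts name, because it needs no third-party package; the policy thresholds are the post's own (8 characters, both letters and non-letters), and the sample password is constructed.

```python
import hashlib
import hmac
import os
import string

def policy_failures(password: str) -> list:
    """Front-end rule from the quoted post: at least 8 characters, letters and non-letters.
    Returns the list of rules that failed; an empty list means the password is accepted."""
    failures = []
    if len(password) < 8:
        failures.append("shorter than 8 characters")
    if not any(c in string.ascii_letters for c in password):
        failures.append("no letters")
    if all(c in string.ascii_letters for c in password):
        failures.append("no non-letter characters")
    return failures

# Back-end storage: a per-user random salt plus a deliberately slow hash. The posts name
# bcrypt; scrypt is used here because it ships in Python's standard library (assumption).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # about 16 MB of memory per hash

def hash_password(password: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Keep the parameters next to the salt and digest so they can be raised later.
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    algo, n, r, p, salt_hex, digest_hex = stored.split("$")
    if algo != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=int(n), r=int(r), p=int(p), dklen=32)
    # Constant-time comparison so timing does not reveal how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

def register(password: str) -> str:
    """Apply the policy first; only an accepted password is hashed and stored."""
    failures = policy_failures(password)
    if failures:
        raise ValueError("password rejected: " + ", ".join(failures))
    return hash_password(password)

if __name__ == "__main__":
    stored = register("correct-horse-7")   # constructed sample password
    print(verify_password("correct-horse-7", stored), verify_password("wrong-pass-1", stored))
    # Same password registered twice yields different strings because the salt differs.
    print(register("correct-horse-7") != stored)
```

Registering the same password twice produces two different stored strings, which is the point of the per-user salt: a breached table cannot be cracked once and matched against every account.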

Re: Let's Stop Talking About Password Strength by MemoriesAndMe: 11:59am On Nov 18
OP, you are referring to just websites; do you know many organizations create and use custom applications that are specific to them and their employees? Most of these focus more on functionality than security, which is where the warning to use strong passwords is very valuable.

Also, do you know that several web servers get hacked because the developers simply failed to use strong passwords? Some developers simply want to focus more on functionality and may even forget to go back to code where they have used clear-text passwords, which is how many hackers succeed in their exploits.

So, the warning to use strong passwords should be repeated as often as possible until it becomes a part of everyone, even the less tech-savvy ones.
Re: Let's Stop Talking About Password Strength by Karleb(m): 12:03pm On Nov 18
What kind of juju did you do to get this to the front page?
Re: Let's Stop Talking About Password Strength by gungab(m): 12:12pm On Nov 18
That's why I use suggested passwords for some sites.
Re: Let's Stop Talking About Password Strength by RenaissanceGuy: 12:15pm On Nov 18
Using Google Chrome, I don't have to worry about passwords. I simply allow it to suggest passwords for me when I'm opening a new web account, and then it saves them automatically to my Google passwords.
Re: Let's Stop Talking About Password Strength by ibolord(m): 12:15pm On Nov 18
Isiewu@×#$%^*!)?"×www1>]?$$
Favourite password

2 Likes

Re: Let's Stop Talking About Password Strength by zeemahn(m): 12:51pm On Nov 18
EvilSec:

Also, 2FA is mostly bypassed either through phishing with tools like Evilginx or Modlishka, or if the site is crap (lacks rate limiting, etc.).

What course did you take to learn all this stuff about cyber security?
Re: Let's Stop Talking About Password Strength by Abrahamdgreat(m): 1:00pm On Nov 18
zeemahn:


What course did you take to learn all this stuff about cyber security?
You don't need any course to learn it... My advice is to start with Burp Suite and do your research on all the technologies it scans and uses, and the terms... And also keep updated on the latest web security happenings.

Although there are many courses you can take that would help, the truth is that they would overwhelm a beginner (I know because I was there).

1 Like

Re: Let's Stop Talking About Password Strength by EvilSec: 1:21pm On Nov 18
Kobicove:
Using a different password for every website you know only makes your life more complicated... there is no way you will be able to remember all of them.
What is important is that you don't reuse passwords for sites you care about. I have one password for all the sites I don't care about, but my email and banking passwords are unique and complex. I also have 2FA enabled.
Re: Let's Stop Talking About Password Strength by dgitrader(m): 1:31pm On Nov 18
@ all the posters. Let me share with you how to have a strong password and still avoid reuse issues.

I use similar codes for 3 classes of websites I have registered with. The classification is personal and based on how sensitive I consider my data on the site.

Below are some examples, from bottom to top in terms of sensitivity...

Vanguard News.com ...... VNews*123*
Chopfood.com...... Cfood*123*

Facebook.com......... bookF:*666!
Nairaland......... LandNaira:*:555!

Email........ Yahoo+606(yah)+!
Banksite....... ZEnith+2626(Zen)+!



Not forgettable, easy, and coded. Note: those are not random numbers; they are embedded in the sites' spellings. If you understand, you can have up to 50 and never forget one.

3 Likes

Re: Let's Stop Talking About Password Strength by SirWhiteFish: 1:56pm On Nov 18
BigDawsNet:
A teenager at a funeral asks the priest for the wifi password.
The priest is shocked and asks the boy "Have you no respect for the dead?"

The boy hears the priest and responds, "Is that uppercase or lowercase?"

Re: Let's Stop Talking About Password Strength by wonder233: 2:14pm On Nov 18
It is "stricter". There is nothing like "strictier". There is also nothing like "more stricter". You either say "stricter" or "more strict".
Bahat:
Nice writeup, I would recommend changing of pass often and not recycle password use on different sites. Although most of us are guilty of password recycle.
Maybe making stronger pass with site recommendation makes decryption more strictier and longer time to decrypt.

Even changing of password is up to the enduser. It's not easy having 10 different passwords on your head.
I remember 2FA is not the best mechanism, as it's been bypassed on different occasions.

1 Like

Re: Let's Stop Talking About Password Strength by FreeMejoor1(m): 2:15pm On Nov 18
Abrahamdgreat:

I can help u create any phishlet for any site regardless of the MITM prevention techniques they are using... Ain't cheap though
how much

Nairaland - Copyright © 2005 - 2020 Oluwaseun Osewa. All rights reserved.