{"id":440,"date":"2015-11-23T09:19:24","date_gmt":"2015-11-23T17:19:24","guid":{"rendered":"http:\/\/www.emaren.com\/?p=440"},"modified":"2015-11-24T00:41:42","modified_gmt":"2015-11-24T08:41:42","slug":"password-password","status":"publish","type":"post","link":"https:\/\/nealon.uk\/blog\/password-password\/","title":{"rendered":"My password is password"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-443\" src=\"http:\/\/www.emaren.com\/wp-content\/uploads\/2015\/11\/IMG_0593-300x281.jpg\" alt=\"IMG_0593\" width=\"300\" height=\"281\" srcset=\"https:\/\/nealon.uk\/blog\/wp-content\/uploads\/2015\/11\/IMG_0593-300x281.jpg 300w, https:\/\/nealon.uk\/blog\/wp-content\/uploads\/2015\/11\/IMG_0593-1024x960.jpg 1024w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>Or why you should stop worrying about passwords and just enable two-factor authentication&#8230;.<\/p>\n<p>If, like me, you have several e-mail accounts, a few forum accounts, bank and credit card accounts, eBay, paypal, Apple, gym and numerous others, you probably have a small number of passwords that have some level of re-use or even variations on a theme.<\/p>\n<p>For example, your gmail might be Pa55w0rd!, your bank account Pa$$w0rd! your credit card P4ssw0rd123 etc.<\/p>\n<p>If you can find any variant of it in the <a href=\"http:\/\/www.whatsmypass.com\/the-top-500-worst-passwords-of-all-time\">top 500 worst passwords list<\/a>, then you have a problem.<\/p>\n<p>Unless you are using two-factor authentication that is.\u00c2\u00a0<!--more--><\/p>\n<p>If I tell you that my g-mail password is &#8216;Password123!&#8217;, it will not get you anywhere. Actually that is not true, it will get you somewhere, it will get you to a screen that is requesting a six-digit code. That code is sent to me as a text message. 
Or nowadays requires that I type in a code that is generated by the google authenticator.<\/p>\n<p>So despite you cracking my password, unless you are also in possession of my phone, then you will not be able to login to my e-mail. or my Facebook account, or my bank account, or my credit card account or an ever growing number of on-line services.<\/p>\n<p>Each system has their own version of this two-factor authentication, each relies on you not only having my password, but also my phone, which must also be unlocked.<\/p>\n<p>Even if I was stupid enough to set the PIN on my phone to &#8216;1234&#8217;, you would need physical possession of it too. My PIN is actually six digits long and I only use it when I reboot my phone, otherwise I use my thumb print. When I have to enter my PIN I can barely remember it&#8230;.<\/p>\n<p><em>Literally, my e-mail password has no use to a hacker, unless they have access to my unlocked phone too.\u00c2\u00a0<\/em><\/p>\n<p>Think that through for a moment. In all of the hysteria about passwords and their complexity, with two-factor authentication, the password can literally be &#8216;password&#8217; or &#8216;123456&#8217;. It does not matter at all. 
Because unless the hacker has your phone, there is no way passed the login box.<\/p>\n<p>Recently I signed up for an on-line account for something, the password requirements were some of the worst I have ever encountered.<\/p>\n<p>At least 8 characters long, at least one numeric, a mix of lower and upper case and at least one special character.<\/p>\n<p>I immediately thought of\u00c2\u00a0Password123!<\/p>\n<p>Obviously it passed all of the tests, but it is a really, really stupid choice.<\/p>\n<p>The requirements are literally guiding a potential hacker,<\/p>\n<p>The word needed is over-long, this is going to pretty much ensure that the potential user uses &#8216;123&#8217; or 111 or 321 or 666 near the end of a 5\/6 letter common word.<\/p>\n<p>You need a capital letter, well, duh, the first letter is incredibly obvious.<\/p>\n<p>You need a special character. \u00c2\u00a0Hmmmm, let me think ! or ? are just about the only choices.<\/p>\n<p>Obviously, if this site had two-factor authentication, it would not matter, but it did not, it had an overly complex password requirement that almost forced the user into making a bad choice.<\/p>\n<p>in reality, rather than use a bad password, I tried to use the OSX\/Safari password manager. It suggested that I use &#8216;Z`@Ju7=dEKy54Ss@&#8217; which seemed like an excessively tough password to crack. But, sadly the site rejected my super secure, insanely un-typable password because &#8216;@&#8217; was not a valid character. Fixing it to &#8216;Z`AJu7=dEKy54SsA&#8217; still broke it as the &#8216; character was also no legal<\/p>\n<p>Z`@Ju7=dEKy54Ss@<\/p>\n<p>became\u00c2\u00a0Z`AJu7=dEKy54SsA<\/p>\n<p>became\u00c2\u00a0ZLAJu7=dEKy54SsA<\/p>\n<p>and the &#8216;=&#8217; sign failed<\/p>\n<p>so I tried\u00c2\u00a0ZLAJu7EdEKy54SsE<\/p>\n<p>only for the site to reject that, because it was too long.<\/p>\n<p>Password123! 
it is then&#8230;&#8230;<\/p>\n<p>Passwords are dead, we need a better level of security, two-factor via text messages or one of the several revolving code generations from RSA (SecurID) or Google&#8217;s own version that require an app on a smart phone and a one-time link to setup seem to be a much better idea than any password rule set.<\/p>\n<p>So, really, long live &#8216;Password123!&#8217;, I use it everywhere that there is two factor authentication and it does not matter who knows it&#8230;..<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Or why you should stop worrying about passwords and just enable two-factor authentication&#8230;. If, like me, you have several e-mail accounts, a few forum accounts, bank and credit card accounts, eBay, paypal, Apple, gym and numerous others, you probably have a small number of passwords that have some level of re-use or even variations on [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[34],"tags":[102,103,101],"class_list":["post-440","post","type-post","status-publish","format-standard","hentry","category-technology","tag-102","tag-authentication","tag-passwords"],"_links":{"self":[{"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/posts\/440","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/comments?post=440"}],"version-history":[{"count":1,"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/posts\/440\/revisions"}],"predecessor-version":[{"id":442,"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/posts\/440\/revisions\/442"}],"wp:attachment":[{"href":"ht
tps:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/media?parent=440"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/categories?post=440"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nealon.uk\/blog\/wp-json\/wp\/v2\/tags?post=440"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
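The password policy the post ran into, as an added example that is not code from the original post: the composition-only rule set beside a length-plus-deny-list check, run over the post's own passwords. The site's rules are reconstructed from the post (8+ characters, a digit, mixed case, a special character); the maximum length of 12, the exact set of permitted specials, and the deny-list are assumptions, since the post only says that `@`, `` ` `` and `=` were rejected, that a 16-character password was "too long", and that the weak choices live on a top-500 list.

```python
"""
Added example, not code from the original post: the composition rules the post
describes beside a length-plus-deny-list check. SITE_MAX_LEN, SITE_SPECIALS and
COMMON are assumptions / constructed samples, not the real site's settings.
"""
import re
import string

SITE_MIN_LEN = 8
SITE_MAX_LEN = 12              # assumption: the post only says a 16-character password was "too long"
SITE_SPECIALS = "!?#$%&*"      # assumption: the post only says '@', '`' and '=' were rejected
SITE_ALLOWED = set(string.ascii_letters + string.digits + SITE_SPECIALS)


def site_policy(pw: str) -> list:
    """The composition rules from the post. Returns the rule violations (empty list = accepted)."""
    problems = []
    if len(pw) < SITE_MIN_LEN:
        problems.append("too short")
    if len(pw) > SITE_MAX_LEN:
        problems.append("too long")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("not mixed case")
    if not any(c in SITE_SPECIALS for c in pw):
        problems.append("no special character")
    for c in sorted(set(pw) - SITE_ALLOWED):
        problems.append(f"character {c!r} not allowed")
    return problems


# Constructed sample of a deny-list; a real one is the top-N of a breach corpus or the post's top-500 list.
COMMON = {"password", "qwerty", "letmein", "welcome", "monkey", "dragon", "football", "baseball"}

# A few of the substitutions people reach for (Pa55w0rd, Pa$$w0rd, P4ssw0rd); not exhaustive.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t"})

# The shape the rules steer people towards: Capitalised word, a few digits, optional '!' or '?'.
STEERED_SHAPE = re.compile(r"^[A-Z][a-z]{4,}\d{1,3}[!?]?$")


def normalise(pw: str) -> str:
    """Undo the predictable decorations: case, trailing digits / '!' / '?', then leet substitutions."""
    s = pw.lower()
    s = re.sub(r"[\d!?]+$", "", s)
    return s.translate(LEET)


def better_policy(pw: str) -> list:
    """Length plus deny-list, in the spirit of NIST SP 800-63B: no composition rules, every
    printable character allowed, long passwords welcome, known-bad ones rejected."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(pw) > 64:
        problems.append("longer than 64 characters")
    base = normalise(pw)
    if base in COMMON:
        problems.append(f"variant of common password {base!r}")
    elif STEERED_SHAPE.match(pw):
        problems.append("predictable shape: Word + digits + punctuation")
    return problems


if __name__ == "__main__":
    # The post's passwords, as constructed inputs: the weak one sails through the site's rules
    # and the generated one is thrown out, while the deny-list check reverses both verdicts.
    for pw in ["Password123!", "Pa55w0rd!", "Z`@Ju7=dEKy54Ss@", "ZLAJu7EdEKy54SsE"]:
        print(f"{pw:20} site: {site_policy(pw) or 'accepted'}  better: {better_policy(pw) or 'accepted'}")
```

The point the table of results makes is the post's: every rule in `site_policy` is a hint about where the digits, the capital and the punctuation will be, so a cracker's wordlist rules (lowercase word, capitalise first letter, append `123`, append `!`) cover exactly the passwords the policy accepts, while the deny-list check catches the decorated variants by stripping the decoration first.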