Shoe by Gary Brookins and Susie MacNelly for November 11, 2022

Absolutely, you need caps, numbers, and special characters…..

believe me Cosmo, I’ve been there many a time.

More than just a hint, please.

I worked at a place where I had to have a password to get onto my desktop. Another one to get onto the local mainframe. And one more onto the corporate mainframe. Passwords expired after 30 days. You got logged out after 10 minutes of inactivity. Passwords were always out of sync. I’d log into all three and have to do some work on my desktop. If I had to go deeper again I’d have to log in again. There were days when I spent more time logging in than actual work

Computers are not good at approximation.

Two years ago I lost the password to my MS laptop. The local shop reset it for $140. I lost no data and I did learn the backdoor method for Windows password reset. Since then I’ve dumped Windows and moved to linux. I encrypted all the hard drives as well.

I liked my old Navy Fire Control computer, (Mk 47, mod 8). It didn’t need any passwords. It ran on gears and cams to compute where to point the 5" guns. Good for surface and air targets, (up to super sonic speeds supposedly – the Navy though never wasted any high-speed drones for me to find out if that was true).

YES!!!

My recent web apps allow for caps lock. So if your password is MyNameIsFred and you type mYnAMEiSfRED, it takes it.

Allthatreallymattersispasswordlength. 35 characters and nothing can crack it.

WINDOWS PASSWORD

WINDOWS: Please enter your new password.

USER: potato

WINDOWS: Sorry, the password must be more than 8 characters.

USER: boiled potato

WINDOWS: Sorry, the password must contain 1 numerical character.

USER: 1 boiled potato

WINDOWS: Sorry, the password cannot have blank spaces.

USER: 20boiledpotatoes

WINDOWS: Sorry, the password must contain at least one uppercase character.

USER: 20BOILEDpotatoes

WINDOWS: Sorry, the password cannot use more than one uppercase character consecutively.

USER: 20BoIlEdPotatoesYouIdiotGiveMeAccessNow!

WINDOWS: Sorry, the password cannot contain punctuation.

USER: IWillHuntYouDown20BoIlEdPotatoesYouIdiotGiveMeAccessNow

WINDOWS: SORRY, THAT PASSWORD IS ALREADY IN USE

When I first started in IT 30 years ago, user password requirement was minimum six characters. If you wanted to guess a user’s password, all you had to do was know their favorite sports team or their dog’s name. Now my password must be changed daily (expires after 10 hours), minimum 16 characters, and can never be reused. And that’s just for one of my passwords.

Actually, I read a paper on that approach. The point of the password is as proof of identity. So if you say allow a pair of letters to be transposed, or other kinds of small transcription errors that happen when people type quickly, you get a big reduction in hassle to the user, with only a slight reduction in the strength of the proof. “Close enough” really does make sense from the user perspective, and doesn’t change the security principles.

No one has really worked on it, though, because the real point is that one shouldn’t use passwords for anything “serious”, while shared secrets (e.g. from a password manager) are ok, for many applications, the idea of having a human being memorize these things just makes no sense.

Or “We know who you are- – just messing with you.” Then let things happen +/- whatever.

https://xkcd.com/936/

There’s a joke about a guy who used “incorrect” as his password. If he entered it wrong, the computer would tell him what it is: “Your password is incorrect.”

I write all of my passwords down in my “Little Black Book”. Yes, that’s really the name given to it by the company that published it!