No password-reset option? Write a mail, ask them how they store their passwords - I'd not be using a site that feels insecure.
Bastard Programmer from Hell
If you can't read my code, try converting it here
It's the Belastingdienst (tax authorities).
I don't really have a choice in this.
There is a reset option, but it involves making a phone call and waiting for a (or two?) letter(s) with your new username and password.
One can only wonder why...
Sander Rossel wrote: I don't really have a choice in this
There's always a choice; even for those without a phone, as it is not mandated by law that you own one.
Sander Rossel wrote: There is a reset option, but it involves making a phone call and waiting for a (or two?) letter(s) with your new username and password. One can only wonder why...
Because they don't trust your email address, and no one steals letters from a letterbox - it is so much safer.
It's usually delivered in a few days
Bastard Programmer from Hell
If you can't read my code, try converting it here
I have the choice to do it easy, by email.
Or I can do it the hard way, visiting them at their physical address.
That's not really a choice to me.
Haven't you heard, your snail mail is now delivered with super secure SHA-512 encryption!
I'll be mailing them about their password-rules again then, asking for the idiot who is responsible, and their motivation.
These are expensive "academics" and still they make mistakes that one expects from a first-year student.
Bastard Programmer from Hell
If you can't read my code, try converting it here
...and the decryption key is provided on the back of the envelope...?
The mailman will read it out loud at the door
It's just like the change your password every 30 days policy I have at work.
It means that everyone picks a password then simply increments a number at the end of every 30 days.
This means that if anyone cracks your password without you realising - they can hack your account well into the future.
Security measures should be there to slow down unauthorised access and, as you have pointed out, some modern security practices have actually decreased security.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
For that reason we have the policy that your new password must be at least x% different from your old password...
But I've seen the increment as well.
In one such scenario I've even seen that an entire team got one account to access some server.
Every month the person who changed the password would send out an email saying "the new password increment is now 19" (this was important, because after 3 failed attempts you'd be blocked and in for a world of pain trying to get it back).
Sander Rossel wrote: For that reason we have the policy that your new password must be at least x% different from your old password...
Which is another security flaw as it would imply that the passwords are saved in an encrypted format at best.
If the passwords were hashed (with or without a salt) there would be no way (other than brute force guesses, without taking into account collisions) to compare the new password to the old password.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
Yeah, never thought about it like that, but it should not even be possible to check if a new password contains/looks like an old one...
Anyway, Windows supports it, so I guess it's alright
Speaking of Windows, to change the password you have to provide the current as well as the new password. I suspect the comparison is done at this stage, because storing non-hashed passwords (at least in AD) requires setting a special policy, which fortunately is not applied by default.
"I'm neither for nor against, on the contrary." John Middle
Thanks for that info - that did not occur to me.
“That which can be asserted without evidence, can be dismissed without evidence.”
― Christopher Hitchens
I once created a really long password using all the allowable characters. When it came time to change it, the new password was rejected because it had too many of the same characters as the previous one. If the sysadmin had not been able to override that rule, I'd never have been able to use that system again.
Rejecting new passwords based on the old indicates they are, at best, keeping the old hashes. If the new PW is "George7", they also try "George6", "George5", ... during the validation.
Hey, what could possibly go wrong with that?
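The last few posts circle the same design question: how a "must be x% different from the old one" rule and a "not one of your last N passwords, including George6 when you submit George7" rule can be enforced without keeping anything reversible. The sketch below is an added example written for this thread, not code from any poster or from Windows/AD; the function names, the sample passwords and the history list are made up for illustration. The similarity check only runs at change time, when the user has just typed the current password (the point made about Windows above), and the history check hashes the new password and its decrement variants against stored salted hashes, so old plaintexts are never kept.

```python
import difflib
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed example, not any product's API. Names are this example's own.
ITERATIONS = 20_000  # kept low so the example runs quickly; use far more in production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); nothing reversible is stored."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def too_similar(old_plain: str, new_plain: str, max_ratio: float = 0.5) -> bool:
    """The 'x% different' rule. It needs the old password in plaintext, which is only
    available transiently at change time when the user has just typed it; it cannot
    be answered from the stored hash alone."""
    ratio = difflib.SequenceMatcher(None, old_plain, new_plain).ratio()
    return ratio > max_ratio


def decrement_variants(new_plain: str, depth: int = 9) -> List[str]:
    """'George7' -> ['George6', 'George5', ...]: the increment-the-suffix habit the
    history check is meant to catch. Only a trailing run of digits is varied."""
    m = re.fullmatch(r"(.*?)(\d+)", new_plain)
    if not m:
        return []
    prefix, digits = m.groups()
    n = int(digits)
    return [f"{prefix}{n - k}" for k in range(1, depth + 1) if n - k >= 0]


def in_history(new_plain: str, history: List[Tuple[bytes, bytes]]) -> bool:
    """Reject the new password if it, or one of its decrement variants, matches any
    stored (salt, digest) of a previous password. Only the old hashes are needed."""
    candidates = [new_plain] + decrement_variants(new_plain)
    return any(verify_password(c, salt, digest)
               for salt, digest in history for c in candidates)


def evaluate_change(current_plain: str, new_plain: str,
                    current: Tuple[bytes, bytes],
                    history: List[Tuple[bytes, bytes]]) -> str:
    """Authenticate first, so the similarity and history checks are only reachable
    by someone who already knows the current password."""
    if not verify_password(current_plain, *current):
        return "wrong-current-password"
    if too_similar(current_plain, new_plain):
        return "too-similar"
    if in_history(new_plain, history):
        return "in-history"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: the current password and two earlier ones, stored hashed only.
    current = hash_password("George7")
    history = [hash_password("George6"), hash_password("Winter2017")]
    print(evaluate_change("George7", "George8", current, history))     # too-similar
    print(evaluate_change("George7", "Winter2018", current, history))  # in-history
    print(evaluate_change("George7", "x7#Lq!vBm", current, history))   # ok
```

The cost of the history rule is visible in `in_history`: every variant is one full PBKDF2 derivation per stored hash, which is exactly why such checks are bounded to a short history and a small variant depth, and why they run only after the current password has been verified.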
Yeah - DoD password requirements are oppressive.
A study was done a number of years ago regarding password complexity. The finding was that as complexity increases, security is reduced - because people have to write their passwords down in order to remember them, thus completely defeating the security that the demanded complexity affords.
I got you beat though - along with the complexity requirements (at least 16 characters, no more than three consecutive letters or numbers, must include numbers, a mix of upper and lower case letters and special characters, no group of letters can create a word, and every time you change it, it can't be more than 50% similar to one of the last 10 passwords you used), my employer forces a password change every 15 days.
This is done for our time sheet app. I mean seriously - WTF!? My strategy is to simply create a GUID in Visual Studio and submit it until one passes their absurd validation, and then save it in a text file.
".45 ACP - because shooting twice is just silly" - JSOP, 2010 ----- You can never have too much ammo - unless you're swimming, or on fire. - JSOP, 2010 ----- When you pry the gun from my cold dead hands, be careful - the barrel will be very hot. - JSOP, 2013
modified 25-Feb-18 10:08am.
It's very important that no one ever gets access to those time sheets because then everyone can see how much time you spend on coming up with new passwords!
That sounds insane and counterproductive though!
Here's a suggestion for your next password: M@n@g3M3NTi$In$@ne!
Pick a word (eight characters?), convert it to base-64, done.
Don't use real data!
What was the name of your first school: Trantor High
Where were you born: Qronos
Mother's maiden name: Iron
and so on.
Yes, you have to keep them somewhere but good luck to anyone trying to guess them!
Keep your friends close. Keep Kill your enemies closer.
The End
I did that last time, made a screenshot of the form with four(!) questions and answers and saved it in a folder on my desktop.
Couldn't care less if that account got hacked; joke's on the hacker, the customer account is now yours, I don't want anything to do with it!
I recall not too long ago, a bank I wanted to use to transfer money to another person demanded I identify myself. A list of ridiculous questions appeared, including a demand that I identify the current address of my ex-wife. We split 30 years ago and I haven't heard (thankfully) since! Morons everywhere, and we let them program computers and vote!
Will Rogers never met me.
Roger Wright wrote: including a demand that I identify the current address of my ex-wife
Maybe it was a trick question?
So, you haven't been paying your alimony Mr. Wright...
But seriously, what were they thinking?
It's not even any of their business where anyone except you lives!
An infringement on your ex's privacy by a bank that she has nothing to do with.
I just default to 1234567890
User: Technical term used by developers. See Idiot.
That's not very secure, you old fool!
Are you my great great great great great grandson? I lose track.
User: Technical term used by developers. See Idiot.