Passwords ~ I have just been reading an article

  wee eddie 10:23 07 Aug 2015
Locked

on creating unbreakable passwords in another magazine (Computeractive).

It occurred to me that, as the whole article was based on the supposition that a potential Hacker had unlimited/unrestricted access to the Password Log-in Area, and that he/she would be able to run software that tried all potential combinations of Password.

Then there was a potentially simple solution.

Should the number of Passwords entered be restricted to a specified number of attempts. If that number was exceeded, then access could be denied for a period of time.

As the software needs to make millions of attempts to find even the simplest Password. A restriction to, say, 100 attempts would be effective in thwarting the software while not really intimidating someone who has inadvertently mistyped their Password..

Access denial does not have to be more than an hour to make the task of the potential Hacker frustrating and very longwinded while not seriously delaying a potential customer.

Does this make sense? What do you think?

  OTT_B 11:38 07 Aug 2015

Any chance of a link to the article?

  Fruit Bat /\0/\ 12:16 07 Aug 2015

Had a lecture from a hacker last week he explained and showed how easy it is to crack passwords even if you use letters numbers and symbols.

A sentence is the safest way, unfortunately a lot of sites (banks and credit card companies included, will not accept spaces and insist on 8 to 15 digits including 1 capital and 1 number.

He cracked one of these codes in less than 2 minutes.

The lecture also included surveillance devices and how you can be tracked and hacked by any wifi device you carry away from your home location and used to overwlm your home wifi fooling you nto thing you are connected to your own router when in fact you are connect to the hackers wifi device and unsecure.

Also showed how cars with tyre pressure sensors,( which send out a unique wireless signal can be tracked to with in a few yards.

All scary stuff - we're well beyond "1984" here.

  robin_x 13:45 07 Aug 2015

Time-delays for logins are sensible, but modern hackers don't work that way.

They gain access to the system, via murky nefarious means, and steal all the encrypted login details.

Then they can run their cracking software on their own computers with no time delays.

See howsecureismypassword

Or they just send Phishing emails pretending to be Facebook or Paypal or your Bank or whoever, and a significant, worthwhile percentage will use the dodgy links in the email to try and login and therefore just give their passwords away.

  wee eddie 14:45 07 Aug 2015

Robin: If one assumes that a potential hacker has unrestricted access to your Passwords, which he/she does not as the password is saved on someone else's site, then regardless of the password's complexity, his software will crack it.

Then one might as well go back to a relatively simple Password. Obviously, not one that can be cracked at the first 100 attempts, but a little more individual and complex that that.

It seems to me that the industry is not examining the problem in a logical manner

  wee eddie 14:51 07 Aug 2015

Fruit Bat: Very impressive but I wonder how long it would take him to crack a password he only had 100 attempts, and then had to wait awhile to try again.

2 minutes, with decent Software, would probably equate to about 20,000,000 attempts. Divide that by 100 and he has to do it 200,000 times. Not an economically viable operation if he had to wait an hour between each attempt, even if he automated the search.

  bumpkin 16:45 07 Aug 2015

I understand wee eddies point in principal, I would suggest though that if the genuine user cannot enter their correct pasword after 10 attempts them maybe a 15min lockout. That should make it even harder for the hackers and not be too much of an inconvenience to the user.

  Forum Editor 22:13 07 Aug 2015

Many sites- particularly banking ones, will lock you out after relatively few password attempts - often only three failed attempts will do it.

  Devil Fish 00:03 08 Aug 2015

did a roll out contract a few years ago for a large organization and policy set was 3 login attempts then lock out , password reset had to be performed by an Admim\tech support of network after user verification which meant visiting the work station in question and verifying it was the user that locked themselves out.

  wee eddie 12:19 08 Aug 2015

Devil Fish ~ As a matter of interest: What is the logic used, when deciding on a limit of 3 Log-in attempts?

  Forum Editor 13:19 08 Aug 2015

wee eddie

I did exactly the same thing when I designed a financial site for a bank in HongKong - we decided on three attempts before lockout. It's a pretty common practice.

The logic is that users are unlikely to need more than three attempts to get the password right - it may be that they have the capslock key on, or they don't get the upper/lowercase thing right.

This thread is now locked and can not be replied to.

Elsewhere on IDG sites

Alienware 17 R4 2017 review

These brilliant Lego posters show just what children's imaginations are capable of

Mac power user tips and hidden tricks

Comment réinitialiser votre PC, ordinateur portable ou tablette Windows ?