Passwords

Anteater Shipmate
SoF is, since the redesign, much more hit'n'miss about keeping me signed in, resulting in lots of password requests. The best is to not do it at all, so you keep using your password and remember it, or actually keep people signed in, not just for a few accesses.

And the password policy could be stronger. Not wishing to pull rank as a (Ret'd) IT Security Consultant, it's interesting that it classes "ship of fools password" as strong.(??)

This is more a suggestion than a subject for discussion, which is what I thought Styx was partly for. If not, accept my apologies and close the thread.

Anteater

Comments

  • RooK Admin Emeritus
    The password strength policy is one that we specifically discussed when setting up the new Ship site.

    One of the foibles of the past we wanted to correct was the general (and continuing) misunderstanding about what makes for a secure password. There was a terrible and popular set of advice regarding the use of non-standard characters, with the hope of achieving higher specific entropy. This had the consequence of driving towards passwords that were hard for humans to remember, which prompted most passwords to be merely minor variants of previous passwords. Worse, it included a policy of asking for frequent password changes, which made the problem exponential and added weakness for spearphishing since people were accustomed to requests to set new passwords.

    So, our new policy follows the more conventional wisdom of leaning towards maximum entropy while also allowing for good human memorization.

    As usual, XKCD says it better with pictures.
  • Since when everybody has set their password to "correct horse battery staple".
  • Doc Tor Hell Host
    Since, er...

    [changes password]
  • Amanda B Reckondwyth Mystery Worship Editor
    I like the idea of four random words -- I hadn't thought of that before.

    A scheme that I sometimes use is that I take the first line of a favorite poem (preferably a poem that is not a common favorite of everyone) and use the first letter of each word in the line as my password. I'll always remember the line, hence the letters, hence the password.
  • My password was chosen randomly on my behalf by the Ship itself, AFAIK. Can I therefore change it at will?

    (Not that I want or need to do so - just a point of order, so to speak).
  • You can change your password in your settings - cog symbol by your name on top right, if you're on a laptop or desktop
  • Yes, I see - thank you!
  • Ruth Admin Emeritus
    RooK wrote: »

    I can't remember four random words for each of the roughly 100 sites for which I need a password.
  • Ohher Shipmate
    I've succumbed to OleTech. Picked up two cheap paper address books, pre-alphabetized, and record in them the names of websites I sign up to, plus the passwords I create, and carry one around with my checks & debit cards and the other I keep under my mousepad. I write in pencil so I can change things easily if needed.
  • RooK Admin Emeritus
    Ruth wrote: »
    RooK wrote: »

    I can't remember four random words for each of the roughly 100 sites for which I need a password.

    That's why I use "correct horse battery staple" for everything. Except for here, where I use "ship of fools password", obviously.
  • I don't believe that's your Ship password.

    If it were, the system would automatically replace it in your post (for all other posters except you) with a line of asterisks.

    Look: mine's **************** . Try it for yourself.
  • caroline444 Shipmate
    Ohher wrote: »
    I've succumbed to OleTech. Picked up two cheap paper address books, pre-alphabetized, and record in them the names of websites I sign up to, plus the passwords I create, and carry one around with my checks & debit cards and the other I keep under my mousepad. I write in pencil so I can change things easily if needed.

    I do the same, except with an A4 ring folder. I sometimes think if my house caught fire that would be the first thing I would try and grab before leaving the building...how sad is that!
  • It's more important to have separate individual different passwords for some accounts than others - bank, email, Twitter, Facebook, Amazon* - but other accounts really don't matter. For example, most shop accounts or ticketing accounts do not need to save your payment details and most will allow you to refuse that option. At which point, how securely do you need to password details of a single train journey booked as a one off? So rather than panic about 100 passwords, prioritise the 20 or so important ones.

    * no option not to save payment details on Amazon, I read an account years ago from someone who was fairly influential in social media whose identity was stolen - and the weak link was his Amazon account. It not only gave his home address but also his banking information.
  • caroline444 Shipmate
    It's more important to have separate individual different passwords for some accounts than others - bank, email, Twitter, Facebook, Amazon* - but other accounts really don't matter. For example, most shop accounts or ticketing accounts do not need to save your payment details and most will allow you to refuse that option. At which point, how securely do you need to password details of a single train journey booked as a one off? So rather than panic about 100 passwords, prioritise the 20 or so important ones.

    * no option not to save payment details on Amazon, I read an account years ago from someone who was fairly influential in social media whose identity was stolen - and the weak link was his Amazon account. It not only gave his home address but also his banking information.

    Yes, keeping passwords to a minimum sounds sensible.

    I'm old, wrinkly and paranoid about having bank card info online. I keep two current accounts, one with only a very modest amount of money in it - and I use this for all my online transactions.
  • Ohher Shipmate
    I'm old, wrinkly and paranoid about having bank card info online. I keep two current accounts, one with only a very modest amount of money in it - and I use this for all my online transactions.

    Same here.
  • caroline444 Shipmate
    edited June 2
    Ohher wrote: »
    Same here.

    Ah, nice to know I'm not the only one!

  • BroJames Purgatory Host
    Similarly here, I have a credit card with a low credit limit on it for that purpose.
  • Moo Kerygmania Host
    Me too.
  • balaam Shipmate
    Eutychus wrote: »
    I don't believe that's your Ship password.

    If it were, the system would automatically replace it in your post (for all other posters except you) with a line of asterisks.

    Look: mine's **************** . Try it for yourself.

    OK, I'll try.
    Mine's idonotbelieveyou . Can anyone see it?
  • No, of course not!
  • BroJames Purgatory Host
    Not quite, @Eutychus, @balaam’s password in his post will be visible on his own device, just not on anyone else’s. My password, btw, is •••••••••••••••••••
  • The Rogue Shipmate
    I understand that this site has the ability to only show the passwords above to people who are competent at their roles and that everyone else will see a string of asterisks.
  • edited June 3
    If you want to get an extension/plugin for your browser so you can see passwords, they are available. "Show/Hide Passwords" is the one I use on Firefox. You get an extra button on webpages with password boxes. You type in asterisks and then, if you want to look, you "show" the password. This is useful when you are having trouble logging in and have, say, 3 attempts before you get locked out. When you type things like "paswsord1234" twice in a row.

    Re bank passwords, does your bank not offer 2 factor confirmation? Not sure if this is standard in Canada, but I'm in business and do some high amount transactions. Where you enter the login info, and before it's authorised as a login, it calls a cell phone for confirmation via an app/text message with a number to enter on the login page/voice confirmation. - one of these. The bank also immediately flags some transactions and puts them on hold if they appear questionable to their software. Thus: make a credit card or debit payment and it is not quite authorized until an additional confirmation is made in some situations. My paranoia lets me use a computer for banking but not on a cell phone where the confirmations are received.
  • I'm really tired of being denied entry, and having to invent a new password so often. I did this routine on Sept 4, and yesterday the same thing. Am I on some kinda watchlist or what?? And yes I'm old and crochety. Does everyone have to make a new password every month? or oftener? Just what is the policy?
  • The cookie only leaves you logged in for a month, after that you will need to login again. So, we all login once a month.

    That doesn't reset the password, so using the same password each month should be OK.

    You can change your password whenever you want, but you need to have logged on with the old password first, so if you're able to change your password I can't see how that can be related to being denied entry.
  • I was just asked to change my password on a site, then made to log in again. It did not take my new password. I clicked "I lost my password" and it allowed me to set up a new one. I used the same password. It told me I couldn't use that one, since it was my previous password.
  • mousethief wrote: »
    I was just asked to change my password on a site, then made to log in again. It did not take my new password. I clicked "I lost my password" and it allowed me to set up a new one. I used the same password. It told me I couldn't use that one, since it was my previous password.

    That's set up in the password policy. For our office server for example, the policy has memory for the prior 5 passwords if you change it every 3 months as required by the policy. You can't use the same words. You'd have only 1 more chance in some period of days if you'd done what you describe. Locked account.

    There's obviously some compromise made on the ship to balance security with user friendliness.
  • Not accepting the password I just created is set up in the password policy? I don't think so.
  • If both you and pearls are getting password errors, it could be coincidence. It could also be the browsers you are using. If you could, what browsers are each of you using?
  • Chrome
  • You're not talking about the same websites.
  • Eutychus wrote: »
    You're not talking about the same websites.

    True.
  • The idea is to find if there is a commonality. If pearls is also using chrome, then it could be the issue regardless of the sites being different.
  • mousethief wrote: »
    Chrome

    If you've saved a previous password, Chrome doesn't always update when you change it. Sometimes you have to delete it and start again. I have no idea why.
  • If you're asked for a random number anywhere, I find my childhood phone number very handy. It comes to mind much more easily than anything I use currently, and it hasn't been written down for decades.
  • That's set up in the password policy. For our office server for example, the policy has memory for the prior 5 passwords if you change it every 3 months as required by the policy. You can't use the same words.

    Public service announcement: There are 24 different permutations of the words "correct horse battery staple".

    Just saying...
  • Tubbs wrote: »
    mousethief wrote: »
    Chrome

    If you've saved a previous password, Chrome doesn't always update when you change it. Sometimes you have to delete it and start again. I have no idea why.

    That only matters if you let Chrome fill in the password. I didn't; I typed it myself.
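The entropy arithmetic behind RooK's "four random words" policy and the later "24 permutations" public service announcement can be made concrete. The following is an added example, not code from the Ship site or from anyone in the thread; it assumes a diceware-sized wordlist of 7776 words and a 94-character printable-ASCII alphabet for the comparison, and the guess rate passed to the cost function is an illustrative parameter, not a measured figure.

```python
import math
import secrets

# Constructed toy wordlist, used only to show the generation mechanics.
# The entropy arithmetic below takes the list size as a parameter so it
# can model a real diceware list (7776 words) without shipping one here.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple",
    "anchor", "lantern", "quartz", "velvet",
]
DICEWARE_SIZE = 7776          # 6^5 words, one roll of five dice per word
PRINTABLE_ASCII = 94          # upper, lower, digits and punctuation


def passphrase_entropy_bits(num_words, wordlist_size):
    """Bits of entropy in num_words drawn uniformly (with replacement)
    from a wordlist of wordlist_size entries: log2(N^k) = k * log2(N)."""
    return num_words * math.log2(wordlist_size)


def charset_entropy_bits(length, alphabet_size):
    """Bits of entropy in a truly random character password.
    Human-chosen 'complex' passwords fall far short of this ceiling,
    which is the point RooK makes about the old advice."""
    return length * math.log2(alphabet_size)


def permutation_entropy_bits(num_words):
    """If the attacker already knows which words are in the phrase and only
    the order is unknown, the remaining entropy is log2(k!).  For four words
    that is log2(24), the thread's public service announcement."""
    return math.log2(math.factorial(num_words))


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time for an attacker to try every candidate at the given
    rate.  Offline cracking against a leaked hash database is many orders
    of magnitude faster than online guessing against a rate-limited login."""
    return (2.0 ** bits) / guesses_per_second


def generate_passphrase(words, num_words=4):
    """Pick words with the OS CSPRNG; random.choice would not be suitable."""
    return " ".join(secrets.choice(words) for _ in range(num_words))


def compare_schemes(num_words=4, char_length=8):
    """Return the entropy of a diceware passphrase next to a random
    character password of the given length, rounded to one decimal."""
    return {
        "passphrase_bits": round(passphrase_entropy_bits(num_words, DICEWARE_SIZE), 1),
        "random_chars_bits": round(charset_entropy_bits(char_length, PRINTABLE_ASCII), 1),
        "order_only_bits": round(permutation_entropy_bits(num_words), 1),
    }


if __name__ == "__main__":
    print(compare_schemes())
    # Illustrative rate: 1e10 hashes/second for an offline attack on a fast hash.
    print(round(seconds_to_exhaust(passphrase_entropy_bits(4, DICEWARE_SIZE), 1e10) / 86400, 1), "days")
    print(generate_passphrase(SAMPLE_WORDS))
```

Four diceware words (about 51.7 bits) land in the same range as eight truly random printable characters (about 52.4 bits), but are far easier to remember; the 24 permutations of a known word set contribute only about 4.6 bits, which is why reusing the same words in a new order is not a meaningful change. Increase the word count, not the punctuation, when more margin is needed.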