Comment on xkcd #2869: Puzzles
roadrunner_ex@lemmy.ca 10 months ago
I remember a book I read in elementary school (in the Cam Jansen series, IIRC) where the main conflict was a mean older brother put a password on the new family computer (a huge deal in the early 90s), and the younger hires the kid detective to find the password. The password is “hot dog”, ultimately determined because the desktop BG was a picture of ketchup and mustard.
I recall being not super satisfied with that ending.
Password guessing is always like that in popular media too. Oh he loved houses so his pw is obviously “Stallion”
Uhm no, it was probably zkl+7+:$(89?
Well. Cyber security professionals wish it were that way. Instead it’s usually 1234 or their kid’s birthday or some shit. Having a connection in your mind between houses and horses and then using that to remember something like Green4Stallion8 would actually be more secure than most people’s passwords. It’s even more better if you can remember a nonsense word that phonetically matches and change up the capital like, kreeN4stauLion8.
Of course most people don’t need to worry about social hacking. Black hats aren’t going through random social media profiles when they have millions of password and email combinations they ripped from a few websites. So unless you’re the CEO of LifeLock or dealing with abusive family the above password would totally work even if everyone around one you loved Horse Cottages.
Ironically only the passwords I’m forced to change frequently (i.e. my work password) are something simple and easy to type. All of my personal passwords are like 40 characters of gibberish my password manager invented and the password to that is similar to the xkcd batteryhorsestaple and is changed from time to time as well.
But my work doesn’t allow password managers, so I just have a rolling window of like 12 passwords since that’s their history limit.
Yup. Most corporate and government security is downright hilarious.
Yes, password expiry is generally considered bad practice and should only be triggered on demand if there’s suspicion of a security breach, precisely because it’s much more likely to lead to simple, less secure passwords.
Which doesn’t stop a ton of organizations from requiring it anyway.
Are you really supposed to change your passwords every 30 days?
No. Make sure your password is memorable to you, and long without being easily guessed. The more secure the initial password, the longer you can go without switching. The more memorable the initial password, the longer you can go without using password recovery.
If your passwords are safety critical, they should not be written anywhere, making remembering them key.
This assumes you’re not using two factor authentication of course. With 2FA, your password security (not strength, that’s different but very related) is less important. Security requires the vector of attack to be small, so having a bunch of accounts with the same password decreases the security (but not strength) of your password.
Requiring frequent changes to passwords on average causes less secure and less strong passwords to be used, and causes the lost password recovery to be more frequently used, which is, in and of itself, a vector of vulnerability.
The recommendation is every six months. But that’s based on companies faithfully reporting breaches to everyone right away. Which they haven’t been. You could probably leave sites that aren’t hooked to a payment for every six months, but email, bank, and anything that has payment details should be changed more often.
What’s with the ominous line about 30 days?
Since websites decided it was okay to delay reporting breaches as long as possible it’s the prudent time frame for updating critical passwords. (Things linked to payment methods or sensitive information)
Even if the password was “stallion” they probably would have made it Stallion1, Stallion!, $tallion, etc. The password always ends up being a single word, all lowercase, no numbers, no special characters.
I think you meant horses, houses to Stallion seems like a rather tenuous link.
He loved houses. Houses is one letter off from horses. A stallion is a horse. His password is stallion!
“correct-stallion-battery-staple” is what I think you meant
Do your thing, piped bot
KISSmyOS@lemmy.world 10 months ago
I can imagine you going "Why didn’t they just hit [Esc] to bypass the password prompt, open a DOS prompt and delete the password files in C:\Windows.pwl?"
(Yes, that was actually a thing you could do on early 90’s Windows 3.0)
tiramichu@lemm.ee 10 months ago
Same with Windows 95 and Windows 98. Those operating systems were not really designed with a proper concept of ‘user accounts’
The password box wasn’t supposed to prevent system access, it was to capture user credentials for networking, like remote file share access.
yuriy@lemmy.world 10 months ago
I believe even as far as XP and maybe 7 you could just make a new user account with admin privileges by creating it through command prompt and changing a single flag. I used this to get unfettered access to the remote hard drive server in high school and stole other people’s homework.
It’s no wonder I ended up going the GED route lmao
MonkderZweite@feddit.ch 10 months ago
Yes, but getting to the cmd, you have to replace C:/windows/system32/utilman.exe with cmd.exe on 7+.
Tippon@lemmy.world 10 months ago
You didn’t even need to do that. You could hold down the shift key to bypass some passwords, and just click cancel on others.
Early Windows had awful security.
Maggoty@lemmy.world 10 months ago
Even now if someone has physical access to your Windows computer and it has a USB port, they will get through.
KISSmyOS@lemmy.world 10 months ago
Not if you activated a BIOS password which blocks booting from USB (and can’t be reset by jumpers or removing the CMOS battery on modern motherboards), or BitLocker which blocks copying cmd.exe over the accessibility options.
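A defender-side check for the swap discussed in the comments above (cmd.exe copied over utilman.exe), as an added example that is not part of the thread. It hashes the accessibility binaries in the System32 directory of a mounted Windows volume and reports any that are byte-identical to cmd.exe. The function names and the binaries beyond utilman.exe are assumptions added here to generalize the check.

```python
import hashlib
import sys
from pathlib import Path

# The thread names only utilman.exe; the other logon-screen accessibility
# binaries are an assumption added to generalize the check.
ACCESSIBILITY = ("utilman.exe", "sethc.exe", "osk.exe", "magnify.exe", "narrator.exe")
SHELLS = ("cmd.exe",)


def sha256(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_ci(directory: Path, name: str):
    """Case-insensitive lookup: the volume may be mounted on a case-sensitive OS."""
    for entry in directory.iterdir():
        if entry.is_file() and entry.name.lower() == name:
            return entry
    return None


def swapped_binaries(system32: Path) -> list[tuple[str, str]]:
    """Return (accessibility_binary, shell) pairs whose contents are identical."""
    shell_hashes = {}
    for shell in SHELLS:
        path = find_ci(system32, shell)
        if path is not None:
            shell_hashes[sha256(path)] = shell
    hits = []
    for name in ACCESSIBILITY:
        path = find_ci(system32, name)
        if path is None:
            continue
        match = shell_hashes.get(sha256(path))
        if match is not None:
            hits.append((name, match))
    return hits


if __name__ == "__main__" and len(sys.argv) > 1:
    for binary, shell in swapped_binaries(Path(sys.argv[1])):
        print(f"{binary} is byte-identical to {shell}")
```

A hash match only catches a copy of the same cmd.exe build that is on the volume; a shell binary brought in from another Windows version would need a signature or known-good hash comparison instead.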
Maggoty@lemmy.world 10 months ago
Well yeah. But that depends on a person doing it.
Buddahriffic@lemmy.world 10 months ago
I wonder how hard it would be to set up a machine so that it modifies or melts a USB drive being used like that.