Bob_Church

Strange security protocol


We seem to be rapidly approaching the point where I'll have to enter my user name and password to flush the commode. It's gotten downright weird. I'm trying to get some wireless boosters set up and every device has to have its own password and the list is getting longer and longer.
But that's not what I'm posting about.
When I call one of my Doctors' offices or the drug store or pretty much anyone else medical related my records are protected by the following Top Sekrit information. My birthday and address. I can change appointments, get medical information and pretty much anything by providing those two publicly available bits of information. Of course these are the same idiots who tell me at least twice that if I'm having a medical emergency to hang up and dial 911. But the idea of how easy it is to confirm my identity is downright strange. And it would be so easy to assign a password and it would take less time to give it to them.

Generally asking for your Birthday/name is only used when they can then also validate that information against something else such as the credit card or drivers license.

Passwords are a horrible idea to use since they are the weakest form of authentication there is. The most important thing is to never reuse one, which is exactly the issue that most people have. Credential reuse has led to more issues than most people are aware of. With massive breaches at Yahoo and other major providers, the passwords you used there along with your email address are in the hands of hackers. The ability to then plug that same combo into other sites and have it work has a surprisingly high success rate.

Last I checked I am running over 200 separate and unique strong (15-20 in length, random case, symbols and numbers) passwords on all the sites and accounts I have out there. There are lots of password manager software packages out there that I would recommend everyone takes a serious look at and then start using the one that fits your needs best.
Yesterday is history
And tomorrow is a mystery

Parachutemanuals.com

Have you ever been challenged by a question about information that you have never given to any web account?
This has happened to me several times over the last few years.
Like a question about a place I haven't lived at in 20 years, or a car I have not owned in as long a time.
I had to dig through my filing cabinet a couple times to find the answer.
The startling thing was these were questions about information that would not even be in a current credit report.
"There are only three things of value: younger women, faster airplanes, and bigger crocodiles" - Arthur Jones.

PhreeZone
> Last I checked I am running over 200 separate and unique strong (15-20 in length, random case, symbols and numbers) passwords on all the sites and accounts I have out there.

I'm up to 337 different accounts with different login IDs and pwds.
"pwgen" is my friend.:ph34r:

And in light of the Facebook stories in the past month, I'm feeling really bad about giving them bogus information to set up my account.[:/]
:D:D:D
"There are only three things of value: younger women, faster airplanes, and bigger crocodiles" - Arthur Jones.

Not sure what you are trying to say, but usually when they ask you these questions, they are only trying to verify you are the patient that they think you are. (you can't access your personal medical records with only this, or at least you shouldn't be able). It still should require ID and signature.

I have one of the most common names on the planet, and believe it or not, I have been in the same hospital at the same time as another person with my name, giving birth at the same time, so when they ask which Umpty Frat you are and what your birthdate is, it's for a good reason.
lisa
WSCR 594
FB 1023
CBDB 9

oldwomanc6
> Not sure what you are trying to say, but usually when they ask you these questions, they are only trying to verify you are the patient that they think you are. (you can't access your personal medical records with only this, or at least you shouldn't be able). It still should require ID and signature.
>
> I have one of the most common names on the planet, and believe it or not, I have been in the same hospital at the same time as another person with my name, giving birth at the same time, so when they ask which Umpty Frat you are and what your birthdate is, it's for a good reason.

Once they verify who I am by asking my name and birthdate they then say "for security purposes I need your address with zip code." This week alone I've changed appointments and ordered prescription medicines to be delivered to my home. All using exactly this protocol. I have three doctors and they each use this protocol.

ryoder
> Have you ever been challenged by a question about information that you have never given to any web account?
> This has happened to me several times over the last few years.
> Like a question about a place I haven't lived at in 20 years, or a car I have not owned in as long a time.
> I had to dig through my filing cabinet a couple times to find the answer.
> The startling thing was these were questions about information that would not even be in a current credit report.

That would creep me out. Any idea how they got the info, let alone why they asked it?

Bob_Church
> That would creep me out. Any idea how they got the info, let alone why they asked it?

I just searched through my old sent emails to a friend, and found a screengrab from one.
Now bear in mind this one happened in 2014.
"There are only three things of value: younger women, faster airplanes, and bigger crocodiles" - Arthur Jones.

[attached image: id-check.jpg]


At work, we recently went to a secondary means of security. It is a small device that, when you press the button, generates a six-numeral code that you have to put into the computer to sign on. That is in addition to your password. Each code is unique and changes several times a minute.

On the back of the device is written, "Made in China." :S

Shit happens. And it usually happens because of physics.

flyhi
> At work, we recently went to a secondary means of security. It is a small device that, when you press the button, generates a six-numeral code that you have to put into the computer to sign on. That is in addition to your password. Each code is unique and changes several times a minute.
>
> On the back of the device is written, "Made in China." :S

https://en.wikipedia.org/wiki/Security_token

A couple places I worked at used these for employee VPN access.
"There are only three things of value: younger women, faster airplanes, and bigger crocodiles" - Arthur Jones.

This is what is required to log into the military TriCare website. I don't bother. I just call.

Password Security Requirements:
• At least one lowercase letter (a to z)
• At least one uppercase letter (A to Z)
• At least one digit (0 to 9)
• At least one special character (@_#!&$`%*+()./,;~:}|?{>=<)
• At least 9 characters (and no more than 20) valid characters as described above
• Cannot contain any words in the Dictionary that are more than three letters
• Must contain at least 2 characters NOT showing in your current password
• Cannot contain personal information
• Cannot be changed more than once in 24 hours
• Must be different than your current or previous passwords
Important Points to Remember:
1 Must not contain any common dictionary words, personal information (like parts of your name, SSN or date of birth), nor invalid characters.
2 Password will expire in 60 days.
3 Start entering the confirmation password to ensure password requirements have been met.

And then they have a tips section on how to create a password that you can remember! Sure....

jimjumper
> This is what is required to log into the military TriCare website. I don't bother. I just call.
>
> Password Security Requirements:
> • At least one lowercase letter (a to z)
> • At least one uppercase letter (A to Z)
> • At least one digit (0 to 9)
> • At least one special character (@_#!&$`%*+()./,;~:}|?{>=<)
> • At least 9 characters (and no more than 20) valid characters as described above
> • Cannot contain any words in the Dictionary that are more than three letters
> • Must contain at least 2 characters NOT showing in your current password
> • Cannot contain personal information
> • Cannot be changed more than once in 24 hours
> • Must be different than your current or previous passwords
> Important Points to Remember:
> 1 Must not contain any common dictionary words, personal information (like parts of your name, SSN or date of birth), nor invalid characters.
> 2 Password will expire in 60 days.
> 3 Start entering the confirmation password to ensure password requirements have been met.
>
> And then they have a tips section on how to create a password that you can remember! Sure....

Gotta love outdated password requirements.

My work password, despite being strong, is substantially less secure than the passwords for my personal devices and most important non-work accounts, precisely because it has ridiculous rules and must be changed regularly.

ETA: Of course, Randall has already addressed this issue.
Math tutoring available. Only $6! per hour! First lesson: Factorials!

>ETA: Of course, Randall has already addressed this issue.

I don't buy his reasoning. Creating a password out of words makes it a lot easier to force it. (i.e. the software knows that 'horse' is valid and will try it as part of the password; it can safely ignore all non-word variations of that, cutting down the search space by orders of magnitude.)

ryoder
> Have you ever been challenged by a question about information that you have never given to any web account?
> This has happened to me several times over the last few years.
> Like a question about a place I haven't lived at in 20 years, or a car I have not owned in as long a time.
> I had to dig through my filing cabinet a couple times to find the answer.
> The startling thing was these were questions about information that would not even be in a current credit report.

That's called Two factor Authentication. They data mine public records and present the questions. Financial service industry has been using it for years.

For home use I want a device, maybe just a flash drive that works with an application or something so that I plug it in and it takes care of passwords for me. For one thing, anyone trying to use my wireless would have to park in my driveway which I'd notice and I no longer have secured data so it's just not that big a deal.

> There are lots of password manager software packages out there that I would recommend everyone takes a serious look at and then start using the one that fits your needs best.

True...but how am I to remember the password to the password manager software?;)
Please don't dent the planet.

Destinations by Roxanne

billvon
> > ETA: Of course, Randall has already addressed this issue.
>
> I don't buy his reasoning. Creating a password out of words makes it a lot easier to force it. (i.e. the software knows that 'horse' is valid and will try it as part of the password; it can safely ignore all non-word variations of that, cutting down the search space by orders of magnitude.)

The software would have no reason to restrict itself to dictionary words unless password requirements only allowed combinations of words. Without that information, password length is the most important barrier to defeat by force. Even if it only looks for dictionary words, typical (English-speaking) adults know in excess of 20,000 words. That's about 6.4 * 10^25 different passphrases of four, five, or six words.

What makes no sense is disallowing "horse" as part of a password because that combination of characters is a dictionary word. That allows an attack algorithm to be designed for which some combinations can be eliminated with absolute certainty without being tried. Similarly, requiring particular classes of characters to be used makes it very easy for an algorithm to know a character combination is not a valid password.
Math tutoring available. Only $6! per hour! First lesson: Factorials!

> The software would have no reason to restrict itself to dictionary words unless password requirements only allowed combinations of words.

Right - but that's what Randall is saying; only choose combinations of words for your password. That represents a much smaller set of valid passwords.
> Without that information, password length is the most important barrier to defeat by force. Even if it only looks for dictionary words, typical (English-speaking) adults know in excess of 20,000 words. That's about 6.4 * 10^25 different passphrases of four, five, or six words.

Right. But that is orders of magnitude less than a random combination of letters, numbers and punctuation.

Let's take a simple case - a five character password.

What if you choose a five letter word? There are 8938 possible valid words (from a Scrabble dictionary.)

What if you choose a five letter "word" that is a random combination of five lowercase letters? It's 26^5, or 11 million possibilities.

What if you choose a five letter password that is a random combination of upper and lower case letters, numbers and an additional ten punctuation characters? Then it's 62^5, or 916 million possibilities.

In the above example, the 'word based' password is over 100,000 times easier to guess.

> What makes no sense is disallowing "horse" as part of a password because that combination of characters is a dictionary word. That allows an attack algorithm to be designed for which some combinations can be eliminated with absolute certainty without being tried.

But again, it doesn't matter. In the above example, if you excluded all the possible valid five letter words, your search space would go from 916,132,832 to 916,123,894 - not a noticeable difference. On the other hand, trying JUST the five letter words would reduce your search space from 916,132,832 to 8938 - and that is a massive reduction in effort.

If I were trying to crack passwords with a brute force attack, I'd add a "Randall cracker" that would simply try combinations of valid words first off. That way if anyone used such a password, you could find it relatively quickly before you started on the much larger (and thus longer-to-process) space made up of all possible ASCII characters.
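The search-space arithmetic the last two replies argue over, as an added worked example (not code from any poster in this thread). It uses the thread's own figures (8938 five-letter Scrabble words, a 62-symbol alphabet, a 20,000-word vocabulary); the "try dictionary words first" attacker ordering is my assumption, used only to show why banning words changes little while choosing only words changes a lot.

```python
import math

# Figures quoted in the thread above
FIVE_LETTER_WORDS = 8_938   # five-letter words in a Scrabble dictionary
LOWER = 26                  # a-z
MIXED = 62                  # a-z, A-Z, 0-9 plus ten punctuation characters
VOCAB = 20_000              # words a typical English-speaking adult knows


def random_string_space(alphabet_size: int, length: int) -> int:
    """Distinct strings of `length` symbols drawn from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def passphrase_space(vocab: int, min_words: int, max_words: int) -> int:
    """Distinct passphrases of min_words..max_words words, each drawn from `vocab`."""
    return sum(vocab ** k for k in range(min_words, max_words + 1))


def bits(candidates: int) -> float:
    """Entropy in bits: how many doublings of attacker effort the space represents."""
    return math.log2(candidates)


def space_after_banning_words(alphabet_size: int, length: int, banned_words: int) -> int:
    """Candidates left once a policy forbids dictionary words of that length.
    The thread's point: this barely dents the attacker's work."""
    return random_string_space(alphabet_size, length) - banned_words


def guesses_words_first(is_dictionary_word: bool, word_count: int, full_space: int) -> int:
    """Assumed attacker ordering (my model, not from the thread): try every
    dictionary word first, then the full space. Returns the worst-case guess count."""
    return word_count if is_dictionary_word else full_space


def five_char_comparison() -> dict:
    """The thread's five-character example, as a dict of named results."""
    lower = random_string_space(LOWER, 5)
    mixed = random_string_space(MIXED, 5)
    return {
        "words": FIVE_LETTER_WORDS,
        "lowercase": lower,
        "mixed": mixed,
        "mixed_minus_words": space_after_banning_words(MIXED, 5, FIVE_LETTER_WORDS),
        "word_vs_mixed_ratio": mixed // FIVE_LETTER_WORDS,
    }


if __name__ == "__main__":
    for name, value in five_char_comparison().items():
        print(f"{name:>20}: {value:,}")
    phrases = passphrase_space(VOCAB, 4, 6)
    print(f"4-6 word passphrases: {phrases:.2e} ({bits(phrases):.1f} bits)")
    print(f"30 random mixed chars: {bits(random_string_space(MIXED, 30)):.1f} bits")
```

The last two printed lines put numbers on billvon's later point: six words from a 20,000-word vocabulary is roughly 86 bits, while 30 random characters from the 62-symbol alphabet is roughly 179 bits.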

billvon
> Right - but that's what Randall is saying; only choose combinations of words for your password.

The hacker's assumption should be that most people aren't going to take Randall's advice, retaining much less secure passwords, making tailoring an attack algorithm to passphrases an inefficient strategy.

billvon
> What if you choose a five letter "word" that is a random combination of five lowercase letters? It's 26^5, or 11 million possibilities.

True. If you can easily remember 30 random characters, that's definitely the best strategy. Most people, including me, can't memorize a string of 30 random characters nearly as easily as 4-6 random words. Consequently, most people create passwords that really aren't that secure. A passphrase would be better for them. Feel free to keep using 30 random characters, though. That is more secure. It actually doesn't surprise me that you can do it, but I would argue that you're an outlier.

> If I were trying to crack passwords with a brute force attack, I'd add a "Randall cracker" that would simply try combinations of valid words first off. That way if anyone used such a password, you could find it relatively quickly before you started on the much larger (and thus longer-to-process) space made up of all possible ASCII characters.

That would be a poor and time consuming strategy. Those would be nowhere near the low hanging fruit, and not quickly defeated. 20,000 words is a reasonable floor, with random lengths. Four to six words is pretty easy to memorize. Eight to ten not so hard, compared to a similarly secure password of random characters. If you're trying to crack passwords, you'd have much faster success targeting the kinds of passwords Randall advocates replacing.

Randall wasn't selling a passphrase as the ultimate password strategy. He was offering it as a more secure, easier to remember alternative to predictable modifications to single words, which is what many people use, and are sometimes encouraged to use by bad password policies.

My own strategy is different from anything either of us has thus far mentioned, and more secure (albeit frequently incompatible with policy), but Randall's strategy is sound, even if suboptimal.
Math tutoring available. Only $6! per hour! First lesson: Factorials!
