Re: Can't create a password successfully.
On Sun, 3 Apr 2022 22:45:27 -0700 David Christensen wrote:

> On 4/3/22 21:07, ghe2001 wrote:
> > I kinda thought it probably was. It's pretty obvious. The idea is
> > to generate a bunch of gibberish that could be easily remembered.
>
> It's not gibberish; it has meaning. The meaning is what makes the
> password both memorable and weak.

I concur with David. The fundamental problem with using clever formulas to come up with memorable passwords is that clever formulas are reproducible. The "dictionary" from which a modern password cracker draws its guesses has nothing to do with what is and isn't "a dictionary word". Rather, it's a purpose-built word list, informed by years of statistical analysis of millions of real-world passwords leaked from previous breaches. Actual randomness is the only reasonably effective way to make a password hard to guess.

Trying to come up with unique, sufficiently random passwords for every website, service, and so forth — and *remember* all those passwords — is a real problem at any age. I would strongly suggest using a password manager. Make sure the master password to unlock the password manager is really strong. But then you only have one password to remember, and you can have an effectively unlimited number of unique, random, strong passwords.

Personally, I use KeePassXC with a self-hosted Syncthing instance to sync the password file to all my devices. If you're not up for self-hosting, there are some cloud-based password managers with decent security too, e.g. Bitwarden.

For the specific challenge of *generating* passwords that are both genuinely random and reasonably memorable, you might want to take a look at the "diceware" approach, which is to start with a list of several tens of thousands of actual English words and use a high-quality random number generator to pick a few words from the list.

As a helpful little bonus, most password managers nowadays come with a password generator built-in, which in many cases can be configured to generate a diceware passphrase instead of a gibberish string of characters.

Cheers!
-Chris
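The diceware approach described in the message above, as an added shell example that is not part of the original post. The 16-word list is constructed so the script runs offline, and the function names (`rand_below`, `passphrase`, `passphrase_bits`) are hypothetical; the 7776-word figure is the size of the classic five-dice Diceware list.

```shell
#!/bin/sh
# Added example: Diceware-style passphrase generation with a uniform draw.

# Constructed 16-word sample list so the script runs offline. A real
# Diceware list has 7776 words (five six-sided dice per word).
WORDS='anchor
basket
candle
dragon
ember
falcon
garden
harbor
island
jacket
kettle
lantern
meadow
nickel
orchard
pebble'

# rand_below N: print a uniform integer in [0, N), for 1 <= N <= 65536.
# Two bytes from /dev/urandom give r in [0, 65536); values at or above the
# largest multiple of N are discarded so that r % N has no modulo bias.
rand_below() {
    rb_n=$1
    rb_limit=$(( 65536 - 65536 % rb_n ))
    while :; do
        rb_r=$(od -An -N2 -tu2 /dev/urandom | tr -d ' \n')
        if [ "$rb_r" -lt "$rb_limit" ]; then
            echo $(( rb_r % rb_n ))
            return 0
        fi
    done
}

# passphrase COUNT: print COUNT words drawn independently (repeats allowed)
# from WORDS, separated by spaces.
passphrase() {
    pp_total=$(( $(printf '%s\n' "$WORDS" | wc -l) ))
    pp_out=
    pp_i=0
    while [ "$pp_i" -lt "$1" ]; do
        pp_idx=$(( $(rand_below "$pp_total") + 1 ))
        pp_word=$(printf '%s\n' "$WORDS" | sed -n "${pp_idx}p")
        pp_out="${pp_out:+$pp_out }$pp_word"
        pp_i=$(( pp_i + 1 ))
    done
    printf '%s\n' "$pp_out"
}

# passphrase_bits COUNT LISTSIZE: entropy in bits, COUNT * log2(LISTSIZE).
# The figure holds only because every word is an independent uniform draw;
# it says nothing about words a person picked.
passphrase_bits() {
    LC_ALL=C awk -v n="$1" -v k="$2" \
        'BEGIN { printf "%.1f\n", n * log(k) / log(2) }'
}

echo "sample from the 16-word demo list: $(passphrase 6)"
echo "6 words from a 7776-word list: $(passphrase_bits 6 7776) bits"
```

Swap the embedded list for a full published word list before using the output as a real passphrase; the 16-word list gives only 4 bits per word.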
Re: Can't create a password successfully.
On 2022-04-04, Patrick Wiseman wrote:
>
> Chrome does that.
>

I never turned on 'Save passwords' or whatever it is so remained unaware of this feature.
Re: Can't create a password successfully.
On Mon, 4 Apr 2022 10:20:09 -0400 Patrick Wiseman wrote:

> Chrome does that.

As does Firefox:

https://support.mozilla.org/en-US/kb/how-generate-secure-password-firefox

> On Mon, Apr 4, 2022 at 10:04 AM Curt wrote:
>
> > On 2022-04-03, Brian wrote:
> > >
> > >> One of the bits of advice is to use long passwords made up of three
> > >> random words and to use a different password per website / to use
> > >> your web browser to generate an appropriate random password.
> > >> Forcing passwords to change regularly may not be a good way to
> > >> maintain security - it can mean that people use password01, password02
> > >> and things like that.
> > >
> > > Changing passwords at frequent intervals? Total nonsense as far as
> > > advice goes.
> > >
> >
> > What web browser generates 'random' passwords? Am I missing something?

--
Celejar
Re: Can't create a password successfully.
Chrome does that.

On Mon, Apr 4, 2022 at 10:04 AM Curt wrote:

> On 2022-04-03, Brian wrote:
> >
> >> One of the bits of advice is to use long passwords made up of three
> >> random words and to use a different password per website / to use
> >> your web browser to generate an appropriate random password.
> >> Forcing passwords to change regularly may not be a good way to
> >> maintain security - it can mean that people use password01, password02
> >> and things like that.
> >
> > Changing passwords at frequent intervals? Total nonsense as far as
> > advice goes.
> >
>
> What web browser generates 'random' passwords? Am I missing something?
Re: Can't create a password successfully.
On 2022-04-03, Brian wrote:
>
>> One of the bits of advice is to use long passwords made up of three
>> random words and to use a different password per website / to use
>> your web browser to generate an appropriate random password.
>> Forcing passwords to change regularly may not be a good way to
>> maintain security - it can mean that people use password01, password02
>> and things like that.
>
> Changing passwords at frequent intervals? Total nonsense as far as
> advice goes.
>

What web browser generates 'random' passwords? Am I missing something?
Re: Can't create a password successfully.
On Sun, Apr 03, 2022 at 11:12:07PM -0700, Charlie Gibbs wrote:
> On Sun Apr 3 23:07:14 2022 to...@tuxteam.de wrote:

[...]

> > Much of it is security theater.
>
> I'll remember that phrase.

I learnt it from Bruce Schneier [1]. I have the hunch that he coined it himself.

> > Someone (TM) up the chain can tick the checkbox "password security
> > enforced". Then, the Rest of the Web (TM) goes forth and cargo-cults
> > that, because that's how the Web is held together.
>
> https://xkcd.com/936/

:-)

Not the worst way to choose passwords. Actually, before resorting to pwgen, I used to pick up one random item on my (always cluttered) desk, see if it contains a series number of sorts and use that.

Cheers

[1] https://en.wikipedia.org/wiki/Bruce_Schneier

--
t
Re: Can't create a password successfully.
On Sun Apr 3 23:07:14 2022 to...@tuxteam.de wrote:

> On Sun, Apr 03, 2022 at 07:45:47PM +, Andrew M.A. Cater wrote:
>
> [...]
>
>>> Indeed, all of this happens, usually without any explanation
>>> whatsoever.
>>> For whose benefit are such requirements constructed?
>
> Much of it is security theater.

I'll remember that phrase.

> Someone (TM) up the chain can tick the checkbox "password security
> enforced". Then, the Rest of the Web (TM) goes forth and cargo-cults
> that, because that's how the Web is held together.

https://xkcd.com/936/

--
/~\  Charlie Gibbs                  |  Life is perverse.
\ /                                 |  It can be beautiful -
 X   I'm really at ac.dekanfrus     |  but it won't.
/ \  if you read it the right way.  |    -- Lily Tomlin
Re: Can't create a password successfully.
On 4/3/22 21:07, ghe2001 wrote:
> On Sunday, April 3, 2022 7:37 PM, David Christensen wrote:
>
>> Mozart is famous enough that I expect transcripts of all of his works
>> exist.
>
> Yes, but they don't know it's Mozart. And he wrote lots of pieces with words.

Suppose the attacker prepares dictionaries using the "first characters" algorithm for passwords ranging in length from 1 to N characters (where N is the number of words in the work) for all known human works, and compiles those dictionaries into one huge dictionary.

The number of 1-character English passwords would be the same as the number of uppercase and lowercase characters in the English language (e.g. 52). (Similarly so for all the other human languages.)

The number of 2-character English passwords could be 52**2.

But, as the password length increases, the number of dictionary entries will drop below 52**length.

For very long passwords, say the entire King James Bible (788,280 words), there would be few such English entries in the dictionary.

The huge dictionary might be petabytes, exabytes, zettabytes, etc., but that is tiny compared to 52**788,280.

>> And, that algorithm is common.
>
> I kinda thought it probably was. It's pretty obvious. The idea is to generate a bunch of gibberish that could be easily remembered.

It's not gibberish; it has meaning. The meaning is what makes the password both memorable and weak.

>> I expect that serious crackers already have such.
>
> I don't think so. It's not a word, so how could it be in a dictionary? And a dictionary of the letters of all the things it might have come from would be a pretty big task.

You are thinking of books. I am thinking of data structures/ files generated via the "first characters" algorithm applied to published works.

>> Using a unique and unpublished phrase or sentence would preclude
>> creating a dictionary. But, is there such a thing as a "unique and
>> unpublished phrase or sentence" and how do you remember it forever?
>
> Well, it wouldn't work if the line is unpublished -- like you say, it'd miss the 'remember it forever' part. It needs to be something that's already remembered. And there are so many places it could come from: Plato, the writings of the Buddha, 1950s rock, a couple lines of COBOL, one or another translation of something, etc. Depends on the user's background. It's something from the user's memory. I think the password would, in effect, be random to anybody but the user. But like I said -- I think...

A smart adversary will study his target.

David
Re: Can't create a password successfully.
On Sun, Apr 03, 2022 at 04:43:30PM -0500, Nicholas Geovanis wrote:

[...]

> I've worked on linux-based software which is covered by overseas medical
> device law as well as US HIPAA [...]

> > Changing passwords at frequent intervals? Total nonsense as far as
> > advice goes.
> >
>
> See above, it applies here too.

Yup. Regulatory organs sometimes fall asleep at the helm. The German BSI hasn't got the memo yet, either. Takes some time and perhaps some people with courage to yell at them for them to wake up.

Cheers
--
t
Re: Can't create a password successfully.
On Sun, Apr 03, 2022 at 07:45:47PM +, Andrew M.A. Cater wrote:

[...]

> > Indeed, all of this happens, usually without any explanation whatsoever.
> > For whose benefit are such requirements constructed?

Much of it is security theater. Someone (TM) up the chain can tick the checkbox "password security enforced". Then, the Rest of the Web (TM) goes forth and cargo-cults that, because that's how the Web is held together.

[...]

> Forcing passwords to change regularly may not be a good way to
> maintain security - it can mean that people use password01, password02
> and things like that.

Actually, NIST recommends [1] against forcing regular password change. Also they recommend against requirements as the above. What they do recommend is to check passwords against dictionaries (dictionary attack /is/ a thing happening out there).

My personal policy? Use pwgen to generate a password. Write down the less-used in an encrypted medium. Use 8 chars for the less important, 12 for the somewhat more important and 16 for the real fat ones (e.g. my LUKS passphrase, my backup encryption). The latter ones I use often, so I just keep them in my head.

Never use semi-important passwords for two different "places".

And oh, when some silly web site insists on special chars either consider not using that web site or, if I must, prepend a '#'.

> With every good wish as ever

Cheers

[1] https://www.netsec.news/summary-of-the-nist-password-recommendations-for-2021/

--
t
Re: Can't create a password successfully.
On 4/3/22 20:05, Greg Marks wrote:
>> i have a trouble of creating a password.. It says "The
>> password does not contain the required characters."
>>
>> I have tried everything and still doesn't get to work.
>
> You might try a command like this:

That's sick. I like it. }:->

2022-04-03 21:25:48 dpchrist@tinkywinky ~
$ cat /etc/debian_version ; uname -a
9.13
Linux tinkywinky 4.9.0-18-amd64 #1 SMP Debian 4.9.303-1 (2022-03-07) x86_64 GNU/Linux

2022-04-03 21:36:46 dpchrist@tinkywinky ~
$ I@pJFg.BVt0SP(\=MZDRM+fo>Il^A;C?9Ap0b]e

The last three characters of the argument to tr(1) specify a range. Was that intentional?

    .-_

And, I believe you have missed some printing characters (85 vs. 94):

2022-04-03 21:26:14 dpchrist@tinkywinky ~
$ perl -e 'print chr for 0 .. 127' | tr -dc 'A-Za-z0-9@#*()+={}/?~;,.-_'
#()*+,./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_abcdefghijklmnopqrstuvwxyz{}~

2022-04-03 21:26:42 dpchrist@tinkywinky ~
$ perl -e 'print chr for 0 .. 127' | tr -dc '[:graph:]'
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

But, 384+ bits of entropy ought to be secure for the foreseeable future. (Just don't ask me to type the generated passwords.)

David
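The tr(1) range question raised in the message above, as an added shell example that is not part of the original post and is not the command suggested earlier in the thread (that command is not reproduced on this page). The function names, the `HYPHEN_LAST` variant and the 60-character length are assumptions made for illustration; the `AS_POSTED` set is the tr argument quoted in the message.

```shell
#!/bin/sh
# Added example: measure what a tr(1) SET really keeps before trusting a
# password generator built on it.

# set_chars SET: print the printable ASCII characters (codes 33..126) that
# survive `tr -dc SET`. LC_ALL=C keeps ranges in plain byte order.
set_chars() {
    awk 'BEGIN { for (i = 33; i <= 126; i++) printf "%c", i }' |
        LC_ALL=C tr -dc "$1"
}

# set_size SET: number of distinct characters a generator using SET can emit.
set_size() {
    echo $(( $(set_chars "$1" | wc -c) ))
}

# set_diff A B: characters kept by SET A that SET B does not name.
set_diff() {
    set_chars "$1" | LC_ALL=C tr -d "$2"
}

# entropy_bits SET LENGTH: LENGTH * log2(set size), one decimal place.
# Assumes every character is an independent uniform draw from the set.
entropy_bits() {
    LC_ALL=C awk -v n="$2" -v k="$(set_size "$1")" \
        'BEGIN { printf "%.1f\n", n * log(k) / log(2) }'
}

# gen_password SET LENGTH: hypothetical generator. tr discards every byte
# from /dev/urandom that is not in SET, so the survivors stay uniform.
gen_password() {
    LC_ALL=C tr -dc "$1" </dev/urandom | head -c "$2"
    echo
}

# SET as quoted in the thread: the trailing ".-_" is a range from "." to "_".
AS_POSTED='A-Za-z0-9@#*()+={}/?~;,.-_'
# Same characters with "-" moved last, where tr treats it as a literal.
HYPHEN_LAST='A-Za-z0-9@#*()+={}/?~;,._-'
# Every printing character except space.
ALL_GRAPH='[:graph:]'

for s in "$AS_POSTED" "$HYPHEN_LAST" "$ALL_GRAPH"; do
    printf '%-30s %3d chars  %s bits at 60 chars\n' \
        "$s" "$(set_size "$s")" "$(entropy_bits "$s" 60)"
done
echo "admitted only by the range: $(set_diff "$AS_POSTED" "$HYPHEN_LAST")"
echo "dropped by the range:       $(set_diff "$HYPHEN_LAST" "$AS_POSTED")"
echo "sample (hyphen-last set):   $(gen_password "$HYPHEN_LAST" 24)"
```

The practical risk of the accidental range is less the entropy than a site's allowed-character list: the range lets in `:<>[\]^`, which the written-out set never meant to include, and silently drops `-`.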
Re: Can't create a password successfully.
------- Original Message -------
On Sunday, April 3, 2022 7:37 PM, David Christensen wrote:

> Mozart is famous enough that I expect transcripts of all of his works
> exist.

Yes, but they don't know it's Mozart. And he wrote lots of pieces with words.

> And, that algorithm is common.

I kinda thought it probably was. It's pretty obvious. The idea is to generate a bunch of gibberish that could be easily remembered.

> it's just a question of password length.

Yeah. As with all pws, length is important. It could be as long as you like.

> I expect that serious crackers already have such.

I don't think so. It's not a word, so how could it be in a dictionary? And a dictionary of the letters of all the things it might have come from would be a pretty big task.

> Using a unique and unpublished phrase or sentence would preclude
> creating a dictionary. But, is there such a thing as a "unique and
> unpublished phrase or sentence" and how do you remember it forever?

Well, it wouldn't work if the line is unpublished -- like you say, it'd miss the 'remember it forever' part. It needs to be something that's already remembered. And there are so many places it could come from: Plato, the writings of the Buddha, 1950s rock, a couple lines of COBOL, one or another translation of something, etc. Depends on the user's background. It's something from the user's memory. I think the password would, in effect, be random to anybody but the user. But like I said -- I think...
--
Glenn English
Re: Can't create a password successfully.
> i have a trouble of creating a password.. It says "The
> password does not contain the required characters."
>
> I have tried everything and still doesn't get to work.

You might try a command like this:
Re: Can't create a password successfully.
On 4/3/22 14:05, ghe2001 wrote:
> Another password generator suggestion:
>
> I'm 79 and memory isn't what it used to be, so I find those "secure" passwords generated by computers to be less than optimal. I use a system that I claim can't be hacked by a dictionary search and almost certainly not by guessing, but will be easy to remember:
>
> Think of a line or two from a relatively obscure play or poem or song that you like. A while back, a woman I needed a pw for used lines from an aria in one of Mozart's operas -- in Italian. Just take the first letters of the words, case included, and all the punctuation and stuff, and that's your pw. You may need to add a few numerals to make the bank's pw checker happy. When you want to use it, run the line(s) through your mind, and you remember the pw.
>
> If anyone on this list knows why that won't work, I'd sure appreciate knowing about it...

Mozart is famous enough that I expect transcripts of all of his works exist. And, that algorithm is common. Generating a dictionary for the pair is trivial; it's just a question of password length. I expect that serious crackers already have such.

Using a unique and unpublished phrase or sentence would preclude creating a dictionary. But, is there such a thing as a "unique and unpublished phrase or sentence" and how do you remember it forever?

Given defenses such as fail2ban(8), a dictionary is usable only if the attacker has obtained the salted password hash (e.g. /etc/shadow) and can do the work offline.

That said, the stories I read usually cite credential stuffing or phishing as the origin of breaches:

https://www.sentinelone.com/blog/7-ways-hackers-steal-your-passwords/

David
Re: Can't create a password successfully.
On Sun, Apr 3, 2022, 3:00 PM Brian wrote:

> On Sun 03 Apr 2022 at 19:45:47 +, Andrew M.A. Cater wrote:
>
> > On Sun, Apr 03, 2022 at 08:25:46PM +0100, Brian wrote:
> > > On Sun 03 Apr 2022 at 20:10:14 +0100, Brad Rogers wrote:
> > >
> > > > On Sun, 3 Apr 2022 21:31:34 +0300
> > > > PanosGR wrote:
> > > >
> > > > Hello PanosGR,
> > > >
> > > > >I have tried everything and still doesn't get to work.
> > > >
> > > > Very often passwords are required to contain a mix of upper and lower
> > > > case letters and one or more numerals. Some sites require 'special'
> > > > characters (%#~$, etc) to be used, some limit their use.
> > >
> > > Indeed, all of this happens, usually without any explanation whatsoever.
> > > For whose benefit are such requirements constructed?
> > >
> > > --
> > > Brian.
> > >
> >
> > Some of this is to make passwords harder to guess / harder to brute-force.
> > Some of this is to satisfy regulatory requirements - so credit card
> > transactions have particular restrictions / two factor authentication
> > or similar.
>
> My query related to *whose benefit* these rules are imposed? Your
> answer implies it is for the benefit of the website. I am not aware
> of any regulatory requirements placed on the user in the UK for
> devising passwords.
>

I've worked on linux-based software which is covered by overseas medical device law as well as US HIPAA, PCI and medical IT-device standards. All have password-strength requirements which compliant businesses and software must meet. Including web-facing components. YMMV.

> > One of the bits of advice is to use long passwords made up of three
> > random words and to use a different password per website / to use
> > your web browser to generate an appropriate random password.
> > Forcing passwords to change regularly may not be a good way to
> > maintain security - it can mean that people use password01, password02
> > and things like that.
>
> Changing passwords at frequent intervals? Total nonsense as far as
> advice goes.
>

See above, it applies here too.

> --
> Brian.
Re: Can't create a password successfully.
------- Original Message -------
On Sunday, April 3rd, 2022 at 1:45 PM, Andrew M.A. Cater wrote:

> One of the bits of advice is to use long passwords made up of three
> random words and to use a different password per website / to use
> your web browser to generate an appropriate random password.
> Forcing passwords to change regularly may not be a good way to
> maintain security - it can mean that people use password01, password0
> and things like that.

Another password generator suggestion:

I'm 79 and memory isn't what it used to be, so I find those "secure" passwords generated by computers to be less than optimal. I use a system that I claim can't be hacked by a dictionary search and almost certainly not by guessing, but will be easy to remember:

Think of a line or two from a relatively obscure play or poem or song that you like. A while back, a woman I needed a pw for used lines from an aria in one of Mozart's operas -- in Italian. Just take the first letters of the words, case included, and all the punctuation and stuff, and that's your pw. You may need to add a few numerals to make the bank's pw checker happy. When you want to use it, run the line(s) through your mind, and you remember the pw.

If anyone on this list knows why that won't work, I'd sure appreciate knowing about it...

--
Glenn English
Re: Can't create a password successfully.
On Sun, 3 Apr 2022 19:45:47 + "Andrew M.A. Cater" wrote:

Hello Andrew,

>maintain security - it can mean that people use password01, password02
>and things like that.

My previous employer was wise to that; If I tried such tactics their password vetting software would reject the new version as being "too similar" to one of my previous passwords.

Obviously, they kept a table with my previous passwords. A security headache in itself.

--
 Regards  _
         / )      "The blindingly obvious is never immediately apparent"
        / _)rad   "Is it only me that has a working delete key?"
Life's short, don't make a mess of it
No Time To Be 21 - The Adverts
Re: Can't create a password successfully.
On Sun, 3 Apr 2022 20:25:46 +0100 Brian wrote:

Hello Brian,

>For whose benefit are such requirements constructed?

I suspect that's a rhetorical question, but just in case it's not; The idea is to promote the use of more complex passwords that should be harder to guess. Of course, they're still likely to be machine guessable within a reasonable amount of time.

The worst thing is that some web sites don't mention such requirements and the poor user (PanosGR in this case) will be left guessing as to what is required.

I also realise that I didn't mention in my previous post some web sites put password size limits in place (both min and/or max).

--
 Regards  _
         / )      "The blindingly obvious is never immediately apparent"
        / _)rad   "Is it only me that has a working delete key?"
Looking for something I can call my own
Chairman Of The Bored - Crass
Re: Can't create a password successfully.
On Sun 03 Apr 2022 at 19:45:47 +, Andrew M.A. Cater wrote:

> On Sun, Apr 03, 2022 at 08:25:46PM +0100, Brian wrote:
> > On Sun 03 Apr 2022 at 20:10:14 +0100, Brad Rogers wrote:
> >
> > > On Sun, 3 Apr 2022 21:31:34 +0300
> > > PanosGR wrote:
> > >
> > > Hello PanosGR,
> > >
> > > >I have tried everything and still doesn't get to work.
> > >
> > > Very often passwords are required to contain a mix of upper and lower
> > > case letters and one or more numerals. Some sites require 'special'
> > > characters (%#~$, etc) to be used, some limit their use.
> >
> > Indeed, all of this happens, usually without any explanation whatsoever.
> > For whose benefit are such requirements constructed?
> >
> > --
> > Brian.
> >
>
> Some of this is to make passwords harder to guess / harder to brute-force.
> Some of this is to satisfy regulatory requirements - so credit card
> transactions have particular restrictions / two factor authentication
> or similar.

My query related to *whose benefit* these rules are imposed? Your answer implies it is for the benefit of the website. I am not aware of any regulatory requirements placed on the user in the UK for devising passwords.

> One of the bits of advice is to use long passwords made up of three
> random words and to use a different password per website / to use
> your web browser to generate an appropriate random password.
> Forcing passwords to change regularly may not be a good way to
> maintain security - it can mean that people use password01, password02
> and things like that.

Changing passwords at frequent intervals? Total nonsense as far as advice goes.

--
Brian.
Re: Can't create a password successfully.
On Sun, Apr 03, 2022 at 08:25:46PM +0100, Brian wrote:
> On Sun 03 Apr 2022 at 20:10:14 +0100, Brad Rogers wrote:
>
> > On Sun, 3 Apr 2022 21:31:34 +0300
> > PanosGR wrote:
> >
> > Hello PanosGR,
> >
> > >I have tried everything and still doesn't get to work.
> >
> > Very often passwords are required to contain a mix of upper and lower
> > case letters and one or more numerals. Some sites require 'special'
> > characters (%#~$, etc) to be used, some limit their use.
>
> Indeed, all of this happens, usually without any explanation whatsoever.
> For whose benefit are such requirements constructed?
>
> --
> Brian.
>

Some of this is to make passwords harder to guess / harder to brute-force. Some of this is to satisfy regulatory requirements - so credit card transactions have particular restrictions / two factor authentication or similar.

One of the bits of advice is to use long passwords made up of three random words and to use a different password per website / to use your web browser to generate an appropriate random password. Forcing passwords to change regularly may not be a good way to maintain security - it can mean that people use password01, password02 and things like that.

With every good wish as ever

Andy Cater
Re: Can't create a password successfully.
On Sun 03 Apr 2022 at 20:10:14 +0100, Brad Rogers wrote:

> On Sun, 3 Apr 2022 21:31:34 +0300
> PanosGR wrote:
>
> Hello PanosGR,
>
> >I have tried everything and still doesn't get to work.
>
> Very often passwords are required to contain a mix of upper and lower
> case letters and one or more numerals. Some sites require 'special'
> characters (%#~$, etc) to be used, some limit their use.

Indeed, all of this happens, usually without any explanation whatsoever. For whose benefit are such requirements constructed?

--
Brian.
Re: Can't create a password successfully.
On Sun, 3 Apr 2022 21:31:34 +0300 PanosGR wrote:

Hello PanosGR,

>I have tried everything and still doesn't get to work.

Very often passwords are required to contain a mix of upper and lower case letters and one or more numerals. Some sites require 'special' characters (%#~$, etc) to be used, some limit their use.

As Andrew said, without knowing exactly what web site you're trying to use, it's difficult to give specific advice.

--
 Regards  _
         / )      "The blindingly obvious is never immediately apparent"
        / _)rad   "Is it only me that has a working delete key?"
Tell the dinosaurs they just won't survive
The History Of The World (Part 1) - The Damned
Re: Can't create a password successfully.
On Sun, Apr 03, 2022 at 09:31:34PM +0300, PanosGR wrote:
> Hello there, i have a trouble of creating a password.. It says "The
> password does not contain the required characters."
>
> I have tried everything and still doesn't get to work.
>
> Perhaps could you give me a password just to create an account?
>
> Thanks,
>
> Panos.

Hi Panos,

Where are you trying to create an account / what for? Sorry, this is unclear.

With every good wish, as ever,

Andy Cater
Can't create a password successfully.
Hello there, i have a trouble of creating a password.. It says "The password does not contain the required characters."

I have tried everything and still doesn't get to work.

Perhaps could you give me a password just to create an account?

Thanks,

Panos.