{"id":253,"date":"2016-01-08T07:34:56","date_gmt":"2016-01-08T14:34:56","guid":{"rendered":"http:\/\/www.businesstechnologyassociates.com\/blog\/?p=253"},"modified":"2016-01-16T15:47:23","modified_gmt":"2016-01-16T22:47:23","slug":"password-shenanigans","status":"publish","type":"post","link":"https:\/\/www.businesstechnologyassociates.com\/blog\/2016\/01\/password-shenanigans\/","title":{"rendered":"Password Shenanigans"},"content":{"rendered":"<p>There seems to be a trend in web security that requires that you type your password, <strong>no pasting allowed!<\/strong><\/p>\n<p>This, combined with other password &#8220;requirements&#8221;, is creating problems for people like me who use very secure long passwords.\u00a0 That means I use a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Password_Safe\" target=\"_blank\">password safe<\/a> that generates long random strings of letters and numbers like:<\/p>\n<blockquote>\n<pre>kUTaVYPuw6KdCLsqhfJ35qHdZcgCqR<\/pre>\n<\/blockquote>\n<p>BTW, this password is random and not used by me, anywhere!<\/p>\n<p>So when I sign up for a site that does not allow pasting my really secure password, but requires that I type it manually, I end up with passwords like:<\/p>\n<blockquote>\n<pre>Secure4Stupid!<\/pre>\n<\/blockquote>\n<p>Making my password much less secure. 
Also most sites use the &#8220;onpaste=return false;&#8221; trick.\u00a0 This only stops the stupid people, as 5-15 minutes with a <a href=\"http:\/\/www.greasespot.net\/\" target=\"_blank\">Greasemonkey<\/a> script will defeat that &#8220;security&#8221; feature.\u00a0 <strong>So let&#8217;s not think that every idea about password security is a good idea.<\/strong><\/p>\n<p>Even the following idea is <a href=\"https:\/\/www.schneier.com\/blog\/archives\/2014\/03\/choosing_secure_1.html\" target=\"_blank\"><strong>probably not that secure<\/strong><\/a> given that password crackers use dictionaries that contain the words: correct, horse, battery, and staple.<\/p>\n<p><a href=\"https:\/\/xkcd.com\/936\/\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-254 size-full\" src=\"\/blog\/wp-content\/uploads\/2016\/01\/password_strength.png\" alt=\"xkcd comic\" width=\"740\" height=\"601\" srcset=\"https:\/\/www.businesstechnologyassociates.com\/blog\/wp-content\/uploads\/2016\/01\/password_strength.png 740w, https:\/\/www.businesstechnologyassociates.com\/blog\/wp-content\/uploads\/2016\/01\/password_strength-300x244.png 300w\" sizes=\"auto, (max-width: 706px) 89vw, (max-width: 767px) 82vw, 740px\" \/><\/a>Another annoyance is sites that do not tell me what the maximum length is for a password on their site.\u00a0 Almost no one tells you this, even though they tell you that you must enter at least 8 characters, using letters and numbers.\u00a0 Since I have had several sites truncate my password, <span style=\"text-decoration: underline;\">without error or warning<\/span>, I now have to look at the HTML source code to see if a hint is there.<\/p>\n<p>So here is some password advice for web-site developers and their customers.<\/p>\n<ul>\n<li><strong>Do<\/strong> tell us the minimum and <strong>maximum<\/strong> lengths, characters allowed (numbers, letters, symbols, etc.).\u00a0 Make the maximum something like 255, to allow secure passwords and 
phrases.<\/li>\n<li><strong>Do<\/strong> use a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Cryptographic_hash_function\" target=\"_blank\">hashing algorithm<\/a> to store passwords for your password-protected applications.\u00a0 This also allows for very long passwords, but fixes the hash value length that you need to store to authenticate your users.\u00a0 A really useful function is the Unix <a href=\"https:\/\/en.wikipedia.org\/wiki\/Crypt_%28C%29#SHA2-based_scheme\" target=\"_blank\">crypt()<\/a> library function that is implemented in numerous languages including C, Perl, PHP, Python, and Ruby.<\/li>\n<li><strong>Do<\/strong> use standard HTML for accepting passwords for compatibility with more devices.<\/li>\n<li><strong>Do not<\/strong> disable pasting, which causes users to create weaker passwords.<\/li>\n<li><strong>Do not<\/strong> store passwords in plain text on any system.\u00a0 For clients, use a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Password_Safe\" target=\"_blank\">password safe program<\/a> to generate and store passwords. 
For applications and servers, use a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Crypt_%28C%29#SHA2-based_scheme\" target=\"_blank\">strong hashing algorithm<\/a> to store and compare passwords.<\/li>\n<li><strong>Do not<\/strong> use JavaScript for security as it is easily circumvented.<\/li>\n<li><strong>Do not<\/strong> reuse passwords for multiple sites.<\/li>\n<\/ul>\n<p>For more advice on password security:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.schneier.com\/blog\/archives\/2009\/08\/password_advice.html\" target=\"_blank\">https:\/\/www.schneier.com\/blog\/archives\/2009\/08\/password_advice.html<\/a><\/li>\n<li><a href=\"https:\/\/www.schneier.com\/blog\/archives\/2009\/02\/balancing_secur.html\" target=\"_blank\">https:\/\/www.schneier.com\/blog\/archives\/2009\/02\/balancing_secur.html<\/a><\/li>\n<li><a href=\"https:\/\/en.wikipedia.org\/wiki\/Crypt_%28C%29#SHA2-based_scheme\" target=\"_blank\">https:\/\/en.wikipedia.org\/wiki\/Crypt_%28C%29#SHA2-based_scheme<\/a><\/li>\n<li><a href=\"https:\/\/www.usenix.org\/legacy\/events\/usenix99\/provos\/provos_html\/node3.html\" target=\"_blank\">https:\/\/www.usenix.org\/legacy\/events\/usenix99\/provos\/provos_html\/node3.html<\/a><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>There seems to be a trend in web security that requires that you type your password, no pasting allowed! 
This, combined with other password &#8220;requirements&#8221;, is creating problems for people like me who use very secure long passwords.\u00a0 That means I use a password safe that generates long random strings of letters and numbers like: &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/www.businesstechnologyassociates.com\/blog\/2016\/01\/password-shenanigans\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;Password Shenanigans&#8221;<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,17,3],"tags":[],"class_list":["post-253","post","type-post","status-publish","format-standard","hentry","category-internet","category-security","category-technology"],"_links":{"self":[{"href":"https:\/\/www.businesstechnologyassociates.com\/blog\/wp-json\/wp\/v2\/posts\/253","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.businesstechnologyassociates.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.businesstechnologyassociates.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.businesstechnologyassociates.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.businesstechnologyassociates.com\/blog\/wp-json\/wp\/v2\/comments?post=253"}],"version-history":[{"count":10,"href":"https:\/\/www.businesstechnologyassociates.com\/blog\/wp-json\/wp\/v2\/posts\/253\/revisions"}],"predecessor-version":[{"id":266,"href":"https:\/\/www.businesstechnologyassociates.com\/blog\/wp-json\/wp\/v2\/posts\/253\/revisions\/266"}],"wp:attachment":[{"href":"https:\/\/www.businesstechnologyassociates.com\/blog\/wp-json\/wp\/v2\/media?parent=253"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.businesstechnologyassociates.com\/blog\/wp-json\/wp\/v2\/categories?pos
t=253"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.businesstechnologyassociates.com\/blog\/wp-json\/wp\/v2\/tags?post=253"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}