KeithM89 wrote: » Well i hope no one else is using 'password' as their password....
SuperInfinity wrote: » I am willing to defend it, that's why I'm arguing for its merits.
vibe666 wrote: » in that case, regardless of who is right and who is wrong on the maths/security part of it, what difference does it even make at all what button you hit to go from your username to your password when what you are suggesting (by your own admission) amounts to basically the same thing? for something such as a web forum, all an attacker has to do is register as a new user and they instantly have access to every registered username for that site, so all they have to do then is crack the password (or in your case the 2nd half of the password since the first half is the username anyway).
vibe666 wrote: » obviously, with the main difference here being that the entire world has already been using the current method for many years and not only is everything set up for that to work, but everyone is used to doing it that way so why would anyone want to change it now? the merits of a 2 factor username & password login are pretty obvious as they are still pretty secure but much easier to remember than a 20 character random string of letters, numbers and symbols.
vibe666 wrote: » this isn't about arguing or winning, this is about you presenting an idea for people to review and critique and judge it on it's potential merits, so if you believe in what you are putting forward to the forum, then at the very least i think you would be willing to defend it.
SuperInfinity wrote: » could be one of them. This is the exact same as splitting them up. The only difference with a password one longer than it is that the underscore could be any character.
vibe666 wrote: » the simple truth is, that the more factors you have for a particular account, the more secure it is likely to be. why do you think most online banking has a 3 factor login?
SuperInfinity wrote: » vibe666. You are wrong. I said the exact same length password as password + username. I have told you all you need to know to work it out and only stated the obvious. Now leave me alone, but remember you are wrong.
vibe666 wrote: » no it isn't. if you have NO username and say a 15 character password it's going to be very difficult for anyone to guess what it is. if you have a board with 1,000,000 users it's going to be a hell of a lot easier to guess what any one or even some of those passwords are using brute force, particularly if you know that it NEEDS to be a long password as you can remove anything shorter than the minimum password length from the attack. BUT simply adding a username means that you have to guess every possible password until you get the right one for EACH user, not just guess the right password for any user. if you really don't like typing in usernames & passwords all the time then use something like lastpass with a strong master password and let it handle everything else online for you.
SuperInfinity wrote: » It would only be easier if the username + password was exactly equal to the password alone and all characters allowed in passwords were also allowed in usernames because of the seperation of them which is equivalent to the use of "tab".
Knasher wrote: » Actually sorry, realised I was wrong with my maths up above. Red faced now and tired I think I'll bow out before I make a further fool of myself.
SuperInfinity wrote: » This isn't true at all. That's like saying any combination of usernames and passwords could be tried.
Knasher wrote: » It is true. When you have usernames and passwords you can know the username, but you would need to try many passwords in order to get the right one. If it was just passwords, then it would be much easier to get an account. Not a specific account mind you, just a random one. The reason you don't need a username for truecrypt is because there is only one correct password.
SuperInfinity wrote: » This isn't true at all. That's like saying any combination of usernames and passwords could be tried. The "tab" between your username and password is the exact same as having a known character somewhere in the middle of the password. Any implementation of it to make it harder to brute-force could be directly copied in the password-only scenario by treating the first and second parts differently. Truecrypt for example doesn't have any "user name" required. You can use keyfiles but they're not to avoid bruteforcing a password.
red menace wrote: » It would make brute forcing boards really simple. Without the username being required any combination of characters could be tried and potentially loads of accounts could be comprimised
The Left Hand Of God wrote: » Do you agree with a 30 day forced password change limit? I find that the most pity-full and stupid thing ever. Forces people to be stupid IMO
SuperInfinity wrote: » Eh? 26 characters plus 10 numerals (26+10)^5 = 5,2521,875. If you allows upper and lower case letters: 62^5 = 916,132,832
SuperInfinity wrote: » Besides, there's no good reason that a password should be limited like that.
SuperInfinity wrote: » What if I want a very long username? Also there's the fact that you have to press tab....
red menace wrote: » I also work in IT and I know people are using the most retarded passwords ever My current password is touching 30 characters long, it sometimes takes me more than one attempt to get it right
Knasher wrote: » That's equivalent to putting a limit of 5 letters to user names. It's safe enough then but you haven't really saved anything by doing it and you have put an upper limit on the number of registered users. Just to be exact, if you only allow letters and numbers you would be limiting yourself to 376992 users only. (and to take it a little further, boards passed that number in September last year)
“Before I broke into the IT racket,” Scott Simons writes, “I was a front-line Customer Service Rep. At the time, the procedure for logging into our service management system was a bit puzzling.” “Like many organizations, your User ID was assigned by the company, but you had to choose your own password. But instead of having a screen to do that, you had to fill out a Password Request Form and fax it corporate headquarters. And then things got strange. “There was a 50/50 chance that corporate would reject your password. There was no rhyme or reason, such as not having enough numeric characters, or anything like that. It was just a simple notice, sent back via fax: Your password was not created. Please choose a different password. “Actually, their rejection messages weren’t always so simple. I decided to change my password one day to something more secure – two mixed-case passwords with numbers and special characters – but IT rejected it because they couldn’t read my handwriting. I typed out my secure password and then refaxed it. They responded that they changed my password... but not to what I picked: they just randomly chose some word, like frequency. Evidently they were tired of dealing with me. “And then, one day, everything clicked. I became enlightened when I mistakenly typed in a password that I had unsuccessfully requested at one time in the past: instead of a invalid credentials message, I found myself logged in as a completely different user. “A little testing (at other people’s workstations, just in case) confirmed my incredible suspicion: the User ID field on the login screen was a dummy. The login script looked only at the password field, comparing it to the list of passwords; if it matched, you were logged in as the user who owned that password, regardless of what User ID you had entered into the screen. The reason that passwords were sometimes rejected was simply that each user had to have a unique password for this ‘security’ scheme to work. “I guess you could call it could call it fake one-factor authentication? Or half-factor authentication? “After playing around a bit more, it was really easy to find some poorly-thought out passwords that belonged to users with much more powerful system permissions than mine. I believe one of them was a sales manager in Boston, who was apparently fond of kittens. “I never chose to wreak any havoc with this knowledge – or even share this crazy scheme with my coworkers – but I’m glad I can finally tell someone about it today.
SuperInfinity wrote: » Okay what if the first five letters of your password had to be unique?
SuperInfinity wrote: » But as I just stated, if the passwords are properly chosen then there would be as little chance of that happening as if two people had the exact same username + password.
SuperInfinity wrote: » But as I just stated, if the passwords are properly chosen then there would be as little chance of that happening
Nevore wrote: » But since the Interweb Emancipation Act of 2001, people over the age of 35 have been using the internet. They don't understand things like "no, don't use your username as your password. Or the dogs name. No, mam, it's not a really good idea to use your credit card number either. Yes, I know random numbers and letters look hard, but you can write it down somewhere if you really need to. No, not on a piece of paper stuck to the monitor at your desk in the bank you work at."
Jeremiah 16:1 wrote: » And what if you were a heterosexual male and didn't have a boyfriend? Log in with an egg?