That little soft spot on the head....

Why is it that web sites will force you to have a minimum 8-character password, which MUST include both upper and lowercase, and at least one special character, with additional limits on character sequences and repetition --- and yet, will block the account after three unsuccessful login attempts?

Is there any proof that these schemes work? I mean, other than getting people to select something other that "password" or "1234"?

I say that if I have to write it down to remember it -- by definition it is less secure.

(And some of my colleagues wonder why I say "I.T." is the janitorial work of engineering! :)

-- mpm

The login attempt restriction is to defeat someone trying to crack a _particular_ user's password, on-line, while the enforced length and character requirements are to try to defeat someone trying to crack hashed passwords en-masse from e.g. an archive of millions of hashed passwords stolen in a data breach situation.

and the difference between an easily-cracked password in seconds and one that takes trillions of years can be non-intuitive. you might be surprised at what high-performance cracking software using massive hash tables can bust within seconds or minutes. all 8 character random alphanumeric sequences of simply lowercase letters and numbers are AFAIK trivially bustable off-line in milliseconds; the state space is not that large and the hashes can be pre-computed.

by some metrics the same character repeated some arbitrary number of times greater than 50:

"qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqq"

is a very strong password that would take trillions of years to bust.

-- bitrex

an md5 rainbow table of all 10 digit lower case alphanumeric passwords is only about 300 gigs of data, in fact. it allows all hashed passwords of that qualification 10 digits and shorter to be busted relatively instantly. 300 gigs of data is not a lot of data by 2019 standards

-- bitrex
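The keyspace arithmetic behind the two posts above (why 8 lowercase alphanumerics are cheap to exhaust, how large the 10-character space behind the rainbow-table figure is, and why a long run of one character is only strong "by some metrics"), as an added Python example that is not from the thread. The guess rate, the 128-character cap on repeated-character patterns and the three alphabet classes are assumptions chosen for illustration.

```python
import math

# All rates and alphabet sizes below are assumptions for illustration,
# not figures taken from the thread.
LOWER = 26               # a-z
LOWER_ALNUM = 26 + 10    # a-z plus 0-9
PRINTABLE = 95           # printable ASCII
ASSUMED_RATE = 1e10      # assumed off-line guesses/sec against a fast unsalted hash (e.g. MD5)
MAX_PATTERN_LEN = 128    # longest "same character repeated" pattern a guesser would bother trying
SECONDS_PER_YEAR = 31_557_600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of `length` characters over the alphabet."""
    return alphabet_size ** length


def bits(n: int) -> float:
    """Keyspace size expressed as bits of brute-force work."""
    return math.log2(n)


def seconds_to_exhaust(n: int, rate: float = ASSUMED_RATE) -> float:
    """Time to enumerate every string in a space of size n at `rate` guesses/sec."""
    return n / rate


def charset_size(pw: str) -> int:
    """Smallest of the three alphabet classes that contains every character of pw."""
    if all(c.islower() for c in pw):
        return LOWER
    if all(c.islower() or c.isdigit() for c in pw):
        return LOWER_ALNUM
    return PRINTABLE


def naive_guesses(pw: str) -> int:
    """Brute-force metric: treat the password as a random string over its charset."""
    return keyspace(charset_size(pw), len(pw))


def pattern_aware_guesses(pw: str) -> int:
    """A guesser that tries 'one character repeated N times' before random strings
    finds a repeated-character password within charset * MAX_PATTERN_LEN guesses."""
    if len(set(pw)) == 1:
        return charset_size(pw) * MAX_PATTERN_LEN
    return naive_guesses(pw)


def describe(pw: str) -> dict:
    """Compare the two metrics for one password."""
    naive = naive_guesses(pw)
    aware = pattern_aware_guesses(pw)
    return {
        "length": len(pw),
        "naive_bits": round(bits(naive), 1),
        "naive_years": seconds_to_exhaust(naive) / SECONDS_PER_YEAR,
        "pattern_aware_guesses": aware,
        "pattern_aware_seconds": seconds_to_exhaust(aware),
    }


if __name__ == "__main__":
    # Constructed sample passwords: an 8-char lowercase alphanumeric, the 68 q's
    # from the thread, and the two-word example given later in the thread.
    for pw in ["abcdefg1", "q" * 68, "wampanoagwompatucket"]:
        print(pw[:20].ljust(20), describe(pw))
    # The whole 8-char lowercase alphanumeric space is 36**8 (about 2.8e12 strings,
    # roughly 4.7 minutes at the assumed rate); the 10-char space is 36**10 (about 3.7e15).
    print(keyspace(LOWER_ALNUM, 8), keyspace(LOWER_ALNUM, 10))
```

The minutes figure for the 8-character space is for live enumeration; a precomputed table of the kind the second post describes turns that into a lookup, which is why storage size rather than hash rate is the limiting factor there. The 68 q's score over 300 bits on the naive metric but fall to a few thousand guesses once the guesser tries repeated-character patterns first, which is the caveat hiding behind "by some metrics".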


OK, so you can "look it up" in a pre-calculated table of hashes. But that route assumes the attacker has somehow breached the password file on the server. And, I guess that does happen often enough to be a real concern. (Again... janitors. Can't secure shit.)

Regardless, I highly doubt my "standard" password would be present in any pre-calculated table.

-- mpm

"standard password"?

anyway, test it out and see. this tool runs locally it doesn't transmit any data over the 'net:

-- bitrex

remember I believe there are various sophisticated ways of chaining pre-computed hashes to recursively break passwords that have any monotonic subdivision pre-computed, exponentially faster, it doesn't have to be just the whole thing, atomically. IDK how that works exactly you'd have to ask an info security/cryptography person.

-- bitrex

I've watched attackers try to guess passwords, the disallowed ones are popular guesses.

that depends on your physical security... perhaps don't write it down verbatim

-- Jasen Betts
  When I tried casting out nines I made a hash of it.
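A minimal per-account lockout counter of the kind the first reply in this thread describes (three failures lock the account, so on-line guessing against one particular account is rate-limited), replayed over a few constructed login events, as an added Python example that is not from the thread. The 15-minute lockout window, the log line format and the sample events are assumptions.

```python
import re
from dataclasses import dataclass

MAX_FAILURES = 3      # "block the account after three unsuccessful login attempts" (first post)
LOCK_SECONDS = 900    # assumed lockout window of 15 minutes; not a figure from the thread

# Constructed log format: "<epoch-seconds> user=<name> result=OK|FAIL" (an assumption).
LOG_LINE = re.compile(r"^(?P<ts>\d+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample events: three bad guesses at mpm, then the real password,
# one slip-up by bitrex, then mpm again after the window has passed.
CONSTRUCTED_LOG = """\
1000 user=mpm result=FAIL
1001 user=mpm result=FAIL
1002 user=mpm result=FAIL
1003 user=mpm result=OK
1005 user=bitrex result=FAIL
1006 user=bitrex result=OK
2000 user=mpm result=OK
"""


@dataclass
class AccountState:
    failures: int = 0       # consecutive failures since the last success or lockout
    locked_until: int = 0   # epoch second at which the lock expires (0 = not locked)


def apply_lockout(log_text: str) -> list:
    """Replay login events through the lockout policy.

    Returns (timestamp, user, decision) tuples, where decision is one of:
      ALLOW    - credentials accepted
      DENY     - wrong credentials, failure counted
      LOCKOUT  - this failure reached MAX_FAILURES; account locked for LOCK_SECONDS
      LOCKED   - rejected without checking credentials (still inside the window)
    """
    state = {}
    decisions = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue   # ignore lines that are not login events
        ts, user, result = int(m["ts"]), m["user"], m["result"]
        acct = state.setdefault(user, AccountState())
        if ts < acct.locked_until:
            decisions.append((ts, user, "LOCKED"))
            continue
        if result == "OK":
            acct.failures = 0
            decisions.append((ts, user, "ALLOW"))
        else:
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = ts + LOCK_SECONDS
                acct.failures = 0
                decisions.append((ts, user, "LOCKOUT"))
            else:
                decisions.append((ts, user, "DENY"))
    return decisions


def max_online_guesses_per_day() -> int:
    """Upper bound on on-line guesses against one account per day under this policy:
    MAX_FAILURES per lockout window."""
    return MAX_FAILURES * (86_400 // LOCK_SECONDS)


if __name__ == "__main__":
    for ts, user, decision in apply_lockout(CONSTRUCTED_LOG):
        print(ts, user.ljust(8), decision)
    print("on-line guesses per account per day:", max_online_guesses_per_day())
```

The fourth event shows the usability cost the original poster complains about: a correct password presented inside the window is rejected too, which is why a lockout needs a working reset path beside it. The daily bound (288 guesses per account with these parameters) against the billions of guesses per second available off-line is the reason the lockout and the length/character rules are aimed at two different attackers.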

Combining Wampanoag Indian names from around New England, as an example

"wampanoagwompatucket"

results in an intrinsically pretty strong password by most metrics without using any special characters, rather like the "code talkers" of World War 2

-- bitrex


FWIW: This whole mini-rant started when, this morning, I tried to log on to see my 401k account. Even though I write the user name and password down VERBATIM, Transamerica can't seem to log me in.

They suck. And I'm pretty sure their entire I.T. security "staff" are a bunch of children. Literally. (With apologies to those children out there who can actually program better!)

I think this is about 9th or 10th time it's happened. And I don't have the problem on other sites.

So yeah, I get a little pissed when they remind me to include all the special f-ckin' characters, etc... And then even when I do reset the password... it still doesn't work.

To paraphrase Nicholas Taleb, maybe Transamerica should hire some actual janitors to handle their I.T. department. It's not that they would necessarily do a better job (although it's hard to imagine otherwise), it's that you really wouldn't expect them to!

-- mpm

Your header shows that you're using G2 reader which puts you on an Android tablet. No clue what you're using for a web browser or OS for logging into TransAmerica. Try the following process, even though some of it may seem rather illogical:

  1. In your browser, clear the cookies associated with Transamerica. For Firefox, click on the site information icon (small "i" inside a circle on the URL line to the left of the lock symbol). At the bottom of the window, click on "Clear cookies and Site Data". It may take two or three seconds for the "Clear cookies..." option to appear. It will only appear if you have cookies for transamerica stored. You should see "transamerica.com" and "
    formatting link
    " listed. Click "remove" and they'll both be removed. Bug me if you need instructions for other browsers.
  2. When you try to login to transamerica.com again, inscribe the correct user name, but intentionally mangle the password. Make sure this intentionally wrong password is at least 2 characters longer than your real password. It will fail to login, which is what I would expect. Now, try again, this time using the real password.

If the above process works, please report it to Transamerica support. I don't want to get involved in yet another time burner with the janitors. If not, save it for the next time you have a similar problem and try it again.

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 

Jeff Liebermann wrote in news: snipped-for-privacy@4ax.com:

Are you using THEIR app? Most have apps and do not like web browser access. Even if you've been doing it that way all along, many have apps and prefer their customers use the app. (and update it)

-- DecadentLinuxUserNumeroUno

Actually, Windows-7 w/ IE-11.

The failed login notwithstanding, the reset password really ought to work. (They send you a link to your email on file.)

Pathetic.

I already left them a nasty-gram, so toxically worded, I might actually regret it (a little) when I get them on the phone Monday. If I had my way, our company would switch benefits elsewhere. All their offerings are TA-based (as expected), so not much to choose from, and their fund performances relative to most of their peers is often on life support. Frankly, I only do it for the employer match.

Which lately, it seems like it would be a more efficient system for my employer to just give the money directly to TA and leave me out of it. It is just barely worth the effort sometimes.

OK. Rant over. I'll suck it up on Monday and deal with the god-damn T/A janitors again. AGAIN!

-- mpm

How to delete cookies for a specific domain in IE:

I've noticed that such features often malfunction on weekends when the IT staff is absent. Things should magically start working again on Monday morning.

I don't think it's a pop-up blocker problem, but it might be worth turning it off in IE 11 just to see what pops up. Gear icon -> Internet Options -> Privacy -> Pop-up Blocker -> Uncheck

You might also try logging in with a different browser.

Good luck.

--
Jeff Liebermann     jeffl@cruzio.com 
150 Felker St #D    http://www.LearnByDestroying.com 

Robert Baer wrote in news:aXeUE.10284$ snipped-for-privacy@fx12.iad:

You say some of the most stupid things sometimes.

Aren't you the dope that was on a PC under a text only interface and phone modems due to your paranoia about ten years ago?

Don't see too many android hack news segments about bank or investment firm apps.

Ooops... statistical dope too, eh?

You think a browser based access is safer? Oh wait.... more noticeable if it is hacked?

Nice try. Nice try, Double Oh Nothing.

-- DecadentLinuxUserNumeroUno

Robert Baer wrote in news:GSeUE.10283$ snipped-for-privacy@fx12.iad:

You obviously only give a cursory glance at threads posted here. READ the thread. He already spoke on the requisites (in the very first post).

And for those where money is involved... ALL of them do.

-- DecadentLinuxUserNumeroUno

Thanks! BUT it ain't too swift; passes an e-mail with flying colors..

-- Robert Baer

Almost.....remember, many sites require digits, mixed case and some special characters.

-- Robert Baer

Then again, "apps" easily get f*cked and one cannot see any difference..

-- Robert Baer

It's not very secure if you use it in multiple places, since you have to reveal it to each of them.

Password managers are your friend.

Sylvia.

-- Sylvia Else

bitrex wrote in news:pJ5UE.15503$ snipped-for-privacy@fx15.iad:

You spelled seconds incorrectly. You wrote 'trillions of years'.

We haven't even been here that long.

By 'some metrics'? What are you "Some Idiot" (The Amateurs)?

-- DecadentLinuxUserNumeroUno
