• Passwords and bleeding hearts.

    From BOB KLAHN@1:123/140 to ALL on Sat Apr 19 00:02:20 2014

    Just thinking about passwords earlier today. Seems we get all
    these warnings to construct complicated passwords no one will
    be able to guess.

    Now, I'm wondering, who would spend a lot of time to guess my
    password? If I had a lot of money, yes, but other than that?

    Now we have the Heartbleed data problem. Before that the Target
    data theft, and other data breaches. Seems the danger is not
    password guessing, but outright theft.

    So, just what is the danger from a simpler password, versus a
    complicated password, when they're not going to guess it, but to
    steal it?

    Now this is especially true on sites where all you want to do is
    read something, like a magazine website. Why have to mix your
    capital and small letters with at least one number? It's not the
    NSA you know... and they have your number anyway.

    BOB KLAHN bob.klahn@sev.org http://home.toltbbs.com/bobklahn

    ... Libertarians: Voting for the perfect over the possible is an exercise in eg
    --- Via Silver Xpress V4.5/P [Reg]
    * Origin: Fidonet Since 1991 Join Us: www.DocsPlace.org (1:123/140)
  • From Bjorn Kristiansen@2:211/37 to BOB KLAHN on Sat Apr 19 12:22:26 2014
    Hi Bob,

    I see your point, and to a certain degree you're right - it might seem meaningless to have a so-called "strong" password. If someone is after your data - and if they have the resources needed - chances are they will eventually get to your data too.

    However, to address your first question: There are many scenarios where your password might come in handy, even if you do not possess a lot of money. I'll give you an example from my everyday workplace. I run a webhosting business, and quite frequently we see user passwords being snapped up by spammers (or script kiddies, who knows). The passwords aren't leaked from us (at least, we have never seen any evidence suggesting so), but nevertheless, passwords are getting in the hands of people who shouldn't have them.

    The consequence? Imagine an email account sending out (literally) tens of thousands of emails, if not up in the hundreds of thousands, or sites being defaced or changed to resemble some bank in a different part of the world.

    The spam emails might contain viruses, or they might contain offers for drugs which are sold illegally (they might even be dangerous, but at the very least we know that such products are sold by criminals to fund their network). The phishing site can be used to snap up credit card info from people less aware of the dangers of the internet.

    Point is, all this is causing real damage to real people, if not the user who got his password stolen in the first place. And, since most spammers/hackers/internet criminals don't target a specific user, but carry out a wide search across the internet for potential matches between user names and passwords, the less secure your password is, the more likely it is that your account is up next. Even if you don't have a dime to spare ;)

    Regards,
    Bjorn

    --- BBBS/NT v4.10 Dada-1
    * Origin: Circle Of Protection (2:211/37)
  • From Damon A. Getsman@1:282/1057 to BOB KLAHN on Sat Apr 19 07:32:36 2014
    Re: Passwords and bleeding hearts.
    By: BOB KLAHN to ALL on Sat Apr 19 2014 00:02:20

    Now this is especially true on sites where all you want to do is
    read something, like a magazine website. Why have to mix your
    capital and small letters with at least one number? It's not the
    NSA you know... and they have your number anyway.

    Because, my good sir, there are pre-written programs out there
    that've been around since at least 1993 (when I first got my hands
    on one called 'crackerjack') that can take a spell-checker's list of
    words (a dictionary file) and, mixing that with common numbers and
    varying capitalization, can break passwords easily. Provided the
    amount of security loopholes that end up being exposed on a daily
    basis, this means that common providers of services have their
    encrypted password files stolen on a regular basis (if they're smart
    enough to even use this level of sophistication).

    Given, as fact, that this happens (you can take that as a fact
    from me; I got busted for it in 1996, so there is your proof),
    understand next that although your account on that site may be just
    for reading Penthouse Forums or whatever, a _lot_ of people that
    don't bother to use a secure password don't bother to use a _unique_
    password with the plethora of different sites that a person has to
    supply login credentials to these days. Even the script kiddies
    (people like myself, when I was in my early teens) know this kind of
    stuff. So when they crack one set of login credentials, they use the
    information in that file (your first name, last name, login string,
    password, anything else they can glean from that server) to check if
    you have accounts on any similar, or even dissimilar, mainstream
    sites where lots of people connect to. Poof, there's another
    handful. What if one of those is your bank? Follow the chains of
    logic and you'll see that they can run off to a lot of other places
    as well.

    Doing that kind of stuff can make you end up out on the street
    broke and homeless. Doing that kind of stuff can let people
    impersonate you and put you away for things you never did. When you
    really think about it, the potentials for bad scenarios are legion.
    Trust me, I spent a few years thinking about it.


    -- guh up the effbomb down wif yr bad self

    --- SBBSecho 2.26-OpenBSD
    * Origin: telnet://bismaninfo.hopto.org:8023 1:282/1057 (1:282/1057)
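
Added example, not part of any post in this thread: a defender-side audit showing why the "capital and small letters plus a number" rule questioned above does not protect a password built from a dictionary word, which is the point of the reply just above. The word list, function names and size figures are constructed assumptions.

```python
import math
import re

# Constructed sample word list (assumption); a real audit would load a full
# dictionary plus passwords already seen in breaches.
WORDLIST = {"password", "dragon", "sunshine", "magazine", "monkey"}

def meets_composition_rule(pw):
    """The site rule from the thread: upper case, lower case, one digit."""
    return (any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))

def base_word(pw):
    """Undo the two manglings named in the post: case changes, added digits."""
    return re.sub(r"^\d+|\d+$", "", pw).lower()

def audit(pw, wordlist=WORDLIST):
    """Report whether a password passes the rule yet is still word-based."""
    return {"composition_ok": meets_composition_rule(pw),
            "dictionary_based": base_word(pw) in wordlist}

def mangled_space_bits(n_words, max_digits=4, case_variants=3):
    """Bits of search space for word + case variant + 0..max_digits digits."""
    suffixes = sum(10 ** k for k in range(max_digits + 1))
    return math.log2(n_words * case_variants * suffixes)

def random_space_bits(length, alphabet=62):
    """Bits of search space for a uniformly random password."""
    return length * math.log2(alphabet)

if __name__ == "__main__":
    for pw in ("Dragon2014", "magazine", "k7Qv2mXr9tLb"):  # constructed
        print(pw, audit(pw))
    print("mangled word, 100k-word list: %.1f bits" % mangled_space_bits(100_000))
    print("random 12 chars:              %.1f bits" % random_space_bits(12))
```

A password such as `Dragon2014` satisfies the composition rule but sits in a space of roughly 32 bits, while a manager-generated 12-character random password sits above 70 bits.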
  • From alexander koryagin@2:5020/2140.2 to BOB KLAHN on Tue Apr 22 10:33:23 2014
    Hi, BOB KLAHN!
    I read your message from 19.04.2014 00:02

    BK> Just thinking about passwords earlier today. Seems we get all these
    BK> warnings to construct complicated passwords no one will be able to
    BK> guess.

    BK> Now, I'm wondering, who would spend a lot of time to guess my
    BK> password? If I had a lot of money, yes, but other than that?

    BK> Now we have the Heartbleed data problem. Before that the Target
    BK> data theft, and other data breaches. Seems the danger is not
    BK> password guessing, but outright theft.

    BK> So, just what is the danger from a simpler password, versus a
    BK> complicated password, when they're not going to guess it, but to
    BK> steal it?

    BK> Now this is especially true on sites where all you want to do is
    BK> read something, like a magazine website. Why have to mix your
    BK> capital and small letters with at least one number? It's not the
    BK> NSA you know... and they have your number anyway.

    I think that 95% of people now use password managers. They store your passwords, and every password can be found and entered very quickly. If
    5% of people don't use such programs they simply haven't heard of them.
    ;-)

    The length of the password means nothing for a password manager. You
    enter 20-digit passwords as easily as short ones. The program stores the
    encoded passwords base, as a rule on a movable disk. The program itself
    can generate very complicated, long passwords. You don't need to
    remember them. Why and how often should you change your passwords? It
    depends on where you use a particular password. If a hacker has stolen
    your password from your e-mail he can use your box as a spam sender and
    some servers can block your address as if you are a spammer.

    Bye, BOB!
    Alexander Koryagin
    fido7.debate 2014
    --- FIDOGATE 5.1.7ds
    * Origin: Pushkin's BBS (2:5020/2140.2)
  • From BOB KLAHN@1:123/140 to DAMON A. GETSMAN on Wed Apr 30 02:28:54 2014


    _lot_ of people that don't bother to use a secure

    ...

    password don't bother to use a _unique_ password with the
    plethora of different sites that a person has to supply
    login credentials to these days. Even the script kiddies
    (people like myself, when I was in my early teens) know
    this kind of stuff. So when they crack one set of login
    credentials, they use the information in that file (your
    first name, last name, login string, password, anything
    else they can glean from that server) to check if you
    have accounts on any similar, or even dissimilar,
    mainstream sites where lots of people connect to. Poof,
    there's another handful. What if one of those is your
    bank? Follow the chains of logic and you'll see that

    I have two levels of passwords. Those that involve money get
    higher security.

    they can run off to a lot of other places as well. Doing
    that kind of stuff can make you end up out on the street
    broke and homeless. Doing that kind of stuff can let
    people impersonate you and put you away for things you
    never did. When you really think about it, the

    Of course, one way to put a crimp in that is to hold the people
    who accept those cracked passwords and give out credit cards
    etc. If you don't see the person in person, don't give him a
    card.

    OTOH, I had a scenario like that, all they needed was my credit
    card number. It was easy to show it was fake, and I lost
    nothing, but closed out that card. Next time it happened I
    called them to complain, and esp since the card they gave the
    money out on was the one I had canceled. Apparently it was an
    inside the card company job.



    BOB KLAHN bob.klahn@sev.org http://home.toltbbs.com/bobklahn

    ... Look on my tagline, ye mighty, and despair! Ozzie and Harriet Mandius.
    --- Via Silver Xpress V4.5/P [Reg]
    * Origin: Fidonet Since 1991 bbs.docsnetservices.com (1:123/140)