Strong Complex Passwords Don't Work

glide on 30/03/2022 - 12:02

I use a password manager to generate unique strong passwords. I kept trying to reset my password, and although the site accepts it, it was never set against my account.

My auto-generated password was v6wAsB&QY#LVc* (obviously I'm not using that now). There was no feedback that it didn't work, it says it accepted the change and that it would logout my devices - but the new password never worked.

Once I used a much weaker password it worked and I could login again. I think some additional guidance/validation is required.

Site Discussion

Comments

  • Cheaplikethebird on 30/03/2022 - 12:11
    +5

    Some systems have a max character count for passwords.

    • ESEMCE on 30/03/2022 - 12:36
      +2

      And also character-set restrictions (like no or restricted set of symbols).
      Still it should tell you when you change the password.

      • Cheaplikethebird on 30/03/2022 - 12:52
        +2

        I've just tested the problem password against my own account and was able to log out and back in with it (too late suckas I've already changed it again). My guess is OP was catching an extra blank space character when copy+pasting their PW.

        • ESEMCE on 30/03/2022 - 13:41
          +1

          OP doesn't specify that OzBargain is the problem site.

  • MS Paint on 30/03/2022 - 12:12
    +1

    What's your new weaker ozbargain password?

    • Hybroid on 30/03/2022 - 12:16
      +8

      Hunter2

      • orangetrain on 30/03/2022 - 14:10
        +9

        Downvoted for useless post. Why a bunch of asterisks?

        • Hybroid on 30/03/2022 - 14:14

          Try [*******]

          • DashCam AKA Rolts on 30/03/2022 - 18:20

            @Hybroid: When I put my password in comments, it always comes up as xxxxxxxx. Anyone else get this?

    • bdl on 30/03/2022 - 13:00

      GLIDEARSE

    • USER DC on 30/03/2022 - 13:09

      P@ssw0rd123

  • boomramada on 30/03/2022 - 12:29
    -3

    Complex Passwords

    Waste of time, pretty much most sites, you get locked out after few incorrect attempts.

    Strategy I use, don't use same password that you use on email account anywhere. Most important of all, but password that you can remember.
    Try not to recycle passwords.
    If its a site that you hardly use, let google generate one and save it under your google account.

    for google, use two-way authentication but make sure to have secondary phone number attached to your account, otherwise if you lose your phone, you be fuked.

    • Shadowsfury on 30/03/2022 - 12:58

      Basically my approach too

      At some point a few years back I went through and changed every password Chrome had saved down to the suggested passwords.

      Plus keeping the extra security over the main google account.

      I know some would say you need to go a step further and use LastPass or something but I'd like to think the above approach is already better than most and strikes a balance with ease of transition and security.

    • Elegant Giant on 30/03/2022 - 13:18
      +2

      Waste of time

      Biggest nope of all. There are always plenty of attack vectors and there's different ways to protect yourself and your accounts. Unique, complex passwords are the best protection. Even in the event of one site and password being breached, you're limiting the scope of loss to one account / system.

      pretty much most sites, you get locked out after few incorrect attempts.

      This helps to protect the account from live brute-force attacks, but if a password database is leaked offline attacks can be performed against the accounts.

      Strategy I use, don't use same password that you use on email account anywhere. Most important of all, but password that you can remember.

      Unique passwords on all sites. There should be at least one password that you know offhand (password manager), with a second for something else that controls access for many systems (email, but even that should be in the password manager).

      Try not to recycle passwords.

      Do not recycle passwords. In an age of password managers that auto-generate 15+ character unique passwords, there is no need to use the same password on multiple sites, or to reuse it across multiple sites.

      for google, use two-way authentication

      For all sites that support it, use multi-factor authentication - it's extra protection and prevention for unwanted actors into your accounts. 100% definitely on email and password manager - email is your gateway to your online identity (all your sites are tied to it), and your password manager is the key to all your accounts.

      Final tips
      • Don't use pet's names, friend's names, etc in your password. These are usually always known by other people and part of a common tactic for trying passwords
      • The longer your password, the longer it will take to brute force. Use a minimum of 12 characters in your passwords, or longer if you're using a passphrase
      • If you're using a passphrase, don't just use letters, still try to add numbers & symbols in certain places. This adds to complexity and timeliness in any brute-force attack
      • boomramada on 30/03/2022 - 14:39
        -3

        Biggest nope of all. There are always plenty of attack vectors and there's different ways to protect yourself and your accounts. Unique, complex passwords are the best protection. Even in the event of one site and password being breached, you're limiting the scope of loss to one account / system.

        brute force attack on website? seriously? so 90's

        I give you two good valid reasons, brute force is so 90's.
        1) Can't use on website accounts, even in ozb
        2) https://www.nytimes.com/2021/01/12/technology/bitcoin-passwo…

        Unique, complex passwords are the best protection. Even in the event of one site and password being breached

        These two commands take roughly the same amount of time to execute, without any analysis or guesswork:
        $ echo cGFzc3dvcmQxMjMK | base64 -d
        password123
        $ echo RzVqVW5YLXlKWDQK | base64 -d
        G5jUnX-yJX4

        But in case of real hash passwords, In other words, as long as the hash format isn't truncating, even a weak hash will protect a strong password.

        Correct me if Im wrong.

        • freefall101 on 30/03/2022 - 15:53
          +1

          brute force attack on website? seriously? so 90's

          How do you think attackers go after websites in the 2020's, magical pixie dust?

          If a site gets breached, there's not many possible outcomes. One is it's stored in plaintext, then it's game over. Two it's unsalted, so you apply a dictionary attack. Three it's salted and encrypted and you brute force the weakest passwords. Having a decent password usually saves you on two and definitely saves you on three.

          It's possible to brute force the login page if it's badly configured, but usually the only hacks anyone needs to know about is when someone hacks into the site.

          These two commands take roughly the same amount of time to execute, without any analysis or guesswork:

          When someone talks about hashing a password they use a cryptographic hash, not base64. Not sure what you're trying to get at here.

          • boomramada on 30/03/2022 - 16:18

            @freefall101: I can't speak for all websites out there, but getting access to end user account by brute force attack is kind of impossible from the front end, Most attacks are done through back end and gain access to the db. Which also depends on how password been stored, for example yahoo breach in 2014? it doesn't matter the length of the password, its all about hashing algorithm they used, at that time I belive they were using MD5, which isn't as good, hence complexity of the password didn't matter much. Although hackers gain access to secret questions etc, which they later used to access accounts with same user name in other sites. That's why I hate secret questions in passion.

            Most recent attacks, hackers only manage to gain access to account information, since passwords are impossible to reverse-engineer.

            If you really need to hack into someone's website accounts, there are other easy means.

            When someone talks about hashing a password they use a cryptographic hash, not base64. Not sure what you're trying to get at here.

            Correct, where length of password mean nothing, Even a weak password good as strong password.

            Edit. Nothing against using strong passwords as a sys admin, for end user, its a pointless exercise.

            • freefall101 on 30/03/2022 - 16:48
              +1

              @boomramada: I probably didn't word it well, but that's what I meant by a site being breached, you get access to the back end. You're definitely right, that's the easy way, but it is possible - just very unlikely - to brute force a misconfigured front end as well.

              And plenty of companies still do stupid plaintext mistakes. Facebook had a mea culpa moment a couple of years ago - https://about.fb.com/news/2019/03/keeping-passwords-secure/

              But this is why I gave 3 outcomes. Plain text, your password is gone, no matter how complex. The second one is still up in the air. The problem Yahoo had was specifically unsalted hashes. Salting even an MD5 has can greatly increase security because you need to attack them one password at a time, you can't just do the entire database at once. And while MD5 sucks, if you happened to have a 25 character random password with symbols in that Yahoo database someone would still be working on it to this day, it's simply too big. MD5 is easy to crack but not actually reverse engineered completely.

    • Diji1 on 30/03/2022 - 17:18

      Password managers are more secure and more convenient.

      You are just making your life harder and less secure …

      … and for some reason evangelising about it to others.

  • Typical16-bitEnjoyer on 30/03/2022 - 12:45

    Let me guess, Westpac website?

    • SnowDragon on 30/03/2022 - 12:48
      +2

      Westpac security is a joke. It might have changed since, but when I created an account I could only have a 6 character length password.

      • Typical16-bitEnjoyer on 30/03/2022 - 12:54

        Last I checked ~12 months ago it was still the case!

        • moar bargains on 31/03/2022 - 12:42

          Last I checked today, it's still the case! 😡

      • boomramada on 30/03/2022 - 12:55
        -3

        6 character length password, that's perfect length in my books, have you met the my gov? now that is the biggest joke.

      • Diji1 on 30/03/2022 - 17:23

        Password length is not the only factor in password security.

        For example there is the rate of login attempts.

        For example if Westpac allows three wrong login attempts per hour then there is no reasonable chance of brute forcing the password.

  • Moderatorscotty on 30/03/2022 - 13:14

    Just tried set the same password and it works fine. Maybe you didn't type in the long string correctly? We don't have any rule in the backend on what password you can use, other than not empty.

    Now everyone is trying to log into my account…

  • Domingo on 30/03/2022 - 13:50
    +1

    The problem with password complexity requirements covered in detail here:

    https://xkcd.com/936/

  • pharkurnell on 30/03/2022 - 14:50

    https://www.useapassphrase.com/
    lots of fun testing passwords… :)

  • ode1online on 30/03/2022 - 14:54

    Make sure you are typing the password.I found on some sites (steam for one) I am unable to PASTE in the password and I have to type it or its not accepted, but doesn't tell me the issue, just says its incorrect.

    • Quantumcat on 30/03/2022 - 15:37
      +1

      Are you sure you weren't inserting a space accidentally?

    • noob999 on 31/03/2022 - 16:48

      Another big issue is reading or seeing what you type is correct due the fonts used.
      1 vs I vs l
      0 vs O
      8 vs B
      6 vs 8
      etc

  • freefall101 on 30/03/2022 - 15:57
    +2

    Just updated my password, new long generated password (longer than the OP) from password manager, worked fine.

    • freefall101 on 31/03/2022 - 13:40

      Update on this, it didn’t work on my iphone logging in with Bitwarden. Could copy/paste from the app to log in, but it’s not filling automatically properly. Works fine on desktop windows.

      Could be a weird thing with auto fill on iPhones, not a problem with ozbargain though.

      • glide on 19/05/2022 - 16:00

        I use bitwarden on iphone, so perhaps that was the issue!

  • shaybisc on 31/03/2022 - 08:53

    According to a password strength tester this rather simple eleven character password will take 2,000 years to crack- &B86mv7624+

    https://www.whatismyip.com/password-strength-test/

    All of my passwords are much longer than that - Bitwarden password is 30- but it's probably overkill until quantum computing becomes a practical reality isn't it?

Login or Join to leave a comment
Login Join