In message <698cdc11-efdb-49bf-9c43-f9ed42f94c80@googlegroups.com>, at 03:24:52 on Tue, 11 Sep 2012, Gradwell <helena.c...@gradwell.com> remarked:
>The previous process for password reminders included contacting
>Gradwell
Perhaps you've missed "by email/telephone" here?
>in order to reset passwords; this will no longer be possible and having
>clicked on the Reset button within the Control panel, the customer will
>receive an email in order to reset passwords.
The customer, or anyone with access to their email account.
-- Roland Perry
In article <698cdc11-efdb-49bf-9c43-f9ed42f94c80@googlegroups.com>,
Gradwell <helena.c...@gradwell.com> writes
>We have received a lot of comments, most of which have been negative about the
>requirement to reset credentials every 3 months; we have now removed this
>requirement.
Thank you.
I'd be interested in seeing (a paraphrase of) the positive comments;
it's always interesting to see counter-arguments to what one believes.
>When setting a passphrase, we will
>offer a drop down of three suggested hints and an option for one of your own.
>This should help make passphrase answers a bit more standardised.
... and that is a good idea why?
By the way, if the idea of asking for 3 characters from the passphrase
on the portal is to provide some limited protection against keyloggers
then it is essential not to ask for the characters in numerical order
(there's some unpublished work from Cardiff on this topic... they showed
how easy it was to reconstruct the passphrase over time).
-- Dr Richard Clayton <richard.clay...@cl.cam.ac.uk>
tel: 01223 763570, mobile: 07887 794090
Computer Laboratory, University of Cambridge, CB3 0FD
In message <m1sq7oKSwxTQF...@highwayman.com>, Richard Clayton <rich...@highwayman.com> wrote
[]
>By the way, if the idea of asking for 3 characters from the passphrase
>on the portal is to provide some limited protection against keyloggers
>then it is essential not to ask for the characters in numerical order
>(there's some unpublished work from Cardiff on this topic... they showed
>how easy it was to reconstruct the passphrase over time).
Perhaps they should have a word with most UK banks, who seem to always want eg 1, 3, 7 but never 7, 1, 3.
-- Andy Taylor [Editor, Austrian Philatelic Society].
Visit <URL:http://www.austrianphilately.com>
In article <4Kdq6fELa0TQF...@kitzbuhel.demon.co.uk>,
Andy <a...@kitzbuhel.demon.co.uk> writes:
>In message <m1sq7oKSwxTQF...@highwayman.com>, Richard
>Clayton <rich...@highwayman.com> wrote
>[]
>>By the way, if the idea of asking for 3 characters from the passphrase
>>on the portal is to provide some limited protection against keyloggers
>>then it is essential not to ask for the characters in numerical order
>>(there's some unpublished work from Cardiff on this topic... they showed
>>how easy it was to reconstruct the passphrase over time).
>Perhaps they should have a word with most UK banks, who seem
>to always want eg 1, 3, 7 but never 7, 1, 3.
My bank always asks for 3 of the 4 digits in my pin (in addition to
selected characters from my password), and every time the order is
different.
-- John Hall
"The beatings will continue until morale improves."
Attributed to the Commander of Japan's Submarine Forces in WW2
In article "Password Nonsense" in <uk.net.providers.gradwell>, on Tue,
11 Sep 2012 John Hall <nospam_no...@jhall.co.uk> writes
> Andy <a...@kitzbuhel.demon.co.uk> writes:
>>Perhaps they should have a word with most UK banks, who seem
>>to always want eg 1, 3, 7 but never 7, 1, 3.
>My bank always asks for 3 of the 4 digits in my pin (in addition to
>selected characters from my password), and every time the order is
>different.
Just checked. My bank asked for 3 of the 6 digits, and in a non-
ascending order.
However, when my credit card company asks for 4 of the 10 characters in
my password, it *always* asks in ascending order.
-- David Gibson
Spam-cloaked message: The Reply-to address will be valid for a short while
> In article "Password Nonsense" in <uk.net.providers.gradwell>, on Tue,
> 11 Sep 2012 John Hall <nospam_no...@jhall.co.uk> writes
>> Andy <a...@kitzbuhel.demon.co.uk> writes:
>>> Perhaps they should have a word with most UK banks, who seem
>>> to always want eg 1, 3, 7 but never 7, 1, 3.
>> My bank always asks for 3 of the 4 digits in my pin (in addition to
>> selected characters from my password), and every time the order is
>> different.
> Just checked. My bank asked for 3 of the 6 digits, and in a non-
> ascending order.
> However, when my credit card company asks for 4 of the 10 characters in
> my password, it *always* asks in ascending order.
And you enter them in random order, *clicking with the mouse* and *not tabbing through* to select the input you want to enter.
And how is this relevant to the original thread?
-- ßodincµs - The Y2K Druid
In <MoGwcmGxZfRQF...@highwayman.com> Richard Clayton <rich...@highwayman.com> writes:
>What would actually make a difference is NOT a box-ticking exercise of
>password changes (usually driven by accountancy firms who have copied
>their lists of "how to make a computer system secure" from other
>accountancy firms -- completely failing to realise the changed
>assumptions from the 1980s threat models).
Sadly, the official advice on IT Security from the Information
Commissioner is to require regular password changes :-(. In fact the whole
booklet is simply a regurgitation of well-worn platitudes.
-- Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Web: http://www.cs.man.ac.uk/~chl Email: c...@clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
In <pQS5SXFhAnRQF...@highwayman.com> Richard Clayton <rich...@highwayman.com> writes:
>key advice is not to use a password you've used at another service, lest
>that one be compromised...
Actually, no. I have lost count of how many online suppliers I have
registered with, because they require registration before "Proceeding to
Checkout". And I have no idea how many forums I have signed up to, just
because I needed that forum to answer a particular question, and that is
the forum Google sent me to.
But the common factor of all those is that the registration is for *their*
benefit, not mine. My money is not at risk. So security of that password
is unimportant *to me*.
Of course, where my money IS at risk, then I have several exceedingly
non-obvious passwords, and I maintain a notebook which contains a 'clue'
as to which one is needed for which.
-- Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Web: http://www.cs.man.ac.uk/~chl Email: c...@clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
In <e548692a-c240-4f51-b7f0-92893601acee@googlegroups.com> Gradwell <helena.c...@gradwell.com> writes:
>I'm sorry you're frustrated with the password changes we have implemented.
>In light of recent events of unauthorised access to customers accounts, we made the decision to tighten security in order to protect our customers' businesses and increase security.
If it was your intention to tighten security, then why have you actually
weakened it?
-- Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Web: http://www.cs.man.ac.uk/~chl Email: c...@clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5
>> In article "Password Nonsense" in <uk.net.providers.gradwell>, on Wed,
>> 12 Sep 2012 Bodincus <nobody.h...@this.ip> writes
>>>> However, when my credit card company asks for 4 of the 10 characters in
>>>> my password, it *always* asks in ascending order.
>>> And you enter them in random order, *clicking with the mouse* and *not
>>> tabbing through* to select the input you want to enter.
>> .. whilst saying a different set of numbers out loud in case anyone's
>> listening :-)
><tinfoil hat>
>>> And how is this relevant to the original thread?
>> Is relevancy to the original thread an issue with you? :-)
>Yes, get your own thread.
I'd say that this thread has remained remarkably on topic, which was how we think Gradwell should have done their password-please setup and factors affecting such systems.
But contribution to any thread, indeed reading one, is optional :)
-- Andy Taylor [Editor, Austrian Philatelic Society].
Visit <URL:http://www.austrianphilately.com>
In message <7ph4s$BV7EUQF...@caves.org.uk>, at 09:59:01 on Wed, 12 Sep 2012, David Gibson <david@[127.0.0.1]> remarked:
>>>Perhaps they should have a word with most UK banks, who seem
>>>to always want eg 1, 3, 7 but never 7, 1, 3.
>>My bank always asks for 3 of the 4 digits in my pin (in addition to
>>selected characters from my password), and every time the order is
>>different.
>Just checked. My bank asked for 3 of the 6 digits, and in a non-
>ascending order.
>However, when my credit card company asks for 4 of the 10 characters in
>my password, it *always* asks in ascending order.
I had cause to give a credit card company a call yesterday, and their phone banking gateway robot asked in ascending order.
-- Roland Perry
In message <qpkui9-246....@llondel.org>, at 18:30:01 on Fri, 21 Sep 2012, David Hough <noon...@llondel.org> remarked:
>> I had cause to give a credit card company a call yesterday, and their
>> phone banking gateway robot asked in ascending order.
>If it is completely random then occasionally it should ask in ascending
>order.
If it was completely random then occasionally it would ask for the same digit three times. I'm sure they program out that possibility, which also allows them to choose three digits at random, then ask for them in a random order, but specifically exclude [re-randomise] any instances where the order turns out to be ascending.
-- Roland Perry
In message <oic0j9-396....@llondel.org>, at 10:21:59 on Sat, 22 Sep 2012, David Hough <noon...@llondel.org> remarked:
>>>> I had cause to give a credit card company a call yesterday, and their
>>>> phone banking gateway robot asked in ascending order.
>>>If it is completely random then occasionally it should ask in ascending
>>>order.
>> If it was completely random then occasionally it would ask for the same
>> digit three times. I'm sure they program out that possibility, which
>> also allows them to choose three digits at random, then ask for them in
>> a random order, but specifically exclude [re-randomise] any instances
>> where the order turns out to be ascending.
>That's probably cryptographically weak in some obscure manner. As soon as
>it's known that something can't occur, it's a bit more information for
>someone trying to crack it.
Nevertheless, I doubt anyone has a system that asks for the same digit more than once. I have a banking account where they ask for a random two-from-four (which doesn't feel very strong, I have to say). In over ten years it's always asked for two different digits.
-- Roland Perry
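The generator Roland describes (pick distinct digits at random, ask for them in random order, re-randomise if the order comes out ascending) and David Hough's objection (excluding a known outcome shrinks the set of possible challenges) can both be made concrete. The following is an added example written for this thread, not code posted by anyone in it and not any bank's implementation; the PIN lengths and the number of digits requested are assumed for illustration.

```python
import math
import random


def is_ascending(positions):
    """True when every position is strictly smaller than the next one."""
    return all(a < b for a, b in zip(positions, positions[1:]))


def positions_are_distinct(positions):
    """True when no position is requested twice."""
    return len(set(positions)) == len(positions)


def make_challenge(total_positions, ask, rng=None, exclude_ascending=True):
    """Pick `ask` distinct 1-based positions out of `total_positions`, in random
    order. With exclude_ascending=True the draw is repeated whenever the order
    happens to be ascending, i.e. the "re-randomise" rule from the thread."""
    if not 1 <= ask <= total_positions:
        raise ValueError("ask must be between 1 and total_positions")
    if exclude_ascending and ask < 2:
        raise ValueError("a single position is always 'ascending'; nothing to exclude")
    rng = rng or random.SystemRandom()  # OS entropy for real use
    while True:
        # sample() never repeats an element, so the same digit is never asked twice
        positions = rng.sample(range(1, total_positions + 1), ask)
        if not exclude_ascending or not is_ascending(positions):
            return positions


def sample_challenges(count, total_positions, ask, seed=None, exclude_ascending=True):
    """Generate `count` challenges; a fixed seed gives a reproducible sequence
    for testing (constructed input), None uses the system CSPRNG."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    return [make_challenge(total_positions, ask, rng, exclude_ascending) for _ in range(count)]


def challenge_space(total_positions, ask, exclude_ascending=True):
    """How many distinct challenges the generator can emit. Each set of `ask`
    positions has exactly one ascending ordering, so excluding it removes
    C(n, k) of the P(n, k) ordered draws: a 1/k! reduction."""
    ordered = math.perm(total_positions, ask)
    if exclude_ascending:
        ordered -= math.comb(total_positions, ask)
    return ordered


if __name__ == "__main__":
    for n, k in ((4, 3), (6, 3), (4, 2)):
        print(f"{k} of {n}: {challenge_space(n, k, False)} orderings, "
              f"{challenge_space(n, k)} once ascending is excluded")
    print("example challenge, 3 of 6:", make_challenge(6, 3))
```

With three digits the exclusion costs one sixth of the challenge space (3-of-4 drops from 24 to 20 challenges, 3-of-6 from 120 to 100). For the two-from-four account Roland mentions it would cost half: once ascending pairs are ruled out the only orderings left are descending, leaving 6 challenges, which is the kind of information leak David Hough had in mind.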