Password Nonsense


Charles Lindsey
Aug 31, 2012, 12:14:37 PM
I see that Gradwell are now demanding that we all change our passwords
every three months. Presumably in the belief that this will "improve
security", or because some self-proclaimed and expensive "security
consultant" has told them so.

Whereas it is my understanding that the consensus amongst security experts
is that forced password changing actually REDUCES security (because it
forces people to write their passwords down on some piece of paper). When
I was at the University, if I wanted to know the root password of any of
the umpteen servers around the place, all I had to do was to look in the
top right hand drawer of any of the sysadmins (I never did so, of course,
but I often observed them doing it).

I choose my passwords carefully. None of them is particularly obvious, and
some of them are exceedingly obscure (though they have meaning for me).
And NONE OF THEM IS WRITTEN DOWN ANYWHERE except in my head. Except for
one, which is for a theatre booking site which insists on regular password
changes and stores no information of interest to anybody else. And having
cycled through my whole repertoire I eventually chose a new password and
wrote it down. And, for your information, the word I chose was "foobar",
which is about as easily guessable as you can get.

Now I am not saying whether my Gradwell password is one of my weaker
passwords or not, but you can see what I am about to do if I am forced to
make a change (and I certainly do not intend to waste one of my really
serious passwords on them, such as the one I use for online banking).

So, now that Gradwell is reading this list, could they please explain

1. Why this change was made?

2. Whose bright idea was it?
and
3. How many cycles of changes I have to go through to get back to where I
started?

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Web: http://www.cs.man.ac.uk/~chl
Email: c...@clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

John Hall
Sep 1, 2012, 6:26:05 AM
In article <M9Mns...@clerew.man.ac.uk>,
Charles Lindsey <c...@clerew.man.ac.uk> writes:
>I see that Gradwell are now demanding that we all change our passwords
>every three months.
<snip>

I haven't seen this. Where/when do they make this demand? I haven't been
asked to change mine - or at any rate not yet.
--
John Hall

"The beatings will continue until morale improves."
Attributed to the Commander of Japan's Submarine Forces in WW2

Roland Perry
Sep 1, 2012, 7:25:42 AM
In message <M9Mns...@clerew.man.ac.uk>, at 16:14:37 on Fri, 31 Aug
2012, Charles Lindsey <c...@clerew.man.ac.uk> remarked:

>I see that Gradwell are now demanding that we all change our passwords
>every three months.

I was using the site earlier this week quite OK, but now I see they
won't let you sign into the Hosting Control Panel without changing it
first.

The "My Account" sign-in first asked me for a Passphrase (I didn't
realise I had one (see below), and when I tried again (after failing to
log into the Control Panel) it was happy to accept just my long-term
password.

This sounds like a bug (because surely they've just sent me a password
reset by email).

And when I change "my password" what parts of the site will that affect?

Just the Control Panels? (What about "My Account" - see above.)

I have other passwords for services such as ftp, SMTP relay, NetNews,
VoIP usage etc. Are they all going to have to be changed every three
months?

Later... Password reset email has arrived, and they have one of those
stupid rules "8-16 chars only, must have mix of lower and upper case, or
letters and numbers", which means many of the
password-memorising/creating tricks don't work.

And then, when you've changed it, they spring another surprise - you
have to use three random letters of your passphrase *as well* to log in.

(Their hint did remind me what it was, but this doubling of the
memorisation of credentials is extremely tiresome, as is counting out
the 8th letter of the phrase on my fingers).

If they are trying to get me to take my business elsewhere, they are
going about it the right way!

ps Did I miss the announcement about introducing this new 'feature'?

pps And every system maintenance rule in the world says DON'T MAKE
CHANGES LIKE THIS ON FRIDAY-SUNDAY, even if your support staff are
on special overtime over the weekend to deal with the fallout.
--
Roland Perry

Roland Perry
Sep 1, 2012, 7:40:04 AM
In message <UuLVctH9...@jhall.demon.co.uk.invalid>, at 11:26:05 on
Sat, 1 Sep 2012, John Hall <nospam...@jhall.co.uk> remarked:

>I haven't seen this. Where/when do they make this demand?

I hadn't either. But have you tried logging in to your Control Panel
today?

--
Roland Perry

Jim Crowther
Sep 1, 2012, 12:25:03 PM
In uk.net.providers.gradwell, on Fri, 31 Aug 2012 16:14:37, Charles
Lindsey wrote:

>I see that Gradwell are now demanding that we all change our passwords
>every three months. Presumably in the belief that this will "improve
>security", or because some self-proclaimed and expensive "security
>consultant" has told them so.
>

Oh bloody hell.

They can fuck right off. TSOhosts or similar here I come. That's
25+domains and ~GBP60 they'll be losing from me. First the SNAFU last
week, and now this *nonsense* (from a security POV).

Moving everything will be a RRPITA, but the lack of stupidity like
compulsorily changing passwords every 3 months will be worth it. Some
of my 'clients' only FTP once every year or so - having to change their
passwords every time (via me) will piss them off something rotten.

Whoever it was who suggested this, and the idiot who agreed it should
both be pilloried ('shot' seemed a bit strong).

--
Jim Crowther

John Hall
Sep 1, 2012, 3:48:23 PM
In article <5R+nmedU...@perry.co.uk>,
I have now.

:(

Molly Mockford
Sep 2, 2012, 6:54:37 AM
At 12:25:42 on Sat, 1 Sep 2012, Roland Perry <rol...@perry.co.uk> wrote
in <Mwm6uAb2...@perry.co.uk>:

>And then, when you've changed it, they spring another surprise - you
>have to use three random letters of your passphrase *as well* to log in.

Despite the fact that their own web site says:

"A passphrase is used as a security check when contacting our customer
services team via telephone, and helps us verify that we are discussing
your account with someone that is authorised to do so. It is not the
password used to log in to your control panel. We recommend that you
choose a phrase or word that you can easily provide over the telephone."

>(Their hint did remind me what it was, but this doubling of the
>memorisation of credentials is extremely tiresome, as is counting out
>the 8th letter of the phrase on my fingers).

8th? You're lucky! My passphrase is 14 characters long, and both times
that it's asked me for it, it's wanted characters in the 9 - 14 range. I
don't have enough fingers for this nonsense!
--
Molly Mockford
Nature loves variety. Unfortunately, society hates it. (Milton Diamond Ph.D.)
(My Reply-To address *is* valid, though may not remain so for ever.)

Steve Firth
Sep 2, 2012, 12:06:11 PM
Molly Mockford <nospam...@mollymockford.me.uk> wrote:

> "A passphrase is used as a security check when contacting our customer
> services team via telephone, and helps us verify that we are discussing
> your account with someone that is authorised to do so. It is not the
> password used to log in to your control panel. We recommend that you
> choose a phrase or word that you can easily provide over the telephone."

Just found my passphrase. I've never needed it before. Fortunately I
keep passwords/phrases somewhere that I can find them if necessary. I
doubt that everyone will be quite as methodical or even careful.
Although written down (in a sense) the crypto that I used was suitably
strong for sustained attack by people who know what they are doing.

Roland Perry
Sep 3, 2012, 3:10:27 AM
In message <Ts9Ybkdt...@molly.mockford>, at 11:54:37 on Sun, 2 Sep
2012, Molly Mockford <nospam...@mollymockford.me.uk> remarked:
>>And then, when you've changed it, they spring another surprise - you
>>have to use three random letters of your passphrase *as well* to log in.
>
>Despite the fact that their own web site says:
>
>"A passphrase is used as a security check when contacting our customer
>services team via telephone, and helps us verify that we are discussing
>your account with someone that is authorised to do so. It is not the
>password used to log in to your control panel. We recommend that you
>choose a phrase or word that you can easily provide over the telephone."

One way to fight back against passphrase nonsense (over the phone
anyway) is to either pick a word the average call centre person can't
spell, or pick a phrase like "Not telling you".

>>(Their hint did remind me what it was, but this doubling of the
>>memorisation of credentials is extremely tiresome, as is counting out
>>the 8th letter of the phrase on my fingers).
>
>8th? You're lucky! My passphrase is 14 characters long, and both
>times that it's asked me for it, it's wanted characters in the 9 - 14
>range. I don't have enough fingers for this nonsense!

And the obvious solution, of course, is to write it down and count the
letters that way. #fail.
--
Roland Perry

Andy
Sep 3, 2012, 4:51:24 AM
In message <k7iAsVcj...@perry.co.uk>, Roland Perry
<rol...@perry.co.uk> wrote
It may or not be a failure, depending on what risks you wish to protect
against. Having your passwords painted in dayglo orange on your office
wall is only a problem if others (burglars? Grandchildren?) have access
to it.
--
Andy Taylor [Editor, Austrian Philatelic Society].
Visit <URL:http://www.austrianphilately.com>

Molly Mockford
Sep 3, 2012, 6:58:33 AM
At 08:10:27 on Mon, 3 Sep 2012, Roland Perry <rol...@perry.co.uk> wrote
in <k7iAsVcj...@perry.co.uk>:

>One way to fight back against passphrase nonsense (over the phone
>anyway) is to either pick a word the average call centre person can't
>spell, or pick a phrase like "Not telling you".

:-)

Charles Lindsey
Sep 3, 2012, 6:32:19 AM
In <Mwm6uAb2...@perry.co.uk> Roland Perry <rol...@perry.co.uk> writes:

>In message <M9Mns...@clerew.man.ac.uk>, at 16:14:37 on Fri, 31 Aug
>2012, Charles Lindsey <c...@clerew.man.ac.uk> remarked:

>>I see that Gradwell are now demanding that we all change our passwords
>>every three months.


>Later... Password reset email has arrived, and they have one of those
>stupid rules "8-16 chars only, must have mix of lower and upper case, or
>letters and numbers", which means many of the
>password-memorising/creating tricks don't work.

Yes indeed, and the password reset email provides a link that will vanish
after 24 hours. And you don't get told about the mix of letters and
numbers until after you have tried one without.

Nothing like forcing people to choose a new password with awkward
conditions and a time deadline for them to do it in. That is bound to
encourage them to use a well-thought-out password. NOT.

With lower case letters only, the number of possible 8-char passwords is
26**8. Doubtless they will argue that including digits increases that to
36**8.

Wrong! It actually decreases it to (26**7)*10, because you can be pretty
sure that the majority of users will merely stick a digit on the end.

The best way to ensure that a password is unguessable would be to pass it
through a spell-checker, and reject it if it did not fail. I just tried
mine on the Staroffice spellchecker, and even the weakest one failed
though, oddly, it passes any random selection of letters with a digit
mixed in with them. But that could be fixed.

>And then, when you've changed it, they spring another surprise - you
>have to use three random letters of your passphrase *as well* to log in.

Yes, so you have two things to remember (though the default passphrase if
you have not changed it is your password).

>(Their hint did remind me what it was, but this doubling of the
>memorisation of credentials is extremely tiresome, as is counting out
>the 8th letter of the phrase on my fingers).

Note that the 'hint' is for your passphrase, not for your password, so you
now have to devise one that will remind you of both. Which hardly improves
the security of either.

Molly Mockford
Sep 3, 2012, 7:20:28 AM
At 11:54:37 on Sun, 2 Sep 2012, Molly Mockford
<nospam...@mollymockford.me.uk> wrote in
<Ts9Ybkdt...@molly.mockford>:

>8th? You're lucky! My passphrase is 14 characters long, and both
>times that it's asked me for it, it's wanted characters in the 9 - 14
>range. I don't have enough fingers for this nonsense!

Having decided to change it to something much shorter (and therefore
less secure), I go to My Account / My Information / Change Passphrase,
and am told:

"You now require your passphrase when logging into our control panels.
To make sure you have one set, either access another control panel or
contact support. We hope to return passphrase management to this control
panel shortly."

So I go to the Hosting Control Panel, where I type in (with difficulty)
three characters from my passphrase, but am not offered any opportunity
to change it.

What the hell is this all about! Changing the rules concerning the
passphrase, but removing the ability to change the passphrase itself?
And "We hope to return passphrase management to this control panel
shortly" - HOPE??? "Intend" would be good; "We will" would be even
better. And "shortly"? What timescale do they have in place for this
essential facility? If we are expected to change our passwords every
three months, surely they must expect us to want to change our
passphrases too? Or hasn't that entered their heads?

OK, I'll contact Support. I'll raise a ticket, telling them the old
passphrase and what I want the new one to be. And I'll report back
here. (I have no intention whatsoever of wasting money on telephoning
them.)

Bodincus
Sep 3, 2012, 7:51:11 AM
| · : · : · : · : · : · : · Original Message · : · : · : · : · : · : ·
| From: Charles Lindsey
| Date: 31/08/12 17:14
In a recent conversation I had with our "Partner Account", I've been
told they're "introducing some new corporate concepts throughout the
company to raise its profile".

If this is the New and Improved Gradwell, bring us back the old.

And - please - if you're reading this (AS PROMISED JUST A WEEK AGO) feed
back to The Powers That Be (read Peter) that he isn't as good to choose
the people to work with as he thinks he is.

I'm not too bothered as I'm managing all my passwords with KeePass, and
it can automatically "expire" a password and create a new one with the
right parameters to replace the previous when needed.

But my customers will be royally pi$$ed off to change their User Portal
password every three months, to also remember a passphrase and to pick
three randoms from it every time they need to log-in to take the call
redirection on or off, something that on a normal phone can be
programmed on a button to press.

Technology is supposed to make things easier, you twonks.
--
ßodincµs - The Y2K Druid

Roland Perry
Sep 3, 2012, 8:24:48 AM
In message <504499b0$0$15596$a826...@newsreader.readnews.com>, at
12:51:11 on Mon, 3 Sep 2012, Bodincus <nobod...@this.ip> remarked:
>I'm not too bothered as I'm managing all my passwords with KeePass, and
>it can automatically "expire" a password and create a new one with the
>right parameters to replace the previous when needed.

Can it also cope with passphrases?
--
Roland Perry

Roland Perry
Sep 3, 2012, 8:20:14 AM
In message <M9rrx...@clerew.man.ac.uk>, at 10:32:19 on Mon, 3 Sep
2012, Charles Lindsey <c...@clerew.man.ac.uk> remarked:
>>Later... Password reset email has arrived, and they have one of those
>>stupid rules "8-16 chars only, must have mix of lower and upper case, or
>>letters and numbers", which means many of the
>>password-memorising/creating tricks don't work.
>
>Yes indeed, and the password reset email provides a link that will vanish
>after 24 hours. And you don't get told about the mix of letters and
>numbers until after you have tried one without.

Yes, they clearly expect customers to be psychic, as well as having
photographic memories.
--
Roland Perry

Robin Somes, Pisces Conservation
Sep 3, 2012, 9:29:58 AM
In message <M9rrx...@clerew.man.ac.uk>, Charles Lindsey
<c...@clerew.man.ac.uk> writes
>>Later... Password reset email has arrived, and they have one of those
>>stupid rules "8-16 chars only, must have mix of lower and upper case, or
>>letters and numbers", which means many of the
>>password-memorising/creating tricks don't work.
>
>Yes indeed, and the password reset email provides a link that will
>vanish after 24 hours. And you don't get told about the mix of letters
>and numbers until after you have tried one without.

Haven't even got the chance to do that :( Logged in to the Control Panel
without a hitch; tried to log in to Hosting, to be told I can't, and a
password request has been sent to my registered email address.

What if I'd been logging in to change my registered email address?
Didn't bloody think of that, did they?

Clicked the link in the email, and all I get is a page telling me my
account is locked as a security precaution - presumably because I don't
have a passphrase set (mainly as I had no intention of dealing with
their phone support if I could possibly avoid it).

Anyone know how far this goes; is it just the passwords to log in to the
CP - or does it include FTP as well? Or Webmail?

I've 30 domains spread over 2 Developer accounts. Having just got
through the Great Demon Mail Migration Fiasco, I thought things were
settling down - but this is starting to look personal :(

Cheers,
R

--

Molly Mockford
Sep 3, 2012, 10:54:59 AM
At 12:20:28 on Mon, 3 Sep 2012, Molly Mockford
<nospam...@mollymockford.me.uk> wrote in
<qLomCJo8...@molly.mockford>:

>OK, I'll contact Support. I'll raise a ticket, telling them the old
>passphrase and what I want the new one to be. And I'll report back
>here. (I have no intention whatsoever of wasting money on telephoning
>them.)

Well, entirely contrary to my expectations, this was done swiftly and
without any argument. And now I have a passphrase where I can identify
any character in my head, without using my fingers. Well done Customer
Support!

John Hall
Sep 3, 2012, 2:08:31 PM
In article <dWvx2vqW...@irchouse.demon.co.uk>,
"Robin Somes, Pisces Conservation" <ro...@pisces-conservation.com>
writes:
<snip>
>Logged in to the Control Panel without a hitch; tried to log in to
>Hosting, to be told I can't, and a password request has been sent to
>my registered email address.
>
>What if I'd been logging in to change my registered email
>address? Didn't bloody think of that, did they?

Once your registered email address has been set, I don't think that it's
possible to change it online. At least, when I wanted to change mine a
couple of weeks ago I couldn't see a way of doing so, and had to resort
to emailing support to get it changed.

Gradwell
Sep 4, 2012, 5:46:54 AM
I'm sorry you're frustrated with the password changes we have implemented.

In light of recent events of unauthorised access to customers accounts, we made the decision to tighten security in order to protect our customers' businesses and increase security.

If you'd like to discuss this further, a member of customer support would be happy to speak to you on 01225 800 888.

I've also forwarded this thread to the relevant people in Gradwell to ensure they receive this feedback.

David Gibson
Sep 4, 2012, 6:12:22 AM
In article "Password Nonsense" in <uk.net.providers.gradwell>, on Tue, 4
Sep 2012 Gradwell <helen...@gradwell.com> writes

>In light of recent events of unauthorised access to customers accounts, we made
>the decision to tighten security in order to protect our customers' businesses
>and increase security.

I had to log on *urgently* last week only to find that I was locked out
until I'd gone through the palaver of changing my password, and trying
to remember a passphrase I have NEVER used. Next time I logged on I
couldn't remember the new password I'd chosen so I changed it back to the
old one. How does that increase security?

The whole premise is wrong here! You do not tighten security by making
people change their passwords every three months. You tighten it by
making them choose strong passwords in the first place.

I can see that changes are being made, even as I write, because I logged
on just now and was told I needed to use a passphrase, and then it let
me in without one! Eh?


Here is how to improve security...

1) Allow non alphanumeric chars in passwords: "everybody else" does.

2) Allow passwords longer than 16 characters: "everybody else" does.

3) Force people to use strong passwords: "everybody else" does.

(OK ... not everybody... but I'm certainly used to a higher level of
password security on sites other than Gradwell's)

4) Implement "host.deny" and "host.accept" files so that IP addresses
can be blocked from SSH/FTP access, and (importantly) so access can be
allowed to DDNS-hosted domain names.

5) Allow customers to be able to inspect their FTP access log. (I asked
for this a while ago and was told it was not possible. But another ISP I
use provides this facility)

--
David Gibson
Spam-cloaked message: The Reply-to address
will be valid for a short while

Richard Clayton
Sep 4, 2012, 8:39:13 AM
In article <e548692a-c240-4f51...@googlegroups.com>,
Gradwell <helen...@gradwell.com> writes

>I'm sorry you're frustrated with the password changes we have implemented.
>
>In light of recent events of unauthorised access to customers accounts, we made
>the decision to tighten security in order to protect our customers' businesses
>and increase security.

Tightening security does not necessarily increase security (in fact it's
often the other way round); but here's some sage advice about changing
passwords from some experts:

<http://www.schneier.com/blog/archives/2010/11/changing_passwo.html>

<http://www.pcmag.com/article2/0,2817,2362692,00.asp>

the latter article refers to this more general view of the imposition of
security for forms sake:

<http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf>

Anyway -- you can't discuss a security initiative without first
discussing what the threat model is. In this case I suggest that the
threat model will be:

a) Gradwell database (or login machine) compromised

result: all passwords compromised and all customers must change
password; calendar based changes are irrelevant except if the compromise
is never noticed by anyone and is never repeated. Complexity of
passwords affects time to break password database offline -- main
countermeasure here is to ensure that the password database is "salted"

b) Individual user executes malware (or is "phished")

result: individual user compromised, they must clean machine and then
change their password; no other customers need do anything and what
changes they make are irrelevant. Complexity of password is completely
irrelevant.

c) Brute force attacks against Gradwell customers

result: individuals with weak passwords are compromised; they need to
change their password for something that is less likely to be guessed
(the actual strength will depend on what protections Gradwell has
against brute force attacks) See Joseph Bonneau's recent PhD thesis for
the state of the art discussion of this:

http://www.cl.cam.ac.uk/~jcb82/doc/2012-jbonneau-phd_thesis.pdf

>If you'd like to discuss this further, a member of customer support would be
>happy to speak to you on 01225 800 888.
>
>I've also forwarded this thread to the relevant people in Gradwell to ensure
>they receive this feedback.

What would actually make a difference is NOT a box-ticking exercise of
password changes (usually driven by accountancy firms who have copied
their lists of "how to make a computer system secure" from other
accountancy firms -- completely failing to realise the changed
assumptions from the 1980s threat models).

Instead:

how about showing us the last login IP address and time ?

or extra authentication steps when logging in from new IP addresses ?

There's a lot of modern ideas about how to protect web logins; forcing
password changes on a calendar basis (particularly every 3 months) is
not amongst them :( That's why some knowledgeable people are chipping
in to this thread -- and that's why they're despairing that Gradwell
(Peter or Ltd) seems to have misplaced the "clue" that made the company
attractive all these years.

BTW: if there's a new emphasis on security where's DNSSEC ??

--
Dr Richard Clayton <richard...@cl.cam.ac.uk>
tel: 01223 763570, mobile: 07887 794090
Computer Laboratory, University of Cambridge, CB3 0FD
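The two measures Richard Clayton asks for (show the last login IP address and time; an extra authentication step from a new IP address), together with the failed-attempt lockout that his threat model (c) turns on, as an added example that is not Gradwell's code or any poster's. User names, addresses, the 5-failure threshold and the 15-minute window are all constructed for illustration.

```python
"""Login protections of the kind suggested above: last-login notice,
step-up authentication from an unseen IP address, and a time-limited
failed-attempt lockout. Constructed example; not Gradwell's code."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set, Tuple

LOCKOUT_THRESHOLD = 5                   # assumed: failures before lockout
LOCKOUT_WINDOW = timedelta(minutes=15)  # assumed: failures expire after this


@dataclass
class AccountState:
    failures: List[datetime] = field(default_factory=list)   # recent failure times
    known_ips: Set[str] = field(default_factory=set)         # addresses already verified
    last_login: Optional[Tuple[datetime, str]] = None        # most recent success
    previous_login: Optional[Tuple[datetime, str]] = None    # the one before it


class LoginGuard:
    """Decides, per login attempt: 'locked', 'fail', 'step-up' or 'ok'."""

    def __init__(self) -> None:
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def trust_ip(self, user: str, ip: str) -> None:
        """Mark an address as already verified for this account."""
        self._state(user).known_ips.add(ip)

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state(user)
        # Forget failures older than the window so the lockout times out.
        st.failures = [t for t in st.failures if now - t <= LOCKOUT_WINDOW]
        return len(st.failures) >= LOCKOUT_THRESHOLD

    def _record_success(self, st: AccountState, ip: str, now: datetime) -> None:
        st.failures.clear()
        st.previous_login, st.last_login = st.last_login, (now, ip)

    def attempt(self, user: str, ip: str, password_ok: bool, now: datetime) -> str:
        st = self._state(user)
        if self.is_locked(user, now):
            # Same answer whether or not the password was right: a locked
            # account must not leak which guesses were correct.
            return "locked"
        if not password_ok:
            st.failures.append(now)
            return "fail"
        if ip not in st.known_ips:
            # Correct password from an address never seen on this account:
            # require a second step before treating the login as done.
            return "step-up"
        self._record_success(st, ip, now)
        return "ok"

    def confirm_step_up(self, user: str, ip: str, now: datetime) -> None:
        """Called once the extra authentication step has succeeded."""
        st = self._state(user)
        st.known_ips.add(ip)
        self._record_success(st, ip, now)

    def last_login_notice(self, user: str) -> Optional[str]:
        """Text to show after a login: where the previous one came from."""
        prev = self._state(user).previous_login
        if prev is None:
            return None
        when, ip = prev
        return f"Last login from {ip} at {when:%Y-%m-%d %H:%M}"


def run_demo() -> Tuple[List[str], Optional[str]]:
    """Replay a constructed sequence of attempts and return the decisions."""
    g = LoginGuard()
    t0 = datetime(2012, 9, 1, 11, 0)
    g.trust_ip("charles", "198.51.100.10")
    decisions = [g.attempt("charles", "198.51.100.10", True, t0)]
    # Five wrong guesses from elsewhere, then a sixth that happens to be right.
    for i in range(5):
        decisions.append(g.attempt("charles", "203.0.113.5", False, t0 + timedelta(seconds=i)))
    decisions.append(g.attempt("charles", "203.0.113.5", True, t0 + timedelta(seconds=5)))
    # The real user, after the lockout window, from the usual address.
    decisions.append(g.attempt("charles", "198.51.100.10", True, t0 + timedelta(minutes=20)))
    notice = g.last_login_notice("charles")
    # The real user from a new address: step-up, then confirmed, then plain ok.
    decisions.append(g.attempt("charles", "192.0.2.44", True, t0 + timedelta(minutes=30)))
    g.confirm_step_up("charles", "192.0.2.44", t0 + timedelta(minutes=31))
    decisions.append(g.attempt("charles", "192.0.2.44", True, t0 + timedelta(minutes=40)))
    return decisions, notice


if __name__ == "__main__":
    decisions, notice = run_demo()
    print(decisions)
    print(notice)
```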

Roland Perry
Sep 4, 2012, 9:10:34 AM
In message <e548692a-c240-4f51...@googlegroups.com>, at
02:46:54 on Tue, 4 Sep 2012, Gradwell <helen...@gradwell.com>
remarked:
>In light of recent events of unauthorised access to customers
>accounts, we made the decision to tighten security in order to
>protect our customers' businesses and increase security.

It's a laudable aim, but several of us think it was poorly delivered.

Doing it on a Saturday with no warning, for example. And we don't all
agree that the measures you've put in place actually increase security
rather than reduce it.
--
Roland Perry

Robin Somes, Pisces Conservation
Sep 4, 2012, 9:50:31 AM
In message <3hi4AvIf...@jhall.demon.co.uk.invalid>, John Hall
<nospam...@jhall.co.uk> writes
>In article <dWvx2vqW...@irchouse.demon.co.uk>,
> "Robin Somes, Pisces Conservation" <ro...@pisces-conservation.com>
>writes:

>>What if I'd been logging in to change my registered email

<snip>

>
>Once your registered email address has been set, I don't think that it's
>possible to change it online. At least, when I wanted to change mine a
>couple of weeks ago I couldn't see a way of doing so, and had to resort
>to emailing support to get it changed.

Thanks, I now see that's so, but it's not obvious until one tries it.

The scenario I had in mind involved the compromising of my email account
by A.N. Other - who by my trying to log in to fix it, would then have my
Gradwell CP password reset email automatically sent straight to him,
without even asking. He could then (provided I had no passphrase set and
he felt badly enough about me) log in and cause all sorts of mayhem.
Far-fetched, I know, but feasible.

An email to Gradwell support got access to one account quickly restored,
and I've reset the password as required. For my home a/c, I thought I'd
be clever; instead of trying to log in and getting that a/c frozen too,
I requested a forgotten password reminder. Trouble is, a couple of hours
on, and it still hasn't arrived :(

Cheers,
R


--

Bodincus
Sep 4, 2012, 11:06:19 AM
| · : · : · : · : · : · : · Original Message · : · : · : · : · : · : ·
| From: Gradwell
| Date: 04/09/12 10:46
I just got an SSO failure message while *already logged in* in my
Control panel and trying to access my "Hosting" section of the
services... I'm supposed to be already logged in!??!! o_O

The latest security trend is two-factor authentication, but I'm now
feeling the pain after I've enabled it on my Google account.

It's convoluted, cumbersome and it's "in the way" when you need urgent
access to something to get a problem fixed.

The best security tool is the one we have in our head, it's called a
brain. Learn how to best secure your digital property as you got to know
how to secure your physical property. Use the right tools, instruments
and features. If you fail, it's your fault and your loss.

I'm not asked by my car leasing company to change the car locks every
three months "to make my car more secure", the *car keys* are engineered
to be inherently more secure.

I'm not qualified to give security advice better than it has already
been done in this trend, but I can say I'm expecting Gradwell to always
be on the bleeding edge of technology, and the password policies that
have been foisted upon us without any warning are so 1980.

Steve Firth
Sep 4, 2012, 4:37:25 PM
Richard Clayton <ric...@highwayman.com> wrote:

> Complexity of password is completely
> irrelevant.

In every case. What is gained in terms of entropy by making a password
complex can be trumped by making a password longer. And in general long
passwords MarioMonkeyDonkeyKong are somewhat more memorable than
1&%$�hh3pt.

Giving some good, relevant advice on password security to customers
would help rather than implementing a blanket requirement to renew them
every three months. IASTR that the last time that I raised a lost
password request with Gradwell it was sent in clear and there was no
requirement to change the password on log in. If that is the way that
passwords continue to be sent to users who have lost/forgotten them I'm
not surprised that some accounts have been compromised.

Richard Clayton
Sep 4, 2012, 5:18:25 PM
In article <1kpx2bn.j03iri1xagnuN%%steve%@malloc.co.uk>, Steve Firth
<%steve%@malloc.co.uk> writes

>Richard Clayton <ric...@highwayman.com> wrote:
>
>> Complexity of password is completely
>> irrelevant.

I wrote a lot of other things as well... losing the context is unwise

>In every case. What is gained in terms of entropy by making a password
>complex can be trumped by making a password longer. And in general long
>passwords MarioMonkeyDonkeyKong are somewhat more memorable than
>1&%$�hh3pt.

assuming a dictionary of 20K words then selecting 4 words from it would
give a space of around 16E16, taking 10 characters each from a set of 64
is around 1E18 ... ie your example doesn't show any such trumping by a
factor of 6 in the wrong direction !

That's assuming in each case that you don't put in any semantic content
and make each word/character choice independent... if you generally
choose Kong after Donkey (or 23 after 1) then you will do much worse

do have a look at Joseph Bonneau's work though -- amongst all the
equations there is considerable wisdom about whether one should be
paying all that much attention to complexity per se

he's done a couple of blog posts this week as well

<http://www.lightbluetouchpaper.org/2012/09/03/password-cracking-part-i-how-much-has-cracking-improved/>

>Giving some good, relevant advice on password security to customers
>would help rather than implementing a blanket requirement to renew them
>every three months.

key advice is not to use a password you've used at another service, lest
that one be compromised...

> IASTR that the last time that I raised a lost
>password request with Gradwell it was sent in clear and there was no
>requirement to change the password on log in.

sigh

Steve Firth
Sep 4, 2012, 7:36:35 PM
Richard Clayton <ric...@highwayman.com> wrote:

> assuming a dictionary of 20K words then selecting 4 words from it would
> give a space of around 16E16, taking 10 characters each from a set of 64
> is around 1E18 ... ie your example doesn't show any such trumping by a
> factor of 6 in the wrong direction !

I am tempted to reply "mindless literalist" to that one.

What on earth makes you think that the dictionary has 20K words? The OED
has over 200K words. Secondly what makes you think that every password
would contain four words? And thirdly what makes you think I am
advocating four correctly spelled dictionary words? I'm simply stating
that long passwords drawn from the set [A-Z,a-z,0-9] trump short
passwords drawn from the set [A-Z,a-z,0-9,@£$%^&*]. Within that space
one may make the password memorable if one wishes. If one wishes to use
the [CVC]n format preferred by some users instead of dictionary words,
one may. An attacker does not therefore have the comfort of knowing that
the password must be a specific number of dictionary words.

Also of course any password system should react to brute force attempts,
and time out if there is a clear attempt to brute force a password. An
attacker should not be able to get as far as 10E16 attempts, not even as
far as 10E2 attempts in any external attack. Your concerns are valid if
the attacker has stolen the password hash file, and the salts and users
invariably use a limited number of dictionary words. (I hope Gradwell
salted passwords *before* they came up with their ludicrous policy,
otherwise there's an element of PKB in their approach).

So, I would argue that the 21 char password that I referred to is a
member of a password space of 4E37 members and has an entropy of 125
bits that would (usually) be downrated to 105 bits if user selected
dictionary words are used. That's about twice as effective as anyone
really needs to use, especially if combined with sensible other controls
such as restricting the number of failed attempts before lockout.

Richard Clayton
Sep 4, 2012, 8:37:16 PM
In article <1kpx977.k51qemdcthyoN%%steve%@malloc.co.uk>, Steve Firth
<%steve%@malloc.co.uk> writes

>Richard Clayton <ric...@highwayman.com> wrote:
>
>> assuming a dictionary of 20K words then selecting 4 words from it would
>> give a space of around 16E16, taking 10 characters each from a set of 64
>> is around 1E18 ... ie your example doesn't show any such trumping by a
>> factor of 6 in the wrong direction !
>
>I am tempted to reply "mindless literalist" to that one.
>
>What on earth makes you think that the dictionary has 20K words?

because you suggested the words chosen would make passwords that "are
somewhat more memorable" that tends to mean words from a working
vocabulary

> The OED
>has over 200K words. Secondly what makes you think that every password
>would contain four words?

because that's the example you gave (I took the ten letters you gave for
the other style as well)

>And thirdly what makes you think I am
>advocating four correctly spelled dictionary words?

because that's the example you gave

> I'm simply stating
>that long passwords drawn from the set [A-Z,a-z,0-9]

dictionary words don't contain 0-9 and you were only capitalising the
first letter...

> trump short
>passwords drawn from the set [A-Z,a-z,0-9,@£$%^&*].

that is of course entirely true (for suitable values of long and
short)... but that's not what you gave examples of :(

>Within that space
>one may make the password memorable if one wishes. If one wishes to use
>the [CVC]n format preferred by some users instead of dictionary words,
>one may. An attacker does not therefore have the comfort of knowing that
>the password must be a specific number of dictionary words.
>
>Also of course any password system should react to brute force attempts,
>and time out if there is a clear attempt to brute force a password. An
>attacker should not be able to get as far as 10E16 attempts, not even as
>far as 10E2 attempts in any external attack.

again I refer you to Joseph's work -- who makes this point very clearly
indeed... and gives some nice graphs derived from real password
datasets; including the largest studied so far (captured in an elegant
privacy preserving manner from Yahoo! users)

> Your concerns are valid

I don't have concerns about complexity ... it's pretty much a red
herring here -- my main concern was that people do the calculations on
the "word" system correctly

we now generally point at http://xkcd.com/936/ (that uses just a 2000
word dictionary -- and the sum is correctly done to give ~2E13)

>if
>the attacker has stolen the password hash file, and the salts and users
>invariably use a limited number of dictionary words. (I hope Gradwell
>salted passwords *before* they came up with their ludicrous policy,
>otherwise there's an element of PKB in their approach).
>
>So, I would argue that the 21 char password that I referred to is a
>member of a password space of 4E37 members and has an entropy of 125
>bits that would (usually) be downrated to 105 bits if user selected
>dictionary words are used.

I would argue that the space is considerably smaller than 4E37 in
practice if the memorable test is applied (and there's a strong
suspicion that users of the multiple word system go for sequences that
have some grammatical quirks)

remember how the well-trained user of Enigma could not resist selecting
L E R "at random" if the three letters they were given were H I T!

>That's about twice as effective as anyone
>really needs to use, especially if combined with sensible other controls
>such as restricting the number of failed attempts before lockout.

see Joseph's work for a suitable computation -- and some new
formalisations of how to practically model attackers.

also, fans of rules like "use a non-letter and some caps etc" might care
to do some more reading:

http://cups.cs.cmu.edu/rshay/pubs/passwords_and_people2011.pdf

which paper continues to emphasise my main point which is that the
recent changes by the once-clueful Gradwell are not evidence based (at
least no evidence from the past couple of decades) and are more likely
to be counterproductive than useful :-(
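A small Python script, added here and not posted by anyone in the thread, that redoes the arithmetic in Richard's two posts and Steve's 21-character case (20000^4, 64^10, xkcd's 2000^4 and 62^21) and then applies the attack models the thread argues about: the online guess rates follow from the throttling proposed in the thread, while the offline rate against a stolen hash file is an assumed round number.

```python
"""Search spaces and entropies for the password styles argued over in
this thread, together with the attack-model point raised later: the same
space is exhausted in very different times by an online attacker who is
rate limited and by an offline attacker holding a stolen hash file.
Added example, not posted by anyone in the thread; the offline guess rate
is an assumed round number."""
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY


def search_space(choices: int, length: int) -> int:
    """Secrets possible when each of `length` positions is chosen
    independently and uniformly from `choices` options, the assumption
    Richard's figures rely on."""
    return choices ** length


def entropy_bits(space: int) -> float:
    """Entropy of a uniform choice from `space` equally likely secrets."""
    return math.log2(space)


def expected_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly chosen secret: on average half the
    space is tried before the right guess turns up."""
    return (space / 2) / guesses_per_second


# The styles discussed, as (choices per position, number of positions).
STYLES = {
    "4 words, 20K working vocabulary": (20_000, 4),   # Richard's count
    "10 chars, 64-symbol set": (64, 10),              # Richard's count
    "4 words, 2000-word list (xkcd 936)": (2_000, 4),
    "21 chars, [A-Za-z0-9] (62 symbols)": (62, 21),   # Steve's 21-char case
}

# Attack models as guesses per second.  The online rates follow from the
# throttling proposed in the thread; the offline rate is a constructed
# figure for a fast unsalted hash, not a number from the thread.
ATTACK_MODELS = {
    "online_1s_delay": 1.0,
    "online_3_tries_per_5_min": 3 / 300,
    "offline_stolen_hashes": 1e9,   # assumed
}


def guesses_per_day(model: str) -> float:
    return ATTACK_MODELS[model] * SECONDS_PER_DAY


def years_to_crack(choices: int, length: int, model: str) -> float:
    space = search_space(choices, length)
    return expected_seconds(space, ATTACK_MODELS[model]) / SECONDS_PER_YEAR


def compare_styles() -> dict:
    """{label: (space, bits)} for every style in STYLES."""
    out = {}
    for label, (choices, length) in STYLES.items():
        space = search_space(choices, length)
        out[label] = (space, entropy_bits(space))
    return out


if __name__ == "__main__":
    for label, (space, bits) in compare_styles().items():
        print(f"{label:38s} {space:10.2e} {bits:6.1f} bits")
    # Richard's correction: 64^10 is the larger of his two spaces.
    print(f"\n64^10 / 20000^4 = "
          f"{search_space(64, 10) / search_space(20_000, 4):.1f}")
    for model in ATTACK_MODELS:
        print(f"\n{model}: {guesses_per_day(model):,.0f} guesses/day")
        for label, (choices, length) in STYLES.items():
            years = years_to_crack(choices, length, model)
            print(f"  {label:38s} {years:10.3g} years")
```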

c...@nospam.netunix.com
Sep 4, 2012, 9:17:57 PM
Richard Clayton <ric...@highwayman.com> wrote:
> >
> >What on earth makes you think that the dictionary has 20K words?
>
> because you suggested the words chosen would make passwords that "are
> somewhat more memorable" that tends to mean words from a working
> vocabulary

A password or passphrase can be memorable without reference to an
English working vocabulary. Think of a word for some simple item
such as a shovel or a river in some obscure African language.
Add a long since defunct telephone number of some relative or
girlfriend etc.
Plenty of entropy there.

There is every reason to suspect that none of the Gradwell security
breaches were password related and can be accounted for by SQL
injections and known vulnerabilities in PHP, Perl, etc.

Any simple password breakin would be constrained to a single user
account unless escalated via some internal vulnerability.
A password breakin is likely to be the direct result of an SQL
injection attack having revealed a password stored in a user script
etc. Almost every website will have a script or file containing
its database name and password as plain text. People have an
unhealthy tendency to use their login password as their database
password. BAD IDEA.


Steve Firth
Sep 5, 2012, 2:40:02 AM
Richard Clayton <ric...@highwayman.com> wrote:

>
> see Joseph's work for a suitable computation -- and some new
> formalisations of how to practically model attackers.

Yes, it's a lovely theoretical piece of work that assumes that an
attacker has infinite time to attack a password and has an infinite
number of tries to do so, and that no one monitors the attacks. As I
pointed out trivial countermeasures defeat the attacker. As I didn't
point out, but you are probably aware, use of a random password
generator using dictionary words overcomes many of your objections such
as the tendency of a human being to select a "comfortable" set of
choices.

Roland Perry
Sep 5, 2012, 3:01:58 AM
In message <1kpxu5a.ggoggknn9gu4N%%steve%@malloc.co.uk>, at 07:40:02 on
Wed, 5 Sep 2012, Steve Firth <%steve%@malloc.co.uk> remarked:

>As I didn't point out, but you are probably aware, use of a random
>password generator using dictionary words overcomes many of your
>objections such as the tendency of a human being to select a
>"comfortable" set of choices.

CompuServe had one of those, and occasionally produced pairs like
plane/crash.
--
Roland Perry

David Gibson
Sep 5, 2012, 4:31:51 AM
In article "Password Nonsense" in <uk.net.providers.gradwell>, on Tue, 4
Sep 2012 Steve Firth <%steve%@malloc.co.uk> writes

>What is gained in terms of entropy by making a password
>complex can be trumped by making a password longer. And in general long
>passwords MarioMonkeyDonkeyKong are somewhat more memorable than
>1&%$£hh3pt.

Whilst not offering a view on the above assertion, I would add that
"entropy" itself may not be necessarily important. There is an
interesting article on this at https://www.grc.com/haystack.htm

I must confess I've not (yet) read all the references that Richard
Clayton provided (although I will do, when I have time) but Steve Gibson
(no relation) does seem to make some sense in his assertions about
passwords.

The daft thing is that Gradwell is not, even now, implementing a full
character space or long passwords. The login password *appears* to be
limited to [A-Za-z0-9] and 16 characters. (Infuriatingly we aren't told
this anywhere - merely that our newly-typed password is no good).

Gradwell's FTP passwords, whilst limited to the same character set
(apparently), can be longer than 16 chars.

Of course, for SSH access, everything's fine.

Gradwell's handling of login passwords is, I guess, written in-house,
and this would appear to be the weak point. Surely, there's no sensible
reason why it cannot use a full char set and allow long passwords? If
my memory is working, I seem to recall that PHP even offers a password-
checking function that tells you if a string is weak/moderate/strong in
terms of its mix of characters.

For FTP, Gradwell should get a decent FTP package that offers host.deny
and host.allow, and allows customers to inspect their FTP access log.

In terms of security, I would hazard a guess that it is FTP access that
is the weak point at Gradwell (alongside SQL attacks). Not customers'
login passwords!

Steve Firth
Sep 5, 2012, 5:39:34 AM
I can recall a demo of a password generator that used the [CVC]n format.
The demonstrator was a rather large chap, and was very enthusiastic about
it. My colleague pointed out that we had to be careful to avoid giving
offence to our customers and it should not throw up racially sensitive
terms, offensive words etc or we would be hauled over hot coals. We were
assured this was impossible because it had a dictionary and it rejected
naughty words.

He then fired it up and it produced his first password: YEWFATFUQ

Very difficult to control the sniggering.

tin...@isbd.co.uk
Sep 5, 2012, 7:38:28 AM
Richard Clayton <ric...@highwayman.com> wrote:
>
> >In every case. What is gained in terms of entropy by making a password
> >complex can be trumped by making a password longer. And in general long
> >passwords MarioMonkeyDonkeyKong are somewhat more memorable than
> >1&%$£hh3pt.
>
> assuming a dictionary of 20K words then selecting 4 words from it would
> give a space of around 16E16, taking 10 characters each from a set of 64
> is around 1E18 ... ie your example doesn't show any such trumping by a
> factor of 6 in the wrong direction !
>
> That's assuming in each case that you don't put in any semantic content
> and make each word/character choice independent... if you generally
> choose Kong after Donkey (or 23 after 1) then you will do much worse
>
Doesn't the 'environment' of the password affect things as well
though? I.e. if you are trying a dictionary or brute force attack
on a password then any system which limits retries (or slows down
exponentially) will effectively prevent the attack.

Or am I misunderstanding completely?

--
Chris Green

Steve Firth
Sep 5, 2012, 8:58:49 AM
No, you're not misunderstanding. Even a one second delay between retries is
an eternity for password crackers. Limiting the number of tries to three or
four with a reasonable (say five to ten minutes) before retry makes it even
harder. Flagging multiple failed attempts to an administrator also makes
sense.

Roland Perry
Sep 5, 2012, 11:24:58 AM
In message
<602475405368541622.949628%steve%-mallo...@news.eternal-september.org
>, at 12:58:49 on Wed, 5 Sep 2012, Steve Firth <%steve%@malloc.co.uk>
remarked:

>Flagging multiple failed attempts to an administrator also makes
>sense.

As an admin of several hosted sites, I would be quite happy to receive
an email *every* time a username/password login failed. And for failed
logins to track some kind of 1 second, 2 second, 4 second, 8 second, 16
second exponential before retries.
--
Roland Perry

Bodincus
Sep 5, 2012, 12:12:14 PM
| · : · : · : · : · : · : · Original Message · : · : · : · : · : · : ·
| From: Roland Perry
| Date: 05/09/12 16:24

> In message
> <602475405368541622.949628%steve%-mallo...@news.eternal-september.org
> >, at 12:58:49 on Wed, 5 Sep 2012, Steve Firth <%steve%@malloc.co.uk>
> remarked:
>
>> Flagging multiple failed attempts to an administrator also makes
>> sense.
>
> As an admin of several hosted sites, I would be quite happy to receive
> an email *every* time a username/password login failed.
Careful, that might backfire. You're exposing yourself to mailbombing
and other risks.

If the provider lumps all your usage throughout your services against
your allocation, a mailbox without size limits - like you might want
your admin one to be - might eat up all your space, landing your apps
and your webspace in deep problems.

If your provider restricts your bandwidth usage or bills you for excess,
you can see your website disappear or your money vanish from your bank
account so quickly you can't say "Erm".

Banning the attacking IP for X*Y minutes for every Y failed attempts
would stop the Script Kiddie or the Bot.
You want to be warned of that, not every failed attempt.

Incidentally, that's what Fail2Ban does. And - please - don't start the
usual bashing against F2B, we know its limits, problems, quirks and
vulnerabilities. But it's a good trade-off between a good layer of
security and too much management effort.

Steve Firth
Sep 5, 2012, 3:07:12 PM
[sigh] SIEM

Roland Perry
Sep 5, 2012, 3:41:04 PM
In message <504779df$0$15535$a826...@newsreader.readnews.com>, at
17:12:14 on Wed, 5 Sep 2012, Bodincus <nobod...@this.ip> remarked:

>> As an admin of several hosted sites, I would be quite happy to receive
>> an email *every* time a username/password login failed.

>Careful, that might backfire. You're exposing yourself to mailbombing
>and other risks.
>
>If the provider lumps all your usage throughout your services against
>your allocation, a mailbox without size limits - like you might want
>your admin one to be - might eat up all your space, landing your apps
>and your webspace in deep problems.

My email is provided by a quite separate set of people, and there's no
size limits (well, if there is it's a bit more than a Gigabyte).

>If your provider restricts your bandwidth usage or bills you for
>excess,

Nope, neither of those.

>you can see your website disappear or your money vanish from your bank
>account so quickly you can't say "Erm".

Won't happen.

--
Roland Perry

Steve Firth
Sep 5, 2012, 9:12:18 PM
> at 12:58:49 on Wed, 5 Sep 2012, Steve Firth <%steve%@malloc.co.uk>
> remarked:
>
> >Flagging multiple failed attempts to an administrator also makes
> >sense.
>
> As an admin of several hosted sites, I would be quite happy to receive
> an email *every* time a username/password login failed.

You wouldn't. You appear to be misunderstanding the problem, the
solution and who would receive the alert that the site was (possibly)
being hacked. It wouldn't even be raised as an email alert to anyone,
but would be raised as an alert on the SIEM monitoring console.

> And for failed logins to track some kind of 1 second, 2 second, 4 second,
> 8 second, 16 second exponential before retries.

That thought seems to have failed in mid-air.

To spell it out, you don't get notified of every username/password log
in failure. Indeed no one does. However such failures are logged and
*multiple* failures are alerted. Not to the hapless and probably useless
admin but to Gradwell's Security Operation Centre, if they had one. They
are the ones responsible for taking action if someone is trying to hack
the accounts of their customers. If someone is repeatedly hammering away
trying to crack the passwords of a particular account then the
originating IP or IP block should be shunned for a period which could
vary from an hour or so for first attempts going to days or even
permanently if it is a repeat offence.

Such events are, or should be, raised as alerts in the SIEM manned by
Gradwell. Attempts to crack passwords are exactly the sort of event that
should be alerted to the security manager.
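One way to implement the throttling and alerting the last few posts describe (Steve's delay and lockout after a few tries, Roland's 1, 2, 4, 8, 16 second backoff, Bodincus's ban of X*Y minutes for every Y failures from one address, and Steve's escalating shun for repeat offenders, with an alert raised only when a ban is applied rather than on every failed login), as an added example that is not code from the thread or from Gradwell; the thresholds, the log format and the addresses are constructed.

```python
"""Login throttling along the lines argued for in this thread: a doubling
per-account delay between retries (1, 2, 4, 8, 16 s), a temporary ban on a
source address after a burst of failures, longer bans for repeat offenders,
and an alert raised only when a ban is applied rather than for every failed
login.  Added example; thresholds, addresses and log format are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class Policy:
    max_delay: int = 16          # cap on the per-account doubling delay (s)
    burst: int = 4               # Y: failures from one address inside `window`
    window: int = 600            # seconds over which the burst is counted
    ban_per_failure: int = 300   # X: seconds of ban per failure in the burst
    ban_growth: int = 4          # each repeat ban lasts this many times longer


@dataclass
class Throttle:
    policy: Policy = field(default_factory=Policy)
    account_failures: dict = field(default_factory=lambda: defaultdict(int))
    account_next_ok: dict = field(default_factory=dict)   # user -> timestamp
    ip_failures: dict = field(default_factory=lambda: defaultdict(deque))
    ip_banned_until: dict = field(default_factory=dict)   # ip -> timestamp
    ip_ban_count: dict = field(default_factory=lambda: defaultdict(int))
    alerts: list = field(default_factory=list)            # what the SOC sees

    def attempt(self, ts: int, ip: str, user: str, password_correct: bool) -> str:
        """Decide one attempt: 'ip_banned', 'too_soon', 'fail' or 'ok'."""
        if self.ip_banned_until.get(ip, 0) > ts:
            return "ip_banned"                 # dropped before any check
        if self.account_next_ok.get(user, 0) > ts:
            self._ip_failure(ts, ip, user)     # ignoring the delay is a signal too
            return "too_soon"
        if password_correct:
            self.account_failures[user] = 0
            self.account_next_ok.pop(user, None)
            return "ok"
        n = self.account_failures[user] + 1
        self.account_failures[user] = n
        delay = min(2 ** (n - 1), self.policy.max_delay)   # 1, 2, 4, 8, 16, 16 ...
        self.account_next_ok[user] = ts + delay
        self._ip_failure(ts, ip, user)
        return "fail"

    def _ip_failure(self, ts: int, ip: str, user: str) -> None:
        q = self.ip_failures[ip]
        q.append(ts)
        while q[0] <= ts - self.policy.window:   # forget failures outside window
            q.popleft()
        if len(q) >= self.policy.burst:
            self.ip_ban_count[ip] += 1
            ban = (self.policy.ban_per_failure * len(q)
                   * self.policy.ban_growth ** (self.ip_ban_count[ip] - 1))
            self.ip_banned_until[ip] = ts + ban
            q.clear()
            self.alerts.append({"ts": ts, "ip": ip, "user": user, "ban_seconds": ban})


# Constructed auth log: "timestamp source-ip user ok|fail", where ok/fail is
# whether the submitted password was right.  198.51.100.7 hammers alice, the
# real alice logs in from elsewhere, and the same address comes back later.
SAMPLE_LOG = [
    "100 198.51.100.7 alice fail",
    "100 198.51.100.7 alice fail",    # retry inside the 1 s delay
    "102 198.51.100.7 alice fail",
    "103 198.51.100.7 alice fail",    # 4th failure in window: banned, alert
    "104 198.51.100.7 alice fail",    # dropped: address is banned
    "105 203.0.113.9 alice ok",       # genuine user, different address
    "1400 198.51.100.7 bob fail",     # ban expired; second burst ...
    "1401 198.51.100.7 bob fail",
    "1402 198.51.100.7 bob fail",     # retry inside the 2 s delay
    "1403 198.51.100.7 bob fail",     # ... earns a ban four times as long
]


def replay(lines, policy=None):
    """Run log lines through a fresh Throttle; return (throttle, decisions)."""
    t = Throttle(policy or Policy())
    decisions = []
    for line in lines:
        ts, ip, user, result = line.split()
        decisions.append(t.attempt(int(ts), ip, user, result == "ok"))
    return t, decisions


if __name__ == "__main__":
    throttle, decisions = replay(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG, decisions):
        print(f"{line:28s} -> {decision}")
    for alert in throttle.alerts:
        print("ALERT", alert)
```

The per-account delay also slows the genuine user while their account is under attack, which is the trade-off any account-based backoff carries; the address-based ban is what actually stops the source.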

Roland Perry
Sep 6, 2012, 3:13:40 AM
In message <1kpz85q.1jpkfeb8p0iotN%%steve%@malloc.co.uk>, at 02:12:18 on
Thu, 6 Sep 2012, Steve Firth <%steve%@malloc.co.uk> remarked:

>> As an admin of several hosted sites, I would be quite happy to receive
>> an email *every* time a username/password login failed.
>
>You wouldn't. You appear to be misunderstanding the problem, the
>solution and who would receive the alert that the site was (possibly)
>being hacked.

I was referring to failed attempts to log into my Gradwell Consoles.

>It wouldn't even be raised as an email alert to anyone,

I'd like to know, though.

>but would be raised as an alert on the SIEM monitoring console.
>
>> And for failed logins to track some kind of 1 second, 2 second, 4 second,
>> 8 second, 16 second exponential before retries.
>
>That thought seems to have failed in mid-air.

To spell it out, if someone (even me) tries to log in and provides the
wrong password, I'd like them to have to wait increasing amounts of time
on every re-try.

>To spell it out, you don't get notified of every username/password log
>in failure. Indeed no one does.

Yes, but I would like to be.

> However such failures are logged and *multiple* failures are alerted.

As a compromise, perhaps I'd accept a daily log of failed attempts (to
log into my consoles) to be emailed to me (along with the log of
successful hits on the public side of the websites, that I get already).

>Not to the hapless and probably useless
>admin but to Gradwell's Security Operation Centre, if they had one. They
>are the ones responsible for taking action if someone is trying to hack
>the accounts of their customers. If someone is repeatedly hammering away
>trying to crack the passwords of a particular account then the
>originating IP or IP block should be shunned for a period which could
>vary from an hour or so for first attempts going to days or even
>permanently if it is a repeat offence.

Sounds sensible, but I've never heard of such activity being reported
back to the affected customer.
--
Roland Perry

Steve Firth
Sep 6, 2012, 4:07:15 AM
Roland Perry <rol...@perry.co.uk> wrote:

> Sounds sensible, but I've never heard of such activity being reported
> back to the affected customer.

Such a report is sent to my business email address every day from the
organisation(s) that provide web services. I get both a management
summary showing the security statistics that pertain to the web sites
and the rolling top 10 incidents in the areas that I have determined
need to be monitored.

Of course this is from service providers who charge a lot more than
Gradwell do and who are contractually required to furnish the
information in a timely manner.

I don't see Gradwell offering the full-fat security solution or at least
not doing so unless they are paid a bit more for the service. However I
do think that good practice mandates that they should monitor their
security more closely than appears to be the case at present.

Sadly I think that the signs are that they have engaged some ISO27001
consultant who is working to a risk reduction formula that involves
ticking off boxes for each ISO27001 control. I know some of the people
who offer these services are SIA registered, i.e. jumped up night club
bouncers and office door staff. I hope that Gradwell have not fallen
foul of one of those.

Gradwell
Sep 6, 2012, 7:38:49 AM
Peter has issued a letter to update customers on the changes to Gradwell infrastructure and security. You can view it via our blog here: http://www.gradwell.com/blog/?p=2753

news
Sep 6, 2012, 9:56:41 AM
In article <45923af3-1b9a-4eb6...@googlegroups.com>,
Gradwell <helen...@gradwell.com> writes
>Peter has issued a letter to update customers on the changes to
>Gradwell infrastructure and security. You can view it via our blog
>here: http://www.gradwell.com/blog/?p=2753

Advice to change passwords but nothing about pass phrases and what
passwords will be accepted, nor the need for regular changes. Or does
that not emerge until you try to make changes?

PS: Glad I'm not a VoIP manager. All those Monday-morning squeals from
users whose passwords have been changed remotely over the weekend or
after warning emails fail because the system is down.
--
David Lawson

Roland Perry
Sep 6, 2012, 10:09:17 AM
In message <45923af3-1b9a-4eb6...@googlegroups.com>, at
04:38:49 on Thu, 6 Sep 2012, Gradwell <helen...@gradwell.com>
remarked:
>Peter has issued a letter to update customers on the changes to Gradwell infrastructure and security. You can view it via our blog here:
>http://www.gradwell.com/blog/?p=2753

Which does not address any of the issues raised here, indeed it merely
hints at even "more of the same".
--
Roland Perry

Jim Crowther
Sep 6, 2012, 12:44:38 PM
In uk.net.providers.gradwell, on Thu, 6 Sep 2012 04:38:49, Gradwell
wrote:

>Peter has issued a letter to update customers on the changes to
>Gradwell infrastructure and security. You can view it via our blog
>here: http://www.gradwell.com/blog/?p=2753

And I've had an email with I assume the same content - except the plain
text version does have some apparently strange spelling.

Not a word about the 3-month changeling stuff or *why* these changes
were thought necessary (they aren't of course to anyone who has even
cursorily examined what helps make passwords/phrases secure).

I'm delighted RC has commented here. I hope PG has taken notice of his
observations. I'm not holding my breath. :(

--
Jim Crowther

Steve Firth
Sep 8, 2012, 8:33:37 AM
Gradwell <helen...@gradwell.com> wrote:

[messed up line length fixed]

> Peter has issued a letter to update customers on the changes to Gradwell
> infrastructure and security. You can view it via our blog here:
> http://www.gradwell.com/blog/?p=2753

Oh great.

Helena,

I was rather hoping that the point of someone from Gradwell posting here
would be restore the reputation of Gradwell and demonstrate that:

a) Gradwell really does have a clue and is getting over a rocky patch
and moving towards rectifying their problems;
b) Gradwell have decided to listen to and communicate with their
customer base.

Your reply causes concern because:

a) You replied via Goggle groups. Absolutely no one with even a hint of
clue would use Google groups for news. Google's approach to news is an
insult to those of us who use it and know how it works. For example your
entire reply was posted by Google in a single line of unlimited length.
This makes it difficult to read and impossible to reply to for many
newsreaders without involving the poor user in having to edit your reply
to conform with the accepted standard of a 72 to 80 character line
length. Hence your reply screams "I DON'T HAVE A CLUE" to your customer
base. Is that *really* the image that you wish to present?

b) Your reply consists solely of stating that Peter Gradwell has issued
a letter. Indeed he did, I have it in my Inbox. So your post was
pointless duplication and the letter itself shows ignorance of the
responses here.

c) No one from Gradwell has attempted to address any of the concerns
raised here by people who know more about internet security than,
apparently, anyone at Gradwell or any of Gradwell's advisors.

If you wanted to add to the image of Gradwell as a business that has
lost the USP that it used to have, that is turning its back on its
customers and is descending into the wonderful world of corporate
head-in-the-sand focussing on the wrong aspects of the business you
couldn't have done a better job than you have. If OTOH you were supposed
to be starting the process of digging Gradwell out of a self-generated
puddle of liquid manure you missed the target by starting your
excavation at the bottom of the hole and are, it seems, intent on making
your way towards the MoHo.


I wonder if this post will be treated as the others here have been by
giving it a damned good ignoring?

Jim Crowther
Sep 8, 2012, 11:51:56 AM
In uk.net.providers.gradwell, on Sat, 8 Sep 2012 13:33:37, Steve Firth
wrote:

[snip]

I agree with all that I've snipped, but especially with this bit I've
quoted:

>c) No one from Gradwell has attempted to address any of the concerns
>raised here by people who know more about internet security than,
>apparently, anyone at Gradwell or any of Gradwell's advisors.

If PG would just take note of any advice RC could offer, that'd be a
start.

--
Jim Crowther

Gradwell
Sep 11, 2012, 6:24:52 AM
Thank you to all of you who have taken the time to provide feedback on recent events. In line with that feedback, we have made a number of changes to increase security of our systems. The major change is in how customers and partners login and change credentials.

Going forward, in order to change a passphrase and password you will need to go to login.gradwell.com (you can no longer change passphrases or passwords through the Gradwell Control Panel). We have made this change to provide a central place for handling login information and the process forces a password change if it is the first time you login using this method. This process is called Single Sign On (SSO).

If you have not set up a passphrase, the SSO system will force you to set one at the same time as you change your password. If you have a passphrase, you will need to use three characters from the phrase to validate a password change.

Having set up a passphrase, you will need to use three passphrase characters to validate each login you make (unless you tick remember me, which will be valid for 30 days on that device).

As a temporary measure, we have removed the functionality to change your password and passphrase from the portal; this means that the portal cannot be used as a work around.

When changes are made to account details, the IP ACL or call barring rules in the VoIP CP, an email notification is sent to the master user account.

We have received a lot of comments, most of which have been negative about the requirement to reset credentials every 3 months; we have now removed this requirement.


The portal will use SSO as its login system. When setting a passphrase, we will offer a drop down of three suggested hints and an option for one of your own. This should help make passphrase answers a bit more standardised.

We also plan to use SSO for our partners.

The previous process for password reminders included contacting Gradwell in order to reset passwords; this will no longer be possible and having clicked on the Reset button within the Control panel, the customer will receive an email in order to reset passwords.


You’ve been asking us for passwords with special characters for some time and we are working to that end. We anticipate the use of special character passwords in the following few days.

Roland Perry
Sep 11, 2012, 6:46:12 AM
In message <698cdc11-efdb-49bf...@googlegroups.com>, at
03:24:52 on Tue, 11 Sep 2012, Gradwell <helen...@gradwell.com>
remarked:
>The previous process for password reminders included contacting
>Gradwell

Perhaps you've missed "by email/telephone" here?

>in order to reset passwords; this will no longer be possible and having
>clicked on the Reset button within the Control panel, the customer will
>receive an email in order to reset passwords.

The customer, or anyone with access to their email account.
--
Roland Perry

Richard Clayton
Sep 11, 2012, 7:10:10 AM
In article <698cdc11-efdb-49bf...@googlegroups.com>,
Gradwell <helen...@gradwell.com> writes

>We have received a lot of comments, most of which have been negative about the
>requirement to reset credentials every 3 months; we have now removed this
>requirement.

Thank you.

I'd be interested in seeing (a paraphrase of) the positive comments;
it's always interesting to see counter-arguments to what one believes.

>When setting a passphrase, we will
>offer a drop down of three suggested hints and an option for one of your own.
>This should help make passphrase answers a bit more standardised.

... and that is a good idea why ?

By the way, if the idea of asking for 3 characters from the passphrase
on the portal is to provide some limited protection against keyloggers
then it is essential not to ask for the characters in numerical order
(there's some unpublished work from Cardiff on this topic... they showed
how easy it was to reconstruct the passphrase over time).

Andy
Sep 11, 2012, 10:11:23 AM
In message <m1sq7oKS...@highwayman.com>, Richard Clayton
<ric...@highwayman.com> wrote
[]
>By the way, if the idea of asking for 3 characters from the passphrase
>on the portal is to provide some limited protection against keyloggers
>then it is essential not to ask for the characters in numerical order
>(there's some unpublished work from Cardiff on this topic... they showed
>how easy it was to reconstruct the passphrase over time).
>
Perhaps they should have a word with most UK banks, who seem to always
want eg 1, 3, 7 but never 7, 1, 3.
--
Andy Taylor [Editor, Austrian Philatelic Society].
Visit <URL:http://www.austrianphilately.com>

John Hall
Sep 11, 2012, 2:18:14 PM
In article <4Kdq6fEL...@kitzbuhel.demon.co.uk>,
Andy <an...@kitzbuhel.demon.co.uk> writes:
>In message <m1sq7oKS...@highwayman.com>, Richard
>Clayton <ric...@highwayman.com> wrote
>[]
>>By the way, if the idea of asking for 3 characters from the passphrase
>>on the portal is to provide some limited protection against keyloggers
>>then it is essential not to ask for the characters in numerical order
>>(there's some unpublished work from Cardiff on this topic... they showed
>>how easy it was to reconstruct the passphrase over time).
>>
>Perhaps they should have a word with most UK banks, who seem
>to always want eg 1, 3, 7 but never 7, 1, 3.

My bank always asks for 3 of the 4 digits in my pin (in addition to
selected characters from my password), and every time the order is
different.
--
John Hall

"The beatings will continue until morale improves."
Attributed to the Commander of Japan's Submarine Forces in WW2

David Gibson
Sep 12, 2012, 4:59:01 AM
In article "Password Nonsense" in <uk.net.providers.gradwell>, on Tue,
11 Sep 2012 John Hall <nospam...@jhall.co.uk> writes

> Andy <an...@kitzbuhel.demon.co.uk> writes:
>>Perhaps they should have a word with most UK banks, who seem
>>to always want eg 1, 3, 7 but never 7, 1, 3.
>
>My bank always asks for 3 of the 4 digits in my pin (in addition to
>selected characters from my password), and every time the order is
>different.

Just checked. My bank asked for 3 of the 6 digits, and in a non-
ascending order.

However, when my credit card company asks for 4 of the 10 characters in
my password, it *always* asks in ascending order.

Bodincus
Sep 12, 2012, 6:59:35 AM
| · : · : · : · : · : · : · Original Message · : · : · : · : · : · : ·
| From: David Gibson
| Date: 12/09/12 09:59

> In article "Password Nonsense" in <uk.net.providers.gradwell>, on Tue,
> 11 Sep 2012 John Hall <nospam...@jhall.co.uk> writes
>
>> Andy <an...@kitzbuhel.demon.co.uk> writes:
>>> Perhaps they should have a word with most UK banks, who seem
>>> to always want eg 1, 3, 7 but never 7, 1, 3.
>>
>> My bank always asks for 3 of the 4 digits in my pin (in addition to
>> selected characters from my password), and every time the order is
>> different.
>
> Just checked. My bank asked for 3 of the 6 digits, and in a non-
> ascending order.
>
> However, when my credit card company asks for 4 of the 10 characters in
> my password, it *always* asks in ascending order.
>
And you enter them in random order, *clicking with the mouse* and *not
tabbing through* to select the input you want to enter.

And how is this relevant to the original thread?

Charles Lindsey

Sep 12, 2012, 4:59:35 PM
In <MoGwcmGx...@highwayman.com> Richard Clayton <ric...@highwayman.com> writes:


>What would actually make a difference is NOT a box-ticking exercise of
>password changes (usually driven by accountancy firms who have copied
>their lists of "how to make a computer system secure" from other
>accountancy firms -- completely failing to realise the changed
>assumptions from the 1980s threat models).

Sadly, the official advice on IT Security from the Information
Commissioner is to require regular password changes :-(. In fact the whole
booklet is simply a regurgitation of well-worn platitudes.

--
Charles H. Lindsey ---------At Home, doing my own thing------------------------
Tel: +44 161 436 6131 Web: http://www.cs.man.ac.uk/~chl
Email: c...@clerew.man.ac.uk Snail: 5 Clerewood Ave, CHEADLE, SK8 3JU, U.K.
PGP: 2C15F1A9 Fingerprint: 73 6D C2 51 93 A0 01 E7 65 E8 64 7E 14 A4 AB A5

Charles Lindsey

Sep 12, 2012, 5:06:39 PM
In <pQS5SXFh...@highwayman.com> Richard Clayton <ric...@highwayman.com> writes:

>key advice is not to use a password you've used at another service, lest
>that one be compromised...

Actually, no. I have lost count of how many online suppliers I have
registered with, because they require registration before "Proceeding to
Checkout". And I have no idea how many forums I have signed up to, just
because I needed that forum to answer a particular question, and that is
the forum Google sent me to.

But the common factor of all those is that the registration is for *their*
benefit, not mine. My money is not at risk. So security of that password
is unimportant *to me*.

Of course, where my money IS at risk, then I have several exceedingly
non-obvious passwords, and I maintain a notebook which contains a 'clue'
as to which one is needed for which.

Charles Lindsey

Sep 12, 2012, 4:46:26 PM
In <e548692a-c240-4f51...@googlegroups.com> Gradwell <helen...@gradwell.com> writes:

>I'm sorry you're frustrated with the password changes we have implemented.

>In light of recent events of unauthorised access to customers accounts, we made the decision to tighten security in order to protect our customers' businesses and increase security.

If it was your intention to tighten security, then why have you actually
weakened it?

David Gibson

Sep 13, 2012, 11:30:36 AM
In article "Password Nonsense" in <uk.net.providers.gradwell>, on Wed,
12 Sep 2012 Bodincus <nobod...@this.ip> writes

>> However, when my credit card company asks for 4 of the 10 characters in
>> my password, it *always* asks in ascending order.
>>
>And you enter them in random order, *clicking with the mouse* and *not
>tabbing through* to select the input you want to enter.

.. whilst saying a different set of numbers out loud in case anyone's
listening :-)

>And how is this relevant to the original thread?

Is relevancy to the original thread an issue with you? :-)

Bodincus

Sep 13, 2012, 1:27:01 PM
| · : · : · : · : · : · : · Original Message · : · : · : · : · : · : ·
| From: David Gibson
| Date: 13/09/12 16:30

> In article "Password Nonsense" in <uk.net.providers.gradwell>, on Wed,
> 12 Sep 2012 Bodincus <nobod...@this.ip> writes
>
>>> However, when my credit card company asks for 4 of the 10 characters in
>>> my password, it *always* asks in ascending order.
>>>
>> And you enter them in random order, *clicking with the mouse* and *not
>> tabbing through* to select the input you want to enter.
>
> .. whilst saying a different set of numbers out loud in case anyone's
> listening :-)
<tinfoil hat>
>
>> And how is this relevant to the original thread?
>
> Is relevancy to the original thread an issue with you? :-)
>
Yes, get your own thread.

Andy

Sep 13, 2012, 3:27:18 PM
In message <50521765$0$9127$862e...@ngroups.net>, Bodincus
<nobod...@this.ip> wrote
>| · : · : · : · : · : · : · Original Message · : · : · : · : · : · : ·
I'd say that this thread has remained remarkably on topic, which was how
we think Gradwell should have done their password-please setup and
factors affecting such systems.

But contribution to any thread, indeed reading one, is optional :)

Roland Perry

Sep 19, 2012, 4:09:07 AM
In message <7ph4s$BV7EU...@caves.org.uk>, at 09:59:01 on Wed, 12 Sep
2012, David Gibson <david@[127.0.0.1]> remarked:
>>>Perhaps they should have a word with most UK banks, who seem
>>>to always want eg 1, 3, 7 but never 7, 1, 3.
>>
>>My bank always asks for 3 of the 4 digits in my pin (in addition to
>>selected characters from my password), and every time the order is
>>different.
>
>Just checked. My bank asked for 3 of the 6 digits, and in a non-
>ascending order.
>
>However, when my credit card company asks for 4 of the 10 characters in
>my password, it *always* asks in ascending order.

I had cause to give a credit card company a call yesterday, and their
phone banking gateway robot asked in ascending order.
--
Roland Perry

Roland Perry

Sep 22, 2012, 2:27:56 AM
In message <qpkui9-...@llondel.org>, at 18:30:01 on Fri, 21 Sep
2012, David Hough <noone$$@llondel.org> remarked:
>> I had cause to give a credit card company a call yesterday, and their
>> phone banking gateway robot asked in ascending order.
>
>If it is completely random then occasionally it should ask in ascending
>order.

If it was completely random then occasionally it would ask for the same
digit three times. I'm sure they program out that possibility, which
also allows them to choose three digits at random, then ask for them in
a random order, but specifically exclude [re-randomise] any instances
where the order turns out to be ascending.
--
Roland Perry

Roland Perry

Sep 23, 2012, 3:07:30 AM
In message <oic0j9-...@llondel.org>, at 10:21:59 on Sat, 22 Sep
2012, David Hough <noone$$@llondel.org> remarked:
>>>> I had cause to give a credit card company a call yesterday, and their
>>>> phone banking gateway robot asked in ascending order.
>>>
>>>If it is completely random then occasionally it should ask in ascending
>>>order.
>>
>> If it was completely random then occasionally it would ask for the same
>> digit three times. I'm sure they program out that possibility, which
>> also allows them to choose three digits at random, then ask for them in
>> a random order, but specifically exclude [re-randomise] any instances
>> where the order turns out to be ascending.
>
>That's probably cryptographically weak in some obscure manner. As soon as
>it's known that something can't occur, it's a bit more information for
>someone trying to crack it.

Nevertheless, I doubt anyone has a system that asks for the same digit
more than once. I have a banking account where they ask for a random
two-from-four (which doesn't feel very strong, I have to say). In over
ten years it's always asked for two different digits.
--
Roland Perry
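As an added illustration, not written by anyone in this thread, here is a Python sketch of the challenge generator Roland describes (distinct positions, random order, ascending draws thrown away) together with a count of how many distinct challenges it can emit, which puts a number on David's "a bit more information" objection. The secret length `n_digits` and the number of positions asked `k` are assumed inputs; the positions are 1-based.

```python
import itertools
import math
import secrets

_rng = secrets.SystemRandom()  # OS-backed CSPRNG rather than random.random()


def pick_challenge(n_digits, k, reject_ascending=True):
    """Return k distinct 1-based positions of an n-digit secret, in random order.

    Follows the scheme discussed in the thread: pick distinct positions, ask
    for them in a random order, and re-randomise whenever that order comes out
    ascending. A single position is trivially "ascending", so rejection is only
    applied for k >= 2 (otherwise the loop would never terminate).
    """
    if not 1 <= k <= n_digits:
        raise ValueError("need 1 <= k <= n_digits")
    reject = reject_ascending and k >= 2
    while True:
        positions = _rng.sample(range(1, n_digits + 1), k)
        if reject and positions == sorted(positions):
            continue  # ascending draw: discard it and try again
        return positions


def is_valid_challenge(positions, n_digits, k, reject_ascending=True):
    """Policy check a verifier could run on a challenge before issuing it."""
    ok = (len(positions) == k
          and len(set(positions)) == k
          and all(1 <= p <= n_digits for p in positions))
    if ok and reject_ascending and k >= 2:
        ok = positions != sorted(positions)
    return ok


def challenge_space(n_digits, k, reject_ascending=True):
    """Number of challenges the generator can emit, in closed form."""
    total = math.perm(n_digits, k)       # distinct positions, order matters
    if reject_ascending and k >= 2:
        total -= math.comb(n_digits, k)  # exactly one ascending order per set
    return total


def challenge_space_brute(n_digits, k, reject_ascending=True):
    """Same count by exhaustive enumeration, to cross-check the closed form."""
    return sum(1 for p in itertools.permutations(range(1, n_digits + 1), k)
               if is_valid_challenge(list(p), n_digits, k, reject_ascending))


def bits_lost(n_digits, k):
    """Entropy of the challenge given up by refusing ascending orders, in bits."""
    return math.log2(challenge_space(n_digits, k, False)
                     / challenge_space(n_digits, k, True))
```

For a 6-digit secret with 3 positions asked, refusing ascending orders shrinks the challenge space from 120 to 100, about a quarter of a bit; the cost is real but small compared with the leak of asking the same ascending positions every time.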