Topic: Microsoft tells users to stop using strong passwords everywhere (Read 5712 times)

Any decent service will block you (at least temporarily) after trying to enter a few wrong combinations, so it doesn't depend on how powerful your machine is.

My online banking account just let me put 4 numbers Pin  but if i want to withdraw some money from my account for that there is 2FA.

Yes  that's correct... The 2FA system is very  good system.

What is more annoying is some crappy sites like Dominos pizza have annoying password rules.. so simple passwords won't work.

Not "everywhere". This is nothing new. No need to use very strong passwords on sites w/ no connection to financial/personal information, really. Not the end of the world if you lose access.

Many sites have restrictions which either restrict the time allowed between login attempts and/or lock you out after a set number of failed attempts.

Microsoft sucks dick.  that's all i have to say.

What does not seem correctly to me is to keep the password in the same computer or written down in a paper, in the computer anyone can stole it and in paper you can lose it.
So if you put a strong password but you do some of the above is the same or worst that if you put a weak one.

- Sites limiting the size of passwords is just stupid.
- Most password crackers begin with hacking a copy of the database password hashes rather than bruteforcing the password field of a website
- Any site of any worth will use password salting which makes it much harder for an attacker to brute force your password from a hash stored in the database
- You need at least an 80 bit password.
- The keyspace is what password crackers work on, that and a number of common password patterns people use.

If you use lower and upper case, numbers and special characters then the keyspace is about 96 characters ( a-z, A-Z, 0-9, !-? ). Chances of attaining 80 bits or higher with an 8 or higher character password are good if you use the full character set.

Problem is they are difficult to memorise.

Try http://www.safepasswd.com and set it to Easy To Remember, and set the password length to 10 for your dumb password, and to 18 for your hard one.
Easy: bRitain8@2
Hard: H#iNTerceptor23rAid1

Use your easy password for everything except stuff that matters, use the hard password and if no length restrictions, the easy password for everything else

i.e. H#iNTerceptor23rAid1+bRitain8@2
------- Hard -------------- Easy ---

If an attacker nabs your easy password from other site they won't be able to use it to help them one bit with breaking the longer password, because in of itself, its not crackable by any password cracker on this earth at this point in time.

If the site that you are using the password for properly restricts login attempts by both IP address and by username then it should be very difficult to gain access to even a weak password if the attacker doesn't have a hash of the password.

Or a deterministic password?

I have "strong" password for only a couple of things like bitcoin wallet and email, but only writen on my mind, if you type it everywhere so it stops being "strong", for the rest i have weak.

"Write down your password... Your wallet is a lot more safe than your computer"

-- Whitfield Diffie (co-inventor of public key cryptography)

My password is always changing  because my online bank account want me to change it every 3 months and use a password that was not used in the last 12 changes ... that's like 36 months ... so I invent a new password every 3 months and after 1 week of inventing it I'm at the bank requesting for a reset and The second password I make i remember .... this is happening to me for more than 3 years now

Thanks for the 'advice' Microsoft 

Think I'll stick with http://keepass.info/ for managing my passwords

This is why I like the idea of using biometrics for everything. People get lazy when it comes to choosing a password but will put up a fight about somebody trying to steal an eyeball.

Don't worry, Ellen DeGeneres has the perfect solution!

What did I just read 
Well strong passwords offer better protection against Bruteforcing,Cracking etc
My password is about 10 Digits/Letters long and it is pretty unique.

I agree, this is full of risks that just are not worth taking.

What if your house were to catch fire, then all of a sudden you would not even be able to log into your bank account (along with all your other accounts).

I think this is very risky. If your "password book" were to get stolen, not only would all your accounts get hacked, but you would not have access to any of your accounts that an attacker doesn't think are worth his time.

I've been writing all my passwords down in a little book for the past 13 years. Amazingly, it's never been hacked into. Seriously, it's the best solution. If i lost the book, which doesn't seem likely, I guess I'd just reset the passwords.

There's a lot of sense in this: hackers aren't going to spend much effort hacking passwords into accounts that are of no value e.g. an account on a recruitment site unless they believe you're using the same one as you do for your banking or e-mail accounts, and if not, then they expend a lot of effort for nothing.
I set totally different password criteria for e-mail and banking/ecommerce websites than I do for less sensitive sites, which makes the few high security passwords I have easier to remember.

Something like this ?

Following this same logic, I have replaced the locks on my house with strips of duct tape.

This is the problem. Most passwords are capped at below 15-20 characters. That's 4-5 words.
ps.

https://blockchain.info/address/1JwSSubhmg6iPtRjtyqhUYYH7bZg3Lfy1T
People are still using that crap .

Suprisingly no, it's not. Atleast for sufficiently long paragraph of rare text. There is rather large number of common English words. 5 or so of these gives good security. As long as paragraph isn't: correct horse battery staple

Don't do this.
At least add a number or a %^& . A paragraph in English is such an easy target.

You don't need to remember passwords. Just always use the "forgot my password" link and get a new auto-generated one every time you want to use the site. If they don't assign a temporary one, just cut and paste a whole paragraph from an arbitrary web page that you happen have open. You don't have to remember anything if you reset every time you want to log in.

So if my girlfriend want to read let's say my emails there is no way I can fully protect them?
We're talking about things you want to protect from a random thief not from the government.

The importance a lot of people attach to such a topic never ceases to amaze me.
If someone wants your data and you do have something significant online - they will get it.
If you really do think its too important to be shared why the hell is it online (or on a PC to be more precise) in the first place?
Of course things are never quite that black and white, but I can't help feeling a lot of the time that a lot of people make a decent wedge out of talking crap about passwords and data security.

My usual password is 13-17 characters long, with a mix of upper/lower case, and numbers.. Its easy to remember bc I use it often. 7 letter password doesnt seem safe to me for online banking. I thought it was odd they only allowed 7 characters aswell..

My online banking account requires a second code sent to my personal phone (2FA).
Also all the banks here rely either on a sms code or a token for extra security.

And I live in Romania......

I did that once with a email account and forgot to pull that paper out of my trousers before putting them in the washing machine, remembered the secret question thankfully.

7 characters would be something like 12,000 hours on a really crummy pc.  So better machines would reduce that a lot.  So 7 certainly is crackable.

Is this Microsoft's way of saying that their involvement in PRISM et al has proven difficult, that their backdoors aren't working for them and that we should make passwords easier for them to crack? What a tit.
 Always use a complex password with uppercase, lowercase, numbers and special characters where allowed.

Having an online password of 7 characters is fairly secure.  You can't brute force a web password if they programmed it correctly.

My online banker doesnt allow a password over 7 characters long. Thats not secure now is it.. I thought this was such a joke I brought it up to the customer service, and they really had nothing to say.. Seriously...?

Write on a piece of paper and put it on your wallet. No need to memorize those strong passwords.

or use a password manager and memorize only one strong password.

I already do this.  I have a few differnt ones on sites I'm unsure of and more complex variations for more important needs.  When I go to an unimportant site I have an idea right away what the password would be based on it's importance to me and then I usually guess right after a couple tries.  Best to write the unimportant ones down and put them someplace safe.

Or lastpass. I haven't tried it personally but I've heard some VERY good things about it.

flash drive! no brain memory required.  Only password I memorize is email in case I need it on the go.  But ya, I'm not going to waste my time with a strong password for a site with no important info.  I like how my school requires "strong" passwords, I'm so afraid that someone will get into my account and do my homework for me

Well how much "brain power" is really used in strong passwords? Personally, I have an algorithm that I use to memorize all my passwords. But if the algo is leaked somehow some of my passwords could be comprised. So that's risky, but then again, I don't waste any "brain power" lol.

They should tell users to spend 1 month or 2 in some memorization course, then no more need to worry about wasting brain hash power with passwords.

What about having one strong password for some kind of keychain (with proper backups) that would remember all of the very strong passwords for each site?

Most users believe their best password is strong while it is not. If they are allowed to use their weak passwords, it will be too weak. 

I have had this stance for long. Let's take places like random forums and semi-useful services that don't carry any financial risks or allow access to other places, is strong passwords really needed in those?

Users should use and reuse weak passwords for websites which don't hold valuable information, say researchers from Microsoft, overturning decades of accumulated wisdom on internet security.

By not having to worry about remembering complex unique passwords for every individual website, users can focus their efforts on recalling secure passwords for high-value sites like banking or e-commerce.

I don't see the "everywhere" from your title.

Another article for hits made by theguardian

Microsoft tells users to stop using strong passwords everywhere

http://www.theguardian.com/technology/2014/jul/16/microsoft-stop-using-strong-passwords-everywhere

<< Weak passwords have their place, argues new research from Microsoft, and they help users conserve brainpower for where it is needed. >>