The Second Day after Password Change is the worst

I am back to that world. One thing I miss from working at the bomb factory was enforced chip+pin for login. Stick my badge in the card reader and enter the PIN.
Anyone who got long term exemptions had to get their manager's manager to sign off every 6 months.

6 Likes

I have a ton of passwords at work (also for home/personal stuff, I use Keepass for home and Lastpass at work) but the home ones don’t bother me. The reason the work ones bother me is because I get logged out of most things every day and when I’m in a rush to get something done it ends up going like this:

  • Login to computer so I can get to Lastpass, so I can
  • Login to Lastpass, so I can
  • Login to the VPN, so I can
  • Login to the system that builds the code and start a build, then I can
  • Login to the system that deploys the build and deploy it, so I can
  • Login to the system that lets me
  • Login to the system running the deployed code, from which I can
  • Login to the database on that container so that I can finally run that quick query that I needed to check – if I can even remember it now after 8 distracting login procedures. If I got doubly-distracted by 2FA prompts and having to go login to my phone to go to the authenticator app to get a code to relogin to something then it’s a sure bet I’ve forgotten what it was that I was intending to do in the first place. Hmm. Maybe I left a note in the ticketing system,
  • Login to the ticketing system to search for any indications of what I was trying to do

Single sign-on is supposed to be in the works for someday. I don’t generally like it since it’s a single point of failure and can cause things to get cross-contaminated in some circumstances (watching music videos, searching the web, and checking email are not a single connected workflow and shouldn’t influence each other, Google), but for connected workflows across disparate systems it’d sure be nice to have.

5 Likes

All my passwords would look like logmeinoct18, logmeinnov18, logmeindec18, …

SEE ALSO: learning to type   su -   instead of just   su

8 Likes

Third day. Automatic entry of password n-1 has generally stopped.

Password entry is now observed as being [ pause ] followed by entry of password n-(RNG).

The subject typically realizes the mistake after 4 to 7 characters have been entered, backs out and enters password n

5 Likes

Day 3 is amusing, but I’m particularly fond of Day 8, when your lizard brain wants to autocomplete the password without correctly remembering where symbols and capitalisation are supposed to go.

6 Likes

Ah, yes, the old “Lizard Brain, Why do you suddenly think capitalization does not matter?”

I believe this is linked to the phenomenon of capitalizing numbers…

Small Eff, capital Zero, capital Zero, small Bee, small Aye, small Arrr.

4 Likes

“Your new password may not contain more than a three character sequence in common with your old password. Please enter a new password.”

7 Likes

Okay, then, I’ll alternate between two patterns.

“Your password is too similar to one you’ve used within the last 24 password changes.”

5 Likes

I’ve sometimes thought that having a 128 character password complete with smalls and caps, digits, and special characters would be great to have as a phone number. Seems to me it would cut down on the kind of spam calls dialed at random.

If (or when) it leaks into spammers’ databases, then change it to a new one, and automatically send the new one securely only to your friends and other contacts.

3 Likes

I don’t think they do it that way anymore.

We’ve had spam calls at work where it’s very obvious some machine is just working through all possible numbers for a given known exchange.

128 characters with more possible symbols would take longer, but could be done the same way.

4 Likes

Let’s assume a character set of 64 (26 uppercase, 26 lowercase, 10 digits, 2 symbols).

64^128 = ~ 1,552,518,092,300,708,935,148,979,488,462,500,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000.

I’d like to see them try.

5 Likes

Looks like the perfect job for a virus-infected zombie PC bot army :slight_smile:.

5 Likes

Indeed. And I think the delay needed to connect and wait for the phone company to say “That number doesn’t exist” would make it even worse for the spammers. Let’s say it takes one second to connect and get a “number doesn’t exist” message. That would be 64^128 seconds, or about 5e+214 billion years (if my calculations are correct). The universe may not even last that long.

Even if each call takes one nanosecond, and the spammers have software that makes a trillion calls at once, you’d still have a whole lot of numbers to try.

3 Likes

We have a 30 day expiration where I work. It’s my absolute favorite thing to be reminded by Windows that I should change my password 15 days after I changed it.

It sounds like you’re happy with BitWarden, but it’s worth mentioning (at least for others), that KeePass supports Two Factor through a plugin named KeeOTP.

I also use KeePass, and recommend it for anyone so long as they’re willing to put in the work. KeePass has an active plugin development community, and there are a number of quality of life improvements available. Here are the plugins/extensions I’m currently using above the base KeePass experience:

  • KeeOTP
    • This stores seeds for OTP generators, like Google Authenticator. It works with many of the major Two Factor implementations.
  • KPEntryTemplates
    • This adds template functionality to the UI, so you have different field layouts for different types of accounts.
  • KeeAgent
    • This allows me to store my SSH keys in KeePass, and works with PuTTY and mRemoteNG (and probably others) to automatically login.
  • Readable Passphrase Generator
    • This generates passphrases like “Correct Horse Battery Staple”. I use this for passwords I might conceivably have to type in, like my primary account password at work.
  • KeePassHttp
    • This makes KeePass data (selectively) available via HTTP, to be used by clients, such as…
  • PassIFox
    • This integrates with Firefox to automatically fill in usernames and passwords. This makes KeePass almost invisible for most day to day browsing.
  • ChromeIPass
    • Just like above, but for Chrome. I find it doesn’t work quite as well, though.

For mobile, I use KeePass2Android and store my password file in Google Drive for easy access. Additionally, I have purchased an InputStick to make logging in at work a bit easier. I’ve barely seen my last few passwords.

I should probably turn this into its own post at some point…

Extensions like PassIFox and ChromeIPass can help with these, but you can also use the built-in AutoType functionality in KeePass, or use the KeePass2Android keyboard on mobile. I try to avoid copying and pasting passwords when I can since just about any other program can read the clipboard.

4 Likes

Doh. Didn’t think of that. At least KeePass deletes the clipboard after a certain number of seconds. I’ll look into AutoType.

ETA: looks like I have AutoType enabled already – must be default. The two factor obfuscation isn’t enabled though.

2 Likes

Planck time (in seconds) (Pt) = ~ 5 x 10^-44 s
Age of the universe (in seconds) (A) = ~ 4.32 x 10^17 s
Number of atoms in the universe (U) = ~ 10^82

U x (A/Pt) = ~ 8.6 x 10^142.

Number of possible phone “numbers” = ~ 1.6 x 10^231

Chance of winning the Powerball: 1:3 x 10^8

Turn every atom of the universe into a zombie PC, have the interval between each attempted call be equal to Planck time, run your zombies for as long as the universe is thought to have existed so far, and you’d still be (much) more likely to have won the Powerball ten times in a row than to have called one of the 7 billion numbers corresponding to a person on Earth.

(Edit: multiplied by the most significant digits of Planck time, rather than divided. Math error fixed).
(Edit #2 and #3: And mucked up the Powerball chances when converting into scientific notation. Only ten wins in a row, not twelve).

4 Likes

I think this is something we should patent, that is it would be if there was a 1/(64^128) chance it would ever be implemented.

3 Likes

They’re SAVING … at least … 23 old passwords at all times?

Wait, as CLEARTEXT? No, that would be crazy. Encrypted with the n – 1 password?

And then reencrypting the list every time you change it?

This still doesn’t sound legit :fearful:

3 Likes
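The post above asks how a system can refuse a password that was “used within the last 24 password changes” without keeping the old ones in cleartext. The sketch below is an added example, not code from the thread or from any of the products named in it. It keeps the history as salted PBKDF2 hashes (exact reuse is detectable against a hash), and applies the “no more than a three character sequence in common” rule only against the current password, which is the one the user just typed at the change prompt and so is the only one available in cleartext. Names, the hash parameters and the sample passwords are all assumptions of the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

ITERATIONS = 100_000        # assumed PBKDF2 work factor for the example
HISTORY_DEPTH = 24          # current password + 23 old hashes, as in the thread


@dataclass
class PasswordRecord:
    """Current salted hash plus a bounded history of (salt, digest) pairs; no cleartext."""
    salt: bytes
    digest: bytes
    history: list = field(default_factory=list)


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def longest_common_run(a: str, b: str) -> int:
    """Length of the longest substring shared by a and b (the 'three character sequence' rule)."""
    best = 0
    for i in range(len(a)):
        for j in range(len(b)):
            k = 0
            while i + k < len(a) and j + k < len(b) and a[i + k] == b[j + k]:
                k += 1
            best = max(best, k)
    return best


def create(password: str) -> PasswordRecord:
    salt = os.urandom(16)
    return PasswordRecord(salt, _hash(password, salt))


def change_password(rec: PasswordRecord, old: str, new: str, max_common: int = 3):
    """Returns (accepted, reason). Similarity is checked only against `old` (known in cleartext
    at this moment); every older entry is a hash, so it can only be checked for exact reuse."""
    if not hmac.compare_digest(_hash(old, rec.salt), rec.digest):
        return False, "current password incorrect"
    if longest_common_run(old, new) > max_common:
        return False, "too similar to current password"
    for salt, digest in [(rec.salt, rec.digest)] + rec.history:
        if hmac.compare_digest(_hash(new, salt), digest):
            return False, "reused within last %d changes" % HISTORY_DEPTH
    # Rotate: current hash moves into history, history is trimmed to 23 entries, new salt drawn.
    rec.history = ([(rec.salt, rec.digest)] + rec.history)[: HISTORY_DEPTH - 1]
    rec.salt = os.urandom(16)
    rec.digest = _hash(new, rec.salt)
    return True, "ok"
```

Because the similarity rule only ever sees the password being replaced, a sequence of month-based passwords like the one earlier in the thread is caught one step at a time, while reuse of anything older is caught by the hash comparison alone.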

Same password, Caesar cipher, move on one each change. Computer will never catch it and it will look like gibberish 25 times out of 26.

3 Likes

10 days in. Perhaps thinking all would be well in a fortnight was optimistic.

When presented with a password prompt, the subject begins to randomly mash buttons before deleting that and pushing more buttons.

7 Likes