The Second Day after Password Change is the worst

Indeed. And I think with the delay needed to connect and waiting for the phone company to say “That number doesn’t exist” would make it even worse for the spammers. Let’s say it takes one second to connect and get a “number doesn’t exist” message. That would be 64^128 seconds, or about 5e+214 billion years (if my calculations are correct). The universe may not even last that long.

Even if each call takes one nanosecond, and the spammers have software that makes a trillion calls at once, you’d still have a whole lot of numbers to try.

3 Likes

We have a 30 day expiration where I work. It’s my absolute favorite thing to be reminded by windows that I should change my password 15 days after I changed it.

It sounds like you’re happy with BitWarden, but it’s worth mentioning (at least for others), that KeePass supports Two Factor through a plugin named KeeOTP.

I also use KeePass, and recommend it for anyone so long as they’re willing to put in the work. KeePass has an active plugin development community, and there are a number of quality of life improvements available. Here are the plugins/extensions I’m currently using above the base KeePass experience:

  • KeeOTP
    • This stores seeds for OTP generators, like Google Authenticator. It works with many of the major Two Factor implementations.
  • KPEntryTemplates
    • This adds template functionality to the UI, so you have different field layouts for different types of accounts.
  • KeeAgent
    • This allows me to store my SSH keys in KeePass, and works with PuTTY and mRemoteNG (and probably others) to automatically login.
  • Readable Passphrase Generator
    • This generates passphrases like “Correct Horse Battery Staple”. I use this for passwords I might conceivably have to type in, like my primary account password at work.
  • KeePassHttp
    • This makes KeePass data (selectively) available via HTTP, to be used by clients, such as…
  • PassIFox
    • This integrates with Firefox to automatically fill in usernames and passwords. This makes KeePass almost invisible for most day to day browsing.
  • ChromeIPass
    • Just like above, but for Chrome. I find it doesn’t work quite as well, though.

For mobile, I use KeePass2Android and store my password file in Google Drive for easy access. Additionally, I have purchased an InputStick to make logging in at work a bit easier. I’ve barely seen my last few passwords.

I should probably turn this into its own post at some point…

Extensions like PassIFox and ChromeIPass can help with these, but you can also use the built-in AutoType functionality in KeePass, or use the KeePass2Android keyboard on mobile. I try to avoid copying and pasting passwords when I can since just about any other program can read the clipboard.

4 Likes

Doh. Didn’t think of that. At least KeePass deletes the clipboard after a certain number of seconds. I’ll look into AutoType.

ETA: looks like I have AutoType enabled already – must be default. The two factor obfuscation isn’t enabled though.

2 Likes

Planck time (in seconds) (Pt) = ~5 × 10^-44 s
Age of the universe (in seconds) (A) = ~4.32 × 10^17 s
Number of atoms in the universe (U) = ~10^82

U × (A/Pt) = ~8.6 × 10^142.

Number of possible phone “numbers” = ~1.6 × 10^231

Chance of winning the Powerball: 1:3 × 10^8

Turn every atom of the universe into a zombie PC, have the interval between each attempted call be equal to Planck time, run your zombies for as long as the universe is thought to have existed so far, and you’d still be (much) more likely to have won the Powerball ten times in a row than to have called one of the 7 billion numbers corresponding to a person on Earth.

(Edit: multiplied by the most significant digits of Planck time, rather than divided. Math error fixed).
(Edit #2 and #3: And mucked up the Powerball chances when converting into scientific notation. Only ten wins in a row, not twelve).

4 Likes

I think this is something we should patent, that is it would be if there was a 1/(64^128) chance it would ever be implemented.

3 Likes

They’re SAVING … at least … 23 old passwords at all times?

Wait, as CLEARTEXT? No, that would be crazy. Encrypted with the n – 1 password?

And then reencrypting the list every time you change it?

This still doesn’t sound legit :fearful:

3 Likes

Same password Caesar cipher move on one each change. Computer will never catch it and it will look like gibberish 25 times out of 26.

3 Likes

10 days in. Perhaps thinking all would be well in a fortnight was optimistic.

When presented with a password prompt, the subject begins to randomly mash buttons before deleting that and pushing more buttons.

7 Likes