Replies

The entire notion of password has proliferated to the point that it’s gotten out of hand. I’m not particularly prolific with my online presence as far as forums, accounts with businesses, etcetera and I have more than thirty. I’ve given up trying to keep up with them all, with their constant requests to update passwords for security. I let my system generate them and save them. They autopopulate on my Apple devices. I have no clue what the individual passwords are myself. If I’m not on one of my devices I have to go through security questions or text validation or email validation and reset it to gain access, then reset it again once back on my devices so it’ll autopopulate once again. There is no way in hell anyone can keep up with all this, which is why so many otherwise intelligent people repeat the same, too-simple to the point of obvious password on all their accounts.

My company locks my access to my computer after three failed log in attempts. In addition, I have a separate log on to my computer, have a separate log on to the system and yet another separate log on to our VPN network if working remotely. All have three failed try lock outs. You have to call a company system administrator by telephone and request unlocking to regain access to the system. All three change passwords every couple months at different frequencies.

I mention this because unsaid in this article is the fact that the AI password guessing software seems to have unlimited attempts to access a computer/system with no lock out to impede them while it goes through its algorithm-driven computational gymnastics while guessing at a password.

I don’t.

Does anyone know how these AI password systems fare in a limited attempt lockout controlled access system?

re: “Food for thought... How long before this all gets out of hand? “

How much ‘stuff’ do you leave on your phone?
How much ‘stuff’ do you leave on your computer/laptop/tablet?

Every time I have to enter a password, I select ‘do not remember’. I might not have as many needs for passwords, as some of you younger (<65) folks, but do you have your machine of choice ‘remember’ your password?

Actually, thanks to the younger, and those who demanded an easier tech life, it is already out of hand, and your privacy is screwed.

“And if you’re worried about your own security, experts suggest ways to create strong passwords—such as by making them long (but still easy to remember)—and using two-step authentication.”

So, how does one construct “long but easy to remember passwords”? Not hard to construct one. Two is still fairly easy. I must have 50 passwords. Each is supposed to be unique. Each user name is supposed to be unique as well. Not only would I have to remember each password and username, I also would have to remember which one goes with which system.

I wonder how many “experts” follow their own advice?

I adopted two-factor authentication a decade ago and selected YubiKey. I opted to use their physical tokens, a little USB dongle that generates a very long one time code each time you use it to access a site. The system integrates nicely with various password manager programs.

The big downside is not having a key with you when you need it. I keep one on my company badge retractor, one on my personal keychain, and one in a living room endtable. The keys are unlabeled, so if you lose one the finder/thief won't know who it belongs to (assuming you keep all identification odd your keychain). Without the physical key, I'm not getting into my systems (unless I remember the person). My PW manager generates very long and impossible to remember passwords for sites, too.

YubiCo

There is something even more sinister happening on the internet. "It" happened to me.

When it comes to passwords, I don't do anything where if someone cracked my password they would be able to access any important private information about me and/or my family. I don't communicate any important information via e-mail, and I don't do Facebook or Twitter or any other social network interaction.

But, my problem is regarding what Google did last week.

My wife looked at our bank statement online. She noticed a charge for about $40. She was stunned that I had applied to and got charged for YouTube TV service. I did not.

Okay, maybe I did, in a way. What I did was to apply for a "trial" service of YouTube. And I expected that I could go and use that trial service to see if it was worthwhile getting it to replace my cable TV service. After browsing through the YouTube lineup, I decided immediately that I did not want that awful and limited service. So, I did not complete by trial subscription. So I thought.

Then, last week came the surprise via the Google charge on our credit card account. I HAD NEVER EVEN ENTERED ANY ACCOUNT INFORMATION in order to authorize the charges. But, the bank account showed a "recurring" monthly charge of $40, with last week being the first time the payment was drawn automatically.

Like I said, I had NEVER entered any account information to authorize any charges.

So, I called Google CS. The rep (based in the Phillipines, he told me) said that, the account information had very likely been obtained from information stored on my computer from previous use of the credit card where I had authorized "other" services (didn't have to be from Google) to use my credit card for payment. So, it turns out that Google had done a scan of my computer information to find a credit card that could be used to pay for the YouTube TV service. Like I said, I never did authorize any payment and I had not even entered any information into Google to authorize the recurring payments.

Google took the liberty of using, WITHOUT AUTHORIZATION, account information which had been recorded on my computer from some previous payment which I had made to "other" services. That was a huge surprise, and I was very angry that Google could be so invasive. I never trusted Google before, and I trust them even less. However, that taught me a lesson about making any kind of payments online to any other service. And I won't do it again. If my account information is being retained on my computer without my knowing it, I don't want to risk it being used in the future without authorization.

If I want to set up any kind of recurring payments, I'm going old school and doing them directly via the bank and not some online service. But now, I'm rethinking even that procedure, since, if I can view account information via online banking, what is there to say that even that information is not being recorded and "made available" for future "unauthorized" purchases.

Needless to say I called Google and cancelled the YouTube service which I had NOT really purchased, and that first payment was going to be refunded. The only good thing I can say regarding the whole experience is that, the rep was very kind and thoughtful, and I appreciate HIS service.

Lesson learned. Never again.

George: I am not giving you my code.

Kramer: I’ll bet I can guess it.

George: Pssh. Yeah. Right.

Kramer: Oh, alright. Yeah. Uh, let’s see. Um, well, we can throw out birthdays immediately. That’s too obvious. And no numbers for you, you’re a word man. Alright, let’s go deeper. Uh, what kind of man are you? Well, you’re weak, spineless, a man of temptations, but what tempts you?

George: Huh?

Kramer: You’re a portly fellow, a bit long in the waistband. So what’s your pleasure? Is it the salty snacks you crave? No no no no no, yours is a sweet tooth.

George: Get out of here.

Kramer: Oh you may stray, but you’ll always return to your dark master, the cocoa bean.

George: I’m leaving.

Kramer: No, and only the purest syrup nectar can satisfy you!

George: I gotta go.

Kramer: If you could you’d guzzle it by the gallon! Ovaltine! Hershey’s!

George: Shut up!

Kramer: Nestle’s Quik!

George: Shut up!