[conspire] Password permutations (was: Correction)

Michael Paoli Michael.Paoli at cal.berkeley.edu
Fri Apr 17 02:12:31 PDT 2020


> From: Texx <texxgadget at gmail.com>
> Subject: Re: [conspire] Password permutations (was: Correction)
> Date: Tue, 14 Apr 2020 19:22:15 -0700

> After being on the bench for months, I landed a gig.
> My first day, I was presented with a MAC laptop and a bunch of reading.
>
> The reading largely spelled out what I vaguely suspected.
> I went with long passwords, opened a separate password manager from the one
> that I use,
> and I didn't repeat the same password for ANYTHING.
> The first 2 days went fine as the onboarding progressed.
>
> On the third day, I forgot my password to the password manager.
> This resulted in being unable to log into the laptop, or the "Apple-ID"
> This, in turn "bricked" my MAC and while I was able to request help with my
> APPLE-ID,
> they had a mandatory waiting time of a month.
>
> There was no way to reinstall OS on the MAC.
>
> The job that was going to turn my life around, (Full time, yet) ended on my
> 1 week anniversary.

Bummer dude.  :-(  Sorry to hear that.

So, one of the things to always be aware of, when selecting
passwords/passphrases or the like - and also when entering them,
be aware / keep in mind - what's the recovery procedure?  Is there
even one, or is there practically/feasibly one?
And also, what happens with incorrect password/passphrase attempts?
What are the consequences (hassles, or worse), if that happens
"too many times" ... and sometimes there are multiple thresholds on
that (e.g. delays next login attempt, locks out for 5 to 30 minutes,
have to get admin to unlock/reset, or go through some other
procedure for that, to, egad, device/data bricked or unrecoverable
... and sometimes the latter is even desirable - but it's a bit on
the more extreme side).

So, e.g., encryption of, e.g. drive (or partition/filesystem,
user data ...).  Sometimes users ask me, and/or I ask them.  And when
they start to get all excited about wanting encryption, I also give them
dire warning - you lose/forget your encryption key/password/passphrase,
you lose all access to that data.  Period.  No recovery, no getting
it back.  And despite that, some users still not only go with
encryption, but lose/forget the key/passphrase/password to be able to
unlock the encryption.  <sigh>  Egad, some users repeatedly forget their
passwords, and don't even have the skills to unlock themselves from
there - even with physical access.  Heck, those users, I generally
won't even bring up or suggest something like drive encryption or
the like.  Yeah, it's annoying when I have to repeatedly reset
passwords for the same user on their Linux goop over and over and
over again.  But it happens.

Oh, and stuff that locks out / bricks.  It's especially annoying
when they don't tell you about such "features".  Surprise!  Not good.
(See also: Principle of Least Surprise)

So, yeah, the more, uh, "sensitive" stuff to that - especially
one-way-trips to bricking or other significant hassles.  I'm a helluva
lot more careful that I enter the password/passphrase correctly.  I also
make dang sure I can verify/(re)confirm I've got it correctly and it is what
I think it is (or at least be as sure as feasible), before trying to
(re)enter it.

Yep, had a coworker once ... such "security" software on their
smart phone.  Smart phone bumping around in pocket.  Smart phone takes
that as unlock(/"login"/authentication) attempts.  Too many of those
(sort'a like pocket/butt dial), and the phone bricked itself.  All
data gone.  Just because the phone was bouncing around in the pocket for
some bit.  "Oops."  So, yeah, I do know of such software/devices
that'll do that.  Typically 10 to 20 failed attempts and ... bricked.
A lot more persnickety stuff gives one grief after as little as 3
failed attempts - like requiring administrator to reset/unlock after
3 failed attempts.
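One way to do the "verify before (re)entering" step the post describes, as an added example (not code from the original post or from any of the software mentioned): keep a salted scrypt verifier of the passphrase in a local file, and check a typed candidate against it before risking a strike on a device that bricks or locks out. The file location and scrypt parameters are this example's own choices.

```python
"""Offline passphrase verifier (added example, not from the original post).

Check a passphrase against a locally stored, salted scrypt digest before
typing it into something that locks out or bricks after a few failures.
The verifier file does not reveal the passphrase, and a wrong guess here
costs only CPU time, not a lockout strike.
"""
import hashlib
import hmac
import json
import os
import secrets
from pathlib import Path

# scrypt cost parameters: deliberately slow and memory-hard (about 16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def make_verifier(passphrase: str) -> dict:
    """Return a JSON-serialisable record that can later confirm the passphrase."""
    salt = secrets.token_bytes(16)  # fresh random salt per record
    digest = hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return {"salt": salt.hex(), "n": SCRYPT_N, "r": SCRYPT_R, "p": SCRYPT_P,
            "digest": digest.hex()}


def check_passphrase(record: dict, candidate: str) -> bool:
    """True only if candidate reproduces the stored digest (constant-time compare)."""
    digest = hashlib.scrypt(candidate.encode("utf-8"),
                            salt=bytes.fromhex(record["salt"]),
                            n=record["n"], r=record["r"], p=record["p"], dklen=32)
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def save_verifier(record: dict, path: Path) -> None:
    """Write the record with owner-only permissions; path is the caller's choice."""
    path.write_text(json.dumps(record))
    os.chmod(path, 0o600)


def load_verifier(path: Path) -> dict:
    return json.loads(path.read_text())


if __name__ == "__main__":
    import getpass
    store = Path.home() / ".passphrase-check.json"  # assumed location for this example
    if not store.exists():
        save_verifier(make_verifier(getpass.getpass("New passphrase to record: ")), store)
        print("verifier stored")
    else:
        ok = check_passphrase(load_verifier(store), getpass.getpass("Passphrase to verify: "))
        print("matches stored verifier" if ok else "DOES NOT MATCH - do not enter it yet")
```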
