[conspire] Password permutations (was: Correction)

Texx texxgadget at gmail.com
Fri Apr 17 17:42:27 PDT 2020


Bad user interfaces are part of the reason for passwords such as 1234.
Not saying it's a good idea, just saying that I understand why people do it.

With a windows laptop, I CAN get into the machine with a linux disk and a
copy of "chntpw".
(Unless BIOS is locked down, but I make sure that stays unlocked)
Locked out of a MAC, you need your AppleId.
If forced to use a MAC, I will NEVER use a complex PW again.
Maybe smash 8 words together, but that's as far as I'll go.

I'm brash.  I'm ADD.  I'm probably bi-polar.
I may not be a genius, but I'm definitely brighter than the average person
on the street.
While clumsy, I'm NOT an IDIOT.
I LEARNED my lesson!



On Fri, Apr 17, 2020 at 2:12 AM Michael Paoli <
Michael.Paoli at cal.berkeley.edu> wrote:

> > From: Texx <texxgadget at gmail.com>
> > Subject: Re: [conspire] Password permutations (was: Correction)
> > Date: Tue, 14 Apr 2020 19:22:15 -0700
>
> > After being on the bench for months, I landed a gig.
> > My first day, I was presented with a MAC laptop and a bunch of reading.
> >
> > The reading largely spelled out what I vaguely suspected.
> > I went with long passwords, opened a separate password manager from the one
> > that I use,
> > and I didn't repeat the same password for ANYTHING.
> > The first 2 days went fine as the onboarding progressed.
> >
> > On the third day, I forgot my password to the password manager.
> > This resulted in being unable to log into the laptop, or the "Apple-ID".
> > This, in turn "bricked" my MAC and while I was able to request help with my
> > APPLE-ID,
> > they had a mandatory waiting time of a month.
> >
> > There was no way to reinstall OS on the MAC.
> >
> > The job that was going to turn my life around, (Full time, yet) ended on my
> > 1 week anniversary.
>
> Bummer dude.  :-(  Sorry to hear that.
>
> So, one of the things to always be aware of, when selecting
> passwords/passphrases or the like - and also when entering them,
> be aware / keep in mind - what's the recovery procedure?  Even is
> there, or is there practically/feasibly one.
> And also, what happens with incorrect password/passphrase attempts?
> What are the consequences (hassles, or worse), if that happens
> "too many times" ... and sometimes there are multiple thresholds on
> that (e.g. delays next login attempt, locks out for 5 to 30 minutes,
> have to get admin to unlock/reset, or go through some other
> procedure for that, to, egad, device/data bricked or unrecoverable
> ... and sometimes the latter is even desirable - but it's a bit on
> the more extreme side).
>
> So, e.g., encryption of, e.g. drive (or partition/filesystem,
> user data ...).  Sometimes users ask me, and/or I ask them.  And when
> they start to get all excited about wanting encryption, I also give them
> dire warning - you lose/forget your encryption key/password/passphrase,
> you lose all access to that data.  Period.  No recovery, no getting
> it back.  And despite that, some users still not only go with
> encryption, but lose/forget the key/passphrase/password to be able to
> unlock the encryption.  <sigh>  Egad, some users repeatedly forget their
> passwords, and don't even have the skills to unlock themselves from
> there - even with physical access.  Heck, those users, I generally
> won't even bring up or suggest something like drive encryption or
> the like.  Yeah, it's annoying when I have to repeatedly reset
> passwords for the same user on their Linux goop over and over and
> over again.  But it happens.
>
> Oh, and stuff that locks out / bricks.  It's especially annoying
> when they don't tell you about such "features".  Surprise!  Not good.
> (See also: Principle of Least Surprise)
>
> So, yeah, the more, uh, "sensitive" stuff to that - especially
> one-way-trips to bricking or other significant hassles.  I'm a helluva
> lot more careful that I enter the password/passphrase correctly.  I also
> make dang sure I can verify/(re)confirm I've got it correctly and is what
> I think it is (or at least be as sure as feasible), before trying to
> (re)enter it.
>
> Yep, had a coworker once ... such "security" software on their
> smart phone.  Smart phone bumping around in pocket.  Smart phone takes
> that as unlock(/"login"/authentication) attempts.  Too many of those
> (sort'a like pocket/butt dial), and the phone bricked itself.  All
> data gone.  Just because the phone was bouncing around in the pocket for
> some bit.  "Oops."  So, yeah, I do know of such software/devices
> that'll do that.  Typically 10 to 20 failed attempts and ... bricked.
> A lot more persnickety stuff gives one grief after as little as 3
> failed attempts - like requiring administrator to reset/unlock after
> 3 failed attempts.
>
>

-- 

R "Texx" Woodworth
Sysadmin, E-Postmaster, IT Molewhacker
"Face down, 9 edge 1st, roadkill on the information superdata highway..."
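The tiered failed-attempt handling Michael's reply sketches (delay, a 5 to 30 minute lock, admin reset, and the one-way trip to bricking) can be modelled directly. This is an added example, written by the editor and not by either poster; it replays the pocket-bump scenario from the thread against a wipe-only policy and a tiered one. The policy names, thresholds and attempt timestamps are constructed sample values, and the choice that attempts during a temporary lock are rejected without being counted is an assumption of this example.

```python
"""Tiered failed-login policy: delay -> temporary lock -> admin reset -> wipe."""
from dataclasses import dataclass
from typing import Optional

OK, DELAY, TEMP_LOCK, ADMIN_RESET, WIPED = "ok", "delay", "temp_lock", "admin_reset", "wiped"


@dataclass(frozen=True)
class Policy:
    # Each threshold counts consecutive failures; None disables that tier.
    # Constructed sample values taken from the ranges mentioned in the thread.
    delay_after: Optional[int] = 3
    temp_lock_after: Optional[int] = 5
    temp_lock_seconds: int = 300          # 5-minute lock
    admin_reset_after: Optional[int] = 8
    wipe_after: Optional[int] = None      # the "one-way trip"; off by default


def _reached(threshold, failures):
    return threshold is not None and failures >= threshold


def evaluate(policy, failure_times):
    """Replay timestamps (seconds) of consecutive failed attempts and return
    (state, counted_failures, locked_until). Attempts arriving during a
    temporary lock are rejected and not counted (assumption; many products
    do count them). Admin-reset and wipe are terminal until handled out of band."""
    state, failures, locked_until = OK, 0, 0.0
    for t in failure_times:
        if state in (ADMIN_RESET, WIPED):
            break
        if t < locked_until:
            continue
        failures += 1
        if _reached(policy.wipe_after, failures):
            state = WIPED
        elif _reached(policy.admin_reset_after, failures):
            state = ADMIN_RESET
        elif _reached(policy.temp_lock_after, failures):
            state, locked_until = TEMP_LOCK, t + policy.temp_lock_seconds
        elif _reached(policy.delay_after, failures):
            state = DELAY
    return state, failures, locked_until


def can_attempt(state, locked_until, now):
    return state not in (ADMIN_RESET, WIPED) and now >= locked_until


def pocket_bump(n, gap=2.0):
    """Constructed: n accidental unlock attempts, one every `gap` seconds."""
    return [i * gap for i in range(n)]


# Wipe-only policy like the phone in the story: 10 bumps and the data is gone.
PHONE = Policy(delay_after=None, temp_lock_after=None, admin_reset_after=None, wipe_after=10)
# Tiered policy: the 5-minute lock absorbs the same burst after 5 counted failures.
TIERED = Policy()
```

Run `evaluate(PHONE, pocket_bump(12))` and `evaluate(TIERED, pocket_bump(12))` to compare the two outcomes; the temporary lock is what keeps the accidental burst from ever reaching a terminal tier.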