How strong is your password?

FWIW:
I have always wondered why many financial institutions and other security sites allow almost an unlimited try at entering a password. That's how those password crackers work, keep testing. I would like to see a 15-30 minute timeout after say 3 bad password tries. This way the computers who try 10,000 different passwords won't keep trying as it won't be worth their time. Then after about 3 times the timeout it keeps expanding the time between tries.

Just an idea. Some financial institutions have implemented a 5 times and you're out and then require a phone call to the place to explain why you failed.
Rich


Hi there

BANKS PHONE CALL SYSTEMS are really horrible -- I don't know how it works in the US but in Europe Banks tend to use these EXCRUCIATINGLY HIDEOUS Indian call centres --

After you've done the Zillions of multi-level menu options none of which fits your problem you then get 99.999% of the time typical messages like "Unfortunately due to the high volume of calls all our operators are busy -- but your Call is important to us and will be answered as soon as an operator is available" -- then unpleasant music and another 20 minutes wait meanwhile paying xxx EUR CENT a minute.

This occurs ANY time of the day or night on ANY day of the week so we all know it's a Cash generating scam.

Finally when you DO get connected you then have to go through all sorts of B/S security which is probably sold on the streets of Bangalore for a few dollars.

Then the bozos at the other end usually read from prepared scripts so anything deviating from their normal business totally fazes them.

I remember back in Iceland before all this offshoring was done you would be told how many people were in the queue before your call was going to be answered and you had the option to press a number which would then automatically call you back when your turn was ready. This was available over 15 years ago -- nothing like this seems to exist anymore so where's the technology or Customer Service gone?

The whole area of telephone support has gone BACKWARDS in the last 10 years -- and just when you thought the whole horrid experience couldn't get any worse some places now make you SPEAK to an automated vocal questionnaire before you even get through to some sort of human at the other end -- great security when you are in a crowded office and need to discuss private Financial matters etc.

I've gone back to using old fashioned FAX -- don't laugh but it actually gets quite a quick response.

The best solution, actually, after your password has been invalidated x times, is for you to have to set up the account again from scratch and the Bank will email you when it's activated.

No Phones, No stress etc etc.


Cheers
jimbo
 

I have a college diploma and honors degree in Computer Networking and I.T. Support. This kind of career path would have led to one of such call center jobs (one possible route), but like you said, most companies seem to do this foreign call center setup. It's quite hard to find work in this field nowadays, even more so when the few remaining hands on technical supports are fast vanishing.

I've pretty much written off my education as wasted time and look for work elsewhere :)

BANKS PHONE CALL SYSTEMS are really horrible -- I don't know how it works in the US but in Europe Banks tend to use these EXCRUCIATINGLY HIDEOUS Indian call centres --
Both my German banks, as well as the one back in Finland, have local call centers. I have never waited longer than a minute or two, and when calling my German banks the person who takes my call is German, answering in Germany. Same thing when I call my bank in Finland. All have the same kind of identification system, where first a computer takes care of my login before I'm connected to a person.

Login procedure, both phone banking and online banking, is also similar in all banks I use. Three strikes and out. Only way to reactivate the service is to order new one-time credentials, then log in using these to set up username, password and preferred identification methods. These one-time credentials are sent in my name, only to the address which is known by the bank as my address, and I have to prove my identity at the post office when collecting the letter. By phone, I can only order new credentials using the number which is registered by the bank as my number.

I find European online and phone banking both secure, easy and fast. Full 10 points from me (http://www.sevenforums.com/security-news/144596-intel-pushes-password-pumping-mojo.html#post1242166).

Kari
 

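An added sketch (not from any poster, and not any bank's actual system) of the throttle proposed at the top of the thread: 3 bad tries trigger a 15-minute timeout, and from the fourth timeout on the wait doubles. The 24-hour ceiling, the class and function names and the injected clock are assumptions made for the example.

```python
from dataclasses import dataclass

MAX_TRIES = 3              # bad tries allowed before a timeout (figure from the thread)
BASE_TIMEOUT = 15 * 60     # 15 minutes, the low end of the proposed 15-30 minutes
ESCALATE_AFTER = 3         # from the 4th timeout on, the wait doubles each time
MAX_TIMEOUT = 24 * 3600    # assumption, not from the thread: ceiling on one timeout


@dataclass
class AccountState:
    failures: int = 0      # bad tries since the last success or timeout
    timeouts: int = 0      # timeouts triggered so far
    locked_until: int = 0  # clock value (seconds) when tries are accepted again


class LoginThrottle:
    def __init__(self, verify, clock):
        self.verify = verify   # verify(user, password) -> bool
        self.clock = clock     # returns the current time in whole seconds
        self.accounts = {}

    @staticmethod
    def timeout_for(nth):
        """Length in seconds of the nth timeout for one account."""
        doublings = max(0, nth - ESCALATE_AFTER)
        return min(MAX_TIMEOUT, BASE_TIMEOUT * 2 ** doublings)

    def locked_for(self, user):
        state = self.accounts.get(user)
        return max(0, state.locked_until - self.clock()) if state else 0

    def attempt(self, user, password):
        state = self.accounts.setdefault(user, AccountState())
        if self.locked_for(user) > 0:
            return "locked"    # the password is not even checked during a timeout
        if self.verify(user, password):
            self.accounts[user] = AccountState()   # success clears the history
            return "ok"
        state.failures += 1
        if state.failures < MAX_TRIES:
            return "bad"
        state.failures = 0
        state.timeouts += 1
        state.locked_until = self.clock() + self.timeout_for(state.timeouts)
        return "timeout"


def seconds_to_try(n_guesses):
    """Simulated time an automated guesser needs to get n wrong guesses checked."""
    now = [0]
    throttle = LoginThrottle(verify=lambda u, p: False, clock=lambda: now[0])
    for _ in range(n_guesses):
        now[0] += throttle.locked_for("constructed-account")   # sit out any timeout
        throttle.attempt("constructed-account", "wrong guess")
    return now[0]


if __name__ == "__main__":
    secs = seconds_to_try(10_000)
    print(f"10,000 guesses need {secs / 86400:.0f} days of waiting")
```

A per-account counter like this also lets anyone who knows a username lock its owner out, and it does not slow a guesser who spreads tries across many accounts.
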
PC password is mediocre but that's what I expected; my network and wifi passwords come up as best.
 

Just an idea. Some financial institutions have implemented a 5 times and you're out and then require a phone call to the place to explain why you failed.
Surely it should be this way.
Plus, many banks here in Italy (but I assume this works in the rest of the world too) use one-time-password generators with numerical 6-character passwords lasting 20 seconds, to use in addition to the passwords (usually two, one for the login and a separate one for allowing operations on the account) chosen by the user.

Back on topic, anyway:
You don't need to make all sorts of random and forgettable passwords which you probably store on a mobile phone or write down somewhere.
Of course you don't have to start from a completely random pattern (which you'll sooner or later have to write down), but from something you know you'll remember ;)

Well, that's what a password of mine usually looks like (this is of course NOT any password of mine and never will be now that I unveiled it):
V0||3yb@||_Add!c7#14

If you read carefully you could read volleyball addict (which is something I'm not at risk of forgetting) and 14 (which is the number I use to wear when I play football and/or volley) in it. Couldn't you?
Then I made some substitutions (in a similar-to-leetspeak fashion, which I learnt some years ago and which comes automatically to me now every time I have to make a strong password):

  • the first letters of the words are always uppercase
  • 0 instead of the o
  • | (pipe) instead of l (lowercase L letter)
  • 3 instead of e
  • @ instead of a (but I left the uppercase A at the beginning of the word)
  • _ instead of the space
  • ! instead of the i
  • 7 instead of the t
  • # before the number
  • (in addition, I often put a K instead of the C and a k instead of the c, depending on the pronunciation, but in this password it doesn't apply)
(of course, anyone could adapt this set of substitutions to a set he/she likes the most or remembers the best: this is the one I've been using for years and I feel quite comfortable with it)

And here you can see the results:

PASSWORD METER
TPM.PNG

MS PASSWORD CHECKER
MS.PNG

If anyone has ideas on how to improve this (I'm always open to suggestions), feel free to share!! ;)
 

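An added example (not part of any post in this thread): a rough comparison of how a character-class meter scores the sample password above with how it scores once the listed substitutions are undone and the result is matched against a word list. The word list, the dictionary size, the rule count and all function names are constructed assumptions.

```python
import math
import re

# Reverse of the substitution list in the post above; "#" is dropped because
# it only marks the start of the number. The optional K-for-C swap is left out.
UNLEET = str.maketrans({"0": "o", "|": "l", "3": "e", "@": "a",
                        "_": " ", "!": "i", "7": "t", "#": None})

# Constructed stand-in for a word list; real ones hold far more entries.
WORDS = {"volleyball", "addict", "football", "password", "dictionary"}
DICT_SIZE = 100_000      # assumed size of the word list being tried
RULE_VARIANTS = 1_000    # assumed number of substitution/capitalisation rule sets


def meter_bits(password):
    """Score as a character-class meter sees it: length * log2(pool size)."""
    pool = 0
    for pattern, size in ((r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10),
                          (r"[^a-zA-Z0-9]", 33)):
        if re.search(pattern, password):
            pool += size
    return len(password) * math.log2(pool) if pool else 0.0


def unleet(password):
    """Undo the substitutions and the capitalisation."""
    return password.translate(UNLEET).lower()


def analyse(password):
    """Compare the meter's view with a dictionary-plus-rules view."""
    rest = unleet(password)
    found = []
    for word in sorted(WORDS, key=len, reverse=True):   # longest match first
        if word in rest:
            found.append(word)
            rest = rest.replace(word, "", 1)
    # Each dictionary word costs one pick from the list; leftovers are scored
    # per character (10 choices for a digit, 95 printable ASCII otherwise).
    bits = len(found) * math.log2(DICT_SIZE)
    bits += sum(math.log2(10 if ch.isdigit() else 95) for ch in rest)
    if found:
        bits += math.log2(RULE_VARIANTS)   # cost of guessing the rule set
    return {"normalised": unleet(password), "words": sorted(found),
            "meter_bits": round(meter_bits(password), 1),
            "pattern_bits": round(min(bits, meter_bits(password)), 1)}


if __name__ == "__main__":
    # The sample password the poster published (and retired) above.
    print(analyse("V0||3yb@||_Add!c7#14"))
```
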
All of mine are Strong or Best so it is all good :)
 

Hi there

even MS password checker gave me MEDIUM on that joke password I posted earlier

ðPa55wordÞ



So the trick of using at least two special characters saves a lot of creating impossible to remember passwords which actually are MORE of a security risk because you cannot remember them so you write them down or store them on a phone etc where other people might have access.



Another one

say you are a Chelsea FC fan - Stamford Bridge easy to remember (It's Chelsea's home ground)

the MS password checker rates STRONG this !StamFordBridge?


So forget all the random Pw generators --use something simple with mixed case and a special character at each end. Add some numerics too if you want.


Cheers
jimbo
 

Well to have a decent strength password you really just need to realize that most password crackers are using 'dictionaries'. Just stay away from words you can find in the dictionary, use a mix of lower, uppercase, and even numbers in it, and you are generally fine. 'leet-speak' as mentioned above is also a good way around that.
 

:roflmao:
 

Hi there
not sure what the previous post means but IS IT OR IS IT NOT TRUE that the usual call centre experience for most users is REALLY HORRIBLE these days and the facilities offered such as telling you how many people are in the queue and the ability to call you back when you are at the top of the queue are NOT OFFERED any more even though this was seen as necessary 15 to 20 years ago when Call centres first started to be used.

Also it's only INDIAN call centres who are starting to use this "automated Voice input stuff" where the request comes out like this "Are you calling about your Own account - please answer yes or no".

Then you have to give the account number and a zillion other questions in a loud voice.

All in all for most people a totally HORRID experience.


If they want to do it properly allow the user to input by the phone keyboard the account number and the option - and then if the whole call centre is busy ring the caller back when the next agent is available.

We almost had that 20 years ago -- why have we gone BACKWARDS.

In fact the ring back idea is actually BETTER security since the call back would verify that the caller is the owner of the account in question or could certainly be better checked.

Cheers
jimbo
 

say you are a Chelsea FC fan - Stamford Bridge easy to remember
Chelsea? What is Chelsea?
#Emirates_Stadium# sounds way more appropriate to me as a password :p

IS IT OR IS IT NOT TRUE that the usual call centre experience for most users is REALLY HORRIBLE these days
Over here, it doesn't depend only on the company, but also from person to person.
Among the personnel of the major telecom company over here, I've found people who actually knew how to solve problems (and they did in no time) and people who even struggled reading pre-given questions and tips from a sheet.
So, it usually has to do with how lucky you are in the moment you call: this, eventually, adds to your thesis that the call center experience is NOT how it was initially meant to be anymore :shock:
 
