LISTEN NOW
Click-and-drag on the soundwaves below to skip to any point. You can also listen directly on Soundcloud.
- [00’23”] Fun Fact. What comes after “123”?
- [01’57”] World Password Day. (We still need it!)
- [04’20”] GitHub authentication troubles.
- [11’55”] This Week in Tech History. Sasser, the sassy Windows worm.
- [15’55”] Firefox hits a ton.
- [20’03”] Ransomware stats – how much do attacks cost?
With Doug Aamoth and Paul Ducklin.
Intro and outro music by Edith Mudge.
Listen on Soundcloud, Apple Podcasts, Google Podcasts, Spotify, Stitcher and anywhere that good podcasts are found.
Or simply drop the URL of our RSS feed into your podcatcher.
Stephen L. Bentall
Looking forward to World Password Day! Will you be able to recommend Password Managers (with the usual BBC caveat “other Password Managers are available”)? I can image how a Password Manager would ‘manage’ the creation of a new password for a new URL (or however it aligns something that requires a password and the password it generates at the time, but how does it progressively take-on the creation passwords to replace those that have been in use for what may be a very long time?
Paul Ducklin
One annoyance for password managers is the plethora of $#%*^^# sites that have stupid password rules that require the password manager to do a deliberately-less-than-optimum job by forcing the mixing up of characters to follow non-random rules. Good PMs do have options for generating passwords to suit ridiculous rules, though they shouldn’t have to.
Cassandra
Another annoyance is sites that do not reveal what the password rules are! You have to progressively select options to remove the $#%*^^# characters – and then progressively shorten the password until you discover that it is a password length rule that is causing the rejection (and the rule is often stupid like “max ten characters”).
Every so often I raise the default length for new passwords in my password manager – currently it is well over 50 – most sites can handle the slightly random number that I have chosen – it is just those pesky ones wanting “10 letters” !
It would be easy enough to have a little information icon, which when hovered over gave a brief set of password rules; if you could standardise the format, password managers could even read those rules!
Paul Ducklin
Even better if the rules were: “use bytes of your choice.” I can see why services that might be at risk of an offline attack would demand a minimum length, but all the other stuff is, IMO, fusspottery that acts to reduce maximum entropy and to try to “regulate” randomness.
As an obvious example, standard-issue UK numberplates are all exactly seven characters long, chosen from Latin uppercase letters and the digits 0 to 9. So there are 36^7 different possibilities. But they don’t need to be uniformly dispersed through all the options, and they aren’t. Two of the characters are always digits, and they denote the age of the vehicle so they have a very skewed distribution. The first two are always letters, but many letters aren’t allowed in those positions, and because the first one denotes the place of first registration, some letters are much more common that others. The last three are always letters, but many combinations are prohibited, and a different bunch of letters are never used. So the actual number of varations is several orders of magnitude smaller than what you would naively expect. Ironically, if tellingly, part of the reason for the current format was specifically so that tags would be easier for witnesses of crimes, and to make it more likely to identify specific vehicles based on pArtial matches. After all, the rego *isn’t a password*. In fact, it’s officially called the “index number” (though it is no longer just numbers, because there are far too many cars for that.)
Paul Ducklin
PS. The Password Day article is live:
https://nakedsecurity.sophos.com/2022/05/05/world-password-day-2022-the-1960s-just-called-and-gave-you-your-passwords-back/
We don’t explicitly recommend a specific product but we do mention a selection of products in the video in that article.