Gregory's Server
 26 comments
@nixCraft But you are aware that you have billions of tries to guess a Wi-Fi password, but only 3 tries to guess a banking pin, before the account gets locked? @frainfostudent @nixCraft Really? I don't know it any different. AFAIK this has always been that way in Germany since the start of online banking. 3 bad tries on the ATM and the debit card is offline. Just recently I've accidentally entered the wrong transaction identity number three times into the web server of my bank and then the account was locked. It is a 6 digit number. @nixCraft My credit union used to require online passwords be exactly 8 *digits*. My only guess why is that it was so they could be set and changed at the bank at service desks on the pin pads they had for customers. They absolutely would not allow resets to alphanumerics on the website until the whole system was eventually upgraded. @nixCraft@mastodon.social If you cannot connect to the wi-fi, you cannot connect to your bank account  @nixCraft Sad thing is, most banks actually require the first, but since that's so ridiculous you have to write it down or something and even then probably have to try four or five different options. Worse still, people give up and use password managers which can have problems and leaks sometimes. Sometimes I think seriously about just permanently dedicating some old phone or tablet or something solely to passwords and 2FA stuff, left permanently in airplane mode or something. @nazokiyoubinbou @nixCraft I’m sorry, did you actually write “worse still people give up and use password managers”? Worse than writing it down?! Or do you really expect to remember all the different randomized passwords for all your different accounts? @social @nixCraft Calm down, you're looking at a logic problem emotionally, not logically. Yes, I did say that password managers are worse. Someone has to gain physical access to a piece of paper for something you've written down. Password managers can be accessed online. Not necessarily all leaked even. Sometimes other exploits lead to accessing them (an issue sometimes with mobile devices in particular.) Often enough their encryption is necessarily weak anyway. @social @nixCraft I think you're imagining the sort of environment where the current password system was originally created from -- eg a high confidential work area where people must even protect their work from other workers there (potential spies!) Hard for users to know passwords stored in ultra-secure mechanisms (even memorized) made sense there. It doesn't work in the modern day where your biggest threat is some script kiddie in Russia rather than your next door neighbor. @nazokiyoubinbou @nixCraft It's safer than you think! The app itself is a trusted pathway to the service, and it's probably been authorized at least once with a password or something more complex. The PIN is just an additional factor. Totally different from the WiFi situation, where that one code will allow virtually anything to connect in and do stuff. @DarcMoughty @nixCraft I think you meant to post this to them, not me, but I do want to point out that this isn't quite as literal as I think you've taken it to be. The point is just some things that seem like they don't need so much protection go over-the-top even with crazy requirements then some things that need heavy protection have little to none. @DarcMoughty @nixCraft A better example might be the bank requiring capitals, numbers, symbols, and the sacrifice of your firstborn to login then, once logged in, the only real protection on it is your phone's biometric lock or PIN, often enough easily faked or watched. @nixCraft I’ve always assumed the reason for the latter is that it requires a second factor — whether that’s a physical card or a phone.  @nixCraft but it PROOMPTS you for the code on your PHONE which is so much more secure than LOONIX
@nixCraft Unfortunately, I know many people around me using this kind of password types for sensitive informations... 💀 - Endless sensitization.  Password is one of the keys. The other one is the approved device the screen is running on.    When you're remote and the IT support needs to troubleshoot something and they look at your internet connection and you're connected to "hey why don't you go fuck yourself" and you realize aw geez. Didn't think that one through the whole way did ya K. @nixCraft as someone noted: 3 wrong attempts and you lost. |
@nixCraft because nobody can take advantage of $0
(jk)