Passwords

OP
OP
jakeblu
Messages
8,481
Name
Steve
Edit My Images
Yes
#42
Another thought about passwords.

There are some websites - but not very many - where I really care about protecting my password. Banks, email, cloud storage, ... but not many. And then there are a whole load where I really don't care very much. For example I've just bought a case for my mobile phone, from a website I'll probably never use again. Why do I care about keeping that secure? If my account is hacked, what are the bad guys going to do - buy me another mobile phone case? So why don't I just use a password like '123456'? It's easy to remember, and if it's cracked it offers absolutely zero clues as to what my other passwords (the ones that I do care about) are.

Could that be part of the reason why passwords such as '123456' and 'password' are so common? Not because people are stupid, but because they're being forced to create passwords for websites which they really don't care about one way or the other?
Not really sure about this hacking thing, but if they do hack into your account, wont they have your card details?
 

Cobra

Just not pink enough
Staff member
Messages
85,305
Name
Phitt, Hissy Phitt
Edit My Images
No
#43
Do you get locked out of here if you enter the wrong password too many times?
TBH I'm not sure, I don't log out, I suspect that it might be a "wait 15 minutes" thing though.
 
Messages
446
Name
Paul
Edit My Images
Yes
#44
I just use Safari's auto password generator. Never had a problem on any website and I don't have to write down the hundreds of passwords I use week in week out.
 

StewartR

Efrem Zimbalist Jr
Advertiser
Messages
12,018
Name
Stewart
Edit My Images
Yes
#45
Not really sure about this hacking thing, but if they do hack into your account, wont they have your card details?
No.

I mean, sure, if they hack into my bank account, then they'll have everything. But that one's very secure. If they hack into my account on the website that sells mobile phone cases, they'll get my name, email address, home address, mobile phone number - all of which are readily available elsewhere - and my order history on that website.

When you type your credit or debt card details into a website, they are generally not saved. If you weren't aware of it, the rules for handling card details online - the Payment Card Industry Data Security Standards (PCI DSS) - are very onerous indeed. So onerous that in my business we don't allow the sensitive card details (which are basically the full card number and the CVV code) anywhere near our website. When somebody needs to pay, we hand them over to the payment gateway website to conduct the transaction, and then back to our website once the transaction is completed. That way we only need to comply with a restricted version of PCI DSS rather than the full blown version. Some websites operate at a higher level of PCI DSS by hosting the payment page themselves, and some operate at a still higher level of PCI DSS by offering toy store your card details to facilitate future purchases. But that doesn't happen without explicitly asking you whether you want to do that.
 
Messages
411
Edit My Images
No
#46
So onerous that in my business we don't allow the sensitive card details (which are basically the full card number and the CVV code) anywhere near our website. When somebody needs to pay, we hand them over to the payment gateway website to conduct the transaction, and then back to our website once the transaction is completed.
It's not the sensible businessmen like yourself who are the problem but the people who don't think as you do and will store sensitive details inappropriately. I've actually seen examples of financial data stored in plain text documents helpfully named by customer and postcode! That's why there's still a lot more education required on both sides of the link.
 
Messages
6,866
Name
Graham
Edit My Images
No
#47
One thing which I really dislike is when ordering over the phone and they want your card details so they can punch it into their machine/web portal. Security is completely blown out of the window with that. I would prefer something like where you could generate a secure one-time code from your banking app which you could provide over the phone instead, but I'm sure the software infrastructure required to put that in place would be pretty expensive.
 
OP
OP
jakeblu
Messages
8,481
Name
Steve
Edit My Images
Yes
#48
No.

I mean, sure, if they hack into my bank account, then they'll have everything. But that one's very secure. If they hack into my account on the website that sells mobile phone cases, they'll get my name, email address, home address, mobile phone number - all of which are readily available elsewhere - and my order history on that website.

When you type your credit or debt card details into a website, they are generally not saved. If you weren't aware of it, the rules for handling card details online - the Payment Card Industry Data Security Standards (PCI DSS) - are very onerous indeed. So onerous that in my business we don't allow the sensitive card details (which are basically the full card number and the CVV code) anywhere near our website. When somebody needs to pay, we hand them over to the payment gateway website to conduct the transaction, and then back to our website once the transaction is completed. That way we only need to comply with a restricted version of PCI DSS rather than the full blown version. Some websites operate at a higher level of PCI DSS by hosting the payment page themselves, and some operate at a still higher level of PCI DSS by offering toy store your card details to facilitate future purchases. But that doesn't happen without explicitly asking you whether you want to do that.
Thanks, very informative
 
Messages
7,181
Name
Jeff
Edit My Images
No
#50
I suppose it helps when you grew up speaking four languages to communicate at home , then in later life reverted to taxi driver spake or pure bollockanese as its otherwise known
 
Messages
411
Edit My Images
No
#51
I'm sure the software infrastructure required to put that in place would be pretty expensive.
Not really but you can be sure that once it's gone through half a dozen committees and been both gold and platinum plated it will be. I've designed and/or coded various applications in banks and with the databases all the big banks have already it's not that hard. The problem lies in getting the agreements in place to implement things. "Security" and latterly "Data Protection" are always trotted out as excuses for complexity but as many can attest: "security" is not necessarily used in a way most customers would expect.
 
Messages
3,097
Name
Andy
Edit My Images
No
#52
A new technology is coming that eliminates usernames and passwords completely. Once you have registered with a website, you’ll receive a credential from them. Whey you return, all you need to do is present that credential back again confirming “it’s me”.

Nobody else will be able to present your credential but you. You’ll have a bunch of these credentials in an app like a password manager, but far more cryptographically sophisticated.

You’ll also have other digital credentials that you can use to prove things about yourself if you want to, like your name, address, date of birth, credit rating, nationality etc etc, just like you have with paper credentials now, but more secure.

Big companies like IBM and Microsoft are already jumping on board. I know this as the company I work for originated a load of it. Check out https://evernym.com or https://sovrin.org.

Fun times ahead!
 
Messages
6,866
Name
Graham
Edit My Images
No
#53
I think I've already got something similar to this with Microsoft and Xbox where I can verify my identity on the computer with an authentication app on my phone but I don't know if it works as an app on Windows 10, which would eliminate having to use a separate device (my phone). It's not fully automated though but I can see how it would be more than possible to make it automated.
 

sirch

Official Forum Numpty 2015
Messages
7,932
Name
Chris
Edit My Images
Yes
#54
Yeah, great, because what could possibly go wrong with having one private company having access to all your accounts and having to go begging to them when you lose access for whatever reason.
 

sirch

Official Forum Numpty 2015
Messages
7,932
Name
Chris
Edit My Images
Yes
#55
which would eliminate having to use a separate device (my phone)
That is the whole point, it is two factor authentication. anyone trying to get into your account has to have both your phone and your computer. Putting the app on your computer would mean anyone who hacked or stole your computer would have access to the account.
 
Messages
6,866
Name
Graham
Edit My Images
No
#56
Good point, it's a pain but I can see why hmrc does it now with a security code being sent to your phone.
 

Cobra

Just not pink enough
Staff member
Messages
85,305
Name
Phitt, Hissy Phitt
Edit My Images
No
#57
A new technology is coming that eliminates usernames and passwords completely. Once you have registered with a website, you’ll receive a credential from them. Whey you return, all you need to do is present that credential back again confirming “it’s me”.
I'm confused, what exactly is a credential? personal data about you? or maybe some form of password?

what could possibly go wrong with having one private company having access to all your accounts
Absolutely nothing Chris. ;)
What was that about Huawei again? :LOL:
 
Messages
411
Edit My Images
No
#58
That is the whole point, it is two factor authentication. anyone trying to get into your account has to have both your phone and your computer. Putting the app on your computer would mean anyone who hacked or stole your computer would have access to the account.
Which sums up the whole security problem neatly. People don't want the hassle of conforming to good security then blame everyone but themselves when the bad guys take advantage.

:tumbleweed:
 

KIPAX

Seriously Likeable
Messages
20,122
Name
KIPAX
Edit My Images
Yes
#60
To log in they usually need your email as well.. Not hard for the freebie email users but when you have your own domain you can use a different email for every login..I can use "whatever_i_want@kipax.com" this makes it harder for anyone but also allows me to track where spam is coming from and who lets my email out to others...
 

sirch

Official Forum Numpty 2015
Messages
7,932
Name
Chris
Edit My Images
Yes
#62
What was that about Huawei again? :LOL:
TBH I would probably trust the Chinese government to keep my details secure far more than some profit driven American company
 

Cobra

Just not pink enough
Staff member
Messages
85,305
Name
Phitt, Hissy Phitt
Edit My Images
No
#63
TBH I would probably trust the Chinese government to keep my details secure far more than some profit driven American company
I'm just wondering what Alexa would have to say about that :D
 

Tori_T

Staff member
Messages
7,650
Edit My Images
Yes
#67
I think the difference is that US law allows you to waive statutory rights, but I don't believe you can in the UK.
 
Top