Comments
Here's the thing - the people who set the policy also consider four digits to be enough to safeguard their bank accounts.
Besides... in terms of the actual security difference, i.e. how long it'd take to crack the four-digit code with a computer compared with the eight-digit code, the difference is measured in seconds and wouldn't even be considered a minor inconvenience.
It's an idiotic policy, most likely dreamt up by somebody in management (they rarely know anything about these things, but for some reason always want to appear like they know).
It also lets me work out how many months I've been there!
Also I suspect that these password policies are precisely why there are so many crap passwords - people are inherently lazy, so constantly asking for changes, where you can't reuse things, means people get the most simple BS ... and yet to crack passwords you don't care what characters are used, you care about the length - brute force programs will try every combination of printable characters at tens or hundreds of millions of combinations per second - random word pass phrases would be as (or more) secure, easier to remember and, by virtue of complexity, won't need changing as often (and when changed can be changed for another easy to recall phrase).
I'd say don't worry about retrieving 'phone messages. If it's that important they'll call you back.
I've switched over to using LastPass to store and generate passwords. The master password is then concealed inside a system that isn't protected by LastPass, in a manner which ought to make it very hard to find, and hard to identify if you do find it.
I remember at school the class did an experiment to show this. Everyone was asked to come up with a "random" list of zeroes and ones, like 20 or something. There are four combinations of pairs of these: 00, 01, 10 and 11, and you would expect a roughly even distribution of both but every single kid in the class had more 01s and 10s than 00s and 11s.
Polarityman illustrated this as well - you would expect about a tenth of those number pairs to be doubles but there was only one, very low even before he got not-random.
When people generate what they think are random sequences there are usually too few repeated digits, which makes the sequences more predictable and weaker as security measures.
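The classroom experiment described in the posts above, as an added example in Python that is not part of this thread: it counts the adjacent pairs (00, 01, 10, 11) in a 0/1 sequence and reports how far the number of doubles deviates from what a fair coin would give, compared against a seeded PRNG. The "human" sequence is a constructed sample, not one of the posters' data.

```python
import math
import random

PAIRS = ("00", "01", "10", "11")


def pair_counts(bits):
    """Count the overlapping adjacent pairs in a string of '0'/'1' characters."""
    counts = {p: 0 for p in PAIRS}
    for a, b in zip(bits, bits[1:]):
        counts[a + b] += 1
    return counts


def doubles_z_score(bits):
    """
    z-score of the number of doubles (00 or 11) against a fair coin.

    For fair, independent bits each adjacent pair is a double with
    probability 1/2, and the 'is a double' indicators of overlapping pairs
    are themselves independent, so the number of doubles is Binomial(n, 1/2)
    with n = len(bits) - 1.  A strongly negative z means 'too few repeats',
    the signature of a human-made 'random' sequence.
    """
    counts = pair_counts(bits)
    n = len(bits) - 1
    doubles = counts["00"] + counts["11"]
    mean, sd = n / 2, math.sqrt(n / 4)
    return (doubles - mean) / sd


def random_bits(length, seed):
    """Reference sequence from a seeded PRNG (deterministic for the demo)."""
    rng = random.Random(seed)
    return "".join(str(rng.getrandbits(1)) for _ in range(length))


# Constructed sample of the kind of 'random' list a pupil writes down:
# it alternates most of the time and has only 4 doubles among 19 pairs.
HUMAN_BITS = "01011010100101101001"

if __name__ == "__main__":
    for label, bits in (("human", HUMAN_BITS), ("prng", random_bits(20, seed=1))):
        print(label, pair_counts(bits), "z = %.2f" % doubles_z_score(bits))
```

For the constructed sequence the z-score is about -2.5, i.e. fewer doubles than a fair coin would produce in roughly 99% of 20-bit runs, which is what the class saw.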
Apple derandomised the track shuffling in iTunes because people noticed a lot of consecutive tracks appearing, and thought it wasn't random. They changed the algorithm to be less random but to produce fewer consecutive tracks and fewer consecutive tracks even from the same album or the same artist. People then thought it was more random...
Most people think that's counter-intuitive, but it's only so if you don't understand what "random" actually means.
The 30 or so numbers could be the most random selection of the million plus combinations possible ... but it might be very easy to make all sorts of assumptions
Yes, that's the difference between Gaussian/Normal Distribution and Random.
I use the former a lot, to make people think it's the latter
If there's no indication your account has been compromised, enforcing regular changes of complex passwords is counterproductive, as a number of posters in the thread have pointed out.
There is a chance that an anticipated non-random pattern is created randomly, yes. The experiment doesn't "prove" anything, it just indicates an extremely strong likelihood of it. You wouldn't need a particularly large sample to hit "extremely strong likelihood".
So, periodic password changes *could* stop undetected intrusions that have been quietly data mining without your knowledge. In the case of a (semi) well monitored network that has suffered an undetected intrusion a password change could be followed by an observed drop in traffic which would indicate that some unauthorised users might have been in the system using legitimate accounts...