Secure Password is not Secure

You’ve seen it, “Enter your new password, it has to be this long with these character types…” BLAH BLAH BLAH. You enter your regular password of Monkey123 (Yes, monkey is always among the most popular passwords found on the internet.)

https://wpengine.com/resources/passwords-unmasked-infographic/
(indecent passwords are blacked out)

I like sites that allow you to add multiple symbols. I also like sites that allow you to set VERY LONG passwords. I personally use passwords that have UPPER, lower, numbers 123, and symbols [email protected]#$%^&*()_+-={}|[]\:”;'<>?,./ that are super long. I also use a password manager so I don’t have to remember my passwords. See LastPass. LastPass is not a sponsor. I have used them as a paid subscriber for 10+ years.

I was setting up a password for 8×8 which is a VoIP phone provider and I used my random password generator from LastPass and 8×8 told me my password was not secure.

Here is an example of a password that I use for my accounts. You can see 50 characters that have upper, lower, numbers, and symbols. A password like this 50 character length has 1606 bits of entropy.

4.53*10^94 is the total number of passwords
94 characters on the keyboard, 50 digits = 94^50
THAT IS slightly more than “FOUR AND ONE HALF HUNDRED UNTRIGINTILLION.”

BUT, 8×8 limits you to no more than 25 characters. That’s half of the total possible combinations at 2.1291E+49 (or 2.13*10^49 or 20 QUINDECILLION.

I don’t know about you but I am not comfortable with only 20 quindecillion possibilities for my password and a brute force attack. Now a days computers can guess about 1,000,000 guesses per second.

SINCE they limit the types of characters to just [email protected]#$%^&*()_+-=;:,.?<> AND a-z, A-Z, 0-1 which equals 58 character types and max of 25 digits (58^25) = 1.21815E+44 (or 1.22 Hundred Tredecillion or 1.22 * 10^44 or 121,814,739,012,626,000,000,000,000,000,000,000,000,000)

IN CLOSING, a site that requires password should never limit the number of digits and should allow for all possible character types. If they are storing your password securely with a salted hash then the length and type does NOT matter to the database.

Have a nice (and secure) day!

Do Not Do This

Pssssn
Photo Credit: https://howtoremove.guide/p-s-s-s-s-n-wireless-network/

Do NOT join this network if you see it. Once you do it will brick your iPhone and will need a Reset Network Settings to fix. iOS Settings > General > Reset > Reset Network Settings.
(NOTE: if you need to click ‘Reset Network Settings” you won’t lose any data or files on your phone except you will lose any saved Wi-Fi networks and passwords.)

Photo Credit: Jason Lamb

There is a bug in the text parser in iOS that tries to interpret the % as an escape character. %20 is often used in URLs and JavaScript to identify space between words. You can see a full list of URL encodes here: https://www.w3schools.com/tags/ref_urlencode.ASP

You can play with this 074%097%115%111%110%032%076%097%109%098%032%105%115%032%065%087%069%083%079%077%069%033 and decode it here: http://www.unit-conversion.info/texttools/ascii/

Start this video at 22:58 to hear Steve talk about this vulnerability.

You can check out Steve Gibson’s show notes from this episode here: https://www.grc.com/sn/sn-824-notes.pdf or the written transcript of that episode here: https://www.grc.com/sn/sn-824.htm

Also read: https://howtoremove.guide/p-s-s-s-s-n-wireless-network/