Weak passwords survey



papapa909090
September 14th, 2014, 11:39 AM
I think we should make survey if weak passwords should be allowed,

IMO strong passwords scare users away and I strongly feel that I am not alone in that view

Thank you for opinions

coffeecat
September 14th, 2014, 11:42 AM
Unless you are referring to the password you use in Ubuntu One SSO, this is not a Forum Feedback & Help topic.

Thread moved to The Cafe.

bapoumba
September 14th, 2014, 11:42 AM
I'm quite surprised. No passwords here, all is handled by the Ubuntu One SSO.
Educate rather than survey, methinks.

markodd
September 14th, 2014, 01:04 PM
Well, I'll use this thread to ask an OFF -Topic question:

vBulletin seems to be dead (?) and every vBulletin forum I know has been changing to XenForo. Does ubuntuforums.org plan to do that as well?

bapoumba
September 14th, 2014, 01:11 PM
Not that I know of.

deadflowr
September 14th, 2014, 09:43 PM
Well, what about if weak passwords are allowed and then your password ends up getting cracked?

What then?
I would assume you would advocate the opposite.

uRock
September 14th, 2014, 10:46 PM
I use long passphrases for every account I create, provided a site allows it. If you have a hard time with passwords, then this may be helpful. https://lastpass.com/

grahammechanical
September 14th, 2014, 11:21 PM
Why not a finger print reader? What could be better?

I read a very interesting blog on Planet Ubuntu the other month where it was reasoned that finger prints should not be viewed as passwords but as user names. It was pointed out that we leave our finger prints everywhere. So, they are not a very secure password at that.

The writer won me over.

uRock
September 14th, 2014, 11:25 PM
Why not a finger print reader? What could be better?

I read a very interesting blog on Planet Ubuntu the other month where it was reasoned that finger prints should not be viewed as passwords but as user names. It was pointed out that we leave our finger prints everywhere. So, they are not a very secure password at that.

The writer won me over.

I agree. It is one of the many reasons I wasn't sold when Apple built it into the iPhone.

bashiergui
September 15th, 2014, 12:15 AM
I agree. It is one of the many reasons I wasn't sold when Apple built it into the iPhone.

Apple is using the fingerprint for their NFC electronic wallet now. I think that's a reasonable use of fingerprints. The phone is encrypted when you lock the screen. Passphrase to unlock, fingerprint to activate a credit card. Beats the crap out of the existing US magnetic stripe system.

You can't win with passwords. If you require difficult ones, users complain they can't remember them. You allow easy ones and when users accounts get bruteforced and stolen, users complain your security sucks.

uRock
September 15th, 2014, 12:52 AM
Apple is using the fingerprint for their NFC electronic wallet now. I think that's a reasonable use of fingerprints. The phone is encrypted when you lock the screen. Passphrase to unlock, fingerprint to activate a credit card. Beats the crap out of the existing US magnetic stripe system.

You can't win with passwords. If you require difficult ones, users complain they can't remember them. You allow easy ones and when users accounts get bruteforced and stolen, users complain your security sucks.

I learned enough from this passing Defcon to know better than to trust storing my credit or checking info on my phone. The extra layer of security is a good thing.

bashiergui
September 16th, 2014, 05:01 AM
You mean this?
https://media.defcon.org/DEF%20CON%2020/DEF%20CON%2020%20slides/DEF%20CON%2020%20Hacking%20Conference%20Presentation%20By%20Eddie%20Lee%20-%20NFC%20Hacking%20The%20Easy%20Way%20-%20Slides.m4v
Sounds to me like the fingerprint requirement will break this attack.

maxinstuff2
September 16th, 2014, 06:14 AM
Three words - Two Step Authentication.

Password, plus a code received by sms on receipt of correct password.
Google et al have been trying to push this for years.

linuxyogi
September 21st, 2014, 11:53 AM
I keep trying new distros and sometimes BSDs as dual boot with Lubuntu. I face a serious problem because a database created with KeePassX 2 is not compatible with KeePassX (1). Actually I started using KeePassX when I was using openSUSE and they were offering Ver 2. I didn't even realize that this will cause such inconvenience in the future. By default Ubuntu provides KeePassX 1 and I have to add this PPA (https://launchpad.net/~keepassx/+archive/ubuntu/daily).

buzzingrobot
September 22nd, 2014, 12:51 PM
Three words - Two Step Authentication.

Password, plus a code received by sms on receipt of correct password.
Google et al have been trying to push this for years.

Except that people won't be excited about using it in a scenario that requires frequent logging in and out. E.g., it's one thing to use 2SA logging into Google every so often. It's another thing if you work in an environment that requires logging in every time your machine wakes from suspend. Folks find that very annoying.

Passwords will be around until we come up with something that is both easier and more secure.

mastablasta
September 23rd, 2014, 07:11 AM
until then password123 will do the job just fine :)

kurt18947
September 23rd, 2014, 02:38 PM
Why not a finger print reader? What could be better?

I read a very interesting blog on Planet Ubuntu the other month where it was reasoned that finger prints should not be viewed as passwords but as user names. It was pointed out that we leave our finger prints everywhere. So, they are not a very secure password at that.

The writer won me over.

I read about an experimental technology but don't recall where. It uses a finger but not the prints. Instead, it maps the capillary patterns in one's finger. The finger in question must have a blood supply in order to be read. It sounds sort of like a retina scan. Is there an issue with that sort of thing?

mastablasta
September 24th, 2014, 08:44 AM
then why not just give a drop of blood. i mean banks are already bleeding us dry... :D

kurt18947
September 24th, 2014, 02:07 PM
then why not just give a drop of blood. i mean banks are already bleeding us dry... :D

That's the problem - we have no drop to give :)

Michael_McKenney
September 24th, 2014, 02:23 PM
I run a corporate network. The more complex the password is, the more problems it causes.

1.) Users write them on sticky notes on their monitor
2.) They need to be constantly reset by admins

Password vaulting and Single Sign On technology are talked about in my Data Center Security Journals. Password vaults that you log into and click on the application to load. You remember one password. Single Sign On where your information is stored encrypted and hashed on your device.

Two step authentication is used by banks with a key device that changes a 6 digit number every few seconds. You log in and use your key device to put in the number. Problem is it can get stolen. Apple uses a finger print. When do thieves start cutting off fingers? Was it Da Vinci Code or Angels and Demons where they stole the scientist's eye? The cost of implementing higher level security is not possible for home users. We spend $30,000+ a year on security for our data center network. My router at home was over $400. Most will not spend it. Most ISPs can't support it, when users have issues.

Best security is turn off your device when not in use. My workstation at home has its own 20A wall switch that connects to the plugs. When I am not using it, the switch is off. Disable Wake on LAN so your computer can't be turned on. Install Malware and Virus protection to protect your devices. I use Lookout on my phone. I can wipe the phone if stolen.
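The one-time codes that maxinstuff2 and Michael_McKenney describe (a code sent after the password, or a bank token whose six digits roll over every few seconds) are usually some form of HOTP or TOTP. The token variant is the easiest to show end to end, so here is an added example, not code from the forum thread, of RFC 4226 HOTP and RFC 6238 TOTP together with the server-side check that a practitioner would actually need: tolerance for a slightly drifted clock, a constant-time comparison, and rejection of a code that was already used. SMS delivery of a server-generated code is a different transport and is not modelled here. The key and timestamps in the demo are the RFC test values, not anyone's real credentials.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a server-side verifier.

Added example, not code from the forum thread. Key and timestamps used in the
demo are the RFC test values, not anyone's real credentials."""
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC over the 8-byte big-endian counter, dynamic truncation to a 31-bit
    integer, then reduced modulo 10**digits and zero-padded (RFC 4226 s5.3)."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of `step`-second intervals
    since the Unix epoch, so a code is valid for one interval."""
    if at is None:
        at = time.time()
    return hotp(key, int(at // step), digits)


class TotpVerifier:
    """Checks a submitted code on the server side.

    `window` is the number of time steps of clock skew tolerated on either
    side. The highest counter already accepted is remembered and every counter
    at or below it is refused, so a code that was observed in transit cannot be
    replayed for the rest of its validity window. This deliberately also
    rejects an older-but-still-in-window code after a newer one was accepted.
    """

    def __init__(self, key: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.key = key
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1

    def verify(self, candidate: str, at: Optional[float] = None) -> bool:
        if at is None:
            at = time.time()
        now = int(at // self.step)
        for drift in range(-self.window, self.window + 1):
            counter = now + drift
            if counter <= self.last_counter:
                continue  # already consumed, or older than a consumed code
            expected = hotp(self.key, counter, self.digits)
            # Constant-time comparison: a byte-by-byte early exit would leak
            # how many leading digits were right.
            if hmac.compare_digest(expected, candidate):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # RFC 6238 Appendix B shared secret (ASCII "12345678901234567890").
    demo_key = b"12345678901234567890"
    print("code for T=59 (RFC vector 287082):", totp(demo_key, 59))
    print("current code:", totp(demo_key))
```

The stolen-token problem Michael_McKenney raises is not solved by the algorithm: whoever holds the key (the device, or a server-side copy of it) can generate valid codes, which is why the token is only ever the second factor. Rate-limiting the verifier is the other half, since a six-digit code with a one-step window leaves an online guesser about a one-in-333,333 chance per attempt.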

LYXDhE3
September 24th, 2014, 04:24 PM
I was so glad when someone finally implemented the simple idea for password strength that the longer the password/phrase gets, the more requirements are dropped for things like capital letters, numbers, special characters, etc. It allows people to come up with a sentence or something they can actually remember, without having to write it all over the place, constantly send requests to reset, or otherwise grumble about.
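The policy LYXDhE3 describes, where a longer password is asked for fewer character classes, is simple to implement but the details matter: a 24-character run of one letter or a short pattern repeated would sail through a length-only tier, and a common password still has to be refused at any length. The following is an added example, not code from the forum thread; the tier thresholds and the tiny common-password list are constructed for illustration.

```python
"""Length-adaptive password policy: the longer the password, the fewer
character-class rules it has to satisfy.

Added example, not from the forum thread. The tier thresholds and the tiny
common-password list are constructed for illustration."""
import unicodedata

# Constructed denylist. A real deployment checks against a breach corpus.
COMMON_PASSWORDS = {"password", "password1", "password123", "123456",
                    "qwerty", "letmein", "welcome1"}

# (minimum length, number of character classes required at that length).
# Checked top-down, so a 24+ character passphrase only needs one class while
# an 8-11 character password needs all four. Thresholds are an assumption.
TIERS = [(24, 1), (16, 2), (12, 3), (8, 4)]

MIN_LENGTH = 8
MIN_DISTINCT = 5


def class_count(pw: str) -> int:
    """Number of distinct character classes present: lower, upper, digit,
    and everything else (symbols and spaces share one class)."""
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    return sum(any(test(c) for c in pw) for test in tests)


def is_periodic(s: str) -> bool:
    """True if s is a shorter string repeated, e.g. 'abcabcabc'.
    A string is periodic iff it occurs inside (s+s) with both ends trimmed."""
    return s in (s + s)[1:-1]


def check_password(pw: str):
    """Return (accepted, reasons). Every failed rule is reported so the user
    sees the whole list at once instead of fixing one rule per attempt."""
    pw = unicodedata.normalize("NFKC", pw)  # composed/decomposed forms compare equal
    n = len(pw)
    reasons = []
    if n < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("on the common-password list")
    if len(set(pw)) < MIN_DISTINCT:
        reasons.append(f"fewer than {MIN_DISTINCT} distinct characters")
    if is_periodic(pw):
        reasons.append("a short pattern repeated")
    required = next((k for min_len, k in TIERS if n >= min_len), None)
    if required is not None:
        have = class_count(pw)
        if have < required:
            reasons.append(f"{n} characters needs {required} character classes, has {have}")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("password123", "Summer2014", "Tr0ub4dor&3",
                      "correct horse battery staple", "a" * 24):
        ok, why = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected: ' + '; '.join(why)}")
```

Note what the policy does not do: it never truncates or refuses symbols and spaces, which is the complaint raised later in this thread about sites with low maximum lengths or alphabetic-only rules. A passphrase only works as the "long tier" if the site stores it whole.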

santosh83
October 4th, 2014, 11:37 AM
The problem is, every authentication system can be beaten by sufficiently organised efforts. The key is to decide the security:convenience ratio for each object you're trying to protect. I'm wary of the security and privacy implications of biometrics. I think for most purposes a strong password is virtually impregnable. Of course people choose weak passwords by and large, but this could be remedied to an extent by having minimum restrictions on password length and complexity, and by implementing two-factor auth for important services.

Another problem is the varying password restrictions on different sites. Some sites still don't allow symbols in passwords. Some restrict the maximum length to pretty low values like 8 or 12 characters. Many have no restriction on minimum length. Most don't force alphanumeric passwords. Some require ONLY alphabetic passwords.

My general strategy is to remember a single semi-random long string of symbols (i.e., upper + lower case characters, digits and symbols), at least 16 characters or more in length, on top of which are added a few characters that vary from site to site in a consistent manner, which is easy to recall. The whole combo looks like a random string of symbols to anybody, unless they could get at two or more of my passwords in which case the differences become obvious and predictable. But that requires a breach and leak at more than one site, which is quite unlikely. If/When that happens I guess I'll have to change the semi-random string to another one. That is not so hard as long as it's just once or twice a year.

And I hope to have a better auth system by the time I get senile. Or I'll just have to make myself not worth exploiting! ;-)
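The scheme in the post above (one long memorised string, plus a few site-dependent characters added by a fixed rule) has exactly the weakness the poster names: line up two leaked passwords and the shared base falls out, after which every other site's password is predictable. The block below is an added example, not code from the thread, that shows that inference next to an alternative the post does not mention, deriving each site's password with HMAC so that leaked outputs reveal nothing about any other. The suffix rule (first three letters of the site name) is an assumed stand-in for the poster's private rule, and the base secret is constructed.

```python
"""One memorised secret, many site passwords: the shared-base-plus-suffix
scheme from the post above, next to an HMAC-derived alternative.

Added example, not from the forum thread. The suffix rule (first three
letters of the site name) is an assumed stand-in for the poster's private
rule; the base secret below is constructed, not anyone's real password."""
import base64
import hashlib
import hmac
import os


def suffix_scheme(base: str, site: str) -> str:
    """Base secret plus a site-dependent tail (assumed rule)."""
    return base + site.split(".")[0][:3]


def hmac_scheme(master: str, site: str, length: int = 20) -> str:
    """Per-site password = base32(HMAC-SHA256(master, site)) truncated.

    Each output is a pseudorandom function of the site name; without the
    master secret, any number of leaked outputs say nothing about another
    site's password. Base32 keeps the result typeable. A real tool would add
    a per-site counter so one site's password can be rotated on its own."""
    tag = hmac.new(master.encode("utf-8"), site.encode("utf-8"), hashlib.sha256).digest()
    return base64.b32encode(tag).decode("ascii")[:length]


def attacker_view(leaked: dict) -> str:
    """What someone holding two or more leaked passwords can line up: the
    longest prefix they all share. For the suffix scheme that is the base
    secret (plus any suffix letters that happen to coincide)."""
    return os.path.commonprefix(list(leaked.values()))


if __name__ == "__main__":
    base = "Xk7#qP2vL9!mW4zR"  # constructed 16-character secret
    sites = ("github.com", "gmail.com", "example.com")
    for scheme in (suffix_scheme, hmac_scheme):
        pws = {s: scheme(base, s) for s in sites}
        two = {s: pws[s] for s in sites[:2]}
        print(scheme.__name__)
        for s, pw in pws.items():
            print(f"  {s:12} {pw}")
        print("  shared prefix from two leaks:", repr(attacker_view(two)))
```

The HMAC variant keeps the post's advantage (one thing to remember) but trades away its escape hatch: the poster can change the base string once or twice a year, whereas changing the master secret here changes every derived password at once, which is why a per-site counter or a proper vault such as the KeePassX mentioned earlier in the thread is the usual answer.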