passwords

My business bank have asked me to set up a new password. It must be all numbers and ten digits long and I quote "it must be memorable"

Right...

Apart from pi, and your mobile number, both of which are bloody obvious to any hacker, how many 'memorable' ten digit numbers do you know?

I can do memorable letter sequences, but my brain isn't oriented to remember numbers.
This entry was originally posted on Dreamwidth.

Comments

altariel
Sep. 17th, 2013 01:10 pm (UTC)
My childhood home phone number would work. But that's really tricky.
watervole
Sep. 18th, 2013 08:16 am (UTC)
But a risk in that there are some people who would know the number (though not random hackers).
altariel
Sep. 18th, 2013 08:26 am (UTC)
That's going to be a risk with any series of numbers that you choose for having some significance, so I guess you have to decide what you want to trade off. Putting the STD to the end might help. Other options include a series of random numbers that you either write down (obviously risky) or attempt to memorize (beyond my humble capabilities). Or else make use of the "forgot your password?" function each time you log in, and get them to send you something new each time.
artw
Sep. 17th, 2013 01:14 pm (UTC)
Your mother's date of birth, followed by the number of aunts and uncles you have.
Or a memorable word coded A=1, B=2 etc.
sam_t
Sep. 17th, 2013 02:03 pm (UTC)
Preferably not a dictionary word, but that would work.

Baffles me why they'd ask for a number. Why would you choose a 10-choices-per-character unmemorable password over a 36-or-more-choices-per-character memorable one?
izhilzha
Sep. 17th, 2013 05:19 pm (UTC)
Or a memorable word with numbers substituted for letters in your own cipher (offset or backwards or whatever you can remember). Less easy to discover, but easy to recall.
watervole
Sep. 18th, 2013 08:20 am (UTC)
The problem with that one is that you need to write the mnemonic down somewhere (in order to remember which bank account you've used it for out of all the 20 odd passwords you have memorised already). If anyone finds the mnemonic, then they could work out the password. (Though I have to say that the mnemonic for the password I ended up with is no better - I regard it as one of my least secure passwords)
sam_t
Sep. 18th, 2013 08:45 am (UTC)
Maybe consider a password safe?
luckykaa
Sep. 17th, 2013 02:38 pm (UTC)
10 digits isn't hugely secure. 6 randomly chosen digits and mixed case letters would be more secure.
watervole
Sep. 18th, 2013 08:15 am (UTC)
But that also hits the 'write it down' problem. Though it is a bit better as long as I can have mostly letters.

When allowed a mixture of my own choosing, I can do better. I can find mnemonics - did that recently for funding circle - I have a password that is a mixture, but I think would be very difficult for anyone else to guess, but is still memorable for me.
luckykaa
Sep. 18th, 2013 09:05 am (UTC)
Sorry. I need to explain my meaning a bit more clearly. It was a comment on password strength.

6 characters will be rejected by most password systems as insecure. This will take 6 times as many guesses for a computer as a 10 digit number. At 1000 guesses a second, this will be guessed in a few months. Of course the bank's systems will detect this sort of attack, and block it, but they shouldn't really rely on this.

This xkcd strip illustrates the problem: http://xkcd.com/936/
inamac
Sep. 17th, 2013 05:00 pm (UTC)
There is nothing secure about a ten digit number - because everyone is going to write it down somewhere, or it'll be a birthdate + something obvious. Both basic tests for hackers.

This is especially true about older customers, who would be particularly vulnerable to fraudsters getting access to their bank details (and we all know how sympathetic banks are to victims of those crimes).

Have you pointed this out to the bank?

(And I can't remember most of my four-digit PIN numbers, let alone my mobile number. One of the many reasons I don't do online banking.)
makyo
Sep. 17th, 2013 08:59 pm (UTC)
One approach is to choose a memorable ten-word phrase (or the first ten words of a longer passage) and turn it into a ten-digit number by counting the letters in each word. So, for example, "the first thing we do, let's kill all the lawyers" (from Henry VI part II) becomes 3552244337. I think this should be reasonably secure (certainly more so than using a phone number or pi) unless I've missed something obvious.
watervole
Sep. 18th, 2013 08:11 am (UTC)
I've actually adopted this trick for the 5 numeral password they want in addition to the 10 digit one, but the problem with doing this for a long number is the risk of a counting error while doing the conversion. Especially for 2 digit letters.
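The word-length trick makyo describes, and the counting-error risk watervole raises for words of ten or more letters, as an added Python example (not code from either commenter). It counts only letters, so the apostrophe in "let's" is ignored, which is what makes makyo's quoted phrase come out as 3552244337; a word of 10+ letters would silently add an eleventh digit, so the function refuses such phrases instead of guessing. The phrase and the "ten words" target are taken from the thread; everything else is an assumption of this example.

```python
import re

def word_lengths(phrase: str) -> list[int]:
    """Letter count of each whitespace-separated word.

    Non-letters (commas, apostrophes, digits) are stripped before counting,
    so "let's" counts as 4 and "do," as 2.
    """
    return [len(re.sub(r"[^A-Za-z]", "", w)) for w in phrase.split()]

def phrase_to_digits(phrase: str, required: int = 10) -> str:
    """Turn the first `required` words of `phrase` into a digit string.

    Raises ValueError if there are too few words, or if any counted word has
    10 or more letters (that word would contribute two digits and the result
    would no longer be `required` digits long).
    """
    lengths = [n for n in word_lengths(phrase) if n > 0]  # skip bare punctuation
    if len(lengths) < required:
        raise ValueError(f"need {required} words, phrase has only {len(lengths)}")
    lengths = lengths[:required]
    too_long = [n for n in lengths if n >= 10]
    if too_long:
        raise ValueError(f"words of 10+ letters would produce two digits: {too_long}")
    return "".join(str(n) for n in lengths)

def show_working(phrase: str, required: int = 10) -> list[tuple[str, int]]:
    """Pair each counted word with its length so the conversion can be checked by eye."""
    words = [w for w in phrase.split() if re.search(r"[A-Za-z]", w)]
    return [(w, len(re.sub(r"[^A-Za-z]", "", w))) for w in words[:required]]

if __name__ == "__main__":
    # The phrase from makyo's comment (Henry VI, Part II).
    phrase = "the first thing we do, let's kill all the lawyers"
    print(show_working(phrase))
    print(phrase_to_digits(phrase))
```

One caveat a practitioner would add: English word lengths cluster between 2 and 7 letters, so the digits this scheme produces are far from uniformly distributed and a ten-digit result carries noticeably less than the 33 bits a random ten-digit number would; it is a memory aid, not a source of randomness.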
murphys_lawyer
Sep. 17th, 2013 11:35 pm (UTC)
All numbers?

ALL NUMBERS?!!1 ELEVENTY!1!

I wouldn't waste a bullet on the moron who thought in this day and age that a ten digit number was an acceptable password for a financial system. I have a five-foot stick I keep next to my desk with "Mr. Clue" written on it, and it's long overdue for an outing.

At the very least, I would drop heavy hints that they set the system up to fail and blame the customers when their accounts were emptied, on the grounds that "you obviously shared your PIN" or "you chose something too obvious".

In all seriousness, look at other business banks, and hope to Great Turing's Ghost their security is put together by someone with half a clue.
rockwell_666
Sep. 17th, 2013 11:59 pm (UTC)
What pillock came up with *that* brilliant idea?!

Making it all numbers reduces the complexity massively, requiring it to be exactly ten digits is even more stupid because it lets hackers know precisely how many characters are in it so they don't even have to try 8, 9 or 11 digit versions!

You should send the bank a copy of this XKCD strip: http://xkcd.com/936/
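The points sam_t, luckykaa and rockwell_666 make above (10 choices per character versus 36 or 62; a fixed, known length versus an unknown one; "at 1000 guesses a second") can be put on one footing by computing keyspace sizes. This is an added Python example, not anything from the thread or the bank; the 1,000 guesses-per-second rate is taken from luckykaa's comment, the alphabet sizes are 10 digits, 36 (digits plus one case of letters) and 62 (digits plus both cases), and the "days" figures assume no lockout or rate limiting, which is exactly the assumption a bank should not rely on.

```python
import math

# Guess rate luckykaa used above; an assumed figure for an online attack with no lockout.
GUESSES_PER_SECOND = 1000
SECONDS_PER_DAY = 86400

def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length

def keyspace_any_length(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Size of the space when the length is unknown and could be anything in [min_len, max_len].

    This is the extra work rockwell_666 points out an attacker is spared when the
    policy fixes the length at exactly ten.
    """
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))

def bits_of_entropy(space: int) -> float:
    """Entropy in bits of a uniformly random choice from `space` possibilities."""
    return math.log2(space)

def worst_case_days(space: int, rate: int = GUESSES_PER_SECOND) -> float:
    """Days needed to try every possibility at `rate` guesses per second (no lockout assumed)."""
    return space / rate / SECONDS_PER_DAY

# Constructed policies to compare; names are descriptive labels only.
POLICIES = {
    "exactly 10 digits (the bank's rule)": keyspace(10, 10),
    "8 to 11 digits, length not known": keyspace_any_length(10, 8, 11),
    "6 chars, digits + mixed-case letters": keyspace(62, 6),
    "10 chars, digits + lowercase letters": keyspace(36, 10),
}

def compare_policies(policies=POLICIES, rate=GUESSES_PER_SECOND):
    """Return (name, keyspace, bits, worst-case days) for each policy."""
    return [
        (name, space, round(bits_of_entropy(space), 1), round(worst_case_days(space, rate), 1))
        for name, space in policies.items()
    ]

if __name__ == "__main__":
    for name, space, bits, days in compare_policies():
        print(f"{name:40s} {space:>18,d}  {bits:5.1f} bits  {days:>14,.1f} days")
```

Running it shows the ten-digit rule at about 33 bits and roughly 116 days of uninterrupted guessing at that rate, the six-character mixed alphabet at about 36 bits (the "6 times as many guesses" luckykaa mentions comes out at 5.7), and ten characters from a 36-symbol alphabet at 52 bits, which at the same rate is a figure in the millions of years. Only the lockout, not the numeric policy, is doing the work in the first case.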
dumain.com
Sep. 18th, 2013 08:19 am (UTC)
Memorise a trivial hashing algorithm and apply it to the bank account number plus a memorable secret to derive the PIN. That's what I do with my bank/credit card PINs. The hashing algorithm is obviously not strong but by the time anyone has enough samples to figure out what it is they will already have all my PINs. Might seem a little over the top but I find memorising an algorithm easier than an arbitrary digit string.
inamac
Sep. 18th, 2013 07:02 pm (UTC)
Memorable 10 digit number:

0123456789

(I'd be willing to bet a lot of people use that.)
espresso_addict
Sep. 19th, 2013 12:51 am (UTC)
I can't remember numbers at all. Suggest writing it down and putting the note into something locked at home. We also store passwords in a spreadsheet protected with a decent encryption program on a hard-drive that's also encrypted, but that's harder to organise.
eledonecirrhosa
Sep. 19th, 2013 12:43 pm (UTC)
Could you have a string of shorter memorable numbers, and leave yourself a clue in words somewhere?

Like this: year we bought the cat - my height in cm - favourite BBC channel - number of cherry trees in garden.
watervole
Sep. 19th, 2013 01:26 pm (UTC)
I quite like that suggestion.
linda_joyce
Sep. 22nd, 2013 08:59 am (UTC)
Do you know your grandparents' birthdays? A combination of these numbers might work, e.g. month and day from one set, year in full from the other. E.g. year from granny A, month and day from grandpa X. Though even that only gives you 8 digits; add the day from grandpa A. It could be done with parents' birthdays but that would be a bit obvious too.

Profile: watervole (Judith Proctor)